Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JbJZPtaKF.exe' , ParentImage: C:\Users\user\Desktop\9JbJZPtaKF.exe, ParentProcessId: 6972, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7040 |
Source: Process started | Author: Florian Roth, Max Altgelt: Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4348, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , ProcessId: 720 |
Source: Process started | Author: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, CommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 7084, ProcessCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ProcessId: 4348 |
Source: Process started | Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JbJZPtaKF.exe' , ParentImage: C:\Users\user\Desktop\9JbJZPtaKF.exe, ParentProcessId: 6972, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7040 |
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4348, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' , ProcessId: 720 |
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 17.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 12.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: | Binary string: Telemetry.Common.pdb## source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000003.309143224.0000000002FD6000.00000004.00000001.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp |
Source: | Binary string: Telemetry.Common.pdb source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000B.00000002.311356379.0000000000487000.00000002.00020000.sdmp, ct.exe, 0000000E.00000002.328247413.0000000000487000.00000002.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437767065.0000000000487000.00000002.00020000.sdmp, bg.exe, 00000021.00000000.460309859.0000000000487000.00000002.00020000.sdmp |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 4x nop then push ebp | 0_2_00479C70 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 4x nop then push ebp | 0_2_00452290 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 4x nop then push ebp | 0_2_00459460 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 4x nop then push ebp | 0_2_0044FF30 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.136 |
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.441347188.0000000000923000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegAsm.exe, 00000004.00000002.552795488.00000000011B6000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: RegAsm.exe, 00000004.00000002.561796956.000000000530D000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: ct.exe | String found in binary or memory: http://schemas.microsof |
Source: RegAsm.exe, 00000004.00000002.554885816.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.443919743.0000000004591000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: 9JbJZPtaKF.exe, 9JbJZPtaKF.exe, 00000000.00000000.277536101.0000000000401000.00000020.00020000.sdmp, RegAsm.exe, 00000004.00000002.558074837.00000000042E7000.00000004.00000001.sdmp, ct.exe, 0000000B.00000000.306368311.0000000000401000.00000020.00020000.sdmp, ct.exe, 0000000E.00000002.328150567.0000000000401000.00000020.00020000.sdmp, mmybgd.exe, 0000001E.00000000.437697279.0000000000401000.00000020.00020000.sdmp, bg.exe, 00000021.00000002.472166356.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://www.vb-helper.com/vba.htm |
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: RegAsm.exe, 0000001F.00000002.544923977.0000000000400000.00000040.00000001.sdmp, bg.exe, 00000021.00000003.462953448.00000000034F0000.00000004.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
Source: powershell.exe, 00000016.00000002.444344805.00000000046D3000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000016.00000002.446314129.00000000055F4000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Yara match | File source: 14.3.ct.exe.739714.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.3.ct.exe.739714.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6f4934.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.3.ct.exe.722ef8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6de118.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.3.ct.exe.722ef8.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.3.ct.exe.739714.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6f4934.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6f4934.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.8051e4.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.9JbJZPtaKF.exe.7ee9c8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6de118.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.3.ct.exe.6f4934.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.3.ct.exe.739714.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: Process Memory Space: 9JbJZPtaKF.exe PID: 6972, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7084, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: ct.exe PID: 4644, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: ct.exe PID: 5344, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6756, type: MEMORYSTR |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_00479C70 | 0_2_00479C70 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_004034F0 | 0_2_004034F0 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_0040A2FB | 0_2_0040A2FB |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_0040A330 | 0_2_0040A330 |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_0040350C | 0_2_0040350C |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_0040B50D | 0_2_0040B50D |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Code function: 0_2_0045D710 | 0_2_0045D710 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01159530 | 4_2_01159530 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0115D5E0 | 4_2_0115D5E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01158C60 | 4_2_01158C60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0115F298 | 4_2_0115F298 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01158918 | 4_2_01158918 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_082F5030 | 4_2_082F5030 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_082F0040 | 4_2_082F0040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_082F28C8 | 4_2_082F28C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_082F57A0 | 4_2_082F57A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_082F64B0 | 4_2_082F64B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_083026A0 | 4_2_083026A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_08300968 | 4_2_08300968 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_08302430 | 4_2_08302430 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_08302423 | 4_2_08302423 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_08302693 | 4_2_08302693 |
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Code function: 14_3_00745012 | 14_3_00745012 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_0108C240 | 22_2_0108C240 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_0108C2CB | 22_2_0108C2CB |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_0787EF70 | 22_2_0787EF70 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_0787D418 | 22_2_0787D418 |
Source: 9JbJZPtaKF.exe | Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
Source: ct.exe.0.dr | Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
Source: mmybgd.exe.4.dr | Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
Source: bg.exe.30.dr | Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
Source: 9JbJZPtaKF.exe, 00000000.00000003.280115518.00000000007EF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs 9JbJZPtaKF.exe |
Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTelemetry.Common.dllj% vs 9JbJZPtaKF.exe |
Source: 9JbJZPtaKF.exe, 00000000.00000000.277618427.0000000000487000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamea.exe vs 9JbJZPtaKF.exe |
Source: 9JbJZPtaKF.exe, 00000000.00000003.278461394.00000000007FA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamea.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.12W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.AppData2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cf2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.ct.exe2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.cp2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.net42W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.2W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z.02W2O;S<_[O=bWdO[2O7U`O_4cbP]Z. vs 9JbJZPtaKF.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll | |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll | |
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll | |
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll | |
Source: unknown | Process created: C:\Users\user\Desktop\9JbJZPtaKF.exe 'C:\Users\user\Desktop\9JbJZPtaKF.exe' | |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\Desktop\9JbJZPtaKF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe' | |
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\cf\ct.exe 'C:\Users\user\AppData\Roaming\cf\ct.exe' | |
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\cf\ct.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' & exit | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\mmybgd.exe'' | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\mmybgd.exe 'C:\Users\user\AppData\Local\Temp\mmybgd.exe' | |
Source: C:\Users\user\AppData\Local\Temp\mmybgd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe' | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bp\bg.exe 'C:\Users\user\AppData\Roaming\bp\bg.exe' | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: C:\Users\user\AppData\Roaming\bp\bg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 17.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 12.2.RegAsm.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: 4.2.RegAsm.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded string: '+LdhvsUs+pw4B71d2iQwVxAbsVN/CI8V5uDe4+8GBQVVA3p3Gjc+xdz/YAfyI5hJiGX1Qc4myvmMJ/w+spH5TQ==', 'Q9Q7PSgZxC8JyyITnfRxL911PUyfaZ4B9LbPmzb+mTt/Hx4JdEAONTuGgnWRwuZpFkFK8zpSe1AiYCl7xj+smQ==' |