Windows
Analysis Report
laudovisitabombeirosPdf.msi
Overview
General Information
Detection
AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
Yara detected Powershell download and execute
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Writes many files with high entropy
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- msiexec.exe (PID: 6972 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\laudovisitabombeirosPdf.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 3148 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 6656 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 430D65298A370435CACEDA990F6EF0AF MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 2464 cmdline: rundll32.exe "C:\Windows\Installer\MSI9784.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4036640 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6176 cmdline: rundll32.exe "C:\Windows\Installer\MSI9DAF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4038078 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Windows\Installer\MSIADBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4042187 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6380 cmdline: rundll32.exe "C:\Windows\Installer\MSIE25F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4055656 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 6480 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B02AFDBB8E5F2E0A7F412F8C4DE8EDB7 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - net.exe (PID: 3396 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
  - conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - net1.exe (PID: 4796 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
  - taskkill.exe (PID: 1900 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
  - conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AteraAgent.exe (PID: 2848 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="nandaamannda0@hotmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000M0aRpIAJ" /AgentId="71c9776e-3cf9-4416-bfc4-cfa066fd02a7" MD5: 477293F80461713D51A98A24023D45E8)
- AteraAgent.exe (PID: 3304 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
  - sc.exe (PID: 6208 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageAgentInformation.exe (PID: 1200 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "fb5b34dc-a9b8-4254-990d-e822c0c95b4e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000M0aRpIAJ MD5: 31DEF444E6135301EA3C38A985341837)
  - conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageAgentInformation.exe (PID: 5972 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "f04b5438-f40c-40d8-a5e0-ba032db21dde" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000M0aRpIAJ MD5: 31DEF444E6135301EA3C38A985341837)
  - conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageAgentInformation.exe (PID: 4672 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "a973accc-a21c-47de-b070-a687a2983c16" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000M0aRpIAJ MD5: 31DEF444E6135301EA3C38A985341837)
  - conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageAgentInformation.exe (PID: 3716 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "f59cece2-f728-4977-862f-2fa2ebd7cc8a" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000M0aRpIAJ MD5: 31DEF444E6135301EA3C38A985341837)
  - conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 6552 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cscript.exe (PID: 6504 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
  - AgentPackageMonitoring.exe (PID: 6580 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "9836577d-4a80-45b5-94e4-03160fdfcc8f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000M0aRpIAJ MD5: 5E3252E0248B484E76FCDBF8B42A645D)
  - conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageSTRemote.exe (PID: 6324 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "b6a3ba18-b9c8-4cc4-aa73-620e5295462c" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000M0aRpIAJ MD5: 749C51599FBF82422791E0DF1C1E841C)
  - conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- AteraAgent.exe (PID: 5776 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
  - sc.exe (PID: 6984 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageAgentInformation.exe (PID: 7288 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "998885ac-6859-4dc7-941c-972797f033d3" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000M0aRpIAJ MD5: 31DEF444E6135301EA3C38A985341837)
  - conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7380 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cscript.exe (PID: 7444 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
  - AgentPackageUpgradeAgent.exe (PID: 7484 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "d9ae9e6d-98f3-474f-99bd-9b2eb282f1ae" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000M0aRpIAJ MD5: D11B2139D29E79D795054C3866898B7F)
  - conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - msiexec.exe (PID: 7884 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
  - AgentPackageTicketing.exe (PID: 7544 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "02df84fe-7edb-44d9-b889-d201e89fa22b" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000M0aRpIAJ MD5: F531D3157E9FF57EEA92DB36C40E283E)
  - conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageProgramManagement.exe (PID: 7652 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "3db9e96a-2487-4773-a570-afd58c7025b6" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000M0aRpIAJ MD5: A739B889642CA9CE4AD3A37A3C521604)
  - conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageInternalPoller.exe (PID: 7684 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "d3524ca3-82f8-4758-a541-bf792f23d3f6" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000M0aRpIAJ MD5: 01807774F043028EC29982A62FA75941)
  - conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageOsUpdates.exe (PID: 7820 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "97733402-4b20-4fef-a169-f4ef29ad9ba5" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000M0aRpIAJ MD5: 5F782D0CB0F717AE9DFD1B4DA1295F15)
  - conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageMarketplace.exe (PID: 7928 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "d64a9c36-a92d-4b93-85a3-659023a1288d" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000M0aRpIAJ MD5: EFB4712C8713CB05EB7FE7D87A83A55A)
  - conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageMonitoring.exe (PID: 8064 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "d4afbb8e-78fe-449b-89c1-82dd81e4da3c" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000M0aRpIAJ MD5: 5E3252E0248B484E76FCDBF8B42A645D)
  - conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - AgentPackageRuntimeInstaller.exe (PID: 8088 cmdline:
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 71c9776e-3cf9-4416-bfc4-cfa066fd02a7 "c7ebd2b8-fb4c-4fd4-b8bf-4ce10c757749" agent-api.atera.com/Production 443 or8ixLi90Mf [base64-encoded argument, truncated in source]