003227ff26fa20b16dddbdf0b791b40c328b0259ddcec860d73861b9b9fe8468

Analysis

max time kernel
150s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
24-02-2021 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample33.exe
Size

524KB
MD5

e752df4c77b8dfa34a902f28c31bb40d
SHA1

a815ae15431626dcffb2be073d1f51f25dede408
SHA256

003227ff26fa20b16dddbdf0b791b40c328b0259ddcec860d73861b9b9fe8468
SHA512

72454c9185ff3a841a36bf952e490f1b72d87b0337b3d5fa6c97d93fec78ceb8162b2abc5e7fa0fba0f62ced6af7ed210888bf3b451154f3519ef7d15897af1e

Score

10^/10

evasion persistence spyware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sample33.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\nmwYgAIE\\keAQccEo.exe,"	sample33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\nmwYgAIE\\keAQccEo.exe,"	sample33.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

xgEkUUMs.exekeAQccEo.exetykcUEss.exe

pid process

3624 xgEkUUMs.exe
3708 keAQccEo.exe
440 tykcUEss.exe

pid	process
3624	xgEkUUMs.exe
3708	keAQccEo.exe
440	tykcUEss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keAQccEo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	keAQccEo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample33.exexgEkUUMs.exekeAQccEo.exetykcUEss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgEkUUMs.exe = "C:\\Users\\Admin\\ZcEsQoQs\\xgEkUUMs.exe"	sample33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\keAQccEo.exe = "C:\\ProgramData\\nmwYgAIE\\keAQccEo.exe"	sample33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgEkUUMs.exe = "C:\\Users\\Admin\\ZcEsQoQs\\xgEkUUMs.exe"	xgEkUUMs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\keAQccEo.exe = "C:\\ProgramData\\nmwYgAIE\\keAQccEo.exe"	keAQccEo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\keAQccEo.exe = "C:\\ProgramData\\nmwYgAIE\\keAQccEo.exe"	tykcUEss.exe

Drops file in System32 directory 6 IoCs

Processes:

keAQccEo.exetykcUEss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sheImportConvertTo.mpg	keAQccEo.exe
File opened for modification	C:\Windows\SysWOW64\sheInvokeStop.bmp	keAQccEo.exe
File opened for modification	C:\Windows\SysWOW64\sheUninstallCompress.docx	keAQccEo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ZcEsQoQs	tykcUEss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\ZcEsQoQs\xgEkUUMs	tykcUEss.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	keAQccEo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2536	reg.exe
4680	reg.exe
1564	reg.exe
1544	reg.exe
2560	reg.exe
2572	reg.exe
4708	reg.exe
4668	reg.exe
3952	reg.exe
876	reg.exe
1048	reg.exe
3824	reg.exe
3220	reg.exe
1752	reg.exe
4740	reg.exe
1180	reg.exe
4280	reg.exe
1496	reg.exe
4736	reg.exe
1660	reg.exe
3076	reg.exe
2724	reg.exe
3544	reg.exe
3740	reg.exe
1400	reg.exe
3232	reg.exe
1784	reg.exe
2232	reg.exe
1840	reg.exe
2084	reg.exe
2716	reg.exe
3680	reg.exe
1712	reg.exe
2176	reg.exe
3488	reg.exe
1068	reg.exe
3964	reg.exe
1296	reg.exe
2908	reg.exe
3968	reg.exe
2556	reg.exe
4344	reg.exe
3104	reg.exe
528	reg.exe
4516	reg.exe
2060	reg.exe
2068	reg.exe
4156	reg.exe
2796	reg.exe
3156	reg.exe
2952	reg.exe
4620	reg.exe
672	reg.exe
928	reg.exe
2596	reg.exe
1292	reg.exe
2264	reg.exe
3896	reg.exe
3112	reg.exe
1388	reg.exe
2580	reg.exe
4728	reg.exe
3992	reg.exe
1004	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exesample33.exe

pid	process
4764	sample33.exe
4764	sample33.exe
4764	sample33.exe
4764	sample33.exe
4212	sample33.exe
4212	sample33.exe
4212	sample33.exe
4212	sample33.exe
1128	sample33.exe
1128	sample33.exe
1128	sample33.exe
1128	sample33.exe
4492	sample33.exe
4492	sample33.exe
4492	sample33.exe
4492	sample33.exe
4540	sample33.exe
4540	sample33.exe
4540	sample33.exe
4540	sample33.exe
3612	sample33.exe
3612	sample33.exe
3612	sample33.exe
3612	sample33.exe
3100	sample33.exe
3100	sample33.exe
3100	sample33.exe
3100	sample33.exe
1084	sample33.exe
1084	sample33.exe
1084	sample33.exe
1084	sample33.exe
228	sample33.exe
228	sample33.exe
228	sample33.exe
228	sample33.exe
520	sample33.exe
520	sample33.exe
520	sample33.exe
520	sample33.exe
1608	sample33.exe
1608	sample33.exe
1608	sample33.exe
1608	sample33.exe
4480	sample33.exe
4480	sample33.exe
4480	sample33.exe
4480	sample33.exe
212	sample33.exe
212	sample33.exe
212	sample33.exe
212	sample33.exe
3296	sample33.exe
3296	sample33.exe
3296	sample33.exe
3296	sample33.exe
1336	sample33.exe
1336	sample33.exe
1336	sample33.exe
1336	sample33.exe
4580	sample33.exe
4580	sample33.exe
4580	sample33.exe
4580	sample33.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

keAQccEo.exe

pid process

3708 keAQccEo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

keAQccEo.exe

pid	process
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe
3708	keAQccEo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sample33.execmd.exesample33.execmd.exesample33.execmd.execmd.execmd.exesample33.exe

description	pid	process	target process
PID 4764 wrote to memory of 3624	4764	sample33.exe	xgEkUUMs.exe
PID 4764 wrote to memory of 3624	4764	sample33.exe	xgEkUUMs.exe
PID 4764 wrote to memory of 3624	4764	sample33.exe	xgEkUUMs.exe
PID 4764 wrote to memory of 3708	4764	sample33.exe	keAQccEo.exe
PID 4764 wrote to memory of 3708	4764	sample33.exe	keAQccEo.exe
PID 4764 wrote to memory of 3708	4764	sample33.exe	keAQccEo.exe
PID 4764 wrote to memory of 3908	4764	sample33.exe	cmd.exe
PID 4764 wrote to memory of 3908	4764	sample33.exe	cmd.exe
PID 4764 wrote to memory of 3908	4764	sample33.exe	cmd.exe
PID 3908 wrote to memory of 4212	3908	cmd.exe	sample33.exe
PID 3908 wrote to memory of 4212	3908	cmd.exe	sample33.exe
PID 3908 wrote to memory of 4212	3908	cmd.exe	sample33.exe
PID 4764 wrote to memory of 4236	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 4236	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 4236	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 3104	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 3104	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 3104	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 2796	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 2796	4764	sample33.exe	reg.exe
PID 4764 wrote to memory of 2796	4764	sample33.exe	reg.exe
PID 4212 wrote to memory of 640	4212	sample33.exe	cmd.exe
PID 4212 wrote to memory of 640	4212	sample33.exe	cmd.exe
PID 4212 wrote to memory of 640	4212	sample33.exe	cmd.exe
PID 640 wrote to memory of 1128	640	cmd.exe	sample33.exe
PID 640 wrote to memory of 1128	640	cmd.exe	sample33.exe
PID 640 wrote to memory of 1128	640	cmd.exe	sample33.exe
PID 4212 wrote to memory of 1172	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1172	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1172	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1296	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1296	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1296	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1340	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1340	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1340	4212	sample33.exe	reg.exe
PID 4212 wrote to memory of 1552	4212	sample33.exe	cmd.exe
PID 4212 wrote to memory of 1552	4212	sample33.exe	cmd.exe
PID 4212 wrote to memory of 1552	4212	sample33.exe	cmd.exe
PID 1128 wrote to memory of 2296	1128	sample33.exe	cmd.exe
PID 1128 wrote to memory of 2296	1128	sample33.exe	cmd.exe
PID 1128 wrote to memory of 2296	1128	sample33.exe	cmd.exe
PID 1552 wrote to memory of 2768	1552	cmd.exe	cscript.exe
PID 1552 wrote to memory of 2768	1552	cmd.exe	cscript.exe
PID 1552 wrote to memory of 2768	1552	cmd.exe	cscript.exe
PID 1128 wrote to memory of 2588	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 2588	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 2588	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 2908	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 2908	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 2908	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 3156	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 3156	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 3156	1128	sample33.exe	reg.exe
PID 1128 wrote to memory of 4092	1128	sample33.exe	cmd.exe
PID 1128 wrote to memory of 4092	1128	sample33.exe	cmd.exe
PID 1128 wrote to memory of 4092	1128	sample33.exe	cmd.exe
PID 2296 wrote to memory of 4492	2296	cmd.exe	sample33.exe
PID 2296 wrote to memory of 4492	2296	cmd.exe	sample33.exe
PID 2296 wrote to memory of 4492	2296	cmd.exe	sample33.exe
PID 4092 wrote to memory of 4016	4092	cmd.exe	cscript.exe
PID 4092 wrote to memory of 4016	4092	cmd.exe	cscript.exe
PID 4092 wrote to memory of 4016	4092	cmd.exe	cscript.exe
PID 4492 wrote to memory of 4564	4492	sample33.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\sample33.exe
"C:\Users\Admin\AppData\Local\Temp\sample33.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\ZcEsQoQs\xgEkUUMs.exe
"C:\Users\Admin\ZcEsQoQs\xgEkUUMs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3624

C:\ProgramData\nmwYgAIE\keAQccEo.exe
"C:\ProgramData\nmwYgAIE\keAQccEo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
4⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
6⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
8⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
10⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
12⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
14⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
16⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
18⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
20⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
22⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
24⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
26⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
28⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
30⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
32⤵
PID:192

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
33⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
34⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
35⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
36⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
37⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
38⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
39⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
40⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
41⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
42⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
43⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
44⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
45⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
46⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
47⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
48⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
49⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
50⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
51⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
52⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\sample33.exe
C:\Users\Admin\AppData\Local\Temp\sample33
53⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sample33"
54⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eikskwwY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
54⤵
PID:572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqIosQEk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
52⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:3824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkIEAYI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
50⤵
PID:4512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMwgEYwI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
48⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKcIsEoU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
46⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- Modifies registry key
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies registry key
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DewssQog.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
44⤵
PID:2184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyosUEUI.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
42⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSgMAQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
40⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciQccYUA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
38⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IissYgIo.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
36⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- Modifies registry key
PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiYoEcMg.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
34⤵
PID:576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSMYksso.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
32⤵
PID:4560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiIowMUA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
30⤵
PID:4488

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGQgMYwk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
28⤵
PID:1780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:3968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaQsowIY.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
26⤵
PID:2052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:3544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaAEMgsw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
24⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:200

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuwYEggA.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
22⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoMwIMEw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
20⤵
PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAYQYUM.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
18⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:4156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcAsogoc.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
16⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqkcocQM.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
14⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEEsswQU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
12⤵
PID:1332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWggksog.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
10⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGIAkIgw.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
8⤵
PID:4732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwYEsMAU.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqwgooQk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUYUoEgk.bat" "C:\Users\Admin\AppData\Local\Temp\sample33.exe""
2⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4816

C:\ProgramData\XUQIIIwE\tykcUEss.exe
C:\ProgramData\XUQIIIwE\tykcUEss.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XUQIIIwE\tykcUEss.exe
MD5
8e67badbc3b25155ee725d4a3c7fd44d

SHA1
cd9206ed124939b204e540f21d8815ac29a9269d

SHA256
e0f6fb8318f98b7b76acf72f9fac56b2ea93ed27b4a2c17f30b306624a43fe4d

SHA512
507644de9889f71d1f354ee1952cdca0305c70306c89d817095ce6507f2727e29fb148579e571d0dce9b27a64f6df44c54bac8e6d270da9034991b46a7f94493

Download Submit
C:\ProgramData\XUQIIIwE\tykcUEss.exe
MD5
8e67badbc3b25155ee725d4a3c7fd44d

SHA1
cd9206ed124939b204e540f21d8815ac29a9269d

SHA256
e0f6fb8318f98b7b76acf72f9fac56b2ea93ed27b4a2c17f30b306624a43fe4d

SHA512
507644de9889f71d1f354ee1952cdca0305c70306c89d817095ce6507f2727e29fb148579e571d0dce9b27a64f6df44c54bac8e6d270da9034991b46a7f94493

Download Submit
C:\ProgramData\nmwYgAIE\keAQccEo.exe
MD5
0c310b059650bf8d73058475d3cc3df3

SHA1
8d6736ad8fc9d543b4dae82a1e3137672b97a1eb

SHA256
7237de0db02eda9a97cb12e19a74aa93321eededf7200b551830c24c7b8975c5

SHA512
967ee1ce72b319be0a9befc31d85e76800631825f6ab7cb95c3c9d6184e836643f37b3fd6e9896687c68a58f76196fea65048b9de158344e4cf33886a6e636dd

Download Submit
C:\ProgramData\nmwYgAIE\keAQccEo.exe
MD5
0c310b059650bf8d73058475d3cc3df3

SHA1
8d6736ad8fc9d543b4dae82a1e3137672b97a1eb

SHA256
7237de0db02eda9a97cb12e19a74aa93321eededf7200b551830c24c7b8975c5

SHA512
967ee1ce72b319be0a9befc31d85e76800631825f6ab7cb95c3c9d6184e836643f37b3fd6e9896687c68a58f76196fea65048b9de158344e4cf33886a6e636dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqwgooQk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEEsswQU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiIowMUA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaAEMgsw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IissYgIo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KaQsowIY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiYoEcMg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoMwIMEw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGIAkIgw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwYEsMAU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQAYQYUM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGQgMYwk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciQccYUA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuwYEggA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcAsogoc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kWggksog.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSgMAQQQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample33
MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqkcocQM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSMYksso.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ZcEsQoQs\xgEkUUMs.exe
MD5
971c1edbcd5e18b544b84085b3e1ba73

SHA1
81695fb2d7a691ad9e8570ade43422fb3ef30356

SHA256
4ccd6faba7a8d78ef1694bbc33a58374a47f0da9fad4fd1fd50c1ca7dfa33910

SHA512
0a4a4553c6577591a02bba2ab1dd8087bedabf08db623829f282b63da1faff37c6ff64da128b39f89bb9640c10e6890478f82398e6951b240e94a36b95fb3f4b

Download Submit
C:\Users\Admin\ZcEsQoQs\xgEkUUMs.exe
MD5
971c1edbcd5e18b544b84085b3e1ba73

SHA1
81695fb2d7a691ad9e8570ade43422fb3ef30356

SHA256
4ccd6faba7a8d78ef1694bbc33a58374a47f0da9fad4fd1fd50c1ca7dfa33910

SHA512
0a4a4553c6577591a02bba2ab1dd8087bedabf08db623829f282b63da1faff37c6ff64da128b39f89bb9640c10e6890478f82398e6951b240e94a36b95fb3f4b

Download Submit
memory/228-77-0x0000000000000000-mapping.dmp

Download
memory/436-56-0x0000000000000000-mapping.dmp

Download
memory/520-91-0x0000000000000000-mapping.dmp

Download
memory/528-59-0x0000000000000000-mapping.dmp

Download
memory/640-16-0x0000000000000000-mapping.dmp

Download
memory/844-60-0x0000000000000000-mapping.dmp

Download
memory/1068-86-0x0000000000000000-mapping.dmp

Download
memory/1084-70-0x0000000000000000-mapping.dmp

Download
memory/1128-17-0x0000000000000000-mapping.dmp

Download
memory/1172-18-0x0000000000000000-mapping.dmp

Download
memory/1180-68-0x0000000000000000-mapping.dmp

Download
memory/1296-19-0x0000000000000000-mapping.dmp

Download
memory/1332-61-0x0000000000000000-mapping.dmp

Download
memory/1340-20-0x0000000000000000-mapping.dmp

Download
memory/1488-85-0x0000000000000000-mapping.dmp

Download
memory/1552-21-0x0000000000000000-mapping.dmp

Download
memory/1840-38-0x0000000000000000-mapping.dmp

Download
memory/1912-43-0x0000000000000000-mapping.dmp

Download
memory/1920-73-0x0000000000000000-mapping.dmp

Download
memory/2084-58-0x0000000000000000-mapping.dmp

Download
memory/2148-96-0x0000000000000000-mapping.dmp

Download
memory/2296-23-0x0000000000000000-mapping.dmp

Download
memory/2312-63-0x0000000000000000-mapping.dmp

Download
memory/2536-45-0x0000000000000000-mapping.dmp

Download
memory/2588-26-0x0000000000000000-mapping.dmp

Download
memory/2608-66-0x0000000000000000-mapping.dmp

Download
memory/2700-79-0x0000000000000000-mapping.dmp

Download
memory/2768-25-0x0000000000000000-mapping.dmp

Download
memory/2796-14-0x0000000000000000-mapping.dmp

Download
memory/2908-27-0x0000000000000000-mapping.dmp

Download
memory/2980-69-0x0000000000000000-mapping.dmp

Download
memory/3076-78-0x0000000000000000-mapping.dmp

Download
memory/3100-57-0x0000000000000000-mapping.dmp

Download
memory/3104-13-0x0000000000000000-mapping.dmp

Download
memory/3156-28-0x0000000000000000-mapping.dmp

Download
memory/3488-67-0x0000000000000000-mapping.dmp

Download
memory/3612-50-0x0000000000000000-mapping.dmp

Download
memory/3624-2-0x0000000000000000-mapping.dmp

Download
memory/3708-5-0x0000000000000000-mapping.dmp

Download
memory/3908-10-0x0000000000000000-mapping.dmp

Download
memory/3992-88-0x0000000000000000-mapping.dmp

Download
memory/4004-49-0x0000000000000000-mapping.dmp

Download
memory/4016-33-0x0000000000000000-mapping.dmp

Download
memory/4092-29-0x0000000000000000-mapping.dmp

Download
memory/4156-87-0x0000000000000000-mapping.dmp

Download
memory/4208-53-0x0000000000000000-mapping.dmp

Download
memory/4212-11-0x0000000000000000-mapping.dmp

Download
memory/4224-65-0x0000000000000000-mapping.dmp

Download
memory/4236-12-0x0000000000000000-mapping.dmp

Download
memory/4280-80-0x0000000000000000-mapping.dmp

Download
memory/4320-93-0x0000000000000000-mapping.dmp

Download
memory/4460-81-0x0000000000000000-mapping.dmp

Download
memory/4492-31-0x0000000000000000-mapping.dmp

Download
memory/4540-37-0x0000000000000000-mapping.dmp

Download
memory/4564-36-0x0000000000000000-mapping.dmp

Download
memory/4568-89-0x0000000000000000-mapping.dmp

Download
memory/4604-83-0x0000000000000000-mapping.dmp

Download
memory/4632-76-0x0000000000000000-mapping.dmp

Download
memory/4668-44-0x0000000000000000-mapping.dmp

Download
memory/4680-46-0x0000000000000000-mapping.dmp

Download
memory/4708-40-0x0000000000000000-mapping.dmp

Download
memory/4728-39-0x0000000000000000-mapping.dmp

Download
memory/4732-41-0x0000000000000000-mapping.dmp

Download
memory/4772-47-0x0000000000000000-mapping.dmp

Download