7abb15e03e0b91fac6a00c5cfb60999bc99fbe378a8decc4751c26eda959df9d

Analysis

max time kernel
154s
max time network
117s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fcf7bb_by_Libranalysis.exe
Size

619KB
MD5

25fcf7bb9e23811c5a807700aec0626d
SHA1

2b1239f32aaa689c8027a06ba2a8a6225a204b18
SHA256

7abb15e03e0b91fac6a00c5cfb60999bc99fbe378a8decc4751c26eda959df9d
SHA512

c14f168dc1be45e39f2a4cec46af5781f37db63dbeed23021ae243046009cbae2baaf7be22bfacc20f89f2872f8526ac22f56d9e6d4b4a8d41dd6450d56c5b4c

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

25fcf7bb_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\uqAwUYwk\\MKAMEQUM.exe,"	25fcf7bb_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\uqAwUYwk\\MKAMEQUM.exe,"	25fcf7bb_by_Libranalysis.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

nuoggMMg.exeMKAMEQUM.exedqssIIsw.exe

pid process

1164 nuoggMMg.exe
2012 MKAMEQUM.exe
576 dqssIIsw.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MKAMEQUM.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\LimitUnregister.png.exe	MKAMEQUM.exe
File created	C:\Users\Admin\Pictures\StartSend.png.exe	MKAMEQUM.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nuoggMMg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	nuoggMMg.exe

Loads dropped DLL 16 IoCs

Processes:

25fcf7bb_by_Libranalysis.exeMKAMEQUM.exe

pid	process
1348	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe
2012	MKAMEQUM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25fcf7bb_by_Libranalysis.exenuoggMMg.exeMKAMEQUM.exedqssIIsw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuoggMMg.exe = "C:\\Users\\Admin\\pWggUMgo\\nuoggMMg.exe"	25fcf7bb_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuoggMMg.exe = "C:\\Users\\Admin\\pWggUMgo\\nuoggMMg.exe"	nuoggMMg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MKAMEQUM.exe = "C:\\ProgramData\\uqAwUYwk\\MKAMEQUM.exe"	25fcf7bb_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MKAMEQUM.exe = "C:\\ProgramData\\uqAwUYwk\\MKAMEQUM.exe"	MKAMEQUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MKAMEQUM.exe = "C:\\ProgramData\\uqAwUYwk\\MKAMEQUM.exe"	dqssIIsw.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

25fcf7bb_by_Libranalysis.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25fcf7bb_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25fcf7bb_by_Libranalysis.exe

Drops file in System32 directory 2 IoCs

Processes:

dqssIIsw.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pWggUMgo	dqssIIsw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pWggUMgo\nuoggMMg	dqssIIsw.exe

Drops file in Windows directory 1 IoCs

Processes:

MKAMEQUM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico MKAMEQUM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	MKAMEQUM.exe

Modifies registry key 1 TTPs 63 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
108	reg.exe
1560	reg.exe
844	reg.exe
1992	reg.exe
272	reg.exe
432	reg.exe
1680	reg.exe
600	reg.exe
1792	reg.exe
956	reg.exe
1852	reg.exe
1132	reg.exe
1560	reg.exe
900	reg.exe
1784	reg.exe
108	reg.exe
1844	reg.exe
1648	reg.exe
632	reg.exe
1740	reg.exe
1748	reg.exe
1060	reg.exe
1560	reg.exe
664	reg.exe
1176	reg.exe
1216	reg.exe
1424	reg.exe
1464	reg.exe
1464	reg.exe
964	reg.exe
1672	reg.exe
1332	reg.exe
1548	reg.exe
808	reg.exe
1048	reg.exe
1912	reg.exe
1940	reg.exe
1156	reg.exe
960	reg.exe
664	reg.exe
384	reg.exe
1364	reg.exe
880	reg.exe
1176	reg.exe
1496	reg.exe
1640	reg.exe
916	reg.exe
620	reg.exe
1048	reg.exe
620	reg.exe
1060	reg.exe
432	reg.exe
836	reg.exe
1916	reg.exe
1984	reg.exe
824	reg.exe
432	reg.exe
836	reg.exe
1728	reg.exe
1040	reg.exe
1600	reg.exe
1536	reg.exe
1820	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.execmd.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.execonhost.exe25fcf7bb_by_Libranalysis.exe25fcf7bb_by_Libranalysis.exenuoggMMg.exe

pid	process
1348	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
1344	25fcf7bb_by_Libranalysis.exe
1344	25fcf7bb_by_Libranalysis.exe
1688	25fcf7bb_by_Libranalysis.exe
1688	25fcf7bb_by_Libranalysis.exe
1560	25fcf7bb_by_Libranalysis.exe
1560	25fcf7bb_by_Libranalysis.exe
664	25fcf7bb_by_Libranalysis.exe
664	25fcf7bb_by_Libranalysis.exe
1424	25fcf7bb_by_Libranalysis.exe
1424	25fcf7bb_by_Libranalysis.exe
292	25fcf7bb_by_Libranalysis.exe
292	25fcf7bb_by_Libranalysis.exe
1844	25fcf7bb_by_Libranalysis.exe
1844	25fcf7bb_by_Libranalysis.exe
1652	25fcf7bb_by_Libranalysis.exe
1652	25fcf7bb_by_Libranalysis.exe
1060	25fcf7bb_by_Libranalysis.exe
1060	25fcf7bb_by_Libranalysis.exe
1756	cmd.exe
1756	cmd.exe
1616	25fcf7bb_by_Libranalysis.exe
1616	25fcf7bb_by_Libranalysis.exe
844	25fcf7bb_by_Libranalysis.exe
844	25fcf7bb_by_Libranalysis.exe
1156	25fcf7bb_by_Libranalysis.exe
1156	25fcf7bb_by_Libranalysis.exe
432
432
1864	25fcf7bb_by_Libranalysis.exe
1864	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
1348	25fcf7bb_by_Libranalysis.exe
980	25fcf7bb_by_Libranalysis.exe
980	25fcf7bb_by_Libranalysis.exe
1496	conhost.exe
1496	conhost.exe
1792	25fcf7bb_by_Libranalysis.exe
1792	25fcf7bb_by_Libranalysis.exe
1652	25fcf7bb_by_Libranalysis.exe
1652	25fcf7bb_by_Libranalysis.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nuoggMMg.exe

pid process

1164 nuoggMMg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

nuoggMMg.exe

pid	process
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe
1164	nuoggMMg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

25fcf7bb_by_Libranalysis.execmd.exe25fcf7bb_by_Libranalysis.execmd.exe25fcf7bb_by_Libranalysis.exe

description	pid	process	target process
PID 1348 wrote to memory of 1164	1348	25fcf7bb_by_Libranalysis.exe	nuoggMMg.exe
PID 1348 wrote to memory of 1164	1348	25fcf7bb_by_Libranalysis.exe	nuoggMMg.exe
PID 1348 wrote to memory of 1164	1348	25fcf7bb_by_Libranalysis.exe	nuoggMMg.exe
PID 1348 wrote to memory of 1164	1348	25fcf7bb_by_Libranalysis.exe	nuoggMMg.exe
PID 1348 wrote to memory of 2012	1348	25fcf7bb_by_Libranalysis.exe	MKAMEQUM.exe
PID 1348 wrote to memory of 2012	1348	25fcf7bb_by_Libranalysis.exe	MKAMEQUM.exe
PID 1348 wrote to memory of 2012	1348	25fcf7bb_by_Libranalysis.exe	MKAMEQUM.exe
PID 1348 wrote to memory of 2012	1348	25fcf7bb_by_Libranalysis.exe	MKAMEQUM.exe
PID 1348 wrote to memory of 1804	1348	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1348 wrote to memory of 1804	1348	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1348 wrote to memory of 1804	1348	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1348 wrote to memory of 1804	1348	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1804 wrote to memory of 1344	1804	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 1804 wrote to memory of 1344	1804	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 1804 wrote to memory of 1344	1804	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 1804 wrote to memory of 1344	1804	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 1348 wrote to memory of 1740	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1740	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1740	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1740	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 836	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 836	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 836	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 836	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1060	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1060	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1060	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1348 wrote to memory of 1060	1348	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 640	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 640	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 640	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 640	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 640 wrote to memory of 1688	640	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 640 wrote to memory of 1688	640	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 640 wrote to memory of 1688	640	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 640 wrote to memory of 1688	640	cmd.exe	25fcf7bb_by_Libranalysis.exe
PID 1344 wrote to memory of 900	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 900	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 900	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 900	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1784	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1784	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1784	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1784	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1852	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1852	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1852	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1852	1344	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1344 wrote to memory of 1940	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 1940	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 1940	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1344 wrote to memory of 1940	1344	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1688 wrote to memory of 1496	1688	25fcf7bb_by_Libranalysis.exe	cmd.exe
PID 1688 wrote to memory of 880	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 880	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 880	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 880	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 1332	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 1332	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 1332	1688	25fcf7bb_by_Libranalysis.exe	reg.exe
PID 1688 wrote to memory of 1332	1688	25fcf7bb_by_Libranalysis.exe	reg.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

25fcf7bb_by_Libranalysis.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25fcf7bb_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25fcf7bb_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\pWggUMgo\nuoggMMg.exe
"C:\Users\Admin\pWggUMgo\nuoggMMg.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1164

C:\ProgramData\uqAwUYwk\MKAMEQUM.exe
"C:\ProgramData\uqAwUYwk\MKAMEQUM.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
4⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
6⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
8⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
10⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
12⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
14⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
16⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
18⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
20⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
21⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
22⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
24⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
26⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
27⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
28⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
29⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
30⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
32⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
34⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
35⤵
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
36⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
37⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
38⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
40⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis"
42⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
43⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCogwcYw.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
42⤵
PID:1548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMkQIAQY.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
40⤵
PID:1812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmAcoYEw.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
38⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- Modifies registry key
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZiIQwYIg.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
36⤵
PID:1364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyMowkAw.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
34⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- Modifies registry key
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QissIYkU.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
32⤵
PID:1992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\becccsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
30⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOoAIsgE.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
28⤵
PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- Modifies registry key
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqgwwoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
26⤵
PID:664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiAAcsQY.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
24⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIoMsUcA.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
22⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- Modifies registry key
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQwgYYgU.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
20⤵
PID:560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- Modifies registry key
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMsgwgME.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
18⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMYwogoA.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
16⤵
PID:824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- Modifies registry key
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKMkIkEc.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
14⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IeEwEYcY.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
12⤵
PID:1640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWwsEckA.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
10⤵
PID:1364

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEQkAkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
8⤵
PID:988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEskEYMg.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
6⤵
PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCIUUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
4⤵
PID:1940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEEYoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis.exe""
2⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:824

C:\ProgramData\WckEYgck\dqssIIsw.exe
C:\ProgramData\WckEYgck\dqssIIsw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6256572451978036698-18019697419647962291782541931550892921434488216-1888963141"
1⤵
PID:1048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-506588136158723063-209703885-547441833-73809013230798267-966090658-1700251970"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-477396047138071171911304589453226368281548633691-199448634-13312625601125954190"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1664824207-595991976300923837-155911399-505598045-190047210613658480511330701809"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-267301856378032253142833924257507468-128903276120236611691577913260-502294437"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-295002254-1142939438-662161269-1290203722-366177205250177244-11900781341486848179"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9098946785105795041922929782-588760892893698732-679839561436899462948705348"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1886306856-697512827-102500395055857572968090157-1595483092-57671992-987787492"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5383622511228816925-128012091212058551041655919250629172-43864366-1478495095"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WckEYgck\dqssIIsw.exe
MD5
24fc8379dea8278e12cb703474460bc6

SHA1
df39aca1b094446cd44f4b8826e97b0d031ec9a9

SHA256
36fed087645ef487485ce5ed3501a2a1d9ef371cc96cbd9ab0367a8443455c5a

SHA512
3381616e08e7e61d5d15b00738d3d101cafee2c70f00071a5cedf8c02511ef5660267426a51a83da287de6b8b1c1f2c13338a0b843e30ac1d987b6410f60fd92

Download Submit
C:\ProgramData\uqAwUYwk\MKAMEQUM.exe
MD5
51aa67e67782a4b2a06d0c03d799394c

SHA1
01fa3cf22939ef103fe74d812c4cca9c986b6e31

SHA256
645174bdad6f66025bdb8f947f625654bc84689a63ebcc6af152d0b1d215205b

SHA512
75720d4b6a63aa23784259920a97d021f3db06d6a4dadbfac04a1b94a946dbad54c29f75f716839a365cc35ff1c3217955caed8ffcf78249cfcc0c064893ef7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\25fcf7bb_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiAAcsQY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEskEYMg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IeEwEYcY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEQkAkoQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCIUUoIA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMYwogoA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWwsEckA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\becccsUQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEYoUIA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIoMsUcA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKMkIkEc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOoAIsgE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMsgwgME.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqgwwoEQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQwgYYgU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\pWggUMgo\nuoggMMg.exe
MD5
335cd4d11537fa274ad92b2f757571ff

SHA1
c5f3c176a9335d9ec43821e55db273f15401bf9b

SHA256
8b43cd8c3f3e2eebea11b47d852083232143f719bc53fd4a93e7d7f29f837c88

SHA512
468b323ef50df4fd9fa7a7dd6ec9aa7674c7c4c2c4e87913e27a097ee4724db6cf32778c48bde2f0b200893bcbe896e4d51e3e942991940f7ed7c57c999d5efd

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\uqAwUYwk\MKAMEQUM.exe
MD5
51aa67e67782a4b2a06d0c03d799394c

SHA1
01fa3cf22939ef103fe74d812c4cca9c986b6e31

SHA256
645174bdad6f66025bdb8f947f625654bc84689a63ebcc6af152d0b1d215205b

SHA512
75720d4b6a63aa23784259920a97d021f3db06d6a4dadbfac04a1b94a946dbad54c29f75f716839a365cc35ff1c3217955caed8ffcf78249cfcc0c064893ef7e

Download Submit
\ProgramData\uqAwUYwk\MKAMEQUM.exe
MD5
51aa67e67782a4b2a06d0c03d799394c

SHA1
01fa3cf22939ef103fe74d812c4cca9c986b6e31

SHA256
645174bdad6f66025bdb8f947f625654bc84689a63ebcc6af152d0b1d215205b

SHA512
75720d4b6a63aa23784259920a97d021f3db06d6a4dadbfac04a1b94a946dbad54c29f75f716839a365cc35ff1c3217955caed8ffcf78249cfcc0c064893ef7e

Download Submit
\Users\Admin\pWggUMgo\nuoggMMg.exe
MD5
335cd4d11537fa274ad92b2f757571ff

SHA1
c5f3c176a9335d9ec43821e55db273f15401bf9b

SHA256
8b43cd8c3f3e2eebea11b47d852083232143f719bc53fd4a93e7d7f29f837c88

SHA512
468b323ef50df4fd9fa7a7dd6ec9aa7674c7c4c2c4e87913e27a097ee4724db6cf32778c48bde2f0b200893bcbe896e4d51e3e942991940f7ed7c57c999d5efd

Download Submit
\Users\Admin\pWggUMgo\nuoggMMg.exe
MD5
335cd4d11537fa274ad92b2f757571ff

SHA1
c5f3c176a9335d9ec43821e55db273f15401bf9b

SHA256
8b43cd8c3f3e2eebea11b47d852083232143f719bc53fd4a93e7d7f29f837c88

SHA512
468b323ef50df4fd9fa7a7dd6ec9aa7674c7c4c2c4e87913e27a097ee4724db6cf32778c48bde2f0b200893bcbe896e4d51e3e942991940f7ed7c57c999d5efd

Download Submit
memory/108-127-0x0000000000000000-mapping.dmp

Download
memory/108-105-0x0000000000000000-mapping.dmp

Download
memory/272-106-0x0000000000000000-mapping.dmp

Download
memory/292-125-0x0000000000000000-mapping.dmp

Download
memory/432-128-0x0000000000000000-mapping.dmp

Download
memory/432-148-0x0000000000000000-mapping.dmp

Download
memory/600-129-0x0000000000000000-mapping.dmp

Download
memory/600-150-0x0000000000000000-mapping.dmp

Download
memory/640-80-0x0000000000000000-mapping.dmp

Download
memory/664-102-0x0000000000000000-mapping.dmp

Download
memory/664-180-0x0000000000000000-mapping.dmp

Download
memory/808-168-0x0000000000000000-mapping.dmp

Download
memory/824-158-0x0000000000000000-mapping.dmp

Download
memory/836-77-0x0000000000000000-mapping.dmp

Download
memory/836-155-0x0000000000000000-mapping.dmp

Download
memory/880-89-0x0000000000000000-mapping.dmp

Download
memory/900-83-0x0000000000000000-mapping.dmp

Download
memory/988-109-0x0000000000000000-mapping.dmp

Download
memory/1040-142-0x0000000000000000-mapping.dmp

Download
memory/1048-122-0x0000000000000000-mapping.dmp

Download
memory/1060-161-0x0000000000000000-mapping.dmp

Download
memory/1060-78-0x0000000000000000-mapping.dmp

Download
memory/1064-101-0x0000000000000000-mapping.dmp

Download
memory/1072-98-0x0000000000000000-mapping.dmp

Download
memory/1164-63-0x0000000000000000-mapping.dmp

Download
memory/1216-143-0x0000000000000000-mapping.dmp

Download
memory/1332-90-0x0000000000000000-mapping.dmp

Download
memory/1344-74-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1364-119-0x0000000000000000-mapping.dmp

Download
memory/1384-132-0x0000000000000000-mapping.dmp

Download
memory/1424-112-0x0000000000000000-mapping.dmp

Download
memory/1424-166-0x0000000000000000-mapping.dmp

Download
memory/1496-88-0x0000000000000000-mapping.dmp

Download
memory/1544-124-0x0000000000000000-mapping.dmp

Download
memory/1548-157-0x0000000000000000-mapping.dmp

Download
memory/1560-144-0x0000000000000000-mapping.dmp

Download
memory/1560-94-0x0000000000000000-mapping.dmp

Download
memory/1640-160-0x0000000000000000-mapping.dmp

Download
memory/1640-130-0x0000000000000000-mapping.dmp

Download
memory/1648-93-0x0000000000000000-mapping.dmp

Download
memory/1652-153-0x0000000000000000-mapping.dmp

Download
memory/1680-116-0x0000000000000000-mapping.dmp

Download
memory/1688-81-0x0000000000000000-mapping.dmp

Download
memory/1720-139-0x0000000000000000-mapping.dmp

Download
memory/1728-91-0x0000000000000000-mapping.dmp

Download
memory/1728-173-0x0000000000000000-mapping.dmp

Download
memory/1740-76-0x0000000000000000-mapping.dmp

Download
memory/1748-117-0x0000000000000000-mapping.dmp

Download
memory/1756-179-0x0000000000000000-mapping.dmp

Download
memory/1784-84-0x0000000000000000-mapping.dmp

Download
memory/1792-99-0x0000000000000000-mapping.dmp

Download
memory/1804-73-0x0000000000000000-mapping.dmp

Download
memory/1844-140-0x0000000000000000-mapping.dmp

Download
memory/1844-118-0x0000000000000000-mapping.dmp

Download
memory/1852-85-0x0000000000000000-mapping.dmp

Download
memory/1852-146-0x0000000000000000-mapping.dmp

Download
memory/1852-110-0x0000000000000000-mapping.dmp

Download
memory/1868-115-0x0000000000000000-mapping.dmp

Download
memory/1912-104-0x0000000000000000-mapping.dmp

Download
memory/1916-156-0x0000000000000000-mapping.dmp

Download
memory/1940-86-0x0000000000000000-mapping.dmp

Download
memory/1940-167-0x0000000000000000-mapping.dmp

Download
memory/1992-178-0x0000000000000000-mapping.dmp

Download
memory/2012-68-0x0000000000000000-mapping.dmp

Download