cobaltstrike | 3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351

Analysis

max time kernel
146s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
Size

5.9MB
MD5

2a19506cc53a25f8417fe1e4b282623b
SHA1

be66fa92612eeb5ffc95d848341f1be4516a610e
SHA256

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351
SHA512

edc2c69ac918fa7ac9d674b5994ca0d40deb0d1bc88a1380f67589a7807fb68dcbb52cd92c8e287531ef1db34784c503dd9db79ffd184b908d77a8452b975766

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 42 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\IdPanMw.exe	cobalt_reflective_dll
C:\Windows\system\IdPanMw.exe	cobalt_reflective_dll
C:\Windows\system\lOyPFDE.exe	cobalt_reflective_dll
\Windows\system\lOyPFDE.exe	cobalt_reflective_dll
\Windows\system\LplCyfs.exe	cobalt_reflective_dll
C:\Windows\system\LplCyfs.exe	cobalt_reflective_dll
\Windows\system\XrWfrqH.exe	cobalt_reflective_dll
C:\Windows\system\XrWfrqH.exe	cobalt_reflective_dll
\Windows\system\fytTudm.exe	cobalt_reflective_dll
C:\Windows\system\fytTudm.exe	cobalt_reflective_dll
C:\Windows\system\NShxOhe.exe	cobalt_reflective_dll
\Windows\system\cBuqTxH.exe	cobalt_reflective_dll
\Windows\system\NShxOhe.exe	cobalt_reflective_dll
\Windows\system\UyaMSYm.exe	cobalt_reflective_dll
C:\Windows\system\UyaMSYm.exe	cobalt_reflective_dll
C:\Windows\system\pISMOZN.exe	cobalt_reflective_dll
C:\Windows\system\fasBVuW.exe	cobalt_reflective_dll
\Windows\system\fasBVuW.exe	cobalt_reflective_dll
\Windows\system\mdWjWYD.exe	cobalt_reflective_dll
\Windows\system\pISMOZN.exe	cobalt_reflective_dll
C:\Windows\system\cBuqTxH.exe	cobalt_reflective_dll
\Windows\system\ELhSoyl.exe	cobalt_reflective_dll
C:\Windows\system\ELhSoyl.exe	cobalt_reflective_dll
C:\Windows\system\mdWjWYD.exe	cobalt_reflective_dll
\Windows\system\jlScgbx.exe	cobalt_reflective_dll
C:\Windows\system\jlScgbx.exe	cobalt_reflective_dll
\Windows\system\lHEvBNF.exe	cobalt_reflective_dll
C:\Windows\system\lHEvBNF.exe	cobalt_reflective_dll
\Windows\system\YasvrfC.exe	cobalt_reflective_dll
C:\Windows\system\YasvrfC.exe	cobalt_reflective_dll
C:\Windows\system\dLDGmJa.exe	cobalt_reflective_dll
\Windows\system\hYcLInH.exe	cobalt_reflective_dll
\Windows\system\dLDGmJa.exe	cobalt_reflective_dll
C:\Windows\system\hYcLInH.exe	cobalt_reflective_dll
\Windows\system\bUfyZfH.exe	cobalt_reflective_dll
C:\Windows\system\ynQfeKQ.exe	cobalt_reflective_dll
C:\Windows\system\bUfyZfH.exe	cobalt_reflective_dll
C:\Windows\system\fjNBQzw.exe	cobalt_reflective_dll
\Windows\system\fjNBQzw.exe	cobalt_reflective_dll
\Windows\system\ynQfeKQ.exe	cobalt_reflective_dll
\Windows\system\CfeXAEr.exe	cobalt_reflective_dll
C:\Windows\system\CfeXAEr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 64 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\IdPanMw.exe	xmrig
C:\Windows\system\IdPanMw.exe	xmrig
behavioral1/memory/1668-59-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
C:\Windows\system\lOyPFDE.exe	xmrig
\Windows\system\lOyPFDE.exe	xmrig
\Windows\system\LplCyfs.exe	xmrig
behavioral1/memory/1796-67-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1192-68-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
C:\Windows\system\LplCyfs.exe	xmrig
behavioral1/memory/1668-72-0x0000000002370000-0x00000000026C4000-memory.dmp	xmrig
behavioral1/memory/2044-73-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
\Windows\system\XrWfrqH.exe	xmrig
C:\Windows\system\XrWfrqH.exe	xmrig
behavioral1/memory/1992-79-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
\Windows\system\fytTudm.exe	xmrig
C:\Windows\system\fytTudm.exe	xmrig
C:\Windows\system\NShxOhe.exe	xmrig
\Windows\system\cBuqTxH.exe	xmrig
\Windows\system\NShxOhe.exe	xmrig
\Windows\system\UyaMSYm.exe	xmrig
C:\Windows\system\UyaMSYm.exe	xmrig
behavioral1/memory/1660-99-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
C:\Windows\system\pISMOZN.exe	xmrig
C:\Windows\system\fasBVuW.exe	xmrig
behavioral1/memory/520-106-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/1684-108-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/1668-109-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
\Windows\system\fasBVuW.exe	xmrig
\Windows\system\mdWjWYD.exe	xmrig
\Windows\system\pISMOZN.exe	xmrig
behavioral1/memory/428-112-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
C:\Windows\system\cBuqTxH.exe	xmrig
\Windows\system\ELhSoyl.exe	xmrig
C:\Windows\system\ELhSoyl.exe	xmrig
behavioral1/memory/892-117-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/1204-113-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
C:\Windows\system\mdWjWYD.exe	xmrig
behavioral1/memory/1500-122-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/1224-123-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
\Windows\system\jlScgbx.exe	xmrig
C:\Windows\system\jlScgbx.exe	xmrig
behavioral1/memory/1912-129-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
\Windows\system\lHEvBNF.exe	xmrig
C:\Windows\system\lHEvBNF.exe	xmrig
\Windows\system\YasvrfC.exe	xmrig
C:\Windows\system\YasvrfC.exe	xmrig
C:\Windows\system\dLDGmJa.exe	xmrig
\Windows\system\hYcLInH.exe	xmrig
\Windows\system\dLDGmJa.exe	xmrig
C:\Windows\system\hYcLInH.exe	xmrig
\Windows\system\bUfyZfH.exe	xmrig
C:\Windows\system\ynQfeKQ.exe	xmrig
behavioral1/memory/1560-153-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
C:\Windows\system\bUfyZfH.exe	xmrig
C:\Windows\system\fjNBQzw.exe	xmrig
behavioral1/memory/972-159-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/384-161-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1624-163-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/1668-164-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/1696-165-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/1668-166-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/636-167-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/560-168-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
\Windows\system\fjNBQzw.exe	xmrig

Executes dropped EXE 21 IoCs

Processes:

IdPanMw.exelOyPFDE.exeLplCyfs.exeXrWfrqH.exefytTudm.exeNShxOhe.execBuqTxH.exeUyaMSYm.exefasBVuW.exepISMOZN.exeELhSoyl.exemdWjWYD.exejlScgbx.exelHEvBNF.exeYasvrfC.exedLDGmJa.exehYcLInH.exeynQfeKQ.exebUfyZfH.exefjNBQzw.exeCfeXAEr.exe

pid	process
1796	IdPanMw.exe
1192	lOyPFDE.exe
2044	LplCyfs.exe
1992	XrWfrqH.exe
1660	fytTudm.exe
520	NShxOhe.exe
1684	cBuqTxH.exe
428	UyaMSYm.exe
1204	fasBVuW.exe
892	pISMOZN.exe
1500	ELhSoyl.exe
1224	mdWjWYD.exe
1912	jlScgbx.exe
1560	lHEvBNF.exe
972	YasvrfC.exe
384	dLDGmJa.exe
1624	hYcLInH.exe
1696	ynQfeKQ.exe
636	bUfyZfH.exe
560	fjNBQzw.exe
1520	CfeXAEr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\IdPanMw.exe	upx
C:\Windows\system\IdPanMw.exe	upx
behavioral1/memory/1668-59-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
C:\Windows\system\lOyPFDE.exe	upx
\Windows\system\lOyPFDE.exe	upx
\Windows\system\LplCyfs.exe	upx
behavioral1/memory/1796-67-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/1192-68-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
C:\Windows\system\LplCyfs.exe	upx
behavioral1/memory/2044-73-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
\Windows\system\XrWfrqH.exe	upx
C:\Windows\system\XrWfrqH.exe	upx
behavioral1/memory/1992-79-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
\Windows\system\fytTudm.exe	upx
C:\Windows\system\fytTudm.exe	upx
C:\Windows\system\NShxOhe.exe	upx
\Windows\system\cBuqTxH.exe	upx
\Windows\system\NShxOhe.exe	upx
\Windows\system\UyaMSYm.exe	upx
C:\Windows\system\UyaMSYm.exe	upx
behavioral1/memory/1660-99-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
C:\Windows\system\pISMOZN.exe	upx
C:\Windows\system\fasBVuW.exe	upx
behavioral1/memory/520-106-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/1684-108-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
\Windows\system\fasBVuW.exe	upx
\Windows\system\mdWjWYD.exe	upx
\Windows\system\pISMOZN.exe	upx
behavioral1/memory/428-112-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\cBuqTxH.exe	upx
\Windows\system\ELhSoyl.exe	upx
C:\Windows\system\ELhSoyl.exe	upx
behavioral1/memory/892-117-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/1204-113-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
C:\Windows\system\mdWjWYD.exe	upx
behavioral1/memory/1500-122-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/1224-123-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
\Windows\system\jlScgbx.exe	upx
C:\Windows\system\jlScgbx.exe	upx
behavioral1/memory/1912-129-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
\Windows\system\lHEvBNF.exe	upx
C:\Windows\system\lHEvBNF.exe	upx
\Windows\system\YasvrfC.exe	upx
C:\Windows\system\YasvrfC.exe	upx
C:\Windows\system\dLDGmJa.exe	upx
\Windows\system\hYcLInH.exe	upx
\Windows\system\dLDGmJa.exe	upx
C:\Windows\system\hYcLInH.exe	upx
\Windows\system\bUfyZfH.exe	upx
C:\Windows\system\ynQfeKQ.exe	upx
behavioral1/memory/1560-153-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
C:\Windows\system\bUfyZfH.exe	upx
C:\Windows\system\fjNBQzw.exe	upx
behavioral1/memory/972-159-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/384-161-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/1624-163-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/1696-165-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/636-167-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/560-168-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
\Windows\system\fjNBQzw.exe	upx
\Windows\system\ynQfeKQ.exe	upx
\Windows\system\CfeXAEr.exe	upx
C:\Windows\system\CfeXAEr.exe	upx
behavioral1/memory/1520-179-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx

Loads dropped DLL 21 IoCs

Processes:

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

pid	process
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

Drops file in Windows directory 21 IoCs

Processes:

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

description	ioc	process
File created	C:\Windows\System\XrWfrqH.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\fytTudm.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\UyaMSYm.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\YasvrfC.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\bUfyZfH.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\CfeXAEr.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\lOyPFDE.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\LplCyfs.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\cBuqTxH.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\pISMOZN.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\jlScgbx.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\hYcLInH.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\fjNBQzw.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\fasBVuW.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\mdWjWYD.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\lHEvBNF.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\IdPanMw.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\NShxOhe.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\ELhSoyl.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\dLDGmJa.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
File created	C:\Windows\System\ynQfeKQ.exe	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

description	pid	process
Token: SeLockMemoryPrivilege	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
Token: SeLockMemoryPrivilege	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe

description	pid	process	target process
PID 1668 wrote to memory of 1796	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	IdPanMw.exe
PID 1668 wrote to memory of 1796	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	IdPanMw.exe
PID 1668 wrote to memory of 1796	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	IdPanMw.exe
PID 1668 wrote to memory of 1192	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lOyPFDE.exe
PID 1668 wrote to memory of 1192	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lOyPFDE.exe
PID 1668 wrote to memory of 1192	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lOyPFDE.exe
PID 1668 wrote to memory of 2044	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	LplCyfs.exe
PID 1668 wrote to memory of 2044	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	LplCyfs.exe
PID 1668 wrote to memory of 2044	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	LplCyfs.exe
PID 1668 wrote to memory of 1992	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	XrWfrqH.exe
PID 1668 wrote to memory of 1992	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	XrWfrqH.exe
PID 1668 wrote to memory of 1992	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	XrWfrqH.exe
PID 1668 wrote to memory of 1660	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fytTudm.exe
PID 1668 wrote to memory of 1660	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fytTudm.exe
PID 1668 wrote to memory of 1660	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fytTudm.exe
PID 1668 wrote to memory of 520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	NShxOhe.exe
PID 1668 wrote to memory of 520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	NShxOhe.exe
PID 1668 wrote to memory of 520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	NShxOhe.exe
PID 1668 wrote to memory of 1684	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	cBuqTxH.exe
PID 1668 wrote to memory of 1684	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	cBuqTxH.exe
PID 1668 wrote to memory of 1684	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	cBuqTxH.exe
PID 1668 wrote to memory of 428	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	UyaMSYm.exe
PID 1668 wrote to memory of 428	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	UyaMSYm.exe
PID 1668 wrote to memory of 428	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	UyaMSYm.exe
PID 1668 wrote to memory of 892	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	pISMOZN.exe
PID 1668 wrote to memory of 892	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	pISMOZN.exe
PID 1668 wrote to memory of 892	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	pISMOZN.exe
PID 1668 wrote to memory of 1204	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fasBVuW.exe
PID 1668 wrote to memory of 1204	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fasBVuW.exe
PID 1668 wrote to memory of 1204	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fasBVuW.exe
PID 1668 wrote to memory of 1224	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	mdWjWYD.exe
PID 1668 wrote to memory of 1224	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	mdWjWYD.exe
PID 1668 wrote to memory of 1224	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	mdWjWYD.exe
PID 1668 wrote to memory of 1500	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ELhSoyl.exe
PID 1668 wrote to memory of 1500	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ELhSoyl.exe
PID 1668 wrote to memory of 1500	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ELhSoyl.exe
PID 1668 wrote to memory of 1912	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	jlScgbx.exe
PID 1668 wrote to memory of 1912	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	jlScgbx.exe
PID 1668 wrote to memory of 1912	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	jlScgbx.exe
PID 1668 wrote to memory of 1560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lHEvBNF.exe
PID 1668 wrote to memory of 1560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lHEvBNF.exe
PID 1668 wrote to memory of 1560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	lHEvBNF.exe
PID 1668 wrote to memory of 972	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	YasvrfC.exe
PID 1668 wrote to memory of 972	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	YasvrfC.exe
PID 1668 wrote to memory of 972	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	YasvrfC.exe
PID 1668 wrote to memory of 384	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	dLDGmJa.exe
PID 1668 wrote to memory of 384	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	dLDGmJa.exe
PID 1668 wrote to memory of 384	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	dLDGmJa.exe
PID 1668 wrote to memory of 1624	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	hYcLInH.exe
PID 1668 wrote to memory of 1624	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	hYcLInH.exe
PID 1668 wrote to memory of 1624	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	hYcLInH.exe
PID 1668 wrote to memory of 1696	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ynQfeKQ.exe
PID 1668 wrote to memory of 1696	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ynQfeKQ.exe
PID 1668 wrote to memory of 1696	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	ynQfeKQ.exe
PID 1668 wrote to memory of 636	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	bUfyZfH.exe
PID 1668 wrote to memory of 636	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	bUfyZfH.exe
PID 1668 wrote to memory of 636	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	bUfyZfH.exe
PID 1668 wrote to memory of 560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fjNBQzw.exe
PID 1668 wrote to memory of 560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fjNBQzw.exe
PID 1668 wrote to memory of 560	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	fjNBQzw.exe
PID 1668 wrote to memory of 1520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	CfeXAEr.exe
PID 1668 wrote to memory of 1520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	CfeXAEr.exe
PID 1668 wrote to memory of 1520	1668	3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe	CfeXAEr.exe

C:\Users\Admin\AppData\Local\Temp\3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe
"C:\Users\Admin\AppData\Local\Temp\3dd5f9acef213e5cd84f54cd05dd02a671fb62fa778e997c532fed7868594351.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System\IdPanMw.exe
C:\Windows\System\IdPanMw.exe
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\System\lOyPFDE.exe
C:\Windows\System\lOyPFDE.exe
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\System\LplCyfs.exe
C:\Windows\System\LplCyfs.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\XrWfrqH.exe
C:\Windows\System\XrWfrqH.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\System\fytTudm.exe
C:\Windows\System\fytTudm.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\NShxOhe.exe
C:\Windows\System\NShxOhe.exe
2⤵
- Executes dropped EXE
PID:520

C:\Windows\System\cBuqTxH.exe
C:\Windows\System\cBuqTxH.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\UyaMSYm.exe
C:\Windows\System\UyaMSYm.exe
2⤵
- Executes dropped EXE
PID:428

C:\Windows\System\fasBVuW.exe
C:\Windows\System\fasBVuW.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System\mdWjWYD.exe
C:\Windows\System\mdWjWYD.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\System\pISMOZN.exe
C:\Windows\System\pISMOZN.exe
2⤵
- Executes dropped EXE
PID:892

C:\Windows\System\ELhSoyl.exe
C:\Windows\System\ELhSoyl.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\jlScgbx.exe
C:\Windows\System\jlScgbx.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\lHEvBNF.exe
C:\Windows\System\lHEvBNF.exe
2⤵
- Executes dropped EXE
PID:1560

C:\Windows\System\YasvrfC.exe
C:\Windows\System\YasvrfC.exe
2⤵
- Executes dropped EXE
PID:972

C:\Windows\System\dLDGmJa.exe
C:\Windows\System\dLDGmJa.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System\hYcLInH.exe
C:\Windows\System\hYcLInH.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\ynQfeKQ.exe
C:\Windows\System\ynQfeKQ.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\bUfyZfH.exe
C:\Windows\System\bUfyZfH.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\System\fjNBQzw.exe
C:\Windows\System\fjNBQzw.exe
2⤵
- Executes dropped EXE
PID:560

C:\Windows\System\CfeXAEr.exe
C:\Windows\System\CfeXAEr.exe
2⤵
- Executes dropped EXE
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CfeXAEr.exe
Filesize
5.9MB

MD5
9ee425be1bddc54016ef6630f95d7466

SHA1
ba1e7624dbb8de784a28f786d4ca2afb96b28da4

SHA256
18db9af33ec5e2ba7a29bdc80abf4e37b37b4979555cd961cb4bb757b53ca684

SHA512
9feb2a885381d32850bcdba2ed2ccb093641ab7239c8b7d62119327e03f64dc1cddad6a1d8a4d6afe75cc939487b986125c700d357343a01e6fd0ac795cf7a35

Download Submit
C:\Windows\system\ELhSoyl.exe
Filesize
5.9MB

MD5
96badff6ed60db9b55fb8b958e8c3889

SHA1
1e364d262a0df6a0aabad304463441f666e1b1b8

SHA256
ea54827f75b79cbe7f13c17a47bc128a5405cc476ae578a4440e2ddebb40b9ee

SHA512
28f1df36206c6b8eb748c95a5d9351a1bfee746b79ae3a1e0d25d531a14310f894e39a61ff6cad045c91eb091eeb33ae14ad6bf4fc4a4471c2f459759095ed5a

Download Submit
C:\Windows\system\IdPanMw.exe
Filesize
5.9MB

MD5
3e16824100a2da6936db117009e8c4fd

SHA1
cb09f92bd16832c1a73cd5b0bbae79f26c88ea9e

SHA256
60dd6bf815b87f64997de5768351b3443dab4a3a147cbabf7826e06971cd5bbf

SHA512
0c809d1cea8f34edf11d84f130b77d1501f275ab55413e8a67175449ce92ef7313e522c036d82bff282e18bbe54c44e726e17a8c12960c6b0e3dc3182dbac462

Download Submit
C:\Windows\system\LplCyfs.exe
Filesize
5.9MB

MD5
ac2036f28153b7d2c0caf30aa24dd1a4

SHA1
5987f184b17fc51624be1894faab75b4b9f89f8a

SHA256
3e354abe555196f543d4bc2ae9bf98e319bf686fe0821e6fcd56b3ee0960eac9

SHA512
ce34a61e8a9b4239ab69399db53a25eabd66d4a67ec73599cf0f9f77cb1973ce0b4d25b0ca0a242c45ebe21be16317a716ca9bd9c617f796a666392590aa5942

Download Submit
C:\Windows\system\NShxOhe.exe
Filesize
5.9MB

MD5
dbed1aebf06e303bd600a9bba841b553

SHA1
12ec6c498915992a9006e8cad07f2a4c0035289f

SHA256
02978caf843de2c58524973b7524f6f0c54e0a7fcdd2d7a9232072b6c2cb6c70

SHA512
bd8fd1daf4c742fa0955933c48dda669615d7d217a4b4ea44ed802fd40819ff5aa68e69818a1d6f1b235d49f98efa526e090b7f4f8c7badb28ee5dd42cfa216c

Download Submit
C:\Windows\system\UyaMSYm.exe
Filesize
5.9MB

MD5
431d27e606ec8ff6d66f6511514387b6

SHA1
e4c1c12f09b1baf3e70db233b3de1cb946bf0cd7

SHA256
63920ee7ca64fc53f2dae1da7957fab34939038ef9ebbfee0bcc56a864587745

SHA512
d8a5c6d141c7265779d671fbd2f294022c5c636efcac09171844e3cebf747a2b821b0611c180e3a0ac653088b41b9367b02dfdd6e0a35a9fb691d92c29fc7a96

Download Submit
C:\Windows\system\XrWfrqH.exe
Filesize
5.9MB

MD5
4f787b63ec7410a8a48a8c59b36a39c9

SHA1
a7b4aec739e344464ea1b76c799b1bbea757bddc

SHA256
41009b86bde3e323a5a26e3110c9ad251340e35567dd4607ae4c8a4a9e84dfae

SHA512
bc61e996d21c434a95238811e24035fcc61ab14e51fb2bc7f22ce4a4256fa113b5d2af7a33a6dcc84db56e17d047abaf678aeb899348124b8cfd52bbb305175f

Download Submit
C:\Windows\system\YasvrfC.exe
Filesize
5.9MB

MD5
768f4d650d37833d36b669542f7fa986

SHA1
cb7a8f09632f9f3d00971c7d84f28791ee09b859

SHA256
37008856fc6c7152a5045b8bf75a90b4a56794315dfc0d974435288eb63cfc2c

SHA512
3cee813d62942e53ce20eed2336b1b3a490a9dc96c2b5cb2ec7a6dc10d8af49ec3283a1c57ca61a8eeb9a75dd04599d72cfacb4f2683396aea992dca6758ee98

Download Submit
C:\Windows\system\bUfyZfH.exe
Filesize
5.9MB

MD5
e34e3b94be4865a424b5ac7557a84c5c

SHA1
fc90fa8b9fad85b4d471f00515a4039fc75a686e

SHA256
1dead3bbf059632be361f7c98e6b6ea4841cda132e3fd9c90bfb335bd57a647d

SHA512
7d19990a81e81869313c9d37e2c215345e3d428f66953915b71964014f90eda6ed09c387daf04b0b83a488951c30432e338220c7c4c8f1b0bccba38674eca6ae

Download Submit
C:\Windows\system\cBuqTxH.exe
Filesize
5.9MB

MD5
4074912ea520325c1874e09e6ec3c6f8

SHA1
b60b95c665607fcbe97e9bf9db2ec3fc067e3280

SHA256
ab05489df35f2e157850a08555d8f8bad51626cd3cde98628e0bf7a2f8b4cc40

SHA512
ca447a48148cfa7132c8fb8f8c28eb30509af7822e6d8a609c0842e814e25183f8d7a02fa7b9077f7c7bd43527be5da29343a9b9586506790ae7c29b3b7537c8

Download Submit
C:\Windows\system\dLDGmJa.exe
Filesize
5.9MB

MD5
a2f25ee0e79619c35c8bfe0225b74271

SHA1
299455e6b500e46027404ea54d53b5d33bd1d474

SHA256
bc807efc5fcefcea0a56954089e554b32c63ab38733172bbd99c6cf8591ba592

SHA512
5e97689f1c1a5c2bc54820809f80c6b6b85889a70da14c960fb5bdfb902ba51826843bdd7debdc3a95cb9824478552d1be6bde284f49cfc2dc29f3fa6fa53273

Download Submit
C:\Windows\system\fasBVuW.exe
Filesize
5.9MB

MD5
360ec525cb73954f017e2a66b3125dbe

SHA1
9da911b9a7a7bd3a88ae9fca0896fb5f174ea91d

SHA256
5db3bcb7326be5300a8ded68f2cbd89cdf8aa9fe526df7f7589fb68bd12d4ca4

SHA512
9570a784d8583e7db760691ce4a403e74398c12aae9f2175131bbaab5432ee1393d093dbd9d90c6f18e005c1dca0969de9323bda7a338614a576e55170ca1522

Download Submit
C:\Windows\system\fjNBQzw.exe
Filesize
5.9MB

MD5
09411736d6f28726142d9ca1af3e0128

SHA1
eda6a56be6c817fa793025b35b90c1b6978e041f

SHA256
57867d73137cff0375a44eff9b1efa4dddf3717d76f2df436f579d15a536de1d

SHA512
b2a1c0a21feff45c83e75022020bd0b92d2677134c77e14db56a90d6f4b61b7c1a528af9bfb3dccb422c331cc9e069d6113cae60936e88d6e4df5d92ffc3ed29

Download Submit
C:\Windows\system\fytTudm.exe
Filesize
5.9MB

MD5
3e8ed8d2b40bc2d9717a133d5c99f019

SHA1
a937d3de5fc47e0ce25a984a307068233c922121

SHA256
28f902135ac6b1a3f56a8c985c7345f13a56939fb640bce1eb5fa4b771005ab2

SHA512
c9db8c7b6d28624e1aa1dc2bf00d2eff7989e7313a0358a4c46d6c5b81529e2eef348b0047aea5cb23908e94ee409a313ac20617ee8f67a3f4001513d75960d9

Download Submit
C:\Windows\system\hYcLInH.exe
Filesize
5.9MB

MD5
97debc48286b656b7d2fe02219a0915a

SHA1
81586f38f9f3634da367eb2c7a4a4d94528456fa

SHA256
f559e39d9253896e2da15896ed746d326957858f2cc27d9a4f41da52d3a09199

SHA512
0a4b1ee4b2af7090bcebf90b9d62f9cba88dd8d6226b58a1354f172e6719ef85bf95452175358508a031592a0cbe2b02d99fd1798148f1d3a20f8fa369932244

Download Submit
C:\Windows\system\jlScgbx.exe
Filesize
5.9MB

MD5
a1290cdc789a8b496a3d24d734c3b34e

SHA1
409772f9cdd9172b5f5899b77932f9faa396285f

SHA256
fad4601a3647296d34def17a8f480eef8f2025bc77e2fd8628fb669878c9d024

SHA512
b0f78b664bb942ec7b7242e8689d5be977ad7c64f710412b2255c9cf3ab126188550d9d34fa1404484e39107c20119a834554b4fc36bea632a374369a4518fc0

Download Submit
C:\Windows\system\lHEvBNF.exe
Filesize
5.9MB

MD5
5369d795a863a352cdb94c88a750dfb5

SHA1
c884c9d183a9a91f3d3f73061e84f131086078f7

SHA256
bd06ac7fda76297a1dd323a35f0b03dcdab374cdb02167c72174ef1a5886fc7c

SHA512
5c01610fce1de860ccc71d32104c3e9790b9048fdf317b4c9a78fe16f96aa73e9141edb029f8dde3e34010b1058e7196e73088b764d1db171cb70c9f1361342a

Download Submit
C:\Windows\system\lOyPFDE.exe
Filesize
5.9MB

MD5
ca65c23fd60e5b57eb588df6a7a13854

SHA1
5cd73bf8892c52181173a312f4274066195a7010

SHA256
3feb3ba51e97ace4a4c72afa1992685a5853428736e8703584e71706b5b0b1e4

SHA512
24e5ca5cc5e7a6c2f53f99ac3e7c97f0d1113d7f1b27ec1b8617bddb1697c8e9bdf15da13511bc201f003947c9d819d2134f3002002b83c0c494c57315ee52c4

Download Submit
C:\Windows\system\mdWjWYD.exe
Filesize
5.9MB

MD5
caf7560d8c0af6c8688ef3a0f647e34f

SHA1
0ddebdb1af2a2f63c7762b06e3d5cb72a9567cae

SHA256
b152a2b056b7ef72ec0691875a3265eaf9202161baef14bf5882f5ff4a1d1355

SHA512
b507a8bb5efee5bb51779f308c0da060736f5830b1bae6f49f6639f703a6a02551a97aaf424de20b6f912fe7ff2f37ea59715f784061652939fea43416163a2e

Download Submit
C:\Windows\system\pISMOZN.exe
Filesize
5.9MB

MD5
96ca9657e87edc869018ab17d8405265

SHA1
c4dec4499c94617ec15def5a8322ee719deeb40c

SHA256
851021f7d8eee6fe6e6847d56f0f76626a98daf6fbc3decd7fd6f9cd1e2aceee

SHA512
3118680967e8d5abfdcfe9264791f75aa9c0a90080d44a7a5122da352ae7acbd7e1904f82b8920e8140575e6a6c03494538c83eb9ae9341c14f29b78195834d4

Download Submit
C:\Windows\system\ynQfeKQ.exe
Filesize
5.9MB

MD5
e920341239563027d1de17f09e9814e6

SHA1
240782f4558805a6d80f9003b0f49b12d8f8e856

SHA256
caf78e4fddb4f9caf4ba08e04db6ef22e687e9275e9f720723ed112b9384e0d8

SHA512
9df746c79080e57dd28385ef3868e6e78c4e061bcb0e0aa0728a8b74dd25ec28d4e1e29c35ab91f1318bf805d4b69a5d2a3ded223926a3bd3be43f7a1b16979f

Download Submit
\Windows\system\CfeXAEr.exe
Filesize
5.9MB

MD5
9ee425be1bddc54016ef6630f95d7466

SHA1
ba1e7624dbb8de784a28f786d4ca2afb96b28da4

SHA256
18db9af33ec5e2ba7a29bdc80abf4e37b37b4979555cd961cb4bb757b53ca684

SHA512
9feb2a885381d32850bcdba2ed2ccb093641ab7239c8b7d62119327e03f64dc1cddad6a1d8a4d6afe75cc939487b986125c700d357343a01e6fd0ac795cf7a35

Download Submit
\Windows\system\ELhSoyl.exe
Filesize
5.9MB

MD5
96badff6ed60db9b55fb8b958e8c3889

SHA1
1e364d262a0df6a0aabad304463441f666e1b1b8

SHA256
ea54827f75b79cbe7f13c17a47bc128a5405cc476ae578a4440e2ddebb40b9ee

SHA512
28f1df36206c6b8eb748c95a5d9351a1bfee746b79ae3a1e0d25d531a14310f894e39a61ff6cad045c91eb091eeb33ae14ad6bf4fc4a4471c2f459759095ed5a

Download Submit
\Windows\system\IdPanMw.exe
Filesize
5.9MB

MD5
3e16824100a2da6936db117009e8c4fd

SHA1
cb09f92bd16832c1a73cd5b0bbae79f26c88ea9e

SHA256
60dd6bf815b87f64997de5768351b3443dab4a3a147cbabf7826e06971cd5bbf

SHA512
0c809d1cea8f34edf11d84f130b77d1501f275ab55413e8a67175449ce92ef7313e522c036d82bff282e18bbe54c44e726e17a8c12960c6b0e3dc3182dbac462

Download Submit
\Windows\system\LplCyfs.exe
Filesize
5.9MB

MD5
ac2036f28153b7d2c0caf30aa24dd1a4

SHA1
5987f184b17fc51624be1894faab75b4b9f89f8a

SHA256
3e354abe555196f543d4bc2ae9bf98e319bf686fe0821e6fcd56b3ee0960eac9

SHA512
ce34a61e8a9b4239ab69399db53a25eabd66d4a67ec73599cf0f9f77cb1973ce0b4d25b0ca0a242c45ebe21be16317a716ca9bd9c617f796a666392590aa5942

Download Submit
\Windows\system\NShxOhe.exe
Filesize
5.9MB

MD5
dbed1aebf06e303bd600a9bba841b553

SHA1
12ec6c498915992a9006e8cad07f2a4c0035289f

SHA256
02978caf843de2c58524973b7524f6f0c54e0a7fcdd2d7a9232072b6c2cb6c70

SHA512
bd8fd1daf4c742fa0955933c48dda669615d7d217a4b4ea44ed802fd40819ff5aa68e69818a1d6f1b235d49f98efa526e090b7f4f8c7badb28ee5dd42cfa216c

Download Submit
\Windows\system\UyaMSYm.exe
Filesize
5.9MB

MD5
431d27e606ec8ff6d66f6511514387b6

SHA1
e4c1c12f09b1baf3e70db233b3de1cb946bf0cd7

SHA256
63920ee7ca64fc53f2dae1da7957fab34939038ef9ebbfee0bcc56a864587745

SHA512
d8a5c6d141c7265779d671fbd2f294022c5c636efcac09171844e3cebf747a2b821b0611c180e3a0ac653088b41b9367b02dfdd6e0a35a9fb691d92c29fc7a96

Download Submit
\Windows\system\XrWfrqH.exe
Filesize
5.9MB

MD5
4f787b63ec7410a8a48a8c59b36a39c9

SHA1
a7b4aec739e344464ea1b76c799b1bbea757bddc

SHA256
41009b86bde3e323a5a26e3110c9ad251340e35567dd4607ae4c8a4a9e84dfae

SHA512
bc61e996d21c434a95238811e24035fcc61ab14e51fb2bc7f22ce4a4256fa113b5d2af7a33a6dcc84db56e17d047abaf678aeb899348124b8cfd52bbb305175f

Download Submit
\Windows\system\YasvrfC.exe
Filesize
5.9MB

MD5
768f4d650d37833d36b669542f7fa986

SHA1
cb7a8f09632f9f3d00971c7d84f28791ee09b859

SHA256
37008856fc6c7152a5045b8bf75a90b4a56794315dfc0d974435288eb63cfc2c

SHA512
3cee813d62942e53ce20eed2336b1b3a490a9dc96c2b5cb2ec7a6dc10d8af49ec3283a1c57ca61a8eeb9a75dd04599d72cfacb4f2683396aea992dca6758ee98

Download Submit
\Windows\system\bUfyZfH.exe
Filesize
5.9MB

MD5
e34e3b94be4865a424b5ac7557a84c5c

SHA1
fc90fa8b9fad85b4d471f00515a4039fc75a686e

SHA256
1dead3bbf059632be361f7c98e6b6ea4841cda132e3fd9c90bfb335bd57a647d

SHA512
7d19990a81e81869313c9d37e2c215345e3d428f66953915b71964014f90eda6ed09c387daf04b0b83a488951c30432e338220c7c4c8f1b0bccba38674eca6ae

Download Submit
\Windows\system\cBuqTxH.exe
Filesize
5.9MB

MD5
4074912ea520325c1874e09e6ec3c6f8

SHA1
b60b95c665607fcbe97e9bf9db2ec3fc067e3280

SHA256
ab05489df35f2e157850a08555d8f8bad51626cd3cde98628e0bf7a2f8b4cc40

SHA512
ca447a48148cfa7132c8fb8f8c28eb30509af7822e6d8a609c0842e814e25183f8d7a02fa7b9077f7c7bd43527be5da29343a9b9586506790ae7c29b3b7537c8

Download Submit
\Windows\system\dLDGmJa.exe
Filesize
5.9MB

MD5
a2f25ee0e79619c35c8bfe0225b74271

SHA1
299455e6b500e46027404ea54d53b5d33bd1d474

SHA256
bc807efc5fcefcea0a56954089e554b32c63ab38733172bbd99c6cf8591ba592

SHA512
5e97689f1c1a5c2bc54820809f80c6b6b85889a70da14c960fb5bdfb902ba51826843bdd7debdc3a95cb9824478552d1be6bde284f49cfc2dc29f3fa6fa53273

Download Submit
\Windows\system\fasBVuW.exe
Filesize
5.9MB

MD5
360ec525cb73954f017e2a66b3125dbe

SHA1
9da911b9a7a7bd3a88ae9fca0896fb5f174ea91d

SHA256
5db3bcb7326be5300a8ded68f2cbd89cdf8aa9fe526df7f7589fb68bd12d4ca4

SHA512
9570a784d8583e7db760691ce4a403e74398c12aae9f2175131bbaab5432ee1393d093dbd9d90c6f18e005c1dca0969de9323bda7a338614a576e55170ca1522

Download Submit
\Windows\system\fjNBQzw.exe
Filesize
5.9MB

MD5
09411736d6f28726142d9ca1af3e0128

SHA1
eda6a56be6c817fa793025b35b90c1b6978e041f

SHA256
57867d73137cff0375a44eff9b1efa4dddf3717d76f2df436f579d15a536de1d

SHA512
b2a1c0a21feff45c83e75022020bd0b92d2677134c77e14db56a90d6f4b61b7c1a528af9bfb3dccb422c331cc9e069d6113cae60936e88d6e4df5d92ffc3ed29

Download Submit
\Windows\system\fytTudm.exe
Filesize
5.9MB

MD5
3e8ed8d2b40bc2d9717a133d5c99f019

SHA1
a937d3de5fc47e0ce25a984a307068233c922121

SHA256
28f902135ac6b1a3f56a8c985c7345f13a56939fb640bce1eb5fa4b771005ab2

SHA512
c9db8c7b6d28624e1aa1dc2bf00d2eff7989e7313a0358a4c46d6c5b81529e2eef348b0047aea5cb23908e94ee409a313ac20617ee8f67a3f4001513d75960d9

Download Submit
\Windows\system\hYcLInH.exe
Filesize
5.9MB

MD5
97debc48286b656b7d2fe02219a0915a

SHA1
81586f38f9f3634da367eb2c7a4a4d94528456fa

SHA256
f559e39d9253896e2da15896ed746d326957858f2cc27d9a4f41da52d3a09199

SHA512
0a4b1ee4b2af7090bcebf90b9d62f9cba88dd8d6226b58a1354f172e6719ef85bf95452175358508a031592a0cbe2b02d99fd1798148f1d3a20f8fa369932244

Download Submit
\Windows\system\jlScgbx.exe
Filesize
5.9MB

MD5
a1290cdc789a8b496a3d24d734c3b34e

SHA1
409772f9cdd9172b5f5899b77932f9faa396285f

SHA256
fad4601a3647296d34def17a8f480eef8f2025bc77e2fd8628fb669878c9d024

SHA512
b0f78b664bb942ec7b7242e8689d5be977ad7c64f710412b2255c9cf3ab126188550d9d34fa1404484e39107c20119a834554b4fc36bea632a374369a4518fc0

Download Submit
\Windows\system\lHEvBNF.exe
Filesize
5.9MB

MD5
5369d795a863a352cdb94c88a750dfb5

SHA1
c884c9d183a9a91f3d3f73061e84f131086078f7

SHA256
bd06ac7fda76297a1dd323a35f0b03dcdab374cdb02167c72174ef1a5886fc7c

SHA512
5c01610fce1de860ccc71d32104c3e9790b9048fdf317b4c9a78fe16f96aa73e9141edb029f8dde3e34010b1058e7196e73088b764d1db171cb70c9f1361342a

Download Submit
\Windows\system\lOyPFDE.exe
Filesize
5.9MB

MD5
ca65c23fd60e5b57eb588df6a7a13854

SHA1
5cd73bf8892c52181173a312f4274066195a7010

SHA256
3feb3ba51e97ace4a4c72afa1992685a5853428736e8703584e71706b5b0b1e4

SHA512
24e5ca5cc5e7a6c2f53f99ac3e7c97f0d1113d7f1b27ec1b8617bddb1697c8e9bdf15da13511bc201f003947c9d819d2134f3002002b83c0c494c57315ee52c4

Download Submit
\Windows\system\mdWjWYD.exe
Filesize
5.9MB

MD5
caf7560d8c0af6c8688ef3a0f647e34f

SHA1
0ddebdb1af2a2f63c7762b06e3d5cb72a9567cae

SHA256
b152a2b056b7ef72ec0691875a3265eaf9202161baef14bf5882f5ff4a1d1355

SHA512
b507a8bb5efee5bb51779f308c0da060736f5830b1bae6f49f6639f703a6a02551a97aaf424de20b6f912fe7ff2f37ea59715f784061652939fea43416163a2e

Download Submit
\Windows\system\pISMOZN.exe
Filesize
5.9MB

MD5
96ca9657e87edc869018ab17d8405265

SHA1
c4dec4499c94617ec15def5a8322ee719deeb40c

SHA256
851021f7d8eee6fe6e6847d56f0f76626a98daf6fbc3decd7fd6f9cd1e2aceee

SHA512
3118680967e8d5abfdcfe9264791f75aa9c0a90080d44a7a5122da352ae7acbd7e1904f82b8920e8140575e6a6c03494538c83eb9ae9341c14f29b78195834d4

Download Submit
\Windows\system\ynQfeKQ.exe
Filesize
5.9MB

MD5
e920341239563027d1de17f09e9814e6

SHA1
240782f4558805a6d80f9003b0f49b12d8f8e856

SHA256
caf78e4fddb4f9caf4ba08e04db6ef22e687e9275e9f720723ed112b9384e0d8

SHA512
9df746c79080e57dd28385ef3868e6e78c4e061bcb0e0aa0728a8b74dd25ec28d4e1e29c35ab91f1318bf805d4b69a5d2a3ded223926a3bd3be43f7a1b16979f

Download Submit
memory/384-161-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/384-139-0x0000000000000000-mapping.dmp

Download
memory/384-198-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/428-93-0x0000000000000000-mapping.dmp

Download
memory/428-112-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/428-191-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/520-189-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/520-106-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/520-85-0x0000000000000000-mapping.dmp

Download
memory/560-183-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/560-168-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/560-202-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/560-155-0x0000000000000000-mapping.dmp

Download
memory/636-181-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/636-151-0x0000000000000000-mapping.dmp

Download
memory/636-167-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/892-117-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/892-193-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/892-96-0x0000000000000000-mapping.dmp

Download
memory/972-159-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/972-135-0x0000000000000000-mapping.dmp

Download
memory/972-199-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1192-182-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1192-62-0x0000000000000000-mapping.dmp

Download
memory/1192-68-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1204-192-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1204-101-0x0000000000000000-mapping.dmp

Download
memory/1204-113-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1224-111-0x0000000000000000-mapping.dmp

Download
memory/1224-195-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1224-123-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-115-0x0000000000000000-mapping.dmp

Download
memory/1500-122-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-194-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-179-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-172-0x0000000000000000-mapping.dmp

Download
memory/1560-153-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-197-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-131-0x0000000000000000-mapping.dmp

Download
memory/1624-163-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-201-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-143-0x0000000000000000-mapping.dmp

Download
memory/1660-99-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1660-188-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1660-81-0x0000000000000000-mapping.dmp

Download
memory/1668-164-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1668-173-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-109-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1668-162-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-166-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-60-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-158-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1668-78-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-94-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-54-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1668-59-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/1668-186-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-72-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-121-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1668-177-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-175-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1668-178-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-107-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-180-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-128-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-70-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1668-152-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-184-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1668-160-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1684-89-0x0000000000000000-mapping.dmp

Download
memory/1684-190-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1684-108-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1696-146-0x0000000000000000-mapping.dmp

Download
memory/1696-165-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1696-200-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1796-56-0x0000000000000000-mapping.dmp

Download
memory/1796-67-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-196-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1912-125-0x0000000000000000-mapping.dmp

Download
memory/1912-129-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1992-187-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-75-0x0000000000000000-mapping.dmp

Download
memory/1992-79-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-73-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2044-185-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download