metasploit | 1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

Analysis

max time kernel
188s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-06-2022 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Size

498KB
MD5

88d16eafa3d80cbc183085f120475998
SHA1

d9898f4b77ed203106fdb6eaf9b83afec20b6022
SHA256

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6
SHA512

b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

hcivseh.exehcivseh.exefgfgwtc.exefgfgwtc.exerjvlnao.exerjvlnao.exemlbwfgs.exemlbwfgs.exehggexza.exehggexza.exeofocahw.exeofocahw.exewtorhwf.exewtorhwf.exewfajvik.exewfajvik.exeogtvgkp.exeogtvgkp.exelmnmuqm.exelmnmuqm.exeayrzkks.exeayrzkks.exefppasyb.exefppasyb.exevfknkpd.exevfknkpd.exeiwninks.exeiwninks.exeqazbqda.exeqazbqda.exevbibsie.exevbibsie.exeqscehxf.exeqscehxf.exeidyojpx.exeidyojpx.exeasqzfqc.exeasqzfqc.exessbxewg.exessbxewg.exeihnkxnh.exeihnkxnh.exenuixbwr.exenuixbwr.exeqeivusz.exeqeivusz.exeyfgvahd.exeyfgvahd.exealnyqze.exealnyqze.exeiemyegi.exeiemyegi.exeiltbbib.exeiltbbib.exefdmcoke.exefdmcoke.exexdlsixa.exexdlsixa.exeheuwand.exeheuwand.exekeakjnb.exekeakjnb.exewxbsnhk.exewxbsnhk.exe

pid	process
2684	hcivseh.exe
3240	hcivseh.exe
3932	fgfgwtc.exe
3176	fgfgwtc.exe
4620	rjvlnao.exe
4584	rjvlnao.exe
3160	mlbwfgs.exe
5068	mlbwfgs.exe
1420	hggexza.exe
2080	hggexza.exe
2044	ofocahw.exe
344	ofocahw.exe
3104	wtorhwf.exe
2980	wtorhwf.exe
4924	wfajvik.exe
2692	wfajvik.exe
2348	ogtvgkp.exe
5088	ogtvgkp.exe
4448	lmnmuqm.exe
3888	lmnmuqm.exe
1660	ayrzkks.exe
4432	ayrzkks.exe
4416	fppasyb.exe
2272	fppasyb.exe
816	vfknkpd.exe
1112	vfknkpd.exe
1204	iwninks.exe
3328	iwninks.exe
4380	qazbqda.exe
1276	qazbqda.exe
1384	vbibsie.exe
3000	vbibsie.exe
5072	qscehxf.exe
4984	qscehxf.exe
1072	idyojpx.exe
3592	idyojpx.exe
4612	asqzfqc.exe
4576	asqzfqc.exe
4948	ssbxewg.exe
652	ssbxewg.exe
4116	ihnkxnh.exe
3960	ihnkxnh.exe
2156	nuixbwr.exe
3288	nuixbwr.exe
1120	qeivusz.exe
2752	qeivusz.exe
640	yfgvahd.exe
2084	yfgvahd.exe
3500	alnyqze.exe
1608	alnyqze.exe
4684	iemyegi.exe
2600	iemyegi.exe
4536	iltbbib.exe
3772	iltbbib.exe
2460	fdmcoke.exe
988	fdmcoke.exe
2248	xdlsixa.exe
3092	xdlsixa.exe
4460	heuwand.exe
4388	heuwand.exe
392	keakjnb.exe
1676	keakjnb.exe
1848	wxbsnhk.exe
1968	wxbsnhk.exe

Drops file in System32 directory 64 IoCs

Processes:

ckqknqg.exeiknmjiw.exehxzoedj.exerefziko.exeasqzfqc.exewwlenhh.exefimmkob.exeumoiupl.exezpdqgou.exeqscehxf.exeyluyfff.exeyogoxua.exescyqink.exeplrsupv.exemlbwfgs.exeayrzkks.exetgalqgk.exelqtuwxw.exexmjftca.exerzwregg.exewcozcae.exedcyfnln.exehxzoedj.exeenkwzci.exezdlrctv.exercopthh.exeomqotdz.exebzjjkhw.exeqzkaukd.exeyogoxua.exehcivseh.exeqazbqda.exedmriwqx.exennfhbds.exercnfrtx.exeeizshpx.exewolnxxr.exejmasfia.exeewkecwl.exelvbogbz.exednxxxbp.exethwiujh.exetpgoqof.execkqknqg.exeqeivusz.exedfddpxm.exeomxuuxq.exeougagfn.exetjkthcm.exesvdcqsi.exezlbeohv.exeblioakn.exettdskba.exejmasfia.exehrioizb.exeptcyqut.exejoahpll.exejwgxzgb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\quxnqpg.exe	ckqknqg.exe
File created	C:\Windows\SysWOW64\fimmkob.exe	iknmjiw.exe
File opened for modification	C:\Windows\SysWOW64\hxzoedj.exe	hxzoedj.exe
File opened for modification	C:\Windows\SysWOW64\refziko.exe	refziko.exe
File created	C:\Windows\SysWOW64\ssbxewg.exe	asqzfqc.exe
File created	C:\Windows\SysWOW64\ewkecwl.exe	wwlenhh.exe
File opened for modification	C:\Windows\SysWOW64\fimmkob.exe	fimmkob.exe
File created	C:\Windows\SysWOW64\etsgfns.exe	umoiupl.exe
File created	C:\Windows\SysWOW64\jssttri.exe	zpdqgou.exe
File opened for modification	C:\Windows\SysWOW64\idyojpx.exe	qscehxf.exe
File created	C:\Windows\SysWOW64\lcptnnc.exe	yluyfff.exe
File opened for modification	C:\Windows\SysWOW64\dqwocfo.exe	yogoxua.exe
File created	C:\Windows\SysWOW64\cyzbxhl.exe	scyqink.exe
File created	C:\Windows\SysWOW64\eizshpx.exe	plrsupv.exe
File opened for modification	C:\Windows\SysWOW64\mlbwfgs.exe	mlbwfgs.exe
File created	C:\Windows\SysWOW64\fppasyb.exe	ayrzkks.exe
File created	C:\Windows\SysWOW64\dnerbes.exe	tgalqgk.exe
File opened for modification	C:\Windows\SysWOW64\lqtuwxw.exe	lqtuwxw.exe
File opened for modification	C:\Windows\SysWOW64\vgfskfg.exe	xmjftca.exe
File opened for modification	C:\Windows\SysWOW64\rzwregg.exe	rzwregg.exe
File created	C:\Windows\SysWOW64\gbswvzm.exe	wcozcae.exe
File opened for modification	C:\Windows\SysWOW64\dcyfnln.exe	dcyfnln.exe
File opened for modification	C:\Windows\SysWOW64\rssgtgk.exe	hxzoedj.exe
File opened for modification	C:\Windows\SysWOW64\refziko.exe	enkwzci.exe
File created	C:\Windows\SysWOW64\jydckwe.exe	zdlrctv.exe
File opened for modification	C:\Windows\SysWOW64\jydckwe.exe	zdlrctv.exe
File created	C:\Windows\SysWOW64\ywkcdvj.exe	rcopthh.exe
File opened for modification	C:\Windows\SysWOW64\omqotdz.exe	omqotdz.exe
File opened for modification	C:\Windows\SysWOW64\lgnpvfd.exe	bzjjkhw.exe
File opened for modification	C:\Windows\SysWOW64\yogoxua.exe	qzkaukd.exe
File opened for modification	C:\Windows\SysWOW64\yogoxua.exe	yogoxua.exe
File created	C:\Windows\SysWOW64\dqwocfo.exe	yogoxua.exe
File created	C:\Windows\SysWOW64\fgfgwtc.exe	hcivseh.exe
File opened for modification	C:\Windows\SysWOW64\vbibsie.exe	qazbqda.exe
File created	C:\Windows\SysWOW64\oisalky.exe	dmriwqx.exe
File created	C:\Windows\SysWOW64\xmjftca.exe	nnfhbds.exe
File created	C:\Windows\SysWOW64\cbzlbsf.exe	rcnfrtx.exe
File created	C:\Windows\SysWOW64\oapxlfz.exe	eizshpx.exe
File created	C:\Windows\SysWOW64\jyryaxr.exe	wolnxxr.exe
File opened for modification	C:\Windows\SysWOW64\jmasfia.exe	jmasfia.exe
File opened for modification	C:\Windows\SysWOW64\cbzlbsf.exe	rcnfrtx.exe
File opened for modification	C:\Windows\SysWOW64\fppasyb.exe	ayrzkks.exe
File created	C:\Windows\SysWOW64\oslokrm.exe	ewkecwl.exe
File created	C:\Windows\SysWOW64\bzjjkhw.exe	lvbogbz.exe
File opened for modification	C:\Windows\SysWOW64\jwfsngv.exe	dnxxxbp.exe
File opened for modification	C:\Windows\SysWOW64\enaawvc.exe	thwiujh.exe
File created	C:\Windows\SysWOW64\dkhgyin.exe	tpgoqof.exe
File opened for modification	C:\Windows\SysWOW64\ckqknqg.exe	ckqknqg.exe
File opened for modification	C:\Windows\SysWOW64\qeivusz.exe	qeivusz.exe
File opened for modification	C:\Windows\SysWOW64\ywkcdvj.exe	rcopthh.exe
File opened for modification	C:\Windows\SysWOW64\dfddpxm.exe	dfddpxm.exe
File opened for modification	C:\Windows\SysWOW64\bhpkabp.exe	omxuuxq.exe
File opened for modification	C:\Windows\SysWOW64\zqzsnzw.exe	ougagfn.exe
File created	C:\Windows\SysWOW64\dfddpxm.exe	tjkthcm.exe
File opened for modification	C:\Windows\SysWOW64\fivrwoh.exe	svdcqsi.exe
File opened for modification	C:\Windows\SysWOW64\zlbeohv.exe	zlbeohv.exe
File opened for modification	C:\Windows\SysWOW64\nqzixsy.exe	blioakn.exe
File opened for modification	C:\Windows\SysWOW64\dthpvzh.exe	ttdskba.exe
File created	C:\Windows\SysWOW64\rcnfrtx.exe	jmasfia.exe
File created	C:\Windows\SysWOW64\ubprlzb.exe	hrioizb.exe
File opened for modification	C:\Windows\SysWOW64\ptcyqut.exe	ptcyqut.exe
File created	C:\Windows\SysWOW64\tyqfubf.exe	joahpll.exe
File opened for modification	C:\Windows\SysWOW64\gbswvzm.exe	wcozcae.exe
File opened for modification	C:\Windows\SysWOW64\thwiujh.exe	jwgxzgb.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exehcivseh.exefgfgwtc.exerjvlnao.exemlbwfgs.exehggexza.exeofocahw.exewtorhwf.exewfajvik.exeogtvgkp.exelmnmuqm.exeayrzkks.exefppasyb.exevfknkpd.exeiwninks.exeqazbqda.exevbibsie.exeqscehxf.exeidyojpx.exeasqzfqc.exessbxewg.exeihnkxnh.exenuixbwr.exeqeivusz.exeyfgvahd.exealnyqze.exeiemyegi.exeiltbbib.exefdmcoke.exexdlsixa.exeheuwand.exekeakjnb.exewxbsnhk.exethcggod.exemhojqcm.exehnezlmp.exebtucgkw.exelpnmvew.exewkoxdzf.exettzfqxf.exeonmvqqn.exewolnxxr.exejyryaxr.exerqqyoln.exebbficob.exeokllfgt.exezkqixfb.exejcfocdd.exewwlenhh.exeewkecwl.exeoslokrm.exeeiwwqap.exeosmuvqr.exebusjhdw.exelqtuwxw.exezdlrctv.exejydckwe.exercopthh.exeywkcdvj.exejoahpll.exetyqfubf.exedifphet.exerslakdl.exedmriwqx.exe

description	pid	process	target process
PID 2384 set thread context of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2684 set thread context of 3240	2684	hcivseh.exe	hcivseh.exe
PID 3932 set thread context of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 4620 set thread context of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 3160 set thread context of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 1420 set thread context of 2080	1420	hggexza.exe	hggexza.exe
PID 2044 set thread context of 344	2044	ofocahw.exe	ofocahw.exe
PID 3104 set thread context of 2980	3104	wtorhwf.exe	wtorhwf.exe
PID 4924 set thread context of 2692	4924	wfajvik.exe	wfajvik.exe
PID 2348 set thread context of 5088	2348	ogtvgkp.exe	ogtvgkp.exe
PID 4448 set thread context of 3888	4448	lmnmuqm.exe	lmnmuqm.exe
PID 1660 set thread context of 4432	1660	ayrzkks.exe	ayrzkks.exe
PID 4416 set thread context of 2272	4416	fppasyb.exe	fppasyb.exe
PID 816 set thread context of 1112	816	vfknkpd.exe	vfknkpd.exe
PID 1204 set thread context of 3328	1204	iwninks.exe	iwninks.exe
PID 4380 set thread context of 1276	4380	qazbqda.exe	qazbqda.exe
PID 1384 set thread context of 3000	1384	vbibsie.exe	vbibsie.exe
PID 5072 set thread context of 4984	5072	qscehxf.exe	qscehxf.exe
PID 1072 set thread context of 3592	1072	idyojpx.exe	idyojpx.exe
PID 4612 set thread context of 4576	4612	asqzfqc.exe	asqzfqc.exe
PID 4948 set thread context of 652	4948	ssbxewg.exe	ssbxewg.exe
PID 4116 set thread context of 3960	4116	ihnkxnh.exe	ihnkxnh.exe
PID 2156 set thread context of 3288	2156	nuixbwr.exe	nuixbwr.exe
PID 1120 set thread context of 2752	1120	qeivusz.exe	qeivusz.exe
PID 640 set thread context of 2084	640	yfgvahd.exe	yfgvahd.exe
PID 3500 set thread context of 1608	3500	alnyqze.exe	alnyqze.exe
PID 4684 set thread context of 2600	4684	iemyegi.exe	iemyegi.exe
PID 4536 set thread context of 3772	4536	iltbbib.exe	iltbbib.exe
PID 2460 set thread context of 988	2460	fdmcoke.exe	fdmcoke.exe
PID 2248 set thread context of 3092	2248	xdlsixa.exe	xdlsixa.exe
PID 4460 set thread context of 4388	4460	heuwand.exe	heuwand.exe
PID 392 set thread context of 1676	392	keakjnb.exe	keakjnb.exe
PID 1848 set thread context of 1968	1848	wxbsnhk.exe	wxbsnhk.exe
PID 4744 set thread context of 2244	4744	thcggod.exe	thcggod.exe
PID 1768 set thread context of 1828	1768	mhojqcm.exe	mhojqcm.exe
PID 3616 set thread context of 2488	3616	hnezlmp.exe	hnezlmp.exe
PID 4540 set thread context of 2536	4540	btucgkw.exe	btucgkw.exe
PID 4064 set thread context of 4500	4064	lpnmvew.exe	lpnmvew.exe
PID 4592 set thread context of 3932	4592	wkoxdzf.exe	wkoxdzf.exe
PID 2148 set thread context of 2024	2148	ttzfqxf.exe	ttzfqxf.exe
PID 2004 set thread context of 8	2004	onmvqqn.exe	onmvqqn.exe
PID 1420 set thread context of 1720	1420	wolnxxr.exe	wolnxxr.exe
PID 4668 set thread context of 5016	4668	jyryaxr.exe	jyryaxr.exe
PID 2044 set thread context of 4524	2044	rqqyoln.exe	rqqyoln.exe
PID 2132 set thread context of 3348	2132	bbficob.exe	bbficob.exe
PID 1552 set thread context of 4952	1552	okllfgt.exe	okllfgt.exe
PID 3724 set thread context of 2320	3724	zkqixfb.exe	zkqixfb.exe
PID 2348 set thread context of 2968	2348	jcfocdd.exe	jcfocdd.exe
PID 4448 set thread context of 664	4448	wwlenhh.exe	wwlenhh.exe
PID 4872 set thread context of 4452	4872	ewkecwl.exe	ewkecwl.exe
PID 3780 set thread context of 4112	3780	oslokrm.exe	oslokrm.exe
PID 2748 set thread context of 1660	2748	eiwwqap.exe	eiwwqap.exe
PID 1912 set thread context of 1140	1912	osmuvqr.exe	osmuvqr.exe
PID 2520 set thread context of 4332	2520	busjhdw.exe	busjhdw.exe
PID 4868 set thread context of 3364	4868	lqtuwxw.exe	lqtuwxw.exe
PID 3628 set thread context of 5040	3628	zdlrctv.exe	zdlrctv.exe
PID 2256 set thread context of 5044	2256	jydckwe.exe	jydckwe.exe
PID 3540 set thread context of 2280	3540	rcopthh.exe	rcopthh.exe
PID 2996 set thread context of 2360	2996	ywkcdvj.exe	ywkcdvj.exe
PID 4920 set thread context of 2500	4920	joahpll.exe	joahpll.exe
PID 1832 set thread context of 4268	1832	tyqfubf.exe	tyqfubf.exe
PID 1620 set thread context of 4420	1620	difphet.exe	difphet.exe
PID 4284 set thread context of 368	4284	rslakdl.exe	rslakdl.exe
PID 2904 set thread context of 1084	2904	dmriwqx.exe	dmriwqx.exe

Modifies registry class 64 IoCs

Processes:

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\0\win32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\LocalServer32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class2\ = "adadadada.Class2"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\VERSION\ = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\Programmable	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.mdsaaaaad	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class2\Clsid\ = "{F7814234-0237-4DFC-9D71-0F36D48D09D0}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\ProgID\ = "adadadada.Class2"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\Programmable	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\VERSION	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\ = "Proyecto1"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ = "_Class1"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\VERSION	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\LocalServer32	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ = "mdsaaaaad"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ = "Class1"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.mdsaaaaad\ = "adadadada.mdsaaaaad"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\ProgID	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\HELPDIR	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\TypeLib	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class1\ = "adadadada.Class1"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\FLAGS	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\Implemented Categories	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\VERSION\ = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ = "Class1"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\TypeLib	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\VERSION\ = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\Version = "1.0"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
2684	hcivseh.exe
3932	fgfgwtc.exe
4620	rjvlnao.exe
3160	mlbwfgs.exe
1420	hggexza.exe
2044	ofocahw.exe
3104	wtorhwf.exe
4924	wfajvik.exe
2348	ogtvgkp.exe
4448	lmnmuqm.exe
1660	ayrzkks.exe
4416	fppasyb.exe
816	vfknkpd.exe
1204	iwninks.exe
4380	qazbqda.exe
1384	vbibsie.exe
5072	qscehxf.exe
1072	idyojpx.exe
4612	asqzfqc.exe
4948	ssbxewg.exe
4116	ihnkxnh.exe
2156	nuixbwr.exe
1120	qeivusz.exe
640	yfgvahd.exe
3500	alnyqze.exe
4684	iemyegi.exe
4536	iltbbib.exe
2460	fdmcoke.exe
2248	xdlsixa.exe
4460	heuwand.exe
392	keakjnb.exe
1848	wxbsnhk.exe
4744	thcggod.exe
1768	mhojqcm.exe
3616	hnezlmp.exe
4540	btucgkw.exe
4064	lpnmvew.exe
4592	wkoxdzf.exe
2148	ttzfqxf.exe
2004	onmvqqn.exe
1420	wolnxxr.exe
4668	jyryaxr.exe
2044	rqqyoln.exe
2132	bbficob.exe
1552	okllfgt.exe
3724	zkqixfb.exe
2348	jcfocdd.exe
4448	wwlenhh.exe
4872	ewkecwl.exe
3780	oslokrm.exe
2748	eiwwqap.exe
1912	osmuvqr.exe
2520	busjhdw.exe
4868	lqtuwxw.exe
3628	zdlrctv.exe
2256	jydckwe.exe
3540	rcopthh.exe
2996	ywkcdvj.exe
4920	joahpll.exe
1832	tyqfubf.exe
1620	difphet.exe
4284	rslakdl.exe
2904	dmriwqx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exehcivseh.exehcivseh.exefgfgwtc.exefgfgwtc.exerjvlnao.exerjvlnao.exemlbwfgs.exemlbwfgs.exe

description	pid	process	target process
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 2384 wrote to memory of 3676	2384	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
PID 3676 wrote to memory of 2684	3676	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	hcivseh.exe
PID 3676 wrote to memory of 2684	3676	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	hcivseh.exe
PID 3676 wrote to memory of 2684	3676	1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 2684 wrote to memory of 3240	2684	hcivseh.exe	hcivseh.exe
PID 3240 wrote to memory of 3932	3240	hcivseh.exe	fgfgwtc.exe
PID 3240 wrote to memory of 3932	3240	hcivseh.exe	fgfgwtc.exe
PID 3240 wrote to memory of 3932	3240	hcivseh.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3932 wrote to memory of 3176	3932	fgfgwtc.exe	fgfgwtc.exe
PID 3176 wrote to memory of 4620	3176	fgfgwtc.exe	rjvlnao.exe
PID 3176 wrote to memory of 4620	3176	fgfgwtc.exe	rjvlnao.exe
PID 3176 wrote to memory of 4620	3176	fgfgwtc.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4620 wrote to memory of 4584	4620	rjvlnao.exe	rjvlnao.exe
PID 4584 wrote to memory of 3160	4584	rjvlnao.exe	mlbwfgs.exe
PID 4584 wrote to memory of 3160	4584	rjvlnao.exe	mlbwfgs.exe
PID 4584 wrote to memory of 3160	4584	rjvlnao.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 3160 wrote to memory of 5068	3160	mlbwfgs.exe	mlbwfgs.exe
PID 5068 wrote to memory of 1420	5068	mlbwfgs.exe	hggexza.exe
PID 5068 wrote to memory of 1420	5068	mlbwfgs.exe	hggexza.exe

C:\Users\Admin\AppData\Local\Temp\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
"C:\Users\Admin\AppData\Local\Temp\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe
"C:\Users\Admin\AppData\Local\Temp\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\hcivseh.exe
C:\Windows\system32\hcivseh.exe 1128 "C:\Users\Admin\AppData\Local\Temp\1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\hcivseh.exe
"C:\Windows\SysWOW64\hcivseh.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\fgfgwtc.exe
C:\Windows\system32\fgfgwtc.exe 1032 "C:\Windows\SysWOW64\hcivseh.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\fgfgwtc.exe
"C:\Windows\SysWOW64\fgfgwtc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\rjvlnao.exe
C:\Windows\system32\rjvlnao.exe 1044 "C:\Windows\SysWOW64\fgfgwtc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\rjvlnao.exe
"C:\Windows\SysWOW64\rjvlnao.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\mlbwfgs.exe
C:\Windows\system32\mlbwfgs.exe 1016 "C:\Windows\SysWOW64\rjvlnao.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\mlbwfgs.exe
"C:\Windows\SysWOW64\mlbwfgs.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\hggexza.exe
C:\Windows\system32\hggexza.exe 1016 "C:\Windows\SysWOW64\mlbwfgs.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\SysWOW64\hggexza.exe
"C:\Windows\SysWOW64\hggexza.exe"
12⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWOW64\ofocahw.exe
C:\Windows\system32\ofocahw.exe 1016 "C:\Windows\SysWOW64\hggexza.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\ofocahw.exe
"C:\Windows\SysWOW64\ofocahw.exe"
14⤵
- Executes dropped EXE
PID:344

C:\Windows\SysWOW64\wtorhwf.exe
C:\Windows\system32\wtorhwf.exe 1016 "C:\Windows\SysWOW64\ofocahw.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\SysWOW64\wtorhwf.exe
"C:\Windows\SysWOW64\wtorhwf.exe"
16⤵
- Executes dropped EXE
PID:2980

C:\Windows\SysWOW64\wfajvik.exe
C:\Windows\system32\wfajvik.exe 1016 "C:\Windows\SysWOW64\wtorhwf.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\wfajvik.exe
"C:\Windows\SysWOW64\wfajvik.exe"
18⤵
- Executes dropped EXE
PID:2692

C:\Windows\SysWOW64\ogtvgkp.exe
C:\Windows\system32\ogtvgkp.exe 1016 "C:\Windows\SysWOW64\wfajvik.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\ogtvgkp.exe
"C:\Windows\SysWOW64\ogtvgkp.exe"
20⤵
- Executes dropped EXE
PID:5088

C:\Windows\SysWOW64\lmnmuqm.exe
C:\Windows\system32\lmnmuqm.exe 1016 "C:\Windows\SysWOW64\ogtvgkp.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\SysWOW64\lmnmuqm.exe
"C:\Windows\SysWOW64\lmnmuqm.exe"
22⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\ayrzkks.exe
C:\Windows\system32\ayrzkks.exe 1044 "C:\Windows\SysWOW64\lmnmuqm.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\ayrzkks.exe
"C:\Windows\SysWOW64\ayrzkks.exe"
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432

C:\Windows\SysWOW64\fppasyb.exe
C:\Windows\system32\fppasyb.exe 1148 "C:\Windows\SysWOW64\ayrzkks.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\fppasyb.exe
"C:\Windows\SysWOW64\fppasyb.exe"
26⤵
- Executes dropped EXE
PID:2272

C:\Windows\SysWOW64\vfknkpd.exe
C:\Windows\system32\vfknkpd.exe 1044 "C:\Windows\SysWOW64\fppasyb.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:816

C:\Windows\SysWOW64\vfknkpd.exe
"C:\Windows\SysWOW64\vfknkpd.exe"
28⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\iwninks.exe
C:\Windows\system32\iwninks.exe 1044 "C:\Windows\SysWOW64\vfknkpd.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\iwninks.exe
"C:\Windows\SysWOW64\iwninks.exe"
30⤵
- Executes dropped EXE
PID:3328

C:\Windows\SysWOW64\qazbqda.exe
C:\Windows\system32\qazbqda.exe 1148 "C:\Windows\SysWOW64\iwninks.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\qazbqda.exe
"C:\Windows\SysWOW64\qazbqda.exe"
32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276

C:\Windows\SysWOW64\vbibsie.exe
C:\Windows\system32\vbibsie.exe 1044 "C:\Windows\SysWOW64\qazbqda.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\vbibsie.exe
"C:\Windows\SysWOW64\vbibsie.exe"
34⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWOW64\qscehxf.exe
C:\Windows\system32\qscehxf.exe 1148 "C:\Windows\SysWOW64\vbibsie.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\SysWOW64\qscehxf.exe
"C:\Windows\SysWOW64\qscehxf.exe"
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4984

C:\Windows\SysWOW64\idyojpx.exe
C:\Windows\system32\idyojpx.exe 1044 "C:\Windows\SysWOW64\qscehxf.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\SysWOW64\idyojpx.exe
"C:\Windows\SysWOW64\idyojpx.exe"
38⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\asqzfqc.exe
C:\Windows\system32\asqzfqc.exe 1148 "C:\Windows\SysWOW64\idyojpx.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\asqzfqc.exe
"C:\Windows\SysWOW64\asqzfqc.exe"
40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576

C:\Windows\SysWOW64\ssbxewg.exe
C:\Windows\system32\ssbxewg.exe 1016 "C:\Windows\SysWOW64\asqzfqc.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\SysWOW64\ssbxewg.exe
"C:\Windows\SysWOW64\ssbxewg.exe"
42⤵
- Executes dropped EXE
PID:652

C:\Windows\SysWOW64\ihnkxnh.exe
C:\Windows\system32\ihnkxnh.exe 1016 "C:\Windows\SysWOW64\ssbxewg.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SysWOW64\ihnkxnh.exe
"C:\Windows\SysWOW64\ihnkxnh.exe"
44⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWOW64\nuixbwr.exe
C:\Windows\system32\nuixbwr.exe 1156 "C:\Windows\SysWOW64\ihnkxnh.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\nuixbwr.exe
"C:\Windows\SysWOW64\nuixbwr.exe"
46⤵
- Executes dropped EXE
PID:3288

C:\Windows\SysWOW64\qeivusz.exe
C:\Windows\system32\qeivusz.exe 1044 "C:\Windows\SysWOW64\nuixbwr.exe"
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\qeivusz.exe
"C:\Windows\SysWOW64\qeivusz.exe"
48⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\yfgvahd.exe
C:\Windows\system32\yfgvahd.exe 1196 "C:\Windows\SysWOW64\qeivusz.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\SysWOW64\yfgvahd.exe
"C:\Windows\SysWOW64\yfgvahd.exe"
50⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\alnyqze.exe
C:\Windows\system32\alnyqze.exe 1156 "C:\Windows\SysWOW64\yfgvahd.exe"
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\alnyqze.exe
"C:\Windows\SysWOW64\alnyqze.exe"
52⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\iemyegi.exe
C:\Windows\system32\iemyegi.exe 1016 "C:\Windows\SysWOW64\alnyqze.exe"
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SysWOW64\iemyegi.exe
"C:\Windows\SysWOW64\iemyegi.exe"
54⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\iltbbib.exe
C:\Windows\system32\iltbbib.exe 1148 "C:\Windows\SysWOW64\iemyegi.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SysWOW64\iltbbib.exe
"C:\Windows\SysWOW64\iltbbib.exe"
56⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\fdmcoke.exe
C:\Windows\system32\fdmcoke.exe 1156 "C:\Windows\SysWOW64\iltbbib.exe"
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\fdmcoke.exe
"C:\Windows\SysWOW64\fdmcoke.exe"
58⤵
- Executes dropped EXE
PID:988

C:\Windows\SysWOW64\xdlsixa.exe
C:\Windows\system32\xdlsixa.exe 1016 "C:\Windows\SysWOW64\fdmcoke.exe"
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SysWOW64\xdlsixa.exe
"C:\Windows\SysWOW64\xdlsixa.exe"
60⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\heuwand.exe
C:\Windows\system32\heuwand.exe 1016 "C:\Windows\SysWOW64\xdlsixa.exe"
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\heuwand.exe
"C:\Windows\SysWOW64\heuwand.exe"
62⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\keakjnb.exe
C:\Windows\system32\keakjnb.exe 1156 "C:\Windows\SysWOW64\heuwand.exe"
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\keakjnb.exe
"C:\Windows\SysWOW64\keakjnb.exe"
64⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\wxbsnhk.exe
C:\Windows\system32\wxbsnhk.exe 1148 "C:\Windows\SysWOW64\keakjnb.exe"
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\SysWOW64\wxbsnhk.exe
"C:\Windows\SysWOW64\wxbsnhk.exe"
66⤵
- Executes dropped EXE
PID:1968

C:\Windows\SysWOW64\thcggod.exe
C:\Windows\system32\thcggod.exe 1016 "C:\Windows\SysWOW64\wxbsnhk.exe"
67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\SysWOW64\thcggod.exe
"C:\Windows\SysWOW64\thcggod.exe"
68⤵
PID:2244

C:\Windows\SysWOW64\mhojqcm.exe
C:\Windows\system32\mhojqcm.exe 1148 "C:\Windows\SysWOW64\thcggod.exe"
69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\SysWOW64\mhojqcm.exe
"C:\Windows\SysWOW64\mhojqcm.exe"
70⤵
PID:1828

C:\Windows\SysWOW64\hnezlmp.exe
C:\Windows\system32\hnezlmp.exe 1156 "C:\Windows\SysWOW64\mhojqcm.exe"
71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\SysWOW64\hnezlmp.exe
"C:\Windows\SysWOW64\hnezlmp.exe"
72⤵
PID:2488

C:\Windows\SysWOW64\btucgkw.exe
C:\Windows\system32\btucgkw.exe 1016 "C:\Windows\SysWOW64\hnezlmp.exe"
73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\btucgkw.exe
"C:\Windows\SysWOW64\btucgkw.exe"
74⤵
PID:2536

C:\Windows\SysWOW64\lpnmvew.exe
C:\Windows\system32\lpnmvew.exe 1044 "C:\Windows\SysWOW64\btucgkw.exe"
75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\lpnmvew.exe
"C:\Windows\SysWOW64\lpnmvew.exe"
76⤵
PID:4500

C:\Windows\SysWOW64\wkoxdzf.exe
C:\Windows\system32\wkoxdzf.exe 1156 "C:\Windows\SysWOW64\lpnmvew.exe"
77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\SysWOW64\wkoxdzf.exe
"C:\Windows\SysWOW64\wkoxdzf.exe"
78⤵
PID:3932

C:\Windows\SysWOW64\ttzfqxf.exe
C:\Windows\system32\ttzfqxf.exe 1044 "C:\Windows\SysWOW64\wkoxdzf.exe"
79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\ttzfqxf.exe
"C:\Windows\SysWOW64\ttzfqxf.exe"
80⤵
PID:2024

C:\Windows\SysWOW64\onmvqqn.exe
C:\Windows\system32\onmvqqn.exe 1140 "C:\Windows\SysWOW64\ttzfqxf.exe"
81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\onmvqqn.exe
"C:\Windows\SysWOW64\onmvqqn.exe"
82⤵
PID:8

C:\Windows\SysWOW64\wolnxxr.exe
C:\Windows\system32\wolnxxr.exe 1016 "C:\Windows\SysWOW64\onmvqqn.exe"
83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\SysWOW64\wolnxxr.exe
"C:\Windows\SysWOW64\wolnxxr.exe"
84⤵
- Drops file in System32 directory
PID:1720

C:\Windows\SysWOW64\jyryaxr.exe
C:\Windows\system32\jyryaxr.exe 1124 "C:\Windows\SysWOW64\wolnxxr.exe"
85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\jyryaxr.exe
"C:\Windows\SysWOW64\jyryaxr.exe"
86⤵
PID:5016

C:\Windows\SysWOW64\rqqyoln.exe
C:\Windows\system32\rqqyoln.exe 1152 "C:\Windows\SysWOW64\jyryaxr.exe"
87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\rqqyoln.exe
"C:\Windows\SysWOW64\rqqyoln.exe"
88⤵
PID:4524

C:\Windows\SysWOW64\bbficob.exe
C:\Windows\system32\bbficob.exe 1148 "C:\Windows\SysWOW64\rqqyoln.exe"
89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SysWOW64\bbficob.exe
"C:\Windows\SysWOW64\bbficob.exe"
90⤵
PID:3348

C:\Windows\SysWOW64\okllfgt.exe
C:\Windows\system32\okllfgt.exe 1056 "C:\Windows\SysWOW64\bbficob.exe"
91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\okllfgt.exe
"C:\Windows\SysWOW64\okllfgt.exe"
92⤵
PID:4952

C:\Windows\SysWOW64\zkqixfb.exe
C:\Windows\system32\zkqixfb.exe 1148 "C:\Windows\SysWOW64\okllfgt.exe"
93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Windows\SysWOW64\zkqixfb.exe
"C:\Windows\SysWOW64\zkqixfb.exe"
94⤵
PID:2320

C:\Windows\SysWOW64\jcfocdd.exe
C:\Windows\system32\jcfocdd.exe 1044 "C:\Windows\SysWOW64\zkqixfb.exe"
95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\jcfocdd.exe
"C:\Windows\SysWOW64\jcfocdd.exe"
96⤵
PID:2968

C:\Windows\SysWOW64\wwlenhh.exe
C:\Windows\system32\wwlenhh.exe 1148 "C:\Windows\SysWOW64\jcfocdd.exe"
97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\SysWOW64\wwlenhh.exe
"C:\Windows\SysWOW64\wwlenhh.exe"
98⤵
- Drops file in System32 directory
PID:664

C:\Windows\SysWOW64\ewkecwl.exe
C:\Windows\system32\ewkecwl.exe 1044 "C:\Windows\SysWOW64\wwlenhh.exe"
99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\SysWOW64\ewkecwl.exe
"C:\Windows\SysWOW64\ewkecwl.exe"
100⤵
- Drops file in System32 directory
PID:4452

C:\Windows\SysWOW64\oslokrm.exe
C:\Windows\system32\oslokrm.exe 684 "C:\Windows\SysWOW64\ewkecwl.exe"
101⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\SysWOW64\oslokrm.exe
"C:\Windows\SysWOW64\oslokrm.exe"
102⤵
PID:4112

C:\Windows\SysWOW64\eiwwqap.exe
C:\Windows\system32\eiwwqap.exe 1124 "C:\Windows\SysWOW64\oslokrm.exe"
103⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\eiwwqap.exe
"C:\Windows\SysWOW64\eiwwqap.exe"
104⤵
PID:1660

C:\Windows\SysWOW64\osmuvqr.exe
C:\Windows\system32\osmuvqr.exe 1052 "C:\Windows\SysWOW64\eiwwqap.exe"
105⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\SysWOW64\osmuvqr.exe
"C:\Windows\SysWOW64\osmuvqr.exe"
106⤵
PID:1140

C:\Windows\SysWOW64\busjhdw.exe
C:\Windows\system32\busjhdw.exe 1140 "C:\Windows\SysWOW64\osmuvqr.exe"
107⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\busjhdw.exe
"C:\Windows\SysWOW64\busjhdw.exe"
108⤵
PID:4332

C:\Windows\SysWOW64\lqtuwxw.exe
C:\Windows\system32\lqtuwxw.exe 1012 "C:\Windows\SysWOW64\busjhdw.exe"
109⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\lqtuwxw.exe
"C:\Windows\SysWOW64\lqtuwxw.exe"
110⤵
PID:3364

C:\Windows\SysWOW64\zdlrctv.exe
C:\Windows\system32\zdlrctv.exe 1016 "C:\Windows\SysWOW64\lqtuwxw.exe"
111⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\zdlrctv.exe
"C:\Windows\SysWOW64\zdlrctv.exe"
112⤵
- Drops file in System32 directory
PID:5040

C:\Windows\SysWOW64\jydckwe.exe
C:\Windows\system32\jydckwe.exe 1156 "C:\Windows\SysWOW64\zdlrctv.exe"
113⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\jydckwe.exe
"C:\Windows\SysWOW64\jydckwe.exe"
114⤵
PID:5044

C:\Windows\SysWOW64\rcopthh.exe
C:\Windows\system32\rcopthh.exe 1148 "C:\Windows\SysWOW64\jydckwe.exe"
115⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\SysWOW64\rcopthh.exe
"C:\Windows\SysWOW64\rcopthh.exe"
116⤵
- Drops file in System32 directory
PID:2280

C:\Windows\SysWOW64\ywkcdvj.exe
C:\Windows\system32\ywkcdvj.exe 1124 "C:\Windows\SysWOW64\rcopthh.exe"
117⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\ywkcdvj.exe
"C:\Windows\SysWOW64\ywkcdvj.exe"
118⤵
PID:2360

C:\Windows\SysWOW64\joahpll.exe
C:\Windows\system32\joahpll.exe 1084 "C:\Windows\SysWOW64\ywkcdvj.exe"
119⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\SysWOW64\joahpll.exe
"C:\Windows\SysWOW64\joahpll.exe"
120⤵
- Drops file in System32 directory
PID:2500

C:\Windows\SysWOW64\tyqfubf.exe
C:\Windows\system32\tyqfubf.exe 1016 "C:\Windows\SysWOW64\joahpll.exe"
121⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SysWOW64\tyqfubf.exe
"C:\Windows\SysWOW64\tyqfubf.exe"
122⤵
PID:4268

C:\Windows\SysWOW64\difphet.exe
C:\Windows\system32\difphet.exe 1148 "C:\Windows\SysWOW64\tyqfubf.exe"
123⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\difphet.exe
"C:\Windows\SysWOW64\difphet.exe"
124⤵
PID:4420

C:\Windows\SysWOW64\rslakdl.exe
C:\Windows\system32\rslakdl.exe 1044 "C:\Windows\SysWOW64\difphet.exe"
125⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\SysWOW64\rslakdl.exe
"C:\Windows\SysWOW64\rslakdl.exe"
126⤵
PID:368

C:\Windows\SysWOW64\dmriwqx.exe
C:\Windows\system32\dmriwqx.exe 1156 "C:\Windows\SysWOW64\rslakdl.exe"
127⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\dmriwqx.exe
"C:\Windows\SysWOW64\dmriwqx.exe"
128⤵
- Drops file in System32 directory
PID:1084

C:\Windows\SysWOW64\oisalky.exe
C:\Windows\system32\oisalky.exe 1120 "C:\Windows\SysWOW64\dmriwqx.exe"
129⤵
PID:372

C:\Windows\SysWOW64\oisalky.exe
"C:\Windows\SysWOW64\oisalky.exe"
130⤵
PID:2312

C:\Windows\SysWOW64\wirasrc.exe
C:\Windows\system32\wirasrc.exe 1148 "C:\Windows\SysWOW64\oisalky.exe"
131⤵
PID:5008

C:\Windows\SysWOW64\wirasrc.exe
"C:\Windows\SysWOW64\wirasrc.exe"
132⤵
PID:428

C:\Windows\SysWOW64\jzmdbza.exe
C:\Windows\system32\jzmdbza.exe 1152 "C:\Windows\SysWOW64\wirasrc.exe"
133⤵
PID:452

C:\Windows\SysWOW64\jzmdbza.exe
"C:\Windows\SysWOW64\jzmdbza.exe"
134⤵
PID:1672

C:\Windows\SysWOW64\yluyfff.exe
C:\Windows\system32\yluyfff.exe 1148 "C:\Windows\SysWOW64\jzmdbza.exe"
135⤵
PID:4684

C:\Windows\SysWOW64\yluyfff.exe
"C:\Windows\SysWOW64\yluyfff.exe"
136⤵
- Drops file in System32 directory
PID:4520

C:\Windows\SysWOW64\lcptnnc.exe
C:\Windows\system32\lcptnnc.exe 1012 "C:\Windows\SysWOW64\yluyfff.exe"
137⤵
PID:4136

C:\Windows\SysWOW64\lcptnnc.exe
"C:\Windows\SysWOW64\lcptnnc.exe"
138⤵
PID:760

C:\Windows\SysWOW64\tjkthcm.exe
C:\Windows\system32\tjkthcm.exe 1148 "C:\Windows\SysWOW64\lcptnnc.exe"
139⤵
PID:1748

C:\Windows\SysWOW64\tjkthcm.exe
"C:\Windows\SysWOW64\tjkthcm.exe"
140⤵
- Drops file in System32 directory
PID:4964

C:\Windows\SysWOW64\dfddpxm.exe
C:\Windows\system32\dfddpxm.exe 1148 "C:\Windows\SysWOW64\tjkthcm.exe"
141⤵
- Drops file in System32 directory
PID:2428

C:\Windows\SysWOW64\dfddpxm.exe
"C:\Windows\SysWOW64\dfddpxm.exe"
142⤵
PID:4444

C:\Windows\SysWOW64\tgalqgk.exe
C:\Windows\system32\tgalqgk.exe 1156 "C:\Windows\SysWOW64\dfddpxm.exe"
143⤵
PID:3780

C:\Windows\SysWOW64\tgalqgk.exe
"C:\Windows\SysWOW64\tgalqgk.exe"
144⤵
- Drops file in System32 directory
PID:752

C:\Windows\SysWOW64\dnerbes.exe
C:\Windows\system32\dnerbes.exe 1044 "C:\Windows\SysWOW64\tgalqgk.exe"
145⤵
PID:2748

C:\Windows\SysWOW64\dnerbes.exe
"C:\Windows\SysWOW64\dnerbes.exe"
146⤵
PID:2876

C:\Windows\SysWOW64\omqotdz.exe
C:\Windows\system32\omqotdz.exe 1148 "C:\Windows\SysWOW64\dnerbes.exe"
147⤵
- Drops file in System32 directory
PID:616

C:\Windows\SysWOW64\omqotdz.exe
"C:\Windows\SysWOW64\omqotdz.exe"
148⤵
PID:2524

C:\Windows\SysWOW64\eqrjpiw.exe
C:\Windows\system32\eqrjpiw.exe 1164 "C:\Windows\SysWOW64\omqotdz.exe"
149⤵
PID:960

C:\Windows\SysWOW64\eqrjpiw.exe
"C:\Windows\SysWOW64\eqrjpiw.exe"
150⤵
PID:3936

C:\Windows\SysWOW64\lvbogbz.exe
C:\Windows\system32\lvbogbz.exe 1148 "C:\Windows\SysWOW64\eqrjpiw.exe"
151⤵
PID:3156

C:\Windows\SysWOW64\lvbogbz.exe
"C:\Windows\SysWOW64\lvbogbz.exe"
152⤵
- Drops file in System32 directory
PID:4200

C:\Windows\SysWOW64\bzjjkhw.exe
C:\Windows\system32\bzjjkhw.exe 1148 "C:\Windows\SysWOW64\lvbogbz.exe"
153⤵
PID:3268

C:\Windows\SysWOW64\bzjjkhw.exe
"C:\Windows\SysWOW64\bzjjkhw.exe"
154⤵
- Drops file in System32 directory
PID:1772

C:\Windows\SysWOW64\lgnpvfd.exe
C:\Windows\system32\lgnpvfd.exe 1044 "C:\Windows\SysWOW64\bzjjkhw.exe"
155⤵
PID:1920

C:\Windows\SysWOW64\lgnpvfd.exe
"C:\Windows\SysWOW64\lgnpvfd.exe"
156⤵
PID:4208

C:\Windows\SysWOW64\wcozcae.exe
C:\Windows\system32\wcozcae.exe 1044 "C:\Windows\SysWOW64\lgnpvfd.exe"
157⤵
PID:1852

C:\Windows\SysWOW64\wcozcae.exe
"C:\Windows\SysWOW64\wcozcae.exe"
158⤵
- Drops file in System32 directory
PID:4528

C:\Windows\SysWOW64\gbswvzm.exe
C:\Windows\system32\gbswvzm.exe 1112 "C:\Windows\SysWOW64\wcozcae.exe"
159⤵
PID:4296

C:\Windows\SysWOW64\gbswvzm.exe
"C:\Windows\SysWOW64\gbswvzm.exe"
160⤵
PID:3008

C:\Windows\SysWOW64\tkzhyym.exe
C:\Windows\system32\tkzhyym.exe 1156 "C:\Windows\SysWOW64\gbswvzm.exe"
161⤵
PID:4812

C:\Windows\SysWOW64\tkzhyym.exe
"C:\Windows\SysWOW64\tkzhyym.exe"
162⤵
PID:4512

C:\Windows\SysWOW64\dnoklbs.exe
C:\Windows\system32\dnoklbs.exe 1148 "C:\Windows\SysWOW64\tkzhyym.exe"
163⤵
PID:4276

C:\Windows\SysWOW64\dnoklbs.exe
"C:\Windows\SysWOW64\dnoklbs.exe"
164⤵
PID:116

C:\Windows\SysWOW64\rwuuobs.exe
C:\Windows\system32\rwuuobs.exe 1044 "C:\Windows\SysWOW64\dnoklbs.exe"
165⤵
PID:1388

C:\Windows\SysWOW64\rwuuobs.exe
"C:\Windows\SysWOW64\rwuuobs.exe"
166⤵
PID:3436

C:\Windows\SysWOW64\dnxxxbp.exe
C:\Windows\system32\dnxxxbp.exe 1148 "C:\Windows\SysWOW64\rwuuobs.exe"
167⤵
PID:228

C:\Windows\SysWOW64\dnxxxbp.exe
"C:\Windows\SysWOW64\dnxxxbp.exe"
168⤵
- Drops file in System32 directory
PID:1356

C:\Windows\SysWOW64\jwfsngv.exe
C:\Windows\system32\jwfsngv.exe 1156 "C:\Windows\SysWOW64\dnxxxbp.exe"
169⤵
PID:636

C:\Windows\SysWOW64\jwfsngv.exe
"C:\Windows\SysWOW64\jwfsngv.exe"
170⤵
PID:4140

C:\Windows\SysWOW64\vnavwpb.exe
C:\Windows\system32\vnavwpb.exe 1156 "C:\Windows\SysWOW64\jwfsngv.exe"
171⤵
PID:5028

C:\Windows\SysWOW64\vnavwpb.exe
"C:\Windows\SysWOW64\vnavwpb.exe"
172⤵
PID:4604

C:\Windows\SysWOW64\jwgxzgb.exe
C:\Windows\system32\jwgxzgb.exe 1148 "C:\Windows\SysWOW64\vnavwpb.exe"
173⤵
PID:1560

C:\Windows\SysWOW64\jwgxzgb.exe
"C:\Windows\SysWOW64\jwgxzgb.exe"
174⤵
- Drops file in System32 directory
PID:4060

C:\Windows\SysWOW64\thwiujh.exe
C:\Windows\system32\thwiujh.exe 1152 "C:\Windows\SysWOW64\jwgxzgb.exe"
175⤵
PID:4656

C:\Windows\SysWOW64\thwiujh.exe
"C:\Windows\SysWOW64\thwiujh.exe"
176⤵
- Drops file in System32 directory
PID:2036

C:\Windows\SysWOW64\enaawvc.exe
C:\Windows\system32\enaawvc.exe 1152 "C:\Windows\SysWOW64\thwiujh.exe"
177⤵
PID:3740

C:\Windows\SysWOW64\enaawvc.exe
"C:\Windows\SysWOW64\enaawvc.exe"
178⤵
PID:4336

C:\Windows\SysWOW64\oyxljyj.exe
C:\Windows\system32\oyxljyj.exe 1128 "C:\Windows\SysWOW64\enaawvc.exe"
179⤵
PID:3964

C:\Windows\SysWOW64\oyxljyj.exe
"C:\Windows\SysWOW64\oyxljyj.exe"
180⤵
PID:4760

C:\Windows\SysWOW64\dcyfnln.exe
C:\Windows\system32\dcyfnln.exe 1140 "C:\Windows\SysWOW64\oyxljyj.exe"
181⤵
- Drops file in System32 directory
PID:3560

C:\Windows\SysWOW64\dcyfnln.exe
"C:\Windows\SysWOW64\dcyfnln.exe"
182⤵
PID:1116

C:\Windows\SysWOW64\oyzqvgo.exe
C:\Windows\system32\oyzqvgo.exe 1056 "C:\Windows\SysWOW64\dcyfnln.exe"
183⤵
PID:2248

C:\Windows\SysWOW64\oyzqvgo.exe
"C:\Windows\SysWOW64\oyzqvgo.exe"
184⤵
PID:4560

C:\Windows\SysWOW64\blioakn.exe
C:\Windows\system32\blioakn.exe 1156 "C:\Windows\SysWOW64\oyzqvgo.exe"
185⤵
PID:2748

C:\Windows\SysWOW64\blioakn.exe
"C:\Windows\SysWOW64\blioakn.exe"
186⤵
- Drops file in System32 directory
PID:1764

C:\Windows\SysWOW64\nqzixsy.exe
C:\Windows\system32\nqzixsy.exe 1148 "C:\Windows\SysWOW64\blioakn.exe"
187⤵
PID:1796

C:\Windows\SysWOW64\nqzixsy.exe
"C:\Windows\SysWOW64\nqzixsy.exe"
188⤵
PID:4852

C:\Windows\SysWOW64\yfebzet.exe
C:\Windows\system32\yfebzet.exe 1028 "C:\Windows\SysWOW64\nqzixsy.exe"
189⤵
PID:1864

C:\Windows\SysWOW64\yfebzet.exe
"C:\Windows\SysWOW64\yfebzet.exe"
190⤵
PID:3004

C:\Windows\SysWOW64\lwhdhmz.exe
C:\Windows\system32\lwhdhmz.exe 1156 "C:\Windows\SysWOW64\yfebzet.exe"
191⤵
PID:3836

C:\Windows\SysWOW64\lwhdhmz.exe
"C:\Windows\SysWOW64\lwhdhmz.exe"
192⤵
PID:1144

C:\Windows\SysWOW64\yjqtnqy.exe
C:\Windows\system32\yjqtnqy.exe 1148 "C:\Windows\SysWOW64\lwhdhmz.exe"
193⤵
PID:3440

C:\Windows\SysWOW64\yjqtnqy.exe
"C:\Windows\SysWOW64\yjqtnqy.exe"
194⤵
PID:2292

C:\Windows\SysWOW64\jerevly.exe
C:\Windows\system32\jerevly.exe 1044 "C:\Windows\SysWOW64\yjqtnqy.exe"
195⤵
PID:3432

C:\Windows\SysWOW64\jerevly.exe
"C:\Windows\SysWOW64\jerevly.exe"
196⤵
PID:2996

C:\Windows\SysWOW64\tpgoqof.exe
C:\Windows\system32\tpgoqof.exe 1144 "C:\Windows\SysWOW64\jerevly.exe"
197⤵
PID:4248

C:\Windows\SysWOW64\tpgoqof.exe
"C:\Windows\SysWOW64\tpgoqof.exe"
198⤵
- Drops file in System32 directory
PID:3980

C:\Windows\SysWOW64\dkhgyin.exe
C:\Windows\system32\dkhgyin.exe 1148 "C:\Windows\SysWOW64\tpgoqof.exe"
199⤵
PID:2956

C:\Windows\SysWOW64\dkhgyin.exe
"C:\Windows\SysWOW64\dkhgyin.exe"
200⤵
PID:4204

C:\Windows\SysWOW64\ormzauj.exe
C:\Windows\system32\ormzauj.exe 1148 "C:\Windows\SysWOW64\dkhgyin.exe"
201⤵
PID:444

C:\Windows\SysWOW64\ormzauj.exe
"C:\Windows\SysWOW64\ormzauj.exe"
202⤵
PID:4116

C:\Windows\SysWOW64\swduodu.exe
C:\Windows\system32\swduodu.exe 1120 "C:\Windows\SysWOW64\ormzauj.exe"
203⤵
PID:1740

C:\Windows\SysWOW64\swduodu.exe
"C:\Windows\SysWOW64\swduodu.exe"
204⤵
PID:4936

C:\Windows\SysWOW64\binuxjk.exe
C:\Windows\system32\binuxjk.exe 1148 "C:\Windows\SysWOW64\swduodu.exe"
205⤵
PID:2836

C:\Windows\SysWOW64\binuxjk.exe
"C:\Windows\SysWOW64\binuxjk.exe"
206⤵
PID:208

C:\Windows\SysWOW64\lhrzhis.exe
C:\Windows\system32\lhrzhis.exe 1148 "C:\Windows\SysWOW64\binuxjk.exe"
207⤵
PID:4240

C:\Windows\SysWOW64\lhrzhis.exe
"C:\Windows\SysWOW64\lhrzhis.exe"
208⤵
PID:4664

C:\Windows\SysWOW64\vdskpcs.exe
C:\Windows\system32\vdskpcs.exe 1044 "C:\Windows\SysWOW64\lhrzhis.exe"
209⤵
PID:640

C:\Windows\SysWOW64\vdskpcs.exe
"C:\Windows\SysWOW64\vdskpcs.exe"
210⤵
PID:2568

C:\Windows\SysWOW64\ibnmfly.exe
C:\Windows\system32\ibnmfly.exe 1156 "C:\Windows\SysWOW64\vdskpcs.exe"
211⤵
PID:2404

C:\Windows\SysWOW64\ibnmfly.exe
"C:\Windows\SysWOW64\ibnmfly.exe"
212⤵
PID:3668

C:\Windows\SysWOW64\ttdskba.exe
C:\Windows\system32\ttdskba.exe 1044 "C:\Windows\SysWOW64\ibnmfly.exe"
213⤵
PID:1340

C:\Windows\SysWOW64\ttdskba.exe
"C:\Windows\SysWOW64\ttdskba.exe"
214⤵
- Drops file in System32 directory
PID:3512

C:\Windows\SysWOW64\dthpvzh.exe
C:\Windows\system32\dthpvzh.exe 1044 "C:\Windows\SysWOW64\ttdskba.exe"
215⤵
PID:1728

C:\Windows\SysWOW64\dthpvzh.exe
"C:\Windows\SysWOW64\dthpvzh.exe"
216⤵
PID:4340

C:\Windows\SysWOW64\qjksdaf.exe
C:\Windows\system32\qjksdaf.exe 1148 "C:\Windows\SysWOW64\dthpvzh.exe"
217⤵
PID:2460

C:\Windows\SysWOW64\qjksdaf.exe
"C:\Windows\SysWOW64\qjksdaf.exe"
218⤵
PID:2428

C:\Windows\SysWOW64\dievmil.exe
C:\Windows\system32\dievmil.exe 1148 "C:\Windows\SysWOW64\qjksdaf.exe"
219⤵
PID:3560

C:\Windows\SysWOW64\dievmil.exe
"C:\Windows\SysWOW64\dievmil.exe"
220⤵
PID:5020

C:\Windows\SysWOW64\ifjczjk.exe
C:\Windows\system32\ifjczjk.exe 560 "C:\Windows\SysWOW64\dievmil.exe"
221⤵
PID:1668

C:\Windows\SysWOW64\ifjczjk.exe
"C:\Windows\SysWOW64\ifjczjk.exe"
222⤵
PID:3272

C:\Windows\SysWOW64\vstsfnr.exe
C:\Windows\system32\vstsfnr.exe 1044 "C:\Windows\SysWOW64\ifjczjk.exe"
223⤵
PID:4012

C:\Windows\SysWOW64\vstsfnr.exe
"C:\Windows\SysWOW64\vstsfnr.exe"
224⤵
PID:1604

C:\Windows\SysWOW64\veflurv.exe
C:\Windows\system32\veflurv.exe 1044 "C:\Windows\SysWOW64\vstsfnr.exe"
225⤵
PID:1860

C:\Windows\SysWOW64\veflurv.exe
"C:\Windows\SysWOW64\veflurv.exe"
226⤵
PID:4300

C:\Windows\SysWOW64\iylafdz.exe
C:\Windows\system32\iylafdz.exe 1156 "C:\Windows\SysWOW64\veflurv.exe"
227⤵
PID:1324

C:\Windows\SysWOW64\iylafdz.exe
"C:\Windows\SysWOW64\iylafdz.exe"
228⤵
PID:1492

C:\Windows\SysWOW64\qzkaukd.exe
C:\Windows\system32\qzkaukd.exe 1148 "C:\Windows\SysWOW64\iylafdz.exe"
229⤵
PID:1240

C:\Windows\SysWOW64\qzkaukd.exe
"C:\Windows\SysWOW64\qzkaukd.exe"
230⤵
- Drops file in System32 directory
PID:2012

C:\Windows\SysWOW64\yogoxua.exe
C:\Windows\system32\yogoxua.exe 1148 "C:\Windows\SysWOW64\qzkaukd.exe"
231⤵
- Drops file in System32 directory
PID:3908

C:\Windows\SysWOW64\yogoxua.exe
"C:\Windows\SysWOW64\yogoxua.exe"
232⤵
- Drops file in System32 directory
PID:3516

C:\Windows\SysWOW64\dqwocfo.exe
C:\Windows\system32\dqwocfo.exe 1016 "C:\Windows\SysWOW64\yogoxua.exe"
233⤵
PID:5072

C:\Windows\SysWOW64\dqwocfo.exe
"C:\Windows\SysWOW64\dqwocfo.exe"
234⤵
PID:4920

C:\Windows\SysWOW64\njjjhfg.exe
C:\Windows\system32\njjjhfg.exe 1148 "C:\Windows\SysWOW64\dqwocfo.exe"
235⤵
PID:3652

C:\Windows\SysWOW64\njjjhfg.exe
"C:\Windows\SysWOW64\njjjhfg.exe"
236⤵
PID:4476

C:\Windows\SysWOW64\dzuropc.exe
C:\Windows\system32\dzuropc.exe 1008 "C:\Windows\SysWOW64\njjjhfg.exe"
237⤵
PID:3988

C:\Windows\SysWOW64\dzuropc.exe
"C:\Windows\SysWOW64\dzuropc.exe"
238⤵
PID:4816

C:\Windows\SysWOW64\nyhoynk.exe
C:\Windows\system32\nyhoynk.exe 1112 "C:\Windows\SysWOW64\dzuropc.exe"
239⤵
PID:4532

C:\Windows\SysWOW64\nyhoynk.exe
"C:\Windows\SysWOW64\nyhoynk.exe"
240⤵
PID:1096

C:\Windows\SysWOW64\vcjbizm.exe
C:\Windows\system32\vcjbizm.exe 1148 "C:\Windows\SysWOW64\nyhoynk.exe"
241⤵
PID:1196

C:\Windows\SysWOW64\vcjbizm.exe
"C:\Windows\SysWOW64\vcjbizm.exe"
242⤵
PID:624

C:\Windows\SysWOW64\fykmxtv.exe
C:\Windows\system32\fykmxtv.exe 1044 "C:\Windows\SysWOW64\vcjbizm.exe"
243⤵
PID:2380

C:\Windows\SysWOW64\fykmxtv.exe
"C:\Windows\SysWOW64\fykmxtv.exe"
244⤵
PID:1640

C:\Windows\SysWOW64\nnfhbds.exe
C:\Windows\system32\nnfhbds.exe 1032 "C:\Windows\SysWOW64\fykmxtv.exe"
245⤵
PID:4304

C:\Windows\SysWOW64\nnfhbds.exe
"C:\Windows\SysWOW64\nnfhbds.exe"
246⤵
- Drops file in System32 directory
PID:2288

C:\Windows\SysWOW64\xmjftca.exe
C:\Windows\system32\xmjftca.exe 1140 "C:\Windows\SysWOW64\nnfhbds.exe"
247⤵
PID:4272

C:\Windows\SysWOW64\xmjftca.exe
"C:\Windows\SysWOW64\xmjftca.exe"
248⤵
- Drops file in System32 directory
PID:3500

C:\Windows\SysWOW64\vgfskfg.exe
C:\Windows\system32\vgfskfg.exe 1032 "C:\Windows\SysWOW64\xmjftca.exe"
249⤵
PID:2496

C:\Windows\SysWOW64\vgfskfg.exe
"C:\Windows\SysWOW64\vgfskfg.exe"
250⤵
PID:4924

C:\Windows\SysWOW64\fcgcrzh.exe
C:\Windows\system32\fcgcrzh.exe 1124 "C:\Windows\SysWOW64\vgfskfg.exe"
251⤵
PID:4000

C:\Windows\SysWOW64\fcgcrzh.exe
"C:\Windows\SysWOW64\fcgcrzh.exe"
252⤵
PID:4020

C:\Windows\SysWOW64\vcvssax.exe
C:\Windows\system32\vcvssax.exe 1152 "C:\Windows\SysWOW64\fcgcrzh.exe"
253⤵
PID:3192

C:\Windows\SysWOW64\vcvssax.exe
"C:\Windows\SysWOW64\vcvssax.exe"
254⤵
PID:3664

C:\Windows\SysWOW64\ckqknqg.exe
C:\Windows\system32\ckqknqg.exe 1016 "C:\Windows\SysWOW64\vcvssax.exe"
255⤵
- Drops file in System32 directory
PID:536

C:\Windows\SysWOW64\ckqknqg.exe
"C:\Windows\SysWOW64\ckqknqg.exe"
256⤵
- Drops file in System32 directory
PID:1748

C:\Windows\SysWOW64\quxnqpg.exe
C:\Windows\system32\quxnqpg.exe 1148 "C:\Windows\SysWOW64\ckqknqg.exe"
257⤵
PID:3744

C:\Windows\SysWOW64\quxnqpg.exe
"C:\Windows\SysWOW64\quxnqpg.exe"
258⤵
PID:1104

C:\Windows\SysWOW64\atbsaoo.exe
C:\Windows\system32\atbsaoo.exe 1148 "C:\Windows\SysWOW64\quxnqpg.exe"
259⤵
PID:3708

C:\Windows\SysWOW64\atbsaoo.exe
"C:\Windows\SysWOW64\atbsaoo.exe"
260⤵
PID:3304

C:\Windows\SysWOW64\ksnqknv.exe
C:\Windows\system32\ksnqknv.exe 1044 "C:\Windows\SysWOW64\atbsaoo.exe"
261⤵
PID:2264

C:\Windows\SysWOW64\ksnqknv.exe
"C:\Windows\SysWOW64\ksnqknv.exe"
262⤵
PID:4244

C:\Windows\SysWOW64\vgriuzr.exe
C:\Windows\system32\vgriuzr.exe 1148 "C:\Windows\SysWOW64\ksnqknv.exe"
263⤵
PID:956

C:\Windows\SysWOW64\vgriuzr.exe
"C:\Windows\SysWOW64\vgriuzr.exe"
264⤵
PID:2792

C:\Windows\SysWOW64\laoveut.exe
C:\Windows\system32\laoveut.exe 1148 "C:\Windows\SysWOW64\vgriuzr.exe"
265⤵
PID:4792

C:\Windows\SysWOW64\laoveut.exe
"C:\Windows\SysWOW64\laoveut.exe"
266⤵
PID:3332

C:\Windows\SysWOW64\nkglwqb.exe
C:\Windows\system32\nkglwqb.exe 1148 "C:\Windows\SysWOW64\laoveut.exe"
267⤵
PID:3200

C:\Windows\SysWOW64\nkglwqb.exe
"C:\Windows\SysWOW64\nkglwqb.exe"
268⤵
PID:1068

C:\Windows\SysWOW64\sloofoh.exe
C:\Windows\system32\sloofoh.exe 1152 "C:\Windows\SysWOW64\nkglwqb.exe"
269⤵
PID:4796

C:\Windows\SysWOW64\sloofoh.exe
"C:\Windows\SysWOW64\sloofoh.exe"
270⤵
PID:1544

C:\Windows\SysWOW64\xomtcnw.exe
C:\Windows\system32\xomtcnw.exe 1148 "C:\Windows\SysWOW64\sloofoh.exe"
271⤵
PID:2856

C:\Windows\SysWOW64\xomtcnw.exe
"C:\Windows\SysWOW64\xomtcnw.exe"
272⤵
PID:1384

C:\Windows\SysWOW64\iknmjiw.exe
C:\Windows\system32\iknmjiw.exe 1044 "C:\Windows\SysWOW64\xomtcnw.exe"
273⤵
PID:3652

C:\Windows\SysWOW64\iknmjiw.exe
"C:\Windows\SysWOW64\iknmjiw.exe"
274⤵
- Drops file in System32 directory
PID:312

C:\Windows\SysWOW64\fimmkob.exe
C:\Windows\system32\fimmkob.exe 1148 "C:\Windows\SysWOW64\iknmjiw.exe"
275⤵
- Drops file in System32 directory
PID:3988

C:\Windows\SysWOW64\fimmkob.exe
"C:\Windows\SysWOW64\fimmkob.exe"
276⤵
PID:1436

C:\Windows\SysWOW64\svdcqsi.exe
C:\Windows\system32\svdcqsi.exe 1148 "C:\Windows\SysWOW64\fimmkob.exe"
277⤵
PID:1528

C:\Windows\SysWOW64\svdcqsi.exe
"C:\Windows\SysWOW64\svdcqsi.exe"
278⤵
- Drops file in System32 directory
PID:1012

C:\Windows\SysWOW64\fivrwoh.exe
C:\Windows\system32\fivrwoh.exe 1144 "C:\Windows\SysWOW64\svdcqsi.exe"
279⤵
PID:1196

C:\Windows\SysWOW64\fivrwoh.exe
"C:\Windows\SysWOW64\fivrwoh.exe"
280⤵
PID:1120

C:\Windows\SysWOW64\nmxefhk.exe
C:\Windows\system32\nmxefhk.exe 1040 "C:\Windows\SysWOW64\fivrwoh.exe"
281⤵
PID:688

C:\Windows\SysWOW64\nmxefhk.exe
"C:\Windows\SysWOW64\nmxefhk.exe"
282⤵
PID:4240

C:\Windows\SysWOW64\uphpbwm.exe
C:\Windows\system32\uphpbwm.exe 1016 "C:\Windows\SysWOW64\nmxefhk.exe"
283⤵
PID:5084

C:\Windows\SysWOW64\uphpbwm.exe
"C:\Windows\SysWOW64\uphpbwm.exe"
284⤵
PID:452

C:\Windows\SysWOW64\ezwmgmg.exe
C:\Windows\system32\ezwmgmg.exe 1152 "C:\Windows\SysWOW64\uphpbwm.exe"
285⤵
PID:1552

C:\Windows\SysWOW64\ezwmgmg.exe
"C:\Windows\SysWOW64\ezwmgmg.exe"
286⤵
PID:3460

C:\Windows\SysWOW64\ctshepm.exe
C:\Windows\system32\ctshepm.exe 1032 "C:\Windows\SysWOW64\ezwmgmg.exe"
287⤵
PID:3828

C:\Windows\SysWOW64\ctshepm.exe
"C:\Windows\SysWOW64\ctshepm.exe"
288⤵
PID:2456

C:\Windows\SysWOW64\pkvknps.exe
C:\Windows\system32\pkvknps.exe 1156 "C:\Windows\SysWOW64\ctshepm.exe"
289⤵
PID:3192

C:\Windows\SysWOW64\pkvknps.exe
"C:\Windows\SysWOW64\pkvknps.exe"
290⤵
PID:3944

C:\Windows\SysWOW64\xkuktew.exe
C:\Windows\system32\xkuktew.exe 1148 "C:\Windows\SysWOW64\pkvknps.exe"
291⤵
PID:1520

C:\Windows\SysWOW64\xkuktew.exe
"C:\Windows\SysWOW64\xkuktew.exe"
292⤵
PID:3476

C:\Windows\SysWOW64\jmasfia.exe
C:\Windows\system32\jmasfia.exe 1148 "C:\Windows\SysWOW64\xkuktew.exe"
293⤵
- Drops file in System32 directory
PID:4224

C:\Windows\SysWOW64\jmasfia.exe
"C:\Windows\SysWOW64\jmasfia.exe"
294⤵
- Drops file in System32 directory
PID:1464

C:\Windows\SysWOW64\rcnfrtx.exe
C:\Windows\system32\rcnfrtx.exe 1044 "C:\Windows\SysWOW64\jmasfia.exe"
295⤵
PID:4516

C:\Windows\SysWOW64\rcnfrtx.exe
"C:\Windows\SysWOW64\rcnfrtx.exe"
296⤵
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\cbzlbsf.exe
C:\Windows\system32\cbzlbsf.exe 1044 "C:\Windows\SysWOW64\rcnfrtx.exe"
297⤵
PID:2248

C:\Windows\SysWOW64\cbzlbsf.exe
"C:\Windows\SysWOW64\cbzlbsf.exe"
298⤵
PID:1848

C:\Windows\SysWOW64\pkynerf.exe
C:\Windows\system32\pkynerf.exe 1120 "C:\Windows\SysWOW64\cbzlbsf.exe"
299⤵
PID:2136

C:\Windows\SysWOW64\pkynerf.exe
"C:\Windows\SysWOW64\pkynerf.exe"
300⤵
PID:828

C:\Windows\SysWOW64\umoiupl.exe
C:\Windows\system32\umoiupl.exe 1156 "C:\Windows\SysWOW64\pkynerf.exe"
301⤵
PID:2984

C:\Windows\SysWOW64\umoiupl.exe
"C:\Windows\SysWOW64\umoiupl.exe"
302⤵
- Drops file in System32 directory
PID:896

C:\Windows\SysWOW64\etsgfns.exe
C:\Windows\system32\etsgfns.exe 1044 "C:\Windows\SysWOW64\umoiupl.exe"
303⤵
PID:2416

C:\Windows\SysWOW64\etsgfns.exe
"C:\Windows\SysWOW64\etsgfns.exe"
304⤵
PID:3044

C:\Windows\SysWOW64\scyqink.exe
C:\Windows\system32\scyqink.exe 1044 "C:\Windows\SysWOW64\etsgfns.exe"
305⤵
PID:3540

C:\Windows\SysWOW64\scyqink.exe
"C:\Windows\SysWOW64\scyqink.exe"
306⤵
- Drops file in System32 directory
PID:3432

C:\Windows\SysWOW64\cyzbxhl.exe
C:\Windows\system32\cyzbxhl.exe 1148 "C:\Windows\SysWOW64\scyqink.exe"
307⤵
PID:2800

C:\Windows\SysWOW64\cyzbxhl.exe
"C:\Windows\SysWOW64\cyzbxhl.exe"
308⤵
PID:680

C:\Windows\SysWOW64\mxdyigs.exe
C:\Windows\system32\mxdyigs.exe 1016 "C:\Windows\SysWOW64\cyzbxhl.exe"
309⤵
PID:3712

C:\Windows\SysWOW64\mxdyigs.exe
"C:\Windows\SysWOW64\mxdyigs.exe"
310⤵
PID:2336

C:\Windows\SysWOW64\wwhwsfa.exe
C:\Windows\system32\wwhwsfa.exe 1148 "C:\Windows\SysWOW64\mxdyigs.exe"
311⤵
PID:864

C:\Windows\SysWOW64\wwhwsfa.exe
"C:\Windows\SysWOW64\wwhwsfa.exe"
312⤵
PID:2284

C:\Windows\SysWOW64\hrioizb.exe
C:\Windows\system32\hrioizb.exe 1152 "C:\Windows\SysWOW64\wwhwsfa.exe"
313⤵
PID:4948

C:\Windows\SysWOW64\hrioizb.exe
"C:\Windows\SysWOW64\hrioizb.exe"
314⤵
- Drops file in System32 directory
PID:1420

C:\Windows\SysWOW64\ubprlzb.exe
C:\Windows\system32\ubprlzb.exe 1152 "C:\Windows\SysWOW64\hrioizb.exe"
315⤵
PID:1740

C:\Windows\SysWOW64\ubprlzb.exe
"C:\Windows\SysWOW64\ubprlzb.exe"
316⤵
PID:4152

C:\Windows\SysWOW64\hdvhwlf.exe
C:\Windows\system32\hdvhwlf.exe 1156 "C:\Windows\SysWOW64\ubprlzb.exe"
317⤵
PID:4284

C:\Windows\SysWOW64\hdvhwlf.exe
"C:\Windows\SysWOW64\hdvhwlf.exe"
318⤵
PID:640

C:\Windows\SysWOW64\rzwregg.exe
C:\Windows\system32\rzwregg.exe 1148 "C:\Windows\SysWOW64\hdvhwlf.exe"
319⤵
- Drops file in System32 directory
PID:4684

C:\Windows\SysWOW64\rzwregg.exe
"C:\Windows\SysWOW64\rzwregg.exe"
320⤵
PID:1280

C:\Windows\SysWOW64\hghzlpj.exe
C:\Windows\system32\hghzlpj.exe 1152 "C:\Windows\SysWOW64\rzwregg.exe"
321⤵
PID:2496

C:\Windows\SysWOW64\hghzlpj.exe
"C:\Windows\SysWOW64\hghzlpj.exe"
322⤵
PID:1744

C:\Windows\SysWOW64\phgzzwn.exe
C:\Windows\system32\phgzzwn.exe 1040 "C:\Windows\SysWOW64\hghzlpj.exe"
323⤵
PID:1484

C:\Windows\SysWOW64\phgzzwn.exe
"C:\Windows\SysWOW64\phgzzwn.exe"
324⤵
PID:4252

C:\Windows\SysWOW64\zdhkhro.exe
C:\Windows\system32\zdhkhro.exe 1044 "C:\Windows\SysWOW64\phgzzwn.exe"
325⤵
PID:3660

C:\Windows\SysWOW64\zdhkhro.exe
"C:\Windows\SysWOW64\zdhkhro.exe"
326⤵
PID:4772

C:\Windows\SysWOW64\mxnzsds.exe
C:\Windows\system32\mxnzsds.exe 1148 "C:\Windows\SysWOW64\zdhkhro.exe"
327⤵
PID:4324

C:\Windows\SysWOW64\mxnzsds.exe
"C:\Windows\SysWOW64\mxnzsds.exe"
328⤵
PID:4360

C:\Windows\SysWOW64\plrsupv.exe
C:\Windows\system32\plrsupv.exe 1016 "C:\Windows\SysWOW64\mxnzsds.exe"
329⤵
PID:4484

C:\Windows\SysWOW64\plrsupv.exe
"C:\Windows\SysWOW64\plrsupv.exe"
330⤵
- Drops file in System32 directory
PID:396

C:\Windows\SysWOW64\eizshpx.exe
C:\Windows\system32\eizshpx.exe 1148 "C:\Windows\SysWOW64\plrsupv.exe"
331⤵
PID:1756

C:\Windows\SysWOW64\eizshpx.exe
"C:\Windows\SysWOW64\eizshpx.exe"
332⤵
- Drops file in System32 directory
PID:1752

C:\Windows\SysWOW64\oapxlfz.exe
C:\Windows\system32\oapxlfz.exe 1152 "C:\Windows\SysWOW64\eizshpx.exe"
333⤵
PID:4404

C:\Windows\SysWOW64\oapxlfz.exe
"C:\Windows\SysWOW64\oapxlfz.exe"
334⤵
PID:2264

C:\Windows\SysWOW64\cnynzbx.exe
C:\Windows\system32\cnynzbx.exe 1148 "C:\Windows\SysWOW64\oapxlfz.exe"
335⤵
PID:3992

C:\Windows\SysWOW64\cnynzbx.exe
"C:\Windows\SysWOW64\cnynzbx.exe"
336⤵
PID:2136

C:\Windows\SysWOW64\mjzxhwy.exe
C:\Windows\system32\mjzxhwy.exe 1148 "C:\Windows\SysWOW64\cnynzbx.exe"
337⤵
PID:2984

C:\Windows\SysWOW64\mjzxhwy.exe
"C:\Windows\SysWOW64\mjzxhwy.exe"
338⤵
PID:5048

C:\Windows\SysWOW64\wildrug.exe
C:\Windows\system32\wildrug.exe 1148 "C:\Windows\SysWOW64\mjzxhwy.exe"
339⤵
PID:2416

C:\Windows\SysWOW64\wildrug.exe
"C:\Windows\SysWOW64\wildrug.exe"
340⤵
PID:4064

C:\Windows\SysWOW64\ghqactn.exe
C:\Windows\system32\ghqactn.exe 1156 "C:\Windows\SysWOW64\wildrug.exe"
341⤵
PID:1204

C:\Windows\SysWOW64\ghqactn.exe
"C:\Windows\SysWOW64\ghqactn.exe"
342⤵
PID:2176

C:\Windows\SysWOW64\rzfxojp.exe
C:\Windows\system32\rzfxojp.exe 1028 "C:\Windows\SysWOW64\ghqactn.exe"
343⤵
PID:3244

C:\Windows\SysWOW64\rzfxojp.exe
"C:\Windows\SysWOW64\rzfxojp.exe"
344⤵
PID:4580

C:\Windows\SysWOW64\emxvuno.exe
C:\Windows\system32\emxvuno.exe 1016 "C:\Windows\SysWOW64\rzfxojp.exe"
345⤵
PID:4068

C:\Windows\SysWOW64\emxvuno.exe
"C:\Windows\SysWOW64\emxvuno.exe"
346⤵
PID:2000

C:\Windows\SysWOW64\otbtfmv.exe
C:\Windows\system32\otbtfmv.exe 1120 "C:\Windows\SysWOW64\emxvuno.exe"
347⤵
PID:5060

C:\Windows\SysWOW64\otbtfmv.exe
"C:\Windows\SysWOW64\otbtfmv.exe"
348⤵
PID:3344

C:\Windows\SysWOW64\eyjojzs.exe
C:\Windows\system32\eyjojzs.exe 1120 "C:\Windows\SysWOW64\otbtfmv.exe"
349⤵
PID:1528

C:\Windows\SysWOW64\eyjojzs.exe
"C:\Windows\SysWOW64\eyjojzs.exe"
350⤵
PID:4100

C:\Windows\SysWOW64\ptcyqut.exe
C:\Windows\system32\ptcyqut.exe 1120 "C:\Windows\SysWOW64\eyjojzs.exe"
351⤵
- Drops file in System32 directory
PID:4344

C:\Windows\SysWOW64\ptcyqut.exe
"C:\Windows\SysWOW64\ptcyqut.exe"
352⤵
PID:4940

C:\Windows\SysWOW64\zpdqgou.exe
C:\Windows\system32\zpdqgou.exe 1016 "C:\Windows\SysWOW64\ptcyqut.exe"
353⤵
PID:4708

C:\Windows\SysWOW64\zpdqgou.exe
"C:\Windows\SysWOW64\zpdqgou.exe"
354⤵
- Drops file in System32 directory
PID:2860

C:\Windows\SysWOW64\jssttri.exe
C:\Windows\system32\jssttri.exe 1148 "C:\Windows\SysWOW64\zpdqgou.exe"
355⤵
PID:4272

C:\Windows\SysWOW64\jssttri.exe
"C:\Windows\SysWOW64\jssttri.exe"
356⤵
PID:2404

C:\Windows\SysWOW64\wnkrznh.exe
C:\Windows\system32\wnkrznh.exe 1148 "C:\Windows\SysWOW64\jssttri.exe"
357⤵
PID:2344

C:\Windows\SysWOW64\wnkrznh.exe
"C:\Windows\SysWOW64\wnkrznh.exe"
358⤵
PID:3876

C:\Windows\SysWOW64\hxzoedj.exe
C:\Windows\system32\hxzoedj.exe 1156 "C:\Windows\SysWOW64\wnkrznh.exe"
359⤵
- Drops file in System32 directory
PID:4652

C:\Windows\SysWOW64\hxzoedj.exe
"C:\Windows\SysWOW64\hxzoedj.exe"
360⤵
- Drops file in System32 directory
PID:1652

C:\Windows\SysWOW64\rssgtgk.exe
C:\Windows\system32\rssgtgk.exe 1044 "C:\Windows\SysWOW64\hxzoedj.exe"
361⤵
PID:1520

C:\Windows\SysWOW64\rssgtgk.exe
"C:\Windows\SysWOW64\rssgtgk.exe"
362⤵
PID:3872

C:\Windows\SysWOW64\enkwzci.exe
C:\Windows\system32\enkwzci.exe 1148 "C:\Windows\SysWOW64\rssgtgk.exe"
363⤵
PID:3964

C:\Windows\SysWOW64\enkwzci.exe
"C:\Windows\SysWOW64\enkwzci.exe"
364⤵
- Drops file in System32 directory
PID:3796

C:\Windows\SysWOW64\refziko.exe
C:\Windows\system32\refziko.exe 1148 "C:\Windows\SysWOW64\enkwzci.exe"
365⤵
- Drops file in System32 directory
PID:388

C:\Windows\SysWOW64\refziko.exe
"C:\Windows\SysWOW64\refziko.exe"
366⤵
PID:4104

C:\Windows\SysWOW64\bgujvnu.exe
C:\Windows\system32\bgujvnu.exe 1140 "C:\Windows\SysWOW64\refziko.exe"
367⤵
PID:816

C:\Windows\SysWOW64\bgujvnu.exe
"C:\Windows\SysWOW64\bgujvnu.exe"
368⤵
PID:4404

C:\Windows\SysWOW64\lcvudhv.exe
C:\Windows\system32\lcvudhv.exe 1156 "C:\Windows\SysWOW64\bgujvnu.exe"
369⤵
PID:404

C:\Windows\SysWOW64\lcvudhv.exe
"C:\Windows\SysWOW64\lcvudhv.exe"
370⤵
PID:3992

C:\Windows\SysWOW64\zlbeohv.exe
C:\Windows\system32\zlbeohv.exe 1140 "C:\Windows\SysWOW64\lcvudhv.exe"
371⤵
- Drops file in System32 directory
PID:4792

C:\Windows\SysWOW64\zlbeohv.exe
"C:\Windows\SysWOW64\zlbeohv.exe"
372⤵
PID:3268

C:\Windows\SysWOW64\gtwxawe.exe
C:\Windows\system32\gtwxawe.exe 1016 "C:\Windows\SysWOW64\zlbeohv.exe"
373⤵
PID:3180

C:\Windows\SysWOW64\gtwxawe.exe
"C:\Windows\SysWOW64\gtwxawe.exe"
374⤵
PID:3440

C:\Windows\SysWOW64\wjiehga.exe
C:\Windows\system32\wjiehga.exe 1148 "C:\Windows\SysWOW64\gtwxawe.exe"
375⤵
PID:2400

C:\Windows\SysWOW64\wjiehga.exe
"C:\Windows\SysWOW64\wjiehga.exe"
376⤵
PID:3752

C:\Windows\SysWOW64\mnizltf.exe
C:\Windows\system32\mnizltf.exe 1148 "C:\Windows\SysWOW64\wjiehga.exe"
377⤵
PID:1428

C:\Windows\SysWOW64\mnizltf.exe
"C:\Windows\SysWOW64\mnizltf.exe"
378⤵
PID:2684

C:\Windows\SysWOW64\wjjksng.exe
C:\Windows\system32\wjjksng.exe 1148 "C:\Windows\SysWOW64\mnizltf.exe"
379⤵
PID:2904

C:\Windows\SysWOW64\wjjksng.exe
"C:\Windows\SysWOW64\wjjksng.exe"
380⤵
PID:4248

C:\Windows\SysWOW64\erfcmdp.exe
C:\Windows\system32\erfcmdp.exe 1156 "C:\Windows\SysWOW64\wjjksng.exe"
381⤵
PID:2612

C:\Windows\SysWOW64\erfcmdp.exe
"C:\Windows\SysWOW64\erfcmdp.exe"
382⤵
PID:2004

C:\Windows\SysWOW64\omxuuxq.exe
C:\Windows\system32\omxuuxq.exe 1044 "C:\Windows\SysWOW64\erfcmdp.exe"
383⤵
PID:2056

C:\Windows\SysWOW64\omxuuxq.exe
"C:\Windows\SysWOW64\omxuuxq.exe"
384⤵
- Drops file in System32 directory
PID:4612

C:\Windows\SysWOW64\bhpkabp.exe
C:\Windows\system32\bhpkabp.exe 1016 "C:\Windows\SysWOW64\omxuuxq.exe"
385⤵
PID:1128

C:\Windows\SysWOW64\bhpkabp.exe
"C:\Windows\SysWOW64\bhpkabp.exe"
386⤵
PID:2388

C:\Windows\SysWOW64\ougagfn.exe
C:\Windows\system32\ougagfn.exe 1148 "C:\Windows\SysWOW64\bhpkabp.exe"
387⤵
PID:2380

C:\Windows\SysWOW64\ougagfn.exe
"C:\Windows\SysWOW64\ougagfn.exe"
388⤵
- Drops file in System32 directory
PID:2124

C:\Windows\SysWOW64\zqzsnzw.exe
C:\Windows\system32\zqzsnzw.exe 1152 "C:\Windows\SysWOW64\ougagfn.exe"
389⤵
PID:4684

C:\Windows\SysWOW64\zqzsnzw.exe
"C:\Windows\SysWOW64\zqzsnzw.exe"
390⤵
PID:4656

C:\Windows\SysWOW64\mdritvv.exe
C:\Windows\system32\mdritvv.exe 1156 "C:\Windows\SysWOW64\zqzsnzw.exe"
391⤵
PID:2440

C:\Windows\SysWOW64\mdritvv.exe
"C:\Windows\SysWOW64\mdritvv.exe"
392⤵
PID:2572

C:\Windows\SysWOW64\wyssjyw.exe
C:\Windows\system32\wyssjyw.exe 1148 "C:\Windows\SysWOW64\mdritvv.exe"
393⤵
PID:1516

C:\Windows\SysWOW64\wyssjyw.exe
"C:\Windows\SysWOW64\wyssjyw.exe"
394⤵
PID:3744

C:\Windows\SysWOW64\jayiuca.exe
C:\Windows\system32\jayiuca.exe 1156 "C:\Windows\SysWOW64\wyssjyw.exe"
395⤵
PID:4640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\asqzfqc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\asqzfqc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\asqzfqc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ayrzkks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ayrzkks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ayrzkks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fgfgwtc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fgfgwtc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fgfgwtc.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fppasyb.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fppasyb.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\fppasyb.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hcivseh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hcivseh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hcivseh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hggexza.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hggexza.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\hggexza.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\idyojpx.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\idyojpx.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\idyojpx.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ihnkxnh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ihnkxnh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ihnkxnh.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\iwninks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\iwninks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\iwninks.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\lmnmuqm.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\lmnmuqm.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\lmnmuqm.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\mlbwfgs.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\mlbwfgs.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\mlbwfgs.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\nuixbwr.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ofocahw.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ofocahw.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ofocahw.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ogtvgkp.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ogtvgkp.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ogtvgkp.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qazbqda.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qazbqda.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qazbqda.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qscehxf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qscehxf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\qscehxf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\rjvlnao.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\rjvlnao.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\rjvlnao.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ssbxewg.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ssbxewg.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\ssbxewg.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vbibsie.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vbibsie.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vbibsie.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vfknkpd.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vfknkpd.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\vfknkpd.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wfajvik.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wfajvik.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wfajvik.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wtorhwf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wtorhwf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
C:\Windows\SysWOW64\wtorhwf.exe
Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
memory/344-210-0x0000000000000000-mapping.dmp

Download
memory/344-221-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/392-487-0x0000000000000000-mapping.dmp

Download
memory/640-431-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/640-422-0x0000000000000000-mapping.dmp

Download
memory/640-423-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/652-393-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/652-383-0x0000000000000000-mapping.dmp

Download
memory/816-290-0x0000000000000000-mapping.dmp

Download
memory/816-301-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/988-463-0x0000000000000000-mapping.dmp

Download
memory/1072-363-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1072-353-0x0000000000000000-mapping.dmp

Download
memory/1112-307-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1112-295-0x0000000000000000-mapping.dmp

Download
memory/1120-413-0x0000000000000000-mapping.dmp

Download
memory/1120-420-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1204-302-0x0000000000000000-mapping.dmp

Download
memory/1204-314-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1204-309-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1276-327-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1276-320-0x0000000000000000-mapping.dmp

Download
memory/1276-336-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1384-328-0x0000000000000000-mapping.dmp

Download
memory/1384-339-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1420-191-0x0000000000000000-mapping.dmp

Download
memory/1420-195-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1420-202-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1608-435-0x0000000000000000-mapping.dmp

Download
memory/1660-265-0x0000000000000000-mapping.dmp

Download
memory/1660-276-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/1676-490-0x0000000000000000-mapping.dmp

Download
memory/1848-497-0x0000000000000000-mapping.dmp

Download
memory/2044-204-0x0000000000000000-mapping.dmp

Download
memory/2044-209-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2044-215-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2080-197-0x0000000000000000-mapping.dmp

Download
memory/2080-203-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2084-427-0x0000000000000000-mapping.dmp

Download
memory/2156-403-0x0000000000000000-mapping.dmp

Download
memory/2156-411-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2248-469-0x0000000000000000-mapping.dmp

Download
memory/2272-299-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2272-282-0x0000000000000000-mapping.dmp

Download
memory/2348-241-0x0000000000000000-mapping.dmp

Download
memory/2348-251-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2384-130-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2384-138-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2460-460-0x0000000000000000-mapping.dmp

Download
memory/2600-445-0x0000000000000000-mapping.dmp

Download
memory/2684-139-0x0000000000000000-mapping.dmp

Download
memory/2684-144-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2684-150-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2692-234-0x0000000000000000-mapping.dmp

Download
memory/2692-240-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2752-424-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2752-416-0x0000000000000000-mapping.dmp

Download
memory/2980-222-0x0000000000000000-mapping.dmp

Download
memory/2980-228-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3000-333-0x0000000000000000-mapping.dmp

Download
memory/3000-350-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3092-472-0x0000000000000000-mapping.dmp

Download
memory/3104-216-0x0000000000000000-mapping.dmp

Download
memory/3104-227-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3160-188-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3160-189-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3160-177-0x0000000000000000-mapping.dmp

Download
memory/3176-174-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3176-157-0x0000000000000000-mapping.dmp

Download
memory/3240-160-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3240-145-0x0000000000000000-mapping.dmp

Download
memory/3288-407-0x0000000000000000-mapping.dmp

Download
memory/3288-421-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3328-308-0x0000000000000000-mapping.dmp

Download
memory/3328-323-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3500-432-0x0000000000000000-mapping.dmp

Download
memory/3592-358-0x0000000000000000-mapping.dmp

Download
memory/3592-359-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3592-376-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3592-364-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3676-151-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3676-133-0x0000000000000000-mapping.dmp

Download
memory/3676-136-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3676-137-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3676-134-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3772-454-0x0000000000000000-mapping.dmp

Download
memory/3888-275-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3888-257-0x0000000000000000-mapping.dmp

Download
memory/3888-264-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3932-162-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3932-164-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3932-152-0x0000000000000000-mapping.dmp

Download
memory/3960-412-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3960-397-0x0000000000000000-mapping.dmp

Download
memory/4116-400-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4116-396-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4116-390-0x0000000000000000-mapping.dmp

Download
memory/4380-315-0x0000000000000000-mapping.dmp

Download
memory/4380-326-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4388-481-0x0000000000000000-mapping.dmp

Download
memory/4416-288-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4416-277-0x0000000000000000-mapping.dmp

Download
memory/4416-289-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4432-270-0x0000000000000000-mapping.dmp

Download
memory/4432-286-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4448-252-0x0000000000000000-mapping.dmp

Download
memory/4448-263-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4460-478-0x0000000000000000-mapping.dmp

Download
memory/4536-451-0x0000000000000000-mapping.dmp

Download
memory/4576-388-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4576-377-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4576-370-0x0000000000000000-mapping.dmp

Download
memory/4584-170-0x0000000000000000-mapping.dmp

Download
memory/4584-187-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4612-365-0x0000000000000000-mapping.dmp

Download
memory/4612-375-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4620-165-0x0000000000000000-mapping.dmp

Download
memory/4620-176-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4684-442-0x0000000000000000-mapping.dmp

Download
memory/4924-229-0x0000000000000000-mapping.dmp

Download
memory/4924-238-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4948-378-0x0000000000000000-mapping.dmp

Download
memory/4948-389-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4984-361-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4984-352-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4984-345-0x0000000000000000-mapping.dmp

Download
memory/5068-190-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5068-182-0x0000000000000000-mapping.dmp

Download
memory/5072-340-0x0000000000000000-mapping.dmp

Download
memory/5072-351-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/5088-262-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5088-246-0x0000000000000000-mapping.dmp

Download