a6d21d179c1f801bc655a19cbdb6a11f7050d4b81bc98696d9d2a2d9b63bf437

Analysis

max time kernel
134s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35016c4bc187c4a4a06866399fe35650.exe
Size

708KB
MD5

35016c4bc187c4a4a06866399fe35650
SHA1

53c87f60f44492453c3d6e94eee5f63464b029dd
SHA256

a6d21d179c1f801bc655a19cbdb6a11f7050d4b81bc98696d9d2a2d9b63bf437
SHA512

f596ee5b836a14bb0f046143892e772388789567541f15fbaba44b6e452d942e10bfadbc95b51474b452f894997c9c32f4e75730aa81dd2d3e5ad83c1c2489d9
SSDEEP

12288:ihdUZQ75UTWAnhZMYmPabdQNED+YnsdFtxDk5TLhuCDH1EoqWU:ivUZQNGWAnhZMzaSxYnsdWJluUc

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rzhfhbp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uirzhjv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tozmxfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bfecvha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	abomrwu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftnoard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zlvwtgz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zyzikur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	owcsyso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gojuofg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	gojuofg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zlvwtgz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wtzgval.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	gcyewkl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nlulljy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ccdaset.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hvpfhrm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jcfocdd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lvbogbz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	lbjcbig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	hbusvwp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kmvlqxh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tmtakmc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	enzfhry.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dgtjxxp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	njefnsn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rvsabex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	qialbwe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fyvxova.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dwsmcai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	siwxwlk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xbtjvqk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rvsabex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	onmvqqn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bozocph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	flwdovg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jnlgilk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	qiaecjz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qbgptzc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	kmvlqxh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jvobsmv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iccpshs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ccdaset.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	empfrjp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rwiqmcf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nbbakom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vkbimds.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tcsbxwn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yljoqyt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	xdwvzrn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	phvjauc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	upimral.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bozocph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dwtijdm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	gouxnzt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xdwvzrn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	npebrfd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vfntfzn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	knkwfyi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mwcwoxf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	deowjgo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmczrte.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	gaqrmax.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yxryzbi.exe

Executes dropped EXE 64 IoCs

pid	Process
888	wnpexnq.exe
4316	wnpexnq.exe
2200	zbfuyew.exe
2308	zbfuyew.exe
1892	clyxbik.exe
4712	clyxbik.exe
4532	gjdxjwt.exe
368	gjdxjwt.exe
3864	oravpla.exe
4892	oravpla.exe
5008	majdryd.exe
3668	majdryd.exe
3676	wditqbp.exe
2688	wditqbp.exe
1276	jbebsis.exe
764	jbebsis.exe
4660	tmczrte.exe
2740	tmczrte.exe
4280	gojuofg.exe
3972	gojuofg.exe
3364	rvxxset.exe
712	rvxxset.exe
4988	gouxnzt.exe
5072	gouxnzt.exe
3568	tunfnqc.exe
884	tunfnqc.exe
3064	jnlgilk.exe
4440	jnlgilk.exe
4284	tybvpow.exe
3260	tybvpow.exe
2968	gaqrmax.exe
2160	gaqrmax.exe
1032	qkhgslj.exe
2928	qkhgslj.exe
3824	bkurpko.exe
460	bkurpko.exe
4768	rzhfhbp.exe
4296	rzhfhbp.exe
4824	enzfhry.exe
4908	enzfhry.exe
3844	rpgimei.exe
2228	rpgimei.exe
1264	yieahzi.exe
4860	yieahzi.exe
632	lrivkux.exe
992	lrivkux.exe
1712	blgvfqf.exe
4408	blgvfqf.exe
2312	rbajxhg.exe
2188	rbajxhg.exe
1368	dgtjxxp.exe
4972	dgtjxxp.exe
5048	qiaecjz.exe
4664	qiaecjz.exe
4476	dwsmcai.exe
1848	dwsmcai.exe
3948	qmwcwil.exe
2760	qmwcwil.exe
4540	daocwyt.exe
3464	daocwyt.exe
3556	ttmdrub.exe
1440	ttmdrub.exe
4376	gyflzkk.exe
1304	gyflzkk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wnpexnq.exe	35016c4bc187c4a4a06866399fe35650.exe
File opened for modification	C:\Windows\SysWOW64\afblltp.exe	kmvlqxh.exe
File opened for modification	C:\Windows\SysWOW64\npebrfd.exe	tjnbdaq.exe
File created	C:\Windows\SysWOW64\lbjcbig.exe	npebrfd.exe
File created	C:\Windows\SysWOW64\rvxxset.exe	gojuofg.exe
File opened for modification	C:\Windows\SysWOW64\gaqrmax.exe	tybvpow.exe
File opened for modification	C:\Windows\SysWOW64\yljoqyt.exe	ismwvdt.exe
File opened for modification	C:\Windows\SysWOW64\beiaovy.exe	mlkzsay.exe
File opened for modification	C:\Windows\SysWOW64\xhdihsf.exe	qkscdns.exe
File opened for modification	C:\Windows\SysWOW64\kmvlqxh.exe	ulykuci.exe
File created	C:\Windows\SysWOW64\xrjapia.exe	klrspsr.exe
File created	C:\Windows\SysWOW64\gcyewkl.exe	qialbwe.exe
File opened for modification	C:\Windows\SysWOW64\curxgdx.exe	nxhzorh.exe
File created	C:\Windows\SysWOW64\clyxbik.exe	zbfuyew.exe
File created	C:\Windows\SysWOW64\daocwyt.exe	qmwcwil.exe
File created	C:\Windows\SysWOW64\qbgptzc.exe	klkgzsz.exe
File opened for modification	C:\Windows\SysWOW64\iccpshs.exe	siwxwlk.exe
File opened for modification	C:\Windows\SysWOW64\gtjvkcm.exe	rwiqmcf.exe
File created	C:\Windows\SysWOW64\qummmrc.exe	abomrwu.exe
File opened for modification	C:\Windows\SysWOW64\pfxzenc.exe	csfqwxt.exe
File opened for modification	C:\Windows\SysWOW64\bkurpko.exe	qkhgslj.exe
File opened for modification	C:\Windows\SysWOW64\blgvfqf.exe	lrivkux.exe
File created	C:\Windows\SysWOW64\ttmdrub.exe	daocwyt.exe
File opened for modification	C:\Windows\SysWOW64\ywqadrx.exe	tiyrebp.exe
File created	C:\Windows\SysWOW64\bdlffce.exe	nfhplub.exe
File created	C:\Windows\SysWOW64\xbtjvqk.exe	phvjauc.exe
File opened for modification	C:\Windows\SysWOW64\csfqwxt.exe	myhqbbl.exe
File created	C:\Windows\SysWOW64\klrspsr.exe	upimral.exe
File opened for modification	C:\Windows\SysWOW64\awcesvn.exe	dkfmpgz.exe
File created	C:\Windows\SysWOW64\tunfnqc.exe	gouxnzt.exe
File created	C:\Windows\SysWOW64\tybvpow.exe	jnlgilk.exe
File created	C:\Windows\SysWOW64\osrmkfi.exe	yztlpsa.exe
File opened for modification	C:\Windows\SysWOW64\pbpklya.exe	zlvwtgz.exe
File created	C:\Windows\SysWOW64\opjirqo.exe	vigpbxp.exe
File created	C:\Windows\SysWOW64\iiydrls.exe	vkbimds.exe
File created	C:\Windows\SysWOW64\iccpshs.exe	siwxwlk.exe
File created	C:\Windows\SysWOW64\afblltp.exe	kmvlqxh.exe
File opened for modification	C:\Windows\SysWOW64\dwtijdm.exe	qummmrc.exe
File created	C:\Windows\SysWOW64\vfntfzn.exe	nbbakom.exe
File created	C:\Windows\SysWOW64\curxgdx.exe	nxhzorh.exe
File opened for modification	C:\Windows\SysWOW64\lbjcbig.exe	npebrfd.exe
File created	C:\Windows\SysWOW64\rzhfhbp.exe	bkurpko.exe
File opened for modification	C:\Windows\SysWOW64\rzhfhbp.exe	bkurpko.exe
File created	C:\Windows\SysWOW64\apddyge.exe	hiakhge.exe
File opened for modification	C:\Windows\SysWOW64\rsmpols.exe	bvdkitm.exe
File created	C:\Windows\SysWOW64\rpjdctp.exe	eyfqzyi.exe
File created	C:\Windows\SysWOW64\zjvenoo.exe	mwcwoxf.exe
File opened for modification	C:\Windows\SysWOW64\sikqmgd.exe	gdrimpu.exe
File opened for modification	C:\Windows\SysWOW64\fjswzek.exe	iiydrls.exe
File created	C:\Windows\SysWOW64\uxvweey.exe	flwdovg.exe
File opened for modification	C:\Windows\SysWOW64\rvxxset.exe	gojuofg.exe
File created	C:\Windows\SysWOW64\siwxwlk.exe	cskkeuj.exe
File opened for modification	C:\Windows\SysWOW64\zjvenoo.exe	mwcwoxf.exe
File created	C:\Windows\SysWOW64\mlkzsay.exe	zjvenoo.exe
File opened for modification	C:\Windows\SysWOW64\onmvqqn.exe	beiaovy.exe
File created	C:\Windows\SysWOW64\dkfmpgz.exe	vfntfzn.exe
File opened for modification	C:\Windows\SysWOW64\dkfmpgz.exe	vfntfzn.exe
File opened for modification	C:\Windows\SysWOW64\oravpla.exe	gjdxjwt.exe
File created	C:\Windows\SysWOW64\pbpklya.exe	zlvwtgz.exe
File created	C:\Windows\SysWOW64\oyzqvgo.exe	yfbyzkg.exe
File created	C:\Windows\SysWOW64\uirzhjv.exe	fptzmnv.exe
File opened for modification	C:\Windows\SysWOW64\ccdaset.exe	nafixqu.exe
File opened for modification	C:\Windows\SysWOW64\bdrydwx.exe	oyzqvgo.exe
File created	C:\Windows\SysWOW64\tjnbdaq.exe	lqnjchc.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ThreadingModel = "Both"	35016c4bc187c4a4a06866399fe35650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}	35016c4bc187c4a4a06866399fe35650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\ = "CLSID_RecordInfo"	35016c4bc187c4a4a06866399fe35650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32	35016c4bc187c4a4a06866399fe35650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ = "C:\\Windows\\SysWOW64\\oleaut32.dll"	35016c4bc187c4a4a06866399fe35650.exe

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:474A6CD6	blgvfqf.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	dcbfiov.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	owcsyso.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	flwdovg.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	dgtjxxp.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	ftnoard.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	urwxflp.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	majdryd.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	wditqbp.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	vbibsie.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	xrjapia.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	onmvqqn.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	gjdxjwt.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	hiakhge.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	jcfocdd.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	gtjvkcm.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	vkbimds.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	pfxzenc.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	zyzikur.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	hmkpjha.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	lvbogbz.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	uwaecyj.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	jnlgilk.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	dwsmcai.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	ulykuci.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	kmvlqxh.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	tmtakmc.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	bfecvha.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	rbajxhg.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	phvjauc.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	eapdphs.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	utmekca.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	eyfqzyi.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	hvpfhrm.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	bdcqrgx.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	rwiqmcf.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	sikqmgd.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	npebrfd.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	hbusvwp.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	dmxnffm.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	kyenzaw.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	knkwfyi.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	iiydrls.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	zztmaaz.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	mlkzsay.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	qkscdns.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	awcesvn.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	dmpmfbi.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	ywqadrx.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	iailbbb.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	nafixqu.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	mmbeakr.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	rpgimei.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	fyyxjxh.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	vigpbxp.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	gdrimpu.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	lqnjchc.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	qkhgslj.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	nfhplub.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	nlulljy.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	vlkaeqx.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	lipymxl.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	cskkeuj.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	xdwvzrn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3392	35016c4bc187c4a4a06866399fe35650.exe
Token: SeIncBasePriorityPrivilege	3392	35016c4bc187c4a4a06866399fe35650.exe
Token: 33	3392	35016c4bc187c4a4a06866399fe35650.exe
Token: SeIncBasePriorityPrivilege	3392	35016c4bc187c4a4a06866399fe35650.exe
Token: 33	4316	wnpexnq.exe
Token: SeIncBasePriorityPrivilege	4316	wnpexnq.exe
Token: 33	4316	wnpexnq.exe
Token: SeIncBasePriorityPrivilege	4316	wnpexnq.exe
Token: 33	2308	zbfuyew.exe
Token: SeIncBasePriorityPrivilege	2308	zbfuyew.exe
Token: 33	2308	zbfuyew.exe
Token: SeIncBasePriorityPrivilege	2308	zbfuyew.exe
Token: 33	4712	clyxbik.exe
Token: SeIncBasePriorityPrivilege	4712	clyxbik.exe
Token: 33	4712	clyxbik.exe
Token: SeIncBasePriorityPrivilege	4712	clyxbik.exe
Token: 33	368	gjdxjwt.exe
Token: SeIncBasePriorityPrivilege	368	gjdxjwt.exe
Token: 33	368	gjdxjwt.exe
Token: SeIncBasePriorityPrivilege	368	gjdxjwt.exe
Token: 33	4892	oravpla.exe
Token: SeIncBasePriorityPrivilege	4892	oravpla.exe
Token: 33	4892	oravpla.exe
Token: SeIncBasePriorityPrivilege	4892	oravpla.exe
Token: 33	3668	majdryd.exe
Token: SeIncBasePriorityPrivilege	3668	majdryd.exe
Token: 33	3668	majdryd.exe
Token: SeIncBasePriorityPrivilege	3668	majdryd.exe
Token: 33	2688	wditqbp.exe
Token: SeIncBasePriorityPrivilege	2688	wditqbp.exe
Token: 33	2688	wditqbp.exe
Token: SeIncBasePriorityPrivilege	2688	wditqbp.exe
Token: 33	764	jbebsis.exe
Token: SeIncBasePriorityPrivilege	764	jbebsis.exe
Token: 33	764	jbebsis.exe
Token: SeIncBasePriorityPrivilege	764	jbebsis.exe
Token: 33	2740	tmczrte.exe
Token: SeIncBasePriorityPrivilege	2740	tmczrte.exe
Token: 33	2740	tmczrte.exe
Token: SeIncBasePriorityPrivilege	2740	tmczrte.exe
Token: 33	3972	gojuofg.exe
Token: SeIncBasePriorityPrivilege	3972	gojuofg.exe
Token: 33	3972	gojuofg.exe
Token: SeIncBasePriorityPrivilege	3972	gojuofg.exe
Token: 33	712	rvxxset.exe
Token: SeIncBasePriorityPrivilege	712	rvxxset.exe
Token: 33	712	rvxxset.exe
Token: SeIncBasePriorityPrivilege	712	rvxxset.exe
Token: 33	5072	gouxnzt.exe
Token: SeIncBasePriorityPrivilege	5072	gouxnzt.exe
Token: 33	5072	gouxnzt.exe
Token: SeIncBasePriorityPrivilege	5072	gouxnzt.exe
Token: 33	884	tunfnqc.exe
Token: SeIncBasePriorityPrivilege	884	tunfnqc.exe
Token: 33	884	tunfnqc.exe
Token: SeIncBasePriorityPrivilege	884	tunfnqc.exe
Token: 33	4440	jnlgilk.exe
Token: SeIncBasePriorityPrivilege	4440	jnlgilk.exe
Token: 33	4440	jnlgilk.exe
Token: SeIncBasePriorityPrivilege	4440	jnlgilk.exe
Token: 33	3260	tybvpow.exe
Token: SeIncBasePriorityPrivilege	3260	tybvpow.exe
Token: 33	3260	tybvpow.exe
Token: SeIncBasePriorityPrivilege	3260	tybvpow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3392	228	35016c4bc187c4a4a06866399fe35650.exe	91
PID 228 wrote to memory of 3392	228	35016c4bc187c4a4a06866399fe35650.exe	91
PID 228 wrote to memory of 3392	228	35016c4bc187c4a4a06866399fe35650.exe	91
PID 228 wrote to memory of 3392	228	35016c4bc187c4a4a06866399fe35650.exe	91
PID 228 wrote to memory of 3392	228	35016c4bc187c4a4a06866399fe35650.exe	91
PID 3392 wrote to memory of 888	3392	35016c4bc187c4a4a06866399fe35650.exe	97
PID 3392 wrote to memory of 888	3392	35016c4bc187c4a4a06866399fe35650.exe	97
PID 3392 wrote to memory of 888	3392	35016c4bc187c4a4a06866399fe35650.exe	97
PID 888 wrote to memory of 4316	888	wnpexnq.exe	96
PID 888 wrote to memory of 4316	888	wnpexnq.exe	96
PID 888 wrote to memory of 4316	888	wnpexnq.exe	96
PID 888 wrote to memory of 4316	888	wnpexnq.exe	96
PID 888 wrote to memory of 4316	888	wnpexnq.exe	96
PID 4316 wrote to memory of 2200	4316	wnpexnq.exe	98
PID 4316 wrote to memory of 2200	4316	wnpexnq.exe	98
PID 4316 wrote to memory of 2200	4316	wnpexnq.exe	98
PID 2200 wrote to memory of 2308	2200	zbfuyew.exe	99
PID 2200 wrote to memory of 2308	2200	zbfuyew.exe	99
PID 2200 wrote to memory of 2308	2200	zbfuyew.exe	99
PID 2200 wrote to memory of 2308	2200	zbfuyew.exe	99
PID 2200 wrote to memory of 2308	2200	zbfuyew.exe	99
PID 2308 wrote to memory of 1892	2308	zbfuyew.exe	101
PID 2308 wrote to memory of 1892	2308	zbfuyew.exe	101
PID 2308 wrote to memory of 1892	2308	zbfuyew.exe	101
PID 1892 wrote to memory of 4712	1892	clyxbik.exe	100
PID 1892 wrote to memory of 4712	1892	clyxbik.exe	100
PID 1892 wrote to memory of 4712	1892	clyxbik.exe	100
PID 1892 wrote to memory of 4712	1892	clyxbik.exe	100
PID 1892 wrote to memory of 4712	1892	clyxbik.exe	100
PID 4712 wrote to memory of 4532	4712	clyxbik.exe	103
PID 4712 wrote to memory of 4532	4712	clyxbik.exe	103
PID 4712 wrote to memory of 4532	4712	clyxbik.exe	103
PID 4532 wrote to memory of 368	4532	gjdxjwt.exe	102
PID 4532 wrote to memory of 368	4532	gjdxjwt.exe	102
PID 4532 wrote to memory of 368	4532	gjdxjwt.exe	102
PID 4532 wrote to memory of 368	4532	gjdxjwt.exe	102
PID 4532 wrote to memory of 368	4532	gjdxjwt.exe	102
PID 368 wrote to memory of 3864	368	gjdxjwt.exe	105
PID 368 wrote to memory of 3864	368	gjdxjwt.exe	105
PID 368 wrote to memory of 3864	368	gjdxjwt.exe	105
PID 3864 wrote to memory of 4892	3864	oravpla.exe	104
PID 3864 wrote to memory of 4892	3864	oravpla.exe	104
PID 3864 wrote to memory of 4892	3864	oravpla.exe	104
PID 3864 wrote to memory of 4892	3864	oravpla.exe	104
PID 3864 wrote to memory of 4892	3864	oravpla.exe	104
PID 4892 wrote to memory of 5008	4892	oravpla.exe	107
PID 4892 wrote to memory of 5008	4892	oravpla.exe	107
PID 4892 wrote to memory of 5008	4892	oravpla.exe	107
PID 5008 wrote to memory of 3668	5008	majdryd.exe	106
PID 5008 wrote to memory of 3668	5008	majdryd.exe	106
PID 5008 wrote to memory of 3668	5008	majdryd.exe	106
PID 5008 wrote to memory of 3668	5008	majdryd.exe	106
PID 5008 wrote to memory of 3668	5008	majdryd.exe	106
PID 3668 wrote to memory of 3676	3668	majdryd.exe	109
PID 3668 wrote to memory of 3676	3668	majdryd.exe	109
PID 3668 wrote to memory of 3676	3668	majdryd.exe	109
PID 3676 wrote to memory of 2688	3676	wditqbp.exe	108
PID 3676 wrote to memory of 2688	3676	wditqbp.exe	108
PID 3676 wrote to memory of 2688	3676	wditqbp.exe	108
PID 3676 wrote to memory of 2688	3676	wditqbp.exe	108
PID 3676 wrote to memory of 2688	3676	wditqbp.exe	108
PID 2688 wrote to memory of 1276	2688	wditqbp.exe	112
PID 2688 wrote to memory of 1276	2688	wditqbp.exe	112
PID 2688 wrote to memory of 1276	2688	wditqbp.exe	112

C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe
"C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe
  "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\wnpexnq.exe
    C:\Windows\system32\wnpexnq.exe 1416 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:888

C:\Windows\SysWOW64\wnpexnq.exe
C:\Windows\system32\wnpexnq.exe 1416 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\zbfuyew.exe
  C:\Windows\system32\zbfuyew.exe 1436 "C:\Windows\SysWOW64\wnpexnq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\zbfuyew.exe
    C:\Windows\system32\zbfuyew.exe 1436 "C:\Windows\SysWOW64\wnpexnq.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\clyxbik.exe
      C:\Windows\system32\clyxbik.exe 1448 "C:\Windows\SysWOW64\zbfuyew.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1892

C:\Windows\SysWOW64\clyxbik.exe
C:\Windows\system32\clyxbik.exe 1448 "C:\Windows\SysWOW64\zbfuyew.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\gjdxjwt.exe
  C:\Windows\system32\gjdxjwt.exe 1460 "C:\Windows\SysWOW64\clyxbik.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4532

C:\Windows\SysWOW64\gjdxjwt.exe
C:\Windows\system32\gjdxjwt.exe 1460 "C:\Windows\SysWOW64\clyxbik.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\oravpla.exe
  C:\Windows\system32\oravpla.exe 1480 "C:\Windows\SysWOW64\gjdxjwt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864

C:\Windows\SysWOW64\oravpla.exe
C:\Windows\system32\oravpla.exe 1480 "C:\Windows\SysWOW64\gjdxjwt.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\majdryd.exe
  C:\Windows\system32\majdryd.exe 1484 "C:\Windows\SysWOW64\oravpla.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008

C:\Windows\SysWOW64\majdryd.exe
C:\Windows\system32\majdryd.exe 1484 "C:\Windows\SysWOW64\oravpla.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\SysWOW64\wditqbp.exe
  C:\Windows\system32\wditqbp.exe 1424 "C:\Windows\SysWOW64\majdryd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3676

C:\Windows\SysWOW64\wditqbp.exe
C:\Windows\system32\wditqbp.exe 1424 "C:\Windows\SysWOW64\majdryd.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\jbebsis.exe
  C:\Windows\system32\jbebsis.exe 1508 "C:\Windows\SysWOW64\wditqbp.exe"
  2⤵
  - Executes dropped EXE
  PID:1276

C:\Windows\SysWOW64\jbebsis.exe
C:\Windows\system32\jbebsis.exe 1508 "C:\Windows\SysWOW64\wditqbp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764
- C:\Windows\SysWOW64\tmczrte.exe
  C:\Windows\system32\tmczrte.exe 1520 "C:\Windows\SysWOW64\jbebsis.exe"
  2⤵
  - Executes dropped EXE
  PID:4660

C:\Windows\SysWOW64\tmczrte.exe
C:\Windows\system32\tmczrte.exe 1520 "C:\Windows\SysWOW64\jbebsis.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\SysWOW64\gojuofg.exe
  C:\Windows\system32\gojuofg.exe 1540 "C:\Windows\SysWOW64\tmczrte.exe"
  2⤵
  - Executes dropped EXE
  PID:4280
- - C:\Windows\SysWOW64\gojuofg.exe
    C:\Windows\system32\gojuofg.exe 1540 "C:\Windows\SysWOW64\tmczrte.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
  - - C:\Windows\SysWOW64\rvxxset.exe
      C:\Windows\system32\rvxxset.exe 1544 "C:\Windows\SysWOW64\gojuofg.exe"
      4⤵
      Executes dropped EXE
      PID:3364

C:\Windows\SysWOW64\rvxxset.exe
C:\Windows\system32\rvxxset.exe 1544 "C:\Windows\SysWOW64\gojuofg.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712
- C:\Windows\SysWOW64\gouxnzt.exe
  C:\Windows\system32\gouxnzt.exe 1556 "C:\Windows\SysWOW64\rvxxset.exe"
  2⤵
  - Executes dropped EXE
  PID:4988

C:\Windows\SysWOW64\gouxnzt.exe
C:\Windows\system32\gouxnzt.exe 1556 "C:\Windows\SysWOW64\rvxxset.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5072
- C:\Windows\SysWOW64\tunfnqc.exe
  C:\Windows\system32\tunfnqc.exe 1568 "C:\Windows\SysWOW64\gouxnzt.exe"
  2⤵
  - Executes dropped EXE
  PID:3568
- - C:\Windows\SysWOW64\tunfnqc.exe
    C:\Windows\system32\tunfnqc.exe 1568 "C:\Windows\SysWOW64\gouxnzt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:884
  - - C:\Windows\SysWOW64\jnlgilk.exe
      C:\Windows\system32\jnlgilk.exe 1580 "C:\Windows\SysWOW64\tunfnqc.exe"
      4⤵
      Executes dropped EXE
      PID:3064

C:\Windows\SysWOW64\jnlgilk.exe
C:\Windows\system32\jnlgilk.exe 1580 "C:\Windows\SysWOW64\tunfnqc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4440
- C:\Windows\SysWOW64\tybvpow.exe
  C:\Windows\system32\tybvpow.exe 1592 "C:\Windows\SysWOW64\jnlgilk.exe"
  2⤵
  - Executes dropped EXE
  PID:4284

C:\Windows\SysWOW64\tybvpow.exe
C:\Windows\system32\tybvpow.exe 1592 "C:\Windows\SysWOW64\jnlgilk.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3260
- C:\Windows\SysWOW64\gaqrmax.exe
  C:\Windows\system32\gaqrmax.exe 1604 "C:\Windows\SysWOW64\tybvpow.exe"
  2⤵
  - Executes dropped EXE
  PID:2968

C:\Windows\SysWOW64\gaqrmax.exe
C:\Windows\system32\gaqrmax.exe 1604 "C:\Windows\SysWOW64\tybvpow.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:2160
- C:\Windows\SysWOW64\qkhgslj.exe
  C:\Windows\system32\qkhgslj.exe 1616 "C:\Windows\SysWOW64\gaqrmax.exe"
  2⤵
  - Executes dropped EXE
  PID:1032

C:\Windows\SysWOW64\qkhgslj.exe
C:\Windows\system32\qkhgslj.exe 1616 "C:\Windows\SysWOW64\gaqrmax.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- NTFS ADS
PID:2928
- C:\Windows\SysWOW64\bkurpko.exe
  C:\Windows\system32\bkurpko.exe 1628 "C:\Windows\SysWOW64\qkhgslj.exe"
  2⤵
  - Executes dropped EXE
  PID:3824

C:\Windows\SysWOW64\bkurpko.exe
C:\Windows\system32\bkurpko.exe 1628 "C:\Windows\SysWOW64\qkhgslj.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:460
- C:\Windows\SysWOW64\rzhfhbp.exe
  C:\Windows\system32\rzhfhbp.exe 1640 "C:\Windows\SysWOW64\bkurpko.exe"
  2⤵
  - Executes dropped EXE
  PID:4768
- - C:\Windows\SysWOW64\rzhfhbp.exe
    C:\Windows\system32\rzhfhbp.exe 1640 "C:\Windows\SysWOW64\bkurpko.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:4296
  - - C:\Windows\SysWOW64\enzfhry.exe
      C:\Windows\system32\enzfhry.exe 1652 "C:\Windows\SysWOW64\rzhfhbp.exe"
      4⤵
      Executes dropped EXE
      PID:4824

C:\Windows\SysWOW64\enzfhry.exe
C:\Windows\system32\enzfhry.exe 1652 "C:\Windows\SysWOW64\rzhfhbp.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:4908
- C:\Windows\SysWOW64\rpgimei.exe
  C:\Windows\system32\rpgimei.exe 1664 "C:\Windows\SysWOW64\enzfhry.exe"
  2⤵
  - Executes dropped EXE
  PID:3844
- - C:\Windows\SysWOW64\rpgimei.exe
    C:\Windows\system32\rpgimei.exe 1664 "C:\Windows\SysWOW64\enzfhry.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    PID:2228
  - - C:\Windows\SysWOW64\yieahzi.exe
      C:\Windows\system32\yieahzi.exe 1676 "C:\Windows\SysWOW64\rpgimei.exe"
      4⤵
      Executes dropped EXE
      PID:1264

C:\Windows\SysWOW64\yieahzi.exe
C:\Windows\system32\yieahzi.exe 1676 "C:\Windows\SysWOW64\rpgimei.exe"
1⤵
- Executes dropped EXE
PID:4860
- C:\Windows\SysWOW64\lrivkux.exe
  C:\Windows\system32\lrivkux.exe 1688 "C:\Windows\SysWOW64\yieahzi.exe"
  2⤵
  - Executes dropped EXE
  PID:632

C:\Windows\SysWOW64\lrivkux.exe
C:\Windows\system32\lrivkux.exe 1688 "C:\Windows\SysWOW64\yieahzi.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:992
- C:\Windows\SysWOW64\blgvfqf.exe
  C:\Windows\system32\blgvfqf.exe 1700 "C:\Windows\SysWOW64\lrivkux.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- - C:\Windows\SysWOW64\blgvfqf.exe
    C:\Windows\system32\blgvfqf.exe 1700 "C:\Windows\SysWOW64\lrivkux.exe"
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    PID:4408
  - - C:\Windows\SysWOW64\rbajxhg.exe
      C:\Windows\system32\rbajxhg.exe 1712 "C:\Windows\SysWOW64\blgvfqf.exe"
      4⤵
      Executes dropped EXE
      PID:2312

C:\Windows\SysWOW64\rbajxhg.exe
C:\Windows\system32\rbajxhg.exe 1712 "C:\Windows\SysWOW64\blgvfqf.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:2188
- C:\Windows\SysWOW64\dgtjxxp.exe
  C:\Windows\system32\dgtjxxp.exe 1724 "C:\Windows\SysWOW64\rbajxhg.exe"
  2⤵
  - Executes dropped EXE
  PID:1368

C:\Windows\SysWOW64\dgtjxxp.exe
C:\Windows\system32\dgtjxxp.exe 1724 "C:\Windows\SysWOW64\rbajxhg.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- NTFS ADS
PID:4972
- C:\Windows\SysWOW64\qiaecjz.exe
  C:\Windows\system32\qiaecjz.exe 1736 "C:\Windows\SysWOW64\dgtjxxp.exe"
  2⤵
  - Executes dropped EXE
  PID:5048
- - C:\Windows\SysWOW64\qiaecjz.exe
    C:\Windows\system32\qiaecjz.exe 1736 "C:\Windows\SysWOW64\dgtjxxp.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    PID:4664
  - - C:\Windows\SysWOW64\dwsmcai.exe
      C:\Windows\system32\dwsmcai.exe 1748 "C:\Windows\SysWOW64\qiaecjz.exe"
      4⤵
      Executes dropped EXE
      PID:4476
    - - C:\Windows\SysWOW64\dwsmcai.exe
        
        C:\Windows\system32\dwsmcai.exe 1748 "C:\Windows\SysWOW64\qiaecjz.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        NTFS ADS
        
        PID:1848
      - C:\Windows\SysWOW64\qmwcwil.exe
        
        C:\Windows\system32\qmwcwil.exe 1760 "C:\Windows\SysWOW64\dwsmcai.exe"
        6⤵
        Executes dropped EXE
        
        PID:3948

C:\Windows\SysWOW64\qmwcwil.exe
C:\Windows\system32\qmwcwil.exe 1760 "C:\Windows\SysWOW64\dwsmcai.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760
- C:\Windows\SysWOW64\daocwyt.exe
  C:\Windows\system32\daocwyt.exe 1772 "C:\Windows\SysWOW64\qmwcwil.exe"
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\SysWOW64\daocwyt.exe
C:\Windows\system32\daocwyt.exe 1772 "C:\Windows\SysWOW64\qmwcwil.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464
- C:\Windows\SysWOW64\ttmdrub.exe
  C:\Windows\system32\ttmdrub.exe 1792 "C:\Windows\SysWOW64\daocwyt.exe"
  2⤵
  - Executes dropped EXE
  PID:3556
- - C:\Windows\SysWOW64\ttmdrub.exe
    C:\Windows\system32\ttmdrub.exe 1792 "C:\Windows\SysWOW64\daocwyt.exe"
    3⤵
    - Executes dropped EXE
    PID:1440
  - - C:\Windows\SysWOW64\gyflzkk.exe
      C:\Windows\system32\gyflzkk.exe 1796 "C:\Windows\SysWOW64\ttmdrub.exe"
      4⤵
      Executes dropped EXE
      PID:4376

C:\Windows\SysWOW64\gyflzkk.exe
C:\Windows\system32\gyflzkk.exe 1796 "C:\Windows\SysWOW64\ttmdrub.exe"
1⤵
- Executes dropped EXE
PID:1304
- C:\Windows\SysWOW64\vsdlugk.exe
  C:\Windows\system32\vsdlugk.exe 1808 "C:\Windows\SysWOW64\gyflzkk.exe"
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\vsdlugk.exe
    C:\Windows\system32\vsdlugk.exe 1808 "C:\Windows\SysWOW64\gyflzkk.exe"
    3⤵
    PID:4216
  - - C:\Windows\SysWOW64\lipymxl.exe
      C:\Windows\system32\lipymxl.exe 1820 "C:\Windows\SysWOW64\vsdlugk.exe"
      4⤵
      PID:2712

C:\Windows\SysWOW64\lipymxl.exe
C:\Windows\system32\lipymxl.exe 1820 "C:\Windows\SysWOW64\vsdlugk.exe"
1⤵
- NTFS ADS
PID:4896
- C:\Windows\SysWOW64\yztlpsa.exe
  C:\Windows\system32\yztlpsa.exe 1840 "C:\Windows\SysWOW64\lipymxl.exe"
  2⤵
  PID:3416

C:\Windows\SysWOW64\yztlpsa.exe
C:\Windows\system32\yztlpsa.exe 1840 "C:\Windows\SysWOW64\lipymxl.exe"
1⤵
- Drops file in System32 directory
PID:3820
- C:\Windows\SysWOW64\osrmkfi.exe
  C:\Windows\system32\osrmkfi.exe 1844 "C:\Windows\SysWOW64\yztlpsa.exe"
  2⤵
  PID:2652

C:\Windows\SysWOW64\osrmkfi.exe
C:\Windows\system32\osrmkfi.exe 1844 "C:\Windows\SysWOW64\yztlpsa.exe"
1⤵
PID:4748
- C:\Windows\SysWOW64\dmpmfbi.exe
  C:\Windows\system32\dmpmfbi.exe 1856 "C:\Windows\SysWOW64\osrmkfi.exe"
  2⤵
  PID:2208

C:\Windows\SysWOW64\dmpmfbi.exe
C:\Windows\system32\dmpmfbi.exe 1856 "C:\Windows\SysWOW64\osrmkfi.exe"
1⤵
- NTFS ADS
PID:444
- C:\Windows\SysWOW64\tiyrebp.exe
  C:\Windows\system32\tiyrebp.exe 1868 "C:\Windows\SysWOW64\dmpmfbi.exe"
  2⤵
  PID:2552

C:\Windows\SysWOW64\tiyrebp.exe
C:\Windows\system32\tiyrebp.exe 1868 "C:\Windows\SysWOW64\dmpmfbi.exe"
1⤵
- Drops file in System32 directory
PID:2128
- C:\Windows\SysWOW64\ywqadrx.exe
  C:\Windows\system32\ywqadrx.exe 1888 "C:\Windows\SysWOW64\tiyrebp.exe"
  2⤵
  PID:3944

C:\Windows\SysWOW64\ywqadrx.exe
C:\Windows\system32\ywqadrx.exe 1888 "C:\Windows\SysWOW64\tiyrebp.exe"
1⤵
- NTFS ADS
PID:4336
- C:\Windows\SysWOW64\ntznjrm.exe
  C:\Windows\system32\ntznjrm.exe 1892 "C:\Windows\SysWOW64\ywqadrx.exe"
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\ntznjrm.exe
    C:\Windows\system32\ntznjrm.exe 1892 "C:\Windows\SysWOW64\ywqadrx.exe"
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\dmxnffm.exe
      C:\Windows\system32\dmxnffm.exe 1904 "C:\Windows\SysWOW64\ntznjrm.exe"
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\dmxnffm.exe
        
        C:\Windows\system32\dmxnffm.exe 1904 "C:\Windows\SysWOW64\ntznjrm.exe"
        5⤵
        NTFS ADS
        
        PID:4792
      - C:\Windows\SysWOW64\tcsbxwn.exe
        
        C:\Windows\system32\tcsbxwn.exe 1872 "C:\Windows\SysWOW64\dmxnffm.exe"
        6⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\tcsbxwn.exe
        
        C:\Windows\system32\tcsbxwn.exe 1872 "C:\Windows\SysWOW64\dmxnffm.exe"
        7⤵
        Checks BIOS information in registry
        
        PID:4164
        
        C:\Windows\SysWOW64\ftnoard.exe
        
        C:\Windows\system32\ftnoard.exe 1912 "C:\Windows\SysWOW64\tcsbxwn.exe"
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\ftnoard.exe
        
        C:\Windows\system32\ftnoard.exe 1912 "C:\Windows\SysWOW64\tcsbxwn.exe"
        9⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:4300
        
        C:\Windows\SysWOW64\vbibsie.exe
        
        C:\Windows\system32\vbibsie.exe 1956 "C:\Windows\SysWOW64\ftnoard.exe"
        10⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\vbibsie.exe
        
        C:\Windows\system32\vbibsie.exe 1956 "C:\Windows\SysWOW64\ftnoard.exe"
        11⤵
        NTFS ADS
        
        PID:2532
        
        C:\Windows\SysWOW64\ismwvdt.exe
        
        C:\Windows\system32\ismwvdt.exe 1948 "C:\Windows\SysWOW64\vbibsie.exe"
        12⤵
        
        PID:1792

C:\Windows\SysWOW64\ismwvdt.exe
C:\Windows\system32\ismwvdt.exe 1948 "C:\Windows\SysWOW64\vbibsie.exe"
1⤵
- Drops file in System32 directory
PID:1684
- C:\Windows\SysWOW64\yljoqyt.exe
  C:\Windows\system32\yljoqyt.exe 1972 "C:\Windows\SysWOW64\ismwvdt.exe"
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\yljoqyt.exe
    C:\Windows\system32\yljoqyt.exe 1972 "C:\Windows\SysWOW64\ismwvdt.exe"
    3⤵
    - Checks BIOS information in registry
    PID:4064
  - - C:\Windows\SysWOW64\nfhplub.exe
      C:\Windows\system32\nfhplub.exe 1976 "C:\Windows\SysWOW64\yljoqyt.exe"
      4⤵
      PID:4288

C:\Windows\SysWOW64\nfhplub.exe
C:\Windows\system32\nfhplub.exe 1976 "C:\Windows\SysWOW64\yljoqyt.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:2788
- C:\Windows\SysWOW64\bdlffce.exe
  C:\Windows\system32\bdlffce.exe 1852 "C:\Windows\SysWOW64\nfhplub.exe"
  2⤵
  PID:220

C:\Windows\SysWOW64\bdlffce.exe
C:\Windows\system32\bdlffce.exe 1852 "C:\Windows\SysWOW64\nfhplub.exe"
1⤵
PID:2416
- C:\Windows\SysWOW64\njefnsn.exe
  C:\Windows\system32\njefnsn.exe 2012 "C:\Windows\SysWOW64\bdlffce.exe"
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\njefnsn.exe
    C:\Windows\system32\njefnsn.exe 2012 "C:\Windows\SysWOW64\bdlffce.exe"
    3⤵
    - Checks BIOS information in registry
    PID:3040
  - - C:\Windows\SysWOW64\dcbfiov.exe
      C:\Windows\system32\dcbfiov.exe 2008 "C:\Windows\SysWOW64\njefnsn.exe"
      4⤵
      PID:2756

C:\Windows\SysWOW64\dcbfiov.exe
C:\Windows\system32\dcbfiov.exe 2008 "C:\Windows\SysWOW64\njefnsn.exe"
1⤵
- NTFS ADS
PID:3588
- C:\Windows\SysWOW64\ptxaljc.exe
  C:\Windows\system32\ptxaljc.exe 2024 "C:\Windows\SysWOW64\dcbfiov.exe"
  2⤵
  PID:2776

C:\Windows\SysWOW64\ptxaljc.exe
C:\Windows\system32\ptxaljc.exe 2024 "C:\Windows\SysWOW64\dcbfiov.exe"
1⤵
PID:4040
- C:\Windows\SysWOW64\iailbbb.exe
  C:\Windows\system32\iailbbb.exe 2036 "C:\Windows\SysWOW64\ptxaljc.exe"
  2⤵
  PID:3132

C:\Windows\SysWOW64\iailbbb.exe
C:\Windows\system32\iailbbb.exe 2036 "C:\Windows\SysWOW64\ptxaljc.exe"
1⤵
- NTFS ADS
PID:828
- C:\Windows\SysWOW64\yxryzbi.exe
  C:\Windows\system32\yxryzbi.exe 2052 "C:\Windows\SysWOW64\iailbbb.exe"
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\yxryzbi.exe
    C:\Windows\system32\yxryzbi.exe 2052 "C:\Windows\SysWOW64\iailbbb.exe"
    3⤵
    - Checks BIOS information in registry
    PID:4132
  - - C:\Windows\SysWOW64\klkgzsz.exe
      C:\Windows\system32\klkgzsz.exe 2072 "C:\Windows\SysWOW64\yxryzbi.exe"
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\klkgzsz.exe
        
        C:\Windows\system32\klkgzsz.exe 2072 "C:\Windows\SysWOW64\yxryzbi.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2636
      - C:\Windows\SysWOW64\qbgptzc.exe
        
        C:\Windows\system32\qbgptzc.exe 2076 "C:\Windows\SysWOW64\klkgzsz.exe"
        6⤵
        
        PID:2396

C:\Windows\SysWOW64\qbgptzc.exe
C:\Windows\system32\qbgptzc.exe 2076 "C:\Windows\SysWOW64\klkgzsz.exe"
1⤵
- Checks BIOS information in registry
PID:4776
- C:\Windows\SysWOW64\cskkeuj.exe
  C:\Windows\system32\cskkeuj.exe 2088 "C:\Windows\SysWOW64\qbgptzc.exe"
  2⤵
  PID:2384

C:\Windows\SysWOW64\cskkeuj.exe
C:\Windows\system32\cskkeuj.exe 2088 "C:\Windows\SysWOW64\qbgptzc.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:3200
- C:\Windows\SysWOW64\siwxwlk.exe
  C:\Windows\system32\siwxwlk.exe 2108 "C:\Windows\SysWOW64\cskkeuj.exe"
  2⤵
  PID:2328

C:\Windows\SysWOW64\siwxwlk.exe
C:\Windows\system32\siwxwlk.exe 2108 "C:\Windows\SysWOW64\cskkeuj.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
PID:1756
- C:\Windows\SysWOW64\iccpshs.exe
  C:\Windows\system32\iccpshs.exe 2120 "C:\Windows\SysWOW64\siwxwlk.exe"
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\iccpshs.exe
    C:\Windows\system32\iccpshs.exe 2120 "C:\Windows\SysWOW64\siwxwlk.exe"
    3⤵
    - Checks BIOS information in registry
    PID:452
  - - C:\Windows\SysWOW64\ulykuci.exe
      C:\Windows\system32\ulykuci.exe 2124 "C:\Windows\SysWOW64\iccpshs.exe"
      4⤵
      PID:224

C:\Windows\SysWOW64\ulykuci.exe
C:\Windows\system32\ulykuci.exe 2124 "C:\Windows\SysWOW64\iccpshs.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:4744
- C:\Windows\SysWOW64\kmvlqxh.exe
  C:\Windows\system32\kmvlqxh.exe 2136 "C:\Windows\SysWOW64\ulykuci.exe"
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\kmvlqxh.exe
    C:\Windows\system32\kmvlqxh.exe 2136 "C:\Windows\SysWOW64\ulykuci.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops file in System32 directory
    - NTFS ADS
    PID:2568
  - - C:\Windows\SysWOW64\afblltp.exe
      C:\Windows\system32\afblltp.exe 2156 "C:\Windows\SysWOW64\kmvlqxh.exe"
      4⤵
      PID:2844
    - - C:\Windows\SysWOW64\afblltp.exe
        
        C:\Windows\system32\afblltp.exe 2156 "C:\Windows\SysWOW64\kmvlqxh.exe"
        5⤵
        
        PID:3608
      - C:\Windows\SysWOW64\nlulljy.exe
        
        C:\Windows\system32\nlulljy.exe 2168 "C:\Windows\SysWOW64\afblltp.exe"
        6⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\nlulljy.exe
        
        C:\Windows\system32\nlulljy.exe 2168 "C:\Windows\SysWOW64\afblltp.exe"
        7⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:3004
        
        C:\Windows\SysWOW64\civzrbf.exe
        
        C:\Windows\system32\civzrbf.exe 2164 "C:\Windows\SysWOW64\nlulljy.exe"
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\civzrbf.exe
        
        C:\Windows\system32\civzrbf.exe 2164 "C:\Windows\SysWOW64\nlulljy.exe"
        9⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\sypmjsg.exe
        
        C:\Windows\system32\sypmjsg.exe 2192 "C:\Windows\SysWOW64\civzrbf.exe"
        10⤵
        
        PID:1240

C:\Windows\SysWOW64\sypmjsg.exe
C:\Windows\system32\sypmjsg.exe 2192 "C:\Windows\SysWOW64\civzrbf.exe"
1⤵
PID:3060
- C:\Windows\SysWOW64\fptzmnv.exe
  C:\Windows\system32\fptzmnv.exe 2116 "C:\Windows\SysWOW64\sypmjsg.exe"
  2⤵
  PID:1868

C:\Windows\SysWOW64\fptzmnv.exe
C:\Windows\system32\fptzmnv.exe 2116 "C:\Windows\SysWOW64\sypmjsg.exe"
1⤵
- Drops file in System32 directory
PID:5088
- C:\Windows\SysWOW64\uirzhjv.exe
  C:\Windows\system32\uirzhjv.exe 2132 "C:\Windows\SysWOW64\fptzmnv.exe"
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\uirzhjv.exe
    C:\Windows\system32\uirzhjv.exe 2132 "C:\Windows\SysWOW64\fptzmnv.exe"
    3⤵
    - Checks BIOS information in registry
    PID:1636
  - - C:\Windows\SysWOW64\kyenzaw.exe
      C:\Windows\system32\kyenzaw.exe 2220 "C:\Windows\SysWOW64\uirzhjv.exe"
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\kyenzaw.exe
        
        C:\Windows\system32\kyenzaw.exe 2220 "C:\Windows\SysWOW64\uirzhjv.exe"
        5⤵
        NTFS ADS
        
        PID:2248
      - C:\Windows\SysWOW64\xdwvzrn.exe
        
        C:\Windows\system32\xdwvzrn.exe 2240 "C:\Windows\SysWOW64\kyenzaw.exe"
        6⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\xdwvzrn.exe
        
        C:\Windows\system32\xdwvzrn.exe 2240 "C:\Windows\SysWOW64\kyenzaw.exe"
        7⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:3352
        
        C:\Windows\SysWOW64\nafixqu.exe
        
        C:\Windows\system32\nafixqu.exe 2244 "C:\Windows\SysWOW64\xdwvzrn.exe"
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\nafixqu.exe
        
        C:\Windows\system32\nafixqu.exe 2244 "C:\Windows\SysWOW64\xdwvzrn.exe"
        9⤵
        Drops file in System32 directory
        NTFS ADS
        
        PID:2452
        
        C:\Windows\SysWOW64\ccdaset.exe
        
        C:\Windows\system32\ccdaset.exe 2256 "C:\Windows\SysWOW64\nafixqu.exe"
        10⤵
        
        PID:3952

C:\Windows\SysWOW64\ccdaset.exe
C:\Windows\system32\ccdaset.exe 2256 "C:\Windows\SysWOW64\nafixqu.exe"
1⤵
- Checks BIOS information in registry
PID:3000
- C:\Windows\SysWOW64\phvjauc.exe
  C:\Windows\system32\phvjauc.exe 2100 "C:\Windows\SysWOW64\ccdaset.exe"
  2⤵
  PID:4272

C:\Windows\SysWOW64\phvjauc.exe
C:\Windows\system32\phvjauc.exe 2100 "C:\Windows\SysWOW64\ccdaset.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- NTFS ADS
PID:4028
- C:\Windows\SysWOW64\xbtjvqk.exe
  C:\Windows\system32\xbtjvqk.exe 2288 "C:\Windows\SysWOW64\phvjauc.exe"
  2⤵
  PID:4600

C:\Windows\SysWOW64\xbtjvqk.exe
C:\Windows\system32\xbtjvqk.exe 2288 "C:\Windows\SysWOW64\phvjauc.exe"
1⤵
- Checks BIOS information in registry
PID:5056
- C:\Windows\SysWOW64\kgmrvgt.exe
  C:\Windows\system32\kgmrvgt.exe 2292 "C:\Windows\SysWOW64\xbtjvqk.exe"
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\kgmrvgt.exe
    C:\Windows\system32\kgmrvgt.exe 2292 "C:\Windows\SysWOW64\xbtjvqk.exe"
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\zlvwtgz.exe
      C:\Windows\system32\zlvwtgz.exe 2352 "C:\Windows\SysWOW64\kgmrvgt.exe"
      4⤵
      PID:676
    - - C:\Windows\SysWOW64\zlvwtgz.exe
        
        C:\Windows\system32\zlvwtgz.exe 2352 "C:\Windows\SysWOW64\kgmrvgt.exe"
        5⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:428
      - C:\Windows\SysWOW64\pbpklya.exe
        
        C:\Windows\system32\pbpklya.exe 2324 "C:\Windows\SysWOW64\zlvwtgz.exe"
        6⤵
        
        PID:3528

C:\Windows\SysWOW64\pbpklya.exe
C:\Windows\system32\pbpklya.exe 2324 "C:\Windows\SysWOW64\zlvwtgz.exe"
1⤵
PID:2288
- C:\Windows\SysWOW64\fyyxjxh.exe
  C:\Windows\system32\fyyxjxh.exe 2320 "C:\Windows\SysWOW64\pbpklya.exe"
  2⤵
  PID:3912

C:\Windows\SysWOW64\fyyxjxh.exe
C:\Windows\system32\fyyxjxh.exe 2320 "C:\Windows\SysWOW64\pbpklya.exe"
1⤵
- NTFS ADS
PID:2936
- C:\Windows\SysWOW64\urwxflp.exe
  C:\Windows\system32\urwxflp.exe 2336 "C:\Windows\SysWOW64\fyyxjxh.exe"
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\urwxflp.exe
    C:\Windows\system32\urwxflp.exe 2336 "C:\Windows\SysWOW64\fyyxjxh.exe"
    3⤵
    - NTFS ADS
    PID:832
  - - C:\Windows\SysWOW64\hiakhge.exe
      C:\Windows\system32\hiakhge.exe 2348 "C:\Windows\SysWOW64\urwxflp.exe"
      4⤵
      PID:3488

C:\Windows\SysWOW64\hiakhge.exe
C:\Windows\system32\hiakhge.exe 2348 "C:\Windows\SysWOW64\urwxflp.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:4724
- C:\Windows\SysWOW64\apddyge.exe
  C:\Windows\system32\apddyge.exe 2364 "C:\Windows\SysWOW64\hiakhge.exe"
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\apddyge.exe
    C:\Windows\system32\apddyge.exe 2364 "C:\Windows\SysWOW64\hiakhge.exe"
    3⤵
    PID:4388
  - - C:\Windows\SysWOW64\myhqbbl.exe
      C:\Windows\system32\myhqbbl.exe 2356 "C:\Windows\SysWOW64\apddyge.exe"
      4⤵
      PID:2748
    - - C:\Windows\SysWOW64\myhqbbl.exe
        
        C:\Windows\system32\myhqbbl.exe 2356 "C:\Windows\SysWOW64\apddyge.exe"
        5⤵
        Drops file in System32 directory
        
        PID:3540
      - C:\Windows\SysWOW64\csfqwxt.exe
        
        C:\Windows\system32\csfqwxt.exe 2376 "C:\Windows\SysWOW64\myhqbbl.exe"
        6⤵
        
        PID:5108

C:\Windows\SysWOW64\csfqwxt.exe
C:\Windows\system32\csfqwxt.exe 2376 "C:\Windows\SysWOW64\myhqbbl.exe"
1⤵
- Drops file in System32 directory
PID:864
- C:\Windows\SysWOW64\pfxzenc.exe
  C:\Windows\system32\pfxzenc.exe 2408 "C:\Windows\SysWOW64\csfqwxt.exe"
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\pfxzenc.exe
    C:\Windows\system32\pfxzenc.exe 2408 "C:\Windows\SysWOW64\csfqwxt.exe"
    3⤵
    - NTFS ADS
    PID:2784
  - - C:\Windows\SysWOW64\fvkmwed.exe
      C:\Windows\system32\fvkmwed.exe 2420 "C:\Windows\SysWOW64\pfxzenc.exe"
      4⤵
      PID:1696

C:\Windows\SysWOW64\fvkmwed.exe
C:\Windows\system32\fvkmwed.exe 2420 "C:\Windows\SysWOW64\pfxzenc.exe"
1⤵
PID:1116
- C:\Windows\SysWOW64\upimral.exe
  C:\Windows\system32\upimral.exe 2424 "C:\Windows\SysWOW64\fvkmwed.exe"
  2⤵
  PID:3440
- - C:\Windows\SysWOW64\upimral.exe
    C:\Windows\system32\upimral.exe 2424 "C:\Windows\SysWOW64\fvkmwed.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops file in System32 directory
    PID:5028
  - - C:\Windows\SysWOW64\klrspsr.exe
      C:\Windows\system32\klrspsr.exe 2436 "C:\Windows\SysWOW64\upimral.exe"
      4⤵
      PID:4868

C:\Windows\SysWOW64\klrspsr.exe
C:\Windows\system32\klrspsr.exe 2436 "C:\Windows\SysWOW64\upimral.exe"
1⤵
- Drops file in System32 directory
PID:4616
- C:\Windows\SysWOW64\xrjapia.exe
  C:\Windows\system32\xrjapia.exe 2448 "C:\Windows\SysWOW64\klrspsr.exe"
  2⤵
  PID:4652

C:\Windows\SysWOW64\xrjapia.exe
C:\Windows\system32\xrjapia.exe 2448 "C:\Windows\SysWOW64\klrspsr.exe"
1⤵
- NTFS ADS
PID:2100
- C:\Windows\SysWOW64\jecipzj.exe
  C:\Windows\system32\jecipzj.exe 2468 "C:\Windows\SysWOW64\xrjapia.exe"
  2⤵
  PID:4984

C:\Windows\SysWOW64\jecipzj.exe
C:\Windows\system32\jecipzj.exe 2468 "C:\Windows\SysWOW64\xrjapia.exe"
1⤵
PID:2044
- C:\Windows\SysWOW64\zyzikur.exe
  C:\Windows\system32\zyzikur.exe 2472 "C:\Windows\SysWOW64\jecipzj.exe"
  2⤵
  PID:4644

C:\Windows\SysWOW64\zyzikur.exe
C:\Windows\system32\zyzikur.exe 2472 "C:\Windows\SysWOW64\jecipzj.exe"
1⤵
- Checks BIOS information in registry
- NTFS ADS
PID:2556
- C:\Windows\SysWOW64\eapdphs.exe
  C:\Windows\system32\eapdphs.exe 2492 "C:\Windows\SysWOW64\zyzikur.exe"
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\eapdphs.exe
    C:\Windows\system32\eapdphs.exe 2492 "C:\Windows\SysWOW64\zyzikur.exe"
    3⤵
    - NTFS ADS
    PID:4036
  - - C:\Windows\SysWOW64\utmekca.exe
      C:\Windows\system32\utmekca.exe 2496 "C:\Windows\SysWOW64\eapdphs.exe"
      4⤵
      PID:3180
    - - C:\Windows\SysWOW64\utmekca.exe
        
        C:\Windows\system32\utmekca.exe 2496 "C:\Windows\SysWOW64\eapdphs.exe"
        5⤵
        NTFS ADS
        
        PID:4196
      - C:\Windows\SysWOW64\knkwfyi.exe
        
        C:\Windows\system32\knkwfyi.exe 2508 "C:\Windows\SysWOW64\utmekca.exe"
        6⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\knkwfyi.exe
        
        C:\Windows\system32\knkwfyi.exe 2508 "C:\Windows\SysWOW64\utmekca.exe"
        7⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:3328
        
        C:\Windows\SysWOW64\weorisq.exe
        
        C:\Windows\system32\weorisq.exe 2520 "C:\Windows\SysWOW64\knkwfyi.exe"
        8⤵
        
        PID:1092

C:\Windows\SysWOW64\weorisq.exe
C:\Windows\system32\weorisq.exe 2520 "C:\Windows\SysWOW64\knkwfyi.exe"
1⤵
PID:2216
- C:\Windows\SysWOW64\mmbeakr.exe
  C:\Windows\system32\mmbeakr.exe 2532 "C:\Windows\SysWOW64\weorisq.exe"
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\mmbeakr.exe
    C:\Windows\system32\mmbeakr.exe 2532 "C:\Windows\SysWOW64\weorisq.exe"
    3⤵
    - NTFS ADS
    PID:860
  - - C:\Windows\SysWOW64\zztmaaz.exe
      C:\Windows\system32\zztmaaz.exe 2524 "C:\Windows\SysWOW64\mmbeakr.exe"
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\zztmaaz.exe
        
        C:\Windows\system32\zztmaaz.exe 2524 "C:\Windows\SysWOW64\mmbeakr.exe"
        5⤵
        NTFS ADS
        
        PID:4840
      - C:\Windows\SysWOW64\owcsyso.exe
        
        C:\Windows\system32\owcsyso.exe 2556 "C:\Windows\SysWOW64\zztmaaz.exe"
        6⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\owcsyso.exe
        
        C:\Windows\system32\owcsyso.exe 2556 "C:\Windows\SysWOW64\zztmaaz.exe"
        7⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:3504
        
        C:\Windows\SysWOW64\empfrjp.exe
        
        C:\Windows\system32\empfrjp.exe 2568 "C:\Windows\SysWOW64\owcsyso.exe"
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\empfrjp.exe
        
        C:\Windows\system32\empfrjp.exe 2568 "C:\Windows\SysWOW64\owcsyso.exe"
        9⤵
        Checks BIOS information in registry
        
        PID:2476
        
        C:\Windows\SysWOW64\rvsabex.exe
        
        C:\Windows\system32\rvsabex.exe 2580 "C:\Windows\SysWOW64\empfrjp.exe"
        10⤵
        
        PID:3280

C:\Windows\SysWOW64\rvsabex.exe
C:\Windows\system32\rvsabex.exe 2580 "C:\Windows\SysWOW64\empfrjp.exe"
1⤵
- Checks BIOS information in registry
PID:5052
- C:\Windows\SysWOW64\kketsfw.exe
  C:\Windows\system32\kketsfw.exe 2592 "C:\Windows\SysWOW64\rvsabex.exe"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\kketsfw.exe
    C:\Windows\system32\kketsfw.exe 2592 "C:\Windows\SysWOW64\rvsabex.exe"
    3⤵
    PID:4956
  - - C:\Windows\SysWOW64\wtzgval.exe
      C:\Windows\system32\wtzgval.exe 2612 "C:\Windows\SysWOW64\kketsfw.exe"
      4⤵
      PID:1496

C:\Windows\SysWOW64\wtzgval.exe
C:\Windows\system32\wtzgval.exe 2612 "C:\Windows\SysWOW64\kketsfw.exe"
1⤵
- Checks BIOS information in registry
PID:2096
- C:\Windows\SysWOW64\jvobsmv.exe
  C:\Windows\system32\jvobsmv.exe 2616 "C:\Windows\SysWOW64\wtzgval.exe"
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\jvobsmv.exe
    C:\Windows\system32\jvobsmv.exe 2616 "C:\Windows\SysWOW64\wtzgval.exe"
    3⤵
    - Checks BIOS information in registry
    PID:4256
  - - C:\Windows\SysWOW64\zombnhv.exe
      C:\Windows\system32\zombnhv.exe 2628 "C:\Windows\SysWOW64\jvobsmv.exe"
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\zombnhv.exe
        
        C:\Windows\system32\zombnhv.exe 2628 "C:\Windows\SysWOW64\jvobsmv.exe"
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\pikcidd.exe
        
        C:\Windows\system32\pikcidd.exe 2640 "C:\Windows\SysWOW64\zombnhv.exe"
        6⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\pikcidd.exe
        
        C:\Windows\system32\pikcidd.exe 2640 "C:\Windows\SysWOW64\zombnhv.exe"
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\bvdkitm.exe
        
        C:\Windows\system32\bvdkitm.exe 2652 "C:\Windows\SysWOW64\pikcidd.exe"
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\bvdkitm.exe
        
        C:\Windows\system32\bvdkitm.exe 2652 "C:\Windows\SysWOW64\pikcidd.exe"
        9⤵
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\rsmpols.exe
        
        C:\Windows\system32\rsmpols.exe 2664 "C:\Windows\SysWOW64\bvdkitm.exe"
        10⤵
        
        PID:2080

C:\Windows\SysWOW64\rsmpols.exe
C:\Windows\system32\rsmpols.exe 2664 "C:\Windows\SysWOW64\bvdkitm.exe"
1⤵
PID:2744
- C:\Windows\SysWOW64\hmkpjha.exe
  C:\Windows\system32\hmkpjha.exe 2676 "C:\Windows\SysWOW64\rsmpols.exe"
  2⤵
  PID:4348

C:\Windows\SysWOW64\hmkpjha.exe
C:\Windows\system32\hmkpjha.exe 2676 "C:\Windows\SysWOW64\rsmpols.exe"
1⤵
- NTFS ADS
PID:3680
- C:\Windows\SysWOW64\ofhqeca.exe
  C:\Windows\system32\ofhqeca.exe 2688 "C:\Windows\SysWOW64\hmkpjha.exe"
  2⤵
  PID:1316

C:\Windows\SysWOW64\ofhqeca.exe
C:\Windows\system32\ofhqeca.exe 2688 "C:\Windows\SysWOW64\hmkpjha.exe"
1⤵
PID:5040
- C:\Windows\SysWOW64\eyfqzyi.exe
  C:\Windows\system32\eyfqzyi.exe 2700 "C:\Windows\SysWOW64\ofhqeca.exe"
  2⤵
  PID:2336

C:\Windows\SysWOW64\eyfqzyi.exe
C:\Windows\system32\eyfqzyi.exe 2700 "C:\Windows\SysWOW64\ofhqeca.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:4740
- C:\Windows\SysWOW64\rpjdctp.exe
  C:\Windows\system32\rpjdctp.exe 2692 "C:\Windows\SysWOW64\eyfqzyi.exe"
  2⤵
  PID:2464

C:\Windows\SysWOW64\rpjdctp.exe
C:\Windows\system32\rpjdctp.exe 2692 "C:\Windows\SysWOW64\eyfqzyi.exe"
1⤵
PID:3888
- C:\Windows\SysWOW64\erqyzfz.exe
  C:\Windows\system32\erqyzfz.exe 2712 "C:\Windows\SysWOW64\rpjdctp.exe"
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\erqyzfz.exe
    C:\Windows\system32\erqyzfz.exe 2712 "C:\Windows\SysWOW64\rpjdctp.exe"
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\tozmxfg.exe
      C:\Windows\system32\tozmxfg.exe 2744 "C:\Windows\SysWOW64\erqyzfz.exe"
      4⤵
      PID:2524

C:\Windows\SysWOW64\tozmxfg.exe
C:\Windows\system32\tozmxfg.exe 2744 "C:\Windows\SysWOW64\erqyzfz.exe"
1⤵
- Checks BIOS information in registry
PID:4612
- C:\Windows\SysWOW64\mwcwoxf.exe
  C:\Windows\system32\mwcwoxf.exe 2756 "C:\Windows\SysWOW64\tozmxfg.exe"
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\mwcwoxf.exe
    C:\Windows\system32\mwcwoxf.exe 2756 "C:\Windows\SysWOW64\tozmxfg.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops file in System32 directory
    PID:3928
  - - C:\Windows\SysWOW64\zjvenoo.exe
      C:\Windows\system32\zjvenoo.exe 2760 "C:\Windows\SysWOW64\mwcwoxf.exe"
      4⤵
      PID:3980
    - - C:\Windows\SysWOW64\zjvenoo.exe
        
        C:\Windows\system32\zjvenoo.exe 2760 "C:\Windows\SysWOW64\mwcwoxf.exe"
        5⤵
        Drops file in System32 directory
        
        PID:4240
      - C:\Windows\SysWOW64\mlkzsay.exe
        
        C:\Windows\system32\mlkzsay.exe 2736 "C:\Windows\SysWOW64\zjvenoo.exe"
        6⤵
        
        PID:2076

C:\Windows\SysWOW64\mlkzsay.exe
C:\Windows\system32\mlkzsay.exe 2736 "C:\Windows\SysWOW64\zjvenoo.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:4680
- C:\Windows\SysWOW64\beiaovy.exe
  C:\Windows\system32\beiaovy.exe 2792 "C:\Windows\SysWOW64\mlkzsay.exe"
  2⤵
  PID:4312

C:\Windows\SysWOW64\beiaovy.exe
C:\Windows\system32\beiaovy.exe 2792 "C:\Windows\SysWOW64\mlkzsay.exe"
1⤵
- Drops file in System32 directory
PID:2656
- C:\Windows\SysWOW64\onmvqqn.exe
  C:\Windows\system32\onmvqqn.exe 2776 "C:\Windows\SysWOW64\beiaovy.exe"
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\onmvqqn.exe
    C:\Windows\system32\onmvqqn.exe 2776 "C:\Windows\SysWOW64\beiaovy.exe"
    3⤵
    - Checks BIOS information in registry
    - NTFS ADS
    PID:4500
  - - C:\Windows\SysWOW64\hvpfhrm.exe
      C:\Windows\system32\hvpfhrm.exe 2808 "C:\Windows\SysWOW64\onmvqqn.exe"
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\hvpfhrm.exe
        
        C:\Windows\system32\hvpfhrm.exe 2808 "C:\Windows\SysWOW64\onmvqqn.exe"
        5⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:3992
      - C:\Windows\SysWOW64\tmtakmc.exe
        
        C:\Windows\system32\tmtakmc.exe 2820 "C:\Windows\SysWOW64\hvpfhrm.exe"
        6⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\tmtakmc.exe
        
        C:\Windows\system32\tmtakmc.exe 2820 "C:\Windows\SysWOW64\hvpfhrm.exe"
        7⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:4220
        
        C:\Windows\SysWOW64\jcfocdd.exe
        
        C:\Windows\system32\jcfocdd.exe 2832 "C:\Windows\SysWOW64\tmtakmc.exe"
        8⤵
        
        PID:4140

C:\Windows\SysWOW64\jcfocdd.exe
C:\Windows\system32\jcfocdd.exe 2832 "C:\Windows\SysWOW64\tmtakmc.exe"
1⤵
- Checks BIOS information in registry
- NTFS ADS
PID:4160
- C:\Windows\SysWOW64\whywctl.exe
  C:\Windows\system32\whywctl.exe 2844 "C:\Windows\SysWOW64\jcfocdd.exe"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\whywctl.exe
    C:\Windows\system32\whywctl.exe 2844 "C:\Windows\SysWOW64\jcfocdd.exe"
    3⤵
    PID:3188
  - - C:\Windows\SysWOW64\lehbals.exe
      C:\Windows\system32\lehbals.exe 2856 "C:\Windows\SysWOW64\whywctl.exe"
      4⤵
      PID:396

C:\Windows\SysWOW64\lehbals.exe
C:\Windows\system32\lehbals.exe 2856 "C:\Windows\SysWOW64\whywctl.exe"
1⤵
PID:4976
- C:\Windows\SysWOW64\bfecvha.exe
  C:\Windows\system32\bfecvha.exe 2868 "C:\Windows\SysWOW64\lehbals.exe"
  2⤵
  PID:4904

C:\Windows\SysWOW64\bfecvha.exe
C:\Windows\system32\bfecvha.exe 2868 "C:\Windows\SysWOW64\lehbals.exe"
1⤵
- Checks BIOS information in registry
- NTFS ADS
PID:2392
- C:\Windows\SysWOW64\rzccqca.exe
  C:\Windows\system32\rzccqca.exe 2892 "C:\Windows\SysWOW64\bfecvha.exe"
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\rzccqca.exe
    C:\Windows\system32\rzccqca.exe 2892 "C:\Windows\SysWOW64\bfecvha.exe"
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\vigpbxp.exe
      C:\Windows\system32\vigpbxp.exe 2888 "C:\Windows\SysWOW64\rzccqca.exe"
      4⤵
      PID:4248

C:\Windows\SysWOW64\vigpbxp.exe
C:\Windows\system32\vigpbxp.exe 2888 "C:\Windows\SysWOW64\rzccqca.exe"
1⤵
- Drops file in System32 directory
- NTFS ADS
PID:4048
- C:\Windows\SysWOW64\opjirqo.exe
  C:\Windows\system32\opjirqo.exe 2912 "C:\Windows\SysWOW64\vigpbxp.exe"
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\opjirqo.exe
    C:\Windows\system32\opjirqo.exe 2912 "C:\Windows\SysWOW64\vigpbxp.exe"
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\bdcqrgx.exe
      C:\Windows\system32\bdcqrgx.exe 2896 "C:\Windows\SysWOW64\opjirqo.exe"
      4⤵
      PID:1632

C:\Windows\SysWOW64\bdcqrgx.exe
C:\Windows\system32\bdcqrgx.exe 2896 "C:\Windows\SysWOW64\opjirqo.exe"
1⤵
- NTFS ADS
PID:1568
- C:\Windows\SysWOW64\rwiqmcf.exe
  C:\Windows\system32\rwiqmcf.exe 2940 "C:\Windows\SysWOW64\bdcqrgx.exe"
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\rwiqmcf.exe
    C:\Windows\system32\rwiqmcf.exe 2940 "C:\Windows\SysWOW64\bdcqrgx.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops file in System32 directory
    - NTFS ADS
    PID:4648
  - - C:\Windows\SysWOW64\gtjvkcm.exe
      C:\Windows\system32\gtjvkcm.exe 2936 "C:\Windows\SysWOW64\rwiqmcf.exe"
      4⤵
      PID:3932

C:\Windows\SysWOW64\gtjvkcm.exe
C:\Windows\system32\gtjvkcm.exe 2936 "C:\Windows\SysWOW64\rwiqmcf.exe"
1⤵
- NTFS ADS
PID:1400
- C:\Windows\SysWOW64\wysjics.exe
  C:\Windows\system32\wysjics.exe 2952 "C:\Windows\SysWOW64\gtjvkcm.exe"
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\wysjics.exe
    C:\Windows\system32\wysjics.exe 2952 "C:\Windows\SysWOW64\gtjvkcm.exe"
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\lvbogbz.exe
      C:\Windows\system32\lvbogbz.exe 2964 "C:\Windows\SysWOW64\wysjics.exe"
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\lvbogbz.exe
        
        C:\Windows\system32\lvbogbz.exe 2964 "C:\Windows\SysWOW64\wysjics.exe"
        5⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:724
      - C:\Windows\SysWOW64\bozocph.exe
        
        C:\Windows\system32\bozocph.exe 2984 "C:\Windows\SysWOW64\lvbogbz.exe"
        6⤵
        
        PID:4264

C:\Windows\SysWOW64\bozocph.exe
C:\Windows\system32\bozocph.exe 2984 "C:\Windows\SysWOW64\lvbogbz.exe"
1⤵
- Checks BIOS information in registry
PID:1584
- C:\Windows\SysWOW64\qticapo.exe
  C:\Windows\system32\qticapo.exe 2988 "C:\Windows\SysWOW64\bozocph.exe"
  2⤵
  PID:3512
- - C:\Windows\SysWOW64\qticapo.exe
    C:\Windows\system32\qticapo.exe 2988 "C:\Windows\SysWOW64\bozocph.exe"
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\dyakzfw.exe
      C:\Windows\system32\dyakzfw.exe 3000 "C:\Windows\SysWOW64\qticapo.exe"
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\dyakzfw.exe
        
        C:\Windows\system32\dyakzfw.exe 3000 "C:\Windows\SysWOW64\qticapo.exe"
        5⤵
        
        PID:4784
      - C:\Windows\SysWOW64\lzipauy.exe
        
        C:\Windows\system32\lzipauy.exe 3012 "C:\Windows\SysWOW64\dyakzfw.exe"
        6⤵
        
        PID:376

C:\Windows\SysWOW64\lzipauy.exe
C:\Windows\system32\lzipauy.exe 3012 "C:\Windows\SysWOW64\dyakzfw.exe"
1⤵
PID:1832
- C:\Windows\SysWOW64\yfbyzkg.exe
  C:\Windows\system32\yfbyzkg.exe 3024 "C:\Windows\SysWOW64\lzipauy.exe"
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\yfbyzkg.exe
    C:\Windows\system32\yfbyzkg.exe 3024 "C:\Windows\SysWOW64\lzipauy.exe"
    3⤵
    - Drops file in System32 directory
    PID:4704
  - - C:\Windows\SysWOW64\oyzqvgo.exe
      C:\Windows\system32\oyzqvgo.exe 3004 "C:\Windows\SysWOW64\yfbyzkg.exe"
      4⤵
      PID:4260
    - - C:\Windows\SysWOW64\oyzqvgo.exe
        
        C:\Windows\system32\oyzqvgo.exe 3004 "C:\Windows\SysWOW64\yfbyzkg.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1788
      - C:\Windows\SysWOW64\bdrydwx.exe
        
        C:\Windows\system32\bdrydwx.exe 3048 "C:\Windows\SysWOW64\oyzqvgo.exe"
        6⤵
        
        PID:4620

C:\Windows\SysWOW64\bdrydwx.exe
C:\Windows\system32\bdrydwx.exe 3048 "C:\Windows\SysWOW64\oyzqvgo.exe"
1⤵
PID:3660
- C:\Windows\SysWOW64\qialbwe.exe
  C:\Windows\system32\qialbwe.exe 3060 "C:\Windows\SysWOW64\bdrydwx.exe"
  2⤵
  PID:3332

C:\Windows\SysWOW64\qialbwe.exe
C:\Windows\system32\qialbwe.exe 3060 "C:\Windows\SysWOW64\bdrydwx.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
PID:1156
- C:\Windows\SysWOW64\gcyewkl.exe
  C:\Windows\system32\gcyewkl.exe 3076 "C:\Windows\SysWOW64\qialbwe.exe"
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\gcyewkl.exe
    C:\Windows\system32\gcyewkl.exe 3076 "C:\Windows\SysWOW64\qialbwe.exe"
    3⤵
    - Checks BIOS information in registry
    PID:4492
  - - C:\Windows\SysWOW64\ovwerfl.exe
      C:\Windows\system32\ovwerfl.exe 3096 "C:\Windows\SysWOW64\gcyewkl.exe"
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\ovwerfl.exe
        
        C:\Windows\system32\ovwerfl.exe 3096 "C:\Windows\SysWOW64\gcyewkl.exe"
        5⤵
        
        PID:3372
      - C:\Windows\SysWOW64\abomrwu.exe
        
        C:\Windows\system32\abomrwu.exe 3100 "C:\Windows\SysWOW64\ovwerfl.exe"
        6⤵
        
        PID:1728

C:\Windows\SysWOW64\abomrwu.exe
C:\Windows\system32\abomrwu.exe 3100 "C:\Windows\SysWOW64\ovwerfl.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
PID:5068
- C:\Windows\SysWOW64\qummmrc.exe
  C:\Windows\system32\qummmrc.exe 3120 "C:\Windows\SysWOW64\abomrwu.exe"
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\qummmrc.exe
    C:\Windows\system32\qummmrc.exe 3120 "C:\Windows\SysWOW64\abomrwu.exe"
    3⤵
    - Drops file in System32 directory
    PID:692
  - - C:\Windows\SysWOW64\dwtijdm.exe
      C:\Windows\system32\dwtijdm.exe 3124 "C:\Windows\SysWOW64\qummmrc.exe"
      4⤵
      PID:3848
    - - C:\Windows\SysWOW64\dwtijdm.exe
        
        C:\Windows\system32\dwtijdm.exe 3124 "C:\Windows\SysWOW64\qummmrc.exe"
        5⤵
        Checks BIOS information in registry
        
        PID:4136
      - C:\Windows\SysWOW64\tbcnhds.exe
        
        C:\Windows\system32\tbcnhds.exe 3112 "C:\Windows\SysWOW64\dwtijdm.exe"
        6⤵
        
        PID:1928

C:\Windows\SysWOW64\tbcnhds.exe
C:\Windows\system32\tbcnhds.exe 3112 "C:\Windows\SysWOW64\dwtijdm.exe"
1⤵
PID:3164
- C:\Windows\SysWOW64\gdrimpu.exe
  C:\Windows\system32\gdrimpu.exe 3148 "C:\Windows\SysWOW64\tbcnhds.exe"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\gdrimpu.exe
    C:\Windows\system32\gdrimpu.exe 3148 "C:\Windows\SysWOW64\tbcnhds.exe"
    3⤵
    - Drops file in System32 directory
    - NTFS ADS
    PID:3956
  - - C:\Windows\SysWOW64\sikqmgd.exe
      C:\Windows\system32\sikqmgd.exe 3140 "C:\Windows\SysWOW64\gdrimpu.exe"
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\sikqmgd.exe
        
        C:\Windows\system32\sikqmgd.exe 3140 "C:\Windows\SysWOW64\gdrimpu.exe"
        5⤵
        NTFS ADS
        
        PID:4696
      - C:\Windows\SysWOW64\lqnjchc.exe
        
        C:\Windows\system32\lqnjchc.exe 3172 "C:\Windows\SysWOW64\sikqmgd.exe"
        6⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\lqnjchc.exe
        
        C:\Windows\system32\lqnjchc.exe 3172 "C:\Windows\SysWOW64\sikqmgd.exe"
        7⤵
        Drops file in System32 directory
        NTFS ADS
        
        PID:4320
        
        C:\Windows\SysWOW64\tjnbdaq.exe
        
        C:\Windows\system32\tjnbdaq.exe 3200 "C:\Windows\SysWOW64\lqnjchc.exe"
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\tjnbdaq.exe
        
        C:\Windows\system32\tjnbdaq.exe 3200 "C:\Windows\SysWOW64\lqnjchc.exe"
        9⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\npebrfd.exe
        
        C:\Windows\system32\npebrfd.exe 3216 "C:\Windows\SysWOW64\tjnbdaq.exe"
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\npebrfd.exe
        
        C:\Windows\system32\npebrfd.exe 3216 "C:\Windows\SysWOW64\tjnbdaq.exe"
        11⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:3728
        
        C:\Windows\SysWOW64\lbjcbig.exe
        
        C:\Windows\system32\lbjcbig.exe 3208 "C:\Windows\SysWOW64\npebrfd.exe"
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\lbjcbig.exe
        
        C:\Windows\system32\lbjcbig.exe 3208 "C:\Windows\SysWOW64\npebrfd.exe"
        13⤵
        Checks BIOS information in registry
        
        PID:4760
        
        C:\Windows\SysWOW64\qkscdns.exe
        
        C:\Windows\system32\qkscdns.exe 3236 "C:\Windows\SysWOW64\lbjcbig.exe"
        14⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\qkscdns.exe
        
        C:\Windows\system32\qkscdns.exe 3236 "C:\Windows\SysWOW64\lbjcbig.exe"
        15⤵
        Drops file in System32 directory
        NTFS ADS
        
        PID:2068
        
        C:\Windows\SysWOW64\xhdihsf.exe
        
        C:\Windows\system32\xhdihsf.exe 3240 "C:\Windows\SysWOW64\qkscdns.exe"
        16⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\xhdihsf.exe
        
        C:\Windows\system32\xhdihsf.exe 3240 "C:\Windows\SysWOW64\qkscdns.exe"
        17⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\nbbakom.exe
        
        C:\Windows\system32\nbbakom.exe 3244 "C:\Windows\SysWOW64\xhdihsf.exe"
        18⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\nbbakom.exe
        
        C:\Windows\system32\nbbakom.exe 3244 "C:\Windows\SysWOW64\xhdihsf.exe"
        19⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\vfntfzn.exe
        
        C:\Windows\system32\vfntfzn.exe 3264 "C:\Windows\SysWOW64\nbbakom.exe"
        20⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\vfntfzn.exe
        
        C:\Windows\system32\vfntfzn.exe 3264 "C:\Windows\SysWOW64\nbbakom.exe"
        21⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\dkfmpgz.exe
        
        C:\Windows\system32\dkfmpgz.exe 3268 "C:\Windows\SysWOW64\vfntfzn.exe"
        22⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dkfmpgz.exe
        
        C:\Windows\system32\dkfmpgz.exe 3268 "C:\Windows\SysWOW64\vfntfzn.exe"
        23⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\awcesvn.exe
        
        C:\Windows\system32\awcesvn.exe 3280 "C:\Windows\SysWOW64\dkfmpgz.exe"
        24⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\awcesvn.exe
        
        C:\Windows\system32\awcesvn.exe 3280 "C:\Windows\SysWOW64\dkfmpgz.exe"
        25⤵
        NTFS ADS
        
        PID:4208
        
        C:\Windows\SysWOW64\fyvxova.exe
        
        C:\Windows\system32\fyvxova.exe 3272 "C:\Windows\SysWOW64\awcesvn.exe"
        26⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\fyvxova.exe
        
        C:\Windows\system32\fyvxova.exe 3272 "C:\Windows\SysWOW64\awcesvn.exe"
        27⤵
        Checks BIOS information in registry
        
        PID:5112
        
        C:\Windows\SysWOW64\vkbimds.exe
        
        C:\Windows\system32\vkbimds.exe 3304 "C:\Windows\SysWOW64\fyvxova.exe"
        28⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\vkbimds.exe
        
        C:\Windows\system32\vkbimds.exe 3304 "C:\Windows\SysWOW64\fyvxova.exe"
        29⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:4732
        
        C:\Windows\SysWOW64\iiydrls.exe
        
        C:\Windows\system32\iiydrls.exe 3332 "C:\Windows\SysWOW64\vkbimds.exe"
        30⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\iiydrls.exe
        
        C:\Windows\system32\iiydrls.exe 3332 "C:\Windows\SysWOW64\vkbimds.exe"
        31⤵
        Drops file in System32 directory
        NTFS ADS
        
        PID:1912
        
        C:\Windows\SysWOW64\fjswzek.exe
        
        C:\Windows\system32\fjswzek.exe 3176 "C:\Windows\SysWOW64\iiydrls.exe"
        32⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\fjswzek.exe
        
        C:\Windows\system32\fjswzek.exe 3176 "C:\Windows\SysWOW64\iiydrls.exe"
        33⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\deowjgo.exe
        
        C:\Windows\system32\deowjgo.exe 3184 "C:\Windows\SysWOW64\fjswzek.exe"
        34⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\deowjgo.exe
        
        C:\Windows\system32\deowjgo.exe 3184 "C:\Windows\SysWOW64\fjswzek.exe"
        35⤵
        Checks BIOS information in registry
        
        PID:2148
        
        C:\Windows\SysWOW64\uwaecyj.exe
        
        C:\Windows\system32\uwaecyj.exe 3352 "C:\Windows\SysWOW64\deowjgo.exe"
        36⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\uwaecyj.exe
        
        C:\Windows\system32\uwaecyj.exe 3352 "C:\Windows\SysWOW64\deowjgo.exe"
        37⤵
        NTFS ADS
        
        PID:1704
        
        C:\Windows\SysWOW64\hbusvwp.exe
        
        C:\Windows\system32\hbusvwp.exe 3364 "C:\Windows\SysWOW64\uwaecyj.exe"
        38⤵
        
        PID:552
        
        C:\Windows\SysWOW64\hbusvwp.exe
        
        C:\Windows\system32\hbusvwp.exe 3364 "C:\Windows\SysWOW64\uwaecyj.exe"
        39⤵
        Checks BIOS information in registry
        NTFS ADS
        
        PID:2380
        
        C:\Windows\SysWOW64\vlkaeqx.exe
        
        C:\Windows\system32\vlkaeqx.exe 3380 "C:\Windows\SysWOW64\hbusvwp.exe"
        40⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\vlkaeqx.exe
        
        C:\Windows\system32\vlkaeqx.exe 3380 "C:\Windows\SysWOW64\hbusvwp.exe"
        41⤵
        NTFS ADS
        
        PID:408
        
        C:\Windows\SysWOW64\flwdovg.exe
        
        C:\Windows\system32\flwdovg.exe 3396 "C:\Windows\SysWOW64\vlkaeqx.exe"
        42⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\flwdovg.exe
        
        C:\Windows\system32\flwdovg.exe 3396 "C:\Windows\SysWOW64\vlkaeqx.exe"
        43⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        NTFS ADS
        
        PID:2388
        
        C:\Windows\SysWOW64\uxvweey.exe
        
        C:\Windows\system32\uxvweey.exe 3348 "C:\Windows\SysWOW64\flwdovg.exe"
        44⤵
        
        PID:944
        
        C:\Windows\SysWOW64\uxvweey.exe
        
        C:\Windows\system32\uxvweey.exe 3348 "C:\Windows\SysWOW64\flwdovg.exe"
        45⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\nxhzorh.exe
        
        C:\Windows\system32\nxhzorh.exe 3412 "C:\Windows\SysWOW64\uxvweey.exe"
        46⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\nxhzorh.exe
        
        C:\Windows\system32\nxhzorh.exe 3412 "C:\Windows\SysWOW64\uxvweey.exe"
        47⤵
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\curxgdx.exe
        
        C:\Windows\system32\curxgdx.exe 3440 "C:\Windows\SysWOW64\nxhzorh.exe"
        48⤵
        
        PID:648
        
        C:\Windows\SysWOW64\curxgdx.exe
        
        C:\Windows\system32\curxgdx.exe 3440 "C:\Windows\SysWOW64\nxhzorh.exe"
        49⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\palkacd.exe
        
        C:\Windows\system32\palkacd.exe 3432 "C:\Windows\SysWOW64\curxgdx.exe"
        50⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\palkacd.exe
        
        C:\Windows\system32\palkacd.exe 3432 "C:\Windows\SysWOW64\curxgdx.exe"
        51⤵
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
6a6dea7a5c1ba1832a81747b013a884c

SHA1
b2f8657ec6791f7d908405e213d9d61af82b4832

SHA256
004572caf1636d688473fb90fabb0b91876782aacddc8c25d2ef2104119793d3

SHA512
72e53a575cd7414ac71da328ca00e1ac1959c8191782ead43cd71036f66ab9b2d326569e8519e9a685180094e2da3d86a2974eb5acc522d39b08bf9549904fc7

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
bda4cb961faf6e57db844c2cf4070c15

SHA1
230aa5afef7e2d0de02bdc04519e80c966117e66

SHA256
3d2095570c873f31dc6d4403b1a0bd065e6298ec31926a70452942409f346c62

SHA512
64986b5de3aa20e24e926de887bf8b6da17b5ecc18af9d2d09653b1e60e8ef34a6fff752888464ef861dce8346311da1f18040f093e9001f49e6e1425f6696f5

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
492e32e1f527dc6c0dbba2c88a462af3

SHA1
72272df6bc2b5fab8a6c11d00b241a95133a3970

SHA256
de5291dc323d476262cfeea3f543f3b97c6ff2eea35d407ed49f01741fd94216

SHA512
892fa2028caf7cf6459031636c7be4ed50f33ec6d81ae582190aebaaa7264a26756faa19d3e2adb7f77b721938c48c14c2000055d944e610b0b993548e88a666

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
d2027ae061c9e15f85658d8c3590041b

SHA1
df50fb62bbce72c955476db6183c6db17790f4ca

SHA256
7a7d7dd4e5b9a826a39024408d25a375c6099f74f4a2d3574a7645be60162e0a

SHA512
49c05ebcde8076f5a88c6814441b3fe86515e440280193085cbd18ad49b8c7802f46245dca4ad196d24a097d2ae9f909fdf1d5d5ae395fceddeea9384d5c0232

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
a2273c7601486e8e13e3b0f2640a619d

SHA1
32e2adf48966a43021992903e50891de4f949629

SHA256
8bd29230218028b966961fd4a0aecb140ce2d41a774fecdccceccfdd7d5c7cad

SHA512
1b0e153a08060c2a513301f41304ccf43a0626361aed559b7aee29cc9e40be3df5ab992cb8be3187833bcbdef8db785fbd8cf3a00662e81487fec7a7ef411339

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
52b896c61b7cb4e372a255986b1c1cc8

SHA1
2a3f51b33ff842f87e954b8c1071ec19b40bda96

SHA256
ef6220ed591b86e341c2f2322d37276028e24a872e6ed5c3002673fa6835d590

SHA512
61a66861002100a515791052a20efc68c6d91d593786050b240096dd666007408a5a0b6395d0c02a800992ceeb5f03a98ca552d9f61f03797afa792fd8b27576

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
587bf85f00fa31d8953701b5a222abdd

SHA1
adb579ba1481b1f2428bf939aebdf4e8be5e6525

SHA256
ee6f5c7f38a6714bdc5ef2614529bd3dd9cf464f147b9eb09794c867b0d86fef

SHA512
e8b54a9f40af28e68e8366c3cd22f84bc3ad9a75c01633dea75b471dfede87dc979edb75e4cd3bffa4e63e5a6b9d9f620084cad4f5f1d19303d33489e82b5e0f

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
41f01ec928b5aa44557af0c1a0dfbc99

SHA1
968168ee1c344a1b1d8a9ffe5bea9237f7c87a5a

SHA256
51256433279f0b4f28afced3a8757f5d03352232bace9184aba84b6cb498b2c1

SHA512
a5759bd9a373e2c3c1e8851dd48cdf0282e5b3000b3639c5d9774fb25c84dbfb07c015e6f8581f125ee2552e1fd9907d1a38f00e42139d6bb595128f58ce78da

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
11c18f904b06787c143d862189e2c9c8

SHA1
dc6ce7c8c2e8d4ef019bcb5376e825615d1a77bd

SHA256
2158ead3ad9dd6a0a5b8c86b5ea13a4da6d686cf72eff5f60dc8d9d88829268f

SHA512
4bce77469267fae642857789d7bf7aacf77009fc39266e37bf023266af2e0057776668058b07a0f99774675bf3624f48df5b154e783d2a53e2c81c61b8fdc7c9

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
a6a8ee453cf7c71d07f2e3a99fc1db8e

SHA1
e2371b4f58602d828a530c975d33c5b7c9a5e5ae

SHA256
72ff9f29d40abce22364d0bdead5d4f48c9d1cb73cb6679210cea59987eb6ff2

SHA512
4385420a454c6f34b6d696caf0752350a31820d5f15cadab7d30b883e00407b170136f3afb6fd194cd3a742d915d9c6037adc7c346bea2335049de766d459e9c

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
f5ac2e3b5169131f1d1255959942e2af

SHA1
2a85f943bbb1ccdbfe9b4281f7c07b49ee7ff6cf

SHA256
55d49ab7c0ddbe4b15f94af80212bde24ef6581ee3c12bb3854fa05e5dba7427

SHA512
b82f8ff00d37eaecd5baaccf15fb7b1cf071a887789ecf8699bcb589b78144b0ce971f39f7e64883c86464e4a74a27f576879d12be51866771f03a76863190d5

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
6d4b53668ae0dd4f3b848a011be0e8e6

SHA1
8587865cd4122ffd56e9f58511a04d8cbda2831a

SHA256
0d8d73d2e00da07af15d45c9bcf8bbd821bb50991a5c5128d840868d70095f0d

SHA512
2f17a60f72e2ea4f925c102b0bc1333b3d4a1dabbf4f1b34981c985b85df7522259a95a1831c4b1cf8f8efef553176bbfae080fc43b960883919f539e185103d

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
1a350e0fc1767474bcbcfb0edb9c7f0e

SHA1
986ee85ea797ee0a1e4b4bf0cebcfe10542ffe15

SHA256
fb8805a08c3141d87e0e89aa55c7fc1b514432fa6cf992f60f4e63fe71b5907b

SHA512
4b277fd7c53faa05b74e3a2109fa02c998c7e817ce0749c5ece5897f9fc9e67551e4a630aabfa1713dc49908c5020234c7fe20db8272027e96fbdbdf2cbc432c

Download Submit
C:\ProgramData\TEMP:474A6CD6

Filesize
126B

MD5
855d3980f889bda7f8fc01245778a28e

SHA1
18b4de10cbe3aefad417064b80883e82e97f16ae

SHA256
dfdafb88ff44a0342d7f52f7f1c02d43f74623cb9b78450d5789f7bc60d5a64a

SHA512
7782b0892ca28e9c717c97b393c6b0e2646f25f4825aaced6d1f7d9702d12aedb4f7cf8895e266e81a664c943f9224c5fb5134124a4ea2dc00e82143e164d34e

Download Submit
C:\Windows\SysWOW64\clyxbik.exe

Filesize
85KB

MD5
322465ada5c38d9c4632eef34105a843

SHA1
7ff3ccee279384d231ff47e494aca66f86ebead5

SHA256
227c77a7cbca5cc2c2a2348ed19af93a760b34f17c4432edc4d626a51b4c4e8a

SHA512
5f8a63063aa4f6f1073c74b1f3c8d321684d87f1653383ae89ece545816fd820b6b476e00ee8254ade3560e88d1025627e51fafdaa5c6649bf7f09280b73a296

Download Submit
C:\Windows\SysWOW64\clyxbik.exe

Filesize
55KB

MD5
9dac7731308a3aae2126a050267c0ffe

SHA1
d7c4308f014bac050dde81f1cfe503b68be94c60

SHA256
47ee5c79fdecb49f59da71044bdf5c995a115a15b353c4a56bc319b6e537a973

SHA512
c1d0c30ed17aa3712e8788a1203e7a3c142f6bd2db309ee87374177f789a6da6878999e56d1c92000c67de1a3ec96684430d8f37a896d65fa7a3cc8547cb606c

Download Submit
C:\Windows\SysWOW64\clyxbik.exe

Filesize
38KB

MD5
e0375b2309742ddf9fa2834c804cef0b

SHA1
e8a18c4d0ca8d62f1c8c3adc423d4d44cdf6bf79

SHA256
69c2d7def615626ee6891a491a0f3f2158907f9d778fe249c0a005d1b94a5aaf

SHA512
13d4dcc3a7d72625186ab5608ddb4680f34c47503c99abb721dcb24c3b6e60af66c5b73d51640baf48fe0b510277327e8204f86963228285fa376fa069f24722

Download Submit
C:\Windows\SysWOW64\gaqrmax.exe

Filesize
25KB

MD5
f6d7c89d4cdffc501370f68a5d8be9c0

SHA1
cbb58bc56d9e2d1f7f21b49b265408673a51f876

SHA256
8917f2df249ec8bb47a7b02c08a368e17fda5120de9d7c98634f550b6834142a

SHA512
a61860dd96b8b0f8530165fef5cba329d151e3099ff79af7fa45b7074ee5ee73dc8c02b70f56ea1da7f05ee3ab05d049112bc0ed8427afc890d100d909eff8cb

Download Submit
C:\Windows\SysWOW64\gaqrmax.exe

Filesize
4KB

MD5
8d881da67b7a95e43ff75dddfcea3631

SHA1
d69f59ad7a23a7ef7244705b31dcceee024a244b

SHA256
37e6ba1d4c5877bb601a5bf0400876bd36b6e18a5e0e9735e70e3f6ed318e429

SHA512
7d43ae1b6154ae4c5b4d00f556e8fb141bd445c9b3c47cebbb610b93d3680f91f191473ca2c331147edc25fc31fbbbe2f5cf90e22b0adc253e22b871c2b234fe

Download Submit
C:\Windows\SysWOW64\gjdxjwt.exe

Filesize
83KB

MD5
c3cba9c52ab1ed4c9252aed129249112

SHA1
e54cea16c3848e10cde4244ada81898da2d6c3c0

SHA256
125cfa1c65b71799c04de177a579669ec4fd52539d9532a3c86148472871c137

SHA512
c7ee331e9381b3132261e89ab7c4c0e55631542eeb5b28b96e9f6e3f6cb68f6f4558ca926fbb58a9d0c4f32f22e5d62b7f7ecbe4132e4a49efb8a9c550f79f40

Download Submit
C:\Windows\SysWOW64\gjdxjwt.exe

Filesize
73KB

MD5
40ed2a497947db05c643512b08498503

SHA1
bef1fe9114717883dd1711c8adf5ad139274b9bb

SHA256
65d896fbb0f9bc23151b822483fb1def2f3cd001ceceba8e2e553f541dfbb288

SHA512
0d59a2f74c1a6da61c5a51d9cbd854310af4110908f4286d9dc3900dcd6ea424a5aa95f77c613f472c34583ba6ab6f875a5f07410e7eb477a566bb70a2f2fed8

Download Submit
C:\Windows\SysWOW64\gjdxjwt.exe

Filesize
68KB

MD5
3353a284a6f8eca9e1f9ce5315376e28

SHA1
d8bed8ba63fd25c3405d1bedccf31d2883789424

SHA256
8b40b2cf664e53ef3dff270565e7df5aa2be43054279d423f3512eea0e413d72

SHA512
71ef056c93438037409a65204b44294e52ebbb6a36af6171c8c3e64f474487e006406473033db5e0bd7c81e0da840bd4db214da96bf79edf3b46ac6321b34d14

Download Submit
C:\Windows\SysWOW64\gojuofg.exe

Filesize
35KB

MD5
573456c6fef7c183c02090ba0aac07db

SHA1
48dfacaba86a7aaf64c1141d8f1e502d7bb579f2

SHA256
602f413c80769d61d3d99875d9e6e931e344c6a8760e355904bc301377802c47

SHA512
12c54bc5345686554da24df26e0b0a4a122f7e615bb36cd1a017dcbebab0804cec12d29191192e32469a55ba725a2c1c2e6b86cba878d98d73666d714c8137bd

Download Submit
C:\Windows\SysWOW64\gojuofg.exe

Filesize
103KB

MD5
cdf234a1ade19746c2bc1796b4514a0f

SHA1
79fff11176663c7bb9b51188dbfb0a49b2b30939

SHA256
e85895d3f9ecf2ab8ed3dc1a0cac9d06281060a7a34be6ce0cc3d555c26b8bb7

SHA512
ca2a4a3242bef9a752e6c3ae03e9b1962de914c79b4b66aa0f2c5239cfef664f7e11a07114ec6f26eb6a89c47f22d80407394d6b1cf8c769aa9c416fbe9d39e0

Download Submit
C:\Windows\SysWOW64\gojuofg.exe

Filesize
50KB

MD5
042910f503dd2a0b597748c953e15296

SHA1
b82ad9fd0a58c633371fb5ae6b93c8391f05c45b

SHA256
a7f80dfa435d79ec74162c4ef0cdf283d59c6668dea88d84701bb11d6cd5f498

SHA512
2b4dd37afae74b0944019b4a5ed754f67b942a23f52c9ee10224d65ee7bacdd55d67e1c73448479bf2f14840fe78c6f98852026bb1f4da5aebf397fe44c91436

Download Submit
C:\Windows\SysWOW64\gouxnzt.exe

Filesize
11KB

MD5
67f9bd88d361369d812de5b55ceb49b8

SHA1
ee8c38dadae9a4ab7ba71c220d2334bb40ee91d6

SHA256
69badefd918116af39488c2c302d4fb5542cd0513b65dbad220b8b7513d2d9ac

SHA512
ed3cead7ce455229a052abe6a3bb7503911bc357774a91ac1000262365fa055ce457e53c26ac46d157ff5a304cb037ceb8b76c2ab37c94facd73e8d0286a54f6

Download Submit
C:\Windows\SysWOW64\gouxnzt.exe

Filesize
34KB

MD5
2182d84547b7de23ba7b8551e4512f42

SHA1
356a6f3fec8d0b83e628022ab853c4dd6557fe90

SHA256
c1f16c6b5950be762105c283822e1be19391a42a0d49bcb7f4889862d26e927c

SHA512
61d50b54e8a9129f962d4e379fd94c9f620fdabe0f751d64b48f3646e2ae89d3cd0ad31de1b2e4c002fb044b1b3d7b19354b20b403fefd1b14394e94def3a150

Download Submit
C:\Windows\SysWOW64\gouxnzt.exe

Filesize
19KB

MD5
7136490aea2db7246902447745c40b7f

SHA1
5d74c9467e31650f3267c587ef741a63a135c112

SHA256
922ba5258c3874c616ddafd311a16d40f08b09f2b36a6a1937222b97be526960

SHA512
6b4c5640dc9019e985dc6d275bf0181ef2a81ff9606a7ecbec843cbb1973e288d69291b7f97454d463f0c50090630a7c9c75c559eeb803fd2a1ed3fcbd697101

Download Submit
C:\Windows\SysWOW64\jbebsis.exe

Filesize
30KB

MD5
48b617ba592f4a1a417ac4f5b8dc9a03

SHA1
e6109fc43883e9cdd1cf0ff73978fdb04bce8f75

SHA256
5542ded2417671e9128997fe626450191fb080130ccdfb60592a24de768c3988

SHA512
71b22329b07602db7d81cab529650d79282c0f74430d98ad01efa4d105f353fa23932c13203e4bc6daf4dc66a93a684f8ad961aeda1c7ccd810738e0a01ca31c

Download Submit
C:\Windows\SysWOW64\jbebsis.exe

Filesize
69KB

MD5
d61f19620c76a887432cc3c9f73234fb

SHA1
529fe9f34b63dc6b0be1f318152171199de59693

SHA256
ace977475845eca526bffc0459115fc1a4a49cb845eed51707b4d016d8eb3256

SHA512
7e0f8bc198b3c4ba86fe1ae28919dc3ce550072feb04fe982a4af8f02d56a7147df80bc22a78a3f7f56823e988062b0a4a0620be8cffd29eef285a25b558b63d

Download Submit
C:\Windows\SysWOW64\jbebsis.exe

Filesize
77KB

MD5
ff63b56cf2f5dcd4c1c51fddfc578deb

SHA1
ca74f5dc15904d9c7d752a5897b2dc0835d2a702

SHA256
5afa3efd0d4ddac11b8d1d2ef96ea3b35d939eed6c2488584b5f0bcecb193519

SHA512
ad9b18e624414f5bcdcf0ad035655df4a319761812c4df6fb8502ee6e5f4e9031fb8c792aa06d51fd50e4ccbcece6b7d5a29fd67aa22f129daa4af8f91336295

Download Submit
C:\Windows\SysWOW64\jnlgilk.exe

Filesize
37KB

MD5
bfc359b3da028f1af813b6a4ed418c48

SHA1
7ed532881e0f1438ccaa9c34d0319bbc598cda7c

SHA256
3e867a77cb8997ff60ca1a7408ba5cc8643c776b5ec3258d40a38ee9aa9a6a5e

SHA512
3f770d51ec16162966d5f6b84b802fd51cdc05c4f0dd82a93e60228408cbf91ef3701a401f0317bc5fb313ee9a67b8c382c116311d252f597a74afee4bb1204c

Download Submit
C:\Windows\SysWOW64\majdryd.exe

Filesize
30KB

MD5
21d95b2d770f7f85f319f9282a4c1162

SHA1
0e648c085c6d5b7c46a25d0f1bd6ada9db884351

SHA256
d5da0cb142e36658ea67c7ec843f3245e2f94e382b57b715244b2dc9a56cc034

SHA512
24b924f4f817f8e5a10c88ab556301e0496c1b62fb48ea6ba12c03cb3ba9e02cacbf79991d4487b86a1e2467bc8575093703537a3fe3f1d9806a88036cfd9d45

Download Submit
C:\Windows\SysWOW64\majdryd.exe

Filesize
92KB

MD5
b300a70019785e4eb4ea104fb9a0716c

SHA1
1461598ad8d1de0bac72691cff4143fc62f62216

SHA256
9925e96afb7cfebfdaee72fdc0c3168a30c6f21983a651f50cd438110ca83dfa

SHA512
baebe64e21b838598607f6f0162d8b7abac46555b60c58395d008ef74befbdf8e8f51a568a511710016ebb02466900a000e9f7886fff0f15d7c48d5769c9eea6

Download Submit
C:\Windows\SysWOW64\majdryd.exe

Filesize
33KB

MD5
974e38cf5b0b6947ffc315d1700e1a3d

SHA1
5296559be5ae6db58bead70d1ee76cbbd4ae8775

SHA256
a5ce85f1083c1ec223ac12067750bfc275bdb5a453193a90b2e03524ff294f9c

SHA512
eac5657b2998bae49e71ec2c25d4d148be383c3951823a2498a1bbf70a49018ca40e95416faf33a6bde35ee334bee3a388b71bbb6bf2245890f321bc10958f9c

Download Submit
C:\Windows\SysWOW64\oravpla.exe

Filesize
56KB

MD5
c27320305361c8cd4c721459306ce5c4

SHA1
ef5a60ff5b1bb44d7c5a687eb4b5f028cb4dd3ca

SHA256
6d26b90aebdcbbbea9c5b17d848d4aa16765d9508695c67598a539c04aae89e7

SHA512
60727708b32bb0431613d3d30780071ff03dbb1e295a31960699fb22d1b082c6fdc979f9126f902fd85d79e4afafb77b9e93c6a92c6fe8324b477f9d7fc0bdfe

Download Submit
C:\Windows\SysWOW64\oravpla.exe

Filesize
29KB

MD5
356a92b28a18c8f2843506a0995e3b9f

SHA1
465950e8eb084daac818036f0926730af2aaad41

SHA256
78ed035ad8f145dd76a7848c3ae4efad62dea966032d4cfa68cf164a3d2e70b8

SHA512
e30bcccbadfcbe5609863ed43d177bb32e399aac93c7543553bcaf70a6979cc95555fe24d4a337a6cc5d625b3ad575d480c8c965404726c9f840bde9d7043d88

Download Submit
C:\Windows\SysWOW64\oravpla.exe

Filesize
56KB

MD5
78f9f3cb64ccd611fa821af97cd2e12f

SHA1
19f5e4ad4621a97fe41c3835160c5a712d87f5e4

SHA256
c87e57e34723f94365c062d3baefe63efaf6b14e75ea62f83d6434db447b8833

SHA512
3ee1b507d150e7ae5f00396da7c12d9980a830bf916268b734c3ed88343835aa37f9721846a03261a180ec9f26df2e993cf103fed6769491f220ea9685e00142

Download Submit
C:\Windows\SysWOW64\rvxxset.exe

Filesize
15KB

MD5
1d1fcda3eadb2a23dd5655b82539dd58

SHA1
ae373df88b4e3367fd9cff465d9d7bf5844619a4

SHA256
77d7ed0695815ac6db13099a5332e2993d7090d19f1e3dc95b95a2fec3b4878f

SHA512
8a1200161f21245ed19df712b9e6caa2057eae292b674532f74cde8514c0ab84db5d8264c1b55ba4bfc186d1d3727c620fa928a91f98abccebd5b17f450c94f0

Download Submit
C:\Windows\SysWOW64\rvxxset.exe

Filesize
15KB

MD5
7675862c865db06bba2a44db185f9386

SHA1
2372832ec480c6fdee37d493bdc7fe1c5e5cd10f

SHA256
05148a3bba772a2ed30ecf4c9ecc43d93843c40c452e2d8222b9537863788f9b

SHA512
08c3f0686e9e0bde4f703b6b740e5e25d618331a159a93994a246404548e34dbb8cffc7318013870f833b1fc4a4a5cdbabbd4f2d54017fd456652d3cb60032b6

Download Submit
C:\Windows\SysWOW64\rvxxset.exe

Filesize
9KB

MD5
04e2d0842e049aaf1c5d2b80e718defb

SHA1
dddb268b7b80f88bed51bf1136c3fe11c60e9f76

SHA256
c06418ea7439c82caa5be12bc5d340ffb2eae313a57765e3693dc97279106f44

SHA512
6223e95c8467e6b04efe2dec919c43fa5a06b327a649c1959baa56e74245ca7b5817e5a8e87dd809646ebd6890dcbca5daa9b5999586394de16399cbc71bac50

Download Submit
C:\Windows\SysWOW64\tmczrte.exe

Filesize
5KB

MD5
bb0bfd0e823feca101509b3e94619271

SHA1
94c4d65129177be1393364d64a9997b572481579

SHA256
d6788154b939dc7d1ffbbb08ea188729b356eaefa5c199188eee29b1da3219f7

SHA512
043f424b55e62856137ead0230847e6bcdb1e92deab20ac30e455daf3592bac3e06c7ea1b67925dadd385d7de1463460ff0e01e300a2b5761229b24bc7a41aad

Download Submit
C:\Windows\SysWOW64\tmczrte.exe

Filesize
20KB

MD5
f26aff0962be1177ba658ae26434803c

SHA1
a805d98784b3407a0b820e3c402fda6e71529e3b

SHA256
0b0b029ded0f54dcfd5265b36a62766ef47b7cdb25e926d7c9eb4cad5764ee61

SHA512
d18f45c22ea486c49690dce80444683c5fe3c80281de3da0da6d49d32b560c99d4b29ec503865b182c2a13515de3c848ab9526486bdf2c4d0886b63d3aa833dc

Download Submit
C:\Windows\SysWOW64\tunfnqc.exe

Filesize
28KB

MD5
1a516ea70e238a5480688cdfb56ef898

SHA1
6c879650ea7e0150845b0b6e39581421f544a185

SHA256
cf7176fa884d62ed1dd6d94b36feccfe1f67cf7e0a29b9b0c3ffd861b7c920ad

SHA512
1fc9472deb0851288a3fb4424f378e4ffa3a573669ad68866d678586abfadb805efbe26b2318713caa529eee21d4aba81d9f8e2df79e51d76248d9b177f21762

Download Submit
C:\Windows\SysWOW64\tybvpow.exe

Filesize
9KB

MD5
e147e44470cd25bcd7a097da3e8af3cd

SHA1
470a1559960156faa63799b13e369a82a32b8a8c

SHA256
4f98c650efbf8c55925649c4164eec9a37092cc318995bc3f6c9abfcac1474c1

SHA512
45c44127f86d20b4e9363ac358f40850839f98e5488d762c97d6498d621f93972e2971697d2a913b5f06bd4bf3cd1bbbdb43c9b8e5fcf1b428bd314601322126

Download Submit
C:\Windows\SysWOW64\tybvpow.exe

Filesize
15KB

MD5
57551e2c7b998f0f6688acf394757fb9

SHA1
73c9e804b2ede5966b579a3605bdd4bd04360b44

SHA256
768054f6cfc70e43558a93acf7e46f87634cc6a8c4fa5980df39c94ecb905a9e

SHA512
5a913805fa601bcc3b7defbd026f1308df87c0f02c372d076cf53f186e23c645244e43898ff9e4c7cfd9b3c6d4871df7fe5022849a151bf7ce5eb134868ad05a

Download Submit
C:\Windows\SysWOW64\wditqbp.exe

Filesize
1KB

MD5
2e07c959fff6d0ee806ad850ebd31599

SHA1
d2ea87e9a2287f598219a2fd976be408fa835cd5

SHA256
35268c1df29b52108728ca5b52c0b2e84b459b09312b3ec697965fc2782a4b98

SHA512
df5fc78a64a8ee53cf8cdf577b4ef41159a132d3999676629fba8b008111271c8e0cf08090a9bc457dd8ae363aef7e246b3b00f17b0b99ad17f5a452efd969b6

Download Submit
C:\Windows\SysWOW64\wditqbp.exe

Filesize
107KB

MD5
ef5d681c0d5b3a1c2d5517bf97978cc1

SHA1
6f5df8daa03051967e89887809800b8b964840de

SHA256
df9bda3e336117d8f98f3cc455404ce3f38d3f1451cbbb32e009bed9bd446b5f

SHA512
5b6d83fd3ee6da17f62ef3dc76decae26e6ebe3941b66560fcf58f300a3aa0241287ce78772f449aa311273aba7af83ded4a94327b9fe4d3904094e3722a5788

Download Submit
C:\Windows\SysWOW64\wnpexnq.exe

Filesize
22KB

MD5
cbff71a76f619d6ac4cebe4f8571d4d1

SHA1
48b9d61ee4b0f99418153a38c8a333aba3e3c6d4

SHA256
58bce01196cbc56e903fb7b5f46f795b5684c5f20924fbfa473362166641b4e6

SHA512
ee6dbfecf261f673f205fb1972f3993f858eaa296736363b7728777ad8804cff1b734d62170e47f63871a04d28969edb7765ef2419b1f68ee076b3024af2328a

Download Submit
C:\Windows\SysWOW64\wnpexnq.exe

Filesize
58KB

MD5
ecf91bf24f5a7425d17591c6a5bfb6d4

SHA1
92924610de1110baca52041ead918ccfa222c86a

SHA256
95e9252aa34f03cba0e6c3407ca0a3f4867fd64fe2c6b0a702657d2ed227041f

SHA512
13cc849fa02780eee35a124824853a2e4648c25744c075c4f33b6e6d43cffba041718747d811d23ff73e90e9c95198b7d8393912d0ca8cd2b89cad31e984db5d

Download Submit
C:\Windows\SysWOW64\wnpexnq.exe

Filesize
47KB

MD5
2f3032bacd89a068a55c0d8dc2ec9fc7

SHA1
a068d14d343811cb573de31bd2c4758121b125d2

SHA256
10632add7e917e8efb268f8cfe979bb2c0169f0be383b70ad9fa283e52937ba0

SHA512
1141343c5f1cba380d7b613b98a01670b9b7a3dd94c638b5abd659927923e996764e9f88b82779617ed52edaaa4702aa5a745f8e6ffd89c2a494f75e847a2286

Download Submit
C:\Windows\SysWOW64\zbfuyew.exe

Filesize
79KB

MD5
dcdfc7448afe8ebd6450ac1283f1dd6f

SHA1
27325735c8d5276cef4fbbfb55587a4866a7fa9f

SHA256
1ac040f6c3df5e2f4f2690e465a017e4c0dc68f15baa8c7bd4f7b05de077fcb0

SHA512
affd71cfd588f70ffd4b4a4698fdd4b9ded0f3d3c632222f3cb813edf8c3a4024ce78a12d7241de1776cfa54a8ceffa1898280f5588b4e0fa452c282a389e73f

Download Submit
C:\Windows\SysWOW64\zbfuyew.exe

Filesize
58KB

MD5
87e6a6d73f11bb6e72ecd4cab5c37510

SHA1
9b862f8e2979270dbb93537df8bb2ee227023f15

SHA256
cf54bdab014da0a6057adfb99af86f6a1294258c5ab144a61a8d85f1e88bd0dc

SHA512
90d02af21cb0dd9a9688cc0fe8250151d2a0a8c1d1d37a81a2e7020642c4f0078d297b217f498cdea28691a48dda47e02f98306af81921852f7ffb40e3e7e86b

Download Submit
C:\Windows\SysWOW64\zbfuyew.exe

Filesize
34KB

MD5
649efbefcee3ab858c71819dca8a27a3

SHA1
0523066fed6667affd3a76efba3f7fdee3519606

SHA256
ee62edeedcd9b470be7f61963067682bfd6545e715c2cc9c72061cf5fbe2784e

SHA512
8c5b65c086a1b15e724c55429832b14de45235d77a128269e06d43d2e9ae3737b0c8c2733369b448a6bb38909198932a6eafb3e994c19cead60aa26a2cbf63c8

Download Submit
C:\Windows\SysWOW64\zbfuyew.exe

Filesize
85KB

MD5
a863ac78c29d99c4e56c946ad326ecd6

SHA1
b78e468ea154de4e0fba71d6491cf00e6a7f2e73

SHA256
8a06a3884aa9bd8566a8f1e1e34d22dc24d94928ce8ae95b43e84ac0ebedb578

SHA512
cf4c217ee91764b001749dceb99069a031de9868a254e62b052fa21d4c26e6a66479533abd3af5b7810bb4ef1cea8d5d8ab7b6722252b647d9bd8fe4042e789b

Download Submit
memory/228-0-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/228-38-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/368-132-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/368-157-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/368-130-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/368-116-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/368-131-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/368-156-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/368-121-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/712-375-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/712-338-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/712-376-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/764-282-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/764-283-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/764-245-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/884-400-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/884-438-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/884-437-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/888-61-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1276-280-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1892-125-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2160-493-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/2200-96-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-97-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-68-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2308-63-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2308-73-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-76-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-72-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-77-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-74-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2308-78-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2308-95-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2308-75-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2688-214-0x00000000020F0000-0x0000000002146000-memory.dmp

Filesize
344KB

Download
memory/2688-252-0x00000000020F0000-0x0000000002146000-memory.dmp

Filesize
344KB

Download
memory/2688-251-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2740-314-0x0000000000680000-0x00000000006D6000-memory.dmp

Filesize
344KB

Download
memory/2740-313-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2740-276-0x0000000000680000-0x00000000006D6000-memory.dmp

Filesize
344KB

Download
memory/2928-521-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/2968-525-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3064-466-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3260-462-0x0000000002090000-0x00000000020E6000-memory.dmp

Filesize
344KB

Download
memory/3260-500-0x0000000002090000-0x00000000020E6000-memory.dmp

Filesize
344KB

Download
memory/3260-499-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3364-373-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-3-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-13-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-18-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/3392-17-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-36-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/3392-15-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-16-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-14-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-4-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/3392-12-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3392-9-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/3392-39-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3568-435-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3668-221-0x0000000000780000-0x00000000007D6000-memory.dmp

Filesize
344KB

Download
memory/3668-220-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3668-182-0x0000000000780000-0x00000000007D6000-memory.dmp

Filesize
344KB

Download
memory/3676-207-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3676-249-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3864-186-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3972-307-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/3972-345-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/3972-344-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4280-342-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4284-497-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-44-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-37-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4316-60-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4316-49-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4316-48-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-47-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-43-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-46-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-45-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-62-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4316-29-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4316-28-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4440-468-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4440-469-0x00000000005F0000-0x0000000000646000-memory.dmp

Filesize
344KB

Download
memory/4440-431-0x00000000005F0000-0x0000000000646000-memory.dmp

Filesize
344KB

Download
memory/4532-154-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4660-311-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-124-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4712-105-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-101-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-106-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-126-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-92-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4712-102-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-103-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-104-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4712-107-0x0000000000670000-0x00000000006C6000-memory.dmp

Filesize
344KB

Download
memory/4892-150-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/4892-189-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/4892-188-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4988-404-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5008-218-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5008-175-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5072-369-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/5072-407-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/5072-406-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download