f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

058cd6a37e24b8b60d0f2f94d26d7acc.exe
Size

924KB
MD5

058cd6a37e24b8b60d0f2f94d26d7acc
SHA1

429084f91b93a40a3b93a05107337fd98766807b
SHA256

f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37
SHA512

09f14db43b00f0f72c330ddc25efe6592b5bb465c14a4f72b82957ff59510524719971524c62bf4a799a8c3bcd8e4345a0000595d2f1751029591413eb495039
SSDEEP

12288:/VUzFj9BMweqIN8gNJmLKOlUTsnevI8XWAR1OcOWYEEvYMbR2jCi+rpHihz:/VUzFh+mONJnTFvjGA/OTvHvYK26HS

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 42 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dqqtfi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dqqtfi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tauuor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	msegdr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mwzzpm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	znxzph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wnnygl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xojddu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dvpuba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	msegdr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jbfwgs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iakrij.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nvnnbh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	sfhlei.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	iakrij.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jbfwgs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ntzlab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hexkml.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	hexkml.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	igtosv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sygqrh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yljxpb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yljxpb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dvdmrc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nvnnbh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sfhlei.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	sygqrh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tauuor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntzlab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dvdmrc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wnnygl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dvpuba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	sepnam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	xojddu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yknsrs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yknsrs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sepnam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mwzzpm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	igtosv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	znxzph.exe

Executes dropped EXE 20 IoCs

pid	Process
2532	dvpuba.exe
2584	nvnnbh.exe
3020	znxzph.exe
1616	sfhlei.exe
2752	sygqrh.exe
1808	dqqtfi.exe
2100	iakrij.exe
1688	tauuor.exe
2636	msegdr.exe
2568	yknsrs.exe
2764	jbfwgs.exe
2552	ntzlab.exe
2432	yljxpb.exe
1032	dvdmrc.exe
2164	wnnygl.exe
2104	hexkml.exe
2688	sepnam.exe
1420	mwzzpm.exe
876	xojddu.exe
2748	igtosv.exe

Loads dropped DLL 40 IoCs

pid	Process
1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe
1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe
2532	dvpuba.exe
2532	dvpuba.exe
2584	nvnnbh.exe
2584	nvnnbh.exe
3020	znxzph.exe
3020	znxzph.exe
1616	sfhlei.exe
1616	sfhlei.exe
2752	sygqrh.exe
2752	sygqrh.exe
1808	dqqtfi.exe
1808	dqqtfi.exe
2100	iakrij.exe
2100	iakrij.exe
1688	tauuor.exe
1688	tauuor.exe
2636	msegdr.exe
2636	msegdr.exe
2568	yknsrs.exe
2568	yknsrs.exe
2764	jbfwgs.exe
2764	jbfwgs.exe
2552	ntzlab.exe
2552	ntzlab.exe
2432	yljxpb.exe
2432	yljxpb.exe
1032	dvdmrc.exe
1032	dvdmrc.exe
2164	wnnygl.exe
2164	wnnygl.exe
2104	hexkml.exe
2104	hexkml.exe
2688	sepnam.exe
2688	sepnam.exe
1420	mwzzpm.exe
1420	mwzzpm.exe
876	xojddu.exe
876	xojddu.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sygqrh.exe	sfhlei.exe
File created	C:\Windows\SysWOW64\tauuor.exe	iakrij.exe
File created	C:\Windows\SysWOW64\yljxpb.exe	ntzlab.exe
File opened for modification	C:\Windows\SysWOW64\hexkml.exe	wnnygl.exe
File opened for modification	C:\Windows\SysWOW64\mwzzpm.exe	sepnam.exe
File created	C:\Windows\SysWOW64\bydayv.exe	igtosv.exe
File opened for modification	C:\Windows\SysWOW64\bydayv.exe	igtosv.exe
File created	C:\Windows\SysWOW64\dqqtfi.exe	sygqrh.exe
File opened for modification	C:\Windows\SysWOW64\tauuor.exe	iakrij.exe
File opened for modification	C:\Windows\SysWOW64\sepnam.exe	hexkml.exe
File created	C:\Windows\SysWOW64\xojddu.exe	mwzzpm.exe
File created	C:\Windows\SysWOW64\igtosv.exe	xojddu.exe
File created	C:\Windows\SysWOW64\nvnnbh.exe	dvpuba.exe
File opened for modification	C:\Windows\SysWOW64\iakrij.exe	dqqtfi.exe
File opened for modification	C:\Windows\SysWOW64\jbfwgs.exe	yknsrs.exe
File created	C:\Windows\SysWOW64\hexkml.exe	wnnygl.exe
File opened for modification	C:\Windows\SysWOW64\igtosv.exe	xojddu.exe
File opened for modification	C:\Windows\SysWOW64\dvpuba.exe	058cd6a37e24b8b60d0f2f94d26d7acc.exe
File opened for modification	C:\Windows\SysWOW64\sfhlei.exe	znxzph.exe
File created	C:\Windows\SysWOW64\iakrij.exe	dqqtfi.exe
File opened for modification	C:\Windows\SysWOW64\yljxpb.exe	ntzlab.exe
File created	C:\Windows\SysWOW64\dvpuba.exe	058cd6a37e24b8b60d0f2f94d26d7acc.exe
File created	C:\Windows\SysWOW64\znxzph.exe	nvnnbh.exe
File created	C:\Windows\SysWOW64\ntzlab.exe	jbfwgs.exe
File created	C:\Windows\SysWOW64\sepnam.exe	hexkml.exe
File created	C:\Windows\SysWOW64\mwzzpm.exe	sepnam.exe
File opened for modification	C:\Windows\SysWOW64\znxzph.exe	nvnnbh.exe
File opened for modification	C:\Windows\SysWOW64\dqqtfi.exe	sygqrh.exe
File created	C:\Windows\SysWOW64\yknsrs.exe	msegdr.exe
File opened for modification	C:\Windows\SysWOW64\ntzlab.exe	jbfwgs.exe
File opened for modification	C:\Windows\SysWOW64\dvdmrc.exe	yljxpb.exe
File created	C:\Windows\SysWOW64\sygqrh.exe	sfhlei.exe
File opened for modification	C:\Windows\SysWOW64\yknsrs.exe	msegdr.exe
File created	C:\Windows\SysWOW64\dvdmrc.exe	yljxpb.exe
File created	C:\Windows\SysWOW64\wnnygl.exe	dvdmrc.exe
File opened for modification	C:\Windows\SysWOW64\wnnygl.exe	dvdmrc.exe
File opened for modification	C:\Windows\SysWOW64\nvnnbh.exe	dvpuba.exe
File created	C:\Windows\SysWOW64\sfhlei.exe	znxzph.exe
File created	C:\Windows\SysWOW64\msegdr.exe	tauuor.exe
File opened for modification	C:\Windows\SysWOW64\msegdr.exe	tauuor.exe
File created	C:\Windows\SysWOW64\jbfwgs.exe	yknsrs.exe
File opened for modification	C:\Windows\SysWOW64\xojddu.exe	mwzzpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au{IVkgOghRPEQ"	yknsrs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_ag"	wnnygl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnEf{STJPAB\|IBvCnpAPXizDc"	mwzzpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_bw"	nvnnbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnCF{STJPA_LIBvCnpAPXizDc"	tauuor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iLlyc = "@YXCiNzERZrLidUYE\\Zw"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cavumonyjq = "NGD@_nsp\|X@dIkXLSWqbfZhKr\\D"	yknsrs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cavumonyjq = "NGD@_nsp\|X@dIkXLSWqbfZhKr\\D"	xojddu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fn@F{STJPAP\\IBvCnpAPXizDc"	sygqrh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AuwIVkgOfF\\S\x7fK"	sygqrh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Elevation	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnCF{STJPA_lIBvCnpAPXizDc"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iLlyc = "@YXCiNzERZrLidUYE\\Zw"	iakrij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_aG"	yljxpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iLlyc = "@YXCiNzERZrLidUYE\\Zw"	hexkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	sepnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnEv{STJPAB\\IBvCnpAPXizDc"	sepnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_gW"	xojddu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "%systemroot%\\SysWow64\\tapilua.dll"	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AuqyVkgOfjbXNI"	nvnnbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_bg"	znxzph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iLlyc = "@YXCiNzERZrLidUYE\\Zw"	jbfwgs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Elevation\Enabled = "1"	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnAf{STJPATlIBvCnpAPXizDc"	dvpuba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au\x7fIVkgOgT\\hlC"	dvdmrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AubiVkgOeZ`]wC"	hexkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ECLGdwkoraach = "_FMlfgXi@iTMWmH[bKBQe_NX"	sygqrh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AutYVkgOfdeKZ]"	dqqtfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnCV{STJPA_LIBvCnpAPXizDc"	iakrij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AuziVkgOfjAFJY"	tauuor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au{iVkgOe\|_ilB"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnBV{STJPAX\\IBvCnpAPXizDc"	jbfwgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnEF{STJPAB\\IBvCnpAPXizDc"	hexkml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au`yVkgOf}W@^s"	sepnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_bg"	dvpuba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cavumonyjq = "NGD@_nsp\|X@dIkXLSWqbfZhKr\\D"	iakrij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	mwzzpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnEf{STJPAO\\IBvCnpAPXizDc"	mwzzpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au~iVkgOdhDT\|T"	ntzlab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	dvdmrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	wnnygl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AuaiVkgOefxXaK"	xojddu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	dvpuba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AuyYVkgOffEbxZ"	jbfwgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_`w"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AubyVkgOgjjKw~"	wnnygl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fn@v{STJPAP\\IBvCnpAPXizDc"	sygqrh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_cg"	dqqtfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_gG"	igtosv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnDF{STJPAO\\IBvCnpAPXizDc"	igtosv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	znxzph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ECLGdwkoraach = "_FMlfgXi@iTMWmH[bKBQe_NX"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cavumonyjq = "NGD@_nsp\|X@dIkXLSWqbfZhKr\\D"	yljxpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "Au\|YVkgOeLdCot"	yljxpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_gW"	igtosv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_`g"	jbfwgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_`G"	tauuor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	msegdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnBV{STJPA[\\IBvCnpAPXizDc"	jbfwgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ejncqKuMnmG = "NVKr\x7fnBV{STJPA[\\IBvCnpAPXizDc"	ntzlab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GzoYkcosdE = "AucIVkgOelru\\q"	sepnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\puYaQx = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU"	sygqrh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ofwz = "gdvEXvqnJ[teaErBoDG_`W"	tauuor.exe

NTFS ADS 21 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	znxzph.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	tauuor.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	yknsrs.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	jbfwgs.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	yljxpb.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mwzzpm.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	xojddu.exe
File created	C:\ProgramData\TEMP:C980DA7D	dvpuba.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	dvpuba.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	iakrij.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	wnnygl.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	hexkml.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	sepnam.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	sfhlei.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ntzlab.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	dvdmrc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nvnnbh.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	sygqrh.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	dqqtfi.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	msegdr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	igtosv.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: 33	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Token: SeIncBasePriorityPrivilege	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Token: 33	2532	dvpuba.exe
Token: SeIncBasePriorityPrivilege	2532	dvpuba.exe
Token: 33	2584	nvnnbh.exe
Token: SeIncBasePriorityPrivilege	2584	nvnnbh.exe
Token: 33	3020	znxzph.exe
Token: SeIncBasePriorityPrivilege	3020	znxzph.exe
Token: 33	1616	sfhlei.exe
Token: SeIncBasePriorityPrivilege	1616	sfhlei.exe
Token: 33	2752	sygqrh.exe
Token: SeIncBasePriorityPrivilege	2752	sygqrh.exe
Token: 33	1808	dqqtfi.exe
Token: SeIncBasePriorityPrivilege	1808	dqqtfi.exe
Token: 33	2100	iakrij.exe
Token: SeIncBasePriorityPrivilege	2100	iakrij.exe
Token: 33	1688	tauuor.exe
Token: SeIncBasePriorityPrivilege	1688	tauuor.exe
Token: 33	2636	msegdr.exe
Token: SeIncBasePriorityPrivilege	2636	msegdr.exe
Token: 33	2568	yknsrs.exe
Token: SeIncBasePriorityPrivilege	2568	yknsrs.exe
Token: 33	2764	jbfwgs.exe
Token: SeIncBasePriorityPrivilege	2764	jbfwgs.exe
Token: 33	2552	ntzlab.exe
Token: SeIncBasePriorityPrivilege	2552	ntzlab.exe
Token: 33	2432	yljxpb.exe
Token: SeIncBasePriorityPrivilege	2432	yljxpb.exe
Token: 33	1032	dvdmrc.exe
Token: SeIncBasePriorityPrivilege	1032	dvdmrc.exe
Token: 33	2164	wnnygl.exe
Token: SeIncBasePriorityPrivilege	2164	wnnygl.exe
Token: 33	2104	hexkml.exe
Token: SeIncBasePriorityPrivilege	2104	hexkml.exe
Token: 33	2688	sepnam.exe
Token: SeIncBasePriorityPrivilege	2688	sepnam.exe
Token: 33	1420	mwzzpm.exe
Token: SeIncBasePriorityPrivilege	1420	mwzzpm.exe
Token: 33	876	xojddu.exe
Token: SeIncBasePriorityPrivilege	876	xojddu.exe
Token: 33	2748	igtosv.exe
Token: SeIncBasePriorityPrivilege	2748	igtosv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2532	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe	28
PID 1968 wrote to memory of 2532	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe	28
PID 1968 wrote to memory of 2532	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe	28
PID 1968 wrote to memory of 2532	1968	058cd6a37e24b8b60d0f2f94d26d7acc.exe	28
PID 2532 wrote to memory of 2584	2532	dvpuba.exe	29
PID 2532 wrote to memory of 2584	2532	dvpuba.exe	29
PID 2532 wrote to memory of 2584	2532	dvpuba.exe	29
PID 2532 wrote to memory of 2584	2532	dvpuba.exe	29
PID 2584 wrote to memory of 3020	2584	nvnnbh.exe	30
PID 2584 wrote to memory of 3020	2584	nvnnbh.exe	30
PID 2584 wrote to memory of 3020	2584	nvnnbh.exe	30
PID 2584 wrote to memory of 3020	2584	nvnnbh.exe	30
PID 3020 wrote to memory of 1616	3020	znxzph.exe	31
PID 3020 wrote to memory of 1616	3020	znxzph.exe	31
PID 3020 wrote to memory of 1616	3020	znxzph.exe	31
PID 3020 wrote to memory of 1616	3020	znxzph.exe	31
PID 1616 wrote to memory of 2752	1616	sfhlei.exe	32
PID 1616 wrote to memory of 2752	1616	sfhlei.exe	32
PID 1616 wrote to memory of 2752	1616	sfhlei.exe	32
PID 1616 wrote to memory of 2752	1616	sfhlei.exe	32
PID 2752 wrote to memory of 1808	2752	sygqrh.exe	35
PID 2752 wrote to memory of 1808	2752	sygqrh.exe	35
PID 2752 wrote to memory of 1808	2752	sygqrh.exe	35
PID 2752 wrote to memory of 1808	2752	sygqrh.exe	35
PID 1808 wrote to memory of 2100	1808	dqqtfi.exe	36
PID 1808 wrote to memory of 2100	1808	dqqtfi.exe	36
PID 1808 wrote to memory of 2100	1808	dqqtfi.exe	36
PID 1808 wrote to memory of 2100	1808	dqqtfi.exe	36
PID 2100 wrote to memory of 1688	2100	iakrij.exe	37
PID 2100 wrote to memory of 1688	2100	iakrij.exe	37
PID 2100 wrote to memory of 1688	2100	iakrij.exe	37
PID 2100 wrote to memory of 1688	2100	iakrij.exe	37
PID 1688 wrote to memory of 2636	1688	tauuor.exe	38
PID 1688 wrote to memory of 2636	1688	tauuor.exe	38
PID 1688 wrote to memory of 2636	1688	tauuor.exe	38
PID 1688 wrote to memory of 2636	1688	tauuor.exe	38
PID 2636 wrote to memory of 2568	2636	msegdr.exe	39
PID 2636 wrote to memory of 2568	2636	msegdr.exe	39
PID 2636 wrote to memory of 2568	2636	msegdr.exe	39
PID 2636 wrote to memory of 2568	2636	msegdr.exe	39
PID 2568 wrote to memory of 2764	2568	yknsrs.exe	40
PID 2568 wrote to memory of 2764	2568	yknsrs.exe	40
PID 2568 wrote to memory of 2764	2568	yknsrs.exe	40
PID 2568 wrote to memory of 2764	2568	yknsrs.exe	40
PID 2764 wrote to memory of 2552	2764	jbfwgs.exe	41
PID 2764 wrote to memory of 2552	2764	jbfwgs.exe	41
PID 2764 wrote to memory of 2552	2764	jbfwgs.exe	41
PID 2764 wrote to memory of 2552	2764	jbfwgs.exe	41
PID 2552 wrote to memory of 2432	2552	ntzlab.exe	42
PID 2552 wrote to memory of 2432	2552	ntzlab.exe	42
PID 2552 wrote to memory of 2432	2552	ntzlab.exe	42
PID 2552 wrote to memory of 2432	2552	ntzlab.exe	42
PID 2432 wrote to memory of 1032	2432	yljxpb.exe	43
PID 2432 wrote to memory of 1032	2432	yljxpb.exe	43
PID 2432 wrote to memory of 1032	2432	yljxpb.exe	43
PID 2432 wrote to memory of 1032	2432	yljxpb.exe	43
PID 1032 wrote to memory of 2164	1032	dvdmrc.exe	44
PID 1032 wrote to memory of 2164	1032	dvdmrc.exe	44
PID 1032 wrote to memory of 2164	1032	dvdmrc.exe	44
PID 1032 wrote to memory of 2164	1032	dvdmrc.exe	44
PID 2164 wrote to memory of 2104	2164	wnnygl.exe	45
PID 2164 wrote to memory of 2104	2164	wnnygl.exe	45
PID 2164 wrote to memory of 2104	2164	wnnygl.exe	45
PID 2164 wrote to memory of 2104	2164	wnnygl.exe	45

C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe
"C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\dvpuba.exe
  C:\Windows\system32\dvpuba.exe 712 "C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\nvnnbh.exe
    C:\Windows\system32\nvnnbh.exe 664 "C:\Windows\SysWOW64\dvpuba.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\znxzph.exe
      C:\Windows\system32\znxzph.exe 724 "C:\Windows\SysWOW64\nvnnbh.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\sfhlei.exe
        
        C:\Windows\system32\sfhlei.exe 680 "C:\Windows\SysWOW64\znxzph.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\sygqrh.exe
        
        C:\Windows\system32\sygqrh.exe 684 "C:\Windows\SysWOW64\sfhlei.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\dqqtfi.exe
        
        C:\Windows\system32\dqqtfi.exe 660 "C:\Windows\SysWOW64\sygqrh.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\iakrij.exe
        
        C:\Windows\system32\iakrij.exe 676 "C:\Windows\SysWOW64\dqqtfi.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\tauuor.exe
        
        C:\Windows\system32\tauuor.exe 692 "C:\Windows\SysWOW64\iakrij.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\msegdr.exe
        
        C:\Windows\system32\msegdr.exe 672 "C:\Windows\SysWOW64\tauuor.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\yknsrs.exe
        
        C:\Windows\system32\yknsrs.exe 668 "C:\Windows\SysWOW64\msegdr.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\jbfwgs.exe
        
        C:\Windows\system32\jbfwgs.exe 728 "C:\Windows\SysWOW64\yknsrs.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\ntzlab.exe
        
        C:\Windows\system32\ntzlab.exe 688 "C:\Windows\SysWOW64\jbfwgs.exe"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\yljxpb.exe
        
        C:\Windows\system32\yljxpb.exe 736 "C:\Windows\SysWOW64\ntzlab.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\dvdmrc.exe
        
        C:\Windows\system32\dvdmrc.exe 740 "C:\Windows\SysWOW64\yljxpb.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\wnnygl.exe
        
        C:\Windows\system32\wnnygl.exe 716 "C:\Windows\SysWOW64\dvdmrc.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\hexkml.exe
        
        C:\Windows\system32\hexkml.exe 720 "C:\Windows\SysWOW64\wnnygl.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SysWOW64\sepnam.exe
        
        C:\Windows\system32\sepnam.exe 788 "C:\Windows\SysWOW64\hexkml.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\mwzzpm.exe
        
        C:\Windows\system32\mwzzpm.exe 652 "C:\Windows\SysWOW64\sepnam.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SysWOW64\xojddu.exe
        
        C:\Windows\system32\xojddu.exe 760 "C:\Windows\SysWOW64\mwzzpm.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SysWOW64\igtosv.exe
        
        C:\Windows\system32\igtosv.exe 644 "C:\Windows\SysWOW64\xojddu.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
f2869eabe0f70f84e6c796f53d5e1fc3

SHA1
fbe9bc7b748d1e7cc410948e9de0ea07445e9896

SHA256
30df131d23cc210437cc9410d1793365f01a7c8020cab29bc8eb142d81e0cb34

SHA512
d50327a5434731b05167349e2b7b2dc4d0137e088a4571cbcbdd00e93997d7af1c0bb98fa0ff59d9ed7a01d60c35d971b24ca10ea3b6264962d2f422412edf65

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
e512f65c30b4d79d6b844f577a79f1f8

SHA1
a16fbb49d157fbadc3faa161b0dfef50d2735a55

SHA256
3a9ea974279f62077144a88b53bb93456a57d6be665462a34a8874fcde686625

SHA512
432cab540c33bb7940fa3bedb19fd47ec64ca2af85ea702b3f79315a48a6d18fc9c2af8358e623e88d974079b436c59cd27e6c2cd801ba119165bb4166bf8bb3

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
6fb4b95257806f54959a96664db4cf8b

SHA1
d51dc11313563cbe8686bd3bccfbb4c6b3ade9e3

SHA256
779646852373d6859522386b072cdb825d9f33cec80d0af11fdf4a10306b85ae

SHA512
11aa575cf489e942f3c50d154bdcd582ad07106a6f9de5e8f1f6f4409004c55cc9bfd2c6d8166599acb6838df004b73277bab4076b100d51c088831ad1b36508

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
e8885c6fc8d47b9582cbe35ce14dd1c2

SHA1
6436235fe0138d698cd3f58f162dd14e4fb68812

SHA256
34de259d5c6ce70260efa0c1795276585af773f19e0b5f9bae810bc063ebec08

SHA512
095b68fd3e7ee9a017ee9817dc6da29d5462e66b8638e7f2fd871c73752e83d7ad302b75eb9700f20a81d4fec4e7d8202e5e6c48483b2b6b3f6c9cb3fe903e93

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
1323f27be810bd67a897991775455a2b

SHA1
418cc499e03e802e35224aa663d30a2bda18057e

SHA256
f666576089377bb8cf00163b04e93b63aee7f1e59617493681bb4da5e4562040

SHA512
4fe223c3403eef9e3263332095bcf58d4d205bd3cf14e00e8fa86471098f54c69bf4e00c7178ce6794c9cd0a7f7f427c4eeb304ea393f85c960c26f88d35cabb

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
251385bcb2e43cb2af2ecefe4b2906e6

SHA1
b95ecea97ea330d88a4d3ab3654d29801160770a

SHA256
1d08afac7383a9e1b6e842d4f1d2c1715874c3f52ad921c2993cc4d6736ea3af

SHA512
a1bb013a7a17dac8a26baaafec4ee29d81cdc99da5168229e26245cfb7503b120c0517ac0ebb737e814ca81342d2da0c37d22bb60ab51cb78aed46a09d70c799

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
5c229a00067e300e0c1a6a25e37c73c8

SHA1
bb58b1ac7eb4f9f6fc64564ea917a067d9ae4493

SHA256
2aedd3463e663b621d5ab2745cf7500416d4401ce769ba46216be03a3fc80da8

SHA512
6a8572a92d1de47abfe303fa0bbbbaa112a058d842dedfe1ec81f967ccff4d91f75ded3b0ae84e40bd98de83800f18e1e0c144b147da29253514f294b60a9357

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
42eae83751edde5b2aa47eae903e4ea3

SHA1
9ace6c2c5aa0384a6ab1dbf60a0f01972438d6ed

SHA256
47c1fe91fa4d356d158632f90706c7ceb91645b0b99d4004729f52ea9f82e94e

SHA512
154dae0b834205e38f8c29da55bcc0d460b44c210497d500cd9168388135e4da3c6d9a1ae0fccd74575e999f0dd6c975a700721bd85e14addce05b1f9bc1e69d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
e211300399186277e071ee4dfed8fb1a

SHA1
05d3c2e21d93746183ceeca891fd71d73e8317aa

SHA256
a691a5bd81380e3a812e71a4af1583566ada24f3235ea2132da44cb0370eecd0

SHA512
94212fe3425c433f0ae029ccbd96feb198a1488086f316adf878da91178cf658fe69eb30494fbfe327847ddbfffbd9c62d76653a3dd3218f372e5ba15c34804a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
9394ac985354f55b16aba031e72ff618

SHA1
d39db61f9924558ac40d3d947f7d3356497251fe

SHA256
a6048d12d958ed675eaab4287f55bcebc287ba3ce8ae0aa9be6ccf239ba11eef

SHA512
90400abbb1e757d203799b9d77f3366ccb3c009fc8b5c564a47a014d05c85fc735f2bcb4d6f624b3faf5167f084a05fef3bcabbc718353a2ae04c1320d12af21

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
2e946a3300e4fe6b8118fd8df9112166

SHA1
1d5001591ded9a36bfccef0128a7a16b9b6903c2

SHA256
dce14c060990d63e5f666e918f993f732fdf8a3b66494235f728520cc9d204c3

SHA512
136d799a77085ad89a0ace76708d8fdd167c2e90c9a313477de876babda9298d2331de38ab3029187e7c043b4c77c60de692582cc52a7e6287144a3f862e3960

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
8d943279decb4d37b1c86fab2205be40

SHA1
30cbf6e4f115b8edacf32835a9d8dadf5b0288fc

SHA256
fb32ea0fe654a1cc5813c031f7769182cfdf3ba7e5855d46e5ab4717e2d977d0

SHA512
ef54ad911e06ce5be977d4b4489166712bd14037d3b8811c0a49e159cfce05e9958edbf1fa73bb89f64bed77419e4eb84f1d2371b3f0989eaa372a4382f9dd95

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
1e6f2318a2debd4b93d9d7f76e16ae45

SHA1
d07701323877df4ae672f30deafe00d24a3866a2

SHA256
13f0e11da84502f18cb7669fc907df0bc0c173f7085137fe0674877df5e2d684

SHA512
0e5b6dee186a1cd574531e6a694cb40175695761599ac32a5e7af5e86800ffb62cb9ec33db642608aace24bc0cd4afc12d3030fc19114fce1e192631a8010623

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnl8814.tmp

Filesize
172KB

MD5
87bda1335cec99002fd5622b7c0e26d1

SHA1
9c914c939392d4ba3fdff1cbde44cb8835e765f6

SHA256
8562c914dde74409f4b0fb5d5533627f61a8548b1a28c9c744ba193b8b337908

SHA512
98c0ef7c64721d1a4fe0230e2c2347a14889bb1e3ed32c235e4326e09e106a9ca2163893bd1e53596aa2a21ceeb2f7b3f4f55c0d05fec563a010a95a97daf31c

Download Submit
C:\Windows\SysWOW64\dvpuba.exe

Filesize
293KB

MD5
985a900e7f555217aa37694a60f3bb31

SHA1
5b221416d1b2c74aff8b74969e96774719526ea0

SHA256
b700827754ce45a301db35df77bf3018722a75c73f547c5e69c859edae9c3089

SHA512
cbdbe55c14865c9e8e02873f8c0c6c620e2b72a7fe11e1c7386be0d3e5c97986ae1274eb5e27e3e00e3930f4e42926c16f9a3f20e5072bf5958425744b79248e

Download Submit
C:\Windows\SysWOW64\dvpuba.exe

Filesize
406KB

MD5
d305aeaac8d8150617c57b73a013549f

SHA1
452801052842c9994ba3659a917ef7a254438fe5

SHA256
568393b17b630175b801714c2f158f18a56c5dfbac117d1d90c544fdae025157

SHA512
3159d875733edffe90f1372107acfdb760c55fcad7a484cd94c66fbcabd941d1958597f6cbe27299ea4fd3fdd496db3e6420bc026f4f34cc35981a6b48b446bf

Download Submit
C:\Windows\SysWOW64\dvpuba.exe

Filesize
165KB

MD5
6184d3403a4f40362f03e5e890e85423

SHA1
023e7a88666910e371349ad2df821cf6b6d8a5dc

SHA256
8468fd834e026ec7c2a16b334ccbb9e003b51c911d18c0ceaf77cda23b73ad87

SHA512
33e8482ca9656e40c9db2637535e09eb15bf7c16572c5a8425c89152abc7b52f30d45cafea48be093a7e7ec76425ef4144c42e6288aec80c2dee14b18157c0e8

Download Submit
C:\Windows\SysWOW64\jbfwgs.exe

Filesize
492KB

MD5
cd8903492165274f0999c76538285bfe

SHA1
b229a5848e68da302c5e8779d5d516abbb6497a8

SHA256
6f7e7434dbec12ebb4563ea522e90609cfecffac12a23aa7009f709100a0cf68

SHA512
437ad956bcb869fdf216fd00b67205e2691ea922b182c15bac9362af3b4db73d0d14c0690bfade0fe8ecba72dd72d0ba1cb875d5ffa0c8811ceaeb2e171c01e1

Download Submit
C:\Windows\SysWOW64\jbfwgs.exe

Filesize
844KB

MD5
6e620227ba8c90d7c5f53018a51e47de

SHA1
935ef31c182b5742cdf56551b9e5f0d29d11c34a

SHA256
e0f11b3e78e9534943c71b5e1e6c244c7b2b524b0cab6d1f31f40b046faccb97

SHA512
8b884bda48792e7529515bff8dd8a2eb4a3325a5a1f4d030bf1ab169eaa9a511e9c2d50c25dc4f66a767143995b9153c33d6593338951ea5469fdaf715640389

Download Submit
C:\Windows\SysWOW64\ntzlab.exe

Filesize
785KB

MD5
31503d9d489dc8a6e358c29ee572e807

SHA1
f585e9f93545f022a3ea515787663ccbf47aa4a5

SHA256
72142a8f7bee5a86fefe0a207c981edec3be8c48341fcaae461724e7bb0954e3

SHA512
dd3ba04fb64b250994b0ad4676411686966a9175462b1c6d8d3d2873be66ce71b8a6e9e2541a805eae26987fa0fcb80c21e5df751154dc6f5d7534f28a6987a0

Download Submit
C:\Windows\SysWOW64\ntzlab.exe

Filesize
636KB

MD5
f39fbda3da5e7b4e32af54afad1240a1

SHA1
af1ecde431abc042861bbf0d7d95327ba97879f2

SHA256
49c5aa2a6e924692d530891d46be1d30f0941e92e47626f61a78617f1d7d793c

SHA512
47bd000454a80db03d8b9095963468ac60a8cebf8ac5e3911caf51ee72028575008ee12054d152607a553ae776441ac43067249974cd4f9f73e1748a8eb9b22f

Download Submit
C:\Windows\SysWOW64\nvnnbh.exe

Filesize
274KB

MD5
a9f7723dbb68df9b802003014958fa4b

SHA1
bd4a31f682b52331a0967c7bb12cfe8afa070f76

SHA256
5f559eab63b2219a684636375014ecff1aadffbc65e3ce025d500ce25a6a9a0e

SHA512
43e10a6092ac3a7841b12625cb97500fb2d9ea9a9d477399eda941b1ef04b46fbdae609d89c6bcf88bdaedf50eae64588f17e8f6b0355dd4c1ef599741f0c62e

Download Submit
C:\Windows\SysWOW64\nvnnbh.exe

Filesize
561KB

MD5
8faa54b0930cb632ede04278c5cfe177

SHA1
cfeba527a6d09548d9c55e00f6971d4c84108240

SHA256
97861c0f09e765f2b1f8adcd43da9815d201cbcd547e8bbd195c3c99b8ba54d5

SHA512
cea8b92366853f38f4ec549b23a31629276093b81035a47bb5bbbbeaf0ea05162bf165b6ea657faf750128497c4e65e430580bed29469f996ec6af362694349c

Download Submit
C:\Windows\SysWOW64\sfhlei.exe

Filesize
231KB

MD5
77a88811d4502b94718d21114c39b0b2

SHA1
0af0f589d8e5679b419bf6d361757ddb182516cc

SHA256
79014cd5156b1e30a794f2b9b77bb965a468e75c6d178a9846473b65c88c6605

SHA512
6c121191802154123603ced501ee25d25094076969da19ae2adaf687bb7f15bc46f26f56f5852aaa00090495a09754185fd51bd8e0a3e89b5fe28d508bd9c650

Download Submit
C:\Windows\SysWOW64\sfhlei.exe

Filesize
225KB

MD5
67766701ae98b0e7be14412cfc3a1347

SHA1
120fdb1754097bfc1f3eefa8a82c44717e6d8ece

SHA256
05860dce101af4f4f5390276401bc029e6bf70cf4fa42e016f11d4e490cbd5bb

SHA512
b5b1ea1221d9108aa1a3d9657f4ce6e04e4042f1cb7601e0d67ae492d66f8a0ba6d48652b316f14ec364afe694a52deab8203a2023db3929b84989a2f8804228

Download Submit
C:\Windows\SysWOW64\sygqrh.exe

Filesize
72KB

MD5
c139338ac5a29092595018c1f164964a

SHA1
ce52b0f6925b51680982e1b09aaf5b2e6893c78c

SHA256
fb9b11f0fb59e583eb37f1208bd981c840308f21815afa894e38538561112eae

SHA512
4bfc398872f3825d309582f75a82f71249aec20e14acd7feb2a29f7e5e7c79d7f0d9ba95a378cbe169f182e225bb2db7c88129c5ce25cccafa4c3ed53379b167

Download Submit
C:\Windows\SysWOW64\sygqrh.exe

Filesize
51KB

MD5
e3c6003f9311a8b36917afd5823fe74d

SHA1
9813bda85041f2edce199d8a0174ef070d3f3aef

SHA256
5608a36d2a817b63bd19c8b27060808ab19b6e4558511a9d44936afec40cd246

SHA512
20ea5f2776c9e39ecb8daca51bbf170ef730ee1cd96da56a95cf34c25fb5a0a0408da3110dc519e12ee5883669567da8f1a175ceab560b8a1949fe8f32ccb85a

Download Submit
C:\Windows\SysWOW64\tauuor.exe

Filesize
120KB

MD5
c2314c14bebd9a780bccb181360b89df

SHA1
623bec6f56e35e574d81fce0fab138ab1e2fc91b

SHA256
76d7aeb135a5b8106a72b61c86a592877a3e9a3245505a1ba1c2a51df272a9d5

SHA512
3c19cfa045508eb223e244f09f8611fb95ce8b752480d15b641289ee1aebbb0f91c386077d43623532ff894487ab57736b44caff4166a407c4a20db647a175ff

Download Submit
C:\Windows\SysWOW64\znxzph.exe

Filesize
167KB

MD5
485f42ae9d8ca2db7daca1efbd917f42

SHA1
1127d41204fb6c87e3beb9625f2922eaaf5afbc5

SHA256
3dc19412eea2390f37b54477feb49da5305e1140d6cfbf863898944638da18f3

SHA512
702ac9fa70be9d3da03f92a046ac3a2571b6e3bc546a1f70249ced8c67b32465cd4f34c396c543acba89a42a5db29f4f980744d77857ee7192805995411d52de

Download Submit
C:\Windows\SysWOW64\znxzph.exe

Filesize
203KB

MD5
c7083ee881790c3e4c25e36ce22a4b25

SHA1
829097176c907a9f4147b3ec7671995619641076

SHA256
ffa1a8f6c8dd1d9d2714d7c24319b518137b56c0ba8ab90bd887a4fd21cb6bc8

SHA512
94e25142e6f74abda839784901ff35a16759241e11a8b6a38a5622279a24bb83a4b622a46bcb5fb427b5ddf1b49f21d74939a280c236ac95bf0a495b4ab5b41f

Download Submit
\Windows\SysWOW64\dqqtfi.exe

Filesize
924KB

MD5
058cd6a37e24b8b60d0f2f94d26d7acc

SHA1
429084f91b93a40a3b93a05107337fd98766807b

SHA256
f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37

SHA512
09f14db43b00f0f72c330ddc25efe6592b5bb465c14a4f72b82957ff59510524719971524c62bf4a799a8c3bcd8e4345a0000595d2f1751029591413eb495039

Download Submit
\Windows\SysWOW64\dvpuba.exe

Filesize
384KB

MD5
ce327210d65d819a619a2c8fed1b3475

SHA1
c7bc6963dfab781921ea50b122ee15f8ecc6387a

SHA256
342bfdbeaee0131dfce7c7b2bb42811871ae32e6127b5b99f84a72eb12bbb50b

SHA512
ccdd4aac6b01ec4b87b49747c986391b0d0ce237fdc67217e9eef969ed7401c1c61c94d7cf1b77b368e970c844066a9422daf28b27e2b237f8e8ff5e8dd67144

Download Submit
\Windows\SysWOW64\dvpuba.exe

Filesize
341KB

MD5
65a553c4f60210cd3b48e702aa3a79c9

SHA1
e3828b1d8170b033a26449a0ca5f6cffa29da39c

SHA256
75e3d2e35ba993b9c66b3f0e17422aeafba5102a18c312986f54c4039eaae190

SHA512
9bcc0fbbd6b0d67b4277df4a5b22e755a38fee87df9e32051808bb5e21018d30ade30389a14eb19e80fc9b88870c411b3ea9ce266a41d8b101328f1ebdd6b0bb

Download Submit
\Windows\SysWOW64\jbfwgs.exe

Filesize
578KB

MD5
7b7f8c54a1f652d6823021e03599036c

SHA1
74ddebaea6c39dcd44c3686f0ba0697b04a5bc85

SHA256
45b35d01df4d8c605b34fe04baf1fea4419e4232256f3ad5bb925aab6ff54f95

SHA512
faa8f9ef6cdf1d5a9692139e86b0b795b865a34e14d1b4a6bd861e1a904720796686c29f3f772924265e47283941e320d30385f6693186bb074b57e7e19dde2e

Download Submit
\Windows\SysWOW64\nvnnbh.exe

Filesize
128KB

MD5
33a7dd635b7645b37afc1ef9dddbadc8

SHA1
5859a7dc330314e57949ebba945f5fb3b8c201d9

SHA256
829c5d5727770323d87f2116c6f6f1310496ee310da0e95dc9de22f2123cb050

SHA512
55ebef2e23f34def0c10c85c363ef94db8165139ee141bae2403008bd353ff5b27f081ea29c54be1f00575eab6a0e420ecd0bd26cfe1d8aaa5bde55e7ca9c46d

Download Submit
\Windows\SysWOW64\nvnnbh.exe

Filesize
225KB

MD5
42f64bce9fe9f01049d1c00ed3b1005e

SHA1
2074c2942410d1c432378bcba8c50b60d1d025ab

SHA256
f0350e333a16c0864a1b7f7c10dc1e684f3fc4900941345f5085732ee598495f

SHA512
9c2466ac20143004d42e0375dc5984acf7a0d275ebb45a1e151943842fdfb769ed535d35514aa49dfca8d0a6e4e5b73c743b8f4a64e7785d52e09d24fa8626ae

Download Submit
\Windows\SysWOW64\sfhlei.exe

Filesize
394KB

MD5
8229dc444be5f5e93372860734302ce0

SHA1
64346832a88343cc5f98fc922e248ae437b286e0

SHA256
a75701bcf27aab69b9cea96df5f03effa616c2e837dcd002e5c4175c63a1ee1c

SHA512
1202d19dd0249ab30550367bc4d6ae90c236de9352c801f04165839e36355cc5683944b470b8498f80c37cbcbba6e61953da817995753db5fc62dcf023c87bcb

Download Submit
\Windows\SysWOW64\sfhlei.exe

Filesize
331KB

MD5
2e6d4738e6c02bcacc4ce1448759de23

SHA1
a4a83f670e26869ad41ce35dd3df68b583f8d913

SHA256
d1dc77d3b9d4b3ea6cd5835eb8b4acb6d90101e66f5361fce9cc49ca5a4b1415

SHA512
f1a29b38f8842353987bd0eafb6b6e3bde59e5155e3bb905fa538ebd216ed5006fd690bb0e0330b1fb7607d611d2051517d5349452016ad374647096679eedee

Download Submit
\Windows\SysWOW64\sygqrh.exe

Filesize
129KB

MD5
eb423d26f4b7af22c113fab13df79cb5

SHA1
cc81a2ad4fccc36c41b8be5bb3acb5c7aee36bac

SHA256
3fdda15ca1324558d0397efafa914c8e62dcd21fd2fcc5cec57d3d796eaa40e1

SHA512
d5ac23bf48d7e12d7798c77078a43fb1ad8cc99068fac63735857b8b272257f54acaed5acf71d2f1222049bd2ca5e52bf3a2d9321afff613543a7d44e68e8328

Download Submit
\Windows\SysWOW64\sygqrh.exe

Filesize
170KB

MD5
89a049f786f8d79382844e0a9d678dd8

SHA1
9ce984e5a479406990dbb6d4679b7d0d2020089d

SHA256
9876f2c0e697d1b7a713120ae1d44c994e6418d06587769ab12daeef54c678b2

SHA512
6accc2365bc15c69b89f64917d1c2a2f88484b4fe7cdb379a8b9612bda216219bc97ad31c69fd432e6d89c7186440237dbd1ba8824118030b316ca10a8e7ddc6

Download Submit
\Windows\SysWOW64\tauuor.exe

Filesize
416KB

MD5
f847f1da2447b97b3dd2c36587163586

SHA1
aba1ab77d5eef26c58bdd8bed376533f10ca97bf

SHA256
4cfa981d6b72fddf8714934fca851662edb190904df86507f5cebdb34cb0d130

SHA512
420c948c57ece735a404f30da3423785d03de41d8d1a17a50fcf2ec4de08e7b280086566661280b32ddb795a76e4a3daa73888d654e6e7b552868e1ea1c7767f

Download Submit
\Windows\SysWOW64\znxzph.exe

Filesize
109KB

MD5
9abb0d3fdd28c61d2b531eda0b434a58

SHA1
39c4638f19151ca003c3c6b8d69a76f0d7b3ffe6

SHA256
41794e10cbb0bddca64925f0244a37f27db17a0a815088dc0ceb700b48716f4f

SHA512
c8e7e714a16a3185e7849cc8c11de69e0062f447713f3a5f101cbbc8ba4e2de29aa21d6de5917e85ddcea7fe5c27ed4c6c304d95ca18ec55fa33056408de5e2b

Download Submit
\Windows\SysWOW64\znxzph.exe

Filesize
126KB

MD5
f90c0a57e03a3c24d7161688ff472f8d

SHA1
a91375ed9488b95106d3549ab33dd6d711e86363

SHA256
b69b9c3da93b4e96e5ad81457e631d1d7eb6856d2c11c6c3f7325d5671946d78

SHA512
bc9cd76e5ba820e44e0ca03922a6d75e92a4741576408479d66d3d795e01402d5ac2b400e7d3837ae759efbef3145f9a9c23f5494753d3d2b27504e19b16ef26

Download Submit
memory/1032-505-0x0000000002FD0000-0x0000000003160000-memory.dmp

Filesize
1.6MB

Download
memory/1032-515-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1032-474-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1032-491-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1032-503-0x0000000002FD0000-0x0000000003160000-memory.dmp

Filesize
1.6MB

Download
memory/1420-597-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-141-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-142-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-127-0x0000000000800000-0x0000000000889000-memory.dmp

Filesize
548KB

Download
memory/1616-129-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-176-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-143-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1616-147-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1688-266-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1688-307-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1688-287-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1808-228-0x0000000002F60000-0x00000000030F0000-memory.dmp

Filesize
1.6MB

Download
memory/1808-241-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1808-217-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1808-196-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-7-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-33-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-6-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-10-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-13-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-32-0x0000000000310000-0x0000000000399000-memory.dmp

Filesize
548KB

Download
memory/1968-8-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-1-0x0000000000310000-0x0000000000399000-memory.dmp

Filesize
548KB

Download
memory/1968-9-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1968-11-0x0000000000310000-0x0000000000399000-memory.dmp

Filesize
548KB

Download
memory/2100-252-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2100-276-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2100-231-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2104-537-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2104-568-0x0000000003100000-0x0000000003290000-memory.dmp

Filesize
1.6MB

Download
memory/2104-556-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2104-566-0x0000000003100000-0x0000000003290000-memory.dmp

Filesize
1.6MB

Download
memory/2104-581-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2164-535-0x0000000003020000-0x00000000031B0000-memory.dmp

Filesize
1.6MB

Download
memory/2164-550-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2164-525-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2164-507-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2432-443-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2432-462-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2432-493-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-40-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-41-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2532-26-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2532-36-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-37-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-39-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-38-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-70-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2532-43-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-25-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2532-53-0x00000000031B0000-0x0000000003340000-memory.dmp

Filesize
1.6MB

Download
memory/2532-73-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2552-441-0x00000000031D0000-0x0000000003360000-memory.dmp

Filesize
1.6MB

Download
memory/2552-445-0x00000000031D0000-0x0000000003360000-memory.dmp

Filesize
1.6MB

Download
memory/2552-453-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2552-429-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2552-410-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2568-367-0x0000000003210000-0x00000000033A0000-memory.dmp

Filesize
1.6MB

Download
memory/2568-358-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2568-335-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2568-384-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-99-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/2584-77-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/2584-55-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/2584-64-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-65-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-71-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-74-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/2584-72-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-76-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-79-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/2584-107-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-66-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2584-90-0x0000000003010000-0x00000000031A0000-memory.dmp

Filesize
1.6MB

Download
memory/2636-333-0x0000000003220000-0x00000000033B0000-memory.dmp

Filesize
1.6MB

Download
memory/2636-320-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2636-299-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2636-352-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2688-588-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2688-569-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2688-610-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2752-164-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2752-193-0x0000000002EC0000-0x0000000003050000-memory.dmp

Filesize
1.6MB

Download
memory/2752-183-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2752-206-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2764-395-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2764-373-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2764-423-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-136-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/3020-137-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-110-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-92-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-105-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-113-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-116-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/3020-109-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-111-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/3020-126-0x0000000003260000-0x00000000033F0000-memory.dmp

Filesize
1.6MB

Download
memory/3020-106-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3020-114-0x0000000000590000-0x0000000000619000-memory.dmp

Filesize
548KB

Download
memory/3020-108-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download