f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

058cd6a37e24b8b60d0f2f94d26d7acc.exe
Size

924KB
MD5

058cd6a37e24b8b60d0f2f94d26d7acc
SHA1

429084f91b93a40a3b93a05107337fd98766807b
SHA256

f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37
SHA512

09f14db43b00f0f72c330ddc25efe6592b5bb465c14a4f72b82957ff59510524719971524c62bf4a799a8c3bcd8e4345a0000595d2f1751029591413eb495039
SSDEEP

12288:/VUzFj9BMweqIN8gNJmLKOlUTsnevI8XWAR1OcOWYEEvYMbR2jCi+rpHihz:/VUzFh+mONJnTFvjGA/OTvHvYK26HS

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 46 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	udisdt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ndsbhp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	xjeprv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jovlrc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uujfan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ojvtnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	agoxqo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ogjmug.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ismwvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amvzpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zxxkea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	agoxqo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	opzeri.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	opzeri.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	idvzhu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	amvzpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uujfan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ismwvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ormzau.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wgsbra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iekzmw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	idvzhu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tpfjyt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	tpfjyt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ndsbhp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ogjmug.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fljzur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xjeprv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhfblu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jovlrc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	frccda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xoibvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	iekzmw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zxxkea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ojvtnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rhfblu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	fljzur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	udisdt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	xoibvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	frccda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wgsbra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ormzau.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ioxmvi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ioxmvi.exe

Executes dropped EXE 22 IoCs

pid	Process
2028	tpfjyt.exe
3668	ndsbhp.exe
4568	ismwvd.exe
3972	amvzpd.exe
4072	fljzur.exe
4212	xjeprv.exe
1540	zxxkea.exe
692	uujfan.exe
4860	ojvtnb.exe
2516	jovlrc.exe
224	ormzau.exe
4092	ioxmvi.exe
2476	frccda.exe
1884	agoxqo.exe
820	udisdt.exe
2992	xoibvc.exe
2884	rhfblu.exe
1412	wgsbra.exe
4276	opzeri.exe
1440	iekzmw.exe
3224	ogjmug.exe
4420	idvzhu.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ismwvd.exe	ndsbhp.exe
File created	C:\Windows\SysWOW64\udisdt.exe	agoxqo.exe
File created	C:\Windows\SysWOW64\opzeri.exe	wgsbra.exe
File opened for modification	C:\Windows\SysWOW64\xoibvc.exe	udisdt.exe
File created	C:\Windows\SysWOW64\rhfblu.exe	xoibvc.exe
File opened for modification	C:\Windows\SysWOW64\ndsbhp.exe	tpfjyt.exe
File created	C:\Windows\SysWOW64\ismwvd.exe	ndsbhp.exe
File created	C:\Windows\SysWOW64\xjeprv.exe	fljzur.exe
File created	C:\Windows\SysWOW64\uujfan.exe	zxxkea.exe
File opened for modification	C:\Windows\SysWOW64\frccda.exe	ioxmvi.exe
File opened for modification	C:\Windows\SysWOW64\idvzhu.exe	ogjmug.exe
File opened for modification	C:\Windows\SysWOW64\amvzpd.exe	ismwvd.exe
File created	C:\Windows\SysWOW64\zxxkea.exe	xjeprv.exe
File opened for modification	C:\Windows\SysWOW64\uujfan.exe	zxxkea.exe
File created	C:\Windows\SysWOW64\jovlrc.exe	ojvtnb.exe
File created	C:\Windows\SysWOW64\iekzmw.exe	opzeri.exe
File opened for modification	C:\Windows\SysWOW64\jovlrc.exe	ojvtnb.exe
File opened for modification	C:\Windows\SysWOW64\ormzau.exe	jovlrc.exe
File opened for modification	C:\Windows\SysWOW64\wgsbra.exe	rhfblu.exe
File opened for modification	C:\Windows\SysWOW64\tpfjyt.exe	058cd6a37e24b8b60d0f2f94d26d7acc.exe
File created	C:\Windows\SysWOW64\amvzpd.exe	ismwvd.exe
File created	C:\Windows\SysWOW64\fljzur.exe	amvzpd.exe
File opened for modification	C:\Windows\SysWOW64\xjeprv.exe	fljzur.exe
File opened for modification	C:\Windows\SysWOW64\zxxkea.exe	xjeprv.exe
File created	C:\Windows\SysWOW64\ogjmug.exe	iekzmw.exe
File opened for modification	C:\Windows\SysWOW64\ogjmug.exe	iekzmw.exe
File created	C:\Windows\SysWOW64\idvzhu.exe	ogjmug.exe
File opened for modification	C:\Windows\SysWOW64\dpdqad.exe	idvzhu.exe
File created	C:\Windows\SysWOW64\ndsbhp.exe	tpfjyt.exe
File opened for modification	C:\Windows\SysWOW64\fljzur.exe	amvzpd.exe
File created	C:\Windows\SysWOW64\ojvtnb.exe	uujfan.exe
File opened for modification	C:\Windows\SysWOW64\ioxmvi.exe	ormzau.exe
File created	C:\Windows\SysWOW64\dpdqad.exe	idvzhu.exe
File created	C:\Windows\SysWOW64\tpfjyt.exe	058cd6a37e24b8b60d0f2f94d26d7acc.exe
File created	C:\Windows\SysWOW64\ormzau.exe	jovlrc.exe
File opened for modification	C:\Windows\SysWOW64\iekzmw.exe	opzeri.exe
File created	C:\Windows\SysWOW64\ioxmvi.exe	ormzau.exe
File opened for modification	C:\Windows\SysWOW64\agoxqo.exe	frccda.exe
File created	C:\Windows\SysWOW64\wgsbra.exe	rhfblu.exe
File opened for modification	C:\Windows\SysWOW64\opzeri.exe	wgsbra.exe
File opened for modification	C:\Windows\SysWOW64\rhfblu.exe	xoibvc.exe
File opened for modification	C:\Windows\SysWOW64\ojvtnb.exe	uujfan.exe
File created	C:\Windows\SysWOW64\frccda.exe	ioxmvi.exe
File created	C:\Windows\SysWOW64\agoxqo.exe	frccda.exe
File opened for modification	C:\Windows\SysWOW64\udisdt.exe	agoxqo.exe
File created	C:\Windows\SysWOW64\xoibvc.exe	udisdt.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kshdpiAovxtw = "MlfgXi@iTMWmH[bKBQe"	xoibvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "rjGW]"	opzeri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	ogjmug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "wbB\\`"	idvzhu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAupYVkgOg"	tpfjyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "yAYj}"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "f{STJPAX\\IBvCnpAPX"	ormzau.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "f{STJPAG\\IBvCnpAPX"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ahtnieyywa = "izDcNGD@_nsp\|X@dIkXLSWqb"	iekzmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAupIVkgOe"	ismwvd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	ojvtnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAutyVkgOf"	fljzur.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ahtnieyywa = "izDcNGD@_nsp\|X@dIkXLSWqb"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "F{STJPA\\\|IBvCnpAPX"	uujfan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "skZI^"	uujfan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "CaLIc"	ojvtnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAu{YVkgOe"	ojvtnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ahtnieyywa = "izDcNGD@_nsp\|X@dIkXLSWqb"	tpfjyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "{gdlg"	ndsbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "F{STJPAB\|IBvCnpAPX"	iekzmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "lYWm{"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kshdpiAovxtw = "MlfgXi@iTMWmH[bKBQe"	udisdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\idnarmvkVq = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU_F"	jovlrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	jovlrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ZficuRScgxnq = "qnJ[teaErBoDG_bgNVKr\x7fnA"	ismwvd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "V{STJPA]\\IBvCnpAPX"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "V{STJPAP\|IBvCnpAPX"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "lNEwr"	xjeprv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAu\x7fiVkgOe"	frccda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kshdpiAovxtw = "MlfgXi@iTMWmH[bKBQe"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	iekzmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAuwiVkgOe"	fljzur.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ZficuRScgxnq = "qnJ[teaErBoDG_cgNVKr\x7fn@"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAu\|IVkgOg"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	udisdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	idvzhu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ZficuRScgxnq = "qnJ[teaErBoDG_aWNVKr\x7fnB"	ioxmvi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ahtnieyywa = "izDcNGD@_nsp\|X@dIkXLSWqb"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\idnarmvkVq = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU_F"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "F{STJPAFlIBvCnpAPX"	rhfblu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAufiVkgOd"	opzeri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "uOfxL"	idvzhu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "_gUSF"	amvzpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAuxyVkgOd"	ojvtnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAupiVkgOd"	tpfjyt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAutYVkgOe"	xjeprv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\XyBh = "_NX@YXCiNzERZrLidUYE\\ZwgdvEXv"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kshdpiAovxtw = "MlfgXi@iTMWmH[bKBQe"	uujfan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "zNYhy"	agoxqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "\\SAmF"	udisdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\IME\\IMETC\\IMTCCFG.DLL"	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\idnarmvkVq = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU_F"	ndsbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "Ay^[`"	xoibvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\idnarmvkVq = "pXMblZ~^aTCqd{XBj\|EKxDkl_}FU_F"	wgsbra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ZficuRScgxnq = "qnJ[teaErBoDG_gGNVKr\x7fnD"	iekzmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "Wv~]Z"	ogjmug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "V{STJPAG\\IBvCnpAPX"	udisdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ahtnieyywa = "izDcNGD@_nsp\|X@dIkXLSWqb"	xoibvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAuuIVkgOd"	zxxkea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ZficuRScgxnq = "qnJ[teaErBoDG_awNVKr\x7fnB"	frccda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yeKFnqpGJj = "EZCh_"	iekzmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAugYVkgOg"	ogjmug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\GwWefIuyb = "V{STJPAWlIBvCnpAPX"	ndsbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\atzdmevjuhGph = "fZhKr\\DAuwyVkgOg"	amvzpd.exe

NTFS ADS 23 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ojvtnb.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	agoxqo.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	xoibvc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	opzeri.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ioxmvi.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	frccda.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	udisdt.exe
File created	C:\ProgramData\TEMP:C980DA7D	tpfjyt.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	amvzpd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	fljzur.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	xjeprv.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	jovlrc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	rhfblu.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uujfan.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ormzau.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	wgsbra.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	idvzhu.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ogjmug.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	tpfjyt.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ndsbhp.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	ismwvd.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	zxxkea.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	iekzmw.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: 33	5100	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Token: SeIncBasePriorityPrivilege	5100	058cd6a37e24b8b60d0f2f94d26d7acc.exe
Token: 33	2028	tpfjyt.exe
Token: SeIncBasePriorityPrivilege	2028	tpfjyt.exe
Token: 33	3668	ndsbhp.exe
Token: SeIncBasePriorityPrivilege	3668	ndsbhp.exe
Token: 33	4568	ismwvd.exe
Token: SeIncBasePriorityPrivilege	4568	ismwvd.exe
Token: 33	3972	amvzpd.exe
Token: SeIncBasePriorityPrivilege	3972	amvzpd.exe
Token: 33	4072	fljzur.exe
Token: SeIncBasePriorityPrivilege	4072	fljzur.exe
Token: 33	4212	xjeprv.exe
Token: SeIncBasePriorityPrivilege	4212	xjeprv.exe
Token: 33	1540	zxxkea.exe
Token: SeIncBasePriorityPrivilege	1540	zxxkea.exe
Token: 33	692	uujfan.exe
Token: SeIncBasePriorityPrivilege	692	uujfan.exe
Token: 33	4860	ojvtnb.exe
Token: SeIncBasePriorityPrivilege	4860	ojvtnb.exe
Token: 33	2516	jovlrc.exe
Token: SeIncBasePriorityPrivilege	2516	jovlrc.exe
Token: 33	224	ormzau.exe
Token: SeIncBasePriorityPrivilege	224	ormzau.exe
Token: 33	4092	ioxmvi.exe
Token: SeIncBasePriorityPrivilege	4092	ioxmvi.exe
Token: 33	2476	frccda.exe
Token: SeIncBasePriorityPrivilege	2476	frccda.exe
Token: 33	1884	agoxqo.exe
Token: SeIncBasePriorityPrivilege	1884	agoxqo.exe
Token: 33	820	udisdt.exe
Token: SeIncBasePriorityPrivilege	820	udisdt.exe
Token: 33	2992	xoibvc.exe
Token: SeIncBasePriorityPrivilege	2992	xoibvc.exe
Token: 33	2884	rhfblu.exe
Token: SeIncBasePriorityPrivilege	2884	rhfblu.exe
Token: 33	1412	wgsbra.exe
Token: SeIncBasePriorityPrivilege	1412	wgsbra.exe
Token: 33	4276	opzeri.exe
Token: SeIncBasePriorityPrivilege	4276	opzeri.exe
Token: 33	1440	iekzmw.exe
Token: SeIncBasePriorityPrivilege	1440	iekzmw.exe
Token: 33	3224	ogjmug.exe
Token: SeIncBasePriorityPrivilege	3224	ogjmug.exe
Token: 33	4420	idvzhu.exe
Token: SeIncBasePriorityPrivilege	4420	idvzhu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 2028	5100	058cd6a37e24b8b60d0f2f94d26d7acc.exe	93
PID 5100 wrote to memory of 2028	5100	058cd6a37e24b8b60d0f2f94d26d7acc.exe	93
PID 5100 wrote to memory of 2028	5100	058cd6a37e24b8b60d0f2f94d26d7acc.exe	93
PID 2028 wrote to memory of 3668	2028	tpfjyt.exe	96
PID 2028 wrote to memory of 3668	2028	tpfjyt.exe	96
PID 2028 wrote to memory of 3668	2028	tpfjyt.exe	96
PID 3668 wrote to memory of 4568	3668	ndsbhp.exe	99
PID 3668 wrote to memory of 4568	3668	ndsbhp.exe	99
PID 3668 wrote to memory of 4568	3668	ndsbhp.exe	99
PID 4568 wrote to memory of 3972	4568	ismwvd.exe	101
PID 4568 wrote to memory of 3972	4568	ismwvd.exe	101
PID 4568 wrote to memory of 3972	4568	ismwvd.exe	101
PID 3972 wrote to memory of 4072	3972	amvzpd.exe	103
PID 3972 wrote to memory of 4072	3972	amvzpd.exe	103
PID 3972 wrote to memory of 4072	3972	amvzpd.exe	103
PID 4072 wrote to memory of 4212	4072	fljzur.exe	105
PID 4072 wrote to memory of 4212	4072	fljzur.exe	105
PID 4072 wrote to memory of 4212	4072	fljzur.exe	105
PID 4212 wrote to memory of 1540	4212	xjeprv.exe	107
PID 4212 wrote to memory of 1540	4212	xjeprv.exe	107
PID 4212 wrote to memory of 1540	4212	xjeprv.exe	107
PID 1540 wrote to memory of 692	1540	zxxkea.exe	108
PID 1540 wrote to memory of 692	1540	zxxkea.exe	108
PID 1540 wrote to memory of 692	1540	zxxkea.exe	108
PID 692 wrote to memory of 4860	692	uujfan.exe	110
PID 692 wrote to memory of 4860	692	uujfan.exe	110
PID 692 wrote to memory of 4860	692	uujfan.exe	110
PID 4860 wrote to memory of 2516	4860	ojvtnb.exe	113
PID 4860 wrote to memory of 2516	4860	ojvtnb.exe	113
PID 4860 wrote to memory of 2516	4860	ojvtnb.exe	113
PID 2516 wrote to memory of 224	2516	jovlrc.exe	114
PID 2516 wrote to memory of 224	2516	jovlrc.exe	114
PID 2516 wrote to memory of 224	2516	jovlrc.exe	114
PID 224 wrote to memory of 4092	224	ormzau.exe	115
PID 224 wrote to memory of 4092	224	ormzau.exe	115
PID 224 wrote to memory of 4092	224	ormzau.exe	115
PID 4092 wrote to memory of 2476	4092	ioxmvi.exe	116
PID 4092 wrote to memory of 2476	4092	ioxmvi.exe	116
PID 4092 wrote to memory of 2476	4092	ioxmvi.exe	116
PID 2476 wrote to memory of 1884	2476	frccda.exe	117
PID 2476 wrote to memory of 1884	2476	frccda.exe	117
PID 2476 wrote to memory of 1884	2476	frccda.exe	117
PID 1884 wrote to memory of 820	1884	agoxqo.exe	119
PID 1884 wrote to memory of 820	1884	agoxqo.exe	119
PID 1884 wrote to memory of 820	1884	agoxqo.exe	119
PID 820 wrote to memory of 2992	820	udisdt.exe	120
PID 820 wrote to memory of 2992	820	udisdt.exe	120
PID 820 wrote to memory of 2992	820	udisdt.exe	120
PID 2992 wrote to memory of 2884	2992	xoibvc.exe	123
PID 2992 wrote to memory of 2884	2992	xoibvc.exe	123
PID 2992 wrote to memory of 2884	2992	xoibvc.exe	123
PID 2884 wrote to memory of 1412	2884	rhfblu.exe	124
PID 2884 wrote to memory of 1412	2884	rhfblu.exe	124
PID 2884 wrote to memory of 1412	2884	rhfblu.exe	124
PID 1412 wrote to memory of 4276	1412	wgsbra.exe	125
PID 1412 wrote to memory of 4276	1412	wgsbra.exe	125
PID 1412 wrote to memory of 4276	1412	wgsbra.exe	125
PID 4276 wrote to memory of 1440	4276	opzeri.exe	126
PID 4276 wrote to memory of 1440	4276	opzeri.exe	126
PID 4276 wrote to memory of 1440	4276	opzeri.exe	126
PID 1440 wrote to memory of 3224	1440	iekzmw.exe	127
PID 1440 wrote to memory of 3224	1440	iekzmw.exe	127
PID 1440 wrote to memory of 3224	1440	iekzmw.exe	127
PID 3224 wrote to memory of 4420	3224	ogjmug.exe	128

C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe
"C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\tpfjyt.exe
  C:\Windows\system32\tpfjyt.exe 1400 "C:\Users\Admin\AppData\Local\Temp\058cd6a37e24b8b60d0f2f94d26d7acc.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\ndsbhp.exe
    C:\Windows\system32\ndsbhp.exe 1328 "C:\Windows\SysWOW64\tpfjyt.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\ismwvd.exe
      C:\Windows\system32\ismwvd.exe 1432 "C:\Windows\SysWOW64\ndsbhp.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\amvzpd.exe
        
        C:\Windows\system32\amvzpd.exe 1460 "C:\Windows\SysWOW64\ismwvd.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Windows\SysWOW64\fljzur.exe
        
        C:\Windows\system32\fljzur.exe 1292 "C:\Windows\SysWOW64\amvzpd.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\xjeprv.exe
        
        C:\Windows\system32\xjeprv.exe 1424 "C:\Windows\SysWOW64\fljzur.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\zxxkea.exe
        
        C:\Windows\system32\zxxkea.exe 1476 "C:\Windows\SysWOW64\xjeprv.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\uujfan.exe
        
        C:\Windows\system32\uujfan.exe 1324 "C:\Windows\SysWOW64\zxxkea.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\ojvtnb.exe
        
        C:\Windows\system32\ojvtnb.exe 1372 "C:\Windows\SysWOW64\uujfan.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\jovlrc.exe
        
        C:\Windows\system32\jovlrc.exe 1284 "C:\Windows\SysWOW64\ojvtnb.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\ormzau.exe
        
        C:\Windows\system32\ormzau.exe 1448 "C:\Windows\SysWOW64\jovlrc.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\ioxmvi.exe
        
        C:\Windows\system32\ioxmvi.exe 1388 "C:\Windows\SysWOW64\ormzau.exe"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\frccda.exe
        
        C:\Windows\system32\frccda.exe 1508 "C:\Windows\SysWOW64\ioxmvi.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\agoxqo.exe
        
        C:\Windows\system32\agoxqo.exe 1288 "C:\Windows\SysWOW64\frccda.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\udisdt.exe
        
        C:\Windows\system32\udisdt.exe 1520 "C:\Windows\SysWOW64\agoxqo.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\xoibvc.exe
        
        C:\Windows\system32\xoibvc.exe 1308 "C:\Windows\SysWOW64\udisdt.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\rhfblu.exe
        
        C:\Windows\system32\rhfblu.exe 1472 "C:\Windows\SysWOW64\xoibvc.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\wgsbra.exe
        
        C:\Windows\system32\wgsbra.exe 1480 "C:\Windows\SysWOW64\rhfblu.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\opzeri.exe
        
        C:\Windows\system32\opzeri.exe 1368 "C:\Windows\SysWOW64\wgsbra.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\iekzmw.exe
        
        C:\Windows\system32\iekzmw.exe 1524 "C:\Windows\SysWOW64\opzeri.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\ogjmug.exe
        
        C:\Windows\system32\ogjmug.exe 1488 "C:\Windows\SysWOW64\iekzmw.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\idvzhu.exe
        
        C:\Windows\system32\idvzhu.exe 1376 "C:\Windows\SysWOW64\ogjmug.exe"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
7acc27895ff11449cf9fabd539ed03ef

SHA1
46e657f11f475c8d1e24f400b5c76c6ee79e7d14

SHA256
9d694d7e38ec3f2b25c577f390d1ca63fc4c72afcabbd9ae20659aff2765a64b

SHA512
3b6ce037c8bc7724c24f39e68ede9f993722f5c2ff7ae87d741f5572fbc1478b3681510d393ddda221dc5265c930f785319ecb1b143688c531973c55ea55bee4

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
9f956c56335b21586ea8e350d4c0c7a4

SHA1
4516265251956bffe335e2911c41336f14cf25f6

SHA256
ab66d2cd5f95b0341f14af4c63d6d347b640b2c8f9c0e3a53c8ef570897e9b0e

SHA512
62d334578f1bdd47fbc50c1b5cc7f6ff05953a553e0af1aa32d3d544869ead5c7995cdd0e6c318b938d77147ec5c721a74d466440e727ac1fbbb747f7f9ba2a2

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
5b12989057652625bf1efee6f5c3c955

SHA1
55f7b97ec1e25eb99a85acac0acf6ec4393c46cb

SHA256
7bd5cd695a32c4bb93f6c8b28d7db1b35cbfea355d7dfc2e47ad76541da99dad

SHA512
fbc9ccf7cca1f067e6864284edb86be94a2f966d8ccb2f74f2c74061a9bfc5d2f142e0c4c8c9a7fedb2d82c705397aa0e5c45bf6361b6f1fff79985ae9684e02

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
2078eb8e46efb3a36d9f762fa39706ac

SHA1
0ebbae1cfbce32f4cfbcab55ee7275e4a3172e69

SHA256
1f61dabeacc48996993aa825f482f97431c1e5f22f3a286f4e3fa8b90846393d

SHA512
ec9b72679211e77c96b2d925c0fd3b377b478ee4a9129197fd531c10cba223e5f790657adbac0ff90070b3798459cda596272221092e81d2fe93ce71dc67275c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
2abd2f27de4e2e30eafc9d242d58d26a

SHA1
cab4177c7381a971d6cdd9c94af02b4ba23e89cd

SHA256
feed34e92e1ddfc33e5e57e3d5816c52ff2936593d62e87fb0a14f06a0d5de47

SHA512
ae4aa1d71a0049a9069f5a453f88828da72fe9d62d251812d15be8de1be8b3e86a935b9f7d531c7c34c0a15627e7aefe7bcf7ba303d07221dfa8ac0ddbb278e0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
c9fa4ea41d320e9c7f294e2d50cec2be

SHA1
61a2826bc4ee2a226faa8044753b9b90b719ac03

SHA256
1e1dff813f3dfaa1433f603c72ce506fe209bb6f216f03d7361cb7c8be6cea60

SHA512
18a03527324a7bf768a03836a2cf66b53572d6a65526fbffbb2d38b511b8a9b148754de6bbcdf8f851bb2ea800d29fd8db09291fd409379661979d5d58f2bc14

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
6acf814412a6ca2b25dfce1b4f9e73e5

SHA1
6aac25951096e040103b9db8dbecf452e0081fbd

SHA256
039115c40e7db6eb4c396c97ff4156758c911b469c382aed126804e4d7ac1841

SHA512
8edd8278a86fd99f1e0b04384494e79b88799d2e4306a82ef04d85c362e7926dd121e90b9e8719c7c81b7741068eac395b3a2f923fcabd43ae7fd888e17373d0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
31357e40c0693662f394114d1cf7553d

SHA1
22180d40eb0a334e3d0ae8fc2bd3f271a15cbe9d

SHA256
ea9a9d4ea39fc967efa973cd652df332b3973c1783f2203c5c832a64e56a5e54

SHA512
9c07c6f86949e41f12e7eeb73412687112ab3ccf7488d83ef2ff293a926d8ae9193307ea81960e8992ecbfff21bd15d866cb34a8384df1ba5177f91b38df8497

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
9348cdbaae84b2c468a2e4b0efb0093d

SHA1
d2f6c25d9623f157ed27731af01f0b56516dd09a

SHA256
6839947ccb856dba235689991676b8d250b02d542d063667fd566c89984f319c

SHA512
5343d7dab04dfd70deaa8f0b64f35fca7dfcf5ee0bdde5fe9663038dd538505e8ea21de33f922a8844ba5c56ee531b2ff96c7d1c52207e96978ba04557bc7999

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
9394ac985354f55b16aba031e72ff618

SHA1
d39db61f9924558ac40d3d947f7d3356497251fe

SHA256
a6048d12d958ed675eaab4287f55bcebc287ba3ce8ae0aa9be6ccf239ba11eef

SHA512
90400abbb1e757d203799b9d77f3366ccb3c009fc8b5c564a47a014d05c85fc735f2bcb4d6f624b3faf5167f084a05fef3bcabbc718353a2ae04c1320d12af21

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
24469e61dbc9a161f659ee7862de806a

SHA1
33166447c21e414d24bbe946a16e5201f497f5c8

SHA256
debb167c8353ea66ed7d4cd013c4117423bf801300b74fd4c745175f332dfa7b

SHA512
8fce4ce3c7761436d8a1a3e4a33000aa3953da2cab1215ccb6b0e420210395533913b8ade4a31056851c3d49f71ffaccd97697dfdff67ac5e1ceafb926423e12

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
afde9b5d7331ba4ee93ba6f5c8ec15e1

SHA1
8273eacc7fc75b1cdc562a0d9a9facb926721cb6

SHA256
68d7ee4fbb5af446905669ea23b479cff6a92bbaaa642d942f918305617dfcf8

SHA512
a9ffc949f5c3215f94e3f4b29396d20ece78d637f2f05fad4e47a1cabf6ee55e31520f062be301aeacaf9257ec1a605b834284d8bebb7d89392ad9edec9654d6

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
08b001d29986869a3b09425a70851773

SHA1
4d29a940802363603fbc2c4df703538a1e1c327e

SHA256
4080685c99b65980c9a8a381ccffe375cd80d638e6297130d026360cf68af71e

SHA512
cbd960e234f90cd5099afd8098c4c2f35f9d84f009fb9c4c32c74657a0cb777948fbe382d351d8c635f3fa90fced1f888288a5d22af964dd9253cf1fbc86bd25

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
8f7ad301327ab1f8ebc96aea0371122e

SHA1
224b8fe6358674125197bd9cc5f9da5d2e1b4f71

SHA256
31b859e9e32a18bb1c18744ef45dff9c5e64de0b442215b136fac51e28d29cb2

SHA512
b9115e1b64f7a230550563405876557801de6bdba2a5741634c6898912c85db367f54e90dccc716ead57c311dd28061eaf3b37077051c6592422678054549c09

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
1fee3937660eaacf5830642b0e42876f

SHA1
46c355b8516857cc72f32c9b18125037cbc159b8

SHA256
3921b5a1b960145ed83c15f35430c5a8a03b30b78fc112dc1f3ae03213190dff

SHA512
0b272b7ed769553436e07f4eca9a656fd990652d47c5a59967876668eed392af7dc95fdff0b5c5e3a19452b96f735f226f8e37c04da0b783bc329386ff1cea21

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
5782bd2be343a1289ba0258ec4180002

SHA1
c4a3dea3ef3a2ace9804846ee6c9ba0947226060

SHA256
c1e07394384c3e7f1907cd75f917d198734820e10002b88f885d1f9cff934b4c

SHA512
e3e070915d7aab8d90521fcbb3cefe76a919539c1af9e80aef4ee6b0b49b612fd9c5a354af7b82246b3144d1b852d0afa3a3dd53940b2285e7783d8695281ef7

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
27ca5b1555eb23d57b8ccebfc756a055

SHA1
7cdce5eea70d6527127ef6765a49da5f71a80d2c

SHA256
54427201e36e35dfadbb64c347954b33a34a179ba3686cdc361196931ed3a17e

SHA512
541aa7591103f9dc8b9f5cf4896440eca1f446ee0a76c0a513973609c5203d00386aca307c02856df98b59fa4c3ed700055635d1e224f27a8e5b3499d8ec1284

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
87291044eff5e4b141b77db85af9d4b6

SHA1
0142d1b5128bd389580bb2bf276945c97ce321b8

SHA256
24665305c2c4fd58c9f127f51d01f50da610847f850e80accd1f32f65c38d1dd

SHA512
60eea7d6f32fcf99751aaf14f6e746a44245030fead6e24f333d20fde979c8dae5f17ebc01aabae51014d05847282cf0d1515b903dfea68ac1d3ebfb3ada689b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
109c787071d7231b7456d3284637ced5

SHA1
ebba77f6a57ca071884377c167542717ed26e57f

SHA256
5207b1a7cd4ef6f67797e34ff6c5df36dd1524c78657568d7ebd3bf39bed0eca

SHA512
e41b7f92c1d583be2765ee562d9c947f7868cc2d9148b52b65351aa8e6877af5c820a08aac3ff5f864200f4e54216e6dd532ee715570daf210a514cd7bb5e6aa

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
1e6f2318a2debd4b93d9d7f76e16ae45

SHA1
d07701323877df4ae672f30deafe00d24a3866a2

SHA256
13f0e11da84502f18cb7669fc907df0bc0c173f7085137fe0674877df5e2d684

SHA512
0e5b6dee186a1cd574531e6a694cb40175695761599ac32a5e7af5e86800ffb62cb9ec33db642608aace24bc0cd4afc12d3030fc19114fce1e192631a8010623

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
d6b41b8da676059d498105b5b97846a3

SHA1
b87acc3f27feb2266cebded8d12b73a7981cae64

SHA256
0d13ae9bfeae3ec0ebaba7577720c24698dd1aa122854e974109818d79a5c094

SHA512
a7206d1598da6a1e1f286c027a8be560de2ae167f8805416d57720912ca994e45eb67dd6e725d1198793815109b3cdc072f16cd5beac5f48dd58b592a7a9821c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
122B

MD5
5518a7fd370b7291be2379ee7f05ea86

SHA1
2afd0ef5f1197ef9479d26cbbb53b5544c9bb066

SHA256
2c8e0cbdc2c4b2555dc884c3b1fba47195696b3fdbffc09405ba8563b6e4943f

SHA512
9358c5e33c43ab3c8b46ced4135d54bae179d5786e88b2cc738690eef15683a3e29bb37f16ee5cfbfbb327301a34d371834a7ba945c94dd05f7f9b77d089eb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqiA299.tmp

Filesize
50KB

MD5
4b1b2fd437170c5118b6110b68041693

SHA1
34f133e6d3fe0e081fc0c840d7b2c8aabfd8c779

SHA256
d10cf71feac692ef81b25e10d7ab0f28f88c76cc9c7f3028bf590244e03d2804

SHA512
4fe23b2c2d8e9f048214c1bcbb4b07bf27eacf608d31b1b4fc7488b82f1dbdef2806da669a607cdbf8c70e63adb4867be67dd7cc3e9c9a80337236cb08a1085b

Download Submit
C:\Windows\SysWOW64\amvzpd.exe

Filesize
188KB

MD5
b7dd233f96d3fee6507397f7166f17a6

SHA1
a226dbffce50f8c4cc81a38f06816eb4fc8ae17c

SHA256
b20e54e11007d6ee5adfb05c41d27a4e768dcca240ef218469e217c2925212c6

SHA512
cc268daaf62c27a9b90a3f90e73a6eda631614e5647b98cb87bcf01dc76f51c12d3c7773576b9b041ef72bbeddc134e4c19e5014cccdfbe148df8873bf601484

Download Submit
C:\Windows\SysWOW64\amvzpd.exe

Filesize
115KB

MD5
c035c498c4a2e386b561db4cf6862e1c

SHA1
36816435a525f15d1a0e0f51d3cca61808f44793

SHA256
cc2a3a1e5de63c25889a1f2e381344f9e38b2b420a99a1e718abad7f0e59d2c4

SHA512
874508a70acd858d12bcba8f0fd45a1a829fe994237ae2a26a3f18b2a373689ecd00d2da35296e2f315d38051c45ed8ee82af56eeea1487e563d6b27388879b3

Download Submit
C:\Windows\SysWOW64\fljzur.exe

Filesize
924KB

MD5
058cd6a37e24b8b60d0f2f94d26d7acc

SHA1
429084f91b93a40a3b93a05107337fd98766807b

SHA256
f7353cddd843e43df8919917e68ba83d5b82dcab549409d3ddb9640fd668db37

SHA512
09f14db43b00f0f72c330ddc25efe6592b5bb465c14a4f72b82957ff59510524719971524c62bf4a799a8c3bcd8e4345a0000595d2f1751029591413eb495039

Download Submit
C:\Windows\SysWOW64\ismwvd.exe

Filesize
169KB

MD5
d86efb55519a0242deff92c53d0f5f83

SHA1
0896b6315915d908eafeb2e8bc58fb32d1c0092b

SHA256
f1dd38c84a1e0d46581b270d5870480fe358e4f73a208fec090cdb29fce7ecc6

SHA512
0a9d1aa4aecfdc69ba93b3c15ce9d67fc5c368f25c19d0786937be6b2e8f3be9570a776346bee9f78a96b48c57e4192bb524c898d31ca46f63d5f751f97324e6

Download Submit
C:\Windows\SysWOW64\ismwvd.exe

Filesize
173KB

MD5
e5bb81acc78d59dd9428f5cfdaa6d083

SHA1
92a1dd2421ed022f52e39628956317ff2c027dd4

SHA256
dfb553a1257ab1602e17d3324c7ed5b7424ac23ca43116ddcf82782ccebfeed9

SHA512
a2e39a491898eb99a54f7ce18e21ae50092901ec927651798e005994503031c5c537ac65ca3452339dd3e85e0fb53900079d1ce3519f84cfe1c682269ad3acd6

Download Submit
C:\Windows\SysWOW64\ndsbhp.exe

Filesize
64KB

MD5
367ce148b242860023fd14dc77309c14

SHA1
60a28aba0c3e43330646f692b2a0dc9c90052368

SHA256
c402eb8c55d587a7e25eb38ff06dd83784e0dd31801ff5ef021df69e64aa5926

SHA512
9d34caefedd79806d224847d9f17862be2c020580ae54699759772dede2e7a95aa381a76520c372fc266fb6405aea263d6412c548e1ec6bfe9478471291cb842

Download Submit
C:\Windows\SysWOW64\ndsbhp.exe

Filesize
165KB

MD5
206826cb6d27a44a1d34129b1b7379f0

SHA1
f8ee868808b478aac904625434ac51ae9043f689

SHA256
787f5c78957bddf8cac8b06c3ac91c033253f29db22cbd57e11c9b8be68df473

SHA512
339919832ccddf38288b1d9cbc39f5d13f206e1fc8628a2238fd9f54faa65b9d23b76f9538fbe340170fc6d17dfb0b665c2d0e9f5bafddb937296906ef2b489a

Download Submit
C:\Windows\SysWOW64\ndsbhp.exe

Filesize
177KB

MD5
44cca5715a35e3263e72986589c44abc

SHA1
1cf267ae901095d9872db4a5526d2118b871c20e

SHA256
3ead61482c383ea7ced634e5d5ca1411403bed54132a4a1814ed0e4c8c956a25

SHA512
46245af3e16359bc1bd0eaa80304051c9b8dc586c5d5a6cc97b3892ea6634cf89c36accd3a338ed7dfcfdf21efddaea8f6c3cc302ae328f6e8ee19ab04cdb3f2

Download Submit
C:\Windows\SysWOW64\rhfblu.exe

Filesize
664KB

MD5
ffcf7efab9d10770d0c21eee225db514

SHA1
a7779194e89cf89dd3ba03d0501b81d863fce953

SHA256
88c0c2a38a50938243dee536a003d8fb18b4a77c9a2a8f0a487ac92a36318290

SHA512
511a33e55e2182fe46474e8872e70b62f0aadadd677b9d2db35b362f309a18dd08ae6a5f2c15b0b711858bbdf000bef3012317a6e68baade7bbf52cdf7d1684c

Download Submit
C:\Windows\SysWOW64\rhfblu.exe

Filesize
876KB

MD5
4003627dac996bd5cf64f43dacdc4af0

SHA1
dfebce0c87b1382a54cafad7be316b47b37f64c4

SHA256
a2fa4b883d9c87484ffe0285ffcee93c754dbf2dcb33dc67fe4a3e41f4b186d0

SHA512
d83707a168036e2bee63f58d523ec0a7f414a039188c6ef0007d33f82d23365471039b26c7576e10f26acbb52c6418b97d73692d28446ebc8a736ae67e92c9fd

Download Submit
C:\Windows\SysWOW64\tpfjyt.exe

Filesize
160KB

MD5
c7e5d075e0ab1dd8ee437cb4ddde676f

SHA1
f89f39a2f3b4fa43c07b1778a69758d8276d00eb

SHA256
53a900f556ab89b3faa831e0e7906b3542e7d32648fb754f076889853276ae1f

SHA512
77b7f436c1b09bee50f3e3371255272e9a5183b9fafd0295f51fb2682342ec1d081a650c3732fd83dd5c5e43fe68564c26f0ebdc7f917cb80ac7a1bdcfe46a8b

Download Submit
C:\Windows\SysWOW64\tpfjyt.exe

Filesize
130KB

MD5
342cf05ca1c9943e9a3ad804eadc1309

SHA1
96395c075d276f7ed2a1d141034e60cf2619d016

SHA256
ddd95f1d8b9b6cbb3e3d0da9fc91d1a62ae331b0080ff1f8c18531978cb14efe

SHA512
857f7e100a854f54eb1cdb83753d5ad0fbee521da0dbb6fe39fd62fdfaf456292c4c70fb5fbfe0c727813c300b0073318c7b7d6eb013adb454fbf3e8e4481949

Download Submit
C:\Windows\SysWOW64\wgsbra.exe

Filesize
555KB

MD5
5a4b54b5bd67d26c479cd520d7ee6c18

SHA1
7fc0d5a347906a5108987346bf7f12a1d32dac2c

SHA256
759a6f8b19e17d0c6ac9ec409246d73025ddf5786c7218960aae2027ff9227f2

SHA512
e761d48bd580c921c82639905243163f45c31f5b9cbc79edd3892e316c9000486bfca4ed62a3695f72343ce3523450335456958e82239863ef90e8a84d693df2

Download Submit
C:\Windows\SysWOW64\wgsbra.exe

Filesize
732KB

MD5
121f15bff6d1d22e37c2d04442f6fac0

SHA1
5d8d676ed5818618e1c69572ad262f0c2b8e14eb

SHA256
6dbf76a9121cf18551e55edd2dcd5e578ad17e7b3c73d0f6a8a2986fc4cd9a30

SHA512
612885bab8dcd4c233d2318c48e319241e422f6e051da153e58989892808f697bbc24ead3b7d0aa85ee5ce8ce09e9cb5597fcbde40aa7d4b72561df7edb3b5ef

Download Submit
memory/224-334-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/224-351-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/692-264-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/692-245-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/820-478-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/820-454-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1412-539-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1412-564-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1440-596-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1440-615-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1540-215-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1540-234-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1884-448-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1884-425-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-40-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-33-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-37-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-31-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-61-0x0000000001F70000-0x0000000001FF9000-memory.dmp

Filesize
548KB

Download
memory/2028-23-0x0000000001F70000-0x0000000001FF9000-memory.dmp

Filesize
548KB

Download
memory/2028-30-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-38-0x0000000001F70000-0x0000000001FF9000-memory.dmp

Filesize
548KB

Download
memory/2028-63-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-43-0x0000000001F70000-0x0000000001FF9000-memory.dmp

Filesize
548KB

Download
memory/2028-35-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2028-41-0x0000000001F70000-0x0000000001FF9000-memory.dmp

Filesize
548KB

Download
memory/2476-394-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2476-374-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2476-422-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2516-304-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2516-323-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2884-511-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2884-541-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2992-512-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2992-483-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3224-605-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3224-625-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3224-648-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-65-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-50-0x00000000006D0000-0x0000000000759000-memory.dmp

Filesize
548KB

Download
memory/3668-94-0x00000000006D0000-0x0000000000759000-memory.dmp

Filesize
548KB

Download
memory/3668-62-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-64-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-66-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-69-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-97-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3668-67-0x00000000006D0000-0x0000000000759000-memory.dmp

Filesize
548KB

Download
memory/3668-59-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3972-127-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3972-122-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3972-107-0x00000000006A0000-0x0000000000729000-memory.dmp

Filesize
548KB

Download
memory/3972-146-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3972-121-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/3972-120-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4072-174-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4072-157-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4092-383-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4092-361-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4212-216-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4212-185-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4276-595-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4276-569-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4420-650-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-115-0x0000000002020000-0x00000000020A9000-memory.dmp

Filesize
548KB

Download
memory/4568-116-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-88-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-77-0x0000000002020000-0x00000000020A9000-memory.dmp

Filesize
548KB

Download
memory/4568-95-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-89-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-87-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-86-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-85-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4568-90-0x0000000002020000-0x00000000020A9000-memory.dmp

Filesize
548KB

Download
memory/4568-98-0x0000000002020000-0x00000000020A9000-memory.dmp

Filesize
548KB

Download
memory/4568-100-0x0000000002020000-0x00000000020A9000-memory.dmp

Filesize
548KB

Download
memory/4860-299-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4860-275-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-34-0x0000000000670000-0x00000000006F9000-memory.dmp

Filesize
548KB

Download
memory/5100-8-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-9-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-11-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-36-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-14-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-12-0x0000000000670000-0x00000000006F9000-memory.dmp

Filesize
548KB

Download
memory/5100-10-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-7-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5100-2-0x0000000000670000-0x00000000006F9000-memory.dmp

Filesize
548KB

Download