66d104ec5651e4807a32ec8ed2a83ccb2d39538123a2d72720730ed2211b1e8b

Analysis

max time kernel
58s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4507297f46b12e3dbfe13893ed8e1d3b.exe
Size

649KB
MD5

4507297f46b12e3dbfe13893ed8e1d3b
SHA1

6b8c92904b69cf4dc43142eac4d1246999950757
SHA256

66d104ec5651e4807a32ec8ed2a83ccb2d39538123a2d72720730ed2211b1e8b
SHA512

eea98c5afa9202bddc2155bd06377a5f9dc534f2683b1112a80508a1cec4a6d8a7e367773416a4af3c7a153a0d623d05d270a3ff5ebd930153fe97b8f74ea75c
SSDEEP

12288:oxSPMVrbN+j+toNoZ893W0NNO0nb8mjEJW++GS4//v5DTB4sOR8H9:Q8wN+jDoZ63w0nb8HW++p4/31B49R8H

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ulat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dnkj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kizm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wjya.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	pdza.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jakj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yasr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezyk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	qxuj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	yrnz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bdnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jbvx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zfic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gpgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xxtb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	symk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4507297f46b12e3dbfe13893ed8e1d3b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vfxi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	guxg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	czwk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	kqia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	onan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mapq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dnkj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	acrr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	apky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	xxtb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tkmr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nwkh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ospf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	besd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hfji.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zfmg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezyk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nsvg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fmsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	qtna.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	dkeg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lcpg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	fmsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	flms.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	besd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	deqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	town.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	lxtn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lify.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	zplv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pfhb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ulat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jxgy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vfxi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zvox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	cyle.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wjya.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zplv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dkeg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mrhl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	jbvx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ihzd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mpon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mpon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	lcpg.exe

Executes dropped EXE 64 IoCs

pid	Process
2756	gkyj.exe
1632	jxnj.exe
780	klpu.exe
2944	mpon.exe
1972	ospf.exe
1756	besd.exe
1492	kkuy.exe
1000	vfxi.exe
1992	zdbt.exe
2216	deqe.exe
2864	kizm.exe
2560	vkek.exe
1752	xirp.exe
2600	town.exe
2500	kqia.exe
2268	mizx.exe
932	zvox.exe
1644	lxtn.exe
1700	xkan.exe
2132	nsvg.exe
2196	guxg.exe
2624	dkeg.exe
608	xjvt.exe
2808	mrhl.exe
872	bdnr.exe
2888	lcpg.exe
440	svor.exe
2016	fmsm.exe
1892	rkkz.exe
1712	jbvx.exe
2924	pnvm.exe
2188	zfic.exe
644	mkak.exe
2376	twgp.exe
1156	czwk.exe
540	wjya.exe
1240	obbx.exe
1816	wflc.exe
1516	flms.exe
2208	pdza.exe
2312	wwht.exe
2620	lify.exe
2904	hfji.exe
1932	zfmg.exe
1908	jakj.exe
468	apky.exe
2968	kgpo.exe
2052	xxtb.exe
2024	gpgr.exe
1012	tkmr.exe
2728	yasr.exe
2844	cyle.exe
2832	mmmp.exe
856	vplk.exe
1072	nwkh.exe
776	ezyk.exe
2248	onan.exe
1116	alsa.exe
2044	qtna.exe
1804	zplv.exe
2704	oaja.exe
1676	ihzd.exe
1952	symk.exe
1660	xauf.exe

Loads dropped DLL 64 IoCs

pid	Process
2520	4507297f46b12e3dbfe13893ed8e1d3b.exe
2520	4507297f46b12e3dbfe13893ed8e1d3b.exe
2756	gkyj.exe
2756	gkyj.exe
1632	jxnj.exe
1632	jxnj.exe
780	klpu.exe
780	klpu.exe
2944	mpon.exe
2944	mpon.exe
1972	ospf.exe
1972	ospf.exe
1756	besd.exe
1756	besd.exe
1492	kkuy.exe
1492	kkuy.exe
1000	vfxi.exe
1000	vfxi.exe
1992	zdbt.exe
1992	zdbt.exe
2216	deqe.exe
2216	deqe.exe
2864	kizm.exe
2864	kizm.exe
2560	vkek.exe
2560	vkek.exe
1752	xirp.exe
1752	xirp.exe
2600	town.exe
2600	town.exe
2500	kqia.exe
2500	kqia.exe
2268	mizx.exe
2268	mizx.exe
932	zvox.exe
932	zvox.exe
1644	lxtn.exe
1644	lxtn.exe
1700	xkan.exe
1700	xkan.exe
2132	nsvg.exe
2132	nsvg.exe
2196	guxg.exe
2196	guxg.exe
2624	dkeg.exe
2624	dkeg.exe
608	xjvt.exe
608	xjvt.exe
2808	mrhl.exe
2808	mrhl.exe
872	bdnr.exe
872	bdnr.exe
2888	lcpg.exe
2888	lcpg.exe
440	svor.exe
440	svor.exe
2016	fmsm.exe
2016	fmsm.exe
1892	rkkz.exe
1892	rkkz.exe
1712	jbvx.exe
1712	jbvx.exe
2924	pnvm.exe
2924	pnvm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nsvg.exe	xkan.exe
File created	C:\Windows\SysWOW64\dkeg.exe	guxg.exe
File created	C:\Windows\SysWOW64\fmsm.exe	svor.exe
File created	C:\Windows\SysWOW64\cyle.exe	yasr.exe
File created	C:\Windows\SysWOW64\qtna.exe	alsa.exe
File created	C:\Windows\SysWOW64\pfhb.exe	dtsb.exe
File created	C:\Windows\SysWOW64\besd.exe	ospf.exe
File created	C:\Windows\SysWOW64\mpon.exe	klpu.exe
File opened for modification	C:\Windows\SysWOW64\kkuy.exe	besd.exe
File opened for modification	C:\Windows\SysWOW64\zdbt.exe	vfxi.exe
File opened for modification	C:\Windows\SysWOW64\lcpg.exe	bdnr.exe
File opened for modification	C:\Windows\SysWOW64\lify.exe	wwht.exe
File opened for modification	C:\Windows\SysWOW64\zplv.exe	qtna.exe
File opened for modification	C:\Windows\SysWOW64\pfhb.exe	dtsb.exe
File created	C:\Windows\SysWOW64\jxnj.exe	gkyj.exe
File opened for modification	C:\Windows\SysWOW64\jbvx.exe	rkkz.exe
File created	C:\Windows\SysWOW64\pnvm.exe	jbvx.exe
File created	C:\Windows\SysWOW64\obbx.exe	wjya.exe
File opened for modification	C:\Windows\SysWOW64\yasr.exe	tkmr.exe
File opened for modification	C:\Windows\SysWOW64\cyle.exe	yasr.exe
File opened for modification	C:\Windows\SysWOW64\mmmp.exe	cyle.exe
File created	C:\Windows\SysWOW64\mapq.exe	xauf.exe
File opened for modification	C:\Windows\SysWOW64\jxnj.exe	gkyj.exe
File created	C:\Windows\SysWOW64\twgp.exe	mkak.exe
File opened for modification	C:\Windows\SysWOW64\pdza.exe	flms.exe
File opened for modification	C:\Windows\SysWOW64\wwht.exe	pdza.exe
File opened for modification	C:\Windows\SysWOW64\jakj.exe	zfmg.exe
File opened for modification	C:\Windows\SysWOW64\apky.exe	jakj.exe
File created	C:\Windows\SysWOW64\vplk.exe	mmmp.exe
File created	C:\Windows\SysWOW64\qxuj.exe	jxgy.exe
File opened for modification	C:\Windows\SysWOW64\nsvg.exe	xkan.exe
File opened for modification	C:\Windows\SysWOW64\wjya.exe	czwk.exe
File created	C:\Windows\SysWOW64\ezyk.exe	nwkh.exe
File opened for modification	C:\Windows\SysWOW64\alsa.exe	onan.exe
File created	C:\Windows\SysWOW64\oaja.exe	zplv.exe
File opened for modification	C:\Windows\SysWOW64\svor.exe	lcpg.exe
File created	C:\Windows\SysWOW64\wwht.exe	pdza.exe
File opened for modification	C:\Windows\SysWOW64\lxtn.exe	zvox.exe
File opened for modification	C:\Windows\SysWOW64\xkan.exe	lxtn.exe
File opened for modification	C:\Windows\SysWOW64\pnvm.exe	jbvx.exe
File opened for modification	C:\Windows\SysWOW64\symk.exe	ihzd.exe
File created	C:\Windows\SysWOW64\pyit.exe	pfhb.exe
File opened for modification	C:\Windows\SysWOW64\vkek.exe	kizm.exe
File opened for modification	C:\Windows\SysWOW64\czwk.exe	twgp.exe
File created	C:\Windows\SysWOW64\onan.exe	ezyk.exe
File created	C:\Windows\SysWOW64\jxgy.exe	ulat.exe
File opened for modification	C:\Windows\SysWOW64\bdnr.exe	mrhl.exe
File created	C:\Windows\SysWOW64\zvox.exe	mizx.exe
File opened for modification	C:\Windows\SysWOW64\xjvt.exe	dkeg.exe
File created	C:\Windows\SysWOW64\svor.exe	lcpg.exe
File opened for modification	C:\Windows\SysWOW64\onan.exe	ezyk.exe
File opened for modification	C:\Windows\SysWOW64\ulat.exe	pyit.exe
File opened for modification	C:\Windows\SysWOW64\acrr.exe	flxx.exe
File created	C:\Windows\SysWOW64\yrnz.exe	laje.exe
File opened for modification	C:\Windows\SysWOW64\zvox.exe	mizx.exe
File created	C:\Windows\SysWOW64\pdza.exe	flms.exe
File created	C:\Windows\SysWOW64\xauf.exe	symk.exe
File opened for modification	C:\Windows\SysWOW64\tnfk.exe	dnkj.exe
File opened for modification	C:\Windows\SysWOW64\dkeg.exe	guxg.exe
File created	C:\Windows\SysWOW64\bdnr.exe	mrhl.exe
File opened for modification	C:\Windows\SysWOW64\flms.exe	wflc.exe
File created	C:\Windows\SysWOW64\xxtb.exe	kgpo.exe
File opened for modification	C:\Windows\SysWOW64\ihzd.exe	oaja.exe
File opened for modification	C:\Windows\SysWOW64\flxx.exe	tnfk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	dkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	fmsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	pdza.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxOREm{`\|u_i{o"	jxgy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	zdbt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	zdbt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}	mrhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	kgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	tnfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	xirp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj	mrhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	mkak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	zfmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	dnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kn@SJQE{W\|uxyA\|@x@JBCXFSf`ZF"	hfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	pfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxKrEm{`\|cMjBn"	pfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxJBEm{`~@`}Y\|"	pfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxXrAm{`\|ekfr["	lxtn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	pnvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "klPSJQE{W~exyA\|@x@JBCXFSf`ZF"	wjya.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	tkmr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	mmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji	dtsb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}	tnfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxEbEm{`~rOswB"	tnfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	klpu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj	klpu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "k`PSJQE{WrexyA\|@x@JBCXFSf`ZF"	nsvg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kb`SJQE{WpUxyA\|@x@JBCXFSf`ZF"	rkkz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	xauf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxJrEm{`}P~WX{"	pyit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	lxtn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kapSJQE{WsExyA\|@x@JBCXFSf`ZF"	lxtn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kbpSJQE{WpExyA\|@x@JBCXFSf`ZF"	jbvx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemx`bAm{`}P@Xdz"	pdza.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kopSJQE{W}ExyA\|@x@JBCXFSf`ZF"	lify.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxwrAm{`}rDM`@"	symk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	mapq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	ospf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	zdbt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	xjvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kc`SJQE{WqUxyA\|@x@JBCXFSf`ZF"	lcpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "knpSJQE{W\|ExyA\|@x@JBCXFSf`ZF"	jakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji	zplv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	mpon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	xirp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	lify.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	gpgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kt@SJQE{WfuxyA\|@x@JBCXFSf`ZF"	pyit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk\ = "_wIqY\x7fTw^Ap}RFzdw_z`Y]dcrIH"	mmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	uvxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\dLjcQsguf\ = "OTZxCZLURFXsqdITNrIPAqSpi^Z_zhnj"	ospf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxWbAm{`\|syCdy"	rkkz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj	guxg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "km`SJQE{W\x7fUxyA\|@x@JBCXFSf`ZF"	twgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn	wwht.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj	qtna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji	oaja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\mfibAqmadfbkj\ = "kjpSJQE{WxExyA\|@x@JBCXFSf`ZF"	zplv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ddMUvpMlswTnk	xirp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\ecarghji\ = "P[JsaZemxYrAm{`~b{ZQU"	zvox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}\qtkn\ = "IhiISxe[xDVF`}NB~UiXkn\|}ACLE]AFp"	hfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C417B47-72BF-3E64-C9F4-DA1C49645C44}	yasr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe
Token: SeIncBasePriorityPrivilege	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe
Token: 33	2756	gkyj.exe
Token: SeIncBasePriorityPrivilege	2756	gkyj.exe
Token: 33	1632	jxnj.exe
Token: SeIncBasePriorityPrivilege	1632	jxnj.exe
Token: 33	780	klpu.exe
Token: SeIncBasePriorityPrivilege	780	klpu.exe
Token: 33	2944	mpon.exe
Token: SeIncBasePriorityPrivilege	2944	mpon.exe
Token: 33	1972	ospf.exe
Token: SeIncBasePriorityPrivilege	1972	ospf.exe
Token: 33	1756	besd.exe
Token: SeIncBasePriorityPrivilege	1756	besd.exe
Token: 33	1492	kkuy.exe
Token: SeIncBasePriorityPrivilege	1492	kkuy.exe
Token: 33	1000	vfxi.exe
Token: SeIncBasePriorityPrivilege	1000	vfxi.exe
Token: 33	1992	zdbt.exe
Token: SeIncBasePriorityPrivilege	1992	zdbt.exe
Token: 33	2216	deqe.exe
Token: SeIncBasePriorityPrivilege	2216	deqe.exe
Token: 33	2864	kizm.exe
Token: SeIncBasePriorityPrivilege	2864	kizm.exe
Token: 33	2560	vkek.exe
Token: SeIncBasePriorityPrivilege	2560	vkek.exe
Token: 33	1752	xirp.exe
Token: SeIncBasePriorityPrivilege	1752	xirp.exe
Token: 33	2600	town.exe
Token: SeIncBasePriorityPrivilege	2600	town.exe
Token: 33	2500	kqia.exe
Token: SeIncBasePriorityPrivilege	2500	kqia.exe
Token: 33	2268	mizx.exe
Token: SeIncBasePriorityPrivilege	2268	mizx.exe
Token: 33	932	zvox.exe
Token: SeIncBasePriorityPrivilege	932	zvox.exe
Token: 33	1644	lxtn.exe
Token: SeIncBasePriorityPrivilege	1644	lxtn.exe
Token: 33	1700	xkan.exe
Token: SeIncBasePriorityPrivilege	1700	xkan.exe
Token: 33	2132	nsvg.exe
Token: SeIncBasePriorityPrivilege	2132	nsvg.exe
Token: 33	2196	guxg.exe
Token: SeIncBasePriorityPrivilege	2196	guxg.exe
Token: 33	2624	dkeg.exe
Token: SeIncBasePriorityPrivilege	2624	dkeg.exe
Token: 33	608	xjvt.exe
Token: SeIncBasePriorityPrivilege	608	xjvt.exe
Token: 33	2808	mrhl.exe
Token: SeIncBasePriorityPrivilege	2808	mrhl.exe
Token: 33	872	bdnr.exe
Token: SeIncBasePriorityPrivilege	872	bdnr.exe
Token: 33	2888	lcpg.exe
Token: SeIncBasePriorityPrivilege	2888	lcpg.exe
Token: 33	440	svor.exe
Token: SeIncBasePriorityPrivilege	440	svor.exe
Token: 33	2016	fmsm.exe
Token: SeIncBasePriorityPrivilege	2016	fmsm.exe
Token: 33	1892	rkkz.exe
Token: SeIncBasePriorityPrivilege	1892	rkkz.exe
Token: 33	1712	jbvx.exe
Token: SeIncBasePriorityPrivilege	1712	jbvx.exe
Token: 33	2924	pnvm.exe
Token: SeIncBasePriorityPrivilege	2924	pnvm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2756	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe	28
PID 2520 wrote to memory of 2756	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe	28
PID 2520 wrote to memory of 2756	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe	28
PID 2520 wrote to memory of 2756	2520	4507297f46b12e3dbfe13893ed8e1d3b.exe	28
PID 2756 wrote to memory of 1632	2756	gkyj.exe	29
PID 2756 wrote to memory of 1632	2756	gkyj.exe	29
PID 2756 wrote to memory of 1632	2756	gkyj.exe	29
PID 2756 wrote to memory of 1632	2756	gkyj.exe	29
PID 1632 wrote to memory of 780	1632	jxnj.exe	30
PID 1632 wrote to memory of 780	1632	jxnj.exe	30
PID 1632 wrote to memory of 780	1632	jxnj.exe	30
PID 1632 wrote to memory of 780	1632	jxnj.exe	30
PID 780 wrote to memory of 2944	780	klpu.exe	31
PID 780 wrote to memory of 2944	780	klpu.exe	31
PID 780 wrote to memory of 2944	780	klpu.exe	31
PID 780 wrote to memory of 2944	780	klpu.exe	31
PID 2944 wrote to memory of 1972	2944	mpon.exe	32
PID 2944 wrote to memory of 1972	2944	mpon.exe	32
PID 2944 wrote to memory of 1972	2944	mpon.exe	32
PID 2944 wrote to memory of 1972	2944	mpon.exe	32
PID 1972 wrote to memory of 1756	1972	ospf.exe	33
PID 1972 wrote to memory of 1756	1972	ospf.exe	33
PID 1972 wrote to memory of 1756	1972	ospf.exe	33
PID 1972 wrote to memory of 1756	1972	ospf.exe	33
PID 1756 wrote to memory of 1492	1756	besd.exe	34
PID 1756 wrote to memory of 1492	1756	besd.exe	34
PID 1756 wrote to memory of 1492	1756	besd.exe	34
PID 1756 wrote to memory of 1492	1756	besd.exe	34
PID 1492 wrote to memory of 1000	1492	kkuy.exe	35
PID 1492 wrote to memory of 1000	1492	kkuy.exe	35
PID 1492 wrote to memory of 1000	1492	kkuy.exe	35
PID 1492 wrote to memory of 1000	1492	kkuy.exe	35
PID 1000 wrote to memory of 1992	1000	vfxi.exe	36
PID 1000 wrote to memory of 1992	1000	vfxi.exe	36
PID 1000 wrote to memory of 1992	1000	vfxi.exe	36
PID 1000 wrote to memory of 1992	1000	vfxi.exe	36
PID 1992 wrote to memory of 2216	1992	zdbt.exe	37
PID 1992 wrote to memory of 2216	1992	zdbt.exe	37
PID 1992 wrote to memory of 2216	1992	zdbt.exe	37
PID 1992 wrote to memory of 2216	1992	zdbt.exe	37
PID 2216 wrote to memory of 2864	2216	deqe.exe	38
PID 2216 wrote to memory of 2864	2216	deqe.exe	38
PID 2216 wrote to memory of 2864	2216	deqe.exe	38
PID 2216 wrote to memory of 2864	2216	deqe.exe	38
PID 2864 wrote to memory of 2560	2864	kizm.exe	39
PID 2864 wrote to memory of 2560	2864	kizm.exe	39
PID 2864 wrote to memory of 2560	2864	kizm.exe	39
PID 2864 wrote to memory of 2560	2864	kizm.exe	39
PID 2560 wrote to memory of 1752	2560	vkek.exe	40
PID 2560 wrote to memory of 1752	2560	vkek.exe	40
PID 2560 wrote to memory of 1752	2560	vkek.exe	40
PID 2560 wrote to memory of 1752	2560	vkek.exe	40
PID 1752 wrote to memory of 2600	1752	xirp.exe	41
PID 1752 wrote to memory of 2600	1752	xirp.exe	41
PID 1752 wrote to memory of 2600	1752	xirp.exe	41
PID 1752 wrote to memory of 2600	1752	xirp.exe	41
PID 2600 wrote to memory of 2500	2600	town.exe	42
PID 2600 wrote to memory of 2500	2600	town.exe	42
PID 2600 wrote to memory of 2500	2600	town.exe	42
PID 2600 wrote to memory of 2500	2600	town.exe	42
PID 2500 wrote to memory of 2268	2500	kqia.exe	43
PID 2500 wrote to memory of 2268	2500	kqia.exe	43
PID 2500 wrote to memory of 2268	2500	kqia.exe	43
PID 2500 wrote to memory of 2268	2500	kqia.exe	43

C:\Users\Admin\AppData\Local\Temp\4507297f46b12e3dbfe13893ed8e1d3b.exe
"C:\Users\Admin\AppData\Local\Temp\4507297f46b12e3dbfe13893ed8e1d3b.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\gkyj.exe
  C:\Windows\system32\gkyj.exe 708 "C:\Users\Admin\AppData\Local\Temp\4507297f46b12e3dbfe13893ed8e1d3b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\jxnj.exe
    C:\Windows\system32\jxnj.exe 664 "C:\Windows\SysWOW64\gkyj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\klpu.exe
      C:\Windows\system32\klpu.exe 656 "C:\Windows\SysWOW64\jxnj.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\SysWOW64\mpon.exe
        
        C:\Windows\system32\mpon.exe 668 "C:\Windows\SysWOW64\klpu.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\ospf.exe
        
        C:\Windows\system32\ospf.exe 672 "C:\Windows\SysWOW64\mpon.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\besd.exe
        
        C:\Windows\system32\besd.exe 680 "C:\Windows\SysWOW64\ospf.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\kkuy.exe
        
        C:\Windows\system32\kkuy.exe 676 "C:\Windows\SysWOW64\besd.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\vfxi.exe
        
        C:\Windows\system32\vfxi.exe 688 "C:\Windows\SysWOW64\kkuy.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\zdbt.exe
        
        C:\Windows\system32\zdbt.exe 744 "C:\Windows\SysWOW64\vfxi.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\deqe.exe
        
        C:\Windows\system32\deqe.exe 772 "C:\Windows\SysWOW64\zdbt.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\kizm.exe
        
        C:\Windows\system32\kizm.exe 736 "C:\Windows\SysWOW64\deqe.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\vkek.exe
        
        C:\Windows\system32\vkek.exe 732 "C:\Windows\SysWOW64\kizm.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\xirp.exe
        
        C:\Windows\system32\xirp.exe 728 "C:\Windows\SysWOW64\vkek.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\town.exe
        
        C:\Windows\system32\town.exe 784 "C:\Windows\SysWOW64\xirp.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\kqia.exe
        
        C:\Windows\system32\kqia.exe 740 "C:\Windows\SysWOW64\town.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\mizx.exe
        
        C:\Windows\system32\mizx.exe 684 "C:\Windows\SysWOW64\kqia.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\zvox.exe
        
        C:\Windows\system32\zvox.exe 752 "C:\Windows\SysWOW64\mizx.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\lxtn.exe
        
        C:\Windows\system32\lxtn.exe 720 "C:\Windows\SysWOW64\zvox.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\xkan.exe
        
        C:\Windows\system32\xkan.exe 660 "C:\Windows\SysWOW64\lxtn.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\nsvg.exe
        
        C:\Windows\system32\nsvg.exe 800 "C:\Windows\SysWOW64\xkan.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\SysWOW64\guxg.exe
        
        C:\Windows\system32\guxg.exe 724 "C:\Windows\SysWOW64\nsvg.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\dkeg.exe
        
        C:\Windows\system32\dkeg.exe 696 "C:\Windows\SysWOW64\guxg.exe"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\xjvt.exe
        
        C:\Windows\system32\xjvt.exe 764 "C:\Windows\SysWOW64\dkeg.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\mrhl.exe
        
        C:\Windows\system32\mrhl.exe 780 "C:\Windows\SysWOW64\xjvt.exe"
        25⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\bdnr.exe
        
        C:\Windows\system32\bdnr.exe 796 "C:\Windows\SysWOW64\mrhl.exe"
        26⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\SysWOW64\lcpg.exe
        
        C:\Windows\system32\lcpg.exe 768 "C:\Windows\SysWOW64\bdnr.exe"
        27⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\svor.exe
        
        C:\Windows\system32\svor.exe 792 "C:\Windows\SysWOW64\lcpg.exe"
        28⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\SysWOW64\fmsm.exe
        
        C:\Windows\system32\fmsm.exe 820 "C:\Windows\SysWOW64\svor.exe"
        29⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\rkkz.exe
        
        C:\Windows\system32\rkkz.exe 716 "C:\Windows\SysWOW64\fmsm.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\jbvx.exe
        
        C:\Windows\system32\jbvx.exe 748 "C:\Windows\SysWOW64\rkkz.exe"
        31⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\pnvm.exe
        
        C:\Windows\system32\pnvm.exe 812 "C:\Windows\SysWOW64\jbvx.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\zfic.exe
        
        C:\Windows\system32\zfic.exe 788 "C:\Windows\SysWOW64\pnvm.exe"
        33⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\mkak.exe
        
        C:\Windows\system32\mkak.exe 760 "C:\Windows\SysWOW64\zfic.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\twgp.exe
        
        C:\Windows\system32\twgp.exe 712 "C:\Windows\SysWOW64\mkak.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\czwk.exe
        
        C:\Windows\system32\czwk.exe 704 "C:\Windows\SysWOW64\twgp.exe"
        36⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\wjya.exe
        
        C:\Windows\system32\wjya.exe 828 "C:\Windows\SysWOW64\czwk.exe"
        37⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\obbx.exe
        
        C:\Windows\system32\obbx.exe 692 "C:\Windows\SysWOW64\wjya.exe"
        38⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\wflc.exe
        
        C:\Windows\system32\wflc.exe 756 "C:\Windows\SysWOW64\obbx.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\flms.exe
        
        C:\Windows\system32\flms.exe 808 "C:\Windows\SysWOW64\wflc.exe"
        40⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\pdza.exe
        
        C:\Windows\system32\pdza.exe 832 "C:\Windows\SysWOW64\flms.exe"
        41⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\wwht.exe
        
        C:\Windows\system32\wwht.exe 860 "C:\Windows\SysWOW64\pdza.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\lify.exe
        
        C:\Windows\system32\lify.exe 872 "C:\Windows\SysWOW64\wwht.exe"
        43⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\hfji.exe
        
        C:\Windows\system32\hfji.exe 836 "C:\Windows\SysWOW64\lify.exe"
        44⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\zfmg.exe
        
        C:\Windows\system32\zfmg.exe 816 "C:\Windows\SysWOW64\hfji.exe"
        45⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\jakj.exe
        
        C:\Windows\system32\jakj.exe 868 "C:\Windows\SysWOW64\zfmg.exe"
        46⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\apky.exe
        
        C:\Windows\system32\apky.exe 824 "C:\Windows\SysWOW64\jakj.exe"
        47⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\kgpo.exe
        
        C:\Windows\system32\kgpo.exe 880 "C:\Windows\SysWOW64\apky.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\xxtb.exe
        
        C:\Windows\system32\xxtb.exe 776 "C:\Windows\SysWOW64\kgpo.exe"
        49⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\gpgr.exe
        
        C:\Windows\system32\gpgr.exe 888 "C:\Windows\SysWOW64\xxtb.exe"
        50⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\tkmr.exe
        
        C:\Windows\system32\tkmr.exe 856 "C:\Windows\SysWOW64\gpgr.exe"
        51⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\yasr.exe
        
        C:\Windows\system32\yasr.exe 884 "C:\Windows\SysWOW64\tkmr.exe"
        52⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\cyle.exe
        
        C:\Windows\system32\cyle.exe 852 "C:\Windows\SysWOW64\yasr.exe"
        53⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\mmmp.exe
        
        C:\Windows\system32\mmmp.exe 908 "C:\Windows\SysWOW64\cyle.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\vplk.exe
        
        C:\Windows\system32\vplk.exe 900 "C:\Windows\SysWOW64\mmmp.exe"
        55⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\nwkh.exe
        
        C:\Windows\system32\nwkh.exe 804 "C:\Windows\SysWOW64\vplk.exe"
        56⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\ezyk.exe
        
        C:\Windows\system32\ezyk.exe 840 "C:\Windows\SysWOW64\nwkh.exe"
        57⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\onan.exe
        
        C:\Windows\system32\onan.exe 864 "C:\Windows\SysWOW64\ezyk.exe"
        58⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\alsa.exe
        
        C:\Windows\system32\alsa.exe 896 "C:\Windows\SysWOW64\onan.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\qtna.exe
        
        C:\Windows\system32\qtna.exe 916 "C:\Windows\SysWOW64\alsa.exe"
        60⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\zplv.exe
        
        C:\Windows\system32\zplv.exe 956 "C:\Windows\SysWOW64\qtna.exe"
        61⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\oaja.exe
        
        C:\Windows\system32\oaja.exe 924 "C:\Windows\SysWOW64\zplv.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\ihzd.exe
        
        C:\Windows\system32\ihzd.exe 844 "C:\Windows\SysWOW64\oaja.exe"
        63⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\symk.exe
        
        C:\Windows\system32\symk.exe 980 "C:\Windows\SysWOW64\ihzd.exe"
        64⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\xauf.exe
        
        C:\Windows\system32\xauf.exe 848 "C:\Windows\SysWOW64\symk.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\mapq.exe
        
        C:\Windows\system32\mapq.exe 892 "C:\Windows\SysWOW64\xauf.exe"
        66⤵
        Checks BIOS information in registry
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\dtsb.exe
        
        C:\Windows\system32\dtsb.exe 964 "C:\Windows\SysWOW64\mapq.exe"
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\pfhb.exe
        
        C:\Windows\system32\pfhb.exe 932 "C:\Windows\SysWOW64\dtsb.exe"
        68⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\pyit.exe
        
        C:\Windows\system32\pyit.exe 904 "C:\Windows\SysWOW64\pfhb.exe"
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\ulat.exe
        
        C:\Windows\system32\ulat.exe 952 "C:\Windows\SysWOW64\pyit.exe"
        70⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\jxgy.exe
        
        C:\Windows\system32\jxgy.exe 988 "C:\Windows\SysWOW64\ulat.exe"
        71⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\qxuj.exe
        
        C:\Windows\system32\qxuj.exe 976 "C:\Windows\SysWOW64\jxgy.exe"
        72⤵
        Checks BIOS information in registry
        
        PID:808
        
        C:\Windows\SysWOW64\heug.exe
        
        C:\Windows\system32\heug.exe 948 "C:\Windows\SysWOW64\qxuj.exe"
        73⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\uvxt.exe
        
        C:\Windows\system32\uvxt.exe 984 "C:\Windows\SysWOW64\heug.exe"
        74⤵
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\dnkj.exe
        
        C:\Windows\system32\dnkj.exe 1016 "C:\Windows\SysWOW64\uvxt.exe"
        75⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\tnfk.exe
        
        C:\Windows\system32\tnfk.exe 912 "C:\Windows\SysWOW64\dnkj.exe"
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\flxx.exe
        
        C:\Windows\system32\flxx.exe 1008 "C:\Windows\SysWOW64\tnfk.exe"
        77⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\acrr.exe
        
        C:\Windows\system32\acrr.exe 920 "C:\Windows\SysWOW64\flxx.exe"
        78⤵
        Checks BIOS information in registry
        
        PID:1612
        
        C:\Windows\SysWOW64\laje.exe
        
        C:\Windows\system32\laje.exe 1052 "C:\Windows\SysWOW64\acrr.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\yrnz.exe
        
        C:\Windows\system32\yrnz.exe 940 "C:\Windows\SysWOW64\laje.exe"
        80⤵
        Checks BIOS information in registry
        
        PID:1328
        
        C:\Windows\SysWOW64\abep.exe
        
        C:\Windows\system32\abep.exe 928 "C:\Windows\SysWOW64\yrnz.exe"
        81⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\nsik.exe
        
        C:\Windows\system32\nsik.exe 996 "C:\Windows\SysWOW64\abep.exe"
        82⤵
        
        PID:800
        
        C:\Windows\SysWOW64\hqyf.exe
        
        C:\Windows\system32\hqyf.exe 1068 "C:\Windows\SysWOW64\nsik.exe"
        83⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\rilv.exe
        
        C:\Windows\system32\rilv.exe 1004 "C:\Windows\SysWOW64\hqyf.exe"
        84⤵
        
        PID:976
        
        C:\Windows\SysWOW64\ixlk.exe
        
        C:\Windows\system32\ixlk.exe 1048 "C:\Windows\SysWOW64\rilv.exe"
        85⤵
        
        PID:768
        
        C:\Windows\SysWOW64\adki.exe
        
        C:\Windows\system32\adki.exe 992 "C:\Windows\SysWOW64\ixlk.exe"
        86⤵
        
        PID:924
        
        C:\Windows\SysWOW64\uypy.exe
        
        C:\Windows\system32\uypy.exe 1056 "C:\Windows\SysWOW64\adki.exe"
        87⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\jknd.exe
        
        C:\Windows\system32\jknd.exe 936 "C:\Windows\SysWOW64\uypy.exe"
        88⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\qwki.exe
        
        C:\Windows\system32\qwki.exe 1012 "C:\Windows\SysWOW64\jknd.exe"
        89⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\acuq.exe
        
        C:\Windows\system32\acuq.exe 1028 "C:\Windows\SysWOW64\qwki.exe"
        90⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\mimy.exe
        
        C:\Windows\system32\mimy.exe 1044 "C:\Windows\SysWOW64\acuq.exe"
        91⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\ygfl.exe
        
        C:\Windows\system32\ygfl.exe 1060 "C:\Windows\SysWOW64\mimy.exe"
        92⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\nscq.exe
        
        C:\Windows\system32\nscq.exe 1072 "C:\Windows\SysWOW64\ygfl.exe"
        93⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\dxlw.exe
        
        C:\Windows\system32\dxlw.exe 1036 "C:\Windows\SysWOW64\nscq.exe"
        94⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\pjse.exe
        
        C:\Windows\system32\pjse.exe 1064 "C:\Windows\SysWOW64\dxlw.exe"
        95⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\ezjo.exe
        
        C:\Windows\system32\ezjo.exe 1076 "C:\Windows\SysWOW64\pjse.exe"
        96⤵
        
        PID:536
        
        C:\Windows\SysWOW64\wymm.exe
        
        C:\Windows\system32\wymm.exe 1088 "C:\Windows\SysWOW64\ezjo.exe"
        97⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\fbko.exe
        
        C:\Windows\system32\fbko.exe 1040 "C:\Windows\SysWOW64\wymm.exe"
        98⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\swro.exe
        
        C:\Windows\system32\swro.exe 972 "C:\Windows\SysWOW64\fbko.exe"
        99⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\efvj.exe
        
        C:\Windows\system32\efvj.exe 1084 "C:\Windows\SysWOW64\swro.exe"
        100⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\rorx.exe
        
        C:\Windows\system32\rorx.exe 1092 "C:\Windows\SysWOW64\efvj.exe"
        101⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\arpz.exe
        
        C:\Windows\system32\arpz.exe 1100 "C:\Windows\SysWOW64\rorx.exe"
        102⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\vmuh.exe
        
        C:\Windows\system32\vmuh.exe 1112 "C:\Windows\SysWOW64\arpz.exe"
        103⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\elhx.exe
        
        C:\Windows\system32\elhx.exe 1020 "C:\Windows\SysWOW64\vmuh.exe"
        104⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\ruls.exe
        
        C:\Windows\system32\ruls.exe 944 "C:\Windows\SysWOW64\elhx.exe"
        105⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\sbma.exe
        
        C:\Windows\system32\sbma.exe 1116 "C:\Windows\SysWOW64\ruls.exe"
        106⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\fgei.exe
        
        C:\Windows\system32\fgei.exe 968 "C:\Windows\SysWOW64\sbma.exe"
        107⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\pyrx.exe
        
        C:\Windows\system32\pyrx.exe 1120 "C:\Windows\SysWOW64\fgei.exe"
        108⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\ybis.exe
        
        C:\Windows\system32\ybis.exe 1108 "C:\Windows\SysWOW64\pyrx.exe"
        109⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\fytq.exe
        
        C:\Windows\system32\fytq.exe 1080 "C:\Windows\SysWOW64\ybis.exe"
        110⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\xbpa.exe
        
        C:\Windows\system32\xbpa.exe 1132 "C:\Windows\SysWOW64\fytq.exe"
        111⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\jvwa.exe
        
        C:\Windows\system32\jvwa.exe 1192 "C:\Windows\SysWOW64\xbpa.exe"
        112⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\ywqb.exe
        
        C:\Windows\system32\ywqb.exe 1104 "C:\Windows\SysWOW64\jvwa.exe"
        113⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\vxbg.exe
        
        C:\Windows\system32\vxbg.exe 1000 "C:\Windows\SysWOW64\ywqb.exe"
        114⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cuml.exe
        
        C:\Windows\system32\cuml.exe 1188 "C:\Windows\SysWOW64\vxbg.exe"
        115⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\rjue.exe
        
        C:\Windows\system32\rjue.exe 1032 "C:\Windows\SysWOW64\cuml.exe"
        116⤵
        
        PID:972
        
        C:\Windows\SysWOW64\eayr.exe
        
        C:\Windows\system32\eayr.exe 1096 "C:\Windows\SysWOW64\rjue.exe"
        117⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\qjcm.exe
        
        C:\Windows\system32\qjcm.exe 1124 "C:\Windows\SysWOW64\eayr.exe"
        118⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\fylw.exe
        
        C:\Windows\system32\fylw.exe 1180 "C:\Windows\SysWOW64\qjcm.exe"
        119⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\zbqm.exe
        
        C:\Windows\system32\zbqm.exe 876 "C:\Windows\SysWOW64\fylw.exe"
        120⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\oukj.exe
        
        C:\Windows\system32\oukj.exe 1136 "C:\Windows\SysWOW64\zbqm.exe"
        121⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\iaam.exe
        
        C:\Windows\system32\iaam.exe 1148 "C:\Windows\SysWOW64\oukj.exe"
        122⤵
        
        PID:792
        
        C:\Windows\SysWOW64\dvfu.exe
        
        C:\Windows\system32\dvfu.exe 1160 "C:\Windows\SysWOW64\iaam.exe"
        123⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\eqvw.exe
        
        C:\Windows\system32\eqvw.exe 1152 "C:\Windows\SysWOW64\dvfu.exe"
        124⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\uvec.exe
        
        C:\Windows\system32\uvec.exe 1144 "C:\Windows\SysWOW64\eqvw.exe"
        125⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\yhvu.exe
        
        C:\Windows\system32\yhvu.exe 1140 "C:\Windows\SysWOW64\uvec.exe"
        126⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\qhgs.exe
        
        C:\Windows\system32\qhgs.exe 1184 "C:\Windows\SysWOW64\yhvu.exe"
        127⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cbna.exe
        
        C:\Windows\system32\cbna.exe 1176 "C:\Windows\SysWOW64\qhgs.exe"
        128⤵
        
        PID:560
        
        C:\Windows\SysWOW64\ooua.exe
        
        C:\Windows\system32\ooua.exe 1212 "C:\Windows\SysWOW64\cbna.exe"
        129⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\tqln.exe
        
        C:\Windows\system32\tqln.exe 1224 "C:\Windows\SysWOW64\ooua.exe"
        130⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\iqgf.exe
        
        C:\Windows\system32\iqgf.exe 1232 "C:\Windows\SysWOW64\tqln.exe"
        131⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\sqlv.exe
        
        C:\Windows\system32\sqlv.exe 1128 "C:\Windows\SysWOW64\iqgf.exe"
        132⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\hfun.exe
        
        C:\Windows\system32\hfun.exe 1240 "C:\Windows\SysWOW64\sqlv.exe"
        133⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\rbuy.exe
        
        C:\Windows\system32\rbuy.exe 1272 "C:\Windows\SysWOW64\hfun.exe"
        134⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\ytsb.exe
        
        C:\Windows\system32\ytsb.exe 624 "C:\Windows\SysWOW64\rbuy.exe"
        135⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\kkvo.exe
        
        C:\Windows\system32\kkvo.exe 1168 "C:\Windows\SysWOW64\ytsb.exe"
        136⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\hpro.exe
        
        C:\Windows\system32\hpro.exe 1172 "C:\Windows\SysWOW64\kkvo.exe"
        137⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\wbwt.exe
        
        C:\Windows\system32\wbwt.exe 1228 "C:\Windows\SysWOW64\hpro.exe"
        138⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\lnuy.exe
        
        C:\Windows\system32\lnuy.exe 1164 "C:\Windows\SysWOW64\wbwt.exe"
        139⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\xsmg.exe
        
        C:\Windows\system32\xsmg.exe 1244 "C:\Windows\SysWOW64\lnuy.exe"
        140⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cntg.exe
        
        C:\Windows\system32\cntg.exe 1216 "C:\Windows\SysWOW64\xsmg.exe"
        141⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\yrxy.exe
        
        C:\Windows\system32\yrxy.exe 1200 "C:\Windows\SysWOW64\cntg.exe"
        142⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\oogm.exe
        
        C:\Windows\system32\oogm.exe 1256 "C:\Windows\SysWOW64\yrxy.exe"
        143⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\xglc.exe
        
        C:\Windows\system32\xglc.exe 1220 "C:\Windows\SysWOW64\oogm.exe"
        144⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\mduu.exe
        
        C:\Windows\system32\mduu.exe 1248 "C:\Windows\SysWOW64\xglc.exe"
        145⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\wrdx.exe
        
        C:\Windows\system32\wrdx.exe 1268 "C:\Windows\SysWOW64\mduu.exe"
        146⤵
        
        PID:828
        
        C:\Windows\SysWOW64\gmur.exe
        
        C:\Windows\system32\gmur.exe 1252 "C:\Windows\SysWOW64\wrdx.exe"
        147⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\ppsu.exe
        
        C:\Windows\system32\ppsu.exe 1264 "C:\Windows\SysWOW64\gmur.exe"
        148⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cvku.exe
        
        C:\Windows\system32\cvku.exe 1196 "C:\Windows\SysWOW64\ppsu.exe"
        149⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\omgp.exe
        
        C:\Windows\system32\omgp.exe 1288 "C:\Windows\SysWOW64\cvku.exe"
        150⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\vmca.exe
        
        C:\Windows\system32\vmca.exe 1292 "C:\Windows\SysWOW64\omgp.exe"
        151⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\ivgn.exe
        
        C:\Windows\system32\ivgn.exe 1208 "C:\Windows\SysWOW64\vmca.exe"
        152⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\zkgk.exe
        
        C:\Windows\system32\zkgk.exe 1260 "C:\Windows\SysWOW64\ivgn.exe"
        153⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\liyx.exe
        
        C:\Windows\system32\liyx.exe 1236 "C:\Windows\SysWOW64\zkgk.exe"
        154⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\yrbs.exe
        
        C:\Windows\system32\yrbs.exe 1328 "C:\Windows\SysWOW64\liyx.exe"
        155⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\qqfq.exe
        
        C:\Windows\system32\qqfq.exe 1204 "C:\Windows\SysWOW64\yrbs.exe"
        156⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\fckv.exe
        
        C:\Windows\system32\fckv.exe 1276 "C:\Windows\SysWOW64\qqfq.exe"
        157⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\ustg.exe
        
        C:\Windows\system32\ustg.exe 1324 "C:\Windows\SysWOW64\fckv.exe"
        158⤵
        
        PID:908
        
        C:\Windows\SysWOW64\berl.exe
        
        C:\Windows\system32\berl.exe 1312 "C:\Windows\SysWOW64\ustg.exe"
        159⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\ptad.exe
        
        C:\Windows\system32\ptad.exe 1320 "C:\Windows\SysWOW64\berl.exe"
        160⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\sdrb.exe
        
        C:\Windows\system32\sdrb.exe 1284 "C:\Windows\SysWOW64\ptad.exe"
        161⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\buej.exe
        
        C:\Windows\system32\buej.exe 1332 "C:\Windows\SysWOW64\sdrb.exe"
        162⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\tupg.exe
        
        C:\Windows\system32\tupg.exe 1316 "C:\Windows\SysWOW64\buej.exe"
        163⤵
        
        PID:936
        
        C:\Windows\SysWOW64\fsht.exe
        
        C:\Windows\system32\fsht.exe 1388 "C:\Windows\SysWOW64\tupg.exe"
        164⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\sjlo.exe
        
        C:\Windows\system32\sjlo.exe 1404 "C:\Windows\SysWOW64\fsht.exe"
        165⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\knzz.exe
        
        C:\Windows\system32\knzz.exe 1344 "C:\Windows\SysWOW64\sjlo.exe"
        166⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wlrm.exe
        
        C:\Windows\system32\wlrm.exe 1400 "C:\Windows\SysWOW64\knzz.exe"
        167⤵
        
        PID:948
        
        C:\Windows\SysWOW64\gztp.exe
        
        C:\Windows\system32\gztp.exe 960 "C:\Windows\SysWOW64\wlrm.exe"
        168⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\stap.exe
        
        C:\Windows\system32\stap.exe 1360 "C:\Windows\SysWOW64\gztp.exe"
        169⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\ztwz.exe
        
        C:\Windows\system32\ztwz.exe 1336 "C:\Windows\SysWOW64\stap.exe"
        170⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\ukyc.exe
        
        C:\Windows\system32\ukyc.exe 1372 "C:\Windows\SysWOW64\ztwz.exe"
        171⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\dcls.exe
        
        C:\Windows\system32\dcls.exe 1364 "C:\Windows\SysWOW64\ukyc.exe"
        172⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\sruk.exe
        
        C:\Windows\system32\sruk.exe 1348 "C:\Windows\SysWOW64\dcls.exe"
        173⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\kvin.exe
        
        C:\Windows\system32\kvin.exe 1352 "C:\Windows\SysWOW64\sruk.exe"
        174⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cyxx.exe
        
        C:\Windows\system32\cyxx.exe 1300 "C:\Windows\SysWOW64\kvin.exe"
        175⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\otmx.exe
        
        C:\Windows\system32\otmx.exe 1376 "C:\Windows\SysWOW64\cyxx.exe"
        176⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\acff.exe
        
        C:\Windows\system32\acff.exe 1296 "C:\Windows\SysWOW64\otmx.exe"
        177⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\mlja.exe
        
        C:\Windows\system32\mlja.exe 1368 "C:\Windows\SysWOW64\acff.exe"
        178⤵
        
        PID:764
        
        C:\Windows\SysWOW64\bjss.exe
        
        C:\Windows\system32\bjss.exe 620 "C:\Windows\SysWOW64\mlja.exe"
        179⤵
        
        PID:368
        
        C:\Windows\SysWOW64\lxtv.exe
        
        C:\Windows\system32\lxtv.exe 1340 "C:\Windows\SysWOW64\bjss.exe"
        180⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\abra.exe
        
        C:\Windows\system32\abra.exe 1424 "C:\Windows\SysWOW64\lxtv.exe"
        181⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\kaeq.exe
        
        C:\Windows\system32\kaeq.exe 1408 "C:\Windows\SysWOW64\abra.exe"
        182⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\rlmb.exe
        
        C:\Windows\system32\rlmb.exe 1416 "C:\Windows\SysWOW64\kaeq.exe"
        183⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\lyrv.exe
        
        C:\Windows\system32\lyrv.exe 1356 "C:\Windows\SysWOW64\rlmb.exe"
        184⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\ahlo.exe
        
        C:\Windows\system32\ahlo.exe 1384 "C:\Windows\SysWOW64\lyrv.exe"
        185⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\nyhj.exe
        
        C:\Windows\system32\nyhj.exe 1432 "C:\Windows\SysWOW64\ahlo.exe"
        186⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\zwzw.exe
        
        C:\Windows\system32\zwzw.exe 1392 "C:\Windows\SysWOW64\nyhj.exe"
        187⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\jyxm.exe
        
        C:\Windows\system32\jyxm.exe 1412 "C:\Windows\SysWOW64\zwzw.exe"
        188⤵
        
        PID:684
        
        C:\Windows\SysWOW64\sfzt.exe
        
        C:\Windows\system32\sfzt.exe 1380 "C:\Windows\SysWOW64\jyxm.exe"
        189⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\ayhm.exe
        
        C:\Windows\system32\ayhm.exe 1440 "C:\Windows\SysWOW64\sfzt.exe"
        190⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\oope.exe
        
        C:\Windows\system32\oope.exe 1436 "C:\Windows\SysWOW64\ayhm.exe"
        191⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\ycrh.exe
        
        C:\Windows\system32\ycrh.exe 1308 "C:\Windows\SysWOW64\oope.exe"
        192⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\lwyh.exe
        
        C:\Windows\system32\lwyh.exe 1504 "C:\Windows\SysWOW64\ycrh.exe"
        193⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\nkak.exe
        
        C:\Windows\system32\nkak.exe 1460 "C:\Windows\SysWOW64\lwyh.exe"
        194⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\zisx.exe
        
        C:\Windows\system32\zisx.exe 1452 "C:\Windows\SysWOW64\nkak.exe"
        195⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\lrwk.exe
        
        C:\Windows\system32\lrwk.exe 1420 "C:\Windows\SysWOW64\zisx.exe"
        196⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\aaqk.exe
        
        C:\Windows\system32\aaqk.exe 1464 "C:\Windows\SysWOW64\lrwk.exe"
        197⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\hamv.exe
        
        C:\Windows\system32\hamv.exe 1396 "C:\Windows\SysWOW64\aaqk.exe"
        198⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\rrrk.exe
        
        C:\Windows\system32\rrrk.exe 1448 "C:\Windows\SysWOW64\hamv.exe"
        199⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\buqf.exe
        
        C:\Windows\system32\buqf.exe 1476 "C:\Windows\SysWOW64\rrrk.exe"
        200⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\syeq.exe
        
        C:\Windows\system32\syeq.exe 1508 "C:\Windows\SysWOW64\buqf.exe"
        201⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cbcl.exe
        
        C:\Windows\system32\cbcl.exe 1468 "C:\Windows\SysWOW64\syeq.exe"
        202⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\okyg.exe
        
        C:\Windows\system32\okyg.exe 1484 "C:\Windows\SysWOW64\cbcl.exe"
        203⤵
        
        PID:960
        
        C:\Windows\SysWOW64\gkjd.exe
        
        C:\Windows\system32\gkjd.exe 1496 "C:\Windows\SysWOW64\okyg.exe"
        204⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\nnqb.exe
        
        C:\Windows\system32\nnqb.exe 1456 "C:\Windows\SysWOW64\gkjd.exe"
        205⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\xbsd.exe
        
        C:\Windows\system32\xbsd.exe 1520 "C:\Windows\SysWOW64\nnqb.exe"
        206⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\jzkq.exe
        
        C:\Windows\system32\jzkq.exe 1500 "C:\Windows\SysWOW64\xbsd.exe"
        207⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\eret.exe
        
        C:\Windows\system32\eret.exe 1532 "C:\Windows\SysWOW64\jzkq.exe"
        208⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\qltt.exe
        
        C:\Windows\system32\qltt.exe 1492 "C:\Windows\SysWOW64\eret.exe"
        209⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\zojo.exe
        
        C:\Windows\system32\zojo.exe 1512 "C:\Windows\SysWOW64\qltt.exe"
        210⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\exnj.exe
        
        C:\Windows\system32\exnj.exe 1480 "C:\Windows\SysWOW64\zojo.exe"
        211⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\tjlo.exe
        
        C:\Windows\system32\tjlo.exe 1528 "C:\Windows\SysWOW64\exnj.exe"
        212⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\dxmr.exe
        
        C:\Windows\system32\dxmr.exe 1428 "C:\Windows\SysWOW64\tjlo.exe"
        213⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\pvne.exe
        
        C:\Windows\system32\pvne.exe 1524 "C:\Windows\SysWOW64\dxmr.exe"
        214⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\bqte.exe
        
        C:\Windows\system32\bqte.exe 1540 "C:\Windows\SysWOW64\pvne.exe"
        215⤵
        
        PID:752
        
        C:\Windows\SysWOW64\ozxz.exe
        
        C:\Windows\system32\ozxz.exe 1548 "C:\Windows\SysWOW64\bqte.exe"
        216⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\atez.exe
        
        C:\Windows\system32\atez.exe 1488 "C:\Windows\SysWOW64\ozxz.exe"
        217⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\kevp.exe
        
        C:\Windows\system32\kevp.exe 1560 "C:\Windows\SysWOW64\atez.exe"
        218⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\hfnc.exe
        
        C:\Windows\system32\hfnc.exe 1444 "C:\Windows\SysWOW64\kevp.exe"
        219⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\toqx.exe
        
        C:\Windows\system32\toqx.exe 1536 "C:\Windows\SysWOW64\hfnc.exe"
        220⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\drhs.exe
        
        C:\Windows\system32\drhs.exe 1568 "C:\Windows\SysWOW64\toqx.exe"
        221⤵
        
        PID:332
        
        C:\Windows\SysWOW64\sdmx.exe
        
        C:\Windows\system32\sdmx.exe 1552 "C:\Windows\SysWOW64\drhs.exe"
        222⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\extf.exe
        
        C:\Windows\system32\extf.exe 1596 "C:\Windows\SysWOW64\sdmx.exe"
        223⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\tyoy.exe
        
        C:\Windows\system32\tyoy.exe 1608 "C:\Windows\SysWOW64\extf.exe"
        224⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\gpjl.exe
        
        C:\Windows\system32\gpjl.exe 1576 "C:\Windows\SysWOW64\tyoy.exe"
        225⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\xvji.exe
        
        C:\Windows\system32\xvji.exe 1620 "C:\Windows\SysWOW64\gpjl.exe"
        226⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\ewft.exe
        
        C:\Windows\system32\ewft.exe 1592 "C:\Windows\SysWOW64\xvji.exe"
        227⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\jely.exe
        
        C:\Windows\system32\jely.exe 1580 "C:\Windows\SysWOW64\ewft.exe"
        228⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\doco.exe
        
        C:\Windows\system32\doco.exe 1588 "C:\Windows\SysWOW64\jely.exe"
        229⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\nopd.exe
        
        C:\Windows\system32\nopd.exe 1612 "C:\Windows\SysWOW64\doco.exe"
        230⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ztil.exe
        
        C:\Windows\system32\ztil.exe 1656 "C:\Windows\SysWOW64\nopd.exe"
        231⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\ojre.exe
        
        C:\Windows\system32\ojre.exe 1564 "C:\Windows\SysWOW64\ztil.exe"
        232⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\baur.exe
        
        C:\Windows\system32\baur.exe 1648 "C:\Windows\SysWOW64\ojre.exe"
        233⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\krhh.exe
        
        C:\Windows\system32\krhh.exe 1616 "C:\Windows\SysWOW64\baur.exe"
        234⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\svru.exe
        
        C:\Windows\system32\svru.exe 1472 "C:\Windows\SysWOW64\krhh.exe"
        235⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\wexz.exe
        
        C:\Windows\system32\wexz.exe 1624 "C:\Windows\SysWOW64\svru.exe"
        236⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\gwkp.exe
        
        C:\Windows\system32\gwkp.exe 1628 "C:\Windows\SysWOW64\wexz.exe"
        237⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\sqrp.exe
        
        C:\Windows\system32\sqrp.exe 1544 "C:\Windows\SysWOW64\gwkp.exe"
        238⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\hcpu.exe
        
        C:\Windows\system32\hcpu.exe 1604 "C:\Windows\SysWOW64\sqrp.exe"
        239⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\rnnk.exe
        
        C:\Windows\system32\rnnk.exe 1516 "C:\Windows\SysWOW64\hcpu.exe"
        240⤵
        
        PID:528
        
        C:\Windows\SysWOW64\grlp.exe
        
        C:\Windows\system32\grlp.exe 1556 "C:\Windows\SysWOW64\rnnk.exe"
        241⤵
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
b63b60e0a3b3085f87993fc014d6ca5c

SHA1
230a2576e67159b18d24398bdb61dd46f3008928

SHA256
8fb883513a828a40c4d5b545948b591e188dda0d956b2d1023f11f98df21fd1b

SHA512
9483a9a9dc15dc7e73b58e71b85997ce9811f3f56c9f769d7a75f0bda98951e798435bb1258a434fa2ddd7db1dc60b4f4c1397f0d1b5c5514ff311b55420258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
fb8e831f83ed677010042501b7768655

SHA1
16fe533953962762c2c09b577996fe4f4482af25

SHA256
d81cfce40203f293820dd4f53671ef8c829ec5e419d18d32d1d5106d0fbbff57

SHA512
3297688b0c28abdbb2e8c359b305c5faab4227647befb9087a623010bac81d73354945c7c02e1de133efe5cac13123d6e406f9b4fd04ea1794cb0c6aeed02943

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
50f4ab8197121cc542e0e5a49350f5b8

SHA1
954e44463b6e10ff5d7b9222c4e051090e6f7bb5

SHA256
9c4ee38195b231282064606be13241920f2f8f3bb98440050e76f850b752da47

SHA512
05aa7269c51d6828703117764a5ef0a7b557495182b4531e5a52ea6bb40fb2c3302779f7c3248f303a7081bf2b57a8ce69d9168db07a8f12707e56d8c23f1ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
41c920900d77577e50e6af393515abda

SHA1
65e3ea1dcf8a8074ca4a9ac300a3bbc033a6778a

SHA256
7160ce84112cd94d2e585145786da4c94bc74fbbac7c9fd30b76bb6f066be261

SHA512
3ff71ac559cbf7427c1994d76c777a0b6bd51308db121a08dfc55d1fbbd4340afb6fba7168f463fd0a02979208c43cd4a02f9798b729324108806f0ecb525d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
ce09db543150b9c83db30c208b6efa09

SHA1
9ad6c5ae3e139682ba5798491014a6c4748958ed

SHA256
1501a1e8aaba1cedcfa0d050342f38df727957aa62c8dd91e650047a1849aa6c

SHA512
0c958c90d863a352e46ce6c78ffb1d1cf3b120278a8b5bc96d282b51fe0b7758cfadcc5817e4d21908e57623ac9b07d8c5c107954a0c6b2e4e1bddc55d725d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
58647eb30039edf7bb15ae26943c42f3

SHA1
41bfb19742da319c93ce9e8ae4ee5d78da7e23b7

SHA256
250e06718bab523e775d30c203c4401c323cc92c176663af177b882b0cfbb8c1

SHA512
3074f705473e9eab747780e2248196263122838044cb7baa5b1bd163cba572b98d6fdadf3e7ad9f2dba5853f4b50bc7eebbb9c438e5dc73c2c9893a6a04f81ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
59484e6c7dd021565020a6ea9e518a25

SHA1
8629c7b9f12ab2f80c8a8761acf2c41ca6427970

SHA256
6cb57ff57dc1284e2eb2a9c8b3db281a48f98e244ebfab71693f54f3d0388319

SHA512
e704c37c333684cb2214916f4cd3f94f405703fb2c7a29f80e8ae768762ea8fdb8a166c2431f061710d7cd008135d81f98b89cc5d5b114213d33d86fca97a069

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
48036d1a3660c18b14fd8dd5314cbd11

SHA1
51cf4300f3bc650dcf56afa15231225fb96bf456

SHA256
59daa2fa3aa5f94e982fba640d03398198e9e40cbc5896f5ec1bddbbbc027be8

SHA512
47aa245cfa7e3aad9f5d2dcf4eb568961e716c09bd50ff29e76fd7e16e86999b3c200e3eb7a00fead11d748d596da67c6935994290f739e1dad59d07a88c4cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
489976ab58764bbc06d87aa85baf9090

SHA1
a498bbb100a560cf1270c68311137e2412ca700b

SHA256
c86fff48fcdb47a6f753d04f3f3082046298fc9c98b320bad490807fbfe61271

SHA512
1e94ce358fee6d24ae2a83b263d8c761469b68120fd0b605b20d7914e105306f74a802c0e1262ce616fdf33a3196b354b97db03e7db2c340bd3fd88cf051bf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
34e502d429247a65cb89cdc6a2d26e0e

SHA1
4fcea32fd3ed29b713d7a6082ed7cc58d77646dc

SHA256
4840c7187273e8a416a82e3b6d4aed49413d18a7a375572ec33000c2c1c43f6f

SHA512
5dc641574b32093f9154815d8477aab81d73b633f8bc044d4dc233f3b3862d32e393a48a0340dd47ce4025dadf2ff17f622bbd6013335a2c618063dec49a9303

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
5ef26ac2d65c924a6677b80e4e14000d

SHA1
6f0ee9be2dab556f25ee328dddc1d3c655b733ae

SHA256
e1d1bdb6c4248e99a2afef1d00af180c677622f0ec5330fdd8195bccfed1fd7f

SHA512
ba5e0c357137be7b6778b7032f76af36d4486be32c6795435a224e591d410327727dc01c726ab48d141f688698533535511b47fa87002e24ec46ddd99dcb5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA1EB199.TMP

Filesize
104B

MD5
c27563b8d8d817a95e19900252d53fa8

SHA1
7d620af464dfa8f604a06f3a83753e7c77b4969e

SHA256
24da0649c047c0d03925689cb15aca068d3a941ae43077ce77d26d24b339b55a

SHA512
24ff0782df32b9943ef198d5d368d95597812075d91f6f276a566f3f40df16eeb9d8b17bccaa066e038530c94844dca32c98ab5795a1e065c885c8566049b307

Download Submit
C:\Windows\SysWOW64\gkyj.exe

Filesize
64KB

MD5
d7c4b9eaa6dc3d04e9f2a72a8c7c829e

SHA1
246c43bebfdfacfa702ab907b359ae2524f6ea42

SHA256
7c6bac22c9079fab8e7b35e6a61323248b2a7f956d5b4bae63e032ddcf85eeda

SHA512
afa329a985f94ee27fdcc5023ec3d79b9d8aa7b4be8cb42e1314616e0988b603586942ce43e086d3657b340242992b9af9d61d64a04c8d1c1125cabfcc744c71

Download Submit
\Windows\SysWOW64\gkyj.exe

Filesize
649KB

MD5
4507297f46b12e3dbfe13893ed8e1d3b

SHA1
6b8c92904b69cf4dc43142eac4d1246999950757

SHA256
66d104ec5651e4807a32ec8ed2a83ccb2d39538123a2d72720730ed2211b1e8b

SHA512
eea98c5afa9202bddc2155bd06377a5f9dc534f2683b1112a80508a1cec4a6d8a7e367773416a4af3c7a153a0d623d05d270a3ff5ebd930153fe97b8f74ea75c

Download Submit
memory/780-103-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-102-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-88-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-96-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/780-101-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-100-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-122-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-118-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/780-115-0x00000000032A0000-0x0000000003439000-memory.dmp

Filesize
1.6MB

Download
memory/780-104-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/780-105-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/780-85-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/1000-276-0x00000000035C0000-0x0000000003759000-memory.dmp

Filesize
1.6MB

Download
memory/1000-254-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/1000-278-0x00000000035C0000-0x0000000003759000-memory.dmp

Filesize
1.6MB

Download
memory/1000-286-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/1000-288-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1000-244-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1492-260-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/1492-212-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1492-224-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/1492-262-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1492-242-0x00000000032E0000-0x0000000003479000-memory.dmp

Filesize
1.6MB

Download
memory/1632-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-92-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-89-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/1632-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-74-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/1632-54-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-84-0x00000000032C0000-0x0000000003459000-memory.dmp

Filesize
1.6MB

Download
memory/1632-68-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1632-64-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/1752-452-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1752-415-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1752-423-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/1752-439-0x0000000003210000-0x00000000033A9000-memory.dmp

Filesize
1.6MB

Download
memory/1756-220-0x0000000000320000-0x0000000000384000-memory.dmp

Filesize
400KB

Download
memory/1756-209-0x0000000003360000-0x00000000034F9000-memory.dmp

Filesize
1.6MB

Download
memory/1756-191-0x0000000000320000-0x0000000000384000-memory.dmp

Filesize
400KB

Download
memory/1756-222-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1972-188-0x0000000000330000-0x0000000000394000-memory.dmp

Filesize
400KB

Download
memory/1972-177-0x0000000003230000-0x00000000033C9000-memory.dmp

Filesize
1.6MB

Download
memory/1972-159-0x0000000000330000-0x0000000000394000-memory.dmp

Filesize
400KB

Download
memory/1972-149-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1972-190-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1992-320-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download
memory/1992-322-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1992-291-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download
memory/1992-309-0x00000000034A0000-0x0000000003639000-memory.dmp

Filesize
1.6MB

Download
memory/1992-283-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2216-354-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2216-352-0x0000000000230000-0x0000000000294000-memory.dmp

Filesize
400KB

Download
memory/2216-342-0x0000000003160000-0x00000000032F9000-memory.dmp

Filesize
1.6MB

Download
memory/2216-313-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2216-324-0x0000000000230000-0x0000000000294000-memory.dmp

Filesize
400KB

Download
memory/2520-7-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-28-0x0000000003270000-0x0000000003409000-memory.dmp

Filesize
1.6MB

Download
memory/2520-0-0x0000000001DF0000-0x0000000001E54000-memory.dmp

Filesize
400KB

Download
memory/2520-10-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-6-0x0000000001DF0000-0x0000000001E54000-memory.dmp

Filesize
400KB

Download
memory/2520-8-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-9-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-12-0x0000000001DF0000-0x0000000001E54000-memory.dmp

Filesize
400KB

Download
memory/2520-1-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-22-0x0000000003270000-0x0000000003409000-memory.dmp

Filesize
1.6MB

Download
memory/2520-11-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2520-27-0x0000000001DF0000-0x0000000001E54000-memory.dmp

Filesize
400KB

Download
memory/2520-31-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2560-386-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2560-420-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2560-418-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2560-409-0x00000000033E0000-0x0000000003579000-memory.dmp

Filesize
1.6MB

Download
memory/2560-377-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2600-442-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2600-450-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/2756-39-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-56-0x00000000034A0000-0x0000000003639000-memory.dmp

Filesize
1.6MB

Download
memory/2756-24-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2756-34-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2756-37-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-38-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-40-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-41-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-25-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-42-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2756-63-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2756-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-51-0x00000000034A0000-0x0000000003639000-memory.dmp

Filesize
1.6MB

Download
memory/2864-397-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-357-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2864-375-0x00000000032D0000-0x0000000003469000-memory.dmp

Filesize
1.6MB

Download
memory/2864-395-0x00000000005A0000-0x0000000000604000-memory.dmp

Filesize
400KB

Download
memory/2864-348-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-155-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-134-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-130-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download
memory/2944-131-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-132-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-133-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-136-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download
memory/2944-121-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-135-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2944-119-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download
memory/2944-146-0x00000000032E0000-0x0000000003479000-memory.dmp

Filesize
1.6MB

Download
memory/2944-150-0x00000000002C0000-0x0000000000324000-memory.dmp

Filesize
400KB

Download