Analysis

  • max time kernel
    46s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:57

Errors

Reason
Machine shutdown

General

  • Target

    e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    e3606fe661cb86e3fe8843d598d9ac13

  • SHA1

    7c63a823717d43257e641bd42d37ed5b415308f7

  • SHA256

    dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a

  • SHA512

    d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344

  • SSDEEP

    6144:UBycky5x57KKM6CRzMSx/2S3bwvP6bQ7yMP+DE827+c:gkvKDsU6b7MP+Dd2Sc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\lvdf.exe
        C:\Windows\system32\lvdf.exe 500 "C:\Users\Admin\AppData\Local\Temp\e3606fe661cb86e3fe8843d598d9ac13_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\lvdf.exe
          C:\Windows\SysWOW64\lvdf.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\ihad.exe
            C:\Windows\system32\ihad.exe 456 "C:\Windows\SysWOW64\lvdf.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Windows\SysWOW64\ihad.exe
              C:\Windows\SysWOW64\ihad.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2668
              • C:\Windows\SysWOW64\qeli.exe
                C:\Windows\system32\qeli.exe 456 "C:\Windows\SysWOW64\ihad.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2888
                • C:\Windows\SysWOW64\qeli.exe
                  C:\Windows\SysWOW64\qeli.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:1236
                  • C:\Windows\SysWOW64\wmdl.exe
                    C:\Windows\system32\wmdl.exe 456 "C:\Windows\SysWOW64\qeli.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:1520
                    • C:\Windows\SysWOW64\wmdl.exe
                      C:\Windows\SysWOW64\wmdl.exe
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:2116
                      • C:\Windows\SysWOW64\yodt.exe
                        C:\Windows\system32\yodt.exe 432 "C:\Windows\SysWOW64\wmdl.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2076
                        • C:\Windows\SysWOW64\yodt.exe
                          C:\Windows\SysWOW64\yodt.exe
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:1052
                          • C:\Windows\SysWOW64\zfsb.exe
                            C:\Windows\system32\zfsb.exe 456 "C:\Windows\SysWOW64\yodt.exe"
                            13⤵
                            • Executes dropped EXE
                            • Writes to the Master Boot Record (MBR)
                            • Suspicious use of SetThreadContext
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3064
                            • C:\Windows\SysWOW64\zfsb.exe
                              C:\Windows\SysWOW64\zfsb.exe
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              PID:288
                              • C:\Windows\SysWOW64\juue.exe
                                C:\Windows\system32\juue.exe 460 "C:\Windows\SysWOW64\zfsb.exe"
                                15⤵
                                • Executes dropped EXE
                                • Writes to the Master Boot Record (MBR)
                                • Suspicious use of SetThreadContext
                                • Modifies registry class
                                PID:2788
                                • C:\Windows\SysWOW64\juue.exe
                                  C:\Windows\SysWOW64\juue.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  PID:792
                                  • C:\Windows\SysWOW64\ycgw.exe
                                    C:\Windows\system32\ycgw.exe 460 "C:\Windows\SysWOW64\juue.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Writes to the Master Boot Record (MBR)
                                    • Suspicious use of SetThreadContext
                                    • Modifies registry class
                                    PID:2368
                                    • C:\Windows\SysWOW64\ycgw.exe
                                      C:\Windows\SysWOW64\ycgw.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      PID:2028
                                      • C:\Windows\SysWOW64\iutm.exe
                                        C:\Windows\system32\iutm.exe 460 "C:\Windows\SysWOW64\ycgw.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:3024
                                        • C:\Windows\SysWOW64\iutm.exe
                                          C:\Windows\SysWOW64\iutm.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:2716
                                          • C:\Windows\SysWOW64\klim.exe
                                            C:\Windows\system32\klim.exe 480 "C:\Windows\SysWOW64\iutm.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Writes to the Master Boot Record (MBR)
                                            • Suspicious use of SetThreadContext
                                            PID:2464
                                            • C:\Windows\SysWOW64\klim.exe
                                              C:\Windows\SysWOW64\klim.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:2504
                                              • C:\Windows\SysWOW64\tcvc.exe
                                                C:\Windows\system32\tcvc.exe 460 "C:\Windows\SysWOW64\klim.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Writes to the Master Boot Record (MBR)
                                                • Suspicious use of SetThreadContext
                                                PID:344
                                                • C:\Windows\SysWOW64\tcvc.exe
                                                  C:\Windows\SysWOW64\tcvc.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in System32 directory
                                                  PID:1956
                                                  • C:\Windows\SysWOW64\ojlw.exe
                                                    C:\Windows\system32\ojlw.exe 480 "C:\Windows\SysWOW64\tcvc.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Writes to the Master Boot Record (MBR)
                                                    • Suspicious use of SetThreadContext
                                                    PID:1636
                                                    • C:\Windows\SysWOW64\ojlw.exe
                                                      C:\Windows\SysWOW64\ojlw.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Drops file in System32 directory
                                                      PID:2092
                                                      • C:\Windows\SysWOW64\plme.exe
                                                        C:\Windows\system32\plme.exe 472 "C:\Windows\SysWOW64\ojlw.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        PID:1952
                                                        • C:\Windows\SysWOW64\plme.exe
                                                          C:\Windows\SysWOW64\plme.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Drops file in System32 directory
                                                          PID:992
                                                          • C:\Windows\SysWOW64\ufvs.exe
                                                            C:\Windows\system32\ufvs.exe 480 "C:\Windows\SysWOW64\plme.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Writes to the Master Boot Record (MBR)
                                                            • Suspicious use of SetThreadContext
                                                            PID:560
                                                            • C:\Windows\SysWOW64\ufvs.exe
                                                              C:\Windows\SysWOW64\ufvs.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in System32 directory
                                                              PID:2152
                                                              • C:\Windows\SysWOW64\muuh.exe
                                                                C:\Windows\system32\muuh.exe 536 "C:\Windows\SysWOW64\ufvs.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Writes to the Master Boot Record (MBR)
                                                                • Suspicious use of SetThreadContext
                                                                • Modifies registry class
                                                                PID:960
                                                                • C:\Windows\SysWOW64\muuh.exe
                                                                  C:\Windows\SysWOW64\muuh.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Drops file in System32 directory
                                                                  PID:1680
                                                                  • C:\Windows\SysWOW64\dauf.exe
                                                                    C:\Windows\system32\dauf.exe 468 "C:\Windows\SysWOW64\muuh.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Writes to the Master Boot Record (MBR)
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:2956
                                                                    • C:\Windows\SysWOW64\dauf.exe
                                                                      C:\Windows\SysWOW64\dauf.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:2988
                                                                      • C:\Windows\SysWOW64\sqdx.exe
                                                                        C:\Windows\system32\sqdx.exe 468 "C:\Windows\SysWOW64\dauf.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Writes to the Master Boot Record (MBR)
                                                                        • Suspicious use of SetThreadContext
                                                                        • Modifies registry class
                                                                        PID:2316
                                                                        • C:\Windows\SysWOW64\sqdx.exe
                                                                          C:\Windows\SysWOW64\sqdx.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:1512
                                                                          • C:\Windows\SysWOW64\cabn.exe
                                                                            C:\Windows\system32\cabn.exe 460 "C:\Windows\SysWOW64\sqdx.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Writes to the Master Boot Record (MBR)
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:2816
                                                                            • C:\Windows\SysWOW64\cabn.exe
                                                                              C:\Windows\SysWOW64\cabn.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Drops file in System32 directory
                                                                              PID:2624
                                                                              • C:\Windows\SysWOW64\msgd.exe
                                                                                C:\Windows\system32\msgd.exe 472 "C:\Windows\SysWOW64\cabn.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Writes to the Master Boot Record (MBR)
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:2496
                                                                                • C:\Windows\SysWOW64\msgd.exe
                                                                                  C:\Windows\SysWOW64\msgd.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Drops file in System32 directory
                                                                                  PID:2692
                                                                                  • C:\Windows\SysWOW64\temi.exe
                                                                                    C:\Windows\system32\temi.exe 464 "C:\Windows\SysWOW64\msgd.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Modifies registry class
                                                                                    PID:2620
                                                                                    • C:\Windows\SysWOW64\temi.exe
                                                                                      C:\Windows\SysWOW64\temi.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      PID:332
                                                                                      • C:\Windows\SysWOW64\fyti.exe
                                                                                        C:\Windows\system32\fyti.exe 464 "C:\Windows\SysWOW64\temi.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • Modifies registry class
                                                                                        PID:1752
                                                                                        • C:\Windows\SysWOW64\fyti.exe
                                                                                          C:\Windows\SysWOW64\fyti.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Drops file in System32 directory
                                                                                          PID:1536
                                                                                          • C:\Windows\SysWOW64\shwd.exe
                                                                                            C:\Windows\system32\shwd.exe 456 "C:\Windows\SysWOW64\fyti.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2888
                                                                                            • C:\Windows\SysWOW64\shwd.exe
                                                                                              C:\Windows\SysWOW64\shwd.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • Drops file in System32 directory
                                                                                              PID:2704
                                                                                              • C:\Windows\SysWOW64\gffn.exe
                                                                                                C:\Windows\system32\gffn.exe 468 "C:\Windows\SysWOW64\shwd.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Modifies registry class
                                                                                                PID:1172
                                                                                                • C:\Windows\SysWOW64\gffn.exe
                                                                                                  C:\Windows\SysWOW64\gffn.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:1952
                                                                                                  • C:\Windows\SysWOW64\aghd.exe
                                                                                                    C:\Windows\system32\aghd.exe 456 "C:\Windows\SysWOW64\gffn.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1364
                                                                                                    • C:\Windows\SysWOW64\aghd.exe
                                                                                                      C:\Windows\SysWOW64\aghd.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Loads dropped DLL
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:900
                                                                                                      • C:\Windows\SysWOW64\fiqi.exe
                                                                                                        C:\Windows\system32\fiqi.exe 464 "C:\Windows\SysWOW64\aghd.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:1624
                                                                                                        • C:\Windows\SysWOW64\fiqi.exe
                                                                                                          C:\Windows\SysWOW64\fiqi.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:956
                                                                                                          • C:\Windows\SysWOW64\advy.exe
                                                                                                            C:\Windows\system32\advy.exe 468 "C:\Windows\SysWOW64\fiqi.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Modifies registry class
                                                                                                            PID:2868
                                                                                                            • C:\Windows\SysWOW64\advy.exe
                                                                                                              C:\Windows\SysWOW64\advy.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:2240
                                                                                                              • C:\Windows\SysWOW64\rvgb.exe
                                                                                                                C:\Windows\system32\rvgb.exe 468 "C:\Windows\SysWOW64\advy.exe"
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • Modifies registry class
                                                                                                                PID:1584
                                                                                                                • C:\Windows\SysWOW64\rvgb.exe
                                                                                                                  C:\Windows\SysWOW64\rvgb.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:1148
                                                                                                                  • C:\Windows\SysWOW64\ltww.exe
                                                                                                                    C:\Windows\system32\ltww.exe 464 "C:\Windows\SysWOW64\rvgb.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • Modifies registry class
                                                                                                                    PID:2648
                                                                                                                    • C:\Windows\SysWOW64\ltww.exe
                                                                                                                      C:\Windows\SysWOW64\ltww.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Loads dropped DLL
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:2816
                                                                                                                      • C:\Windows\SysWOW64\yksr.exe
                                                                                                                        C:\Windows\system32\yksr.exe 504 "C:\Windows\SysWOW64\ltww.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • Modifies registry class
                                                                                                                        PID:2980
                                                                                                                        • C:\Windows\SysWOW64\yksr.exe
                                                                                                                          C:\Windows\SysWOW64\yksr.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:2580
                                                                                                                          • C:\Windows\SysWOW64\kxhr.exe
                                                                                                                            C:\Windows\system32\kxhr.exe 500 "C:\Windows\SysWOW64\yksr.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:1720
                                                                                                                            • C:\Windows\SysWOW64\kxhr.exe
                                                                                                                              C:\Windows\SysWOW64\kxhr.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:2216
                                                                                                                              • C:\Windows\SysWOW64\zfbr.exe
                                                                                                                                C:\Windows\system32\zfbr.exe 480 "C:\Windows\SysWOW64\kxhr.exe"
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:2872
                                                                                                                                • C:\Windows\SysWOW64\zfbr.exe
                                                                                                                                  C:\Windows\SysWOW64\zfbr.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  PID:332
                                                                                                                                  • C:\Windows\SysWOW64\orzw.exe
                                                                                                                                    C:\Windows\system32\orzw.exe 476 "C:\Windows\SysWOW64\zfbr.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    PID:2100
                                                                                                                                    • C:\Windows\SysWOW64\orzw.exe
                                                                                                                                      C:\Windows\SysWOW64\orzw.exe
                                                                                                                                      66⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:1688
                                                                                                                                      • C:\Windows\SysWOW64\gbjz.exe
                                                                                                                                        C:\Windows\system32\gbjz.exe 464 "C:\Windows\SysWOW64\orzw.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:1880
                                                                                                                                        • C:\Windows\SysWOW64\gbjz.exe
                                                                                                                                          C:\Windows\SysWOW64\gbjz.exe
                                                                                                                                          68⤵
                                                                                                                                            PID:696
                                                                                                                                            • C:\Windows\SysWOW64\dvfm.exe
                                                                                                                                              C:\Windows\system32\dvfm.exe 460 "C:\Windows\SysWOW64\gbjz.exe"
                                                                                                                                              69⤵
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:3044
                                                                                                                                              • C:\Windows\SysWOW64\dvfm.exe
                                                                                                                                                C:\Windows\SysWOW64\dvfm.exe
                                                                                                                                                70⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1364
                                                                                                                                                • C:\Windows\SysWOW64\ebjh.exe
                                                                                                                                                  C:\Windows\system32\ebjh.exe 468 "C:\Windows\SysWOW64\dvfm.exe"
                                                                                                                                                  71⤵
                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:1032
                                                                                                                                                  • C:\Windows\SysWOW64\ebjh.exe
                                                                                                                                                    C:\Windows\SysWOW64\ebjh.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:2380
                                                                                                                                                    • C:\Windows\SysWOW64\rwqh.exe
                                                                                                                                                      C:\Windows\system32\rwqh.exe 480 "C:\Windows\SysWOW64\ebjh.exe"
                                                                                                                                                      73⤵
                                                                                                                                                      • Writes to the Master Boot Record (MBR)
                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                      PID:1792
                                                                                                                                                      • C:\Windows\SysWOW64\rwqh.exe
                                                                                                                                                        C:\Windows\SysWOW64\rwqh.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        PID:2168
                                                                                                                                                        • C:\Windows\SysWOW64\gbzu.exe
                                                                                                                                                          C:\Windows\system32\gbzu.exe 464 "C:\Windows\SysWOW64\rwqh.exe"
                                                                                                                                                          75⤵
                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                          PID:2700
                                                                                                                                                          • C:\Windows\SysWOW64\gbzu.exe
                                                                                                                                                            C:\Windows\SysWOW64\gbzu.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:2308
                                                                                                                                                            • C:\Windows\SysWOW64\knou.exe
                                                                                                                                                              C:\Windows\system32\knou.exe 456 "C:\Windows\SysWOW64\gbzu.exe"
                                                                                                                                                              77⤵
                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                              PID:2672
                                                                                                                                                              • C:\Windows\SysWOW64\knou.exe
                                                                                                                                                                C:\Windows\SysWOW64\knou.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                PID:1672
                                                                                                                                                                • C:\Windows\SysWOW64\ilnu.exe
                                                                                                                                                                  C:\Windows\system32\ilnu.exe 464 "C:\Windows\SysWOW64\knou.exe"
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  PID:1604
                                                                                                                                                                  • C:\Windows\SysWOW64\ilnu.exe
                                                                                                                                                                    C:\Windows\SysWOW64\ilnu.exe
                                                                                                                                                                    80⤵
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    PID:1796
                                                                                                                                                                    • C:\Windows\SysWOW64\ujnh.exe
                                                                                                                                                                      C:\Windows\system32\ujnh.exe 468 "C:\Windows\SysWOW64\ilnu.exe"
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Writes to the Master Boot Record (MBR)
                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:2496
                                                                                                                                                                      • C:\Windows\SysWOW64\ujnh.exe
                                                                                                                                                                        C:\Windows\SysWOW64\ujnh.exe
                                                                                                                                                                        82⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        PID:2200
                                                                                                                                                                        • C:\Windows\SysWOW64\lqmf.exe
                                                                                                                                                                          C:\Windows\system32\lqmf.exe 476 "C:\Windows\SysWOW64\ujnh.exe"
                                                                                                                                                                          83⤵
                                                                                                                                                                          • Writes to the Master Boot Record (MBR)
                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:1752
                                                                                                                                                                          • C:\Windows\SysWOW64\lqmf.exe
                                                                                                                                                                            C:\Windows\SysWOW64\lqmf.exe
                                                                                                                                                                            84⤵
                                                                                                                                                                              PID:1972
                                                                                                                                                                              • C:\Windows\SysWOW64\lbzx.exe
                                                                                                                                                                                C:\Windows\system32\lbzx.exe 476 "C:\Windows\SysWOW64\lqmf.exe"
                                                                                                                                                                                85⤵
                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                PID:2896
                                                                                                                                                                                • C:\Windows\SysWOW64\lbzx.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\lbzx.exe
                                                                                                                                                                                  86⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  PID:332
                                                                                                                                                                                  • C:\Windows\SysWOW64\uiaf.exe
                                                                                                                                                                                    C:\Windows\system32\uiaf.exe 492 "C:\Windows\SysWOW64\lbzx.exe"
                                                                                                                                                                                    87⤵
                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:1136
                                                                                                                                                                                    • C:\Windows\SysWOW64\uiaf.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\uiaf.exe
                                                                                                                                                                                      88⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      PID:584
                                                                                                                                                                                      • C:\Windows\SysWOW64\mlpq.exe
                                                                                                                                                                                        C:\Windows\system32\mlpq.exe 464 "C:\Windows\SysWOW64\uiaf.exe"
                                                                                                                                                                                        89⤵
                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:2392
                                                                                                                                                                                        • C:\Windows\SysWOW64\mlpq.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\mlpq.exe
                                                                                                                                                                                          90⤵
                                                                                                                                                                                            PID:1572
                                                                                                                                                                                            • C:\Windows\SysWOW64\jbvq.exe
                                                                                                                                                                                              C:\Windows\system32\jbvq.exe 472 "C:\Windows\SysWOW64\mlpq.exe"
                                                                                                                                                                                              91⤵
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              PID:1044
                                                                                                                                                                                              • C:\Windows\SysWOW64\jbvq.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\jbvq.exe
                                                                                                                                                                                                92⤵
                                                                                                                                                                                                  PID:1048
                                                                                                                                                                                                  • C:\Windows\SysWOW64\qjsa.exe
                                                                                                                                                                                                    C:\Windows\system32\qjsa.exe 460 "C:\Windows\SysWOW64\jbvq.exe"
                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:956
                                                                                                                                                                                                    • C:\Windows\SysWOW64\qjsa.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\qjsa.exe
                                                                                                                                                                                                      94⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      PID:572
                                                                                                                                                                                                      • C:\Windows\SysWOW64\ldxq.exe
                                                                                                                                                                                                        C:\Windows\system32\ldxq.exe 460 "C:\Windows\SysWOW64\qjsa.exe"
                                                                                                                                                                                                        95⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:2548
                                                                                                                                                                                                        • C:\Windows\SysWOW64\ldxq.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\ldxq.exe
                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                            PID:2632
                                                                                                                                                                                                            • C:\Windows\SysWOW64\fcnl.exe
                                                                                                                                                                                                              C:\Windows\system32\fcnl.exe 468 "C:\Windows\SysWOW64\ldxq.exe"
                                                                                                                                                                                                              97⤵
                                                                                                                                                                                                              • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:2264
                                                                                                                                                                                                              • C:\Windows\SysWOW64\fcnl.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\fcnl.exe
                                                                                                                                                                                                                98⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                PID:2644
                                                                                                                                                                                                                • C:\Windows\SysWOW64\mnni.exe
                                                                                                                                                                                                                  C:\Windows\system32\mnni.exe 464 "C:\Windows\SysWOW64\fcnl.exe"
                                                                                                                                                                                                                  99⤵
                                                                                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                  PID:2224
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mnni.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\mnni.exe
                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                      PID:2716
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\ywqv.exe
                                                                                                                                                                                                                        C:\Windows\system32\ywqv.exe 456 "C:\Windows\SysWOW64\mnni.exe"
                                                                                                                                                                                                                        101⤵
                                                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                        PID:1892
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\ywqv.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\ywqv.exe
                                                                                                                                                                                                                          102⤵
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          PID:2884
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\ypro.exe
                                                                                                                                                                                                                            C:\Windows\system32\ypro.exe 480 "C:\Windows\SysWOW64\ywqv.exe"
                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:1588
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\ypro.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\ypro.exe
                                                                                                                                                                                                                              104⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              PID:2828
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\psny.exe
                                                                                                                                                                                                                                C:\Windows\system32\psny.exe 464 "C:\Windows\SysWOW64\ypro.exe"
                                                                                                                                                                                                                                105⤵
                                                                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:2836
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\psny.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\psny.exe
                                                                                                                                                                                                                                  106⤵
                                                                                                                                                                                                                                    PID:2844
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\zvet.exe
                                                                                                                                                                                                                                      C:\Windows\system32\zvet.exe 468 "C:\Windows\SysWOW64\psny.exe"
                                                                                                                                                                                                                                      107⤵
                                                                                                                                                                                                                                      • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                      PID:2116
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\zvet.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\zvet.exe
                                                                                                                                                                                                                                        108⤵
                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                        PID:1804
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\rvpr.exe
                                                                                                                                                                                                                                          C:\Windows\system32\rvpr.exe 472 "C:\Windows\SysWOW64\zvet.exe"
                                                                                                                                                                                                                                          109⤵
                                                                                                                                                                                                                                          • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
• Modifies registry class
PID:1812
• C:\Windows\SysWOW64\rvpr.exe
  C:\Windows\SysWOW64\rvpr.exe
  110⤵
  • Drops file in System32 directory
  PID:2152
  • C:\Windows\SysWOW64\dhwr.exe
    C:\Windows\system32\dhwr.exe 472 "C:\Windows\SysWOW64\rvpr.exe"
    111⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetThreadContext
    • Modifies registry class
    PID:920
    • C:\Windows\SysWOW64\dhwr.exe
      C:\Windows\SysWOW64\dhwr.exe
      112⤵
      • Drops file in System32 directory
      PID:2024
      • C:\Windows\SysWOW64\yomu.exe
        C:\Windows\system32\yomu.exe 460 "C:\Windows\SysWOW64\dhwr.exe"
        113⤵
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • Modifies registry class
        PID:2956
        • C:\Windows\SysWOW64\yomu.exe
          C:\Windows\SysWOW64\yomu.exe
          114⤵
            PID:352
            • C:\Windows\SysWOW64\cxqh.exe
              C:\Windows\system32\cxqh.exe 460 "C:\Windows\SysWOW64\yomu.exe"
              115⤵
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of SetThreadContext
              • Modifies registry class
              PID:2664
              • C:\Windows\SysWOW64\cxqh.exe
                C:\Windows\SysWOW64\cxqh.exe
                116⤵
                • Drops file in System32 directory
                PID:952
                • C:\Windows\SysWOW64\lagj.exe
                  C:\Windows\system32\lagj.exe 476 "C:\Windows\SysWOW64\cxqh.exe"
                  117⤵
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Modifies registry class
                  PID:2892
                  • C:\Windows\SysWOW64\lagj.exe
                    C:\Windows\SysWOW64\lagj.exe
                    118⤵
                      PID:2476
                      • C:\Windows\SysWOW64\ttou.exe
                        C:\Windows\system32\ttou.exe 460 "C:\Windows\SysWOW64\lagj.exe"
                        119⤵
                        • Writes to the Master Boot Record (MBR)
                        • Suspicious use of SetThreadContext
                        • Modifies registry class
                        PID:2980
                        • C:\Windows\SysWOW64\ttou.exe
                          C:\Windows\SysWOW64\ttou.exe
                          120⤵
                          • Drops file in System32 directory
                          PID:2772
                          • C:\Windows\SysWOW64\dkbk.exe
                            C:\Windows\system32\dkbk.exe 464 "C:\Windows\SysWOW64\ttou.exe"
                            121⤵
                            • Writes to the Master Boot Record (MBR)
                            • Suspicious use of SetThreadContext
                            PID:2712
                            • C:\Windows\SysWOW64\dkbk.exe
                              C:\Windows\SysWOW64\dkbk.exe
                              122⤵
                                PID:1568
                                • C:\Windows\SysWOW64\rajc.exe
                                  C:\Windows\system32\rajc.exe 464 "C:\Windows\SysWOW64\dkbk.exe"
                                  123⤵
                                  • Writes to the Master Boot Record (MBR)
                                  • Suspicious use of SetThreadContext
                                  • Modifies registry class
                                  PID:2776
                                  • C:\Windows\SysWOW64\rajc.exe
                                    C:\Windows\SysWOW64\rajc.exe
                                    124⤵
                                      PID:1532
                                      • C:\Windows\SysWOW64\jdym.exe
                                        C:\Windows\system32\jdym.exe 468 "C:\Windows\SysWOW64\rajc.exe"
                                        125⤵
                                        • Suspicious use of SetThreadContext
                                        • Modifies registry class
                                        PID:784
                                        • C:\Windows\SysWOW64\jdym.exe
                                          C:\Windows\SysWOW64\jdym.exe
                                          126⤵
                                            PID:336
                                            • C:\Windows\SysWOW64\ythx.exe
                                              C:\Windows\system32\ythx.exe 472 "C:\Windows\SysWOW64\jdym.exe"
                                              127⤵
                                              • Writes to the Master Boot Record (MBR)
                                              • Suspicious use of SetThreadContext
                                              • Modifies registry class
                                              PID:1396
                                              • C:\Windows\SysWOW64\ythx.exe
                                                C:\Windows\SysWOW64\ythx.exe
                                                128⤵
                                                  PID:2144
                                                  • C:\Windows\SysWOW64\phgu.exe
                                                    C:\Windows\system32\phgu.exe 472 "C:\Windows\SysWOW64\ythx.exe"
                                                    129⤵
                                                    • Writes to the Master Boot Record (MBR)
                                                    • Modifies registry class
                                                    PID:992
                                                    • C:\Windows\SysWOW64\phgu.exe
                                                      C:\Windows\SysWOW64\phgu.exe
                                                      130⤵
                                                      • Drops file in System32 directory
                                                      PID:1640
                                                      • C:\Windows\SysWOW64\kclk.exe
                                                        C:\Windows\system32\kclk.exe 480 "C:\Windows\SysWOW64\phgu.exe"
                                                        131⤵
                                                        • Writes to the Master Boot Record (MBR)
                                                        PID:2876
                                                        • C:\Windows\SysWOW64\kclk.exe
                                                          C:\Windows\SysWOW64\kclk.exe
                                                          132⤵
                                                            PID:2824
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\wlpx.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\wlpx.exe 476 "C:\Windows\SysWOW64\kclk.exe"
                                                                                                                                                                                                                                                                                                        133⤵
                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                        PID:2340
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\wlpx.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\wlpx.exe
                                                                                                                                                                                                                                                                                                          134⤵
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          PID:876
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\liyp.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\liyp.exe 456 "C:\Windows\SysWOW64\wlpx.exe"
                                                                                                                                                                                                                                                                                                            135⤵
                                                                                                                                                                                                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                            PID:888
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\liyp.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\liyp.exe
                                                                                                                                                                                                                                                                                                              136⤵
                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                              PID:2988
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\iyfq.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\iyfq.exe 460 "C:\Windows\SysWOW64\liyp.exe"
                                                                                                                                                                                                                                                                                                                137⤵
                                                                                                                                                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                PID:2720
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\iyfq.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\iyfq.exe
                                                                                                                                                                                                                                                                                                                  138⤵
                                                                                                                                                                                                                                                                                                                    PID:2372
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\sykf.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\sykf.exe 476 "C:\Windows\SysWOW64\iyfq.exe"
                                                                                                                                                                                                                                                                                                                      139⤵
                                                                                                                                                                                                                                                                                                                      • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                      PID:2604
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\sykf.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\sykf.exe
                                                                                                                                                                                                                                                                                                                        140⤵
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        PID:2644
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\hbpl.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\hbpl.exe 468 "C:\Windows\SysWOW64\sykf.exe"
                                                                                                                                                                                                                                                                                                                          141⤵
                                                                                                                                                                                                                                                                                                                          • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                          PID:1712
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\hbpl.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\hbpl.exe
                                                                                                                                                                                                                                                                                                                            142⤵
                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                            PID:2620
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\usly.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\usly.exe 460 "C:\Windows\SysWOW64\hbpl.exe"
                                                                                                                                                                                                                                                                                                                              143⤵
                                                                                                                                                                                                                                                                                                                              • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                                                                                                                              PID:820
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\usly.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\usly.exe
                                                                                                                                                                                                                                                                                                                                144⤵
                                                                                                                                                                                                                                                                                                                                  PID:2960
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rqsy.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\rqsy.exe 456 "C:\Windows\SysWOW64\usly.exe"
                                                                                                                                                                                                                                                                                                                                    145⤵
                                                                                                                                                                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:1900
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rqsy.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\rqsy.exe
                                                                                                                                                                                                                                                                                                                                      146⤵
                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                      PID:1632
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\vcjq.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\vcjq.exe 468 "C:\Windows\SysWOW64\rqsy.exe"
                                                                                                                                                                                                                                                                                                                                        147⤵
                                                                                                                                                                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                        PID:2080
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\vcjq.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\vcjq.exe
                                                                                                                                                                                                                                                                                                                                          148⤵
                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                          PID:1808
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\pxog.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\pxog.exe 472 "C:\Windows\SysWOW64\vcjq.exe"
                                                                                                                                                                                                                                                                                                                                            149⤵
                                                                                                                                                                                                                                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                                                                                                                                            PID:852
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\pxog.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\pxog.exe
                                                                                                                                                                                                                                                                                                                                              150⤵
                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                              PID:1804
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cstw.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cstw.exe 488 "C:\Windows\SysWOW64\pxog.exe"
                                                                                                                                                                                                                                                                                                                                                151⤵
                                                                                                                                                                                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                PID:1032
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cstw.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\cstw.exe
                                                                                                                                                                                                                                                                                                                                                  152⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2012
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\vfxi.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\vfxi.exe 464 "C:\Windows\SysWOW64\cstw.exe"
                                                                                                                                                                                                                                                                                                                                                      153⤵
                                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                      PID:1364
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\vfxi.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\vfxi.exe
                                                                                                                                                                                                                                                                                                                                                        154⤵
                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                        PID:1700
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\ikqr.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\ikqr.exe 460 "C:\Windows\SysWOW64\vfxi.exe"
                                                                                                                                                                                                                                                                                                                                                          155⤵
                                                                                                                                                                                                                                                                                                                                                          • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\ikqr.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\ikqr.exe
                                                                                                                                                                                                                                                                                                                                                            156⤵
                                                                                                                                                                                                                                                                                                                                                              PID:2488
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\hhlg.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\hhlg.exe 456 "C:\Windows\SysWOW64\ikqr.exe"
                                                                                                                                                                                                                                                                                                                                                                157⤵
                                                                                                                                                                                                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                PID:2556
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\hhlg.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\hhlg.exe
                                                                                                                                                                                                                                                                                                                                                                  158⤵
                                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                  PID:2552
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\eesg.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\eesg.exe 472 "C:\Windows\SysWOW64\hhlg.exe"
                                                                                                                                                                                                                                                                                                                                                                    159⤵
                                                                                                                                                                                                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                    PID:2532
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\eesg.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\eesg.exe
                                                                                                                                                                                                                                                                                                                                                                      160⤵
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                      PID:2476
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\jcmh.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\jcmh.exe 468 "C:\Windows\SysWOW64\eesg.exe"
                                                                                                                                                                                                                                                                                                                                                                        161⤵
                                                                                                                                                                                                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                                                                                                                                        PID:2680
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\jcmh.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\jcmh.exe
                                                                                                                                                                                                                                                                                                                                                                          162⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:1444
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\vwth.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\vwth.exe 460 "C:\Windows\SysWOW64\jcmh.exe"
                                                                                                                                                                                                                                                                                                                                                                              163⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:1876
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\vwth.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\vwth.exe
                                                                                                                                                                                                                                                                                                                                                                                  164⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1652
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\prgo.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\prgo.exe 484 "C:\Windows\SysWOW64\vwth.exe"
                                                                                                                                                                                                                                                                                                                                                                                      165⤵
    PID:668
  • C:\Windows\SysWOW64\prgo.exe
    C:\Windows\SysWOW64\prgo.exe
    166⤵
    PID:2256
  • C:\Windows\SysWOW64\hggm.exe
    C:\Windows\system32\hggm.exe 476 "C:\Windows\SysWOW64\prgo.exe"
    167⤵
    PID:2268
  • C:\Windows\SysWOW64\hggm.exe
    C:\Windows\SysWOW64\hggm.exe
    168⤵
    PID:824
  • C:\Windows\SysWOW64\jiyu.exe
    C:\Windows\system32\jiyu.exe 468 "C:\Windows\SysWOW64\hggm.exe"
    169⤵
    PID:2408
  • C:\Windows\SysWOW64\jiyu.exe
    C:\Windows\SysWOW64\jiyu.exe
    170⤵
    PID:3020
  • C:\Windows\SysWOW64\ibhm.exe
    C:\Windows\system32\ibhm.exe 472 "C:\Windows\SysWOW64\jiyu.exe"
    171⤵
    PID:916
  • C:\Windows\SysWOW64\ibhm.exe
    C:\Windows\SysWOW64\ibhm.exe
    172⤵
    PID:1804
  • C:\Windows\SysWOW64\xqqx.exe
    C:\Windows\system32\xqqx.exe 480 "C:\Windows\SysWOW64\ibhm.exe"
    173⤵
    PID:288
  • C:\Windows\SysWOW64\xqqx.exe
    C:\Windows\SysWOW64\xqqx.exe
    174⤵
    PID:2824
  • C:\Windows\SysWOW64\mycx.exe
    C:\Windows\system32\mycx.exe 484 "C:\Windows\SysWOW64\xqqx.exe"
    175⤵
    PID:1392
  • C:\Windows\SysWOW64\mycx.exe
    C:\Windows\SysWOW64\mycx.exe
    176⤵
    PID:2660
  • C:\Windows\SysWOW64\efcn.exe
    C:\Windows\system32\efcn.exe 460 "C:\Windows\SysWOW64\mycx.exe"
    177⤵
    PID:2632
  • C:\Windows\SysWOW64\efcn.exe
    C:\Windows\SysWOW64\efcn.exe
    178⤵
    PID:952
  • C:\Windows\SysWOW64\town.exe
    C:\Windows\system32\town.exe 460 "C:\Windows\SysWOW64\efcn.exe"
    179⤵
    PID:2512
  • C:\Windows\SysWOW64\town.exe
    C:\Windows\SysWOW64\town.exe
    180⤵
    PID:2604
  • C:\Windows\SysWOW64\arwc.exe
    C:\Windows\system32\arwc.exe 460 "C:\Windows\SysWOW64\town.exe"
    181⤵
    PID:328
  • C:\Windows\SysWOW64\arwc.exe
    C:\Windows\SysWOW64\arwc.exe
    182⤵
    PID:2644
  • C:\Windows\SysWOW64\hkev.exe
    C:\Windows\system32\hkev.exe 480 "C:\Windows\SysWOW64\arwc.exe"
    183⤵
    PID:2084
  • C:\Windows\SysWOW64\hkev.exe
    C:\Windows\SysWOW64\hkev.exe
    184⤵
    PID:2776
  • C:\Windows\SysWOW64\zosf.exe
    C:\Windows\system32\zosf.exe 464 "C:\Windows\SysWOW64\hkev.exe"
    185⤵
    PID:1104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\zosf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\zosf.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\ghmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\ghmd.exe 456 "C:\Windows\SysWOW64\zosf.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\ghmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\ghmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\iyda.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\iyda.exe 460 "C:\Windows\SysWOW64\ghmd.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\iyda.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\iyda.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          190⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\pzal.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\pzal.exe 460 "C:\Windows\SysWOW64\iyda.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              191⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2136
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\pzal.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\pzal.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  192⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\kqcg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\kqcg.exe 456 "C:\Windows\SysWOW64\pzal.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      193⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\kqcg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\kqcg.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          194⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\eokj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\eokj.exe 464 "C:\Windows\SysWOW64\kqcg.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              195⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1148
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\eokj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\eokj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  196⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\tapo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\tapo.exe 460 "C:\Windows\SysWOW64\eokj.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      197⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\tapo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\tapo.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          198⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\votb.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\votb.exe 464 "C:\Windows\SysWOW64\tapo.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              199⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2516
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\votb.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\votb.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  200⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\ejre.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\ejre.exe 468 "C:\Windows\SysWOW64\votb.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      201⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\ejre.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\ejre.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          202⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\qdye.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\qdye.exe 468 "C:\Windows\SysWOW64\ejre.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              203⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\qdye.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\qdye.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  204⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\bopt.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\bopt.exe 456 "C:\Windows\SysWOW64\qdye.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      205⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\bopt.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\bopt.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          206⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\vqqj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\vqqj.exe 468 "C:\Windows\SysWOW64\bopt.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              207⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\vqqj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\vqqj.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  208⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\xltm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\xltm.exe 484 "C:\Windows\SysWOW64\vqqj.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      209⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\xltm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\xltm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          210⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\hzvp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\hzvp.exe 468 "C:\Windows\SysWOW64\xltm.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              211⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\hzvp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\hzvp.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  212⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\gvhm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\gvhm.exe 476 "C:\Windows\SysWOW64\hzvp.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      213⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\gvhm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\gvhm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          214⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2032
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\SysWOW64\lvdf.exe

    Filesize
    280KB

    MD5
    e3606fe661cb86e3fe8843d598d9ac13

    SHA1
    7c63a823717d43257e641bd42d37ed5b415308f7

    SHA256
    dcfac4cd97fab0cf3a91febe447faad646115d46429349af1b80452dd446498a

    SHA512
    d57b158fc275400506ddb655c48d5fa6a24a8304ca7ca194ec4f74581c9a5998f88f3c24347dcaaab6c2e724580e69770fb2a722cdd2353459699526f5bb8344


                                                                                                                                                    Filesize

                                                                                                                                                    192KB

                                                                                                                                                  • memory/2896-95-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-97-0x00000000021B0000-0x00000000021B1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-83-0x00000000002C0000-0x00000000002C4000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    16KB

                                                                                                                                                  • memory/2896-91-0x0000000002140000-0x0000000002141000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-101-0x0000000013140000-0x000000001318E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    312KB

                                                                                                                                                  • memory/2896-90-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-87-0x0000000002190000-0x0000000002191000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2896-80-0x0000000013140000-0x000000001318E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    312KB

                                                                                                                                                  • memory/2896-85-0x0000000002180000-0x0000000002181000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-56-0x0000000001E30000-0x0000000001E31000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-44-0x0000000000320000-0x0000000000350000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    192KB

                                                                                                                                                  • memory/2980-41-0x0000000013140000-0x000000001318E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    312KB

                                                                                                                                                  • memory/2980-46-0x00000000002C0000-0x00000000002C4000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    16KB

                                                                                                                                                  • memory/2980-51-0x0000000001E80000-0x0000000001E81000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-54-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-65-0x0000000013140000-0x000000001318E000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    312KB

                                                                                                                                                  • memory/2980-48-0x0000000001E70000-0x0000000001E71000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-61-0x0000000001E90000-0x0000000001E91000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-60-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB

                                                                                                                                                  • memory/2980-58-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                                                                                                                                                    Filesize

                                                                                                                                                    4KB
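Added example, not part of the tria.ge report: a small Python helper that parses the memory-dump names listed above, recovers each region's size from its address range, checks that size against the listed Filesize, and groups regions that recur across PIDs (for instance the 312KB region at 0x13140000-0x1318E000, which appears in PIDs 2888, 2896 and 2980 in this listing). The dump-name layout `memory/<pid>-<seq>-<start>-<end>-memory.dmp` is an assumption read off the names on this page; the sample entries are a subset copied from the listing above. This is a consistency check on the report's own artifact list, not a verdict on the sample.

```python
import re
from collections import defaultdict

# Subset of the dump entries copied from the report listing above:
# (dump name, listed Filesize). Values are exactly as shown on the page.
LISTED = [
    ("memory/2888-119-0x0000000013140000-0x000000001318E000-memory.dmp", "312KB"),
    ("memory/2888-121-0x0000000000240000-0x0000000000244000-memory.dmp", "16KB"),
    ("memory/2888-140-0x0000000001DC0000-0x0000000001DC1000-memory.dmp", "4KB"),
    ("memory/2896-94-0x0000000000300000-0x0000000000330000-memory.dmp", "192KB"),
    ("memory/2896-95-0x0000000001CB0000-0x0000000001CB1000-memory.dmp", "4KB"),
    ("memory/2896-83-0x00000000002C0000-0x00000000002C4000-memory.dmp", "16KB"),
    ("memory/2896-101-0x0000000013140000-0x000000001318E000-memory.dmp", "312KB"),
    ("memory/2896-80-0x0000000013140000-0x000000001318E000-memory.dmp", "312KB"),
    ("memory/2980-44-0x0000000000320000-0x0000000000350000-memory.dmp", "192KB"),
    ("memory/2980-46-0x00000000002C0000-0x00000000002C4000-memory.dmp", "16KB"),
    ("memory/2980-41-0x0000000013140000-0x000000001318E000-memory.dmp", "312KB"),
    ("memory/2980-65-0x0000000013140000-0x000000001318E000-memory.dmp", "312KB"),
    ("memory/2980-58-0x0000000001CB0000-0x0000000001CB1000-memory.dmp", "4KB"),
]

# Assumed name layout (inferred from the listing, not documented by the report):
#   memory/<pid>-<seq>-<start>-<end>-memory.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end) as ints; raise ValueError on a bad name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq = int(m["pid"]), int(m["seq"])
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return pid, seq, start, end


def region_size(start, end):
    """Byte length of the dumped region."""
    return end - start


def parse_listed_size(text):
    """Convert the report's size string ('312KB') to bytes; KB/MB are 1024-based."""
    m = re.fullmatch(r"(\d+)(KB|MB|B)", text.strip())
    if not m:
        raise ValueError(f"unexpected size: {text}")
    n, unit = int(m.group(1)), m.group(2)
    return n * {"B": 1, "KB": 1024, "MB": 1024 * 1024}[unit]


def check_sizes(entries):
    """Return dump names whose address range disagrees with the listed Filesize."""
    mismatches = []
    for name, listed in entries:
        _, _, start, end = parse_dump_name(name)
        if region_size(start, end) != parse_listed_size(listed):
            mismatches.append(name)
    return mismatches


def recurring_regions(entries):
    """Map (start, end) -> sorted PIDs for regions dumped from more than one process."""
    seen = defaultdict(set)
    for name, _ in entries:
        pid, _, start, end = parse_dump_name(name)
        seen[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(LISTED))
    for (start, end), pids in sorted(recurring_regions(LISTED).items()):
        kb = region_size(start, end) // 1024
        print(f"0x{start:08X}-0x{end:08X} ({kb}KB) seen in PIDs {pids}")
```

Every range in the listing is a whole number of 4KB pages and agrees with its stated Filesize, so `check_sizes` returns an empty list; the recurring-region grouping is the part worth reading when triaging, because a region with the same base and length in several processes is the natural place to start comparing dumps.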