98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525

Analysis

max time kernel
37s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545de00a44e44ff1bbc119857dd15f79.exe
Size

147KB
MD5

545de00a44e44ff1bbc119857dd15f79
SHA1

246493466b8052de8ab1409c438cbafd8398cf0a
SHA256

98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525
SHA512

24f106215aa82dee23bd72718b8aebc7e2ee643d1d04b292b11bab75fa46306a153670f67c6e39bd3dea12a5695f9edebc9a809e2972abfe43a100889fe2deb0
SSDEEP

3072:pxIilxA2fi/dLWcEk5VbOcoXjMxkK9u4IRMzOLqo:pxbxA2uEk5YcXk/4IRMq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2268	qliiui.exe
2768	nmavql.exe
2224	xletbk.exe
2596	houdwn.exe
552	oseqfg.exe
2412	zrqoyf.exe
2884	icfyla.exe
676	tbjwvz.exe
2648	dxkglt.exe
1532	qzqwwg.exe
3020	ayuthf.exe
2076	maijsr.exe
2456	xvbtim.exe
1776	hyrevh.exe
1824	rxdbfg.exe
1060	bteuva.exe
620	lairfz.exe
2408	yqduoh.exe
1496	gbjzlb.exe
3068	twtorf.exe
2856	gnorzn.exe
2736	pxlcnq.exe
2548	axpzfp.exe
2960	kzfjsk.exe
2804	xmwzyo.exe
2428	hxljlr.exe
2020	myuecw.exe
1468	ejhxjt.exe
1740	jwbedv.exe
1316	ypxzmr.exe
964	asnkau.exe
1648	kzrhkl.exe
1868	xmixqp.exe
972	hoyhls.exe
2628	rnkfvr.exe
2196	byzpju.exe
2044	lxdnbs.exe
2756	wtefjn.exe
2588	dxpkay.exe
2696	owtikx.exe
1928	ydfnvw.exe
1916	icjknu.exe
2572	nhcsze.exe
2536	cazfis.exe
2096	mlpqdv.exe
288	zygfjz.exe
2088	jxkduy.exe
1084	tianhb.exe
1812	dhmlza.exe
1544	ogqikq.exe
2176	yfcncp.exe
1264	imglmo.exe
860	spvvar.exe
2484	ztgark.exe
1604	kskgbj.exe
2580	xfbvhf.exe
2424	hmftae.exe
760	rpddnh.exe
2880	oqnqjs.exe
2692	bdfgpo.exe
2208	lnuqkr.exe
3016	vjopgl.exe
1136	uhjvfv.exe
1560	kwglwu.exe

Loads dropped DLL 64 IoCs

pid	Process
3052	545de00a44e44ff1bbc119857dd15f79.exe
3052	545de00a44e44ff1bbc119857dd15f79.exe
2268	qliiui.exe
2268	qliiui.exe
2768	nmavql.exe
2768	nmavql.exe
2224	xletbk.exe
2224	xletbk.exe
2596	houdwn.exe
2596	houdwn.exe
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
552	oseqfg.exe
552	oseqfg.exe
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
836	Process not Found
2412	zrqoyf.exe
2412	zrqoyf.exe
836	Process not Found
836	Process not Found
2884	icfyla.exe
2884	icfyla.exe
836	Process not Found
836	Process not Found
676	tbjwvz.exe
676	tbjwvz.exe
836	Process not Found
836	Process not Found
2648	dxkglt.exe
2648	dxkglt.exe
836	Process not Found
836	Process not Found
1532	qzqwwg.exe
1532	qzqwwg.exe
836	Process not Found
836	Process not Found
3020	ayuthf.exe
3020	ayuthf.exe
836	Process not Found
836	Process not Found
2076	maijsr.exe
2076	maijsr.exe
836	Process not Found
836	Process not Found
2456	xvbtim.exe
2456	xvbtim.exe
836	Process not Found
836	Process not Found
1776	hyrevh.exe
1776	hyrevh.exe
836	Process not Found
836	Process not Found
1824	rxdbfg.exe
836	Process not Found
836	Process not Found
1824	rxdbfg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bdjnvd.exe	bkicbq.exe
File opened for modification	C:\Windows\SysWOW64\jwbedv.exe	ejhxjt.exe
File opened for modification	C:\Windows\SysWOW64\asnkau.exe	ypxzmr.exe
File created	C:\Windows\SysWOW64\owtikx.exe	dxpkay.exe
File opened for modification	C:\Windows\SysWOW64\fnuuvu.exe	bwxzzo.exe
File created	C:\Windows\SysWOW64\qzqwwg.exe	dxkglt.exe
File created	C:\Windows\SysWOW64\jxkduy.exe	zygfjz.exe
File created	C:\Windows\SysWOW64\imglmo.exe	yfcncp.exe
File created	C:\Windows\SysWOW64\qbwprt.exe	jqxcuz.exe
File opened for modification	C:\Windows\SysWOW64\cpbrgp.exe	pcjbal.exe
File created	C:\Windows\SysWOW64\qhpkby.exe	cuyvnu.exe
File opened for modification	C:\Windows\SysWOW64\nmavql.exe	qliiui.exe
File created	C:\Windows\SysWOW64\xletbk.exe	nmavql.exe
File created	C:\Windows\SysWOW64\wtefjn.exe	lxdnbs.exe
File opened for modification	C:\Windows\SysWOW64\zygfjz.exe	mlpqdv.exe
File opened for modification	C:\Windows\SysWOW64\svnbil.exe	lkhwlr.exe
File created	C:\Windows\SysWOW64\ypxzmr.exe	jwbedv.exe
File created	C:\Windows\SysWOW64\dxkglt.exe	tbjwvz.exe
File created	C:\Windows\SysWOW64\kzfjsk.exe	axpzfp.exe
File opened for modification	C:\Windows\SysWOW64\xmwzyo.exe	kzfjsk.exe
File created	C:\Windows\SysWOW64\bdfgpo.exe	oqnqjs.exe
File opened for modification	C:\Windows\SysWOW64\oqnqjs.exe	rpddnh.exe
File opened for modification	C:\Windows\SysWOW64\kwglwu.exe	uhjvfv.exe
File created	C:\Windows\SysWOW64\svnbil.exe	lkhwlr.exe
File opened for modification	C:\Windows\SysWOW64\tbjwvz.exe	icfyla.exe
File created	C:\Windows\SysWOW64\rnkfvr.exe	hoyhls.exe
File opened for modification	C:\Windows\SysWOW64\nhcsze.exe	icjknu.exe
File created	C:\Windows\SysWOW64\tbjwvz.exe	icfyla.exe
File created	C:\Windows\SysWOW64\lkhwlr.exe	dgejug.exe
File created	C:\Windows\SysWOW64\zsyylr.exe	ptmbbs.exe
File opened for modification	C:\Windows\SysWOW64\lairfz.exe	bteuva.exe
File created	C:\Windows\SysWOW64\icjknu.exe	ydfnvw.exe
File opened for modification	C:\Windows\SysWOW64\gnorzn.exe	twtorf.exe
File created	C:\Windows\SysWOW64\hmftae.exe	xfbvhf.exe
File opened for modification	C:\Windows\SysWOW64\uhjvfv.exe	vjopgl.exe
File opened for modification	C:\Windows\SysWOW64\lkhwlr.exe	dgejug.exe
File created	C:\Windows\SysWOW64\lmfgzq.exe	mitbuz.exe
File created	C:\Windows\SysWOW64\oseqfg.exe	houdwn.exe
File created	C:\Windows\SysWOW64\gbjzlb.exe	yqduoh.exe
File created	C:\Windows\SysWOW64\lxdnbs.exe	byzpju.exe
File opened for modification	C:\Windows\SysWOW64\vtquvk.exe	igyepo.exe
File created	C:\Windows\SysWOW64\rpddnh.exe	hmftae.exe
File created	C:\Windows\SysWOW64\wigrgk.exe	lmfgzq.exe
File created	C:\Windows\SysWOW64\zygfjz.exe	mlpqdv.exe
File opened for modification	C:\Windows\SysWOW64\zsyylr.exe	ptmbbs.exe
File created	C:\Windows\SysWOW64\mofxyo.exe	cpbrgp.exe
File created	C:\Windows\SysWOW64\bteuva.exe	rxdbfg.exe
File created	C:\Windows\SysWOW64\ejhxjt.exe	myuecw.exe
File created	C:\Windows\SysWOW64\oqnqjs.exe	rpddnh.exe
File opened for modification	C:\Windows\SysWOW64\bdfgpo.exe	oqnqjs.exe
File created	C:\Windows\SysWOW64\mitbuz.exe	zsyylr.exe
File created	C:\Windows\SysWOW64\hxljlr.exe	xmwzyo.exe
File created	C:\Windows\SysWOW64\mlpqdv.exe	cazfis.exe
File created	C:\Windows\SysWOW64\dzphlw.exe	pmgrfs.exe
File created	C:\Windows\SysWOW64\qtntoc.exe	kwglwu.exe
File created	C:\Windows\SysWOW64\bwxzzo.exe	qbwprt.exe
File created	C:\Windows\SysWOW64\vjopgl.exe	lnuqkr.exe
File created	C:\Windows\SysWOW64\vtquvk.exe	igyepo.exe
File opened for modification	C:\Windows\SysWOW64\hyrevh.exe	xvbtim.exe
File created	C:\Windows\SysWOW64\hoyhls.exe	xmixqp.exe
File created	C:\Windows\SysWOW64\ydfnvw.exe	owtikx.exe
File opened for modification	C:\Windows\SysWOW64\pmgrfs.exe	fnuuvu.exe
File opened for modification	C:\Windows\SysWOW64\xvbtim.exe	maijsr.exe
File opened for modification	C:\Windows\SysWOW64\xmixqp.exe	kzrhkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2268	3052	545de00a44e44ff1bbc119857dd15f79.exe	28
PID 3052 wrote to memory of 2268	3052	545de00a44e44ff1bbc119857dd15f79.exe	28
PID 3052 wrote to memory of 2268	3052	545de00a44e44ff1bbc119857dd15f79.exe	28
PID 3052 wrote to memory of 2268	3052	545de00a44e44ff1bbc119857dd15f79.exe	28
PID 2268 wrote to memory of 2768	2268	qliiui.exe	29
PID 2268 wrote to memory of 2768	2268	qliiui.exe	29
PID 2268 wrote to memory of 2768	2268	qliiui.exe	29
PID 2268 wrote to memory of 2768	2268	qliiui.exe	29
PID 2768 wrote to memory of 2224	2768	nmavql.exe	68
PID 2768 wrote to memory of 2224	2768	nmavql.exe	68
PID 2768 wrote to memory of 2224	2768	nmavql.exe	68
PID 2768 wrote to memory of 2224	2768	nmavql.exe	68
PID 2224 wrote to memory of 2596	2224	xletbk.exe	30
PID 2224 wrote to memory of 2596	2224	xletbk.exe	30
PID 2224 wrote to memory of 2596	2224	xletbk.exe	30
PID 2224 wrote to memory of 2596	2224	xletbk.exe	30
PID 2596 wrote to memory of 552	2596	houdwn.exe	65
PID 2596 wrote to memory of 552	2596	houdwn.exe	65
PID 2596 wrote to memory of 552	2596	houdwn.exe	65
PID 2596 wrote to memory of 552	2596	houdwn.exe	65
PID 552 wrote to memory of 2412	552	oseqfg.exe	62
PID 552 wrote to memory of 2412	552	oseqfg.exe	62
PID 552 wrote to memory of 2412	552	oseqfg.exe	62
PID 552 wrote to memory of 2412	552	oseqfg.exe	62
PID 2412 wrote to memory of 2884	2412	zrqoyf.exe	31
PID 2412 wrote to memory of 2884	2412	zrqoyf.exe	31
PID 2412 wrote to memory of 2884	2412	zrqoyf.exe	31
PID 2412 wrote to memory of 2884	2412	zrqoyf.exe	31
PID 2884 wrote to memory of 676	2884	icfyla.exe	32
PID 2884 wrote to memory of 676	2884	icfyla.exe	32
PID 2884 wrote to memory of 676	2884	icfyla.exe	32
PID 2884 wrote to memory of 676	2884	icfyla.exe	32
PID 676 wrote to memory of 2648	676	tbjwvz.exe	55
PID 676 wrote to memory of 2648	676	tbjwvz.exe	55
PID 676 wrote to memory of 2648	676	tbjwvz.exe	55
PID 676 wrote to memory of 2648	676	tbjwvz.exe	55
PID 2648 wrote to memory of 1532	2648	dxkglt.exe	52
PID 2648 wrote to memory of 1532	2648	dxkglt.exe	52
PID 2648 wrote to memory of 1532	2648	dxkglt.exe	52
PID 2648 wrote to memory of 1532	2648	dxkglt.exe	52
PID 1532 wrote to memory of 3020	1532	qzqwwg.exe	49
PID 1532 wrote to memory of 3020	1532	qzqwwg.exe	49
PID 1532 wrote to memory of 3020	1532	qzqwwg.exe	49
PID 1532 wrote to memory of 3020	1532	qzqwwg.exe	49
PID 3020 wrote to memory of 2076	3020	ayuthf.exe	33
PID 3020 wrote to memory of 2076	3020	ayuthf.exe	33
PID 3020 wrote to memory of 2076	3020	ayuthf.exe	33
PID 3020 wrote to memory of 2076	3020	ayuthf.exe	33
PID 2076 wrote to memory of 2456	2076	maijsr.exe	34
PID 2076 wrote to memory of 2456	2076	maijsr.exe	34
PID 2076 wrote to memory of 2456	2076	maijsr.exe	34
PID 2076 wrote to memory of 2456	2076	maijsr.exe	34
PID 2456 wrote to memory of 1776	2456	xvbtim.exe	35
PID 2456 wrote to memory of 1776	2456	xvbtim.exe	35
PID 2456 wrote to memory of 1776	2456	xvbtim.exe	35
PID 2456 wrote to memory of 1776	2456	xvbtim.exe	35
PID 1776 wrote to memory of 1824	1776	hyrevh.exe	36
PID 1776 wrote to memory of 1824	1776	hyrevh.exe	36
PID 1776 wrote to memory of 1824	1776	hyrevh.exe	36
PID 1776 wrote to memory of 1824	1776	hyrevh.exe	36
PID 1824 wrote to memory of 1060	1824	rxdbfg.exe	37
PID 1824 wrote to memory of 1060	1824	rxdbfg.exe	37
PID 1824 wrote to memory of 1060	1824	rxdbfg.exe	37
PID 1824 wrote to memory of 1060	1824	rxdbfg.exe	37

C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe
"C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\qliiui.exe
  C:\Windows\system32\qliiui.exe 528 "C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\nmavql.exe
    C:\Windows\system32\nmavql.exe 532 "C:\Windows\SysWOW64\qliiui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\xletbk.exe
      C:\Windows\system32\xletbk.exe 536 "C:\Windows\SysWOW64\nmavql.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2224

C:\Windows\SysWOW64\houdwn.exe
C:\Windows\system32\houdwn.exe 540 "C:\Windows\SysWOW64\xletbk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\oseqfg.exe
  C:\Windows\system32\oseqfg.exe 548 "C:\Windows\SysWOW64\houdwn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552

C:\Windows\SysWOW64\icfyla.exe
C:\Windows\system32\icfyla.exe 544 "C:\Windows\SysWOW64\zrqoyf.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\tbjwvz.exe
  C:\Windows\system32\tbjwvz.exe 552 "C:\Windows\SysWOW64\icfyla.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\dxkglt.exe
    C:\Windows\system32\dxkglt.exe 560 "C:\Windows\SysWOW64\tbjwvz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2648

C:\Windows\SysWOW64\maijsr.exe
C:\Windows\system32\maijsr.exe 572 "C:\Windows\SysWOW64\ayuthf.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\xvbtim.exe
  C:\Windows\system32\xvbtim.exe 576 "C:\Windows\SysWOW64\maijsr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\hyrevh.exe
    C:\Windows\system32\hyrevh.exe 592 "C:\Windows\SysWOW64\xvbtim.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\rxdbfg.exe
      C:\Windows\system32\rxdbfg.exe 580 "C:\Windows\SysWOW64\hyrevh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\bteuva.exe
        
        C:\Windows\system32\bteuva.exe 584 "C:\Windows\SysWOW64\rxdbfg.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
      - C:\Windows\SysWOW64\lairfz.exe
        
        C:\Windows\system32\lairfz.exe 588 "C:\Windows\SysWOW64\bteuva.exe"
        6⤵
        Executes dropped EXE
        
        PID:620

C:\Windows\SysWOW64\gbjzlb.exe
C:\Windows\system32\gbjzlb.exe 600 "C:\Windows\SysWOW64\yqduoh.exe"
1⤵
- Executes dropped EXE
PID:1496
- C:\Windows\SysWOW64\twtorf.exe
  C:\Windows\system32\twtorf.exe 604 "C:\Windows\SysWOW64\gbjzlb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3068
- - C:\Windows\SysWOW64\gnorzn.exe
    C:\Windows\system32\gnorzn.exe 608 "C:\Windows\SysWOW64\twtorf.exe"
    3⤵
    - Executes dropped EXE
    PID:2856

C:\Windows\SysWOW64\pxlcnq.exe
C:\Windows\system32\pxlcnq.exe 612 "C:\Windows\SysWOW64\gnorzn.exe"
1⤵
- Executes dropped EXE
PID:2736
- C:\Windows\SysWOW64\axpzfp.exe
  C:\Windows\system32\axpzfp.exe 616 "C:\Windows\SysWOW64\pxlcnq.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2548
- - C:\Windows\SysWOW64\kzfjsk.exe
    C:\Windows\system32\kzfjsk.exe 620 "C:\Windows\SysWOW64\axpzfp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2960
  - - C:\Windows\SysWOW64\xmwzyo.exe
      C:\Windows\system32\xmwzyo.exe 624 "C:\Windows\SysWOW64\kzfjsk.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2804
    - - C:\Windows\SysWOW64\hxljlr.exe
        
        C:\Windows\system32\hxljlr.exe 628 "C:\Windows\SysWOW64\xmwzyo.exe"
        5⤵
        Executes dropped EXE
        
        PID:2428
      - C:\Windows\SysWOW64\myuecw.exe
        
        C:\Windows\system32\myuecw.exe 632 "C:\Windows\SysWOW64\hxljlr.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\ejhxjt.exe
        
        C:\Windows\system32\ejhxjt.exe 636 "C:\Windows\SysWOW64\myuecw.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\jwbedv.exe
        
        C:\Windows\system32\jwbedv.exe 648 "C:\Windows\SysWOW64\ejhxjt.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\ypxzmr.exe
        
        C:\Windows\system32\ypxzmr.exe 520 "C:\Windows\SysWOW64\jwbedv.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\asnkau.exe
        
        C:\Windows\system32\asnkau.exe 644 "C:\Windows\SysWOW64\ypxzmr.exe"
        10⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\kzrhkl.exe
        
        C:\Windows\system32\kzrhkl.exe 660 "C:\Windows\SysWOW64\asnkau.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\xmixqp.exe
        
        C:\Windows\system32\xmixqp.exe 652 "C:\Windows\SysWOW64\kzrhkl.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\hoyhls.exe
        
        C:\Windows\system32\hoyhls.exe 656 "C:\Windows\SysWOW64\xmixqp.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\rnkfvr.exe
        
        C:\Windows\system32\rnkfvr.exe 664 "C:\Windows\SysWOW64\hoyhls.exe"
        14⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\byzpju.exe
        
        C:\Windows\system32\byzpju.exe 668 "C:\Windows\SysWOW64\rnkfvr.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\lxdnbs.exe
        
        C:\Windows\system32\lxdnbs.exe 680 "C:\Windows\SysWOW64\byzpju.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\wtefjn.exe
        
        C:\Windows\system32\wtefjn.exe 684 "C:\Windows\SysWOW64\lxdnbs.exe"
        17⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\dxpkay.exe
        
        C:\Windows\system32\dxpkay.exe 672 "C:\Windows\SysWOW64\wtefjn.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\owtikx.exe
        
        C:\Windows\system32\owtikx.exe 676 "C:\Windows\SysWOW64\dxpkay.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\ydfnvw.exe
        
        C:\Windows\system32\ydfnvw.exe 692 "C:\Windows\SysWOW64\owtikx.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\icjknu.exe
        
        C:\Windows\system32\icjknu.exe 688 "C:\Windows\SysWOW64\ydfnvw.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\nhcsze.exe
        
        C:\Windows\system32\nhcsze.exe 704 "C:\Windows\SysWOW64\icjknu.exe"
        22⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\cazfis.exe
        
        C:\Windows\system32\cazfis.exe 696 "C:\Windows\SysWOW64\nhcsze.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\mlpqdv.exe
        
        C:\Windows\system32\mlpqdv.exe 712 "C:\Windows\SysWOW64\cazfis.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\zygfjz.exe
        
        C:\Windows\system32\zygfjz.exe 700 "C:\Windows\SysWOW64\mlpqdv.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:288
        
        C:\Windows\SysWOW64\jxkduy.exe
        
        C:\Windows\system32\jxkduy.exe 708 "C:\Windows\SysWOW64\zygfjz.exe"
        26⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\tianhb.exe
        
        C:\Windows\system32\tianhb.exe 716 "C:\Windows\SysWOW64\jxkduy.exe"
        27⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\dhmlza.exe
        
        C:\Windows\system32\dhmlza.exe 728 "C:\Windows\SysWOW64\tianhb.exe"
        28⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\ogqikq.exe
        
        C:\Windows\system32\ogqikq.exe 732 "C:\Windows\SysWOW64\dhmlza.exe"
        29⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\yfcncp.exe
        
        C:\Windows\system32\yfcncp.exe 724 "C:\Windows\SysWOW64\ogqikq.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\imglmo.exe
        
        C:\Windows\system32\imglmo.exe 720 "C:\Windows\SysWOW64\yfcncp.exe"
        31⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\spvvar.exe
        
        C:\Windows\system32\spvvar.exe 744 "C:\Windows\SysWOW64\imglmo.exe"
        32⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\ztgark.exe
        
        C:\Windows\system32\ztgark.exe 740 "C:\Windows\SysWOW64\spvvar.exe"
        33⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\kskgbj.exe
        
        C:\Windows\system32\kskgbj.exe 760 "C:\Windows\SysWOW64\ztgark.exe"
        34⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\xfbvhf.exe
        
        C:\Windows\system32\xfbvhf.exe 736 "C:\Windows\SysWOW64\kskgbj.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\hmftae.exe
        
        C:\Windows\system32\hmftae.exe 748 "C:\Windows\SysWOW64\xfbvhf.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\rpddnh.exe
        
        C:\Windows\system32\rpddnh.exe 752 "C:\Windows\SysWOW64\hmftae.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\oqnqjs.exe
        
        C:\Windows\system32\oqnqjs.exe 756 "C:\Windows\SysWOW64\rpddnh.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\bdfgpo.exe
        
        C:\Windows\system32\bdfgpo.exe 764 "C:\Windows\SysWOW64\oqnqjs.exe"
        39⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\lnuqkr.exe
        
        C:\Windows\system32\lnuqkr.exe 768 "C:\Windows\SysWOW64\bdfgpo.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\vjopgl.exe
        
        C:\Windows\system32\vjopgl.exe 772 "C:\Windows\SysWOW64\lnuqkr.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\uhjvfv.exe
        
        C:\Windows\system32\uhjvfv.exe 776 "C:\Windows\SysWOW64\vjopgl.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\kwglwu.exe
        
        C:\Windows\system32\kwglwu.exe 796 "C:\Windows\SysWOW64\uhjvfv.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\qtntoc.exe
        
        C:\Windows\system32\qtntoc.exe 788 "C:\Windows\SysWOW64\kwglwu.exe"
        44⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\dgejug.exe
        
        C:\Windows\system32\dgejug.exe 524 "C:\Windows\SysWOW64\qtntoc.exe"
        45⤵
        Drops file in System32 directory
        
        PID:580
        
        C:\Windows\SysWOW64\lkhwlr.exe
        
        C:\Windows\system32\lkhwlr.exe 808 "C:\Windows\SysWOW64\dgejug.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\svnbil.exe
        
        C:\Windows\system32\svnbil.exe 812 "C:\Windows\SysWOW64\lkhwlr.exe"
        47⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\zdbtui.exe
        
        C:\Windows\system32\zdbtui.exe 800 "C:\Windows\SysWOW64\svnbil.exe"
        48⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\ptmbbs.exe
        
        C:\Windows\system32\ptmbbs.exe 784 "C:\Windows\SysWOW64\zdbtui.exe"
        49⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\zsyylr.exe
        
        C:\Windows\system32\zsyylr.exe 804 "C:\Windows\SysWOW64\ptmbbs.exe"
        50⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\mitbuz.exe
        
        C:\Windows\system32\mitbuz.exe 792 "C:\Windows\SysWOW64\zsyylr.exe"
        51⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\lmfgzq.exe
        
        C:\Windows\system32\lmfgzq.exe 816 "C:\Windows\SysWOW64\mitbuz.exe"
        52⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\wigrgk.exe
        
        C:\Windows\system32\wigrgk.exe 820 "C:\Windows\SysWOW64\lmfgzq.exe"
        53⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\yzuhep.exe
        
        C:\Windows\system32\yzuhep.exe 824 "C:\Windows\SysWOW64\wigrgk.exe"
        54⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\igyepo.exe
        
        C:\Windows\system32\igyepo.exe 828 "C:\Windows\SysWOW64\yzuhep.exe"
        55⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\vtquvk.exe
        
        C:\Windows\system32\vtquvk.exe 832 "C:\Windows\SysWOW64\igyepo.exe"
        56⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cepzsl.exe
        
        C:\Windows\system32\cepzsl.exe 844 "C:\Windows\SysWOW64\vtquvk.exe"
        57⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\pcjbal.exe
        
        C:\Windows\system32\pcjbal.exe 856 "C:\Windows\SysWOW64\cepzsl.exe"
        58⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\cpbrgp.exe
        
        C:\Windows\system32\cpbrgp.exe 836 "C:\Windows\SysWOW64\pcjbal.exe"
        59⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\mofxyo.exe
        
        C:\Windows\system32\mofxyo.exe 852 "C:\Windows\SysWOW64\cpbrgp.exe"
        60⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\wdgmow.exe
        
        C:\Windows\system32\wdgmow.exe 840 "C:\Windows\SysWOW64\mofxyo.exe"
        61⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\jqxcuz.exe
        
        C:\Windows\system32\jqxcuz.exe 848 "C:\Windows\SysWOW64\wdgmow.exe"
        62⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\qbwprt.exe
        
        C:\Windows\system32\qbwprt.exe 868 "C:\Windows\SysWOW64\jqxcuz.exe"
        63⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\bwxzzo.exe
        
        C:\Windows\system32\bwxzzo.exe 872 "C:\Windows\SysWOW64\qbwprt.exe"
        64⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\fnuuvu.exe
        
        C:\Windows\system32\fnuuvu.exe 880 "C:\Windows\SysWOW64\bwxzzo.exe"
        65⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\pmgrfs.exe
        
        C:\Windows\system32\pmgrfs.exe 884 "C:\Windows\SysWOW64\fnuuvu.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\dzphlw.exe
        
        C:\Windows\system32\dzphlw.exe 860 "C:\Windows\SysWOW64\pmgrfs.exe"
        67⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\ngbfdv.exe
        
        C:\Windows\system32\ngbfdv.exe 864 "C:\Windows\SysWOW64\dzphlw.exe"
        68⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\xffcou.exe
        
        C:\Windows\system32\xffcou.exe 888 "C:\Windows\SysWOW64\ngbfdv.exe"
        69⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\hivmbx.exe
        
        C:\Windows\system32\hivmbx.exe 876 "C:\Windows\SysWOW64\xffcou.exe"
        70⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\udmchb.exe
        
        C:\Windows\system32\udmchb.exe 896 "C:\Windows\SysWOW64\hivmbx.exe"
        71⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\bkicbq.exe
        
        C:\Windows\system32\bkicbq.exe 892 "C:\Windows\SysWOW64\udmchb.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\bdjnvd.exe
        
        C:\Windows\system32\bdjnvd.exe 904 "C:\Windows\SysWOW64\bkicbq.exe"
        73⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\lcnsoc.exe
        
        C:\Windows\system32\lcnsoc.exe 900 "C:\Windows\SysWOW64\bdjnvd.exe"
        74⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\vekubf.exe
        
        C:\Windows\system32\vekubf.exe 908 "C:\Windows\SysWOW64\lcnsoc.exe"
        75⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cuyvnu.exe
        
        C:\Windows\system32\cuyvnu.exe 912 "C:\Windows\SysWOW64\vekubf.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\qhpkby.exe
        
        C:\Windows\system32\qhpkby.exe 916 "C:\Windows\SysWOW64\cuyvnu.exe"
        77⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\uxmfpe.exe
        
        C:\Windows\system32\uxmfpe.exe 920 "C:\Windows\SysWOW64\qhpkby.exe"
        78⤵
        
        PID:636
        
        C:\Windows\SysWOW64\ewydhd.exe
        
        C:\Windows\system32\ewydhd.exe 924 "C:\Windows\SysWOW64\uxmfpe.exe"
        79⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\rjisnh.exe
        
        C:\Windows\system32\rjisnh.exe 928 "C:\Windows\SysWOW64\ewydhd.exe"
        80⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\zrdkzw.exe
        
        C:\Windows\system32\zrdkzw.exe 932 "C:\Windows\SysWOW64\rjisnh.exe"
        81⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\dtjalj.exe
        
        C:\Windows\system32\dtjalj.exe 940 "C:\Windows\SysWOW64\zrdkzw.exe"
        82⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\qkedbr.exe
        
        C:\Windows\system32\qkedbr.exe 948 "C:\Windows\SysWOW64\dtjalj.exe"
        83⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\autnpu.exe
        
        C:\Windows\system32\autnpu.exe 936 "C:\Windows\SysWOW64\qkedbr.exe"
        84⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\lquywo.exe
        
        C:\Windows\system32\lquywo.exe 944 "C:\Windows\SysWOW64\autnpu.exe"
        85⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\vskirj.exe
        
        C:\Windows\system32\vskirj.exe 952 "C:\Windows\SysWOW64\lquywo.exe"
        86⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\fokaze.exe
        
        C:\Windows\system32\fokaze.exe 956 "C:\Windows\SysWOW64\vskirj.exe"
        87⤵
        
        PID:948
        
        C:\Windows\SysWOW64\pnpyjd.exe
        
        C:\Windows\system32\pnpyjd.exe 960 "C:\Windows\SysWOW64\fokaze.exe"
        88⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmrbsl.exe
        
        C:\Windows\system32\cmrbsl.exe 964 "C:\Windows\SysWOW64\pnpyjd.exe"
        89⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\jxqgpf.exe
        
        C:\Windows\system32\jxqgpf.exe 968 "C:\Windows\SysWOW64\cmrbsl.exe"
        90⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\wkivvi.exe
        
        C:\Windows\system32\wkivvi.exe 640 "C:\Windows\SysWOW64\jxqgpf.exe"
        91⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\grmtfh.exe
        
        C:\Windows\system32\grmtfh.exe 976 "C:\Windows\SysWOW64\wkivvi.exe"
        92⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\thhvwp.exe
        
        C:\Windows\system32\thhvwp.exe 984 "C:\Windows\SysWOW64\grmtfh.exe"
        93⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\dkegjs.exe
        
        C:\Windows\system32\dkegjs.exe 980 "C:\Windows\SysWOW64\thhvwp.exe"
        94⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\nvtqwo.exe
        
        C:\Windows\system32\nvtqwo.exe 992 "C:\Windows\SysWOW64\dkegjs.exe"
        95⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\xuxopm.exe
        
        C:\Windows\system32\xuxopm.exe 1004 "C:\Windows\SysWOW64\nvtqwo.exe"
        96⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\fuwovb.exe
        
        C:\Windows\system32\fuwovb.exe 1000 "C:\Windows\SysWOW64\xuxopm.exe"
        97⤵
        
        PID:780
        
        C:\Windows\SysWOW64\nzhbnm.exe
        
        C:\Windows\system32\nzhbnm.exe 1012 "C:\Windows\SysWOW64\fuwovb.exe"
        98⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\ukfgcg.exe
        
        C:\Windows\system32\ukfgcg.exe 988 "C:\Windows\SysWOW64\nzhbnm.exe"
        99⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\ejreuf.exe
        
        C:\Windows\system32\ejreuf.exe 1008 "C:\Windows\SysWOW64\ukfgcg.exe"
        100⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\lrfwgu.exe
        
        C:\Windows\system32\lrfwgu.exe 1016 "C:\Windows\SysWOW64\ejreuf.exe"
        101⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\wyrtzt.exe
        
        C:\Windows\system32\wyrtzt.exe 996 "C:\Windows\SysWOW64\lrfwgu.exe"
        102⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\yiirrp.exe
        
        C:\Windows\system32\yiirrp.exe 1020 "C:\Windows\SysWOW64\wyrtzt.exe"
        103⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\gmteai.exe
        
        C:\Windows\system32\gmteai.exe 1028 "C:\Windows\SysWOW64\yiirrp.exe"
        104⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\qlxblh.exe
        
        C:\Windows\system32\qlxblh.exe 1032 "C:\Windows\SysWOW64\gmteai.exe"
        105⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\vqqjej.exe
        
        C:\Windows\system32\vqqjej.exe 1036 "C:\Windows\SysWOW64\qlxblh.exe"
        106⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\hswrpv.exe
        
        C:\Windows\system32\hswrpv.exe 1040 "C:\Windows\SysWOW64\vqqjej.exe"
        107⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\snxjfq.exe
        
        C:\Windows\system32\snxjfq.exe 1056 "C:\Windows\SysWOW64\hswrpv.exe"
        108⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmbhpo.exe
        
        C:\Windows\system32\cmbhpo.exe 1052 "C:\Windows\SysWOW64\snxjfq.exe"
        109⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\mtnean.exe
        
        C:\Windows\system32\mtnean.exe 1060 "C:\Windows\SysWOW64\cmbhpo.exe"
        110⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\wwdovq.exe
        
        C:\Windows\system32\wwdovq.exe 1064 "C:\Windows\SysWOW64\mtnean.exe"
        111⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\jjmebm.exe
        
        C:\Windows\system32\jjmebm.exe 1044 "C:\Windows\SysWOW64\wwdovq.exe"
        112⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\qriwnk.exe
        
        C:\Windows\system32\qriwnk.exe 1048 "C:\Windows\SysWOW64\jjmebm.exe"
        113⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\yydwhz.exe
        
        C:\Windows\system32\yydwhz.exe 1068 "C:\Windows\SysWOW64\qriwnk.exe"
        114⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\ijthvc.exe
        
        C:\Windows\system32\ijthvc.exe 1072 "C:\Windows\SysWOW64\yydwhz.exe"
        115⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\sixenb.exe
        
        C:\Windows\system32\sixenb.exe 1092 "C:\Windows\SysWOW64\ijthvc.exe"
        116⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\fhshwb.exe
        
        C:\Windows\system32\fhshwb.exe 1076 "C:\Windows\SysWOW64\sixenb.exe"
        117⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\sujxbf.exe
        
        C:\Windows\system32\sujxbf.exe 1100 "C:\Windows\SysWOW64\fhshwb.exe"
        118⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\ctnume.exe
        
        C:\Windows\system32\ctnume.exe 1080 "C:\Windows\SysWOW64\sujxbf.exe"
        119⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\mvlehh.exe
        
        C:\Windows\system32\mvlehh.exe 1096 "C:\Windows\SysWOW64\ctnume.exe"
        120⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\zxrust.exe
        
        C:\Windows\system32\zxrust.exe 1084 "C:\Windows\SysWOW64\mvlehh.exe"
        121⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\jtkfao.exe
        
        C:\Windows\system32\jtkfao.exe 1108 "C:\Windows\SysWOW64\zxrust.exe"
        122⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\tswckn.exe
        
        C:\Windows\system32\tswckn.exe 1120 "C:\Windows\SysWOW64\jtkfao.exe"
        123⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\dzazdl.exe
        
        C:\Windows\system32\dzazdl.exe 1088 "C:\Windows\SysWOW64\tswckn.exe"
        124⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\fcpkqo.exe
        
        C:\Windows\system32\fcpkqo.exe 492 "C:\Windows\SysWOW64\dzazdl.exe"
        125⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\oulsxn.exe
        
        C:\Windows\system32\oulsxn.exe 452 "C:\Windows\SysWOW64\fcpkqo.exe"
        126⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\jzsuxx.exe
        
        C:\Windows\system32\jzsuxx.exe 1116 "C:\Windows\SysWOW64\oulsxn.exe"
        127⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\rhovsn.exe
        
        C:\Windows\system32\rhovsn.exe 1124 "C:\Windows\SysWOW64\jzsuxx.exe"
        128⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\xgxlwz.exe
        
        C:\Windows\system32\xgxlwz.exe 1128 "C:\Windows\SysWOW64\rhovsn.exe"
        129⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\srkwyo.exe
        
        C:\Windows\system32\srkwyo.exe 1132 "C:\Windows\SysWOW64\xgxlwz.exe"
        130⤵
        
        PID:756
        
        C:\Windows\SysWOW64\oiaqlt.exe
        
        C:\Windows\system32\oiaqlt.exe 1136 "C:\Windows\SysWOW64\srkwyo.exe"
        131⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\rvaoxa.exe
        
        C:\Windows\system32\rvaoxa.exe 1140 "C:\Windows\SysWOW64\oiaqlt.exe"
        132⤵
        
        PID:656
        
        C:\Windows\SysWOW64\tepopr.exe
        
        C:\Windows\system32\tepopr.exe 1144 "C:\Windows\SysWOW64\rvaoxa.exe"
        133⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\dlblhq.exe
        
        C:\Windows\system32\dlblhq.exe 1148 "C:\Windows\SysWOW64\tepopr.exe"
        134⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\sxzqly.exe
        
        C:\Windows\system32\sxzqly.exe 1152 "C:\Windows\SysWOW64\dlblhq.exe"
        135⤵
        
        PID:280
        
        C:\Windows\SysWOW64\fkqorc.exe
        
        C:\Windows\system32\fkqorc.exe 1156 "C:\Windows\SysWOW64\sxzqly.exe"
        136⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\msegdr.exe
        
        C:\Windows\system32\msegdr.exe 1160 "C:\Windows\SysWOW64\fkqorc.exe"
        137⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\ldklal.exe
        
        C:\Windows\system32\ldklal.exe 1164 "C:\Windows\SysWOW64\msegdr.exe"
        138⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\wcojkk.exe
        
        C:\Windows\system32\wcojkk.exe 1168 "C:\Windows\SysWOW64\ldklal.exe"
        139⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\yidtac.exe
        
        C:\Windows\system32\yidtac.exe 1172 "C:\Windows\SysWOW64\wcojkk.exe"
        140⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\iqhrsa.exe
        
        C:\Windows\system32\iqhrsa.exe 1176 "C:\Windows\SysWOW64\yidtac.exe"
        141⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\tplocz.exe
        
        C:\Windows\system32\tplocz.exe 1180 "C:\Windows\SysWOW64\iqhrsa.exe"
        142⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\yqbjtf.exe
        
        C:\Windows\system32\yqbjtf.exe 1184 "C:\Windows\SysWOW64\tplocz.exe"
        143⤵
        
        PID:988
        
        C:\Windows\SysWOW64\ixfgdd.exe
        
        C:\Windows\system32\ixfgdd.exe 1188 "C:\Windows\SysWOW64\yqbjtf.exe"
        144⤵
        
        PID:856
        
        C:\Windows\SysWOW64\wbmebr.exe
        
        C:\Windows\system32\wbmebr.exe 1192 "C:\Windows\SysWOW64\ixfgdd.exe"
        145⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\agdpwi.exe
        
        C:\Windows\system32\agdpwi.exe 1196 "C:\Windows\SysWOW64\wbmebr.exe"
        146⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\idtqot.exe
        
        C:\Windows\system32\idtqot.exe 1200 "C:\Windows\SysWOW64\agdpwi.exe"
        147⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\jtumlz.exe
        
        C:\Windows\system32\jtumlz.exe 1204 "C:\Windows\SysWOW64\idtqot.exe"
        148⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\swroff.exe
        
        C:\Windows\system32\swroff.exe 1208 "C:\Windows\SysWOW64\jtumlz.exe"
        149⤵
        
        PID:932
        
        C:\Windows\SysWOW64\opjbjq.exe
        
        C:\Windows\system32\opjbjq.exe 1212 "C:\Windows\SysWOW64\swroff.exe"
        150⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\zlcurk.exe
        
        C:\Windows\system32\zlcurk.exe 1216 "C:\Windows\SysWOW64\opjbjq.exe"
        151⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\wmvzmo.exe
        
        C:\Windows\system32\wmvzmo.exe 1220 "C:\Windows\SysWOW64\zlcurk.exe"
        152⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\ayohgx.exe
        
        C:\Windows\system32\ayohgx.exe 1224 "C:\Windows\SysWOW64\wmvzmo.exe"
        153⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\vttxgr.exe
        
        C:\Windows\system32\vttxgr.exe 1228 "C:\Windows\SysWOW64\ayohgx.exe"
        154⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\isozoz.exe
        
        C:\Windows\system32\isozoz.exe 1232 "C:\Windows\SysWOW64\vttxgr.exe"
        155⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\pdnfls.exe
        
        C:\Windows\system32\pdnfls.exe 1236 "C:\Windows\SysWOW64\isozoz.exe"
        156⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\zczcwr.exe
        
        C:\Windows\system32\zczcwr.exe 1240 "C:\Windows\SysWOW64\pdnfls.exe"
        157⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\kysmdm.exe
        
        C:\Windows\system32\kysmdm.exe 1248 "C:\Windows\SysWOW64\zczcwr.exe"
        158⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\uipxzp.exe
        
        C:\Windows\system32\uipxzp.exe 1244 "C:\Windows\SysWOW64\kysmdm.exe"
        159⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\hvyvel.exe
        
        C:\Windows\system32\hvyvel.exe 1260 "C:\Windows\SysWOW64\uipxzp.exe"
        160⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\qjzkus.exe
        
        C:\Windows\system32\qjzkus.exe 1104 "C:\Windows\SysWOW64\hvyvel.exe"
        161⤵
        
        PID:680
        
        C:\Windows\SysWOW64\bfaccn.exe
        
        C:\Windows\system32\bfaccn.exe 1256 "C:\Windows\SysWOW64\qjzkus.exe"
        162⤵
        
        PID:844
        
        C:\Windows\SysWOW64\leeaul.exe
        
        C:\Windows\system32\leeaul.exe 1264 "C:\Windows\SysWOW64\bfaccn.exe"
        163⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\nhtkip.exe
        
        C:\Windows\system32\nhtkip.exe 1268 "C:\Windows\SysWOW64\leeaul.exe"
        164⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\xogisn.exe
        
        C:\Windows\system32\xogisn.exe 1280 "C:\Windows\SysWOW64\nhtkip.exe"
        165⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\kbpxgr.exe
        
        C:\Windows\system32\kbpxgr.exe 1288 "C:\Windows\SysWOW64\xogisn.exe"
        166⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\udmitu.exe
        
        C:\Windows\system32\udmitu.exe 1272 "C:\Windows\SysWOW64\kbpxgr.exe"
        167⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\ezfsbp.exe
        
        C:\Windows\system32\ezfsbp.exe 1276 "C:\Windows\SysWOW64\udmitu.exe"
        168⤵
        
        PID:596
        
        C:\Windows\SysWOW64\rqjnlk.exe
        
        C:\Windows\system32\rqjnlk.exe 1308 "C:\Windows\SysWOW64\ezfsbp.exe"
        169⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\bsyyyn.exe
        
        C:\Windows\system32\bsyyyn.exe 1300 "C:\Windows\SysWOW64\rqjnlk.exe"
        170⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\ldoimi.exe
        
        C:\Windows\system32\ldoimi.exe 1284 "C:\Windows\SysWOW64\bsyyyn.exe"
        171⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\bhwdqv.exe
        
        C:\Windows\system32\bhwdqv.exe 1292 "C:\Windows\SysWOW64\ldoimi.exe"
        172⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\ipjvkk.exe
        
        C:\Windows\system32\ipjvkk.exe 1316 "C:\Windows\SysWOW64\bhwdqv.exe"
        173⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\sowsuj.exe
        
        C:\Windows\system32\sowsuj.exe 1296 "C:\Windows\SysWOW64\ipjvkk.exe"
        174⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\fqcigw.exe
        
        C:\Windows\system32\fqcigw.exe 1304 "C:\Windows\SysWOW64\sowsuj.exe"
        175⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\pbrtbz.exe
        
        C:\Windows\system32\pbrtbz.exe 1312 "C:\Windows\SysWOW64\fqcigw.exe"
        176⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cojihv.exe
        
        C:\Windows\system32\cojihv.exe 1328 "C:\Windows\SysWOW64\pbrtbz.exe"
        177⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\jvwats.exe
        
        C:\Windows\system32\jvwats.exe 1320 "C:\Windows\SysWOW64\cojihv.exe"
        178⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\tyllon.exe
        
        C:\Windows\system32\tyllon.exe 1324 "C:\Windows\SysWOW64\jvwats.exe"
        179⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\dxyizm.exe
        
        C:\Windows\system32\dxyizm.exe 1332 "C:\Windows\SysWOW64\tyllon.exe"
        180⤵
        
        PID:980
        
        C:\Windows\SysWOW64\qwslhu.exe
        
        C:\Windows\system32\qwslhu.exe 1336 "C:\Windows\SysWOW64\dxyizm.exe"
        181⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\avwqst.exe
        
        C:\Windows\system32\avwqst.exe 1340 "C:\Windows\SysWOW64\qwslhu.exe"
        182⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\ntzlab.exe
        
        C:\Windows\system32\ntzlab.exe 1344 "C:\Windows\SysWOW64\avwqst.exe"
        183⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\xsdqta.exe
        
        C:\Windows\system32\xsdqta.exe 1352 "C:\Windows\SysWOW64\ntzlab.exe"
        184⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\hvtbgd.exe
        
        C:\Windows\system32\hvtbgd.exe 1348 "C:\Windows\SysWOW64\xsdqta.exe"
        185⤵
        
        PID:332
        
        C:\Windows\SysWOW64\rcfyyc.exe
        
        C:\Windows\system32\rcfyyc.exe 1356 "C:\Windows\SysWOW64\hvtbgd.exe"
        186⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\hgftuh.exe
        
        C:\Windows\system32\hgftuh.exe 1360 "C:\Windows\SysWOW64\rcfyyc.exe"
        187⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\osmyrb.exe
        
        C:\Windows\system32\osmyrb.exe 1364 "C:\Windows\SysWOW64\hgftuh.exe"
        188⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cfvoxf.exe
        
        C:\Windows\system32\cfvoxf.exe 1368 "C:\Windows\SysWOW64\osmyrb.exe"
        189⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\mplyki.exe
        
        C:\Windows\system32\mplyki.exe 1380 "C:\Windows\SysWOW64\cfvoxf.exe"
        190⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\vsajgl.exe
        
        C:\Windows\system32\vsajgl.exe 1372 "C:\Windows\SysWOW64\mplyki.exe"
        191⤵
        
        PID:736
        
        C:\Windows\SysWOW64\gzmgqk.exe
        
        C:\Windows\system32\gzmgqk.exe 1376 "C:\Windows\SysWOW64\vsajgl.exe"
        192⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\laubgh.exe
        
        C:\Windows\system32\laubgh.exe 1384 "C:\Windows\SysWOW64\gzmgqk.exe"
        193⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\vzhzrg.exe
        
        C:\Windows\system32\vzhzrg.exe 1388 "C:\Windows\SysWOW64\laubgh.exe"
        194⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\hbnocs.exe
        
        C:\Windows\system32\hbnocs.exe 1392 "C:\Windows\SysWOW64\vzhzrg.exe"
        195⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\sarmvr.exe
        
        C:\Windows\system32\sarmvr.exe 1396 "C:\Windows\SysWOW64\hbnocs.exe"
        196⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\fnibav.exe
        
        C:\Windows\system32\fnibav.exe 1400 "C:\Windows\SysWOW64\sarmvr.exe"
        197⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\ankfjk.exe
        
        C:\Windows\system32\ankfjk.exe 1404 "C:\Windows\SysWOW64\fnibav.exe"
        198⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\otbtyv.exe
        
        C:\Windows\system32\otbtyv.exe 1408 "C:\Windows\SysWOW64\ankfjk.exe"
        199⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\iyzuds.exe
        
        C:\Windows\system32\iyzuds.exe 1412 "C:\Windows\SysWOW64\otbtyv.exe"
        200⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\iixulm.exe
        
        C:\Windows\system32\iixulm.exe 1416 "C:\Windows\SysWOW64\iyzuds.exe"
        201⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\yovauq.exe
        
        C:\Windows\system32\yovauq.exe 1428 "C:\Windows\SysWOW64\iixulm.exe"
        202⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\lfycdy.exe
        
        C:\Windows\system32\lfycdy.exe 1420 "C:\Windows\SysWOW64\yovauq.exe"
        203⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\vmcavx.exe
        
        C:\Windows\system32\vmcavx.exe 1424 "C:\Windows\SysWOW64\lfycdy.exe"
        204⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\arwipz.exe
        
        C:\Windows\system32\arwipz.exe 1432 "C:\Windows\SysWOW64\vmcavx.exe"
        205⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\iyrabw.exe
        
        C:\Windows\system32\iyrabw.exe 1436 "C:\Windows\SysWOW64\arwipz.exe"
        206⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\mlliuy.exe
        
        C:\Windows\system32\mlliuy.exe 1440 "C:\Windows\SysWOW64\iyrabw.exe"
        207⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\upnver.exe
        
        C:\Windows\system32\upnver.exe 1444 "C:\Windows\SysWOW64\mlliuy.exe"
        208⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\bbuabl.exe
        
        C:\Windows\system32\bbuabl.exe 488 "C:\Windows\SysWOW64\upnver.exe"
        209⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\mtjffb.exe
        
        C:\Windows\system32\mtjffb.exe 1452 "C:\Windows\SysWOW64\bbuabl.exe"
        210⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\taxyaq.exe
        
        C:\Windows\system32\taxyaq.exe 1456 "C:\Windows\SysWOW64\mtjffb.exe"
        211⤵
        
        PID:828
        
        C:\Windows\SysWOW64\bfhljb.exe
        
        C:\Windows\system32\bfhljb.exe 1460 "C:\Windows\SysWOW64\taxyaq.exe"
        212⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\imuddz.exe
        
        C:\Windows\system32\imuddz.exe 1464 "C:\Windows\SysWOW64\bfhljb.exe"
        213⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\kaxfyz.exe
        
        C:\Windows\system32\kaxfyz.exe 1468 "C:\Windows\SysWOW64\imuddz.exe"
        214⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\vvyqgt.exe
        
        C:\Windows\system32\vvyqgt.exe 1472 "C:\Windows\SysWOW64\kaxfyz.exe"
        215⤵
        
        PID:336
        
        C:\Windows\SysWOW64\ejznet.exe
        
        C:\Windows\system32\ejznet.exe 1476 "C:\Windows\SysWOW64\vvyqgt.exe"
        216⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\pbotjj.exe
        
        C:\Windows\system32\pbotjj.exe 1480 "C:\Windows\SysWOW64\ejznet.exe"
        217⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\ustgfx.exe
        
        C:\Windows\system32\ustgfx.exe 1484 "C:\Windows\SysWOW64\pbotjj.exe"
        218⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\enmymr.exe
        
        C:\Windows\system32\enmymr.exe 1488 "C:\Windows\SysWOW64\ustgfx.exe"
        219⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\ahcylk.exe
        
        C:\Windows\system32\ahcylk.exe 1492 "C:\Windows\SysWOW64\enmymr.exe"
        220⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\drtvdy.exe
        
        C:\Windows\system32\drtvdy.exe 1496 "C:\Windows\SysWOW64\ahcylk.exe"
        221⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\qelljc.exe
        
        C:\Windows\system32\qelljc.exe 1500 "C:\Windows\SysWOW64\drtvdy.exe"
        222⤵
        
        PID:560
        
        C:\Windows\SysWOW64\uuiyfq.exe
        
        C:\Windows\system32\uuiyfq.exe 1504 "C:\Windows\SysWOW64\qelljc.exe"
        223⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\efxist.exe
        
        C:\Windows\system32\efxist.exe 1508 "C:\Windows\SysWOW64\uuiyfq.exe"
        224⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\mjhwke.exe
        
        C:\Windows\system32\mjhwke.exe 1512 "C:\Windows\SysWOW64\efxist.exe"
        225⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\wittud.exe
        
        C:\Windows\system32\wittud.exe 1516 "C:\Windows\SysWOW64\mjhwke.exe"
        226⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\gemlkx.exe
        
        C:\Windows\system32\gemlkx.exe 1520 "C:\Windows\SysWOW64\wittud.exe"
        227⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\oliewn.exe
        
        C:\Windows\system32\oliewn.exe 1524 "C:\Windows\SysWOW64\gemlkx.exe"
        228⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\yhjoeh.exe
        
        C:\Windows\system32\yhjoeh.exe 1528 "C:\Windows\SysWOW64\oliewn.exe"
        229⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\dbrwdz.exe
        
        C:\Windows\system32\dbrwdz.exe 1532 "C:\Windows\SysWOW64\yhjoeh.exe"
        230⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\qoimiv.exe
        
        C:\Windows\system32\qoimiv.exe 496 "C:\Windows\SysWOW64\dbrwdz.exe"
        231⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\uxoryw.exe
        
        C:\Windows\system32\uxoryw.exe 500 "C:\Windows\SysWOW64\qoimiv.exe"
        232⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cxnrnl.exe
        
        C:\Windows\system32\cxnrnl.exe 504 "C:\Windows\SysWOW64\uxoryw.exe"
        233⤵
        
        PID:884
        
        C:\Windows\SysWOW64\rrjexz.exe
        
        C:\Windows\system32\rrjexz.exe 780 "C:\Windows\SysWOW64\cxnrnl.exe"
        234⤵
        
        PID:912
        
        C:\Windows\SysWOW64\vhfxei.exe
        
        C:\Windows\system32\vhfxei.exe 516 "C:\Windows\SysWOW64\rrjexz.exe"
        235⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\ugdrfq.exe
        
        C:\Windows\system32\ugdrfq.exe 508 "C:\Windows\SysWOW64\vhfxei.exe"
        236⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\ymfrtm.exe
        
        C:\Windows\system32\ymfrtm.exe 1112 "C:\Windows\SysWOW64\ugdrfq.exe"
        237⤵
        
        PID:924
        
        C:\Windows\SysWOW64\jljpdl.exe
        
        C:\Windows\system32\jljpdl.exe 1564 "C:\Windows\SysWOW64\ymfrtm.exe"
        238⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\wybfjp.exe
        
        C:\Windows\system32\wybfjp.exe 1568 "C:\Windows\SysWOW64\jljpdl.exe"
        239⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dclsaa.exe
        
        C:\Windows\system32\dclsaa.exe 1572 "C:\Windows\SysWOW64\wybfjp.exe"
        240⤵
        
        PID:852
        
        C:\Windows\SysWOW64\knkxpb.exe
        
        C:\Windows\system32\knkxpb.exe 1576 "C:\Windows\SysWOW64\dclsaa.exe"
        241⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\vjlhfw.exe
        
        C:\Windows\system32\vjlhfw.exe 1580 "C:\Windows\SysWOW64\knkxpb.exe"
        242⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\ccjmuq.exe
        
        C:\Windows\system32\ccjmuq.exe 1448 "C:\Windows\SysWOW64\vjlhfw.exe"
        243⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\eekugy.exe
        
        C:\Windows\system32\eekugy.exe 512 "C:\Windows\SysWOW64\ccjmuq.exe"
        244⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\lfyfvi.exe
        
        C:\Windows\system32\lfyfvi.exe 1536 "C:\Windows\SysWOW64\eekugy.exe"
        245⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\fpznhr.exe
        
        C:\Windows\system32\fpznhr.exe 972 "C:\Windows\SysWOW64\lfyfvi.exe"
        246⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\magfpk.exe
        
        C:\Windows\system32\magfpk.exe 1252 "C:\Windows\SysWOW64\fpznhr.exe"
        247⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\qjmlfl.exe
        
        C:\Windows\system32\qjmlfl.exe 1540 "C:\Windows\SysWOW64\magfpk.exe"
        248⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\biqiyk.exe
        
        C:\Windows\system32\biqiyk.exe 1552 "C:\Windows\SysWOW64\qjmlfl.exe"
        249⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\uktixz.exe
        
        C:\Windows\system32\uktixz.exe 1560 "C:\Windows\SysWOW64\biqiyk.exe"
        250⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\hfjwpf.exe
        
        C:\Windows\system32\hfjwpf.exe 1556 "C:\Windows\SysWOW64\uktixz.exe"
        251⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\lzrohc.exe
        
        C:\Windows\system32\lzrohc.exe 1544 "C:\Windows\SysWOW64\hfjwpf.exe"
        252⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\svctzv.exe
        
        C:\Windows\system32\svctzv.exe 1548 "C:\Windows\SysWOW64\lzrohc.exe"
        253⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cjdwad.exe
        
        C:\Windows\system32\cjdwad.exe 1584 "C:\Windows\SysWOW64\svctzv.exe"
        254⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\jragpn.exe
        
        C:\Windows\system32\jragpn.exe 1588 "C:\Windows\SysWOW64\cjdwad.exe"
        255⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\qzupos.exe
        
        C:\Windows\system32\qzupos.exe 456 "C:\Windows\SysWOW64\jragpn.exe"
        256⤵
        
        PID:864
        
        C:\Windows\SysWOW64\epdzvx.exe
        
        C:\Windows\system32\epdzvx.exe 1604 "C:\Windows\SysWOW64\qzupos.exe"
        257⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\jiumfp.exe
        
        C:\Windows\system32\jiumfp.exe 1596 "C:\Windows\SysWOW64\epdzvx.exe"
        258⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\nrardp.exe
        
        C:\Windows\system32\nrardp.exe 1600 "C:\Windows\SysWOW64\jiumfp.exe"
        259⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\ktjfnh.exe
        
        C:\Windows\system32\ktjfnh.exe 1608 "C:\Windows\SysWOW64\nrardp.exe"
        260⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\oqmfbe.exe
        
        C:\Windows\system32\oqmfbe.exe 1620 "C:\Windows\SysWOW64\ktjfnh.exe"
        261⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\wnxceb.exe
        
        C:\Windows\system32\wnxceb.exe 1624 "C:\Windows\SysWOW64\oqmfbe.exe"
        262⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\ujksdn.exe
        
        C:\Windows\system32\ujksdn.exe 1628 "C:\Windows\SysWOW64\wnxceb.exe"
        263⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\zhmkqj.exe
        
        C:\Windows\system32\zhmkqj.exe 1632 "C:\Windows\SysWOW64\ujksdn.exe"
        264⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\dmgkey.exe
        
        C:\Windows\system32\dmgkey.exe 1636 "C:\Windows\SysWOW64\zhmkqj.exe"
        265⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\ljripe.exe
        
        C:\Windows\system32\ljripe.exe 1612 "C:\Windows\SysWOW64\dmgkey.exe"
        266⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\sqnabt.exe
        
        C:\Windows\system32\sqnabt.exe 1616 "C:\Windows\SysWOW64\ljripe.exe"
        267⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cprgus.exe
        
        C:\Windows\system32\cprgus.exe 1684 "C:\Windows\SysWOW64\sqnabt.exe"
        268⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\magqhv.exe
        
        C:\Windows\system32\magqhv.exe 1688 "C:\Windows\SysWOW64\cprgus.exe"
        269⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\ueqvyg.exe
        
        C:\Windows\system32\ueqvyg.exe 1692 "C:\Windows\SysWOW64\magqhv.exe"
        270⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\hrilek.exe
        
        C:\Windows\system32\hrilek.exe 1696 "C:\Windows\SysWOW64\ueqvyg.exe"
        271⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\ozvlqz.exe
        
        C:\Windows\system32\ozvlqz.exe 1700 "C:\Windows\SysWOW64\hrilek.exe"
        272⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\yblvlc.exe
        
        C:\Windows\system32\yblvlc.exe 1712 "C:\Windows\SysWOW64\ozvlqz.exe"
        273⤵
        
        PID:572
        
        C:\Windows\SysWOW64\ijxtwb.exe
        
        C:\Windows\system32\ijxtwb.exe 1704 "C:\Windows\SysWOW64\yblvlc.exe"
        274⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\vzsvej.exe
        
        C:\Windows\system32\vzsvej.exe 1708 "C:\Windows\SysWOW64\ijxtwb.exe"
        275⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\fywtpi.exe
        
        C:\Windows\system32\fywtpi.exe 1716 "C:\Windows\SysWOW64\vzsvej.exe"
        276⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\uraomm.exe
        
        C:\Windows\system32\uraomm.exe 1720 "C:\Windows\SysWOW64\fywtpi.exe"
        277⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\blzbjf.exe
        
        C:\Windows\system32\blzbjf.exe 1724 "C:\Windows\SysWOW64\uraomm.exe"
        278⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\nffjus.exe
        
        C:\Windows\system32\nffjus.exe 1728 "C:\Windows\SysWOW64\blzbjf.exe"
        279⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\yergfr.exe
        
        C:\Windows\system32\yergfr.exe 1732 "C:\Windows\SysWOW64\nffjus.exe"
        280⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\lzaeku.exe
        
        C:\Windows\system32\lzaeku.exe 1736 "C:\Windows\SysWOW64\yergfr.exe"
        281⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\vbqgyq.exe
        
        C:\Windows\system32\vbqgyq.exe 1740 "C:\Windows\SysWOW64\lzaeku.exe"
        282⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\istjoy.exe
        
        C:\Windows\system32\istjoy.exe 1744 "C:\Windows\SysWOW64\vbqgyq.exe"
        283⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\snlbws.exe
        
        C:\Windows\system32\snlbws.exe 1748 "C:\Windows\SysWOW64\istjoy.exe"
        284⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\zluucf.exe
        
        C:\Windows\system32\zluucf.exe 1752 "C:\Windows\SysWOW64\snlbws.exe"
        285⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\gtqmxu.exe
        
        C:\Windows\system32\gtqmxu.exe 1756 "C:\Windows\SysWOW64\zluucf.exe"
        286⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\qsujht.exe
        
        C:\Windows\system32\qsujht.exe 1760 "C:\Windows\SysWOW64\gtqmxu.exe"
        287⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\vtkexz.exe
        
        C:\Windows\system32\vtkexz.exe 1764 "C:\Windows\SysWOW64\qsujht.exe"
        288⤵
        
        PID:976
        
        C:\Windows\SysWOW64\irfhgz.exe
        
        C:\Windows\system32\irfhgz.exe 1768 "C:\Windows\SysWOW64\vtkexz.exe"
        289⤵
        
        PID:2916

C:\Windows\SysWOW64\yqduoh.exe
C:\Windows\system32\yqduoh.exe 596 "C:\Windows\SysWOW64\lairfz.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\ayuthf.exe
C:\Windows\system32\ayuthf.exe 568 "C:\Windows\SysWOW64\qzqwwg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\qzqwwg.exe
C:\Windows\system32\qzqwwg.exe 564 "C:\Windows\SysWOW64\dxkglt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\zrqoyf.exe
C:\Windows\system32\zrqoyf.exe 556 "C:\Windows\SysWOW64\oseqfg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\zrqoyf.exe

Filesize
92KB

MD5
65914d74a8a68e091e79260118732f84

SHA1
8437459e3c8139b44f646faa2d36371abbb85cac

SHA256
b21933fcf5e490b96dbcc04bb732b42d66ad4d01ca4b2101c991cec594c55a6a

SHA512
11f28600c15c50d1404f35b7fa8c932a46ffb8fe59bbdc979e7008f69f79c0f5be279898ae3087fc38253dc891e2dc7d976200b5cdca80f3ef74bd58bb4bdb72

Download Submit
\Windows\SysWOW64\qliiui.exe

Filesize
147KB

MD5
545de00a44e44ff1bbc119857dd15f79

SHA1
246493466b8052de8ab1409c438cbafd8398cf0a

SHA256
98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525

SHA512
24f106215aa82dee23bd72718b8aebc7e2ee643d1d04b292b11bab75fa46306a153670f67c6e39bd3dea12a5695f9edebc9a809e2972abfe43a100889fe2deb0

Download Submit
memory/552-63-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/552-98-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/620-229-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/620-220-0x00000000029C0000-0x0000000002ADC000-memory.dmp

Filesize
1.1MB

Download
memory/620-221-0x00000000029C0000-0x0000000002ADC000-memory.dmp

Filesize
1.1MB

Download
memory/620-211-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/676-126-0x0000000002B80000-0x0000000002C9C000-memory.dmp

Filesize
1.1MB

Download
memory/676-139-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-212-0x0000000002880000-0x000000000299C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-215-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-202-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-210-0x0000000002880000-0x000000000299C000-memory.dmp

Filesize
1.1MB

Download
memory/1496-239-0x00000000028C0000-0x00000000029DC000-memory.dmp

Filesize
1.1MB

Download
memory/1496-231-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1496-241-0x00000000028C0000-0x00000000029DC000-memory.dmp

Filesize
1.1MB

Download
memory/1496-248-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1532-143-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1532-156-0x0000000002890000-0x00000000029AC000-memory.dmp

Filesize
1.1MB

Download
memory/1532-161-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1776-184-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1776-197-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1776-193-0x0000000002870000-0x000000000298C000-memory.dmp

Filesize
1.1MB

Download
memory/1824-209-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1824-201-0x0000000002A30000-0x0000000002B4C000-memory.dmp

Filesize
1.1MB

Download
memory/1824-192-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2076-176-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2076-174-0x0000000002840000-0x000000000295C000-memory.dmp

Filesize
1.1MB

Download
memory/2076-166-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2224-39-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2224-55-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2268-13-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2268-36-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2268-25-0x0000000002820000-0x000000000293C000-memory.dmp

Filesize
1.1MB

Download
memory/2408-222-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2408-238-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2408-230-0x0000000002870000-0x000000000298C000-memory.dmp

Filesize
1.1MB

Download
memory/2412-87-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2412-111-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2456-175-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2456-187-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2456-183-0x0000000002AB0000-0x0000000002BCC000-memory.dmp

Filesize
1.1MB

Download
memory/2596-79-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2596-51-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2648-155-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2648-129-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2736-260-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2768-37-0x00000000028F0000-0x0000000002A0C000-memory.dmp

Filesize
1.1MB

Download
memory/2768-26-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2768-43-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2856-259-0x0000000002900000-0x0000000002A1C000-memory.dmp

Filesize
1.1MB

Download
memory/2856-250-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2884-101-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2884-120-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3020-170-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3020-157-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3020-165-0x00000000029E0000-0x0000000002AFC000-memory.dmp

Filesize
1.1MB

Download
memory/3052-12-0x0000000002B30000-0x0000000002C4C000-memory.dmp

Filesize
1.1MB

Download
memory/3052-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3052-5-0x0000000002B30000-0x0000000002C4C000-memory.dmp

Filesize
1.1MB

Download
memory/3052-19-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3068-258-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3068-249-0x00000000028B0000-0x00000000029CC000-memory.dmp

Filesize
1.1MB

Download
memory/3068-251-0x00000000028B0000-0x00000000029CC000-memory.dmp

Filesize
1.1MB

Download
memory/3068-240-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads