98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525

Analysis

max time kernel
47s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545de00a44e44ff1bbc119857dd15f79.exe
Size

147KB
MD5

545de00a44e44ff1bbc119857dd15f79
SHA1

246493466b8052de8ab1409c438cbafd8398cf0a
SHA256

98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525
SHA512

24f106215aa82dee23bd72718b8aebc7e2ee643d1d04b292b11bab75fa46306a153670f67c6e39bd3dea12a5695f9edebc9a809e2972abfe43a100889fe2deb0
SSDEEP

3072:pxIilxA2fi/dLWcEk5VbOcoXjMxkK9u4IRMzOLqo:pxbxA2uEk5YcXk/4IRMq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
4808	bgybul.exe
5060	rwumsx.exe
3764	yaerci.exe
676	yieahz.exe
3364	lzhdqh.exe
2108	thudcx.exe
1004	gumtib.exe
4240	tdsvla.exe
4680	eztoav.exe
1556	bxdrso.exe
2128	ymkrlu.exe
4740	gndvca.exe
4920	lbknxh.exe
4624	vyhhun.exe
3788	ibrmsn.exe
2944	qlyaej.exe
316	zoyifh.exe
5012	ffozed.exe
3380	mgxavh.exe
3280	rxoecx.exe
1432	pjkrsr.exe
2560	udvudo.exe
1056	wyywyo.exe
3100	huzhfj.exe
2504	msextk.exe
2392	xnxhbe.exe
4084	kxdsee.exe
4204	rfzkyt.exe
1580	carvfo.exe
3532	kpnqjq.exe
2232	mzffbm.exe
1416	xvfqrh.exe
1100	wzqdaa.exe
3880	jykgja.exe
4660	utlqzc.exe
1408	epejgx.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\utlqzc.exe	jykgja.exe
File created	C:\Windows\SysWOW64\yaerci.exe	rwumsx.exe
File opened for modification	C:\Windows\SysWOW64\vyhhun.exe	lbknxh.exe
File opened for modification	C:\Windows\SysWOW64\mgxavh.exe	ffozed.exe
File created	C:\Windows\SysWOW64\msextk.exe	huzhfj.exe
File created	C:\Windows\SysWOW64\mzffbm.exe	kpnqjq.exe
File created	C:\Windows\SysWOW64\xvfqrh.exe	mzffbm.exe
File opened for modification	C:\Windows\SysWOW64\epejgx.exe	utlqzc.exe
File opened for modification	C:\Windows\SysWOW64\tdsvla.exe	gumtib.exe
File opened for modification	C:\Windows\SysWOW64\ymkrlu.exe	bxdrso.exe
File opened for modification	C:\Windows\SysWOW64\zoyifh.exe	qlyaej.exe
File created	C:\Windows\SysWOW64\kxdsee.exe	xnxhbe.exe
File created	C:\Windows\SysWOW64\carvfo.exe	rfzkyt.exe
File opened for modification	C:\Windows\SysWOW64\kpnqjq.exe	carvfo.exe
File opened for modification	C:\Windows\SysWOW64\rwumsx.exe	bgybul.exe
File created	C:\Windows\SysWOW64\ffozed.exe	zoyifh.exe
File opened for modification	C:\Windows\SysWOW64\msextk.exe	huzhfj.exe
File opened for modification	C:\Windows\SysWOW64\kxdsee.exe	xnxhbe.exe
File opened for modification	C:\Windows\SysWOW64\yaerci.exe	rwumsx.exe
File created	C:\Windows\SysWOW64\gumtib.exe	thudcx.exe
File opened for modification	C:\Windows\SysWOW64\jykgja.exe	wzqdaa.exe
File created	C:\Windows\SysWOW64\kpnqjq.exe	carvfo.exe
File opened for modification	C:\Windows\SysWOW64\bgybul.exe	545de00a44e44ff1bbc119857dd15f79.exe
File created	C:\Windows\SysWOW64\ymkrlu.exe	bxdrso.exe
File created	C:\Windows\SysWOW64\gndvca.exe	ymkrlu.exe
File opened for modification	C:\Windows\SysWOW64\pjkrsr.exe	rxoecx.exe
File created	C:\Windows\SysWOW64\epejgx.exe	utlqzc.exe
File created	C:\Windows\SysWOW64\ibrmsn.exe	vyhhun.exe
File opened for modification	C:\Windows\SysWOW64\wyywyo.exe	udvudo.exe
File opened for modification	C:\Windows\SysWOW64\xnxhbe.exe	msextk.exe
File opened for modification	C:\Windows\SysWOW64\wzqdaa.exe	xvfqrh.exe
File opened for modification	C:\Windows\SysWOW64\lzhdqh.exe	yieahz.exe
File opened for modification	C:\Windows\SysWOW64\mzffbm.exe	kpnqjq.exe
File created	C:\Windows\SysWOW64\rfzkyt.exe	kxdsee.exe
File created	C:\Windows\SysWOW64\bgybul.exe	545de00a44e44ff1bbc119857dd15f79.exe
File created	C:\Windows\SysWOW64\rwumsx.exe	bgybul.exe
File opened for modification	C:\Windows\SysWOW64\gumtib.exe	thudcx.exe
File created	C:\Windows\SysWOW64\eztoav.exe	tdsvla.exe
File created	C:\Windows\SysWOW64\zoyifh.exe	qlyaej.exe
File created	C:\Windows\SysWOW64\wyywyo.exe	udvudo.exe
File opened for modification	C:\Windows\SysWOW64\carvfo.exe	rfzkyt.exe
File created	C:\Windows\SysWOW64\wzqdaa.exe	xvfqrh.exe
File created	C:\Windows\SysWOW64\vyhhun.exe	lbknxh.exe
File opened for modification	C:\Windows\SysWOW64\ibrmsn.exe	vyhhun.exe
File opened for modification	C:\Windows\SysWOW64\rxoecx.exe	mgxavh.exe
File created	C:\Windows\SysWOW64\udvudo.exe	pjkrsr.exe
File created	C:\Windows\SysWOW64\thudcx.exe	lzhdqh.exe
File opened for modification	C:\Windows\SysWOW64\ffozed.exe	zoyifh.exe
File created	C:\Windows\SysWOW64\rxoecx.exe	mgxavh.exe
File opened for modification	C:\Windows\SysWOW64\rfzkyt.exe	kxdsee.exe
File created	C:\Windows\SysWOW64\qlyaej.exe	ibrmsn.exe
File created	C:\Windows\SysWOW64\pjkrsr.exe	rxoecx.exe
File created	C:\Windows\SysWOW64\huzhfj.exe	wyywyo.exe
File opened for modification	C:\Windows\SysWOW64\xvfqrh.exe	mzffbm.exe
File opened for modification	C:\Windows\SysWOW64\yieahz.exe	yaerci.exe
File opened for modification	C:\Windows\SysWOW64\thudcx.exe	lzhdqh.exe
File created	C:\Windows\SysWOW64\bxdrso.exe	eztoav.exe
File created	C:\Windows\SysWOW64\lbknxh.exe	gndvca.exe
File opened for modification	C:\Windows\SysWOW64\udvudo.exe	pjkrsr.exe
File created	C:\Windows\SysWOW64\lzhdqh.exe	yieahz.exe
File created	C:\Windows\SysWOW64\tdsvla.exe	gumtib.exe
File opened for modification	C:\Windows\SysWOW64\bxdrso.exe	eztoav.exe
File created	C:\Windows\SysWOW64\mgxavh.exe	ffozed.exe
File opened for modification	C:\Windows\SysWOW64\huzhfj.exe	wyywyo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4808	4504	545de00a44e44ff1bbc119857dd15f79.exe	90
PID 4504 wrote to memory of 4808	4504	545de00a44e44ff1bbc119857dd15f79.exe	90
PID 4504 wrote to memory of 4808	4504	545de00a44e44ff1bbc119857dd15f79.exe	90
PID 4808 wrote to memory of 5060	4808	bgybul.exe	92
PID 4808 wrote to memory of 5060	4808	bgybul.exe	92
PID 4808 wrote to memory of 5060	4808	bgybul.exe	92
PID 5060 wrote to memory of 3764	5060	rwumsx.exe	93
PID 5060 wrote to memory of 3764	5060	rwumsx.exe	93
PID 5060 wrote to memory of 3764	5060	rwumsx.exe	93
PID 3764 wrote to memory of 676	3764	yaerci.exe	94
PID 3764 wrote to memory of 676	3764	yaerci.exe	94
PID 3764 wrote to memory of 676	3764	yaerci.exe	94
PID 676 wrote to memory of 3364	676	yieahz.exe	95
PID 676 wrote to memory of 3364	676	yieahz.exe	95
PID 676 wrote to memory of 3364	676	yieahz.exe	95
PID 3364 wrote to memory of 2108	3364	lzhdqh.exe	96
PID 3364 wrote to memory of 2108	3364	lzhdqh.exe	96
PID 3364 wrote to memory of 2108	3364	lzhdqh.exe	96
PID 2108 wrote to memory of 1004	2108	thudcx.exe	97
PID 2108 wrote to memory of 1004	2108	thudcx.exe	97
PID 2108 wrote to memory of 1004	2108	thudcx.exe	97
PID 1004 wrote to memory of 4240	1004	gumtib.exe	98
PID 1004 wrote to memory of 4240	1004	gumtib.exe	98
PID 1004 wrote to memory of 4240	1004	gumtib.exe	98
PID 4240 wrote to memory of 4680	4240	tdsvla.exe	99
PID 4240 wrote to memory of 4680	4240	tdsvla.exe	99
PID 4240 wrote to memory of 4680	4240	tdsvla.exe	99
PID 4680 wrote to memory of 1556	4680	eztoav.exe	100
PID 4680 wrote to memory of 1556	4680	eztoav.exe	100
PID 4680 wrote to memory of 1556	4680	eztoav.exe	100
PID 1556 wrote to memory of 2128	1556	bxdrso.exe	101
PID 1556 wrote to memory of 2128	1556	bxdrso.exe	101
PID 1556 wrote to memory of 2128	1556	bxdrso.exe	101
PID 2128 wrote to memory of 4740	2128	ymkrlu.exe	102
PID 2128 wrote to memory of 4740	2128	ymkrlu.exe	102
PID 2128 wrote to memory of 4740	2128	ymkrlu.exe	102
PID 4740 wrote to memory of 4920	4740	gndvca.exe	105
PID 4740 wrote to memory of 4920	4740	gndvca.exe	105
PID 4740 wrote to memory of 4920	4740	gndvca.exe	105
PID 4920 wrote to memory of 4624	4920	lbknxh.exe	106
PID 4920 wrote to memory of 4624	4920	lbknxh.exe	106
PID 4920 wrote to memory of 4624	4920	lbknxh.exe	106
PID 4624 wrote to memory of 3788	4624	vyhhun.exe	109
PID 4624 wrote to memory of 3788	4624	vyhhun.exe	109
PID 4624 wrote to memory of 3788	4624	vyhhun.exe	109
PID 3788 wrote to memory of 2944	3788	ibrmsn.exe	110
PID 3788 wrote to memory of 2944	3788	ibrmsn.exe	110
PID 3788 wrote to memory of 2944	3788	ibrmsn.exe	110
PID 2944 wrote to memory of 316	2944	qlyaej.exe	112
PID 2944 wrote to memory of 316	2944	qlyaej.exe	112
PID 2944 wrote to memory of 316	2944	qlyaej.exe	112
PID 316 wrote to memory of 5012	316	zoyifh.exe	113
PID 316 wrote to memory of 5012	316	zoyifh.exe	113
PID 316 wrote to memory of 5012	316	zoyifh.exe	113
PID 5012 wrote to memory of 3380	5012	ffozed.exe	114
PID 5012 wrote to memory of 3380	5012	ffozed.exe	114
PID 5012 wrote to memory of 3380	5012	ffozed.exe	114
PID 3380 wrote to memory of 3280	3380	mgxavh.exe	116
PID 3380 wrote to memory of 3280	3380	mgxavh.exe	116
PID 3380 wrote to memory of 3280	3380	mgxavh.exe	116
PID 3280 wrote to memory of 1432	3280	rxoecx.exe	117
PID 3280 wrote to memory of 1432	3280	rxoecx.exe	117
PID 3280 wrote to memory of 1432	3280	rxoecx.exe	117
PID 1432 wrote to memory of 2560	1432	pjkrsr.exe	118

C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe
"C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\bgybul.exe
  C:\Windows\system32\bgybul.exe 1192 "C:\Users\Admin\AppData\Local\Temp\545de00a44e44ff1bbc119857dd15f79.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\rwumsx.exe
    C:\Windows\system32\rwumsx.exe 1156 "C:\Windows\SysWOW64\bgybul.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\yaerci.exe
      C:\Windows\system32\yaerci.exe 1160 "C:\Windows\SysWOW64\rwumsx.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\yieahz.exe
        
        C:\Windows\system32\yieahz.exe 1164 "C:\Windows\SysWOW64\yaerci.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\SysWOW64\lzhdqh.exe
        
        C:\Windows\system32\lzhdqh.exe 1168 "C:\Windows\SysWOW64\yieahz.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\thudcx.exe
        
        C:\Windows\system32\thudcx.exe 1152 "C:\Windows\SysWOW64\lzhdqh.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\gumtib.exe
        
        C:\Windows\system32\gumtib.exe 1148 "C:\Windows\SysWOW64\thudcx.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\tdsvla.exe
        
        C:\Windows\system32\tdsvla.exe 1172 "C:\Windows\SysWOW64\gumtib.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\eztoav.exe
        
        C:\Windows\system32\eztoav.exe 1176 "C:\Windows\SysWOW64\tdsvla.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\bxdrso.exe
        
        C:\Windows\system32\bxdrso.exe 1180 "C:\Windows\SysWOW64\eztoav.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\ymkrlu.exe
        
        C:\Windows\system32\ymkrlu.exe 1196 "C:\Windows\SysWOW64\bxdrso.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\gndvca.exe
        
        C:\Windows\system32\gndvca.exe 1200 "C:\Windows\SysWOW64\ymkrlu.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\lbknxh.exe
        
        C:\Windows\system32\lbknxh.exe 1184 "C:\Windows\SysWOW64\gndvca.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\vyhhun.exe
        
        C:\Windows\system32\vyhhun.exe 1188 "C:\Windows\SysWOW64\lbknxh.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\ibrmsn.exe
        
        C:\Windows\system32\ibrmsn.exe 1204 "C:\Windows\SysWOW64\vyhhun.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\qlyaej.exe
        
        C:\Windows\system32\qlyaej.exe 1216 "C:\Windows\SysWOW64\ibrmsn.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\zoyifh.exe
        
        C:\Windows\system32\zoyifh.exe 1220 "C:\Windows\SysWOW64\qlyaej.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\ffozed.exe
        
        C:\Windows\system32\ffozed.exe 1224 "C:\Windows\SysWOW64\zoyifh.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\mgxavh.exe
        
        C:\Windows\system32\mgxavh.exe 1208 "C:\Windows\SysWOW64\ffozed.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\rxoecx.exe
        
        C:\Windows\system32\rxoecx.exe 1228 "C:\Windows\SysWOW64\mgxavh.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\pjkrsr.exe
        
        C:\Windows\system32\pjkrsr.exe 1132 "C:\Windows\SysWOW64\rxoecx.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\udvudo.exe
        
        C:\Windows\system32\udvudo.exe 1060 "C:\Windows\SysWOW64\pjkrsr.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\wyywyo.exe
        
        C:\Windows\system32\wyywyo.exe 1244 "C:\Windows\SysWOW64\udvudo.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\huzhfj.exe
        
        C:\Windows\system32\huzhfj.exe 1252 "C:\Windows\SysWOW64\wyywyo.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\msextk.exe
        
        C:\Windows\system32\msextk.exe 1248 "C:\Windows\SysWOW64\huzhfj.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504

C:\Windows\SysWOW64\xnxhbe.exe
C:\Windows\system32\xnxhbe.exe 1236 "C:\Windows\SysWOW64\msextk.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392
- C:\Windows\SysWOW64\kxdsee.exe
  C:\Windows\system32\kxdsee.exe 1260 "C:\Windows\SysWOW64\xnxhbe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4084

C:\Windows\SysWOW64\rfzkyt.exe
C:\Windows\system32\rfzkyt.exe 1240 "C:\Windows\SysWOW64\kxdsee.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204
- C:\Windows\SysWOW64\carvfo.exe
  C:\Windows\system32\carvfo.exe 1268 "C:\Windows\SysWOW64\rfzkyt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1580
- - C:\Windows\SysWOW64\kpnqjq.exe
    C:\Windows\system32\kpnqjq.exe 1272 "C:\Windows\SysWOW64\carvfo.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3532
  - - C:\Windows\SysWOW64\mzffbm.exe
      C:\Windows\system32\mzffbm.exe 1256 "C:\Windows\SysWOW64\kpnqjq.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2232
    - - C:\Windows\SysWOW64\xvfqrh.exe
        
        C:\Windows\system32\xvfqrh.exe 1280 "C:\Windows\SysWOW64\mzffbm.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
      - C:\Windows\SysWOW64\wzqdaa.exe
        
        C:\Windows\system32\wzqdaa.exe 1264 "C:\Windows\SysWOW64\xvfqrh.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\jykgja.exe
        
        C:\Windows\system32\jykgja.exe 1276 "C:\Windows\SysWOW64\wzqdaa.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\utlqzc.exe
        
        C:\Windows\system32\utlqzc.exe 1292 "C:\Windows\SysWOW64\jykgja.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\epejgx.exe
        
        C:\Windows\system32\epejgx.exe 1296 "C:\Windows\SysWOW64\utlqzc.exe"
        9⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\pvrbij.exe
        
        C:\Windows\system32\pvrbij.exe 1284 "C:\Windows\SysWOW64\epejgx.exe"
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\zggddm.exe
        
        C:\Windows\system32\zggddm.exe 1304 "C:\Windows\SysWOW64\pvrbij.exe"
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\jczwlg.exe
        
        C:\Windows\system32\jczwlg.exe 1308 "C:\Windows\SysWOW64\zggddm.exe"
        12⤵
        
        PID:816
        
        C:\Windows\SysWOW64\xdfzog.exe
        
        C:\Windows\system32\xdfzog.exe 1320 "C:\Windows\SysWOW64\jczwlg.exe"
        13⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\hzgrwa.exe
        
        C:\Windows\system32\hzgrwa.exe 1300 "C:\Windows\SysWOW64\xdfzog.exe"
        14⤵
        
        PID:792
        
        C:\Windows\SysWOW64\oobjqq.exe
        
        C:\Windows\system32\oobjqq.exe 1316 "C:\Windows\SysWOW64\hzgrwa.exe"
        15⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\umyzvr.exe
        
        C:\Windows\system32\umyzvr.exe 1312 "C:\Windows\SysWOW64\oobjqq.exe"
        16⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\hzqpjn.exe
        
        C:\Windows\system32\hzqpjn.exe 1288 "C:\Windows\SysWOW64\umyzvr.exe"
        17⤵
        
        PID:884
        
        C:\Windows\SysWOW64\umzepq.exe
        
        C:\Windows\system32\umzepq.exe 1332 "C:\Windows\SysWOW64\hzqpjn.exe"
        18⤵
        
        PID:652
        
        C:\Windows\SysWOW64\elmczp.exe
        
        C:\Windows\system32\elmczp.exe 1324 "C:\Windows\SysWOW64\umzepq.exe"
        19⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\pdbhef.exe
        
        C:\Windows\system32\pdbhef.exe 1336 "C:\Windows\SysWOW64\elmczp.exe"
        20⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\zdffxe.exe
        
        C:\Windows\system32\zdffxe.exe 1328 "C:\Windows\SysWOW64\pdbhef.exe"
        21⤵
        
        PID:728
        
        C:\Windows\SysWOW64\mqxuci.exe
        
        C:\Windows\system32\mqxuci.exe 1348 "C:\Windows\SysWOW64\zdffxe.exe"
        22⤵
        
        PID:948
        
        C:\Windows\SysWOW64\wxbsnh.exe
        
        C:\Windows\system32\wxbsnh.exe 1360 "C:\Windows\SysWOW64\mqxuci.exe"
        23⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\jktitl.exe
        
        C:\Windows\system32\jktitl.exe 1340 "C:\Windows\SysWOW64\wxbsnh.exe"
        24⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\uflaaf.exe
        
        C:\Windows\system32\uflaaf.exe 1344 "C:\Windows\SysWOW64\jktitl.exe"
        25⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\hsdqgb.exe
        
        C:\Windows\system32\hsdqgb.exe 1232 "C:\Windows\SysWOW64\uflaaf.exe"
        26⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\roeawv.exe
        
        C:\Windows\system32\roeawv.exe 1364 "C:\Windows\SysWOW64\hsdqgb.exe"
        27⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cniggu.exe
        
        C:\Windows\system32\cniggu.exe 1356 "C:\Windows\SysWOW64\roeawv.exe"
        28⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\rzqtkh.exe
        
        C:\Windows\system32\rzqtkh.exe 1376 "C:\Windows\SysWOW64\cniggu.exe"
        29⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cvjlsc.exe
        
        C:\Windows\system32\cvjlsc.exe 1372 "C:\Windows\SysWOW64\rzqtkh.exe"
        30⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\mxgvnf.exe
        
        C:\Windows\system32\mxgvnf.exe 1384 "C:\Windows\SysWOW64\cvjlsc.exe"
        31⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\zkqltj.exe
        
        C:\Windows\system32\zkqltj.exe 1368 "C:\Windows\SysWOW64\mxgvnf.exe"
        32⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\jgrwad.exe
        
        C:\Windows\system32\jgrwad.exe 1380 "C:\Windows\SysWOW64\zkqltj.exe"
        33⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\ucsoiy.exe
        
        C:\Windows\system32\ucsoiy.exe 1396 "C:\Windows\SysWOW64\jgrwad.exe"
        34⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\ebwlax.exe
        
        C:\Windows\system32\ebwlax.exe 1124 "C:\Windows\SysWOW64\ucsoiy.exe"
        35⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\rkcodo.exe
        
        C:\Windows\system32\rkcodo.exe 1408 "C:\Windows\SysWOW64\ebwlax.exe"
        36⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\brguon.exe
        
        C:\Windows\system32\brguon.exe 1392 "C:\Windows\SysWOW64\rkcodo.exe"
        37⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\enthgv.exe
        
        C:\Windows\system32\enthgv.exe 1400 "C:\Windows\SysWOW64\brguon.exe"
        38⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\ybhvax.exe
        
        C:\Windows\system32\ybhvax.exe 1424 "C:\Windows\SysWOW64\enthgv.exe"
        39⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\wvrzmq.exe
        
        C:\Windows\system32\wvrzmq.exe 1416 "C:\Windows\SysWOW64\ybhvax.exe"
        40⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\rjrijy.exe
        
        C:\Windows\system32\rjrijy.exe 1404 "C:\Windows\SysWOW64\wvrzmq.exe"
        41⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\jditdy.exe
        
        C:\Windows\system32\jditdy.exe 1436 "C:\Windows\SysWOW64\rjrijy.exe"
        42⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\lnlmmo.exe
        
        C:\Windows\system32\lnlmmo.exe 1428 "C:\Windows\SysWOW64\jditdy.exe"
        43⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\lzxeia.exe
        
        C:\Windows\system32\lzxeia.exe 1432 "C:\Windows\SysWOW64\lnlmmo.exe"
        44⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\vybktz.exe
        
        C:\Windows\system32\vybktz.exe 1440 "C:\Windows\SysWOW64\lzxeia.exe"
        45⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\ejmkux.exe
        
        C:\Windows\system32\ejmkux.exe 1128 "C:\Windows\SysWOW64\vybktz.exe"
        46⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\ojqhmv.exe
        
        C:\Windows\system32\ojqhmv.exe 1212 "C:\Windows\SysWOW64\ejmkux.exe"
        47⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\yqcfxu.exe
        
        C:\Windows\system32\yqcfxu.exe 1444 "C:\Windows\SysWOW64\ojqhmv.exe"
        48⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\lzipau.exe
        
        C:\Windows\system32\lzipau.exe 1448 "C:\Windows\SysWOW64\yqcfxu.exe"
        49⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\wymnkt.exe
        
        C:\Windows\system32\wymnkt.exe 1456 "C:\Windows\SysWOW64\lzipau.exe"
        50⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\jledqw.exe
        
        C:\Windows\system32\jledqw.exe 1452 "C:\Windows\SysWOW64\wymnkt.exe"
        51⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\wyoses.exe
        
        C:\Windows\system32\wyoses.exe 1460 "C:\Windows\SysWOW64\jledqw.exe"
        52⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\gjddrv.exe
        
        C:\Windows\system32\gjddrv.exe 1472 "C:\Windows\SysWOW64\wyoses.exe"
        53⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\tsjnuv.exe
        
        C:\Windows\system32\tsjnuv.exe 1464 "C:\Windows\SysWOW64\gjddrv.exe"
        54⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\drvleu.exe
        
        C:\Windows\system32\drvleu.exe 1468 "C:\Windows\SysWOW64\tsjnuv.exe"
        55⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\qefbkx.exe
        
        C:\Windows\system32\qefbkx.exe 1496 "C:\Windows\SysWOW64\drvleu.exe"
        56⤵
        
        PID:720
        
        C:\Windows\SysWOW64\ymaten.exe
        
        C:\Windows\system32\ymaten.exe 1476 "C:\Windows\SysWOW64\qefbkx.exe"
        57⤵
        
        PID:496
        
        C:\Windows\SysWOW64\lzkqkr.exe
        
        C:\Windows\system32\lzkqkr.exe 1480 "C:\Windows\SysWOW64\ymaten.exe"
        58⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\qialbw.exe
        
        C:\Windows\system32\qialbw.exe 1492 "C:\Windows\SysWOW64\lzkqkr.exe"
        59⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\esyoeo.exe
        
        C:\Windows\system32\esyoeo.exe 1484 "C:\Windows\SysWOW64\qialbw.exe"
        60⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\evlgsa.exe
        
        C:\Windows\system32\evlgsa.exe 1488 "C:\Windows\SysWOW64\esyoeo.exe"
        61⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\gfkekw.exe
        
        C:\Windows\system32\gfkekw.exe 1500 "C:\Windows\SysWOW64\evlgsa.exe"
        62⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\ibdpsq.exe
        
        C:\Windows\system32\ibdpsq.exe 1116 "C:\Windows\SysWOW64\gfkekw.exe"
        63⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\twezhl.exe
        
        C:\Windows\system32\twezhl.exe 1508 "C:\Windows\SysWOW64\ibdpsq.exe"
        64⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\tiqrwp.exe
        
        C:\Windows\system32\tiqrwp.exe 1520 "C:\Windows\SysWOW64\twezhl.exe"
        65⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\derkdj.exe
        
        C:\Windows\system32\derkdj.exe 1524 "C:\Windows\SysWOW64\tiqrwp.exe"
        66⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\qrbzjn.exe
        
        C:\Windows\system32\qrbzjn.exe 1512 "C:\Windows\SysWOW64\derkdj.exe"
        67⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\bmckrh.exe
        
        C:\Windows\system32\bmckrh.exe 1516 "C:\Windows\SysWOW64\qrbzjn.exe"
        68⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\olwnzq.exe
        
        C:\Windows\system32\olwnzq.exe 1528 "C:\Windows\SysWOW64\bmckrh.exe"
        69⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\ykjsso.exe
        
        C:\Windows\system32\ykjsso.exe 1412 "C:\Windows\SysWOW64\olwnzq.exe"
        70⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\ijnpcn.exe
        
        C:\Windows\system32\ijnpcn.exe 1536 "C:\Windows\SysWOW64\ykjsso.exe"
        71⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\vwefir.exe
        
        C:\Windows\system32\vwefir.exe 1548 "C:\Windows\SysWOW64\ijnpcn.exe"
        72⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\ijovon.exe
        
        C:\Windows\system32\ijovon.exe 1540 "C:\Windows\SysWOW64\vwefir.exe"
        73⤵
        
        PID:772
        
        C:\Windows\SysWOW64\sqasgm.exe
        
        C:\Windows\system32\sqasgm.exe 1544 "C:\Windows\SysWOW64\ijovon.exe"
        74⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\gzgdjl.exe
        
        C:\Windows\system32\gzgdjl.exe 1552 "C:\Windows\SysWOW64\sqasgm.exe"
        75⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\qcwnwo.exe
        
        C:\Windows\system32\qcwnwo.exe 1572 "C:\Windows\SysWOW64\gzgdjl.exe"
        76⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\dmcqzo.exe
        
        C:\Windows\system32\dmcqzo.exe 1564 "C:\Windows\SysWOW64\qcwnwo.exe"
        77⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\qzlgfs.exe
        
        C:\Windows\system32\qzlgfs.exe 1580 "C:\Windows\SysWOW64\dmcqzo.exe"
        78⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\ajjqsn.exe
        
        C:\Windows\system32\ajjqsn.exe 1568 "C:\Windows\SysWOW64\qzlgfs.exe"
        79⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\othbdm.exe
        
        C:\Windows\system32\othbdm.exe 1556 "C:\Windows\SysWOW64\ajjqsn.exe"
        80⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\yvfdrp.exe
        
        C:\Windows\system32\yvfdrp.exe 1584 "C:\Windows\SysWOW64\othbdm.exe"
        81⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\lfloup.exe
        
        C:\Windows\system32\lfloup.exe 1560 "C:\Windows\SysWOW64\yvfdrp.exe"
        82⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\vepleo.exe
        
        C:\Windows\system32\vepleo.exe 1576 "C:\Windows\SysWOW64\lfloup.exe"
        83⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\invohn.exe
        
        C:\Windows\system32\invohn.exe 1588 "C:\Windows\SysWOW64\vepleo.exe"
        84⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\tmzuzm.exe
        
        C:\Windows\system32\tmzuzm.exe 1592 "C:\Windows\SysWOW64\invohn.exe"
        85⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\glcwim.exe
        
        C:\Windows\system32\glcwim.exe 1596 "C:\Windows\SysWOW64\tmzuzm.exe"
        86⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\qkgusl.exe
        
        C:\Windows\system32\qkgusl.exe 1604 "C:\Windows\SysWOW64\glcwim.exe"
        87⤵
        
        PID:452
        
        C:\Windows\SysWOW64\dtnwvk.exe
        
        C:\Windows\system32\dtnwvk.exe 1608 "C:\Windows\SysWOW64\qkgusl.exe"
        88⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\ntrugj.exe
        
        C:\Windows\system32\ntrugj.exe 1600 "C:\Windows\SysWOW64\dtnwvk.exe"
        89⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\agikun.exe
        
        C:\Windows\system32\agikun.exe 1620 "C:\Windows\SysWOW64\ntrugj.exe"
        90⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\lnmpem.exe
        
        C:\Windows\system32\lnmpem.exe 1612 "C:\Windows\SysWOW64\agikun.exe"
        91⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\vinzmg.exe
        
        C:\Windows\system32\vinzmg.exe 1352 "C:\Windows\SysWOW64\lnmpem.exe"
        92⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\ikucpg.exe
        
        C:\Windows\system32\ikucpg.exe 1624 "C:\Windows\SysWOW64\vinzmg.exe"
        93⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\tfuvwa.exe
        
        C:\Windows\system32\tfuvwa.exe 1636 "C:\Windows\SysWOW64\ikucpg.exe"
        94⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\dqkfrd.exe
        
        C:\Windows\system32\dqkfrd.exe 1648 "C:\Windows\SysWOW64\tfuvwa.exe"
        95⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\qzqiud.exe
        
        C:\Windows\system32\qzqiud.exe 1640 "C:\Windows\SysWOW64\dqkfrd.exe"
        96⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\xhdihs.exe
        
        C:\Windows\system32\xhdihs.exe 1628 "C:\Windows\SysWOW64\qzqiud.exe"
        97⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\luvyuw.exe
        
        C:\Windows\system32\luvyuw.exe 1652 "C:\Windows\SysWOW64\xhdihs.exe"
        98⤵
        
        PID:924
        
        C:\Windows\SysWOW64\yebaxo.exe
        
        C:\Windows\system32\yebaxo.exe 1632 "C:\Windows\SysWOW64\luvyuw.exe"
        99⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\izutfi.exe
        
        C:\Windows\system32\izutfi.exe 1644 "C:\Windows\SysWOW64\yebaxo.exe"
        100⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\tygqph.exe
        
        C:\Windows\system32\tygqph.exe 1664 "C:\Windows\SysWOW64\izutfi.exe"
        101⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\glqgvl.exe
        
        C:\Windows\system32\glqgvl.exe 1668 "C:\Windows\SysWOW64\tygqph.exe"
        102⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\qscdok.exe
        
        C:\Windows\system32\qscdok.exe 1672 "C:\Windows\SysWOW64\glqgvl.exe"
        103⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\dfutuo.exe
        
        C:\Windows\system32\dfutuo.exe 1660 "C:\Windows\SysWOW64\qscdok.exe"
        104⤵
        
        PID:212
        
        C:\Windows\SysWOW64\isdjzr.exe
        
        C:\Windows\system32\isdjzr.exe 1656 "C:\Windows\SysWOW64\dfutuo.exe"
        105⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\sspokq.exe
        
        C:\Windows\system32\sspokq.exe 1136 "C:\Windows\SysWOW64\isdjzr.exe"
        106⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cztmup.exe
        
        C:\Windows\system32\cztmup.exe 1688 "C:\Windows\SysWOW64\sspokq.exe"
        107⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\qaaoxg.exe
        
        C:\Windows\system32\qaaoxg.exe 1680 "C:\Windows\SysWOW64\cztmup.exe"
        108⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\xqnore.exe
        
        C:\Windows\system32\xqnore.exe 1696 "C:\Windows\SysWOW64\qaaoxg.exe"
        109⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\kdfexa.exe
        
        C:\Windows\system32\kdfexa.exe 1692 "C:\Windows\SysWOW64\xqnore.exe"
        110⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\vcjbiz.exe
        
        C:\Windows\system32\vcjbiz.exe 1700 "C:\Windows\SysWOW64\kdfexa.exe"
        111⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\ilpely.exe
        
        C:\Windows\system32\ilpely.exe 1684 "C:\Windows\SysWOW64\vcjbiz.exe"
        112⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\slbkdx.exe
        
        C:\Windows\system32\slbkdx.exe 1708 "C:\Windows\SysWOW64\ilpely.exe"
        113⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\fbwemf.exe
        
        C:\Windows\system32\fbwemf.exe 1704 "C:\Windows\SysWOW64\slbkdx.exe"
        114⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\swocrj.exe
        
        C:\Windows\system32\swocrj.exe 1720 "C:\Windows\SysWOW64\fbwemf.exe"
        115⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\fjxsxf.exe
        
        C:\Windows\system32\fjxsxf.exe 1712 "C:\Windows\SysWOW64\swocrj.exe"
        116⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\nrtkrc.exe
        
        C:\Windows\system32\nrtkrc.exe 1388 "C:\Windows\SysWOW64\fjxsxf.exe"
        117⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\aazvuu.exe
        
        C:\Windows\system32\aazvuu.exe 1724 "C:\Windows\SysWOW64\nrtkrc.exe"
        118⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\kzdsfs.exe
        
        C:\Windows\system32\kzdsfs.exe 1736 "C:\Windows\SysWOW64\aazvuu.exe"
        119⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\yjjvis.exe
        
        C:\Windows\system32\yjjvis.exe 1728 "C:\Windows\SysWOW64\kzdsfs.exe"
        120⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\iinssr.exe
        
        C:\Windows\system32\iinssr.exe 1740 "C:\Windows\SysWOW64\yjjvis.exe"
        121⤵
        
        PID:844
        
        C:\Windows\SysWOW64\shzylp.exe
        
        C:\Windows\system32\shzylp.exe 1748 "C:\Windows\SysWOW64\iinssr.exe"
        122⤵
        
        PID:548
        
        C:\Windows\SysWOW64\fqgaop.exe
        
        C:\Windows\system32\fqgaop.exe 1744 "C:\Windows\SysWOW64\shzylp.exe"
        123⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\qmzlvj.exe
        
        C:\Windows\system32\qmzlvj.exe 1732 "C:\Windows\SysWOW64\fqgaop.exe"
        124⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\aizdde.exe
        
        C:\Windows\system32\aizdde.exe 1760 "C:\Windows\SysWOW64\qmzlvj.exe"
        125⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\ldaosy.exe
        
        C:\Windows\system32\ldaosy.exe 1764 "C:\Windows\SysWOW64\aizdde.exe"
        126⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\vzbgat.exe
        
        C:\Windows\system32\vzbgat.exe 1768 "C:\Windows\SysWOW64\ldaosy.exe"
        127⤵
        
        PID:920
        
        C:\Windows\SysWOW64\fjrqnw.exe
        
        C:\Windows\system32\fjrqnw.exe 1752 "C:\Windows\SysWOW64\vzbgat.exe"
        128⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\stxtqw.exe
        
        C:\Windows\system32\stxtqw.exe 1756 "C:\Windows\SysWOW64\fjrqnw.exe"
        129⤵
        
        PID:708
        
        C:\Windows\SysWOW64\csbrju.exe
        
        C:\Windows\system32\csbrju.exe 1772 "C:\Windows\SysWOW64\stxtqw.exe"
        130⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\qftgoy.exe
        
        C:\Windows\system32\qftgoy.exe 1784 "C:\Windows\SysWOW64\csbrju.exe"
        131⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\usmoia.exe
        
        C:\Windows\system32\usmoia.exe 1788 "C:\Windows\SysWOW64\qftgoy.exe"
        132⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\ifwene.exe
        
        C:\Windows\system32\ifwene.exe 1792 "C:\Windows\SysWOW64\usmoia.exe"
        133⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\vocpqd.exe
        
        C:\Windows\system32\vocpqd.exe 1800 "C:\Windows\SysWOW64\ifwene.exe"
        134⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\fnombc.exe
        
        C:\Windows\system32\fnombc.exe 1776 "C:\Windows\SysWOW64\vocpqd.exe"
        135⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\pnsjlb.exe
        
        C:\Windows\system32\pnsjlb.exe 1812 "C:\Windows\SysWOW64\fnombc.exe"
        136⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\dwyuoa.exe
        
        C:\Windows\system32\dwyuoa.exe 1780 "C:\Windows\SysWOW64\pnsjlb.exe"
        137⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\nhoxjv.exe
        
        C:\Windows\system32\nhoxjv.exe 1820 "C:\Windows\SysWOW64\dwyuoa.exe"
        138⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\aquhmv.exe
        
        C:\Windows\system32\aquhmv.exe 1808 "C:\Windows\SysWOW64\nhoxjv.exe"
        139⤵
        
        PID:748
        
        C:\Windows\SysWOW64\ndexsz.exe
        
        C:\Windows\system32\ndexsz.exe 1816 "C:\Windows\SysWOW64\aquhmv.exe"
        140⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\xcqudy.exe
        
        C:\Windows\system32\xcqudy.exe 1796 "C:\Windows\SysWOW64\ndexsz.exe"
        141⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\lphkib.exe
        
        C:\Windows\system32\lphkib.exe 1828 "C:\Windows\SysWOW64\xcqudy.exe"
        142⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\vwlqba.exe
        
        C:\Windows\system32\vwlqba.exe 1832 "C:\Windows\SysWOW64\lphkib.exe"
        143⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\ijdfhw.exe
        
        C:\Windows\system32\ijdfhw.exe 1836 "C:\Windows\SysWOW64\vwlqba.exe"
        144⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\sihdrv.exe
        
        C:\Windows\system32\sihdrv.exe 1804 "C:\Windows\SysWOW64\ijdfhw.exe"
        145⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\fvzsxz.exe
        
        C:\Windows\system32\fvzsxz.exe 1824 "C:\Windows\SysWOW64\sihdrv.exe"
        146⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\siiidd.exe
        
        C:\Windows\system32\siiidd.exe 1848 "C:\Windows\SysWOW64\fvzsxz.exe"
        147⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\uqufnb.exe
        
        C:\Windows\system32\uqufnb.exe 1840 "C:\Windows\SysWOW64\siiidd.exe"
        148⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\idedbf.exe
        
        C:\Windows\system32\idedbf.exe 1856 "C:\Windows\SysWOW64\uqufnb.exe"
        149⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\scqble.exe
        
        C:\Windows\system32\scqble.exe 1532 "C:\Windows\SysWOW64\idedbf.exe"
        150⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cxjlty.exe
        
        C:\Windows\system32\cxjlty.exe 1852 "C:\Windows\SysWOW64\scqble.exe"
        151⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\pkabzu.exe
        
        C:\Windows\system32\pkabzu.exe 1860 "C:\Windows\SysWOW64\cxjlty.exe"
        152⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\zjfyrt.exe
        
        C:\Windows\system32\zjfyrt.exe 1144 "C:\Windows\SysWOW64\pkabzu.exe"
        153⤵
        
        PID:64
        
        C:\Windows\SysWOW64\ntljut.exe
        
        C:\Windows\system32\ntljut.exe 1868 "C:\Windows\SysWOW64\zjfyrt.exe"
        154⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\xdathw.exe
        
        C:\Windows\system32\xdathw.exe 1872 "C:\Windows\SysWOW64\ntljut.exe"
        155⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\knhwkv.exe
        
        C:\Windows\system32\knhwkv.exe 1140 "C:\Windows\SysWOW64\xdathw.exe"
        156⤵
        
        PID:812
        
        C:\Windows\SysWOW64\xdjztd.exe
        
        C:\Windows\system32\xdjztd.exe 1880 "C:\Windows\SysWOW64\knhwkv.exe"
        157⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\hzcrby.exe
        
        C:\Windows\system32\hzcrby.exe 1892 "C:\Windows\SysWOW64\xdjztd.exe"
        158⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\vmuhou.exe
        
        C:\Windows\system32\vmuhou.exe 1896 "C:\Windows\SysWOW64\hzcrby.exe"
        159⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\fxjrcx.exe
        
        C:\Windows\system32\fxjrcx.exe 1616 "C:\Windows\SysWOW64\vmuhou.exe"
        160⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\sgpufw.exe
        
        C:\Windows\system32\sgpufw.exe 1904 "C:\Windows\SysWOW64\fxjrcx.exe"
        161⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\fthkka.exe
        
        C:\Windows\system32\fthkka.exe 1912 "C:\Windows\SysWOW64\sgpufw.exe"
        162⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\pwwuyd.exe
        
        C:\Windows\system32\pwwuyd.exe 1888 "C:\Windows\SysWOW64\fthkka.exe"
        163⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cfdfbd.exe
        
        C:\Windows\system32\cfdfbd.exe 1900 "C:\Windows\SysWOW64\pwwuyd.exe"
        164⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\nehctu.exe
        
        C:\Windows\system32\nehctu.exe 1716 "C:\Windows\SysWOW64\cfdfbd.exe"
        165⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\zdcfcc.exe
        
        C:\Windows\system32\zdcfcc.exe 1924 "C:\Windows\SysWOW64\nehctu.exe"
        166⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\nmiifb.exe
        
        C:\Windows\system32\nmiifb.exe 1936 "C:\Windows\SysWOW64\zdcfcc.exe"
        167⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\xlufpa.exe
        
        C:\Windows\system32\xlufpa.exe 1916 "C:\Windows\SysWOW64\nmiifb.exe"
        168⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\kyevve.exe
        
        C:\Windows\system32\kyevve.exe 1920 "C:\Windows\SysWOW64\xlufpa.exe"
        169⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\uxqand.exe
        
        C:\Windows\system32\uxqand.exe 1928 "C:\Windows\SysWOW64\kyevve.exe"
        170⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\hszqtz.exe
        
        C:\Windows\system32\hszqtz.exe 1940 "C:\Windows\SysWOW64\uxqand.exe"
        171⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\vfrgzc.exe
        
        C:\Windows\system32\vfrgzc.exe 1932 "C:\Windows\SysWOW64\hszqtz.exe"
        172⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\figqmg.exe
        
        C:\Windows\system32\figqmg.exe 1908 "C:\Windows\SysWOW64\vfrgzc.exe"
        173⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\ssmtpf.exe
        
        C:\Windows\system32\ssmtpf.exe 1504 "C:\Windows\SysWOW64\figqmg.exe"
        174⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cccdki.exe
        
        C:\Windows\system32\cccdki.exe 1952 "C:\Windows\SysWOW64\ssmtpf.exe"
        175⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\pmioni.exe
        
        C:\Windows\system32\pmioni.exe 1956 "C:\Windows\SysWOW64\cccdki.exe"
        176⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\zlmlyg.exe
        
        C:\Windows\system32\zlmlyg.exe 1960 "C:\Windows\SysWOW64\pmioni.exe"
        177⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\nyebdc.exe
        
        C:\Windows\system32\nyebdc.exe 1068 "C:\Windows\SysWOW64\zlmlyg.exe"
        178⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\alvrjg.exe
        
        C:\Windows\system32\alvrjg.exe 1968 "C:\Windows\SysWOW64\nyebdc.exe"
        179⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\kvlbwj.exe
        
        C:\Windows\system32\kvlbwj.exe 1972 "C:\Windows\SysWOW64\alvrjg.exe"
        180⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\vcpugv.exe
        
        C:\Windows\system32\vcpugv.exe 1976 "C:\Windows\SysWOW64\kvlbwj.exe"
        181⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\fbbrru.exe
        
        C:\Windows\system32\fbbrru.exe 1988 "C:\Windows\SysWOW64\vcpugv.exe"
        182⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\pifobt.exe
        
        C:\Windows\system32\pifobt.exe 1992 "C:\Windows\SysWOW64\fbbrru.exe"
        183⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cvxehw.exe
        
        C:\Windows\system32\cvxehw.exe 1984 "C:\Windows\SysWOW64\pifobt.exe"
        184⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\pfvpkw.exe
        
        C:\Windows\system32\pfvpkw.exe 1980 "C:\Windows\SysWOW64\cvxehw.exe"
        185⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\aawzaq.exe
        
        C:\Windows\system32\aawzaq.exe 2004 "C:\Windows\SysWOW64\pfvpkw.exe"
        186⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\nrrcir.exe
        
        C:\Windows\system32\nrrcir.exe 2000 "C:\Windows\SysWOW64\aawzaq.exe"
        187⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\mdmvog.exe
        
        C:\Windows\system32\mdmvog.exe 1996 "C:\Windows\SysWOW64\nrrcir.exe"
        188⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\fdyyyu.exe
        
        C:\Windows\system32\fdyyyu.exe 1844 "C:\Windows\SysWOW64\mdmvog.exe"
        189⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\wgwhoy.exe
        
        C:\Windows\system32\wgwhoy.exe 1420 "C:\Windows\SysWOW64\fdyyyu.exe"
        190⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\kicsrx.exe
        
        C:\Windows\system32\kicsrx.exe 2020 "C:\Windows\SysWOW64\wgwhoy.exe"
        191⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\xdmhxb.exe
        
        C:\Windows\system32\xdmhxb.exe 2016 "C:\Windows\SysWOW64\kicsrx.exe"
        192⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\hcyfha.exe
        
        C:\Windows\system32\hcyfha.exe 1048 "C:\Windows\SysWOW64\xdmhxb.exe"
        193⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\mtgdua.exe
        
        C:\Windows\system32\mtgdua.exe 2036 "C:\Windows\SysWOW64\hcyfha.exe"
        194⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\pwkgsv.exe
        
        C:\Windows\system32\pwkgsv.exe 2028 "C:\Windows\SysWOW64\mtgdua.exe"
        195⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\bbbipm.exe
        
        C:\Windows\system32\bbbipm.exe 2044 "C:\Windows\SysWOW64\pwkgsv.exe"
        196⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\pdilse.exe
        
        C:\Windows\system32\pdilse.exe 2032 "C:\Windows\SysWOW64\bbbipm.exe"
        197⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cyzbxh.exe
        
        C:\Windows\system32\cyzbxh.exe 2092 "C:\Windows\SysWOW64\pdilse.exe"
        198⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\mxdyig.exe
        
        C:\Windows\system32\mxdyig.exe 2040 "C:\Windows\SysWOW64\cyzbxh.exe"
        199⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\hrioiz.exe
        
        C:\Windows\system32\hrioiz.exe 2052 "C:\Windows\SysWOW64\mxdyig.exe"
        200⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\mpnwna.exe
        
        C:\Windows\system32\mpnwna.exe 2068 "C:\Windows\SysWOW64\hrioiz.exe"
        201⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\hxzoed.exe
        
        C:\Windows\system32\hxzoed.exe 2060 "C:\Windows\SysWOW64\mpnwna.exe"
        202⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\jwojvq.exe
        
        C:\Windows\system32\jwojvq.exe 2064 "C:\Windows\SysWOW64\hxzoed.exe"
        203⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\hboegk.exe
        
        C:\Windows\system32\hboegk.exe 2056 "C:\Windows\SysWOW64\jwojvq.exe"
        204⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\uofumf.exe
        
        C:\Windows\system32\uofumf.exe 1864 "C:\Windows\SysWOW64\hboegk.exe"
        205⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\eyvezj.exe
        
        C:\Windows\system32\eyvezj.exe 2080 "C:\Windows\SysWOW64\uofumf.exe"
        206⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\rlmcfm.exe
        
        C:\Windows\system32\rlmcfm.exe 2076 "C:\Windows\SysWOW64\eyvezj.exe"
        207⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\bkqzxl.exe
        
        C:\Windows\system32\bkqzxl.exe 2084 "C:\Windows\SysWOW64\rlmcfm.exe"
        208⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\ofipdp.exe
        
        C:\Windows\system32\ofipdp.exe 2088 "C:\Windows\SysWOW64\bkqzxl.exe"
        209⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\zpxvif.exe
        
        C:\Windows\system32\zpxvif.exe 2096 "C:\Windows\SysWOW64\ofipdp.exe"
        210⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\mchknj.exe
        
        C:\Windows\system32\mchknj.exe 2100 "C:\Windows\SysWOW64\zpxvif.exe"
        211⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\wyivvd.exe
        
        C:\Windows\system32\wyivvd.exe 2104 "C:\Windows\SysWOW64\mchknj.exe"
        212⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\gjxfqh.exe
        
        C:\Windows\system32\gjxfqh.exe 2120 "C:\Windows\SysWOW64\wyivvd.exe"
        213⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reyqyb.exe
        
        C:\Windows\system32\reyqyb.exe 2108 "C:\Windows\SysWOW64\gjxfqh.exe"
        214⤵
        
        PID:640
        
        C:\Windows\SysWOW64\erinex.exe
        
        C:\Windows\system32\erinex.exe 2116 "C:\Windows\SysWOW64\reyqyb.exe"
        215⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\ymvveq.exe
        
        C:\Windows\system32\ymvveq.exe 2112 "C:\Windows\SysWOW64\erinex.exe"
        216⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\mhelju.exe
        
        C:\Windows\system32\mhelju.exe 2132 "C:\Windows\SysWOW64\ymvveq.exe"
        217⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\zikwmt.exe
        
        C:\Windows\system32\zikwmt.exe 1944 "C:\Windows\SysWOW64\mhelju.exe"
        218⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\jtagax.exe
        
        C:\Windows\system32\jtagax.exe 2128 "C:\Windows\SysWOW64\zikwmt.exe"
        219⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\wgrwfa.exe
        
        C:\Windows\system32\wgrwfa.exe 2136 "C:\Windows\SysWOW64\jtagax.exe"
        220⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\beoetu.exe
        
        C:\Windows\system32\beoetu.exe 2140 "C:\Windows\SysWOW64\wgrwfa.exe"
        221⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\mdabds.exe
        
        C:\Windows\system32\mdabds.exe 2152 "C:\Windows\SysWOW64\beoetu.exe"
        222⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\zykzjw.exe
        
        C:\Windows\system32\zykzjw.exe 2156 "C:\Windows\SysWOW64\mdabds.exe"
        223⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\mlcoxa.exe
        
        C:\Windows\system32\mlcoxa.exe 2144 "C:\Windows\SysWOW64\zykzjw.exe"
        224⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\onrzkd.exe
        
        C:\Windows\system32\onrzkd.exe 2164 "C:\Windows\SysWOW64\mlcoxa.exe"
        225⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\yghwpt.exe
        
        C:\Windows\system32\yghwpt.exe 2148 "C:\Windows\SysWOW64\onrzkd.exe"
        226⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\mtyuvx.exe
        
        C:\Windows\system32\mtyuvx.exe 2160 "C:\Windows\SysWOW64\yghwpt.exe"
        227⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\woreks.exe
        
        C:\Windows\system32\woreks.exe 2176 "C:\Windows\SysWOW64\mtyuvx.exe"
        228⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\jbjuqn.exe
        
        C:\Windows\system32\jbjuqn.exe 2168 "C:\Windows\SysWOW64\woreks.exe"
        229⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\uxjnyi.exe
        
        C:\Windows\system32\uxjnyi.exe 2184 "C:\Windows\SysWOW64\jbjuqn.exe"
        230⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\dhzpll.exe
        
        C:\Windows\system32\dhzpll.exe 2188 "C:\Windows\SysWOW64\uxjnyi.exe"
        231⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\dllpzx.exe
        
        C:\Windows\system32\dllpzx.exe 2172 "C:\Windows\SysWOW64\dhzpll.exe"
        232⤵
        
        PID:944
        
        C:\Windows\SysWOW64\rgvfnb.exe
        
        C:\Windows\system32\rgvfnb.exe 2180 "C:\Windows\SysWOW64\dllpzx.exe"
        233⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\etmvtx.exe
        
        C:\Windows\system32\etmvtx.exe 2212 "C:\Windows\SysWOW64\rgvfnb.exe"
        234⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\ovcfga.exe
        
        C:\Windows\system32\ovcfga.exe 2200 "C:\Windows\SysWOW64\etmvtx.exe"
        235⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\bitvme.exe
        
        C:\Windows\system32\bitvme.exe 2208 "C:\Windows\SysWOW64\ovcfga.exe"
        236⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\ohoyvm.exe
        
        C:\Windows\system32\ohoyvm.exe 2192 "C:\Windows\SysWOW64\bitvme.exe"
        237⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\bquayd.exe
        
        C:\Windows\system32\bquayd.exe 2196 "C:\Windows\SysWOW64\ohoyvm.exe"
        238⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\jyiasb.exe
        
        C:\Windows\system32\jyiasb.exe 2204 "C:\Windows\SysWOW64\bquayd.exe"
        239⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\wlzqyx.exe
        
        C:\Windows\system32\wlzqyx.exe 2216 "C:\Windows\SysWOW64\jyiasb.exe"
        240⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\gklniv.exe
        
        C:\Windows\system32\gklniv.exe 1876 "C:\Windows\SysWOW64\wlzqyx.exe"
        241⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\txvdoz.exe
        
        C:\Windows\system32\txvdoz.exe 2232 "C:\Windows\SysWOW64\gklniv.exe"
        242⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\gsmtud.exe
        
        C:\Windows\system32\gsmtud.exe 2224 "C:\Windows\SysWOW64\txvdoz.exe"
        243⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\tfwrzh.exe
        
        C:\Windows\system32\tfwrzh.exe 2124 "C:\Windows\SysWOW64\gsmtud.exe"
        244⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\eeiosg.exe
        
        C:\Windows\system32\eeiosg.exe 2236 "C:\Windows\SysWOW64\tfwrzh.exe"
        245⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\rrseyc.exe
        
        C:\Windows\system32\rrseyc.exe 2240 "C:\Windows\SysWOW64\eeiosg.exe"
        246⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\bqebia.exe
        
        C:\Windows\system32\bqebia.exe 2244 "C:\Windows\SysWOW64\rrseyc.exe"
        247⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\lmfuqv.exe
        
        C:\Windows\system32\lmfuqv.exe 2248 "C:\Windows\SysWOW64\bqebia.exe"
        248⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\zvdwtu.exe
        
        C:\Windows\system32\zvdwtu.exe 2260 "C:\Windows\SysWOW64\lmfuqv.exe"
        249⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\jgahox.exe
        
        C:\Windows\system32\jgahox.exe 2252 "C:\Windows\SysWOW64\zvdwtu.exe"
        250⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\wtkwub.exe
        
        C:\Windows\system32\wtkwub.exe 2264 "C:\Windows\SysWOW64\jgahox.exe"
        251⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\gswuea.exe
        
        C:\Windows\system32\gswuea.exe 2272 "C:\Windows\SysWOW64\wtkwub.exe"
        252⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\qopmuv.exe
        
        C:\Windows\system32\qopmuv.exe 2276 "C:\Windows\SysWOW64\gswuea.exe"
        253⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\gpmunv.exe
        
        C:\Windows\system32\gpmunv.exe 2280 "C:\Windows\SysWOW64\qopmuv.exe"
        254⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ghnfpq.exe
        
        C:\Windows\system32\ghnfpq.exe 2292 "C:\Windows\SysWOW64\gpmunv.exe"
        255⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\qdoxxl.exe
        
        C:\Windows\system32\qdoxxl.exe 2256 "C:\Windows\SysWOW64\ghnfpq.exe"
        256⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\byohef.exe
        
        C:\Windows\system32\byohef.exe 2288 "C:\Windows\SysWOW64\qdoxxl.exe"
        257⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\oxjknf.exe
        
        C:\Windows\system32\oxjknf.exe 2268 "C:\Windows\SysWOW64\byohef.exe"
        258⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\yskdca.exe
        
        C:\Windows\system32\yskdca.exe 2024 "C:\Windows\SysWOW64\oxjknf.exe"
        259⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\lfcsid.exe
        
        C:\Windows\system32\lfcsid.exe 2300 "C:\Windows\SysWOW64\yskdca.exe"
        260⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\yslioh.exe
        
        C:\Windows\system32\yslioh.exe 2304 "C:\Windows\SysWOW64\lfcsid.exe"
        261⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\jsxfyg.exe
        
        C:\Windows\system32\jsxfyg.exe 2296 "C:\Windows\SysWOW64\yslioh.exe"
        262⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\wnhvek.exe
        
        C:\Windows\system32\wnhvek.exe 2228 "C:\Windows\SysWOW64\jsxfyg.exe"
        263⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\jaylkg.exe
        
        C:\Windows\system32\jaylkg.exe 2316 "C:\Windows\SysWOW64\wnhvek.exe"
        264⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\tcovfj.exe
        
        C:\Windows\system32\tcovfj.exe 2312 "C:\Windows\SysWOW64\jaylkg.exe"
        265⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\dudbkz.exe
        
        C:\Windows\system32\dudbkz.exe 2320 "C:\Windows\SysWOW64\tcovfj.exe"
        266⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\lzewom.exe
        
        C:\Windows\system32\lzewom.exe 2332 "C:\Windows\SysWOW64\dudbkz.exe"
        267⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\vjbgbp.exe
        
        C:\Windows\system32\vjbgbp.exe 2324 "C:\Windows\SysWOW64\lzewom.exe"
        268⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\iwlwht.exe
        
        C:\Windows\system32\iwlwht.exe 2356 "C:\Windows\SysWOW64\vjbgbp.exe"
        269⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\wjcmnp.exe
        
        C:\Windows\system32\wjcmnp.exe 2340 "C:\Windows\SysWOW64\iwlwht.exe"
        270⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\gigjxo.exe
        
        C:\Windows\system32\gigjxo.exe 2328 "C:\Windows\SysWOW64\wjcmnp.exe"
        271⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\ldamil.exe
        
        C:\Windows\system32\ldamil.exe 2348 "C:\Windows\SysWOW64\gigjxo.exe"
        272⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\wzdudz.exe
        
        C:\Windows\system32\wzdudz.exe 2336 "C:\Windows\SysWOW64\ldamil.exe"
        273⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\fbseqd.exe
        
        C:\Windows\system32\fbseqd.exe 2344 "C:\Windows\SysWOW64\wzdudz.exe"
        274⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\dzlvud.exe
        
        C:\Windows\system32\dzlvud.exe 1072 "C:\Windows\SysWOW64\fbseqd.exe"
        275⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\gnaoaf.exe
        
        C:\Windows\system32\gnaoaf.exe 2368 "C:\Windows\SysWOW64\dzlvud.exe"
        276⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\lxspck.exe
        
        C:\Windows\system32\lxspck.exe 2364 "C:\Windows\SysWOW64\gnaoaf.exe"
        277⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\qnbaba.exe
        
        C:\Windows\system32\qnbaba.exe 2372 "C:\Windows\SysWOW64\lxspck.exe"
        278⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\ayqlwv.exe
        
        C:\Windows\system32\ayqlwv.exe 2360 "C:\Windows\SysWOW64\qnbaba.exe"
        279⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\nliacz.exe
        
        C:\Windows\system32\nliacz.exe 2376 "C:\Windows\SysWOW64\ayqlwv.exe"
        280⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\sbcdlh.exe
        
        C:\Windows\system32\sbcdlh.exe 2380 "C:\Windows\SysWOW64\nliacz.exe"
        281⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\gljgoh.exe
        
        C:\Windows\system32\gljgoh.exe 2384 "C:\Windows\SysWOW64\sbcdlh.exe"
        282⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\qvyqbk.exe
        
        C:\Windows\system32\qvyqbk.exe 2396 "C:\Windows\SysWOW64\gljgoh.exe"
        283⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\kvkzuv.exe
        
        C:\Windows\system32\kvkzuv.exe 2400 "C:\Windows\SysWOW64\qvyqbk.exe"
        284⤵
        
        PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bgybul.exe

Filesize
102KB

MD5
49e8e08b18ada0f043c30b2851d9d384

SHA1
b5bec299707b4f50fab101a2816fcfcd74c06835

SHA256
a42e7e9ee505c3c3687ec069e49d2b124ce06d93f9e5795d0898f669778aebfc

SHA512
c639b07280fceb075f8bcc20426b6f8356aa08efadc97c4b9746511bfa471002754f84c93c80538ada9acf435a47a45dee82c277b8c0ebe18b602d34f494f6c8

Download Submit
C:\Windows\SysWOW64\bgybul.exe

Filesize
92KB

MD5
e634ec8329b2c7c45e72e83ae80e21db

SHA1
57aa96c381536d383a29bd1fcf1db7f77b1d06fc

SHA256
74e0d31e42955839effdde980f6f9009dd95378d171a39cf0de56f614333cb8d

SHA512
75f27d76d66cc4b280d1dff2f6992054aedddc61e3b4318d5eb4579a5d8598a156774d23decca462ba184b11f84cb8a5703bee317d478fa0d4e3c7200b0a746e

Download Submit
C:\Windows\SysWOW64\ibrmsn.exe

Filesize
147KB

MD5
545de00a44e44ff1bbc119857dd15f79

SHA1
246493466b8052de8ab1409c438cbafd8398cf0a

SHA256
98c33d224206752ea52528b128a3495306c35c53f2c8c206b4c194a9cb82a525

SHA512
24f106215aa82dee23bd72718b8aebc7e2ee643d1d04b292b11bab75fa46306a153670f67c6e39bd3dea12a5695f9edebc9a809e2972abfe43a100889fe2deb0

Download Submit
memory/316-122-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/676-38-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/676-27-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/792-255-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/816-247-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1004-58-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1004-48-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1056-160-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1056-150-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1100-219-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1100-211-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1408-233-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1416-214-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1432-146-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1556-75-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1580-197-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1632-242-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1632-235-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2108-51-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2108-41-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2128-84-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2232-209-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2392-179-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2504-173-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2504-163-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2560-153-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2784-257-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2944-114-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3064-238-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3064-230-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3100-166-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3280-140-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3364-34-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3364-46-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3380-134-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3532-203-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3764-20-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3764-30-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3788-110-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3788-101-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3880-216-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3880-224-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3976-244-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3976-251-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4084-185-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4084-176-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4204-191-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4240-65-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4240-55-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4504-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4504-9-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4624-104-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4624-94-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4660-221-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4660-228-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4680-62-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4680-69-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4740-81-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4740-90-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4808-14-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4920-97-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5012-126-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5060-24-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5060-13-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads