metasploit | 7f15f65eff5f4776a7a19cb5cc922f9e2e8c4cf5b066741fc0ea5190954a682f

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39927b40478fb42bf73f909b1e3cbe18.exe
Size

440KB
MD5

39927b40478fb42bf73f909b1e3cbe18
SHA1

15d8cb53c2b5bf4e4e430d27a9c09584a0c741e6
SHA256

7f15f65eff5f4776a7a19cb5cc922f9e2e8c4cf5b066741fc0ea5190954a682f
SHA512

14ce0e8cb5e52a36531f45146302a0c6a965742673dde7207e7576df37a921ac6b284390bad59e9a6c03f87b33e6d9a255e052a124c34e87339adc449b75e8eb
SSDEEP

12288:dq3eTRLQp1cWhLb2LYGRfFWh9BQkgIGK+nN/a+LBaiKRqE:o3+RLQp15B2Lkh9WKQfBa1D

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
2784	felehjr.exe
2692	felehjr.exe
2352	whzgitj.exe
2788	whzgitj.exe
2488	eljtsem.exe
2880	eljtsem.exe
1660	gkyjqjz.exe
1988	gkyjqjz.exe
700	pijxbnr.exe
1108	nslbkyj.exe
628	hbxesey.exe
2336	xrxyuxi.exe
2664	yegakhq.exe
560	cehwabp.exe
1812	kxnbxvx.exe
1488	kxnbxvx.exe
1656	uhdzclz.exe
1504	uhdzclz.exe
2392	zjlhbdj.exe
884	zjlhbdj.exe
2652	bfaccng.exe
2828	gckhpkn.exe
2736	zczcwre.exe
2612	okfzczx.exe
2856	norwyqg.exe
2128	norwyqg.exe
1748	quyhoqp.exe
1692	quyhoqp.exe
1644	crshnzy.exe
1524	xfwmlkx.exe
628	hbxesey.exe
1684	hbxesey.exe
1052	ehtcjot.exe
2036	rdnpohe.exe
2468	wndkwfk.exe
2272	wndkwfk.exe
1628	hstvlbx.exe
1700	gpsuriy.exe
1764	rzzdemu.exe
2820	otvzbtb.exe
3008	osicngw.exe
2592	bgmphxa.exe
3024	iohpbmj.exe
2912	iohpbmj.exe
528	vcxhbkp.exe
2216	qwvhvkt.exe
1936	adhffia.exe
2248	adhffia.exe
1952	hlufsyc.exe
2112	hlufsyc.exe
960	ghkorjx.exe
1208	rkhckxj.exe
2496	cbgpsgs.exe
2164	zruuwmt.exe
2416	bvdudtc.exe
1628	hstvlbx.exe
2284	tmzkwfb.exe
2588	tmzkwfb.exe
2908	nitmkfa.exe
2684	buucqvl.exe
1736	yroomft.exe
2988	lpnvypm.exe
440	otsdvla.exe
1780	tuyahio.exe

Loads dropped DLL 64 IoCs

pid	Process
2648	39927b40478fb42bf73f909b1e3cbe18.exe
2648	39927b40478fb42bf73f909b1e3cbe18.exe
2784	felehjr.exe
2692	felehjr.exe
2692	felehjr.exe
2352	whzgitj.exe
2788	whzgitj.exe
2788	whzgitj.exe
2488	eljtsem.exe
2880	eljtsem.exe
2880	eljtsem.exe
1660	gkyjqjz.exe
1988	gkyjqjz.exe
1988	gkyjqjz.exe
1108	nslbkyj.exe
1108	nslbkyj.exe
2336	xrxyuxi.exe
2336	xrxyuxi.exe
560	cehwabp.exe
560	cehwabp.exe
1488	kxnbxvx.exe
1488	kxnbxvx.exe
1504	uhdzclz.exe
1504	uhdzclz.exe
884	zjlhbdj.exe
884	zjlhbdj.exe
2828	gckhpkn.exe
2828	gckhpkn.exe
2612	okfzczx.exe
2612	okfzczx.exe
2128	norwyqg.exe
2128	norwyqg.exe
1692	quyhoqp.exe
1692	quyhoqp.exe
1524	xfwmlkx.exe
1524	xfwmlkx.exe
1684	hbxesey.exe
1684	hbxesey.exe
2036	rdnpohe.exe
2036	rdnpohe.exe
2272	wndkwfk.exe
2272	wndkwfk.exe
1700	gpsuriy.exe
1700	gpsuriy.exe
2820	otvzbtb.exe
2820	otvzbtb.exe
2592	bgmphxa.exe
2592	bgmphxa.exe
2912	iohpbmj.exe
2912	iohpbmj.exe
2216	qwvhvkt.exe
2216	qwvhvkt.exe
2248	adhffia.exe
2248	adhffia.exe
2112	hlufsyc.exe
2112	hlufsyc.exe
1208	rkhckxj.exe
1208	rkhckxj.exe
2164	zruuwmt.exe
2164	zruuwmt.exe
1628	hstvlbx.exe
1628	hstvlbx.exe
2588	tmzkwfb.exe
2588	tmzkwfb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\myixopz.exe	qxqkkdn.exe
File created	C:\Windows\SysWOW64\fsqnymj.exe	abtacyy.exe
File created	C:\Windows\SysWOW64\ipjvkkx.exe	ldoimir.exe
File created	C:\Windows\SysWOW64\hvefipx.exe	npquuxv.exe
File opened for modification	C:\Windows\SysWOW64\qxjcdps.exe	oydmfke.exe
File opened for modification	C:\Windows\SysWOW64\jmvvqjg.exe	utyagnv.exe
File created	C:\Windows\SysWOW64\rygoqtw.exe	dxmrhkw.exe
File created	C:\Windows\SysWOW64\wndkwfk.exe	rdnpohe.exe
File opened for modification	C:\Windows\SysWOW64\lvrqujv.exe	bwftbkn.exe
File created	C:\Windows\SysWOW64\cfkucdi.exe	cbzhlrf.exe
File created	C:\Windows\SysWOW64\qoapmhe.exe	bvdudtc.exe
File created	C:\Windows\SysWOW64\lhpnxqm.exe	bfaccng.exe
File opened for modification	C:\Windows\SysWOW64\erszbqk.exe	tiqbxgd.exe
File opened for modification	C:\Windows\SysWOW64\kbrkggj.exe	dqlfjmb.exe
File opened for modification	C:\Windows\SysWOW64\welkjit.exe	zspxton.exe
File opened for modification	C:\Windows\SysWOW64\yhlserl.exe	nlkioxc.exe
File created	C:\Windows\SysWOW64\kkuytqj.exe	aptoewj.exe
File opened for modification	C:\Windows\SysWOW64\yegakhq.exe	qlhavsm.exe
File opened for modification	C:\Windows\SysWOW64\zspxton.exe	xxmvyny.exe
File opened for modification	C:\Windows\SysWOW64\ccckdfi.exe	ucdkwze.exe
File opened for modification	C:\Windows\SysWOW64\dbesmzr.exe	olvigmy.exe
File created	C:\Windows\SysWOW64\scejgye.exe	lvrqujv.exe
File created	C:\Windows\SysWOW64\rdilpyn.exe	xtgesez.exe
File opened for modification	C:\Windows\SysWOW64\cwhskcs.exe	qymxctn.exe
File created	C:\Windows\SysWOW64\zczcwre.exe	nitmkfa.exe
File created	C:\Windows\SysWOW64\guivwpw.exe	rblimtt.exe
File opened for modification	C:\Windows\SysWOW64\cotowyi.exe	gkqgkbs.exe
File created	C:\Windows\SysWOW64\abtacyy.exe	tuyahio.exe
File created	C:\Windows\SysWOW64\abrasxh.exe	tteayhf.exe
File opened for modification	C:\Windows\SysWOW64\bhegbep.exe	chgvbja.exe
File opened for modification	C:\Windows\SysWOW64\cexxnfq.exe	sxszdgj.exe
File created	C:\Windows\SysWOW64\wuokkpp.exe	rqccrfc.exe
File created	C:\Windows\SysWOW64\eucwzqb.exe	zdhtiiv.exe
File opened for modification	C:\Windows\SysWOW64\jdypwxa.exe	zpfagqn.exe
File created	C:\Windows\SysWOW64\euqkcxy.exe	ugquept.exe
File created	C:\Windows\SysWOW64\vxnuegq.exe	euqkcxy.exe
File opened for modification	C:\Windows\SysWOW64\zzlovwt.exe	qxwwvdq.exe
File opened for modification	C:\Windows\SysWOW64\vhrdkxh.exe	txrnsbz.exe
File opened for modification	C:\Windows\SysWOW64\rdnpohe.exe	hbxesey.exe
File created	C:\Windows\SysWOW64\kbgqojp.exe	fsqnymj.exe
File created	C:\Windows\SysWOW64\xxmvyny.exe	myixopz.exe
File created	C:\Windows\SysWOW64\ncmqkyg.exe	apvbfui.exe
File opened for modification	C:\Windows\SysWOW64\pomicae.exe	kbsajqz.exe
File created	C:\Windows\SysWOW64\ihjgsyr.exe	yeuwfvl.exe
File created	C:\Windows\SysWOW64\crcoysf.exe	ihjgsyr.exe
File opened for modification	C:\Windows\SysWOW64\uhdzclz.exe	kxnbxvx.exe
File created	C:\Windows\SysWOW64\zruuwmt.exe	rkhckxj.exe
File opened for modification	C:\Windows\SysWOW64\yfegmel.exe	oyaibfe.exe
File created	C:\Windows\SysWOW64\tsyjvyk.exe	mhzeget.exe
File opened for modification	C:\Windows\SysWOW64\vttxgrj.exe	qoapmhe.exe
File opened for modification	C:\Windows\SysWOW64\eljtsem.exe	whzgitj.exe
File created	C:\Windows\SysWOW64\udhppqb.exe	pnkutcq.exe
File created	C:\Windows\SysWOW64\pdaqqyz.exe	hzqkznw.exe
File created	C:\Windows\SysWOW64\qfjsaku.exe	dsacuon.exe
File created	C:\Windows\SysWOW64\fhmkeol.exe	agdpwif.exe
File opened for modification	C:\Windows\SysWOW64\dqlfjmb.exe	xbcfxsl.exe
File opened for modification	C:\Windows\SysWOW64\sprqwty.exe	hqmteuq.exe
File opened for modification	C:\Windows\SysWOW64\vstgywb.exe	kwavrba.exe
File opened for modification	C:\Windows\SysWOW64\ezqzght.exe	xorujnl.exe
File created	C:\Windows\SysWOW64\jbdzgqm.exe	zczcwre.exe
File created	C:\Windows\SysWOW64\fakfttt.exe	yhlserl.exe
File opened for modification	C:\Windows\SysWOW64\ujqsgsp.exe	ccqvbeg.exe
File opened for modification	C:\Windows\SysWOW64\buucqvl.exe	tmzkwfb.exe
File opened for modification	C:\Windows\SysWOW64\kbgqojp.exe	fsqnymj.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2648	2652	gckhpkn.exe	28
PID 2784 set thread context of 2692	2784	felehjr.exe	29
PID 2352 set thread context of 2788	2352	whzgitj.exe	30
PID 2488 set thread context of 2880	2488	eljtsem.exe	31
PID 1660 set thread context of 1988	1660	gkyjqjz.exe	32
PID 700 set thread context of 1108	700	pijxbnr.exe	33
PID 628 set thread context of 2336	628	hbxesey.exe	35
PID 2664 set thread context of 560	2664	yegakhq.exe	36
PID 1812 set thread context of 1488	1812	kxnbxvx.exe	37
PID 1656 set thread context of 1504	1656	uhdzclz.exe	38
PID 2392 set thread context of 884	2392	zjlhbdj.exe	111
PID 2652 set thread context of 2828	2652	bfaccng.exe	99
PID 2736 set thread context of 2612	2736	zczcwre.exe	39
PID 2856 set thread context of 2128	2856	norwyqg.exe	41
PID 1748 set thread context of 1692	1748	quyhoqp.exe	44
PID 1644 set thread context of 1524	1644	crshnzy.exe	46
PID 628 set thread context of 1684	628	hbxesey.exe	47
PID 1052 set thread context of 2036	1052	ehtcjot.exe	50
PID 2468 set thread context of 2272	2468	wndkwfk.exe	52
PID 1628 set thread context of 1700	1628	hstvlbx.exe	54
PID 1764 set thread context of 2820	1764	rzzdemu.exe	55
PID 3008 set thread context of 2592	3008	osicngw.exe	58
PID 3024 set thread context of 2912	3024	iohpbmj.exe	60
PID 528 set thread context of 2216	528	vcxhbkp.exe	62
PID 1936 set thread context of 2248	1936	adhffia.exe	64
PID 1952 set thread context of 2112	1952	hlufsyc.exe	66
PID 960 set thread context of 1208	960	ghkorjx.exe	68
PID 2496 set thread context of 2164	2496	cbgpsgs.exe	70
PID 2416 set thread context of 1628	2416	bvdudtc.exe	71
PID 2284 set thread context of 2588	2284	tmzkwfb.exe	72
PID 2908 set thread context of 2684	2908	nitmkfa.exe	74
PID 1736 set thread context of 2988	1736	yroomft.exe	76
PID 440 set thread context of 1780	440	otsdvla.exe	79
PID 1640 set thread context of 1020	1640	abtacyy.exe	81
PID 2452 set thread context of 2544	2452	pqtuwrg.exe	83
PID 460 set thread context of 2412	460	jdypwxa.exe	86
PID 2332 set thread context of 1332	2332	uaknzix.exe	87
PID 2176 set thread context of 2900	2176	ezoljhw.exe	90
PID 2624 set thread context of 2680	2624	zczcwre.exe	92
PID 1664 set thread context of 1928	1664	yfegmel.exe	94
PID 1308 set thread context of 2960	1308	bwftbkn.exe	96
PID 832 set thread context of 2944	832	lvrqujv.exe	98
PID 1968 set thread context of 2556	1968	aptoewj.exe	102
PID 2732 set thread context of 1616	2732	kkuytqj.exe	104
PID 1356 set thread context of 2968	1356	ssqqfft.exe	106
PID 1460 set thread context of 2760	1460	asaniyd.exe	107
PID 1224 set thread context of 2840	1224	dylfwrj.exe	110
PID 1944 set thread context of 1932	1944	ctmejud.exe	112
PID 2432 set thread context of 1308	2432	hpnrvgq.exe	116
PID 1960 set thread context of 832	1960	cwjgzbq.exe	118
PID 700 set thread context of 2940	700	pijxbnr.exe	120
PID 2396 set thread context of 1384	2396	vcxhbkp.exe	121
PID 2736 set thread context of 1732	2736	zczcwre.exe	124
PID 1976 set thread context of 2644	1976	vkekaqe.exe	126
PID 1224 set thread context of 1080	1224	dylfwrj.exe	129
PID 1944 set thread context of 2740	1944	ctmejud.exe	132
PID 2432 set thread context of 1808	2432	hpnrvgq.exe	134
PID 1568 set thread context of 2704	1568	fpnyboi.exe	136
PID 1440 set thread context of 960	1440	hfnfauo.exe	139
PID 2068 set thread context of 2572	2068	nfqyuue.exe	141
PID 2564 set thread context of 2584	2564	rgibkwo.exe	143
PID 1728 set thread context of 2156	1728	kmnpefm.exe	144
PID 1224 set thread context of 2608	1224	dylfwrj.exe	147
PID 1944 set thread context of 1092	1944	ctmejud.exe	149

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2652 wrote to memory of 2648	2652	gckhpkn.exe	28
PID 2648 wrote to memory of 2784	2648	39927b40478fb42bf73f909b1e3cbe18.exe	180
PID 2648 wrote to memory of 2784	2648	39927b40478fb42bf73f909b1e3cbe18.exe	180
PID 2648 wrote to memory of 2784	2648	39927b40478fb42bf73f909b1e3cbe18.exe	180
PID 2648 wrote to memory of 2784	2648	39927b40478fb42bf73f909b1e3cbe18.exe	180
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2784 wrote to memory of 2692	2784	felehjr.exe	29
PID 2692 wrote to memory of 2352	2692	felehjr.exe	179
PID 2692 wrote to memory of 2352	2692	felehjr.exe	179
PID 2692 wrote to memory of 2352	2692	felehjr.exe	179
PID 2692 wrote to memory of 2352	2692	felehjr.exe	179
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2352 wrote to memory of 2788	2352	whzgitj.exe	30
PID 2788 wrote to memory of 2488	2788	whzgitj.exe	178
PID 2788 wrote to memory of 2488	2788	whzgitj.exe	178
PID 2788 wrote to memory of 2488	2788	whzgitj.exe	178
PID 2788 wrote to memory of 2488	2788	whzgitj.exe	178
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2488 wrote to memory of 2880	2488	eljtsem.exe	31
PID 2880 wrote to memory of 1660	2880	eljtsem.exe	169
PID 2880 wrote to memory of 1660	2880	eljtsem.exe	169
PID 2880 wrote to memory of 1660	2880	eljtsem.exe	169
PID 2880 wrote to memory of 1660	2880	eljtsem.exe	169
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32
PID 1660 wrote to memory of 1988	1660	gkyjqjz.exe	32

C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe
"C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe"
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe
  "C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\felehjr.exe
    C:\Windows\system32\felehjr.exe 532 "C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2784
- C:\Windows\SysWOW64\gckhpkn.exe
  C:\Windows\system32\gckhpkn.exe 464 "C:\Windows\SysWOW64\zjlhbdj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2828

C:\Windows\SysWOW64\felehjr.exe
C:\Windows\system32\felehjr.exe 532 "C:\Users\Admin\AppData\Local\Temp\39927b40478fb42bf73f909b1e3cbe18.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\whzgitj.exe
  C:\Windows\system32\whzgitj.exe 452 "C:\Windows\SysWOW64\felehjr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2352

C:\Windows\SysWOW64\whzgitj.exe
C:\Windows\system32\whzgitj.exe 452 "C:\Windows\SysWOW64\felehjr.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\eljtsem.exe
  C:\Windows\system32\eljtsem.exe 452 "C:\Windows\SysWOW64\whzgitj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2488

C:\Windows\SysWOW64\eljtsem.exe
C:\Windows\system32\eljtsem.exe 452 "C:\Windows\SysWOW64\whzgitj.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\gkyjqjz.exe
  C:\Windows\system32\gkyjqjz.exe 528 "C:\Windows\SysWOW64\eljtsem.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1660

C:\Windows\SysWOW64\gkyjqjz.exe
C:\Windows\system32\gkyjqjz.exe 528 "C:\Windows\SysWOW64\eljtsem.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988
- C:\Windows\SysWOW64\nslbkyj.exe
  C:\Windows\system32\nslbkyj.exe 520 "C:\Windows\SysWOW64\gkyjqjz.exe"
  2⤵
  PID:700

C:\Windows\SysWOW64\nslbkyj.exe
C:\Windows\system32\nslbkyj.exe 520 "C:\Windows\SysWOW64\gkyjqjz.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108
- C:\Windows\SysWOW64\xrxyuxi.exe
  C:\Windows\system32\xrxyuxi.exe 540 "C:\Windows\SysWOW64\nslbkyj.exe"
  2⤵
  PID:628
- - C:\Windows\SysWOW64\xrxyuxi.exe
    C:\Windows\system32\xrxyuxi.exe 540 "C:\Windows\SysWOW64\nslbkyj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2336
  - - C:\Windows\SysWOW64\cehwabp.exe
      C:\Windows\system32\cehwabp.exe 536 "C:\Windows\SysWOW64\xrxyuxi.exe"
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\hbxesey.exe
    C:\Windows\system32\hbxesey.exe 528 "C:\Windows\SysWOW64\xfwmlkx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1684
  - - C:\Windows\SysWOW64\rdnpohe.exe
      C:\Windows\system32\rdnpohe.exe 528 "C:\Windows\SysWOW64\hbxesey.exe"
      4⤵
      PID:1052
    - - C:\Windows\SysWOW64\rdnpohe.exe
        
        C:\Windows\system32\rdnpohe.exe 528 "C:\Windows\SysWOW64\hbxesey.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2036
      - C:\Windows\SysWOW64\wndkwfk.exe
        
        C:\Windows\system32\wndkwfk.exe 536 "C:\Windows\SysWOW64\rdnpohe.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2468
        
        C:\Windows\SysWOW64\wndkwfk.exe
        
        C:\Windows\system32\wndkwfk.exe 536 "C:\Windows\SysWOW64\rdnpohe.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
        
        C:\Windows\SysWOW64\gpsuriy.exe
        
        C:\Windows\system32\gpsuriy.exe 528 "C:\Windows\SysWOW64\wndkwfk.exe"
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\gpsuriy.exe
        
        C:\Windows\system32\gpsuriy.exe 528 "C:\Windows\SysWOW64\wndkwfk.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1700
        
        C:\Windows\SysWOW64\otvzbtb.exe
        
        C:\Windows\system32\otvzbtb.exe 536 "C:\Windows\SysWOW64\gpsuriy.exe"
        10⤵
        
        PID:1764

C:\Windows\SysWOW64\cehwabp.exe
C:\Windows\system32\cehwabp.exe 536 "C:\Windows\SysWOW64\xrxyuxi.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560
- C:\Windows\SysWOW64\kxnbxvx.exe
  C:\Windows\system32\kxnbxvx.exe 528 "C:\Windows\SysWOW64\cehwabp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1812

C:\Windows\SysWOW64\kxnbxvx.exe
C:\Windows\system32\kxnbxvx.exe 528 "C:\Windows\SysWOW64\cehwabp.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1488
- C:\Windows\SysWOW64\uhdzclz.exe
  C:\Windows\system32\uhdzclz.exe 528 "C:\Windows\SysWOW64\kxnbxvx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1656

C:\Windows\SysWOW64\uhdzclz.exe
C:\Windows\system32\uhdzclz.exe 528 "C:\Windows\SysWOW64\kxnbxvx.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504
- C:\Windows\SysWOW64\zjlhbdj.exe
  C:\Windows\system32\zjlhbdj.exe 476 "C:\Windows\SysWOW64\uhdzclz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2392

C:\Windows\SysWOW64\okfzczx.exe
C:\Windows\system32\okfzczx.exe 528 "C:\Windows\SysWOW64\gckhpkn.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612
- C:\Windows\SysWOW64\norwyqg.exe
  C:\Windows\system32\norwyqg.exe 528 "C:\Windows\SysWOW64\okfzczx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2856
- - C:\Windows\SysWOW64\norwyqg.exe
    C:\Windows\system32\norwyqg.exe 528 "C:\Windows\SysWOW64\okfzczx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2128
  - - C:\Windows\SysWOW64\quyhoqp.exe
      C:\Windows\system32\quyhoqp.exe 540 "C:\Windows\SysWOW64\norwyqg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1748
    - - C:\Windows\SysWOW64\quyhoqp.exe
        
        C:\Windows\system32\quyhoqp.exe 540 "C:\Windows\SysWOW64\norwyqg.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1692
      - C:\Windows\SysWOW64\xfwmlkx.exe
        
        C:\Windows\system32\xfwmlkx.exe 528 "C:\Windows\SysWOW64\quyhoqp.exe"
        6⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xfwmlkx.exe
        
        C:\Windows\system32\xfwmlkx.exe 528 "C:\Windows\SysWOW64\quyhoqp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1524
        
        C:\Windows\SysWOW64\hbxesey.exe
        
        C:\Windows\system32\hbxesey.exe 528 "C:\Windows\SysWOW64\xfwmlkx.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:628
        
        C:\Windows\SysWOW64\pijxbnr.exe
        
        C:\Windows\system32\pijxbnr.exe 528 "C:\Windows\SysWOW64\iaoxhyh.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:700
        
        C:\Windows\SysWOW64\ahnvlmz.exe
        
        C:\Windows\system32\ahnvlmz.exe 528 "C:\Windows\SysWOW64\pijxbnr.exe"
        8⤵
        
        PID:1904

C:\Windows\SysWOW64\okfzczx.exe
C:\Windows\system32\okfzczx.exe 528 "C:\Windows\SysWOW64\gckhpkn.exe"
1⤵
PID:2736

C:\Windows\SysWOW64\otvzbtb.exe
C:\Windows\system32\otvzbtb.exe 536 "C:\Windows\SysWOW64\gpsuriy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820
- C:\Windows\SysWOW64\bgmphxa.exe
  C:\Windows\system32\bgmphxa.exe 532 "C:\Windows\SysWOW64\otvzbtb.exe"
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\bgmphxa.exe
    C:\Windows\system32\bgmphxa.exe 532 "C:\Windows\SysWOW64\otvzbtb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2592
  - - C:\Windows\SysWOW64\iohpbmj.exe
      C:\Windows\system32\iohpbmj.exe 528 "C:\Windows\SysWOW64\bgmphxa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3024
    - - C:\Windows\SysWOW64\iohpbmj.exe
        
        C:\Windows\system32\iohpbmj.exe 528 "C:\Windows\SysWOW64\bgmphxa.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2912
      - C:\Windows\SysWOW64\qwvhvkt.exe
        
        C:\Windows\system32\qwvhvkt.exe 532 "C:\Windows\SysWOW64\iohpbmj.exe"
        6⤵
        
        PID:528
        
        C:\Windows\SysWOW64\qwvhvkt.exe
        
        C:\Windows\system32\qwvhvkt.exe 532 "C:\Windows\SysWOW64\iohpbmj.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2216
        
        C:\Windows\SysWOW64\adhffia.exe
        
        C:\Windows\system32\adhffia.exe 484 "C:\Windows\SysWOW64\qwvhvkt.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1936
        
        C:\Windows\SysWOW64\adhffia.exe
        
        C:\Windows\system32\adhffia.exe 484 "C:\Windows\SysWOW64\qwvhvkt.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2248
        
        C:\Windows\SysWOW64\hlufsyc.exe
        
        C:\Windows\system32\hlufsyc.exe 528 "C:\Windows\SysWOW64\adhffia.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1952
        
        C:\Windows\SysWOW64\hlufsyc.exe
        
        C:\Windows\system32\hlufsyc.exe 528 "C:\Windows\SysWOW64\adhffia.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2112
        
        C:\Windows\SysWOW64\rkhckxj.exe
        
        C:\Windows\system32\rkhckxj.exe 528 "C:\Windows\SysWOW64\hlufsyc.exe"
        12⤵
        
        PID:960
        
        C:\Windows\SysWOW64\rkhckxj.exe
        
        C:\Windows\system32\rkhckxj.exe 528 "C:\Windows\SysWOW64\hlufsyc.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\zruuwmt.exe
        
        C:\Windows\system32\zruuwmt.exe 536 "C:\Windows\SysWOW64\rkhckxj.exe"
        14⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\zruuwmt.exe
        
        C:\Windows\system32\zruuwmt.exe 536 "C:\Windows\SysWOW64\rkhckxj.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2164
        
        C:\Windows\SysWOW64\hstvlbx.exe
        
        C:\Windows\system32\hstvlbx.exe 528 "C:\Windows\SysWOW64\zruuwmt.exe"
        16⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\kzgruhd.exe
        
        C:\Windows\system32\kzgruhd.exe 532 "C:\Windows\SysWOW64\dgimffu.exe"
        17⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\xqbuchi.exe
        
        C:\Windows\system32\xqbuchi.exe 532 "C:\Windows\SysWOW64\kzgruhd.exe"
        18⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\xqbuchi.exe
        
        C:\Windows\system32\xqbuchi.exe 532 "C:\Windows\SysWOW64\kzgruhd.exe"
        19⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\hpnrvgq.exe
        
        C:\Windows\system32\hpnrvgq.exe 528 "C:\Windows\SysWOW64\xqbuchi.exe"
        20⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\hpnrvgq.exe
        
        C:\Windows\system32\hpnrvgq.exe 528 "C:\Windows\SysWOW64\xqbuchi.exe"
        21⤵
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Windows\SysWOW64\vcxhbkp.exe
        
        C:\Windows\system32\vcxhbkp.exe 528 "C:\Windows\SysWOW64\hpnrvgq.exe"
        22⤵
        Suspicious use of SetThreadContext
        
        PID:2396
        
        C:\Windows\SysWOW64\vcxhbkp.exe
        
        C:\Windows\system32\vcxhbkp.exe 528 "C:\Windows\SysWOW64\hpnrvgq.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:528
        
        C:\Windows\SysWOW64\crshnzy.exe
        
        C:\Windows\system32\crshnzy.exe 536 "C:\Windows\SysWOW64\vcxhbkp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1644
        
        C:\Windows\SysWOW64\crshnzy.exe
        
        C:\Windows\system32\crshnzy.exe 536 "C:\Windows\SysWOW64\vcxhbkp.exe"
        25⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\pinkdhe.exe
        
        C:\Windows\system32\pinkdhe.exe 536 "C:\Windows\SysWOW64\crshnzy.exe"
        26⤵
        
        PID:340
        
        C:\Windows\SysWOW64\pinkdhe.exe
        
        C:\Windows\system32\pinkdhe.exe 536 "C:\Windows\SysWOW64\crshnzy.exe"
        27⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\uvgjpri.exe
        
        C:\Windows\system32\uvgjpri.exe 460 "C:\Windows\SysWOW64\pinkdhe.exe"
        28⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\uvgjpri.exe
        
        C:\Windows\system32\uvgjpri.exe 460 "C:\Windows\SysWOW64\pinkdhe.exe"
        29⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\exwukmp.exe
        
        C:\Windows\system32\exwukmp.exe 540 "C:\Windows\SysWOW64\uvgjpri.exe"
        30⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\exwukmp.exe
        
        C:\Windows\system32\exwukmp.exe 540 "C:\Windows\SysWOW64\uvgjpri.exe"
        31⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\bvdudtc.exe
        
        C:\Windows\system32\bvdudtc.exe 452 "C:\Windows\SysWOW64\exwukmp.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2416
        
        C:\Windows\SysWOW64\bvdudtc.exe
        
        C:\Windows\system32\bvdudtc.exe 452 "C:\Windows\SysWOW64\exwukmp.exe"
        33⤵
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\qoapmhe.exe
        
        C:\Windows\system32\qoapmhe.exe 532 "C:\Windows\SysWOW64\bvdudtc.exe"
        34⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\qoapmhe.exe
        
        C:\Windows\system32\qoapmhe.exe 532 "C:\Windows\SysWOW64\bvdudtc.exe"
        35⤵
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\vttxgrj.exe
        
        C:\Windows\system32\vttxgrj.exe 472 "C:\Windows\SysWOW64\qoapmhe.exe"
        36⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\vttxgrj.exe
        
        C:\Windows\system32\vttxgrj.exe 472 "C:\Windows\SysWOW64\qoapmhe.exe"
        37⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cbgpsgs.exe
        
        C:\Windows\system32\cbgpsgs.exe 476 "C:\Windows\SysWOW64\vttxgrj.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2496
        
        C:\Windows\SysWOW64\cbgpsgs.exe
        
        C:\Windows\system32\cbgpsgs.exe 476 "C:\Windows\SysWOW64\vttxgrj.exe"
        39⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\nitmkfa.exe
        
        C:\Windows\system32\nitmkfa.exe 528 "C:\Windows\SysWOW64\cbgpsgs.exe"
        40⤵
        
        PID:848
        
        C:\Windows\SysWOW64\nitmkfa.exe
        
        C:\Windows\system32\nitmkfa.exe 528 "C:\Windows\SysWOW64\cbgpsgs.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2908
        
        C:\Windows\SysWOW64\zczcwre.exe
        
        C:\Windows\system32\zczcwre.exe 528 "C:\Windows\SysWOW64\nitmkfa.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2736
        
        C:\Windows\SysWOW64\zczcwre.exe
        
        C:\Windows\system32\zczcwre.exe 528 "C:\Windows\SysWOW64\nitmkfa.exe"
        43⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2624
        
        C:\Windows\SysWOW64\jbdzgqm.exe
        
        C:\Windows\system32\jbdzgqm.exe 528 "C:\Windows\SysWOW64\zczcwre.exe"
        44⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\jbdzgqm.exe
        
        C:\Windows\system32\jbdzgqm.exe 528 "C:\Windows\SysWOW64\zczcwre.exe"
        45⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\xwupmmk.exe
        
        C:\Windows\system32\xwupmmk.exe 528 "C:\Windows\SysWOW64\jbdzgqm.exe"
        46⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\xwupmmk.exe
        
        C:\Windows\system32\xwupmmk.exe 528 "C:\Windows\SysWOW64\jbdzgqm.exe"
        47⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\ehtcjot.exe
        
        C:\Windows\system32\ehtcjot.exe 512 "C:\Windows\SysWOW64\xwupmmk.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1052
        
        C:\Windows\SysWOW64\ehtcjot.exe
        
        C:\Windows\system32\ehtcjot.exe 512 "C:\Windows\SysWOW64\xwupmmk.exe"
        49⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\ryoxsoy.exe
        
        C:\Windows\system32\ryoxsoy.exe 504 "C:\Windows\SysWOW64\ehtcjot.exe"
        50⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\ryoxsoy.exe
        
        C:\Windows\system32\ryoxsoy.exe 504 "C:\Windows\SysWOW64\ehtcjot.exe"
        51⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\bfaccng.exe
        
        C:\Windows\system32\bfaccng.exe 528 "C:\Windows\SysWOW64\ryoxsoy.exe"
        52⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\bfaccng.exe
        
        C:\Windows\system32\bfaccng.exe 528 "C:\Windows\SysWOW64\ryoxsoy.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2652
        
        C:\Windows\SysWOW64\lhpnxqm.exe
        
        C:\Windows\system32\lhpnxqm.exe 536 "C:\Windows\SysWOW64\bfaccng.exe"
        54⤵
        
        PID:644
        
        C:\Windows\SysWOW64\lhpnxqm.exe
        
        C:\Windows\system32\lhpnxqm.exe 536 "C:\Windows\SysWOW64\bfaccng.exe"
        55⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\quhcdul.exe
        
        C:\Windows\system32\quhcdul.exe 528 "C:\Windows\SysWOW64\lhpnxqm.exe"
        56⤵
        
        PID:340
        
        C:\Windows\SysWOW64\quhcdul.exe
        
        C:\Windows\system32\quhcdul.exe 528 "C:\Windows\SysWOW64\lhpnxqm.exe"
        57⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\pninxgv.exe
        
        C:\Windows\system32\pninxgv.exe 456 "C:\Windows\SysWOW64\quhcdul.exe"
        58⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\pninxgv.exe
        
        C:\Windows\system32\pninxgv.exe 456 "C:\Windows\SysWOW64\quhcdul.exe"
        59⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\hqwxzqf.exe
        
        C:\Windows\system32\hqwxzqf.exe 452 "C:\Windows\SysWOW64\pninxgv.exe"
        60⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\hqwxzqf.exe
        
        C:\Windows\system32\hqwxzqf.exe 452 "C:\Windows\SysWOW64\pninxgv.exe"
        61⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\rblimtt.exe
        
        C:\Windows\system32\rblimtt.exe 492 "C:\Windows\SysWOW64\hqwxzqf.exe"
        62⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\rblimtt.exe
        
        C:\Windows\system32\rblimtt.exe 492 "C:\Windows\SysWOW64\hqwxzqf.exe"
        63⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\guivwpw.exe
        
        C:\Windows\system32\guivwpw.exe 528 "C:\Windows\SysWOW64\rblimtt.exe"
        64⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\guivwpw.exe
        
        C:\Windows\system32\guivwpw.exe 528 "C:\Windows\SysWOW64\rblimtt.exe"
        65⤵
        
        PID:672
        
        C:\Windows\SysWOW64\lknqsvh.exe
        
        C:\Windows\system32\lknqsvh.exe 456 "C:\Windows\SysWOW64\guivwpw.exe"
        66⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\lknqsvh.exe
        
        C:\Windows\system32\lknqsvh.exe 456 "C:\Windows\SysWOW64\guivwpw.exe"
        67⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\ldoimir.exe
        
        C:\Windows\system32\ldoimir.exe 528 "C:\Windows\SysWOW64\lknqsvh.exe"
        68⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\ldoimir.exe
        
        C:\Windows\system32\ldoimir.exe 528 "C:\Windows\SysWOW64\lknqsvh.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\ipjvkkx.exe
        
        C:\Windows\system32\ipjvkkx.exe 452 "C:\Windows\SysWOW64\ldoimir.exe"
        70⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\ipjvkkx.exe
        
        C:\Windows\system32\ipjvkkx.exe 452 "C:\Windows\SysWOW64\ldoimir.exe"
        71⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\iisnexh.exe
        
        C:\Windows\system32\iisnexh.exe 464 "C:\Windows\SysWOW64\ipjvkkx.exe"
        72⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\iisnexh.exe
        
        C:\Windows\system32\iisnexh.exe 464 "C:\Windows\SysWOW64\ipjvkkx.exe"
        73⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\ppggyuj.exe
        
        C:\Windows\system32\ppggyuj.exe 452 "C:\Windows\SysWOW64\iisnexh.exe"
        74⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\ppggyuj.exe
        
        C:\Windows\system32\ppggyuj.exe 452 "C:\Windows\SysWOW64\iisnexh.exe"
        75⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\otsdvla.exe
        
        C:\Windows\system32\otsdvla.exe 480 "C:\Windows\SysWOW64\ppggyuj.exe"
        76⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\otsdvla.exe
        
        C:\Windows\system32\otsdvla.exe 480 "C:\Windows\SysWOW64\ppggyuj.exe"
        77⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:440
        
        C:\Windows\SysWOW64\gldaurd.exe
        
        C:\Windows\system32\gldaurd.exe 452 "C:\Windows\SysWOW64\otsdvla.exe"
        78⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\gldaurd.exe
        
        C:\Windows\system32\gldaurd.exe 452 "C:\Windows\SysWOW64\otsdvla.exe"
        79⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\gkqgkbs.exe
        
        C:\Windows\system32\gkqgkbs.exe 452 "C:\Windows\SysWOW64\gldaurd.exe"
        80⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\gkqgkbs.exe
        
        C:\Windows\system32\gkqgkbs.exe 452 "C:\Windows\SysWOW64\gldaurd.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\cotowyi.exe
        
        C:\Windows\system32\cotowyi.exe 536 "C:\Windows\SysWOW64\gkqgkbs.exe"
        82⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cotowyi.exe
        
        C:\Windows\system32\cotowyi.exe 536 "C:\Windows\SysWOW64\gkqgkbs.exe"
        83⤵
        
        PID:848
        
        C:\Windows\SysWOW64\vmtksnl.exe
        
        C:\Windows\system32\vmtksnl.exe 452 "C:\Windows\SysWOW64\cotowyi.exe"
        84⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\vmtksnl.exe
        
        C:\Windows\system32\vmtksnl.exe 452 "C:\Windows\SysWOW64\cotowyi.exe"
        85⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\npquuxv.exe
        
        C:\Windows\system32\npquuxv.exe 528 "C:\Windows\SysWOW64\vmtksnl.exe"
        86⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\npquuxv.exe
        
        C:\Windows\system32\npquuxv.exe 528 "C:\Windows\SysWOW64\vmtksnl.exe"
        87⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\hvefipx.exe
        
        C:\Windows\system32\hvefipx.exe 532 "C:\Windows\SysWOW64\npquuxv.exe"
        88⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\hvefipx.exe
        
        C:\Windows\system32\hvefipx.exe 532 "C:\Windows\SysWOW64\npquuxv.exe"
        89⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\tzinnip.exe
        
        C:\Windows\system32\tzinnip.exe 452 "C:\Windows\SysWOW64\hvefipx.exe"
        90⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\tzinnip.exe
        
        C:\Windows\system32\tzinnip.exe 452 "C:\Windows\SysWOW64\hvefipx.exe"
        91⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\betaebs.exe
        
        C:\Windows\system32\betaebs.exe 528 "C:\Windows\SysWOW64\tzinnip.exe"
        92⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\betaebs.exe
        
        C:\Windows\system32\betaebs.exe 528 "C:\Windows\SysWOW64\tzinnip.exe"
        93⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\vcjvhzh.exe
        
        C:\Windows\system32\vcjvhzh.exe 528 "C:\Windows\SysWOW64\betaebs.exe"
        94⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\vcjvhzh.exe
        
        C:\Windows\system32\vcjvhzh.exe 528 "C:\Windows\SysWOW64\betaebs.exe"
        95⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\tiqbxgd.exe
        
        C:\Windows\system32\tiqbxgd.exe 528 "C:\Windows\SysWOW64\vcjvhzh.exe"
        96⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\tiqbxgd.exe
        
        C:\Windows\system32\tiqbxgd.exe 528 "C:\Windows\SysWOW64\vcjvhzh.exe"
        97⤵
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\erszbqk.exe
        
        C:\Windows\system32\erszbqk.exe 536 "C:\Windows\SysWOW64\tiqbxgd.exe"
        98⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\erszbqk.exe
        
        C:\Windows\system32\erszbqk.exe 536 "C:\Windows\SysWOW64\tiqbxgd.exe"
        99⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\bwpxuga.exe
        
        C:\Windows\system32\bwpxuga.exe 476 "C:\Windows\SysWOW64\erszbqk.exe"
        100⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\bwpxuga.exe
        
        C:\Windows\system32\bwpxuga.exe 476 "C:\Windows\SysWOW64\erszbqk.exe"
        101⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\oydmfke.exe
        
        C:\Windows\system32\oydmfke.exe 528 "C:\Windows\SysWOW64\bwpxuga.exe"
        102⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\oydmfke.exe
        
        C:\Windows\system32\oydmfke.exe 528 "C:\Windows\SysWOW64\bwpxuga.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\qxjcdps.exe
        
        C:\Windows\system32\qxjcdps.exe 528 "C:\Windows\SysWOW64\oydmfke.exe"
        104⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\qxjcdps.exe
        
        C:\Windows\system32\qxjcdps.exe 528 "C:\Windows\SysWOW64\oydmfke.exe"
        105⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\ucdkwze.exe
        
        C:\Windows\system32\ucdkwze.exe 484 "C:\Windows\SysWOW64\qxjcdps.exe"
        106⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\ucdkwze.exe
        
        C:\Windows\system32\ucdkwze.exe 484 "C:\Windows\SysWOW64\qxjcdps.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\ccckdfi.exe
        
        C:\Windows\system32\ccckdfi.exe 484 "C:\Windows\SysWOW64\ucdkwze.exe"
        108⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\ccckdfi.exe
        
        C:\Windows\system32\ccckdfi.exe 484 "C:\Windows\SysWOW64\ucdkwze.exe"
        109⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\ugquept.exe
        
        C:\Windows\system32\ugquept.exe 476 "C:\Windows\SysWOW64\ccckdfi.exe"
        110⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\ugquept.exe
        
        C:\Windows\system32\ugquept.exe 476 "C:\Windows\SysWOW64\ccckdfi.exe"
        111⤵
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\euqkcxy.exe
        
        C:\Windows\system32\euqkcxy.exe 540 "C:\Windows\SysWOW64\ugquept.exe"
        112⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\euqkcxy.exe
        
        C:\Windows\system32\euqkcxy.exe 540 "C:\Windows\SysWOW64\ugquept.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\vxnuegq.exe
        
        C:\Windows\system32\vxnuegq.exe 464 "C:\Windows\SysWOW64\euqkcxy.exe"
        114⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\vxnuegq.exe
        
        C:\Windows\system32\vxnuegq.exe 464 "C:\Windows\SysWOW64\euqkcxy.exe"
        115⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\dbpioat.exe
        
        C:\Windows\system32\dbpioat.exe 452 "C:\Windows\SysWOW64\vxnuegq.exe"
        116⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\dbpioat.exe
        
        C:\Windows\system32\dbpioat.exe 452 "C:\Windows\SysWOW64\vxnuegq.exe"
        117⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\xdqptbg.exe
        
        C:\Windows\system32\xdqptbg.exe 528 "C:\Windows\SysWOW64\dbpioat.exe"
        118⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\xdqptbg.exe
        
        C:\Windows\system32\xdqptbg.exe 528 "C:\Windows\SysWOW64\dbpioat.exe"
        119⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\rjhkoro.exe
        
        C:\Windows\system32\rjhkoro.exe 464 "C:\Windows\SysWOW64\xdqptbg.exe"
        120⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\rjhkoro.exe
        
        C:\Windows\system32\rjhkoro.exe 464 "C:\Windows\SysWOW64\xdqptbg.exe"
        121⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\utyagnv.exe
        
        C:\Windows\system32\utyagnv.exe 452 "C:\Windows\SysWOW64\rjhkoro.exe"
        122⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\utyagnv.exe
        
        C:\Windows\system32\utyagnv.exe 452 "C:\Windows\SysWOW64\rjhkoro.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\jmvvqjg.exe
        
        C:\Windows\system32\jmvvqjg.exe 528 "C:\Windows\SysWOW64\utyagnv.exe"
        124⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\jmvvqjg.exe
        
        C:\Windows\system32\jmvvqjg.exe 528 "C:\Windows\SysWOW64\utyagnv.exe"
        125⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\tlzsiif.exe
        
        C:\Windows\system32\tlzsiif.exe 528 "C:\Windows\SysWOW64\jmvvqjg.exe"
        126⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\tlzsiif.exe
        
        C:\Windows\system32\tlzsiif.exe 528 "C:\Windows\SysWOW64\jmvvqjg.exe"
        127⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\teikcup.exe
        
        C:\Windows\system32\teikcup.exe 452 "C:\Windows\SysWOW64\tlzsiif.exe"
        128⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\teikcup.exe
        
        C:\Windows\system32\teikcup.exe 452 "C:\Windows\SysWOW64\tlzsiif.exe"
        129⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\nhnscoy.exe
        
        C:\Windows\system32\nhnscoy.exe 528 "C:\Windows\SysWOW64\teikcup.exe"
        130⤵
        
        PID:996
        
        C:\Windows\SysWOW64\nhnscoy.exe
        
        C:\Windows\system32\nhnscoy.exe 528 "C:\Windows\SysWOW64\teikcup.exe"
        131⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\vjgvjic.exe
        
        C:\Windows\system32\vjgvjic.exe 528 "C:\Windows\SysWOW64\nhnscoy.exe"
        132⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\vjgvjic.exe
        
        C:\Windows\system32\vjgvjic.exe 528 "C:\Windows\SysWOW64\nhnscoy.exe"
        133⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\xbcfxsl.exe
        
        C:\Windows\system32\xbcfxsl.exe 536 "C:\Windows\SysWOW64\vjgvjic.exe"
        134⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\xbcfxsl.exe
        
        C:\Windows\system32\xbcfxsl.exe 536 "C:\Windows\SysWOW64\vjgvjic.exe"
        135⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\dqlfjmb.exe
        
        C:\Windows\system32\dqlfjmb.exe 536 "C:\Windows\SysWOW64\xbcfxsl.exe"
        136⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\dqlfjmb.exe
        
        C:\Windows\system32\dqlfjmb.exe 536 "C:\Windows\SysWOW64\xbcfxsl.exe"
        137⤵
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\kbrkggj.exe
        
        C:\Windows\system32\kbrkggj.exe 532 "C:\Windows\SysWOW64\dqlfjmb.exe"
        138⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\kbrkggj.exe
        
        C:\Windows\system32\kbrkggj.exe 532 "C:\Windows\SysWOW64\dqlfjmb.exe"
        139⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\xamnpop.exe
        
        C:\Windows\system32\xamnpop.exe 528 "C:\Windows\SysWOW64\kbrkggj.exe"
        140⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\xamnpop.exe
        
        C:\Windows\system32\xamnpop.exe 528 "C:\Windows\SysWOW64\kbrkggj.exe"
        141⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\hzqkznw.exe
        
        C:\Windows\system32\hzqkznw.exe 528 "C:\Windows\SysWOW64\xamnpop.exe"
        142⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\hzqkznw.exe
        
        C:\Windows\system32\hzqkznw.exe 528 "C:\Windows\SysWOW64\xamnpop.exe"
        143⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\pdaqqyz.exe
        
        C:\Windows\system32\pdaqqyz.exe 528 "C:\Windows\SysWOW64\hzqkznw.exe"
        144⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\pdaqqyz.exe
        
        C:\Windows\system32\pdaqqyz.exe 528 "C:\Windows\SysWOW64\hzqkznw.exe"
        145⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\ttflmmk.exe
        
        C:\Windows\system32\ttflmmk.exe 528 "C:\Windows\SysWOW64\pdaqqyz.exe"
        146⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\ttflmmk.exe
        
        C:\Windows\system32\ttflmmk.exe 528 "C:\Windows\SysWOW64\pdaqqyz.exe"
        147⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\bbtdzcu.exe
        
        C:\Windows\system32\bbtdzcu.exe 528 "C:\Windows\SysWOW64\ttflmmk.exe"
        148⤵
        
        PID:628
        
        C:\Windows\SysWOW64\bbtdzcu.exe
        
        C:\Windows\system32\bbtdzcu.exe 528 "C:\Windows\SysWOW64\ttflmmk.exe"
        149⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\tteayhf.exe
        
        C:\Windows\system32\tteayhf.exe 460 "C:\Windows\SysWOW64\bbtdzcu.exe"
        150⤵
        
        PID:340
        
        C:\Windows\SysWOW64\tteayhf.exe
        
        C:\Windows\system32\tteayhf.exe 460 "C:\Windows\SysWOW64\bbtdzcu.exe"
        151⤵
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\abrasxh.exe
        
        C:\Windows\system32\abrasxh.exe 528 "C:\Windows\SysWOW64\tteayhf.exe"
        152⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\abrasxh.exe
        
        C:\Windows\system32\abrasxh.exe 528 "C:\Windows\SysWOW64\tteayhf.exe"
        153⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\hqmteuq.exe
        
        C:\Windows\system32\hqmteuq.exe 528 "C:\Windows\SysWOW64\abrasxh.exe"
        154⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\hqmteuq.exe
        
        C:\Windows\system32\hqmteuq.exe 528 "C:\Windows\SysWOW64\abrasxh.exe"
        155⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\sprqwty.exe
        
        C:\Windows\system32\sprqwty.exe 528 "C:\Windows\SysWOW64\hqmteuq.exe"
        156⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\sprqwty.exe
        
        C:\Windows\system32\sprqwty.exe 528 "C:\Windows\SysWOW64\hqmteuq.exe"
        157⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\chgvbja.exe
        
        C:\Windows\system32\chgvbja.exe 536 "C:\Windows\SysWOW64\sprqwty.exe"
        158⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\chgvbja.exe
        
        C:\Windows\system32\chgvbja.exe 536 "C:\Windows\SysWOW64\sprqwty.exe"
        159⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\bhegbep.exe
        
        C:\Windows\system32\bhegbep.exe 468 "C:\Windows\SysWOW64\chgvbja.exe"
        160⤵
        
        PID:928
        
        C:\Windows\SysWOW64\bhegbep.exe
        
        C:\Windows\system32\bhegbep.exe 468 "C:\Windows\SysWOW64\chgvbja.exe"
        161⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\bzmydrz.exe
        
        C:\Windows\system32\bzmydrz.exe 460 "C:\Windows\SysWOW64\bhegbep.exe"
        162⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\bzmydrz.exe
        
        C:\Windows\system32\bzmydrz.exe 460 "C:\Windows\SysWOW64\bhegbep.exe"
        163⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\gxjgjsy.exe
        
        C:\Windows\system32\gxjgjsy.exe 460 "C:\Windows\SysWOW64\bzmydrz.exe"
        164⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\gxjgjsy.exe
        
        C:\Windows\system32\gxjgjsy.exe 460 "C:\Windows\SysWOW64\bzmydrz.exe"
        165⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\qeodbrg.exe
        
        C:\Windows\system32\qeodbrg.exe 460 "C:\Windows\SysWOW64\gxjgjsy.exe"
        166⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\qeodbrg.exe
        
        C:\Windows\system32\qeodbrg.exe 460 "C:\Windows\SysWOW64\gxjgjsy.exe"
        167⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\qxwwvdq.exe
        
        C:\Windows\system32\qxwwvdq.exe 536 "C:\Windows\SysWOW64\qeodbrg.exe"
        168⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\qxwwvdq.exe
        
        C:\Windows\system32\qxwwvdq.exe 536 "C:\Windows\SysWOW64\qeodbrg.exe"
        169⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\zzlovwt.exe
        
        C:\Windows\system32\zzlovwt.exe 532 "C:\Windows\SysWOW64\qxwwvdq.exe"
        170⤵
        
        PID:676
        
        C:\Windows\SysWOW64\zzlovwt.exe
        
        C:\Windows\system32\zzlovwt.exe 532 "C:\Windows\SysWOW64\qxwwvdq.exe"
        171⤵
        
        PID:328
        
        C:\Windows\SysWOW64\suwzpxb.exe
        
        C:\Windows\system32\suwzpxb.exe 528 "C:\Windows\SysWOW64\zzlovwt.exe"
        172⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\suwzpxb.exe
        
        C:\Windows\system32\suwzpxb.exe 528 "C:\Windows\SysWOW64\zzlovwt.exe"
        173⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\dkxmfdc.exe
        
        C:\Windows\system32\dkxmfdc.exe 528 "C:\Windows\SysWOW64\suwzpxb.exe"
        174⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\dkxmfdc.exe
        
        C:\Windows\system32\dkxmfdc.exe 528 "C:\Windows\SysWOW64\suwzpxb.exe"
        175⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\kskeztm.exe
        
        C:\Windows\system32\kskeztm.exe 484 "C:\Windows\SysWOW64\dkxmfdc.exe"
        176⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\kskeztm.exe
        
        C:\Windows\system32\kskeztm.exe 484 "C:\Windows\SysWOW64\dkxmfdc.exe"
        177⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\sxszdgj.exe
        
        C:\Windows\system32\sxszdgj.exe 504 "C:\Windows\SysWOW64\kskeztm.exe"
        178⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\sxszdgj.exe
        
        C:\Windows\system32\sxszdgj.exe 504 "C:\Windows\SysWOW64\kskeztm.exe"
        179⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\cexxnfq.exe
        
        C:\Windows\system32\cexxnfq.exe 528 "C:\Windows\SysWOW64\sxszdgj.exe"
        180⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cexxnfq.exe
        
        C:\Windows\system32\cexxnfq.exe 528 "C:\Windows\SysWOW64\sxszdgj.exe"
        181⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rqccrfc.exe
        
        C:\Windows\system32\rqccrfc.exe 460 "C:\Windows\SysWOW64\cexxnfq.exe"
        182⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\rqccrfc.exe
        
        C:\Windows\system32\rqccrfc.exe 460 "C:\Windows\SysWOW64\cexxnfq.exe"
        183⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\wuokkpp.exe
        
        C:\Windows\system32\wuokkpp.exe 452 "C:\Windows\SysWOW64\rqccrfc.exe"
        184⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\wuokkpp.exe
        
        C:\Windows\system32\wuokkpp.exe 452 "C:\Windows\SysWOW64\rqccrfc.exe"
        185⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\blsfgdt.exe
        
        C:\Windows\system32\blsfgdt.exe 540 "C:\Windows\SysWOW64\wuokkpp.exe"
        186⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\blsfgdt.exe
        
        C:\Windows\system32\blsfgdt.exe 540 "C:\Windows\SysWOW64\wuokkpp.exe"
        187⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\isoxasc.exe
        
        C:\Windows\system32\isoxasc.exe 456 "C:\Windows\SysWOW64\blsfgdt.exe"
        188⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\isoxasc.exe
        
        C:\Windows\system32\isoxasc.exe 456 "C:\Windows\SysWOW64\blsfgdt.exe"
        189⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\qxqkkdn.exe
        
        C:\Windows\system32\qxqkkdn.exe 452 "C:\Windows\SysWOW64\isoxasc.exe"
        190⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\qxqkkdn.exe
        
        C:\Windows\system32\qxqkkdn.exe 452 "C:\Windows\SysWOW64\isoxasc.exe"
        191⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\myixopz.exe
        
        C:\Windows\system32\myixopz.exe 452 "C:\Windows\SysWOW64\qxqkkdn.exe"
        192⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\myixopz.exe
        
        C:\Windows\system32\myixopz.exe 452 "C:\Windows\SysWOW64\qxqkkdn.exe"
        193⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\xxmvyny.exe
        
        C:\Windows\system32\xxmvyny.exe 504 "C:\Windows\SysWOW64\myixopz.exe"
        194⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\xxmvyny.exe
        
        C:\Windows\system32\xxmvyny.exe 504 "C:\Windows\SysWOW64\myixopz.exe"
        195⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\zspxton.exe
        
        C:\Windows\system32\zspxton.exe 468 "C:\Windows\SysWOW64\xxmvyny.exe"
        196⤵
        
        PID:772
        
        C:\Windows\SysWOW64\zspxton.exe
        
        C:\Windows\system32\zspxton.exe 468 "C:\Windows\SysWOW64\xxmvyny.exe"
        197⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\welkjit.exe
        
        C:\Windows\system32\welkjit.exe 452 "C:\Windows\SysWOW64\zspxton.exe"
        198⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\welkjit.exe
        
        C:\Windows\system32\welkjit.exe 452 "C:\Windows\SysWOW64\zspxton.exe"
        199⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\dpsxgcc.exe
        
        C:\Windows\system32\dpsxgcc.exe 528 "C:\Windows\SysWOW64\welkjit.exe"
        200⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\dpsxgcc.exe
        
        C:\Windows\system32\dpsxgcc.exe 528 "C:\Windows\SysWOW64\welkjit.exe"
        201⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\nlkioxc.exe
        
        C:\Windows\system32\nlkioxc.exe 528 "C:\Windows\SysWOW64\dpsxgcc.exe"
        202⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\nlkioxc.exe
        
        C:\Windows\system32\nlkioxc.exe 528 "C:\Windows\SysWOW64\dpsxgcc.exe"
        203⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\yhlserl.exe
        
        C:\Windows\system32\yhlserl.exe 528 "C:\Windows\SysWOW64\nlkioxc.exe"
        204⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\yhlserl.exe
        
        C:\Windows\system32\yhlserl.exe 528 "C:\Windows\SysWOW64\nlkioxc.exe"
        205⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\fakfttt.exe
        
        C:\Windows\system32\fakfttt.exe 480 "C:\Windows\SysWOW64\yhlserl.exe"
        206⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\fakfttt.exe
        
        C:\Windows\system32\fakfttt.exe 480 "C:\Windows\SysWOW64\yhlserl.exe"
        207⤵
        
        PID:676
        
        C:\Windows\SysWOW64\kbsajqz.exe
        
        C:\Windows\system32\kbsajqz.exe 528 "C:\Windows\SysWOW64\fakfttt.exe"
        208⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\kbsajqz.exe
        
        C:\Windows\system32\kbsajqz.exe 528 "C:\Windows\SysWOW64\fakfttt.exe"
        209⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\pomicae.exe
        
        C:\Windows\system32\pomicae.exe 528 "C:\Windows\SysWOW64\kbsajqz.exe"
        210⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\pomicae.exe
        
        C:\Windows\system32\pomicae.exe 528 "C:\Windows\SysWOW64\kbsajqz.exe"
        211⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\wzsnruu.exe
        
        C:\Windows\system32\wzsnruu.exe 476 "C:\Windows\SysWOW64\pomicae.exe"
        212⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\wzsnruu.exe
        
        C:\Windows\system32\wzsnruu.exe 476 "C:\Windows\SysWOW64\pomicae.exe"
        213⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\jynqacs.exe
        
        C:\Windows\system32\jynqacs.exe 528 "C:\Windows\SysWOW64\wzsnruu.exe"
        214⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\jynqacs.exe
        
        C:\Windows\system32\jynqacs.exe 528 "C:\Windows\SysWOW64\wzsnruu.exe"
        215⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\txrnsbz.exe
        
        C:\Windows\system32\txrnsbz.exe 536 "C:\Windows\SysWOW64\jynqacs.exe"
        216⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\txrnsbz.exe
        
        C:\Windows\system32\txrnsbz.exe 536 "C:\Windows\SysWOW64\jynqacs.exe"
        217⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\vhrdkxh.exe
        
        C:\Windows\system32\vhrdkxh.exe 452 "C:\Windows\SysWOW64\txrnsbz.exe"
        218⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\vhrdkxh.exe
        
        C:\Windows\system32\vhrdkxh.exe 452 "C:\Windows\SysWOW64\txrnsbz.exe"
        219⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\kwavrba.exe
        
        C:\Windows\system32\kwavrba.exe 456 "C:\Windows\SysWOW64\vhrdkxh.exe"
        220⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\kwavrba.exe
        
        C:\Windows\system32\kwavrba.exe 456 "C:\Windows\SysWOW64\vhrdkxh.exe"
        221⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\vstgywb.exe
        
        C:\Windows\system32\vstgywb.exe 520 "C:\Windows\SysWOW64\kwavrba.exe"
        222⤵
        
        PID:692
        
        C:\Windows\SysWOW64\vstgywb.exe
        
        C:\Windows\system32\vstgywb.exe 520 "C:\Windows\SysWOW64\kwavrba.exe"
        223⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\frflrvj.exe
        
        C:\Windows\system32\frflrvj.exe 528 "C:\Windows\SysWOW64\vstgywb.exe"
        224⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\frflrvj.exe
        
        C:\Windows\system32\frflrvj.exe 528 "C:\Windows\SysWOW64\vstgywb.exe"
        225⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\oqstvgs.exe
        
        C:\Windows\system32\oqstvgs.exe 452 "C:\Windows\SysWOW64\frflrvj.exe"
        226⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\oqstvgs.exe
        
        C:\Windows\system32\oqstvgs.exe 452 "C:\Windows\SysWOW64\frflrvj.exe"
        227⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\tgporue.exe
        
        C:\Windows\system32\tgporue.exe 456 "C:\Windows\SysWOW64\oqstvgs.exe"
        228⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\tgporue.exe
        
        C:\Windows\system32\tgporue.exe 456 "C:\Windows\SysWOW64\oqstvgs.exe"
        229⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\yeuwfvl.exe
        
        C:\Windows\system32\yeuwfvl.exe 452 "C:\Windows\SysWOW64\tgporue.exe"
        230⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\yeuwfvl.exe
        
        C:\Windows\system32\yeuwfvl.exe 452 "C:\Windows\SysWOW64\tgporue.exe"
        231⤵
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\ihjgsyr.exe
        
        C:\Windows\system32\ihjgsyr.exe 528 "C:\Windows\SysWOW64\yeuwfvl.exe"
        232⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\ihjgsyr.exe
        
        C:\Windows\system32\ihjgsyr.exe 528 "C:\Windows\SysWOW64\yeuwfvl.exe"
        233⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\crcoysf.exe
        
        C:\Windows\system32\crcoysf.exe 452 "C:\Windows\SysWOW64\ihjgsyr.exe"
        234⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\crcoysf.exe
        
        C:\Windows\system32\crcoysf.exe 452 "C:\Windows\SysWOW64\ihjgsyr.exe"
        235⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\qeueewe.exe
        
        C:\Windows\system32\qeueewe.exe 456 "C:\Windows\SysWOW64\crcoysf.exe"
        236⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\qeueewe.exe
        
        C:\Windows\system32\qeueewe.exe 456 "C:\Windows\SysWOW64\crcoysf.exe"
        237⤵
        
        PID:576
        
        C:\Windows\SysWOW64\szxozxs.exe
        
        C:\Windows\system32\szxozxs.exe 452 "C:\Windows\SysWOW64\qeueewe.exe"
        238⤵
        
        PID:772
        
        C:\Windows\SysWOW64\szxozxs.exe
        
        C:\Windows\system32\szxozxs.exe 452 "C:\Windows\SysWOW64\qeueewe.exe"
        239⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\zdhtiiv.exe
        
        C:\Windows\system32\zdhtiiv.exe 452 "C:\Windows\SysWOW64\szxozxs.exe"
        240⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\zdhtiiv.exe
        
        C:\Windows\system32\zdhtiiv.exe 452 "C:\Windows\SysWOW64\szxozxs.exe"
        241⤵
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\eucwzqb.exe
        
        C:\Windows\system32\eucwzqb.exe 532 "C:\Windows\SysWOW64\zdhtiiv.exe"
        242⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\eucwzqb.exe
        
        C:\Windows\system32\eucwzqb.exe 532 "C:\Windows\SysWOW64\zdhtiiv.exe"
        243⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\bvujvbn.exe
        
        C:\Windows\system32\bvujvbn.exe 528 "C:\Windows\SysWOW64\eucwzqb.exe"
        244⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\bvujvbn.exe
        
        C:\Windows\system32\bvujvbn.exe 528 "C:\Windows\SysWOW64\eucwzqb.exe"
        245⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\lxjuiet.exe
        
        C:\Windows\system32\lxjuiet.exe 532 "C:\Windows\SysWOW64\bvujvbn.exe"
        246⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\lxjuiet.exe
        
        C:\Windows\system32\lxjuiet.exe 532 "C:\Windows\SysWOW64\bvujvbn.exe"
        247⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\qkdcbgy.exe
        
        C:\Windows\system32\qkdcbgy.exe 452 "C:\Windows\SysWOW64\lxjuiet.exe"
        248⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\qkdcbgy.exe
        
        C:\Windows\system32\qkdcbgy.exe 452 "C:\Windows\SysWOW64\lxjuiet.exe"
        249⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\dxmrhkw.exe
        
        C:\Windows\system32\dxmrhkw.exe 532 "C:\Windows\SysWOW64\qkdcbgy.exe"
        250⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\dxmrhkw.exe
        
        C:\Windows\system32\dxmrhkw.exe 532 "C:\Windows\SysWOW64\qkdcbgy.exe"
        251⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\rygoqtw.exe
        
        C:\Windows\system32\rygoqtw.exe 456 "C:\Windows\SysWOW64\dxmrhkw.exe"
        252⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\rygoqtw.exe
        
        C:\Windows\system32\rygoqtw.exe 456 "C:\Windows\SysWOW64\dxmrhkw.exe"
        253⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\flymexv.exe
        
        C:\Windows\system32\flymexv.exe 520 "C:\Windows\SysWOW64\rygoqtw.exe"
        254⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\flymexv.exe
        
        C:\Windows\system32\flymexv.exe 520 "C:\Windows\SysWOW64\rygoqtw.exe"
        255⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\hybpzxc.exe
        
        C:\Windows\system32\hybpzxc.exe 452 "C:\Windows\SysWOW64\flymexv.exe"
        256⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\hybpzxc.exe
        
        C:\Windows\system32\hybpzxc.exe 452 "C:\Windows\SysWOW64\flymexv.exe"
        257⤵
        
        PID:920
        
        C:\Windows\SysWOW64\wompyhf.exe
        
        C:\Windows\system32\wompyhf.exe 536 "C:\Windows\SysWOW64\hybpzxc.exe"
        258⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\wompyhf.exe
        
        C:\Windows\system32\wompyhf.exe 536 "C:\Windows\SysWOW64\hybpzxc.exe"
        259⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\dzlcvin.exe
        
        C:\Windows\system32\dzlcvin.exe 528 "C:\Windows\SysWOW64\wompyhf.exe"
        260⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\dzlcvin.exe
        
        C:\Windows\system32\dzlcvin.exe 528 "C:\Windows\SysWOW64\wompyhf.exe"
        261⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\lhgupyx.exe
        
        C:\Windows\system32\lhgupyx.exe 532 "C:\Windows\SysWOW64\dzlcvin.exe"
        262⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\lhgupyx.exe
        
        C:\Windows\system32\lhgupyx.exe 532 "C:\Windows\SysWOW64\dzlcvin.exe"
        263⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\ygbxxyd.exe
        
        C:\Windows\system32\ygbxxyd.exe 536 "C:\Windows\SysWOW64\lhgupyx.exe"
        264⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\ygbxxyd.exe
        
        C:\Windows\system32\ygbxxyd.exe 536 "C:\Windows\SysWOW64\lhgupyx.exe"
        265⤵
        
        PID:616
        
        C:\Windows\SysWOW64\fnxpkvm.exe
        
        C:\Windows\system32\fnxpkvm.exe 524 "C:\Windows\SysWOW64\ygbxxyd.exe"
        266⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\fnxpkvm.exe
        
        C:\Windows\system32\fnxpkvm.exe 524 "C:\Windows\SysWOW64\ygbxxyd.exe"
        267⤵
        
        PID:924
        
        C:\Windows\SysWOW64\pmbmcum.exe
        
        C:\Windows\system32\pmbmcum.exe 492 "C:\Windows\SysWOW64\fnxpkvm.exe"
        268⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\pmbmcum.exe
        
        C:\Windows\system32\pmbmcum.exe 492 "C:\Windows\SysWOW64\fnxpkvm.exe"
        269⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cdwplur.exe
        
        C:\Windows\system32\cdwplur.exe 528 "C:\Windows\SysWOW64\pmbmcum.exe"
        270⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cdwplur.exe
        
        C:\Windows\system32\cdwplur.exe 528 "C:\Windows\SysWOW64\pmbmcum.exe"
        271⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\nzxhsps.exe
        
        C:\Windows\system32\nzxhsps.exe 528 "C:\Windows\SysWOW64\cdwplur.exe"
        272⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\nzxhsps.exe
        
        C:\Windows\system32\nzxhsps.exe 528 "C:\Windows\SysWOW64\cdwplur.exe"
        273⤵
        
        PID:908
        
        C:\Windows\SysWOW64\xgjfdoz.exe
        
        C:\Windows\system32\xgjfdoz.exe 532 "C:\Windows\SysWOW64\nzxhsps.exe"
        274⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\xgjfdoz.exe
        
        C:\Windows\system32\xgjfdoz.exe 532 "C:\Windows\SysWOW64\nzxhsps.exe"
        275⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\zqauvkh.exe
        
        C:\Windows\system32\zqauvkh.exe 544 "C:\Windows\SysWOW64\xgjfdoz.exe"
        276⤵
        
        PID:872
        
        C:\Windows\SysWOW64\zqauvkh.exe
        
        C:\Windows\system32\zqauvkh.exe 544 "C:\Windows\SysWOW64\xgjfdoz.exe"
        277⤵
        
        PID:928
        
        C:\Windows\SysWOW64\gxovphr.exe
        
        C:\Windows\system32\gxovphr.exe 528 "C:\Windows\SysWOW64\zqauvkh.exe"
        278⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\gxovphr.exe
        
        C:\Windows\system32\gxovphr.exe 528 "C:\Windows\SysWOW64\zqauvkh.exe"
        279⤵
        
        PID:436
        
        C:\Windows\SysWOW64\tzucblv.exe
        
        C:\Windows\system32\tzucblv.exe 528 "C:\Windows\SysWOW64\gxovphr.exe"
        280⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\tzucblv.exe
        
        C:\Windows\system32\tzucblv.exe 528 "C:\Windows\SysWOW64\gxovphr.exe"
        281⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\bvepsxy.exe
        
        C:\Windows\system32\bvepsxy.exe 528 "C:\Windows\SysWOW64\tzucblv.exe"
        282⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\bvepsxy.exe
        
        C:\Windows\system32\bvepsxy.exe 528 "C:\Windows\SysWOW64\tzucblv.exe"
        283⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\ilzieuh.exe
        
        C:\Windows\system32\ilzieuh.exe 464 "C:\Windows\SysWOW64\bvepsxy.exe"
        284⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\ilzieuh.exe
        
        C:\Windows\system32\ilzieuh.exe 464 "C:\Windows\SysWOW64\bvepsxy.exe"
        285⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\nmikvrn.exe
        
        C:\Windows\system32\nmikvrn.exe 452 "C:\Windows\SysWOW64\ilzieuh.exe"
        286⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\nmikvrn.exe
        
        C:\Windows\system32\nmikvrn.exe 452 "C:\Windows\SysWOW64\ilzieuh.exe"
        287⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\xaialzb.exe
        
        C:\Windows\system32\xaialzb.exe 528 "C:\Windows\SysWOW64\nmikvrn.exe"
        288⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\xaialzb.exe
        
        C:\Windows\system32\xaialzb.exe 528 "C:\Windows\SysWOW64\nmikvrn.exe"
        289⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\ccqvbeg.exe
        
        C:\Windows\system32\ccqvbeg.exe 452 "C:\Windows\SysWOW64\xaialzb.exe"
        290⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\ccqvbeg.exe
        
        C:\Windows\system32\ccqvbeg.exe 452 "C:\Windows\SysWOW64\xaialzb.exe"
        291⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\ujqsgsp.exe
        
        C:\Windows\system32\ujqsgsp.exe 456 "C:\Windows\SysWOW64\ccqvbeg.exe"
        292⤵
        
        PID:692
        
        C:\Windows\SysWOW64\ujqsgsp.exe
        
        C:\Windows\system32\ujqsgsp.exe 456 "C:\Windows\SysWOW64\ccqvbeg.exe"
        293⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\heiilww.exe
        
        C:\Windows\system32\heiilww.exe 504 "C:\Windows\SysWOW64\ujqsgsp.exe"
        294⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\heiilww.exe
        
        C:\Windows\system32\heiilww.exe 504 "C:\Windows\SysWOW64\ujqsgsp.exe"
        295⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\olvigmy.exe
        
        C:\Windows\system32\olvigmy.exe 488 "C:\Windows\SysWOW64\heiilww.exe"
        296⤵
        
        PID:340
        
        C:\Windows\SysWOW64\olvigmy.exe
        
        C:\Windows\system32\olvigmy.exe 488 "C:\Windows\SysWOW64\heiilww.exe"
        297⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\dbesmzr.exe
        
        C:\Windows\system32\dbesmzr.exe 464 "C:\Windows\SysWOW64\olvigmy.exe"
        298⤵
        
        PID:628
        
        C:\Windows\SysWOW64\dbesmzr.exe
        
        C:\Windows\system32\dbesmzr.exe 464 "C:\Windows\SysWOW64\olvigmy.exe"
        299⤵
        
        PID:800
        
        C:\Windows\SysWOW64\qvkiydv.exe
        
        C:\Windows\system32\qvkiydv.exe 536 "C:\Windows\SysWOW64\dbesmzr.exe"
        300⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\qvkiydv.exe
        
        C:\Windows\system32\qvkiydv.exe 536 "C:\Windows\SysWOW64\dbesmzr.exe"
        301⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\vesdoib.exe
        
        C:\Windows\system32\vesdoib.exe 488 "C:\Windows\SysWOW64\qvkiydv.exe"
        302⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\vesdoib.exe
        
        C:\Windows\system32\vesdoib.exe 488 "C:\Windows\SysWOW64\qvkiydv.exe"
        303⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\fatvwdc.exe
        
        C:\Windows\system32\fatvwdc.exe 488 "C:\Windows\SysWOW64\vesdoib.exe"
        304⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\fatvwdc.exe
        
        C:\Windows\system32\fatvwdc.exe 488 "C:\Windows\SysWOW64\vesdoib.exe"
        305⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\mlsbtxs.exe
        
        C:\Windows\system32\mlsbtxs.exe 528 "C:\Windows\SysWOW64\fatvwdc.exe"
        306⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\mlsbtxs.exe
        
        C:\Windows\system32\mlsbtxs.exe 528 "C:\Windows\SysWOW64\fatvwdc.exe"
        307⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\upcgciv.exe
        
        C:\Windows\system32\upcgciv.exe 452 "C:\Windows\SysWOW64\mlsbtxs.exe"
        308⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\upcgciv.exe
        
        C:\Windows\system32\upcgciv.exe 452 "C:\Windows\SysWOW64\mlsbtxs.exe"
        309⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\btmttby.exe
        
        C:\Windows\system32\btmttby.exe 452 "C:\Windows\SysWOW64\upcgciv.exe"
        310⤵
        
        PID:784
        
        C:\Windows\SysWOW64\btmttby.exe
        
        C:\Windows\system32\btmttby.exe 452 "C:\Windows\SysWOW64\upcgciv.exe"
        311⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\okhwcbd.exe
        
        C:\Windows\system32\okhwcbd.exe 528 "C:\Windows\SysWOW64\btmttby.exe"
        312⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\okhwcbd.exe
        
        C:\Windows\system32\okhwcbd.exe 528 "C:\Windows\SysWOW64\btmttby.exe"
        313⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\ldxvbtn.exe
        
        C:\Windows\system32\ldxvbtn.exe 452 "C:\Windows\SysWOW64\okhwcbd.exe"
        314⤵
        
        PID:628
        
        C:\Windows\SysWOW64\ldxvbtn.exe
        
        C:\Windows\system32\ldxvbtn.exe 452 "C:\Windows\SysWOW64\okhwcbd.exe"
        315⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\ycsyjbt.exe
        
        C:\Windows\system32\ycsyjbt.exe 528 "C:\Windows\SysWOW64\ldxvbtn.exe"
        316⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\ycsyjbt.exe
        
        C:\Windows\system32\ycsyjbt.exe 528 "C:\Windows\SysWOW64\ldxvbtn.exe"
        317⤵
        
        PID:836
        
        C:\Windows\SysWOW64\apvbfui.exe
        
        C:\Windows\system32\apvbfui.exe 460 "C:\Windows\SysWOW64\ycsyjbt.exe"
        318⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\apvbfui.exe
        
        C:\Windows\system32\apvbfui.exe 460 "C:\Windows\SysWOW64\ycsyjbt.exe"
        319⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\ncmqkyg.exe
        
        C:\Windows\system32\ncmqkyg.exe 528 "C:\Windows\SysWOW64\apvbfui.exe"
        320⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\ncmqkyg.exe
        
        C:\Windows\system32\ncmqkyg.exe 528 "C:\Windows\SysWOW64\apvbfui.exe"
        321⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\rtjlgms.exe
        
        C:\Windows\system32\rtjlgms.exe 456 "C:\Windows\SysWOW64\ncmqkyg.exe"
        322⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\rtjlgms.exe
        
        C:\Windows\system32\rtjlgms.exe 456 "C:\Windows\SysWOW64\ncmqkyg.exe"
        323⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\foabmir.exe
        
        C:\Windows\system32\foabmir.exe 528 "C:\Windows\SysWOW64\rtjlgms.exe"
        324⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\foabmir.exe
        
        C:\Windows\system32\foabmir.exe 528 "C:\Windows\SysWOW64\rtjlgms.exe"
        325⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\tgugvzj.exe
        
        C:\Windows\system32\tgugvzj.exe 452 "C:\Windows\SysWOW64\foabmir.exe"
        326⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\tgugvzj.exe
        
        C:\Windows\system32\tgugvzj.exe 452 "C:\Windows\SysWOW64\foabmir.exe"
        327⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\tshzkdn.exe
        
        C:\Windows\system32\tshzkdn.exe 480 "C:\Windows\SysWOW64\tgugvzj.exe"
        328⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\tshzkdn.exe
        
        C:\Windows\system32\tshzkdn.exe 480 "C:\Windows\SysWOW64\tgugvzj.exe"
        329⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\ympyjvx.exe
        
        C:\Windows\system32\ympyjvx.exe 452 "C:\Windows\SysWOW64\tshzkdn.exe"
        330⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\ympyjvx.exe
        
        C:\Windows\system32\ympyjvx.exe 452 "C:\Windows\SysWOW64\tshzkdn.exe"
        331⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\iltwtuf.exe
        
        C:\Windows\system32\iltwtuf.exe 488 "C:\Windows\SysWOW64\ympyjvx.exe"
        332⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\iltwtuf.exe
        
        C:\Windows\system32\iltwtuf.exe 488 "C:\Windows\SysWOW64\ympyjvx.exe"
        333⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\ppdjkfh.exe
        
        C:\Windows\system32\ppdjkfh.exe 528 "C:\Windows\SysWOW64\iltwtuf.exe"
        334⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\ppdjkfh.exe
        
        C:\Windows\system32\ppdjkfh.exe 528 "C:\Windows\SysWOW64\iltwtuf.exe"
        335⤵
        
        PID:340
        
        C:\Windows\SysWOW64\zopgvep.exe
        
        C:\Windows\system32\zopgvep.exe 536 "C:\Windows\SysWOW64\ppdjkfh.exe"
        336⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\zopgvep.exe
        
        C:\Windows\system32\zopgvep.exe 536 "C:\Windows\SysWOW64\ppdjkfh.exe"
        337⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\hpohjlt.exe
        
        C:\Windows\system32\hpohjlt.exe 488 "C:\Windows\SysWOW64\zopgvep.exe"
        338⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\hpohjlt.exe
        
        C:\Windows\system32\hpohjlt.exe 488 "C:\Windows\SysWOW64\zopgvep.exe"
        339⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\umyjybe.exe
        
        C:\Windows\system32\umyjybe.exe 528 "C:\Windows\SysWOW64\hpohjlt.exe"
        340⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\umyjybe.exe
        
        C:\Windows\system32\umyjybe.exe 528 "C:\Windows\SysWOW64\hpohjlt.exe"
        341⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\eiyufwf.exe
        
        C:\Windows\system32\eiyufwf.exe 496 "C:\Windows\SysWOW64\umyjybe.exe"
        342⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\eiyufwf.exe
        
        C:\Windows\system32\eiyufwf.exe 496 "C:\Windows\SysWOW64\umyjybe.exe"
        343⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\bgfugds.exe
        
        C:\Windows\system32\bgfugds.exe 472 "C:\Windows\SysWOW64\eiyufwf.exe"
        344⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\bgfugds.exe
        
        C:\Windows\system32\bgfugds.exe 472 "C:\Windows\SysWOW64\eiyufwf.exe"
        345⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\oeaxpdp.exe
        
        C:\Windows\system32\oeaxpdp.exe 528 "C:\Windows\SysWOW64\bgfugds.exe"
        346⤵
        
        PID:784
        
        C:\Windows\SysWOW64\oeaxpdp.exe
        
        C:\Windows\system32\oeaxpdp.exe 528 "C:\Windows\SysWOW64\bgfugds.exe"
        347⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\vpzcmxg.exe
        
        C:\Windows\system32\vpzcmxg.exe 528 "C:\Windows\SysWOW64\oeaxpdp.exe"
        348⤵
        
        PID:996
        
        C:\Windows\SysWOW64\vpzcmxg.exe
        
        C:\Windows\system32\vpzcmxg.exe 528 "C:\Windows\SysWOW64\oeaxpdp.exe"
        349⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\dxucyuh.exe
        
        C:\Windows\system32\dxucyuh.exe 456 "C:\Windows\SysWOW64\vpzcmxg.exe"
        350⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\dxucyuh.exe
        
        C:\Windows\system32\dxucyuh.exe 456 "C:\Windows\SysWOW64\vpzcmxg.exe"
        351⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\tbcxczm.exe
        
        C:\Windows\system32\tbcxczm.exe 528 "C:\Windows\SysWOW64\dxucyuh.exe"
        352⤵
        
        PID:596
        
        C:\Windows\SysWOW64\tbcxczm.exe
        
        C:\Windows\system32\tbcxczm.exe 528 "C:\Windows\SysWOW64\dxucyuh.exe"
        353⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\aubcztu.exe
        
        C:\Windows\system32\aubcztu.exe 536 "C:\Windows\SysWOW64\tbcxczm.exe"
        354⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\aubcztu.exe
        
        C:\Windows\system32\aubcztu.exe 536 "C:\Windows\SysWOW64\tbcxczm.exe"
        355⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\nlwfiba.exe
        
        C:\Windows\system32\nlwfiba.exe 528 "C:\Windows\SysWOW64\aubcztu.exe"
        356⤵
        
        PID:768
        
        C:\Windows\SysWOW64\mhzeget.exe
        
        C:\Windows\system32\mhzeget.exe 528 "C:\Windows\SysWOW64\ziebpww.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\tsyjvyk.exe
        
        C:\Windows\system32\tsyjvyk.exe 528 "C:\Windows\SysWOW64\mhzeget.exe"
        8⤵
        
        PID:2472

C:\Windows\SysWOW64\hstvlbx.exe
C:\Windows\system32\hstvlbx.exe 528 "C:\Windows\SysWOW64\zruuwmt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1628
- C:\Windows\SysWOW64\tmzkwfb.exe
  C:\Windows\system32\tmzkwfb.exe 528 "C:\Windows\SysWOW64\hstvlbx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2284

C:\Windows\SysWOW64\tmzkwfb.exe
C:\Windows\system32\tmzkwfb.exe 528 "C:\Windows\SysWOW64\hstvlbx.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588
- C:\Windows\SysWOW64\buucqvl.exe
  C:\Windows\system32\buucqvl.exe 528 "C:\Windows\SysWOW64\tmzkwfb.exe"
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\gumzgko.exe
    C:\Windows\system32\gumzgko.exe 528 "C:\Windows\SysWOW64\tsyjvyk.exe"
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\qqfjwfp.exe
      C:\Windows\system32\qqfjwfp.exe 528 "C:\Windows\SysWOW64\gumzgko.exe"
      4⤵
      PID:2712
    - - C:\Windows\SysWOW64\qqfjwfp.exe
        
        C:\Windows\system32\qqfjwfp.exe 528 "C:\Windows\SysWOW64\gumzgko.exe"
        5⤵
        
        PID:2616
      - C:\Windows\SysWOW64\dgimffu.exe
        
        C:\Windows\system32\dgimffu.exe 536 "C:\Windows\SysWOW64\qqfjwfp.exe"
        6⤵
        
        PID:1180

C:\Windows\SysWOW64\buucqvl.exe
C:\Windows\system32\buucqvl.exe 528 "C:\Windows\SysWOW64\tmzkwfb.exe"
1⤵
- Executes dropped EXE
PID:2684
- C:\Windows\SysWOW64\lpnvypm.exe
  C:\Windows\system32\lpnvypm.exe 544 "C:\Windows\SysWOW64\buucqvl.exe"
  2⤵
  PID:1736

C:\Windows\SysWOW64\lpnvypm.exe
C:\Windows\system32\lpnvypm.exe 544 "C:\Windows\SysWOW64\buucqvl.exe"
1⤵
- Executes dropped EXE
PID:2988
- C:\Windows\SysWOW64\tuyahio.exe
  C:\Windows\system32\tuyahio.exe 528 "C:\Windows\SysWOW64\lpnvypm.exe"
  2⤵
  PID:440
- - C:\Windows\SysWOW64\tuyahio.exe
    C:\Windows\system32\tuyahio.exe 528 "C:\Windows\SysWOW64\lpnvypm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1780
  - - C:\Windows\SysWOW64\abtacyy.exe
      C:\Windows\system32\abtacyy.exe 452 "C:\Windows\SysWOW64\tuyahio.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1640
    - - C:\Windows\SysWOW64\abtacyy.exe
        
        C:\Windows\system32\abtacyy.exe 452 "C:\Windows\SysWOW64\tuyahio.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1020
      - C:\Windows\SysWOW64\fsqnymj.exe
        
        C:\Windows\system32\fsqnymj.exe 528 "C:\Windows\SysWOW64\abtacyy.exe"
        6⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\fsqnymj.exe
        
        C:\Windows\system32\fsqnymj.exe 528 "C:\Windows\SysWOW64\abtacyy.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\kbgqojp.exe
        
        C:\Windows\system32\kbgqojp.exe 536 "C:\Windows\SysWOW64\fsqnymj.exe"
        8⤵
        
        PID:460
        
        C:\Windows\SysWOW64\kbgqojp.exe
        
        C:\Windows\system32\kbgqojp.exe 536 "C:\Windows\SysWOW64\fsqnymj.exe"
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\uaknzix.exe
        
        C:\Windows\system32\uaknzix.exe 536 "C:\Windows\SysWOW64\kbgqojp.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:2332

C:\Windows\SysWOW64\uaknzix.exe
C:\Windows\system32\uaknzix.exe 536 "C:\Windows\SysWOW64\kbgqojp.exe"
1⤵
PID:1332
- C:\Windows\SysWOW64\ezoljhw.exe
  C:\Windows\system32\ezoljhw.exe 528 "C:\Windows\SysWOW64\uaknzix.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2176
- - C:\Windows\SysWOW64\ezoljhw.exe
    C:\Windows\system32\ezoljhw.exe 528 "C:\Windows\SysWOW64\uaknzix.exe"
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\oyaibfe.exe
      C:\Windows\system32\oyaibfe.exe 528 "C:\Windows\SysWOW64\ezoljhw.exe"
      4⤵
      PID:2624
    - - C:\Windows\SysWOW64\oyaibfe.exe
        
        C:\Windows\system32\oyaibfe.exe 528 "C:\Windows\SysWOW64\ezoljhw.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2680
      - C:\Windows\SysWOW64\yfegmel.exe
        
        C:\Windows\system32\yfegmel.exe 536 "C:\Windows\SysWOW64\oyaibfe.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:1664
        
        C:\Windows\SysWOW64\yfegmel.exe
        
        C:\Windows\system32\yfegmel.exe 536 "C:\Windows\SysWOW64\oyaibfe.exe"
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\lwhiumr.exe
        
        C:\Windows\system32\lwhiumr.exe 528 "C:\Windows\SysWOW64\yfegmel.exe"
        8⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\lwhiumr.exe
        
        C:\Windows\system32\lwhiumr.exe 528 "C:\Windows\SysWOW64\yfegmel.exe"
        9⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\shgnrgz.exe
        
        C:\Windows\system32\shgnrgz.exe 528 "C:\Windows\SysWOW64\lwhiumr.exe"
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\shgnrgz.exe
        
        C:\Windows\system32\shgnrgz.exe 528 "C:\Windows\SysWOW64\lwhiumr.exe"
        11⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\aptoewj.exe
        
        C:\Windows\system32\aptoewj.exe 528 "C:\Windows\SysWOW64\shgnrgz.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:1968
        
        C:\Windows\SysWOW64\aptoewj.exe
        
        C:\Windows\system32\aptoewj.exe 528 "C:\Windows\SysWOW64\shgnrgz.exe"
        13⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\kkuytqj.exe
        
        C:\Windows\system32\kkuytqj.exe 528 "C:\Windows\SysWOW64\aptoewj.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:2732
        
        C:\Windows\SysWOW64\kkuytqj.exe
        
        C:\Windows\system32\kkuytqj.exe 528 "C:\Windows\SysWOW64\aptoewj.exe"
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\ssqqfft.exe
        
        C:\Windows\system32\ssqqfft.exe 528 "C:\Windows\SysWOW64\kkuytqj.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:1356
        
        C:\Windows\SysWOW64\ssqqfft.exe
        
        C:\Windows\system32\ssqqfft.exe 528 "C:\Windows\SysWOW64\kkuytqj.exe"
        17⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\euwgrsx.exe
        
        C:\Windows\system32\euwgrsx.exe 536 "C:\Windows\SysWOW64\ssqqfft.exe"
        18⤵
        
        PID:1460

C:\Windows\SysWOW64\gckhpkn.exe
C:\Windows\system32\gckhpkn.exe 464 "C:\Windows\SysWOW64\zjlhbdj.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\euwgrsx.exe
C:\Windows\system32\euwgrsx.exe 536 "C:\Windows\SysWOW64\ssqqfft.exe"
1⤵
PID:2760
- C:\Windows\SysWOW64\jhfvxww.exe
  C:\Windows\system32\jhfvxww.exe 528 "C:\Windows\SysWOW64\euwgrsx.exe"
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\jhfvxww.exe
    C:\Windows\system32\jhfvxww.exe 528 "C:\Windows\SysWOW64\euwgrsx.exe"
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\uortpve.exe
      C:\Windows\system32\uortpve.exe 528 "C:\Windows\SysWOW64\jhfvxww.exe"
      4⤵
      PID:1944

C:\Windows\SysWOW64\zjlhbdj.exe
C:\Windows\system32\zjlhbdj.exe 476 "C:\Windows\SysWOW64\uhdzclz.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884

C:\Windows\SysWOW64\uortpve.exe
C:\Windows\system32\uortpve.exe 528 "C:\Windows\SysWOW64\jhfvxww.exe"
1⤵
PID:1932
- C:\Windows\SysWOW64\bwftbkn.exe
  C:\Windows\system32\bwftbkn.exe 528 "C:\Windows\SysWOW64\uortpve.exe"
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\bwftbkn.exe
    C:\Windows\system32\bwftbkn.exe 528 "C:\Windows\SysWOW64\uortpve.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:1308
  - - C:\Windows\SysWOW64\lvrqujv.exe
      C:\Windows\system32\lvrqujv.exe 528 "C:\Windows\SysWOW64\bwftbkn.exe"
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\lvrqujv.exe
        
        C:\Windows\system32\lvrqujv.exe 528 "C:\Windows\SysWOW64\bwftbkn.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:832
      - C:\Windows\SysWOW64\scejgye.exe
        
        C:\Windows\system32\scejgye.exe 528 "C:\Windows\SysWOW64\lvrqujv.exe"
        6⤵
        
        PID:700
        
        C:\Windows\SysWOW64\scejgye.exe
        
        C:\Windows\system32\scejgye.exe 528 "C:\Windows\SysWOW64\lvrqujv.exe"
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\gpwgmcd.exe
        
        C:\Windows\system32\gpwgmcd.exe 536 "C:\Windows\SysWOW64\scejgye.exe"
        8⤵
        
        PID:2396

C:\Windows\SysWOW64\gpwgmcd.exe
C:\Windows\system32\gpwgmcd.exe 536 "C:\Windows\SysWOW64\scejgye.exe"
1⤵
PID:1384
- C:\Windows\SysWOW64\qpaeebk.exe
  C:\Windows\system32\qpaeebk.exe 528 "C:\Windows\SysWOW64\gpwgmcd.exe"
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\qpaeebk.exe
    C:\Windows\system32\qpaeebk.exe 528 "C:\Windows\SysWOW64\gpwgmcd.exe"
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\awmbpak.exe
      C:\Windows\system32\awmbpak.exe 528 "C:\Windows\SysWOW64\qpaeebk.exe"
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\awmbpak.exe
        
        C:\Windows\system32\awmbpak.exe 528 "C:\Windows\SysWOW64\qpaeebk.exe"
        5⤵
        
        PID:2644
      - C:\Windows\SysWOW64\kvqzzys.exe
        
        C:\Windows\system32\kvqzzys.exe 528 "C:\Windows\SysWOW64\awmbpak.exe"
        6⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\kvqzzys.exe
        
        C:\Windows\system32\kvqzzys.exe 528 "C:\Windows\SysWOW64\awmbpak.exe"
        7⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\rgpewsi.exe
        
        C:\Windows\system32\rgpewsi.exe 528 "C:\Windows\SysWOW64\kvqzzys.exe"
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rgpewsi.exe
        
        C:\Windows\system32\rgpewsi.exe 528 "C:\Windows\SysWOW64\kvqzzys.exe"
        9⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\rvnjnbl.exe
        
        C:\Windows\system32\rvnjnbl.exe 536 "C:\Windows\SysWOW64\rgpewsi.exe"
        10⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\rvnjnbl.exe
        
        C:\Windows\system32\rvnjnbl.exe 536 "C:\Windows\SysWOW64\rgpewsi.exe"
        11⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\ydibhyu.exe
        
        C:\Windows\system32\ydibhyu.exe 536 "C:\Windows\SysWOW64\rvnjnbl.exe"
        12⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\ydibhyu.exe
        
        C:\Windows\system32\ydibhyu.exe 536 "C:\Windows\SysWOW64\rvnjnbl.exe"
        13⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\ghkorjx.exe
        
        C:\Windows\system32\ghkorjx.exe 528 "C:\Windows\SysWOW64\ydibhyu.exe"
        14⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\ghkorjx.exe
        
        C:\Windows\system32\ghkorjx.exe 528 "C:\Windows\SysWOW64\ydibhyu.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Windows\SysWOW64\txnrzrd.exe
        
        C:\Windows\system32\txnrzrd.exe 540 "C:\Windows\SysWOW64\ghkorjx.exe"
        16⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\txnrzrd.exe
        
        C:\Windows\system32\txnrzrd.exe 540 "C:\Windows\SysWOW64\ghkorjx.exe"
        17⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\xrvrycn.exe
        
        C:\Windows\system32\xrvrycn.exe 528 "C:\Windows\SysWOW64\txnrzrd.exe"
        18⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\xrvrycn.exe
        
        C:\Windows\system32\xrvrycn.exe 528 "C:\Windows\SysWOW64\txnrzrd.exe"
        19⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\kmnpefm.exe
        
        C:\Windows\system32\kmnpefm.exe 528 "C:\Windows\SysWOW64\xrvrycn.exe"
        20⤵
        Suspicious use of SetThreadContext
        
        PID:1728

C:\Windows\SysWOW64\kmnpefm.exe
C:\Windows\system32\kmnpefm.exe 528 "C:\Windows\SysWOW64\xrvrycn.exe"
1⤵
PID:2156
- C:\Windows\SysWOW64\sxlubzc.exe
  C:\Windows\system32\sxlubzc.exe 528 "C:\Windows\SysWOW64\kmnpefm.exe"
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\sxlubzc.exe
    C:\Windows\system32\sxlubzc.exe 528 "C:\Windows\SysWOW64\kmnpefm.exe"
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\ctmejud.exe
      C:\Windows\system32\ctmejud.exe 540 "C:\Windows\SysWOW64\sxlubzc.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1944
    - - C:\Windows\SysWOW64\ctmejud.exe
        
        C:\Windows\system32\ctmejud.exe 540 "C:\Windows\SysWOW64\sxlubzc.exe"
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\mofxyoe.exe
        
        C:\Windows\system32\mofxyoe.exe 528 "C:\Windows\SysWOW64\ctmejud.exe"
        6⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\mofxyoe.exe
        
        C:\Windows\system32\mofxyoe.exe 528 "C:\Windows\SysWOW64\ctmejud.exe"
        7⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\xorujnl.exe
        
        C:\Windows\system32\xorujnl.exe 528 "C:\Windows\SysWOW64\mofxyoe.exe"
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\xorujnl.exe
        
        C:\Windows\system32\xorujnl.exe 528 "C:\Windows\SysWOW64\mofxyoe.exe"
        9⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\ezqzght.exe
        
        C:\Windows\system32\ezqzght.exe 536 "C:\Windows\SysWOW64\xorujnl.exe"
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\ezqzght.exe
        
        C:\Windows\system32\ezqzght.exe 536 "C:\Windows\SysWOW64\xorujnl.exe"
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\lolrswd.exe
        
        C:\Windows\system32\lolrswd.exe 528 "C:\Windows\SysWOW64\ezqzght.exe"
        12⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\ulspodl.exe
        
        C:\Windows\system32\ulspodl.exe 528 "C:\Windows\SysWOW64\kjdfbif.exe"
        13⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\ehtaeyu.exe
        
        C:\Windows\system32\ehtaeyu.exe 536 "C:\Windows\SysWOW64\ulspodl.exe"
        14⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\ehtaeyu.exe
        
        C:\Windows\system32\ehtaeyu.exe 536 "C:\Windows\SysWOW64\ulspodl.exe"
        15⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\orjkrba.exe
        
        C:\Windows\system32\orjkrba.exe 528 "C:\Windows\SysWOW64\ehtaeyu.exe"
        16⤵
        
        PID:956
        
        C:\Windows\SysWOW64\orjkrba.exe
        
        C:\Windows\system32\orjkrba.exe 528 "C:\Windows\SysWOW64\ehtaeyu.exe"
        17⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\besaxfz.exe
        
        C:\Windows\system32\besaxfz.exe 520 "C:\Windows\SysWOW64\orjkrba.exe"
        18⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\besaxfz.exe
        
        C:\Windows\system32\besaxfz.exe 520 "C:\Windows\SysWOW64\orjkrba.exe"
        19⤵
        
        PID:2768

C:\Windows\SysWOW64\lolrswd.exe
C:\Windows\system32\lolrswd.exe 528 "C:\Windows\SysWOW64\ezqzght.exe"
1⤵
PID:2360
- C:\Windows\SysWOW64\vkekaqe.exe
  C:\Windows\system32\vkekaqe.exe 452 "C:\Windows\SysWOW64\lolrswd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1976
- - C:\Windows\SysWOW64\vkekaqe.exe
    C:\Windows\system32\vkekaqe.exe 452 "C:\Windows\SysWOW64\lolrswd.exe"
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\dsacuon.exe
      C:\Windows\system32\dsacuon.exe 484 "C:\Windows\SysWOW64\vkekaqe.exe"
      4⤵
      PID:1712

C:\Windows\SysWOW64\dsacuon.exe
C:\Windows\system32\dsacuon.exe 484 "C:\Windows\SysWOW64\vkekaqe.exe"
1⤵
- Drops file in System32 directory
PID:1624
- C:\Windows\SysWOW64\qfjsaku.exe
  C:\Windows\system32\qfjsaku.exe 536 "C:\Windows\SysWOW64\dsacuon.exe"
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\qfjsaku.exe
    C:\Windows\system32\qfjsaku.exe 536 "C:\Windows\SysWOW64\dsacuon.exe"
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\aevpkju.exe
      C:\Windows\system32\aevpkju.exe 532 "C:\Windows\SysWOW64\qfjsaku.exe"
      4⤵
      PID:2484

C:\Windows\SysWOW64\aevpkju.exe
C:\Windows\system32\aevpkju.exe 532 "C:\Windows\SysWOW64\qfjsaku.exe"
1⤵
PID:2596
- C:\Windows\SysWOW64\kdzuchb.exe
  C:\Windows\system32\kdzuchb.exe 536 "C:\Windows\SysWOW64\aevpkju.exe"
  2⤵
  PID:2380
- - C:\Windows\SysWOW64\kdzuchb.exe
    C:\Windows\system32\kdzuchb.exe 536 "C:\Windows\SysWOW64\aevpkju.exe"
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\pqtuwrg.exe
      C:\Windows\system32\pqtuwrg.exe 528 "C:\Windows\SysWOW64\kdzuchb.exe"
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\pqtuwrg.exe
        
        C:\Windows\system32\pqtuwrg.exe 528 "C:\Windows\SysWOW64\kdzuchb.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2452
      - C:\Windows\SysWOW64\zpfagqn.exe
        
        C:\Windows\system32\zpfagqn.exe 476 "C:\Windows\SysWOW64\pqtuwrg.exe"
        6⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\zpfagqn.exe
        
        C:\Windows\system32\zpfagqn.exe 476 "C:\Windows\SysWOW64\pqtuwrg.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\jdypwxa.exe
        
        C:\Windows\system32\jdypwxa.exe 536 "C:\Windows\SysWOW64\zpfagqn.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:460
        
        C:\Windows\SysWOW64\jdypwxa.exe
        
        C:\Windows\system32\jdypwxa.exe 536 "C:\Windows\SysWOW64\zpfagqn.exe"
        9⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\uvnujnc.exe
        
        C:\Windows\system32\uvnujnc.exe 452 "C:\Windows\SysWOW64\jdypwxa.exe"
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\uvnujnc.exe
        
        C:\Windows\system32\uvnujnc.exe 452 "C:\Windows\SysWOW64\jdypwxa.exe"
        11⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\dylfwrj.exe
        
        C:\Windows\system32\dylfwrj.exe 528 "C:\Windows\SysWOW64\uvnujnc.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:1224
        
        C:\Windows\SysWOW64\dylfwrj.exe
        
        C:\Windows\system32\dylfwrj.exe 528 "C:\Windows\SysWOW64\uvnujnc.exe"
        13⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\iddpnjc.exe
        
        C:\Windows\system32\iddpnjc.exe 528 "C:\Windows\SysWOW64\dylfwrj.exe"
        14⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\iddpnjc.exe
        
        C:\Windows\system32\iddpnjc.exe 528 "C:\Windows\SysWOW64\dylfwrj.exe"
        15⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\ssyjbzt.exe
        
        C:\Windows\system32\ssyjbzt.exe 452 "C:\Windows\SysWOW64\iddpnjc.exe"
        16⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\ssyjbzt.exe
        
        C:\Windows\system32\ssyjbzt.exe 452 "C:\Windows\SysWOW64\iddpnjc.exe"
        17⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\xtgesez.exe
        
        C:\Windows\system32\xtgesez.exe 452 "C:\Windows\SysWOW64\ssyjbzt.exe"
        18⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\xtgesez.exe
        
        C:\Windows\system32\xtgesez.exe 452 "C:\Windows\SysWOW64\ssyjbzt.exe"
        19⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\rdilpyn.exe
        
        C:\Windows\system32\rdilpyn.exe 504 "C:\Windows\SysWOW64\xtgesez.exe"
        20⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\rdilpyn.exe
        
        C:\Windows\system32\rdilpyn.exe 504 "C:\Windows\SysWOW64\xtgesez.exe"
        21⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\kkkzuzh.exe
        
        C:\Windows\system32\kkkzuzh.exe 528 "C:\Windows\SysWOW64\rdilpyn.exe"
        22⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\kkkzuzh.exe
        
        C:\Windows\system32\kkkzuzh.exe 528 "C:\Windows\SysWOW64\rdilpyn.exe"
        23⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\unzjiuv.exe
        
        C:\Windows\system32\unzjiuv.exe 528 "C:\Windows\SysWOW64\kkkzuzh.exe"
        24⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\oordzcn.exe
        
        C:\Windows\system32\oordzcn.exe 528 "C:\Windows\SysWOW64\eectezg.exe"
        17⤵
        
        PID:568
        
        C:\Windows\SysWOW64\yroomft.exe
        
        C:\Windows\system32\yroomft.exe 536 "C:\Windows\SysWOW64\oordzcn.exe"
        18⤵
        
        PID:800
        
        C:\Windows\SysWOW64\yroomft.exe
        
        C:\Windows\system32\yroomft.exe 536 "C:\Windows\SysWOW64\oordzcn.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1736
        
        C:\Windows\SysWOW64\imhyuac.exe
        
        C:\Windows\system32\imhyuac.exe 528 "C:\Windows\SysWOW64\yroomft.exe"
        20⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\imhyuac.exe
        
        C:\Windows\system32\imhyuac.exe 528 "C:\Windows\SysWOW64\yroomft.exe"
        21⤵
        
        PID:552
        
        C:\Windows\SysWOW64\sxxjpdi.exe
        
        C:\Windows\system32\sxxjpdi.exe 536 "C:\Windows\SysWOW64\imhyuac.exe"
        22⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\sxxjpdi.exe
        
        C:\Windows\system32\sxxjpdi.exe 536 "C:\Windows\SysWOW64\imhyuac.exe"
        23⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cwjgzbq.exe
        
        C:\Windows\system32\cwjgzbq.exe 536 "C:\Windows\SysWOW64\sxxjpdi.exe"
        24⤵
        
        PID:2140

C:\Windows\SysWOW64\unzjiuv.exe
C:\Windows\system32\unzjiuv.exe 528 "C:\Windows\SysWOW64\kkkzuzh.exe"
1⤵
PID:1696
- C:\Windows\SysWOW64\euegatv.exe
  C:\Windows\system32\euegatv.exe 536 "C:\Windows\SysWOW64\unzjiuv.exe"
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\euegatv.exe
    C:\Windows\system32\euegatv.exe 536 "C:\Windows\SysWOW64\unzjiuv.exe"
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\otqeksc.exe
      C:\Windows\system32\otqeksc.exe 528 "C:\Windows\SysWOW64\euegatv.exe"
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\otqeksc.exe
        
        C:\Windows\system32\otqeksc.exe 528 "C:\Windows\SysWOW64\euegatv.exe"
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\ivjmquq.exe
        
        C:\Windows\system32\ivjmquq.exe 528 "C:\Windows\SysWOW64\otqeksc.exe"
        6⤵
        
        PID:2404

C:\Windows\SysWOW64\ivjmquq.exe
C:\Windows\system32\ivjmquq.exe 528 "C:\Windows\SysWOW64\otqeksc.exe"
1⤵
PID:2264
- C:\Windows\SysWOW64\scvjatx.exe
  C:\Windows\system32\scvjatx.exe 544 "C:\Windows\SysWOW64\ivjmquq.exe"
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\scvjatx.exe
    C:\Windows\system32\scvjatx.exe 544 "C:\Windows\SysWOW64\ivjmquq.exe"
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\cbzhlrf.exe
      C:\Windows\system32\cbzhlrf.exe 528 "C:\Windows\SysWOW64\scvjatx.exe"
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\cbzhlrf.exe
        
        C:\Windows\system32\cbzhlrf.exe 528 "C:\Windows\SysWOW64\scvjatx.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2748
      - C:\Windows\SysWOW64\cfkucdi.exe
        
        C:\Windows\system32\cfkucdi.exe 536 "C:\Windows\SysWOW64\cbzhlrf.exe"
        6⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cfkucdi.exe
        
        C:\Windows\system32\cfkucdi.exe 536 "C:\Windows\SysWOW64\cbzhlrf.exe"
        7⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\pwewlln.exe
        
        C:\Windows\system32\pwewlln.exe 536 "C:\Windows\SysWOW64\cfkucdi.exe"
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\pwewlln.exe
        
        C:\Windows\system32\pwewlln.exe 536 "C:\Windows\SysWOW64\cfkucdi.exe"
        9⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\wwbhzvh.exe
        
        C:\Windows\system32\wwbhzvh.exe 480 "C:\Windows\SysWOW64\pwewlln.exe"
        10⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\wwbhzvh.exe
        
        C:\Windows\system32\wwbhzvh.exe 480 "C:\Windows\SysWOW64\pwewlln.exe"
        11⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\tqwuppn.exe
        
        C:\Windows\system32\tqwuppn.exe 516 "C:\Windows\SysWOW64\wwbhzvh.exe"
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\tqwuppn.exe
        
        C:\Windows\system32\tqwuppn.exe 516 "C:\Windows\SysWOW64\wwbhzvh.exe"
        13⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\gkdkbcr.exe
        
        C:\Windows\system32\gkdkbcr.exe 528 "C:\Windows\SysWOW64\tqwuppn.exe"
        14⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\gkdkbcr.exe
        
        C:\Windows\system32\gkdkbcr.exe 528 "C:\Windows\SysWOW64\tqwuppn.exe"
        15⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\qrphtbz.exe
        
        C:\Windows\system32\qrphtbz.exe 536 "C:\Windows\SysWOW64\gkdkbcr.exe"
        16⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\qrphtbz.exe
        
        C:\Windows\system32\qrphtbz.exe 536 "C:\Windows\SysWOW64\gkdkbcr.exe"
        17⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\linafgh.exe
        
        C:\Windows\system32\linafgh.exe 528 "C:\Windows\SysWOW64\qrphtbz.exe"
        18⤵
        
        PID:784
        
        C:\Windows\SysWOW64\linafgh.exe
        
        C:\Windows\system32\linafgh.exe 528 "C:\Windows\SysWOW64\qrphtbz.exe"
        19⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\lcxrqvj.exe
        
        C:\Windows\system32\lcxrqvj.exe 536 "C:\Windows\SysWOW64\linafgh.exe"
        20⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\lcxrqvj.exe
        
        C:\Windows\system32\lcxrqvj.exe 536 "C:\Windows\SysWOW64\linafgh.exe"
        21⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\qsdryjs.exe
        
        C:\Windows\system32\qsdryjs.exe 528 "C:\Windows\SysWOW64\lcxrqvj.exe"
        22⤵
        
        PID:1404

C:\Windows\SysWOW64\qsdryjs.exe
C:\Windows\system32\qsdryjs.exe 528 "C:\Windows\SysWOW64\lcxrqvj.exe"
1⤵
PID:2260
- C:\Windows\SysWOW64\agdpwif.exe
  C:\Windows\system32\agdpwif.exe 528 "C:\Windows\SysWOW64\qsdryjs.exe"
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\agdpwif.exe
    C:\Windows\system32\agdpwif.exe 528 "C:\Windows\SysWOW64\qsdryjs.exe"
    3⤵
    - Drops file in System32 directory
    PID:2312
  - - C:\Windows\SysWOW64\fhmkeol.exe
      C:\Windows\system32\fhmkeol.exe 540 "C:\Windows\SysWOW64\agdpwif.exe"
      4⤵
      PID:328
    - - C:\Windows\SysWOW64\fhmkeol.exe
        
        C:\Windows\system32\fhmkeol.exe 540 "C:\Windows\SysWOW64\agdpwif.exe"
        5⤵
        
        PID:944
      - C:\Windows\SysWOW64\pdnuuim.exe
        
        C:\Windows\system32\pdnuuim.exe 528 "C:\Windows\SysWOW64\fhmkeol.exe"
        6⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\pdnuuim.exe
        
        C:\Windows\system32\pdnuuim.exe 528 "C:\Windows\SysWOW64\fhmkeol.exe"
        7⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\zrnrkqz.exe
        
        C:\Windows\system32\zrnrkqz.exe 536 "C:\Windows\SysWOW64\pdnuuim.exe"
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\zrnrkqz.exe
        
        C:\Windows\system32\zrnrkqz.exe 536 "C:\Windows\SysWOW64\pdnuuim.exe"
        9⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\jngcska.exe
        
        C:\Windows\system32\jngcska.exe 528 "C:\Windows\SysWOW64\zrnrkqz.exe"
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\jngcska.exe
        
        C:\Windows\system32\jngcska.exe 528 "C:\Windows\SysWOW64\zrnrkqz.exe"
        11⤵
        
        PID:900
        
        C:\Windows\SysWOW64\ruccmzj.exe
        
        C:\Windows\system32\ruccmzj.exe 540 "C:\Windows\SysWOW64\jngcska.exe"
        12⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\ruccmzj.exe
        
        C:\Windows\system32\ruccmzj.exe 540 "C:\Windows\SysWOW64\jngcska.exe"
        13⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\dwikxmn.exe
        
        C:\Windows\system32\dwikxmn.exe 528 "C:\Windows\SysWOW64\ruccmzj.exe"
        14⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\dwikxmn.exe
        
        C:\Windows\system32\dwikxmn.exe 528 "C:\Windows\SysWOW64\ruccmzj.exe"
        15⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\osicngw.exe
        
        C:\Windows\system32\osicngw.exe 528 "C:\Windows\SysWOW64\dwikxmn.exe"
        16⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\osicngw.exe
        
        C:\Windows\system32\osicngw.exe 528 "C:\Windows\SysWOW64\dwikxmn.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3008
        
        C:\Windows\SysWOW64\yobmubx.exe
        
        C:\Windows\system32\yobmubx.exe 528 "C:\Windows\SysWOW64\osicngw.exe"
        18⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\yobmubx.exe
        
        C:\Windows\system32\yobmubx.exe 528 "C:\Windows\SysWOW64\osicngw.exe"
        19⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\iqrxied.exe
        
        C:\Windows\system32\iqrxied.exe 528 "C:\Windows\SysWOW64\yobmubx.exe"
        20⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\iqrxied.exe
        
        C:\Windows\system32\iqrxied.exe 528 "C:\Windows\SysWOW64\yobmubx.exe"
        21⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\qymxctn.exe
        
        C:\Windows\system32\qymxctn.exe 528 "C:\Windows\SysWOW64\iqrxied.exe"
        22⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\qymxctn.exe
        
        C:\Windows\system32\qymxctn.exe 528 "C:\Windows\SysWOW64\iqrxied.exe"
        23⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\cwhskcs.exe
        
        C:\Windows\system32\cwhskcs.exe 536 "C:\Windows\SysWOW64\qymxctn.exe"
        24⤵
        
        PID:2764

C:\Windows\SysWOW64\cwhskcs.exe
C:\Windows\system32\cwhskcs.exe 536 "C:\Windows\SysWOW64\qymxctn.exe"
1⤵
PID:2552
- C:\Windows\SysWOW64\pnkutcq.exe
  C:\Windows\system32\pnkutcq.exe 544 "C:\Windows\SysWOW64\cwhskcs.exe"
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\pnkutcq.exe
    C:\Windows\system32\pnkutcq.exe 544 "C:\Windows\SysWOW64\cwhskcs.exe"
    3⤵
    - Drops file in System32 directory
    PID:764
  - - C:\Windows\SysWOW64\udhppqb.exe
      C:\Windows\system32\udhppqb.exe 528 "C:\Windows\SysWOW64\pnkutcq.exe"
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\udhppqb.exe
        
        C:\Windows\system32\udhppqb.exe 528 "C:\Windows\SysWOW64\pnkutcq.exe"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\hfnfauo.exe
        
        C:\Windows\system32\hfnfauo.exe 528 "C:\Windows\SysWOW64\udhppqb.exe"
        6⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\hfnfauo.exe
        
        C:\Windows\system32\hfnfauo.exe 528 "C:\Windows\SysWOW64\udhppqb.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1440
        
        C:\Windows\SysWOW64\obxkknq.exe
        
        C:\Windows\system32\obxkknq.exe 488 "C:\Windows\SysWOW64\hfnfauo.exe"
        8⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\obxkknq.exe
        
        C:\Windows\system32\obxkknq.exe 488 "C:\Windows\SysWOW64\hfnfauo.exe"
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\bddadsv.exe
        
        C:\Windows\system32\bddadsv.exe 528 "C:\Windows\SysWOW64\obxkknq.exe"
        10⤵
        
        PID:928
        
        C:\Windows\SysWOW64\bddadsv.exe
        
        C:\Windows\system32\bddadsv.exe 528 "C:\Windows\SysWOW64\obxkknq.exe"
        11⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\ocgcmaa.exe
        
        C:\Windows\system32\ocgcmaa.exe 536 "C:\Windows\SysWOW64\bddadsv.exe"
        12⤵
        
        PID:2384
- - C:\Windows\SysWOW64\ahnvlmz.exe
    C:\Windows\system32\ahnvlmz.exe 528 "C:\Windows\SysWOW64\pijxbnr.exe"
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\nfqyuue.exe
      C:\Windows\system32\nfqyuue.exe 528 "C:\Windows\SysWOW64\ahnvlmz.exe"
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\nfqyuue.exe
        
        C:\Windows\system32\nfqyuue.exe 528 "C:\Windows\SysWOW64\ahnvlmz.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2068
      - C:\Windows\SysWOW64\asaniyd.exe
        
        C:\Windows\system32\asaniyd.exe 536 "C:\Windows\SysWOW64\nfqyuue.exe"
        6⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\asaniyd.exe
        
        C:\Windows\system32\asaniyd.exe 536 "C:\Windows\SysWOW64\nfqyuue.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1460
        
        C:\Windows\SysWOW64\havfunm.exe
        
        C:\Windows\system32\havfunm.exe 540 "C:\Windows\SysWOW64\asaniyd.exe"
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\havfunm.exe
        
        C:\Windows\system32\havfunm.exe 540 "C:\Windows\SysWOW64\asaniyd.exe"
        9⤵
        
        PID:300
        
        C:\Windows\SysWOW64\rzzdemu.exe
        
        C:\Windows\system32\rzzdemu.exe 540 "C:\Windows\SysWOW64\havfunm.exe"
        10⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\rzzdemu.exe
        
        C:\Windows\system32\rzzdemu.exe 540 "C:\Windows\SysWOW64\havfunm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1764
        
        C:\Windows\SysWOW64\ysyqbgc.exe
        
        C:\Windows\system32\ysyqbgc.exe 536 "C:\Windows\SysWOW64\rzzdemu.exe"
        12⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\ysyqbgc.exe
        
        C:\Windows\system32\ysyqbgc.exe 536 "C:\Windows\SysWOW64\rzzdemu.exe"
        13⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\gasqipg.exe
        
        C:\Windows\system32\gasqipg.exe 528 "C:\Windows\SysWOW64\ysyqbgc.exe"
        14⤵
        
        PID:2808

C:\Windows\SysWOW64\ocgcmaa.exe
C:\Windows\system32\ocgcmaa.exe 536 "C:\Windows\SysWOW64\bddadsv.exe"
1⤵
PID:2424
- C:\Windows\SysWOW64\vyiqvld.exe
  C:\Windows\system32\vyiqvld.exe 536 "C:\Windows\SysWOW64\ocgcmaa.exe"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\vyiqvld.exe
    C:\Windows\system32\vyiqvld.exe 536 "C:\Windows\SysWOW64\ocgcmaa.exe"
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\iaoxhyh.exe
      C:\Windows\system32\iaoxhyh.exe 528 "C:\Windows\SysWOW64\vyiqvld.exe"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\iaoxhyh.exe
        
        C:\Windows\system32\iaoxhyh.exe 528 "C:\Windows\SysWOW64\vyiqvld.exe"
        5⤵
        
        PID:2780
      - C:\Windows\SysWOW64\pijxbnr.exe
        
        C:\Windows\system32\pijxbnr.exe 528 "C:\Windows\SysWOW64\iaoxhyh.exe"
        6⤵
        
        PID:1644

C:\Windows\SysWOW64\gasqipg.exe
C:\Windows\system32\gasqipg.exe 528 "C:\Windows\SysWOW64\ysyqbgc.exe"
1⤵
PID:2252
- C:\Windows\SysWOW64\qlhavsm.exe
  C:\Windows\system32\qlhavsm.exe 536 "C:\Windows\SysWOW64\gasqipg.exe"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\qlhavsm.exe
    C:\Windows\system32\qlhavsm.exe 536 "C:\Windows\SysWOW64\gasqipg.exe"
    3⤵
    - Drops file in System32 directory
    PID:1632
  - - C:\Windows\SysWOW64\yegakhq.exe
      C:\Windows\system32\yegakhq.exe 528 "C:\Windows\SysWOW64\qlhavsm.exe"
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\yegakhq.exe
        
        C:\Windows\system32\yegakhq.exe 528 "C:\Windows\SysWOW64\qlhavsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2664
      - C:\Windows\SysWOW64\kjxdyqt.exe
        
        C:\Windows\system32\kjxdyqt.exe 528 "C:\Windows\SysWOW64\yegakhq.exe"
        6⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\kjxdyqt.exe
        
        C:\Windows\system32\kjxdyqt.exe 528 "C:\Windows\SysWOW64\yegakhq.exe"
        7⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\uibajpb.exe
        
        C:\Windows\system32\uibajpb.exe 528 "C:\Windows\SysWOW64\kjxdyqt.exe"
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\uibajpb.exe
        
        C:\Windows\system32\uibajpb.exe 528 "C:\Windows\SysWOW64\kjxdyqt.exe"
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\fpnyboi.exe
        
        C:\Windows\system32\fpnyboi.exe 528 "C:\Windows\SysWOW64\uibajpb.exe"
        10⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\fpnyboi.exe
        
        C:\Windows\system32\fpnyboi.exe 528 "C:\Windows\SysWOW64\uibajpb.exe"
        11⤵
        Suspicious use of SetThreadContext
        
        PID:1568
        
        C:\Windows\SysWOW64\rgibkwo.exe
        
        C:\Windows\system32\rgibkwo.exe 532 "C:\Windows\SysWOW64\fpnyboi.exe"
        12⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\rgibkwo.exe
        
        C:\Windows\system32\rgibkwo.exe 532 "C:\Windows\SysWOW64\fpnyboi.exe"
        13⤵
        Suspicious use of SetThreadContext
        
        PID:2564
        
        C:\Windows\SysWOW64\znwtwlp.exe
        
        C:\Windows\system32\znwtwlp.exe 528 "C:\Windows\SysWOW64\rgibkwo.exe"
        14⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\znwtwlp.exe
        
        C:\Windows\system32\znwtwlp.exe 528 "C:\Windows\SysWOW64\rgibkwo.exe"
        15⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\pseoaqu.exe
        
        C:\Windows\system32\pseoaqu.exe 536 "C:\Windows\SysWOW64\znwtwlp.exe"
        16⤵
        
        PID:868

C:\Windows\SysWOW64\pseoaqu.exe
C:\Windows\system32\pseoaqu.exe 536 "C:\Windows\SysWOW64\znwtwlp.exe"
1⤵
PID:2600
- C:\Windows\SysWOW64\zzilspu.exe
  C:\Windows\system32\zzilspu.exe 536 "C:\Windows\SysWOW64\pseoaqu.exe"
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\zzilspu.exe
    C:\Windows\system32\zzilspu.exe 536 "C:\Windows\SysWOW64\pseoaqu.exe"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\eectezg.exe
      C:\Windows\system32\eectezg.exe 456 "C:\Windows\SysWOW64\zzilspu.exe"
      4⤵
      PID:2096
    - - C:\Windows\SysWOW64\eectezg.exe
        
        C:\Windows\system32\eectezg.exe 456 "C:\Windows\SysWOW64\zzilspu.exe"
        5⤵
        
        PID:1800
      - C:\Windows\SysWOW64\oordzcn.exe
        
        C:\Windows\system32\oordzcn.exe 528 "C:\Windows\SysWOW64\eectezg.exe"
        6⤵
        
        PID:2540

C:\Windows\SysWOW64\cwjgzbq.exe
C:\Windows\system32\cwjgzbq.exe 536 "C:\Windows\SysWOW64\sxxjpdi.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1960
- C:\Windows\SysWOW64\pjsefxo.exe
  C:\Windows\system32\pjsefxo.exe 536 "C:\Windows\SysWOW64\cwjgzbq.exe"
  2⤵
  PID:2676

C:\Windows\SysWOW64\pjsefxo.exe
C:\Windows\system32\pjsefxo.exe 536 "C:\Windows\SysWOW64\cwjgzbq.exe"
1⤵
PID:868
- C:\Windows\SysWOW64\ziebpww.exe
  C:\Windows\system32\ziebpww.exe 528 "C:\Windows\SysWOW64\pjsefxo.exe"
  2⤵
  PID:1128

C:\Windows\SysWOW64\ziebpww.exe
C:\Windows\system32\ziebpww.exe 528 "C:\Windows\SysWOW64\pjsefxo.exe"
1⤵
PID:2700
- C:\Windows\SysWOW64\mhzeget.exe
  C:\Windows\system32\mhzeget.exe 528 "C:\Windows\SysWOW64\ziebpww.exe"
  2⤵
  PID:528

C:\Windows\SysWOW64\tsyjvyk.exe
C:\Windows\system32\tsyjvyk.exe 528 "C:\Windows\SysWOW64\mhzeget.exe"
1⤵
PID:2304
- C:\Windows\SysWOW64\gumzgko.exe
  C:\Windows\system32\gumzgko.exe 528 "C:\Windows\SysWOW64\tsyjvyk.exe"
  2⤵
  PID:2908

C:\Windows\SysWOW64\dgimffu.exe
C:\Windows\system32\dgimffu.exe 536 "C:\Windows\SysWOW64\qqfjwfp.exe"
1⤵
PID:2204
- C:\Windows\SysWOW64\kzgruhd.exe
  C:\Windows\system32\kzgruhd.exe 532 "C:\Windows\SysWOW64\dgimffu.exe"
  2⤵
  PID:2416

C:\Windows\SysWOW64\nlwfiba.exe
C:\Windows\system32\nlwfiba.exe 528 "C:\Windows\SysWOW64\aubcztu.exe"
1⤵
PID:2232
- C:\Windows\SysWOW64\abrhqjx.exe
  C:\Windows\system32\abrhqjx.exe 528 "C:\Windows\SysWOW64\nlwfiba.exe"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\abrhqjx.exe
    C:\Windows\system32\abrhqjx.exe 528 "C:\Windows\SysWOW64\nlwfiba.exe"
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\kjdfbif.exe
      C:\Windows\system32\kjdfbif.exe 528 "C:\Windows\SysWOW64\abrhqjx.exe"
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\kjdfbif.exe
        
        C:\Windows\system32\kjdfbif.exe 528 "C:\Windows\SysWOW64\abrhqjx.exe"
        5⤵
        
        PID:2836
      - C:\Windows\SysWOW64\ulspodl.exe
        
        C:\Windows\system32\ulspodl.exe 528 "C:\Windows\SysWOW64\kjdfbif.exe"
        6⤵
        
        PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gkyjqjz.exe

Filesize
440KB

MD5
39927b40478fb42bf73f909b1e3cbe18

SHA1
15d8cb53c2b5bf4e4e430d27a9c09584a0c741e6

SHA256
7f15f65eff5f4776a7a19cb5cc922f9e2e8c4cf5b066741fc0ea5190954a682f

SHA512
14ce0e8cb5e52a36531f45146302a0c6a965742673dde7207e7576df37a921ac6b284390bad59e9a6c03f87b33e6d9a255e052a124c34e87339adc449b75e8eb

Download Submit
memory/560-234-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/560-202-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/884-313-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/884-285-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1020-802-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1108-148-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1108-181-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1208-678-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1208-648-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1488-228-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1488-268-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1504-291-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1504-257-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1524-429-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1524-403-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1628-718-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1628-692-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1684-453-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1684-424-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1692-409-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1692-380-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1700-491-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1700-520-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1780-804-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1780-781-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1988-122-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1988-153-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2036-473-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2036-447-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2112-654-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2112-627-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2128-359-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2128-389-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2164-669-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2164-697-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2216-583-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2216-610-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2248-632-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2248-604-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2272-500-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2272-468-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2336-176-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2336-208-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2588-739-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2588-713-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2592-537-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2592-565-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2612-364-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2612-336-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-2-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-4-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-13-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-12-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-10-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-9-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-8-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-40-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2648-0-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-734-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-766-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2692-42-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2692-68-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-95-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-69-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2820-514-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2820-542-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2828-339-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2828-310-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2880-94-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2880-127-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2912-589-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2912-560-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2988-789-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2988-757-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download