a209b805e425ff789642890cd35d07539c7ef76dd3294e69becb7fd47f3bacb5

Analysis

max time kernel
40s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac4a48770b14b067fee1b89c6cf42611.exe
Size

217KB
MD5

ac4a48770b14b067fee1b89c6cf42611
SHA1

cd1b273cb013c73d3af92a74a0aac9b15152e4aa
SHA256

a209b805e425ff789642890cd35d07539c7ef76dd3294e69becb7fd47f3bacb5
SHA512

f9398e6906532dcaa603a2361bfc127a1ce4c407735c8d16afd5360372f292b50bdeb99067e5d0c85bf73bc94acfb2406ebb1bd4ec99c6baed946996aeae739a
SSDEEP

6144:R1n2GkIowqifuDLZpuHK3p9nMn/KLKsTV4VLRr:RF9k+xfuD1AqZoWvVKp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3016	ttybreykq.exe
2628	bxigapihd.exe
2452	sptrihyux.exe
2880	fgouqpebq.exe
2668	fvlriyhps.exe
2208	ztbukvwps.exe
1564	bshjiabky.exe
992	ginkqosmz.exe
1936	fimeswsit.exe
2780	hhbhbiddb.exe
384	bnrceyscc.exe
448	vhtcvuqnd.exe
1192	xoiflmrjx.exe
1092	ovinsnssl.exe
1644	dwsanyety.exe
2336	axknrbpcm.exe
2548	ddzyhtryg.exe
2348	hmwlvhcjn.exe
2920	hbtqupfxg.exe
2516	jahfsutsm.exe
1380	obpaazzgu.exe
276	qawqywmba.exe
1288	avwaoqnyo.exe
2000	dfoygmvxv.exe
2016	kyvdvodrp.exe
1648	mimtnklqv.exe
1588	whqqfjspw.exe
544	juiolfruk.exe
1340	ucmlwezuk.exe
2816	tygjsvpfd.exe
1448	dxkgltpfd.exe
2380	nwodvsxed.exe
1628	yrpwdnxkz.exe
2092	nlmjmjitf.exe
1884	pkayknvwl.exe
1968	uwugepaef.exe
2600	cpshseerf.exe
2316	qxcjtvzka.exe
2888	eckzsdfap.exe
2216	mnrktetev.exe
772	fbvfqrjwd.exe
1556	emfhezdvy.exe
2040	mjqfpwycz.exe
2252	vlfpdaeel.exe
2440	veoifmovs.exe
1056	aqiqqwsvm.exe
1692	fdbxjgfdg.exe
2356	kfjsaddro.exe
1460	zygfjzniu.exe
572	uwwaexvzu.exe
1684	edagwvczu.exe
1096	dzndtmlsv.exe
2688	nccngpzmh.exe
2400	vgmsyaccc.exe
2268	hisijngmi.exe
2520	uznlsnmtj.exe
2804	egzikmttj.exe
2460	ofdgvlbsj.exe
2644	zaeycfcqw.exe
648	jzivvejpw.exe
2984	ytfiwslgl.exe
1260	ljilnajod.exe
1544	qafgbouyk.exe
2752	iksyjlvxr.exe

Loads dropped DLL 64 IoCs

pid	Process
3028	ac4a48770b14b067fee1b89c6cf42611.exe
3028	ac4a48770b14b067fee1b89c6cf42611.exe
3016	ttybreykq.exe
3016	ttybreykq.exe
2628	bxigapihd.exe
2628	bxigapihd.exe
2452	sptrihyux.exe
2452	sptrihyux.exe
2880	fgouqpebq.exe
2880	fgouqpebq.exe
2668	fvlriyhps.exe
2668	fvlriyhps.exe
2208	ztbukvwps.exe
2208	ztbukvwps.exe
1564	bshjiabky.exe
1564	bshjiabky.exe
992	ginkqosmz.exe
992	ginkqosmz.exe
1936	fimeswsit.exe
1936	fimeswsit.exe
2780	hhbhbiddb.exe
2780	hhbhbiddb.exe
384	bnrceyscc.exe
384	bnrceyscc.exe
448	vhtcvuqnd.exe
448	vhtcvuqnd.exe
1192	xoiflmrjx.exe
1192	xoiflmrjx.exe
1092	ovinsnssl.exe
1092	ovinsnssl.exe
1644	dwsanyety.exe
1644	dwsanyety.exe
2336	axknrbpcm.exe
2336	axknrbpcm.exe
2548	ddzyhtryg.exe
2548	ddzyhtryg.exe
2348	hmwlvhcjn.exe
2348	hmwlvhcjn.exe
2920	hbtqupfxg.exe
2920	hbtqupfxg.exe
2516	jahfsutsm.exe
2516	jahfsutsm.exe
1380	obpaazzgu.exe
1380	obpaazzgu.exe
276	qawqywmba.exe
276	qawqywmba.exe
1288	avwaoqnyo.exe
1288	avwaoqnyo.exe
2000	dfoygmvxv.exe
2000	dfoygmvxv.exe
2016	kyvdvodrp.exe
2016	kyvdvodrp.exe
1648	mimtnklqv.exe
1648	mimtnklqv.exe
1588	whqqfjspw.exe
1588	whqqfjspw.exe
544	juiolfruk.exe
544	juiolfruk.exe
1340	ucmlwezuk.exe
1340	ucmlwezuk.exe
2816	tygjsvpfd.exe
2816	tygjsvpfd.exe
1448	dxkgltpfd.exe
1448	dxkgltpfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aemzhylmc.exe	llqmfljdw.exe
File created	C:\Windows\SysWOW64\vncsjupxt.exe	ialcerisf.exe
File opened for modification	C:\Windows\SysWOW64\bqjxoqewi.exe	mxmcedcfc.exe
File opened for modification	C:\Windows\SysWOW64\juiolfruk.exe	whqqfjspw.exe
File created	C:\Windows\SysWOW64\opaouefrf.exe	zvetkqdar.exe
File created	C:\Windows\SysWOW64\fbvfqrjwd.exe	mnrktetev.exe
File created	C:\Windows\SysWOW64\alqbbrccr.exe	nvnysrevy.exe
File opened for modification	C:\Windows\SysWOW64\aaggsinrs.exe	qbcjijfrs.exe
File created	C:\Windows\SysWOW64\dfoygmvxv.exe	avwaoqnyo.exe
File opened for modification	C:\Windows\SysWOW64\pkayknvwl.exe	nlmjmjitf.exe
File created	C:\Windows\SysWOW64\llqmfljdw.exe	ddculvzlw.exe
File opened for modification	C:\Windows\SysWOW64\fvlriyhps.exe	fgouqpebq.exe
File created	C:\Windows\SysWOW64\mnrktetev.exe	eckzsdfap.exe
File opened for modification	C:\Windows\SysWOW64\aqiqqwsvm.exe	veoifmovs.exe
File created	C:\Windows\SysWOW64\zygfjzniu.exe	kfjsaddro.exe
File created	C:\Windows\SysWOW64\uwwaexvzu.exe	zygfjzniu.exe
File opened for modification	C:\Windows\SysWOW64\zvetkqdar.exe	pwawasvar.exe
File opened for modification	C:\Windows\SysWOW64\mmdaidifh.exe	cqkpajhau.exe
File created	C:\Windows\SysWOW64\ztbukvwps.exe	fvlriyhps.exe
File created	C:\Windows\SysWOW64\ucmlwezuk.exe	juiolfruk.exe
File created	C:\Windows\SysWOW64\burggztpj.exe	ryywqfkro.exe
File created	C:\Windows\SysWOW64\jzivvejpw.exe	zaeycfcqw.exe
File opened for modification	C:\Windows\SysWOW64\xzaadflkd.exe	husfzroqo.exe
File opened for modification	C:\Windows\SysWOW64\edagwvczu.exe	uwwaexvzu.exe
File created	C:\Windows\SysWOW64\ddzyhtryg.exe	axknrbpcm.exe
File created	C:\Windows\SysWOW64\liwfskvmw.exe	valflssyu.exe
File created	C:\Windows\SysWOW64\hhlgmtabh.exe	snotcgykb.exe
File opened for modification	C:\Windows\SysWOW64\bxigapihd.exe	ttybreykq.exe
File created	C:\Windows\SysWOW64\fimeswsit.exe	ginkqosmz.exe
File opened for modification	C:\Windows\SysWOW64\kyvdvodrp.exe	dfoygmvxv.exe
File opened for modification	C:\Windows\SysWOW64\eckzsdfap.exe	qxcjtvzka.exe
File opened for modification	C:\Windows\SysWOW64\dzndtmlsv.exe	edagwvczu.exe
File created	C:\Windows\SysWOW64\wfeuyzurm.exe	jhjrqrwkl.exe
File opened for modification	C:\Windows\SysWOW64\tgohudgbz.exe	mnpcxjxgf.exe
File opened for modification	C:\Windows\SysWOW64\vncsjupxt.exe	ialcerisf.exe
File created	C:\Windows\SysWOW64\bshjiabky.exe	ztbukvwps.exe
File created	C:\Windows\SysWOW64\axknrbpcm.exe	dwsanyety.exe
File opened for modification	C:\Windows\SysWOW64\egzikmttj.exe	uznlsnmtj.exe
File opened for modification	C:\Windows\SysWOW64\wfeuyzurm.exe	jhjrqrwkl.exe
File created	C:\Windows\SysWOW64\ytfiwslgl.exe	jzivvejpw.exe
File created	C:\Windows\SysWOW64\lyudxntum.exe	bkcgzgoyn.exe
File created	C:\Windows\SysWOW64\hhbhbiddb.exe	fimeswsit.exe
File opened for modification	C:\Windows\SysWOW64\veoifmovs.exe	vlfpdaeel.exe
File created	C:\Windows\SysWOW64\veoifmovs.exe	vlfpdaeel.exe
File created	C:\Windows\SysWOW64\edagwvczu.exe	uwwaexvzu.exe
File created	C:\Windows\SysWOW64\egzikmttj.exe	uznlsnmtj.exe
File opened for modification	C:\Windows\SysWOW64\jzivvejpw.exe	zaeycfcqw.exe
File created	C:\Windows\SysWOW64\zonledmrf.exe	opaouefrf.exe
File opened for modification	C:\Windows\SysWOW64\ysaovcttb.exe	gkyjqjzxg.exe
File created	C:\Windows\SysWOW64\ttybreykq.exe	ac4a48770b14b067fee1b89c6cf42611.exe
File opened for modification	C:\Windows\SysWOW64\ttybreykq.exe	ac4a48770b14b067fee1b89c6cf42611.exe
File created	C:\Windows\SysWOW64\tgohudgbz.exe	mnpcxjxgf.exe
File opened for modification	C:\Windows\SysWOW64\woiegddoh.exe	kxnbxvxgg.exe
File opened for modification	C:\Windows\SysWOW64\ddculvzlw.exe	tafjystjc.exe
File created	C:\Windows\SysWOW64\xcthifqbd.exe	kdqezxtmc.exe
File opened for modification	C:\Windows\SysWOW64\sptrihyux.exe	bxigapihd.exe
File created	C:\Windows\SysWOW64\vgmsyaccc.exe	nccngpzmh.exe
File created	C:\Windows\SysWOW64\rqrnspcbk.exe	hqfqhqubj.exe
File opened for modification	C:\Windows\SysWOW64\qawqywmba.exe	obpaazzgu.exe
File opened for modification	C:\Windows\SysWOW64\vgmsyaccc.exe	nccngpzmh.exe
File opened for modification	C:\Windows\SysWOW64\mjqfpwycz.exe	emfhezdvy.exe
File created	C:\Windows\SysWOW64\aemzhylmc.exe	llqmfljdw.exe
File opened for modification	C:\Windows\SysWOW64\valflssyu.exe	lpnvypmwi.exe
File created	C:\Windows\SysWOW64\vsmqnncgj.exe	liwfskvmw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3016	3028	ac4a48770b14b067fee1b89c6cf42611.exe	28
PID 3028 wrote to memory of 3016	3028	ac4a48770b14b067fee1b89c6cf42611.exe	28
PID 3028 wrote to memory of 3016	3028	ac4a48770b14b067fee1b89c6cf42611.exe	28
PID 3028 wrote to memory of 3016	3028	ac4a48770b14b067fee1b89c6cf42611.exe	28
PID 3016 wrote to memory of 2628	3016	ttybreykq.exe	29
PID 3016 wrote to memory of 2628	3016	ttybreykq.exe	29
PID 3016 wrote to memory of 2628	3016	ttybreykq.exe	29
PID 3016 wrote to memory of 2628	3016	ttybreykq.exe	29
PID 2628 wrote to memory of 2452	2628	bxigapihd.exe	30
PID 2628 wrote to memory of 2452	2628	bxigapihd.exe	30
PID 2628 wrote to memory of 2452	2628	bxigapihd.exe	30
PID 2628 wrote to memory of 2452	2628	bxigapihd.exe	30
PID 2452 wrote to memory of 2880	2452	sptrihyux.exe	31
PID 2452 wrote to memory of 2880	2452	sptrihyux.exe	31
PID 2452 wrote to memory of 2880	2452	sptrihyux.exe	31
PID 2452 wrote to memory of 2880	2452	sptrihyux.exe	31
PID 2880 wrote to memory of 2668	2880	fgouqpebq.exe	32
PID 2880 wrote to memory of 2668	2880	fgouqpebq.exe	32
PID 2880 wrote to memory of 2668	2880	fgouqpebq.exe	32
PID 2880 wrote to memory of 2668	2880	fgouqpebq.exe	32
PID 2668 wrote to memory of 2208	2668	fvlriyhps.exe	33
PID 2668 wrote to memory of 2208	2668	fvlriyhps.exe	33
PID 2668 wrote to memory of 2208	2668	fvlriyhps.exe	33
PID 2668 wrote to memory of 2208	2668	fvlriyhps.exe	33
PID 2208 wrote to memory of 1564	2208	ztbukvwps.exe	34
PID 2208 wrote to memory of 1564	2208	ztbukvwps.exe	34
PID 2208 wrote to memory of 1564	2208	ztbukvwps.exe	34
PID 2208 wrote to memory of 1564	2208	ztbukvwps.exe	34
PID 1564 wrote to memory of 992	1564	bshjiabky.exe	35
PID 1564 wrote to memory of 992	1564	bshjiabky.exe	35
PID 1564 wrote to memory of 992	1564	bshjiabky.exe	35
PID 1564 wrote to memory of 992	1564	bshjiabky.exe	35
PID 992 wrote to memory of 1936	992	ginkqosmz.exe	36
PID 992 wrote to memory of 1936	992	ginkqosmz.exe	36
PID 992 wrote to memory of 1936	992	ginkqosmz.exe	36
PID 992 wrote to memory of 1936	992	ginkqosmz.exe	36
PID 1936 wrote to memory of 2780	1936	fimeswsit.exe	37
PID 1936 wrote to memory of 2780	1936	fimeswsit.exe	37
PID 1936 wrote to memory of 2780	1936	fimeswsit.exe	37
PID 1936 wrote to memory of 2780	1936	fimeswsit.exe	37
PID 2780 wrote to memory of 384	2780	hhbhbiddb.exe	38
PID 2780 wrote to memory of 384	2780	hhbhbiddb.exe	38
PID 2780 wrote to memory of 384	2780	hhbhbiddb.exe	38
PID 2780 wrote to memory of 384	2780	hhbhbiddb.exe	38
PID 384 wrote to memory of 448	384	bnrceyscc.exe	39
PID 384 wrote to memory of 448	384	bnrceyscc.exe	39
PID 384 wrote to memory of 448	384	bnrceyscc.exe	39
PID 384 wrote to memory of 448	384	bnrceyscc.exe	39
PID 448 wrote to memory of 1192	448	vhtcvuqnd.exe	40
PID 448 wrote to memory of 1192	448	vhtcvuqnd.exe	40
PID 448 wrote to memory of 1192	448	vhtcvuqnd.exe	40
PID 448 wrote to memory of 1192	448	vhtcvuqnd.exe	40
PID 1192 wrote to memory of 1092	1192	xoiflmrjx.exe	41
PID 1192 wrote to memory of 1092	1192	xoiflmrjx.exe	41
PID 1192 wrote to memory of 1092	1192	xoiflmrjx.exe	41
PID 1192 wrote to memory of 1092	1192	xoiflmrjx.exe	41
PID 1092 wrote to memory of 1644	1092	ovinsnssl.exe	42
PID 1092 wrote to memory of 1644	1092	ovinsnssl.exe	42
PID 1092 wrote to memory of 1644	1092	ovinsnssl.exe	42
PID 1092 wrote to memory of 1644	1092	ovinsnssl.exe	42
PID 1644 wrote to memory of 2336	1644	dwsanyety.exe	43
PID 1644 wrote to memory of 2336	1644	dwsanyety.exe	43
PID 1644 wrote to memory of 2336	1644	dwsanyety.exe	43
PID 1644 wrote to memory of 2336	1644	dwsanyety.exe	43

C:\Users\Admin\AppData\Local\Temp\ac4a48770b14b067fee1b89c6cf42611.exe
"C:\Users\Admin\AppData\Local\Temp\ac4a48770b14b067fee1b89c6cf42611.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\ttybreykq.exe
  C:\Windows\system32\ttybreykq.exe 540 "C:\Users\Admin\AppData\Local\Temp\ac4a48770b14b067fee1b89c6cf42611.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\bxigapihd.exe
    C:\Windows\system32\bxigapihd.exe 568 "C:\Windows\SysWOW64\ttybreykq.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\sptrihyux.exe
      C:\Windows\system32\sptrihyux.exe 488 "C:\Windows\SysWOW64\bxigapihd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\fgouqpebq.exe
        
        C:\Windows\system32\fgouqpebq.exe 576 "C:\Windows\SysWOW64\sptrihyux.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\fvlriyhps.exe
        
        C:\Windows\system32\fvlriyhps.exe 492 "C:\Windows\SysWOW64\fgouqpebq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\ztbukvwps.exe
        
        C:\Windows\system32\ztbukvwps.exe 496 "C:\Windows\SysWOW64\fvlriyhps.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\bshjiabky.exe
        
        C:\Windows\system32\bshjiabky.exe 500 "C:\Windows\SysWOW64\ztbukvwps.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\ginkqosmz.exe
        
        C:\Windows\system32\ginkqosmz.exe 504 "C:\Windows\SysWOW64\bshjiabky.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\fimeswsit.exe
        
        C:\Windows\system32\fimeswsit.exe 508 "C:\Windows\SysWOW64\ginkqosmz.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\hhbhbiddb.exe
        
        C:\Windows\system32\hhbhbiddb.exe 512 "C:\Windows\SysWOW64\fimeswsit.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\bnrceyscc.exe
        
        C:\Windows\system32\bnrceyscc.exe 544 "C:\Windows\SysWOW64\hhbhbiddb.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\vhtcvuqnd.exe
        
        C:\Windows\system32\vhtcvuqnd.exe 516 "C:\Windows\SysWOW64\bnrceyscc.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\xoiflmrjx.exe
        
        C:\Windows\system32\xoiflmrjx.exe 520 "C:\Windows\SysWOW64\vhtcvuqnd.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\ovinsnssl.exe
        
        C:\Windows\system32\ovinsnssl.exe 524 "C:\Windows\SysWOW64\xoiflmrjx.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\dwsanyety.exe
        
        C:\Windows\system32\dwsanyety.exe 528 "C:\Windows\SysWOW64\ovinsnssl.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\axknrbpcm.exe
        
        C:\Windows\system32\axknrbpcm.exe 624 "C:\Windows\SysWOW64\dwsanyety.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\ddzyhtryg.exe
        
        C:\Windows\system32\ddzyhtryg.exe 564 "C:\Windows\SysWOW64\axknrbpcm.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2548
        
        C:\Windows\SysWOW64\hmwlvhcjn.exe
        
        C:\Windows\system32\hmwlvhcjn.exe 632 "C:\Windows\SysWOW64\ddzyhtryg.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2348
        
        C:\Windows\SysWOW64\hbtqupfxg.exe
        
        C:\Windows\system32\hbtqupfxg.exe 636 "C:\Windows\SysWOW64\hmwlvhcjn.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2920
        
        C:\Windows\SysWOW64\jahfsutsm.exe
        
        C:\Windows\system32\jahfsutsm.exe 604 "C:\Windows\SysWOW64\hbtqupfxg.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2516
        
        C:\Windows\SysWOW64\obpaazzgu.exe
        
        C:\Windows\system32\obpaazzgu.exe 592 "C:\Windows\SysWOW64\jahfsutsm.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\qawqywmba.exe
        
        C:\Windows\system32\qawqywmba.exe 640 "C:\Windows\SysWOW64\obpaazzgu.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:276
        
        C:\Windows\SysWOW64\avwaoqnyo.exe
        
        C:\Windows\system32\avwaoqnyo.exe 652 "C:\Windows\SysWOW64\qawqywmba.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\dfoygmvxv.exe
        
        C:\Windows\system32\dfoygmvxv.exe 532 "C:\Windows\SysWOW64\avwaoqnyo.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\kyvdvodrp.exe
        
        C:\Windows\system32\kyvdvodrp.exe 580 "C:\Windows\SysWOW64\dfoygmvxv.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
        
        C:\Windows\SysWOW64\mimtnklqv.exe
        
        C:\Windows\system32\mimtnklqv.exe 536 "C:\Windows\SysWOW64\kyvdvodrp.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Windows\SysWOW64\whqqfjspw.exe
        
        C:\Windows\system32\whqqfjspw.exe 548 "C:\Windows\SysWOW64\mimtnklqv.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\juiolfruk.exe
        
        C:\Windows\system32\juiolfruk.exe 552 "C:\Windows\SysWOW64\whqqfjspw.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\ucmlwezuk.exe
        
        C:\Windows\system32\ucmlwezuk.exe 560 "C:\Windows\SysWOW64\juiolfruk.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1340
        
        C:\Windows\SysWOW64\tygjsvpfd.exe
        
        C:\Windows\system32\tygjsvpfd.exe 556 "C:\Windows\SysWOW64\ucmlwezuk.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Windows\SysWOW64\dxkgltpfd.exe
        
        C:\Windows\system32\dxkgltpfd.exe 608 "C:\Windows\SysWOW64\tygjsvpfd.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1448
        
        C:\Windows\SysWOW64\nwodvsxed.exe
        
        C:\Windows\system32\nwodvsxed.exe 572 "C:\Windows\SysWOW64\dxkgltpfd.exe"
        33⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\yrpwdnxkz.exe
        
        C:\Windows\system32\yrpwdnxkz.exe 584 "C:\Windows\SysWOW64\nwodvsxed.exe"
        34⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\nlmjmjitf.exe
        
        C:\Windows\system32\nlmjmjitf.exe 688 "C:\Windows\SysWOW64\yrpwdnxkz.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\pkayknvwl.exe
        
        C:\Windows\system32\pkayknvwl.exe 692 "C:\Windows\SysWOW64\nlmjmjitf.exe"
        36⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\uwugepaef.exe
        
        C:\Windows\system32\uwugepaef.exe 704 "C:\Windows\SysWOW64\pkayknvwl.exe"
        37⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\cpshseerf.exe
        
        C:\Windows\system32\cpshseerf.exe 648 "C:\Windows\SysWOW64\uwugepaef.exe"
        38⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\qxcjtvzka.exe
        
        C:\Windows\system32\qxcjtvzka.exe 588 "C:\Windows\SysWOW64\cpshseerf.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\eckzsdfap.exe
        
        C:\Windows\system32\eckzsdfap.exe 596 "C:\Windows\SysWOW64\qxcjtvzka.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\mnrktetev.exe
        
        C:\Windows\system32\mnrktetev.exe 600 "C:\Windows\SysWOW64\eckzsdfap.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\fbvfqrjwd.exe
        
        C:\Windows\system32\fbvfqrjwd.exe 612 "C:\Windows\SysWOW64\mnrktetev.exe"
        42⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\emfhezdvy.exe
        
        C:\Windows\system32\emfhezdvy.exe 616 "C:\Windows\SysWOW64\fbvfqrjwd.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\mjqfpwycz.exe
        
        C:\Windows\system32\mjqfpwycz.exe 620 "C:\Windows\SysWOW64\emfhezdvy.exe"
        44⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\vlfpdaeel.exe
        
        C:\Windows\system32\vlfpdaeel.exe 728 "C:\Windows\SysWOW64\mjqfpwycz.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\veoifmovs.exe
        
        C:\Windows\system32\veoifmovs.exe 628 "C:\Windows\SysWOW64\vlfpdaeel.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\aqiqqwsvm.exe
        
        C:\Windows\system32\aqiqqwsvm.exe 644 "C:\Windows\SysWOW64\veoifmovs.exe"
        47⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\fdbxjgfdg.exe
        
        C:\Windows\system32\fdbxjgfdg.exe 748 "C:\Windows\SysWOW64\aqiqqwsvm.exe"
        48⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\kfjsaddro.exe
        
        C:\Windows\system32\kfjsaddro.exe 656 "C:\Windows\SysWOW64\fdbxjgfdg.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\zygfjzniu.exe
        
        C:\Windows\system32\zygfjzniu.exe 756 "C:\Windows\SysWOW64\kfjsaddro.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\uwwaexvzu.exe
        
        C:\Windows\system32\uwwaexvzu.exe 676 "C:\Windows\SysWOW64\zygfjzniu.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\edagwvczu.exe
        
        C:\Windows\system32\edagwvczu.exe 660 "C:\Windows\SysWOW64\uwwaexvzu.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\dzndtmlsv.exe
        
        C:\Windows\system32\dzndtmlsv.exe 680 "C:\Windows\SysWOW64\edagwvczu.exe"
        53⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\nccngpzmh.exe
        
        C:\Windows\system32\nccngpzmh.exe 716 "C:\Windows\SysWOW64\dzndtmlsv.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\vgmsyaccc.exe
        
        C:\Windows\system32\vgmsyaccc.exe 776 "C:\Windows\SysWOW64\nccngpzmh.exe"
        55⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\hisijngmi.exe
        
        C:\Windows\system32\hisijngmi.exe 780 "C:\Windows\SysWOW64\vgmsyaccc.exe"
        56⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\uznlsnmtj.exe
        
        C:\Windows\system32\uznlsnmtj.exe 784 "C:\Windows\SysWOW64\hisijngmi.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\egzikmttj.exe
        
        C:\Windows\system32\egzikmttj.exe 792 "C:\Windows\SysWOW64\uznlsnmtj.exe"
        58⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\ofdgvlbsj.exe
        
        C:\Windows\system32\ofdgvlbsj.exe 788 "C:\Windows\SysWOW64\egzikmttj.exe"
        59⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\zaeycfcqw.exe
        
        C:\Windows\system32\zaeycfcqw.exe 800 "C:\Windows\SysWOW64\ofdgvlbsj.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\jzivvejpw.exe
        
        C:\Windows\system32\jzivvejpw.exe 796 "C:\Windows\SysWOW64\zaeycfcqw.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\ytfiwslgl.exe
        
        C:\Windows\system32\ytfiwslgl.exe 804 "C:\Windows\SysWOW64\jzivvejpw.exe"
        62⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\ljilnajod.exe
        
        C:\Windows\system32\ljilnajod.exe 812 "C:\Windows\SysWOW64\ytfiwslgl.exe"
        63⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\qafgbouyk.exe
        
        C:\Windows\system32\qafgbouyk.exe 808 "C:\Windows\SysWOW64\ljilnajod.exe"
        64⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\iksyjlvxr.exe
        
        C:\Windows\system32\iksyjlvxr.exe 816 "C:\Windows\SysWOW64\qafgbouyk.exe"
        65⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\nxlgcnifl.exe
        
        C:\Windows\system32\nxlgcnifl.exe 836 "C:\Windows\SysWOW64\iksyjlvxr.exe"
        66⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\critmjkwr.exe
        
        C:\Windows\system32\critmjkwr.exe 820 "C:\Windows\SysWOW64\nxlgcnifl.exe"
        67⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\pwawasvar.exe
        
        C:\Windows\system32\pwawasvar.exe 824 "C:\Windows\SysWOW64\critmjkwr.exe"
        68⤵
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\zvetkqdar.exe
        
        C:\Windows\system32\zvetkqdar.exe 828 "C:\Windows\SysWOW64\pwawasvar.exe"
        69⤵
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\opaouefrf.exe
        
        C:\Windows\system32\opaouefrf.exe 832 "C:\Windows\SysWOW64\zvetkqdar.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\zonledmrf.exe
        
        C:\Windows\system32\zonledmrf.exe 840 "C:\Windows\SysWOW64\opaouefrf.exe"
        71⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\lehovlkyg.exe
        
        C:\Windows\system32\lehovlkyg.exe 848 "C:\Windows\SysWOW64\zonledmrf.exe"
        72⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\ydcrdtqfz.exe
        
        C:\Windows\system32\ydcrdtqfz.exe 844 "C:\Windows\SysWOW64\lehovlkyg.exe"
        73⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\gkyjqjzxg.exe
        
        C:\Windows\system32\gkyjqjzxg.exe 852 "C:\Windows\SysWOW64\ydcrdtqfz.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\ysaovcttb.exe
        
        C:\Windows\system32\ysaovcttb.exe 856 "C:\Windows\SysWOW64\gkyjqjzxg.exe"
        75⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\ireufbatb.exe
        
        C:\Windows\system32\ireufbatb.exe 860 "C:\Windows\SysWOW64\ysaovcttb.exe"
        76⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\vtkbrnfdo.exe
        
        C:\Windows\system32\vtkbrnfdo.exe 864 "C:\Windows\SysWOW64\ireufbatb.exe"
        77⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\ajneznkkh.exe
        
        C:\Windows\system32\ajneznkkh.exe 876 "C:\Windows\SysWOW64\vtkbrnfdo.exe"
        78⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\kxnbxvxgg.exe
        
        C:\Windows\system32\kxnbxvxgg.exe 868 "C:\Windows\SysWOW64\ajneznkkh.exe"
        79⤵
        Drops file in System32 directory
        
        PID:596
        
        C:\Windows\SysWOW64\woiegddoh.exe
        
        C:\Windows\system32\woiegddoh.exe 872 "C:\Windows\SysWOW64\kxnbxvxgg.exe"
        80⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\jqomrhhxv.exe
        
        C:\Windows\system32\jqomrhhxv.exe 880 "C:\Windows\SysWOW64\woiegddoh.exe"
        81⤵
        
        PID:820
        
        C:\Windows\SysWOW64\ruyzjaknh.exe
        
        C:\Windows\system32\ruyzjaknh.exe 884 "C:\Windows\SysWOW64\jqomrhhxv.exe"
        82⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\ektcrbpui.exe
        
        C:\Windows\system32\ektcrbpui.exe 888 "C:\Windows\SysWOW64\ruyzjaknh.exe"
        83⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\tafjystjc.exe
        
        C:\Windows\system32\tafjystjc.exe 892 "C:\Windows\SysWOW64\ektcrbpui.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\ddculvzlw.exe
        
        C:\Windows\system32\ddculvzlw.exe 896 "C:\Windows\SysWOW64\tafjystjc.exe"
        85⤵
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\llqmfljdw.exe
        
        C:\Windows\system32\llqmfljdw.exe 900 "C:\Windows\SysWOW64\ddculvzlw.exe"
        86⤵
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\aemzhylmc.exe
        
        C:\Windows\system32\aemzhylmc.exe 904 "C:\Windows\SysWOW64\llqmfljdw.exe"
        87⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\kdqezxtmc.exe
        
        C:\Windows\system32\kdqezxtmc.exe 908 "C:\Windows\SysWOW64\aemzhylmc.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\xcthifqbd.exe
        
        C:\Windows\system32\xcthifqbd.exe 912 "C:\Windows\SysWOW64\kdqezxtmc.exe"
        89⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\ksocrgwie.exe
        
        C:\Windows\system32\ksocrgwie.exe 924 "C:\Windows\SysWOW64\xcthifqbd.exe"
        90⤵
        
        PID:920
        
        C:\Windows\SysWOW64\zpwkdgfuw.exe
        
        C:\Windows\system32\zpwkdgfuw.exe 916 "C:\Windows\SysWOW64\ksocrgwie.exe"
        91⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\mrcrokjdk.exe
        
        C:\Windows\system32\mrcrokjdk.exe 920 "C:\Windows\SysWOW64\zpwkdgfuw.exe"
        92⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\wqgpzjrdk.exe
        
        C:\Windows\system32\wqgpzjrdk.exe 928 "C:\Windows\SysWOW64\mrcrokjdk.exe"
        93⤵
        
        PID:552
        
        C:\Windows\SysWOW64\jhjrqrwkl.exe
        
        C:\Windows\system32\jhjrqrwkl.exe 768 "C:\Windows\SysWOW64\wqgpzjrdk.exe"
        94⤵
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\wfeuyzurm.exe
        
        C:\Windows\system32\wfeuyzurm.exe 936 "C:\Windows\SysWOW64\jhjrqrwkl.exe"
        95⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\mnpcxjxgf.exe
        
        C:\Windows\system32\mnpcxjxgf.exe 772 "C:\Windows\SysWOW64\wfeuyzurm.exe"
        96⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\tgohudgbz.exe
        
        C:\Windows\system32\tgohudgbz.exe 944 "C:\Windows\SysWOW64\mnpcxjxgf.exe"
        97⤵
        
        PID:880
        
        C:\Windows\SysWOW64\ialcerisf.exe
        
        C:\Windows\system32\ialcerisf.exe 932 "C:\Windows\SysWOW64\tgohudgbz.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\vncsjupxt.exe
        
        C:\Windows\system32\vncsjupxt.exe 952 "C:\Windows\SysWOW64\ialcerisf.exe"
        99⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\fmgputowu.exe
        
        C:\Windows\system32\fmgputowu.exe 956 "C:\Windows\SysWOW64\vncsjupxt.exe"
        100⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\poeapwdyg.exe
        
        C:\Windows\system32\poeapwdyg.exe 960 "C:\Windows\SysWOW64\fmgputowu.exe"
        101⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cqkpajhau.exe
        
        C:\Windows\system32\cqkpajhau.exe 964 "C:\Windows\SysWOW64\poeapwdyg.exe"
        102⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\mmdaidifh.exe
        
        C:\Windows\system32\mmdaidifh.exe 968 "C:\Windows\SysWOW64\cqkpajhau.exe"
        103⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cjlauvrra.exe
        
        C:\Windows\system32\cjlauvrra.exe 972 "C:\Windows\SysWOW64\mmdaidifh.exe"
        104⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\jqyaplbjh.exe
        
        C:\Windows\system32\jqyaplbjh.exe 976 "C:\Windows\SysWOW64\cjlauvrra.exe"
        105⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\bbmsoibio.exe
        
        C:\Windows\system32\bbmsoibio.exe 980 "C:\Windows\SysWOW64\jqyaplbjh.exe"
        106⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\mxmcedcfc.exe
        
        C:\Windows\system32\mxmcedcfc.exe 984 "C:\Windows\SysWOW64\bbmsoibio.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\bqjxoqewi.exe
        
        C:\Windows\system32\bqjxoqewi.exe 988 "C:\Windows\SysWOW64\mxmcedcfc.exe"
        108⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\lpnvypmwi.exe
        
        C:\Windows\system32\lpnvypmwi.exe 992 "C:\Windows\SysWOW64\bqjxoqewi.exe"
        109⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\valflssyu.exe
        
        C:\Windows\system32\valflssyu.exe 996 "C:\Windows\SysWOW64\lpnvypmwi.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\liwfskvmw.exe
        
        C:\Windows\system32\liwfskvmw.exe 940 "C:\Windows\SysWOW64\valflssyu.exe"
        111⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\vsmqnncgj.exe
        
        C:\Windows\system32\vsmqnncgj.exe 1004 "C:\Windows\SysWOW64\liwfskvmw.exe"
        112⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\husfzroqo.exe
        
        C:\Windows\system32\husfzroqo.exe 1008 "C:\Windows\SysWOW64\vsmqnncgj.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\xzaadflkd.exe
        
        C:\Windows\system32\xzaadflkd.exe 1012 "C:\Windows\SysWOW64\husfzroqo.exe"
        114⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\hyeyndkkd.exe
        
        C:\Windows\system32\hyeyndkkd.exe 1016 "C:\Windows\SysWOW64\xzaadflkd.exe"
        115⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\udvsbmwod.exe
        
        C:\Windows\system32\udvsbmwod.exe 1020 "C:\Windows\SysWOW64\hyeyndkkd.exe"
        116⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\hqfqhqubj.exe
        
        C:\Windows\system32\hqfqhqubj.exe 1028 "C:\Windows\SysWOW64\udvsbmwod.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\rqrnspcbk.exe
        
        C:\Windows\system32\rqrnspcbk.exe 1040 "C:\Windows\SysWOW64\hqfqhqubj.exe"
        118⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\esxvltgcx.exe
        
        C:\Windows\system32\esxvltgcx.exe 1032 "C:\Windows\SysWOW64\rqrnspcbk.exe"
        119⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\ldwiavwpr.exe
        
        C:\Windows\system32\ldwiavwpr.exe 1036 "C:\Windows\SysWOW64\esxvltgcx.exe"
        120⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\awtvkjzgx.exe
        
        C:\Windows\system32\awtvkjzgx.exe 1044 "C:\Windows\SysWOW64\ldwiavwpr.exe"
        121⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\nvnysrevy.exe
        
        C:\Windows\system32\nvnysrevy.exe 1048 "C:\Windows\SysWOW64\awtvkjzgx.exe"
        122⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\alqbbrccr.exe
        
        C:\Windows\system32\alqbbrccr.exe 948 "C:\Windows\SysWOW64\nvnysrevy.exe"
        123⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\qbcjijfrs.exe
        
        C:\Windows\system32\qbcjijfrs.exe 1056 "C:\Windows\SysWOW64\alqbbrccr.exe"
        124⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\aaggsinrs.exe
        
        C:\Windows\system32\aaggsinrs.exe 1000 "C:\Windows\SysWOW64\qbcjijfrs.exe"
        125⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\ncmolmrag.exe
        
        C:\Windows\system32\ncmolmrag.exe 1064 "C:\Windows\SysWOW64\aaggsinrs.exe"
        126⤵
        
        PID:600
        
        C:\Windows\SysWOW64\ofjyzpyus.exe
        
        C:\Windows\system32\ofjyzpyus.exe 1052 "C:\Windows\SysWOW64\ncmolmrag.exe"
        127⤵
        
        PID:332
        
        C:\Windows\SysWOW64\bdebhxdbt.exe
        
        C:\Windows\system32\bdebhxdbt.exe 1072 "C:\Windows\SysWOW64\ofjyzpyus.exe"
        128⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\ouzdqyjjm.exe
        
        C:\Windows\system32\ouzdqyjjm.exe 1076 "C:\Windows\SysWOW64\bdebhxdbt.exe"
        129⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\bkcgzgoyn.exe
        
        C:\Windows\system32\bkcgzgoyn.exe 1080 "C:\Windows\SysWOW64\ouzdqyjjm.exe"
        130⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\lyudxntum.exe
        
        C:\Windows\system32\lyudxntum.exe 1084 "C:\Windows\SysWOW64\bkcgzgoyn.exe"
        131⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\ypxgfvzcn.exe
        
        C:\Windows\system32\ypxgfvzcn.exe 1088 "C:\Windows\SysWOW64\lyudxntum.exe"
        132⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\lnsjovfjo.exe
        
        C:\Windows\system32\lnsjovfjo.exe 1092 "C:\Windows\SysWOW64\ypxgfvzcn.exe"
        133⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\yenlwecqh.exe
        
        C:\Windows\system32\yenlwecqh.exe 1096 "C:\Windows\SysWOW64\lnsjovfjo.exe"
        134⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\kcpgfmixh.exe
        
        C:\Windows\system32\kcpgfmixh.exe 1060 "C:\Windows\SysWOW64\yenlwecqh.exe"
        135⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\snotcgykb.exe
        
        C:\Windows\system32\snotcgykb.exe 1108 "C:\Windows\SysWOW64\kcpgfmixh.exe"
        136⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\hhlgmtabh.exe
        
        C:\Windows\system32\hhlgmtabh.exe 1104 "C:\Windows\SysWOW64\snotcgykb.exe"
        137⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\pakgsaewi.exe
        
        C:\Windows\system32\pakgsaewi.exe 1112 "C:\Windows\SysWOW64\hhlgmtabh.exe"
        138⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\ryywqfkro.exe
        
        C:\Windows\system32\ryywqfkro.exe 1124 "C:\Windows\SysWOW64\pakgsaewi.exe"
        139⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\burggztpj.exe
        
        C:\Windows\system32\burggztpj.exe 1068 "C:\Windows\SysWOW64\ryywqfkro.exe"
        140⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\tjqecocgj.exe
        
        C:\Windows\system32\tjqecocgj.exe 664 "C:\Windows\SysWOW64\burggztpj.exe"
        141⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\fdwmwaoqw.exe
        
        C:\Windows\system32\fdwmwaoqw.exe 712 "C:\Windows\SysWOW64\tjqecocgj.exe"
        142⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\sipuwqxmr.exe
        
        C:\Windows\system32\sipuwqxmr.exe 668 "C:\Windows\SysWOW64\fdwmwaoqw.exe"
        143⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\uwapldndy.exe
        
        C:\Windows\system32\uwapldndy.exe 672 "C:\Windows\SysWOW64\sipuwqxmr.exe"
        144⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\tlnejpoff.exe
        
        C:\Windows\system32\tlnejpoff.exe 684 "C:\Windows\SysWOW64\uwapldndy.exe"
        145⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\atkpqrzgt.exe
        
        C:\Windows\system32\atkpqrzgt.exe 736 "C:\Windows\SysWOW64\tlnejpoff.exe"
        146⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\gpbkushsu.exe
        
        C:\Windows\system32\gpbkushsu.exe 696 "C:\Windows\SysWOW64\atkpqrzgt.exe"
        147⤵
        
        PID:412
        
        C:\Windows\SysWOW64\nbbalgzvu.exe
        
        C:\Windows\system32\nbbalgzvu.exe 744 "C:\Windows\SysWOW64\gpbkushsu.exe"
        148⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\mizxxbuic.exe
        
        C:\Windows\system32\mizxxbuic.exe 700 "C:\Windows\SysWOW64\nbbalgzvu.exe"
        149⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\eqyniehok.exe
        
        C:\Windows\system32\eqyniehok.exe 708 "C:\Windows\SysWOW64\mizxxbuic.exe"
        150⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\acsdapnws.exe
        
        C:\Windows\system32\acsdapnws.exe 720 "C:\Windows\SysWOW64\eqyniehok.exe"
        151⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\uaigdmcws.exe
        
        C:\Windows\system32\uaigdmcws.exe 724 "C:\Windows\SysWOW64\acsdapnws.exe"
        152⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\okkoioqpf.exe
        
        C:\Windows\system32\okkoioqpf.exe 732 "C:\Windows\SysWOW64\uaigdmcws.exe"
        153⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\woutszsfa.exe
        
        C:\Windows\system32\woutszsfa.exe 740 "C:\Windows\SysWOW64\okkoioqpf.exe"
        154⤵
        
        PID:488
        
        C:\Windows\SysWOW64\dvhtmpcxz.exe
        
        C:\Windows\system32\dvhtmpcxz.exe 752 "C:\Windows\SysWOW64\woutszsfa.exe"
        155⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\ixpocuidh.exe
        
        C:\Windows\system32\ixpocuidh.exe 760 "C:\Windows\SysWOW64\dvhtmpcxz.exe"
        156⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\ukfgcggup.exe
        
        C:\Windows\system32\ukfgcggup.exe 764 "C:\Windows\SysWOW64\ixpocuidh.exe"
        157⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\akjzdgwrq.exe
        
        C:\Windows\system32\akjzdgwrq.exe 1100 "C:\Windows\SysWOW64\ukfgcggup.exe"
        158⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\odfusjvet.exe
        
        C:\Windows\system32\odfusjvet.exe 1116 "C:\Windows\SysWOW64\akjzdgwrq.exe"
        159⤵
        
        PID:972
        
        C:\Windows\SysWOW64\zbfpounvv.exe
        
        C:\Windows\system32\zbfpounvv.exe 1120 "C:\Windows\SysWOW64\odfusjvet.exe"
        160⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\tlyxtwjpi.exe
        
        C:\Windows\system32\tlyxtwjpi.exe 1128 "C:\Windows\SysWOW64\zbfpounvv.exe"
        161⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\ipwkxfvxc.exe
        
        C:\Windows\system32\ipwkxfvxc.exe 1132 "C:\Windows\SysWOW64\tlyxtwjpi.exe"
        162⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\fuyckbkwc.exe
        
        C:\Windows\system32\fuyckbkwc.exe 1136 "C:\Windows\SysWOW64\ipwkxfvxc.exe"
        163⤵
        
        PID:996
        
        C:\Windows\SysWOW64\xeyaiaaiz.exe
        
        C:\Windows\system32\xeyaiaaiz.exe 1140 "C:\Windows\SysWOW64\fuyckbkwc.exe"
        164⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\ayoquipjh.exe
        
        C:\Windows\system32\ayoquipjh.exe 1144 "C:\Windows\SysWOW64\xeyaiaaiz.exe"
        165⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\ndgquzxmb.exe
        
        C:\Windows\system32\ndgquzxmb.exe 1148 "C:\Windows\SysWOW64\ayoquipjh.exe"
        166⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\gjudxsurp.exe
        
        C:\Windows\system32\gjudxsurp.exe 1152 "C:\Windows\SysWOW64\ndgquzxmb.exe"
        167⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\tapqhmjpw.exe
        
        C:\Windows\system32\tapqhmjpw.exe 1156 "C:\Windows\SysWOW64\gjudxsurp.exe"
        168⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\pqfjugynl.exe
        
        C:\Windows\system32\pqfjugynl.exe 1160 "C:\Windows\SysWOW64\tapqhmjpw.exe"
        169⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\zlvmkwxge.exe
        
        C:\Windows\system32\zlvmkwxge.exe 1164 "C:\Windows\SysWOW64\pqfjugynl.exe"
        170⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\vbdwfpmvt.exe
        
        C:\Windows\system32\vbdwfpmvt.exe 1168 "C:\Windows\SysWOW64\zlvmkwxge.exe"
        171⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\ikhrhkbta.exe
        
        C:\Windows\system32\ikhrhkbta.exe 1172 "C:\Windows\SysWOW64\vbdwfpmvt.exe"
        172⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\mxxjpwzla.exe
        
        C:\Windows\system32\mxxjpwzla.exe 1176 "C:\Windows\SysWOW64\ikhrhkbta.exe"
        173⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\dpjrionoo.exe
        
        C:\Windows\system32\dpjrionoo.exe 1180 "C:\Windows\SysWOW64\mxxjpwzla.exe"
        174⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\fdmmxblyw.exe
        
        C:\Windows\system32\fdmmxblyw.exe 1184 "C:\Windows\SysWOW64\dpjrionoo.exe"
        175⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\xgbxztvvr.exe
        
        C:\Windows\system32\xgbxztvvr.exe 1188 "C:\Windows\SysWOW64\fdmmxblyw.exe"
        176⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\bpgcpurpe.exe
        
        C:\Windows\system32\bpgcpurpe.exe 1192 "C:\Windows\SysWOW64\xgbxztvvr.exe"
        177⤵
        
        PID:780
        
        C:\Windows\SysWOW64\swgatiaze.exe
        
        C:\Windows\system32\swgatiaze.exe 1196 "C:\Windows\SysWOW64\bpgcpurpe.exe"
        178⤵
        
        PID:548
        
        C:\Windows\SysWOW64\zwckiktir.exe
        
        C:\Windows\system32\zwckiktir.exe 1212 "C:\Windows\SysWOW64\swgatiaze.exe"
        179⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\qzyvpkata.exe
        
        C:\Windows\system32\qzyvpkata.exe 1200 "C:\Windows\SysWOW64\zwckiktir.exe"
        180⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\zrmdvqcsv.exe
        
        C:\Windows\system32\zrmdvqcsv.exe 1204 "C:\Windows\SysWOW64\qzyvpkata.exe"
        181⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\owsbtlyrd.exe
        
        C:\Windows\system32\owsbtlyrd.exe 1208 "C:\Windows\SysWOW64\zrmdvqcsv.exe"
        182⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\smnliuehk.exe
        
        C:\Windows\system32\smnliuehk.exe 1216 "C:\Windows\SysWOW64\owsbtlyrd.exe"
        183⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\yuggcgjrl.exe
        
        C:\Windows\system32\yuggcgjrl.exe 1220 "C:\Windows\SysWOW64\smnliuehk.exe"
        184⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\heugjekqg.exe
        
        C:\Windows\system32\heugjekqg.exe 1224 "C:\Windows\SysWOW64\yuggcgjrl.exe"
        185⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\rlecngfvo.exe
        
        C:\Windows\system32\rlecngfvo.exe 1228 "C:\Windows\SysWOW64\heugjekqg.exe"
        186⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\qsdryjsaw.exe
        
        C:\Windows\system32\qsdryjsaw.exe 1232 "C:\Windows\SysWOW64\rlecngfvo.exe"
        187⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\psbuzrrep.exe
        
        C:\Windows\system32\psbuzrrep.exe 1236 "C:\Windows\SysWOW64\qsdryjsaw.exe"
        188⤵
        
        PID:680
        
        C:\Windows\SysWOW64\jqrpcogex.exe
        
        C:\Windows\system32\jqrpcogex.exe 1240 "C:\Windows\SysWOW64\psbuzrrep.exe"
        189⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\jfpuuxksr.exe
        
        C:\Windows\system32\jfpuuxksr.exe 1244 "C:\Windows\SysWOW64\jqrpcogex.exe"
        190⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\qflfihdbf.exe
        
        C:\Windows\system32\qflfihdbf.exe 1248 "C:\Windows\SysWOW64\jfpuuxksr.exe"
        191⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\qubkzpopy.exe
        
        C:\Windows\system32\qubkzpopy.exe 1252 "C:\Windows\SysWOW64\qflfihdbf.exe"
        192⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cstxhtbkn.exe
        
        C:\Windows\system32\cstxhtbkn.exe 1256 "C:\Windows\SysWOW64\qubkzpopy.exe"
        193⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\chrcybmzg.exe
        
        C:\Windows\system32\chrcybmzg.exe 1260 "C:\Windows\SysWOW64\cstxhtbkn.exe"
        194⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\lcpxorcrh.exe
        
        C:\Windows\system32\lcpxorcrh.exe 1264 "C:\Windows\SysWOW64\chrcybmzg.exe"
        195⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\fjxsrojrh.exe
        
        C:\Windows\system32\fjxsrojrh.exe 1268 "C:\Windows\SysWOW64\lcpxorcrh.exe"
        196⤵
        
        PID:924
        
        C:\Windows\SysWOW64\uvdfuxerc.exe
        
        C:\Windows\system32\uvdfuxerc.exe 1272 "C:\Windows\SysWOW64\fjxsrojrh.exe"
        197⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\uypyjbilj.exe
        
        C:\Windows\system32\uypyjbilj.exe 1276 "C:\Windows\SysWOW64\uvdfuxerc.exe"
        198⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\gwhlrevgp.exe
        
        C:\Windows\system32\gwhlrevgp.exe 1280 "C:\Windows\SysWOW64\uypyjbilj.exe"
        199⤵
        
        PID:320
        
        C:\Windows\SysWOW64\tcyguckfx.exe
        
        C:\Windows\system32\tcyguckfx.exe 1284 "C:\Windows\SysWOW64\gwhlrevgp.exe"
        200⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\iovlxcwnj.exe
        
        C:\Windows\system32\iovlxcwnj.exe 1288 "C:\Windows\SysWOW64\tcyguckfx.exe"
        201⤵
        
        PID:704
        
        C:\Windows\SysWOW64\fpnyboiox.exe
        
        C:\Windows\system32\fpnyboiox.exe 1292 "C:\Windows\SysWOW64\iovlxcwnj.exe"
        202⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\ewddswlkz.exe
        
        C:\Windows\system32\ewddswlkz.exe 1296 "C:\Windows\SysWOW64\fpnyboiox.exe"
        203⤵
        
        PID:576
        
        C:\Windows\SysWOW64\whrouowam.exe
        
        C:\Windows\system32\whrouowam.exe 1300 "C:\Windows\SysWOW64\ewddswlkz.exe"
        204⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\yndbjbujt.exe
        
        C:\Windows\system32\yndbjbujt.exe 1304 "C:\Windows\SysWOW64\whrouowam.exe"
        205⤵
        
        PID:344
        
        C:\Windows\SysWOW64\qrrlllezg.exe
        
        C:\Windows\system32\qrrlllezg.exe 1308 "C:\Windows\SysWOW64\yndbjbujt.exe"
        206⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\kattrnstb.exe
        
        C:\Windows\system32\kattrnstb.exe 1312 "C:\Windows\SysWOW64\qrrlllezg.exe"
        207⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\wjoothiri.exe
        
        C:\Windows\system32\wjoothiri.exe 1316 "C:\Windows\SysWOW64\kattrnstb.exe"
        208⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\onlrvrsgv.exe
        
        C:\Windows\system32\onlrvrsgv.exe 1320 "C:\Windows\SysWOW64\wjoothiri.exe"
        209⤵
        
        PID:404
        
        C:\Windows\SysWOW64\aldedvfjj.exe
        
        C:\Windows\system32\aldedvfjj.exe 1324 "C:\Windows\SysWOW64\onlrvrsgv.exe"
        210⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\eqxerrcak.exe
        
        C:\Windows\system32\eqxerrcak.exe 1328 "C:\Windows\SysWOW64\aldedvfjj.exe"
        211⤵
        
        PID:840
        
        C:\Windows\SysWOW64\hwmpgjdee.exe
        
        C:\Windows\system32\hwmpgjdee.exe 1332 "C:\Windows\SysWOW64\eqxerrcak.exe"
        212⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\tnhcrescl.exe
        
        C:\Windows\system32\tnhcrescl.exe 1336 "C:\Windows\SysWOW64\hwmpgjdee.exe"
        213⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\qoapmhedz.exe
        
        C:\Windows\system32\qoapmhedz.exe 1340 "C:\Windows\SysWOW64\tnhcrescl.exe"
        214⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\fsxuqpqlt.exe
        
        C:\Windows\system32\fsxuqpqlt.exe 1344 "C:\Windows\SysWOW64\qoapmhedz.exe"
        215⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\hrlkouegz.exe
        
        C:\Windows\system32\hrlkouegz.exe 1360 "C:\Windows\SysWOW64\fsxuqpqlt.exe"
        216⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cifnljfja.exe
        
        C:\Windows\system32\cifnljfja.exe 1348 "C:\Windows\SysWOW64\hrlkouegz.exe"
        217⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\mhrkwinia.exe
        
        C:\Windows\system32\mhrkwinia.exe 1352 "C:\Windows\SysWOW64\cifnljfja.exe"
        218⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\lldhazetb.exe
        
        C:\Windows\system32\lldhazetb.exe 1356 "C:\Windows\SysWOW64\mhrkwinia.exe"
        219⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\qqxpmiicv.exe
        
        C:\Windows\system32\qqxpmiicv.exe 1364 "C:\Windows\SysWOW64\lldhazetb.exe"
        220⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\hujnqzzvo.exe
        
        C:\Windows\system32\hujnqzzvo.exe 1368 "C:\Windows\SysWOW64\qqxpmiicv.exe"
        221⤵
        
        PID:324
        
        C:\Windows\SysWOW64\fgeihuxzc.exe
        
        C:\Windows\system32\fgeihuxzc.exe 1372 "C:\Windows\SysWOW64\hujnqzzvo.exe"
        222⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\xktsimppp.exe
        
        C:\Windows\system32\xktsimppp.exe 1376 "C:\Windows\SysWOW64\fgeihuxzc.exe"
        223⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\lknqsvhuj.exe
        
        C:\Windows\system32\lknqsvhuj.exe 1380 "C:\Windows\SysWOW64\xktsimppp.exe"
        224⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\nnnyeezje.exe
        
        C:\Windows\system32\nnnyeezje.exe 1384 "C:\Windows\SysWOW64\lknqsvhuj.exe"
        225⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\xbpaotkxy.exe
        
        C:\Windows\system32\xbpaotkxy.exe 1388 "C:\Windows\SysWOW64\nnnyeezje.exe"
        226⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\vbnluqgxn.exe
        
        C:\Windows\system32\vbnluqgxn.exe 1416 "C:\Windows\SysWOW64\xbpaotkxy.exe"
        227⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\mtztorbbc.exe
        
        C:\Windows\system32\mtztorbbc.exe 1392 "C:\Windows\SysWOW64\vbnluqgxn.exe"
        228⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\txgrfxuec.exe
        
        C:\Windows\system32\txgrfxuec.exe 1444 "C:\Windows\SysWOW64\mtztorbbc.exe"
        229⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\oirxbuajo.exe
        
        C:\Windows\system32\oirxbuajo.exe 1396 "C:\Windows\SysWOW64\txgrfxuec.exe"
        230⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\sjzafpdlj.exe
        
        C:\Windows\system32\sjzafpdlj.exe 1400 "C:\Windows\SysWOW64\oirxbuajo.exe"
        231⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\denqxvwhr.exe
        
        C:\Windows\system32\denqxvwhr.exe 1404 "C:\Windows\SysWOW64\sjzafpdlj.exe"
        232⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rtdqrymgu.exe
        
        C:\Windows\system32\rtdqrymgu.exe 1408 "C:\Windows\SysWOW64\denqxvwhr.exe"
        233⤵
        
        PID:912
        
        C:\Windows\SysWOW64\mqhjxilwo.exe
        
        C:\Windows\system32\mqhjxilwo.exe 1412 "C:\Windows\SysWOW64\rtdqrymgu.exe"
        234⤵
        
        PID:888
        
        C:\Windows\SysWOW64\xsmgwkmcy.exe
        
        C:\Windows\system32\xsmgwkmcy.exe 1420 "C:\Windows\SysWOW64\mqhjxilwo.exe"
        235⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\ohhwnonef.exe
        
        C:\Windows\system32\ohhwnonef.exe 1424 "C:\Windows\SysWOW64\xsmgwkmcy.exe"
        236⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\dorzvnixs.exe
        
        C:\Windows\system32\dorzvnixs.exe 1428 "C:\Windows\SysWOW64\ohhwnonef.exe"
        237⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\uhdpondbh.exe
        
        C:\Windows\system32\uhdpondbh.exe 1432 "C:\Windows\SysWOW64\dorzvnixs.exe"
        238⤵
        
        PID:816
        
        C:\Windows\SysWOW64\apzhifufi.exe
        
        C:\Windows\system32\apzhifufi.exe 1436 "C:\Windows\SysWOW64\uhdpondbh.exe"
        239⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\vkonsmysv.exe
        
        C:\Windows\system32\vkonsmysv.exe 1440 "C:\Windows\SysWOW64\apzhifufi.exe"
        240⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\vvyqgtsah.exe
        
        C:\Windows\system32\vvyqgtsah.exe 1448 "C:\Windows\SysWOW64\vkonsmysv.exe"
        241⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\fhfzsrrft.exe
        
        C:\Windows\system32\fhfzsrrft.exe 1452 "C:\Windows\SysWOW64\vvyqgtsah.exe"
        242⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\hzugsjorn.exe
        
        C:\Windows\system32\hzugsjorn.exe 1456 "C:\Windows\SysWOW64\fhfzsrrft.exe"
        243⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\nbpplztzy.exe
        
        C:\Windows\system32\nbpplztzy.exe 1460 "C:\Windows\SysWOW64\hzugsjorn.exe"
        244⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\pptkausqg.exe
        
        C:\Windows\system32\pptkausqg.exe 1508 "C:\Windows\SysWOW64\nbpplztzy.exe"
        245⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\hmadvlfay.exe
        
        C:\Windows\system32\hmadvlfay.exe 1464 "C:\Windows\SysWOW64\pptkausqg.exe"
        246⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\lvfjllatt.exe
        
        C:\Windows\system32\lvfjllatt.exe 1468 "C:\Windows\SysWOW64\hmadvlfay.exe"
        247⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\kxljrplfj.exe
        
        C:\Windows\system32\kxljrplfj.exe 1472 "C:\Windows\SysWOW64\lvfjllatt.exe"
        248⤵
        
        PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ginkqosmz.exe

Filesize
64KB

MD5
81d65f6636b323dadf19a2fd819194ef

SHA1
5b2e9be2b7afe64f7586c84a68e9f3014ad1fb91

SHA256
31ad4360452b24380f205757cc46822b6f55ef844683efee2743112b7e89fd0a

SHA512
aa8b8d394e8ee6a5c77521b66a8fa7a6b4e1b6f0768c27d4ec08aab25f7b847ec2d60710d23c586466cb8a36e0a301291c70a88b3a51c24d3f089455bfc5d313

Download Submit
\Windows\SysWOW64\ttybreykq.exe

Filesize
217KB

MD5
ac4a48770b14b067fee1b89c6cf42611

SHA1
cd1b273cb013c73d3af92a74a0aac9b15152e4aa

SHA256
a209b805e425ff789642890cd35d07539c7ef76dd3294e69becb7fd47f3bacb5

SHA512
f9398e6906532dcaa603a2361bfc127a1ce4c407735c8d16afd5360372f292b50bdeb99067e5d0c85bf73bc94acfb2406ebb1bd4ec99c6baed946996aeae739a

Download Submit
memory/384-192-0x0000000002FD0000-0x0000000003455000-memory.dmp

Filesize
4.5MB

Download
memory/384-190-0x0000000002FD0000-0x0000000003455000-memory.dmp

Filesize
4.5MB

Download
memory/384-180-0x00000000023A0000-0x00000000024B0000-memory.dmp

Filesize
1.1MB

Download
memory/384-176-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/448-198-0x00000000022F0000-0x0000000002400000-memory.dmp

Filesize
1.1MB

Download
memory/448-193-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/992-144-0x0000000002EB0000-0x0000000003335000-memory.dmp

Filesize
4.5MB

Download
memory/992-143-0x0000000002EB0000-0x0000000003335000-memory.dmp

Filesize
4.5MB

Download
memory/992-130-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/992-151-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/992-135-0x0000000002220000-0x0000000002330000-memory.dmp

Filesize
1.1MB

Download
memory/1564-129-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1564-134-0x0000000002380000-0x0000000002490000-memory.dmp

Filesize
1.1MB

Download
memory/1564-112-0x0000000002380000-0x0000000002490000-memory.dmp

Filesize
1.1MB

Download
memory/1564-128-0x0000000003000000-0x0000000003485000-memory.dmp

Filesize
4.5MB

Download
memory/1564-124-0x0000000003000000-0x0000000003485000-memory.dmp

Filesize
4.5MB

Download
memory/1564-110-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1936-162-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1936-145-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/1936-146-0x0000000002280000-0x0000000002390000-memory.dmp

Filesize
1.1MB

Download
memory/1936-164-0x0000000002280000-0x0000000002390000-memory.dmp

Filesize
1.1MB

Download
memory/2208-98-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2208-116-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2208-117-0x00000000022E0000-0x00000000023F0000-memory.dmp

Filesize
1.1MB

Download
memory/2208-109-0x0000000002F10000-0x0000000003395000-memory.dmp

Filesize
4.5MB

Download
memory/2208-93-0x00000000022E0000-0x00000000023F0000-memory.dmp

Filesize
1.1MB

Download
memory/2208-108-0x0000000002F10000-0x0000000003395000-memory.dmp

Filesize
4.5MB

Download
memory/2452-57-0x0000000002F40000-0x00000000033C5000-memory.dmp

Filesize
4.5MB

Download
memory/2452-46-0x0000000002320000-0x0000000002430000-memory.dmp

Filesize
1.1MB

Download
memory/2452-45-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2452-61-0x0000000002F40000-0x00000000033C5000-memory.dmp

Filesize
4.5MB

Download
memory/2452-126-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2628-63-0x0000000002350000-0x0000000002460000-memory.dmp

Filesize
1.1MB

Download
memory/2628-33-0x0000000002350000-0x0000000002460000-memory.dmp

Filesize
1.1MB

Download
memory/2628-44-0x0000000002F70000-0x00000000033F5000-memory.dmp

Filesize
4.5MB

Download
memory/2628-28-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2628-60-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2668-92-0x0000000002DC0000-0x0000000003245000-memory.dmp

Filesize
4.5MB

Download
memory/2668-76-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2668-79-0x0000000002340000-0x0000000002450000-memory.dmp

Filesize
1.1MB

Download
memory/2668-100-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2668-99-0x0000000002340000-0x0000000002450000-memory.dmp

Filesize
1.1MB

Download
memory/2780-175-0x0000000002DB0000-0x0000000003235000-memory.dmp

Filesize
4.5MB

Download
memory/2780-173-0x0000000002DB0000-0x0000000003235000-memory.dmp

Filesize
4.5MB

Download
memory/2780-178-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2780-159-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2780-161-0x0000000002370000-0x0000000002480000-memory.dmp

Filesize
1.1MB

Download
memory/2780-179-0x0000000002370000-0x0000000002480000-memory.dmp

Filesize
1.1MB

Download
memory/2880-75-0x0000000002E20000-0x00000000032A5000-memory.dmp

Filesize
4.5MB

Download
memory/2880-59-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2880-64-0x00000000023E0000-0x00000000024F0000-memory.dmp

Filesize
1.1MB

Download
memory/2880-77-0x0000000002E20000-0x00000000032A5000-memory.dmp

Filesize
4.5MB

Download
memory/2880-90-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/2880-80-0x00000000023E0000-0x00000000024F0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-26-0x0000000002E30000-0x00000000032B5000-memory.dmp

Filesize
4.5MB

Download
memory/3016-31-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/3016-13-0x00000000023B0000-0x00000000024C0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-32-0x00000000023B0000-0x00000000024C0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-14-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/3028-29-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/3028-25-0x0000000002470000-0x0000000002580000-memory.dmp

Filesize
1.1MB

Download
memory/3028-0-0x0000000000400000-0x0000000000885000-memory.dmp

Filesize
4.5MB

Download
memory/3028-12-0x0000000002E60000-0x00000000032E5000-memory.dmp

Filesize
4.5MB

Download
memory/3028-1-0x0000000002470000-0x0000000002580000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads