c0addaa89d6ae4b7199f4e4b37ffa50bf2a69ff728121205a5dce5a677d44f42

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd2eccb228e932cb19f92bd01beede4.exe
Size

145KB
MD5

cbd2eccb228e932cb19f92bd01beede4
SHA1

7cc7f452c72b603cb80325e0cc3aaec135ded368
SHA256

c0addaa89d6ae4b7199f4e4b37ffa50bf2a69ff728121205a5dce5a677d44f42
SHA512

fcd056e001c7f27c0c90068891608387cb6c1c06a044dd6845452972d52c97e0e786b476bc99da24e0c2cd68f11ef0930fe811d78b9b2549c74598aaa15612e2
SSDEEP

3072:wt8WgDoza726OcvgsOabwd00Syecg3kI77GR+2pLKGSWB4TU:QgZK6nOEUHechA7G9xKF2YU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4500	exywyhi.exe
1900	emppbxr.exe
3464	mnwhimv.exe
552	wmamalu.exe
1052	jzscghb.exe
2672	tywaqfa.exe
2484	bwjncqg.exe
3552	ommplyd.exe
3344	bzwfruk.exe
2208	ympnkdp.exe
3588	ihqxryp.exe
3964	wuavxco.exe
5100	gqbgfwx.exe
4984	orzgtdb.exe
1440	ymaqbxc.exe
4300	ldvtkgz.exe
2044	yqnjpkg.exe
4400	ddgrjll.exe
2180	tlsypdo.exe
636	ggjovzn.exe
3092	qbchdto.exe
2140	baoevsv.exe
1228	jpcrzcs.exe
4272	ymkrluc.exe
2872	dkhhzwb.exe
2248	qfyxfza.exe
2616	vksfybm.exe
4884	dhgscmj.exe
4308	grxhuir.exe
3260	lsnckfx.exe
4424	nsgjtlv.exe
4496	gohzbux.exe
4376	lpxcjad.exe
332	iggfqhz.exe
1388	iwoozsq.exe
1040	lnsxgsa.exe
4316	ssccqdl.exe
1624	qqunied.exe
380	vnrvwfc.exe
4472	fndtgek.exe
1628	qiwlozl.exe
2192	aaljapn.exe
2756	iewwkap.exe
5084	smiplxo.exe
3176	yomlgjp.exe
4776	hrbwtmd.exe
1092	snnrajr.exe
2104	xhhicvm.exe
4276	cyxlprm.exe
1288	peccacf.exe
3272	kdviubh.exe
5056	uofjsyy.exe
1680	sqbfzlu.exe
4204	xvfqrhm.exe
3248	hryizju.exe
4396	jykgjau.exe
4560	utlqzcd.exe
4676	bmkqfjz.exe
1992	kbydrme.exe
4540	rfirafh.exe
2260	cbjbizh.exe
2956	mingayp.exe
5088	wsdefor.exe
4296	kfuulsq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jvenpwl.exe	znsqxye.exe
File opened for modification	C:\Windows\SysWOW64\curxgdx.exe	pwwuyds.exe
File opened for modification	C:\Windows\SysWOW64\bvbkghz.exe	opjirqo.exe
File opened for modification	C:\Windows\SysWOW64\uiqnhrt.exe	eaffizq.exe
File created	C:\Windows\SysWOW64\ikzojla.exe	tjliwhp.exe
File opened for modification	C:\Windows\SysWOW64\qiwlozl.exe	fndtgek.exe
File created	C:\Windows\SysWOW64\xdhlysq.exe	eweybzo.exe
File created	C:\Windows\SysWOW64\hhmklnh.exe	zdcfccx.exe
File opened for modification	C:\Windows\SysWOW64\ekdoilw.exe	rxlydpq.exe
File opened for modification	C:\Windows\SysWOW64\gdpwcvt.exe	qrpbyio.exe
File created	C:\Windows\SysWOW64\gfbrzok.exe	yyozezb.exe
File opened for modification	C:\Windows\SysWOW64\qapfery.exe	gfpnpxx.exe
File opened for modification	C:\Windows\SysWOW64\yzfhatj.exe	ijthtkf.exe
File opened for modification	C:\Windows\SysWOW64\prbpuiv.exe	bpcerjd.exe
File opened for modification	C:\Windows\SysWOW64\gzrivcs.exe	qyusutu.exe
File opened for modification	C:\Windows\SysWOW64\vkzncai.exe	onnkfvq.exe
File opened for modification	C:\Windows\SysWOW64\encifgo.exe	wggqlje.exe
File created	C:\Windows\SysWOW64\gtzfduj.exe	ghnfpqf.exe
File created	C:\Windows\SysWOW64\exywyhi.exe	cbd2eccb228e932cb19f92bd01beede4.exe
File created	C:\Windows\SysWOW64\srplomo.exe	cmhqkhs.exe
File created	C:\Windows\SysWOW64\nexbjfr.exe	avrzgfz.exe
File created	C:\Windows\SysWOW64\jhmncjy.exe	bwbfbda.exe
File created	C:\Windows\SysWOW64\grxhuir.exe	dhgscmj.exe
File opened for modification	C:\Windows\SysWOW64\dpkihhs.exe	sxvkdrq.exe
File created	C:\Windows\SysWOW64\vflyyri.exe	fpaqran.exe
File opened for modification	C:\Windows\SysWOW64\xbpahbh.exe	koycbyi.exe
File opened for modification	C:\Windows\SysWOW64\esuyecs.exe	ziedwxm.exe
File created	C:\Windows\SysWOW64\txazmik.exe	jflchsi.exe
File opened for modification	C:\Windows\SysWOW64\aoyckxx.exe	svzcvqt.exe
File created	C:\Windows\SysWOW64\emppbxr.exe	exywyhi.exe
File opened for modification	C:\Windows\SysWOW64\vnkyjjg.exe	krjncog.exe
File created	C:\Windows\SysWOW64\lzxeial.exe	yxrxpng.exe
File opened for modification	C:\Windows\SysWOW64\idkluqy.exe	xijamwx.exe
File opened for modification	C:\Windows\SysWOW64\crbonyd.exe	vjnwtbu.exe
File created	C:\Windows\SysWOW64\kozpnfg.exe	xbpahbh.exe
File created	C:\Windows\SysWOW64\butpsct.exe	okvmpdb.exe
File created	C:\Windows\SysWOW64\tvaovid.exe	gaqzhee.exe
File created	C:\Windows\SysWOW64\esiizbd.exe	rcnfrtx.exe
File created	C:\Windows\SysWOW64\hstrzto.exe	ufcctyp.exe
File opened for modification	C:\Windows\SysWOW64\jatgfrg.exe	cvrtvgd.exe
File opened for modification	C:\Windows\SysWOW64\kbydrme.exe	bmkqfjz.exe
File created	C:\Windows\SysWOW64\ayvqvfa.exe	prqxttw.exe
File opened for modification	C:\Windows\SysWOW64\zlbeohv.exe	mykhadw.exe
File created	C:\Windows\SysWOW64\seyingw.exe	spbdwxt.exe
File opened for modification	C:\Windows\SysWOW64\pwwuyds.exe	fxkxnfk.exe
File created	C:\Windows\SysWOW64\ihqxryp.exe	ympnkdp.exe
File created	C:\Windows\SysWOW64\bgdfgyo.exe	rgziwzp.exe
File created	C:\Windows\SysWOW64\khoybxl.exe	dddlreb.exe
File opened for modification	C:\Windows\SysWOW64\ghnfpqf.exe	wfwpift.exe
File opened for modification	C:\Windows\SysWOW64\vqmxnyl.exe	issufpf.exe
File opened for modification	C:\Windows\SysWOW64\tlywinp.exe	gnduzmj.exe
File opened for modification	C:\Windows\SysWOW64\qvjobdw.exe	invohnn.exe
File opened for modification	C:\Windows\SysWOW64\mnwhimv.exe	emppbxr.exe
File created	C:\Windows\SysWOW64\rwohsax.exe	jvqodlt.exe
File opened for modification	C:\Windows\SysWOW64\muinmsr.exe	rhzxrho.exe
File created	C:\Windows\SysWOW64\lsafkqb.exe	yfqpemc.exe
File created	C:\Windows\SysWOW64\qvjobdw.exe	invohnn.exe
File created	C:\Windows\SysWOW64\jpcrzcs.exe	baoevsv.exe
File opened for modification	C:\Windows\SysWOW64\ssccqdl.exe	lnsxgsa.exe
File opened for modification	C:\Windows\SysWOW64\wuzoqdk.exe	jatgfrg.exe
File opened for modification	C:\Windows\SysWOW64\wmamalu.exe	mnwhimv.exe
File opened for modification	C:\Windows\SysWOW64\dddlreb.exe	qnjjbed.exe
File created	C:\Windows\SysWOW64\curxgdx.exe	pwwuyds.exe
File created	C:\Windows\SysWOW64\wuzoqdk.exe	jatgfrg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4500	4320	cbd2eccb228e932cb19f92bd01beede4.exe	90
PID 4320 wrote to memory of 4500	4320	cbd2eccb228e932cb19f92bd01beede4.exe	90
PID 4320 wrote to memory of 4500	4320	cbd2eccb228e932cb19f92bd01beede4.exe	90
PID 4500 wrote to memory of 1900	4500	exywyhi.exe	92
PID 4500 wrote to memory of 1900	4500	exywyhi.exe	92
PID 4500 wrote to memory of 1900	4500	exywyhi.exe	92
PID 1900 wrote to memory of 3464	1900	emppbxr.exe	93
PID 1900 wrote to memory of 3464	1900	emppbxr.exe	93
PID 1900 wrote to memory of 3464	1900	emppbxr.exe	93
PID 3464 wrote to memory of 552	3464	mnwhimv.exe	94
PID 3464 wrote to memory of 552	3464	mnwhimv.exe	94
PID 3464 wrote to memory of 552	3464	mnwhimv.exe	94
PID 552 wrote to memory of 1052	552	wmamalu.exe	95
PID 552 wrote to memory of 1052	552	wmamalu.exe	95
PID 552 wrote to memory of 1052	552	wmamalu.exe	95
PID 1052 wrote to memory of 2672	1052	jzscghb.exe	96
PID 1052 wrote to memory of 2672	1052	jzscghb.exe	96
PID 1052 wrote to memory of 2672	1052	jzscghb.exe	96
PID 2672 wrote to memory of 2484	2672	tywaqfa.exe	97
PID 2672 wrote to memory of 2484	2672	tywaqfa.exe	97
PID 2672 wrote to memory of 2484	2672	tywaqfa.exe	97
PID 2484 wrote to memory of 3552	2484	bwjncqg.exe	98
PID 2484 wrote to memory of 3552	2484	bwjncqg.exe	98
PID 2484 wrote to memory of 3552	2484	bwjncqg.exe	98
PID 3552 wrote to memory of 3344	3552	ommplyd.exe	99
PID 3552 wrote to memory of 3344	3552	ommplyd.exe	99
PID 3552 wrote to memory of 3344	3552	ommplyd.exe	99
PID 3344 wrote to memory of 2208	3344	bzwfruk.exe	100
PID 3344 wrote to memory of 2208	3344	bzwfruk.exe	100
PID 3344 wrote to memory of 2208	3344	bzwfruk.exe	100
PID 2208 wrote to memory of 3588	2208	ympnkdp.exe	101
PID 2208 wrote to memory of 3588	2208	ympnkdp.exe	101
PID 2208 wrote to memory of 3588	2208	ympnkdp.exe	101
PID 3588 wrote to memory of 3964	3588	ihqxryp.exe	102
PID 3588 wrote to memory of 3964	3588	ihqxryp.exe	102
PID 3588 wrote to memory of 3964	3588	ihqxryp.exe	102
PID 3964 wrote to memory of 5100	3964	wuavxco.exe	103
PID 3964 wrote to memory of 5100	3964	wuavxco.exe	103
PID 3964 wrote to memory of 5100	3964	wuavxco.exe	103
PID 5100 wrote to memory of 4984	5100	gqbgfwx.exe	106
PID 5100 wrote to memory of 4984	5100	gqbgfwx.exe	106
PID 5100 wrote to memory of 4984	5100	gqbgfwx.exe	106
PID 4984 wrote to memory of 1440	4984	orzgtdb.exe	107
PID 4984 wrote to memory of 1440	4984	orzgtdb.exe	107
PID 4984 wrote to memory of 1440	4984	orzgtdb.exe	107
PID 1440 wrote to memory of 4300	1440	ymaqbxc.exe	108
PID 1440 wrote to memory of 4300	1440	ymaqbxc.exe	108
PID 1440 wrote to memory of 4300	1440	ymaqbxc.exe	108
PID 4300 wrote to memory of 2044	4300	ldvtkgz.exe	109
PID 4300 wrote to memory of 2044	4300	ldvtkgz.exe	109
PID 4300 wrote to memory of 2044	4300	ldvtkgz.exe	109
PID 2044 wrote to memory of 4400	2044	yqnjpkg.exe	110
PID 2044 wrote to memory of 4400	2044	yqnjpkg.exe	110
PID 2044 wrote to memory of 4400	2044	yqnjpkg.exe	110
PID 4400 wrote to memory of 2180	4400	ddgrjll.exe	112
PID 4400 wrote to memory of 2180	4400	ddgrjll.exe	112
PID 4400 wrote to memory of 2180	4400	ddgrjll.exe	112
PID 2180 wrote to memory of 636	2180	tlsypdo.exe	114
PID 2180 wrote to memory of 636	2180	tlsypdo.exe	114
PID 2180 wrote to memory of 636	2180	tlsypdo.exe	114
PID 636 wrote to memory of 3092	636	ggjovzn.exe	115
PID 636 wrote to memory of 3092	636	ggjovzn.exe	115
PID 636 wrote to memory of 3092	636	ggjovzn.exe	115
PID 3092 wrote to memory of 2140	3092	qbchdto.exe	116

C:\Users\Admin\AppData\Local\Temp\cbd2eccb228e932cb19f92bd01beede4.exe
"C:\Users\Admin\AppData\Local\Temp\cbd2eccb228e932cb19f92bd01beede4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\exywyhi.exe
  C:\Windows\system32\exywyhi.exe 1032 "C:\Users\Admin\AppData\Local\Temp\cbd2eccb228e932cb19f92bd01beede4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\emppbxr.exe
    C:\Windows\system32\emppbxr.exe 1152 "C:\Windows\SysWOW64\exywyhi.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\mnwhimv.exe
      C:\Windows\system32\mnwhimv.exe 1156 "C:\Windows\SysWOW64\emppbxr.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\wmamalu.exe
        
        C:\Windows\system32\wmamalu.exe 1160 "C:\Windows\SysWOW64\mnwhimv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\SysWOW64\jzscghb.exe
        
        C:\Windows\system32\jzscghb.exe 1164 "C:\Windows\SysWOW64\wmamalu.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\tywaqfa.exe
        
        C:\Windows\system32\tywaqfa.exe 1048 "C:\Windows\SysWOW64\jzscghb.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\bwjncqg.exe
        
        C:\Windows\system32\bwjncqg.exe 1172 "C:\Windows\SysWOW64\tywaqfa.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\ommplyd.exe
        
        C:\Windows\system32\ommplyd.exe 1180 "C:\Windows\SysWOW64\bwjncqg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\bzwfruk.exe
        
        C:\Windows\system32\bzwfruk.exe 1176 "C:\Windows\SysWOW64\ommplyd.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\ympnkdp.exe
        
        C:\Windows\system32\ympnkdp.exe 1188 "C:\Windows\SysWOW64\bzwfruk.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\ihqxryp.exe
        
        C:\Windows\system32\ihqxryp.exe 1192 "C:\Windows\SysWOW64\ympnkdp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\wuavxco.exe
        
        C:\Windows\system32\wuavxco.exe 1196 "C:\Windows\SysWOW64\ihqxryp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\gqbgfwx.exe
        
        C:\Windows\system32\gqbgfwx.exe 1200 "C:\Windows\SysWOW64\wuavxco.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\orzgtdb.exe
        
        C:\Windows\system32\orzgtdb.exe 1052 "C:\Windows\SysWOW64\gqbgfwx.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\ymaqbxc.exe
        
        C:\Windows\system32\ymaqbxc.exe 1204 "C:\Windows\SysWOW64\orzgtdb.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\ldvtkgz.exe
        
        C:\Windows\system32\ldvtkgz.exe 1208 "C:\Windows\SysWOW64\ymaqbxc.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\yqnjpkg.exe
        
        C:\Windows\system32\yqnjpkg.exe 1216 "C:\Windows\SysWOW64\ldvtkgz.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\ddgrjll.exe
        
        C:\Windows\system32\ddgrjll.exe 1220 "C:\Windows\SysWOW64\yqnjpkg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\tlsypdo.exe
        
        C:\Windows\system32\tlsypdo.exe 1224 "C:\Windows\SysWOW64\ddgrjll.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\ggjovzn.exe
        
        C:\Windows\system32\ggjovzn.exe 1228 "C:\Windows\SysWOW64\tlsypdo.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\qbchdto.exe
        
        C:\Windows\system32\qbchdto.exe 1056 "C:\Windows\SysWOW64\ggjovzn.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\baoevsv.exe
        
        C:\Windows\system32\baoevsv.exe 1236 "C:\Windows\SysWOW64\qbchdto.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\jpcrzcs.exe
        
        C:\Windows\system32\jpcrzcs.exe 1244 "C:\Windows\SysWOW64\baoevsv.exe"
        24⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\ymkrluc.exe
        
        C:\Windows\system32\ymkrluc.exe 1240 "C:\Windows\SysWOW64\jpcrzcs.exe"
        25⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\dkhhzwb.exe
        
        C:\Windows\system32\dkhhzwb.exe 1248 "C:\Windows\SysWOW64\ymkrluc.exe"
        26⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\qfyxfza.exe
        
        C:\Windows\system32\qfyxfza.exe 1256 "C:\Windows\SysWOW64\dkhhzwb.exe"
        27⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\vksfybm.exe
        
        C:\Windows\system32\vksfybm.exe 1252 "C:\Windows\SysWOW64\qfyxfza.exe"
        28⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\dhgscmj.exe
        
        C:\Windows\system32\dhgscmj.exe 1028 "C:\Windows\SysWOW64\vksfybm.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\grxhuir.exe
        
        C:\Windows\system32\grxhuir.exe 1264 "C:\Windows\SysWOW64\dhgscmj.exe"
        30⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\lsnckfx.exe
        
        C:\Windows\system32\lsnckfx.exe 1268 "C:\Windows\SysWOW64\grxhuir.exe"
        31⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\nsgjtlv.exe
        
        C:\Windows\system32\nsgjtlv.exe 1044 "C:\Windows\SysWOW64\lsnckfx.exe"
        32⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\gohzbux.exe
        
        C:\Windows\system32\gohzbux.exe 1272 "C:\Windows\SysWOW64\nsgjtlv.exe"
        33⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\lpxcjad.exe
        
        C:\Windows\system32\lpxcjad.exe 1260 "C:\Windows\SysWOW64\gohzbux.exe"
        34⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\iggfqhz.exe
        
        C:\Windows\system32\iggfqhz.exe 1284 "C:\Windows\SysWOW64\lpxcjad.exe"
        35⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\iwoozsq.exe
        
        C:\Windows\system32\iwoozsq.exe 1288 "C:\Windows\SysWOW64\iggfqhz.exe"
        36⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\lnsxgsa.exe
        
        C:\Windows\system32\lnsxgsa.exe 1292 "C:\Windows\SysWOW64\iwoozsq.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\ssccqdl.exe
        
        C:\Windows\system32\ssccqdl.exe 1280 "C:\Windows\SysWOW64\lnsxgsa.exe"
        38⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\qqunied.exe
        
        C:\Windows\system32\qqunied.exe 1300 "C:\Windows\SysWOW64\ssccqdl.exe"
        39⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\vnrvwfc.exe
        
        C:\Windows\system32\vnrvwfc.exe 1068 "C:\Windows\SysWOW64\qqunied.exe"
        40⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\fndtgek.exe
        
        C:\Windows\system32\fndtgek.exe 1308 "C:\Windows\SysWOW64\vnrvwfc.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\qiwlozl.exe
        
        C:\Windows\system32\qiwlozl.exe 1316 "C:\Windows\SysWOW64\fndtgek.exe"
        42⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\aaljapn.exe
        
        C:\Windows\system32\aaljapn.exe 1304 "C:\Windows\SysWOW64\qiwlozl.exe"
        43⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\iewwkap.exe
        
        C:\Windows\system32\iewwkap.exe 1320 "C:\Windows\SysWOW64\aaljapn.exe"
        44⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\smiplxo.exe
        
        C:\Windows\system32\smiplxo.exe 1324 "C:\Windows\SysWOW64\iewwkap.exe"
        45⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\yomlgjp.exe
        
        C:\Windows\system32\yomlgjp.exe 1328 "C:\Windows\SysWOW64\smiplxo.exe"
        46⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\hrbwtmd.exe
        
        C:\Windows\system32\hrbwtmd.exe 1332 "C:\Windows\SysWOW64\yomlgjp.exe"
        47⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\snnrajr.exe
        
        C:\Windows\system32\snnrajr.exe 1336 "C:\Windows\SysWOW64\hrbwtmd.exe"
        48⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\xhhicvm.exe
        
        C:\Windows\system32\xhhicvm.exe 1340 "C:\Windows\SysWOW64\snnrajr.exe"
        49⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cyxlprm.exe
        
        C:\Windows\system32\cyxlprm.exe 1344 "C:\Windows\SysWOW64\xhhicvm.exe"
        50⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\peccacf.exe
        
        C:\Windows\system32\peccacf.exe 1348 "C:\Windows\SysWOW64\cyxlprm.exe"
        51⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\kdviubh.exe
        
        C:\Windows\system32\kdviubh.exe 1312 "C:\Windows\SysWOW64\peccacf.exe"
        52⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\uofjsyy.exe
        
        C:\Windows\system32\uofjsyy.exe 1356 "C:\Windows\SysWOW64\kdviubh.exe"
        53⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\sqbfzlu.exe
        
        C:\Windows\system32\sqbfzlu.exe 1352 "C:\Windows\SysWOW64\uofjsyy.exe"
        54⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\xvfqrhm.exe
        
        C:\Windows\system32\xvfqrhm.exe 1360 "C:\Windows\SysWOW64\sqbfzlu.exe"
        55⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\hryizju.exe
        
        C:\Windows\system32\hryizju.exe 1364 "C:\Windows\SysWOW64\xvfqrhm.exe"
        56⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\jykgjau.exe
        
        C:\Windows\system32\jykgjau.exe 1368 "C:\Windows\SysWOW64\hryizju.exe"
        57⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\utlqzcd.exe
        
        C:\Windows\system32\utlqzcd.exe 1372 "C:\Windows\SysWOW64\jykgjau.exe"
        58⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\bmkqfjz.exe
        
        C:\Windows\system32\bmkqfjz.exe 1376 "C:\Windows\SysWOW64\utlqzcd.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\kbydrme.exe
        
        C:\Windows\system32\kbydrme.exe 1380 "C:\Windows\SysWOW64\bmkqfjz.exe"
        60⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\rfirafh.exe
        
        C:\Windows\system32\rfirafh.exe 1384 "C:\Windows\SysWOW64\kbydrme.exe"
        61⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cbjbizh.exe
        
        C:\Windows\system32\cbjbizh.exe 1388 "C:\Windows\SysWOW64\rfirafh.exe"
        62⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\mingayp.exe
        
        C:\Windows\system32\mingayp.exe 1392 "C:\Windows\SysWOW64\cbjbizh.exe"
        63⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\wsdefor.exe
        
        C:\Windows\system32\wsdefor.exe 1396 "C:\Windows\SysWOW64\mingayp.exe"
        64⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\kfuulsq.exe
        
        C:\Windows\system32\kfuulsq.exe 1400 "C:\Windows\SysWOW64\wsdefor.exe"
        65⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\jgvmffa.exe
        
        C:\Windows\system32\jgvmffa.exe 1404 "C:\Windows\SysWOW64\kfuulsq.exe"
        66⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\xhbpiea.exe
        
        C:\Windows\system32\xhbpiea.exe 1408 "C:\Windows\SysWOW64\jgvmffa.exe"
        67⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\kclmoay.exe
        
        C:\Windows\system32\kclmoay.exe 1412 "C:\Windows\SysWOW64\xhbpiea.exe"
        68⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\ubxkgzy.exe
        
        C:\Windows\system32\ubxkgzy.exe 1420 "C:\Windows\SysWOW64\kclmoay.exe"
        69⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\eabhryf.exe
        
        C:\Windows\system32\eabhryf.exe 1416 "C:\Windows\SysWOW64\ubxkgzy.exe"
        70⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\psrnvwh.exe
        
        C:\Windows\system32\psrnvwh.exe 1428 "C:\Windows\SysWOW64\eabhryf.exe"
        71⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\bmxupam.exe
        
        C:\Windows\system32\bmxupam.exe 1072 "C:\Windows\SysWOW64\psrnvwh.exe"
        72⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\ohokvek.exe
        
        C:\Windows\system32\ohokvek.exe 1432 "C:\Windows\SysWOW64\bmxupam.exe"
        73⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\zdpdczt.exe
        
        C:\Windows\system32\zdpdczt.exe 1440 "C:\Windows\SysWOW64\ohokvek.exe"
        74⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\mmwffyl.exe
        
        C:\Windows\system32\mmwffyl.exe 1444 "C:\Windows\SysWOW64\zdpdczt.exe"
        75⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\wplqtbz.exe
        
        C:\Windows\system32\wplqtbz.exe 1436 "C:\Windows\SysWOW64\mmwffyl.exe"
        76⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\jggsbbx.exe
        
        C:\Windows\system32\jggsbbx.exe 1452 "C:\Windows\SysWOW64\wplqtbz.exe"
        77⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\xpmdebx.exe
        
        C:\Windows\system32\xpmdebx.exe 1456 "C:\Windows\SysWOW64\jggsbbx.exe"
        78⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\johyvjd.exe
        
        C:\Windows\system32\johyvjd.exe 1460 "C:\Windows\SysWOW64\xpmdebx.exe"
        79⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\untdfik.exe
        
        C:\Windows\system32\untdfik.exe 1448 "C:\Windows\SysWOW64\johyvjd.exe"
        80⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\ebxwhuf.exe
        
        C:\Windows\system32\ebxwhuf.exe 1464 "C:\Windows\SysWOW64\untdfik.exe"
        81⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\rvddtgk.exe
        
        C:\Windows\system32\rvddtgk.exe 1468 "C:\Windows\SysWOW64\ebxwhuf.exe"
        82⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\wfmyjeq.exe
        
        C:\Windows\system32\wfmyjeq.exe 1476 "C:\Windows\SysWOW64\rvddtgk.exe"
        83⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\mjutnrm.exe
        
        C:\Windows\system32\mjutnrm.exe 1480 "C:\Windows\SysWOW64\wfmyjeq.exe"
        84⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wiyrxqu.exe
        
        C:\Windows\system32\wiyrxqu.exe 1484 "C:\Windows\SysWOW64\mjutnrm.exe"
        85⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\jvqodlt.exe
        
        C:\Windows\system32\jvqodlt.exe 1076 "C:\Windows\SysWOW64\wiyrxqu.exe"
        86⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\rwohsax.exe
        
        C:\Windows\system32\rwohsax.exe 1016 "C:\Windows\SysWOW64\jvqodlt.exe"
        87⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\crpzzvx.exe
        
        C:\Windows\system32\crpzzvx.exe 1492 "C:\Windows\SysWOW64\rwohsax.exe"
        88⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\mqtwktf.exe
        
        C:\Windows\system32\mqtwktf.exe 1500 "C:\Windows\SysWOW64\crpzzvx.exe"
        89⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\zdlmqxe.exe
        
        C:\Windows\system32\zdlmqxe.exe 1060 "C:\Windows\SysWOW64\mqtwktf.exe"
        90⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\rhzxrho.exe
        
        C:\Windows\system32\rhzxrho.exe 1512 "C:\Windows\SysWOW64\zdlmqxe.exe"
        91⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\muinmsr.exe
        
        C:\Windows\system32\muinmsr.exe 1516 "C:\Windows\SysWOW64\rhzxrho.exe"
        92⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\zhzcswp.exe
        
        C:\Windows\system32\zhzcswp.exe 1508 "C:\Windows\SysWOW64\muinmsr.exe"
        93⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\hiycgct.exe
        
        C:\Windows\system32\hiycgct.exe 1520 "C:\Windows\SysWOW64\zhzcswp.exe"
        94⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\wfgclvd.exe
        
        C:\Windows\system32\wfgclvd.exe 1524 "C:\Windows\SysWOW64\hiycgct.exe"
        95⤵
        
        PID:808
        
        C:\Windows\SysWOW64\bwbfbda.exe
        
        C:\Windows\system32\bwbfbda.exe 1504 "C:\Windows\SysWOW64\wfgclvd.exe"
        96⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\jhmncjy.exe
        
        C:\Windows\system32\jhmncjy.exe 1532 "C:\Windows\SysWOW64\bwbfbda.exe"
        97⤵
        
        PID:60
        
        C:\Windows\SysWOW64\wggqlje.exe
        
        C:\Windows\system32\wggqlje.exe 1528 "C:\Windows\SysWOW64\jhmncjy.exe"
        98⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\encifgo.exe
        
        C:\Windows\system32\encifgo.exe 1536 "C:\Windows\SysWOW64\wggqlje.exe"
        99⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\tdnqmqj.exe
        
        C:\Windows\system32\tdnqmqj.exe 1088 "C:\Windows\SysWOW64\encifgo.exe"
        100⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\guituyp.exe
        
        C:\Windows\system32\guituyp.exe 1544 "C:\Windows\SysWOW64\tdnqmqj.exe"
        101⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\rmyqzor.exe
        
        C:\Windows\system32\rmyqzor.exe 1552 "C:\Windows\SysWOW64\guituyp.exe"
        102⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\blkokny.exe
        
        C:\Windows\system32\blkokny.exe 1556 "C:\Windows\SysWOW64\rmyqzor.exe"
        103⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\ouqynnq.exe
        
        C:\Windows\system32\ouqynnq.exe 1560 "C:\Windows\SysWOW64\blkokny.exe"
        104⤵
        
        PID:732
        
        C:\Windows\SysWOW64\zuuwfly.exe
        
        C:\Windows\system32\zuuwfly.exe 1548 "C:\Windows\SysWOW64\ouqynnq.exe"
        105⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\jtytpkf.exe
        
        C:\Windows\system32\jtytpkf.exe 1568 "C:\Windows\SysWOW64\zuuwfly.exe"
        106⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\woqjvge.exe
        
        C:\Windows\system32\woqjvge.exe 1572 "C:\Windows\SysWOW64\jtytpkf.exe"
        107⤵
        
        PID:768
        
        C:\Windows\SysWOW64\jbhhbkd.exe
        
        C:\Windows\system32\jbhhbkd.exe 1564 "C:\Windows\SysWOW64\woqjvge.exe"
        108⤵
        
        PID:700
        
        C:\Windows\SysWOW64\twarjel.exe
        
        C:\Windows\system32\twarjel.exe 1576 "C:\Windows\SysWOW64\jbhhbkd.exe"
        109⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\gnduzmj.exe
        
        C:\Windows\system32\gnduzmj.exe 1584 "C:\Windows\SysWOW64\twarjel.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\tlywinp.exe
        
        C:\Windows\system32\tlywinp.exe 1580 "C:\Windows\SysWOW64\gnduzmj.exe"
        111⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\ehzhphp.exe
        
        C:\Windows\system32\ehzhphp.exe 1588 "C:\Windows\SysWOW64\tlywinp.exe"
        112⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\ruixvlo.exe
        
        C:\Windows\system32\ruixvlo.exe 1592 "C:\Windows\SysWOW64\ehzhphp.exe"
        113⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\ceycabq.exe
        
        C:\Windows\system32\ceycabq.exe 1600 "C:\Windows\SysWOW64\ruixvlo.exe"
        114⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\ogeslou.exe
        
        C:\Windows\system32\ogeslou.exe 1604 "C:\Windows\SysWOW64\ceycabq.exe"
        115⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\yfqpemc.exe
        
        C:\Windows\system32\yfqpemc.exe 1608 "C:\Windows\SysWOW64\ogeslou.exe"
        116⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\lsafkqb.exe
        
        C:\Windows\system32\lsafkqb.exe 1596 "C:\Windows\SysWOW64\yfqpemc.exe"
        117⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\znrupmh.exe
        
        C:\Windows\system32\znrupmh.exe 1612 "C:\Windows\SysWOW64\lsafkqb.exe"
        118⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\majkvqg.exe
        
        C:\Windows\system32\majkvqg.exe 1616 "C:\Windows\SysWOW64\znrupmh.exe"
        119⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\wznqgpo.exe
        
        C:\Windows\system32\wznqgpo.exe 1624 "C:\Windows\SysWOW64\majkvqg.exe"
        120⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\gyrnynn.exe
        
        C:\Windows\system32\gyrnynn.exe 1620 "C:\Windows\SysWOW64\wznqgpo.exe"
        121⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\tixqbnn.exe
        
        C:\Windows\system32\tixqbnn.exe 1628 "C:\Windows\SysWOW64\gyrnynn.exe"
        122⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\hvpfhrm.exe
        
        C:\Windows\system32\hvpfhrm.exe 1640 "C:\Windows\SysWOW64\tixqbnn.exe"
        123⤵
        
        PID:404
        
        C:\Windows\SysWOW64\occgtgw.exe
        
        C:\Windows\system32\occgtgw.exe 1632 "C:\Windows\SysWOW64\hvpfhrm.exe"
        124⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\yydqjbw.exe
        
        C:\Windows\system32\yydqjbw.exe 1636 "C:\Windows\SysWOW64\occgtgw.exe"
        125⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\jueiqvx.exe
        
        C:\Windows\system32\jueiqvx.exe 1644 "C:\Windows\SysWOW64\yydqjbw.exe"
        126⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\zkqixfb.exe
        
        C:\Windows\system32\zkqixfb.exe 1648 "C:\Windows\SysWOW64\jueiqvx.exe"
        127⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\jfqbfzb.exe
        
        C:\Windows\system32\jfqbfzb.exe 1652 "C:\Windows\SysWOW64\zkqixfb.exe"
        128⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\tevypyj.exe
        
        C:\Windows\system32\tevypyj.exe 1660 "C:\Windows\SysWOW64\jfqbfzb.exe"
        129⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\davjfsk.exe
        
        C:\Windows\system32\davjfsk.exe 1664 "C:\Windows\SysWOW64\tevypyj.exe"
        130⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\rnnylwq.exe
        
        C:\Windows\system32\rnnylwq.exe 1668 "C:\Windows\SysWOW64\davjfsk.exe"
        131⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\eiwwqap.exe
        
        C:\Windows\system32\eiwwqap.exe 1672 "C:\Windows\SysWOW64\rnnylwq.exe"
        132⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\ohjubzx.exe
        
        C:\Windows\system32\ohjubzx.exe 1656 "C:\Windows\SysWOW64\eiwwqap.exe"
        133⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\busjhdw.exe
        
        C:\Windows\system32\busjhdw.exe 1676 "C:\Windows\SysWOW64\ohjubzx.exe"
        134⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\okvmpdb.exe
        
        C:\Windows\system32\okvmpdb.exe 1684 "C:\Windows\SysWOW64\busjhdw.exe"
        135⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\butpsct.exe
        
        C:\Windows\system32\butpsct.exe 1036 "C:\Windows\SysWOW64\okvmpdb.exe"
        136⤵
        
        PID:228
        
        C:\Windows\SysWOW64\jydckwe.exe
        
        C:\Windows\system32\jydckwe.exe 1096 "C:\Windows\SysWOW64\butpsct.exe"
        137⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\ohmxatc.exe
        
        C:\Windows\system32\ohmxatc.exe 1108 "C:\Windows\SysWOW64\jydckwe.exe"
        138⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\rrbcfje.exe
        
        C:\Windows\system32\rrbcfje.exe 1020 "C:\Windows\SysWOW64\ohmxatc.exe"
        139⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\dxtxtap.exe
        
        C:\Windows\system32\dxtxtap.exe 1704 "C:\Windows\SysWOW64\rrbcfje.exe"
        140⤵
        
        PID:212
        
        C:\Windows\SysWOW64\rgziwzp.exe
        
        C:\Windows\system32\rgziwzp.exe 1700 "C:\Windows\SysWOW64\dxtxtap.exe"
        141⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\bgdfgyo.exe
        
        C:\Windows\system32\bgdfgyo.exe 1708 "C:\Windows\SysWOW64\rgziwzp.exe"
        142⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\opjirqo.exe
        
        C:\Windows\system32\opjirqo.exe 1716 "C:\Windows\SysWOW64\bgdfgyo.exe"
        143⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\bvbkghz.exe
        
        C:\Windows\system32\bvbkghz.exe 1712 "C:\Windows\SysWOW64\opjirqo.exe"
        144⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\oehnjgr.exe
        
        C:\Windows\system32\oehnjgr.exe 1724 "C:\Windows\SysWOW64\bvbkghz.exe"
        145⤵
        
        PID:528
        
        C:\Windows\SysWOW64\tnpirlx.exe
        
        C:\Windows\system32\tnpirlx.exe 1040 "C:\Windows\SysWOW64\oehnjgr.exe"
        146⤵
        
        PID:860
        
        C:\Windows\SysWOW64\exfnecz.exe
        
        C:\Windows\system32\exfnecz.exe 1732 "C:\Windows\SysWOW64\tnpirlx.exe"
        147⤵
        
        PID:744
        
        C:\Windows\SysWOW64\oiuyrfg.exe
        
        C:\Windows\system32\oiuyrfg.exe 1680 "C:\Windows\SysWOW64\exfnecz.exe"
        148⤵
        
        PID:320
        
        C:\Windows\SysWOW64\bvmoxbe.exe
        
        C:\Windows\system32\bvmoxbe.exe 1112 "C:\Windows\SysWOW64\oiuyrfg.exe"
        149⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\luqlpzm.exe
        
        C:\Windows\system32\luqlpzm.exe 1744 "C:\Windows\SysWOW64\bvmoxbe.exe"
        150⤵
        
        PID:548
        
        C:\Windows\SysWOW64\trlytkr.exe
        
        C:\Windows\system32\trlytkr.exe 1748 "C:\Windows\SysWOW64\luqlpzm.exe"
        151⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\jditdyu.exe
        
        C:\Windows\system32\jditdyu.exe 1752 "C:\Windows\SysWOW64\trlytkr.exe"
        152⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\wysjics.exe
        
        C:\Windows\system32\wysjics.exe 1756 "C:\Windows\SysWOW64\jditdyu.exe"
        153⤵
        
        PID:844
        
        C:\Windows\SysWOW64\jovlrcy.exe
        
        C:\Windows\system32\jovlrcy.exe 1740 "C:\Windows\SysWOW64\wysjics.exe"
        154⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\tknwzwz.exe
        
        C:\Windows\system32\tknwzwz.exe 1760 "C:\Windows\SysWOW64\jovlrcy.exe"
        155⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\gaqzhee.exe
        
        C:\Windows\system32\gaqzhee.exe 1768 "C:\Windows\SysWOW64\tknwzwz.exe"
        156⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\tvaovid.exe
        
        C:\Windows\system32\tvaovid.exe 1064 "C:\Windows\SysWOW64\gaqzhee.exe"
        157⤵
        
        PID:464
        
        C:\Windows\SysWOW64\girebmc.exe
        
        C:\Windows\system32\girebmc.exe 1080 "C:\Windows\SysWOW64\tvaovid.exe"
        158⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\oncrkxe.exe
        
        C:\Windows\system32\oncrkxe.exe 1084 "C:\Windows\SysWOW64\girebmc.exe"
        159⤵
        
        PID:980
        
        C:\Windows\SysWOW64\yxrxpng.exe
        
        C:\Windows\system32\yxrxpng.exe 1784 "C:\Windows\SysWOW64\oncrkxe.exe"
        160⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\lzxeial.exe
        
        C:\Windows\system32\lzxeial.exe 1780 "C:\Windows\SysWOW64\yxrxpng.exe"
        161⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\ypshraq.exe
        
        C:\Windows\system32\ypshraq.exe 1788 "C:\Windows\SysWOW64\lzxeial.exe"
        162⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\lzysuzq.exe
        
        C:\Windows\system32\lzysuzq.exe 1796 "C:\Windows\SysWOW64\ypshraq.exe"
        163⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\wycpeyq.exe
        
        C:\Windows\system32\wycpeyq.exe 1792 "C:\Windows\SysWOW64\lzysuzq.exe"
        164⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\gfpnpxx.exe
        
        C:\Windows\system32\gfpnpxx.exe 1804 "C:\Windows\SysWOW64\wycpeyq.exe"
        165⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\qapfery.exe
        
        C:\Windows\system32\qapfery.exe 1800 "C:\Windows\SysWOW64\gfpnpxx.exe"
        166⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\dnzvkvf.exe
        
        C:\Windows\system32\dnzvkvf.exe 1808 "C:\Windows\SysWOW64\qapfery.exe"
        167⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\thxvfrf.exe
        
        C:\Windows\system32\thxvfrf.exe 1816 "C:\Windows\SysWOW64\dnzvkvf.exe"
        168⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\aosnsgo.exe
        
        C:\Windows\system32\aosnsgo.exe 1820 "C:\Windows\SysWOW64\thxvfrf.exe"
        169⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\yjpocjs.exe
        
        C:\Windows\system32\yjpocjs.exe 1824 "C:\Windows\SysWOW64\aosnsgo.exe"
        170⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\lwhdhmz.exe
        
        C:\Windows\system32\lwhdhmz.exe 1812 "C:\Windows\SysWOW64\yjpocjs.exe"
        171⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\llwjzvc.exe
        
        C:\Windows\system32\llwjzvc.exe 1828 "C:\Windows\SysWOW64\lwhdhmz.exe"
        172⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\yyozezb.exe
        
        C:\Windows\system32\yyozezb.exe 1836 "C:\Windows\SysWOW64\llwjzvc.exe"
        173⤵
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\gfbrzok.exe
        
        C:\Windows\system32\gfbrzok.exe 1832 "C:\Windows\SysWOW64\yyozezb.exe"
        174⤵
        
        PID:848
        
        C:\Windows\SysWOW64\noxwlav.exe
        
        C:\Windows\system32\noxwlav.exe 1844 "C:\Windows\SysWOW64\gfbrzok.exe"
        175⤵
        
        PID:648
        
        C:\Windows\SysWOW64\vdskpcs.exe
        
        C:\Windows\system32\vdskpcs.exe 1840 "C:\Windows\SysWOW64\noxwlav.exe"
        176⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\ibnmfly.exe
        
        C:\Windows\system32\ibnmfly.exe 1856 "C:\Windows\SysWOW64\vdskpcs.exe"
        177⤵
        
        PID:748
        
        C:\Windows\SysWOW64\sarkqjg.exe
        
        C:\Windows\system32\sarkqjg.exe 1848 "C:\Windows\SysWOW64\ibnmfly.exe"
        178⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\gkyutbg.exe
        
        C:\Windows\system32\gkyutbg.exe 1140 "C:\Windows\SysWOW64\sarkqjg.exe"
        179⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\ynvkgsn.exe
        
        C:\Windows\system32\ynvkgsn.exe 1864 "C:\Windows\SysWOW64\gkyutbg.exe"
        180⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\vhrywvu.exe
        
        C:\Windows\system32\vhrywvu.exe 1868 "C:\Windows\SysWOW64\ynvkgsn.exe"
        181⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\yogoxua.exe
        
        C:\Windows\system32\yogoxua.exe 1860 "C:\Windows\SysWOW64\vhrywvu.exe"
        182⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\fvtgskk.exe
        
        C:\Windows\system32\fvtgskk.exe 1128 "C:\Windows\SysWOW64\yogoxua.exe"
        183⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\tildxoj.exe
        
        C:\Windows\system32\tildxoj.exe 1184 "C:\Windows\SysWOW64\fvtgskk.exe"
        184⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\invohnn.exe
        
        C:\Windows\system32\invohnn.exe 1880 "C:\Windows\SysWOW64\tildxoj.exe"
        185⤵
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\qvjobdw.exe
        
        C:\Windows\system32\qvjobdw.exe 1884 "C:\Windows\SysWOW64\invohnn.exe"
        186⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\ghrjfqt.exe
        
        C:\Windows\system32\ghrjfqt.exe 1888 "C:\Windows\SysWOW64\qvjobdw.exe"
        187⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\qdsunkc.exe
        
        C:\Windows\system32\qdsunkc.exe 1892 "C:\Windows\SysWOW64\ghrjfqt.exe"
        188⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\tbyeccd.exe
        
        C:\Windows\system32\tbyeccd.exe 1900 "C:\Windows\SysWOW64\qdsunkc.exe"
        189⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\vxbhxck.exe
        
        C:\Windows\system32\vxbhxck.exe 1104 "C:\Windows\SysWOW64\tbyeccd.exe"
        190⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\fscrfxs.exe
        
        C:\Windows\system32\fscrfxs.exe 1908 "C:\Windows\SysWOW64\vxbhxck.exe"
        191⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\qkrxsnm.exe
        
        C:\Windows\system32\qkrxsnm.exe 1904 "C:\Windows\SysWOW64\fscrfxs.exe"
        192⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\gepxnju.exe
        
        C:\Windows\system32\gepxnju.exe 1916 "C:\Windows\SysWOW64\qkrxsnm.exe"
        193⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\aotyqkl.exe
        
        C:\Windows\system32\aotyqkl.exe 1912 "C:\Windows\SysWOW64\gepxnju.exe"
        194⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\vjylisv.exe
        
        C:\Windows\system32\vjylisv.exe 1924 "C:\Windows\SysWOW64\aotyqkl.exe"
        195⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\awbhnbf.exe
        
        C:\Windows\system32\awbhnbf.exe 1920 "C:\Windows\SysWOW64\vjylisv.exe"
        196⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\fjmpglk.exe
        
        C:\Windows\system32\fjmpglk.exe 1932 "C:\Windows\SysWOW64\awbhnbf.exe"
        197⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\tssrjkk.exe
        
        C:\Windows\system32\tssrjkk.exe 1936 "C:\Windows\SysWOW64\fjmpglk.exe"
        198⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\iejaenj.exe
        
        C:\Windows\system32\iejaenj.exe 1940 "C:\Windows\SysWOW64\tssrjkk.exe"
        199⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\sdnxwlj.exe
        
        C:\Windows\system32\sdnxwlj.exe 1928 "C:\Windows\SysWOW64\iejaenj.exe"
        200⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\dwddbcl.exe
        
        C:\Windows\system32\dwddbcl.exe 1948 "C:\Windows\SysWOW64\sdnxwlj.exe"
        201⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\ffustyt.exe
        
        C:\Windows\system32\ffustyt.exe 1944 "C:\Windows\SysWOW64\dwddbcl.exe"
        202⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\spbdwxt.exe
        
        C:\Windows\system32\spbdwxt.exe 1952 "C:\Windows\SysWOW64\ffustyt.exe"
        203⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\seyingw.exe
        
        C:\Windows\system32\seyingw.exe 1996 "C:\Windows\SysWOW64\spbdwxt.exe"
        204⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\dartvaw.exe
        
        C:\Windows\system32\dartvaw.exe 1956 "C:\Windows\SysWOW64\seyingw.exe"
        205⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\qnjjbed.exe
        
        C:\Windows\system32\qnjjbed.exe 1964 "C:\Windows\SysWOW64\dartvaw.exe"
        206⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\dddlreb.exe
        
        C:\Windows\system32\dddlreb.exe 1968 "C:\Windows\SysWOW64\qnjjbed.exe"
        207⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\khoybxl.exe
        
        C:\Windows\system32\khoybxl.exe 1972 "C:\Windows\SysWOW64\dddlreb.exe"
        208⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\xyqbjxj.exe
        
        C:\Windows\system32\xyqbjxj.exe 1960 "C:\Windows\SysWOW64\khoybxl.exe"
        209⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\xgrgvfp.exe
        
        C:\Windows\system32\xgrgvfp.exe 1980 "C:\Windows\SysWOW64\xyqbjxj.exe"
        210⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\kwmjenu.exe
        
        C:\Windows\system32\kwmjenu.exe 1984 "C:\Windows\SysWOW64\xgrgvfp.exe"
        211⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\yjezjjt.exe
        
        C:\Windows\system32\yjezjjt.exe 1092 "C:\Windows\SysWOW64\kwmjenu.exe"
        212⤵
        
        PID:988
        
        C:\Windows\SysWOW64\iqiwcis.exe
        
        C:\Windows\system32\iqiwcis.exe 1992 "C:\Windows\SysWOW64\yjezjjt.exe"
        213⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\vdauimz.exe
        
        C:\Windows\system32\vdauimz.exe 1988 "C:\Windows\SysWOW64\iqiwcis.exe"
        214⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\fcerskz.exe
        
        C:\Windows\system32\fcerskz.exe 2004 "C:\Windows\SysWOW64\vdauimz.exe"
        215⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\qvtpxbb.exe
        
        C:\Windows\system32\qvtpxbb.exe 2008 "C:\Windows\SysWOW64\fcerskz.exe"
        216⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\aufupzi.exe
        
        C:\Windows\system32\aufupzi.exe 1120 "C:\Windows\SysWOW64\qvtpxbb.exe"
        217⤵
        
        PID:756
        
        C:\Windows\SysWOW64\ijthtkf.exe
        
        C:\Windows\system32\ijthtkf.exe 1100 "C:\Windows\SysWOW64\aufupzi.exe"
        218⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\yzfhatj.exe
        
        C:\Windows\system32\yzfhatj.exe 2016 "C:\Windows\SysWOW64\ijthtkf.exe"
        219⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\fgaiujs.exe
        
        C:\Windows\system32\fgaiujs.exe 1168 "C:\Windows\SysWOW64\yzfhatj.exe"
        220⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\sxvkdrq.exe
        
        C:\Windows\system32\sxvkdrq.exe 1212 "C:\Windows\SysWOW64\fgaiujs.exe"
        221⤵
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\dpkihhs.exe
        
        C:\Windows\system32\dpkihhs.exe 1296 "C:\Windows\SysWOW64\sxvkdrq.exe"
        222⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\prqxttw.exe
        
        C:\Windows\system32\prqxttw.exe 2032 "C:\Windows\SysWOW64\dpkihhs.exe"
        223⤵
        Drops file in System32 directory
        
        PID:488
        
        C:\Windows\SysWOW64\ayvqvfa.exe
        
        C:\Windows\system32\ayvqvfa.exe 1116 "C:\Windows\SysWOW64\prqxttw.exe"
        224⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\ktwakaa.exe
        
        C:\Windows\system32\ktwakaa.exe 1876 "C:\Windows\SysWOW64\ayvqvfa.exe"
        225⤵
        
        PID:672
        
        C:\Windows\SysWOW64\kuvarhe.exe
        
        C:\Windows\system32\kuvarhe.exe 2044 "C:\Windows\SysWOW64\ktwakaa.exe"
        226⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\vthgjfe.exe
        
        C:\Windows\system32\vthgjfe.exe 2052 "C:\Windows\SysWOW64\kuvarhe.exe"
        227⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\fpaqran.exe
        
        C:\Windows\system32\fpaqran.exe 2060 "C:\Windows\SysWOW64\vthgjfe.exe"
        228⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\vflyyri.exe
        
        C:\Windows\system32\vflyyri.exe 1232 "C:\Windows\SysWOW64\fpaqran.exe"
        229⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmhqkhs.exe
        
        C:\Windows\system32\cmhqkhs.exe 2064 "C:\Windows\SysWOW64\vflyyri.exe"
        230⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\srplomo.exe
        
        C:\Windows\system32\srplomo.exe 2068 "C:\Windows\SysWOW64\cmhqkhs.exe"
        231⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\avrzgfz.exe
        
        C:\Windows\system32\avrzgfz.exe 1144 "C:\Windows\SysWOW64\srplomo.exe"
        232⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\nexbjfr.exe
        
        C:\Windows\system32\nexbjfr.exe 1472 "C:\Windows\SysWOW64\avrzgfz.exe"
        233⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\xhnmwaf.exe
        
        C:\Windows\system32\xhnmwaf.exe 2080 "C:\Windows\SysWOW64\nexbjfr.exe"
        234⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\hcnwdcg.exe
        
        C:\Windows\system32\hcnwdcg.exe 1488 "C:\Windows\SysWOW64\xhnmwaf.exe"
        235⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\vmuhoug.exe
        
        C:\Windows\system32\vmuhoug.exe 2092 "C:\Windows\SysWOW64\hcnwdcg.exe"
        236⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\fivrwoh.exe
        
        C:\Windows\system32\fivrwoh.exe 2096 "C:\Windows\SysWOW64\vmuhoug.exe"
        237⤵
        
        PID:928
        
        C:\Windows\SysWOW64\skbhhbl.exe
        
        C:\Windows\system32\skbhhbl.exe 2088 "C:\Windows\SysWOW64\fivrwoh.exe"
        238⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\fxkxnfk.exe
        
        C:\Windows\system32\fxkxnfk.exe 2100 "C:\Windows\SysWOW64\skbhhbl.exe"
        239⤵
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\pwwuyds.exe
        
        C:\Windows\system32\pwwuyds.exe 2020 "C:\Windows\SysWOW64\fxkxnfk.exe"
        240⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\curxgdx.exe
        
        C:\Windows\system32\curxgdx.exe 2112 "C:\Windows\SysWOW64\pwwuyds.exe"
        241⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\hswfufw.exe
        
        C:\Windows\system32\hswfufw.exe 2116 "C:\Windows\SysWOW64\curxgdx.exe"
        242⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\zdcfccx.exe
        
        C:\Windows\system32\zdcfccx.exe 2120 "C:\Windows\SysWOW64\hswfufw.exe"
        243⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\hhmklnh.exe
        
        C:\Windows\system32\hhmklnh.exe 1496 "C:\Windows\SysWOW64\zdcfccx.exe"
        244⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\xijamwx.exe
        
        C:\Windows\system32\xijamwx.exe 2124 "C:\Windows\SysWOW64\hhmklnh.exe"
        245⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\idkluqy.exe
        
        C:\Windows\system32\idkluqy.exe 1124 "C:\Windows\SysWOW64\xijamwx.exe"
        246⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\szcvjlh.exe
        
        C:\Windows\system32\szcvjlh.exe 2132 "C:\Windows\SysWOW64\idkluqy.exe"
        247⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\ccafxon.exe
        
        C:\Windows\system32\ccafxon.exe 1276 "C:\Windows\SysWOW64\szcvjlh.exe"
        248⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\hzxvkpm.exe
        
        C:\Windows\system32\hzxvkpm.exe 1692 "C:\Windows\SysWOW64\ccafxon.exe"
        249⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\svygsjv.exe
        
        C:\Windows\system32\svygsjv.exe 992 "C:\Windows\SysWOW64\hzxvkpm.exe"
        250⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\unpvkfv.exe
        
        C:\Windows\system32\unpvkfv.exe 2152 "C:\Windows\SysWOW64\svygsjv.exe"
        251⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\hahtqjc.exe
        
        C:\Windows\system32\hahtqjc.exe 2156 "C:\Windows\SysWOW64\unpvkfv.exe"
        252⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\vjnwtbu.exe
        
        C:\Windows\system32\vjnwtbu.exe 2148 "C:\Windows\SysWOW64\hahtqjc.exe"
        253⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\crbonyd.exe
        
        C:\Windows\system32\crbonyd.exe 1148 "C:\Windows\SysWOW64\vjnwtbu.exe"
        254⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\njqtsof.exe
        
        C:\Windows\system32\njqtsof.exe 2164 "C:\Windows\SysWOW64\crbonyd.exe"
        255⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\hevjsio.exe
        
        C:\Windows\system32\hevjsio.exe 2172 "C:\Windows\SysWOW64\njqtsof.exe"
        256⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\vnbmvho.exe
        
        C:\Windows\system32\vnbmvho.exe 2168 "C:\Windows\SysWOW64\hevjsio.exe"
        257⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cvxehwp.exe
        
        C:\Windows\system32\cvxehwp.exe 2176 "C:\Windows\SysWOW64\vnbmvho.exe"
        258⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\saxzlcu.exe
        
        C:\Windows\system32\saxzlcu.exe 2184 "C:\Windows\SysWOW64\cvxehwp.exe"
        259⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\zhtzfzv.exe
        
        C:\Windows\system32\zhtzfzv.exe 2188 "C:\Windows\SysWOW64\saxzlcu.exe"
        260⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\nrrcirv.exe
        
        C:\Windows\system32\nrrcirv.exe 2192 "C:\Windows\SysWOW64\zhtzfzv.exe"
        261⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\xqdztpd.exe
        
        C:\Windows\system32\xqdztpd.exe 2180 "C:\Windows\SysWOW64\nrrcirv.exe"
        262⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\koycbyi.exe
        
        C:\Windows\system32\koycbyi.exe 2200 "C:\Windows\SysWOW64\xqdztpd.exe"
        263⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\xbpahbh.exe
        
        C:\Windows\system32\xbpahbh.exe 2204 "C:\Windows\SysWOW64\koycbyi.exe"
        264⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\kozpnfg.exe
        
        C:\Windows\system32\kozpnfg.exe 2196 "C:\Windows\SysWOW64\xbpahbh.exe"
        265⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\kpgqbmk.exe
        
        C:\Windows\system32\kpgqbmk.exe 2212 "C:\Windows\SysWOW64\kozpnfg.exe"
        266⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\xfbskuh.exe
        
        C:\Windows\system32\xfbskuh.exe 2208 "C:\Windows\SysWOW64\kpgqbmk.exe"
        267⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\hffqutp.exe
        
        C:\Windows\system32\hffqutp.exe 2220 "C:\Windows\SysWOW64\xfbskuh.exe"
        268⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\udisdtv.exe
        
        C:\Windows\system32\udisdtv.exe 2216 "C:\Windows\SysWOW64\hffqutp.exe"
        269⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\ezadtov.exe
        
        C:\Windows\system32\ezadtov.exe 2108 "C:\Windows\SysWOW64\udisdtv.exe"
        270⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\rmstyru.exe
        
        C:\Windows\system32\rmstyru.exe 2232 "C:\Windows\SysWOW64\ezadtov.exe"
        271⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\fzjievb.exe
        
        C:\Windows\system32\fzjievb.exe 2236 "C:\Windows\SysWOW64\rmstyru.exe"
        272⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\sxelnvy.exe
        
        C:\Windows\system32\sxelnvy.exe 2240 "C:\Windows\SysWOW64\fzjievb.exe"
        273⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\fkwbtzx.exe
        
        C:\Windows\system32\fkwbtzx.exe 1136 "C:\Windows\SysWOW64\sxelnvy.exe"
        274⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\jatwpnj.exe
        
        C:\Windows\system32\jatwpnj.exe 1424 "C:\Windows\SysWOW64\fkwbtzx.exe"
        275⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\ziedwxm.exe
        
        C:\Windows\system32\ziedwxm.exe 1764 "C:\Windows\SysWOW64\jatwpnj.exe"
        276⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\esuyecs.exe
        
        C:\Windows\system32\esuyecs.exe 1772 "C:\Windows\SysWOW64\ziedwxm.exe"
        277⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\utjgfdq.exe
        
        C:\Windows\system32\utjgfdq.exe 2260 "C:\Windows\SysWOW64\esuyecs.exe"
        278⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\hjmjolo.exe
        
        C:\Windows\system32\hjmjolo.exe 2256 "C:\Windows\SysWOW64\utjgfdq.exe"
        279⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\riqggkv.exe
        
        C:\Windows\system32\riqggkv.exe 2264 "C:\Windows\SysWOW64\hjmjolo.exe"
        280⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\bpcerjd.exe
        
        C:\Windows\system32\bpcerjd.exe 1776 "C:\Windows\SysWOW64\riqggkv.exe"
        281⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\prbpuiv.exe
        
        C:\Windows\system32\prbpuiv.exe 2272 "C:\Windows\SysWOW64\bpcerjd.exe"
        282⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmsezmc.exe
        
        C:\Windows\system32\cmsezmc.exe 2284 "C:\Windows\SysWOW64\prbpuiv.exe"
        283⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\mhtphhc.exe
        
        C:\Windows\system32\mhtphhc.exe 2276 "C:\Windows\SysWOW64\cmsezmc.exe"
        284⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\zyoryhi.exe
        
        C:\Windows\system32\zyoryhi.exe 2280 "C:\Windows\SysWOW64\mhtphhc.exe"
        285⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\kxspigh.exe
        
        C:\Windows\system32\kxspigh.exe 1736 "C:\Windows\SysWOW64\zyoryhi.exe"
        286⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\ueeusfp.exe
        
        C:\Windows\system32\ueeusfp.exe 2300 "C:\Windows\SysWOW64\kxspigh.exe"
        287⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\eaffizq.exe
        
        C:\Windows\system32\eaffizq.exe 2292 "C:\Windows\SysWOW64\ueeusfp.exe"
        288⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\uiqnhrt.exe
        
        C:\Windows\system32\uiqnhrt.exe 2304 "C:\Windows\SysWOW64\eaffizq.exe"
        289⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\hvacnms.exe
        
        C:\Windows\system32\hvacnms.exe 2308 "C:\Windows\SysWOW64\uiqnhrt.exe"
        290⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\uissaqr.exe
        
        C:\Windows\system32\uissaqr.exe 2312 "C:\Windows\SysWOW64\hvacnms.exe"
        291⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\hdjiguy.exe
        
        C:\Windows\system32\hdjiguy.exe 2316 "C:\Windows\SysWOW64\uissaqr.exe"
        292⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\rcnfrtx.exe
        
        C:\Windows\system32\rcnfrtx.exe 1540 "C:\Windows\SysWOW64\hdjiguy.exe"
        293⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\esiizbd.exe
        
        C:\Windows\system32\esiizbd.exe 2324 "C:\Windows\SysWOW64\rcnfrtx.exe"
        294⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\pojahvd.exe
        
        C:\Windows\system32\pojahvd.exe 1896 "C:\Windows\SysWOW64\esiizbd.exe"
        295⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cmedpwj.exe
        
        C:\Windows\system32\cmedpwj.exe 2328 "C:\Windows\SysWOW64\pojahvd.exe"
        296⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\pwkgsvj.exe
        
        C:\Windows\system32\pwkgsvj.exe 2352 "C:\Windows\SysWOW64\cmedpwj.exe"
        297⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\zyhqoyp.exe
        
        C:\Windows\system32\zyhqoyp.exe 2332 "C:\Windows\SysWOW64\pwkgsvj.exe"
        298⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\eweybzo.exe
        
        C:\Windows\system32\eweybzo.exe 1728 "C:\Windows\SysWOW64\zyhqoyp.exe"
        299⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\xdhlysq.exe
        
        C:\Windows\system32\xdhlysq.exe 2344 "C:\Windows\SysWOW64\eweybzo.exe"
        300⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\elcdsiz.exe
        
        C:\Windows\system32\elcdsiz.exe 2340 "C:\Windows\SysWOW64\xdhlysq.exe"
        301⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\rviovhz.exe
        
        C:\Windows\system32\rviovhz.exe 2348 "C:\Windows\SysWOW64\elcdsiz.exe"
        302⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\bfyzjkg.exe
        
        C:\Windows\system32\bfyzjkg.exe 2000 "C:\Windows\SysWOW64\rviovhz.exe"
        303⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\phebmkg.exe
        
        C:\Windows\system32\phebmkg.exe 2360 "C:\Windows\SysWOW64\bfyzjkg.exe"
        304⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\ccorrgf.exe
        
        C:\Windows\system32\ccorrgf.exe 2364 "C:\Windows\SysWOW64\phebmkg.exe"
        305⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\medbnjl.exe
        
        C:\Windows\system32\medbnjl.exe 2028 "C:\Windows\SysWOW64\ccorrgf.exe"
        306⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\ufcctyp.exe
        
        C:\Windows\system32\ufcctyp.exe 2372 "C:\Windows\SysWOW64\medbnjl.exe"
        307⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\hstrzto.exe
        
        C:\Windows\system32\hstrzto.exe 2012 "C:\Windows\SysWOW64\ufcctyp.exe"
        308⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\uflhfxm.exe
        
        C:\Windows\system32\uflhfxm.exe 1696 "C:\Windows\SysWOW64\hstrzto.exe"
        309⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\tnyhznw.exe
        
        C:\Windows\system32\tnyhznw.exe 2384 "C:\Windows\SysWOW64\uflhfxm.exe"
        310⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\ccuudxt.exe
        
        C:\Windows\system32\ccuudxt.exe 1872 "C:\Windows\SysWOW64\tnyhznw.exe"
        311⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\jkhmxnd.exe
        
        C:\Windows\system32\jkhmxnd.exe 2040 "C:\Windows\SysWOW64\ccuudxt.exe"
        312⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\zwqhbaz.exe
        
        C:\Windows\system32\zwqhbaz.exe 2396 "C:\Windows\SysWOW64\jkhmxnd.exe"
        313⤵
        
        PID:924
        
        C:\Windows\SysWOW64\jvuflzh.exe
        
        C:\Windows\system32\jvuflzh.exe 1688 "C:\Windows\SysWOW64\zwqhbaz.exe"
        314⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\wfaqoqh.exe
        
        C:\Windows\system32\wfaqoqh.exe 2408 "C:\Windows\SysWOW64\jvuflzh.exe"
        315⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\ghqactn.exe
        
        C:\Windows\system32\ghqactn.exe 2412 "C:\Windows\SysWOW64\wfaqoqh.exe"
        316⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\tchqpxm.exe
        
        C:\Windows\system32\tchqpxm.exe 2404 "C:\Windows\SysWOW64\ghqactn.exe"
        317⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\hmnssxm.exe
        
        C:\Windows\system32\hmnssxm.exe 2420 "C:\Windows\SysWOW64\tchqpxm.exe"
        318⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\ucivbfr.exe
        
        C:\Windows\system32\ucivbfr.exe 2416 "C:\Windows\SysWOW64\hmnssxm.exe"
        319⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\eyjojzs.exe
        
        C:\Windows\system32\eyjojzs.exe 2424 "C:\Windows\SysWOW64\ucivbfr.exe"
        320⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\oayywcz.exe
        
        C:\Windows\system32\oayywcz.exe 1720 "C:\Windows\SysWOW64\eyjojzs.exe"
        321⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\bviocyx.exe
        
        C:\Windows\system32\bviocyx.exe 2076 "C:\Windows\SysWOW64\oayywcz.exe"
        322⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\oiadpce.exe
        
        C:\Windows\system32\oiadpce.exe 2440 "C:\Windows\SysWOW64\bviocyx.exe"
        323⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cvrtvgd.exe
        
        C:\Windows\system32\cvrtvgd.exe 2436 "C:\Windows\SysWOW64\oiadpce.exe"
        324⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\jatgfrg.exe
        
        C:\Windows\system32\jatgfrg.exe 2448 "C:\Windows\SysWOW64\cvrtvgd.exe"
        325⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\wuzoqdk.exe
        
        C:\Windows\system32\wuzoqdk.exe 2452 "C:\Windows\SysWOW64\jatgfrg.exe"
        326⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\himgspn.exe
        
        C:\Windows\system32\himgspn.exe 2128 "C:\Windows\SysWOW64\wuzoqdk.exe"
        327⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\rlbrnst.exe
        
        C:\Windows\system32\rlbrnst.exe 2456 "C:\Windows\SysWOW64\himgspn.exe"
        328⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\bdrwsiv.exe
        
        C:\Windows\system32\bdrwsiv.exe 2460 "C:\Windows\SysWOW64\rlbrnst.exe"
        329⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\mykhadw.exe
        
        C:\Windows\system32\mykhadw.exe 2468 "C:\Windows\SysWOW64\bdrwsiv.exe"
        330⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\zlbeohv.exe
        
        C:\Windows\system32\zlbeohv.exe 2472 "C:\Windows\SysWOW64\mykhadw.exe"
        331⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\jhcpvbw.exe
        
        C:\Windows\system32\jhcpvbw.exe 2464 "C:\Windows\SysWOW64\zlbeohv.exe"
        332⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\wfxsebb.exe
        
        C:\Windows\system32\wfxsebb.exe 2480 "C:\Windows\SysWOW64\jhcpvbw.exe"
        333⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\jsohkfa.exe
        
        C:\Windows\system32\jsohkfa.exe 1852 "C:\Windows\SysWOW64\wfxsebb.exe"
        334⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\mcgxcbi.exe
        
        C:\Windows\system32\mcgxcbi.exe 1976 "C:\Windows\SysWOW64\jsohkfa.exe"
        335⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\bwdslpk.exe
        
        C:\Windows\system32\bwdslpk.exe 2104 "C:\Windows\SysWOW64\mcgxcbi.exe"
        336⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\ojuhrtj.exe
        
        C:\Windows\system32\ojuhrtj.exe 2496 "C:\Windows\SysWOW64\bwdslpk.exe"
        337⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\yiyfcsr.exe
        
        C:\Windows\system32\yiyfcsr.exe 2492 "C:\Windows\SysWOW64\ojuhrtj.exe"
        338⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\jdzxrmr.exe
        
        C:\Windows\system32\jdzxrmr.exe 2504 "C:\Windows\SysWOW64\yiyfcsr.exe"
        339⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\zewfkvp.exe
        
        C:\Windows\system32\zewfkvp.exe 2508 "C:\Windows\SysWOW64\jdzxrmr.exe"
        340⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\jplqgyw.exe
        
        C:\Windows\system32\jplqgyw.exe 2500 "C:\Windows\SysWOW64\zewfkvp.exe"
        341⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\tleante.exe
        
        C:\Windows\system32\tleante.exe 2520 "C:\Windows\SysWOW64\jplqgyw.exe"
        342⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\gywqtpd.exe
        
        C:\Windows\system32\gywqtpd.exe 2512 "C:\Windows\SysWOW64\tleante.exe"
        343⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\rxandnl.exe
        
        C:\Windows\system32\rxandnl.exe 2516 "C:\Windows\SysWOW64\gywqtpd.exe"
        344⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\yxznsch.exe
        
        C:\Windows\system32\yxznsch.exe 2136 "C:\Windows\SysWOW64\rxandnl.exe"
        345⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\jelguok.exe
        
        C:\Windows\system32\jelguok.exe 2528 "C:\Windows\SysWOW64\yxznsch.exe"
        346⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\wcgjdwh.exe
        
        C:\Windows\system32\wcgjdwh.exe 2532 "C:\Windows\SysWOW64\jelguok.exe"
        347⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\ekcjxmr.exe
        
        C:\Windows\system32\ekcjxmr.exe 2084 "C:\Windows\SysWOW64\wcgjdwh.exe"
        348⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\rxlydpq.exe
        
        C:\Windows\system32\rxlydpq.exe 2544 "C:\Windows\SysWOW64\ekcjxmr.exe"
        349⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\ekdoilw.exe
        
        C:\Windows\system32\ekdoilw.exe 2336 "C:\Windows\SysWOW64\rxlydpq.exe"
        350⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\lsqgdjy.exe
        
        C:\Windows\system32\lsqgdjy.exe 2552 "C:\Windows\SysWOW64\ekdoilw.exe"
        351⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\rfiwief.exe
        
        C:\Windows\system32\rfiwief.exe 2548 "C:\Windows\SysWOW64\lsqgdjy.exe"
        352⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\yghwptb.exe
        
        C:\Windows\system32\yghwptb.exe 2024 "C:\Windows\SysWOW64\rfiwief.exe"
        353⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\jflchsi.exe
        
        C:\Windows\system32\jflchsi.exe 2140 "C:\Windows\SysWOW64\yghwptb.exe"
        354⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\txazmik.exe
        
        C:\Windows\system32\txazmik.exe 2564 "C:\Windows\SysWOW64\jflchsi.exe"
        355⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\jnuhtso.exe
        
        C:\Windows\system32\jnuhtso.exe 2572 "C:\Windows\SysWOW64\txazmik.exe"
        356⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\tmyedrn.exe
        
        C:\Windows\system32\tmyedrn.exe 2576 "C:\Windows\SysWOW64\jnuhtso.exe"
        357⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\gzpujuu.exe
        
        C:\Windows\system32\gzpujuu.exe 2568 "C:\Windows\SysWOW64\tmyedrn.exe"
        358⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\qyusutu.exe
        
        C:\Windows\system32\qyusutu.exe 2584 "C:\Windows\SysWOW64\gzpujuu.exe"
        359⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\gzrivcs.exe
        
        C:\Windows\system32\gzrivcs.exe 2036 "C:\Windows\SysWOW64\qyusutu.exe"
        360⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\qjgsqxy.exe
        
        C:\Windows\system32\qjgsqxy.exe 2592 "C:\Windows\SysWOW64\gzrivcs.exe"
        361⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\etmvtxy.exe
        
        C:\Windows\system32\etmvtxy.exe 2588 "C:\Windows\SysWOW64\qjgsqxy.exe"
        362⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\ovcfgae.exe
        
        C:\Windows\system32\ovcfgae.exe 2596 "C:\Windows\SysWOW64\etmvtxy.exe"
        363⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\ynrllqg.exe
        
        C:\Windows\system32\ynrllqg.exe 2056 "C:\Windows\SysWOW64\ovcfgae.exe"
        364⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\lemfuym.exe
        
        C:\Windows\system32\lemfuym.exe 2608 "C:\Windows\SysWOW64\ynrllqg.exe"
        365⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\znsqxye.exe
        
        C:\Windows\system32\znsqxye.exe 2604 "C:\Windows\SysWOW64\lemfuym.exe"
        366⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\jvenpwl.exe
        
        C:\Windows\system32\jvenpwl.exe 2612 "C:\Windows\SysWOW64\znsqxye.exe"
        367⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\qrpbyio.exe
        
        C:\Windows\system32\qrpbyio.exe 2072 "C:\Windows\SysWOW64\jvenpwl.exe"
        368⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\gdpwcvt.exe
        
        C:\Windows\system32\gdpwcvt.exe 2624 "C:\Windows\SysWOW64\qrpbyio.exe"
        369⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\rcbtnus.exe
        
        C:\Windows\system32\rcbtnus.exe 2144 "C:\Windows\SysWOW64\gdpwcvt.exe"
        370⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\byudcob.exe
        
        C:\Windows\system32\byudcob.exe 2616 "C:\Windows\SysWOW64\rcbtnus.exe"
        371⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\olltika.exe
        
        C:\Windows\system32\olltika.exe 2636 "C:\Windows\SysWOW64\byudcob.exe"
        372⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\ykqztjh.exe
        
        C:\Windows\system32\ykqztjh.exe 2244 "C:\Windows\SysWOW64\olltika.exe"
        373⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\wfwpift.exe
        
        C:\Windows\system32\wfwpift.exe 2268 "C:\Windows\SysWOW64\ykqztjh.exe"
        374⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\ghnfpqf.exe
        
        C:\Windows\system32\ghnfpqf.exe 2644 "C:\Windows\SysWOW64\wfwpift.exe"
        375⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\gtzfduj.exe
        
        C:\Windows\system32\gtzfduj.exe 2648 "C:\Windows\SysWOW64\ghnfpqf.exe"
        376⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\qslcotq.exe
        
        C:\Windows\system32\qslcotq.exe 2652 "C:\Windows\SysWOW64\gtzfduj.exe"
        377⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\ebsfrsi.exe
        
        C:\Windows\system32\ebsfrsi.exe 2296 "C:\Windows\SysWOW64\qslcotq.exe"
        378⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\ramizbo.exe
        
        C:\Windows\system32\ramizbo.exe 2160 "C:\Windows\SysWOW64\ebsfrsi.exe"
        379⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\ysliohs.exe
        
        C:\Windows\system32\ysliohs.exe 2664 "C:\Windows\SysWOW64\ramizbo.exe"
        380⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\gpftlnk.exe
        
        C:\Windows\system32\gpftlnk.exe 2668 "C:\Windows\SysWOW64\ysliohs.exe"
        381⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\lzewomc.exe
        
        C:\Windows\system32\lzewomc.exe 2680 "C:\Windows\SysWOW64\gpftlnk.exe"
        382⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\bwxzsyy.exe
        
        C:\Windows\system32\bwxzsyy.exe 2676 "C:\Windows\SysWOW64\lzewomc.exe"
        383⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\iahmjsb.exe
        
        C:\Windows\system32\iahmjsb.exe 2672 "C:\Windows\SysWOW64\bwxzsyy.exe"
        384⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\qifpubx.exe
        
        C:\Windows\system32\qifpubx.exe 2684 "C:\Windows\SysWOW64\iahmjsb.exe"
        385⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\dsmsxbp.exe
        
        C:\Windows\system32\dsmsxbp.exe 2692 "C:\Windows\SysWOW64\qifpubx.exe"
        386⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\onnkfvq.exe
        
        C:\Windows\system32\onnkfvq.exe 2696 "C:\Windows\SysWOW64\dsmsxbp.exe"
        387⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\vkzncai.exe
        
        C:\Windows\system32\vkzncai.exe 2288 "C:\Windows\SysWOW64\onnkfvq.exe"
        388⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\bbbcakr.exe
        
        C:\Windows\system32\bbbcakr.exe 2700 "C:\Windows\SysWOW64\vkzncai.exe"
        389⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\tqtnwlw.exe
        
        C:\Windows\system32\tqtnwlw.exe 2368 "C:\Windows\SysWOW64\bbbcakr.exe"
        390⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\qnbabah.exe
        
        C:\Windows\system32\qnbabah.exe 2704 "C:\Windows\SysWOW64\tqtnwlw.exe"
        391⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\tjliwhp.exe
        
        C:\Windows\system32\tjliwhp.exe 2356 "C:\Windows\SysWOW64\qnbabah.exe"
        392⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\ikzojla.exe
        
        C:\Windows\system32\ikzojla.exe 2380 "C:\Windows\SysWOW64\tjliwhp.exe"
        393⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\iourzjo.exe
        
        C:\Windows\system32\iourzjo.exe 2724 "C:\Windows\SysWOW64\ikzojla.exe"
        394⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\vxaccjo.exe
        
        C:\Windows\system32\vxaccjo.exe 2720 "C:\Windows\SysWOW64\iourzjo.exe"
        395⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\iovelrt.exe
        
        C:\Windows\system32\iovelrt.exe 2732 "C:\Windows\SysWOW64\vxaccjo.exe"
        396⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\svzcvqt.exe
        
        C:\Windows\system32\svzcvqt.exe 2736 "C:\Windows\SysWOW64\iovelrt.exe"
        397⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\aoyckxx.exe
        
        C:\Windows\system32\aoyckxx.exe 2728 "C:\Windows\SysWOW64\svzcvqt.exe"
        398⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\nbqspaw.exe
        
        C:\Windows\system32\nbqspaw.exe 2748 "C:\Windows\SysWOW64\aoyckxx.exe"
        399⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\vqlkcqf.exe
        
        C:\Windows\system32\vqlkcqf.exe 2400 "C:\Windows\SysWOW64\nbqspaw.exe"
        400⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\issufpf.exe
        
        C:\Windows\system32\issufpf.exe 2752 "C:\Windows\SysWOW64\vqlkcqf.exe"
        401⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\vqmxnyl.exe
        
        C:\Windows\system32\vqmxnyl.exe 2756 "C:\Windows\SysWOW64\issufpf.exe"
        402⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\fmnidsm.exe
        
        C:\Windows\system32\fmnidsm.exe 2764 "C:\Windows\SysWOW64\vqmxnyl.exe"
        403⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\sciklsr.exe
        
        C:\Windows\system32\sciklsr.exe 2744 "C:\Windows\SysWOW64\fmnidsm.exe"
        404⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\ahsxvlu.exe
        
        C:\Windows\system32\ahsxvlu.exe 2772 "C:\Windows\SysWOW64\sciklsr.exe"
        405⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\qlsszrr.exe
        
        C:\Windows\system32\qlsszrr.exe 2776 "C:\Windows\SysWOW64\ahsxvlu.exe"
        406⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\awivmux.exe
        
        C:\Windows\system32\awivmux.exe 2760 "C:\Windows\SysWOW64\qlsszrr.exe"
        407⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\krjncog.exe
        
        C:\Windows\system32\krjncog.exe 2788 "C:\Windows\SysWOW64\awivmux.exe"
        408⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\vnkyjjg.exe
        
        C:\Windows\system32\vnkyjjg.exe 2780 "C:\Windows\SysWOW64\krjncog.exe"
        409⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\kdvgqsk.exe
        
        C:\Windows\system32\kdvgqsk.exe 2792 "C:\Windows\SysWOW64\vnkyjjg.exe"
        410⤵
        
        PID:5328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\exywyhi.exe

Filesize
145KB

MD5
cbd2eccb228e932cb19f92bd01beede4

SHA1
7cc7f452c72b603cb80325e0cc3aaec135ded368

SHA256
c0addaa89d6ae4b7199f4e4b37ffa50bf2a69ff728121205a5dce5a677d44f42

SHA512
fcd056e001c7f27c0c90068891608387cb6c1c06a044dd6845452972d52c97e0e786b476bc99da24e0c2cd68f11ef0930fe811d78b9b2549c74598aaa15612e2

Download Submit
memory/332-216-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/332-223-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/380-245-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/552-39-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/552-27-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/636-131-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/636-141-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1040-225-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1040-232-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1052-34-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1052-43-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1228-160-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1228-151-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1388-228-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1440-98-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1440-108-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1624-240-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1628-254-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1900-14-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1900-23-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2044-121-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2140-155-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2180-134-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2192-259-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2192-251-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2208-76-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2248-176-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2484-56-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2616-184-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2672-49-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2756-256-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2872-172-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3092-138-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3092-147-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3260-201-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3344-68-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3464-32-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3552-62-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3552-53-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3588-72-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3588-82-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3964-88-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3964-79-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4272-164-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4300-114-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4300-105-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4308-197-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4308-188-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4316-235-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4320-10-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4320-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4376-219-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4400-127-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4400-118-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4424-208-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4472-249-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4472-242-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4496-207-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4496-214-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4500-17-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4500-7-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4884-189-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4984-101-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/5100-95-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads