metasploit | 5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
Size

222KB
MD5

f38d258532673cf62200ab2d7dd5268a
SHA1

39bf714b2e9ffb5a8cf534977588b71e35952ec6
SHA256

5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80
SHA512

b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf
SSDEEP

6144:ASOrStDEnqmNpMBN+Mcqfbobx4aRrxyre5HfTLGSa:pOrp/N2h4x4aRYixLba

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

jvzyiv.exejvzyiv.exebynbkf.exebynbkf.exevipiih.exevipiih.exepoflke.exepoflke.exekfzoit.exekfzoit.exeeslbiz.exeeslbiz.exezjfefo.exezjfefo.exewdprja.exewdprja.exeqjgmep.exeqjgmep.exehbqwlq.exehbqwlq.exefnmjkk.exefnmjkk.exewfxmrd.exewfxmrd.exeqenpma.exeqenpma.exenbmpnh.exenbmpnh.exekcecjt.exekcecjt.exehoaphn.exehoaphn.exeetvpgd.exeetvpgd.exeeeihuh.exeeeihuh.exeygjpaj.exeygjpaj.exeveiptq.exeveiptq.exesimhzx.exesimhzx.exesuyaoj.exesuyaoj.exelhdvwi.exelhdvwi.exedkpnlu.exedkpnlu.exexyuits.exexyuits.exeuvbimz.exeuvbimz.exeukqndh.exeukqndh.exerpunkx.exerpunkx.exerejtbf.exerejtbf.exeqthqsv.exeqthqsv.exekgmlbu.exekgmlbu.exeknjqsk.exeknjqsk.exe

pid	process
2884	jvzyiv.exe
2860	jvzyiv.exe
2580	bynbkf.exe
2780	bynbkf.exe
2748	vipiih.exe
2484	vipiih.exe
2732	poflke.exe
2176	poflke.exe
2184	kfzoit.exe
812	kfzoit.exe
1896	eslbiz.exe
1608	eslbiz.exe
1552	zjfefo.exe
2076	zjfefo.exe
2132	wdprja.exe
1228	wdprja.exe
1636	qjgmep.exe
1984	qjgmep.exe
2396	hbqwlq.exe
1236	hbqwlq.exe
780	fnmjkk.exe
2932	fnmjkk.exe
2300	wfxmrd.exe
1016	wfxmrd.exe
2980	qenpma.exe
2012	qenpma.exe
2004	nbmpnh.exe
1448	nbmpnh.exe
2256	kcecjt.exe
2940	kcecjt.exe
3068	hoaphn.exe
2620	hoaphn.exe
2316	etvpgd.exe
2548	etvpgd.exe
2552	eeihuh.exe
2508	eeihuh.exe
1652	ygjpaj.exe
2204	ygjpaj.exe
1780	veiptq.exe
328	veiptq.exe
1716	simhzx.exe
1668	simhzx.exe
2244	suyaoj.exe
628	suyaoj.exe
1828	lhdvwi.exe
2236	lhdvwi.exe
2528	dkpnlu.exe
588	dkpnlu.exe
1308	xyuits.exe
1860	xyuits.exe
2276	uvbimz.exe
940	uvbimz.exe
972	ukqndh.exe
1772	ukqndh.exe
900	rpunkx.exe
2944	rpunkx.exe
2300	rejtbf.exe
876	rejtbf.exe
1680	qthqsv.exe
1700	qthqsv.exe
2312	kgmlbu.exe
2268	kgmlbu.exe
2540	knjqsk.exe
2656	knjqsk.exe

Loads dropped DLL 64 IoCs

Processes:

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exejvzyiv.exejvzyiv.exebynbkf.exevipiih.exepoflke.exekfzoit.exeeslbiz.exezjfefo.exewdprja.exeqjgmep.exehbqwlq.exefnmjkk.exewfxmrd.exeqenpma.exenbmpnh.exekcecjt.exehoaphn.exeetvpgd.exeeeihuh.exeygjpaj.exeveiptq.exesimhzx.exesuyaoj.exelhdvwi.exedkpnlu.exexyuits.exeuvbimz.exeukqndh.exerpunkx.exerejtbf.exeqthqsv.exekgmlbu.exe

pid	process
3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
2884	jvzyiv.exe
2860	jvzyiv.exe
2860	jvzyiv.exe
2780	bynbkf.exe
2780	bynbkf.exe
2484	vipiih.exe
2484	vipiih.exe
2176	poflke.exe
2176	poflke.exe
812	kfzoit.exe
812	kfzoit.exe
1608	eslbiz.exe
1608	eslbiz.exe
2076	zjfefo.exe
2076	zjfefo.exe
1228	wdprja.exe
1228	wdprja.exe
1984	qjgmep.exe
1984	qjgmep.exe
1236	hbqwlq.exe
1236	hbqwlq.exe
2932	fnmjkk.exe
2932	fnmjkk.exe
1016	wfxmrd.exe
1016	wfxmrd.exe
2012	qenpma.exe
2012	qenpma.exe
1448	nbmpnh.exe
1448	nbmpnh.exe
2940	kcecjt.exe
2940	kcecjt.exe
2620	hoaphn.exe
2620	hoaphn.exe
2548	etvpgd.exe
2548	etvpgd.exe
2508	eeihuh.exe
2508	eeihuh.exe
2204	ygjpaj.exe
2204	ygjpaj.exe
328	veiptq.exe
328	veiptq.exe
1668	simhzx.exe
1668	simhzx.exe
628	suyaoj.exe
628	suyaoj.exe
2236	lhdvwi.exe
2236	lhdvwi.exe
588	dkpnlu.exe
588	dkpnlu.exe
1860	xyuits.exe
1860	xyuits.exe
940	uvbimz.exe
940	uvbimz.exe
1772	ukqndh.exe
1772	ukqndh.exe
2944	rpunkx.exe
2944	rpunkx.exe
876	rejtbf.exe
876	rejtbf.exe
1700	qthqsv.exe
1700	qthqsv.exe
2268	kgmlbu.exe

Drops file in System32 directory 64 IoCs

Processes:

kthsvo.exemavttr.exeeirlyh.exerchvej.exemkhoyc.exeqwfifr.exenpqvjc.exeeslbiz.exehiwumz.exenljtfy.exeusryjc.exefnmjkk.exemofxyo.exeasjxwf.exesyqyqe.exeffhiel.exevrikuo.exeearilq.exeeznvgx.exefpivgz.exeiqqhfm.exeoxxvcb.exezlhqgp.exehoudwn.exeknjqsk.exeomvsur.exegczzeo.exekfzoit.exedsloqh.exezurevk.exelrpkqs.exepixjgt.exeexprxq.exebyzetb.exeyzoeja.exehgqszz.exelcgkzn.exegfekvy.exevrraxg.exernuvfq.exewfxmrd.exesmcrfs.execkdowa.exetwtwvh.exeipwkjz.exemcjvuf.exeiiailm.exeypornb.exemdqfsa.exezimehg.exerdpwkd.exepwewll.exevsdfxn.exeolorkd.exefrjklh.exefqaurw.exeexumor.exezcagci.exezyxejo.exevtmyko.exedrcwun.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\husfzr.exe	kthsvo.exe
File opened for modification	C:\Windows\SysWOW64\mmhlid.exe	mavttr.exe
File created	C:\Windows\SysWOW64\exprxq.exe	eirlyh.exe
File created	C:\Windows\SysWOW64\oaovxq.exe	rchvej.exe
File opened for modification	C:\Windows\SysWOW64\jlrbcn.exe	mkhoyc.exe
File opened for modification	C:\Windows\SysWOW64\npqvjc.exe	qwfifr.exe
File created	C:\Windows\SysWOW64\kqiaef.exe	npqvjc.exe
File opened for modification	C:\Windows\SysWOW64\zjfefo.exe	eslbiz.exe
File created	C:\Windows\SysWOW64\avjpmf.exe	hiwumz.exe
File created	C:\Windows\SysWOW64\zzooge.exe	nljtfy.exe
File opened for modification	C:\Windows\SysWOW64\thpdak.exe	usryjc.exe
File created	C:\Windows\SysWOW64\wfxmrd.exe	fnmjkk.exe
File created	C:\Windows\SysWOW64\gyhewq.exe	mofxyo.exe
File created	C:\Windows\SysWOW64\ahhcnn.exe	asjxwf.exe
File opened for modification	C:\Windows\SysWOW64\pnpyjd.exe	syqyqe.exe
File opened for modification	C:\Windows\SysWOW64\drcwun.exe	ffhiel.exe
File created	C:\Windows\SysWOW64\vgfpme.exe	vrikuo.exe
File opened for modification	C:\Windows\SysWOW64\bmnvbl.exe	earilq.exe
File opened for modification	C:\Windows\SysWOW64\yxvqju.exe	eznvgx.exe
File opened for modification	C:\Windows\SysWOW64\budveo.exe	fpivgz.exe
File opened for modification	C:\Windows\SysWOW64\ijrzzh.exe	iqqhfm.exe
File opened for modification	C:\Windows\SysWOW64\omvsur.exe	oxxvcb.exe
File opened for modification	C:\Windows\SysWOW64\wmrdcs.exe	zlhqgp.exe
File created	C:\Windows\SysWOW64\mmhlid.exe	mavttr.exe
File created	C:\Windows\SysWOW64\eixqmq.exe	houdwn.exe
File created	C:\Windows\SysWOW64\houdwn.exe	knjqsk.exe
File created	C:\Windows\SysWOW64\budveo.exe	fpivgz.exe
File opened for modification	C:\Windows\SysWOW64\lnffxu.exe	omvsur.exe
File created	C:\Windows\SysWOW64\cdjmiz.exe	gczzeo.exe
File opened for modification	C:\Windows\SysWOW64\eslbiz.exe	kfzoit.exe
File created	C:\Windows\SysWOW64\xfqjzf.exe	dsloqh.exe
File opened for modification	C:\Windows\SysWOW64\thdrer.exe	zurevk.exe
File created	C:\Windows\SysWOW64\ipwkjz.exe	lrpkqs.exe
File opened for modification	C:\Windows\SysWOW64\mjhwke.exe	pixjgt.exe
File opened for modification	C:\Windows\SysWOW64\byzetb.exe	exprxq.exe
File created	C:\Windows\SysWOW64\ariono.exe	byzetb.exe
File created	C:\Windows\SysWOW64\smtyrg.exe	yzoeja.exe
File opened for modification	C:\Windows\SysWOW64\vhifvk.exe	hgqszz.exe
File created	C:\Windows\SysWOW64\dvpuba.exe	lcgkzn.exe
File opened for modification	C:\Windows\SysWOW64\asjxwf.exe	gfekvy.exe
File opened for modification	C:\Windows\SysWOW64\ssbntj.exe	vrraxg.exe
File created	C:\Windows\SysWOW64\rfdfzc.exe	rnuvfq.exe
File opened for modification	C:\Windows\SysWOW64\qenpma.exe	wfxmrd.exe
File created	C:\Windows\SysWOW64\tqojce.exe	smcrfs.exe
File created	C:\Windows\SysWOW64\wxijxg.exe	ckdowa.exe
File opened for modification	C:\Windows\SysWOW64\qlawwg.exe	twtwvh.exe
File created	C:\Windows\SysWOW64\ffvkky.exe	ipwkjz.exe
File created	C:\Windows\SysWOW64\gisqxv.exe	mcjvuf.exe
File created	C:\Windows\SysWOW64\ffhiel.exe	iiailm.exe
File created	C:\Windows\SysWOW64\yemxfk.exe	ypornb.exe
File opened for modification	C:\Windows\SysWOW64\jeisol.exe	mdqfsa.exe
File created	C:\Windows\SysWOW64\zurevk.exe	zimehg.exe
File opened for modification	C:\Windows\SysWOW64\obwxdc.exe	rdpwkd.exe
File opened for modification	C:\Windows\SysWOW64\plccct.exe	pwewll.exe
File opened for modification	C:\Windows\SysWOW64\seysvq.exe	vsdfxn.exe
File opened for modification	C:\Windows\SysWOW64\iupzif.exe	olorkd.exe
File opened for modification	C:\Windows\SysWOW64\fghpdy.exe	frjklh.exe
File created	C:\Windows\SysWOW64\cvvmyd.exe	fqaurw.exe
File created	C:\Windows\SysWOW64\bvbmhy.exe	exumor.exe
File opened for modification	C:\Windows\SysWOW64\spnbdo.exe	zcagci.exe
File created	C:\Windows\SysWOW64\vaprnz.exe	zyxejo.exe
File created	C:\Windows\SysWOW64\obwxdc.exe	rdpwkd.exe
File opened for modification	C:\Windows\SysWOW64\syqyqe.exe	vtmyko.exe
File created	C:\Windows\SysWOW64\ckdowa.exe	drcwun.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exejvzyiv.exebynbkf.exevipiih.exepoflke.exekfzoit.exeeslbiz.exezjfefo.exewdprja.exeqjgmep.exehbqwlq.exefnmjkk.exewfxmrd.exeqenpma.exenbmpnh.exekcecjt.exehoaphn.exeetvpgd.exeeeihuh.exeygjpaj.exeveiptq.exesimhzx.exesuyaoj.exelhdvwi.exedkpnlu.exexyuits.exeuvbimz.exeukqndh.exerpunkx.exerejtbf.exeqthqsv.exekgmlbu.exeknjqsk.exehoudwn.exeeixqmq.exeysryss.exeyzoeja.exesmtyrg.exepgplij.exejefokg.exegfpbgk.exedhhgkv.exeaisugy.exeugiwjw.exerdpwkd.exeobwxdc.exelcgkzn.exedvpuba.execkezsq.exewlghxk.exeujnhqr.exeqkxuuc.exeqcgnop.exekboijm.exekmaagq.exeeznvgx.exeyxvqju.exevvcqkt.exestjqda.exeputdzl.exepmcvby.exemcjvuf.exegisqxv.exeastycw.exe

description	pid	process	target process
PID 2004 set thread context of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2884 set thread context of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2580 set thread context of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2748 set thread context of 2484	2748	vipiih.exe	vipiih.exe
PID 2732 set thread context of 2176	2732	poflke.exe	poflke.exe
PID 2184 set thread context of 812	2184	kfzoit.exe	kfzoit.exe
PID 1896 set thread context of 1608	1896	eslbiz.exe	eslbiz.exe
PID 1552 set thread context of 2076	1552	zjfefo.exe	zjfefo.exe
PID 2132 set thread context of 1228	2132	wdprja.exe	wdprja.exe
PID 1636 set thread context of 1984	1636	qjgmep.exe	qjgmep.exe
PID 2396 set thread context of 1236	2396	hbqwlq.exe	hbqwlq.exe
PID 780 set thread context of 2932	780	fnmjkk.exe	fnmjkk.exe
PID 2300 set thread context of 1016	2300	wfxmrd.exe	wfxmrd.exe
PID 2980 set thread context of 2012	2980	qenpma.exe	qenpma.exe
PID 2004 set thread context of 1448	2004	nbmpnh.exe	nbmpnh.exe
PID 2256 set thread context of 2940	2256	kcecjt.exe	kcecjt.exe
PID 3068 set thread context of 2620	3068	hoaphn.exe	hoaphn.exe
PID 2316 set thread context of 2548	2316	etvpgd.exe	etvpgd.exe
PID 2552 set thread context of 2508	2552	eeihuh.exe	eeihuh.exe
PID 1652 set thread context of 2204	1652	ygjpaj.exe	ygjpaj.exe
PID 1780 set thread context of 328	1780	veiptq.exe	veiptq.exe
PID 1716 set thread context of 1668	1716	simhzx.exe	simhzx.exe
PID 2244 set thread context of 628	2244	suyaoj.exe	suyaoj.exe
PID 1828 set thread context of 2236	1828	lhdvwi.exe	lhdvwi.exe
PID 2528 set thread context of 588	2528	dkpnlu.exe	dkpnlu.exe
PID 1308 set thread context of 1860	1308	xyuits.exe	xyuits.exe
PID 2276 set thread context of 940	2276	uvbimz.exe	uvbimz.exe
PID 972 set thread context of 1772	972	ukqndh.exe	ukqndh.exe
PID 900 set thread context of 2944	900	rpunkx.exe	rpunkx.exe
PID 2300 set thread context of 876	2300	rejtbf.exe	rejtbf.exe
PID 1680 set thread context of 1700	1680	qthqsv.exe	qthqsv.exe
PID 2312 set thread context of 2268	2312	kgmlbu.exe	kgmlbu.exe
PID 2540 set thread context of 2656	2540	knjqsk.exe	knjqsk.exe
PID 2940 set thread context of 2724	2940	houdwn.exe	houdwn.exe
PID 2620 set thread context of 2916	2620	eixqmq.exe	eixqmq.exe
PID 2968 set thread context of 2388	2968	ysryss.exe	ysryss.exe
PID 2188 set thread context of 2864	2188	yzoeja.exe	yzoeja.exe
PID 2156 set thread context of 1640	2156	smtyrg.exe	smtyrg.exe
PID 328 set thread context of 2948	328	pgplij.exe	pgplij.exe
PID 1668 set thread context of 2060	1668	jefokg.exe	jefokg.exe
PID 1184 set thread context of 476	1184	gfpbgk.exe	gfpbgk.exe
PID 2236 set thread context of 3056	2236	dhhgkv.exe	dhhgkv.exe
PID 588 set thread context of 888	588	aisugy.exe	aisugy.exe
PID 688 set thread context of 1544	688	ugiwjw.exe	ugiwjw.exe
PID 1776 set thread context of 1768	1776	rdpwkd.exe	rdpwkd.exe
PID 2080 set thread context of 1804	2080	obwxdc.exe	obwxdc.exe
PID 832 set thread context of 2008	832	lcgkzn.exe	lcgkzn.exe
PID 1696 set thread context of 2148	1696	dvpuba.exe	dvpuba.exe
PID 2764 set thread context of 2900	2764	ckezsq.exe	ckezsq.exe
PID 2920 set thread context of 2564	2920	wlghxk.exe	wlghxk.exe
PID 1156 set thread context of 2940	1156	ujnhqr.exe	ujnhqr.exe
PID 2436 set thread context of 2620	2436	qkxuuc.exe	qkxuuc.exe
PID 2852 set thread context of 1676	2852	qcgnop.exe	qcgnop.exe
PID 1824 set thread context of 1572	1824	kboijm.exe	kboijm.exe
PID 1564 set thread context of 1728	1564	kmaagq.exe	kmaagq.exe
PID 2836 set thread context of 2244	2836	eznvgx.exe	eznvgx.exe
PID 1740 set thread context of 2272	1740	yxvqju.exe	yxvqju.exe
PID 628 set thread context of 2528	628	vvcqkt.exe	vvcqkt.exe
PID 1632 set thread context of 2036	1632	stjqda.exe	stjqda.exe
PID 1888 set thread context of 2000	1888	putdzl.exe	putdzl.exe
PID 1952 set thread context of 1868	1952	pmcvby.exe	pmcvby.exe
PID 1748 set thread context of 2120	1748	mcjvuf.exe	mcjvuf.exe
PID 2924 set thread context of 2056	2924	gisqxv.exe	gisqxv.exe
PID 968 set thread context of 2772	968	astycw.exe	astycw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
2884	jvzyiv.exe
2580	bynbkf.exe
2748	vipiih.exe
2732	poflke.exe
2184	kfzoit.exe
1896	eslbiz.exe
1552	zjfefo.exe
2132	wdprja.exe
1636	qjgmep.exe
2396	hbqwlq.exe
780	fnmjkk.exe
2300	wfxmrd.exe
2980	qenpma.exe
2004	nbmpnh.exe
2256	kcecjt.exe
3068	hoaphn.exe
2316	etvpgd.exe
2552	eeihuh.exe
1652	ygjpaj.exe
1780	veiptq.exe
1716	simhzx.exe
2244	suyaoj.exe
1828	lhdvwi.exe
2528	dkpnlu.exe
1308	xyuits.exe
2276	uvbimz.exe
972	ukqndh.exe
900	rpunkx.exe
2300	rejtbf.exe
1680	qthqsv.exe
2312	kgmlbu.exe
2540	knjqsk.exe
2940	houdwn.exe
2620	eixqmq.exe
2968	ysryss.exe
2188	yzoeja.exe
2156	smtyrg.exe
328	pgplij.exe
1668	jefokg.exe
1184	gfpbgk.exe
2236	dhhgkv.exe
588	aisugy.exe
688	ugiwjw.exe
1776	rdpwkd.exe
2080	obwxdc.exe
832	lcgkzn.exe
1696	dvpuba.exe
2764	ckezsq.exe
2920	wlghxk.exe
1156	ujnhqr.exe
2436	qkxuuc.exe
2852	qcgnop.exe
1824	kboijm.exe
1564	kmaagq.exe
2836	eznvgx.exe
1740	yxvqju.exe
628	vvcqkt.exe
1632	stjqda.exe
1888	putdzl.exe
1952	pmcvby.exe
1748	mcjvuf.exe
2924	gisqxv.exe
968	astycw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exef38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exejvzyiv.exejvzyiv.exebynbkf.exebynbkf.exevipiih.exevipiih.exepoflke.exepoflke.exekfzoit.exekfzoit.exeeslbiz.exe

description	pid	process	target process
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 2004 wrote to memory of 3024	2004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
PID 3024 wrote to memory of 2884	3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	jvzyiv.exe
PID 3024 wrote to memory of 2884	3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	jvzyiv.exe
PID 3024 wrote to memory of 2884	3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	jvzyiv.exe
PID 3024 wrote to memory of 2884	3024	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2884 wrote to memory of 2860	2884	jvzyiv.exe	jvzyiv.exe
PID 2860 wrote to memory of 2580	2860	jvzyiv.exe	bynbkf.exe
PID 2860 wrote to memory of 2580	2860	jvzyiv.exe	bynbkf.exe
PID 2860 wrote to memory of 2580	2860	jvzyiv.exe	bynbkf.exe
PID 2860 wrote to memory of 2580	2860	jvzyiv.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2580 wrote to memory of 2780	2580	bynbkf.exe	bynbkf.exe
PID 2780 wrote to memory of 2748	2780	bynbkf.exe	vipiih.exe
PID 2780 wrote to memory of 2748	2780	bynbkf.exe	vipiih.exe
PID 2780 wrote to memory of 2748	2780	bynbkf.exe	vipiih.exe
PID 2780 wrote to memory of 2748	2780	bynbkf.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2748 wrote to memory of 2484	2748	vipiih.exe	vipiih.exe
PID 2484 wrote to memory of 2732	2484	vipiih.exe	poflke.exe
PID 2484 wrote to memory of 2732	2484	vipiih.exe	poflke.exe
PID 2484 wrote to memory of 2732	2484	vipiih.exe	poflke.exe
PID 2484 wrote to memory of 2732	2484	vipiih.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2732 wrote to memory of 2176	2732	poflke.exe	poflke.exe
PID 2176 wrote to memory of 2184	2176	poflke.exe	kfzoit.exe
PID 2176 wrote to memory of 2184	2176	poflke.exe	kfzoit.exe
PID 2176 wrote to memory of 2184	2176	poflke.exe	kfzoit.exe
PID 2176 wrote to memory of 2184	2176	poflke.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 2184 wrote to memory of 812	2184	kfzoit.exe	kfzoit.exe
PID 812 wrote to memory of 1896	812	kfzoit.exe	eslbiz.exe
PID 812 wrote to memory of 1896	812	kfzoit.exe	eslbiz.exe
PID 812 wrote to memory of 1896	812	kfzoit.exe	eslbiz.exe
PID 812 wrote to memory of 1896	812	kfzoit.exe	eslbiz.exe
PID 1896 wrote to memory of 1608	1896	eslbiz.exe	eslbiz.exe
PID 1896 wrote to memory of 1608	1896	eslbiz.exe	eslbiz.exe
PID 1896 wrote to memory of 1608	1896	eslbiz.exe	eslbiz.exe
PID 1896 wrote to memory of 1608	1896	eslbiz.exe	eslbiz.exe

C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\jvzyiv.exe
C:\Windows\system32\jvzyiv.exe 484 "C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\jvzyiv.exe
484 C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\bynbkf.exe
C:\Windows\system32\bynbkf.exe 444 "C:\Windows\SysWOW64\jvzyiv.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\bynbkf.exe
444 C:\Windows\SysWOW64\jvzyiv.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\vipiih.exe
C:\Windows\system32\vipiih.exe 444 "C:\Windows\SysWOW64\bynbkf.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\vipiih.exe
444 C:\Windows\SysWOW64\bynbkf.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\poflke.exe
C:\Windows\system32\poflke.exe 444 "C:\Windows\SysWOW64\vipiih.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\poflke.exe
444 C:\Windows\SysWOW64\vipiih.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\kfzoit.exe
C:\Windows\system32\kfzoit.exe 444 "C:\Windows\SysWOW64\poflke.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\kfzoit.exe
444 C:\Windows\SysWOW64\poflke.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\eslbiz.exe
C:\Windows\system32\eslbiz.exe 444 "C:\Windows\SysWOW64\kfzoit.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\eslbiz.exe
444 C:\Windows\SysWOW64\kfzoit.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608

C:\Windows\SysWOW64\zjfefo.exe
C:\Windows\system32\zjfefo.exe 444 "C:\Windows\SysWOW64\eslbiz.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\SysWOW64\zjfefo.exe
444 C:\Windows\SysWOW64\eslbiz.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076

C:\Windows\SysWOW64\wdprja.exe
C:\Windows\system32\wdprja.exe 472 "C:\Windows\SysWOW64\zjfefo.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\SysWOW64\wdprja.exe
472 C:\Windows\SysWOW64\zjfefo.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228

C:\Windows\SysWOW64\qjgmep.exe
C:\Windows\system32\qjgmep.exe 444 "C:\Windows\SysWOW64\wdprja.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\SysWOW64\qjgmep.exe
444 C:\Windows\SysWOW64\wdprja.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984

C:\Windows\SysWOW64\hbqwlq.exe
C:\Windows\system32\hbqwlq.exe 444 "C:\Windows\SysWOW64\qjgmep.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\SysWOW64\hbqwlq.exe
444 C:\Windows\SysWOW64\qjgmep.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236

C:\Windows\SysWOW64\fnmjkk.exe
C:\Windows\system32\fnmjkk.exe 444 "C:\Windows\SysWOW64\hbqwlq.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Windows\SysWOW64\fnmjkk.exe
444 C:\Windows\SysWOW64\hbqwlq.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2932

C:\Windows\SysWOW64\wfxmrd.exe
C:\Windows\system32\wfxmrd.exe 444 "C:\Windows\SysWOW64\fnmjkk.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\wfxmrd.exe
444 C:\Windows\SysWOW64\fnmjkk.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016

C:\Windows\SysWOW64\qenpma.exe
C:\Windows\system32\qenpma.exe 444 "C:\Windows\SysWOW64\wfxmrd.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\SysWOW64\qenpma.exe
444 C:\Windows\SysWOW64\wfxmrd.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012

C:\Windows\SysWOW64\nbmpnh.exe
C:\Windows\system32\nbmpnh.exe 448 "C:\Windows\SysWOW64\qenpma.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Windows\SysWOW64\nbmpnh.exe
448 C:\Windows\SysWOW64\qenpma.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448

C:\Windows\SysWOW64\kcecjt.exe
C:\Windows\system32\kcecjt.exe 456 "C:\Windows\SysWOW64\nbmpnh.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\SysWOW64\kcecjt.exe
456 C:\Windows\SysWOW64\nbmpnh.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940

C:\Windows\SysWOW64\hoaphn.exe
C:\Windows\system32\hoaphn.exe 456 "C:\Windows\SysWOW64\kcecjt.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\SysWOW64\hoaphn.exe
456 C:\Windows\SysWOW64\kcecjt.exe
34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620

C:\Windows\SysWOW64\etvpgd.exe
C:\Windows\system32\etvpgd.exe 496 "C:\Windows\SysWOW64\hoaphn.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\etvpgd.exe
496 C:\Windows\SysWOW64\hoaphn.exe
36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548

C:\Windows\SysWOW64\eeihuh.exe
C:\Windows\system32\eeihuh.exe 444 "C:\Windows\SysWOW64\etvpgd.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\SysWOW64\eeihuh.exe
444 C:\Windows\SysWOW64\etvpgd.exe
38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508

C:\Windows\SysWOW64\ygjpaj.exe
C:\Windows\system32\ygjpaj.exe 444 "C:\Windows\SysWOW64\eeihuh.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\ygjpaj.exe
444 C:\Windows\SysWOW64\eeihuh.exe
40⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204

C:\Windows\SysWOW64\veiptq.exe
C:\Windows\system32\veiptq.exe 448 "C:\Windows\SysWOW64\ygjpaj.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Windows\SysWOW64\veiptq.exe
448 C:\Windows\SysWOW64\ygjpaj.exe
42⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328

C:\Windows\SysWOW64\simhzx.exe
C:\Windows\system32\simhzx.exe 448 "C:\Windows\SysWOW64\veiptq.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\SysWOW64\simhzx.exe
448 C:\Windows\SysWOW64\veiptq.exe
44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668

C:\Windows\SysWOW64\suyaoj.exe
C:\Windows\system32\suyaoj.exe 452 "C:\Windows\SysWOW64\simhzx.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\SysWOW64\suyaoj.exe
452 C:\Windows\SysWOW64\simhzx.exe
46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628

C:\Windows\SysWOW64\lhdvwi.exe
C:\Windows\system32\lhdvwi.exe 448 "C:\Windows\SysWOW64\suyaoj.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\SysWOW64\lhdvwi.exe
448 C:\Windows\SysWOW64\suyaoj.exe
48⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236

C:\Windows\SysWOW64\dkpnlu.exe
C:\Windows\system32\dkpnlu.exe 448 "C:\Windows\SysWOW64\lhdvwi.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Windows\SysWOW64\dkpnlu.exe
448 C:\Windows\SysWOW64\lhdvwi.exe
50⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588

C:\Windows\SysWOW64\xyuits.exe
C:\Windows\system32\xyuits.exe 496 "C:\Windows\SysWOW64\dkpnlu.exe"
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\SysWOW64\xyuits.exe
496 C:\Windows\SysWOW64\dkpnlu.exe
52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860

C:\Windows\SysWOW64\uvbimz.exe
C:\Windows\system32\uvbimz.exe 444 "C:\Windows\SysWOW64\xyuits.exe"
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Windows\SysWOW64\uvbimz.exe
444 C:\Windows\SysWOW64\xyuits.exe
54⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940

C:\Windows\SysWOW64\ukqndh.exe
C:\Windows\system32\ukqndh.exe 464 "C:\Windows\SysWOW64\uvbimz.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\SysWOW64\ukqndh.exe
464 C:\Windows\SysWOW64\uvbimz.exe
56⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Windows\SysWOW64\rpunkx.exe
C:\Windows\system32\rpunkx.exe 444 "C:\Windows\SysWOW64\ukqndh.exe"
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\rpunkx.exe
444 C:\Windows\SysWOW64\ukqndh.exe
58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944

C:\Windows\SysWOW64\rejtbf.exe
C:\Windows\system32\rejtbf.exe 444 "C:\Windows\SysWOW64\rpunkx.exe"
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\rejtbf.exe
444 C:\Windows\SysWOW64\rpunkx.exe
60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876

C:\Windows\SysWOW64\qthqsv.exe
C:\Windows\system32\qthqsv.exe 452 "C:\Windows\SysWOW64\rejtbf.exe"
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\SysWOW64\qthqsv.exe
452 C:\Windows\SysWOW64\rejtbf.exe
62⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700

C:\Windows\SysWOW64\kgmlbu.exe
C:\Windows\system32\kgmlbu.exe 444 "C:\Windows\SysWOW64\qthqsv.exe"
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\SysWOW64\kgmlbu.exe
444 C:\Windows\SysWOW64\qthqsv.exe
64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268

C:\Windows\SysWOW64\knjqsk.exe
C:\Windows\system32\knjqsk.exe 444 "C:\Windows\SysWOW64\kgmlbu.exe"
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Windows\SysWOW64\knjqsk.exe
444 C:\Windows\SysWOW64\kgmlbu.exe
66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\houdwn.exe
C:\Windows\system32\houdwn.exe 448 "C:\Windows\SysWOW64\knjqsk.exe"
67⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\SysWOW64\houdwn.exe
448 C:\Windows\SysWOW64\knjqsk.exe
68⤵
- Drops file in System32 directory
PID:2724

C:\Windows\SysWOW64\eixqmq.exe
C:\Windows\system32\eixqmq.exe 444 "C:\Windows\SysWOW64\houdwn.exe"
69⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Windows\SysWOW64\eixqmq.exe
444 C:\Windows\SysWOW64\houdwn.exe
70⤵
PID:2916

C:\Windows\SysWOW64\ysryss.exe
C:\Windows\system32\ysryss.exe 448 "C:\Windows\SysWOW64\eixqmq.exe"
71⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\SysWOW64\ysryss.exe
448 C:\Windows\SysWOW64\eixqmq.exe
72⤵
PID:2388

C:\Windows\SysWOW64\yzoeja.exe
C:\Windows\system32\yzoeja.exe 444 "C:\Windows\SysWOW64\ysryss.exe"
73⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\SysWOW64\yzoeja.exe
444 C:\Windows\SysWOW64\ysryss.exe
74⤵
- Drops file in System32 directory
PID:2864

C:\Windows\SysWOW64\smtyrg.exe
C:\Windows\system32\smtyrg.exe 492 "C:\Windows\SysWOW64\yzoeja.exe"
75⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Windows\SysWOW64\smtyrg.exe
492 C:\Windows\SysWOW64\yzoeja.exe
76⤵
PID:1640

C:\Windows\SysWOW64\pgplij.exe
C:\Windows\system32\pgplij.exe 460 "C:\Windows\SysWOW64\smtyrg.exe"
77⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:328

C:\Windows\SysWOW64\pgplij.exe
460 C:\Windows\SysWOW64\smtyrg.exe
78⤵
PID:2948

C:\Windows\SysWOW64\jefokg.exe
C:\Windows\system32\jefokg.exe 472 "C:\Windows\SysWOW64\pgplij.exe"
79⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\SysWOW64\jefokg.exe
472 C:\Windows\SysWOW64\pgplij.exe
80⤵
PID:2060

C:\Windows\SysWOW64\gfpbgk.exe
C:\Windows\system32\gfpbgk.exe 452 "C:\Windows\SysWOW64\jefokg.exe"
81⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\SysWOW64\gfpbgk.exe
452 C:\Windows\SysWOW64\jefokg.exe
82⤵
PID:476

C:\Windows\SysWOW64\dhhgkv.exe
C:\Windows\system32\dhhgkv.exe 456 "C:\Windows\SysWOW64\gfpbgk.exe"
83⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\SysWOW64\dhhgkv.exe
456 C:\Windows\SysWOW64\gfpbgk.exe
84⤵
PID:3056

C:\Windows\SysWOW64\aisugy.exe
C:\Windows\system32\aisugy.exe 444 "C:\Windows\SysWOW64\dhhgkv.exe"
85⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\SysWOW64\aisugy.exe
444 C:\Windows\SysWOW64\dhhgkv.exe
86⤵
PID:888

C:\Windows\SysWOW64\ugiwjw.exe
C:\Windows\system32\ugiwjw.exe 448 "C:\Windows\SysWOW64\aisugy.exe"
87⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\SysWOW64\ugiwjw.exe
448 C:\Windows\SysWOW64\aisugy.exe
88⤵
PID:1544

C:\Windows\SysWOW64\rdpwkd.exe
C:\Windows\system32\rdpwkd.exe 472 "C:\Windows\SysWOW64\ugiwjw.exe"
89⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\rdpwkd.exe
472 C:\Windows\SysWOW64\ugiwjw.exe
90⤵
- Drops file in System32 directory
PID:1768

C:\Windows\SysWOW64\obwxdc.exe
C:\Windows\system32\obwxdc.exe 460 "C:\Windows\SysWOW64\rdpwkd.exe"
91⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\SysWOW64\obwxdc.exe
460 C:\Windows\SysWOW64\rdpwkd.exe
92⤵
PID:1804

C:\Windows\SysWOW64\lcgkzn.exe
C:\Windows\system32\lcgkzn.exe 456 "C:\Windows\SysWOW64\obwxdc.exe"
93⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Windows\SysWOW64\lcgkzn.exe
456 C:\Windows\SysWOW64\obwxdc.exe
94⤵
- Drops file in System32 directory
PID:2008

C:\Windows\SysWOW64\dvpuba.exe
C:\Windows\system32\dvpuba.exe 452 "C:\Windows\SysWOW64\lcgkzn.exe"
95⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\dvpuba.exe
452 C:\Windows\SysWOW64\lcgkzn.exe
96⤵
PID:2148

C:\Windows\SysWOW64\ckezsq.exe
C:\Windows\system32\ckezsq.exe 444 "C:\Windows\SysWOW64\dvpuba.exe"
97⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\SysWOW64\ckezsq.exe
444 C:\Windows\SysWOW64\dvpuba.exe
98⤵
PID:2900

C:\Windows\SysWOW64\wlghxk.exe
C:\Windows\system32\wlghxk.exe 456 "C:\Windows\SysWOW64\ckezsq.exe"
99⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\SysWOW64\wlghxk.exe
456 C:\Windows\SysWOW64\ckezsq.exe
100⤵
PID:2564

C:\Windows\SysWOW64\ujnhqr.exe
C:\Windows\system32\ujnhqr.exe 456 "C:\Windows\SysWOW64\wlghxk.exe"
101⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Windows\SysWOW64\ujnhqr.exe
456 C:\Windows\SysWOW64\wlghxk.exe
102⤵
PID:2940

C:\Windows\SysWOW64\qkxuuc.exe
C:\Windows\system32\qkxuuc.exe 452 "C:\Windows\SysWOW64\ujnhqr.exe"
103⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\SysWOW64\qkxuuc.exe
452 C:\Windows\SysWOW64\ujnhqr.exe
104⤵
PID:2620

C:\Windows\SysWOW64\qcgnop.exe
C:\Windows\system32\qcgnop.exe 460 "C:\Windows\SysWOW64\qkxuuc.exe"
105⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\qcgnop.exe
460 C:\Windows\SysWOW64\qkxuuc.exe
106⤵
PID:1676

C:\Windows\SysWOW64\kboijm.exe
C:\Windows\system32\kboijm.exe 456 "C:\Windows\SysWOW64\qcgnop.exe"
107⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\kboijm.exe
456 C:\Windows\SysWOW64\qcgnop.exe
108⤵
PID:1572

C:\Windows\SysWOW64\kmaagq.exe
C:\Windows\system32\kmaagq.exe 444 "C:\Windows\SysWOW64\kboijm.exe"
109⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\kmaagq.exe
444 C:\Windows\SysWOW64\kboijm.exe
110⤵
PID:1728

C:\Windows\SysWOW64\eznvgx.exe
C:\Windows\system32\eznvgx.exe 444 "C:\Windows\SysWOW64\kmaagq.exe"
111⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\SysWOW64\eznvgx.exe
444 C:\Windows\SysWOW64\kmaagq.exe
112⤵
- Drops file in System32 directory
PID:2244

C:\Windows\SysWOW64\yxvqju.exe
C:\Windows\system32\yxvqju.exe 444 "C:\Windows\SysWOW64\eznvgx.exe"
113⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Windows\SysWOW64\yxvqju.exe
444 C:\Windows\SysWOW64\eznvgx.exe
114⤵
PID:2272

C:\Windows\SysWOW64\vvcqkt.exe
C:\Windows\system32\vvcqkt.exe 456 "C:\Windows\SysWOW64\yxvqju.exe"
115⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\SysWOW64\vvcqkt.exe
456 C:\Windows\SysWOW64\yxvqju.exe
116⤵
PID:2528

C:\Windows\SysWOW64\stjqda.exe
C:\Windows\system32\stjqda.exe 472 "C:\Windows\SysWOW64\vvcqkt.exe"
117⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\SysWOW64\stjqda.exe
472 C:\Windows\SysWOW64\vvcqkt.exe
118⤵
PID:2036

C:\Windows\SysWOW64\putdzl.exe
C:\Windows\system32\putdzl.exe 456 "C:\Windows\SysWOW64\stjqda.exe"
119⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\SysWOW64\putdzl.exe
456 C:\Windows\SysWOW64\stjqda.exe
120⤵
PID:2000

C:\Windows\SysWOW64\pmcvby.exe
C:\Windows\system32\pmcvby.exe 472 "C:\Windows\SysWOW64\putdzl.exe"
121⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\SysWOW64\pmcvby.exe
472 C:\Windows\SysWOW64\putdzl.exe
122⤵
PID:1868

C:\Windows\SysWOW64\mcjvuf.exe
C:\Windows\system32\mcjvuf.exe 440 "C:\Windows\SysWOW64\pmcvby.exe"
123⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\SysWOW64\mcjvuf.exe
440 C:\Windows\SysWOW64\pmcvby.exe
124⤵
- Drops file in System32 directory
PID:2120

C:\Windows\SysWOW64\gisqxv.exe
C:\Windows\system32\gisqxv.exe 472 "C:\Windows\SysWOW64\mcjvuf.exe"
125⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\SysWOW64\gisqxv.exe
472 C:\Windows\SysWOW64\mcjvuf.exe
126⤵
PID:2056

C:\Windows\SysWOW64\astycw.exe
C:\Windows\system32\astycw.exe 444 "C:\Windows\SysWOW64\gisqxv.exe"
127⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\astycw.exe
444 C:\Windows\SysWOW64\gisqxv.exe
128⤵
PID:2772

C:\Windows\SysWOW64\avfqrj.exe
C:\Windows\system32\avfqrj.exe 452 "C:\Windows\SysWOW64\astycw.exe"
129⤵
PID:2040

C:\Windows\SysWOW64\avfqrj.exe
452 C:\Windows\SysWOW64\astycw.exe
130⤵
PID:1964

C:\Windows\SysWOW64\uiklrh.exe
C:\Windows\system32\uiklrh.exe 444 "C:\Windows\SysWOW64\avfqrj.exe"
131⤵
PID:2524

C:\Windows\SysWOW64\uiklrh.exe
444 C:\Windows\SysWOW64\avfqrj.exe
132⤵
PID:2644

C:\Windows\SysWOW64\uuwent.exe
C:\Windows\system32\uuwent.exe 456 "C:\Windows\SysWOW64\uiklrh.exe"
133⤵
PID:3068

C:\Windows\SysWOW64\uuwent.exe
456 C:\Windows\SysWOW64\uiklrh.exe
134⤵
PID:2672

C:\Windows\SysWOW64\rvprjw.exe
C:\Windows\system32\rvprjw.exe 440 "C:\Windows\SysWOW64\uuwent.exe"
135⤵
PID:2316

C:\Windows\SysWOW64\rvprjw.exe
440 C:\Windows\SysWOW64\uuwent.exe
136⤵
PID:2476

C:\Windows\SysWOW64\olorkd.exe
C:\Windows\system32\olorkd.exe 444 "C:\Windows\SysWOW64\rvprjw.exe"
137⤵
PID:2504

C:\Windows\SysWOW64\olorkd.exe
444 C:\Windows\SysWOW64\rvprjw.exe
138⤵
- Drops file in System32 directory
PID:944

C:\Windows\SysWOW64\iupzif.exe
C:\Windows\system32\iupzif.exe 472 "C:\Windows\SysWOW64\olorkd.exe"
139⤵
PID:2620

C:\Windows\SysWOW64\iupzif.exe
472 C:\Windows\SysWOW64\olorkd.exe
140⤵
PID:2192

C:\Windows\SysWOW64\xvhmmi.exe
C:\Windows\system32\xvhmmi.exe 456 "C:\Windows\SysWOW64\iupzif.exe"
141⤵
PID:2180

C:\Windows\SysWOW64\xvhmmi.exe
456 C:\Windows\SysWOW64\iupzif.exe
142⤵
PID:2404

C:\Windows\SysWOW64\xkxrdy.exe
C:\Windows\system32\xkxrdy.exe 452 "C:\Windows\SysWOW64\xvhmmi.exe"
143⤵
PID:2864

C:\Windows\SysWOW64\xkxrdy.exe
452 C:\Windows\SysWOW64\xvhmmi.exe
144⤵
PID:2160

C:\Windows\SysWOW64\tpsrcg.exe
C:\Windows\system32\tpsrcg.exe 448 "C:\Windows\SysWOW64\xkxrdy.exe"
145⤵
PID:2532

C:\Windows\SysWOW64\tpsrcg.exe
448 C:\Windows\SysWOW64\xkxrdy.exe
146⤵
PID:2228

C:\Windows\SysWOW64\thbbeb.exe
C:\Windows\system32\thbbeb.exe 452 "C:\Windows\SysWOW64\tpsrcg.exe"
147⤵
PID:2420

C:\Windows\SysWOW64\thbbeb.exe
452 C:\Windows\SysWOW64\tpsrcg.exe
148⤵
PID:572

C:\Windows\SysWOW64\ttousf.exe
C:\Windows\system32\ttousf.exe 448 "C:\Windows\SysWOW64\thbbeb.exe"
149⤵
PID:2076

C:\Windows\SysWOW64\ttousf.exe
448 C:\Windows\SysWOW64\thbbeb.exe
150⤵
PID:2236

C:\Windows\SysWOW64\ngspal.exe
C:\Windows\system32\ngspal.exe 456 "C:\Windows\SysWOW64\ttousf.exe"
151⤵
PID:1988

C:\Windows\SysWOW64\ngspal.exe
456 C:\Windows\SysWOW64\ttousf.exe
152⤵
PID:1760

C:\Windows\SysWOW64\nkfhpp.exe
C:\Windows\system32\nkfhpp.exe 456 "C:\Windows\SysWOW64\ngspal.exe"
153⤵
PID:444

C:\Windows\SysWOW64\nkfhpp.exe
456 C:\Windows\SysWOW64\ngspal.exe
154⤵
PID:1900

C:\Windows\SysWOW64\klpula.exe
C:\Windows\system32\klpula.exe 452 "C:\Windows\SysWOW64\nkfhpp.exe"
155⤵
PID:1836

C:\Windows\SysWOW64\klpula.exe
452 C:\Windows\SysWOW64\nkfhpp.exe
156⤵
PID:1460

C:\Windows\SysWOW64\hiwumz.exe
C:\Windows\system32\hiwumz.exe 468 "C:\Windows\SysWOW64\klpula.exe"
157⤵
PID:2352

C:\Windows\SysWOW64\hiwumz.exe
468 C:\Windows\SysWOW64\klpula.exe
158⤵
- Drops file in System32 directory
PID:2896

C:\Windows\SysWOW64\avjpmf.exe
C:\Windows\system32\avjpmf.exe 452 "C:\Windows\SysWOW64\hiwumz.exe"
159⤵
PID:2932

C:\Windows\SysWOW64\avjpmf.exe
452 C:\Windows\SysWOW64\hiwumz.exe
160⤵
PID:1560

C:\Windows\SysWOW64\aojhos.exe
C:\Windows\system32\aojhos.exe 444 "C:\Windows\SysWOW64\avjpmf.exe"
161⤵
PID:1060

C:\Windows\SysWOW64\aojhos.exe
444 C:\Windows\SysWOW64\avjpmf.exe
162⤵
PID:3000

C:\Windows\SysWOW64\xeqhhz.exe
C:\Windows\system32\xeqhhz.exe 448 "C:\Windows\SysWOW64\aojhos.exe"
163⤵
PID:2708

C:\Windows\SysWOW64\xeqhhz.exe
448 C:\Windows\SysWOW64\aojhos.exe
164⤵
PID:2312

C:\Windows\SysWOW64\ufbnlk.exe
C:\Windows\system32\ufbnlk.exe 472 "C:\Windows\SysWOW64\xeqhhz.exe"
165⤵
PID:1196

C:\Windows\SysWOW64\ufbnlk.exe
472 C:\Windows\SysWOW64\xeqhhz.exe
166⤵
PID:1276

C:\Windows\SysWOW64\rchvej.exe
C:\Windows\system32\rchvej.exe 448 "C:\Windows\SysWOW64\ufbnlk.exe"
167⤵
PID:2576

C:\Windows\SysWOW64\rchvej.exe
448 C:\Windows\SysWOW64\ufbnlk.exe
168⤵
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\oaovxq.exe
C:\Windows\system32\oaovxq.exe 452 "C:\Windows\SysWOW64\rchvej.exe"
169⤵
PID:2564

C:\Windows\SysWOW64\oaovxq.exe
452 C:\Windows\SysWOW64\rchvej.exe
170⤵
PID:2448

C:\Windows\SysWOW64\ospfzd.exe
C:\Windows\system32\ospfzd.exe 444 "C:\Windows\SysWOW64\oaovxq.exe"
171⤵
PID:2484

C:\Windows\SysWOW64\ospfzd.exe
444 C:\Windows\SysWOW64\oaovxq.exe
172⤵
PID:1596

C:\Windows\SysWOW64\kthsvo.exe
C:\Windows\system32\kthsvo.exe 444 "C:\Windows\SysWOW64\ospfzd.exe"
173⤵
PID:2320

C:\Windows\SysWOW64\kthsvo.exe
444 C:\Windows\SysWOW64\ospfzd.exe
174⤵
- Drops file in System32 directory
PID:2208

C:\Windows\SysWOW64\husfzr.exe
C:\Windows\system32\husfzr.exe 472 "C:\Windows\SysWOW64\kthsvo.exe"
175⤵
PID:1672

C:\Windows\SysWOW64\husfzr.exe
472 C:\Windows\SysWOW64\kthsvo.exe
176⤵
PID:1076

C:\Windows\SysWOW64\hntyte.exe
C:\Windows\system32\hntyte.exe 456 "C:\Windows\SysWOW64\husfzr.exe"
177⤵
PID:1796

C:\Windows\SysWOW64\hntyte.exe
456 C:\Windows\SysWOW64\husfzr.exe
178⤵
PID:2172

C:\Windows\SysWOW64\edzyml.exe
C:\Windows\system32\edzyml.exe 452 "C:\Windows\SysWOW64\hntyte.exe"
179⤵
PID:1668

C:\Windows\SysWOW64\edzyml.exe
452 C:\Windows\SysWOW64\hntyte.exe
180⤵
PID:2264

C:\Windows\SysWOW64\esxvlt.exe
C:\Windows\system32\esxvlt.exe 456 "C:\Windows\SysWOW64\edzyml.exe"
181⤵
PID:2240

C:\Windows\SysWOW64\esxvlt.exe
456 C:\Windows\SysWOW64\edzyml.exe
182⤵
PID:2244

C:\Windows\SysWOW64\athihf.exe
C:\Windows\system32\athihf.exe 452 "C:\Windows\SysWOW64\esxvlt.exe"
183⤵
PID:672

C:\Windows\SysWOW64\athihf.exe
452 C:\Windows\SysWOW64\esxvlt.exe
184⤵
PID:2076

C:\Windows\SysWOW64\yqoiam.exe
C:\Windows\system32\yqoiam.exe 472 "C:\Windows\SysWOW64\athihf.exe"
185⤵
PID:1632

C:\Windows\SysWOW64\yqoiam.exe
472 C:\Windows\SysWOW64\athihf.exe
186⤵
PID:1692

C:\Windows\SysWOW64\xjpbcy.exe
C:\Windows\system32\xjpbcy.exe 444 "C:\Windows\SysWOW64\yqoiam.exe"
187⤵
PID:1304

C:\Windows\SysWOW64\xjpbcy.exe
444 C:\Windows\SysWOW64\yqoiam.exe
188⤵
PID:1888

C:\Windows\SysWOW64\mkhoyc.exe
C:\Windows\system32\mkhoyc.exe 452 "C:\Windows\SysWOW64\xjpbcy.exe"
189⤵
PID:2000

C:\Windows\SysWOW64\mkhoyc.exe
452 C:\Windows\SysWOW64\xjpbcy.exe
190⤵
- Drops file in System32 directory
PID:1112

C:\Windows\SysWOW64\jlrbcn.exe
C:\Windows\system32\jlrbcn.exe 444 "C:\Windows\SysWOW64\mkhoyc.exe"
191⤵
PID:1104

C:\Windows\SysWOW64\jlrbcn.exe
444 C:\Windows\SysWOW64\mkhoyc.exe
192⤵
PID:1620

C:\Windows\SysWOW64\idalwz.exe
C:\Windows\system32\idalwz.exe 448 "C:\Windows\SysWOW64\jlrbcn.exe"
193⤵
PID:2972

C:\Windows\SysWOW64\idalwz.exe
448 C:\Windows\SysWOW64\jlrbcn.exe
194⤵
PID:2896

C:\Windows\SysWOW64\fthlpg.exe
C:\Windows\system32\fthlpg.exe 444 "C:\Windows\SysWOW64\idalwz.exe"
195⤵
PID:1272

C:\Windows\SysWOW64\fthlpg.exe
444 C:\Windows\SysWOW64\idalwz.exe
196⤵
PID:564

C:\Windows\SysWOW64\zdbtui.exe
C:\Windows\system32\zdbtui.exe 456 "C:\Windows\SysWOW64\fthlpg.exe"
197⤵
PID:2820

C:\Windows\SysWOW64\zdbtui.exe
456 C:\Windows\SysWOW64\fthlpg.exe
198⤵
PID:2256

C:\Windows\SysWOW64\zsyylr.exe
C:\Windows\system32\zsyylr.exe 476 "C:\Windows\SysWOW64\zdbtui.exe"
199⤵
PID:1964

C:\Windows\SysWOW64\zsyylr.exe
476 C:\Windows\SysWOW64\zdbtui.exe
200⤵
PID:2520

C:\Windows\SysWOW64\zkzrnd.exe
C:\Windows\system32\zkzrnd.exe 452 "C:\Windows\SysWOW64\zsyylr.exe"
201⤵
PID:2644

C:\Windows\SysWOW64\zkzrnd.exe
452 C:\Windows\SysWOW64\zsyylr.exe
202⤵
PID:2544

C:\Windows\SysWOW64\tubzlf.exe
C:\Windows\system32\tubzlf.exe 444 "C:\Windows\SysWOW64\zkzrnd.exe"
203⤵
PID:2456

C:\Windows\SysWOW64\tubzlf.exe
444 C:\Windows\SysWOW64\zkzrnd.exe
204⤵
PID:2444

C:\Windows\SysWOW64\smcrfs.exe
C:\Windows\system32\smcrfs.exe 444 "C:\Windows\SysWOW64\tubzlf.exe"
205⤵
PID:2848

C:\Windows\SysWOW64\smcrfs.exe
444 C:\Windows\SysWOW64\tubzlf.exe
206⤵
- Drops file in System32 directory
PID:2448

C:\Windows\SysWOW64\tqojce.exe
C:\Windows\system32\tqojce.exe 496 "C:\Windows\SysWOW64\smcrfs.exe"
207⤵
PID:1732

C:\Windows\SysWOW64\tqojce.exe
496 C:\Windows\SysWOW64\smcrfs.exe
208⤵
PID:1268

C:\Windows\SysWOW64\mdtwck.exe
C:\Windows\system32\mdtwck.exe 452 "C:\Windows\SysWOW64\tqojce.exe"
209⤵
PID:1676

C:\Windows\SysWOW64\mdtwck.exe
452 C:\Windows\SysWOW64\tqojce.exe
210⤵
PID:1736

C:\Windows\SysWOW64\mofxyo.exe
C:\Windows\system32\mofxyo.exe 444 "C:\Windows\SysWOW64\mdtwck.exe"
211⤵
PID:1064

C:\Windows\SysWOW64\mofxyo.exe
444 C:\Windows\SysWOW64\mdtwck.exe
212⤵
- Drops file in System32 directory
PID:2668

C:\Windows\SysWOW64\gyhewq.exe
C:\Windows\system32\gyhewq.exe 444 "C:\Windows\SysWOW64\mofxyo.exe"
213⤵
PID:2472

C:\Windows\SysWOW64\gyhewq.exe
444 C:\Windows\SysWOW64\mofxyo.exe
214⤵
PID:2248

C:\Windows\SysWOW64\gfekvy.exe
C:\Windows\system32\gfekvy.exe 444 "C:\Windows\SysWOW64\gyhewq.exe"
215⤵
PID:1360

C:\Windows\SysWOW64\gfekvy.exe
444 C:\Windows\SysWOW64\gyhewq.exe
216⤵
- Drops file in System32 directory
PID:672

C:\Windows\SysWOW64\asjxwf.exe
C:\Windows\system32\asjxwf.exe 444 "C:\Windows\SysWOW64\gfekvy.exe"
217⤵
PID:588

C:\Windows\SysWOW64\asjxwf.exe
444 C:\Windows\SysWOW64\gfekvy.exe
218⤵
- Drops file in System32 directory
PID:2076

C:\Windows\SysWOW64\ahhcnn.exe
C:\Windows\system32\ahhcnn.exe 444 "C:\Windows\SysWOW64\asjxwf.exe"
219⤵
PID:2036

C:\Windows\SysWOW64\ahhcnn.exe
444 C:\Windows\SysWOW64\asjxwf.exe
220⤵
PID:2276

C:\Windows\SysWOW64\xirpry.exe
C:\Windows\system32\xirpry.exe 448 "C:\Windows\SysWOW64\ahhcnn.exe"
221⤵
PID:972

C:\Windows\SysWOW64\xirpry.exe
448 C:\Windows\SysWOW64\ahhcnn.exe
222⤵
PID:900

C:\Windows\SysWOW64\ugypkx.exe
C:\Windows\system32\ugypkx.exe 444 "C:\Windows\SysWOW64\xirpry.exe"
223⤵
PID:1900

C:\Windows\SysWOW64\ugypkx.exe
444 C:\Windows\SysWOW64\xirpry.exe
224⤵
PID:2960

C:\Windows\SysWOW64\rhicoi.exe
C:\Windows\system32\rhicoi.exe 452 "C:\Windows\SysWOW64\ugypkx.exe"
225⤵
PID:2088

C:\Windows\SysWOW64\rhicoi.exe
452 C:\Windows\SysWOW64\ugypkx.exe
226⤵
PID:1620

C:\Windows\SysWOW64\qwfifr.exe
C:\Windows\system32\qwfifr.exe 444 "C:\Windows\SysWOW64\rhicoi.exe"
227⤵
PID:1584

C:\Windows\SysWOW64\qwfifr.exe
444 C:\Windows\SysWOW64\rhicoi.exe
228⤵
- Drops file in System32 directory
PID:2044

C:\Windows\SysWOW64\npqvjc.exe
C:\Windows\system32\npqvjc.exe 444 "C:\Windows\SysWOW64\qwfifr.exe"
229⤵
PID:3000

C:\Windows\SysWOW64\npqvjc.exe
444 C:\Windows\SysWOW64\qwfifr.exe
230⤵
- Drops file in System32 directory
PID:2540

C:\Windows\SysWOW64\kqiaef.exe
C:\Windows\system32\kqiaef.exe 444 "C:\Windows\SysWOW64\npqvjc.exe"
231⤵
PID:3040

C:\Windows\SysWOW64\kqiaef.exe
444 C:\Windows\SysWOW64\npqvjc.exe
232⤵
PID:2560

C:\Windows\SysWOW64\kfffww.exe
C:\Windows\system32\kfffww.exe 444 "C:\Windows\SysWOW64\kqiaef.exe"
233⤵
PID:2576

C:\Windows\SysWOW64\kfffww.exe
444 C:\Windows\SysWOW64\kqiaef.exe
234⤵
PID:2548

C:\Windows\SysWOW64\hgqszz.exe
C:\Windows\system32\hgqszz.exe 444 "C:\Windows\SysWOW64\kfffww.exe"
235⤵
PID:2748

C:\Windows\SysWOW64\hgqszz.exe
444 C:\Windows\SysWOW64\kfffww.exe
236⤵
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\vhifvk.exe
C:\Windows\system32\vhifvk.exe 472 "C:\Windows\SysWOW64\hgqszz.exe"
237⤵
PID:1212

C:\Windows\SysWOW64\vhifvk.exe
472 C:\Windows\SysWOW64\hgqszz.exe
238⤵
PID:1652

C:\Windows\SysWOW64\vtmyko.exe
C:\Windows\system32\vtmyko.exe 444 "C:\Windows\SysWOW64\vhifvk.exe"
239⤵
PID:2448

C:\Windows\SysWOW64\vtmyko.exe
444 C:\Windows\SysWOW64\vhifvk.exe
240⤵
- Drops file in System32 directory
PID:1200

C:\Windows\SysWOW64\syqyqe.exe
C:\Windows\system32\syqyqe.exe 440 "C:\Windows\SysWOW64\vtmyko.exe"
241⤵
PID:1204

C:\Windows\SysWOW64\syqyqe.exe
440 C:\Windows\SysWOW64\vtmyko.exe
242⤵
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\pnpyjd.exe
C:\Windows\system32\pnpyjd.exe 444 "C:\Windows\SysWOW64\syqyqe.exe"
243⤵
PID:1736

C:\Windows\SysWOW64\pnpyjd.exe
444 C:\Windows\SysWOW64\syqyqe.exe
244⤵
PID:2224

C:\Windows\SysWOW64\pgxilx.exe
C:\Windows\system32\pgxilx.exe 456 "C:\Windows\SysWOW64\pnpyjd.exe"
245⤵
PID:2756

C:\Windows\SysWOW64\pgxilx.exe
456 C:\Windows\SysWOW64\pnpyjd.exe
246⤵
PID:2808

C:\Windows\SysWOW64\lhivhb.exe
C:\Windows\system32\lhivhb.exe 444 "C:\Windows\SysWOW64\pgxilx.exe"
247⤵
PID:2272

C:\Windows\SysWOW64\lhivhb.exe
444 C:\Windows\SysWOW64\pgxilx.exe
248⤵
PID:1228

C:\Windows\SysWOW64\iiailm.exe
C:\Windows\system32\iiailm.exe 448 "C:\Windows\SysWOW64\lhivhb.exe"
249⤵
PID:588

C:\Windows\SysWOW64\iiailm.exe
448 C:\Windows\SysWOW64\lhivhb.exe
250⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\ffhiel.exe
C:\Windows\system32\ffhiel.exe 444 "C:\Windows\SysWOW64\iiailm.exe"
251⤵
PID:2036

C:\Windows\SysWOW64\ffhiel.exe
444 C:\Windows\SysWOW64\iiailm.exe
252⤵
- Drops file in System32 directory
PID:1888

C:\Windows\SysWOW64\drcwun.exe
C:\Windows\system32\drcwun.exe 456 "C:\Windows\SysWOW64\ffhiel.exe"
253⤵
PID:608

C:\Windows\SysWOW64\drcwun.exe
456 C:\Windows\SysWOW64\ffhiel.exe
254⤵
- Drops file in System32 directory
PID:1744

C:\Windows\SysWOW64\ckdowa.exe
C:\Windows\system32\ckdowa.exe 452 "C:\Windows\SysWOW64\drcwun.exe"
255⤵
PID:900

C:\Windows\SysWOW64\ckdowa.exe
452 C:\Windows\SysWOW64\drcwun.exe
256⤵
- Drops file in System32 directory
PID:2336

C:\Windows\SysWOW64\wxijxg.exe
C:\Windows\system32\wxijxg.exe 464 "C:\Windows\SysWOW64\ckdowa.exe"
257⤵
PID:2960

C:\Windows\SysWOW64\wxijxg.exe
464 C:\Windows\SysWOW64\ckdowa.exe
258⤵
PID:1700

C:\Windows\SysWOW64\wyrtzt.exe
C:\Windows\system32\wyrtzt.exe 452 "C:\Windows\SysWOW64\wxijxg.exe"
259⤵
PID:2016

C:\Windows\SysWOW64\wyrtzt.exe
452 C:\Windows\SysWOW64\wxijxg.exe
260⤵
PID:2652

C:\Windows\SysWOW64\vfhyqj.exe
C:\Windows\system32\vfhyqj.exe 448 "C:\Windows\SysWOW64\wyrtzt.exe"
261⤵
PID:2920

C:\Windows\SysWOW64\vfhyqj.exe
448 C:\Windows\SysWOW64\wyrtzt.exe
262⤵
PID:2128

C:\Windows\SysWOW64\vxprkw.exe
C:\Windows\system32\vxprkw.exe 480 "C:\Windows\SysWOW64\vfhyqj.exe"
263⤵
PID:1156

C:\Windows\SysWOW64\vxprkw.exe
480 C:\Windows\SysWOW64\vfhyqj.exe
264⤵
PID:2592

C:\Windows\SysWOW64\syaeoh.exe
C:\Windows\system32\syaeoh.exe 444 "C:\Windows\SysWOW64\vxprkw.exe"
265⤵
PID:112

C:\Windows\SysWOW64\syaeoh.exe
444 C:\Windows\SysWOW64\vxprkw.exe
266⤵
PID:2776

C:\Windows\SysWOW64\rrioiu.exe
C:\Windows\system32\rrioiu.exe 444 "C:\Windows\SysWOW64\syaeoh.exe"
267⤵
PID:2032

C:\Windows\SysWOW64\rrioiu.exe
444 C:\Windows\SysWOW64\syaeoh.exe
268⤵
PID:2656

C:\Windows\SysWOW64\rjjhch.exe
C:\Windows\system32\rjjhch.exe 444 "C:\Windows\SysWOW64\rrioiu.exe"
269⤵
PID:320

C:\Windows\SysWOW64\rjjhch.exe
444 C:\Windows\SysWOW64\rrioiu.exe
270⤵
PID:1800

C:\Windows\SysWOW64\rkkzwt.exe
C:\Windows\system32\rkkzwt.exe 444 "C:\Windows\SysWOW64\rjjhch.exe"
271⤵
PID:1512

C:\Windows\SysWOW64\rkkzwt.exe
444 C:\Windows\SysWOW64\rjjhch.exe
272⤵
PID:2448

C:\Windows\SysWOW64\qctjqo.exe
C:\Windows\system32\qctjqo.exe 464 "C:\Windows\SysWOW64\rkkzwt.exe"
273⤵
PID:1564

C:\Windows\SysWOW64\qctjqo.exe
464 C:\Windows\SysWOW64\rkkzwt.exe
274⤵
PID:1200

C:\Windows\SysWOW64\qvucsb.exe
C:\Windows\system32\qvucsb.exe 444 "C:\Windows\SysWOW64\qctjqo.exe"
275⤵
PID:2160

C:\Windows\SysWOW64\qvucsb.exe
444 C:\Windows\SysWOW64\qctjqo.exe
276⤵
PID:936

C:\Windows\SysWOW64\pnvmmn.exe
C:\Windows\system32\pnvmmn.exe 456 "C:\Windows\SysWOW64\qvucsb.exe"
277⤵
PID:2420

C:\Windows\SysWOW64\pnvmmn.exe
456 C:\Windows\SysWOW64\qvucsb.exe
278⤵
PID:2756

C:\Windows\SysWOW64\monziy.exe
C:\Windows\system32\monziy.exe 472 "C:\Windows\SysWOW64\pnvmmn.exe"
279⤵
PID:2236

C:\Windows\SysWOW64\monziy.exe
472 C:\Windows\SysWOW64\pnvmmn.exe
280⤵
PID:1360

C:\Windows\SysWOW64\pvbkxq.exe
C:\Windows\system32\pvbkxq.exe 472 "C:\Windows\SysWOW64\monziy.exe"
281⤵
PID:1308

C:\Windows\SysWOW64\pvbkxq.exe
472 C:\Windows\SysWOW64\monziy.exe
282⤵
PID:1228

C:\Windows\SysWOW64\lwlxbt.exe
C:\Windows\system32\lwlxbt.exe 444 "C:\Windows\SysWOW64\pvbkxq.exe"
283⤵
PID:1984

C:\Windows\SysWOW64\lwlxbt.exe
444 C:\Windows\SysWOW64\pvbkxq.exe
284⤵
PID:1788

C:\Windows\SysWOW64\ipwkxf.exe
C:\Windows\system32\ipwkxf.exe 452 "C:\Windows\SysWOW64\lwlxbt.exe"
285⤵
PID:2080

C:\Windows\SysWOW64\ipwkxf.exe
452 C:\Windows\SysWOW64\lwlxbt.exe
286⤵
PID:1772

C:\Windows\SysWOW64\aethwn.exe
C:\Windows\system32\aethwn.exe 444 "C:\Windows\SysWOW64\ipwkxf.exe"
287⤵
PID:1688

C:\Windows\SysWOW64\aethwn.exe
444 C:\Windows\SysWOW64\ipwkxf.exe
288⤵
PID:2120

C:\Windows\SysWOW64\ukkkrl.exe
C:\Windows\system32\ukkkrl.exe 444 "C:\Windows\SysWOW64\aethwn.exe"
289⤵
PID:2212

C:\Windows\SysWOW64\ukkkrl.exe
444 C:\Windows\SysWOW64\aethwn.exe
290⤵
PID:1560

C:\Windows\SysWOW64\rluxvw.exe
C:\Windows\system32\rluxvw.exe 444 "C:\Windows\SysWOW64\ukkkrl.exe"
291⤵
PID:1584

C:\Windows\SysWOW64\rluxvw.exe
444 C:\Windows\SysWOW64\ukkkrl.exe
292⤵
PID:2704

C:\Windows\SysWOW64\rarvme.exe
C:\Windows\system32\rarvme.exe 452 "C:\Windows\SysWOW64\rluxvw.exe"
293⤵
PID:2640

C:\Windows\SysWOW64\rarvme.exe
452 C:\Windows\SysWOW64\rluxvw.exe
294⤵
PID:564

C:\Windows\SysWOW64\otjiip.exe
C:\Windows\system32\otjiip.exe 444 "C:\Windows\SysWOW64\rarvme.exe"
295⤵
PID:1448

C:\Windows\SysWOW64\otjiip.exe
444 C:\Windows\SysWOW64\rarvme.exe
296⤵
PID:2488

C:\Windows\SysWOW64\lriijo.exe
C:\Windows\system32\lriijo.exe 452 "C:\Windows\SysWOW64\otjiip.exe"
297⤵
PID:2692

C:\Windows\SysWOW64\lriijo.exe
452 C:\Windows\SysWOW64\otjiip.exe
298⤵
PID:2600

C:\Windows\SysWOW64\fevdrv.exe
C:\Windows\system32\fevdrv.exe 444 "C:\Windows\SysWOW64\lriijo.exe"
299⤵
PID:2732

C:\Windows\SysWOW64\fevdrv.exe
444 C:\Windows\SysWOW64\lriijo.exe
300⤵
PID:2552

C:\Windows\SysWOW64\fpivgz.exe
C:\Windows\system32\fpivgz.exe 456 "C:\Windows\SysWOW64\fevdrv.exe"
301⤵
PID:1628

C:\Windows\SysWOW64\fpivgz.exe
456 C:\Windows\SysWOW64\fevdrv.exe
302⤵
- Drops file in System32 directory
PID:2216

C:\Windows\SysWOW64\budveo.exe
C:\Windows\system32\budveo.exe 444 "C:\Windows\SysWOW64\fpivgz.exe"
303⤵
PID:2208

C:\Windows\SysWOW64\budveo.exe
444 C:\Windows\SysWOW64\fpivgz.exe
304⤵
PID:1652

C:\Windows\SysWOW64\bjbavx.exe
C:\Windows\system32\bjbavx.exe 452 "C:\Windows\SysWOW64\budveo.exe"
305⤵
PID:2308

C:\Windows\SysWOW64\bjbavx.exe
452 C:\Windows\SysWOW64\budveo.exe
306⤵
PID:2696

C:\Windows\SysWOW64\bcblyr.exe
C:\Windows\system32\bcblyr.exe 444 "C:\Windows\SysWOW64\bjbavx.exe"
307⤵
PID:268

C:\Windows\SysWOW64\bcblyr.exe
444 C:\Windows\SysWOW64\bjbavx.exe
308⤵
PID:772

C:\Windows\SysWOW64\ydmytv.exe
C:\Windows\system32\ydmytv.exe 448 "C:\Windows\SysWOW64\bcblyr.exe"
309⤵
PID:1320

C:\Windows\SysWOW64\ydmytv.exe
448 C:\Windows\SysWOW64\bcblyr.exe
310⤵
PID:2472

C:\Windows\SysWOW64\xkjdld.exe
C:\Windows\system32\xkjdld.exe 444 "C:\Windows\SysWOW64\ydmytv.exe"
311⤵
PID:1812

C:\Windows\SysWOW64\xkjdld.exe
444 C:\Windows\SysWOW64\ydmytv.exe
312⤵
PID:2612

C:\Windows\SysWOW64\ulbqoo.exe
C:\Windows\system32\ulbqoo.exe 456 "C:\Windows\SysWOW64\xkjdld.exe"
313⤵
PID:888

C:\Windows\SysWOW64\ulbqoo.exe
456 C:\Windows\SysWOW64\xkjdld.exe
314⤵
PID:2200

C:\Windows\SysWOW64\rpxinw.exe
C:\Windows\system32\rpxinw.exe 444 "C:\Windows\SysWOW64\ulbqoo.exe"
315⤵
PID:780

C:\Windows\SysWOW64\rpxinw.exe
444 C:\Windows\SysWOW64\ulbqoo.exe
316⤵
PID:3032

C:\Windows\SysWOW64\rbjbji.exe
C:\Windows\system32\rbjbji.exe 456 "C:\Windows\SysWOW64\rpxinw.exe"
317⤵
PID:2000

C:\Windows\SysWOW64\rbjbji.exe
456 C:\Windows\SysWOW64\rpxinw.exe
318⤵
PID:1972

C:\Windows\SysWOW64\nffbip.exe
C:\Windows\system32\nffbip.exe 444 "C:\Windows\SysWOW64\rbjbji.exe"
319⤵
PID:1588

C:\Windows\SysWOW64\nffbip.exe
444 C:\Windows\SysWOW64\rbjbji.exe
320⤵
PID:2972

C:\Windows\SysWOW64\kgpomb.exe
C:\Windows\system32\kgpomb.exe 444 "C:\Windows\SysWOW64\nffbip.exe"
321⤵
PID:2336

C:\Windows\SysWOW64\kgpomb.exe
444 C:\Windows\SysWOW64\nffbip.exe
322⤵
PID:2008

C:\Windows\SysWOW64\ksbgaf.exe
C:\Windows\system32\ksbgaf.exe 444 "C:\Windows\SysWOW64\kgpomb.exe"
323⤵
PID:1620

C:\Windows\SysWOW64\ksbgaf.exe
444 C:\Windows\SysWOW64\kgpomb.exe
324⤵
PID:2900

C:\Windows\SysWOW64\hxxgzu.exe
C:\Windows\system32\hxxgzu.exe 444 "C:\Windows\SysWOW64\ksbgaf.exe"
325⤵
PID:2640

C:\Windows\SysWOW64\hxxgzu.exe
444 C:\Windows\SysWOW64\ksbgaf.exe
326⤵
PID:2540

C:\Windows\SysWOW64\hmueqd.exe
C:\Windows\system32\hmueqd.exe 444 "C:\Windows\SysWOW64\hxxgzu.exe"
327⤵
PID:1448

C:\Windows\SysWOW64\hmueqd.exe
444 C:\Windows\SysWOW64\hxxgzu.exe
328⤵
PID:1616

C:\Windows\SysWOW64\dqqexs.exe
C:\Windows\system32\dqqexs.exe 444 "C:\Windows\SysWOW64\hmueqd.exe"
329⤵
PID:2852

C:\Windows\SysWOW64\dqqexs.exe
444 C:\Windows\SysWOW64\hmueqd.exe
330⤵
PID:2148

C:\Windows\SysWOW64\dfnjoa.exe
C:\Windows\system32\dfnjoa.exe 444 "C:\Windows\SysWOW64\dqqexs.exe"
331⤵
PID:3060

C:\Windows\SysWOW64\dfnjoa.exe
444 C:\Windows\SysWOW64\dqqexs.exe
332⤵
PID:2176

C:\Windows\SysWOW64\xhpruc.exe
C:\Windows\system32\xhpruc.exe 472 "C:\Windows\SysWOW64\dfnjoa.exe"
333⤵
PID:320

C:\Windows\SysWOW64\xhpruc.exe
472 C:\Windows\SysWOW64\dfnjoa.exe
334⤵
PID:1664

C:\Windows\SysWOW64\pwewll.exe
C:\Windows\system32\pwewll.exe 456 "C:\Windows\SysWOW64\xhpruc.exe"
335⤵
PID:1644

C:\Windows\SysWOW64\pwewll.exe
456 C:\Windows\SysWOW64\xhpruc.exe
336⤵
- Drops file in System32 directory
PID:1568

C:\Windows\SysWOW64\plccct.exe
C:\Windows\system32\plccct.exe 452 "C:\Windows\SysWOW64\pwewll.exe"
337⤵
PID:2308

C:\Windows\SysWOW64\plccct.exe
452 C:\Windows\SysWOW64\pwewll.exe
338⤵
PID:2264

C:\Windows\SysWOW64\mmmpge.exe
C:\Windows\system32\mmmpge.exe 448 "C:\Windows\SysWOW64\plccct.exe"
339⤵
PID:1328

C:\Windows\SysWOW64\mmmpge.exe
448 C:\Windows\SysWOW64\plccct.exe
340⤵
PID:308

C:\Windows\SysWOW64\iqqhfm.exe
C:\Windows\system32\iqqhfm.exe 456 "C:\Windows\SysWOW64\mmmpge.exe"
341⤵
PID:908

C:\Windows\SysWOW64\iqqhfm.exe
456 C:\Windows\SysWOW64\mmmpge.exe
342⤵
- Drops file in System32 directory
PID:840

C:\Windows\SysWOW64\ijrzzh.exe
C:\Windows\system32\ijrzzh.exe 448 "C:\Windows\SysWOW64\iqqhfm.exe"
343⤵
PID:1632

C:\Windows\SysWOW64\ijrzzh.exe
448 C:\Windows\SysWOW64\iqqhfm.exe
344⤵
PID:1892

C:\Windows\SysWOW64\iudsvl.exe
C:\Windows\system32\iudsvl.exe 444 "C:\Windows\SysWOW64\ijrzzh.exe"
345⤵
PID:2024

C:\Windows\SysWOW64\iudsvl.exe
444 C:\Windows\SysWOW64\ijrzzh.exe
346⤵
PID:1764

C:\Windows\SysWOW64\fwnfrw.exe
C:\Windows\system32\fwnfrw.exe 448 "C:\Windows\SysWOW64\iudsvl.exe"
347⤵
PID:844

C:\Windows\SysWOW64\fwnfrw.exe
448 C:\Windows\SysWOW64\iudsvl.exe
348⤵
PID:1432

C:\Windows\SysWOW64\bxfkvz.exe
C:\Windows\system32\bxfkvz.exe 452 "C:\Windows\SysWOW64\fwnfrw.exe"
349⤵
PID:1540

C:\Windows\SysWOW64\bxfkvz.exe
452 C:\Windows\SysWOW64\fwnfrw.exe
350⤵
PID:2276

C:\Windows\SysWOW64\bedpmp.exe
C:\Windows\system32\bedpmp.exe 440 "C:\Windows\SysWOW64\bxfkvz.exe"
351⤵
PID:832

C:\Windows\SysWOW64\bedpmp.exe
440 C:\Windows\SysWOW64\bxfkvz.exe
352⤵
PID:884

C:\Windows\SysWOW64\vrikuo.exe
C:\Windows\system32\vrikuo.exe 452 "C:\Windows\SysWOW64\bedpmp.exe"
353⤵
PID:2120

C:\Windows\SysWOW64\vrikuo.exe
452 C:\Windows\SysWOW64\bedpmp.exe
354⤵
- Drops file in System32 directory
PID:2908

C:\Windows\SysWOW64\vgfpme.exe
C:\Windows\system32\vgfpme.exe 440 "C:\Windows\SysWOW64\vrikuo.exe"
355⤵
PID:2300

C:\Windows\SysWOW64\vgfpme.exe
440 C:\Windows\SysWOW64\vrikuo.exe
356⤵
PID:1216

C:\Windows\SysWOW64\vvvvdm.exe
C:\Windows\system32\vvvvdm.exe 444 "C:\Windows\SysWOW64\vgfpme.exe"
357⤵
PID:1560

C:\Windows\SysWOW64\vvvvdm.exe
444 C:\Windows\SysWOW64\vgfpme.exe
358⤵
PID:2256

C:\Windows\SysWOW64\rwnizy.exe
C:\Windows\system32\rwnizy.exe 444 "C:\Windows\SysWOW64\vvvvdm.exe"
359⤵
PID:2520

C:\Windows\SysWOW64\rwnizy.exe
444 C:\Windows\SysWOW64\vvvvdm.exe
360⤵
PID:564

C:\Windows\SysWOW64\oxxvcb.exe
C:\Windows\system32\oxxvcb.exe 468 "C:\Windows\SysWOW64\rwnizy.exe"
361⤵
PID:2564

C:\Windows\SysWOW64\oxxvcb.exe
468 C:\Windows\SysWOW64\rwnizy.exe
362⤵
- Drops file in System32 directory
PID:2456

C:\Windows\SysWOW64\omvsur.exe
C:\Windows\system32\omvsur.exe 444 "C:\Windows\SysWOW64\oxxvcb.exe"
363⤵
PID:2868

C:\Windows\SysWOW64\omvsur.exe
444 C:\Windows\SysWOW64\oxxvcb.exe
364⤵
- Drops file in System32 directory
PID:2776

C:\Windows\SysWOW64\lnffxu.exe
C:\Windows\system32\lnffxu.exe 472 "C:\Windows\SysWOW64\omvsur.exe"
365⤵
PID:2568

C:\Windows\SysWOW64\lnffxu.exe
472 C:\Windows\SysWOW64\omvsur.exe
366⤵
PID:1732

C:\Windows\SysWOW64\igxstg.exe
C:\Windows\system32\igxstg.exe 456 "C:\Windows\SysWOW64\lnffxu.exe"
367⤵
PID:2196

C:\Windows\SysWOW64\igxstg.exe
456 C:\Windows\SysWOW64\lnffxu.exe
368⤵
PID:2996

C:\Windows\SysWOW64\hhylns.exe
C:\Windows\system32\hhylns.exe 452 "C:\Windows\SysWOW64\igxstg.exe"
369⤵
PID:1420

C:\Windows\SysWOW64\hhylns.exe
452 C:\Windows\SysWOW64\igxstg.exe
370⤵
PID:2440

C:\Windows\SysWOW64\howqmb.exe
C:\Windows\system32\howqmb.exe 456 "C:\Windows\SysWOW64\hhylns.exe"
371⤵
PID:1828

C:\Windows\SysWOW64\howqmb.exe
456 C:\Windows\SysWOW64\hhylns.exe
372⤵
PID:1604

C:\Windows\SysWOW64\earilq.exe
C:\Windows\system32\earilq.exe 444 "C:\Windows\SysWOW64\howqmb.exe"
373⤵
PID:2244

C:\Windows\SysWOW64\earilq.exe
444 C:\Windows\SysWOW64\howqmb.exe
374⤵
- Drops file in System32 directory
PID:1036

C:\Windows\SysWOW64\bmnvbl.exe
C:\Windows\system32\bmnvbl.exe 456 "C:\Windows\SysWOW64\earilq.exe"
375⤵
PID:2904

C:\Windows\SysWOW64\bmnvbl.exe
456 C:\Windows\SysWOW64\earilq.exe
376⤵
PID:2528

C:\Windows\SysWOW64\yrivib.exe
C:\Windows\system32\yrivib.exe 444 "C:\Windows\SysWOW64\bmnvbl.exe"
377⤵
PID:1632

C:\Windows\SysWOW64\yrivib.exe
444 C:\Windows\SysWOW64\bmnvbl.exe
378⤵
PID:2348

C:\Windows\SysWOW64\vopwba.exe
C:\Windows\system32\vopwba.exe 456 "C:\Windows\SysWOW64\yrivib.exe"
379⤵
PID:1892

C:\Windows\SysWOW64\vopwba.exe
456 C:\Windows\SysWOW64\yrivib.exe
380⤵
PID:444

C:\Windows\SysWOW64\udnbaq.exe
C:\Windows\system32\udnbaq.exe 444 "C:\Windows\SysWOW64\vopwba.exe"
381⤵
PID:312

C:\Windows\SysWOW64\udnbaq.exe
444 C:\Windows\SysWOW64\vopwba.exe
382⤵
PID:1236

C:\Windows\SysWOW64\jxxowt.exe
C:\Windows\system32\jxxowt.exe 456 "C:\Windows\SysWOW64\udnbaq.exe"
383⤵
PID:608

C:\Windows\SysWOW64\jxxowt.exe
456 C:\Windows\SysWOW64\udnbaq.exe
384⤵
PID:1456

C:\Windows\SysWOW64\gypbae.exe
C:\Windows\system32\gypbae.exe 472 "C:\Windows\SysWOW64\jxxowt.exe"
385⤵
PID:1972

C:\Windows\SysWOW64\gypbae.exe
472 C:\Windows\SysWOW64\jxxowt.exe
386⤵
PID:876

C:\Windows\SysWOW64\dsloqh.exe
C:\Windows\system32\dsloqh.exe 472 "C:\Windows\SysWOW64\gypbae.exe"
387⤵
PID:2144

C:\Windows\SysWOW64\dsloqh.exe
472 C:\Windows\SysWOW64\gypbae.exe
388⤵
- Drops file in System32 directory
PID:2336

C:\Windows\SysWOW64\xfqjzf.exe
C:\Windows\system32\xfqjzf.exe 452 "C:\Windows\SysWOW64\dsloqh.exe"
389⤵
PID:2628

C:\Windows\SysWOW64\xfqjzf.exe
452 C:\Windows\SysWOW64\dsloqh.exe
390⤵
PID:2056

C:\Windows\SysWOW64\xxrtta.exe
C:\Windows\system32\xxrtta.exe 444 "C:\Windows\SysWOW64\xfqjzf.exe"
391⤵
PID:3000

C:\Windows\SysWOW64\xxrtta.exe
444 C:\Windows\SysWOW64\xfqjzf.exe
392⤵
PID:1196

C:\Windows\SysWOW64\wqzmnn.exe
C:\Windows\system32\wqzmnn.exe 460 "C:\Windows\SysWOW64\xxrtta.exe"
393⤵
PID:2072

C:\Windows\SysWOW64\wqzmnn.exe
460 C:\Windows\SysWOW64\xxrtta.exe
394⤵
PID:2540

C:\Windows\SysWOW64\wfprev.exe
C:\Windows\system32\wfprev.exe 444 "C:\Windows\SysWOW64\wqzmnn.exe"
395⤵
PID:564

C:\Windows\SysWOW64\wfprev.exe
444 C:\Windows\SysWOW64\wqzmnn.exe
396⤵
PID:2852

C:\Windows\SysWOW64\wxybgq.exe
C:\Windows\system32\wxybgq.exe 452 "C:\Windows\SysWOW64\wfprev.exe"
397⤵
PID:2456

C:\Windows\SysWOW64\wxybgq.exe
452 C:\Windows\SysWOW64\wfprev.exe
398⤵
PID:2464

C:\Windows\SysWOW64\syipct.exe
C:\Windows\system32\syipct.exe 472 "C:\Windows\SysWOW64\wxybgq.exe"
399⤵
PID:2568

C:\Windows\SysWOW64\syipct.exe
472 C:\Windows\SysWOW64\wxybgq.exe
400⤵
PID:320

C:\Windows\SysWOW64\sngutb.exe
C:\Windows\system32\sngutb.exe 452 "C:\Windows\SysWOW64\syipct.exe"
401⤵
PID:2196

C:\Windows\SysWOW64\sngutb.exe
452 C:\Windows\SysWOW64\syipct.exe
402⤵
PID:2180

C:\Windows\SysWOW64\psbuzr.exe
C:\Windows\system32\psbuzr.exe 456 "C:\Windows\SysWOW64\sngutb.exe"
403⤵
PID:2996

C:\Windows\SysWOW64\psbuzr.exe
456 C:\Windows\SysWOW64\sngutb.exe
404⤵
PID:1568

C:\Windows\SysWOW64\phzzrz.exe
C:\Windows\system32\phzzrz.exe 492 "C:\Windows\SysWOW64\psbuzr.exe"
405⤵
PID:2132

C:\Windows\SysWOW64\phzzrz.exe
492 C:\Windows\SysWOW64\psbuzr.exe
406⤵
PID:1200

C:\Windows\SysWOW64\mxgzkg.exe
C:\Windows\system32\mxgzkg.exe 444 "C:\Windows\SysWOW64\phzzrz.exe"
407⤵
PID:308

C:\Windows\SysWOW64\mxgzkg.exe
444 C:\Windows\SysWOW64\phzzrz.exe
408⤵
PID:2796

C:\Windows\SysWOW64\lphkmt.exe
C:\Windows\system32\lphkmt.exe 456 "C:\Windows\SysWOW64\mxgzkg.exe"
409⤵
PID:1692

C:\Windows\SysWOW64\lphkmt.exe
456 C:\Windows\SysWOW64\mxgzkg.exe
410⤵
PID:840

C:\Windows\SysWOW64\iuckki.exe
C:\Windows\system32\iuckki.exe 444 "C:\Windows\SysWOW64\lphkmt.exe"
411⤵
PID:912

C:\Windows\SysWOW64\iuckki.exe
444 C:\Windows\SysWOW64\lphkmt.exe
412⤵
PID:2992

C:\Windows\SysWOW64\frjklh.exe
C:\Windows\system32\frjklh.exe 456 "C:\Windows\SysWOW64\iuckki.exe"
413⤵
PID:1860

C:\Windows\SysWOW64\frjklh.exe
456 C:\Windows\SysWOW64\iuckki.exe
414⤵
- Drops file in System32 directory
PID:1100

C:\Windows\SysWOW64\fghpdy.exe
C:\Windows\system32\fghpdy.exe 444 "C:\Windows\SysWOW64\frjklh.exe"
415⤵
PID:2980

C:\Windows\SysWOW64\fghpdy.exe
444 C:\Windows\SysWOW64\frjklh.exe
416⤵
PID:1432

C:\Windows\SysWOW64\cefpwx.exe
C:\Windows\system32\cefpwx.exe 444 "C:\Windows\SysWOW64\fghpdy.exe"
417⤵
PID:2276

C:\Windows\SysWOW64\cefpwx.exe
444 C:\Windows\SysWOW64\fghpdy.exe
418⤵
PID:2012

C:\Windows\SysWOW64\yijicm.exe
C:\Windows\system32\yijicm.exe 444 "C:\Windows\SysWOW64\cefpwx.exe"
419⤵
PID:2088

C:\Windows\SysWOW64\yijicm.exe
444 C:\Windows\SysWOW64\cefpwx.exe
420⤵
PID:1700

C:\Windows\SysWOW64\ybkawz.exe
C:\Windows\system32\ybkawz.exe 444 "C:\Windows\SysWOW64\yijicm.exe"
421⤵
PID:1696

C:\Windows\SysWOW64\ybkawz.exe
444 C:\Windows\SysWOW64\yijicm.exe
422⤵
PID:2928

C:\Windows\SysWOW64\vrraxg.exe
C:\Windows\system32\vrraxg.exe 452 "C:\Windows\SysWOW64\ybkawz.exe"
423⤵
PID:2700

C:\Windows\SysWOW64\vrraxg.exe
452 C:\Windows\SysWOW64\ybkawz.exe
424⤵
- Drops file in System32 directory
PID:2920

C:\Windows\SysWOW64\ssbntj.exe
C:\Windows\system32\ssbntj.exe 452 "C:\Windows\SysWOW64\vrraxg.exe"
425⤵
PID:2672

C:\Windows\SysWOW64\ssbntj.exe
452 C:\Windows\SysWOW64\vrraxg.exe
426⤵
PID:2692

C:\Windows\SysWOW64\pttapu.exe
C:\Windows\system32\pttapu.exe 444 "C:\Windows\SysWOW64\ssbntj.exe"
427⤵
PID:112

C:\Windows\SysWOW64\pttapu.exe
444 C:\Windows\SysWOW64\ssbntj.exe
428⤵
PID:2580

C:\Windows\SysWOW64\peftly.exe
C:\Windows\system32\peftly.exe 444 "C:\Windows\SysWOW64\pttapu.exe"
429⤵
PID:752

C:\Windows\SysWOW64\peftly.exe
444 C:\Windows\SysWOW64\pttapu.exe
430⤵
PID:2852

C:\Windows\SysWOW64\arknmf.exe
C:\Windows\system32\arknmf.exe 444 "C:\Windows\SysWOW64\peftly.exe"
431⤵
PID:2656

C:\Windows\SysWOW64\arknmf.exe
444 C:\Windows\SysWOW64\peftly.exe
432⤵
PID:1780

C:\Windows\SysWOW64\yhrnnl.exe
C:\Windows\system32\yhrnnl.exe 444 "C:\Windows\SysWOW64\arknmf.exe"
433⤵
PID:948

C:\Windows\SysWOW64\yhrnnl.exe
444 C:\Windows\SysWOW64\arknmf.exe
434⤵
PID:2196

C:\Windows\SysWOW64\xwhteu.exe
C:\Windows\system32\xwhteu.exe 452 "C:\Windows\SysWOW64\yhrnnl.exe"
435⤵
PID:1672

C:\Windows\SysWOW64\xwhteu.exe
452 C:\Windows\SysWOW64\yhrnnl.exe
436⤵
PID:1520

C:\Windows\SysWOW64\ubkllb.exe
C:\Windows\system32\ubkllb.exe 444 "C:\Windows\SysWOW64\xwhteu.exe"
437⤵
PID:2668

C:\Windows\SysWOW64\ubkllb.exe
444 C:\Windows\SysWOW64\xwhteu.exe
438⤵
PID:1568

C:\Windows\SysWOW64\uqaqcs.exe
C:\Windows\system32\uqaqcs.exe 452 "C:\Windows\SysWOW64\ubkllb.exe"
439⤵
PID:2688

C:\Windows\SysWOW64\uqaqcs.exe
452 C:\Windows\SysWOW64\ubkllb.exe
440⤵
PID:1812

C:\Windows\SysWOW64\ufxwta.exe
C:\Windows\system32\ufxwta.exe 444 "C:\Windows\SysWOW64\uqaqcs.exe"
441⤵
PID:1308

C:\Windows\SysWOW64\ufxwta.exe
444 C:\Windows\SysWOW64\uqaqcs.exe
442⤵
PID:2272

C:\Windows\SysWOW64\qjtwsi.exe
C:\Windows\system32\qjtwsi.exe 452 "C:\Windows\SysWOW64\ufxwta.exe"
443⤵
PID:1756

C:\Windows\SysWOW64\qjtwsi.exe
452 C:\Windows\SysWOW64\ufxwta.exe
444⤵
PID:1776

C:\Windows\SysWOW64\nhawtp.exe
C:\Windows\system32\nhawtp.exe 444 "C:\Windows\SysWOW64\qjtwsi.exe"
445⤵
PID:1304

C:\Windows\SysWOW64\nhawtp.exe
444 C:\Windows\SysWOW64\qjtwsi.exe
446⤵
PID:2364

C:\Windows\SysWOW64\nwpbkx.exe
C:\Windows\system32\nwpbkx.exe 444 "C:\Windows\SysWOW64\nhawtp.exe"
447⤵
PID:1888

C:\Windows\SysWOW64\nwpbkx.exe
444 C:\Windows\SysWOW64\nhawtp.exe
448⤵
PID:1984

C:\Windows\SysWOW64\kattrn.exe
C:\Windows\system32\kattrn.exe 444 "C:\Windows\SysWOW64\nwpbkx.exe"
449⤵
PID:2608

C:\Windows\SysWOW64\kattrn.exe
444 C:\Windows\SysWOW64\nwpbkx.exe
450⤵
PID:1752

C:\Windows\SysWOW64\gbdgmq.exe
C:\Windows\system32\gbdgmq.exe 448 "C:\Windows\SysWOW64\kattrn.exe"
451⤵
PID:2960

C:\Windows\SysWOW64\gbdgmq.exe
448 C:\Windows\SysWOW64\kattrn.exe
452⤵
PID:2792

C:\Windows\SysWOW64\drkgnx.exe
C:\Windows\system32\drkgnx.exe 444 "C:\Windows\SysWOW64\gbdgmq.exe"
453⤵
PID:2820

C:\Windows\SysWOW64\drkgnx.exe
444 C:\Windows\SysWOW64\gbdgmq.exe
454⤵
PID:1272

C:\Windows\SysWOW64\jasbwc.exe
C:\Windows\system32\jasbwc.exe 444 "C:\Windows\SysWOW64\drkgnx.exe"
455⤵
PID:2108

C:\Windows\SysWOW64\jasbwc.exe
444 C:\Windows\SysWOW64\drkgnx.exe
456⤵
PID:1688

C:\Windows\SysWOW64\fbkoaf.exe
C:\Windows\system32\fbkoaf.exe 444 "C:\Windows\SysWOW64\jasbwc.exe"
457⤵
PID:2700

C:\Windows\SysWOW64\fbkoaf.exe
444 C:\Windows\SysWOW64\jasbwc.exe
458⤵
PID:2256

C:\Windows\SysWOW64\fqaurw.exe
C:\Windows\system32\fqaurw.exe 460 "C:\Windows\SysWOW64\fbkoaf.exe"
459⤵
PID:2920

C:\Windows\SysWOW64\fqaurw.exe
460 C:\Windows\SysWOW64\fbkoaf.exe
460⤵
- Drops file in System32 directory
PID:2504

C:\Windows\SysWOW64\cvvmyd.exe
C:\Windows\system32\cvvmyd.exe 452 "C:\Windows\SysWOW64\fqaurw.exe"
461⤵
PID:2436

C:\Windows\SysWOW64\cvvmyd.exe
452 C:\Windows\SysWOW64\fqaurw.exe
462⤵
PID:2548

C:\Windows\SysWOW64\cktrpu.exe
C:\Windows\system32\cktrpu.exe 476 "C:\Windows\SysWOW64\cvvmyd.exe"
463⤵
PID:1880

C:\Windows\SysWOW64\cktrpu.exe
476 C:\Windows\SysWOW64\cvvmyd.exe
464⤵
PID:2204

C:\Windows\SysWOW64\ypornb.exe
C:\Windows\system32\ypornb.exe 456 "C:\Windows\SysWOW64\cktrpu.exe"
465⤵
PID:2848

C:\Windows\SysWOW64\ypornb.exe
456 C:\Windows\SysWOW64\cktrpu.exe
466⤵
- Drops file in System32 directory
PID:2500

C:\Windows\SysWOW64\yemxfk.exe
C:\Windows\system32\yemxfk.exe 444 "C:\Windows\SysWOW64\ypornb.exe"
467⤵
PID:2864

C:\Windows\SysWOW64\yemxfk.exe
444 C:\Windows\SysWOW64\ypornb.exe
468⤵
PID:1896

C:\Windows\SysWOW64\sfoekm.exe
C:\Windows\system32\sfoekm.exe 472 "C:\Windows\SysWOW64\yemxfk.exe"
469⤵
PID:1724

C:\Windows\SysWOW64\sfoekm.exe
472 C:\Windows\SysWOW64\yemxfk.exe
470⤵
PID:1672

C:\Windows\SysWOW64\sraxzy.exe
C:\Windows\system32\sraxzy.exe 452 "C:\Windows\SysWOW64\sfoekm.exe"
471⤵
PID:1364

C:\Windows\SysWOW64\sraxzy.exe
452 C:\Windows\SysWOW64\sfoekm.exe
472⤵
PID:1520

C:\Windows\SysWOW64\matfer.exe
C:\Windows\system32\matfer.exe 444 "C:\Windows\SysWOW64\sraxzy.exe"
473⤵
PID:1676

C:\Windows\SysWOW64\matfer.exe
444 C:\Windows\SysWOW64\sraxzy.exe
474⤵
PID:2800

C:\Windows\SysWOW64\jqafxy.exe
C:\Windows\system32\jqafxy.exe 452 "C:\Windows\SysWOW64\matfer.exe"
475⤵
PID:1820

C:\Windows\SysWOW64\jqafxy.exe
452 C:\Windows\SysWOW64\matfer.exe
476⤵
PID:2528

C:\Windows\SysWOW64\grlsbk.exe
C:\Windows\system32\grlsbk.exe 444 "C:\Windows\SysWOW64\jqafxy.exe"
477⤵
PID:2024

C:\Windows\SysWOW64\grlsbk.exe
444 C:\Windows\SysWOW64\jqafxy.exe
478⤵
PID:844

C:\Windows\SysWOW64\vsdfxn.exe
C:\Windows\system32\vsdfxn.exe 476 "C:\Windows\SysWOW64\grlsbk.exe"
479⤵
PID:1104

C:\Windows\SysWOW64\vsdfxn.exe
476 C:\Windows\SysWOW64\grlsbk.exe
480⤵
- Drops file in System32 directory
PID:1948

C:\Windows\SysWOW64\seysvq.exe
C:\Windows\system32\seysvq.exe 444 "C:\Windows\SysWOW64\vsdfxn.exe"
481⤵
PID:1236

C:\Windows\SysWOW64\seysvq.exe
444 C:\Windows\SysWOW64\vsdfxn.exe
482⤵
PID:1480

C:\Windows\SysWOW64\mrdnew.exe
C:\Windows\system32\mrdnew.exe 456 "C:\Windows\SysWOW64\seysvq.exe"
483⤵
PID:1976

C:\Windows\SysWOW64\mrdnew.exe
456 C:\Windows\SysWOW64\seysvq.exe
484⤵
PID:2276

C:\Windows\SysWOW64\mdqfsa.exe
C:\Windows\system32\mdqfsa.exe 444 "C:\Windows\SysWOW64\mrdnew.exe"
485⤵
PID:776

C:\Windows\SysWOW64\mdqfsa.exe
444 C:\Windows\SysWOW64\mrdnew.exe
486⤵
- Drops file in System32 directory
PID:2360

C:\Windows\SysWOW64\jeisol.exe
C:\Windows\system32\jeisol.exe 448 "C:\Windows\SysWOW64\mdqfsa.exe"
487⤵
PID:2516

C:\Windows\SysWOW64\jeisol.exe
448 C:\Windows\SysWOW64\mdqfsa.exe
488⤵
PID:1060

C:\Windows\SysWOW64\gchspk.exe
C:\Windows\system32\gchspk.exe 448 "C:\Windows\SysWOW64\jeisol.exe"
489⤵
PID:2292

C:\Windows\SysWOW64\gchspk.exe
448 C:\Windows\SysWOW64\jeisol.exe
490⤵
PID:2716

C:\Windows\SysWOW64\fytqmb.exe
C:\Windows\system32\fytqmb.exe 444 "C:\Windows\SysWOW64\gchspk.exe"
491⤵
PID:2056

C:\Windows\SysWOW64\fytqmb.exe
444 C:\Windows\SysWOW64\gchspk.exe
492⤵
PID:2252

C:\Windows\SysWOW64\zhuyrd.exe
C:\Windows\system32\zhuyrd.exe 452 "C:\Windows\SysWOW64\fytqmb.exe"
493⤵
PID:2256

C:\Windows\SysWOW64\zhuyrd.exe
452 C:\Windows\SysWOW64\fytqmb.exe
494⤵
PID:2968

C:\Windows\SysWOW64\zlhqgp.exe
C:\Windows\system32\zlhqgp.exe 444 "C:\Windows\SysWOW64\zhuyrd.exe"
495⤵
PID:2504

C:\Windows\SysWOW64\zlhqgp.exe
444 C:\Windows\SysWOW64\zhuyrd.exe
496⤵
- Drops file in System32 directory
PID:2304

C:\Windows\SysWOW64\wmrdcs.exe
C:\Windows\system32\wmrdcs.exe 448 "C:\Windows\SysWOW64\zlhqgp.exe"
497⤵
PID:1624

C:\Windows\SysWOW64\wmrdcs.exe
448 C:\Windows\SysWOW64\zlhqgp.exe
498⤵
PID:1572

C:\Windows\SysWOW64\trudii.exe
C:\Windows\system32\trudii.exe 452 "C:\Windows\SysWOW64\wmrdcs.exe"
499⤵
PID:2848

C:\Windows\SysWOW64\trudii.exe
452 C:\Windows\SysWOW64\wmrdcs.exe
500⤵
PID:2156

C:\Windows\SysWOW64\sjvncu.exe
C:\Windows\system32\sjvncu.exe 444 "C:\Windows\SysWOW64\trudii.exe"
501⤵
PID:996

C:\Windows\SysWOW64\sjvncu.exe
444 C:\Windows\SysWOW64\trudii.exe
502⤵
PID:1612

C:\Windows\SysWOW64\sytttd.exe
C:\Windows\system32\sytttd.exe 444 "C:\Windows\SysWOW64\sjvncu.exe"
503⤵
PID:772

C:\Windows\SysWOW64\sytttd.exe
444 C:\Windows\SysWOW64\sjvncu.exe
504⤵
PID:1604

C:\Windows\SysWOW64\sniylt.exe
C:\Windows\system32\sniylt.exe 444 "C:\Windows\SysWOW64\sytttd.exe"
505⤵
PID:328

C:\Windows\SysWOW64\sniylt.exe
444 C:\Windows\SysWOW64\sytttd.exe
506⤵
PID:2224

C:\Windows\SysWOW64\mavttr.exe
C:\Windows\system32\mavttr.exe 456 "C:\Windows\SysWOW64\sniylt.exe"
507⤵
PID:2332

C:\Windows\SysWOW64\mavttr.exe
456 C:\Windows\SysWOW64\sniylt.exe
508⤵
- Drops file in System32 directory
PID:1036

C:\Windows\SysWOW64\mmhlid.exe
C:\Windows\system32\mmhlid.exe 444 "C:\Windows\SysWOW64\mavttr.exe"
509⤵
PID:1360

C:\Windows\SysWOW64\mmhlid.exe
444 C:\Windows\SysWOW64\mavttr.exe
510⤵
PID:1868

C:\Windows\SysWOW64\iqdlol.exe
C:\Windows\system32\iqdlol.exe 472 "C:\Windows\SysWOW64\mmhlid.exe"
511⤵
PID:2200

C:\Windows\SysWOW64\iqdlol.exe
472 C:\Windows\SysWOW64\mmhlid.exe
512⤵
PID:1900

C:\Windows\SysWOW64\gczzeo.exe
C:\Windows\system32\gczzeo.exe 444 "C:\Windows\SysWOW64\iqdlol.exe"
513⤵
PID:940

C:\Windows\SysWOW64\gczzeo.exe
444 C:\Windows\SysWOW64\iqdlol.exe
514⤵
- Drops file in System32 directory
PID:2096

C:\Windows\SysWOW64\cdjmiz.exe
C:\Windows\system32\cdjmiz.exe 456 "C:\Windows\SysWOW64\gczzeo.exe"
515⤵
PID:1544

C:\Windows\SysWOW64\cdjmiz.exe
456 C:\Windows\SysWOW64\gczzeo.exe
516⤵
PID:2764

C:\Windows\SysWOW64\zimehg.exe
C:\Windows\system32\zimehg.exe 452 "C:\Windows\SysWOW64\cdjmiz.exe"
517⤵
PID:2212

C:\Windows\SysWOW64\zimehg.exe
452 C:\Windows\SysWOW64\cdjmiz.exe
518⤵
- Drops file in System32 directory
PID:884

C:\Windows\SysWOW64\zurevk.exe
C:\Windows\system32\zurevk.exe 452 "C:\Windows\SysWOW64\zimehg.exe"
519⤵
PID:2512

C:\Windows\SysWOW64\zurevk.exe
452 C:\Windows\SysWOW64\zimehg.exe
520⤵
- Drops file in System32 directory
PID:2088

C:\Windows\SysWOW64\thdrer.exe
C:\Windows\system32\thdrer.exe 456 "C:\Windows\SysWOW64\zurevk.exe"
521⤵
PID:2524

C:\Windows\SysWOW64\thdrer.exe
456 C:\Windows\SysWOW64\zurevk.exe
522⤵
PID:2136

C:\Windows\SysWOW64\twtwvh.exe
C:\Windows\system32\twtwvh.exe 456 "C:\Windows\SysWOW64\thdrer.exe"
523⤵
PID:2624

C:\Windows\SysWOW64\twtwvh.exe
456 C:\Windows\SysWOW64\thdrer.exe
524⤵
- Drops file in System32 directory
PID:1448

C:\Windows\SysWOW64\qlawwg.exe
C:\Windows\system32\qlawwg.exe 456 "C:\Windows\SysWOW64\twtwvh.exe"
525⤵
PID:2844

C:\Windows\SysWOW64\qlawwg.exe
456 C:\Windows\SysWOW64\twtwvh.exe
526⤵
PID:2184

C:\Windows\SysWOW64\fjhxpn.exe
C:\Windows\system32\fjhxpn.exe 456 "C:\Windows\SysWOW64\qlawwg.exe"
527⤵
PID:2940

C:\Windows\SysWOW64\fjhxpn.exe
456 C:\Windows\SysWOW64\qlawwg.exe
528⤵
PID:2708

C:\Windows\SysWOW64\ebipra.exe
C:\Windows\system32\ebipra.exe 456 "C:\Windows\SysWOW64\fjhxpn.exe"
529⤵
PID:2504

C:\Windows\SysWOW64\ebipra.exe
456 C:\Windows\SysWOW64\fjhxpn.exe
530⤵
PID:2748

C:\Windows\SysWOW64\exumor.exe
C:\Windows\system32\exumor.exe 444 "C:\Windows\SysWOW64\ebipra.exe"
531⤵
PID:2192

C:\Windows\SysWOW64\exumor.exe
444 C:\Windows\SysWOW64\ebipra.exe
532⤵
- Drops file in System32 directory
PID:2164

C:\Windows\SysWOW64\bvbmhy.exe
C:\Windows\system32\bvbmhy.exe 444 "C:\Windows\SysWOW64\exumor.exe"
533⤵
PID:1564

C:\Windows\SysWOW64\bvbmhy.exe
444 C:\Windows\SysWOW64\exumor.exe
534⤵
PID:2196

C:\Windows\SysWOW64\ytiuie.exe
C:\Windows\system32\ytiuie.exe 444 "C:\Windows\SysWOW64\bvbmhy.exe"
535⤵
PID:476

C:\Windows\SysWOW64\ytiuie.exe
444 C:\Windows\SysWOW64\bvbmhy.exe
536⤵
PID:1716

C:\Windows\SysWOW64\xljfcr.exe
C:\Windows\system32\xljfcr.exe 444 "C:\Windows\SysWOW64\ytiuie.exe"
537⤵
PID:636

C:\Windows\SysWOW64\xljfcr.exe
444 C:\Windows\SysWOW64\ytiuie.exe
538⤵
PID:2904

C:\Windows\SysWOW64\uqmfbz.exe
C:\Windows\system32\uqmfbz.exe 472 "C:\Windows\SysWOW64\xljfcr.exe"
539⤵
PID:2996

C:\Windows\SysWOW64\uqmfbz.exe
472 C:\Windows\SysWOW64\xljfcr.exe
540⤵
PID:1692

C:\Windows\SysWOW64\ufckap.exe
C:\Windows\system32\ufckap.exe 444 "C:\Windows\SysWOW64\uqmfbz.exe"
541⤵
PID:2396

C:\Windows\SysWOW64\ufckap.exe
444 C:\Windows\SysWOW64\uqmfbz.exe
542⤵
PID:1632

C:\Windows\SysWOW64\txkvuc.exe
C:\Windows\system32\txkvuc.exe 452 "C:\Windows\SysWOW64\ufckap.exe"
543⤵
PID:912

C:\Windows\SysWOW64\txkvuc.exe
452 C:\Windows\SysWOW64\ufckap.exe
544⤵
PID:1836

C:\Windows\SysWOW64\qnjvnj.exe
C:\Windows\system32\qnjvnj.exe 444 "C:\Windows\SysWOW64\txkvuc.exe"
545⤵
PID:2236

C:\Windows\SysWOW64\qnjvnj.exe
444 C:\Windows\SysWOW64\txkvuc.exe
546⤵
PID:1768

C:\Windows\SysWOW64\nznvtq.exe
C:\Windows\system32\nznvtq.exe 444 "C:\Windows\SysWOW64\qnjvnj.exe"
547⤵
PID:2036

C:\Windows\SysWOW64\nznvtq.exe
444 C:\Windows\SysWOW64\qnjvnj.exe
548⤵
PID:608

C:\Windows\SysWOW64\ngcalz.exe
C:\Windows\system32\ngcalz.exe 472 "C:\Windows\SysWOW64\nznvtq.exe"
549⤵
PID:2932

C:\Windows\SysWOW64\ngcalz.exe
472 C:\Windows\SysWOW64\nznvtq.exe
550⤵
PID:1972

C:\Windows\SysWOW64\kejamg.exe
C:\Windows\system32\kejamg.exe 448 "C:\Windows\SysWOW64\ngcalz.exe"
551⤵
PID:3024

C:\Windows\SysWOW64\kejamg.exe
448 C:\Windows\SysWOW64\ngcalz.exe
552⤵
PID:1584

C:\Windows\SysWOW64\jwklgs.exe
C:\Windows\system32\jwklgs.exe 448 "C:\Windows\SysWOW64\kejamg.exe"
553⤵
PID:2516

C:\Windows\SysWOW64\jwklgs.exe
448 C:\Windows\SysWOW64\kejamg.exe
554⤵
PID:3000

C:\Windows\SysWOW64\gxcycd.exe
C:\Windows\system32\gxcycd.exe 444 "C:\Windows\SysWOW64\jwklgs.exe"
555⤵
PID:3048

C:\Windows\SysWOW64\gxcycd.exe
444 C:\Windows\SysWOW64\jwklgs.exe
556⤵
PID:1964

C:\Windows\SysWOW64\gmadtm.exe
C:\Windows\system32\gmadtm.exe 444 "C:\Windows\SysWOW64\gxcycd.exe"
557⤵
PID:2716

C:\Windows\SysWOW64\gmadtm.exe
444 C:\Windows\SysWOW64\gxcycd.exe
558⤵
PID:1484

C:\Windows\SysWOW64\aafybs.exe
C:\Windows\system32\aafybs.exe 456 "C:\Windows\SysWOW64\gmadtm.exe"
559⤵
PID:944

C:\Windows\SysWOW64\aafybs.exe
456 C:\Windows\SysWOW64\gmadtm.exe
560⤵
PID:2540

C:\Windows\SysWOW64\adrqqw.exe
C:\Windows\system32\adrqqw.exe 448 "C:\Windows\SysWOW64\aafybs.exe"
561⤵
PID:2576

C:\Windows\SysWOW64\adrqqw.exe
448 C:\Windows\SysWOW64\aafybs.exe
562⤵
PID:2388

C:\Windows\SysWOW64\wqnqwm.exe
C:\Windows\system32\wqnqwm.exe 444 "C:\Windows\SysWOW64\adrqqw.exe"
563⤵
PID:2708

C:\Windows\SysWOW64\wqnqwm.exe
444 C:\Windows\SysWOW64\adrqqw.exe
564⤵
PID:2568

C:\Windows\SysWOW64\ufuqpl.exe
C:\Windows\system32\ufuqpl.exe 444 "C:\Windows\SysWOW64\wqnqwm.exe"
565⤵
PID:320

C:\Windows\SysWOW64\ufuqpl.exe
444 C:\Windows\SysWOW64\wqnqwm.exe
566⤵
PID:1496

C:\Windows\SysWOW64\rdsqqs.exe
C:\Windows\system32\rdsqqs.exe 444 "C:\Windows\SysWOW64\ufuqpl.exe"
567⤵
PID:1064

C:\Windows\SysWOW64\rdsqqs.exe
444 C:\Windows\SysWOW64\ufuqpl.exe
568⤵
PID:1516

C:\Windows\SysWOW64\nhwjph.exe
C:\Windows\system32\nhwjph.exe 452 "C:\Windows\SysWOW64\rdsqqs.exe"
569⤵
PID:2696

C:\Windows\SysWOW64\nhwjph.exe
452 C:\Windows\SysWOW64\rdsqqs.exe
570⤵
PID:476

C:\Windows\SysWOW64\nwmogp.exe
C:\Windows\system32\nwmogp.exe 444 "C:\Windows\SysWOW64\nhwjph.exe"
571⤵
PID:2420

C:\Windows\SysWOW64\nwmogp.exe
444 C:\Windows\SysWOW64\nhwjph.exe
572⤵
PID:536

C:\Windows\SysWOW64\nljtfy.exe
C:\Windows\system32\nljtfy.exe 456 "C:\Windows\SysWOW64\nwmogp.exe"
573⤵
PID:2400

C:\Windows\SysWOW64\nljtfy.exe
456 C:\Windows\SysWOW64\nwmogp.exe
574⤵
- Drops file in System32 directory
PID:2796

C:\Windows\SysWOW64\zzooge.exe
C:\Windows\system32\zzooge.exe 464 "C:\Windows\SysWOW64\nljtfy.exe"
575⤵
PID:2832

C:\Windows\SysWOW64\zzooge.exe
464 C:\Windows\SysWOW64\nljtfy.exe
576⤵
PID:2528

C:\Windows\SysWOW64\zcagci.exe
C:\Windows\system32\zcagci.exe 444 "C:\Windows\SysWOW64\zzooge.exe"
577⤵
PID:2988

C:\Windows\SysWOW64\zcagci.exe
444 C:\Windows\SysWOW64\zzooge.exe
578⤵
- Drops file in System32 directory
PID:972

C:\Windows\SysWOW64\spnbdo.exe
C:\Windows\system32\spnbdo.exe 444 "C:\Windows\SysWOW64\zcagci.exe"
579⤵
PID:2408

C:\Windows\SysWOW64\spnbdo.exe
444 C:\Windows\SysWOW64\zcagci.exe
580⤵
PID:900

C:\Windows\SysWOW64\siomfb.exe
C:\Windows\system32\siomfb.exe 472 "C:\Windows\SysWOW64\spnbdo.exe"
581⤵
PID:2956

C:\Windows\SysWOW64\siomfb.exe
472 C:\Windows\SysWOW64\spnbdo.exe
582⤵
PID:832

C:\Windows\SysWOW64\pfvmyi.exe
C:\Windows\system32\pfvmyi.exe 444 "C:\Windows\SysWOW64\siomfb.exe"
583⤵
PID:2012

C:\Windows\SysWOW64\pfvmyi.exe
444 C:\Windows\SysWOW64\siomfb.exe
584⤵
PID:2944

C:\Windows\SysWOW64\pukrpq.exe
C:\Windows\system32\pukrpq.exe 464 "C:\Windows\SysWOW64\pfvmyi.exe"
585⤵
PID:2908

C:\Windows\SysWOW64\pukrpq.exe
464 C:\Windows\SysWOW64\pfvmyi.exe
586⤵
PID:2152

C:\Windows\SysWOW64\pntjjl.exe
C:\Windows\system32\pntjjl.exe 472 "C:\Windows\SysWOW64\pukrpq.exe"
587⤵
PID:2652

C:\Windows\SysWOW64\pntjjl.exe
472 C:\Windows\SysWOW64\pukrpq.exe
588⤵
PID:2072

C:\Windows\SysWOW64\lrpkqs.exe
C:\Windows\system32\lrpkqs.exe 452 "C:\Windows\SysWOW64\pntjjl.exe"
589⤵
PID:2520

C:\Windows\SysWOW64\lrpkqs.exe
452 C:\Windows\SysWOW64\pntjjl.exe
590⤵
- Drops file in System32 directory
PID:2616

C:\Windows\SysWOW64\ipwkjz.exe
C:\Windows\system32\ipwkjz.exe 456 "C:\Windows\SysWOW64\lrpkqs.exe"
591⤵
PID:2496

C:\Windows\SysWOW64\ipwkjz.exe
456 C:\Windows\SysWOW64\lrpkqs.exe
592⤵
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\ffvkky.exe
C:\Windows\system32\ffvkky.exe 444 "C:\Windows\SysWOW64\ipwkjz.exe"
593⤵
PID:1484

C:\Windows\SysWOW64\ffvkky.exe
444 C:\Windows\SysWOW64\ipwkjz.exe
594⤵
PID:2940

C:\Windows\SysWOW64\fuspbp.exe
C:\Windows\system32\fuspbp.exe 452 "C:\Windows\SysWOW64\ffvkky.exe"
595⤵
PID:2548

C:\Windows\SysWOW64\fuspbp.exe
452 C:\Windows\SysWOW64\ffvkky.exe
596⤵
PID:2656

C:\Windows\SysWOW64\cvkufs.exe
C:\Windows\system32\cvkufs.exe 448 "C:\Windows\SysWOW64\fuspbp.exe"
597⤵
PID:2148

C:\Windows\SysWOW64\cvkufs.exe
448 C:\Windows\SysWOW64\fuspbp.exe
598⤵
PID:2748

C:\Windows\SysWOW64\yzgudi.exe
C:\Windows\system32\yzgudi.exe 452 "C:\Windows\SysWOW64\cvkufs.exe"
599⤵
PID:2568

C:\Windows\SysWOW64\yzgudi.exe
452 C:\Windows\SysWOW64\cvkufs.exe
600⤵
PID:2776

C:\Windows\SysWOW64\ylsnsm.exe
C:\Windows\system32\ylsnsm.exe 448 "C:\Windows\SysWOW64\yzgudi.exe"
601⤵
PID:1944

C:\Windows\SysWOW64\ylsnsm.exe
448 C:\Windows\SysWOW64\yzgudi.exe
602⤵
PID:868

C:\Windows\SysWOW64\syxhas.exe
C:\Windows\system32\syxhas.exe 444 "C:\Windows\SysWOW64\ylsnsm.exe"
603⤵
PID:2132

C:\Windows\SysWOW64\syxhas.exe
444 C:\Windows\SysWOW64\ylsnsm.exe
604⤵
PID:2668

C:\Windows\SysWOW64\snvnra.exe
C:\Windows\system32\snvnra.exe 460 "C:\Windows\SysWOW64\syxhas.exe"
605⤵
PID:952

C:\Windows\SysWOW64\snvnra.exe
460 C:\Windows\SysWOW64\syxhas.exe
606⤵
PID:1676

C:\Windows\SysWOW64\sfvxlv.exe
C:\Windows\system32\sfvxlv.exe 444 "C:\Windows\SysWOW64\snvnra.exe"
607⤵
PID:840

C:\Windows\SysWOW64\sfvxlv.exe
444 C:\Windows\SysWOW64\snvnra.exe
608⤵
PID:588

C:\Windows\SysWOW64\rywqnh.exe
C:\Windows\system32\rywqnh.exe 444 "C:\Windows\SysWOW64\sfvxlv.exe"
609⤵
PID:2024

C:\Windows\SysWOW64\rywqnh.exe
444 C:\Windows\SysWOW64\sfvxlv.exe
610⤵
PID:1660

C:\Windows\SysWOW64\rnuvfq.exe
C:\Windows\system32\rnuvfq.exe 452 "C:\Windows\SysWOW64\rywqnh.exe"
611⤵
PID:1556

C:\Windows\SysWOW64\rnuvfq.exe
452 C:\Windows\SysWOW64\rywqnh.exe
612⤵
- Drops file in System32 directory
PID:2988

C:\Windows\SysWOW64\rfdfzc.exe
C:\Windows\system32\rfdfzc.exe 444 "C:\Windows\SysWOW64\rnuvfq.exe"
613⤵
PID:1836

C:\Windows\SysWOW64\rfdfzc.exe
444 C:\Windows\SysWOW64\rnuvfq.exe
614⤵
PID:1888

C:\Windows\SysWOW64\nkyffs.exe
C:\Windows\system32\nkyffs.exe 456 "C:\Windows\SysWOW64\rfdfzc.exe"
615⤵
PID:1976

C:\Windows\SysWOW64\nkyffs.exe
456 C:\Windows\SysWOW64\rfdfzc.exe
616⤵
PID:2608

C:\Windows\SysWOW64\klisbv.exe
C:\Windows\system32\klisbv.exe 444 "C:\Windows\SysWOW64\nkyffs.exe"
617⤵
PID:2040

C:\Windows\SysWOW64\klisbv.exe
444 C:\Windows\SysWOW64\nkyffs.exe
618⤵
PID:2020

C:\Windows\SysWOW64\kagysm.exe
C:\Windows\system32\kagysm.exe 456 "C:\Windows\SysWOW64\klisbv.exe"
619⤵
PID:1560

C:\Windows\SysWOW64\kagysm.exe
456 C:\Windows\SysWOW64\klisbv.exe
620⤵
PID:1016

C:\Windows\SysWOW64\khedru.exe
C:\Windows\system32\khedru.exe 444 "C:\Windows\SysWOW64\kagysm.exe"
621⤵
PID:2900

C:\Windows\SysWOW64\khedru.exe
444 C:\Windows\SysWOW64\kagysm.exe
622⤵
PID:2044

C:\Windows\SysWOW64\guzvqk.exe
C:\Windows\system32\guzvqk.exe 456 "C:\Windows\SysWOW64\khedru.exe"
623⤵
PID:2644

C:\Windows\SysWOW64\guzvqk.exe
456 C:\Windows\SysWOW64\khedru.exe
624⤵
PID:3040

C:\Windows\SysWOW64\toelqd.exe
C:\Windows\system32\toelqd.exe 448 "C:\Windows\SysWOW64\guzvqk.exe"
625⤵
PID:1680

C:\Windows\SysWOW64\toelqd.exe
448 C:\Windows\SysWOW64\guzvqk.exe
626⤵
PID:2056

C:\Windows\SysWOW64\shfvkp.exe
C:\Windows\system32\shfvkp.exe 456 "C:\Windows\SysWOW64\toelqd.exe"
627⤵
PID:2292

C:\Windows\SysWOW64\shfvkp.exe
456 C:\Windows\SysWOW64\toelqd.exe
628⤵
PID:2252

C:\Windows\SysWOW64\pixjgt.exe
C:\Windows\system32\pixjgt.exe 472 "C:\Windows\SysWOW64\shfvkp.exe"
629⤵
PID:2304

C:\Windows\SysWOW64\pixjgt.exe
472 C:\Windows\SysWOW64\shfvkp.exe
630⤵
- Drops file in System32 directory
PID:2548

C:\Windows\SysWOW64\mjhwke.exe
C:\Windows\system32\mjhwke.exe 456 "C:\Windows\SysWOW64\pixjgt.exe"
631⤵
PID:2192

C:\Windows\SysWOW64\mjhwke.exe
456 C:\Windows\SysWOW64\pixjgt.exe
632⤵
PID:1572

C:\Windows\SysWOW64\mqfbbm.exe
C:\Windows\system32\mqfbbm.exe 444 "C:\Windows\SysWOW64\mjhwke.exe"
633⤵
PID:2948

C:\Windows\SysWOW64\mqfbbm.exe
444 C:\Windows\SysWOW64\mjhwke.exe
634⤵
PID:2864

C:\Windows\SysWOW64\jombct.exe
C:\Windows\system32\jombct.exe 456 "C:\Windows\SysWOW64\mqfbbm.exe"
635⤵
PID:2776

C:\Windows\SysWOW64\jombct.exe
456 C:\Windows\SysWOW64\mqfbbm.exe
636⤵
PID:2472

C:\Windows\SysWOW64\fshtbb.exe
C:\Windows\system32\fshtbb.exe 444 "C:\Windows\SysWOW64\jombct.exe"
637⤵
PID:928

C:\Windows\SysWOW64\fshtbb.exe
444 C:\Windows\SysWOW64\jombct.exe
638⤵
PID:1200

C:\Windows\SysWOW64\ctrgfm.exe
C:\Windows\system32\ctrgfm.exe 456 "C:\Windows\SysWOW64\fshtbb.exe"
639⤵
PID:352

C:\Windows\SysWOW64\ctrgfm.exe
456 C:\Windows\SysWOW64\fshtbb.exe
640⤵
PID:1604

C:\Windows\SysWOW64\cmazzz.exe
C:\Windows\system32\cmazzz.exe 472 "C:\Windows\SysWOW64\ctrgfm.exe"
641⤵
PID:1120

C:\Windows\SysWOW64\cmazzz.exe
472 C:\Windows\SysWOW64\ctrgfm.exe
642⤵
PID:2396

C:\Windows\SysWOW64\zjzzsg.exe
C:\Windows\system32\zjzzsg.exe 444 "C:\Windows\SysWOW64\cmazzz.exe"
643⤵
PID:688

C:\Windows\SysWOW64\zjzzsg.exe
444 C:\Windows\SysWOW64\cmazzz.exe
644⤵
PID:2416

C:\Windows\SysWOW64\zyxejo.exe
C:\Windows\system32\zyxejo.exe 444 "C:\Windows\SysWOW64\zjzzsg.exe"
645⤵
PID:1764

C:\Windows\SysWOW64\zyxejo.exe
444 C:\Windows\SysWOW64\zjzzsg.exe
646⤵
- Drops file in System32 directory
PID:1432

C:\Windows\SysWOW64\vaprnz.exe
C:\Windows\system32\vaprnz.exe 444 "C:\Windows\SysWOW64\zyxejo.exe"
647⤵
PID:1768

C:\Windows\SysWOW64\vaprnz.exe
444 C:\Windows\SysWOW64\zyxejo.exe
648⤵
PID:1988

C:\Windows\SysWOW64\vsqbhm.exe
C:\Windows\system32\vsqbhm.exe 456 "C:\Windows\SysWOW64\vaprnz.exe"
649⤵
PID:2972

C:\Windows\SysWOW64\vsqbhm.exe
456 C:\Windows\SysWOW64\vaprnz.exe
650⤵
PID:1544

C:\Windows\SysWOW64\stapkx.exe
C:\Windows\system32\stapkx.exe 452 "C:\Windows\SysWOW64\vsqbhm.exe"
651⤵
PID:1592

C:\Windows\SysWOW64\stapkx.exe
452 C:\Windows\SysWOW64\vsqbhm.exe
652⤵
PID:2312

C:\Windows\SysWOW64\pjhpdw.exe
C:\Windows\system32\pjhpdw.exe 444 "C:\Windows\SysWOW64\stapkx.exe"
653⤵
PID:2088

C:\Windows\SysWOW64\pjhpdw.exe
444 C:\Windows\SysWOW64\stapkx.exe
654⤵
PID:2632

C:\Windows\SysWOW64\mgopxd.exe
C:\Windows\system32\mgopxd.exe 444 "C:\Windows\SysWOW64\pjhpdw.exe"
655⤵
PID:2672

C:\Windows\SysWOW64\mgopxd.exe
444 C:\Windows\SysWOW64\pjhpdw.exe
656⤵
PID:2072

C:\Windows\SysWOW64\jljpdl.exe
C:\Windows\system32\jljpdl.exe 440 "C:\Windows\SysWOW64\mgopxd.exe"
657⤵
PID:1964

C:\Windows\SysWOW64\jljpdl.exe
440 C:\Windows\SysWOW64\mgopxd.exe
658⤵
PID:2560

C:\Windows\SysWOW64\giqpws.exe
C:\Windows\system32\giqpws.exe 456 "C:\Windows\SysWOW64\jljpdl.exe"
659⤵
PID:2256

C:\Windows\SysWOW64\giqpws.exe
456 C:\Windows\SysWOW64\jljpdl.exe
660⤵
PID:2452

C:\Windows\SysWOW64\ckbcav.exe
C:\Windows\system32\ckbcav.exe 444 "C:\Windows\SysWOW64\giqpws.exe"
661⤵
PID:1684

C:\Windows\SysWOW64\ckbcav.exe
444 C:\Windows\SysWOW64\giqpws.exe
662⤵
PID:2692

C:\Windows\SysWOW64\czyhrl.exe
C:\Windows\system32\czyhrl.exe 452 "C:\Windows\SysWOW64\ckbcav.exe"
663⤵
PID:2676

C:\Windows\SysWOW64\czyhrl.exe
452 C:\Windows\SysWOW64\ckbcav.exe
664⤵
PID:2488

C:\Windows\SysWOW64\zsquvp.exe
C:\Windows\system32\zsquvp.exe 476 "C:\Windows\SysWOW64\czyhrl.exe"
665⤵
PID:1512

C:\Windows\SysWOW64\zsquvp.exe
476 C:\Windows\SysWOW64\czyhrl.exe
666⤵
PID:2568

C:\Windows\SysWOW64\wppvow.exe
C:\Windows\system32\wppvow.exe 460 "C:\Windows\SysWOW64\zsquvp.exe"
667⤵
PID:2748

C:\Windows\SysWOW64\wppvow.exe
460 C:\Windows\SysWOW64\zsquvp.exe
668⤵
PID:1612

C:\Windows\SysWOW64\tnwvhd.exe
C:\Windows\system32\tnwvhd.exe 452 "C:\Windows\SysWOW64\wppvow.exe"
669⤵
PID:1516

C:\Windows\SysWOW64\tnwvhd.exe
452 C:\Windows\SysWOW64\wppvow.exe
670⤵
PID:868

C:\Windows\SysWOW64\tfffjp.exe
C:\Windows\system32\tfffjp.exe 456 "C:\Windows\SysWOW64\tnwvhd.exe"
671⤵
PID:936

C:\Windows\SysWOW64\tfffjp.exe
456 C:\Windows\SysWOW64\tnwvhd.exe
672⤵
PID:2248

C:\Windows\SysWOW64\hkbfix.exe
C:\Windows\system32\hkbfix.exe 444 "C:\Windows\SysWOW64\tfffjp.exe"
673⤵
PID:1716

C:\Windows\SysWOW64\hkbfix.exe
444 C:\Windows\SysWOW64\tfffjp.exe
674⤵
PID:2984

C:\Windows\SysWOW64\hvnywj.exe
C:\Windows\system32\hvnywj.exe 444 "C:\Windows\SysWOW64\hkbfix.exe"
675⤵
PID:2124

C:\Windows\SysWOW64\hvnywj.exe
444 C:\Windows\SysWOW64\hkbfix.exe
676⤵
PID:2832

C:\Windows\SysWOW64\eaiydq.exe
C:\Windows\system32\eaiydq.exe 444 "C:\Windows\SysWOW64\hvnywj.exe"
677⤵
PID:312

C:\Windows\SysWOW64\eaiydq.exe
444 C:\Windows\SysWOW64\hvnywj.exe
678⤵
PID:1036

C:\Windows\SysWOW64\epgvuh.exe
C:\Windows\system32\epgvuh.exe 452 "C:\Windows\SysWOW64\eaiydq.exe"
679⤵
PID:2528

C:\Windows\SysWOW64\epgvuh.exe
452 C:\Windows\SysWOW64\eaiydq.exe
680⤵
PID:1848

C:\Windows\SysWOW64\dhhnot.exe
C:\Windows\system32\dhhnot.exe 452 "C:\Windows\SysWOW64\epgvuh.exe"
681⤵
PID:2872

C:\Windows\SysWOW64\dhhnot.exe
452 C:\Windows\SysWOW64\epgvuh.exe
682⤵
PID:900

C:\Windows\SysWOW64\axonpa.exe
C:\Windows\system32\axonpa.exe 444 "C:\Windows\SysWOW64\dhhnot.exe"
683⤵
PID:2096

C:\Windows\SysWOW64\axonpa.exe
444 C:\Windows\SysWOW64\dhhnot.exe
684⤵
PID:2012

C:\Windows\SysWOW64\xcjnoi.exe
C:\Windows\system32\xcjnoi.exe 452 "C:\Windows\SysWOW64\axonpa.exe"
685⤵
PID:2608

C:\Windows\SysWOW64\xcjnoi.exe
452 C:\Windows\SysWOW64\axonpa.exe
686⤵
PID:2820

C:\Windows\SysWOW64\xnwgcm.exe
C:\Windows\system32\xnwgcm.exe 452 "C:\Windows\SysWOW64\xcjnoi.exe"
687⤵
PID:2636

C:\Windows\SysWOW64\xnwgcm.exe
452 C:\Windows\SysWOW64\xcjnoi.exe
688⤵
PID:2884

C:\Windows\SysWOW64\usryjc.exe
C:\Windows\system32\usryjc.exe 444 "C:\Windows\SysWOW64\xnwgcm.exe"
689⤵
PID:1688

C:\Windows\SysWOW64\usryjc.exe
444 C:\Windows\SysWOW64\xnwgcm.exe
690⤵
- Drops file in System32 directory
PID:1016

C:\Windows\SysWOW64\thpdak.exe
C:\Windows\system32\thpdak.exe 452 "C:\Windows\SysWOW64\usryjc.exe"
691⤵
PID:2428

C:\Windows\SysWOW64\thpdak.exe
452 C:\Windows\SysWOW64\usryjc.exe
692⤵
PID:2564

C:\Windows\SysWOW64\qeodbr.exe
C:\Windows\system32\qeodbr.exe 452 "C:\Windows\SysWOW64\thpdak.exe"
693⤵
PID:2188

C:\Windows\SysWOW64\qeodbr.exe
452 C:\Windows\SysWOW64\thpdak.exe
694⤵
PID:2184

C:\Windows\SysWOW64\nfgqxu.exe
C:\Windows\system32\nfgqxu.exe 456 "C:\Windows\SysWOW64\qeodbr.exe"
695⤵
PID:2292

C:\Windows\SysWOW64\nfgqxu.exe
456 C:\Windows\SysWOW64\qeodbr.exe
696⤵
PID:920

C:\Windows\SysWOW64\hhzycw.exe
C:\Windows\system32\hhzycw.exe 452 "C:\Windows\SysWOW64\nfgqxu.exe"
697⤵
PID:1624

C:\Windows\SysWOW64\hhzycw.exe
452 C:\Windows\SysWOW64\nfgqxu.exe
698⤵
PID:1780

C:\Windows\SysWOW64\eirlyh.exe
C:\Windows\system32\eirlyh.exe 444 "C:\Windows\SysWOW64\hhzycw.exe"
699⤵
PID:2448

C:\Windows\SysWOW64\eirlyh.exe
444 C:\Windows\SysWOW64\hhzycw.exe
700⤵
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\exprxq.exe
C:\Windows\system32\exprxq.exe 456 "C:\Windows\SysWOW64\eirlyh.exe"
701⤵
PID:2216

C:\Windows\SysWOW64\exprxq.exe
456 C:\Windows\SysWOW64\eirlyh.exe
702⤵
- Drops file in System32 directory
PID:2244

C:\Windows\SysWOW64\byzetb.exe
C:\Windows\system32\byzetb.exe 456 "C:\Windows\SysWOW64\exprxq.exe"
703⤵
PID:584

C:\Windows\SysWOW64\byzetb.exe
456 C:\Windows\SysWOW64\exprxq.exe
704⤵
- Drops file in System32 directory
PID:2412

C:\Windows\SysWOW64\ariono.exe
C:\Windows\system32\ariono.exe 456 "C:\Windows\SysWOW64\byzetb.exe"
705⤵
PID:1228

C:\Windows\SysWOW64\ariono.exe
456 C:\Windows\SysWOW64\byzetb.exe
706⤵
PID:2688

C:\Windows\SysWOW64\agyufw.exe
C:\Windows\system32\agyufw.exe 444 "C:\Windows\SysWOW64\ariono.exe"
707⤵
PID:836

C:\Windows\SysWOW64\agyufw.exe
444 C:\Windows\SysWOW64\ariono.exe
708⤵
PID:1328

C:\Windows\SysWOW64\ayhmhq.exe
C:\Windows\system32\ayhmhq.exe 456 "C:\Windows\SysWOW64\agyufw.exe"
709⤵
PID:2052

C:\Windows\SysWOW64\ayhmhq.exe
456 C:\Windows\SysWOW64\agyufw.exe
710⤵
PID:1140

C:\Windows\SysWOW64\zrhwbd.exe
C:\Windows\system32\zrhwbd.exe 444 "C:\Windows\SysWOW64\ayhmhq.exe"
711⤵
PID:2272

C:\Windows\SysWOW64\zrhwbd.exe
444 C:\Windows\SysWOW64\ayhmhq.exe
712⤵
PID:688

C:\Windows\SysWOW64\zjipvq.exe
C:\Windows\system32\zjipvq.exe 448 "C:\Windows\SysWOW64\zrhwbd.exe"
713⤵
PID:2080

C:\Windows\SysWOW64\zjipvq.exe
448 C:\Windows\SysWOW64\zrhwbd.exe
714⤵
PID:692

C:\Windows\SysWOW64\vompbf.exe
C:\Windows\system32\vompbf.exe 444 "C:\Windows\SysWOW64\zjipvq.exe"
715⤵
PID:1816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\jvzyiv.exe
Filesize
222KB

MD5
f38d258532673cf62200ab2d7dd5268a

SHA1
39bf714b2e9ffb5a8cf534977588b71e35952ec6

SHA256
5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

SHA512
b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf

Download Submit
memory/588-425-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/588-418-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/628-389-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/628-396-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/812-117-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/812-107-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/940-456-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/940-449-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1228-179-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1228-169-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1236-218-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1236-208-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1448-283-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1448-276-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1544-697-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1552-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1572-844-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1572-851-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1608-131-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1676-831-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1700-508-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1700-515-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1728-860-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1728-867-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1768-710-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1768-717-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1772-465-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1804-729-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1860-434-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1868-948-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1868-955-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1896-125-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2000-935-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2004-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2036-924-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2056-982-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2060-637-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2060-644-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2076-148-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2076-158-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2120-966-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2120-971-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2148-761-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2148-754-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2176-95-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2184-104-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2244-876-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2244-883-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2268-531-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2268-524-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2388-582-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2388-589-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2484-76-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2484-66-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2508-334-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2508-341-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2548-318-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2548-325-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2580-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2620-820-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2620-813-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-560-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-553-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2732-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2748-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2780-48-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2860-26-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2884-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2900-772-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2940-804-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2944-480-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3024-6-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3024-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-3-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3024-0-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3056-666-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3056-673-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads